1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 14 * <dgoeddel@trustedcs.com> 15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. 16 * Paul Moore <paul.moore@hp.com> 17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 18 * Yuichi Nakamura <ynakam@hitachisoft.jp> 19 * 20 * This program is free software; you can redistribute it and/or modify 21 * it under the terms of the GNU General Public License version 2, 22 * as published by the Free Software Foundation. 23 */ 24 25 #include <linux/init.h> 26 #include <linux/kernel.h> 27 #include <linux/ptrace.h> 28 #include <linux/errno.h> 29 #include <linux/sched.h> 30 #include <linux/security.h> 31 #include <linux/xattr.h> 32 #include <linux/capability.h> 33 #include <linux/unistd.h> 34 #include <linux/mm.h> 35 #include <linux/mman.h> 36 #include <linux/slab.h> 37 #include <linux/pagemap.h> 38 #include <linux/swap.h> 39 #include <linux/spinlock.h> 40 #include <linux/syscalls.h> 41 #include <linux/file.h> 42 #include <linux/namei.h> 43 #include <linux/mount.h> 44 #include <linux/ext2_fs.h> 45 #include <linux/proc_fs.h> 46 #include <linux/kd.h> 47 #include <linux/netfilter_ipv4.h> 48 #include <linux/netfilter_ipv6.h> 49 #include <linux/tty.h> 50 #include <net/icmp.h> 51 #include <net/ip.h> /* for local_port_range[] */ 52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 53 #include <net/net_namespace.h> 54 #include <net/netlabel.h> 55 #include <asm/uaccess.h> 56 #include <asm/ioctls.h> 57 #include <asm/atomic.h> 58 #include <linux/bitops.h> 59 #include <linux/interrupt.h> 60 #include <linux/netdevice.h> /* for network interface checks */ 61 #include <linux/netlink.h> 62 #include <linux/tcp.h> 63 #include <linux/udp.h> 64 #include <linux/dccp.h> 65 #include <linux/quota.h> 66 #include <linux/un.h> /* for Unix socket types */ 67 #include <net/af_unix.h> /* for Unix socket types */ 68 #include <linux/parser.h> 69 #include <linux/nfs_mount.h> 70 #include <net/ipv6.h> 71 #include <linux/hugetlb.h> 72 #include <linux/personality.h> 73 #include <linux/sysctl.h> 74 #include <linux/audit.h> 75 #include <linux/string.h> 76 #include <linux/selinux.h> 77 #include <linux/mutex.h> 78 79 #include "avc.h" 80 #include "objsec.h" 81 #include "netif.h" 82 #include "netnode.h" 83 #include "xfrm.h" 84 #include "netlabel.h" 85 86 #define XATTR_SELINUX_SUFFIX "selinux" 87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX 88 89 #define NUM_SEL_MNT_OPTS 4 90 91 extern unsigned int policydb_loaded_version; 92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); 93 extern int selinux_compat_net; 94 extern struct security_operations *security_ops; 95 96 /* SECMARK reference count */ 97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 98 99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 100 int selinux_enforcing = 0; 101 102 static int __init enforcing_setup(char *str) 103 { 104 selinux_enforcing = simple_strtol(str,NULL,0); 105 return 1; 106 } 107 __setup("enforcing=", enforcing_setup); 108 #endif 109 110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 112 113 static int __init selinux_enabled_setup(char *str) 114 { 115 selinux_enabled = simple_strtol(str, NULL, 0); 116 return 1; 117 } 118 __setup("selinux=", selinux_enabled_setup); 119 #else 120 int selinux_enabled = 1; 121 #endif 122 123 /* Original (dummy) security module. */ 124 static struct security_operations *original_ops = NULL; 125 126 /* Minimal support for a secondary security module, 127 just to allow the use of the dummy or capability modules. 128 The owlsm module can alternatively be used as a secondary 129 module as long as CONFIG_OWLSM_FD is not enabled. */ 130 static struct security_operations *secondary_ops = NULL; 131 132 /* Lists of inode and superblock security structures initialized 133 before the policy was loaded. */ 134 static LIST_HEAD(superblock_security_head); 135 static DEFINE_SPINLOCK(sb_security_lock); 136 137 static struct kmem_cache *sel_inode_cache; 138 139 /** 140 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 141 * 142 * Description: 143 * This function checks the SECMARK reference counter to see if any SECMARK 144 * targets are currently configured, if the reference counter is greater than 145 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 146 * enabled, false (0) if SECMARK is disabled. 147 * 148 */ 149 static int selinux_secmark_enabled(void) 150 { 151 return (atomic_read(&selinux_secmark_refcount) > 0); 152 } 153 154 /* Allocate and free functions for each kind of security blob. */ 155 156 static int task_alloc_security(struct task_struct *task) 157 { 158 struct task_security_struct *tsec; 159 160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 161 if (!tsec) 162 return -ENOMEM; 163 164 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED; 165 task->security = tsec; 166 167 return 0; 168 } 169 170 static void task_free_security(struct task_struct *task) 171 { 172 struct task_security_struct *tsec = task->security; 173 task->security = NULL; 174 kfree(tsec); 175 } 176 177 static int inode_alloc_security(struct inode *inode) 178 { 179 struct task_security_struct *tsec = current->security; 180 struct inode_security_struct *isec; 181 182 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 183 if (!isec) 184 return -ENOMEM; 185 186 mutex_init(&isec->lock); 187 INIT_LIST_HEAD(&isec->list); 188 isec->inode = inode; 189 isec->sid = SECINITSID_UNLABELED; 190 isec->sclass = SECCLASS_FILE; 191 isec->task_sid = tsec->sid; 192 inode->i_security = isec; 193 194 return 0; 195 } 196 197 static void inode_free_security(struct inode *inode) 198 { 199 struct inode_security_struct *isec = inode->i_security; 200 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 201 202 spin_lock(&sbsec->isec_lock); 203 if (!list_empty(&isec->list)) 204 list_del_init(&isec->list); 205 spin_unlock(&sbsec->isec_lock); 206 207 inode->i_security = NULL; 208 kmem_cache_free(sel_inode_cache, isec); 209 } 210 211 static int file_alloc_security(struct file *file) 212 { 213 struct task_security_struct *tsec = current->security; 214 struct file_security_struct *fsec; 215 216 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); 217 if (!fsec) 218 return -ENOMEM; 219 220 fsec->sid = tsec->sid; 221 fsec->fown_sid = tsec->sid; 222 file->f_security = fsec; 223 224 return 0; 225 } 226 227 static void file_free_security(struct file *file) 228 { 229 struct file_security_struct *fsec = file->f_security; 230 file->f_security = NULL; 231 kfree(fsec); 232 } 233 234 static int superblock_alloc_security(struct super_block *sb) 235 { 236 struct superblock_security_struct *sbsec; 237 238 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 239 if (!sbsec) 240 return -ENOMEM; 241 242 mutex_init(&sbsec->lock); 243 INIT_LIST_HEAD(&sbsec->list); 244 INIT_LIST_HEAD(&sbsec->isec_head); 245 spin_lock_init(&sbsec->isec_lock); 246 sbsec->sb = sb; 247 sbsec->sid = SECINITSID_UNLABELED; 248 sbsec->def_sid = SECINITSID_FILE; 249 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 250 sb->s_security = sbsec; 251 252 return 0; 253 } 254 255 static void superblock_free_security(struct super_block *sb) 256 { 257 struct superblock_security_struct *sbsec = sb->s_security; 258 259 spin_lock(&sb_security_lock); 260 if (!list_empty(&sbsec->list)) 261 list_del_init(&sbsec->list); 262 spin_unlock(&sb_security_lock); 263 264 sb->s_security = NULL; 265 kfree(sbsec); 266 } 267 268 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority) 269 { 270 struct sk_security_struct *ssec; 271 272 ssec = kzalloc(sizeof(*ssec), priority); 273 if (!ssec) 274 return -ENOMEM; 275 276 ssec->peer_sid = SECINITSID_UNLABELED; 277 ssec->sid = SECINITSID_UNLABELED; 278 sk->sk_security = ssec; 279 280 selinux_netlbl_sk_security_reset(ssec, family); 281 282 return 0; 283 } 284 285 static void sk_free_security(struct sock *sk) 286 { 287 struct sk_security_struct *ssec = sk->sk_security; 288 289 sk->sk_security = NULL; 290 kfree(ssec); 291 } 292 293 /* The security server must be initialized before 294 any labeling or access decisions can be provided. */ 295 extern int ss_initialized; 296 297 /* The file system's label must be initialized prior to use. */ 298 299 static char *labeling_behaviors[6] = { 300 "uses xattr", 301 "uses transition SIDs", 302 "uses task SIDs", 303 "uses genfs_contexts", 304 "not configured for labeling", 305 "uses mountpoint labeling", 306 }; 307 308 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 309 310 static inline int inode_doinit(struct inode *inode) 311 { 312 return inode_doinit_with_dentry(inode, NULL); 313 } 314 315 enum { 316 Opt_error = -1, 317 Opt_context = 1, 318 Opt_fscontext = 2, 319 Opt_defcontext = 3, 320 Opt_rootcontext = 4, 321 }; 322 323 static match_table_t tokens = { 324 {Opt_context, "context=%s"}, 325 {Opt_fscontext, "fscontext=%s"}, 326 {Opt_defcontext, "defcontext=%s"}, 327 {Opt_rootcontext, "rootcontext=%s"}, 328 {Opt_error, NULL}, 329 }; 330 331 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 332 333 static int may_context_mount_sb_relabel(u32 sid, 334 struct superblock_security_struct *sbsec, 335 struct task_security_struct *tsec) 336 { 337 int rc; 338 339 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 340 FILESYSTEM__RELABELFROM, NULL); 341 if (rc) 342 return rc; 343 344 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 345 FILESYSTEM__RELABELTO, NULL); 346 return rc; 347 } 348 349 static int may_context_mount_inode_relabel(u32 sid, 350 struct superblock_security_struct *sbsec, 351 struct task_security_struct *tsec) 352 { 353 int rc; 354 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 355 FILESYSTEM__RELABELFROM, NULL); 356 if (rc) 357 return rc; 358 359 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 360 FILESYSTEM__ASSOCIATE, NULL); 361 return rc; 362 } 363 364 static int sb_finish_set_opts(struct super_block *sb) 365 { 366 struct superblock_security_struct *sbsec = sb->s_security; 367 struct dentry *root = sb->s_root; 368 struct inode *root_inode = root->d_inode; 369 int rc = 0; 370 371 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 372 /* Make sure that the xattr handler exists and that no 373 error other than -ENODATA is returned by getxattr on 374 the root directory. -ENODATA is ok, as this may be 375 the first boot of the SELinux kernel before we have 376 assigned xattr values to the filesystem. */ 377 if (!root_inode->i_op->getxattr) { 378 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 379 "xattr support\n", sb->s_id, sb->s_type->name); 380 rc = -EOPNOTSUPP; 381 goto out; 382 } 383 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0); 384 if (rc < 0 && rc != -ENODATA) { 385 if (rc == -EOPNOTSUPP) 386 printk(KERN_WARNING "SELinux: (dev %s, type " 387 "%s) has no security xattr handler\n", 388 sb->s_id, sb->s_type->name); 389 else 390 printk(KERN_WARNING "SELinux: (dev %s, type " 391 "%s) getxattr errno %d\n", sb->s_id, 392 sb->s_type->name, -rc); 393 goto out; 394 } 395 } 396 397 sbsec->initialized = 1; 398 399 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) 400 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", 401 sb->s_id, sb->s_type->name); 402 else 403 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n", 404 sb->s_id, sb->s_type->name, 405 labeling_behaviors[sbsec->behavior-1]); 406 407 /* Initialize the root inode. */ 408 rc = inode_doinit_with_dentry(root_inode, root); 409 410 /* Initialize any other inodes associated with the superblock, e.g. 411 inodes created prior to initial policy load or inodes created 412 during get_sb by a pseudo filesystem that directly 413 populates itself. */ 414 spin_lock(&sbsec->isec_lock); 415 next_inode: 416 if (!list_empty(&sbsec->isec_head)) { 417 struct inode_security_struct *isec = 418 list_entry(sbsec->isec_head.next, 419 struct inode_security_struct, list); 420 struct inode *inode = isec->inode; 421 spin_unlock(&sbsec->isec_lock); 422 inode = igrab(inode); 423 if (inode) { 424 if (!IS_PRIVATE(inode)) 425 inode_doinit(inode); 426 iput(inode); 427 } 428 spin_lock(&sbsec->isec_lock); 429 list_del_init(&isec->list); 430 goto next_inode; 431 } 432 spin_unlock(&sbsec->isec_lock); 433 out: 434 return rc; 435 } 436 437 /* 438 * This function should allow an FS to ask what it's mount security 439 * options were so it can use those later for submounts, displaying 440 * mount options, or whatever. 441 */ 442 static int selinux_get_mnt_opts(const struct super_block *sb, 443 struct security_mnt_opts *opts) 444 { 445 int rc = 0, i; 446 struct superblock_security_struct *sbsec = sb->s_security; 447 char *context = NULL; 448 u32 len; 449 char tmp; 450 451 security_init_mnt_opts(opts); 452 453 if (!sbsec->initialized) 454 return -EINVAL; 455 456 if (!ss_initialized) 457 return -EINVAL; 458 459 /* 460 * if we ever use sbsec flags for anything other than tracking mount 461 * settings this is going to need a mask 462 */ 463 tmp = sbsec->flags; 464 /* count the number of mount options for this sb */ 465 for (i = 0; i < 8; i++) { 466 if (tmp & 0x01) 467 opts->num_mnt_opts++; 468 tmp >>= 1; 469 } 470 471 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 472 if (!opts->mnt_opts) { 473 rc = -ENOMEM; 474 goto out_free; 475 } 476 477 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); 478 if (!opts->mnt_opts_flags) { 479 rc = -ENOMEM; 480 goto out_free; 481 } 482 483 i = 0; 484 if (sbsec->flags & FSCONTEXT_MNT) { 485 rc = security_sid_to_context(sbsec->sid, &context, &len); 486 if (rc) 487 goto out_free; 488 opts->mnt_opts[i] = context; 489 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 490 } 491 if (sbsec->flags & CONTEXT_MNT) { 492 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); 493 if (rc) 494 goto out_free; 495 opts->mnt_opts[i] = context; 496 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 497 } 498 if (sbsec->flags & DEFCONTEXT_MNT) { 499 rc = security_sid_to_context(sbsec->def_sid, &context, &len); 500 if (rc) 501 goto out_free; 502 opts->mnt_opts[i] = context; 503 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 504 } 505 if (sbsec->flags & ROOTCONTEXT_MNT) { 506 struct inode *root = sbsec->sb->s_root->d_inode; 507 struct inode_security_struct *isec = root->i_security; 508 509 rc = security_sid_to_context(isec->sid, &context, &len); 510 if (rc) 511 goto out_free; 512 opts->mnt_opts[i] = context; 513 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 514 } 515 516 BUG_ON(i != opts->num_mnt_opts); 517 518 return 0; 519 520 out_free: 521 security_free_mnt_opts(opts); 522 return rc; 523 } 524 525 static int bad_option(struct superblock_security_struct *sbsec, char flag, 526 u32 old_sid, u32 new_sid) 527 { 528 /* check if the old mount command had the same options */ 529 if (sbsec->initialized) 530 if (!(sbsec->flags & flag) || 531 (old_sid != new_sid)) 532 return 1; 533 534 /* check if we were passed the same options twice, 535 * aka someone passed context=a,context=b 536 */ 537 if (!sbsec->initialized) 538 if (sbsec->flags & flag) 539 return 1; 540 return 0; 541 } 542 543 /* 544 * Allow filesystems with binary mount data to explicitly set mount point 545 * labeling information. 546 */ 547 static int selinux_set_mnt_opts(struct super_block *sb, 548 struct security_mnt_opts *opts) 549 { 550 int rc = 0, i; 551 struct task_security_struct *tsec = current->security; 552 struct superblock_security_struct *sbsec = sb->s_security; 553 const char *name = sb->s_type->name; 554 struct inode *inode = sbsec->sb->s_root->d_inode; 555 struct inode_security_struct *root_isec = inode->i_security; 556 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 557 u32 defcontext_sid = 0; 558 char **mount_options = opts->mnt_opts; 559 int *flags = opts->mnt_opts_flags; 560 int num_opts = opts->num_mnt_opts; 561 562 mutex_lock(&sbsec->lock); 563 564 if (!ss_initialized) { 565 if (!num_opts) { 566 /* Defer initialization until selinux_complete_init, 567 after the initial policy is loaded and the security 568 server is ready to handle calls. */ 569 spin_lock(&sb_security_lock); 570 if (list_empty(&sbsec->list)) 571 list_add(&sbsec->list, &superblock_security_head); 572 spin_unlock(&sb_security_lock); 573 goto out; 574 } 575 rc = -EINVAL; 576 printk(KERN_WARNING "Unable to set superblock options before " 577 "the security server is initialized\n"); 578 goto out; 579 } 580 581 /* 582 * Binary mount data FS will come through this function twice. Once 583 * from an explicit call and once from the generic calls from the vfs. 584 * Since the generic VFS calls will not contain any security mount data 585 * we need to skip the double mount verification. 586 * 587 * This does open a hole in which we will not notice if the first 588 * mount using this sb set explict options and a second mount using 589 * this sb does not set any security options. (The first options 590 * will be used for both mounts) 591 */ 592 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 593 && (num_opts == 0)) 594 goto out; 595 596 /* 597 * parse the mount options, check if they are valid sids. 598 * also check if someone is trying to mount the same sb more 599 * than once with different security options. 600 */ 601 for (i = 0; i < num_opts; i++) { 602 u32 sid; 603 rc = security_context_to_sid(mount_options[i], 604 strlen(mount_options[i]), &sid); 605 if (rc) { 606 printk(KERN_WARNING "SELinux: security_context_to_sid" 607 "(%s) failed for (dev %s, type %s) errno=%d\n", 608 mount_options[i], sb->s_id, name, rc); 609 goto out; 610 } 611 switch (flags[i]) { 612 case FSCONTEXT_MNT: 613 fscontext_sid = sid; 614 615 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 616 fscontext_sid)) 617 goto out_double_mount; 618 619 sbsec->flags |= FSCONTEXT_MNT; 620 break; 621 case CONTEXT_MNT: 622 context_sid = sid; 623 624 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 625 context_sid)) 626 goto out_double_mount; 627 628 sbsec->flags |= CONTEXT_MNT; 629 break; 630 case ROOTCONTEXT_MNT: 631 rootcontext_sid = sid; 632 633 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 634 rootcontext_sid)) 635 goto out_double_mount; 636 637 sbsec->flags |= ROOTCONTEXT_MNT; 638 639 break; 640 case DEFCONTEXT_MNT: 641 defcontext_sid = sid; 642 643 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 644 defcontext_sid)) 645 goto out_double_mount; 646 647 sbsec->flags |= DEFCONTEXT_MNT; 648 649 break; 650 default: 651 rc = -EINVAL; 652 goto out; 653 } 654 } 655 656 if (sbsec->initialized) { 657 /* previously mounted with options, but not on this attempt? */ 658 if (sbsec->flags && !num_opts) 659 goto out_double_mount; 660 rc = 0; 661 goto out; 662 } 663 664 if (strcmp(sb->s_type->name, "proc") == 0) 665 sbsec->proc = 1; 666 667 /* Determine the labeling behavior to use for this filesystem type. */ 668 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid); 669 if (rc) { 670 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", 671 __FUNCTION__, sb->s_type->name, rc); 672 goto out; 673 } 674 675 /* sets the context of the superblock for the fs being mounted. */ 676 if (fscontext_sid) { 677 678 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec); 679 if (rc) 680 goto out; 681 682 sbsec->sid = fscontext_sid; 683 } 684 685 /* 686 * Switch to using mount point labeling behavior. 687 * sets the label used on all file below the mountpoint, and will set 688 * the superblock context if not already set. 689 */ 690 if (context_sid) { 691 if (!fscontext_sid) { 692 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec); 693 if (rc) 694 goto out; 695 sbsec->sid = context_sid; 696 } else { 697 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec); 698 if (rc) 699 goto out; 700 } 701 if (!rootcontext_sid) 702 rootcontext_sid = context_sid; 703 704 sbsec->mntpoint_sid = context_sid; 705 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 706 } 707 708 if (rootcontext_sid) { 709 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec); 710 if (rc) 711 goto out; 712 713 root_isec->sid = rootcontext_sid; 714 root_isec->initialized = 1; 715 } 716 717 if (defcontext_sid) { 718 if (sbsec->behavior != SECURITY_FS_USE_XATTR) { 719 rc = -EINVAL; 720 printk(KERN_WARNING "SELinux: defcontext option is " 721 "invalid for this filesystem type\n"); 722 goto out; 723 } 724 725 if (defcontext_sid != sbsec->def_sid) { 726 rc = may_context_mount_inode_relabel(defcontext_sid, 727 sbsec, tsec); 728 if (rc) 729 goto out; 730 } 731 732 sbsec->def_sid = defcontext_sid; 733 } 734 735 rc = sb_finish_set_opts(sb); 736 out: 737 mutex_unlock(&sbsec->lock); 738 return rc; 739 out_double_mount: 740 rc = -EINVAL; 741 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 742 "security settings for (dev %s, type %s)\n", sb->s_id, name); 743 goto out; 744 } 745 746 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 747 struct super_block *newsb) 748 { 749 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 750 struct superblock_security_struct *newsbsec = newsb->s_security; 751 752 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 753 int set_context = (oldsbsec->flags & CONTEXT_MNT); 754 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 755 756 /* we can't error, we can't save the info, this shouldn't get called 757 * this early in the boot process. */ 758 BUG_ON(!ss_initialized); 759 760 /* how can we clone if the old one wasn't set up?? */ 761 BUG_ON(!oldsbsec->initialized); 762 763 /* if fs is reusing a sb, just let its options stand... */ 764 if (newsbsec->initialized) 765 return; 766 767 mutex_lock(&newsbsec->lock); 768 769 newsbsec->flags = oldsbsec->flags; 770 771 newsbsec->sid = oldsbsec->sid; 772 newsbsec->def_sid = oldsbsec->def_sid; 773 newsbsec->behavior = oldsbsec->behavior; 774 775 if (set_context) { 776 u32 sid = oldsbsec->mntpoint_sid; 777 778 if (!set_fscontext) 779 newsbsec->sid = sid; 780 if (!set_rootcontext) { 781 struct inode *newinode = newsb->s_root->d_inode; 782 struct inode_security_struct *newisec = newinode->i_security; 783 newisec->sid = sid; 784 } 785 newsbsec->mntpoint_sid = sid; 786 } 787 if (set_rootcontext) { 788 const struct inode *oldinode = oldsb->s_root->d_inode; 789 const struct inode_security_struct *oldisec = oldinode->i_security; 790 struct inode *newinode = newsb->s_root->d_inode; 791 struct inode_security_struct *newisec = newinode->i_security; 792 793 newisec->sid = oldisec->sid; 794 } 795 796 sb_finish_set_opts(newsb); 797 mutex_unlock(&newsbsec->lock); 798 } 799 800 static int selinux_parse_opts_str(char *options, 801 struct security_mnt_opts *opts) 802 { 803 char *p; 804 char *context = NULL, *defcontext = NULL; 805 char *fscontext = NULL, *rootcontext = NULL; 806 int rc, num_mnt_opts = 0; 807 808 opts->num_mnt_opts = 0; 809 810 /* Standard string-based options. */ 811 while ((p = strsep(&options, "|")) != NULL) { 812 int token; 813 substring_t args[MAX_OPT_ARGS]; 814 815 if (!*p) 816 continue; 817 818 token = match_token(p, tokens, args); 819 820 switch (token) { 821 case Opt_context: 822 if (context || defcontext) { 823 rc = -EINVAL; 824 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 825 goto out_err; 826 } 827 context = match_strdup(&args[0]); 828 if (!context) { 829 rc = -ENOMEM; 830 goto out_err; 831 } 832 break; 833 834 case Opt_fscontext: 835 if (fscontext) { 836 rc = -EINVAL; 837 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 838 goto out_err; 839 } 840 fscontext = match_strdup(&args[0]); 841 if (!fscontext) { 842 rc = -ENOMEM; 843 goto out_err; 844 } 845 break; 846 847 case Opt_rootcontext: 848 if (rootcontext) { 849 rc = -EINVAL; 850 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 851 goto out_err; 852 } 853 rootcontext = match_strdup(&args[0]); 854 if (!rootcontext) { 855 rc = -ENOMEM; 856 goto out_err; 857 } 858 break; 859 860 case Opt_defcontext: 861 if (context || defcontext) { 862 rc = -EINVAL; 863 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 864 goto out_err; 865 } 866 defcontext = match_strdup(&args[0]); 867 if (!defcontext) { 868 rc = -ENOMEM; 869 goto out_err; 870 } 871 break; 872 873 default: 874 rc = -EINVAL; 875 printk(KERN_WARNING "SELinux: unknown mount option\n"); 876 goto out_err; 877 878 } 879 } 880 881 rc = -ENOMEM; 882 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC); 883 if (!opts->mnt_opts) 884 goto out_err; 885 886 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC); 887 if (!opts->mnt_opts_flags) { 888 kfree(opts->mnt_opts); 889 goto out_err; 890 } 891 892 if (fscontext) { 893 opts->mnt_opts[num_mnt_opts] = fscontext; 894 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 895 } 896 if (context) { 897 opts->mnt_opts[num_mnt_opts] = context; 898 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 899 } 900 if (rootcontext) { 901 opts->mnt_opts[num_mnt_opts] = rootcontext; 902 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 903 } 904 if (defcontext) { 905 opts->mnt_opts[num_mnt_opts] = defcontext; 906 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 907 } 908 909 opts->num_mnt_opts = num_mnt_opts; 910 return 0; 911 912 out_err: 913 kfree(context); 914 kfree(defcontext); 915 kfree(fscontext); 916 kfree(rootcontext); 917 return rc; 918 } 919 /* 920 * string mount options parsing and call set the sbsec 921 */ 922 static int superblock_doinit(struct super_block *sb, void *data) 923 { 924 int rc = 0; 925 char *options = data; 926 struct security_mnt_opts opts; 927 928 security_init_mnt_opts(&opts); 929 930 if (!data) 931 goto out; 932 933 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); 934 935 rc = selinux_parse_opts_str(options, &opts); 936 if (rc) 937 goto out_err; 938 939 out: 940 rc = selinux_set_mnt_opts(sb, &opts); 941 942 out_err: 943 security_free_mnt_opts(&opts); 944 return rc; 945 } 946 947 static inline u16 inode_mode_to_security_class(umode_t mode) 948 { 949 switch (mode & S_IFMT) { 950 case S_IFSOCK: 951 return SECCLASS_SOCK_FILE; 952 case S_IFLNK: 953 return SECCLASS_LNK_FILE; 954 case S_IFREG: 955 return SECCLASS_FILE; 956 case S_IFBLK: 957 return SECCLASS_BLK_FILE; 958 case S_IFDIR: 959 return SECCLASS_DIR; 960 case S_IFCHR: 961 return SECCLASS_CHR_FILE; 962 case S_IFIFO: 963 return SECCLASS_FIFO_FILE; 964 965 } 966 967 return SECCLASS_FILE; 968 } 969 970 static inline int default_protocol_stream(int protocol) 971 { 972 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 973 } 974 975 static inline int default_protocol_dgram(int protocol) 976 { 977 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 978 } 979 980 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 981 { 982 switch (family) { 983 case PF_UNIX: 984 switch (type) { 985 case SOCK_STREAM: 986 case SOCK_SEQPACKET: 987 return SECCLASS_UNIX_STREAM_SOCKET; 988 case SOCK_DGRAM: 989 return SECCLASS_UNIX_DGRAM_SOCKET; 990 } 991 break; 992 case PF_INET: 993 case PF_INET6: 994 switch (type) { 995 case SOCK_STREAM: 996 if (default_protocol_stream(protocol)) 997 return SECCLASS_TCP_SOCKET; 998 else 999 return SECCLASS_RAWIP_SOCKET; 1000 case SOCK_DGRAM: 1001 if (default_protocol_dgram(protocol)) 1002 return SECCLASS_UDP_SOCKET; 1003 else 1004 return SECCLASS_RAWIP_SOCKET; 1005 case SOCK_DCCP: 1006 return SECCLASS_DCCP_SOCKET; 1007 default: 1008 return SECCLASS_RAWIP_SOCKET; 1009 } 1010 break; 1011 case PF_NETLINK: 1012 switch (protocol) { 1013 case NETLINK_ROUTE: 1014 return SECCLASS_NETLINK_ROUTE_SOCKET; 1015 case NETLINK_FIREWALL: 1016 return SECCLASS_NETLINK_FIREWALL_SOCKET; 1017 case NETLINK_INET_DIAG: 1018 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1019 case NETLINK_NFLOG: 1020 return SECCLASS_NETLINK_NFLOG_SOCKET; 1021 case NETLINK_XFRM: 1022 return SECCLASS_NETLINK_XFRM_SOCKET; 1023 case NETLINK_SELINUX: 1024 return SECCLASS_NETLINK_SELINUX_SOCKET; 1025 case NETLINK_AUDIT: 1026 return SECCLASS_NETLINK_AUDIT_SOCKET; 1027 case NETLINK_IP6_FW: 1028 return SECCLASS_NETLINK_IP6FW_SOCKET; 1029 case NETLINK_DNRTMSG: 1030 return SECCLASS_NETLINK_DNRT_SOCKET; 1031 case NETLINK_KOBJECT_UEVENT: 1032 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1033 default: 1034 return SECCLASS_NETLINK_SOCKET; 1035 } 1036 case PF_PACKET: 1037 return SECCLASS_PACKET_SOCKET; 1038 case PF_KEY: 1039 return SECCLASS_KEY_SOCKET; 1040 case PF_APPLETALK: 1041 return SECCLASS_APPLETALK_SOCKET; 1042 } 1043 1044 return SECCLASS_SOCKET; 1045 } 1046 1047 #ifdef CONFIG_PROC_FS 1048 static int selinux_proc_get_sid(struct proc_dir_entry *de, 1049 u16 tclass, 1050 u32 *sid) 1051 { 1052 int buflen, rc; 1053 char *buffer, *path, *end; 1054 1055 buffer = (char*)__get_free_page(GFP_KERNEL); 1056 if (!buffer) 1057 return -ENOMEM; 1058 1059 buflen = PAGE_SIZE; 1060 end = buffer+buflen; 1061 *--end = '\0'; 1062 buflen--; 1063 path = end-1; 1064 *path = '/'; 1065 while (de && de != de->parent) { 1066 buflen -= de->namelen + 1; 1067 if (buflen < 0) 1068 break; 1069 end -= de->namelen; 1070 memcpy(end, de->name, de->namelen); 1071 *--end = '/'; 1072 path = end; 1073 de = de->parent; 1074 } 1075 rc = security_genfs_sid("proc", path, tclass, sid); 1076 free_page((unsigned long)buffer); 1077 return rc; 1078 } 1079 #else 1080 static int selinux_proc_get_sid(struct proc_dir_entry *de, 1081 u16 tclass, 1082 u32 *sid) 1083 { 1084 return -EINVAL; 1085 } 1086 #endif 1087 1088 /* The inode's security attributes must be initialized before first use. */ 1089 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1090 { 1091 struct superblock_security_struct *sbsec = NULL; 1092 struct inode_security_struct *isec = inode->i_security; 1093 u32 sid; 1094 struct dentry *dentry; 1095 #define INITCONTEXTLEN 255 1096 char *context = NULL; 1097 unsigned len = 0; 1098 int rc = 0; 1099 1100 if (isec->initialized) 1101 goto out; 1102 1103 mutex_lock(&isec->lock); 1104 if (isec->initialized) 1105 goto out_unlock; 1106 1107 sbsec = inode->i_sb->s_security; 1108 if (!sbsec->initialized) { 1109 /* Defer initialization until selinux_complete_init, 1110 after the initial policy is loaded and the security 1111 server is ready to handle calls. */ 1112 spin_lock(&sbsec->isec_lock); 1113 if (list_empty(&isec->list)) 1114 list_add(&isec->list, &sbsec->isec_head); 1115 spin_unlock(&sbsec->isec_lock); 1116 goto out_unlock; 1117 } 1118 1119 switch (sbsec->behavior) { 1120 case SECURITY_FS_USE_XATTR: 1121 if (!inode->i_op->getxattr) { 1122 isec->sid = sbsec->def_sid; 1123 break; 1124 } 1125 1126 /* Need a dentry, since the xattr API requires one. 1127 Life would be simpler if we could just pass the inode. */ 1128 if (opt_dentry) { 1129 /* Called from d_instantiate or d_splice_alias. */ 1130 dentry = dget(opt_dentry); 1131 } else { 1132 /* Called from selinux_complete_init, try to find a dentry. */ 1133 dentry = d_find_alias(inode); 1134 } 1135 if (!dentry) { 1136 printk(KERN_WARNING "%s: no dentry for dev=%s " 1137 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id, 1138 inode->i_ino); 1139 goto out_unlock; 1140 } 1141 1142 len = INITCONTEXTLEN; 1143 context = kmalloc(len, GFP_NOFS); 1144 if (!context) { 1145 rc = -ENOMEM; 1146 dput(dentry); 1147 goto out_unlock; 1148 } 1149 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1150 context, len); 1151 if (rc == -ERANGE) { 1152 /* Need a larger buffer. Query for the right size. */ 1153 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1154 NULL, 0); 1155 if (rc < 0) { 1156 dput(dentry); 1157 goto out_unlock; 1158 } 1159 kfree(context); 1160 len = rc; 1161 context = kmalloc(len, GFP_NOFS); 1162 if (!context) { 1163 rc = -ENOMEM; 1164 dput(dentry); 1165 goto out_unlock; 1166 } 1167 rc = inode->i_op->getxattr(dentry, 1168 XATTR_NAME_SELINUX, 1169 context, len); 1170 } 1171 dput(dentry); 1172 if (rc < 0) { 1173 if (rc != -ENODATA) { 1174 printk(KERN_WARNING "%s: getxattr returned " 1175 "%d for dev=%s ino=%ld\n", __FUNCTION__, 1176 -rc, inode->i_sb->s_id, inode->i_ino); 1177 kfree(context); 1178 goto out_unlock; 1179 } 1180 /* Map ENODATA to the default file SID */ 1181 sid = sbsec->def_sid; 1182 rc = 0; 1183 } else { 1184 rc = security_context_to_sid_default(context, rc, &sid, 1185 sbsec->def_sid, 1186 GFP_NOFS); 1187 if (rc) { 1188 printk(KERN_WARNING "%s: context_to_sid(%s) " 1189 "returned %d for dev=%s ino=%ld\n", 1190 __FUNCTION__, context, -rc, 1191 inode->i_sb->s_id, inode->i_ino); 1192 kfree(context); 1193 /* Leave with the unlabeled SID */ 1194 rc = 0; 1195 break; 1196 } 1197 } 1198 kfree(context); 1199 isec->sid = sid; 1200 break; 1201 case SECURITY_FS_USE_TASK: 1202 isec->sid = isec->task_sid; 1203 break; 1204 case SECURITY_FS_USE_TRANS: 1205 /* Default to the fs SID. */ 1206 isec->sid = sbsec->sid; 1207 1208 /* Try to obtain a transition SID. */ 1209 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1210 rc = security_transition_sid(isec->task_sid, 1211 sbsec->sid, 1212 isec->sclass, 1213 &sid); 1214 if (rc) 1215 goto out_unlock; 1216 isec->sid = sid; 1217 break; 1218 case SECURITY_FS_USE_MNTPOINT: 1219 isec->sid = sbsec->mntpoint_sid; 1220 break; 1221 default: 1222 /* Default to the fs superblock SID. */ 1223 isec->sid = sbsec->sid; 1224 1225 if (sbsec->proc) { 1226 struct proc_inode *proci = PROC_I(inode); 1227 if (proci->pde) { 1228 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1229 rc = selinux_proc_get_sid(proci->pde, 1230 isec->sclass, 1231 &sid); 1232 if (rc) 1233 goto out_unlock; 1234 isec->sid = sid; 1235 } 1236 } 1237 break; 1238 } 1239 1240 isec->initialized = 1; 1241 1242 out_unlock: 1243 mutex_unlock(&isec->lock); 1244 out: 1245 if (isec->sclass == SECCLASS_FILE) 1246 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1247 return rc; 1248 } 1249 1250 /* Convert a Linux signal to an access vector. */ 1251 static inline u32 signal_to_av(int sig) 1252 { 1253 u32 perm = 0; 1254 1255 switch (sig) { 1256 case SIGCHLD: 1257 /* Commonly granted from child to parent. */ 1258 perm = PROCESS__SIGCHLD; 1259 break; 1260 case SIGKILL: 1261 /* Cannot be caught or ignored */ 1262 perm = PROCESS__SIGKILL; 1263 break; 1264 case SIGSTOP: 1265 /* Cannot be caught or ignored */ 1266 perm = PROCESS__SIGSTOP; 1267 break; 1268 default: 1269 /* All other signals. */ 1270 perm = PROCESS__SIGNAL; 1271 break; 1272 } 1273 1274 return perm; 1275 } 1276 1277 /* Check permission betweeen a pair of tasks, e.g. signal checks, 1278 fork check, ptrace check, etc. */ 1279 static int task_has_perm(struct task_struct *tsk1, 1280 struct task_struct *tsk2, 1281 u32 perms) 1282 { 1283 struct task_security_struct *tsec1, *tsec2; 1284 1285 tsec1 = tsk1->security; 1286 tsec2 = tsk2->security; 1287 return avc_has_perm(tsec1->sid, tsec2->sid, 1288 SECCLASS_PROCESS, perms, NULL); 1289 } 1290 1291 #if CAP_LAST_CAP > 63 1292 #error Fix SELinux to handle capabilities > 63. 1293 #endif 1294 1295 /* Check whether a task is allowed to use a capability. */ 1296 static int task_has_capability(struct task_struct *tsk, 1297 int cap) 1298 { 1299 struct task_security_struct *tsec; 1300 struct avc_audit_data ad; 1301 u16 sclass; 1302 u32 av = CAP_TO_MASK(cap); 1303 1304 tsec = tsk->security; 1305 1306 AVC_AUDIT_DATA_INIT(&ad,CAP); 1307 ad.tsk = tsk; 1308 ad.u.cap = cap; 1309 1310 switch (CAP_TO_INDEX(cap)) { 1311 case 0: 1312 sclass = SECCLASS_CAPABILITY; 1313 break; 1314 case 1: 1315 sclass = SECCLASS_CAPABILITY2; 1316 break; 1317 default: 1318 printk(KERN_ERR 1319 "SELinux: out of range capability %d\n", cap); 1320 BUG(); 1321 } 1322 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad); 1323 } 1324 1325 /* Check whether a task is allowed to use a system operation. */ 1326 static int task_has_system(struct task_struct *tsk, 1327 u32 perms) 1328 { 1329 struct task_security_struct *tsec; 1330 1331 tsec = tsk->security; 1332 1333 return avc_has_perm(tsec->sid, SECINITSID_KERNEL, 1334 SECCLASS_SYSTEM, perms, NULL); 1335 } 1336 1337 /* Check whether a task has a particular permission to an inode. 1338 The 'adp' parameter is optional and allows other audit 1339 data to be passed (e.g. the dentry). */ 1340 static int inode_has_perm(struct task_struct *tsk, 1341 struct inode *inode, 1342 u32 perms, 1343 struct avc_audit_data *adp) 1344 { 1345 struct task_security_struct *tsec; 1346 struct inode_security_struct *isec; 1347 struct avc_audit_data ad; 1348 1349 if (unlikely (IS_PRIVATE (inode))) 1350 return 0; 1351 1352 tsec = tsk->security; 1353 isec = inode->i_security; 1354 1355 if (!adp) { 1356 adp = &ad; 1357 AVC_AUDIT_DATA_INIT(&ad, FS); 1358 ad.u.fs.inode = inode; 1359 } 1360 1361 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp); 1362 } 1363 1364 /* Same as inode_has_perm, but pass explicit audit data containing 1365 the dentry to help the auditing code to more easily generate the 1366 pathname if needed. */ 1367 static inline int dentry_has_perm(struct task_struct *tsk, 1368 struct vfsmount *mnt, 1369 struct dentry *dentry, 1370 u32 av) 1371 { 1372 struct inode *inode = dentry->d_inode; 1373 struct avc_audit_data ad; 1374 AVC_AUDIT_DATA_INIT(&ad,FS); 1375 ad.u.fs.path.mnt = mnt; 1376 ad.u.fs.path.dentry = dentry; 1377 return inode_has_perm(tsk, inode, av, &ad); 1378 } 1379 1380 /* Check whether a task can use an open file descriptor to 1381 access an inode in a given way. Check access to the 1382 descriptor itself, and then use dentry_has_perm to 1383 check a particular permission to the file. 1384 Access to the descriptor is implicitly granted if it 1385 has the same SID as the process. If av is zero, then 1386 access to the file is not checked, e.g. for cases 1387 where only the descriptor is affected like seek. */ 1388 static int file_has_perm(struct task_struct *tsk, 1389 struct file *file, 1390 u32 av) 1391 { 1392 struct task_security_struct *tsec = tsk->security; 1393 struct file_security_struct *fsec = file->f_security; 1394 struct inode *inode = file->f_path.dentry->d_inode; 1395 struct avc_audit_data ad; 1396 int rc; 1397 1398 AVC_AUDIT_DATA_INIT(&ad, FS); 1399 ad.u.fs.path = file->f_path; 1400 1401 if (tsec->sid != fsec->sid) { 1402 rc = avc_has_perm(tsec->sid, fsec->sid, 1403 SECCLASS_FD, 1404 FD__USE, 1405 &ad); 1406 if (rc) 1407 return rc; 1408 } 1409 1410 /* av is zero if only checking access to the descriptor. */ 1411 if (av) 1412 return inode_has_perm(tsk, inode, av, &ad); 1413 1414 return 0; 1415 } 1416 1417 /* Check whether a task can create a file. */ 1418 static int may_create(struct inode *dir, 1419 struct dentry *dentry, 1420 u16 tclass) 1421 { 1422 struct task_security_struct *tsec; 1423 struct inode_security_struct *dsec; 1424 struct superblock_security_struct *sbsec; 1425 u32 newsid; 1426 struct avc_audit_data ad; 1427 int rc; 1428 1429 tsec = current->security; 1430 dsec = dir->i_security; 1431 sbsec = dir->i_sb->s_security; 1432 1433 AVC_AUDIT_DATA_INIT(&ad, FS); 1434 ad.u.fs.path.dentry = dentry; 1435 1436 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, 1437 DIR__ADD_NAME | DIR__SEARCH, 1438 &ad); 1439 if (rc) 1440 return rc; 1441 1442 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 1443 newsid = tsec->create_sid; 1444 } else { 1445 rc = security_transition_sid(tsec->sid, dsec->sid, tclass, 1446 &newsid); 1447 if (rc) 1448 return rc; 1449 } 1450 1451 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad); 1452 if (rc) 1453 return rc; 1454 1455 return avc_has_perm(newsid, sbsec->sid, 1456 SECCLASS_FILESYSTEM, 1457 FILESYSTEM__ASSOCIATE, &ad); 1458 } 1459 1460 /* Check whether a task can create a key. */ 1461 static int may_create_key(u32 ksid, 1462 struct task_struct *ctx) 1463 { 1464 struct task_security_struct *tsec; 1465 1466 tsec = ctx->security; 1467 1468 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); 1469 } 1470 1471 #define MAY_LINK 0 1472 #define MAY_UNLINK 1 1473 #define MAY_RMDIR 2 1474 1475 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1476 static int may_link(struct inode *dir, 1477 struct dentry *dentry, 1478 int kind) 1479 1480 { 1481 struct task_security_struct *tsec; 1482 struct inode_security_struct *dsec, *isec; 1483 struct avc_audit_data ad; 1484 u32 av; 1485 int rc; 1486 1487 tsec = current->security; 1488 dsec = dir->i_security; 1489 isec = dentry->d_inode->i_security; 1490 1491 AVC_AUDIT_DATA_INIT(&ad, FS); 1492 ad.u.fs.path.dentry = dentry; 1493 1494 av = DIR__SEARCH; 1495 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1496 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad); 1497 if (rc) 1498 return rc; 1499 1500 switch (kind) { 1501 case MAY_LINK: 1502 av = FILE__LINK; 1503 break; 1504 case MAY_UNLINK: 1505 av = FILE__UNLINK; 1506 break; 1507 case MAY_RMDIR: 1508 av = DIR__RMDIR; 1509 break; 1510 default: 1511 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind); 1512 return 0; 1513 } 1514 1515 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad); 1516 return rc; 1517 } 1518 1519 static inline int may_rename(struct inode *old_dir, 1520 struct dentry *old_dentry, 1521 struct inode *new_dir, 1522 struct dentry *new_dentry) 1523 { 1524 struct task_security_struct *tsec; 1525 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1526 struct avc_audit_data ad; 1527 u32 av; 1528 int old_is_dir, new_is_dir; 1529 int rc; 1530 1531 tsec = current->security; 1532 old_dsec = old_dir->i_security; 1533 old_isec = old_dentry->d_inode->i_security; 1534 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); 1535 new_dsec = new_dir->i_security; 1536 1537 AVC_AUDIT_DATA_INIT(&ad, FS); 1538 1539 ad.u.fs.path.dentry = old_dentry; 1540 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR, 1541 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1542 if (rc) 1543 return rc; 1544 rc = avc_has_perm(tsec->sid, old_isec->sid, 1545 old_isec->sclass, FILE__RENAME, &ad); 1546 if (rc) 1547 return rc; 1548 if (old_is_dir && new_dir != old_dir) { 1549 rc = avc_has_perm(tsec->sid, old_isec->sid, 1550 old_isec->sclass, DIR__REPARENT, &ad); 1551 if (rc) 1552 return rc; 1553 } 1554 1555 ad.u.fs.path.dentry = new_dentry; 1556 av = DIR__ADD_NAME | DIR__SEARCH; 1557 if (new_dentry->d_inode) 1558 av |= DIR__REMOVE_NAME; 1559 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1560 if (rc) 1561 return rc; 1562 if (new_dentry->d_inode) { 1563 new_isec = new_dentry->d_inode->i_security; 1564 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode); 1565 rc = avc_has_perm(tsec->sid, new_isec->sid, 1566 new_isec->sclass, 1567 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1568 if (rc) 1569 return rc; 1570 } 1571 1572 return 0; 1573 } 1574 1575 /* Check whether a task can perform a filesystem operation. */ 1576 static int superblock_has_perm(struct task_struct *tsk, 1577 struct super_block *sb, 1578 u32 perms, 1579 struct avc_audit_data *ad) 1580 { 1581 struct task_security_struct *tsec; 1582 struct superblock_security_struct *sbsec; 1583 1584 tsec = tsk->security; 1585 sbsec = sb->s_security; 1586 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 1587 perms, ad); 1588 } 1589 1590 /* Convert a Linux mode and permission mask to an access vector. */ 1591 static inline u32 file_mask_to_av(int mode, int mask) 1592 { 1593 u32 av = 0; 1594 1595 if ((mode & S_IFMT) != S_IFDIR) { 1596 if (mask & MAY_EXEC) 1597 av |= FILE__EXECUTE; 1598 if (mask & MAY_READ) 1599 av |= FILE__READ; 1600 1601 if (mask & MAY_APPEND) 1602 av |= FILE__APPEND; 1603 else if (mask & MAY_WRITE) 1604 av |= FILE__WRITE; 1605 1606 } else { 1607 if (mask & MAY_EXEC) 1608 av |= DIR__SEARCH; 1609 if (mask & MAY_WRITE) 1610 av |= DIR__WRITE; 1611 if (mask & MAY_READ) 1612 av |= DIR__READ; 1613 } 1614 1615 return av; 1616 } 1617 1618 /* Convert a Linux file to an access vector. */ 1619 static inline u32 file_to_av(struct file *file) 1620 { 1621 u32 av = 0; 1622 1623 if (file->f_mode & FMODE_READ) 1624 av |= FILE__READ; 1625 if (file->f_mode & FMODE_WRITE) { 1626 if (file->f_flags & O_APPEND) 1627 av |= FILE__APPEND; 1628 else 1629 av |= FILE__WRITE; 1630 } 1631 if (!av) { 1632 /* 1633 * Special file opened with flags 3 for ioctl-only use. 1634 */ 1635 av = FILE__IOCTL; 1636 } 1637 1638 return av; 1639 } 1640 1641 /* Hook functions begin here. */ 1642 1643 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) 1644 { 1645 struct task_security_struct *psec = parent->security; 1646 struct task_security_struct *csec = child->security; 1647 int rc; 1648 1649 rc = secondary_ops->ptrace(parent,child); 1650 if (rc) 1651 return rc; 1652 1653 rc = task_has_perm(parent, child, PROCESS__PTRACE); 1654 /* Save the SID of the tracing process for later use in apply_creds. */ 1655 if (!(child->ptrace & PT_PTRACED) && !rc) 1656 csec->ptrace_sid = psec->sid; 1657 return rc; 1658 } 1659 1660 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 1661 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1662 { 1663 int error; 1664 1665 error = task_has_perm(current, target, PROCESS__GETCAP); 1666 if (error) 1667 return error; 1668 1669 return secondary_ops->capget(target, effective, inheritable, permitted); 1670 } 1671 1672 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, 1673 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1674 { 1675 int error; 1676 1677 error = secondary_ops->capset_check(target, effective, inheritable, permitted); 1678 if (error) 1679 return error; 1680 1681 return task_has_perm(current, target, PROCESS__SETCAP); 1682 } 1683 1684 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, 1685 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1686 { 1687 secondary_ops->capset_set(target, effective, inheritable, permitted); 1688 } 1689 1690 static int selinux_capable(struct task_struct *tsk, int cap) 1691 { 1692 int rc; 1693 1694 rc = secondary_ops->capable(tsk, cap); 1695 if (rc) 1696 return rc; 1697 1698 return task_has_capability(tsk,cap); 1699 } 1700 1701 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) 1702 { 1703 int buflen, rc; 1704 char *buffer, *path, *end; 1705 1706 rc = -ENOMEM; 1707 buffer = (char*)__get_free_page(GFP_KERNEL); 1708 if (!buffer) 1709 goto out; 1710 1711 buflen = PAGE_SIZE; 1712 end = buffer+buflen; 1713 *--end = '\0'; 1714 buflen--; 1715 path = end-1; 1716 *path = '/'; 1717 while (table) { 1718 const char *name = table->procname; 1719 size_t namelen = strlen(name); 1720 buflen -= namelen + 1; 1721 if (buflen < 0) 1722 goto out_free; 1723 end -= namelen; 1724 memcpy(end, name, namelen); 1725 *--end = '/'; 1726 path = end; 1727 table = table->parent; 1728 } 1729 buflen -= 4; 1730 if (buflen < 0) 1731 goto out_free; 1732 end -= 4; 1733 memcpy(end, "/sys", 4); 1734 path = end; 1735 rc = security_genfs_sid("proc", path, tclass, sid); 1736 out_free: 1737 free_page((unsigned long)buffer); 1738 out: 1739 return rc; 1740 } 1741 1742 static int selinux_sysctl(ctl_table *table, int op) 1743 { 1744 int error = 0; 1745 u32 av; 1746 struct task_security_struct *tsec; 1747 u32 tsid; 1748 int rc; 1749 1750 rc = secondary_ops->sysctl(table, op); 1751 if (rc) 1752 return rc; 1753 1754 tsec = current->security; 1755 1756 rc = selinux_sysctl_get_sid(table, (op == 0001) ? 1757 SECCLASS_DIR : SECCLASS_FILE, &tsid); 1758 if (rc) { 1759 /* Default to the well-defined sysctl SID. */ 1760 tsid = SECINITSID_SYSCTL; 1761 } 1762 1763 /* The op values are "defined" in sysctl.c, thereby creating 1764 * a bad coupling between this module and sysctl.c */ 1765 if(op == 001) { 1766 error = avc_has_perm(tsec->sid, tsid, 1767 SECCLASS_DIR, DIR__SEARCH, NULL); 1768 } else { 1769 av = 0; 1770 if (op & 004) 1771 av |= FILE__READ; 1772 if (op & 002) 1773 av |= FILE__WRITE; 1774 if (av) 1775 error = avc_has_perm(tsec->sid, tsid, 1776 SECCLASS_FILE, av, NULL); 1777 } 1778 1779 return error; 1780 } 1781 1782 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 1783 { 1784 int rc = 0; 1785 1786 if (!sb) 1787 return 0; 1788 1789 switch (cmds) { 1790 case Q_SYNC: 1791 case Q_QUOTAON: 1792 case Q_QUOTAOFF: 1793 case Q_SETINFO: 1794 case Q_SETQUOTA: 1795 rc = superblock_has_perm(current, 1796 sb, 1797 FILESYSTEM__QUOTAMOD, NULL); 1798 break; 1799 case Q_GETFMT: 1800 case Q_GETINFO: 1801 case Q_GETQUOTA: 1802 rc = superblock_has_perm(current, 1803 sb, 1804 FILESYSTEM__QUOTAGET, NULL); 1805 break; 1806 default: 1807 rc = 0; /* let the kernel handle invalid cmds */ 1808 break; 1809 } 1810 return rc; 1811 } 1812 1813 static int selinux_quota_on(struct dentry *dentry) 1814 { 1815 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON); 1816 } 1817 1818 static int selinux_syslog(int type) 1819 { 1820 int rc; 1821 1822 rc = secondary_ops->syslog(type); 1823 if (rc) 1824 return rc; 1825 1826 switch (type) { 1827 case 3: /* Read last kernel messages */ 1828 case 10: /* Return size of the log buffer */ 1829 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 1830 break; 1831 case 6: /* Disable logging to console */ 1832 case 7: /* Enable logging to console */ 1833 case 8: /* Set level of messages printed to console */ 1834 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); 1835 break; 1836 case 0: /* Close log */ 1837 case 1: /* Open log */ 1838 case 2: /* Read from log */ 1839 case 4: /* Read/clear last kernel messages */ 1840 case 5: /* Clear ring buffer */ 1841 default: 1842 rc = task_has_system(current, SYSTEM__SYSLOG_MOD); 1843 break; 1844 } 1845 return rc; 1846 } 1847 1848 /* 1849 * Check that a process has enough memory to allocate a new virtual 1850 * mapping. 0 means there is enough memory for the allocation to 1851 * succeed and -ENOMEM implies there is not. 1852 * 1853 * Note that secondary_ops->capable and task_has_perm_noaudit return 0 1854 * if the capability is granted, but __vm_enough_memory requires 1 if 1855 * the capability is granted. 1856 * 1857 * Do not audit the selinux permission check, as this is applied to all 1858 * processes that allocate mappings. 1859 */ 1860 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 1861 { 1862 int rc, cap_sys_admin = 0; 1863 struct task_security_struct *tsec = current->security; 1864 1865 rc = secondary_ops->capable(current, CAP_SYS_ADMIN); 1866 if (rc == 0) 1867 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid, 1868 SECCLASS_CAPABILITY, 1869 CAP_TO_MASK(CAP_SYS_ADMIN), 1870 0, 1871 NULL); 1872 1873 if (rc == 0) 1874 cap_sys_admin = 1; 1875 1876 return __vm_enough_memory(mm, pages, cap_sys_admin); 1877 } 1878 1879 /* binprm security operations */ 1880 1881 static int selinux_bprm_alloc_security(struct linux_binprm *bprm) 1882 { 1883 struct bprm_security_struct *bsec; 1884 1885 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL); 1886 if (!bsec) 1887 return -ENOMEM; 1888 1889 bsec->sid = SECINITSID_UNLABELED; 1890 bsec->set = 0; 1891 1892 bprm->security = bsec; 1893 return 0; 1894 } 1895 1896 static int selinux_bprm_set_security(struct linux_binprm *bprm) 1897 { 1898 struct task_security_struct *tsec; 1899 struct inode *inode = bprm->file->f_path.dentry->d_inode; 1900 struct inode_security_struct *isec; 1901 struct bprm_security_struct *bsec; 1902 u32 newsid; 1903 struct avc_audit_data ad; 1904 int rc; 1905 1906 rc = secondary_ops->bprm_set_security(bprm); 1907 if (rc) 1908 return rc; 1909 1910 bsec = bprm->security; 1911 1912 if (bsec->set) 1913 return 0; 1914 1915 tsec = current->security; 1916 isec = inode->i_security; 1917 1918 /* Default to the current task SID. */ 1919 bsec->sid = tsec->sid; 1920 1921 /* Reset fs, key, and sock SIDs on execve. */ 1922 tsec->create_sid = 0; 1923 tsec->keycreate_sid = 0; 1924 tsec->sockcreate_sid = 0; 1925 1926 if (tsec->exec_sid) { 1927 newsid = tsec->exec_sid; 1928 /* Reset exec SID on execve. */ 1929 tsec->exec_sid = 0; 1930 } else { 1931 /* Check for a default transition on this program. */ 1932 rc = security_transition_sid(tsec->sid, isec->sid, 1933 SECCLASS_PROCESS, &newsid); 1934 if (rc) 1935 return rc; 1936 } 1937 1938 AVC_AUDIT_DATA_INIT(&ad, FS); 1939 ad.u.fs.path = bprm->file->f_path; 1940 1941 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) 1942 newsid = tsec->sid; 1943 1944 if (tsec->sid == newsid) { 1945 rc = avc_has_perm(tsec->sid, isec->sid, 1946 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 1947 if (rc) 1948 return rc; 1949 } else { 1950 /* Check permissions for the transition. */ 1951 rc = avc_has_perm(tsec->sid, newsid, 1952 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 1953 if (rc) 1954 return rc; 1955 1956 rc = avc_has_perm(newsid, isec->sid, 1957 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 1958 if (rc) 1959 return rc; 1960 1961 /* Clear any possibly unsafe personality bits on exec: */ 1962 current->personality &= ~PER_CLEAR_ON_SETID; 1963 1964 /* Set the security field to the new SID. */ 1965 bsec->sid = newsid; 1966 } 1967 1968 bsec->set = 1; 1969 return 0; 1970 } 1971 1972 static int selinux_bprm_check_security (struct linux_binprm *bprm) 1973 { 1974 return secondary_ops->bprm_check_security(bprm); 1975 } 1976 1977 1978 static int selinux_bprm_secureexec (struct linux_binprm *bprm) 1979 { 1980 struct task_security_struct *tsec = current->security; 1981 int atsecure = 0; 1982 1983 if (tsec->osid != tsec->sid) { 1984 /* Enable secure mode for SIDs transitions unless 1985 the noatsecure permission is granted between 1986 the two SIDs, i.e. ahp returns 0. */ 1987 atsecure = avc_has_perm(tsec->osid, tsec->sid, 1988 SECCLASS_PROCESS, 1989 PROCESS__NOATSECURE, NULL); 1990 } 1991 1992 return (atsecure || secondary_ops->bprm_secureexec(bprm)); 1993 } 1994 1995 static void selinux_bprm_free_security(struct linux_binprm *bprm) 1996 { 1997 kfree(bprm->security); 1998 bprm->security = NULL; 1999 } 2000 2001 extern struct vfsmount *selinuxfs_mount; 2002 extern struct dentry *selinux_null; 2003 2004 /* Derived from fs/exec.c:flush_old_files. */ 2005 static inline void flush_unauthorized_files(struct files_struct * files) 2006 { 2007 struct avc_audit_data ad; 2008 struct file *file, *devnull = NULL; 2009 struct tty_struct *tty; 2010 struct fdtable *fdt; 2011 long j = -1; 2012 int drop_tty = 0; 2013 2014 mutex_lock(&tty_mutex); 2015 tty = get_current_tty(); 2016 if (tty) { 2017 file_list_lock(); 2018 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list); 2019 if (file) { 2020 /* Revalidate access to controlling tty. 2021 Use inode_has_perm on the tty inode directly rather 2022 than using file_has_perm, as this particular open 2023 file may belong to another process and we are only 2024 interested in the inode-based check here. */ 2025 struct inode *inode = file->f_path.dentry->d_inode; 2026 if (inode_has_perm(current, inode, 2027 FILE__READ | FILE__WRITE, NULL)) { 2028 drop_tty = 1; 2029 } 2030 } 2031 file_list_unlock(); 2032 } 2033 mutex_unlock(&tty_mutex); 2034 /* Reset controlling tty. */ 2035 if (drop_tty) 2036 no_tty(); 2037 2038 /* Revalidate access to inherited open files. */ 2039 2040 AVC_AUDIT_DATA_INIT(&ad,FS); 2041 2042 spin_lock(&files->file_lock); 2043 for (;;) { 2044 unsigned long set, i; 2045 int fd; 2046 2047 j++; 2048 i = j * __NFDBITS; 2049 fdt = files_fdtable(files); 2050 if (i >= fdt->max_fds) 2051 break; 2052 set = fdt->open_fds->fds_bits[j]; 2053 if (!set) 2054 continue; 2055 spin_unlock(&files->file_lock); 2056 for ( ; set ; i++,set >>= 1) { 2057 if (set & 1) { 2058 file = fget(i); 2059 if (!file) 2060 continue; 2061 if (file_has_perm(current, 2062 file, 2063 file_to_av(file))) { 2064 sys_close(i); 2065 fd = get_unused_fd(); 2066 if (fd != i) { 2067 if (fd >= 0) 2068 put_unused_fd(fd); 2069 fput(file); 2070 continue; 2071 } 2072 if (devnull) { 2073 get_file(devnull); 2074 } else { 2075 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR); 2076 if (IS_ERR(devnull)) { 2077 devnull = NULL; 2078 put_unused_fd(fd); 2079 fput(file); 2080 continue; 2081 } 2082 } 2083 fd_install(fd, devnull); 2084 } 2085 fput(file); 2086 } 2087 } 2088 spin_lock(&files->file_lock); 2089 2090 } 2091 spin_unlock(&files->file_lock); 2092 } 2093 2094 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) 2095 { 2096 struct task_security_struct *tsec; 2097 struct bprm_security_struct *bsec; 2098 u32 sid; 2099 int rc; 2100 2101 secondary_ops->bprm_apply_creds(bprm, unsafe); 2102 2103 tsec = current->security; 2104 2105 bsec = bprm->security; 2106 sid = bsec->sid; 2107 2108 tsec->osid = tsec->sid; 2109 bsec->unsafe = 0; 2110 if (tsec->sid != sid) { 2111 /* Check for shared state. If not ok, leave SID 2112 unchanged and kill. */ 2113 if (unsafe & LSM_UNSAFE_SHARE) { 2114 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 2115 PROCESS__SHARE, NULL); 2116 if (rc) { 2117 bsec->unsafe = 1; 2118 return; 2119 } 2120 } 2121 2122 /* Check for ptracing, and update the task SID if ok. 2123 Otherwise, leave SID unchanged and kill. */ 2124 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 2125 rc = avc_has_perm(tsec->ptrace_sid, sid, 2126 SECCLASS_PROCESS, PROCESS__PTRACE, 2127 NULL); 2128 if (rc) { 2129 bsec->unsafe = 1; 2130 return; 2131 } 2132 } 2133 tsec->sid = sid; 2134 } 2135 } 2136 2137 /* 2138 * called after apply_creds without the task lock held 2139 */ 2140 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) 2141 { 2142 struct task_security_struct *tsec; 2143 struct rlimit *rlim, *initrlim; 2144 struct itimerval itimer; 2145 struct bprm_security_struct *bsec; 2146 int rc, i; 2147 2148 tsec = current->security; 2149 bsec = bprm->security; 2150 2151 if (bsec->unsafe) { 2152 force_sig_specific(SIGKILL, current); 2153 return; 2154 } 2155 if (tsec->osid == tsec->sid) 2156 return; 2157 2158 /* Close files for which the new task SID is not authorized. */ 2159 flush_unauthorized_files(current->files); 2160 2161 /* Check whether the new SID can inherit signal state 2162 from the old SID. If not, clear itimers to avoid 2163 subsequent signal generation and flush and unblock 2164 signals. This must occur _after_ the task SID has 2165 been updated so that any kill done after the flush 2166 will be checked against the new SID. */ 2167 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, 2168 PROCESS__SIGINH, NULL); 2169 if (rc) { 2170 memset(&itimer, 0, sizeof itimer); 2171 for (i = 0; i < 3; i++) 2172 do_setitimer(i, &itimer, NULL); 2173 flush_signals(current); 2174 spin_lock_irq(¤t->sighand->siglock); 2175 flush_signal_handlers(current, 1); 2176 sigemptyset(¤t->blocked); 2177 recalc_sigpending(); 2178 spin_unlock_irq(¤t->sighand->siglock); 2179 } 2180 2181 /* Always clear parent death signal on SID transitions. */ 2182 current->pdeath_signal = 0; 2183 2184 /* Check whether the new SID can inherit resource limits 2185 from the old SID. If not, reset all soft limits to 2186 the lower of the current task's hard limit and the init 2187 task's soft limit. Note that the setting of hard limits 2188 (even to lower them) can be controlled by the setrlimit 2189 check. The inclusion of the init task's soft limit into 2190 the computation is to avoid resetting soft limits higher 2191 than the default soft limit for cases where the default 2192 is lower than the hard limit, e.g. RLIMIT_CORE or 2193 RLIMIT_STACK.*/ 2194 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, 2195 PROCESS__RLIMITINH, NULL); 2196 if (rc) { 2197 for (i = 0; i < RLIM_NLIMITS; i++) { 2198 rlim = current->signal->rlim + i; 2199 initrlim = init_task.signal->rlim+i; 2200 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur); 2201 } 2202 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) { 2203 /* 2204 * This will cause RLIMIT_CPU calculations 2205 * to be refigured. 2206 */ 2207 current->it_prof_expires = jiffies_to_cputime(1); 2208 } 2209 } 2210 2211 /* Wake up the parent if it is waiting so that it can 2212 recheck wait permission to the new task SID. */ 2213 wake_up_interruptible(¤t->parent->signal->wait_chldexit); 2214 } 2215 2216 /* superblock security operations */ 2217 2218 static int selinux_sb_alloc_security(struct super_block *sb) 2219 { 2220 return superblock_alloc_security(sb); 2221 } 2222 2223 static void selinux_sb_free_security(struct super_block *sb) 2224 { 2225 superblock_free_security(sb); 2226 } 2227 2228 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2229 { 2230 if (plen > olen) 2231 return 0; 2232 2233 return !memcmp(prefix, option, plen); 2234 } 2235 2236 static inline int selinux_option(char *option, int len) 2237 { 2238 return (match_prefix("context=", sizeof("context=")-1, option, len) || 2239 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) || 2240 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) || 2241 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len)); 2242 } 2243 2244 static inline void take_option(char **to, char *from, int *first, int len) 2245 { 2246 if (!*first) { 2247 **to = ','; 2248 *to += 1; 2249 } else 2250 *first = 0; 2251 memcpy(*to, from, len); 2252 *to += len; 2253 } 2254 2255 static inline void take_selinux_option(char **to, char *from, int *first, 2256 int len) 2257 { 2258 int current_size = 0; 2259 2260 if (!*first) { 2261 **to = '|'; 2262 *to += 1; 2263 } 2264 else 2265 *first = 0; 2266 2267 while (current_size < len) { 2268 if (*from != '"') { 2269 **to = *from; 2270 *to += 1; 2271 } 2272 from += 1; 2273 current_size += 1; 2274 } 2275 } 2276 2277 static int selinux_sb_copy_data(char *orig, char *copy) 2278 { 2279 int fnosec, fsec, rc = 0; 2280 char *in_save, *in_curr, *in_end; 2281 char *sec_curr, *nosec_save, *nosec; 2282 int open_quote = 0; 2283 2284 in_curr = orig; 2285 sec_curr = copy; 2286 2287 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2288 if (!nosec) { 2289 rc = -ENOMEM; 2290 goto out; 2291 } 2292 2293 nosec_save = nosec; 2294 fnosec = fsec = 1; 2295 in_save = in_end = orig; 2296 2297 do { 2298 if (*in_end == '"') 2299 open_quote = !open_quote; 2300 if ((*in_end == ',' && open_quote == 0) || 2301 *in_end == '\0') { 2302 int len = in_end - in_curr; 2303 2304 if (selinux_option(in_curr, len)) 2305 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2306 else 2307 take_option(&nosec, in_curr, &fnosec, len); 2308 2309 in_curr = in_end + 1; 2310 } 2311 } while (*in_end++); 2312 2313 strcpy(in_save, nosec_save); 2314 free_page((unsigned long)nosec_save); 2315 out: 2316 return rc; 2317 } 2318 2319 static int selinux_sb_kern_mount(struct super_block *sb, void *data) 2320 { 2321 struct avc_audit_data ad; 2322 int rc; 2323 2324 rc = superblock_doinit(sb, data); 2325 if (rc) 2326 return rc; 2327 2328 AVC_AUDIT_DATA_INIT(&ad,FS); 2329 ad.u.fs.path.dentry = sb->s_root; 2330 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); 2331 } 2332 2333 static int selinux_sb_statfs(struct dentry *dentry) 2334 { 2335 struct avc_audit_data ad; 2336 2337 AVC_AUDIT_DATA_INIT(&ad,FS); 2338 ad.u.fs.path.dentry = dentry->d_sb->s_root; 2339 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2340 } 2341 2342 static int selinux_mount(char * dev_name, 2343 struct nameidata *nd, 2344 char * type, 2345 unsigned long flags, 2346 void * data) 2347 { 2348 int rc; 2349 2350 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data); 2351 if (rc) 2352 return rc; 2353 2354 if (flags & MS_REMOUNT) 2355 return superblock_has_perm(current, nd->path.mnt->mnt_sb, 2356 FILESYSTEM__REMOUNT, NULL); 2357 else 2358 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry, 2359 FILE__MOUNTON); 2360 } 2361 2362 static int selinux_umount(struct vfsmount *mnt, int flags) 2363 { 2364 int rc; 2365 2366 rc = secondary_ops->sb_umount(mnt, flags); 2367 if (rc) 2368 return rc; 2369 2370 return superblock_has_perm(current,mnt->mnt_sb, 2371 FILESYSTEM__UNMOUNT,NULL); 2372 } 2373 2374 /* inode security operations */ 2375 2376 static int selinux_inode_alloc_security(struct inode *inode) 2377 { 2378 return inode_alloc_security(inode); 2379 } 2380 2381 static void selinux_inode_free_security(struct inode *inode) 2382 { 2383 inode_free_security(inode); 2384 } 2385 2386 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2387 char **name, void **value, 2388 size_t *len) 2389 { 2390 struct task_security_struct *tsec; 2391 struct inode_security_struct *dsec; 2392 struct superblock_security_struct *sbsec; 2393 u32 newsid, clen; 2394 int rc; 2395 char *namep = NULL, *context; 2396 2397 tsec = current->security; 2398 dsec = dir->i_security; 2399 sbsec = dir->i_sb->s_security; 2400 2401 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 2402 newsid = tsec->create_sid; 2403 } else { 2404 rc = security_transition_sid(tsec->sid, dsec->sid, 2405 inode_mode_to_security_class(inode->i_mode), 2406 &newsid); 2407 if (rc) { 2408 printk(KERN_WARNING "%s: " 2409 "security_transition_sid failed, rc=%d (dev=%s " 2410 "ino=%ld)\n", 2411 __FUNCTION__, 2412 -rc, inode->i_sb->s_id, inode->i_ino); 2413 return rc; 2414 } 2415 } 2416 2417 /* Possibly defer initialization to selinux_complete_init. */ 2418 if (sbsec->initialized) { 2419 struct inode_security_struct *isec = inode->i_security; 2420 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2421 isec->sid = newsid; 2422 isec->initialized = 1; 2423 } 2424 2425 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 2426 return -EOPNOTSUPP; 2427 2428 if (name) { 2429 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS); 2430 if (!namep) 2431 return -ENOMEM; 2432 *name = namep; 2433 } 2434 2435 if (value && len) { 2436 rc = security_sid_to_context(newsid, &context, &clen); 2437 if (rc) { 2438 kfree(namep); 2439 return rc; 2440 } 2441 *value = context; 2442 *len = clen; 2443 } 2444 2445 return 0; 2446 } 2447 2448 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask) 2449 { 2450 return may_create(dir, dentry, SECCLASS_FILE); 2451 } 2452 2453 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2454 { 2455 int rc; 2456 2457 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry); 2458 if (rc) 2459 return rc; 2460 return may_link(dir, old_dentry, MAY_LINK); 2461 } 2462 2463 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2464 { 2465 int rc; 2466 2467 rc = secondary_ops->inode_unlink(dir, dentry); 2468 if (rc) 2469 return rc; 2470 return may_link(dir, dentry, MAY_UNLINK); 2471 } 2472 2473 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2474 { 2475 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2476 } 2477 2478 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask) 2479 { 2480 return may_create(dir, dentry, SECCLASS_DIR); 2481 } 2482 2483 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2484 { 2485 return may_link(dir, dentry, MAY_RMDIR); 2486 } 2487 2488 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) 2489 { 2490 int rc; 2491 2492 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev); 2493 if (rc) 2494 return rc; 2495 2496 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2497 } 2498 2499 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2500 struct inode *new_inode, struct dentry *new_dentry) 2501 { 2502 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2503 } 2504 2505 static int selinux_inode_readlink(struct dentry *dentry) 2506 { 2507 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2508 } 2509 2510 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) 2511 { 2512 int rc; 2513 2514 rc = secondary_ops->inode_follow_link(dentry,nameidata); 2515 if (rc) 2516 return rc; 2517 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2518 } 2519 2520 static int selinux_inode_permission(struct inode *inode, int mask, 2521 struct nameidata *nd) 2522 { 2523 int rc; 2524 2525 rc = secondary_ops->inode_permission(inode, mask, nd); 2526 if (rc) 2527 return rc; 2528 2529 if (!mask) { 2530 /* No permission to check. Existence test. */ 2531 return 0; 2532 } 2533 2534 return inode_has_perm(current, inode, 2535 file_mask_to_av(inode->i_mode, mask), NULL); 2536 } 2537 2538 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2539 { 2540 int rc; 2541 2542 rc = secondary_ops->inode_setattr(dentry, iattr); 2543 if (rc) 2544 return rc; 2545 2546 if (iattr->ia_valid & ATTR_FORCE) 2547 return 0; 2548 2549 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 2550 ATTR_ATIME_SET | ATTR_MTIME_SET)) 2551 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2552 2553 return dentry_has_perm(current, NULL, dentry, FILE__WRITE); 2554 } 2555 2556 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 2557 { 2558 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR); 2559 } 2560 2561 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name) 2562 { 2563 if (!strncmp(name, XATTR_SECURITY_PREFIX, 2564 sizeof XATTR_SECURITY_PREFIX - 1)) { 2565 if (!strcmp(name, XATTR_NAME_CAPS)) { 2566 if (!capable(CAP_SETFCAP)) 2567 return -EPERM; 2568 } else if (!capable(CAP_SYS_ADMIN)) { 2569 /* A different attribute in the security namespace. 2570 Restrict to administrator. */ 2571 return -EPERM; 2572 } 2573 } 2574 2575 /* Not an attribute we recognize, so just check the 2576 ordinary setattr permission. */ 2577 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2578 } 2579 2580 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags) 2581 { 2582 struct task_security_struct *tsec = current->security; 2583 struct inode *inode = dentry->d_inode; 2584 struct inode_security_struct *isec = inode->i_security; 2585 struct superblock_security_struct *sbsec; 2586 struct avc_audit_data ad; 2587 u32 newsid; 2588 int rc = 0; 2589 2590 if (strcmp(name, XATTR_NAME_SELINUX)) 2591 return selinux_inode_setotherxattr(dentry, name); 2592 2593 sbsec = inode->i_sb->s_security; 2594 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 2595 return -EOPNOTSUPP; 2596 2597 if (!is_owner_or_cap(inode)) 2598 return -EPERM; 2599 2600 AVC_AUDIT_DATA_INIT(&ad,FS); 2601 ad.u.fs.path.dentry = dentry; 2602 2603 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, 2604 FILE__RELABELFROM, &ad); 2605 if (rc) 2606 return rc; 2607 2608 rc = security_context_to_sid(value, size, &newsid); 2609 if (rc) 2610 return rc; 2611 2612 rc = avc_has_perm(tsec->sid, newsid, isec->sclass, 2613 FILE__RELABELTO, &ad); 2614 if (rc) 2615 return rc; 2616 2617 rc = security_validate_transition(isec->sid, newsid, tsec->sid, 2618 isec->sclass); 2619 if (rc) 2620 return rc; 2621 2622 return avc_has_perm(newsid, 2623 sbsec->sid, 2624 SECCLASS_FILESYSTEM, 2625 FILESYSTEM__ASSOCIATE, 2626 &ad); 2627 } 2628 2629 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, 2630 void *value, size_t size, int flags) 2631 { 2632 struct inode *inode = dentry->d_inode; 2633 struct inode_security_struct *isec = inode->i_security; 2634 u32 newsid; 2635 int rc; 2636 2637 if (strcmp(name, XATTR_NAME_SELINUX)) { 2638 /* Not an attribute we recognize, so nothing to do. */ 2639 return; 2640 } 2641 2642 rc = security_context_to_sid(value, size, &newsid); 2643 if (rc) { 2644 printk(KERN_WARNING "%s: unable to obtain SID for context " 2645 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc); 2646 return; 2647 } 2648 2649 isec->sid = newsid; 2650 return; 2651 } 2652 2653 static int selinux_inode_getxattr (struct dentry *dentry, char *name) 2654 { 2655 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2656 } 2657 2658 static int selinux_inode_listxattr (struct dentry *dentry) 2659 { 2660 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2661 } 2662 2663 static int selinux_inode_removexattr (struct dentry *dentry, char *name) 2664 { 2665 if (strcmp(name, XATTR_NAME_SELINUX)) 2666 return selinux_inode_setotherxattr(dentry, name); 2667 2668 /* No one is allowed to remove a SELinux security label. 2669 You can change the label, but all data must be labeled. */ 2670 return -EACCES; 2671 } 2672 2673 /* 2674 * Copy the in-core inode security context value to the user. If the 2675 * getxattr() prior to this succeeded, check to see if we need to 2676 * canonicalize the value to be finally returned to the user. 2677 * 2678 * Permission check is handled by selinux_inode_getxattr hook. 2679 */ 2680 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc) 2681 { 2682 u32 size; 2683 int error; 2684 char *context = NULL; 2685 struct inode_security_struct *isec = inode->i_security; 2686 2687 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2688 return -EOPNOTSUPP; 2689 2690 error = security_sid_to_context(isec->sid, &context, &size); 2691 if (error) 2692 return error; 2693 error = size; 2694 if (alloc) { 2695 *buffer = context; 2696 goto out_nofree; 2697 } 2698 kfree(context); 2699 out_nofree: 2700 return error; 2701 } 2702 2703 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 2704 const void *value, size_t size, int flags) 2705 { 2706 struct inode_security_struct *isec = inode->i_security; 2707 u32 newsid; 2708 int rc; 2709 2710 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2711 return -EOPNOTSUPP; 2712 2713 if (!value || !size) 2714 return -EACCES; 2715 2716 rc = security_context_to_sid((void*)value, size, &newsid); 2717 if (rc) 2718 return rc; 2719 2720 isec->sid = newsid; 2721 return 0; 2722 } 2723 2724 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 2725 { 2726 const int len = sizeof(XATTR_NAME_SELINUX); 2727 if (buffer && len <= buffer_size) 2728 memcpy(buffer, XATTR_NAME_SELINUX, len); 2729 return len; 2730 } 2731 2732 static int selinux_inode_need_killpriv(struct dentry *dentry) 2733 { 2734 return secondary_ops->inode_need_killpriv(dentry); 2735 } 2736 2737 static int selinux_inode_killpriv(struct dentry *dentry) 2738 { 2739 return secondary_ops->inode_killpriv(dentry); 2740 } 2741 2742 /* file security operations */ 2743 2744 static int selinux_revalidate_file_permission(struct file *file, int mask) 2745 { 2746 int rc; 2747 struct inode *inode = file->f_path.dentry->d_inode; 2748 2749 if (!mask) { 2750 /* No permission to check. Existence test. */ 2751 return 0; 2752 } 2753 2754 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 2755 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 2756 mask |= MAY_APPEND; 2757 2758 rc = file_has_perm(current, file, 2759 file_mask_to_av(inode->i_mode, mask)); 2760 if (rc) 2761 return rc; 2762 2763 return selinux_netlbl_inode_permission(inode, mask); 2764 } 2765 2766 static int selinux_file_permission(struct file *file, int mask) 2767 { 2768 struct inode *inode = file->f_path.dentry->d_inode; 2769 struct task_security_struct *tsec = current->security; 2770 struct file_security_struct *fsec = file->f_security; 2771 struct inode_security_struct *isec = inode->i_security; 2772 2773 if (!mask) { 2774 /* No permission to check. Existence test. */ 2775 return 0; 2776 } 2777 2778 if (tsec->sid == fsec->sid && fsec->isid == isec->sid 2779 && fsec->pseqno == avc_policy_seqno()) 2780 return selinux_netlbl_inode_permission(inode, mask); 2781 2782 return selinux_revalidate_file_permission(file, mask); 2783 } 2784 2785 static int selinux_file_alloc_security(struct file *file) 2786 { 2787 return file_alloc_security(file); 2788 } 2789 2790 static void selinux_file_free_security(struct file *file) 2791 { 2792 file_free_security(file); 2793 } 2794 2795 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 2796 unsigned long arg) 2797 { 2798 int error = 0; 2799 2800 switch (cmd) { 2801 case FIONREAD: 2802 /* fall through */ 2803 case FIBMAP: 2804 /* fall through */ 2805 case FIGETBSZ: 2806 /* fall through */ 2807 case EXT2_IOC_GETFLAGS: 2808 /* fall through */ 2809 case EXT2_IOC_GETVERSION: 2810 error = file_has_perm(current, file, FILE__GETATTR); 2811 break; 2812 2813 case EXT2_IOC_SETFLAGS: 2814 /* fall through */ 2815 case EXT2_IOC_SETVERSION: 2816 error = file_has_perm(current, file, FILE__SETATTR); 2817 break; 2818 2819 /* sys_ioctl() checks */ 2820 case FIONBIO: 2821 /* fall through */ 2822 case FIOASYNC: 2823 error = file_has_perm(current, file, 0); 2824 break; 2825 2826 case KDSKBENT: 2827 case KDSKBSENT: 2828 error = task_has_capability(current,CAP_SYS_TTY_CONFIG); 2829 break; 2830 2831 /* default case assumes that the command will go 2832 * to the file's ioctl() function. 2833 */ 2834 default: 2835 error = file_has_perm(current, file, FILE__IOCTL); 2836 2837 } 2838 return error; 2839 } 2840 2841 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 2842 { 2843 #ifndef CONFIG_PPC32 2844 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { 2845 /* 2846 * We are making executable an anonymous mapping or a 2847 * private file mapping that will also be writable. 2848 * This has an additional check. 2849 */ 2850 int rc = task_has_perm(current, current, PROCESS__EXECMEM); 2851 if (rc) 2852 return rc; 2853 } 2854 #endif 2855 2856 if (file) { 2857 /* read access is always possible with a mapping */ 2858 u32 av = FILE__READ; 2859 2860 /* write access only matters if the mapping is shared */ 2861 if (shared && (prot & PROT_WRITE)) 2862 av |= FILE__WRITE; 2863 2864 if (prot & PROT_EXEC) 2865 av |= FILE__EXECUTE; 2866 2867 return file_has_perm(current, file, av); 2868 } 2869 return 0; 2870 } 2871 2872 static int selinux_file_mmap(struct file *file, unsigned long reqprot, 2873 unsigned long prot, unsigned long flags, 2874 unsigned long addr, unsigned long addr_only) 2875 { 2876 int rc = 0; 2877 u32 sid = ((struct task_security_struct*)(current->security))->sid; 2878 2879 if (addr < mmap_min_addr) 2880 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 2881 MEMPROTECT__MMAP_ZERO, NULL); 2882 if (rc || addr_only) 2883 return rc; 2884 2885 if (selinux_checkreqprot) 2886 prot = reqprot; 2887 2888 return file_map_prot_check(file, prot, 2889 (flags & MAP_TYPE) == MAP_SHARED); 2890 } 2891 2892 static int selinux_file_mprotect(struct vm_area_struct *vma, 2893 unsigned long reqprot, 2894 unsigned long prot) 2895 { 2896 int rc; 2897 2898 rc = secondary_ops->file_mprotect(vma, reqprot, prot); 2899 if (rc) 2900 return rc; 2901 2902 if (selinux_checkreqprot) 2903 prot = reqprot; 2904 2905 #ifndef CONFIG_PPC32 2906 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 2907 rc = 0; 2908 if (vma->vm_start >= vma->vm_mm->start_brk && 2909 vma->vm_end <= vma->vm_mm->brk) { 2910 rc = task_has_perm(current, current, 2911 PROCESS__EXECHEAP); 2912 } else if (!vma->vm_file && 2913 vma->vm_start <= vma->vm_mm->start_stack && 2914 vma->vm_end >= vma->vm_mm->start_stack) { 2915 rc = task_has_perm(current, current, PROCESS__EXECSTACK); 2916 } else if (vma->vm_file && vma->anon_vma) { 2917 /* 2918 * We are making executable a file mapping that has 2919 * had some COW done. Since pages might have been 2920 * written, check ability to execute the possibly 2921 * modified content. This typically should only 2922 * occur for text relocations. 2923 */ 2924 rc = file_has_perm(current, vma->vm_file, 2925 FILE__EXECMOD); 2926 } 2927 if (rc) 2928 return rc; 2929 } 2930 #endif 2931 2932 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 2933 } 2934 2935 static int selinux_file_lock(struct file *file, unsigned int cmd) 2936 { 2937 return file_has_perm(current, file, FILE__LOCK); 2938 } 2939 2940 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 2941 unsigned long arg) 2942 { 2943 int err = 0; 2944 2945 switch (cmd) { 2946 case F_SETFL: 2947 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { 2948 err = -EINVAL; 2949 break; 2950 } 2951 2952 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 2953 err = file_has_perm(current, file,FILE__WRITE); 2954 break; 2955 } 2956 /* fall through */ 2957 case F_SETOWN: 2958 case F_SETSIG: 2959 case F_GETFL: 2960 case F_GETOWN: 2961 case F_GETSIG: 2962 /* Just check FD__USE permission */ 2963 err = file_has_perm(current, file, 0); 2964 break; 2965 case F_GETLK: 2966 case F_SETLK: 2967 case F_SETLKW: 2968 #if BITS_PER_LONG == 32 2969 case F_GETLK64: 2970 case F_SETLK64: 2971 case F_SETLKW64: 2972 #endif 2973 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { 2974 err = -EINVAL; 2975 break; 2976 } 2977 err = file_has_perm(current, file, FILE__LOCK); 2978 break; 2979 } 2980 2981 return err; 2982 } 2983 2984 static int selinux_file_set_fowner(struct file *file) 2985 { 2986 struct task_security_struct *tsec; 2987 struct file_security_struct *fsec; 2988 2989 tsec = current->security; 2990 fsec = file->f_security; 2991 fsec->fown_sid = tsec->sid; 2992 2993 return 0; 2994 } 2995 2996 static int selinux_file_send_sigiotask(struct task_struct *tsk, 2997 struct fown_struct *fown, int signum) 2998 { 2999 struct file *file; 3000 u32 perm; 3001 struct task_security_struct *tsec; 3002 struct file_security_struct *fsec; 3003 3004 /* struct fown_struct is never outside the context of a struct file */ 3005 file = container_of(fown, struct file, f_owner); 3006 3007 tsec = tsk->security; 3008 fsec = file->f_security; 3009 3010 if (!signum) 3011 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3012 else 3013 perm = signal_to_av(signum); 3014 3015 return avc_has_perm(fsec->fown_sid, tsec->sid, 3016 SECCLASS_PROCESS, perm, NULL); 3017 } 3018 3019 static int selinux_file_receive(struct file *file) 3020 { 3021 return file_has_perm(current, file, file_to_av(file)); 3022 } 3023 3024 static int selinux_dentry_open(struct file *file) 3025 { 3026 struct file_security_struct *fsec; 3027 struct inode *inode; 3028 struct inode_security_struct *isec; 3029 inode = file->f_path.dentry->d_inode; 3030 fsec = file->f_security; 3031 isec = inode->i_security; 3032 /* 3033 * Save inode label and policy sequence number 3034 * at open-time so that selinux_file_permission 3035 * can determine whether revalidation is necessary. 3036 * Task label is already saved in the file security 3037 * struct as its SID. 3038 */ 3039 fsec->isid = isec->sid; 3040 fsec->pseqno = avc_policy_seqno(); 3041 /* 3042 * Since the inode label or policy seqno may have changed 3043 * between the selinux_inode_permission check and the saving 3044 * of state above, recheck that access is still permitted. 3045 * Otherwise, access might never be revalidated against the 3046 * new inode label or new policy. 3047 * This check is not redundant - do not remove. 3048 */ 3049 return inode_has_perm(current, inode, file_to_av(file), NULL); 3050 } 3051 3052 /* task security operations */ 3053 3054 static int selinux_task_create(unsigned long clone_flags) 3055 { 3056 int rc; 3057 3058 rc = secondary_ops->task_create(clone_flags); 3059 if (rc) 3060 return rc; 3061 3062 return task_has_perm(current, current, PROCESS__FORK); 3063 } 3064 3065 static int selinux_task_alloc_security(struct task_struct *tsk) 3066 { 3067 struct task_security_struct *tsec1, *tsec2; 3068 int rc; 3069 3070 tsec1 = current->security; 3071 3072 rc = task_alloc_security(tsk); 3073 if (rc) 3074 return rc; 3075 tsec2 = tsk->security; 3076 3077 tsec2->osid = tsec1->osid; 3078 tsec2->sid = tsec1->sid; 3079 3080 /* Retain the exec, fs, key, and sock SIDs across fork */ 3081 tsec2->exec_sid = tsec1->exec_sid; 3082 tsec2->create_sid = tsec1->create_sid; 3083 tsec2->keycreate_sid = tsec1->keycreate_sid; 3084 tsec2->sockcreate_sid = tsec1->sockcreate_sid; 3085 3086 /* Retain ptracer SID across fork, if any. 3087 This will be reset by the ptrace hook upon any 3088 subsequent ptrace_attach operations. */ 3089 tsec2->ptrace_sid = tsec1->ptrace_sid; 3090 3091 return 0; 3092 } 3093 3094 static void selinux_task_free_security(struct task_struct *tsk) 3095 { 3096 task_free_security(tsk); 3097 } 3098 3099 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 3100 { 3101 /* Since setuid only affects the current process, and 3102 since the SELinux controls are not based on the Linux 3103 identity attributes, SELinux does not need to control 3104 this operation. However, SELinux does control the use 3105 of the CAP_SETUID and CAP_SETGID capabilities using the 3106 capable hook. */ 3107 return 0; 3108 } 3109 3110 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 3111 { 3112 return secondary_ops->task_post_setuid(id0,id1,id2,flags); 3113 } 3114 3115 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) 3116 { 3117 /* See the comment for setuid above. */ 3118 return 0; 3119 } 3120 3121 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3122 { 3123 return task_has_perm(current, p, PROCESS__SETPGID); 3124 } 3125 3126 static int selinux_task_getpgid(struct task_struct *p) 3127 { 3128 return task_has_perm(current, p, PROCESS__GETPGID); 3129 } 3130 3131 static int selinux_task_getsid(struct task_struct *p) 3132 { 3133 return task_has_perm(current, p, PROCESS__GETSESSION); 3134 } 3135 3136 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3137 { 3138 selinux_get_task_sid(p, secid); 3139 } 3140 3141 static int selinux_task_setgroups(struct group_info *group_info) 3142 { 3143 /* See the comment for setuid above. */ 3144 return 0; 3145 } 3146 3147 static int selinux_task_setnice(struct task_struct *p, int nice) 3148 { 3149 int rc; 3150 3151 rc = secondary_ops->task_setnice(p, nice); 3152 if (rc) 3153 return rc; 3154 3155 return task_has_perm(current,p, PROCESS__SETSCHED); 3156 } 3157 3158 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3159 { 3160 int rc; 3161 3162 rc = secondary_ops->task_setioprio(p, ioprio); 3163 if (rc) 3164 return rc; 3165 3166 return task_has_perm(current, p, PROCESS__SETSCHED); 3167 } 3168 3169 static int selinux_task_getioprio(struct task_struct *p) 3170 { 3171 return task_has_perm(current, p, PROCESS__GETSCHED); 3172 } 3173 3174 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) 3175 { 3176 struct rlimit *old_rlim = current->signal->rlim + resource; 3177 int rc; 3178 3179 rc = secondary_ops->task_setrlimit(resource, new_rlim); 3180 if (rc) 3181 return rc; 3182 3183 /* Control the ability to change the hard limit (whether 3184 lowering or raising it), so that the hard limit can 3185 later be used as a safe reset point for the soft limit 3186 upon context transitions. See selinux_bprm_apply_creds. */ 3187 if (old_rlim->rlim_max != new_rlim->rlim_max) 3188 return task_has_perm(current, current, PROCESS__SETRLIMIT); 3189 3190 return 0; 3191 } 3192 3193 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp) 3194 { 3195 int rc; 3196 3197 rc = secondary_ops->task_setscheduler(p, policy, lp); 3198 if (rc) 3199 return rc; 3200 3201 return task_has_perm(current, p, PROCESS__SETSCHED); 3202 } 3203 3204 static int selinux_task_getscheduler(struct task_struct *p) 3205 { 3206 return task_has_perm(current, p, PROCESS__GETSCHED); 3207 } 3208 3209 static int selinux_task_movememory(struct task_struct *p) 3210 { 3211 return task_has_perm(current, p, PROCESS__SETSCHED); 3212 } 3213 3214 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 3215 int sig, u32 secid) 3216 { 3217 u32 perm; 3218 int rc; 3219 struct task_security_struct *tsec; 3220 3221 rc = secondary_ops->task_kill(p, info, sig, secid); 3222 if (rc) 3223 return rc; 3224 3225 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info))) 3226 return 0; 3227 3228 if (!sig) 3229 perm = PROCESS__SIGNULL; /* null signal; existence test */ 3230 else 3231 perm = signal_to_av(sig); 3232 tsec = p->security; 3233 if (secid) 3234 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL); 3235 else 3236 rc = task_has_perm(current, p, perm); 3237 return rc; 3238 } 3239 3240 static int selinux_task_prctl(int option, 3241 unsigned long arg2, 3242 unsigned long arg3, 3243 unsigned long arg4, 3244 unsigned long arg5) 3245 { 3246 /* The current prctl operations do not appear to require 3247 any SELinux controls since they merely observe or modify 3248 the state of the current process. */ 3249 return 0; 3250 } 3251 3252 static int selinux_task_wait(struct task_struct *p) 3253 { 3254 return task_has_perm(p, current, PROCESS__SIGCHLD); 3255 } 3256 3257 static void selinux_task_reparent_to_init(struct task_struct *p) 3258 { 3259 struct task_security_struct *tsec; 3260 3261 secondary_ops->task_reparent_to_init(p); 3262 3263 tsec = p->security; 3264 tsec->osid = tsec->sid; 3265 tsec->sid = SECINITSID_KERNEL; 3266 return; 3267 } 3268 3269 static void selinux_task_to_inode(struct task_struct *p, 3270 struct inode *inode) 3271 { 3272 struct task_security_struct *tsec = p->security; 3273 struct inode_security_struct *isec = inode->i_security; 3274 3275 isec->sid = tsec->sid; 3276 isec->initialized = 1; 3277 return; 3278 } 3279 3280 /* Returns error only if unable to parse addresses */ 3281 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 3282 struct avc_audit_data *ad, u8 *proto) 3283 { 3284 int offset, ihlen, ret = -EINVAL; 3285 struct iphdr _iph, *ih; 3286 3287 offset = skb_network_offset(skb); 3288 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 3289 if (ih == NULL) 3290 goto out; 3291 3292 ihlen = ih->ihl * 4; 3293 if (ihlen < sizeof(_iph)) 3294 goto out; 3295 3296 ad->u.net.v4info.saddr = ih->saddr; 3297 ad->u.net.v4info.daddr = ih->daddr; 3298 ret = 0; 3299 3300 if (proto) 3301 *proto = ih->protocol; 3302 3303 switch (ih->protocol) { 3304 case IPPROTO_TCP: { 3305 struct tcphdr _tcph, *th; 3306 3307 if (ntohs(ih->frag_off) & IP_OFFSET) 3308 break; 3309 3310 offset += ihlen; 3311 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3312 if (th == NULL) 3313 break; 3314 3315 ad->u.net.sport = th->source; 3316 ad->u.net.dport = th->dest; 3317 break; 3318 } 3319 3320 case IPPROTO_UDP: { 3321 struct udphdr _udph, *uh; 3322 3323 if (ntohs(ih->frag_off) & IP_OFFSET) 3324 break; 3325 3326 offset += ihlen; 3327 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3328 if (uh == NULL) 3329 break; 3330 3331 ad->u.net.sport = uh->source; 3332 ad->u.net.dport = uh->dest; 3333 break; 3334 } 3335 3336 case IPPROTO_DCCP: { 3337 struct dccp_hdr _dccph, *dh; 3338 3339 if (ntohs(ih->frag_off) & IP_OFFSET) 3340 break; 3341 3342 offset += ihlen; 3343 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3344 if (dh == NULL) 3345 break; 3346 3347 ad->u.net.sport = dh->dccph_sport; 3348 ad->u.net.dport = dh->dccph_dport; 3349 break; 3350 } 3351 3352 default: 3353 break; 3354 } 3355 out: 3356 return ret; 3357 } 3358 3359 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3360 3361 /* Returns error only if unable to parse addresses */ 3362 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 3363 struct avc_audit_data *ad, u8 *proto) 3364 { 3365 u8 nexthdr; 3366 int ret = -EINVAL, offset; 3367 struct ipv6hdr _ipv6h, *ip6; 3368 3369 offset = skb_network_offset(skb); 3370 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3371 if (ip6 == NULL) 3372 goto out; 3373 3374 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr); 3375 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr); 3376 ret = 0; 3377 3378 nexthdr = ip6->nexthdr; 3379 offset += sizeof(_ipv6h); 3380 offset = ipv6_skip_exthdr(skb, offset, &nexthdr); 3381 if (offset < 0) 3382 goto out; 3383 3384 if (proto) 3385 *proto = nexthdr; 3386 3387 switch (nexthdr) { 3388 case IPPROTO_TCP: { 3389 struct tcphdr _tcph, *th; 3390 3391 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3392 if (th == NULL) 3393 break; 3394 3395 ad->u.net.sport = th->source; 3396 ad->u.net.dport = th->dest; 3397 break; 3398 } 3399 3400 case IPPROTO_UDP: { 3401 struct udphdr _udph, *uh; 3402 3403 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3404 if (uh == NULL) 3405 break; 3406 3407 ad->u.net.sport = uh->source; 3408 ad->u.net.dport = uh->dest; 3409 break; 3410 } 3411 3412 case IPPROTO_DCCP: { 3413 struct dccp_hdr _dccph, *dh; 3414 3415 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3416 if (dh == NULL) 3417 break; 3418 3419 ad->u.net.sport = dh->dccph_sport; 3420 ad->u.net.dport = dh->dccph_dport; 3421 break; 3422 } 3423 3424 /* includes fragments */ 3425 default: 3426 break; 3427 } 3428 out: 3429 return ret; 3430 } 3431 3432 #endif /* IPV6 */ 3433 3434 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, 3435 char **addrp, int src, u8 *proto) 3436 { 3437 int ret = 0; 3438 3439 switch (ad->u.net.family) { 3440 case PF_INET: 3441 ret = selinux_parse_skb_ipv4(skb, ad, proto); 3442 if (ret || !addrp) 3443 break; 3444 *addrp = (char *)(src ? &ad->u.net.v4info.saddr : 3445 &ad->u.net.v4info.daddr); 3446 break; 3447 3448 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3449 case PF_INET6: 3450 ret = selinux_parse_skb_ipv6(skb, ad, proto); 3451 if (ret || !addrp) 3452 break; 3453 *addrp = (char *)(src ? &ad->u.net.v6info.saddr : 3454 &ad->u.net.v6info.daddr); 3455 break; 3456 #endif /* IPV6 */ 3457 default: 3458 break; 3459 } 3460 3461 if (unlikely(ret)) 3462 printk(KERN_WARNING 3463 "SELinux: failure in selinux_parse_skb()," 3464 " unable to parse packet\n"); 3465 3466 return ret; 3467 } 3468 3469 /** 3470 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 3471 * @skb: the packet 3472 * @family: protocol family 3473 * @sid: the packet's peer label SID 3474 * 3475 * Description: 3476 * Check the various different forms of network peer labeling and determine 3477 * the peer label/SID for the packet; most of the magic actually occurs in 3478 * the security server function security_net_peersid_cmp(). The function 3479 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 3480 * or -EACCES if @sid is invalid due to inconsistencies with the different 3481 * peer labels. 3482 * 3483 */ 3484 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 3485 { 3486 int err; 3487 u32 xfrm_sid; 3488 u32 nlbl_sid; 3489 u32 nlbl_type; 3490 3491 selinux_skb_xfrm_sid(skb, &xfrm_sid); 3492 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 3493 3494 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 3495 if (unlikely(err)) { 3496 printk(KERN_WARNING 3497 "SELinux: failure in selinux_skb_peerlbl_sid()," 3498 " unable to determine packet's peer label\n"); 3499 return -EACCES; 3500 } 3501 3502 return 0; 3503 } 3504 3505 /* socket security operations */ 3506 static int socket_has_perm(struct task_struct *task, struct socket *sock, 3507 u32 perms) 3508 { 3509 struct inode_security_struct *isec; 3510 struct task_security_struct *tsec; 3511 struct avc_audit_data ad; 3512 int err = 0; 3513 3514 tsec = task->security; 3515 isec = SOCK_INODE(sock)->i_security; 3516 3517 if (isec->sid == SECINITSID_KERNEL) 3518 goto out; 3519 3520 AVC_AUDIT_DATA_INIT(&ad,NET); 3521 ad.u.net.sk = sock->sk; 3522 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 3523 3524 out: 3525 return err; 3526 } 3527 3528 static int selinux_socket_create(int family, int type, 3529 int protocol, int kern) 3530 { 3531 int err = 0; 3532 struct task_security_struct *tsec; 3533 u32 newsid; 3534 3535 if (kern) 3536 goto out; 3537 3538 tsec = current->security; 3539 newsid = tsec->sockcreate_sid ? : tsec->sid; 3540 err = avc_has_perm(tsec->sid, newsid, 3541 socket_type_to_security_class(family, type, 3542 protocol), SOCKET__CREATE, NULL); 3543 3544 out: 3545 return err; 3546 } 3547 3548 static int selinux_socket_post_create(struct socket *sock, int family, 3549 int type, int protocol, int kern) 3550 { 3551 int err = 0; 3552 struct inode_security_struct *isec; 3553 struct task_security_struct *tsec; 3554 struct sk_security_struct *sksec; 3555 u32 newsid; 3556 3557 isec = SOCK_INODE(sock)->i_security; 3558 3559 tsec = current->security; 3560 newsid = tsec->sockcreate_sid ? : tsec->sid; 3561 isec->sclass = socket_type_to_security_class(family, type, protocol); 3562 isec->sid = kern ? SECINITSID_KERNEL : newsid; 3563 isec->initialized = 1; 3564 3565 if (sock->sk) { 3566 sksec = sock->sk->sk_security; 3567 sksec->sid = isec->sid; 3568 sksec->sclass = isec->sclass; 3569 err = selinux_netlbl_socket_post_create(sock); 3570 } 3571 3572 return err; 3573 } 3574 3575 /* Range of port numbers used to automatically bind. 3576 Need to determine whether we should perform a name_bind 3577 permission check between the socket and the port number. */ 3578 3579 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 3580 { 3581 u16 family; 3582 int err; 3583 3584 err = socket_has_perm(current, sock, SOCKET__BIND); 3585 if (err) 3586 goto out; 3587 3588 /* 3589 * If PF_INET or PF_INET6, check name_bind permission for the port. 3590 * Multiple address binding for SCTP is not supported yet: we just 3591 * check the first address now. 3592 */ 3593 family = sock->sk->sk_family; 3594 if (family == PF_INET || family == PF_INET6) { 3595 char *addrp; 3596 struct inode_security_struct *isec; 3597 struct task_security_struct *tsec; 3598 struct avc_audit_data ad; 3599 struct sockaddr_in *addr4 = NULL; 3600 struct sockaddr_in6 *addr6 = NULL; 3601 unsigned short snum; 3602 struct sock *sk = sock->sk; 3603 u32 sid, node_perm, addrlen; 3604 3605 tsec = current->security; 3606 isec = SOCK_INODE(sock)->i_security; 3607 3608 if (family == PF_INET) { 3609 addr4 = (struct sockaddr_in *)address; 3610 snum = ntohs(addr4->sin_port); 3611 addrlen = sizeof(addr4->sin_addr.s_addr); 3612 addrp = (char *)&addr4->sin_addr.s_addr; 3613 } else { 3614 addr6 = (struct sockaddr_in6 *)address; 3615 snum = ntohs(addr6->sin6_port); 3616 addrlen = sizeof(addr6->sin6_addr.s6_addr); 3617 addrp = (char *)&addr6->sin6_addr.s6_addr; 3618 } 3619 3620 if (snum) { 3621 int low, high; 3622 3623 inet_get_local_port_range(&low, &high); 3624 3625 if (snum < max(PROT_SOCK, low) || snum > high) { 3626 err = security_port_sid(sk->sk_family, 3627 sk->sk_type, 3628 sk->sk_protocol, snum, 3629 &sid); 3630 if (err) 3631 goto out; 3632 AVC_AUDIT_DATA_INIT(&ad,NET); 3633 ad.u.net.sport = htons(snum); 3634 ad.u.net.family = family; 3635 err = avc_has_perm(isec->sid, sid, 3636 isec->sclass, 3637 SOCKET__NAME_BIND, &ad); 3638 if (err) 3639 goto out; 3640 } 3641 } 3642 3643 switch(isec->sclass) { 3644 case SECCLASS_TCP_SOCKET: 3645 node_perm = TCP_SOCKET__NODE_BIND; 3646 break; 3647 3648 case SECCLASS_UDP_SOCKET: 3649 node_perm = UDP_SOCKET__NODE_BIND; 3650 break; 3651 3652 case SECCLASS_DCCP_SOCKET: 3653 node_perm = DCCP_SOCKET__NODE_BIND; 3654 break; 3655 3656 default: 3657 node_perm = RAWIP_SOCKET__NODE_BIND; 3658 break; 3659 } 3660 3661 err = sel_netnode_sid(addrp, family, &sid); 3662 if (err) 3663 goto out; 3664 3665 AVC_AUDIT_DATA_INIT(&ad,NET); 3666 ad.u.net.sport = htons(snum); 3667 ad.u.net.family = family; 3668 3669 if (family == PF_INET) 3670 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr; 3671 else 3672 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr); 3673 3674 err = avc_has_perm(isec->sid, sid, 3675 isec->sclass, node_perm, &ad); 3676 if (err) 3677 goto out; 3678 } 3679 out: 3680 return err; 3681 } 3682 3683 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 3684 { 3685 struct inode_security_struct *isec; 3686 int err; 3687 3688 err = socket_has_perm(current, sock, SOCKET__CONNECT); 3689 if (err) 3690 return err; 3691 3692 /* 3693 * If a TCP or DCCP socket, check name_connect permission for the port. 3694 */ 3695 isec = SOCK_INODE(sock)->i_security; 3696 if (isec->sclass == SECCLASS_TCP_SOCKET || 3697 isec->sclass == SECCLASS_DCCP_SOCKET) { 3698 struct sock *sk = sock->sk; 3699 struct avc_audit_data ad; 3700 struct sockaddr_in *addr4 = NULL; 3701 struct sockaddr_in6 *addr6 = NULL; 3702 unsigned short snum; 3703 u32 sid, perm; 3704 3705 if (sk->sk_family == PF_INET) { 3706 addr4 = (struct sockaddr_in *)address; 3707 if (addrlen < sizeof(struct sockaddr_in)) 3708 return -EINVAL; 3709 snum = ntohs(addr4->sin_port); 3710 } else { 3711 addr6 = (struct sockaddr_in6 *)address; 3712 if (addrlen < SIN6_LEN_RFC2133) 3713 return -EINVAL; 3714 snum = ntohs(addr6->sin6_port); 3715 } 3716 3717 err = security_port_sid(sk->sk_family, sk->sk_type, 3718 sk->sk_protocol, snum, &sid); 3719 if (err) 3720 goto out; 3721 3722 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? 3723 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 3724 3725 AVC_AUDIT_DATA_INIT(&ad,NET); 3726 ad.u.net.dport = htons(snum); 3727 ad.u.net.family = sk->sk_family; 3728 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); 3729 if (err) 3730 goto out; 3731 } 3732 3733 out: 3734 return err; 3735 } 3736 3737 static int selinux_socket_listen(struct socket *sock, int backlog) 3738 { 3739 return socket_has_perm(current, sock, SOCKET__LISTEN); 3740 } 3741 3742 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 3743 { 3744 int err; 3745 struct inode_security_struct *isec; 3746 struct inode_security_struct *newisec; 3747 3748 err = socket_has_perm(current, sock, SOCKET__ACCEPT); 3749 if (err) 3750 return err; 3751 3752 newisec = SOCK_INODE(newsock)->i_security; 3753 3754 isec = SOCK_INODE(sock)->i_security; 3755 newisec->sclass = isec->sclass; 3756 newisec->sid = isec->sid; 3757 newisec->initialized = 1; 3758 3759 return 0; 3760 } 3761 3762 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3763 int size) 3764 { 3765 int rc; 3766 3767 rc = socket_has_perm(current, sock, SOCKET__WRITE); 3768 if (rc) 3769 return rc; 3770 3771 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE); 3772 } 3773 3774 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 3775 int size, int flags) 3776 { 3777 return socket_has_perm(current, sock, SOCKET__READ); 3778 } 3779 3780 static int selinux_socket_getsockname(struct socket *sock) 3781 { 3782 return socket_has_perm(current, sock, SOCKET__GETATTR); 3783 } 3784 3785 static int selinux_socket_getpeername(struct socket *sock) 3786 { 3787 return socket_has_perm(current, sock, SOCKET__GETATTR); 3788 } 3789 3790 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname) 3791 { 3792 int err; 3793 3794 err = socket_has_perm(current, sock, SOCKET__SETOPT); 3795 if (err) 3796 return err; 3797 3798 return selinux_netlbl_socket_setsockopt(sock, level, optname); 3799 } 3800 3801 static int selinux_socket_getsockopt(struct socket *sock, int level, 3802 int optname) 3803 { 3804 return socket_has_perm(current, sock, SOCKET__GETOPT); 3805 } 3806 3807 static int selinux_socket_shutdown(struct socket *sock, int how) 3808 { 3809 return socket_has_perm(current, sock, SOCKET__SHUTDOWN); 3810 } 3811 3812 static int selinux_socket_unix_stream_connect(struct socket *sock, 3813 struct socket *other, 3814 struct sock *newsk) 3815 { 3816 struct sk_security_struct *ssec; 3817 struct inode_security_struct *isec; 3818 struct inode_security_struct *other_isec; 3819 struct avc_audit_data ad; 3820 int err; 3821 3822 err = secondary_ops->unix_stream_connect(sock, other, newsk); 3823 if (err) 3824 return err; 3825 3826 isec = SOCK_INODE(sock)->i_security; 3827 other_isec = SOCK_INODE(other)->i_security; 3828 3829 AVC_AUDIT_DATA_INIT(&ad,NET); 3830 ad.u.net.sk = other->sk; 3831 3832 err = avc_has_perm(isec->sid, other_isec->sid, 3833 isec->sclass, 3834 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 3835 if (err) 3836 return err; 3837 3838 /* connecting socket */ 3839 ssec = sock->sk->sk_security; 3840 ssec->peer_sid = other_isec->sid; 3841 3842 /* server child socket */ 3843 ssec = newsk->sk_security; 3844 ssec->peer_sid = isec->sid; 3845 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid); 3846 3847 return err; 3848 } 3849 3850 static int selinux_socket_unix_may_send(struct socket *sock, 3851 struct socket *other) 3852 { 3853 struct inode_security_struct *isec; 3854 struct inode_security_struct *other_isec; 3855 struct avc_audit_data ad; 3856 int err; 3857 3858 isec = SOCK_INODE(sock)->i_security; 3859 other_isec = SOCK_INODE(other)->i_security; 3860 3861 AVC_AUDIT_DATA_INIT(&ad,NET); 3862 ad.u.net.sk = other->sk; 3863 3864 err = avc_has_perm(isec->sid, other_isec->sid, 3865 isec->sclass, SOCKET__SENDTO, &ad); 3866 if (err) 3867 return err; 3868 3869 return 0; 3870 } 3871 3872 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, 3873 u32 peer_sid, 3874 struct avc_audit_data *ad) 3875 { 3876 int err; 3877 u32 if_sid; 3878 u32 node_sid; 3879 3880 err = sel_netif_sid(ifindex, &if_sid); 3881 if (err) 3882 return err; 3883 err = avc_has_perm(peer_sid, if_sid, 3884 SECCLASS_NETIF, NETIF__INGRESS, ad); 3885 if (err) 3886 return err; 3887 3888 err = sel_netnode_sid(addrp, family, &node_sid); 3889 if (err) 3890 return err; 3891 return avc_has_perm(peer_sid, node_sid, 3892 SECCLASS_NODE, NODE__RECVFROM, ad); 3893 } 3894 3895 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk, 3896 struct sk_buff *skb, 3897 struct avc_audit_data *ad, 3898 u16 family, 3899 char *addrp) 3900 { 3901 int err; 3902 struct sk_security_struct *sksec = sk->sk_security; 3903 u16 sk_class; 3904 u32 netif_perm, node_perm, recv_perm; 3905 u32 port_sid, node_sid, if_sid, sk_sid; 3906 3907 sk_sid = sksec->sid; 3908 sk_class = sksec->sclass; 3909 3910 switch (sk_class) { 3911 case SECCLASS_UDP_SOCKET: 3912 netif_perm = NETIF__UDP_RECV; 3913 node_perm = NODE__UDP_RECV; 3914 recv_perm = UDP_SOCKET__RECV_MSG; 3915 break; 3916 case SECCLASS_TCP_SOCKET: 3917 netif_perm = NETIF__TCP_RECV; 3918 node_perm = NODE__TCP_RECV; 3919 recv_perm = TCP_SOCKET__RECV_MSG; 3920 break; 3921 case SECCLASS_DCCP_SOCKET: 3922 netif_perm = NETIF__DCCP_RECV; 3923 node_perm = NODE__DCCP_RECV; 3924 recv_perm = DCCP_SOCKET__RECV_MSG; 3925 break; 3926 default: 3927 netif_perm = NETIF__RAWIP_RECV; 3928 node_perm = NODE__RAWIP_RECV; 3929 recv_perm = 0; 3930 break; 3931 } 3932 3933 err = sel_netif_sid(skb->iif, &if_sid); 3934 if (err) 3935 return err; 3936 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 3937 if (err) 3938 return err; 3939 3940 err = sel_netnode_sid(addrp, family, &node_sid); 3941 if (err) 3942 return err; 3943 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad); 3944 if (err) 3945 return err; 3946 3947 if (!recv_perm) 3948 return 0; 3949 err = security_port_sid(sk->sk_family, sk->sk_type, 3950 sk->sk_protocol, ntohs(ad->u.net.sport), 3951 &port_sid); 3952 if (unlikely(err)) { 3953 printk(KERN_WARNING 3954 "SELinux: failure in" 3955 " selinux_sock_rcv_skb_iptables_compat()," 3956 " network port label not found\n"); 3957 return err; 3958 } 3959 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad); 3960 } 3961 3962 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 3963 struct avc_audit_data *ad, 3964 u16 family, char *addrp) 3965 { 3966 int err; 3967 struct sk_security_struct *sksec = sk->sk_security; 3968 u32 peer_sid; 3969 u32 sk_sid = sksec->sid; 3970 3971 if (selinux_compat_net) 3972 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad, 3973 family, addrp); 3974 else 3975 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 3976 PACKET__RECV, ad); 3977 if (err) 3978 return err; 3979 3980 if (selinux_policycap_netpeer) { 3981 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 3982 if (err) 3983 return err; 3984 err = avc_has_perm(sk_sid, peer_sid, 3985 SECCLASS_PEER, PEER__RECV, ad); 3986 } else { 3987 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad); 3988 if (err) 3989 return err; 3990 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad); 3991 } 3992 3993 return err; 3994 } 3995 3996 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3997 { 3998 int err; 3999 struct sk_security_struct *sksec = sk->sk_security; 4000 u16 family = sk->sk_family; 4001 u32 sk_sid = sksec->sid; 4002 struct avc_audit_data ad; 4003 char *addrp; 4004 4005 if (family != PF_INET && family != PF_INET6) 4006 return 0; 4007 4008 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 4009 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4010 family = PF_INET; 4011 4012 AVC_AUDIT_DATA_INIT(&ad, NET); 4013 ad.u.net.netif = skb->iif; 4014 ad.u.net.family = family; 4015 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4016 if (err) 4017 return err; 4018 4019 /* If any sort of compatibility mode is enabled then handoff processing 4020 * to the selinux_sock_rcv_skb_compat() function to deal with the 4021 * special handling. We do this in an attempt to keep this function 4022 * as fast and as clean as possible. */ 4023 if (selinux_compat_net || !selinux_policycap_netpeer) 4024 return selinux_sock_rcv_skb_compat(sk, skb, &ad, 4025 family, addrp); 4026 4027 if (netlbl_enabled() || selinux_xfrm_enabled()) { 4028 u32 peer_sid; 4029 4030 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4031 if (err) 4032 return err; 4033 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family, 4034 peer_sid, &ad); 4035 if (err) 4036 return err; 4037 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 4038 PEER__RECV, &ad); 4039 } 4040 4041 if (selinux_secmark_enabled()) { 4042 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4043 PACKET__RECV, &ad); 4044 if (err) 4045 return err; 4046 } 4047 4048 return err; 4049 } 4050 4051 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 4052 int __user *optlen, unsigned len) 4053 { 4054 int err = 0; 4055 char *scontext; 4056 u32 scontext_len; 4057 struct sk_security_struct *ssec; 4058 struct inode_security_struct *isec; 4059 u32 peer_sid = SECSID_NULL; 4060 4061 isec = SOCK_INODE(sock)->i_security; 4062 4063 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 4064 isec->sclass == SECCLASS_TCP_SOCKET) { 4065 ssec = sock->sk->sk_security; 4066 peer_sid = ssec->peer_sid; 4067 } 4068 if (peer_sid == SECSID_NULL) { 4069 err = -ENOPROTOOPT; 4070 goto out; 4071 } 4072 4073 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 4074 4075 if (err) 4076 goto out; 4077 4078 if (scontext_len > len) { 4079 err = -ERANGE; 4080 goto out_len; 4081 } 4082 4083 if (copy_to_user(optval, scontext, scontext_len)) 4084 err = -EFAULT; 4085 4086 out_len: 4087 if (put_user(scontext_len, optlen)) 4088 err = -EFAULT; 4089 4090 kfree(scontext); 4091 out: 4092 return err; 4093 } 4094 4095 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 4096 { 4097 u32 peer_secid = SECSID_NULL; 4098 u16 family; 4099 4100 if (sock) 4101 family = sock->sk->sk_family; 4102 else if (skb && skb->sk) 4103 family = skb->sk->sk_family; 4104 else 4105 goto out; 4106 4107 if (sock && family == PF_UNIX) 4108 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); 4109 else if (skb) 4110 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 4111 4112 out: 4113 *secid = peer_secid; 4114 if (peer_secid == SECSID_NULL) 4115 return -EINVAL; 4116 return 0; 4117 } 4118 4119 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 4120 { 4121 return sk_alloc_security(sk, family, priority); 4122 } 4123 4124 static void selinux_sk_free_security(struct sock *sk) 4125 { 4126 sk_free_security(sk); 4127 } 4128 4129 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 4130 { 4131 struct sk_security_struct *ssec = sk->sk_security; 4132 struct sk_security_struct *newssec = newsk->sk_security; 4133 4134 newssec->sid = ssec->sid; 4135 newssec->peer_sid = ssec->peer_sid; 4136 newssec->sclass = ssec->sclass; 4137 4138 selinux_netlbl_sk_security_reset(newssec, newsk->sk_family); 4139 } 4140 4141 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 4142 { 4143 if (!sk) 4144 *secid = SECINITSID_ANY_SOCKET; 4145 else { 4146 struct sk_security_struct *sksec = sk->sk_security; 4147 4148 *secid = sksec->sid; 4149 } 4150 } 4151 4152 static void selinux_sock_graft(struct sock* sk, struct socket *parent) 4153 { 4154 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; 4155 struct sk_security_struct *sksec = sk->sk_security; 4156 4157 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 4158 sk->sk_family == PF_UNIX) 4159 isec->sid = sksec->sid; 4160 sksec->sclass = isec->sclass; 4161 4162 selinux_netlbl_sock_graft(sk, parent); 4163 } 4164 4165 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4166 struct request_sock *req) 4167 { 4168 struct sk_security_struct *sksec = sk->sk_security; 4169 int err; 4170 u32 newsid; 4171 u32 peersid; 4172 4173 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid); 4174 if (err) 4175 return err; 4176 if (peersid == SECSID_NULL) { 4177 req->secid = sksec->sid; 4178 req->peer_secid = SECSID_NULL; 4179 return 0; 4180 } 4181 4182 err = security_sid_mls_copy(sksec->sid, peersid, &newsid); 4183 if (err) 4184 return err; 4185 4186 req->secid = newsid; 4187 req->peer_secid = peersid; 4188 return 0; 4189 } 4190 4191 static void selinux_inet_csk_clone(struct sock *newsk, 4192 const struct request_sock *req) 4193 { 4194 struct sk_security_struct *newsksec = newsk->sk_security; 4195 4196 newsksec->sid = req->secid; 4197 newsksec->peer_sid = req->peer_secid; 4198 /* NOTE: Ideally, we should also get the isec->sid for the 4199 new socket in sync, but we don't have the isec available yet. 4200 So we will wait until sock_graft to do it, by which 4201 time it will have been created and available. */ 4202 4203 /* We don't need to take any sort of lock here as we are the only 4204 * thread with access to newsksec */ 4205 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family); 4206 } 4207 4208 static void selinux_inet_conn_established(struct sock *sk, 4209 struct sk_buff *skb) 4210 { 4211 struct sk_security_struct *sksec = sk->sk_security; 4212 4213 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid); 4214 } 4215 4216 static void selinux_req_classify_flow(const struct request_sock *req, 4217 struct flowi *fl) 4218 { 4219 fl->secid = req->secid; 4220 } 4221 4222 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 4223 { 4224 int err = 0; 4225 u32 perm; 4226 struct nlmsghdr *nlh; 4227 struct socket *sock = sk->sk_socket; 4228 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 4229 4230 if (skb->len < NLMSG_SPACE(0)) { 4231 err = -EINVAL; 4232 goto out; 4233 } 4234 nlh = nlmsg_hdr(skb); 4235 4236 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); 4237 if (err) { 4238 if (err == -EINVAL) { 4239 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR, 4240 "SELinux: unrecognized netlink message" 4241 " type=%hu for sclass=%hu\n", 4242 nlh->nlmsg_type, isec->sclass); 4243 if (!selinux_enforcing) 4244 err = 0; 4245 } 4246 4247 /* Ignore */ 4248 if (err == -ENOENT) 4249 err = 0; 4250 goto out; 4251 } 4252 4253 err = socket_has_perm(current, sock, perm); 4254 out: 4255 return err; 4256 } 4257 4258 #ifdef CONFIG_NETFILTER 4259 4260 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, 4261 u16 family) 4262 { 4263 char *addrp; 4264 u32 peer_sid; 4265 struct avc_audit_data ad; 4266 u8 secmark_active; 4267 u8 peerlbl_active; 4268 4269 if (!selinux_policycap_netpeer) 4270 return NF_ACCEPT; 4271 4272 secmark_active = selinux_secmark_enabled(); 4273 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); 4274 if (!secmark_active && !peerlbl_active) 4275 return NF_ACCEPT; 4276 4277 AVC_AUDIT_DATA_INIT(&ad, NET); 4278 ad.u.net.netif = ifindex; 4279 ad.u.net.family = family; 4280 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 4281 return NF_DROP; 4282 4283 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 4284 return NF_DROP; 4285 4286 if (peerlbl_active) 4287 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family, 4288 peer_sid, &ad) != 0) 4289 return NF_DROP; 4290 4291 if (secmark_active) 4292 if (avc_has_perm(peer_sid, skb->secmark, 4293 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 4294 return NF_DROP; 4295 4296 return NF_ACCEPT; 4297 } 4298 4299 static unsigned int selinux_ipv4_forward(unsigned int hooknum, 4300 struct sk_buff *skb, 4301 const struct net_device *in, 4302 const struct net_device *out, 4303 int (*okfn)(struct sk_buff *)) 4304 { 4305 return selinux_ip_forward(skb, in->ifindex, PF_INET); 4306 } 4307 4308 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4309 static unsigned int selinux_ipv6_forward(unsigned int hooknum, 4310 struct sk_buff *skb, 4311 const struct net_device *in, 4312 const struct net_device *out, 4313 int (*okfn)(struct sk_buff *)) 4314 { 4315 return selinux_ip_forward(skb, in->ifindex, PF_INET6); 4316 } 4317 #endif /* IPV6 */ 4318 4319 static int selinux_ip_postroute_iptables_compat(struct sock *sk, 4320 int ifindex, 4321 struct avc_audit_data *ad, 4322 u16 family, char *addrp) 4323 { 4324 int err; 4325 struct sk_security_struct *sksec = sk->sk_security; 4326 u16 sk_class; 4327 u32 netif_perm, node_perm, send_perm; 4328 u32 port_sid, node_sid, if_sid, sk_sid; 4329 4330 sk_sid = sksec->sid; 4331 sk_class = sksec->sclass; 4332 4333 switch (sk_class) { 4334 case SECCLASS_UDP_SOCKET: 4335 netif_perm = NETIF__UDP_SEND; 4336 node_perm = NODE__UDP_SEND; 4337 send_perm = UDP_SOCKET__SEND_MSG; 4338 break; 4339 case SECCLASS_TCP_SOCKET: 4340 netif_perm = NETIF__TCP_SEND; 4341 node_perm = NODE__TCP_SEND; 4342 send_perm = TCP_SOCKET__SEND_MSG; 4343 break; 4344 case SECCLASS_DCCP_SOCKET: 4345 netif_perm = NETIF__DCCP_SEND; 4346 node_perm = NODE__DCCP_SEND; 4347 send_perm = DCCP_SOCKET__SEND_MSG; 4348 break; 4349 default: 4350 netif_perm = NETIF__RAWIP_SEND; 4351 node_perm = NODE__RAWIP_SEND; 4352 send_perm = 0; 4353 break; 4354 } 4355 4356 err = sel_netif_sid(ifindex, &if_sid); 4357 if (err) 4358 return err; 4359 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 4360 return err; 4361 4362 err = sel_netnode_sid(addrp, family, &node_sid); 4363 if (err) 4364 return err; 4365 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad); 4366 if (err) 4367 return err; 4368 4369 if (send_perm != 0) 4370 return 0; 4371 4372 err = security_port_sid(sk->sk_family, sk->sk_type, 4373 sk->sk_protocol, ntohs(ad->u.net.dport), 4374 &port_sid); 4375 if (unlikely(err)) { 4376 printk(KERN_WARNING 4377 "SELinux: failure in" 4378 " selinux_ip_postroute_iptables_compat()," 4379 " network port label not found\n"); 4380 return err; 4381 } 4382 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad); 4383 } 4384 4385 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 4386 int ifindex, 4387 struct avc_audit_data *ad, 4388 u16 family, 4389 char *addrp, 4390 u8 proto) 4391 { 4392 struct sock *sk = skb->sk; 4393 struct sk_security_struct *sksec; 4394 4395 if (sk == NULL) 4396 return NF_ACCEPT; 4397 sksec = sk->sk_security; 4398 4399 if (selinux_compat_net) { 4400 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex, 4401 ad, family, addrp)) 4402 return NF_DROP; 4403 } else { 4404 if (avc_has_perm(sksec->sid, skb->secmark, 4405 SECCLASS_PACKET, PACKET__SEND, ad)) 4406 return NF_DROP; 4407 } 4408 4409 if (selinux_policycap_netpeer) 4410 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto)) 4411 return NF_DROP; 4412 4413 return NF_ACCEPT; 4414 } 4415 4416 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, 4417 u16 family) 4418 { 4419 u32 secmark_perm; 4420 u32 peer_sid; 4421 struct sock *sk; 4422 struct avc_audit_data ad; 4423 char *addrp; 4424 u8 proto; 4425 u8 secmark_active; 4426 u8 peerlbl_active; 4427 4428 AVC_AUDIT_DATA_INIT(&ad, NET); 4429 ad.u.net.netif = ifindex; 4430 ad.u.net.family = family; 4431 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 4432 return NF_DROP; 4433 4434 /* If any sort of compatibility mode is enabled then handoff processing 4435 * to the selinux_ip_postroute_compat() function to deal with the 4436 * special handling. We do this in an attempt to keep this function 4437 * as fast and as clean as possible. */ 4438 if (selinux_compat_net || !selinux_policycap_netpeer) 4439 return selinux_ip_postroute_compat(skb, ifindex, &ad, 4440 family, addrp, proto); 4441 4442 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 4443 * packet transformation so allow the packet to pass without any checks 4444 * since we'll have another chance to perform access control checks 4445 * when the packet is on it's final way out. 4446 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 4447 * is NULL, in this case go ahead and apply access control. */ 4448 if (skb->dst != NULL && skb->dst->xfrm != NULL) 4449 return NF_ACCEPT; 4450 4451 secmark_active = selinux_secmark_enabled(); 4452 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); 4453 if (!secmark_active && !peerlbl_active) 4454 return NF_ACCEPT; 4455 4456 /* if the packet is locally generated (skb->sk != NULL) then use the 4457 * socket's label as the peer label, otherwise the packet is being 4458 * forwarded through this system and we need to fetch the peer label 4459 * directly from the packet */ 4460 sk = skb->sk; 4461 if (sk) { 4462 struct sk_security_struct *sksec = sk->sk_security; 4463 peer_sid = sksec->sid; 4464 secmark_perm = PACKET__SEND; 4465 } else { 4466 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 4467 return NF_DROP; 4468 secmark_perm = PACKET__FORWARD_OUT; 4469 } 4470 4471 if (secmark_active) 4472 if (avc_has_perm(peer_sid, skb->secmark, 4473 SECCLASS_PACKET, secmark_perm, &ad)) 4474 return NF_DROP; 4475 4476 if (peerlbl_active) { 4477 u32 if_sid; 4478 u32 node_sid; 4479 4480 if (sel_netif_sid(ifindex, &if_sid)) 4481 return NF_DROP; 4482 if (avc_has_perm(peer_sid, if_sid, 4483 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 4484 return NF_DROP; 4485 4486 if (sel_netnode_sid(addrp, family, &node_sid)) 4487 return NF_DROP; 4488 if (avc_has_perm(peer_sid, node_sid, 4489 SECCLASS_NODE, NODE__SENDTO, &ad)) 4490 return NF_DROP; 4491 } 4492 4493 return NF_ACCEPT; 4494 } 4495 4496 static unsigned int selinux_ipv4_postroute(unsigned int hooknum, 4497 struct sk_buff *skb, 4498 const struct net_device *in, 4499 const struct net_device *out, 4500 int (*okfn)(struct sk_buff *)) 4501 { 4502 return selinux_ip_postroute(skb, out->ifindex, PF_INET); 4503 } 4504 4505 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4506 static unsigned int selinux_ipv6_postroute(unsigned int hooknum, 4507 struct sk_buff *skb, 4508 const struct net_device *in, 4509 const struct net_device *out, 4510 int (*okfn)(struct sk_buff *)) 4511 { 4512 return selinux_ip_postroute(skb, out->ifindex, PF_INET6); 4513 } 4514 #endif /* IPV6 */ 4515 4516 #endif /* CONFIG_NETFILTER */ 4517 4518 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 4519 { 4520 int err; 4521 4522 err = secondary_ops->netlink_send(sk, skb); 4523 if (err) 4524 return err; 4525 4526 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS) 4527 err = selinux_nlmsg_perm(sk, skb); 4528 4529 return err; 4530 } 4531 4532 static int selinux_netlink_recv(struct sk_buff *skb, int capability) 4533 { 4534 int err; 4535 struct avc_audit_data ad; 4536 4537 err = secondary_ops->netlink_recv(skb, capability); 4538 if (err) 4539 return err; 4540 4541 AVC_AUDIT_DATA_INIT(&ad, CAP); 4542 ad.u.cap = capability; 4543 4544 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, 4545 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad); 4546 } 4547 4548 static int ipc_alloc_security(struct task_struct *task, 4549 struct kern_ipc_perm *perm, 4550 u16 sclass) 4551 { 4552 struct task_security_struct *tsec = task->security; 4553 struct ipc_security_struct *isec; 4554 4555 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 4556 if (!isec) 4557 return -ENOMEM; 4558 4559 isec->sclass = sclass; 4560 isec->sid = tsec->sid; 4561 perm->security = isec; 4562 4563 return 0; 4564 } 4565 4566 static void ipc_free_security(struct kern_ipc_perm *perm) 4567 { 4568 struct ipc_security_struct *isec = perm->security; 4569 perm->security = NULL; 4570 kfree(isec); 4571 } 4572 4573 static int msg_msg_alloc_security(struct msg_msg *msg) 4574 { 4575 struct msg_security_struct *msec; 4576 4577 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 4578 if (!msec) 4579 return -ENOMEM; 4580 4581 msec->sid = SECINITSID_UNLABELED; 4582 msg->security = msec; 4583 4584 return 0; 4585 } 4586 4587 static void msg_msg_free_security(struct msg_msg *msg) 4588 { 4589 struct msg_security_struct *msec = msg->security; 4590 4591 msg->security = NULL; 4592 kfree(msec); 4593 } 4594 4595 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 4596 u32 perms) 4597 { 4598 struct task_security_struct *tsec; 4599 struct ipc_security_struct *isec; 4600 struct avc_audit_data ad; 4601 4602 tsec = current->security; 4603 isec = ipc_perms->security; 4604 4605 AVC_AUDIT_DATA_INIT(&ad, IPC); 4606 ad.u.ipc_id = ipc_perms->key; 4607 4608 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 4609 } 4610 4611 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 4612 { 4613 return msg_msg_alloc_security(msg); 4614 } 4615 4616 static void selinux_msg_msg_free_security(struct msg_msg *msg) 4617 { 4618 msg_msg_free_security(msg); 4619 } 4620 4621 /* message queue security operations */ 4622 static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 4623 { 4624 struct task_security_struct *tsec; 4625 struct ipc_security_struct *isec; 4626 struct avc_audit_data ad; 4627 int rc; 4628 4629 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ); 4630 if (rc) 4631 return rc; 4632 4633 tsec = current->security; 4634 isec = msq->q_perm.security; 4635 4636 AVC_AUDIT_DATA_INIT(&ad, IPC); 4637 ad.u.ipc_id = msq->q_perm.key; 4638 4639 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 4640 MSGQ__CREATE, &ad); 4641 if (rc) { 4642 ipc_free_security(&msq->q_perm); 4643 return rc; 4644 } 4645 return 0; 4646 } 4647 4648 static void selinux_msg_queue_free_security(struct msg_queue *msq) 4649 { 4650 ipc_free_security(&msq->q_perm); 4651 } 4652 4653 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 4654 { 4655 struct task_security_struct *tsec; 4656 struct ipc_security_struct *isec; 4657 struct avc_audit_data ad; 4658 4659 tsec = current->security; 4660 isec = msq->q_perm.security; 4661 4662 AVC_AUDIT_DATA_INIT(&ad, IPC); 4663 ad.u.ipc_id = msq->q_perm.key; 4664 4665 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 4666 MSGQ__ASSOCIATE, &ad); 4667 } 4668 4669 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 4670 { 4671 int err; 4672 int perms; 4673 4674 switch(cmd) { 4675 case IPC_INFO: 4676 case MSG_INFO: 4677 /* No specific object, just general system-wide information. */ 4678 return task_has_system(current, SYSTEM__IPC_INFO); 4679 case IPC_STAT: 4680 case MSG_STAT: 4681 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 4682 break; 4683 case IPC_SET: 4684 perms = MSGQ__SETATTR; 4685 break; 4686 case IPC_RMID: 4687 perms = MSGQ__DESTROY; 4688 break; 4689 default: 4690 return 0; 4691 } 4692 4693 err = ipc_has_perm(&msq->q_perm, perms); 4694 return err; 4695 } 4696 4697 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 4698 { 4699 struct task_security_struct *tsec; 4700 struct ipc_security_struct *isec; 4701 struct msg_security_struct *msec; 4702 struct avc_audit_data ad; 4703 int rc; 4704 4705 tsec = current->security; 4706 isec = msq->q_perm.security; 4707 msec = msg->security; 4708 4709 /* 4710 * First time through, need to assign label to the message 4711 */ 4712 if (msec->sid == SECINITSID_UNLABELED) { 4713 /* 4714 * Compute new sid based on current process and 4715 * message queue this message will be stored in 4716 */ 4717 rc = security_transition_sid(tsec->sid, 4718 isec->sid, 4719 SECCLASS_MSG, 4720 &msec->sid); 4721 if (rc) 4722 return rc; 4723 } 4724 4725 AVC_AUDIT_DATA_INIT(&ad, IPC); 4726 ad.u.ipc_id = msq->q_perm.key; 4727 4728 /* Can this process write to the queue? */ 4729 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 4730 MSGQ__WRITE, &ad); 4731 if (!rc) 4732 /* Can this process send the message */ 4733 rc = avc_has_perm(tsec->sid, msec->sid, 4734 SECCLASS_MSG, MSG__SEND, &ad); 4735 if (!rc) 4736 /* Can the message be put in the queue? */ 4737 rc = avc_has_perm(msec->sid, isec->sid, 4738 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad); 4739 4740 return rc; 4741 } 4742 4743 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 4744 struct task_struct *target, 4745 long type, int mode) 4746 { 4747 struct task_security_struct *tsec; 4748 struct ipc_security_struct *isec; 4749 struct msg_security_struct *msec; 4750 struct avc_audit_data ad; 4751 int rc; 4752 4753 tsec = target->security; 4754 isec = msq->q_perm.security; 4755 msec = msg->security; 4756 4757 AVC_AUDIT_DATA_INIT(&ad, IPC); 4758 ad.u.ipc_id = msq->q_perm.key; 4759 4760 rc = avc_has_perm(tsec->sid, isec->sid, 4761 SECCLASS_MSGQ, MSGQ__READ, &ad); 4762 if (!rc) 4763 rc = avc_has_perm(tsec->sid, msec->sid, 4764 SECCLASS_MSG, MSG__RECEIVE, &ad); 4765 return rc; 4766 } 4767 4768 /* Shared Memory security operations */ 4769 static int selinux_shm_alloc_security(struct shmid_kernel *shp) 4770 { 4771 struct task_security_struct *tsec; 4772 struct ipc_security_struct *isec; 4773 struct avc_audit_data ad; 4774 int rc; 4775 4776 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM); 4777 if (rc) 4778 return rc; 4779 4780 tsec = current->security; 4781 isec = shp->shm_perm.security; 4782 4783 AVC_AUDIT_DATA_INIT(&ad, IPC); 4784 ad.u.ipc_id = shp->shm_perm.key; 4785 4786 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 4787 SHM__CREATE, &ad); 4788 if (rc) { 4789 ipc_free_security(&shp->shm_perm); 4790 return rc; 4791 } 4792 return 0; 4793 } 4794 4795 static void selinux_shm_free_security(struct shmid_kernel *shp) 4796 { 4797 ipc_free_security(&shp->shm_perm); 4798 } 4799 4800 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 4801 { 4802 struct task_security_struct *tsec; 4803 struct ipc_security_struct *isec; 4804 struct avc_audit_data ad; 4805 4806 tsec = current->security; 4807 isec = shp->shm_perm.security; 4808 4809 AVC_AUDIT_DATA_INIT(&ad, IPC); 4810 ad.u.ipc_id = shp->shm_perm.key; 4811 4812 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 4813 SHM__ASSOCIATE, &ad); 4814 } 4815 4816 /* Note, at this point, shp is locked down */ 4817 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 4818 { 4819 int perms; 4820 int err; 4821 4822 switch(cmd) { 4823 case IPC_INFO: 4824 case SHM_INFO: 4825 /* No specific object, just general system-wide information. */ 4826 return task_has_system(current, SYSTEM__IPC_INFO); 4827 case IPC_STAT: 4828 case SHM_STAT: 4829 perms = SHM__GETATTR | SHM__ASSOCIATE; 4830 break; 4831 case IPC_SET: 4832 perms = SHM__SETATTR; 4833 break; 4834 case SHM_LOCK: 4835 case SHM_UNLOCK: 4836 perms = SHM__LOCK; 4837 break; 4838 case IPC_RMID: 4839 perms = SHM__DESTROY; 4840 break; 4841 default: 4842 return 0; 4843 } 4844 4845 err = ipc_has_perm(&shp->shm_perm, perms); 4846 return err; 4847 } 4848 4849 static int selinux_shm_shmat(struct shmid_kernel *shp, 4850 char __user *shmaddr, int shmflg) 4851 { 4852 u32 perms; 4853 int rc; 4854 4855 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg); 4856 if (rc) 4857 return rc; 4858 4859 if (shmflg & SHM_RDONLY) 4860 perms = SHM__READ; 4861 else 4862 perms = SHM__READ | SHM__WRITE; 4863 4864 return ipc_has_perm(&shp->shm_perm, perms); 4865 } 4866 4867 /* Semaphore security operations */ 4868 static int selinux_sem_alloc_security(struct sem_array *sma) 4869 { 4870 struct task_security_struct *tsec; 4871 struct ipc_security_struct *isec; 4872 struct avc_audit_data ad; 4873 int rc; 4874 4875 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM); 4876 if (rc) 4877 return rc; 4878 4879 tsec = current->security; 4880 isec = sma->sem_perm.security; 4881 4882 AVC_AUDIT_DATA_INIT(&ad, IPC); 4883 ad.u.ipc_id = sma->sem_perm.key; 4884 4885 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 4886 SEM__CREATE, &ad); 4887 if (rc) { 4888 ipc_free_security(&sma->sem_perm); 4889 return rc; 4890 } 4891 return 0; 4892 } 4893 4894 static void selinux_sem_free_security(struct sem_array *sma) 4895 { 4896 ipc_free_security(&sma->sem_perm); 4897 } 4898 4899 static int selinux_sem_associate(struct sem_array *sma, int semflg) 4900 { 4901 struct task_security_struct *tsec; 4902 struct ipc_security_struct *isec; 4903 struct avc_audit_data ad; 4904 4905 tsec = current->security; 4906 isec = sma->sem_perm.security; 4907 4908 AVC_AUDIT_DATA_INIT(&ad, IPC); 4909 ad.u.ipc_id = sma->sem_perm.key; 4910 4911 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 4912 SEM__ASSOCIATE, &ad); 4913 } 4914 4915 /* Note, at this point, sma is locked down */ 4916 static int selinux_sem_semctl(struct sem_array *sma, int cmd) 4917 { 4918 int err; 4919 u32 perms; 4920 4921 switch(cmd) { 4922 case IPC_INFO: 4923 case SEM_INFO: 4924 /* No specific object, just general system-wide information. */ 4925 return task_has_system(current, SYSTEM__IPC_INFO); 4926 case GETPID: 4927 case GETNCNT: 4928 case GETZCNT: 4929 perms = SEM__GETATTR; 4930 break; 4931 case GETVAL: 4932 case GETALL: 4933 perms = SEM__READ; 4934 break; 4935 case SETVAL: 4936 case SETALL: 4937 perms = SEM__WRITE; 4938 break; 4939 case IPC_RMID: 4940 perms = SEM__DESTROY; 4941 break; 4942 case IPC_SET: 4943 perms = SEM__SETATTR; 4944 break; 4945 case IPC_STAT: 4946 case SEM_STAT: 4947 perms = SEM__GETATTR | SEM__ASSOCIATE; 4948 break; 4949 default: 4950 return 0; 4951 } 4952 4953 err = ipc_has_perm(&sma->sem_perm, perms); 4954 return err; 4955 } 4956 4957 static int selinux_sem_semop(struct sem_array *sma, 4958 struct sembuf *sops, unsigned nsops, int alter) 4959 { 4960 u32 perms; 4961 4962 if (alter) 4963 perms = SEM__READ | SEM__WRITE; 4964 else 4965 perms = SEM__READ; 4966 4967 return ipc_has_perm(&sma->sem_perm, perms); 4968 } 4969 4970 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 4971 { 4972 u32 av = 0; 4973 4974 av = 0; 4975 if (flag & S_IRUGO) 4976 av |= IPC__UNIX_READ; 4977 if (flag & S_IWUGO) 4978 av |= IPC__UNIX_WRITE; 4979 4980 if (av == 0) 4981 return 0; 4982 4983 return ipc_has_perm(ipcp, av); 4984 } 4985 4986 /* module stacking operations */ 4987 static int selinux_register_security (const char *name, struct security_operations *ops) 4988 { 4989 if (secondary_ops != original_ops) { 4990 printk(KERN_ERR "%s: There is already a secondary security " 4991 "module registered.\n", __FUNCTION__); 4992 return -EINVAL; 4993 } 4994 4995 secondary_ops = ops; 4996 4997 printk(KERN_INFO "%s: Registering secondary module %s\n", 4998 __FUNCTION__, 4999 name); 5000 5001 return 0; 5002 } 5003 5004 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode) 5005 { 5006 if (inode) 5007 inode_doinit_with_dentry(inode, dentry); 5008 } 5009 5010 static int selinux_getprocattr(struct task_struct *p, 5011 char *name, char **value) 5012 { 5013 struct task_security_struct *tsec; 5014 u32 sid; 5015 int error; 5016 unsigned len; 5017 5018 if (current != p) { 5019 error = task_has_perm(current, p, PROCESS__GETATTR); 5020 if (error) 5021 return error; 5022 } 5023 5024 tsec = p->security; 5025 5026 if (!strcmp(name, "current")) 5027 sid = tsec->sid; 5028 else if (!strcmp(name, "prev")) 5029 sid = tsec->osid; 5030 else if (!strcmp(name, "exec")) 5031 sid = tsec->exec_sid; 5032 else if (!strcmp(name, "fscreate")) 5033 sid = tsec->create_sid; 5034 else if (!strcmp(name, "keycreate")) 5035 sid = tsec->keycreate_sid; 5036 else if (!strcmp(name, "sockcreate")) 5037 sid = tsec->sockcreate_sid; 5038 else 5039 return -EINVAL; 5040 5041 if (!sid) 5042 return 0; 5043 5044 error = security_sid_to_context(sid, value, &len); 5045 if (error) 5046 return error; 5047 return len; 5048 } 5049 5050 static int selinux_setprocattr(struct task_struct *p, 5051 char *name, void *value, size_t size) 5052 { 5053 struct task_security_struct *tsec; 5054 u32 sid = 0; 5055 int error; 5056 char *str = value; 5057 5058 if (current != p) { 5059 /* SELinux only allows a process to change its own 5060 security attributes. */ 5061 return -EACCES; 5062 } 5063 5064 /* 5065 * Basic control over ability to set these attributes at all. 5066 * current == p, but we'll pass them separately in case the 5067 * above restriction is ever removed. 5068 */ 5069 if (!strcmp(name, "exec")) 5070 error = task_has_perm(current, p, PROCESS__SETEXEC); 5071 else if (!strcmp(name, "fscreate")) 5072 error = task_has_perm(current, p, PROCESS__SETFSCREATE); 5073 else if (!strcmp(name, "keycreate")) 5074 error = task_has_perm(current, p, PROCESS__SETKEYCREATE); 5075 else if (!strcmp(name, "sockcreate")) 5076 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE); 5077 else if (!strcmp(name, "current")) 5078 error = task_has_perm(current, p, PROCESS__SETCURRENT); 5079 else 5080 error = -EINVAL; 5081 if (error) 5082 return error; 5083 5084 /* Obtain a SID for the context, if one was specified. */ 5085 if (size && str[1] && str[1] != '\n') { 5086 if (str[size-1] == '\n') { 5087 str[size-1] = 0; 5088 size--; 5089 } 5090 error = security_context_to_sid(value, size, &sid); 5091 if (error) 5092 return error; 5093 } 5094 5095 /* Permission checking based on the specified context is 5096 performed during the actual operation (execve, 5097 open/mkdir/...), when we know the full context of the 5098 operation. See selinux_bprm_set_security for the execve 5099 checks and may_create for the file creation checks. The 5100 operation will then fail if the context is not permitted. */ 5101 tsec = p->security; 5102 if (!strcmp(name, "exec")) 5103 tsec->exec_sid = sid; 5104 else if (!strcmp(name, "fscreate")) 5105 tsec->create_sid = sid; 5106 else if (!strcmp(name, "keycreate")) { 5107 error = may_create_key(sid, p); 5108 if (error) 5109 return error; 5110 tsec->keycreate_sid = sid; 5111 } else if (!strcmp(name, "sockcreate")) 5112 tsec->sockcreate_sid = sid; 5113 else if (!strcmp(name, "current")) { 5114 struct av_decision avd; 5115 5116 if (sid == 0) 5117 return -EINVAL; 5118 5119 /* Only allow single threaded processes to change context */ 5120 if (atomic_read(&p->mm->mm_users) != 1) { 5121 struct task_struct *g, *t; 5122 struct mm_struct *mm = p->mm; 5123 read_lock(&tasklist_lock); 5124 do_each_thread(g, t) 5125 if (t->mm == mm && t != p) { 5126 read_unlock(&tasklist_lock); 5127 return -EPERM; 5128 } 5129 while_each_thread(g, t); 5130 read_unlock(&tasklist_lock); 5131 } 5132 5133 /* Check permissions for the transition. */ 5134 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 5135 PROCESS__DYNTRANSITION, NULL); 5136 if (error) 5137 return error; 5138 5139 /* Check for ptracing, and update the task SID if ok. 5140 Otherwise, leave SID unchanged and fail. */ 5141 task_lock(p); 5142 if (p->ptrace & PT_PTRACED) { 5143 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid, 5144 SECCLASS_PROCESS, 5145 PROCESS__PTRACE, 0, &avd); 5146 if (!error) 5147 tsec->sid = sid; 5148 task_unlock(p); 5149 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS, 5150 PROCESS__PTRACE, &avd, error, NULL); 5151 if (error) 5152 return error; 5153 } else { 5154 tsec->sid = sid; 5155 task_unlock(p); 5156 } 5157 } 5158 else 5159 return -EINVAL; 5160 5161 return size; 5162 } 5163 5164 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 5165 { 5166 return security_sid_to_context(secid, secdata, seclen); 5167 } 5168 5169 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid) 5170 { 5171 return security_context_to_sid(secdata, seclen, secid); 5172 } 5173 5174 static void selinux_release_secctx(char *secdata, u32 seclen) 5175 { 5176 kfree(secdata); 5177 } 5178 5179 #ifdef CONFIG_KEYS 5180 5181 static int selinux_key_alloc(struct key *k, struct task_struct *tsk, 5182 unsigned long flags) 5183 { 5184 struct task_security_struct *tsec = tsk->security; 5185 struct key_security_struct *ksec; 5186 5187 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 5188 if (!ksec) 5189 return -ENOMEM; 5190 5191 if (tsec->keycreate_sid) 5192 ksec->sid = tsec->keycreate_sid; 5193 else 5194 ksec->sid = tsec->sid; 5195 k->security = ksec; 5196 5197 return 0; 5198 } 5199 5200 static void selinux_key_free(struct key *k) 5201 { 5202 struct key_security_struct *ksec = k->security; 5203 5204 k->security = NULL; 5205 kfree(ksec); 5206 } 5207 5208 static int selinux_key_permission(key_ref_t key_ref, 5209 struct task_struct *ctx, 5210 key_perm_t perm) 5211 { 5212 struct key *key; 5213 struct task_security_struct *tsec; 5214 struct key_security_struct *ksec; 5215 5216 key = key_ref_to_ptr(key_ref); 5217 5218 tsec = ctx->security; 5219 ksec = key->security; 5220 5221 /* if no specific permissions are requested, we skip the 5222 permission check. No serious, additional covert channels 5223 appear to be created. */ 5224 if (perm == 0) 5225 return 0; 5226 5227 return avc_has_perm(tsec->sid, ksec->sid, 5228 SECCLASS_KEY, perm, NULL); 5229 } 5230 5231 #endif 5232 5233 static struct security_operations selinux_ops = { 5234 .ptrace = selinux_ptrace, 5235 .capget = selinux_capget, 5236 .capset_check = selinux_capset_check, 5237 .capset_set = selinux_capset_set, 5238 .sysctl = selinux_sysctl, 5239 .capable = selinux_capable, 5240 .quotactl = selinux_quotactl, 5241 .quota_on = selinux_quota_on, 5242 .syslog = selinux_syslog, 5243 .vm_enough_memory = selinux_vm_enough_memory, 5244 5245 .netlink_send = selinux_netlink_send, 5246 .netlink_recv = selinux_netlink_recv, 5247 5248 .bprm_alloc_security = selinux_bprm_alloc_security, 5249 .bprm_free_security = selinux_bprm_free_security, 5250 .bprm_apply_creds = selinux_bprm_apply_creds, 5251 .bprm_post_apply_creds = selinux_bprm_post_apply_creds, 5252 .bprm_set_security = selinux_bprm_set_security, 5253 .bprm_check_security = selinux_bprm_check_security, 5254 .bprm_secureexec = selinux_bprm_secureexec, 5255 5256 .sb_alloc_security = selinux_sb_alloc_security, 5257 .sb_free_security = selinux_sb_free_security, 5258 .sb_copy_data = selinux_sb_copy_data, 5259 .sb_kern_mount = selinux_sb_kern_mount, 5260 .sb_statfs = selinux_sb_statfs, 5261 .sb_mount = selinux_mount, 5262 .sb_umount = selinux_umount, 5263 .sb_get_mnt_opts = selinux_get_mnt_opts, 5264 .sb_set_mnt_opts = selinux_set_mnt_opts, 5265 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts, 5266 .sb_parse_opts_str = selinux_parse_opts_str, 5267 5268 5269 .inode_alloc_security = selinux_inode_alloc_security, 5270 .inode_free_security = selinux_inode_free_security, 5271 .inode_init_security = selinux_inode_init_security, 5272 .inode_create = selinux_inode_create, 5273 .inode_link = selinux_inode_link, 5274 .inode_unlink = selinux_inode_unlink, 5275 .inode_symlink = selinux_inode_symlink, 5276 .inode_mkdir = selinux_inode_mkdir, 5277 .inode_rmdir = selinux_inode_rmdir, 5278 .inode_mknod = selinux_inode_mknod, 5279 .inode_rename = selinux_inode_rename, 5280 .inode_readlink = selinux_inode_readlink, 5281 .inode_follow_link = selinux_inode_follow_link, 5282 .inode_permission = selinux_inode_permission, 5283 .inode_setattr = selinux_inode_setattr, 5284 .inode_getattr = selinux_inode_getattr, 5285 .inode_setxattr = selinux_inode_setxattr, 5286 .inode_post_setxattr = selinux_inode_post_setxattr, 5287 .inode_getxattr = selinux_inode_getxattr, 5288 .inode_listxattr = selinux_inode_listxattr, 5289 .inode_removexattr = selinux_inode_removexattr, 5290 .inode_getsecurity = selinux_inode_getsecurity, 5291 .inode_setsecurity = selinux_inode_setsecurity, 5292 .inode_listsecurity = selinux_inode_listsecurity, 5293 .inode_need_killpriv = selinux_inode_need_killpriv, 5294 .inode_killpriv = selinux_inode_killpriv, 5295 5296 .file_permission = selinux_file_permission, 5297 .file_alloc_security = selinux_file_alloc_security, 5298 .file_free_security = selinux_file_free_security, 5299 .file_ioctl = selinux_file_ioctl, 5300 .file_mmap = selinux_file_mmap, 5301 .file_mprotect = selinux_file_mprotect, 5302 .file_lock = selinux_file_lock, 5303 .file_fcntl = selinux_file_fcntl, 5304 .file_set_fowner = selinux_file_set_fowner, 5305 .file_send_sigiotask = selinux_file_send_sigiotask, 5306 .file_receive = selinux_file_receive, 5307 5308 .dentry_open = selinux_dentry_open, 5309 5310 .task_create = selinux_task_create, 5311 .task_alloc_security = selinux_task_alloc_security, 5312 .task_free_security = selinux_task_free_security, 5313 .task_setuid = selinux_task_setuid, 5314 .task_post_setuid = selinux_task_post_setuid, 5315 .task_setgid = selinux_task_setgid, 5316 .task_setpgid = selinux_task_setpgid, 5317 .task_getpgid = selinux_task_getpgid, 5318 .task_getsid = selinux_task_getsid, 5319 .task_getsecid = selinux_task_getsecid, 5320 .task_setgroups = selinux_task_setgroups, 5321 .task_setnice = selinux_task_setnice, 5322 .task_setioprio = selinux_task_setioprio, 5323 .task_getioprio = selinux_task_getioprio, 5324 .task_setrlimit = selinux_task_setrlimit, 5325 .task_setscheduler = selinux_task_setscheduler, 5326 .task_getscheduler = selinux_task_getscheduler, 5327 .task_movememory = selinux_task_movememory, 5328 .task_kill = selinux_task_kill, 5329 .task_wait = selinux_task_wait, 5330 .task_prctl = selinux_task_prctl, 5331 .task_reparent_to_init = selinux_task_reparent_to_init, 5332 .task_to_inode = selinux_task_to_inode, 5333 5334 .ipc_permission = selinux_ipc_permission, 5335 5336 .msg_msg_alloc_security = selinux_msg_msg_alloc_security, 5337 .msg_msg_free_security = selinux_msg_msg_free_security, 5338 5339 .msg_queue_alloc_security = selinux_msg_queue_alloc_security, 5340 .msg_queue_free_security = selinux_msg_queue_free_security, 5341 .msg_queue_associate = selinux_msg_queue_associate, 5342 .msg_queue_msgctl = selinux_msg_queue_msgctl, 5343 .msg_queue_msgsnd = selinux_msg_queue_msgsnd, 5344 .msg_queue_msgrcv = selinux_msg_queue_msgrcv, 5345 5346 .shm_alloc_security = selinux_shm_alloc_security, 5347 .shm_free_security = selinux_shm_free_security, 5348 .shm_associate = selinux_shm_associate, 5349 .shm_shmctl = selinux_shm_shmctl, 5350 .shm_shmat = selinux_shm_shmat, 5351 5352 .sem_alloc_security = selinux_sem_alloc_security, 5353 .sem_free_security = selinux_sem_free_security, 5354 .sem_associate = selinux_sem_associate, 5355 .sem_semctl = selinux_sem_semctl, 5356 .sem_semop = selinux_sem_semop, 5357 5358 .register_security = selinux_register_security, 5359 5360 .d_instantiate = selinux_d_instantiate, 5361 5362 .getprocattr = selinux_getprocattr, 5363 .setprocattr = selinux_setprocattr, 5364 5365 .secid_to_secctx = selinux_secid_to_secctx, 5366 .secctx_to_secid = selinux_secctx_to_secid, 5367 .release_secctx = selinux_release_secctx, 5368 5369 .unix_stream_connect = selinux_socket_unix_stream_connect, 5370 .unix_may_send = selinux_socket_unix_may_send, 5371 5372 .socket_create = selinux_socket_create, 5373 .socket_post_create = selinux_socket_post_create, 5374 .socket_bind = selinux_socket_bind, 5375 .socket_connect = selinux_socket_connect, 5376 .socket_listen = selinux_socket_listen, 5377 .socket_accept = selinux_socket_accept, 5378 .socket_sendmsg = selinux_socket_sendmsg, 5379 .socket_recvmsg = selinux_socket_recvmsg, 5380 .socket_getsockname = selinux_socket_getsockname, 5381 .socket_getpeername = selinux_socket_getpeername, 5382 .socket_getsockopt = selinux_socket_getsockopt, 5383 .socket_setsockopt = selinux_socket_setsockopt, 5384 .socket_shutdown = selinux_socket_shutdown, 5385 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb, 5386 .socket_getpeersec_stream = selinux_socket_getpeersec_stream, 5387 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram, 5388 .sk_alloc_security = selinux_sk_alloc_security, 5389 .sk_free_security = selinux_sk_free_security, 5390 .sk_clone_security = selinux_sk_clone_security, 5391 .sk_getsecid = selinux_sk_getsecid, 5392 .sock_graft = selinux_sock_graft, 5393 .inet_conn_request = selinux_inet_conn_request, 5394 .inet_csk_clone = selinux_inet_csk_clone, 5395 .inet_conn_established = selinux_inet_conn_established, 5396 .req_classify_flow = selinux_req_classify_flow, 5397 5398 #ifdef CONFIG_SECURITY_NETWORK_XFRM 5399 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, 5400 .xfrm_policy_clone_security = selinux_xfrm_policy_clone, 5401 .xfrm_policy_free_security = selinux_xfrm_policy_free, 5402 .xfrm_policy_delete_security = selinux_xfrm_policy_delete, 5403 .xfrm_state_alloc_security = selinux_xfrm_state_alloc, 5404 .xfrm_state_free_security = selinux_xfrm_state_free, 5405 .xfrm_state_delete_security = selinux_xfrm_state_delete, 5406 .xfrm_policy_lookup = selinux_xfrm_policy_lookup, 5407 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match, 5408 .xfrm_decode_session = selinux_xfrm_decode_session, 5409 #endif 5410 5411 #ifdef CONFIG_KEYS 5412 .key_alloc = selinux_key_alloc, 5413 .key_free = selinux_key_free, 5414 .key_permission = selinux_key_permission, 5415 #endif 5416 }; 5417 5418 static __init int selinux_init(void) 5419 { 5420 struct task_security_struct *tsec; 5421 5422 if (!selinux_enabled) { 5423 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 5424 return 0; 5425 } 5426 5427 printk(KERN_INFO "SELinux: Initializing.\n"); 5428 5429 /* Set the security state for the initial task. */ 5430 if (task_alloc_security(current)) 5431 panic("SELinux: Failed to initialize initial task.\n"); 5432 tsec = current->security; 5433 tsec->osid = tsec->sid = SECINITSID_KERNEL; 5434 5435 sel_inode_cache = kmem_cache_create("selinux_inode_security", 5436 sizeof(struct inode_security_struct), 5437 0, SLAB_PANIC, NULL); 5438 avc_init(); 5439 5440 original_ops = secondary_ops = security_ops; 5441 if (!secondary_ops) 5442 panic ("SELinux: No initial security operations\n"); 5443 if (register_security (&selinux_ops)) 5444 panic("SELinux: Unable to register with kernel.\n"); 5445 5446 if (selinux_enforcing) { 5447 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 5448 } else { 5449 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 5450 } 5451 5452 #ifdef CONFIG_KEYS 5453 /* Add security information to initial keyrings */ 5454 selinux_key_alloc(&root_user_keyring, current, 5455 KEY_ALLOC_NOT_IN_QUOTA); 5456 selinux_key_alloc(&root_session_keyring, current, 5457 KEY_ALLOC_NOT_IN_QUOTA); 5458 #endif 5459 5460 return 0; 5461 } 5462 5463 void selinux_complete_init(void) 5464 { 5465 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 5466 5467 /* Set up any superblocks initialized prior to the policy load. */ 5468 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 5469 spin_lock(&sb_lock); 5470 spin_lock(&sb_security_lock); 5471 next_sb: 5472 if (!list_empty(&superblock_security_head)) { 5473 struct superblock_security_struct *sbsec = 5474 list_entry(superblock_security_head.next, 5475 struct superblock_security_struct, 5476 list); 5477 struct super_block *sb = sbsec->sb; 5478 sb->s_count++; 5479 spin_unlock(&sb_security_lock); 5480 spin_unlock(&sb_lock); 5481 down_read(&sb->s_umount); 5482 if (sb->s_root) 5483 superblock_doinit(sb, NULL); 5484 drop_super(sb); 5485 spin_lock(&sb_lock); 5486 spin_lock(&sb_security_lock); 5487 list_del_init(&sbsec->list); 5488 goto next_sb; 5489 } 5490 spin_unlock(&sb_security_lock); 5491 spin_unlock(&sb_lock); 5492 } 5493 5494 /* SELinux requires early initialization in order to label 5495 all processes and objects when they are created. */ 5496 security_initcall(selinux_init); 5497 5498 #if defined(CONFIG_NETFILTER) 5499 5500 static struct nf_hook_ops selinux_ipv4_ops[] = { 5501 { 5502 .hook = selinux_ipv4_postroute, 5503 .owner = THIS_MODULE, 5504 .pf = PF_INET, 5505 .hooknum = NF_INET_POST_ROUTING, 5506 .priority = NF_IP_PRI_SELINUX_LAST, 5507 }, 5508 { 5509 .hook = selinux_ipv4_forward, 5510 .owner = THIS_MODULE, 5511 .pf = PF_INET, 5512 .hooknum = NF_INET_FORWARD, 5513 .priority = NF_IP_PRI_SELINUX_FIRST, 5514 } 5515 }; 5516 5517 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5518 5519 static struct nf_hook_ops selinux_ipv6_ops[] = { 5520 { 5521 .hook = selinux_ipv6_postroute, 5522 .owner = THIS_MODULE, 5523 .pf = PF_INET6, 5524 .hooknum = NF_INET_POST_ROUTING, 5525 .priority = NF_IP6_PRI_SELINUX_LAST, 5526 }, 5527 { 5528 .hook = selinux_ipv6_forward, 5529 .owner = THIS_MODULE, 5530 .pf = PF_INET6, 5531 .hooknum = NF_INET_FORWARD, 5532 .priority = NF_IP6_PRI_SELINUX_FIRST, 5533 } 5534 }; 5535 5536 #endif /* IPV6 */ 5537 5538 static int __init selinux_nf_ip_init(void) 5539 { 5540 int err = 0; 5541 u32 iter; 5542 5543 if (!selinux_enabled) 5544 goto out; 5545 5546 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 5547 5548 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) { 5549 err = nf_register_hook(&selinux_ipv4_ops[iter]); 5550 if (err) 5551 panic("SELinux: nf_register_hook for IPv4: error %d\n", 5552 err); 5553 } 5554 5555 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5556 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) { 5557 err = nf_register_hook(&selinux_ipv6_ops[iter]); 5558 if (err) 5559 panic("SELinux: nf_register_hook for IPv6: error %d\n", 5560 err); 5561 } 5562 #endif /* IPV6 */ 5563 5564 out: 5565 return err; 5566 } 5567 5568 __initcall(selinux_nf_ip_init); 5569 5570 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 5571 static void selinux_nf_ip_exit(void) 5572 { 5573 u32 iter; 5574 5575 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 5576 5577 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) 5578 nf_unregister_hook(&selinux_ipv4_ops[iter]); 5579 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5580 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) 5581 nf_unregister_hook(&selinux_ipv6_ops[iter]); 5582 #endif /* IPV6 */ 5583 } 5584 #endif 5585 5586 #else /* CONFIG_NETFILTER */ 5587 5588 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 5589 #define selinux_nf_ip_exit() 5590 #endif 5591 5592 #endif /* CONFIG_NETFILTER */ 5593 5594 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 5595 int selinux_disable(void) 5596 { 5597 extern void exit_sel_fs(void); 5598 static int selinux_disabled = 0; 5599 5600 if (ss_initialized) { 5601 /* Not permitted after initial policy load. */ 5602 return -EINVAL; 5603 } 5604 5605 if (selinux_disabled) { 5606 /* Only do this once. */ 5607 return -EINVAL; 5608 } 5609 5610 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 5611 5612 selinux_disabled = 1; 5613 selinux_enabled = 0; 5614 5615 /* Reset security_ops to the secondary module, dummy or capability. */ 5616 security_ops = secondary_ops; 5617 5618 /* Unregister netfilter hooks. */ 5619 selinux_nf_ip_exit(); 5620 5621 /* Unregister selinuxfs. */ 5622 exit_sel_fs(); 5623 5624 return 0; 5625 } 5626 #endif 5627 5628 5629