1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 14 * <dgoeddel@trustedcs.com> 15 * Copyright (C) 2006 Hewlett-Packard Development Company, L.P. 16 * Paul Moore, <paul.moore@hp.com> 17 * 18 * This program is free software; you can redistribute it and/or modify 19 * it under the terms of the GNU General Public License version 2, 20 * as published by the Free Software Foundation. 21 */ 22 23 #include <linux/module.h> 24 #include <linux/init.h> 25 #include <linux/kernel.h> 26 #include <linux/ptrace.h> 27 #include <linux/errno.h> 28 #include <linux/sched.h> 29 #include <linux/security.h> 30 #include <linux/xattr.h> 31 #include <linux/capability.h> 32 #include <linux/unistd.h> 33 #include <linux/mm.h> 34 #include <linux/mman.h> 35 #include <linux/slab.h> 36 #include <linux/pagemap.h> 37 #include <linux/swap.h> 38 #include <linux/smp_lock.h> 39 #include <linux/spinlock.h> 40 #include <linux/syscalls.h> 41 #include <linux/file.h> 42 #include <linux/namei.h> 43 #include <linux/mount.h> 44 #include <linux/ext2_fs.h> 45 #include <linux/proc_fs.h> 46 #include <linux/kd.h> 47 #include <linux/netfilter_ipv4.h> 48 #include <linux/netfilter_ipv6.h> 49 #include <linux/tty.h> 50 #include <net/icmp.h> 51 #include <net/ip.h> /* for sysctl_local_port_range[] */ 52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 53 #include <asm/uaccess.h> 54 #include <asm/semaphore.h> 55 #include <asm/ioctls.h> 56 #include <linux/bitops.h> 57 #include <linux/interrupt.h> 58 #include <linux/netdevice.h> /* for network interface checks */ 59 #include <linux/netlink.h> 60 #include <linux/tcp.h> 61 #include <linux/udp.h> 62 #include <linux/quota.h> 63 #include <linux/un.h> /* for Unix socket types */ 64 #include <net/af_unix.h> /* for Unix socket types */ 65 #include <linux/parser.h> 66 #include <linux/nfs_mount.h> 67 #include <net/ipv6.h> 68 #include <linux/hugetlb.h> 69 #include <linux/personality.h> 70 #include <linux/sysctl.h> 71 #include <linux/audit.h> 72 #include <linux/string.h> 73 #include <linux/selinux.h> 74 75 #include "avc.h" 76 #include "objsec.h" 77 #include "netif.h" 78 #include "xfrm.h" 79 #include "selinux_netlabel.h" 80 81 #define XATTR_SELINUX_SUFFIX "selinux" 82 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX 83 84 extern unsigned int policydb_loaded_version; 85 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); 86 extern int selinux_compat_net; 87 88 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 89 int selinux_enforcing = 0; 90 91 static int __init enforcing_setup(char *str) 92 { 93 selinux_enforcing = simple_strtol(str,NULL,0); 94 return 1; 95 } 96 __setup("enforcing=", enforcing_setup); 97 #endif 98 99 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 100 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 101 102 static int __init selinux_enabled_setup(char *str) 103 { 104 selinux_enabled = simple_strtol(str, NULL, 0); 105 return 1; 106 } 107 __setup("selinux=", selinux_enabled_setup); 108 #else 109 int selinux_enabled = 1; 110 #endif 111 112 /* Original (dummy) security module. */ 113 static struct security_operations *original_ops = NULL; 114 115 /* Minimal support for a secondary security module, 116 just to allow the use of the dummy or capability modules. 117 The owlsm module can alternatively be used as a secondary 118 module as long as CONFIG_OWLSM_FD is not enabled. */ 119 static struct security_operations *secondary_ops = NULL; 120 121 /* Lists of inode and superblock security structures initialized 122 before the policy was loaded. */ 123 static LIST_HEAD(superblock_security_head); 124 static DEFINE_SPINLOCK(sb_security_lock); 125 126 static kmem_cache_t *sel_inode_cache; 127 128 /* Return security context for a given sid or just the context 129 length if the buffer is null or length is 0 */ 130 static int selinux_getsecurity(u32 sid, void *buffer, size_t size) 131 { 132 char *context; 133 unsigned len; 134 int rc; 135 136 rc = security_sid_to_context(sid, &context, &len); 137 if (rc) 138 return rc; 139 140 if (!buffer || !size) 141 goto getsecurity_exit; 142 143 if (size < len) { 144 len = -ERANGE; 145 goto getsecurity_exit; 146 } 147 memcpy(buffer, context, len); 148 149 getsecurity_exit: 150 kfree(context); 151 return len; 152 } 153 154 /* Allocate and free functions for each kind of security blob. */ 155 156 static int task_alloc_security(struct task_struct *task) 157 { 158 struct task_security_struct *tsec; 159 160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 161 if (!tsec) 162 return -ENOMEM; 163 164 tsec->task = task; 165 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED; 166 task->security = tsec; 167 168 return 0; 169 } 170 171 static void task_free_security(struct task_struct *task) 172 { 173 struct task_security_struct *tsec = task->security; 174 task->security = NULL; 175 kfree(tsec); 176 } 177 178 static int inode_alloc_security(struct inode *inode) 179 { 180 struct task_security_struct *tsec = current->security; 181 struct inode_security_struct *isec; 182 183 isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL); 184 if (!isec) 185 return -ENOMEM; 186 187 memset(isec, 0, sizeof(*isec)); 188 init_MUTEX(&isec->sem); 189 INIT_LIST_HEAD(&isec->list); 190 isec->inode = inode; 191 isec->sid = SECINITSID_UNLABELED; 192 isec->sclass = SECCLASS_FILE; 193 isec->task_sid = tsec->sid; 194 inode->i_security = isec; 195 196 return 0; 197 } 198 199 static void inode_free_security(struct inode *inode) 200 { 201 struct inode_security_struct *isec = inode->i_security; 202 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 203 204 spin_lock(&sbsec->isec_lock); 205 if (!list_empty(&isec->list)) 206 list_del_init(&isec->list); 207 spin_unlock(&sbsec->isec_lock); 208 209 inode->i_security = NULL; 210 kmem_cache_free(sel_inode_cache, isec); 211 } 212 213 static int file_alloc_security(struct file *file) 214 { 215 struct task_security_struct *tsec = current->security; 216 struct file_security_struct *fsec; 217 218 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); 219 if (!fsec) 220 return -ENOMEM; 221 222 fsec->file = file; 223 fsec->sid = tsec->sid; 224 fsec->fown_sid = tsec->sid; 225 file->f_security = fsec; 226 227 return 0; 228 } 229 230 static void file_free_security(struct file *file) 231 { 232 struct file_security_struct *fsec = file->f_security; 233 file->f_security = NULL; 234 kfree(fsec); 235 } 236 237 static int superblock_alloc_security(struct super_block *sb) 238 { 239 struct superblock_security_struct *sbsec; 240 241 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 242 if (!sbsec) 243 return -ENOMEM; 244 245 init_MUTEX(&sbsec->sem); 246 INIT_LIST_HEAD(&sbsec->list); 247 INIT_LIST_HEAD(&sbsec->isec_head); 248 spin_lock_init(&sbsec->isec_lock); 249 sbsec->sb = sb; 250 sbsec->sid = SECINITSID_UNLABELED; 251 sbsec->def_sid = SECINITSID_FILE; 252 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 253 sb->s_security = sbsec; 254 255 return 0; 256 } 257 258 static void superblock_free_security(struct super_block *sb) 259 { 260 struct superblock_security_struct *sbsec = sb->s_security; 261 262 spin_lock(&sb_security_lock); 263 if (!list_empty(&sbsec->list)) 264 list_del_init(&sbsec->list); 265 spin_unlock(&sb_security_lock); 266 267 sb->s_security = NULL; 268 kfree(sbsec); 269 } 270 271 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority) 272 { 273 struct sk_security_struct *ssec; 274 275 ssec = kzalloc(sizeof(*ssec), priority); 276 if (!ssec) 277 return -ENOMEM; 278 279 ssec->sk = sk; 280 ssec->peer_sid = SECINITSID_UNLABELED; 281 ssec->sid = SECINITSID_UNLABELED; 282 sk->sk_security = ssec; 283 284 return 0; 285 } 286 287 static void sk_free_security(struct sock *sk) 288 { 289 struct sk_security_struct *ssec = sk->sk_security; 290 291 sk->sk_security = NULL; 292 kfree(ssec); 293 } 294 295 /* The security server must be initialized before 296 any labeling or access decisions can be provided. */ 297 extern int ss_initialized; 298 299 /* The file system's label must be initialized prior to use. */ 300 301 static char *labeling_behaviors[6] = { 302 "uses xattr", 303 "uses transition SIDs", 304 "uses task SIDs", 305 "uses genfs_contexts", 306 "not configured for labeling", 307 "uses mountpoint labeling", 308 }; 309 310 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 311 312 static inline int inode_doinit(struct inode *inode) 313 { 314 return inode_doinit_with_dentry(inode, NULL); 315 } 316 317 enum { 318 Opt_context = 1, 319 Opt_fscontext = 2, 320 Opt_defcontext = 4, 321 Opt_rootcontext = 8, 322 }; 323 324 static match_table_t tokens = { 325 {Opt_context, "context=%s"}, 326 {Opt_fscontext, "fscontext=%s"}, 327 {Opt_defcontext, "defcontext=%s"}, 328 {Opt_rootcontext, "rootcontext=%s"}, 329 }; 330 331 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 332 333 static int may_context_mount_sb_relabel(u32 sid, 334 struct superblock_security_struct *sbsec, 335 struct task_security_struct *tsec) 336 { 337 int rc; 338 339 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 340 FILESYSTEM__RELABELFROM, NULL); 341 if (rc) 342 return rc; 343 344 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 345 FILESYSTEM__RELABELTO, NULL); 346 return rc; 347 } 348 349 static int may_context_mount_inode_relabel(u32 sid, 350 struct superblock_security_struct *sbsec, 351 struct task_security_struct *tsec) 352 { 353 int rc; 354 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 355 FILESYSTEM__RELABELFROM, NULL); 356 if (rc) 357 return rc; 358 359 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 360 FILESYSTEM__ASSOCIATE, NULL); 361 return rc; 362 } 363 364 static int try_context_mount(struct super_block *sb, void *data) 365 { 366 char *context = NULL, *defcontext = NULL; 367 char *fscontext = NULL, *rootcontext = NULL; 368 const char *name; 369 u32 sid; 370 int alloc = 0, rc = 0, seen = 0; 371 struct task_security_struct *tsec = current->security; 372 struct superblock_security_struct *sbsec = sb->s_security; 373 374 if (!data) 375 goto out; 376 377 name = sb->s_type->name; 378 379 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) { 380 381 /* NFS we understand. */ 382 if (!strcmp(name, "nfs")) { 383 struct nfs_mount_data *d = data; 384 385 if (d->version < NFS_MOUNT_VERSION) 386 goto out; 387 388 if (d->context[0]) { 389 context = d->context; 390 seen |= Opt_context; 391 } 392 } else 393 goto out; 394 395 } else { 396 /* Standard string-based options. */ 397 char *p, *options = data; 398 399 while ((p = strsep(&options, ",")) != NULL) { 400 int token; 401 substring_t args[MAX_OPT_ARGS]; 402 403 if (!*p) 404 continue; 405 406 token = match_token(p, tokens, args); 407 408 switch (token) { 409 case Opt_context: 410 if (seen & (Opt_context|Opt_defcontext)) { 411 rc = -EINVAL; 412 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 413 goto out_free; 414 } 415 context = match_strdup(&args[0]); 416 if (!context) { 417 rc = -ENOMEM; 418 goto out_free; 419 } 420 if (!alloc) 421 alloc = 1; 422 seen |= Opt_context; 423 break; 424 425 case Opt_fscontext: 426 if (seen & Opt_fscontext) { 427 rc = -EINVAL; 428 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 429 goto out_free; 430 } 431 fscontext = match_strdup(&args[0]); 432 if (!fscontext) { 433 rc = -ENOMEM; 434 goto out_free; 435 } 436 if (!alloc) 437 alloc = 1; 438 seen |= Opt_fscontext; 439 break; 440 441 case Opt_rootcontext: 442 if (seen & Opt_rootcontext) { 443 rc = -EINVAL; 444 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 445 goto out_free; 446 } 447 rootcontext = match_strdup(&args[0]); 448 if (!rootcontext) { 449 rc = -ENOMEM; 450 goto out_free; 451 } 452 if (!alloc) 453 alloc = 1; 454 seen |= Opt_rootcontext; 455 break; 456 457 case Opt_defcontext: 458 if (sbsec->behavior != SECURITY_FS_USE_XATTR) { 459 rc = -EINVAL; 460 printk(KERN_WARNING "SELinux: " 461 "defcontext option is invalid " 462 "for this filesystem type\n"); 463 goto out_free; 464 } 465 if (seen & (Opt_context|Opt_defcontext)) { 466 rc = -EINVAL; 467 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 468 goto out_free; 469 } 470 defcontext = match_strdup(&args[0]); 471 if (!defcontext) { 472 rc = -ENOMEM; 473 goto out_free; 474 } 475 if (!alloc) 476 alloc = 1; 477 seen |= Opt_defcontext; 478 break; 479 480 default: 481 rc = -EINVAL; 482 printk(KERN_WARNING "SELinux: unknown mount " 483 "option\n"); 484 goto out_free; 485 486 } 487 } 488 } 489 490 if (!seen) 491 goto out; 492 493 /* sets the context of the superblock for the fs being mounted. */ 494 if (fscontext) { 495 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid); 496 if (rc) { 497 printk(KERN_WARNING "SELinux: security_context_to_sid" 498 "(%s) failed for (dev %s, type %s) errno=%d\n", 499 fscontext, sb->s_id, name, rc); 500 goto out_free; 501 } 502 503 rc = may_context_mount_sb_relabel(sid, sbsec, tsec); 504 if (rc) 505 goto out_free; 506 507 sbsec->sid = sid; 508 } 509 510 /* 511 * Switch to using mount point labeling behavior. 512 * sets the label used on all file below the mountpoint, and will set 513 * the superblock context if not already set. 514 */ 515 if (context) { 516 rc = security_context_to_sid(context, strlen(context), &sid); 517 if (rc) { 518 printk(KERN_WARNING "SELinux: security_context_to_sid" 519 "(%s) failed for (dev %s, type %s) errno=%d\n", 520 context, sb->s_id, name, rc); 521 goto out_free; 522 } 523 524 if (!fscontext) { 525 rc = may_context_mount_sb_relabel(sid, sbsec, tsec); 526 if (rc) 527 goto out_free; 528 sbsec->sid = sid; 529 } else { 530 rc = may_context_mount_inode_relabel(sid, sbsec, tsec); 531 if (rc) 532 goto out_free; 533 } 534 sbsec->mntpoint_sid = sid; 535 536 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 537 } 538 539 if (rootcontext) { 540 struct inode *inode = sb->s_root->d_inode; 541 struct inode_security_struct *isec = inode->i_security; 542 rc = security_context_to_sid(rootcontext, strlen(rootcontext), &sid); 543 if (rc) { 544 printk(KERN_WARNING "SELinux: security_context_to_sid" 545 "(%s) failed for (dev %s, type %s) errno=%d\n", 546 rootcontext, sb->s_id, name, rc); 547 goto out_free; 548 } 549 550 rc = may_context_mount_inode_relabel(sid, sbsec, tsec); 551 if (rc) 552 goto out_free; 553 554 isec->sid = sid; 555 isec->initialized = 1; 556 } 557 558 if (defcontext) { 559 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid); 560 if (rc) { 561 printk(KERN_WARNING "SELinux: security_context_to_sid" 562 "(%s) failed for (dev %s, type %s) errno=%d\n", 563 defcontext, sb->s_id, name, rc); 564 goto out_free; 565 } 566 567 if (sid == sbsec->def_sid) 568 goto out_free; 569 570 rc = may_context_mount_inode_relabel(sid, sbsec, tsec); 571 if (rc) 572 goto out_free; 573 574 sbsec->def_sid = sid; 575 } 576 577 out_free: 578 if (alloc) { 579 kfree(context); 580 kfree(defcontext); 581 kfree(fscontext); 582 kfree(rootcontext); 583 } 584 out: 585 return rc; 586 } 587 588 static int superblock_doinit(struct super_block *sb, void *data) 589 { 590 struct superblock_security_struct *sbsec = sb->s_security; 591 struct dentry *root = sb->s_root; 592 struct inode *inode = root->d_inode; 593 int rc = 0; 594 595 down(&sbsec->sem); 596 if (sbsec->initialized) 597 goto out; 598 599 if (!ss_initialized) { 600 /* Defer initialization until selinux_complete_init, 601 after the initial policy is loaded and the security 602 server is ready to handle calls. */ 603 spin_lock(&sb_security_lock); 604 if (list_empty(&sbsec->list)) 605 list_add(&sbsec->list, &superblock_security_head); 606 spin_unlock(&sb_security_lock); 607 goto out; 608 } 609 610 /* Determine the labeling behavior to use for this filesystem type. */ 611 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid); 612 if (rc) { 613 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", 614 __FUNCTION__, sb->s_type->name, rc); 615 goto out; 616 } 617 618 rc = try_context_mount(sb, data); 619 if (rc) 620 goto out; 621 622 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 623 /* Make sure that the xattr handler exists and that no 624 error other than -ENODATA is returned by getxattr on 625 the root directory. -ENODATA is ok, as this may be 626 the first boot of the SELinux kernel before we have 627 assigned xattr values to the filesystem. */ 628 if (!inode->i_op->getxattr) { 629 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 630 "xattr support\n", sb->s_id, sb->s_type->name); 631 rc = -EOPNOTSUPP; 632 goto out; 633 } 634 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0); 635 if (rc < 0 && rc != -ENODATA) { 636 if (rc == -EOPNOTSUPP) 637 printk(KERN_WARNING "SELinux: (dev %s, type " 638 "%s) has no security xattr handler\n", 639 sb->s_id, sb->s_type->name); 640 else 641 printk(KERN_WARNING "SELinux: (dev %s, type " 642 "%s) getxattr errno %d\n", sb->s_id, 643 sb->s_type->name, -rc); 644 goto out; 645 } 646 } 647 648 if (strcmp(sb->s_type->name, "proc") == 0) 649 sbsec->proc = 1; 650 651 sbsec->initialized = 1; 652 653 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) { 654 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n", 655 sb->s_id, sb->s_type->name); 656 } 657 else { 658 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n", 659 sb->s_id, sb->s_type->name, 660 labeling_behaviors[sbsec->behavior-1]); 661 } 662 663 /* Initialize the root inode. */ 664 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root); 665 666 /* Initialize any other inodes associated with the superblock, e.g. 667 inodes created prior to initial policy load or inodes created 668 during get_sb by a pseudo filesystem that directly 669 populates itself. */ 670 spin_lock(&sbsec->isec_lock); 671 next_inode: 672 if (!list_empty(&sbsec->isec_head)) { 673 struct inode_security_struct *isec = 674 list_entry(sbsec->isec_head.next, 675 struct inode_security_struct, list); 676 struct inode *inode = isec->inode; 677 spin_unlock(&sbsec->isec_lock); 678 inode = igrab(inode); 679 if (inode) { 680 if (!IS_PRIVATE (inode)) 681 inode_doinit(inode); 682 iput(inode); 683 } 684 spin_lock(&sbsec->isec_lock); 685 list_del_init(&isec->list); 686 goto next_inode; 687 } 688 spin_unlock(&sbsec->isec_lock); 689 out: 690 up(&sbsec->sem); 691 return rc; 692 } 693 694 static inline u16 inode_mode_to_security_class(umode_t mode) 695 { 696 switch (mode & S_IFMT) { 697 case S_IFSOCK: 698 return SECCLASS_SOCK_FILE; 699 case S_IFLNK: 700 return SECCLASS_LNK_FILE; 701 case S_IFREG: 702 return SECCLASS_FILE; 703 case S_IFBLK: 704 return SECCLASS_BLK_FILE; 705 case S_IFDIR: 706 return SECCLASS_DIR; 707 case S_IFCHR: 708 return SECCLASS_CHR_FILE; 709 case S_IFIFO: 710 return SECCLASS_FIFO_FILE; 711 712 } 713 714 return SECCLASS_FILE; 715 } 716 717 static inline int default_protocol_stream(int protocol) 718 { 719 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 720 } 721 722 static inline int default_protocol_dgram(int protocol) 723 { 724 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 725 } 726 727 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 728 { 729 switch (family) { 730 case PF_UNIX: 731 switch (type) { 732 case SOCK_STREAM: 733 case SOCK_SEQPACKET: 734 return SECCLASS_UNIX_STREAM_SOCKET; 735 case SOCK_DGRAM: 736 return SECCLASS_UNIX_DGRAM_SOCKET; 737 } 738 break; 739 case PF_INET: 740 case PF_INET6: 741 switch (type) { 742 case SOCK_STREAM: 743 if (default_protocol_stream(protocol)) 744 return SECCLASS_TCP_SOCKET; 745 else 746 return SECCLASS_RAWIP_SOCKET; 747 case SOCK_DGRAM: 748 if (default_protocol_dgram(protocol)) 749 return SECCLASS_UDP_SOCKET; 750 else 751 return SECCLASS_RAWIP_SOCKET; 752 default: 753 return SECCLASS_RAWIP_SOCKET; 754 } 755 break; 756 case PF_NETLINK: 757 switch (protocol) { 758 case NETLINK_ROUTE: 759 return SECCLASS_NETLINK_ROUTE_SOCKET; 760 case NETLINK_FIREWALL: 761 return SECCLASS_NETLINK_FIREWALL_SOCKET; 762 case NETLINK_INET_DIAG: 763 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 764 case NETLINK_NFLOG: 765 return SECCLASS_NETLINK_NFLOG_SOCKET; 766 case NETLINK_XFRM: 767 return SECCLASS_NETLINK_XFRM_SOCKET; 768 case NETLINK_SELINUX: 769 return SECCLASS_NETLINK_SELINUX_SOCKET; 770 case NETLINK_AUDIT: 771 return SECCLASS_NETLINK_AUDIT_SOCKET; 772 case NETLINK_IP6_FW: 773 return SECCLASS_NETLINK_IP6FW_SOCKET; 774 case NETLINK_DNRTMSG: 775 return SECCLASS_NETLINK_DNRT_SOCKET; 776 case NETLINK_KOBJECT_UEVENT: 777 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 778 default: 779 return SECCLASS_NETLINK_SOCKET; 780 } 781 case PF_PACKET: 782 return SECCLASS_PACKET_SOCKET; 783 case PF_KEY: 784 return SECCLASS_KEY_SOCKET; 785 case PF_APPLETALK: 786 return SECCLASS_APPLETALK_SOCKET; 787 } 788 789 return SECCLASS_SOCKET; 790 } 791 792 #ifdef CONFIG_PROC_FS 793 static int selinux_proc_get_sid(struct proc_dir_entry *de, 794 u16 tclass, 795 u32 *sid) 796 { 797 int buflen, rc; 798 char *buffer, *path, *end; 799 800 buffer = (char*)__get_free_page(GFP_KERNEL); 801 if (!buffer) 802 return -ENOMEM; 803 804 buflen = PAGE_SIZE; 805 end = buffer+buflen; 806 *--end = '\0'; 807 buflen--; 808 path = end-1; 809 *path = '/'; 810 while (de && de != de->parent) { 811 buflen -= de->namelen + 1; 812 if (buflen < 0) 813 break; 814 end -= de->namelen; 815 memcpy(end, de->name, de->namelen); 816 *--end = '/'; 817 path = end; 818 de = de->parent; 819 } 820 rc = security_genfs_sid("proc", path, tclass, sid); 821 free_page((unsigned long)buffer); 822 return rc; 823 } 824 #else 825 static int selinux_proc_get_sid(struct proc_dir_entry *de, 826 u16 tclass, 827 u32 *sid) 828 { 829 return -EINVAL; 830 } 831 #endif 832 833 /* The inode's security attributes must be initialized before first use. */ 834 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 835 { 836 struct superblock_security_struct *sbsec = NULL; 837 struct inode_security_struct *isec = inode->i_security; 838 u32 sid; 839 struct dentry *dentry; 840 #define INITCONTEXTLEN 255 841 char *context = NULL; 842 unsigned len = 0; 843 int rc = 0; 844 int hold_sem = 0; 845 846 if (isec->initialized) 847 goto out; 848 849 down(&isec->sem); 850 hold_sem = 1; 851 if (isec->initialized) 852 goto out; 853 854 sbsec = inode->i_sb->s_security; 855 if (!sbsec->initialized) { 856 /* Defer initialization until selinux_complete_init, 857 after the initial policy is loaded and the security 858 server is ready to handle calls. */ 859 spin_lock(&sbsec->isec_lock); 860 if (list_empty(&isec->list)) 861 list_add(&isec->list, &sbsec->isec_head); 862 spin_unlock(&sbsec->isec_lock); 863 goto out; 864 } 865 866 switch (sbsec->behavior) { 867 case SECURITY_FS_USE_XATTR: 868 if (!inode->i_op->getxattr) { 869 isec->sid = sbsec->def_sid; 870 break; 871 } 872 873 /* Need a dentry, since the xattr API requires one. 874 Life would be simpler if we could just pass the inode. */ 875 if (opt_dentry) { 876 /* Called from d_instantiate or d_splice_alias. */ 877 dentry = dget(opt_dentry); 878 } else { 879 /* Called from selinux_complete_init, try to find a dentry. */ 880 dentry = d_find_alias(inode); 881 } 882 if (!dentry) { 883 printk(KERN_WARNING "%s: no dentry for dev=%s " 884 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id, 885 inode->i_ino); 886 goto out; 887 } 888 889 len = INITCONTEXTLEN; 890 context = kmalloc(len, GFP_KERNEL); 891 if (!context) { 892 rc = -ENOMEM; 893 dput(dentry); 894 goto out; 895 } 896 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 897 context, len); 898 if (rc == -ERANGE) { 899 /* Need a larger buffer. Query for the right size. */ 900 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 901 NULL, 0); 902 if (rc < 0) { 903 dput(dentry); 904 goto out; 905 } 906 kfree(context); 907 len = rc; 908 context = kmalloc(len, GFP_KERNEL); 909 if (!context) { 910 rc = -ENOMEM; 911 dput(dentry); 912 goto out; 913 } 914 rc = inode->i_op->getxattr(dentry, 915 XATTR_NAME_SELINUX, 916 context, len); 917 } 918 dput(dentry); 919 if (rc < 0) { 920 if (rc != -ENODATA) { 921 printk(KERN_WARNING "%s: getxattr returned " 922 "%d for dev=%s ino=%ld\n", __FUNCTION__, 923 -rc, inode->i_sb->s_id, inode->i_ino); 924 kfree(context); 925 goto out; 926 } 927 /* Map ENODATA to the default file SID */ 928 sid = sbsec->def_sid; 929 rc = 0; 930 } else { 931 rc = security_context_to_sid_default(context, rc, &sid, 932 sbsec->def_sid); 933 if (rc) { 934 printk(KERN_WARNING "%s: context_to_sid(%s) " 935 "returned %d for dev=%s ino=%ld\n", 936 __FUNCTION__, context, -rc, 937 inode->i_sb->s_id, inode->i_ino); 938 kfree(context); 939 /* Leave with the unlabeled SID */ 940 rc = 0; 941 break; 942 } 943 } 944 kfree(context); 945 isec->sid = sid; 946 break; 947 case SECURITY_FS_USE_TASK: 948 isec->sid = isec->task_sid; 949 break; 950 case SECURITY_FS_USE_TRANS: 951 /* Default to the fs SID. */ 952 isec->sid = sbsec->sid; 953 954 /* Try to obtain a transition SID. */ 955 isec->sclass = inode_mode_to_security_class(inode->i_mode); 956 rc = security_transition_sid(isec->task_sid, 957 sbsec->sid, 958 isec->sclass, 959 &sid); 960 if (rc) 961 goto out; 962 isec->sid = sid; 963 break; 964 case SECURITY_FS_USE_MNTPOINT: 965 isec->sid = sbsec->mntpoint_sid; 966 break; 967 default: 968 /* Default to the fs superblock SID. */ 969 isec->sid = sbsec->sid; 970 971 if (sbsec->proc) { 972 struct proc_inode *proci = PROC_I(inode); 973 if (proci->pde) { 974 isec->sclass = inode_mode_to_security_class(inode->i_mode); 975 rc = selinux_proc_get_sid(proci->pde, 976 isec->sclass, 977 &sid); 978 if (rc) 979 goto out; 980 isec->sid = sid; 981 } 982 } 983 break; 984 } 985 986 isec->initialized = 1; 987 988 out: 989 if (isec->sclass == SECCLASS_FILE) 990 isec->sclass = inode_mode_to_security_class(inode->i_mode); 991 992 if (hold_sem) 993 up(&isec->sem); 994 return rc; 995 } 996 997 /* Convert a Linux signal to an access vector. */ 998 static inline u32 signal_to_av(int sig) 999 { 1000 u32 perm = 0; 1001 1002 switch (sig) { 1003 case SIGCHLD: 1004 /* Commonly granted from child to parent. */ 1005 perm = PROCESS__SIGCHLD; 1006 break; 1007 case SIGKILL: 1008 /* Cannot be caught or ignored */ 1009 perm = PROCESS__SIGKILL; 1010 break; 1011 case SIGSTOP: 1012 /* Cannot be caught or ignored */ 1013 perm = PROCESS__SIGSTOP; 1014 break; 1015 default: 1016 /* All other signals. */ 1017 perm = PROCESS__SIGNAL; 1018 break; 1019 } 1020 1021 return perm; 1022 } 1023 1024 /* Check permission betweeen a pair of tasks, e.g. signal checks, 1025 fork check, ptrace check, etc. */ 1026 static int task_has_perm(struct task_struct *tsk1, 1027 struct task_struct *tsk2, 1028 u32 perms) 1029 { 1030 struct task_security_struct *tsec1, *tsec2; 1031 1032 tsec1 = tsk1->security; 1033 tsec2 = tsk2->security; 1034 return avc_has_perm(tsec1->sid, tsec2->sid, 1035 SECCLASS_PROCESS, perms, NULL); 1036 } 1037 1038 /* Check whether a task is allowed to use a capability. */ 1039 static int task_has_capability(struct task_struct *tsk, 1040 int cap) 1041 { 1042 struct task_security_struct *tsec; 1043 struct avc_audit_data ad; 1044 1045 tsec = tsk->security; 1046 1047 AVC_AUDIT_DATA_INIT(&ad,CAP); 1048 ad.tsk = tsk; 1049 ad.u.cap = cap; 1050 1051 return avc_has_perm(tsec->sid, tsec->sid, 1052 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad); 1053 } 1054 1055 /* Check whether a task is allowed to use a system operation. */ 1056 static int task_has_system(struct task_struct *tsk, 1057 u32 perms) 1058 { 1059 struct task_security_struct *tsec; 1060 1061 tsec = tsk->security; 1062 1063 return avc_has_perm(tsec->sid, SECINITSID_KERNEL, 1064 SECCLASS_SYSTEM, perms, NULL); 1065 } 1066 1067 /* Check whether a task has a particular permission to an inode. 1068 The 'adp' parameter is optional and allows other audit 1069 data to be passed (e.g. the dentry). */ 1070 static int inode_has_perm(struct task_struct *tsk, 1071 struct inode *inode, 1072 u32 perms, 1073 struct avc_audit_data *adp) 1074 { 1075 struct task_security_struct *tsec; 1076 struct inode_security_struct *isec; 1077 struct avc_audit_data ad; 1078 1079 tsec = tsk->security; 1080 isec = inode->i_security; 1081 1082 if (!adp) { 1083 adp = &ad; 1084 AVC_AUDIT_DATA_INIT(&ad, FS); 1085 ad.u.fs.inode = inode; 1086 } 1087 1088 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp); 1089 } 1090 1091 /* Same as inode_has_perm, but pass explicit audit data containing 1092 the dentry to help the auditing code to more easily generate the 1093 pathname if needed. */ 1094 static inline int dentry_has_perm(struct task_struct *tsk, 1095 struct vfsmount *mnt, 1096 struct dentry *dentry, 1097 u32 av) 1098 { 1099 struct inode *inode = dentry->d_inode; 1100 struct avc_audit_data ad; 1101 AVC_AUDIT_DATA_INIT(&ad,FS); 1102 ad.u.fs.mnt = mnt; 1103 ad.u.fs.dentry = dentry; 1104 return inode_has_perm(tsk, inode, av, &ad); 1105 } 1106 1107 /* Check whether a task can use an open file descriptor to 1108 access an inode in a given way. Check access to the 1109 descriptor itself, and then use dentry_has_perm to 1110 check a particular permission to the file. 1111 Access to the descriptor is implicitly granted if it 1112 has the same SID as the process. If av is zero, then 1113 access to the file is not checked, e.g. for cases 1114 where only the descriptor is affected like seek. */ 1115 static int file_has_perm(struct task_struct *tsk, 1116 struct file *file, 1117 u32 av) 1118 { 1119 struct task_security_struct *tsec = tsk->security; 1120 struct file_security_struct *fsec = file->f_security; 1121 struct vfsmount *mnt = file->f_vfsmnt; 1122 struct dentry *dentry = file->f_dentry; 1123 struct inode *inode = dentry->d_inode; 1124 struct avc_audit_data ad; 1125 int rc; 1126 1127 AVC_AUDIT_DATA_INIT(&ad, FS); 1128 ad.u.fs.mnt = mnt; 1129 ad.u.fs.dentry = dentry; 1130 1131 if (tsec->sid != fsec->sid) { 1132 rc = avc_has_perm(tsec->sid, fsec->sid, 1133 SECCLASS_FD, 1134 FD__USE, 1135 &ad); 1136 if (rc) 1137 return rc; 1138 } 1139 1140 /* av is zero if only checking access to the descriptor. */ 1141 if (av) 1142 return inode_has_perm(tsk, inode, av, &ad); 1143 1144 return 0; 1145 } 1146 1147 /* Check whether a task can create a file. */ 1148 static int may_create(struct inode *dir, 1149 struct dentry *dentry, 1150 u16 tclass) 1151 { 1152 struct task_security_struct *tsec; 1153 struct inode_security_struct *dsec; 1154 struct superblock_security_struct *sbsec; 1155 u32 newsid; 1156 struct avc_audit_data ad; 1157 int rc; 1158 1159 tsec = current->security; 1160 dsec = dir->i_security; 1161 sbsec = dir->i_sb->s_security; 1162 1163 AVC_AUDIT_DATA_INIT(&ad, FS); 1164 ad.u.fs.dentry = dentry; 1165 1166 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, 1167 DIR__ADD_NAME | DIR__SEARCH, 1168 &ad); 1169 if (rc) 1170 return rc; 1171 1172 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 1173 newsid = tsec->create_sid; 1174 } else { 1175 rc = security_transition_sid(tsec->sid, dsec->sid, tclass, 1176 &newsid); 1177 if (rc) 1178 return rc; 1179 } 1180 1181 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad); 1182 if (rc) 1183 return rc; 1184 1185 return avc_has_perm(newsid, sbsec->sid, 1186 SECCLASS_FILESYSTEM, 1187 FILESYSTEM__ASSOCIATE, &ad); 1188 } 1189 1190 /* Check whether a task can create a key. */ 1191 static int may_create_key(u32 ksid, 1192 struct task_struct *ctx) 1193 { 1194 struct task_security_struct *tsec; 1195 1196 tsec = ctx->security; 1197 1198 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); 1199 } 1200 1201 #define MAY_LINK 0 1202 #define MAY_UNLINK 1 1203 #define MAY_RMDIR 2 1204 1205 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1206 static int may_link(struct inode *dir, 1207 struct dentry *dentry, 1208 int kind) 1209 1210 { 1211 struct task_security_struct *tsec; 1212 struct inode_security_struct *dsec, *isec; 1213 struct avc_audit_data ad; 1214 u32 av; 1215 int rc; 1216 1217 tsec = current->security; 1218 dsec = dir->i_security; 1219 isec = dentry->d_inode->i_security; 1220 1221 AVC_AUDIT_DATA_INIT(&ad, FS); 1222 ad.u.fs.dentry = dentry; 1223 1224 av = DIR__SEARCH; 1225 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1226 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad); 1227 if (rc) 1228 return rc; 1229 1230 switch (kind) { 1231 case MAY_LINK: 1232 av = FILE__LINK; 1233 break; 1234 case MAY_UNLINK: 1235 av = FILE__UNLINK; 1236 break; 1237 case MAY_RMDIR: 1238 av = DIR__RMDIR; 1239 break; 1240 default: 1241 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind); 1242 return 0; 1243 } 1244 1245 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad); 1246 return rc; 1247 } 1248 1249 static inline int may_rename(struct inode *old_dir, 1250 struct dentry *old_dentry, 1251 struct inode *new_dir, 1252 struct dentry *new_dentry) 1253 { 1254 struct task_security_struct *tsec; 1255 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1256 struct avc_audit_data ad; 1257 u32 av; 1258 int old_is_dir, new_is_dir; 1259 int rc; 1260 1261 tsec = current->security; 1262 old_dsec = old_dir->i_security; 1263 old_isec = old_dentry->d_inode->i_security; 1264 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); 1265 new_dsec = new_dir->i_security; 1266 1267 AVC_AUDIT_DATA_INIT(&ad, FS); 1268 1269 ad.u.fs.dentry = old_dentry; 1270 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR, 1271 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1272 if (rc) 1273 return rc; 1274 rc = avc_has_perm(tsec->sid, old_isec->sid, 1275 old_isec->sclass, FILE__RENAME, &ad); 1276 if (rc) 1277 return rc; 1278 if (old_is_dir && new_dir != old_dir) { 1279 rc = avc_has_perm(tsec->sid, old_isec->sid, 1280 old_isec->sclass, DIR__REPARENT, &ad); 1281 if (rc) 1282 return rc; 1283 } 1284 1285 ad.u.fs.dentry = new_dentry; 1286 av = DIR__ADD_NAME | DIR__SEARCH; 1287 if (new_dentry->d_inode) 1288 av |= DIR__REMOVE_NAME; 1289 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1290 if (rc) 1291 return rc; 1292 if (new_dentry->d_inode) { 1293 new_isec = new_dentry->d_inode->i_security; 1294 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode); 1295 rc = avc_has_perm(tsec->sid, new_isec->sid, 1296 new_isec->sclass, 1297 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1298 if (rc) 1299 return rc; 1300 } 1301 1302 return 0; 1303 } 1304 1305 /* Check whether a task can perform a filesystem operation. */ 1306 static int superblock_has_perm(struct task_struct *tsk, 1307 struct super_block *sb, 1308 u32 perms, 1309 struct avc_audit_data *ad) 1310 { 1311 struct task_security_struct *tsec; 1312 struct superblock_security_struct *sbsec; 1313 1314 tsec = tsk->security; 1315 sbsec = sb->s_security; 1316 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 1317 perms, ad); 1318 } 1319 1320 /* Convert a Linux mode and permission mask to an access vector. */ 1321 static inline u32 file_mask_to_av(int mode, int mask) 1322 { 1323 u32 av = 0; 1324 1325 if ((mode & S_IFMT) != S_IFDIR) { 1326 if (mask & MAY_EXEC) 1327 av |= FILE__EXECUTE; 1328 if (mask & MAY_READ) 1329 av |= FILE__READ; 1330 1331 if (mask & MAY_APPEND) 1332 av |= FILE__APPEND; 1333 else if (mask & MAY_WRITE) 1334 av |= FILE__WRITE; 1335 1336 } else { 1337 if (mask & MAY_EXEC) 1338 av |= DIR__SEARCH; 1339 if (mask & MAY_WRITE) 1340 av |= DIR__WRITE; 1341 if (mask & MAY_READ) 1342 av |= DIR__READ; 1343 } 1344 1345 return av; 1346 } 1347 1348 /* Convert a Linux file to an access vector. */ 1349 static inline u32 file_to_av(struct file *file) 1350 { 1351 u32 av = 0; 1352 1353 if (file->f_mode & FMODE_READ) 1354 av |= FILE__READ; 1355 if (file->f_mode & FMODE_WRITE) { 1356 if (file->f_flags & O_APPEND) 1357 av |= FILE__APPEND; 1358 else 1359 av |= FILE__WRITE; 1360 } 1361 1362 return av; 1363 } 1364 1365 /* Set an inode's SID to a specified value. */ 1366 static int inode_security_set_sid(struct inode *inode, u32 sid) 1367 { 1368 struct inode_security_struct *isec = inode->i_security; 1369 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 1370 1371 if (!sbsec->initialized) { 1372 /* Defer initialization to selinux_complete_init. */ 1373 return 0; 1374 } 1375 1376 down(&isec->sem); 1377 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1378 isec->sid = sid; 1379 isec->initialized = 1; 1380 up(&isec->sem); 1381 return 0; 1382 } 1383 1384 /* Hook functions begin here. */ 1385 1386 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) 1387 { 1388 struct task_security_struct *psec = parent->security; 1389 struct task_security_struct *csec = child->security; 1390 int rc; 1391 1392 rc = secondary_ops->ptrace(parent,child); 1393 if (rc) 1394 return rc; 1395 1396 rc = task_has_perm(parent, child, PROCESS__PTRACE); 1397 /* Save the SID of the tracing process for later use in apply_creds. */ 1398 if (!(child->ptrace & PT_PTRACED) && !rc) 1399 csec->ptrace_sid = psec->sid; 1400 return rc; 1401 } 1402 1403 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 1404 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1405 { 1406 int error; 1407 1408 error = task_has_perm(current, target, PROCESS__GETCAP); 1409 if (error) 1410 return error; 1411 1412 return secondary_ops->capget(target, effective, inheritable, permitted); 1413 } 1414 1415 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, 1416 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1417 { 1418 int error; 1419 1420 error = secondary_ops->capset_check(target, effective, inheritable, permitted); 1421 if (error) 1422 return error; 1423 1424 return task_has_perm(current, target, PROCESS__SETCAP); 1425 } 1426 1427 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, 1428 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1429 { 1430 secondary_ops->capset_set(target, effective, inheritable, permitted); 1431 } 1432 1433 static int selinux_capable(struct task_struct *tsk, int cap) 1434 { 1435 int rc; 1436 1437 rc = secondary_ops->capable(tsk, cap); 1438 if (rc) 1439 return rc; 1440 1441 return task_has_capability(tsk,cap); 1442 } 1443 1444 static int selinux_sysctl(ctl_table *table, int op) 1445 { 1446 int error = 0; 1447 u32 av; 1448 struct task_security_struct *tsec; 1449 u32 tsid; 1450 int rc; 1451 1452 rc = secondary_ops->sysctl(table, op); 1453 if (rc) 1454 return rc; 1455 1456 tsec = current->security; 1457 1458 rc = selinux_proc_get_sid(table->de, (op == 001) ? 1459 SECCLASS_DIR : SECCLASS_FILE, &tsid); 1460 if (rc) { 1461 /* Default to the well-defined sysctl SID. */ 1462 tsid = SECINITSID_SYSCTL; 1463 } 1464 1465 /* The op values are "defined" in sysctl.c, thereby creating 1466 * a bad coupling between this module and sysctl.c */ 1467 if(op == 001) { 1468 error = avc_has_perm(tsec->sid, tsid, 1469 SECCLASS_DIR, DIR__SEARCH, NULL); 1470 } else { 1471 av = 0; 1472 if (op & 004) 1473 av |= FILE__READ; 1474 if (op & 002) 1475 av |= FILE__WRITE; 1476 if (av) 1477 error = avc_has_perm(tsec->sid, tsid, 1478 SECCLASS_FILE, av, NULL); 1479 } 1480 1481 return error; 1482 } 1483 1484 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 1485 { 1486 int rc = 0; 1487 1488 if (!sb) 1489 return 0; 1490 1491 switch (cmds) { 1492 case Q_SYNC: 1493 case Q_QUOTAON: 1494 case Q_QUOTAOFF: 1495 case Q_SETINFO: 1496 case Q_SETQUOTA: 1497 rc = superblock_has_perm(current, 1498 sb, 1499 FILESYSTEM__QUOTAMOD, NULL); 1500 break; 1501 case Q_GETFMT: 1502 case Q_GETINFO: 1503 case Q_GETQUOTA: 1504 rc = superblock_has_perm(current, 1505 sb, 1506 FILESYSTEM__QUOTAGET, NULL); 1507 break; 1508 default: 1509 rc = 0; /* let the kernel handle invalid cmds */ 1510 break; 1511 } 1512 return rc; 1513 } 1514 1515 static int selinux_quota_on(struct dentry *dentry) 1516 { 1517 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON); 1518 } 1519 1520 static int selinux_syslog(int type) 1521 { 1522 int rc; 1523 1524 rc = secondary_ops->syslog(type); 1525 if (rc) 1526 return rc; 1527 1528 switch (type) { 1529 case 3: /* Read last kernel messages */ 1530 case 10: /* Return size of the log buffer */ 1531 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 1532 break; 1533 case 6: /* Disable logging to console */ 1534 case 7: /* Enable logging to console */ 1535 case 8: /* Set level of messages printed to console */ 1536 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); 1537 break; 1538 case 0: /* Close log */ 1539 case 1: /* Open log */ 1540 case 2: /* Read from log */ 1541 case 4: /* Read/clear last kernel messages */ 1542 case 5: /* Clear ring buffer */ 1543 default: 1544 rc = task_has_system(current, SYSTEM__SYSLOG_MOD); 1545 break; 1546 } 1547 return rc; 1548 } 1549 1550 /* 1551 * Check that a process has enough memory to allocate a new virtual 1552 * mapping. 0 means there is enough memory for the allocation to 1553 * succeed and -ENOMEM implies there is not. 1554 * 1555 * Note that secondary_ops->capable and task_has_perm_noaudit return 0 1556 * if the capability is granted, but __vm_enough_memory requires 1 if 1557 * the capability is granted. 1558 * 1559 * Do not audit the selinux permission check, as this is applied to all 1560 * processes that allocate mappings. 1561 */ 1562 static int selinux_vm_enough_memory(long pages) 1563 { 1564 int rc, cap_sys_admin = 0; 1565 struct task_security_struct *tsec = current->security; 1566 1567 rc = secondary_ops->capable(current, CAP_SYS_ADMIN); 1568 if (rc == 0) 1569 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid, 1570 SECCLASS_CAPABILITY, 1571 CAP_TO_MASK(CAP_SYS_ADMIN), 1572 NULL); 1573 1574 if (rc == 0) 1575 cap_sys_admin = 1; 1576 1577 return __vm_enough_memory(pages, cap_sys_admin); 1578 } 1579 1580 /* binprm security operations */ 1581 1582 static int selinux_bprm_alloc_security(struct linux_binprm *bprm) 1583 { 1584 struct bprm_security_struct *bsec; 1585 1586 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL); 1587 if (!bsec) 1588 return -ENOMEM; 1589 1590 bsec->bprm = bprm; 1591 bsec->sid = SECINITSID_UNLABELED; 1592 bsec->set = 0; 1593 1594 bprm->security = bsec; 1595 return 0; 1596 } 1597 1598 static int selinux_bprm_set_security(struct linux_binprm *bprm) 1599 { 1600 struct task_security_struct *tsec; 1601 struct inode *inode = bprm->file->f_dentry->d_inode; 1602 struct inode_security_struct *isec; 1603 struct bprm_security_struct *bsec; 1604 u32 newsid; 1605 struct avc_audit_data ad; 1606 int rc; 1607 1608 rc = secondary_ops->bprm_set_security(bprm); 1609 if (rc) 1610 return rc; 1611 1612 bsec = bprm->security; 1613 1614 if (bsec->set) 1615 return 0; 1616 1617 tsec = current->security; 1618 isec = inode->i_security; 1619 1620 /* Default to the current task SID. */ 1621 bsec->sid = tsec->sid; 1622 1623 /* Reset fs, key, and sock SIDs on execve. */ 1624 tsec->create_sid = 0; 1625 tsec->keycreate_sid = 0; 1626 tsec->sockcreate_sid = 0; 1627 1628 if (tsec->exec_sid) { 1629 newsid = tsec->exec_sid; 1630 /* Reset exec SID on execve. */ 1631 tsec->exec_sid = 0; 1632 } else { 1633 /* Check for a default transition on this program. */ 1634 rc = security_transition_sid(tsec->sid, isec->sid, 1635 SECCLASS_PROCESS, &newsid); 1636 if (rc) 1637 return rc; 1638 } 1639 1640 AVC_AUDIT_DATA_INIT(&ad, FS); 1641 ad.u.fs.mnt = bprm->file->f_vfsmnt; 1642 ad.u.fs.dentry = bprm->file->f_dentry; 1643 1644 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) 1645 newsid = tsec->sid; 1646 1647 if (tsec->sid == newsid) { 1648 rc = avc_has_perm(tsec->sid, isec->sid, 1649 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 1650 if (rc) 1651 return rc; 1652 } else { 1653 /* Check permissions for the transition. */ 1654 rc = avc_has_perm(tsec->sid, newsid, 1655 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 1656 if (rc) 1657 return rc; 1658 1659 rc = avc_has_perm(newsid, isec->sid, 1660 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 1661 if (rc) 1662 return rc; 1663 1664 /* Clear any possibly unsafe personality bits on exec: */ 1665 current->personality &= ~PER_CLEAR_ON_SETID; 1666 1667 /* Set the security field to the new SID. */ 1668 bsec->sid = newsid; 1669 } 1670 1671 bsec->set = 1; 1672 return 0; 1673 } 1674 1675 static int selinux_bprm_check_security (struct linux_binprm *bprm) 1676 { 1677 return secondary_ops->bprm_check_security(bprm); 1678 } 1679 1680 1681 static int selinux_bprm_secureexec (struct linux_binprm *bprm) 1682 { 1683 struct task_security_struct *tsec = current->security; 1684 int atsecure = 0; 1685 1686 if (tsec->osid != tsec->sid) { 1687 /* Enable secure mode for SIDs transitions unless 1688 the noatsecure permission is granted between 1689 the two SIDs, i.e. ahp returns 0. */ 1690 atsecure = avc_has_perm(tsec->osid, tsec->sid, 1691 SECCLASS_PROCESS, 1692 PROCESS__NOATSECURE, NULL); 1693 } 1694 1695 return (atsecure || secondary_ops->bprm_secureexec(bprm)); 1696 } 1697 1698 static void selinux_bprm_free_security(struct linux_binprm *bprm) 1699 { 1700 kfree(bprm->security); 1701 bprm->security = NULL; 1702 } 1703 1704 extern struct vfsmount *selinuxfs_mount; 1705 extern struct dentry *selinux_null; 1706 1707 /* Derived from fs/exec.c:flush_old_files. */ 1708 static inline void flush_unauthorized_files(struct files_struct * files) 1709 { 1710 struct avc_audit_data ad; 1711 struct file *file, *devnull = NULL; 1712 struct tty_struct *tty = current->signal->tty; 1713 struct fdtable *fdt; 1714 long j = -1; 1715 1716 if (tty) { 1717 file_list_lock(); 1718 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list); 1719 if (file) { 1720 /* Revalidate access to controlling tty. 1721 Use inode_has_perm on the tty inode directly rather 1722 than using file_has_perm, as this particular open 1723 file may belong to another process and we are only 1724 interested in the inode-based check here. */ 1725 struct inode *inode = file->f_dentry->d_inode; 1726 if (inode_has_perm(current, inode, 1727 FILE__READ | FILE__WRITE, NULL)) { 1728 /* Reset controlling tty. */ 1729 current->signal->tty = NULL; 1730 current->signal->tty_old_pgrp = 0; 1731 } 1732 } 1733 file_list_unlock(); 1734 } 1735 1736 /* Revalidate access to inherited open files. */ 1737 1738 AVC_AUDIT_DATA_INIT(&ad,FS); 1739 1740 spin_lock(&files->file_lock); 1741 for (;;) { 1742 unsigned long set, i; 1743 int fd; 1744 1745 j++; 1746 i = j * __NFDBITS; 1747 fdt = files_fdtable(files); 1748 if (i >= fdt->max_fds || i >= fdt->max_fdset) 1749 break; 1750 set = fdt->open_fds->fds_bits[j]; 1751 if (!set) 1752 continue; 1753 spin_unlock(&files->file_lock); 1754 for ( ; set ; i++,set >>= 1) { 1755 if (set & 1) { 1756 file = fget(i); 1757 if (!file) 1758 continue; 1759 if (file_has_perm(current, 1760 file, 1761 file_to_av(file))) { 1762 sys_close(i); 1763 fd = get_unused_fd(); 1764 if (fd != i) { 1765 if (fd >= 0) 1766 put_unused_fd(fd); 1767 fput(file); 1768 continue; 1769 } 1770 if (devnull) { 1771 get_file(devnull); 1772 } else { 1773 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR); 1774 if (!devnull) { 1775 put_unused_fd(fd); 1776 fput(file); 1777 continue; 1778 } 1779 } 1780 fd_install(fd, devnull); 1781 } 1782 fput(file); 1783 } 1784 } 1785 spin_lock(&files->file_lock); 1786 1787 } 1788 spin_unlock(&files->file_lock); 1789 } 1790 1791 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) 1792 { 1793 struct task_security_struct *tsec; 1794 struct bprm_security_struct *bsec; 1795 u32 sid; 1796 int rc; 1797 1798 secondary_ops->bprm_apply_creds(bprm, unsafe); 1799 1800 tsec = current->security; 1801 1802 bsec = bprm->security; 1803 sid = bsec->sid; 1804 1805 tsec->osid = tsec->sid; 1806 bsec->unsafe = 0; 1807 if (tsec->sid != sid) { 1808 /* Check for shared state. If not ok, leave SID 1809 unchanged and kill. */ 1810 if (unsafe & LSM_UNSAFE_SHARE) { 1811 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 1812 PROCESS__SHARE, NULL); 1813 if (rc) { 1814 bsec->unsafe = 1; 1815 return; 1816 } 1817 } 1818 1819 /* Check for ptracing, and update the task SID if ok. 1820 Otherwise, leave SID unchanged and kill. */ 1821 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 1822 rc = avc_has_perm(tsec->ptrace_sid, sid, 1823 SECCLASS_PROCESS, PROCESS__PTRACE, 1824 NULL); 1825 if (rc) { 1826 bsec->unsafe = 1; 1827 return; 1828 } 1829 } 1830 tsec->sid = sid; 1831 } 1832 } 1833 1834 /* 1835 * called after apply_creds without the task lock held 1836 */ 1837 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) 1838 { 1839 struct task_security_struct *tsec; 1840 struct rlimit *rlim, *initrlim; 1841 struct itimerval itimer; 1842 struct bprm_security_struct *bsec; 1843 int rc, i; 1844 1845 tsec = current->security; 1846 bsec = bprm->security; 1847 1848 if (bsec->unsafe) { 1849 force_sig_specific(SIGKILL, current); 1850 return; 1851 } 1852 if (tsec->osid == tsec->sid) 1853 return; 1854 1855 /* Close files for which the new task SID is not authorized. */ 1856 flush_unauthorized_files(current->files); 1857 1858 /* Check whether the new SID can inherit signal state 1859 from the old SID. If not, clear itimers to avoid 1860 subsequent signal generation and flush and unblock 1861 signals. This must occur _after_ the task SID has 1862 been updated so that any kill done after the flush 1863 will be checked against the new SID. */ 1864 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, 1865 PROCESS__SIGINH, NULL); 1866 if (rc) { 1867 memset(&itimer, 0, sizeof itimer); 1868 for (i = 0; i < 3; i++) 1869 do_setitimer(i, &itimer, NULL); 1870 flush_signals(current); 1871 spin_lock_irq(¤t->sighand->siglock); 1872 flush_signal_handlers(current, 1); 1873 sigemptyset(¤t->blocked); 1874 recalc_sigpending(); 1875 spin_unlock_irq(¤t->sighand->siglock); 1876 } 1877 1878 /* Check whether the new SID can inherit resource limits 1879 from the old SID. If not, reset all soft limits to 1880 the lower of the current task's hard limit and the init 1881 task's soft limit. Note that the setting of hard limits 1882 (even to lower them) can be controlled by the setrlimit 1883 check. The inclusion of the init task's soft limit into 1884 the computation is to avoid resetting soft limits higher 1885 than the default soft limit for cases where the default 1886 is lower than the hard limit, e.g. RLIMIT_CORE or 1887 RLIMIT_STACK.*/ 1888 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, 1889 PROCESS__RLIMITINH, NULL); 1890 if (rc) { 1891 for (i = 0; i < RLIM_NLIMITS; i++) { 1892 rlim = current->signal->rlim + i; 1893 initrlim = init_task.signal->rlim+i; 1894 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur); 1895 } 1896 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) { 1897 /* 1898 * This will cause RLIMIT_CPU calculations 1899 * to be refigured. 1900 */ 1901 current->it_prof_expires = jiffies_to_cputime(1); 1902 } 1903 } 1904 1905 /* Wake up the parent if it is waiting so that it can 1906 recheck wait permission to the new task SID. */ 1907 wake_up_interruptible(¤t->parent->signal->wait_chldexit); 1908 } 1909 1910 /* superblock security operations */ 1911 1912 static int selinux_sb_alloc_security(struct super_block *sb) 1913 { 1914 return superblock_alloc_security(sb); 1915 } 1916 1917 static void selinux_sb_free_security(struct super_block *sb) 1918 { 1919 superblock_free_security(sb); 1920 } 1921 1922 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 1923 { 1924 if (plen > olen) 1925 return 0; 1926 1927 return !memcmp(prefix, option, plen); 1928 } 1929 1930 static inline int selinux_option(char *option, int len) 1931 { 1932 return (match_prefix("context=", sizeof("context=")-1, option, len) || 1933 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) || 1934 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) || 1935 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len)); 1936 } 1937 1938 static inline void take_option(char **to, char *from, int *first, int len) 1939 { 1940 if (!*first) { 1941 **to = ','; 1942 *to += 1; 1943 } 1944 else 1945 *first = 0; 1946 memcpy(*to, from, len); 1947 *to += len; 1948 } 1949 1950 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy) 1951 { 1952 int fnosec, fsec, rc = 0; 1953 char *in_save, *in_curr, *in_end; 1954 char *sec_curr, *nosec_save, *nosec; 1955 1956 in_curr = orig; 1957 sec_curr = copy; 1958 1959 /* Binary mount data: just copy */ 1960 if (type->fs_flags & FS_BINARY_MOUNTDATA) { 1961 copy_page(sec_curr, in_curr); 1962 goto out; 1963 } 1964 1965 nosec = (char *)get_zeroed_page(GFP_KERNEL); 1966 if (!nosec) { 1967 rc = -ENOMEM; 1968 goto out; 1969 } 1970 1971 nosec_save = nosec; 1972 fnosec = fsec = 1; 1973 in_save = in_end = orig; 1974 1975 do { 1976 if (*in_end == ',' || *in_end == '\0') { 1977 int len = in_end - in_curr; 1978 1979 if (selinux_option(in_curr, len)) 1980 take_option(&sec_curr, in_curr, &fsec, len); 1981 else 1982 take_option(&nosec, in_curr, &fnosec, len); 1983 1984 in_curr = in_end + 1; 1985 } 1986 } while (*in_end++); 1987 1988 strcpy(in_save, nosec_save); 1989 free_page((unsigned long)nosec_save); 1990 out: 1991 return rc; 1992 } 1993 1994 static int selinux_sb_kern_mount(struct super_block *sb, void *data) 1995 { 1996 struct avc_audit_data ad; 1997 int rc; 1998 1999 rc = superblock_doinit(sb, data); 2000 if (rc) 2001 return rc; 2002 2003 AVC_AUDIT_DATA_INIT(&ad,FS); 2004 ad.u.fs.dentry = sb->s_root; 2005 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); 2006 } 2007 2008 static int selinux_sb_statfs(struct dentry *dentry) 2009 { 2010 struct avc_audit_data ad; 2011 2012 AVC_AUDIT_DATA_INIT(&ad,FS); 2013 ad.u.fs.dentry = dentry->d_sb->s_root; 2014 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2015 } 2016 2017 static int selinux_mount(char * dev_name, 2018 struct nameidata *nd, 2019 char * type, 2020 unsigned long flags, 2021 void * data) 2022 { 2023 int rc; 2024 2025 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data); 2026 if (rc) 2027 return rc; 2028 2029 if (flags & MS_REMOUNT) 2030 return superblock_has_perm(current, nd->mnt->mnt_sb, 2031 FILESYSTEM__REMOUNT, NULL); 2032 else 2033 return dentry_has_perm(current, nd->mnt, nd->dentry, 2034 FILE__MOUNTON); 2035 } 2036 2037 static int selinux_umount(struct vfsmount *mnt, int flags) 2038 { 2039 int rc; 2040 2041 rc = secondary_ops->sb_umount(mnt, flags); 2042 if (rc) 2043 return rc; 2044 2045 return superblock_has_perm(current,mnt->mnt_sb, 2046 FILESYSTEM__UNMOUNT,NULL); 2047 } 2048 2049 /* inode security operations */ 2050 2051 static int selinux_inode_alloc_security(struct inode *inode) 2052 { 2053 return inode_alloc_security(inode); 2054 } 2055 2056 static void selinux_inode_free_security(struct inode *inode) 2057 { 2058 inode_free_security(inode); 2059 } 2060 2061 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2062 char **name, void **value, 2063 size_t *len) 2064 { 2065 struct task_security_struct *tsec; 2066 struct inode_security_struct *dsec; 2067 struct superblock_security_struct *sbsec; 2068 u32 newsid, clen; 2069 int rc; 2070 char *namep = NULL, *context; 2071 2072 tsec = current->security; 2073 dsec = dir->i_security; 2074 sbsec = dir->i_sb->s_security; 2075 2076 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 2077 newsid = tsec->create_sid; 2078 } else { 2079 rc = security_transition_sid(tsec->sid, dsec->sid, 2080 inode_mode_to_security_class(inode->i_mode), 2081 &newsid); 2082 if (rc) { 2083 printk(KERN_WARNING "%s: " 2084 "security_transition_sid failed, rc=%d (dev=%s " 2085 "ino=%ld)\n", 2086 __FUNCTION__, 2087 -rc, inode->i_sb->s_id, inode->i_ino); 2088 return rc; 2089 } 2090 } 2091 2092 inode_security_set_sid(inode, newsid); 2093 2094 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 2095 return -EOPNOTSUPP; 2096 2097 if (name) { 2098 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL); 2099 if (!namep) 2100 return -ENOMEM; 2101 *name = namep; 2102 } 2103 2104 if (value && len) { 2105 rc = security_sid_to_context(newsid, &context, &clen); 2106 if (rc) { 2107 kfree(namep); 2108 return rc; 2109 } 2110 *value = context; 2111 *len = clen; 2112 } 2113 2114 return 0; 2115 } 2116 2117 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask) 2118 { 2119 return may_create(dir, dentry, SECCLASS_FILE); 2120 } 2121 2122 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2123 { 2124 int rc; 2125 2126 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry); 2127 if (rc) 2128 return rc; 2129 return may_link(dir, old_dentry, MAY_LINK); 2130 } 2131 2132 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2133 { 2134 int rc; 2135 2136 rc = secondary_ops->inode_unlink(dir, dentry); 2137 if (rc) 2138 return rc; 2139 return may_link(dir, dentry, MAY_UNLINK); 2140 } 2141 2142 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2143 { 2144 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2145 } 2146 2147 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask) 2148 { 2149 return may_create(dir, dentry, SECCLASS_DIR); 2150 } 2151 2152 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2153 { 2154 return may_link(dir, dentry, MAY_RMDIR); 2155 } 2156 2157 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) 2158 { 2159 int rc; 2160 2161 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev); 2162 if (rc) 2163 return rc; 2164 2165 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2166 } 2167 2168 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2169 struct inode *new_inode, struct dentry *new_dentry) 2170 { 2171 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2172 } 2173 2174 static int selinux_inode_readlink(struct dentry *dentry) 2175 { 2176 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2177 } 2178 2179 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) 2180 { 2181 int rc; 2182 2183 rc = secondary_ops->inode_follow_link(dentry,nameidata); 2184 if (rc) 2185 return rc; 2186 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2187 } 2188 2189 static int selinux_inode_permission(struct inode *inode, int mask, 2190 struct nameidata *nd) 2191 { 2192 int rc; 2193 2194 rc = secondary_ops->inode_permission(inode, mask, nd); 2195 if (rc) 2196 return rc; 2197 2198 if (!mask) { 2199 /* No permission to check. Existence test. */ 2200 return 0; 2201 } 2202 2203 return inode_has_perm(current, inode, 2204 file_mask_to_av(inode->i_mode, mask), NULL); 2205 } 2206 2207 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2208 { 2209 int rc; 2210 2211 rc = secondary_ops->inode_setattr(dentry, iattr); 2212 if (rc) 2213 return rc; 2214 2215 if (iattr->ia_valid & ATTR_FORCE) 2216 return 0; 2217 2218 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 2219 ATTR_ATIME_SET | ATTR_MTIME_SET)) 2220 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2221 2222 return dentry_has_perm(current, NULL, dentry, FILE__WRITE); 2223 } 2224 2225 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 2226 { 2227 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR); 2228 } 2229 2230 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags) 2231 { 2232 struct task_security_struct *tsec = current->security; 2233 struct inode *inode = dentry->d_inode; 2234 struct inode_security_struct *isec = inode->i_security; 2235 struct superblock_security_struct *sbsec; 2236 struct avc_audit_data ad; 2237 u32 newsid; 2238 int rc = 0; 2239 2240 if (strcmp(name, XATTR_NAME_SELINUX)) { 2241 if (!strncmp(name, XATTR_SECURITY_PREFIX, 2242 sizeof XATTR_SECURITY_PREFIX - 1) && 2243 !capable(CAP_SYS_ADMIN)) { 2244 /* A different attribute in the security namespace. 2245 Restrict to administrator. */ 2246 return -EPERM; 2247 } 2248 2249 /* Not an attribute we recognize, so just check the 2250 ordinary setattr permission. */ 2251 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2252 } 2253 2254 sbsec = inode->i_sb->s_security; 2255 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 2256 return -EOPNOTSUPP; 2257 2258 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER)) 2259 return -EPERM; 2260 2261 AVC_AUDIT_DATA_INIT(&ad,FS); 2262 ad.u.fs.dentry = dentry; 2263 2264 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, 2265 FILE__RELABELFROM, &ad); 2266 if (rc) 2267 return rc; 2268 2269 rc = security_context_to_sid(value, size, &newsid); 2270 if (rc) 2271 return rc; 2272 2273 rc = avc_has_perm(tsec->sid, newsid, isec->sclass, 2274 FILE__RELABELTO, &ad); 2275 if (rc) 2276 return rc; 2277 2278 rc = security_validate_transition(isec->sid, newsid, tsec->sid, 2279 isec->sclass); 2280 if (rc) 2281 return rc; 2282 2283 return avc_has_perm(newsid, 2284 sbsec->sid, 2285 SECCLASS_FILESYSTEM, 2286 FILESYSTEM__ASSOCIATE, 2287 &ad); 2288 } 2289 2290 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, 2291 void *value, size_t size, int flags) 2292 { 2293 struct inode *inode = dentry->d_inode; 2294 struct inode_security_struct *isec = inode->i_security; 2295 u32 newsid; 2296 int rc; 2297 2298 if (strcmp(name, XATTR_NAME_SELINUX)) { 2299 /* Not an attribute we recognize, so nothing to do. */ 2300 return; 2301 } 2302 2303 rc = security_context_to_sid(value, size, &newsid); 2304 if (rc) { 2305 printk(KERN_WARNING "%s: unable to obtain SID for context " 2306 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc); 2307 return; 2308 } 2309 2310 isec->sid = newsid; 2311 return; 2312 } 2313 2314 static int selinux_inode_getxattr (struct dentry *dentry, char *name) 2315 { 2316 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2317 } 2318 2319 static int selinux_inode_listxattr (struct dentry *dentry) 2320 { 2321 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2322 } 2323 2324 static int selinux_inode_removexattr (struct dentry *dentry, char *name) 2325 { 2326 if (strcmp(name, XATTR_NAME_SELINUX)) { 2327 if (!strncmp(name, XATTR_SECURITY_PREFIX, 2328 sizeof XATTR_SECURITY_PREFIX - 1) && 2329 !capable(CAP_SYS_ADMIN)) { 2330 /* A different attribute in the security namespace. 2331 Restrict to administrator. */ 2332 return -EPERM; 2333 } 2334 2335 /* Not an attribute we recognize, so just check the 2336 ordinary setattr permission. Might want a separate 2337 permission for removexattr. */ 2338 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2339 } 2340 2341 /* No one is allowed to remove a SELinux security label. 2342 You can change the label, but all data must be labeled. */ 2343 return -EACCES; 2344 } 2345 2346 static const char *selinux_inode_xattr_getsuffix(void) 2347 { 2348 return XATTR_SELINUX_SUFFIX; 2349 } 2350 2351 /* 2352 * Copy the in-core inode security context value to the user. If the 2353 * getxattr() prior to this succeeded, check to see if we need to 2354 * canonicalize the value to be finally returned to the user. 2355 * 2356 * Permission check is handled by selinux_inode_getxattr hook. 2357 */ 2358 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err) 2359 { 2360 struct inode_security_struct *isec = inode->i_security; 2361 2362 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2363 return -EOPNOTSUPP; 2364 2365 return selinux_getsecurity(isec->sid, buffer, size); 2366 } 2367 2368 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 2369 const void *value, size_t size, int flags) 2370 { 2371 struct inode_security_struct *isec = inode->i_security; 2372 u32 newsid; 2373 int rc; 2374 2375 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2376 return -EOPNOTSUPP; 2377 2378 if (!value || !size) 2379 return -EACCES; 2380 2381 rc = security_context_to_sid((void*)value, size, &newsid); 2382 if (rc) 2383 return rc; 2384 2385 isec->sid = newsid; 2386 return 0; 2387 } 2388 2389 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 2390 { 2391 const int len = sizeof(XATTR_NAME_SELINUX); 2392 if (buffer && len <= buffer_size) 2393 memcpy(buffer, XATTR_NAME_SELINUX, len); 2394 return len; 2395 } 2396 2397 /* file security operations */ 2398 2399 static int selinux_file_permission(struct file *file, int mask) 2400 { 2401 int rc; 2402 struct inode *inode = file->f_dentry->d_inode; 2403 2404 if (!mask) { 2405 /* No permission to check. Existence test. */ 2406 return 0; 2407 } 2408 2409 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 2410 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 2411 mask |= MAY_APPEND; 2412 2413 rc = file_has_perm(current, file, 2414 file_mask_to_av(inode->i_mode, mask)); 2415 if (rc) 2416 return rc; 2417 2418 return selinux_netlbl_inode_permission(inode, mask); 2419 } 2420 2421 static int selinux_file_alloc_security(struct file *file) 2422 { 2423 return file_alloc_security(file); 2424 } 2425 2426 static void selinux_file_free_security(struct file *file) 2427 { 2428 file_free_security(file); 2429 } 2430 2431 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 2432 unsigned long arg) 2433 { 2434 int error = 0; 2435 2436 switch (cmd) { 2437 case FIONREAD: 2438 /* fall through */ 2439 case FIBMAP: 2440 /* fall through */ 2441 case FIGETBSZ: 2442 /* fall through */ 2443 case EXT2_IOC_GETFLAGS: 2444 /* fall through */ 2445 case EXT2_IOC_GETVERSION: 2446 error = file_has_perm(current, file, FILE__GETATTR); 2447 break; 2448 2449 case EXT2_IOC_SETFLAGS: 2450 /* fall through */ 2451 case EXT2_IOC_SETVERSION: 2452 error = file_has_perm(current, file, FILE__SETATTR); 2453 break; 2454 2455 /* sys_ioctl() checks */ 2456 case FIONBIO: 2457 /* fall through */ 2458 case FIOASYNC: 2459 error = file_has_perm(current, file, 0); 2460 break; 2461 2462 case KDSKBENT: 2463 case KDSKBSENT: 2464 error = task_has_capability(current,CAP_SYS_TTY_CONFIG); 2465 break; 2466 2467 /* default case assumes that the command will go 2468 * to the file's ioctl() function. 2469 */ 2470 default: 2471 error = file_has_perm(current, file, FILE__IOCTL); 2472 2473 } 2474 return error; 2475 } 2476 2477 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 2478 { 2479 #ifndef CONFIG_PPC32 2480 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { 2481 /* 2482 * We are making executable an anonymous mapping or a 2483 * private file mapping that will also be writable. 2484 * This has an additional check. 2485 */ 2486 int rc = task_has_perm(current, current, PROCESS__EXECMEM); 2487 if (rc) 2488 return rc; 2489 } 2490 #endif 2491 2492 if (file) { 2493 /* read access is always possible with a mapping */ 2494 u32 av = FILE__READ; 2495 2496 /* write access only matters if the mapping is shared */ 2497 if (shared && (prot & PROT_WRITE)) 2498 av |= FILE__WRITE; 2499 2500 if (prot & PROT_EXEC) 2501 av |= FILE__EXECUTE; 2502 2503 return file_has_perm(current, file, av); 2504 } 2505 return 0; 2506 } 2507 2508 static int selinux_file_mmap(struct file *file, unsigned long reqprot, 2509 unsigned long prot, unsigned long flags) 2510 { 2511 int rc; 2512 2513 rc = secondary_ops->file_mmap(file, reqprot, prot, flags); 2514 if (rc) 2515 return rc; 2516 2517 if (selinux_checkreqprot) 2518 prot = reqprot; 2519 2520 return file_map_prot_check(file, prot, 2521 (flags & MAP_TYPE) == MAP_SHARED); 2522 } 2523 2524 static int selinux_file_mprotect(struct vm_area_struct *vma, 2525 unsigned long reqprot, 2526 unsigned long prot) 2527 { 2528 int rc; 2529 2530 rc = secondary_ops->file_mprotect(vma, reqprot, prot); 2531 if (rc) 2532 return rc; 2533 2534 if (selinux_checkreqprot) 2535 prot = reqprot; 2536 2537 #ifndef CONFIG_PPC32 2538 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 2539 rc = 0; 2540 if (vma->vm_start >= vma->vm_mm->start_brk && 2541 vma->vm_end <= vma->vm_mm->brk) { 2542 rc = task_has_perm(current, current, 2543 PROCESS__EXECHEAP); 2544 } else if (!vma->vm_file && 2545 vma->vm_start <= vma->vm_mm->start_stack && 2546 vma->vm_end >= vma->vm_mm->start_stack) { 2547 rc = task_has_perm(current, current, PROCESS__EXECSTACK); 2548 } else if (vma->vm_file && vma->anon_vma) { 2549 /* 2550 * We are making executable a file mapping that has 2551 * had some COW done. Since pages might have been 2552 * written, check ability to execute the possibly 2553 * modified content. This typically should only 2554 * occur for text relocations. 2555 */ 2556 rc = file_has_perm(current, vma->vm_file, 2557 FILE__EXECMOD); 2558 } 2559 if (rc) 2560 return rc; 2561 } 2562 #endif 2563 2564 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 2565 } 2566 2567 static int selinux_file_lock(struct file *file, unsigned int cmd) 2568 { 2569 return file_has_perm(current, file, FILE__LOCK); 2570 } 2571 2572 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 2573 unsigned long arg) 2574 { 2575 int err = 0; 2576 2577 switch (cmd) { 2578 case F_SETFL: 2579 if (!file->f_dentry || !file->f_dentry->d_inode) { 2580 err = -EINVAL; 2581 break; 2582 } 2583 2584 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 2585 err = file_has_perm(current, file,FILE__WRITE); 2586 break; 2587 } 2588 /* fall through */ 2589 case F_SETOWN: 2590 case F_SETSIG: 2591 case F_GETFL: 2592 case F_GETOWN: 2593 case F_GETSIG: 2594 /* Just check FD__USE permission */ 2595 err = file_has_perm(current, file, 0); 2596 break; 2597 case F_GETLK: 2598 case F_SETLK: 2599 case F_SETLKW: 2600 #if BITS_PER_LONG == 32 2601 case F_GETLK64: 2602 case F_SETLK64: 2603 case F_SETLKW64: 2604 #endif 2605 if (!file->f_dentry || !file->f_dentry->d_inode) { 2606 err = -EINVAL; 2607 break; 2608 } 2609 err = file_has_perm(current, file, FILE__LOCK); 2610 break; 2611 } 2612 2613 return err; 2614 } 2615 2616 static int selinux_file_set_fowner(struct file *file) 2617 { 2618 struct task_security_struct *tsec; 2619 struct file_security_struct *fsec; 2620 2621 tsec = current->security; 2622 fsec = file->f_security; 2623 fsec->fown_sid = tsec->sid; 2624 2625 return 0; 2626 } 2627 2628 static int selinux_file_send_sigiotask(struct task_struct *tsk, 2629 struct fown_struct *fown, int signum) 2630 { 2631 struct file *file; 2632 u32 perm; 2633 struct task_security_struct *tsec; 2634 struct file_security_struct *fsec; 2635 2636 /* struct fown_struct is never outside the context of a struct file */ 2637 file = (struct file *)((long)fown - offsetof(struct file,f_owner)); 2638 2639 tsec = tsk->security; 2640 fsec = file->f_security; 2641 2642 if (!signum) 2643 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 2644 else 2645 perm = signal_to_av(signum); 2646 2647 return avc_has_perm(fsec->fown_sid, tsec->sid, 2648 SECCLASS_PROCESS, perm, NULL); 2649 } 2650 2651 static int selinux_file_receive(struct file *file) 2652 { 2653 return file_has_perm(current, file, file_to_av(file)); 2654 } 2655 2656 /* task security operations */ 2657 2658 static int selinux_task_create(unsigned long clone_flags) 2659 { 2660 int rc; 2661 2662 rc = secondary_ops->task_create(clone_flags); 2663 if (rc) 2664 return rc; 2665 2666 return task_has_perm(current, current, PROCESS__FORK); 2667 } 2668 2669 static int selinux_task_alloc_security(struct task_struct *tsk) 2670 { 2671 struct task_security_struct *tsec1, *tsec2; 2672 int rc; 2673 2674 tsec1 = current->security; 2675 2676 rc = task_alloc_security(tsk); 2677 if (rc) 2678 return rc; 2679 tsec2 = tsk->security; 2680 2681 tsec2->osid = tsec1->osid; 2682 tsec2->sid = tsec1->sid; 2683 2684 /* Retain the exec, fs, key, and sock SIDs across fork */ 2685 tsec2->exec_sid = tsec1->exec_sid; 2686 tsec2->create_sid = tsec1->create_sid; 2687 tsec2->keycreate_sid = tsec1->keycreate_sid; 2688 tsec2->sockcreate_sid = tsec1->sockcreate_sid; 2689 2690 /* Retain ptracer SID across fork, if any. 2691 This will be reset by the ptrace hook upon any 2692 subsequent ptrace_attach operations. */ 2693 tsec2->ptrace_sid = tsec1->ptrace_sid; 2694 2695 return 0; 2696 } 2697 2698 static void selinux_task_free_security(struct task_struct *tsk) 2699 { 2700 task_free_security(tsk); 2701 } 2702 2703 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 2704 { 2705 /* Since setuid only affects the current process, and 2706 since the SELinux controls are not based on the Linux 2707 identity attributes, SELinux does not need to control 2708 this operation. However, SELinux does control the use 2709 of the CAP_SETUID and CAP_SETGID capabilities using the 2710 capable hook. */ 2711 return 0; 2712 } 2713 2714 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 2715 { 2716 return secondary_ops->task_post_setuid(id0,id1,id2,flags); 2717 } 2718 2719 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) 2720 { 2721 /* See the comment for setuid above. */ 2722 return 0; 2723 } 2724 2725 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 2726 { 2727 return task_has_perm(current, p, PROCESS__SETPGID); 2728 } 2729 2730 static int selinux_task_getpgid(struct task_struct *p) 2731 { 2732 return task_has_perm(current, p, PROCESS__GETPGID); 2733 } 2734 2735 static int selinux_task_getsid(struct task_struct *p) 2736 { 2737 return task_has_perm(current, p, PROCESS__GETSESSION); 2738 } 2739 2740 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 2741 { 2742 selinux_get_task_sid(p, secid); 2743 } 2744 2745 static int selinux_task_setgroups(struct group_info *group_info) 2746 { 2747 /* See the comment for setuid above. */ 2748 return 0; 2749 } 2750 2751 static int selinux_task_setnice(struct task_struct *p, int nice) 2752 { 2753 int rc; 2754 2755 rc = secondary_ops->task_setnice(p, nice); 2756 if (rc) 2757 return rc; 2758 2759 return task_has_perm(current,p, PROCESS__SETSCHED); 2760 } 2761 2762 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 2763 { 2764 return task_has_perm(current, p, PROCESS__SETSCHED); 2765 } 2766 2767 static int selinux_task_getioprio(struct task_struct *p) 2768 { 2769 return task_has_perm(current, p, PROCESS__GETSCHED); 2770 } 2771 2772 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) 2773 { 2774 struct rlimit *old_rlim = current->signal->rlim + resource; 2775 int rc; 2776 2777 rc = secondary_ops->task_setrlimit(resource, new_rlim); 2778 if (rc) 2779 return rc; 2780 2781 /* Control the ability to change the hard limit (whether 2782 lowering or raising it), so that the hard limit can 2783 later be used as a safe reset point for the soft limit 2784 upon context transitions. See selinux_bprm_apply_creds. */ 2785 if (old_rlim->rlim_max != new_rlim->rlim_max) 2786 return task_has_perm(current, current, PROCESS__SETRLIMIT); 2787 2788 return 0; 2789 } 2790 2791 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp) 2792 { 2793 return task_has_perm(current, p, PROCESS__SETSCHED); 2794 } 2795 2796 static int selinux_task_getscheduler(struct task_struct *p) 2797 { 2798 return task_has_perm(current, p, PROCESS__GETSCHED); 2799 } 2800 2801 static int selinux_task_movememory(struct task_struct *p) 2802 { 2803 return task_has_perm(current, p, PROCESS__SETSCHED); 2804 } 2805 2806 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 2807 int sig, u32 secid) 2808 { 2809 u32 perm; 2810 int rc; 2811 struct task_security_struct *tsec; 2812 2813 rc = secondary_ops->task_kill(p, info, sig, secid); 2814 if (rc) 2815 return rc; 2816 2817 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info))) 2818 return 0; 2819 2820 if (!sig) 2821 perm = PROCESS__SIGNULL; /* null signal; existence test */ 2822 else 2823 perm = signal_to_av(sig); 2824 tsec = p->security; 2825 if (secid) 2826 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL); 2827 else 2828 rc = task_has_perm(current, p, perm); 2829 return rc; 2830 } 2831 2832 static int selinux_task_prctl(int option, 2833 unsigned long arg2, 2834 unsigned long arg3, 2835 unsigned long arg4, 2836 unsigned long arg5) 2837 { 2838 /* The current prctl operations do not appear to require 2839 any SELinux controls since they merely observe or modify 2840 the state of the current process. */ 2841 return 0; 2842 } 2843 2844 static int selinux_task_wait(struct task_struct *p) 2845 { 2846 u32 perm; 2847 2848 perm = signal_to_av(p->exit_signal); 2849 2850 return task_has_perm(p, current, perm); 2851 } 2852 2853 static void selinux_task_reparent_to_init(struct task_struct *p) 2854 { 2855 struct task_security_struct *tsec; 2856 2857 secondary_ops->task_reparent_to_init(p); 2858 2859 tsec = p->security; 2860 tsec->osid = tsec->sid; 2861 tsec->sid = SECINITSID_KERNEL; 2862 return; 2863 } 2864 2865 static void selinux_task_to_inode(struct task_struct *p, 2866 struct inode *inode) 2867 { 2868 struct task_security_struct *tsec = p->security; 2869 struct inode_security_struct *isec = inode->i_security; 2870 2871 isec->sid = tsec->sid; 2872 isec->initialized = 1; 2873 return; 2874 } 2875 2876 /* Returns error only if unable to parse addresses */ 2877 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad) 2878 { 2879 int offset, ihlen, ret = -EINVAL; 2880 struct iphdr _iph, *ih; 2881 2882 offset = skb->nh.raw - skb->data; 2883 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 2884 if (ih == NULL) 2885 goto out; 2886 2887 ihlen = ih->ihl * 4; 2888 if (ihlen < sizeof(_iph)) 2889 goto out; 2890 2891 ad->u.net.v4info.saddr = ih->saddr; 2892 ad->u.net.v4info.daddr = ih->daddr; 2893 ret = 0; 2894 2895 switch (ih->protocol) { 2896 case IPPROTO_TCP: { 2897 struct tcphdr _tcph, *th; 2898 2899 if (ntohs(ih->frag_off) & IP_OFFSET) 2900 break; 2901 2902 offset += ihlen; 2903 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 2904 if (th == NULL) 2905 break; 2906 2907 ad->u.net.sport = th->source; 2908 ad->u.net.dport = th->dest; 2909 break; 2910 } 2911 2912 case IPPROTO_UDP: { 2913 struct udphdr _udph, *uh; 2914 2915 if (ntohs(ih->frag_off) & IP_OFFSET) 2916 break; 2917 2918 offset += ihlen; 2919 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 2920 if (uh == NULL) 2921 break; 2922 2923 ad->u.net.sport = uh->source; 2924 ad->u.net.dport = uh->dest; 2925 break; 2926 } 2927 2928 default: 2929 break; 2930 } 2931 out: 2932 return ret; 2933 } 2934 2935 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 2936 2937 /* Returns error only if unable to parse addresses */ 2938 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad) 2939 { 2940 u8 nexthdr; 2941 int ret = -EINVAL, offset; 2942 struct ipv6hdr _ipv6h, *ip6; 2943 2944 offset = skb->nh.raw - skb->data; 2945 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 2946 if (ip6 == NULL) 2947 goto out; 2948 2949 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr); 2950 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr); 2951 ret = 0; 2952 2953 nexthdr = ip6->nexthdr; 2954 offset += sizeof(_ipv6h); 2955 offset = ipv6_skip_exthdr(skb, offset, &nexthdr); 2956 if (offset < 0) 2957 goto out; 2958 2959 switch (nexthdr) { 2960 case IPPROTO_TCP: { 2961 struct tcphdr _tcph, *th; 2962 2963 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 2964 if (th == NULL) 2965 break; 2966 2967 ad->u.net.sport = th->source; 2968 ad->u.net.dport = th->dest; 2969 break; 2970 } 2971 2972 case IPPROTO_UDP: { 2973 struct udphdr _udph, *uh; 2974 2975 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 2976 if (uh == NULL) 2977 break; 2978 2979 ad->u.net.sport = uh->source; 2980 ad->u.net.dport = uh->dest; 2981 break; 2982 } 2983 2984 /* includes fragments */ 2985 default: 2986 break; 2987 } 2988 out: 2989 return ret; 2990 } 2991 2992 #endif /* IPV6 */ 2993 2994 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, 2995 char **addrp, int *len, int src) 2996 { 2997 int ret = 0; 2998 2999 switch (ad->u.net.family) { 3000 case PF_INET: 3001 ret = selinux_parse_skb_ipv4(skb, ad); 3002 if (ret || !addrp) 3003 break; 3004 *len = 4; 3005 *addrp = (char *)(src ? &ad->u.net.v4info.saddr : 3006 &ad->u.net.v4info.daddr); 3007 break; 3008 3009 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3010 case PF_INET6: 3011 ret = selinux_parse_skb_ipv6(skb, ad); 3012 if (ret || !addrp) 3013 break; 3014 *len = 16; 3015 *addrp = (char *)(src ? &ad->u.net.v6info.saddr : 3016 &ad->u.net.v6info.daddr); 3017 break; 3018 #endif /* IPV6 */ 3019 default: 3020 break; 3021 } 3022 3023 return ret; 3024 } 3025 3026 /* socket security operations */ 3027 static int socket_has_perm(struct task_struct *task, struct socket *sock, 3028 u32 perms) 3029 { 3030 struct inode_security_struct *isec; 3031 struct task_security_struct *tsec; 3032 struct avc_audit_data ad; 3033 int err = 0; 3034 3035 tsec = task->security; 3036 isec = SOCK_INODE(sock)->i_security; 3037 3038 if (isec->sid == SECINITSID_KERNEL) 3039 goto out; 3040 3041 AVC_AUDIT_DATA_INIT(&ad,NET); 3042 ad.u.net.sk = sock->sk; 3043 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 3044 3045 out: 3046 return err; 3047 } 3048 3049 static int selinux_socket_create(int family, int type, 3050 int protocol, int kern) 3051 { 3052 int err = 0; 3053 struct task_security_struct *tsec; 3054 u32 newsid; 3055 3056 if (kern) 3057 goto out; 3058 3059 tsec = current->security; 3060 newsid = tsec->sockcreate_sid ? : tsec->sid; 3061 err = avc_has_perm(tsec->sid, newsid, 3062 socket_type_to_security_class(family, type, 3063 protocol), SOCKET__CREATE, NULL); 3064 3065 out: 3066 return err; 3067 } 3068 3069 static int selinux_socket_post_create(struct socket *sock, int family, 3070 int type, int protocol, int kern) 3071 { 3072 int err = 0; 3073 struct inode_security_struct *isec; 3074 struct task_security_struct *tsec; 3075 struct sk_security_struct *sksec; 3076 u32 newsid; 3077 3078 isec = SOCK_INODE(sock)->i_security; 3079 3080 tsec = current->security; 3081 newsid = tsec->sockcreate_sid ? : tsec->sid; 3082 isec->sclass = socket_type_to_security_class(family, type, protocol); 3083 isec->sid = kern ? SECINITSID_KERNEL : newsid; 3084 isec->initialized = 1; 3085 3086 if (sock->sk) { 3087 sksec = sock->sk->sk_security; 3088 sksec->sid = isec->sid; 3089 err = selinux_netlbl_socket_post_create(sock, 3090 family, 3091 isec->sid); 3092 } 3093 3094 return err; 3095 } 3096 3097 /* Range of port numbers used to automatically bind. 3098 Need to determine whether we should perform a name_bind 3099 permission check between the socket and the port number. */ 3100 #define ip_local_port_range_0 sysctl_local_port_range[0] 3101 #define ip_local_port_range_1 sysctl_local_port_range[1] 3102 3103 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 3104 { 3105 u16 family; 3106 int err; 3107 3108 err = socket_has_perm(current, sock, SOCKET__BIND); 3109 if (err) 3110 goto out; 3111 3112 /* 3113 * If PF_INET or PF_INET6, check name_bind permission for the port. 3114 * Multiple address binding for SCTP is not supported yet: we just 3115 * check the first address now. 3116 */ 3117 family = sock->sk->sk_family; 3118 if (family == PF_INET || family == PF_INET6) { 3119 char *addrp; 3120 struct inode_security_struct *isec; 3121 struct task_security_struct *tsec; 3122 struct avc_audit_data ad; 3123 struct sockaddr_in *addr4 = NULL; 3124 struct sockaddr_in6 *addr6 = NULL; 3125 unsigned short snum; 3126 struct sock *sk = sock->sk; 3127 u32 sid, node_perm, addrlen; 3128 3129 tsec = current->security; 3130 isec = SOCK_INODE(sock)->i_security; 3131 3132 if (family == PF_INET) { 3133 addr4 = (struct sockaddr_in *)address; 3134 snum = ntohs(addr4->sin_port); 3135 addrlen = sizeof(addr4->sin_addr.s_addr); 3136 addrp = (char *)&addr4->sin_addr.s_addr; 3137 } else { 3138 addr6 = (struct sockaddr_in6 *)address; 3139 snum = ntohs(addr6->sin6_port); 3140 addrlen = sizeof(addr6->sin6_addr.s6_addr); 3141 addrp = (char *)&addr6->sin6_addr.s6_addr; 3142 } 3143 3144 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) || 3145 snum > ip_local_port_range_1)) { 3146 err = security_port_sid(sk->sk_family, sk->sk_type, 3147 sk->sk_protocol, snum, &sid); 3148 if (err) 3149 goto out; 3150 AVC_AUDIT_DATA_INIT(&ad,NET); 3151 ad.u.net.sport = htons(snum); 3152 ad.u.net.family = family; 3153 err = avc_has_perm(isec->sid, sid, 3154 isec->sclass, 3155 SOCKET__NAME_BIND, &ad); 3156 if (err) 3157 goto out; 3158 } 3159 3160 switch(isec->sclass) { 3161 case SECCLASS_TCP_SOCKET: 3162 node_perm = TCP_SOCKET__NODE_BIND; 3163 break; 3164 3165 case SECCLASS_UDP_SOCKET: 3166 node_perm = UDP_SOCKET__NODE_BIND; 3167 break; 3168 3169 default: 3170 node_perm = RAWIP_SOCKET__NODE_BIND; 3171 break; 3172 } 3173 3174 err = security_node_sid(family, addrp, addrlen, &sid); 3175 if (err) 3176 goto out; 3177 3178 AVC_AUDIT_DATA_INIT(&ad,NET); 3179 ad.u.net.sport = htons(snum); 3180 ad.u.net.family = family; 3181 3182 if (family == PF_INET) 3183 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr; 3184 else 3185 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr); 3186 3187 err = avc_has_perm(isec->sid, sid, 3188 isec->sclass, node_perm, &ad); 3189 if (err) 3190 goto out; 3191 } 3192 out: 3193 return err; 3194 } 3195 3196 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 3197 { 3198 struct inode_security_struct *isec; 3199 int err; 3200 3201 err = socket_has_perm(current, sock, SOCKET__CONNECT); 3202 if (err) 3203 return err; 3204 3205 /* 3206 * If a TCP socket, check name_connect permission for the port. 3207 */ 3208 isec = SOCK_INODE(sock)->i_security; 3209 if (isec->sclass == SECCLASS_TCP_SOCKET) { 3210 struct sock *sk = sock->sk; 3211 struct avc_audit_data ad; 3212 struct sockaddr_in *addr4 = NULL; 3213 struct sockaddr_in6 *addr6 = NULL; 3214 unsigned short snum; 3215 u32 sid; 3216 3217 if (sk->sk_family == PF_INET) { 3218 addr4 = (struct sockaddr_in *)address; 3219 if (addrlen < sizeof(struct sockaddr_in)) 3220 return -EINVAL; 3221 snum = ntohs(addr4->sin_port); 3222 } else { 3223 addr6 = (struct sockaddr_in6 *)address; 3224 if (addrlen < SIN6_LEN_RFC2133) 3225 return -EINVAL; 3226 snum = ntohs(addr6->sin6_port); 3227 } 3228 3229 err = security_port_sid(sk->sk_family, sk->sk_type, 3230 sk->sk_protocol, snum, &sid); 3231 if (err) 3232 goto out; 3233 3234 AVC_AUDIT_DATA_INIT(&ad,NET); 3235 ad.u.net.dport = htons(snum); 3236 ad.u.net.family = sk->sk_family; 3237 err = avc_has_perm(isec->sid, sid, isec->sclass, 3238 TCP_SOCKET__NAME_CONNECT, &ad); 3239 if (err) 3240 goto out; 3241 } 3242 3243 out: 3244 return err; 3245 } 3246 3247 static int selinux_socket_listen(struct socket *sock, int backlog) 3248 { 3249 return socket_has_perm(current, sock, SOCKET__LISTEN); 3250 } 3251 3252 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 3253 { 3254 int err; 3255 struct inode_security_struct *isec; 3256 struct inode_security_struct *newisec; 3257 3258 err = socket_has_perm(current, sock, SOCKET__ACCEPT); 3259 if (err) 3260 return err; 3261 3262 newisec = SOCK_INODE(newsock)->i_security; 3263 3264 isec = SOCK_INODE(sock)->i_security; 3265 newisec->sclass = isec->sclass; 3266 newisec->sid = isec->sid; 3267 newisec->initialized = 1; 3268 3269 return 0; 3270 } 3271 3272 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3273 int size) 3274 { 3275 int rc; 3276 3277 rc = socket_has_perm(current, sock, SOCKET__WRITE); 3278 if (rc) 3279 return rc; 3280 3281 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE); 3282 } 3283 3284 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 3285 int size, int flags) 3286 { 3287 return socket_has_perm(current, sock, SOCKET__READ); 3288 } 3289 3290 static int selinux_socket_getsockname(struct socket *sock) 3291 { 3292 return socket_has_perm(current, sock, SOCKET__GETATTR); 3293 } 3294 3295 static int selinux_socket_getpeername(struct socket *sock) 3296 { 3297 return socket_has_perm(current, sock, SOCKET__GETATTR); 3298 } 3299 3300 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname) 3301 { 3302 return socket_has_perm(current, sock, SOCKET__SETOPT); 3303 } 3304 3305 static int selinux_socket_getsockopt(struct socket *sock, int level, 3306 int optname) 3307 { 3308 return socket_has_perm(current, sock, SOCKET__GETOPT); 3309 } 3310 3311 static int selinux_socket_shutdown(struct socket *sock, int how) 3312 { 3313 return socket_has_perm(current, sock, SOCKET__SHUTDOWN); 3314 } 3315 3316 static int selinux_socket_unix_stream_connect(struct socket *sock, 3317 struct socket *other, 3318 struct sock *newsk) 3319 { 3320 struct sk_security_struct *ssec; 3321 struct inode_security_struct *isec; 3322 struct inode_security_struct *other_isec; 3323 struct avc_audit_data ad; 3324 int err; 3325 3326 err = secondary_ops->unix_stream_connect(sock, other, newsk); 3327 if (err) 3328 return err; 3329 3330 isec = SOCK_INODE(sock)->i_security; 3331 other_isec = SOCK_INODE(other)->i_security; 3332 3333 AVC_AUDIT_DATA_INIT(&ad,NET); 3334 ad.u.net.sk = other->sk; 3335 3336 err = avc_has_perm(isec->sid, other_isec->sid, 3337 isec->sclass, 3338 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 3339 if (err) 3340 return err; 3341 3342 /* connecting socket */ 3343 ssec = sock->sk->sk_security; 3344 ssec->peer_sid = other_isec->sid; 3345 3346 /* server child socket */ 3347 ssec = newsk->sk_security; 3348 ssec->peer_sid = isec->sid; 3349 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid); 3350 3351 return err; 3352 } 3353 3354 static int selinux_socket_unix_may_send(struct socket *sock, 3355 struct socket *other) 3356 { 3357 struct inode_security_struct *isec; 3358 struct inode_security_struct *other_isec; 3359 struct avc_audit_data ad; 3360 int err; 3361 3362 isec = SOCK_INODE(sock)->i_security; 3363 other_isec = SOCK_INODE(other)->i_security; 3364 3365 AVC_AUDIT_DATA_INIT(&ad,NET); 3366 ad.u.net.sk = other->sk; 3367 3368 err = avc_has_perm(isec->sid, other_isec->sid, 3369 isec->sclass, SOCKET__SENDTO, &ad); 3370 if (err) 3371 return err; 3372 3373 return 0; 3374 } 3375 3376 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 3377 struct avc_audit_data *ad, u16 family, char *addrp, int len) 3378 { 3379 int err = 0; 3380 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0; 3381 struct socket *sock; 3382 u16 sock_class = 0; 3383 u32 sock_sid = 0; 3384 3385 read_lock_bh(&sk->sk_callback_lock); 3386 sock = sk->sk_socket; 3387 if (sock) { 3388 struct inode *inode; 3389 inode = SOCK_INODE(sock); 3390 if (inode) { 3391 struct inode_security_struct *isec; 3392 isec = inode->i_security; 3393 sock_sid = isec->sid; 3394 sock_class = isec->sclass; 3395 } 3396 } 3397 read_unlock_bh(&sk->sk_callback_lock); 3398 if (!sock_sid) 3399 goto out; 3400 3401 if (!skb->dev) 3402 goto out; 3403 3404 err = sel_netif_sids(skb->dev, &if_sid, NULL); 3405 if (err) 3406 goto out; 3407 3408 switch (sock_class) { 3409 case SECCLASS_UDP_SOCKET: 3410 netif_perm = NETIF__UDP_RECV; 3411 node_perm = NODE__UDP_RECV; 3412 recv_perm = UDP_SOCKET__RECV_MSG; 3413 break; 3414 3415 case SECCLASS_TCP_SOCKET: 3416 netif_perm = NETIF__TCP_RECV; 3417 node_perm = NODE__TCP_RECV; 3418 recv_perm = TCP_SOCKET__RECV_MSG; 3419 break; 3420 3421 default: 3422 netif_perm = NETIF__RAWIP_RECV; 3423 node_perm = NODE__RAWIP_RECV; 3424 break; 3425 } 3426 3427 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 3428 if (err) 3429 goto out; 3430 3431 err = security_node_sid(family, addrp, len, &node_sid); 3432 if (err) 3433 goto out; 3434 3435 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad); 3436 if (err) 3437 goto out; 3438 3439 if (recv_perm) { 3440 u32 port_sid; 3441 3442 err = security_port_sid(sk->sk_family, sk->sk_type, 3443 sk->sk_protocol, ntohs(ad->u.net.sport), 3444 &port_sid); 3445 if (err) 3446 goto out; 3447 3448 err = avc_has_perm(sock_sid, port_sid, 3449 sock_class, recv_perm, ad); 3450 } 3451 3452 out: 3453 return err; 3454 } 3455 3456 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3457 { 3458 u16 family; 3459 char *addrp; 3460 int len, err = 0; 3461 struct avc_audit_data ad; 3462 struct sk_security_struct *sksec = sk->sk_security; 3463 3464 family = sk->sk_family; 3465 if (family != PF_INET && family != PF_INET6) 3466 goto out; 3467 3468 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 3469 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP)) 3470 family = PF_INET; 3471 3472 AVC_AUDIT_DATA_INIT(&ad, NET); 3473 ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]"; 3474 ad.u.net.family = family; 3475 3476 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1); 3477 if (err) 3478 goto out; 3479 3480 if (selinux_compat_net) 3481 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family, 3482 addrp, len); 3483 else 3484 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET, 3485 PACKET__RECV, &ad); 3486 if (err) 3487 goto out; 3488 3489 err = selinux_netlbl_sock_rcv_skb(sksec, skb, &ad); 3490 if (err) 3491 goto out; 3492 3493 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 3494 out: 3495 return err; 3496 } 3497 3498 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 3499 int __user *optlen, unsigned len) 3500 { 3501 int err = 0; 3502 char *scontext; 3503 u32 scontext_len; 3504 struct sk_security_struct *ssec; 3505 struct inode_security_struct *isec; 3506 u32 peer_sid = 0; 3507 3508 isec = SOCK_INODE(sock)->i_security; 3509 3510 /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */ 3511 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) { 3512 ssec = sock->sk->sk_security; 3513 peer_sid = ssec->peer_sid; 3514 } 3515 else if (isec->sclass == SECCLASS_TCP_SOCKET) { 3516 peer_sid = selinux_netlbl_socket_getpeersec_stream(sock); 3517 if (peer_sid == SECSID_NULL) 3518 peer_sid = selinux_socket_getpeer_stream(sock->sk); 3519 if (peer_sid == SECSID_NULL) { 3520 err = -ENOPROTOOPT; 3521 goto out; 3522 } 3523 } 3524 else { 3525 err = -ENOPROTOOPT; 3526 goto out; 3527 } 3528 3529 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 3530 3531 if (err) 3532 goto out; 3533 3534 if (scontext_len > len) { 3535 err = -ERANGE; 3536 goto out_len; 3537 } 3538 3539 if (copy_to_user(optval, scontext, scontext_len)) 3540 err = -EFAULT; 3541 3542 out_len: 3543 if (put_user(scontext_len, optlen)) 3544 err = -EFAULT; 3545 3546 kfree(scontext); 3547 out: 3548 return err; 3549 } 3550 3551 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 3552 { 3553 u32 peer_secid = SECSID_NULL; 3554 int err = 0; 3555 3556 if (sock && (sock->sk->sk_family == PF_UNIX)) 3557 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); 3558 else if (skb) { 3559 peer_secid = selinux_netlbl_socket_getpeersec_dgram(skb); 3560 if (peer_secid == SECSID_NULL) 3561 peer_secid = selinux_socket_getpeer_dgram(skb); 3562 } 3563 3564 if (peer_secid == SECSID_NULL) 3565 err = -EINVAL; 3566 *secid = peer_secid; 3567 3568 return err; 3569 } 3570 3571 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 3572 { 3573 return sk_alloc_security(sk, family, priority); 3574 } 3575 3576 static void selinux_sk_free_security(struct sock *sk) 3577 { 3578 sk_free_security(sk); 3579 } 3580 3581 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 3582 { 3583 struct sk_security_struct *ssec = sk->sk_security; 3584 struct sk_security_struct *newssec = newsk->sk_security; 3585 3586 newssec->sid = ssec->sid; 3587 newssec->peer_sid = ssec->peer_sid; 3588 } 3589 3590 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 3591 { 3592 if (!sk) 3593 *secid = SECINITSID_ANY_SOCKET; 3594 else { 3595 struct sk_security_struct *sksec = sk->sk_security; 3596 3597 *secid = sksec->sid; 3598 } 3599 } 3600 3601 static void selinux_sock_graft(struct sock* sk, struct socket *parent) 3602 { 3603 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; 3604 struct sk_security_struct *sksec = sk->sk_security; 3605 3606 isec->sid = sksec->sid; 3607 3608 selinux_netlbl_sock_graft(sk, parent); 3609 } 3610 3611 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 3612 struct request_sock *req) 3613 { 3614 struct sk_security_struct *sksec = sk->sk_security; 3615 int err; 3616 u32 newsid; 3617 u32 peersid; 3618 3619 newsid = selinux_netlbl_inet_conn_request(skb, sksec->sid); 3620 if (newsid != SECSID_NULL) { 3621 req->secid = newsid; 3622 return 0; 3623 } 3624 3625 err = selinux_xfrm_decode_session(skb, &peersid, 0); 3626 BUG_ON(err); 3627 3628 if (peersid == SECSID_NULL) { 3629 req->secid = sksec->sid; 3630 return 0; 3631 } 3632 3633 err = security_sid_mls_copy(sksec->sid, peersid, &newsid); 3634 if (err) 3635 return err; 3636 3637 req->secid = newsid; 3638 return 0; 3639 } 3640 3641 static void selinux_inet_csk_clone(struct sock *newsk, 3642 const struct request_sock *req) 3643 { 3644 struct sk_security_struct *newsksec = newsk->sk_security; 3645 3646 newsksec->sid = req->secid; 3647 /* NOTE: Ideally, we should also get the isec->sid for the 3648 new socket in sync, but we don't have the isec available yet. 3649 So we will wait until sock_graft to do it, by which 3650 time it will have been created and available. */ 3651 } 3652 3653 static void selinux_req_classify_flow(const struct request_sock *req, 3654 struct flowi *fl) 3655 { 3656 fl->secid = req->secid; 3657 } 3658 3659 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 3660 { 3661 int err = 0; 3662 u32 perm; 3663 struct nlmsghdr *nlh; 3664 struct socket *sock = sk->sk_socket; 3665 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 3666 3667 if (skb->len < NLMSG_SPACE(0)) { 3668 err = -EINVAL; 3669 goto out; 3670 } 3671 nlh = (struct nlmsghdr *)skb->data; 3672 3673 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); 3674 if (err) { 3675 if (err == -EINVAL) { 3676 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR, 3677 "SELinux: unrecognized netlink message" 3678 " type=%hu for sclass=%hu\n", 3679 nlh->nlmsg_type, isec->sclass); 3680 if (!selinux_enforcing) 3681 err = 0; 3682 } 3683 3684 /* Ignore */ 3685 if (err == -ENOENT) 3686 err = 0; 3687 goto out; 3688 } 3689 3690 err = socket_has_perm(current, sock, perm); 3691 out: 3692 return err; 3693 } 3694 3695 #ifdef CONFIG_NETFILTER 3696 3697 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev, 3698 struct avc_audit_data *ad, 3699 u16 family, char *addrp, int len) 3700 { 3701 int err = 0; 3702 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0; 3703 struct socket *sock; 3704 struct inode *inode; 3705 struct inode_security_struct *isec; 3706 3707 sock = sk->sk_socket; 3708 if (!sock) 3709 goto out; 3710 3711 inode = SOCK_INODE(sock); 3712 if (!inode) 3713 goto out; 3714 3715 isec = inode->i_security; 3716 3717 err = sel_netif_sids(dev, &if_sid, NULL); 3718 if (err) 3719 goto out; 3720 3721 switch (isec->sclass) { 3722 case SECCLASS_UDP_SOCKET: 3723 netif_perm = NETIF__UDP_SEND; 3724 node_perm = NODE__UDP_SEND; 3725 send_perm = UDP_SOCKET__SEND_MSG; 3726 break; 3727 3728 case SECCLASS_TCP_SOCKET: 3729 netif_perm = NETIF__TCP_SEND; 3730 node_perm = NODE__TCP_SEND; 3731 send_perm = TCP_SOCKET__SEND_MSG; 3732 break; 3733 3734 default: 3735 netif_perm = NETIF__RAWIP_SEND; 3736 node_perm = NODE__RAWIP_SEND; 3737 break; 3738 } 3739 3740 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 3741 if (err) 3742 goto out; 3743 3744 err = security_node_sid(family, addrp, len, &node_sid); 3745 if (err) 3746 goto out; 3747 3748 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad); 3749 if (err) 3750 goto out; 3751 3752 if (send_perm) { 3753 u32 port_sid; 3754 3755 err = security_port_sid(sk->sk_family, 3756 sk->sk_type, 3757 sk->sk_protocol, 3758 ntohs(ad->u.net.dport), 3759 &port_sid); 3760 if (err) 3761 goto out; 3762 3763 err = avc_has_perm(isec->sid, port_sid, isec->sclass, 3764 send_perm, ad); 3765 } 3766 out: 3767 return err; 3768 } 3769 3770 static unsigned int selinux_ip_postroute_last(unsigned int hooknum, 3771 struct sk_buff **pskb, 3772 const struct net_device *in, 3773 const struct net_device *out, 3774 int (*okfn)(struct sk_buff *), 3775 u16 family) 3776 { 3777 char *addrp; 3778 int len, err = 0; 3779 struct sock *sk; 3780 struct sk_buff *skb = *pskb; 3781 struct avc_audit_data ad; 3782 struct net_device *dev = (struct net_device *)out; 3783 struct sk_security_struct *sksec; 3784 3785 sk = skb->sk; 3786 if (!sk) 3787 goto out; 3788 3789 sksec = sk->sk_security; 3790 3791 AVC_AUDIT_DATA_INIT(&ad, NET); 3792 ad.u.net.netif = dev->name; 3793 ad.u.net.family = family; 3794 3795 err = selinux_parse_skb(skb, &ad, &addrp, &len, 0); 3796 if (err) 3797 goto out; 3798 3799 if (selinux_compat_net) 3800 err = selinux_ip_postroute_last_compat(sk, dev, &ad, 3801 family, addrp, len); 3802 else 3803 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET, 3804 PACKET__SEND, &ad); 3805 3806 if (err) 3807 goto out; 3808 3809 err = selinux_xfrm_postroute_last(sksec->sid, skb, &ad); 3810 out: 3811 return err ? NF_DROP : NF_ACCEPT; 3812 } 3813 3814 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum, 3815 struct sk_buff **pskb, 3816 const struct net_device *in, 3817 const struct net_device *out, 3818 int (*okfn)(struct sk_buff *)) 3819 { 3820 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET); 3821 } 3822 3823 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3824 3825 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum, 3826 struct sk_buff **pskb, 3827 const struct net_device *in, 3828 const struct net_device *out, 3829 int (*okfn)(struct sk_buff *)) 3830 { 3831 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6); 3832 } 3833 3834 #endif /* IPV6 */ 3835 3836 #endif /* CONFIG_NETFILTER */ 3837 3838 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 3839 { 3840 int err; 3841 3842 err = secondary_ops->netlink_send(sk, skb); 3843 if (err) 3844 return err; 3845 3846 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS) 3847 err = selinux_nlmsg_perm(sk, skb); 3848 3849 return err; 3850 } 3851 3852 static int selinux_netlink_recv(struct sk_buff *skb, int capability) 3853 { 3854 int err; 3855 struct avc_audit_data ad; 3856 3857 err = secondary_ops->netlink_recv(skb, capability); 3858 if (err) 3859 return err; 3860 3861 AVC_AUDIT_DATA_INIT(&ad, CAP); 3862 ad.u.cap = capability; 3863 3864 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, 3865 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad); 3866 } 3867 3868 static int ipc_alloc_security(struct task_struct *task, 3869 struct kern_ipc_perm *perm, 3870 u16 sclass) 3871 { 3872 struct task_security_struct *tsec = task->security; 3873 struct ipc_security_struct *isec; 3874 3875 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 3876 if (!isec) 3877 return -ENOMEM; 3878 3879 isec->sclass = sclass; 3880 isec->ipc_perm = perm; 3881 isec->sid = tsec->sid; 3882 perm->security = isec; 3883 3884 return 0; 3885 } 3886 3887 static void ipc_free_security(struct kern_ipc_perm *perm) 3888 { 3889 struct ipc_security_struct *isec = perm->security; 3890 perm->security = NULL; 3891 kfree(isec); 3892 } 3893 3894 static int msg_msg_alloc_security(struct msg_msg *msg) 3895 { 3896 struct msg_security_struct *msec; 3897 3898 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 3899 if (!msec) 3900 return -ENOMEM; 3901 3902 msec->msg = msg; 3903 msec->sid = SECINITSID_UNLABELED; 3904 msg->security = msec; 3905 3906 return 0; 3907 } 3908 3909 static void msg_msg_free_security(struct msg_msg *msg) 3910 { 3911 struct msg_security_struct *msec = msg->security; 3912 3913 msg->security = NULL; 3914 kfree(msec); 3915 } 3916 3917 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 3918 u32 perms) 3919 { 3920 struct task_security_struct *tsec; 3921 struct ipc_security_struct *isec; 3922 struct avc_audit_data ad; 3923 3924 tsec = current->security; 3925 isec = ipc_perms->security; 3926 3927 AVC_AUDIT_DATA_INIT(&ad, IPC); 3928 ad.u.ipc_id = ipc_perms->key; 3929 3930 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 3931 } 3932 3933 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 3934 { 3935 return msg_msg_alloc_security(msg); 3936 } 3937 3938 static void selinux_msg_msg_free_security(struct msg_msg *msg) 3939 { 3940 msg_msg_free_security(msg); 3941 } 3942 3943 /* message queue security operations */ 3944 static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 3945 { 3946 struct task_security_struct *tsec; 3947 struct ipc_security_struct *isec; 3948 struct avc_audit_data ad; 3949 int rc; 3950 3951 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ); 3952 if (rc) 3953 return rc; 3954 3955 tsec = current->security; 3956 isec = msq->q_perm.security; 3957 3958 AVC_AUDIT_DATA_INIT(&ad, IPC); 3959 ad.u.ipc_id = msq->q_perm.key; 3960 3961 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 3962 MSGQ__CREATE, &ad); 3963 if (rc) { 3964 ipc_free_security(&msq->q_perm); 3965 return rc; 3966 } 3967 return 0; 3968 } 3969 3970 static void selinux_msg_queue_free_security(struct msg_queue *msq) 3971 { 3972 ipc_free_security(&msq->q_perm); 3973 } 3974 3975 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 3976 { 3977 struct task_security_struct *tsec; 3978 struct ipc_security_struct *isec; 3979 struct avc_audit_data ad; 3980 3981 tsec = current->security; 3982 isec = msq->q_perm.security; 3983 3984 AVC_AUDIT_DATA_INIT(&ad, IPC); 3985 ad.u.ipc_id = msq->q_perm.key; 3986 3987 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 3988 MSGQ__ASSOCIATE, &ad); 3989 } 3990 3991 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 3992 { 3993 int err; 3994 int perms; 3995 3996 switch(cmd) { 3997 case IPC_INFO: 3998 case MSG_INFO: 3999 /* No specific object, just general system-wide information. */ 4000 return task_has_system(current, SYSTEM__IPC_INFO); 4001 case IPC_STAT: 4002 case MSG_STAT: 4003 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 4004 break; 4005 case IPC_SET: 4006 perms = MSGQ__SETATTR; 4007 break; 4008 case IPC_RMID: 4009 perms = MSGQ__DESTROY; 4010 break; 4011 default: 4012 return 0; 4013 } 4014 4015 err = ipc_has_perm(&msq->q_perm, perms); 4016 return err; 4017 } 4018 4019 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 4020 { 4021 struct task_security_struct *tsec; 4022 struct ipc_security_struct *isec; 4023 struct msg_security_struct *msec; 4024 struct avc_audit_data ad; 4025 int rc; 4026 4027 tsec = current->security; 4028 isec = msq->q_perm.security; 4029 msec = msg->security; 4030 4031 /* 4032 * First time through, need to assign label to the message 4033 */ 4034 if (msec->sid == SECINITSID_UNLABELED) { 4035 /* 4036 * Compute new sid based on current process and 4037 * message queue this message will be stored in 4038 */ 4039 rc = security_transition_sid(tsec->sid, 4040 isec->sid, 4041 SECCLASS_MSG, 4042 &msec->sid); 4043 if (rc) 4044 return rc; 4045 } 4046 4047 AVC_AUDIT_DATA_INIT(&ad, IPC); 4048 ad.u.ipc_id = msq->q_perm.key; 4049 4050 /* Can this process write to the queue? */ 4051 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 4052 MSGQ__WRITE, &ad); 4053 if (!rc) 4054 /* Can this process send the message */ 4055 rc = avc_has_perm(tsec->sid, msec->sid, 4056 SECCLASS_MSG, MSG__SEND, &ad); 4057 if (!rc) 4058 /* Can the message be put in the queue? */ 4059 rc = avc_has_perm(msec->sid, isec->sid, 4060 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad); 4061 4062 return rc; 4063 } 4064 4065 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 4066 struct task_struct *target, 4067 long type, int mode) 4068 { 4069 struct task_security_struct *tsec; 4070 struct ipc_security_struct *isec; 4071 struct msg_security_struct *msec; 4072 struct avc_audit_data ad; 4073 int rc; 4074 4075 tsec = target->security; 4076 isec = msq->q_perm.security; 4077 msec = msg->security; 4078 4079 AVC_AUDIT_DATA_INIT(&ad, IPC); 4080 ad.u.ipc_id = msq->q_perm.key; 4081 4082 rc = avc_has_perm(tsec->sid, isec->sid, 4083 SECCLASS_MSGQ, MSGQ__READ, &ad); 4084 if (!rc) 4085 rc = avc_has_perm(tsec->sid, msec->sid, 4086 SECCLASS_MSG, MSG__RECEIVE, &ad); 4087 return rc; 4088 } 4089 4090 /* Shared Memory security operations */ 4091 static int selinux_shm_alloc_security(struct shmid_kernel *shp) 4092 { 4093 struct task_security_struct *tsec; 4094 struct ipc_security_struct *isec; 4095 struct avc_audit_data ad; 4096 int rc; 4097 4098 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM); 4099 if (rc) 4100 return rc; 4101 4102 tsec = current->security; 4103 isec = shp->shm_perm.security; 4104 4105 AVC_AUDIT_DATA_INIT(&ad, IPC); 4106 ad.u.ipc_id = shp->shm_perm.key; 4107 4108 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 4109 SHM__CREATE, &ad); 4110 if (rc) { 4111 ipc_free_security(&shp->shm_perm); 4112 return rc; 4113 } 4114 return 0; 4115 } 4116 4117 static void selinux_shm_free_security(struct shmid_kernel *shp) 4118 { 4119 ipc_free_security(&shp->shm_perm); 4120 } 4121 4122 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 4123 { 4124 struct task_security_struct *tsec; 4125 struct ipc_security_struct *isec; 4126 struct avc_audit_data ad; 4127 4128 tsec = current->security; 4129 isec = shp->shm_perm.security; 4130 4131 AVC_AUDIT_DATA_INIT(&ad, IPC); 4132 ad.u.ipc_id = shp->shm_perm.key; 4133 4134 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 4135 SHM__ASSOCIATE, &ad); 4136 } 4137 4138 /* Note, at this point, shp is locked down */ 4139 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 4140 { 4141 int perms; 4142 int err; 4143 4144 switch(cmd) { 4145 case IPC_INFO: 4146 case SHM_INFO: 4147 /* No specific object, just general system-wide information. */ 4148 return task_has_system(current, SYSTEM__IPC_INFO); 4149 case IPC_STAT: 4150 case SHM_STAT: 4151 perms = SHM__GETATTR | SHM__ASSOCIATE; 4152 break; 4153 case IPC_SET: 4154 perms = SHM__SETATTR; 4155 break; 4156 case SHM_LOCK: 4157 case SHM_UNLOCK: 4158 perms = SHM__LOCK; 4159 break; 4160 case IPC_RMID: 4161 perms = SHM__DESTROY; 4162 break; 4163 default: 4164 return 0; 4165 } 4166 4167 err = ipc_has_perm(&shp->shm_perm, perms); 4168 return err; 4169 } 4170 4171 static int selinux_shm_shmat(struct shmid_kernel *shp, 4172 char __user *shmaddr, int shmflg) 4173 { 4174 u32 perms; 4175 int rc; 4176 4177 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg); 4178 if (rc) 4179 return rc; 4180 4181 if (shmflg & SHM_RDONLY) 4182 perms = SHM__READ; 4183 else 4184 perms = SHM__READ | SHM__WRITE; 4185 4186 return ipc_has_perm(&shp->shm_perm, perms); 4187 } 4188 4189 /* Semaphore security operations */ 4190 static int selinux_sem_alloc_security(struct sem_array *sma) 4191 { 4192 struct task_security_struct *tsec; 4193 struct ipc_security_struct *isec; 4194 struct avc_audit_data ad; 4195 int rc; 4196 4197 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM); 4198 if (rc) 4199 return rc; 4200 4201 tsec = current->security; 4202 isec = sma->sem_perm.security; 4203 4204 AVC_AUDIT_DATA_INIT(&ad, IPC); 4205 ad.u.ipc_id = sma->sem_perm.key; 4206 4207 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 4208 SEM__CREATE, &ad); 4209 if (rc) { 4210 ipc_free_security(&sma->sem_perm); 4211 return rc; 4212 } 4213 return 0; 4214 } 4215 4216 static void selinux_sem_free_security(struct sem_array *sma) 4217 { 4218 ipc_free_security(&sma->sem_perm); 4219 } 4220 4221 static int selinux_sem_associate(struct sem_array *sma, int semflg) 4222 { 4223 struct task_security_struct *tsec; 4224 struct ipc_security_struct *isec; 4225 struct avc_audit_data ad; 4226 4227 tsec = current->security; 4228 isec = sma->sem_perm.security; 4229 4230 AVC_AUDIT_DATA_INIT(&ad, IPC); 4231 ad.u.ipc_id = sma->sem_perm.key; 4232 4233 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 4234 SEM__ASSOCIATE, &ad); 4235 } 4236 4237 /* Note, at this point, sma is locked down */ 4238 static int selinux_sem_semctl(struct sem_array *sma, int cmd) 4239 { 4240 int err; 4241 u32 perms; 4242 4243 switch(cmd) { 4244 case IPC_INFO: 4245 case SEM_INFO: 4246 /* No specific object, just general system-wide information. */ 4247 return task_has_system(current, SYSTEM__IPC_INFO); 4248 case GETPID: 4249 case GETNCNT: 4250 case GETZCNT: 4251 perms = SEM__GETATTR; 4252 break; 4253 case GETVAL: 4254 case GETALL: 4255 perms = SEM__READ; 4256 break; 4257 case SETVAL: 4258 case SETALL: 4259 perms = SEM__WRITE; 4260 break; 4261 case IPC_RMID: 4262 perms = SEM__DESTROY; 4263 break; 4264 case IPC_SET: 4265 perms = SEM__SETATTR; 4266 break; 4267 case IPC_STAT: 4268 case SEM_STAT: 4269 perms = SEM__GETATTR | SEM__ASSOCIATE; 4270 break; 4271 default: 4272 return 0; 4273 } 4274 4275 err = ipc_has_perm(&sma->sem_perm, perms); 4276 return err; 4277 } 4278 4279 static int selinux_sem_semop(struct sem_array *sma, 4280 struct sembuf *sops, unsigned nsops, int alter) 4281 { 4282 u32 perms; 4283 4284 if (alter) 4285 perms = SEM__READ | SEM__WRITE; 4286 else 4287 perms = SEM__READ; 4288 4289 return ipc_has_perm(&sma->sem_perm, perms); 4290 } 4291 4292 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 4293 { 4294 u32 av = 0; 4295 4296 av = 0; 4297 if (flag & S_IRUGO) 4298 av |= IPC__UNIX_READ; 4299 if (flag & S_IWUGO) 4300 av |= IPC__UNIX_WRITE; 4301 4302 if (av == 0) 4303 return 0; 4304 4305 return ipc_has_perm(ipcp, av); 4306 } 4307 4308 /* module stacking operations */ 4309 static int selinux_register_security (const char *name, struct security_operations *ops) 4310 { 4311 if (secondary_ops != original_ops) { 4312 printk(KERN_INFO "%s: There is already a secondary security " 4313 "module registered.\n", __FUNCTION__); 4314 return -EINVAL; 4315 } 4316 4317 secondary_ops = ops; 4318 4319 printk(KERN_INFO "%s: Registering secondary module %s\n", 4320 __FUNCTION__, 4321 name); 4322 4323 return 0; 4324 } 4325 4326 static int selinux_unregister_security (const char *name, struct security_operations *ops) 4327 { 4328 if (ops != secondary_ops) { 4329 printk (KERN_INFO "%s: trying to unregister a security module " 4330 "that is not registered.\n", __FUNCTION__); 4331 return -EINVAL; 4332 } 4333 4334 secondary_ops = original_ops; 4335 4336 return 0; 4337 } 4338 4339 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode) 4340 { 4341 if (inode) 4342 inode_doinit_with_dentry(inode, dentry); 4343 } 4344 4345 static int selinux_getprocattr(struct task_struct *p, 4346 char *name, void *value, size_t size) 4347 { 4348 struct task_security_struct *tsec; 4349 u32 sid; 4350 int error; 4351 4352 if (current != p) { 4353 error = task_has_perm(current, p, PROCESS__GETATTR); 4354 if (error) 4355 return error; 4356 } 4357 4358 tsec = p->security; 4359 4360 if (!strcmp(name, "current")) 4361 sid = tsec->sid; 4362 else if (!strcmp(name, "prev")) 4363 sid = tsec->osid; 4364 else if (!strcmp(name, "exec")) 4365 sid = tsec->exec_sid; 4366 else if (!strcmp(name, "fscreate")) 4367 sid = tsec->create_sid; 4368 else if (!strcmp(name, "keycreate")) 4369 sid = tsec->keycreate_sid; 4370 else if (!strcmp(name, "sockcreate")) 4371 sid = tsec->sockcreate_sid; 4372 else 4373 return -EINVAL; 4374 4375 if (!sid) 4376 return 0; 4377 4378 return selinux_getsecurity(sid, value, size); 4379 } 4380 4381 static int selinux_setprocattr(struct task_struct *p, 4382 char *name, void *value, size_t size) 4383 { 4384 struct task_security_struct *tsec; 4385 u32 sid = 0; 4386 int error; 4387 char *str = value; 4388 4389 if (current != p) { 4390 /* SELinux only allows a process to change its own 4391 security attributes. */ 4392 return -EACCES; 4393 } 4394 4395 /* 4396 * Basic control over ability to set these attributes at all. 4397 * current == p, but we'll pass them separately in case the 4398 * above restriction is ever removed. 4399 */ 4400 if (!strcmp(name, "exec")) 4401 error = task_has_perm(current, p, PROCESS__SETEXEC); 4402 else if (!strcmp(name, "fscreate")) 4403 error = task_has_perm(current, p, PROCESS__SETFSCREATE); 4404 else if (!strcmp(name, "keycreate")) 4405 error = task_has_perm(current, p, PROCESS__SETKEYCREATE); 4406 else if (!strcmp(name, "sockcreate")) 4407 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE); 4408 else if (!strcmp(name, "current")) 4409 error = task_has_perm(current, p, PROCESS__SETCURRENT); 4410 else 4411 error = -EINVAL; 4412 if (error) 4413 return error; 4414 4415 /* Obtain a SID for the context, if one was specified. */ 4416 if (size && str[1] && str[1] != '\n') { 4417 if (str[size-1] == '\n') { 4418 str[size-1] = 0; 4419 size--; 4420 } 4421 error = security_context_to_sid(value, size, &sid); 4422 if (error) 4423 return error; 4424 } 4425 4426 /* Permission checking based on the specified context is 4427 performed during the actual operation (execve, 4428 open/mkdir/...), when we know the full context of the 4429 operation. See selinux_bprm_set_security for the execve 4430 checks and may_create for the file creation checks. The 4431 operation will then fail if the context is not permitted. */ 4432 tsec = p->security; 4433 if (!strcmp(name, "exec")) 4434 tsec->exec_sid = sid; 4435 else if (!strcmp(name, "fscreate")) 4436 tsec->create_sid = sid; 4437 else if (!strcmp(name, "keycreate")) { 4438 error = may_create_key(sid, p); 4439 if (error) 4440 return error; 4441 tsec->keycreate_sid = sid; 4442 } else if (!strcmp(name, "sockcreate")) 4443 tsec->sockcreate_sid = sid; 4444 else if (!strcmp(name, "current")) { 4445 struct av_decision avd; 4446 4447 if (sid == 0) 4448 return -EINVAL; 4449 4450 /* Only allow single threaded processes to change context */ 4451 if (atomic_read(&p->mm->mm_users) != 1) { 4452 struct task_struct *g, *t; 4453 struct mm_struct *mm = p->mm; 4454 read_lock(&tasklist_lock); 4455 do_each_thread(g, t) 4456 if (t->mm == mm && t != p) { 4457 read_unlock(&tasklist_lock); 4458 return -EPERM; 4459 } 4460 while_each_thread(g, t); 4461 read_unlock(&tasklist_lock); 4462 } 4463 4464 /* Check permissions for the transition. */ 4465 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 4466 PROCESS__DYNTRANSITION, NULL); 4467 if (error) 4468 return error; 4469 4470 /* Check for ptracing, and update the task SID if ok. 4471 Otherwise, leave SID unchanged and fail. */ 4472 task_lock(p); 4473 if (p->ptrace & PT_PTRACED) { 4474 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid, 4475 SECCLASS_PROCESS, 4476 PROCESS__PTRACE, &avd); 4477 if (!error) 4478 tsec->sid = sid; 4479 task_unlock(p); 4480 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS, 4481 PROCESS__PTRACE, &avd, error, NULL); 4482 if (error) 4483 return error; 4484 } else { 4485 tsec->sid = sid; 4486 task_unlock(p); 4487 } 4488 } 4489 else 4490 return -EINVAL; 4491 4492 return size; 4493 } 4494 4495 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 4496 { 4497 return security_sid_to_context(secid, secdata, seclen); 4498 } 4499 4500 static void selinux_release_secctx(char *secdata, u32 seclen) 4501 { 4502 if (secdata) 4503 kfree(secdata); 4504 } 4505 4506 #ifdef CONFIG_KEYS 4507 4508 static int selinux_key_alloc(struct key *k, struct task_struct *tsk, 4509 unsigned long flags) 4510 { 4511 struct task_security_struct *tsec = tsk->security; 4512 struct key_security_struct *ksec; 4513 4514 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 4515 if (!ksec) 4516 return -ENOMEM; 4517 4518 ksec->obj = k; 4519 if (tsec->keycreate_sid) 4520 ksec->sid = tsec->keycreate_sid; 4521 else 4522 ksec->sid = tsec->sid; 4523 k->security = ksec; 4524 4525 return 0; 4526 } 4527 4528 static void selinux_key_free(struct key *k) 4529 { 4530 struct key_security_struct *ksec = k->security; 4531 4532 k->security = NULL; 4533 kfree(ksec); 4534 } 4535 4536 static int selinux_key_permission(key_ref_t key_ref, 4537 struct task_struct *ctx, 4538 key_perm_t perm) 4539 { 4540 struct key *key; 4541 struct task_security_struct *tsec; 4542 struct key_security_struct *ksec; 4543 4544 key = key_ref_to_ptr(key_ref); 4545 4546 tsec = ctx->security; 4547 ksec = key->security; 4548 4549 /* if no specific permissions are requested, we skip the 4550 permission check. No serious, additional covert channels 4551 appear to be created. */ 4552 if (perm == 0) 4553 return 0; 4554 4555 return avc_has_perm(tsec->sid, ksec->sid, 4556 SECCLASS_KEY, perm, NULL); 4557 } 4558 4559 #endif 4560 4561 static struct security_operations selinux_ops = { 4562 .ptrace = selinux_ptrace, 4563 .capget = selinux_capget, 4564 .capset_check = selinux_capset_check, 4565 .capset_set = selinux_capset_set, 4566 .sysctl = selinux_sysctl, 4567 .capable = selinux_capable, 4568 .quotactl = selinux_quotactl, 4569 .quota_on = selinux_quota_on, 4570 .syslog = selinux_syslog, 4571 .vm_enough_memory = selinux_vm_enough_memory, 4572 4573 .netlink_send = selinux_netlink_send, 4574 .netlink_recv = selinux_netlink_recv, 4575 4576 .bprm_alloc_security = selinux_bprm_alloc_security, 4577 .bprm_free_security = selinux_bprm_free_security, 4578 .bprm_apply_creds = selinux_bprm_apply_creds, 4579 .bprm_post_apply_creds = selinux_bprm_post_apply_creds, 4580 .bprm_set_security = selinux_bprm_set_security, 4581 .bprm_check_security = selinux_bprm_check_security, 4582 .bprm_secureexec = selinux_bprm_secureexec, 4583 4584 .sb_alloc_security = selinux_sb_alloc_security, 4585 .sb_free_security = selinux_sb_free_security, 4586 .sb_copy_data = selinux_sb_copy_data, 4587 .sb_kern_mount = selinux_sb_kern_mount, 4588 .sb_statfs = selinux_sb_statfs, 4589 .sb_mount = selinux_mount, 4590 .sb_umount = selinux_umount, 4591 4592 .inode_alloc_security = selinux_inode_alloc_security, 4593 .inode_free_security = selinux_inode_free_security, 4594 .inode_init_security = selinux_inode_init_security, 4595 .inode_create = selinux_inode_create, 4596 .inode_link = selinux_inode_link, 4597 .inode_unlink = selinux_inode_unlink, 4598 .inode_symlink = selinux_inode_symlink, 4599 .inode_mkdir = selinux_inode_mkdir, 4600 .inode_rmdir = selinux_inode_rmdir, 4601 .inode_mknod = selinux_inode_mknod, 4602 .inode_rename = selinux_inode_rename, 4603 .inode_readlink = selinux_inode_readlink, 4604 .inode_follow_link = selinux_inode_follow_link, 4605 .inode_permission = selinux_inode_permission, 4606 .inode_setattr = selinux_inode_setattr, 4607 .inode_getattr = selinux_inode_getattr, 4608 .inode_setxattr = selinux_inode_setxattr, 4609 .inode_post_setxattr = selinux_inode_post_setxattr, 4610 .inode_getxattr = selinux_inode_getxattr, 4611 .inode_listxattr = selinux_inode_listxattr, 4612 .inode_removexattr = selinux_inode_removexattr, 4613 .inode_xattr_getsuffix = selinux_inode_xattr_getsuffix, 4614 .inode_getsecurity = selinux_inode_getsecurity, 4615 .inode_setsecurity = selinux_inode_setsecurity, 4616 .inode_listsecurity = selinux_inode_listsecurity, 4617 4618 .file_permission = selinux_file_permission, 4619 .file_alloc_security = selinux_file_alloc_security, 4620 .file_free_security = selinux_file_free_security, 4621 .file_ioctl = selinux_file_ioctl, 4622 .file_mmap = selinux_file_mmap, 4623 .file_mprotect = selinux_file_mprotect, 4624 .file_lock = selinux_file_lock, 4625 .file_fcntl = selinux_file_fcntl, 4626 .file_set_fowner = selinux_file_set_fowner, 4627 .file_send_sigiotask = selinux_file_send_sigiotask, 4628 .file_receive = selinux_file_receive, 4629 4630 .task_create = selinux_task_create, 4631 .task_alloc_security = selinux_task_alloc_security, 4632 .task_free_security = selinux_task_free_security, 4633 .task_setuid = selinux_task_setuid, 4634 .task_post_setuid = selinux_task_post_setuid, 4635 .task_setgid = selinux_task_setgid, 4636 .task_setpgid = selinux_task_setpgid, 4637 .task_getpgid = selinux_task_getpgid, 4638 .task_getsid = selinux_task_getsid, 4639 .task_getsecid = selinux_task_getsecid, 4640 .task_setgroups = selinux_task_setgroups, 4641 .task_setnice = selinux_task_setnice, 4642 .task_setioprio = selinux_task_setioprio, 4643 .task_getioprio = selinux_task_getioprio, 4644 .task_setrlimit = selinux_task_setrlimit, 4645 .task_setscheduler = selinux_task_setscheduler, 4646 .task_getscheduler = selinux_task_getscheduler, 4647 .task_movememory = selinux_task_movememory, 4648 .task_kill = selinux_task_kill, 4649 .task_wait = selinux_task_wait, 4650 .task_prctl = selinux_task_prctl, 4651 .task_reparent_to_init = selinux_task_reparent_to_init, 4652 .task_to_inode = selinux_task_to_inode, 4653 4654 .ipc_permission = selinux_ipc_permission, 4655 4656 .msg_msg_alloc_security = selinux_msg_msg_alloc_security, 4657 .msg_msg_free_security = selinux_msg_msg_free_security, 4658 4659 .msg_queue_alloc_security = selinux_msg_queue_alloc_security, 4660 .msg_queue_free_security = selinux_msg_queue_free_security, 4661 .msg_queue_associate = selinux_msg_queue_associate, 4662 .msg_queue_msgctl = selinux_msg_queue_msgctl, 4663 .msg_queue_msgsnd = selinux_msg_queue_msgsnd, 4664 .msg_queue_msgrcv = selinux_msg_queue_msgrcv, 4665 4666 .shm_alloc_security = selinux_shm_alloc_security, 4667 .shm_free_security = selinux_shm_free_security, 4668 .shm_associate = selinux_shm_associate, 4669 .shm_shmctl = selinux_shm_shmctl, 4670 .shm_shmat = selinux_shm_shmat, 4671 4672 .sem_alloc_security = selinux_sem_alloc_security, 4673 .sem_free_security = selinux_sem_free_security, 4674 .sem_associate = selinux_sem_associate, 4675 .sem_semctl = selinux_sem_semctl, 4676 .sem_semop = selinux_sem_semop, 4677 4678 .register_security = selinux_register_security, 4679 .unregister_security = selinux_unregister_security, 4680 4681 .d_instantiate = selinux_d_instantiate, 4682 4683 .getprocattr = selinux_getprocattr, 4684 .setprocattr = selinux_setprocattr, 4685 4686 .secid_to_secctx = selinux_secid_to_secctx, 4687 .release_secctx = selinux_release_secctx, 4688 4689 .unix_stream_connect = selinux_socket_unix_stream_connect, 4690 .unix_may_send = selinux_socket_unix_may_send, 4691 4692 .socket_create = selinux_socket_create, 4693 .socket_post_create = selinux_socket_post_create, 4694 .socket_bind = selinux_socket_bind, 4695 .socket_connect = selinux_socket_connect, 4696 .socket_listen = selinux_socket_listen, 4697 .socket_accept = selinux_socket_accept, 4698 .socket_sendmsg = selinux_socket_sendmsg, 4699 .socket_recvmsg = selinux_socket_recvmsg, 4700 .socket_getsockname = selinux_socket_getsockname, 4701 .socket_getpeername = selinux_socket_getpeername, 4702 .socket_getsockopt = selinux_socket_getsockopt, 4703 .socket_setsockopt = selinux_socket_setsockopt, 4704 .socket_shutdown = selinux_socket_shutdown, 4705 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb, 4706 .socket_getpeersec_stream = selinux_socket_getpeersec_stream, 4707 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram, 4708 .sk_alloc_security = selinux_sk_alloc_security, 4709 .sk_free_security = selinux_sk_free_security, 4710 .sk_clone_security = selinux_sk_clone_security, 4711 .sk_getsecid = selinux_sk_getsecid, 4712 .sock_graft = selinux_sock_graft, 4713 .inet_conn_request = selinux_inet_conn_request, 4714 .inet_csk_clone = selinux_inet_csk_clone, 4715 .req_classify_flow = selinux_req_classify_flow, 4716 4717 #ifdef CONFIG_SECURITY_NETWORK_XFRM 4718 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, 4719 .xfrm_policy_clone_security = selinux_xfrm_policy_clone, 4720 .xfrm_policy_free_security = selinux_xfrm_policy_free, 4721 .xfrm_policy_delete_security = selinux_xfrm_policy_delete, 4722 .xfrm_state_alloc_security = selinux_xfrm_state_alloc, 4723 .xfrm_state_free_security = selinux_xfrm_state_free, 4724 .xfrm_state_delete_security = selinux_xfrm_state_delete, 4725 .xfrm_policy_lookup = selinux_xfrm_policy_lookup, 4726 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match, 4727 .xfrm_flow_state_match = selinux_xfrm_flow_state_match, 4728 .xfrm_decode_session = selinux_xfrm_decode_session, 4729 #endif 4730 4731 #ifdef CONFIG_KEYS 4732 .key_alloc = selinux_key_alloc, 4733 .key_free = selinux_key_free, 4734 .key_permission = selinux_key_permission, 4735 #endif 4736 }; 4737 4738 static __init int selinux_init(void) 4739 { 4740 struct task_security_struct *tsec; 4741 4742 if (!selinux_enabled) { 4743 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 4744 return 0; 4745 } 4746 4747 printk(KERN_INFO "SELinux: Initializing.\n"); 4748 4749 /* Set the security state for the initial task. */ 4750 if (task_alloc_security(current)) 4751 panic("SELinux: Failed to initialize initial task.\n"); 4752 tsec = current->security; 4753 tsec->osid = tsec->sid = SECINITSID_KERNEL; 4754 4755 sel_inode_cache = kmem_cache_create("selinux_inode_security", 4756 sizeof(struct inode_security_struct), 4757 0, SLAB_PANIC, NULL, NULL); 4758 avc_init(); 4759 4760 original_ops = secondary_ops = security_ops; 4761 if (!secondary_ops) 4762 panic ("SELinux: No initial security operations\n"); 4763 if (register_security (&selinux_ops)) 4764 panic("SELinux: Unable to register with kernel.\n"); 4765 4766 if (selinux_enforcing) { 4767 printk(KERN_INFO "SELinux: Starting in enforcing mode\n"); 4768 } else { 4769 printk(KERN_INFO "SELinux: Starting in permissive mode\n"); 4770 } 4771 4772 #ifdef CONFIG_KEYS 4773 /* Add security information to initial keyrings */ 4774 selinux_key_alloc(&root_user_keyring, current, 4775 KEY_ALLOC_NOT_IN_QUOTA); 4776 selinux_key_alloc(&root_session_keyring, current, 4777 KEY_ALLOC_NOT_IN_QUOTA); 4778 #endif 4779 4780 return 0; 4781 } 4782 4783 void selinux_complete_init(void) 4784 { 4785 printk(KERN_INFO "SELinux: Completing initialization.\n"); 4786 4787 /* Set up any superblocks initialized prior to the policy load. */ 4788 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n"); 4789 spin_lock(&sb_lock); 4790 spin_lock(&sb_security_lock); 4791 next_sb: 4792 if (!list_empty(&superblock_security_head)) { 4793 struct superblock_security_struct *sbsec = 4794 list_entry(superblock_security_head.next, 4795 struct superblock_security_struct, 4796 list); 4797 struct super_block *sb = sbsec->sb; 4798 sb->s_count++; 4799 spin_unlock(&sb_security_lock); 4800 spin_unlock(&sb_lock); 4801 down_read(&sb->s_umount); 4802 if (sb->s_root) 4803 superblock_doinit(sb, NULL); 4804 drop_super(sb); 4805 spin_lock(&sb_lock); 4806 spin_lock(&sb_security_lock); 4807 list_del_init(&sbsec->list); 4808 goto next_sb; 4809 } 4810 spin_unlock(&sb_security_lock); 4811 spin_unlock(&sb_lock); 4812 } 4813 4814 /* SELinux requires early initialization in order to label 4815 all processes and objects when they are created. */ 4816 security_initcall(selinux_init); 4817 4818 #if defined(CONFIG_NETFILTER) 4819 4820 static struct nf_hook_ops selinux_ipv4_op = { 4821 .hook = selinux_ipv4_postroute_last, 4822 .owner = THIS_MODULE, 4823 .pf = PF_INET, 4824 .hooknum = NF_IP_POST_ROUTING, 4825 .priority = NF_IP_PRI_SELINUX_LAST, 4826 }; 4827 4828 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4829 4830 static struct nf_hook_ops selinux_ipv6_op = { 4831 .hook = selinux_ipv6_postroute_last, 4832 .owner = THIS_MODULE, 4833 .pf = PF_INET6, 4834 .hooknum = NF_IP6_POST_ROUTING, 4835 .priority = NF_IP6_PRI_SELINUX_LAST, 4836 }; 4837 4838 #endif /* IPV6 */ 4839 4840 static int __init selinux_nf_ip_init(void) 4841 { 4842 int err = 0; 4843 4844 if (!selinux_enabled) 4845 goto out; 4846 4847 printk(KERN_INFO "SELinux: Registering netfilter hooks\n"); 4848 4849 err = nf_register_hook(&selinux_ipv4_op); 4850 if (err) 4851 panic("SELinux: nf_register_hook for IPv4: error %d\n", err); 4852 4853 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4854 4855 err = nf_register_hook(&selinux_ipv6_op); 4856 if (err) 4857 panic("SELinux: nf_register_hook for IPv6: error %d\n", err); 4858 4859 #endif /* IPV6 */ 4860 4861 out: 4862 return err; 4863 } 4864 4865 __initcall(selinux_nf_ip_init); 4866 4867 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 4868 static void selinux_nf_ip_exit(void) 4869 { 4870 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n"); 4871 4872 nf_unregister_hook(&selinux_ipv4_op); 4873 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4874 nf_unregister_hook(&selinux_ipv6_op); 4875 #endif /* IPV6 */ 4876 } 4877 #endif 4878 4879 #else /* CONFIG_NETFILTER */ 4880 4881 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 4882 #define selinux_nf_ip_exit() 4883 #endif 4884 4885 #endif /* CONFIG_NETFILTER */ 4886 4887 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 4888 int selinux_disable(void) 4889 { 4890 extern void exit_sel_fs(void); 4891 static int selinux_disabled = 0; 4892 4893 if (ss_initialized) { 4894 /* Not permitted after initial policy load. */ 4895 return -EINVAL; 4896 } 4897 4898 if (selinux_disabled) { 4899 /* Only do this once. */ 4900 return -EINVAL; 4901 } 4902 4903 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 4904 4905 selinux_disabled = 1; 4906 selinux_enabled = 0; 4907 4908 /* Reset security_ops to the secondary module, dummy or capability. */ 4909 security_ops = secondary_ops; 4910 4911 /* Unregister netfilter hooks. */ 4912 selinux_nf_ip_exit(); 4913 4914 /* Unregister selinuxfs. */ 4915 exit_sel_fs(); 4916 4917 return 0; 4918 } 4919 #endif 4920 4921 4922