1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 14 * <dgoeddel@trustedcs.com> 15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. 16 * Paul Moore <paul.moore@hp.com> 17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 18 * Yuichi Nakamura <ynakam@hitachisoft.jp> 19 * 20 * This program is free software; you can redistribute it and/or modify 21 * it under the terms of the GNU General Public License version 2, 22 * as published by the Free Software Foundation. 23 */ 24 25 #include <linux/init.h> 26 #include <linux/kernel.h> 27 #include <linux/ptrace.h> 28 #include <linux/errno.h> 29 #include <linux/sched.h> 30 #include <linux/security.h> 31 #include <linux/xattr.h> 32 #include <linux/capability.h> 33 #include <linux/unistd.h> 34 #include <linux/mm.h> 35 #include <linux/mman.h> 36 #include <linux/slab.h> 37 #include <linux/pagemap.h> 38 #include <linux/swap.h> 39 #include <linux/spinlock.h> 40 #include <linux/syscalls.h> 41 #include <linux/file.h> 42 #include <linux/namei.h> 43 #include <linux/mount.h> 44 #include <linux/ext2_fs.h> 45 #include <linux/proc_fs.h> 46 #include <linux/kd.h> 47 #include <linux/netfilter_ipv4.h> 48 #include <linux/netfilter_ipv6.h> 49 #include <linux/tty.h> 50 #include <net/icmp.h> 51 #include <net/ip.h> /* for local_port_range[] */ 52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 53 #include <net/net_namespace.h> 54 #include <net/netlabel.h> 55 #include <asm/uaccess.h> 56 #include <asm/ioctls.h> 57 #include <asm/atomic.h> 58 #include <linux/bitops.h> 59 #include <linux/interrupt.h> 60 #include <linux/netdevice.h> /* for network interface checks */ 61 #include <linux/netlink.h> 62 #include <linux/tcp.h> 63 #include <linux/udp.h> 64 #include <linux/dccp.h> 65 #include <linux/quota.h> 66 #include <linux/un.h> /* for Unix socket types */ 67 #include <net/af_unix.h> /* for Unix socket types */ 68 #include <linux/parser.h> 69 #include <linux/nfs_mount.h> 70 #include <net/ipv6.h> 71 #include <linux/hugetlb.h> 72 #include <linux/personality.h> 73 #include <linux/sysctl.h> 74 #include <linux/audit.h> 75 #include <linux/string.h> 76 #include <linux/selinux.h> 77 #include <linux/mutex.h> 78 79 #include "avc.h" 80 #include "objsec.h" 81 #include "netif.h" 82 #include "netnode.h" 83 #include "xfrm.h" 84 #include "netlabel.h" 85 86 #define XATTR_SELINUX_SUFFIX "selinux" 87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX 88 89 #define NUM_SEL_MNT_OPTS 4 90 91 extern unsigned int policydb_loaded_version; 92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); 93 extern int selinux_compat_net; 94 extern struct security_operations *security_ops; 95 96 /* SECMARK reference count */ 97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 98 99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 100 int selinux_enforcing = 0; 101 102 static int __init enforcing_setup(char *str) 103 { 104 selinux_enforcing = simple_strtol(str,NULL,0); 105 return 1; 106 } 107 __setup("enforcing=", enforcing_setup); 108 #endif 109 110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 112 113 static int __init selinux_enabled_setup(char *str) 114 { 115 selinux_enabled = simple_strtol(str, NULL, 0); 116 return 1; 117 } 118 __setup("selinux=", selinux_enabled_setup); 119 #else 120 int selinux_enabled = 1; 121 #endif 122 123 /* Original (dummy) security module. */ 124 static struct security_operations *original_ops = NULL; 125 126 /* Minimal support for a secondary security module, 127 just to allow the use of the dummy or capability modules. 128 The owlsm module can alternatively be used as a secondary 129 module as long as CONFIG_OWLSM_FD is not enabled. */ 130 static struct security_operations *secondary_ops = NULL; 131 132 /* Lists of inode and superblock security structures initialized 133 before the policy was loaded. */ 134 static LIST_HEAD(superblock_security_head); 135 static DEFINE_SPINLOCK(sb_security_lock); 136 137 static struct kmem_cache *sel_inode_cache; 138 139 /** 140 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 141 * 142 * Description: 143 * This function checks the SECMARK reference counter to see if any SECMARK 144 * targets are currently configured, if the reference counter is greater than 145 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 146 * enabled, false (0) if SECMARK is disabled. 147 * 148 */ 149 static int selinux_secmark_enabled(void) 150 { 151 return (atomic_read(&selinux_secmark_refcount) > 0); 152 } 153 154 /* Allocate and free functions for each kind of security blob. */ 155 156 static int task_alloc_security(struct task_struct *task) 157 { 158 struct task_security_struct *tsec; 159 160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 161 if (!tsec) 162 return -ENOMEM; 163 164 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED; 165 task->security = tsec; 166 167 return 0; 168 } 169 170 static void task_free_security(struct task_struct *task) 171 { 172 struct task_security_struct *tsec = task->security; 173 task->security = NULL; 174 kfree(tsec); 175 } 176 177 static int inode_alloc_security(struct inode *inode) 178 { 179 struct task_security_struct *tsec = current->security; 180 struct inode_security_struct *isec; 181 182 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 183 if (!isec) 184 return -ENOMEM; 185 186 mutex_init(&isec->lock); 187 INIT_LIST_HEAD(&isec->list); 188 isec->inode = inode; 189 isec->sid = SECINITSID_UNLABELED; 190 isec->sclass = SECCLASS_FILE; 191 isec->task_sid = tsec->sid; 192 inode->i_security = isec; 193 194 return 0; 195 } 196 197 static void inode_free_security(struct inode *inode) 198 { 199 struct inode_security_struct *isec = inode->i_security; 200 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 201 202 spin_lock(&sbsec->isec_lock); 203 if (!list_empty(&isec->list)) 204 list_del_init(&isec->list); 205 spin_unlock(&sbsec->isec_lock); 206 207 inode->i_security = NULL; 208 kmem_cache_free(sel_inode_cache, isec); 209 } 210 211 static int file_alloc_security(struct file *file) 212 { 213 struct task_security_struct *tsec = current->security; 214 struct file_security_struct *fsec; 215 216 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); 217 if (!fsec) 218 return -ENOMEM; 219 220 fsec->sid = tsec->sid; 221 fsec->fown_sid = tsec->sid; 222 file->f_security = fsec; 223 224 return 0; 225 } 226 227 static void file_free_security(struct file *file) 228 { 229 struct file_security_struct *fsec = file->f_security; 230 file->f_security = NULL; 231 kfree(fsec); 232 } 233 234 static int superblock_alloc_security(struct super_block *sb) 235 { 236 struct superblock_security_struct *sbsec; 237 238 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 239 if (!sbsec) 240 return -ENOMEM; 241 242 mutex_init(&sbsec->lock); 243 INIT_LIST_HEAD(&sbsec->list); 244 INIT_LIST_HEAD(&sbsec->isec_head); 245 spin_lock_init(&sbsec->isec_lock); 246 sbsec->sb = sb; 247 sbsec->sid = SECINITSID_UNLABELED; 248 sbsec->def_sid = SECINITSID_FILE; 249 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 250 sb->s_security = sbsec; 251 252 return 0; 253 } 254 255 static void superblock_free_security(struct super_block *sb) 256 { 257 struct superblock_security_struct *sbsec = sb->s_security; 258 259 spin_lock(&sb_security_lock); 260 if (!list_empty(&sbsec->list)) 261 list_del_init(&sbsec->list); 262 spin_unlock(&sb_security_lock); 263 264 sb->s_security = NULL; 265 kfree(sbsec); 266 } 267 268 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority) 269 { 270 struct sk_security_struct *ssec; 271 272 ssec = kzalloc(sizeof(*ssec), priority); 273 if (!ssec) 274 return -ENOMEM; 275 276 ssec->peer_sid = SECINITSID_UNLABELED; 277 ssec->sid = SECINITSID_UNLABELED; 278 sk->sk_security = ssec; 279 280 selinux_netlbl_sk_security_reset(ssec, family); 281 282 return 0; 283 } 284 285 static void sk_free_security(struct sock *sk) 286 { 287 struct sk_security_struct *ssec = sk->sk_security; 288 289 sk->sk_security = NULL; 290 kfree(ssec); 291 } 292 293 /* The security server must be initialized before 294 any labeling or access decisions can be provided. */ 295 extern int ss_initialized; 296 297 /* The file system's label must be initialized prior to use. */ 298 299 static char *labeling_behaviors[6] = { 300 "uses xattr", 301 "uses transition SIDs", 302 "uses task SIDs", 303 "uses genfs_contexts", 304 "not configured for labeling", 305 "uses mountpoint labeling", 306 }; 307 308 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 309 310 static inline int inode_doinit(struct inode *inode) 311 { 312 return inode_doinit_with_dentry(inode, NULL); 313 } 314 315 enum { 316 Opt_error = -1, 317 Opt_context = 1, 318 Opt_fscontext = 2, 319 Opt_defcontext = 3, 320 Opt_rootcontext = 4, 321 }; 322 323 static match_table_t tokens = { 324 {Opt_context, "context=%s"}, 325 {Opt_fscontext, "fscontext=%s"}, 326 {Opt_defcontext, "defcontext=%s"}, 327 {Opt_rootcontext, "rootcontext=%s"}, 328 {Opt_error, NULL}, 329 }; 330 331 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 332 333 static int may_context_mount_sb_relabel(u32 sid, 334 struct superblock_security_struct *sbsec, 335 struct task_security_struct *tsec) 336 { 337 int rc; 338 339 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 340 FILESYSTEM__RELABELFROM, NULL); 341 if (rc) 342 return rc; 343 344 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 345 FILESYSTEM__RELABELTO, NULL); 346 return rc; 347 } 348 349 static int may_context_mount_inode_relabel(u32 sid, 350 struct superblock_security_struct *sbsec, 351 struct task_security_struct *tsec) 352 { 353 int rc; 354 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 355 FILESYSTEM__RELABELFROM, NULL); 356 if (rc) 357 return rc; 358 359 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 360 FILESYSTEM__ASSOCIATE, NULL); 361 return rc; 362 } 363 364 static int sb_finish_set_opts(struct super_block *sb) 365 { 366 struct superblock_security_struct *sbsec = sb->s_security; 367 struct dentry *root = sb->s_root; 368 struct inode *root_inode = root->d_inode; 369 int rc = 0; 370 371 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 372 /* Make sure that the xattr handler exists and that no 373 error other than -ENODATA is returned by getxattr on 374 the root directory. -ENODATA is ok, as this may be 375 the first boot of the SELinux kernel before we have 376 assigned xattr values to the filesystem. */ 377 if (!root_inode->i_op->getxattr) { 378 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 379 "xattr support\n", sb->s_id, sb->s_type->name); 380 rc = -EOPNOTSUPP; 381 goto out; 382 } 383 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0); 384 if (rc < 0 && rc != -ENODATA) { 385 if (rc == -EOPNOTSUPP) 386 printk(KERN_WARNING "SELinux: (dev %s, type " 387 "%s) has no security xattr handler\n", 388 sb->s_id, sb->s_type->name); 389 else 390 printk(KERN_WARNING "SELinux: (dev %s, type " 391 "%s) getxattr errno %d\n", sb->s_id, 392 sb->s_type->name, -rc); 393 goto out; 394 } 395 } 396 397 sbsec->initialized = 1; 398 399 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) 400 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", 401 sb->s_id, sb->s_type->name); 402 else 403 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n", 404 sb->s_id, sb->s_type->name, 405 labeling_behaviors[sbsec->behavior-1]); 406 407 /* Initialize the root inode. */ 408 rc = inode_doinit_with_dentry(root_inode, root); 409 410 /* Initialize any other inodes associated with the superblock, e.g. 411 inodes created prior to initial policy load or inodes created 412 during get_sb by a pseudo filesystem that directly 413 populates itself. */ 414 spin_lock(&sbsec->isec_lock); 415 next_inode: 416 if (!list_empty(&sbsec->isec_head)) { 417 struct inode_security_struct *isec = 418 list_entry(sbsec->isec_head.next, 419 struct inode_security_struct, list); 420 struct inode *inode = isec->inode; 421 spin_unlock(&sbsec->isec_lock); 422 inode = igrab(inode); 423 if (inode) { 424 if (!IS_PRIVATE(inode)) 425 inode_doinit(inode); 426 iput(inode); 427 } 428 spin_lock(&sbsec->isec_lock); 429 list_del_init(&isec->list); 430 goto next_inode; 431 } 432 spin_unlock(&sbsec->isec_lock); 433 out: 434 return rc; 435 } 436 437 /* 438 * This function should allow an FS to ask what it's mount security 439 * options were so it can use those later for submounts, displaying 440 * mount options, or whatever. 441 */ 442 static int selinux_get_mnt_opts(const struct super_block *sb, 443 struct security_mnt_opts *opts) 444 { 445 int rc = 0, i; 446 struct superblock_security_struct *sbsec = sb->s_security; 447 char *context = NULL; 448 u32 len; 449 char tmp; 450 451 security_init_mnt_opts(opts); 452 453 if (!sbsec->initialized) 454 return -EINVAL; 455 456 if (!ss_initialized) 457 return -EINVAL; 458 459 /* 460 * if we ever use sbsec flags for anything other than tracking mount 461 * settings this is going to need a mask 462 */ 463 tmp = sbsec->flags; 464 /* count the number of mount options for this sb */ 465 for (i = 0; i < 8; i++) { 466 if (tmp & 0x01) 467 opts->num_mnt_opts++; 468 tmp >>= 1; 469 } 470 471 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 472 if (!opts->mnt_opts) { 473 rc = -ENOMEM; 474 goto out_free; 475 } 476 477 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); 478 if (!opts->mnt_opts_flags) { 479 rc = -ENOMEM; 480 goto out_free; 481 } 482 483 i = 0; 484 if (sbsec->flags & FSCONTEXT_MNT) { 485 rc = security_sid_to_context(sbsec->sid, &context, &len); 486 if (rc) 487 goto out_free; 488 opts->mnt_opts[i] = context; 489 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 490 } 491 if (sbsec->flags & CONTEXT_MNT) { 492 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); 493 if (rc) 494 goto out_free; 495 opts->mnt_opts[i] = context; 496 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 497 } 498 if (sbsec->flags & DEFCONTEXT_MNT) { 499 rc = security_sid_to_context(sbsec->def_sid, &context, &len); 500 if (rc) 501 goto out_free; 502 opts->mnt_opts[i] = context; 503 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 504 } 505 if (sbsec->flags & ROOTCONTEXT_MNT) { 506 struct inode *root = sbsec->sb->s_root->d_inode; 507 struct inode_security_struct *isec = root->i_security; 508 509 rc = security_sid_to_context(isec->sid, &context, &len); 510 if (rc) 511 goto out_free; 512 opts->mnt_opts[i] = context; 513 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 514 } 515 516 BUG_ON(i != opts->num_mnt_opts); 517 518 return 0; 519 520 out_free: 521 security_free_mnt_opts(opts); 522 return rc; 523 } 524 525 static int bad_option(struct superblock_security_struct *sbsec, char flag, 526 u32 old_sid, u32 new_sid) 527 { 528 /* check if the old mount command had the same options */ 529 if (sbsec->initialized) 530 if (!(sbsec->flags & flag) || 531 (old_sid != new_sid)) 532 return 1; 533 534 /* check if we were passed the same options twice, 535 * aka someone passed context=a,context=b 536 */ 537 if (!sbsec->initialized) 538 if (sbsec->flags & flag) 539 return 1; 540 return 0; 541 } 542 543 /* 544 * Allow filesystems with binary mount data to explicitly set mount point 545 * labeling information. 546 */ 547 static int selinux_set_mnt_opts(struct super_block *sb, 548 struct security_mnt_opts *opts) 549 { 550 int rc = 0, i; 551 struct task_security_struct *tsec = current->security; 552 struct superblock_security_struct *sbsec = sb->s_security; 553 const char *name = sb->s_type->name; 554 struct inode *inode = sbsec->sb->s_root->d_inode; 555 struct inode_security_struct *root_isec = inode->i_security; 556 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 557 u32 defcontext_sid = 0; 558 char **mount_options = opts->mnt_opts; 559 int *flags = opts->mnt_opts_flags; 560 int num_opts = opts->num_mnt_opts; 561 562 mutex_lock(&sbsec->lock); 563 564 if (!ss_initialized) { 565 if (!num_opts) { 566 /* Defer initialization until selinux_complete_init, 567 after the initial policy is loaded and the security 568 server is ready to handle calls. */ 569 spin_lock(&sb_security_lock); 570 if (list_empty(&sbsec->list)) 571 list_add(&sbsec->list, &superblock_security_head); 572 spin_unlock(&sb_security_lock); 573 goto out; 574 } 575 rc = -EINVAL; 576 printk(KERN_WARNING "Unable to set superblock options before " 577 "the security server is initialized\n"); 578 goto out; 579 } 580 581 /* 582 * Binary mount data FS will come through this function twice. Once 583 * from an explicit call and once from the generic calls from the vfs. 584 * Since the generic VFS calls will not contain any security mount data 585 * we need to skip the double mount verification. 586 * 587 * This does open a hole in which we will not notice if the first 588 * mount using this sb set explict options and a second mount using 589 * this sb does not set any security options. (The first options 590 * will be used for both mounts) 591 */ 592 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 593 && (num_opts == 0)) 594 goto out; 595 596 /* 597 * parse the mount options, check if they are valid sids. 598 * also check if someone is trying to mount the same sb more 599 * than once with different security options. 600 */ 601 for (i = 0; i < num_opts; i++) { 602 u32 sid; 603 rc = security_context_to_sid(mount_options[i], 604 strlen(mount_options[i]), &sid); 605 if (rc) { 606 printk(KERN_WARNING "SELinux: security_context_to_sid" 607 "(%s) failed for (dev %s, type %s) errno=%d\n", 608 mount_options[i], sb->s_id, name, rc); 609 goto out; 610 } 611 switch (flags[i]) { 612 case FSCONTEXT_MNT: 613 fscontext_sid = sid; 614 615 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 616 fscontext_sid)) 617 goto out_double_mount; 618 619 sbsec->flags |= FSCONTEXT_MNT; 620 break; 621 case CONTEXT_MNT: 622 context_sid = sid; 623 624 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 625 context_sid)) 626 goto out_double_mount; 627 628 sbsec->flags |= CONTEXT_MNT; 629 break; 630 case ROOTCONTEXT_MNT: 631 rootcontext_sid = sid; 632 633 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 634 rootcontext_sid)) 635 goto out_double_mount; 636 637 sbsec->flags |= ROOTCONTEXT_MNT; 638 639 break; 640 case DEFCONTEXT_MNT: 641 defcontext_sid = sid; 642 643 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 644 defcontext_sid)) 645 goto out_double_mount; 646 647 sbsec->flags |= DEFCONTEXT_MNT; 648 649 break; 650 default: 651 rc = -EINVAL; 652 goto out; 653 } 654 } 655 656 if (sbsec->initialized) { 657 /* previously mounted with options, but not on this attempt? */ 658 if (sbsec->flags && !num_opts) 659 goto out_double_mount; 660 rc = 0; 661 goto out; 662 } 663 664 if (strcmp(sb->s_type->name, "proc") == 0) 665 sbsec->proc = 1; 666 667 /* Determine the labeling behavior to use for this filesystem type. */ 668 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid); 669 if (rc) { 670 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", 671 __FUNCTION__, sb->s_type->name, rc); 672 goto out; 673 } 674 675 /* sets the context of the superblock for the fs being mounted. */ 676 if (fscontext_sid) { 677 678 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec); 679 if (rc) 680 goto out; 681 682 sbsec->sid = fscontext_sid; 683 } 684 685 /* 686 * Switch to using mount point labeling behavior. 687 * sets the label used on all file below the mountpoint, and will set 688 * the superblock context if not already set. 689 */ 690 if (context_sid) { 691 if (!fscontext_sid) { 692 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec); 693 if (rc) 694 goto out; 695 sbsec->sid = context_sid; 696 } else { 697 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec); 698 if (rc) 699 goto out; 700 } 701 if (!rootcontext_sid) 702 rootcontext_sid = context_sid; 703 704 sbsec->mntpoint_sid = context_sid; 705 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 706 } 707 708 if (rootcontext_sid) { 709 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec); 710 if (rc) 711 goto out; 712 713 root_isec->sid = rootcontext_sid; 714 root_isec->initialized = 1; 715 } 716 717 if (defcontext_sid) { 718 if (sbsec->behavior != SECURITY_FS_USE_XATTR) { 719 rc = -EINVAL; 720 printk(KERN_WARNING "SELinux: defcontext option is " 721 "invalid for this filesystem type\n"); 722 goto out; 723 } 724 725 if (defcontext_sid != sbsec->def_sid) { 726 rc = may_context_mount_inode_relabel(defcontext_sid, 727 sbsec, tsec); 728 if (rc) 729 goto out; 730 } 731 732 sbsec->def_sid = defcontext_sid; 733 } 734 735 rc = sb_finish_set_opts(sb); 736 out: 737 mutex_unlock(&sbsec->lock); 738 return rc; 739 out_double_mount: 740 rc = -EINVAL; 741 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 742 "security settings for (dev %s, type %s)\n", sb->s_id, name); 743 goto out; 744 } 745 746 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 747 struct super_block *newsb) 748 { 749 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 750 struct superblock_security_struct *newsbsec = newsb->s_security; 751 752 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 753 int set_context = (oldsbsec->flags & CONTEXT_MNT); 754 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 755 756 /* we can't error, we can't save the info, this shouldn't get called 757 * this early in the boot process. */ 758 BUG_ON(!ss_initialized); 759 760 /* how can we clone if the old one wasn't set up?? */ 761 BUG_ON(!oldsbsec->initialized); 762 763 /* if fs is reusing a sb, just let its options stand... */ 764 if (newsbsec->initialized) 765 return; 766 767 mutex_lock(&newsbsec->lock); 768 769 newsbsec->flags = oldsbsec->flags; 770 771 newsbsec->sid = oldsbsec->sid; 772 newsbsec->def_sid = oldsbsec->def_sid; 773 newsbsec->behavior = oldsbsec->behavior; 774 775 if (set_context) { 776 u32 sid = oldsbsec->mntpoint_sid; 777 778 if (!set_fscontext) 779 newsbsec->sid = sid; 780 if (!set_rootcontext) { 781 struct inode *newinode = newsb->s_root->d_inode; 782 struct inode_security_struct *newisec = newinode->i_security; 783 newisec->sid = sid; 784 } 785 newsbsec->mntpoint_sid = sid; 786 } 787 if (set_rootcontext) { 788 const struct inode *oldinode = oldsb->s_root->d_inode; 789 const struct inode_security_struct *oldisec = oldinode->i_security; 790 struct inode *newinode = newsb->s_root->d_inode; 791 struct inode_security_struct *newisec = newinode->i_security; 792 793 newisec->sid = oldisec->sid; 794 } 795 796 sb_finish_set_opts(newsb); 797 mutex_unlock(&newsbsec->lock); 798 } 799 800 static int selinux_parse_opts_str(char *options, 801 struct security_mnt_opts *opts) 802 { 803 char *p; 804 char *context = NULL, *defcontext = NULL; 805 char *fscontext = NULL, *rootcontext = NULL; 806 int rc, num_mnt_opts = 0; 807 808 opts->num_mnt_opts = 0; 809 810 /* Standard string-based options. */ 811 while ((p = strsep(&options, "|")) != NULL) { 812 int token; 813 substring_t args[MAX_OPT_ARGS]; 814 815 if (!*p) 816 continue; 817 818 token = match_token(p, tokens, args); 819 820 switch (token) { 821 case Opt_context: 822 if (context || defcontext) { 823 rc = -EINVAL; 824 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 825 goto out_err; 826 } 827 context = match_strdup(&args[0]); 828 if (!context) { 829 rc = -ENOMEM; 830 goto out_err; 831 } 832 break; 833 834 case Opt_fscontext: 835 if (fscontext) { 836 rc = -EINVAL; 837 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 838 goto out_err; 839 } 840 fscontext = match_strdup(&args[0]); 841 if (!fscontext) { 842 rc = -ENOMEM; 843 goto out_err; 844 } 845 break; 846 847 case Opt_rootcontext: 848 if (rootcontext) { 849 rc = -EINVAL; 850 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 851 goto out_err; 852 } 853 rootcontext = match_strdup(&args[0]); 854 if (!rootcontext) { 855 rc = -ENOMEM; 856 goto out_err; 857 } 858 break; 859 860 case Opt_defcontext: 861 if (context || defcontext) { 862 rc = -EINVAL; 863 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 864 goto out_err; 865 } 866 defcontext = match_strdup(&args[0]); 867 if (!defcontext) { 868 rc = -ENOMEM; 869 goto out_err; 870 } 871 break; 872 873 default: 874 rc = -EINVAL; 875 printk(KERN_WARNING "SELinux: unknown mount option\n"); 876 goto out_err; 877 878 } 879 } 880 881 rc = -ENOMEM; 882 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC); 883 if (!opts->mnt_opts) 884 goto out_err; 885 886 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC); 887 if (!opts->mnt_opts_flags) { 888 kfree(opts->mnt_opts); 889 goto out_err; 890 } 891 892 if (fscontext) { 893 opts->mnt_opts[num_mnt_opts] = fscontext; 894 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 895 } 896 if (context) { 897 opts->mnt_opts[num_mnt_opts] = context; 898 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 899 } 900 if (rootcontext) { 901 opts->mnt_opts[num_mnt_opts] = rootcontext; 902 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 903 } 904 if (defcontext) { 905 opts->mnt_opts[num_mnt_opts] = defcontext; 906 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 907 } 908 909 opts->num_mnt_opts = num_mnt_opts; 910 return 0; 911 912 out_err: 913 kfree(context); 914 kfree(defcontext); 915 kfree(fscontext); 916 kfree(rootcontext); 917 return rc; 918 } 919 /* 920 * string mount options parsing and call set the sbsec 921 */ 922 static int superblock_doinit(struct super_block *sb, void *data) 923 { 924 int rc = 0; 925 char *options = data; 926 struct security_mnt_opts opts; 927 928 security_init_mnt_opts(&opts); 929 930 if (!data) 931 goto out; 932 933 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); 934 935 rc = selinux_parse_opts_str(options, &opts); 936 if (rc) 937 goto out_err; 938 939 out: 940 rc = selinux_set_mnt_opts(sb, &opts); 941 942 out_err: 943 security_free_mnt_opts(&opts); 944 return rc; 945 } 946 947 static inline u16 inode_mode_to_security_class(umode_t mode) 948 { 949 switch (mode & S_IFMT) { 950 case S_IFSOCK: 951 return SECCLASS_SOCK_FILE; 952 case S_IFLNK: 953 return SECCLASS_LNK_FILE; 954 case S_IFREG: 955 return SECCLASS_FILE; 956 case S_IFBLK: 957 return SECCLASS_BLK_FILE; 958 case S_IFDIR: 959 return SECCLASS_DIR; 960 case S_IFCHR: 961 return SECCLASS_CHR_FILE; 962 case S_IFIFO: 963 return SECCLASS_FIFO_FILE; 964 965 } 966 967 return SECCLASS_FILE; 968 } 969 970 static inline int default_protocol_stream(int protocol) 971 { 972 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 973 } 974 975 static inline int default_protocol_dgram(int protocol) 976 { 977 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 978 } 979 980 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 981 { 982 switch (family) { 983 case PF_UNIX: 984 switch (type) { 985 case SOCK_STREAM: 986 case SOCK_SEQPACKET: 987 return SECCLASS_UNIX_STREAM_SOCKET; 988 case SOCK_DGRAM: 989 return SECCLASS_UNIX_DGRAM_SOCKET; 990 } 991 break; 992 case PF_INET: 993 case PF_INET6: 994 switch (type) { 995 case SOCK_STREAM: 996 if (default_protocol_stream(protocol)) 997 return SECCLASS_TCP_SOCKET; 998 else 999 return SECCLASS_RAWIP_SOCKET; 1000 case SOCK_DGRAM: 1001 if (default_protocol_dgram(protocol)) 1002 return SECCLASS_UDP_SOCKET; 1003 else 1004 return SECCLASS_RAWIP_SOCKET; 1005 case SOCK_DCCP: 1006 return SECCLASS_DCCP_SOCKET; 1007 default: 1008 return SECCLASS_RAWIP_SOCKET; 1009 } 1010 break; 1011 case PF_NETLINK: 1012 switch (protocol) { 1013 case NETLINK_ROUTE: 1014 return SECCLASS_NETLINK_ROUTE_SOCKET; 1015 case NETLINK_FIREWALL: 1016 return SECCLASS_NETLINK_FIREWALL_SOCKET; 1017 case NETLINK_INET_DIAG: 1018 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1019 case NETLINK_NFLOG: 1020 return SECCLASS_NETLINK_NFLOG_SOCKET; 1021 case NETLINK_XFRM: 1022 return SECCLASS_NETLINK_XFRM_SOCKET; 1023 case NETLINK_SELINUX: 1024 return SECCLASS_NETLINK_SELINUX_SOCKET; 1025 case NETLINK_AUDIT: 1026 return SECCLASS_NETLINK_AUDIT_SOCKET; 1027 case NETLINK_IP6_FW: 1028 return SECCLASS_NETLINK_IP6FW_SOCKET; 1029 case NETLINK_DNRTMSG: 1030 return SECCLASS_NETLINK_DNRT_SOCKET; 1031 case NETLINK_KOBJECT_UEVENT: 1032 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1033 default: 1034 return SECCLASS_NETLINK_SOCKET; 1035 } 1036 case PF_PACKET: 1037 return SECCLASS_PACKET_SOCKET; 1038 case PF_KEY: 1039 return SECCLASS_KEY_SOCKET; 1040 case PF_APPLETALK: 1041 return SECCLASS_APPLETALK_SOCKET; 1042 } 1043 1044 return SECCLASS_SOCKET; 1045 } 1046 1047 #ifdef CONFIG_PROC_FS 1048 static int selinux_proc_get_sid(struct proc_dir_entry *de, 1049 u16 tclass, 1050 u32 *sid) 1051 { 1052 int buflen, rc; 1053 char *buffer, *path, *end; 1054 1055 buffer = (char*)__get_free_page(GFP_KERNEL); 1056 if (!buffer) 1057 return -ENOMEM; 1058 1059 buflen = PAGE_SIZE; 1060 end = buffer+buflen; 1061 *--end = '\0'; 1062 buflen--; 1063 path = end-1; 1064 *path = '/'; 1065 while (de && de != de->parent) { 1066 buflen -= de->namelen + 1; 1067 if (buflen < 0) 1068 break; 1069 end -= de->namelen; 1070 memcpy(end, de->name, de->namelen); 1071 *--end = '/'; 1072 path = end; 1073 de = de->parent; 1074 } 1075 rc = security_genfs_sid("proc", path, tclass, sid); 1076 free_page((unsigned long)buffer); 1077 return rc; 1078 } 1079 #else 1080 static int selinux_proc_get_sid(struct proc_dir_entry *de, 1081 u16 tclass, 1082 u32 *sid) 1083 { 1084 return -EINVAL; 1085 } 1086 #endif 1087 1088 /* The inode's security attributes must be initialized before first use. */ 1089 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1090 { 1091 struct superblock_security_struct *sbsec = NULL; 1092 struct inode_security_struct *isec = inode->i_security; 1093 u32 sid; 1094 struct dentry *dentry; 1095 #define INITCONTEXTLEN 255 1096 char *context = NULL; 1097 unsigned len = 0; 1098 int rc = 0; 1099 1100 if (isec->initialized) 1101 goto out; 1102 1103 mutex_lock(&isec->lock); 1104 if (isec->initialized) 1105 goto out_unlock; 1106 1107 sbsec = inode->i_sb->s_security; 1108 if (!sbsec->initialized) { 1109 /* Defer initialization until selinux_complete_init, 1110 after the initial policy is loaded and the security 1111 server is ready to handle calls. */ 1112 spin_lock(&sbsec->isec_lock); 1113 if (list_empty(&isec->list)) 1114 list_add(&isec->list, &sbsec->isec_head); 1115 spin_unlock(&sbsec->isec_lock); 1116 goto out_unlock; 1117 } 1118 1119 switch (sbsec->behavior) { 1120 case SECURITY_FS_USE_XATTR: 1121 if (!inode->i_op->getxattr) { 1122 isec->sid = sbsec->def_sid; 1123 break; 1124 } 1125 1126 /* Need a dentry, since the xattr API requires one. 1127 Life would be simpler if we could just pass the inode. */ 1128 if (opt_dentry) { 1129 /* Called from d_instantiate or d_splice_alias. */ 1130 dentry = dget(opt_dentry); 1131 } else { 1132 /* Called from selinux_complete_init, try to find a dentry. */ 1133 dentry = d_find_alias(inode); 1134 } 1135 if (!dentry) { 1136 printk(KERN_WARNING "%s: no dentry for dev=%s " 1137 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id, 1138 inode->i_ino); 1139 goto out_unlock; 1140 } 1141 1142 len = INITCONTEXTLEN; 1143 context = kmalloc(len, GFP_NOFS); 1144 if (!context) { 1145 rc = -ENOMEM; 1146 dput(dentry); 1147 goto out_unlock; 1148 } 1149 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1150 context, len); 1151 if (rc == -ERANGE) { 1152 /* Need a larger buffer. Query for the right size. */ 1153 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1154 NULL, 0); 1155 if (rc < 0) { 1156 dput(dentry); 1157 goto out_unlock; 1158 } 1159 kfree(context); 1160 len = rc; 1161 context = kmalloc(len, GFP_NOFS); 1162 if (!context) { 1163 rc = -ENOMEM; 1164 dput(dentry); 1165 goto out_unlock; 1166 } 1167 rc = inode->i_op->getxattr(dentry, 1168 XATTR_NAME_SELINUX, 1169 context, len); 1170 } 1171 dput(dentry); 1172 if (rc < 0) { 1173 if (rc != -ENODATA) { 1174 printk(KERN_WARNING "%s: getxattr returned " 1175 "%d for dev=%s ino=%ld\n", __FUNCTION__, 1176 -rc, inode->i_sb->s_id, inode->i_ino); 1177 kfree(context); 1178 goto out_unlock; 1179 } 1180 /* Map ENODATA to the default file SID */ 1181 sid = sbsec->def_sid; 1182 rc = 0; 1183 } else { 1184 rc = security_context_to_sid_default(context, rc, &sid, 1185 sbsec->def_sid, 1186 GFP_NOFS); 1187 if (rc) { 1188 printk(KERN_WARNING "%s: context_to_sid(%s) " 1189 "returned %d for dev=%s ino=%ld\n", 1190 __FUNCTION__, context, -rc, 1191 inode->i_sb->s_id, inode->i_ino); 1192 kfree(context); 1193 /* Leave with the unlabeled SID */ 1194 rc = 0; 1195 break; 1196 } 1197 } 1198 kfree(context); 1199 isec->sid = sid; 1200 break; 1201 case SECURITY_FS_USE_TASK: 1202 isec->sid = isec->task_sid; 1203 break; 1204 case SECURITY_FS_USE_TRANS: 1205 /* Default to the fs SID. */ 1206 isec->sid = sbsec->sid; 1207 1208 /* Try to obtain a transition SID. */ 1209 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1210 rc = security_transition_sid(isec->task_sid, 1211 sbsec->sid, 1212 isec->sclass, 1213 &sid); 1214 if (rc) 1215 goto out_unlock; 1216 isec->sid = sid; 1217 break; 1218 case SECURITY_FS_USE_MNTPOINT: 1219 isec->sid = sbsec->mntpoint_sid; 1220 break; 1221 default: 1222 /* Default to the fs superblock SID. */ 1223 isec->sid = sbsec->sid; 1224 1225 if (sbsec->proc) { 1226 struct proc_inode *proci = PROC_I(inode); 1227 if (proci->pde) { 1228 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1229 rc = selinux_proc_get_sid(proci->pde, 1230 isec->sclass, 1231 &sid); 1232 if (rc) 1233 goto out_unlock; 1234 isec->sid = sid; 1235 } 1236 } 1237 break; 1238 } 1239 1240 isec->initialized = 1; 1241 1242 out_unlock: 1243 mutex_unlock(&isec->lock); 1244 out: 1245 if (isec->sclass == SECCLASS_FILE) 1246 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1247 return rc; 1248 } 1249 1250 /* Convert a Linux signal to an access vector. */ 1251 static inline u32 signal_to_av(int sig) 1252 { 1253 u32 perm = 0; 1254 1255 switch (sig) { 1256 case SIGCHLD: 1257 /* Commonly granted from child to parent. */ 1258 perm = PROCESS__SIGCHLD; 1259 break; 1260 case SIGKILL: 1261 /* Cannot be caught or ignored */ 1262 perm = PROCESS__SIGKILL; 1263 break; 1264 case SIGSTOP: 1265 /* Cannot be caught or ignored */ 1266 perm = PROCESS__SIGSTOP; 1267 break; 1268 default: 1269 /* All other signals. */ 1270 perm = PROCESS__SIGNAL; 1271 break; 1272 } 1273 1274 return perm; 1275 } 1276 1277 /* Check permission betweeen a pair of tasks, e.g. signal checks, 1278 fork check, ptrace check, etc. */ 1279 static int task_has_perm(struct task_struct *tsk1, 1280 struct task_struct *tsk2, 1281 u32 perms) 1282 { 1283 struct task_security_struct *tsec1, *tsec2; 1284 1285 tsec1 = tsk1->security; 1286 tsec2 = tsk2->security; 1287 return avc_has_perm(tsec1->sid, tsec2->sid, 1288 SECCLASS_PROCESS, perms, NULL); 1289 } 1290 1291 #if CAP_LAST_CAP > 63 1292 #error Fix SELinux to handle capabilities > 63. 1293 #endif 1294 1295 /* Check whether a task is allowed to use a capability. */ 1296 static int task_has_capability(struct task_struct *tsk, 1297 int cap) 1298 { 1299 struct task_security_struct *tsec; 1300 struct avc_audit_data ad; 1301 u16 sclass; 1302 u32 av = CAP_TO_MASK(cap); 1303 1304 tsec = tsk->security; 1305 1306 AVC_AUDIT_DATA_INIT(&ad,CAP); 1307 ad.tsk = tsk; 1308 ad.u.cap = cap; 1309 1310 switch (CAP_TO_INDEX(cap)) { 1311 case 0: 1312 sclass = SECCLASS_CAPABILITY; 1313 break; 1314 case 1: 1315 sclass = SECCLASS_CAPABILITY2; 1316 break; 1317 default: 1318 printk(KERN_ERR 1319 "SELinux: out of range capability %d\n", cap); 1320 BUG(); 1321 } 1322 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad); 1323 } 1324 1325 /* Check whether a task is allowed to use a system operation. */ 1326 static int task_has_system(struct task_struct *tsk, 1327 u32 perms) 1328 { 1329 struct task_security_struct *tsec; 1330 1331 tsec = tsk->security; 1332 1333 return avc_has_perm(tsec->sid, SECINITSID_KERNEL, 1334 SECCLASS_SYSTEM, perms, NULL); 1335 } 1336 1337 /* Check whether a task has a particular permission to an inode. 1338 The 'adp' parameter is optional and allows other audit 1339 data to be passed (e.g. the dentry). */ 1340 static int inode_has_perm(struct task_struct *tsk, 1341 struct inode *inode, 1342 u32 perms, 1343 struct avc_audit_data *adp) 1344 { 1345 struct task_security_struct *tsec; 1346 struct inode_security_struct *isec; 1347 struct avc_audit_data ad; 1348 1349 if (unlikely (IS_PRIVATE (inode))) 1350 return 0; 1351 1352 tsec = tsk->security; 1353 isec = inode->i_security; 1354 1355 if (!adp) { 1356 adp = &ad; 1357 AVC_AUDIT_DATA_INIT(&ad, FS); 1358 ad.u.fs.inode = inode; 1359 } 1360 1361 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp); 1362 } 1363 1364 /* Same as inode_has_perm, but pass explicit audit data containing 1365 the dentry to help the auditing code to more easily generate the 1366 pathname if needed. */ 1367 static inline int dentry_has_perm(struct task_struct *tsk, 1368 struct vfsmount *mnt, 1369 struct dentry *dentry, 1370 u32 av) 1371 { 1372 struct inode *inode = dentry->d_inode; 1373 struct avc_audit_data ad; 1374 AVC_AUDIT_DATA_INIT(&ad,FS); 1375 ad.u.fs.path.mnt = mnt; 1376 ad.u.fs.path.dentry = dentry; 1377 return inode_has_perm(tsk, inode, av, &ad); 1378 } 1379 1380 /* Check whether a task can use an open file descriptor to 1381 access an inode in a given way. Check access to the 1382 descriptor itself, and then use dentry_has_perm to 1383 check a particular permission to the file. 1384 Access to the descriptor is implicitly granted if it 1385 has the same SID as the process. If av is zero, then 1386 access to the file is not checked, e.g. for cases 1387 where only the descriptor is affected like seek. */ 1388 static int file_has_perm(struct task_struct *tsk, 1389 struct file *file, 1390 u32 av) 1391 { 1392 struct task_security_struct *tsec = tsk->security; 1393 struct file_security_struct *fsec = file->f_security; 1394 struct inode *inode = file->f_path.dentry->d_inode; 1395 struct avc_audit_data ad; 1396 int rc; 1397 1398 AVC_AUDIT_DATA_INIT(&ad, FS); 1399 ad.u.fs.path = file->f_path; 1400 1401 if (tsec->sid != fsec->sid) { 1402 rc = avc_has_perm(tsec->sid, fsec->sid, 1403 SECCLASS_FD, 1404 FD__USE, 1405 &ad); 1406 if (rc) 1407 return rc; 1408 } 1409 1410 /* av is zero if only checking access to the descriptor. */ 1411 if (av) 1412 return inode_has_perm(tsk, inode, av, &ad); 1413 1414 return 0; 1415 } 1416 1417 /* Check whether a task can create a file. */ 1418 static int may_create(struct inode *dir, 1419 struct dentry *dentry, 1420 u16 tclass) 1421 { 1422 struct task_security_struct *tsec; 1423 struct inode_security_struct *dsec; 1424 struct superblock_security_struct *sbsec; 1425 u32 newsid; 1426 struct avc_audit_data ad; 1427 int rc; 1428 1429 tsec = current->security; 1430 dsec = dir->i_security; 1431 sbsec = dir->i_sb->s_security; 1432 1433 AVC_AUDIT_DATA_INIT(&ad, FS); 1434 ad.u.fs.path.dentry = dentry; 1435 1436 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, 1437 DIR__ADD_NAME | DIR__SEARCH, 1438 &ad); 1439 if (rc) 1440 return rc; 1441 1442 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 1443 newsid = tsec->create_sid; 1444 } else { 1445 rc = security_transition_sid(tsec->sid, dsec->sid, tclass, 1446 &newsid); 1447 if (rc) 1448 return rc; 1449 } 1450 1451 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad); 1452 if (rc) 1453 return rc; 1454 1455 return avc_has_perm(newsid, sbsec->sid, 1456 SECCLASS_FILESYSTEM, 1457 FILESYSTEM__ASSOCIATE, &ad); 1458 } 1459 1460 /* Check whether a task can create a key. */ 1461 static int may_create_key(u32 ksid, 1462 struct task_struct *ctx) 1463 { 1464 struct task_security_struct *tsec; 1465 1466 tsec = ctx->security; 1467 1468 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); 1469 } 1470 1471 #define MAY_LINK 0 1472 #define MAY_UNLINK 1 1473 #define MAY_RMDIR 2 1474 1475 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1476 static int may_link(struct inode *dir, 1477 struct dentry *dentry, 1478 int kind) 1479 1480 { 1481 struct task_security_struct *tsec; 1482 struct inode_security_struct *dsec, *isec; 1483 struct avc_audit_data ad; 1484 u32 av; 1485 int rc; 1486 1487 tsec = current->security; 1488 dsec = dir->i_security; 1489 isec = dentry->d_inode->i_security; 1490 1491 AVC_AUDIT_DATA_INIT(&ad, FS); 1492 ad.u.fs.path.dentry = dentry; 1493 1494 av = DIR__SEARCH; 1495 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1496 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad); 1497 if (rc) 1498 return rc; 1499 1500 switch (kind) { 1501 case MAY_LINK: 1502 av = FILE__LINK; 1503 break; 1504 case MAY_UNLINK: 1505 av = FILE__UNLINK; 1506 break; 1507 case MAY_RMDIR: 1508 av = DIR__RMDIR; 1509 break; 1510 default: 1511 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind); 1512 return 0; 1513 } 1514 1515 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad); 1516 return rc; 1517 } 1518 1519 static inline int may_rename(struct inode *old_dir, 1520 struct dentry *old_dentry, 1521 struct inode *new_dir, 1522 struct dentry *new_dentry) 1523 { 1524 struct task_security_struct *tsec; 1525 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1526 struct avc_audit_data ad; 1527 u32 av; 1528 int old_is_dir, new_is_dir; 1529 int rc; 1530 1531 tsec = current->security; 1532 old_dsec = old_dir->i_security; 1533 old_isec = old_dentry->d_inode->i_security; 1534 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); 1535 new_dsec = new_dir->i_security; 1536 1537 AVC_AUDIT_DATA_INIT(&ad, FS); 1538 1539 ad.u.fs.path.dentry = old_dentry; 1540 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR, 1541 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1542 if (rc) 1543 return rc; 1544 rc = avc_has_perm(tsec->sid, old_isec->sid, 1545 old_isec->sclass, FILE__RENAME, &ad); 1546 if (rc) 1547 return rc; 1548 if (old_is_dir && new_dir != old_dir) { 1549 rc = avc_has_perm(tsec->sid, old_isec->sid, 1550 old_isec->sclass, DIR__REPARENT, &ad); 1551 if (rc) 1552 return rc; 1553 } 1554 1555 ad.u.fs.path.dentry = new_dentry; 1556 av = DIR__ADD_NAME | DIR__SEARCH; 1557 if (new_dentry->d_inode) 1558 av |= DIR__REMOVE_NAME; 1559 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1560 if (rc) 1561 return rc; 1562 if (new_dentry->d_inode) { 1563 new_isec = new_dentry->d_inode->i_security; 1564 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode); 1565 rc = avc_has_perm(tsec->sid, new_isec->sid, 1566 new_isec->sclass, 1567 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1568 if (rc) 1569 return rc; 1570 } 1571 1572 return 0; 1573 } 1574 1575 /* Check whether a task can perform a filesystem operation. */ 1576 static int superblock_has_perm(struct task_struct *tsk, 1577 struct super_block *sb, 1578 u32 perms, 1579 struct avc_audit_data *ad) 1580 { 1581 struct task_security_struct *tsec; 1582 struct superblock_security_struct *sbsec; 1583 1584 tsec = tsk->security; 1585 sbsec = sb->s_security; 1586 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 1587 perms, ad); 1588 } 1589 1590 /* Convert a Linux mode and permission mask to an access vector. */ 1591 static inline u32 file_mask_to_av(int mode, int mask) 1592 { 1593 u32 av = 0; 1594 1595 if ((mode & S_IFMT) != S_IFDIR) { 1596 if (mask & MAY_EXEC) 1597 av |= FILE__EXECUTE; 1598 if (mask & MAY_READ) 1599 av |= FILE__READ; 1600 1601 if (mask & MAY_APPEND) 1602 av |= FILE__APPEND; 1603 else if (mask & MAY_WRITE) 1604 av |= FILE__WRITE; 1605 1606 } else { 1607 if (mask & MAY_EXEC) 1608 av |= DIR__SEARCH; 1609 if (mask & MAY_WRITE) 1610 av |= DIR__WRITE; 1611 if (mask & MAY_READ) 1612 av |= DIR__READ; 1613 } 1614 1615 return av; 1616 } 1617 1618 /* 1619 * Convert a file mask to an access vector and include the correct open 1620 * open permission. 1621 */ 1622 static inline u32 open_file_mask_to_av(int mode, int mask) 1623 { 1624 u32 av = file_mask_to_av(mode, mask); 1625 1626 if (selinux_policycap_openperm) { 1627 /* 1628 * lnk files and socks do not really have an 'open' 1629 */ 1630 if (S_ISREG(mode)) 1631 av |= FILE__OPEN; 1632 else if (S_ISCHR(mode)) 1633 av |= CHR_FILE__OPEN; 1634 else if (S_ISBLK(mode)) 1635 av |= BLK_FILE__OPEN; 1636 else if (S_ISFIFO(mode)) 1637 av |= FIFO_FILE__OPEN; 1638 else if (S_ISDIR(mode)) 1639 av |= DIR__OPEN; 1640 else 1641 printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av " 1642 "with unknown mode:%x\n", mode); 1643 } 1644 return av; 1645 } 1646 1647 /* Convert a Linux file to an access vector. */ 1648 static inline u32 file_to_av(struct file *file) 1649 { 1650 u32 av = 0; 1651 1652 if (file->f_mode & FMODE_READ) 1653 av |= FILE__READ; 1654 if (file->f_mode & FMODE_WRITE) { 1655 if (file->f_flags & O_APPEND) 1656 av |= FILE__APPEND; 1657 else 1658 av |= FILE__WRITE; 1659 } 1660 if (!av) { 1661 /* 1662 * Special file opened with flags 3 for ioctl-only use. 1663 */ 1664 av = FILE__IOCTL; 1665 } 1666 1667 return av; 1668 } 1669 1670 /* Hook functions begin here. */ 1671 1672 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) 1673 { 1674 struct task_security_struct *psec = parent->security; 1675 struct task_security_struct *csec = child->security; 1676 int rc; 1677 1678 rc = secondary_ops->ptrace(parent,child); 1679 if (rc) 1680 return rc; 1681 1682 rc = task_has_perm(parent, child, PROCESS__PTRACE); 1683 /* Save the SID of the tracing process for later use in apply_creds. */ 1684 if (!(child->ptrace & PT_PTRACED) && !rc) 1685 csec->ptrace_sid = psec->sid; 1686 return rc; 1687 } 1688 1689 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 1690 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1691 { 1692 int error; 1693 1694 error = task_has_perm(current, target, PROCESS__GETCAP); 1695 if (error) 1696 return error; 1697 1698 return secondary_ops->capget(target, effective, inheritable, permitted); 1699 } 1700 1701 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, 1702 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1703 { 1704 int error; 1705 1706 error = secondary_ops->capset_check(target, effective, inheritable, permitted); 1707 if (error) 1708 return error; 1709 1710 return task_has_perm(current, target, PROCESS__SETCAP); 1711 } 1712 1713 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, 1714 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1715 { 1716 secondary_ops->capset_set(target, effective, inheritable, permitted); 1717 } 1718 1719 static int selinux_capable(struct task_struct *tsk, int cap) 1720 { 1721 int rc; 1722 1723 rc = secondary_ops->capable(tsk, cap); 1724 if (rc) 1725 return rc; 1726 1727 return task_has_capability(tsk,cap); 1728 } 1729 1730 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) 1731 { 1732 int buflen, rc; 1733 char *buffer, *path, *end; 1734 1735 rc = -ENOMEM; 1736 buffer = (char*)__get_free_page(GFP_KERNEL); 1737 if (!buffer) 1738 goto out; 1739 1740 buflen = PAGE_SIZE; 1741 end = buffer+buflen; 1742 *--end = '\0'; 1743 buflen--; 1744 path = end-1; 1745 *path = '/'; 1746 while (table) { 1747 const char *name = table->procname; 1748 size_t namelen = strlen(name); 1749 buflen -= namelen + 1; 1750 if (buflen < 0) 1751 goto out_free; 1752 end -= namelen; 1753 memcpy(end, name, namelen); 1754 *--end = '/'; 1755 path = end; 1756 table = table->parent; 1757 } 1758 buflen -= 4; 1759 if (buflen < 0) 1760 goto out_free; 1761 end -= 4; 1762 memcpy(end, "/sys", 4); 1763 path = end; 1764 rc = security_genfs_sid("proc", path, tclass, sid); 1765 out_free: 1766 free_page((unsigned long)buffer); 1767 out: 1768 return rc; 1769 } 1770 1771 static int selinux_sysctl(ctl_table *table, int op) 1772 { 1773 int error = 0; 1774 u32 av; 1775 struct task_security_struct *tsec; 1776 u32 tsid; 1777 int rc; 1778 1779 rc = secondary_ops->sysctl(table, op); 1780 if (rc) 1781 return rc; 1782 1783 tsec = current->security; 1784 1785 rc = selinux_sysctl_get_sid(table, (op == 0001) ? 1786 SECCLASS_DIR : SECCLASS_FILE, &tsid); 1787 if (rc) { 1788 /* Default to the well-defined sysctl SID. */ 1789 tsid = SECINITSID_SYSCTL; 1790 } 1791 1792 /* The op values are "defined" in sysctl.c, thereby creating 1793 * a bad coupling between this module and sysctl.c */ 1794 if(op == 001) { 1795 error = avc_has_perm(tsec->sid, tsid, 1796 SECCLASS_DIR, DIR__SEARCH, NULL); 1797 } else { 1798 av = 0; 1799 if (op & 004) 1800 av |= FILE__READ; 1801 if (op & 002) 1802 av |= FILE__WRITE; 1803 if (av) 1804 error = avc_has_perm(tsec->sid, tsid, 1805 SECCLASS_FILE, av, NULL); 1806 } 1807 1808 return error; 1809 } 1810 1811 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 1812 { 1813 int rc = 0; 1814 1815 if (!sb) 1816 return 0; 1817 1818 switch (cmds) { 1819 case Q_SYNC: 1820 case Q_QUOTAON: 1821 case Q_QUOTAOFF: 1822 case Q_SETINFO: 1823 case Q_SETQUOTA: 1824 rc = superblock_has_perm(current, 1825 sb, 1826 FILESYSTEM__QUOTAMOD, NULL); 1827 break; 1828 case Q_GETFMT: 1829 case Q_GETINFO: 1830 case Q_GETQUOTA: 1831 rc = superblock_has_perm(current, 1832 sb, 1833 FILESYSTEM__QUOTAGET, NULL); 1834 break; 1835 default: 1836 rc = 0; /* let the kernel handle invalid cmds */ 1837 break; 1838 } 1839 return rc; 1840 } 1841 1842 static int selinux_quota_on(struct dentry *dentry) 1843 { 1844 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON); 1845 } 1846 1847 static int selinux_syslog(int type) 1848 { 1849 int rc; 1850 1851 rc = secondary_ops->syslog(type); 1852 if (rc) 1853 return rc; 1854 1855 switch (type) { 1856 case 3: /* Read last kernel messages */ 1857 case 10: /* Return size of the log buffer */ 1858 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 1859 break; 1860 case 6: /* Disable logging to console */ 1861 case 7: /* Enable logging to console */ 1862 case 8: /* Set level of messages printed to console */ 1863 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); 1864 break; 1865 case 0: /* Close log */ 1866 case 1: /* Open log */ 1867 case 2: /* Read from log */ 1868 case 4: /* Read/clear last kernel messages */ 1869 case 5: /* Clear ring buffer */ 1870 default: 1871 rc = task_has_system(current, SYSTEM__SYSLOG_MOD); 1872 break; 1873 } 1874 return rc; 1875 } 1876 1877 /* 1878 * Check that a process has enough memory to allocate a new virtual 1879 * mapping. 0 means there is enough memory for the allocation to 1880 * succeed and -ENOMEM implies there is not. 1881 * 1882 * Note that secondary_ops->capable and task_has_perm_noaudit return 0 1883 * if the capability is granted, but __vm_enough_memory requires 1 if 1884 * the capability is granted. 1885 * 1886 * Do not audit the selinux permission check, as this is applied to all 1887 * processes that allocate mappings. 1888 */ 1889 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 1890 { 1891 int rc, cap_sys_admin = 0; 1892 struct task_security_struct *tsec = current->security; 1893 1894 rc = secondary_ops->capable(current, CAP_SYS_ADMIN); 1895 if (rc == 0) 1896 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid, 1897 SECCLASS_CAPABILITY, 1898 CAP_TO_MASK(CAP_SYS_ADMIN), 1899 0, 1900 NULL); 1901 1902 if (rc == 0) 1903 cap_sys_admin = 1; 1904 1905 return __vm_enough_memory(mm, pages, cap_sys_admin); 1906 } 1907 1908 /* binprm security operations */ 1909 1910 static int selinux_bprm_alloc_security(struct linux_binprm *bprm) 1911 { 1912 struct bprm_security_struct *bsec; 1913 1914 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL); 1915 if (!bsec) 1916 return -ENOMEM; 1917 1918 bsec->sid = SECINITSID_UNLABELED; 1919 bsec->set = 0; 1920 1921 bprm->security = bsec; 1922 return 0; 1923 } 1924 1925 static int selinux_bprm_set_security(struct linux_binprm *bprm) 1926 { 1927 struct task_security_struct *tsec; 1928 struct inode *inode = bprm->file->f_path.dentry->d_inode; 1929 struct inode_security_struct *isec; 1930 struct bprm_security_struct *bsec; 1931 u32 newsid; 1932 struct avc_audit_data ad; 1933 int rc; 1934 1935 rc = secondary_ops->bprm_set_security(bprm); 1936 if (rc) 1937 return rc; 1938 1939 bsec = bprm->security; 1940 1941 if (bsec->set) 1942 return 0; 1943 1944 tsec = current->security; 1945 isec = inode->i_security; 1946 1947 /* Default to the current task SID. */ 1948 bsec->sid = tsec->sid; 1949 1950 /* Reset fs, key, and sock SIDs on execve. */ 1951 tsec->create_sid = 0; 1952 tsec->keycreate_sid = 0; 1953 tsec->sockcreate_sid = 0; 1954 1955 if (tsec->exec_sid) { 1956 newsid = tsec->exec_sid; 1957 /* Reset exec SID on execve. */ 1958 tsec->exec_sid = 0; 1959 } else { 1960 /* Check for a default transition on this program. */ 1961 rc = security_transition_sid(tsec->sid, isec->sid, 1962 SECCLASS_PROCESS, &newsid); 1963 if (rc) 1964 return rc; 1965 } 1966 1967 AVC_AUDIT_DATA_INIT(&ad, FS); 1968 ad.u.fs.path = bprm->file->f_path; 1969 1970 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) 1971 newsid = tsec->sid; 1972 1973 if (tsec->sid == newsid) { 1974 rc = avc_has_perm(tsec->sid, isec->sid, 1975 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 1976 if (rc) 1977 return rc; 1978 } else { 1979 /* Check permissions for the transition. */ 1980 rc = avc_has_perm(tsec->sid, newsid, 1981 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 1982 if (rc) 1983 return rc; 1984 1985 rc = avc_has_perm(newsid, isec->sid, 1986 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 1987 if (rc) 1988 return rc; 1989 1990 /* Clear any possibly unsafe personality bits on exec: */ 1991 current->personality &= ~PER_CLEAR_ON_SETID; 1992 1993 /* Set the security field to the new SID. */ 1994 bsec->sid = newsid; 1995 } 1996 1997 bsec->set = 1; 1998 return 0; 1999 } 2000 2001 static int selinux_bprm_check_security (struct linux_binprm *bprm) 2002 { 2003 return secondary_ops->bprm_check_security(bprm); 2004 } 2005 2006 2007 static int selinux_bprm_secureexec (struct linux_binprm *bprm) 2008 { 2009 struct task_security_struct *tsec = current->security; 2010 int atsecure = 0; 2011 2012 if (tsec->osid != tsec->sid) { 2013 /* Enable secure mode for SIDs transitions unless 2014 the noatsecure permission is granted between 2015 the two SIDs, i.e. ahp returns 0. */ 2016 atsecure = avc_has_perm(tsec->osid, tsec->sid, 2017 SECCLASS_PROCESS, 2018 PROCESS__NOATSECURE, NULL); 2019 } 2020 2021 return (atsecure || secondary_ops->bprm_secureexec(bprm)); 2022 } 2023 2024 static void selinux_bprm_free_security(struct linux_binprm *bprm) 2025 { 2026 kfree(bprm->security); 2027 bprm->security = NULL; 2028 } 2029 2030 extern struct vfsmount *selinuxfs_mount; 2031 extern struct dentry *selinux_null; 2032 2033 /* Derived from fs/exec.c:flush_old_files. */ 2034 static inline void flush_unauthorized_files(struct files_struct * files) 2035 { 2036 struct avc_audit_data ad; 2037 struct file *file, *devnull = NULL; 2038 struct tty_struct *tty; 2039 struct fdtable *fdt; 2040 long j = -1; 2041 int drop_tty = 0; 2042 2043 mutex_lock(&tty_mutex); 2044 tty = get_current_tty(); 2045 if (tty) { 2046 file_list_lock(); 2047 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list); 2048 if (file) { 2049 /* Revalidate access to controlling tty. 2050 Use inode_has_perm on the tty inode directly rather 2051 than using file_has_perm, as this particular open 2052 file may belong to another process and we are only 2053 interested in the inode-based check here. */ 2054 struct inode *inode = file->f_path.dentry->d_inode; 2055 if (inode_has_perm(current, inode, 2056 FILE__READ | FILE__WRITE, NULL)) { 2057 drop_tty = 1; 2058 } 2059 } 2060 file_list_unlock(); 2061 } 2062 mutex_unlock(&tty_mutex); 2063 /* Reset controlling tty. */ 2064 if (drop_tty) 2065 no_tty(); 2066 2067 /* Revalidate access to inherited open files. */ 2068 2069 AVC_AUDIT_DATA_INIT(&ad,FS); 2070 2071 spin_lock(&files->file_lock); 2072 for (;;) { 2073 unsigned long set, i; 2074 int fd; 2075 2076 j++; 2077 i = j * __NFDBITS; 2078 fdt = files_fdtable(files); 2079 if (i >= fdt->max_fds) 2080 break; 2081 set = fdt->open_fds->fds_bits[j]; 2082 if (!set) 2083 continue; 2084 spin_unlock(&files->file_lock); 2085 for ( ; set ; i++,set >>= 1) { 2086 if (set & 1) { 2087 file = fget(i); 2088 if (!file) 2089 continue; 2090 if (file_has_perm(current, 2091 file, 2092 file_to_av(file))) { 2093 sys_close(i); 2094 fd = get_unused_fd(); 2095 if (fd != i) { 2096 if (fd >= 0) 2097 put_unused_fd(fd); 2098 fput(file); 2099 continue; 2100 } 2101 if (devnull) { 2102 get_file(devnull); 2103 } else { 2104 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR); 2105 if (IS_ERR(devnull)) { 2106 devnull = NULL; 2107 put_unused_fd(fd); 2108 fput(file); 2109 continue; 2110 } 2111 } 2112 fd_install(fd, devnull); 2113 } 2114 fput(file); 2115 } 2116 } 2117 spin_lock(&files->file_lock); 2118 2119 } 2120 spin_unlock(&files->file_lock); 2121 } 2122 2123 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) 2124 { 2125 struct task_security_struct *tsec; 2126 struct bprm_security_struct *bsec; 2127 u32 sid; 2128 int rc; 2129 2130 secondary_ops->bprm_apply_creds(bprm, unsafe); 2131 2132 tsec = current->security; 2133 2134 bsec = bprm->security; 2135 sid = bsec->sid; 2136 2137 tsec->osid = tsec->sid; 2138 bsec->unsafe = 0; 2139 if (tsec->sid != sid) { 2140 /* Check for shared state. If not ok, leave SID 2141 unchanged and kill. */ 2142 if (unsafe & LSM_UNSAFE_SHARE) { 2143 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 2144 PROCESS__SHARE, NULL); 2145 if (rc) { 2146 bsec->unsafe = 1; 2147 return; 2148 } 2149 } 2150 2151 /* Check for ptracing, and update the task SID if ok. 2152 Otherwise, leave SID unchanged and kill. */ 2153 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 2154 rc = avc_has_perm(tsec->ptrace_sid, sid, 2155 SECCLASS_PROCESS, PROCESS__PTRACE, 2156 NULL); 2157 if (rc) { 2158 bsec->unsafe = 1; 2159 return; 2160 } 2161 } 2162 tsec->sid = sid; 2163 } 2164 } 2165 2166 /* 2167 * called after apply_creds without the task lock held 2168 */ 2169 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) 2170 { 2171 struct task_security_struct *tsec; 2172 struct rlimit *rlim, *initrlim; 2173 struct itimerval itimer; 2174 struct bprm_security_struct *bsec; 2175 int rc, i; 2176 2177 tsec = current->security; 2178 bsec = bprm->security; 2179 2180 if (bsec->unsafe) { 2181 force_sig_specific(SIGKILL, current); 2182 return; 2183 } 2184 if (tsec->osid == tsec->sid) 2185 return; 2186 2187 /* Close files for which the new task SID is not authorized. */ 2188 flush_unauthorized_files(current->files); 2189 2190 /* Check whether the new SID can inherit signal state 2191 from the old SID. If not, clear itimers to avoid 2192 subsequent signal generation and flush and unblock 2193 signals. This must occur _after_ the task SID has 2194 been updated so that any kill done after the flush 2195 will be checked against the new SID. */ 2196 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, 2197 PROCESS__SIGINH, NULL); 2198 if (rc) { 2199 memset(&itimer, 0, sizeof itimer); 2200 for (i = 0; i < 3; i++) 2201 do_setitimer(i, &itimer, NULL); 2202 flush_signals(current); 2203 spin_lock_irq(¤t->sighand->siglock); 2204 flush_signal_handlers(current, 1); 2205 sigemptyset(¤t->blocked); 2206 recalc_sigpending(); 2207 spin_unlock_irq(¤t->sighand->siglock); 2208 } 2209 2210 /* Always clear parent death signal on SID transitions. */ 2211 current->pdeath_signal = 0; 2212 2213 /* Check whether the new SID can inherit resource limits 2214 from the old SID. If not, reset all soft limits to 2215 the lower of the current task's hard limit and the init 2216 task's soft limit. Note that the setting of hard limits 2217 (even to lower them) can be controlled by the setrlimit 2218 check. The inclusion of the init task's soft limit into 2219 the computation is to avoid resetting soft limits higher 2220 than the default soft limit for cases where the default 2221 is lower than the hard limit, e.g. RLIMIT_CORE or 2222 RLIMIT_STACK.*/ 2223 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, 2224 PROCESS__RLIMITINH, NULL); 2225 if (rc) { 2226 for (i = 0; i < RLIM_NLIMITS; i++) { 2227 rlim = current->signal->rlim + i; 2228 initrlim = init_task.signal->rlim+i; 2229 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur); 2230 } 2231 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) { 2232 /* 2233 * This will cause RLIMIT_CPU calculations 2234 * to be refigured. 2235 */ 2236 current->it_prof_expires = jiffies_to_cputime(1); 2237 } 2238 } 2239 2240 /* Wake up the parent if it is waiting so that it can 2241 recheck wait permission to the new task SID. */ 2242 wake_up_interruptible(¤t->parent->signal->wait_chldexit); 2243 } 2244 2245 /* superblock security operations */ 2246 2247 static int selinux_sb_alloc_security(struct super_block *sb) 2248 { 2249 return superblock_alloc_security(sb); 2250 } 2251 2252 static void selinux_sb_free_security(struct super_block *sb) 2253 { 2254 superblock_free_security(sb); 2255 } 2256 2257 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2258 { 2259 if (plen > olen) 2260 return 0; 2261 2262 return !memcmp(prefix, option, plen); 2263 } 2264 2265 static inline int selinux_option(char *option, int len) 2266 { 2267 return (match_prefix("context=", sizeof("context=")-1, option, len) || 2268 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) || 2269 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) || 2270 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len)); 2271 } 2272 2273 static inline void take_option(char **to, char *from, int *first, int len) 2274 { 2275 if (!*first) { 2276 **to = ','; 2277 *to += 1; 2278 } else 2279 *first = 0; 2280 memcpy(*to, from, len); 2281 *to += len; 2282 } 2283 2284 static inline void take_selinux_option(char **to, char *from, int *first, 2285 int len) 2286 { 2287 int current_size = 0; 2288 2289 if (!*first) { 2290 **to = '|'; 2291 *to += 1; 2292 } 2293 else 2294 *first = 0; 2295 2296 while (current_size < len) { 2297 if (*from != '"') { 2298 **to = *from; 2299 *to += 1; 2300 } 2301 from += 1; 2302 current_size += 1; 2303 } 2304 } 2305 2306 static int selinux_sb_copy_data(char *orig, char *copy) 2307 { 2308 int fnosec, fsec, rc = 0; 2309 char *in_save, *in_curr, *in_end; 2310 char *sec_curr, *nosec_save, *nosec; 2311 int open_quote = 0; 2312 2313 in_curr = orig; 2314 sec_curr = copy; 2315 2316 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2317 if (!nosec) { 2318 rc = -ENOMEM; 2319 goto out; 2320 } 2321 2322 nosec_save = nosec; 2323 fnosec = fsec = 1; 2324 in_save = in_end = orig; 2325 2326 do { 2327 if (*in_end == '"') 2328 open_quote = !open_quote; 2329 if ((*in_end == ',' && open_quote == 0) || 2330 *in_end == '\0') { 2331 int len = in_end - in_curr; 2332 2333 if (selinux_option(in_curr, len)) 2334 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2335 else 2336 take_option(&nosec, in_curr, &fnosec, len); 2337 2338 in_curr = in_end + 1; 2339 } 2340 } while (*in_end++); 2341 2342 strcpy(in_save, nosec_save); 2343 free_page((unsigned long)nosec_save); 2344 out: 2345 return rc; 2346 } 2347 2348 static int selinux_sb_kern_mount(struct super_block *sb, void *data) 2349 { 2350 struct avc_audit_data ad; 2351 int rc; 2352 2353 rc = superblock_doinit(sb, data); 2354 if (rc) 2355 return rc; 2356 2357 AVC_AUDIT_DATA_INIT(&ad,FS); 2358 ad.u.fs.path.dentry = sb->s_root; 2359 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); 2360 } 2361 2362 static int selinux_sb_statfs(struct dentry *dentry) 2363 { 2364 struct avc_audit_data ad; 2365 2366 AVC_AUDIT_DATA_INIT(&ad,FS); 2367 ad.u.fs.path.dentry = dentry->d_sb->s_root; 2368 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2369 } 2370 2371 static int selinux_mount(char * dev_name, 2372 struct nameidata *nd, 2373 char * type, 2374 unsigned long flags, 2375 void * data) 2376 { 2377 int rc; 2378 2379 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data); 2380 if (rc) 2381 return rc; 2382 2383 if (flags & MS_REMOUNT) 2384 return superblock_has_perm(current, nd->path.mnt->mnt_sb, 2385 FILESYSTEM__REMOUNT, NULL); 2386 else 2387 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry, 2388 FILE__MOUNTON); 2389 } 2390 2391 static int selinux_umount(struct vfsmount *mnt, int flags) 2392 { 2393 int rc; 2394 2395 rc = secondary_ops->sb_umount(mnt, flags); 2396 if (rc) 2397 return rc; 2398 2399 return superblock_has_perm(current,mnt->mnt_sb, 2400 FILESYSTEM__UNMOUNT,NULL); 2401 } 2402 2403 /* inode security operations */ 2404 2405 static int selinux_inode_alloc_security(struct inode *inode) 2406 { 2407 return inode_alloc_security(inode); 2408 } 2409 2410 static void selinux_inode_free_security(struct inode *inode) 2411 { 2412 inode_free_security(inode); 2413 } 2414 2415 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2416 char **name, void **value, 2417 size_t *len) 2418 { 2419 struct task_security_struct *tsec; 2420 struct inode_security_struct *dsec; 2421 struct superblock_security_struct *sbsec; 2422 u32 newsid, clen; 2423 int rc; 2424 char *namep = NULL, *context; 2425 2426 tsec = current->security; 2427 dsec = dir->i_security; 2428 sbsec = dir->i_sb->s_security; 2429 2430 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 2431 newsid = tsec->create_sid; 2432 } else { 2433 rc = security_transition_sid(tsec->sid, dsec->sid, 2434 inode_mode_to_security_class(inode->i_mode), 2435 &newsid); 2436 if (rc) { 2437 printk(KERN_WARNING "%s: " 2438 "security_transition_sid failed, rc=%d (dev=%s " 2439 "ino=%ld)\n", 2440 __FUNCTION__, 2441 -rc, inode->i_sb->s_id, inode->i_ino); 2442 return rc; 2443 } 2444 } 2445 2446 /* Possibly defer initialization to selinux_complete_init. */ 2447 if (sbsec->initialized) { 2448 struct inode_security_struct *isec = inode->i_security; 2449 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2450 isec->sid = newsid; 2451 isec->initialized = 1; 2452 } 2453 2454 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 2455 return -EOPNOTSUPP; 2456 2457 if (name) { 2458 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS); 2459 if (!namep) 2460 return -ENOMEM; 2461 *name = namep; 2462 } 2463 2464 if (value && len) { 2465 rc = security_sid_to_context(newsid, &context, &clen); 2466 if (rc) { 2467 kfree(namep); 2468 return rc; 2469 } 2470 *value = context; 2471 *len = clen; 2472 } 2473 2474 return 0; 2475 } 2476 2477 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask) 2478 { 2479 return may_create(dir, dentry, SECCLASS_FILE); 2480 } 2481 2482 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2483 { 2484 int rc; 2485 2486 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry); 2487 if (rc) 2488 return rc; 2489 return may_link(dir, old_dentry, MAY_LINK); 2490 } 2491 2492 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2493 { 2494 int rc; 2495 2496 rc = secondary_ops->inode_unlink(dir, dentry); 2497 if (rc) 2498 return rc; 2499 return may_link(dir, dentry, MAY_UNLINK); 2500 } 2501 2502 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2503 { 2504 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2505 } 2506 2507 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask) 2508 { 2509 return may_create(dir, dentry, SECCLASS_DIR); 2510 } 2511 2512 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2513 { 2514 return may_link(dir, dentry, MAY_RMDIR); 2515 } 2516 2517 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) 2518 { 2519 int rc; 2520 2521 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev); 2522 if (rc) 2523 return rc; 2524 2525 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2526 } 2527 2528 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2529 struct inode *new_inode, struct dentry *new_dentry) 2530 { 2531 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2532 } 2533 2534 static int selinux_inode_readlink(struct dentry *dentry) 2535 { 2536 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2537 } 2538 2539 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) 2540 { 2541 int rc; 2542 2543 rc = secondary_ops->inode_follow_link(dentry,nameidata); 2544 if (rc) 2545 return rc; 2546 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2547 } 2548 2549 static int selinux_inode_permission(struct inode *inode, int mask, 2550 struct nameidata *nd) 2551 { 2552 int rc; 2553 2554 rc = secondary_ops->inode_permission(inode, mask, nd); 2555 if (rc) 2556 return rc; 2557 2558 if (!mask) { 2559 /* No permission to check. Existence test. */ 2560 return 0; 2561 } 2562 2563 return inode_has_perm(current, inode, 2564 open_file_mask_to_av(inode->i_mode, mask), NULL); 2565 } 2566 2567 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2568 { 2569 int rc; 2570 2571 rc = secondary_ops->inode_setattr(dentry, iattr); 2572 if (rc) 2573 return rc; 2574 2575 if (iattr->ia_valid & ATTR_FORCE) 2576 return 0; 2577 2578 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 2579 ATTR_ATIME_SET | ATTR_MTIME_SET)) 2580 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2581 2582 return dentry_has_perm(current, NULL, dentry, FILE__WRITE); 2583 } 2584 2585 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 2586 { 2587 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR); 2588 } 2589 2590 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name) 2591 { 2592 if (!strncmp(name, XATTR_SECURITY_PREFIX, 2593 sizeof XATTR_SECURITY_PREFIX - 1)) { 2594 if (!strcmp(name, XATTR_NAME_CAPS)) { 2595 if (!capable(CAP_SETFCAP)) 2596 return -EPERM; 2597 } else if (!capable(CAP_SYS_ADMIN)) { 2598 /* A different attribute in the security namespace. 2599 Restrict to administrator. */ 2600 return -EPERM; 2601 } 2602 } 2603 2604 /* Not an attribute we recognize, so just check the 2605 ordinary setattr permission. */ 2606 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2607 } 2608 2609 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags) 2610 { 2611 struct task_security_struct *tsec = current->security; 2612 struct inode *inode = dentry->d_inode; 2613 struct inode_security_struct *isec = inode->i_security; 2614 struct superblock_security_struct *sbsec; 2615 struct avc_audit_data ad; 2616 u32 newsid; 2617 int rc = 0; 2618 2619 if (strcmp(name, XATTR_NAME_SELINUX)) 2620 return selinux_inode_setotherxattr(dentry, name); 2621 2622 sbsec = inode->i_sb->s_security; 2623 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 2624 return -EOPNOTSUPP; 2625 2626 if (!is_owner_or_cap(inode)) 2627 return -EPERM; 2628 2629 AVC_AUDIT_DATA_INIT(&ad,FS); 2630 ad.u.fs.path.dentry = dentry; 2631 2632 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, 2633 FILE__RELABELFROM, &ad); 2634 if (rc) 2635 return rc; 2636 2637 rc = security_context_to_sid(value, size, &newsid); 2638 if (rc) 2639 return rc; 2640 2641 rc = avc_has_perm(tsec->sid, newsid, isec->sclass, 2642 FILE__RELABELTO, &ad); 2643 if (rc) 2644 return rc; 2645 2646 rc = security_validate_transition(isec->sid, newsid, tsec->sid, 2647 isec->sclass); 2648 if (rc) 2649 return rc; 2650 2651 return avc_has_perm(newsid, 2652 sbsec->sid, 2653 SECCLASS_FILESYSTEM, 2654 FILESYSTEM__ASSOCIATE, 2655 &ad); 2656 } 2657 2658 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, 2659 void *value, size_t size, int flags) 2660 { 2661 struct inode *inode = dentry->d_inode; 2662 struct inode_security_struct *isec = inode->i_security; 2663 u32 newsid; 2664 int rc; 2665 2666 if (strcmp(name, XATTR_NAME_SELINUX)) { 2667 /* Not an attribute we recognize, so nothing to do. */ 2668 return; 2669 } 2670 2671 rc = security_context_to_sid(value, size, &newsid); 2672 if (rc) { 2673 printk(KERN_WARNING "%s: unable to obtain SID for context " 2674 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc); 2675 return; 2676 } 2677 2678 isec->sid = newsid; 2679 return; 2680 } 2681 2682 static int selinux_inode_getxattr (struct dentry *dentry, char *name) 2683 { 2684 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2685 } 2686 2687 static int selinux_inode_listxattr (struct dentry *dentry) 2688 { 2689 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2690 } 2691 2692 static int selinux_inode_removexattr (struct dentry *dentry, char *name) 2693 { 2694 if (strcmp(name, XATTR_NAME_SELINUX)) 2695 return selinux_inode_setotherxattr(dentry, name); 2696 2697 /* No one is allowed to remove a SELinux security label. 2698 You can change the label, but all data must be labeled. */ 2699 return -EACCES; 2700 } 2701 2702 /* 2703 * Copy the in-core inode security context value to the user. If the 2704 * getxattr() prior to this succeeded, check to see if we need to 2705 * canonicalize the value to be finally returned to the user. 2706 * 2707 * Permission check is handled by selinux_inode_getxattr hook. 2708 */ 2709 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc) 2710 { 2711 u32 size; 2712 int error; 2713 char *context = NULL; 2714 struct inode_security_struct *isec = inode->i_security; 2715 2716 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2717 return -EOPNOTSUPP; 2718 2719 error = security_sid_to_context(isec->sid, &context, &size); 2720 if (error) 2721 return error; 2722 error = size; 2723 if (alloc) { 2724 *buffer = context; 2725 goto out_nofree; 2726 } 2727 kfree(context); 2728 out_nofree: 2729 return error; 2730 } 2731 2732 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 2733 const void *value, size_t size, int flags) 2734 { 2735 struct inode_security_struct *isec = inode->i_security; 2736 u32 newsid; 2737 int rc; 2738 2739 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2740 return -EOPNOTSUPP; 2741 2742 if (!value || !size) 2743 return -EACCES; 2744 2745 rc = security_context_to_sid((void*)value, size, &newsid); 2746 if (rc) 2747 return rc; 2748 2749 isec->sid = newsid; 2750 return 0; 2751 } 2752 2753 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 2754 { 2755 const int len = sizeof(XATTR_NAME_SELINUX); 2756 if (buffer && len <= buffer_size) 2757 memcpy(buffer, XATTR_NAME_SELINUX, len); 2758 return len; 2759 } 2760 2761 static int selinux_inode_need_killpriv(struct dentry *dentry) 2762 { 2763 return secondary_ops->inode_need_killpriv(dentry); 2764 } 2765 2766 static int selinux_inode_killpriv(struct dentry *dentry) 2767 { 2768 return secondary_ops->inode_killpriv(dentry); 2769 } 2770 2771 /* file security operations */ 2772 2773 static int selinux_revalidate_file_permission(struct file *file, int mask) 2774 { 2775 int rc; 2776 struct inode *inode = file->f_path.dentry->d_inode; 2777 2778 if (!mask) { 2779 /* No permission to check. Existence test. */ 2780 return 0; 2781 } 2782 2783 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 2784 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 2785 mask |= MAY_APPEND; 2786 2787 rc = file_has_perm(current, file, 2788 file_mask_to_av(inode->i_mode, mask)); 2789 if (rc) 2790 return rc; 2791 2792 return selinux_netlbl_inode_permission(inode, mask); 2793 } 2794 2795 static int selinux_file_permission(struct file *file, int mask) 2796 { 2797 struct inode *inode = file->f_path.dentry->d_inode; 2798 struct task_security_struct *tsec = current->security; 2799 struct file_security_struct *fsec = file->f_security; 2800 struct inode_security_struct *isec = inode->i_security; 2801 2802 if (!mask) { 2803 /* No permission to check. Existence test. */ 2804 return 0; 2805 } 2806 2807 if (tsec->sid == fsec->sid && fsec->isid == isec->sid 2808 && fsec->pseqno == avc_policy_seqno()) 2809 return selinux_netlbl_inode_permission(inode, mask); 2810 2811 return selinux_revalidate_file_permission(file, mask); 2812 } 2813 2814 static int selinux_file_alloc_security(struct file *file) 2815 { 2816 return file_alloc_security(file); 2817 } 2818 2819 static void selinux_file_free_security(struct file *file) 2820 { 2821 file_free_security(file); 2822 } 2823 2824 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 2825 unsigned long arg) 2826 { 2827 int error = 0; 2828 2829 switch (cmd) { 2830 case FIONREAD: 2831 /* fall through */ 2832 case FIBMAP: 2833 /* fall through */ 2834 case FIGETBSZ: 2835 /* fall through */ 2836 case EXT2_IOC_GETFLAGS: 2837 /* fall through */ 2838 case EXT2_IOC_GETVERSION: 2839 error = file_has_perm(current, file, FILE__GETATTR); 2840 break; 2841 2842 case EXT2_IOC_SETFLAGS: 2843 /* fall through */ 2844 case EXT2_IOC_SETVERSION: 2845 error = file_has_perm(current, file, FILE__SETATTR); 2846 break; 2847 2848 /* sys_ioctl() checks */ 2849 case FIONBIO: 2850 /* fall through */ 2851 case FIOASYNC: 2852 error = file_has_perm(current, file, 0); 2853 break; 2854 2855 case KDSKBENT: 2856 case KDSKBSENT: 2857 error = task_has_capability(current,CAP_SYS_TTY_CONFIG); 2858 break; 2859 2860 /* default case assumes that the command will go 2861 * to the file's ioctl() function. 2862 */ 2863 default: 2864 error = file_has_perm(current, file, FILE__IOCTL); 2865 2866 } 2867 return error; 2868 } 2869 2870 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 2871 { 2872 #ifndef CONFIG_PPC32 2873 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { 2874 /* 2875 * We are making executable an anonymous mapping or a 2876 * private file mapping that will also be writable. 2877 * This has an additional check. 2878 */ 2879 int rc = task_has_perm(current, current, PROCESS__EXECMEM); 2880 if (rc) 2881 return rc; 2882 } 2883 #endif 2884 2885 if (file) { 2886 /* read access is always possible with a mapping */ 2887 u32 av = FILE__READ; 2888 2889 /* write access only matters if the mapping is shared */ 2890 if (shared && (prot & PROT_WRITE)) 2891 av |= FILE__WRITE; 2892 2893 if (prot & PROT_EXEC) 2894 av |= FILE__EXECUTE; 2895 2896 return file_has_perm(current, file, av); 2897 } 2898 return 0; 2899 } 2900 2901 static int selinux_file_mmap(struct file *file, unsigned long reqprot, 2902 unsigned long prot, unsigned long flags, 2903 unsigned long addr, unsigned long addr_only) 2904 { 2905 int rc = 0; 2906 u32 sid = ((struct task_security_struct*)(current->security))->sid; 2907 2908 if (addr < mmap_min_addr) 2909 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 2910 MEMPROTECT__MMAP_ZERO, NULL); 2911 if (rc || addr_only) 2912 return rc; 2913 2914 if (selinux_checkreqprot) 2915 prot = reqprot; 2916 2917 return file_map_prot_check(file, prot, 2918 (flags & MAP_TYPE) == MAP_SHARED); 2919 } 2920 2921 static int selinux_file_mprotect(struct vm_area_struct *vma, 2922 unsigned long reqprot, 2923 unsigned long prot) 2924 { 2925 int rc; 2926 2927 rc = secondary_ops->file_mprotect(vma, reqprot, prot); 2928 if (rc) 2929 return rc; 2930 2931 if (selinux_checkreqprot) 2932 prot = reqprot; 2933 2934 #ifndef CONFIG_PPC32 2935 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 2936 rc = 0; 2937 if (vma->vm_start >= vma->vm_mm->start_brk && 2938 vma->vm_end <= vma->vm_mm->brk) { 2939 rc = task_has_perm(current, current, 2940 PROCESS__EXECHEAP); 2941 } else if (!vma->vm_file && 2942 vma->vm_start <= vma->vm_mm->start_stack && 2943 vma->vm_end >= vma->vm_mm->start_stack) { 2944 rc = task_has_perm(current, current, PROCESS__EXECSTACK); 2945 } else if (vma->vm_file && vma->anon_vma) { 2946 /* 2947 * We are making executable a file mapping that has 2948 * had some COW done. Since pages might have been 2949 * written, check ability to execute the possibly 2950 * modified content. This typically should only 2951 * occur for text relocations. 2952 */ 2953 rc = file_has_perm(current, vma->vm_file, 2954 FILE__EXECMOD); 2955 } 2956 if (rc) 2957 return rc; 2958 } 2959 #endif 2960 2961 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 2962 } 2963 2964 static int selinux_file_lock(struct file *file, unsigned int cmd) 2965 { 2966 return file_has_perm(current, file, FILE__LOCK); 2967 } 2968 2969 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 2970 unsigned long arg) 2971 { 2972 int err = 0; 2973 2974 switch (cmd) { 2975 case F_SETFL: 2976 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { 2977 err = -EINVAL; 2978 break; 2979 } 2980 2981 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 2982 err = file_has_perm(current, file,FILE__WRITE); 2983 break; 2984 } 2985 /* fall through */ 2986 case F_SETOWN: 2987 case F_SETSIG: 2988 case F_GETFL: 2989 case F_GETOWN: 2990 case F_GETSIG: 2991 /* Just check FD__USE permission */ 2992 err = file_has_perm(current, file, 0); 2993 break; 2994 case F_GETLK: 2995 case F_SETLK: 2996 case F_SETLKW: 2997 #if BITS_PER_LONG == 32 2998 case F_GETLK64: 2999 case F_SETLK64: 3000 case F_SETLKW64: 3001 #endif 3002 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { 3003 err = -EINVAL; 3004 break; 3005 } 3006 err = file_has_perm(current, file, FILE__LOCK); 3007 break; 3008 } 3009 3010 return err; 3011 } 3012 3013 static int selinux_file_set_fowner(struct file *file) 3014 { 3015 struct task_security_struct *tsec; 3016 struct file_security_struct *fsec; 3017 3018 tsec = current->security; 3019 fsec = file->f_security; 3020 fsec->fown_sid = tsec->sid; 3021 3022 return 0; 3023 } 3024 3025 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3026 struct fown_struct *fown, int signum) 3027 { 3028 struct file *file; 3029 u32 perm; 3030 struct task_security_struct *tsec; 3031 struct file_security_struct *fsec; 3032 3033 /* struct fown_struct is never outside the context of a struct file */ 3034 file = container_of(fown, struct file, f_owner); 3035 3036 tsec = tsk->security; 3037 fsec = file->f_security; 3038 3039 if (!signum) 3040 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3041 else 3042 perm = signal_to_av(signum); 3043 3044 return avc_has_perm(fsec->fown_sid, tsec->sid, 3045 SECCLASS_PROCESS, perm, NULL); 3046 } 3047 3048 static int selinux_file_receive(struct file *file) 3049 { 3050 return file_has_perm(current, file, file_to_av(file)); 3051 } 3052 3053 static int selinux_dentry_open(struct file *file) 3054 { 3055 struct file_security_struct *fsec; 3056 struct inode *inode; 3057 struct inode_security_struct *isec; 3058 inode = file->f_path.dentry->d_inode; 3059 fsec = file->f_security; 3060 isec = inode->i_security; 3061 /* 3062 * Save inode label and policy sequence number 3063 * at open-time so that selinux_file_permission 3064 * can determine whether revalidation is necessary. 3065 * Task label is already saved in the file security 3066 * struct as its SID. 3067 */ 3068 fsec->isid = isec->sid; 3069 fsec->pseqno = avc_policy_seqno(); 3070 /* 3071 * Since the inode label or policy seqno may have changed 3072 * between the selinux_inode_permission check and the saving 3073 * of state above, recheck that access is still permitted. 3074 * Otherwise, access might never be revalidated against the 3075 * new inode label or new policy. 3076 * This check is not redundant - do not remove. 3077 */ 3078 return inode_has_perm(current, inode, file_to_av(file), NULL); 3079 } 3080 3081 /* task security operations */ 3082 3083 static int selinux_task_create(unsigned long clone_flags) 3084 { 3085 int rc; 3086 3087 rc = secondary_ops->task_create(clone_flags); 3088 if (rc) 3089 return rc; 3090 3091 return task_has_perm(current, current, PROCESS__FORK); 3092 } 3093 3094 static int selinux_task_alloc_security(struct task_struct *tsk) 3095 { 3096 struct task_security_struct *tsec1, *tsec2; 3097 int rc; 3098 3099 tsec1 = current->security; 3100 3101 rc = task_alloc_security(tsk); 3102 if (rc) 3103 return rc; 3104 tsec2 = tsk->security; 3105 3106 tsec2->osid = tsec1->osid; 3107 tsec2->sid = tsec1->sid; 3108 3109 /* Retain the exec, fs, key, and sock SIDs across fork */ 3110 tsec2->exec_sid = tsec1->exec_sid; 3111 tsec2->create_sid = tsec1->create_sid; 3112 tsec2->keycreate_sid = tsec1->keycreate_sid; 3113 tsec2->sockcreate_sid = tsec1->sockcreate_sid; 3114 3115 /* Retain ptracer SID across fork, if any. 3116 This will be reset by the ptrace hook upon any 3117 subsequent ptrace_attach operations. */ 3118 tsec2->ptrace_sid = tsec1->ptrace_sid; 3119 3120 return 0; 3121 } 3122 3123 static void selinux_task_free_security(struct task_struct *tsk) 3124 { 3125 task_free_security(tsk); 3126 } 3127 3128 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 3129 { 3130 /* Since setuid only affects the current process, and 3131 since the SELinux controls are not based on the Linux 3132 identity attributes, SELinux does not need to control 3133 this operation. However, SELinux does control the use 3134 of the CAP_SETUID and CAP_SETGID capabilities using the 3135 capable hook. */ 3136 return 0; 3137 } 3138 3139 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 3140 { 3141 return secondary_ops->task_post_setuid(id0,id1,id2,flags); 3142 } 3143 3144 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) 3145 { 3146 /* See the comment for setuid above. */ 3147 return 0; 3148 } 3149 3150 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3151 { 3152 return task_has_perm(current, p, PROCESS__SETPGID); 3153 } 3154 3155 static int selinux_task_getpgid(struct task_struct *p) 3156 { 3157 return task_has_perm(current, p, PROCESS__GETPGID); 3158 } 3159 3160 static int selinux_task_getsid(struct task_struct *p) 3161 { 3162 return task_has_perm(current, p, PROCESS__GETSESSION); 3163 } 3164 3165 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3166 { 3167 selinux_get_task_sid(p, secid); 3168 } 3169 3170 static int selinux_task_setgroups(struct group_info *group_info) 3171 { 3172 /* See the comment for setuid above. */ 3173 return 0; 3174 } 3175 3176 static int selinux_task_setnice(struct task_struct *p, int nice) 3177 { 3178 int rc; 3179 3180 rc = secondary_ops->task_setnice(p, nice); 3181 if (rc) 3182 return rc; 3183 3184 return task_has_perm(current,p, PROCESS__SETSCHED); 3185 } 3186 3187 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3188 { 3189 int rc; 3190 3191 rc = secondary_ops->task_setioprio(p, ioprio); 3192 if (rc) 3193 return rc; 3194 3195 return task_has_perm(current, p, PROCESS__SETSCHED); 3196 } 3197 3198 static int selinux_task_getioprio(struct task_struct *p) 3199 { 3200 return task_has_perm(current, p, PROCESS__GETSCHED); 3201 } 3202 3203 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) 3204 { 3205 struct rlimit *old_rlim = current->signal->rlim + resource; 3206 int rc; 3207 3208 rc = secondary_ops->task_setrlimit(resource, new_rlim); 3209 if (rc) 3210 return rc; 3211 3212 /* Control the ability to change the hard limit (whether 3213 lowering or raising it), so that the hard limit can 3214 later be used as a safe reset point for the soft limit 3215 upon context transitions. See selinux_bprm_apply_creds. */ 3216 if (old_rlim->rlim_max != new_rlim->rlim_max) 3217 return task_has_perm(current, current, PROCESS__SETRLIMIT); 3218 3219 return 0; 3220 } 3221 3222 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp) 3223 { 3224 int rc; 3225 3226 rc = secondary_ops->task_setscheduler(p, policy, lp); 3227 if (rc) 3228 return rc; 3229 3230 return task_has_perm(current, p, PROCESS__SETSCHED); 3231 } 3232 3233 static int selinux_task_getscheduler(struct task_struct *p) 3234 { 3235 return task_has_perm(current, p, PROCESS__GETSCHED); 3236 } 3237 3238 static int selinux_task_movememory(struct task_struct *p) 3239 { 3240 return task_has_perm(current, p, PROCESS__SETSCHED); 3241 } 3242 3243 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 3244 int sig, u32 secid) 3245 { 3246 u32 perm; 3247 int rc; 3248 struct task_security_struct *tsec; 3249 3250 rc = secondary_ops->task_kill(p, info, sig, secid); 3251 if (rc) 3252 return rc; 3253 3254 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info))) 3255 return 0; 3256 3257 if (!sig) 3258 perm = PROCESS__SIGNULL; /* null signal; existence test */ 3259 else 3260 perm = signal_to_av(sig); 3261 tsec = p->security; 3262 if (secid) 3263 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL); 3264 else 3265 rc = task_has_perm(current, p, perm); 3266 return rc; 3267 } 3268 3269 static int selinux_task_prctl(int option, 3270 unsigned long arg2, 3271 unsigned long arg3, 3272 unsigned long arg4, 3273 unsigned long arg5) 3274 { 3275 /* The current prctl operations do not appear to require 3276 any SELinux controls since they merely observe or modify 3277 the state of the current process. */ 3278 return 0; 3279 } 3280 3281 static int selinux_task_wait(struct task_struct *p) 3282 { 3283 return task_has_perm(p, current, PROCESS__SIGCHLD); 3284 } 3285 3286 static void selinux_task_reparent_to_init(struct task_struct *p) 3287 { 3288 struct task_security_struct *tsec; 3289 3290 secondary_ops->task_reparent_to_init(p); 3291 3292 tsec = p->security; 3293 tsec->osid = tsec->sid; 3294 tsec->sid = SECINITSID_KERNEL; 3295 return; 3296 } 3297 3298 static void selinux_task_to_inode(struct task_struct *p, 3299 struct inode *inode) 3300 { 3301 struct task_security_struct *tsec = p->security; 3302 struct inode_security_struct *isec = inode->i_security; 3303 3304 isec->sid = tsec->sid; 3305 isec->initialized = 1; 3306 return; 3307 } 3308 3309 /* Returns error only if unable to parse addresses */ 3310 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 3311 struct avc_audit_data *ad, u8 *proto) 3312 { 3313 int offset, ihlen, ret = -EINVAL; 3314 struct iphdr _iph, *ih; 3315 3316 offset = skb_network_offset(skb); 3317 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 3318 if (ih == NULL) 3319 goto out; 3320 3321 ihlen = ih->ihl * 4; 3322 if (ihlen < sizeof(_iph)) 3323 goto out; 3324 3325 ad->u.net.v4info.saddr = ih->saddr; 3326 ad->u.net.v4info.daddr = ih->daddr; 3327 ret = 0; 3328 3329 if (proto) 3330 *proto = ih->protocol; 3331 3332 switch (ih->protocol) { 3333 case IPPROTO_TCP: { 3334 struct tcphdr _tcph, *th; 3335 3336 if (ntohs(ih->frag_off) & IP_OFFSET) 3337 break; 3338 3339 offset += ihlen; 3340 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3341 if (th == NULL) 3342 break; 3343 3344 ad->u.net.sport = th->source; 3345 ad->u.net.dport = th->dest; 3346 break; 3347 } 3348 3349 case IPPROTO_UDP: { 3350 struct udphdr _udph, *uh; 3351 3352 if (ntohs(ih->frag_off) & IP_OFFSET) 3353 break; 3354 3355 offset += ihlen; 3356 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3357 if (uh == NULL) 3358 break; 3359 3360 ad->u.net.sport = uh->source; 3361 ad->u.net.dport = uh->dest; 3362 break; 3363 } 3364 3365 case IPPROTO_DCCP: { 3366 struct dccp_hdr _dccph, *dh; 3367 3368 if (ntohs(ih->frag_off) & IP_OFFSET) 3369 break; 3370 3371 offset += ihlen; 3372 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3373 if (dh == NULL) 3374 break; 3375 3376 ad->u.net.sport = dh->dccph_sport; 3377 ad->u.net.dport = dh->dccph_dport; 3378 break; 3379 } 3380 3381 default: 3382 break; 3383 } 3384 out: 3385 return ret; 3386 } 3387 3388 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3389 3390 /* Returns error only if unable to parse addresses */ 3391 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 3392 struct avc_audit_data *ad, u8 *proto) 3393 { 3394 u8 nexthdr; 3395 int ret = -EINVAL, offset; 3396 struct ipv6hdr _ipv6h, *ip6; 3397 3398 offset = skb_network_offset(skb); 3399 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3400 if (ip6 == NULL) 3401 goto out; 3402 3403 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr); 3404 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr); 3405 ret = 0; 3406 3407 nexthdr = ip6->nexthdr; 3408 offset += sizeof(_ipv6h); 3409 offset = ipv6_skip_exthdr(skb, offset, &nexthdr); 3410 if (offset < 0) 3411 goto out; 3412 3413 if (proto) 3414 *proto = nexthdr; 3415 3416 switch (nexthdr) { 3417 case IPPROTO_TCP: { 3418 struct tcphdr _tcph, *th; 3419 3420 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3421 if (th == NULL) 3422 break; 3423 3424 ad->u.net.sport = th->source; 3425 ad->u.net.dport = th->dest; 3426 break; 3427 } 3428 3429 case IPPROTO_UDP: { 3430 struct udphdr _udph, *uh; 3431 3432 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3433 if (uh == NULL) 3434 break; 3435 3436 ad->u.net.sport = uh->source; 3437 ad->u.net.dport = uh->dest; 3438 break; 3439 } 3440 3441 case IPPROTO_DCCP: { 3442 struct dccp_hdr _dccph, *dh; 3443 3444 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3445 if (dh == NULL) 3446 break; 3447 3448 ad->u.net.sport = dh->dccph_sport; 3449 ad->u.net.dport = dh->dccph_dport; 3450 break; 3451 } 3452 3453 /* includes fragments */ 3454 default: 3455 break; 3456 } 3457 out: 3458 return ret; 3459 } 3460 3461 #endif /* IPV6 */ 3462 3463 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, 3464 char **addrp, int src, u8 *proto) 3465 { 3466 int ret = 0; 3467 3468 switch (ad->u.net.family) { 3469 case PF_INET: 3470 ret = selinux_parse_skb_ipv4(skb, ad, proto); 3471 if (ret || !addrp) 3472 break; 3473 *addrp = (char *)(src ? &ad->u.net.v4info.saddr : 3474 &ad->u.net.v4info.daddr); 3475 break; 3476 3477 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3478 case PF_INET6: 3479 ret = selinux_parse_skb_ipv6(skb, ad, proto); 3480 if (ret || !addrp) 3481 break; 3482 *addrp = (char *)(src ? &ad->u.net.v6info.saddr : 3483 &ad->u.net.v6info.daddr); 3484 break; 3485 #endif /* IPV6 */ 3486 default: 3487 break; 3488 } 3489 3490 if (unlikely(ret)) 3491 printk(KERN_WARNING 3492 "SELinux: failure in selinux_parse_skb()," 3493 " unable to parse packet\n"); 3494 3495 return ret; 3496 } 3497 3498 /** 3499 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 3500 * @skb: the packet 3501 * @family: protocol family 3502 * @sid: the packet's peer label SID 3503 * 3504 * Description: 3505 * Check the various different forms of network peer labeling and determine 3506 * the peer label/SID for the packet; most of the magic actually occurs in 3507 * the security server function security_net_peersid_cmp(). The function 3508 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 3509 * or -EACCES if @sid is invalid due to inconsistencies with the different 3510 * peer labels. 3511 * 3512 */ 3513 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 3514 { 3515 int err; 3516 u32 xfrm_sid; 3517 u32 nlbl_sid; 3518 u32 nlbl_type; 3519 3520 selinux_skb_xfrm_sid(skb, &xfrm_sid); 3521 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 3522 3523 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 3524 if (unlikely(err)) { 3525 printk(KERN_WARNING 3526 "SELinux: failure in selinux_skb_peerlbl_sid()," 3527 " unable to determine packet's peer label\n"); 3528 return -EACCES; 3529 } 3530 3531 return 0; 3532 } 3533 3534 /* socket security operations */ 3535 static int socket_has_perm(struct task_struct *task, struct socket *sock, 3536 u32 perms) 3537 { 3538 struct inode_security_struct *isec; 3539 struct task_security_struct *tsec; 3540 struct avc_audit_data ad; 3541 int err = 0; 3542 3543 tsec = task->security; 3544 isec = SOCK_INODE(sock)->i_security; 3545 3546 if (isec->sid == SECINITSID_KERNEL) 3547 goto out; 3548 3549 AVC_AUDIT_DATA_INIT(&ad,NET); 3550 ad.u.net.sk = sock->sk; 3551 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 3552 3553 out: 3554 return err; 3555 } 3556 3557 static int selinux_socket_create(int family, int type, 3558 int protocol, int kern) 3559 { 3560 int err = 0; 3561 struct task_security_struct *tsec; 3562 u32 newsid; 3563 3564 if (kern) 3565 goto out; 3566 3567 tsec = current->security; 3568 newsid = tsec->sockcreate_sid ? : tsec->sid; 3569 err = avc_has_perm(tsec->sid, newsid, 3570 socket_type_to_security_class(family, type, 3571 protocol), SOCKET__CREATE, NULL); 3572 3573 out: 3574 return err; 3575 } 3576 3577 static int selinux_socket_post_create(struct socket *sock, int family, 3578 int type, int protocol, int kern) 3579 { 3580 int err = 0; 3581 struct inode_security_struct *isec; 3582 struct task_security_struct *tsec; 3583 struct sk_security_struct *sksec; 3584 u32 newsid; 3585 3586 isec = SOCK_INODE(sock)->i_security; 3587 3588 tsec = current->security; 3589 newsid = tsec->sockcreate_sid ? : tsec->sid; 3590 isec->sclass = socket_type_to_security_class(family, type, protocol); 3591 isec->sid = kern ? SECINITSID_KERNEL : newsid; 3592 isec->initialized = 1; 3593 3594 if (sock->sk) { 3595 sksec = sock->sk->sk_security; 3596 sksec->sid = isec->sid; 3597 sksec->sclass = isec->sclass; 3598 err = selinux_netlbl_socket_post_create(sock); 3599 } 3600 3601 return err; 3602 } 3603 3604 /* Range of port numbers used to automatically bind. 3605 Need to determine whether we should perform a name_bind 3606 permission check between the socket and the port number. */ 3607 3608 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 3609 { 3610 u16 family; 3611 int err; 3612 3613 err = socket_has_perm(current, sock, SOCKET__BIND); 3614 if (err) 3615 goto out; 3616 3617 /* 3618 * If PF_INET or PF_INET6, check name_bind permission for the port. 3619 * Multiple address binding for SCTP is not supported yet: we just 3620 * check the first address now. 3621 */ 3622 family = sock->sk->sk_family; 3623 if (family == PF_INET || family == PF_INET6) { 3624 char *addrp; 3625 struct inode_security_struct *isec; 3626 struct task_security_struct *tsec; 3627 struct avc_audit_data ad; 3628 struct sockaddr_in *addr4 = NULL; 3629 struct sockaddr_in6 *addr6 = NULL; 3630 unsigned short snum; 3631 struct sock *sk = sock->sk; 3632 u32 sid, node_perm, addrlen; 3633 3634 tsec = current->security; 3635 isec = SOCK_INODE(sock)->i_security; 3636 3637 if (family == PF_INET) { 3638 addr4 = (struct sockaddr_in *)address; 3639 snum = ntohs(addr4->sin_port); 3640 addrlen = sizeof(addr4->sin_addr.s_addr); 3641 addrp = (char *)&addr4->sin_addr.s_addr; 3642 } else { 3643 addr6 = (struct sockaddr_in6 *)address; 3644 snum = ntohs(addr6->sin6_port); 3645 addrlen = sizeof(addr6->sin6_addr.s6_addr); 3646 addrp = (char *)&addr6->sin6_addr.s6_addr; 3647 } 3648 3649 if (snum) { 3650 int low, high; 3651 3652 inet_get_local_port_range(&low, &high); 3653 3654 if (snum < max(PROT_SOCK, low) || snum > high) { 3655 err = security_port_sid(sk->sk_family, 3656 sk->sk_type, 3657 sk->sk_protocol, snum, 3658 &sid); 3659 if (err) 3660 goto out; 3661 AVC_AUDIT_DATA_INIT(&ad,NET); 3662 ad.u.net.sport = htons(snum); 3663 ad.u.net.family = family; 3664 err = avc_has_perm(isec->sid, sid, 3665 isec->sclass, 3666 SOCKET__NAME_BIND, &ad); 3667 if (err) 3668 goto out; 3669 } 3670 } 3671 3672 switch(isec->sclass) { 3673 case SECCLASS_TCP_SOCKET: 3674 node_perm = TCP_SOCKET__NODE_BIND; 3675 break; 3676 3677 case SECCLASS_UDP_SOCKET: 3678 node_perm = UDP_SOCKET__NODE_BIND; 3679 break; 3680 3681 case SECCLASS_DCCP_SOCKET: 3682 node_perm = DCCP_SOCKET__NODE_BIND; 3683 break; 3684 3685 default: 3686 node_perm = RAWIP_SOCKET__NODE_BIND; 3687 break; 3688 } 3689 3690 err = sel_netnode_sid(addrp, family, &sid); 3691 if (err) 3692 goto out; 3693 3694 AVC_AUDIT_DATA_INIT(&ad,NET); 3695 ad.u.net.sport = htons(snum); 3696 ad.u.net.family = family; 3697 3698 if (family == PF_INET) 3699 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr; 3700 else 3701 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr); 3702 3703 err = avc_has_perm(isec->sid, sid, 3704 isec->sclass, node_perm, &ad); 3705 if (err) 3706 goto out; 3707 } 3708 out: 3709 return err; 3710 } 3711 3712 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 3713 { 3714 struct inode_security_struct *isec; 3715 int err; 3716 3717 err = socket_has_perm(current, sock, SOCKET__CONNECT); 3718 if (err) 3719 return err; 3720 3721 /* 3722 * If a TCP or DCCP socket, check name_connect permission for the port. 3723 */ 3724 isec = SOCK_INODE(sock)->i_security; 3725 if (isec->sclass == SECCLASS_TCP_SOCKET || 3726 isec->sclass == SECCLASS_DCCP_SOCKET) { 3727 struct sock *sk = sock->sk; 3728 struct avc_audit_data ad; 3729 struct sockaddr_in *addr4 = NULL; 3730 struct sockaddr_in6 *addr6 = NULL; 3731 unsigned short snum; 3732 u32 sid, perm; 3733 3734 if (sk->sk_family == PF_INET) { 3735 addr4 = (struct sockaddr_in *)address; 3736 if (addrlen < sizeof(struct sockaddr_in)) 3737 return -EINVAL; 3738 snum = ntohs(addr4->sin_port); 3739 } else { 3740 addr6 = (struct sockaddr_in6 *)address; 3741 if (addrlen < SIN6_LEN_RFC2133) 3742 return -EINVAL; 3743 snum = ntohs(addr6->sin6_port); 3744 } 3745 3746 err = security_port_sid(sk->sk_family, sk->sk_type, 3747 sk->sk_protocol, snum, &sid); 3748 if (err) 3749 goto out; 3750 3751 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? 3752 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 3753 3754 AVC_AUDIT_DATA_INIT(&ad,NET); 3755 ad.u.net.dport = htons(snum); 3756 ad.u.net.family = sk->sk_family; 3757 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); 3758 if (err) 3759 goto out; 3760 } 3761 3762 out: 3763 return err; 3764 } 3765 3766 static int selinux_socket_listen(struct socket *sock, int backlog) 3767 { 3768 return socket_has_perm(current, sock, SOCKET__LISTEN); 3769 } 3770 3771 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 3772 { 3773 int err; 3774 struct inode_security_struct *isec; 3775 struct inode_security_struct *newisec; 3776 3777 err = socket_has_perm(current, sock, SOCKET__ACCEPT); 3778 if (err) 3779 return err; 3780 3781 newisec = SOCK_INODE(newsock)->i_security; 3782 3783 isec = SOCK_INODE(sock)->i_security; 3784 newisec->sclass = isec->sclass; 3785 newisec->sid = isec->sid; 3786 newisec->initialized = 1; 3787 3788 return 0; 3789 } 3790 3791 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3792 int size) 3793 { 3794 int rc; 3795 3796 rc = socket_has_perm(current, sock, SOCKET__WRITE); 3797 if (rc) 3798 return rc; 3799 3800 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE); 3801 } 3802 3803 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 3804 int size, int flags) 3805 { 3806 return socket_has_perm(current, sock, SOCKET__READ); 3807 } 3808 3809 static int selinux_socket_getsockname(struct socket *sock) 3810 { 3811 return socket_has_perm(current, sock, SOCKET__GETATTR); 3812 } 3813 3814 static int selinux_socket_getpeername(struct socket *sock) 3815 { 3816 return socket_has_perm(current, sock, SOCKET__GETATTR); 3817 } 3818 3819 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname) 3820 { 3821 int err; 3822 3823 err = socket_has_perm(current, sock, SOCKET__SETOPT); 3824 if (err) 3825 return err; 3826 3827 return selinux_netlbl_socket_setsockopt(sock, level, optname); 3828 } 3829 3830 static int selinux_socket_getsockopt(struct socket *sock, int level, 3831 int optname) 3832 { 3833 return socket_has_perm(current, sock, SOCKET__GETOPT); 3834 } 3835 3836 static int selinux_socket_shutdown(struct socket *sock, int how) 3837 { 3838 return socket_has_perm(current, sock, SOCKET__SHUTDOWN); 3839 } 3840 3841 static int selinux_socket_unix_stream_connect(struct socket *sock, 3842 struct socket *other, 3843 struct sock *newsk) 3844 { 3845 struct sk_security_struct *ssec; 3846 struct inode_security_struct *isec; 3847 struct inode_security_struct *other_isec; 3848 struct avc_audit_data ad; 3849 int err; 3850 3851 err = secondary_ops->unix_stream_connect(sock, other, newsk); 3852 if (err) 3853 return err; 3854 3855 isec = SOCK_INODE(sock)->i_security; 3856 other_isec = SOCK_INODE(other)->i_security; 3857 3858 AVC_AUDIT_DATA_INIT(&ad,NET); 3859 ad.u.net.sk = other->sk; 3860 3861 err = avc_has_perm(isec->sid, other_isec->sid, 3862 isec->sclass, 3863 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 3864 if (err) 3865 return err; 3866 3867 /* connecting socket */ 3868 ssec = sock->sk->sk_security; 3869 ssec->peer_sid = other_isec->sid; 3870 3871 /* server child socket */ 3872 ssec = newsk->sk_security; 3873 ssec->peer_sid = isec->sid; 3874 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid); 3875 3876 return err; 3877 } 3878 3879 static int selinux_socket_unix_may_send(struct socket *sock, 3880 struct socket *other) 3881 { 3882 struct inode_security_struct *isec; 3883 struct inode_security_struct *other_isec; 3884 struct avc_audit_data ad; 3885 int err; 3886 3887 isec = SOCK_INODE(sock)->i_security; 3888 other_isec = SOCK_INODE(other)->i_security; 3889 3890 AVC_AUDIT_DATA_INIT(&ad,NET); 3891 ad.u.net.sk = other->sk; 3892 3893 err = avc_has_perm(isec->sid, other_isec->sid, 3894 isec->sclass, SOCKET__SENDTO, &ad); 3895 if (err) 3896 return err; 3897 3898 return 0; 3899 } 3900 3901 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, 3902 u32 peer_sid, 3903 struct avc_audit_data *ad) 3904 { 3905 int err; 3906 u32 if_sid; 3907 u32 node_sid; 3908 3909 err = sel_netif_sid(ifindex, &if_sid); 3910 if (err) 3911 return err; 3912 err = avc_has_perm(peer_sid, if_sid, 3913 SECCLASS_NETIF, NETIF__INGRESS, ad); 3914 if (err) 3915 return err; 3916 3917 err = sel_netnode_sid(addrp, family, &node_sid); 3918 if (err) 3919 return err; 3920 return avc_has_perm(peer_sid, node_sid, 3921 SECCLASS_NODE, NODE__RECVFROM, ad); 3922 } 3923 3924 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk, 3925 struct sk_buff *skb, 3926 struct avc_audit_data *ad, 3927 u16 family, 3928 char *addrp) 3929 { 3930 int err; 3931 struct sk_security_struct *sksec = sk->sk_security; 3932 u16 sk_class; 3933 u32 netif_perm, node_perm, recv_perm; 3934 u32 port_sid, node_sid, if_sid, sk_sid; 3935 3936 sk_sid = sksec->sid; 3937 sk_class = sksec->sclass; 3938 3939 switch (sk_class) { 3940 case SECCLASS_UDP_SOCKET: 3941 netif_perm = NETIF__UDP_RECV; 3942 node_perm = NODE__UDP_RECV; 3943 recv_perm = UDP_SOCKET__RECV_MSG; 3944 break; 3945 case SECCLASS_TCP_SOCKET: 3946 netif_perm = NETIF__TCP_RECV; 3947 node_perm = NODE__TCP_RECV; 3948 recv_perm = TCP_SOCKET__RECV_MSG; 3949 break; 3950 case SECCLASS_DCCP_SOCKET: 3951 netif_perm = NETIF__DCCP_RECV; 3952 node_perm = NODE__DCCP_RECV; 3953 recv_perm = DCCP_SOCKET__RECV_MSG; 3954 break; 3955 default: 3956 netif_perm = NETIF__RAWIP_RECV; 3957 node_perm = NODE__RAWIP_RECV; 3958 recv_perm = 0; 3959 break; 3960 } 3961 3962 err = sel_netif_sid(skb->iif, &if_sid); 3963 if (err) 3964 return err; 3965 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 3966 if (err) 3967 return err; 3968 3969 err = sel_netnode_sid(addrp, family, &node_sid); 3970 if (err) 3971 return err; 3972 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad); 3973 if (err) 3974 return err; 3975 3976 if (!recv_perm) 3977 return 0; 3978 err = security_port_sid(sk->sk_family, sk->sk_type, 3979 sk->sk_protocol, ntohs(ad->u.net.sport), 3980 &port_sid); 3981 if (unlikely(err)) { 3982 printk(KERN_WARNING 3983 "SELinux: failure in" 3984 " selinux_sock_rcv_skb_iptables_compat()," 3985 " network port label not found\n"); 3986 return err; 3987 } 3988 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad); 3989 } 3990 3991 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 3992 struct avc_audit_data *ad, 3993 u16 family, char *addrp) 3994 { 3995 int err; 3996 struct sk_security_struct *sksec = sk->sk_security; 3997 u32 peer_sid; 3998 u32 sk_sid = sksec->sid; 3999 4000 if (selinux_compat_net) 4001 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad, 4002 family, addrp); 4003 else 4004 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4005 PACKET__RECV, ad); 4006 if (err) 4007 return err; 4008 4009 if (selinux_policycap_netpeer) { 4010 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4011 if (err) 4012 return err; 4013 err = avc_has_perm(sk_sid, peer_sid, 4014 SECCLASS_PEER, PEER__RECV, ad); 4015 } else { 4016 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad); 4017 if (err) 4018 return err; 4019 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad); 4020 } 4021 4022 return err; 4023 } 4024 4025 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4026 { 4027 int err; 4028 struct sk_security_struct *sksec = sk->sk_security; 4029 u16 family = sk->sk_family; 4030 u32 sk_sid = sksec->sid; 4031 struct avc_audit_data ad; 4032 char *addrp; 4033 4034 if (family != PF_INET && family != PF_INET6) 4035 return 0; 4036 4037 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 4038 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4039 family = PF_INET; 4040 4041 AVC_AUDIT_DATA_INIT(&ad, NET); 4042 ad.u.net.netif = skb->iif; 4043 ad.u.net.family = family; 4044 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4045 if (err) 4046 return err; 4047 4048 /* If any sort of compatibility mode is enabled then handoff processing 4049 * to the selinux_sock_rcv_skb_compat() function to deal with the 4050 * special handling. We do this in an attempt to keep this function 4051 * as fast and as clean as possible. */ 4052 if (selinux_compat_net || !selinux_policycap_netpeer) 4053 return selinux_sock_rcv_skb_compat(sk, skb, &ad, 4054 family, addrp); 4055 4056 if (netlbl_enabled() || selinux_xfrm_enabled()) { 4057 u32 peer_sid; 4058 4059 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4060 if (err) 4061 return err; 4062 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family, 4063 peer_sid, &ad); 4064 if (err) 4065 return err; 4066 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 4067 PEER__RECV, &ad); 4068 } 4069 4070 if (selinux_secmark_enabled()) { 4071 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4072 PACKET__RECV, &ad); 4073 if (err) 4074 return err; 4075 } 4076 4077 return err; 4078 } 4079 4080 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 4081 int __user *optlen, unsigned len) 4082 { 4083 int err = 0; 4084 char *scontext; 4085 u32 scontext_len; 4086 struct sk_security_struct *ssec; 4087 struct inode_security_struct *isec; 4088 u32 peer_sid = SECSID_NULL; 4089 4090 isec = SOCK_INODE(sock)->i_security; 4091 4092 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 4093 isec->sclass == SECCLASS_TCP_SOCKET) { 4094 ssec = sock->sk->sk_security; 4095 peer_sid = ssec->peer_sid; 4096 } 4097 if (peer_sid == SECSID_NULL) { 4098 err = -ENOPROTOOPT; 4099 goto out; 4100 } 4101 4102 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 4103 4104 if (err) 4105 goto out; 4106 4107 if (scontext_len > len) { 4108 err = -ERANGE; 4109 goto out_len; 4110 } 4111 4112 if (copy_to_user(optval, scontext, scontext_len)) 4113 err = -EFAULT; 4114 4115 out_len: 4116 if (put_user(scontext_len, optlen)) 4117 err = -EFAULT; 4118 4119 kfree(scontext); 4120 out: 4121 return err; 4122 } 4123 4124 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 4125 { 4126 u32 peer_secid = SECSID_NULL; 4127 u16 family; 4128 4129 if (sock) 4130 family = sock->sk->sk_family; 4131 else if (skb && skb->sk) 4132 family = skb->sk->sk_family; 4133 else 4134 goto out; 4135 4136 if (sock && family == PF_UNIX) 4137 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); 4138 else if (skb) 4139 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 4140 4141 out: 4142 *secid = peer_secid; 4143 if (peer_secid == SECSID_NULL) 4144 return -EINVAL; 4145 return 0; 4146 } 4147 4148 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 4149 { 4150 return sk_alloc_security(sk, family, priority); 4151 } 4152 4153 static void selinux_sk_free_security(struct sock *sk) 4154 { 4155 sk_free_security(sk); 4156 } 4157 4158 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 4159 { 4160 struct sk_security_struct *ssec = sk->sk_security; 4161 struct sk_security_struct *newssec = newsk->sk_security; 4162 4163 newssec->sid = ssec->sid; 4164 newssec->peer_sid = ssec->peer_sid; 4165 newssec->sclass = ssec->sclass; 4166 4167 selinux_netlbl_sk_security_reset(newssec, newsk->sk_family); 4168 } 4169 4170 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 4171 { 4172 if (!sk) 4173 *secid = SECINITSID_ANY_SOCKET; 4174 else { 4175 struct sk_security_struct *sksec = sk->sk_security; 4176 4177 *secid = sksec->sid; 4178 } 4179 } 4180 4181 static void selinux_sock_graft(struct sock* sk, struct socket *parent) 4182 { 4183 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; 4184 struct sk_security_struct *sksec = sk->sk_security; 4185 4186 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 4187 sk->sk_family == PF_UNIX) 4188 isec->sid = sksec->sid; 4189 sksec->sclass = isec->sclass; 4190 4191 selinux_netlbl_sock_graft(sk, parent); 4192 } 4193 4194 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4195 struct request_sock *req) 4196 { 4197 struct sk_security_struct *sksec = sk->sk_security; 4198 int err; 4199 u32 newsid; 4200 u32 peersid; 4201 4202 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid); 4203 if (err) 4204 return err; 4205 if (peersid == SECSID_NULL) { 4206 req->secid = sksec->sid; 4207 req->peer_secid = SECSID_NULL; 4208 return 0; 4209 } 4210 4211 err = security_sid_mls_copy(sksec->sid, peersid, &newsid); 4212 if (err) 4213 return err; 4214 4215 req->secid = newsid; 4216 req->peer_secid = peersid; 4217 return 0; 4218 } 4219 4220 static void selinux_inet_csk_clone(struct sock *newsk, 4221 const struct request_sock *req) 4222 { 4223 struct sk_security_struct *newsksec = newsk->sk_security; 4224 4225 newsksec->sid = req->secid; 4226 newsksec->peer_sid = req->peer_secid; 4227 /* NOTE: Ideally, we should also get the isec->sid for the 4228 new socket in sync, but we don't have the isec available yet. 4229 So we will wait until sock_graft to do it, by which 4230 time it will have been created and available. */ 4231 4232 /* We don't need to take any sort of lock here as we are the only 4233 * thread with access to newsksec */ 4234 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family); 4235 } 4236 4237 static void selinux_inet_conn_established(struct sock *sk, 4238 struct sk_buff *skb) 4239 { 4240 struct sk_security_struct *sksec = sk->sk_security; 4241 4242 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid); 4243 } 4244 4245 static void selinux_req_classify_flow(const struct request_sock *req, 4246 struct flowi *fl) 4247 { 4248 fl->secid = req->secid; 4249 } 4250 4251 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 4252 { 4253 int err = 0; 4254 u32 perm; 4255 struct nlmsghdr *nlh; 4256 struct socket *sock = sk->sk_socket; 4257 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 4258 4259 if (skb->len < NLMSG_SPACE(0)) { 4260 err = -EINVAL; 4261 goto out; 4262 } 4263 nlh = nlmsg_hdr(skb); 4264 4265 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); 4266 if (err) { 4267 if (err == -EINVAL) { 4268 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR, 4269 "SELinux: unrecognized netlink message" 4270 " type=%hu for sclass=%hu\n", 4271 nlh->nlmsg_type, isec->sclass); 4272 if (!selinux_enforcing) 4273 err = 0; 4274 } 4275 4276 /* Ignore */ 4277 if (err == -ENOENT) 4278 err = 0; 4279 goto out; 4280 } 4281 4282 err = socket_has_perm(current, sock, perm); 4283 out: 4284 return err; 4285 } 4286 4287 #ifdef CONFIG_NETFILTER 4288 4289 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, 4290 u16 family) 4291 { 4292 char *addrp; 4293 u32 peer_sid; 4294 struct avc_audit_data ad; 4295 u8 secmark_active; 4296 u8 peerlbl_active; 4297 4298 if (!selinux_policycap_netpeer) 4299 return NF_ACCEPT; 4300 4301 secmark_active = selinux_secmark_enabled(); 4302 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); 4303 if (!secmark_active && !peerlbl_active) 4304 return NF_ACCEPT; 4305 4306 AVC_AUDIT_DATA_INIT(&ad, NET); 4307 ad.u.net.netif = ifindex; 4308 ad.u.net.family = family; 4309 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 4310 return NF_DROP; 4311 4312 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 4313 return NF_DROP; 4314 4315 if (peerlbl_active) 4316 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family, 4317 peer_sid, &ad) != 0) 4318 return NF_DROP; 4319 4320 if (secmark_active) 4321 if (avc_has_perm(peer_sid, skb->secmark, 4322 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 4323 return NF_DROP; 4324 4325 return NF_ACCEPT; 4326 } 4327 4328 static unsigned int selinux_ipv4_forward(unsigned int hooknum, 4329 struct sk_buff *skb, 4330 const struct net_device *in, 4331 const struct net_device *out, 4332 int (*okfn)(struct sk_buff *)) 4333 { 4334 return selinux_ip_forward(skb, in->ifindex, PF_INET); 4335 } 4336 4337 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4338 static unsigned int selinux_ipv6_forward(unsigned int hooknum, 4339 struct sk_buff *skb, 4340 const struct net_device *in, 4341 const struct net_device *out, 4342 int (*okfn)(struct sk_buff *)) 4343 { 4344 return selinux_ip_forward(skb, in->ifindex, PF_INET6); 4345 } 4346 #endif /* IPV6 */ 4347 4348 static int selinux_ip_postroute_iptables_compat(struct sock *sk, 4349 int ifindex, 4350 struct avc_audit_data *ad, 4351 u16 family, char *addrp) 4352 { 4353 int err; 4354 struct sk_security_struct *sksec = sk->sk_security; 4355 u16 sk_class; 4356 u32 netif_perm, node_perm, send_perm; 4357 u32 port_sid, node_sid, if_sid, sk_sid; 4358 4359 sk_sid = sksec->sid; 4360 sk_class = sksec->sclass; 4361 4362 switch (sk_class) { 4363 case SECCLASS_UDP_SOCKET: 4364 netif_perm = NETIF__UDP_SEND; 4365 node_perm = NODE__UDP_SEND; 4366 send_perm = UDP_SOCKET__SEND_MSG; 4367 break; 4368 case SECCLASS_TCP_SOCKET: 4369 netif_perm = NETIF__TCP_SEND; 4370 node_perm = NODE__TCP_SEND; 4371 send_perm = TCP_SOCKET__SEND_MSG; 4372 break; 4373 case SECCLASS_DCCP_SOCKET: 4374 netif_perm = NETIF__DCCP_SEND; 4375 node_perm = NODE__DCCP_SEND; 4376 send_perm = DCCP_SOCKET__SEND_MSG; 4377 break; 4378 default: 4379 netif_perm = NETIF__RAWIP_SEND; 4380 node_perm = NODE__RAWIP_SEND; 4381 send_perm = 0; 4382 break; 4383 } 4384 4385 err = sel_netif_sid(ifindex, &if_sid); 4386 if (err) 4387 return err; 4388 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 4389 return err; 4390 4391 err = sel_netnode_sid(addrp, family, &node_sid); 4392 if (err) 4393 return err; 4394 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad); 4395 if (err) 4396 return err; 4397 4398 if (send_perm != 0) 4399 return 0; 4400 4401 err = security_port_sid(sk->sk_family, sk->sk_type, 4402 sk->sk_protocol, ntohs(ad->u.net.dport), 4403 &port_sid); 4404 if (unlikely(err)) { 4405 printk(KERN_WARNING 4406 "SELinux: failure in" 4407 " selinux_ip_postroute_iptables_compat()," 4408 " network port label not found\n"); 4409 return err; 4410 } 4411 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad); 4412 } 4413 4414 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 4415 int ifindex, 4416 struct avc_audit_data *ad, 4417 u16 family, 4418 char *addrp, 4419 u8 proto) 4420 { 4421 struct sock *sk = skb->sk; 4422 struct sk_security_struct *sksec; 4423 4424 if (sk == NULL) 4425 return NF_ACCEPT; 4426 sksec = sk->sk_security; 4427 4428 if (selinux_compat_net) { 4429 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex, 4430 ad, family, addrp)) 4431 return NF_DROP; 4432 } else { 4433 if (avc_has_perm(sksec->sid, skb->secmark, 4434 SECCLASS_PACKET, PACKET__SEND, ad)) 4435 return NF_DROP; 4436 } 4437 4438 if (selinux_policycap_netpeer) 4439 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto)) 4440 return NF_DROP; 4441 4442 return NF_ACCEPT; 4443 } 4444 4445 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, 4446 u16 family) 4447 { 4448 u32 secmark_perm; 4449 u32 peer_sid; 4450 struct sock *sk; 4451 struct avc_audit_data ad; 4452 char *addrp; 4453 u8 proto; 4454 u8 secmark_active; 4455 u8 peerlbl_active; 4456 4457 AVC_AUDIT_DATA_INIT(&ad, NET); 4458 ad.u.net.netif = ifindex; 4459 ad.u.net.family = family; 4460 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 4461 return NF_DROP; 4462 4463 /* If any sort of compatibility mode is enabled then handoff processing 4464 * to the selinux_ip_postroute_compat() function to deal with the 4465 * special handling. We do this in an attempt to keep this function 4466 * as fast and as clean as possible. */ 4467 if (selinux_compat_net || !selinux_policycap_netpeer) 4468 return selinux_ip_postroute_compat(skb, ifindex, &ad, 4469 family, addrp, proto); 4470 4471 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 4472 * packet transformation so allow the packet to pass without any checks 4473 * since we'll have another chance to perform access control checks 4474 * when the packet is on it's final way out. 4475 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 4476 * is NULL, in this case go ahead and apply access control. */ 4477 if (skb->dst != NULL && skb->dst->xfrm != NULL) 4478 return NF_ACCEPT; 4479 4480 secmark_active = selinux_secmark_enabled(); 4481 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); 4482 if (!secmark_active && !peerlbl_active) 4483 return NF_ACCEPT; 4484 4485 /* if the packet is locally generated (skb->sk != NULL) then use the 4486 * socket's label as the peer label, otherwise the packet is being 4487 * forwarded through this system and we need to fetch the peer label 4488 * directly from the packet */ 4489 sk = skb->sk; 4490 if (sk) { 4491 struct sk_security_struct *sksec = sk->sk_security; 4492 peer_sid = sksec->sid; 4493 secmark_perm = PACKET__SEND; 4494 } else { 4495 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 4496 return NF_DROP; 4497 secmark_perm = PACKET__FORWARD_OUT; 4498 } 4499 4500 if (secmark_active) 4501 if (avc_has_perm(peer_sid, skb->secmark, 4502 SECCLASS_PACKET, secmark_perm, &ad)) 4503 return NF_DROP; 4504 4505 if (peerlbl_active) { 4506 u32 if_sid; 4507 u32 node_sid; 4508 4509 if (sel_netif_sid(ifindex, &if_sid)) 4510 return NF_DROP; 4511 if (avc_has_perm(peer_sid, if_sid, 4512 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 4513 return NF_DROP; 4514 4515 if (sel_netnode_sid(addrp, family, &node_sid)) 4516 return NF_DROP; 4517 if (avc_has_perm(peer_sid, node_sid, 4518 SECCLASS_NODE, NODE__SENDTO, &ad)) 4519 return NF_DROP; 4520 } 4521 4522 return NF_ACCEPT; 4523 } 4524 4525 static unsigned int selinux_ipv4_postroute(unsigned int hooknum, 4526 struct sk_buff *skb, 4527 const struct net_device *in, 4528 const struct net_device *out, 4529 int (*okfn)(struct sk_buff *)) 4530 { 4531 return selinux_ip_postroute(skb, out->ifindex, PF_INET); 4532 } 4533 4534 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4535 static unsigned int selinux_ipv6_postroute(unsigned int hooknum, 4536 struct sk_buff *skb, 4537 const struct net_device *in, 4538 const struct net_device *out, 4539 int (*okfn)(struct sk_buff *)) 4540 { 4541 return selinux_ip_postroute(skb, out->ifindex, PF_INET6); 4542 } 4543 #endif /* IPV6 */ 4544 4545 #endif /* CONFIG_NETFILTER */ 4546 4547 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 4548 { 4549 int err; 4550 4551 err = secondary_ops->netlink_send(sk, skb); 4552 if (err) 4553 return err; 4554 4555 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS) 4556 err = selinux_nlmsg_perm(sk, skb); 4557 4558 return err; 4559 } 4560 4561 static int selinux_netlink_recv(struct sk_buff *skb, int capability) 4562 { 4563 int err; 4564 struct avc_audit_data ad; 4565 4566 err = secondary_ops->netlink_recv(skb, capability); 4567 if (err) 4568 return err; 4569 4570 AVC_AUDIT_DATA_INIT(&ad, CAP); 4571 ad.u.cap = capability; 4572 4573 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, 4574 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad); 4575 } 4576 4577 static int ipc_alloc_security(struct task_struct *task, 4578 struct kern_ipc_perm *perm, 4579 u16 sclass) 4580 { 4581 struct task_security_struct *tsec = task->security; 4582 struct ipc_security_struct *isec; 4583 4584 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 4585 if (!isec) 4586 return -ENOMEM; 4587 4588 isec->sclass = sclass; 4589 isec->sid = tsec->sid; 4590 perm->security = isec; 4591 4592 return 0; 4593 } 4594 4595 static void ipc_free_security(struct kern_ipc_perm *perm) 4596 { 4597 struct ipc_security_struct *isec = perm->security; 4598 perm->security = NULL; 4599 kfree(isec); 4600 } 4601 4602 static int msg_msg_alloc_security(struct msg_msg *msg) 4603 { 4604 struct msg_security_struct *msec; 4605 4606 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 4607 if (!msec) 4608 return -ENOMEM; 4609 4610 msec->sid = SECINITSID_UNLABELED; 4611 msg->security = msec; 4612 4613 return 0; 4614 } 4615 4616 static void msg_msg_free_security(struct msg_msg *msg) 4617 { 4618 struct msg_security_struct *msec = msg->security; 4619 4620 msg->security = NULL; 4621 kfree(msec); 4622 } 4623 4624 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 4625 u32 perms) 4626 { 4627 struct task_security_struct *tsec; 4628 struct ipc_security_struct *isec; 4629 struct avc_audit_data ad; 4630 4631 tsec = current->security; 4632 isec = ipc_perms->security; 4633 4634 AVC_AUDIT_DATA_INIT(&ad, IPC); 4635 ad.u.ipc_id = ipc_perms->key; 4636 4637 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 4638 } 4639 4640 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 4641 { 4642 return msg_msg_alloc_security(msg); 4643 } 4644 4645 static void selinux_msg_msg_free_security(struct msg_msg *msg) 4646 { 4647 msg_msg_free_security(msg); 4648 } 4649 4650 /* message queue security operations */ 4651 static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 4652 { 4653 struct task_security_struct *tsec; 4654 struct ipc_security_struct *isec; 4655 struct avc_audit_data ad; 4656 int rc; 4657 4658 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ); 4659 if (rc) 4660 return rc; 4661 4662 tsec = current->security; 4663 isec = msq->q_perm.security; 4664 4665 AVC_AUDIT_DATA_INIT(&ad, IPC); 4666 ad.u.ipc_id = msq->q_perm.key; 4667 4668 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 4669 MSGQ__CREATE, &ad); 4670 if (rc) { 4671 ipc_free_security(&msq->q_perm); 4672 return rc; 4673 } 4674 return 0; 4675 } 4676 4677 static void selinux_msg_queue_free_security(struct msg_queue *msq) 4678 { 4679 ipc_free_security(&msq->q_perm); 4680 } 4681 4682 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 4683 { 4684 struct task_security_struct *tsec; 4685 struct ipc_security_struct *isec; 4686 struct avc_audit_data ad; 4687 4688 tsec = current->security; 4689 isec = msq->q_perm.security; 4690 4691 AVC_AUDIT_DATA_INIT(&ad, IPC); 4692 ad.u.ipc_id = msq->q_perm.key; 4693 4694 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 4695 MSGQ__ASSOCIATE, &ad); 4696 } 4697 4698 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 4699 { 4700 int err; 4701 int perms; 4702 4703 switch(cmd) { 4704 case IPC_INFO: 4705 case MSG_INFO: 4706 /* No specific object, just general system-wide information. */ 4707 return task_has_system(current, SYSTEM__IPC_INFO); 4708 case IPC_STAT: 4709 case MSG_STAT: 4710 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 4711 break; 4712 case IPC_SET: 4713 perms = MSGQ__SETATTR; 4714 break; 4715 case IPC_RMID: 4716 perms = MSGQ__DESTROY; 4717 break; 4718 default: 4719 return 0; 4720 } 4721 4722 err = ipc_has_perm(&msq->q_perm, perms); 4723 return err; 4724 } 4725 4726 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 4727 { 4728 struct task_security_struct *tsec; 4729 struct ipc_security_struct *isec; 4730 struct msg_security_struct *msec; 4731 struct avc_audit_data ad; 4732 int rc; 4733 4734 tsec = current->security; 4735 isec = msq->q_perm.security; 4736 msec = msg->security; 4737 4738 /* 4739 * First time through, need to assign label to the message 4740 */ 4741 if (msec->sid == SECINITSID_UNLABELED) { 4742 /* 4743 * Compute new sid based on current process and 4744 * message queue this message will be stored in 4745 */ 4746 rc = security_transition_sid(tsec->sid, 4747 isec->sid, 4748 SECCLASS_MSG, 4749 &msec->sid); 4750 if (rc) 4751 return rc; 4752 } 4753 4754 AVC_AUDIT_DATA_INIT(&ad, IPC); 4755 ad.u.ipc_id = msq->q_perm.key; 4756 4757 /* Can this process write to the queue? */ 4758 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 4759 MSGQ__WRITE, &ad); 4760 if (!rc) 4761 /* Can this process send the message */ 4762 rc = avc_has_perm(tsec->sid, msec->sid, 4763 SECCLASS_MSG, MSG__SEND, &ad); 4764 if (!rc) 4765 /* Can the message be put in the queue? */ 4766 rc = avc_has_perm(msec->sid, isec->sid, 4767 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad); 4768 4769 return rc; 4770 } 4771 4772 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 4773 struct task_struct *target, 4774 long type, int mode) 4775 { 4776 struct task_security_struct *tsec; 4777 struct ipc_security_struct *isec; 4778 struct msg_security_struct *msec; 4779 struct avc_audit_data ad; 4780 int rc; 4781 4782 tsec = target->security; 4783 isec = msq->q_perm.security; 4784 msec = msg->security; 4785 4786 AVC_AUDIT_DATA_INIT(&ad, IPC); 4787 ad.u.ipc_id = msq->q_perm.key; 4788 4789 rc = avc_has_perm(tsec->sid, isec->sid, 4790 SECCLASS_MSGQ, MSGQ__READ, &ad); 4791 if (!rc) 4792 rc = avc_has_perm(tsec->sid, msec->sid, 4793 SECCLASS_MSG, MSG__RECEIVE, &ad); 4794 return rc; 4795 } 4796 4797 /* Shared Memory security operations */ 4798 static int selinux_shm_alloc_security(struct shmid_kernel *shp) 4799 { 4800 struct task_security_struct *tsec; 4801 struct ipc_security_struct *isec; 4802 struct avc_audit_data ad; 4803 int rc; 4804 4805 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM); 4806 if (rc) 4807 return rc; 4808 4809 tsec = current->security; 4810 isec = shp->shm_perm.security; 4811 4812 AVC_AUDIT_DATA_INIT(&ad, IPC); 4813 ad.u.ipc_id = shp->shm_perm.key; 4814 4815 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 4816 SHM__CREATE, &ad); 4817 if (rc) { 4818 ipc_free_security(&shp->shm_perm); 4819 return rc; 4820 } 4821 return 0; 4822 } 4823 4824 static void selinux_shm_free_security(struct shmid_kernel *shp) 4825 { 4826 ipc_free_security(&shp->shm_perm); 4827 } 4828 4829 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 4830 { 4831 struct task_security_struct *tsec; 4832 struct ipc_security_struct *isec; 4833 struct avc_audit_data ad; 4834 4835 tsec = current->security; 4836 isec = shp->shm_perm.security; 4837 4838 AVC_AUDIT_DATA_INIT(&ad, IPC); 4839 ad.u.ipc_id = shp->shm_perm.key; 4840 4841 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 4842 SHM__ASSOCIATE, &ad); 4843 } 4844 4845 /* Note, at this point, shp is locked down */ 4846 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 4847 { 4848 int perms; 4849 int err; 4850 4851 switch(cmd) { 4852 case IPC_INFO: 4853 case SHM_INFO: 4854 /* No specific object, just general system-wide information. */ 4855 return task_has_system(current, SYSTEM__IPC_INFO); 4856 case IPC_STAT: 4857 case SHM_STAT: 4858 perms = SHM__GETATTR | SHM__ASSOCIATE; 4859 break; 4860 case IPC_SET: 4861 perms = SHM__SETATTR; 4862 break; 4863 case SHM_LOCK: 4864 case SHM_UNLOCK: 4865 perms = SHM__LOCK; 4866 break; 4867 case IPC_RMID: 4868 perms = SHM__DESTROY; 4869 break; 4870 default: 4871 return 0; 4872 } 4873 4874 err = ipc_has_perm(&shp->shm_perm, perms); 4875 return err; 4876 } 4877 4878 static int selinux_shm_shmat(struct shmid_kernel *shp, 4879 char __user *shmaddr, int shmflg) 4880 { 4881 u32 perms; 4882 int rc; 4883 4884 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg); 4885 if (rc) 4886 return rc; 4887 4888 if (shmflg & SHM_RDONLY) 4889 perms = SHM__READ; 4890 else 4891 perms = SHM__READ | SHM__WRITE; 4892 4893 return ipc_has_perm(&shp->shm_perm, perms); 4894 } 4895 4896 /* Semaphore security operations */ 4897 static int selinux_sem_alloc_security(struct sem_array *sma) 4898 { 4899 struct task_security_struct *tsec; 4900 struct ipc_security_struct *isec; 4901 struct avc_audit_data ad; 4902 int rc; 4903 4904 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM); 4905 if (rc) 4906 return rc; 4907 4908 tsec = current->security; 4909 isec = sma->sem_perm.security; 4910 4911 AVC_AUDIT_DATA_INIT(&ad, IPC); 4912 ad.u.ipc_id = sma->sem_perm.key; 4913 4914 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 4915 SEM__CREATE, &ad); 4916 if (rc) { 4917 ipc_free_security(&sma->sem_perm); 4918 return rc; 4919 } 4920 return 0; 4921 } 4922 4923 static void selinux_sem_free_security(struct sem_array *sma) 4924 { 4925 ipc_free_security(&sma->sem_perm); 4926 } 4927 4928 static int selinux_sem_associate(struct sem_array *sma, int semflg) 4929 { 4930 struct task_security_struct *tsec; 4931 struct ipc_security_struct *isec; 4932 struct avc_audit_data ad; 4933 4934 tsec = current->security; 4935 isec = sma->sem_perm.security; 4936 4937 AVC_AUDIT_DATA_INIT(&ad, IPC); 4938 ad.u.ipc_id = sma->sem_perm.key; 4939 4940 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 4941 SEM__ASSOCIATE, &ad); 4942 } 4943 4944 /* Note, at this point, sma is locked down */ 4945 static int selinux_sem_semctl(struct sem_array *sma, int cmd) 4946 { 4947 int err; 4948 u32 perms; 4949 4950 switch(cmd) { 4951 case IPC_INFO: 4952 case SEM_INFO: 4953 /* No specific object, just general system-wide information. */ 4954 return task_has_system(current, SYSTEM__IPC_INFO); 4955 case GETPID: 4956 case GETNCNT: 4957 case GETZCNT: 4958 perms = SEM__GETATTR; 4959 break; 4960 case GETVAL: 4961 case GETALL: 4962 perms = SEM__READ; 4963 break; 4964 case SETVAL: 4965 case SETALL: 4966 perms = SEM__WRITE; 4967 break; 4968 case IPC_RMID: 4969 perms = SEM__DESTROY; 4970 break; 4971 case IPC_SET: 4972 perms = SEM__SETATTR; 4973 break; 4974 case IPC_STAT: 4975 case SEM_STAT: 4976 perms = SEM__GETATTR | SEM__ASSOCIATE; 4977 break; 4978 default: 4979 return 0; 4980 } 4981 4982 err = ipc_has_perm(&sma->sem_perm, perms); 4983 return err; 4984 } 4985 4986 static int selinux_sem_semop(struct sem_array *sma, 4987 struct sembuf *sops, unsigned nsops, int alter) 4988 { 4989 u32 perms; 4990 4991 if (alter) 4992 perms = SEM__READ | SEM__WRITE; 4993 else 4994 perms = SEM__READ; 4995 4996 return ipc_has_perm(&sma->sem_perm, perms); 4997 } 4998 4999 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 5000 { 5001 u32 av = 0; 5002 5003 av = 0; 5004 if (flag & S_IRUGO) 5005 av |= IPC__UNIX_READ; 5006 if (flag & S_IWUGO) 5007 av |= IPC__UNIX_WRITE; 5008 5009 if (av == 0) 5010 return 0; 5011 5012 return ipc_has_perm(ipcp, av); 5013 } 5014 5015 /* module stacking operations */ 5016 static int selinux_register_security (const char *name, struct security_operations *ops) 5017 { 5018 if (secondary_ops != original_ops) { 5019 printk(KERN_ERR "%s: There is already a secondary security " 5020 "module registered.\n", __FUNCTION__); 5021 return -EINVAL; 5022 } 5023 5024 secondary_ops = ops; 5025 5026 printk(KERN_INFO "%s: Registering secondary module %s\n", 5027 __FUNCTION__, 5028 name); 5029 5030 return 0; 5031 } 5032 5033 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode) 5034 { 5035 if (inode) 5036 inode_doinit_with_dentry(inode, dentry); 5037 } 5038 5039 static int selinux_getprocattr(struct task_struct *p, 5040 char *name, char **value) 5041 { 5042 struct task_security_struct *tsec; 5043 u32 sid; 5044 int error; 5045 unsigned len; 5046 5047 if (current != p) { 5048 error = task_has_perm(current, p, PROCESS__GETATTR); 5049 if (error) 5050 return error; 5051 } 5052 5053 tsec = p->security; 5054 5055 if (!strcmp(name, "current")) 5056 sid = tsec->sid; 5057 else if (!strcmp(name, "prev")) 5058 sid = tsec->osid; 5059 else if (!strcmp(name, "exec")) 5060 sid = tsec->exec_sid; 5061 else if (!strcmp(name, "fscreate")) 5062 sid = tsec->create_sid; 5063 else if (!strcmp(name, "keycreate")) 5064 sid = tsec->keycreate_sid; 5065 else if (!strcmp(name, "sockcreate")) 5066 sid = tsec->sockcreate_sid; 5067 else 5068 return -EINVAL; 5069 5070 if (!sid) 5071 return 0; 5072 5073 error = security_sid_to_context(sid, value, &len); 5074 if (error) 5075 return error; 5076 return len; 5077 } 5078 5079 static int selinux_setprocattr(struct task_struct *p, 5080 char *name, void *value, size_t size) 5081 { 5082 struct task_security_struct *tsec; 5083 u32 sid = 0; 5084 int error; 5085 char *str = value; 5086 5087 if (current != p) { 5088 /* SELinux only allows a process to change its own 5089 security attributes. */ 5090 return -EACCES; 5091 } 5092 5093 /* 5094 * Basic control over ability to set these attributes at all. 5095 * current == p, but we'll pass them separately in case the 5096 * above restriction is ever removed. 5097 */ 5098 if (!strcmp(name, "exec")) 5099 error = task_has_perm(current, p, PROCESS__SETEXEC); 5100 else if (!strcmp(name, "fscreate")) 5101 error = task_has_perm(current, p, PROCESS__SETFSCREATE); 5102 else if (!strcmp(name, "keycreate")) 5103 error = task_has_perm(current, p, PROCESS__SETKEYCREATE); 5104 else if (!strcmp(name, "sockcreate")) 5105 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE); 5106 else if (!strcmp(name, "current")) 5107 error = task_has_perm(current, p, PROCESS__SETCURRENT); 5108 else 5109 error = -EINVAL; 5110 if (error) 5111 return error; 5112 5113 /* Obtain a SID for the context, if one was specified. */ 5114 if (size && str[1] && str[1] != '\n') { 5115 if (str[size-1] == '\n') { 5116 str[size-1] = 0; 5117 size--; 5118 } 5119 error = security_context_to_sid(value, size, &sid); 5120 if (error) 5121 return error; 5122 } 5123 5124 /* Permission checking based on the specified context is 5125 performed during the actual operation (execve, 5126 open/mkdir/...), when we know the full context of the 5127 operation. See selinux_bprm_set_security for the execve 5128 checks and may_create for the file creation checks. The 5129 operation will then fail if the context is not permitted. */ 5130 tsec = p->security; 5131 if (!strcmp(name, "exec")) 5132 tsec->exec_sid = sid; 5133 else if (!strcmp(name, "fscreate")) 5134 tsec->create_sid = sid; 5135 else if (!strcmp(name, "keycreate")) { 5136 error = may_create_key(sid, p); 5137 if (error) 5138 return error; 5139 tsec->keycreate_sid = sid; 5140 } else if (!strcmp(name, "sockcreate")) 5141 tsec->sockcreate_sid = sid; 5142 else if (!strcmp(name, "current")) { 5143 struct av_decision avd; 5144 5145 if (sid == 0) 5146 return -EINVAL; 5147 5148 /* Only allow single threaded processes to change context */ 5149 if (atomic_read(&p->mm->mm_users) != 1) { 5150 struct task_struct *g, *t; 5151 struct mm_struct *mm = p->mm; 5152 read_lock(&tasklist_lock); 5153 do_each_thread(g, t) 5154 if (t->mm == mm && t != p) { 5155 read_unlock(&tasklist_lock); 5156 return -EPERM; 5157 } 5158 while_each_thread(g, t); 5159 read_unlock(&tasklist_lock); 5160 } 5161 5162 /* Check permissions for the transition. */ 5163 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 5164 PROCESS__DYNTRANSITION, NULL); 5165 if (error) 5166 return error; 5167 5168 /* Check for ptracing, and update the task SID if ok. 5169 Otherwise, leave SID unchanged and fail. */ 5170 task_lock(p); 5171 if (p->ptrace & PT_PTRACED) { 5172 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid, 5173 SECCLASS_PROCESS, 5174 PROCESS__PTRACE, 0, &avd); 5175 if (!error) 5176 tsec->sid = sid; 5177 task_unlock(p); 5178 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS, 5179 PROCESS__PTRACE, &avd, error, NULL); 5180 if (error) 5181 return error; 5182 } else { 5183 tsec->sid = sid; 5184 task_unlock(p); 5185 } 5186 } 5187 else 5188 return -EINVAL; 5189 5190 return size; 5191 } 5192 5193 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 5194 { 5195 return security_sid_to_context(secid, secdata, seclen); 5196 } 5197 5198 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid) 5199 { 5200 return security_context_to_sid(secdata, seclen, secid); 5201 } 5202 5203 static void selinux_release_secctx(char *secdata, u32 seclen) 5204 { 5205 kfree(secdata); 5206 } 5207 5208 #ifdef CONFIG_KEYS 5209 5210 static int selinux_key_alloc(struct key *k, struct task_struct *tsk, 5211 unsigned long flags) 5212 { 5213 struct task_security_struct *tsec = tsk->security; 5214 struct key_security_struct *ksec; 5215 5216 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 5217 if (!ksec) 5218 return -ENOMEM; 5219 5220 if (tsec->keycreate_sid) 5221 ksec->sid = tsec->keycreate_sid; 5222 else 5223 ksec->sid = tsec->sid; 5224 k->security = ksec; 5225 5226 return 0; 5227 } 5228 5229 static void selinux_key_free(struct key *k) 5230 { 5231 struct key_security_struct *ksec = k->security; 5232 5233 k->security = NULL; 5234 kfree(ksec); 5235 } 5236 5237 static int selinux_key_permission(key_ref_t key_ref, 5238 struct task_struct *ctx, 5239 key_perm_t perm) 5240 { 5241 struct key *key; 5242 struct task_security_struct *tsec; 5243 struct key_security_struct *ksec; 5244 5245 key = key_ref_to_ptr(key_ref); 5246 5247 tsec = ctx->security; 5248 ksec = key->security; 5249 5250 /* if no specific permissions are requested, we skip the 5251 permission check. No serious, additional covert channels 5252 appear to be created. */ 5253 if (perm == 0) 5254 return 0; 5255 5256 return avc_has_perm(tsec->sid, ksec->sid, 5257 SECCLASS_KEY, perm, NULL); 5258 } 5259 5260 #endif 5261 5262 static struct security_operations selinux_ops = { 5263 .ptrace = selinux_ptrace, 5264 .capget = selinux_capget, 5265 .capset_check = selinux_capset_check, 5266 .capset_set = selinux_capset_set, 5267 .sysctl = selinux_sysctl, 5268 .capable = selinux_capable, 5269 .quotactl = selinux_quotactl, 5270 .quota_on = selinux_quota_on, 5271 .syslog = selinux_syslog, 5272 .vm_enough_memory = selinux_vm_enough_memory, 5273 5274 .netlink_send = selinux_netlink_send, 5275 .netlink_recv = selinux_netlink_recv, 5276 5277 .bprm_alloc_security = selinux_bprm_alloc_security, 5278 .bprm_free_security = selinux_bprm_free_security, 5279 .bprm_apply_creds = selinux_bprm_apply_creds, 5280 .bprm_post_apply_creds = selinux_bprm_post_apply_creds, 5281 .bprm_set_security = selinux_bprm_set_security, 5282 .bprm_check_security = selinux_bprm_check_security, 5283 .bprm_secureexec = selinux_bprm_secureexec, 5284 5285 .sb_alloc_security = selinux_sb_alloc_security, 5286 .sb_free_security = selinux_sb_free_security, 5287 .sb_copy_data = selinux_sb_copy_data, 5288 .sb_kern_mount = selinux_sb_kern_mount, 5289 .sb_statfs = selinux_sb_statfs, 5290 .sb_mount = selinux_mount, 5291 .sb_umount = selinux_umount, 5292 .sb_get_mnt_opts = selinux_get_mnt_opts, 5293 .sb_set_mnt_opts = selinux_set_mnt_opts, 5294 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts, 5295 .sb_parse_opts_str = selinux_parse_opts_str, 5296 5297 5298 .inode_alloc_security = selinux_inode_alloc_security, 5299 .inode_free_security = selinux_inode_free_security, 5300 .inode_init_security = selinux_inode_init_security, 5301 .inode_create = selinux_inode_create, 5302 .inode_link = selinux_inode_link, 5303 .inode_unlink = selinux_inode_unlink, 5304 .inode_symlink = selinux_inode_symlink, 5305 .inode_mkdir = selinux_inode_mkdir, 5306 .inode_rmdir = selinux_inode_rmdir, 5307 .inode_mknod = selinux_inode_mknod, 5308 .inode_rename = selinux_inode_rename, 5309 .inode_readlink = selinux_inode_readlink, 5310 .inode_follow_link = selinux_inode_follow_link, 5311 .inode_permission = selinux_inode_permission, 5312 .inode_setattr = selinux_inode_setattr, 5313 .inode_getattr = selinux_inode_getattr, 5314 .inode_setxattr = selinux_inode_setxattr, 5315 .inode_post_setxattr = selinux_inode_post_setxattr, 5316 .inode_getxattr = selinux_inode_getxattr, 5317 .inode_listxattr = selinux_inode_listxattr, 5318 .inode_removexattr = selinux_inode_removexattr, 5319 .inode_getsecurity = selinux_inode_getsecurity, 5320 .inode_setsecurity = selinux_inode_setsecurity, 5321 .inode_listsecurity = selinux_inode_listsecurity, 5322 .inode_need_killpriv = selinux_inode_need_killpriv, 5323 .inode_killpriv = selinux_inode_killpriv, 5324 5325 .file_permission = selinux_file_permission, 5326 .file_alloc_security = selinux_file_alloc_security, 5327 .file_free_security = selinux_file_free_security, 5328 .file_ioctl = selinux_file_ioctl, 5329 .file_mmap = selinux_file_mmap, 5330 .file_mprotect = selinux_file_mprotect, 5331 .file_lock = selinux_file_lock, 5332 .file_fcntl = selinux_file_fcntl, 5333 .file_set_fowner = selinux_file_set_fowner, 5334 .file_send_sigiotask = selinux_file_send_sigiotask, 5335 .file_receive = selinux_file_receive, 5336 5337 .dentry_open = selinux_dentry_open, 5338 5339 .task_create = selinux_task_create, 5340 .task_alloc_security = selinux_task_alloc_security, 5341 .task_free_security = selinux_task_free_security, 5342 .task_setuid = selinux_task_setuid, 5343 .task_post_setuid = selinux_task_post_setuid, 5344 .task_setgid = selinux_task_setgid, 5345 .task_setpgid = selinux_task_setpgid, 5346 .task_getpgid = selinux_task_getpgid, 5347 .task_getsid = selinux_task_getsid, 5348 .task_getsecid = selinux_task_getsecid, 5349 .task_setgroups = selinux_task_setgroups, 5350 .task_setnice = selinux_task_setnice, 5351 .task_setioprio = selinux_task_setioprio, 5352 .task_getioprio = selinux_task_getioprio, 5353 .task_setrlimit = selinux_task_setrlimit, 5354 .task_setscheduler = selinux_task_setscheduler, 5355 .task_getscheduler = selinux_task_getscheduler, 5356 .task_movememory = selinux_task_movememory, 5357 .task_kill = selinux_task_kill, 5358 .task_wait = selinux_task_wait, 5359 .task_prctl = selinux_task_prctl, 5360 .task_reparent_to_init = selinux_task_reparent_to_init, 5361 .task_to_inode = selinux_task_to_inode, 5362 5363 .ipc_permission = selinux_ipc_permission, 5364 5365 .msg_msg_alloc_security = selinux_msg_msg_alloc_security, 5366 .msg_msg_free_security = selinux_msg_msg_free_security, 5367 5368 .msg_queue_alloc_security = selinux_msg_queue_alloc_security, 5369 .msg_queue_free_security = selinux_msg_queue_free_security, 5370 .msg_queue_associate = selinux_msg_queue_associate, 5371 .msg_queue_msgctl = selinux_msg_queue_msgctl, 5372 .msg_queue_msgsnd = selinux_msg_queue_msgsnd, 5373 .msg_queue_msgrcv = selinux_msg_queue_msgrcv, 5374 5375 .shm_alloc_security = selinux_shm_alloc_security, 5376 .shm_free_security = selinux_shm_free_security, 5377 .shm_associate = selinux_shm_associate, 5378 .shm_shmctl = selinux_shm_shmctl, 5379 .shm_shmat = selinux_shm_shmat, 5380 5381 .sem_alloc_security = selinux_sem_alloc_security, 5382 .sem_free_security = selinux_sem_free_security, 5383 .sem_associate = selinux_sem_associate, 5384 .sem_semctl = selinux_sem_semctl, 5385 .sem_semop = selinux_sem_semop, 5386 5387 .register_security = selinux_register_security, 5388 5389 .d_instantiate = selinux_d_instantiate, 5390 5391 .getprocattr = selinux_getprocattr, 5392 .setprocattr = selinux_setprocattr, 5393 5394 .secid_to_secctx = selinux_secid_to_secctx, 5395 .secctx_to_secid = selinux_secctx_to_secid, 5396 .release_secctx = selinux_release_secctx, 5397 5398 .unix_stream_connect = selinux_socket_unix_stream_connect, 5399 .unix_may_send = selinux_socket_unix_may_send, 5400 5401 .socket_create = selinux_socket_create, 5402 .socket_post_create = selinux_socket_post_create, 5403 .socket_bind = selinux_socket_bind, 5404 .socket_connect = selinux_socket_connect, 5405 .socket_listen = selinux_socket_listen, 5406 .socket_accept = selinux_socket_accept, 5407 .socket_sendmsg = selinux_socket_sendmsg, 5408 .socket_recvmsg = selinux_socket_recvmsg, 5409 .socket_getsockname = selinux_socket_getsockname, 5410 .socket_getpeername = selinux_socket_getpeername, 5411 .socket_getsockopt = selinux_socket_getsockopt, 5412 .socket_setsockopt = selinux_socket_setsockopt, 5413 .socket_shutdown = selinux_socket_shutdown, 5414 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb, 5415 .socket_getpeersec_stream = selinux_socket_getpeersec_stream, 5416 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram, 5417 .sk_alloc_security = selinux_sk_alloc_security, 5418 .sk_free_security = selinux_sk_free_security, 5419 .sk_clone_security = selinux_sk_clone_security, 5420 .sk_getsecid = selinux_sk_getsecid, 5421 .sock_graft = selinux_sock_graft, 5422 .inet_conn_request = selinux_inet_conn_request, 5423 .inet_csk_clone = selinux_inet_csk_clone, 5424 .inet_conn_established = selinux_inet_conn_established, 5425 .req_classify_flow = selinux_req_classify_flow, 5426 5427 #ifdef CONFIG_SECURITY_NETWORK_XFRM 5428 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, 5429 .xfrm_policy_clone_security = selinux_xfrm_policy_clone, 5430 .xfrm_policy_free_security = selinux_xfrm_policy_free, 5431 .xfrm_policy_delete_security = selinux_xfrm_policy_delete, 5432 .xfrm_state_alloc_security = selinux_xfrm_state_alloc, 5433 .xfrm_state_free_security = selinux_xfrm_state_free, 5434 .xfrm_state_delete_security = selinux_xfrm_state_delete, 5435 .xfrm_policy_lookup = selinux_xfrm_policy_lookup, 5436 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match, 5437 .xfrm_decode_session = selinux_xfrm_decode_session, 5438 #endif 5439 5440 #ifdef CONFIG_KEYS 5441 .key_alloc = selinux_key_alloc, 5442 .key_free = selinux_key_free, 5443 .key_permission = selinux_key_permission, 5444 #endif 5445 }; 5446 5447 static __init int selinux_init(void) 5448 { 5449 struct task_security_struct *tsec; 5450 5451 if (!selinux_enabled) { 5452 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 5453 return 0; 5454 } 5455 5456 printk(KERN_INFO "SELinux: Initializing.\n"); 5457 5458 /* Set the security state for the initial task. */ 5459 if (task_alloc_security(current)) 5460 panic("SELinux: Failed to initialize initial task.\n"); 5461 tsec = current->security; 5462 tsec->osid = tsec->sid = SECINITSID_KERNEL; 5463 5464 sel_inode_cache = kmem_cache_create("selinux_inode_security", 5465 sizeof(struct inode_security_struct), 5466 0, SLAB_PANIC, NULL); 5467 avc_init(); 5468 5469 original_ops = secondary_ops = security_ops; 5470 if (!secondary_ops) 5471 panic ("SELinux: No initial security operations\n"); 5472 if (register_security (&selinux_ops)) 5473 panic("SELinux: Unable to register with kernel.\n"); 5474 5475 if (selinux_enforcing) { 5476 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 5477 } else { 5478 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 5479 } 5480 5481 #ifdef CONFIG_KEYS 5482 /* Add security information to initial keyrings */ 5483 selinux_key_alloc(&root_user_keyring, current, 5484 KEY_ALLOC_NOT_IN_QUOTA); 5485 selinux_key_alloc(&root_session_keyring, current, 5486 KEY_ALLOC_NOT_IN_QUOTA); 5487 #endif 5488 5489 return 0; 5490 } 5491 5492 void selinux_complete_init(void) 5493 { 5494 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 5495 5496 /* Set up any superblocks initialized prior to the policy load. */ 5497 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 5498 spin_lock(&sb_lock); 5499 spin_lock(&sb_security_lock); 5500 next_sb: 5501 if (!list_empty(&superblock_security_head)) { 5502 struct superblock_security_struct *sbsec = 5503 list_entry(superblock_security_head.next, 5504 struct superblock_security_struct, 5505 list); 5506 struct super_block *sb = sbsec->sb; 5507 sb->s_count++; 5508 spin_unlock(&sb_security_lock); 5509 spin_unlock(&sb_lock); 5510 down_read(&sb->s_umount); 5511 if (sb->s_root) 5512 superblock_doinit(sb, NULL); 5513 drop_super(sb); 5514 spin_lock(&sb_lock); 5515 spin_lock(&sb_security_lock); 5516 list_del_init(&sbsec->list); 5517 goto next_sb; 5518 } 5519 spin_unlock(&sb_security_lock); 5520 spin_unlock(&sb_lock); 5521 } 5522 5523 /* SELinux requires early initialization in order to label 5524 all processes and objects when they are created. */ 5525 security_initcall(selinux_init); 5526 5527 #if defined(CONFIG_NETFILTER) 5528 5529 static struct nf_hook_ops selinux_ipv4_ops[] = { 5530 { 5531 .hook = selinux_ipv4_postroute, 5532 .owner = THIS_MODULE, 5533 .pf = PF_INET, 5534 .hooknum = NF_INET_POST_ROUTING, 5535 .priority = NF_IP_PRI_SELINUX_LAST, 5536 }, 5537 { 5538 .hook = selinux_ipv4_forward, 5539 .owner = THIS_MODULE, 5540 .pf = PF_INET, 5541 .hooknum = NF_INET_FORWARD, 5542 .priority = NF_IP_PRI_SELINUX_FIRST, 5543 } 5544 }; 5545 5546 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5547 5548 static struct nf_hook_ops selinux_ipv6_ops[] = { 5549 { 5550 .hook = selinux_ipv6_postroute, 5551 .owner = THIS_MODULE, 5552 .pf = PF_INET6, 5553 .hooknum = NF_INET_POST_ROUTING, 5554 .priority = NF_IP6_PRI_SELINUX_LAST, 5555 }, 5556 { 5557 .hook = selinux_ipv6_forward, 5558 .owner = THIS_MODULE, 5559 .pf = PF_INET6, 5560 .hooknum = NF_INET_FORWARD, 5561 .priority = NF_IP6_PRI_SELINUX_FIRST, 5562 } 5563 }; 5564 5565 #endif /* IPV6 */ 5566 5567 static int __init selinux_nf_ip_init(void) 5568 { 5569 int err = 0; 5570 u32 iter; 5571 5572 if (!selinux_enabled) 5573 goto out; 5574 5575 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 5576 5577 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) { 5578 err = nf_register_hook(&selinux_ipv4_ops[iter]); 5579 if (err) 5580 panic("SELinux: nf_register_hook for IPv4: error %d\n", 5581 err); 5582 } 5583 5584 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5585 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) { 5586 err = nf_register_hook(&selinux_ipv6_ops[iter]); 5587 if (err) 5588 panic("SELinux: nf_register_hook for IPv6: error %d\n", 5589 err); 5590 } 5591 #endif /* IPV6 */ 5592 5593 out: 5594 return err; 5595 } 5596 5597 __initcall(selinux_nf_ip_init); 5598 5599 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 5600 static void selinux_nf_ip_exit(void) 5601 { 5602 u32 iter; 5603 5604 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 5605 5606 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) 5607 nf_unregister_hook(&selinux_ipv4_ops[iter]); 5608 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5609 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) 5610 nf_unregister_hook(&selinux_ipv6_ops[iter]); 5611 #endif /* IPV6 */ 5612 } 5613 #endif 5614 5615 #else /* CONFIG_NETFILTER */ 5616 5617 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 5618 #define selinux_nf_ip_exit() 5619 #endif 5620 5621 #endif /* CONFIG_NETFILTER */ 5622 5623 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 5624 int selinux_disable(void) 5625 { 5626 extern void exit_sel_fs(void); 5627 static int selinux_disabled = 0; 5628 5629 if (ss_initialized) { 5630 /* Not permitted after initial policy load. */ 5631 return -EINVAL; 5632 } 5633 5634 if (selinux_disabled) { 5635 /* Only do this once. */ 5636 return -EINVAL; 5637 } 5638 5639 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 5640 5641 selinux_disabled = 1; 5642 selinux_enabled = 0; 5643 5644 /* Reset security_ops to the secondary module, dummy or capability. */ 5645 security_ops = secondary_ops; 5646 5647 /* Unregister netfilter hooks. */ 5648 selinux_nf_ip_exit(); 5649 5650 /* Unregister selinuxfs. */ 5651 exit_sel_fs(); 5652 5653 return 0; 5654 } 5655 #endif 5656 5657 5658