1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Eric Paris <eparis@redhat.com> 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 15 * <dgoeddel@trustedcs.com> 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 17 * Paul Moore <paul@paul-moore.com> 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 20 * 21 * This program is free software; you can redistribute it and/or modify 22 * it under the terms of the GNU General Public License version 2, 23 * as published by the Free Software Foundation. 24 */ 25 26 #include <linux/init.h> 27 #include <linux/kd.h> 28 #include <linux/kernel.h> 29 #include <linux/tracehook.h> 30 #include <linux/errno.h> 31 #include <linux/sched.h> 32 #include <linux/security.h> 33 #include <linux/xattr.h> 34 #include <linux/capability.h> 35 #include <linux/unistd.h> 36 #include <linux/mm.h> 37 #include <linux/mman.h> 38 #include <linux/slab.h> 39 #include <linux/pagemap.h> 40 #include <linux/proc_fs.h> 41 #include <linux/swap.h> 42 #include <linux/spinlock.h> 43 #include <linux/syscalls.h> 44 #include <linux/dcache.h> 45 #include <linux/file.h> 46 #include <linux/fdtable.h> 47 #include <linux/namei.h> 48 #include <linux/mount.h> 49 #include <linux/netfilter_ipv4.h> 50 #include <linux/netfilter_ipv6.h> 51 #include <linux/tty.h> 52 #include <net/icmp.h> 53 #include <net/ip.h> /* for local_port_range[] */ 54 #include <net/sock.h> 55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 56 #include <net/net_namespace.h> 57 #include <net/netlabel.h> 58 #include <linux/uaccess.h> 59 #include <asm/ioctls.h> 60 #include <linux/atomic.h> 61 #include <linux/bitops.h> 62 #include <linux/interrupt.h> 63 #include <linux/netdevice.h> /* for network interface checks */ 64 #include <net/netlink.h> 65 #include <linux/tcp.h> 66 #include <linux/udp.h> 67 #include <linux/dccp.h> 68 #include <linux/quota.h> 69 #include <linux/un.h> /* for Unix socket types */ 70 #include <net/af_unix.h> /* for Unix socket types */ 71 #include <linux/parser.h> 72 #include <linux/nfs_mount.h> 73 #include <net/ipv6.h> 74 #include <linux/hugetlb.h> 75 #include <linux/personality.h> 76 #include <linux/audit.h> 77 #include <linux/string.h> 78 #include <linux/selinux.h> 79 #include <linux/mutex.h> 80 #include <linux/posix-timers.h> 81 #include <linux/syslog.h> 82 #include <linux/user_namespace.h> 83 #include <linux/export.h> 84 #include <linux/msg.h> 85 #include <linux/shm.h> 86 87 #include "avc.h" 88 #include "objsec.h" 89 #include "netif.h" 90 #include "netnode.h" 91 #include "netport.h" 92 #include "xfrm.h" 93 #include "netlabel.h" 94 #include "audit.h" 95 #include "avc_ss.h" 96 97 extern struct security_operations *security_ops; 98 99 /* SECMARK reference count */ 100 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 101 102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 103 int selinux_enforcing; 104 105 static int __init enforcing_setup(char *str) 106 { 107 unsigned long enforcing; 108 if (!strict_strtoul(str, 0, &enforcing)) 109 selinux_enforcing = enforcing ? 1 : 0; 110 return 1; 111 } 112 __setup("enforcing=", enforcing_setup); 113 #endif 114 115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 116 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 117 118 static int __init selinux_enabled_setup(char *str) 119 { 120 unsigned long enabled; 121 if (!strict_strtoul(str, 0, &enabled)) 122 selinux_enabled = enabled ? 1 : 0; 123 return 1; 124 } 125 __setup("selinux=", selinux_enabled_setup); 126 #else 127 int selinux_enabled = 1; 128 #endif 129 130 static struct kmem_cache *sel_inode_cache; 131 132 /** 133 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 134 * 135 * Description: 136 * This function checks the SECMARK reference counter to see if any SECMARK 137 * targets are currently configured, if the reference counter is greater than 138 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 139 * enabled, false (0) if SECMARK is disabled. 140 * 141 */ 142 static int selinux_secmark_enabled(void) 143 { 144 return (atomic_read(&selinux_secmark_refcount) > 0); 145 } 146 147 /* 148 * initialise the security for the init task 149 */ 150 static void cred_init_security(void) 151 { 152 struct cred *cred = (struct cred *) current->real_cred; 153 struct task_security_struct *tsec; 154 155 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 156 if (!tsec) 157 panic("SELinux: Failed to initialize initial task.\n"); 158 159 tsec->osid = tsec->sid = SECINITSID_KERNEL; 160 cred->security = tsec; 161 } 162 163 /* 164 * get the security ID of a set of credentials 165 */ 166 static inline u32 cred_sid(const struct cred *cred) 167 { 168 const struct task_security_struct *tsec; 169 170 tsec = cred->security; 171 return tsec->sid; 172 } 173 174 /* 175 * get the objective security ID of a task 176 */ 177 static inline u32 task_sid(const struct task_struct *task) 178 { 179 u32 sid; 180 181 rcu_read_lock(); 182 sid = cred_sid(__task_cred(task)); 183 rcu_read_unlock(); 184 return sid; 185 } 186 187 /* 188 * get the subjective security ID of the current task 189 */ 190 static inline u32 current_sid(void) 191 { 192 const struct task_security_struct *tsec = current_security(); 193 194 return tsec->sid; 195 } 196 197 /* Allocate and free functions for each kind of security blob. */ 198 199 static int inode_alloc_security(struct inode *inode) 200 { 201 struct inode_security_struct *isec; 202 u32 sid = current_sid(); 203 204 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 205 if (!isec) 206 return -ENOMEM; 207 208 mutex_init(&isec->lock); 209 INIT_LIST_HEAD(&isec->list); 210 isec->inode = inode; 211 isec->sid = SECINITSID_UNLABELED; 212 isec->sclass = SECCLASS_FILE; 213 isec->task_sid = sid; 214 inode->i_security = isec; 215 216 return 0; 217 } 218 219 static void inode_free_security(struct inode *inode) 220 { 221 struct inode_security_struct *isec = inode->i_security; 222 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 223 224 spin_lock(&sbsec->isec_lock); 225 if (!list_empty(&isec->list)) 226 list_del_init(&isec->list); 227 spin_unlock(&sbsec->isec_lock); 228 229 inode->i_security = NULL; 230 kmem_cache_free(sel_inode_cache, isec); 231 } 232 233 static int file_alloc_security(struct file *file) 234 { 235 struct file_security_struct *fsec; 236 u32 sid = current_sid(); 237 238 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); 239 if (!fsec) 240 return -ENOMEM; 241 242 fsec->sid = sid; 243 fsec->fown_sid = sid; 244 file->f_security = fsec; 245 246 return 0; 247 } 248 249 static void file_free_security(struct file *file) 250 { 251 struct file_security_struct *fsec = file->f_security; 252 file->f_security = NULL; 253 kfree(fsec); 254 } 255 256 static int superblock_alloc_security(struct super_block *sb) 257 { 258 struct superblock_security_struct *sbsec; 259 260 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 261 if (!sbsec) 262 return -ENOMEM; 263 264 mutex_init(&sbsec->lock); 265 INIT_LIST_HEAD(&sbsec->isec_head); 266 spin_lock_init(&sbsec->isec_lock); 267 sbsec->sb = sb; 268 sbsec->sid = SECINITSID_UNLABELED; 269 sbsec->def_sid = SECINITSID_FILE; 270 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 271 sb->s_security = sbsec; 272 273 return 0; 274 } 275 276 static void superblock_free_security(struct super_block *sb) 277 { 278 struct superblock_security_struct *sbsec = sb->s_security; 279 sb->s_security = NULL; 280 kfree(sbsec); 281 } 282 283 /* The file system's label must be initialized prior to use. */ 284 285 static const char *labeling_behaviors[6] = { 286 "uses xattr", 287 "uses transition SIDs", 288 "uses task SIDs", 289 "uses genfs_contexts", 290 "not configured for labeling", 291 "uses mountpoint labeling", 292 }; 293 294 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 295 296 static inline int inode_doinit(struct inode *inode) 297 { 298 return inode_doinit_with_dentry(inode, NULL); 299 } 300 301 enum { 302 Opt_error = -1, 303 Opt_context = 1, 304 Opt_fscontext = 2, 305 Opt_defcontext = 3, 306 Opt_rootcontext = 4, 307 Opt_labelsupport = 5, 308 Opt_nextmntopt = 6, 309 }; 310 311 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1) 312 313 static const match_table_t tokens = { 314 {Opt_context, CONTEXT_STR "%s"}, 315 {Opt_fscontext, FSCONTEXT_STR "%s"}, 316 {Opt_defcontext, DEFCONTEXT_STR "%s"}, 317 {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, 318 {Opt_labelsupport, LABELSUPP_STR}, 319 {Opt_error, NULL}, 320 }; 321 322 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 323 324 static int may_context_mount_sb_relabel(u32 sid, 325 struct superblock_security_struct *sbsec, 326 const struct cred *cred) 327 { 328 const struct task_security_struct *tsec = cred->security; 329 int rc; 330 331 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 332 FILESYSTEM__RELABELFROM, NULL); 333 if (rc) 334 return rc; 335 336 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 337 FILESYSTEM__RELABELTO, NULL); 338 return rc; 339 } 340 341 static int may_context_mount_inode_relabel(u32 sid, 342 struct superblock_security_struct *sbsec, 343 const struct cred *cred) 344 { 345 const struct task_security_struct *tsec = cred->security; 346 int rc; 347 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 348 FILESYSTEM__RELABELFROM, NULL); 349 if (rc) 350 return rc; 351 352 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 353 FILESYSTEM__ASSOCIATE, NULL); 354 return rc; 355 } 356 357 static int selinux_is_sblabel_mnt(struct super_block *sb) 358 { 359 struct superblock_security_struct *sbsec = sb->s_security; 360 361 if (sbsec->behavior == SECURITY_FS_USE_XATTR || 362 sbsec->behavior == SECURITY_FS_USE_TRANS || 363 sbsec->behavior == SECURITY_FS_USE_TASK) 364 return 1; 365 366 /* Special handling for sysfs. Is genfs but also has setxattr handler*/ 367 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0) 368 return 1; 369 370 /* 371 * Special handling for rootfs. Is genfs but supports 372 * setting SELinux context on in-core inodes. 373 */ 374 if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0) 375 return 1; 376 377 return 0; 378 } 379 380 static int sb_finish_set_opts(struct super_block *sb) 381 { 382 struct superblock_security_struct *sbsec = sb->s_security; 383 struct dentry *root = sb->s_root; 384 struct inode *root_inode = root->d_inode; 385 int rc = 0; 386 387 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 388 /* Make sure that the xattr handler exists and that no 389 error other than -ENODATA is returned by getxattr on 390 the root directory. -ENODATA is ok, as this may be 391 the first boot of the SELinux kernel before we have 392 assigned xattr values to the filesystem. */ 393 if (!root_inode->i_op->getxattr) { 394 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 395 "xattr support\n", sb->s_id, sb->s_type->name); 396 rc = -EOPNOTSUPP; 397 goto out; 398 } 399 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0); 400 if (rc < 0 && rc != -ENODATA) { 401 if (rc == -EOPNOTSUPP) 402 printk(KERN_WARNING "SELinux: (dev %s, type " 403 "%s) has no security xattr handler\n", 404 sb->s_id, sb->s_type->name); 405 else 406 printk(KERN_WARNING "SELinux: (dev %s, type " 407 "%s) getxattr errno %d\n", sb->s_id, 408 sb->s_type->name, -rc); 409 goto out; 410 } 411 } 412 413 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) 414 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", 415 sb->s_id, sb->s_type->name); 416 else 417 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n", 418 sb->s_id, sb->s_type->name, 419 labeling_behaviors[sbsec->behavior-1]); 420 421 sbsec->flags |= SE_SBINITIALIZED; 422 if (selinux_is_sblabel_mnt(sb)) 423 sbsec->flags |= SBLABEL_MNT; 424 425 /* Initialize the root inode. */ 426 rc = inode_doinit_with_dentry(root_inode, root); 427 428 /* Initialize any other inodes associated with the superblock, e.g. 429 inodes created prior to initial policy load or inodes created 430 during get_sb by a pseudo filesystem that directly 431 populates itself. */ 432 spin_lock(&sbsec->isec_lock); 433 next_inode: 434 if (!list_empty(&sbsec->isec_head)) { 435 struct inode_security_struct *isec = 436 list_entry(sbsec->isec_head.next, 437 struct inode_security_struct, list); 438 struct inode *inode = isec->inode; 439 spin_unlock(&sbsec->isec_lock); 440 inode = igrab(inode); 441 if (inode) { 442 if (!IS_PRIVATE(inode)) 443 inode_doinit(inode); 444 iput(inode); 445 } 446 spin_lock(&sbsec->isec_lock); 447 list_del_init(&isec->list); 448 goto next_inode; 449 } 450 spin_unlock(&sbsec->isec_lock); 451 out: 452 return rc; 453 } 454 455 /* 456 * This function should allow an FS to ask what it's mount security 457 * options were so it can use those later for submounts, displaying 458 * mount options, or whatever. 459 */ 460 static int selinux_get_mnt_opts(const struct super_block *sb, 461 struct security_mnt_opts *opts) 462 { 463 int rc = 0, i; 464 struct superblock_security_struct *sbsec = sb->s_security; 465 char *context = NULL; 466 u32 len; 467 char tmp; 468 469 security_init_mnt_opts(opts); 470 471 if (!(sbsec->flags & SE_SBINITIALIZED)) 472 return -EINVAL; 473 474 if (!ss_initialized) 475 return -EINVAL; 476 477 /* make sure we always check enough bits to cover the mask */ 478 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS)); 479 480 tmp = sbsec->flags & SE_MNTMASK; 481 /* count the number of mount options for this sb */ 482 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) { 483 if (tmp & 0x01) 484 opts->num_mnt_opts++; 485 tmp >>= 1; 486 } 487 488 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 489 if (!opts->mnt_opts) { 490 rc = -ENOMEM; 491 goto out_free; 492 } 493 494 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); 495 if (!opts->mnt_opts_flags) { 496 rc = -ENOMEM; 497 goto out_free; 498 } 499 500 i = 0; 501 if (sbsec->flags & FSCONTEXT_MNT) { 502 rc = security_sid_to_context(sbsec->sid, &context, &len); 503 if (rc) 504 goto out_free; 505 opts->mnt_opts[i] = context; 506 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 507 } 508 if (sbsec->flags & CONTEXT_MNT) { 509 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); 510 if (rc) 511 goto out_free; 512 opts->mnt_opts[i] = context; 513 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 514 } 515 if (sbsec->flags & DEFCONTEXT_MNT) { 516 rc = security_sid_to_context(sbsec->def_sid, &context, &len); 517 if (rc) 518 goto out_free; 519 opts->mnt_opts[i] = context; 520 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 521 } 522 if (sbsec->flags & ROOTCONTEXT_MNT) { 523 struct inode *root = sbsec->sb->s_root->d_inode; 524 struct inode_security_struct *isec = root->i_security; 525 526 rc = security_sid_to_context(isec->sid, &context, &len); 527 if (rc) 528 goto out_free; 529 opts->mnt_opts[i] = context; 530 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 531 } 532 if (sbsec->flags & SBLABEL_MNT) { 533 opts->mnt_opts[i] = NULL; 534 opts->mnt_opts_flags[i++] = SBLABEL_MNT; 535 } 536 537 BUG_ON(i != opts->num_mnt_opts); 538 539 return 0; 540 541 out_free: 542 security_free_mnt_opts(opts); 543 return rc; 544 } 545 546 static int bad_option(struct superblock_security_struct *sbsec, char flag, 547 u32 old_sid, u32 new_sid) 548 { 549 char mnt_flags = sbsec->flags & SE_MNTMASK; 550 551 /* check if the old mount command had the same options */ 552 if (sbsec->flags & SE_SBINITIALIZED) 553 if (!(sbsec->flags & flag) || 554 (old_sid != new_sid)) 555 return 1; 556 557 /* check if we were passed the same options twice, 558 * aka someone passed context=a,context=b 559 */ 560 if (!(sbsec->flags & SE_SBINITIALIZED)) 561 if (mnt_flags & flag) 562 return 1; 563 return 0; 564 } 565 566 /* 567 * Allow filesystems with binary mount data to explicitly set mount point 568 * labeling information. 569 */ 570 static int selinux_set_mnt_opts(struct super_block *sb, 571 struct security_mnt_opts *opts) 572 { 573 const struct cred *cred = current_cred(); 574 int rc = 0, i; 575 struct superblock_security_struct *sbsec = sb->s_security; 576 const char *name = sb->s_type->name; 577 struct inode *inode = sbsec->sb->s_root->d_inode; 578 struct inode_security_struct *root_isec = inode->i_security; 579 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 580 u32 defcontext_sid = 0; 581 char **mount_options = opts->mnt_opts; 582 int *flags = opts->mnt_opts_flags; 583 int num_opts = opts->num_mnt_opts; 584 585 mutex_lock(&sbsec->lock); 586 587 if (!ss_initialized) { 588 if (!num_opts) { 589 /* Defer initialization until selinux_complete_init, 590 after the initial policy is loaded and the security 591 server is ready to handle calls. */ 592 goto out; 593 } 594 rc = -EINVAL; 595 printk(KERN_WARNING "SELinux: Unable to set superblock options " 596 "before the security server is initialized\n"); 597 goto out; 598 } 599 600 /* 601 * Binary mount data FS will come through this function twice. Once 602 * from an explicit call and once from the generic calls from the vfs. 603 * Since the generic VFS calls will not contain any security mount data 604 * we need to skip the double mount verification. 605 * 606 * This does open a hole in which we will not notice if the first 607 * mount using this sb set explict options and a second mount using 608 * this sb does not set any security options. (The first options 609 * will be used for both mounts) 610 */ 611 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 612 && (num_opts == 0)) 613 goto out; 614 615 /* 616 * parse the mount options, check if they are valid sids. 617 * also check if someone is trying to mount the same sb more 618 * than once with different security options. 619 */ 620 for (i = 0; i < num_opts; i++) { 621 u32 sid; 622 623 if (flags[i] == SBLABEL_MNT) 624 continue; 625 rc = security_context_to_sid(mount_options[i], 626 strlen(mount_options[i]), &sid); 627 if (rc) { 628 printk(KERN_WARNING "SELinux: security_context_to_sid" 629 "(%s) failed for (dev %s, type %s) errno=%d\n", 630 mount_options[i], sb->s_id, name, rc); 631 goto out; 632 } 633 switch (flags[i]) { 634 case FSCONTEXT_MNT: 635 fscontext_sid = sid; 636 637 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 638 fscontext_sid)) 639 goto out_double_mount; 640 641 sbsec->flags |= FSCONTEXT_MNT; 642 break; 643 case CONTEXT_MNT: 644 context_sid = sid; 645 646 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 647 context_sid)) 648 goto out_double_mount; 649 650 sbsec->flags |= CONTEXT_MNT; 651 break; 652 case ROOTCONTEXT_MNT: 653 rootcontext_sid = sid; 654 655 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 656 rootcontext_sid)) 657 goto out_double_mount; 658 659 sbsec->flags |= ROOTCONTEXT_MNT; 660 661 break; 662 case DEFCONTEXT_MNT: 663 defcontext_sid = sid; 664 665 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 666 defcontext_sid)) 667 goto out_double_mount; 668 669 sbsec->flags |= DEFCONTEXT_MNT; 670 671 break; 672 default: 673 rc = -EINVAL; 674 goto out; 675 } 676 } 677 678 if (sbsec->flags & SE_SBINITIALIZED) { 679 /* previously mounted with options, but not on this attempt? */ 680 if ((sbsec->flags & SE_MNTMASK) && !num_opts) 681 goto out_double_mount; 682 rc = 0; 683 goto out; 684 } 685 686 if (strcmp(sb->s_type->name, "proc") == 0) 687 sbsec->flags |= SE_SBPROC; 688 689 /* Determine the labeling behavior to use for this filesystem type. */ 690 rc = security_fs_use(sb); 691 if (rc) { 692 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", 693 __func__, sb->s_type->name, rc); 694 goto out; 695 } 696 697 /* sets the context of the superblock for the fs being mounted. */ 698 if (fscontext_sid) { 699 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 700 if (rc) 701 goto out; 702 703 sbsec->sid = fscontext_sid; 704 } 705 706 /* 707 * Switch to using mount point labeling behavior. 708 * sets the label used on all file below the mountpoint, and will set 709 * the superblock context if not already set. 710 */ 711 if (context_sid) { 712 if (!fscontext_sid) { 713 rc = may_context_mount_sb_relabel(context_sid, sbsec, 714 cred); 715 if (rc) 716 goto out; 717 sbsec->sid = context_sid; 718 } else { 719 rc = may_context_mount_inode_relabel(context_sid, sbsec, 720 cred); 721 if (rc) 722 goto out; 723 } 724 if (!rootcontext_sid) 725 rootcontext_sid = context_sid; 726 727 sbsec->mntpoint_sid = context_sid; 728 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 729 } 730 731 if (rootcontext_sid) { 732 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 733 cred); 734 if (rc) 735 goto out; 736 737 root_isec->sid = rootcontext_sid; 738 root_isec->initialized = 1; 739 } 740 741 if (defcontext_sid) { 742 if (sbsec->behavior != SECURITY_FS_USE_XATTR) { 743 rc = -EINVAL; 744 printk(KERN_WARNING "SELinux: defcontext option is " 745 "invalid for this filesystem type\n"); 746 goto out; 747 } 748 749 if (defcontext_sid != sbsec->def_sid) { 750 rc = may_context_mount_inode_relabel(defcontext_sid, 751 sbsec, cred); 752 if (rc) 753 goto out; 754 } 755 756 sbsec->def_sid = defcontext_sid; 757 } 758 759 rc = sb_finish_set_opts(sb); 760 out: 761 mutex_unlock(&sbsec->lock); 762 return rc; 763 out_double_mount: 764 rc = -EINVAL; 765 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 766 "security settings for (dev %s, type %s)\n", sb->s_id, name); 767 goto out; 768 } 769 770 static int selinux_cmp_sb_context(const struct super_block *oldsb, 771 const struct super_block *newsb) 772 { 773 struct superblock_security_struct *old = oldsb->s_security; 774 struct superblock_security_struct *new = newsb->s_security; 775 char oldflags = old->flags & SE_MNTMASK; 776 char newflags = new->flags & SE_MNTMASK; 777 778 if (oldflags != newflags) 779 goto mismatch; 780 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 781 goto mismatch; 782 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 783 goto mismatch; 784 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 785 goto mismatch; 786 if (oldflags & ROOTCONTEXT_MNT) { 787 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security; 788 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security; 789 if (oldroot->sid != newroot->sid) 790 goto mismatch; 791 } 792 return 0; 793 mismatch: 794 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, " 795 "different security settings for (dev %s, " 796 "type %s)\n", newsb->s_id, newsb->s_type->name); 797 return -EBUSY; 798 } 799 800 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 801 struct super_block *newsb) 802 { 803 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 804 struct superblock_security_struct *newsbsec = newsb->s_security; 805 806 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 807 int set_context = (oldsbsec->flags & CONTEXT_MNT); 808 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 809 810 /* 811 * if the parent was able to be mounted it clearly had no special lsm 812 * mount options. thus we can safely deal with this superblock later 813 */ 814 if (!ss_initialized) 815 return 0; 816 817 /* how can we clone if the old one wasn't set up?? */ 818 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 819 820 /* if fs is reusing a sb, make sure that the contexts match */ 821 if (newsbsec->flags & SE_SBINITIALIZED) 822 return selinux_cmp_sb_context(oldsb, newsb); 823 824 mutex_lock(&newsbsec->lock); 825 826 newsbsec->flags = oldsbsec->flags; 827 828 newsbsec->sid = oldsbsec->sid; 829 newsbsec->def_sid = oldsbsec->def_sid; 830 newsbsec->behavior = oldsbsec->behavior; 831 832 if (set_context) { 833 u32 sid = oldsbsec->mntpoint_sid; 834 835 if (!set_fscontext) 836 newsbsec->sid = sid; 837 if (!set_rootcontext) { 838 struct inode *newinode = newsb->s_root->d_inode; 839 struct inode_security_struct *newisec = newinode->i_security; 840 newisec->sid = sid; 841 } 842 newsbsec->mntpoint_sid = sid; 843 } 844 if (set_rootcontext) { 845 const struct inode *oldinode = oldsb->s_root->d_inode; 846 const struct inode_security_struct *oldisec = oldinode->i_security; 847 struct inode *newinode = newsb->s_root->d_inode; 848 struct inode_security_struct *newisec = newinode->i_security; 849 850 newisec->sid = oldisec->sid; 851 } 852 853 sb_finish_set_opts(newsb); 854 mutex_unlock(&newsbsec->lock); 855 return 0; 856 } 857 858 static int selinux_parse_opts_str(char *options, 859 struct security_mnt_opts *opts) 860 { 861 char *p; 862 char *context = NULL, *defcontext = NULL; 863 char *fscontext = NULL, *rootcontext = NULL; 864 int rc, num_mnt_opts = 0; 865 866 opts->num_mnt_opts = 0; 867 868 /* Standard string-based options. */ 869 while ((p = strsep(&options, "|")) != NULL) { 870 int token; 871 substring_t args[MAX_OPT_ARGS]; 872 873 if (!*p) 874 continue; 875 876 token = match_token(p, tokens, args); 877 878 switch (token) { 879 case Opt_context: 880 if (context || defcontext) { 881 rc = -EINVAL; 882 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 883 goto out_err; 884 } 885 context = match_strdup(&args[0]); 886 if (!context) { 887 rc = -ENOMEM; 888 goto out_err; 889 } 890 break; 891 892 case Opt_fscontext: 893 if (fscontext) { 894 rc = -EINVAL; 895 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 896 goto out_err; 897 } 898 fscontext = match_strdup(&args[0]); 899 if (!fscontext) { 900 rc = -ENOMEM; 901 goto out_err; 902 } 903 break; 904 905 case Opt_rootcontext: 906 if (rootcontext) { 907 rc = -EINVAL; 908 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 909 goto out_err; 910 } 911 rootcontext = match_strdup(&args[0]); 912 if (!rootcontext) { 913 rc = -ENOMEM; 914 goto out_err; 915 } 916 break; 917 918 case Opt_defcontext: 919 if (context || defcontext) { 920 rc = -EINVAL; 921 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 922 goto out_err; 923 } 924 defcontext = match_strdup(&args[0]); 925 if (!defcontext) { 926 rc = -ENOMEM; 927 goto out_err; 928 } 929 break; 930 case Opt_labelsupport: 931 break; 932 default: 933 rc = -EINVAL; 934 printk(KERN_WARNING "SELinux: unknown mount option\n"); 935 goto out_err; 936 937 } 938 } 939 940 rc = -ENOMEM; 941 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC); 942 if (!opts->mnt_opts) 943 goto out_err; 944 945 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC); 946 if (!opts->mnt_opts_flags) { 947 kfree(opts->mnt_opts); 948 goto out_err; 949 } 950 951 if (fscontext) { 952 opts->mnt_opts[num_mnt_opts] = fscontext; 953 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 954 } 955 if (context) { 956 opts->mnt_opts[num_mnt_opts] = context; 957 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 958 } 959 if (rootcontext) { 960 opts->mnt_opts[num_mnt_opts] = rootcontext; 961 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 962 } 963 if (defcontext) { 964 opts->mnt_opts[num_mnt_opts] = defcontext; 965 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 966 } 967 968 opts->num_mnt_opts = num_mnt_opts; 969 return 0; 970 971 out_err: 972 kfree(context); 973 kfree(defcontext); 974 kfree(fscontext); 975 kfree(rootcontext); 976 return rc; 977 } 978 /* 979 * string mount options parsing and call set the sbsec 980 */ 981 static int superblock_doinit(struct super_block *sb, void *data) 982 { 983 int rc = 0; 984 char *options = data; 985 struct security_mnt_opts opts; 986 987 security_init_mnt_opts(&opts); 988 989 if (!data) 990 goto out; 991 992 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); 993 994 rc = selinux_parse_opts_str(options, &opts); 995 if (rc) 996 goto out_err; 997 998 out: 999 rc = selinux_set_mnt_opts(sb, &opts); 1000 1001 out_err: 1002 security_free_mnt_opts(&opts); 1003 return rc; 1004 } 1005 1006 static void selinux_write_opts(struct seq_file *m, 1007 struct security_mnt_opts *opts) 1008 { 1009 int i; 1010 char *prefix; 1011 1012 for (i = 0; i < opts->num_mnt_opts; i++) { 1013 char *has_comma; 1014 1015 if (opts->mnt_opts[i]) 1016 has_comma = strchr(opts->mnt_opts[i], ','); 1017 else 1018 has_comma = NULL; 1019 1020 switch (opts->mnt_opts_flags[i]) { 1021 case CONTEXT_MNT: 1022 prefix = CONTEXT_STR; 1023 break; 1024 case FSCONTEXT_MNT: 1025 prefix = FSCONTEXT_STR; 1026 break; 1027 case ROOTCONTEXT_MNT: 1028 prefix = ROOTCONTEXT_STR; 1029 break; 1030 case DEFCONTEXT_MNT: 1031 prefix = DEFCONTEXT_STR; 1032 break; 1033 case SBLABEL_MNT: 1034 seq_putc(m, ','); 1035 seq_puts(m, LABELSUPP_STR); 1036 continue; 1037 default: 1038 BUG(); 1039 return; 1040 }; 1041 /* we need a comma before each option */ 1042 seq_putc(m, ','); 1043 seq_puts(m, prefix); 1044 if (has_comma) 1045 seq_putc(m, '\"'); 1046 seq_puts(m, opts->mnt_opts[i]); 1047 if (has_comma) 1048 seq_putc(m, '\"'); 1049 } 1050 } 1051 1052 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1053 { 1054 struct security_mnt_opts opts; 1055 int rc; 1056 1057 rc = selinux_get_mnt_opts(sb, &opts); 1058 if (rc) { 1059 /* before policy load we may get EINVAL, don't show anything */ 1060 if (rc == -EINVAL) 1061 rc = 0; 1062 return rc; 1063 } 1064 1065 selinux_write_opts(m, &opts); 1066 1067 security_free_mnt_opts(&opts); 1068 1069 return rc; 1070 } 1071 1072 static inline u16 inode_mode_to_security_class(umode_t mode) 1073 { 1074 switch (mode & S_IFMT) { 1075 case S_IFSOCK: 1076 return SECCLASS_SOCK_FILE; 1077 case S_IFLNK: 1078 return SECCLASS_LNK_FILE; 1079 case S_IFREG: 1080 return SECCLASS_FILE; 1081 case S_IFBLK: 1082 return SECCLASS_BLK_FILE; 1083 case S_IFDIR: 1084 return SECCLASS_DIR; 1085 case S_IFCHR: 1086 return SECCLASS_CHR_FILE; 1087 case S_IFIFO: 1088 return SECCLASS_FIFO_FILE; 1089 1090 } 1091 1092 return SECCLASS_FILE; 1093 } 1094 1095 static inline int default_protocol_stream(int protocol) 1096 { 1097 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1098 } 1099 1100 static inline int default_protocol_dgram(int protocol) 1101 { 1102 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1103 } 1104 1105 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1106 { 1107 switch (family) { 1108 case PF_UNIX: 1109 switch (type) { 1110 case SOCK_STREAM: 1111 case SOCK_SEQPACKET: 1112 return SECCLASS_UNIX_STREAM_SOCKET; 1113 case SOCK_DGRAM: 1114 return SECCLASS_UNIX_DGRAM_SOCKET; 1115 } 1116 break; 1117 case PF_INET: 1118 case PF_INET6: 1119 switch (type) { 1120 case SOCK_STREAM: 1121 if (default_protocol_stream(protocol)) 1122 return SECCLASS_TCP_SOCKET; 1123 else 1124 return SECCLASS_RAWIP_SOCKET; 1125 case SOCK_DGRAM: 1126 if (default_protocol_dgram(protocol)) 1127 return SECCLASS_UDP_SOCKET; 1128 else 1129 return SECCLASS_RAWIP_SOCKET; 1130 case SOCK_DCCP: 1131 return SECCLASS_DCCP_SOCKET; 1132 default: 1133 return SECCLASS_RAWIP_SOCKET; 1134 } 1135 break; 1136 case PF_NETLINK: 1137 switch (protocol) { 1138 case NETLINK_ROUTE: 1139 return SECCLASS_NETLINK_ROUTE_SOCKET; 1140 case NETLINK_FIREWALL: 1141 return SECCLASS_NETLINK_FIREWALL_SOCKET; 1142 case NETLINK_SOCK_DIAG: 1143 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1144 case NETLINK_NFLOG: 1145 return SECCLASS_NETLINK_NFLOG_SOCKET; 1146 case NETLINK_XFRM: 1147 return SECCLASS_NETLINK_XFRM_SOCKET; 1148 case NETLINK_SELINUX: 1149 return SECCLASS_NETLINK_SELINUX_SOCKET; 1150 case NETLINK_AUDIT: 1151 return SECCLASS_NETLINK_AUDIT_SOCKET; 1152 case NETLINK_IP6_FW: 1153 return SECCLASS_NETLINK_IP6FW_SOCKET; 1154 case NETLINK_DNRTMSG: 1155 return SECCLASS_NETLINK_DNRT_SOCKET; 1156 case NETLINK_KOBJECT_UEVENT: 1157 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1158 default: 1159 return SECCLASS_NETLINK_SOCKET; 1160 } 1161 case PF_PACKET: 1162 return SECCLASS_PACKET_SOCKET; 1163 case PF_KEY: 1164 return SECCLASS_KEY_SOCKET; 1165 case PF_APPLETALK: 1166 return SECCLASS_APPLETALK_SOCKET; 1167 } 1168 1169 return SECCLASS_SOCKET; 1170 } 1171 1172 #ifdef CONFIG_PROC_FS 1173 static int selinux_proc_get_sid(struct dentry *dentry, 1174 u16 tclass, 1175 u32 *sid) 1176 { 1177 int rc; 1178 char *buffer, *path; 1179 1180 buffer = (char *)__get_free_page(GFP_KERNEL); 1181 if (!buffer) 1182 return -ENOMEM; 1183 1184 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1185 if (IS_ERR(path)) 1186 rc = PTR_ERR(path); 1187 else { 1188 /* each process gets a /proc/PID/ entry. Strip off the 1189 * PID part to get a valid selinux labeling. 1190 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1191 while (path[1] >= '0' && path[1] <= '9') { 1192 path[1] = '/'; 1193 path++; 1194 } 1195 rc = security_genfs_sid("proc", path, tclass, sid); 1196 } 1197 free_page((unsigned long)buffer); 1198 return rc; 1199 } 1200 #else 1201 static int selinux_proc_get_sid(struct dentry *dentry, 1202 u16 tclass, 1203 u32 *sid) 1204 { 1205 return -EINVAL; 1206 } 1207 #endif 1208 1209 /* The inode's security attributes must be initialized before first use. */ 1210 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1211 { 1212 struct superblock_security_struct *sbsec = NULL; 1213 struct inode_security_struct *isec = inode->i_security; 1214 u32 sid; 1215 struct dentry *dentry; 1216 #define INITCONTEXTLEN 255 1217 char *context = NULL; 1218 unsigned len = 0; 1219 int rc = 0; 1220 1221 if (isec->initialized) 1222 goto out; 1223 1224 mutex_lock(&isec->lock); 1225 if (isec->initialized) 1226 goto out_unlock; 1227 1228 sbsec = inode->i_sb->s_security; 1229 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1230 /* Defer initialization until selinux_complete_init, 1231 after the initial policy is loaded and the security 1232 server is ready to handle calls. */ 1233 spin_lock(&sbsec->isec_lock); 1234 if (list_empty(&isec->list)) 1235 list_add(&isec->list, &sbsec->isec_head); 1236 spin_unlock(&sbsec->isec_lock); 1237 goto out_unlock; 1238 } 1239 1240 switch (sbsec->behavior) { 1241 case SECURITY_FS_USE_XATTR: 1242 if (!inode->i_op->getxattr) { 1243 isec->sid = sbsec->def_sid; 1244 break; 1245 } 1246 1247 /* Need a dentry, since the xattr API requires one. 1248 Life would be simpler if we could just pass the inode. */ 1249 if (opt_dentry) { 1250 /* Called from d_instantiate or d_splice_alias. */ 1251 dentry = dget(opt_dentry); 1252 } else { 1253 /* Called from selinux_complete_init, try to find a dentry. */ 1254 dentry = d_find_alias(inode); 1255 } 1256 if (!dentry) { 1257 /* 1258 * this is can be hit on boot when a file is accessed 1259 * before the policy is loaded. When we load policy we 1260 * may find inodes that have no dentry on the 1261 * sbsec->isec_head list. No reason to complain as these 1262 * will get fixed up the next time we go through 1263 * inode_doinit with a dentry, before these inodes could 1264 * be used again by userspace. 1265 */ 1266 goto out_unlock; 1267 } 1268 1269 len = INITCONTEXTLEN; 1270 context = kmalloc(len+1, GFP_NOFS); 1271 if (!context) { 1272 rc = -ENOMEM; 1273 dput(dentry); 1274 goto out_unlock; 1275 } 1276 context[len] = '\0'; 1277 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1278 context, len); 1279 if (rc == -ERANGE) { 1280 kfree(context); 1281 1282 /* Need a larger buffer. Query for the right size. */ 1283 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1284 NULL, 0); 1285 if (rc < 0) { 1286 dput(dentry); 1287 goto out_unlock; 1288 } 1289 len = rc; 1290 context = kmalloc(len+1, GFP_NOFS); 1291 if (!context) { 1292 rc = -ENOMEM; 1293 dput(dentry); 1294 goto out_unlock; 1295 } 1296 context[len] = '\0'; 1297 rc = inode->i_op->getxattr(dentry, 1298 XATTR_NAME_SELINUX, 1299 context, len); 1300 } 1301 dput(dentry); 1302 if (rc < 0) { 1303 if (rc != -ENODATA) { 1304 printk(KERN_WARNING "SELinux: %s: getxattr returned " 1305 "%d for dev=%s ino=%ld\n", __func__, 1306 -rc, inode->i_sb->s_id, inode->i_ino); 1307 kfree(context); 1308 goto out_unlock; 1309 } 1310 /* Map ENODATA to the default file SID */ 1311 sid = sbsec->def_sid; 1312 rc = 0; 1313 } else { 1314 rc = security_context_to_sid_default(context, rc, &sid, 1315 sbsec->def_sid, 1316 GFP_NOFS); 1317 if (rc) { 1318 char *dev = inode->i_sb->s_id; 1319 unsigned long ino = inode->i_ino; 1320 1321 if (rc == -EINVAL) { 1322 if (printk_ratelimit()) 1323 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " 1324 "context=%s. This indicates you may need to relabel the inode or the " 1325 "filesystem in question.\n", ino, dev, context); 1326 } else { 1327 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " 1328 "returned %d for dev=%s ino=%ld\n", 1329 __func__, context, -rc, dev, ino); 1330 } 1331 kfree(context); 1332 /* Leave with the unlabeled SID */ 1333 rc = 0; 1334 break; 1335 } 1336 } 1337 kfree(context); 1338 isec->sid = sid; 1339 break; 1340 case SECURITY_FS_USE_TASK: 1341 isec->sid = isec->task_sid; 1342 break; 1343 case SECURITY_FS_USE_TRANS: 1344 /* Default to the fs SID. */ 1345 isec->sid = sbsec->sid; 1346 1347 /* Try to obtain a transition SID. */ 1348 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1349 rc = security_transition_sid(isec->task_sid, sbsec->sid, 1350 isec->sclass, NULL, &sid); 1351 if (rc) 1352 goto out_unlock; 1353 isec->sid = sid; 1354 break; 1355 case SECURITY_FS_USE_MNTPOINT: 1356 isec->sid = sbsec->mntpoint_sid; 1357 break; 1358 default: 1359 /* Default to the fs superblock SID. */ 1360 isec->sid = sbsec->sid; 1361 1362 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) { 1363 if (opt_dentry) { 1364 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1365 rc = selinux_proc_get_sid(opt_dentry, 1366 isec->sclass, 1367 &sid); 1368 if (rc) 1369 goto out_unlock; 1370 isec->sid = sid; 1371 } 1372 } 1373 break; 1374 } 1375 1376 isec->initialized = 1; 1377 1378 out_unlock: 1379 mutex_unlock(&isec->lock); 1380 out: 1381 if (isec->sclass == SECCLASS_FILE) 1382 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1383 return rc; 1384 } 1385 1386 /* Convert a Linux signal to an access vector. */ 1387 static inline u32 signal_to_av(int sig) 1388 { 1389 u32 perm = 0; 1390 1391 switch (sig) { 1392 case SIGCHLD: 1393 /* Commonly granted from child to parent. */ 1394 perm = PROCESS__SIGCHLD; 1395 break; 1396 case SIGKILL: 1397 /* Cannot be caught or ignored */ 1398 perm = PROCESS__SIGKILL; 1399 break; 1400 case SIGSTOP: 1401 /* Cannot be caught or ignored */ 1402 perm = PROCESS__SIGSTOP; 1403 break; 1404 default: 1405 /* All other signals. */ 1406 perm = PROCESS__SIGNAL; 1407 break; 1408 } 1409 1410 return perm; 1411 } 1412 1413 /* 1414 * Check permission between a pair of credentials 1415 * fork check, ptrace check, etc. 1416 */ 1417 static int cred_has_perm(const struct cred *actor, 1418 const struct cred *target, 1419 u32 perms) 1420 { 1421 u32 asid = cred_sid(actor), tsid = cred_sid(target); 1422 1423 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL); 1424 } 1425 1426 /* 1427 * Check permission between a pair of tasks, e.g. signal checks, 1428 * fork check, ptrace check, etc. 1429 * tsk1 is the actor and tsk2 is the target 1430 * - this uses the default subjective creds of tsk1 1431 */ 1432 static int task_has_perm(const struct task_struct *tsk1, 1433 const struct task_struct *tsk2, 1434 u32 perms) 1435 { 1436 const struct task_security_struct *__tsec1, *__tsec2; 1437 u32 sid1, sid2; 1438 1439 rcu_read_lock(); 1440 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid; 1441 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid; 1442 rcu_read_unlock(); 1443 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL); 1444 } 1445 1446 /* 1447 * Check permission between current and another task, e.g. signal checks, 1448 * fork check, ptrace check, etc. 1449 * current is the actor and tsk2 is the target 1450 * - this uses current's subjective creds 1451 */ 1452 static int current_has_perm(const struct task_struct *tsk, 1453 u32 perms) 1454 { 1455 u32 sid, tsid; 1456 1457 sid = current_sid(); 1458 tsid = task_sid(tsk); 1459 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL); 1460 } 1461 1462 #if CAP_LAST_CAP > 63 1463 #error Fix SELinux to handle capabilities > 63. 1464 #endif 1465 1466 /* Check whether a task is allowed to use a capability. */ 1467 static int cred_has_capability(const struct cred *cred, 1468 int cap, int audit) 1469 { 1470 struct common_audit_data ad; 1471 struct av_decision avd; 1472 u16 sclass; 1473 u32 sid = cred_sid(cred); 1474 u32 av = CAP_TO_MASK(cap); 1475 int rc; 1476 1477 ad.type = LSM_AUDIT_DATA_CAP; 1478 ad.u.cap = cap; 1479 1480 switch (CAP_TO_INDEX(cap)) { 1481 case 0: 1482 sclass = SECCLASS_CAPABILITY; 1483 break; 1484 case 1: 1485 sclass = SECCLASS_CAPABILITY2; 1486 break; 1487 default: 1488 printk(KERN_ERR 1489 "SELinux: out of range capability %d\n", cap); 1490 BUG(); 1491 return -EINVAL; 1492 } 1493 1494 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1495 if (audit == SECURITY_CAP_AUDIT) { 1496 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); 1497 if (rc2) 1498 return rc2; 1499 } 1500 return rc; 1501 } 1502 1503 /* Check whether a task is allowed to use a system operation. */ 1504 static int task_has_system(struct task_struct *tsk, 1505 u32 perms) 1506 { 1507 u32 sid = task_sid(tsk); 1508 1509 return avc_has_perm(sid, SECINITSID_KERNEL, 1510 SECCLASS_SYSTEM, perms, NULL); 1511 } 1512 1513 /* Check whether a task has a particular permission to an inode. 1514 The 'adp' parameter is optional and allows other audit 1515 data to be passed (e.g. the dentry). */ 1516 static int inode_has_perm(const struct cred *cred, 1517 struct inode *inode, 1518 u32 perms, 1519 struct common_audit_data *adp, 1520 unsigned flags) 1521 { 1522 struct inode_security_struct *isec; 1523 u32 sid; 1524 1525 validate_creds(cred); 1526 1527 if (unlikely(IS_PRIVATE(inode))) 1528 return 0; 1529 1530 sid = cred_sid(cred); 1531 isec = inode->i_security; 1532 1533 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags); 1534 } 1535 1536 /* Same as inode_has_perm, but pass explicit audit data containing 1537 the dentry to help the auditing code to more easily generate the 1538 pathname if needed. */ 1539 static inline int dentry_has_perm(const struct cred *cred, 1540 struct dentry *dentry, 1541 u32 av) 1542 { 1543 struct inode *inode = dentry->d_inode; 1544 struct common_audit_data ad; 1545 1546 ad.type = LSM_AUDIT_DATA_DENTRY; 1547 ad.u.dentry = dentry; 1548 return inode_has_perm(cred, inode, av, &ad, 0); 1549 } 1550 1551 /* Same as inode_has_perm, but pass explicit audit data containing 1552 the path to help the auditing code to more easily generate the 1553 pathname if needed. */ 1554 static inline int path_has_perm(const struct cred *cred, 1555 struct path *path, 1556 u32 av) 1557 { 1558 struct inode *inode = path->dentry->d_inode; 1559 struct common_audit_data ad; 1560 1561 ad.type = LSM_AUDIT_DATA_PATH; 1562 ad.u.path = *path; 1563 return inode_has_perm(cred, inode, av, &ad, 0); 1564 } 1565 1566 /* Check whether a task can use an open file descriptor to 1567 access an inode in a given way. Check access to the 1568 descriptor itself, and then use dentry_has_perm to 1569 check a particular permission to the file. 1570 Access to the descriptor is implicitly granted if it 1571 has the same SID as the process. If av is zero, then 1572 access to the file is not checked, e.g. for cases 1573 where only the descriptor is affected like seek. */ 1574 static int file_has_perm(const struct cred *cred, 1575 struct file *file, 1576 u32 av) 1577 { 1578 struct file_security_struct *fsec = file->f_security; 1579 struct inode *inode = file_inode(file); 1580 struct common_audit_data ad; 1581 u32 sid = cred_sid(cred); 1582 int rc; 1583 1584 ad.type = LSM_AUDIT_DATA_PATH; 1585 ad.u.path = file->f_path; 1586 1587 if (sid != fsec->sid) { 1588 rc = avc_has_perm(sid, fsec->sid, 1589 SECCLASS_FD, 1590 FD__USE, 1591 &ad); 1592 if (rc) 1593 goto out; 1594 } 1595 1596 /* av is zero if only checking access to the descriptor. */ 1597 rc = 0; 1598 if (av) 1599 rc = inode_has_perm(cred, inode, av, &ad, 0); 1600 1601 out: 1602 return rc; 1603 } 1604 1605 /* Check whether a task can create a file. */ 1606 static int may_create(struct inode *dir, 1607 struct dentry *dentry, 1608 u16 tclass) 1609 { 1610 const struct task_security_struct *tsec = current_security(); 1611 struct inode_security_struct *dsec; 1612 struct superblock_security_struct *sbsec; 1613 u32 sid, newsid; 1614 struct common_audit_data ad; 1615 int rc; 1616 1617 dsec = dir->i_security; 1618 sbsec = dir->i_sb->s_security; 1619 1620 sid = tsec->sid; 1621 newsid = tsec->create_sid; 1622 1623 ad.type = LSM_AUDIT_DATA_DENTRY; 1624 ad.u.dentry = dentry; 1625 1626 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1627 DIR__ADD_NAME | DIR__SEARCH, 1628 &ad); 1629 if (rc) 1630 return rc; 1631 1632 if (!newsid || !(sbsec->flags & SBLABEL_MNT)) { 1633 rc = security_transition_sid(sid, dsec->sid, tclass, 1634 &dentry->d_name, &newsid); 1635 if (rc) 1636 return rc; 1637 } 1638 1639 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1640 if (rc) 1641 return rc; 1642 1643 return avc_has_perm(newsid, sbsec->sid, 1644 SECCLASS_FILESYSTEM, 1645 FILESYSTEM__ASSOCIATE, &ad); 1646 } 1647 1648 /* Check whether a task can create a key. */ 1649 static int may_create_key(u32 ksid, 1650 struct task_struct *ctx) 1651 { 1652 u32 sid = task_sid(ctx); 1653 1654 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); 1655 } 1656 1657 #define MAY_LINK 0 1658 #define MAY_UNLINK 1 1659 #define MAY_RMDIR 2 1660 1661 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1662 static int may_link(struct inode *dir, 1663 struct dentry *dentry, 1664 int kind) 1665 1666 { 1667 struct inode_security_struct *dsec, *isec; 1668 struct common_audit_data ad; 1669 u32 sid = current_sid(); 1670 u32 av; 1671 int rc; 1672 1673 dsec = dir->i_security; 1674 isec = dentry->d_inode->i_security; 1675 1676 ad.type = LSM_AUDIT_DATA_DENTRY; 1677 ad.u.dentry = dentry; 1678 1679 av = DIR__SEARCH; 1680 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1681 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 1682 if (rc) 1683 return rc; 1684 1685 switch (kind) { 1686 case MAY_LINK: 1687 av = FILE__LINK; 1688 break; 1689 case MAY_UNLINK: 1690 av = FILE__UNLINK; 1691 break; 1692 case MAY_RMDIR: 1693 av = DIR__RMDIR; 1694 break; 1695 default: 1696 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", 1697 __func__, kind); 1698 return 0; 1699 } 1700 1701 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 1702 return rc; 1703 } 1704 1705 static inline int may_rename(struct inode *old_dir, 1706 struct dentry *old_dentry, 1707 struct inode *new_dir, 1708 struct dentry *new_dentry) 1709 { 1710 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1711 struct common_audit_data ad; 1712 u32 sid = current_sid(); 1713 u32 av; 1714 int old_is_dir, new_is_dir; 1715 int rc; 1716 1717 old_dsec = old_dir->i_security; 1718 old_isec = old_dentry->d_inode->i_security; 1719 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); 1720 new_dsec = new_dir->i_security; 1721 1722 ad.type = LSM_AUDIT_DATA_DENTRY; 1723 1724 ad.u.dentry = old_dentry; 1725 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1726 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1727 if (rc) 1728 return rc; 1729 rc = avc_has_perm(sid, old_isec->sid, 1730 old_isec->sclass, FILE__RENAME, &ad); 1731 if (rc) 1732 return rc; 1733 if (old_is_dir && new_dir != old_dir) { 1734 rc = avc_has_perm(sid, old_isec->sid, 1735 old_isec->sclass, DIR__REPARENT, &ad); 1736 if (rc) 1737 return rc; 1738 } 1739 1740 ad.u.dentry = new_dentry; 1741 av = DIR__ADD_NAME | DIR__SEARCH; 1742 if (new_dentry->d_inode) 1743 av |= DIR__REMOVE_NAME; 1744 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1745 if (rc) 1746 return rc; 1747 if (new_dentry->d_inode) { 1748 new_isec = new_dentry->d_inode->i_security; 1749 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode); 1750 rc = avc_has_perm(sid, new_isec->sid, 1751 new_isec->sclass, 1752 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1753 if (rc) 1754 return rc; 1755 } 1756 1757 return 0; 1758 } 1759 1760 /* Check whether a task can perform a filesystem operation. */ 1761 static int superblock_has_perm(const struct cred *cred, 1762 struct super_block *sb, 1763 u32 perms, 1764 struct common_audit_data *ad) 1765 { 1766 struct superblock_security_struct *sbsec; 1767 u32 sid = cred_sid(cred); 1768 1769 sbsec = sb->s_security; 1770 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1771 } 1772 1773 /* Convert a Linux mode and permission mask to an access vector. */ 1774 static inline u32 file_mask_to_av(int mode, int mask) 1775 { 1776 u32 av = 0; 1777 1778 if (!S_ISDIR(mode)) { 1779 if (mask & MAY_EXEC) 1780 av |= FILE__EXECUTE; 1781 if (mask & MAY_READ) 1782 av |= FILE__READ; 1783 1784 if (mask & MAY_APPEND) 1785 av |= FILE__APPEND; 1786 else if (mask & MAY_WRITE) 1787 av |= FILE__WRITE; 1788 1789 } else { 1790 if (mask & MAY_EXEC) 1791 av |= DIR__SEARCH; 1792 if (mask & MAY_WRITE) 1793 av |= DIR__WRITE; 1794 if (mask & MAY_READ) 1795 av |= DIR__READ; 1796 } 1797 1798 return av; 1799 } 1800 1801 /* Convert a Linux file to an access vector. */ 1802 static inline u32 file_to_av(struct file *file) 1803 { 1804 u32 av = 0; 1805 1806 if (file->f_mode & FMODE_READ) 1807 av |= FILE__READ; 1808 if (file->f_mode & FMODE_WRITE) { 1809 if (file->f_flags & O_APPEND) 1810 av |= FILE__APPEND; 1811 else 1812 av |= FILE__WRITE; 1813 } 1814 if (!av) { 1815 /* 1816 * Special file opened with flags 3 for ioctl-only use. 1817 */ 1818 av = FILE__IOCTL; 1819 } 1820 1821 return av; 1822 } 1823 1824 /* 1825 * Convert a file to an access vector and include the correct open 1826 * open permission. 1827 */ 1828 static inline u32 open_file_to_av(struct file *file) 1829 { 1830 u32 av = file_to_av(file); 1831 1832 if (selinux_policycap_openperm) 1833 av |= FILE__OPEN; 1834 1835 return av; 1836 } 1837 1838 /* Hook functions begin here. */ 1839 1840 static int selinux_ptrace_access_check(struct task_struct *child, 1841 unsigned int mode) 1842 { 1843 int rc; 1844 1845 rc = cap_ptrace_access_check(child, mode); 1846 if (rc) 1847 return rc; 1848 1849 if (mode & PTRACE_MODE_READ) { 1850 u32 sid = current_sid(); 1851 u32 csid = task_sid(child); 1852 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); 1853 } 1854 1855 return current_has_perm(child, PROCESS__PTRACE); 1856 } 1857 1858 static int selinux_ptrace_traceme(struct task_struct *parent) 1859 { 1860 int rc; 1861 1862 rc = cap_ptrace_traceme(parent); 1863 if (rc) 1864 return rc; 1865 1866 return task_has_perm(parent, current, PROCESS__PTRACE); 1867 } 1868 1869 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 1870 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1871 { 1872 int error; 1873 1874 error = current_has_perm(target, PROCESS__GETCAP); 1875 if (error) 1876 return error; 1877 1878 return cap_capget(target, effective, inheritable, permitted); 1879 } 1880 1881 static int selinux_capset(struct cred *new, const struct cred *old, 1882 const kernel_cap_t *effective, 1883 const kernel_cap_t *inheritable, 1884 const kernel_cap_t *permitted) 1885 { 1886 int error; 1887 1888 error = cap_capset(new, old, 1889 effective, inheritable, permitted); 1890 if (error) 1891 return error; 1892 1893 return cred_has_perm(old, new, PROCESS__SETCAP); 1894 } 1895 1896 /* 1897 * (This comment used to live with the selinux_task_setuid hook, 1898 * which was removed). 1899 * 1900 * Since setuid only affects the current process, and since the SELinux 1901 * controls are not based on the Linux identity attributes, SELinux does not 1902 * need to control this operation. However, SELinux does control the use of 1903 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 1904 */ 1905 1906 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 1907 int cap, int audit) 1908 { 1909 int rc; 1910 1911 rc = cap_capable(cred, ns, cap, audit); 1912 if (rc) 1913 return rc; 1914 1915 return cred_has_capability(cred, cap, audit); 1916 } 1917 1918 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 1919 { 1920 const struct cred *cred = current_cred(); 1921 int rc = 0; 1922 1923 if (!sb) 1924 return 0; 1925 1926 switch (cmds) { 1927 case Q_SYNC: 1928 case Q_QUOTAON: 1929 case Q_QUOTAOFF: 1930 case Q_SETINFO: 1931 case Q_SETQUOTA: 1932 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 1933 break; 1934 case Q_GETFMT: 1935 case Q_GETINFO: 1936 case Q_GETQUOTA: 1937 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 1938 break; 1939 default: 1940 rc = 0; /* let the kernel handle invalid cmds */ 1941 break; 1942 } 1943 return rc; 1944 } 1945 1946 static int selinux_quota_on(struct dentry *dentry) 1947 { 1948 const struct cred *cred = current_cred(); 1949 1950 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 1951 } 1952 1953 static int selinux_syslog(int type) 1954 { 1955 int rc; 1956 1957 switch (type) { 1958 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 1959 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 1960 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 1961 break; 1962 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 1963 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 1964 /* Set level of messages printed to console */ 1965 case SYSLOG_ACTION_CONSOLE_LEVEL: 1966 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); 1967 break; 1968 case SYSLOG_ACTION_CLOSE: /* Close log */ 1969 case SYSLOG_ACTION_OPEN: /* Open log */ 1970 case SYSLOG_ACTION_READ: /* Read from log */ 1971 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */ 1972 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */ 1973 default: 1974 rc = task_has_system(current, SYSTEM__SYSLOG_MOD); 1975 break; 1976 } 1977 return rc; 1978 } 1979 1980 /* 1981 * Check that a process has enough memory to allocate a new virtual 1982 * mapping. 0 means there is enough memory for the allocation to 1983 * succeed and -ENOMEM implies there is not. 1984 * 1985 * Do not audit the selinux permission check, as this is applied to all 1986 * processes that allocate mappings. 1987 */ 1988 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 1989 { 1990 int rc, cap_sys_admin = 0; 1991 1992 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN, 1993 SECURITY_CAP_NOAUDIT); 1994 if (rc == 0) 1995 cap_sys_admin = 1; 1996 1997 return __vm_enough_memory(mm, pages, cap_sys_admin); 1998 } 1999 2000 /* binprm security operations */ 2001 2002 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2003 { 2004 const struct task_security_struct *old_tsec; 2005 struct task_security_struct *new_tsec; 2006 struct inode_security_struct *isec; 2007 struct common_audit_data ad; 2008 struct inode *inode = file_inode(bprm->file); 2009 int rc; 2010 2011 rc = cap_bprm_set_creds(bprm); 2012 if (rc) 2013 return rc; 2014 2015 /* SELinux context only depends on initial program or script and not 2016 * the script interpreter */ 2017 if (bprm->cred_prepared) 2018 return 0; 2019 2020 old_tsec = current_security(); 2021 new_tsec = bprm->cred->security; 2022 isec = inode->i_security; 2023 2024 /* Default to the current task SID. */ 2025 new_tsec->sid = old_tsec->sid; 2026 new_tsec->osid = old_tsec->sid; 2027 2028 /* Reset fs, key, and sock SIDs on execve. */ 2029 new_tsec->create_sid = 0; 2030 new_tsec->keycreate_sid = 0; 2031 new_tsec->sockcreate_sid = 0; 2032 2033 if (old_tsec->exec_sid) { 2034 new_tsec->sid = old_tsec->exec_sid; 2035 /* Reset exec SID on execve. */ 2036 new_tsec->exec_sid = 0; 2037 2038 /* 2039 * Minimize confusion: if no_new_privs and a transition is 2040 * explicitly requested, then fail the exec. 2041 */ 2042 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) 2043 return -EPERM; 2044 } else { 2045 /* Check for a default transition on this program. */ 2046 rc = security_transition_sid(old_tsec->sid, isec->sid, 2047 SECCLASS_PROCESS, NULL, 2048 &new_tsec->sid); 2049 if (rc) 2050 return rc; 2051 } 2052 2053 ad.type = LSM_AUDIT_DATA_PATH; 2054 ad.u.path = bprm->file->f_path; 2055 2056 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) || 2057 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) 2058 new_tsec->sid = old_tsec->sid; 2059 2060 if (new_tsec->sid == old_tsec->sid) { 2061 rc = avc_has_perm(old_tsec->sid, isec->sid, 2062 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2063 if (rc) 2064 return rc; 2065 } else { 2066 /* Check permissions for the transition. */ 2067 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2068 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2069 if (rc) 2070 return rc; 2071 2072 rc = avc_has_perm(new_tsec->sid, isec->sid, 2073 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2074 if (rc) 2075 return rc; 2076 2077 /* Check for shared state */ 2078 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2079 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2080 SECCLASS_PROCESS, PROCESS__SHARE, 2081 NULL); 2082 if (rc) 2083 return -EPERM; 2084 } 2085 2086 /* Make sure that anyone attempting to ptrace over a task that 2087 * changes its SID has the appropriate permit */ 2088 if (bprm->unsafe & 2089 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 2090 struct task_struct *tracer; 2091 struct task_security_struct *sec; 2092 u32 ptsid = 0; 2093 2094 rcu_read_lock(); 2095 tracer = ptrace_parent(current); 2096 if (likely(tracer != NULL)) { 2097 sec = __task_cred(tracer)->security; 2098 ptsid = sec->sid; 2099 } 2100 rcu_read_unlock(); 2101 2102 if (ptsid != 0) { 2103 rc = avc_has_perm(ptsid, new_tsec->sid, 2104 SECCLASS_PROCESS, 2105 PROCESS__PTRACE, NULL); 2106 if (rc) 2107 return -EPERM; 2108 } 2109 } 2110 2111 /* Clear any possibly unsafe personality bits on exec: */ 2112 bprm->per_clear |= PER_CLEAR_ON_SETID; 2113 } 2114 2115 return 0; 2116 } 2117 2118 static int selinux_bprm_secureexec(struct linux_binprm *bprm) 2119 { 2120 const struct task_security_struct *tsec = current_security(); 2121 u32 sid, osid; 2122 int atsecure = 0; 2123 2124 sid = tsec->sid; 2125 osid = tsec->osid; 2126 2127 if (osid != sid) { 2128 /* Enable secure mode for SIDs transitions unless 2129 the noatsecure permission is granted between 2130 the two SIDs, i.e. ahp returns 0. */ 2131 atsecure = avc_has_perm(osid, sid, 2132 SECCLASS_PROCESS, 2133 PROCESS__NOATSECURE, NULL); 2134 } 2135 2136 return (atsecure || cap_bprm_secureexec(bprm)); 2137 } 2138 2139 static int match_file(const void *p, struct file *file, unsigned fd) 2140 { 2141 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2142 } 2143 2144 /* Derived from fs/exec.c:flush_old_files. */ 2145 static inline void flush_unauthorized_files(const struct cred *cred, 2146 struct files_struct *files) 2147 { 2148 struct file *file, *devnull = NULL; 2149 struct tty_struct *tty; 2150 int drop_tty = 0; 2151 unsigned n; 2152 2153 tty = get_current_tty(); 2154 if (tty) { 2155 spin_lock(&tty_files_lock); 2156 if (!list_empty(&tty->tty_files)) { 2157 struct tty_file_private *file_priv; 2158 2159 /* Revalidate access to controlling tty. 2160 Use path_has_perm on the tty path directly rather 2161 than using file_has_perm, as this particular open 2162 file may belong to another process and we are only 2163 interested in the inode-based check here. */ 2164 file_priv = list_first_entry(&tty->tty_files, 2165 struct tty_file_private, list); 2166 file = file_priv->file; 2167 if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE)) 2168 drop_tty = 1; 2169 } 2170 spin_unlock(&tty_files_lock); 2171 tty_kref_put(tty); 2172 } 2173 /* Reset controlling tty. */ 2174 if (drop_tty) 2175 no_tty(); 2176 2177 /* Revalidate access to inherited open files. */ 2178 n = iterate_fd(files, 0, match_file, cred); 2179 if (!n) /* none found? */ 2180 return; 2181 2182 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2183 if (IS_ERR(devnull)) 2184 devnull = NULL; 2185 /* replace all the matching ones with this */ 2186 do { 2187 replace_fd(n - 1, devnull, 0); 2188 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2189 if (devnull) 2190 fput(devnull); 2191 } 2192 2193 /* 2194 * Prepare a process for imminent new credential changes due to exec 2195 */ 2196 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2197 { 2198 struct task_security_struct *new_tsec; 2199 struct rlimit *rlim, *initrlim; 2200 int rc, i; 2201 2202 new_tsec = bprm->cred->security; 2203 if (new_tsec->sid == new_tsec->osid) 2204 return; 2205 2206 /* Close files for which the new task SID is not authorized. */ 2207 flush_unauthorized_files(bprm->cred, current->files); 2208 2209 /* Always clear parent death signal on SID transitions. */ 2210 current->pdeath_signal = 0; 2211 2212 /* Check whether the new SID can inherit resource limits from the old 2213 * SID. If not, reset all soft limits to the lower of the current 2214 * task's hard limit and the init task's soft limit. 2215 * 2216 * Note that the setting of hard limits (even to lower them) can be 2217 * controlled by the setrlimit check. The inclusion of the init task's 2218 * soft limit into the computation is to avoid resetting soft limits 2219 * higher than the default soft limit for cases where the default is 2220 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2221 */ 2222 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2223 PROCESS__RLIMITINH, NULL); 2224 if (rc) { 2225 /* protect against do_prlimit() */ 2226 task_lock(current); 2227 for (i = 0; i < RLIM_NLIMITS; i++) { 2228 rlim = current->signal->rlim + i; 2229 initrlim = init_task.signal->rlim + i; 2230 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2231 } 2232 task_unlock(current); 2233 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2234 } 2235 } 2236 2237 /* 2238 * Clean up the process immediately after the installation of new credentials 2239 * due to exec 2240 */ 2241 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2242 { 2243 const struct task_security_struct *tsec = current_security(); 2244 struct itimerval itimer; 2245 u32 osid, sid; 2246 int rc, i; 2247 2248 osid = tsec->osid; 2249 sid = tsec->sid; 2250 2251 if (sid == osid) 2252 return; 2253 2254 /* Check whether the new SID can inherit signal state from the old SID. 2255 * If not, clear itimers to avoid subsequent signal generation and 2256 * flush and unblock signals. 2257 * 2258 * This must occur _after_ the task SID has been updated so that any 2259 * kill done after the flush will be checked against the new SID. 2260 */ 2261 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2262 if (rc) { 2263 memset(&itimer, 0, sizeof itimer); 2264 for (i = 0; i < 3; i++) 2265 do_setitimer(i, &itimer, NULL); 2266 spin_lock_irq(¤t->sighand->siglock); 2267 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) { 2268 __flush_signals(current); 2269 flush_signal_handlers(current, 1); 2270 sigemptyset(¤t->blocked); 2271 } 2272 spin_unlock_irq(¤t->sighand->siglock); 2273 } 2274 2275 /* Wake up the parent if it is waiting so that it can recheck 2276 * wait permission to the new task SID. */ 2277 read_lock(&tasklist_lock); 2278 __wake_up_parent(current, current->real_parent); 2279 read_unlock(&tasklist_lock); 2280 } 2281 2282 /* superblock security operations */ 2283 2284 static int selinux_sb_alloc_security(struct super_block *sb) 2285 { 2286 return superblock_alloc_security(sb); 2287 } 2288 2289 static void selinux_sb_free_security(struct super_block *sb) 2290 { 2291 superblock_free_security(sb); 2292 } 2293 2294 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2295 { 2296 if (plen > olen) 2297 return 0; 2298 2299 return !memcmp(prefix, option, plen); 2300 } 2301 2302 static inline int selinux_option(char *option, int len) 2303 { 2304 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || 2305 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || 2306 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || 2307 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || 2308 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); 2309 } 2310 2311 static inline void take_option(char **to, char *from, int *first, int len) 2312 { 2313 if (!*first) { 2314 **to = ','; 2315 *to += 1; 2316 } else 2317 *first = 0; 2318 memcpy(*to, from, len); 2319 *to += len; 2320 } 2321 2322 static inline void take_selinux_option(char **to, char *from, int *first, 2323 int len) 2324 { 2325 int current_size = 0; 2326 2327 if (!*first) { 2328 **to = '|'; 2329 *to += 1; 2330 } else 2331 *first = 0; 2332 2333 while (current_size < len) { 2334 if (*from != '"') { 2335 **to = *from; 2336 *to += 1; 2337 } 2338 from += 1; 2339 current_size += 1; 2340 } 2341 } 2342 2343 static int selinux_sb_copy_data(char *orig, char *copy) 2344 { 2345 int fnosec, fsec, rc = 0; 2346 char *in_save, *in_curr, *in_end; 2347 char *sec_curr, *nosec_save, *nosec; 2348 int open_quote = 0; 2349 2350 in_curr = orig; 2351 sec_curr = copy; 2352 2353 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2354 if (!nosec) { 2355 rc = -ENOMEM; 2356 goto out; 2357 } 2358 2359 nosec_save = nosec; 2360 fnosec = fsec = 1; 2361 in_save = in_end = orig; 2362 2363 do { 2364 if (*in_end == '"') 2365 open_quote = !open_quote; 2366 if ((*in_end == ',' && open_quote == 0) || 2367 *in_end == '\0') { 2368 int len = in_end - in_curr; 2369 2370 if (selinux_option(in_curr, len)) 2371 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2372 else 2373 take_option(&nosec, in_curr, &fnosec, len); 2374 2375 in_curr = in_end + 1; 2376 } 2377 } while (*in_end++); 2378 2379 strcpy(in_save, nosec_save); 2380 free_page((unsigned long)nosec_save); 2381 out: 2382 return rc; 2383 } 2384 2385 static int selinux_sb_remount(struct super_block *sb, void *data) 2386 { 2387 int rc, i, *flags; 2388 struct security_mnt_opts opts; 2389 char *secdata, **mount_options; 2390 struct superblock_security_struct *sbsec = sb->s_security; 2391 2392 if (!(sbsec->flags & SE_SBINITIALIZED)) 2393 return 0; 2394 2395 if (!data) 2396 return 0; 2397 2398 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 2399 return 0; 2400 2401 security_init_mnt_opts(&opts); 2402 secdata = alloc_secdata(); 2403 if (!secdata) 2404 return -ENOMEM; 2405 rc = selinux_sb_copy_data(data, secdata); 2406 if (rc) 2407 goto out_free_secdata; 2408 2409 rc = selinux_parse_opts_str(secdata, &opts); 2410 if (rc) 2411 goto out_free_secdata; 2412 2413 mount_options = opts.mnt_opts; 2414 flags = opts.mnt_opts_flags; 2415 2416 for (i = 0; i < opts.num_mnt_opts; i++) { 2417 u32 sid; 2418 size_t len; 2419 2420 if (flags[i] == SBLABEL_MNT) 2421 continue; 2422 len = strlen(mount_options[i]); 2423 rc = security_context_to_sid(mount_options[i], len, &sid); 2424 if (rc) { 2425 printk(KERN_WARNING "SELinux: security_context_to_sid" 2426 "(%s) failed for (dev %s, type %s) errno=%d\n", 2427 mount_options[i], sb->s_id, sb->s_type->name, rc); 2428 goto out_free_opts; 2429 } 2430 rc = -EINVAL; 2431 switch (flags[i]) { 2432 case FSCONTEXT_MNT: 2433 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2434 goto out_bad_option; 2435 break; 2436 case CONTEXT_MNT: 2437 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2438 goto out_bad_option; 2439 break; 2440 case ROOTCONTEXT_MNT: { 2441 struct inode_security_struct *root_isec; 2442 root_isec = sb->s_root->d_inode->i_security; 2443 2444 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2445 goto out_bad_option; 2446 break; 2447 } 2448 case DEFCONTEXT_MNT: 2449 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2450 goto out_bad_option; 2451 break; 2452 default: 2453 goto out_free_opts; 2454 } 2455 } 2456 2457 rc = 0; 2458 out_free_opts: 2459 security_free_mnt_opts(&opts); 2460 out_free_secdata: 2461 free_secdata(secdata); 2462 return rc; 2463 out_bad_option: 2464 printk(KERN_WARNING "SELinux: unable to change security options " 2465 "during remount (dev %s, type=%s)\n", sb->s_id, 2466 sb->s_type->name); 2467 goto out_free_opts; 2468 } 2469 2470 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) 2471 { 2472 const struct cred *cred = current_cred(); 2473 struct common_audit_data ad; 2474 int rc; 2475 2476 rc = superblock_doinit(sb, data); 2477 if (rc) 2478 return rc; 2479 2480 /* Allow all mounts performed by the kernel */ 2481 if (flags & MS_KERNMOUNT) 2482 return 0; 2483 2484 ad.type = LSM_AUDIT_DATA_DENTRY; 2485 ad.u.dentry = sb->s_root; 2486 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2487 } 2488 2489 static int selinux_sb_statfs(struct dentry *dentry) 2490 { 2491 const struct cred *cred = current_cred(); 2492 struct common_audit_data ad; 2493 2494 ad.type = LSM_AUDIT_DATA_DENTRY; 2495 ad.u.dentry = dentry->d_sb->s_root; 2496 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2497 } 2498 2499 static int selinux_mount(const char *dev_name, 2500 struct path *path, 2501 const char *type, 2502 unsigned long flags, 2503 void *data) 2504 { 2505 const struct cred *cred = current_cred(); 2506 2507 if (flags & MS_REMOUNT) 2508 return superblock_has_perm(cred, path->dentry->d_sb, 2509 FILESYSTEM__REMOUNT, NULL); 2510 else 2511 return path_has_perm(cred, path, FILE__MOUNTON); 2512 } 2513 2514 static int selinux_umount(struct vfsmount *mnt, int flags) 2515 { 2516 const struct cred *cred = current_cred(); 2517 2518 return superblock_has_perm(cred, mnt->mnt_sb, 2519 FILESYSTEM__UNMOUNT, NULL); 2520 } 2521 2522 /* inode security operations */ 2523 2524 static int selinux_inode_alloc_security(struct inode *inode) 2525 { 2526 return inode_alloc_security(inode); 2527 } 2528 2529 static void selinux_inode_free_security(struct inode *inode) 2530 { 2531 inode_free_security(inode); 2532 } 2533 2534 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2535 const struct qstr *qstr, char **name, 2536 void **value, size_t *len) 2537 { 2538 const struct task_security_struct *tsec = current_security(); 2539 struct inode_security_struct *dsec; 2540 struct superblock_security_struct *sbsec; 2541 u32 sid, newsid, clen; 2542 int rc; 2543 char *namep = NULL, *context; 2544 2545 dsec = dir->i_security; 2546 sbsec = dir->i_sb->s_security; 2547 2548 sid = tsec->sid; 2549 newsid = tsec->create_sid; 2550 2551 if ((sbsec->flags & SE_SBINITIALIZED) && 2552 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) 2553 newsid = sbsec->mntpoint_sid; 2554 else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) { 2555 rc = security_transition_sid(sid, dsec->sid, 2556 inode_mode_to_security_class(inode->i_mode), 2557 qstr, &newsid); 2558 if (rc) { 2559 printk(KERN_WARNING "%s: " 2560 "security_transition_sid failed, rc=%d (dev=%s " 2561 "ino=%ld)\n", 2562 __func__, 2563 -rc, inode->i_sb->s_id, inode->i_ino); 2564 return rc; 2565 } 2566 } 2567 2568 /* Possibly defer initialization to selinux_complete_init. */ 2569 if (sbsec->flags & SE_SBINITIALIZED) { 2570 struct inode_security_struct *isec = inode->i_security; 2571 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2572 isec->sid = newsid; 2573 isec->initialized = 1; 2574 } 2575 2576 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT)) 2577 return -EOPNOTSUPP; 2578 2579 if (name) { 2580 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS); 2581 if (!namep) 2582 return -ENOMEM; 2583 *name = namep; 2584 } 2585 2586 if (value && len) { 2587 rc = security_sid_to_context_force(newsid, &context, &clen); 2588 if (rc) { 2589 kfree(namep); 2590 return rc; 2591 } 2592 *value = context; 2593 *len = clen; 2594 } 2595 2596 return 0; 2597 } 2598 2599 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 2600 { 2601 return may_create(dir, dentry, SECCLASS_FILE); 2602 } 2603 2604 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2605 { 2606 return may_link(dir, old_dentry, MAY_LINK); 2607 } 2608 2609 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2610 { 2611 return may_link(dir, dentry, MAY_UNLINK); 2612 } 2613 2614 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2615 { 2616 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2617 } 2618 2619 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 2620 { 2621 return may_create(dir, dentry, SECCLASS_DIR); 2622 } 2623 2624 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2625 { 2626 return may_link(dir, dentry, MAY_RMDIR); 2627 } 2628 2629 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 2630 { 2631 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2632 } 2633 2634 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2635 struct inode *new_inode, struct dentry *new_dentry) 2636 { 2637 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2638 } 2639 2640 static int selinux_inode_readlink(struct dentry *dentry) 2641 { 2642 const struct cred *cred = current_cred(); 2643 2644 return dentry_has_perm(cred, dentry, FILE__READ); 2645 } 2646 2647 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) 2648 { 2649 const struct cred *cred = current_cred(); 2650 2651 return dentry_has_perm(cred, dentry, FILE__READ); 2652 } 2653 2654 static noinline int audit_inode_permission(struct inode *inode, 2655 u32 perms, u32 audited, u32 denied, 2656 unsigned flags) 2657 { 2658 struct common_audit_data ad; 2659 struct inode_security_struct *isec = inode->i_security; 2660 int rc; 2661 2662 ad.type = LSM_AUDIT_DATA_INODE; 2663 ad.u.inode = inode; 2664 2665 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 2666 audited, denied, &ad, flags); 2667 if (rc) 2668 return rc; 2669 return 0; 2670 } 2671 2672 static int selinux_inode_permission(struct inode *inode, int mask) 2673 { 2674 const struct cred *cred = current_cred(); 2675 u32 perms; 2676 bool from_access; 2677 unsigned flags = mask & MAY_NOT_BLOCK; 2678 struct inode_security_struct *isec; 2679 u32 sid; 2680 struct av_decision avd; 2681 int rc, rc2; 2682 u32 audited, denied; 2683 2684 from_access = mask & MAY_ACCESS; 2685 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 2686 2687 /* No permission to check. Existence test. */ 2688 if (!mask) 2689 return 0; 2690 2691 validate_creds(cred); 2692 2693 if (unlikely(IS_PRIVATE(inode))) 2694 return 0; 2695 2696 perms = file_mask_to_av(inode->i_mode, mask); 2697 2698 sid = cred_sid(cred); 2699 isec = inode->i_security; 2700 2701 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); 2702 audited = avc_audit_required(perms, &avd, rc, 2703 from_access ? FILE__AUDIT_ACCESS : 0, 2704 &denied); 2705 if (likely(!audited)) 2706 return rc; 2707 2708 rc2 = audit_inode_permission(inode, perms, audited, denied, flags); 2709 if (rc2) 2710 return rc2; 2711 return rc; 2712 } 2713 2714 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2715 { 2716 const struct cred *cred = current_cred(); 2717 unsigned int ia_valid = iattr->ia_valid; 2718 __u32 av = FILE__WRITE; 2719 2720 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 2721 if (ia_valid & ATTR_FORCE) { 2722 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 2723 ATTR_FORCE); 2724 if (!ia_valid) 2725 return 0; 2726 } 2727 2728 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 2729 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 2730 return dentry_has_perm(cred, dentry, FILE__SETATTR); 2731 2732 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)) 2733 av |= FILE__OPEN; 2734 2735 return dentry_has_perm(cred, dentry, av); 2736 } 2737 2738 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 2739 { 2740 const struct cred *cred = current_cred(); 2741 struct path path; 2742 2743 path.dentry = dentry; 2744 path.mnt = mnt; 2745 2746 return path_has_perm(cred, &path, FILE__GETATTR); 2747 } 2748 2749 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name) 2750 { 2751 const struct cred *cred = current_cred(); 2752 2753 if (!strncmp(name, XATTR_SECURITY_PREFIX, 2754 sizeof XATTR_SECURITY_PREFIX - 1)) { 2755 if (!strcmp(name, XATTR_NAME_CAPS)) { 2756 if (!capable(CAP_SETFCAP)) 2757 return -EPERM; 2758 } else if (!capable(CAP_SYS_ADMIN)) { 2759 /* A different attribute in the security namespace. 2760 Restrict to administrator. */ 2761 return -EPERM; 2762 } 2763 } 2764 2765 /* Not an attribute we recognize, so just check the 2766 ordinary setattr permission. */ 2767 return dentry_has_perm(cred, dentry, FILE__SETATTR); 2768 } 2769 2770 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 2771 const void *value, size_t size, int flags) 2772 { 2773 struct inode *inode = dentry->d_inode; 2774 struct inode_security_struct *isec = inode->i_security; 2775 struct superblock_security_struct *sbsec; 2776 struct common_audit_data ad; 2777 u32 newsid, sid = current_sid(); 2778 int rc = 0; 2779 2780 if (strcmp(name, XATTR_NAME_SELINUX)) 2781 return selinux_inode_setotherxattr(dentry, name); 2782 2783 sbsec = inode->i_sb->s_security; 2784 if (!(sbsec->flags & SBLABEL_MNT)) 2785 return -EOPNOTSUPP; 2786 2787 if (!inode_owner_or_capable(inode)) 2788 return -EPERM; 2789 2790 ad.type = LSM_AUDIT_DATA_DENTRY; 2791 ad.u.dentry = dentry; 2792 2793 rc = avc_has_perm(sid, isec->sid, isec->sclass, 2794 FILE__RELABELFROM, &ad); 2795 if (rc) 2796 return rc; 2797 2798 rc = security_context_to_sid(value, size, &newsid); 2799 if (rc == -EINVAL) { 2800 if (!capable(CAP_MAC_ADMIN)) { 2801 struct audit_buffer *ab; 2802 size_t audit_size; 2803 const char *str; 2804 2805 /* We strip a nul only if it is at the end, otherwise the 2806 * context contains a nul and we should audit that */ 2807 if (value) { 2808 str = value; 2809 if (str[size - 1] == '\0') 2810 audit_size = size - 1; 2811 else 2812 audit_size = size; 2813 } else { 2814 str = ""; 2815 audit_size = 0; 2816 } 2817 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 2818 audit_log_format(ab, "op=setxattr invalid_context="); 2819 audit_log_n_untrustedstring(ab, value, audit_size); 2820 audit_log_end(ab); 2821 2822 return rc; 2823 } 2824 rc = security_context_to_sid_force(value, size, &newsid); 2825 } 2826 if (rc) 2827 return rc; 2828 2829 rc = avc_has_perm(sid, newsid, isec->sclass, 2830 FILE__RELABELTO, &ad); 2831 if (rc) 2832 return rc; 2833 2834 rc = security_validate_transition(isec->sid, newsid, sid, 2835 isec->sclass); 2836 if (rc) 2837 return rc; 2838 2839 return avc_has_perm(newsid, 2840 sbsec->sid, 2841 SECCLASS_FILESYSTEM, 2842 FILESYSTEM__ASSOCIATE, 2843 &ad); 2844 } 2845 2846 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 2847 const void *value, size_t size, 2848 int flags) 2849 { 2850 struct inode *inode = dentry->d_inode; 2851 struct inode_security_struct *isec = inode->i_security; 2852 u32 newsid; 2853 int rc; 2854 2855 if (strcmp(name, XATTR_NAME_SELINUX)) { 2856 /* Not an attribute we recognize, so nothing to do. */ 2857 return; 2858 } 2859 2860 rc = security_context_to_sid_force(value, size, &newsid); 2861 if (rc) { 2862 printk(KERN_ERR "SELinux: unable to map context to SID" 2863 "for (%s, %lu), rc=%d\n", 2864 inode->i_sb->s_id, inode->i_ino, -rc); 2865 return; 2866 } 2867 2868 isec->sid = newsid; 2869 return; 2870 } 2871 2872 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 2873 { 2874 const struct cred *cred = current_cred(); 2875 2876 return dentry_has_perm(cred, dentry, FILE__GETATTR); 2877 } 2878 2879 static int selinux_inode_listxattr(struct dentry *dentry) 2880 { 2881 const struct cred *cred = current_cred(); 2882 2883 return dentry_has_perm(cred, dentry, FILE__GETATTR); 2884 } 2885 2886 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 2887 { 2888 if (strcmp(name, XATTR_NAME_SELINUX)) 2889 return selinux_inode_setotherxattr(dentry, name); 2890 2891 /* No one is allowed to remove a SELinux security label. 2892 You can change the label, but all data must be labeled. */ 2893 return -EACCES; 2894 } 2895 2896 /* 2897 * Copy the inode security context value to the user. 2898 * 2899 * Permission check is handled by selinux_inode_getxattr hook. 2900 */ 2901 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc) 2902 { 2903 u32 size; 2904 int error; 2905 char *context = NULL; 2906 struct inode_security_struct *isec = inode->i_security; 2907 2908 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2909 return -EOPNOTSUPP; 2910 2911 /* 2912 * If the caller has CAP_MAC_ADMIN, then get the raw context 2913 * value even if it is not defined by current policy; otherwise, 2914 * use the in-core value under current policy. 2915 * Use the non-auditing forms of the permission checks since 2916 * getxattr may be called by unprivileged processes commonly 2917 * and lack of permission just means that we fall back to the 2918 * in-core context value, not a denial. 2919 */ 2920 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN, 2921 SECURITY_CAP_NOAUDIT); 2922 if (!error) 2923 error = security_sid_to_context_force(isec->sid, &context, 2924 &size); 2925 else 2926 error = security_sid_to_context(isec->sid, &context, &size); 2927 if (error) 2928 return error; 2929 error = size; 2930 if (alloc) { 2931 *buffer = context; 2932 goto out_nofree; 2933 } 2934 kfree(context); 2935 out_nofree: 2936 return error; 2937 } 2938 2939 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 2940 const void *value, size_t size, int flags) 2941 { 2942 struct inode_security_struct *isec = inode->i_security; 2943 u32 newsid; 2944 int rc; 2945 2946 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2947 return -EOPNOTSUPP; 2948 2949 if (!value || !size) 2950 return -EACCES; 2951 2952 rc = security_context_to_sid((void *)value, size, &newsid); 2953 if (rc) 2954 return rc; 2955 2956 isec->sid = newsid; 2957 isec->initialized = 1; 2958 return 0; 2959 } 2960 2961 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 2962 { 2963 const int len = sizeof(XATTR_NAME_SELINUX); 2964 if (buffer && len <= buffer_size) 2965 memcpy(buffer, XATTR_NAME_SELINUX, len); 2966 return len; 2967 } 2968 2969 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid) 2970 { 2971 struct inode_security_struct *isec = inode->i_security; 2972 *secid = isec->sid; 2973 } 2974 2975 /* file security operations */ 2976 2977 static int selinux_revalidate_file_permission(struct file *file, int mask) 2978 { 2979 const struct cred *cred = current_cred(); 2980 struct inode *inode = file_inode(file); 2981 2982 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 2983 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 2984 mask |= MAY_APPEND; 2985 2986 return file_has_perm(cred, file, 2987 file_mask_to_av(inode->i_mode, mask)); 2988 } 2989 2990 static int selinux_file_permission(struct file *file, int mask) 2991 { 2992 struct inode *inode = file_inode(file); 2993 struct file_security_struct *fsec = file->f_security; 2994 struct inode_security_struct *isec = inode->i_security; 2995 u32 sid = current_sid(); 2996 2997 if (!mask) 2998 /* No permission to check. Existence test. */ 2999 return 0; 3000 3001 if (sid == fsec->sid && fsec->isid == isec->sid && 3002 fsec->pseqno == avc_policy_seqno()) 3003 /* No change since file_open check. */ 3004 return 0; 3005 3006 return selinux_revalidate_file_permission(file, mask); 3007 } 3008 3009 static int selinux_file_alloc_security(struct file *file) 3010 { 3011 return file_alloc_security(file); 3012 } 3013 3014 static void selinux_file_free_security(struct file *file) 3015 { 3016 file_free_security(file); 3017 } 3018 3019 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3020 unsigned long arg) 3021 { 3022 const struct cred *cred = current_cred(); 3023 int error = 0; 3024 3025 switch (cmd) { 3026 case FIONREAD: 3027 /* fall through */ 3028 case FIBMAP: 3029 /* fall through */ 3030 case FIGETBSZ: 3031 /* fall through */ 3032 case FS_IOC_GETFLAGS: 3033 /* fall through */ 3034 case FS_IOC_GETVERSION: 3035 error = file_has_perm(cred, file, FILE__GETATTR); 3036 break; 3037 3038 case FS_IOC_SETFLAGS: 3039 /* fall through */ 3040 case FS_IOC_SETVERSION: 3041 error = file_has_perm(cred, file, FILE__SETATTR); 3042 break; 3043 3044 /* sys_ioctl() checks */ 3045 case FIONBIO: 3046 /* fall through */ 3047 case FIOASYNC: 3048 error = file_has_perm(cred, file, 0); 3049 break; 3050 3051 case KDSKBENT: 3052 case KDSKBSENT: 3053 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3054 SECURITY_CAP_AUDIT); 3055 break; 3056 3057 /* default case assumes that the command will go 3058 * to the file's ioctl() function. 3059 */ 3060 default: 3061 error = file_has_perm(cred, file, FILE__IOCTL); 3062 } 3063 return error; 3064 } 3065 3066 static int default_noexec; 3067 3068 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3069 { 3070 const struct cred *cred = current_cred(); 3071 int rc = 0; 3072 3073 if (default_noexec && 3074 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { 3075 /* 3076 * We are making executable an anonymous mapping or a 3077 * private file mapping that will also be writable. 3078 * This has an additional check. 3079 */ 3080 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM); 3081 if (rc) 3082 goto error; 3083 } 3084 3085 if (file) { 3086 /* read access is always possible with a mapping */ 3087 u32 av = FILE__READ; 3088 3089 /* write access only matters if the mapping is shared */ 3090 if (shared && (prot & PROT_WRITE)) 3091 av |= FILE__WRITE; 3092 3093 if (prot & PROT_EXEC) 3094 av |= FILE__EXECUTE; 3095 3096 return file_has_perm(cred, file, av); 3097 } 3098 3099 error: 3100 return rc; 3101 } 3102 3103 static int selinux_mmap_addr(unsigned long addr) 3104 { 3105 int rc = 0; 3106 u32 sid = current_sid(); 3107 3108 /* 3109 * notice that we are intentionally putting the SELinux check before 3110 * the secondary cap_file_mmap check. This is such a likely attempt 3111 * at bad behaviour/exploit that we always want to get the AVC, even 3112 * if DAC would have also denied the operation. 3113 */ 3114 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3115 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3116 MEMPROTECT__MMAP_ZERO, NULL); 3117 if (rc) 3118 return rc; 3119 } 3120 3121 /* do DAC check on address space usage */ 3122 return cap_mmap_addr(addr); 3123 } 3124 3125 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3126 unsigned long prot, unsigned long flags) 3127 { 3128 if (selinux_checkreqprot) 3129 prot = reqprot; 3130 3131 return file_map_prot_check(file, prot, 3132 (flags & MAP_TYPE) == MAP_SHARED); 3133 } 3134 3135 static int selinux_file_mprotect(struct vm_area_struct *vma, 3136 unsigned long reqprot, 3137 unsigned long prot) 3138 { 3139 const struct cred *cred = current_cred(); 3140 3141 if (selinux_checkreqprot) 3142 prot = reqprot; 3143 3144 if (default_noexec && 3145 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3146 int rc = 0; 3147 if (vma->vm_start >= vma->vm_mm->start_brk && 3148 vma->vm_end <= vma->vm_mm->brk) { 3149 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP); 3150 } else if (!vma->vm_file && 3151 vma->vm_start <= vma->vm_mm->start_stack && 3152 vma->vm_end >= vma->vm_mm->start_stack) { 3153 rc = current_has_perm(current, PROCESS__EXECSTACK); 3154 } else if (vma->vm_file && vma->anon_vma) { 3155 /* 3156 * We are making executable a file mapping that has 3157 * had some COW done. Since pages might have been 3158 * written, check ability to execute the possibly 3159 * modified content. This typically should only 3160 * occur for text relocations. 3161 */ 3162 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3163 } 3164 if (rc) 3165 return rc; 3166 } 3167 3168 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3169 } 3170 3171 static int selinux_file_lock(struct file *file, unsigned int cmd) 3172 { 3173 const struct cred *cred = current_cred(); 3174 3175 return file_has_perm(cred, file, FILE__LOCK); 3176 } 3177 3178 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3179 unsigned long arg) 3180 { 3181 const struct cred *cred = current_cred(); 3182 int err = 0; 3183 3184 switch (cmd) { 3185 case F_SETFL: 3186 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3187 err = file_has_perm(cred, file, FILE__WRITE); 3188 break; 3189 } 3190 /* fall through */ 3191 case F_SETOWN: 3192 case F_SETSIG: 3193 case F_GETFL: 3194 case F_GETOWN: 3195 case F_GETSIG: 3196 case F_GETOWNER_UIDS: 3197 /* Just check FD__USE permission */ 3198 err = file_has_perm(cred, file, 0); 3199 break; 3200 case F_GETLK: 3201 case F_SETLK: 3202 case F_SETLKW: 3203 #if BITS_PER_LONG == 32 3204 case F_GETLK64: 3205 case F_SETLK64: 3206 case F_SETLKW64: 3207 #endif 3208 err = file_has_perm(cred, file, FILE__LOCK); 3209 break; 3210 } 3211 3212 return err; 3213 } 3214 3215 static int selinux_file_set_fowner(struct file *file) 3216 { 3217 struct file_security_struct *fsec; 3218 3219 fsec = file->f_security; 3220 fsec->fown_sid = current_sid(); 3221 3222 return 0; 3223 } 3224 3225 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3226 struct fown_struct *fown, int signum) 3227 { 3228 struct file *file; 3229 u32 sid = task_sid(tsk); 3230 u32 perm; 3231 struct file_security_struct *fsec; 3232 3233 /* struct fown_struct is never outside the context of a struct file */ 3234 file = container_of(fown, struct file, f_owner); 3235 3236 fsec = file->f_security; 3237 3238 if (!signum) 3239 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3240 else 3241 perm = signal_to_av(signum); 3242 3243 return avc_has_perm(fsec->fown_sid, sid, 3244 SECCLASS_PROCESS, perm, NULL); 3245 } 3246 3247 static int selinux_file_receive(struct file *file) 3248 { 3249 const struct cred *cred = current_cred(); 3250 3251 return file_has_perm(cred, file, file_to_av(file)); 3252 } 3253 3254 static int selinux_file_open(struct file *file, const struct cred *cred) 3255 { 3256 struct file_security_struct *fsec; 3257 struct inode_security_struct *isec; 3258 3259 fsec = file->f_security; 3260 isec = file_inode(file)->i_security; 3261 /* 3262 * Save inode label and policy sequence number 3263 * at open-time so that selinux_file_permission 3264 * can determine whether revalidation is necessary. 3265 * Task label is already saved in the file security 3266 * struct as its SID. 3267 */ 3268 fsec->isid = isec->sid; 3269 fsec->pseqno = avc_policy_seqno(); 3270 /* 3271 * Since the inode label or policy seqno may have changed 3272 * between the selinux_inode_permission check and the saving 3273 * of state above, recheck that access is still permitted. 3274 * Otherwise, access might never be revalidated against the 3275 * new inode label or new policy. 3276 * This check is not redundant - do not remove. 3277 */ 3278 return path_has_perm(cred, &file->f_path, open_file_to_av(file)); 3279 } 3280 3281 /* task security operations */ 3282 3283 static int selinux_task_create(unsigned long clone_flags) 3284 { 3285 return current_has_perm(current, PROCESS__FORK); 3286 } 3287 3288 /* 3289 * allocate the SELinux part of blank credentials 3290 */ 3291 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) 3292 { 3293 struct task_security_struct *tsec; 3294 3295 tsec = kzalloc(sizeof(struct task_security_struct), gfp); 3296 if (!tsec) 3297 return -ENOMEM; 3298 3299 cred->security = tsec; 3300 return 0; 3301 } 3302 3303 /* 3304 * detach and free the LSM part of a set of credentials 3305 */ 3306 static void selinux_cred_free(struct cred *cred) 3307 { 3308 struct task_security_struct *tsec = cred->security; 3309 3310 /* 3311 * cred->security == NULL if security_cred_alloc_blank() or 3312 * security_prepare_creds() returned an error. 3313 */ 3314 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); 3315 cred->security = (void *) 0x7UL; 3316 kfree(tsec); 3317 } 3318 3319 /* 3320 * prepare a new set of credentials for modification 3321 */ 3322 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3323 gfp_t gfp) 3324 { 3325 const struct task_security_struct *old_tsec; 3326 struct task_security_struct *tsec; 3327 3328 old_tsec = old->security; 3329 3330 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); 3331 if (!tsec) 3332 return -ENOMEM; 3333 3334 new->security = tsec; 3335 return 0; 3336 } 3337 3338 /* 3339 * transfer the SELinux data to a blank set of creds 3340 */ 3341 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3342 { 3343 const struct task_security_struct *old_tsec = old->security; 3344 struct task_security_struct *tsec = new->security; 3345 3346 *tsec = *old_tsec; 3347 } 3348 3349 /* 3350 * set the security data for a kernel service 3351 * - all the creation contexts are set to unlabelled 3352 */ 3353 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3354 { 3355 struct task_security_struct *tsec = new->security; 3356 u32 sid = current_sid(); 3357 int ret; 3358 3359 ret = avc_has_perm(sid, secid, 3360 SECCLASS_KERNEL_SERVICE, 3361 KERNEL_SERVICE__USE_AS_OVERRIDE, 3362 NULL); 3363 if (ret == 0) { 3364 tsec->sid = secid; 3365 tsec->create_sid = 0; 3366 tsec->keycreate_sid = 0; 3367 tsec->sockcreate_sid = 0; 3368 } 3369 return ret; 3370 } 3371 3372 /* 3373 * set the file creation context in a security record to the same as the 3374 * objective context of the specified inode 3375 */ 3376 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3377 { 3378 struct inode_security_struct *isec = inode->i_security; 3379 struct task_security_struct *tsec = new->security; 3380 u32 sid = current_sid(); 3381 int ret; 3382 3383 ret = avc_has_perm(sid, isec->sid, 3384 SECCLASS_KERNEL_SERVICE, 3385 KERNEL_SERVICE__CREATE_FILES_AS, 3386 NULL); 3387 3388 if (ret == 0) 3389 tsec->create_sid = isec->sid; 3390 return ret; 3391 } 3392 3393 static int selinux_kernel_module_request(char *kmod_name) 3394 { 3395 u32 sid; 3396 struct common_audit_data ad; 3397 3398 sid = task_sid(current); 3399 3400 ad.type = LSM_AUDIT_DATA_KMOD; 3401 ad.u.kmod_name = kmod_name; 3402 3403 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM, 3404 SYSTEM__MODULE_REQUEST, &ad); 3405 } 3406 3407 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3408 { 3409 return current_has_perm(p, PROCESS__SETPGID); 3410 } 3411 3412 static int selinux_task_getpgid(struct task_struct *p) 3413 { 3414 return current_has_perm(p, PROCESS__GETPGID); 3415 } 3416 3417 static int selinux_task_getsid(struct task_struct *p) 3418 { 3419 return current_has_perm(p, PROCESS__GETSESSION); 3420 } 3421 3422 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3423 { 3424 *secid = task_sid(p); 3425 } 3426 3427 static int selinux_task_setnice(struct task_struct *p, int nice) 3428 { 3429 int rc; 3430 3431 rc = cap_task_setnice(p, nice); 3432 if (rc) 3433 return rc; 3434 3435 return current_has_perm(p, PROCESS__SETSCHED); 3436 } 3437 3438 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3439 { 3440 int rc; 3441 3442 rc = cap_task_setioprio(p, ioprio); 3443 if (rc) 3444 return rc; 3445 3446 return current_has_perm(p, PROCESS__SETSCHED); 3447 } 3448 3449 static int selinux_task_getioprio(struct task_struct *p) 3450 { 3451 return current_has_perm(p, PROCESS__GETSCHED); 3452 } 3453 3454 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 3455 struct rlimit *new_rlim) 3456 { 3457 struct rlimit *old_rlim = p->signal->rlim + resource; 3458 3459 /* Control the ability to change the hard limit (whether 3460 lowering or raising it), so that the hard limit can 3461 later be used as a safe reset point for the soft limit 3462 upon context transitions. See selinux_bprm_committing_creds. */ 3463 if (old_rlim->rlim_max != new_rlim->rlim_max) 3464 return current_has_perm(p, PROCESS__SETRLIMIT); 3465 3466 return 0; 3467 } 3468 3469 static int selinux_task_setscheduler(struct task_struct *p) 3470 { 3471 int rc; 3472 3473 rc = cap_task_setscheduler(p); 3474 if (rc) 3475 return rc; 3476 3477 return current_has_perm(p, PROCESS__SETSCHED); 3478 } 3479 3480 static int selinux_task_getscheduler(struct task_struct *p) 3481 { 3482 return current_has_perm(p, PROCESS__GETSCHED); 3483 } 3484 3485 static int selinux_task_movememory(struct task_struct *p) 3486 { 3487 return current_has_perm(p, PROCESS__SETSCHED); 3488 } 3489 3490 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 3491 int sig, u32 secid) 3492 { 3493 u32 perm; 3494 int rc; 3495 3496 if (!sig) 3497 perm = PROCESS__SIGNULL; /* null signal; existence test */ 3498 else 3499 perm = signal_to_av(sig); 3500 if (secid) 3501 rc = avc_has_perm(secid, task_sid(p), 3502 SECCLASS_PROCESS, perm, NULL); 3503 else 3504 rc = current_has_perm(p, perm); 3505 return rc; 3506 } 3507 3508 static int selinux_task_wait(struct task_struct *p) 3509 { 3510 return task_has_perm(p, current, PROCESS__SIGCHLD); 3511 } 3512 3513 static void selinux_task_to_inode(struct task_struct *p, 3514 struct inode *inode) 3515 { 3516 struct inode_security_struct *isec = inode->i_security; 3517 u32 sid = task_sid(p); 3518 3519 isec->sid = sid; 3520 isec->initialized = 1; 3521 } 3522 3523 /* Returns error only if unable to parse addresses */ 3524 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 3525 struct common_audit_data *ad, u8 *proto) 3526 { 3527 int offset, ihlen, ret = -EINVAL; 3528 struct iphdr _iph, *ih; 3529 3530 offset = skb_network_offset(skb); 3531 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 3532 if (ih == NULL) 3533 goto out; 3534 3535 ihlen = ih->ihl * 4; 3536 if (ihlen < sizeof(_iph)) 3537 goto out; 3538 3539 ad->u.net->v4info.saddr = ih->saddr; 3540 ad->u.net->v4info.daddr = ih->daddr; 3541 ret = 0; 3542 3543 if (proto) 3544 *proto = ih->protocol; 3545 3546 switch (ih->protocol) { 3547 case IPPROTO_TCP: { 3548 struct tcphdr _tcph, *th; 3549 3550 if (ntohs(ih->frag_off) & IP_OFFSET) 3551 break; 3552 3553 offset += ihlen; 3554 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3555 if (th == NULL) 3556 break; 3557 3558 ad->u.net->sport = th->source; 3559 ad->u.net->dport = th->dest; 3560 break; 3561 } 3562 3563 case IPPROTO_UDP: { 3564 struct udphdr _udph, *uh; 3565 3566 if (ntohs(ih->frag_off) & IP_OFFSET) 3567 break; 3568 3569 offset += ihlen; 3570 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3571 if (uh == NULL) 3572 break; 3573 3574 ad->u.net->sport = uh->source; 3575 ad->u.net->dport = uh->dest; 3576 break; 3577 } 3578 3579 case IPPROTO_DCCP: { 3580 struct dccp_hdr _dccph, *dh; 3581 3582 if (ntohs(ih->frag_off) & IP_OFFSET) 3583 break; 3584 3585 offset += ihlen; 3586 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3587 if (dh == NULL) 3588 break; 3589 3590 ad->u.net->sport = dh->dccph_sport; 3591 ad->u.net->dport = dh->dccph_dport; 3592 break; 3593 } 3594 3595 default: 3596 break; 3597 } 3598 out: 3599 return ret; 3600 } 3601 3602 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3603 3604 /* Returns error only if unable to parse addresses */ 3605 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 3606 struct common_audit_data *ad, u8 *proto) 3607 { 3608 u8 nexthdr; 3609 int ret = -EINVAL, offset; 3610 struct ipv6hdr _ipv6h, *ip6; 3611 __be16 frag_off; 3612 3613 offset = skb_network_offset(skb); 3614 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3615 if (ip6 == NULL) 3616 goto out; 3617 3618 ad->u.net->v6info.saddr = ip6->saddr; 3619 ad->u.net->v6info.daddr = ip6->daddr; 3620 ret = 0; 3621 3622 nexthdr = ip6->nexthdr; 3623 offset += sizeof(_ipv6h); 3624 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 3625 if (offset < 0) 3626 goto out; 3627 3628 if (proto) 3629 *proto = nexthdr; 3630 3631 switch (nexthdr) { 3632 case IPPROTO_TCP: { 3633 struct tcphdr _tcph, *th; 3634 3635 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3636 if (th == NULL) 3637 break; 3638 3639 ad->u.net->sport = th->source; 3640 ad->u.net->dport = th->dest; 3641 break; 3642 } 3643 3644 case IPPROTO_UDP: { 3645 struct udphdr _udph, *uh; 3646 3647 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3648 if (uh == NULL) 3649 break; 3650 3651 ad->u.net->sport = uh->source; 3652 ad->u.net->dport = uh->dest; 3653 break; 3654 } 3655 3656 case IPPROTO_DCCP: { 3657 struct dccp_hdr _dccph, *dh; 3658 3659 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3660 if (dh == NULL) 3661 break; 3662 3663 ad->u.net->sport = dh->dccph_sport; 3664 ad->u.net->dport = dh->dccph_dport; 3665 break; 3666 } 3667 3668 /* includes fragments */ 3669 default: 3670 break; 3671 } 3672 out: 3673 return ret; 3674 } 3675 3676 #endif /* IPV6 */ 3677 3678 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 3679 char **_addrp, int src, u8 *proto) 3680 { 3681 char *addrp; 3682 int ret; 3683 3684 switch (ad->u.net->family) { 3685 case PF_INET: 3686 ret = selinux_parse_skb_ipv4(skb, ad, proto); 3687 if (ret) 3688 goto parse_error; 3689 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 3690 &ad->u.net->v4info.daddr); 3691 goto okay; 3692 3693 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3694 case PF_INET6: 3695 ret = selinux_parse_skb_ipv6(skb, ad, proto); 3696 if (ret) 3697 goto parse_error; 3698 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 3699 &ad->u.net->v6info.daddr); 3700 goto okay; 3701 #endif /* IPV6 */ 3702 default: 3703 addrp = NULL; 3704 goto okay; 3705 } 3706 3707 parse_error: 3708 printk(KERN_WARNING 3709 "SELinux: failure in selinux_parse_skb()," 3710 " unable to parse packet\n"); 3711 return ret; 3712 3713 okay: 3714 if (_addrp) 3715 *_addrp = addrp; 3716 return 0; 3717 } 3718 3719 /** 3720 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 3721 * @skb: the packet 3722 * @family: protocol family 3723 * @sid: the packet's peer label SID 3724 * 3725 * Description: 3726 * Check the various different forms of network peer labeling and determine 3727 * the peer label/SID for the packet; most of the magic actually occurs in 3728 * the security server function security_net_peersid_cmp(). The function 3729 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 3730 * or -EACCES if @sid is invalid due to inconsistencies with the different 3731 * peer labels. 3732 * 3733 */ 3734 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 3735 { 3736 int err; 3737 u32 xfrm_sid; 3738 u32 nlbl_sid; 3739 u32 nlbl_type; 3740 3741 err = selinux_skb_xfrm_sid(skb, &xfrm_sid); 3742 if (unlikely(err)) 3743 return -EACCES; 3744 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 3745 if (unlikely(err)) 3746 return -EACCES; 3747 3748 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 3749 if (unlikely(err)) { 3750 printk(KERN_WARNING 3751 "SELinux: failure in selinux_skb_peerlbl_sid()," 3752 " unable to determine packet's peer label\n"); 3753 return -EACCES; 3754 } 3755 3756 return 0; 3757 } 3758 3759 /* socket security operations */ 3760 3761 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 3762 u16 secclass, u32 *socksid) 3763 { 3764 if (tsec->sockcreate_sid > SECSID_NULL) { 3765 *socksid = tsec->sockcreate_sid; 3766 return 0; 3767 } 3768 3769 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL, 3770 socksid); 3771 } 3772 3773 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms) 3774 { 3775 struct sk_security_struct *sksec = sk->sk_security; 3776 struct common_audit_data ad; 3777 struct lsm_network_audit net = {0,}; 3778 u32 tsid = task_sid(task); 3779 3780 if (sksec->sid == SECINITSID_KERNEL) 3781 return 0; 3782 3783 ad.type = LSM_AUDIT_DATA_NET; 3784 ad.u.net = &net; 3785 ad.u.net->sk = sk; 3786 3787 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad); 3788 } 3789 3790 static int selinux_socket_create(int family, int type, 3791 int protocol, int kern) 3792 { 3793 const struct task_security_struct *tsec = current_security(); 3794 u32 newsid; 3795 u16 secclass; 3796 int rc; 3797 3798 if (kern) 3799 return 0; 3800 3801 secclass = socket_type_to_security_class(family, type, protocol); 3802 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 3803 if (rc) 3804 return rc; 3805 3806 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 3807 } 3808 3809 static int selinux_socket_post_create(struct socket *sock, int family, 3810 int type, int protocol, int kern) 3811 { 3812 const struct task_security_struct *tsec = current_security(); 3813 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 3814 struct sk_security_struct *sksec; 3815 int err = 0; 3816 3817 isec->sclass = socket_type_to_security_class(family, type, protocol); 3818 3819 if (kern) 3820 isec->sid = SECINITSID_KERNEL; 3821 else { 3822 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid)); 3823 if (err) 3824 return err; 3825 } 3826 3827 isec->initialized = 1; 3828 3829 if (sock->sk) { 3830 sksec = sock->sk->sk_security; 3831 sksec->sid = isec->sid; 3832 sksec->sclass = isec->sclass; 3833 err = selinux_netlbl_socket_post_create(sock->sk, family); 3834 } 3835 3836 return err; 3837 } 3838 3839 /* Range of port numbers used to automatically bind. 3840 Need to determine whether we should perform a name_bind 3841 permission check between the socket and the port number. */ 3842 3843 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 3844 { 3845 struct sock *sk = sock->sk; 3846 u16 family; 3847 int err; 3848 3849 err = sock_has_perm(current, sk, SOCKET__BIND); 3850 if (err) 3851 goto out; 3852 3853 /* 3854 * If PF_INET or PF_INET6, check name_bind permission for the port. 3855 * Multiple address binding for SCTP is not supported yet: we just 3856 * check the first address now. 3857 */ 3858 family = sk->sk_family; 3859 if (family == PF_INET || family == PF_INET6) { 3860 char *addrp; 3861 struct sk_security_struct *sksec = sk->sk_security; 3862 struct common_audit_data ad; 3863 struct lsm_network_audit net = {0,}; 3864 struct sockaddr_in *addr4 = NULL; 3865 struct sockaddr_in6 *addr6 = NULL; 3866 unsigned short snum; 3867 u32 sid, node_perm; 3868 3869 if (family == PF_INET) { 3870 addr4 = (struct sockaddr_in *)address; 3871 snum = ntohs(addr4->sin_port); 3872 addrp = (char *)&addr4->sin_addr.s_addr; 3873 } else { 3874 addr6 = (struct sockaddr_in6 *)address; 3875 snum = ntohs(addr6->sin6_port); 3876 addrp = (char *)&addr6->sin6_addr.s6_addr; 3877 } 3878 3879 if (snum) { 3880 int low, high; 3881 3882 inet_get_local_port_range(&low, &high); 3883 3884 if (snum < max(PROT_SOCK, low) || snum > high) { 3885 err = sel_netport_sid(sk->sk_protocol, 3886 snum, &sid); 3887 if (err) 3888 goto out; 3889 ad.type = LSM_AUDIT_DATA_NET; 3890 ad.u.net = &net; 3891 ad.u.net->sport = htons(snum); 3892 ad.u.net->family = family; 3893 err = avc_has_perm(sksec->sid, sid, 3894 sksec->sclass, 3895 SOCKET__NAME_BIND, &ad); 3896 if (err) 3897 goto out; 3898 } 3899 } 3900 3901 switch (sksec->sclass) { 3902 case SECCLASS_TCP_SOCKET: 3903 node_perm = TCP_SOCKET__NODE_BIND; 3904 break; 3905 3906 case SECCLASS_UDP_SOCKET: 3907 node_perm = UDP_SOCKET__NODE_BIND; 3908 break; 3909 3910 case SECCLASS_DCCP_SOCKET: 3911 node_perm = DCCP_SOCKET__NODE_BIND; 3912 break; 3913 3914 default: 3915 node_perm = RAWIP_SOCKET__NODE_BIND; 3916 break; 3917 } 3918 3919 err = sel_netnode_sid(addrp, family, &sid); 3920 if (err) 3921 goto out; 3922 3923 ad.type = LSM_AUDIT_DATA_NET; 3924 ad.u.net = &net; 3925 ad.u.net->sport = htons(snum); 3926 ad.u.net->family = family; 3927 3928 if (family == PF_INET) 3929 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 3930 else 3931 ad.u.net->v6info.saddr = addr6->sin6_addr; 3932 3933 err = avc_has_perm(sksec->sid, sid, 3934 sksec->sclass, node_perm, &ad); 3935 if (err) 3936 goto out; 3937 } 3938 out: 3939 return err; 3940 } 3941 3942 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 3943 { 3944 struct sock *sk = sock->sk; 3945 struct sk_security_struct *sksec = sk->sk_security; 3946 int err; 3947 3948 err = sock_has_perm(current, sk, SOCKET__CONNECT); 3949 if (err) 3950 return err; 3951 3952 /* 3953 * If a TCP or DCCP socket, check name_connect permission for the port. 3954 */ 3955 if (sksec->sclass == SECCLASS_TCP_SOCKET || 3956 sksec->sclass == SECCLASS_DCCP_SOCKET) { 3957 struct common_audit_data ad; 3958 struct lsm_network_audit net = {0,}; 3959 struct sockaddr_in *addr4 = NULL; 3960 struct sockaddr_in6 *addr6 = NULL; 3961 unsigned short snum; 3962 u32 sid, perm; 3963 3964 if (sk->sk_family == PF_INET) { 3965 addr4 = (struct sockaddr_in *)address; 3966 if (addrlen < sizeof(struct sockaddr_in)) 3967 return -EINVAL; 3968 snum = ntohs(addr4->sin_port); 3969 } else { 3970 addr6 = (struct sockaddr_in6 *)address; 3971 if (addrlen < SIN6_LEN_RFC2133) 3972 return -EINVAL; 3973 snum = ntohs(addr6->sin6_port); 3974 } 3975 3976 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 3977 if (err) 3978 goto out; 3979 3980 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ? 3981 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 3982 3983 ad.type = LSM_AUDIT_DATA_NET; 3984 ad.u.net = &net; 3985 ad.u.net->dport = htons(snum); 3986 ad.u.net->family = sk->sk_family; 3987 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 3988 if (err) 3989 goto out; 3990 } 3991 3992 err = selinux_netlbl_socket_connect(sk, address); 3993 3994 out: 3995 return err; 3996 } 3997 3998 static int selinux_socket_listen(struct socket *sock, int backlog) 3999 { 4000 return sock_has_perm(current, sock->sk, SOCKET__LISTEN); 4001 } 4002 4003 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4004 { 4005 int err; 4006 struct inode_security_struct *isec; 4007 struct inode_security_struct *newisec; 4008 4009 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT); 4010 if (err) 4011 return err; 4012 4013 newisec = SOCK_INODE(newsock)->i_security; 4014 4015 isec = SOCK_INODE(sock)->i_security; 4016 newisec->sclass = isec->sclass; 4017 newisec->sid = isec->sid; 4018 newisec->initialized = 1; 4019 4020 return 0; 4021 } 4022 4023 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4024 int size) 4025 { 4026 return sock_has_perm(current, sock->sk, SOCKET__WRITE); 4027 } 4028 4029 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4030 int size, int flags) 4031 { 4032 return sock_has_perm(current, sock->sk, SOCKET__READ); 4033 } 4034 4035 static int selinux_socket_getsockname(struct socket *sock) 4036 { 4037 return sock_has_perm(current, sock->sk, SOCKET__GETATTR); 4038 } 4039 4040 static int selinux_socket_getpeername(struct socket *sock) 4041 { 4042 return sock_has_perm(current, sock->sk, SOCKET__GETATTR); 4043 } 4044 4045 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4046 { 4047 int err; 4048 4049 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT); 4050 if (err) 4051 return err; 4052 4053 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4054 } 4055 4056 static int selinux_socket_getsockopt(struct socket *sock, int level, 4057 int optname) 4058 { 4059 return sock_has_perm(current, sock->sk, SOCKET__GETOPT); 4060 } 4061 4062 static int selinux_socket_shutdown(struct socket *sock, int how) 4063 { 4064 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN); 4065 } 4066 4067 static int selinux_socket_unix_stream_connect(struct sock *sock, 4068 struct sock *other, 4069 struct sock *newsk) 4070 { 4071 struct sk_security_struct *sksec_sock = sock->sk_security; 4072 struct sk_security_struct *sksec_other = other->sk_security; 4073 struct sk_security_struct *sksec_new = newsk->sk_security; 4074 struct common_audit_data ad; 4075 struct lsm_network_audit net = {0,}; 4076 int err; 4077 4078 ad.type = LSM_AUDIT_DATA_NET; 4079 ad.u.net = &net; 4080 ad.u.net->sk = other; 4081 4082 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 4083 sksec_other->sclass, 4084 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4085 if (err) 4086 return err; 4087 4088 /* server child socket */ 4089 sksec_new->peer_sid = sksec_sock->sid; 4090 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid, 4091 &sksec_new->sid); 4092 if (err) 4093 return err; 4094 4095 /* connecting socket */ 4096 sksec_sock->peer_sid = sksec_new->sid; 4097 4098 return 0; 4099 } 4100 4101 static int selinux_socket_unix_may_send(struct socket *sock, 4102 struct socket *other) 4103 { 4104 struct sk_security_struct *ssec = sock->sk->sk_security; 4105 struct sk_security_struct *osec = other->sk->sk_security; 4106 struct common_audit_data ad; 4107 struct lsm_network_audit net = {0,}; 4108 4109 ad.type = LSM_AUDIT_DATA_NET; 4110 ad.u.net = &net; 4111 ad.u.net->sk = other->sk; 4112 4113 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4114 &ad); 4115 } 4116 4117 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, 4118 u32 peer_sid, 4119 struct common_audit_data *ad) 4120 { 4121 int err; 4122 u32 if_sid; 4123 u32 node_sid; 4124 4125 err = sel_netif_sid(ifindex, &if_sid); 4126 if (err) 4127 return err; 4128 err = avc_has_perm(peer_sid, if_sid, 4129 SECCLASS_NETIF, NETIF__INGRESS, ad); 4130 if (err) 4131 return err; 4132 4133 err = sel_netnode_sid(addrp, family, &node_sid); 4134 if (err) 4135 return err; 4136 return avc_has_perm(peer_sid, node_sid, 4137 SECCLASS_NODE, NODE__RECVFROM, ad); 4138 } 4139 4140 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4141 u16 family) 4142 { 4143 int err = 0; 4144 struct sk_security_struct *sksec = sk->sk_security; 4145 u32 sk_sid = sksec->sid; 4146 struct common_audit_data ad; 4147 struct lsm_network_audit net = {0,}; 4148 char *addrp; 4149 4150 ad.type = LSM_AUDIT_DATA_NET; 4151 ad.u.net = &net; 4152 ad.u.net->netif = skb->skb_iif; 4153 ad.u.net->family = family; 4154 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4155 if (err) 4156 return err; 4157 4158 if (selinux_secmark_enabled()) { 4159 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4160 PACKET__RECV, &ad); 4161 if (err) 4162 return err; 4163 } 4164 4165 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4166 if (err) 4167 return err; 4168 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 4169 4170 return err; 4171 } 4172 4173 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4174 { 4175 int err; 4176 struct sk_security_struct *sksec = sk->sk_security; 4177 u16 family = sk->sk_family; 4178 u32 sk_sid = sksec->sid; 4179 struct common_audit_data ad; 4180 struct lsm_network_audit net = {0,}; 4181 char *addrp; 4182 u8 secmark_active; 4183 u8 peerlbl_active; 4184 4185 if (family != PF_INET && family != PF_INET6) 4186 return 0; 4187 4188 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 4189 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4190 family = PF_INET; 4191 4192 /* If any sort of compatibility mode is enabled then handoff processing 4193 * to the selinux_sock_rcv_skb_compat() function to deal with the 4194 * special handling. We do this in an attempt to keep this function 4195 * as fast and as clean as possible. */ 4196 if (!selinux_policycap_netpeer) 4197 return selinux_sock_rcv_skb_compat(sk, skb, family); 4198 4199 secmark_active = selinux_secmark_enabled(); 4200 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); 4201 if (!secmark_active && !peerlbl_active) 4202 return 0; 4203 4204 ad.type = LSM_AUDIT_DATA_NET; 4205 ad.u.net = &net; 4206 ad.u.net->netif = skb->skb_iif; 4207 ad.u.net->family = family; 4208 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4209 if (err) 4210 return err; 4211 4212 if (peerlbl_active) { 4213 u32 peer_sid; 4214 4215 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4216 if (err) 4217 return err; 4218 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family, 4219 peer_sid, &ad); 4220 if (err) { 4221 selinux_netlbl_err(skb, err, 0); 4222 return err; 4223 } 4224 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 4225 PEER__RECV, &ad); 4226 if (err) 4227 selinux_netlbl_err(skb, err, 0); 4228 } 4229 4230 if (secmark_active) { 4231 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4232 PACKET__RECV, &ad); 4233 if (err) 4234 return err; 4235 } 4236 4237 return err; 4238 } 4239 4240 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 4241 int __user *optlen, unsigned len) 4242 { 4243 int err = 0; 4244 char *scontext; 4245 u32 scontext_len; 4246 struct sk_security_struct *sksec = sock->sk->sk_security; 4247 u32 peer_sid = SECSID_NULL; 4248 4249 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 4250 sksec->sclass == SECCLASS_TCP_SOCKET) 4251 peer_sid = sksec->peer_sid; 4252 if (peer_sid == SECSID_NULL) 4253 return -ENOPROTOOPT; 4254 4255 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 4256 if (err) 4257 return err; 4258 4259 if (scontext_len > len) { 4260 err = -ERANGE; 4261 goto out_len; 4262 } 4263 4264 if (copy_to_user(optval, scontext, scontext_len)) 4265 err = -EFAULT; 4266 4267 out_len: 4268 if (put_user(scontext_len, optlen)) 4269 err = -EFAULT; 4270 kfree(scontext); 4271 return err; 4272 } 4273 4274 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 4275 { 4276 u32 peer_secid = SECSID_NULL; 4277 u16 family; 4278 4279 if (skb && skb->protocol == htons(ETH_P_IP)) 4280 family = PF_INET; 4281 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 4282 family = PF_INET6; 4283 else if (sock) 4284 family = sock->sk->sk_family; 4285 else 4286 goto out; 4287 4288 if (sock && family == PF_UNIX) 4289 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid); 4290 else if (skb) 4291 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 4292 4293 out: 4294 *secid = peer_secid; 4295 if (peer_secid == SECSID_NULL) 4296 return -EINVAL; 4297 return 0; 4298 } 4299 4300 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 4301 { 4302 struct sk_security_struct *sksec; 4303 4304 sksec = kzalloc(sizeof(*sksec), priority); 4305 if (!sksec) 4306 return -ENOMEM; 4307 4308 sksec->peer_sid = SECINITSID_UNLABELED; 4309 sksec->sid = SECINITSID_UNLABELED; 4310 selinux_netlbl_sk_security_reset(sksec); 4311 sk->sk_security = sksec; 4312 4313 return 0; 4314 } 4315 4316 static void selinux_sk_free_security(struct sock *sk) 4317 { 4318 struct sk_security_struct *sksec = sk->sk_security; 4319 4320 sk->sk_security = NULL; 4321 selinux_netlbl_sk_security_free(sksec); 4322 kfree(sksec); 4323 } 4324 4325 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 4326 { 4327 struct sk_security_struct *sksec = sk->sk_security; 4328 struct sk_security_struct *newsksec = newsk->sk_security; 4329 4330 newsksec->sid = sksec->sid; 4331 newsksec->peer_sid = sksec->peer_sid; 4332 newsksec->sclass = sksec->sclass; 4333 4334 selinux_netlbl_sk_security_reset(newsksec); 4335 } 4336 4337 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 4338 { 4339 if (!sk) 4340 *secid = SECINITSID_ANY_SOCKET; 4341 else { 4342 struct sk_security_struct *sksec = sk->sk_security; 4343 4344 *secid = sksec->sid; 4345 } 4346 } 4347 4348 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 4349 { 4350 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; 4351 struct sk_security_struct *sksec = sk->sk_security; 4352 4353 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 4354 sk->sk_family == PF_UNIX) 4355 isec->sid = sksec->sid; 4356 sksec->sclass = isec->sclass; 4357 } 4358 4359 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4360 struct request_sock *req) 4361 { 4362 struct sk_security_struct *sksec = sk->sk_security; 4363 int err; 4364 u16 family = sk->sk_family; 4365 u32 newsid; 4366 u32 peersid; 4367 4368 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 4369 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4370 family = PF_INET; 4371 4372 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 4373 if (err) 4374 return err; 4375 if (peersid == SECSID_NULL) { 4376 req->secid = sksec->sid; 4377 req->peer_secid = SECSID_NULL; 4378 } else { 4379 err = security_sid_mls_copy(sksec->sid, peersid, &newsid); 4380 if (err) 4381 return err; 4382 req->secid = newsid; 4383 req->peer_secid = peersid; 4384 } 4385 4386 return selinux_netlbl_inet_conn_request(req, family); 4387 } 4388 4389 static void selinux_inet_csk_clone(struct sock *newsk, 4390 const struct request_sock *req) 4391 { 4392 struct sk_security_struct *newsksec = newsk->sk_security; 4393 4394 newsksec->sid = req->secid; 4395 newsksec->peer_sid = req->peer_secid; 4396 /* NOTE: Ideally, we should also get the isec->sid for the 4397 new socket in sync, but we don't have the isec available yet. 4398 So we will wait until sock_graft to do it, by which 4399 time it will have been created and available. */ 4400 4401 /* We don't need to take any sort of lock here as we are the only 4402 * thread with access to newsksec */ 4403 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 4404 } 4405 4406 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 4407 { 4408 u16 family = sk->sk_family; 4409 struct sk_security_struct *sksec = sk->sk_security; 4410 4411 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 4412 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4413 family = PF_INET; 4414 4415 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 4416 } 4417 4418 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk) 4419 { 4420 skb_set_owner_w(skb, sk); 4421 } 4422 4423 static int selinux_secmark_relabel_packet(u32 sid) 4424 { 4425 const struct task_security_struct *__tsec; 4426 u32 tsid; 4427 4428 __tsec = current_security(); 4429 tsid = __tsec->sid; 4430 4431 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL); 4432 } 4433 4434 static void selinux_secmark_refcount_inc(void) 4435 { 4436 atomic_inc(&selinux_secmark_refcount); 4437 } 4438 4439 static void selinux_secmark_refcount_dec(void) 4440 { 4441 atomic_dec(&selinux_secmark_refcount); 4442 } 4443 4444 static void selinux_req_classify_flow(const struct request_sock *req, 4445 struct flowi *fl) 4446 { 4447 fl->flowi_secid = req->secid; 4448 } 4449 4450 static int selinux_tun_dev_alloc_security(void **security) 4451 { 4452 struct tun_security_struct *tunsec; 4453 4454 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 4455 if (!tunsec) 4456 return -ENOMEM; 4457 tunsec->sid = current_sid(); 4458 4459 *security = tunsec; 4460 return 0; 4461 } 4462 4463 static void selinux_tun_dev_free_security(void *security) 4464 { 4465 kfree(security); 4466 } 4467 4468 static int selinux_tun_dev_create(void) 4469 { 4470 u32 sid = current_sid(); 4471 4472 /* we aren't taking into account the "sockcreate" SID since the socket 4473 * that is being created here is not a socket in the traditional sense, 4474 * instead it is a private sock, accessible only to the kernel, and 4475 * representing a wide range of network traffic spanning multiple 4476 * connections unlike traditional sockets - check the TUN driver to 4477 * get a better understanding of why this socket is special */ 4478 4479 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 4480 NULL); 4481 } 4482 4483 static int selinux_tun_dev_attach_queue(void *security) 4484 { 4485 struct tun_security_struct *tunsec = security; 4486 4487 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 4488 TUN_SOCKET__ATTACH_QUEUE, NULL); 4489 } 4490 4491 static int selinux_tun_dev_attach(struct sock *sk, void *security) 4492 { 4493 struct tun_security_struct *tunsec = security; 4494 struct sk_security_struct *sksec = sk->sk_security; 4495 4496 /* we don't currently perform any NetLabel based labeling here and it 4497 * isn't clear that we would want to do so anyway; while we could apply 4498 * labeling without the support of the TUN user the resulting labeled 4499 * traffic from the other end of the connection would almost certainly 4500 * cause confusion to the TUN user that had no idea network labeling 4501 * protocols were being used */ 4502 4503 sksec->sid = tunsec->sid; 4504 sksec->sclass = SECCLASS_TUN_SOCKET; 4505 4506 return 0; 4507 } 4508 4509 static int selinux_tun_dev_open(void *security) 4510 { 4511 struct tun_security_struct *tunsec = security; 4512 u32 sid = current_sid(); 4513 int err; 4514 4515 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 4516 TUN_SOCKET__RELABELFROM, NULL); 4517 if (err) 4518 return err; 4519 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 4520 TUN_SOCKET__RELABELTO, NULL); 4521 if (err) 4522 return err; 4523 tunsec->sid = sid; 4524 4525 return 0; 4526 } 4527 4528 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 4529 { 4530 int err = 0; 4531 u32 perm; 4532 struct nlmsghdr *nlh; 4533 struct sk_security_struct *sksec = sk->sk_security; 4534 4535 if (skb->len < NLMSG_HDRLEN) { 4536 err = -EINVAL; 4537 goto out; 4538 } 4539 nlh = nlmsg_hdr(skb); 4540 4541 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 4542 if (err) { 4543 if (err == -EINVAL) { 4544 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR, 4545 "SELinux: unrecognized netlink message" 4546 " type=%hu for sclass=%hu\n", 4547 nlh->nlmsg_type, sksec->sclass); 4548 if (!selinux_enforcing || security_get_allow_unknown()) 4549 err = 0; 4550 } 4551 4552 /* Ignore */ 4553 if (err == -ENOENT) 4554 err = 0; 4555 goto out; 4556 } 4557 4558 err = sock_has_perm(current, sk, perm); 4559 out: 4560 return err; 4561 } 4562 4563 #ifdef CONFIG_NETFILTER 4564 4565 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, 4566 u16 family) 4567 { 4568 int err; 4569 char *addrp; 4570 u32 peer_sid; 4571 struct common_audit_data ad; 4572 struct lsm_network_audit net = {0,}; 4573 u8 secmark_active; 4574 u8 netlbl_active; 4575 u8 peerlbl_active; 4576 4577 if (!selinux_policycap_netpeer) 4578 return NF_ACCEPT; 4579 4580 secmark_active = selinux_secmark_enabled(); 4581 netlbl_active = netlbl_enabled(); 4582 peerlbl_active = netlbl_active || selinux_xfrm_enabled(); 4583 if (!secmark_active && !peerlbl_active) 4584 return NF_ACCEPT; 4585 4586 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 4587 return NF_DROP; 4588 4589 ad.type = LSM_AUDIT_DATA_NET; 4590 ad.u.net = &net; 4591 ad.u.net->netif = ifindex; 4592 ad.u.net->family = family; 4593 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 4594 return NF_DROP; 4595 4596 if (peerlbl_active) { 4597 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family, 4598 peer_sid, &ad); 4599 if (err) { 4600 selinux_netlbl_err(skb, err, 1); 4601 return NF_DROP; 4602 } 4603 } 4604 4605 if (secmark_active) 4606 if (avc_has_perm(peer_sid, skb->secmark, 4607 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 4608 return NF_DROP; 4609 4610 if (netlbl_active) 4611 /* we do this in the FORWARD path and not the POST_ROUTING 4612 * path because we want to make sure we apply the necessary 4613 * labeling before IPsec is applied so we can leverage AH 4614 * protection */ 4615 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 4616 return NF_DROP; 4617 4618 return NF_ACCEPT; 4619 } 4620 4621 static unsigned int selinux_ipv4_forward(unsigned int hooknum, 4622 struct sk_buff *skb, 4623 const struct net_device *in, 4624 const struct net_device *out, 4625 int (*okfn)(struct sk_buff *)) 4626 { 4627 return selinux_ip_forward(skb, in->ifindex, PF_INET); 4628 } 4629 4630 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4631 static unsigned int selinux_ipv6_forward(unsigned int hooknum, 4632 struct sk_buff *skb, 4633 const struct net_device *in, 4634 const struct net_device *out, 4635 int (*okfn)(struct sk_buff *)) 4636 { 4637 return selinux_ip_forward(skb, in->ifindex, PF_INET6); 4638 } 4639 #endif /* IPV6 */ 4640 4641 static unsigned int selinux_ip_output(struct sk_buff *skb, 4642 u16 family) 4643 { 4644 u32 sid; 4645 4646 if (!netlbl_enabled()) 4647 return NF_ACCEPT; 4648 4649 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 4650 * because we want to make sure we apply the necessary labeling 4651 * before IPsec is applied so we can leverage AH protection */ 4652 if (skb->sk) { 4653 struct sk_security_struct *sksec = skb->sk->sk_security; 4654 sid = sksec->sid; 4655 } else 4656 sid = SECINITSID_KERNEL; 4657 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 4658 return NF_DROP; 4659 4660 return NF_ACCEPT; 4661 } 4662 4663 static unsigned int selinux_ipv4_output(unsigned int hooknum, 4664 struct sk_buff *skb, 4665 const struct net_device *in, 4666 const struct net_device *out, 4667 int (*okfn)(struct sk_buff *)) 4668 { 4669 return selinux_ip_output(skb, PF_INET); 4670 } 4671 4672 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 4673 int ifindex, 4674 u16 family) 4675 { 4676 struct sock *sk = skb->sk; 4677 struct sk_security_struct *sksec; 4678 struct common_audit_data ad; 4679 struct lsm_network_audit net = {0,}; 4680 char *addrp; 4681 u8 proto; 4682 4683 if (sk == NULL) 4684 return NF_ACCEPT; 4685 sksec = sk->sk_security; 4686 4687 ad.type = LSM_AUDIT_DATA_NET; 4688 ad.u.net = &net; 4689 ad.u.net->netif = ifindex; 4690 ad.u.net->family = family; 4691 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 4692 return NF_DROP; 4693 4694 if (selinux_secmark_enabled()) 4695 if (avc_has_perm(sksec->sid, skb->secmark, 4696 SECCLASS_PACKET, PACKET__SEND, &ad)) 4697 return NF_DROP_ERR(-ECONNREFUSED); 4698 4699 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 4700 return NF_DROP_ERR(-ECONNREFUSED); 4701 4702 return NF_ACCEPT; 4703 } 4704 4705 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, 4706 u16 family) 4707 { 4708 u32 secmark_perm; 4709 u32 peer_sid; 4710 struct sock *sk; 4711 struct common_audit_data ad; 4712 struct lsm_network_audit net = {0,}; 4713 char *addrp; 4714 u8 secmark_active; 4715 u8 peerlbl_active; 4716 4717 /* If any sort of compatibility mode is enabled then handoff processing 4718 * to the selinux_ip_postroute_compat() function to deal with the 4719 * special handling. We do this in an attempt to keep this function 4720 * as fast and as clean as possible. */ 4721 if (!selinux_policycap_netpeer) 4722 return selinux_ip_postroute_compat(skb, ifindex, family); 4723 #ifdef CONFIG_XFRM 4724 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 4725 * packet transformation so allow the packet to pass without any checks 4726 * since we'll have another chance to perform access control checks 4727 * when the packet is on it's final way out. 4728 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 4729 * is NULL, in this case go ahead and apply access control. */ 4730 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL) 4731 return NF_ACCEPT; 4732 #endif 4733 secmark_active = selinux_secmark_enabled(); 4734 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); 4735 if (!secmark_active && !peerlbl_active) 4736 return NF_ACCEPT; 4737 4738 /* if the packet is being forwarded then get the peer label from the 4739 * packet itself; otherwise check to see if it is from a local 4740 * application or the kernel, if from an application get the peer label 4741 * from the sending socket, otherwise use the kernel's sid */ 4742 sk = skb->sk; 4743 if (sk == NULL) { 4744 if (skb->skb_iif) { 4745 secmark_perm = PACKET__FORWARD_OUT; 4746 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 4747 return NF_DROP; 4748 } else { 4749 secmark_perm = PACKET__SEND; 4750 peer_sid = SECINITSID_KERNEL; 4751 } 4752 } else { 4753 struct sk_security_struct *sksec = sk->sk_security; 4754 peer_sid = sksec->sid; 4755 secmark_perm = PACKET__SEND; 4756 } 4757 4758 ad.type = LSM_AUDIT_DATA_NET; 4759 ad.u.net = &net; 4760 ad.u.net->netif = ifindex; 4761 ad.u.net->family = family; 4762 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 4763 return NF_DROP; 4764 4765 if (secmark_active) 4766 if (avc_has_perm(peer_sid, skb->secmark, 4767 SECCLASS_PACKET, secmark_perm, &ad)) 4768 return NF_DROP_ERR(-ECONNREFUSED); 4769 4770 if (peerlbl_active) { 4771 u32 if_sid; 4772 u32 node_sid; 4773 4774 if (sel_netif_sid(ifindex, &if_sid)) 4775 return NF_DROP; 4776 if (avc_has_perm(peer_sid, if_sid, 4777 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 4778 return NF_DROP_ERR(-ECONNREFUSED); 4779 4780 if (sel_netnode_sid(addrp, family, &node_sid)) 4781 return NF_DROP; 4782 if (avc_has_perm(peer_sid, node_sid, 4783 SECCLASS_NODE, NODE__SENDTO, &ad)) 4784 return NF_DROP_ERR(-ECONNREFUSED); 4785 } 4786 4787 return NF_ACCEPT; 4788 } 4789 4790 static unsigned int selinux_ipv4_postroute(unsigned int hooknum, 4791 struct sk_buff *skb, 4792 const struct net_device *in, 4793 const struct net_device *out, 4794 int (*okfn)(struct sk_buff *)) 4795 { 4796 return selinux_ip_postroute(skb, out->ifindex, PF_INET); 4797 } 4798 4799 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4800 static unsigned int selinux_ipv6_postroute(unsigned int hooknum, 4801 struct sk_buff *skb, 4802 const struct net_device *in, 4803 const struct net_device *out, 4804 int (*okfn)(struct sk_buff *)) 4805 { 4806 return selinux_ip_postroute(skb, out->ifindex, PF_INET6); 4807 } 4808 #endif /* IPV6 */ 4809 4810 #endif /* CONFIG_NETFILTER */ 4811 4812 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 4813 { 4814 int err; 4815 4816 err = cap_netlink_send(sk, skb); 4817 if (err) 4818 return err; 4819 4820 return selinux_nlmsg_perm(sk, skb); 4821 } 4822 4823 static int ipc_alloc_security(struct task_struct *task, 4824 struct kern_ipc_perm *perm, 4825 u16 sclass) 4826 { 4827 struct ipc_security_struct *isec; 4828 u32 sid; 4829 4830 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 4831 if (!isec) 4832 return -ENOMEM; 4833 4834 sid = task_sid(task); 4835 isec->sclass = sclass; 4836 isec->sid = sid; 4837 perm->security = isec; 4838 4839 return 0; 4840 } 4841 4842 static void ipc_free_security(struct kern_ipc_perm *perm) 4843 { 4844 struct ipc_security_struct *isec = perm->security; 4845 perm->security = NULL; 4846 kfree(isec); 4847 } 4848 4849 static int msg_msg_alloc_security(struct msg_msg *msg) 4850 { 4851 struct msg_security_struct *msec; 4852 4853 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 4854 if (!msec) 4855 return -ENOMEM; 4856 4857 msec->sid = SECINITSID_UNLABELED; 4858 msg->security = msec; 4859 4860 return 0; 4861 } 4862 4863 static void msg_msg_free_security(struct msg_msg *msg) 4864 { 4865 struct msg_security_struct *msec = msg->security; 4866 4867 msg->security = NULL; 4868 kfree(msec); 4869 } 4870 4871 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 4872 u32 perms) 4873 { 4874 struct ipc_security_struct *isec; 4875 struct common_audit_data ad; 4876 u32 sid = current_sid(); 4877 4878 isec = ipc_perms->security; 4879 4880 ad.type = LSM_AUDIT_DATA_IPC; 4881 ad.u.ipc_id = ipc_perms->key; 4882 4883 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 4884 } 4885 4886 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 4887 { 4888 return msg_msg_alloc_security(msg); 4889 } 4890 4891 static void selinux_msg_msg_free_security(struct msg_msg *msg) 4892 { 4893 msg_msg_free_security(msg); 4894 } 4895 4896 /* message queue security operations */ 4897 static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 4898 { 4899 struct ipc_security_struct *isec; 4900 struct common_audit_data ad; 4901 u32 sid = current_sid(); 4902 int rc; 4903 4904 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ); 4905 if (rc) 4906 return rc; 4907 4908 isec = msq->q_perm.security; 4909 4910 ad.type = LSM_AUDIT_DATA_IPC; 4911 ad.u.ipc_id = msq->q_perm.key; 4912 4913 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 4914 MSGQ__CREATE, &ad); 4915 if (rc) { 4916 ipc_free_security(&msq->q_perm); 4917 return rc; 4918 } 4919 return 0; 4920 } 4921 4922 static void selinux_msg_queue_free_security(struct msg_queue *msq) 4923 { 4924 ipc_free_security(&msq->q_perm); 4925 } 4926 4927 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 4928 { 4929 struct ipc_security_struct *isec; 4930 struct common_audit_data ad; 4931 u32 sid = current_sid(); 4932 4933 isec = msq->q_perm.security; 4934 4935 ad.type = LSM_AUDIT_DATA_IPC; 4936 ad.u.ipc_id = msq->q_perm.key; 4937 4938 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 4939 MSGQ__ASSOCIATE, &ad); 4940 } 4941 4942 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 4943 { 4944 int err; 4945 int perms; 4946 4947 switch (cmd) { 4948 case IPC_INFO: 4949 case MSG_INFO: 4950 /* No specific object, just general system-wide information. */ 4951 return task_has_system(current, SYSTEM__IPC_INFO); 4952 case IPC_STAT: 4953 case MSG_STAT: 4954 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 4955 break; 4956 case IPC_SET: 4957 perms = MSGQ__SETATTR; 4958 break; 4959 case IPC_RMID: 4960 perms = MSGQ__DESTROY; 4961 break; 4962 default: 4963 return 0; 4964 } 4965 4966 err = ipc_has_perm(&msq->q_perm, perms); 4967 return err; 4968 } 4969 4970 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 4971 { 4972 struct ipc_security_struct *isec; 4973 struct msg_security_struct *msec; 4974 struct common_audit_data ad; 4975 u32 sid = current_sid(); 4976 int rc; 4977 4978 isec = msq->q_perm.security; 4979 msec = msg->security; 4980 4981 /* 4982 * First time through, need to assign label to the message 4983 */ 4984 if (msec->sid == SECINITSID_UNLABELED) { 4985 /* 4986 * Compute new sid based on current process and 4987 * message queue this message will be stored in 4988 */ 4989 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG, 4990 NULL, &msec->sid); 4991 if (rc) 4992 return rc; 4993 } 4994 4995 ad.type = LSM_AUDIT_DATA_IPC; 4996 ad.u.ipc_id = msq->q_perm.key; 4997 4998 /* Can this process write to the queue? */ 4999 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5000 MSGQ__WRITE, &ad); 5001 if (!rc) 5002 /* Can this process send the message */ 5003 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 5004 MSG__SEND, &ad); 5005 if (!rc) 5006 /* Can the message be put in the queue? */ 5007 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 5008 MSGQ__ENQUEUE, &ad); 5009 5010 return rc; 5011 } 5012 5013 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 5014 struct task_struct *target, 5015 long type, int mode) 5016 { 5017 struct ipc_security_struct *isec; 5018 struct msg_security_struct *msec; 5019 struct common_audit_data ad; 5020 u32 sid = task_sid(target); 5021 int rc; 5022 5023 isec = msq->q_perm.security; 5024 msec = msg->security; 5025 5026 ad.type = LSM_AUDIT_DATA_IPC; 5027 ad.u.ipc_id = msq->q_perm.key; 5028 5029 rc = avc_has_perm(sid, isec->sid, 5030 SECCLASS_MSGQ, MSGQ__READ, &ad); 5031 if (!rc) 5032 rc = avc_has_perm(sid, msec->sid, 5033 SECCLASS_MSG, MSG__RECEIVE, &ad); 5034 return rc; 5035 } 5036 5037 /* Shared Memory security operations */ 5038 static int selinux_shm_alloc_security(struct shmid_kernel *shp) 5039 { 5040 struct ipc_security_struct *isec; 5041 struct common_audit_data ad; 5042 u32 sid = current_sid(); 5043 int rc; 5044 5045 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM); 5046 if (rc) 5047 return rc; 5048 5049 isec = shp->shm_perm.security; 5050 5051 ad.type = LSM_AUDIT_DATA_IPC; 5052 ad.u.ipc_id = shp->shm_perm.key; 5053 5054 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5055 SHM__CREATE, &ad); 5056 if (rc) { 5057 ipc_free_security(&shp->shm_perm); 5058 return rc; 5059 } 5060 return 0; 5061 } 5062 5063 static void selinux_shm_free_security(struct shmid_kernel *shp) 5064 { 5065 ipc_free_security(&shp->shm_perm); 5066 } 5067 5068 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 5069 { 5070 struct ipc_security_struct *isec; 5071 struct common_audit_data ad; 5072 u32 sid = current_sid(); 5073 5074 isec = shp->shm_perm.security; 5075 5076 ad.type = LSM_AUDIT_DATA_IPC; 5077 ad.u.ipc_id = shp->shm_perm.key; 5078 5079 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5080 SHM__ASSOCIATE, &ad); 5081 } 5082 5083 /* Note, at this point, shp is locked down */ 5084 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 5085 { 5086 int perms; 5087 int err; 5088 5089 switch (cmd) { 5090 case IPC_INFO: 5091 case SHM_INFO: 5092 /* No specific object, just general system-wide information. */ 5093 return task_has_system(current, SYSTEM__IPC_INFO); 5094 case IPC_STAT: 5095 case SHM_STAT: 5096 perms = SHM__GETATTR | SHM__ASSOCIATE; 5097 break; 5098 case IPC_SET: 5099 perms = SHM__SETATTR; 5100 break; 5101 case SHM_LOCK: 5102 case SHM_UNLOCK: 5103 perms = SHM__LOCK; 5104 break; 5105 case IPC_RMID: 5106 perms = SHM__DESTROY; 5107 break; 5108 default: 5109 return 0; 5110 } 5111 5112 err = ipc_has_perm(&shp->shm_perm, perms); 5113 return err; 5114 } 5115 5116 static int selinux_shm_shmat(struct shmid_kernel *shp, 5117 char __user *shmaddr, int shmflg) 5118 { 5119 u32 perms; 5120 5121 if (shmflg & SHM_RDONLY) 5122 perms = SHM__READ; 5123 else 5124 perms = SHM__READ | SHM__WRITE; 5125 5126 return ipc_has_perm(&shp->shm_perm, perms); 5127 } 5128 5129 /* Semaphore security operations */ 5130 static int selinux_sem_alloc_security(struct sem_array *sma) 5131 { 5132 struct ipc_security_struct *isec; 5133 struct common_audit_data ad; 5134 u32 sid = current_sid(); 5135 int rc; 5136 5137 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM); 5138 if (rc) 5139 return rc; 5140 5141 isec = sma->sem_perm.security; 5142 5143 ad.type = LSM_AUDIT_DATA_IPC; 5144 ad.u.ipc_id = sma->sem_perm.key; 5145 5146 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5147 SEM__CREATE, &ad); 5148 if (rc) { 5149 ipc_free_security(&sma->sem_perm); 5150 return rc; 5151 } 5152 return 0; 5153 } 5154 5155 static void selinux_sem_free_security(struct sem_array *sma) 5156 { 5157 ipc_free_security(&sma->sem_perm); 5158 } 5159 5160 static int selinux_sem_associate(struct sem_array *sma, int semflg) 5161 { 5162 struct ipc_security_struct *isec; 5163 struct common_audit_data ad; 5164 u32 sid = current_sid(); 5165 5166 isec = sma->sem_perm.security; 5167 5168 ad.type = LSM_AUDIT_DATA_IPC; 5169 ad.u.ipc_id = sma->sem_perm.key; 5170 5171 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5172 SEM__ASSOCIATE, &ad); 5173 } 5174 5175 /* Note, at this point, sma is locked down */ 5176 static int selinux_sem_semctl(struct sem_array *sma, int cmd) 5177 { 5178 int err; 5179 u32 perms; 5180 5181 switch (cmd) { 5182 case IPC_INFO: 5183 case SEM_INFO: 5184 /* No specific object, just general system-wide information. */ 5185 return task_has_system(current, SYSTEM__IPC_INFO); 5186 case GETPID: 5187 case GETNCNT: 5188 case GETZCNT: 5189 perms = SEM__GETATTR; 5190 break; 5191 case GETVAL: 5192 case GETALL: 5193 perms = SEM__READ; 5194 break; 5195 case SETVAL: 5196 case SETALL: 5197 perms = SEM__WRITE; 5198 break; 5199 case IPC_RMID: 5200 perms = SEM__DESTROY; 5201 break; 5202 case IPC_SET: 5203 perms = SEM__SETATTR; 5204 break; 5205 case IPC_STAT: 5206 case SEM_STAT: 5207 perms = SEM__GETATTR | SEM__ASSOCIATE; 5208 break; 5209 default: 5210 return 0; 5211 } 5212 5213 err = ipc_has_perm(&sma->sem_perm, perms); 5214 return err; 5215 } 5216 5217 static int selinux_sem_semop(struct sem_array *sma, 5218 struct sembuf *sops, unsigned nsops, int alter) 5219 { 5220 u32 perms; 5221 5222 if (alter) 5223 perms = SEM__READ | SEM__WRITE; 5224 else 5225 perms = SEM__READ; 5226 5227 return ipc_has_perm(&sma->sem_perm, perms); 5228 } 5229 5230 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 5231 { 5232 u32 av = 0; 5233 5234 av = 0; 5235 if (flag & S_IRUGO) 5236 av |= IPC__UNIX_READ; 5237 if (flag & S_IWUGO) 5238 av |= IPC__UNIX_WRITE; 5239 5240 if (av == 0) 5241 return 0; 5242 5243 return ipc_has_perm(ipcp, av); 5244 } 5245 5246 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 5247 { 5248 struct ipc_security_struct *isec = ipcp->security; 5249 *secid = isec->sid; 5250 } 5251 5252 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 5253 { 5254 if (inode) 5255 inode_doinit_with_dentry(inode, dentry); 5256 } 5257 5258 static int selinux_getprocattr(struct task_struct *p, 5259 char *name, char **value) 5260 { 5261 const struct task_security_struct *__tsec; 5262 u32 sid; 5263 int error; 5264 unsigned len; 5265 5266 if (current != p) { 5267 error = current_has_perm(p, PROCESS__GETATTR); 5268 if (error) 5269 return error; 5270 } 5271 5272 rcu_read_lock(); 5273 __tsec = __task_cred(p)->security; 5274 5275 if (!strcmp(name, "current")) 5276 sid = __tsec->sid; 5277 else if (!strcmp(name, "prev")) 5278 sid = __tsec->osid; 5279 else if (!strcmp(name, "exec")) 5280 sid = __tsec->exec_sid; 5281 else if (!strcmp(name, "fscreate")) 5282 sid = __tsec->create_sid; 5283 else if (!strcmp(name, "keycreate")) 5284 sid = __tsec->keycreate_sid; 5285 else if (!strcmp(name, "sockcreate")) 5286 sid = __tsec->sockcreate_sid; 5287 else 5288 goto invalid; 5289 rcu_read_unlock(); 5290 5291 if (!sid) 5292 return 0; 5293 5294 error = security_sid_to_context(sid, value, &len); 5295 if (error) 5296 return error; 5297 return len; 5298 5299 invalid: 5300 rcu_read_unlock(); 5301 return -EINVAL; 5302 } 5303 5304 static int selinux_setprocattr(struct task_struct *p, 5305 char *name, void *value, size_t size) 5306 { 5307 struct task_security_struct *tsec; 5308 struct task_struct *tracer; 5309 struct cred *new; 5310 u32 sid = 0, ptsid; 5311 int error; 5312 char *str = value; 5313 5314 if (current != p) { 5315 /* SELinux only allows a process to change its own 5316 security attributes. */ 5317 return -EACCES; 5318 } 5319 5320 /* 5321 * Basic control over ability to set these attributes at all. 5322 * current == p, but we'll pass them separately in case the 5323 * above restriction is ever removed. 5324 */ 5325 if (!strcmp(name, "exec")) 5326 error = current_has_perm(p, PROCESS__SETEXEC); 5327 else if (!strcmp(name, "fscreate")) 5328 error = current_has_perm(p, PROCESS__SETFSCREATE); 5329 else if (!strcmp(name, "keycreate")) 5330 error = current_has_perm(p, PROCESS__SETKEYCREATE); 5331 else if (!strcmp(name, "sockcreate")) 5332 error = current_has_perm(p, PROCESS__SETSOCKCREATE); 5333 else if (!strcmp(name, "current")) 5334 error = current_has_perm(p, PROCESS__SETCURRENT); 5335 else 5336 error = -EINVAL; 5337 if (error) 5338 return error; 5339 5340 /* Obtain a SID for the context, if one was specified. */ 5341 if (size && str[1] && str[1] != '\n') { 5342 if (str[size-1] == '\n') { 5343 str[size-1] = 0; 5344 size--; 5345 } 5346 error = security_context_to_sid(value, size, &sid); 5347 if (error == -EINVAL && !strcmp(name, "fscreate")) { 5348 if (!capable(CAP_MAC_ADMIN)) { 5349 struct audit_buffer *ab; 5350 size_t audit_size; 5351 5352 /* We strip a nul only if it is at the end, otherwise the 5353 * context contains a nul and we should audit that */ 5354 if (str[size - 1] == '\0') 5355 audit_size = size - 1; 5356 else 5357 audit_size = size; 5358 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 5359 audit_log_format(ab, "op=fscreate invalid_context="); 5360 audit_log_n_untrustedstring(ab, value, audit_size); 5361 audit_log_end(ab); 5362 5363 return error; 5364 } 5365 error = security_context_to_sid_force(value, size, 5366 &sid); 5367 } 5368 if (error) 5369 return error; 5370 } 5371 5372 new = prepare_creds(); 5373 if (!new) 5374 return -ENOMEM; 5375 5376 /* Permission checking based on the specified context is 5377 performed during the actual operation (execve, 5378 open/mkdir/...), when we know the full context of the 5379 operation. See selinux_bprm_set_creds for the execve 5380 checks and may_create for the file creation checks. The 5381 operation will then fail if the context is not permitted. */ 5382 tsec = new->security; 5383 if (!strcmp(name, "exec")) { 5384 tsec->exec_sid = sid; 5385 } else if (!strcmp(name, "fscreate")) { 5386 tsec->create_sid = sid; 5387 } else if (!strcmp(name, "keycreate")) { 5388 error = may_create_key(sid, p); 5389 if (error) 5390 goto abort_change; 5391 tsec->keycreate_sid = sid; 5392 } else if (!strcmp(name, "sockcreate")) { 5393 tsec->sockcreate_sid = sid; 5394 } else if (!strcmp(name, "current")) { 5395 error = -EINVAL; 5396 if (sid == 0) 5397 goto abort_change; 5398 5399 /* Only allow single threaded processes to change context */ 5400 error = -EPERM; 5401 if (!current_is_single_threaded()) { 5402 error = security_bounded_transition(tsec->sid, sid); 5403 if (error) 5404 goto abort_change; 5405 } 5406 5407 /* Check permissions for the transition. */ 5408 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 5409 PROCESS__DYNTRANSITION, NULL); 5410 if (error) 5411 goto abort_change; 5412 5413 /* Check for ptracing, and update the task SID if ok. 5414 Otherwise, leave SID unchanged and fail. */ 5415 ptsid = 0; 5416 task_lock(p); 5417 tracer = ptrace_parent(p); 5418 if (tracer) 5419 ptsid = task_sid(tracer); 5420 task_unlock(p); 5421 5422 if (tracer) { 5423 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 5424 PROCESS__PTRACE, NULL); 5425 if (error) 5426 goto abort_change; 5427 } 5428 5429 tsec->sid = sid; 5430 } else { 5431 error = -EINVAL; 5432 goto abort_change; 5433 } 5434 5435 commit_creds(new); 5436 return size; 5437 5438 abort_change: 5439 abort_creds(new); 5440 return error; 5441 } 5442 5443 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 5444 { 5445 return security_sid_to_context(secid, secdata, seclen); 5446 } 5447 5448 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 5449 { 5450 return security_context_to_sid(secdata, seclen, secid); 5451 } 5452 5453 static void selinux_release_secctx(char *secdata, u32 seclen) 5454 { 5455 kfree(secdata); 5456 } 5457 5458 /* 5459 * called with inode->i_mutex locked 5460 */ 5461 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 5462 { 5463 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); 5464 } 5465 5466 /* 5467 * called with inode->i_mutex locked 5468 */ 5469 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 5470 { 5471 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 5472 } 5473 5474 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 5475 { 5476 int len = 0; 5477 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 5478 ctx, true); 5479 if (len < 0) 5480 return len; 5481 *ctxlen = len; 5482 return 0; 5483 } 5484 #ifdef CONFIG_KEYS 5485 5486 static int selinux_key_alloc(struct key *k, const struct cred *cred, 5487 unsigned long flags) 5488 { 5489 const struct task_security_struct *tsec; 5490 struct key_security_struct *ksec; 5491 5492 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 5493 if (!ksec) 5494 return -ENOMEM; 5495 5496 tsec = cred->security; 5497 if (tsec->keycreate_sid) 5498 ksec->sid = tsec->keycreate_sid; 5499 else 5500 ksec->sid = tsec->sid; 5501 5502 k->security = ksec; 5503 return 0; 5504 } 5505 5506 static void selinux_key_free(struct key *k) 5507 { 5508 struct key_security_struct *ksec = k->security; 5509 5510 k->security = NULL; 5511 kfree(ksec); 5512 } 5513 5514 static int selinux_key_permission(key_ref_t key_ref, 5515 const struct cred *cred, 5516 key_perm_t perm) 5517 { 5518 struct key *key; 5519 struct key_security_struct *ksec; 5520 u32 sid; 5521 5522 /* if no specific permissions are requested, we skip the 5523 permission check. No serious, additional covert channels 5524 appear to be created. */ 5525 if (perm == 0) 5526 return 0; 5527 5528 sid = cred_sid(cred); 5529 5530 key = key_ref_to_ptr(key_ref); 5531 ksec = key->security; 5532 5533 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 5534 } 5535 5536 static int selinux_key_getsecurity(struct key *key, char **_buffer) 5537 { 5538 struct key_security_struct *ksec = key->security; 5539 char *context = NULL; 5540 unsigned len; 5541 int rc; 5542 5543 rc = security_sid_to_context(ksec->sid, &context, &len); 5544 if (!rc) 5545 rc = len; 5546 *_buffer = context; 5547 return rc; 5548 } 5549 5550 #endif 5551 5552 static struct security_operations selinux_ops = { 5553 .name = "selinux", 5554 5555 .ptrace_access_check = selinux_ptrace_access_check, 5556 .ptrace_traceme = selinux_ptrace_traceme, 5557 .capget = selinux_capget, 5558 .capset = selinux_capset, 5559 .capable = selinux_capable, 5560 .quotactl = selinux_quotactl, 5561 .quota_on = selinux_quota_on, 5562 .syslog = selinux_syslog, 5563 .vm_enough_memory = selinux_vm_enough_memory, 5564 5565 .netlink_send = selinux_netlink_send, 5566 5567 .bprm_set_creds = selinux_bprm_set_creds, 5568 .bprm_committing_creds = selinux_bprm_committing_creds, 5569 .bprm_committed_creds = selinux_bprm_committed_creds, 5570 .bprm_secureexec = selinux_bprm_secureexec, 5571 5572 .sb_alloc_security = selinux_sb_alloc_security, 5573 .sb_free_security = selinux_sb_free_security, 5574 .sb_copy_data = selinux_sb_copy_data, 5575 .sb_remount = selinux_sb_remount, 5576 .sb_kern_mount = selinux_sb_kern_mount, 5577 .sb_show_options = selinux_sb_show_options, 5578 .sb_statfs = selinux_sb_statfs, 5579 .sb_mount = selinux_mount, 5580 .sb_umount = selinux_umount, 5581 .sb_set_mnt_opts = selinux_set_mnt_opts, 5582 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts, 5583 .sb_parse_opts_str = selinux_parse_opts_str, 5584 5585 5586 .inode_alloc_security = selinux_inode_alloc_security, 5587 .inode_free_security = selinux_inode_free_security, 5588 .inode_init_security = selinux_inode_init_security, 5589 .inode_create = selinux_inode_create, 5590 .inode_link = selinux_inode_link, 5591 .inode_unlink = selinux_inode_unlink, 5592 .inode_symlink = selinux_inode_symlink, 5593 .inode_mkdir = selinux_inode_mkdir, 5594 .inode_rmdir = selinux_inode_rmdir, 5595 .inode_mknod = selinux_inode_mknod, 5596 .inode_rename = selinux_inode_rename, 5597 .inode_readlink = selinux_inode_readlink, 5598 .inode_follow_link = selinux_inode_follow_link, 5599 .inode_permission = selinux_inode_permission, 5600 .inode_setattr = selinux_inode_setattr, 5601 .inode_getattr = selinux_inode_getattr, 5602 .inode_setxattr = selinux_inode_setxattr, 5603 .inode_post_setxattr = selinux_inode_post_setxattr, 5604 .inode_getxattr = selinux_inode_getxattr, 5605 .inode_listxattr = selinux_inode_listxattr, 5606 .inode_removexattr = selinux_inode_removexattr, 5607 .inode_getsecurity = selinux_inode_getsecurity, 5608 .inode_setsecurity = selinux_inode_setsecurity, 5609 .inode_listsecurity = selinux_inode_listsecurity, 5610 .inode_getsecid = selinux_inode_getsecid, 5611 5612 .file_permission = selinux_file_permission, 5613 .file_alloc_security = selinux_file_alloc_security, 5614 .file_free_security = selinux_file_free_security, 5615 .file_ioctl = selinux_file_ioctl, 5616 .mmap_file = selinux_mmap_file, 5617 .mmap_addr = selinux_mmap_addr, 5618 .file_mprotect = selinux_file_mprotect, 5619 .file_lock = selinux_file_lock, 5620 .file_fcntl = selinux_file_fcntl, 5621 .file_set_fowner = selinux_file_set_fowner, 5622 .file_send_sigiotask = selinux_file_send_sigiotask, 5623 .file_receive = selinux_file_receive, 5624 5625 .file_open = selinux_file_open, 5626 5627 .task_create = selinux_task_create, 5628 .cred_alloc_blank = selinux_cred_alloc_blank, 5629 .cred_free = selinux_cred_free, 5630 .cred_prepare = selinux_cred_prepare, 5631 .cred_transfer = selinux_cred_transfer, 5632 .kernel_act_as = selinux_kernel_act_as, 5633 .kernel_create_files_as = selinux_kernel_create_files_as, 5634 .kernel_module_request = selinux_kernel_module_request, 5635 .task_setpgid = selinux_task_setpgid, 5636 .task_getpgid = selinux_task_getpgid, 5637 .task_getsid = selinux_task_getsid, 5638 .task_getsecid = selinux_task_getsecid, 5639 .task_setnice = selinux_task_setnice, 5640 .task_setioprio = selinux_task_setioprio, 5641 .task_getioprio = selinux_task_getioprio, 5642 .task_setrlimit = selinux_task_setrlimit, 5643 .task_setscheduler = selinux_task_setscheduler, 5644 .task_getscheduler = selinux_task_getscheduler, 5645 .task_movememory = selinux_task_movememory, 5646 .task_kill = selinux_task_kill, 5647 .task_wait = selinux_task_wait, 5648 .task_to_inode = selinux_task_to_inode, 5649 5650 .ipc_permission = selinux_ipc_permission, 5651 .ipc_getsecid = selinux_ipc_getsecid, 5652 5653 .msg_msg_alloc_security = selinux_msg_msg_alloc_security, 5654 .msg_msg_free_security = selinux_msg_msg_free_security, 5655 5656 .msg_queue_alloc_security = selinux_msg_queue_alloc_security, 5657 .msg_queue_free_security = selinux_msg_queue_free_security, 5658 .msg_queue_associate = selinux_msg_queue_associate, 5659 .msg_queue_msgctl = selinux_msg_queue_msgctl, 5660 .msg_queue_msgsnd = selinux_msg_queue_msgsnd, 5661 .msg_queue_msgrcv = selinux_msg_queue_msgrcv, 5662 5663 .shm_alloc_security = selinux_shm_alloc_security, 5664 .shm_free_security = selinux_shm_free_security, 5665 .shm_associate = selinux_shm_associate, 5666 .shm_shmctl = selinux_shm_shmctl, 5667 .shm_shmat = selinux_shm_shmat, 5668 5669 .sem_alloc_security = selinux_sem_alloc_security, 5670 .sem_free_security = selinux_sem_free_security, 5671 .sem_associate = selinux_sem_associate, 5672 .sem_semctl = selinux_sem_semctl, 5673 .sem_semop = selinux_sem_semop, 5674 5675 .d_instantiate = selinux_d_instantiate, 5676 5677 .getprocattr = selinux_getprocattr, 5678 .setprocattr = selinux_setprocattr, 5679 5680 .secid_to_secctx = selinux_secid_to_secctx, 5681 .secctx_to_secid = selinux_secctx_to_secid, 5682 .release_secctx = selinux_release_secctx, 5683 .inode_notifysecctx = selinux_inode_notifysecctx, 5684 .inode_setsecctx = selinux_inode_setsecctx, 5685 .inode_getsecctx = selinux_inode_getsecctx, 5686 5687 .unix_stream_connect = selinux_socket_unix_stream_connect, 5688 .unix_may_send = selinux_socket_unix_may_send, 5689 5690 .socket_create = selinux_socket_create, 5691 .socket_post_create = selinux_socket_post_create, 5692 .socket_bind = selinux_socket_bind, 5693 .socket_connect = selinux_socket_connect, 5694 .socket_listen = selinux_socket_listen, 5695 .socket_accept = selinux_socket_accept, 5696 .socket_sendmsg = selinux_socket_sendmsg, 5697 .socket_recvmsg = selinux_socket_recvmsg, 5698 .socket_getsockname = selinux_socket_getsockname, 5699 .socket_getpeername = selinux_socket_getpeername, 5700 .socket_getsockopt = selinux_socket_getsockopt, 5701 .socket_setsockopt = selinux_socket_setsockopt, 5702 .socket_shutdown = selinux_socket_shutdown, 5703 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb, 5704 .socket_getpeersec_stream = selinux_socket_getpeersec_stream, 5705 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram, 5706 .sk_alloc_security = selinux_sk_alloc_security, 5707 .sk_free_security = selinux_sk_free_security, 5708 .sk_clone_security = selinux_sk_clone_security, 5709 .sk_getsecid = selinux_sk_getsecid, 5710 .sock_graft = selinux_sock_graft, 5711 .inet_conn_request = selinux_inet_conn_request, 5712 .inet_csk_clone = selinux_inet_csk_clone, 5713 .inet_conn_established = selinux_inet_conn_established, 5714 .secmark_relabel_packet = selinux_secmark_relabel_packet, 5715 .secmark_refcount_inc = selinux_secmark_refcount_inc, 5716 .secmark_refcount_dec = selinux_secmark_refcount_dec, 5717 .req_classify_flow = selinux_req_classify_flow, 5718 .tun_dev_alloc_security = selinux_tun_dev_alloc_security, 5719 .tun_dev_free_security = selinux_tun_dev_free_security, 5720 .tun_dev_create = selinux_tun_dev_create, 5721 .tun_dev_attach_queue = selinux_tun_dev_attach_queue, 5722 .tun_dev_attach = selinux_tun_dev_attach, 5723 .tun_dev_open = selinux_tun_dev_open, 5724 .skb_owned_by = selinux_skb_owned_by, 5725 5726 #ifdef CONFIG_SECURITY_NETWORK_XFRM 5727 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, 5728 .xfrm_policy_clone_security = selinux_xfrm_policy_clone, 5729 .xfrm_policy_free_security = selinux_xfrm_policy_free, 5730 .xfrm_policy_delete_security = selinux_xfrm_policy_delete, 5731 .xfrm_state_alloc = selinux_xfrm_state_alloc, 5732 .xfrm_state_alloc_acquire = selinux_xfrm_state_alloc_acquire, 5733 .xfrm_state_free_security = selinux_xfrm_state_free, 5734 .xfrm_state_delete_security = selinux_xfrm_state_delete, 5735 .xfrm_policy_lookup = selinux_xfrm_policy_lookup, 5736 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match, 5737 .xfrm_decode_session = selinux_xfrm_decode_session, 5738 #endif 5739 5740 #ifdef CONFIG_KEYS 5741 .key_alloc = selinux_key_alloc, 5742 .key_free = selinux_key_free, 5743 .key_permission = selinux_key_permission, 5744 .key_getsecurity = selinux_key_getsecurity, 5745 #endif 5746 5747 #ifdef CONFIG_AUDIT 5748 .audit_rule_init = selinux_audit_rule_init, 5749 .audit_rule_known = selinux_audit_rule_known, 5750 .audit_rule_match = selinux_audit_rule_match, 5751 .audit_rule_free = selinux_audit_rule_free, 5752 #endif 5753 }; 5754 5755 static __init int selinux_init(void) 5756 { 5757 if (!security_module_enable(&selinux_ops)) { 5758 selinux_enabled = 0; 5759 return 0; 5760 } 5761 5762 if (!selinux_enabled) { 5763 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 5764 return 0; 5765 } 5766 5767 printk(KERN_INFO "SELinux: Initializing.\n"); 5768 5769 /* Set the security state for the initial task. */ 5770 cred_init_security(); 5771 5772 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 5773 5774 sel_inode_cache = kmem_cache_create("selinux_inode_security", 5775 sizeof(struct inode_security_struct), 5776 0, SLAB_PANIC, NULL); 5777 avc_init(); 5778 5779 if (register_security(&selinux_ops)) 5780 panic("SELinux: Unable to register with kernel.\n"); 5781 5782 if (selinux_enforcing) 5783 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 5784 else 5785 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 5786 5787 return 0; 5788 } 5789 5790 static void delayed_superblock_init(struct super_block *sb, void *unused) 5791 { 5792 superblock_doinit(sb, NULL); 5793 } 5794 5795 void selinux_complete_init(void) 5796 { 5797 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 5798 5799 /* Set up any superblocks initialized prior to the policy load. */ 5800 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 5801 iterate_supers(delayed_superblock_init, NULL); 5802 } 5803 5804 /* SELinux requires early initialization in order to label 5805 all processes and objects when they are created. */ 5806 security_initcall(selinux_init); 5807 5808 #if defined(CONFIG_NETFILTER) 5809 5810 static struct nf_hook_ops selinux_ipv4_ops[] = { 5811 { 5812 .hook = selinux_ipv4_postroute, 5813 .owner = THIS_MODULE, 5814 .pf = NFPROTO_IPV4, 5815 .hooknum = NF_INET_POST_ROUTING, 5816 .priority = NF_IP_PRI_SELINUX_LAST, 5817 }, 5818 { 5819 .hook = selinux_ipv4_forward, 5820 .owner = THIS_MODULE, 5821 .pf = NFPROTO_IPV4, 5822 .hooknum = NF_INET_FORWARD, 5823 .priority = NF_IP_PRI_SELINUX_FIRST, 5824 }, 5825 { 5826 .hook = selinux_ipv4_output, 5827 .owner = THIS_MODULE, 5828 .pf = NFPROTO_IPV4, 5829 .hooknum = NF_INET_LOCAL_OUT, 5830 .priority = NF_IP_PRI_SELINUX_FIRST, 5831 } 5832 }; 5833 5834 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5835 5836 static struct nf_hook_ops selinux_ipv6_ops[] = { 5837 { 5838 .hook = selinux_ipv6_postroute, 5839 .owner = THIS_MODULE, 5840 .pf = NFPROTO_IPV6, 5841 .hooknum = NF_INET_POST_ROUTING, 5842 .priority = NF_IP6_PRI_SELINUX_LAST, 5843 }, 5844 { 5845 .hook = selinux_ipv6_forward, 5846 .owner = THIS_MODULE, 5847 .pf = NFPROTO_IPV6, 5848 .hooknum = NF_INET_FORWARD, 5849 .priority = NF_IP6_PRI_SELINUX_FIRST, 5850 } 5851 }; 5852 5853 #endif /* IPV6 */ 5854 5855 static int __init selinux_nf_ip_init(void) 5856 { 5857 int err = 0; 5858 5859 if (!selinux_enabled) 5860 goto out; 5861 5862 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 5863 5864 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops)); 5865 if (err) 5866 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err); 5867 5868 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5869 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops)); 5870 if (err) 5871 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err); 5872 #endif /* IPV6 */ 5873 5874 out: 5875 return err; 5876 } 5877 5878 __initcall(selinux_nf_ip_init); 5879 5880 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 5881 static void selinux_nf_ip_exit(void) 5882 { 5883 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 5884 5885 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops)); 5886 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5887 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops)); 5888 #endif /* IPV6 */ 5889 } 5890 #endif 5891 5892 #else /* CONFIG_NETFILTER */ 5893 5894 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 5895 #define selinux_nf_ip_exit() 5896 #endif 5897 5898 #endif /* CONFIG_NETFILTER */ 5899 5900 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 5901 static int selinux_disabled; 5902 5903 int selinux_disable(void) 5904 { 5905 if (ss_initialized) { 5906 /* Not permitted after initial policy load. */ 5907 return -EINVAL; 5908 } 5909 5910 if (selinux_disabled) { 5911 /* Only do this once. */ 5912 return -EINVAL; 5913 } 5914 5915 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 5916 5917 selinux_disabled = 1; 5918 selinux_enabled = 0; 5919 5920 reset_security_ops(); 5921 5922 /* Try to destroy the avc node cache */ 5923 avc_disable(); 5924 5925 /* Unregister netfilter hooks. */ 5926 selinux_nf_ip_exit(); 5927 5928 /* Unregister selinuxfs. */ 5929 exit_sel_fs(); 5930 5931 return 0; 5932 } 5933 #endif 5934