1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 14 * <dgoeddel@trustedcs.com> 15 * 16 * This program is free software; you can redistribute it and/or modify 17 * it under the terms of the GNU General Public License version 2, 18 * as published by the Free Software Foundation. 19 */ 20 21 #include <linux/module.h> 22 #include <linux/init.h> 23 #include <linux/kernel.h> 24 #include <linux/ptrace.h> 25 #include <linux/errno.h> 26 #include <linux/sched.h> 27 #include <linux/security.h> 28 #include <linux/xattr.h> 29 #include <linux/capability.h> 30 #include <linux/unistd.h> 31 #include <linux/mm.h> 32 #include <linux/mman.h> 33 #include <linux/slab.h> 34 #include <linux/pagemap.h> 35 #include <linux/swap.h> 36 #include <linux/smp_lock.h> 37 #include <linux/spinlock.h> 38 #include <linux/syscalls.h> 39 #include <linux/file.h> 40 #include <linux/namei.h> 41 #include <linux/mount.h> 42 #include <linux/ext2_fs.h> 43 #include <linux/proc_fs.h> 44 #include <linux/kd.h> 45 #include <linux/netfilter_ipv4.h> 46 #include <linux/netfilter_ipv6.h> 47 #include <linux/tty.h> 48 #include <net/icmp.h> 49 #include <net/ip.h> /* for sysctl_local_port_range[] */ 50 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 51 #include <asm/uaccess.h> 52 #include <asm/semaphore.h> 53 #include <asm/ioctls.h> 54 #include <linux/bitops.h> 55 #include <linux/interrupt.h> 56 #include <linux/netdevice.h> /* for network interface checks */ 57 #include <linux/netlink.h> 58 #include <linux/tcp.h> 59 #include <linux/udp.h> 60 #include <linux/quota.h> 61 #include <linux/un.h> /* for Unix socket types */ 62 #include <net/af_unix.h> /* for Unix socket types */ 63 #include <linux/parser.h> 64 #include <linux/nfs_mount.h> 65 #include <net/ipv6.h> 66 #include <linux/hugetlb.h> 67 #include <linux/personality.h> 68 #include <linux/sysctl.h> 69 #include <linux/audit.h> 70 #include <linux/string.h> 71 #include <linux/selinux.h> 72 73 #include "avc.h" 74 #include "objsec.h" 75 #include "netif.h" 76 #include "xfrm.h" 77 78 #define XATTR_SELINUX_SUFFIX "selinux" 79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX 80 81 extern unsigned int policydb_loaded_version; 82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); 83 extern int selinux_compat_net; 84 85 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 86 int selinux_enforcing = 0; 87 88 static int __init enforcing_setup(char *str) 89 { 90 selinux_enforcing = simple_strtol(str,NULL,0); 91 return 1; 92 } 93 __setup("enforcing=", enforcing_setup); 94 #endif 95 96 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 97 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 98 99 static int __init selinux_enabled_setup(char *str) 100 { 101 selinux_enabled = simple_strtol(str, NULL, 0); 102 return 1; 103 } 104 __setup("selinux=", selinux_enabled_setup); 105 #else 106 int selinux_enabled = 1; 107 #endif 108 109 /* Original (dummy) security module. */ 110 static struct security_operations *original_ops = NULL; 111 112 /* Minimal support for a secondary security module, 113 just to allow the use of the dummy or capability modules. 114 The owlsm module can alternatively be used as a secondary 115 module as long as CONFIG_OWLSM_FD is not enabled. */ 116 static struct security_operations *secondary_ops = NULL; 117 118 /* Lists of inode and superblock security structures initialized 119 before the policy was loaded. */ 120 static LIST_HEAD(superblock_security_head); 121 static DEFINE_SPINLOCK(sb_security_lock); 122 123 static kmem_cache_t *sel_inode_cache; 124 125 /* Return security context for a given sid or just the context 126 length if the buffer is null or length is 0 */ 127 static int selinux_getsecurity(u32 sid, void *buffer, size_t size) 128 { 129 char *context; 130 unsigned len; 131 int rc; 132 133 rc = security_sid_to_context(sid, &context, &len); 134 if (rc) 135 return rc; 136 137 if (!buffer || !size) 138 goto getsecurity_exit; 139 140 if (size < len) { 141 len = -ERANGE; 142 goto getsecurity_exit; 143 } 144 memcpy(buffer, context, len); 145 146 getsecurity_exit: 147 kfree(context); 148 return len; 149 } 150 151 /* Allocate and free functions for each kind of security blob. */ 152 153 static int task_alloc_security(struct task_struct *task) 154 { 155 struct task_security_struct *tsec; 156 157 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 158 if (!tsec) 159 return -ENOMEM; 160 161 tsec->task = task; 162 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED; 163 task->security = tsec; 164 165 return 0; 166 } 167 168 static void task_free_security(struct task_struct *task) 169 { 170 struct task_security_struct *tsec = task->security; 171 task->security = NULL; 172 kfree(tsec); 173 } 174 175 static int inode_alloc_security(struct inode *inode) 176 { 177 struct task_security_struct *tsec = current->security; 178 struct inode_security_struct *isec; 179 180 isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL); 181 if (!isec) 182 return -ENOMEM; 183 184 memset(isec, 0, sizeof(*isec)); 185 init_MUTEX(&isec->sem); 186 INIT_LIST_HEAD(&isec->list); 187 isec->inode = inode; 188 isec->sid = SECINITSID_UNLABELED; 189 isec->sclass = SECCLASS_FILE; 190 isec->task_sid = tsec->sid; 191 inode->i_security = isec; 192 193 return 0; 194 } 195 196 static void inode_free_security(struct inode *inode) 197 { 198 struct inode_security_struct *isec = inode->i_security; 199 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 200 201 spin_lock(&sbsec->isec_lock); 202 if (!list_empty(&isec->list)) 203 list_del_init(&isec->list); 204 spin_unlock(&sbsec->isec_lock); 205 206 inode->i_security = NULL; 207 kmem_cache_free(sel_inode_cache, isec); 208 } 209 210 static int file_alloc_security(struct file *file) 211 { 212 struct task_security_struct *tsec = current->security; 213 struct file_security_struct *fsec; 214 215 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); 216 if (!fsec) 217 return -ENOMEM; 218 219 fsec->file = file; 220 fsec->sid = tsec->sid; 221 fsec->fown_sid = tsec->sid; 222 file->f_security = fsec; 223 224 return 0; 225 } 226 227 static void file_free_security(struct file *file) 228 { 229 struct file_security_struct *fsec = file->f_security; 230 file->f_security = NULL; 231 kfree(fsec); 232 } 233 234 static int superblock_alloc_security(struct super_block *sb) 235 { 236 struct superblock_security_struct *sbsec; 237 238 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 239 if (!sbsec) 240 return -ENOMEM; 241 242 init_MUTEX(&sbsec->sem); 243 INIT_LIST_HEAD(&sbsec->list); 244 INIT_LIST_HEAD(&sbsec->isec_head); 245 spin_lock_init(&sbsec->isec_lock); 246 sbsec->sb = sb; 247 sbsec->sid = SECINITSID_UNLABELED; 248 sbsec->def_sid = SECINITSID_FILE; 249 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 250 sb->s_security = sbsec; 251 252 return 0; 253 } 254 255 static void superblock_free_security(struct super_block *sb) 256 { 257 struct superblock_security_struct *sbsec = sb->s_security; 258 259 spin_lock(&sb_security_lock); 260 if (!list_empty(&sbsec->list)) 261 list_del_init(&sbsec->list); 262 spin_unlock(&sb_security_lock); 263 264 sb->s_security = NULL; 265 kfree(sbsec); 266 } 267 268 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority) 269 { 270 struct sk_security_struct *ssec; 271 272 if (family != PF_UNIX) 273 return 0; 274 275 ssec = kzalloc(sizeof(*ssec), priority); 276 if (!ssec) 277 return -ENOMEM; 278 279 ssec->sk = sk; 280 ssec->peer_sid = SECINITSID_UNLABELED; 281 sk->sk_security = ssec; 282 283 return 0; 284 } 285 286 static void sk_free_security(struct sock *sk) 287 { 288 struct sk_security_struct *ssec = sk->sk_security; 289 290 if (sk->sk_family != PF_UNIX) 291 return; 292 293 sk->sk_security = NULL; 294 kfree(ssec); 295 } 296 297 /* The security server must be initialized before 298 any labeling or access decisions can be provided. */ 299 extern int ss_initialized; 300 301 /* The file system's label must be initialized prior to use. */ 302 303 static char *labeling_behaviors[6] = { 304 "uses xattr", 305 "uses transition SIDs", 306 "uses task SIDs", 307 "uses genfs_contexts", 308 "not configured for labeling", 309 "uses mountpoint labeling", 310 }; 311 312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 313 314 static inline int inode_doinit(struct inode *inode) 315 { 316 return inode_doinit_with_dentry(inode, NULL); 317 } 318 319 enum { 320 Opt_context = 1, 321 Opt_fscontext = 2, 322 Opt_defcontext = 4, 323 }; 324 325 static match_table_t tokens = { 326 {Opt_context, "context=%s"}, 327 {Opt_fscontext, "fscontext=%s"}, 328 {Opt_defcontext, "defcontext=%s"}, 329 }; 330 331 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 332 333 static int may_context_mount_sb_relabel(u32 sid, 334 struct superblock_security_struct *sbsec, 335 struct task_security_struct *tsec) 336 { 337 int rc; 338 339 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 340 FILESYSTEM__RELABELFROM, NULL); 341 if (rc) 342 return rc; 343 344 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 345 FILESYSTEM__RELABELTO, NULL); 346 return rc; 347 } 348 349 static int try_context_mount(struct super_block *sb, void *data) 350 { 351 char *context = NULL, *defcontext = NULL; 352 char *fscontext = NULL; 353 const char *name; 354 u32 sid; 355 int alloc = 0, rc = 0, seen = 0; 356 struct task_security_struct *tsec = current->security; 357 struct superblock_security_struct *sbsec = sb->s_security; 358 359 if (!data) 360 goto out; 361 362 name = sb->s_type->name; 363 364 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) { 365 366 /* NFS we understand. */ 367 if (!strcmp(name, "nfs")) { 368 struct nfs_mount_data *d = data; 369 370 if (d->version < NFS_MOUNT_VERSION) 371 goto out; 372 373 if (d->context[0]) { 374 context = d->context; 375 seen |= Opt_context; 376 } 377 } else 378 goto out; 379 380 } else { 381 /* Standard string-based options. */ 382 char *p, *options = data; 383 384 while ((p = strsep(&options, ",")) != NULL) { 385 int token; 386 substring_t args[MAX_OPT_ARGS]; 387 388 if (!*p) 389 continue; 390 391 token = match_token(p, tokens, args); 392 393 switch (token) { 394 case Opt_context: 395 if (seen & (Opt_context|Opt_defcontext)) { 396 rc = -EINVAL; 397 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 398 goto out_free; 399 } 400 context = match_strdup(&args[0]); 401 if (!context) { 402 rc = -ENOMEM; 403 goto out_free; 404 } 405 if (!alloc) 406 alloc = 1; 407 seen |= Opt_context; 408 break; 409 410 case Opt_fscontext: 411 if (seen & Opt_fscontext) { 412 rc = -EINVAL; 413 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 414 goto out_free; 415 } 416 fscontext = match_strdup(&args[0]); 417 if (!fscontext) { 418 rc = -ENOMEM; 419 goto out_free; 420 } 421 if (!alloc) 422 alloc = 1; 423 seen |= Opt_fscontext; 424 break; 425 426 case Opt_defcontext: 427 if (sbsec->behavior != SECURITY_FS_USE_XATTR) { 428 rc = -EINVAL; 429 printk(KERN_WARNING "SELinux: " 430 "defcontext option is invalid " 431 "for this filesystem type\n"); 432 goto out_free; 433 } 434 if (seen & (Opt_context|Opt_defcontext)) { 435 rc = -EINVAL; 436 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 437 goto out_free; 438 } 439 defcontext = match_strdup(&args[0]); 440 if (!defcontext) { 441 rc = -ENOMEM; 442 goto out_free; 443 } 444 if (!alloc) 445 alloc = 1; 446 seen |= Opt_defcontext; 447 break; 448 449 default: 450 rc = -EINVAL; 451 printk(KERN_WARNING "SELinux: unknown mount " 452 "option\n"); 453 goto out_free; 454 455 } 456 } 457 } 458 459 if (!seen) 460 goto out; 461 462 /* sets the context of the superblock for the fs being mounted. */ 463 if (fscontext) { 464 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid); 465 if (rc) { 466 printk(KERN_WARNING "SELinux: security_context_to_sid" 467 "(%s) failed for (dev %s, type %s) errno=%d\n", 468 fscontext, sb->s_id, name, rc); 469 goto out_free; 470 } 471 472 rc = may_context_mount_sb_relabel(sid, sbsec, tsec); 473 if (rc) 474 goto out_free; 475 476 sbsec->sid = sid; 477 } 478 479 /* 480 * Switch to using mount point labeling behavior. 481 * sets the label used on all file below the mountpoint, and will set 482 * the superblock context if not already set. 483 */ 484 if (context) { 485 rc = security_context_to_sid(context, strlen(context), &sid); 486 if (rc) { 487 printk(KERN_WARNING "SELinux: security_context_to_sid" 488 "(%s) failed for (dev %s, type %s) errno=%d\n", 489 context, sb->s_id, name, rc); 490 goto out_free; 491 } 492 493 rc = may_context_mount_sb_relabel(sid, sbsec, tsec); 494 if (rc) 495 goto out_free; 496 497 if (!fscontext) 498 sbsec->sid = sid; 499 sbsec->mntpoint_sid = sid; 500 501 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 502 } 503 504 if (defcontext) { 505 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid); 506 if (rc) { 507 printk(KERN_WARNING "SELinux: security_context_to_sid" 508 "(%s) failed for (dev %s, type %s) errno=%d\n", 509 defcontext, sb->s_id, name, rc); 510 goto out_free; 511 } 512 513 if (sid == sbsec->def_sid) 514 goto out_free; 515 516 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 517 FILESYSTEM__RELABELFROM, NULL); 518 if (rc) 519 goto out_free; 520 521 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 522 FILESYSTEM__ASSOCIATE, NULL); 523 if (rc) 524 goto out_free; 525 526 sbsec->def_sid = sid; 527 } 528 529 out_free: 530 if (alloc) { 531 kfree(context); 532 kfree(defcontext); 533 kfree(fscontext); 534 } 535 out: 536 return rc; 537 } 538 539 static int superblock_doinit(struct super_block *sb, void *data) 540 { 541 struct superblock_security_struct *sbsec = sb->s_security; 542 struct dentry *root = sb->s_root; 543 struct inode *inode = root->d_inode; 544 int rc = 0; 545 546 down(&sbsec->sem); 547 if (sbsec->initialized) 548 goto out; 549 550 if (!ss_initialized) { 551 /* Defer initialization until selinux_complete_init, 552 after the initial policy is loaded and the security 553 server is ready to handle calls. */ 554 spin_lock(&sb_security_lock); 555 if (list_empty(&sbsec->list)) 556 list_add(&sbsec->list, &superblock_security_head); 557 spin_unlock(&sb_security_lock); 558 goto out; 559 } 560 561 /* Determine the labeling behavior to use for this filesystem type. */ 562 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid); 563 if (rc) { 564 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", 565 __FUNCTION__, sb->s_type->name, rc); 566 goto out; 567 } 568 569 rc = try_context_mount(sb, data); 570 if (rc) 571 goto out; 572 573 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 574 /* Make sure that the xattr handler exists and that no 575 error other than -ENODATA is returned by getxattr on 576 the root directory. -ENODATA is ok, as this may be 577 the first boot of the SELinux kernel before we have 578 assigned xattr values to the filesystem. */ 579 if (!inode->i_op->getxattr) { 580 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 581 "xattr support\n", sb->s_id, sb->s_type->name); 582 rc = -EOPNOTSUPP; 583 goto out; 584 } 585 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0); 586 if (rc < 0 && rc != -ENODATA) { 587 if (rc == -EOPNOTSUPP) 588 printk(KERN_WARNING "SELinux: (dev %s, type " 589 "%s) has no security xattr handler\n", 590 sb->s_id, sb->s_type->name); 591 else 592 printk(KERN_WARNING "SELinux: (dev %s, type " 593 "%s) getxattr errno %d\n", sb->s_id, 594 sb->s_type->name, -rc); 595 goto out; 596 } 597 } 598 599 if (strcmp(sb->s_type->name, "proc") == 0) 600 sbsec->proc = 1; 601 602 sbsec->initialized = 1; 603 604 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) { 605 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n", 606 sb->s_id, sb->s_type->name); 607 } 608 else { 609 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n", 610 sb->s_id, sb->s_type->name, 611 labeling_behaviors[sbsec->behavior-1]); 612 } 613 614 /* Initialize the root inode. */ 615 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root); 616 617 /* Initialize any other inodes associated with the superblock, e.g. 618 inodes created prior to initial policy load or inodes created 619 during get_sb by a pseudo filesystem that directly 620 populates itself. */ 621 spin_lock(&sbsec->isec_lock); 622 next_inode: 623 if (!list_empty(&sbsec->isec_head)) { 624 struct inode_security_struct *isec = 625 list_entry(sbsec->isec_head.next, 626 struct inode_security_struct, list); 627 struct inode *inode = isec->inode; 628 spin_unlock(&sbsec->isec_lock); 629 inode = igrab(inode); 630 if (inode) { 631 if (!IS_PRIVATE (inode)) 632 inode_doinit(inode); 633 iput(inode); 634 } 635 spin_lock(&sbsec->isec_lock); 636 list_del_init(&isec->list); 637 goto next_inode; 638 } 639 spin_unlock(&sbsec->isec_lock); 640 out: 641 up(&sbsec->sem); 642 return rc; 643 } 644 645 static inline u16 inode_mode_to_security_class(umode_t mode) 646 { 647 switch (mode & S_IFMT) { 648 case S_IFSOCK: 649 return SECCLASS_SOCK_FILE; 650 case S_IFLNK: 651 return SECCLASS_LNK_FILE; 652 case S_IFREG: 653 return SECCLASS_FILE; 654 case S_IFBLK: 655 return SECCLASS_BLK_FILE; 656 case S_IFDIR: 657 return SECCLASS_DIR; 658 case S_IFCHR: 659 return SECCLASS_CHR_FILE; 660 case S_IFIFO: 661 return SECCLASS_FIFO_FILE; 662 663 } 664 665 return SECCLASS_FILE; 666 } 667 668 static inline int default_protocol_stream(int protocol) 669 { 670 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 671 } 672 673 static inline int default_protocol_dgram(int protocol) 674 { 675 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 676 } 677 678 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 679 { 680 switch (family) { 681 case PF_UNIX: 682 switch (type) { 683 case SOCK_STREAM: 684 case SOCK_SEQPACKET: 685 return SECCLASS_UNIX_STREAM_SOCKET; 686 case SOCK_DGRAM: 687 return SECCLASS_UNIX_DGRAM_SOCKET; 688 } 689 break; 690 case PF_INET: 691 case PF_INET6: 692 switch (type) { 693 case SOCK_STREAM: 694 if (default_protocol_stream(protocol)) 695 return SECCLASS_TCP_SOCKET; 696 else 697 return SECCLASS_RAWIP_SOCKET; 698 case SOCK_DGRAM: 699 if (default_protocol_dgram(protocol)) 700 return SECCLASS_UDP_SOCKET; 701 else 702 return SECCLASS_RAWIP_SOCKET; 703 default: 704 return SECCLASS_RAWIP_SOCKET; 705 } 706 break; 707 case PF_NETLINK: 708 switch (protocol) { 709 case NETLINK_ROUTE: 710 return SECCLASS_NETLINK_ROUTE_SOCKET; 711 case NETLINK_FIREWALL: 712 return SECCLASS_NETLINK_FIREWALL_SOCKET; 713 case NETLINK_INET_DIAG: 714 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 715 case NETLINK_NFLOG: 716 return SECCLASS_NETLINK_NFLOG_SOCKET; 717 case NETLINK_XFRM: 718 return SECCLASS_NETLINK_XFRM_SOCKET; 719 case NETLINK_SELINUX: 720 return SECCLASS_NETLINK_SELINUX_SOCKET; 721 case NETLINK_AUDIT: 722 return SECCLASS_NETLINK_AUDIT_SOCKET; 723 case NETLINK_IP6_FW: 724 return SECCLASS_NETLINK_IP6FW_SOCKET; 725 case NETLINK_DNRTMSG: 726 return SECCLASS_NETLINK_DNRT_SOCKET; 727 case NETLINK_KOBJECT_UEVENT: 728 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 729 default: 730 return SECCLASS_NETLINK_SOCKET; 731 } 732 case PF_PACKET: 733 return SECCLASS_PACKET_SOCKET; 734 case PF_KEY: 735 return SECCLASS_KEY_SOCKET; 736 case PF_APPLETALK: 737 return SECCLASS_APPLETALK_SOCKET; 738 } 739 740 return SECCLASS_SOCKET; 741 } 742 743 #ifdef CONFIG_PROC_FS 744 static int selinux_proc_get_sid(struct proc_dir_entry *de, 745 u16 tclass, 746 u32 *sid) 747 { 748 int buflen, rc; 749 char *buffer, *path, *end; 750 751 buffer = (char*)__get_free_page(GFP_KERNEL); 752 if (!buffer) 753 return -ENOMEM; 754 755 buflen = PAGE_SIZE; 756 end = buffer+buflen; 757 *--end = '\0'; 758 buflen--; 759 path = end-1; 760 *path = '/'; 761 while (de && de != de->parent) { 762 buflen -= de->namelen + 1; 763 if (buflen < 0) 764 break; 765 end -= de->namelen; 766 memcpy(end, de->name, de->namelen); 767 *--end = '/'; 768 path = end; 769 de = de->parent; 770 } 771 rc = security_genfs_sid("proc", path, tclass, sid); 772 free_page((unsigned long)buffer); 773 return rc; 774 } 775 #else 776 static int selinux_proc_get_sid(struct proc_dir_entry *de, 777 u16 tclass, 778 u32 *sid) 779 { 780 return -EINVAL; 781 } 782 #endif 783 784 /* The inode's security attributes must be initialized before first use. */ 785 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 786 { 787 struct superblock_security_struct *sbsec = NULL; 788 struct inode_security_struct *isec = inode->i_security; 789 u32 sid; 790 struct dentry *dentry; 791 #define INITCONTEXTLEN 255 792 char *context = NULL; 793 unsigned len = 0; 794 int rc = 0; 795 int hold_sem = 0; 796 797 if (isec->initialized) 798 goto out; 799 800 down(&isec->sem); 801 hold_sem = 1; 802 if (isec->initialized) 803 goto out; 804 805 sbsec = inode->i_sb->s_security; 806 if (!sbsec->initialized) { 807 /* Defer initialization until selinux_complete_init, 808 after the initial policy is loaded and the security 809 server is ready to handle calls. */ 810 spin_lock(&sbsec->isec_lock); 811 if (list_empty(&isec->list)) 812 list_add(&isec->list, &sbsec->isec_head); 813 spin_unlock(&sbsec->isec_lock); 814 goto out; 815 } 816 817 switch (sbsec->behavior) { 818 case SECURITY_FS_USE_XATTR: 819 if (!inode->i_op->getxattr) { 820 isec->sid = sbsec->def_sid; 821 break; 822 } 823 824 /* Need a dentry, since the xattr API requires one. 825 Life would be simpler if we could just pass the inode. */ 826 if (opt_dentry) { 827 /* Called from d_instantiate or d_splice_alias. */ 828 dentry = dget(opt_dentry); 829 } else { 830 /* Called from selinux_complete_init, try to find a dentry. */ 831 dentry = d_find_alias(inode); 832 } 833 if (!dentry) { 834 printk(KERN_WARNING "%s: no dentry for dev=%s " 835 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id, 836 inode->i_ino); 837 goto out; 838 } 839 840 len = INITCONTEXTLEN; 841 context = kmalloc(len, GFP_KERNEL); 842 if (!context) { 843 rc = -ENOMEM; 844 dput(dentry); 845 goto out; 846 } 847 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 848 context, len); 849 if (rc == -ERANGE) { 850 /* Need a larger buffer. Query for the right size. */ 851 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 852 NULL, 0); 853 if (rc < 0) { 854 dput(dentry); 855 goto out; 856 } 857 kfree(context); 858 len = rc; 859 context = kmalloc(len, GFP_KERNEL); 860 if (!context) { 861 rc = -ENOMEM; 862 dput(dentry); 863 goto out; 864 } 865 rc = inode->i_op->getxattr(dentry, 866 XATTR_NAME_SELINUX, 867 context, len); 868 } 869 dput(dentry); 870 if (rc < 0) { 871 if (rc != -ENODATA) { 872 printk(KERN_WARNING "%s: getxattr returned " 873 "%d for dev=%s ino=%ld\n", __FUNCTION__, 874 -rc, inode->i_sb->s_id, inode->i_ino); 875 kfree(context); 876 goto out; 877 } 878 /* Map ENODATA to the default file SID */ 879 sid = sbsec->def_sid; 880 rc = 0; 881 } else { 882 rc = security_context_to_sid_default(context, rc, &sid, 883 sbsec->def_sid); 884 if (rc) { 885 printk(KERN_WARNING "%s: context_to_sid(%s) " 886 "returned %d for dev=%s ino=%ld\n", 887 __FUNCTION__, context, -rc, 888 inode->i_sb->s_id, inode->i_ino); 889 kfree(context); 890 /* Leave with the unlabeled SID */ 891 rc = 0; 892 break; 893 } 894 } 895 kfree(context); 896 isec->sid = sid; 897 break; 898 case SECURITY_FS_USE_TASK: 899 isec->sid = isec->task_sid; 900 break; 901 case SECURITY_FS_USE_TRANS: 902 /* Default to the fs SID. */ 903 isec->sid = sbsec->sid; 904 905 /* Try to obtain a transition SID. */ 906 isec->sclass = inode_mode_to_security_class(inode->i_mode); 907 rc = security_transition_sid(isec->task_sid, 908 sbsec->sid, 909 isec->sclass, 910 &sid); 911 if (rc) 912 goto out; 913 isec->sid = sid; 914 break; 915 case SECURITY_FS_USE_MNTPOINT: 916 isec->sid = sbsec->mntpoint_sid; 917 break; 918 default: 919 /* Default to the fs superblock SID. */ 920 isec->sid = sbsec->sid; 921 922 if (sbsec->proc) { 923 struct proc_inode *proci = PROC_I(inode); 924 if (proci->pde) { 925 isec->sclass = inode_mode_to_security_class(inode->i_mode); 926 rc = selinux_proc_get_sid(proci->pde, 927 isec->sclass, 928 &sid); 929 if (rc) 930 goto out; 931 isec->sid = sid; 932 } 933 } 934 break; 935 } 936 937 isec->initialized = 1; 938 939 out: 940 if (isec->sclass == SECCLASS_FILE) 941 isec->sclass = inode_mode_to_security_class(inode->i_mode); 942 943 if (hold_sem) 944 up(&isec->sem); 945 return rc; 946 } 947 948 /* Convert a Linux signal to an access vector. */ 949 static inline u32 signal_to_av(int sig) 950 { 951 u32 perm = 0; 952 953 switch (sig) { 954 case SIGCHLD: 955 /* Commonly granted from child to parent. */ 956 perm = PROCESS__SIGCHLD; 957 break; 958 case SIGKILL: 959 /* Cannot be caught or ignored */ 960 perm = PROCESS__SIGKILL; 961 break; 962 case SIGSTOP: 963 /* Cannot be caught or ignored */ 964 perm = PROCESS__SIGSTOP; 965 break; 966 default: 967 /* All other signals. */ 968 perm = PROCESS__SIGNAL; 969 break; 970 } 971 972 return perm; 973 } 974 975 /* Check permission betweeen a pair of tasks, e.g. signal checks, 976 fork check, ptrace check, etc. */ 977 static int task_has_perm(struct task_struct *tsk1, 978 struct task_struct *tsk2, 979 u32 perms) 980 { 981 struct task_security_struct *tsec1, *tsec2; 982 983 tsec1 = tsk1->security; 984 tsec2 = tsk2->security; 985 return avc_has_perm(tsec1->sid, tsec2->sid, 986 SECCLASS_PROCESS, perms, NULL); 987 } 988 989 /* Check whether a task is allowed to use a capability. */ 990 static int task_has_capability(struct task_struct *tsk, 991 int cap) 992 { 993 struct task_security_struct *tsec; 994 struct avc_audit_data ad; 995 996 tsec = tsk->security; 997 998 AVC_AUDIT_DATA_INIT(&ad,CAP); 999 ad.tsk = tsk; 1000 ad.u.cap = cap; 1001 1002 return avc_has_perm(tsec->sid, tsec->sid, 1003 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad); 1004 } 1005 1006 /* Check whether a task is allowed to use a system operation. */ 1007 static int task_has_system(struct task_struct *tsk, 1008 u32 perms) 1009 { 1010 struct task_security_struct *tsec; 1011 1012 tsec = tsk->security; 1013 1014 return avc_has_perm(tsec->sid, SECINITSID_KERNEL, 1015 SECCLASS_SYSTEM, perms, NULL); 1016 } 1017 1018 /* Check whether a task has a particular permission to an inode. 1019 The 'adp' parameter is optional and allows other audit 1020 data to be passed (e.g. the dentry). */ 1021 static int inode_has_perm(struct task_struct *tsk, 1022 struct inode *inode, 1023 u32 perms, 1024 struct avc_audit_data *adp) 1025 { 1026 struct task_security_struct *tsec; 1027 struct inode_security_struct *isec; 1028 struct avc_audit_data ad; 1029 1030 tsec = tsk->security; 1031 isec = inode->i_security; 1032 1033 if (!adp) { 1034 adp = &ad; 1035 AVC_AUDIT_DATA_INIT(&ad, FS); 1036 ad.u.fs.inode = inode; 1037 } 1038 1039 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp); 1040 } 1041 1042 /* Same as inode_has_perm, but pass explicit audit data containing 1043 the dentry to help the auditing code to more easily generate the 1044 pathname if needed. */ 1045 static inline int dentry_has_perm(struct task_struct *tsk, 1046 struct vfsmount *mnt, 1047 struct dentry *dentry, 1048 u32 av) 1049 { 1050 struct inode *inode = dentry->d_inode; 1051 struct avc_audit_data ad; 1052 AVC_AUDIT_DATA_INIT(&ad,FS); 1053 ad.u.fs.mnt = mnt; 1054 ad.u.fs.dentry = dentry; 1055 return inode_has_perm(tsk, inode, av, &ad); 1056 } 1057 1058 /* Check whether a task can use an open file descriptor to 1059 access an inode in a given way. Check access to the 1060 descriptor itself, and then use dentry_has_perm to 1061 check a particular permission to the file. 1062 Access to the descriptor is implicitly granted if it 1063 has the same SID as the process. If av is zero, then 1064 access to the file is not checked, e.g. for cases 1065 where only the descriptor is affected like seek. */ 1066 static int file_has_perm(struct task_struct *tsk, 1067 struct file *file, 1068 u32 av) 1069 { 1070 struct task_security_struct *tsec = tsk->security; 1071 struct file_security_struct *fsec = file->f_security; 1072 struct vfsmount *mnt = file->f_vfsmnt; 1073 struct dentry *dentry = file->f_dentry; 1074 struct inode *inode = dentry->d_inode; 1075 struct avc_audit_data ad; 1076 int rc; 1077 1078 AVC_AUDIT_DATA_INIT(&ad, FS); 1079 ad.u.fs.mnt = mnt; 1080 ad.u.fs.dentry = dentry; 1081 1082 if (tsec->sid != fsec->sid) { 1083 rc = avc_has_perm(tsec->sid, fsec->sid, 1084 SECCLASS_FD, 1085 FD__USE, 1086 &ad); 1087 if (rc) 1088 return rc; 1089 } 1090 1091 /* av is zero if only checking access to the descriptor. */ 1092 if (av) 1093 return inode_has_perm(tsk, inode, av, &ad); 1094 1095 return 0; 1096 } 1097 1098 /* Check whether a task can create a file. */ 1099 static int may_create(struct inode *dir, 1100 struct dentry *dentry, 1101 u16 tclass) 1102 { 1103 struct task_security_struct *tsec; 1104 struct inode_security_struct *dsec; 1105 struct superblock_security_struct *sbsec; 1106 u32 newsid; 1107 struct avc_audit_data ad; 1108 int rc; 1109 1110 tsec = current->security; 1111 dsec = dir->i_security; 1112 sbsec = dir->i_sb->s_security; 1113 1114 AVC_AUDIT_DATA_INIT(&ad, FS); 1115 ad.u.fs.dentry = dentry; 1116 1117 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, 1118 DIR__ADD_NAME | DIR__SEARCH, 1119 &ad); 1120 if (rc) 1121 return rc; 1122 1123 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 1124 newsid = tsec->create_sid; 1125 } else { 1126 rc = security_transition_sid(tsec->sid, dsec->sid, tclass, 1127 &newsid); 1128 if (rc) 1129 return rc; 1130 } 1131 1132 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad); 1133 if (rc) 1134 return rc; 1135 1136 return avc_has_perm(newsid, sbsec->sid, 1137 SECCLASS_FILESYSTEM, 1138 FILESYSTEM__ASSOCIATE, &ad); 1139 } 1140 1141 /* Check whether a task can create a key. */ 1142 static int may_create_key(u32 ksid, 1143 struct task_struct *ctx) 1144 { 1145 struct task_security_struct *tsec; 1146 1147 tsec = ctx->security; 1148 1149 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); 1150 } 1151 1152 #define MAY_LINK 0 1153 #define MAY_UNLINK 1 1154 #define MAY_RMDIR 2 1155 1156 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1157 static int may_link(struct inode *dir, 1158 struct dentry *dentry, 1159 int kind) 1160 1161 { 1162 struct task_security_struct *tsec; 1163 struct inode_security_struct *dsec, *isec; 1164 struct avc_audit_data ad; 1165 u32 av; 1166 int rc; 1167 1168 tsec = current->security; 1169 dsec = dir->i_security; 1170 isec = dentry->d_inode->i_security; 1171 1172 AVC_AUDIT_DATA_INIT(&ad, FS); 1173 ad.u.fs.dentry = dentry; 1174 1175 av = DIR__SEARCH; 1176 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1177 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad); 1178 if (rc) 1179 return rc; 1180 1181 switch (kind) { 1182 case MAY_LINK: 1183 av = FILE__LINK; 1184 break; 1185 case MAY_UNLINK: 1186 av = FILE__UNLINK; 1187 break; 1188 case MAY_RMDIR: 1189 av = DIR__RMDIR; 1190 break; 1191 default: 1192 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind); 1193 return 0; 1194 } 1195 1196 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad); 1197 return rc; 1198 } 1199 1200 static inline int may_rename(struct inode *old_dir, 1201 struct dentry *old_dentry, 1202 struct inode *new_dir, 1203 struct dentry *new_dentry) 1204 { 1205 struct task_security_struct *tsec; 1206 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1207 struct avc_audit_data ad; 1208 u32 av; 1209 int old_is_dir, new_is_dir; 1210 int rc; 1211 1212 tsec = current->security; 1213 old_dsec = old_dir->i_security; 1214 old_isec = old_dentry->d_inode->i_security; 1215 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); 1216 new_dsec = new_dir->i_security; 1217 1218 AVC_AUDIT_DATA_INIT(&ad, FS); 1219 1220 ad.u.fs.dentry = old_dentry; 1221 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR, 1222 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1223 if (rc) 1224 return rc; 1225 rc = avc_has_perm(tsec->sid, old_isec->sid, 1226 old_isec->sclass, FILE__RENAME, &ad); 1227 if (rc) 1228 return rc; 1229 if (old_is_dir && new_dir != old_dir) { 1230 rc = avc_has_perm(tsec->sid, old_isec->sid, 1231 old_isec->sclass, DIR__REPARENT, &ad); 1232 if (rc) 1233 return rc; 1234 } 1235 1236 ad.u.fs.dentry = new_dentry; 1237 av = DIR__ADD_NAME | DIR__SEARCH; 1238 if (new_dentry->d_inode) 1239 av |= DIR__REMOVE_NAME; 1240 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1241 if (rc) 1242 return rc; 1243 if (new_dentry->d_inode) { 1244 new_isec = new_dentry->d_inode->i_security; 1245 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode); 1246 rc = avc_has_perm(tsec->sid, new_isec->sid, 1247 new_isec->sclass, 1248 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1249 if (rc) 1250 return rc; 1251 } 1252 1253 return 0; 1254 } 1255 1256 /* Check whether a task can perform a filesystem operation. */ 1257 static int superblock_has_perm(struct task_struct *tsk, 1258 struct super_block *sb, 1259 u32 perms, 1260 struct avc_audit_data *ad) 1261 { 1262 struct task_security_struct *tsec; 1263 struct superblock_security_struct *sbsec; 1264 1265 tsec = tsk->security; 1266 sbsec = sb->s_security; 1267 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 1268 perms, ad); 1269 } 1270 1271 /* Convert a Linux mode and permission mask to an access vector. */ 1272 static inline u32 file_mask_to_av(int mode, int mask) 1273 { 1274 u32 av = 0; 1275 1276 if ((mode & S_IFMT) != S_IFDIR) { 1277 if (mask & MAY_EXEC) 1278 av |= FILE__EXECUTE; 1279 if (mask & MAY_READ) 1280 av |= FILE__READ; 1281 1282 if (mask & MAY_APPEND) 1283 av |= FILE__APPEND; 1284 else if (mask & MAY_WRITE) 1285 av |= FILE__WRITE; 1286 1287 } else { 1288 if (mask & MAY_EXEC) 1289 av |= DIR__SEARCH; 1290 if (mask & MAY_WRITE) 1291 av |= DIR__WRITE; 1292 if (mask & MAY_READ) 1293 av |= DIR__READ; 1294 } 1295 1296 return av; 1297 } 1298 1299 /* Convert a Linux file to an access vector. */ 1300 static inline u32 file_to_av(struct file *file) 1301 { 1302 u32 av = 0; 1303 1304 if (file->f_mode & FMODE_READ) 1305 av |= FILE__READ; 1306 if (file->f_mode & FMODE_WRITE) { 1307 if (file->f_flags & O_APPEND) 1308 av |= FILE__APPEND; 1309 else 1310 av |= FILE__WRITE; 1311 } 1312 1313 return av; 1314 } 1315 1316 /* Set an inode's SID to a specified value. */ 1317 static int inode_security_set_sid(struct inode *inode, u32 sid) 1318 { 1319 struct inode_security_struct *isec = inode->i_security; 1320 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 1321 1322 if (!sbsec->initialized) { 1323 /* Defer initialization to selinux_complete_init. */ 1324 return 0; 1325 } 1326 1327 down(&isec->sem); 1328 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1329 isec->sid = sid; 1330 isec->initialized = 1; 1331 up(&isec->sem); 1332 return 0; 1333 } 1334 1335 /* Hook functions begin here. */ 1336 1337 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) 1338 { 1339 struct task_security_struct *psec = parent->security; 1340 struct task_security_struct *csec = child->security; 1341 int rc; 1342 1343 rc = secondary_ops->ptrace(parent,child); 1344 if (rc) 1345 return rc; 1346 1347 rc = task_has_perm(parent, child, PROCESS__PTRACE); 1348 /* Save the SID of the tracing process for later use in apply_creds. */ 1349 if (!(child->ptrace & PT_PTRACED) && !rc) 1350 csec->ptrace_sid = psec->sid; 1351 return rc; 1352 } 1353 1354 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 1355 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1356 { 1357 int error; 1358 1359 error = task_has_perm(current, target, PROCESS__GETCAP); 1360 if (error) 1361 return error; 1362 1363 return secondary_ops->capget(target, effective, inheritable, permitted); 1364 } 1365 1366 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, 1367 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1368 { 1369 int error; 1370 1371 error = secondary_ops->capset_check(target, effective, inheritable, permitted); 1372 if (error) 1373 return error; 1374 1375 return task_has_perm(current, target, PROCESS__SETCAP); 1376 } 1377 1378 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, 1379 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1380 { 1381 secondary_ops->capset_set(target, effective, inheritable, permitted); 1382 } 1383 1384 static int selinux_capable(struct task_struct *tsk, int cap) 1385 { 1386 int rc; 1387 1388 rc = secondary_ops->capable(tsk, cap); 1389 if (rc) 1390 return rc; 1391 1392 return task_has_capability(tsk,cap); 1393 } 1394 1395 static int selinux_sysctl(ctl_table *table, int op) 1396 { 1397 int error = 0; 1398 u32 av; 1399 struct task_security_struct *tsec; 1400 u32 tsid; 1401 int rc; 1402 1403 rc = secondary_ops->sysctl(table, op); 1404 if (rc) 1405 return rc; 1406 1407 tsec = current->security; 1408 1409 rc = selinux_proc_get_sid(table->de, (op == 001) ? 1410 SECCLASS_DIR : SECCLASS_FILE, &tsid); 1411 if (rc) { 1412 /* Default to the well-defined sysctl SID. */ 1413 tsid = SECINITSID_SYSCTL; 1414 } 1415 1416 /* The op values are "defined" in sysctl.c, thereby creating 1417 * a bad coupling between this module and sysctl.c */ 1418 if(op == 001) { 1419 error = avc_has_perm(tsec->sid, tsid, 1420 SECCLASS_DIR, DIR__SEARCH, NULL); 1421 } else { 1422 av = 0; 1423 if (op & 004) 1424 av |= FILE__READ; 1425 if (op & 002) 1426 av |= FILE__WRITE; 1427 if (av) 1428 error = avc_has_perm(tsec->sid, tsid, 1429 SECCLASS_FILE, av, NULL); 1430 } 1431 1432 return error; 1433 } 1434 1435 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 1436 { 1437 int rc = 0; 1438 1439 if (!sb) 1440 return 0; 1441 1442 switch (cmds) { 1443 case Q_SYNC: 1444 case Q_QUOTAON: 1445 case Q_QUOTAOFF: 1446 case Q_SETINFO: 1447 case Q_SETQUOTA: 1448 rc = superblock_has_perm(current, 1449 sb, 1450 FILESYSTEM__QUOTAMOD, NULL); 1451 break; 1452 case Q_GETFMT: 1453 case Q_GETINFO: 1454 case Q_GETQUOTA: 1455 rc = superblock_has_perm(current, 1456 sb, 1457 FILESYSTEM__QUOTAGET, NULL); 1458 break; 1459 default: 1460 rc = 0; /* let the kernel handle invalid cmds */ 1461 break; 1462 } 1463 return rc; 1464 } 1465 1466 static int selinux_quota_on(struct dentry *dentry) 1467 { 1468 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON); 1469 } 1470 1471 static int selinux_syslog(int type) 1472 { 1473 int rc; 1474 1475 rc = secondary_ops->syslog(type); 1476 if (rc) 1477 return rc; 1478 1479 switch (type) { 1480 case 3: /* Read last kernel messages */ 1481 case 10: /* Return size of the log buffer */ 1482 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 1483 break; 1484 case 6: /* Disable logging to console */ 1485 case 7: /* Enable logging to console */ 1486 case 8: /* Set level of messages printed to console */ 1487 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); 1488 break; 1489 case 0: /* Close log */ 1490 case 1: /* Open log */ 1491 case 2: /* Read from log */ 1492 case 4: /* Read/clear last kernel messages */ 1493 case 5: /* Clear ring buffer */ 1494 default: 1495 rc = task_has_system(current, SYSTEM__SYSLOG_MOD); 1496 break; 1497 } 1498 return rc; 1499 } 1500 1501 /* 1502 * Check that a process has enough memory to allocate a new virtual 1503 * mapping. 0 means there is enough memory for the allocation to 1504 * succeed and -ENOMEM implies there is not. 1505 * 1506 * Note that secondary_ops->capable and task_has_perm_noaudit return 0 1507 * if the capability is granted, but __vm_enough_memory requires 1 if 1508 * the capability is granted. 1509 * 1510 * Do not audit the selinux permission check, as this is applied to all 1511 * processes that allocate mappings. 1512 */ 1513 static int selinux_vm_enough_memory(long pages) 1514 { 1515 int rc, cap_sys_admin = 0; 1516 struct task_security_struct *tsec = current->security; 1517 1518 rc = secondary_ops->capable(current, CAP_SYS_ADMIN); 1519 if (rc == 0) 1520 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid, 1521 SECCLASS_CAPABILITY, 1522 CAP_TO_MASK(CAP_SYS_ADMIN), 1523 NULL); 1524 1525 if (rc == 0) 1526 cap_sys_admin = 1; 1527 1528 return __vm_enough_memory(pages, cap_sys_admin); 1529 } 1530 1531 /* binprm security operations */ 1532 1533 static int selinux_bprm_alloc_security(struct linux_binprm *bprm) 1534 { 1535 struct bprm_security_struct *bsec; 1536 1537 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL); 1538 if (!bsec) 1539 return -ENOMEM; 1540 1541 bsec->bprm = bprm; 1542 bsec->sid = SECINITSID_UNLABELED; 1543 bsec->set = 0; 1544 1545 bprm->security = bsec; 1546 return 0; 1547 } 1548 1549 static int selinux_bprm_set_security(struct linux_binprm *bprm) 1550 { 1551 struct task_security_struct *tsec; 1552 struct inode *inode = bprm->file->f_dentry->d_inode; 1553 struct inode_security_struct *isec; 1554 struct bprm_security_struct *bsec; 1555 u32 newsid; 1556 struct avc_audit_data ad; 1557 int rc; 1558 1559 rc = secondary_ops->bprm_set_security(bprm); 1560 if (rc) 1561 return rc; 1562 1563 bsec = bprm->security; 1564 1565 if (bsec->set) 1566 return 0; 1567 1568 tsec = current->security; 1569 isec = inode->i_security; 1570 1571 /* Default to the current task SID. */ 1572 bsec->sid = tsec->sid; 1573 1574 /* Reset fs, key, and sock SIDs on execve. */ 1575 tsec->create_sid = 0; 1576 tsec->keycreate_sid = 0; 1577 tsec->sockcreate_sid = 0; 1578 1579 if (tsec->exec_sid) { 1580 newsid = tsec->exec_sid; 1581 /* Reset exec SID on execve. */ 1582 tsec->exec_sid = 0; 1583 } else { 1584 /* Check for a default transition on this program. */ 1585 rc = security_transition_sid(tsec->sid, isec->sid, 1586 SECCLASS_PROCESS, &newsid); 1587 if (rc) 1588 return rc; 1589 } 1590 1591 AVC_AUDIT_DATA_INIT(&ad, FS); 1592 ad.u.fs.mnt = bprm->file->f_vfsmnt; 1593 ad.u.fs.dentry = bprm->file->f_dentry; 1594 1595 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) 1596 newsid = tsec->sid; 1597 1598 if (tsec->sid == newsid) { 1599 rc = avc_has_perm(tsec->sid, isec->sid, 1600 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 1601 if (rc) 1602 return rc; 1603 } else { 1604 /* Check permissions for the transition. */ 1605 rc = avc_has_perm(tsec->sid, newsid, 1606 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 1607 if (rc) 1608 return rc; 1609 1610 rc = avc_has_perm(newsid, isec->sid, 1611 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 1612 if (rc) 1613 return rc; 1614 1615 /* Clear any possibly unsafe personality bits on exec: */ 1616 current->personality &= ~PER_CLEAR_ON_SETID; 1617 1618 /* Set the security field to the new SID. */ 1619 bsec->sid = newsid; 1620 } 1621 1622 bsec->set = 1; 1623 return 0; 1624 } 1625 1626 static int selinux_bprm_check_security (struct linux_binprm *bprm) 1627 { 1628 return secondary_ops->bprm_check_security(bprm); 1629 } 1630 1631 1632 static int selinux_bprm_secureexec (struct linux_binprm *bprm) 1633 { 1634 struct task_security_struct *tsec = current->security; 1635 int atsecure = 0; 1636 1637 if (tsec->osid != tsec->sid) { 1638 /* Enable secure mode for SIDs transitions unless 1639 the noatsecure permission is granted between 1640 the two SIDs, i.e. ahp returns 0. */ 1641 atsecure = avc_has_perm(tsec->osid, tsec->sid, 1642 SECCLASS_PROCESS, 1643 PROCESS__NOATSECURE, NULL); 1644 } 1645 1646 return (atsecure || secondary_ops->bprm_secureexec(bprm)); 1647 } 1648 1649 static void selinux_bprm_free_security(struct linux_binprm *bprm) 1650 { 1651 kfree(bprm->security); 1652 bprm->security = NULL; 1653 } 1654 1655 extern struct vfsmount *selinuxfs_mount; 1656 extern struct dentry *selinux_null; 1657 1658 /* Derived from fs/exec.c:flush_old_files. */ 1659 static inline void flush_unauthorized_files(struct files_struct * files) 1660 { 1661 struct avc_audit_data ad; 1662 struct file *file, *devnull = NULL; 1663 struct tty_struct *tty = current->signal->tty; 1664 struct fdtable *fdt; 1665 long j = -1; 1666 1667 if (tty) { 1668 file_list_lock(); 1669 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list); 1670 if (file) { 1671 /* Revalidate access to controlling tty. 1672 Use inode_has_perm on the tty inode directly rather 1673 than using file_has_perm, as this particular open 1674 file may belong to another process and we are only 1675 interested in the inode-based check here. */ 1676 struct inode *inode = file->f_dentry->d_inode; 1677 if (inode_has_perm(current, inode, 1678 FILE__READ | FILE__WRITE, NULL)) { 1679 /* Reset controlling tty. */ 1680 current->signal->tty = NULL; 1681 current->signal->tty_old_pgrp = 0; 1682 } 1683 } 1684 file_list_unlock(); 1685 } 1686 1687 /* Revalidate access to inherited open files. */ 1688 1689 AVC_AUDIT_DATA_INIT(&ad,FS); 1690 1691 spin_lock(&files->file_lock); 1692 for (;;) { 1693 unsigned long set, i; 1694 int fd; 1695 1696 j++; 1697 i = j * __NFDBITS; 1698 fdt = files_fdtable(files); 1699 if (i >= fdt->max_fds || i >= fdt->max_fdset) 1700 break; 1701 set = fdt->open_fds->fds_bits[j]; 1702 if (!set) 1703 continue; 1704 spin_unlock(&files->file_lock); 1705 for ( ; set ; i++,set >>= 1) { 1706 if (set & 1) { 1707 file = fget(i); 1708 if (!file) 1709 continue; 1710 if (file_has_perm(current, 1711 file, 1712 file_to_av(file))) { 1713 sys_close(i); 1714 fd = get_unused_fd(); 1715 if (fd != i) { 1716 if (fd >= 0) 1717 put_unused_fd(fd); 1718 fput(file); 1719 continue; 1720 } 1721 if (devnull) { 1722 get_file(devnull); 1723 } else { 1724 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR); 1725 if (!devnull) { 1726 put_unused_fd(fd); 1727 fput(file); 1728 continue; 1729 } 1730 } 1731 fd_install(fd, devnull); 1732 } 1733 fput(file); 1734 } 1735 } 1736 spin_lock(&files->file_lock); 1737 1738 } 1739 spin_unlock(&files->file_lock); 1740 } 1741 1742 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) 1743 { 1744 struct task_security_struct *tsec; 1745 struct bprm_security_struct *bsec; 1746 u32 sid; 1747 int rc; 1748 1749 secondary_ops->bprm_apply_creds(bprm, unsafe); 1750 1751 tsec = current->security; 1752 1753 bsec = bprm->security; 1754 sid = bsec->sid; 1755 1756 tsec->osid = tsec->sid; 1757 bsec->unsafe = 0; 1758 if (tsec->sid != sid) { 1759 /* Check for shared state. If not ok, leave SID 1760 unchanged and kill. */ 1761 if (unsafe & LSM_UNSAFE_SHARE) { 1762 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 1763 PROCESS__SHARE, NULL); 1764 if (rc) { 1765 bsec->unsafe = 1; 1766 return; 1767 } 1768 } 1769 1770 /* Check for ptracing, and update the task SID if ok. 1771 Otherwise, leave SID unchanged and kill. */ 1772 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 1773 rc = avc_has_perm(tsec->ptrace_sid, sid, 1774 SECCLASS_PROCESS, PROCESS__PTRACE, 1775 NULL); 1776 if (rc) { 1777 bsec->unsafe = 1; 1778 return; 1779 } 1780 } 1781 tsec->sid = sid; 1782 } 1783 } 1784 1785 /* 1786 * called after apply_creds without the task lock held 1787 */ 1788 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) 1789 { 1790 struct task_security_struct *tsec; 1791 struct rlimit *rlim, *initrlim; 1792 struct itimerval itimer; 1793 struct bprm_security_struct *bsec; 1794 int rc, i; 1795 1796 tsec = current->security; 1797 bsec = bprm->security; 1798 1799 if (bsec->unsafe) { 1800 force_sig_specific(SIGKILL, current); 1801 return; 1802 } 1803 if (tsec->osid == tsec->sid) 1804 return; 1805 1806 /* Close files for which the new task SID is not authorized. */ 1807 flush_unauthorized_files(current->files); 1808 1809 /* Check whether the new SID can inherit signal state 1810 from the old SID. If not, clear itimers to avoid 1811 subsequent signal generation and flush and unblock 1812 signals. This must occur _after_ the task SID has 1813 been updated so that any kill done after the flush 1814 will be checked against the new SID. */ 1815 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, 1816 PROCESS__SIGINH, NULL); 1817 if (rc) { 1818 memset(&itimer, 0, sizeof itimer); 1819 for (i = 0; i < 3; i++) 1820 do_setitimer(i, &itimer, NULL); 1821 flush_signals(current); 1822 spin_lock_irq(¤t->sighand->siglock); 1823 flush_signal_handlers(current, 1); 1824 sigemptyset(¤t->blocked); 1825 recalc_sigpending(); 1826 spin_unlock_irq(¤t->sighand->siglock); 1827 } 1828 1829 /* Check whether the new SID can inherit resource limits 1830 from the old SID. If not, reset all soft limits to 1831 the lower of the current task's hard limit and the init 1832 task's soft limit. Note that the setting of hard limits 1833 (even to lower them) can be controlled by the setrlimit 1834 check. The inclusion of the init task's soft limit into 1835 the computation is to avoid resetting soft limits higher 1836 than the default soft limit for cases where the default 1837 is lower than the hard limit, e.g. RLIMIT_CORE or 1838 RLIMIT_STACK.*/ 1839 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, 1840 PROCESS__RLIMITINH, NULL); 1841 if (rc) { 1842 for (i = 0; i < RLIM_NLIMITS; i++) { 1843 rlim = current->signal->rlim + i; 1844 initrlim = init_task.signal->rlim+i; 1845 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur); 1846 } 1847 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) { 1848 /* 1849 * This will cause RLIMIT_CPU calculations 1850 * to be refigured. 1851 */ 1852 current->it_prof_expires = jiffies_to_cputime(1); 1853 } 1854 } 1855 1856 /* Wake up the parent if it is waiting so that it can 1857 recheck wait permission to the new task SID. */ 1858 wake_up_interruptible(¤t->parent->signal->wait_chldexit); 1859 } 1860 1861 /* superblock security operations */ 1862 1863 static int selinux_sb_alloc_security(struct super_block *sb) 1864 { 1865 return superblock_alloc_security(sb); 1866 } 1867 1868 static void selinux_sb_free_security(struct super_block *sb) 1869 { 1870 superblock_free_security(sb); 1871 } 1872 1873 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 1874 { 1875 if (plen > olen) 1876 return 0; 1877 1878 return !memcmp(prefix, option, plen); 1879 } 1880 1881 static inline int selinux_option(char *option, int len) 1882 { 1883 return (match_prefix("context=", sizeof("context=")-1, option, len) || 1884 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) || 1885 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len)); 1886 } 1887 1888 static inline void take_option(char **to, char *from, int *first, int len) 1889 { 1890 if (!*first) { 1891 **to = ','; 1892 *to += 1; 1893 } 1894 else 1895 *first = 0; 1896 memcpy(*to, from, len); 1897 *to += len; 1898 } 1899 1900 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy) 1901 { 1902 int fnosec, fsec, rc = 0; 1903 char *in_save, *in_curr, *in_end; 1904 char *sec_curr, *nosec_save, *nosec; 1905 1906 in_curr = orig; 1907 sec_curr = copy; 1908 1909 /* Binary mount data: just copy */ 1910 if (type->fs_flags & FS_BINARY_MOUNTDATA) { 1911 copy_page(sec_curr, in_curr); 1912 goto out; 1913 } 1914 1915 nosec = (char *)get_zeroed_page(GFP_KERNEL); 1916 if (!nosec) { 1917 rc = -ENOMEM; 1918 goto out; 1919 } 1920 1921 nosec_save = nosec; 1922 fnosec = fsec = 1; 1923 in_save = in_end = orig; 1924 1925 do { 1926 if (*in_end == ',' || *in_end == '\0') { 1927 int len = in_end - in_curr; 1928 1929 if (selinux_option(in_curr, len)) 1930 take_option(&sec_curr, in_curr, &fsec, len); 1931 else 1932 take_option(&nosec, in_curr, &fnosec, len); 1933 1934 in_curr = in_end + 1; 1935 } 1936 } while (*in_end++); 1937 1938 strcpy(in_save, nosec_save); 1939 free_page((unsigned long)nosec_save); 1940 out: 1941 return rc; 1942 } 1943 1944 static int selinux_sb_kern_mount(struct super_block *sb, void *data) 1945 { 1946 struct avc_audit_data ad; 1947 int rc; 1948 1949 rc = superblock_doinit(sb, data); 1950 if (rc) 1951 return rc; 1952 1953 AVC_AUDIT_DATA_INIT(&ad,FS); 1954 ad.u.fs.dentry = sb->s_root; 1955 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); 1956 } 1957 1958 static int selinux_sb_statfs(struct dentry *dentry) 1959 { 1960 struct avc_audit_data ad; 1961 1962 AVC_AUDIT_DATA_INIT(&ad,FS); 1963 ad.u.fs.dentry = dentry->d_sb->s_root; 1964 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 1965 } 1966 1967 static int selinux_mount(char * dev_name, 1968 struct nameidata *nd, 1969 char * type, 1970 unsigned long flags, 1971 void * data) 1972 { 1973 int rc; 1974 1975 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data); 1976 if (rc) 1977 return rc; 1978 1979 if (flags & MS_REMOUNT) 1980 return superblock_has_perm(current, nd->mnt->mnt_sb, 1981 FILESYSTEM__REMOUNT, NULL); 1982 else 1983 return dentry_has_perm(current, nd->mnt, nd->dentry, 1984 FILE__MOUNTON); 1985 } 1986 1987 static int selinux_umount(struct vfsmount *mnt, int flags) 1988 { 1989 int rc; 1990 1991 rc = secondary_ops->sb_umount(mnt, flags); 1992 if (rc) 1993 return rc; 1994 1995 return superblock_has_perm(current,mnt->mnt_sb, 1996 FILESYSTEM__UNMOUNT,NULL); 1997 } 1998 1999 /* inode security operations */ 2000 2001 static int selinux_inode_alloc_security(struct inode *inode) 2002 { 2003 return inode_alloc_security(inode); 2004 } 2005 2006 static void selinux_inode_free_security(struct inode *inode) 2007 { 2008 inode_free_security(inode); 2009 } 2010 2011 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2012 char **name, void **value, 2013 size_t *len) 2014 { 2015 struct task_security_struct *tsec; 2016 struct inode_security_struct *dsec; 2017 struct superblock_security_struct *sbsec; 2018 u32 newsid, clen; 2019 int rc; 2020 char *namep = NULL, *context; 2021 2022 tsec = current->security; 2023 dsec = dir->i_security; 2024 sbsec = dir->i_sb->s_security; 2025 2026 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 2027 newsid = tsec->create_sid; 2028 } else { 2029 rc = security_transition_sid(tsec->sid, dsec->sid, 2030 inode_mode_to_security_class(inode->i_mode), 2031 &newsid); 2032 if (rc) { 2033 printk(KERN_WARNING "%s: " 2034 "security_transition_sid failed, rc=%d (dev=%s " 2035 "ino=%ld)\n", 2036 __FUNCTION__, 2037 -rc, inode->i_sb->s_id, inode->i_ino); 2038 return rc; 2039 } 2040 } 2041 2042 inode_security_set_sid(inode, newsid); 2043 2044 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 2045 return -EOPNOTSUPP; 2046 2047 if (name) { 2048 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL); 2049 if (!namep) 2050 return -ENOMEM; 2051 *name = namep; 2052 } 2053 2054 if (value && len) { 2055 rc = security_sid_to_context(newsid, &context, &clen); 2056 if (rc) { 2057 kfree(namep); 2058 return rc; 2059 } 2060 *value = context; 2061 *len = clen; 2062 } 2063 2064 return 0; 2065 } 2066 2067 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask) 2068 { 2069 return may_create(dir, dentry, SECCLASS_FILE); 2070 } 2071 2072 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2073 { 2074 int rc; 2075 2076 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry); 2077 if (rc) 2078 return rc; 2079 return may_link(dir, old_dentry, MAY_LINK); 2080 } 2081 2082 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2083 { 2084 int rc; 2085 2086 rc = secondary_ops->inode_unlink(dir, dentry); 2087 if (rc) 2088 return rc; 2089 return may_link(dir, dentry, MAY_UNLINK); 2090 } 2091 2092 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2093 { 2094 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2095 } 2096 2097 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask) 2098 { 2099 return may_create(dir, dentry, SECCLASS_DIR); 2100 } 2101 2102 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2103 { 2104 return may_link(dir, dentry, MAY_RMDIR); 2105 } 2106 2107 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) 2108 { 2109 int rc; 2110 2111 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev); 2112 if (rc) 2113 return rc; 2114 2115 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2116 } 2117 2118 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2119 struct inode *new_inode, struct dentry *new_dentry) 2120 { 2121 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2122 } 2123 2124 static int selinux_inode_readlink(struct dentry *dentry) 2125 { 2126 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2127 } 2128 2129 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) 2130 { 2131 int rc; 2132 2133 rc = secondary_ops->inode_follow_link(dentry,nameidata); 2134 if (rc) 2135 return rc; 2136 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2137 } 2138 2139 static int selinux_inode_permission(struct inode *inode, int mask, 2140 struct nameidata *nd) 2141 { 2142 int rc; 2143 2144 rc = secondary_ops->inode_permission(inode, mask, nd); 2145 if (rc) 2146 return rc; 2147 2148 if (!mask) { 2149 /* No permission to check. Existence test. */ 2150 return 0; 2151 } 2152 2153 return inode_has_perm(current, inode, 2154 file_mask_to_av(inode->i_mode, mask), NULL); 2155 } 2156 2157 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2158 { 2159 int rc; 2160 2161 rc = secondary_ops->inode_setattr(dentry, iattr); 2162 if (rc) 2163 return rc; 2164 2165 if (iattr->ia_valid & ATTR_FORCE) 2166 return 0; 2167 2168 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 2169 ATTR_ATIME_SET | ATTR_MTIME_SET)) 2170 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2171 2172 return dentry_has_perm(current, NULL, dentry, FILE__WRITE); 2173 } 2174 2175 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 2176 { 2177 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR); 2178 } 2179 2180 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags) 2181 { 2182 struct task_security_struct *tsec = current->security; 2183 struct inode *inode = dentry->d_inode; 2184 struct inode_security_struct *isec = inode->i_security; 2185 struct superblock_security_struct *sbsec; 2186 struct avc_audit_data ad; 2187 u32 newsid; 2188 int rc = 0; 2189 2190 if (strcmp(name, XATTR_NAME_SELINUX)) { 2191 if (!strncmp(name, XATTR_SECURITY_PREFIX, 2192 sizeof XATTR_SECURITY_PREFIX - 1) && 2193 !capable(CAP_SYS_ADMIN)) { 2194 /* A different attribute in the security namespace. 2195 Restrict to administrator. */ 2196 return -EPERM; 2197 } 2198 2199 /* Not an attribute we recognize, so just check the 2200 ordinary setattr permission. */ 2201 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2202 } 2203 2204 sbsec = inode->i_sb->s_security; 2205 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 2206 return -EOPNOTSUPP; 2207 2208 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER)) 2209 return -EPERM; 2210 2211 AVC_AUDIT_DATA_INIT(&ad,FS); 2212 ad.u.fs.dentry = dentry; 2213 2214 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, 2215 FILE__RELABELFROM, &ad); 2216 if (rc) 2217 return rc; 2218 2219 rc = security_context_to_sid(value, size, &newsid); 2220 if (rc) 2221 return rc; 2222 2223 rc = avc_has_perm(tsec->sid, newsid, isec->sclass, 2224 FILE__RELABELTO, &ad); 2225 if (rc) 2226 return rc; 2227 2228 rc = security_validate_transition(isec->sid, newsid, tsec->sid, 2229 isec->sclass); 2230 if (rc) 2231 return rc; 2232 2233 return avc_has_perm(newsid, 2234 sbsec->sid, 2235 SECCLASS_FILESYSTEM, 2236 FILESYSTEM__ASSOCIATE, 2237 &ad); 2238 } 2239 2240 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, 2241 void *value, size_t size, int flags) 2242 { 2243 struct inode *inode = dentry->d_inode; 2244 struct inode_security_struct *isec = inode->i_security; 2245 u32 newsid; 2246 int rc; 2247 2248 if (strcmp(name, XATTR_NAME_SELINUX)) { 2249 /* Not an attribute we recognize, so nothing to do. */ 2250 return; 2251 } 2252 2253 rc = security_context_to_sid(value, size, &newsid); 2254 if (rc) { 2255 printk(KERN_WARNING "%s: unable to obtain SID for context " 2256 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc); 2257 return; 2258 } 2259 2260 isec->sid = newsid; 2261 return; 2262 } 2263 2264 static int selinux_inode_getxattr (struct dentry *dentry, char *name) 2265 { 2266 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2267 } 2268 2269 static int selinux_inode_listxattr (struct dentry *dentry) 2270 { 2271 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2272 } 2273 2274 static int selinux_inode_removexattr (struct dentry *dentry, char *name) 2275 { 2276 if (strcmp(name, XATTR_NAME_SELINUX)) { 2277 if (!strncmp(name, XATTR_SECURITY_PREFIX, 2278 sizeof XATTR_SECURITY_PREFIX - 1) && 2279 !capable(CAP_SYS_ADMIN)) { 2280 /* A different attribute in the security namespace. 2281 Restrict to administrator. */ 2282 return -EPERM; 2283 } 2284 2285 /* Not an attribute we recognize, so just check the 2286 ordinary setattr permission. Might want a separate 2287 permission for removexattr. */ 2288 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2289 } 2290 2291 /* No one is allowed to remove a SELinux security label. 2292 You can change the label, but all data must be labeled. */ 2293 return -EACCES; 2294 } 2295 2296 static const char *selinux_inode_xattr_getsuffix(void) 2297 { 2298 return XATTR_SELINUX_SUFFIX; 2299 } 2300 2301 /* 2302 * Copy the in-core inode security context value to the user. If the 2303 * getxattr() prior to this succeeded, check to see if we need to 2304 * canonicalize the value to be finally returned to the user. 2305 * 2306 * Permission check is handled by selinux_inode_getxattr hook. 2307 */ 2308 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err) 2309 { 2310 struct inode_security_struct *isec = inode->i_security; 2311 2312 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2313 return -EOPNOTSUPP; 2314 2315 return selinux_getsecurity(isec->sid, buffer, size); 2316 } 2317 2318 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 2319 const void *value, size_t size, int flags) 2320 { 2321 struct inode_security_struct *isec = inode->i_security; 2322 u32 newsid; 2323 int rc; 2324 2325 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2326 return -EOPNOTSUPP; 2327 2328 if (!value || !size) 2329 return -EACCES; 2330 2331 rc = security_context_to_sid((void*)value, size, &newsid); 2332 if (rc) 2333 return rc; 2334 2335 isec->sid = newsid; 2336 return 0; 2337 } 2338 2339 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 2340 { 2341 const int len = sizeof(XATTR_NAME_SELINUX); 2342 if (buffer && len <= buffer_size) 2343 memcpy(buffer, XATTR_NAME_SELINUX, len); 2344 return len; 2345 } 2346 2347 /* file security operations */ 2348 2349 static int selinux_file_permission(struct file *file, int mask) 2350 { 2351 struct inode *inode = file->f_dentry->d_inode; 2352 2353 if (!mask) { 2354 /* No permission to check. Existence test. */ 2355 return 0; 2356 } 2357 2358 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 2359 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 2360 mask |= MAY_APPEND; 2361 2362 return file_has_perm(current, file, 2363 file_mask_to_av(inode->i_mode, mask)); 2364 } 2365 2366 static int selinux_file_alloc_security(struct file *file) 2367 { 2368 return file_alloc_security(file); 2369 } 2370 2371 static void selinux_file_free_security(struct file *file) 2372 { 2373 file_free_security(file); 2374 } 2375 2376 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 2377 unsigned long arg) 2378 { 2379 int error = 0; 2380 2381 switch (cmd) { 2382 case FIONREAD: 2383 /* fall through */ 2384 case FIBMAP: 2385 /* fall through */ 2386 case FIGETBSZ: 2387 /* fall through */ 2388 case EXT2_IOC_GETFLAGS: 2389 /* fall through */ 2390 case EXT2_IOC_GETVERSION: 2391 error = file_has_perm(current, file, FILE__GETATTR); 2392 break; 2393 2394 case EXT2_IOC_SETFLAGS: 2395 /* fall through */ 2396 case EXT2_IOC_SETVERSION: 2397 error = file_has_perm(current, file, FILE__SETATTR); 2398 break; 2399 2400 /* sys_ioctl() checks */ 2401 case FIONBIO: 2402 /* fall through */ 2403 case FIOASYNC: 2404 error = file_has_perm(current, file, 0); 2405 break; 2406 2407 case KDSKBENT: 2408 case KDSKBSENT: 2409 error = task_has_capability(current,CAP_SYS_TTY_CONFIG); 2410 break; 2411 2412 /* default case assumes that the command will go 2413 * to the file's ioctl() function. 2414 */ 2415 default: 2416 error = file_has_perm(current, file, FILE__IOCTL); 2417 2418 } 2419 return error; 2420 } 2421 2422 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 2423 { 2424 #ifndef CONFIG_PPC32 2425 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { 2426 /* 2427 * We are making executable an anonymous mapping or a 2428 * private file mapping that will also be writable. 2429 * This has an additional check. 2430 */ 2431 int rc = task_has_perm(current, current, PROCESS__EXECMEM); 2432 if (rc) 2433 return rc; 2434 } 2435 #endif 2436 2437 if (file) { 2438 /* read access is always possible with a mapping */ 2439 u32 av = FILE__READ; 2440 2441 /* write access only matters if the mapping is shared */ 2442 if (shared && (prot & PROT_WRITE)) 2443 av |= FILE__WRITE; 2444 2445 if (prot & PROT_EXEC) 2446 av |= FILE__EXECUTE; 2447 2448 return file_has_perm(current, file, av); 2449 } 2450 return 0; 2451 } 2452 2453 static int selinux_file_mmap(struct file *file, unsigned long reqprot, 2454 unsigned long prot, unsigned long flags) 2455 { 2456 int rc; 2457 2458 rc = secondary_ops->file_mmap(file, reqprot, prot, flags); 2459 if (rc) 2460 return rc; 2461 2462 if (selinux_checkreqprot) 2463 prot = reqprot; 2464 2465 return file_map_prot_check(file, prot, 2466 (flags & MAP_TYPE) == MAP_SHARED); 2467 } 2468 2469 static int selinux_file_mprotect(struct vm_area_struct *vma, 2470 unsigned long reqprot, 2471 unsigned long prot) 2472 { 2473 int rc; 2474 2475 rc = secondary_ops->file_mprotect(vma, reqprot, prot); 2476 if (rc) 2477 return rc; 2478 2479 if (selinux_checkreqprot) 2480 prot = reqprot; 2481 2482 #ifndef CONFIG_PPC32 2483 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 2484 rc = 0; 2485 if (vma->vm_start >= vma->vm_mm->start_brk && 2486 vma->vm_end <= vma->vm_mm->brk) { 2487 rc = task_has_perm(current, current, 2488 PROCESS__EXECHEAP); 2489 } else if (!vma->vm_file && 2490 vma->vm_start <= vma->vm_mm->start_stack && 2491 vma->vm_end >= vma->vm_mm->start_stack) { 2492 rc = task_has_perm(current, current, PROCESS__EXECSTACK); 2493 } else if (vma->vm_file && vma->anon_vma) { 2494 /* 2495 * We are making executable a file mapping that has 2496 * had some COW done. Since pages might have been 2497 * written, check ability to execute the possibly 2498 * modified content. This typically should only 2499 * occur for text relocations. 2500 */ 2501 rc = file_has_perm(current, vma->vm_file, 2502 FILE__EXECMOD); 2503 } 2504 if (rc) 2505 return rc; 2506 } 2507 #endif 2508 2509 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 2510 } 2511 2512 static int selinux_file_lock(struct file *file, unsigned int cmd) 2513 { 2514 return file_has_perm(current, file, FILE__LOCK); 2515 } 2516 2517 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 2518 unsigned long arg) 2519 { 2520 int err = 0; 2521 2522 switch (cmd) { 2523 case F_SETFL: 2524 if (!file->f_dentry || !file->f_dentry->d_inode) { 2525 err = -EINVAL; 2526 break; 2527 } 2528 2529 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 2530 err = file_has_perm(current, file,FILE__WRITE); 2531 break; 2532 } 2533 /* fall through */ 2534 case F_SETOWN: 2535 case F_SETSIG: 2536 case F_GETFL: 2537 case F_GETOWN: 2538 case F_GETSIG: 2539 /* Just check FD__USE permission */ 2540 err = file_has_perm(current, file, 0); 2541 break; 2542 case F_GETLK: 2543 case F_SETLK: 2544 case F_SETLKW: 2545 #if BITS_PER_LONG == 32 2546 case F_GETLK64: 2547 case F_SETLK64: 2548 case F_SETLKW64: 2549 #endif 2550 if (!file->f_dentry || !file->f_dentry->d_inode) { 2551 err = -EINVAL; 2552 break; 2553 } 2554 err = file_has_perm(current, file, FILE__LOCK); 2555 break; 2556 } 2557 2558 return err; 2559 } 2560 2561 static int selinux_file_set_fowner(struct file *file) 2562 { 2563 struct task_security_struct *tsec; 2564 struct file_security_struct *fsec; 2565 2566 tsec = current->security; 2567 fsec = file->f_security; 2568 fsec->fown_sid = tsec->sid; 2569 2570 return 0; 2571 } 2572 2573 static int selinux_file_send_sigiotask(struct task_struct *tsk, 2574 struct fown_struct *fown, int signum) 2575 { 2576 struct file *file; 2577 u32 perm; 2578 struct task_security_struct *tsec; 2579 struct file_security_struct *fsec; 2580 2581 /* struct fown_struct is never outside the context of a struct file */ 2582 file = (struct file *)((long)fown - offsetof(struct file,f_owner)); 2583 2584 tsec = tsk->security; 2585 fsec = file->f_security; 2586 2587 if (!signum) 2588 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 2589 else 2590 perm = signal_to_av(signum); 2591 2592 return avc_has_perm(fsec->fown_sid, tsec->sid, 2593 SECCLASS_PROCESS, perm, NULL); 2594 } 2595 2596 static int selinux_file_receive(struct file *file) 2597 { 2598 return file_has_perm(current, file, file_to_av(file)); 2599 } 2600 2601 /* task security operations */ 2602 2603 static int selinux_task_create(unsigned long clone_flags) 2604 { 2605 int rc; 2606 2607 rc = secondary_ops->task_create(clone_flags); 2608 if (rc) 2609 return rc; 2610 2611 return task_has_perm(current, current, PROCESS__FORK); 2612 } 2613 2614 static int selinux_task_alloc_security(struct task_struct *tsk) 2615 { 2616 struct task_security_struct *tsec1, *tsec2; 2617 int rc; 2618 2619 tsec1 = current->security; 2620 2621 rc = task_alloc_security(tsk); 2622 if (rc) 2623 return rc; 2624 tsec2 = tsk->security; 2625 2626 tsec2->osid = tsec1->osid; 2627 tsec2->sid = tsec1->sid; 2628 2629 /* Retain the exec, fs, key, and sock SIDs across fork */ 2630 tsec2->exec_sid = tsec1->exec_sid; 2631 tsec2->create_sid = tsec1->create_sid; 2632 tsec2->keycreate_sid = tsec1->keycreate_sid; 2633 tsec2->sockcreate_sid = tsec1->sockcreate_sid; 2634 2635 /* Retain ptracer SID across fork, if any. 2636 This will be reset by the ptrace hook upon any 2637 subsequent ptrace_attach operations. */ 2638 tsec2->ptrace_sid = tsec1->ptrace_sid; 2639 2640 return 0; 2641 } 2642 2643 static void selinux_task_free_security(struct task_struct *tsk) 2644 { 2645 task_free_security(tsk); 2646 } 2647 2648 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 2649 { 2650 /* Since setuid only affects the current process, and 2651 since the SELinux controls are not based on the Linux 2652 identity attributes, SELinux does not need to control 2653 this operation. However, SELinux does control the use 2654 of the CAP_SETUID and CAP_SETGID capabilities using the 2655 capable hook. */ 2656 return 0; 2657 } 2658 2659 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 2660 { 2661 return secondary_ops->task_post_setuid(id0,id1,id2,flags); 2662 } 2663 2664 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) 2665 { 2666 /* See the comment for setuid above. */ 2667 return 0; 2668 } 2669 2670 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 2671 { 2672 return task_has_perm(current, p, PROCESS__SETPGID); 2673 } 2674 2675 static int selinux_task_getpgid(struct task_struct *p) 2676 { 2677 return task_has_perm(current, p, PROCESS__GETPGID); 2678 } 2679 2680 static int selinux_task_getsid(struct task_struct *p) 2681 { 2682 return task_has_perm(current, p, PROCESS__GETSESSION); 2683 } 2684 2685 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 2686 { 2687 selinux_get_task_sid(p, secid); 2688 } 2689 2690 static int selinux_task_setgroups(struct group_info *group_info) 2691 { 2692 /* See the comment for setuid above. */ 2693 return 0; 2694 } 2695 2696 static int selinux_task_setnice(struct task_struct *p, int nice) 2697 { 2698 int rc; 2699 2700 rc = secondary_ops->task_setnice(p, nice); 2701 if (rc) 2702 return rc; 2703 2704 return task_has_perm(current,p, PROCESS__SETSCHED); 2705 } 2706 2707 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 2708 { 2709 return task_has_perm(current, p, PROCESS__SETSCHED); 2710 } 2711 2712 static int selinux_task_getioprio(struct task_struct *p) 2713 { 2714 return task_has_perm(current, p, PROCESS__GETSCHED); 2715 } 2716 2717 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) 2718 { 2719 struct rlimit *old_rlim = current->signal->rlim + resource; 2720 int rc; 2721 2722 rc = secondary_ops->task_setrlimit(resource, new_rlim); 2723 if (rc) 2724 return rc; 2725 2726 /* Control the ability to change the hard limit (whether 2727 lowering or raising it), so that the hard limit can 2728 later be used as a safe reset point for the soft limit 2729 upon context transitions. See selinux_bprm_apply_creds. */ 2730 if (old_rlim->rlim_max != new_rlim->rlim_max) 2731 return task_has_perm(current, current, PROCESS__SETRLIMIT); 2732 2733 return 0; 2734 } 2735 2736 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp) 2737 { 2738 return task_has_perm(current, p, PROCESS__SETSCHED); 2739 } 2740 2741 static int selinux_task_getscheduler(struct task_struct *p) 2742 { 2743 return task_has_perm(current, p, PROCESS__GETSCHED); 2744 } 2745 2746 static int selinux_task_movememory(struct task_struct *p) 2747 { 2748 return task_has_perm(current, p, PROCESS__SETSCHED); 2749 } 2750 2751 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 2752 int sig, u32 secid) 2753 { 2754 u32 perm; 2755 int rc; 2756 struct task_security_struct *tsec; 2757 2758 rc = secondary_ops->task_kill(p, info, sig, secid); 2759 if (rc) 2760 return rc; 2761 2762 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info))) 2763 return 0; 2764 2765 if (!sig) 2766 perm = PROCESS__SIGNULL; /* null signal; existence test */ 2767 else 2768 perm = signal_to_av(sig); 2769 tsec = p->security; 2770 if (secid) 2771 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL); 2772 else 2773 rc = task_has_perm(current, p, perm); 2774 return rc; 2775 } 2776 2777 static int selinux_task_prctl(int option, 2778 unsigned long arg2, 2779 unsigned long arg3, 2780 unsigned long arg4, 2781 unsigned long arg5) 2782 { 2783 /* The current prctl operations do not appear to require 2784 any SELinux controls since they merely observe or modify 2785 the state of the current process. */ 2786 return 0; 2787 } 2788 2789 static int selinux_task_wait(struct task_struct *p) 2790 { 2791 u32 perm; 2792 2793 perm = signal_to_av(p->exit_signal); 2794 2795 return task_has_perm(p, current, perm); 2796 } 2797 2798 static void selinux_task_reparent_to_init(struct task_struct *p) 2799 { 2800 struct task_security_struct *tsec; 2801 2802 secondary_ops->task_reparent_to_init(p); 2803 2804 tsec = p->security; 2805 tsec->osid = tsec->sid; 2806 tsec->sid = SECINITSID_KERNEL; 2807 return; 2808 } 2809 2810 static void selinux_task_to_inode(struct task_struct *p, 2811 struct inode *inode) 2812 { 2813 struct task_security_struct *tsec = p->security; 2814 struct inode_security_struct *isec = inode->i_security; 2815 2816 isec->sid = tsec->sid; 2817 isec->initialized = 1; 2818 return; 2819 } 2820 2821 /* Returns error only if unable to parse addresses */ 2822 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad) 2823 { 2824 int offset, ihlen, ret = -EINVAL; 2825 struct iphdr _iph, *ih; 2826 2827 offset = skb->nh.raw - skb->data; 2828 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 2829 if (ih == NULL) 2830 goto out; 2831 2832 ihlen = ih->ihl * 4; 2833 if (ihlen < sizeof(_iph)) 2834 goto out; 2835 2836 ad->u.net.v4info.saddr = ih->saddr; 2837 ad->u.net.v4info.daddr = ih->daddr; 2838 ret = 0; 2839 2840 switch (ih->protocol) { 2841 case IPPROTO_TCP: { 2842 struct tcphdr _tcph, *th; 2843 2844 if (ntohs(ih->frag_off) & IP_OFFSET) 2845 break; 2846 2847 offset += ihlen; 2848 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 2849 if (th == NULL) 2850 break; 2851 2852 ad->u.net.sport = th->source; 2853 ad->u.net.dport = th->dest; 2854 break; 2855 } 2856 2857 case IPPROTO_UDP: { 2858 struct udphdr _udph, *uh; 2859 2860 if (ntohs(ih->frag_off) & IP_OFFSET) 2861 break; 2862 2863 offset += ihlen; 2864 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 2865 if (uh == NULL) 2866 break; 2867 2868 ad->u.net.sport = uh->source; 2869 ad->u.net.dport = uh->dest; 2870 break; 2871 } 2872 2873 default: 2874 break; 2875 } 2876 out: 2877 return ret; 2878 } 2879 2880 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 2881 2882 /* Returns error only if unable to parse addresses */ 2883 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad) 2884 { 2885 u8 nexthdr; 2886 int ret = -EINVAL, offset; 2887 struct ipv6hdr _ipv6h, *ip6; 2888 2889 offset = skb->nh.raw - skb->data; 2890 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 2891 if (ip6 == NULL) 2892 goto out; 2893 2894 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr); 2895 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr); 2896 ret = 0; 2897 2898 nexthdr = ip6->nexthdr; 2899 offset += sizeof(_ipv6h); 2900 offset = ipv6_skip_exthdr(skb, offset, &nexthdr); 2901 if (offset < 0) 2902 goto out; 2903 2904 switch (nexthdr) { 2905 case IPPROTO_TCP: { 2906 struct tcphdr _tcph, *th; 2907 2908 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 2909 if (th == NULL) 2910 break; 2911 2912 ad->u.net.sport = th->source; 2913 ad->u.net.dport = th->dest; 2914 break; 2915 } 2916 2917 case IPPROTO_UDP: { 2918 struct udphdr _udph, *uh; 2919 2920 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 2921 if (uh == NULL) 2922 break; 2923 2924 ad->u.net.sport = uh->source; 2925 ad->u.net.dport = uh->dest; 2926 break; 2927 } 2928 2929 /* includes fragments */ 2930 default: 2931 break; 2932 } 2933 out: 2934 return ret; 2935 } 2936 2937 #endif /* IPV6 */ 2938 2939 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, 2940 char **addrp, int *len, int src) 2941 { 2942 int ret = 0; 2943 2944 switch (ad->u.net.family) { 2945 case PF_INET: 2946 ret = selinux_parse_skb_ipv4(skb, ad); 2947 if (ret || !addrp) 2948 break; 2949 *len = 4; 2950 *addrp = (char *)(src ? &ad->u.net.v4info.saddr : 2951 &ad->u.net.v4info.daddr); 2952 break; 2953 2954 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 2955 case PF_INET6: 2956 ret = selinux_parse_skb_ipv6(skb, ad); 2957 if (ret || !addrp) 2958 break; 2959 *len = 16; 2960 *addrp = (char *)(src ? &ad->u.net.v6info.saddr : 2961 &ad->u.net.v6info.daddr); 2962 break; 2963 #endif /* IPV6 */ 2964 default: 2965 break; 2966 } 2967 2968 return ret; 2969 } 2970 2971 /* socket security operations */ 2972 static int socket_has_perm(struct task_struct *task, struct socket *sock, 2973 u32 perms) 2974 { 2975 struct inode_security_struct *isec; 2976 struct task_security_struct *tsec; 2977 struct avc_audit_data ad; 2978 int err = 0; 2979 2980 tsec = task->security; 2981 isec = SOCK_INODE(sock)->i_security; 2982 2983 if (isec->sid == SECINITSID_KERNEL) 2984 goto out; 2985 2986 AVC_AUDIT_DATA_INIT(&ad,NET); 2987 ad.u.net.sk = sock->sk; 2988 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 2989 2990 out: 2991 return err; 2992 } 2993 2994 static int selinux_socket_create(int family, int type, 2995 int protocol, int kern) 2996 { 2997 int err = 0; 2998 struct task_security_struct *tsec; 2999 u32 newsid; 3000 3001 if (kern) 3002 goto out; 3003 3004 tsec = current->security; 3005 newsid = tsec->sockcreate_sid ? : tsec->sid; 3006 err = avc_has_perm(tsec->sid, newsid, 3007 socket_type_to_security_class(family, type, 3008 protocol), SOCKET__CREATE, NULL); 3009 3010 out: 3011 return err; 3012 } 3013 3014 static void selinux_socket_post_create(struct socket *sock, int family, 3015 int type, int protocol, int kern) 3016 { 3017 struct inode_security_struct *isec; 3018 struct task_security_struct *tsec; 3019 u32 newsid; 3020 3021 isec = SOCK_INODE(sock)->i_security; 3022 3023 tsec = current->security; 3024 newsid = tsec->sockcreate_sid ? : tsec->sid; 3025 isec->sclass = socket_type_to_security_class(family, type, protocol); 3026 isec->sid = kern ? SECINITSID_KERNEL : newsid; 3027 isec->initialized = 1; 3028 3029 return; 3030 } 3031 3032 /* Range of port numbers used to automatically bind. 3033 Need to determine whether we should perform a name_bind 3034 permission check between the socket and the port number. */ 3035 #define ip_local_port_range_0 sysctl_local_port_range[0] 3036 #define ip_local_port_range_1 sysctl_local_port_range[1] 3037 3038 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 3039 { 3040 u16 family; 3041 int err; 3042 3043 err = socket_has_perm(current, sock, SOCKET__BIND); 3044 if (err) 3045 goto out; 3046 3047 /* 3048 * If PF_INET or PF_INET6, check name_bind permission for the port. 3049 * Multiple address binding for SCTP is not supported yet: we just 3050 * check the first address now. 3051 */ 3052 family = sock->sk->sk_family; 3053 if (family == PF_INET || family == PF_INET6) { 3054 char *addrp; 3055 struct inode_security_struct *isec; 3056 struct task_security_struct *tsec; 3057 struct avc_audit_data ad; 3058 struct sockaddr_in *addr4 = NULL; 3059 struct sockaddr_in6 *addr6 = NULL; 3060 unsigned short snum; 3061 struct sock *sk = sock->sk; 3062 u32 sid, node_perm, addrlen; 3063 3064 tsec = current->security; 3065 isec = SOCK_INODE(sock)->i_security; 3066 3067 if (family == PF_INET) { 3068 addr4 = (struct sockaddr_in *)address; 3069 snum = ntohs(addr4->sin_port); 3070 addrlen = sizeof(addr4->sin_addr.s_addr); 3071 addrp = (char *)&addr4->sin_addr.s_addr; 3072 } else { 3073 addr6 = (struct sockaddr_in6 *)address; 3074 snum = ntohs(addr6->sin6_port); 3075 addrlen = sizeof(addr6->sin6_addr.s6_addr); 3076 addrp = (char *)&addr6->sin6_addr.s6_addr; 3077 } 3078 3079 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) || 3080 snum > ip_local_port_range_1)) { 3081 err = security_port_sid(sk->sk_family, sk->sk_type, 3082 sk->sk_protocol, snum, &sid); 3083 if (err) 3084 goto out; 3085 AVC_AUDIT_DATA_INIT(&ad,NET); 3086 ad.u.net.sport = htons(snum); 3087 ad.u.net.family = family; 3088 err = avc_has_perm(isec->sid, sid, 3089 isec->sclass, 3090 SOCKET__NAME_BIND, &ad); 3091 if (err) 3092 goto out; 3093 } 3094 3095 switch(isec->sclass) { 3096 case SECCLASS_TCP_SOCKET: 3097 node_perm = TCP_SOCKET__NODE_BIND; 3098 break; 3099 3100 case SECCLASS_UDP_SOCKET: 3101 node_perm = UDP_SOCKET__NODE_BIND; 3102 break; 3103 3104 default: 3105 node_perm = RAWIP_SOCKET__NODE_BIND; 3106 break; 3107 } 3108 3109 err = security_node_sid(family, addrp, addrlen, &sid); 3110 if (err) 3111 goto out; 3112 3113 AVC_AUDIT_DATA_INIT(&ad,NET); 3114 ad.u.net.sport = htons(snum); 3115 ad.u.net.family = family; 3116 3117 if (family == PF_INET) 3118 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr; 3119 else 3120 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr); 3121 3122 err = avc_has_perm(isec->sid, sid, 3123 isec->sclass, node_perm, &ad); 3124 if (err) 3125 goto out; 3126 } 3127 out: 3128 return err; 3129 } 3130 3131 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 3132 { 3133 struct inode_security_struct *isec; 3134 int err; 3135 3136 err = socket_has_perm(current, sock, SOCKET__CONNECT); 3137 if (err) 3138 return err; 3139 3140 /* 3141 * If a TCP socket, check name_connect permission for the port. 3142 */ 3143 isec = SOCK_INODE(sock)->i_security; 3144 if (isec->sclass == SECCLASS_TCP_SOCKET) { 3145 struct sock *sk = sock->sk; 3146 struct avc_audit_data ad; 3147 struct sockaddr_in *addr4 = NULL; 3148 struct sockaddr_in6 *addr6 = NULL; 3149 unsigned short snum; 3150 u32 sid; 3151 3152 if (sk->sk_family == PF_INET) { 3153 addr4 = (struct sockaddr_in *)address; 3154 if (addrlen < sizeof(struct sockaddr_in)) 3155 return -EINVAL; 3156 snum = ntohs(addr4->sin_port); 3157 } else { 3158 addr6 = (struct sockaddr_in6 *)address; 3159 if (addrlen < SIN6_LEN_RFC2133) 3160 return -EINVAL; 3161 snum = ntohs(addr6->sin6_port); 3162 } 3163 3164 err = security_port_sid(sk->sk_family, sk->sk_type, 3165 sk->sk_protocol, snum, &sid); 3166 if (err) 3167 goto out; 3168 3169 AVC_AUDIT_DATA_INIT(&ad,NET); 3170 ad.u.net.dport = htons(snum); 3171 ad.u.net.family = sk->sk_family; 3172 err = avc_has_perm(isec->sid, sid, isec->sclass, 3173 TCP_SOCKET__NAME_CONNECT, &ad); 3174 if (err) 3175 goto out; 3176 } 3177 3178 out: 3179 return err; 3180 } 3181 3182 static int selinux_socket_listen(struct socket *sock, int backlog) 3183 { 3184 return socket_has_perm(current, sock, SOCKET__LISTEN); 3185 } 3186 3187 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 3188 { 3189 int err; 3190 struct inode_security_struct *isec; 3191 struct inode_security_struct *newisec; 3192 3193 err = socket_has_perm(current, sock, SOCKET__ACCEPT); 3194 if (err) 3195 return err; 3196 3197 newisec = SOCK_INODE(newsock)->i_security; 3198 3199 isec = SOCK_INODE(sock)->i_security; 3200 newisec->sclass = isec->sclass; 3201 newisec->sid = isec->sid; 3202 newisec->initialized = 1; 3203 3204 return 0; 3205 } 3206 3207 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3208 int size) 3209 { 3210 return socket_has_perm(current, sock, SOCKET__WRITE); 3211 } 3212 3213 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 3214 int size, int flags) 3215 { 3216 return socket_has_perm(current, sock, SOCKET__READ); 3217 } 3218 3219 static int selinux_socket_getsockname(struct socket *sock) 3220 { 3221 return socket_has_perm(current, sock, SOCKET__GETATTR); 3222 } 3223 3224 static int selinux_socket_getpeername(struct socket *sock) 3225 { 3226 return socket_has_perm(current, sock, SOCKET__GETATTR); 3227 } 3228 3229 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname) 3230 { 3231 return socket_has_perm(current, sock, SOCKET__SETOPT); 3232 } 3233 3234 static int selinux_socket_getsockopt(struct socket *sock, int level, 3235 int optname) 3236 { 3237 return socket_has_perm(current, sock, SOCKET__GETOPT); 3238 } 3239 3240 static int selinux_socket_shutdown(struct socket *sock, int how) 3241 { 3242 return socket_has_perm(current, sock, SOCKET__SHUTDOWN); 3243 } 3244 3245 static int selinux_socket_unix_stream_connect(struct socket *sock, 3246 struct socket *other, 3247 struct sock *newsk) 3248 { 3249 struct sk_security_struct *ssec; 3250 struct inode_security_struct *isec; 3251 struct inode_security_struct *other_isec; 3252 struct avc_audit_data ad; 3253 int err; 3254 3255 err = secondary_ops->unix_stream_connect(sock, other, newsk); 3256 if (err) 3257 return err; 3258 3259 isec = SOCK_INODE(sock)->i_security; 3260 other_isec = SOCK_INODE(other)->i_security; 3261 3262 AVC_AUDIT_DATA_INIT(&ad,NET); 3263 ad.u.net.sk = other->sk; 3264 3265 err = avc_has_perm(isec->sid, other_isec->sid, 3266 isec->sclass, 3267 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 3268 if (err) 3269 return err; 3270 3271 /* connecting socket */ 3272 ssec = sock->sk->sk_security; 3273 ssec->peer_sid = other_isec->sid; 3274 3275 /* server child socket */ 3276 ssec = newsk->sk_security; 3277 ssec->peer_sid = isec->sid; 3278 3279 return 0; 3280 } 3281 3282 static int selinux_socket_unix_may_send(struct socket *sock, 3283 struct socket *other) 3284 { 3285 struct inode_security_struct *isec; 3286 struct inode_security_struct *other_isec; 3287 struct avc_audit_data ad; 3288 int err; 3289 3290 isec = SOCK_INODE(sock)->i_security; 3291 other_isec = SOCK_INODE(other)->i_security; 3292 3293 AVC_AUDIT_DATA_INIT(&ad,NET); 3294 ad.u.net.sk = other->sk; 3295 3296 err = avc_has_perm(isec->sid, other_isec->sid, 3297 isec->sclass, SOCKET__SENDTO, &ad); 3298 if (err) 3299 return err; 3300 3301 return 0; 3302 } 3303 3304 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 3305 struct avc_audit_data *ad, u32 sock_sid, u16 sock_class, 3306 u16 family, char *addrp, int len) 3307 { 3308 int err = 0; 3309 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0; 3310 3311 if (!skb->dev) 3312 goto out; 3313 3314 err = sel_netif_sids(skb->dev, &if_sid, NULL); 3315 if (err) 3316 goto out; 3317 3318 switch (sock_class) { 3319 case SECCLASS_UDP_SOCKET: 3320 netif_perm = NETIF__UDP_RECV; 3321 node_perm = NODE__UDP_RECV; 3322 recv_perm = UDP_SOCKET__RECV_MSG; 3323 break; 3324 3325 case SECCLASS_TCP_SOCKET: 3326 netif_perm = NETIF__TCP_RECV; 3327 node_perm = NODE__TCP_RECV; 3328 recv_perm = TCP_SOCKET__RECV_MSG; 3329 break; 3330 3331 default: 3332 netif_perm = NETIF__RAWIP_RECV; 3333 node_perm = NODE__RAWIP_RECV; 3334 break; 3335 } 3336 3337 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 3338 if (err) 3339 goto out; 3340 3341 err = security_node_sid(family, addrp, len, &node_sid); 3342 if (err) 3343 goto out; 3344 3345 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad); 3346 if (err) 3347 goto out; 3348 3349 if (recv_perm) { 3350 u32 port_sid; 3351 3352 err = security_port_sid(sk->sk_family, sk->sk_type, 3353 sk->sk_protocol, ntohs(ad->u.net.sport), 3354 &port_sid); 3355 if (err) 3356 goto out; 3357 3358 err = avc_has_perm(sock_sid, port_sid, 3359 sock_class, recv_perm, ad); 3360 } 3361 3362 out: 3363 return err; 3364 } 3365 3366 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3367 { 3368 u16 family; 3369 u16 sock_class = 0; 3370 char *addrp; 3371 int len, err = 0; 3372 u32 sock_sid = 0; 3373 struct socket *sock; 3374 struct avc_audit_data ad; 3375 3376 family = sk->sk_family; 3377 if (family != PF_INET && family != PF_INET6) 3378 goto out; 3379 3380 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 3381 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP)) 3382 family = PF_INET; 3383 3384 read_lock_bh(&sk->sk_callback_lock); 3385 sock = sk->sk_socket; 3386 if (sock) { 3387 struct inode *inode; 3388 inode = SOCK_INODE(sock); 3389 if (inode) { 3390 struct inode_security_struct *isec; 3391 isec = inode->i_security; 3392 sock_sid = isec->sid; 3393 sock_class = isec->sclass; 3394 } 3395 } 3396 read_unlock_bh(&sk->sk_callback_lock); 3397 if (!sock_sid) 3398 goto out; 3399 3400 AVC_AUDIT_DATA_INIT(&ad, NET); 3401 ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]"; 3402 ad.u.net.family = family; 3403 3404 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1); 3405 if (err) 3406 goto out; 3407 3408 if (selinux_compat_net) 3409 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, sock_sid, 3410 sock_class, family, 3411 addrp, len); 3412 else 3413 err = avc_has_perm(sock_sid, skb->secmark, SECCLASS_PACKET, 3414 PACKET__RECV, &ad); 3415 if (err) 3416 goto out; 3417 3418 err = selinux_xfrm_sock_rcv_skb(sock_sid, skb); 3419 out: 3420 return err; 3421 } 3422 3423 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 3424 int __user *optlen, unsigned len) 3425 { 3426 int err = 0; 3427 char *scontext; 3428 u32 scontext_len; 3429 struct sk_security_struct *ssec; 3430 struct inode_security_struct *isec; 3431 u32 peer_sid = 0; 3432 3433 isec = SOCK_INODE(sock)->i_security; 3434 3435 /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */ 3436 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) { 3437 ssec = sock->sk->sk_security; 3438 peer_sid = ssec->peer_sid; 3439 } 3440 else if (isec->sclass == SECCLASS_TCP_SOCKET) { 3441 peer_sid = selinux_socket_getpeer_stream(sock->sk); 3442 3443 if (peer_sid == SECSID_NULL) { 3444 err = -ENOPROTOOPT; 3445 goto out; 3446 } 3447 } 3448 else { 3449 err = -ENOPROTOOPT; 3450 goto out; 3451 } 3452 3453 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 3454 3455 if (err) 3456 goto out; 3457 3458 if (scontext_len > len) { 3459 err = -ERANGE; 3460 goto out_len; 3461 } 3462 3463 if (copy_to_user(optval, scontext, scontext_len)) 3464 err = -EFAULT; 3465 3466 out_len: 3467 if (put_user(scontext_len, optlen)) 3468 err = -EFAULT; 3469 3470 kfree(scontext); 3471 out: 3472 return err; 3473 } 3474 3475 static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen) 3476 { 3477 int err = 0; 3478 u32 peer_sid; 3479 3480 if (skb->sk->sk_family == PF_UNIX) 3481 selinux_get_inode_sid(SOCK_INODE(skb->sk->sk_socket), 3482 &peer_sid); 3483 else 3484 peer_sid = selinux_socket_getpeer_dgram(skb); 3485 3486 if (peer_sid == SECSID_NULL) 3487 return -EINVAL; 3488 3489 err = security_sid_to_context(peer_sid, secdata, seclen); 3490 if (err) 3491 return err; 3492 3493 return 0; 3494 } 3495 3496 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 3497 { 3498 return sk_alloc_security(sk, family, priority); 3499 } 3500 3501 static void selinux_sk_free_security(struct sock *sk) 3502 { 3503 sk_free_security(sk); 3504 } 3505 3506 static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir) 3507 { 3508 struct inode_security_struct *isec; 3509 u32 sock_sid = SECINITSID_ANY_SOCKET; 3510 3511 if (!sk) 3512 return selinux_no_sk_sid(fl); 3513 3514 read_lock_bh(&sk->sk_callback_lock); 3515 isec = get_sock_isec(sk); 3516 3517 if (isec) 3518 sock_sid = isec->sid; 3519 3520 read_unlock_bh(&sk->sk_callback_lock); 3521 return sock_sid; 3522 } 3523 3524 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 3525 { 3526 int err = 0; 3527 u32 perm; 3528 struct nlmsghdr *nlh; 3529 struct socket *sock = sk->sk_socket; 3530 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 3531 3532 if (skb->len < NLMSG_SPACE(0)) { 3533 err = -EINVAL; 3534 goto out; 3535 } 3536 nlh = (struct nlmsghdr *)skb->data; 3537 3538 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); 3539 if (err) { 3540 if (err == -EINVAL) { 3541 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR, 3542 "SELinux: unrecognized netlink message" 3543 " type=%hu for sclass=%hu\n", 3544 nlh->nlmsg_type, isec->sclass); 3545 if (!selinux_enforcing) 3546 err = 0; 3547 } 3548 3549 /* Ignore */ 3550 if (err == -ENOENT) 3551 err = 0; 3552 goto out; 3553 } 3554 3555 err = socket_has_perm(current, sock, perm); 3556 out: 3557 return err; 3558 } 3559 3560 #ifdef CONFIG_NETFILTER 3561 3562 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev, 3563 struct inode_security_struct *isec, 3564 struct avc_audit_data *ad, 3565 u16 family, char *addrp, int len) 3566 { 3567 int err; 3568 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0; 3569 3570 err = sel_netif_sids(dev, &if_sid, NULL); 3571 if (err) 3572 goto out; 3573 3574 switch (isec->sclass) { 3575 case SECCLASS_UDP_SOCKET: 3576 netif_perm = NETIF__UDP_SEND; 3577 node_perm = NODE__UDP_SEND; 3578 send_perm = UDP_SOCKET__SEND_MSG; 3579 break; 3580 3581 case SECCLASS_TCP_SOCKET: 3582 netif_perm = NETIF__TCP_SEND; 3583 node_perm = NODE__TCP_SEND; 3584 send_perm = TCP_SOCKET__SEND_MSG; 3585 break; 3586 3587 default: 3588 netif_perm = NETIF__RAWIP_SEND; 3589 node_perm = NODE__RAWIP_SEND; 3590 break; 3591 } 3592 3593 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 3594 if (err) 3595 goto out; 3596 3597 err = security_node_sid(family, addrp, len, &node_sid); 3598 if (err) 3599 goto out; 3600 3601 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad); 3602 if (err) 3603 goto out; 3604 3605 if (send_perm) { 3606 u32 port_sid; 3607 3608 err = security_port_sid(sk->sk_family, 3609 sk->sk_type, 3610 sk->sk_protocol, 3611 ntohs(ad->u.net.dport), 3612 &port_sid); 3613 if (err) 3614 goto out; 3615 3616 err = avc_has_perm(isec->sid, port_sid, isec->sclass, 3617 send_perm, ad); 3618 } 3619 out: 3620 return err; 3621 } 3622 3623 static unsigned int selinux_ip_postroute_last(unsigned int hooknum, 3624 struct sk_buff **pskb, 3625 const struct net_device *in, 3626 const struct net_device *out, 3627 int (*okfn)(struct sk_buff *), 3628 u16 family) 3629 { 3630 char *addrp; 3631 int len, err = 0; 3632 struct sock *sk; 3633 struct socket *sock; 3634 struct inode *inode; 3635 struct sk_buff *skb = *pskb; 3636 struct inode_security_struct *isec; 3637 struct avc_audit_data ad; 3638 struct net_device *dev = (struct net_device *)out; 3639 3640 sk = skb->sk; 3641 if (!sk) 3642 goto out; 3643 3644 sock = sk->sk_socket; 3645 if (!sock) 3646 goto out; 3647 3648 inode = SOCK_INODE(sock); 3649 if (!inode) 3650 goto out; 3651 3652 isec = inode->i_security; 3653 3654 AVC_AUDIT_DATA_INIT(&ad, NET); 3655 ad.u.net.netif = dev->name; 3656 ad.u.net.family = family; 3657 3658 err = selinux_parse_skb(skb, &ad, &addrp, &len, 0); 3659 if (err) 3660 goto out; 3661 3662 if (selinux_compat_net) 3663 err = selinux_ip_postroute_last_compat(sk, dev, isec, &ad, 3664 family, addrp, len); 3665 else 3666 err = avc_has_perm(isec->sid, skb->secmark, SECCLASS_PACKET, 3667 PACKET__SEND, &ad); 3668 3669 if (err) 3670 goto out; 3671 3672 err = selinux_xfrm_postroute_last(isec->sid, skb); 3673 out: 3674 return err ? NF_DROP : NF_ACCEPT; 3675 } 3676 3677 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum, 3678 struct sk_buff **pskb, 3679 const struct net_device *in, 3680 const struct net_device *out, 3681 int (*okfn)(struct sk_buff *)) 3682 { 3683 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET); 3684 } 3685 3686 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3687 3688 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum, 3689 struct sk_buff **pskb, 3690 const struct net_device *in, 3691 const struct net_device *out, 3692 int (*okfn)(struct sk_buff *)) 3693 { 3694 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6); 3695 } 3696 3697 #endif /* IPV6 */ 3698 3699 #endif /* CONFIG_NETFILTER */ 3700 3701 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 3702 { 3703 int err; 3704 3705 err = secondary_ops->netlink_send(sk, skb); 3706 if (err) 3707 return err; 3708 3709 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS) 3710 err = selinux_nlmsg_perm(sk, skb); 3711 3712 return err; 3713 } 3714 3715 static int selinux_netlink_recv(struct sk_buff *skb, int capability) 3716 { 3717 int err; 3718 struct avc_audit_data ad; 3719 3720 err = secondary_ops->netlink_recv(skb, capability); 3721 if (err) 3722 return err; 3723 3724 AVC_AUDIT_DATA_INIT(&ad, CAP); 3725 ad.u.cap = capability; 3726 3727 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, 3728 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad); 3729 } 3730 3731 static int ipc_alloc_security(struct task_struct *task, 3732 struct kern_ipc_perm *perm, 3733 u16 sclass) 3734 { 3735 struct task_security_struct *tsec = task->security; 3736 struct ipc_security_struct *isec; 3737 3738 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 3739 if (!isec) 3740 return -ENOMEM; 3741 3742 isec->sclass = sclass; 3743 isec->ipc_perm = perm; 3744 isec->sid = tsec->sid; 3745 perm->security = isec; 3746 3747 return 0; 3748 } 3749 3750 static void ipc_free_security(struct kern_ipc_perm *perm) 3751 { 3752 struct ipc_security_struct *isec = perm->security; 3753 perm->security = NULL; 3754 kfree(isec); 3755 } 3756 3757 static int msg_msg_alloc_security(struct msg_msg *msg) 3758 { 3759 struct msg_security_struct *msec; 3760 3761 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 3762 if (!msec) 3763 return -ENOMEM; 3764 3765 msec->msg = msg; 3766 msec->sid = SECINITSID_UNLABELED; 3767 msg->security = msec; 3768 3769 return 0; 3770 } 3771 3772 static void msg_msg_free_security(struct msg_msg *msg) 3773 { 3774 struct msg_security_struct *msec = msg->security; 3775 3776 msg->security = NULL; 3777 kfree(msec); 3778 } 3779 3780 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 3781 u32 perms) 3782 { 3783 struct task_security_struct *tsec; 3784 struct ipc_security_struct *isec; 3785 struct avc_audit_data ad; 3786 3787 tsec = current->security; 3788 isec = ipc_perms->security; 3789 3790 AVC_AUDIT_DATA_INIT(&ad, IPC); 3791 ad.u.ipc_id = ipc_perms->key; 3792 3793 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 3794 } 3795 3796 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 3797 { 3798 return msg_msg_alloc_security(msg); 3799 } 3800 3801 static void selinux_msg_msg_free_security(struct msg_msg *msg) 3802 { 3803 msg_msg_free_security(msg); 3804 } 3805 3806 /* message queue security operations */ 3807 static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 3808 { 3809 struct task_security_struct *tsec; 3810 struct ipc_security_struct *isec; 3811 struct avc_audit_data ad; 3812 int rc; 3813 3814 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ); 3815 if (rc) 3816 return rc; 3817 3818 tsec = current->security; 3819 isec = msq->q_perm.security; 3820 3821 AVC_AUDIT_DATA_INIT(&ad, IPC); 3822 ad.u.ipc_id = msq->q_perm.key; 3823 3824 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 3825 MSGQ__CREATE, &ad); 3826 if (rc) { 3827 ipc_free_security(&msq->q_perm); 3828 return rc; 3829 } 3830 return 0; 3831 } 3832 3833 static void selinux_msg_queue_free_security(struct msg_queue *msq) 3834 { 3835 ipc_free_security(&msq->q_perm); 3836 } 3837 3838 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 3839 { 3840 struct task_security_struct *tsec; 3841 struct ipc_security_struct *isec; 3842 struct avc_audit_data ad; 3843 3844 tsec = current->security; 3845 isec = msq->q_perm.security; 3846 3847 AVC_AUDIT_DATA_INIT(&ad, IPC); 3848 ad.u.ipc_id = msq->q_perm.key; 3849 3850 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 3851 MSGQ__ASSOCIATE, &ad); 3852 } 3853 3854 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 3855 { 3856 int err; 3857 int perms; 3858 3859 switch(cmd) { 3860 case IPC_INFO: 3861 case MSG_INFO: 3862 /* No specific object, just general system-wide information. */ 3863 return task_has_system(current, SYSTEM__IPC_INFO); 3864 case IPC_STAT: 3865 case MSG_STAT: 3866 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 3867 break; 3868 case IPC_SET: 3869 perms = MSGQ__SETATTR; 3870 break; 3871 case IPC_RMID: 3872 perms = MSGQ__DESTROY; 3873 break; 3874 default: 3875 return 0; 3876 } 3877 3878 err = ipc_has_perm(&msq->q_perm, perms); 3879 return err; 3880 } 3881 3882 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 3883 { 3884 struct task_security_struct *tsec; 3885 struct ipc_security_struct *isec; 3886 struct msg_security_struct *msec; 3887 struct avc_audit_data ad; 3888 int rc; 3889 3890 tsec = current->security; 3891 isec = msq->q_perm.security; 3892 msec = msg->security; 3893 3894 /* 3895 * First time through, need to assign label to the message 3896 */ 3897 if (msec->sid == SECINITSID_UNLABELED) { 3898 /* 3899 * Compute new sid based on current process and 3900 * message queue this message will be stored in 3901 */ 3902 rc = security_transition_sid(tsec->sid, 3903 isec->sid, 3904 SECCLASS_MSG, 3905 &msec->sid); 3906 if (rc) 3907 return rc; 3908 } 3909 3910 AVC_AUDIT_DATA_INIT(&ad, IPC); 3911 ad.u.ipc_id = msq->q_perm.key; 3912 3913 /* Can this process write to the queue? */ 3914 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 3915 MSGQ__WRITE, &ad); 3916 if (!rc) 3917 /* Can this process send the message */ 3918 rc = avc_has_perm(tsec->sid, msec->sid, 3919 SECCLASS_MSG, MSG__SEND, &ad); 3920 if (!rc) 3921 /* Can the message be put in the queue? */ 3922 rc = avc_has_perm(msec->sid, isec->sid, 3923 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad); 3924 3925 return rc; 3926 } 3927 3928 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 3929 struct task_struct *target, 3930 long type, int mode) 3931 { 3932 struct task_security_struct *tsec; 3933 struct ipc_security_struct *isec; 3934 struct msg_security_struct *msec; 3935 struct avc_audit_data ad; 3936 int rc; 3937 3938 tsec = target->security; 3939 isec = msq->q_perm.security; 3940 msec = msg->security; 3941 3942 AVC_AUDIT_DATA_INIT(&ad, IPC); 3943 ad.u.ipc_id = msq->q_perm.key; 3944 3945 rc = avc_has_perm(tsec->sid, isec->sid, 3946 SECCLASS_MSGQ, MSGQ__READ, &ad); 3947 if (!rc) 3948 rc = avc_has_perm(tsec->sid, msec->sid, 3949 SECCLASS_MSG, MSG__RECEIVE, &ad); 3950 return rc; 3951 } 3952 3953 /* Shared Memory security operations */ 3954 static int selinux_shm_alloc_security(struct shmid_kernel *shp) 3955 { 3956 struct task_security_struct *tsec; 3957 struct ipc_security_struct *isec; 3958 struct avc_audit_data ad; 3959 int rc; 3960 3961 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM); 3962 if (rc) 3963 return rc; 3964 3965 tsec = current->security; 3966 isec = shp->shm_perm.security; 3967 3968 AVC_AUDIT_DATA_INIT(&ad, IPC); 3969 ad.u.ipc_id = shp->shm_perm.key; 3970 3971 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 3972 SHM__CREATE, &ad); 3973 if (rc) { 3974 ipc_free_security(&shp->shm_perm); 3975 return rc; 3976 } 3977 return 0; 3978 } 3979 3980 static void selinux_shm_free_security(struct shmid_kernel *shp) 3981 { 3982 ipc_free_security(&shp->shm_perm); 3983 } 3984 3985 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 3986 { 3987 struct task_security_struct *tsec; 3988 struct ipc_security_struct *isec; 3989 struct avc_audit_data ad; 3990 3991 tsec = current->security; 3992 isec = shp->shm_perm.security; 3993 3994 AVC_AUDIT_DATA_INIT(&ad, IPC); 3995 ad.u.ipc_id = shp->shm_perm.key; 3996 3997 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 3998 SHM__ASSOCIATE, &ad); 3999 } 4000 4001 /* Note, at this point, shp is locked down */ 4002 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 4003 { 4004 int perms; 4005 int err; 4006 4007 switch(cmd) { 4008 case IPC_INFO: 4009 case SHM_INFO: 4010 /* No specific object, just general system-wide information. */ 4011 return task_has_system(current, SYSTEM__IPC_INFO); 4012 case IPC_STAT: 4013 case SHM_STAT: 4014 perms = SHM__GETATTR | SHM__ASSOCIATE; 4015 break; 4016 case IPC_SET: 4017 perms = SHM__SETATTR; 4018 break; 4019 case SHM_LOCK: 4020 case SHM_UNLOCK: 4021 perms = SHM__LOCK; 4022 break; 4023 case IPC_RMID: 4024 perms = SHM__DESTROY; 4025 break; 4026 default: 4027 return 0; 4028 } 4029 4030 err = ipc_has_perm(&shp->shm_perm, perms); 4031 return err; 4032 } 4033 4034 static int selinux_shm_shmat(struct shmid_kernel *shp, 4035 char __user *shmaddr, int shmflg) 4036 { 4037 u32 perms; 4038 int rc; 4039 4040 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg); 4041 if (rc) 4042 return rc; 4043 4044 if (shmflg & SHM_RDONLY) 4045 perms = SHM__READ; 4046 else 4047 perms = SHM__READ | SHM__WRITE; 4048 4049 return ipc_has_perm(&shp->shm_perm, perms); 4050 } 4051 4052 /* Semaphore security operations */ 4053 static int selinux_sem_alloc_security(struct sem_array *sma) 4054 { 4055 struct task_security_struct *tsec; 4056 struct ipc_security_struct *isec; 4057 struct avc_audit_data ad; 4058 int rc; 4059 4060 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM); 4061 if (rc) 4062 return rc; 4063 4064 tsec = current->security; 4065 isec = sma->sem_perm.security; 4066 4067 AVC_AUDIT_DATA_INIT(&ad, IPC); 4068 ad.u.ipc_id = sma->sem_perm.key; 4069 4070 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 4071 SEM__CREATE, &ad); 4072 if (rc) { 4073 ipc_free_security(&sma->sem_perm); 4074 return rc; 4075 } 4076 return 0; 4077 } 4078 4079 static void selinux_sem_free_security(struct sem_array *sma) 4080 { 4081 ipc_free_security(&sma->sem_perm); 4082 } 4083 4084 static int selinux_sem_associate(struct sem_array *sma, int semflg) 4085 { 4086 struct task_security_struct *tsec; 4087 struct ipc_security_struct *isec; 4088 struct avc_audit_data ad; 4089 4090 tsec = current->security; 4091 isec = sma->sem_perm.security; 4092 4093 AVC_AUDIT_DATA_INIT(&ad, IPC); 4094 ad.u.ipc_id = sma->sem_perm.key; 4095 4096 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 4097 SEM__ASSOCIATE, &ad); 4098 } 4099 4100 /* Note, at this point, sma is locked down */ 4101 static int selinux_sem_semctl(struct sem_array *sma, int cmd) 4102 { 4103 int err; 4104 u32 perms; 4105 4106 switch(cmd) { 4107 case IPC_INFO: 4108 case SEM_INFO: 4109 /* No specific object, just general system-wide information. */ 4110 return task_has_system(current, SYSTEM__IPC_INFO); 4111 case GETPID: 4112 case GETNCNT: 4113 case GETZCNT: 4114 perms = SEM__GETATTR; 4115 break; 4116 case GETVAL: 4117 case GETALL: 4118 perms = SEM__READ; 4119 break; 4120 case SETVAL: 4121 case SETALL: 4122 perms = SEM__WRITE; 4123 break; 4124 case IPC_RMID: 4125 perms = SEM__DESTROY; 4126 break; 4127 case IPC_SET: 4128 perms = SEM__SETATTR; 4129 break; 4130 case IPC_STAT: 4131 case SEM_STAT: 4132 perms = SEM__GETATTR | SEM__ASSOCIATE; 4133 break; 4134 default: 4135 return 0; 4136 } 4137 4138 err = ipc_has_perm(&sma->sem_perm, perms); 4139 return err; 4140 } 4141 4142 static int selinux_sem_semop(struct sem_array *sma, 4143 struct sembuf *sops, unsigned nsops, int alter) 4144 { 4145 u32 perms; 4146 4147 if (alter) 4148 perms = SEM__READ | SEM__WRITE; 4149 else 4150 perms = SEM__READ; 4151 4152 return ipc_has_perm(&sma->sem_perm, perms); 4153 } 4154 4155 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 4156 { 4157 u32 av = 0; 4158 4159 av = 0; 4160 if (flag & S_IRUGO) 4161 av |= IPC__UNIX_READ; 4162 if (flag & S_IWUGO) 4163 av |= IPC__UNIX_WRITE; 4164 4165 if (av == 0) 4166 return 0; 4167 4168 return ipc_has_perm(ipcp, av); 4169 } 4170 4171 /* module stacking operations */ 4172 static int selinux_register_security (const char *name, struct security_operations *ops) 4173 { 4174 if (secondary_ops != original_ops) { 4175 printk(KERN_INFO "%s: There is already a secondary security " 4176 "module registered.\n", __FUNCTION__); 4177 return -EINVAL; 4178 } 4179 4180 secondary_ops = ops; 4181 4182 printk(KERN_INFO "%s: Registering secondary module %s\n", 4183 __FUNCTION__, 4184 name); 4185 4186 return 0; 4187 } 4188 4189 static int selinux_unregister_security (const char *name, struct security_operations *ops) 4190 { 4191 if (ops != secondary_ops) { 4192 printk (KERN_INFO "%s: trying to unregister a security module " 4193 "that is not registered.\n", __FUNCTION__); 4194 return -EINVAL; 4195 } 4196 4197 secondary_ops = original_ops; 4198 4199 return 0; 4200 } 4201 4202 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode) 4203 { 4204 if (inode) 4205 inode_doinit_with_dentry(inode, dentry); 4206 } 4207 4208 static int selinux_getprocattr(struct task_struct *p, 4209 char *name, void *value, size_t size) 4210 { 4211 struct task_security_struct *tsec; 4212 u32 sid; 4213 int error; 4214 4215 if (current != p) { 4216 error = task_has_perm(current, p, PROCESS__GETATTR); 4217 if (error) 4218 return error; 4219 } 4220 4221 tsec = p->security; 4222 4223 if (!strcmp(name, "current")) 4224 sid = tsec->sid; 4225 else if (!strcmp(name, "prev")) 4226 sid = tsec->osid; 4227 else if (!strcmp(name, "exec")) 4228 sid = tsec->exec_sid; 4229 else if (!strcmp(name, "fscreate")) 4230 sid = tsec->create_sid; 4231 else if (!strcmp(name, "keycreate")) 4232 sid = tsec->keycreate_sid; 4233 else if (!strcmp(name, "sockcreate")) 4234 sid = tsec->sockcreate_sid; 4235 else 4236 return -EINVAL; 4237 4238 if (!sid) 4239 return 0; 4240 4241 return selinux_getsecurity(sid, value, size); 4242 } 4243 4244 static int selinux_setprocattr(struct task_struct *p, 4245 char *name, void *value, size_t size) 4246 { 4247 struct task_security_struct *tsec; 4248 u32 sid = 0; 4249 int error; 4250 char *str = value; 4251 4252 if (current != p) { 4253 /* SELinux only allows a process to change its own 4254 security attributes. */ 4255 return -EACCES; 4256 } 4257 4258 /* 4259 * Basic control over ability to set these attributes at all. 4260 * current == p, but we'll pass them separately in case the 4261 * above restriction is ever removed. 4262 */ 4263 if (!strcmp(name, "exec")) 4264 error = task_has_perm(current, p, PROCESS__SETEXEC); 4265 else if (!strcmp(name, "fscreate")) 4266 error = task_has_perm(current, p, PROCESS__SETFSCREATE); 4267 else if (!strcmp(name, "keycreate")) 4268 error = task_has_perm(current, p, PROCESS__SETKEYCREATE); 4269 else if (!strcmp(name, "sockcreate")) 4270 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE); 4271 else if (!strcmp(name, "current")) 4272 error = task_has_perm(current, p, PROCESS__SETCURRENT); 4273 else 4274 error = -EINVAL; 4275 if (error) 4276 return error; 4277 4278 /* Obtain a SID for the context, if one was specified. */ 4279 if (size && str[1] && str[1] != '\n') { 4280 if (str[size-1] == '\n') { 4281 str[size-1] = 0; 4282 size--; 4283 } 4284 error = security_context_to_sid(value, size, &sid); 4285 if (error) 4286 return error; 4287 } 4288 4289 /* Permission checking based on the specified context is 4290 performed during the actual operation (execve, 4291 open/mkdir/...), when we know the full context of the 4292 operation. See selinux_bprm_set_security for the execve 4293 checks and may_create for the file creation checks. The 4294 operation will then fail if the context is not permitted. */ 4295 tsec = p->security; 4296 if (!strcmp(name, "exec")) 4297 tsec->exec_sid = sid; 4298 else if (!strcmp(name, "fscreate")) 4299 tsec->create_sid = sid; 4300 else if (!strcmp(name, "keycreate")) { 4301 error = may_create_key(sid, p); 4302 if (error) 4303 return error; 4304 tsec->keycreate_sid = sid; 4305 } else if (!strcmp(name, "sockcreate")) 4306 tsec->sockcreate_sid = sid; 4307 else if (!strcmp(name, "current")) { 4308 struct av_decision avd; 4309 4310 if (sid == 0) 4311 return -EINVAL; 4312 4313 /* Only allow single threaded processes to change context */ 4314 if (atomic_read(&p->mm->mm_users) != 1) { 4315 struct task_struct *g, *t; 4316 struct mm_struct *mm = p->mm; 4317 read_lock(&tasklist_lock); 4318 do_each_thread(g, t) 4319 if (t->mm == mm && t != p) { 4320 read_unlock(&tasklist_lock); 4321 return -EPERM; 4322 } 4323 while_each_thread(g, t); 4324 read_unlock(&tasklist_lock); 4325 } 4326 4327 /* Check permissions for the transition. */ 4328 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 4329 PROCESS__DYNTRANSITION, NULL); 4330 if (error) 4331 return error; 4332 4333 /* Check for ptracing, and update the task SID if ok. 4334 Otherwise, leave SID unchanged and fail. */ 4335 task_lock(p); 4336 if (p->ptrace & PT_PTRACED) { 4337 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid, 4338 SECCLASS_PROCESS, 4339 PROCESS__PTRACE, &avd); 4340 if (!error) 4341 tsec->sid = sid; 4342 task_unlock(p); 4343 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS, 4344 PROCESS__PTRACE, &avd, error, NULL); 4345 if (error) 4346 return error; 4347 } else { 4348 tsec->sid = sid; 4349 task_unlock(p); 4350 } 4351 } 4352 else 4353 return -EINVAL; 4354 4355 return size; 4356 } 4357 4358 #ifdef CONFIG_KEYS 4359 4360 static int selinux_key_alloc(struct key *k, struct task_struct *tsk, 4361 unsigned long flags) 4362 { 4363 struct task_security_struct *tsec = tsk->security; 4364 struct key_security_struct *ksec; 4365 4366 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 4367 if (!ksec) 4368 return -ENOMEM; 4369 4370 ksec->obj = k; 4371 if (tsec->keycreate_sid) 4372 ksec->sid = tsec->keycreate_sid; 4373 else 4374 ksec->sid = tsec->sid; 4375 k->security = ksec; 4376 4377 return 0; 4378 } 4379 4380 static void selinux_key_free(struct key *k) 4381 { 4382 struct key_security_struct *ksec = k->security; 4383 4384 k->security = NULL; 4385 kfree(ksec); 4386 } 4387 4388 static int selinux_key_permission(key_ref_t key_ref, 4389 struct task_struct *ctx, 4390 key_perm_t perm) 4391 { 4392 struct key *key; 4393 struct task_security_struct *tsec; 4394 struct key_security_struct *ksec; 4395 4396 key = key_ref_to_ptr(key_ref); 4397 4398 tsec = ctx->security; 4399 ksec = key->security; 4400 4401 /* if no specific permissions are requested, we skip the 4402 permission check. No serious, additional covert channels 4403 appear to be created. */ 4404 if (perm == 0) 4405 return 0; 4406 4407 return avc_has_perm(tsec->sid, ksec->sid, 4408 SECCLASS_KEY, perm, NULL); 4409 } 4410 4411 #endif 4412 4413 static struct security_operations selinux_ops = { 4414 .ptrace = selinux_ptrace, 4415 .capget = selinux_capget, 4416 .capset_check = selinux_capset_check, 4417 .capset_set = selinux_capset_set, 4418 .sysctl = selinux_sysctl, 4419 .capable = selinux_capable, 4420 .quotactl = selinux_quotactl, 4421 .quota_on = selinux_quota_on, 4422 .syslog = selinux_syslog, 4423 .vm_enough_memory = selinux_vm_enough_memory, 4424 4425 .netlink_send = selinux_netlink_send, 4426 .netlink_recv = selinux_netlink_recv, 4427 4428 .bprm_alloc_security = selinux_bprm_alloc_security, 4429 .bprm_free_security = selinux_bprm_free_security, 4430 .bprm_apply_creds = selinux_bprm_apply_creds, 4431 .bprm_post_apply_creds = selinux_bprm_post_apply_creds, 4432 .bprm_set_security = selinux_bprm_set_security, 4433 .bprm_check_security = selinux_bprm_check_security, 4434 .bprm_secureexec = selinux_bprm_secureexec, 4435 4436 .sb_alloc_security = selinux_sb_alloc_security, 4437 .sb_free_security = selinux_sb_free_security, 4438 .sb_copy_data = selinux_sb_copy_data, 4439 .sb_kern_mount = selinux_sb_kern_mount, 4440 .sb_statfs = selinux_sb_statfs, 4441 .sb_mount = selinux_mount, 4442 .sb_umount = selinux_umount, 4443 4444 .inode_alloc_security = selinux_inode_alloc_security, 4445 .inode_free_security = selinux_inode_free_security, 4446 .inode_init_security = selinux_inode_init_security, 4447 .inode_create = selinux_inode_create, 4448 .inode_link = selinux_inode_link, 4449 .inode_unlink = selinux_inode_unlink, 4450 .inode_symlink = selinux_inode_symlink, 4451 .inode_mkdir = selinux_inode_mkdir, 4452 .inode_rmdir = selinux_inode_rmdir, 4453 .inode_mknod = selinux_inode_mknod, 4454 .inode_rename = selinux_inode_rename, 4455 .inode_readlink = selinux_inode_readlink, 4456 .inode_follow_link = selinux_inode_follow_link, 4457 .inode_permission = selinux_inode_permission, 4458 .inode_setattr = selinux_inode_setattr, 4459 .inode_getattr = selinux_inode_getattr, 4460 .inode_setxattr = selinux_inode_setxattr, 4461 .inode_post_setxattr = selinux_inode_post_setxattr, 4462 .inode_getxattr = selinux_inode_getxattr, 4463 .inode_listxattr = selinux_inode_listxattr, 4464 .inode_removexattr = selinux_inode_removexattr, 4465 .inode_xattr_getsuffix = selinux_inode_xattr_getsuffix, 4466 .inode_getsecurity = selinux_inode_getsecurity, 4467 .inode_setsecurity = selinux_inode_setsecurity, 4468 .inode_listsecurity = selinux_inode_listsecurity, 4469 4470 .file_permission = selinux_file_permission, 4471 .file_alloc_security = selinux_file_alloc_security, 4472 .file_free_security = selinux_file_free_security, 4473 .file_ioctl = selinux_file_ioctl, 4474 .file_mmap = selinux_file_mmap, 4475 .file_mprotect = selinux_file_mprotect, 4476 .file_lock = selinux_file_lock, 4477 .file_fcntl = selinux_file_fcntl, 4478 .file_set_fowner = selinux_file_set_fowner, 4479 .file_send_sigiotask = selinux_file_send_sigiotask, 4480 .file_receive = selinux_file_receive, 4481 4482 .task_create = selinux_task_create, 4483 .task_alloc_security = selinux_task_alloc_security, 4484 .task_free_security = selinux_task_free_security, 4485 .task_setuid = selinux_task_setuid, 4486 .task_post_setuid = selinux_task_post_setuid, 4487 .task_setgid = selinux_task_setgid, 4488 .task_setpgid = selinux_task_setpgid, 4489 .task_getpgid = selinux_task_getpgid, 4490 .task_getsid = selinux_task_getsid, 4491 .task_getsecid = selinux_task_getsecid, 4492 .task_setgroups = selinux_task_setgroups, 4493 .task_setnice = selinux_task_setnice, 4494 .task_setioprio = selinux_task_setioprio, 4495 .task_getioprio = selinux_task_getioprio, 4496 .task_setrlimit = selinux_task_setrlimit, 4497 .task_setscheduler = selinux_task_setscheduler, 4498 .task_getscheduler = selinux_task_getscheduler, 4499 .task_movememory = selinux_task_movememory, 4500 .task_kill = selinux_task_kill, 4501 .task_wait = selinux_task_wait, 4502 .task_prctl = selinux_task_prctl, 4503 .task_reparent_to_init = selinux_task_reparent_to_init, 4504 .task_to_inode = selinux_task_to_inode, 4505 4506 .ipc_permission = selinux_ipc_permission, 4507 4508 .msg_msg_alloc_security = selinux_msg_msg_alloc_security, 4509 .msg_msg_free_security = selinux_msg_msg_free_security, 4510 4511 .msg_queue_alloc_security = selinux_msg_queue_alloc_security, 4512 .msg_queue_free_security = selinux_msg_queue_free_security, 4513 .msg_queue_associate = selinux_msg_queue_associate, 4514 .msg_queue_msgctl = selinux_msg_queue_msgctl, 4515 .msg_queue_msgsnd = selinux_msg_queue_msgsnd, 4516 .msg_queue_msgrcv = selinux_msg_queue_msgrcv, 4517 4518 .shm_alloc_security = selinux_shm_alloc_security, 4519 .shm_free_security = selinux_shm_free_security, 4520 .shm_associate = selinux_shm_associate, 4521 .shm_shmctl = selinux_shm_shmctl, 4522 .shm_shmat = selinux_shm_shmat, 4523 4524 .sem_alloc_security = selinux_sem_alloc_security, 4525 .sem_free_security = selinux_sem_free_security, 4526 .sem_associate = selinux_sem_associate, 4527 .sem_semctl = selinux_sem_semctl, 4528 .sem_semop = selinux_sem_semop, 4529 4530 .register_security = selinux_register_security, 4531 .unregister_security = selinux_unregister_security, 4532 4533 .d_instantiate = selinux_d_instantiate, 4534 4535 .getprocattr = selinux_getprocattr, 4536 .setprocattr = selinux_setprocattr, 4537 4538 .unix_stream_connect = selinux_socket_unix_stream_connect, 4539 .unix_may_send = selinux_socket_unix_may_send, 4540 4541 .socket_create = selinux_socket_create, 4542 .socket_post_create = selinux_socket_post_create, 4543 .socket_bind = selinux_socket_bind, 4544 .socket_connect = selinux_socket_connect, 4545 .socket_listen = selinux_socket_listen, 4546 .socket_accept = selinux_socket_accept, 4547 .socket_sendmsg = selinux_socket_sendmsg, 4548 .socket_recvmsg = selinux_socket_recvmsg, 4549 .socket_getsockname = selinux_socket_getsockname, 4550 .socket_getpeername = selinux_socket_getpeername, 4551 .socket_getsockopt = selinux_socket_getsockopt, 4552 .socket_setsockopt = selinux_socket_setsockopt, 4553 .socket_shutdown = selinux_socket_shutdown, 4554 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb, 4555 .socket_getpeersec_stream = selinux_socket_getpeersec_stream, 4556 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram, 4557 .sk_alloc_security = selinux_sk_alloc_security, 4558 .sk_free_security = selinux_sk_free_security, 4559 .sk_getsid = selinux_sk_getsid_security, 4560 4561 #ifdef CONFIG_SECURITY_NETWORK_XFRM 4562 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, 4563 .xfrm_policy_clone_security = selinux_xfrm_policy_clone, 4564 .xfrm_policy_free_security = selinux_xfrm_policy_free, 4565 .xfrm_policy_delete_security = selinux_xfrm_policy_delete, 4566 .xfrm_state_alloc_security = selinux_xfrm_state_alloc, 4567 .xfrm_state_free_security = selinux_xfrm_state_free, 4568 .xfrm_state_delete_security = selinux_xfrm_state_delete, 4569 .xfrm_policy_lookup = selinux_xfrm_policy_lookup, 4570 #endif 4571 4572 #ifdef CONFIG_KEYS 4573 .key_alloc = selinux_key_alloc, 4574 .key_free = selinux_key_free, 4575 .key_permission = selinux_key_permission, 4576 #endif 4577 }; 4578 4579 static __init int selinux_init(void) 4580 { 4581 struct task_security_struct *tsec; 4582 4583 if (!selinux_enabled) { 4584 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 4585 return 0; 4586 } 4587 4588 printk(KERN_INFO "SELinux: Initializing.\n"); 4589 4590 /* Set the security state for the initial task. */ 4591 if (task_alloc_security(current)) 4592 panic("SELinux: Failed to initialize initial task.\n"); 4593 tsec = current->security; 4594 tsec->osid = tsec->sid = SECINITSID_KERNEL; 4595 4596 sel_inode_cache = kmem_cache_create("selinux_inode_security", 4597 sizeof(struct inode_security_struct), 4598 0, SLAB_PANIC, NULL, NULL); 4599 avc_init(); 4600 4601 original_ops = secondary_ops = security_ops; 4602 if (!secondary_ops) 4603 panic ("SELinux: No initial security operations\n"); 4604 if (register_security (&selinux_ops)) 4605 panic("SELinux: Unable to register with kernel.\n"); 4606 4607 if (selinux_enforcing) { 4608 printk(KERN_INFO "SELinux: Starting in enforcing mode\n"); 4609 } else { 4610 printk(KERN_INFO "SELinux: Starting in permissive mode\n"); 4611 } 4612 4613 #ifdef CONFIG_KEYS 4614 /* Add security information to initial keyrings */ 4615 selinux_key_alloc(&root_user_keyring, current, 4616 KEY_ALLOC_NOT_IN_QUOTA); 4617 selinux_key_alloc(&root_session_keyring, current, 4618 KEY_ALLOC_NOT_IN_QUOTA); 4619 #endif 4620 4621 return 0; 4622 } 4623 4624 void selinux_complete_init(void) 4625 { 4626 printk(KERN_INFO "SELinux: Completing initialization.\n"); 4627 4628 /* Set up any superblocks initialized prior to the policy load. */ 4629 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n"); 4630 spin_lock(&sb_lock); 4631 spin_lock(&sb_security_lock); 4632 next_sb: 4633 if (!list_empty(&superblock_security_head)) { 4634 struct superblock_security_struct *sbsec = 4635 list_entry(superblock_security_head.next, 4636 struct superblock_security_struct, 4637 list); 4638 struct super_block *sb = sbsec->sb; 4639 sb->s_count++; 4640 spin_unlock(&sb_security_lock); 4641 spin_unlock(&sb_lock); 4642 down_read(&sb->s_umount); 4643 if (sb->s_root) 4644 superblock_doinit(sb, NULL); 4645 drop_super(sb); 4646 spin_lock(&sb_lock); 4647 spin_lock(&sb_security_lock); 4648 list_del_init(&sbsec->list); 4649 goto next_sb; 4650 } 4651 spin_unlock(&sb_security_lock); 4652 spin_unlock(&sb_lock); 4653 } 4654 4655 /* SELinux requires early initialization in order to label 4656 all processes and objects when they are created. */ 4657 security_initcall(selinux_init); 4658 4659 #if defined(CONFIG_NETFILTER) 4660 4661 static struct nf_hook_ops selinux_ipv4_op = { 4662 .hook = selinux_ipv4_postroute_last, 4663 .owner = THIS_MODULE, 4664 .pf = PF_INET, 4665 .hooknum = NF_IP_POST_ROUTING, 4666 .priority = NF_IP_PRI_SELINUX_LAST, 4667 }; 4668 4669 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4670 4671 static struct nf_hook_ops selinux_ipv6_op = { 4672 .hook = selinux_ipv6_postroute_last, 4673 .owner = THIS_MODULE, 4674 .pf = PF_INET6, 4675 .hooknum = NF_IP6_POST_ROUTING, 4676 .priority = NF_IP6_PRI_SELINUX_LAST, 4677 }; 4678 4679 #endif /* IPV6 */ 4680 4681 static int __init selinux_nf_ip_init(void) 4682 { 4683 int err = 0; 4684 4685 if (!selinux_enabled) 4686 goto out; 4687 4688 printk(KERN_INFO "SELinux: Registering netfilter hooks\n"); 4689 4690 err = nf_register_hook(&selinux_ipv4_op); 4691 if (err) 4692 panic("SELinux: nf_register_hook for IPv4: error %d\n", err); 4693 4694 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4695 4696 err = nf_register_hook(&selinux_ipv6_op); 4697 if (err) 4698 panic("SELinux: nf_register_hook for IPv6: error %d\n", err); 4699 4700 #endif /* IPV6 */ 4701 4702 out: 4703 return err; 4704 } 4705 4706 __initcall(selinux_nf_ip_init); 4707 4708 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 4709 static void selinux_nf_ip_exit(void) 4710 { 4711 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n"); 4712 4713 nf_unregister_hook(&selinux_ipv4_op); 4714 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4715 nf_unregister_hook(&selinux_ipv6_op); 4716 #endif /* IPV6 */ 4717 } 4718 #endif 4719 4720 #else /* CONFIG_NETFILTER */ 4721 4722 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 4723 #define selinux_nf_ip_exit() 4724 #endif 4725 4726 #endif /* CONFIG_NETFILTER */ 4727 4728 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 4729 int selinux_disable(void) 4730 { 4731 extern void exit_sel_fs(void); 4732 static int selinux_disabled = 0; 4733 4734 if (ss_initialized) { 4735 /* Not permitted after initial policy load. */ 4736 return -EINVAL; 4737 } 4738 4739 if (selinux_disabled) { 4740 /* Only do this once. */ 4741 return -EINVAL; 4742 } 4743 4744 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 4745 4746 selinux_disabled = 1; 4747 selinux_enabled = 0; 4748 4749 /* Reset security_ops to the secondary module, dummy or capability. */ 4750 security_ops = secondary_ops; 4751 4752 /* Unregister netfilter hooks. */ 4753 selinux_nf_ip_exit(); 4754 4755 /* Unregister selinuxfs. */ 4756 exit_sel_fs(); 4757 4758 return 0; 4759 } 4760 #endif 4761 4762 4763