1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Eric Paris <eparis@redhat.com> 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 15 * <dgoeddel@trustedcs.com> 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 17 * Paul Moore <paul.moore@hp.com> 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 20 * 21 * This program is free software; you can redistribute it and/or modify 22 * it under the terms of the GNU General Public License version 2, 23 * as published by the Free Software Foundation. 24 */ 25 26 #include <linux/init.h> 27 #include <linux/kernel.h> 28 #include <linux/tracehook.h> 29 #include <linux/errno.h> 30 #include <linux/sched.h> 31 #include <linux/security.h> 32 #include <linux/xattr.h> 33 #include <linux/capability.h> 34 #include <linux/unistd.h> 35 #include <linux/mm.h> 36 #include <linux/mman.h> 37 #include <linux/slab.h> 38 #include <linux/pagemap.h> 39 #include <linux/swap.h> 40 #include <linux/spinlock.h> 41 #include <linux/syscalls.h> 42 #include <linux/file.h> 43 #include <linux/fdtable.h> 44 #include <linux/namei.h> 45 #include <linux/mount.h> 46 #include <linux/proc_fs.h> 47 #include <linux/netfilter_ipv4.h> 48 #include <linux/netfilter_ipv6.h> 49 #include <linux/tty.h> 50 #include <net/icmp.h> 51 #include <net/ip.h> /* for local_port_range[] */ 52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 53 #include <net/net_namespace.h> 54 #include <net/netlabel.h> 55 #include <linux/uaccess.h> 56 #include <asm/ioctls.h> 57 #include <asm/atomic.h> 58 #include <linux/bitops.h> 59 #include <linux/interrupt.h> 60 #include <linux/netdevice.h> /* for network interface checks */ 61 #include <linux/netlink.h> 62 #include <linux/tcp.h> 63 #include <linux/udp.h> 64 #include <linux/dccp.h> 65 #include <linux/quota.h> 66 #include <linux/un.h> /* for Unix socket types */ 67 #include <net/af_unix.h> /* for Unix socket types */ 68 #include <linux/parser.h> 69 #include <linux/nfs_mount.h> 70 #include <net/ipv6.h> 71 #include <linux/hugetlb.h> 72 #include <linux/personality.h> 73 #include <linux/sysctl.h> 74 #include <linux/audit.h> 75 #include <linux/string.h> 76 #include <linux/selinux.h> 77 #include <linux/mutex.h> 78 #include <linux/posix-timers.h> 79 #include <linux/syslog.h> 80 81 #include "avc.h" 82 #include "objsec.h" 83 #include "netif.h" 84 #include "netnode.h" 85 #include "netport.h" 86 #include "xfrm.h" 87 #include "netlabel.h" 88 #include "audit.h" 89 90 #define XATTR_SELINUX_SUFFIX "selinux" 91 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX 92 93 #define NUM_SEL_MNT_OPTS 5 94 95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); 96 extern struct security_operations *security_ops; 97 98 /* SECMARK reference count */ 99 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 100 101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 102 int selinux_enforcing; 103 104 static int __init enforcing_setup(char *str) 105 { 106 unsigned long enforcing; 107 if (!strict_strtoul(str, 0, &enforcing)) 108 selinux_enforcing = enforcing ? 1 : 0; 109 return 1; 110 } 111 __setup("enforcing=", enforcing_setup); 112 #endif 113 114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 116 117 static int __init selinux_enabled_setup(char *str) 118 { 119 unsigned long enabled; 120 if (!strict_strtoul(str, 0, &enabled)) 121 selinux_enabled = enabled ? 1 : 0; 122 return 1; 123 } 124 __setup("selinux=", selinux_enabled_setup); 125 #else 126 int selinux_enabled = 1; 127 #endif 128 129 130 /* 131 * Minimal support for a secondary security module, 132 * just to allow the use of the capability module. 133 */ 134 static struct security_operations *secondary_ops; 135 136 /* Lists of inode and superblock security structures initialized 137 before the policy was loaded. */ 138 static LIST_HEAD(superblock_security_head); 139 static DEFINE_SPINLOCK(sb_security_lock); 140 141 static struct kmem_cache *sel_inode_cache; 142 143 /** 144 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 145 * 146 * Description: 147 * This function checks the SECMARK reference counter to see if any SECMARK 148 * targets are currently configured, if the reference counter is greater than 149 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 150 * enabled, false (0) if SECMARK is disabled. 151 * 152 */ 153 static int selinux_secmark_enabled(void) 154 { 155 return (atomic_read(&selinux_secmark_refcount) > 0); 156 } 157 158 /* 159 * initialise the security for the init task 160 */ 161 static void cred_init_security(void) 162 { 163 struct cred *cred = (struct cred *) current->real_cred; 164 struct task_security_struct *tsec; 165 166 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 167 if (!tsec) 168 panic("SELinux: Failed to initialize initial task.\n"); 169 170 tsec->osid = tsec->sid = SECINITSID_KERNEL; 171 cred->security = tsec; 172 } 173 174 /* 175 * get the security ID of a set of credentials 176 */ 177 static inline u32 cred_sid(const struct cred *cred) 178 { 179 const struct task_security_struct *tsec; 180 181 tsec = cred->security; 182 return tsec->sid; 183 } 184 185 /* 186 * get the objective security ID of a task 187 */ 188 static inline u32 task_sid(const struct task_struct *task) 189 { 190 u32 sid; 191 192 rcu_read_lock(); 193 sid = cred_sid(__task_cred(task)); 194 rcu_read_unlock(); 195 return sid; 196 } 197 198 /* 199 * get the subjective security ID of the current task 200 */ 201 static inline u32 current_sid(void) 202 { 203 const struct task_security_struct *tsec = current_cred()->security; 204 205 return tsec->sid; 206 } 207 208 /* Allocate and free functions for each kind of security blob. */ 209 210 static int inode_alloc_security(struct inode *inode) 211 { 212 struct inode_security_struct *isec; 213 u32 sid = current_sid(); 214 215 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 216 if (!isec) 217 return -ENOMEM; 218 219 mutex_init(&isec->lock); 220 INIT_LIST_HEAD(&isec->list); 221 isec->inode = inode; 222 isec->sid = SECINITSID_UNLABELED; 223 isec->sclass = SECCLASS_FILE; 224 isec->task_sid = sid; 225 inode->i_security = isec; 226 227 return 0; 228 } 229 230 static void inode_free_security(struct inode *inode) 231 { 232 struct inode_security_struct *isec = inode->i_security; 233 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 234 235 spin_lock(&sbsec->isec_lock); 236 if (!list_empty(&isec->list)) 237 list_del_init(&isec->list); 238 spin_unlock(&sbsec->isec_lock); 239 240 inode->i_security = NULL; 241 kmem_cache_free(sel_inode_cache, isec); 242 } 243 244 static int file_alloc_security(struct file *file) 245 { 246 struct file_security_struct *fsec; 247 u32 sid = current_sid(); 248 249 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); 250 if (!fsec) 251 return -ENOMEM; 252 253 fsec->sid = sid; 254 fsec->fown_sid = sid; 255 file->f_security = fsec; 256 257 return 0; 258 } 259 260 static void file_free_security(struct file *file) 261 { 262 struct file_security_struct *fsec = file->f_security; 263 file->f_security = NULL; 264 kfree(fsec); 265 } 266 267 static int superblock_alloc_security(struct super_block *sb) 268 { 269 struct superblock_security_struct *sbsec; 270 271 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 272 if (!sbsec) 273 return -ENOMEM; 274 275 mutex_init(&sbsec->lock); 276 INIT_LIST_HEAD(&sbsec->list); 277 INIT_LIST_HEAD(&sbsec->isec_head); 278 spin_lock_init(&sbsec->isec_lock); 279 sbsec->sb = sb; 280 sbsec->sid = SECINITSID_UNLABELED; 281 sbsec->def_sid = SECINITSID_FILE; 282 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 283 sb->s_security = sbsec; 284 285 return 0; 286 } 287 288 static void superblock_free_security(struct super_block *sb) 289 { 290 struct superblock_security_struct *sbsec = sb->s_security; 291 292 spin_lock(&sb_security_lock); 293 if (!list_empty(&sbsec->list)) 294 list_del_init(&sbsec->list); 295 spin_unlock(&sb_security_lock); 296 297 sb->s_security = NULL; 298 kfree(sbsec); 299 } 300 301 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority) 302 { 303 struct sk_security_struct *ssec; 304 305 ssec = kzalloc(sizeof(*ssec), priority); 306 if (!ssec) 307 return -ENOMEM; 308 309 ssec->peer_sid = SECINITSID_UNLABELED; 310 ssec->sid = SECINITSID_UNLABELED; 311 sk->sk_security = ssec; 312 313 selinux_netlbl_sk_security_reset(ssec); 314 315 return 0; 316 } 317 318 static void sk_free_security(struct sock *sk) 319 { 320 struct sk_security_struct *ssec = sk->sk_security; 321 322 sk->sk_security = NULL; 323 selinux_netlbl_sk_security_free(ssec); 324 kfree(ssec); 325 } 326 327 /* The security server must be initialized before 328 any labeling or access decisions can be provided. */ 329 extern int ss_initialized; 330 331 /* The file system's label must be initialized prior to use. */ 332 333 static char *labeling_behaviors[6] = { 334 "uses xattr", 335 "uses transition SIDs", 336 "uses task SIDs", 337 "uses genfs_contexts", 338 "not configured for labeling", 339 "uses mountpoint labeling", 340 }; 341 342 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 343 344 static inline int inode_doinit(struct inode *inode) 345 { 346 return inode_doinit_with_dentry(inode, NULL); 347 } 348 349 enum { 350 Opt_error = -1, 351 Opt_context = 1, 352 Opt_fscontext = 2, 353 Opt_defcontext = 3, 354 Opt_rootcontext = 4, 355 Opt_labelsupport = 5, 356 }; 357 358 static const match_table_t tokens = { 359 {Opt_context, CONTEXT_STR "%s"}, 360 {Opt_fscontext, FSCONTEXT_STR "%s"}, 361 {Opt_defcontext, DEFCONTEXT_STR "%s"}, 362 {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, 363 {Opt_labelsupport, LABELSUPP_STR}, 364 {Opt_error, NULL}, 365 }; 366 367 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 368 369 static int may_context_mount_sb_relabel(u32 sid, 370 struct superblock_security_struct *sbsec, 371 const struct cred *cred) 372 { 373 const struct task_security_struct *tsec = cred->security; 374 int rc; 375 376 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 377 FILESYSTEM__RELABELFROM, NULL); 378 if (rc) 379 return rc; 380 381 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 382 FILESYSTEM__RELABELTO, NULL); 383 return rc; 384 } 385 386 static int may_context_mount_inode_relabel(u32 sid, 387 struct superblock_security_struct *sbsec, 388 const struct cred *cred) 389 { 390 const struct task_security_struct *tsec = cred->security; 391 int rc; 392 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 393 FILESYSTEM__RELABELFROM, NULL); 394 if (rc) 395 return rc; 396 397 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 398 FILESYSTEM__ASSOCIATE, NULL); 399 return rc; 400 } 401 402 static int sb_finish_set_opts(struct super_block *sb) 403 { 404 struct superblock_security_struct *sbsec = sb->s_security; 405 struct dentry *root = sb->s_root; 406 struct inode *root_inode = root->d_inode; 407 int rc = 0; 408 409 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 410 /* Make sure that the xattr handler exists and that no 411 error other than -ENODATA is returned by getxattr on 412 the root directory. -ENODATA is ok, as this may be 413 the first boot of the SELinux kernel before we have 414 assigned xattr values to the filesystem. */ 415 if (!root_inode->i_op->getxattr) { 416 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 417 "xattr support\n", sb->s_id, sb->s_type->name); 418 rc = -EOPNOTSUPP; 419 goto out; 420 } 421 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0); 422 if (rc < 0 && rc != -ENODATA) { 423 if (rc == -EOPNOTSUPP) 424 printk(KERN_WARNING "SELinux: (dev %s, type " 425 "%s) has no security xattr handler\n", 426 sb->s_id, sb->s_type->name); 427 else 428 printk(KERN_WARNING "SELinux: (dev %s, type " 429 "%s) getxattr errno %d\n", sb->s_id, 430 sb->s_type->name, -rc); 431 goto out; 432 } 433 } 434 435 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP); 436 437 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) 438 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", 439 sb->s_id, sb->s_type->name); 440 else 441 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n", 442 sb->s_id, sb->s_type->name, 443 labeling_behaviors[sbsec->behavior-1]); 444 445 if (sbsec->behavior == SECURITY_FS_USE_GENFS || 446 sbsec->behavior == SECURITY_FS_USE_MNTPOINT || 447 sbsec->behavior == SECURITY_FS_USE_NONE || 448 sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) 449 sbsec->flags &= ~SE_SBLABELSUPP; 450 451 /* Special handling for sysfs. Is genfs but also has setxattr handler*/ 452 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0) 453 sbsec->flags |= SE_SBLABELSUPP; 454 455 /* Initialize the root inode. */ 456 rc = inode_doinit_with_dentry(root_inode, root); 457 458 /* Initialize any other inodes associated with the superblock, e.g. 459 inodes created prior to initial policy load or inodes created 460 during get_sb by a pseudo filesystem that directly 461 populates itself. */ 462 spin_lock(&sbsec->isec_lock); 463 next_inode: 464 if (!list_empty(&sbsec->isec_head)) { 465 struct inode_security_struct *isec = 466 list_entry(sbsec->isec_head.next, 467 struct inode_security_struct, list); 468 struct inode *inode = isec->inode; 469 spin_unlock(&sbsec->isec_lock); 470 inode = igrab(inode); 471 if (inode) { 472 if (!IS_PRIVATE(inode)) 473 inode_doinit(inode); 474 iput(inode); 475 } 476 spin_lock(&sbsec->isec_lock); 477 list_del_init(&isec->list); 478 goto next_inode; 479 } 480 spin_unlock(&sbsec->isec_lock); 481 out: 482 return rc; 483 } 484 485 /* 486 * This function should allow an FS to ask what it's mount security 487 * options were so it can use those later for submounts, displaying 488 * mount options, or whatever. 489 */ 490 static int selinux_get_mnt_opts(const struct super_block *sb, 491 struct security_mnt_opts *opts) 492 { 493 int rc = 0, i; 494 struct superblock_security_struct *sbsec = sb->s_security; 495 char *context = NULL; 496 u32 len; 497 char tmp; 498 499 security_init_mnt_opts(opts); 500 501 if (!(sbsec->flags & SE_SBINITIALIZED)) 502 return -EINVAL; 503 504 if (!ss_initialized) 505 return -EINVAL; 506 507 tmp = sbsec->flags & SE_MNTMASK; 508 /* count the number of mount options for this sb */ 509 for (i = 0; i < 8; i++) { 510 if (tmp & 0x01) 511 opts->num_mnt_opts++; 512 tmp >>= 1; 513 } 514 /* Check if the Label support flag is set */ 515 if (sbsec->flags & SE_SBLABELSUPP) 516 opts->num_mnt_opts++; 517 518 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 519 if (!opts->mnt_opts) { 520 rc = -ENOMEM; 521 goto out_free; 522 } 523 524 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); 525 if (!opts->mnt_opts_flags) { 526 rc = -ENOMEM; 527 goto out_free; 528 } 529 530 i = 0; 531 if (sbsec->flags & FSCONTEXT_MNT) { 532 rc = security_sid_to_context(sbsec->sid, &context, &len); 533 if (rc) 534 goto out_free; 535 opts->mnt_opts[i] = context; 536 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 537 } 538 if (sbsec->flags & CONTEXT_MNT) { 539 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); 540 if (rc) 541 goto out_free; 542 opts->mnt_opts[i] = context; 543 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 544 } 545 if (sbsec->flags & DEFCONTEXT_MNT) { 546 rc = security_sid_to_context(sbsec->def_sid, &context, &len); 547 if (rc) 548 goto out_free; 549 opts->mnt_opts[i] = context; 550 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 551 } 552 if (sbsec->flags & ROOTCONTEXT_MNT) { 553 struct inode *root = sbsec->sb->s_root->d_inode; 554 struct inode_security_struct *isec = root->i_security; 555 556 rc = security_sid_to_context(isec->sid, &context, &len); 557 if (rc) 558 goto out_free; 559 opts->mnt_opts[i] = context; 560 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 561 } 562 if (sbsec->flags & SE_SBLABELSUPP) { 563 opts->mnt_opts[i] = NULL; 564 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP; 565 } 566 567 BUG_ON(i != opts->num_mnt_opts); 568 569 return 0; 570 571 out_free: 572 security_free_mnt_opts(opts); 573 return rc; 574 } 575 576 static int bad_option(struct superblock_security_struct *sbsec, char flag, 577 u32 old_sid, u32 new_sid) 578 { 579 char mnt_flags = sbsec->flags & SE_MNTMASK; 580 581 /* check if the old mount command had the same options */ 582 if (sbsec->flags & SE_SBINITIALIZED) 583 if (!(sbsec->flags & flag) || 584 (old_sid != new_sid)) 585 return 1; 586 587 /* check if we were passed the same options twice, 588 * aka someone passed context=a,context=b 589 */ 590 if (!(sbsec->flags & SE_SBINITIALIZED)) 591 if (mnt_flags & flag) 592 return 1; 593 return 0; 594 } 595 596 /* 597 * Allow filesystems with binary mount data to explicitly set mount point 598 * labeling information. 599 */ 600 static int selinux_set_mnt_opts(struct super_block *sb, 601 struct security_mnt_opts *opts) 602 { 603 const struct cred *cred = current_cred(); 604 int rc = 0, i; 605 struct superblock_security_struct *sbsec = sb->s_security; 606 const char *name = sb->s_type->name; 607 struct inode *inode = sbsec->sb->s_root->d_inode; 608 struct inode_security_struct *root_isec = inode->i_security; 609 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 610 u32 defcontext_sid = 0; 611 char **mount_options = opts->mnt_opts; 612 int *flags = opts->mnt_opts_flags; 613 int num_opts = opts->num_mnt_opts; 614 615 mutex_lock(&sbsec->lock); 616 617 if (!ss_initialized) { 618 if (!num_opts) { 619 /* Defer initialization until selinux_complete_init, 620 after the initial policy is loaded and the security 621 server is ready to handle calls. */ 622 spin_lock(&sb_security_lock); 623 if (list_empty(&sbsec->list)) 624 list_add(&sbsec->list, &superblock_security_head); 625 spin_unlock(&sb_security_lock); 626 goto out; 627 } 628 rc = -EINVAL; 629 printk(KERN_WARNING "SELinux: Unable to set superblock options " 630 "before the security server is initialized\n"); 631 goto out; 632 } 633 634 /* 635 * Binary mount data FS will come through this function twice. Once 636 * from an explicit call and once from the generic calls from the vfs. 637 * Since the generic VFS calls will not contain any security mount data 638 * we need to skip the double mount verification. 639 * 640 * This does open a hole in which we will not notice if the first 641 * mount using this sb set explict options and a second mount using 642 * this sb does not set any security options. (The first options 643 * will be used for both mounts) 644 */ 645 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 646 && (num_opts == 0)) 647 goto out; 648 649 /* 650 * parse the mount options, check if they are valid sids. 651 * also check if someone is trying to mount the same sb more 652 * than once with different security options. 653 */ 654 for (i = 0; i < num_opts; i++) { 655 u32 sid; 656 657 if (flags[i] == SE_SBLABELSUPP) 658 continue; 659 rc = security_context_to_sid(mount_options[i], 660 strlen(mount_options[i]), &sid); 661 if (rc) { 662 printk(KERN_WARNING "SELinux: security_context_to_sid" 663 "(%s) failed for (dev %s, type %s) errno=%d\n", 664 mount_options[i], sb->s_id, name, rc); 665 goto out; 666 } 667 switch (flags[i]) { 668 case FSCONTEXT_MNT: 669 fscontext_sid = sid; 670 671 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 672 fscontext_sid)) 673 goto out_double_mount; 674 675 sbsec->flags |= FSCONTEXT_MNT; 676 break; 677 case CONTEXT_MNT: 678 context_sid = sid; 679 680 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 681 context_sid)) 682 goto out_double_mount; 683 684 sbsec->flags |= CONTEXT_MNT; 685 break; 686 case ROOTCONTEXT_MNT: 687 rootcontext_sid = sid; 688 689 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 690 rootcontext_sid)) 691 goto out_double_mount; 692 693 sbsec->flags |= ROOTCONTEXT_MNT; 694 695 break; 696 case DEFCONTEXT_MNT: 697 defcontext_sid = sid; 698 699 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 700 defcontext_sid)) 701 goto out_double_mount; 702 703 sbsec->flags |= DEFCONTEXT_MNT; 704 705 break; 706 default: 707 rc = -EINVAL; 708 goto out; 709 } 710 } 711 712 if (sbsec->flags & SE_SBINITIALIZED) { 713 /* previously mounted with options, but not on this attempt? */ 714 if ((sbsec->flags & SE_MNTMASK) && !num_opts) 715 goto out_double_mount; 716 rc = 0; 717 goto out; 718 } 719 720 if (strcmp(sb->s_type->name, "proc") == 0) 721 sbsec->flags |= SE_SBPROC; 722 723 /* Determine the labeling behavior to use for this filesystem type. */ 724 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid); 725 if (rc) { 726 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", 727 __func__, sb->s_type->name, rc); 728 goto out; 729 } 730 731 /* sets the context of the superblock for the fs being mounted. */ 732 if (fscontext_sid) { 733 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 734 if (rc) 735 goto out; 736 737 sbsec->sid = fscontext_sid; 738 } 739 740 /* 741 * Switch to using mount point labeling behavior. 742 * sets the label used on all file below the mountpoint, and will set 743 * the superblock context if not already set. 744 */ 745 if (context_sid) { 746 if (!fscontext_sid) { 747 rc = may_context_mount_sb_relabel(context_sid, sbsec, 748 cred); 749 if (rc) 750 goto out; 751 sbsec->sid = context_sid; 752 } else { 753 rc = may_context_mount_inode_relabel(context_sid, sbsec, 754 cred); 755 if (rc) 756 goto out; 757 } 758 if (!rootcontext_sid) 759 rootcontext_sid = context_sid; 760 761 sbsec->mntpoint_sid = context_sid; 762 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 763 } 764 765 if (rootcontext_sid) { 766 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 767 cred); 768 if (rc) 769 goto out; 770 771 root_isec->sid = rootcontext_sid; 772 root_isec->initialized = 1; 773 } 774 775 if (defcontext_sid) { 776 if (sbsec->behavior != SECURITY_FS_USE_XATTR) { 777 rc = -EINVAL; 778 printk(KERN_WARNING "SELinux: defcontext option is " 779 "invalid for this filesystem type\n"); 780 goto out; 781 } 782 783 if (defcontext_sid != sbsec->def_sid) { 784 rc = may_context_mount_inode_relabel(defcontext_sid, 785 sbsec, cred); 786 if (rc) 787 goto out; 788 } 789 790 sbsec->def_sid = defcontext_sid; 791 } 792 793 rc = sb_finish_set_opts(sb); 794 out: 795 mutex_unlock(&sbsec->lock); 796 return rc; 797 out_double_mount: 798 rc = -EINVAL; 799 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 800 "security settings for (dev %s, type %s)\n", sb->s_id, name); 801 goto out; 802 } 803 804 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 805 struct super_block *newsb) 806 { 807 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 808 struct superblock_security_struct *newsbsec = newsb->s_security; 809 810 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 811 int set_context = (oldsbsec->flags & CONTEXT_MNT); 812 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 813 814 /* 815 * if the parent was able to be mounted it clearly had no special lsm 816 * mount options. thus we can safely put this sb on the list and deal 817 * with it later 818 */ 819 if (!ss_initialized) { 820 spin_lock(&sb_security_lock); 821 if (list_empty(&newsbsec->list)) 822 list_add(&newsbsec->list, &superblock_security_head); 823 spin_unlock(&sb_security_lock); 824 return; 825 } 826 827 /* how can we clone if the old one wasn't set up?? */ 828 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 829 830 /* if fs is reusing a sb, just let its options stand... */ 831 if (newsbsec->flags & SE_SBINITIALIZED) 832 return; 833 834 mutex_lock(&newsbsec->lock); 835 836 newsbsec->flags = oldsbsec->flags; 837 838 newsbsec->sid = oldsbsec->sid; 839 newsbsec->def_sid = oldsbsec->def_sid; 840 newsbsec->behavior = oldsbsec->behavior; 841 842 if (set_context) { 843 u32 sid = oldsbsec->mntpoint_sid; 844 845 if (!set_fscontext) 846 newsbsec->sid = sid; 847 if (!set_rootcontext) { 848 struct inode *newinode = newsb->s_root->d_inode; 849 struct inode_security_struct *newisec = newinode->i_security; 850 newisec->sid = sid; 851 } 852 newsbsec->mntpoint_sid = sid; 853 } 854 if (set_rootcontext) { 855 const struct inode *oldinode = oldsb->s_root->d_inode; 856 const struct inode_security_struct *oldisec = oldinode->i_security; 857 struct inode *newinode = newsb->s_root->d_inode; 858 struct inode_security_struct *newisec = newinode->i_security; 859 860 newisec->sid = oldisec->sid; 861 } 862 863 sb_finish_set_opts(newsb); 864 mutex_unlock(&newsbsec->lock); 865 } 866 867 static int selinux_parse_opts_str(char *options, 868 struct security_mnt_opts *opts) 869 { 870 char *p; 871 char *context = NULL, *defcontext = NULL; 872 char *fscontext = NULL, *rootcontext = NULL; 873 int rc, num_mnt_opts = 0; 874 875 opts->num_mnt_opts = 0; 876 877 /* Standard string-based options. */ 878 while ((p = strsep(&options, "|")) != NULL) { 879 int token; 880 substring_t args[MAX_OPT_ARGS]; 881 882 if (!*p) 883 continue; 884 885 token = match_token(p, tokens, args); 886 887 switch (token) { 888 case Opt_context: 889 if (context || defcontext) { 890 rc = -EINVAL; 891 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 892 goto out_err; 893 } 894 context = match_strdup(&args[0]); 895 if (!context) { 896 rc = -ENOMEM; 897 goto out_err; 898 } 899 break; 900 901 case Opt_fscontext: 902 if (fscontext) { 903 rc = -EINVAL; 904 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 905 goto out_err; 906 } 907 fscontext = match_strdup(&args[0]); 908 if (!fscontext) { 909 rc = -ENOMEM; 910 goto out_err; 911 } 912 break; 913 914 case Opt_rootcontext: 915 if (rootcontext) { 916 rc = -EINVAL; 917 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 918 goto out_err; 919 } 920 rootcontext = match_strdup(&args[0]); 921 if (!rootcontext) { 922 rc = -ENOMEM; 923 goto out_err; 924 } 925 break; 926 927 case Opt_defcontext: 928 if (context || defcontext) { 929 rc = -EINVAL; 930 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 931 goto out_err; 932 } 933 defcontext = match_strdup(&args[0]); 934 if (!defcontext) { 935 rc = -ENOMEM; 936 goto out_err; 937 } 938 break; 939 case Opt_labelsupport: 940 break; 941 default: 942 rc = -EINVAL; 943 printk(KERN_WARNING "SELinux: unknown mount option\n"); 944 goto out_err; 945 946 } 947 } 948 949 rc = -ENOMEM; 950 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC); 951 if (!opts->mnt_opts) 952 goto out_err; 953 954 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC); 955 if (!opts->mnt_opts_flags) { 956 kfree(opts->mnt_opts); 957 goto out_err; 958 } 959 960 if (fscontext) { 961 opts->mnt_opts[num_mnt_opts] = fscontext; 962 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 963 } 964 if (context) { 965 opts->mnt_opts[num_mnt_opts] = context; 966 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 967 } 968 if (rootcontext) { 969 opts->mnt_opts[num_mnt_opts] = rootcontext; 970 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 971 } 972 if (defcontext) { 973 opts->mnt_opts[num_mnt_opts] = defcontext; 974 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 975 } 976 977 opts->num_mnt_opts = num_mnt_opts; 978 return 0; 979 980 out_err: 981 kfree(context); 982 kfree(defcontext); 983 kfree(fscontext); 984 kfree(rootcontext); 985 return rc; 986 } 987 /* 988 * string mount options parsing and call set the sbsec 989 */ 990 static int superblock_doinit(struct super_block *sb, void *data) 991 { 992 int rc = 0; 993 char *options = data; 994 struct security_mnt_opts opts; 995 996 security_init_mnt_opts(&opts); 997 998 if (!data) 999 goto out; 1000 1001 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); 1002 1003 rc = selinux_parse_opts_str(options, &opts); 1004 if (rc) 1005 goto out_err; 1006 1007 out: 1008 rc = selinux_set_mnt_opts(sb, &opts); 1009 1010 out_err: 1011 security_free_mnt_opts(&opts); 1012 return rc; 1013 } 1014 1015 static void selinux_write_opts(struct seq_file *m, 1016 struct security_mnt_opts *opts) 1017 { 1018 int i; 1019 char *prefix; 1020 1021 for (i = 0; i < opts->num_mnt_opts; i++) { 1022 char *has_comma; 1023 1024 if (opts->mnt_opts[i]) 1025 has_comma = strchr(opts->mnt_opts[i], ','); 1026 else 1027 has_comma = NULL; 1028 1029 switch (opts->mnt_opts_flags[i]) { 1030 case CONTEXT_MNT: 1031 prefix = CONTEXT_STR; 1032 break; 1033 case FSCONTEXT_MNT: 1034 prefix = FSCONTEXT_STR; 1035 break; 1036 case ROOTCONTEXT_MNT: 1037 prefix = ROOTCONTEXT_STR; 1038 break; 1039 case DEFCONTEXT_MNT: 1040 prefix = DEFCONTEXT_STR; 1041 break; 1042 case SE_SBLABELSUPP: 1043 seq_putc(m, ','); 1044 seq_puts(m, LABELSUPP_STR); 1045 continue; 1046 default: 1047 BUG(); 1048 }; 1049 /* we need a comma before each option */ 1050 seq_putc(m, ','); 1051 seq_puts(m, prefix); 1052 if (has_comma) 1053 seq_putc(m, '\"'); 1054 seq_puts(m, opts->mnt_opts[i]); 1055 if (has_comma) 1056 seq_putc(m, '\"'); 1057 } 1058 } 1059 1060 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1061 { 1062 struct security_mnt_opts opts; 1063 int rc; 1064 1065 rc = selinux_get_mnt_opts(sb, &opts); 1066 if (rc) { 1067 /* before policy load we may get EINVAL, don't show anything */ 1068 if (rc == -EINVAL) 1069 rc = 0; 1070 return rc; 1071 } 1072 1073 selinux_write_opts(m, &opts); 1074 1075 security_free_mnt_opts(&opts); 1076 1077 return rc; 1078 } 1079 1080 static inline u16 inode_mode_to_security_class(umode_t mode) 1081 { 1082 switch (mode & S_IFMT) { 1083 case S_IFSOCK: 1084 return SECCLASS_SOCK_FILE; 1085 case S_IFLNK: 1086 return SECCLASS_LNK_FILE; 1087 case S_IFREG: 1088 return SECCLASS_FILE; 1089 case S_IFBLK: 1090 return SECCLASS_BLK_FILE; 1091 case S_IFDIR: 1092 return SECCLASS_DIR; 1093 case S_IFCHR: 1094 return SECCLASS_CHR_FILE; 1095 case S_IFIFO: 1096 return SECCLASS_FIFO_FILE; 1097 1098 } 1099 1100 return SECCLASS_FILE; 1101 } 1102 1103 static inline int default_protocol_stream(int protocol) 1104 { 1105 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1106 } 1107 1108 static inline int default_protocol_dgram(int protocol) 1109 { 1110 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1111 } 1112 1113 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1114 { 1115 switch (family) { 1116 case PF_UNIX: 1117 switch (type) { 1118 case SOCK_STREAM: 1119 case SOCK_SEQPACKET: 1120 return SECCLASS_UNIX_STREAM_SOCKET; 1121 case SOCK_DGRAM: 1122 return SECCLASS_UNIX_DGRAM_SOCKET; 1123 } 1124 break; 1125 case PF_INET: 1126 case PF_INET6: 1127 switch (type) { 1128 case SOCK_STREAM: 1129 if (default_protocol_stream(protocol)) 1130 return SECCLASS_TCP_SOCKET; 1131 else 1132 return SECCLASS_RAWIP_SOCKET; 1133 case SOCK_DGRAM: 1134 if (default_protocol_dgram(protocol)) 1135 return SECCLASS_UDP_SOCKET; 1136 else 1137 return SECCLASS_RAWIP_SOCKET; 1138 case SOCK_DCCP: 1139 return SECCLASS_DCCP_SOCKET; 1140 default: 1141 return SECCLASS_RAWIP_SOCKET; 1142 } 1143 break; 1144 case PF_NETLINK: 1145 switch (protocol) { 1146 case NETLINK_ROUTE: 1147 return SECCLASS_NETLINK_ROUTE_SOCKET; 1148 case NETLINK_FIREWALL: 1149 return SECCLASS_NETLINK_FIREWALL_SOCKET; 1150 case NETLINK_INET_DIAG: 1151 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1152 case NETLINK_NFLOG: 1153 return SECCLASS_NETLINK_NFLOG_SOCKET; 1154 case NETLINK_XFRM: 1155 return SECCLASS_NETLINK_XFRM_SOCKET; 1156 case NETLINK_SELINUX: 1157 return SECCLASS_NETLINK_SELINUX_SOCKET; 1158 case NETLINK_AUDIT: 1159 return SECCLASS_NETLINK_AUDIT_SOCKET; 1160 case NETLINK_IP6_FW: 1161 return SECCLASS_NETLINK_IP6FW_SOCKET; 1162 case NETLINK_DNRTMSG: 1163 return SECCLASS_NETLINK_DNRT_SOCKET; 1164 case NETLINK_KOBJECT_UEVENT: 1165 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1166 default: 1167 return SECCLASS_NETLINK_SOCKET; 1168 } 1169 case PF_PACKET: 1170 return SECCLASS_PACKET_SOCKET; 1171 case PF_KEY: 1172 return SECCLASS_KEY_SOCKET; 1173 case PF_APPLETALK: 1174 return SECCLASS_APPLETALK_SOCKET; 1175 } 1176 1177 return SECCLASS_SOCKET; 1178 } 1179 1180 #ifdef CONFIG_PROC_FS 1181 static int selinux_proc_get_sid(struct proc_dir_entry *de, 1182 u16 tclass, 1183 u32 *sid) 1184 { 1185 int buflen, rc; 1186 char *buffer, *path, *end; 1187 1188 buffer = (char *)__get_free_page(GFP_KERNEL); 1189 if (!buffer) 1190 return -ENOMEM; 1191 1192 buflen = PAGE_SIZE; 1193 end = buffer+buflen; 1194 *--end = '\0'; 1195 buflen--; 1196 path = end-1; 1197 *path = '/'; 1198 while (de && de != de->parent) { 1199 buflen -= de->namelen + 1; 1200 if (buflen < 0) 1201 break; 1202 end -= de->namelen; 1203 memcpy(end, de->name, de->namelen); 1204 *--end = '/'; 1205 path = end; 1206 de = de->parent; 1207 } 1208 rc = security_genfs_sid("proc", path, tclass, sid); 1209 free_page((unsigned long)buffer); 1210 return rc; 1211 } 1212 #else 1213 static int selinux_proc_get_sid(struct proc_dir_entry *de, 1214 u16 tclass, 1215 u32 *sid) 1216 { 1217 return -EINVAL; 1218 } 1219 #endif 1220 1221 /* The inode's security attributes must be initialized before first use. */ 1222 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1223 { 1224 struct superblock_security_struct *sbsec = NULL; 1225 struct inode_security_struct *isec = inode->i_security; 1226 u32 sid; 1227 struct dentry *dentry; 1228 #define INITCONTEXTLEN 255 1229 char *context = NULL; 1230 unsigned len = 0; 1231 int rc = 0; 1232 1233 if (isec->initialized) 1234 goto out; 1235 1236 mutex_lock(&isec->lock); 1237 if (isec->initialized) 1238 goto out_unlock; 1239 1240 sbsec = inode->i_sb->s_security; 1241 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1242 /* Defer initialization until selinux_complete_init, 1243 after the initial policy is loaded and the security 1244 server is ready to handle calls. */ 1245 spin_lock(&sbsec->isec_lock); 1246 if (list_empty(&isec->list)) 1247 list_add(&isec->list, &sbsec->isec_head); 1248 spin_unlock(&sbsec->isec_lock); 1249 goto out_unlock; 1250 } 1251 1252 switch (sbsec->behavior) { 1253 case SECURITY_FS_USE_XATTR: 1254 if (!inode->i_op->getxattr) { 1255 isec->sid = sbsec->def_sid; 1256 break; 1257 } 1258 1259 /* Need a dentry, since the xattr API requires one. 1260 Life would be simpler if we could just pass the inode. */ 1261 if (opt_dentry) { 1262 /* Called from d_instantiate or d_splice_alias. */ 1263 dentry = dget(opt_dentry); 1264 } else { 1265 /* Called from selinux_complete_init, try to find a dentry. */ 1266 dentry = d_find_alias(inode); 1267 } 1268 if (!dentry) { 1269 /* 1270 * this is can be hit on boot when a file is accessed 1271 * before the policy is loaded. When we load policy we 1272 * may find inodes that have no dentry on the 1273 * sbsec->isec_head list. No reason to complain as these 1274 * will get fixed up the next time we go through 1275 * inode_doinit with a dentry, before these inodes could 1276 * be used again by userspace. 1277 */ 1278 goto out_unlock; 1279 } 1280 1281 len = INITCONTEXTLEN; 1282 context = kmalloc(len+1, GFP_NOFS); 1283 if (!context) { 1284 rc = -ENOMEM; 1285 dput(dentry); 1286 goto out_unlock; 1287 } 1288 context[len] = '\0'; 1289 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1290 context, len); 1291 if (rc == -ERANGE) { 1292 kfree(context); 1293 1294 /* Need a larger buffer. Query for the right size. */ 1295 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1296 NULL, 0); 1297 if (rc < 0) { 1298 dput(dentry); 1299 goto out_unlock; 1300 } 1301 len = rc; 1302 context = kmalloc(len+1, GFP_NOFS); 1303 if (!context) { 1304 rc = -ENOMEM; 1305 dput(dentry); 1306 goto out_unlock; 1307 } 1308 context[len] = '\0'; 1309 rc = inode->i_op->getxattr(dentry, 1310 XATTR_NAME_SELINUX, 1311 context, len); 1312 } 1313 dput(dentry); 1314 if (rc < 0) { 1315 if (rc != -ENODATA) { 1316 printk(KERN_WARNING "SELinux: %s: getxattr returned " 1317 "%d for dev=%s ino=%ld\n", __func__, 1318 -rc, inode->i_sb->s_id, inode->i_ino); 1319 kfree(context); 1320 goto out_unlock; 1321 } 1322 /* Map ENODATA to the default file SID */ 1323 sid = sbsec->def_sid; 1324 rc = 0; 1325 } else { 1326 rc = security_context_to_sid_default(context, rc, &sid, 1327 sbsec->def_sid, 1328 GFP_NOFS); 1329 if (rc) { 1330 char *dev = inode->i_sb->s_id; 1331 unsigned long ino = inode->i_ino; 1332 1333 if (rc == -EINVAL) { 1334 if (printk_ratelimit()) 1335 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " 1336 "context=%s. This indicates you may need to relabel the inode or the " 1337 "filesystem in question.\n", ino, dev, context); 1338 } else { 1339 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " 1340 "returned %d for dev=%s ino=%ld\n", 1341 __func__, context, -rc, dev, ino); 1342 } 1343 kfree(context); 1344 /* Leave with the unlabeled SID */ 1345 rc = 0; 1346 break; 1347 } 1348 } 1349 kfree(context); 1350 isec->sid = sid; 1351 break; 1352 case SECURITY_FS_USE_TASK: 1353 isec->sid = isec->task_sid; 1354 break; 1355 case SECURITY_FS_USE_TRANS: 1356 /* Default to the fs SID. */ 1357 isec->sid = sbsec->sid; 1358 1359 /* Try to obtain a transition SID. */ 1360 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1361 rc = security_transition_sid(isec->task_sid, 1362 sbsec->sid, 1363 isec->sclass, 1364 &sid); 1365 if (rc) 1366 goto out_unlock; 1367 isec->sid = sid; 1368 break; 1369 case SECURITY_FS_USE_MNTPOINT: 1370 isec->sid = sbsec->mntpoint_sid; 1371 break; 1372 default: 1373 /* Default to the fs superblock SID. */ 1374 isec->sid = sbsec->sid; 1375 1376 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) { 1377 struct proc_inode *proci = PROC_I(inode); 1378 if (proci->pde) { 1379 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1380 rc = selinux_proc_get_sid(proci->pde, 1381 isec->sclass, 1382 &sid); 1383 if (rc) 1384 goto out_unlock; 1385 isec->sid = sid; 1386 } 1387 } 1388 break; 1389 } 1390 1391 isec->initialized = 1; 1392 1393 out_unlock: 1394 mutex_unlock(&isec->lock); 1395 out: 1396 if (isec->sclass == SECCLASS_FILE) 1397 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1398 return rc; 1399 } 1400 1401 /* Convert a Linux signal to an access vector. */ 1402 static inline u32 signal_to_av(int sig) 1403 { 1404 u32 perm = 0; 1405 1406 switch (sig) { 1407 case SIGCHLD: 1408 /* Commonly granted from child to parent. */ 1409 perm = PROCESS__SIGCHLD; 1410 break; 1411 case SIGKILL: 1412 /* Cannot be caught or ignored */ 1413 perm = PROCESS__SIGKILL; 1414 break; 1415 case SIGSTOP: 1416 /* Cannot be caught or ignored */ 1417 perm = PROCESS__SIGSTOP; 1418 break; 1419 default: 1420 /* All other signals. */ 1421 perm = PROCESS__SIGNAL; 1422 break; 1423 } 1424 1425 return perm; 1426 } 1427 1428 /* 1429 * Check permission between a pair of credentials 1430 * fork check, ptrace check, etc. 1431 */ 1432 static int cred_has_perm(const struct cred *actor, 1433 const struct cred *target, 1434 u32 perms) 1435 { 1436 u32 asid = cred_sid(actor), tsid = cred_sid(target); 1437 1438 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL); 1439 } 1440 1441 /* 1442 * Check permission between a pair of tasks, e.g. signal checks, 1443 * fork check, ptrace check, etc. 1444 * tsk1 is the actor and tsk2 is the target 1445 * - this uses the default subjective creds of tsk1 1446 */ 1447 static int task_has_perm(const struct task_struct *tsk1, 1448 const struct task_struct *tsk2, 1449 u32 perms) 1450 { 1451 const struct task_security_struct *__tsec1, *__tsec2; 1452 u32 sid1, sid2; 1453 1454 rcu_read_lock(); 1455 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid; 1456 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid; 1457 rcu_read_unlock(); 1458 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL); 1459 } 1460 1461 /* 1462 * Check permission between current and another task, e.g. signal checks, 1463 * fork check, ptrace check, etc. 1464 * current is the actor and tsk2 is the target 1465 * - this uses current's subjective creds 1466 */ 1467 static int current_has_perm(const struct task_struct *tsk, 1468 u32 perms) 1469 { 1470 u32 sid, tsid; 1471 1472 sid = current_sid(); 1473 tsid = task_sid(tsk); 1474 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL); 1475 } 1476 1477 #if CAP_LAST_CAP > 63 1478 #error Fix SELinux to handle capabilities > 63. 1479 #endif 1480 1481 /* Check whether a task is allowed to use a capability. */ 1482 static int task_has_capability(struct task_struct *tsk, 1483 const struct cred *cred, 1484 int cap, int audit) 1485 { 1486 struct common_audit_data ad; 1487 struct av_decision avd; 1488 u16 sclass; 1489 u32 sid = cred_sid(cred); 1490 u32 av = CAP_TO_MASK(cap); 1491 int rc; 1492 1493 COMMON_AUDIT_DATA_INIT(&ad, CAP); 1494 ad.tsk = tsk; 1495 ad.u.cap = cap; 1496 1497 switch (CAP_TO_INDEX(cap)) { 1498 case 0: 1499 sclass = SECCLASS_CAPABILITY; 1500 break; 1501 case 1: 1502 sclass = SECCLASS_CAPABILITY2; 1503 break; 1504 default: 1505 printk(KERN_ERR 1506 "SELinux: out of range capability %d\n", cap); 1507 BUG(); 1508 } 1509 1510 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1511 if (audit == SECURITY_CAP_AUDIT) 1512 avc_audit(sid, sid, sclass, av, &avd, rc, &ad); 1513 return rc; 1514 } 1515 1516 /* Check whether a task is allowed to use a system operation. */ 1517 static int task_has_system(struct task_struct *tsk, 1518 u32 perms) 1519 { 1520 u32 sid = task_sid(tsk); 1521 1522 return avc_has_perm(sid, SECINITSID_KERNEL, 1523 SECCLASS_SYSTEM, perms, NULL); 1524 } 1525 1526 /* Check whether a task has a particular permission to an inode. 1527 The 'adp' parameter is optional and allows other audit 1528 data to be passed (e.g. the dentry). */ 1529 static int inode_has_perm(const struct cred *cred, 1530 struct inode *inode, 1531 u32 perms, 1532 struct common_audit_data *adp) 1533 { 1534 struct inode_security_struct *isec; 1535 struct common_audit_data ad; 1536 u32 sid; 1537 1538 validate_creds(cred); 1539 1540 if (unlikely(IS_PRIVATE(inode))) 1541 return 0; 1542 1543 sid = cred_sid(cred); 1544 isec = inode->i_security; 1545 1546 if (!adp) { 1547 adp = &ad; 1548 COMMON_AUDIT_DATA_INIT(&ad, FS); 1549 ad.u.fs.inode = inode; 1550 } 1551 1552 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1553 } 1554 1555 /* Same as inode_has_perm, but pass explicit audit data containing 1556 the dentry to help the auditing code to more easily generate the 1557 pathname if needed. */ 1558 static inline int dentry_has_perm(const struct cred *cred, 1559 struct vfsmount *mnt, 1560 struct dentry *dentry, 1561 u32 av) 1562 { 1563 struct inode *inode = dentry->d_inode; 1564 struct common_audit_data ad; 1565 1566 COMMON_AUDIT_DATA_INIT(&ad, FS); 1567 ad.u.fs.path.mnt = mnt; 1568 ad.u.fs.path.dentry = dentry; 1569 return inode_has_perm(cred, inode, av, &ad); 1570 } 1571 1572 /* Check whether a task can use an open file descriptor to 1573 access an inode in a given way. Check access to the 1574 descriptor itself, and then use dentry_has_perm to 1575 check a particular permission to the file. 1576 Access to the descriptor is implicitly granted if it 1577 has the same SID as the process. If av is zero, then 1578 access to the file is not checked, e.g. for cases 1579 where only the descriptor is affected like seek. */ 1580 static int file_has_perm(const struct cred *cred, 1581 struct file *file, 1582 u32 av) 1583 { 1584 struct file_security_struct *fsec = file->f_security; 1585 struct inode *inode = file->f_path.dentry->d_inode; 1586 struct common_audit_data ad; 1587 u32 sid = cred_sid(cred); 1588 int rc; 1589 1590 COMMON_AUDIT_DATA_INIT(&ad, FS); 1591 ad.u.fs.path = file->f_path; 1592 1593 if (sid != fsec->sid) { 1594 rc = avc_has_perm(sid, fsec->sid, 1595 SECCLASS_FD, 1596 FD__USE, 1597 &ad); 1598 if (rc) 1599 goto out; 1600 } 1601 1602 /* av is zero if only checking access to the descriptor. */ 1603 rc = 0; 1604 if (av) 1605 rc = inode_has_perm(cred, inode, av, &ad); 1606 1607 out: 1608 return rc; 1609 } 1610 1611 /* Check whether a task can create a file. */ 1612 static int may_create(struct inode *dir, 1613 struct dentry *dentry, 1614 u16 tclass) 1615 { 1616 const struct cred *cred = current_cred(); 1617 const struct task_security_struct *tsec = cred->security; 1618 struct inode_security_struct *dsec; 1619 struct superblock_security_struct *sbsec; 1620 u32 sid, newsid; 1621 struct common_audit_data ad; 1622 int rc; 1623 1624 dsec = dir->i_security; 1625 sbsec = dir->i_sb->s_security; 1626 1627 sid = tsec->sid; 1628 newsid = tsec->create_sid; 1629 1630 COMMON_AUDIT_DATA_INIT(&ad, FS); 1631 ad.u.fs.path.dentry = dentry; 1632 1633 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1634 DIR__ADD_NAME | DIR__SEARCH, 1635 &ad); 1636 if (rc) 1637 return rc; 1638 1639 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { 1640 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid); 1641 if (rc) 1642 return rc; 1643 } 1644 1645 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1646 if (rc) 1647 return rc; 1648 1649 return avc_has_perm(newsid, sbsec->sid, 1650 SECCLASS_FILESYSTEM, 1651 FILESYSTEM__ASSOCIATE, &ad); 1652 } 1653 1654 /* Check whether a task can create a key. */ 1655 static int may_create_key(u32 ksid, 1656 struct task_struct *ctx) 1657 { 1658 u32 sid = task_sid(ctx); 1659 1660 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); 1661 } 1662 1663 #define MAY_LINK 0 1664 #define MAY_UNLINK 1 1665 #define MAY_RMDIR 2 1666 1667 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1668 static int may_link(struct inode *dir, 1669 struct dentry *dentry, 1670 int kind) 1671 1672 { 1673 struct inode_security_struct *dsec, *isec; 1674 struct common_audit_data ad; 1675 u32 sid = current_sid(); 1676 u32 av; 1677 int rc; 1678 1679 dsec = dir->i_security; 1680 isec = dentry->d_inode->i_security; 1681 1682 COMMON_AUDIT_DATA_INIT(&ad, FS); 1683 ad.u.fs.path.dentry = dentry; 1684 1685 av = DIR__SEARCH; 1686 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1687 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 1688 if (rc) 1689 return rc; 1690 1691 switch (kind) { 1692 case MAY_LINK: 1693 av = FILE__LINK; 1694 break; 1695 case MAY_UNLINK: 1696 av = FILE__UNLINK; 1697 break; 1698 case MAY_RMDIR: 1699 av = DIR__RMDIR; 1700 break; 1701 default: 1702 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", 1703 __func__, kind); 1704 return 0; 1705 } 1706 1707 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 1708 return rc; 1709 } 1710 1711 static inline int may_rename(struct inode *old_dir, 1712 struct dentry *old_dentry, 1713 struct inode *new_dir, 1714 struct dentry *new_dentry) 1715 { 1716 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1717 struct common_audit_data ad; 1718 u32 sid = current_sid(); 1719 u32 av; 1720 int old_is_dir, new_is_dir; 1721 int rc; 1722 1723 old_dsec = old_dir->i_security; 1724 old_isec = old_dentry->d_inode->i_security; 1725 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); 1726 new_dsec = new_dir->i_security; 1727 1728 COMMON_AUDIT_DATA_INIT(&ad, FS); 1729 1730 ad.u.fs.path.dentry = old_dentry; 1731 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1732 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1733 if (rc) 1734 return rc; 1735 rc = avc_has_perm(sid, old_isec->sid, 1736 old_isec->sclass, FILE__RENAME, &ad); 1737 if (rc) 1738 return rc; 1739 if (old_is_dir && new_dir != old_dir) { 1740 rc = avc_has_perm(sid, old_isec->sid, 1741 old_isec->sclass, DIR__REPARENT, &ad); 1742 if (rc) 1743 return rc; 1744 } 1745 1746 ad.u.fs.path.dentry = new_dentry; 1747 av = DIR__ADD_NAME | DIR__SEARCH; 1748 if (new_dentry->d_inode) 1749 av |= DIR__REMOVE_NAME; 1750 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1751 if (rc) 1752 return rc; 1753 if (new_dentry->d_inode) { 1754 new_isec = new_dentry->d_inode->i_security; 1755 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode); 1756 rc = avc_has_perm(sid, new_isec->sid, 1757 new_isec->sclass, 1758 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1759 if (rc) 1760 return rc; 1761 } 1762 1763 return 0; 1764 } 1765 1766 /* Check whether a task can perform a filesystem operation. */ 1767 static int superblock_has_perm(const struct cred *cred, 1768 struct super_block *sb, 1769 u32 perms, 1770 struct common_audit_data *ad) 1771 { 1772 struct superblock_security_struct *sbsec; 1773 u32 sid = cred_sid(cred); 1774 1775 sbsec = sb->s_security; 1776 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1777 } 1778 1779 /* Convert a Linux mode and permission mask to an access vector. */ 1780 static inline u32 file_mask_to_av(int mode, int mask) 1781 { 1782 u32 av = 0; 1783 1784 if ((mode & S_IFMT) != S_IFDIR) { 1785 if (mask & MAY_EXEC) 1786 av |= FILE__EXECUTE; 1787 if (mask & MAY_READ) 1788 av |= FILE__READ; 1789 1790 if (mask & MAY_APPEND) 1791 av |= FILE__APPEND; 1792 else if (mask & MAY_WRITE) 1793 av |= FILE__WRITE; 1794 1795 } else { 1796 if (mask & MAY_EXEC) 1797 av |= DIR__SEARCH; 1798 if (mask & MAY_WRITE) 1799 av |= DIR__WRITE; 1800 if (mask & MAY_READ) 1801 av |= DIR__READ; 1802 } 1803 1804 return av; 1805 } 1806 1807 /* Convert a Linux file to an access vector. */ 1808 static inline u32 file_to_av(struct file *file) 1809 { 1810 u32 av = 0; 1811 1812 if (file->f_mode & FMODE_READ) 1813 av |= FILE__READ; 1814 if (file->f_mode & FMODE_WRITE) { 1815 if (file->f_flags & O_APPEND) 1816 av |= FILE__APPEND; 1817 else 1818 av |= FILE__WRITE; 1819 } 1820 if (!av) { 1821 /* 1822 * Special file opened with flags 3 for ioctl-only use. 1823 */ 1824 av = FILE__IOCTL; 1825 } 1826 1827 return av; 1828 } 1829 1830 /* 1831 * Convert a file to an access vector and include the correct open 1832 * open permission. 1833 */ 1834 static inline u32 open_file_to_av(struct file *file) 1835 { 1836 u32 av = file_to_av(file); 1837 1838 if (selinux_policycap_openperm) { 1839 mode_t mode = file->f_path.dentry->d_inode->i_mode; 1840 /* 1841 * lnk files and socks do not really have an 'open' 1842 */ 1843 if (S_ISREG(mode)) 1844 av |= FILE__OPEN; 1845 else if (S_ISCHR(mode)) 1846 av |= CHR_FILE__OPEN; 1847 else if (S_ISBLK(mode)) 1848 av |= BLK_FILE__OPEN; 1849 else if (S_ISFIFO(mode)) 1850 av |= FIFO_FILE__OPEN; 1851 else if (S_ISDIR(mode)) 1852 av |= DIR__OPEN; 1853 else if (S_ISSOCK(mode)) 1854 av |= SOCK_FILE__OPEN; 1855 else 1856 printk(KERN_ERR "SELinux: WARNING: inside %s with " 1857 "unknown mode:%o\n", __func__, mode); 1858 } 1859 return av; 1860 } 1861 1862 /* Hook functions begin here. */ 1863 1864 static int selinux_ptrace_access_check(struct task_struct *child, 1865 unsigned int mode) 1866 { 1867 int rc; 1868 1869 rc = cap_ptrace_access_check(child, mode); 1870 if (rc) 1871 return rc; 1872 1873 if (mode == PTRACE_MODE_READ) { 1874 u32 sid = current_sid(); 1875 u32 csid = task_sid(child); 1876 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); 1877 } 1878 1879 return current_has_perm(child, PROCESS__PTRACE); 1880 } 1881 1882 static int selinux_ptrace_traceme(struct task_struct *parent) 1883 { 1884 int rc; 1885 1886 rc = cap_ptrace_traceme(parent); 1887 if (rc) 1888 return rc; 1889 1890 return task_has_perm(parent, current, PROCESS__PTRACE); 1891 } 1892 1893 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 1894 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1895 { 1896 int error; 1897 1898 error = current_has_perm(target, PROCESS__GETCAP); 1899 if (error) 1900 return error; 1901 1902 return cap_capget(target, effective, inheritable, permitted); 1903 } 1904 1905 static int selinux_capset(struct cred *new, const struct cred *old, 1906 const kernel_cap_t *effective, 1907 const kernel_cap_t *inheritable, 1908 const kernel_cap_t *permitted) 1909 { 1910 int error; 1911 1912 error = cap_capset(new, old, 1913 effective, inheritable, permitted); 1914 if (error) 1915 return error; 1916 1917 return cred_has_perm(old, new, PROCESS__SETCAP); 1918 } 1919 1920 /* 1921 * (This comment used to live with the selinux_task_setuid hook, 1922 * which was removed). 1923 * 1924 * Since setuid only affects the current process, and since the SELinux 1925 * controls are not based on the Linux identity attributes, SELinux does not 1926 * need to control this operation. However, SELinux does control the use of 1927 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 1928 */ 1929 1930 static int selinux_capable(struct task_struct *tsk, const struct cred *cred, 1931 int cap, int audit) 1932 { 1933 int rc; 1934 1935 rc = cap_capable(tsk, cred, cap, audit); 1936 if (rc) 1937 return rc; 1938 1939 return task_has_capability(tsk, cred, cap, audit); 1940 } 1941 1942 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) 1943 { 1944 int buflen, rc; 1945 char *buffer, *path, *end; 1946 1947 rc = -ENOMEM; 1948 buffer = (char *)__get_free_page(GFP_KERNEL); 1949 if (!buffer) 1950 goto out; 1951 1952 buflen = PAGE_SIZE; 1953 end = buffer+buflen; 1954 *--end = '\0'; 1955 buflen--; 1956 path = end-1; 1957 *path = '/'; 1958 while (table) { 1959 const char *name = table->procname; 1960 size_t namelen = strlen(name); 1961 buflen -= namelen + 1; 1962 if (buflen < 0) 1963 goto out_free; 1964 end -= namelen; 1965 memcpy(end, name, namelen); 1966 *--end = '/'; 1967 path = end; 1968 table = table->parent; 1969 } 1970 buflen -= 4; 1971 if (buflen < 0) 1972 goto out_free; 1973 end -= 4; 1974 memcpy(end, "/sys", 4); 1975 path = end; 1976 rc = security_genfs_sid("proc", path, tclass, sid); 1977 out_free: 1978 free_page((unsigned long)buffer); 1979 out: 1980 return rc; 1981 } 1982 1983 static int selinux_sysctl(ctl_table *table, int op) 1984 { 1985 int error = 0; 1986 u32 av; 1987 u32 tsid, sid; 1988 int rc; 1989 1990 sid = current_sid(); 1991 1992 rc = selinux_sysctl_get_sid(table, (op == 0001) ? 1993 SECCLASS_DIR : SECCLASS_FILE, &tsid); 1994 if (rc) { 1995 /* Default to the well-defined sysctl SID. */ 1996 tsid = SECINITSID_SYSCTL; 1997 } 1998 1999 /* The op values are "defined" in sysctl.c, thereby creating 2000 * a bad coupling between this module and sysctl.c */ 2001 if (op == 001) { 2002 error = avc_has_perm(sid, tsid, 2003 SECCLASS_DIR, DIR__SEARCH, NULL); 2004 } else { 2005 av = 0; 2006 if (op & 004) 2007 av |= FILE__READ; 2008 if (op & 002) 2009 av |= FILE__WRITE; 2010 if (av) 2011 error = avc_has_perm(sid, tsid, 2012 SECCLASS_FILE, av, NULL); 2013 } 2014 2015 return error; 2016 } 2017 2018 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2019 { 2020 const struct cred *cred = current_cred(); 2021 int rc = 0; 2022 2023 if (!sb) 2024 return 0; 2025 2026 switch (cmds) { 2027 case Q_SYNC: 2028 case Q_QUOTAON: 2029 case Q_QUOTAOFF: 2030 case Q_SETINFO: 2031 case Q_SETQUOTA: 2032 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2033 break; 2034 case Q_GETFMT: 2035 case Q_GETINFO: 2036 case Q_GETQUOTA: 2037 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2038 break; 2039 default: 2040 rc = 0; /* let the kernel handle invalid cmds */ 2041 break; 2042 } 2043 return rc; 2044 } 2045 2046 static int selinux_quota_on(struct dentry *dentry) 2047 { 2048 const struct cred *cred = current_cred(); 2049 2050 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON); 2051 } 2052 2053 static int selinux_syslog(int type, bool from_file) 2054 { 2055 int rc; 2056 2057 rc = cap_syslog(type, from_file); 2058 if (rc) 2059 return rc; 2060 2061 switch (type) { 2062 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2063 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2064 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 2065 break; 2066 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2067 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2068 /* Set level of messages printed to console */ 2069 case SYSLOG_ACTION_CONSOLE_LEVEL: 2070 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); 2071 break; 2072 case SYSLOG_ACTION_CLOSE: /* Close log */ 2073 case SYSLOG_ACTION_OPEN: /* Open log */ 2074 case SYSLOG_ACTION_READ: /* Read from log */ 2075 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */ 2076 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */ 2077 default: 2078 rc = task_has_system(current, SYSTEM__SYSLOG_MOD); 2079 break; 2080 } 2081 return rc; 2082 } 2083 2084 /* 2085 * Check that a process has enough memory to allocate a new virtual 2086 * mapping. 0 means there is enough memory for the allocation to 2087 * succeed and -ENOMEM implies there is not. 2088 * 2089 * Do not audit the selinux permission check, as this is applied to all 2090 * processes that allocate mappings. 2091 */ 2092 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2093 { 2094 int rc, cap_sys_admin = 0; 2095 2096 rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN, 2097 SECURITY_CAP_NOAUDIT); 2098 if (rc == 0) 2099 cap_sys_admin = 1; 2100 2101 return __vm_enough_memory(mm, pages, cap_sys_admin); 2102 } 2103 2104 /* binprm security operations */ 2105 2106 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2107 { 2108 const struct task_security_struct *old_tsec; 2109 struct task_security_struct *new_tsec; 2110 struct inode_security_struct *isec; 2111 struct common_audit_data ad; 2112 struct inode *inode = bprm->file->f_path.dentry->d_inode; 2113 int rc; 2114 2115 rc = cap_bprm_set_creds(bprm); 2116 if (rc) 2117 return rc; 2118 2119 /* SELinux context only depends on initial program or script and not 2120 * the script interpreter */ 2121 if (bprm->cred_prepared) 2122 return 0; 2123 2124 old_tsec = current_security(); 2125 new_tsec = bprm->cred->security; 2126 isec = inode->i_security; 2127 2128 /* Default to the current task SID. */ 2129 new_tsec->sid = old_tsec->sid; 2130 new_tsec->osid = old_tsec->sid; 2131 2132 /* Reset fs, key, and sock SIDs on execve. */ 2133 new_tsec->create_sid = 0; 2134 new_tsec->keycreate_sid = 0; 2135 new_tsec->sockcreate_sid = 0; 2136 2137 if (old_tsec->exec_sid) { 2138 new_tsec->sid = old_tsec->exec_sid; 2139 /* Reset exec SID on execve. */ 2140 new_tsec->exec_sid = 0; 2141 } else { 2142 /* Check for a default transition on this program. */ 2143 rc = security_transition_sid(old_tsec->sid, isec->sid, 2144 SECCLASS_PROCESS, &new_tsec->sid); 2145 if (rc) 2146 return rc; 2147 } 2148 2149 COMMON_AUDIT_DATA_INIT(&ad, FS); 2150 ad.u.fs.path = bprm->file->f_path; 2151 2152 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) 2153 new_tsec->sid = old_tsec->sid; 2154 2155 if (new_tsec->sid == old_tsec->sid) { 2156 rc = avc_has_perm(old_tsec->sid, isec->sid, 2157 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2158 if (rc) 2159 return rc; 2160 } else { 2161 /* Check permissions for the transition. */ 2162 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2163 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2164 if (rc) 2165 return rc; 2166 2167 rc = avc_has_perm(new_tsec->sid, isec->sid, 2168 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2169 if (rc) 2170 return rc; 2171 2172 /* Check for shared state */ 2173 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2174 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2175 SECCLASS_PROCESS, PROCESS__SHARE, 2176 NULL); 2177 if (rc) 2178 return -EPERM; 2179 } 2180 2181 /* Make sure that anyone attempting to ptrace over a task that 2182 * changes its SID has the appropriate permit */ 2183 if (bprm->unsafe & 2184 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 2185 struct task_struct *tracer; 2186 struct task_security_struct *sec; 2187 u32 ptsid = 0; 2188 2189 rcu_read_lock(); 2190 tracer = tracehook_tracer_task(current); 2191 if (likely(tracer != NULL)) { 2192 sec = __task_cred(tracer)->security; 2193 ptsid = sec->sid; 2194 } 2195 rcu_read_unlock(); 2196 2197 if (ptsid != 0) { 2198 rc = avc_has_perm(ptsid, new_tsec->sid, 2199 SECCLASS_PROCESS, 2200 PROCESS__PTRACE, NULL); 2201 if (rc) 2202 return -EPERM; 2203 } 2204 } 2205 2206 /* Clear any possibly unsafe personality bits on exec: */ 2207 bprm->per_clear |= PER_CLEAR_ON_SETID; 2208 } 2209 2210 return 0; 2211 } 2212 2213 static int selinux_bprm_secureexec(struct linux_binprm *bprm) 2214 { 2215 const struct cred *cred = current_cred(); 2216 const struct task_security_struct *tsec = cred->security; 2217 u32 sid, osid; 2218 int atsecure = 0; 2219 2220 sid = tsec->sid; 2221 osid = tsec->osid; 2222 2223 if (osid != sid) { 2224 /* Enable secure mode for SIDs transitions unless 2225 the noatsecure permission is granted between 2226 the two SIDs, i.e. ahp returns 0. */ 2227 atsecure = avc_has_perm(osid, sid, 2228 SECCLASS_PROCESS, 2229 PROCESS__NOATSECURE, NULL); 2230 } 2231 2232 return (atsecure || cap_bprm_secureexec(bprm)); 2233 } 2234 2235 extern struct vfsmount *selinuxfs_mount; 2236 extern struct dentry *selinux_null; 2237 2238 /* Derived from fs/exec.c:flush_old_files. */ 2239 static inline void flush_unauthorized_files(const struct cred *cred, 2240 struct files_struct *files) 2241 { 2242 struct common_audit_data ad; 2243 struct file *file, *devnull = NULL; 2244 struct tty_struct *tty; 2245 struct fdtable *fdt; 2246 long j = -1; 2247 int drop_tty = 0; 2248 2249 tty = get_current_tty(); 2250 if (tty) { 2251 file_list_lock(); 2252 if (!list_empty(&tty->tty_files)) { 2253 struct inode *inode; 2254 2255 /* Revalidate access to controlling tty. 2256 Use inode_has_perm on the tty inode directly rather 2257 than using file_has_perm, as this particular open 2258 file may belong to another process and we are only 2259 interested in the inode-based check here. */ 2260 file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list); 2261 inode = file->f_path.dentry->d_inode; 2262 if (inode_has_perm(cred, inode, 2263 FILE__READ | FILE__WRITE, NULL)) { 2264 drop_tty = 1; 2265 } 2266 } 2267 file_list_unlock(); 2268 tty_kref_put(tty); 2269 } 2270 /* Reset controlling tty. */ 2271 if (drop_tty) 2272 no_tty(); 2273 2274 /* Revalidate access to inherited open files. */ 2275 2276 COMMON_AUDIT_DATA_INIT(&ad, FS); 2277 2278 spin_lock(&files->file_lock); 2279 for (;;) { 2280 unsigned long set, i; 2281 int fd; 2282 2283 j++; 2284 i = j * __NFDBITS; 2285 fdt = files_fdtable(files); 2286 if (i >= fdt->max_fds) 2287 break; 2288 set = fdt->open_fds->fds_bits[j]; 2289 if (!set) 2290 continue; 2291 spin_unlock(&files->file_lock); 2292 for ( ; set ; i++, set >>= 1) { 2293 if (set & 1) { 2294 file = fget(i); 2295 if (!file) 2296 continue; 2297 if (file_has_perm(cred, 2298 file, 2299 file_to_av(file))) { 2300 sys_close(i); 2301 fd = get_unused_fd(); 2302 if (fd != i) { 2303 if (fd >= 0) 2304 put_unused_fd(fd); 2305 fput(file); 2306 continue; 2307 } 2308 if (devnull) { 2309 get_file(devnull); 2310 } else { 2311 devnull = dentry_open( 2312 dget(selinux_null), 2313 mntget(selinuxfs_mount), 2314 O_RDWR, cred); 2315 if (IS_ERR(devnull)) { 2316 devnull = NULL; 2317 put_unused_fd(fd); 2318 fput(file); 2319 continue; 2320 } 2321 } 2322 fd_install(fd, devnull); 2323 } 2324 fput(file); 2325 } 2326 } 2327 spin_lock(&files->file_lock); 2328 2329 } 2330 spin_unlock(&files->file_lock); 2331 } 2332 2333 /* 2334 * Prepare a process for imminent new credential changes due to exec 2335 */ 2336 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2337 { 2338 struct task_security_struct *new_tsec; 2339 struct rlimit *rlim, *initrlim; 2340 int rc, i; 2341 2342 new_tsec = bprm->cred->security; 2343 if (new_tsec->sid == new_tsec->osid) 2344 return; 2345 2346 /* Close files for which the new task SID is not authorized. */ 2347 flush_unauthorized_files(bprm->cred, current->files); 2348 2349 /* Always clear parent death signal on SID transitions. */ 2350 current->pdeath_signal = 0; 2351 2352 /* Check whether the new SID can inherit resource limits from the old 2353 * SID. If not, reset all soft limits to the lower of the current 2354 * task's hard limit and the init task's soft limit. 2355 * 2356 * Note that the setting of hard limits (even to lower them) can be 2357 * controlled by the setrlimit check. The inclusion of the init task's 2358 * soft limit into the computation is to avoid resetting soft limits 2359 * higher than the default soft limit for cases where the default is 2360 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2361 */ 2362 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2363 PROCESS__RLIMITINH, NULL); 2364 if (rc) { 2365 for (i = 0; i < RLIM_NLIMITS; i++) { 2366 rlim = current->signal->rlim + i; 2367 initrlim = init_task.signal->rlim + i; 2368 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2369 } 2370 update_rlimit_cpu(current->signal->rlim[RLIMIT_CPU].rlim_cur); 2371 } 2372 } 2373 2374 /* 2375 * Clean up the process immediately after the installation of new credentials 2376 * due to exec 2377 */ 2378 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2379 { 2380 const struct task_security_struct *tsec = current_security(); 2381 struct itimerval itimer; 2382 u32 osid, sid; 2383 int rc, i; 2384 2385 osid = tsec->osid; 2386 sid = tsec->sid; 2387 2388 if (sid == osid) 2389 return; 2390 2391 /* Check whether the new SID can inherit signal state from the old SID. 2392 * If not, clear itimers to avoid subsequent signal generation and 2393 * flush and unblock signals. 2394 * 2395 * This must occur _after_ the task SID has been updated so that any 2396 * kill done after the flush will be checked against the new SID. 2397 */ 2398 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2399 if (rc) { 2400 memset(&itimer, 0, sizeof itimer); 2401 for (i = 0; i < 3; i++) 2402 do_setitimer(i, &itimer, NULL); 2403 spin_lock_irq(¤t->sighand->siglock); 2404 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) { 2405 __flush_signals(current); 2406 flush_signal_handlers(current, 1); 2407 sigemptyset(¤t->blocked); 2408 } 2409 spin_unlock_irq(¤t->sighand->siglock); 2410 } 2411 2412 /* Wake up the parent if it is waiting so that it can recheck 2413 * wait permission to the new task SID. */ 2414 read_lock(&tasklist_lock); 2415 __wake_up_parent(current, current->real_parent); 2416 read_unlock(&tasklist_lock); 2417 } 2418 2419 /* superblock security operations */ 2420 2421 static int selinux_sb_alloc_security(struct super_block *sb) 2422 { 2423 return superblock_alloc_security(sb); 2424 } 2425 2426 static void selinux_sb_free_security(struct super_block *sb) 2427 { 2428 superblock_free_security(sb); 2429 } 2430 2431 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2432 { 2433 if (plen > olen) 2434 return 0; 2435 2436 return !memcmp(prefix, option, plen); 2437 } 2438 2439 static inline int selinux_option(char *option, int len) 2440 { 2441 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || 2442 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || 2443 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || 2444 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || 2445 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); 2446 } 2447 2448 static inline void take_option(char **to, char *from, int *first, int len) 2449 { 2450 if (!*first) { 2451 **to = ','; 2452 *to += 1; 2453 } else 2454 *first = 0; 2455 memcpy(*to, from, len); 2456 *to += len; 2457 } 2458 2459 static inline void take_selinux_option(char **to, char *from, int *first, 2460 int len) 2461 { 2462 int current_size = 0; 2463 2464 if (!*first) { 2465 **to = '|'; 2466 *to += 1; 2467 } else 2468 *first = 0; 2469 2470 while (current_size < len) { 2471 if (*from != '"') { 2472 **to = *from; 2473 *to += 1; 2474 } 2475 from += 1; 2476 current_size += 1; 2477 } 2478 } 2479 2480 static int selinux_sb_copy_data(char *orig, char *copy) 2481 { 2482 int fnosec, fsec, rc = 0; 2483 char *in_save, *in_curr, *in_end; 2484 char *sec_curr, *nosec_save, *nosec; 2485 int open_quote = 0; 2486 2487 in_curr = orig; 2488 sec_curr = copy; 2489 2490 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2491 if (!nosec) { 2492 rc = -ENOMEM; 2493 goto out; 2494 } 2495 2496 nosec_save = nosec; 2497 fnosec = fsec = 1; 2498 in_save = in_end = orig; 2499 2500 do { 2501 if (*in_end == '"') 2502 open_quote = !open_quote; 2503 if ((*in_end == ',' && open_quote == 0) || 2504 *in_end == '\0') { 2505 int len = in_end - in_curr; 2506 2507 if (selinux_option(in_curr, len)) 2508 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2509 else 2510 take_option(&nosec, in_curr, &fnosec, len); 2511 2512 in_curr = in_end + 1; 2513 } 2514 } while (*in_end++); 2515 2516 strcpy(in_save, nosec_save); 2517 free_page((unsigned long)nosec_save); 2518 out: 2519 return rc; 2520 } 2521 2522 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) 2523 { 2524 const struct cred *cred = current_cred(); 2525 struct common_audit_data ad; 2526 int rc; 2527 2528 rc = superblock_doinit(sb, data); 2529 if (rc) 2530 return rc; 2531 2532 /* Allow all mounts performed by the kernel */ 2533 if (flags & MS_KERNMOUNT) 2534 return 0; 2535 2536 COMMON_AUDIT_DATA_INIT(&ad, FS); 2537 ad.u.fs.path.dentry = sb->s_root; 2538 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2539 } 2540 2541 static int selinux_sb_statfs(struct dentry *dentry) 2542 { 2543 const struct cred *cred = current_cred(); 2544 struct common_audit_data ad; 2545 2546 COMMON_AUDIT_DATA_INIT(&ad, FS); 2547 ad.u.fs.path.dentry = dentry->d_sb->s_root; 2548 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2549 } 2550 2551 static int selinux_mount(char *dev_name, 2552 struct path *path, 2553 char *type, 2554 unsigned long flags, 2555 void *data) 2556 { 2557 const struct cred *cred = current_cred(); 2558 2559 if (flags & MS_REMOUNT) 2560 return superblock_has_perm(cred, path->mnt->mnt_sb, 2561 FILESYSTEM__REMOUNT, NULL); 2562 else 2563 return dentry_has_perm(cred, path->mnt, path->dentry, 2564 FILE__MOUNTON); 2565 } 2566 2567 static int selinux_umount(struct vfsmount *mnt, int flags) 2568 { 2569 const struct cred *cred = current_cred(); 2570 2571 return superblock_has_perm(cred, mnt->mnt_sb, 2572 FILESYSTEM__UNMOUNT, NULL); 2573 } 2574 2575 /* inode security operations */ 2576 2577 static int selinux_inode_alloc_security(struct inode *inode) 2578 { 2579 return inode_alloc_security(inode); 2580 } 2581 2582 static void selinux_inode_free_security(struct inode *inode) 2583 { 2584 inode_free_security(inode); 2585 } 2586 2587 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2588 char **name, void **value, 2589 size_t *len) 2590 { 2591 const struct cred *cred = current_cred(); 2592 const struct task_security_struct *tsec = cred->security; 2593 struct inode_security_struct *dsec; 2594 struct superblock_security_struct *sbsec; 2595 u32 sid, newsid, clen; 2596 int rc; 2597 char *namep = NULL, *context; 2598 2599 dsec = dir->i_security; 2600 sbsec = dir->i_sb->s_security; 2601 2602 sid = tsec->sid; 2603 newsid = tsec->create_sid; 2604 2605 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { 2606 rc = security_transition_sid(sid, dsec->sid, 2607 inode_mode_to_security_class(inode->i_mode), 2608 &newsid); 2609 if (rc) { 2610 printk(KERN_WARNING "%s: " 2611 "security_transition_sid failed, rc=%d (dev=%s " 2612 "ino=%ld)\n", 2613 __func__, 2614 -rc, inode->i_sb->s_id, inode->i_ino); 2615 return rc; 2616 } 2617 } 2618 2619 /* Possibly defer initialization to selinux_complete_init. */ 2620 if (sbsec->flags & SE_SBINITIALIZED) { 2621 struct inode_security_struct *isec = inode->i_security; 2622 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2623 isec->sid = newsid; 2624 isec->initialized = 1; 2625 } 2626 2627 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP)) 2628 return -EOPNOTSUPP; 2629 2630 if (name) { 2631 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS); 2632 if (!namep) 2633 return -ENOMEM; 2634 *name = namep; 2635 } 2636 2637 if (value && len) { 2638 rc = security_sid_to_context_force(newsid, &context, &clen); 2639 if (rc) { 2640 kfree(namep); 2641 return rc; 2642 } 2643 *value = context; 2644 *len = clen; 2645 } 2646 2647 return 0; 2648 } 2649 2650 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask) 2651 { 2652 return may_create(dir, dentry, SECCLASS_FILE); 2653 } 2654 2655 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2656 { 2657 return may_link(dir, old_dentry, MAY_LINK); 2658 } 2659 2660 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2661 { 2662 return may_link(dir, dentry, MAY_UNLINK); 2663 } 2664 2665 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2666 { 2667 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2668 } 2669 2670 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask) 2671 { 2672 return may_create(dir, dentry, SECCLASS_DIR); 2673 } 2674 2675 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2676 { 2677 return may_link(dir, dentry, MAY_RMDIR); 2678 } 2679 2680 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) 2681 { 2682 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2683 } 2684 2685 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2686 struct inode *new_inode, struct dentry *new_dentry) 2687 { 2688 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2689 } 2690 2691 static int selinux_inode_readlink(struct dentry *dentry) 2692 { 2693 const struct cred *cred = current_cred(); 2694 2695 return dentry_has_perm(cred, NULL, dentry, FILE__READ); 2696 } 2697 2698 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) 2699 { 2700 const struct cred *cred = current_cred(); 2701 2702 return dentry_has_perm(cred, NULL, dentry, FILE__READ); 2703 } 2704 2705 static int selinux_inode_permission(struct inode *inode, int mask) 2706 { 2707 const struct cred *cred = current_cred(); 2708 2709 if (!mask) { 2710 /* No permission to check. Existence test. */ 2711 return 0; 2712 } 2713 2714 return inode_has_perm(cred, inode, 2715 file_mask_to_av(inode->i_mode, mask), NULL); 2716 } 2717 2718 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2719 { 2720 const struct cred *cred = current_cred(); 2721 unsigned int ia_valid = iattr->ia_valid; 2722 2723 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 2724 if (ia_valid & ATTR_FORCE) { 2725 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 2726 ATTR_FORCE); 2727 if (!ia_valid) 2728 return 0; 2729 } 2730 2731 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 2732 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 2733 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR); 2734 2735 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE); 2736 } 2737 2738 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 2739 { 2740 const struct cred *cred = current_cred(); 2741 2742 return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR); 2743 } 2744 2745 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name) 2746 { 2747 const struct cred *cred = current_cred(); 2748 2749 if (!strncmp(name, XATTR_SECURITY_PREFIX, 2750 sizeof XATTR_SECURITY_PREFIX - 1)) { 2751 if (!strcmp(name, XATTR_NAME_CAPS)) { 2752 if (!capable(CAP_SETFCAP)) 2753 return -EPERM; 2754 } else if (!capable(CAP_SYS_ADMIN)) { 2755 /* A different attribute in the security namespace. 2756 Restrict to administrator. */ 2757 return -EPERM; 2758 } 2759 } 2760 2761 /* Not an attribute we recognize, so just check the 2762 ordinary setattr permission. */ 2763 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR); 2764 } 2765 2766 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 2767 const void *value, size_t size, int flags) 2768 { 2769 struct inode *inode = dentry->d_inode; 2770 struct inode_security_struct *isec = inode->i_security; 2771 struct superblock_security_struct *sbsec; 2772 struct common_audit_data ad; 2773 u32 newsid, sid = current_sid(); 2774 int rc = 0; 2775 2776 if (strcmp(name, XATTR_NAME_SELINUX)) 2777 return selinux_inode_setotherxattr(dentry, name); 2778 2779 sbsec = inode->i_sb->s_security; 2780 if (!(sbsec->flags & SE_SBLABELSUPP)) 2781 return -EOPNOTSUPP; 2782 2783 if (!is_owner_or_cap(inode)) 2784 return -EPERM; 2785 2786 COMMON_AUDIT_DATA_INIT(&ad, FS); 2787 ad.u.fs.path.dentry = dentry; 2788 2789 rc = avc_has_perm(sid, isec->sid, isec->sclass, 2790 FILE__RELABELFROM, &ad); 2791 if (rc) 2792 return rc; 2793 2794 rc = security_context_to_sid(value, size, &newsid); 2795 if (rc == -EINVAL) { 2796 if (!capable(CAP_MAC_ADMIN)) 2797 return rc; 2798 rc = security_context_to_sid_force(value, size, &newsid); 2799 } 2800 if (rc) 2801 return rc; 2802 2803 rc = avc_has_perm(sid, newsid, isec->sclass, 2804 FILE__RELABELTO, &ad); 2805 if (rc) 2806 return rc; 2807 2808 rc = security_validate_transition(isec->sid, newsid, sid, 2809 isec->sclass); 2810 if (rc) 2811 return rc; 2812 2813 return avc_has_perm(newsid, 2814 sbsec->sid, 2815 SECCLASS_FILESYSTEM, 2816 FILESYSTEM__ASSOCIATE, 2817 &ad); 2818 } 2819 2820 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 2821 const void *value, size_t size, 2822 int flags) 2823 { 2824 struct inode *inode = dentry->d_inode; 2825 struct inode_security_struct *isec = inode->i_security; 2826 u32 newsid; 2827 int rc; 2828 2829 if (strcmp(name, XATTR_NAME_SELINUX)) { 2830 /* Not an attribute we recognize, so nothing to do. */ 2831 return; 2832 } 2833 2834 rc = security_context_to_sid_force(value, size, &newsid); 2835 if (rc) { 2836 printk(KERN_ERR "SELinux: unable to map context to SID" 2837 "for (%s, %lu), rc=%d\n", 2838 inode->i_sb->s_id, inode->i_ino, -rc); 2839 return; 2840 } 2841 2842 isec->sid = newsid; 2843 return; 2844 } 2845 2846 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 2847 { 2848 const struct cred *cred = current_cred(); 2849 2850 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR); 2851 } 2852 2853 static int selinux_inode_listxattr(struct dentry *dentry) 2854 { 2855 const struct cred *cred = current_cred(); 2856 2857 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR); 2858 } 2859 2860 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 2861 { 2862 if (strcmp(name, XATTR_NAME_SELINUX)) 2863 return selinux_inode_setotherxattr(dentry, name); 2864 2865 /* No one is allowed to remove a SELinux security label. 2866 You can change the label, but all data must be labeled. */ 2867 return -EACCES; 2868 } 2869 2870 /* 2871 * Copy the inode security context value to the user. 2872 * 2873 * Permission check is handled by selinux_inode_getxattr hook. 2874 */ 2875 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc) 2876 { 2877 u32 size; 2878 int error; 2879 char *context = NULL; 2880 struct inode_security_struct *isec = inode->i_security; 2881 2882 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2883 return -EOPNOTSUPP; 2884 2885 /* 2886 * If the caller has CAP_MAC_ADMIN, then get the raw context 2887 * value even if it is not defined by current policy; otherwise, 2888 * use the in-core value under current policy. 2889 * Use the non-auditing forms of the permission checks since 2890 * getxattr may be called by unprivileged processes commonly 2891 * and lack of permission just means that we fall back to the 2892 * in-core context value, not a denial. 2893 */ 2894 error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN, 2895 SECURITY_CAP_NOAUDIT); 2896 if (!error) 2897 error = security_sid_to_context_force(isec->sid, &context, 2898 &size); 2899 else 2900 error = security_sid_to_context(isec->sid, &context, &size); 2901 if (error) 2902 return error; 2903 error = size; 2904 if (alloc) { 2905 *buffer = context; 2906 goto out_nofree; 2907 } 2908 kfree(context); 2909 out_nofree: 2910 return error; 2911 } 2912 2913 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 2914 const void *value, size_t size, int flags) 2915 { 2916 struct inode_security_struct *isec = inode->i_security; 2917 u32 newsid; 2918 int rc; 2919 2920 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2921 return -EOPNOTSUPP; 2922 2923 if (!value || !size) 2924 return -EACCES; 2925 2926 rc = security_context_to_sid((void *)value, size, &newsid); 2927 if (rc) 2928 return rc; 2929 2930 isec->sid = newsid; 2931 isec->initialized = 1; 2932 return 0; 2933 } 2934 2935 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 2936 { 2937 const int len = sizeof(XATTR_NAME_SELINUX); 2938 if (buffer && len <= buffer_size) 2939 memcpy(buffer, XATTR_NAME_SELINUX, len); 2940 return len; 2941 } 2942 2943 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid) 2944 { 2945 struct inode_security_struct *isec = inode->i_security; 2946 *secid = isec->sid; 2947 } 2948 2949 /* file security operations */ 2950 2951 static int selinux_revalidate_file_permission(struct file *file, int mask) 2952 { 2953 const struct cred *cred = current_cred(); 2954 struct inode *inode = file->f_path.dentry->d_inode; 2955 2956 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 2957 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 2958 mask |= MAY_APPEND; 2959 2960 return file_has_perm(cred, file, 2961 file_mask_to_av(inode->i_mode, mask)); 2962 } 2963 2964 static int selinux_file_permission(struct file *file, int mask) 2965 { 2966 struct inode *inode = file->f_path.dentry->d_inode; 2967 struct file_security_struct *fsec = file->f_security; 2968 struct inode_security_struct *isec = inode->i_security; 2969 u32 sid = current_sid(); 2970 2971 if (!mask) 2972 /* No permission to check. Existence test. */ 2973 return 0; 2974 2975 if (sid == fsec->sid && fsec->isid == isec->sid && 2976 fsec->pseqno == avc_policy_seqno()) 2977 /* No change since dentry_open check. */ 2978 return 0; 2979 2980 return selinux_revalidate_file_permission(file, mask); 2981 } 2982 2983 static int selinux_file_alloc_security(struct file *file) 2984 { 2985 return file_alloc_security(file); 2986 } 2987 2988 static void selinux_file_free_security(struct file *file) 2989 { 2990 file_free_security(file); 2991 } 2992 2993 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 2994 unsigned long arg) 2995 { 2996 const struct cred *cred = current_cred(); 2997 u32 av = 0; 2998 2999 if (_IOC_DIR(cmd) & _IOC_WRITE) 3000 av |= FILE__WRITE; 3001 if (_IOC_DIR(cmd) & _IOC_READ) 3002 av |= FILE__READ; 3003 if (!av) 3004 av = FILE__IOCTL; 3005 3006 return file_has_perm(cred, file, av); 3007 } 3008 3009 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3010 { 3011 const struct cred *cred = current_cred(); 3012 int rc = 0; 3013 3014 #ifndef CONFIG_PPC32 3015 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { 3016 /* 3017 * We are making executable an anonymous mapping or a 3018 * private file mapping that will also be writable. 3019 * This has an additional check. 3020 */ 3021 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM); 3022 if (rc) 3023 goto error; 3024 } 3025 #endif 3026 3027 if (file) { 3028 /* read access is always possible with a mapping */ 3029 u32 av = FILE__READ; 3030 3031 /* write access only matters if the mapping is shared */ 3032 if (shared && (prot & PROT_WRITE)) 3033 av |= FILE__WRITE; 3034 3035 if (prot & PROT_EXEC) 3036 av |= FILE__EXECUTE; 3037 3038 return file_has_perm(cred, file, av); 3039 } 3040 3041 error: 3042 return rc; 3043 } 3044 3045 static int selinux_file_mmap(struct file *file, unsigned long reqprot, 3046 unsigned long prot, unsigned long flags, 3047 unsigned long addr, unsigned long addr_only) 3048 { 3049 int rc = 0; 3050 u32 sid = current_sid(); 3051 3052 /* 3053 * notice that we are intentionally putting the SELinux check before 3054 * the secondary cap_file_mmap check. This is such a likely attempt 3055 * at bad behaviour/exploit that we always want to get the AVC, even 3056 * if DAC would have also denied the operation. 3057 */ 3058 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3059 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3060 MEMPROTECT__MMAP_ZERO, NULL); 3061 if (rc) 3062 return rc; 3063 } 3064 3065 /* do DAC check on address space usage */ 3066 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only); 3067 if (rc || addr_only) 3068 return rc; 3069 3070 if (selinux_checkreqprot) 3071 prot = reqprot; 3072 3073 return file_map_prot_check(file, prot, 3074 (flags & MAP_TYPE) == MAP_SHARED); 3075 } 3076 3077 static int selinux_file_mprotect(struct vm_area_struct *vma, 3078 unsigned long reqprot, 3079 unsigned long prot) 3080 { 3081 const struct cred *cred = current_cred(); 3082 3083 if (selinux_checkreqprot) 3084 prot = reqprot; 3085 3086 #ifndef CONFIG_PPC32 3087 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3088 int rc = 0; 3089 if (vma->vm_start >= vma->vm_mm->start_brk && 3090 vma->vm_end <= vma->vm_mm->brk) { 3091 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP); 3092 } else if (!vma->vm_file && 3093 vma->vm_start <= vma->vm_mm->start_stack && 3094 vma->vm_end >= vma->vm_mm->start_stack) { 3095 rc = current_has_perm(current, PROCESS__EXECSTACK); 3096 } else if (vma->vm_file && vma->anon_vma) { 3097 /* 3098 * We are making executable a file mapping that has 3099 * had some COW done. Since pages might have been 3100 * written, check ability to execute the possibly 3101 * modified content. This typically should only 3102 * occur for text relocations. 3103 */ 3104 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3105 } 3106 if (rc) 3107 return rc; 3108 } 3109 #endif 3110 3111 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3112 } 3113 3114 static int selinux_file_lock(struct file *file, unsigned int cmd) 3115 { 3116 const struct cred *cred = current_cred(); 3117 3118 return file_has_perm(cred, file, FILE__LOCK); 3119 } 3120 3121 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3122 unsigned long arg) 3123 { 3124 const struct cred *cred = current_cred(); 3125 int err = 0; 3126 3127 switch (cmd) { 3128 case F_SETFL: 3129 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { 3130 err = -EINVAL; 3131 break; 3132 } 3133 3134 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3135 err = file_has_perm(cred, file, FILE__WRITE); 3136 break; 3137 } 3138 /* fall through */ 3139 case F_SETOWN: 3140 case F_SETSIG: 3141 case F_GETFL: 3142 case F_GETOWN: 3143 case F_GETSIG: 3144 /* Just check FD__USE permission */ 3145 err = file_has_perm(cred, file, 0); 3146 break; 3147 case F_GETLK: 3148 case F_SETLK: 3149 case F_SETLKW: 3150 #if BITS_PER_LONG == 32 3151 case F_GETLK64: 3152 case F_SETLK64: 3153 case F_SETLKW64: 3154 #endif 3155 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { 3156 err = -EINVAL; 3157 break; 3158 } 3159 err = file_has_perm(cred, file, FILE__LOCK); 3160 break; 3161 } 3162 3163 return err; 3164 } 3165 3166 static int selinux_file_set_fowner(struct file *file) 3167 { 3168 struct file_security_struct *fsec; 3169 3170 fsec = file->f_security; 3171 fsec->fown_sid = current_sid(); 3172 3173 return 0; 3174 } 3175 3176 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3177 struct fown_struct *fown, int signum) 3178 { 3179 struct file *file; 3180 u32 sid = task_sid(tsk); 3181 u32 perm; 3182 struct file_security_struct *fsec; 3183 3184 /* struct fown_struct is never outside the context of a struct file */ 3185 file = container_of(fown, struct file, f_owner); 3186 3187 fsec = file->f_security; 3188 3189 if (!signum) 3190 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3191 else 3192 perm = signal_to_av(signum); 3193 3194 return avc_has_perm(fsec->fown_sid, sid, 3195 SECCLASS_PROCESS, perm, NULL); 3196 } 3197 3198 static int selinux_file_receive(struct file *file) 3199 { 3200 const struct cred *cred = current_cred(); 3201 3202 return file_has_perm(cred, file, file_to_av(file)); 3203 } 3204 3205 static int selinux_dentry_open(struct file *file, const struct cred *cred) 3206 { 3207 struct file_security_struct *fsec; 3208 struct inode *inode; 3209 struct inode_security_struct *isec; 3210 3211 inode = file->f_path.dentry->d_inode; 3212 fsec = file->f_security; 3213 isec = inode->i_security; 3214 /* 3215 * Save inode label and policy sequence number 3216 * at open-time so that selinux_file_permission 3217 * can determine whether revalidation is necessary. 3218 * Task label is already saved in the file security 3219 * struct as its SID. 3220 */ 3221 fsec->isid = isec->sid; 3222 fsec->pseqno = avc_policy_seqno(); 3223 /* 3224 * Since the inode label or policy seqno may have changed 3225 * between the selinux_inode_permission check and the saving 3226 * of state above, recheck that access is still permitted. 3227 * Otherwise, access might never be revalidated against the 3228 * new inode label or new policy. 3229 * This check is not redundant - do not remove. 3230 */ 3231 return inode_has_perm(cred, inode, open_file_to_av(file), NULL); 3232 } 3233 3234 /* task security operations */ 3235 3236 static int selinux_task_create(unsigned long clone_flags) 3237 { 3238 return current_has_perm(current, PROCESS__FORK); 3239 } 3240 3241 /* 3242 * allocate the SELinux part of blank credentials 3243 */ 3244 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) 3245 { 3246 struct task_security_struct *tsec; 3247 3248 tsec = kzalloc(sizeof(struct task_security_struct), gfp); 3249 if (!tsec) 3250 return -ENOMEM; 3251 3252 cred->security = tsec; 3253 return 0; 3254 } 3255 3256 /* 3257 * detach and free the LSM part of a set of credentials 3258 */ 3259 static void selinux_cred_free(struct cred *cred) 3260 { 3261 struct task_security_struct *tsec = cred->security; 3262 3263 BUG_ON((unsigned long) cred->security < PAGE_SIZE); 3264 cred->security = (void *) 0x7UL; 3265 kfree(tsec); 3266 } 3267 3268 /* 3269 * prepare a new set of credentials for modification 3270 */ 3271 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3272 gfp_t gfp) 3273 { 3274 const struct task_security_struct *old_tsec; 3275 struct task_security_struct *tsec; 3276 3277 old_tsec = old->security; 3278 3279 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); 3280 if (!tsec) 3281 return -ENOMEM; 3282 3283 new->security = tsec; 3284 return 0; 3285 } 3286 3287 /* 3288 * transfer the SELinux data to a blank set of creds 3289 */ 3290 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3291 { 3292 const struct task_security_struct *old_tsec = old->security; 3293 struct task_security_struct *tsec = new->security; 3294 3295 *tsec = *old_tsec; 3296 } 3297 3298 /* 3299 * set the security data for a kernel service 3300 * - all the creation contexts are set to unlabelled 3301 */ 3302 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3303 { 3304 struct task_security_struct *tsec = new->security; 3305 u32 sid = current_sid(); 3306 int ret; 3307 3308 ret = avc_has_perm(sid, secid, 3309 SECCLASS_KERNEL_SERVICE, 3310 KERNEL_SERVICE__USE_AS_OVERRIDE, 3311 NULL); 3312 if (ret == 0) { 3313 tsec->sid = secid; 3314 tsec->create_sid = 0; 3315 tsec->keycreate_sid = 0; 3316 tsec->sockcreate_sid = 0; 3317 } 3318 return ret; 3319 } 3320 3321 /* 3322 * set the file creation context in a security record to the same as the 3323 * objective context of the specified inode 3324 */ 3325 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3326 { 3327 struct inode_security_struct *isec = inode->i_security; 3328 struct task_security_struct *tsec = new->security; 3329 u32 sid = current_sid(); 3330 int ret; 3331 3332 ret = avc_has_perm(sid, isec->sid, 3333 SECCLASS_KERNEL_SERVICE, 3334 KERNEL_SERVICE__CREATE_FILES_AS, 3335 NULL); 3336 3337 if (ret == 0) 3338 tsec->create_sid = isec->sid; 3339 return 0; 3340 } 3341 3342 static int selinux_kernel_module_request(char *kmod_name) 3343 { 3344 u32 sid; 3345 struct common_audit_data ad; 3346 3347 sid = task_sid(current); 3348 3349 COMMON_AUDIT_DATA_INIT(&ad, KMOD); 3350 ad.u.kmod_name = kmod_name; 3351 3352 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM, 3353 SYSTEM__MODULE_REQUEST, &ad); 3354 } 3355 3356 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3357 { 3358 return current_has_perm(p, PROCESS__SETPGID); 3359 } 3360 3361 static int selinux_task_getpgid(struct task_struct *p) 3362 { 3363 return current_has_perm(p, PROCESS__GETPGID); 3364 } 3365 3366 static int selinux_task_getsid(struct task_struct *p) 3367 { 3368 return current_has_perm(p, PROCESS__GETSESSION); 3369 } 3370 3371 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3372 { 3373 *secid = task_sid(p); 3374 } 3375 3376 static int selinux_task_setnice(struct task_struct *p, int nice) 3377 { 3378 int rc; 3379 3380 rc = cap_task_setnice(p, nice); 3381 if (rc) 3382 return rc; 3383 3384 return current_has_perm(p, PROCESS__SETSCHED); 3385 } 3386 3387 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3388 { 3389 int rc; 3390 3391 rc = cap_task_setioprio(p, ioprio); 3392 if (rc) 3393 return rc; 3394 3395 return current_has_perm(p, PROCESS__SETSCHED); 3396 } 3397 3398 static int selinux_task_getioprio(struct task_struct *p) 3399 { 3400 return current_has_perm(p, PROCESS__GETSCHED); 3401 } 3402 3403 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) 3404 { 3405 struct rlimit *old_rlim = current->signal->rlim + resource; 3406 3407 /* Control the ability to change the hard limit (whether 3408 lowering or raising it), so that the hard limit can 3409 later be used as a safe reset point for the soft limit 3410 upon context transitions. See selinux_bprm_committing_creds. */ 3411 if (old_rlim->rlim_max != new_rlim->rlim_max) 3412 return current_has_perm(current, PROCESS__SETRLIMIT); 3413 3414 return 0; 3415 } 3416 3417 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp) 3418 { 3419 int rc; 3420 3421 rc = cap_task_setscheduler(p, policy, lp); 3422 if (rc) 3423 return rc; 3424 3425 return current_has_perm(p, PROCESS__SETSCHED); 3426 } 3427 3428 static int selinux_task_getscheduler(struct task_struct *p) 3429 { 3430 return current_has_perm(p, PROCESS__GETSCHED); 3431 } 3432 3433 static int selinux_task_movememory(struct task_struct *p) 3434 { 3435 return current_has_perm(p, PROCESS__SETSCHED); 3436 } 3437 3438 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 3439 int sig, u32 secid) 3440 { 3441 u32 perm; 3442 int rc; 3443 3444 if (!sig) 3445 perm = PROCESS__SIGNULL; /* null signal; existence test */ 3446 else 3447 perm = signal_to_av(sig); 3448 if (secid) 3449 rc = avc_has_perm(secid, task_sid(p), 3450 SECCLASS_PROCESS, perm, NULL); 3451 else 3452 rc = current_has_perm(p, perm); 3453 return rc; 3454 } 3455 3456 static int selinux_task_wait(struct task_struct *p) 3457 { 3458 return task_has_perm(p, current, PROCESS__SIGCHLD); 3459 } 3460 3461 static void selinux_task_to_inode(struct task_struct *p, 3462 struct inode *inode) 3463 { 3464 struct inode_security_struct *isec = inode->i_security; 3465 u32 sid = task_sid(p); 3466 3467 isec->sid = sid; 3468 isec->initialized = 1; 3469 } 3470 3471 /* Returns error only if unable to parse addresses */ 3472 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 3473 struct common_audit_data *ad, u8 *proto) 3474 { 3475 int offset, ihlen, ret = -EINVAL; 3476 struct iphdr _iph, *ih; 3477 3478 offset = skb_network_offset(skb); 3479 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 3480 if (ih == NULL) 3481 goto out; 3482 3483 ihlen = ih->ihl * 4; 3484 if (ihlen < sizeof(_iph)) 3485 goto out; 3486 3487 ad->u.net.v4info.saddr = ih->saddr; 3488 ad->u.net.v4info.daddr = ih->daddr; 3489 ret = 0; 3490 3491 if (proto) 3492 *proto = ih->protocol; 3493 3494 switch (ih->protocol) { 3495 case IPPROTO_TCP: { 3496 struct tcphdr _tcph, *th; 3497 3498 if (ntohs(ih->frag_off) & IP_OFFSET) 3499 break; 3500 3501 offset += ihlen; 3502 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3503 if (th == NULL) 3504 break; 3505 3506 ad->u.net.sport = th->source; 3507 ad->u.net.dport = th->dest; 3508 break; 3509 } 3510 3511 case IPPROTO_UDP: { 3512 struct udphdr _udph, *uh; 3513 3514 if (ntohs(ih->frag_off) & IP_OFFSET) 3515 break; 3516 3517 offset += ihlen; 3518 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3519 if (uh == NULL) 3520 break; 3521 3522 ad->u.net.sport = uh->source; 3523 ad->u.net.dport = uh->dest; 3524 break; 3525 } 3526 3527 case IPPROTO_DCCP: { 3528 struct dccp_hdr _dccph, *dh; 3529 3530 if (ntohs(ih->frag_off) & IP_OFFSET) 3531 break; 3532 3533 offset += ihlen; 3534 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3535 if (dh == NULL) 3536 break; 3537 3538 ad->u.net.sport = dh->dccph_sport; 3539 ad->u.net.dport = dh->dccph_dport; 3540 break; 3541 } 3542 3543 default: 3544 break; 3545 } 3546 out: 3547 return ret; 3548 } 3549 3550 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3551 3552 /* Returns error only if unable to parse addresses */ 3553 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 3554 struct common_audit_data *ad, u8 *proto) 3555 { 3556 u8 nexthdr; 3557 int ret = -EINVAL, offset; 3558 struct ipv6hdr _ipv6h, *ip6; 3559 3560 offset = skb_network_offset(skb); 3561 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3562 if (ip6 == NULL) 3563 goto out; 3564 3565 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr); 3566 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr); 3567 ret = 0; 3568 3569 nexthdr = ip6->nexthdr; 3570 offset += sizeof(_ipv6h); 3571 offset = ipv6_skip_exthdr(skb, offset, &nexthdr); 3572 if (offset < 0) 3573 goto out; 3574 3575 if (proto) 3576 *proto = nexthdr; 3577 3578 switch (nexthdr) { 3579 case IPPROTO_TCP: { 3580 struct tcphdr _tcph, *th; 3581 3582 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3583 if (th == NULL) 3584 break; 3585 3586 ad->u.net.sport = th->source; 3587 ad->u.net.dport = th->dest; 3588 break; 3589 } 3590 3591 case IPPROTO_UDP: { 3592 struct udphdr _udph, *uh; 3593 3594 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3595 if (uh == NULL) 3596 break; 3597 3598 ad->u.net.sport = uh->source; 3599 ad->u.net.dport = uh->dest; 3600 break; 3601 } 3602 3603 case IPPROTO_DCCP: { 3604 struct dccp_hdr _dccph, *dh; 3605 3606 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3607 if (dh == NULL) 3608 break; 3609 3610 ad->u.net.sport = dh->dccph_sport; 3611 ad->u.net.dport = dh->dccph_dport; 3612 break; 3613 } 3614 3615 /* includes fragments */ 3616 default: 3617 break; 3618 } 3619 out: 3620 return ret; 3621 } 3622 3623 #endif /* IPV6 */ 3624 3625 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 3626 char **_addrp, int src, u8 *proto) 3627 { 3628 char *addrp; 3629 int ret; 3630 3631 switch (ad->u.net.family) { 3632 case PF_INET: 3633 ret = selinux_parse_skb_ipv4(skb, ad, proto); 3634 if (ret) 3635 goto parse_error; 3636 addrp = (char *)(src ? &ad->u.net.v4info.saddr : 3637 &ad->u.net.v4info.daddr); 3638 goto okay; 3639 3640 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3641 case PF_INET6: 3642 ret = selinux_parse_skb_ipv6(skb, ad, proto); 3643 if (ret) 3644 goto parse_error; 3645 addrp = (char *)(src ? &ad->u.net.v6info.saddr : 3646 &ad->u.net.v6info.daddr); 3647 goto okay; 3648 #endif /* IPV6 */ 3649 default: 3650 addrp = NULL; 3651 goto okay; 3652 } 3653 3654 parse_error: 3655 printk(KERN_WARNING 3656 "SELinux: failure in selinux_parse_skb()," 3657 " unable to parse packet\n"); 3658 return ret; 3659 3660 okay: 3661 if (_addrp) 3662 *_addrp = addrp; 3663 return 0; 3664 } 3665 3666 /** 3667 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 3668 * @skb: the packet 3669 * @family: protocol family 3670 * @sid: the packet's peer label SID 3671 * 3672 * Description: 3673 * Check the various different forms of network peer labeling and determine 3674 * the peer label/SID for the packet; most of the magic actually occurs in 3675 * the security server function security_net_peersid_cmp(). The function 3676 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 3677 * or -EACCES if @sid is invalid due to inconsistencies with the different 3678 * peer labels. 3679 * 3680 */ 3681 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 3682 { 3683 int err; 3684 u32 xfrm_sid; 3685 u32 nlbl_sid; 3686 u32 nlbl_type; 3687 3688 selinux_skb_xfrm_sid(skb, &xfrm_sid); 3689 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 3690 3691 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 3692 if (unlikely(err)) { 3693 printk(KERN_WARNING 3694 "SELinux: failure in selinux_skb_peerlbl_sid()," 3695 " unable to determine packet's peer label\n"); 3696 return -EACCES; 3697 } 3698 3699 return 0; 3700 } 3701 3702 /* socket security operations */ 3703 static int socket_has_perm(struct task_struct *task, struct socket *sock, 3704 u32 perms) 3705 { 3706 struct inode_security_struct *isec; 3707 struct common_audit_data ad; 3708 u32 sid; 3709 int err = 0; 3710 3711 isec = SOCK_INODE(sock)->i_security; 3712 3713 if (isec->sid == SECINITSID_KERNEL) 3714 goto out; 3715 sid = task_sid(task); 3716 3717 COMMON_AUDIT_DATA_INIT(&ad, NET); 3718 ad.u.net.sk = sock->sk; 3719 err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 3720 3721 out: 3722 return err; 3723 } 3724 3725 static int selinux_socket_create(int family, int type, 3726 int protocol, int kern) 3727 { 3728 const struct cred *cred = current_cred(); 3729 const struct task_security_struct *tsec = cred->security; 3730 u32 sid, newsid; 3731 u16 secclass; 3732 int err = 0; 3733 3734 if (kern) 3735 goto out; 3736 3737 sid = tsec->sid; 3738 newsid = tsec->sockcreate_sid ?: sid; 3739 3740 secclass = socket_type_to_security_class(family, type, protocol); 3741 err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL); 3742 3743 out: 3744 return err; 3745 } 3746 3747 static int selinux_socket_post_create(struct socket *sock, int family, 3748 int type, int protocol, int kern) 3749 { 3750 const struct cred *cred = current_cred(); 3751 const struct task_security_struct *tsec = cred->security; 3752 struct inode_security_struct *isec; 3753 struct sk_security_struct *sksec; 3754 u32 sid, newsid; 3755 int err = 0; 3756 3757 sid = tsec->sid; 3758 newsid = tsec->sockcreate_sid; 3759 3760 isec = SOCK_INODE(sock)->i_security; 3761 3762 if (kern) 3763 isec->sid = SECINITSID_KERNEL; 3764 else if (newsid) 3765 isec->sid = newsid; 3766 else 3767 isec->sid = sid; 3768 3769 isec->sclass = socket_type_to_security_class(family, type, protocol); 3770 isec->initialized = 1; 3771 3772 if (sock->sk) { 3773 sksec = sock->sk->sk_security; 3774 sksec->sid = isec->sid; 3775 sksec->sclass = isec->sclass; 3776 err = selinux_netlbl_socket_post_create(sock->sk, family); 3777 } 3778 3779 return err; 3780 } 3781 3782 /* Range of port numbers used to automatically bind. 3783 Need to determine whether we should perform a name_bind 3784 permission check between the socket and the port number. */ 3785 3786 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 3787 { 3788 u16 family; 3789 int err; 3790 3791 err = socket_has_perm(current, sock, SOCKET__BIND); 3792 if (err) 3793 goto out; 3794 3795 /* 3796 * If PF_INET or PF_INET6, check name_bind permission for the port. 3797 * Multiple address binding for SCTP is not supported yet: we just 3798 * check the first address now. 3799 */ 3800 family = sock->sk->sk_family; 3801 if (family == PF_INET || family == PF_INET6) { 3802 char *addrp; 3803 struct inode_security_struct *isec; 3804 struct common_audit_data ad; 3805 struct sockaddr_in *addr4 = NULL; 3806 struct sockaddr_in6 *addr6 = NULL; 3807 unsigned short snum; 3808 struct sock *sk = sock->sk; 3809 u32 sid, node_perm; 3810 3811 isec = SOCK_INODE(sock)->i_security; 3812 3813 if (family == PF_INET) { 3814 addr4 = (struct sockaddr_in *)address; 3815 snum = ntohs(addr4->sin_port); 3816 addrp = (char *)&addr4->sin_addr.s_addr; 3817 } else { 3818 addr6 = (struct sockaddr_in6 *)address; 3819 snum = ntohs(addr6->sin6_port); 3820 addrp = (char *)&addr6->sin6_addr.s6_addr; 3821 } 3822 3823 if (snum) { 3824 int low, high; 3825 3826 inet_get_local_port_range(&low, &high); 3827 3828 if (snum < max(PROT_SOCK, low) || snum > high) { 3829 err = sel_netport_sid(sk->sk_protocol, 3830 snum, &sid); 3831 if (err) 3832 goto out; 3833 COMMON_AUDIT_DATA_INIT(&ad, NET); 3834 ad.u.net.sport = htons(snum); 3835 ad.u.net.family = family; 3836 err = avc_has_perm(isec->sid, sid, 3837 isec->sclass, 3838 SOCKET__NAME_BIND, &ad); 3839 if (err) 3840 goto out; 3841 } 3842 } 3843 3844 switch (isec->sclass) { 3845 case SECCLASS_TCP_SOCKET: 3846 node_perm = TCP_SOCKET__NODE_BIND; 3847 break; 3848 3849 case SECCLASS_UDP_SOCKET: 3850 node_perm = UDP_SOCKET__NODE_BIND; 3851 break; 3852 3853 case SECCLASS_DCCP_SOCKET: 3854 node_perm = DCCP_SOCKET__NODE_BIND; 3855 break; 3856 3857 default: 3858 node_perm = RAWIP_SOCKET__NODE_BIND; 3859 break; 3860 } 3861 3862 err = sel_netnode_sid(addrp, family, &sid); 3863 if (err) 3864 goto out; 3865 3866 COMMON_AUDIT_DATA_INIT(&ad, NET); 3867 ad.u.net.sport = htons(snum); 3868 ad.u.net.family = family; 3869 3870 if (family == PF_INET) 3871 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr; 3872 else 3873 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr); 3874 3875 err = avc_has_perm(isec->sid, sid, 3876 isec->sclass, node_perm, &ad); 3877 if (err) 3878 goto out; 3879 } 3880 out: 3881 return err; 3882 } 3883 3884 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 3885 { 3886 struct sock *sk = sock->sk; 3887 struct inode_security_struct *isec; 3888 int err; 3889 3890 err = socket_has_perm(current, sock, SOCKET__CONNECT); 3891 if (err) 3892 return err; 3893 3894 /* 3895 * If a TCP or DCCP socket, check name_connect permission for the port. 3896 */ 3897 isec = SOCK_INODE(sock)->i_security; 3898 if (isec->sclass == SECCLASS_TCP_SOCKET || 3899 isec->sclass == SECCLASS_DCCP_SOCKET) { 3900 struct common_audit_data ad; 3901 struct sockaddr_in *addr4 = NULL; 3902 struct sockaddr_in6 *addr6 = NULL; 3903 unsigned short snum; 3904 u32 sid, perm; 3905 3906 if (sk->sk_family == PF_INET) { 3907 addr4 = (struct sockaddr_in *)address; 3908 if (addrlen < sizeof(struct sockaddr_in)) 3909 return -EINVAL; 3910 snum = ntohs(addr4->sin_port); 3911 } else { 3912 addr6 = (struct sockaddr_in6 *)address; 3913 if (addrlen < SIN6_LEN_RFC2133) 3914 return -EINVAL; 3915 snum = ntohs(addr6->sin6_port); 3916 } 3917 3918 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 3919 if (err) 3920 goto out; 3921 3922 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? 3923 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 3924 3925 COMMON_AUDIT_DATA_INIT(&ad, NET); 3926 ad.u.net.dport = htons(snum); 3927 ad.u.net.family = sk->sk_family; 3928 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); 3929 if (err) 3930 goto out; 3931 } 3932 3933 err = selinux_netlbl_socket_connect(sk, address); 3934 3935 out: 3936 return err; 3937 } 3938 3939 static int selinux_socket_listen(struct socket *sock, int backlog) 3940 { 3941 return socket_has_perm(current, sock, SOCKET__LISTEN); 3942 } 3943 3944 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 3945 { 3946 int err; 3947 struct inode_security_struct *isec; 3948 struct inode_security_struct *newisec; 3949 3950 err = socket_has_perm(current, sock, SOCKET__ACCEPT); 3951 if (err) 3952 return err; 3953 3954 newisec = SOCK_INODE(newsock)->i_security; 3955 3956 isec = SOCK_INODE(sock)->i_security; 3957 newisec->sclass = isec->sclass; 3958 newisec->sid = isec->sid; 3959 newisec->initialized = 1; 3960 3961 return 0; 3962 } 3963 3964 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3965 int size) 3966 { 3967 return socket_has_perm(current, sock, SOCKET__WRITE); 3968 } 3969 3970 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 3971 int size, int flags) 3972 { 3973 return socket_has_perm(current, sock, SOCKET__READ); 3974 } 3975 3976 static int selinux_socket_getsockname(struct socket *sock) 3977 { 3978 return socket_has_perm(current, sock, SOCKET__GETATTR); 3979 } 3980 3981 static int selinux_socket_getpeername(struct socket *sock) 3982 { 3983 return socket_has_perm(current, sock, SOCKET__GETATTR); 3984 } 3985 3986 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 3987 { 3988 int err; 3989 3990 err = socket_has_perm(current, sock, SOCKET__SETOPT); 3991 if (err) 3992 return err; 3993 3994 return selinux_netlbl_socket_setsockopt(sock, level, optname); 3995 } 3996 3997 static int selinux_socket_getsockopt(struct socket *sock, int level, 3998 int optname) 3999 { 4000 return socket_has_perm(current, sock, SOCKET__GETOPT); 4001 } 4002 4003 static int selinux_socket_shutdown(struct socket *sock, int how) 4004 { 4005 return socket_has_perm(current, sock, SOCKET__SHUTDOWN); 4006 } 4007 4008 static int selinux_socket_unix_stream_connect(struct socket *sock, 4009 struct socket *other, 4010 struct sock *newsk) 4011 { 4012 struct sk_security_struct *ssec; 4013 struct inode_security_struct *isec; 4014 struct inode_security_struct *other_isec; 4015 struct common_audit_data ad; 4016 int err; 4017 4018 isec = SOCK_INODE(sock)->i_security; 4019 other_isec = SOCK_INODE(other)->i_security; 4020 4021 COMMON_AUDIT_DATA_INIT(&ad, NET); 4022 ad.u.net.sk = other->sk; 4023 4024 err = avc_has_perm(isec->sid, other_isec->sid, 4025 isec->sclass, 4026 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4027 if (err) 4028 return err; 4029 4030 /* connecting socket */ 4031 ssec = sock->sk->sk_security; 4032 ssec->peer_sid = other_isec->sid; 4033 4034 /* server child socket */ 4035 ssec = newsk->sk_security; 4036 ssec->peer_sid = isec->sid; 4037 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid); 4038 4039 return err; 4040 } 4041 4042 static int selinux_socket_unix_may_send(struct socket *sock, 4043 struct socket *other) 4044 { 4045 struct inode_security_struct *isec; 4046 struct inode_security_struct *other_isec; 4047 struct common_audit_data ad; 4048 int err; 4049 4050 isec = SOCK_INODE(sock)->i_security; 4051 other_isec = SOCK_INODE(other)->i_security; 4052 4053 COMMON_AUDIT_DATA_INIT(&ad, NET); 4054 ad.u.net.sk = other->sk; 4055 4056 err = avc_has_perm(isec->sid, other_isec->sid, 4057 isec->sclass, SOCKET__SENDTO, &ad); 4058 if (err) 4059 return err; 4060 4061 return 0; 4062 } 4063 4064 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, 4065 u32 peer_sid, 4066 struct common_audit_data *ad) 4067 { 4068 int err; 4069 u32 if_sid; 4070 u32 node_sid; 4071 4072 err = sel_netif_sid(ifindex, &if_sid); 4073 if (err) 4074 return err; 4075 err = avc_has_perm(peer_sid, if_sid, 4076 SECCLASS_NETIF, NETIF__INGRESS, ad); 4077 if (err) 4078 return err; 4079 4080 err = sel_netnode_sid(addrp, family, &node_sid); 4081 if (err) 4082 return err; 4083 return avc_has_perm(peer_sid, node_sid, 4084 SECCLASS_NODE, NODE__RECVFROM, ad); 4085 } 4086 4087 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4088 u16 family) 4089 { 4090 int err = 0; 4091 struct sk_security_struct *sksec = sk->sk_security; 4092 u32 peer_sid; 4093 u32 sk_sid = sksec->sid; 4094 struct common_audit_data ad; 4095 char *addrp; 4096 4097 COMMON_AUDIT_DATA_INIT(&ad, NET); 4098 ad.u.net.netif = skb->skb_iif; 4099 ad.u.net.family = family; 4100 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4101 if (err) 4102 return err; 4103 4104 if (selinux_secmark_enabled()) { 4105 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4106 PACKET__RECV, &ad); 4107 if (err) 4108 return err; 4109 } 4110 4111 if (selinux_policycap_netpeer) { 4112 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4113 if (err) 4114 return err; 4115 err = avc_has_perm(sk_sid, peer_sid, 4116 SECCLASS_PEER, PEER__RECV, &ad); 4117 if (err) 4118 selinux_netlbl_err(skb, err, 0); 4119 } else { 4120 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4121 if (err) 4122 return err; 4123 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 4124 } 4125 4126 return err; 4127 } 4128 4129 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4130 { 4131 int err; 4132 struct sk_security_struct *sksec = sk->sk_security; 4133 u16 family = sk->sk_family; 4134 u32 sk_sid = sksec->sid; 4135 struct common_audit_data ad; 4136 char *addrp; 4137 u8 secmark_active; 4138 u8 peerlbl_active; 4139 4140 if (family != PF_INET && family != PF_INET6) 4141 return 0; 4142 4143 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 4144 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4145 family = PF_INET; 4146 4147 /* If any sort of compatibility mode is enabled then handoff processing 4148 * to the selinux_sock_rcv_skb_compat() function to deal with the 4149 * special handling. We do this in an attempt to keep this function 4150 * as fast and as clean as possible. */ 4151 if (!selinux_policycap_netpeer) 4152 return selinux_sock_rcv_skb_compat(sk, skb, family); 4153 4154 secmark_active = selinux_secmark_enabled(); 4155 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); 4156 if (!secmark_active && !peerlbl_active) 4157 return 0; 4158 4159 COMMON_AUDIT_DATA_INIT(&ad, NET); 4160 ad.u.net.netif = skb->skb_iif; 4161 ad.u.net.family = family; 4162 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4163 if (err) 4164 return err; 4165 4166 if (peerlbl_active) { 4167 u32 peer_sid; 4168 4169 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4170 if (err) 4171 return err; 4172 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family, 4173 peer_sid, &ad); 4174 if (err) { 4175 selinux_netlbl_err(skb, err, 0); 4176 return err; 4177 } 4178 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 4179 PEER__RECV, &ad); 4180 if (err) 4181 selinux_netlbl_err(skb, err, 0); 4182 } 4183 4184 if (secmark_active) { 4185 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4186 PACKET__RECV, &ad); 4187 if (err) 4188 return err; 4189 } 4190 4191 return err; 4192 } 4193 4194 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 4195 int __user *optlen, unsigned len) 4196 { 4197 int err = 0; 4198 char *scontext; 4199 u32 scontext_len; 4200 struct sk_security_struct *ssec; 4201 struct inode_security_struct *isec; 4202 u32 peer_sid = SECSID_NULL; 4203 4204 isec = SOCK_INODE(sock)->i_security; 4205 4206 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 4207 isec->sclass == SECCLASS_TCP_SOCKET) { 4208 ssec = sock->sk->sk_security; 4209 peer_sid = ssec->peer_sid; 4210 } 4211 if (peer_sid == SECSID_NULL) { 4212 err = -ENOPROTOOPT; 4213 goto out; 4214 } 4215 4216 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 4217 4218 if (err) 4219 goto out; 4220 4221 if (scontext_len > len) { 4222 err = -ERANGE; 4223 goto out_len; 4224 } 4225 4226 if (copy_to_user(optval, scontext, scontext_len)) 4227 err = -EFAULT; 4228 4229 out_len: 4230 if (put_user(scontext_len, optlen)) 4231 err = -EFAULT; 4232 4233 kfree(scontext); 4234 out: 4235 return err; 4236 } 4237 4238 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 4239 { 4240 u32 peer_secid = SECSID_NULL; 4241 u16 family; 4242 4243 if (skb && skb->protocol == htons(ETH_P_IP)) 4244 family = PF_INET; 4245 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 4246 family = PF_INET6; 4247 else if (sock) 4248 family = sock->sk->sk_family; 4249 else 4250 goto out; 4251 4252 if (sock && family == PF_UNIX) 4253 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid); 4254 else if (skb) 4255 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 4256 4257 out: 4258 *secid = peer_secid; 4259 if (peer_secid == SECSID_NULL) 4260 return -EINVAL; 4261 return 0; 4262 } 4263 4264 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 4265 { 4266 return sk_alloc_security(sk, family, priority); 4267 } 4268 4269 static void selinux_sk_free_security(struct sock *sk) 4270 { 4271 sk_free_security(sk); 4272 } 4273 4274 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 4275 { 4276 struct sk_security_struct *ssec = sk->sk_security; 4277 struct sk_security_struct *newssec = newsk->sk_security; 4278 4279 newssec->sid = ssec->sid; 4280 newssec->peer_sid = ssec->peer_sid; 4281 newssec->sclass = ssec->sclass; 4282 4283 selinux_netlbl_sk_security_reset(newssec); 4284 } 4285 4286 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 4287 { 4288 if (!sk) 4289 *secid = SECINITSID_ANY_SOCKET; 4290 else { 4291 struct sk_security_struct *sksec = sk->sk_security; 4292 4293 *secid = sksec->sid; 4294 } 4295 } 4296 4297 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 4298 { 4299 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; 4300 struct sk_security_struct *sksec = sk->sk_security; 4301 4302 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 4303 sk->sk_family == PF_UNIX) 4304 isec->sid = sksec->sid; 4305 sksec->sclass = isec->sclass; 4306 } 4307 4308 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4309 struct request_sock *req) 4310 { 4311 struct sk_security_struct *sksec = sk->sk_security; 4312 int err; 4313 u16 family = sk->sk_family; 4314 u32 newsid; 4315 u32 peersid; 4316 4317 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 4318 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4319 family = PF_INET; 4320 4321 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 4322 if (err) 4323 return err; 4324 if (peersid == SECSID_NULL) { 4325 req->secid = sksec->sid; 4326 req->peer_secid = SECSID_NULL; 4327 } else { 4328 err = security_sid_mls_copy(sksec->sid, peersid, &newsid); 4329 if (err) 4330 return err; 4331 req->secid = newsid; 4332 req->peer_secid = peersid; 4333 } 4334 4335 return selinux_netlbl_inet_conn_request(req, family); 4336 } 4337 4338 static void selinux_inet_csk_clone(struct sock *newsk, 4339 const struct request_sock *req) 4340 { 4341 struct sk_security_struct *newsksec = newsk->sk_security; 4342 4343 newsksec->sid = req->secid; 4344 newsksec->peer_sid = req->peer_secid; 4345 /* NOTE: Ideally, we should also get the isec->sid for the 4346 new socket in sync, but we don't have the isec available yet. 4347 So we will wait until sock_graft to do it, by which 4348 time it will have been created and available. */ 4349 4350 /* We don't need to take any sort of lock here as we are the only 4351 * thread with access to newsksec */ 4352 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 4353 } 4354 4355 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 4356 { 4357 u16 family = sk->sk_family; 4358 struct sk_security_struct *sksec = sk->sk_security; 4359 4360 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 4361 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4362 family = PF_INET; 4363 4364 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 4365 } 4366 4367 static void selinux_req_classify_flow(const struct request_sock *req, 4368 struct flowi *fl) 4369 { 4370 fl->secid = req->secid; 4371 } 4372 4373 static int selinux_tun_dev_create(void) 4374 { 4375 u32 sid = current_sid(); 4376 4377 /* we aren't taking into account the "sockcreate" SID since the socket 4378 * that is being created here is not a socket in the traditional sense, 4379 * instead it is a private sock, accessible only to the kernel, and 4380 * representing a wide range of network traffic spanning multiple 4381 * connections unlike traditional sockets - check the TUN driver to 4382 * get a better understanding of why this socket is special */ 4383 4384 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 4385 NULL); 4386 } 4387 4388 static void selinux_tun_dev_post_create(struct sock *sk) 4389 { 4390 struct sk_security_struct *sksec = sk->sk_security; 4391 4392 /* we don't currently perform any NetLabel based labeling here and it 4393 * isn't clear that we would want to do so anyway; while we could apply 4394 * labeling without the support of the TUN user the resulting labeled 4395 * traffic from the other end of the connection would almost certainly 4396 * cause confusion to the TUN user that had no idea network labeling 4397 * protocols were being used */ 4398 4399 /* see the comments in selinux_tun_dev_create() about why we don't use 4400 * the sockcreate SID here */ 4401 4402 sksec->sid = current_sid(); 4403 sksec->sclass = SECCLASS_TUN_SOCKET; 4404 } 4405 4406 static int selinux_tun_dev_attach(struct sock *sk) 4407 { 4408 struct sk_security_struct *sksec = sk->sk_security; 4409 u32 sid = current_sid(); 4410 int err; 4411 4412 err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET, 4413 TUN_SOCKET__RELABELFROM, NULL); 4414 if (err) 4415 return err; 4416 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 4417 TUN_SOCKET__RELABELTO, NULL); 4418 if (err) 4419 return err; 4420 4421 sksec->sid = sid; 4422 4423 return 0; 4424 } 4425 4426 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 4427 { 4428 int err = 0; 4429 u32 perm; 4430 struct nlmsghdr *nlh; 4431 struct socket *sock = sk->sk_socket; 4432 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 4433 4434 if (skb->len < NLMSG_SPACE(0)) { 4435 err = -EINVAL; 4436 goto out; 4437 } 4438 nlh = nlmsg_hdr(skb); 4439 4440 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); 4441 if (err) { 4442 if (err == -EINVAL) { 4443 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR, 4444 "SELinux: unrecognized netlink message" 4445 " type=%hu for sclass=%hu\n", 4446 nlh->nlmsg_type, isec->sclass); 4447 if (!selinux_enforcing || security_get_allow_unknown()) 4448 err = 0; 4449 } 4450 4451 /* Ignore */ 4452 if (err == -ENOENT) 4453 err = 0; 4454 goto out; 4455 } 4456 4457 err = socket_has_perm(current, sock, perm); 4458 out: 4459 return err; 4460 } 4461 4462 #ifdef CONFIG_NETFILTER 4463 4464 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, 4465 u16 family) 4466 { 4467 int err; 4468 char *addrp; 4469 u32 peer_sid; 4470 struct common_audit_data ad; 4471 u8 secmark_active; 4472 u8 netlbl_active; 4473 u8 peerlbl_active; 4474 4475 if (!selinux_policycap_netpeer) 4476 return NF_ACCEPT; 4477 4478 secmark_active = selinux_secmark_enabled(); 4479 netlbl_active = netlbl_enabled(); 4480 peerlbl_active = netlbl_active || selinux_xfrm_enabled(); 4481 if (!secmark_active && !peerlbl_active) 4482 return NF_ACCEPT; 4483 4484 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 4485 return NF_DROP; 4486 4487 COMMON_AUDIT_DATA_INIT(&ad, NET); 4488 ad.u.net.netif = ifindex; 4489 ad.u.net.family = family; 4490 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 4491 return NF_DROP; 4492 4493 if (peerlbl_active) { 4494 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family, 4495 peer_sid, &ad); 4496 if (err) { 4497 selinux_netlbl_err(skb, err, 1); 4498 return NF_DROP; 4499 } 4500 } 4501 4502 if (secmark_active) 4503 if (avc_has_perm(peer_sid, skb->secmark, 4504 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 4505 return NF_DROP; 4506 4507 if (netlbl_active) 4508 /* we do this in the FORWARD path and not the POST_ROUTING 4509 * path because we want to make sure we apply the necessary 4510 * labeling before IPsec is applied so we can leverage AH 4511 * protection */ 4512 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 4513 return NF_DROP; 4514 4515 return NF_ACCEPT; 4516 } 4517 4518 static unsigned int selinux_ipv4_forward(unsigned int hooknum, 4519 struct sk_buff *skb, 4520 const struct net_device *in, 4521 const struct net_device *out, 4522 int (*okfn)(struct sk_buff *)) 4523 { 4524 return selinux_ip_forward(skb, in->ifindex, PF_INET); 4525 } 4526 4527 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4528 static unsigned int selinux_ipv6_forward(unsigned int hooknum, 4529 struct sk_buff *skb, 4530 const struct net_device *in, 4531 const struct net_device *out, 4532 int (*okfn)(struct sk_buff *)) 4533 { 4534 return selinux_ip_forward(skb, in->ifindex, PF_INET6); 4535 } 4536 #endif /* IPV6 */ 4537 4538 static unsigned int selinux_ip_output(struct sk_buff *skb, 4539 u16 family) 4540 { 4541 u32 sid; 4542 4543 if (!netlbl_enabled()) 4544 return NF_ACCEPT; 4545 4546 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 4547 * because we want to make sure we apply the necessary labeling 4548 * before IPsec is applied so we can leverage AH protection */ 4549 if (skb->sk) { 4550 struct sk_security_struct *sksec = skb->sk->sk_security; 4551 sid = sksec->sid; 4552 } else 4553 sid = SECINITSID_KERNEL; 4554 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 4555 return NF_DROP; 4556 4557 return NF_ACCEPT; 4558 } 4559 4560 static unsigned int selinux_ipv4_output(unsigned int hooknum, 4561 struct sk_buff *skb, 4562 const struct net_device *in, 4563 const struct net_device *out, 4564 int (*okfn)(struct sk_buff *)) 4565 { 4566 return selinux_ip_output(skb, PF_INET); 4567 } 4568 4569 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 4570 int ifindex, 4571 u16 family) 4572 { 4573 struct sock *sk = skb->sk; 4574 struct sk_security_struct *sksec; 4575 struct common_audit_data ad; 4576 char *addrp; 4577 u8 proto; 4578 4579 if (sk == NULL) 4580 return NF_ACCEPT; 4581 sksec = sk->sk_security; 4582 4583 COMMON_AUDIT_DATA_INIT(&ad, NET); 4584 ad.u.net.netif = ifindex; 4585 ad.u.net.family = family; 4586 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 4587 return NF_DROP; 4588 4589 if (selinux_secmark_enabled()) 4590 if (avc_has_perm(sksec->sid, skb->secmark, 4591 SECCLASS_PACKET, PACKET__SEND, &ad)) 4592 return NF_DROP; 4593 4594 if (selinux_policycap_netpeer) 4595 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 4596 return NF_DROP; 4597 4598 return NF_ACCEPT; 4599 } 4600 4601 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, 4602 u16 family) 4603 { 4604 u32 secmark_perm; 4605 u32 peer_sid; 4606 struct sock *sk; 4607 struct common_audit_data ad; 4608 char *addrp; 4609 u8 secmark_active; 4610 u8 peerlbl_active; 4611 4612 /* If any sort of compatibility mode is enabled then handoff processing 4613 * to the selinux_ip_postroute_compat() function to deal with the 4614 * special handling. We do this in an attempt to keep this function 4615 * as fast and as clean as possible. */ 4616 if (!selinux_policycap_netpeer) 4617 return selinux_ip_postroute_compat(skb, ifindex, family); 4618 #ifdef CONFIG_XFRM 4619 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 4620 * packet transformation so allow the packet to pass without any checks 4621 * since we'll have another chance to perform access control checks 4622 * when the packet is on it's final way out. 4623 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 4624 * is NULL, in this case go ahead and apply access control. */ 4625 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL) 4626 return NF_ACCEPT; 4627 #endif 4628 secmark_active = selinux_secmark_enabled(); 4629 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); 4630 if (!secmark_active && !peerlbl_active) 4631 return NF_ACCEPT; 4632 4633 /* if the packet is being forwarded then get the peer label from the 4634 * packet itself; otherwise check to see if it is from a local 4635 * application or the kernel, if from an application get the peer label 4636 * from the sending socket, otherwise use the kernel's sid */ 4637 sk = skb->sk; 4638 if (sk == NULL) { 4639 switch (family) { 4640 case PF_INET: 4641 if (IPCB(skb)->flags & IPSKB_FORWARDED) 4642 secmark_perm = PACKET__FORWARD_OUT; 4643 else 4644 secmark_perm = PACKET__SEND; 4645 break; 4646 case PF_INET6: 4647 if (IP6CB(skb)->flags & IP6SKB_FORWARDED) 4648 secmark_perm = PACKET__FORWARD_OUT; 4649 else 4650 secmark_perm = PACKET__SEND; 4651 break; 4652 default: 4653 return NF_DROP; 4654 } 4655 if (secmark_perm == PACKET__FORWARD_OUT) { 4656 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 4657 return NF_DROP; 4658 } else 4659 peer_sid = SECINITSID_KERNEL; 4660 } else { 4661 struct sk_security_struct *sksec = sk->sk_security; 4662 peer_sid = sksec->sid; 4663 secmark_perm = PACKET__SEND; 4664 } 4665 4666 COMMON_AUDIT_DATA_INIT(&ad, NET); 4667 ad.u.net.netif = ifindex; 4668 ad.u.net.family = family; 4669 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 4670 return NF_DROP; 4671 4672 if (secmark_active) 4673 if (avc_has_perm(peer_sid, skb->secmark, 4674 SECCLASS_PACKET, secmark_perm, &ad)) 4675 return NF_DROP; 4676 4677 if (peerlbl_active) { 4678 u32 if_sid; 4679 u32 node_sid; 4680 4681 if (sel_netif_sid(ifindex, &if_sid)) 4682 return NF_DROP; 4683 if (avc_has_perm(peer_sid, if_sid, 4684 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 4685 return NF_DROP; 4686 4687 if (sel_netnode_sid(addrp, family, &node_sid)) 4688 return NF_DROP; 4689 if (avc_has_perm(peer_sid, node_sid, 4690 SECCLASS_NODE, NODE__SENDTO, &ad)) 4691 return NF_DROP; 4692 } 4693 4694 return NF_ACCEPT; 4695 } 4696 4697 static unsigned int selinux_ipv4_postroute(unsigned int hooknum, 4698 struct sk_buff *skb, 4699 const struct net_device *in, 4700 const struct net_device *out, 4701 int (*okfn)(struct sk_buff *)) 4702 { 4703 return selinux_ip_postroute(skb, out->ifindex, PF_INET); 4704 } 4705 4706 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4707 static unsigned int selinux_ipv6_postroute(unsigned int hooknum, 4708 struct sk_buff *skb, 4709 const struct net_device *in, 4710 const struct net_device *out, 4711 int (*okfn)(struct sk_buff *)) 4712 { 4713 return selinux_ip_postroute(skb, out->ifindex, PF_INET6); 4714 } 4715 #endif /* IPV6 */ 4716 4717 #endif /* CONFIG_NETFILTER */ 4718 4719 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 4720 { 4721 int err; 4722 4723 err = cap_netlink_send(sk, skb); 4724 if (err) 4725 return err; 4726 4727 return selinux_nlmsg_perm(sk, skb); 4728 } 4729 4730 static int selinux_netlink_recv(struct sk_buff *skb, int capability) 4731 { 4732 int err; 4733 struct common_audit_data ad; 4734 4735 err = cap_netlink_recv(skb, capability); 4736 if (err) 4737 return err; 4738 4739 COMMON_AUDIT_DATA_INIT(&ad, CAP); 4740 ad.u.cap = capability; 4741 4742 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, 4743 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad); 4744 } 4745 4746 static int ipc_alloc_security(struct task_struct *task, 4747 struct kern_ipc_perm *perm, 4748 u16 sclass) 4749 { 4750 struct ipc_security_struct *isec; 4751 u32 sid; 4752 4753 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 4754 if (!isec) 4755 return -ENOMEM; 4756 4757 sid = task_sid(task); 4758 isec->sclass = sclass; 4759 isec->sid = sid; 4760 perm->security = isec; 4761 4762 return 0; 4763 } 4764 4765 static void ipc_free_security(struct kern_ipc_perm *perm) 4766 { 4767 struct ipc_security_struct *isec = perm->security; 4768 perm->security = NULL; 4769 kfree(isec); 4770 } 4771 4772 static int msg_msg_alloc_security(struct msg_msg *msg) 4773 { 4774 struct msg_security_struct *msec; 4775 4776 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 4777 if (!msec) 4778 return -ENOMEM; 4779 4780 msec->sid = SECINITSID_UNLABELED; 4781 msg->security = msec; 4782 4783 return 0; 4784 } 4785 4786 static void msg_msg_free_security(struct msg_msg *msg) 4787 { 4788 struct msg_security_struct *msec = msg->security; 4789 4790 msg->security = NULL; 4791 kfree(msec); 4792 } 4793 4794 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 4795 u32 perms) 4796 { 4797 struct ipc_security_struct *isec; 4798 struct common_audit_data ad; 4799 u32 sid = current_sid(); 4800 4801 isec = ipc_perms->security; 4802 4803 COMMON_AUDIT_DATA_INIT(&ad, IPC); 4804 ad.u.ipc_id = ipc_perms->key; 4805 4806 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 4807 } 4808 4809 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 4810 { 4811 return msg_msg_alloc_security(msg); 4812 } 4813 4814 static void selinux_msg_msg_free_security(struct msg_msg *msg) 4815 { 4816 msg_msg_free_security(msg); 4817 } 4818 4819 /* message queue security operations */ 4820 static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 4821 { 4822 struct ipc_security_struct *isec; 4823 struct common_audit_data ad; 4824 u32 sid = current_sid(); 4825 int rc; 4826 4827 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ); 4828 if (rc) 4829 return rc; 4830 4831 isec = msq->q_perm.security; 4832 4833 COMMON_AUDIT_DATA_INIT(&ad, IPC); 4834 ad.u.ipc_id = msq->q_perm.key; 4835 4836 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 4837 MSGQ__CREATE, &ad); 4838 if (rc) { 4839 ipc_free_security(&msq->q_perm); 4840 return rc; 4841 } 4842 return 0; 4843 } 4844 4845 static void selinux_msg_queue_free_security(struct msg_queue *msq) 4846 { 4847 ipc_free_security(&msq->q_perm); 4848 } 4849 4850 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 4851 { 4852 struct ipc_security_struct *isec; 4853 struct common_audit_data ad; 4854 u32 sid = current_sid(); 4855 4856 isec = msq->q_perm.security; 4857 4858 COMMON_AUDIT_DATA_INIT(&ad, IPC); 4859 ad.u.ipc_id = msq->q_perm.key; 4860 4861 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 4862 MSGQ__ASSOCIATE, &ad); 4863 } 4864 4865 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 4866 { 4867 int err; 4868 int perms; 4869 4870 switch (cmd) { 4871 case IPC_INFO: 4872 case MSG_INFO: 4873 /* No specific object, just general system-wide information. */ 4874 return task_has_system(current, SYSTEM__IPC_INFO); 4875 case IPC_STAT: 4876 case MSG_STAT: 4877 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 4878 break; 4879 case IPC_SET: 4880 perms = MSGQ__SETATTR; 4881 break; 4882 case IPC_RMID: 4883 perms = MSGQ__DESTROY; 4884 break; 4885 default: 4886 return 0; 4887 } 4888 4889 err = ipc_has_perm(&msq->q_perm, perms); 4890 return err; 4891 } 4892 4893 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 4894 { 4895 struct ipc_security_struct *isec; 4896 struct msg_security_struct *msec; 4897 struct common_audit_data ad; 4898 u32 sid = current_sid(); 4899 int rc; 4900 4901 isec = msq->q_perm.security; 4902 msec = msg->security; 4903 4904 /* 4905 * First time through, need to assign label to the message 4906 */ 4907 if (msec->sid == SECINITSID_UNLABELED) { 4908 /* 4909 * Compute new sid based on current process and 4910 * message queue this message will be stored in 4911 */ 4912 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG, 4913 &msec->sid); 4914 if (rc) 4915 return rc; 4916 } 4917 4918 COMMON_AUDIT_DATA_INIT(&ad, IPC); 4919 ad.u.ipc_id = msq->q_perm.key; 4920 4921 /* Can this process write to the queue? */ 4922 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 4923 MSGQ__WRITE, &ad); 4924 if (!rc) 4925 /* Can this process send the message */ 4926 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 4927 MSG__SEND, &ad); 4928 if (!rc) 4929 /* Can the message be put in the queue? */ 4930 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 4931 MSGQ__ENQUEUE, &ad); 4932 4933 return rc; 4934 } 4935 4936 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 4937 struct task_struct *target, 4938 long type, int mode) 4939 { 4940 struct ipc_security_struct *isec; 4941 struct msg_security_struct *msec; 4942 struct common_audit_data ad; 4943 u32 sid = task_sid(target); 4944 int rc; 4945 4946 isec = msq->q_perm.security; 4947 msec = msg->security; 4948 4949 COMMON_AUDIT_DATA_INIT(&ad, IPC); 4950 ad.u.ipc_id = msq->q_perm.key; 4951 4952 rc = avc_has_perm(sid, isec->sid, 4953 SECCLASS_MSGQ, MSGQ__READ, &ad); 4954 if (!rc) 4955 rc = avc_has_perm(sid, msec->sid, 4956 SECCLASS_MSG, MSG__RECEIVE, &ad); 4957 return rc; 4958 } 4959 4960 /* Shared Memory security operations */ 4961 static int selinux_shm_alloc_security(struct shmid_kernel *shp) 4962 { 4963 struct ipc_security_struct *isec; 4964 struct common_audit_data ad; 4965 u32 sid = current_sid(); 4966 int rc; 4967 4968 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM); 4969 if (rc) 4970 return rc; 4971 4972 isec = shp->shm_perm.security; 4973 4974 COMMON_AUDIT_DATA_INIT(&ad, IPC); 4975 ad.u.ipc_id = shp->shm_perm.key; 4976 4977 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 4978 SHM__CREATE, &ad); 4979 if (rc) { 4980 ipc_free_security(&shp->shm_perm); 4981 return rc; 4982 } 4983 return 0; 4984 } 4985 4986 static void selinux_shm_free_security(struct shmid_kernel *shp) 4987 { 4988 ipc_free_security(&shp->shm_perm); 4989 } 4990 4991 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 4992 { 4993 struct ipc_security_struct *isec; 4994 struct common_audit_data ad; 4995 u32 sid = current_sid(); 4996 4997 isec = shp->shm_perm.security; 4998 4999 COMMON_AUDIT_DATA_INIT(&ad, IPC); 5000 ad.u.ipc_id = shp->shm_perm.key; 5001 5002 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5003 SHM__ASSOCIATE, &ad); 5004 } 5005 5006 /* Note, at this point, shp is locked down */ 5007 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 5008 { 5009 int perms; 5010 int err; 5011 5012 switch (cmd) { 5013 case IPC_INFO: 5014 case SHM_INFO: 5015 /* No specific object, just general system-wide information. */ 5016 return task_has_system(current, SYSTEM__IPC_INFO); 5017 case IPC_STAT: 5018 case SHM_STAT: 5019 perms = SHM__GETATTR | SHM__ASSOCIATE; 5020 break; 5021 case IPC_SET: 5022 perms = SHM__SETATTR; 5023 break; 5024 case SHM_LOCK: 5025 case SHM_UNLOCK: 5026 perms = SHM__LOCK; 5027 break; 5028 case IPC_RMID: 5029 perms = SHM__DESTROY; 5030 break; 5031 default: 5032 return 0; 5033 } 5034 5035 err = ipc_has_perm(&shp->shm_perm, perms); 5036 return err; 5037 } 5038 5039 static int selinux_shm_shmat(struct shmid_kernel *shp, 5040 char __user *shmaddr, int shmflg) 5041 { 5042 u32 perms; 5043 5044 if (shmflg & SHM_RDONLY) 5045 perms = SHM__READ; 5046 else 5047 perms = SHM__READ | SHM__WRITE; 5048 5049 return ipc_has_perm(&shp->shm_perm, perms); 5050 } 5051 5052 /* Semaphore security operations */ 5053 static int selinux_sem_alloc_security(struct sem_array *sma) 5054 { 5055 struct ipc_security_struct *isec; 5056 struct common_audit_data ad; 5057 u32 sid = current_sid(); 5058 int rc; 5059 5060 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM); 5061 if (rc) 5062 return rc; 5063 5064 isec = sma->sem_perm.security; 5065 5066 COMMON_AUDIT_DATA_INIT(&ad, IPC); 5067 ad.u.ipc_id = sma->sem_perm.key; 5068 5069 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5070 SEM__CREATE, &ad); 5071 if (rc) { 5072 ipc_free_security(&sma->sem_perm); 5073 return rc; 5074 } 5075 return 0; 5076 } 5077 5078 static void selinux_sem_free_security(struct sem_array *sma) 5079 { 5080 ipc_free_security(&sma->sem_perm); 5081 } 5082 5083 static int selinux_sem_associate(struct sem_array *sma, int semflg) 5084 { 5085 struct ipc_security_struct *isec; 5086 struct common_audit_data ad; 5087 u32 sid = current_sid(); 5088 5089 isec = sma->sem_perm.security; 5090 5091 COMMON_AUDIT_DATA_INIT(&ad, IPC); 5092 ad.u.ipc_id = sma->sem_perm.key; 5093 5094 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5095 SEM__ASSOCIATE, &ad); 5096 } 5097 5098 /* Note, at this point, sma is locked down */ 5099 static int selinux_sem_semctl(struct sem_array *sma, int cmd) 5100 { 5101 int err; 5102 u32 perms; 5103 5104 switch (cmd) { 5105 case IPC_INFO: 5106 case SEM_INFO: 5107 /* No specific object, just general system-wide information. */ 5108 return task_has_system(current, SYSTEM__IPC_INFO); 5109 case GETPID: 5110 case GETNCNT: 5111 case GETZCNT: 5112 perms = SEM__GETATTR; 5113 break; 5114 case GETVAL: 5115 case GETALL: 5116 perms = SEM__READ; 5117 break; 5118 case SETVAL: 5119 case SETALL: 5120 perms = SEM__WRITE; 5121 break; 5122 case IPC_RMID: 5123 perms = SEM__DESTROY; 5124 break; 5125 case IPC_SET: 5126 perms = SEM__SETATTR; 5127 break; 5128 case IPC_STAT: 5129 case SEM_STAT: 5130 perms = SEM__GETATTR | SEM__ASSOCIATE; 5131 break; 5132 default: 5133 return 0; 5134 } 5135 5136 err = ipc_has_perm(&sma->sem_perm, perms); 5137 return err; 5138 } 5139 5140 static int selinux_sem_semop(struct sem_array *sma, 5141 struct sembuf *sops, unsigned nsops, int alter) 5142 { 5143 u32 perms; 5144 5145 if (alter) 5146 perms = SEM__READ | SEM__WRITE; 5147 else 5148 perms = SEM__READ; 5149 5150 return ipc_has_perm(&sma->sem_perm, perms); 5151 } 5152 5153 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 5154 { 5155 u32 av = 0; 5156 5157 av = 0; 5158 if (flag & S_IRUGO) 5159 av |= IPC__UNIX_READ; 5160 if (flag & S_IWUGO) 5161 av |= IPC__UNIX_WRITE; 5162 5163 if (av == 0) 5164 return 0; 5165 5166 return ipc_has_perm(ipcp, av); 5167 } 5168 5169 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 5170 { 5171 struct ipc_security_struct *isec = ipcp->security; 5172 *secid = isec->sid; 5173 } 5174 5175 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 5176 { 5177 if (inode) 5178 inode_doinit_with_dentry(inode, dentry); 5179 } 5180 5181 static int selinux_getprocattr(struct task_struct *p, 5182 char *name, char **value) 5183 { 5184 const struct task_security_struct *__tsec; 5185 u32 sid; 5186 int error; 5187 unsigned len; 5188 5189 if (current != p) { 5190 error = current_has_perm(p, PROCESS__GETATTR); 5191 if (error) 5192 return error; 5193 } 5194 5195 rcu_read_lock(); 5196 __tsec = __task_cred(p)->security; 5197 5198 if (!strcmp(name, "current")) 5199 sid = __tsec->sid; 5200 else if (!strcmp(name, "prev")) 5201 sid = __tsec->osid; 5202 else if (!strcmp(name, "exec")) 5203 sid = __tsec->exec_sid; 5204 else if (!strcmp(name, "fscreate")) 5205 sid = __tsec->create_sid; 5206 else if (!strcmp(name, "keycreate")) 5207 sid = __tsec->keycreate_sid; 5208 else if (!strcmp(name, "sockcreate")) 5209 sid = __tsec->sockcreate_sid; 5210 else 5211 goto invalid; 5212 rcu_read_unlock(); 5213 5214 if (!sid) 5215 return 0; 5216 5217 error = security_sid_to_context(sid, value, &len); 5218 if (error) 5219 return error; 5220 return len; 5221 5222 invalid: 5223 rcu_read_unlock(); 5224 return -EINVAL; 5225 } 5226 5227 static int selinux_setprocattr(struct task_struct *p, 5228 char *name, void *value, size_t size) 5229 { 5230 struct task_security_struct *tsec; 5231 struct task_struct *tracer; 5232 struct cred *new; 5233 u32 sid = 0, ptsid; 5234 int error; 5235 char *str = value; 5236 5237 if (current != p) { 5238 /* SELinux only allows a process to change its own 5239 security attributes. */ 5240 return -EACCES; 5241 } 5242 5243 /* 5244 * Basic control over ability to set these attributes at all. 5245 * current == p, but we'll pass them separately in case the 5246 * above restriction is ever removed. 5247 */ 5248 if (!strcmp(name, "exec")) 5249 error = current_has_perm(p, PROCESS__SETEXEC); 5250 else if (!strcmp(name, "fscreate")) 5251 error = current_has_perm(p, PROCESS__SETFSCREATE); 5252 else if (!strcmp(name, "keycreate")) 5253 error = current_has_perm(p, PROCESS__SETKEYCREATE); 5254 else if (!strcmp(name, "sockcreate")) 5255 error = current_has_perm(p, PROCESS__SETSOCKCREATE); 5256 else if (!strcmp(name, "current")) 5257 error = current_has_perm(p, PROCESS__SETCURRENT); 5258 else 5259 error = -EINVAL; 5260 if (error) 5261 return error; 5262 5263 /* Obtain a SID for the context, if one was specified. */ 5264 if (size && str[1] && str[1] != '\n') { 5265 if (str[size-1] == '\n') { 5266 str[size-1] = 0; 5267 size--; 5268 } 5269 error = security_context_to_sid(value, size, &sid); 5270 if (error == -EINVAL && !strcmp(name, "fscreate")) { 5271 if (!capable(CAP_MAC_ADMIN)) 5272 return error; 5273 error = security_context_to_sid_force(value, size, 5274 &sid); 5275 } 5276 if (error) 5277 return error; 5278 } 5279 5280 new = prepare_creds(); 5281 if (!new) 5282 return -ENOMEM; 5283 5284 /* Permission checking based on the specified context is 5285 performed during the actual operation (execve, 5286 open/mkdir/...), when we know the full context of the 5287 operation. See selinux_bprm_set_creds for the execve 5288 checks and may_create for the file creation checks. The 5289 operation will then fail if the context is not permitted. */ 5290 tsec = new->security; 5291 if (!strcmp(name, "exec")) { 5292 tsec->exec_sid = sid; 5293 } else if (!strcmp(name, "fscreate")) { 5294 tsec->create_sid = sid; 5295 } else if (!strcmp(name, "keycreate")) { 5296 error = may_create_key(sid, p); 5297 if (error) 5298 goto abort_change; 5299 tsec->keycreate_sid = sid; 5300 } else if (!strcmp(name, "sockcreate")) { 5301 tsec->sockcreate_sid = sid; 5302 } else if (!strcmp(name, "current")) { 5303 error = -EINVAL; 5304 if (sid == 0) 5305 goto abort_change; 5306 5307 /* Only allow single threaded processes to change context */ 5308 error = -EPERM; 5309 if (!current_is_single_threaded()) { 5310 error = security_bounded_transition(tsec->sid, sid); 5311 if (error) 5312 goto abort_change; 5313 } 5314 5315 /* Check permissions for the transition. */ 5316 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 5317 PROCESS__DYNTRANSITION, NULL); 5318 if (error) 5319 goto abort_change; 5320 5321 /* Check for ptracing, and update the task SID if ok. 5322 Otherwise, leave SID unchanged and fail. */ 5323 ptsid = 0; 5324 task_lock(p); 5325 tracer = tracehook_tracer_task(p); 5326 if (tracer) 5327 ptsid = task_sid(tracer); 5328 task_unlock(p); 5329 5330 if (tracer) { 5331 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 5332 PROCESS__PTRACE, NULL); 5333 if (error) 5334 goto abort_change; 5335 } 5336 5337 tsec->sid = sid; 5338 } else { 5339 error = -EINVAL; 5340 goto abort_change; 5341 } 5342 5343 commit_creds(new); 5344 return size; 5345 5346 abort_change: 5347 abort_creds(new); 5348 return error; 5349 } 5350 5351 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 5352 { 5353 return security_sid_to_context(secid, secdata, seclen); 5354 } 5355 5356 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 5357 { 5358 return security_context_to_sid(secdata, seclen, secid); 5359 } 5360 5361 static void selinux_release_secctx(char *secdata, u32 seclen) 5362 { 5363 kfree(secdata); 5364 } 5365 5366 /* 5367 * called with inode->i_mutex locked 5368 */ 5369 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 5370 { 5371 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); 5372 } 5373 5374 /* 5375 * called with inode->i_mutex locked 5376 */ 5377 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 5378 { 5379 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 5380 } 5381 5382 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 5383 { 5384 int len = 0; 5385 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 5386 ctx, true); 5387 if (len < 0) 5388 return len; 5389 *ctxlen = len; 5390 return 0; 5391 } 5392 #ifdef CONFIG_KEYS 5393 5394 static int selinux_key_alloc(struct key *k, const struct cred *cred, 5395 unsigned long flags) 5396 { 5397 const struct task_security_struct *tsec; 5398 struct key_security_struct *ksec; 5399 5400 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 5401 if (!ksec) 5402 return -ENOMEM; 5403 5404 tsec = cred->security; 5405 if (tsec->keycreate_sid) 5406 ksec->sid = tsec->keycreate_sid; 5407 else 5408 ksec->sid = tsec->sid; 5409 5410 k->security = ksec; 5411 return 0; 5412 } 5413 5414 static void selinux_key_free(struct key *k) 5415 { 5416 struct key_security_struct *ksec = k->security; 5417 5418 k->security = NULL; 5419 kfree(ksec); 5420 } 5421 5422 static int selinux_key_permission(key_ref_t key_ref, 5423 const struct cred *cred, 5424 key_perm_t perm) 5425 { 5426 struct key *key; 5427 struct key_security_struct *ksec; 5428 u32 sid; 5429 5430 /* if no specific permissions are requested, we skip the 5431 permission check. No serious, additional covert channels 5432 appear to be created. */ 5433 if (perm == 0) 5434 return 0; 5435 5436 sid = cred_sid(cred); 5437 5438 key = key_ref_to_ptr(key_ref); 5439 ksec = key->security; 5440 5441 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 5442 } 5443 5444 static int selinux_key_getsecurity(struct key *key, char **_buffer) 5445 { 5446 struct key_security_struct *ksec = key->security; 5447 char *context = NULL; 5448 unsigned len; 5449 int rc; 5450 5451 rc = security_sid_to_context(ksec->sid, &context, &len); 5452 if (!rc) 5453 rc = len; 5454 *_buffer = context; 5455 return rc; 5456 } 5457 5458 #endif 5459 5460 static struct security_operations selinux_ops = { 5461 .name = "selinux", 5462 5463 .ptrace_access_check = selinux_ptrace_access_check, 5464 .ptrace_traceme = selinux_ptrace_traceme, 5465 .capget = selinux_capget, 5466 .capset = selinux_capset, 5467 .sysctl = selinux_sysctl, 5468 .capable = selinux_capable, 5469 .quotactl = selinux_quotactl, 5470 .quota_on = selinux_quota_on, 5471 .syslog = selinux_syslog, 5472 .vm_enough_memory = selinux_vm_enough_memory, 5473 5474 .netlink_send = selinux_netlink_send, 5475 .netlink_recv = selinux_netlink_recv, 5476 5477 .bprm_set_creds = selinux_bprm_set_creds, 5478 .bprm_committing_creds = selinux_bprm_committing_creds, 5479 .bprm_committed_creds = selinux_bprm_committed_creds, 5480 .bprm_secureexec = selinux_bprm_secureexec, 5481 5482 .sb_alloc_security = selinux_sb_alloc_security, 5483 .sb_free_security = selinux_sb_free_security, 5484 .sb_copy_data = selinux_sb_copy_data, 5485 .sb_kern_mount = selinux_sb_kern_mount, 5486 .sb_show_options = selinux_sb_show_options, 5487 .sb_statfs = selinux_sb_statfs, 5488 .sb_mount = selinux_mount, 5489 .sb_umount = selinux_umount, 5490 .sb_set_mnt_opts = selinux_set_mnt_opts, 5491 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts, 5492 .sb_parse_opts_str = selinux_parse_opts_str, 5493 5494 5495 .inode_alloc_security = selinux_inode_alloc_security, 5496 .inode_free_security = selinux_inode_free_security, 5497 .inode_init_security = selinux_inode_init_security, 5498 .inode_create = selinux_inode_create, 5499 .inode_link = selinux_inode_link, 5500 .inode_unlink = selinux_inode_unlink, 5501 .inode_symlink = selinux_inode_symlink, 5502 .inode_mkdir = selinux_inode_mkdir, 5503 .inode_rmdir = selinux_inode_rmdir, 5504 .inode_mknod = selinux_inode_mknod, 5505 .inode_rename = selinux_inode_rename, 5506 .inode_readlink = selinux_inode_readlink, 5507 .inode_follow_link = selinux_inode_follow_link, 5508 .inode_permission = selinux_inode_permission, 5509 .inode_setattr = selinux_inode_setattr, 5510 .inode_getattr = selinux_inode_getattr, 5511 .inode_setxattr = selinux_inode_setxattr, 5512 .inode_post_setxattr = selinux_inode_post_setxattr, 5513 .inode_getxattr = selinux_inode_getxattr, 5514 .inode_listxattr = selinux_inode_listxattr, 5515 .inode_removexattr = selinux_inode_removexattr, 5516 .inode_getsecurity = selinux_inode_getsecurity, 5517 .inode_setsecurity = selinux_inode_setsecurity, 5518 .inode_listsecurity = selinux_inode_listsecurity, 5519 .inode_getsecid = selinux_inode_getsecid, 5520 5521 .file_permission = selinux_file_permission, 5522 .file_alloc_security = selinux_file_alloc_security, 5523 .file_free_security = selinux_file_free_security, 5524 .file_ioctl = selinux_file_ioctl, 5525 .file_mmap = selinux_file_mmap, 5526 .file_mprotect = selinux_file_mprotect, 5527 .file_lock = selinux_file_lock, 5528 .file_fcntl = selinux_file_fcntl, 5529 .file_set_fowner = selinux_file_set_fowner, 5530 .file_send_sigiotask = selinux_file_send_sigiotask, 5531 .file_receive = selinux_file_receive, 5532 5533 .dentry_open = selinux_dentry_open, 5534 5535 .task_create = selinux_task_create, 5536 .cred_alloc_blank = selinux_cred_alloc_blank, 5537 .cred_free = selinux_cred_free, 5538 .cred_prepare = selinux_cred_prepare, 5539 .cred_transfer = selinux_cred_transfer, 5540 .kernel_act_as = selinux_kernel_act_as, 5541 .kernel_create_files_as = selinux_kernel_create_files_as, 5542 .kernel_module_request = selinux_kernel_module_request, 5543 .task_setpgid = selinux_task_setpgid, 5544 .task_getpgid = selinux_task_getpgid, 5545 .task_getsid = selinux_task_getsid, 5546 .task_getsecid = selinux_task_getsecid, 5547 .task_setnice = selinux_task_setnice, 5548 .task_setioprio = selinux_task_setioprio, 5549 .task_getioprio = selinux_task_getioprio, 5550 .task_setrlimit = selinux_task_setrlimit, 5551 .task_setscheduler = selinux_task_setscheduler, 5552 .task_getscheduler = selinux_task_getscheduler, 5553 .task_movememory = selinux_task_movememory, 5554 .task_kill = selinux_task_kill, 5555 .task_wait = selinux_task_wait, 5556 .task_to_inode = selinux_task_to_inode, 5557 5558 .ipc_permission = selinux_ipc_permission, 5559 .ipc_getsecid = selinux_ipc_getsecid, 5560 5561 .msg_msg_alloc_security = selinux_msg_msg_alloc_security, 5562 .msg_msg_free_security = selinux_msg_msg_free_security, 5563 5564 .msg_queue_alloc_security = selinux_msg_queue_alloc_security, 5565 .msg_queue_free_security = selinux_msg_queue_free_security, 5566 .msg_queue_associate = selinux_msg_queue_associate, 5567 .msg_queue_msgctl = selinux_msg_queue_msgctl, 5568 .msg_queue_msgsnd = selinux_msg_queue_msgsnd, 5569 .msg_queue_msgrcv = selinux_msg_queue_msgrcv, 5570 5571 .shm_alloc_security = selinux_shm_alloc_security, 5572 .shm_free_security = selinux_shm_free_security, 5573 .shm_associate = selinux_shm_associate, 5574 .shm_shmctl = selinux_shm_shmctl, 5575 .shm_shmat = selinux_shm_shmat, 5576 5577 .sem_alloc_security = selinux_sem_alloc_security, 5578 .sem_free_security = selinux_sem_free_security, 5579 .sem_associate = selinux_sem_associate, 5580 .sem_semctl = selinux_sem_semctl, 5581 .sem_semop = selinux_sem_semop, 5582 5583 .d_instantiate = selinux_d_instantiate, 5584 5585 .getprocattr = selinux_getprocattr, 5586 .setprocattr = selinux_setprocattr, 5587 5588 .secid_to_secctx = selinux_secid_to_secctx, 5589 .secctx_to_secid = selinux_secctx_to_secid, 5590 .release_secctx = selinux_release_secctx, 5591 .inode_notifysecctx = selinux_inode_notifysecctx, 5592 .inode_setsecctx = selinux_inode_setsecctx, 5593 .inode_getsecctx = selinux_inode_getsecctx, 5594 5595 .unix_stream_connect = selinux_socket_unix_stream_connect, 5596 .unix_may_send = selinux_socket_unix_may_send, 5597 5598 .socket_create = selinux_socket_create, 5599 .socket_post_create = selinux_socket_post_create, 5600 .socket_bind = selinux_socket_bind, 5601 .socket_connect = selinux_socket_connect, 5602 .socket_listen = selinux_socket_listen, 5603 .socket_accept = selinux_socket_accept, 5604 .socket_sendmsg = selinux_socket_sendmsg, 5605 .socket_recvmsg = selinux_socket_recvmsg, 5606 .socket_getsockname = selinux_socket_getsockname, 5607 .socket_getpeername = selinux_socket_getpeername, 5608 .socket_getsockopt = selinux_socket_getsockopt, 5609 .socket_setsockopt = selinux_socket_setsockopt, 5610 .socket_shutdown = selinux_socket_shutdown, 5611 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb, 5612 .socket_getpeersec_stream = selinux_socket_getpeersec_stream, 5613 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram, 5614 .sk_alloc_security = selinux_sk_alloc_security, 5615 .sk_free_security = selinux_sk_free_security, 5616 .sk_clone_security = selinux_sk_clone_security, 5617 .sk_getsecid = selinux_sk_getsecid, 5618 .sock_graft = selinux_sock_graft, 5619 .inet_conn_request = selinux_inet_conn_request, 5620 .inet_csk_clone = selinux_inet_csk_clone, 5621 .inet_conn_established = selinux_inet_conn_established, 5622 .req_classify_flow = selinux_req_classify_flow, 5623 .tun_dev_create = selinux_tun_dev_create, 5624 .tun_dev_post_create = selinux_tun_dev_post_create, 5625 .tun_dev_attach = selinux_tun_dev_attach, 5626 5627 #ifdef CONFIG_SECURITY_NETWORK_XFRM 5628 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, 5629 .xfrm_policy_clone_security = selinux_xfrm_policy_clone, 5630 .xfrm_policy_free_security = selinux_xfrm_policy_free, 5631 .xfrm_policy_delete_security = selinux_xfrm_policy_delete, 5632 .xfrm_state_alloc_security = selinux_xfrm_state_alloc, 5633 .xfrm_state_free_security = selinux_xfrm_state_free, 5634 .xfrm_state_delete_security = selinux_xfrm_state_delete, 5635 .xfrm_policy_lookup = selinux_xfrm_policy_lookup, 5636 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match, 5637 .xfrm_decode_session = selinux_xfrm_decode_session, 5638 #endif 5639 5640 #ifdef CONFIG_KEYS 5641 .key_alloc = selinux_key_alloc, 5642 .key_free = selinux_key_free, 5643 .key_permission = selinux_key_permission, 5644 .key_getsecurity = selinux_key_getsecurity, 5645 #endif 5646 5647 #ifdef CONFIG_AUDIT 5648 .audit_rule_init = selinux_audit_rule_init, 5649 .audit_rule_known = selinux_audit_rule_known, 5650 .audit_rule_match = selinux_audit_rule_match, 5651 .audit_rule_free = selinux_audit_rule_free, 5652 #endif 5653 }; 5654 5655 static __init int selinux_init(void) 5656 { 5657 if (!security_module_enable(&selinux_ops)) { 5658 selinux_enabled = 0; 5659 return 0; 5660 } 5661 5662 if (!selinux_enabled) { 5663 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 5664 return 0; 5665 } 5666 5667 printk(KERN_INFO "SELinux: Initializing.\n"); 5668 5669 /* Set the security state for the initial task. */ 5670 cred_init_security(); 5671 5672 sel_inode_cache = kmem_cache_create("selinux_inode_security", 5673 sizeof(struct inode_security_struct), 5674 0, SLAB_PANIC, NULL); 5675 avc_init(); 5676 5677 secondary_ops = security_ops; 5678 if (!secondary_ops) 5679 panic("SELinux: No initial security operations\n"); 5680 if (register_security(&selinux_ops)) 5681 panic("SELinux: Unable to register with kernel.\n"); 5682 5683 if (selinux_enforcing) 5684 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 5685 else 5686 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 5687 5688 return 0; 5689 } 5690 5691 void selinux_complete_init(void) 5692 { 5693 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 5694 5695 /* Set up any superblocks initialized prior to the policy load. */ 5696 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 5697 spin_lock(&sb_lock); 5698 spin_lock(&sb_security_lock); 5699 next_sb: 5700 if (!list_empty(&superblock_security_head)) { 5701 struct superblock_security_struct *sbsec = 5702 list_entry(superblock_security_head.next, 5703 struct superblock_security_struct, 5704 list); 5705 struct super_block *sb = sbsec->sb; 5706 sb->s_count++; 5707 spin_unlock(&sb_security_lock); 5708 spin_unlock(&sb_lock); 5709 down_read(&sb->s_umount); 5710 if (sb->s_root) 5711 superblock_doinit(sb, NULL); 5712 drop_super(sb); 5713 spin_lock(&sb_lock); 5714 spin_lock(&sb_security_lock); 5715 list_del_init(&sbsec->list); 5716 goto next_sb; 5717 } 5718 spin_unlock(&sb_security_lock); 5719 spin_unlock(&sb_lock); 5720 } 5721 5722 /* SELinux requires early initialization in order to label 5723 all processes and objects when they are created. */ 5724 security_initcall(selinux_init); 5725 5726 #if defined(CONFIG_NETFILTER) 5727 5728 static struct nf_hook_ops selinux_ipv4_ops[] = { 5729 { 5730 .hook = selinux_ipv4_postroute, 5731 .owner = THIS_MODULE, 5732 .pf = PF_INET, 5733 .hooknum = NF_INET_POST_ROUTING, 5734 .priority = NF_IP_PRI_SELINUX_LAST, 5735 }, 5736 { 5737 .hook = selinux_ipv4_forward, 5738 .owner = THIS_MODULE, 5739 .pf = PF_INET, 5740 .hooknum = NF_INET_FORWARD, 5741 .priority = NF_IP_PRI_SELINUX_FIRST, 5742 }, 5743 { 5744 .hook = selinux_ipv4_output, 5745 .owner = THIS_MODULE, 5746 .pf = PF_INET, 5747 .hooknum = NF_INET_LOCAL_OUT, 5748 .priority = NF_IP_PRI_SELINUX_FIRST, 5749 } 5750 }; 5751 5752 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5753 5754 static struct nf_hook_ops selinux_ipv6_ops[] = { 5755 { 5756 .hook = selinux_ipv6_postroute, 5757 .owner = THIS_MODULE, 5758 .pf = PF_INET6, 5759 .hooknum = NF_INET_POST_ROUTING, 5760 .priority = NF_IP6_PRI_SELINUX_LAST, 5761 }, 5762 { 5763 .hook = selinux_ipv6_forward, 5764 .owner = THIS_MODULE, 5765 .pf = PF_INET6, 5766 .hooknum = NF_INET_FORWARD, 5767 .priority = NF_IP6_PRI_SELINUX_FIRST, 5768 } 5769 }; 5770 5771 #endif /* IPV6 */ 5772 5773 static int __init selinux_nf_ip_init(void) 5774 { 5775 int err = 0; 5776 5777 if (!selinux_enabled) 5778 goto out; 5779 5780 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 5781 5782 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops)); 5783 if (err) 5784 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err); 5785 5786 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5787 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops)); 5788 if (err) 5789 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err); 5790 #endif /* IPV6 */ 5791 5792 out: 5793 return err; 5794 } 5795 5796 __initcall(selinux_nf_ip_init); 5797 5798 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 5799 static void selinux_nf_ip_exit(void) 5800 { 5801 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 5802 5803 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops)); 5804 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5805 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops)); 5806 #endif /* IPV6 */ 5807 } 5808 #endif 5809 5810 #else /* CONFIG_NETFILTER */ 5811 5812 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 5813 #define selinux_nf_ip_exit() 5814 #endif 5815 5816 #endif /* CONFIG_NETFILTER */ 5817 5818 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 5819 static int selinux_disabled; 5820 5821 int selinux_disable(void) 5822 { 5823 extern void exit_sel_fs(void); 5824 5825 if (ss_initialized) { 5826 /* Not permitted after initial policy load. */ 5827 return -EINVAL; 5828 } 5829 5830 if (selinux_disabled) { 5831 /* Only do this once. */ 5832 return -EINVAL; 5833 } 5834 5835 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 5836 5837 selinux_disabled = 1; 5838 selinux_enabled = 0; 5839 5840 /* Reset security_ops to the secondary module, dummy or capability. */ 5841 security_ops = secondary_ops; 5842 5843 /* Try to destroy the avc node cache */ 5844 avc_disable(); 5845 5846 /* Unregister netfilter hooks. */ 5847 selinux_nf_ip_exit(); 5848 5849 /* Unregister selinuxfs. */ 5850 exit_sel_fs(); 5851 5852 return 0; 5853 } 5854 #endif 5855