1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Eric Paris <eparis@redhat.com> 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 15 * <dgoeddel@trustedcs.com> 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 17 * Paul Moore <paul@paul-moore.com> 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 20 * 21 * This program is free software; you can redistribute it and/or modify 22 * it under the terms of the GNU General Public License version 2, 23 * as published by the Free Software Foundation. 24 */ 25 26 #include <linux/init.h> 27 #include <linux/kd.h> 28 #include <linux/kernel.h> 29 #include <linux/tracehook.h> 30 #include <linux/errno.h> 31 #include <linux/sched.h> 32 #include <linux/security.h> 33 #include <linux/xattr.h> 34 #include <linux/capability.h> 35 #include <linux/unistd.h> 36 #include <linux/mm.h> 37 #include <linux/mman.h> 38 #include <linux/slab.h> 39 #include <linux/pagemap.h> 40 #include <linux/proc_fs.h> 41 #include <linux/swap.h> 42 #include <linux/spinlock.h> 43 #include <linux/syscalls.h> 44 #include <linux/dcache.h> 45 #include <linux/file.h> 46 #include <linux/fdtable.h> 47 #include <linux/namei.h> 48 #include <linux/mount.h> 49 #include <linux/netfilter_ipv4.h> 50 #include <linux/netfilter_ipv6.h> 51 #include <linux/tty.h> 52 #include <net/icmp.h> 53 #include <net/ip.h> /* for local_port_range[] */ 54 #include <net/sock.h> 55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 56 #include <net/inet_connection_sock.h> 57 #include <net/net_namespace.h> 58 #include <net/netlabel.h> 59 #include <linux/uaccess.h> 60 #include <asm/ioctls.h> 61 #include <linux/atomic.h> 62 #include <linux/bitops.h> 63 #include <linux/interrupt.h> 64 #include <linux/netdevice.h> /* for network interface checks */ 65 #include <net/netlink.h> 66 #include <linux/tcp.h> 67 #include <linux/udp.h> 68 #include <linux/dccp.h> 69 #include <linux/quota.h> 70 #include <linux/un.h> /* for Unix socket types */ 71 #include <net/af_unix.h> /* for Unix socket types */ 72 #include <linux/parser.h> 73 #include <linux/nfs_mount.h> 74 #include <net/ipv6.h> 75 #include <linux/hugetlb.h> 76 #include <linux/personality.h> 77 #include <linux/audit.h> 78 #include <linux/string.h> 79 #include <linux/selinux.h> 80 #include <linux/mutex.h> 81 #include <linux/posix-timers.h> 82 #include <linux/syslog.h> 83 #include <linux/user_namespace.h> 84 #include <linux/export.h> 85 #include <linux/security.h> 86 #include <linux/msg.h> 87 #include <linux/shm.h> 88 89 #include "avc.h" 90 #include "objsec.h" 91 #include "netif.h" 92 #include "netnode.h" 93 #include "netport.h" 94 #include "xfrm.h" 95 #include "netlabel.h" 96 #include "audit.h" 97 #include "avc_ss.h" 98 99 #define SB_TYPE_FMT "%s%s%s" 100 #define SB_SUBTYPE(sb) (sb->s_subtype && sb->s_subtype[0]) 101 #define SB_TYPE_ARGS(sb) sb->s_type->name, SB_SUBTYPE(sb) ? "." : "", SB_SUBTYPE(sb) ? sb->s_subtype : "" 102 103 extern struct security_operations *security_ops; 104 105 /* SECMARK reference count */ 106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 107 108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 109 int selinux_enforcing; 110 111 static int __init enforcing_setup(char *str) 112 { 113 unsigned long enforcing; 114 if (!strict_strtoul(str, 0, &enforcing)) 115 selinux_enforcing = enforcing ? 1 : 0; 116 return 1; 117 } 118 __setup("enforcing=", enforcing_setup); 119 #endif 120 121 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 122 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 123 124 static int __init selinux_enabled_setup(char *str) 125 { 126 unsigned long enabled; 127 if (!strict_strtoul(str, 0, &enabled)) 128 selinux_enabled = enabled ? 1 : 0; 129 return 1; 130 } 131 __setup("selinux=", selinux_enabled_setup); 132 #else 133 int selinux_enabled = 1; 134 #endif 135 136 static struct kmem_cache *sel_inode_cache; 137 138 /** 139 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 140 * 141 * Description: 142 * This function checks the SECMARK reference counter to see if any SECMARK 143 * targets are currently configured, if the reference counter is greater than 144 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 145 * enabled, false (0) if SECMARK is disabled. If the always_check_network 146 * policy capability is enabled, SECMARK is always considered enabled. 147 * 148 */ 149 static int selinux_secmark_enabled(void) 150 { 151 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount)); 152 } 153 154 /** 155 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 156 * 157 * Description: 158 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 159 * (1) if any are enabled or false (0) if neither are enabled. If the 160 * always_check_network policy capability is enabled, peer labeling 161 * is always considered enabled. 162 * 163 */ 164 static int selinux_peerlbl_enabled(void) 165 { 166 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled()); 167 } 168 169 /* 170 * initialise the security for the init task 171 */ 172 static void cred_init_security(void) 173 { 174 struct cred *cred = (struct cred *) current->real_cred; 175 struct task_security_struct *tsec; 176 177 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 178 if (!tsec) 179 panic("SELinux: Failed to initialize initial task.\n"); 180 181 tsec->osid = tsec->sid = SECINITSID_KERNEL; 182 cred->security = tsec; 183 } 184 185 /* 186 * get the security ID of a set of credentials 187 */ 188 static inline u32 cred_sid(const struct cred *cred) 189 { 190 const struct task_security_struct *tsec; 191 192 tsec = cred->security; 193 return tsec->sid; 194 } 195 196 /* 197 * get the objective security ID of a task 198 */ 199 static inline u32 task_sid(const struct task_struct *task) 200 { 201 u32 sid; 202 203 rcu_read_lock(); 204 sid = cred_sid(__task_cred(task)); 205 rcu_read_unlock(); 206 return sid; 207 } 208 209 /* 210 * get the subjective security ID of the current task 211 */ 212 static inline u32 current_sid(void) 213 { 214 const struct task_security_struct *tsec = current_security(); 215 216 return tsec->sid; 217 } 218 219 /* Allocate and free functions for each kind of security blob. */ 220 221 static int inode_alloc_security(struct inode *inode) 222 { 223 struct inode_security_struct *isec; 224 u32 sid = current_sid(); 225 226 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 227 if (!isec) 228 return -ENOMEM; 229 230 mutex_init(&isec->lock); 231 INIT_LIST_HEAD(&isec->list); 232 isec->inode = inode; 233 isec->sid = SECINITSID_UNLABELED; 234 isec->sclass = SECCLASS_FILE; 235 isec->task_sid = sid; 236 inode->i_security = isec; 237 238 return 0; 239 } 240 241 static void inode_free_security(struct inode *inode) 242 { 243 struct inode_security_struct *isec = inode->i_security; 244 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 245 246 spin_lock(&sbsec->isec_lock); 247 if (!list_empty(&isec->list)) 248 list_del_init(&isec->list); 249 spin_unlock(&sbsec->isec_lock); 250 251 inode->i_security = NULL; 252 kmem_cache_free(sel_inode_cache, isec); 253 } 254 255 static int file_alloc_security(struct file *file) 256 { 257 struct file_security_struct *fsec; 258 u32 sid = current_sid(); 259 260 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); 261 if (!fsec) 262 return -ENOMEM; 263 264 fsec->sid = sid; 265 fsec->fown_sid = sid; 266 file->f_security = fsec; 267 268 return 0; 269 } 270 271 static void file_free_security(struct file *file) 272 { 273 struct file_security_struct *fsec = file->f_security; 274 file->f_security = NULL; 275 kfree(fsec); 276 } 277 278 static int superblock_alloc_security(struct super_block *sb) 279 { 280 struct superblock_security_struct *sbsec; 281 282 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 283 if (!sbsec) 284 return -ENOMEM; 285 286 mutex_init(&sbsec->lock); 287 INIT_LIST_HEAD(&sbsec->isec_head); 288 spin_lock_init(&sbsec->isec_lock); 289 sbsec->sb = sb; 290 sbsec->sid = SECINITSID_UNLABELED; 291 sbsec->def_sid = SECINITSID_FILE; 292 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 293 sb->s_security = sbsec; 294 295 return 0; 296 } 297 298 static void superblock_free_security(struct super_block *sb) 299 { 300 struct superblock_security_struct *sbsec = sb->s_security; 301 sb->s_security = NULL; 302 kfree(sbsec); 303 } 304 305 /* The file system's label must be initialized prior to use. */ 306 307 static const char *labeling_behaviors[7] = { 308 "uses xattr", 309 "uses transition SIDs", 310 "uses task SIDs", 311 "uses genfs_contexts", 312 "not configured for labeling", 313 "uses mountpoint labeling", 314 "uses native labeling", 315 }; 316 317 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 318 319 static inline int inode_doinit(struct inode *inode) 320 { 321 return inode_doinit_with_dentry(inode, NULL); 322 } 323 324 enum { 325 Opt_error = -1, 326 Opt_context = 1, 327 Opt_fscontext = 2, 328 Opt_defcontext = 3, 329 Opt_rootcontext = 4, 330 Opt_labelsupport = 5, 331 Opt_nextmntopt = 6, 332 }; 333 334 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1) 335 336 static const match_table_t tokens = { 337 {Opt_context, CONTEXT_STR "%s"}, 338 {Opt_fscontext, FSCONTEXT_STR "%s"}, 339 {Opt_defcontext, DEFCONTEXT_STR "%s"}, 340 {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, 341 {Opt_labelsupport, LABELSUPP_STR}, 342 {Opt_error, NULL}, 343 }; 344 345 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 346 347 static int may_context_mount_sb_relabel(u32 sid, 348 struct superblock_security_struct *sbsec, 349 const struct cred *cred) 350 { 351 const struct task_security_struct *tsec = cred->security; 352 int rc; 353 354 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 355 FILESYSTEM__RELABELFROM, NULL); 356 if (rc) 357 return rc; 358 359 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 360 FILESYSTEM__RELABELTO, NULL); 361 return rc; 362 } 363 364 static int may_context_mount_inode_relabel(u32 sid, 365 struct superblock_security_struct *sbsec, 366 const struct cred *cred) 367 { 368 const struct task_security_struct *tsec = cred->security; 369 int rc; 370 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 371 FILESYSTEM__RELABELFROM, NULL); 372 if (rc) 373 return rc; 374 375 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 376 FILESYSTEM__ASSOCIATE, NULL); 377 return rc; 378 } 379 380 static int selinux_is_sblabel_mnt(struct super_block *sb) 381 { 382 struct superblock_security_struct *sbsec = sb->s_security; 383 384 if (sbsec->behavior == SECURITY_FS_USE_XATTR || 385 sbsec->behavior == SECURITY_FS_USE_TRANS || 386 sbsec->behavior == SECURITY_FS_USE_TASK) 387 return 1; 388 389 /* Special handling for sysfs. Is genfs but also has setxattr handler*/ 390 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0) 391 return 1; 392 393 /* 394 * Special handling for rootfs. Is genfs but supports 395 * setting SELinux context on in-core inodes. 396 */ 397 if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0) 398 return 1; 399 400 return 0; 401 } 402 403 static int sb_finish_set_opts(struct super_block *sb) 404 { 405 struct superblock_security_struct *sbsec = sb->s_security; 406 struct dentry *root = sb->s_root; 407 struct inode *root_inode = root->d_inode; 408 int rc = 0; 409 410 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 411 /* Make sure that the xattr handler exists and that no 412 error other than -ENODATA is returned by getxattr on 413 the root directory. -ENODATA is ok, as this may be 414 the first boot of the SELinux kernel before we have 415 assigned xattr values to the filesystem. */ 416 if (!root_inode->i_op->getxattr) { 417 printk(KERN_WARNING "SELinux: (dev %s, type "SB_TYPE_FMT") has no " 418 "xattr support\n", sb->s_id, SB_TYPE_ARGS(sb)); 419 rc = -EOPNOTSUPP; 420 goto out; 421 } 422 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0); 423 if (rc < 0 && rc != -ENODATA) { 424 if (rc == -EOPNOTSUPP) 425 printk(KERN_WARNING "SELinux: (dev %s, type " 426 SB_TYPE_FMT") has no security xattr handler\n", 427 sb->s_id, SB_TYPE_ARGS(sb)); 428 else 429 printk(KERN_WARNING "SELinux: (dev %s, type " 430 SB_TYPE_FMT") getxattr errno %d\n", sb->s_id, 431 SB_TYPE_ARGS(sb), -rc); 432 goto out; 433 } 434 } 435 436 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) 437 printk(KERN_ERR "SELinux: initialized (dev %s, type "SB_TYPE_FMT"), unknown behavior\n", 438 sb->s_id, SB_TYPE_ARGS(sb)); 439 else 440 printk(KERN_DEBUG "SELinux: initialized (dev %s, type "SB_TYPE_FMT"), %s\n", 441 sb->s_id, SB_TYPE_ARGS(sb), 442 labeling_behaviors[sbsec->behavior-1]); 443 444 sbsec->flags |= SE_SBINITIALIZED; 445 if (selinux_is_sblabel_mnt(sb)) 446 sbsec->flags |= SBLABEL_MNT; 447 448 /* Initialize the root inode. */ 449 rc = inode_doinit_with_dentry(root_inode, root); 450 451 /* Initialize any other inodes associated with the superblock, e.g. 452 inodes created prior to initial policy load or inodes created 453 during get_sb by a pseudo filesystem that directly 454 populates itself. */ 455 spin_lock(&sbsec->isec_lock); 456 next_inode: 457 if (!list_empty(&sbsec->isec_head)) { 458 struct inode_security_struct *isec = 459 list_entry(sbsec->isec_head.next, 460 struct inode_security_struct, list); 461 struct inode *inode = isec->inode; 462 spin_unlock(&sbsec->isec_lock); 463 inode = igrab(inode); 464 if (inode) { 465 if (!IS_PRIVATE(inode)) 466 inode_doinit(inode); 467 iput(inode); 468 } 469 spin_lock(&sbsec->isec_lock); 470 list_del_init(&isec->list); 471 goto next_inode; 472 } 473 spin_unlock(&sbsec->isec_lock); 474 out: 475 return rc; 476 } 477 478 /* 479 * This function should allow an FS to ask what it's mount security 480 * options were so it can use those later for submounts, displaying 481 * mount options, or whatever. 482 */ 483 static int selinux_get_mnt_opts(const struct super_block *sb, 484 struct security_mnt_opts *opts) 485 { 486 int rc = 0, i; 487 struct superblock_security_struct *sbsec = sb->s_security; 488 char *context = NULL; 489 u32 len; 490 char tmp; 491 492 security_init_mnt_opts(opts); 493 494 if (!(sbsec->flags & SE_SBINITIALIZED)) 495 return -EINVAL; 496 497 if (!ss_initialized) 498 return -EINVAL; 499 500 /* make sure we always check enough bits to cover the mask */ 501 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS)); 502 503 tmp = sbsec->flags & SE_MNTMASK; 504 /* count the number of mount options for this sb */ 505 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) { 506 if (tmp & 0x01) 507 opts->num_mnt_opts++; 508 tmp >>= 1; 509 } 510 /* Check if the Label support flag is set */ 511 if (sbsec->flags & SBLABEL_MNT) 512 opts->num_mnt_opts++; 513 514 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 515 if (!opts->mnt_opts) { 516 rc = -ENOMEM; 517 goto out_free; 518 } 519 520 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); 521 if (!opts->mnt_opts_flags) { 522 rc = -ENOMEM; 523 goto out_free; 524 } 525 526 i = 0; 527 if (sbsec->flags & FSCONTEXT_MNT) { 528 rc = security_sid_to_context(sbsec->sid, &context, &len); 529 if (rc) 530 goto out_free; 531 opts->mnt_opts[i] = context; 532 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 533 } 534 if (sbsec->flags & CONTEXT_MNT) { 535 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); 536 if (rc) 537 goto out_free; 538 opts->mnt_opts[i] = context; 539 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 540 } 541 if (sbsec->flags & DEFCONTEXT_MNT) { 542 rc = security_sid_to_context(sbsec->def_sid, &context, &len); 543 if (rc) 544 goto out_free; 545 opts->mnt_opts[i] = context; 546 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 547 } 548 if (sbsec->flags & ROOTCONTEXT_MNT) { 549 struct inode *root = sbsec->sb->s_root->d_inode; 550 struct inode_security_struct *isec = root->i_security; 551 552 rc = security_sid_to_context(isec->sid, &context, &len); 553 if (rc) 554 goto out_free; 555 opts->mnt_opts[i] = context; 556 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 557 } 558 if (sbsec->flags & SBLABEL_MNT) { 559 opts->mnt_opts[i] = NULL; 560 opts->mnt_opts_flags[i++] = SBLABEL_MNT; 561 } 562 563 BUG_ON(i != opts->num_mnt_opts); 564 565 return 0; 566 567 out_free: 568 security_free_mnt_opts(opts); 569 return rc; 570 } 571 572 static int bad_option(struct superblock_security_struct *sbsec, char flag, 573 u32 old_sid, u32 new_sid) 574 { 575 char mnt_flags = sbsec->flags & SE_MNTMASK; 576 577 /* check if the old mount command had the same options */ 578 if (sbsec->flags & SE_SBINITIALIZED) 579 if (!(sbsec->flags & flag) || 580 (old_sid != new_sid)) 581 return 1; 582 583 /* check if we were passed the same options twice, 584 * aka someone passed context=a,context=b 585 */ 586 if (!(sbsec->flags & SE_SBINITIALIZED)) 587 if (mnt_flags & flag) 588 return 1; 589 return 0; 590 } 591 592 /* 593 * Allow filesystems with binary mount data to explicitly set mount point 594 * labeling information. 595 */ 596 static int selinux_set_mnt_opts(struct super_block *sb, 597 struct security_mnt_opts *opts, 598 unsigned long kern_flags, 599 unsigned long *set_kern_flags) 600 { 601 const struct cred *cred = current_cred(); 602 int rc = 0, i; 603 struct superblock_security_struct *sbsec = sb->s_security; 604 struct inode *inode = sbsec->sb->s_root->d_inode; 605 struct inode_security_struct *root_isec = inode->i_security; 606 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 607 u32 defcontext_sid = 0; 608 char **mount_options = opts->mnt_opts; 609 int *flags = opts->mnt_opts_flags; 610 int num_opts = opts->num_mnt_opts; 611 612 mutex_lock(&sbsec->lock); 613 614 if (!ss_initialized) { 615 if (!num_opts) { 616 /* Defer initialization until selinux_complete_init, 617 after the initial policy is loaded and the security 618 server is ready to handle calls. */ 619 goto out; 620 } 621 rc = -EINVAL; 622 printk(KERN_WARNING "SELinux: Unable to set superblock options " 623 "before the security server is initialized\n"); 624 goto out; 625 } 626 if (kern_flags && !set_kern_flags) { 627 /* Specifying internal flags without providing a place to 628 * place the results is not allowed */ 629 rc = -EINVAL; 630 goto out; 631 } 632 633 /* 634 * Binary mount data FS will come through this function twice. Once 635 * from an explicit call and once from the generic calls from the vfs. 636 * Since the generic VFS calls will not contain any security mount data 637 * we need to skip the double mount verification. 638 * 639 * This does open a hole in which we will not notice if the first 640 * mount using this sb set explict options and a second mount using 641 * this sb does not set any security options. (The first options 642 * will be used for both mounts) 643 */ 644 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 645 && (num_opts == 0)) 646 goto out; 647 648 /* 649 * parse the mount options, check if they are valid sids. 650 * also check if someone is trying to mount the same sb more 651 * than once with different security options. 652 */ 653 for (i = 0; i < num_opts; i++) { 654 u32 sid; 655 656 if (flags[i] == SBLABEL_MNT) 657 continue; 658 rc = security_context_to_sid(mount_options[i], 659 strlen(mount_options[i]), &sid); 660 if (rc) { 661 printk(KERN_WARNING "SELinux: security_context_to_sid" 662 "(%s) failed for (dev %s, type "SB_TYPE_FMT") errno=%d\n", 663 mount_options[i], sb->s_id, SB_TYPE_ARGS(sb), rc); 664 goto out; 665 } 666 switch (flags[i]) { 667 case FSCONTEXT_MNT: 668 fscontext_sid = sid; 669 670 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 671 fscontext_sid)) 672 goto out_double_mount; 673 674 sbsec->flags |= FSCONTEXT_MNT; 675 break; 676 case CONTEXT_MNT: 677 context_sid = sid; 678 679 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 680 context_sid)) 681 goto out_double_mount; 682 683 sbsec->flags |= CONTEXT_MNT; 684 break; 685 case ROOTCONTEXT_MNT: 686 rootcontext_sid = sid; 687 688 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 689 rootcontext_sid)) 690 goto out_double_mount; 691 692 sbsec->flags |= ROOTCONTEXT_MNT; 693 694 break; 695 case DEFCONTEXT_MNT: 696 defcontext_sid = sid; 697 698 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 699 defcontext_sid)) 700 goto out_double_mount; 701 702 sbsec->flags |= DEFCONTEXT_MNT; 703 704 break; 705 default: 706 rc = -EINVAL; 707 goto out; 708 } 709 } 710 711 if (sbsec->flags & SE_SBINITIALIZED) { 712 /* previously mounted with options, but not on this attempt? */ 713 if ((sbsec->flags & SE_MNTMASK) && !num_opts) 714 goto out_double_mount; 715 rc = 0; 716 goto out; 717 } 718 719 if (strcmp(sb->s_type->name, "proc") == 0) 720 sbsec->flags |= SE_SBPROC; 721 722 if (!sbsec->behavior) { 723 /* 724 * Determine the labeling behavior to use for this 725 * filesystem type. 726 */ 727 rc = security_fs_use(sb); 728 if (rc) { 729 printk(KERN_WARNING 730 "%s: security_fs_use(%s) returned %d\n", 731 __func__, sb->s_type->name, rc); 732 goto out; 733 } 734 } 735 /* sets the context of the superblock for the fs being mounted. */ 736 if (fscontext_sid) { 737 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 738 if (rc) 739 goto out; 740 741 sbsec->sid = fscontext_sid; 742 } 743 744 /* 745 * Switch to using mount point labeling behavior. 746 * sets the label used on all file below the mountpoint, and will set 747 * the superblock context if not already set. 748 */ 749 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 750 sbsec->behavior = SECURITY_FS_USE_NATIVE; 751 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 752 } 753 754 if (context_sid) { 755 if (!fscontext_sid) { 756 rc = may_context_mount_sb_relabel(context_sid, sbsec, 757 cred); 758 if (rc) 759 goto out; 760 sbsec->sid = context_sid; 761 } else { 762 rc = may_context_mount_inode_relabel(context_sid, sbsec, 763 cred); 764 if (rc) 765 goto out; 766 } 767 if (!rootcontext_sid) 768 rootcontext_sid = context_sid; 769 770 sbsec->mntpoint_sid = context_sid; 771 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 772 } 773 774 if (rootcontext_sid) { 775 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 776 cred); 777 if (rc) 778 goto out; 779 780 root_isec->sid = rootcontext_sid; 781 root_isec->initialized = 1; 782 } 783 784 if (defcontext_sid) { 785 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 786 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 787 rc = -EINVAL; 788 printk(KERN_WARNING "SELinux: defcontext option is " 789 "invalid for this filesystem type\n"); 790 goto out; 791 } 792 793 if (defcontext_sid != sbsec->def_sid) { 794 rc = may_context_mount_inode_relabel(defcontext_sid, 795 sbsec, cred); 796 if (rc) 797 goto out; 798 } 799 800 sbsec->def_sid = defcontext_sid; 801 } 802 803 rc = sb_finish_set_opts(sb); 804 out: 805 mutex_unlock(&sbsec->lock); 806 return rc; 807 out_double_mount: 808 rc = -EINVAL; 809 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 810 "security settings for (dev %s, type "SB_TYPE_FMT")\n", sb->s_id, 811 SB_TYPE_ARGS(sb)); 812 goto out; 813 } 814 815 static int selinux_cmp_sb_context(const struct super_block *oldsb, 816 const struct super_block *newsb) 817 { 818 struct superblock_security_struct *old = oldsb->s_security; 819 struct superblock_security_struct *new = newsb->s_security; 820 char oldflags = old->flags & SE_MNTMASK; 821 char newflags = new->flags & SE_MNTMASK; 822 823 if (oldflags != newflags) 824 goto mismatch; 825 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 826 goto mismatch; 827 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 828 goto mismatch; 829 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 830 goto mismatch; 831 if (oldflags & ROOTCONTEXT_MNT) { 832 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security; 833 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security; 834 if (oldroot->sid != newroot->sid) 835 goto mismatch; 836 } 837 return 0; 838 mismatch: 839 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, " 840 "different security settings for (dev %s, " 841 "type %s)\n", newsb->s_id, newsb->s_type->name); 842 return -EBUSY; 843 } 844 845 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 846 struct super_block *newsb) 847 { 848 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 849 struct superblock_security_struct *newsbsec = newsb->s_security; 850 851 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 852 int set_context = (oldsbsec->flags & CONTEXT_MNT); 853 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 854 855 /* 856 * if the parent was able to be mounted it clearly had no special lsm 857 * mount options. thus we can safely deal with this superblock later 858 */ 859 if (!ss_initialized) 860 return 0; 861 862 /* how can we clone if the old one wasn't set up?? */ 863 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 864 865 /* if fs is reusing a sb, make sure that the contexts match */ 866 if (newsbsec->flags & SE_SBINITIALIZED) 867 return selinux_cmp_sb_context(oldsb, newsb); 868 869 mutex_lock(&newsbsec->lock); 870 871 newsbsec->flags = oldsbsec->flags; 872 873 newsbsec->sid = oldsbsec->sid; 874 newsbsec->def_sid = oldsbsec->def_sid; 875 newsbsec->behavior = oldsbsec->behavior; 876 877 if (set_context) { 878 u32 sid = oldsbsec->mntpoint_sid; 879 880 if (!set_fscontext) 881 newsbsec->sid = sid; 882 if (!set_rootcontext) { 883 struct inode *newinode = newsb->s_root->d_inode; 884 struct inode_security_struct *newisec = newinode->i_security; 885 newisec->sid = sid; 886 } 887 newsbsec->mntpoint_sid = sid; 888 } 889 if (set_rootcontext) { 890 const struct inode *oldinode = oldsb->s_root->d_inode; 891 const struct inode_security_struct *oldisec = oldinode->i_security; 892 struct inode *newinode = newsb->s_root->d_inode; 893 struct inode_security_struct *newisec = newinode->i_security; 894 895 newisec->sid = oldisec->sid; 896 } 897 898 sb_finish_set_opts(newsb); 899 mutex_unlock(&newsbsec->lock); 900 return 0; 901 } 902 903 static int selinux_parse_opts_str(char *options, 904 struct security_mnt_opts *opts) 905 { 906 char *p; 907 char *context = NULL, *defcontext = NULL; 908 char *fscontext = NULL, *rootcontext = NULL; 909 int rc, num_mnt_opts = 0; 910 911 opts->num_mnt_opts = 0; 912 913 /* Standard string-based options. */ 914 while ((p = strsep(&options, "|")) != NULL) { 915 int token; 916 substring_t args[MAX_OPT_ARGS]; 917 918 if (!*p) 919 continue; 920 921 token = match_token(p, tokens, args); 922 923 switch (token) { 924 case Opt_context: 925 if (context || defcontext) { 926 rc = -EINVAL; 927 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 928 goto out_err; 929 } 930 context = match_strdup(&args[0]); 931 if (!context) { 932 rc = -ENOMEM; 933 goto out_err; 934 } 935 break; 936 937 case Opt_fscontext: 938 if (fscontext) { 939 rc = -EINVAL; 940 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 941 goto out_err; 942 } 943 fscontext = match_strdup(&args[0]); 944 if (!fscontext) { 945 rc = -ENOMEM; 946 goto out_err; 947 } 948 break; 949 950 case Opt_rootcontext: 951 if (rootcontext) { 952 rc = -EINVAL; 953 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 954 goto out_err; 955 } 956 rootcontext = match_strdup(&args[0]); 957 if (!rootcontext) { 958 rc = -ENOMEM; 959 goto out_err; 960 } 961 break; 962 963 case Opt_defcontext: 964 if (context || defcontext) { 965 rc = -EINVAL; 966 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 967 goto out_err; 968 } 969 defcontext = match_strdup(&args[0]); 970 if (!defcontext) { 971 rc = -ENOMEM; 972 goto out_err; 973 } 974 break; 975 case Opt_labelsupport: 976 break; 977 default: 978 rc = -EINVAL; 979 printk(KERN_WARNING "SELinux: unknown mount option\n"); 980 goto out_err; 981 982 } 983 } 984 985 rc = -ENOMEM; 986 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC); 987 if (!opts->mnt_opts) 988 goto out_err; 989 990 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC); 991 if (!opts->mnt_opts_flags) { 992 kfree(opts->mnt_opts); 993 goto out_err; 994 } 995 996 if (fscontext) { 997 opts->mnt_opts[num_mnt_opts] = fscontext; 998 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 999 } 1000 if (context) { 1001 opts->mnt_opts[num_mnt_opts] = context; 1002 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 1003 } 1004 if (rootcontext) { 1005 opts->mnt_opts[num_mnt_opts] = rootcontext; 1006 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 1007 } 1008 if (defcontext) { 1009 opts->mnt_opts[num_mnt_opts] = defcontext; 1010 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 1011 } 1012 1013 opts->num_mnt_opts = num_mnt_opts; 1014 return 0; 1015 1016 out_err: 1017 kfree(context); 1018 kfree(defcontext); 1019 kfree(fscontext); 1020 kfree(rootcontext); 1021 return rc; 1022 } 1023 /* 1024 * string mount options parsing and call set the sbsec 1025 */ 1026 static int superblock_doinit(struct super_block *sb, void *data) 1027 { 1028 int rc = 0; 1029 char *options = data; 1030 struct security_mnt_opts opts; 1031 1032 security_init_mnt_opts(&opts); 1033 1034 if (!data) 1035 goto out; 1036 1037 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); 1038 1039 rc = selinux_parse_opts_str(options, &opts); 1040 if (rc) 1041 goto out_err; 1042 1043 out: 1044 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL); 1045 1046 out_err: 1047 security_free_mnt_opts(&opts); 1048 return rc; 1049 } 1050 1051 static void selinux_write_opts(struct seq_file *m, 1052 struct security_mnt_opts *opts) 1053 { 1054 int i; 1055 char *prefix; 1056 1057 for (i = 0; i < opts->num_mnt_opts; i++) { 1058 char *has_comma; 1059 1060 if (opts->mnt_opts[i]) 1061 has_comma = strchr(opts->mnt_opts[i], ','); 1062 else 1063 has_comma = NULL; 1064 1065 switch (opts->mnt_opts_flags[i]) { 1066 case CONTEXT_MNT: 1067 prefix = CONTEXT_STR; 1068 break; 1069 case FSCONTEXT_MNT: 1070 prefix = FSCONTEXT_STR; 1071 break; 1072 case ROOTCONTEXT_MNT: 1073 prefix = ROOTCONTEXT_STR; 1074 break; 1075 case DEFCONTEXT_MNT: 1076 prefix = DEFCONTEXT_STR; 1077 break; 1078 case SBLABEL_MNT: 1079 seq_putc(m, ','); 1080 seq_puts(m, LABELSUPP_STR); 1081 continue; 1082 default: 1083 BUG(); 1084 return; 1085 }; 1086 /* we need a comma before each option */ 1087 seq_putc(m, ','); 1088 seq_puts(m, prefix); 1089 if (has_comma) 1090 seq_putc(m, '\"'); 1091 seq_puts(m, opts->mnt_opts[i]); 1092 if (has_comma) 1093 seq_putc(m, '\"'); 1094 } 1095 } 1096 1097 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1098 { 1099 struct security_mnt_opts opts; 1100 int rc; 1101 1102 rc = selinux_get_mnt_opts(sb, &opts); 1103 if (rc) { 1104 /* before policy load we may get EINVAL, don't show anything */ 1105 if (rc == -EINVAL) 1106 rc = 0; 1107 return rc; 1108 } 1109 1110 selinux_write_opts(m, &opts); 1111 1112 security_free_mnt_opts(&opts); 1113 1114 return rc; 1115 } 1116 1117 static inline u16 inode_mode_to_security_class(umode_t mode) 1118 { 1119 switch (mode & S_IFMT) { 1120 case S_IFSOCK: 1121 return SECCLASS_SOCK_FILE; 1122 case S_IFLNK: 1123 return SECCLASS_LNK_FILE; 1124 case S_IFREG: 1125 return SECCLASS_FILE; 1126 case S_IFBLK: 1127 return SECCLASS_BLK_FILE; 1128 case S_IFDIR: 1129 return SECCLASS_DIR; 1130 case S_IFCHR: 1131 return SECCLASS_CHR_FILE; 1132 case S_IFIFO: 1133 return SECCLASS_FIFO_FILE; 1134 1135 } 1136 1137 return SECCLASS_FILE; 1138 } 1139 1140 static inline int default_protocol_stream(int protocol) 1141 { 1142 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1143 } 1144 1145 static inline int default_protocol_dgram(int protocol) 1146 { 1147 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1148 } 1149 1150 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1151 { 1152 switch (family) { 1153 case PF_UNIX: 1154 switch (type) { 1155 case SOCK_STREAM: 1156 case SOCK_SEQPACKET: 1157 return SECCLASS_UNIX_STREAM_SOCKET; 1158 case SOCK_DGRAM: 1159 return SECCLASS_UNIX_DGRAM_SOCKET; 1160 } 1161 break; 1162 case PF_INET: 1163 case PF_INET6: 1164 switch (type) { 1165 case SOCK_STREAM: 1166 if (default_protocol_stream(protocol)) 1167 return SECCLASS_TCP_SOCKET; 1168 else 1169 return SECCLASS_RAWIP_SOCKET; 1170 case SOCK_DGRAM: 1171 if (default_protocol_dgram(protocol)) 1172 return SECCLASS_UDP_SOCKET; 1173 else 1174 return SECCLASS_RAWIP_SOCKET; 1175 case SOCK_DCCP: 1176 return SECCLASS_DCCP_SOCKET; 1177 default: 1178 return SECCLASS_RAWIP_SOCKET; 1179 } 1180 break; 1181 case PF_NETLINK: 1182 switch (protocol) { 1183 case NETLINK_ROUTE: 1184 return SECCLASS_NETLINK_ROUTE_SOCKET; 1185 case NETLINK_FIREWALL: 1186 return SECCLASS_NETLINK_FIREWALL_SOCKET; 1187 case NETLINK_SOCK_DIAG: 1188 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1189 case NETLINK_NFLOG: 1190 return SECCLASS_NETLINK_NFLOG_SOCKET; 1191 case NETLINK_XFRM: 1192 return SECCLASS_NETLINK_XFRM_SOCKET; 1193 case NETLINK_SELINUX: 1194 return SECCLASS_NETLINK_SELINUX_SOCKET; 1195 case NETLINK_AUDIT: 1196 return SECCLASS_NETLINK_AUDIT_SOCKET; 1197 case NETLINK_IP6_FW: 1198 return SECCLASS_NETLINK_IP6FW_SOCKET; 1199 case NETLINK_DNRTMSG: 1200 return SECCLASS_NETLINK_DNRT_SOCKET; 1201 case NETLINK_KOBJECT_UEVENT: 1202 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1203 default: 1204 return SECCLASS_NETLINK_SOCKET; 1205 } 1206 case PF_PACKET: 1207 return SECCLASS_PACKET_SOCKET; 1208 case PF_KEY: 1209 return SECCLASS_KEY_SOCKET; 1210 case PF_APPLETALK: 1211 return SECCLASS_APPLETALK_SOCKET; 1212 } 1213 1214 return SECCLASS_SOCKET; 1215 } 1216 1217 #ifdef CONFIG_PROC_FS 1218 static int selinux_proc_get_sid(struct dentry *dentry, 1219 u16 tclass, 1220 u32 *sid) 1221 { 1222 int rc; 1223 char *buffer, *path; 1224 1225 buffer = (char *)__get_free_page(GFP_KERNEL); 1226 if (!buffer) 1227 return -ENOMEM; 1228 1229 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1230 if (IS_ERR(path)) 1231 rc = PTR_ERR(path); 1232 else { 1233 /* each process gets a /proc/PID/ entry. Strip off the 1234 * PID part to get a valid selinux labeling. 1235 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1236 while (path[1] >= '0' && path[1] <= '9') { 1237 path[1] = '/'; 1238 path++; 1239 } 1240 rc = security_genfs_sid("proc", path, tclass, sid); 1241 } 1242 free_page((unsigned long)buffer); 1243 return rc; 1244 } 1245 #else 1246 static int selinux_proc_get_sid(struct dentry *dentry, 1247 u16 tclass, 1248 u32 *sid) 1249 { 1250 return -EINVAL; 1251 } 1252 #endif 1253 1254 /* The inode's security attributes must be initialized before first use. */ 1255 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1256 { 1257 struct superblock_security_struct *sbsec = NULL; 1258 struct inode_security_struct *isec = inode->i_security; 1259 u32 sid; 1260 struct dentry *dentry; 1261 #define INITCONTEXTLEN 255 1262 char *context = NULL; 1263 unsigned len = 0; 1264 int rc = 0; 1265 1266 if (isec->initialized) 1267 goto out; 1268 1269 mutex_lock(&isec->lock); 1270 if (isec->initialized) 1271 goto out_unlock; 1272 1273 sbsec = inode->i_sb->s_security; 1274 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1275 /* Defer initialization until selinux_complete_init, 1276 after the initial policy is loaded and the security 1277 server is ready to handle calls. */ 1278 spin_lock(&sbsec->isec_lock); 1279 if (list_empty(&isec->list)) 1280 list_add(&isec->list, &sbsec->isec_head); 1281 spin_unlock(&sbsec->isec_lock); 1282 goto out_unlock; 1283 } 1284 1285 switch (sbsec->behavior) { 1286 case SECURITY_FS_USE_NATIVE: 1287 break; 1288 case SECURITY_FS_USE_XATTR: 1289 if (!inode->i_op->getxattr) { 1290 isec->sid = sbsec->def_sid; 1291 break; 1292 } 1293 1294 /* Need a dentry, since the xattr API requires one. 1295 Life would be simpler if we could just pass the inode. */ 1296 if (opt_dentry) { 1297 /* Called from d_instantiate or d_splice_alias. */ 1298 dentry = dget(opt_dentry); 1299 } else { 1300 /* Called from selinux_complete_init, try to find a dentry. */ 1301 dentry = d_find_alias(inode); 1302 } 1303 if (!dentry) { 1304 /* 1305 * this is can be hit on boot when a file is accessed 1306 * before the policy is loaded. When we load policy we 1307 * may find inodes that have no dentry on the 1308 * sbsec->isec_head list. No reason to complain as these 1309 * will get fixed up the next time we go through 1310 * inode_doinit with a dentry, before these inodes could 1311 * be used again by userspace. 1312 */ 1313 goto out_unlock; 1314 } 1315 1316 len = INITCONTEXTLEN; 1317 context = kmalloc(len+1, GFP_NOFS); 1318 if (!context) { 1319 rc = -ENOMEM; 1320 dput(dentry); 1321 goto out_unlock; 1322 } 1323 context[len] = '\0'; 1324 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1325 context, len); 1326 if (rc == -ERANGE) { 1327 kfree(context); 1328 1329 /* Need a larger buffer. Query for the right size. */ 1330 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1331 NULL, 0); 1332 if (rc < 0) { 1333 dput(dentry); 1334 goto out_unlock; 1335 } 1336 len = rc; 1337 context = kmalloc(len+1, GFP_NOFS); 1338 if (!context) { 1339 rc = -ENOMEM; 1340 dput(dentry); 1341 goto out_unlock; 1342 } 1343 context[len] = '\0'; 1344 rc = inode->i_op->getxattr(dentry, 1345 XATTR_NAME_SELINUX, 1346 context, len); 1347 } 1348 dput(dentry); 1349 if (rc < 0) { 1350 if (rc != -ENODATA) { 1351 printk(KERN_WARNING "SELinux: %s: getxattr returned " 1352 "%d for dev=%s ino=%ld\n", __func__, 1353 -rc, inode->i_sb->s_id, inode->i_ino); 1354 kfree(context); 1355 goto out_unlock; 1356 } 1357 /* Map ENODATA to the default file SID */ 1358 sid = sbsec->def_sid; 1359 rc = 0; 1360 } else { 1361 rc = security_context_to_sid_default(context, rc, &sid, 1362 sbsec->def_sid, 1363 GFP_NOFS); 1364 if (rc) { 1365 char *dev = inode->i_sb->s_id; 1366 unsigned long ino = inode->i_ino; 1367 1368 if (rc == -EINVAL) { 1369 if (printk_ratelimit()) 1370 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " 1371 "context=%s. This indicates you may need to relabel the inode or the " 1372 "filesystem in question.\n", ino, dev, context); 1373 } else { 1374 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " 1375 "returned %d for dev=%s ino=%ld\n", 1376 __func__, context, -rc, dev, ino); 1377 } 1378 kfree(context); 1379 /* Leave with the unlabeled SID */ 1380 rc = 0; 1381 break; 1382 } 1383 } 1384 kfree(context); 1385 isec->sid = sid; 1386 break; 1387 case SECURITY_FS_USE_TASK: 1388 isec->sid = isec->task_sid; 1389 break; 1390 case SECURITY_FS_USE_TRANS: 1391 /* Default to the fs SID. */ 1392 isec->sid = sbsec->sid; 1393 1394 /* Try to obtain a transition SID. */ 1395 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1396 rc = security_transition_sid(isec->task_sid, sbsec->sid, 1397 isec->sclass, NULL, &sid); 1398 if (rc) 1399 goto out_unlock; 1400 isec->sid = sid; 1401 break; 1402 case SECURITY_FS_USE_MNTPOINT: 1403 isec->sid = sbsec->mntpoint_sid; 1404 break; 1405 default: 1406 /* Default to the fs superblock SID. */ 1407 isec->sid = sbsec->sid; 1408 1409 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) { 1410 if (opt_dentry) { 1411 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1412 rc = selinux_proc_get_sid(opt_dentry, 1413 isec->sclass, 1414 &sid); 1415 if (rc) 1416 goto out_unlock; 1417 isec->sid = sid; 1418 } 1419 } 1420 break; 1421 } 1422 1423 isec->initialized = 1; 1424 1425 out_unlock: 1426 mutex_unlock(&isec->lock); 1427 out: 1428 if (isec->sclass == SECCLASS_FILE) 1429 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1430 return rc; 1431 } 1432 1433 /* Convert a Linux signal to an access vector. */ 1434 static inline u32 signal_to_av(int sig) 1435 { 1436 u32 perm = 0; 1437 1438 switch (sig) { 1439 case SIGCHLD: 1440 /* Commonly granted from child to parent. */ 1441 perm = PROCESS__SIGCHLD; 1442 break; 1443 case SIGKILL: 1444 /* Cannot be caught or ignored */ 1445 perm = PROCESS__SIGKILL; 1446 break; 1447 case SIGSTOP: 1448 /* Cannot be caught or ignored */ 1449 perm = PROCESS__SIGSTOP; 1450 break; 1451 default: 1452 /* All other signals. */ 1453 perm = PROCESS__SIGNAL; 1454 break; 1455 } 1456 1457 return perm; 1458 } 1459 1460 /* 1461 * Check permission between a pair of credentials 1462 * fork check, ptrace check, etc. 1463 */ 1464 static int cred_has_perm(const struct cred *actor, 1465 const struct cred *target, 1466 u32 perms) 1467 { 1468 u32 asid = cred_sid(actor), tsid = cred_sid(target); 1469 1470 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL); 1471 } 1472 1473 /* 1474 * Check permission between a pair of tasks, e.g. signal checks, 1475 * fork check, ptrace check, etc. 1476 * tsk1 is the actor and tsk2 is the target 1477 * - this uses the default subjective creds of tsk1 1478 */ 1479 static int task_has_perm(const struct task_struct *tsk1, 1480 const struct task_struct *tsk2, 1481 u32 perms) 1482 { 1483 const struct task_security_struct *__tsec1, *__tsec2; 1484 u32 sid1, sid2; 1485 1486 rcu_read_lock(); 1487 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid; 1488 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid; 1489 rcu_read_unlock(); 1490 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL); 1491 } 1492 1493 /* 1494 * Check permission between current and another task, e.g. signal checks, 1495 * fork check, ptrace check, etc. 1496 * current is the actor and tsk2 is the target 1497 * - this uses current's subjective creds 1498 */ 1499 static int current_has_perm(const struct task_struct *tsk, 1500 u32 perms) 1501 { 1502 u32 sid, tsid; 1503 1504 sid = current_sid(); 1505 tsid = task_sid(tsk); 1506 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL); 1507 } 1508 1509 #if CAP_LAST_CAP > 63 1510 #error Fix SELinux to handle capabilities > 63. 1511 #endif 1512 1513 /* Check whether a task is allowed to use a capability. */ 1514 static int cred_has_capability(const struct cred *cred, 1515 int cap, int audit) 1516 { 1517 struct common_audit_data ad; 1518 struct av_decision avd; 1519 u16 sclass; 1520 u32 sid = cred_sid(cred); 1521 u32 av = CAP_TO_MASK(cap); 1522 int rc; 1523 1524 ad.type = LSM_AUDIT_DATA_CAP; 1525 ad.u.cap = cap; 1526 1527 switch (CAP_TO_INDEX(cap)) { 1528 case 0: 1529 sclass = SECCLASS_CAPABILITY; 1530 break; 1531 case 1: 1532 sclass = SECCLASS_CAPABILITY2; 1533 break; 1534 default: 1535 printk(KERN_ERR 1536 "SELinux: out of range capability %d\n", cap); 1537 BUG(); 1538 return -EINVAL; 1539 } 1540 1541 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1542 if (audit == SECURITY_CAP_AUDIT) { 1543 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); 1544 if (rc2) 1545 return rc2; 1546 } 1547 return rc; 1548 } 1549 1550 /* Check whether a task is allowed to use a system operation. */ 1551 static int task_has_system(struct task_struct *tsk, 1552 u32 perms) 1553 { 1554 u32 sid = task_sid(tsk); 1555 1556 return avc_has_perm(sid, SECINITSID_KERNEL, 1557 SECCLASS_SYSTEM, perms, NULL); 1558 } 1559 1560 /* Check whether a task has a particular permission to an inode. 1561 The 'adp' parameter is optional and allows other audit 1562 data to be passed (e.g. the dentry). */ 1563 static int inode_has_perm(const struct cred *cred, 1564 struct inode *inode, 1565 u32 perms, 1566 struct common_audit_data *adp) 1567 { 1568 struct inode_security_struct *isec; 1569 u32 sid; 1570 1571 validate_creds(cred); 1572 1573 if (unlikely(IS_PRIVATE(inode))) 1574 return 0; 1575 1576 sid = cred_sid(cred); 1577 isec = inode->i_security; 1578 1579 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1580 } 1581 1582 /* Same as inode_has_perm, but pass explicit audit data containing 1583 the dentry to help the auditing code to more easily generate the 1584 pathname if needed. */ 1585 static inline int dentry_has_perm(const struct cred *cred, 1586 struct dentry *dentry, 1587 u32 av) 1588 { 1589 struct inode *inode = dentry->d_inode; 1590 struct common_audit_data ad; 1591 1592 ad.type = LSM_AUDIT_DATA_DENTRY; 1593 ad.u.dentry = dentry; 1594 return inode_has_perm(cred, inode, av, &ad); 1595 } 1596 1597 /* Same as inode_has_perm, but pass explicit audit data containing 1598 the path to help the auditing code to more easily generate the 1599 pathname if needed. */ 1600 static inline int path_has_perm(const struct cred *cred, 1601 struct path *path, 1602 u32 av) 1603 { 1604 struct inode *inode = path->dentry->d_inode; 1605 struct common_audit_data ad; 1606 1607 ad.type = LSM_AUDIT_DATA_PATH; 1608 ad.u.path = *path; 1609 return inode_has_perm(cred, inode, av, &ad); 1610 } 1611 1612 /* Same as path_has_perm, but uses the inode from the file struct. */ 1613 static inline int file_path_has_perm(const struct cred *cred, 1614 struct file *file, 1615 u32 av) 1616 { 1617 struct common_audit_data ad; 1618 1619 ad.type = LSM_AUDIT_DATA_PATH; 1620 ad.u.path = file->f_path; 1621 return inode_has_perm(cred, file_inode(file), av, &ad); 1622 } 1623 1624 /* Check whether a task can use an open file descriptor to 1625 access an inode in a given way. Check access to the 1626 descriptor itself, and then use dentry_has_perm to 1627 check a particular permission to the file. 1628 Access to the descriptor is implicitly granted if it 1629 has the same SID as the process. If av is zero, then 1630 access to the file is not checked, e.g. for cases 1631 where only the descriptor is affected like seek. */ 1632 static int file_has_perm(const struct cred *cred, 1633 struct file *file, 1634 u32 av) 1635 { 1636 struct file_security_struct *fsec = file->f_security; 1637 struct inode *inode = file_inode(file); 1638 struct common_audit_data ad; 1639 u32 sid = cred_sid(cred); 1640 int rc; 1641 1642 ad.type = LSM_AUDIT_DATA_PATH; 1643 ad.u.path = file->f_path; 1644 1645 if (sid != fsec->sid) { 1646 rc = avc_has_perm(sid, fsec->sid, 1647 SECCLASS_FD, 1648 FD__USE, 1649 &ad); 1650 if (rc) 1651 goto out; 1652 } 1653 1654 /* av is zero if only checking access to the descriptor. */ 1655 rc = 0; 1656 if (av) 1657 rc = inode_has_perm(cred, inode, av, &ad); 1658 1659 out: 1660 return rc; 1661 } 1662 1663 /* Check whether a task can create a file. */ 1664 static int may_create(struct inode *dir, 1665 struct dentry *dentry, 1666 u16 tclass) 1667 { 1668 const struct task_security_struct *tsec = current_security(); 1669 struct inode_security_struct *dsec; 1670 struct superblock_security_struct *sbsec; 1671 u32 sid, newsid; 1672 struct common_audit_data ad; 1673 int rc; 1674 1675 dsec = dir->i_security; 1676 sbsec = dir->i_sb->s_security; 1677 1678 sid = tsec->sid; 1679 newsid = tsec->create_sid; 1680 1681 ad.type = LSM_AUDIT_DATA_DENTRY; 1682 ad.u.dentry = dentry; 1683 1684 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1685 DIR__ADD_NAME | DIR__SEARCH, 1686 &ad); 1687 if (rc) 1688 return rc; 1689 1690 if (!newsid || !(sbsec->flags & SBLABEL_MNT)) { 1691 rc = security_transition_sid(sid, dsec->sid, tclass, 1692 &dentry->d_name, &newsid); 1693 if (rc) 1694 return rc; 1695 } 1696 1697 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1698 if (rc) 1699 return rc; 1700 1701 return avc_has_perm(newsid, sbsec->sid, 1702 SECCLASS_FILESYSTEM, 1703 FILESYSTEM__ASSOCIATE, &ad); 1704 } 1705 1706 /* Check whether a task can create a key. */ 1707 static int may_create_key(u32 ksid, 1708 struct task_struct *ctx) 1709 { 1710 u32 sid = task_sid(ctx); 1711 1712 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); 1713 } 1714 1715 #define MAY_LINK 0 1716 #define MAY_UNLINK 1 1717 #define MAY_RMDIR 2 1718 1719 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1720 static int may_link(struct inode *dir, 1721 struct dentry *dentry, 1722 int kind) 1723 1724 { 1725 struct inode_security_struct *dsec, *isec; 1726 struct common_audit_data ad; 1727 u32 sid = current_sid(); 1728 u32 av; 1729 int rc; 1730 1731 dsec = dir->i_security; 1732 isec = dentry->d_inode->i_security; 1733 1734 ad.type = LSM_AUDIT_DATA_DENTRY; 1735 ad.u.dentry = dentry; 1736 1737 av = DIR__SEARCH; 1738 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1739 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 1740 if (rc) 1741 return rc; 1742 1743 switch (kind) { 1744 case MAY_LINK: 1745 av = FILE__LINK; 1746 break; 1747 case MAY_UNLINK: 1748 av = FILE__UNLINK; 1749 break; 1750 case MAY_RMDIR: 1751 av = DIR__RMDIR; 1752 break; 1753 default: 1754 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", 1755 __func__, kind); 1756 return 0; 1757 } 1758 1759 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 1760 return rc; 1761 } 1762 1763 static inline int may_rename(struct inode *old_dir, 1764 struct dentry *old_dentry, 1765 struct inode *new_dir, 1766 struct dentry *new_dentry) 1767 { 1768 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1769 struct common_audit_data ad; 1770 u32 sid = current_sid(); 1771 u32 av; 1772 int old_is_dir, new_is_dir; 1773 int rc; 1774 1775 old_dsec = old_dir->i_security; 1776 old_isec = old_dentry->d_inode->i_security; 1777 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); 1778 new_dsec = new_dir->i_security; 1779 1780 ad.type = LSM_AUDIT_DATA_DENTRY; 1781 1782 ad.u.dentry = old_dentry; 1783 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1784 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1785 if (rc) 1786 return rc; 1787 rc = avc_has_perm(sid, old_isec->sid, 1788 old_isec->sclass, FILE__RENAME, &ad); 1789 if (rc) 1790 return rc; 1791 if (old_is_dir && new_dir != old_dir) { 1792 rc = avc_has_perm(sid, old_isec->sid, 1793 old_isec->sclass, DIR__REPARENT, &ad); 1794 if (rc) 1795 return rc; 1796 } 1797 1798 ad.u.dentry = new_dentry; 1799 av = DIR__ADD_NAME | DIR__SEARCH; 1800 if (new_dentry->d_inode) 1801 av |= DIR__REMOVE_NAME; 1802 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1803 if (rc) 1804 return rc; 1805 if (new_dentry->d_inode) { 1806 new_isec = new_dentry->d_inode->i_security; 1807 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode); 1808 rc = avc_has_perm(sid, new_isec->sid, 1809 new_isec->sclass, 1810 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1811 if (rc) 1812 return rc; 1813 } 1814 1815 return 0; 1816 } 1817 1818 /* Check whether a task can perform a filesystem operation. */ 1819 static int superblock_has_perm(const struct cred *cred, 1820 struct super_block *sb, 1821 u32 perms, 1822 struct common_audit_data *ad) 1823 { 1824 struct superblock_security_struct *sbsec; 1825 u32 sid = cred_sid(cred); 1826 1827 sbsec = sb->s_security; 1828 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1829 } 1830 1831 /* Convert a Linux mode and permission mask to an access vector. */ 1832 static inline u32 file_mask_to_av(int mode, int mask) 1833 { 1834 u32 av = 0; 1835 1836 if (!S_ISDIR(mode)) { 1837 if (mask & MAY_EXEC) 1838 av |= FILE__EXECUTE; 1839 if (mask & MAY_READ) 1840 av |= FILE__READ; 1841 1842 if (mask & MAY_APPEND) 1843 av |= FILE__APPEND; 1844 else if (mask & MAY_WRITE) 1845 av |= FILE__WRITE; 1846 1847 } else { 1848 if (mask & MAY_EXEC) 1849 av |= DIR__SEARCH; 1850 if (mask & MAY_WRITE) 1851 av |= DIR__WRITE; 1852 if (mask & MAY_READ) 1853 av |= DIR__READ; 1854 } 1855 1856 return av; 1857 } 1858 1859 /* Convert a Linux file to an access vector. */ 1860 static inline u32 file_to_av(struct file *file) 1861 { 1862 u32 av = 0; 1863 1864 if (file->f_mode & FMODE_READ) 1865 av |= FILE__READ; 1866 if (file->f_mode & FMODE_WRITE) { 1867 if (file->f_flags & O_APPEND) 1868 av |= FILE__APPEND; 1869 else 1870 av |= FILE__WRITE; 1871 } 1872 if (!av) { 1873 /* 1874 * Special file opened with flags 3 for ioctl-only use. 1875 */ 1876 av = FILE__IOCTL; 1877 } 1878 1879 return av; 1880 } 1881 1882 /* 1883 * Convert a file to an access vector and include the correct open 1884 * open permission. 1885 */ 1886 static inline u32 open_file_to_av(struct file *file) 1887 { 1888 u32 av = file_to_av(file); 1889 1890 if (selinux_policycap_openperm) 1891 av |= FILE__OPEN; 1892 1893 return av; 1894 } 1895 1896 /* Hook functions begin here. */ 1897 1898 static int selinux_ptrace_access_check(struct task_struct *child, 1899 unsigned int mode) 1900 { 1901 int rc; 1902 1903 rc = cap_ptrace_access_check(child, mode); 1904 if (rc) 1905 return rc; 1906 1907 if (mode & PTRACE_MODE_READ) { 1908 u32 sid = current_sid(); 1909 u32 csid = task_sid(child); 1910 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); 1911 } 1912 1913 return current_has_perm(child, PROCESS__PTRACE); 1914 } 1915 1916 static int selinux_ptrace_traceme(struct task_struct *parent) 1917 { 1918 int rc; 1919 1920 rc = cap_ptrace_traceme(parent); 1921 if (rc) 1922 return rc; 1923 1924 return task_has_perm(parent, current, PROCESS__PTRACE); 1925 } 1926 1927 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 1928 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1929 { 1930 int error; 1931 1932 error = current_has_perm(target, PROCESS__GETCAP); 1933 if (error) 1934 return error; 1935 1936 return cap_capget(target, effective, inheritable, permitted); 1937 } 1938 1939 static int selinux_capset(struct cred *new, const struct cred *old, 1940 const kernel_cap_t *effective, 1941 const kernel_cap_t *inheritable, 1942 const kernel_cap_t *permitted) 1943 { 1944 int error; 1945 1946 error = cap_capset(new, old, 1947 effective, inheritable, permitted); 1948 if (error) 1949 return error; 1950 1951 return cred_has_perm(old, new, PROCESS__SETCAP); 1952 } 1953 1954 /* 1955 * (This comment used to live with the selinux_task_setuid hook, 1956 * which was removed). 1957 * 1958 * Since setuid only affects the current process, and since the SELinux 1959 * controls are not based on the Linux identity attributes, SELinux does not 1960 * need to control this operation. However, SELinux does control the use of 1961 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 1962 */ 1963 1964 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 1965 int cap, int audit) 1966 { 1967 int rc; 1968 1969 rc = cap_capable(cred, ns, cap, audit); 1970 if (rc) 1971 return rc; 1972 1973 return cred_has_capability(cred, cap, audit); 1974 } 1975 1976 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 1977 { 1978 const struct cred *cred = current_cred(); 1979 int rc = 0; 1980 1981 if (!sb) 1982 return 0; 1983 1984 switch (cmds) { 1985 case Q_SYNC: 1986 case Q_QUOTAON: 1987 case Q_QUOTAOFF: 1988 case Q_SETINFO: 1989 case Q_SETQUOTA: 1990 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 1991 break; 1992 case Q_GETFMT: 1993 case Q_GETINFO: 1994 case Q_GETQUOTA: 1995 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 1996 break; 1997 default: 1998 rc = 0; /* let the kernel handle invalid cmds */ 1999 break; 2000 } 2001 return rc; 2002 } 2003 2004 static int selinux_quota_on(struct dentry *dentry) 2005 { 2006 const struct cred *cred = current_cred(); 2007 2008 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2009 } 2010 2011 static int selinux_syslog(int type) 2012 { 2013 int rc; 2014 2015 switch (type) { 2016 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2017 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2018 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 2019 break; 2020 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2021 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2022 /* Set level of messages printed to console */ 2023 case SYSLOG_ACTION_CONSOLE_LEVEL: 2024 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); 2025 break; 2026 case SYSLOG_ACTION_CLOSE: /* Close log */ 2027 case SYSLOG_ACTION_OPEN: /* Open log */ 2028 case SYSLOG_ACTION_READ: /* Read from log */ 2029 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */ 2030 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */ 2031 default: 2032 rc = task_has_system(current, SYSTEM__SYSLOG_MOD); 2033 break; 2034 } 2035 return rc; 2036 } 2037 2038 /* 2039 * Check that a process has enough memory to allocate a new virtual 2040 * mapping. 0 means there is enough memory for the allocation to 2041 * succeed and -ENOMEM implies there is not. 2042 * 2043 * Do not audit the selinux permission check, as this is applied to all 2044 * processes that allocate mappings. 2045 */ 2046 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2047 { 2048 int rc, cap_sys_admin = 0; 2049 2050 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN, 2051 SECURITY_CAP_NOAUDIT); 2052 if (rc == 0) 2053 cap_sys_admin = 1; 2054 2055 return __vm_enough_memory(mm, pages, cap_sys_admin); 2056 } 2057 2058 /* binprm security operations */ 2059 2060 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2061 { 2062 const struct task_security_struct *old_tsec; 2063 struct task_security_struct *new_tsec; 2064 struct inode_security_struct *isec; 2065 struct common_audit_data ad; 2066 struct inode *inode = file_inode(bprm->file); 2067 int rc; 2068 2069 rc = cap_bprm_set_creds(bprm); 2070 if (rc) 2071 return rc; 2072 2073 /* SELinux context only depends on initial program or script and not 2074 * the script interpreter */ 2075 if (bprm->cred_prepared) 2076 return 0; 2077 2078 old_tsec = current_security(); 2079 new_tsec = bprm->cred->security; 2080 isec = inode->i_security; 2081 2082 /* Default to the current task SID. */ 2083 new_tsec->sid = old_tsec->sid; 2084 new_tsec->osid = old_tsec->sid; 2085 2086 /* Reset fs, key, and sock SIDs on execve. */ 2087 new_tsec->create_sid = 0; 2088 new_tsec->keycreate_sid = 0; 2089 new_tsec->sockcreate_sid = 0; 2090 2091 if (old_tsec->exec_sid) { 2092 new_tsec->sid = old_tsec->exec_sid; 2093 /* Reset exec SID on execve. */ 2094 new_tsec->exec_sid = 0; 2095 2096 /* 2097 * Minimize confusion: if no_new_privs and a transition is 2098 * explicitly requested, then fail the exec. 2099 */ 2100 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) 2101 return -EPERM; 2102 } else { 2103 /* Check for a default transition on this program. */ 2104 rc = security_transition_sid(old_tsec->sid, isec->sid, 2105 SECCLASS_PROCESS, NULL, 2106 &new_tsec->sid); 2107 if (rc) 2108 return rc; 2109 } 2110 2111 ad.type = LSM_AUDIT_DATA_PATH; 2112 ad.u.path = bprm->file->f_path; 2113 2114 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) || 2115 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) 2116 new_tsec->sid = old_tsec->sid; 2117 2118 if (new_tsec->sid == old_tsec->sid) { 2119 rc = avc_has_perm(old_tsec->sid, isec->sid, 2120 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2121 if (rc) 2122 return rc; 2123 } else { 2124 /* Check permissions for the transition. */ 2125 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2126 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2127 if (rc) 2128 return rc; 2129 2130 rc = avc_has_perm(new_tsec->sid, isec->sid, 2131 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2132 if (rc) 2133 return rc; 2134 2135 /* Check for shared state */ 2136 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2137 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2138 SECCLASS_PROCESS, PROCESS__SHARE, 2139 NULL); 2140 if (rc) 2141 return -EPERM; 2142 } 2143 2144 /* Make sure that anyone attempting to ptrace over a task that 2145 * changes its SID has the appropriate permit */ 2146 if (bprm->unsafe & 2147 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 2148 struct task_struct *tracer; 2149 struct task_security_struct *sec; 2150 u32 ptsid = 0; 2151 2152 rcu_read_lock(); 2153 tracer = ptrace_parent(current); 2154 if (likely(tracer != NULL)) { 2155 sec = __task_cred(tracer)->security; 2156 ptsid = sec->sid; 2157 } 2158 rcu_read_unlock(); 2159 2160 if (ptsid != 0) { 2161 rc = avc_has_perm(ptsid, new_tsec->sid, 2162 SECCLASS_PROCESS, 2163 PROCESS__PTRACE, NULL); 2164 if (rc) 2165 return -EPERM; 2166 } 2167 } 2168 2169 /* Clear any possibly unsafe personality bits on exec: */ 2170 bprm->per_clear |= PER_CLEAR_ON_SETID; 2171 } 2172 2173 return 0; 2174 } 2175 2176 static int selinux_bprm_secureexec(struct linux_binprm *bprm) 2177 { 2178 const struct task_security_struct *tsec = current_security(); 2179 u32 sid, osid; 2180 int atsecure = 0; 2181 2182 sid = tsec->sid; 2183 osid = tsec->osid; 2184 2185 if (osid != sid) { 2186 /* Enable secure mode for SIDs transitions unless 2187 the noatsecure permission is granted between 2188 the two SIDs, i.e. ahp returns 0. */ 2189 atsecure = avc_has_perm(osid, sid, 2190 SECCLASS_PROCESS, 2191 PROCESS__NOATSECURE, NULL); 2192 } 2193 2194 return (atsecure || cap_bprm_secureexec(bprm)); 2195 } 2196 2197 static int match_file(const void *p, struct file *file, unsigned fd) 2198 { 2199 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2200 } 2201 2202 /* Derived from fs/exec.c:flush_old_files. */ 2203 static inline void flush_unauthorized_files(const struct cred *cred, 2204 struct files_struct *files) 2205 { 2206 struct file *file, *devnull = NULL; 2207 struct tty_struct *tty; 2208 int drop_tty = 0; 2209 unsigned n; 2210 2211 tty = get_current_tty(); 2212 if (tty) { 2213 spin_lock(&tty_files_lock); 2214 if (!list_empty(&tty->tty_files)) { 2215 struct tty_file_private *file_priv; 2216 2217 /* Revalidate access to controlling tty. 2218 Use file_path_has_perm on the tty path directly 2219 rather than using file_has_perm, as this particular 2220 open file may belong to another process and we are 2221 only interested in the inode-based check here. */ 2222 file_priv = list_first_entry(&tty->tty_files, 2223 struct tty_file_private, list); 2224 file = file_priv->file; 2225 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2226 drop_tty = 1; 2227 } 2228 spin_unlock(&tty_files_lock); 2229 tty_kref_put(tty); 2230 } 2231 /* Reset controlling tty. */ 2232 if (drop_tty) 2233 no_tty(); 2234 2235 /* Revalidate access to inherited open files. */ 2236 n = iterate_fd(files, 0, match_file, cred); 2237 if (!n) /* none found? */ 2238 return; 2239 2240 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2241 if (IS_ERR(devnull)) 2242 devnull = NULL; 2243 /* replace all the matching ones with this */ 2244 do { 2245 replace_fd(n - 1, devnull, 0); 2246 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2247 if (devnull) 2248 fput(devnull); 2249 } 2250 2251 /* 2252 * Prepare a process for imminent new credential changes due to exec 2253 */ 2254 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2255 { 2256 struct task_security_struct *new_tsec; 2257 struct rlimit *rlim, *initrlim; 2258 int rc, i; 2259 2260 new_tsec = bprm->cred->security; 2261 if (new_tsec->sid == new_tsec->osid) 2262 return; 2263 2264 /* Close files for which the new task SID is not authorized. */ 2265 flush_unauthorized_files(bprm->cred, current->files); 2266 2267 /* Always clear parent death signal on SID transitions. */ 2268 current->pdeath_signal = 0; 2269 2270 /* Check whether the new SID can inherit resource limits from the old 2271 * SID. If not, reset all soft limits to the lower of the current 2272 * task's hard limit and the init task's soft limit. 2273 * 2274 * Note that the setting of hard limits (even to lower them) can be 2275 * controlled by the setrlimit check. The inclusion of the init task's 2276 * soft limit into the computation is to avoid resetting soft limits 2277 * higher than the default soft limit for cases where the default is 2278 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2279 */ 2280 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2281 PROCESS__RLIMITINH, NULL); 2282 if (rc) { 2283 /* protect against do_prlimit() */ 2284 task_lock(current); 2285 for (i = 0; i < RLIM_NLIMITS; i++) { 2286 rlim = current->signal->rlim + i; 2287 initrlim = init_task.signal->rlim + i; 2288 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2289 } 2290 task_unlock(current); 2291 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2292 } 2293 } 2294 2295 /* 2296 * Clean up the process immediately after the installation of new credentials 2297 * due to exec 2298 */ 2299 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2300 { 2301 const struct task_security_struct *tsec = current_security(); 2302 struct itimerval itimer; 2303 u32 osid, sid; 2304 int rc, i; 2305 2306 osid = tsec->osid; 2307 sid = tsec->sid; 2308 2309 if (sid == osid) 2310 return; 2311 2312 /* Check whether the new SID can inherit signal state from the old SID. 2313 * If not, clear itimers to avoid subsequent signal generation and 2314 * flush and unblock signals. 2315 * 2316 * This must occur _after_ the task SID has been updated so that any 2317 * kill done after the flush will be checked against the new SID. 2318 */ 2319 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2320 if (rc) { 2321 memset(&itimer, 0, sizeof itimer); 2322 for (i = 0; i < 3; i++) 2323 do_setitimer(i, &itimer, NULL); 2324 spin_lock_irq(¤t->sighand->siglock); 2325 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) { 2326 __flush_signals(current); 2327 flush_signal_handlers(current, 1); 2328 sigemptyset(¤t->blocked); 2329 } 2330 spin_unlock_irq(¤t->sighand->siglock); 2331 } 2332 2333 /* Wake up the parent if it is waiting so that it can recheck 2334 * wait permission to the new task SID. */ 2335 read_lock(&tasklist_lock); 2336 __wake_up_parent(current, current->real_parent); 2337 read_unlock(&tasklist_lock); 2338 } 2339 2340 /* superblock security operations */ 2341 2342 static int selinux_sb_alloc_security(struct super_block *sb) 2343 { 2344 return superblock_alloc_security(sb); 2345 } 2346 2347 static void selinux_sb_free_security(struct super_block *sb) 2348 { 2349 superblock_free_security(sb); 2350 } 2351 2352 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2353 { 2354 if (plen > olen) 2355 return 0; 2356 2357 return !memcmp(prefix, option, plen); 2358 } 2359 2360 static inline int selinux_option(char *option, int len) 2361 { 2362 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || 2363 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || 2364 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || 2365 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || 2366 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); 2367 } 2368 2369 static inline void take_option(char **to, char *from, int *first, int len) 2370 { 2371 if (!*first) { 2372 **to = ','; 2373 *to += 1; 2374 } else 2375 *first = 0; 2376 memcpy(*to, from, len); 2377 *to += len; 2378 } 2379 2380 static inline void take_selinux_option(char **to, char *from, int *first, 2381 int len) 2382 { 2383 int current_size = 0; 2384 2385 if (!*first) { 2386 **to = '|'; 2387 *to += 1; 2388 } else 2389 *first = 0; 2390 2391 while (current_size < len) { 2392 if (*from != '"') { 2393 **to = *from; 2394 *to += 1; 2395 } 2396 from += 1; 2397 current_size += 1; 2398 } 2399 } 2400 2401 static int selinux_sb_copy_data(char *orig, char *copy) 2402 { 2403 int fnosec, fsec, rc = 0; 2404 char *in_save, *in_curr, *in_end; 2405 char *sec_curr, *nosec_save, *nosec; 2406 int open_quote = 0; 2407 2408 in_curr = orig; 2409 sec_curr = copy; 2410 2411 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2412 if (!nosec) { 2413 rc = -ENOMEM; 2414 goto out; 2415 } 2416 2417 nosec_save = nosec; 2418 fnosec = fsec = 1; 2419 in_save = in_end = orig; 2420 2421 do { 2422 if (*in_end == '"') 2423 open_quote = !open_quote; 2424 if ((*in_end == ',' && open_quote == 0) || 2425 *in_end == '\0') { 2426 int len = in_end - in_curr; 2427 2428 if (selinux_option(in_curr, len)) 2429 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2430 else 2431 take_option(&nosec, in_curr, &fnosec, len); 2432 2433 in_curr = in_end + 1; 2434 } 2435 } while (*in_end++); 2436 2437 strcpy(in_save, nosec_save); 2438 free_page((unsigned long)nosec_save); 2439 out: 2440 return rc; 2441 } 2442 2443 static int selinux_sb_remount(struct super_block *sb, void *data) 2444 { 2445 int rc, i, *flags; 2446 struct security_mnt_opts opts; 2447 char *secdata, **mount_options; 2448 struct superblock_security_struct *sbsec = sb->s_security; 2449 2450 if (!(sbsec->flags & SE_SBINITIALIZED)) 2451 return 0; 2452 2453 if (!data) 2454 return 0; 2455 2456 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 2457 return 0; 2458 2459 security_init_mnt_opts(&opts); 2460 secdata = alloc_secdata(); 2461 if (!secdata) 2462 return -ENOMEM; 2463 rc = selinux_sb_copy_data(data, secdata); 2464 if (rc) 2465 goto out_free_secdata; 2466 2467 rc = selinux_parse_opts_str(secdata, &opts); 2468 if (rc) 2469 goto out_free_secdata; 2470 2471 mount_options = opts.mnt_opts; 2472 flags = opts.mnt_opts_flags; 2473 2474 for (i = 0; i < opts.num_mnt_opts; i++) { 2475 u32 sid; 2476 size_t len; 2477 2478 if (flags[i] == SBLABEL_MNT) 2479 continue; 2480 len = strlen(mount_options[i]); 2481 rc = security_context_to_sid(mount_options[i], len, &sid); 2482 if (rc) { 2483 printk(KERN_WARNING "SELinux: security_context_to_sid" 2484 "(%s) failed for (dev %s, type "SB_TYPE_FMT") errno=%d\n", 2485 mount_options[i], sb->s_id, SB_TYPE_ARGS(sb), rc); 2486 goto out_free_opts; 2487 } 2488 rc = -EINVAL; 2489 switch (flags[i]) { 2490 case FSCONTEXT_MNT: 2491 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2492 goto out_bad_option; 2493 break; 2494 case CONTEXT_MNT: 2495 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2496 goto out_bad_option; 2497 break; 2498 case ROOTCONTEXT_MNT: { 2499 struct inode_security_struct *root_isec; 2500 root_isec = sb->s_root->d_inode->i_security; 2501 2502 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2503 goto out_bad_option; 2504 break; 2505 } 2506 case DEFCONTEXT_MNT: 2507 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2508 goto out_bad_option; 2509 break; 2510 default: 2511 goto out_free_opts; 2512 } 2513 } 2514 2515 rc = 0; 2516 out_free_opts: 2517 security_free_mnt_opts(&opts); 2518 out_free_secdata: 2519 free_secdata(secdata); 2520 return rc; 2521 out_bad_option: 2522 printk(KERN_WARNING "SELinux: unable to change security options " 2523 "during remount (dev %s, type "SB_TYPE_FMT")\n", sb->s_id, 2524 SB_TYPE_ARGS(sb)); 2525 goto out_free_opts; 2526 } 2527 2528 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) 2529 { 2530 const struct cred *cred = current_cred(); 2531 struct common_audit_data ad; 2532 int rc; 2533 2534 rc = superblock_doinit(sb, data); 2535 if (rc) 2536 return rc; 2537 2538 /* Allow all mounts performed by the kernel */ 2539 if (flags & MS_KERNMOUNT) 2540 return 0; 2541 2542 ad.type = LSM_AUDIT_DATA_DENTRY; 2543 ad.u.dentry = sb->s_root; 2544 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2545 } 2546 2547 static int selinux_sb_statfs(struct dentry *dentry) 2548 { 2549 const struct cred *cred = current_cred(); 2550 struct common_audit_data ad; 2551 2552 ad.type = LSM_AUDIT_DATA_DENTRY; 2553 ad.u.dentry = dentry->d_sb->s_root; 2554 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2555 } 2556 2557 static int selinux_mount(const char *dev_name, 2558 struct path *path, 2559 const char *type, 2560 unsigned long flags, 2561 void *data) 2562 { 2563 const struct cred *cred = current_cred(); 2564 2565 if (flags & MS_REMOUNT) 2566 return superblock_has_perm(cred, path->dentry->d_sb, 2567 FILESYSTEM__REMOUNT, NULL); 2568 else 2569 return path_has_perm(cred, path, FILE__MOUNTON); 2570 } 2571 2572 static int selinux_umount(struct vfsmount *mnt, int flags) 2573 { 2574 const struct cred *cred = current_cred(); 2575 2576 return superblock_has_perm(cred, mnt->mnt_sb, 2577 FILESYSTEM__UNMOUNT, NULL); 2578 } 2579 2580 /* inode security operations */ 2581 2582 static int selinux_inode_alloc_security(struct inode *inode) 2583 { 2584 return inode_alloc_security(inode); 2585 } 2586 2587 static void selinux_inode_free_security(struct inode *inode) 2588 { 2589 inode_free_security(inode); 2590 } 2591 2592 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2593 struct qstr *name, void **ctx, 2594 u32 *ctxlen) 2595 { 2596 const struct cred *cred = current_cred(); 2597 struct task_security_struct *tsec; 2598 struct inode_security_struct *dsec; 2599 struct superblock_security_struct *sbsec; 2600 struct inode *dir = dentry->d_parent->d_inode; 2601 u32 newsid; 2602 int rc; 2603 2604 tsec = cred->security; 2605 dsec = dir->i_security; 2606 sbsec = dir->i_sb->s_security; 2607 2608 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 2609 newsid = tsec->create_sid; 2610 } else { 2611 rc = security_transition_sid(tsec->sid, dsec->sid, 2612 inode_mode_to_security_class(mode), 2613 name, 2614 &newsid); 2615 if (rc) { 2616 printk(KERN_WARNING 2617 "%s: security_transition_sid failed, rc=%d\n", 2618 __func__, -rc); 2619 return rc; 2620 } 2621 } 2622 2623 return security_sid_to_context(newsid, (char **)ctx, ctxlen); 2624 } 2625 2626 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2627 const struct qstr *qstr, 2628 const char **name, 2629 void **value, size_t *len) 2630 { 2631 const struct task_security_struct *tsec = current_security(); 2632 struct inode_security_struct *dsec; 2633 struct superblock_security_struct *sbsec; 2634 u32 sid, newsid, clen; 2635 int rc; 2636 char *context; 2637 2638 dsec = dir->i_security; 2639 sbsec = dir->i_sb->s_security; 2640 2641 sid = tsec->sid; 2642 newsid = tsec->create_sid; 2643 2644 if ((sbsec->flags & SE_SBINITIALIZED) && 2645 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) 2646 newsid = sbsec->mntpoint_sid; 2647 else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) { 2648 rc = security_transition_sid(sid, dsec->sid, 2649 inode_mode_to_security_class(inode->i_mode), 2650 qstr, &newsid); 2651 if (rc) { 2652 printk(KERN_WARNING "%s: " 2653 "security_transition_sid failed, rc=%d (dev=%s " 2654 "ino=%ld)\n", 2655 __func__, 2656 -rc, inode->i_sb->s_id, inode->i_ino); 2657 return rc; 2658 } 2659 } 2660 2661 /* Possibly defer initialization to selinux_complete_init. */ 2662 if (sbsec->flags & SE_SBINITIALIZED) { 2663 struct inode_security_struct *isec = inode->i_security; 2664 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2665 isec->sid = newsid; 2666 isec->initialized = 1; 2667 } 2668 2669 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT)) 2670 return -EOPNOTSUPP; 2671 2672 if (name) 2673 *name = XATTR_SELINUX_SUFFIX; 2674 2675 if (value && len) { 2676 rc = security_sid_to_context_force(newsid, &context, &clen); 2677 if (rc) 2678 return rc; 2679 *value = context; 2680 *len = clen; 2681 } 2682 2683 return 0; 2684 } 2685 2686 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 2687 { 2688 return may_create(dir, dentry, SECCLASS_FILE); 2689 } 2690 2691 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2692 { 2693 return may_link(dir, old_dentry, MAY_LINK); 2694 } 2695 2696 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2697 { 2698 return may_link(dir, dentry, MAY_UNLINK); 2699 } 2700 2701 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2702 { 2703 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2704 } 2705 2706 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 2707 { 2708 return may_create(dir, dentry, SECCLASS_DIR); 2709 } 2710 2711 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2712 { 2713 return may_link(dir, dentry, MAY_RMDIR); 2714 } 2715 2716 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 2717 { 2718 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2719 } 2720 2721 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2722 struct inode *new_inode, struct dentry *new_dentry) 2723 { 2724 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2725 } 2726 2727 static int selinux_inode_readlink(struct dentry *dentry) 2728 { 2729 const struct cred *cred = current_cred(); 2730 2731 return dentry_has_perm(cred, dentry, FILE__READ); 2732 } 2733 2734 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) 2735 { 2736 const struct cred *cred = current_cred(); 2737 2738 return dentry_has_perm(cred, dentry, FILE__READ); 2739 } 2740 2741 static noinline int audit_inode_permission(struct inode *inode, 2742 u32 perms, u32 audited, u32 denied, 2743 unsigned flags) 2744 { 2745 struct common_audit_data ad; 2746 struct inode_security_struct *isec = inode->i_security; 2747 int rc; 2748 2749 ad.type = LSM_AUDIT_DATA_INODE; 2750 ad.u.inode = inode; 2751 2752 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 2753 audited, denied, &ad, flags); 2754 if (rc) 2755 return rc; 2756 return 0; 2757 } 2758 2759 static int selinux_inode_permission(struct inode *inode, int mask) 2760 { 2761 const struct cred *cred = current_cred(); 2762 u32 perms; 2763 bool from_access; 2764 unsigned flags = mask & MAY_NOT_BLOCK; 2765 struct inode_security_struct *isec; 2766 u32 sid; 2767 struct av_decision avd; 2768 int rc, rc2; 2769 u32 audited, denied; 2770 2771 from_access = mask & MAY_ACCESS; 2772 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 2773 2774 /* No permission to check. Existence test. */ 2775 if (!mask) 2776 return 0; 2777 2778 validate_creds(cred); 2779 2780 if (unlikely(IS_PRIVATE(inode))) 2781 return 0; 2782 2783 perms = file_mask_to_av(inode->i_mode, mask); 2784 2785 sid = cred_sid(cred); 2786 isec = inode->i_security; 2787 2788 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); 2789 audited = avc_audit_required(perms, &avd, rc, 2790 from_access ? FILE__AUDIT_ACCESS : 0, 2791 &denied); 2792 if (likely(!audited)) 2793 return rc; 2794 2795 rc2 = audit_inode_permission(inode, perms, audited, denied, flags); 2796 if (rc2) 2797 return rc2; 2798 return rc; 2799 } 2800 2801 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2802 { 2803 const struct cred *cred = current_cred(); 2804 unsigned int ia_valid = iattr->ia_valid; 2805 __u32 av = FILE__WRITE; 2806 2807 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 2808 if (ia_valid & ATTR_FORCE) { 2809 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 2810 ATTR_FORCE); 2811 if (!ia_valid) 2812 return 0; 2813 } 2814 2815 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 2816 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 2817 return dentry_has_perm(cred, dentry, FILE__SETATTR); 2818 2819 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)) 2820 av |= FILE__OPEN; 2821 2822 return dentry_has_perm(cred, dentry, av); 2823 } 2824 2825 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 2826 { 2827 const struct cred *cred = current_cred(); 2828 struct path path; 2829 2830 path.dentry = dentry; 2831 path.mnt = mnt; 2832 2833 return path_has_perm(cred, &path, FILE__GETATTR); 2834 } 2835 2836 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name) 2837 { 2838 const struct cred *cred = current_cred(); 2839 2840 if (!strncmp(name, XATTR_SECURITY_PREFIX, 2841 sizeof XATTR_SECURITY_PREFIX - 1)) { 2842 if (!strcmp(name, XATTR_NAME_CAPS)) { 2843 if (!capable(CAP_SETFCAP)) 2844 return -EPERM; 2845 } else if (!capable(CAP_SYS_ADMIN)) { 2846 /* A different attribute in the security namespace. 2847 Restrict to administrator. */ 2848 return -EPERM; 2849 } 2850 } 2851 2852 /* Not an attribute we recognize, so just check the 2853 ordinary setattr permission. */ 2854 return dentry_has_perm(cred, dentry, FILE__SETATTR); 2855 } 2856 2857 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 2858 const void *value, size_t size, int flags) 2859 { 2860 struct inode *inode = dentry->d_inode; 2861 struct inode_security_struct *isec = inode->i_security; 2862 struct superblock_security_struct *sbsec; 2863 struct common_audit_data ad; 2864 u32 newsid, sid = current_sid(); 2865 int rc = 0; 2866 2867 if (strcmp(name, XATTR_NAME_SELINUX)) 2868 return selinux_inode_setotherxattr(dentry, name); 2869 2870 sbsec = inode->i_sb->s_security; 2871 if (!(sbsec->flags & SBLABEL_MNT)) 2872 return -EOPNOTSUPP; 2873 2874 if (!inode_owner_or_capable(inode)) 2875 return -EPERM; 2876 2877 ad.type = LSM_AUDIT_DATA_DENTRY; 2878 ad.u.dentry = dentry; 2879 2880 rc = avc_has_perm(sid, isec->sid, isec->sclass, 2881 FILE__RELABELFROM, &ad); 2882 if (rc) 2883 return rc; 2884 2885 rc = security_context_to_sid(value, size, &newsid); 2886 if (rc == -EINVAL) { 2887 if (!capable(CAP_MAC_ADMIN)) { 2888 struct audit_buffer *ab; 2889 size_t audit_size; 2890 const char *str; 2891 2892 /* We strip a nul only if it is at the end, otherwise the 2893 * context contains a nul and we should audit that */ 2894 if (value) { 2895 str = value; 2896 if (str[size - 1] == '\0') 2897 audit_size = size - 1; 2898 else 2899 audit_size = size; 2900 } else { 2901 str = ""; 2902 audit_size = 0; 2903 } 2904 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 2905 audit_log_format(ab, "op=setxattr invalid_context="); 2906 audit_log_n_untrustedstring(ab, value, audit_size); 2907 audit_log_end(ab); 2908 2909 return rc; 2910 } 2911 rc = security_context_to_sid_force(value, size, &newsid); 2912 } 2913 if (rc) 2914 return rc; 2915 2916 rc = avc_has_perm(sid, newsid, isec->sclass, 2917 FILE__RELABELTO, &ad); 2918 if (rc) 2919 return rc; 2920 2921 rc = security_validate_transition(isec->sid, newsid, sid, 2922 isec->sclass); 2923 if (rc) 2924 return rc; 2925 2926 return avc_has_perm(newsid, 2927 sbsec->sid, 2928 SECCLASS_FILESYSTEM, 2929 FILESYSTEM__ASSOCIATE, 2930 &ad); 2931 } 2932 2933 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 2934 const void *value, size_t size, 2935 int flags) 2936 { 2937 struct inode *inode = dentry->d_inode; 2938 struct inode_security_struct *isec = inode->i_security; 2939 u32 newsid; 2940 int rc; 2941 2942 if (strcmp(name, XATTR_NAME_SELINUX)) { 2943 /* Not an attribute we recognize, so nothing to do. */ 2944 return; 2945 } 2946 2947 rc = security_context_to_sid_force(value, size, &newsid); 2948 if (rc) { 2949 printk(KERN_ERR "SELinux: unable to map context to SID" 2950 "for (%s, %lu), rc=%d\n", 2951 inode->i_sb->s_id, inode->i_ino, -rc); 2952 return; 2953 } 2954 2955 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2956 isec->sid = newsid; 2957 isec->initialized = 1; 2958 2959 return; 2960 } 2961 2962 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 2963 { 2964 const struct cred *cred = current_cred(); 2965 2966 return dentry_has_perm(cred, dentry, FILE__GETATTR); 2967 } 2968 2969 static int selinux_inode_listxattr(struct dentry *dentry) 2970 { 2971 const struct cred *cred = current_cred(); 2972 2973 return dentry_has_perm(cred, dentry, FILE__GETATTR); 2974 } 2975 2976 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 2977 { 2978 if (strcmp(name, XATTR_NAME_SELINUX)) 2979 return selinux_inode_setotherxattr(dentry, name); 2980 2981 /* No one is allowed to remove a SELinux security label. 2982 You can change the label, but all data must be labeled. */ 2983 return -EACCES; 2984 } 2985 2986 /* 2987 * Copy the inode security context value to the user. 2988 * 2989 * Permission check is handled by selinux_inode_getxattr hook. 2990 */ 2991 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc) 2992 { 2993 u32 size; 2994 int error; 2995 char *context = NULL; 2996 struct inode_security_struct *isec = inode->i_security; 2997 2998 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2999 return -EOPNOTSUPP; 3000 3001 /* 3002 * If the caller has CAP_MAC_ADMIN, then get the raw context 3003 * value even if it is not defined by current policy; otherwise, 3004 * use the in-core value under current policy. 3005 * Use the non-auditing forms of the permission checks since 3006 * getxattr may be called by unprivileged processes commonly 3007 * and lack of permission just means that we fall back to the 3008 * in-core context value, not a denial. 3009 */ 3010 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN, 3011 SECURITY_CAP_NOAUDIT); 3012 if (!error) 3013 error = security_sid_to_context_force(isec->sid, &context, 3014 &size); 3015 else 3016 error = security_sid_to_context(isec->sid, &context, &size); 3017 if (error) 3018 return error; 3019 error = size; 3020 if (alloc) { 3021 *buffer = context; 3022 goto out_nofree; 3023 } 3024 kfree(context); 3025 out_nofree: 3026 return error; 3027 } 3028 3029 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3030 const void *value, size_t size, int flags) 3031 { 3032 struct inode_security_struct *isec = inode->i_security; 3033 u32 newsid; 3034 int rc; 3035 3036 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3037 return -EOPNOTSUPP; 3038 3039 if (!value || !size) 3040 return -EACCES; 3041 3042 rc = security_context_to_sid((void *)value, size, &newsid); 3043 if (rc) 3044 return rc; 3045 3046 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3047 isec->sid = newsid; 3048 isec->initialized = 1; 3049 return 0; 3050 } 3051 3052 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3053 { 3054 const int len = sizeof(XATTR_NAME_SELINUX); 3055 if (buffer && len <= buffer_size) 3056 memcpy(buffer, XATTR_NAME_SELINUX, len); 3057 return len; 3058 } 3059 3060 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid) 3061 { 3062 struct inode_security_struct *isec = inode->i_security; 3063 *secid = isec->sid; 3064 } 3065 3066 /* file security operations */ 3067 3068 static int selinux_revalidate_file_permission(struct file *file, int mask) 3069 { 3070 const struct cred *cred = current_cred(); 3071 struct inode *inode = file_inode(file); 3072 3073 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3074 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3075 mask |= MAY_APPEND; 3076 3077 return file_has_perm(cred, file, 3078 file_mask_to_av(inode->i_mode, mask)); 3079 } 3080 3081 static int selinux_file_permission(struct file *file, int mask) 3082 { 3083 struct inode *inode = file_inode(file); 3084 struct file_security_struct *fsec = file->f_security; 3085 struct inode_security_struct *isec = inode->i_security; 3086 u32 sid = current_sid(); 3087 3088 if (!mask) 3089 /* No permission to check. Existence test. */ 3090 return 0; 3091 3092 if (sid == fsec->sid && fsec->isid == isec->sid && 3093 fsec->pseqno == avc_policy_seqno()) 3094 /* No change since file_open check. */ 3095 return 0; 3096 3097 return selinux_revalidate_file_permission(file, mask); 3098 } 3099 3100 static int selinux_file_alloc_security(struct file *file) 3101 { 3102 return file_alloc_security(file); 3103 } 3104 3105 static void selinux_file_free_security(struct file *file) 3106 { 3107 file_free_security(file); 3108 } 3109 3110 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3111 unsigned long arg) 3112 { 3113 const struct cred *cred = current_cred(); 3114 int error = 0; 3115 3116 switch (cmd) { 3117 case FIONREAD: 3118 /* fall through */ 3119 case FIBMAP: 3120 /* fall through */ 3121 case FIGETBSZ: 3122 /* fall through */ 3123 case FS_IOC_GETFLAGS: 3124 /* fall through */ 3125 case FS_IOC_GETVERSION: 3126 error = file_has_perm(cred, file, FILE__GETATTR); 3127 break; 3128 3129 case FS_IOC_SETFLAGS: 3130 /* fall through */ 3131 case FS_IOC_SETVERSION: 3132 error = file_has_perm(cred, file, FILE__SETATTR); 3133 break; 3134 3135 /* sys_ioctl() checks */ 3136 case FIONBIO: 3137 /* fall through */ 3138 case FIOASYNC: 3139 error = file_has_perm(cred, file, 0); 3140 break; 3141 3142 case KDSKBENT: 3143 case KDSKBSENT: 3144 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3145 SECURITY_CAP_AUDIT); 3146 break; 3147 3148 /* default case assumes that the command will go 3149 * to the file's ioctl() function. 3150 */ 3151 default: 3152 error = file_has_perm(cred, file, FILE__IOCTL); 3153 } 3154 return error; 3155 } 3156 3157 static int default_noexec; 3158 3159 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3160 { 3161 const struct cred *cred = current_cred(); 3162 int rc = 0; 3163 3164 if (default_noexec && 3165 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { 3166 /* 3167 * We are making executable an anonymous mapping or a 3168 * private file mapping that will also be writable. 3169 * This has an additional check. 3170 */ 3171 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM); 3172 if (rc) 3173 goto error; 3174 } 3175 3176 if (file) { 3177 /* read access is always possible with a mapping */ 3178 u32 av = FILE__READ; 3179 3180 /* write access only matters if the mapping is shared */ 3181 if (shared && (prot & PROT_WRITE)) 3182 av |= FILE__WRITE; 3183 3184 if (prot & PROT_EXEC) 3185 av |= FILE__EXECUTE; 3186 3187 return file_has_perm(cred, file, av); 3188 } 3189 3190 error: 3191 return rc; 3192 } 3193 3194 static int selinux_mmap_addr(unsigned long addr) 3195 { 3196 int rc = 0; 3197 u32 sid = current_sid(); 3198 3199 /* 3200 * notice that we are intentionally putting the SELinux check before 3201 * the secondary cap_file_mmap check. This is such a likely attempt 3202 * at bad behaviour/exploit that we always want to get the AVC, even 3203 * if DAC would have also denied the operation. 3204 */ 3205 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3206 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3207 MEMPROTECT__MMAP_ZERO, NULL); 3208 if (rc) 3209 return rc; 3210 } 3211 3212 /* do DAC check on address space usage */ 3213 return cap_mmap_addr(addr); 3214 } 3215 3216 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3217 unsigned long prot, unsigned long flags) 3218 { 3219 if (selinux_checkreqprot) 3220 prot = reqprot; 3221 3222 return file_map_prot_check(file, prot, 3223 (flags & MAP_TYPE) == MAP_SHARED); 3224 } 3225 3226 static int selinux_file_mprotect(struct vm_area_struct *vma, 3227 unsigned long reqprot, 3228 unsigned long prot) 3229 { 3230 const struct cred *cred = current_cred(); 3231 3232 if (selinux_checkreqprot) 3233 prot = reqprot; 3234 3235 if (default_noexec && 3236 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3237 int rc = 0; 3238 if (vma->vm_start >= vma->vm_mm->start_brk && 3239 vma->vm_end <= vma->vm_mm->brk) { 3240 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP); 3241 } else if (!vma->vm_file && 3242 vma->vm_start <= vma->vm_mm->start_stack && 3243 vma->vm_end >= vma->vm_mm->start_stack) { 3244 rc = current_has_perm(current, PROCESS__EXECSTACK); 3245 } else if (vma->vm_file && vma->anon_vma) { 3246 /* 3247 * We are making executable a file mapping that has 3248 * had some COW done. Since pages might have been 3249 * written, check ability to execute the possibly 3250 * modified content. This typically should only 3251 * occur for text relocations. 3252 */ 3253 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3254 } 3255 if (rc) 3256 return rc; 3257 } 3258 3259 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3260 } 3261 3262 static int selinux_file_lock(struct file *file, unsigned int cmd) 3263 { 3264 const struct cred *cred = current_cred(); 3265 3266 return file_has_perm(cred, file, FILE__LOCK); 3267 } 3268 3269 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3270 unsigned long arg) 3271 { 3272 const struct cred *cred = current_cred(); 3273 int err = 0; 3274 3275 switch (cmd) { 3276 case F_SETFL: 3277 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3278 err = file_has_perm(cred, file, FILE__WRITE); 3279 break; 3280 } 3281 /* fall through */ 3282 case F_SETOWN: 3283 case F_SETSIG: 3284 case F_GETFL: 3285 case F_GETOWN: 3286 case F_GETSIG: 3287 case F_GETOWNER_UIDS: 3288 /* Just check FD__USE permission */ 3289 err = file_has_perm(cred, file, 0); 3290 break; 3291 case F_GETLK: 3292 case F_SETLK: 3293 case F_SETLKW: 3294 #if BITS_PER_LONG == 32 3295 case F_GETLK64: 3296 case F_SETLK64: 3297 case F_SETLKW64: 3298 #endif 3299 err = file_has_perm(cred, file, FILE__LOCK); 3300 break; 3301 } 3302 3303 return err; 3304 } 3305 3306 static int selinux_file_set_fowner(struct file *file) 3307 { 3308 struct file_security_struct *fsec; 3309 3310 fsec = file->f_security; 3311 fsec->fown_sid = current_sid(); 3312 3313 return 0; 3314 } 3315 3316 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3317 struct fown_struct *fown, int signum) 3318 { 3319 struct file *file; 3320 u32 sid = task_sid(tsk); 3321 u32 perm; 3322 struct file_security_struct *fsec; 3323 3324 /* struct fown_struct is never outside the context of a struct file */ 3325 file = container_of(fown, struct file, f_owner); 3326 3327 fsec = file->f_security; 3328 3329 if (!signum) 3330 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3331 else 3332 perm = signal_to_av(signum); 3333 3334 return avc_has_perm(fsec->fown_sid, sid, 3335 SECCLASS_PROCESS, perm, NULL); 3336 } 3337 3338 static int selinux_file_receive(struct file *file) 3339 { 3340 const struct cred *cred = current_cred(); 3341 3342 return file_has_perm(cred, file, file_to_av(file)); 3343 } 3344 3345 static int selinux_file_open(struct file *file, const struct cred *cred) 3346 { 3347 struct file_security_struct *fsec; 3348 struct inode_security_struct *isec; 3349 3350 fsec = file->f_security; 3351 isec = file_inode(file)->i_security; 3352 /* 3353 * Save inode label and policy sequence number 3354 * at open-time so that selinux_file_permission 3355 * can determine whether revalidation is necessary. 3356 * Task label is already saved in the file security 3357 * struct as its SID. 3358 */ 3359 fsec->isid = isec->sid; 3360 fsec->pseqno = avc_policy_seqno(); 3361 /* 3362 * Since the inode label or policy seqno may have changed 3363 * between the selinux_inode_permission check and the saving 3364 * of state above, recheck that access is still permitted. 3365 * Otherwise, access might never be revalidated against the 3366 * new inode label or new policy. 3367 * This check is not redundant - do not remove. 3368 */ 3369 return file_path_has_perm(cred, file, open_file_to_av(file)); 3370 } 3371 3372 /* task security operations */ 3373 3374 static int selinux_task_create(unsigned long clone_flags) 3375 { 3376 return current_has_perm(current, PROCESS__FORK); 3377 } 3378 3379 /* 3380 * allocate the SELinux part of blank credentials 3381 */ 3382 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) 3383 { 3384 struct task_security_struct *tsec; 3385 3386 tsec = kzalloc(sizeof(struct task_security_struct), gfp); 3387 if (!tsec) 3388 return -ENOMEM; 3389 3390 cred->security = tsec; 3391 return 0; 3392 } 3393 3394 /* 3395 * detach and free the LSM part of a set of credentials 3396 */ 3397 static void selinux_cred_free(struct cred *cred) 3398 { 3399 struct task_security_struct *tsec = cred->security; 3400 3401 /* 3402 * cred->security == NULL if security_cred_alloc_blank() or 3403 * security_prepare_creds() returned an error. 3404 */ 3405 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); 3406 cred->security = (void *) 0x7UL; 3407 kfree(tsec); 3408 } 3409 3410 /* 3411 * prepare a new set of credentials for modification 3412 */ 3413 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3414 gfp_t gfp) 3415 { 3416 const struct task_security_struct *old_tsec; 3417 struct task_security_struct *tsec; 3418 3419 old_tsec = old->security; 3420 3421 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); 3422 if (!tsec) 3423 return -ENOMEM; 3424 3425 new->security = tsec; 3426 return 0; 3427 } 3428 3429 /* 3430 * transfer the SELinux data to a blank set of creds 3431 */ 3432 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3433 { 3434 const struct task_security_struct *old_tsec = old->security; 3435 struct task_security_struct *tsec = new->security; 3436 3437 *tsec = *old_tsec; 3438 } 3439 3440 /* 3441 * set the security data for a kernel service 3442 * - all the creation contexts are set to unlabelled 3443 */ 3444 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3445 { 3446 struct task_security_struct *tsec = new->security; 3447 u32 sid = current_sid(); 3448 int ret; 3449 3450 ret = avc_has_perm(sid, secid, 3451 SECCLASS_KERNEL_SERVICE, 3452 KERNEL_SERVICE__USE_AS_OVERRIDE, 3453 NULL); 3454 if (ret == 0) { 3455 tsec->sid = secid; 3456 tsec->create_sid = 0; 3457 tsec->keycreate_sid = 0; 3458 tsec->sockcreate_sid = 0; 3459 } 3460 return ret; 3461 } 3462 3463 /* 3464 * set the file creation context in a security record to the same as the 3465 * objective context of the specified inode 3466 */ 3467 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3468 { 3469 struct inode_security_struct *isec = inode->i_security; 3470 struct task_security_struct *tsec = new->security; 3471 u32 sid = current_sid(); 3472 int ret; 3473 3474 ret = avc_has_perm(sid, isec->sid, 3475 SECCLASS_KERNEL_SERVICE, 3476 KERNEL_SERVICE__CREATE_FILES_AS, 3477 NULL); 3478 3479 if (ret == 0) 3480 tsec->create_sid = isec->sid; 3481 return ret; 3482 } 3483 3484 static int selinux_kernel_module_request(char *kmod_name) 3485 { 3486 u32 sid; 3487 struct common_audit_data ad; 3488 3489 sid = task_sid(current); 3490 3491 ad.type = LSM_AUDIT_DATA_KMOD; 3492 ad.u.kmod_name = kmod_name; 3493 3494 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM, 3495 SYSTEM__MODULE_REQUEST, &ad); 3496 } 3497 3498 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3499 { 3500 return current_has_perm(p, PROCESS__SETPGID); 3501 } 3502 3503 static int selinux_task_getpgid(struct task_struct *p) 3504 { 3505 return current_has_perm(p, PROCESS__GETPGID); 3506 } 3507 3508 static int selinux_task_getsid(struct task_struct *p) 3509 { 3510 return current_has_perm(p, PROCESS__GETSESSION); 3511 } 3512 3513 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3514 { 3515 *secid = task_sid(p); 3516 } 3517 3518 static int selinux_task_setnice(struct task_struct *p, int nice) 3519 { 3520 int rc; 3521 3522 rc = cap_task_setnice(p, nice); 3523 if (rc) 3524 return rc; 3525 3526 return current_has_perm(p, PROCESS__SETSCHED); 3527 } 3528 3529 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3530 { 3531 int rc; 3532 3533 rc = cap_task_setioprio(p, ioprio); 3534 if (rc) 3535 return rc; 3536 3537 return current_has_perm(p, PROCESS__SETSCHED); 3538 } 3539 3540 static int selinux_task_getioprio(struct task_struct *p) 3541 { 3542 return current_has_perm(p, PROCESS__GETSCHED); 3543 } 3544 3545 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 3546 struct rlimit *new_rlim) 3547 { 3548 struct rlimit *old_rlim = p->signal->rlim + resource; 3549 3550 /* Control the ability to change the hard limit (whether 3551 lowering or raising it), so that the hard limit can 3552 later be used as a safe reset point for the soft limit 3553 upon context transitions. See selinux_bprm_committing_creds. */ 3554 if (old_rlim->rlim_max != new_rlim->rlim_max) 3555 return current_has_perm(p, PROCESS__SETRLIMIT); 3556 3557 return 0; 3558 } 3559 3560 static int selinux_task_setscheduler(struct task_struct *p) 3561 { 3562 int rc; 3563 3564 rc = cap_task_setscheduler(p); 3565 if (rc) 3566 return rc; 3567 3568 return current_has_perm(p, PROCESS__SETSCHED); 3569 } 3570 3571 static int selinux_task_getscheduler(struct task_struct *p) 3572 { 3573 return current_has_perm(p, PROCESS__GETSCHED); 3574 } 3575 3576 static int selinux_task_movememory(struct task_struct *p) 3577 { 3578 return current_has_perm(p, PROCESS__SETSCHED); 3579 } 3580 3581 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 3582 int sig, u32 secid) 3583 { 3584 u32 perm; 3585 int rc; 3586 3587 if (!sig) 3588 perm = PROCESS__SIGNULL; /* null signal; existence test */ 3589 else 3590 perm = signal_to_av(sig); 3591 if (secid) 3592 rc = avc_has_perm(secid, task_sid(p), 3593 SECCLASS_PROCESS, perm, NULL); 3594 else 3595 rc = current_has_perm(p, perm); 3596 return rc; 3597 } 3598 3599 static int selinux_task_wait(struct task_struct *p) 3600 { 3601 return task_has_perm(p, current, PROCESS__SIGCHLD); 3602 } 3603 3604 static void selinux_task_to_inode(struct task_struct *p, 3605 struct inode *inode) 3606 { 3607 struct inode_security_struct *isec = inode->i_security; 3608 u32 sid = task_sid(p); 3609 3610 isec->sid = sid; 3611 isec->initialized = 1; 3612 } 3613 3614 /* Returns error only if unable to parse addresses */ 3615 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 3616 struct common_audit_data *ad, u8 *proto) 3617 { 3618 int offset, ihlen, ret = -EINVAL; 3619 struct iphdr _iph, *ih; 3620 3621 offset = skb_network_offset(skb); 3622 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 3623 if (ih == NULL) 3624 goto out; 3625 3626 ihlen = ih->ihl * 4; 3627 if (ihlen < sizeof(_iph)) 3628 goto out; 3629 3630 ad->u.net->v4info.saddr = ih->saddr; 3631 ad->u.net->v4info.daddr = ih->daddr; 3632 ret = 0; 3633 3634 if (proto) 3635 *proto = ih->protocol; 3636 3637 switch (ih->protocol) { 3638 case IPPROTO_TCP: { 3639 struct tcphdr _tcph, *th; 3640 3641 if (ntohs(ih->frag_off) & IP_OFFSET) 3642 break; 3643 3644 offset += ihlen; 3645 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3646 if (th == NULL) 3647 break; 3648 3649 ad->u.net->sport = th->source; 3650 ad->u.net->dport = th->dest; 3651 break; 3652 } 3653 3654 case IPPROTO_UDP: { 3655 struct udphdr _udph, *uh; 3656 3657 if (ntohs(ih->frag_off) & IP_OFFSET) 3658 break; 3659 3660 offset += ihlen; 3661 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3662 if (uh == NULL) 3663 break; 3664 3665 ad->u.net->sport = uh->source; 3666 ad->u.net->dport = uh->dest; 3667 break; 3668 } 3669 3670 case IPPROTO_DCCP: { 3671 struct dccp_hdr _dccph, *dh; 3672 3673 if (ntohs(ih->frag_off) & IP_OFFSET) 3674 break; 3675 3676 offset += ihlen; 3677 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3678 if (dh == NULL) 3679 break; 3680 3681 ad->u.net->sport = dh->dccph_sport; 3682 ad->u.net->dport = dh->dccph_dport; 3683 break; 3684 } 3685 3686 default: 3687 break; 3688 } 3689 out: 3690 return ret; 3691 } 3692 3693 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3694 3695 /* Returns error only if unable to parse addresses */ 3696 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 3697 struct common_audit_data *ad, u8 *proto) 3698 { 3699 u8 nexthdr; 3700 int ret = -EINVAL, offset; 3701 struct ipv6hdr _ipv6h, *ip6; 3702 __be16 frag_off; 3703 3704 offset = skb_network_offset(skb); 3705 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3706 if (ip6 == NULL) 3707 goto out; 3708 3709 ad->u.net->v6info.saddr = ip6->saddr; 3710 ad->u.net->v6info.daddr = ip6->daddr; 3711 ret = 0; 3712 3713 nexthdr = ip6->nexthdr; 3714 offset += sizeof(_ipv6h); 3715 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 3716 if (offset < 0) 3717 goto out; 3718 3719 if (proto) 3720 *proto = nexthdr; 3721 3722 switch (nexthdr) { 3723 case IPPROTO_TCP: { 3724 struct tcphdr _tcph, *th; 3725 3726 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3727 if (th == NULL) 3728 break; 3729 3730 ad->u.net->sport = th->source; 3731 ad->u.net->dport = th->dest; 3732 break; 3733 } 3734 3735 case IPPROTO_UDP: { 3736 struct udphdr _udph, *uh; 3737 3738 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3739 if (uh == NULL) 3740 break; 3741 3742 ad->u.net->sport = uh->source; 3743 ad->u.net->dport = uh->dest; 3744 break; 3745 } 3746 3747 case IPPROTO_DCCP: { 3748 struct dccp_hdr _dccph, *dh; 3749 3750 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3751 if (dh == NULL) 3752 break; 3753 3754 ad->u.net->sport = dh->dccph_sport; 3755 ad->u.net->dport = dh->dccph_dport; 3756 break; 3757 } 3758 3759 /* includes fragments */ 3760 default: 3761 break; 3762 } 3763 out: 3764 return ret; 3765 } 3766 3767 #endif /* IPV6 */ 3768 3769 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 3770 char **_addrp, int src, u8 *proto) 3771 { 3772 char *addrp; 3773 int ret; 3774 3775 switch (ad->u.net->family) { 3776 case PF_INET: 3777 ret = selinux_parse_skb_ipv4(skb, ad, proto); 3778 if (ret) 3779 goto parse_error; 3780 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 3781 &ad->u.net->v4info.daddr); 3782 goto okay; 3783 3784 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3785 case PF_INET6: 3786 ret = selinux_parse_skb_ipv6(skb, ad, proto); 3787 if (ret) 3788 goto parse_error; 3789 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 3790 &ad->u.net->v6info.daddr); 3791 goto okay; 3792 #endif /* IPV6 */ 3793 default: 3794 addrp = NULL; 3795 goto okay; 3796 } 3797 3798 parse_error: 3799 printk(KERN_WARNING 3800 "SELinux: failure in selinux_parse_skb()," 3801 " unable to parse packet\n"); 3802 return ret; 3803 3804 okay: 3805 if (_addrp) 3806 *_addrp = addrp; 3807 return 0; 3808 } 3809 3810 /** 3811 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 3812 * @skb: the packet 3813 * @family: protocol family 3814 * @sid: the packet's peer label SID 3815 * 3816 * Description: 3817 * Check the various different forms of network peer labeling and determine 3818 * the peer label/SID for the packet; most of the magic actually occurs in 3819 * the security server function security_net_peersid_cmp(). The function 3820 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 3821 * or -EACCES if @sid is invalid due to inconsistencies with the different 3822 * peer labels. 3823 * 3824 */ 3825 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 3826 { 3827 int err; 3828 u32 xfrm_sid; 3829 u32 nlbl_sid; 3830 u32 nlbl_type; 3831 3832 err = selinux_skb_xfrm_sid(skb, &xfrm_sid); 3833 if (unlikely(err)) 3834 return -EACCES; 3835 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 3836 if (unlikely(err)) 3837 return -EACCES; 3838 3839 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 3840 if (unlikely(err)) { 3841 printk(KERN_WARNING 3842 "SELinux: failure in selinux_skb_peerlbl_sid()," 3843 " unable to determine packet's peer label\n"); 3844 return -EACCES; 3845 } 3846 3847 return 0; 3848 } 3849 3850 /* socket security operations */ 3851 3852 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 3853 u16 secclass, u32 *socksid) 3854 { 3855 if (tsec->sockcreate_sid > SECSID_NULL) { 3856 *socksid = tsec->sockcreate_sid; 3857 return 0; 3858 } 3859 3860 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL, 3861 socksid); 3862 } 3863 3864 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms) 3865 { 3866 struct sk_security_struct *sksec = sk->sk_security; 3867 struct common_audit_data ad; 3868 struct lsm_network_audit net = {0,}; 3869 u32 tsid = task_sid(task); 3870 3871 if (sksec->sid == SECINITSID_KERNEL) 3872 return 0; 3873 3874 ad.type = LSM_AUDIT_DATA_NET; 3875 ad.u.net = &net; 3876 ad.u.net->sk = sk; 3877 3878 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad); 3879 } 3880 3881 static int selinux_socket_create(int family, int type, 3882 int protocol, int kern) 3883 { 3884 const struct task_security_struct *tsec = current_security(); 3885 u32 newsid; 3886 u16 secclass; 3887 int rc; 3888 3889 if (kern) 3890 return 0; 3891 3892 secclass = socket_type_to_security_class(family, type, protocol); 3893 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 3894 if (rc) 3895 return rc; 3896 3897 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 3898 } 3899 3900 static int selinux_socket_post_create(struct socket *sock, int family, 3901 int type, int protocol, int kern) 3902 { 3903 const struct task_security_struct *tsec = current_security(); 3904 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 3905 struct sk_security_struct *sksec; 3906 int err = 0; 3907 3908 isec->sclass = socket_type_to_security_class(family, type, protocol); 3909 3910 if (kern) 3911 isec->sid = SECINITSID_KERNEL; 3912 else { 3913 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid)); 3914 if (err) 3915 return err; 3916 } 3917 3918 isec->initialized = 1; 3919 3920 if (sock->sk) { 3921 sksec = sock->sk->sk_security; 3922 sksec->sid = isec->sid; 3923 sksec->sclass = isec->sclass; 3924 err = selinux_netlbl_socket_post_create(sock->sk, family); 3925 } 3926 3927 return err; 3928 } 3929 3930 /* Range of port numbers used to automatically bind. 3931 Need to determine whether we should perform a name_bind 3932 permission check between the socket and the port number. */ 3933 3934 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 3935 { 3936 struct sock *sk = sock->sk; 3937 u16 family; 3938 int err; 3939 3940 err = sock_has_perm(current, sk, SOCKET__BIND); 3941 if (err) 3942 goto out; 3943 3944 /* 3945 * If PF_INET or PF_INET6, check name_bind permission for the port. 3946 * Multiple address binding for SCTP is not supported yet: we just 3947 * check the first address now. 3948 */ 3949 family = sk->sk_family; 3950 if (family == PF_INET || family == PF_INET6) { 3951 char *addrp; 3952 struct sk_security_struct *sksec = sk->sk_security; 3953 struct common_audit_data ad; 3954 struct lsm_network_audit net = {0,}; 3955 struct sockaddr_in *addr4 = NULL; 3956 struct sockaddr_in6 *addr6 = NULL; 3957 unsigned short snum; 3958 u32 sid, node_perm; 3959 3960 if (family == PF_INET) { 3961 addr4 = (struct sockaddr_in *)address; 3962 snum = ntohs(addr4->sin_port); 3963 addrp = (char *)&addr4->sin_addr.s_addr; 3964 } else { 3965 addr6 = (struct sockaddr_in6 *)address; 3966 snum = ntohs(addr6->sin6_port); 3967 addrp = (char *)&addr6->sin6_addr.s6_addr; 3968 } 3969 3970 if (snum) { 3971 int low, high; 3972 3973 inet_get_local_port_range(&low, &high); 3974 3975 if (snum < max(PROT_SOCK, low) || snum > high) { 3976 err = sel_netport_sid(sk->sk_protocol, 3977 snum, &sid); 3978 if (err) 3979 goto out; 3980 ad.type = LSM_AUDIT_DATA_NET; 3981 ad.u.net = &net; 3982 ad.u.net->sport = htons(snum); 3983 ad.u.net->family = family; 3984 err = avc_has_perm(sksec->sid, sid, 3985 sksec->sclass, 3986 SOCKET__NAME_BIND, &ad); 3987 if (err) 3988 goto out; 3989 } 3990 } 3991 3992 switch (sksec->sclass) { 3993 case SECCLASS_TCP_SOCKET: 3994 node_perm = TCP_SOCKET__NODE_BIND; 3995 break; 3996 3997 case SECCLASS_UDP_SOCKET: 3998 node_perm = UDP_SOCKET__NODE_BIND; 3999 break; 4000 4001 case SECCLASS_DCCP_SOCKET: 4002 node_perm = DCCP_SOCKET__NODE_BIND; 4003 break; 4004 4005 default: 4006 node_perm = RAWIP_SOCKET__NODE_BIND; 4007 break; 4008 } 4009 4010 err = sel_netnode_sid(addrp, family, &sid); 4011 if (err) 4012 goto out; 4013 4014 ad.type = LSM_AUDIT_DATA_NET; 4015 ad.u.net = &net; 4016 ad.u.net->sport = htons(snum); 4017 ad.u.net->family = family; 4018 4019 if (family == PF_INET) 4020 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4021 else 4022 ad.u.net->v6info.saddr = addr6->sin6_addr; 4023 4024 err = avc_has_perm(sksec->sid, sid, 4025 sksec->sclass, node_perm, &ad); 4026 if (err) 4027 goto out; 4028 } 4029 out: 4030 return err; 4031 } 4032 4033 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 4034 { 4035 struct sock *sk = sock->sk; 4036 struct sk_security_struct *sksec = sk->sk_security; 4037 int err; 4038 4039 err = sock_has_perm(current, sk, SOCKET__CONNECT); 4040 if (err) 4041 return err; 4042 4043 /* 4044 * If a TCP or DCCP socket, check name_connect permission for the port. 4045 */ 4046 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4047 sksec->sclass == SECCLASS_DCCP_SOCKET) { 4048 struct common_audit_data ad; 4049 struct lsm_network_audit net = {0,}; 4050 struct sockaddr_in *addr4 = NULL; 4051 struct sockaddr_in6 *addr6 = NULL; 4052 unsigned short snum; 4053 u32 sid, perm; 4054 4055 if (sk->sk_family == PF_INET) { 4056 addr4 = (struct sockaddr_in *)address; 4057 if (addrlen < sizeof(struct sockaddr_in)) 4058 return -EINVAL; 4059 snum = ntohs(addr4->sin_port); 4060 } else { 4061 addr6 = (struct sockaddr_in6 *)address; 4062 if (addrlen < SIN6_LEN_RFC2133) 4063 return -EINVAL; 4064 snum = ntohs(addr6->sin6_port); 4065 } 4066 4067 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4068 if (err) 4069 goto out; 4070 4071 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ? 4072 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 4073 4074 ad.type = LSM_AUDIT_DATA_NET; 4075 ad.u.net = &net; 4076 ad.u.net->dport = htons(snum); 4077 ad.u.net->family = sk->sk_family; 4078 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 4079 if (err) 4080 goto out; 4081 } 4082 4083 err = selinux_netlbl_socket_connect(sk, address); 4084 4085 out: 4086 return err; 4087 } 4088 4089 static int selinux_socket_listen(struct socket *sock, int backlog) 4090 { 4091 return sock_has_perm(current, sock->sk, SOCKET__LISTEN); 4092 } 4093 4094 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4095 { 4096 int err; 4097 struct inode_security_struct *isec; 4098 struct inode_security_struct *newisec; 4099 4100 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT); 4101 if (err) 4102 return err; 4103 4104 newisec = SOCK_INODE(newsock)->i_security; 4105 4106 isec = SOCK_INODE(sock)->i_security; 4107 newisec->sclass = isec->sclass; 4108 newisec->sid = isec->sid; 4109 newisec->initialized = 1; 4110 4111 return 0; 4112 } 4113 4114 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4115 int size) 4116 { 4117 return sock_has_perm(current, sock->sk, SOCKET__WRITE); 4118 } 4119 4120 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4121 int size, int flags) 4122 { 4123 return sock_has_perm(current, sock->sk, SOCKET__READ); 4124 } 4125 4126 static int selinux_socket_getsockname(struct socket *sock) 4127 { 4128 return sock_has_perm(current, sock->sk, SOCKET__GETATTR); 4129 } 4130 4131 static int selinux_socket_getpeername(struct socket *sock) 4132 { 4133 return sock_has_perm(current, sock->sk, SOCKET__GETATTR); 4134 } 4135 4136 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4137 { 4138 int err; 4139 4140 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT); 4141 if (err) 4142 return err; 4143 4144 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4145 } 4146 4147 static int selinux_socket_getsockopt(struct socket *sock, int level, 4148 int optname) 4149 { 4150 return sock_has_perm(current, sock->sk, SOCKET__GETOPT); 4151 } 4152 4153 static int selinux_socket_shutdown(struct socket *sock, int how) 4154 { 4155 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN); 4156 } 4157 4158 static int selinux_socket_unix_stream_connect(struct sock *sock, 4159 struct sock *other, 4160 struct sock *newsk) 4161 { 4162 struct sk_security_struct *sksec_sock = sock->sk_security; 4163 struct sk_security_struct *sksec_other = other->sk_security; 4164 struct sk_security_struct *sksec_new = newsk->sk_security; 4165 struct common_audit_data ad; 4166 struct lsm_network_audit net = {0,}; 4167 int err; 4168 4169 ad.type = LSM_AUDIT_DATA_NET; 4170 ad.u.net = &net; 4171 ad.u.net->sk = other; 4172 4173 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 4174 sksec_other->sclass, 4175 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4176 if (err) 4177 return err; 4178 4179 /* server child socket */ 4180 sksec_new->peer_sid = sksec_sock->sid; 4181 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid, 4182 &sksec_new->sid); 4183 if (err) 4184 return err; 4185 4186 /* connecting socket */ 4187 sksec_sock->peer_sid = sksec_new->sid; 4188 4189 return 0; 4190 } 4191 4192 static int selinux_socket_unix_may_send(struct socket *sock, 4193 struct socket *other) 4194 { 4195 struct sk_security_struct *ssec = sock->sk->sk_security; 4196 struct sk_security_struct *osec = other->sk->sk_security; 4197 struct common_audit_data ad; 4198 struct lsm_network_audit net = {0,}; 4199 4200 ad.type = LSM_AUDIT_DATA_NET; 4201 ad.u.net = &net; 4202 ad.u.net->sk = other->sk; 4203 4204 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4205 &ad); 4206 } 4207 4208 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, 4209 u32 peer_sid, 4210 struct common_audit_data *ad) 4211 { 4212 int err; 4213 u32 if_sid; 4214 u32 node_sid; 4215 4216 err = sel_netif_sid(ifindex, &if_sid); 4217 if (err) 4218 return err; 4219 err = avc_has_perm(peer_sid, if_sid, 4220 SECCLASS_NETIF, NETIF__INGRESS, ad); 4221 if (err) 4222 return err; 4223 4224 err = sel_netnode_sid(addrp, family, &node_sid); 4225 if (err) 4226 return err; 4227 return avc_has_perm(peer_sid, node_sid, 4228 SECCLASS_NODE, NODE__RECVFROM, ad); 4229 } 4230 4231 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4232 u16 family) 4233 { 4234 int err = 0; 4235 struct sk_security_struct *sksec = sk->sk_security; 4236 u32 sk_sid = sksec->sid; 4237 struct common_audit_data ad; 4238 struct lsm_network_audit net = {0,}; 4239 char *addrp; 4240 4241 ad.type = LSM_AUDIT_DATA_NET; 4242 ad.u.net = &net; 4243 ad.u.net->netif = skb->skb_iif; 4244 ad.u.net->family = family; 4245 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4246 if (err) 4247 return err; 4248 4249 if (selinux_secmark_enabled()) { 4250 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4251 PACKET__RECV, &ad); 4252 if (err) 4253 return err; 4254 } 4255 4256 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4257 if (err) 4258 return err; 4259 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 4260 4261 return err; 4262 } 4263 4264 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4265 { 4266 int err; 4267 struct sk_security_struct *sksec = sk->sk_security; 4268 u16 family = sk->sk_family; 4269 u32 sk_sid = sksec->sid; 4270 struct common_audit_data ad; 4271 struct lsm_network_audit net = {0,}; 4272 char *addrp; 4273 u8 secmark_active; 4274 u8 peerlbl_active; 4275 4276 if (family != PF_INET && family != PF_INET6) 4277 return 0; 4278 4279 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 4280 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4281 family = PF_INET; 4282 4283 /* If any sort of compatibility mode is enabled then handoff processing 4284 * to the selinux_sock_rcv_skb_compat() function to deal with the 4285 * special handling. We do this in an attempt to keep this function 4286 * as fast and as clean as possible. */ 4287 if (!selinux_policycap_netpeer) 4288 return selinux_sock_rcv_skb_compat(sk, skb, family); 4289 4290 secmark_active = selinux_secmark_enabled(); 4291 peerlbl_active = selinux_peerlbl_enabled(); 4292 if (!secmark_active && !peerlbl_active) 4293 return 0; 4294 4295 ad.type = LSM_AUDIT_DATA_NET; 4296 ad.u.net = &net; 4297 ad.u.net->netif = skb->skb_iif; 4298 ad.u.net->family = family; 4299 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4300 if (err) 4301 return err; 4302 4303 if (peerlbl_active) { 4304 u32 peer_sid; 4305 4306 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4307 if (err) 4308 return err; 4309 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family, 4310 peer_sid, &ad); 4311 if (err) { 4312 selinux_netlbl_err(skb, err, 0); 4313 return err; 4314 } 4315 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 4316 PEER__RECV, &ad); 4317 if (err) 4318 selinux_netlbl_err(skb, err, 0); 4319 } 4320 4321 if (secmark_active) { 4322 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4323 PACKET__RECV, &ad); 4324 if (err) 4325 return err; 4326 } 4327 4328 return err; 4329 } 4330 4331 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 4332 int __user *optlen, unsigned len) 4333 { 4334 int err = 0; 4335 char *scontext; 4336 u32 scontext_len; 4337 struct sk_security_struct *sksec = sock->sk->sk_security; 4338 u32 peer_sid = SECSID_NULL; 4339 4340 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 4341 sksec->sclass == SECCLASS_TCP_SOCKET) 4342 peer_sid = sksec->peer_sid; 4343 if (peer_sid == SECSID_NULL) 4344 return -ENOPROTOOPT; 4345 4346 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 4347 if (err) 4348 return err; 4349 4350 if (scontext_len > len) { 4351 err = -ERANGE; 4352 goto out_len; 4353 } 4354 4355 if (copy_to_user(optval, scontext, scontext_len)) 4356 err = -EFAULT; 4357 4358 out_len: 4359 if (put_user(scontext_len, optlen)) 4360 err = -EFAULT; 4361 kfree(scontext); 4362 return err; 4363 } 4364 4365 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 4366 { 4367 u32 peer_secid = SECSID_NULL; 4368 u16 family; 4369 4370 if (skb && skb->protocol == htons(ETH_P_IP)) 4371 family = PF_INET; 4372 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 4373 family = PF_INET6; 4374 else if (sock) 4375 family = sock->sk->sk_family; 4376 else 4377 goto out; 4378 4379 if (sock && family == PF_UNIX) 4380 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid); 4381 else if (skb) 4382 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 4383 4384 out: 4385 *secid = peer_secid; 4386 if (peer_secid == SECSID_NULL) 4387 return -EINVAL; 4388 return 0; 4389 } 4390 4391 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 4392 { 4393 struct sk_security_struct *sksec; 4394 4395 sksec = kzalloc(sizeof(*sksec), priority); 4396 if (!sksec) 4397 return -ENOMEM; 4398 4399 sksec->peer_sid = SECINITSID_UNLABELED; 4400 sksec->sid = SECINITSID_UNLABELED; 4401 selinux_netlbl_sk_security_reset(sksec); 4402 sk->sk_security = sksec; 4403 4404 return 0; 4405 } 4406 4407 static void selinux_sk_free_security(struct sock *sk) 4408 { 4409 struct sk_security_struct *sksec = sk->sk_security; 4410 4411 sk->sk_security = NULL; 4412 selinux_netlbl_sk_security_free(sksec); 4413 kfree(sksec); 4414 } 4415 4416 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 4417 { 4418 struct sk_security_struct *sksec = sk->sk_security; 4419 struct sk_security_struct *newsksec = newsk->sk_security; 4420 4421 newsksec->sid = sksec->sid; 4422 newsksec->peer_sid = sksec->peer_sid; 4423 newsksec->sclass = sksec->sclass; 4424 4425 selinux_netlbl_sk_security_reset(newsksec); 4426 } 4427 4428 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 4429 { 4430 if (!sk) 4431 *secid = SECINITSID_ANY_SOCKET; 4432 else { 4433 struct sk_security_struct *sksec = sk->sk_security; 4434 4435 *secid = sksec->sid; 4436 } 4437 } 4438 4439 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 4440 { 4441 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; 4442 struct sk_security_struct *sksec = sk->sk_security; 4443 4444 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 4445 sk->sk_family == PF_UNIX) 4446 isec->sid = sksec->sid; 4447 sksec->sclass = isec->sclass; 4448 } 4449 4450 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4451 struct request_sock *req) 4452 { 4453 struct sk_security_struct *sksec = sk->sk_security; 4454 int err; 4455 u16 family = sk->sk_family; 4456 u32 newsid; 4457 u32 peersid; 4458 4459 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 4460 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4461 family = PF_INET; 4462 4463 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 4464 if (err) 4465 return err; 4466 if (peersid == SECSID_NULL) { 4467 req->secid = sksec->sid; 4468 req->peer_secid = SECSID_NULL; 4469 } else { 4470 err = security_sid_mls_copy(sksec->sid, peersid, &newsid); 4471 if (err) 4472 return err; 4473 req->secid = newsid; 4474 req->peer_secid = peersid; 4475 } 4476 4477 return selinux_netlbl_inet_conn_request(req, family); 4478 } 4479 4480 static void selinux_inet_csk_clone(struct sock *newsk, 4481 const struct request_sock *req) 4482 { 4483 struct sk_security_struct *newsksec = newsk->sk_security; 4484 4485 newsksec->sid = req->secid; 4486 newsksec->peer_sid = req->peer_secid; 4487 /* NOTE: Ideally, we should also get the isec->sid for the 4488 new socket in sync, but we don't have the isec available yet. 4489 So we will wait until sock_graft to do it, by which 4490 time it will have been created and available. */ 4491 4492 /* We don't need to take any sort of lock here as we are the only 4493 * thread with access to newsksec */ 4494 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 4495 } 4496 4497 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 4498 { 4499 u16 family = sk->sk_family; 4500 struct sk_security_struct *sksec = sk->sk_security; 4501 4502 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 4503 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4504 family = PF_INET; 4505 4506 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 4507 } 4508 4509 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk) 4510 { 4511 skb_set_owner_w(skb, sk); 4512 } 4513 4514 static int selinux_secmark_relabel_packet(u32 sid) 4515 { 4516 const struct task_security_struct *__tsec; 4517 u32 tsid; 4518 4519 __tsec = current_security(); 4520 tsid = __tsec->sid; 4521 4522 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL); 4523 } 4524 4525 static void selinux_secmark_refcount_inc(void) 4526 { 4527 atomic_inc(&selinux_secmark_refcount); 4528 } 4529 4530 static void selinux_secmark_refcount_dec(void) 4531 { 4532 atomic_dec(&selinux_secmark_refcount); 4533 } 4534 4535 static void selinux_req_classify_flow(const struct request_sock *req, 4536 struct flowi *fl) 4537 { 4538 fl->flowi_secid = req->secid; 4539 } 4540 4541 static int selinux_tun_dev_alloc_security(void **security) 4542 { 4543 struct tun_security_struct *tunsec; 4544 4545 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 4546 if (!tunsec) 4547 return -ENOMEM; 4548 tunsec->sid = current_sid(); 4549 4550 *security = tunsec; 4551 return 0; 4552 } 4553 4554 static void selinux_tun_dev_free_security(void *security) 4555 { 4556 kfree(security); 4557 } 4558 4559 static int selinux_tun_dev_create(void) 4560 { 4561 u32 sid = current_sid(); 4562 4563 /* we aren't taking into account the "sockcreate" SID since the socket 4564 * that is being created here is not a socket in the traditional sense, 4565 * instead it is a private sock, accessible only to the kernel, and 4566 * representing a wide range of network traffic spanning multiple 4567 * connections unlike traditional sockets - check the TUN driver to 4568 * get a better understanding of why this socket is special */ 4569 4570 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 4571 NULL); 4572 } 4573 4574 static int selinux_tun_dev_attach_queue(void *security) 4575 { 4576 struct tun_security_struct *tunsec = security; 4577 4578 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 4579 TUN_SOCKET__ATTACH_QUEUE, NULL); 4580 } 4581 4582 static int selinux_tun_dev_attach(struct sock *sk, void *security) 4583 { 4584 struct tun_security_struct *tunsec = security; 4585 struct sk_security_struct *sksec = sk->sk_security; 4586 4587 /* we don't currently perform any NetLabel based labeling here and it 4588 * isn't clear that we would want to do so anyway; while we could apply 4589 * labeling without the support of the TUN user the resulting labeled 4590 * traffic from the other end of the connection would almost certainly 4591 * cause confusion to the TUN user that had no idea network labeling 4592 * protocols were being used */ 4593 4594 sksec->sid = tunsec->sid; 4595 sksec->sclass = SECCLASS_TUN_SOCKET; 4596 4597 return 0; 4598 } 4599 4600 static int selinux_tun_dev_open(void *security) 4601 { 4602 struct tun_security_struct *tunsec = security; 4603 u32 sid = current_sid(); 4604 int err; 4605 4606 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 4607 TUN_SOCKET__RELABELFROM, NULL); 4608 if (err) 4609 return err; 4610 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 4611 TUN_SOCKET__RELABELTO, NULL); 4612 if (err) 4613 return err; 4614 tunsec->sid = sid; 4615 4616 return 0; 4617 } 4618 4619 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 4620 { 4621 int err = 0; 4622 u32 perm; 4623 struct nlmsghdr *nlh; 4624 struct sk_security_struct *sksec = sk->sk_security; 4625 4626 if (skb->len < NLMSG_HDRLEN) { 4627 err = -EINVAL; 4628 goto out; 4629 } 4630 nlh = nlmsg_hdr(skb); 4631 4632 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 4633 if (err) { 4634 if (err == -EINVAL) { 4635 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR, 4636 "SELinux: unrecognized netlink message" 4637 " type=%hu for sclass=%hu\n", 4638 nlh->nlmsg_type, sksec->sclass); 4639 if (!selinux_enforcing || security_get_allow_unknown()) 4640 err = 0; 4641 } 4642 4643 /* Ignore */ 4644 if (err == -ENOENT) 4645 err = 0; 4646 goto out; 4647 } 4648 4649 err = sock_has_perm(current, sk, perm); 4650 out: 4651 return err; 4652 } 4653 4654 #ifdef CONFIG_NETFILTER 4655 4656 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, 4657 u16 family) 4658 { 4659 int err; 4660 char *addrp; 4661 u32 peer_sid; 4662 struct common_audit_data ad; 4663 struct lsm_network_audit net = {0,}; 4664 u8 secmark_active; 4665 u8 netlbl_active; 4666 u8 peerlbl_active; 4667 4668 if (!selinux_policycap_netpeer) 4669 return NF_ACCEPT; 4670 4671 secmark_active = selinux_secmark_enabled(); 4672 netlbl_active = netlbl_enabled(); 4673 peerlbl_active = selinux_peerlbl_enabled(); 4674 if (!secmark_active && !peerlbl_active) 4675 return NF_ACCEPT; 4676 4677 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 4678 return NF_DROP; 4679 4680 ad.type = LSM_AUDIT_DATA_NET; 4681 ad.u.net = &net; 4682 ad.u.net->netif = ifindex; 4683 ad.u.net->family = family; 4684 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 4685 return NF_DROP; 4686 4687 if (peerlbl_active) { 4688 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family, 4689 peer_sid, &ad); 4690 if (err) { 4691 selinux_netlbl_err(skb, err, 1); 4692 return NF_DROP; 4693 } 4694 } 4695 4696 if (secmark_active) 4697 if (avc_has_perm(peer_sid, skb->secmark, 4698 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 4699 return NF_DROP; 4700 4701 if (netlbl_active) 4702 /* we do this in the FORWARD path and not the POST_ROUTING 4703 * path because we want to make sure we apply the necessary 4704 * labeling before IPsec is applied so we can leverage AH 4705 * protection */ 4706 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 4707 return NF_DROP; 4708 4709 return NF_ACCEPT; 4710 } 4711 4712 static unsigned int selinux_ipv4_forward(unsigned int hooknum, 4713 struct sk_buff *skb, 4714 const struct net_device *in, 4715 const struct net_device *out, 4716 int (*okfn)(struct sk_buff *)) 4717 { 4718 return selinux_ip_forward(skb, in->ifindex, PF_INET); 4719 } 4720 4721 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4722 static unsigned int selinux_ipv6_forward(unsigned int hooknum, 4723 struct sk_buff *skb, 4724 const struct net_device *in, 4725 const struct net_device *out, 4726 int (*okfn)(struct sk_buff *)) 4727 { 4728 return selinux_ip_forward(skb, in->ifindex, PF_INET6); 4729 } 4730 #endif /* IPV6 */ 4731 4732 static unsigned int selinux_ip_output(struct sk_buff *skb, 4733 u16 family) 4734 { 4735 struct sock *sk; 4736 u32 sid; 4737 4738 if (!netlbl_enabled()) 4739 return NF_ACCEPT; 4740 4741 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 4742 * because we want to make sure we apply the necessary labeling 4743 * before IPsec is applied so we can leverage AH protection */ 4744 sk = skb->sk; 4745 if (sk) { 4746 struct sk_security_struct *sksec; 4747 4748 if (sk->sk_state == TCP_LISTEN) 4749 /* if the socket is the listening state then this 4750 * packet is a SYN-ACK packet which means it needs to 4751 * be labeled based on the connection/request_sock and 4752 * not the parent socket. unfortunately, we can't 4753 * lookup the request_sock yet as it isn't queued on 4754 * the parent socket until after the SYN-ACK is sent. 4755 * the "solution" is to simply pass the packet as-is 4756 * as any IP option based labeling should be copied 4757 * from the initial connection request (in the IP 4758 * layer). it is far from ideal, but until we get a 4759 * security label in the packet itself this is the 4760 * best we can do. */ 4761 return NF_ACCEPT; 4762 4763 /* standard practice, label using the parent socket */ 4764 sksec = sk->sk_security; 4765 sid = sksec->sid; 4766 } else 4767 sid = SECINITSID_KERNEL; 4768 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 4769 return NF_DROP; 4770 4771 return NF_ACCEPT; 4772 } 4773 4774 static unsigned int selinux_ipv4_output(unsigned int hooknum, 4775 struct sk_buff *skb, 4776 const struct net_device *in, 4777 const struct net_device *out, 4778 int (*okfn)(struct sk_buff *)) 4779 { 4780 return selinux_ip_output(skb, PF_INET); 4781 } 4782 4783 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 4784 int ifindex, 4785 u16 family) 4786 { 4787 struct sock *sk = skb->sk; 4788 struct sk_security_struct *sksec; 4789 struct common_audit_data ad; 4790 struct lsm_network_audit net = {0,}; 4791 char *addrp; 4792 u8 proto; 4793 4794 if (sk == NULL) 4795 return NF_ACCEPT; 4796 sksec = sk->sk_security; 4797 4798 ad.type = LSM_AUDIT_DATA_NET; 4799 ad.u.net = &net; 4800 ad.u.net->netif = ifindex; 4801 ad.u.net->family = family; 4802 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 4803 return NF_DROP; 4804 4805 if (selinux_secmark_enabled()) 4806 if (avc_has_perm(sksec->sid, skb->secmark, 4807 SECCLASS_PACKET, PACKET__SEND, &ad)) 4808 return NF_DROP_ERR(-ECONNREFUSED); 4809 4810 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 4811 return NF_DROP_ERR(-ECONNREFUSED); 4812 4813 return NF_ACCEPT; 4814 } 4815 4816 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, 4817 u16 family) 4818 { 4819 u32 secmark_perm; 4820 u32 peer_sid; 4821 struct sock *sk; 4822 struct common_audit_data ad; 4823 struct lsm_network_audit net = {0,}; 4824 char *addrp; 4825 u8 secmark_active; 4826 u8 peerlbl_active; 4827 4828 /* If any sort of compatibility mode is enabled then handoff processing 4829 * to the selinux_ip_postroute_compat() function to deal with the 4830 * special handling. We do this in an attempt to keep this function 4831 * as fast and as clean as possible. */ 4832 if (!selinux_policycap_netpeer) 4833 return selinux_ip_postroute_compat(skb, ifindex, family); 4834 #ifdef CONFIG_XFRM 4835 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 4836 * packet transformation so allow the packet to pass without any checks 4837 * since we'll have another chance to perform access control checks 4838 * when the packet is on it's final way out. 4839 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 4840 * is NULL, in this case go ahead and apply access control. */ 4841 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL) 4842 return NF_ACCEPT; 4843 #endif 4844 secmark_active = selinux_secmark_enabled(); 4845 peerlbl_active = selinux_peerlbl_enabled(); 4846 if (!secmark_active && !peerlbl_active) 4847 return NF_ACCEPT; 4848 4849 /* if the packet is being forwarded then get the peer label from the 4850 * packet itself; otherwise check to see if it is from a local 4851 * application or the kernel, if from an application get the peer label 4852 * from the sending socket, otherwise use the kernel's sid */ 4853 sk = skb->sk; 4854 if (sk == NULL) { 4855 if (skb->skb_iif) { 4856 secmark_perm = PACKET__FORWARD_OUT; 4857 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 4858 return NF_DROP; 4859 } else { 4860 secmark_perm = PACKET__SEND; 4861 peer_sid = SECINITSID_KERNEL; 4862 } 4863 } else { 4864 struct sk_security_struct *sksec = sk->sk_security; 4865 peer_sid = sksec->sid; 4866 secmark_perm = PACKET__SEND; 4867 } 4868 4869 ad.type = LSM_AUDIT_DATA_NET; 4870 ad.u.net = &net; 4871 ad.u.net->netif = ifindex; 4872 ad.u.net->family = family; 4873 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 4874 return NF_DROP; 4875 4876 if (secmark_active) 4877 if (avc_has_perm(peer_sid, skb->secmark, 4878 SECCLASS_PACKET, secmark_perm, &ad)) 4879 return NF_DROP_ERR(-ECONNREFUSED); 4880 4881 if (peerlbl_active) { 4882 u32 if_sid; 4883 u32 node_sid; 4884 4885 if (sel_netif_sid(ifindex, &if_sid)) 4886 return NF_DROP; 4887 if (avc_has_perm(peer_sid, if_sid, 4888 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 4889 return NF_DROP_ERR(-ECONNREFUSED); 4890 4891 if (sel_netnode_sid(addrp, family, &node_sid)) 4892 return NF_DROP; 4893 if (avc_has_perm(peer_sid, node_sid, 4894 SECCLASS_NODE, NODE__SENDTO, &ad)) 4895 return NF_DROP_ERR(-ECONNREFUSED); 4896 } 4897 4898 return NF_ACCEPT; 4899 } 4900 4901 static unsigned int selinux_ipv4_postroute(unsigned int hooknum, 4902 struct sk_buff *skb, 4903 const struct net_device *in, 4904 const struct net_device *out, 4905 int (*okfn)(struct sk_buff *)) 4906 { 4907 return selinux_ip_postroute(skb, out->ifindex, PF_INET); 4908 } 4909 4910 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4911 static unsigned int selinux_ipv6_postroute(unsigned int hooknum, 4912 struct sk_buff *skb, 4913 const struct net_device *in, 4914 const struct net_device *out, 4915 int (*okfn)(struct sk_buff *)) 4916 { 4917 return selinux_ip_postroute(skb, out->ifindex, PF_INET6); 4918 } 4919 #endif /* IPV6 */ 4920 4921 #endif /* CONFIG_NETFILTER */ 4922 4923 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 4924 { 4925 int err; 4926 4927 err = cap_netlink_send(sk, skb); 4928 if (err) 4929 return err; 4930 4931 return selinux_nlmsg_perm(sk, skb); 4932 } 4933 4934 static int ipc_alloc_security(struct task_struct *task, 4935 struct kern_ipc_perm *perm, 4936 u16 sclass) 4937 { 4938 struct ipc_security_struct *isec; 4939 u32 sid; 4940 4941 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 4942 if (!isec) 4943 return -ENOMEM; 4944 4945 sid = task_sid(task); 4946 isec->sclass = sclass; 4947 isec->sid = sid; 4948 perm->security = isec; 4949 4950 return 0; 4951 } 4952 4953 static void ipc_free_security(struct kern_ipc_perm *perm) 4954 { 4955 struct ipc_security_struct *isec = perm->security; 4956 perm->security = NULL; 4957 kfree(isec); 4958 } 4959 4960 static int msg_msg_alloc_security(struct msg_msg *msg) 4961 { 4962 struct msg_security_struct *msec; 4963 4964 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 4965 if (!msec) 4966 return -ENOMEM; 4967 4968 msec->sid = SECINITSID_UNLABELED; 4969 msg->security = msec; 4970 4971 return 0; 4972 } 4973 4974 static void msg_msg_free_security(struct msg_msg *msg) 4975 { 4976 struct msg_security_struct *msec = msg->security; 4977 4978 msg->security = NULL; 4979 kfree(msec); 4980 } 4981 4982 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 4983 u32 perms) 4984 { 4985 struct ipc_security_struct *isec; 4986 struct common_audit_data ad; 4987 u32 sid = current_sid(); 4988 4989 isec = ipc_perms->security; 4990 4991 ad.type = LSM_AUDIT_DATA_IPC; 4992 ad.u.ipc_id = ipc_perms->key; 4993 4994 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 4995 } 4996 4997 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 4998 { 4999 return msg_msg_alloc_security(msg); 5000 } 5001 5002 static void selinux_msg_msg_free_security(struct msg_msg *msg) 5003 { 5004 msg_msg_free_security(msg); 5005 } 5006 5007 /* message queue security operations */ 5008 static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 5009 { 5010 struct ipc_security_struct *isec; 5011 struct common_audit_data ad; 5012 u32 sid = current_sid(); 5013 int rc; 5014 5015 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ); 5016 if (rc) 5017 return rc; 5018 5019 isec = msq->q_perm.security; 5020 5021 ad.type = LSM_AUDIT_DATA_IPC; 5022 ad.u.ipc_id = msq->q_perm.key; 5023 5024 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5025 MSGQ__CREATE, &ad); 5026 if (rc) { 5027 ipc_free_security(&msq->q_perm); 5028 return rc; 5029 } 5030 return 0; 5031 } 5032 5033 static void selinux_msg_queue_free_security(struct msg_queue *msq) 5034 { 5035 ipc_free_security(&msq->q_perm); 5036 } 5037 5038 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 5039 { 5040 struct ipc_security_struct *isec; 5041 struct common_audit_data ad; 5042 u32 sid = current_sid(); 5043 5044 isec = msq->q_perm.security; 5045 5046 ad.type = LSM_AUDIT_DATA_IPC; 5047 ad.u.ipc_id = msq->q_perm.key; 5048 5049 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5050 MSGQ__ASSOCIATE, &ad); 5051 } 5052 5053 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 5054 { 5055 int err; 5056 int perms; 5057 5058 switch (cmd) { 5059 case IPC_INFO: 5060 case MSG_INFO: 5061 /* No specific object, just general system-wide information. */ 5062 return task_has_system(current, SYSTEM__IPC_INFO); 5063 case IPC_STAT: 5064 case MSG_STAT: 5065 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 5066 break; 5067 case IPC_SET: 5068 perms = MSGQ__SETATTR; 5069 break; 5070 case IPC_RMID: 5071 perms = MSGQ__DESTROY; 5072 break; 5073 default: 5074 return 0; 5075 } 5076 5077 err = ipc_has_perm(&msq->q_perm, perms); 5078 return err; 5079 } 5080 5081 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 5082 { 5083 struct ipc_security_struct *isec; 5084 struct msg_security_struct *msec; 5085 struct common_audit_data ad; 5086 u32 sid = current_sid(); 5087 int rc; 5088 5089 isec = msq->q_perm.security; 5090 msec = msg->security; 5091 5092 /* 5093 * First time through, need to assign label to the message 5094 */ 5095 if (msec->sid == SECINITSID_UNLABELED) { 5096 /* 5097 * Compute new sid based on current process and 5098 * message queue this message will be stored in 5099 */ 5100 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG, 5101 NULL, &msec->sid); 5102 if (rc) 5103 return rc; 5104 } 5105 5106 ad.type = LSM_AUDIT_DATA_IPC; 5107 ad.u.ipc_id = msq->q_perm.key; 5108 5109 /* Can this process write to the queue? */ 5110 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5111 MSGQ__WRITE, &ad); 5112 if (!rc) 5113 /* Can this process send the message */ 5114 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 5115 MSG__SEND, &ad); 5116 if (!rc) 5117 /* Can the message be put in the queue? */ 5118 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 5119 MSGQ__ENQUEUE, &ad); 5120 5121 return rc; 5122 } 5123 5124 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 5125 struct task_struct *target, 5126 long type, int mode) 5127 { 5128 struct ipc_security_struct *isec; 5129 struct msg_security_struct *msec; 5130 struct common_audit_data ad; 5131 u32 sid = task_sid(target); 5132 int rc; 5133 5134 isec = msq->q_perm.security; 5135 msec = msg->security; 5136 5137 ad.type = LSM_AUDIT_DATA_IPC; 5138 ad.u.ipc_id = msq->q_perm.key; 5139 5140 rc = avc_has_perm(sid, isec->sid, 5141 SECCLASS_MSGQ, MSGQ__READ, &ad); 5142 if (!rc) 5143 rc = avc_has_perm(sid, msec->sid, 5144 SECCLASS_MSG, MSG__RECEIVE, &ad); 5145 return rc; 5146 } 5147 5148 /* Shared Memory security operations */ 5149 static int selinux_shm_alloc_security(struct shmid_kernel *shp) 5150 { 5151 struct ipc_security_struct *isec; 5152 struct common_audit_data ad; 5153 u32 sid = current_sid(); 5154 int rc; 5155 5156 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM); 5157 if (rc) 5158 return rc; 5159 5160 isec = shp->shm_perm.security; 5161 5162 ad.type = LSM_AUDIT_DATA_IPC; 5163 ad.u.ipc_id = shp->shm_perm.key; 5164 5165 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5166 SHM__CREATE, &ad); 5167 if (rc) { 5168 ipc_free_security(&shp->shm_perm); 5169 return rc; 5170 } 5171 return 0; 5172 } 5173 5174 static void selinux_shm_free_security(struct shmid_kernel *shp) 5175 { 5176 ipc_free_security(&shp->shm_perm); 5177 } 5178 5179 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 5180 { 5181 struct ipc_security_struct *isec; 5182 struct common_audit_data ad; 5183 u32 sid = current_sid(); 5184 5185 isec = shp->shm_perm.security; 5186 5187 ad.type = LSM_AUDIT_DATA_IPC; 5188 ad.u.ipc_id = shp->shm_perm.key; 5189 5190 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5191 SHM__ASSOCIATE, &ad); 5192 } 5193 5194 /* Note, at this point, shp is locked down */ 5195 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 5196 { 5197 int perms; 5198 int err; 5199 5200 switch (cmd) { 5201 case IPC_INFO: 5202 case SHM_INFO: 5203 /* No specific object, just general system-wide information. */ 5204 return task_has_system(current, SYSTEM__IPC_INFO); 5205 case IPC_STAT: 5206 case SHM_STAT: 5207 perms = SHM__GETATTR | SHM__ASSOCIATE; 5208 break; 5209 case IPC_SET: 5210 perms = SHM__SETATTR; 5211 break; 5212 case SHM_LOCK: 5213 case SHM_UNLOCK: 5214 perms = SHM__LOCK; 5215 break; 5216 case IPC_RMID: 5217 perms = SHM__DESTROY; 5218 break; 5219 default: 5220 return 0; 5221 } 5222 5223 err = ipc_has_perm(&shp->shm_perm, perms); 5224 return err; 5225 } 5226 5227 static int selinux_shm_shmat(struct shmid_kernel *shp, 5228 char __user *shmaddr, int shmflg) 5229 { 5230 u32 perms; 5231 5232 if (shmflg & SHM_RDONLY) 5233 perms = SHM__READ; 5234 else 5235 perms = SHM__READ | SHM__WRITE; 5236 5237 return ipc_has_perm(&shp->shm_perm, perms); 5238 } 5239 5240 /* Semaphore security operations */ 5241 static int selinux_sem_alloc_security(struct sem_array *sma) 5242 { 5243 struct ipc_security_struct *isec; 5244 struct common_audit_data ad; 5245 u32 sid = current_sid(); 5246 int rc; 5247 5248 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM); 5249 if (rc) 5250 return rc; 5251 5252 isec = sma->sem_perm.security; 5253 5254 ad.type = LSM_AUDIT_DATA_IPC; 5255 ad.u.ipc_id = sma->sem_perm.key; 5256 5257 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5258 SEM__CREATE, &ad); 5259 if (rc) { 5260 ipc_free_security(&sma->sem_perm); 5261 return rc; 5262 } 5263 return 0; 5264 } 5265 5266 static void selinux_sem_free_security(struct sem_array *sma) 5267 { 5268 ipc_free_security(&sma->sem_perm); 5269 } 5270 5271 static int selinux_sem_associate(struct sem_array *sma, int semflg) 5272 { 5273 struct ipc_security_struct *isec; 5274 struct common_audit_data ad; 5275 u32 sid = current_sid(); 5276 5277 isec = sma->sem_perm.security; 5278 5279 ad.type = LSM_AUDIT_DATA_IPC; 5280 ad.u.ipc_id = sma->sem_perm.key; 5281 5282 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5283 SEM__ASSOCIATE, &ad); 5284 } 5285 5286 /* Note, at this point, sma is locked down */ 5287 static int selinux_sem_semctl(struct sem_array *sma, int cmd) 5288 { 5289 int err; 5290 u32 perms; 5291 5292 switch (cmd) { 5293 case IPC_INFO: 5294 case SEM_INFO: 5295 /* No specific object, just general system-wide information. */ 5296 return task_has_system(current, SYSTEM__IPC_INFO); 5297 case GETPID: 5298 case GETNCNT: 5299 case GETZCNT: 5300 perms = SEM__GETATTR; 5301 break; 5302 case GETVAL: 5303 case GETALL: 5304 perms = SEM__READ; 5305 break; 5306 case SETVAL: 5307 case SETALL: 5308 perms = SEM__WRITE; 5309 break; 5310 case IPC_RMID: 5311 perms = SEM__DESTROY; 5312 break; 5313 case IPC_SET: 5314 perms = SEM__SETATTR; 5315 break; 5316 case IPC_STAT: 5317 case SEM_STAT: 5318 perms = SEM__GETATTR | SEM__ASSOCIATE; 5319 break; 5320 default: 5321 return 0; 5322 } 5323 5324 err = ipc_has_perm(&sma->sem_perm, perms); 5325 return err; 5326 } 5327 5328 static int selinux_sem_semop(struct sem_array *sma, 5329 struct sembuf *sops, unsigned nsops, int alter) 5330 { 5331 u32 perms; 5332 5333 if (alter) 5334 perms = SEM__READ | SEM__WRITE; 5335 else 5336 perms = SEM__READ; 5337 5338 return ipc_has_perm(&sma->sem_perm, perms); 5339 } 5340 5341 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 5342 { 5343 u32 av = 0; 5344 5345 av = 0; 5346 if (flag & S_IRUGO) 5347 av |= IPC__UNIX_READ; 5348 if (flag & S_IWUGO) 5349 av |= IPC__UNIX_WRITE; 5350 5351 if (av == 0) 5352 return 0; 5353 5354 return ipc_has_perm(ipcp, av); 5355 } 5356 5357 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 5358 { 5359 struct ipc_security_struct *isec = ipcp->security; 5360 *secid = isec->sid; 5361 } 5362 5363 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 5364 { 5365 if (inode) 5366 inode_doinit_with_dentry(inode, dentry); 5367 } 5368 5369 static int selinux_getprocattr(struct task_struct *p, 5370 char *name, char **value) 5371 { 5372 const struct task_security_struct *__tsec; 5373 u32 sid; 5374 int error; 5375 unsigned len; 5376 5377 if (current != p) { 5378 error = current_has_perm(p, PROCESS__GETATTR); 5379 if (error) 5380 return error; 5381 } 5382 5383 rcu_read_lock(); 5384 __tsec = __task_cred(p)->security; 5385 5386 if (!strcmp(name, "current")) 5387 sid = __tsec->sid; 5388 else if (!strcmp(name, "prev")) 5389 sid = __tsec->osid; 5390 else if (!strcmp(name, "exec")) 5391 sid = __tsec->exec_sid; 5392 else if (!strcmp(name, "fscreate")) 5393 sid = __tsec->create_sid; 5394 else if (!strcmp(name, "keycreate")) 5395 sid = __tsec->keycreate_sid; 5396 else if (!strcmp(name, "sockcreate")) 5397 sid = __tsec->sockcreate_sid; 5398 else 5399 goto invalid; 5400 rcu_read_unlock(); 5401 5402 if (!sid) 5403 return 0; 5404 5405 error = security_sid_to_context(sid, value, &len); 5406 if (error) 5407 return error; 5408 return len; 5409 5410 invalid: 5411 rcu_read_unlock(); 5412 return -EINVAL; 5413 } 5414 5415 static int selinux_setprocattr(struct task_struct *p, 5416 char *name, void *value, size_t size) 5417 { 5418 struct task_security_struct *tsec; 5419 struct task_struct *tracer; 5420 struct cred *new; 5421 u32 sid = 0, ptsid; 5422 int error; 5423 char *str = value; 5424 5425 if (current != p) { 5426 /* SELinux only allows a process to change its own 5427 security attributes. */ 5428 return -EACCES; 5429 } 5430 5431 /* 5432 * Basic control over ability to set these attributes at all. 5433 * current == p, but we'll pass them separately in case the 5434 * above restriction is ever removed. 5435 */ 5436 if (!strcmp(name, "exec")) 5437 error = current_has_perm(p, PROCESS__SETEXEC); 5438 else if (!strcmp(name, "fscreate")) 5439 error = current_has_perm(p, PROCESS__SETFSCREATE); 5440 else if (!strcmp(name, "keycreate")) 5441 error = current_has_perm(p, PROCESS__SETKEYCREATE); 5442 else if (!strcmp(name, "sockcreate")) 5443 error = current_has_perm(p, PROCESS__SETSOCKCREATE); 5444 else if (!strcmp(name, "current")) 5445 error = current_has_perm(p, PROCESS__SETCURRENT); 5446 else 5447 error = -EINVAL; 5448 if (error) 5449 return error; 5450 5451 /* Obtain a SID for the context, if one was specified. */ 5452 if (size && str[1] && str[1] != '\n') { 5453 if (str[size-1] == '\n') { 5454 str[size-1] = 0; 5455 size--; 5456 } 5457 error = security_context_to_sid(value, size, &sid); 5458 if (error == -EINVAL && !strcmp(name, "fscreate")) { 5459 if (!capable(CAP_MAC_ADMIN)) { 5460 struct audit_buffer *ab; 5461 size_t audit_size; 5462 5463 /* We strip a nul only if it is at the end, otherwise the 5464 * context contains a nul and we should audit that */ 5465 if (str[size - 1] == '\0') 5466 audit_size = size - 1; 5467 else 5468 audit_size = size; 5469 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 5470 audit_log_format(ab, "op=fscreate invalid_context="); 5471 audit_log_n_untrustedstring(ab, value, audit_size); 5472 audit_log_end(ab); 5473 5474 return error; 5475 } 5476 error = security_context_to_sid_force(value, size, 5477 &sid); 5478 } 5479 if (error) 5480 return error; 5481 } 5482 5483 new = prepare_creds(); 5484 if (!new) 5485 return -ENOMEM; 5486 5487 /* Permission checking based on the specified context is 5488 performed during the actual operation (execve, 5489 open/mkdir/...), when we know the full context of the 5490 operation. See selinux_bprm_set_creds for the execve 5491 checks and may_create for the file creation checks. The 5492 operation will then fail if the context is not permitted. */ 5493 tsec = new->security; 5494 if (!strcmp(name, "exec")) { 5495 tsec->exec_sid = sid; 5496 } else if (!strcmp(name, "fscreate")) { 5497 tsec->create_sid = sid; 5498 } else if (!strcmp(name, "keycreate")) { 5499 error = may_create_key(sid, p); 5500 if (error) 5501 goto abort_change; 5502 tsec->keycreate_sid = sid; 5503 } else if (!strcmp(name, "sockcreate")) { 5504 tsec->sockcreate_sid = sid; 5505 } else if (!strcmp(name, "current")) { 5506 error = -EINVAL; 5507 if (sid == 0) 5508 goto abort_change; 5509 5510 /* Only allow single threaded processes to change context */ 5511 error = -EPERM; 5512 if (!current_is_single_threaded()) { 5513 error = security_bounded_transition(tsec->sid, sid); 5514 if (error) 5515 goto abort_change; 5516 } 5517 5518 /* Check permissions for the transition. */ 5519 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 5520 PROCESS__DYNTRANSITION, NULL); 5521 if (error) 5522 goto abort_change; 5523 5524 /* Check for ptracing, and update the task SID if ok. 5525 Otherwise, leave SID unchanged and fail. */ 5526 ptsid = 0; 5527 task_lock(p); 5528 tracer = ptrace_parent(p); 5529 if (tracer) 5530 ptsid = task_sid(tracer); 5531 task_unlock(p); 5532 5533 if (tracer) { 5534 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 5535 PROCESS__PTRACE, NULL); 5536 if (error) 5537 goto abort_change; 5538 } 5539 5540 tsec->sid = sid; 5541 } else { 5542 error = -EINVAL; 5543 goto abort_change; 5544 } 5545 5546 commit_creds(new); 5547 return size; 5548 5549 abort_change: 5550 abort_creds(new); 5551 return error; 5552 } 5553 5554 static int selinux_ismaclabel(const char *name) 5555 { 5556 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 5557 } 5558 5559 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 5560 { 5561 return security_sid_to_context(secid, secdata, seclen); 5562 } 5563 5564 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 5565 { 5566 return security_context_to_sid(secdata, seclen, secid); 5567 } 5568 5569 static void selinux_release_secctx(char *secdata, u32 seclen) 5570 { 5571 kfree(secdata); 5572 } 5573 5574 /* 5575 * called with inode->i_mutex locked 5576 */ 5577 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 5578 { 5579 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); 5580 } 5581 5582 /* 5583 * called with inode->i_mutex locked 5584 */ 5585 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 5586 { 5587 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 5588 } 5589 5590 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 5591 { 5592 int len = 0; 5593 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 5594 ctx, true); 5595 if (len < 0) 5596 return len; 5597 *ctxlen = len; 5598 return 0; 5599 } 5600 #ifdef CONFIG_KEYS 5601 5602 static int selinux_key_alloc(struct key *k, const struct cred *cred, 5603 unsigned long flags) 5604 { 5605 const struct task_security_struct *tsec; 5606 struct key_security_struct *ksec; 5607 5608 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 5609 if (!ksec) 5610 return -ENOMEM; 5611 5612 tsec = cred->security; 5613 if (tsec->keycreate_sid) 5614 ksec->sid = tsec->keycreate_sid; 5615 else 5616 ksec->sid = tsec->sid; 5617 5618 k->security = ksec; 5619 return 0; 5620 } 5621 5622 static void selinux_key_free(struct key *k) 5623 { 5624 struct key_security_struct *ksec = k->security; 5625 5626 k->security = NULL; 5627 kfree(ksec); 5628 } 5629 5630 static int selinux_key_permission(key_ref_t key_ref, 5631 const struct cred *cred, 5632 key_perm_t perm) 5633 { 5634 struct key *key; 5635 struct key_security_struct *ksec; 5636 u32 sid; 5637 5638 /* if no specific permissions are requested, we skip the 5639 permission check. No serious, additional covert channels 5640 appear to be created. */ 5641 if (perm == 0) 5642 return 0; 5643 5644 sid = cred_sid(cred); 5645 5646 key = key_ref_to_ptr(key_ref); 5647 ksec = key->security; 5648 5649 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 5650 } 5651 5652 static int selinux_key_getsecurity(struct key *key, char **_buffer) 5653 { 5654 struct key_security_struct *ksec = key->security; 5655 char *context = NULL; 5656 unsigned len; 5657 int rc; 5658 5659 rc = security_sid_to_context(ksec->sid, &context, &len); 5660 if (!rc) 5661 rc = len; 5662 *_buffer = context; 5663 return rc; 5664 } 5665 5666 #endif 5667 5668 static struct security_operations selinux_ops = { 5669 .name = "selinux", 5670 5671 .ptrace_access_check = selinux_ptrace_access_check, 5672 .ptrace_traceme = selinux_ptrace_traceme, 5673 .capget = selinux_capget, 5674 .capset = selinux_capset, 5675 .capable = selinux_capable, 5676 .quotactl = selinux_quotactl, 5677 .quota_on = selinux_quota_on, 5678 .syslog = selinux_syslog, 5679 .vm_enough_memory = selinux_vm_enough_memory, 5680 5681 .netlink_send = selinux_netlink_send, 5682 5683 .bprm_set_creds = selinux_bprm_set_creds, 5684 .bprm_committing_creds = selinux_bprm_committing_creds, 5685 .bprm_committed_creds = selinux_bprm_committed_creds, 5686 .bprm_secureexec = selinux_bprm_secureexec, 5687 5688 .sb_alloc_security = selinux_sb_alloc_security, 5689 .sb_free_security = selinux_sb_free_security, 5690 .sb_copy_data = selinux_sb_copy_data, 5691 .sb_remount = selinux_sb_remount, 5692 .sb_kern_mount = selinux_sb_kern_mount, 5693 .sb_show_options = selinux_sb_show_options, 5694 .sb_statfs = selinux_sb_statfs, 5695 .sb_mount = selinux_mount, 5696 .sb_umount = selinux_umount, 5697 .sb_set_mnt_opts = selinux_set_mnt_opts, 5698 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts, 5699 .sb_parse_opts_str = selinux_parse_opts_str, 5700 5701 .dentry_init_security = selinux_dentry_init_security, 5702 5703 .inode_alloc_security = selinux_inode_alloc_security, 5704 .inode_free_security = selinux_inode_free_security, 5705 .inode_init_security = selinux_inode_init_security, 5706 .inode_create = selinux_inode_create, 5707 .inode_link = selinux_inode_link, 5708 .inode_unlink = selinux_inode_unlink, 5709 .inode_symlink = selinux_inode_symlink, 5710 .inode_mkdir = selinux_inode_mkdir, 5711 .inode_rmdir = selinux_inode_rmdir, 5712 .inode_mknod = selinux_inode_mknod, 5713 .inode_rename = selinux_inode_rename, 5714 .inode_readlink = selinux_inode_readlink, 5715 .inode_follow_link = selinux_inode_follow_link, 5716 .inode_permission = selinux_inode_permission, 5717 .inode_setattr = selinux_inode_setattr, 5718 .inode_getattr = selinux_inode_getattr, 5719 .inode_setxattr = selinux_inode_setxattr, 5720 .inode_post_setxattr = selinux_inode_post_setxattr, 5721 .inode_getxattr = selinux_inode_getxattr, 5722 .inode_listxattr = selinux_inode_listxattr, 5723 .inode_removexattr = selinux_inode_removexattr, 5724 .inode_getsecurity = selinux_inode_getsecurity, 5725 .inode_setsecurity = selinux_inode_setsecurity, 5726 .inode_listsecurity = selinux_inode_listsecurity, 5727 .inode_getsecid = selinux_inode_getsecid, 5728 5729 .file_permission = selinux_file_permission, 5730 .file_alloc_security = selinux_file_alloc_security, 5731 .file_free_security = selinux_file_free_security, 5732 .file_ioctl = selinux_file_ioctl, 5733 .mmap_file = selinux_mmap_file, 5734 .mmap_addr = selinux_mmap_addr, 5735 .file_mprotect = selinux_file_mprotect, 5736 .file_lock = selinux_file_lock, 5737 .file_fcntl = selinux_file_fcntl, 5738 .file_set_fowner = selinux_file_set_fowner, 5739 .file_send_sigiotask = selinux_file_send_sigiotask, 5740 .file_receive = selinux_file_receive, 5741 5742 .file_open = selinux_file_open, 5743 5744 .task_create = selinux_task_create, 5745 .cred_alloc_blank = selinux_cred_alloc_blank, 5746 .cred_free = selinux_cred_free, 5747 .cred_prepare = selinux_cred_prepare, 5748 .cred_transfer = selinux_cred_transfer, 5749 .kernel_act_as = selinux_kernel_act_as, 5750 .kernel_create_files_as = selinux_kernel_create_files_as, 5751 .kernel_module_request = selinux_kernel_module_request, 5752 .task_setpgid = selinux_task_setpgid, 5753 .task_getpgid = selinux_task_getpgid, 5754 .task_getsid = selinux_task_getsid, 5755 .task_getsecid = selinux_task_getsecid, 5756 .task_setnice = selinux_task_setnice, 5757 .task_setioprio = selinux_task_setioprio, 5758 .task_getioprio = selinux_task_getioprio, 5759 .task_setrlimit = selinux_task_setrlimit, 5760 .task_setscheduler = selinux_task_setscheduler, 5761 .task_getscheduler = selinux_task_getscheduler, 5762 .task_movememory = selinux_task_movememory, 5763 .task_kill = selinux_task_kill, 5764 .task_wait = selinux_task_wait, 5765 .task_to_inode = selinux_task_to_inode, 5766 5767 .ipc_permission = selinux_ipc_permission, 5768 .ipc_getsecid = selinux_ipc_getsecid, 5769 5770 .msg_msg_alloc_security = selinux_msg_msg_alloc_security, 5771 .msg_msg_free_security = selinux_msg_msg_free_security, 5772 5773 .msg_queue_alloc_security = selinux_msg_queue_alloc_security, 5774 .msg_queue_free_security = selinux_msg_queue_free_security, 5775 .msg_queue_associate = selinux_msg_queue_associate, 5776 .msg_queue_msgctl = selinux_msg_queue_msgctl, 5777 .msg_queue_msgsnd = selinux_msg_queue_msgsnd, 5778 .msg_queue_msgrcv = selinux_msg_queue_msgrcv, 5779 5780 .shm_alloc_security = selinux_shm_alloc_security, 5781 .shm_free_security = selinux_shm_free_security, 5782 .shm_associate = selinux_shm_associate, 5783 .shm_shmctl = selinux_shm_shmctl, 5784 .shm_shmat = selinux_shm_shmat, 5785 5786 .sem_alloc_security = selinux_sem_alloc_security, 5787 .sem_free_security = selinux_sem_free_security, 5788 .sem_associate = selinux_sem_associate, 5789 .sem_semctl = selinux_sem_semctl, 5790 .sem_semop = selinux_sem_semop, 5791 5792 .d_instantiate = selinux_d_instantiate, 5793 5794 .getprocattr = selinux_getprocattr, 5795 .setprocattr = selinux_setprocattr, 5796 5797 .ismaclabel = selinux_ismaclabel, 5798 .secid_to_secctx = selinux_secid_to_secctx, 5799 .secctx_to_secid = selinux_secctx_to_secid, 5800 .release_secctx = selinux_release_secctx, 5801 .inode_notifysecctx = selinux_inode_notifysecctx, 5802 .inode_setsecctx = selinux_inode_setsecctx, 5803 .inode_getsecctx = selinux_inode_getsecctx, 5804 5805 .unix_stream_connect = selinux_socket_unix_stream_connect, 5806 .unix_may_send = selinux_socket_unix_may_send, 5807 5808 .socket_create = selinux_socket_create, 5809 .socket_post_create = selinux_socket_post_create, 5810 .socket_bind = selinux_socket_bind, 5811 .socket_connect = selinux_socket_connect, 5812 .socket_listen = selinux_socket_listen, 5813 .socket_accept = selinux_socket_accept, 5814 .socket_sendmsg = selinux_socket_sendmsg, 5815 .socket_recvmsg = selinux_socket_recvmsg, 5816 .socket_getsockname = selinux_socket_getsockname, 5817 .socket_getpeername = selinux_socket_getpeername, 5818 .socket_getsockopt = selinux_socket_getsockopt, 5819 .socket_setsockopt = selinux_socket_setsockopt, 5820 .socket_shutdown = selinux_socket_shutdown, 5821 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb, 5822 .socket_getpeersec_stream = selinux_socket_getpeersec_stream, 5823 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram, 5824 .sk_alloc_security = selinux_sk_alloc_security, 5825 .sk_free_security = selinux_sk_free_security, 5826 .sk_clone_security = selinux_sk_clone_security, 5827 .sk_getsecid = selinux_sk_getsecid, 5828 .sock_graft = selinux_sock_graft, 5829 .inet_conn_request = selinux_inet_conn_request, 5830 .inet_csk_clone = selinux_inet_csk_clone, 5831 .inet_conn_established = selinux_inet_conn_established, 5832 .secmark_relabel_packet = selinux_secmark_relabel_packet, 5833 .secmark_refcount_inc = selinux_secmark_refcount_inc, 5834 .secmark_refcount_dec = selinux_secmark_refcount_dec, 5835 .req_classify_flow = selinux_req_classify_flow, 5836 .tun_dev_alloc_security = selinux_tun_dev_alloc_security, 5837 .tun_dev_free_security = selinux_tun_dev_free_security, 5838 .tun_dev_create = selinux_tun_dev_create, 5839 .tun_dev_attach_queue = selinux_tun_dev_attach_queue, 5840 .tun_dev_attach = selinux_tun_dev_attach, 5841 .tun_dev_open = selinux_tun_dev_open, 5842 .skb_owned_by = selinux_skb_owned_by, 5843 5844 #ifdef CONFIG_SECURITY_NETWORK_XFRM 5845 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, 5846 .xfrm_policy_clone_security = selinux_xfrm_policy_clone, 5847 .xfrm_policy_free_security = selinux_xfrm_policy_free, 5848 .xfrm_policy_delete_security = selinux_xfrm_policy_delete, 5849 .xfrm_state_alloc = selinux_xfrm_state_alloc, 5850 .xfrm_state_alloc_acquire = selinux_xfrm_state_alloc_acquire, 5851 .xfrm_state_free_security = selinux_xfrm_state_free, 5852 .xfrm_state_delete_security = selinux_xfrm_state_delete, 5853 .xfrm_policy_lookup = selinux_xfrm_policy_lookup, 5854 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match, 5855 .xfrm_decode_session = selinux_xfrm_decode_session, 5856 #endif 5857 5858 #ifdef CONFIG_KEYS 5859 .key_alloc = selinux_key_alloc, 5860 .key_free = selinux_key_free, 5861 .key_permission = selinux_key_permission, 5862 .key_getsecurity = selinux_key_getsecurity, 5863 #endif 5864 5865 #ifdef CONFIG_AUDIT 5866 .audit_rule_init = selinux_audit_rule_init, 5867 .audit_rule_known = selinux_audit_rule_known, 5868 .audit_rule_match = selinux_audit_rule_match, 5869 .audit_rule_free = selinux_audit_rule_free, 5870 #endif 5871 }; 5872 5873 static __init int selinux_init(void) 5874 { 5875 if (!security_module_enable(&selinux_ops)) { 5876 selinux_enabled = 0; 5877 return 0; 5878 } 5879 5880 if (!selinux_enabled) { 5881 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 5882 return 0; 5883 } 5884 5885 printk(KERN_INFO "SELinux: Initializing.\n"); 5886 5887 /* Set the security state for the initial task. */ 5888 cred_init_security(); 5889 5890 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 5891 5892 sel_inode_cache = kmem_cache_create("selinux_inode_security", 5893 sizeof(struct inode_security_struct), 5894 0, SLAB_PANIC, NULL); 5895 avc_init(); 5896 5897 if (register_security(&selinux_ops)) 5898 panic("SELinux: Unable to register with kernel.\n"); 5899 5900 if (selinux_enforcing) 5901 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 5902 else 5903 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 5904 5905 return 0; 5906 } 5907 5908 static void delayed_superblock_init(struct super_block *sb, void *unused) 5909 { 5910 superblock_doinit(sb, NULL); 5911 } 5912 5913 void selinux_complete_init(void) 5914 { 5915 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 5916 5917 /* Set up any superblocks initialized prior to the policy load. */ 5918 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 5919 iterate_supers(delayed_superblock_init, NULL); 5920 } 5921 5922 /* SELinux requires early initialization in order to label 5923 all processes and objects when they are created. */ 5924 security_initcall(selinux_init); 5925 5926 #if defined(CONFIG_NETFILTER) 5927 5928 static struct nf_hook_ops selinux_ipv4_ops[] = { 5929 { 5930 .hook = selinux_ipv4_postroute, 5931 .owner = THIS_MODULE, 5932 .pf = NFPROTO_IPV4, 5933 .hooknum = NF_INET_POST_ROUTING, 5934 .priority = NF_IP_PRI_SELINUX_LAST, 5935 }, 5936 { 5937 .hook = selinux_ipv4_forward, 5938 .owner = THIS_MODULE, 5939 .pf = NFPROTO_IPV4, 5940 .hooknum = NF_INET_FORWARD, 5941 .priority = NF_IP_PRI_SELINUX_FIRST, 5942 }, 5943 { 5944 .hook = selinux_ipv4_output, 5945 .owner = THIS_MODULE, 5946 .pf = NFPROTO_IPV4, 5947 .hooknum = NF_INET_LOCAL_OUT, 5948 .priority = NF_IP_PRI_SELINUX_FIRST, 5949 } 5950 }; 5951 5952 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5953 5954 static struct nf_hook_ops selinux_ipv6_ops[] = { 5955 { 5956 .hook = selinux_ipv6_postroute, 5957 .owner = THIS_MODULE, 5958 .pf = NFPROTO_IPV6, 5959 .hooknum = NF_INET_POST_ROUTING, 5960 .priority = NF_IP6_PRI_SELINUX_LAST, 5961 }, 5962 { 5963 .hook = selinux_ipv6_forward, 5964 .owner = THIS_MODULE, 5965 .pf = NFPROTO_IPV6, 5966 .hooknum = NF_INET_FORWARD, 5967 .priority = NF_IP6_PRI_SELINUX_FIRST, 5968 } 5969 }; 5970 5971 #endif /* IPV6 */ 5972 5973 static int __init selinux_nf_ip_init(void) 5974 { 5975 int err = 0; 5976 5977 if (!selinux_enabled) 5978 goto out; 5979 5980 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 5981 5982 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops)); 5983 if (err) 5984 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err); 5985 5986 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5987 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops)); 5988 if (err) 5989 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err); 5990 #endif /* IPV6 */ 5991 5992 out: 5993 return err; 5994 } 5995 5996 __initcall(selinux_nf_ip_init); 5997 5998 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 5999 static void selinux_nf_ip_exit(void) 6000 { 6001 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 6002 6003 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops)); 6004 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 6005 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops)); 6006 #endif /* IPV6 */ 6007 } 6008 #endif 6009 6010 #else /* CONFIG_NETFILTER */ 6011 6012 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6013 #define selinux_nf_ip_exit() 6014 #endif 6015 6016 #endif /* CONFIG_NETFILTER */ 6017 6018 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6019 static int selinux_disabled; 6020 6021 int selinux_disable(void) 6022 { 6023 if (ss_initialized) { 6024 /* Not permitted after initial policy load. */ 6025 return -EINVAL; 6026 } 6027 6028 if (selinux_disabled) { 6029 /* Only do this once. */ 6030 return -EINVAL; 6031 } 6032 6033 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 6034 6035 selinux_disabled = 1; 6036 selinux_enabled = 0; 6037 6038 reset_security_ops(); 6039 6040 /* Try to destroy the avc node cache */ 6041 avc_disable(); 6042 6043 /* Unregister netfilter hooks. */ 6044 selinux_nf_ip_exit(); 6045 6046 /* Unregister selinuxfs. */ 6047 exit_sel_fs(); 6048 6049 return 0; 6050 } 6051 #endif 6052