1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Eric Paris <eparis@redhat.com> 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 15 * <dgoeddel@trustedcs.com> 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 17 * Paul Moore <paul@paul-moore.com> 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 20 * 21 * This program is free software; you can redistribute it and/or modify 22 * it under the terms of the GNU General Public License version 2, 23 * as published by the Free Software Foundation. 24 */ 25 26 #include <linux/init.h> 27 #include <linux/kd.h> 28 #include <linux/kernel.h> 29 #include <linux/tracehook.h> 30 #include <linux/errno.h> 31 #include <linux/sched.h> 32 #include <linux/lsm_hooks.h> 33 #include <linux/xattr.h> 34 #include <linux/capability.h> 35 #include <linux/unistd.h> 36 #include <linux/mm.h> 37 #include <linux/mman.h> 38 #include <linux/slab.h> 39 #include <linux/pagemap.h> 40 #include <linux/proc_fs.h> 41 #include <linux/swap.h> 42 #include <linux/spinlock.h> 43 #include <linux/syscalls.h> 44 #include <linux/dcache.h> 45 #include <linux/file.h> 46 #include <linux/fdtable.h> 47 #include <linux/namei.h> 48 #include <linux/mount.h> 49 #include <linux/netfilter_ipv4.h> 50 #include <linux/netfilter_ipv6.h> 51 #include <linux/tty.h> 52 #include <net/icmp.h> 53 #include <net/ip.h> /* for local_port_range[] */ 54 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 55 #include <net/inet_connection_sock.h> 56 #include <net/net_namespace.h> 57 #include <net/netlabel.h> 58 #include <linux/uaccess.h> 59 #include <asm/ioctls.h> 60 #include <linux/atomic.h> 61 #include <linux/bitops.h> 62 #include <linux/interrupt.h> 63 #include <linux/netdevice.h> /* for network interface checks */ 64 #include <net/netlink.h> 65 #include <linux/tcp.h> 66 #include <linux/udp.h> 67 #include <linux/dccp.h> 68 #include <linux/quota.h> 69 #include <linux/un.h> /* for Unix socket types */ 70 #include <net/af_unix.h> /* for Unix socket types */ 71 #include <linux/parser.h> 72 #include <linux/nfs_mount.h> 73 #include <net/ipv6.h> 74 #include <linux/hugetlb.h> 75 #include <linux/personality.h> 76 #include <linux/audit.h> 77 #include <linux/string.h> 78 #include <linux/selinux.h> 79 #include <linux/mutex.h> 80 #include <linux/posix-timers.h> 81 #include <linux/syslog.h> 82 #include <linux/user_namespace.h> 83 #include <linux/export.h> 84 #include <linux/msg.h> 85 #include <linux/shm.h> 86 87 #include "avc.h" 88 #include "objsec.h" 89 #include "netif.h" 90 #include "netnode.h" 91 #include "netport.h" 92 #include "xfrm.h" 93 #include "netlabel.h" 94 #include "audit.h" 95 #include "avc_ss.h" 96 97 /* SECMARK reference count */ 98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 99 100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 101 int selinux_enforcing; 102 103 static int __init enforcing_setup(char *str) 104 { 105 unsigned long enforcing; 106 if (!kstrtoul(str, 0, &enforcing)) 107 selinux_enforcing = enforcing ? 1 : 0; 108 return 1; 109 } 110 __setup("enforcing=", enforcing_setup); 111 #endif 112 113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 115 116 static int __init selinux_enabled_setup(char *str) 117 { 118 unsigned long enabled; 119 if (!kstrtoul(str, 0, &enabled)) 120 selinux_enabled = enabled ? 1 : 0; 121 return 1; 122 } 123 __setup("selinux=", selinux_enabled_setup); 124 #else 125 int selinux_enabled = 1; 126 #endif 127 128 static struct kmem_cache *sel_inode_cache; 129 static struct kmem_cache *file_security_cache; 130 131 /** 132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 133 * 134 * Description: 135 * This function checks the SECMARK reference counter to see if any SECMARK 136 * targets are currently configured, if the reference counter is greater than 137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 138 * enabled, false (0) if SECMARK is disabled. If the always_check_network 139 * policy capability is enabled, SECMARK is always considered enabled. 140 * 141 */ 142 static int selinux_secmark_enabled(void) 143 { 144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount)); 145 } 146 147 /** 148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 149 * 150 * Description: 151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 152 * (1) if any are enabled or false (0) if neither are enabled. If the 153 * always_check_network policy capability is enabled, peer labeling 154 * is always considered enabled. 155 * 156 */ 157 static int selinux_peerlbl_enabled(void) 158 { 159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled()); 160 } 161 162 static int selinux_netcache_avc_callback(u32 event) 163 { 164 if (event == AVC_CALLBACK_RESET) { 165 sel_netif_flush(); 166 sel_netnode_flush(); 167 sel_netport_flush(); 168 synchronize_net(); 169 } 170 return 0; 171 } 172 173 /* 174 * initialise the security for the init task 175 */ 176 static void cred_init_security(void) 177 { 178 struct cred *cred = (struct cred *) current->real_cred; 179 struct task_security_struct *tsec; 180 181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 182 if (!tsec) 183 panic("SELinux: Failed to initialize initial task.\n"); 184 185 tsec->osid = tsec->sid = SECINITSID_KERNEL; 186 cred->security = tsec; 187 } 188 189 /* 190 * get the security ID of a set of credentials 191 */ 192 static inline u32 cred_sid(const struct cred *cred) 193 { 194 const struct task_security_struct *tsec; 195 196 tsec = cred->security; 197 return tsec->sid; 198 } 199 200 /* 201 * get the objective security ID of a task 202 */ 203 static inline u32 task_sid(const struct task_struct *task) 204 { 205 u32 sid; 206 207 rcu_read_lock(); 208 sid = cred_sid(__task_cred(task)); 209 rcu_read_unlock(); 210 return sid; 211 } 212 213 /* 214 * get the subjective security ID of the current task 215 */ 216 static inline u32 current_sid(void) 217 { 218 const struct task_security_struct *tsec = current_security(); 219 220 return tsec->sid; 221 } 222 223 /* Allocate and free functions for each kind of security blob. */ 224 225 static int inode_alloc_security(struct inode *inode) 226 { 227 struct inode_security_struct *isec; 228 u32 sid = current_sid(); 229 230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 231 if (!isec) 232 return -ENOMEM; 233 234 mutex_init(&isec->lock); 235 INIT_LIST_HEAD(&isec->list); 236 isec->inode = inode; 237 isec->sid = SECINITSID_UNLABELED; 238 isec->sclass = SECCLASS_FILE; 239 isec->task_sid = sid; 240 inode->i_security = isec; 241 242 return 0; 243 } 244 245 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 246 247 /* 248 * Try reloading inode security labels that have been marked as invalid. The 249 * @may_sleep parameter indicates when sleeping and thus reloading labels is 250 * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is 251 * invalid. The @opt_dentry parameter should be set to a dentry of the inode; 252 * when no dentry is available, set it to NULL instead. 253 */ 254 static int __inode_security_revalidate(struct inode *inode, 255 struct dentry *opt_dentry, 256 bool may_sleep) 257 { 258 struct inode_security_struct *isec = inode->i_security; 259 260 might_sleep_if(may_sleep); 261 262 if (isec->initialized == LABEL_INVALID) { 263 if (!may_sleep) 264 return -ECHILD; 265 266 /* 267 * Try reloading the inode security label. This will fail if 268 * @opt_dentry is NULL and no dentry for this inode can be 269 * found; in that case, continue using the old label. 270 */ 271 inode_doinit_with_dentry(inode, opt_dentry); 272 } 273 return 0; 274 } 275 276 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 277 { 278 return inode->i_security; 279 } 280 281 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 282 { 283 int error; 284 285 error = __inode_security_revalidate(inode, NULL, !rcu); 286 if (error) 287 return ERR_PTR(error); 288 return inode->i_security; 289 } 290 291 /* 292 * Get the security label of an inode. 293 */ 294 static struct inode_security_struct *inode_security(struct inode *inode) 295 { 296 __inode_security_revalidate(inode, NULL, true); 297 return inode->i_security; 298 } 299 300 /* 301 * Get the security label of a dentry's backing inode. 302 */ 303 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 304 { 305 struct inode *inode = d_backing_inode(dentry); 306 307 __inode_security_revalidate(inode, dentry, true); 308 return inode->i_security; 309 } 310 311 static void inode_free_rcu(struct rcu_head *head) 312 { 313 struct inode_security_struct *isec; 314 315 isec = container_of(head, struct inode_security_struct, rcu); 316 kmem_cache_free(sel_inode_cache, isec); 317 } 318 319 static void inode_free_security(struct inode *inode) 320 { 321 struct inode_security_struct *isec = inode->i_security; 322 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 323 324 /* 325 * As not all inode security structures are in a list, we check for 326 * empty list outside of the lock to make sure that we won't waste 327 * time taking a lock doing nothing. 328 * 329 * The list_del_init() function can be safely called more than once. 330 * It should not be possible for this function to be called with 331 * concurrent list_add(), but for better safety against future changes 332 * in the code, we use list_empty_careful() here. 333 */ 334 if (!list_empty_careful(&isec->list)) { 335 spin_lock(&sbsec->isec_lock); 336 list_del_init(&isec->list); 337 spin_unlock(&sbsec->isec_lock); 338 } 339 340 /* 341 * The inode may still be referenced in a path walk and 342 * a call to selinux_inode_permission() can be made 343 * after inode_free_security() is called. Ideally, the VFS 344 * wouldn't do this, but fixing that is a much harder 345 * job. For now, simply free the i_security via RCU, and 346 * leave the current inode->i_security pointer intact. 347 * The inode will be freed after the RCU grace period too. 348 */ 349 call_rcu(&isec->rcu, inode_free_rcu); 350 } 351 352 static int file_alloc_security(struct file *file) 353 { 354 struct file_security_struct *fsec; 355 u32 sid = current_sid(); 356 357 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL); 358 if (!fsec) 359 return -ENOMEM; 360 361 fsec->sid = sid; 362 fsec->fown_sid = sid; 363 file->f_security = fsec; 364 365 return 0; 366 } 367 368 static void file_free_security(struct file *file) 369 { 370 struct file_security_struct *fsec = file->f_security; 371 file->f_security = NULL; 372 kmem_cache_free(file_security_cache, fsec); 373 } 374 375 static int superblock_alloc_security(struct super_block *sb) 376 { 377 struct superblock_security_struct *sbsec; 378 379 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 380 if (!sbsec) 381 return -ENOMEM; 382 383 mutex_init(&sbsec->lock); 384 INIT_LIST_HEAD(&sbsec->isec_head); 385 spin_lock_init(&sbsec->isec_lock); 386 sbsec->sb = sb; 387 sbsec->sid = SECINITSID_UNLABELED; 388 sbsec->def_sid = SECINITSID_FILE; 389 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 390 sb->s_security = sbsec; 391 392 return 0; 393 } 394 395 static void superblock_free_security(struct super_block *sb) 396 { 397 struct superblock_security_struct *sbsec = sb->s_security; 398 sb->s_security = NULL; 399 kfree(sbsec); 400 } 401 402 /* The file system's label must be initialized prior to use. */ 403 404 static const char *labeling_behaviors[7] = { 405 "uses xattr", 406 "uses transition SIDs", 407 "uses task SIDs", 408 "uses genfs_contexts", 409 "not configured for labeling", 410 "uses mountpoint labeling", 411 "uses native labeling", 412 }; 413 414 static inline int inode_doinit(struct inode *inode) 415 { 416 return inode_doinit_with_dentry(inode, NULL); 417 } 418 419 enum { 420 Opt_error = -1, 421 Opt_context = 1, 422 Opt_fscontext = 2, 423 Opt_defcontext = 3, 424 Opt_rootcontext = 4, 425 Opt_labelsupport = 5, 426 Opt_nextmntopt = 6, 427 }; 428 429 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1) 430 431 static const match_table_t tokens = { 432 {Opt_context, CONTEXT_STR "%s"}, 433 {Opt_fscontext, FSCONTEXT_STR "%s"}, 434 {Opt_defcontext, DEFCONTEXT_STR "%s"}, 435 {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, 436 {Opt_labelsupport, LABELSUPP_STR}, 437 {Opt_error, NULL}, 438 }; 439 440 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 441 442 static int may_context_mount_sb_relabel(u32 sid, 443 struct superblock_security_struct *sbsec, 444 const struct cred *cred) 445 { 446 const struct task_security_struct *tsec = cred->security; 447 int rc; 448 449 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 450 FILESYSTEM__RELABELFROM, NULL); 451 if (rc) 452 return rc; 453 454 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 455 FILESYSTEM__RELABELTO, NULL); 456 return rc; 457 } 458 459 static int may_context_mount_inode_relabel(u32 sid, 460 struct superblock_security_struct *sbsec, 461 const struct cred *cred) 462 { 463 const struct task_security_struct *tsec = cred->security; 464 int rc; 465 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 466 FILESYSTEM__RELABELFROM, NULL); 467 if (rc) 468 return rc; 469 470 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 471 FILESYSTEM__ASSOCIATE, NULL); 472 return rc; 473 } 474 475 static int selinux_is_sblabel_mnt(struct super_block *sb) 476 { 477 struct superblock_security_struct *sbsec = sb->s_security; 478 479 return sbsec->behavior == SECURITY_FS_USE_XATTR || 480 sbsec->behavior == SECURITY_FS_USE_TRANS || 481 sbsec->behavior == SECURITY_FS_USE_TASK || 482 sbsec->behavior == SECURITY_FS_USE_NATIVE || 483 /* Special handling. Genfs but also in-core setxattr handler */ 484 !strcmp(sb->s_type->name, "sysfs") || 485 !strcmp(sb->s_type->name, "pstore") || 486 !strcmp(sb->s_type->name, "debugfs") || 487 !strcmp(sb->s_type->name, "rootfs"); 488 } 489 490 static int sb_finish_set_opts(struct super_block *sb) 491 { 492 struct superblock_security_struct *sbsec = sb->s_security; 493 struct dentry *root = sb->s_root; 494 struct inode *root_inode = d_backing_inode(root); 495 int rc = 0; 496 497 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 498 /* Make sure that the xattr handler exists and that no 499 error other than -ENODATA is returned by getxattr on 500 the root directory. -ENODATA is ok, as this may be 501 the first boot of the SELinux kernel before we have 502 assigned xattr values to the filesystem. */ 503 if (!root_inode->i_op->getxattr) { 504 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 505 "xattr support\n", sb->s_id, sb->s_type->name); 506 rc = -EOPNOTSUPP; 507 goto out; 508 } 509 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0); 510 if (rc < 0 && rc != -ENODATA) { 511 if (rc == -EOPNOTSUPP) 512 printk(KERN_WARNING "SELinux: (dev %s, type " 513 "%s) has no security xattr handler\n", 514 sb->s_id, sb->s_type->name); 515 else 516 printk(KERN_WARNING "SELinux: (dev %s, type " 517 "%s) getxattr errno %d\n", sb->s_id, 518 sb->s_type->name, -rc); 519 goto out; 520 } 521 } 522 523 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) 524 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", 525 sb->s_id, sb->s_type->name); 526 527 sbsec->flags |= SE_SBINITIALIZED; 528 if (selinux_is_sblabel_mnt(sb)) 529 sbsec->flags |= SBLABEL_MNT; 530 531 /* Initialize the root inode. */ 532 rc = inode_doinit_with_dentry(root_inode, root); 533 534 /* Initialize any other inodes associated with the superblock, e.g. 535 inodes created prior to initial policy load or inodes created 536 during get_sb by a pseudo filesystem that directly 537 populates itself. */ 538 spin_lock(&sbsec->isec_lock); 539 next_inode: 540 if (!list_empty(&sbsec->isec_head)) { 541 struct inode_security_struct *isec = 542 list_entry(sbsec->isec_head.next, 543 struct inode_security_struct, list); 544 struct inode *inode = isec->inode; 545 list_del_init(&isec->list); 546 spin_unlock(&sbsec->isec_lock); 547 inode = igrab(inode); 548 if (inode) { 549 if (!IS_PRIVATE(inode)) 550 inode_doinit(inode); 551 iput(inode); 552 } 553 spin_lock(&sbsec->isec_lock); 554 goto next_inode; 555 } 556 spin_unlock(&sbsec->isec_lock); 557 out: 558 return rc; 559 } 560 561 /* 562 * This function should allow an FS to ask what it's mount security 563 * options were so it can use those later for submounts, displaying 564 * mount options, or whatever. 565 */ 566 static int selinux_get_mnt_opts(const struct super_block *sb, 567 struct security_mnt_opts *opts) 568 { 569 int rc = 0, i; 570 struct superblock_security_struct *sbsec = sb->s_security; 571 char *context = NULL; 572 u32 len; 573 char tmp; 574 575 security_init_mnt_opts(opts); 576 577 if (!(sbsec->flags & SE_SBINITIALIZED)) 578 return -EINVAL; 579 580 if (!ss_initialized) 581 return -EINVAL; 582 583 /* make sure we always check enough bits to cover the mask */ 584 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS)); 585 586 tmp = sbsec->flags & SE_MNTMASK; 587 /* count the number of mount options for this sb */ 588 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) { 589 if (tmp & 0x01) 590 opts->num_mnt_opts++; 591 tmp >>= 1; 592 } 593 /* Check if the Label support flag is set */ 594 if (sbsec->flags & SBLABEL_MNT) 595 opts->num_mnt_opts++; 596 597 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 598 if (!opts->mnt_opts) { 599 rc = -ENOMEM; 600 goto out_free; 601 } 602 603 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); 604 if (!opts->mnt_opts_flags) { 605 rc = -ENOMEM; 606 goto out_free; 607 } 608 609 i = 0; 610 if (sbsec->flags & FSCONTEXT_MNT) { 611 rc = security_sid_to_context(sbsec->sid, &context, &len); 612 if (rc) 613 goto out_free; 614 opts->mnt_opts[i] = context; 615 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 616 } 617 if (sbsec->flags & CONTEXT_MNT) { 618 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); 619 if (rc) 620 goto out_free; 621 opts->mnt_opts[i] = context; 622 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 623 } 624 if (sbsec->flags & DEFCONTEXT_MNT) { 625 rc = security_sid_to_context(sbsec->def_sid, &context, &len); 626 if (rc) 627 goto out_free; 628 opts->mnt_opts[i] = context; 629 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 630 } 631 if (sbsec->flags & ROOTCONTEXT_MNT) { 632 struct dentry *root = sbsec->sb->s_root; 633 struct inode_security_struct *isec = backing_inode_security(root); 634 635 rc = security_sid_to_context(isec->sid, &context, &len); 636 if (rc) 637 goto out_free; 638 opts->mnt_opts[i] = context; 639 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 640 } 641 if (sbsec->flags & SBLABEL_MNT) { 642 opts->mnt_opts[i] = NULL; 643 opts->mnt_opts_flags[i++] = SBLABEL_MNT; 644 } 645 646 BUG_ON(i != opts->num_mnt_opts); 647 648 return 0; 649 650 out_free: 651 security_free_mnt_opts(opts); 652 return rc; 653 } 654 655 static int bad_option(struct superblock_security_struct *sbsec, char flag, 656 u32 old_sid, u32 new_sid) 657 { 658 char mnt_flags = sbsec->flags & SE_MNTMASK; 659 660 /* check if the old mount command had the same options */ 661 if (sbsec->flags & SE_SBINITIALIZED) 662 if (!(sbsec->flags & flag) || 663 (old_sid != new_sid)) 664 return 1; 665 666 /* check if we were passed the same options twice, 667 * aka someone passed context=a,context=b 668 */ 669 if (!(sbsec->flags & SE_SBINITIALIZED)) 670 if (mnt_flags & flag) 671 return 1; 672 return 0; 673 } 674 675 /* 676 * Allow filesystems with binary mount data to explicitly set mount point 677 * labeling information. 678 */ 679 static int selinux_set_mnt_opts(struct super_block *sb, 680 struct security_mnt_opts *opts, 681 unsigned long kern_flags, 682 unsigned long *set_kern_flags) 683 { 684 const struct cred *cred = current_cred(); 685 int rc = 0, i; 686 struct superblock_security_struct *sbsec = sb->s_security; 687 const char *name = sb->s_type->name; 688 struct dentry *root = sbsec->sb->s_root; 689 struct inode_security_struct *root_isec = backing_inode_security(root); 690 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 691 u32 defcontext_sid = 0; 692 char **mount_options = opts->mnt_opts; 693 int *flags = opts->mnt_opts_flags; 694 int num_opts = opts->num_mnt_opts; 695 696 mutex_lock(&sbsec->lock); 697 698 if (!ss_initialized) { 699 if (!num_opts) { 700 /* Defer initialization until selinux_complete_init, 701 after the initial policy is loaded and the security 702 server is ready to handle calls. */ 703 goto out; 704 } 705 rc = -EINVAL; 706 printk(KERN_WARNING "SELinux: Unable to set superblock options " 707 "before the security server is initialized\n"); 708 goto out; 709 } 710 if (kern_flags && !set_kern_flags) { 711 /* Specifying internal flags without providing a place to 712 * place the results is not allowed */ 713 rc = -EINVAL; 714 goto out; 715 } 716 717 /* 718 * Binary mount data FS will come through this function twice. Once 719 * from an explicit call and once from the generic calls from the vfs. 720 * Since the generic VFS calls will not contain any security mount data 721 * we need to skip the double mount verification. 722 * 723 * This does open a hole in which we will not notice if the first 724 * mount using this sb set explict options and a second mount using 725 * this sb does not set any security options. (The first options 726 * will be used for both mounts) 727 */ 728 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 729 && (num_opts == 0)) 730 goto out; 731 732 /* 733 * parse the mount options, check if they are valid sids. 734 * also check if someone is trying to mount the same sb more 735 * than once with different security options. 736 */ 737 for (i = 0; i < num_opts; i++) { 738 u32 sid; 739 740 if (flags[i] == SBLABEL_MNT) 741 continue; 742 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 743 if (rc) { 744 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 745 "(%s) failed for (dev %s, type %s) errno=%d\n", 746 mount_options[i], sb->s_id, name, rc); 747 goto out; 748 } 749 switch (flags[i]) { 750 case FSCONTEXT_MNT: 751 fscontext_sid = sid; 752 753 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 754 fscontext_sid)) 755 goto out_double_mount; 756 757 sbsec->flags |= FSCONTEXT_MNT; 758 break; 759 case CONTEXT_MNT: 760 context_sid = sid; 761 762 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 763 context_sid)) 764 goto out_double_mount; 765 766 sbsec->flags |= CONTEXT_MNT; 767 break; 768 case ROOTCONTEXT_MNT: 769 rootcontext_sid = sid; 770 771 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 772 rootcontext_sid)) 773 goto out_double_mount; 774 775 sbsec->flags |= ROOTCONTEXT_MNT; 776 777 break; 778 case DEFCONTEXT_MNT: 779 defcontext_sid = sid; 780 781 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 782 defcontext_sid)) 783 goto out_double_mount; 784 785 sbsec->flags |= DEFCONTEXT_MNT; 786 787 break; 788 default: 789 rc = -EINVAL; 790 goto out; 791 } 792 } 793 794 if (sbsec->flags & SE_SBINITIALIZED) { 795 /* previously mounted with options, but not on this attempt? */ 796 if ((sbsec->flags & SE_MNTMASK) && !num_opts) 797 goto out_double_mount; 798 rc = 0; 799 goto out; 800 } 801 802 if (strcmp(sb->s_type->name, "proc") == 0) 803 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 804 805 if (!strcmp(sb->s_type->name, "debugfs") || 806 !strcmp(sb->s_type->name, "sysfs") || 807 !strcmp(sb->s_type->name, "pstore")) 808 sbsec->flags |= SE_SBGENFS; 809 810 if (!sbsec->behavior) { 811 /* 812 * Determine the labeling behavior to use for this 813 * filesystem type. 814 */ 815 rc = security_fs_use(sb); 816 if (rc) { 817 printk(KERN_WARNING 818 "%s: security_fs_use(%s) returned %d\n", 819 __func__, sb->s_type->name, rc); 820 goto out; 821 } 822 } 823 /* sets the context of the superblock for the fs being mounted. */ 824 if (fscontext_sid) { 825 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 826 if (rc) 827 goto out; 828 829 sbsec->sid = fscontext_sid; 830 } 831 832 /* 833 * Switch to using mount point labeling behavior. 834 * sets the label used on all file below the mountpoint, and will set 835 * the superblock context if not already set. 836 */ 837 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 838 sbsec->behavior = SECURITY_FS_USE_NATIVE; 839 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 840 } 841 842 if (context_sid) { 843 if (!fscontext_sid) { 844 rc = may_context_mount_sb_relabel(context_sid, sbsec, 845 cred); 846 if (rc) 847 goto out; 848 sbsec->sid = context_sid; 849 } else { 850 rc = may_context_mount_inode_relabel(context_sid, sbsec, 851 cred); 852 if (rc) 853 goto out; 854 } 855 if (!rootcontext_sid) 856 rootcontext_sid = context_sid; 857 858 sbsec->mntpoint_sid = context_sid; 859 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 860 } 861 862 if (rootcontext_sid) { 863 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 864 cred); 865 if (rc) 866 goto out; 867 868 root_isec->sid = rootcontext_sid; 869 root_isec->initialized = LABEL_INITIALIZED; 870 } 871 872 if (defcontext_sid) { 873 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 874 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 875 rc = -EINVAL; 876 printk(KERN_WARNING "SELinux: defcontext option is " 877 "invalid for this filesystem type\n"); 878 goto out; 879 } 880 881 if (defcontext_sid != sbsec->def_sid) { 882 rc = may_context_mount_inode_relabel(defcontext_sid, 883 sbsec, cred); 884 if (rc) 885 goto out; 886 } 887 888 sbsec->def_sid = defcontext_sid; 889 } 890 891 rc = sb_finish_set_opts(sb); 892 out: 893 mutex_unlock(&sbsec->lock); 894 return rc; 895 out_double_mount: 896 rc = -EINVAL; 897 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 898 "security settings for (dev %s, type %s)\n", sb->s_id, name); 899 goto out; 900 } 901 902 static int selinux_cmp_sb_context(const struct super_block *oldsb, 903 const struct super_block *newsb) 904 { 905 struct superblock_security_struct *old = oldsb->s_security; 906 struct superblock_security_struct *new = newsb->s_security; 907 char oldflags = old->flags & SE_MNTMASK; 908 char newflags = new->flags & SE_MNTMASK; 909 910 if (oldflags != newflags) 911 goto mismatch; 912 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 913 goto mismatch; 914 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 915 goto mismatch; 916 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 917 goto mismatch; 918 if (oldflags & ROOTCONTEXT_MNT) { 919 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 920 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 921 if (oldroot->sid != newroot->sid) 922 goto mismatch; 923 } 924 return 0; 925 mismatch: 926 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, " 927 "different security settings for (dev %s, " 928 "type %s)\n", newsb->s_id, newsb->s_type->name); 929 return -EBUSY; 930 } 931 932 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 933 struct super_block *newsb) 934 { 935 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 936 struct superblock_security_struct *newsbsec = newsb->s_security; 937 938 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 939 int set_context = (oldsbsec->flags & CONTEXT_MNT); 940 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 941 942 /* 943 * if the parent was able to be mounted it clearly had no special lsm 944 * mount options. thus we can safely deal with this superblock later 945 */ 946 if (!ss_initialized) 947 return 0; 948 949 /* how can we clone if the old one wasn't set up?? */ 950 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 951 952 /* if fs is reusing a sb, make sure that the contexts match */ 953 if (newsbsec->flags & SE_SBINITIALIZED) 954 return selinux_cmp_sb_context(oldsb, newsb); 955 956 mutex_lock(&newsbsec->lock); 957 958 newsbsec->flags = oldsbsec->flags; 959 960 newsbsec->sid = oldsbsec->sid; 961 newsbsec->def_sid = oldsbsec->def_sid; 962 newsbsec->behavior = oldsbsec->behavior; 963 964 if (set_context) { 965 u32 sid = oldsbsec->mntpoint_sid; 966 967 if (!set_fscontext) 968 newsbsec->sid = sid; 969 if (!set_rootcontext) { 970 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 971 newisec->sid = sid; 972 } 973 newsbsec->mntpoint_sid = sid; 974 } 975 if (set_rootcontext) { 976 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 977 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 978 979 newisec->sid = oldisec->sid; 980 } 981 982 sb_finish_set_opts(newsb); 983 mutex_unlock(&newsbsec->lock); 984 return 0; 985 } 986 987 static int selinux_parse_opts_str(char *options, 988 struct security_mnt_opts *opts) 989 { 990 char *p; 991 char *context = NULL, *defcontext = NULL; 992 char *fscontext = NULL, *rootcontext = NULL; 993 int rc, num_mnt_opts = 0; 994 995 opts->num_mnt_opts = 0; 996 997 /* Standard string-based options. */ 998 while ((p = strsep(&options, "|")) != NULL) { 999 int token; 1000 substring_t args[MAX_OPT_ARGS]; 1001 1002 if (!*p) 1003 continue; 1004 1005 token = match_token(p, tokens, args); 1006 1007 switch (token) { 1008 case Opt_context: 1009 if (context || defcontext) { 1010 rc = -EINVAL; 1011 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1012 goto out_err; 1013 } 1014 context = match_strdup(&args[0]); 1015 if (!context) { 1016 rc = -ENOMEM; 1017 goto out_err; 1018 } 1019 break; 1020 1021 case Opt_fscontext: 1022 if (fscontext) { 1023 rc = -EINVAL; 1024 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1025 goto out_err; 1026 } 1027 fscontext = match_strdup(&args[0]); 1028 if (!fscontext) { 1029 rc = -ENOMEM; 1030 goto out_err; 1031 } 1032 break; 1033 1034 case Opt_rootcontext: 1035 if (rootcontext) { 1036 rc = -EINVAL; 1037 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1038 goto out_err; 1039 } 1040 rootcontext = match_strdup(&args[0]); 1041 if (!rootcontext) { 1042 rc = -ENOMEM; 1043 goto out_err; 1044 } 1045 break; 1046 1047 case Opt_defcontext: 1048 if (context || defcontext) { 1049 rc = -EINVAL; 1050 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1051 goto out_err; 1052 } 1053 defcontext = match_strdup(&args[0]); 1054 if (!defcontext) { 1055 rc = -ENOMEM; 1056 goto out_err; 1057 } 1058 break; 1059 case Opt_labelsupport: 1060 break; 1061 default: 1062 rc = -EINVAL; 1063 printk(KERN_WARNING "SELinux: unknown mount option\n"); 1064 goto out_err; 1065 1066 } 1067 } 1068 1069 rc = -ENOMEM; 1070 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC); 1071 if (!opts->mnt_opts) 1072 goto out_err; 1073 1074 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC); 1075 if (!opts->mnt_opts_flags) { 1076 kfree(opts->mnt_opts); 1077 goto out_err; 1078 } 1079 1080 if (fscontext) { 1081 opts->mnt_opts[num_mnt_opts] = fscontext; 1082 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 1083 } 1084 if (context) { 1085 opts->mnt_opts[num_mnt_opts] = context; 1086 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 1087 } 1088 if (rootcontext) { 1089 opts->mnt_opts[num_mnt_opts] = rootcontext; 1090 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 1091 } 1092 if (defcontext) { 1093 opts->mnt_opts[num_mnt_opts] = defcontext; 1094 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 1095 } 1096 1097 opts->num_mnt_opts = num_mnt_opts; 1098 return 0; 1099 1100 out_err: 1101 kfree(context); 1102 kfree(defcontext); 1103 kfree(fscontext); 1104 kfree(rootcontext); 1105 return rc; 1106 } 1107 /* 1108 * string mount options parsing and call set the sbsec 1109 */ 1110 static int superblock_doinit(struct super_block *sb, void *data) 1111 { 1112 int rc = 0; 1113 char *options = data; 1114 struct security_mnt_opts opts; 1115 1116 security_init_mnt_opts(&opts); 1117 1118 if (!data) 1119 goto out; 1120 1121 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); 1122 1123 rc = selinux_parse_opts_str(options, &opts); 1124 if (rc) 1125 goto out_err; 1126 1127 out: 1128 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL); 1129 1130 out_err: 1131 security_free_mnt_opts(&opts); 1132 return rc; 1133 } 1134 1135 static void selinux_write_opts(struct seq_file *m, 1136 struct security_mnt_opts *opts) 1137 { 1138 int i; 1139 char *prefix; 1140 1141 for (i = 0; i < opts->num_mnt_opts; i++) { 1142 char *has_comma; 1143 1144 if (opts->mnt_opts[i]) 1145 has_comma = strchr(opts->mnt_opts[i], ','); 1146 else 1147 has_comma = NULL; 1148 1149 switch (opts->mnt_opts_flags[i]) { 1150 case CONTEXT_MNT: 1151 prefix = CONTEXT_STR; 1152 break; 1153 case FSCONTEXT_MNT: 1154 prefix = FSCONTEXT_STR; 1155 break; 1156 case ROOTCONTEXT_MNT: 1157 prefix = ROOTCONTEXT_STR; 1158 break; 1159 case DEFCONTEXT_MNT: 1160 prefix = DEFCONTEXT_STR; 1161 break; 1162 case SBLABEL_MNT: 1163 seq_putc(m, ','); 1164 seq_puts(m, LABELSUPP_STR); 1165 continue; 1166 default: 1167 BUG(); 1168 return; 1169 }; 1170 /* we need a comma before each option */ 1171 seq_putc(m, ','); 1172 seq_puts(m, prefix); 1173 if (has_comma) 1174 seq_putc(m, '\"'); 1175 seq_escape(m, opts->mnt_opts[i], "\"\n\\"); 1176 if (has_comma) 1177 seq_putc(m, '\"'); 1178 } 1179 } 1180 1181 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1182 { 1183 struct security_mnt_opts opts; 1184 int rc; 1185 1186 rc = selinux_get_mnt_opts(sb, &opts); 1187 if (rc) { 1188 /* before policy load we may get EINVAL, don't show anything */ 1189 if (rc == -EINVAL) 1190 rc = 0; 1191 return rc; 1192 } 1193 1194 selinux_write_opts(m, &opts); 1195 1196 security_free_mnt_opts(&opts); 1197 1198 return rc; 1199 } 1200 1201 static inline u16 inode_mode_to_security_class(umode_t mode) 1202 { 1203 switch (mode & S_IFMT) { 1204 case S_IFSOCK: 1205 return SECCLASS_SOCK_FILE; 1206 case S_IFLNK: 1207 return SECCLASS_LNK_FILE; 1208 case S_IFREG: 1209 return SECCLASS_FILE; 1210 case S_IFBLK: 1211 return SECCLASS_BLK_FILE; 1212 case S_IFDIR: 1213 return SECCLASS_DIR; 1214 case S_IFCHR: 1215 return SECCLASS_CHR_FILE; 1216 case S_IFIFO: 1217 return SECCLASS_FIFO_FILE; 1218 1219 } 1220 1221 return SECCLASS_FILE; 1222 } 1223 1224 static inline int default_protocol_stream(int protocol) 1225 { 1226 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1227 } 1228 1229 static inline int default_protocol_dgram(int protocol) 1230 { 1231 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1232 } 1233 1234 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1235 { 1236 switch (family) { 1237 case PF_UNIX: 1238 switch (type) { 1239 case SOCK_STREAM: 1240 case SOCK_SEQPACKET: 1241 return SECCLASS_UNIX_STREAM_SOCKET; 1242 case SOCK_DGRAM: 1243 return SECCLASS_UNIX_DGRAM_SOCKET; 1244 } 1245 break; 1246 case PF_INET: 1247 case PF_INET6: 1248 switch (type) { 1249 case SOCK_STREAM: 1250 if (default_protocol_stream(protocol)) 1251 return SECCLASS_TCP_SOCKET; 1252 else 1253 return SECCLASS_RAWIP_SOCKET; 1254 case SOCK_DGRAM: 1255 if (default_protocol_dgram(protocol)) 1256 return SECCLASS_UDP_SOCKET; 1257 else 1258 return SECCLASS_RAWIP_SOCKET; 1259 case SOCK_DCCP: 1260 return SECCLASS_DCCP_SOCKET; 1261 default: 1262 return SECCLASS_RAWIP_SOCKET; 1263 } 1264 break; 1265 case PF_NETLINK: 1266 switch (protocol) { 1267 case NETLINK_ROUTE: 1268 return SECCLASS_NETLINK_ROUTE_SOCKET; 1269 case NETLINK_SOCK_DIAG: 1270 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1271 case NETLINK_NFLOG: 1272 return SECCLASS_NETLINK_NFLOG_SOCKET; 1273 case NETLINK_XFRM: 1274 return SECCLASS_NETLINK_XFRM_SOCKET; 1275 case NETLINK_SELINUX: 1276 return SECCLASS_NETLINK_SELINUX_SOCKET; 1277 case NETLINK_ISCSI: 1278 return SECCLASS_NETLINK_ISCSI_SOCKET; 1279 case NETLINK_AUDIT: 1280 return SECCLASS_NETLINK_AUDIT_SOCKET; 1281 case NETLINK_FIB_LOOKUP: 1282 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1283 case NETLINK_CONNECTOR: 1284 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1285 case NETLINK_NETFILTER: 1286 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1287 case NETLINK_DNRTMSG: 1288 return SECCLASS_NETLINK_DNRT_SOCKET; 1289 case NETLINK_KOBJECT_UEVENT: 1290 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1291 case NETLINK_GENERIC: 1292 return SECCLASS_NETLINK_GENERIC_SOCKET; 1293 case NETLINK_SCSITRANSPORT: 1294 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1295 case NETLINK_RDMA: 1296 return SECCLASS_NETLINK_RDMA_SOCKET; 1297 case NETLINK_CRYPTO: 1298 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1299 default: 1300 return SECCLASS_NETLINK_SOCKET; 1301 } 1302 case PF_PACKET: 1303 return SECCLASS_PACKET_SOCKET; 1304 case PF_KEY: 1305 return SECCLASS_KEY_SOCKET; 1306 case PF_APPLETALK: 1307 return SECCLASS_APPLETALK_SOCKET; 1308 } 1309 1310 return SECCLASS_SOCKET; 1311 } 1312 1313 static int selinux_genfs_get_sid(struct dentry *dentry, 1314 u16 tclass, 1315 u16 flags, 1316 u32 *sid) 1317 { 1318 int rc; 1319 struct super_block *sb = dentry->d_inode->i_sb; 1320 char *buffer, *path; 1321 1322 buffer = (char *)__get_free_page(GFP_KERNEL); 1323 if (!buffer) 1324 return -ENOMEM; 1325 1326 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1327 if (IS_ERR(path)) 1328 rc = PTR_ERR(path); 1329 else { 1330 if (flags & SE_SBPROC) { 1331 /* each process gets a /proc/PID/ entry. Strip off the 1332 * PID part to get a valid selinux labeling. 1333 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1334 while (path[1] >= '0' && path[1] <= '9') { 1335 path[1] = '/'; 1336 path++; 1337 } 1338 } 1339 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid); 1340 } 1341 free_page((unsigned long)buffer); 1342 return rc; 1343 } 1344 1345 /* The inode's security attributes must be initialized before first use. */ 1346 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1347 { 1348 struct superblock_security_struct *sbsec = NULL; 1349 struct inode_security_struct *isec = inode->i_security; 1350 u32 sid; 1351 struct dentry *dentry; 1352 #define INITCONTEXTLEN 255 1353 char *context = NULL; 1354 unsigned len = 0; 1355 int rc = 0; 1356 1357 if (isec->initialized == LABEL_INITIALIZED) 1358 goto out; 1359 1360 mutex_lock(&isec->lock); 1361 if (isec->initialized == LABEL_INITIALIZED) 1362 goto out_unlock; 1363 1364 sbsec = inode->i_sb->s_security; 1365 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1366 /* Defer initialization until selinux_complete_init, 1367 after the initial policy is loaded and the security 1368 server is ready to handle calls. */ 1369 spin_lock(&sbsec->isec_lock); 1370 if (list_empty(&isec->list)) 1371 list_add(&isec->list, &sbsec->isec_head); 1372 spin_unlock(&sbsec->isec_lock); 1373 goto out_unlock; 1374 } 1375 1376 switch (sbsec->behavior) { 1377 case SECURITY_FS_USE_NATIVE: 1378 break; 1379 case SECURITY_FS_USE_XATTR: 1380 if (!inode->i_op->getxattr) { 1381 isec->sid = sbsec->def_sid; 1382 break; 1383 } 1384 1385 /* Need a dentry, since the xattr API requires one. 1386 Life would be simpler if we could just pass the inode. */ 1387 if (opt_dentry) { 1388 /* Called from d_instantiate or d_splice_alias. */ 1389 dentry = dget(opt_dentry); 1390 } else { 1391 /* Called from selinux_complete_init, try to find a dentry. */ 1392 dentry = d_find_alias(inode); 1393 } 1394 if (!dentry) { 1395 /* 1396 * this is can be hit on boot when a file is accessed 1397 * before the policy is loaded. When we load policy we 1398 * may find inodes that have no dentry on the 1399 * sbsec->isec_head list. No reason to complain as these 1400 * will get fixed up the next time we go through 1401 * inode_doinit with a dentry, before these inodes could 1402 * be used again by userspace. 1403 */ 1404 goto out_unlock; 1405 } 1406 1407 len = INITCONTEXTLEN; 1408 context = kmalloc(len+1, GFP_NOFS); 1409 if (!context) { 1410 rc = -ENOMEM; 1411 dput(dentry); 1412 goto out_unlock; 1413 } 1414 context[len] = '\0'; 1415 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1416 context, len); 1417 if (rc == -ERANGE) { 1418 kfree(context); 1419 1420 /* Need a larger buffer. Query for the right size. */ 1421 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1422 NULL, 0); 1423 if (rc < 0) { 1424 dput(dentry); 1425 goto out_unlock; 1426 } 1427 len = rc; 1428 context = kmalloc(len+1, GFP_NOFS); 1429 if (!context) { 1430 rc = -ENOMEM; 1431 dput(dentry); 1432 goto out_unlock; 1433 } 1434 context[len] = '\0'; 1435 rc = inode->i_op->getxattr(dentry, 1436 XATTR_NAME_SELINUX, 1437 context, len); 1438 } 1439 dput(dentry); 1440 if (rc < 0) { 1441 if (rc != -ENODATA) { 1442 printk(KERN_WARNING "SELinux: %s: getxattr returned " 1443 "%d for dev=%s ino=%ld\n", __func__, 1444 -rc, inode->i_sb->s_id, inode->i_ino); 1445 kfree(context); 1446 goto out_unlock; 1447 } 1448 /* Map ENODATA to the default file SID */ 1449 sid = sbsec->def_sid; 1450 rc = 0; 1451 } else { 1452 rc = security_context_to_sid_default(context, rc, &sid, 1453 sbsec->def_sid, 1454 GFP_NOFS); 1455 if (rc) { 1456 char *dev = inode->i_sb->s_id; 1457 unsigned long ino = inode->i_ino; 1458 1459 if (rc == -EINVAL) { 1460 if (printk_ratelimit()) 1461 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " 1462 "context=%s. This indicates you may need to relabel the inode or the " 1463 "filesystem in question.\n", ino, dev, context); 1464 } else { 1465 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " 1466 "returned %d for dev=%s ino=%ld\n", 1467 __func__, context, -rc, dev, ino); 1468 } 1469 kfree(context); 1470 /* Leave with the unlabeled SID */ 1471 rc = 0; 1472 break; 1473 } 1474 } 1475 kfree(context); 1476 isec->sid = sid; 1477 break; 1478 case SECURITY_FS_USE_TASK: 1479 isec->sid = isec->task_sid; 1480 break; 1481 case SECURITY_FS_USE_TRANS: 1482 /* Default to the fs SID. */ 1483 isec->sid = sbsec->sid; 1484 1485 /* Try to obtain a transition SID. */ 1486 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1487 rc = security_transition_sid(isec->task_sid, sbsec->sid, 1488 isec->sclass, NULL, &sid); 1489 if (rc) 1490 goto out_unlock; 1491 isec->sid = sid; 1492 break; 1493 case SECURITY_FS_USE_MNTPOINT: 1494 isec->sid = sbsec->mntpoint_sid; 1495 break; 1496 default: 1497 /* Default to the fs superblock SID. */ 1498 isec->sid = sbsec->sid; 1499 1500 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { 1501 /* We must have a dentry to determine the label on 1502 * procfs inodes */ 1503 if (opt_dentry) 1504 /* Called from d_instantiate or 1505 * d_splice_alias. */ 1506 dentry = dget(opt_dentry); 1507 else 1508 /* Called from selinux_complete_init, try to 1509 * find a dentry. */ 1510 dentry = d_find_alias(inode); 1511 /* 1512 * This can be hit on boot when a file is accessed 1513 * before the policy is loaded. When we load policy we 1514 * may find inodes that have no dentry on the 1515 * sbsec->isec_head list. No reason to complain as 1516 * these will get fixed up the next time we go through 1517 * inode_doinit() with a dentry, before these inodes 1518 * could be used again by userspace. 1519 */ 1520 if (!dentry) 1521 goto out_unlock; 1522 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1523 rc = selinux_genfs_get_sid(dentry, isec->sclass, 1524 sbsec->flags, &sid); 1525 dput(dentry); 1526 if (rc) 1527 goto out_unlock; 1528 isec->sid = sid; 1529 } 1530 break; 1531 } 1532 1533 isec->initialized = LABEL_INITIALIZED; 1534 1535 out_unlock: 1536 mutex_unlock(&isec->lock); 1537 out: 1538 if (isec->sclass == SECCLASS_FILE) 1539 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1540 return rc; 1541 } 1542 1543 /* Convert a Linux signal to an access vector. */ 1544 static inline u32 signal_to_av(int sig) 1545 { 1546 u32 perm = 0; 1547 1548 switch (sig) { 1549 case SIGCHLD: 1550 /* Commonly granted from child to parent. */ 1551 perm = PROCESS__SIGCHLD; 1552 break; 1553 case SIGKILL: 1554 /* Cannot be caught or ignored */ 1555 perm = PROCESS__SIGKILL; 1556 break; 1557 case SIGSTOP: 1558 /* Cannot be caught or ignored */ 1559 perm = PROCESS__SIGSTOP; 1560 break; 1561 default: 1562 /* All other signals. */ 1563 perm = PROCESS__SIGNAL; 1564 break; 1565 } 1566 1567 return perm; 1568 } 1569 1570 /* 1571 * Check permission between a pair of credentials 1572 * fork check, ptrace check, etc. 1573 */ 1574 static int cred_has_perm(const struct cred *actor, 1575 const struct cred *target, 1576 u32 perms) 1577 { 1578 u32 asid = cred_sid(actor), tsid = cred_sid(target); 1579 1580 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL); 1581 } 1582 1583 /* 1584 * Check permission between a pair of tasks, e.g. signal checks, 1585 * fork check, ptrace check, etc. 1586 * tsk1 is the actor and tsk2 is the target 1587 * - this uses the default subjective creds of tsk1 1588 */ 1589 static int task_has_perm(const struct task_struct *tsk1, 1590 const struct task_struct *tsk2, 1591 u32 perms) 1592 { 1593 const struct task_security_struct *__tsec1, *__tsec2; 1594 u32 sid1, sid2; 1595 1596 rcu_read_lock(); 1597 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid; 1598 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid; 1599 rcu_read_unlock(); 1600 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL); 1601 } 1602 1603 /* 1604 * Check permission between current and another task, e.g. signal checks, 1605 * fork check, ptrace check, etc. 1606 * current is the actor and tsk2 is the target 1607 * - this uses current's subjective creds 1608 */ 1609 static int current_has_perm(const struct task_struct *tsk, 1610 u32 perms) 1611 { 1612 u32 sid, tsid; 1613 1614 sid = current_sid(); 1615 tsid = task_sid(tsk); 1616 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL); 1617 } 1618 1619 #if CAP_LAST_CAP > 63 1620 #error Fix SELinux to handle capabilities > 63. 1621 #endif 1622 1623 /* Check whether a task is allowed to use a capability. */ 1624 static int cred_has_capability(const struct cred *cred, 1625 int cap, int audit) 1626 { 1627 struct common_audit_data ad; 1628 struct av_decision avd; 1629 u16 sclass; 1630 u32 sid = cred_sid(cred); 1631 u32 av = CAP_TO_MASK(cap); 1632 int rc; 1633 1634 ad.type = LSM_AUDIT_DATA_CAP; 1635 ad.u.cap = cap; 1636 1637 switch (CAP_TO_INDEX(cap)) { 1638 case 0: 1639 sclass = SECCLASS_CAPABILITY; 1640 break; 1641 case 1: 1642 sclass = SECCLASS_CAPABILITY2; 1643 break; 1644 default: 1645 printk(KERN_ERR 1646 "SELinux: out of range capability %d\n", cap); 1647 BUG(); 1648 return -EINVAL; 1649 } 1650 1651 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1652 if (audit == SECURITY_CAP_AUDIT) { 1653 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); 1654 if (rc2) 1655 return rc2; 1656 } 1657 return rc; 1658 } 1659 1660 /* Check whether a task is allowed to use a system operation. */ 1661 static int task_has_system(struct task_struct *tsk, 1662 u32 perms) 1663 { 1664 u32 sid = task_sid(tsk); 1665 1666 return avc_has_perm(sid, SECINITSID_KERNEL, 1667 SECCLASS_SYSTEM, perms, NULL); 1668 } 1669 1670 /* Check whether a task has a particular permission to an inode. 1671 The 'adp' parameter is optional and allows other audit 1672 data to be passed (e.g. the dentry). */ 1673 static int inode_has_perm(const struct cred *cred, 1674 struct inode *inode, 1675 u32 perms, 1676 struct common_audit_data *adp) 1677 { 1678 struct inode_security_struct *isec; 1679 u32 sid; 1680 1681 validate_creds(cred); 1682 1683 if (unlikely(IS_PRIVATE(inode))) 1684 return 0; 1685 1686 sid = cred_sid(cred); 1687 isec = inode->i_security; 1688 1689 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1690 } 1691 1692 /* Same as inode_has_perm, but pass explicit audit data containing 1693 the dentry to help the auditing code to more easily generate the 1694 pathname if needed. */ 1695 static inline int dentry_has_perm(const struct cred *cred, 1696 struct dentry *dentry, 1697 u32 av) 1698 { 1699 struct inode *inode = d_backing_inode(dentry); 1700 struct common_audit_data ad; 1701 1702 ad.type = LSM_AUDIT_DATA_DENTRY; 1703 ad.u.dentry = dentry; 1704 __inode_security_revalidate(inode, dentry, true); 1705 return inode_has_perm(cred, inode, av, &ad); 1706 } 1707 1708 /* Same as inode_has_perm, but pass explicit audit data containing 1709 the path to help the auditing code to more easily generate the 1710 pathname if needed. */ 1711 static inline int path_has_perm(const struct cred *cred, 1712 const struct path *path, 1713 u32 av) 1714 { 1715 struct inode *inode = d_backing_inode(path->dentry); 1716 struct common_audit_data ad; 1717 1718 ad.type = LSM_AUDIT_DATA_PATH; 1719 ad.u.path = *path; 1720 __inode_security_revalidate(inode, path->dentry, true); 1721 return inode_has_perm(cred, inode, av, &ad); 1722 } 1723 1724 /* Same as path_has_perm, but uses the inode from the file struct. */ 1725 static inline int file_path_has_perm(const struct cred *cred, 1726 struct file *file, 1727 u32 av) 1728 { 1729 struct common_audit_data ad; 1730 1731 ad.type = LSM_AUDIT_DATA_PATH; 1732 ad.u.path = file->f_path; 1733 return inode_has_perm(cred, file_inode(file), av, &ad); 1734 } 1735 1736 /* Check whether a task can use an open file descriptor to 1737 access an inode in a given way. Check access to the 1738 descriptor itself, and then use dentry_has_perm to 1739 check a particular permission to the file. 1740 Access to the descriptor is implicitly granted if it 1741 has the same SID as the process. If av is zero, then 1742 access to the file is not checked, e.g. for cases 1743 where only the descriptor is affected like seek. */ 1744 static int file_has_perm(const struct cred *cred, 1745 struct file *file, 1746 u32 av) 1747 { 1748 struct file_security_struct *fsec = file->f_security; 1749 struct inode *inode = file_inode(file); 1750 struct common_audit_data ad; 1751 u32 sid = cred_sid(cred); 1752 int rc; 1753 1754 ad.type = LSM_AUDIT_DATA_PATH; 1755 ad.u.path = file->f_path; 1756 1757 if (sid != fsec->sid) { 1758 rc = avc_has_perm(sid, fsec->sid, 1759 SECCLASS_FD, 1760 FD__USE, 1761 &ad); 1762 if (rc) 1763 goto out; 1764 } 1765 1766 /* av is zero if only checking access to the descriptor. */ 1767 rc = 0; 1768 if (av) 1769 rc = inode_has_perm(cred, inode, av, &ad); 1770 1771 out: 1772 return rc; 1773 } 1774 1775 /* 1776 * Determine the label for an inode that might be unioned. 1777 */ 1778 static int selinux_determine_inode_label(struct inode *dir, 1779 const struct qstr *name, 1780 u16 tclass, 1781 u32 *_new_isid) 1782 { 1783 const struct superblock_security_struct *sbsec = dir->i_sb->s_security; 1784 const struct inode_security_struct *dsec = inode_security(dir); 1785 const struct task_security_struct *tsec = current_security(); 1786 1787 if ((sbsec->flags & SE_SBINITIALIZED) && 1788 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1789 *_new_isid = sbsec->mntpoint_sid; 1790 } else if ((sbsec->flags & SBLABEL_MNT) && 1791 tsec->create_sid) { 1792 *_new_isid = tsec->create_sid; 1793 } else { 1794 return security_transition_sid(tsec->sid, dsec->sid, tclass, 1795 name, _new_isid); 1796 } 1797 1798 return 0; 1799 } 1800 1801 /* Check whether a task can create a file. */ 1802 static int may_create(struct inode *dir, 1803 struct dentry *dentry, 1804 u16 tclass) 1805 { 1806 const struct task_security_struct *tsec = current_security(); 1807 struct inode_security_struct *dsec; 1808 struct superblock_security_struct *sbsec; 1809 u32 sid, newsid; 1810 struct common_audit_data ad; 1811 int rc; 1812 1813 dsec = inode_security(dir); 1814 sbsec = dir->i_sb->s_security; 1815 1816 sid = tsec->sid; 1817 1818 ad.type = LSM_AUDIT_DATA_DENTRY; 1819 ad.u.dentry = dentry; 1820 1821 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1822 DIR__ADD_NAME | DIR__SEARCH, 1823 &ad); 1824 if (rc) 1825 return rc; 1826 1827 rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass, 1828 &newsid); 1829 if (rc) 1830 return rc; 1831 1832 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1833 if (rc) 1834 return rc; 1835 1836 return avc_has_perm(newsid, sbsec->sid, 1837 SECCLASS_FILESYSTEM, 1838 FILESYSTEM__ASSOCIATE, &ad); 1839 } 1840 1841 /* Check whether a task can create a key. */ 1842 static int may_create_key(u32 ksid, 1843 struct task_struct *ctx) 1844 { 1845 u32 sid = task_sid(ctx); 1846 1847 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); 1848 } 1849 1850 #define MAY_LINK 0 1851 #define MAY_UNLINK 1 1852 #define MAY_RMDIR 2 1853 1854 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1855 static int may_link(struct inode *dir, 1856 struct dentry *dentry, 1857 int kind) 1858 1859 { 1860 struct inode_security_struct *dsec, *isec; 1861 struct common_audit_data ad; 1862 u32 sid = current_sid(); 1863 u32 av; 1864 int rc; 1865 1866 dsec = inode_security(dir); 1867 isec = backing_inode_security(dentry); 1868 1869 ad.type = LSM_AUDIT_DATA_DENTRY; 1870 ad.u.dentry = dentry; 1871 1872 av = DIR__SEARCH; 1873 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1874 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 1875 if (rc) 1876 return rc; 1877 1878 switch (kind) { 1879 case MAY_LINK: 1880 av = FILE__LINK; 1881 break; 1882 case MAY_UNLINK: 1883 av = FILE__UNLINK; 1884 break; 1885 case MAY_RMDIR: 1886 av = DIR__RMDIR; 1887 break; 1888 default: 1889 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", 1890 __func__, kind); 1891 return 0; 1892 } 1893 1894 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 1895 return rc; 1896 } 1897 1898 static inline int may_rename(struct inode *old_dir, 1899 struct dentry *old_dentry, 1900 struct inode *new_dir, 1901 struct dentry *new_dentry) 1902 { 1903 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1904 struct common_audit_data ad; 1905 u32 sid = current_sid(); 1906 u32 av; 1907 int old_is_dir, new_is_dir; 1908 int rc; 1909 1910 old_dsec = inode_security(old_dir); 1911 old_isec = backing_inode_security(old_dentry); 1912 old_is_dir = d_is_dir(old_dentry); 1913 new_dsec = inode_security(new_dir); 1914 1915 ad.type = LSM_AUDIT_DATA_DENTRY; 1916 1917 ad.u.dentry = old_dentry; 1918 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1919 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1920 if (rc) 1921 return rc; 1922 rc = avc_has_perm(sid, old_isec->sid, 1923 old_isec->sclass, FILE__RENAME, &ad); 1924 if (rc) 1925 return rc; 1926 if (old_is_dir && new_dir != old_dir) { 1927 rc = avc_has_perm(sid, old_isec->sid, 1928 old_isec->sclass, DIR__REPARENT, &ad); 1929 if (rc) 1930 return rc; 1931 } 1932 1933 ad.u.dentry = new_dentry; 1934 av = DIR__ADD_NAME | DIR__SEARCH; 1935 if (d_is_positive(new_dentry)) 1936 av |= DIR__REMOVE_NAME; 1937 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1938 if (rc) 1939 return rc; 1940 if (d_is_positive(new_dentry)) { 1941 new_isec = backing_inode_security(new_dentry); 1942 new_is_dir = d_is_dir(new_dentry); 1943 rc = avc_has_perm(sid, new_isec->sid, 1944 new_isec->sclass, 1945 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1946 if (rc) 1947 return rc; 1948 } 1949 1950 return 0; 1951 } 1952 1953 /* Check whether a task can perform a filesystem operation. */ 1954 static int superblock_has_perm(const struct cred *cred, 1955 struct super_block *sb, 1956 u32 perms, 1957 struct common_audit_data *ad) 1958 { 1959 struct superblock_security_struct *sbsec; 1960 u32 sid = cred_sid(cred); 1961 1962 sbsec = sb->s_security; 1963 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1964 } 1965 1966 /* Convert a Linux mode and permission mask to an access vector. */ 1967 static inline u32 file_mask_to_av(int mode, int mask) 1968 { 1969 u32 av = 0; 1970 1971 if (!S_ISDIR(mode)) { 1972 if (mask & MAY_EXEC) 1973 av |= FILE__EXECUTE; 1974 if (mask & MAY_READ) 1975 av |= FILE__READ; 1976 1977 if (mask & MAY_APPEND) 1978 av |= FILE__APPEND; 1979 else if (mask & MAY_WRITE) 1980 av |= FILE__WRITE; 1981 1982 } else { 1983 if (mask & MAY_EXEC) 1984 av |= DIR__SEARCH; 1985 if (mask & MAY_WRITE) 1986 av |= DIR__WRITE; 1987 if (mask & MAY_READ) 1988 av |= DIR__READ; 1989 } 1990 1991 return av; 1992 } 1993 1994 /* Convert a Linux file to an access vector. */ 1995 static inline u32 file_to_av(struct file *file) 1996 { 1997 u32 av = 0; 1998 1999 if (file->f_mode & FMODE_READ) 2000 av |= FILE__READ; 2001 if (file->f_mode & FMODE_WRITE) { 2002 if (file->f_flags & O_APPEND) 2003 av |= FILE__APPEND; 2004 else 2005 av |= FILE__WRITE; 2006 } 2007 if (!av) { 2008 /* 2009 * Special file opened with flags 3 for ioctl-only use. 2010 */ 2011 av = FILE__IOCTL; 2012 } 2013 2014 return av; 2015 } 2016 2017 /* 2018 * Convert a file to an access vector and include the correct open 2019 * open permission. 2020 */ 2021 static inline u32 open_file_to_av(struct file *file) 2022 { 2023 u32 av = file_to_av(file); 2024 2025 if (selinux_policycap_openperm) 2026 av |= FILE__OPEN; 2027 2028 return av; 2029 } 2030 2031 /* Hook functions begin here. */ 2032 2033 static int selinux_binder_set_context_mgr(struct task_struct *mgr) 2034 { 2035 u32 mysid = current_sid(); 2036 u32 mgrsid = task_sid(mgr); 2037 2038 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, 2039 BINDER__SET_CONTEXT_MGR, NULL); 2040 } 2041 2042 static int selinux_binder_transaction(struct task_struct *from, 2043 struct task_struct *to) 2044 { 2045 u32 mysid = current_sid(); 2046 u32 fromsid = task_sid(from); 2047 u32 tosid = task_sid(to); 2048 int rc; 2049 2050 if (mysid != fromsid) { 2051 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, 2052 BINDER__IMPERSONATE, NULL); 2053 if (rc) 2054 return rc; 2055 } 2056 2057 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2058 NULL); 2059 } 2060 2061 static int selinux_binder_transfer_binder(struct task_struct *from, 2062 struct task_struct *to) 2063 { 2064 u32 fromsid = task_sid(from); 2065 u32 tosid = task_sid(to); 2066 2067 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2068 NULL); 2069 } 2070 2071 static int selinux_binder_transfer_file(struct task_struct *from, 2072 struct task_struct *to, 2073 struct file *file) 2074 { 2075 u32 sid = task_sid(to); 2076 struct file_security_struct *fsec = file->f_security; 2077 struct dentry *dentry = file->f_path.dentry; 2078 struct inode_security_struct *isec = backing_inode_security(dentry); 2079 struct common_audit_data ad; 2080 int rc; 2081 2082 ad.type = LSM_AUDIT_DATA_PATH; 2083 ad.u.path = file->f_path; 2084 2085 if (sid != fsec->sid) { 2086 rc = avc_has_perm(sid, fsec->sid, 2087 SECCLASS_FD, 2088 FD__USE, 2089 &ad); 2090 if (rc) 2091 return rc; 2092 } 2093 2094 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2095 return 0; 2096 2097 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), 2098 &ad); 2099 } 2100 2101 static int selinux_ptrace_access_check(struct task_struct *child, 2102 unsigned int mode) 2103 { 2104 if (mode & PTRACE_MODE_READ) { 2105 u32 sid = current_sid(); 2106 u32 csid = task_sid(child); 2107 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2108 } 2109 2110 return current_has_perm(child, PROCESS__PTRACE); 2111 } 2112 2113 static int selinux_ptrace_traceme(struct task_struct *parent) 2114 { 2115 return task_has_perm(parent, current, PROCESS__PTRACE); 2116 } 2117 2118 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2119 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2120 { 2121 return current_has_perm(target, PROCESS__GETCAP); 2122 } 2123 2124 static int selinux_capset(struct cred *new, const struct cred *old, 2125 const kernel_cap_t *effective, 2126 const kernel_cap_t *inheritable, 2127 const kernel_cap_t *permitted) 2128 { 2129 return cred_has_perm(old, new, PROCESS__SETCAP); 2130 } 2131 2132 /* 2133 * (This comment used to live with the selinux_task_setuid hook, 2134 * which was removed). 2135 * 2136 * Since setuid only affects the current process, and since the SELinux 2137 * controls are not based on the Linux identity attributes, SELinux does not 2138 * need to control this operation. However, SELinux does control the use of 2139 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2140 */ 2141 2142 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2143 int cap, int audit) 2144 { 2145 return cred_has_capability(cred, cap, audit); 2146 } 2147 2148 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2149 { 2150 const struct cred *cred = current_cred(); 2151 int rc = 0; 2152 2153 if (!sb) 2154 return 0; 2155 2156 switch (cmds) { 2157 case Q_SYNC: 2158 case Q_QUOTAON: 2159 case Q_QUOTAOFF: 2160 case Q_SETINFO: 2161 case Q_SETQUOTA: 2162 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2163 break; 2164 case Q_GETFMT: 2165 case Q_GETINFO: 2166 case Q_GETQUOTA: 2167 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2168 break; 2169 default: 2170 rc = 0; /* let the kernel handle invalid cmds */ 2171 break; 2172 } 2173 return rc; 2174 } 2175 2176 static int selinux_quota_on(struct dentry *dentry) 2177 { 2178 const struct cred *cred = current_cred(); 2179 2180 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2181 } 2182 2183 static int selinux_syslog(int type) 2184 { 2185 int rc; 2186 2187 switch (type) { 2188 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2189 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2190 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 2191 break; 2192 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2193 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2194 /* Set level of messages printed to console */ 2195 case SYSLOG_ACTION_CONSOLE_LEVEL: 2196 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); 2197 break; 2198 case SYSLOG_ACTION_CLOSE: /* Close log */ 2199 case SYSLOG_ACTION_OPEN: /* Open log */ 2200 case SYSLOG_ACTION_READ: /* Read from log */ 2201 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */ 2202 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */ 2203 default: 2204 rc = task_has_system(current, SYSTEM__SYSLOG_MOD); 2205 break; 2206 } 2207 return rc; 2208 } 2209 2210 /* 2211 * Check that a process has enough memory to allocate a new virtual 2212 * mapping. 0 means there is enough memory for the allocation to 2213 * succeed and -ENOMEM implies there is not. 2214 * 2215 * Do not audit the selinux permission check, as this is applied to all 2216 * processes that allocate mappings. 2217 */ 2218 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2219 { 2220 int rc, cap_sys_admin = 0; 2221 2222 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2223 SECURITY_CAP_NOAUDIT); 2224 if (rc == 0) 2225 cap_sys_admin = 1; 2226 2227 return cap_sys_admin; 2228 } 2229 2230 /* binprm security operations */ 2231 2232 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2233 const struct task_security_struct *old_tsec, 2234 const struct task_security_struct *new_tsec) 2235 { 2236 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2237 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID); 2238 int rc; 2239 2240 if (!nnp && !nosuid) 2241 return 0; /* neither NNP nor nosuid */ 2242 2243 if (new_tsec->sid == old_tsec->sid) 2244 return 0; /* No change in credentials */ 2245 2246 /* 2247 * The only transitions we permit under NNP or nosuid 2248 * are transitions to bounded SIDs, i.e. SIDs that are 2249 * guaranteed to only be allowed a subset of the permissions 2250 * of the current SID. 2251 */ 2252 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); 2253 if (rc) { 2254 /* 2255 * On failure, preserve the errno values for NNP vs nosuid. 2256 * NNP: Operation not permitted for caller. 2257 * nosuid: Permission denied to file. 2258 */ 2259 if (nnp) 2260 return -EPERM; 2261 else 2262 return -EACCES; 2263 } 2264 return 0; 2265 } 2266 2267 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2268 { 2269 const struct task_security_struct *old_tsec; 2270 struct task_security_struct *new_tsec; 2271 struct inode_security_struct *isec; 2272 struct common_audit_data ad; 2273 struct inode *inode = file_inode(bprm->file); 2274 int rc; 2275 2276 /* SELinux context only depends on initial program or script and not 2277 * the script interpreter */ 2278 if (bprm->cred_prepared) 2279 return 0; 2280 2281 old_tsec = current_security(); 2282 new_tsec = bprm->cred->security; 2283 isec = inode_security(inode); 2284 2285 /* Default to the current task SID. */ 2286 new_tsec->sid = old_tsec->sid; 2287 new_tsec->osid = old_tsec->sid; 2288 2289 /* Reset fs, key, and sock SIDs on execve. */ 2290 new_tsec->create_sid = 0; 2291 new_tsec->keycreate_sid = 0; 2292 new_tsec->sockcreate_sid = 0; 2293 2294 if (old_tsec->exec_sid) { 2295 new_tsec->sid = old_tsec->exec_sid; 2296 /* Reset exec SID on execve. */ 2297 new_tsec->exec_sid = 0; 2298 2299 /* Fail on NNP or nosuid if not an allowed transition. */ 2300 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2301 if (rc) 2302 return rc; 2303 } else { 2304 /* Check for a default transition on this program. */ 2305 rc = security_transition_sid(old_tsec->sid, isec->sid, 2306 SECCLASS_PROCESS, NULL, 2307 &new_tsec->sid); 2308 if (rc) 2309 return rc; 2310 2311 /* 2312 * Fallback to old SID on NNP or nosuid if not an allowed 2313 * transition. 2314 */ 2315 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2316 if (rc) 2317 new_tsec->sid = old_tsec->sid; 2318 } 2319 2320 ad.type = LSM_AUDIT_DATA_PATH; 2321 ad.u.path = bprm->file->f_path; 2322 2323 if (new_tsec->sid == old_tsec->sid) { 2324 rc = avc_has_perm(old_tsec->sid, isec->sid, 2325 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2326 if (rc) 2327 return rc; 2328 } else { 2329 /* Check permissions for the transition. */ 2330 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2331 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2332 if (rc) 2333 return rc; 2334 2335 rc = avc_has_perm(new_tsec->sid, isec->sid, 2336 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2337 if (rc) 2338 return rc; 2339 2340 /* Check for shared state */ 2341 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2342 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2343 SECCLASS_PROCESS, PROCESS__SHARE, 2344 NULL); 2345 if (rc) 2346 return -EPERM; 2347 } 2348 2349 /* Make sure that anyone attempting to ptrace over a task that 2350 * changes its SID has the appropriate permit */ 2351 if (bprm->unsafe & 2352 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 2353 struct task_struct *tracer; 2354 struct task_security_struct *sec; 2355 u32 ptsid = 0; 2356 2357 rcu_read_lock(); 2358 tracer = ptrace_parent(current); 2359 if (likely(tracer != NULL)) { 2360 sec = __task_cred(tracer)->security; 2361 ptsid = sec->sid; 2362 } 2363 rcu_read_unlock(); 2364 2365 if (ptsid != 0) { 2366 rc = avc_has_perm(ptsid, new_tsec->sid, 2367 SECCLASS_PROCESS, 2368 PROCESS__PTRACE, NULL); 2369 if (rc) 2370 return -EPERM; 2371 } 2372 } 2373 2374 /* Clear any possibly unsafe personality bits on exec: */ 2375 bprm->per_clear |= PER_CLEAR_ON_SETID; 2376 } 2377 2378 return 0; 2379 } 2380 2381 static int selinux_bprm_secureexec(struct linux_binprm *bprm) 2382 { 2383 const struct task_security_struct *tsec = current_security(); 2384 u32 sid, osid; 2385 int atsecure = 0; 2386 2387 sid = tsec->sid; 2388 osid = tsec->osid; 2389 2390 if (osid != sid) { 2391 /* Enable secure mode for SIDs transitions unless 2392 the noatsecure permission is granted between 2393 the two SIDs, i.e. ahp returns 0. */ 2394 atsecure = avc_has_perm(osid, sid, 2395 SECCLASS_PROCESS, 2396 PROCESS__NOATSECURE, NULL); 2397 } 2398 2399 return !!atsecure; 2400 } 2401 2402 static int match_file(const void *p, struct file *file, unsigned fd) 2403 { 2404 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2405 } 2406 2407 /* Derived from fs/exec.c:flush_old_files. */ 2408 static inline void flush_unauthorized_files(const struct cred *cred, 2409 struct files_struct *files) 2410 { 2411 struct file *file, *devnull = NULL; 2412 struct tty_struct *tty; 2413 int drop_tty = 0; 2414 unsigned n; 2415 2416 tty = get_current_tty(); 2417 if (tty) { 2418 spin_lock(&tty->files_lock); 2419 if (!list_empty(&tty->tty_files)) { 2420 struct tty_file_private *file_priv; 2421 2422 /* Revalidate access to controlling tty. 2423 Use file_path_has_perm on the tty path directly 2424 rather than using file_has_perm, as this particular 2425 open file may belong to another process and we are 2426 only interested in the inode-based check here. */ 2427 file_priv = list_first_entry(&tty->tty_files, 2428 struct tty_file_private, list); 2429 file = file_priv->file; 2430 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2431 drop_tty = 1; 2432 } 2433 spin_unlock(&tty->files_lock); 2434 tty_kref_put(tty); 2435 } 2436 /* Reset controlling tty. */ 2437 if (drop_tty) 2438 no_tty(); 2439 2440 /* Revalidate access to inherited open files. */ 2441 n = iterate_fd(files, 0, match_file, cred); 2442 if (!n) /* none found? */ 2443 return; 2444 2445 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2446 if (IS_ERR(devnull)) 2447 devnull = NULL; 2448 /* replace all the matching ones with this */ 2449 do { 2450 replace_fd(n - 1, devnull, 0); 2451 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2452 if (devnull) 2453 fput(devnull); 2454 } 2455 2456 /* 2457 * Prepare a process for imminent new credential changes due to exec 2458 */ 2459 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2460 { 2461 struct task_security_struct *new_tsec; 2462 struct rlimit *rlim, *initrlim; 2463 int rc, i; 2464 2465 new_tsec = bprm->cred->security; 2466 if (new_tsec->sid == new_tsec->osid) 2467 return; 2468 2469 /* Close files for which the new task SID is not authorized. */ 2470 flush_unauthorized_files(bprm->cred, current->files); 2471 2472 /* Always clear parent death signal on SID transitions. */ 2473 current->pdeath_signal = 0; 2474 2475 /* Check whether the new SID can inherit resource limits from the old 2476 * SID. If not, reset all soft limits to the lower of the current 2477 * task's hard limit and the init task's soft limit. 2478 * 2479 * Note that the setting of hard limits (even to lower them) can be 2480 * controlled by the setrlimit check. The inclusion of the init task's 2481 * soft limit into the computation is to avoid resetting soft limits 2482 * higher than the default soft limit for cases where the default is 2483 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2484 */ 2485 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2486 PROCESS__RLIMITINH, NULL); 2487 if (rc) { 2488 /* protect against do_prlimit() */ 2489 task_lock(current); 2490 for (i = 0; i < RLIM_NLIMITS; i++) { 2491 rlim = current->signal->rlim + i; 2492 initrlim = init_task.signal->rlim + i; 2493 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2494 } 2495 task_unlock(current); 2496 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2497 } 2498 } 2499 2500 /* 2501 * Clean up the process immediately after the installation of new credentials 2502 * due to exec 2503 */ 2504 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2505 { 2506 const struct task_security_struct *tsec = current_security(); 2507 struct itimerval itimer; 2508 u32 osid, sid; 2509 int rc, i; 2510 2511 osid = tsec->osid; 2512 sid = tsec->sid; 2513 2514 if (sid == osid) 2515 return; 2516 2517 /* Check whether the new SID can inherit signal state from the old SID. 2518 * If not, clear itimers to avoid subsequent signal generation and 2519 * flush and unblock signals. 2520 * 2521 * This must occur _after_ the task SID has been updated so that any 2522 * kill done after the flush will be checked against the new SID. 2523 */ 2524 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2525 if (rc) { 2526 memset(&itimer, 0, sizeof itimer); 2527 for (i = 0; i < 3; i++) 2528 do_setitimer(i, &itimer, NULL); 2529 spin_lock_irq(¤t->sighand->siglock); 2530 if (!fatal_signal_pending(current)) { 2531 flush_sigqueue(¤t->pending); 2532 flush_sigqueue(¤t->signal->shared_pending); 2533 flush_signal_handlers(current, 1); 2534 sigemptyset(¤t->blocked); 2535 recalc_sigpending(); 2536 } 2537 spin_unlock_irq(¤t->sighand->siglock); 2538 } 2539 2540 /* Wake up the parent if it is waiting so that it can recheck 2541 * wait permission to the new task SID. */ 2542 read_lock(&tasklist_lock); 2543 __wake_up_parent(current, current->real_parent); 2544 read_unlock(&tasklist_lock); 2545 } 2546 2547 /* superblock security operations */ 2548 2549 static int selinux_sb_alloc_security(struct super_block *sb) 2550 { 2551 return superblock_alloc_security(sb); 2552 } 2553 2554 static void selinux_sb_free_security(struct super_block *sb) 2555 { 2556 superblock_free_security(sb); 2557 } 2558 2559 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2560 { 2561 if (plen > olen) 2562 return 0; 2563 2564 return !memcmp(prefix, option, plen); 2565 } 2566 2567 static inline int selinux_option(char *option, int len) 2568 { 2569 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || 2570 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || 2571 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || 2572 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || 2573 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); 2574 } 2575 2576 static inline void take_option(char **to, char *from, int *first, int len) 2577 { 2578 if (!*first) { 2579 **to = ','; 2580 *to += 1; 2581 } else 2582 *first = 0; 2583 memcpy(*to, from, len); 2584 *to += len; 2585 } 2586 2587 static inline void take_selinux_option(char **to, char *from, int *first, 2588 int len) 2589 { 2590 int current_size = 0; 2591 2592 if (!*first) { 2593 **to = '|'; 2594 *to += 1; 2595 } else 2596 *first = 0; 2597 2598 while (current_size < len) { 2599 if (*from != '"') { 2600 **to = *from; 2601 *to += 1; 2602 } 2603 from += 1; 2604 current_size += 1; 2605 } 2606 } 2607 2608 static int selinux_sb_copy_data(char *orig, char *copy) 2609 { 2610 int fnosec, fsec, rc = 0; 2611 char *in_save, *in_curr, *in_end; 2612 char *sec_curr, *nosec_save, *nosec; 2613 int open_quote = 0; 2614 2615 in_curr = orig; 2616 sec_curr = copy; 2617 2618 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2619 if (!nosec) { 2620 rc = -ENOMEM; 2621 goto out; 2622 } 2623 2624 nosec_save = nosec; 2625 fnosec = fsec = 1; 2626 in_save = in_end = orig; 2627 2628 do { 2629 if (*in_end == '"') 2630 open_quote = !open_quote; 2631 if ((*in_end == ',' && open_quote == 0) || 2632 *in_end == '\0') { 2633 int len = in_end - in_curr; 2634 2635 if (selinux_option(in_curr, len)) 2636 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2637 else 2638 take_option(&nosec, in_curr, &fnosec, len); 2639 2640 in_curr = in_end + 1; 2641 } 2642 } while (*in_end++); 2643 2644 strcpy(in_save, nosec_save); 2645 free_page((unsigned long)nosec_save); 2646 out: 2647 return rc; 2648 } 2649 2650 static int selinux_sb_remount(struct super_block *sb, void *data) 2651 { 2652 int rc, i, *flags; 2653 struct security_mnt_opts opts; 2654 char *secdata, **mount_options; 2655 struct superblock_security_struct *sbsec = sb->s_security; 2656 2657 if (!(sbsec->flags & SE_SBINITIALIZED)) 2658 return 0; 2659 2660 if (!data) 2661 return 0; 2662 2663 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 2664 return 0; 2665 2666 security_init_mnt_opts(&opts); 2667 secdata = alloc_secdata(); 2668 if (!secdata) 2669 return -ENOMEM; 2670 rc = selinux_sb_copy_data(data, secdata); 2671 if (rc) 2672 goto out_free_secdata; 2673 2674 rc = selinux_parse_opts_str(secdata, &opts); 2675 if (rc) 2676 goto out_free_secdata; 2677 2678 mount_options = opts.mnt_opts; 2679 flags = opts.mnt_opts_flags; 2680 2681 for (i = 0; i < opts.num_mnt_opts; i++) { 2682 u32 sid; 2683 2684 if (flags[i] == SBLABEL_MNT) 2685 continue; 2686 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 2687 if (rc) { 2688 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 2689 "(%s) failed for (dev %s, type %s) errno=%d\n", 2690 mount_options[i], sb->s_id, sb->s_type->name, rc); 2691 goto out_free_opts; 2692 } 2693 rc = -EINVAL; 2694 switch (flags[i]) { 2695 case FSCONTEXT_MNT: 2696 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2697 goto out_bad_option; 2698 break; 2699 case CONTEXT_MNT: 2700 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2701 goto out_bad_option; 2702 break; 2703 case ROOTCONTEXT_MNT: { 2704 struct inode_security_struct *root_isec; 2705 root_isec = backing_inode_security(sb->s_root); 2706 2707 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2708 goto out_bad_option; 2709 break; 2710 } 2711 case DEFCONTEXT_MNT: 2712 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2713 goto out_bad_option; 2714 break; 2715 default: 2716 goto out_free_opts; 2717 } 2718 } 2719 2720 rc = 0; 2721 out_free_opts: 2722 security_free_mnt_opts(&opts); 2723 out_free_secdata: 2724 free_secdata(secdata); 2725 return rc; 2726 out_bad_option: 2727 printk(KERN_WARNING "SELinux: unable to change security options " 2728 "during remount (dev %s, type=%s)\n", sb->s_id, 2729 sb->s_type->name); 2730 goto out_free_opts; 2731 } 2732 2733 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) 2734 { 2735 const struct cred *cred = current_cred(); 2736 struct common_audit_data ad; 2737 int rc; 2738 2739 rc = superblock_doinit(sb, data); 2740 if (rc) 2741 return rc; 2742 2743 /* Allow all mounts performed by the kernel */ 2744 if (flags & MS_KERNMOUNT) 2745 return 0; 2746 2747 ad.type = LSM_AUDIT_DATA_DENTRY; 2748 ad.u.dentry = sb->s_root; 2749 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2750 } 2751 2752 static int selinux_sb_statfs(struct dentry *dentry) 2753 { 2754 const struct cred *cred = current_cred(); 2755 struct common_audit_data ad; 2756 2757 ad.type = LSM_AUDIT_DATA_DENTRY; 2758 ad.u.dentry = dentry->d_sb->s_root; 2759 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2760 } 2761 2762 static int selinux_mount(const char *dev_name, 2763 struct path *path, 2764 const char *type, 2765 unsigned long flags, 2766 void *data) 2767 { 2768 const struct cred *cred = current_cred(); 2769 2770 if (flags & MS_REMOUNT) 2771 return superblock_has_perm(cred, path->dentry->d_sb, 2772 FILESYSTEM__REMOUNT, NULL); 2773 else 2774 return path_has_perm(cred, path, FILE__MOUNTON); 2775 } 2776 2777 static int selinux_umount(struct vfsmount *mnt, int flags) 2778 { 2779 const struct cred *cred = current_cred(); 2780 2781 return superblock_has_perm(cred, mnt->mnt_sb, 2782 FILESYSTEM__UNMOUNT, NULL); 2783 } 2784 2785 /* inode security operations */ 2786 2787 static int selinux_inode_alloc_security(struct inode *inode) 2788 { 2789 return inode_alloc_security(inode); 2790 } 2791 2792 static void selinux_inode_free_security(struct inode *inode) 2793 { 2794 inode_free_security(inode); 2795 } 2796 2797 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2798 struct qstr *name, void **ctx, 2799 u32 *ctxlen) 2800 { 2801 u32 newsid; 2802 int rc; 2803 2804 rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name, 2805 inode_mode_to_security_class(mode), 2806 &newsid); 2807 if (rc) 2808 return rc; 2809 2810 return security_sid_to_context(newsid, (char **)ctx, ctxlen); 2811 } 2812 2813 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2814 const struct qstr *qstr, 2815 const char **name, 2816 void **value, size_t *len) 2817 { 2818 const struct task_security_struct *tsec = current_security(); 2819 struct superblock_security_struct *sbsec; 2820 u32 sid, newsid, clen; 2821 int rc; 2822 char *context; 2823 2824 sbsec = dir->i_sb->s_security; 2825 2826 sid = tsec->sid; 2827 newsid = tsec->create_sid; 2828 2829 rc = selinux_determine_inode_label( 2830 dir, qstr, 2831 inode_mode_to_security_class(inode->i_mode), 2832 &newsid); 2833 if (rc) 2834 return rc; 2835 2836 /* Possibly defer initialization to selinux_complete_init. */ 2837 if (sbsec->flags & SE_SBINITIALIZED) { 2838 struct inode_security_struct *isec = inode->i_security; 2839 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2840 isec->sid = newsid; 2841 isec->initialized = LABEL_INITIALIZED; 2842 } 2843 2844 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT)) 2845 return -EOPNOTSUPP; 2846 2847 if (name) 2848 *name = XATTR_SELINUX_SUFFIX; 2849 2850 if (value && len) { 2851 rc = security_sid_to_context_force(newsid, &context, &clen); 2852 if (rc) 2853 return rc; 2854 *value = context; 2855 *len = clen; 2856 } 2857 2858 return 0; 2859 } 2860 2861 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 2862 { 2863 return may_create(dir, dentry, SECCLASS_FILE); 2864 } 2865 2866 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2867 { 2868 return may_link(dir, old_dentry, MAY_LINK); 2869 } 2870 2871 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2872 { 2873 return may_link(dir, dentry, MAY_UNLINK); 2874 } 2875 2876 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2877 { 2878 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2879 } 2880 2881 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 2882 { 2883 return may_create(dir, dentry, SECCLASS_DIR); 2884 } 2885 2886 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2887 { 2888 return may_link(dir, dentry, MAY_RMDIR); 2889 } 2890 2891 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 2892 { 2893 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2894 } 2895 2896 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2897 struct inode *new_inode, struct dentry *new_dentry) 2898 { 2899 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2900 } 2901 2902 static int selinux_inode_readlink(struct dentry *dentry) 2903 { 2904 const struct cred *cred = current_cred(); 2905 2906 return dentry_has_perm(cred, dentry, FILE__READ); 2907 } 2908 2909 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 2910 bool rcu) 2911 { 2912 const struct cred *cred = current_cred(); 2913 struct common_audit_data ad; 2914 struct inode_security_struct *isec; 2915 u32 sid; 2916 2917 validate_creds(cred); 2918 2919 ad.type = LSM_AUDIT_DATA_DENTRY; 2920 ad.u.dentry = dentry; 2921 sid = cred_sid(cred); 2922 isec = inode_security_rcu(inode, rcu); 2923 if (IS_ERR(isec)) 2924 return PTR_ERR(isec); 2925 2926 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad, 2927 rcu ? MAY_NOT_BLOCK : 0); 2928 } 2929 2930 static noinline int audit_inode_permission(struct inode *inode, 2931 u32 perms, u32 audited, u32 denied, 2932 int result, 2933 unsigned flags) 2934 { 2935 struct common_audit_data ad; 2936 struct inode_security_struct *isec = inode->i_security; 2937 int rc; 2938 2939 ad.type = LSM_AUDIT_DATA_INODE; 2940 ad.u.inode = inode; 2941 2942 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 2943 audited, denied, result, &ad, flags); 2944 if (rc) 2945 return rc; 2946 return 0; 2947 } 2948 2949 static int selinux_inode_permission(struct inode *inode, int mask) 2950 { 2951 const struct cred *cred = current_cred(); 2952 u32 perms; 2953 bool from_access; 2954 unsigned flags = mask & MAY_NOT_BLOCK; 2955 struct inode_security_struct *isec; 2956 u32 sid; 2957 struct av_decision avd; 2958 int rc, rc2; 2959 u32 audited, denied; 2960 2961 from_access = mask & MAY_ACCESS; 2962 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 2963 2964 /* No permission to check. Existence test. */ 2965 if (!mask) 2966 return 0; 2967 2968 validate_creds(cred); 2969 2970 if (unlikely(IS_PRIVATE(inode))) 2971 return 0; 2972 2973 perms = file_mask_to_av(inode->i_mode, mask); 2974 2975 sid = cred_sid(cred); 2976 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK); 2977 if (IS_ERR(isec)) 2978 return PTR_ERR(isec); 2979 2980 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); 2981 audited = avc_audit_required(perms, &avd, rc, 2982 from_access ? FILE__AUDIT_ACCESS : 0, 2983 &denied); 2984 if (likely(!audited)) 2985 return rc; 2986 2987 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags); 2988 if (rc2) 2989 return rc2; 2990 return rc; 2991 } 2992 2993 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2994 { 2995 const struct cred *cred = current_cred(); 2996 unsigned int ia_valid = iattr->ia_valid; 2997 __u32 av = FILE__WRITE; 2998 2999 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3000 if (ia_valid & ATTR_FORCE) { 3001 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3002 ATTR_FORCE); 3003 if (!ia_valid) 3004 return 0; 3005 } 3006 3007 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3008 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3009 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3010 3011 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE) 3012 && !(ia_valid & ATTR_FILE)) 3013 av |= FILE__OPEN; 3014 3015 return dentry_has_perm(cred, dentry, av); 3016 } 3017 3018 static int selinux_inode_getattr(const struct path *path) 3019 { 3020 return path_has_perm(current_cred(), path, FILE__GETATTR); 3021 } 3022 3023 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name) 3024 { 3025 const struct cred *cred = current_cred(); 3026 3027 if (!strncmp(name, XATTR_SECURITY_PREFIX, 3028 sizeof XATTR_SECURITY_PREFIX - 1)) { 3029 if (!strcmp(name, XATTR_NAME_CAPS)) { 3030 if (!capable(CAP_SETFCAP)) 3031 return -EPERM; 3032 } else if (!capable(CAP_SYS_ADMIN)) { 3033 /* A different attribute in the security namespace. 3034 Restrict to administrator. */ 3035 return -EPERM; 3036 } 3037 } 3038 3039 /* Not an attribute we recognize, so just check the 3040 ordinary setattr permission. */ 3041 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3042 } 3043 3044 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 3045 const void *value, size_t size, int flags) 3046 { 3047 struct inode *inode = d_backing_inode(dentry); 3048 struct inode_security_struct *isec = backing_inode_security(dentry); 3049 struct superblock_security_struct *sbsec; 3050 struct common_audit_data ad; 3051 u32 newsid, sid = current_sid(); 3052 int rc = 0; 3053 3054 if (strcmp(name, XATTR_NAME_SELINUX)) 3055 return selinux_inode_setotherxattr(dentry, name); 3056 3057 sbsec = inode->i_sb->s_security; 3058 if (!(sbsec->flags & SBLABEL_MNT)) 3059 return -EOPNOTSUPP; 3060 3061 if (!inode_owner_or_capable(inode)) 3062 return -EPERM; 3063 3064 ad.type = LSM_AUDIT_DATA_DENTRY; 3065 ad.u.dentry = dentry; 3066 3067 rc = avc_has_perm(sid, isec->sid, isec->sclass, 3068 FILE__RELABELFROM, &ad); 3069 if (rc) 3070 return rc; 3071 3072 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3073 if (rc == -EINVAL) { 3074 if (!capable(CAP_MAC_ADMIN)) { 3075 struct audit_buffer *ab; 3076 size_t audit_size; 3077 const char *str; 3078 3079 /* We strip a nul only if it is at the end, otherwise the 3080 * context contains a nul and we should audit that */ 3081 if (value) { 3082 str = value; 3083 if (str[size - 1] == '\0') 3084 audit_size = size - 1; 3085 else 3086 audit_size = size; 3087 } else { 3088 str = ""; 3089 audit_size = 0; 3090 } 3091 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 3092 audit_log_format(ab, "op=setxattr invalid_context="); 3093 audit_log_n_untrustedstring(ab, value, audit_size); 3094 audit_log_end(ab); 3095 3096 return rc; 3097 } 3098 rc = security_context_to_sid_force(value, size, &newsid); 3099 } 3100 if (rc) 3101 return rc; 3102 3103 rc = avc_has_perm(sid, newsid, isec->sclass, 3104 FILE__RELABELTO, &ad); 3105 if (rc) 3106 return rc; 3107 3108 rc = security_validate_transition(isec->sid, newsid, sid, 3109 isec->sclass); 3110 if (rc) 3111 return rc; 3112 3113 return avc_has_perm(newsid, 3114 sbsec->sid, 3115 SECCLASS_FILESYSTEM, 3116 FILESYSTEM__ASSOCIATE, 3117 &ad); 3118 } 3119 3120 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3121 const void *value, size_t size, 3122 int flags) 3123 { 3124 struct inode *inode = d_backing_inode(dentry); 3125 struct inode_security_struct *isec = backing_inode_security(dentry); 3126 u32 newsid; 3127 int rc; 3128 3129 if (strcmp(name, XATTR_NAME_SELINUX)) { 3130 /* Not an attribute we recognize, so nothing to do. */ 3131 return; 3132 } 3133 3134 rc = security_context_to_sid_force(value, size, &newsid); 3135 if (rc) { 3136 printk(KERN_ERR "SELinux: unable to map context to SID" 3137 "for (%s, %lu), rc=%d\n", 3138 inode->i_sb->s_id, inode->i_ino, -rc); 3139 return; 3140 } 3141 3142 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3143 isec->sid = newsid; 3144 isec->initialized = LABEL_INITIALIZED; 3145 3146 return; 3147 } 3148 3149 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3150 { 3151 const struct cred *cred = current_cred(); 3152 3153 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3154 } 3155 3156 static int selinux_inode_listxattr(struct dentry *dentry) 3157 { 3158 const struct cred *cred = current_cred(); 3159 3160 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3161 } 3162 3163 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 3164 { 3165 if (strcmp(name, XATTR_NAME_SELINUX)) 3166 return selinux_inode_setotherxattr(dentry, name); 3167 3168 /* No one is allowed to remove a SELinux security label. 3169 You can change the label, but all data must be labeled. */ 3170 return -EACCES; 3171 } 3172 3173 /* 3174 * Copy the inode security context value to the user. 3175 * 3176 * Permission check is handled by selinux_inode_getxattr hook. 3177 */ 3178 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 3179 { 3180 u32 size; 3181 int error; 3182 char *context = NULL; 3183 struct inode_security_struct *isec = inode_security(inode); 3184 3185 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3186 return -EOPNOTSUPP; 3187 3188 /* 3189 * If the caller has CAP_MAC_ADMIN, then get the raw context 3190 * value even if it is not defined by current policy; otherwise, 3191 * use the in-core value under current policy. 3192 * Use the non-auditing forms of the permission checks since 3193 * getxattr may be called by unprivileged processes commonly 3194 * and lack of permission just means that we fall back to the 3195 * in-core context value, not a denial. 3196 */ 3197 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN, 3198 SECURITY_CAP_NOAUDIT); 3199 if (!error) 3200 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN, 3201 SECURITY_CAP_NOAUDIT); 3202 if (!error) 3203 error = security_sid_to_context_force(isec->sid, &context, 3204 &size); 3205 else 3206 error = security_sid_to_context(isec->sid, &context, &size); 3207 if (error) 3208 return error; 3209 error = size; 3210 if (alloc) { 3211 *buffer = context; 3212 goto out_nofree; 3213 } 3214 kfree(context); 3215 out_nofree: 3216 return error; 3217 } 3218 3219 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3220 const void *value, size_t size, int flags) 3221 { 3222 struct inode_security_struct *isec = inode_security(inode); 3223 u32 newsid; 3224 int rc; 3225 3226 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3227 return -EOPNOTSUPP; 3228 3229 if (!value || !size) 3230 return -EACCES; 3231 3232 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3233 if (rc) 3234 return rc; 3235 3236 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3237 isec->sid = newsid; 3238 isec->initialized = LABEL_INITIALIZED; 3239 return 0; 3240 } 3241 3242 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3243 { 3244 const int len = sizeof(XATTR_NAME_SELINUX); 3245 if (buffer && len <= buffer_size) 3246 memcpy(buffer, XATTR_NAME_SELINUX, len); 3247 return len; 3248 } 3249 3250 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3251 { 3252 struct inode_security_struct *isec = inode_security_novalidate(inode); 3253 *secid = isec->sid; 3254 } 3255 3256 /* file security operations */ 3257 3258 static int selinux_revalidate_file_permission(struct file *file, int mask) 3259 { 3260 const struct cred *cred = current_cred(); 3261 struct inode *inode = file_inode(file); 3262 3263 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3264 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3265 mask |= MAY_APPEND; 3266 3267 return file_has_perm(cred, file, 3268 file_mask_to_av(inode->i_mode, mask)); 3269 } 3270 3271 static int selinux_file_permission(struct file *file, int mask) 3272 { 3273 struct inode *inode = file_inode(file); 3274 struct file_security_struct *fsec = file->f_security; 3275 struct inode_security_struct *isec; 3276 u32 sid = current_sid(); 3277 3278 if (!mask) 3279 /* No permission to check. Existence test. */ 3280 return 0; 3281 3282 isec = inode_security(inode); 3283 if (sid == fsec->sid && fsec->isid == isec->sid && 3284 fsec->pseqno == avc_policy_seqno()) 3285 /* No change since file_open check. */ 3286 return 0; 3287 3288 return selinux_revalidate_file_permission(file, mask); 3289 } 3290 3291 static int selinux_file_alloc_security(struct file *file) 3292 { 3293 return file_alloc_security(file); 3294 } 3295 3296 static void selinux_file_free_security(struct file *file) 3297 { 3298 file_free_security(file); 3299 } 3300 3301 /* 3302 * Check whether a task has the ioctl permission and cmd 3303 * operation to an inode. 3304 */ 3305 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3306 u32 requested, u16 cmd) 3307 { 3308 struct common_audit_data ad; 3309 struct file_security_struct *fsec = file->f_security; 3310 struct inode *inode = file_inode(file); 3311 struct inode_security_struct *isec = inode_security(inode); 3312 struct lsm_ioctlop_audit ioctl; 3313 u32 ssid = cred_sid(cred); 3314 int rc; 3315 u8 driver = cmd >> 8; 3316 u8 xperm = cmd & 0xff; 3317 3318 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3319 ad.u.op = &ioctl; 3320 ad.u.op->cmd = cmd; 3321 ad.u.op->path = file->f_path; 3322 3323 if (ssid != fsec->sid) { 3324 rc = avc_has_perm(ssid, fsec->sid, 3325 SECCLASS_FD, 3326 FD__USE, 3327 &ad); 3328 if (rc) 3329 goto out; 3330 } 3331 3332 if (unlikely(IS_PRIVATE(inode))) 3333 return 0; 3334 3335 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, 3336 requested, driver, xperm, &ad); 3337 out: 3338 return rc; 3339 } 3340 3341 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3342 unsigned long arg) 3343 { 3344 const struct cred *cred = current_cred(); 3345 int error = 0; 3346 3347 switch (cmd) { 3348 case FIONREAD: 3349 /* fall through */ 3350 case FIBMAP: 3351 /* fall through */ 3352 case FIGETBSZ: 3353 /* fall through */ 3354 case FS_IOC_GETFLAGS: 3355 /* fall through */ 3356 case FS_IOC_GETVERSION: 3357 error = file_has_perm(cred, file, FILE__GETATTR); 3358 break; 3359 3360 case FS_IOC_SETFLAGS: 3361 /* fall through */ 3362 case FS_IOC_SETVERSION: 3363 error = file_has_perm(cred, file, FILE__SETATTR); 3364 break; 3365 3366 /* sys_ioctl() checks */ 3367 case FIONBIO: 3368 /* fall through */ 3369 case FIOASYNC: 3370 error = file_has_perm(cred, file, 0); 3371 break; 3372 3373 case KDSKBENT: 3374 case KDSKBSENT: 3375 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3376 SECURITY_CAP_AUDIT); 3377 break; 3378 3379 /* default case assumes that the command will go 3380 * to the file's ioctl() function. 3381 */ 3382 default: 3383 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3384 } 3385 return error; 3386 } 3387 3388 static int default_noexec; 3389 3390 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3391 { 3392 const struct cred *cred = current_cred(); 3393 int rc = 0; 3394 3395 if (default_noexec && 3396 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3397 (!shared && (prot & PROT_WRITE)))) { 3398 /* 3399 * We are making executable an anonymous mapping or a 3400 * private file mapping that will also be writable. 3401 * This has an additional check. 3402 */ 3403 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM); 3404 if (rc) 3405 goto error; 3406 } 3407 3408 if (file) { 3409 /* read access is always possible with a mapping */ 3410 u32 av = FILE__READ; 3411 3412 /* write access only matters if the mapping is shared */ 3413 if (shared && (prot & PROT_WRITE)) 3414 av |= FILE__WRITE; 3415 3416 if (prot & PROT_EXEC) 3417 av |= FILE__EXECUTE; 3418 3419 return file_has_perm(cred, file, av); 3420 } 3421 3422 error: 3423 return rc; 3424 } 3425 3426 static int selinux_mmap_addr(unsigned long addr) 3427 { 3428 int rc = 0; 3429 3430 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3431 u32 sid = current_sid(); 3432 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3433 MEMPROTECT__MMAP_ZERO, NULL); 3434 } 3435 3436 return rc; 3437 } 3438 3439 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3440 unsigned long prot, unsigned long flags) 3441 { 3442 if (selinux_checkreqprot) 3443 prot = reqprot; 3444 3445 return file_map_prot_check(file, prot, 3446 (flags & MAP_TYPE) == MAP_SHARED); 3447 } 3448 3449 static int selinux_file_mprotect(struct vm_area_struct *vma, 3450 unsigned long reqprot, 3451 unsigned long prot) 3452 { 3453 const struct cred *cred = current_cred(); 3454 3455 if (selinux_checkreqprot) 3456 prot = reqprot; 3457 3458 if (default_noexec && 3459 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3460 int rc = 0; 3461 if (vma->vm_start >= vma->vm_mm->start_brk && 3462 vma->vm_end <= vma->vm_mm->brk) { 3463 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP); 3464 } else if (!vma->vm_file && 3465 vma->vm_start <= vma->vm_mm->start_stack && 3466 vma->vm_end >= vma->vm_mm->start_stack) { 3467 rc = current_has_perm(current, PROCESS__EXECSTACK); 3468 } else if (vma->vm_file && vma->anon_vma) { 3469 /* 3470 * We are making executable a file mapping that has 3471 * had some COW done. Since pages might have been 3472 * written, check ability to execute the possibly 3473 * modified content. This typically should only 3474 * occur for text relocations. 3475 */ 3476 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3477 } 3478 if (rc) 3479 return rc; 3480 } 3481 3482 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3483 } 3484 3485 static int selinux_file_lock(struct file *file, unsigned int cmd) 3486 { 3487 const struct cred *cred = current_cred(); 3488 3489 return file_has_perm(cred, file, FILE__LOCK); 3490 } 3491 3492 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3493 unsigned long arg) 3494 { 3495 const struct cred *cred = current_cred(); 3496 int err = 0; 3497 3498 switch (cmd) { 3499 case F_SETFL: 3500 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3501 err = file_has_perm(cred, file, FILE__WRITE); 3502 break; 3503 } 3504 /* fall through */ 3505 case F_SETOWN: 3506 case F_SETSIG: 3507 case F_GETFL: 3508 case F_GETOWN: 3509 case F_GETSIG: 3510 case F_GETOWNER_UIDS: 3511 /* Just check FD__USE permission */ 3512 err = file_has_perm(cred, file, 0); 3513 break; 3514 case F_GETLK: 3515 case F_SETLK: 3516 case F_SETLKW: 3517 case F_OFD_GETLK: 3518 case F_OFD_SETLK: 3519 case F_OFD_SETLKW: 3520 #if BITS_PER_LONG == 32 3521 case F_GETLK64: 3522 case F_SETLK64: 3523 case F_SETLKW64: 3524 #endif 3525 err = file_has_perm(cred, file, FILE__LOCK); 3526 break; 3527 } 3528 3529 return err; 3530 } 3531 3532 static void selinux_file_set_fowner(struct file *file) 3533 { 3534 struct file_security_struct *fsec; 3535 3536 fsec = file->f_security; 3537 fsec->fown_sid = current_sid(); 3538 } 3539 3540 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3541 struct fown_struct *fown, int signum) 3542 { 3543 struct file *file; 3544 u32 sid = task_sid(tsk); 3545 u32 perm; 3546 struct file_security_struct *fsec; 3547 3548 /* struct fown_struct is never outside the context of a struct file */ 3549 file = container_of(fown, struct file, f_owner); 3550 3551 fsec = file->f_security; 3552 3553 if (!signum) 3554 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3555 else 3556 perm = signal_to_av(signum); 3557 3558 return avc_has_perm(fsec->fown_sid, sid, 3559 SECCLASS_PROCESS, perm, NULL); 3560 } 3561 3562 static int selinux_file_receive(struct file *file) 3563 { 3564 const struct cred *cred = current_cred(); 3565 3566 return file_has_perm(cred, file, file_to_av(file)); 3567 } 3568 3569 static int selinux_file_open(struct file *file, const struct cred *cred) 3570 { 3571 struct file_security_struct *fsec; 3572 struct inode_security_struct *isec; 3573 3574 fsec = file->f_security; 3575 isec = inode_security(file_inode(file)); 3576 /* 3577 * Save inode label and policy sequence number 3578 * at open-time so that selinux_file_permission 3579 * can determine whether revalidation is necessary. 3580 * Task label is already saved in the file security 3581 * struct as its SID. 3582 */ 3583 fsec->isid = isec->sid; 3584 fsec->pseqno = avc_policy_seqno(); 3585 /* 3586 * Since the inode label or policy seqno may have changed 3587 * between the selinux_inode_permission check and the saving 3588 * of state above, recheck that access is still permitted. 3589 * Otherwise, access might never be revalidated against the 3590 * new inode label or new policy. 3591 * This check is not redundant - do not remove. 3592 */ 3593 return file_path_has_perm(cred, file, open_file_to_av(file)); 3594 } 3595 3596 /* task security operations */ 3597 3598 static int selinux_task_create(unsigned long clone_flags) 3599 { 3600 return current_has_perm(current, PROCESS__FORK); 3601 } 3602 3603 /* 3604 * allocate the SELinux part of blank credentials 3605 */ 3606 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) 3607 { 3608 struct task_security_struct *tsec; 3609 3610 tsec = kzalloc(sizeof(struct task_security_struct), gfp); 3611 if (!tsec) 3612 return -ENOMEM; 3613 3614 cred->security = tsec; 3615 return 0; 3616 } 3617 3618 /* 3619 * detach and free the LSM part of a set of credentials 3620 */ 3621 static void selinux_cred_free(struct cred *cred) 3622 { 3623 struct task_security_struct *tsec = cred->security; 3624 3625 /* 3626 * cred->security == NULL if security_cred_alloc_blank() or 3627 * security_prepare_creds() returned an error. 3628 */ 3629 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); 3630 cred->security = (void *) 0x7UL; 3631 kfree(tsec); 3632 } 3633 3634 /* 3635 * prepare a new set of credentials for modification 3636 */ 3637 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3638 gfp_t gfp) 3639 { 3640 const struct task_security_struct *old_tsec; 3641 struct task_security_struct *tsec; 3642 3643 old_tsec = old->security; 3644 3645 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); 3646 if (!tsec) 3647 return -ENOMEM; 3648 3649 new->security = tsec; 3650 return 0; 3651 } 3652 3653 /* 3654 * transfer the SELinux data to a blank set of creds 3655 */ 3656 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3657 { 3658 const struct task_security_struct *old_tsec = old->security; 3659 struct task_security_struct *tsec = new->security; 3660 3661 *tsec = *old_tsec; 3662 } 3663 3664 /* 3665 * set the security data for a kernel service 3666 * - all the creation contexts are set to unlabelled 3667 */ 3668 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3669 { 3670 struct task_security_struct *tsec = new->security; 3671 u32 sid = current_sid(); 3672 int ret; 3673 3674 ret = avc_has_perm(sid, secid, 3675 SECCLASS_KERNEL_SERVICE, 3676 KERNEL_SERVICE__USE_AS_OVERRIDE, 3677 NULL); 3678 if (ret == 0) { 3679 tsec->sid = secid; 3680 tsec->create_sid = 0; 3681 tsec->keycreate_sid = 0; 3682 tsec->sockcreate_sid = 0; 3683 } 3684 return ret; 3685 } 3686 3687 /* 3688 * set the file creation context in a security record to the same as the 3689 * objective context of the specified inode 3690 */ 3691 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3692 { 3693 struct inode_security_struct *isec = inode_security(inode); 3694 struct task_security_struct *tsec = new->security; 3695 u32 sid = current_sid(); 3696 int ret; 3697 3698 ret = avc_has_perm(sid, isec->sid, 3699 SECCLASS_KERNEL_SERVICE, 3700 KERNEL_SERVICE__CREATE_FILES_AS, 3701 NULL); 3702 3703 if (ret == 0) 3704 tsec->create_sid = isec->sid; 3705 return ret; 3706 } 3707 3708 static int selinux_kernel_module_request(char *kmod_name) 3709 { 3710 u32 sid; 3711 struct common_audit_data ad; 3712 3713 sid = task_sid(current); 3714 3715 ad.type = LSM_AUDIT_DATA_KMOD; 3716 ad.u.kmod_name = kmod_name; 3717 3718 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM, 3719 SYSTEM__MODULE_REQUEST, &ad); 3720 } 3721 3722 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3723 { 3724 return current_has_perm(p, PROCESS__SETPGID); 3725 } 3726 3727 static int selinux_task_getpgid(struct task_struct *p) 3728 { 3729 return current_has_perm(p, PROCESS__GETPGID); 3730 } 3731 3732 static int selinux_task_getsid(struct task_struct *p) 3733 { 3734 return current_has_perm(p, PROCESS__GETSESSION); 3735 } 3736 3737 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3738 { 3739 *secid = task_sid(p); 3740 } 3741 3742 static int selinux_task_setnice(struct task_struct *p, int nice) 3743 { 3744 return current_has_perm(p, PROCESS__SETSCHED); 3745 } 3746 3747 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3748 { 3749 return current_has_perm(p, PROCESS__SETSCHED); 3750 } 3751 3752 static int selinux_task_getioprio(struct task_struct *p) 3753 { 3754 return current_has_perm(p, PROCESS__GETSCHED); 3755 } 3756 3757 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 3758 struct rlimit *new_rlim) 3759 { 3760 struct rlimit *old_rlim = p->signal->rlim + resource; 3761 3762 /* Control the ability to change the hard limit (whether 3763 lowering or raising it), so that the hard limit can 3764 later be used as a safe reset point for the soft limit 3765 upon context transitions. See selinux_bprm_committing_creds. */ 3766 if (old_rlim->rlim_max != new_rlim->rlim_max) 3767 return current_has_perm(p, PROCESS__SETRLIMIT); 3768 3769 return 0; 3770 } 3771 3772 static int selinux_task_setscheduler(struct task_struct *p) 3773 { 3774 return current_has_perm(p, PROCESS__SETSCHED); 3775 } 3776 3777 static int selinux_task_getscheduler(struct task_struct *p) 3778 { 3779 return current_has_perm(p, PROCESS__GETSCHED); 3780 } 3781 3782 static int selinux_task_movememory(struct task_struct *p) 3783 { 3784 return current_has_perm(p, PROCESS__SETSCHED); 3785 } 3786 3787 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 3788 int sig, u32 secid) 3789 { 3790 u32 perm; 3791 int rc; 3792 3793 if (!sig) 3794 perm = PROCESS__SIGNULL; /* null signal; existence test */ 3795 else 3796 perm = signal_to_av(sig); 3797 if (secid) 3798 rc = avc_has_perm(secid, task_sid(p), 3799 SECCLASS_PROCESS, perm, NULL); 3800 else 3801 rc = current_has_perm(p, perm); 3802 return rc; 3803 } 3804 3805 static int selinux_task_wait(struct task_struct *p) 3806 { 3807 return task_has_perm(p, current, PROCESS__SIGCHLD); 3808 } 3809 3810 static void selinux_task_to_inode(struct task_struct *p, 3811 struct inode *inode) 3812 { 3813 struct inode_security_struct *isec = inode->i_security; 3814 u32 sid = task_sid(p); 3815 3816 isec->sid = sid; 3817 isec->initialized = LABEL_INITIALIZED; 3818 } 3819 3820 /* Returns error only if unable to parse addresses */ 3821 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 3822 struct common_audit_data *ad, u8 *proto) 3823 { 3824 int offset, ihlen, ret = -EINVAL; 3825 struct iphdr _iph, *ih; 3826 3827 offset = skb_network_offset(skb); 3828 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 3829 if (ih == NULL) 3830 goto out; 3831 3832 ihlen = ih->ihl * 4; 3833 if (ihlen < sizeof(_iph)) 3834 goto out; 3835 3836 ad->u.net->v4info.saddr = ih->saddr; 3837 ad->u.net->v4info.daddr = ih->daddr; 3838 ret = 0; 3839 3840 if (proto) 3841 *proto = ih->protocol; 3842 3843 switch (ih->protocol) { 3844 case IPPROTO_TCP: { 3845 struct tcphdr _tcph, *th; 3846 3847 if (ntohs(ih->frag_off) & IP_OFFSET) 3848 break; 3849 3850 offset += ihlen; 3851 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3852 if (th == NULL) 3853 break; 3854 3855 ad->u.net->sport = th->source; 3856 ad->u.net->dport = th->dest; 3857 break; 3858 } 3859 3860 case IPPROTO_UDP: { 3861 struct udphdr _udph, *uh; 3862 3863 if (ntohs(ih->frag_off) & IP_OFFSET) 3864 break; 3865 3866 offset += ihlen; 3867 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3868 if (uh == NULL) 3869 break; 3870 3871 ad->u.net->sport = uh->source; 3872 ad->u.net->dport = uh->dest; 3873 break; 3874 } 3875 3876 case IPPROTO_DCCP: { 3877 struct dccp_hdr _dccph, *dh; 3878 3879 if (ntohs(ih->frag_off) & IP_OFFSET) 3880 break; 3881 3882 offset += ihlen; 3883 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3884 if (dh == NULL) 3885 break; 3886 3887 ad->u.net->sport = dh->dccph_sport; 3888 ad->u.net->dport = dh->dccph_dport; 3889 break; 3890 } 3891 3892 default: 3893 break; 3894 } 3895 out: 3896 return ret; 3897 } 3898 3899 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3900 3901 /* Returns error only if unable to parse addresses */ 3902 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 3903 struct common_audit_data *ad, u8 *proto) 3904 { 3905 u8 nexthdr; 3906 int ret = -EINVAL, offset; 3907 struct ipv6hdr _ipv6h, *ip6; 3908 __be16 frag_off; 3909 3910 offset = skb_network_offset(skb); 3911 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3912 if (ip6 == NULL) 3913 goto out; 3914 3915 ad->u.net->v6info.saddr = ip6->saddr; 3916 ad->u.net->v6info.daddr = ip6->daddr; 3917 ret = 0; 3918 3919 nexthdr = ip6->nexthdr; 3920 offset += sizeof(_ipv6h); 3921 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 3922 if (offset < 0) 3923 goto out; 3924 3925 if (proto) 3926 *proto = nexthdr; 3927 3928 switch (nexthdr) { 3929 case IPPROTO_TCP: { 3930 struct tcphdr _tcph, *th; 3931 3932 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3933 if (th == NULL) 3934 break; 3935 3936 ad->u.net->sport = th->source; 3937 ad->u.net->dport = th->dest; 3938 break; 3939 } 3940 3941 case IPPROTO_UDP: { 3942 struct udphdr _udph, *uh; 3943 3944 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3945 if (uh == NULL) 3946 break; 3947 3948 ad->u.net->sport = uh->source; 3949 ad->u.net->dport = uh->dest; 3950 break; 3951 } 3952 3953 case IPPROTO_DCCP: { 3954 struct dccp_hdr _dccph, *dh; 3955 3956 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3957 if (dh == NULL) 3958 break; 3959 3960 ad->u.net->sport = dh->dccph_sport; 3961 ad->u.net->dport = dh->dccph_dport; 3962 break; 3963 } 3964 3965 /* includes fragments */ 3966 default: 3967 break; 3968 } 3969 out: 3970 return ret; 3971 } 3972 3973 #endif /* IPV6 */ 3974 3975 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 3976 char **_addrp, int src, u8 *proto) 3977 { 3978 char *addrp; 3979 int ret; 3980 3981 switch (ad->u.net->family) { 3982 case PF_INET: 3983 ret = selinux_parse_skb_ipv4(skb, ad, proto); 3984 if (ret) 3985 goto parse_error; 3986 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 3987 &ad->u.net->v4info.daddr); 3988 goto okay; 3989 3990 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3991 case PF_INET6: 3992 ret = selinux_parse_skb_ipv6(skb, ad, proto); 3993 if (ret) 3994 goto parse_error; 3995 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 3996 &ad->u.net->v6info.daddr); 3997 goto okay; 3998 #endif /* IPV6 */ 3999 default: 4000 addrp = NULL; 4001 goto okay; 4002 } 4003 4004 parse_error: 4005 printk(KERN_WARNING 4006 "SELinux: failure in selinux_parse_skb()," 4007 " unable to parse packet\n"); 4008 return ret; 4009 4010 okay: 4011 if (_addrp) 4012 *_addrp = addrp; 4013 return 0; 4014 } 4015 4016 /** 4017 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4018 * @skb: the packet 4019 * @family: protocol family 4020 * @sid: the packet's peer label SID 4021 * 4022 * Description: 4023 * Check the various different forms of network peer labeling and determine 4024 * the peer label/SID for the packet; most of the magic actually occurs in 4025 * the security server function security_net_peersid_cmp(). The function 4026 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4027 * or -EACCES if @sid is invalid due to inconsistencies with the different 4028 * peer labels. 4029 * 4030 */ 4031 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4032 { 4033 int err; 4034 u32 xfrm_sid; 4035 u32 nlbl_sid; 4036 u32 nlbl_type; 4037 4038 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4039 if (unlikely(err)) 4040 return -EACCES; 4041 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4042 if (unlikely(err)) 4043 return -EACCES; 4044 4045 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 4046 if (unlikely(err)) { 4047 printk(KERN_WARNING 4048 "SELinux: failure in selinux_skb_peerlbl_sid()," 4049 " unable to determine packet's peer label\n"); 4050 return -EACCES; 4051 } 4052 4053 return 0; 4054 } 4055 4056 /** 4057 * selinux_conn_sid - Determine the child socket label for a connection 4058 * @sk_sid: the parent socket's SID 4059 * @skb_sid: the packet's SID 4060 * @conn_sid: the resulting connection SID 4061 * 4062 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4063 * combined with the MLS information from @skb_sid in order to create 4064 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy 4065 * of @sk_sid. Returns zero on success, negative values on failure. 4066 * 4067 */ 4068 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4069 { 4070 int err = 0; 4071 4072 if (skb_sid != SECSID_NULL) 4073 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid); 4074 else 4075 *conn_sid = sk_sid; 4076 4077 return err; 4078 } 4079 4080 /* socket security operations */ 4081 4082 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4083 u16 secclass, u32 *socksid) 4084 { 4085 if (tsec->sockcreate_sid > SECSID_NULL) { 4086 *socksid = tsec->sockcreate_sid; 4087 return 0; 4088 } 4089 4090 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL, 4091 socksid); 4092 } 4093 4094 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms) 4095 { 4096 struct sk_security_struct *sksec = sk->sk_security; 4097 struct common_audit_data ad; 4098 struct lsm_network_audit net = {0,}; 4099 u32 tsid = task_sid(task); 4100 4101 if (sksec->sid == SECINITSID_KERNEL) 4102 return 0; 4103 4104 ad.type = LSM_AUDIT_DATA_NET; 4105 ad.u.net = &net; 4106 ad.u.net->sk = sk; 4107 4108 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad); 4109 } 4110 4111 static int selinux_socket_create(int family, int type, 4112 int protocol, int kern) 4113 { 4114 const struct task_security_struct *tsec = current_security(); 4115 u32 newsid; 4116 u16 secclass; 4117 int rc; 4118 4119 if (kern) 4120 return 0; 4121 4122 secclass = socket_type_to_security_class(family, type, protocol); 4123 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4124 if (rc) 4125 return rc; 4126 4127 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4128 } 4129 4130 static int selinux_socket_post_create(struct socket *sock, int family, 4131 int type, int protocol, int kern) 4132 { 4133 const struct task_security_struct *tsec = current_security(); 4134 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4135 struct sk_security_struct *sksec; 4136 int err = 0; 4137 4138 isec->sclass = socket_type_to_security_class(family, type, protocol); 4139 4140 if (kern) 4141 isec->sid = SECINITSID_KERNEL; 4142 else { 4143 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid)); 4144 if (err) 4145 return err; 4146 } 4147 4148 isec->initialized = LABEL_INITIALIZED; 4149 4150 if (sock->sk) { 4151 sksec = sock->sk->sk_security; 4152 sksec->sid = isec->sid; 4153 sksec->sclass = isec->sclass; 4154 err = selinux_netlbl_socket_post_create(sock->sk, family); 4155 } 4156 4157 return err; 4158 } 4159 4160 /* Range of port numbers used to automatically bind. 4161 Need to determine whether we should perform a name_bind 4162 permission check between the socket and the port number. */ 4163 4164 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4165 { 4166 struct sock *sk = sock->sk; 4167 u16 family; 4168 int err; 4169 4170 err = sock_has_perm(current, sk, SOCKET__BIND); 4171 if (err) 4172 goto out; 4173 4174 /* 4175 * If PF_INET or PF_INET6, check name_bind permission for the port. 4176 * Multiple address binding for SCTP is not supported yet: we just 4177 * check the first address now. 4178 */ 4179 family = sk->sk_family; 4180 if (family == PF_INET || family == PF_INET6) { 4181 char *addrp; 4182 struct sk_security_struct *sksec = sk->sk_security; 4183 struct common_audit_data ad; 4184 struct lsm_network_audit net = {0,}; 4185 struct sockaddr_in *addr4 = NULL; 4186 struct sockaddr_in6 *addr6 = NULL; 4187 unsigned short snum; 4188 u32 sid, node_perm; 4189 4190 if (family == PF_INET) { 4191 addr4 = (struct sockaddr_in *)address; 4192 snum = ntohs(addr4->sin_port); 4193 addrp = (char *)&addr4->sin_addr.s_addr; 4194 } else { 4195 addr6 = (struct sockaddr_in6 *)address; 4196 snum = ntohs(addr6->sin6_port); 4197 addrp = (char *)&addr6->sin6_addr.s6_addr; 4198 } 4199 4200 if (snum) { 4201 int low, high; 4202 4203 inet_get_local_port_range(sock_net(sk), &low, &high); 4204 4205 if (snum < max(PROT_SOCK, low) || snum > high) { 4206 err = sel_netport_sid(sk->sk_protocol, 4207 snum, &sid); 4208 if (err) 4209 goto out; 4210 ad.type = LSM_AUDIT_DATA_NET; 4211 ad.u.net = &net; 4212 ad.u.net->sport = htons(snum); 4213 ad.u.net->family = family; 4214 err = avc_has_perm(sksec->sid, sid, 4215 sksec->sclass, 4216 SOCKET__NAME_BIND, &ad); 4217 if (err) 4218 goto out; 4219 } 4220 } 4221 4222 switch (sksec->sclass) { 4223 case SECCLASS_TCP_SOCKET: 4224 node_perm = TCP_SOCKET__NODE_BIND; 4225 break; 4226 4227 case SECCLASS_UDP_SOCKET: 4228 node_perm = UDP_SOCKET__NODE_BIND; 4229 break; 4230 4231 case SECCLASS_DCCP_SOCKET: 4232 node_perm = DCCP_SOCKET__NODE_BIND; 4233 break; 4234 4235 default: 4236 node_perm = RAWIP_SOCKET__NODE_BIND; 4237 break; 4238 } 4239 4240 err = sel_netnode_sid(addrp, family, &sid); 4241 if (err) 4242 goto out; 4243 4244 ad.type = LSM_AUDIT_DATA_NET; 4245 ad.u.net = &net; 4246 ad.u.net->sport = htons(snum); 4247 ad.u.net->family = family; 4248 4249 if (family == PF_INET) 4250 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4251 else 4252 ad.u.net->v6info.saddr = addr6->sin6_addr; 4253 4254 err = avc_has_perm(sksec->sid, sid, 4255 sksec->sclass, node_perm, &ad); 4256 if (err) 4257 goto out; 4258 } 4259 out: 4260 return err; 4261 } 4262 4263 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 4264 { 4265 struct sock *sk = sock->sk; 4266 struct sk_security_struct *sksec = sk->sk_security; 4267 int err; 4268 4269 err = sock_has_perm(current, sk, SOCKET__CONNECT); 4270 if (err) 4271 return err; 4272 4273 /* 4274 * If a TCP or DCCP socket, check name_connect permission for the port. 4275 */ 4276 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4277 sksec->sclass == SECCLASS_DCCP_SOCKET) { 4278 struct common_audit_data ad; 4279 struct lsm_network_audit net = {0,}; 4280 struct sockaddr_in *addr4 = NULL; 4281 struct sockaddr_in6 *addr6 = NULL; 4282 unsigned short snum; 4283 u32 sid, perm; 4284 4285 if (sk->sk_family == PF_INET) { 4286 addr4 = (struct sockaddr_in *)address; 4287 if (addrlen < sizeof(struct sockaddr_in)) 4288 return -EINVAL; 4289 snum = ntohs(addr4->sin_port); 4290 } else { 4291 addr6 = (struct sockaddr_in6 *)address; 4292 if (addrlen < SIN6_LEN_RFC2133) 4293 return -EINVAL; 4294 snum = ntohs(addr6->sin6_port); 4295 } 4296 4297 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4298 if (err) 4299 goto out; 4300 4301 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ? 4302 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 4303 4304 ad.type = LSM_AUDIT_DATA_NET; 4305 ad.u.net = &net; 4306 ad.u.net->dport = htons(snum); 4307 ad.u.net->family = sk->sk_family; 4308 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 4309 if (err) 4310 goto out; 4311 } 4312 4313 err = selinux_netlbl_socket_connect(sk, address); 4314 4315 out: 4316 return err; 4317 } 4318 4319 static int selinux_socket_listen(struct socket *sock, int backlog) 4320 { 4321 return sock_has_perm(current, sock->sk, SOCKET__LISTEN); 4322 } 4323 4324 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4325 { 4326 int err; 4327 struct inode_security_struct *isec; 4328 struct inode_security_struct *newisec; 4329 4330 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT); 4331 if (err) 4332 return err; 4333 4334 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4335 4336 isec = inode_security_novalidate(SOCK_INODE(sock)); 4337 newisec->sclass = isec->sclass; 4338 newisec->sid = isec->sid; 4339 newisec->initialized = LABEL_INITIALIZED; 4340 4341 return 0; 4342 } 4343 4344 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4345 int size) 4346 { 4347 return sock_has_perm(current, sock->sk, SOCKET__WRITE); 4348 } 4349 4350 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4351 int size, int flags) 4352 { 4353 return sock_has_perm(current, sock->sk, SOCKET__READ); 4354 } 4355 4356 static int selinux_socket_getsockname(struct socket *sock) 4357 { 4358 return sock_has_perm(current, sock->sk, SOCKET__GETATTR); 4359 } 4360 4361 static int selinux_socket_getpeername(struct socket *sock) 4362 { 4363 return sock_has_perm(current, sock->sk, SOCKET__GETATTR); 4364 } 4365 4366 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4367 { 4368 int err; 4369 4370 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT); 4371 if (err) 4372 return err; 4373 4374 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4375 } 4376 4377 static int selinux_socket_getsockopt(struct socket *sock, int level, 4378 int optname) 4379 { 4380 return sock_has_perm(current, sock->sk, SOCKET__GETOPT); 4381 } 4382 4383 static int selinux_socket_shutdown(struct socket *sock, int how) 4384 { 4385 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN); 4386 } 4387 4388 static int selinux_socket_unix_stream_connect(struct sock *sock, 4389 struct sock *other, 4390 struct sock *newsk) 4391 { 4392 struct sk_security_struct *sksec_sock = sock->sk_security; 4393 struct sk_security_struct *sksec_other = other->sk_security; 4394 struct sk_security_struct *sksec_new = newsk->sk_security; 4395 struct common_audit_data ad; 4396 struct lsm_network_audit net = {0,}; 4397 int err; 4398 4399 ad.type = LSM_AUDIT_DATA_NET; 4400 ad.u.net = &net; 4401 ad.u.net->sk = other; 4402 4403 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 4404 sksec_other->sclass, 4405 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4406 if (err) 4407 return err; 4408 4409 /* server child socket */ 4410 sksec_new->peer_sid = sksec_sock->sid; 4411 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid, 4412 &sksec_new->sid); 4413 if (err) 4414 return err; 4415 4416 /* connecting socket */ 4417 sksec_sock->peer_sid = sksec_new->sid; 4418 4419 return 0; 4420 } 4421 4422 static int selinux_socket_unix_may_send(struct socket *sock, 4423 struct socket *other) 4424 { 4425 struct sk_security_struct *ssec = sock->sk->sk_security; 4426 struct sk_security_struct *osec = other->sk->sk_security; 4427 struct common_audit_data ad; 4428 struct lsm_network_audit net = {0,}; 4429 4430 ad.type = LSM_AUDIT_DATA_NET; 4431 ad.u.net = &net; 4432 ad.u.net->sk = other->sk; 4433 4434 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4435 &ad); 4436 } 4437 4438 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 4439 char *addrp, u16 family, u32 peer_sid, 4440 struct common_audit_data *ad) 4441 { 4442 int err; 4443 u32 if_sid; 4444 u32 node_sid; 4445 4446 err = sel_netif_sid(ns, ifindex, &if_sid); 4447 if (err) 4448 return err; 4449 err = avc_has_perm(peer_sid, if_sid, 4450 SECCLASS_NETIF, NETIF__INGRESS, ad); 4451 if (err) 4452 return err; 4453 4454 err = sel_netnode_sid(addrp, family, &node_sid); 4455 if (err) 4456 return err; 4457 return avc_has_perm(peer_sid, node_sid, 4458 SECCLASS_NODE, NODE__RECVFROM, ad); 4459 } 4460 4461 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4462 u16 family) 4463 { 4464 int err = 0; 4465 struct sk_security_struct *sksec = sk->sk_security; 4466 u32 sk_sid = sksec->sid; 4467 struct common_audit_data ad; 4468 struct lsm_network_audit net = {0,}; 4469 char *addrp; 4470 4471 ad.type = LSM_AUDIT_DATA_NET; 4472 ad.u.net = &net; 4473 ad.u.net->netif = skb->skb_iif; 4474 ad.u.net->family = family; 4475 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4476 if (err) 4477 return err; 4478 4479 if (selinux_secmark_enabled()) { 4480 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4481 PACKET__RECV, &ad); 4482 if (err) 4483 return err; 4484 } 4485 4486 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4487 if (err) 4488 return err; 4489 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 4490 4491 return err; 4492 } 4493 4494 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4495 { 4496 int err; 4497 struct sk_security_struct *sksec = sk->sk_security; 4498 u16 family = sk->sk_family; 4499 u32 sk_sid = sksec->sid; 4500 struct common_audit_data ad; 4501 struct lsm_network_audit net = {0,}; 4502 char *addrp; 4503 u8 secmark_active; 4504 u8 peerlbl_active; 4505 4506 if (family != PF_INET && family != PF_INET6) 4507 return 0; 4508 4509 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 4510 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4511 family = PF_INET; 4512 4513 /* If any sort of compatibility mode is enabled then handoff processing 4514 * to the selinux_sock_rcv_skb_compat() function to deal with the 4515 * special handling. We do this in an attempt to keep this function 4516 * as fast and as clean as possible. */ 4517 if (!selinux_policycap_netpeer) 4518 return selinux_sock_rcv_skb_compat(sk, skb, family); 4519 4520 secmark_active = selinux_secmark_enabled(); 4521 peerlbl_active = selinux_peerlbl_enabled(); 4522 if (!secmark_active && !peerlbl_active) 4523 return 0; 4524 4525 ad.type = LSM_AUDIT_DATA_NET; 4526 ad.u.net = &net; 4527 ad.u.net->netif = skb->skb_iif; 4528 ad.u.net->family = family; 4529 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4530 if (err) 4531 return err; 4532 4533 if (peerlbl_active) { 4534 u32 peer_sid; 4535 4536 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4537 if (err) 4538 return err; 4539 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 4540 addrp, family, peer_sid, &ad); 4541 if (err) { 4542 selinux_netlbl_err(skb, err, 0); 4543 return err; 4544 } 4545 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 4546 PEER__RECV, &ad); 4547 if (err) { 4548 selinux_netlbl_err(skb, err, 0); 4549 return err; 4550 } 4551 } 4552 4553 if (secmark_active) { 4554 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4555 PACKET__RECV, &ad); 4556 if (err) 4557 return err; 4558 } 4559 4560 return err; 4561 } 4562 4563 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 4564 int __user *optlen, unsigned len) 4565 { 4566 int err = 0; 4567 char *scontext; 4568 u32 scontext_len; 4569 struct sk_security_struct *sksec = sock->sk->sk_security; 4570 u32 peer_sid = SECSID_NULL; 4571 4572 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 4573 sksec->sclass == SECCLASS_TCP_SOCKET) 4574 peer_sid = sksec->peer_sid; 4575 if (peer_sid == SECSID_NULL) 4576 return -ENOPROTOOPT; 4577 4578 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 4579 if (err) 4580 return err; 4581 4582 if (scontext_len > len) { 4583 err = -ERANGE; 4584 goto out_len; 4585 } 4586 4587 if (copy_to_user(optval, scontext, scontext_len)) 4588 err = -EFAULT; 4589 4590 out_len: 4591 if (put_user(scontext_len, optlen)) 4592 err = -EFAULT; 4593 kfree(scontext); 4594 return err; 4595 } 4596 4597 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 4598 { 4599 u32 peer_secid = SECSID_NULL; 4600 u16 family; 4601 4602 if (skb && skb->protocol == htons(ETH_P_IP)) 4603 family = PF_INET; 4604 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 4605 family = PF_INET6; 4606 else if (sock) 4607 family = sock->sk->sk_family; 4608 else 4609 goto out; 4610 4611 if (sock && family == PF_UNIX) 4612 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid); 4613 else if (skb) 4614 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 4615 4616 out: 4617 *secid = peer_secid; 4618 if (peer_secid == SECSID_NULL) 4619 return -EINVAL; 4620 return 0; 4621 } 4622 4623 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 4624 { 4625 struct sk_security_struct *sksec; 4626 4627 sksec = kzalloc(sizeof(*sksec), priority); 4628 if (!sksec) 4629 return -ENOMEM; 4630 4631 sksec->peer_sid = SECINITSID_UNLABELED; 4632 sksec->sid = SECINITSID_UNLABELED; 4633 sksec->sclass = SECCLASS_SOCKET; 4634 selinux_netlbl_sk_security_reset(sksec); 4635 sk->sk_security = sksec; 4636 4637 return 0; 4638 } 4639 4640 static void selinux_sk_free_security(struct sock *sk) 4641 { 4642 struct sk_security_struct *sksec = sk->sk_security; 4643 4644 sk->sk_security = NULL; 4645 selinux_netlbl_sk_security_free(sksec); 4646 kfree(sksec); 4647 } 4648 4649 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 4650 { 4651 struct sk_security_struct *sksec = sk->sk_security; 4652 struct sk_security_struct *newsksec = newsk->sk_security; 4653 4654 newsksec->sid = sksec->sid; 4655 newsksec->peer_sid = sksec->peer_sid; 4656 newsksec->sclass = sksec->sclass; 4657 4658 selinux_netlbl_sk_security_reset(newsksec); 4659 } 4660 4661 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 4662 { 4663 if (!sk) 4664 *secid = SECINITSID_ANY_SOCKET; 4665 else { 4666 struct sk_security_struct *sksec = sk->sk_security; 4667 4668 *secid = sksec->sid; 4669 } 4670 } 4671 4672 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 4673 { 4674 struct inode_security_struct *isec = 4675 inode_security_novalidate(SOCK_INODE(parent)); 4676 struct sk_security_struct *sksec = sk->sk_security; 4677 4678 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 4679 sk->sk_family == PF_UNIX) 4680 isec->sid = sksec->sid; 4681 sksec->sclass = isec->sclass; 4682 } 4683 4684 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4685 struct request_sock *req) 4686 { 4687 struct sk_security_struct *sksec = sk->sk_security; 4688 int err; 4689 u16 family = req->rsk_ops->family; 4690 u32 connsid; 4691 u32 peersid; 4692 4693 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 4694 if (err) 4695 return err; 4696 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 4697 if (err) 4698 return err; 4699 req->secid = connsid; 4700 req->peer_secid = peersid; 4701 4702 return selinux_netlbl_inet_conn_request(req, family); 4703 } 4704 4705 static void selinux_inet_csk_clone(struct sock *newsk, 4706 const struct request_sock *req) 4707 { 4708 struct sk_security_struct *newsksec = newsk->sk_security; 4709 4710 newsksec->sid = req->secid; 4711 newsksec->peer_sid = req->peer_secid; 4712 /* NOTE: Ideally, we should also get the isec->sid for the 4713 new socket in sync, but we don't have the isec available yet. 4714 So we will wait until sock_graft to do it, by which 4715 time it will have been created and available. */ 4716 4717 /* We don't need to take any sort of lock here as we are the only 4718 * thread with access to newsksec */ 4719 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 4720 } 4721 4722 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 4723 { 4724 u16 family = sk->sk_family; 4725 struct sk_security_struct *sksec = sk->sk_security; 4726 4727 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 4728 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4729 family = PF_INET; 4730 4731 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 4732 } 4733 4734 static int selinux_secmark_relabel_packet(u32 sid) 4735 { 4736 const struct task_security_struct *__tsec; 4737 u32 tsid; 4738 4739 __tsec = current_security(); 4740 tsid = __tsec->sid; 4741 4742 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL); 4743 } 4744 4745 static void selinux_secmark_refcount_inc(void) 4746 { 4747 atomic_inc(&selinux_secmark_refcount); 4748 } 4749 4750 static void selinux_secmark_refcount_dec(void) 4751 { 4752 atomic_dec(&selinux_secmark_refcount); 4753 } 4754 4755 static void selinux_req_classify_flow(const struct request_sock *req, 4756 struct flowi *fl) 4757 { 4758 fl->flowi_secid = req->secid; 4759 } 4760 4761 static int selinux_tun_dev_alloc_security(void **security) 4762 { 4763 struct tun_security_struct *tunsec; 4764 4765 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 4766 if (!tunsec) 4767 return -ENOMEM; 4768 tunsec->sid = current_sid(); 4769 4770 *security = tunsec; 4771 return 0; 4772 } 4773 4774 static void selinux_tun_dev_free_security(void *security) 4775 { 4776 kfree(security); 4777 } 4778 4779 static int selinux_tun_dev_create(void) 4780 { 4781 u32 sid = current_sid(); 4782 4783 /* we aren't taking into account the "sockcreate" SID since the socket 4784 * that is being created here is not a socket in the traditional sense, 4785 * instead it is a private sock, accessible only to the kernel, and 4786 * representing a wide range of network traffic spanning multiple 4787 * connections unlike traditional sockets - check the TUN driver to 4788 * get a better understanding of why this socket is special */ 4789 4790 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 4791 NULL); 4792 } 4793 4794 static int selinux_tun_dev_attach_queue(void *security) 4795 { 4796 struct tun_security_struct *tunsec = security; 4797 4798 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 4799 TUN_SOCKET__ATTACH_QUEUE, NULL); 4800 } 4801 4802 static int selinux_tun_dev_attach(struct sock *sk, void *security) 4803 { 4804 struct tun_security_struct *tunsec = security; 4805 struct sk_security_struct *sksec = sk->sk_security; 4806 4807 /* we don't currently perform any NetLabel based labeling here and it 4808 * isn't clear that we would want to do so anyway; while we could apply 4809 * labeling without the support of the TUN user the resulting labeled 4810 * traffic from the other end of the connection would almost certainly 4811 * cause confusion to the TUN user that had no idea network labeling 4812 * protocols were being used */ 4813 4814 sksec->sid = tunsec->sid; 4815 sksec->sclass = SECCLASS_TUN_SOCKET; 4816 4817 return 0; 4818 } 4819 4820 static int selinux_tun_dev_open(void *security) 4821 { 4822 struct tun_security_struct *tunsec = security; 4823 u32 sid = current_sid(); 4824 int err; 4825 4826 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 4827 TUN_SOCKET__RELABELFROM, NULL); 4828 if (err) 4829 return err; 4830 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 4831 TUN_SOCKET__RELABELTO, NULL); 4832 if (err) 4833 return err; 4834 tunsec->sid = sid; 4835 4836 return 0; 4837 } 4838 4839 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 4840 { 4841 int err = 0; 4842 u32 perm; 4843 struct nlmsghdr *nlh; 4844 struct sk_security_struct *sksec = sk->sk_security; 4845 4846 if (skb->len < NLMSG_HDRLEN) { 4847 err = -EINVAL; 4848 goto out; 4849 } 4850 nlh = nlmsg_hdr(skb); 4851 4852 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 4853 if (err) { 4854 if (err == -EINVAL) { 4855 pr_warn_ratelimited("SELinux: unrecognized netlink" 4856 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 4857 " pig=%d comm=%s\n", 4858 sk->sk_protocol, nlh->nlmsg_type, 4859 secclass_map[sksec->sclass - 1].name, 4860 task_pid_nr(current), current->comm); 4861 if (!selinux_enforcing || security_get_allow_unknown()) 4862 err = 0; 4863 } 4864 4865 /* Ignore */ 4866 if (err == -ENOENT) 4867 err = 0; 4868 goto out; 4869 } 4870 4871 err = sock_has_perm(current, sk, perm); 4872 out: 4873 return err; 4874 } 4875 4876 #ifdef CONFIG_NETFILTER 4877 4878 static unsigned int selinux_ip_forward(struct sk_buff *skb, 4879 const struct net_device *indev, 4880 u16 family) 4881 { 4882 int err; 4883 char *addrp; 4884 u32 peer_sid; 4885 struct common_audit_data ad; 4886 struct lsm_network_audit net = {0,}; 4887 u8 secmark_active; 4888 u8 netlbl_active; 4889 u8 peerlbl_active; 4890 4891 if (!selinux_policycap_netpeer) 4892 return NF_ACCEPT; 4893 4894 secmark_active = selinux_secmark_enabled(); 4895 netlbl_active = netlbl_enabled(); 4896 peerlbl_active = selinux_peerlbl_enabled(); 4897 if (!secmark_active && !peerlbl_active) 4898 return NF_ACCEPT; 4899 4900 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 4901 return NF_DROP; 4902 4903 ad.type = LSM_AUDIT_DATA_NET; 4904 ad.u.net = &net; 4905 ad.u.net->netif = indev->ifindex; 4906 ad.u.net->family = family; 4907 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 4908 return NF_DROP; 4909 4910 if (peerlbl_active) { 4911 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 4912 addrp, family, peer_sid, &ad); 4913 if (err) { 4914 selinux_netlbl_err(skb, err, 1); 4915 return NF_DROP; 4916 } 4917 } 4918 4919 if (secmark_active) 4920 if (avc_has_perm(peer_sid, skb->secmark, 4921 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 4922 return NF_DROP; 4923 4924 if (netlbl_active) 4925 /* we do this in the FORWARD path and not the POST_ROUTING 4926 * path because we want to make sure we apply the necessary 4927 * labeling before IPsec is applied so we can leverage AH 4928 * protection */ 4929 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 4930 return NF_DROP; 4931 4932 return NF_ACCEPT; 4933 } 4934 4935 static unsigned int selinux_ipv4_forward(void *priv, 4936 struct sk_buff *skb, 4937 const struct nf_hook_state *state) 4938 { 4939 return selinux_ip_forward(skb, state->in, PF_INET); 4940 } 4941 4942 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4943 static unsigned int selinux_ipv6_forward(void *priv, 4944 struct sk_buff *skb, 4945 const struct nf_hook_state *state) 4946 { 4947 return selinux_ip_forward(skb, state->in, PF_INET6); 4948 } 4949 #endif /* IPV6 */ 4950 4951 static unsigned int selinux_ip_output(struct sk_buff *skb, 4952 u16 family) 4953 { 4954 struct sock *sk; 4955 u32 sid; 4956 4957 if (!netlbl_enabled()) 4958 return NF_ACCEPT; 4959 4960 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 4961 * because we want to make sure we apply the necessary labeling 4962 * before IPsec is applied so we can leverage AH protection */ 4963 sk = skb->sk; 4964 if (sk) { 4965 struct sk_security_struct *sksec; 4966 4967 if (sk_listener(sk)) 4968 /* if the socket is the listening state then this 4969 * packet is a SYN-ACK packet which means it needs to 4970 * be labeled based on the connection/request_sock and 4971 * not the parent socket. unfortunately, we can't 4972 * lookup the request_sock yet as it isn't queued on 4973 * the parent socket until after the SYN-ACK is sent. 4974 * the "solution" is to simply pass the packet as-is 4975 * as any IP option based labeling should be copied 4976 * from the initial connection request (in the IP 4977 * layer). it is far from ideal, but until we get a 4978 * security label in the packet itself this is the 4979 * best we can do. */ 4980 return NF_ACCEPT; 4981 4982 /* standard practice, label using the parent socket */ 4983 sksec = sk->sk_security; 4984 sid = sksec->sid; 4985 } else 4986 sid = SECINITSID_KERNEL; 4987 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 4988 return NF_DROP; 4989 4990 return NF_ACCEPT; 4991 } 4992 4993 static unsigned int selinux_ipv4_output(void *priv, 4994 struct sk_buff *skb, 4995 const struct nf_hook_state *state) 4996 { 4997 return selinux_ip_output(skb, PF_INET); 4998 } 4999 5000 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5001 int ifindex, 5002 u16 family) 5003 { 5004 struct sock *sk = skb_to_full_sk(skb); 5005 struct sk_security_struct *sksec; 5006 struct common_audit_data ad; 5007 struct lsm_network_audit net = {0,}; 5008 char *addrp; 5009 u8 proto; 5010 5011 if (sk == NULL) 5012 return NF_ACCEPT; 5013 sksec = sk->sk_security; 5014 5015 ad.type = LSM_AUDIT_DATA_NET; 5016 ad.u.net = &net; 5017 ad.u.net->netif = ifindex; 5018 ad.u.net->family = family; 5019 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5020 return NF_DROP; 5021 5022 if (selinux_secmark_enabled()) 5023 if (avc_has_perm(sksec->sid, skb->secmark, 5024 SECCLASS_PACKET, PACKET__SEND, &ad)) 5025 return NF_DROP_ERR(-ECONNREFUSED); 5026 5027 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5028 return NF_DROP_ERR(-ECONNREFUSED); 5029 5030 return NF_ACCEPT; 5031 } 5032 5033 static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5034 const struct net_device *outdev, 5035 u16 family) 5036 { 5037 u32 secmark_perm; 5038 u32 peer_sid; 5039 int ifindex = outdev->ifindex; 5040 struct sock *sk; 5041 struct common_audit_data ad; 5042 struct lsm_network_audit net = {0,}; 5043 char *addrp; 5044 u8 secmark_active; 5045 u8 peerlbl_active; 5046 5047 /* If any sort of compatibility mode is enabled then handoff processing 5048 * to the selinux_ip_postroute_compat() function to deal with the 5049 * special handling. We do this in an attempt to keep this function 5050 * as fast and as clean as possible. */ 5051 if (!selinux_policycap_netpeer) 5052 return selinux_ip_postroute_compat(skb, ifindex, family); 5053 5054 secmark_active = selinux_secmark_enabled(); 5055 peerlbl_active = selinux_peerlbl_enabled(); 5056 if (!secmark_active && !peerlbl_active) 5057 return NF_ACCEPT; 5058 5059 sk = skb_to_full_sk(skb); 5060 5061 #ifdef CONFIG_XFRM 5062 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5063 * packet transformation so allow the packet to pass without any checks 5064 * since we'll have another chance to perform access control checks 5065 * when the packet is on it's final way out. 5066 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5067 * is NULL, in this case go ahead and apply access control. 5068 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5069 * TCP listening state we cannot wait until the XFRM processing 5070 * is done as we will miss out on the SA label if we do; 5071 * unfortunately, this means more work, but it is only once per 5072 * connection. */ 5073 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5074 !(sk && sk_listener(sk))) 5075 return NF_ACCEPT; 5076 #endif 5077 5078 if (sk == NULL) { 5079 /* Without an associated socket the packet is either coming 5080 * from the kernel or it is being forwarded; check the packet 5081 * to determine which and if the packet is being forwarded 5082 * query the packet directly to determine the security label. */ 5083 if (skb->skb_iif) { 5084 secmark_perm = PACKET__FORWARD_OUT; 5085 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5086 return NF_DROP; 5087 } else { 5088 secmark_perm = PACKET__SEND; 5089 peer_sid = SECINITSID_KERNEL; 5090 } 5091 } else if (sk_listener(sk)) { 5092 /* Locally generated packet but the associated socket is in the 5093 * listening state which means this is a SYN-ACK packet. In 5094 * this particular case the correct security label is assigned 5095 * to the connection/request_sock but unfortunately we can't 5096 * query the request_sock as it isn't queued on the parent 5097 * socket until after the SYN-ACK packet is sent; the only 5098 * viable choice is to regenerate the label like we do in 5099 * selinux_inet_conn_request(). See also selinux_ip_output() 5100 * for similar problems. */ 5101 u32 skb_sid; 5102 struct sk_security_struct *sksec; 5103 5104 sksec = sk->sk_security; 5105 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5106 return NF_DROP; 5107 /* At this point, if the returned skb peerlbl is SECSID_NULL 5108 * and the packet has been through at least one XFRM 5109 * transformation then we must be dealing with the "final" 5110 * form of labeled IPsec packet; since we've already applied 5111 * all of our access controls on this packet we can safely 5112 * pass the packet. */ 5113 if (skb_sid == SECSID_NULL) { 5114 switch (family) { 5115 case PF_INET: 5116 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5117 return NF_ACCEPT; 5118 break; 5119 case PF_INET6: 5120 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5121 return NF_ACCEPT; 5122 break; 5123 default: 5124 return NF_DROP_ERR(-ECONNREFUSED); 5125 } 5126 } 5127 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5128 return NF_DROP; 5129 secmark_perm = PACKET__SEND; 5130 } else { 5131 /* Locally generated packet, fetch the security label from the 5132 * associated socket. */ 5133 struct sk_security_struct *sksec = sk->sk_security; 5134 peer_sid = sksec->sid; 5135 secmark_perm = PACKET__SEND; 5136 } 5137 5138 ad.type = LSM_AUDIT_DATA_NET; 5139 ad.u.net = &net; 5140 ad.u.net->netif = ifindex; 5141 ad.u.net->family = family; 5142 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5143 return NF_DROP; 5144 5145 if (secmark_active) 5146 if (avc_has_perm(peer_sid, skb->secmark, 5147 SECCLASS_PACKET, secmark_perm, &ad)) 5148 return NF_DROP_ERR(-ECONNREFUSED); 5149 5150 if (peerlbl_active) { 5151 u32 if_sid; 5152 u32 node_sid; 5153 5154 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5155 return NF_DROP; 5156 if (avc_has_perm(peer_sid, if_sid, 5157 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5158 return NF_DROP_ERR(-ECONNREFUSED); 5159 5160 if (sel_netnode_sid(addrp, family, &node_sid)) 5161 return NF_DROP; 5162 if (avc_has_perm(peer_sid, node_sid, 5163 SECCLASS_NODE, NODE__SENDTO, &ad)) 5164 return NF_DROP_ERR(-ECONNREFUSED); 5165 } 5166 5167 return NF_ACCEPT; 5168 } 5169 5170 static unsigned int selinux_ipv4_postroute(void *priv, 5171 struct sk_buff *skb, 5172 const struct nf_hook_state *state) 5173 { 5174 return selinux_ip_postroute(skb, state->out, PF_INET); 5175 } 5176 5177 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5178 static unsigned int selinux_ipv6_postroute(void *priv, 5179 struct sk_buff *skb, 5180 const struct nf_hook_state *state) 5181 { 5182 return selinux_ip_postroute(skb, state->out, PF_INET6); 5183 } 5184 #endif /* IPV6 */ 5185 5186 #endif /* CONFIG_NETFILTER */ 5187 5188 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5189 { 5190 return selinux_nlmsg_perm(sk, skb); 5191 } 5192 5193 static int ipc_alloc_security(struct task_struct *task, 5194 struct kern_ipc_perm *perm, 5195 u16 sclass) 5196 { 5197 struct ipc_security_struct *isec; 5198 u32 sid; 5199 5200 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 5201 if (!isec) 5202 return -ENOMEM; 5203 5204 sid = task_sid(task); 5205 isec->sclass = sclass; 5206 isec->sid = sid; 5207 perm->security = isec; 5208 5209 return 0; 5210 } 5211 5212 static void ipc_free_security(struct kern_ipc_perm *perm) 5213 { 5214 struct ipc_security_struct *isec = perm->security; 5215 perm->security = NULL; 5216 kfree(isec); 5217 } 5218 5219 static int msg_msg_alloc_security(struct msg_msg *msg) 5220 { 5221 struct msg_security_struct *msec; 5222 5223 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 5224 if (!msec) 5225 return -ENOMEM; 5226 5227 msec->sid = SECINITSID_UNLABELED; 5228 msg->security = msec; 5229 5230 return 0; 5231 } 5232 5233 static void msg_msg_free_security(struct msg_msg *msg) 5234 { 5235 struct msg_security_struct *msec = msg->security; 5236 5237 msg->security = NULL; 5238 kfree(msec); 5239 } 5240 5241 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 5242 u32 perms) 5243 { 5244 struct ipc_security_struct *isec; 5245 struct common_audit_data ad; 5246 u32 sid = current_sid(); 5247 5248 isec = ipc_perms->security; 5249 5250 ad.type = LSM_AUDIT_DATA_IPC; 5251 ad.u.ipc_id = ipc_perms->key; 5252 5253 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 5254 } 5255 5256 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5257 { 5258 return msg_msg_alloc_security(msg); 5259 } 5260 5261 static void selinux_msg_msg_free_security(struct msg_msg *msg) 5262 { 5263 msg_msg_free_security(msg); 5264 } 5265 5266 /* message queue security operations */ 5267 static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 5268 { 5269 struct ipc_security_struct *isec; 5270 struct common_audit_data ad; 5271 u32 sid = current_sid(); 5272 int rc; 5273 5274 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ); 5275 if (rc) 5276 return rc; 5277 5278 isec = msq->q_perm.security; 5279 5280 ad.type = LSM_AUDIT_DATA_IPC; 5281 ad.u.ipc_id = msq->q_perm.key; 5282 5283 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5284 MSGQ__CREATE, &ad); 5285 if (rc) { 5286 ipc_free_security(&msq->q_perm); 5287 return rc; 5288 } 5289 return 0; 5290 } 5291 5292 static void selinux_msg_queue_free_security(struct msg_queue *msq) 5293 { 5294 ipc_free_security(&msq->q_perm); 5295 } 5296 5297 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 5298 { 5299 struct ipc_security_struct *isec; 5300 struct common_audit_data ad; 5301 u32 sid = current_sid(); 5302 5303 isec = msq->q_perm.security; 5304 5305 ad.type = LSM_AUDIT_DATA_IPC; 5306 ad.u.ipc_id = msq->q_perm.key; 5307 5308 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5309 MSGQ__ASSOCIATE, &ad); 5310 } 5311 5312 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 5313 { 5314 int err; 5315 int perms; 5316 5317 switch (cmd) { 5318 case IPC_INFO: 5319 case MSG_INFO: 5320 /* No specific object, just general system-wide information. */ 5321 return task_has_system(current, SYSTEM__IPC_INFO); 5322 case IPC_STAT: 5323 case MSG_STAT: 5324 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 5325 break; 5326 case IPC_SET: 5327 perms = MSGQ__SETATTR; 5328 break; 5329 case IPC_RMID: 5330 perms = MSGQ__DESTROY; 5331 break; 5332 default: 5333 return 0; 5334 } 5335 5336 err = ipc_has_perm(&msq->q_perm, perms); 5337 return err; 5338 } 5339 5340 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 5341 { 5342 struct ipc_security_struct *isec; 5343 struct msg_security_struct *msec; 5344 struct common_audit_data ad; 5345 u32 sid = current_sid(); 5346 int rc; 5347 5348 isec = msq->q_perm.security; 5349 msec = msg->security; 5350 5351 /* 5352 * First time through, need to assign label to the message 5353 */ 5354 if (msec->sid == SECINITSID_UNLABELED) { 5355 /* 5356 * Compute new sid based on current process and 5357 * message queue this message will be stored in 5358 */ 5359 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG, 5360 NULL, &msec->sid); 5361 if (rc) 5362 return rc; 5363 } 5364 5365 ad.type = LSM_AUDIT_DATA_IPC; 5366 ad.u.ipc_id = msq->q_perm.key; 5367 5368 /* Can this process write to the queue? */ 5369 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5370 MSGQ__WRITE, &ad); 5371 if (!rc) 5372 /* Can this process send the message */ 5373 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 5374 MSG__SEND, &ad); 5375 if (!rc) 5376 /* Can the message be put in the queue? */ 5377 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 5378 MSGQ__ENQUEUE, &ad); 5379 5380 return rc; 5381 } 5382 5383 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 5384 struct task_struct *target, 5385 long type, int mode) 5386 { 5387 struct ipc_security_struct *isec; 5388 struct msg_security_struct *msec; 5389 struct common_audit_data ad; 5390 u32 sid = task_sid(target); 5391 int rc; 5392 5393 isec = msq->q_perm.security; 5394 msec = msg->security; 5395 5396 ad.type = LSM_AUDIT_DATA_IPC; 5397 ad.u.ipc_id = msq->q_perm.key; 5398 5399 rc = avc_has_perm(sid, isec->sid, 5400 SECCLASS_MSGQ, MSGQ__READ, &ad); 5401 if (!rc) 5402 rc = avc_has_perm(sid, msec->sid, 5403 SECCLASS_MSG, MSG__RECEIVE, &ad); 5404 return rc; 5405 } 5406 5407 /* Shared Memory security operations */ 5408 static int selinux_shm_alloc_security(struct shmid_kernel *shp) 5409 { 5410 struct ipc_security_struct *isec; 5411 struct common_audit_data ad; 5412 u32 sid = current_sid(); 5413 int rc; 5414 5415 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM); 5416 if (rc) 5417 return rc; 5418 5419 isec = shp->shm_perm.security; 5420 5421 ad.type = LSM_AUDIT_DATA_IPC; 5422 ad.u.ipc_id = shp->shm_perm.key; 5423 5424 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5425 SHM__CREATE, &ad); 5426 if (rc) { 5427 ipc_free_security(&shp->shm_perm); 5428 return rc; 5429 } 5430 return 0; 5431 } 5432 5433 static void selinux_shm_free_security(struct shmid_kernel *shp) 5434 { 5435 ipc_free_security(&shp->shm_perm); 5436 } 5437 5438 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 5439 { 5440 struct ipc_security_struct *isec; 5441 struct common_audit_data ad; 5442 u32 sid = current_sid(); 5443 5444 isec = shp->shm_perm.security; 5445 5446 ad.type = LSM_AUDIT_DATA_IPC; 5447 ad.u.ipc_id = shp->shm_perm.key; 5448 5449 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5450 SHM__ASSOCIATE, &ad); 5451 } 5452 5453 /* Note, at this point, shp is locked down */ 5454 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 5455 { 5456 int perms; 5457 int err; 5458 5459 switch (cmd) { 5460 case IPC_INFO: 5461 case SHM_INFO: 5462 /* No specific object, just general system-wide information. */ 5463 return task_has_system(current, SYSTEM__IPC_INFO); 5464 case IPC_STAT: 5465 case SHM_STAT: 5466 perms = SHM__GETATTR | SHM__ASSOCIATE; 5467 break; 5468 case IPC_SET: 5469 perms = SHM__SETATTR; 5470 break; 5471 case SHM_LOCK: 5472 case SHM_UNLOCK: 5473 perms = SHM__LOCK; 5474 break; 5475 case IPC_RMID: 5476 perms = SHM__DESTROY; 5477 break; 5478 default: 5479 return 0; 5480 } 5481 5482 err = ipc_has_perm(&shp->shm_perm, perms); 5483 return err; 5484 } 5485 5486 static int selinux_shm_shmat(struct shmid_kernel *shp, 5487 char __user *shmaddr, int shmflg) 5488 { 5489 u32 perms; 5490 5491 if (shmflg & SHM_RDONLY) 5492 perms = SHM__READ; 5493 else 5494 perms = SHM__READ | SHM__WRITE; 5495 5496 return ipc_has_perm(&shp->shm_perm, perms); 5497 } 5498 5499 /* Semaphore security operations */ 5500 static int selinux_sem_alloc_security(struct sem_array *sma) 5501 { 5502 struct ipc_security_struct *isec; 5503 struct common_audit_data ad; 5504 u32 sid = current_sid(); 5505 int rc; 5506 5507 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM); 5508 if (rc) 5509 return rc; 5510 5511 isec = sma->sem_perm.security; 5512 5513 ad.type = LSM_AUDIT_DATA_IPC; 5514 ad.u.ipc_id = sma->sem_perm.key; 5515 5516 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5517 SEM__CREATE, &ad); 5518 if (rc) { 5519 ipc_free_security(&sma->sem_perm); 5520 return rc; 5521 } 5522 return 0; 5523 } 5524 5525 static void selinux_sem_free_security(struct sem_array *sma) 5526 { 5527 ipc_free_security(&sma->sem_perm); 5528 } 5529 5530 static int selinux_sem_associate(struct sem_array *sma, int semflg) 5531 { 5532 struct ipc_security_struct *isec; 5533 struct common_audit_data ad; 5534 u32 sid = current_sid(); 5535 5536 isec = sma->sem_perm.security; 5537 5538 ad.type = LSM_AUDIT_DATA_IPC; 5539 ad.u.ipc_id = sma->sem_perm.key; 5540 5541 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5542 SEM__ASSOCIATE, &ad); 5543 } 5544 5545 /* Note, at this point, sma is locked down */ 5546 static int selinux_sem_semctl(struct sem_array *sma, int cmd) 5547 { 5548 int err; 5549 u32 perms; 5550 5551 switch (cmd) { 5552 case IPC_INFO: 5553 case SEM_INFO: 5554 /* No specific object, just general system-wide information. */ 5555 return task_has_system(current, SYSTEM__IPC_INFO); 5556 case GETPID: 5557 case GETNCNT: 5558 case GETZCNT: 5559 perms = SEM__GETATTR; 5560 break; 5561 case GETVAL: 5562 case GETALL: 5563 perms = SEM__READ; 5564 break; 5565 case SETVAL: 5566 case SETALL: 5567 perms = SEM__WRITE; 5568 break; 5569 case IPC_RMID: 5570 perms = SEM__DESTROY; 5571 break; 5572 case IPC_SET: 5573 perms = SEM__SETATTR; 5574 break; 5575 case IPC_STAT: 5576 case SEM_STAT: 5577 perms = SEM__GETATTR | SEM__ASSOCIATE; 5578 break; 5579 default: 5580 return 0; 5581 } 5582 5583 err = ipc_has_perm(&sma->sem_perm, perms); 5584 return err; 5585 } 5586 5587 static int selinux_sem_semop(struct sem_array *sma, 5588 struct sembuf *sops, unsigned nsops, int alter) 5589 { 5590 u32 perms; 5591 5592 if (alter) 5593 perms = SEM__READ | SEM__WRITE; 5594 else 5595 perms = SEM__READ; 5596 5597 return ipc_has_perm(&sma->sem_perm, perms); 5598 } 5599 5600 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 5601 { 5602 u32 av = 0; 5603 5604 av = 0; 5605 if (flag & S_IRUGO) 5606 av |= IPC__UNIX_READ; 5607 if (flag & S_IWUGO) 5608 av |= IPC__UNIX_WRITE; 5609 5610 if (av == 0) 5611 return 0; 5612 5613 return ipc_has_perm(ipcp, av); 5614 } 5615 5616 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 5617 { 5618 struct ipc_security_struct *isec = ipcp->security; 5619 *secid = isec->sid; 5620 } 5621 5622 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 5623 { 5624 if (inode) 5625 inode_doinit_with_dentry(inode, dentry); 5626 } 5627 5628 static int selinux_getprocattr(struct task_struct *p, 5629 char *name, char **value) 5630 { 5631 const struct task_security_struct *__tsec; 5632 u32 sid; 5633 int error; 5634 unsigned len; 5635 5636 if (current != p) { 5637 error = current_has_perm(p, PROCESS__GETATTR); 5638 if (error) 5639 return error; 5640 } 5641 5642 rcu_read_lock(); 5643 __tsec = __task_cred(p)->security; 5644 5645 if (!strcmp(name, "current")) 5646 sid = __tsec->sid; 5647 else if (!strcmp(name, "prev")) 5648 sid = __tsec->osid; 5649 else if (!strcmp(name, "exec")) 5650 sid = __tsec->exec_sid; 5651 else if (!strcmp(name, "fscreate")) 5652 sid = __tsec->create_sid; 5653 else if (!strcmp(name, "keycreate")) 5654 sid = __tsec->keycreate_sid; 5655 else if (!strcmp(name, "sockcreate")) 5656 sid = __tsec->sockcreate_sid; 5657 else 5658 goto invalid; 5659 rcu_read_unlock(); 5660 5661 if (!sid) 5662 return 0; 5663 5664 error = security_sid_to_context(sid, value, &len); 5665 if (error) 5666 return error; 5667 return len; 5668 5669 invalid: 5670 rcu_read_unlock(); 5671 return -EINVAL; 5672 } 5673 5674 static int selinux_setprocattr(struct task_struct *p, 5675 char *name, void *value, size_t size) 5676 { 5677 struct task_security_struct *tsec; 5678 struct task_struct *tracer; 5679 struct cred *new; 5680 u32 sid = 0, ptsid; 5681 int error; 5682 char *str = value; 5683 5684 if (current != p) { 5685 /* SELinux only allows a process to change its own 5686 security attributes. */ 5687 return -EACCES; 5688 } 5689 5690 /* 5691 * Basic control over ability to set these attributes at all. 5692 * current == p, but we'll pass them separately in case the 5693 * above restriction is ever removed. 5694 */ 5695 if (!strcmp(name, "exec")) 5696 error = current_has_perm(p, PROCESS__SETEXEC); 5697 else if (!strcmp(name, "fscreate")) 5698 error = current_has_perm(p, PROCESS__SETFSCREATE); 5699 else if (!strcmp(name, "keycreate")) 5700 error = current_has_perm(p, PROCESS__SETKEYCREATE); 5701 else if (!strcmp(name, "sockcreate")) 5702 error = current_has_perm(p, PROCESS__SETSOCKCREATE); 5703 else if (!strcmp(name, "current")) 5704 error = current_has_perm(p, PROCESS__SETCURRENT); 5705 else 5706 error = -EINVAL; 5707 if (error) 5708 return error; 5709 5710 /* Obtain a SID for the context, if one was specified. */ 5711 if (size && str[1] && str[1] != '\n') { 5712 if (str[size-1] == '\n') { 5713 str[size-1] = 0; 5714 size--; 5715 } 5716 error = security_context_to_sid(value, size, &sid, GFP_KERNEL); 5717 if (error == -EINVAL && !strcmp(name, "fscreate")) { 5718 if (!capable(CAP_MAC_ADMIN)) { 5719 struct audit_buffer *ab; 5720 size_t audit_size; 5721 5722 /* We strip a nul only if it is at the end, otherwise the 5723 * context contains a nul and we should audit that */ 5724 if (str[size - 1] == '\0') 5725 audit_size = size - 1; 5726 else 5727 audit_size = size; 5728 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 5729 audit_log_format(ab, "op=fscreate invalid_context="); 5730 audit_log_n_untrustedstring(ab, value, audit_size); 5731 audit_log_end(ab); 5732 5733 return error; 5734 } 5735 error = security_context_to_sid_force(value, size, 5736 &sid); 5737 } 5738 if (error) 5739 return error; 5740 } 5741 5742 new = prepare_creds(); 5743 if (!new) 5744 return -ENOMEM; 5745 5746 /* Permission checking based on the specified context is 5747 performed during the actual operation (execve, 5748 open/mkdir/...), when we know the full context of the 5749 operation. See selinux_bprm_set_creds for the execve 5750 checks and may_create for the file creation checks. The 5751 operation will then fail if the context is not permitted. */ 5752 tsec = new->security; 5753 if (!strcmp(name, "exec")) { 5754 tsec->exec_sid = sid; 5755 } else if (!strcmp(name, "fscreate")) { 5756 tsec->create_sid = sid; 5757 } else if (!strcmp(name, "keycreate")) { 5758 error = may_create_key(sid, p); 5759 if (error) 5760 goto abort_change; 5761 tsec->keycreate_sid = sid; 5762 } else if (!strcmp(name, "sockcreate")) { 5763 tsec->sockcreate_sid = sid; 5764 } else if (!strcmp(name, "current")) { 5765 error = -EINVAL; 5766 if (sid == 0) 5767 goto abort_change; 5768 5769 /* Only allow single threaded processes to change context */ 5770 error = -EPERM; 5771 if (!current_is_single_threaded()) { 5772 error = security_bounded_transition(tsec->sid, sid); 5773 if (error) 5774 goto abort_change; 5775 } 5776 5777 /* Check permissions for the transition. */ 5778 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 5779 PROCESS__DYNTRANSITION, NULL); 5780 if (error) 5781 goto abort_change; 5782 5783 /* Check for ptracing, and update the task SID if ok. 5784 Otherwise, leave SID unchanged and fail. */ 5785 ptsid = 0; 5786 rcu_read_lock(); 5787 tracer = ptrace_parent(p); 5788 if (tracer) 5789 ptsid = task_sid(tracer); 5790 rcu_read_unlock(); 5791 5792 if (tracer) { 5793 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 5794 PROCESS__PTRACE, NULL); 5795 if (error) 5796 goto abort_change; 5797 } 5798 5799 tsec->sid = sid; 5800 } else { 5801 error = -EINVAL; 5802 goto abort_change; 5803 } 5804 5805 commit_creds(new); 5806 return size; 5807 5808 abort_change: 5809 abort_creds(new); 5810 return error; 5811 } 5812 5813 static int selinux_ismaclabel(const char *name) 5814 { 5815 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 5816 } 5817 5818 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 5819 { 5820 return security_sid_to_context(secid, secdata, seclen); 5821 } 5822 5823 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 5824 { 5825 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL); 5826 } 5827 5828 static void selinux_release_secctx(char *secdata, u32 seclen) 5829 { 5830 kfree(secdata); 5831 } 5832 5833 static void selinux_inode_invalidate_secctx(struct inode *inode) 5834 { 5835 struct inode_security_struct *isec = inode->i_security; 5836 5837 mutex_lock(&isec->lock); 5838 isec->initialized = LABEL_INVALID; 5839 mutex_unlock(&isec->lock); 5840 } 5841 5842 /* 5843 * called with inode->i_mutex locked 5844 */ 5845 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 5846 { 5847 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); 5848 } 5849 5850 /* 5851 * called with inode->i_mutex locked 5852 */ 5853 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 5854 { 5855 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 5856 } 5857 5858 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 5859 { 5860 int len = 0; 5861 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 5862 ctx, true); 5863 if (len < 0) 5864 return len; 5865 *ctxlen = len; 5866 return 0; 5867 } 5868 #ifdef CONFIG_KEYS 5869 5870 static int selinux_key_alloc(struct key *k, const struct cred *cred, 5871 unsigned long flags) 5872 { 5873 const struct task_security_struct *tsec; 5874 struct key_security_struct *ksec; 5875 5876 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 5877 if (!ksec) 5878 return -ENOMEM; 5879 5880 tsec = cred->security; 5881 if (tsec->keycreate_sid) 5882 ksec->sid = tsec->keycreate_sid; 5883 else 5884 ksec->sid = tsec->sid; 5885 5886 k->security = ksec; 5887 return 0; 5888 } 5889 5890 static void selinux_key_free(struct key *k) 5891 { 5892 struct key_security_struct *ksec = k->security; 5893 5894 k->security = NULL; 5895 kfree(ksec); 5896 } 5897 5898 static int selinux_key_permission(key_ref_t key_ref, 5899 const struct cred *cred, 5900 unsigned perm) 5901 { 5902 struct key *key; 5903 struct key_security_struct *ksec; 5904 u32 sid; 5905 5906 /* if no specific permissions are requested, we skip the 5907 permission check. No serious, additional covert channels 5908 appear to be created. */ 5909 if (perm == 0) 5910 return 0; 5911 5912 sid = cred_sid(cred); 5913 5914 key = key_ref_to_ptr(key_ref); 5915 ksec = key->security; 5916 5917 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 5918 } 5919 5920 static int selinux_key_getsecurity(struct key *key, char **_buffer) 5921 { 5922 struct key_security_struct *ksec = key->security; 5923 char *context = NULL; 5924 unsigned len; 5925 int rc; 5926 5927 rc = security_sid_to_context(ksec->sid, &context, &len); 5928 if (!rc) 5929 rc = len; 5930 *_buffer = context; 5931 return rc; 5932 } 5933 5934 #endif 5935 5936 static struct security_hook_list selinux_hooks[] = { 5937 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 5938 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 5939 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 5940 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 5941 5942 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 5943 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 5944 LSM_HOOK_INIT(capget, selinux_capget), 5945 LSM_HOOK_INIT(capset, selinux_capset), 5946 LSM_HOOK_INIT(capable, selinux_capable), 5947 LSM_HOOK_INIT(quotactl, selinux_quotactl), 5948 LSM_HOOK_INIT(quota_on, selinux_quota_on), 5949 LSM_HOOK_INIT(syslog, selinux_syslog), 5950 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 5951 5952 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 5953 5954 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), 5955 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 5956 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 5957 LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec), 5958 5959 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 5960 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), 5961 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data), 5962 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 5963 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 5964 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 5965 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 5966 LSM_HOOK_INIT(sb_mount, selinux_mount), 5967 LSM_HOOK_INIT(sb_umount, selinux_umount), 5968 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 5969 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 5970 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str), 5971 5972 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 5973 5974 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 5975 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 5976 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 5977 LSM_HOOK_INIT(inode_create, selinux_inode_create), 5978 LSM_HOOK_INIT(inode_link, selinux_inode_link), 5979 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 5980 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 5981 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 5982 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 5983 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 5984 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 5985 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 5986 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 5987 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 5988 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 5989 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 5990 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 5991 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 5992 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 5993 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 5994 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 5995 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 5996 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 5997 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 5998 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 5999 6000 LSM_HOOK_INIT(file_permission, selinux_file_permission), 6001 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 6002 LSM_HOOK_INIT(file_free_security, selinux_file_free_security), 6003 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 6004 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 6005 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 6006 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 6007 LSM_HOOK_INIT(file_lock, selinux_file_lock), 6008 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 6009 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 6010 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 6011 LSM_HOOK_INIT(file_receive, selinux_file_receive), 6012 6013 LSM_HOOK_INIT(file_open, selinux_file_open), 6014 6015 LSM_HOOK_INIT(task_create, selinux_task_create), 6016 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank), 6017 LSM_HOOK_INIT(cred_free, selinux_cred_free), 6018 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 6019 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 6020 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 6021 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 6022 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 6023 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 6024 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 6025 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 6026 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid), 6027 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 6028 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 6029 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 6030 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 6031 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 6032 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 6033 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 6034 LSM_HOOK_INIT(task_kill, selinux_task_kill), 6035 LSM_HOOK_INIT(task_wait, selinux_task_wait), 6036 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 6037 6038 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 6039 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 6040 6041 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 6042 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security), 6043 6044 LSM_HOOK_INIT(msg_queue_alloc_security, 6045 selinux_msg_queue_alloc_security), 6046 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security), 6047 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 6048 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 6049 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 6050 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 6051 6052 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 6053 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security), 6054 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 6055 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 6056 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 6057 6058 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 6059 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security), 6060 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 6061 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 6062 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 6063 6064 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 6065 6066 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 6067 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 6068 6069 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 6070 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 6071 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 6072 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 6073 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 6074 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 6075 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 6076 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 6077 6078 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 6079 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 6080 6081 LSM_HOOK_INIT(socket_create, selinux_socket_create), 6082 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 6083 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 6084 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 6085 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 6086 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 6087 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 6088 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 6089 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 6090 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 6091 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 6092 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 6093 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 6094 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 6095 LSM_HOOK_INIT(socket_getpeersec_stream, 6096 selinux_socket_getpeersec_stream), 6097 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 6098 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 6099 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 6100 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 6101 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 6102 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 6103 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 6104 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 6105 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 6106 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 6107 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 6108 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 6109 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 6110 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 6111 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 6112 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 6113 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 6114 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 6115 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 6116 6117 #ifdef CONFIG_SECURITY_NETWORK_XFRM 6118 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 6119 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 6120 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 6121 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 6122 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 6123 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 6124 selinux_xfrm_state_alloc_acquire), 6125 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 6126 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 6127 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 6128 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 6129 selinux_xfrm_state_pol_flow_match), 6130 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 6131 #endif 6132 6133 #ifdef CONFIG_KEYS 6134 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 6135 LSM_HOOK_INIT(key_free, selinux_key_free), 6136 LSM_HOOK_INIT(key_permission, selinux_key_permission), 6137 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 6138 #endif 6139 6140 #ifdef CONFIG_AUDIT 6141 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 6142 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 6143 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 6144 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 6145 #endif 6146 }; 6147 6148 static __init int selinux_init(void) 6149 { 6150 if (!security_module_enable("selinux")) { 6151 selinux_enabled = 0; 6152 return 0; 6153 } 6154 6155 if (!selinux_enabled) { 6156 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 6157 return 0; 6158 } 6159 6160 printk(KERN_INFO "SELinux: Initializing.\n"); 6161 6162 /* Set the security state for the initial task. */ 6163 cred_init_security(); 6164 6165 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 6166 6167 sel_inode_cache = kmem_cache_create("selinux_inode_security", 6168 sizeof(struct inode_security_struct), 6169 0, SLAB_PANIC, NULL); 6170 file_security_cache = kmem_cache_create("selinux_file_security", 6171 sizeof(struct file_security_struct), 6172 0, SLAB_PANIC, NULL); 6173 avc_init(); 6174 6175 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 6176 6177 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 6178 panic("SELinux: Unable to register AVC netcache callback\n"); 6179 6180 if (selinux_enforcing) 6181 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 6182 else 6183 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 6184 6185 return 0; 6186 } 6187 6188 static void delayed_superblock_init(struct super_block *sb, void *unused) 6189 { 6190 superblock_doinit(sb, NULL); 6191 } 6192 6193 void selinux_complete_init(void) 6194 { 6195 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 6196 6197 /* Set up any superblocks initialized prior to the policy load. */ 6198 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 6199 iterate_supers(delayed_superblock_init, NULL); 6200 } 6201 6202 /* SELinux requires early initialization in order to label 6203 all processes and objects when they are created. */ 6204 security_initcall(selinux_init); 6205 6206 #if defined(CONFIG_NETFILTER) 6207 6208 static struct nf_hook_ops selinux_nf_ops[] = { 6209 { 6210 .hook = selinux_ipv4_postroute, 6211 .pf = NFPROTO_IPV4, 6212 .hooknum = NF_INET_POST_ROUTING, 6213 .priority = NF_IP_PRI_SELINUX_LAST, 6214 }, 6215 { 6216 .hook = selinux_ipv4_forward, 6217 .pf = NFPROTO_IPV4, 6218 .hooknum = NF_INET_FORWARD, 6219 .priority = NF_IP_PRI_SELINUX_FIRST, 6220 }, 6221 { 6222 .hook = selinux_ipv4_output, 6223 .pf = NFPROTO_IPV4, 6224 .hooknum = NF_INET_LOCAL_OUT, 6225 .priority = NF_IP_PRI_SELINUX_FIRST, 6226 }, 6227 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 6228 { 6229 .hook = selinux_ipv6_postroute, 6230 .pf = NFPROTO_IPV6, 6231 .hooknum = NF_INET_POST_ROUTING, 6232 .priority = NF_IP6_PRI_SELINUX_LAST, 6233 }, 6234 { 6235 .hook = selinux_ipv6_forward, 6236 .pf = NFPROTO_IPV6, 6237 .hooknum = NF_INET_FORWARD, 6238 .priority = NF_IP6_PRI_SELINUX_FIRST, 6239 }, 6240 #endif /* IPV6 */ 6241 }; 6242 6243 static int __init selinux_nf_ip_init(void) 6244 { 6245 int err; 6246 6247 if (!selinux_enabled) 6248 return 0; 6249 6250 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 6251 6252 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops)); 6253 if (err) 6254 panic("SELinux: nf_register_hooks: error %d\n", err); 6255 6256 return 0; 6257 } 6258 6259 __initcall(selinux_nf_ip_init); 6260 6261 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6262 static void selinux_nf_ip_exit(void) 6263 { 6264 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 6265 6266 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops)); 6267 } 6268 #endif 6269 6270 #else /* CONFIG_NETFILTER */ 6271 6272 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6273 #define selinux_nf_ip_exit() 6274 #endif 6275 6276 #endif /* CONFIG_NETFILTER */ 6277 6278 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6279 static int selinux_disabled; 6280 6281 int selinux_disable(void) 6282 { 6283 if (ss_initialized) { 6284 /* Not permitted after initial policy load. */ 6285 return -EINVAL; 6286 } 6287 6288 if (selinux_disabled) { 6289 /* Only do this once. */ 6290 return -EINVAL; 6291 } 6292 6293 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 6294 6295 selinux_disabled = 1; 6296 selinux_enabled = 0; 6297 6298 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 6299 6300 /* Try to destroy the avc node cache */ 6301 avc_disable(); 6302 6303 /* Unregister netfilter hooks. */ 6304 selinux_nf_ip_exit(); 6305 6306 /* Unregister selinuxfs. */ 6307 exit_sel_fs(); 6308 6309 return 0; 6310 } 6311 #endif 6312