1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Eric Paris <eparis@redhat.com> 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 15 * <dgoeddel@trustedcs.com> 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 17 * Paul Moore <paul@paul-moore.com> 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 20 * 21 * This program is free software; you can redistribute it and/or modify 22 * it under the terms of the GNU General Public License version 2, 23 * as published by the Free Software Foundation. 24 */ 25 26 #include <linux/init.h> 27 #include <linux/kd.h> 28 #include <linux/kernel.h> 29 #include <linux/tracehook.h> 30 #include <linux/errno.h> 31 #include <linux/sched.h> 32 #include <linux/security.h> 33 #include <linux/xattr.h> 34 #include <linux/capability.h> 35 #include <linux/unistd.h> 36 #include <linux/mm.h> 37 #include <linux/mman.h> 38 #include <linux/slab.h> 39 #include <linux/pagemap.h> 40 #include <linux/proc_fs.h> 41 #include <linux/swap.h> 42 #include <linux/spinlock.h> 43 #include <linux/syscalls.h> 44 #include <linux/dcache.h> 45 #include <linux/file.h> 46 #include <linux/fdtable.h> 47 #include <linux/namei.h> 48 #include <linux/mount.h> 49 #include <linux/netfilter_ipv4.h> 50 #include <linux/netfilter_ipv6.h> 51 #include <linux/tty.h> 52 #include <net/icmp.h> 53 #include <net/ip.h> /* for local_port_range[] */ 54 #include <net/sock.h> 55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 56 #include <net/net_namespace.h> 57 #include <net/netlabel.h> 58 #include <linux/uaccess.h> 59 #include <asm/ioctls.h> 60 #include <linux/atomic.h> 61 #include <linux/bitops.h> 62 #include <linux/interrupt.h> 63 #include <linux/netdevice.h> /* for network interface checks */ 64 #include <net/netlink.h> 65 #include <linux/tcp.h> 66 #include <linux/udp.h> 67 #include <linux/dccp.h> 68 #include <linux/quota.h> 69 #include <linux/un.h> /* for Unix socket types */ 70 #include <net/af_unix.h> /* for Unix socket types */ 71 #include <linux/parser.h> 72 #include <linux/nfs_mount.h> 73 #include <net/ipv6.h> 74 #include <linux/hugetlb.h> 75 #include <linux/personality.h> 76 #include <linux/audit.h> 77 #include <linux/string.h> 78 #include <linux/selinux.h> 79 #include <linux/mutex.h> 80 #include <linux/posix-timers.h> 81 #include <linux/syslog.h> 82 #include <linux/user_namespace.h> 83 #include <linux/export.h> 84 #include <linux/msg.h> 85 #include <linux/shm.h> 86 87 #include "avc.h" 88 #include "objsec.h" 89 #include "netif.h" 90 #include "netnode.h" 91 #include "netport.h" 92 #include "xfrm.h" 93 #include "netlabel.h" 94 #include "audit.h" 95 #include "avc_ss.h" 96 97 #define NUM_SEL_MNT_OPTS 5 98 99 extern struct security_operations *security_ops; 100 101 /* SECMARK reference count */ 102 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 103 104 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 105 int selinux_enforcing; 106 107 static int __init enforcing_setup(char *str) 108 { 109 unsigned long enforcing; 110 if (!strict_strtoul(str, 0, &enforcing)) 111 selinux_enforcing = enforcing ? 1 : 0; 112 return 1; 113 } 114 __setup("enforcing=", enforcing_setup); 115 #endif 116 117 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 118 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 119 120 static int __init selinux_enabled_setup(char *str) 121 { 122 unsigned long enabled; 123 if (!strict_strtoul(str, 0, &enabled)) 124 selinux_enabled = enabled ? 1 : 0; 125 return 1; 126 } 127 __setup("selinux=", selinux_enabled_setup); 128 #else 129 int selinux_enabled = 1; 130 #endif 131 132 static struct kmem_cache *sel_inode_cache; 133 134 /** 135 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 136 * 137 * Description: 138 * This function checks the SECMARK reference counter to see if any SECMARK 139 * targets are currently configured, if the reference counter is greater than 140 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 141 * enabled, false (0) if SECMARK is disabled. 142 * 143 */ 144 static int selinux_secmark_enabled(void) 145 { 146 return (atomic_read(&selinux_secmark_refcount) > 0); 147 } 148 149 /* 150 * initialise the security for the init task 151 */ 152 static void cred_init_security(void) 153 { 154 struct cred *cred = (struct cred *) current->real_cred; 155 struct task_security_struct *tsec; 156 157 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 158 if (!tsec) 159 panic("SELinux: Failed to initialize initial task.\n"); 160 161 tsec->osid = tsec->sid = SECINITSID_KERNEL; 162 cred->security = tsec; 163 } 164 165 /* 166 * get the security ID of a set of credentials 167 */ 168 static inline u32 cred_sid(const struct cred *cred) 169 { 170 const struct task_security_struct *tsec; 171 172 tsec = cred->security; 173 return tsec->sid; 174 } 175 176 /* 177 * get the objective security ID of a task 178 */ 179 static inline u32 task_sid(const struct task_struct *task) 180 { 181 u32 sid; 182 183 rcu_read_lock(); 184 sid = cred_sid(__task_cred(task)); 185 rcu_read_unlock(); 186 return sid; 187 } 188 189 /* 190 * get the subjective security ID of the current task 191 */ 192 static inline u32 current_sid(void) 193 { 194 const struct task_security_struct *tsec = current_security(); 195 196 return tsec->sid; 197 } 198 199 /* Allocate and free functions for each kind of security blob. */ 200 201 static int inode_alloc_security(struct inode *inode) 202 { 203 struct inode_security_struct *isec; 204 u32 sid = current_sid(); 205 206 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 207 if (!isec) 208 return -ENOMEM; 209 210 mutex_init(&isec->lock); 211 INIT_LIST_HEAD(&isec->list); 212 isec->inode = inode; 213 isec->sid = SECINITSID_UNLABELED; 214 isec->sclass = SECCLASS_FILE; 215 isec->task_sid = sid; 216 inode->i_security = isec; 217 218 return 0; 219 } 220 221 static void inode_free_security(struct inode *inode) 222 { 223 struct inode_security_struct *isec = inode->i_security; 224 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 225 226 spin_lock(&sbsec->isec_lock); 227 if (!list_empty(&isec->list)) 228 list_del_init(&isec->list); 229 spin_unlock(&sbsec->isec_lock); 230 231 inode->i_security = NULL; 232 kmem_cache_free(sel_inode_cache, isec); 233 } 234 235 static int file_alloc_security(struct file *file) 236 { 237 struct file_security_struct *fsec; 238 u32 sid = current_sid(); 239 240 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); 241 if (!fsec) 242 return -ENOMEM; 243 244 fsec->sid = sid; 245 fsec->fown_sid = sid; 246 file->f_security = fsec; 247 248 return 0; 249 } 250 251 static void file_free_security(struct file *file) 252 { 253 struct file_security_struct *fsec = file->f_security; 254 file->f_security = NULL; 255 kfree(fsec); 256 } 257 258 static int superblock_alloc_security(struct super_block *sb) 259 { 260 struct superblock_security_struct *sbsec; 261 262 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 263 if (!sbsec) 264 return -ENOMEM; 265 266 mutex_init(&sbsec->lock); 267 INIT_LIST_HEAD(&sbsec->isec_head); 268 spin_lock_init(&sbsec->isec_lock); 269 sbsec->sb = sb; 270 sbsec->sid = SECINITSID_UNLABELED; 271 sbsec->def_sid = SECINITSID_FILE; 272 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 273 sb->s_security = sbsec; 274 275 return 0; 276 } 277 278 static void superblock_free_security(struct super_block *sb) 279 { 280 struct superblock_security_struct *sbsec = sb->s_security; 281 sb->s_security = NULL; 282 kfree(sbsec); 283 } 284 285 /* The file system's label must be initialized prior to use. */ 286 287 static const char *labeling_behaviors[6] = { 288 "uses xattr", 289 "uses transition SIDs", 290 "uses task SIDs", 291 "uses genfs_contexts", 292 "not configured for labeling", 293 "uses mountpoint labeling", 294 }; 295 296 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 297 298 static inline int inode_doinit(struct inode *inode) 299 { 300 return inode_doinit_with_dentry(inode, NULL); 301 } 302 303 enum { 304 Opt_error = -1, 305 Opt_context = 1, 306 Opt_fscontext = 2, 307 Opt_defcontext = 3, 308 Opt_rootcontext = 4, 309 Opt_labelsupport = 5, 310 }; 311 312 static const match_table_t tokens = { 313 {Opt_context, CONTEXT_STR "%s"}, 314 {Opt_fscontext, FSCONTEXT_STR "%s"}, 315 {Opt_defcontext, DEFCONTEXT_STR "%s"}, 316 {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, 317 {Opt_labelsupport, LABELSUPP_STR}, 318 {Opt_error, NULL}, 319 }; 320 321 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 322 323 static int may_context_mount_sb_relabel(u32 sid, 324 struct superblock_security_struct *sbsec, 325 const struct cred *cred) 326 { 327 const struct task_security_struct *tsec = cred->security; 328 int rc; 329 330 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 331 FILESYSTEM__RELABELFROM, NULL); 332 if (rc) 333 return rc; 334 335 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 336 FILESYSTEM__RELABELTO, NULL); 337 return rc; 338 } 339 340 static int may_context_mount_inode_relabel(u32 sid, 341 struct superblock_security_struct *sbsec, 342 const struct cred *cred) 343 { 344 const struct task_security_struct *tsec = cred->security; 345 int rc; 346 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 347 FILESYSTEM__RELABELFROM, NULL); 348 if (rc) 349 return rc; 350 351 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 352 FILESYSTEM__ASSOCIATE, NULL); 353 return rc; 354 } 355 356 static int sb_finish_set_opts(struct super_block *sb) 357 { 358 struct superblock_security_struct *sbsec = sb->s_security; 359 struct dentry *root = sb->s_root; 360 struct inode *root_inode = root->d_inode; 361 int rc = 0; 362 363 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 364 /* Make sure that the xattr handler exists and that no 365 error other than -ENODATA is returned by getxattr on 366 the root directory. -ENODATA is ok, as this may be 367 the first boot of the SELinux kernel before we have 368 assigned xattr values to the filesystem. */ 369 if (!root_inode->i_op->getxattr) { 370 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 371 "xattr support\n", sb->s_id, sb->s_type->name); 372 rc = -EOPNOTSUPP; 373 goto out; 374 } 375 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0); 376 if (rc < 0 && rc != -ENODATA) { 377 if (rc == -EOPNOTSUPP) 378 printk(KERN_WARNING "SELinux: (dev %s, type " 379 "%s) has no security xattr handler\n", 380 sb->s_id, sb->s_type->name); 381 else 382 printk(KERN_WARNING "SELinux: (dev %s, type " 383 "%s) getxattr errno %d\n", sb->s_id, 384 sb->s_type->name, -rc); 385 goto out; 386 } 387 } 388 389 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP); 390 391 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) 392 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", 393 sb->s_id, sb->s_type->name); 394 else 395 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n", 396 sb->s_id, sb->s_type->name, 397 labeling_behaviors[sbsec->behavior-1]); 398 399 if (sbsec->behavior == SECURITY_FS_USE_GENFS || 400 sbsec->behavior == SECURITY_FS_USE_MNTPOINT || 401 sbsec->behavior == SECURITY_FS_USE_NONE || 402 sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) 403 sbsec->flags &= ~SE_SBLABELSUPP; 404 405 /* Special handling for sysfs. Is genfs but also has setxattr handler*/ 406 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0) 407 sbsec->flags |= SE_SBLABELSUPP; 408 409 /* Initialize the root inode. */ 410 rc = inode_doinit_with_dentry(root_inode, root); 411 412 /* Initialize any other inodes associated with the superblock, e.g. 413 inodes created prior to initial policy load or inodes created 414 during get_sb by a pseudo filesystem that directly 415 populates itself. */ 416 spin_lock(&sbsec->isec_lock); 417 next_inode: 418 if (!list_empty(&sbsec->isec_head)) { 419 struct inode_security_struct *isec = 420 list_entry(sbsec->isec_head.next, 421 struct inode_security_struct, list); 422 struct inode *inode = isec->inode; 423 spin_unlock(&sbsec->isec_lock); 424 inode = igrab(inode); 425 if (inode) { 426 if (!IS_PRIVATE(inode)) 427 inode_doinit(inode); 428 iput(inode); 429 } 430 spin_lock(&sbsec->isec_lock); 431 list_del_init(&isec->list); 432 goto next_inode; 433 } 434 spin_unlock(&sbsec->isec_lock); 435 out: 436 return rc; 437 } 438 439 /* 440 * This function should allow an FS to ask what it's mount security 441 * options were so it can use those later for submounts, displaying 442 * mount options, or whatever. 443 */ 444 static int selinux_get_mnt_opts(const struct super_block *sb, 445 struct security_mnt_opts *opts) 446 { 447 int rc = 0, i; 448 struct superblock_security_struct *sbsec = sb->s_security; 449 char *context = NULL; 450 u32 len; 451 char tmp; 452 453 security_init_mnt_opts(opts); 454 455 if (!(sbsec->flags & SE_SBINITIALIZED)) 456 return -EINVAL; 457 458 if (!ss_initialized) 459 return -EINVAL; 460 461 tmp = sbsec->flags & SE_MNTMASK; 462 /* count the number of mount options for this sb */ 463 for (i = 0; i < 8; i++) { 464 if (tmp & 0x01) 465 opts->num_mnt_opts++; 466 tmp >>= 1; 467 } 468 /* Check if the Label support flag is set */ 469 if (sbsec->flags & SE_SBLABELSUPP) 470 opts->num_mnt_opts++; 471 472 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 473 if (!opts->mnt_opts) { 474 rc = -ENOMEM; 475 goto out_free; 476 } 477 478 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); 479 if (!opts->mnt_opts_flags) { 480 rc = -ENOMEM; 481 goto out_free; 482 } 483 484 i = 0; 485 if (sbsec->flags & FSCONTEXT_MNT) { 486 rc = security_sid_to_context(sbsec->sid, &context, &len); 487 if (rc) 488 goto out_free; 489 opts->mnt_opts[i] = context; 490 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 491 } 492 if (sbsec->flags & CONTEXT_MNT) { 493 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); 494 if (rc) 495 goto out_free; 496 opts->mnt_opts[i] = context; 497 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 498 } 499 if (sbsec->flags & DEFCONTEXT_MNT) { 500 rc = security_sid_to_context(sbsec->def_sid, &context, &len); 501 if (rc) 502 goto out_free; 503 opts->mnt_opts[i] = context; 504 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 505 } 506 if (sbsec->flags & ROOTCONTEXT_MNT) { 507 struct inode *root = sbsec->sb->s_root->d_inode; 508 struct inode_security_struct *isec = root->i_security; 509 510 rc = security_sid_to_context(isec->sid, &context, &len); 511 if (rc) 512 goto out_free; 513 opts->mnt_opts[i] = context; 514 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 515 } 516 if (sbsec->flags & SE_SBLABELSUPP) { 517 opts->mnt_opts[i] = NULL; 518 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP; 519 } 520 521 BUG_ON(i != opts->num_mnt_opts); 522 523 return 0; 524 525 out_free: 526 security_free_mnt_opts(opts); 527 return rc; 528 } 529 530 static int bad_option(struct superblock_security_struct *sbsec, char flag, 531 u32 old_sid, u32 new_sid) 532 { 533 char mnt_flags = sbsec->flags & SE_MNTMASK; 534 535 /* check if the old mount command had the same options */ 536 if (sbsec->flags & SE_SBINITIALIZED) 537 if (!(sbsec->flags & flag) || 538 (old_sid != new_sid)) 539 return 1; 540 541 /* check if we were passed the same options twice, 542 * aka someone passed context=a,context=b 543 */ 544 if (!(sbsec->flags & SE_SBINITIALIZED)) 545 if (mnt_flags & flag) 546 return 1; 547 return 0; 548 } 549 550 /* 551 * Allow filesystems with binary mount data to explicitly set mount point 552 * labeling information. 553 */ 554 static int selinux_set_mnt_opts(struct super_block *sb, 555 struct security_mnt_opts *opts) 556 { 557 const struct cred *cred = current_cred(); 558 int rc = 0, i; 559 struct superblock_security_struct *sbsec = sb->s_security; 560 const char *name = sb->s_type->name; 561 struct inode *inode = sbsec->sb->s_root->d_inode; 562 struct inode_security_struct *root_isec = inode->i_security; 563 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 564 u32 defcontext_sid = 0; 565 char **mount_options = opts->mnt_opts; 566 int *flags = opts->mnt_opts_flags; 567 int num_opts = opts->num_mnt_opts; 568 569 mutex_lock(&sbsec->lock); 570 571 if (!ss_initialized) { 572 if (!num_opts) { 573 /* Defer initialization until selinux_complete_init, 574 after the initial policy is loaded and the security 575 server is ready to handle calls. */ 576 goto out; 577 } 578 rc = -EINVAL; 579 printk(KERN_WARNING "SELinux: Unable to set superblock options " 580 "before the security server is initialized\n"); 581 goto out; 582 } 583 584 /* 585 * Binary mount data FS will come through this function twice. Once 586 * from an explicit call and once from the generic calls from the vfs. 587 * Since the generic VFS calls will not contain any security mount data 588 * we need to skip the double mount verification. 589 * 590 * This does open a hole in which we will not notice if the first 591 * mount using this sb set explict options and a second mount using 592 * this sb does not set any security options. (The first options 593 * will be used for both mounts) 594 */ 595 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 596 && (num_opts == 0)) 597 goto out; 598 599 /* 600 * parse the mount options, check if they are valid sids. 601 * also check if someone is trying to mount the same sb more 602 * than once with different security options. 603 */ 604 for (i = 0; i < num_opts; i++) { 605 u32 sid; 606 607 if (flags[i] == SE_SBLABELSUPP) 608 continue; 609 rc = security_context_to_sid(mount_options[i], 610 strlen(mount_options[i]), &sid); 611 if (rc) { 612 printk(KERN_WARNING "SELinux: security_context_to_sid" 613 "(%s) failed for (dev %s, type %s) errno=%d\n", 614 mount_options[i], sb->s_id, name, rc); 615 goto out; 616 } 617 switch (flags[i]) { 618 case FSCONTEXT_MNT: 619 fscontext_sid = sid; 620 621 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 622 fscontext_sid)) 623 goto out_double_mount; 624 625 sbsec->flags |= FSCONTEXT_MNT; 626 break; 627 case CONTEXT_MNT: 628 context_sid = sid; 629 630 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 631 context_sid)) 632 goto out_double_mount; 633 634 sbsec->flags |= CONTEXT_MNT; 635 break; 636 case ROOTCONTEXT_MNT: 637 rootcontext_sid = sid; 638 639 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 640 rootcontext_sid)) 641 goto out_double_mount; 642 643 sbsec->flags |= ROOTCONTEXT_MNT; 644 645 break; 646 case DEFCONTEXT_MNT: 647 defcontext_sid = sid; 648 649 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 650 defcontext_sid)) 651 goto out_double_mount; 652 653 sbsec->flags |= DEFCONTEXT_MNT; 654 655 break; 656 default: 657 rc = -EINVAL; 658 goto out; 659 } 660 } 661 662 if (sbsec->flags & SE_SBINITIALIZED) { 663 /* previously mounted with options, but not on this attempt? */ 664 if ((sbsec->flags & SE_MNTMASK) && !num_opts) 665 goto out_double_mount; 666 rc = 0; 667 goto out; 668 } 669 670 if (strcmp(sb->s_type->name, "proc") == 0) 671 sbsec->flags |= SE_SBPROC; 672 673 /* Determine the labeling behavior to use for this filesystem type. */ 674 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid); 675 if (rc) { 676 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", 677 __func__, sb->s_type->name, rc); 678 goto out; 679 } 680 681 /* sets the context of the superblock for the fs being mounted. */ 682 if (fscontext_sid) { 683 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 684 if (rc) 685 goto out; 686 687 sbsec->sid = fscontext_sid; 688 } 689 690 /* 691 * Switch to using mount point labeling behavior. 692 * sets the label used on all file below the mountpoint, and will set 693 * the superblock context if not already set. 694 */ 695 if (context_sid) { 696 if (!fscontext_sid) { 697 rc = may_context_mount_sb_relabel(context_sid, sbsec, 698 cred); 699 if (rc) 700 goto out; 701 sbsec->sid = context_sid; 702 } else { 703 rc = may_context_mount_inode_relabel(context_sid, sbsec, 704 cred); 705 if (rc) 706 goto out; 707 } 708 if (!rootcontext_sid) 709 rootcontext_sid = context_sid; 710 711 sbsec->mntpoint_sid = context_sid; 712 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 713 } 714 715 if (rootcontext_sid) { 716 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 717 cred); 718 if (rc) 719 goto out; 720 721 root_isec->sid = rootcontext_sid; 722 root_isec->initialized = 1; 723 } 724 725 if (defcontext_sid) { 726 if (sbsec->behavior != SECURITY_FS_USE_XATTR) { 727 rc = -EINVAL; 728 printk(KERN_WARNING "SELinux: defcontext option is " 729 "invalid for this filesystem type\n"); 730 goto out; 731 } 732 733 if (defcontext_sid != sbsec->def_sid) { 734 rc = may_context_mount_inode_relabel(defcontext_sid, 735 sbsec, cred); 736 if (rc) 737 goto out; 738 } 739 740 sbsec->def_sid = defcontext_sid; 741 } 742 743 rc = sb_finish_set_opts(sb); 744 out: 745 mutex_unlock(&sbsec->lock); 746 return rc; 747 out_double_mount: 748 rc = -EINVAL; 749 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 750 "security settings for (dev %s, type %s)\n", sb->s_id, name); 751 goto out; 752 } 753 754 static int selinux_cmp_sb_context(const struct super_block *oldsb, 755 const struct super_block *newsb) 756 { 757 struct superblock_security_struct *old = oldsb->s_security; 758 struct superblock_security_struct *new = newsb->s_security; 759 char oldflags = old->flags & SE_MNTMASK; 760 char newflags = new->flags & SE_MNTMASK; 761 762 if (oldflags != newflags) 763 goto mismatch; 764 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 765 goto mismatch; 766 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 767 goto mismatch; 768 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 769 goto mismatch; 770 if (oldflags & ROOTCONTEXT_MNT) { 771 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security; 772 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security; 773 if (oldroot->sid != newroot->sid) 774 goto mismatch; 775 } 776 return 0; 777 mismatch: 778 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, " 779 "different security settings for (dev %s, " 780 "type %s)\n", newsb->s_id, newsb->s_type->name); 781 return -EBUSY; 782 } 783 784 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 785 struct super_block *newsb) 786 { 787 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 788 struct superblock_security_struct *newsbsec = newsb->s_security; 789 790 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 791 int set_context = (oldsbsec->flags & CONTEXT_MNT); 792 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 793 794 /* 795 * if the parent was able to be mounted it clearly had no special lsm 796 * mount options. thus we can safely deal with this superblock later 797 */ 798 if (!ss_initialized) 799 return 0; 800 801 /* how can we clone if the old one wasn't set up?? */ 802 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 803 804 /* if fs is reusing a sb, make sure that the contexts match */ 805 if (newsbsec->flags & SE_SBINITIALIZED) 806 return selinux_cmp_sb_context(oldsb, newsb); 807 808 mutex_lock(&newsbsec->lock); 809 810 newsbsec->flags = oldsbsec->flags; 811 812 newsbsec->sid = oldsbsec->sid; 813 newsbsec->def_sid = oldsbsec->def_sid; 814 newsbsec->behavior = oldsbsec->behavior; 815 816 if (set_context) { 817 u32 sid = oldsbsec->mntpoint_sid; 818 819 if (!set_fscontext) 820 newsbsec->sid = sid; 821 if (!set_rootcontext) { 822 struct inode *newinode = newsb->s_root->d_inode; 823 struct inode_security_struct *newisec = newinode->i_security; 824 newisec->sid = sid; 825 } 826 newsbsec->mntpoint_sid = sid; 827 } 828 if (set_rootcontext) { 829 const struct inode *oldinode = oldsb->s_root->d_inode; 830 const struct inode_security_struct *oldisec = oldinode->i_security; 831 struct inode *newinode = newsb->s_root->d_inode; 832 struct inode_security_struct *newisec = newinode->i_security; 833 834 newisec->sid = oldisec->sid; 835 } 836 837 sb_finish_set_opts(newsb); 838 mutex_unlock(&newsbsec->lock); 839 return 0; 840 } 841 842 static int selinux_parse_opts_str(char *options, 843 struct security_mnt_opts *opts) 844 { 845 char *p; 846 char *context = NULL, *defcontext = NULL; 847 char *fscontext = NULL, *rootcontext = NULL; 848 int rc, num_mnt_opts = 0; 849 850 opts->num_mnt_opts = 0; 851 852 /* Standard string-based options. */ 853 while ((p = strsep(&options, "|")) != NULL) { 854 int token; 855 substring_t args[MAX_OPT_ARGS]; 856 857 if (!*p) 858 continue; 859 860 token = match_token(p, tokens, args); 861 862 switch (token) { 863 case Opt_context: 864 if (context || defcontext) { 865 rc = -EINVAL; 866 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 867 goto out_err; 868 } 869 context = match_strdup(&args[0]); 870 if (!context) { 871 rc = -ENOMEM; 872 goto out_err; 873 } 874 break; 875 876 case Opt_fscontext: 877 if (fscontext) { 878 rc = -EINVAL; 879 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 880 goto out_err; 881 } 882 fscontext = match_strdup(&args[0]); 883 if (!fscontext) { 884 rc = -ENOMEM; 885 goto out_err; 886 } 887 break; 888 889 case Opt_rootcontext: 890 if (rootcontext) { 891 rc = -EINVAL; 892 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 893 goto out_err; 894 } 895 rootcontext = match_strdup(&args[0]); 896 if (!rootcontext) { 897 rc = -ENOMEM; 898 goto out_err; 899 } 900 break; 901 902 case Opt_defcontext: 903 if (context || defcontext) { 904 rc = -EINVAL; 905 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 906 goto out_err; 907 } 908 defcontext = match_strdup(&args[0]); 909 if (!defcontext) { 910 rc = -ENOMEM; 911 goto out_err; 912 } 913 break; 914 case Opt_labelsupport: 915 break; 916 default: 917 rc = -EINVAL; 918 printk(KERN_WARNING "SELinux: unknown mount option\n"); 919 goto out_err; 920 921 } 922 } 923 924 rc = -ENOMEM; 925 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC); 926 if (!opts->mnt_opts) 927 goto out_err; 928 929 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC); 930 if (!opts->mnt_opts_flags) { 931 kfree(opts->mnt_opts); 932 goto out_err; 933 } 934 935 if (fscontext) { 936 opts->mnt_opts[num_mnt_opts] = fscontext; 937 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 938 } 939 if (context) { 940 opts->mnt_opts[num_mnt_opts] = context; 941 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 942 } 943 if (rootcontext) { 944 opts->mnt_opts[num_mnt_opts] = rootcontext; 945 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 946 } 947 if (defcontext) { 948 opts->mnt_opts[num_mnt_opts] = defcontext; 949 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 950 } 951 952 opts->num_mnt_opts = num_mnt_opts; 953 return 0; 954 955 out_err: 956 kfree(context); 957 kfree(defcontext); 958 kfree(fscontext); 959 kfree(rootcontext); 960 return rc; 961 } 962 /* 963 * string mount options parsing and call set the sbsec 964 */ 965 static int superblock_doinit(struct super_block *sb, void *data) 966 { 967 int rc = 0; 968 char *options = data; 969 struct security_mnt_opts opts; 970 971 security_init_mnt_opts(&opts); 972 973 if (!data) 974 goto out; 975 976 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); 977 978 rc = selinux_parse_opts_str(options, &opts); 979 if (rc) 980 goto out_err; 981 982 out: 983 rc = selinux_set_mnt_opts(sb, &opts); 984 985 out_err: 986 security_free_mnt_opts(&opts); 987 return rc; 988 } 989 990 static void selinux_write_opts(struct seq_file *m, 991 struct security_mnt_opts *opts) 992 { 993 int i; 994 char *prefix; 995 996 for (i = 0; i < opts->num_mnt_opts; i++) { 997 char *has_comma; 998 999 if (opts->mnt_opts[i]) 1000 has_comma = strchr(opts->mnt_opts[i], ','); 1001 else 1002 has_comma = NULL; 1003 1004 switch (opts->mnt_opts_flags[i]) { 1005 case CONTEXT_MNT: 1006 prefix = CONTEXT_STR; 1007 break; 1008 case FSCONTEXT_MNT: 1009 prefix = FSCONTEXT_STR; 1010 break; 1011 case ROOTCONTEXT_MNT: 1012 prefix = ROOTCONTEXT_STR; 1013 break; 1014 case DEFCONTEXT_MNT: 1015 prefix = DEFCONTEXT_STR; 1016 break; 1017 case SE_SBLABELSUPP: 1018 seq_putc(m, ','); 1019 seq_puts(m, LABELSUPP_STR); 1020 continue; 1021 default: 1022 BUG(); 1023 return; 1024 }; 1025 /* we need a comma before each option */ 1026 seq_putc(m, ','); 1027 seq_puts(m, prefix); 1028 if (has_comma) 1029 seq_putc(m, '\"'); 1030 seq_puts(m, opts->mnt_opts[i]); 1031 if (has_comma) 1032 seq_putc(m, '\"'); 1033 } 1034 } 1035 1036 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1037 { 1038 struct security_mnt_opts opts; 1039 int rc; 1040 1041 rc = selinux_get_mnt_opts(sb, &opts); 1042 if (rc) { 1043 /* before policy load we may get EINVAL, don't show anything */ 1044 if (rc == -EINVAL) 1045 rc = 0; 1046 return rc; 1047 } 1048 1049 selinux_write_opts(m, &opts); 1050 1051 security_free_mnt_opts(&opts); 1052 1053 return rc; 1054 } 1055 1056 static inline u16 inode_mode_to_security_class(umode_t mode) 1057 { 1058 switch (mode & S_IFMT) { 1059 case S_IFSOCK: 1060 return SECCLASS_SOCK_FILE; 1061 case S_IFLNK: 1062 return SECCLASS_LNK_FILE; 1063 case S_IFREG: 1064 return SECCLASS_FILE; 1065 case S_IFBLK: 1066 return SECCLASS_BLK_FILE; 1067 case S_IFDIR: 1068 return SECCLASS_DIR; 1069 case S_IFCHR: 1070 return SECCLASS_CHR_FILE; 1071 case S_IFIFO: 1072 return SECCLASS_FIFO_FILE; 1073 1074 } 1075 1076 return SECCLASS_FILE; 1077 } 1078 1079 static inline int default_protocol_stream(int protocol) 1080 { 1081 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1082 } 1083 1084 static inline int default_protocol_dgram(int protocol) 1085 { 1086 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1087 } 1088 1089 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1090 { 1091 switch (family) { 1092 case PF_UNIX: 1093 switch (type) { 1094 case SOCK_STREAM: 1095 case SOCK_SEQPACKET: 1096 return SECCLASS_UNIX_STREAM_SOCKET; 1097 case SOCK_DGRAM: 1098 return SECCLASS_UNIX_DGRAM_SOCKET; 1099 } 1100 break; 1101 case PF_INET: 1102 case PF_INET6: 1103 switch (type) { 1104 case SOCK_STREAM: 1105 if (default_protocol_stream(protocol)) 1106 return SECCLASS_TCP_SOCKET; 1107 else 1108 return SECCLASS_RAWIP_SOCKET; 1109 case SOCK_DGRAM: 1110 if (default_protocol_dgram(protocol)) 1111 return SECCLASS_UDP_SOCKET; 1112 else 1113 return SECCLASS_RAWIP_SOCKET; 1114 case SOCK_DCCP: 1115 return SECCLASS_DCCP_SOCKET; 1116 default: 1117 return SECCLASS_RAWIP_SOCKET; 1118 } 1119 break; 1120 case PF_NETLINK: 1121 switch (protocol) { 1122 case NETLINK_ROUTE: 1123 return SECCLASS_NETLINK_ROUTE_SOCKET; 1124 case NETLINK_FIREWALL: 1125 return SECCLASS_NETLINK_FIREWALL_SOCKET; 1126 case NETLINK_SOCK_DIAG: 1127 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1128 case NETLINK_NFLOG: 1129 return SECCLASS_NETLINK_NFLOG_SOCKET; 1130 case NETLINK_XFRM: 1131 return SECCLASS_NETLINK_XFRM_SOCKET; 1132 case NETLINK_SELINUX: 1133 return SECCLASS_NETLINK_SELINUX_SOCKET; 1134 case NETLINK_AUDIT: 1135 return SECCLASS_NETLINK_AUDIT_SOCKET; 1136 case NETLINK_IP6_FW: 1137 return SECCLASS_NETLINK_IP6FW_SOCKET; 1138 case NETLINK_DNRTMSG: 1139 return SECCLASS_NETLINK_DNRT_SOCKET; 1140 case NETLINK_KOBJECT_UEVENT: 1141 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1142 default: 1143 return SECCLASS_NETLINK_SOCKET; 1144 } 1145 case PF_PACKET: 1146 return SECCLASS_PACKET_SOCKET; 1147 case PF_KEY: 1148 return SECCLASS_KEY_SOCKET; 1149 case PF_APPLETALK: 1150 return SECCLASS_APPLETALK_SOCKET; 1151 } 1152 1153 return SECCLASS_SOCKET; 1154 } 1155 1156 #ifdef CONFIG_PROC_FS 1157 static int selinux_proc_get_sid(struct dentry *dentry, 1158 u16 tclass, 1159 u32 *sid) 1160 { 1161 int rc; 1162 char *buffer, *path; 1163 1164 buffer = (char *)__get_free_page(GFP_KERNEL); 1165 if (!buffer) 1166 return -ENOMEM; 1167 1168 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1169 if (IS_ERR(path)) 1170 rc = PTR_ERR(path); 1171 else { 1172 /* each process gets a /proc/PID/ entry. Strip off the 1173 * PID part to get a valid selinux labeling. 1174 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1175 while (path[1] >= '0' && path[1] <= '9') { 1176 path[1] = '/'; 1177 path++; 1178 } 1179 rc = security_genfs_sid("proc", path, tclass, sid); 1180 } 1181 free_page((unsigned long)buffer); 1182 return rc; 1183 } 1184 #else 1185 static int selinux_proc_get_sid(struct dentry *dentry, 1186 u16 tclass, 1187 u32 *sid) 1188 { 1189 return -EINVAL; 1190 } 1191 #endif 1192 1193 /* The inode's security attributes must be initialized before first use. */ 1194 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1195 { 1196 struct superblock_security_struct *sbsec = NULL; 1197 struct inode_security_struct *isec = inode->i_security; 1198 u32 sid; 1199 struct dentry *dentry; 1200 #define INITCONTEXTLEN 255 1201 char *context = NULL; 1202 unsigned len = 0; 1203 int rc = 0; 1204 1205 if (isec->initialized) 1206 goto out; 1207 1208 mutex_lock(&isec->lock); 1209 if (isec->initialized) 1210 goto out_unlock; 1211 1212 sbsec = inode->i_sb->s_security; 1213 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1214 /* Defer initialization until selinux_complete_init, 1215 after the initial policy is loaded and the security 1216 server is ready to handle calls. */ 1217 spin_lock(&sbsec->isec_lock); 1218 if (list_empty(&isec->list)) 1219 list_add(&isec->list, &sbsec->isec_head); 1220 spin_unlock(&sbsec->isec_lock); 1221 goto out_unlock; 1222 } 1223 1224 switch (sbsec->behavior) { 1225 case SECURITY_FS_USE_XATTR: 1226 if (!inode->i_op->getxattr) { 1227 isec->sid = sbsec->def_sid; 1228 break; 1229 } 1230 1231 /* Need a dentry, since the xattr API requires one. 1232 Life would be simpler if we could just pass the inode. */ 1233 if (opt_dentry) { 1234 /* Called from d_instantiate or d_splice_alias. */ 1235 dentry = dget(opt_dentry); 1236 } else { 1237 /* Called from selinux_complete_init, try to find a dentry. */ 1238 dentry = d_find_alias(inode); 1239 } 1240 if (!dentry) { 1241 /* 1242 * this is can be hit on boot when a file is accessed 1243 * before the policy is loaded. When we load policy we 1244 * may find inodes that have no dentry on the 1245 * sbsec->isec_head list. No reason to complain as these 1246 * will get fixed up the next time we go through 1247 * inode_doinit with a dentry, before these inodes could 1248 * be used again by userspace. 1249 */ 1250 goto out_unlock; 1251 } 1252 1253 len = INITCONTEXTLEN; 1254 context = kmalloc(len+1, GFP_NOFS); 1255 if (!context) { 1256 rc = -ENOMEM; 1257 dput(dentry); 1258 goto out_unlock; 1259 } 1260 context[len] = '\0'; 1261 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1262 context, len); 1263 if (rc == -ERANGE) { 1264 kfree(context); 1265 1266 /* Need a larger buffer. Query for the right size. */ 1267 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1268 NULL, 0); 1269 if (rc < 0) { 1270 dput(dentry); 1271 goto out_unlock; 1272 } 1273 len = rc; 1274 context = kmalloc(len+1, GFP_NOFS); 1275 if (!context) { 1276 rc = -ENOMEM; 1277 dput(dentry); 1278 goto out_unlock; 1279 } 1280 context[len] = '\0'; 1281 rc = inode->i_op->getxattr(dentry, 1282 XATTR_NAME_SELINUX, 1283 context, len); 1284 } 1285 dput(dentry); 1286 if (rc < 0) { 1287 if (rc != -ENODATA) { 1288 printk(KERN_WARNING "SELinux: %s: getxattr returned " 1289 "%d for dev=%s ino=%ld\n", __func__, 1290 -rc, inode->i_sb->s_id, inode->i_ino); 1291 kfree(context); 1292 goto out_unlock; 1293 } 1294 /* Map ENODATA to the default file SID */ 1295 sid = sbsec->def_sid; 1296 rc = 0; 1297 } else { 1298 rc = security_context_to_sid_default(context, rc, &sid, 1299 sbsec->def_sid, 1300 GFP_NOFS); 1301 if (rc) { 1302 char *dev = inode->i_sb->s_id; 1303 unsigned long ino = inode->i_ino; 1304 1305 if (rc == -EINVAL) { 1306 if (printk_ratelimit()) 1307 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " 1308 "context=%s. This indicates you may need to relabel the inode or the " 1309 "filesystem in question.\n", ino, dev, context); 1310 } else { 1311 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " 1312 "returned %d for dev=%s ino=%ld\n", 1313 __func__, context, -rc, dev, ino); 1314 } 1315 kfree(context); 1316 /* Leave with the unlabeled SID */ 1317 rc = 0; 1318 break; 1319 } 1320 } 1321 kfree(context); 1322 isec->sid = sid; 1323 break; 1324 case SECURITY_FS_USE_TASK: 1325 isec->sid = isec->task_sid; 1326 break; 1327 case SECURITY_FS_USE_TRANS: 1328 /* Default to the fs SID. */ 1329 isec->sid = sbsec->sid; 1330 1331 /* Try to obtain a transition SID. */ 1332 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1333 rc = security_transition_sid(isec->task_sid, sbsec->sid, 1334 isec->sclass, NULL, &sid); 1335 if (rc) 1336 goto out_unlock; 1337 isec->sid = sid; 1338 break; 1339 case SECURITY_FS_USE_MNTPOINT: 1340 isec->sid = sbsec->mntpoint_sid; 1341 break; 1342 default: 1343 /* Default to the fs superblock SID. */ 1344 isec->sid = sbsec->sid; 1345 1346 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) { 1347 if (opt_dentry) { 1348 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1349 rc = selinux_proc_get_sid(opt_dentry, 1350 isec->sclass, 1351 &sid); 1352 if (rc) 1353 goto out_unlock; 1354 isec->sid = sid; 1355 } 1356 } 1357 break; 1358 } 1359 1360 isec->initialized = 1; 1361 1362 out_unlock: 1363 mutex_unlock(&isec->lock); 1364 out: 1365 if (isec->sclass == SECCLASS_FILE) 1366 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1367 return rc; 1368 } 1369 1370 /* Convert a Linux signal to an access vector. */ 1371 static inline u32 signal_to_av(int sig) 1372 { 1373 u32 perm = 0; 1374 1375 switch (sig) { 1376 case SIGCHLD: 1377 /* Commonly granted from child to parent. */ 1378 perm = PROCESS__SIGCHLD; 1379 break; 1380 case SIGKILL: 1381 /* Cannot be caught or ignored */ 1382 perm = PROCESS__SIGKILL; 1383 break; 1384 case SIGSTOP: 1385 /* Cannot be caught or ignored */ 1386 perm = PROCESS__SIGSTOP; 1387 break; 1388 default: 1389 /* All other signals. */ 1390 perm = PROCESS__SIGNAL; 1391 break; 1392 } 1393 1394 return perm; 1395 } 1396 1397 /* 1398 * Check permission between a pair of credentials 1399 * fork check, ptrace check, etc. 1400 */ 1401 static int cred_has_perm(const struct cred *actor, 1402 const struct cred *target, 1403 u32 perms) 1404 { 1405 u32 asid = cred_sid(actor), tsid = cred_sid(target); 1406 1407 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL); 1408 } 1409 1410 /* 1411 * Check permission between a pair of tasks, e.g. signal checks, 1412 * fork check, ptrace check, etc. 1413 * tsk1 is the actor and tsk2 is the target 1414 * - this uses the default subjective creds of tsk1 1415 */ 1416 static int task_has_perm(const struct task_struct *tsk1, 1417 const struct task_struct *tsk2, 1418 u32 perms) 1419 { 1420 const struct task_security_struct *__tsec1, *__tsec2; 1421 u32 sid1, sid2; 1422 1423 rcu_read_lock(); 1424 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid; 1425 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid; 1426 rcu_read_unlock(); 1427 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL); 1428 } 1429 1430 /* 1431 * Check permission between current and another task, e.g. signal checks, 1432 * fork check, ptrace check, etc. 1433 * current is the actor and tsk2 is the target 1434 * - this uses current's subjective creds 1435 */ 1436 static int current_has_perm(const struct task_struct *tsk, 1437 u32 perms) 1438 { 1439 u32 sid, tsid; 1440 1441 sid = current_sid(); 1442 tsid = task_sid(tsk); 1443 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL); 1444 } 1445 1446 #if CAP_LAST_CAP > 63 1447 #error Fix SELinux to handle capabilities > 63. 1448 #endif 1449 1450 /* Check whether a task is allowed to use a capability. */ 1451 static int cred_has_capability(const struct cred *cred, 1452 int cap, int audit) 1453 { 1454 struct common_audit_data ad; 1455 struct av_decision avd; 1456 u16 sclass; 1457 u32 sid = cred_sid(cred); 1458 u32 av = CAP_TO_MASK(cap); 1459 int rc; 1460 1461 ad.type = LSM_AUDIT_DATA_CAP; 1462 ad.u.cap = cap; 1463 1464 switch (CAP_TO_INDEX(cap)) { 1465 case 0: 1466 sclass = SECCLASS_CAPABILITY; 1467 break; 1468 case 1: 1469 sclass = SECCLASS_CAPABILITY2; 1470 break; 1471 default: 1472 printk(KERN_ERR 1473 "SELinux: out of range capability %d\n", cap); 1474 BUG(); 1475 return -EINVAL; 1476 } 1477 1478 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1479 if (audit == SECURITY_CAP_AUDIT) { 1480 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); 1481 if (rc2) 1482 return rc2; 1483 } 1484 return rc; 1485 } 1486 1487 /* Check whether a task is allowed to use a system operation. */ 1488 static int task_has_system(struct task_struct *tsk, 1489 u32 perms) 1490 { 1491 u32 sid = task_sid(tsk); 1492 1493 return avc_has_perm(sid, SECINITSID_KERNEL, 1494 SECCLASS_SYSTEM, perms, NULL); 1495 } 1496 1497 /* Check whether a task has a particular permission to an inode. 1498 The 'adp' parameter is optional and allows other audit 1499 data to be passed (e.g. the dentry). */ 1500 static int inode_has_perm(const struct cred *cred, 1501 struct inode *inode, 1502 u32 perms, 1503 struct common_audit_data *adp, 1504 unsigned flags) 1505 { 1506 struct inode_security_struct *isec; 1507 u32 sid; 1508 1509 validate_creds(cred); 1510 1511 if (unlikely(IS_PRIVATE(inode))) 1512 return 0; 1513 1514 sid = cred_sid(cred); 1515 isec = inode->i_security; 1516 1517 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags); 1518 } 1519 1520 /* Same as inode_has_perm, but pass explicit audit data containing 1521 the dentry to help the auditing code to more easily generate the 1522 pathname if needed. */ 1523 static inline int dentry_has_perm(const struct cred *cred, 1524 struct dentry *dentry, 1525 u32 av) 1526 { 1527 struct inode *inode = dentry->d_inode; 1528 struct common_audit_data ad; 1529 1530 ad.type = LSM_AUDIT_DATA_DENTRY; 1531 ad.u.dentry = dentry; 1532 return inode_has_perm(cred, inode, av, &ad, 0); 1533 } 1534 1535 /* Same as inode_has_perm, but pass explicit audit data containing 1536 the path to help the auditing code to more easily generate the 1537 pathname if needed. */ 1538 static inline int path_has_perm(const struct cred *cred, 1539 struct path *path, 1540 u32 av) 1541 { 1542 struct inode *inode = path->dentry->d_inode; 1543 struct common_audit_data ad; 1544 1545 ad.type = LSM_AUDIT_DATA_PATH; 1546 ad.u.path = *path; 1547 return inode_has_perm(cred, inode, av, &ad, 0); 1548 } 1549 1550 /* Check whether a task can use an open file descriptor to 1551 access an inode in a given way. Check access to the 1552 descriptor itself, and then use dentry_has_perm to 1553 check a particular permission to the file. 1554 Access to the descriptor is implicitly granted if it 1555 has the same SID as the process. If av is zero, then 1556 access to the file is not checked, e.g. for cases 1557 where only the descriptor is affected like seek. */ 1558 static int file_has_perm(const struct cred *cred, 1559 struct file *file, 1560 u32 av) 1561 { 1562 struct file_security_struct *fsec = file->f_security; 1563 struct inode *inode = file_inode(file); 1564 struct common_audit_data ad; 1565 u32 sid = cred_sid(cred); 1566 int rc; 1567 1568 ad.type = LSM_AUDIT_DATA_PATH; 1569 ad.u.path = file->f_path; 1570 1571 if (sid != fsec->sid) { 1572 rc = avc_has_perm(sid, fsec->sid, 1573 SECCLASS_FD, 1574 FD__USE, 1575 &ad); 1576 if (rc) 1577 goto out; 1578 } 1579 1580 /* av is zero if only checking access to the descriptor. */ 1581 rc = 0; 1582 if (av) 1583 rc = inode_has_perm(cred, inode, av, &ad, 0); 1584 1585 out: 1586 return rc; 1587 } 1588 1589 /* Check whether a task can create a file. */ 1590 static int may_create(struct inode *dir, 1591 struct dentry *dentry, 1592 u16 tclass) 1593 { 1594 const struct task_security_struct *tsec = current_security(); 1595 struct inode_security_struct *dsec; 1596 struct superblock_security_struct *sbsec; 1597 u32 sid, newsid; 1598 struct common_audit_data ad; 1599 int rc; 1600 1601 dsec = dir->i_security; 1602 sbsec = dir->i_sb->s_security; 1603 1604 sid = tsec->sid; 1605 newsid = tsec->create_sid; 1606 1607 ad.type = LSM_AUDIT_DATA_DENTRY; 1608 ad.u.dentry = dentry; 1609 1610 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1611 DIR__ADD_NAME | DIR__SEARCH, 1612 &ad); 1613 if (rc) 1614 return rc; 1615 1616 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { 1617 rc = security_transition_sid(sid, dsec->sid, tclass, 1618 &dentry->d_name, &newsid); 1619 if (rc) 1620 return rc; 1621 } 1622 1623 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1624 if (rc) 1625 return rc; 1626 1627 return avc_has_perm(newsid, sbsec->sid, 1628 SECCLASS_FILESYSTEM, 1629 FILESYSTEM__ASSOCIATE, &ad); 1630 } 1631 1632 /* Check whether a task can create a key. */ 1633 static int may_create_key(u32 ksid, 1634 struct task_struct *ctx) 1635 { 1636 u32 sid = task_sid(ctx); 1637 1638 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); 1639 } 1640 1641 #define MAY_LINK 0 1642 #define MAY_UNLINK 1 1643 #define MAY_RMDIR 2 1644 1645 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1646 static int may_link(struct inode *dir, 1647 struct dentry *dentry, 1648 int kind) 1649 1650 { 1651 struct inode_security_struct *dsec, *isec; 1652 struct common_audit_data ad; 1653 u32 sid = current_sid(); 1654 u32 av; 1655 int rc; 1656 1657 dsec = dir->i_security; 1658 isec = dentry->d_inode->i_security; 1659 1660 ad.type = LSM_AUDIT_DATA_DENTRY; 1661 ad.u.dentry = dentry; 1662 1663 av = DIR__SEARCH; 1664 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1665 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 1666 if (rc) 1667 return rc; 1668 1669 switch (kind) { 1670 case MAY_LINK: 1671 av = FILE__LINK; 1672 break; 1673 case MAY_UNLINK: 1674 av = FILE__UNLINK; 1675 break; 1676 case MAY_RMDIR: 1677 av = DIR__RMDIR; 1678 break; 1679 default: 1680 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", 1681 __func__, kind); 1682 return 0; 1683 } 1684 1685 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 1686 return rc; 1687 } 1688 1689 static inline int may_rename(struct inode *old_dir, 1690 struct dentry *old_dentry, 1691 struct inode *new_dir, 1692 struct dentry *new_dentry) 1693 { 1694 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1695 struct common_audit_data ad; 1696 u32 sid = current_sid(); 1697 u32 av; 1698 int old_is_dir, new_is_dir; 1699 int rc; 1700 1701 old_dsec = old_dir->i_security; 1702 old_isec = old_dentry->d_inode->i_security; 1703 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); 1704 new_dsec = new_dir->i_security; 1705 1706 ad.type = LSM_AUDIT_DATA_DENTRY; 1707 1708 ad.u.dentry = old_dentry; 1709 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1710 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1711 if (rc) 1712 return rc; 1713 rc = avc_has_perm(sid, old_isec->sid, 1714 old_isec->sclass, FILE__RENAME, &ad); 1715 if (rc) 1716 return rc; 1717 if (old_is_dir && new_dir != old_dir) { 1718 rc = avc_has_perm(sid, old_isec->sid, 1719 old_isec->sclass, DIR__REPARENT, &ad); 1720 if (rc) 1721 return rc; 1722 } 1723 1724 ad.u.dentry = new_dentry; 1725 av = DIR__ADD_NAME | DIR__SEARCH; 1726 if (new_dentry->d_inode) 1727 av |= DIR__REMOVE_NAME; 1728 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1729 if (rc) 1730 return rc; 1731 if (new_dentry->d_inode) { 1732 new_isec = new_dentry->d_inode->i_security; 1733 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode); 1734 rc = avc_has_perm(sid, new_isec->sid, 1735 new_isec->sclass, 1736 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1737 if (rc) 1738 return rc; 1739 } 1740 1741 return 0; 1742 } 1743 1744 /* Check whether a task can perform a filesystem operation. */ 1745 static int superblock_has_perm(const struct cred *cred, 1746 struct super_block *sb, 1747 u32 perms, 1748 struct common_audit_data *ad) 1749 { 1750 struct superblock_security_struct *sbsec; 1751 u32 sid = cred_sid(cred); 1752 1753 sbsec = sb->s_security; 1754 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1755 } 1756 1757 /* Convert a Linux mode and permission mask to an access vector. */ 1758 static inline u32 file_mask_to_av(int mode, int mask) 1759 { 1760 u32 av = 0; 1761 1762 if (!S_ISDIR(mode)) { 1763 if (mask & MAY_EXEC) 1764 av |= FILE__EXECUTE; 1765 if (mask & MAY_READ) 1766 av |= FILE__READ; 1767 1768 if (mask & MAY_APPEND) 1769 av |= FILE__APPEND; 1770 else if (mask & MAY_WRITE) 1771 av |= FILE__WRITE; 1772 1773 } else { 1774 if (mask & MAY_EXEC) 1775 av |= DIR__SEARCH; 1776 if (mask & MAY_WRITE) 1777 av |= DIR__WRITE; 1778 if (mask & MAY_READ) 1779 av |= DIR__READ; 1780 } 1781 1782 return av; 1783 } 1784 1785 /* Convert a Linux file to an access vector. */ 1786 static inline u32 file_to_av(struct file *file) 1787 { 1788 u32 av = 0; 1789 1790 if (file->f_mode & FMODE_READ) 1791 av |= FILE__READ; 1792 if (file->f_mode & FMODE_WRITE) { 1793 if (file->f_flags & O_APPEND) 1794 av |= FILE__APPEND; 1795 else 1796 av |= FILE__WRITE; 1797 } 1798 if (!av) { 1799 /* 1800 * Special file opened with flags 3 for ioctl-only use. 1801 */ 1802 av = FILE__IOCTL; 1803 } 1804 1805 return av; 1806 } 1807 1808 /* 1809 * Convert a file to an access vector and include the correct open 1810 * open permission. 1811 */ 1812 static inline u32 open_file_to_av(struct file *file) 1813 { 1814 u32 av = file_to_av(file); 1815 1816 if (selinux_policycap_openperm) 1817 av |= FILE__OPEN; 1818 1819 return av; 1820 } 1821 1822 /* Hook functions begin here. */ 1823 1824 static int selinux_ptrace_access_check(struct task_struct *child, 1825 unsigned int mode) 1826 { 1827 int rc; 1828 1829 rc = cap_ptrace_access_check(child, mode); 1830 if (rc) 1831 return rc; 1832 1833 if (mode & PTRACE_MODE_READ) { 1834 u32 sid = current_sid(); 1835 u32 csid = task_sid(child); 1836 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); 1837 } 1838 1839 return current_has_perm(child, PROCESS__PTRACE); 1840 } 1841 1842 static int selinux_ptrace_traceme(struct task_struct *parent) 1843 { 1844 int rc; 1845 1846 rc = cap_ptrace_traceme(parent); 1847 if (rc) 1848 return rc; 1849 1850 return task_has_perm(parent, current, PROCESS__PTRACE); 1851 } 1852 1853 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 1854 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1855 { 1856 int error; 1857 1858 error = current_has_perm(target, PROCESS__GETCAP); 1859 if (error) 1860 return error; 1861 1862 return cap_capget(target, effective, inheritable, permitted); 1863 } 1864 1865 static int selinux_capset(struct cred *new, const struct cred *old, 1866 const kernel_cap_t *effective, 1867 const kernel_cap_t *inheritable, 1868 const kernel_cap_t *permitted) 1869 { 1870 int error; 1871 1872 error = cap_capset(new, old, 1873 effective, inheritable, permitted); 1874 if (error) 1875 return error; 1876 1877 return cred_has_perm(old, new, PROCESS__SETCAP); 1878 } 1879 1880 /* 1881 * (This comment used to live with the selinux_task_setuid hook, 1882 * which was removed). 1883 * 1884 * Since setuid only affects the current process, and since the SELinux 1885 * controls are not based on the Linux identity attributes, SELinux does not 1886 * need to control this operation. However, SELinux does control the use of 1887 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 1888 */ 1889 1890 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 1891 int cap, int audit) 1892 { 1893 int rc; 1894 1895 rc = cap_capable(cred, ns, cap, audit); 1896 if (rc) 1897 return rc; 1898 1899 return cred_has_capability(cred, cap, audit); 1900 } 1901 1902 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 1903 { 1904 const struct cred *cred = current_cred(); 1905 int rc = 0; 1906 1907 if (!sb) 1908 return 0; 1909 1910 switch (cmds) { 1911 case Q_SYNC: 1912 case Q_QUOTAON: 1913 case Q_QUOTAOFF: 1914 case Q_SETINFO: 1915 case Q_SETQUOTA: 1916 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 1917 break; 1918 case Q_GETFMT: 1919 case Q_GETINFO: 1920 case Q_GETQUOTA: 1921 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 1922 break; 1923 default: 1924 rc = 0; /* let the kernel handle invalid cmds */ 1925 break; 1926 } 1927 return rc; 1928 } 1929 1930 static int selinux_quota_on(struct dentry *dentry) 1931 { 1932 const struct cred *cred = current_cred(); 1933 1934 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 1935 } 1936 1937 static int selinux_syslog(int type) 1938 { 1939 int rc; 1940 1941 switch (type) { 1942 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 1943 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 1944 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 1945 break; 1946 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 1947 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 1948 /* Set level of messages printed to console */ 1949 case SYSLOG_ACTION_CONSOLE_LEVEL: 1950 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); 1951 break; 1952 case SYSLOG_ACTION_CLOSE: /* Close log */ 1953 case SYSLOG_ACTION_OPEN: /* Open log */ 1954 case SYSLOG_ACTION_READ: /* Read from log */ 1955 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */ 1956 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */ 1957 default: 1958 rc = task_has_system(current, SYSTEM__SYSLOG_MOD); 1959 break; 1960 } 1961 return rc; 1962 } 1963 1964 /* 1965 * Check that a process has enough memory to allocate a new virtual 1966 * mapping. 0 means there is enough memory for the allocation to 1967 * succeed and -ENOMEM implies there is not. 1968 * 1969 * Do not audit the selinux permission check, as this is applied to all 1970 * processes that allocate mappings. 1971 */ 1972 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 1973 { 1974 int rc, cap_sys_admin = 0; 1975 1976 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN, 1977 SECURITY_CAP_NOAUDIT); 1978 if (rc == 0) 1979 cap_sys_admin = 1; 1980 1981 return __vm_enough_memory(mm, pages, cap_sys_admin); 1982 } 1983 1984 /* binprm security operations */ 1985 1986 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 1987 { 1988 const struct task_security_struct *old_tsec; 1989 struct task_security_struct *new_tsec; 1990 struct inode_security_struct *isec; 1991 struct common_audit_data ad; 1992 struct inode *inode = file_inode(bprm->file); 1993 int rc; 1994 1995 rc = cap_bprm_set_creds(bprm); 1996 if (rc) 1997 return rc; 1998 1999 /* SELinux context only depends on initial program or script and not 2000 * the script interpreter */ 2001 if (bprm->cred_prepared) 2002 return 0; 2003 2004 old_tsec = current_security(); 2005 new_tsec = bprm->cred->security; 2006 isec = inode->i_security; 2007 2008 /* Default to the current task SID. */ 2009 new_tsec->sid = old_tsec->sid; 2010 new_tsec->osid = old_tsec->sid; 2011 2012 /* Reset fs, key, and sock SIDs on execve. */ 2013 new_tsec->create_sid = 0; 2014 new_tsec->keycreate_sid = 0; 2015 new_tsec->sockcreate_sid = 0; 2016 2017 if (old_tsec->exec_sid) { 2018 new_tsec->sid = old_tsec->exec_sid; 2019 /* Reset exec SID on execve. */ 2020 new_tsec->exec_sid = 0; 2021 2022 /* 2023 * Minimize confusion: if no_new_privs and a transition is 2024 * explicitly requested, then fail the exec. 2025 */ 2026 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) 2027 return -EPERM; 2028 } else { 2029 /* Check for a default transition on this program. */ 2030 rc = security_transition_sid(old_tsec->sid, isec->sid, 2031 SECCLASS_PROCESS, NULL, 2032 &new_tsec->sid); 2033 if (rc) 2034 return rc; 2035 } 2036 2037 ad.type = LSM_AUDIT_DATA_PATH; 2038 ad.u.path = bprm->file->f_path; 2039 2040 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) || 2041 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) 2042 new_tsec->sid = old_tsec->sid; 2043 2044 if (new_tsec->sid == old_tsec->sid) { 2045 rc = avc_has_perm(old_tsec->sid, isec->sid, 2046 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2047 if (rc) 2048 return rc; 2049 } else { 2050 /* Check permissions for the transition. */ 2051 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2052 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2053 if (rc) 2054 return rc; 2055 2056 rc = avc_has_perm(new_tsec->sid, isec->sid, 2057 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2058 if (rc) 2059 return rc; 2060 2061 /* Check for shared state */ 2062 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2063 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2064 SECCLASS_PROCESS, PROCESS__SHARE, 2065 NULL); 2066 if (rc) 2067 return -EPERM; 2068 } 2069 2070 /* Make sure that anyone attempting to ptrace over a task that 2071 * changes its SID has the appropriate permit */ 2072 if (bprm->unsafe & 2073 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 2074 struct task_struct *tracer; 2075 struct task_security_struct *sec; 2076 u32 ptsid = 0; 2077 2078 rcu_read_lock(); 2079 tracer = ptrace_parent(current); 2080 if (likely(tracer != NULL)) { 2081 sec = __task_cred(tracer)->security; 2082 ptsid = sec->sid; 2083 } 2084 rcu_read_unlock(); 2085 2086 if (ptsid != 0) { 2087 rc = avc_has_perm(ptsid, new_tsec->sid, 2088 SECCLASS_PROCESS, 2089 PROCESS__PTRACE, NULL); 2090 if (rc) 2091 return -EPERM; 2092 } 2093 } 2094 2095 /* Clear any possibly unsafe personality bits on exec: */ 2096 bprm->per_clear |= PER_CLEAR_ON_SETID; 2097 } 2098 2099 return 0; 2100 } 2101 2102 static int selinux_bprm_secureexec(struct linux_binprm *bprm) 2103 { 2104 const struct task_security_struct *tsec = current_security(); 2105 u32 sid, osid; 2106 int atsecure = 0; 2107 2108 sid = tsec->sid; 2109 osid = tsec->osid; 2110 2111 if (osid != sid) { 2112 /* Enable secure mode for SIDs transitions unless 2113 the noatsecure permission is granted between 2114 the two SIDs, i.e. ahp returns 0. */ 2115 atsecure = avc_has_perm(osid, sid, 2116 SECCLASS_PROCESS, 2117 PROCESS__NOATSECURE, NULL); 2118 } 2119 2120 return (atsecure || cap_bprm_secureexec(bprm)); 2121 } 2122 2123 static int match_file(const void *p, struct file *file, unsigned fd) 2124 { 2125 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2126 } 2127 2128 /* Derived from fs/exec.c:flush_old_files. */ 2129 static inline void flush_unauthorized_files(const struct cred *cred, 2130 struct files_struct *files) 2131 { 2132 struct file *file, *devnull = NULL; 2133 struct tty_struct *tty; 2134 int drop_tty = 0; 2135 unsigned n; 2136 2137 tty = get_current_tty(); 2138 if (tty) { 2139 spin_lock(&tty_files_lock); 2140 if (!list_empty(&tty->tty_files)) { 2141 struct tty_file_private *file_priv; 2142 2143 /* Revalidate access to controlling tty. 2144 Use path_has_perm on the tty path directly rather 2145 than using file_has_perm, as this particular open 2146 file may belong to another process and we are only 2147 interested in the inode-based check here. */ 2148 file_priv = list_first_entry(&tty->tty_files, 2149 struct tty_file_private, list); 2150 file = file_priv->file; 2151 if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE)) 2152 drop_tty = 1; 2153 } 2154 spin_unlock(&tty_files_lock); 2155 tty_kref_put(tty); 2156 } 2157 /* Reset controlling tty. */ 2158 if (drop_tty) 2159 no_tty(); 2160 2161 /* Revalidate access to inherited open files. */ 2162 n = iterate_fd(files, 0, match_file, cred); 2163 if (!n) /* none found? */ 2164 return; 2165 2166 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2167 if (IS_ERR(devnull)) 2168 devnull = NULL; 2169 /* replace all the matching ones with this */ 2170 do { 2171 replace_fd(n - 1, devnull, 0); 2172 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2173 if (devnull) 2174 fput(devnull); 2175 } 2176 2177 /* 2178 * Prepare a process for imminent new credential changes due to exec 2179 */ 2180 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2181 { 2182 struct task_security_struct *new_tsec; 2183 struct rlimit *rlim, *initrlim; 2184 int rc, i; 2185 2186 new_tsec = bprm->cred->security; 2187 if (new_tsec->sid == new_tsec->osid) 2188 return; 2189 2190 /* Close files for which the new task SID is not authorized. */ 2191 flush_unauthorized_files(bprm->cred, current->files); 2192 2193 /* Always clear parent death signal on SID transitions. */ 2194 current->pdeath_signal = 0; 2195 2196 /* Check whether the new SID can inherit resource limits from the old 2197 * SID. If not, reset all soft limits to the lower of the current 2198 * task's hard limit and the init task's soft limit. 2199 * 2200 * Note that the setting of hard limits (even to lower them) can be 2201 * controlled by the setrlimit check. The inclusion of the init task's 2202 * soft limit into the computation is to avoid resetting soft limits 2203 * higher than the default soft limit for cases where the default is 2204 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2205 */ 2206 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2207 PROCESS__RLIMITINH, NULL); 2208 if (rc) { 2209 /* protect against do_prlimit() */ 2210 task_lock(current); 2211 for (i = 0; i < RLIM_NLIMITS; i++) { 2212 rlim = current->signal->rlim + i; 2213 initrlim = init_task.signal->rlim + i; 2214 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2215 } 2216 task_unlock(current); 2217 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2218 } 2219 } 2220 2221 /* 2222 * Clean up the process immediately after the installation of new credentials 2223 * due to exec 2224 */ 2225 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2226 { 2227 const struct task_security_struct *tsec = current_security(); 2228 struct itimerval itimer; 2229 u32 osid, sid; 2230 int rc, i; 2231 2232 osid = tsec->osid; 2233 sid = tsec->sid; 2234 2235 if (sid == osid) 2236 return; 2237 2238 /* Check whether the new SID can inherit signal state from the old SID. 2239 * If not, clear itimers to avoid subsequent signal generation and 2240 * flush and unblock signals. 2241 * 2242 * This must occur _after_ the task SID has been updated so that any 2243 * kill done after the flush will be checked against the new SID. 2244 */ 2245 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2246 if (rc) { 2247 memset(&itimer, 0, sizeof itimer); 2248 for (i = 0; i < 3; i++) 2249 do_setitimer(i, &itimer, NULL); 2250 spin_lock_irq(¤t->sighand->siglock); 2251 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) { 2252 __flush_signals(current); 2253 flush_signal_handlers(current, 1); 2254 sigemptyset(¤t->blocked); 2255 } 2256 spin_unlock_irq(¤t->sighand->siglock); 2257 } 2258 2259 /* Wake up the parent if it is waiting so that it can recheck 2260 * wait permission to the new task SID. */ 2261 read_lock(&tasklist_lock); 2262 __wake_up_parent(current, current->real_parent); 2263 read_unlock(&tasklist_lock); 2264 } 2265 2266 /* superblock security operations */ 2267 2268 static int selinux_sb_alloc_security(struct super_block *sb) 2269 { 2270 return superblock_alloc_security(sb); 2271 } 2272 2273 static void selinux_sb_free_security(struct super_block *sb) 2274 { 2275 superblock_free_security(sb); 2276 } 2277 2278 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2279 { 2280 if (plen > olen) 2281 return 0; 2282 2283 return !memcmp(prefix, option, plen); 2284 } 2285 2286 static inline int selinux_option(char *option, int len) 2287 { 2288 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || 2289 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || 2290 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || 2291 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || 2292 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); 2293 } 2294 2295 static inline void take_option(char **to, char *from, int *first, int len) 2296 { 2297 if (!*first) { 2298 **to = ','; 2299 *to += 1; 2300 } else 2301 *first = 0; 2302 memcpy(*to, from, len); 2303 *to += len; 2304 } 2305 2306 static inline void take_selinux_option(char **to, char *from, int *first, 2307 int len) 2308 { 2309 int current_size = 0; 2310 2311 if (!*first) { 2312 **to = '|'; 2313 *to += 1; 2314 } else 2315 *first = 0; 2316 2317 while (current_size < len) { 2318 if (*from != '"') { 2319 **to = *from; 2320 *to += 1; 2321 } 2322 from += 1; 2323 current_size += 1; 2324 } 2325 } 2326 2327 static int selinux_sb_copy_data(char *orig, char *copy) 2328 { 2329 int fnosec, fsec, rc = 0; 2330 char *in_save, *in_curr, *in_end; 2331 char *sec_curr, *nosec_save, *nosec; 2332 int open_quote = 0; 2333 2334 in_curr = orig; 2335 sec_curr = copy; 2336 2337 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2338 if (!nosec) { 2339 rc = -ENOMEM; 2340 goto out; 2341 } 2342 2343 nosec_save = nosec; 2344 fnosec = fsec = 1; 2345 in_save = in_end = orig; 2346 2347 do { 2348 if (*in_end == '"') 2349 open_quote = !open_quote; 2350 if ((*in_end == ',' && open_quote == 0) || 2351 *in_end == '\0') { 2352 int len = in_end - in_curr; 2353 2354 if (selinux_option(in_curr, len)) 2355 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2356 else 2357 take_option(&nosec, in_curr, &fnosec, len); 2358 2359 in_curr = in_end + 1; 2360 } 2361 } while (*in_end++); 2362 2363 strcpy(in_save, nosec_save); 2364 free_page((unsigned long)nosec_save); 2365 out: 2366 return rc; 2367 } 2368 2369 static int selinux_sb_remount(struct super_block *sb, void *data) 2370 { 2371 int rc, i, *flags; 2372 struct security_mnt_opts opts; 2373 char *secdata, **mount_options; 2374 struct superblock_security_struct *sbsec = sb->s_security; 2375 2376 if (!(sbsec->flags & SE_SBINITIALIZED)) 2377 return 0; 2378 2379 if (!data) 2380 return 0; 2381 2382 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 2383 return 0; 2384 2385 security_init_mnt_opts(&opts); 2386 secdata = alloc_secdata(); 2387 if (!secdata) 2388 return -ENOMEM; 2389 rc = selinux_sb_copy_data(data, secdata); 2390 if (rc) 2391 goto out_free_secdata; 2392 2393 rc = selinux_parse_opts_str(secdata, &opts); 2394 if (rc) 2395 goto out_free_secdata; 2396 2397 mount_options = opts.mnt_opts; 2398 flags = opts.mnt_opts_flags; 2399 2400 for (i = 0; i < opts.num_mnt_opts; i++) { 2401 u32 sid; 2402 size_t len; 2403 2404 if (flags[i] == SE_SBLABELSUPP) 2405 continue; 2406 len = strlen(mount_options[i]); 2407 rc = security_context_to_sid(mount_options[i], len, &sid); 2408 if (rc) { 2409 printk(KERN_WARNING "SELinux: security_context_to_sid" 2410 "(%s) failed for (dev %s, type %s) errno=%d\n", 2411 mount_options[i], sb->s_id, sb->s_type->name, rc); 2412 goto out_free_opts; 2413 } 2414 rc = -EINVAL; 2415 switch (flags[i]) { 2416 case FSCONTEXT_MNT: 2417 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2418 goto out_bad_option; 2419 break; 2420 case CONTEXT_MNT: 2421 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2422 goto out_bad_option; 2423 break; 2424 case ROOTCONTEXT_MNT: { 2425 struct inode_security_struct *root_isec; 2426 root_isec = sb->s_root->d_inode->i_security; 2427 2428 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2429 goto out_bad_option; 2430 break; 2431 } 2432 case DEFCONTEXT_MNT: 2433 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2434 goto out_bad_option; 2435 break; 2436 default: 2437 goto out_free_opts; 2438 } 2439 } 2440 2441 rc = 0; 2442 out_free_opts: 2443 security_free_mnt_opts(&opts); 2444 out_free_secdata: 2445 free_secdata(secdata); 2446 return rc; 2447 out_bad_option: 2448 printk(KERN_WARNING "SELinux: unable to change security options " 2449 "during remount (dev %s, type=%s)\n", sb->s_id, 2450 sb->s_type->name); 2451 goto out_free_opts; 2452 } 2453 2454 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) 2455 { 2456 const struct cred *cred = current_cred(); 2457 struct common_audit_data ad; 2458 int rc; 2459 2460 rc = superblock_doinit(sb, data); 2461 if (rc) 2462 return rc; 2463 2464 /* Allow all mounts performed by the kernel */ 2465 if (flags & MS_KERNMOUNT) 2466 return 0; 2467 2468 ad.type = LSM_AUDIT_DATA_DENTRY; 2469 ad.u.dentry = sb->s_root; 2470 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2471 } 2472 2473 static int selinux_sb_statfs(struct dentry *dentry) 2474 { 2475 const struct cred *cred = current_cred(); 2476 struct common_audit_data ad; 2477 2478 ad.type = LSM_AUDIT_DATA_DENTRY; 2479 ad.u.dentry = dentry->d_sb->s_root; 2480 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2481 } 2482 2483 static int selinux_mount(const char *dev_name, 2484 struct path *path, 2485 const char *type, 2486 unsigned long flags, 2487 void *data) 2488 { 2489 const struct cred *cred = current_cred(); 2490 2491 if (flags & MS_REMOUNT) 2492 return superblock_has_perm(cred, path->dentry->d_sb, 2493 FILESYSTEM__REMOUNT, NULL); 2494 else 2495 return path_has_perm(cred, path, FILE__MOUNTON); 2496 } 2497 2498 static int selinux_umount(struct vfsmount *mnt, int flags) 2499 { 2500 const struct cred *cred = current_cred(); 2501 2502 return superblock_has_perm(cred, mnt->mnt_sb, 2503 FILESYSTEM__UNMOUNT, NULL); 2504 } 2505 2506 /* inode security operations */ 2507 2508 static int selinux_inode_alloc_security(struct inode *inode) 2509 { 2510 return inode_alloc_security(inode); 2511 } 2512 2513 static void selinux_inode_free_security(struct inode *inode) 2514 { 2515 inode_free_security(inode); 2516 } 2517 2518 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2519 const struct qstr *qstr, char **name, 2520 void **value, size_t *len) 2521 { 2522 const struct task_security_struct *tsec = current_security(); 2523 struct inode_security_struct *dsec; 2524 struct superblock_security_struct *sbsec; 2525 u32 sid, newsid, clen; 2526 int rc; 2527 char *namep = NULL, *context; 2528 2529 dsec = dir->i_security; 2530 sbsec = dir->i_sb->s_security; 2531 2532 sid = tsec->sid; 2533 newsid = tsec->create_sid; 2534 2535 if ((sbsec->flags & SE_SBINITIALIZED) && 2536 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) 2537 newsid = sbsec->mntpoint_sid; 2538 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { 2539 rc = security_transition_sid(sid, dsec->sid, 2540 inode_mode_to_security_class(inode->i_mode), 2541 qstr, &newsid); 2542 if (rc) { 2543 printk(KERN_WARNING "%s: " 2544 "security_transition_sid failed, rc=%d (dev=%s " 2545 "ino=%ld)\n", 2546 __func__, 2547 -rc, inode->i_sb->s_id, inode->i_ino); 2548 return rc; 2549 } 2550 } 2551 2552 /* Possibly defer initialization to selinux_complete_init. */ 2553 if (sbsec->flags & SE_SBINITIALIZED) { 2554 struct inode_security_struct *isec = inode->i_security; 2555 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2556 isec->sid = newsid; 2557 isec->initialized = 1; 2558 } 2559 2560 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP)) 2561 return -EOPNOTSUPP; 2562 2563 if (name) { 2564 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS); 2565 if (!namep) 2566 return -ENOMEM; 2567 *name = namep; 2568 } 2569 2570 if (value && len) { 2571 rc = security_sid_to_context_force(newsid, &context, &clen); 2572 if (rc) { 2573 kfree(namep); 2574 return rc; 2575 } 2576 *value = context; 2577 *len = clen; 2578 } 2579 2580 return 0; 2581 } 2582 2583 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 2584 { 2585 return may_create(dir, dentry, SECCLASS_FILE); 2586 } 2587 2588 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2589 { 2590 return may_link(dir, old_dentry, MAY_LINK); 2591 } 2592 2593 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2594 { 2595 return may_link(dir, dentry, MAY_UNLINK); 2596 } 2597 2598 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2599 { 2600 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2601 } 2602 2603 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 2604 { 2605 return may_create(dir, dentry, SECCLASS_DIR); 2606 } 2607 2608 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2609 { 2610 return may_link(dir, dentry, MAY_RMDIR); 2611 } 2612 2613 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 2614 { 2615 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2616 } 2617 2618 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2619 struct inode *new_inode, struct dentry *new_dentry) 2620 { 2621 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2622 } 2623 2624 static int selinux_inode_readlink(struct dentry *dentry) 2625 { 2626 const struct cred *cred = current_cred(); 2627 2628 return dentry_has_perm(cred, dentry, FILE__READ); 2629 } 2630 2631 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) 2632 { 2633 const struct cred *cred = current_cred(); 2634 2635 return dentry_has_perm(cred, dentry, FILE__READ); 2636 } 2637 2638 static noinline int audit_inode_permission(struct inode *inode, 2639 u32 perms, u32 audited, u32 denied, 2640 unsigned flags) 2641 { 2642 struct common_audit_data ad; 2643 struct inode_security_struct *isec = inode->i_security; 2644 int rc; 2645 2646 ad.type = LSM_AUDIT_DATA_INODE; 2647 ad.u.inode = inode; 2648 2649 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 2650 audited, denied, &ad, flags); 2651 if (rc) 2652 return rc; 2653 return 0; 2654 } 2655 2656 static int selinux_inode_permission(struct inode *inode, int mask) 2657 { 2658 const struct cred *cred = current_cred(); 2659 u32 perms; 2660 bool from_access; 2661 unsigned flags = mask & MAY_NOT_BLOCK; 2662 struct inode_security_struct *isec; 2663 u32 sid; 2664 struct av_decision avd; 2665 int rc, rc2; 2666 u32 audited, denied; 2667 2668 from_access = mask & MAY_ACCESS; 2669 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 2670 2671 /* No permission to check. Existence test. */ 2672 if (!mask) 2673 return 0; 2674 2675 validate_creds(cred); 2676 2677 if (unlikely(IS_PRIVATE(inode))) 2678 return 0; 2679 2680 perms = file_mask_to_av(inode->i_mode, mask); 2681 2682 sid = cred_sid(cred); 2683 isec = inode->i_security; 2684 2685 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); 2686 audited = avc_audit_required(perms, &avd, rc, 2687 from_access ? FILE__AUDIT_ACCESS : 0, 2688 &denied); 2689 if (likely(!audited)) 2690 return rc; 2691 2692 rc2 = audit_inode_permission(inode, perms, audited, denied, flags); 2693 if (rc2) 2694 return rc2; 2695 return rc; 2696 } 2697 2698 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2699 { 2700 const struct cred *cred = current_cred(); 2701 unsigned int ia_valid = iattr->ia_valid; 2702 __u32 av = FILE__WRITE; 2703 2704 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 2705 if (ia_valid & ATTR_FORCE) { 2706 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 2707 ATTR_FORCE); 2708 if (!ia_valid) 2709 return 0; 2710 } 2711 2712 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 2713 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 2714 return dentry_has_perm(cred, dentry, FILE__SETATTR); 2715 2716 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)) 2717 av |= FILE__OPEN; 2718 2719 return dentry_has_perm(cred, dentry, av); 2720 } 2721 2722 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 2723 { 2724 const struct cred *cred = current_cred(); 2725 struct path path; 2726 2727 path.dentry = dentry; 2728 path.mnt = mnt; 2729 2730 return path_has_perm(cred, &path, FILE__GETATTR); 2731 } 2732 2733 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name) 2734 { 2735 const struct cred *cred = current_cred(); 2736 2737 if (!strncmp(name, XATTR_SECURITY_PREFIX, 2738 sizeof XATTR_SECURITY_PREFIX - 1)) { 2739 if (!strcmp(name, XATTR_NAME_CAPS)) { 2740 if (!capable(CAP_SETFCAP)) 2741 return -EPERM; 2742 } else if (!capable(CAP_SYS_ADMIN)) { 2743 /* A different attribute in the security namespace. 2744 Restrict to administrator. */ 2745 return -EPERM; 2746 } 2747 } 2748 2749 /* Not an attribute we recognize, so just check the 2750 ordinary setattr permission. */ 2751 return dentry_has_perm(cred, dentry, FILE__SETATTR); 2752 } 2753 2754 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 2755 const void *value, size_t size, int flags) 2756 { 2757 struct inode *inode = dentry->d_inode; 2758 struct inode_security_struct *isec = inode->i_security; 2759 struct superblock_security_struct *sbsec; 2760 struct common_audit_data ad; 2761 u32 newsid, sid = current_sid(); 2762 int rc = 0; 2763 2764 if (strcmp(name, XATTR_NAME_SELINUX)) 2765 return selinux_inode_setotherxattr(dentry, name); 2766 2767 sbsec = inode->i_sb->s_security; 2768 if (!(sbsec->flags & SE_SBLABELSUPP)) 2769 return -EOPNOTSUPP; 2770 2771 if (!inode_owner_or_capable(inode)) 2772 return -EPERM; 2773 2774 ad.type = LSM_AUDIT_DATA_DENTRY; 2775 ad.u.dentry = dentry; 2776 2777 rc = avc_has_perm(sid, isec->sid, isec->sclass, 2778 FILE__RELABELFROM, &ad); 2779 if (rc) 2780 return rc; 2781 2782 rc = security_context_to_sid(value, size, &newsid); 2783 if (rc == -EINVAL) { 2784 if (!capable(CAP_MAC_ADMIN)) { 2785 struct audit_buffer *ab; 2786 size_t audit_size; 2787 const char *str; 2788 2789 /* We strip a nul only if it is at the end, otherwise the 2790 * context contains a nul and we should audit that */ 2791 if (value) { 2792 str = value; 2793 if (str[size - 1] == '\0') 2794 audit_size = size - 1; 2795 else 2796 audit_size = size; 2797 } else { 2798 str = ""; 2799 audit_size = 0; 2800 } 2801 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 2802 audit_log_format(ab, "op=setxattr invalid_context="); 2803 audit_log_n_untrustedstring(ab, value, audit_size); 2804 audit_log_end(ab); 2805 2806 return rc; 2807 } 2808 rc = security_context_to_sid_force(value, size, &newsid); 2809 } 2810 if (rc) 2811 return rc; 2812 2813 rc = avc_has_perm(sid, newsid, isec->sclass, 2814 FILE__RELABELTO, &ad); 2815 if (rc) 2816 return rc; 2817 2818 rc = security_validate_transition(isec->sid, newsid, sid, 2819 isec->sclass); 2820 if (rc) 2821 return rc; 2822 2823 return avc_has_perm(newsid, 2824 sbsec->sid, 2825 SECCLASS_FILESYSTEM, 2826 FILESYSTEM__ASSOCIATE, 2827 &ad); 2828 } 2829 2830 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 2831 const void *value, size_t size, 2832 int flags) 2833 { 2834 struct inode *inode = dentry->d_inode; 2835 struct inode_security_struct *isec = inode->i_security; 2836 u32 newsid; 2837 int rc; 2838 2839 if (strcmp(name, XATTR_NAME_SELINUX)) { 2840 /* Not an attribute we recognize, so nothing to do. */ 2841 return; 2842 } 2843 2844 rc = security_context_to_sid_force(value, size, &newsid); 2845 if (rc) { 2846 printk(KERN_ERR "SELinux: unable to map context to SID" 2847 "for (%s, %lu), rc=%d\n", 2848 inode->i_sb->s_id, inode->i_ino, -rc); 2849 return; 2850 } 2851 2852 isec->sid = newsid; 2853 return; 2854 } 2855 2856 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 2857 { 2858 const struct cred *cred = current_cred(); 2859 2860 return dentry_has_perm(cred, dentry, FILE__GETATTR); 2861 } 2862 2863 static int selinux_inode_listxattr(struct dentry *dentry) 2864 { 2865 const struct cred *cred = current_cred(); 2866 2867 return dentry_has_perm(cred, dentry, FILE__GETATTR); 2868 } 2869 2870 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 2871 { 2872 if (strcmp(name, XATTR_NAME_SELINUX)) 2873 return selinux_inode_setotherxattr(dentry, name); 2874 2875 /* No one is allowed to remove a SELinux security label. 2876 You can change the label, but all data must be labeled. */ 2877 return -EACCES; 2878 } 2879 2880 /* 2881 * Copy the inode security context value to the user. 2882 * 2883 * Permission check is handled by selinux_inode_getxattr hook. 2884 */ 2885 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc) 2886 { 2887 u32 size; 2888 int error; 2889 char *context = NULL; 2890 struct inode_security_struct *isec = inode->i_security; 2891 2892 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2893 return -EOPNOTSUPP; 2894 2895 /* 2896 * If the caller has CAP_MAC_ADMIN, then get the raw context 2897 * value even if it is not defined by current policy; otherwise, 2898 * use the in-core value under current policy. 2899 * Use the non-auditing forms of the permission checks since 2900 * getxattr may be called by unprivileged processes commonly 2901 * and lack of permission just means that we fall back to the 2902 * in-core context value, not a denial. 2903 */ 2904 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN, 2905 SECURITY_CAP_NOAUDIT); 2906 if (!error) 2907 error = security_sid_to_context_force(isec->sid, &context, 2908 &size); 2909 else 2910 error = security_sid_to_context(isec->sid, &context, &size); 2911 if (error) 2912 return error; 2913 error = size; 2914 if (alloc) { 2915 *buffer = context; 2916 goto out_nofree; 2917 } 2918 kfree(context); 2919 out_nofree: 2920 return error; 2921 } 2922 2923 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 2924 const void *value, size_t size, int flags) 2925 { 2926 struct inode_security_struct *isec = inode->i_security; 2927 u32 newsid; 2928 int rc; 2929 2930 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2931 return -EOPNOTSUPP; 2932 2933 if (!value || !size) 2934 return -EACCES; 2935 2936 rc = security_context_to_sid((void *)value, size, &newsid); 2937 if (rc) 2938 return rc; 2939 2940 isec->sid = newsid; 2941 isec->initialized = 1; 2942 return 0; 2943 } 2944 2945 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 2946 { 2947 const int len = sizeof(XATTR_NAME_SELINUX); 2948 if (buffer && len <= buffer_size) 2949 memcpy(buffer, XATTR_NAME_SELINUX, len); 2950 return len; 2951 } 2952 2953 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid) 2954 { 2955 struct inode_security_struct *isec = inode->i_security; 2956 *secid = isec->sid; 2957 } 2958 2959 /* file security operations */ 2960 2961 static int selinux_revalidate_file_permission(struct file *file, int mask) 2962 { 2963 const struct cred *cred = current_cred(); 2964 struct inode *inode = file_inode(file); 2965 2966 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 2967 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 2968 mask |= MAY_APPEND; 2969 2970 return file_has_perm(cred, file, 2971 file_mask_to_av(inode->i_mode, mask)); 2972 } 2973 2974 static int selinux_file_permission(struct file *file, int mask) 2975 { 2976 struct inode *inode = file_inode(file); 2977 struct file_security_struct *fsec = file->f_security; 2978 struct inode_security_struct *isec = inode->i_security; 2979 u32 sid = current_sid(); 2980 2981 if (!mask) 2982 /* No permission to check. Existence test. */ 2983 return 0; 2984 2985 if (sid == fsec->sid && fsec->isid == isec->sid && 2986 fsec->pseqno == avc_policy_seqno()) 2987 /* No change since file_open check. */ 2988 return 0; 2989 2990 return selinux_revalidate_file_permission(file, mask); 2991 } 2992 2993 static int selinux_file_alloc_security(struct file *file) 2994 { 2995 return file_alloc_security(file); 2996 } 2997 2998 static void selinux_file_free_security(struct file *file) 2999 { 3000 file_free_security(file); 3001 } 3002 3003 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3004 unsigned long arg) 3005 { 3006 const struct cred *cred = current_cred(); 3007 int error = 0; 3008 3009 switch (cmd) { 3010 case FIONREAD: 3011 /* fall through */ 3012 case FIBMAP: 3013 /* fall through */ 3014 case FIGETBSZ: 3015 /* fall through */ 3016 case FS_IOC_GETFLAGS: 3017 /* fall through */ 3018 case FS_IOC_GETVERSION: 3019 error = file_has_perm(cred, file, FILE__GETATTR); 3020 break; 3021 3022 case FS_IOC_SETFLAGS: 3023 /* fall through */ 3024 case FS_IOC_SETVERSION: 3025 error = file_has_perm(cred, file, FILE__SETATTR); 3026 break; 3027 3028 /* sys_ioctl() checks */ 3029 case FIONBIO: 3030 /* fall through */ 3031 case FIOASYNC: 3032 error = file_has_perm(cred, file, 0); 3033 break; 3034 3035 case KDSKBENT: 3036 case KDSKBSENT: 3037 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3038 SECURITY_CAP_AUDIT); 3039 break; 3040 3041 /* default case assumes that the command will go 3042 * to the file's ioctl() function. 3043 */ 3044 default: 3045 error = file_has_perm(cred, file, FILE__IOCTL); 3046 } 3047 return error; 3048 } 3049 3050 static int default_noexec; 3051 3052 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3053 { 3054 const struct cred *cred = current_cred(); 3055 int rc = 0; 3056 3057 if (default_noexec && 3058 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { 3059 /* 3060 * We are making executable an anonymous mapping or a 3061 * private file mapping that will also be writable. 3062 * This has an additional check. 3063 */ 3064 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM); 3065 if (rc) 3066 goto error; 3067 } 3068 3069 if (file) { 3070 /* read access is always possible with a mapping */ 3071 u32 av = FILE__READ; 3072 3073 /* write access only matters if the mapping is shared */ 3074 if (shared && (prot & PROT_WRITE)) 3075 av |= FILE__WRITE; 3076 3077 if (prot & PROT_EXEC) 3078 av |= FILE__EXECUTE; 3079 3080 return file_has_perm(cred, file, av); 3081 } 3082 3083 error: 3084 return rc; 3085 } 3086 3087 static int selinux_mmap_addr(unsigned long addr) 3088 { 3089 int rc = 0; 3090 u32 sid = current_sid(); 3091 3092 /* 3093 * notice that we are intentionally putting the SELinux check before 3094 * the secondary cap_file_mmap check. This is such a likely attempt 3095 * at bad behaviour/exploit that we always want to get the AVC, even 3096 * if DAC would have also denied the operation. 3097 */ 3098 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3099 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3100 MEMPROTECT__MMAP_ZERO, NULL); 3101 if (rc) 3102 return rc; 3103 } 3104 3105 /* do DAC check on address space usage */ 3106 return cap_mmap_addr(addr); 3107 } 3108 3109 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3110 unsigned long prot, unsigned long flags) 3111 { 3112 if (selinux_checkreqprot) 3113 prot = reqprot; 3114 3115 return file_map_prot_check(file, prot, 3116 (flags & MAP_TYPE) == MAP_SHARED); 3117 } 3118 3119 static int selinux_file_mprotect(struct vm_area_struct *vma, 3120 unsigned long reqprot, 3121 unsigned long prot) 3122 { 3123 const struct cred *cred = current_cred(); 3124 3125 if (selinux_checkreqprot) 3126 prot = reqprot; 3127 3128 if (default_noexec && 3129 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3130 int rc = 0; 3131 if (vma->vm_start >= vma->vm_mm->start_brk && 3132 vma->vm_end <= vma->vm_mm->brk) { 3133 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP); 3134 } else if (!vma->vm_file && 3135 vma->vm_start <= vma->vm_mm->start_stack && 3136 vma->vm_end >= vma->vm_mm->start_stack) { 3137 rc = current_has_perm(current, PROCESS__EXECSTACK); 3138 } else if (vma->vm_file && vma->anon_vma) { 3139 /* 3140 * We are making executable a file mapping that has 3141 * had some COW done. Since pages might have been 3142 * written, check ability to execute the possibly 3143 * modified content. This typically should only 3144 * occur for text relocations. 3145 */ 3146 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3147 } 3148 if (rc) 3149 return rc; 3150 } 3151 3152 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3153 } 3154 3155 static int selinux_file_lock(struct file *file, unsigned int cmd) 3156 { 3157 const struct cred *cred = current_cred(); 3158 3159 return file_has_perm(cred, file, FILE__LOCK); 3160 } 3161 3162 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3163 unsigned long arg) 3164 { 3165 const struct cred *cred = current_cred(); 3166 int err = 0; 3167 3168 switch (cmd) { 3169 case F_SETFL: 3170 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3171 err = file_has_perm(cred, file, FILE__WRITE); 3172 break; 3173 } 3174 /* fall through */ 3175 case F_SETOWN: 3176 case F_SETSIG: 3177 case F_GETFL: 3178 case F_GETOWN: 3179 case F_GETSIG: 3180 case F_GETOWNER_UIDS: 3181 /* Just check FD__USE permission */ 3182 err = file_has_perm(cred, file, 0); 3183 break; 3184 case F_GETLK: 3185 case F_SETLK: 3186 case F_SETLKW: 3187 #if BITS_PER_LONG == 32 3188 case F_GETLK64: 3189 case F_SETLK64: 3190 case F_SETLKW64: 3191 #endif 3192 err = file_has_perm(cred, file, FILE__LOCK); 3193 break; 3194 } 3195 3196 return err; 3197 } 3198 3199 static int selinux_file_set_fowner(struct file *file) 3200 { 3201 struct file_security_struct *fsec; 3202 3203 fsec = file->f_security; 3204 fsec->fown_sid = current_sid(); 3205 3206 return 0; 3207 } 3208 3209 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3210 struct fown_struct *fown, int signum) 3211 { 3212 struct file *file; 3213 u32 sid = task_sid(tsk); 3214 u32 perm; 3215 struct file_security_struct *fsec; 3216 3217 /* struct fown_struct is never outside the context of a struct file */ 3218 file = container_of(fown, struct file, f_owner); 3219 3220 fsec = file->f_security; 3221 3222 if (!signum) 3223 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3224 else 3225 perm = signal_to_av(signum); 3226 3227 return avc_has_perm(fsec->fown_sid, sid, 3228 SECCLASS_PROCESS, perm, NULL); 3229 } 3230 3231 static int selinux_file_receive(struct file *file) 3232 { 3233 const struct cred *cred = current_cred(); 3234 3235 return file_has_perm(cred, file, file_to_av(file)); 3236 } 3237 3238 static int selinux_file_open(struct file *file, const struct cred *cred) 3239 { 3240 struct file_security_struct *fsec; 3241 struct inode_security_struct *isec; 3242 3243 fsec = file->f_security; 3244 isec = file_inode(file)->i_security; 3245 /* 3246 * Save inode label and policy sequence number 3247 * at open-time so that selinux_file_permission 3248 * can determine whether revalidation is necessary. 3249 * Task label is already saved in the file security 3250 * struct as its SID. 3251 */ 3252 fsec->isid = isec->sid; 3253 fsec->pseqno = avc_policy_seqno(); 3254 /* 3255 * Since the inode label or policy seqno may have changed 3256 * between the selinux_inode_permission check and the saving 3257 * of state above, recheck that access is still permitted. 3258 * Otherwise, access might never be revalidated against the 3259 * new inode label or new policy. 3260 * This check is not redundant - do not remove. 3261 */ 3262 return path_has_perm(cred, &file->f_path, open_file_to_av(file)); 3263 } 3264 3265 /* task security operations */ 3266 3267 static int selinux_task_create(unsigned long clone_flags) 3268 { 3269 return current_has_perm(current, PROCESS__FORK); 3270 } 3271 3272 /* 3273 * allocate the SELinux part of blank credentials 3274 */ 3275 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) 3276 { 3277 struct task_security_struct *tsec; 3278 3279 tsec = kzalloc(sizeof(struct task_security_struct), gfp); 3280 if (!tsec) 3281 return -ENOMEM; 3282 3283 cred->security = tsec; 3284 return 0; 3285 } 3286 3287 /* 3288 * detach and free the LSM part of a set of credentials 3289 */ 3290 static void selinux_cred_free(struct cred *cred) 3291 { 3292 struct task_security_struct *tsec = cred->security; 3293 3294 /* 3295 * cred->security == NULL if security_cred_alloc_blank() or 3296 * security_prepare_creds() returned an error. 3297 */ 3298 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); 3299 cred->security = (void *) 0x7UL; 3300 kfree(tsec); 3301 } 3302 3303 /* 3304 * prepare a new set of credentials for modification 3305 */ 3306 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3307 gfp_t gfp) 3308 { 3309 const struct task_security_struct *old_tsec; 3310 struct task_security_struct *tsec; 3311 3312 old_tsec = old->security; 3313 3314 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); 3315 if (!tsec) 3316 return -ENOMEM; 3317 3318 new->security = tsec; 3319 return 0; 3320 } 3321 3322 /* 3323 * transfer the SELinux data to a blank set of creds 3324 */ 3325 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3326 { 3327 const struct task_security_struct *old_tsec = old->security; 3328 struct task_security_struct *tsec = new->security; 3329 3330 *tsec = *old_tsec; 3331 } 3332 3333 /* 3334 * set the security data for a kernel service 3335 * - all the creation contexts are set to unlabelled 3336 */ 3337 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3338 { 3339 struct task_security_struct *tsec = new->security; 3340 u32 sid = current_sid(); 3341 int ret; 3342 3343 ret = avc_has_perm(sid, secid, 3344 SECCLASS_KERNEL_SERVICE, 3345 KERNEL_SERVICE__USE_AS_OVERRIDE, 3346 NULL); 3347 if (ret == 0) { 3348 tsec->sid = secid; 3349 tsec->create_sid = 0; 3350 tsec->keycreate_sid = 0; 3351 tsec->sockcreate_sid = 0; 3352 } 3353 return ret; 3354 } 3355 3356 /* 3357 * set the file creation context in a security record to the same as the 3358 * objective context of the specified inode 3359 */ 3360 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3361 { 3362 struct inode_security_struct *isec = inode->i_security; 3363 struct task_security_struct *tsec = new->security; 3364 u32 sid = current_sid(); 3365 int ret; 3366 3367 ret = avc_has_perm(sid, isec->sid, 3368 SECCLASS_KERNEL_SERVICE, 3369 KERNEL_SERVICE__CREATE_FILES_AS, 3370 NULL); 3371 3372 if (ret == 0) 3373 tsec->create_sid = isec->sid; 3374 return ret; 3375 } 3376 3377 static int selinux_kernel_module_request(char *kmod_name) 3378 { 3379 u32 sid; 3380 struct common_audit_data ad; 3381 3382 sid = task_sid(current); 3383 3384 ad.type = LSM_AUDIT_DATA_KMOD; 3385 ad.u.kmod_name = kmod_name; 3386 3387 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM, 3388 SYSTEM__MODULE_REQUEST, &ad); 3389 } 3390 3391 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3392 { 3393 return current_has_perm(p, PROCESS__SETPGID); 3394 } 3395 3396 static int selinux_task_getpgid(struct task_struct *p) 3397 { 3398 return current_has_perm(p, PROCESS__GETPGID); 3399 } 3400 3401 static int selinux_task_getsid(struct task_struct *p) 3402 { 3403 return current_has_perm(p, PROCESS__GETSESSION); 3404 } 3405 3406 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3407 { 3408 *secid = task_sid(p); 3409 } 3410 3411 static int selinux_task_setnice(struct task_struct *p, int nice) 3412 { 3413 int rc; 3414 3415 rc = cap_task_setnice(p, nice); 3416 if (rc) 3417 return rc; 3418 3419 return current_has_perm(p, PROCESS__SETSCHED); 3420 } 3421 3422 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3423 { 3424 int rc; 3425 3426 rc = cap_task_setioprio(p, ioprio); 3427 if (rc) 3428 return rc; 3429 3430 return current_has_perm(p, PROCESS__SETSCHED); 3431 } 3432 3433 static int selinux_task_getioprio(struct task_struct *p) 3434 { 3435 return current_has_perm(p, PROCESS__GETSCHED); 3436 } 3437 3438 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 3439 struct rlimit *new_rlim) 3440 { 3441 struct rlimit *old_rlim = p->signal->rlim + resource; 3442 3443 /* Control the ability to change the hard limit (whether 3444 lowering or raising it), so that the hard limit can 3445 later be used as a safe reset point for the soft limit 3446 upon context transitions. See selinux_bprm_committing_creds. */ 3447 if (old_rlim->rlim_max != new_rlim->rlim_max) 3448 return current_has_perm(p, PROCESS__SETRLIMIT); 3449 3450 return 0; 3451 } 3452 3453 static int selinux_task_setscheduler(struct task_struct *p) 3454 { 3455 int rc; 3456 3457 rc = cap_task_setscheduler(p); 3458 if (rc) 3459 return rc; 3460 3461 return current_has_perm(p, PROCESS__SETSCHED); 3462 } 3463 3464 static int selinux_task_getscheduler(struct task_struct *p) 3465 { 3466 return current_has_perm(p, PROCESS__GETSCHED); 3467 } 3468 3469 static int selinux_task_movememory(struct task_struct *p) 3470 { 3471 return current_has_perm(p, PROCESS__SETSCHED); 3472 } 3473 3474 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 3475 int sig, u32 secid) 3476 { 3477 u32 perm; 3478 int rc; 3479 3480 if (!sig) 3481 perm = PROCESS__SIGNULL; /* null signal; existence test */ 3482 else 3483 perm = signal_to_av(sig); 3484 if (secid) 3485 rc = avc_has_perm(secid, task_sid(p), 3486 SECCLASS_PROCESS, perm, NULL); 3487 else 3488 rc = current_has_perm(p, perm); 3489 return rc; 3490 } 3491 3492 static int selinux_task_wait(struct task_struct *p) 3493 { 3494 return task_has_perm(p, current, PROCESS__SIGCHLD); 3495 } 3496 3497 static void selinux_task_to_inode(struct task_struct *p, 3498 struct inode *inode) 3499 { 3500 struct inode_security_struct *isec = inode->i_security; 3501 u32 sid = task_sid(p); 3502 3503 isec->sid = sid; 3504 isec->initialized = 1; 3505 } 3506 3507 /* Returns error only if unable to parse addresses */ 3508 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 3509 struct common_audit_data *ad, u8 *proto) 3510 { 3511 int offset, ihlen, ret = -EINVAL; 3512 struct iphdr _iph, *ih; 3513 3514 offset = skb_network_offset(skb); 3515 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 3516 if (ih == NULL) 3517 goto out; 3518 3519 ihlen = ih->ihl * 4; 3520 if (ihlen < sizeof(_iph)) 3521 goto out; 3522 3523 ad->u.net->v4info.saddr = ih->saddr; 3524 ad->u.net->v4info.daddr = ih->daddr; 3525 ret = 0; 3526 3527 if (proto) 3528 *proto = ih->protocol; 3529 3530 switch (ih->protocol) { 3531 case IPPROTO_TCP: { 3532 struct tcphdr _tcph, *th; 3533 3534 if (ntohs(ih->frag_off) & IP_OFFSET) 3535 break; 3536 3537 offset += ihlen; 3538 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3539 if (th == NULL) 3540 break; 3541 3542 ad->u.net->sport = th->source; 3543 ad->u.net->dport = th->dest; 3544 break; 3545 } 3546 3547 case IPPROTO_UDP: { 3548 struct udphdr _udph, *uh; 3549 3550 if (ntohs(ih->frag_off) & IP_OFFSET) 3551 break; 3552 3553 offset += ihlen; 3554 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3555 if (uh == NULL) 3556 break; 3557 3558 ad->u.net->sport = uh->source; 3559 ad->u.net->dport = uh->dest; 3560 break; 3561 } 3562 3563 case IPPROTO_DCCP: { 3564 struct dccp_hdr _dccph, *dh; 3565 3566 if (ntohs(ih->frag_off) & IP_OFFSET) 3567 break; 3568 3569 offset += ihlen; 3570 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3571 if (dh == NULL) 3572 break; 3573 3574 ad->u.net->sport = dh->dccph_sport; 3575 ad->u.net->dport = dh->dccph_dport; 3576 break; 3577 } 3578 3579 default: 3580 break; 3581 } 3582 out: 3583 return ret; 3584 } 3585 3586 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3587 3588 /* Returns error only if unable to parse addresses */ 3589 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 3590 struct common_audit_data *ad, u8 *proto) 3591 { 3592 u8 nexthdr; 3593 int ret = -EINVAL, offset; 3594 struct ipv6hdr _ipv6h, *ip6; 3595 __be16 frag_off; 3596 3597 offset = skb_network_offset(skb); 3598 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3599 if (ip6 == NULL) 3600 goto out; 3601 3602 ad->u.net->v6info.saddr = ip6->saddr; 3603 ad->u.net->v6info.daddr = ip6->daddr; 3604 ret = 0; 3605 3606 nexthdr = ip6->nexthdr; 3607 offset += sizeof(_ipv6h); 3608 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 3609 if (offset < 0) 3610 goto out; 3611 3612 if (proto) 3613 *proto = nexthdr; 3614 3615 switch (nexthdr) { 3616 case IPPROTO_TCP: { 3617 struct tcphdr _tcph, *th; 3618 3619 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3620 if (th == NULL) 3621 break; 3622 3623 ad->u.net->sport = th->source; 3624 ad->u.net->dport = th->dest; 3625 break; 3626 } 3627 3628 case IPPROTO_UDP: { 3629 struct udphdr _udph, *uh; 3630 3631 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3632 if (uh == NULL) 3633 break; 3634 3635 ad->u.net->sport = uh->source; 3636 ad->u.net->dport = uh->dest; 3637 break; 3638 } 3639 3640 case IPPROTO_DCCP: { 3641 struct dccp_hdr _dccph, *dh; 3642 3643 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3644 if (dh == NULL) 3645 break; 3646 3647 ad->u.net->sport = dh->dccph_sport; 3648 ad->u.net->dport = dh->dccph_dport; 3649 break; 3650 } 3651 3652 /* includes fragments */ 3653 default: 3654 break; 3655 } 3656 out: 3657 return ret; 3658 } 3659 3660 #endif /* IPV6 */ 3661 3662 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 3663 char **_addrp, int src, u8 *proto) 3664 { 3665 char *addrp; 3666 int ret; 3667 3668 switch (ad->u.net->family) { 3669 case PF_INET: 3670 ret = selinux_parse_skb_ipv4(skb, ad, proto); 3671 if (ret) 3672 goto parse_error; 3673 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 3674 &ad->u.net->v4info.daddr); 3675 goto okay; 3676 3677 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3678 case PF_INET6: 3679 ret = selinux_parse_skb_ipv6(skb, ad, proto); 3680 if (ret) 3681 goto parse_error; 3682 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 3683 &ad->u.net->v6info.daddr); 3684 goto okay; 3685 #endif /* IPV6 */ 3686 default: 3687 addrp = NULL; 3688 goto okay; 3689 } 3690 3691 parse_error: 3692 printk(KERN_WARNING 3693 "SELinux: failure in selinux_parse_skb()," 3694 " unable to parse packet\n"); 3695 return ret; 3696 3697 okay: 3698 if (_addrp) 3699 *_addrp = addrp; 3700 return 0; 3701 } 3702 3703 /** 3704 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 3705 * @skb: the packet 3706 * @family: protocol family 3707 * @sid: the packet's peer label SID 3708 * 3709 * Description: 3710 * Check the various different forms of network peer labeling and determine 3711 * the peer label/SID for the packet; most of the magic actually occurs in 3712 * the security server function security_net_peersid_cmp(). The function 3713 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 3714 * or -EACCES if @sid is invalid due to inconsistencies with the different 3715 * peer labels. 3716 * 3717 */ 3718 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 3719 { 3720 int err; 3721 u32 xfrm_sid; 3722 u32 nlbl_sid; 3723 u32 nlbl_type; 3724 3725 selinux_skb_xfrm_sid(skb, &xfrm_sid); 3726 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 3727 3728 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 3729 if (unlikely(err)) { 3730 printk(KERN_WARNING 3731 "SELinux: failure in selinux_skb_peerlbl_sid()," 3732 " unable to determine packet's peer label\n"); 3733 return -EACCES; 3734 } 3735 3736 return 0; 3737 } 3738 3739 /* socket security operations */ 3740 3741 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 3742 u16 secclass, u32 *socksid) 3743 { 3744 if (tsec->sockcreate_sid > SECSID_NULL) { 3745 *socksid = tsec->sockcreate_sid; 3746 return 0; 3747 } 3748 3749 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL, 3750 socksid); 3751 } 3752 3753 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms) 3754 { 3755 struct sk_security_struct *sksec = sk->sk_security; 3756 struct common_audit_data ad; 3757 struct lsm_network_audit net = {0,}; 3758 u32 tsid = task_sid(task); 3759 3760 if (sksec->sid == SECINITSID_KERNEL) 3761 return 0; 3762 3763 ad.type = LSM_AUDIT_DATA_NET; 3764 ad.u.net = &net; 3765 ad.u.net->sk = sk; 3766 3767 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad); 3768 } 3769 3770 static int selinux_socket_create(int family, int type, 3771 int protocol, int kern) 3772 { 3773 const struct task_security_struct *tsec = current_security(); 3774 u32 newsid; 3775 u16 secclass; 3776 int rc; 3777 3778 if (kern) 3779 return 0; 3780 3781 secclass = socket_type_to_security_class(family, type, protocol); 3782 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 3783 if (rc) 3784 return rc; 3785 3786 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 3787 } 3788 3789 static int selinux_socket_post_create(struct socket *sock, int family, 3790 int type, int protocol, int kern) 3791 { 3792 const struct task_security_struct *tsec = current_security(); 3793 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 3794 struct sk_security_struct *sksec; 3795 int err = 0; 3796 3797 isec->sclass = socket_type_to_security_class(family, type, protocol); 3798 3799 if (kern) 3800 isec->sid = SECINITSID_KERNEL; 3801 else { 3802 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid)); 3803 if (err) 3804 return err; 3805 } 3806 3807 isec->initialized = 1; 3808 3809 if (sock->sk) { 3810 sksec = sock->sk->sk_security; 3811 sksec->sid = isec->sid; 3812 sksec->sclass = isec->sclass; 3813 err = selinux_netlbl_socket_post_create(sock->sk, family); 3814 } 3815 3816 return err; 3817 } 3818 3819 /* Range of port numbers used to automatically bind. 3820 Need to determine whether we should perform a name_bind 3821 permission check between the socket and the port number. */ 3822 3823 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 3824 { 3825 struct sock *sk = sock->sk; 3826 u16 family; 3827 int err; 3828 3829 err = sock_has_perm(current, sk, SOCKET__BIND); 3830 if (err) 3831 goto out; 3832 3833 /* 3834 * If PF_INET or PF_INET6, check name_bind permission for the port. 3835 * Multiple address binding for SCTP is not supported yet: we just 3836 * check the first address now. 3837 */ 3838 family = sk->sk_family; 3839 if (family == PF_INET || family == PF_INET6) { 3840 char *addrp; 3841 struct sk_security_struct *sksec = sk->sk_security; 3842 struct common_audit_data ad; 3843 struct lsm_network_audit net = {0,}; 3844 struct sockaddr_in *addr4 = NULL; 3845 struct sockaddr_in6 *addr6 = NULL; 3846 unsigned short snum; 3847 u32 sid, node_perm; 3848 3849 if (family == PF_INET) { 3850 addr4 = (struct sockaddr_in *)address; 3851 snum = ntohs(addr4->sin_port); 3852 addrp = (char *)&addr4->sin_addr.s_addr; 3853 } else { 3854 addr6 = (struct sockaddr_in6 *)address; 3855 snum = ntohs(addr6->sin6_port); 3856 addrp = (char *)&addr6->sin6_addr.s6_addr; 3857 } 3858 3859 if (snum) { 3860 int low, high; 3861 3862 inet_get_local_port_range(&low, &high); 3863 3864 if (snum < max(PROT_SOCK, low) || snum > high) { 3865 err = sel_netport_sid(sk->sk_protocol, 3866 snum, &sid); 3867 if (err) 3868 goto out; 3869 ad.type = LSM_AUDIT_DATA_NET; 3870 ad.u.net = &net; 3871 ad.u.net->sport = htons(snum); 3872 ad.u.net->family = family; 3873 err = avc_has_perm(sksec->sid, sid, 3874 sksec->sclass, 3875 SOCKET__NAME_BIND, &ad); 3876 if (err) 3877 goto out; 3878 } 3879 } 3880 3881 switch (sksec->sclass) { 3882 case SECCLASS_TCP_SOCKET: 3883 node_perm = TCP_SOCKET__NODE_BIND; 3884 break; 3885 3886 case SECCLASS_UDP_SOCKET: 3887 node_perm = UDP_SOCKET__NODE_BIND; 3888 break; 3889 3890 case SECCLASS_DCCP_SOCKET: 3891 node_perm = DCCP_SOCKET__NODE_BIND; 3892 break; 3893 3894 default: 3895 node_perm = RAWIP_SOCKET__NODE_BIND; 3896 break; 3897 } 3898 3899 err = sel_netnode_sid(addrp, family, &sid); 3900 if (err) 3901 goto out; 3902 3903 ad.type = LSM_AUDIT_DATA_NET; 3904 ad.u.net = &net; 3905 ad.u.net->sport = htons(snum); 3906 ad.u.net->family = family; 3907 3908 if (family == PF_INET) 3909 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 3910 else 3911 ad.u.net->v6info.saddr = addr6->sin6_addr; 3912 3913 err = avc_has_perm(sksec->sid, sid, 3914 sksec->sclass, node_perm, &ad); 3915 if (err) 3916 goto out; 3917 } 3918 out: 3919 return err; 3920 } 3921 3922 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 3923 { 3924 struct sock *sk = sock->sk; 3925 struct sk_security_struct *sksec = sk->sk_security; 3926 int err; 3927 3928 err = sock_has_perm(current, sk, SOCKET__CONNECT); 3929 if (err) 3930 return err; 3931 3932 /* 3933 * If a TCP or DCCP socket, check name_connect permission for the port. 3934 */ 3935 if (sksec->sclass == SECCLASS_TCP_SOCKET || 3936 sksec->sclass == SECCLASS_DCCP_SOCKET) { 3937 struct common_audit_data ad; 3938 struct lsm_network_audit net = {0,}; 3939 struct sockaddr_in *addr4 = NULL; 3940 struct sockaddr_in6 *addr6 = NULL; 3941 unsigned short snum; 3942 u32 sid, perm; 3943 3944 if (sk->sk_family == PF_INET) { 3945 addr4 = (struct sockaddr_in *)address; 3946 if (addrlen < sizeof(struct sockaddr_in)) 3947 return -EINVAL; 3948 snum = ntohs(addr4->sin_port); 3949 } else { 3950 addr6 = (struct sockaddr_in6 *)address; 3951 if (addrlen < SIN6_LEN_RFC2133) 3952 return -EINVAL; 3953 snum = ntohs(addr6->sin6_port); 3954 } 3955 3956 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 3957 if (err) 3958 goto out; 3959 3960 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ? 3961 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 3962 3963 ad.type = LSM_AUDIT_DATA_NET; 3964 ad.u.net = &net; 3965 ad.u.net->dport = htons(snum); 3966 ad.u.net->family = sk->sk_family; 3967 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 3968 if (err) 3969 goto out; 3970 } 3971 3972 err = selinux_netlbl_socket_connect(sk, address); 3973 3974 out: 3975 return err; 3976 } 3977 3978 static int selinux_socket_listen(struct socket *sock, int backlog) 3979 { 3980 return sock_has_perm(current, sock->sk, SOCKET__LISTEN); 3981 } 3982 3983 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 3984 { 3985 int err; 3986 struct inode_security_struct *isec; 3987 struct inode_security_struct *newisec; 3988 3989 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT); 3990 if (err) 3991 return err; 3992 3993 newisec = SOCK_INODE(newsock)->i_security; 3994 3995 isec = SOCK_INODE(sock)->i_security; 3996 newisec->sclass = isec->sclass; 3997 newisec->sid = isec->sid; 3998 newisec->initialized = 1; 3999 4000 return 0; 4001 } 4002 4003 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4004 int size) 4005 { 4006 return sock_has_perm(current, sock->sk, SOCKET__WRITE); 4007 } 4008 4009 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4010 int size, int flags) 4011 { 4012 return sock_has_perm(current, sock->sk, SOCKET__READ); 4013 } 4014 4015 static int selinux_socket_getsockname(struct socket *sock) 4016 { 4017 return sock_has_perm(current, sock->sk, SOCKET__GETATTR); 4018 } 4019 4020 static int selinux_socket_getpeername(struct socket *sock) 4021 { 4022 return sock_has_perm(current, sock->sk, SOCKET__GETATTR); 4023 } 4024 4025 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4026 { 4027 int err; 4028 4029 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT); 4030 if (err) 4031 return err; 4032 4033 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4034 } 4035 4036 static int selinux_socket_getsockopt(struct socket *sock, int level, 4037 int optname) 4038 { 4039 return sock_has_perm(current, sock->sk, SOCKET__GETOPT); 4040 } 4041 4042 static int selinux_socket_shutdown(struct socket *sock, int how) 4043 { 4044 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN); 4045 } 4046 4047 static int selinux_socket_unix_stream_connect(struct sock *sock, 4048 struct sock *other, 4049 struct sock *newsk) 4050 { 4051 struct sk_security_struct *sksec_sock = sock->sk_security; 4052 struct sk_security_struct *sksec_other = other->sk_security; 4053 struct sk_security_struct *sksec_new = newsk->sk_security; 4054 struct common_audit_data ad; 4055 struct lsm_network_audit net = {0,}; 4056 int err; 4057 4058 ad.type = LSM_AUDIT_DATA_NET; 4059 ad.u.net = &net; 4060 ad.u.net->sk = other; 4061 4062 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 4063 sksec_other->sclass, 4064 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4065 if (err) 4066 return err; 4067 4068 /* server child socket */ 4069 sksec_new->peer_sid = sksec_sock->sid; 4070 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid, 4071 &sksec_new->sid); 4072 if (err) 4073 return err; 4074 4075 /* connecting socket */ 4076 sksec_sock->peer_sid = sksec_new->sid; 4077 4078 return 0; 4079 } 4080 4081 static int selinux_socket_unix_may_send(struct socket *sock, 4082 struct socket *other) 4083 { 4084 struct sk_security_struct *ssec = sock->sk->sk_security; 4085 struct sk_security_struct *osec = other->sk->sk_security; 4086 struct common_audit_data ad; 4087 struct lsm_network_audit net = {0,}; 4088 4089 ad.type = LSM_AUDIT_DATA_NET; 4090 ad.u.net = &net; 4091 ad.u.net->sk = other->sk; 4092 4093 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4094 &ad); 4095 } 4096 4097 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, 4098 u32 peer_sid, 4099 struct common_audit_data *ad) 4100 { 4101 int err; 4102 u32 if_sid; 4103 u32 node_sid; 4104 4105 err = sel_netif_sid(ifindex, &if_sid); 4106 if (err) 4107 return err; 4108 err = avc_has_perm(peer_sid, if_sid, 4109 SECCLASS_NETIF, NETIF__INGRESS, ad); 4110 if (err) 4111 return err; 4112 4113 err = sel_netnode_sid(addrp, family, &node_sid); 4114 if (err) 4115 return err; 4116 return avc_has_perm(peer_sid, node_sid, 4117 SECCLASS_NODE, NODE__RECVFROM, ad); 4118 } 4119 4120 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4121 u16 family) 4122 { 4123 int err = 0; 4124 struct sk_security_struct *sksec = sk->sk_security; 4125 u32 sk_sid = sksec->sid; 4126 struct common_audit_data ad; 4127 struct lsm_network_audit net = {0,}; 4128 char *addrp; 4129 4130 ad.type = LSM_AUDIT_DATA_NET; 4131 ad.u.net = &net; 4132 ad.u.net->netif = skb->skb_iif; 4133 ad.u.net->family = family; 4134 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4135 if (err) 4136 return err; 4137 4138 if (selinux_secmark_enabled()) { 4139 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4140 PACKET__RECV, &ad); 4141 if (err) 4142 return err; 4143 } 4144 4145 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4146 if (err) 4147 return err; 4148 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 4149 4150 return err; 4151 } 4152 4153 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4154 { 4155 int err; 4156 struct sk_security_struct *sksec = sk->sk_security; 4157 u16 family = sk->sk_family; 4158 u32 sk_sid = sksec->sid; 4159 struct common_audit_data ad; 4160 struct lsm_network_audit net = {0,}; 4161 char *addrp; 4162 u8 secmark_active; 4163 u8 peerlbl_active; 4164 4165 if (family != PF_INET && family != PF_INET6) 4166 return 0; 4167 4168 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 4169 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4170 family = PF_INET; 4171 4172 /* If any sort of compatibility mode is enabled then handoff processing 4173 * to the selinux_sock_rcv_skb_compat() function to deal with the 4174 * special handling. We do this in an attempt to keep this function 4175 * as fast and as clean as possible. */ 4176 if (!selinux_policycap_netpeer) 4177 return selinux_sock_rcv_skb_compat(sk, skb, family); 4178 4179 secmark_active = selinux_secmark_enabled(); 4180 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); 4181 if (!secmark_active && !peerlbl_active) 4182 return 0; 4183 4184 ad.type = LSM_AUDIT_DATA_NET; 4185 ad.u.net = &net; 4186 ad.u.net->netif = skb->skb_iif; 4187 ad.u.net->family = family; 4188 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4189 if (err) 4190 return err; 4191 4192 if (peerlbl_active) { 4193 u32 peer_sid; 4194 4195 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4196 if (err) 4197 return err; 4198 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family, 4199 peer_sid, &ad); 4200 if (err) { 4201 selinux_netlbl_err(skb, err, 0); 4202 return err; 4203 } 4204 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 4205 PEER__RECV, &ad); 4206 if (err) 4207 selinux_netlbl_err(skb, err, 0); 4208 } 4209 4210 if (secmark_active) { 4211 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4212 PACKET__RECV, &ad); 4213 if (err) 4214 return err; 4215 } 4216 4217 return err; 4218 } 4219 4220 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 4221 int __user *optlen, unsigned len) 4222 { 4223 int err = 0; 4224 char *scontext; 4225 u32 scontext_len; 4226 struct sk_security_struct *sksec = sock->sk->sk_security; 4227 u32 peer_sid = SECSID_NULL; 4228 4229 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 4230 sksec->sclass == SECCLASS_TCP_SOCKET) 4231 peer_sid = sksec->peer_sid; 4232 if (peer_sid == SECSID_NULL) 4233 return -ENOPROTOOPT; 4234 4235 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 4236 if (err) 4237 return err; 4238 4239 if (scontext_len > len) { 4240 err = -ERANGE; 4241 goto out_len; 4242 } 4243 4244 if (copy_to_user(optval, scontext, scontext_len)) 4245 err = -EFAULT; 4246 4247 out_len: 4248 if (put_user(scontext_len, optlen)) 4249 err = -EFAULT; 4250 kfree(scontext); 4251 return err; 4252 } 4253 4254 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 4255 { 4256 u32 peer_secid = SECSID_NULL; 4257 u16 family; 4258 4259 if (skb && skb->protocol == htons(ETH_P_IP)) 4260 family = PF_INET; 4261 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 4262 family = PF_INET6; 4263 else if (sock) 4264 family = sock->sk->sk_family; 4265 else 4266 goto out; 4267 4268 if (sock && family == PF_UNIX) 4269 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid); 4270 else if (skb) 4271 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 4272 4273 out: 4274 *secid = peer_secid; 4275 if (peer_secid == SECSID_NULL) 4276 return -EINVAL; 4277 return 0; 4278 } 4279 4280 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 4281 { 4282 struct sk_security_struct *sksec; 4283 4284 sksec = kzalloc(sizeof(*sksec), priority); 4285 if (!sksec) 4286 return -ENOMEM; 4287 4288 sksec->peer_sid = SECINITSID_UNLABELED; 4289 sksec->sid = SECINITSID_UNLABELED; 4290 selinux_netlbl_sk_security_reset(sksec); 4291 sk->sk_security = sksec; 4292 4293 return 0; 4294 } 4295 4296 static void selinux_sk_free_security(struct sock *sk) 4297 { 4298 struct sk_security_struct *sksec = sk->sk_security; 4299 4300 sk->sk_security = NULL; 4301 selinux_netlbl_sk_security_free(sksec); 4302 kfree(sksec); 4303 } 4304 4305 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 4306 { 4307 struct sk_security_struct *sksec = sk->sk_security; 4308 struct sk_security_struct *newsksec = newsk->sk_security; 4309 4310 newsksec->sid = sksec->sid; 4311 newsksec->peer_sid = sksec->peer_sid; 4312 newsksec->sclass = sksec->sclass; 4313 4314 selinux_netlbl_sk_security_reset(newsksec); 4315 } 4316 4317 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 4318 { 4319 if (!sk) 4320 *secid = SECINITSID_ANY_SOCKET; 4321 else { 4322 struct sk_security_struct *sksec = sk->sk_security; 4323 4324 *secid = sksec->sid; 4325 } 4326 } 4327 4328 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 4329 { 4330 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; 4331 struct sk_security_struct *sksec = sk->sk_security; 4332 4333 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 4334 sk->sk_family == PF_UNIX) 4335 isec->sid = sksec->sid; 4336 sksec->sclass = isec->sclass; 4337 } 4338 4339 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4340 struct request_sock *req) 4341 { 4342 struct sk_security_struct *sksec = sk->sk_security; 4343 int err; 4344 u16 family = sk->sk_family; 4345 u32 newsid; 4346 u32 peersid; 4347 4348 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 4349 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4350 family = PF_INET; 4351 4352 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 4353 if (err) 4354 return err; 4355 if (peersid == SECSID_NULL) { 4356 req->secid = sksec->sid; 4357 req->peer_secid = SECSID_NULL; 4358 } else { 4359 err = security_sid_mls_copy(sksec->sid, peersid, &newsid); 4360 if (err) 4361 return err; 4362 req->secid = newsid; 4363 req->peer_secid = peersid; 4364 } 4365 4366 return selinux_netlbl_inet_conn_request(req, family); 4367 } 4368 4369 static void selinux_inet_csk_clone(struct sock *newsk, 4370 const struct request_sock *req) 4371 { 4372 struct sk_security_struct *newsksec = newsk->sk_security; 4373 4374 newsksec->sid = req->secid; 4375 newsksec->peer_sid = req->peer_secid; 4376 /* NOTE: Ideally, we should also get the isec->sid for the 4377 new socket in sync, but we don't have the isec available yet. 4378 So we will wait until sock_graft to do it, by which 4379 time it will have been created and available. */ 4380 4381 /* We don't need to take any sort of lock here as we are the only 4382 * thread with access to newsksec */ 4383 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 4384 } 4385 4386 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 4387 { 4388 u16 family = sk->sk_family; 4389 struct sk_security_struct *sksec = sk->sk_security; 4390 4391 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 4392 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4393 family = PF_INET; 4394 4395 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 4396 } 4397 4398 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk) 4399 { 4400 skb_set_owner_w(skb, sk); 4401 } 4402 4403 static int selinux_secmark_relabel_packet(u32 sid) 4404 { 4405 const struct task_security_struct *__tsec; 4406 u32 tsid; 4407 4408 __tsec = current_security(); 4409 tsid = __tsec->sid; 4410 4411 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL); 4412 } 4413 4414 static void selinux_secmark_refcount_inc(void) 4415 { 4416 atomic_inc(&selinux_secmark_refcount); 4417 } 4418 4419 static void selinux_secmark_refcount_dec(void) 4420 { 4421 atomic_dec(&selinux_secmark_refcount); 4422 } 4423 4424 static void selinux_req_classify_flow(const struct request_sock *req, 4425 struct flowi *fl) 4426 { 4427 fl->flowi_secid = req->secid; 4428 } 4429 4430 static int selinux_tun_dev_alloc_security(void **security) 4431 { 4432 struct tun_security_struct *tunsec; 4433 4434 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 4435 if (!tunsec) 4436 return -ENOMEM; 4437 tunsec->sid = current_sid(); 4438 4439 *security = tunsec; 4440 return 0; 4441 } 4442 4443 static void selinux_tun_dev_free_security(void *security) 4444 { 4445 kfree(security); 4446 } 4447 4448 static int selinux_tun_dev_create(void) 4449 { 4450 u32 sid = current_sid(); 4451 4452 /* we aren't taking into account the "sockcreate" SID since the socket 4453 * that is being created here is not a socket in the traditional sense, 4454 * instead it is a private sock, accessible only to the kernel, and 4455 * representing a wide range of network traffic spanning multiple 4456 * connections unlike traditional sockets - check the TUN driver to 4457 * get a better understanding of why this socket is special */ 4458 4459 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 4460 NULL); 4461 } 4462 4463 static int selinux_tun_dev_attach_queue(void *security) 4464 { 4465 struct tun_security_struct *tunsec = security; 4466 4467 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 4468 TUN_SOCKET__ATTACH_QUEUE, NULL); 4469 } 4470 4471 static int selinux_tun_dev_attach(struct sock *sk, void *security) 4472 { 4473 struct tun_security_struct *tunsec = security; 4474 struct sk_security_struct *sksec = sk->sk_security; 4475 4476 /* we don't currently perform any NetLabel based labeling here and it 4477 * isn't clear that we would want to do so anyway; while we could apply 4478 * labeling without the support of the TUN user the resulting labeled 4479 * traffic from the other end of the connection would almost certainly 4480 * cause confusion to the TUN user that had no idea network labeling 4481 * protocols were being used */ 4482 4483 sksec->sid = tunsec->sid; 4484 sksec->sclass = SECCLASS_TUN_SOCKET; 4485 4486 return 0; 4487 } 4488 4489 static int selinux_tun_dev_open(void *security) 4490 { 4491 struct tun_security_struct *tunsec = security; 4492 u32 sid = current_sid(); 4493 int err; 4494 4495 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 4496 TUN_SOCKET__RELABELFROM, NULL); 4497 if (err) 4498 return err; 4499 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 4500 TUN_SOCKET__RELABELTO, NULL); 4501 if (err) 4502 return err; 4503 tunsec->sid = sid; 4504 4505 return 0; 4506 } 4507 4508 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 4509 { 4510 int err = 0; 4511 u32 perm; 4512 struct nlmsghdr *nlh; 4513 struct sk_security_struct *sksec = sk->sk_security; 4514 4515 if (skb->len < NLMSG_HDRLEN) { 4516 err = -EINVAL; 4517 goto out; 4518 } 4519 nlh = nlmsg_hdr(skb); 4520 4521 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 4522 if (err) { 4523 if (err == -EINVAL) { 4524 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR, 4525 "SELinux: unrecognized netlink message" 4526 " type=%hu for sclass=%hu\n", 4527 nlh->nlmsg_type, sksec->sclass); 4528 if (!selinux_enforcing || security_get_allow_unknown()) 4529 err = 0; 4530 } 4531 4532 /* Ignore */ 4533 if (err == -ENOENT) 4534 err = 0; 4535 goto out; 4536 } 4537 4538 err = sock_has_perm(current, sk, perm); 4539 out: 4540 return err; 4541 } 4542 4543 #ifdef CONFIG_NETFILTER 4544 4545 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, 4546 u16 family) 4547 { 4548 int err; 4549 char *addrp; 4550 u32 peer_sid; 4551 struct common_audit_data ad; 4552 struct lsm_network_audit net = {0,}; 4553 u8 secmark_active; 4554 u8 netlbl_active; 4555 u8 peerlbl_active; 4556 4557 if (!selinux_policycap_netpeer) 4558 return NF_ACCEPT; 4559 4560 secmark_active = selinux_secmark_enabled(); 4561 netlbl_active = netlbl_enabled(); 4562 peerlbl_active = netlbl_active || selinux_xfrm_enabled(); 4563 if (!secmark_active && !peerlbl_active) 4564 return NF_ACCEPT; 4565 4566 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 4567 return NF_DROP; 4568 4569 ad.type = LSM_AUDIT_DATA_NET; 4570 ad.u.net = &net; 4571 ad.u.net->netif = ifindex; 4572 ad.u.net->family = family; 4573 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 4574 return NF_DROP; 4575 4576 if (peerlbl_active) { 4577 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family, 4578 peer_sid, &ad); 4579 if (err) { 4580 selinux_netlbl_err(skb, err, 1); 4581 return NF_DROP; 4582 } 4583 } 4584 4585 if (secmark_active) 4586 if (avc_has_perm(peer_sid, skb->secmark, 4587 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 4588 return NF_DROP; 4589 4590 if (netlbl_active) 4591 /* we do this in the FORWARD path and not the POST_ROUTING 4592 * path because we want to make sure we apply the necessary 4593 * labeling before IPsec is applied so we can leverage AH 4594 * protection */ 4595 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 4596 return NF_DROP; 4597 4598 return NF_ACCEPT; 4599 } 4600 4601 static unsigned int selinux_ipv4_forward(unsigned int hooknum, 4602 struct sk_buff *skb, 4603 const struct net_device *in, 4604 const struct net_device *out, 4605 int (*okfn)(struct sk_buff *)) 4606 { 4607 return selinux_ip_forward(skb, in->ifindex, PF_INET); 4608 } 4609 4610 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4611 static unsigned int selinux_ipv6_forward(unsigned int hooknum, 4612 struct sk_buff *skb, 4613 const struct net_device *in, 4614 const struct net_device *out, 4615 int (*okfn)(struct sk_buff *)) 4616 { 4617 return selinux_ip_forward(skb, in->ifindex, PF_INET6); 4618 } 4619 #endif /* IPV6 */ 4620 4621 static unsigned int selinux_ip_output(struct sk_buff *skb, 4622 u16 family) 4623 { 4624 u32 sid; 4625 4626 if (!netlbl_enabled()) 4627 return NF_ACCEPT; 4628 4629 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 4630 * because we want to make sure we apply the necessary labeling 4631 * before IPsec is applied so we can leverage AH protection */ 4632 if (skb->sk) { 4633 struct sk_security_struct *sksec = skb->sk->sk_security; 4634 sid = sksec->sid; 4635 } else 4636 sid = SECINITSID_KERNEL; 4637 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 4638 return NF_DROP; 4639 4640 return NF_ACCEPT; 4641 } 4642 4643 static unsigned int selinux_ipv4_output(unsigned int hooknum, 4644 struct sk_buff *skb, 4645 const struct net_device *in, 4646 const struct net_device *out, 4647 int (*okfn)(struct sk_buff *)) 4648 { 4649 return selinux_ip_output(skb, PF_INET); 4650 } 4651 4652 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 4653 int ifindex, 4654 u16 family) 4655 { 4656 struct sock *sk = skb->sk; 4657 struct sk_security_struct *sksec; 4658 struct common_audit_data ad; 4659 struct lsm_network_audit net = {0,}; 4660 char *addrp; 4661 u8 proto; 4662 4663 if (sk == NULL) 4664 return NF_ACCEPT; 4665 sksec = sk->sk_security; 4666 4667 ad.type = LSM_AUDIT_DATA_NET; 4668 ad.u.net = &net; 4669 ad.u.net->netif = ifindex; 4670 ad.u.net->family = family; 4671 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 4672 return NF_DROP; 4673 4674 if (selinux_secmark_enabled()) 4675 if (avc_has_perm(sksec->sid, skb->secmark, 4676 SECCLASS_PACKET, PACKET__SEND, &ad)) 4677 return NF_DROP_ERR(-ECONNREFUSED); 4678 4679 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 4680 return NF_DROP_ERR(-ECONNREFUSED); 4681 4682 return NF_ACCEPT; 4683 } 4684 4685 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, 4686 u16 family) 4687 { 4688 u32 secmark_perm; 4689 u32 peer_sid; 4690 struct sock *sk; 4691 struct common_audit_data ad; 4692 struct lsm_network_audit net = {0,}; 4693 char *addrp; 4694 u8 secmark_active; 4695 u8 peerlbl_active; 4696 4697 /* If any sort of compatibility mode is enabled then handoff processing 4698 * to the selinux_ip_postroute_compat() function to deal with the 4699 * special handling. We do this in an attempt to keep this function 4700 * as fast and as clean as possible. */ 4701 if (!selinux_policycap_netpeer) 4702 return selinux_ip_postroute_compat(skb, ifindex, family); 4703 #ifdef CONFIG_XFRM 4704 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 4705 * packet transformation so allow the packet to pass without any checks 4706 * since we'll have another chance to perform access control checks 4707 * when the packet is on it's final way out. 4708 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 4709 * is NULL, in this case go ahead and apply access control. */ 4710 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL) 4711 return NF_ACCEPT; 4712 #endif 4713 secmark_active = selinux_secmark_enabled(); 4714 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); 4715 if (!secmark_active && !peerlbl_active) 4716 return NF_ACCEPT; 4717 4718 /* if the packet is being forwarded then get the peer label from the 4719 * packet itself; otherwise check to see if it is from a local 4720 * application or the kernel, if from an application get the peer label 4721 * from the sending socket, otherwise use the kernel's sid */ 4722 sk = skb->sk; 4723 if (sk == NULL) { 4724 if (skb->skb_iif) { 4725 secmark_perm = PACKET__FORWARD_OUT; 4726 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 4727 return NF_DROP; 4728 } else { 4729 secmark_perm = PACKET__SEND; 4730 peer_sid = SECINITSID_KERNEL; 4731 } 4732 } else { 4733 struct sk_security_struct *sksec = sk->sk_security; 4734 peer_sid = sksec->sid; 4735 secmark_perm = PACKET__SEND; 4736 } 4737 4738 ad.type = LSM_AUDIT_DATA_NET; 4739 ad.u.net = &net; 4740 ad.u.net->netif = ifindex; 4741 ad.u.net->family = family; 4742 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 4743 return NF_DROP; 4744 4745 if (secmark_active) 4746 if (avc_has_perm(peer_sid, skb->secmark, 4747 SECCLASS_PACKET, secmark_perm, &ad)) 4748 return NF_DROP_ERR(-ECONNREFUSED); 4749 4750 if (peerlbl_active) { 4751 u32 if_sid; 4752 u32 node_sid; 4753 4754 if (sel_netif_sid(ifindex, &if_sid)) 4755 return NF_DROP; 4756 if (avc_has_perm(peer_sid, if_sid, 4757 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 4758 return NF_DROP_ERR(-ECONNREFUSED); 4759 4760 if (sel_netnode_sid(addrp, family, &node_sid)) 4761 return NF_DROP; 4762 if (avc_has_perm(peer_sid, node_sid, 4763 SECCLASS_NODE, NODE__SENDTO, &ad)) 4764 return NF_DROP_ERR(-ECONNREFUSED); 4765 } 4766 4767 return NF_ACCEPT; 4768 } 4769 4770 static unsigned int selinux_ipv4_postroute(unsigned int hooknum, 4771 struct sk_buff *skb, 4772 const struct net_device *in, 4773 const struct net_device *out, 4774 int (*okfn)(struct sk_buff *)) 4775 { 4776 return selinux_ip_postroute(skb, out->ifindex, PF_INET); 4777 } 4778 4779 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4780 static unsigned int selinux_ipv6_postroute(unsigned int hooknum, 4781 struct sk_buff *skb, 4782 const struct net_device *in, 4783 const struct net_device *out, 4784 int (*okfn)(struct sk_buff *)) 4785 { 4786 return selinux_ip_postroute(skb, out->ifindex, PF_INET6); 4787 } 4788 #endif /* IPV6 */ 4789 4790 #endif /* CONFIG_NETFILTER */ 4791 4792 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 4793 { 4794 int err; 4795 4796 err = cap_netlink_send(sk, skb); 4797 if (err) 4798 return err; 4799 4800 return selinux_nlmsg_perm(sk, skb); 4801 } 4802 4803 static int ipc_alloc_security(struct task_struct *task, 4804 struct kern_ipc_perm *perm, 4805 u16 sclass) 4806 { 4807 struct ipc_security_struct *isec; 4808 u32 sid; 4809 4810 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 4811 if (!isec) 4812 return -ENOMEM; 4813 4814 sid = task_sid(task); 4815 isec->sclass = sclass; 4816 isec->sid = sid; 4817 perm->security = isec; 4818 4819 return 0; 4820 } 4821 4822 static void ipc_free_security(struct kern_ipc_perm *perm) 4823 { 4824 struct ipc_security_struct *isec = perm->security; 4825 perm->security = NULL; 4826 kfree(isec); 4827 } 4828 4829 static int msg_msg_alloc_security(struct msg_msg *msg) 4830 { 4831 struct msg_security_struct *msec; 4832 4833 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 4834 if (!msec) 4835 return -ENOMEM; 4836 4837 msec->sid = SECINITSID_UNLABELED; 4838 msg->security = msec; 4839 4840 return 0; 4841 } 4842 4843 static void msg_msg_free_security(struct msg_msg *msg) 4844 { 4845 struct msg_security_struct *msec = msg->security; 4846 4847 msg->security = NULL; 4848 kfree(msec); 4849 } 4850 4851 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 4852 u32 perms) 4853 { 4854 struct ipc_security_struct *isec; 4855 struct common_audit_data ad; 4856 u32 sid = current_sid(); 4857 4858 isec = ipc_perms->security; 4859 4860 ad.type = LSM_AUDIT_DATA_IPC; 4861 ad.u.ipc_id = ipc_perms->key; 4862 4863 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 4864 } 4865 4866 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 4867 { 4868 return msg_msg_alloc_security(msg); 4869 } 4870 4871 static void selinux_msg_msg_free_security(struct msg_msg *msg) 4872 { 4873 msg_msg_free_security(msg); 4874 } 4875 4876 /* message queue security operations */ 4877 static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 4878 { 4879 struct ipc_security_struct *isec; 4880 struct common_audit_data ad; 4881 u32 sid = current_sid(); 4882 int rc; 4883 4884 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ); 4885 if (rc) 4886 return rc; 4887 4888 isec = msq->q_perm.security; 4889 4890 ad.type = LSM_AUDIT_DATA_IPC; 4891 ad.u.ipc_id = msq->q_perm.key; 4892 4893 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 4894 MSGQ__CREATE, &ad); 4895 if (rc) { 4896 ipc_free_security(&msq->q_perm); 4897 return rc; 4898 } 4899 return 0; 4900 } 4901 4902 static void selinux_msg_queue_free_security(struct msg_queue *msq) 4903 { 4904 ipc_free_security(&msq->q_perm); 4905 } 4906 4907 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 4908 { 4909 struct ipc_security_struct *isec; 4910 struct common_audit_data ad; 4911 u32 sid = current_sid(); 4912 4913 isec = msq->q_perm.security; 4914 4915 ad.type = LSM_AUDIT_DATA_IPC; 4916 ad.u.ipc_id = msq->q_perm.key; 4917 4918 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 4919 MSGQ__ASSOCIATE, &ad); 4920 } 4921 4922 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 4923 { 4924 int err; 4925 int perms; 4926 4927 switch (cmd) { 4928 case IPC_INFO: 4929 case MSG_INFO: 4930 /* No specific object, just general system-wide information. */ 4931 return task_has_system(current, SYSTEM__IPC_INFO); 4932 case IPC_STAT: 4933 case MSG_STAT: 4934 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 4935 break; 4936 case IPC_SET: 4937 perms = MSGQ__SETATTR; 4938 break; 4939 case IPC_RMID: 4940 perms = MSGQ__DESTROY; 4941 break; 4942 default: 4943 return 0; 4944 } 4945 4946 err = ipc_has_perm(&msq->q_perm, perms); 4947 return err; 4948 } 4949 4950 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 4951 { 4952 struct ipc_security_struct *isec; 4953 struct msg_security_struct *msec; 4954 struct common_audit_data ad; 4955 u32 sid = current_sid(); 4956 int rc; 4957 4958 isec = msq->q_perm.security; 4959 msec = msg->security; 4960 4961 /* 4962 * First time through, need to assign label to the message 4963 */ 4964 if (msec->sid == SECINITSID_UNLABELED) { 4965 /* 4966 * Compute new sid based on current process and 4967 * message queue this message will be stored in 4968 */ 4969 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG, 4970 NULL, &msec->sid); 4971 if (rc) 4972 return rc; 4973 } 4974 4975 ad.type = LSM_AUDIT_DATA_IPC; 4976 ad.u.ipc_id = msq->q_perm.key; 4977 4978 /* Can this process write to the queue? */ 4979 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 4980 MSGQ__WRITE, &ad); 4981 if (!rc) 4982 /* Can this process send the message */ 4983 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 4984 MSG__SEND, &ad); 4985 if (!rc) 4986 /* Can the message be put in the queue? */ 4987 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 4988 MSGQ__ENQUEUE, &ad); 4989 4990 return rc; 4991 } 4992 4993 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 4994 struct task_struct *target, 4995 long type, int mode) 4996 { 4997 struct ipc_security_struct *isec; 4998 struct msg_security_struct *msec; 4999 struct common_audit_data ad; 5000 u32 sid = task_sid(target); 5001 int rc; 5002 5003 isec = msq->q_perm.security; 5004 msec = msg->security; 5005 5006 ad.type = LSM_AUDIT_DATA_IPC; 5007 ad.u.ipc_id = msq->q_perm.key; 5008 5009 rc = avc_has_perm(sid, isec->sid, 5010 SECCLASS_MSGQ, MSGQ__READ, &ad); 5011 if (!rc) 5012 rc = avc_has_perm(sid, msec->sid, 5013 SECCLASS_MSG, MSG__RECEIVE, &ad); 5014 return rc; 5015 } 5016 5017 /* Shared Memory security operations */ 5018 static int selinux_shm_alloc_security(struct shmid_kernel *shp) 5019 { 5020 struct ipc_security_struct *isec; 5021 struct common_audit_data ad; 5022 u32 sid = current_sid(); 5023 int rc; 5024 5025 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM); 5026 if (rc) 5027 return rc; 5028 5029 isec = shp->shm_perm.security; 5030 5031 ad.type = LSM_AUDIT_DATA_IPC; 5032 ad.u.ipc_id = shp->shm_perm.key; 5033 5034 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5035 SHM__CREATE, &ad); 5036 if (rc) { 5037 ipc_free_security(&shp->shm_perm); 5038 return rc; 5039 } 5040 return 0; 5041 } 5042 5043 static void selinux_shm_free_security(struct shmid_kernel *shp) 5044 { 5045 ipc_free_security(&shp->shm_perm); 5046 } 5047 5048 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 5049 { 5050 struct ipc_security_struct *isec; 5051 struct common_audit_data ad; 5052 u32 sid = current_sid(); 5053 5054 isec = shp->shm_perm.security; 5055 5056 ad.type = LSM_AUDIT_DATA_IPC; 5057 ad.u.ipc_id = shp->shm_perm.key; 5058 5059 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5060 SHM__ASSOCIATE, &ad); 5061 } 5062 5063 /* Note, at this point, shp is locked down */ 5064 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 5065 { 5066 int perms; 5067 int err; 5068 5069 switch (cmd) { 5070 case IPC_INFO: 5071 case SHM_INFO: 5072 /* No specific object, just general system-wide information. */ 5073 return task_has_system(current, SYSTEM__IPC_INFO); 5074 case IPC_STAT: 5075 case SHM_STAT: 5076 perms = SHM__GETATTR | SHM__ASSOCIATE; 5077 break; 5078 case IPC_SET: 5079 perms = SHM__SETATTR; 5080 break; 5081 case SHM_LOCK: 5082 case SHM_UNLOCK: 5083 perms = SHM__LOCK; 5084 break; 5085 case IPC_RMID: 5086 perms = SHM__DESTROY; 5087 break; 5088 default: 5089 return 0; 5090 } 5091 5092 err = ipc_has_perm(&shp->shm_perm, perms); 5093 return err; 5094 } 5095 5096 static int selinux_shm_shmat(struct shmid_kernel *shp, 5097 char __user *shmaddr, int shmflg) 5098 { 5099 u32 perms; 5100 5101 if (shmflg & SHM_RDONLY) 5102 perms = SHM__READ; 5103 else 5104 perms = SHM__READ | SHM__WRITE; 5105 5106 return ipc_has_perm(&shp->shm_perm, perms); 5107 } 5108 5109 /* Semaphore security operations */ 5110 static int selinux_sem_alloc_security(struct sem_array *sma) 5111 { 5112 struct ipc_security_struct *isec; 5113 struct common_audit_data ad; 5114 u32 sid = current_sid(); 5115 int rc; 5116 5117 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM); 5118 if (rc) 5119 return rc; 5120 5121 isec = sma->sem_perm.security; 5122 5123 ad.type = LSM_AUDIT_DATA_IPC; 5124 ad.u.ipc_id = sma->sem_perm.key; 5125 5126 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5127 SEM__CREATE, &ad); 5128 if (rc) { 5129 ipc_free_security(&sma->sem_perm); 5130 return rc; 5131 } 5132 return 0; 5133 } 5134 5135 static void selinux_sem_free_security(struct sem_array *sma) 5136 { 5137 ipc_free_security(&sma->sem_perm); 5138 } 5139 5140 static int selinux_sem_associate(struct sem_array *sma, int semflg) 5141 { 5142 struct ipc_security_struct *isec; 5143 struct common_audit_data ad; 5144 u32 sid = current_sid(); 5145 5146 isec = sma->sem_perm.security; 5147 5148 ad.type = LSM_AUDIT_DATA_IPC; 5149 ad.u.ipc_id = sma->sem_perm.key; 5150 5151 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5152 SEM__ASSOCIATE, &ad); 5153 } 5154 5155 /* Note, at this point, sma is locked down */ 5156 static int selinux_sem_semctl(struct sem_array *sma, int cmd) 5157 { 5158 int err; 5159 u32 perms; 5160 5161 switch (cmd) { 5162 case IPC_INFO: 5163 case SEM_INFO: 5164 /* No specific object, just general system-wide information. */ 5165 return task_has_system(current, SYSTEM__IPC_INFO); 5166 case GETPID: 5167 case GETNCNT: 5168 case GETZCNT: 5169 perms = SEM__GETATTR; 5170 break; 5171 case GETVAL: 5172 case GETALL: 5173 perms = SEM__READ; 5174 break; 5175 case SETVAL: 5176 case SETALL: 5177 perms = SEM__WRITE; 5178 break; 5179 case IPC_RMID: 5180 perms = SEM__DESTROY; 5181 break; 5182 case IPC_SET: 5183 perms = SEM__SETATTR; 5184 break; 5185 case IPC_STAT: 5186 case SEM_STAT: 5187 perms = SEM__GETATTR | SEM__ASSOCIATE; 5188 break; 5189 default: 5190 return 0; 5191 } 5192 5193 err = ipc_has_perm(&sma->sem_perm, perms); 5194 return err; 5195 } 5196 5197 static int selinux_sem_semop(struct sem_array *sma, 5198 struct sembuf *sops, unsigned nsops, int alter) 5199 { 5200 u32 perms; 5201 5202 if (alter) 5203 perms = SEM__READ | SEM__WRITE; 5204 else 5205 perms = SEM__READ; 5206 5207 return ipc_has_perm(&sma->sem_perm, perms); 5208 } 5209 5210 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 5211 { 5212 u32 av = 0; 5213 5214 av = 0; 5215 if (flag & S_IRUGO) 5216 av |= IPC__UNIX_READ; 5217 if (flag & S_IWUGO) 5218 av |= IPC__UNIX_WRITE; 5219 5220 if (av == 0) 5221 return 0; 5222 5223 return ipc_has_perm(ipcp, av); 5224 } 5225 5226 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 5227 { 5228 struct ipc_security_struct *isec = ipcp->security; 5229 *secid = isec->sid; 5230 } 5231 5232 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 5233 { 5234 if (inode) 5235 inode_doinit_with_dentry(inode, dentry); 5236 } 5237 5238 static int selinux_getprocattr(struct task_struct *p, 5239 char *name, char **value) 5240 { 5241 const struct task_security_struct *__tsec; 5242 u32 sid; 5243 int error; 5244 unsigned len; 5245 5246 if (current != p) { 5247 error = current_has_perm(p, PROCESS__GETATTR); 5248 if (error) 5249 return error; 5250 } 5251 5252 rcu_read_lock(); 5253 __tsec = __task_cred(p)->security; 5254 5255 if (!strcmp(name, "current")) 5256 sid = __tsec->sid; 5257 else if (!strcmp(name, "prev")) 5258 sid = __tsec->osid; 5259 else if (!strcmp(name, "exec")) 5260 sid = __tsec->exec_sid; 5261 else if (!strcmp(name, "fscreate")) 5262 sid = __tsec->create_sid; 5263 else if (!strcmp(name, "keycreate")) 5264 sid = __tsec->keycreate_sid; 5265 else if (!strcmp(name, "sockcreate")) 5266 sid = __tsec->sockcreate_sid; 5267 else 5268 goto invalid; 5269 rcu_read_unlock(); 5270 5271 if (!sid) 5272 return 0; 5273 5274 error = security_sid_to_context(sid, value, &len); 5275 if (error) 5276 return error; 5277 return len; 5278 5279 invalid: 5280 rcu_read_unlock(); 5281 return -EINVAL; 5282 } 5283 5284 static int selinux_setprocattr(struct task_struct *p, 5285 char *name, void *value, size_t size) 5286 { 5287 struct task_security_struct *tsec; 5288 struct task_struct *tracer; 5289 struct cred *new; 5290 u32 sid = 0, ptsid; 5291 int error; 5292 char *str = value; 5293 5294 if (current != p) { 5295 /* SELinux only allows a process to change its own 5296 security attributes. */ 5297 return -EACCES; 5298 } 5299 5300 /* 5301 * Basic control over ability to set these attributes at all. 5302 * current == p, but we'll pass them separately in case the 5303 * above restriction is ever removed. 5304 */ 5305 if (!strcmp(name, "exec")) 5306 error = current_has_perm(p, PROCESS__SETEXEC); 5307 else if (!strcmp(name, "fscreate")) 5308 error = current_has_perm(p, PROCESS__SETFSCREATE); 5309 else if (!strcmp(name, "keycreate")) 5310 error = current_has_perm(p, PROCESS__SETKEYCREATE); 5311 else if (!strcmp(name, "sockcreate")) 5312 error = current_has_perm(p, PROCESS__SETSOCKCREATE); 5313 else if (!strcmp(name, "current")) 5314 error = current_has_perm(p, PROCESS__SETCURRENT); 5315 else 5316 error = -EINVAL; 5317 if (error) 5318 return error; 5319 5320 /* Obtain a SID for the context, if one was specified. */ 5321 if (size && str[1] && str[1] != '\n') { 5322 if (str[size-1] == '\n') { 5323 str[size-1] = 0; 5324 size--; 5325 } 5326 error = security_context_to_sid(value, size, &sid); 5327 if (error == -EINVAL && !strcmp(name, "fscreate")) { 5328 if (!capable(CAP_MAC_ADMIN)) { 5329 struct audit_buffer *ab; 5330 size_t audit_size; 5331 5332 /* We strip a nul only if it is at the end, otherwise the 5333 * context contains a nul and we should audit that */ 5334 if (str[size - 1] == '\0') 5335 audit_size = size - 1; 5336 else 5337 audit_size = size; 5338 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 5339 audit_log_format(ab, "op=fscreate invalid_context="); 5340 audit_log_n_untrustedstring(ab, value, audit_size); 5341 audit_log_end(ab); 5342 5343 return error; 5344 } 5345 error = security_context_to_sid_force(value, size, 5346 &sid); 5347 } 5348 if (error) 5349 return error; 5350 } 5351 5352 new = prepare_creds(); 5353 if (!new) 5354 return -ENOMEM; 5355 5356 /* Permission checking based on the specified context is 5357 performed during the actual operation (execve, 5358 open/mkdir/...), when we know the full context of the 5359 operation. See selinux_bprm_set_creds for the execve 5360 checks and may_create for the file creation checks. The 5361 operation will then fail if the context is not permitted. */ 5362 tsec = new->security; 5363 if (!strcmp(name, "exec")) { 5364 tsec->exec_sid = sid; 5365 } else if (!strcmp(name, "fscreate")) { 5366 tsec->create_sid = sid; 5367 } else if (!strcmp(name, "keycreate")) { 5368 error = may_create_key(sid, p); 5369 if (error) 5370 goto abort_change; 5371 tsec->keycreate_sid = sid; 5372 } else if (!strcmp(name, "sockcreate")) { 5373 tsec->sockcreate_sid = sid; 5374 } else if (!strcmp(name, "current")) { 5375 error = -EINVAL; 5376 if (sid == 0) 5377 goto abort_change; 5378 5379 /* Only allow single threaded processes to change context */ 5380 error = -EPERM; 5381 if (!current_is_single_threaded()) { 5382 error = security_bounded_transition(tsec->sid, sid); 5383 if (error) 5384 goto abort_change; 5385 } 5386 5387 /* Check permissions for the transition. */ 5388 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 5389 PROCESS__DYNTRANSITION, NULL); 5390 if (error) 5391 goto abort_change; 5392 5393 /* Check for ptracing, and update the task SID if ok. 5394 Otherwise, leave SID unchanged and fail. */ 5395 ptsid = 0; 5396 task_lock(p); 5397 tracer = ptrace_parent(p); 5398 if (tracer) 5399 ptsid = task_sid(tracer); 5400 task_unlock(p); 5401 5402 if (tracer) { 5403 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 5404 PROCESS__PTRACE, NULL); 5405 if (error) 5406 goto abort_change; 5407 } 5408 5409 tsec->sid = sid; 5410 } else { 5411 error = -EINVAL; 5412 goto abort_change; 5413 } 5414 5415 commit_creds(new); 5416 return size; 5417 5418 abort_change: 5419 abort_creds(new); 5420 return error; 5421 } 5422 5423 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 5424 { 5425 return security_sid_to_context(secid, secdata, seclen); 5426 } 5427 5428 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 5429 { 5430 return security_context_to_sid(secdata, seclen, secid); 5431 } 5432 5433 static void selinux_release_secctx(char *secdata, u32 seclen) 5434 { 5435 kfree(secdata); 5436 } 5437 5438 /* 5439 * called with inode->i_mutex locked 5440 */ 5441 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 5442 { 5443 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); 5444 } 5445 5446 /* 5447 * called with inode->i_mutex locked 5448 */ 5449 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 5450 { 5451 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 5452 } 5453 5454 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 5455 { 5456 int len = 0; 5457 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 5458 ctx, true); 5459 if (len < 0) 5460 return len; 5461 *ctxlen = len; 5462 return 0; 5463 } 5464 #ifdef CONFIG_KEYS 5465 5466 static int selinux_key_alloc(struct key *k, const struct cred *cred, 5467 unsigned long flags) 5468 { 5469 const struct task_security_struct *tsec; 5470 struct key_security_struct *ksec; 5471 5472 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 5473 if (!ksec) 5474 return -ENOMEM; 5475 5476 tsec = cred->security; 5477 if (tsec->keycreate_sid) 5478 ksec->sid = tsec->keycreate_sid; 5479 else 5480 ksec->sid = tsec->sid; 5481 5482 k->security = ksec; 5483 return 0; 5484 } 5485 5486 static void selinux_key_free(struct key *k) 5487 { 5488 struct key_security_struct *ksec = k->security; 5489 5490 k->security = NULL; 5491 kfree(ksec); 5492 } 5493 5494 static int selinux_key_permission(key_ref_t key_ref, 5495 const struct cred *cred, 5496 key_perm_t perm) 5497 { 5498 struct key *key; 5499 struct key_security_struct *ksec; 5500 u32 sid; 5501 5502 /* if no specific permissions are requested, we skip the 5503 permission check. No serious, additional covert channels 5504 appear to be created. */ 5505 if (perm == 0) 5506 return 0; 5507 5508 sid = cred_sid(cred); 5509 5510 key = key_ref_to_ptr(key_ref); 5511 ksec = key->security; 5512 5513 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 5514 } 5515 5516 static int selinux_key_getsecurity(struct key *key, char **_buffer) 5517 { 5518 struct key_security_struct *ksec = key->security; 5519 char *context = NULL; 5520 unsigned len; 5521 int rc; 5522 5523 rc = security_sid_to_context(ksec->sid, &context, &len); 5524 if (!rc) 5525 rc = len; 5526 *_buffer = context; 5527 return rc; 5528 } 5529 5530 #endif 5531 5532 static struct security_operations selinux_ops = { 5533 .name = "selinux", 5534 5535 .ptrace_access_check = selinux_ptrace_access_check, 5536 .ptrace_traceme = selinux_ptrace_traceme, 5537 .capget = selinux_capget, 5538 .capset = selinux_capset, 5539 .capable = selinux_capable, 5540 .quotactl = selinux_quotactl, 5541 .quota_on = selinux_quota_on, 5542 .syslog = selinux_syslog, 5543 .vm_enough_memory = selinux_vm_enough_memory, 5544 5545 .netlink_send = selinux_netlink_send, 5546 5547 .bprm_set_creds = selinux_bprm_set_creds, 5548 .bprm_committing_creds = selinux_bprm_committing_creds, 5549 .bprm_committed_creds = selinux_bprm_committed_creds, 5550 .bprm_secureexec = selinux_bprm_secureexec, 5551 5552 .sb_alloc_security = selinux_sb_alloc_security, 5553 .sb_free_security = selinux_sb_free_security, 5554 .sb_copy_data = selinux_sb_copy_data, 5555 .sb_remount = selinux_sb_remount, 5556 .sb_kern_mount = selinux_sb_kern_mount, 5557 .sb_show_options = selinux_sb_show_options, 5558 .sb_statfs = selinux_sb_statfs, 5559 .sb_mount = selinux_mount, 5560 .sb_umount = selinux_umount, 5561 .sb_set_mnt_opts = selinux_set_mnt_opts, 5562 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts, 5563 .sb_parse_opts_str = selinux_parse_opts_str, 5564 5565 5566 .inode_alloc_security = selinux_inode_alloc_security, 5567 .inode_free_security = selinux_inode_free_security, 5568 .inode_init_security = selinux_inode_init_security, 5569 .inode_create = selinux_inode_create, 5570 .inode_link = selinux_inode_link, 5571 .inode_unlink = selinux_inode_unlink, 5572 .inode_symlink = selinux_inode_symlink, 5573 .inode_mkdir = selinux_inode_mkdir, 5574 .inode_rmdir = selinux_inode_rmdir, 5575 .inode_mknod = selinux_inode_mknod, 5576 .inode_rename = selinux_inode_rename, 5577 .inode_readlink = selinux_inode_readlink, 5578 .inode_follow_link = selinux_inode_follow_link, 5579 .inode_permission = selinux_inode_permission, 5580 .inode_setattr = selinux_inode_setattr, 5581 .inode_getattr = selinux_inode_getattr, 5582 .inode_setxattr = selinux_inode_setxattr, 5583 .inode_post_setxattr = selinux_inode_post_setxattr, 5584 .inode_getxattr = selinux_inode_getxattr, 5585 .inode_listxattr = selinux_inode_listxattr, 5586 .inode_removexattr = selinux_inode_removexattr, 5587 .inode_getsecurity = selinux_inode_getsecurity, 5588 .inode_setsecurity = selinux_inode_setsecurity, 5589 .inode_listsecurity = selinux_inode_listsecurity, 5590 .inode_getsecid = selinux_inode_getsecid, 5591 5592 .file_permission = selinux_file_permission, 5593 .file_alloc_security = selinux_file_alloc_security, 5594 .file_free_security = selinux_file_free_security, 5595 .file_ioctl = selinux_file_ioctl, 5596 .mmap_file = selinux_mmap_file, 5597 .mmap_addr = selinux_mmap_addr, 5598 .file_mprotect = selinux_file_mprotect, 5599 .file_lock = selinux_file_lock, 5600 .file_fcntl = selinux_file_fcntl, 5601 .file_set_fowner = selinux_file_set_fowner, 5602 .file_send_sigiotask = selinux_file_send_sigiotask, 5603 .file_receive = selinux_file_receive, 5604 5605 .file_open = selinux_file_open, 5606 5607 .task_create = selinux_task_create, 5608 .cred_alloc_blank = selinux_cred_alloc_blank, 5609 .cred_free = selinux_cred_free, 5610 .cred_prepare = selinux_cred_prepare, 5611 .cred_transfer = selinux_cred_transfer, 5612 .kernel_act_as = selinux_kernel_act_as, 5613 .kernel_create_files_as = selinux_kernel_create_files_as, 5614 .kernel_module_request = selinux_kernel_module_request, 5615 .task_setpgid = selinux_task_setpgid, 5616 .task_getpgid = selinux_task_getpgid, 5617 .task_getsid = selinux_task_getsid, 5618 .task_getsecid = selinux_task_getsecid, 5619 .task_setnice = selinux_task_setnice, 5620 .task_setioprio = selinux_task_setioprio, 5621 .task_getioprio = selinux_task_getioprio, 5622 .task_setrlimit = selinux_task_setrlimit, 5623 .task_setscheduler = selinux_task_setscheduler, 5624 .task_getscheduler = selinux_task_getscheduler, 5625 .task_movememory = selinux_task_movememory, 5626 .task_kill = selinux_task_kill, 5627 .task_wait = selinux_task_wait, 5628 .task_to_inode = selinux_task_to_inode, 5629 5630 .ipc_permission = selinux_ipc_permission, 5631 .ipc_getsecid = selinux_ipc_getsecid, 5632 5633 .msg_msg_alloc_security = selinux_msg_msg_alloc_security, 5634 .msg_msg_free_security = selinux_msg_msg_free_security, 5635 5636 .msg_queue_alloc_security = selinux_msg_queue_alloc_security, 5637 .msg_queue_free_security = selinux_msg_queue_free_security, 5638 .msg_queue_associate = selinux_msg_queue_associate, 5639 .msg_queue_msgctl = selinux_msg_queue_msgctl, 5640 .msg_queue_msgsnd = selinux_msg_queue_msgsnd, 5641 .msg_queue_msgrcv = selinux_msg_queue_msgrcv, 5642 5643 .shm_alloc_security = selinux_shm_alloc_security, 5644 .shm_free_security = selinux_shm_free_security, 5645 .shm_associate = selinux_shm_associate, 5646 .shm_shmctl = selinux_shm_shmctl, 5647 .shm_shmat = selinux_shm_shmat, 5648 5649 .sem_alloc_security = selinux_sem_alloc_security, 5650 .sem_free_security = selinux_sem_free_security, 5651 .sem_associate = selinux_sem_associate, 5652 .sem_semctl = selinux_sem_semctl, 5653 .sem_semop = selinux_sem_semop, 5654 5655 .d_instantiate = selinux_d_instantiate, 5656 5657 .getprocattr = selinux_getprocattr, 5658 .setprocattr = selinux_setprocattr, 5659 5660 .secid_to_secctx = selinux_secid_to_secctx, 5661 .secctx_to_secid = selinux_secctx_to_secid, 5662 .release_secctx = selinux_release_secctx, 5663 .inode_notifysecctx = selinux_inode_notifysecctx, 5664 .inode_setsecctx = selinux_inode_setsecctx, 5665 .inode_getsecctx = selinux_inode_getsecctx, 5666 5667 .unix_stream_connect = selinux_socket_unix_stream_connect, 5668 .unix_may_send = selinux_socket_unix_may_send, 5669 5670 .socket_create = selinux_socket_create, 5671 .socket_post_create = selinux_socket_post_create, 5672 .socket_bind = selinux_socket_bind, 5673 .socket_connect = selinux_socket_connect, 5674 .socket_listen = selinux_socket_listen, 5675 .socket_accept = selinux_socket_accept, 5676 .socket_sendmsg = selinux_socket_sendmsg, 5677 .socket_recvmsg = selinux_socket_recvmsg, 5678 .socket_getsockname = selinux_socket_getsockname, 5679 .socket_getpeername = selinux_socket_getpeername, 5680 .socket_getsockopt = selinux_socket_getsockopt, 5681 .socket_setsockopt = selinux_socket_setsockopt, 5682 .socket_shutdown = selinux_socket_shutdown, 5683 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb, 5684 .socket_getpeersec_stream = selinux_socket_getpeersec_stream, 5685 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram, 5686 .sk_alloc_security = selinux_sk_alloc_security, 5687 .sk_free_security = selinux_sk_free_security, 5688 .sk_clone_security = selinux_sk_clone_security, 5689 .sk_getsecid = selinux_sk_getsecid, 5690 .sock_graft = selinux_sock_graft, 5691 .inet_conn_request = selinux_inet_conn_request, 5692 .inet_csk_clone = selinux_inet_csk_clone, 5693 .inet_conn_established = selinux_inet_conn_established, 5694 .secmark_relabel_packet = selinux_secmark_relabel_packet, 5695 .secmark_refcount_inc = selinux_secmark_refcount_inc, 5696 .secmark_refcount_dec = selinux_secmark_refcount_dec, 5697 .req_classify_flow = selinux_req_classify_flow, 5698 .tun_dev_alloc_security = selinux_tun_dev_alloc_security, 5699 .tun_dev_free_security = selinux_tun_dev_free_security, 5700 .tun_dev_create = selinux_tun_dev_create, 5701 .tun_dev_attach_queue = selinux_tun_dev_attach_queue, 5702 .tun_dev_attach = selinux_tun_dev_attach, 5703 .tun_dev_open = selinux_tun_dev_open, 5704 .skb_owned_by = selinux_skb_owned_by, 5705 5706 #ifdef CONFIG_SECURITY_NETWORK_XFRM 5707 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, 5708 .xfrm_policy_clone_security = selinux_xfrm_policy_clone, 5709 .xfrm_policy_free_security = selinux_xfrm_policy_free, 5710 .xfrm_policy_delete_security = selinux_xfrm_policy_delete, 5711 .xfrm_state_alloc_security = selinux_xfrm_state_alloc, 5712 .xfrm_state_free_security = selinux_xfrm_state_free, 5713 .xfrm_state_delete_security = selinux_xfrm_state_delete, 5714 .xfrm_policy_lookup = selinux_xfrm_policy_lookup, 5715 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match, 5716 .xfrm_decode_session = selinux_xfrm_decode_session, 5717 #endif 5718 5719 #ifdef CONFIG_KEYS 5720 .key_alloc = selinux_key_alloc, 5721 .key_free = selinux_key_free, 5722 .key_permission = selinux_key_permission, 5723 .key_getsecurity = selinux_key_getsecurity, 5724 #endif 5725 5726 #ifdef CONFIG_AUDIT 5727 .audit_rule_init = selinux_audit_rule_init, 5728 .audit_rule_known = selinux_audit_rule_known, 5729 .audit_rule_match = selinux_audit_rule_match, 5730 .audit_rule_free = selinux_audit_rule_free, 5731 #endif 5732 }; 5733 5734 static __init int selinux_init(void) 5735 { 5736 if (!security_module_enable(&selinux_ops)) { 5737 selinux_enabled = 0; 5738 return 0; 5739 } 5740 5741 if (!selinux_enabled) { 5742 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 5743 return 0; 5744 } 5745 5746 printk(KERN_INFO "SELinux: Initializing.\n"); 5747 5748 /* Set the security state for the initial task. */ 5749 cred_init_security(); 5750 5751 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 5752 5753 sel_inode_cache = kmem_cache_create("selinux_inode_security", 5754 sizeof(struct inode_security_struct), 5755 0, SLAB_PANIC, NULL); 5756 avc_init(); 5757 5758 if (register_security(&selinux_ops)) 5759 panic("SELinux: Unable to register with kernel.\n"); 5760 5761 if (selinux_enforcing) 5762 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 5763 else 5764 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 5765 5766 return 0; 5767 } 5768 5769 static void delayed_superblock_init(struct super_block *sb, void *unused) 5770 { 5771 superblock_doinit(sb, NULL); 5772 } 5773 5774 void selinux_complete_init(void) 5775 { 5776 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 5777 5778 /* Set up any superblocks initialized prior to the policy load. */ 5779 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 5780 iterate_supers(delayed_superblock_init, NULL); 5781 } 5782 5783 /* SELinux requires early initialization in order to label 5784 all processes and objects when they are created. */ 5785 security_initcall(selinux_init); 5786 5787 #if defined(CONFIG_NETFILTER) 5788 5789 static struct nf_hook_ops selinux_ipv4_ops[] = { 5790 { 5791 .hook = selinux_ipv4_postroute, 5792 .owner = THIS_MODULE, 5793 .pf = NFPROTO_IPV4, 5794 .hooknum = NF_INET_POST_ROUTING, 5795 .priority = NF_IP_PRI_SELINUX_LAST, 5796 }, 5797 { 5798 .hook = selinux_ipv4_forward, 5799 .owner = THIS_MODULE, 5800 .pf = NFPROTO_IPV4, 5801 .hooknum = NF_INET_FORWARD, 5802 .priority = NF_IP_PRI_SELINUX_FIRST, 5803 }, 5804 { 5805 .hook = selinux_ipv4_output, 5806 .owner = THIS_MODULE, 5807 .pf = NFPROTO_IPV4, 5808 .hooknum = NF_INET_LOCAL_OUT, 5809 .priority = NF_IP_PRI_SELINUX_FIRST, 5810 } 5811 }; 5812 5813 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5814 5815 static struct nf_hook_ops selinux_ipv6_ops[] = { 5816 { 5817 .hook = selinux_ipv6_postroute, 5818 .owner = THIS_MODULE, 5819 .pf = NFPROTO_IPV6, 5820 .hooknum = NF_INET_POST_ROUTING, 5821 .priority = NF_IP6_PRI_SELINUX_LAST, 5822 }, 5823 { 5824 .hook = selinux_ipv6_forward, 5825 .owner = THIS_MODULE, 5826 .pf = NFPROTO_IPV6, 5827 .hooknum = NF_INET_FORWARD, 5828 .priority = NF_IP6_PRI_SELINUX_FIRST, 5829 } 5830 }; 5831 5832 #endif /* IPV6 */ 5833 5834 static int __init selinux_nf_ip_init(void) 5835 { 5836 int err = 0; 5837 5838 if (!selinux_enabled) 5839 goto out; 5840 5841 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 5842 5843 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops)); 5844 if (err) 5845 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err); 5846 5847 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5848 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops)); 5849 if (err) 5850 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err); 5851 #endif /* IPV6 */ 5852 5853 out: 5854 return err; 5855 } 5856 5857 __initcall(selinux_nf_ip_init); 5858 5859 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 5860 static void selinux_nf_ip_exit(void) 5861 { 5862 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 5863 5864 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops)); 5865 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5866 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops)); 5867 #endif /* IPV6 */ 5868 } 5869 #endif 5870 5871 #else /* CONFIG_NETFILTER */ 5872 5873 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 5874 #define selinux_nf_ip_exit() 5875 #endif 5876 5877 #endif /* CONFIG_NETFILTER */ 5878 5879 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 5880 static int selinux_disabled; 5881 5882 int selinux_disable(void) 5883 { 5884 if (ss_initialized) { 5885 /* Not permitted after initial policy load. */ 5886 return -EINVAL; 5887 } 5888 5889 if (selinux_disabled) { 5890 /* Only do this once. */ 5891 return -EINVAL; 5892 } 5893 5894 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 5895 5896 selinux_disabled = 1; 5897 selinux_enabled = 0; 5898 5899 reset_security_ops(); 5900 5901 /* Try to destroy the avc node cache */ 5902 avc_disable(); 5903 5904 /* Unregister netfilter hooks. */ 5905 selinux_nf_ip_exit(); 5906 5907 /* Unregister selinuxfs. */ 5908 exit_sel_fs(); 5909 5910 return 0; 5911 } 5912 #endif 5913