1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 14 * <dgoeddel@trustedcs.com> 15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. 16 * Paul Moore <paul.moore@hp.com> 17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 18 * Yuichi Nakamura <ynakam@hitachisoft.jp> 19 * 20 * This program is free software; you can redistribute it and/or modify 21 * it under the terms of the GNU General Public License version 2, 22 * as published by the Free Software Foundation. 23 */ 24 25 #include <linux/init.h> 26 #include <linux/kernel.h> 27 #include <linux/ptrace.h> 28 #include <linux/errno.h> 29 #include <linux/sched.h> 30 #include <linux/security.h> 31 #include <linux/xattr.h> 32 #include <linux/capability.h> 33 #include <linux/unistd.h> 34 #include <linux/mm.h> 35 #include <linux/mman.h> 36 #include <linux/slab.h> 37 #include <linux/pagemap.h> 38 #include <linux/swap.h> 39 #include <linux/spinlock.h> 40 #include <linux/syscalls.h> 41 #include <linux/file.h> 42 #include <linux/namei.h> 43 #include <linux/mount.h> 44 #include <linux/ext2_fs.h> 45 #include <linux/proc_fs.h> 46 #include <linux/kd.h> 47 #include <linux/netfilter_ipv4.h> 48 #include <linux/netfilter_ipv6.h> 49 #include <linux/tty.h> 50 #include <net/icmp.h> 51 #include <net/ip.h> /* for local_port_range[] */ 52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 53 #include <net/net_namespace.h> 54 #include <net/netlabel.h> 55 #include <asm/uaccess.h> 56 #include <asm/ioctls.h> 57 #include <asm/atomic.h> 58 #include <linux/bitops.h> 59 #include <linux/interrupt.h> 60 #include <linux/netdevice.h> /* for network interface checks */ 61 #include <linux/netlink.h> 62 #include <linux/tcp.h> 63 #include <linux/udp.h> 64 #include <linux/dccp.h> 65 #include <linux/quota.h> 66 #include <linux/un.h> /* for Unix socket types */ 67 #include <net/af_unix.h> /* for Unix socket types */ 68 #include <linux/parser.h> 69 #include <linux/nfs_mount.h> 70 #include <net/ipv6.h> 71 #include <linux/hugetlb.h> 72 #include <linux/personality.h> 73 #include <linux/sysctl.h> 74 #include <linux/audit.h> 75 #include <linux/string.h> 76 #include <linux/selinux.h> 77 #include <linux/mutex.h> 78 79 #include "avc.h" 80 #include "objsec.h" 81 #include "netif.h" 82 #include "netnode.h" 83 #include "xfrm.h" 84 #include "netlabel.h" 85 86 #define XATTR_SELINUX_SUFFIX "selinux" 87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX 88 89 #define NUM_SEL_MNT_OPTS 4 90 91 extern unsigned int policydb_loaded_version; 92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); 93 extern int selinux_compat_net; 94 extern struct security_operations *security_ops; 95 96 /* SECMARK reference count */ 97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 98 99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 100 int selinux_enforcing = 0; 101 102 static int __init enforcing_setup(char *str) 103 { 104 selinux_enforcing = simple_strtol(str,NULL,0); 105 return 1; 106 } 107 __setup("enforcing=", enforcing_setup); 108 #endif 109 110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 112 113 static int __init selinux_enabled_setup(char *str) 114 { 115 selinux_enabled = simple_strtol(str, NULL, 0); 116 return 1; 117 } 118 __setup("selinux=", selinux_enabled_setup); 119 #else 120 int selinux_enabled = 1; 121 #endif 122 123 /* Original (dummy) security module. */ 124 static struct security_operations *original_ops = NULL; 125 126 /* Minimal support for a secondary security module, 127 just to allow the use of the dummy or capability modules. 128 The owlsm module can alternatively be used as a secondary 129 module as long as CONFIG_OWLSM_FD is not enabled. */ 130 static struct security_operations *secondary_ops = NULL; 131 132 /* Lists of inode and superblock security structures initialized 133 before the policy was loaded. */ 134 static LIST_HEAD(superblock_security_head); 135 static DEFINE_SPINLOCK(sb_security_lock); 136 137 static struct kmem_cache *sel_inode_cache; 138 139 /* Return security context for a given sid or just the context 140 length if the buffer is null or length is 0 */ 141 static int selinux_getsecurity(u32 sid, void *buffer, size_t size) 142 { 143 char *context; 144 unsigned len; 145 int rc; 146 147 rc = security_sid_to_context(sid, &context, &len); 148 if (rc) 149 return rc; 150 151 if (!buffer || !size) 152 goto getsecurity_exit; 153 154 if (size < len) { 155 len = -ERANGE; 156 goto getsecurity_exit; 157 } 158 memcpy(buffer, context, len); 159 160 getsecurity_exit: 161 kfree(context); 162 return len; 163 } 164 165 /** 166 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 167 * 168 * Description: 169 * This function checks the SECMARK reference counter to see if any SECMARK 170 * targets are currently configured, if the reference counter is greater than 171 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 172 * enabled, false (0) if SECMARK is disabled. 173 * 174 */ 175 static int selinux_secmark_enabled(void) 176 { 177 return (atomic_read(&selinux_secmark_refcount) > 0); 178 } 179 180 /* Allocate and free functions for each kind of security blob. */ 181 182 static int task_alloc_security(struct task_struct *task) 183 { 184 struct task_security_struct *tsec; 185 186 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 187 if (!tsec) 188 return -ENOMEM; 189 190 tsec->task = task; 191 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED; 192 task->security = tsec; 193 194 return 0; 195 } 196 197 static void task_free_security(struct task_struct *task) 198 { 199 struct task_security_struct *tsec = task->security; 200 task->security = NULL; 201 kfree(tsec); 202 } 203 204 static int inode_alloc_security(struct inode *inode) 205 { 206 struct task_security_struct *tsec = current->security; 207 struct inode_security_struct *isec; 208 209 isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL); 210 if (!isec) 211 return -ENOMEM; 212 213 mutex_init(&isec->lock); 214 INIT_LIST_HEAD(&isec->list); 215 isec->inode = inode; 216 isec->sid = SECINITSID_UNLABELED; 217 isec->sclass = SECCLASS_FILE; 218 isec->task_sid = tsec->sid; 219 inode->i_security = isec; 220 221 return 0; 222 } 223 224 static void inode_free_security(struct inode *inode) 225 { 226 struct inode_security_struct *isec = inode->i_security; 227 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 228 229 spin_lock(&sbsec->isec_lock); 230 if (!list_empty(&isec->list)) 231 list_del_init(&isec->list); 232 spin_unlock(&sbsec->isec_lock); 233 234 inode->i_security = NULL; 235 kmem_cache_free(sel_inode_cache, isec); 236 } 237 238 static int file_alloc_security(struct file *file) 239 { 240 struct task_security_struct *tsec = current->security; 241 struct file_security_struct *fsec; 242 243 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); 244 if (!fsec) 245 return -ENOMEM; 246 247 fsec->file = file; 248 fsec->sid = tsec->sid; 249 fsec->fown_sid = tsec->sid; 250 file->f_security = fsec; 251 252 return 0; 253 } 254 255 static void file_free_security(struct file *file) 256 { 257 struct file_security_struct *fsec = file->f_security; 258 file->f_security = NULL; 259 kfree(fsec); 260 } 261 262 static int superblock_alloc_security(struct super_block *sb) 263 { 264 struct superblock_security_struct *sbsec; 265 266 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 267 if (!sbsec) 268 return -ENOMEM; 269 270 mutex_init(&sbsec->lock); 271 INIT_LIST_HEAD(&sbsec->list); 272 INIT_LIST_HEAD(&sbsec->isec_head); 273 spin_lock_init(&sbsec->isec_lock); 274 sbsec->sb = sb; 275 sbsec->sid = SECINITSID_UNLABELED; 276 sbsec->def_sid = SECINITSID_FILE; 277 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 278 sb->s_security = sbsec; 279 280 return 0; 281 } 282 283 static void superblock_free_security(struct super_block *sb) 284 { 285 struct superblock_security_struct *sbsec = sb->s_security; 286 287 spin_lock(&sb_security_lock); 288 if (!list_empty(&sbsec->list)) 289 list_del_init(&sbsec->list); 290 spin_unlock(&sb_security_lock); 291 292 sb->s_security = NULL; 293 kfree(sbsec); 294 } 295 296 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority) 297 { 298 struct sk_security_struct *ssec; 299 300 ssec = kzalloc(sizeof(*ssec), priority); 301 if (!ssec) 302 return -ENOMEM; 303 304 ssec->sk = sk; 305 ssec->peer_sid = SECINITSID_UNLABELED; 306 ssec->sid = SECINITSID_UNLABELED; 307 sk->sk_security = ssec; 308 309 selinux_netlbl_sk_security_init(ssec, family); 310 311 return 0; 312 } 313 314 static void sk_free_security(struct sock *sk) 315 { 316 struct sk_security_struct *ssec = sk->sk_security; 317 318 sk->sk_security = NULL; 319 kfree(ssec); 320 } 321 322 /* The security server must be initialized before 323 any labeling or access decisions can be provided. */ 324 extern int ss_initialized; 325 326 /* The file system's label must be initialized prior to use. */ 327 328 static char *labeling_behaviors[6] = { 329 "uses xattr", 330 "uses transition SIDs", 331 "uses task SIDs", 332 "uses genfs_contexts", 333 "not configured for labeling", 334 "uses mountpoint labeling", 335 }; 336 337 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 338 339 static inline int inode_doinit(struct inode *inode) 340 { 341 return inode_doinit_with_dentry(inode, NULL); 342 } 343 344 enum { 345 Opt_error = -1, 346 Opt_context = 1, 347 Opt_fscontext = 2, 348 Opt_defcontext = 3, 349 Opt_rootcontext = 4, 350 }; 351 352 static match_table_t tokens = { 353 {Opt_context, "context=%s"}, 354 {Opt_fscontext, "fscontext=%s"}, 355 {Opt_defcontext, "defcontext=%s"}, 356 {Opt_rootcontext, "rootcontext=%s"}, 357 {Opt_error, NULL}, 358 }; 359 360 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 361 362 static int may_context_mount_sb_relabel(u32 sid, 363 struct superblock_security_struct *sbsec, 364 struct task_security_struct *tsec) 365 { 366 int rc; 367 368 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 369 FILESYSTEM__RELABELFROM, NULL); 370 if (rc) 371 return rc; 372 373 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 374 FILESYSTEM__RELABELTO, NULL); 375 return rc; 376 } 377 378 static int may_context_mount_inode_relabel(u32 sid, 379 struct superblock_security_struct *sbsec, 380 struct task_security_struct *tsec) 381 { 382 int rc; 383 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 384 FILESYSTEM__RELABELFROM, NULL); 385 if (rc) 386 return rc; 387 388 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 389 FILESYSTEM__ASSOCIATE, NULL); 390 return rc; 391 } 392 393 static int sb_finish_set_opts(struct super_block *sb) 394 { 395 struct superblock_security_struct *sbsec = sb->s_security; 396 struct dentry *root = sb->s_root; 397 struct inode *root_inode = root->d_inode; 398 int rc = 0; 399 400 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 401 /* Make sure that the xattr handler exists and that no 402 error other than -ENODATA is returned by getxattr on 403 the root directory. -ENODATA is ok, as this may be 404 the first boot of the SELinux kernel before we have 405 assigned xattr values to the filesystem. */ 406 if (!root_inode->i_op->getxattr) { 407 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 408 "xattr support\n", sb->s_id, sb->s_type->name); 409 rc = -EOPNOTSUPP; 410 goto out; 411 } 412 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0); 413 if (rc < 0 && rc != -ENODATA) { 414 if (rc == -EOPNOTSUPP) 415 printk(KERN_WARNING "SELinux: (dev %s, type " 416 "%s) has no security xattr handler\n", 417 sb->s_id, sb->s_type->name); 418 else 419 printk(KERN_WARNING "SELinux: (dev %s, type " 420 "%s) getxattr errno %d\n", sb->s_id, 421 sb->s_type->name, -rc); 422 goto out; 423 } 424 } 425 426 sbsec->initialized = 1; 427 428 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) 429 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", 430 sb->s_id, sb->s_type->name); 431 else 432 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n", 433 sb->s_id, sb->s_type->name, 434 labeling_behaviors[sbsec->behavior-1]); 435 436 /* Initialize the root inode. */ 437 rc = inode_doinit_with_dentry(root_inode, root); 438 439 /* Initialize any other inodes associated with the superblock, e.g. 440 inodes created prior to initial policy load or inodes created 441 during get_sb by a pseudo filesystem that directly 442 populates itself. */ 443 spin_lock(&sbsec->isec_lock); 444 next_inode: 445 if (!list_empty(&sbsec->isec_head)) { 446 struct inode_security_struct *isec = 447 list_entry(sbsec->isec_head.next, 448 struct inode_security_struct, list); 449 struct inode *inode = isec->inode; 450 spin_unlock(&sbsec->isec_lock); 451 inode = igrab(inode); 452 if (inode) { 453 if (!IS_PRIVATE(inode)) 454 inode_doinit(inode); 455 iput(inode); 456 } 457 spin_lock(&sbsec->isec_lock); 458 list_del_init(&isec->list); 459 goto next_inode; 460 } 461 spin_unlock(&sbsec->isec_lock); 462 out: 463 return rc; 464 } 465 466 /* 467 * This function should allow an FS to ask what it's mount security 468 * options were so it can use those later for submounts, displaying 469 * mount options, or whatever. 470 */ 471 static int selinux_get_mnt_opts(const struct super_block *sb, 472 char ***mount_options, int **mnt_opts_flags, 473 int *num_opts) 474 { 475 int rc = 0, i; 476 struct superblock_security_struct *sbsec = sb->s_security; 477 char *context = NULL; 478 u32 len; 479 char tmp; 480 481 *num_opts = 0; 482 *mount_options = NULL; 483 *mnt_opts_flags = NULL; 484 485 if (!sbsec->initialized) 486 return -EINVAL; 487 488 if (!ss_initialized) 489 return -EINVAL; 490 491 /* 492 * if we ever use sbsec flags for anything other than tracking mount 493 * settings this is going to need a mask 494 */ 495 tmp = sbsec->flags; 496 /* count the number of mount options for this sb */ 497 for (i = 0; i < 8; i++) { 498 if (tmp & 0x01) 499 (*num_opts)++; 500 tmp >>= 1; 501 } 502 503 *mount_options = kcalloc(*num_opts, sizeof(char *), GFP_ATOMIC); 504 if (!*mount_options) { 505 rc = -ENOMEM; 506 goto out_free; 507 } 508 509 *mnt_opts_flags = kcalloc(*num_opts, sizeof(int), GFP_ATOMIC); 510 if (!*mnt_opts_flags) { 511 rc = -ENOMEM; 512 goto out_free; 513 } 514 515 i = 0; 516 if (sbsec->flags & FSCONTEXT_MNT) { 517 rc = security_sid_to_context(sbsec->sid, &context, &len); 518 if (rc) 519 goto out_free; 520 (*mount_options)[i] = context; 521 (*mnt_opts_flags)[i++] = FSCONTEXT_MNT; 522 } 523 if (sbsec->flags & CONTEXT_MNT) { 524 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); 525 if (rc) 526 goto out_free; 527 (*mount_options)[i] = context; 528 (*mnt_opts_flags)[i++] = CONTEXT_MNT; 529 } 530 if (sbsec->flags & DEFCONTEXT_MNT) { 531 rc = security_sid_to_context(sbsec->def_sid, &context, &len); 532 if (rc) 533 goto out_free; 534 (*mount_options)[i] = context; 535 (*mnt_opts_flags)[i++] = DEFCONTEXT_MNT; 536 } 537 if (sbsec->flags & ROOTCONTEXT_MNT) { 538 struct inode *root = sbsec->sb->s_root->d_inode; 539 struct inode_security_struct *isec = root->i_security; 540 541 rc = security_sid_to_context(isec->sid, &context, &len); 542 if (rc) 543 goto out_free; 544 (*mount_options)[i] = context; 545 (*mnt_opts_flags)[i++] = ROOTCONTEXT_MNT; 546 } 547 548 BUG_ON(i != *num_opts); 549 550 return 0; 551 552 out_free: 553 /* don't leak context string if security_sid_to_context had an error */ 554 if (*mount_options && i) 555 for (; i > 0; i--) 556 kfree((*mount_options)[i-1]); 557 kfree(*mount_options); 558 *mount_options = NULL; 559 kfree(*mnt_opts_flags); 560 *mnt_opts_flags = NULL; 561 *num_opts = 0; 562 return rc; 563 } 564 565 static int bad_option(struct superblock_security_struct *sbsec, char flag, 566 u32 old_sid, u32 new_sid) 567 { 568 /* check if the old mount command had the same options */ 569 if (sbsec->initialized) 570 if (!(sbsec->flags & flag) || 571 (old_sid != new_sid)) 572 return 1; 573 574 /* check if we were passed the same options twice, 575 * aka someone passed context=a,context=b 576 */ 577 if (!sbsec->initialized) 578 if (sbsec->flags & flag) 579 return 1; 580 return 0; 581 } 582 /* 583 * Allow filesystems with binary mount data to explicitly set mount point 584 * labeling information. 585 */ 586 static int selinux_set_mnt_opts(struct super_block *sb, char **mount_options, 587 int *flags, int num_opts) 588 { 589 int rc = 0, i; 590 struct task_security_struct *tsec = current->security; 591 struct superblock_security_struct *sbsec = sb->s_security; 592 const char *name = sb->s_type->name; 593 struct inode *inode = sbsec->sb->s_root->d_inode; 594 struct inode_security_struct *root_isec = inode->i_security; 595 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 596 u32 defcontext_sid = 0; 597 598 mutex_lock(&sbsec->lock); 599 600 if (!ss_initialized) { 601 if (!num_opts) { 602 /* Defer initialization until selinux_complete_init, 603 after the initial policy is loaded and the security 604 server is ready to handle calls. */ 605 spin_lock(&sb_security_lock); 606 if (list_empty(&sbsec->list)) 607 list_add(&sbsec->list, &superblock_security_head); 608 spin_unlock(&sb_security_lock); 609 goto out; 610 } 611 rc = -EINVAL; 612 printk(KERN_WARNING "Unable to set superblock options before " 613 "the security server is initialized\n"); 614 goto out; 615 } 616 617 /* 618 * parse the mount options, check if they are valid sids. 619 * also check if someone is trying to mount the same sb more 620 * than once with different security options. 621 */ 622 for (i = 0; i < num_opts; i++) { 623 u32 sid; 624 rc = security_context_to_sid(mount_options[i], 625 strlen(mount_options[i]), &sid); 626 if (rc) { 627 printk(KERN_WARNING "SELinux: security_context_to_sid" 628 "(%s) failed for (dev %s, type %s) errno=%d\n", 629 mount_options[i], sb->s_id, name, rc); 630 goto out; 631 } 632 switch (flags[i]) { 633 case FSCONTEXT_MNT: 634 fscontext_sid = sid; 635 636 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 637 fscontext_sid)) 638 goto out_double_mount; 639 640 sbsec->flags |= FSCONTEXT_MNT; 641 break; 642 case CONTEXT_MNT: 643 context_sid = sid; 644 645 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 646 context_sid)) 647 goto out_double_mount; 648 649 sbsec->flags |= CONTEXT_MNT; 650 break; 651 case ROOTCONTEXT_MNT: 652 rootcontext_sid = sid; 653 654 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 655 rootcontext_sid)) 656 goto out_double_mount; 657 658 sbsec->flags |= ROOTCONTEXT_MNT; 659 660 break; 661 case DEFCONTEXT_MNT: 662 defcontext_sid = sid; 663 664 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 665 defcontext_sid)) 666 goto out_double_mount; 667 668 sbsec->flags |= DEFCONTEXT_MNT; 669 670 break; 671 default: 672 rc = -EINVAL; 673 goto out; 674 } 675 } 676 677 if (sbsec->initialized) { 678 /* previously mounted with options, but not on this attempt? */ 679 if (sbsec->flags && !num_opts) 680 goto out_double_mount; 681 rc = 0; 682 goto out; 683 } 684 685 if (strcmp(sb->s_type->name, "proc") == 0) 686 sbsec->proc = 1; 687 688 /* Determine the labeling behavior to use for this filesystem type. */ 689 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid); 690 if (rc) { 691 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", 692 __FUNCTION__, sb->s_type->name, rc); 693 goto out; 694 } 695 696 /* sets the context of the superblock for the fs being mounted. */ 697 if (fscontext_sid) { 698 699 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec); 700 if (rc) 701 goto out; 702 703 sbsec->sid = fscontext_sid; 704 } 705 706 /* 707 * Switch to using mount point labeling behavior. 708 * sets the label used on all file below the mountpoint, and will set 709 * the superblock context if not already set. 710 */ 711 if (context_sid) { 712 if (!fscontext_sid) { 713 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec); 714 if (rc) 715 goto out; 716 sbsec->sid = context_sid; 717 } else { 718 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec); 719 if (rc) 720 goto out; 721 } 722 if (!rootcontext_sid) 723 rootcontext_sid = context_sid; 724 725 sbsec->mntpoint_sid = context_sid; 726 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 727 } 728 729 if (rootcontext_sid) { 730 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec); 731 if (rc) 732 goto out; 733 734 root_isec->sid = rootcontext_sid; 735 root_isec->initialized = 1; 736 } 737 738 if (defcontext_sid) { 739 if (sbsec->behavior != SECURITY_FS_USE_XATTR) { 740 rc = -EINVAL; 741 printk(KERN_WARNING "SELinux: defcontext option is " 742 "invalid for this filesystem type\n"); 743 goto out; 744 } 745 746 if (defcontext_sid != sbsec->def_sid) { 747 rc = may_context_mount_inode_relabel(defcontext_sid, 748 sbsec, tsec); 749 if (rc) 750 goto out; 751 } 752 753 sbsec->def_sid = defcontext_sid; 754 } 755 756 rc = sb_finish_set_opts(sb); 757 out: 758 mutex_unlock(&sbsec->lock); 759 return rc; 760 out_double_mount: 761 rc = -EINVAL; 762 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 763 "security settings for (dev %s, type %s)\n", sb->s_id, name); 764 goto out; 765 } 766 767 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 768 struct super_block *newsb) 769 { 770 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 771 struct superblock_security_struct *newsbsec = newsb->s_security; 772 773 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 774 int set_context = (oldsbsec->flags & CONTEXT_MNT); 775 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 776 777 /* we can't error, we can't save the info, this shouldn't get called 778 * this early in the boot process. */ 779 BUG_ON(!ss_initialized); 780 781 /* this might go away sometime down the line if there is a new user 782 * of clone, but for now, nfs better not get here... */ 783 BUG_ON(newsbsec->initialized); 784 785 /* how can we clone if the old one wasn't set up?? */ 786 BUG_ON(!oldsbsec->initialized); 787 788 mutex_lock(&newsbsec->lock); 789 790 newsbsec->flags = oldsbsec->flags; 791 792 newsbsec->sid = oldsbsec->sid; 793 newsbsec->def_sid = oldsbsec->def_sid; 794 newsbsec->behavior = oldsbsec->behavior; 795 796 if (set_context) { 797 u32 sid = oldsbsec->mntpoint_sid; 798 799 if (!set_fscontext) 800 newsbsec->sid = sid; 801 if (!set_rootcontext) { 802 struct inode *newinode = newsb->s_root->d_inode; 803 struct inode_security_struct *newisec = newinode->i_security; 804 newisec->sid = sid; 805 } 806 newsbsec->mntpoint_sid = sid; 807 } 808 if (set_rootcontext) { 809 const struct inode *oldinode = oldsb->s_root->d_inode; 810 const struct inode_security_struct *oldisec = oldinode->i_security; 811 struct inode *newinode = newsb->s_root->d_inode; 812 struct inode_security_struct *newisec = newinode->i_security; 813 814 newisec->sid = oldisec->sid; 815 } 816 817 sb_finish_set_opts(newsb); 818 mutex_unlock(&newsbsec->lock); 819 } 820 821 /* 822 * string mount options parsing and call set the sbsec 823 */ 824 static int superblock_doinit(struct super_block *sb, void *data) 825 { 826 char *context = NULL, *defcontext = NULL; 827 char *fscontext = NULL, *rootcontext = NULL; 828 int rc = 0; 829 char *p, *options = data; 830 /* selinux only know about a fixed number of mount options */ 831 char *mnt_opts[NUM_SEL_MNT_OPTS]; 832 int mnt_opts_flags[NUM_SEL_MNT_OPTS], num_mnt_opts = 0; 833 834 if (!data) 835 goto out; 836 837 /* with the nfs patch this will become a goto out; */ 838 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) { 839 const char *name = sb->s_type->name; 840 /* NFS we understand. */ 841 if (!strcmp(name, "nfs")) { 842 struct nfs_mount_data *d = data; 843 844 if (d->version != NFS_MOUNT_VERSION) 845 goto out; 846 847 if (d->context[0]) { 848 context = kstrdup(d->context, GFP_KERNEL); 849 if (!context) { 850 rc = -ENOMEM; 851 goto out; 852 } 853 } 854 goto build_flags; 855 } else 856 goto out; 857 } 858 859 /* Standard string-based options. */ 860 while ((p = strsep(&options, "|")) != NULL) { 861 int token; 862 substring_t args[MAX_OPT_ARGS]; 863 864 if (!*p) 865 continue; 866 867 token = match_token(p, tokens, args); 868 869 switch (token) { 870 case Opt_context: 871 if (context || defcontext) { 872 rc = -EINVAL; 873 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 874 goto out_err; 875 } 876 context = match_strdup(&args[0]); 877 if (!context) { 878 rc = -ENOMEM; 879 goto out_err; 880 } 881 break; 882 883 case Opt_fscontext: 884 if (fscontext) { 885 rc = -EINVAL; 886 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 887 goto out_err; 888 } 889 fscontext = match_strdup(&args[0]); 890 if (!fscontext) { 891 rc = -ENOMEM; 892 goto out_err; 893 } 894 break; 895 896 case Opt_rootcontext: 897 if (rootcontext) { 898 rc = -EINVAL; 899 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 900 goto out_err; 901 } 902 rootcontext = match_strdup(&args[0]); 903 if (!rootcontext) { 904 rc = -ENOMEM; 905 goto out_err; 906 } 907 break; 908 909 case Opt_defcontext: 910 if (context || defcontext) { 911 rc = -EINVAL; 912 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 913 goto out_err; 914 } 915 defcontext = match_strdup(&args[0]); 916 if (!defcontext) { 917 rc = -ENOMEM; 918 goto out_err; 919 } 920 break; 921 922 default: 923 rc = -EINVAL; 924 printk(KERN_WARNING "SELinux: unknown mount option\n"); 925 goto out_err; 926 927 } 928 } 929 930 build_flags: 931 if (fscontext) { 932 mnt_opts[num_mnt_opts] = fscontext; 933 mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 934 } 935 if (context) { 936 mnt_opts[num_mnt_opts] = context; 937 mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 938 } 939 if (rootcontext) { 940 mnt_opts[num_mnt_opts] = rootcontext; 941 mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 942 } 943 if (defcontext) { 944 mnt_opts[num_mnt_opts] = defcontext; 945 mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 946 } 947 948 out: 949 rc = selinux_set_mnt_opts(sb, mnt_opts, mnt_opts_flags, num_mnt_opts); 950 out_err: 951 kfree(context); 952 kfree(defcontext); 953 kfree(fscontext); 954 kfree(rootcontext); 955 return rc; 956 } 957 958 static inline u16 inode_mode_to_security_class(umode_t mode) 959 { 960 switch (mode & S_IFMT) { 961 case S_IFSOCK: 962 return SECCLASS_SOCK_FILE; 963 case S_IFLNK: 964 return SECCLASS_LNK_FILE; 965 case S_IFREG: 966 return SECCLASS_FILE; 967 case S_IFBLK: 968 return SECCLASS_BLK_FILE; 969 case S_IFDIR: 970 return SECCLASS_DIR; 971 case S_IFCHR: 972 return SECCLASS_CHR_FILE; 973 case S_IFIFO: 974 return SECCLASS_FIFO_FILE; 975 976 } 977 978 return SECCLASS_FILE; 979 } 980 981 static inline int default_protocol_stream(int protocol) 982 { 983 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 984 } 985 986 static inline int default_protocol_dgram(int protocol) 987 { 988 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 989 } 990 991 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 992 { 993 switch (family) { 994 case PF_UNIX: 995 switch (type) { 996 case SOCK_STREAM: 997 case SOCK_SEQPACKET: 998 return SECCLASS_UNIX_STREAM_SOCKET; 999 case SOCK_DGRAM: 1000 return SECCLASS_UNIX_DGRAM_SOCKET; 1001 } 1002 break; 1003 case PF_INET: 1004 case PF_INET6: 1005 switch (type) { 1006 case SOCK_STREAM: 1007 if (default_protocol_stream(protocol)) 1008 return SECCLASS_TCP_SOCKET; 1009 else 1010 return SECCLASS_RAWIP_SOCKET; 1011 case SOCK_DGRAM: 1012 if (default_protocol_dgram(protocol)) 1013 return SECCLASS_UDP_SOCKET; 1014 else 1015 return SECCLASS_RAWIP_SOCKET; 1016 case SOCK_DCCP: 1017 return SECCLASS_DCCP_SOCKET; 1018 default: 1019 return SECCLASS_RAWIP_SOCKET; 1020 } 1021 break; 1022 case PF_NETLINK: 1023 switch (protocol) { 1024 case NETLINK_ROUTE: 1025 return SECCLASS_NETLINK_ROUTE_SOCKET; 1026 case NETLINK_FIREWALL: 1027 return SECCLASS_NETLINK_FIREWALL_SOCKET; 1028 case NETLINK_INET_DIAG: 1029 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1030 case NETLINK_NFLOG: 1031 return SECCLASS_NETLINK_NFLOG_SOCKET; 1032 case NETLINK_XFRM: 1033 return SECCLASS_NETLINK_XFRM_SOCKET; 1034 case NETLINK_SELINUX: 1035 return SECCLASS_NETLINK_SELINUX_SOCKET; 1036 case NETLINK_AUDIT: 1037 return SECCLASS_NETLINK_AUDIT_SOCKET; 1038 case NETLINK_IP6_FW: 1039 return SECCLASS_NETLINK_IP6FW_SOCKET; 1040 case NETLINK_DNRTMSG: 1041 return SECCLASS_NETLINK_DNRT_SOCKET; 1042 case NETLINK_KOBJECT_UEVENT: 1043 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1044 default: 1045 return SECCLASS_NETLINK_SOCKET; 1046 } 1047 case PF_PACKET: 1048 return SECCLASS_PACKET_SOCKET; 1049 case PF_KEY: 1050 return SECCLASS_KEY_SOCKET; 1051 case PF_APPLETALK: 1052 return SECCLASS_APPLETALK_SOCKET; 1053 } 1054 1055 return SECCLASS_SOCKET; 1056 } 1057 1058 #ifdef CONFIG_PROC_FS 1059 static int selinux_proc_get_sid(struct proc_dir_entry *de, 1060 u16 tclass, 1061 u32 *sid) 1062 { 1063 int buflen, rc; 1064 char *buffer, *path, *end; 1065 1066 buffer = (char*)__get_free_page(GFP_KERNEL); 1067 if (!buffer) 1068 return -ENOMEM; 1069 1070 buflen = PAGE_SIZE; 1071 end = buffer+buflen; 1072 *--end = '\0'; 1073 buflen--; 1074 path = end-1; 1075 *path = '/'; 1076 while (de && de != de->parent) { 1077 buflen -= de->namelen + 1; 1078 if (buflen < 0) 1079 break; 1080 end -= de->namelen; 1081 memcpy(end, de->name, de->namelen); 1082 *--end = '/'; 1083 path = end; 1084 de = de->parent; 1085 } 1086 rc = security_genfs_sid("proc", path, tclass, sid); 1087 free_page((unsigned long)buffer); 1088 return rc; 1089 } 1090 #else 1091 static int selinux_proc_get_sid(struct proc_dir_entry *de, 1092 u16 tclass, 1093 u32 *sid) 1094 { 1095 return -EINVAL; 1096 } 1097 #endif 1098 1099 /* The inode's security attributes must be initialized before first use. */ 1100 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1101 { 1102 struct superblock_security_struct *sbsec = NULL; 1103 struct inode_security_struct *isec = inode->i_security; 1104 u32 sid; 1105 struct dentry *dentry; 1106 #define INITCONTEXTLEN 255 1107 char *context = NULL; 1108 unsigned len = 0; 1109 int rc = 0; 1110 1111 if (isec->initialized) 1112 goto out; 1113 1114 mutex_lock(&isec->lock); 1115 if (isec->initialized) 1116 goto out_unlock; 1117 1118 sbsec = inode->i_sb->s_security; 1119 if (!sbsec->initialized) { 1120 /* Defer initialization until selinux_complete_init, 1121 after the initial policy is loaded and the security 1122 server is ready to handle calls. */ 1123 spin_lock(&sbsec->isec_lock); 1124 if (list_empty(&isec->list)) 1125 list_add(&isec->list, &sbsec->isec_head); 1126 spin_unlock(&sbsec->isec_lock); 1127 goto out_unlock; 1128 } 1129 1130 switch (sbsec->behavior) { 1131 case SECURITY_FS_USE_XATTR: 1132 if (!inode->i_op->getxattr) { 1133 isec->sid = sbsec->def_sid; 1134 break; 1135 } 1136 1137 /* Need a dentry, since the xattr API requires one. 1138 Life would be simpler if we could just pass the inode. */ 1139 if (opt_dentry) { 1140 /* Called from d_instantiate or d_splice_alias. */ 1141 dentry = dget(opt_dentry); 1142 } else { 1143 /* Called from selinux_complete_init, try to find a dentry. */ 1144 dentry = d_find_alias(inode); 1145 } 1146 if (!dentry) { 1147 printk(KERN_WARNING "%s: no dentry for dev=%s " 1148 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id, 1149 inode->i_ino); 1150 goto out_unlock; 1151 } 1152 1153 len = INITCONTEXTLEN; 1154 context = kmalloc(len, GFP_KERNEL); 1155 if (!context) { 1156 rc = -ENOMEM; 1157 dput(dentry); 1158 goto out_unlock; 1159 } 1160 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1161 context, len); 1162 if (rc == -ERANGE) { 1163 /* Need a larger buffer. Query for the right size. */ 1164 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1165 NULL, 0); 1166 if (rc < 0) { 1167 dput(dentry); 1168 goto out_unlock; 1169 } 1170 kfree(context); 1171 len = rc; 1172 context = kmalloc(len, GFP_KERNEL); 1173 if (!context) { 1174 rc = -ENOMEM; 1175 dput(dentry); 1176 goto out_unlock; 1177 } 1178 rc = inode->i_op->getxattr(dentry, 1179 XATTR_NAME_SELINUX, 1180 context, len); 1181 } 1182 dput(dentry); 1183 if (rc < 0) { 1184 if (rc != -ENODATA) { 1185 printk(KERN_WARNING "%s: getxattr returned " 1186 "%d for dev=%s ino=%ld\n", __FUNCTION__, 1187 -rc, inode->i_sb->s_id, inode->i_ino); 1188 kfree(context); 1189 goto out_unlock; 1190 } 1191 /* Map ENODATA to the default file SID */ 1192 sid = sbsec->def_sid; 1193 rc = 0; 1194 } else { 1195 rc = security_context_to_sid_default(context, rc, &sid, 1196 sbsec->def_sid); 1197 if (rc) { 1198 printk(KERN_WARNING "%s: context_to_sid(%s) " 1199 "returned %d for dev=%s ino=%ld\n", 1200 __FUNCTION__, context, -rc, 1201 inode->i_sb->s_id, inode->i_ino); 1202 kfree(context); 1203 /* Leave with the unlabeled SID */ 1204 rc = 0; 1205 break; 1206 } 1207 } 1208 kfree(context); 1209 isec->sid = sid; 1210 break; 1211 case SECURITY_FS_USE_TASK: 1212 isec->sid = isec->task_sid; 1213 break; 1214 case SECURITY_FS_USE_TRANS: 1215 /* Default to the fs SID. */ 1216 isec->sid = sbsec->sid; 1217 1218 /* Try to obtain a transition SID. */ 1219 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1220 rc = security_transition_sid(isec->task_sid, 1221 sbsec->sid, 1222 isec->sclass, 1223 &sid); 1224 if (rc) 1225 goto out_unlock; 1226 isec->sid = sid; 1227 break; 1228 case SECURITY_FS_USE_MNTPOINT: 1229 isec->sid = sbsec->mntpoint_sid; 1230 break; 1231 default: 1232 /* Default to the fs superblock SID. */ 1233 isec->sid = sbsec->sid; 1234 1235 if (sbsec->proc) { 1236 struct proc_inode *proci = PROC_I(inode); 1237 if (proci->pde) { 1238 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1239 rc = selinux_proc_get_sid(proci->pde, 1240 isec->sclass, 1241 &sid); 1242 if (rc) 1243 goto out_unlock; 1244 isec->sid = sid; 1245 } 1246 } 1247 break; 1248 } 1249 1250 isec->initialized = 1; 1251 1252 out_unlock: 1253 mutex_unlock(&isec->lock); 1254 out: 1255 if (isec->sclass == SECCLASS_FILE) 1256 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1257 return rc; 1258 } 1259 1260 /* Convert a Linux signal to an access vector. */ 1261 static inline u32 signal_to_av(int sig) 1262 { 1263 u32 perm = 0; 1264 1265 switch (sig) { 1266 case SIGCHLD: 1267 /* Commonly granted from child to parent. */ 1268 perm = PROCESS__SIGCHLD; 1269 break; 1270 case SIGKILL: 1271 /* Cannot be caught or ignored */ 1272 perm = PROCESS__SIGKILL; 1273 break; 1274 case SIGSTOP: 1275 /* Cannot be caught or ignored */ 1276 perm = PROCESS__SIGSTOP; 1277 break; 1278 default: 1279 /* All other signals. */ 1280 perm = PROCESS__SIGNAL; 1281 break; 1282 } 1283 1284 return perm; 1285 } 1286 1287 /* Check permission betweeen a pair of tasks, e.g. signal checks, 1288 fork check, ptrace check, etc. */ 1289 static int task_has_perm(struct task_struct *tsk1, 1290 struct task_struct *tsk2, 1291 u32 perms) 1292 { 1293 struct task_security_struct *tsec1, *tsec2; 1294 1295 tsec1 = tsk1->security; 1296 tsec2 = tsk2->security; 1297 return avc_has_perm(tsec1->sid, tsec2->sid, 1298 SECCLASS_PROCESS, perms, NULL); 1299 } 1300 1301 /* Check whether a task is allowed to use a capability. */ 1302 static int task_has_capability(struct task_struct *tsk, 1303 int cap) 1304 { 1305 struct task_security_struct *tsec; 1306 struct avc_audit_data ad; 1307 1308 tsec = tsk->security; 1309 1310 AVC_AUDIT_DATA_INIT(&ad,CAP); 1311 ad.tsk = tsk; 1312 ad.u.cap = cap; 1313 1314 return avc_has_perm(tsec->sid, tsec->sid, 1315 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad); 1316 } 1317 1318 /* Check whether a task is allowed to use a system operation. */ 1319 static int task_has_system(struct task_struct *tsk, 1320 u32 perms) 1321 { 1322 struct task_security_struct *tsec; 1323 1324 tsec = tsk->security; 1325 1326 return avc_has_perm(tsec->sid, SECINITSID_KERNEL, 1327 SECCLASS_SYSTEM, perms, NULL); 1328 } 1329 1330 /* Check whether a task has a particular permission to an inode. 1331 The 'adp' parameter is optional and allows other audit 1332 data to be passed (e.g. the dentry). */ 1333 static int inode_has_perm(struct task_struct *tsk, 1334 struct inode *inode, 1335 u32 perms, 1336 struct avc_audit_data *adp) 1337 { 1338 struct task_security_struct *tsec; 1339 struct inode_security_struct *isec; 1340 struct avc_audit_data ad; 1341 1342 if (unlikely (IS_PRIVATE (inode))) 1343 return 0; 1344 1345 tsec = tsk->security; 1346 isec = inode->i_security; 1347 1348 if (!adp) { 1349 adp = &ad; 1350 AVC_AUDIT_DATA_INIT(&ad, FS); 1351 ad.u.fs.inode = inode; 1352 } 1353 1354 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp); 1355 } 1356 1357 /* Same as inode_has_perm, but pass explicit audit data containing 1358 the dentry to help the auditing code to more easily generate the 1359 pathname if needed. */ 1360 static inline int dentry_has_perm(struct task_struct *tsk, 1361 struct vfsmount *mnt, 1362 struct dentry *dentry, 1363 u32 av) 1364 { 1365 struct inode *inode = dentry->d_inode; 1366 struct avc_audit_data ad; 1367 AVC_AUDIT_DATA_INIT(&ad,FS); 1368 ad.u.fs.mnt = mnt; 1369 ad.u.fs.dentry = dentry; 1370 return inode_has_perm(tsk, inode, av, &ad); 1371 } 1372 1373 /* Check whether a task can use an open file descriptor to 1374 access an inode in a given way. Check access to the 1375 descriptor itself, and then use dentry_has_perm to 1376 check a particular permission to the file. 1377 Access to the descriptor is implicitly granted if it 1378 has the same SID as the process. If av is zero, then 1379 access to the file is not checked, e.g. for cases 1380 where only the descriptor is affected like seek. */ 1381 static int file_has_perm(struct task_struct *tsk, 1382 struct file *file, 1383 u32 av) 1384 { 1385 struct task_security_struct *tsec = tsk->security; 1386 struct file_security_struct *fsec = file->f_security; 1387 struct vfsmount *mnt = file->f_path.mnt; 1388 struct dentry *dentry = file->f_path.dentry; 1389 struct inode *inode = dentry->d_inode; 1390 struct avc_audit_data ad; 1391 int rc; 1392 1393 AVC_AUDIT_DATA_INIT(&ad, FS); 1394 ad.u.fs.mnt = mnt; 1395 ad.u.fs.dentry = dentry; 1396 1397 if (tsec->sid != fsec->sid) { 1398 rc = avc_has_perm(tsec->sid, fsec->sid, 1399 SECCLASS_FD, 1400 FD__USE, 1401 &ad); 1402 if (rc) 1403 return rc; 1404 } 1405 1406 /* av is zero if only checking access to the descriptor. */ 1407 if (av) 1408 return inode_has_perm(tsk, inode, av, &ad); 1409 1410 return 0; 1411 } 1412 1413 /* Check whether a task can create a file. */ 1414 static int may_create(struct inode *dir, 1415 struct dentry *dentry, 1416 u16 tclass) 1417 { 1418 struct task_security_struct *tsec; 1419 struct inode_security_struct *dsec; 1420 struct superblock_security_struct *sbsec; 1421 u32 newsid; 1422 struct avc_audit_data ad; 1423 int rc; 1424 1425 tsec = current->security; 1426 dsec = dir->i_security; 1427 sbsec = dir->i_sb->s_security; 1428 1429 AVC_AUDIT_DATA_INIT(&ad, FS); 1430 ad.u.fs.dentry = dentry; 1431 1432 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, 1433 DIR__ADD_NAME | DIR__SEARCH, 1434 &ad); 1435 if (rc) 1436 return rc; 1437 1438 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 1439 newsid = tsec->create_sid; 1440 } else { 1441 rc = security_transition_sid(tsec->sid, dsec->sid, tclass, 1442 &newsid); 1443 if (rc) 1444 return rc; 1445 } 1446 1447 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad); 1448 if (rc) 1449 return rc; 1450 1451 return avc_has_perm(newsid, sbsec->sid, 1452 SECCLASS_FILESYSTEM, 1453 FILESYSTEM__ASSOCIATE, &ad); 1454 } 1455 1456 /* Check whether a task can create a key. */ 1457 static int may_create_key(u32 ksid, 1458 struct task_struct *ctx) 1459 { 1460 struct task_security_struct *tsec; 1461 1462 tsec = ctx->security; 1463 1464 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); 1465 } 1466 1467 #define MAY_LINK 0 1468 #define MAY_UNLINK 1 1469 #define MAY_RMDIR 2 1470 1471 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1472 static int may_link(struct inode *dir, 1473 struct dentry *dentry, 1474 int kind) 1475 1476 { 1477 struct task_security_struct *tsec; 1478 struct inode_security_struct *dsec, *isec; 1479 struct avc_audit_data ad; 1480 u32 av; 1481 int rc; 1482 1483 tsec = current->security; 1484 dsec = dir->i_security; 1485 isec = dentry->d_inode->i_security; 1486 1487 AVC_AUDIT_DATA_INIT(&ad, FS); 1488 ad.u.fs.dentry = dentry; 1489 1490 av = DIR__SEARCH; 1491 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1492 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad); 1493 if (rc) 1494 return rc; 1495 1496 switch (kind) { 1497 case MAY_LINK: 1498 av = FILE__LINK; 1499 break; 1500 case MAY_UNLINK: 1501 av = FILE__UNLINK; 1502 break; 1503 case MAY_RMDIR: 1504 av = DIR__RMDIR; 1505 break; 1506 default: 1507 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind); 1508 return 0; 1509 } 1510 1511 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad); 1512 return rc; 1513 } 1514 1515 static inline int may_rename(struct inode *old_dir, 1516 struct dentry *old_dentry, 1517 struct inode *new_dir, 1518 struct dentry *new_dentry) 1519 { 1520 struct task_security_struct *tsec; 1521 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1522 struct avc_audit_data ad; 1523 u32 av; 1524 int old_is_dir, new_is_dir; 1525 int rc; 1526 1527 tsec = current->security; 1528 old_dsec = old_dir->i_security; 1529 old_isec = old_dentry->d_inode->i_security; 1530 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); 1531 new_dsec = new_dir->i_security; 1532 1533 AVC_AUDIT_DATA_INIT(&ad, FS); 1534 1535 ad.u.fs.dentry = old_dentry; 1536 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR, 1537 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1538 if (rc) 1539 return rc; 1540 rc = avc_has_perm(tsec->sid, old_isec->sid, 1541 old_isec->sclass, FILE__RENAME, &ad); 1542 if (rc) 1543 return rc; 1544 if (old_is_dir && new_dir != old_dir) { 1545 rc = avc_has_perm(tsec->sid, old_isec->sid, 1546 old_isec->sclass, DIR__REPARENT, &ad); 1547 if (rc) 1548 return rc; 1549 } 1550 1551 ad.u.fs.dentry = new_dentry; 1552 av = DIR__ADD_NAME | DIR__SEARCH; 1553 if (new_dentry->d_inode) 1554 av |= DIR__REMOVE_NAME; 1555 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1556 if (rc) 1557 return rc; 1558 if (new_dentry->d_inode) { 1559 new_isec = new_dentry->d_inode->i_security; 1560 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode); 1561 rc = avc_has_perm(tsec->sid, new_isec->sid, 1562 new_isec->sclass, 1563 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1564 if (rc) 1565 return rc; 1566 } 1567 1568 return 0; 1569 } 1570 1571 /* Check whether a task can perform a filesystem operation. */ 1572 static int superblock_has_perm(struct task_struct *tsk, 1573 struct super_block *sb, 1574 u32 perms, 1575 struct avc_audit_data *ad) 1576 { 1577 struct task_security_struct *tsec; 1578 struct superblock_security_struct *sbsec; 1579 1580 tsec = tsk->security; 1581 sbsec = sb->s_security; 1582 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 1583 perms, ad); 1584 } 1585 1586 /* Convert a Linux mode and permission mask to an access vector. */ 1587 static inline u32 file_mask_to_av(int mode, int mask) 1588 { 1589 u32 av = 0; 1590 1591 if ((mode & S_IFMT) != S_IFDIR) { 1592 if (mask & MAY_EXEC) 1593 av |= FILE__EXECUTE; 1594 if (mask & MAY_READ) 1595 av |= FILE__READ; 1596 1597 if (mask & MAY_APPEND) 1598 av |= FILE__APPEND; 1599 else if (mask & MAY_WRITE) 1600 av |= FILE__WRITE; 1601 1602 } else { 1603 if (mask & MAY_EXEC) 1604 av |= DIR__SEARCH; 1605 if (mask & MAY_WRITE) 1606 av |= DIR__WRITE; 1607 if (mask & MAY_READ) 1608 av |= DIR__READ; 1609 } 1610 1611 return av; 1612 } 1613 1614 /* Convert a Linux file to an access vector. */ 1615 static inline u32 file_to_av(struct file *file) 1616 { 1617 u32 av = 0; 1618 1619 if (file->f_mode & FMODE_READ) 1620 av |= FILE__READ; 1621 if (file->f_mode & FMODE_WRITE) { 1622 if (file->f_flags & O_APPEND) 1623 av |= FILE__APPEND; 1624 else 1625 av |= FILE__WRITE; 1626 } 1627 1628 return av; 1629 } 1630 1631 /* Hook functions begin here. */ 1632 1633 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) 1634 { 1635 struct task_security_struct *psec = parent->security; 1636 struct task_security_struct *csec = child->security; 1637 int rc; 1638 1639 rc = secondary_ops->ptrace(parent,child); 1640 if (rc) 1641 return rc; 1642 1643 rc = task_has_perm(parent, child, PROCESS__PTRACE); 1644 /* Save the SID of the tracing process for later use in apply_creds. */ 1645 if (!(child->ptrace & PT_PTRACED) && !rc) 1646 csec->ptrace_sid = psec->sid; 1647 return rc; 1648 } 1649 1650 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 1651 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1652 { 1653 int error; 1654 1655 error = task_has_perm(current, target, PROCESS__GETCAP); 1656 if (error) 1657 return error; 1658 1659 return secondary_ops->capget(target, effective, inheritable, permitted); 1660 } 1661 1662 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, 1663 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1664 { 1665 int error; 1666 1667 error = secondary_ops->capset_check(target, effective, inheritable, permitted); 1668 if (error) 1669 return error; 1670 1671 return task_has_perm(current, target, PROCESS__SETCAP); 1672 } 1673 1674 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, 1675 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1676 { 1677 secondary_ops->capset_set(target, effective, inheritable, permitted); 1678 } 1679 1680 static int selinux_capable(struct task_struct *tsk, int cap) 1681 { 1682 int rc; 1683 1684 rc = secondary_ops->capable(tsk, cap); 1685 if (rc) 1686 return rc; 1687 1688 return task_has_capability(tsk,cap); 1689 } 1690 1691 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) 1692 { 1693 int buflen, rc; 1694 char *buffer, *path, *end; 1695 1696 rc = -ENOMEM; 1697 buffer = (char*)__get_free_page(GFP_KERNEL); 1698 if (!buffer) 1699 goto out; 1700 1701 buflen = PAGE_SIZE; 1702 end = buffer+buflen; 1703 *--end = '\0'; 1704 buflen--; 1705 path = end-1; 1706 *path = '/'; 1707 while (table) { 1708 const char *name = table->procname; 1709 size_t namelen = strlen(name); 1710 buflen -= namelen + 1; 1711 if (buflen < 0) 1712 goto out_free; 1713 end -= namelen; 1714 memcpy(end, name, namelen); 1715 *--end = '/'; 1716 path = end; 1717 table = table->parent; 1718 } 1719 buflen -= 4; 1720 if (buflen < 0) 1721 goto out_free; 1722 end -= 4; 1723 memcpy(end, "/sys", 4); 1724 path = end; 1725 rc = security_genfs_sid("proc", path, tclass, sid); 1726 out_free: 1727 free_page((unsigned long)buffer); 1728 out: 1729 return rc; 1730 } 1731 1732 static int selinux_sysctl(ctl_table *table, int op) 1733 { 1734 int error = 0; 1735 u32 av; 1736 struct task_security_struct *tsec; 1737 u32 tsid; 1738 int rc; 1739 1740 rc = secondary_ops->sysctl(table, op); 1741 if (rc) 1742 return rc; 1743 1744 tsec = current->security; 1745 1746 rc = selinux_sysctl_get_sid(table, (op == 0001) ? 1747 SECCLASS_DIR : SECCLASS_FILE, &tsid); 1748 if (rc) { 1749 /* Default to the well-defined sysctl SID. */ 1750 tsid = SECINITSID_SYSCTL; 1751 } 1752 1753 /* The op values are "defined" in sysctl.c, thereby creating 1754 * a bad coupling between this module and sysctl.c */ 1755 if(op == 001) { 1756 error = avc_has_perm(tsec->sid, tsid, 1757 SECCLASS_DIR, DIR__SEARCH, NULL); 1758 } else { 1759 av = 0; 1760 if (op & 004) 1761 av |= FILE__READ; 1762 if (op & 002) 1763 av |= FILE__WRITE; 1764 if (av) 1765 error = avc_has_perm(tsec->sid, tsid, 1766 SECCLASS_FILE, av, NULL); 1767 } 1768 1769 return error; 1770 } 1771 1772 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 1773 { 1774 int rc = 0; 1775 1776 if (!sb) 1777 return 0; 1778 1779 switch (cmds) { 1780 case Q_SYNC: 1781 case Q_QUOTAON: 1782 case Q_QUOTAOFF: 1783 case Q_SETINFO: 1784 case Q_SETQUOTA: 1785 rc = superblock_has_perm(current, 1786 sb, 1787 FILESYSTEM__QUOTAMOD, NULL); 1788 break; 1789 case Q_GETFMT: 1790 case Q_GETINFO: 1791 case Q_GETQUOTA: 1792 rc = superblock_has_perm(current, 1793 sb, 1794 FILESYSTEM__QUOTAGET, NULL); 1795 break; 1796 default: 1797 rc = 0; /* let the kernel handle invalid cmds */ 1798 break; 1799 } 1800 return rc; 1801 } 1802 1803 static int selinux_quota_on(struct dentry *dentry) 1804 { 1805 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON); 1806 } 1807 1808 static int selinux_syslog(int type) 1809 { 1810 int rc; 1811 1812 rc = secondary_ops->syslog(type); 1813 if (rc) 1814 return rc; 1815 1816 switch (type) { 1817 case 3: /* Read last kernel messages */ 1818 case 10: /* Return size of the log buffer */ 1819 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 1820 break; 1821 case 6: /* Disable logging to console */ 1822 case 7: /* Enable logging to console */ 1823 case 8: /* Set level of messages printed to console */ 1824 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); 1825 break; 1826 case 0: /* Close log */ 1827 case 1: /* Open log */ 1828 case 2: /* Read from log */ 1829 case 4: /* Read/clear last kernel messages */ 1830 case 5: /* Clear ring buffer */ 1831 default: 1832 rc = task_has_system(current, SYSTEM__SYSLOG_MOD); 1833 break; 1834 } 1835 return rc; 1836 } 1837 1838 /* 1839 * Check that a process has enough memory to allocate a new virtual 1840 * mapping. 0 means there is enough memory for the allocation to 1841 * succeed and -ENOMEM implies there is not. 1842 * 1843 * Note that secondary_ops->capable and task_has_perm_noaudit return 0 1844 * if the capability is granted, but __vm_enough_memory requires 1 if 1845 * the capability is granted. 1846 * 1847 * Do not audit the selinux permission check, as this is applied to all 1848 * processes that allocate mappings. 1849 */ 1850 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 1851 { 1852 int rc, cap_sys_admin = 0; 1853 struct task_security_struct *tsec = current->security; 1854 1855 rc = secondary_ops->capable(current, CAP_SYS_ADMIN); 1856 if (rc == 0) 1857 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid, 1858 SECCLASS_CAPABILITY, 1859 CAP_TO_MASK(CAP_SYS_ADMIN), 1860 0, 1861 NULL); 1862 1863 if (rc == 0) 1864 cap_sys_admin = 1; 1865 1866 return __vm_enough_memory(mm, pages, cap_sys_admin); 1867 } 1868 1869 /* binprm security operations */ 1870 1871 static int selinux_bprm_alloc_security(struct linux_binprm *bprm) 1872 { 1873 struct bprm_security_struct *bsec; 1874 1875 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL); 1876 if (!bsec) 1877 return -ENOMEM; 1878 1879 bsec->bprm = bprm; 1880 bsec->sid = SECINITSID_UNLABELED; 1881 bsec->set = 0; 1882 1883 bprm->security = bsec; 1884 return 0; 1885 } 1886 1887 static int selinux_bprm_set_security(struct linux_binprm *bprm) 1888 { 1889 struct task_security_struct *tsec; 1890 struct inode *inode = bprm->file->f_path.dentry->d_inode; 1891 struct inode_security_struct *isec; 1892 struct bprm_security_struct *bsec; 1893 u32 newsid; 1894 struct avc_audit_data ad; 1895 int rc; 1896 1897 rc = secondary_ops->bprm_set_security(bprm); 1898 if (rc) 1899 return rc; 1900 1901 bsec = bprm->security; 1902 1903 if (bsec->set) 1904 return 0; 1905 1906 tsec = current->security; 1907 isec = inode->i_security; 1908 1909 /* Default to the current task SID. */ 1910 bsec->sid = tsec->sid; 1911 1912 /* Reset fs, key, and sock SIDs on execve. */ 1913 tsec->create_sid = 0; 1914 tsec->keycreate_sid = 0; 1915 tsec->sockcreate_sid = 0; 1916 1917 if (tsec->exec_sid) { 1918 newsid = tsec->exec_sid; 1919 /* Reset exec SID on execve. */ 1920 tsec->exec_sid = 0; 1921 } else { 1922 /* Check for a default transition on this program. */ 1923 rc = security_transition_sid(tsec->sid, isec->sid, 1924 SECCLASS_PROCESS, &newsid); 1925 if (rc) 1926 return rc; 1927 } 1928 1929 AVC_AUDIT_DATA_INIT(&ad, FS); 1930 ad.u.fs.mnt = bprm->file->f_path.mnt; 1931 ad.u.fs.dentry = bprm->file->f_path.dentry; 1932 1933 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) 1934 newsid = tsec->sid; 1935 1936 if (tsec->sid == newsid) { 1937 rc = avc_has_perm(tsec->sid, isec->sid, 1938 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 1939 if (rc) 1940 return rc; 1941 } else { 1942 /* Check permissions for the transition. */ 1943 rc = avc_has_perm(tsec->sid, newsid, 1944 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 1945 if (rc) 1946 return rc; 1947 1948 rc = avc_has_perm(newsid, isec->sid, 1949 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 1950 if (rc) 1951 return rc; 1952 1953 /* Clear any possibly unsafe personality bits on exec: */ 1954 current->personality &= ~PER_CLEAR_ON_SETID; 1955 1956 /* Set the security field to the new SID. */ 1957 bsec->sid = newsid; 1958 } 1959 1960 bsec->set = 1; 1961 return 0; 1962 } 1963 1964 static int selinux_bprm_check_security (struct linux_binprm *bprm) 1965 { 1966 return secondary_ops->bprm_check_security(bprm); 1967 } 1968 1969 1970 static int selinux_bprm_secureexec (struct linux_binprm *bprm) 1971 { 1972 struct task_security_struct *tsec = current->security; 1973 int atsecure = 0; 1974 1975 if (tsec->osid != tsec->sid) { 1976 /* Enable secure mode for SIDs transitions unless 1977 the noatsecure permission is granted between 1978 the two SIDs, i.e. ahp returns 0. */ 1979 atsecure = avc_has_perm(tsec->osid, tsec->sid, 1980 SECCLASS_PROCESS, 1981 PROCESS__NOATSECURE, NULL); 1982 } 1983 1984 return (atsecure || secondary_ops->bprm_secureexec(bprm)); 1985 } 1986 1987 static void selinux_bprm_free_security(struct linux_binprm *bprm) 1988 { 1989 kfree(bprm->security); 1990 bprm->security = NULL; 1991 } 1992 1993 extern struct vfsmount *selinuxfs_mount; 1994 extern struct dentry *selinux_null; 1995 1996 /* Derived from fs/exec.c:flush_old_files. */ 1997 static inline void flush_unauthorized_files(struct files_struct * files) 1998 { 1999 struct avc_audit_data ad; 2000 struct file *file, *devnull = NULL; 2001 struct tty_struct *tty; 2002 struct fdtable *fdt; 2003 long j = -1; 2004 int drop_tty = 0; 2005 2006 mutex_lock(&tty_mutex); 2007 tty = get_current_tty(); 2008 if (tty) { 2009 file_list_lock(); 2010 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list); 2011 if (file) { 2012 /* Revalidate access to controlling tty. 2013 Use inode_has_perm on the tty inode directly rather 2014 than using file_has_perm, as this particular open 2015 file may belong to another process and we are only 2016 interested in the inode-based check here. */ 2017 struct inode *inode = file->f_path.dentry->d_inode; 2018 if (inode_has_perm(current, inode, 2019 FILE__READ | FILE__WRITE, NULL)) { 2020 drop_tty = 1; 2021 } 2022 } 2023 file_list_unlock(); 2024 } 2025 mutex_unlock(&tty_mutex); 2026 /* Reset controlling tty. */ 2027 if (drop_tty) 2028 no_tty(); 2029 2030 /* Revalidate access to inherited open files. */ 2031 2032 AVC_AUDIT_DATA_INIT(&ad,FS); 2033 2034 spin_lock(&files->file_lock); 2035 for (;;) { 2036 unsigned long set, i; 2037 int fd; 2038 2039 j++; 2040 i = j * __NFDBITS; 2041 fdt = files_fdtable(files); 2042 if (i >= fdt->max_fds) 2043 break; 2044 set = fdt->open_fds->fds_bits[j]; 2045 if (!set) 2046 continue; 2047 spin_unlock(&files->file_lock); 2048 for ( ; set ; i++,set >>= 1) { 2049 if (set & 1) { 2050 file = fget(i); 2051 if (!file) 2052 continue; 2053 if (file_has_perm(current, 2054 file, 2055 file_to_av(file))) { 2056 sys_close(i); 2057 fd = get_unused_fd(); 2058 if (fd != i) { 2059 if (fd >= 0) 2060 put_unused_fd(fd); 2061 fput(file); 2062 continue; 2063 } 2064 if (devnull) { 2065 get_file(devnull); 2066 } else { 2067 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR); 2068 if (IS_ERR(devnull)) { 2069 devnull = NULL; 2070 put_unused_fd(fd); 2071 fput(file); 2072 continue; 2073 } 2074 } 2075 fd_install(fd, devnull); 2076 } 2077 fput(file); 2078 } 2079 } 2080 spin_lock(&files->file_lock); 2081 2082 } 2083 spin_unlock(&files->file_lock); 2084 } 2085 2086 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) 2087 { 2088 struct task_security_struct *tsec; 2089 struct bprm_security_struct *bsec; 2090 u32 sid; 2091 int rc; 2092 2093 secondary_ops->bprm_apply_creds(bprm, unsafe); 2094 2095 tsec = current->security; 2096 2097 bsec = bprm->security; 2098 sid = bsec->sid; 2099 2100 tsec->osid = tsec->sid; 2101 bsec->unsafe = 0; 2102 if (tsec->sid != sid) { 2103 /* Check for shared state. If not ok, leave SID 2104 unchanged and kill. */ 2105 if (unsafe & LSM_UNSAFE_SHARE) { 2106 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 2107 PROCESS__SHARE, NULL); 2108 if (rc) { 2109 bsec->unsafe = 1; 2110 return; 2111 } 2112 } 2113 2114 /* Check for ptracing, and update the task SID if ok. 2115 Otherwise, leave SID unchanged and kill. */ 2116 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 2117 rc = avc_has_perm(tsec->ptrace_sid, sid, 2118 SECCLASS_PROCESS, PROCESS__PTRACE, 2119 NULL); 2120 if (rc) { 2121 bsec->unsafe = 1; 2122 return; 2123 } 2124 } 2125 tsec->sid = sid; 2126 } 2127 } 2128 2129 /* 2130 * called after apply_creds without the task lock held 2131 */ 2132 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) 2133 { 2134 struct task_security_struct *tsec; 2135 struct rlimit *rlim, *initrlim; 2136 struct itimerval itimer; 2137 struct bprm_security_struct *bsec; 2138 int rc, i; 2139 2140 tsec = current->security; 2141 bsec = bprm->security; 2142 2143 if (bsec->unsafe) { 2144 force_sig_specific(SIGKILL, current); 2145 return; 2146 } 2147 if (tsec->osid == tsec->sid) 2148 return; 2149 2150 /* Close files for which the new task SID is not authorized. */ 2151 flush_unauthorized_files(current->files); 2152 2153 /* Check whether the new SID can inherit signal state 2154 from the old SID. If not, clear itimers to avoid 2155 subsequent signal generation and flush and unblock 2156 signals. This must occur _after_ the task SID has 2157 been updated so that any kill done after the flush 2158 will be checked against the new SID. */ 2159 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, 2160 PROCESS__SIGINH, NULL); 2161 if (rc) { 2162 memset(&itimer, 0, sizeof itimer); 2163 for (i = 0; i < 3; i++) 2164 do_setitimer(i, &itimer, NULL); 2165 flush_signals(current); 2166 spin_lock_irq(¤t->sighand->siglock); 2167 flush_signal_handlers(current, 1); 2168 sigemptyset(¤t->blocked); 2169 recalc_sigpending(); 2170 spin_unlock_irq(¤t->sighand->siglock); 2171 } 2172 2173 /* Always clear parent death signal on SID transitions. */ 2174 current->pdeath_signal = 0; 2175 2176 /* Check whether the new SID can inherit resource limits 2177 from the old SID. If not, reset all soft limits to 2178 the lower of the current task's hard limit and the init 2179 task's soft limit. Note that the setting of hard limits 2180 (even to lower them) can be controlled by the setrlimit 2181 check. The inclusion of the init task's soft limit into 2182 the computation is to avoid resetting soft limits higher 2183 than the default soft limit for cases where the default 2184 is lower than the hard limit, e.g. RLIMIT_CORE or 2185 RLIMIT_STACK.*/ 2186 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, 2187 PROCESS__RLIMITINH, NULL); 2188 if (rc) { 2189 for (i = 0; i < RLIM_NLIMITS; i++) { 2190 rlim = current->signal->rlim + i; 2191 initrlim = init_task.signal->rlim+i; 2192 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur); 2193 } 2194 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) { 2195 /* 2196 * This will cause RLIMIT_CPU calculations 2197 * to be refigured. 2198 */ 2199 current->it_prof_expires = jiffies_to_cputime(1); 2200 } 2201 } 2202 2203 /* Wake up the parent if it is waiting so that it can 2204 recheck wait permission to the new task SID. */ 2205 wake_up_interruptible(¤t->parent->signal->wait_chldexit); 2206 } 2207 2208 /* superblock security operations */ 2209 2210 static int selinux_sb_alloc_security(struct super_block *sb) 2211 { 2212 return superblock_alloc_security(sb); 2213 } 2214 2215 static void selinux_sb_free_security(struct super_block *sb) 2216 { 2217 superblock_free_security(sb); 2218 } 2219 2220 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2221 { 2222 if (plen > olen) 2223 return 0; 2224 2225 return !memcmp(prefix, option, plen); 2226 } 2227 2228 static inline int selinux_option(char *option, int len) 2229 { 2230 return (match_prefix("context=", sizeof("context=")-1, option, len) || 2231 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) || 2232 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) || 2233 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len)); 2234 } 2235 2236 static inline void take_option(char **to, char *from, int *first, int len) 2237 { 2238 if (!*first) { 2239 **to = ','; 2240 *to += 1; 2241 } else 2242 *first = 0; 2243 memcpy(*to, from, len); 2244 *to += len; 2245 } 2246 2247 static inline void take_selinux_option(char **to, char *from, int *first, 2248 int len) 2249 { 2250 int current_size = 0; 2251 2252 if (!*first) { 2253 **to = '|'; 2254 *to += 1; 2255 } 2256 else 2257 *first = 0; 2258 2259 while (current_size < len) { 2260 if (*from != '"') { 2261 **to = *from; 2262 *to += 1; 2263 } 2264 from += 1; 2265 current_size += 1; 2266 } 2267 } 2268 2269 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy) 2270 { 2271 int fnosec, fsec, rc = 0; 2272 char *in_save, *in_curr, *in_end; 2273 char *sec_curr, *nosec_save, *nosec; 2274 int open_quote = 0; 2275 2276 in_curr = orig; 2277 sec_curr = copy; 2278 2279 /* Binary mount data: just copy */ 2280 if (type->fs_flags & FS_BINARY_MOUNTDATA) { 2281 copy_page(sec_curr, in_curr); 2282 goto out; 2283 } 2284 2285 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2286 if (!nosec) { 2287 rc = -ENOMEM; 2288 goto out; 2289 } 2290 2291 nosec_save = nosec; 2292 fnosec = fsec = 1; 2293 in_save = in_end = orig; 2294 2295 do { 2296 if (*in_end == '"') 2297 open_quote = !open_quote; 2298 if ((*in_end == ',' && open_quote == 0) || 2299 *in_end == '\0') { 2300 int len = in_end - in_curr; 2301 2302 if (selinux_option(in_curr, len)) 2303 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2304 else 2305 take_option(&nosec, in_curr, &fnosec, len); 2306 2307 in_curr = in_end + 1; 2308 } 2309 } while (*in_end++); 2310 2311 strcpy(in_save, nosec_save); 2312 free_page((unsigned long)nosec_save); 2313 out: 2314 return rc; 2315 } 2316 2317 static int selinux_sb_kern_mount(struct super_block *sb, void *data) 2318 { 2319 struct avc_audit_data ad; 2320 int rc; 2321 2322 rc = superblock_doinit(sb, data); 2323 if (rc) 2324 return rc; 2325 2326 AVC_AUDIT_DATA_INIT(&ad,FS); 2327 ad.u.fs.dentry = sb->s_root; 2328 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); 2329 } 2330 2331 static int selinux_sb_statfs(struct dentry *dentry) 2332 { 2333 struct avc_audit_data ad; 2334 2335 AVC_AUDIT_DATA_INIT(&ad,FS); 2336 ad.u.fs.dentry = dentry->d_sb->s_root; 2337 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2338 } 2339 2340 static int selinux_mount(char * dev_name, 2341 struct nameidata *nd, 2342 char * type, 2343 unsigned long flags, 2344 void * data) 2345 { 2346 int rc; 2347 2348 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data); 2349 if (rc) 2350 return rc; 2351 2352 if (flags & MS_REMOUNT) 2353 return superblock_has_perm(current, nd->mnt->mnt_sb, 2354 FILESYSTEM__REMOUNT, NULL); 2355 else 2356 return dentry_has_perm(current, nd->mnt, nd->dentry, 2357 FILE__MOUNTON); 2358 } 2359 2360 static int selinux_umount(struct vfsmount *mnt, int flags) 2361 { 2362 int rc; 2363 2364 rc = secondary_ops->sb_umount(mnt, flags); 2365 if (rc) 2366 return rc; 2367 2368 return superblock_has_perm(current,mnt->mnt_sb, 2369 FILESYSTEM__UNMOUNT,NULL); 2370 } 2371 2372 /* inode security operations */ 2373 2374 static int selinux_inode_alloc_security(struct inode *inode) 2375 { 2376 return inode_alloc_security(inode); 2377 } 2378 2379 static void selinux_inode_free_security(struct inode *inode) 2380 { 2381 inode_free_security(inode); 2382 } 2383 2384 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2385 char **name, void **value, 2386 size_t *len) 2387 { 2388 struct task_security_struct *tsec; 2389 struct inode_security_struct *dsec; 2390 struct superblock_security_struct *sbsec; 2391 u32 newsid, clen; 2392 int rc; 2393 char *namep = NULL, *context; 2394 2395 tsec = current->security; 2396 dsec = dir->i_security; 2397 sbsec = dir->i_sb->s_security; 2398 2399 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 2400 newsid = tsec->create_sid; 2401 } else { 2402 rc = security_transition_sid(tsec->sid, dsec->sid, 2403 inode_mode_to_security_class(inode->i_mode), 2404 &newsid); 2405 if (rc) { 2406 printk(KERN_WARNING "%s: " 2407 "security_transition_sid failed, rc=%d (dev=%s " 2408 "ino=%ld)\n", 2409 __FUNCTION__, 2410 -rc, inode->i_sb->s_id, inode->i_ino); 2411 return rc; 2412 } 2413 } 2414 2415 /* Possibly defer initialization to selinux_complete_init. */ 2416 if (sbsec->initialized) { 2417 struct inode_security_struct *isec = inode->i_security; 2418 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2419 isec->sid = newsid; 2420 isec->initialized = 1; 2421 } 2422 2423 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 2424 return -EOPNOTSUPP; 2425 2426 if (name) { 2427 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL); 2428 if (!namep) 2429 return -ENOMEM; 2430 *name = namep; 2431 } 2432 2433 if (value && len) { 2434 rc = security_sid_to_context(newsid, &context, &clen); 2435 if (rc) { 2436 kfree(namep); 2437 return rc; 2438 } 2439 *value = context; 2440 *len = clen; 2441 } 2442 2443 return 0; 2444 } 2445 2446 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask) 2447 { 2448 return may_create(dir, dentry, SECCLASS_FILE); 2449 } 2450 2451 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2452 { 2453 int rc; 2454 2455 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry); 2456 if (rc) 2457 return rc; 2458 return may_link(dir, old_dentry, MAY_LINK); 2459 } 2460 2461 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2462 { 2463 int rc; 2464 2465 rc = secondary_ops->inode_unlink(dir, dentry); 2466 if (rc) 2467 return rc; 2468 return may_link(dir, dentry, MAY_UNLINK); 2469 } 2470 2471 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2472 { 2473 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2474 } 2475 2476 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask) 2477 { 2478 return may_create(dir, dentry, SECCLASS_DIR); 2479 } 2480 2481 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2482 { 2483 return may_link(dir, dentry, MAY_RMDIR); 2484 } 2485 2486 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) 2487 { 2488 int rc; 2489 2490 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev); 2491 if (rc) 2492 return rc; 2493 2494 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2495 } 2496 2497 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2498 struct inode *new_inode, struct dentry *new_dentry) 2499 { 2500 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2501 } 2502 2503 static int selinux_inode_readlink(struct dentry *dentry) 2504 { 2505 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2506 } 2507 2508 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) 2509 { 2510 int rc; 2511 2512 rc = secondary_ops->inode_follow_link(dentry,nameidata); 2513 if (rc) 2514 return rc; 2515 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2516 } 2517 2518 static int selinux_inode_permission(struct inode *inode, int mask, 2519 struct nameidata *nd) 2520 { 2521 int rc; 2522 2523 rc = secondary_ops->inode_permission(inode, mask, nd); 2524 if (rc) 2525 return rc; 2526 2527 if (!mask) { 2528 /* No permission to check. Existence test. */ 2529 return 0; 2530 } 2531 2532 return inode_has_perm(current, inode, 2533 file_mask_to_av(inode->i_mode, mask), NULL); 2534 } 2535 2536 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2537 { 2538 int rc; 2539 2540 rc = secondary_ops->inode_setattr(dentry, iattr); 2541 if (rc) 2542 return rc; 2543 2544 if (iattr->ia_valid & ATTR_FORCE) 2545 return 0; 2546 2547 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 2548 ATTR_ATIME_SET | ATTR_MTIME_SET)) 2549 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2550 2551 return dentry_has_perm(current, NULL, dentry, FILE__WRITE); 2552 } 2553 2554 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 2555 { 2556 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR); 2557 } 2558 2559 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name) 2560 { 2561 if (!strncmp(name, XATTR_SECURITY_PREFIX, 2562 sizeof XATTR_SECURITY_PREFIX - 1)) { 2563 if (!strcmp(name, XATTR_NAME_CAPS)) { 2564 if (!capable(CAP_SETFCAP)) 2565 return -EPERM; 2566 } else if (!capable(CAP_SYS_ADMIN)) { 2567 /* A different attribute in the security namespace. 2568 Restrict to administrator. */ 2569 return -EPERM; 2570 } 2571 } 2572 2573 /* Not an attribute we recognize, so just check the 2574 ordinary setattr permission. */ 2575 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2576 } 2577 2578 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags) 2579 { 2580 struct task_security_struct *tsec = current->security; 2581 struct inode *inode = dentry->d_inode; 2582 struct inode_security_struct *isec = inode->i_security; 2583 struct superblock_security_struct *sbsec; 2584 struct avc_audit_data ad; 2585 u32 newsid; 2586 int rc = 0; 2587 2588 if (strcmp(name, XATTR_NAME_SELINUX)) 2589 return selinux_inode_setotherxattr(dentry, name); 2590 2591 sbsec = inode->i_sb->s_security; 2592 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 2593 return -EOPNOTSUPP; 2594 2595 if (!is_owner_or_cap(inode)) 2596 return -EPERM; 2597 2598 AVC_AUDIT_DATA_INIT(&ad,FS); 2599 ad.u.fs.dentry = dentry; 2600 2601 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, 2602 FILE__RELABELFROM, &ad); 2603 if (rc) 2604 return rc; 2605 2606 rc = security_context_to_sid(value, size, &newsid); 2607 if (rc) 2608 return rc; 2609 2610 rc = avc_has_perm(tsec->sid, newsid, isec->sclass, 2611 FILE__RELABELTO, &ad); 2612 if (rc) 2613 return rc; 2614 2615 rc = security_validate_transition(isec->sid, newsid, tsec->sid, 2616 isec->sclass); 2617 if (rc) 2618 return rc; 2619 2620 return avc_has_perm(newsid, 2621 sbsec->sid, 2622 SECCLASS_FILESYSTEM, 2623 FILESYSTEM__ASSOCIATE, 2624 &ad); 2625 } 2626 2627 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, 2628 void *value, size_t size, int flags) 2629 { 2630 struct inode *inode = dentry->d_inode; 2631 struct inode_security_struct *isec = inode->i_security; 2632 u32 newsid; 2633 int rc; 2634 2635 if (strcmp(name, XATTR_NAME_SELINUX)) { 2636 /* Not an attribute we recognize, so nothing to do. */ 2637 return; 2638 } 2639 2640 rc = security_context_to_sid(value, size, &newsid); 2641 if (rc) { 2642 printk(KERN_WARNING "%s: unable to obtain SID for context " 2643 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc); 2644 return; 2645 } 2646 2647 isec->sid = newsid; 2648 return; 2649 } 2650 2651 static int selinux_inode_getxattr (struct dentry *dentry, char *name) 2652 { 2653 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2654 } 2655 2656 static int selinux_inode_listxattr (struct dentry *dentry) 2657 { 2658 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2659 } 2660 2661 static int selinux_inode_removexattr (struct dentry *dentry, char *name) 2662 { 2663 if (strcmp(name, XATTR_NAME_SELINUX)) 2664 return selinux_inode_setotherxattr(dentry, name); 2665 2666 /* No one is allowed to remove a SELinux security label. 2667 You can change the label, but all data must be labeled. */ 2668 return -EACCES; 2669 } 2670 2671 /* 2672 * Copy the in-core inode security context value to the user. If the 2673 * getxattr() prior to this succeeded, check to see if we need to 2674 * canonicalize the value to be finally returned to the user. 2675 * 2676 * Permission check is handled by selinux_inode_getxattr hook. 2677 */ 2678 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err) 2679 { 2680 struct inode_security_struct *isec = inode->i_security; 2681 2682 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2683 return -EOPNOTSUPP; 2684 2685 return selinux_getsecurity(isec->sid, buffer, size); 2686 } 2687 2688 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 2689 const void *value, size_t size, int flags) 2690 { 2691 struct inode_security_struct *isec = inode->i_security; 2692 u32 newsid; 2693 int rc; 2694 2695 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2696 return -EOPNOTSUPP; 2697 2698 if (!value || !size) 2699 return -EACCES; 2700 2701 rc = security_context_to_sid((void*)value, size, &newsid); 2702 if (rc) 2703 return rc; 2704 2705 isec->sid = newsid; 2706 return 0; 2707 } 2708 2709 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 2710 { 2711 const int len = sizeof(XATTR_NAME_SELINUX); 2712 if (buffer && len <= buffer_size) 2713 memcpy(buffer, XATTR_NAME_SELINUX, len); 2714 return len; 2715 } 2716 2717 static int selinux_inode_need_killpriv(struct dentry *dentry) 2718 { 2719 return secondary_ops->inode_need_killpriv(dentry); 2720 } 2721 2722 static int selinux_inode_killpriv(struct dentry *dentry) 2723 { 2724 return secondary_ops->inode_killpriv(dentry); 2725 } 2726 2727 /* file security operations */ 2728 2729 static int selinux_revalidate_file_permission(struct file *file, int mask) 2730 { 2731 int rc; 2732 struct inode *inode = file->f_path.dentry->d_inode; 2733 2734 if (!mask) { 2735 /* No permission to check. Existence test. */ 2736 return 0; 2737 } 2738 2739 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 2740 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 2741 mask |= MAY_APPEND; 2742 2743 rc = file_has_perm(current, file, 2744 file_mask_to_av(inode->i_mode, mask)); 2745 if (rc) 2746 return rc; 2747 2748 return selinux_netlbl_inode_permission(inode, mask); 2749 } 2750 2751 static int selinux_file_permission(struct file *file, int mask) 2752 { 2753 struct inode *inode = file->f_path.dentry->d_inode; 2754 struct task_security_struct *tsec = current->security; 2755 struct file_security_struct *fsec = file->f_security; 2756 struct inode_security_struct *isec = inode->i_security; 2757 2758 if (!mask) { 2759 /* No permission to check. Existence test. */ 2760 return 0; 2761 } 2762 2763 if (tsec->sid == fsec->sid && fsec->isid == isec->sid 2764 && fsec->pseqno == avc_policy_seqno()) 2765 return selinux_netlbl_inode_permission(inode, mask); 2766 2767 return selinux_revalidate_file_permission(file, mask); 2768 } 2769 2770 static int selinux_file_alloc_security(struct file *file) 2771 { 2772 return file_alloc_security(file); 2773 } 2774 2775 static void selinux_file_free_security(struct file *file) 2776 { 2777 file_free_security(file); 2778 } 2779 2780 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 2781 unsigned long arg) 2782 { 2783 int error = 0; 2784 2785 switch (cmd) { 2786 case FIONREAD: 2787 /* fall through */ 2788 case FIBMAP: 2789 /* fall through */ 2790 case FIGETBSZ: 2791 /* fall through */ 2792 case EXT2_IOC_GETFLAGS: 2793 /* fall through */ 2794 case EXT2_IOC_GETVERSION: 2795 error = file_has_perm(current, file, FILE__GETATTR); 2796 break; 2797 2798 case EXT2_IOC_SETFLAGS: 2799 /* fall through */ 2800 case EXT2_IOC_SETVERSION: 2801 error = file_has_perm(current, file, FILE__SETATTR); 2802 break; 2803 2804 /* sys_ioctl() checks */ 2805 case FIONBIO: 2806 /* fall through */ 2807 case FIOASYNC: 2808 error = file_has_perm(current, file, 0); 2809 break; 2810 2811 case KDSKBENT: 2812 case KDSKBSENT: 2813 error = task_has_capability(current,CAP_SYS_TTY_CONFIG); 2814 break; 2815 2816 /* default case assumes that the command will go 2817 * to the file's ioctl() function. 2818 */ 2819 default: 2820 error = file_has_perm(current, file, FILE__IOCTL); 2821 2822 } 2823 return error; 2824 } 2825 2826 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 2827 { 2828 #ifndef CONFIG_PPC32 2829 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { 2830 /* 2831 * We are making executable an anonymous mapping or a 2832 * private file mapping that will also be writable. 2833 * This has an additional check. 2834 */ 2835 int rc = task_has_perm(current, current, PROCESS__EXECMEM); 2836 if (rc) 2837 return rc; 2838 } 2839 #endif 2840 2841 if (file) { 2842 /* read access is always possible with a mapping */ 2843 u32 av = FILE__READ; 2844 2845 /* write access only matters if the mapping is shared */ 2846 if (shared && (prot & PROT_WRITE)) 2847 av |= FILE__WRITE; 2848 2849 if (prot & PROT_EXEC) 2850 av |= FILE__EXECUTE; 2851 2852 return file_has_perm(current, file, av); 2853 } 2854 return 0; 2855 } 2856 2857 static int selinux_file_mmap(struct file *file, unsigned long reqprot, 2858 unsigned long prot, unsigned long flags, 2859 unsigned long addr, unsigned long addr_only) 2860 { 2861 int rc = 0; 2862 u32 sid = ((struct task_security_struct*)(current->security))->sid; 2863 2864 if (addr < mmap_min_addr) 2865 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 2866 MEMPROTECT__MMAP_ZERO, NULL); 2867 if (rc || addr_only) 2868 return rc; 2869 2870 if (selinux_checkreqprot) 2871 prot = reqprot; 2872 2873 return file_map_prot_check(file, prot, 2874 (flags & MAP_TYPE) == MAP_SHARED); 2875 } 2876 2877 static int selinux_file_mprotect(struct vm_area_struct *vma, 2878 unsigned long reqprot, 2879 unsigned long prot) 2880 { 2881 int rc; 2882 2883 rc = secondary_ops->file_mprotect(vma, reqprot, prot); 2884 if (rc) 2885 return rc; 2886 2887 if (selinux_checkreqprot) 2888 prot = reqprot; 2889 2890 #ifndef CONFIG_PPC32 2891 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 2892 rc = 0; 2893 if (vma->vm_start >= vma->vm_mm->start_brk && 2894 vma->vm_end <= vma->vm_mm->brk) { 2895 rc = task_has_perm(current, current, 2896 PROCESS__EXECHEAP); 2897 } else if (!vma->vm_file && 2898 vma->vm_start <= vma->vm_mm->start_stack && 2899 vma->vm_end >= vma->vm_mm->start_stack) { 2900 rc = task_has_perm(current, current, PROCESS__EXECSTACK); 2901 } else if (vma->vm_file && vma->anon_vma) { 2902 /* 2903 * We are making executable a file mapping that has 2904 * had some COW done. Since pages might have been 2905 * written, check ability to execute the possibly 2906 * modified content. This typically should only 2907 * occur for text relocations. 2908 */ 2909 rc = file_has_perm(current, vma->vm_file, 2910 FILE__EXECMOD); 2911 } 2912 if (rc) 2913 return rc; 2914 } 2915 #endif 2916 2917 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 2918 } 2919 2920 static int selinux_file_lock(struct file *file, unsigned int cmd) 2921 { 2922 return file_has_perm(current, file, FILE__LOCK); 2923 } 2924 2925 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 2926 unsigned long arg) 2927 { 2928 int err = 0; 2929 2930 switch (cmd) { 2931 case F_SETFL: 2932 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { 2933 err = -EINVAL; 2934 break; 2935 } 2936 2937 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 2938 err = file_has_perm(current, file,FILE__WRITE); 2939 break; 2940 } 2941 /* fall through */ 2942 case F_SETOWN: 2943 case F_SETSIG: 2944 case F_GETFL: 2945 case F_GETOWN: 2946 case F_GETSIG: 2947 /* Just check FD__USE permission */ 2948 err = file_has_perm(current, file, 0); 2949 break; 2950 case F_GETLK: 2951 case F_SETLK: 2952 case F_SETLKW: 2953 #if BITS_PER_LONG == 32 2954 case F_GETLK64: 2955 case F_SETLK64: 2956 case F_SETLKW64: 2957 #endif 2958 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { 2959 err = -EINVAL; 2960 break; 2961 } 2962 err = file_has_perm(current, file, FILE__LOCK); 2963 break; 2964 } 2965 2966 return err; 2967 } 2968 2969 static int selinux_file_set_fowner(struct file *file) 2970 { 2971 struct task_security_struct *tsec; 2972 struct file_security_struct *fsec; 2973 2974 tsec = current->security; 2975 fsec = file->f_security; 2976 fsec->fown_sid = tsec->sid; 2977 2978 return 0; 2979 } 2980 2981 static int selinux_file_send_sigiotask(struct task_struct *tsk, 2982 struct fown_struct *fown, int signum) 2983 { 2984 struct file *file; 2985 u32 perm; 2986 struct task_security_struct *tsec; 2987 struct file_security_struct *fsec; 2988 2989 /* struct fown_struct is never outside the context of a struct file */ 2990 file = container_of(fown, struct file, f_owner); 2991 2992 tsec = tsk->security; 2993 fsec = file->f_security; 2994 2995 if (!signum) 2996 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 2997 else 2998 perm = signal_to_av(signum); 2999 3000 return avc_has_perm(fsec->fown_sid, tsec->sid, 3001 SECCLASS_PROCESS, perm, NULL); 3002 } 3003 3004 static int selinux_file_receive(struct file *file) 3005 { 3006 return file_has_perm(current, file, file_to_av(file)); 3007 } 3008 3009 static int selinux_dentry_open(struct file *file) 3010 { 3011 struct file_security_struct *fsec; 3012 struct inode *inode; 3013 struct inode_security_struct *isec; 3014 inode = file->f_path.dentry->d_inode; 3015 fsec = file->f_security; 3016 isec = inode->i_security; 3017 /* 3018 * Save inode label and policy sequence number 3019 * at open-time so that selinux_file_permission 3020 * can determine whether revalidation is necessary. 3021 * Task label is already saved in the file security 3022 * struct as its SID. 3023 */ 3024 fsec->isid = isec->sid; 3025 fsec->pseqno = avc_policy_seqno(); 3026 /* 3027 * Since the inode label or policy seqno may have changed 3028 * between the selinux_inode_permission check and the saving 3029 * of state above, recheck that access is still permitted. 3030 * Otherwise, access might never be revalidated against the 3031 * new inode label or new policy. 3032 * This check is not redundant - do not remove. 3033 */ 3034 return inode_has_perm(current, inode, file_to_av(file), NULL); 3035 } 3036 3037 /* task security operations */ 3038 3039 static int selinux_task_create(unsigned long clone_flags) 3040 { 3041 int rc; 3042 3043 rc = secondary_ops->task_create(clone_flags); 3044 if (rc) 3045 return rc; 3046 3047 return task_has_perm(current, current, PROCESS__FORK); 3048 } 3049 3050 static int selinux_task_alloc_security(struct task_struct *tsk) 3051 { 3052 struct task_security_struct *tsec1, *tsec2; 3053 int rc; 3054 3055 tsec1 = current->security; 3056 3057 rc = task_alloc_security(tsk); 3058 if (rc) 3059 return rc; 3060 tsec2 = tsk->security; 3061 3062 tsec2->osid = tsec1->osid; 3063 tsec2->sid = tsec1->sid; 3064 3065 /* Retain the exec, fs, key, and sock SIDs across fork */ 3066 tsec2->exec_sid = tsec1->exec_sid; 3067 tsec2->create_sid = tsec1->create_sid; 3068 tsec2->keycreate_sid = tsec1->keycreate_sid; 3069 tsec2->sockcreate_sid = tsec1->sockcreate_sid; 3070 3071 /* Retain ptracer SID across fork, if any. 3072 This will be reset by the ptrace hook upon any 3073 subsequent ptrace_attach operations. */ 3074 tsec2->ptrace_sid = tsec1->ptrace_sid; 3075 3076 return 0; 3077 } 3078 3079 static void selinux_task_free_security(struct task_struct *tsk) 3080 { 3081 task_free_security(tsk); 3082 } 3083 3084 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 3085 { 3086 /* Since setuid only affects the current process, and 3087 since the SELinux controls are not based on the Linux 3088 identity attributes, SELinux does not need to control 3089 this operation. However, SELinux does control the use 3090 of the CAP_SETUID and CAP_SETGID capabilities using the 3091 capable hook. */ 3092 return 0; 3093 } 3094 3095 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 3096 { 3097 return secondary_ops->task_post_setuid(id0,id1,id2,flags); 3098 } 3099 3100 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) 3101 { 3102 /* See the comment for setuid above. */ 3103 return 0; 3104 } 3105 3106 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3107 { 3108 return task_has_perm(current, p, PROCESS__SETPGID); 3109 } 3110 3111 static int selinux_task_getpgid(struct task_struct *p) 3112 { 3113 return task_has_perm(current, p, PROCESS__GETPGID); 3114 } 3115 3116 static int selinux_task_getsid(struct task_struct *p) 3117 { 3118 return task_has_perm(current, p, PROCESS__GETSESSION); 3119 } 3120 3121 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3122 { 3123 selinux_get_task_sid(p, secid); 3124 } 3125 3126 static int selinux_task_setgroups(struct group_info *group_info) 3127 { 3128 /* See the comment for setuid above. */ 3129 return 0; 3130 } 3131 3132 static int selinux_task_setnice(struct task_struct *p, int nice) 3133 { 3134 int rc; 3135 3136 rc = secondary_ops->task_setnice(p, nice); 3137 if (rc) 3138 return rc; 3139 3140 return task_has_perm(current,p, PROCESS__SETSCHED); 3141 } 3142 3143 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3144 { 3145 int rc; 3146 3147 rc = secondary_ops->task_setioprio(p, ioprio); 3148 if (rc) 3149 return rc; 3150 3151 return task_has_perm(current, p, PROCESS__SETSCHED); 3152 } 3153 3154 static int selinux_task_getioprio(struct task_struct *p) 3155 { 3156 return task_has_perm(current, p, PROCESS__GETSCHED); 3157 } 3158 3159 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) 3160 { 3161 struct rlimit *old_rlim = current->signal->rlim + resource; 3162 int rc; 3163 3164 rc = secondary_ops->task_setrlimit(resource, new_rlim); 3165 if (rc) 3166 return rc; 3167 3168 /* Control the ability to change the hard limit (whether 3169 lowering or raising it), so that the hard limit can 3170 later be used as a safe reset point for the soft limit 3171 upon context transitions. See selinux_bprm_apply_creds. */ 3172 if (old_rlim->rlim_max != new_rlim->rlim_max) 3173 return task_has_perm(current, current, PROCESS__SETRLIMIT); 3174 3175 return 0; 3176 } 3177 3178 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp) 3179 { 3180 int rc; 3181 3182 rc = secondary_ops->task_setscheduler(p, policy, lp); 3183 if (rc) 3184 return rc; 3185 3186 return task_has_perm(current, p, PROCESS__SETSCHED); 3187 } 3188 3189 static int selinux_task_getscheduler(struct task_struct *p) 3190 { 3191 return task_has_perm(current, p, PROCESS__GETSCHED); 3192 } 3193 3194 static int selinux_task_movememory(struct task_struct *p) 3195 { 3196 return task_has_perm(current, p, PROCESS__SETSCHED); 3197 } 3198 3199 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 3200 int sig, u32 secid) 3201 { 3202 u32 perm; 3203 int rc; 3204 struct task_security_struct *tsec; 3205 3206 rc = secondary_ops->task_kill(p, info, sig, secid); 3207 if (rc) 3208 return rc; 3209 3210 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info))) 3211 return 0; 3212 3213 if (!sig) 3214 perm = PROCESS__SIGNULL; /* null signal; existence test */ 3215 else 3216 perm = signal_to_av(sig); 3217 tsec = p->security; 3218 if (secid) 3219 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL); 3220 else 3221 rc = task_has_perm(current, p, perm); 3222 return rc; 3223 } 3224 3225 static int selinux_task_prctl(int option, 3226 unsigned long arg2, 3227 unsigned long arg3, 3228 unsigned long arg4, 3229 unsigned long arg5) 3230 { 3231 /* The current prctl operations do not appear to require 3232 any SELinux controls since they merely observe or modify 3233 the state of the current process. */ 3234 return 0; 3235 } 3236 3237 static int selinux_task_wait(struct task_struct *p) 3238 { 3239 return task_has_perm(p, current, PROCESS__SIGCHLD); 3240 } 3241 3242 static void selinux_task_reparent_to_init(struct task_struct *p) 3243 { 3244 struct task_security_struct *tsec; 3245 3246 secondary_ops->task_reparent_to_init(p); 3247 3248 tsec = p->security; 3249 tsec->osid = tsec->sid; 3250 tsec->sid = SECINITSID_KERNEL; 3251 return; 3252 } 3253 3254 static void selinux_task_to_inode(struct task_struct *p, 3255 struct inode *inode) 3256 { 3257 struct task_security_struct *tsec = p->security; 3258 struct inode_security_struct *isec = inode->i_security; 3259 3260 isec->sid = tsec->sid; 3261 isec->initialized = 1; 3262 return; 3263 } 3264 3265 /* Returns error only if unable to parse addresses */ 3266 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 3267 struct avc_audit_data *ad, u8 *proto) 3268 { 3269 int offset, ihlen, ret = -EINVAL; 3270 struct iphdr _iph, *ih; 3271 3272 offset = skb_network_offset(skb); 3273 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 3274 if (ih == NULL) 3275 goto out; 3276 3277 ihlen = ih->ihl * 4; 3278 if (ihlen < sizeof(_iph)) 3279 goto out; 3280 3281 ad->u.net.v4info.saddr = ih->saddr; 3282 ad->u.net.v4info.daddr = ih->daddr; 3283 ret = 0; 3284 3285 if (proto) 3286 *proto = ih->protocol; 3287 3288 switch (ih->protocol) { 3289 case IPPROTO_TCP: { 3290 struct tcphdr _tcph, *th; 3291 3292 if (ntohs(ih->frag_off) & IP_OFFSET) 3293 break; 3294 3295 offset += ihlen; 3296 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3297 if (th == NULL) 3298 break; 3299 3300 ad->u.net.sport = th->source; 3301 ad->u.net.dport = th->dest; 3302 break; 3303 } 3304 3305 case IPPROTO_UDP: { 3306 struct udphdr _udph, *uh; 3307 3308 if (ntohs(ih->frag_off) & IP_OFFSET) 3309 break; 3310 3311 offset += ihlen; 3312 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3313 if (uh == NULL) 3314 break; 3315 3316 ad->u.net.sport = uh->source; 3317 ad->u.net.dport = uh->dest; 3318 break; 3319 } 3320 3321 case IPPROTO_DCCP: { 3322 struct dccp_hdr _dccph, *dh; 3323 3324 if (ntohs(ih->frag_off) & IP_OFFSET) 3325 break; 3326 3327 offset += ihlen; 3328 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3329 if (dh == NULL) 3330 break; 3331 3332 ad->u.net.sport = dh->dccph_sport; 3333 ad->u.net.dport = dh->dccph_dport; 3334 break; 3335 } 3336 3337 default: 3338 break; 3339 } 3340 out: 3341 return ret; 3342 } 3343 3344 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3345 3346 /* Returns error only if unable to parse addresses */ 3347 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 3348 struct avc_audit_data *ad, u8 *proto) 3349 { 3350 u8 nexthdr; 3351 int ret = -EINVAL, offset; 3352 struct ipv6hdr _ipv6h, *ip6; 3353 3354 offset = skb_network_offset(skb); 3355 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3356 if (ip6 == NULL) 3357 goto out; 3358 3359 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr); 3360 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr); 3361 ret = 0; 3362 3363 nexthdr = ip6->nexthdr; 3364 offset += sizeof(_ipv6h); 3365 offset = ipv6_skip_exthdr(skb, offset, &nexthdr); 3366 if (offset < 0) 3367 goto out; 3368 3369 if (proto) 3370 *proto = nexthdr; 3371 3372 switch (nexthdr) { 3373 case IPPROTO_TCP: { 3374 struct tcphdr _tcph, *th; 3375 3376 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3377 if (th == NULL) 3378 break; 3379 3380 ad->u.net.sport = th->source; 3381 ad->u.net.dport = th->dest; 3382 break; 3383 } 3384 3385 case IPPROTO_UDP: { 3386 struct udphdr _udph, *uh; 3387 3388 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3389 if (uh == NULL) 3390 break; 3391 3392 ad->u.net.sport = uh->source; 3393 ad->u.net.dport = uh->dest; 3394 break; 3395 } 3396 3397 case IPPROTO_DCCP: { 3398 struct dccp_hdr _dccph, *dh; 3399 3400 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3401 if (dh == NULL) 3402 break; 3403 3404 ad->u.net.sport = dh->dccph_sport; 3405 ad->u.net.dport = dh->dccph_dport; 3406 break; 3407 } 3408 3409 /* includes fragments */ 3410 default: 3411 break; 3412 } 3413 out: 3414 return ret; 3415 } 3416 3417 #endif /* IPV6 */ 3418 3419 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, 3420 char **addrp, int src, u8 *proto) 3421 { 3422 int ret = 0; 3423 3424 switch (ad->u.net.family) { 3425 case PF_INET: 3426 ret = selinux_parse_skb_ipv4(skb, ad, proto); 3427 if (ret || !addrp) 3428 break; 3429 *addrp = (char *)(src ? &ad->u.net.v4info.saddr : 3430 &ad->u.net.v4info.daddr); 3431 break; 3432 3433 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3434 case PF_INET6: 3435 ret = selinux_parse_skb_ipv6(skb, ad, proto); 3436 if (ret || !addrp) 3437 break; 3438 *addrp = (char *)(src ? &ad->u.net.v6info.saddr : 3439 &ad->u.net.v6info.daddr); 3440 break; 3441 #endif /* IPV6 */ 3442 default: 3443 break; 3444 } 3445 3446 if (unlikely(ret)) 3447 printk(KERN_WARNING 3448 "SELinux: failure in selinux_parse_skb()," 3449 " unable to parse packet\n"); 3450 3451 return ret; 3452 } 3453 3454 /** 3455 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 3456 * @skb: the packet 3457 * @family: protocol family 3458 * @sid: the packet's peer label SID 3459 * 3460 * Description: 3461 * Check the various different forms of network peer labeling and determine 3462 * the peer label/SID for the packet; most of the magic actually occurs in 3463 * the security server function security_net_peersid_cmp(). The function 3464 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 3465 * or -EACCES if @sid is invalid due to inconsistencies with the different 3466 * peer labels. 3467 * 3468 */ 3469 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 3470 { 3471 int err; 3472 u32 xfrm_sid; 3473 u32 nlbl_sid; 3474 u32 nlbl_type; 3475 3476 selinux_skb_xfrm_sid(skb, &xfrm_sid); 3477 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 3478 3479 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 3480 if (unlikely(err)) { 3481 printk(KERN_WARNING 3482 "SELinux: failure in selinux_skb_peerlbl_sid()," 3483 " unable to determine packet's peer label\n"); 3484 return -EACCES; 3485 } 3486 3487 return 0; 3488 } 3489 3490 /* socket security operations */ 3491 static int socket_has_perm(struct task_struct *task, struct socket *sock, 3492 u32 perms) 3493 { 3494 struct inode_security_struct *isec; 3495 struct task_security_struct *tsec; 3496 struct avc_audit_data ad; 3497 int err = 0; 3498 3499 tsec = task->security; 3500 isec = SOCK_INODE(sock)->i_security; 3501 3502 if (isec->sid == SECINITSID_KERNEL) 3503 goto out; 3504 3505 AVC_AUDIT_DATA_INIT(&ad,NET); 3506 ad.u.net.sk = sock->sk; 3507 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 3508 3509 out: 3510 return err; 3511 } 3512 3513 static int selinux_socket_create(int family, int type, 3514 int protocol, int kern) 3515 { 3516 int err = 0; 3517 struct task_security_struct *tsec; 3518 u32 newsid; 3519 3520 if (kern) 3521 goto out; 3522 3523 tsec = current->security; 3524 newsid = tsec->sockcreate_sid ? : tsec->sid; 3525 err = avc_has_perm(tsec->sid, newsid, 3526 socket_type_to_security_class(family, type, 3527 protocol), SOCKET__CREATE, NULL); 3528 3529 out: 3530 return err; 3531 } 3532 3533 static int selinux_socket_post_create(struct socket *sock, int family, 3534 int type, int protocol, int kern) 3535 { 3536 int err = 0; 3537 struct inode_security_struct *isec; 3538 struct task_security_struct *tsec; 3539 struct sk_security_struct *sksec; 3540 u32 newsid; 3541 3542 isec = SOCK_INODE(sock)->i_security; 3543 3544 tsec = current->security; 3545 newsid = tsec->sockcreate_sid ? : tsec->sid; 3546 isec->sclass = socket_type_to_security_class(family, type, protocol); 3547 isec->sid = kern ? SECINITSID_KERNEL : newsid; 3548 isec->initialized = 1; 3549 3550 if (sock->sk) { 3551 sksec = sock->sk->sk_security; 3552 sksec->sid = isec->sid; 3553 sksec->sclass = isec->sclass; 3554 err = selinux_netlbl_socket_post_create(sock); 3555 } 3556 3557 return err; 3558 } 3559 3560 /* Range of port numbers used to automatically bind. 3561 Need to determine whether we should perform a name_bind 3562 permission check between the socket and the port number. */ 3563 3564 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 3565 { 3566 u16 family; 3567 int err; 3568 3569 err = socket_has_perm(current, sock, SOCKET__BIND); 3570 if (err) 3571 goto out; 3572 3573 /* 3574 * If PF_INET or PF_INET6, check name_bind permission for the port. 3575 * Multiple address binding for SCTP is not supported yet: we just 3576 * check the first address now. 3577 */ 3578 family = sock->sk->sk_family; 3579 if (family == PF_INET || family == PF_INET6) { 3580 char *addrp; 3581 struct inode_security_struct *isec; 3582 struct task_security_struct *tsec; 3583 struct avc_audit_data ad; 3584 struct sockaddr_in *addr4 = NULL; 3585 struct sockaddr_in6 *addr6 = NULL; 3586 unsigned short snum; 3587 struct sock *sk = sock->sk; 3588 u32 sid, node_perm, addrlen; 3589 3590 tsec = current->security; 3591 isec = SOCK_INODE(sock)->i_security; 3592 3593 if (family == PF_INET) { 3594 addr4 = (struct sockaddr_in *)address; 3595 snum = ntohs(addr4->sin_port); 3596 addrlen = sizeof(addr4->sin_addr.s_addr); 3597 addrp = (char *)&addr4->sin_addr.s_addr; 3598 } else { 3599 addr6 = (struct sockaddr_in6 *)address; 3600 snum = ntohs(addr6->sin6_port); 3601 addrlen = sizeof(addr6->sin6_addr.s6_addr); 3602 addrp = (char *)&addr6->sin6_addr.s6_addr; 3603 } 3604 3605 if (snum) { 3606 int low, high; 3607 3608 inet_get_local_port_range(&low, &high); 3609 3610 if (snum < max(PROT_SOCK, low) || snum > high) { 3611 err = security_port_sid(sk->sk_family, 3612 sk->sk_type, 3613 sk->sk_protocol, snum, 3614 &sid); 3615 if (err) 3616 goto out; 3617 AVC_AUDIT_DATA_INIT(&ad,NET); 3618 ad.u.net.sport = htons(snum); 3619 ad.u.net.family = family; 3620 err = avc_has_perm(isec->sid, sid, 3621 isec->sclass, 3622 SOCKET__NAME_BIND, &ad); 3623 if (err) 3624 goto out; 3625 } 3626 } 3627 3628 switch(isec->sclass) { 3629 case SECCLASS_TCP_SOCKET: 3630 node_perm = TCP_SOCKET__NODE_BIND; 3631 break; 3632 3633 case SECCLASS_UDP_SOCKET: 3634 node_perm = UDP_SOCKET__NODE_BIND; 3635 break; 3636 3637 case SECCLASS_DCCP_SOCKET: 3638 node_perm = DCCP_SOCKET__NODE_BIND; 3639 break; 3640 3641 default: 3642 node_perm = RAWIP_SOCKET__NODE_BIND; 3643 break; 3644 } 3645 3646 err = sel_netnode_sid(addrp, family, &sid); 3647 if (err) 3648 goto out; 3649 3650 AVC_AUDIT_DATA_INIT(&ad,NET); 3651 ad.u.net.sport = htons(snum); 3652 ad.u.net.family = family; 3653 3654 if (family == PF_INET) 3655 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr; 3656 else 3657 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr); 3658 3659 err = avc_has_perm(isec->sid, sid, 3660 isec->sclass, node_perm, &ad); 3661 if (err) 3662 goto out; 3663 } 3664 out: 3665 return err; 3666 } 3667 3668 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 3669 { 3670 struct inode_security_struct *isec; 3671 int err; 3672 3673 err = socket_has_perm(current, sock, SOCKET__CONNECT); 3674 if (err) 3675 return err; 3676 3677 /* 3678 * If a TCP or DCCP socket, check name_connect permission for the port. 3679 */ 3680 isec = SOCK_INODE(sock)->i_security; 3681 if (isec->sclass == SECCLASS_TCP_SOCKET || 3682 isec->sclass == SECCLASS_DCCP_SOCKET) { 3683 struct sock *sk = sock->sk; 3684 struct avc_audit_data ad; 3685 struct sockaddr_in *addr4 = NULL; 3686 struct sockaddr_in6 *addr6 = NULL; 3687 unsigned short snum; 3688 u32 sid, perm; 3689 3690 if (sk->sk_family == PF_INET) { 3691 addr4 = (struct sockaddr_in *)address; 3692 if (addrlen < sizeof(struct sockaddr_in)) 3693 return -EINVAL; 3694 snum = ntohs(addr4->sin_port); 3695 } else { 3696 addr6 = (struct sockaddr_in6 *)address; 3697 if (addrlen < SIN6_LEN_RFC2133) 3698 return -EINVAL; 3699 snum = ntohs(addr6->sin6_port); 3700 } 3701 3702 err = security_port_sid(sk->sk_family, sk->sk_type, 3703 sk->sk_protocol, snum, &sid); 3704 if (err) 3705 goto out; 3706 3707 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? 3708 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 3709 3710 AVC_AUDIT_DATA_INIT(&ad,NET); 3711 ad.u.net.dport = htons(snum); 3712 ad.u.net.family = sk->sk_family; 3713 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); 3714 if (err) 3715 goto out; 3716 } 3717 3718 out: 3719 return err; 3720 } 3721 3722 static int selinux_socket_listen(struct socket *sock, int backlog) 3723 { 3724 return socket_has_perm(current, sock, SOCKET__LISTEN); 3725 } 3726 3727 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 3728 { 3729 int err; 3730 struct inode_security_struct *isec; 3731 struct inode_security_struct *newisec; 3732 3733 err = socket_has_perm(current, sock, SOCKET__ACCEPT); 3734 if (err) 3735 return err; 3736 3737 newisec = SOCK_INODE(newsock)->i_security; 3738 3739 isec = SOCK_INODE(sock)->i_security; 3740 newisec->sclass = isec->sclass; 3741 newisec->sid = isec->sid; 3742 newisec->initialized = 1; 3743 3744 return 0; 3745 } 3746 3747 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3748 int size) 3749 { 3750 int rc; 3751 3752 rc = socket_has_perm(current, sock, SOCKET__WRITE); 3753 if (rc) 3754 return rc; 3755 3756 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE); 3757 } 3758 3759 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 3760 int size, int flags) 3761 { 3762 return socket_has_perm(current, sock, SOCKET__READ); 3763 } 3764 3765 static int selinux_socket_getsockname(struct socket *sock) 3766 { 3767 return socket_has_perm(current, sock, SOCKET__GETATTR); 3768 } 3769 3770 static int selinux_socket_getpeername(struct socket *sock) 3771 { 3772 return socket_has_perm(current, sock, SOCKET__GETATTR); 3773 } 3774 3775 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname) 3776 { 3777 int err; 3778 3779 err = socket_has_perm(current, sock, SOCKET__SETOPT); 3780 if (err) 3781 return err; 3782 3783 return selinux_netlbl_socket_setsockopt(sock, level, optname); 3784 } 3785 3786 static int selinux_socket_getsockopt(struct socket *sock, int level, 3787 int optname) 3788 { 3789 return socket_has_perm(current, sock, SOCKET__GETOPT); 3790 } 3791 3792 static int selinux_socket_shutdown(struct socket *sock, int how) 3793 { 3794 return socket_has_perm(current, sock, SOCKET__SHUTDOWN); 3795 } 3796 3797 static int selinux_socket_unix_stream_connect(struct socket *sock, 3798 struct socket *other, 3799 struct sock *newsk) 3800 { 3801 struct sk_security_struct *ssec; 3802 struct inode_security_struct *isec; 3803 struct inode_security_struct *other_isec; 3804 struct avc_audit_data ad; 3805 int err; 3806 3807 err = secondary_ops->unix_stream_connect(sock, other, newsk); 3808 if (err) 3809 return err; 3810 3811 isec = SOCK_INODE(sock)->i_security; 3812 other_isec = SOCK_INODE(other)->i_security; 3813 3814 AVC_AUDIT_DATA_INIT(&ad,NET); 3815 ad.u.net.sk = other->sk; 3816 3817 err = avc_has_perm(isec->sid, other_isec->sid, 3818 isec->sclass, 3819 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 3820 if (err) 3821 return err; 3822 3823 /* connecting socket */ 3824 ssec = sock->sk->sk_security; 3825 ssec->peer_sid = other_isec->sid; 3826 3827 /* server child socket */ 3828 ssec = newsk->sk_security; 3829 ssec->peer_sid = isec->sid; 3830 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid); 3831 3832 return err; 3833 } 3834 3835 static int selinux_socket_unix_may_send(struct socket *sock, 3836 struct socket *other) 3837 { 3838 struct inode_security_struct *isec; 3839 struct inode_security_struct *other_isec; 3840 struct avc_audit_data ad; 3841 int err; 3842 3843 isec = SOCK_INODE(sock)->i_security; 3844 other_isec = SOCK_INODE(other)->i_security; 3845 3846 AVC_AUDIT_DATA_INIT(&ad,NET); 3847 ad.u.net.sk = other->sk; 3848 3849 err = avc_has_perm(isec->sid, other_isec->sid, 3850 isec->sclass, SOCKET__SENDTO, &ad); 3851 if (err) 3852 return err; 3853 3854 return 0; 3855 } 3856 3857 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, 3858 u32 peer_sid, 3859 struct avc_audit_data *ad) 3860 { 3861 int err; 3862 u32 if_sid; 3863 u32 node_sid; 3864 3865 err = sel_netif_sid(ifindex, &if_sid); 3866 if (err) 3867 return err; 3868 err = avc_has_perm(peer_sid, if_sid, 3869 SECCLASS_NETIF, NETIF__INGRESS, ad); 3870 if (err) 3871 return err; 3872 3873 err = sel_netnode_sid(addrp, family, &node_sid); 3874 if (err) 3875 return err; 3876 return avc_has_perm(peer_sid, node_sid, 3877 SECCLASS_NODE, NODE__RECVFROM, ad); 3878 } 3879 3880 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk, 3881 struct sk_buff *skb, 3882 struct avc_audit_data *ad, 3883 u16 family, 3884 char *addrp) 3885 { 3886 int err; 3887 struct sk_security_struct *sksec = sk->sk_security; 3888 u16 sk_class; 3889 u32 netif_perm, node_perm, recv_perm; 3890 u32 port_sid, node_sid, if_sid, sk_sid; 3891 3892 sk_sid = sksec->sid; 3893 sk_class = sksec->sclass; 3894 3895 switch (sk_class) { 3896 case SECCLASS_UDP_SOCKET: 3897 netif_perm = NETIF__UDP_RECV; 3898 node_perm = NODE__UDP_RECV; 3899 recv_perm = UDP_SOCKET__RECV_MSG; 3900 break; 3901 case SECCLASS_TCP_SOCKET: 3902 netif_perm = NETIF__TCP_RECV; 3903 node_perm = NODE__TCP_RECV; 3904 recv_perm = TCP_SOCKET__RECV_MSG; 3905 break; 3906 case SECCLASS_DCCP_SOCKET: 3907 netif_perm = NETIF__DCCP_RECV; 3908 node_perm = NODE__DCCP_RECV; 3909 recv_perm = DCCP_SOCKET__RECV_MSG; 3910 break; 3911 default: 3912 netif_perm = NETIF__RAWIP_RECV; 3913 node_perm = NODE__RAWIP_RECV; 3914 recv_perm = 0; 3915 break; 3916 } 3917 3918 err = sel_netif_sid(skb->iif, &if_sid); 3919 if (err) 3920 return err; 3921 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 3922 if (err) 3923 return err; 3924 3925 err = sel_netnode_sid(addrp, family, &node_sid); 3926 if (err) 3927 return err; 3928 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad); 3929 if (err) 3930 return err; 3931 3932 if (!recv_perm) 3933 return 0; 3934 err = security_port_sid(sk->sk_family, sk->sk_type, 3935 sk->sk_protocol, ntohs(ad->u.net.sport), 3936 &port_sid); 3937 if (unlikely(err)) { 3938 printk(KERN_WARNING 3939 "SELinux: failure in" 3940 " selinux_sock_rcv_skb_iptables_compat()," 3941 " network port label not found\n"); 3942 return err; 3943 } 3944 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad); 3945 } 3946 3947 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 3948 struct avc_audit_data *ad, 3949 u16 family, char *addrp) 3950 { 3951 int err; 3952 struct sk_security_struct *sksec = sk->sk_security; 3953 u32 peer_sid; 3954 u32 sk_sid = sksec->sid; 3955 3956 if (selinux_compat_net) 3957 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad, 3958 family, addrp); 3959 else 3960 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 3961 PACKET__RECV, ad); 3962 if (err) 3963 return err; 3964 3965 if (selinux_policycap_netpeer) { 3966 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 3967 if (err) 3968 return err; 3969 err = avc_has_perm(sk_sid, peer_sid, 3970 SECCLASS_PEER, PEER__RECV, ad); 3971 } else { 3972 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad); 3973 if (err) 3974 return err; 3975 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad); 3976 } 3977 3978 return err; 3979 } 3980 3981 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3982 { 3983 int err; 3984 struct sk_security_struct *sksec = sk->sk_security; 3985 u16 family = sk->sk_family; 3986 u32 sk_sid = sksec->sid; 3987 struct avc_audit_data ad; 3988 char *addrp; 3989 3990 if (family != PF_INET && family != PF_INET6) 3991 return 0; 3992 3993 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 3994 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 3995 family = PF_INET; 3996 3997 AVC_AUDIT_DATA_INIT(&ad, NET); 3998 ad.u.net.netif = skb->iif; 3999 ad.u.net.family = family; 4000 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4001 if (err) 4002 return err; 4003 4004 /* If any sort of compatibility mode is enabled then handoff processing 4005 * to the selinux_sock_rcv_skb_compat() function to deal with the 4006 * special handling. We do this in an attempt to keep this function 4007 * as fast and as clean as possible. */ 4008 if (selinux_compat_net || !selinux_policycap_netpeer) 4009 return selinux_sock_rcv_skb_compat(sk, skb, &ad, 4010 family, addrp); 4011 4012 if (netlbl_enabled() || selinux_xfrm_enabled()) { 4013 u32 peer_sid; 4014 4015 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4016 if (err) 4017 return err; 4018 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family, 4019 peer_sid, &ad); 4020 if (err) 4021 return err; 4022 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 4023 PEER__RECV, &ad); 4024 } 4025 4026 if (selinux_secmark_enabled()) { 4027 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4028 PACKET__RECV, &ad); 4029 if (err) 4030 return err; 4031 } 4032 4033 return err; 4034 } 4035 4036 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 4037 int __user *optlen, unsigned len) 4038 { 4039 int err = 0; 4040 char *scontext; 4041 u32 scontext_len; 4042 struct sk_security_struct *ssec; 4043 struct inode_security_struct *isec; 4044 u32 peer_sid = SECSID_NULL; 4045 4046 isec = SOCK_INODE(sock)->i_security; 4047 4048 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 4049 isec->sclass == SECCLASS_TCP_SOCKET) { 4050 ssec = sock->sk->sk_security; 4051 peer_sid = ssec->peer_sid; 4052 } 4053 if (peer_sid == SECSID_NULL) { 4054 err = -ENOPROTOOPT; 4055 goto out; 4056 } 4057 4058 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 4059 4060 if (err) 4061 goto out; 4062 4063 if (scontext_len > len) { 4064 err = -ERANGE; 4065 goto out_len; 4066 } 4067 4068 if (copy_to_user(optval, scontext, scontext_len)) 4069 err = -EFAULT; 4070 4071 out_len: 4072 if (put_user(scontext_len, optlen)) 4073 err = -EFAULT; 4074 4075 kfree(scontext); 4076 out: 4077 return err; 4078 } 4079 4080 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 4081 { 4082 u32 peer_secid = SECSID_NULL; 4083 u16 family; 4084 4085 if (sock) 4086 family = sock->sk->sk_family; 4087 else if (skb && skb->sk) 4088 family = skb->sk->sk_family; 4089 else 4090 goto out; 4091 4092 if (sock && family == PF_UNIX) 4093 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); 4094 else if (skb) 4095 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 4096 4097 out: 4098 *secid = peer_secid; 4099 if (peer_secid == SECSID_NULL) 4100 return -EINVAL; 4101 return 0; 4102 } 4103 4104 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 4105 { 4106 return sk_alloc_security(sk, family, priority); 4107 } 4108 4109 static void selinux_sk_free_security(struct sock *sk) 4110 { 4111 sk_free_security(sk); 4112 } 4113 4114 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 4115 { 4116 struct sk_security_struct *ssec = sk->sk_security; 4117 struct sk_security_struct *newssec = newsk->sk_security; 4118 4119 newssec->sid = ssec->sid; 4120 newssec->peer_sid = ssec->peer_sid; 4121 newssec->sclass = ssec->sclass; 4122 4123 selinux_netlbl_sk_security_clone(ssec, newssec); 4124 } 4125 4126 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 4127 { 4128 if (!sk) 4129 *secid = SECINITSID_ANY_SOCKET; 4130 else { 4131 struct sk_security_struct *sksec = sk->sk_security; 4132 4133 *secid = sksec->sid; 4134 } 4135 } 4136 4137 static void selinux_sock_graft(struct sock* sk, struct socket *parent) 4138 { 4139 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; 4140 struct sk_security_struct *sksec = sk->sk_security; 4141 4142 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 4143 sk->sk_family == PF_UNIX) 4144 isec->sid = sksec->sid; 4145 sksec->sclass = isec->sclass; 4146 4147 selinux_netlbl_sock_graft(sk, parent); 4148 } 4149 4150 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4151 struct request_sock *req) 4152 { 4153 struct sk_security_struct *sksec = sk->sk_security; 4154 int err; 4155 u32 newsid; 4156 u32 peersid; 4157 4158 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid); 4159 if (err) 4160 return err; 4161 if (peersid == SECSID_NULL) { 4162 req->secid = sksec->sid; 4163 req->peer_secid = SECSID_NULL; 4164 return 0; 4165 } 4166 4167 err = security_sid_mls_copy(sksec->sid, peersid, &newsid); 4168 if (err) 4169 return err; 4170 4171 req->secid = newsid; 4172 req->peer_secid = peersid; 4173 return 0; 4174 } 4175 4176 static void selinux_inet_csk_clone(struct sock *newsk, 4177 const struct request_sock *req) 4178 { 4179 struct sk_security_struct *newsksec = newsk->sk_security; 4180 4181 newsksec->sid = req->secid; 4182 newsksec->peer_sid = req->peer_secid; 4183 /* NOTE: Ideally, we should also get the isec->sid for the 4184 new socket in sync, but we don't have the isec available yet. 4185 So we will wait until sock_graft to do it, by which 4186 time it will have been created and available. */ 4187 4188 /* We don't need to take any sort of lock here as we are the only 4189 * thread with access to newsksec */ 4190 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family); 4191 } 4192 4193 static void selinux_inet_conn_established(struct sock *sk, 4194 struct sk_buff *skb) 4195 { 4196 struct sk_security_struct *sksec = sk->sk_security; 4197 4198 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid); 4199 } 4200 4201 static void selinux_req_classify_flow(const struct request_sock *req, 4202 struct flowi *fl) 4203 { 4204 fl->secid = req->secid; 4205 } 4206 4207 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 4208 { 4209 int err = 0; 4210 u32 perm; 4211 struct nlmsghdr *nlh; 4212 struct socket *sock = sk->sk_socket; 4213 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 4214 4215 if (skb->len < NLMSG_SPACE(0)) { 4216 err = -EINVAL; 4217 goto out; 4218 } 4219 nlh = nlmsg_hdr(skb); 4220 4221 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); 4222 if (err) { 4223 if (err == -EINVAL) { 4224 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR, 4225 "SELinux: unrecognized netlink message" 4226 " type=%hu for sclass=%hu\n", 4227 nlh->nlmsg_type, isec->sclass); 4228 if (!selinux_enforcing) 4229 err = 0; 4230 } 4231 4232 /* Ignore */ 4233 if (err == -ENOENT) 4234 err = 0; 4235 goto out; 4236 } 4237 4238 err = socket_has_perm(current, sock, perm); 4239 out: 4240 return err; 4241 } 4242 4243 #ifdef CONFIG_NETFILTER 4244 4245 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, 4246 u16 family) 4247 { 4248 char *addrp; 4249 u32 peer_sid; 4250 struct avc_audit_data ad; 4251 u8 secmark_active; 4252 u8 peerlbl_active; 4253 4254 if (!selinux_policycap_netpeer) 4255 return NF_ACCEPT; 4256 4257 secmark_active = selinux_secmark_enabled(); 4258 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); 4259 if (!secmark_active && !peerlbl_active) 4260 return NF_ACCEPT; 4261 4262 AVC_AUDIT_DATA_INIT(&ad, NET); 4263 ad.u.net.netif = ifindex; 4264 ad.u.net.family = family; 4265 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 4266 return NF_DROP; 4267 4268 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 4269 return NF_DROP; 4270 4271 if (peerlbl_active) 4272 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family, 4273 peer_sid, &ad) != 0) 4274 return NF_DROP; 4275 4276 if (secmark_active) 4277 if (avc_has_perm(peer_sid, skb->secmark, 4278 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 4279 return NF_DROP; 4280 4281 return NF_ACCEPT; 4282 } 4283 4284 static unsigned int selinux_ipv4_forward(unsigned int hooknum, 4285 struct sk_buff *skb, 4286 const struct net_device *in, 4287 const struct net_device *out, 4288 int (*okfn)(struct sk_buff *)) 4289 { 4290 return selinux_ip_forward(skb, in->ifindex, PF_INET); 4291 } 4292 4293 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4294 static unsigned int selinux_ipv6_forward(unsigned int hooknum, 4295 struct sk_buff *skb, 4296 const struct net_device *in, 4297 const struct net_device *out, 4298 int (*okfn)(struct sk_buff *)) 4299 { 4300 return selinux_ip_forward(skb, in->ifindex, PF_INET6); 4301 } 4302 #endif /* IPV6 */ 4303 4304 static int selinux_ip_postroute_iptables_compat(struct sock *sk, 4305 int ifindex, 4306 struct avc_audit_data *ad, 4307 u16 family, char *addrp) 4308 { 4309 int err; 4310 struct sk_security_struct *sksec = sk->sk_security; 4311 u16 sk_class; 4312 u32 netif_perm, node_perm, send_perm; 4313 u32 port_sid, node_sid, if_sid, sk_sid; 4314 4315 sk_sid = sksec->sid; 4316 sk_class = sksec->sclass; 4317 4318 switch (sk_class) { 4319 case SECCLASS_UDP_SOCKET: 4320 netif_perm = NETIF__UDP_SEND; 4321 node_perm = NODE__UDP_SEND; 4322 send_perm = UDP_SOCKET__SEND_MSG; 4323 break; 4324 case SECCLASS_TCP_SOCKET: 4325 netif_perm = NETIF__TCP_SEND; 4326 node_perm = NODE__TCP_SEND; 4327 send_perm = TCP_SOCKET__SEND_MSG; 4328 break; 4329 case SECCLASS_DCCP_SOCKET: 4330 netif_perm = NETIF__DCCP_SEND; 4331 node_perm = NODE__DCCP_SEND; 4332 send_perm = DCCP_SOCKET__SEND_MSG; 4333 break; 4334 default: 4335 netif_perm = NETIF__RAWIP_SEND; 4336 node_perm = NODE__RAWIP_SEND; 4337 send_perm = 0; 4338 break; 4339 } 4340 4341 err = sel_netif_sid(ifindex, &if_sid); 4342 if (err) 4343 return err; 4344 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 4345 return err; 4346 4347 err = sel_netnode_sid(addrp, family, &node_sid); 4348 if (err) 4349 return err; 4350 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad); 4351 if (err) 4352 return err; 4353 4354 if (send_perm != 0) 4355 return 0; 4356 4357 err = security_port_sid(sk->sk_family, sk->sk_type, 4358 sk->sk_protocol, ntohs(ad->u.net.dport), 4359 &port_sid); 4360 if (unlikely(err)) { 4361 printk(KERN_WARNING 4362 "SELinux: failure in" 4363 " selinux_ip_postroute_iptables_compat()," 4364 " network port label not found\n"); 4365 return err; 4366 } 4367 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad); 4368 } 4369 4370 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 4371 int ifindex, 4372 struct avc_audit_data *ad, 4373 u16 family, 4374 char *addrp, 4375 u8 proto) 4376 { 4377 struct sock *sk = skb->sk; 4378 struct sk_security_struct *sksec; 4379 4380 if (sk == NULL) 4381 return NF_ACCEPT; 4382 sksec = sk->sk_security; 4383 4384 if (selinux_compat_net) { 4385 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex, 4386 ad, family, addrp)) 4387 return NF_DROP; 4388 } else { 4389 if (avc_has_perm(sksec->sid, skb->secmark, 4390 SECCLASS_PACKET, PACKET__SEND, ad)) 4391 return NF_DROP; 4392 } 4393 4394 if (selinux_policycap_netpeer) 4395 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto)) 4396 return NF_DROP; 4397 4398 return NF_ACCEPT; 4399 } 4400 4401 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, 4402 u16 family) 4403 { 4404 u32 secmark_perm; 4405 u32 peer_sid; 4406 struct sock *sk; 4407 struct avc_audit_data ad; 4408 char *addrp; 4409 u8 proto; 4410 u8 secmark_active; 4411 u8 peerlbl_active; 4412 4413 AVC_AUDIT_DATA_INIT(&ad, NET); 4414 ad.u.net.netif = ifindex; 4415 ad.u.net.family = family; 4416 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 4417 return NF_DROP; 4418 4419 /* If any sort of compatibility mode is enabled then handoff processing 4420 * to the selinux_ip_postroute_compat() function to deal with the 4421 * special handling. We do this in an attempt to keep this function 4422 * as fast and as clean as possible. */ 4423 if (selinux_compat_net || !selinux_policycap_netpeer) 4424 return selinux_ip_postroute_compat(skb, ifindex, &ad, 4425 family, addrp, proto); 4426 4427 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 4428 * packet transformation so allow the packet to pass without any checks 4429 * since we'll have another chance to perform access control checks 4430 * when the packet is on it's final way out. 4431 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 4432 * is NULL, in this case go ahead and apply access control. */ 4433 if (skb->dst != NULL && skb->dst->xfrm != NULL) 4434 return NF_ACCEPT; 4435 4436 secmark_active = selinux_secmark_enabled(); 4437 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); 4438 if (!secmark_active && !peerlbl_active) 4439 return NF_ACCEPT; 4440 4441 /* if the packet is locally generated (skb->sk != NULL) then use the 4442 * socket's label as the peer label, otherwise the packet is being 4443 * forwarded through this system and we need to fetch the peer label 4444 * directly from the packet */ 4445 sk = skb->sk; 4446 if (sk) { 4447 struct sk_security_struct *sksec = sk->sk_security; 4448 peer_sid = sksec->sid; 4449 secmark_perm = PACKET__SEND; 4450 } else { 4451 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 4452 return NF_DROP; 4453 secmark_perm = PACKET__FORWARD_OUT; 4454 } 4455 4456 if (secmark_active) 4457 if (avc_has_perm(peer_sid, skb->secmark, 4458 SECCLASS_PACKET, secmark_perm, &ad)) 4459 return NF_DROP; 4460 4461 if (peerlbl_active) { 4462 u32 if_sid; 4463 u32 node_sid; 4464 4465 if (sel_netif_sid(ifindex, &if_sid)) 4466 return NF_DROP; 4467 if (avc_has_perm(peer_sid, if_sid, 4468 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 4469 return NF_DROP; 4470 4471 if (sel_netnode_sid(addrp, family, &node_sid)) 4472 return NF_DROP; 4473 if (avc_has_perm(peer_sid, node_sid, 4474 SECCLASS_NODE, NODE__SENDTO, &ad)) 4475 return NF_DROP; 4476 } 4477 4478 return NF_ACCEPT; 4479 } 4480 4481 static unsigned int selinux_ipv4_postroute(unsigned int hooknum, 4482 struct sk_buff *skb, 4483 const struct net_device *in, 4484 const struct net_device *out, 4485 int (*okfn)(struct sk_buff *)) 4486 { 4487 return selinux_ip_postroute(skb, out->ifindex, PF_INET); 4488 } 4489 4490 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4491 static unsigned int selinux_ipv6_postroute(unsigned int hooknum, 4492 struct sk_buff *skb, 4493 const struct net_device *in, 4494 const struct net_device *out, 4495 int (*okfn)(struct sk_buff *)) 4496 { 4497 return selinux_ip_postroute(skb, out->ifindex, PF_INET6); 4498 } 4499 #endif /* IPV6 */ 4500 4501 #endif /* CONFIG_NETFILTER */ 4502 4503 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 4504 { 4505 int err; 4506 4507 err = secondary_ops->netlink_send(sk, skb); 4508 if (err) 4509 return err; 4510 4511 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS) 4512 err = selinux_nlmsg_perm(sk, skb); 4513 4514 return err; 4515 } 4516 4517 static int selinux_netlink_recv(struct sk_buff *skb, int capability) 4518 { 4519 int err; 4520 struct avc_audit_data ad; 4521 4522 err = secondary_ops->netlink_recv(skb, capability); 4523 if (err) 4524 return err; 4525 4526 AVC_AUDIT_DATA_INIT(&ad, CAP); 4527 ad.u.cap = capability; 4528 4529 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, 4530 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad); 4531 } 4532 4533 static int ipc_alloc_security(struct task_struct *task, 4534 struct kern_ipc_perm *perm, 4535 u16 sclass) 4536 { 4537 struct task_security_struct *tsec = task->security; 4538 struct ipc_security_struct *isec; 4539 4540 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 4541 if (!isec) 4542 return -ENOMEM; 4543 4544 isec->sclass = sclass; 4545 isec->ipc_perm = perm; 4546 isec->sid = tsec->sid; 4547 perm->security = isec; 4548 4549 return 0; 4550 } 4551 4552 static void ipc_free_security(struct kern_ipc_perm *perm) 4553 { 4554 struct ipc_security_struct *isec = perm->security; 4555 perm->security = NULL; 4556 kfree(isec); 4557 } 4558 4559 static int msg_msg_alloc_security(struct msg_msg *msg) 4560 { 4561 struct msg_security_struct *msec; 4562 4563 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 4564 if (!msec) 4565 return -ENOMEM; 4566 4567 msec->msg = msg; 4568 msec->sid = SECINITSID_UNLABELED; 4569 msg->security = msec; 4570 4571 return 0; 4572 } 4573 4574 static void msg_msg_free_security(struct msg_msg *msg) 4575 { 4576 struct msg_security_struct *msec = msg->security; 4577 4578 msg->security = NULL; 4579 kfree(msec); 4580 } 4581 4582 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 4583 u32 perms) 4584 { 4585 struct task_security_struct *tsec; 4586 struct ipc_security_struct *isec; 4587 struct avc_audit_data ad; 4588 4589 tsec = current->security; 4590 isec = ipc_perms->security; 4591 4592 AVC_AUDIT_DATA_INIT(&ad, IPC); 4593 ad.u.ipc_id = ipc_perms->key; 4594 4595 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 4596 } 4597 4598 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 4599 { 4600 return msg_msg_alloc_security(msg); 4601 } 4602 4603 static void selinux_msg_msg_free_security(struct msg_msg *msg) 4604 { 4605 msg_msg_free_security(msg); 4606 } 4607 4608 /* message queue security operations */ 4609 static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 4610 { 4611 struct task_security_struct *tsec; 4612 struct ipc_security_struct *isec; 4613 struct avc_audit_data ad; 4614 int rc; 4615 4616 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ); 4617 if (rc) 4618 return rc; 4619 4620 tsec = current->security; 4621 isec = msq->q_perm.security; 4622 4623 AVC_AUDIT_DATA_INIT(&ad, IPC); 4624 ad.u.ipc_id = msq->q_perm.key; 4625 4626 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 4627 MSGQ__CREATE, &ad); 4628 if (rc) { 4629 ipc_free_security(&msq->q_perm); 4630 return rc; 4631 } 4632 return 0; 4633 } 4634 4635 static void selinux_msg_queue_free_security(struct msg_queue *msq) 4636 { 4637 ipc_free_security(&msq->q_perm); 4638 } 4639 4640 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 4641 { 4642 struct task_security_struct *tsec; 4643 struct ipc_security_struct *isec; 4644 struct avc_audit_data ad; 4645 4646 tsec = current->security; 4647 isec = msq->q_perm.security; 4648 4649 AVC_AUDIT_DATA_INIT(&ad, IPC); 4650 ad.u.ipc_id = msq->q_perm.key; 4651 4652 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 4653 MSGQ__ASSOCIATE, &ad); 4654 } 4655 4656 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 4657 { 4658 int err; 4659 int perms; 4660 4661 switch(cmd) { 4662 case IPC_INFO: 4663 case MSG_INFO: 4664 /* No specific object, just general system-wide information. */ 4665 return task_has_system(current, SYSTEM__IPC_INFO); 4666 case IPC_STAT: 4667 case MSG_STAT: 4668 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 4669 break; 4670 case IPC_SET: 4671 perms = MSGQ__SETATTR; 4672 break; 4673 case IPC_RMID: 4674 perms = MSGQ__DESTROY; 4675 break; 4676 default: 4677 return 0; 4678 } 4679 4680 err = ipc_has_perm(&msq->q_perm, perms); 4681 return err; 4682 } 4683 4684 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 4685 { 4686 struct task_security_struct *tsec; 4687 struct ipc_security_struct *isec; 4688 struct msg_security_struct *msec; 4689 struct avc_audit_data ad; 4690 int rc; 4691 4692 tsec = current->security; 4693 isec = msq->q_perm.security; 4694 msec = msg->security; 4695 4696 /* 4697 * First time through, need to assign label to the message 4698 */ 4699 if (msec->sid == SECINITSID_UNLABELED) { 4700 /* 4701 * Compute new sid based on current process and 4702 * message queue this message will be stored in 4703 */ 4704 rc = security_transition_sid(tsec->sid, 4705 isec->sid, 4706 SECCLASS_MSG, 4707 &msec->sid); 4708 if (rc) 4709 return rc; 4710 } 4711 4712 AVC_AUDIT_DATA_INIT(&ad, IPC); 4713 ad.u.ipc_id = msq->q_perm.key; 4714 4715 /* Can this process write to the queue? */ 4716 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 4717 MSGQ__WRITE, &ad); 4718 if (!rc) 4719 /* Can this process send the message */ 4720 rc = avc_has_perm(tsec->sid, msec->sid, 4721 SECCLASS_MSG, MSG__SEND, &ad); 4722 if (!rc) 4723 /* Can the message be put in the queue? */ 4724 rc = avc_has_perm(msec->sid, isec->sid, 4725 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad); 4726 4727 return rc; 4728 } 4729 4730 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 4731 struct task_struct *target, 4732 long type, int mode) 4733 { 4734 struct task_security_struct *tsec; 4735 struct ipc_security_struct *isec; 4736 struct msg_security_struct *msec; 4737 struct avc_audit_data ad; 4738 int rc; 4739 4740 tsec = target->security; 4741 isec = msq->q_perm.security; 4742 msec = msg->security; 4743 4744 AVC_AUDIT_DATA_INIT(&ad, IPC); 4745 ad.u.ipc_id = msq->q_perm.key; 4746 4747 rc = avc_has_perm(tsec->sid, isec->sid, 4748 SECCLASS_MSGQ, MSGQ__READ, &ad); 4749 if (!rc) 4750 rc = avc_has_perm(tsec->sid, msec->sid, 4751 SECCLASS_MSG, MSG__RECEIVE, &ad); 4752 return rc; 4753 } 4754 4755 /* Shared Memory security operations */ 4756 static int selinux_shm_alloc_security(struct shmid_kernel *shp) 4757 { 4758 struct task_security_struct *tsec; 4759 struct ipc_security_struct *isec; 4760 struct avc_audit_data ad; 4761 int rc; 4762 4763 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM); 4764 if (rc) 4765 return rc; 4766 4767 tsec = current->security; 4768 isec = shp->shm_perm.security; 4769 4770 AVC_AUDIT_DATA_INIT(&ad, IPC); 4771 ad.u.ipc_id = shp->shm_perm.key; 4772 4773 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 4774 SHM__CREATE, &ad); 4775 if (rc) { 4776 ipc_free_security(&shp->shm_perm); 4777 return rc; 4778 } 4779 return 0; 4780 } 4781 4782 static void selinux_shm_free_security(struct shmid_kernel *shp) 4783 { 4784 ipc_free_security(&shp->shm_perm); 4785 } 4786 4787 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 4788 { 4789 struct task_security_struct *tsec; 4790 struct ipc_security_struct *isec; 4791 struct avc_audit_data ad; 4792 4793 tsec = current->security; 4794 isec = shp->shm_perm.security; 4795 4796 AVC_AUDIT_DATA_INIT(&ad, IPC); 4797 ad.u.ipc_id = shp->shm_perm.key; 4798 4799 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 4800 SHM__ASSOCIATE, &ad); 4801 } 4802 4803 /* Note, at this point, shp is locked down */ 4804 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 4805 { 4806 int perms; 4807 int err; 4808 4809 switch(cmd) { 4810 case IPC_INFO: 4811 case SHM_INFO: 4812 /* No specific object, just general system-wide information. */ 4813 return task_has_system(current, SYSTEM__IPC_INFO); 4814 case IPC_STAT: 4815 case SHM_STAT: 4816 perms = SHM__GETATTR | SHM__ASSOCIATE; 4817 break; 4818 case IPC_SET: 4819 perms = SHM__SETATTR; 4820 break; 4821 case SHM_LOCK: 4822 case SHM_UNLOCK: 4823 perms = SHM__LOCK; 4824 break; 4825 case IPC_RMID: 4826 perms = SHM__DESTROY; 4827 break; 4828 default: 4829 return 0; 4830 } 4831 4832 err = ipc_has_perm(&shp->shm_perm, perms); 4833 return err; 4834 } 4835 4836 static int selinux_shm_shmat(struct shmid_kernel *shp, 4837 char __user *shmaddr, int shmflg) 4838 { 4839 u32 perms; 4840 int rc; 4841 4842 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg); 4843 if (rc) 4844 return rc; 4845 4846 if (shmflg & SHM_RDONLY) 4847 perms = SHM__READ; 4848 else 4849 perms = SHM__READ | SHM__WRITE; 4850 4851 return ipc_has_perm(&shp->shm_perm, perms); 4852 } 4853 4854 /* Semaphore security operations */ 4855 static int selinux_sem_alloc_security(struct sem_array *sma) 4856 { 4857 struct task_security_struct *tsec; 4858 struct ipc_security_struct *isec; 4859 struct avc_audit_data ad; 4860 int rc; 4861 4862 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM); 4863 if (rc) 4864 return rc; 4865 4866 tsec = current->security; 4867 isec = sma->sem_perm.security; 4868 4869 AVC_AUDIT_DATA_INIT(&ad, IPC); 4870 ad.u.ipc_id = sma->sem_perm.key; 4871 4872 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 4873 SEM__CREATE, &ad); 4874 if (rc) { 4875 ipc_free_security(&sma->sem_perm); 4876 return rc; 4877 } 4878 return 0; 4879 } 4880 4881 static void selinux_sem_free_security(struct sem_array *sma) 4882 { 4883 ipc_free_security(&sma->sem_perm); 4884 } 4885 4886 static int selinux_sem_associate(struct sem_array *sma, int semflg) 4887 { 4888 struct task_security_struct *tsec; 4889 struct ipc_security_struct *isec; 4890 struct avc_audit_data ad; 4891 4892 tsec = current->security; 4893 isec = sma->sem_perm.security; 4894 4895 AVC_AUDIT_DATA_INIT(&ad, IPC); 4896 ad.u.ipc_id = sma->sem_perm.key; 4897 4898 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 4899 SEM__ASSOCIATE, &ad); 4900 } 4901 4902 /* Note, at this point, sma is locked down */ 4903 static int selinux_sem_semctl(struct sem_array *sma, int cmd) 4904 { 4905 int err; 4906 u32 perms; 4907 4908 switch(cmd) { 4909 case IPC_INFO: 4910 case SEM_INFO: 4911 /* No specific object, just general system-wide information. */ 4912 return task_has_system(current, SYSTEM__IPC_INFO); 4913 case GETPID: 4914 case GETNCNT: 4915 case GETZCNT: 4916 perms = SEM__GETATTR; 4917 break; 4918 case GETVAL: 4919 case GETALL: 4920 perms = SEM__READ; 4921 break; 4922 case SETVAL: 4923 case SETALL: 4924 perms = SEM__WRITE; 4925 break; 4926 case IPC_RMID: 4927 perms = SEM__DESTROY; 4928 break; 4929 case IPC_SET: 4930 perms = SEM__SETATTR; 4931 break; 4932 case IPC_STAT: 4933 case SEM_STAT: 4934 perms = SEM__GETATTR | SEM__ASSOCIATE; 4935 break; 4936 default: 4937 return 0; 4938 } 4939 4940 err = ipc_has_perm(&sma->sem_perm, perms); 4941 return err; 4942 } 4943 4944 static int selinux_sem_semop(struct sem_array *sma, 4945 struct sembuf *sops, unsigned nsops, int alter) 4946 { 4947 u32 perms; 4948 4949 if (alter) 4950 perms = SEM__READ | SEM__WRITE; 4951 else 4952 perms = SEM__READ; 4953 4954 return ipc_has_perm(&sma->sem_perm, perms); 4955 } 4956 4957 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 4958 { 4959 u32 av = 0; 4960 4961 av = 0; 4962 if (flag & S_IRUGO) 4963 av |= IPC__UNIX_READ; 4964 if (flag & S_IWUGO) 4965 av |= IPC__UNIX_WRITE; 4966 4967 if (av == 0) 4968 return 0; 4969 4970 return ipc_has_perm(ipcp, av); 4971 } 4972 4973 /* module stacking operations */ 4974 static int selinux_register_security (const char *name, struct security_operations *ops) 4975 { 4976 if (secondary_ops != original_ops) { 4977 printk(KERN_ERR "%s: There is already a secondary security " 4978 "module registered.\n", __FUNCTION__); 4979 return -EINVAL; 4980 } 4981 4982 secondary_ops = ops; 4983 4984 printk(KERN_INFO "%s: Registering secondary module %s\n", 4985 __FUNCTION__, 4986 name); 4987 4988 return 0; 4989 } 4990 4991 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode) 4992 { 4993 if (inode) 4994 inode_doinit_with_dentry(inode, dentry); 4995 } 4996 4997 static int selinux_getprocattr(struct task_struct *p, 4998 char *name, char **value) 4999 { 5000 struct task_security_struct *tsec; 5001 u32 sid; 5002 int error; 5003 unsigned len; 5004 5005 if (current != p) { 5006 error = task_has_perm(current, p, PROCESS__GETATTR); 5007 if (error) 5008 return error; 5009 } 5010 5011 tsec = p->security; 5012 5013 if (!strcmp(name, "current")) 5014 sid = tsec->sid; 5015 else if (!strcmp(name, "prev")) 5016 sid = tsec->osid; 5017 else if (!strcmp(name, "exec")) 5018 sid = tsec->exec_sid; 5019 else if (!strcmp(name, "fscreate")) 5020 sid = tsec->create_sid; 5021 else if (!strcmp(name, "keycreate")) 5022 sid = tsec->keycreate_sid; 5023 else if (!strcmp(name, "sockcreate")) 5024 sid = tsec->sockcreate_sid; 5025 else 5026 return -EINVAL; 5027 5028 if (!sid) 5029 return 0; 5030 5031 error = security_sid_to_context(sid, value, &len); 5032 if (error) 5033 return error; 5034 return len; 5035 } 5036 5037 static int selinux_setprocattr(struct task_struct *p, 5038 char *name, void *value, size_t size) 5039 { 5040 struct task_security_struct *tsec; 5041 u32 sid = 0; 5042 int error; 5043 char *str = value; 5044 5045 if (current != p) { 5046 /* SELinux only allows a process to change its own 5047 security attributes. */ 5048 return -EACCES; 5049 } 5050 5051 /* 5052 * Basic control over ability to set these attributes at all. 5053 * current == p, but we'll pass them separately in case the 5054 * above restriction is ever removed. 5055 */ 5056 if (!strcmp(name, "exec")) 5057 error = task_has_perm(current, p, PROCESS__SETEXEC); 5058 else if (!strcmp(name, "fscreate")) 5059 error = task_has_perm(current, p, PROCESS__SETFSCREATE); 5060 else if (!strcmp(name, "keycreate")) 5061 error = task_has_perm(current, p, PROCESS__SETKEYCREATE); 5062 else if (!strcmp(name, "sockcreate")) 5063 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE); 5064 else if (!strcmp(name, "current")) 5065 error = task_has_perm(current, p, PROCESS__SETCURRENT); 5066 else 5067 error = -EINVAL; 5068 if (error) 5069 return error; 5070 5071 /* Obtain a SID for the context, if one was specified. */ 5072 if (size && str[1] && str[1] != '\n') { 5073 if (str[size-1] == '\n') { 5074 str[size-1] = 0; 5075 size--; 5076 } 5077 error = security_context_to_sid(value, size, &sid); 5078 if (error) 5079 return error; 5080 } 5081 5082 /* Permission checking based on the specified context is 5083 performed during the actual operation (execve, 5084 open/mkdir/...), when we know the full context of the 5085 operation. See selinux_bprm_set_security for the execve 5086 checks and may_create for the file creation checks. The 5087 operation will then fail if the context is not permitted. */ 5088 tsec = p->security; 5089 if (!strcmp(name, "exec")) 5090 tsec->exec_sid = sid; 5091 else if (!strcmp(name, "fscreate")) 5092 tsec->create_sid = sid; 5093 else if (!strcmp(name, "keycreate")) { 5094 error = may_create_key(sid, p); 5095 if (error) 5096 return error; 5097 tsec->keycreate_sid = sid; 5098 } else if (!strcmp(name, "sockcreate")) 5099 tsec->sockcreate_sid = sid; 5100 else if (!strcmp(name, "current")) { 5101 struct av_decision avd; 5102 5103 if (sid == 0) 5104 return -EINVAL; 5105 5106 /* Only allow single threaded processes to change context */ 5107 if (atomic_read(&p->mm->mm_users) != 1) { 5108 struct task_struct *g, *t; 5109 struct mm_struct *mm = p->mm; 5110 read_lock(&tasklist_lock); 5111 do_each_thread(g, t) 5112 if (t->mm == mm && t != p) { 5113 read_unlock(&tasklist_lock); 5114 return -EPERM; 5115 } 5116 while_each_thread(g, t); 5117 read_unlock(&tasklist_lock); 5118 } 5119 5120 /* Check permissions for the transition. */ 5121 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 5122 PROCESS__DYNTRANSITION, NULL); 5123 if (error) 5124 return error; 5125 5126 /* Check for ptracing, and update the task SID if ok. 5127 Otherwise, leave SID unchanged and fail. */ 5128 task_lock(p); 5129 if (p->ptrace & PT_PTRACED) { 5130 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid, 5131 SECCLASS_PROCESS, 5132 PROCESS__PTRACE, 0, &avd); 5133 if (!error) 5134 tsec->sid = sid; 5135 task_unlock(p); 5136 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS, 5137 PROCESS__PTRACE, &avd, error, NULL); 5138 if (error) 5139 return error; 5140 } else { 5141 tsec->sid = sid; 5142 task_unlock(p); 5143 } 5144 } 5145 else 5146 return -EINVAL; 5147 5148 return size; 5149 } 5150 5151 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 5152 { 5153 return security_sid_to_context(secid, secdata, seclen); 5154 } 5155 5156 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid) 5157 { 5158 return security_context_to_sid(secdata, seclen, secid); 5159 } 5160 5161 static void selinux_release_secctx(char *secdata, u32 seclen) 5162 { 5163 kfree(secdata); 5164 } 5165 5166 #ifdef CONFIG_KEYS 5167 5168 static int selinux_key_alloc(struct key *k, struct task_struct *tsk, 5169 unsigned long flags) 5170 { 5171 struct task_security_struct *tsec = tsk->security; 5172 struct key_security_struct *ksec; 5173 5174 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 5175 if (!ksec) 5176 return -ENOMEM; 5177 5178 ksec->obj = k; 5179 if (tsec->keycreate_sid) 5180 ksec->sid = tsec->keycreate_sid; 5181 else 5182 ksec->sid = tsec->sid; 5183 k->security = ksec; 5184 5185 return 0; 5186 } 5187 5188 static void selinux_key_free(struct key *k) 5189 { 5190 struct key_security_struct *ksec = k->security; 5191 5192 k->security = NULL; 5193 kfree(ksec); 5194 } 5195 5196 static int selinux_key_permission(key_ref_t key_ref, 5197 struct task_struct *ctx, 5198 key_perm_t perm) 5199 { 5200 struct key *key; 5201 struct task_security_struct *tsec; 5202 struct key_security_struct *ksec; 5203 5204 key = key_ref_to_ptr(key_ref); 5205 5206 tsec = ctx->security; 5207 ksec = key->security; 5208 5209 /* if no specific permissions are requested, we skip the 5210 permission check. No serious, additional covert channels 5211 appear to be created. */ 5212 if (perm == 0) 5213 return 0; 5214 5215 return avc_has_perm(tsec->sid, ksec->sid, 5216 SECCLASS_KEY, perm, NULL); 5217 } 5218 5219 #endif 5220 5221 static struct security_operations selinux_ops = { 5222 .ptrace = selinux_ptrace, 5223 .capget = selinux_capget, 5224 .capset_check = selinux_capset_check, 5225 .capset_set = selinux_capset_set, 5226 .sysctl = selinux_sysctl, 5227 .capable = selinux_capable, 5228 .quotactl = selinux_quotactl, 5229 .quota_on = selinux_quota_on, 5230 .syslog = selinux_syslog, 5231 .vm_enough_memory = selinux_vm_enough_memory, 5232 5233 .netlink_send = selinux_netlink_send, 5234 .netlink_recv = selinux_netlink_recv, 5235 5236 .bprm_alloc_security = selinux_bprm_alloc_security, 5237 .bprm_free_security = selinux_bprm_free_security, 5238 .bprm_apply_creds = selinux_bprm_apply_creds, 5239 .bprm_post_apply_creds = selinux_bprm_post_apply_creds, 5240 .bprm_set_security = selinux_bprm_set_security, 5241 .bprm_check_security = selinux_bprm_check_security, 5242 .bprm_secureexec = selinux_bprm_secureexec, 5243 5244 .sb_alloc_security = selinux_sb_alloc_security, 5245 .sb_free_security = selinux_sb_free_security, 5246 .sb_copy_data = selinux_sb_copy_data, 5247 .sb_kern_mount = selinux_sb_kern_mount, 5248 .sb_statfs = selinux_sb_statfs, 5249 .sb_mount = selinux_mount, 5250 .sb_umount = selinux_umount, 5251 .sb_get_mnt_opts = selinux_get_mnt_opts, 5252 .sb_set_mnt_opts = selinux_set_mnt_opts, 5253 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts, 5254 5255 .inode_alloc_security = selinux_inode_alloc_security, 5256 .inode_free_security = selinux_inode_free_security, 5257 .inode_init_security = selinux_inode_init_security, 5258 .inode_create = selinux_inode_create, 5259 .inode_link = selinux_inode_link, 5260 .inode_unlink = selinux_inode_unlink, 5261 .inode_symlink = selinux_inode_symlink, 5262 .inode_mkdir = selinux_inode_mkdir, 5263 .inode_rmdir = selinux_inode_rmdir, 5264 .inode_mknod = selinux_inode_mknod, 5265 .inode_rename = selinux_inode_rename, 5266 .inode_readlink = selinux_inode_readlink, 5267 .inode_follow_link = selinux_inode_follow_link, 5268 .inode_permission = selinux_inode_permission, 5269 .inode_setattr = selinux_inode_setattr, 5270 .inode_getattr = selinux_inode_getattr, 5271 .inode_setxattr = selinux_inode_setxattr, 5272 .inode_post_setxattr = selinux_inode_post_setxattr, 5273 .inode_getxattr = selinux_inode_getxattr, 5274 .inode_listxattr = selinux_inode_listxattr, 5275 .inode_removexattr = selinux_inode_removexattr, 5276 .inode_getsecurity = selinux_inode_getsecurity, 5277 .inode_setsecurity = selinux_inode_setsecurity, 5278 .inode_listsecurity = selinux_inode_listsecurity, 5279 .inode_need_killpriv = selinux_inode_need_killpriv, 5280 .inode_killpriv = selinux_inode_killpriv, 5281 5282 .file_permission = selinux_file_permission, 5283 .file_alloc_security = selinux_file_alloc_security, 5284 .file_free_security = selinux_file_free_security, 5285 .file_ioctl = selinux_file_ioctl, 5286 .file_mmap = selinux_file_mmap, 5287 .file_mprotect = selinux_file_mprotect, 5288 .file_lock = selinux_file_lock, 5289 .file_fcntl = selinux_file_fcntl, 5290 .file_set_fowner = selinux_file_set_fowner, 5291 .file_send_sigiotask = selinux_file_send_sigiotask, 5292 .file_receive = selinux_file_receive, 5293 5294 .dentry_open = selinux_dentry_open, 5295 5296 .task_create = selinux_task_create, 5297 .task_alloc_security = selinux_task_alloc_security, 5298 .task_free_security = selinux_task_free_security, 5299 .task_setuid = selinux_task_setuid, 5300 .task_post_setuid = selinux_task_post_setuid, 5301 .task_setgid = selinux_task_setgid, 5302 .task_setpgid = selinux_task_setpgid, 5303 .task_getpgid = selinux_task_getpgid, 5304 .task_getsid = selinux_task_getsid, 5305 .task_getsecid = selinux_task_getsecid, 5306 .task_setgroups = selinux_task_setgroups, 5307 .task_setnice = selinux_task_setnice, 5308 .task_setioprio = selinux_task_setioprio, 5309 .task_getioprio = selinux_task_getioprio, 5310 .task_setrlimit = selinux_task_setrlimit, 5311 .task_setscheduler = selinux_task_setscheduler, 5312 .task_getscheduler = selinux_task_getscheduler, 5313 .task_movememory = selinux_task_movememory, 5314 .task_kill = selinux_task_kill, 5315 .task_wait = selinux_task_wait, 5316 .task_prctl = selinux_task_prctl, 5317 .task_reparent_to_init = selinux_task_reparent_to_init, 5318 .task_to_inode = selinux_task_to_inode, 5319 5320 .ipc_permission = selinux_ipc_permission, 5321 5322 .msg_msg_alloc_security = selinux_msg_msg_alloc_security, 5323 .msg_msg_free_security = selinux_msg_msg_free_security, 5324 5325 .msg_queue_alloc_security = selinux_msg_queue_alloc_security, 5326 .msg_queue_free_security = selinux_msg_queue_free_security, 5327 .msg_queue_associate = selinux_msg_queue_associate, 5328 .msg_queue_msgctl = selinux_msg_queue_msgctl, 5329 .msg_queue_msgsnd = selinux_msg_queue_msgsnd, 5330 .msg_queue_msgrcv = selinux_msg_queue_msgrcv, 5331 5332 .shm_alloc_security = selinux_shm_alloc_security, 5333 .shm_free_security = selinux_shm_free_security, 5334 .shm_associate = selinux_shm_associate, 5335 .shm_shmctl = selinux_shm_shmctl, 5336 .shm_shmat = selinux_shm_shmat, 5337 5338 .sem_alloc_security = selinux_sem_alloc_security, 5339 .sem_free_security = selinux_sem_free_security, 5340 .sem_associate = selinux_sem_associate, 5341 .sem_semctl = selinux_sem_semctl, 5342 .sem_semop = selinux_sem_semop, 5343 5344 .register_security = selinux_register_security, 5345 5346 .d_instantiate = selinux_d_instantiate, 5347 5348 .getprocattr = selinux_getprocattr, 5349 .setprocattr = selinux_setprocattr, 5350 5351 .secid_to_secctx = selinux_secid_to_secctx, 5352 .secctx_to_secid = selinux_secctx_to_secid, 5353 .release_secctx = selinux_release_secctx, 5354 5355 .unix_stream_connect = selinux_socket_unix_stream_connect, 5356 .unix_may_send = selinux_socket_unix_may_send, 5357 5358 .socket_create = selinux_socket_create, 5359 .socket_post_create = selinux_socket_post_create, 5360 .socket_bind = selinux_socket_bind, 5361 .socket_connect = selinux_socket_connect, 5362 .socket_listen = selinux_socket_listen, 5363 .socket_accept = selinux_socket_accept, 5364 .socket_sendmsg = selinux_socket_sendmsg, 5365 .socket_recvmsg = selinux_socket_recvmsg, 5366 .socket_getsockname = selinux_socket_getsockname, 5367 .socket_getpeername = selinux_socket_getpeername, 5368 .socket_getsockopt = selinux_socket_getsockopt, 5369 .socket_setsockopt = selinux_socket_setsockopt, 5370 .socket_shutdown = selinux_socket_shutdown, 5371 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb, 5372 .socket_getpeersec_stream = selinux_socket_getpeersec_stream, 5373 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram, 5374 .sk_alloc_security = selinux_sk_alloc_security, 5375 .sk_free_security = selinux_sk_free_security, 5376 .sk_clone_security = selinux_sk_clone_security, 5377 .sk_getsecid = selinux_sk_getsecid, 5378 .sock_graft = selinux_sock_graft, 5379 .inet_conn_request = selinux_inet_conn_request, 5380 .inet_csk_clone = selinux_inet_csk_clone, 5381 .inet_conn_established = selinux_inet_conn_established, 5382 .req_classify_flow = selinux_req_classify_flow, 5383 5384 #ifdef CONFIG_SECURITY_NETWORK_XFRM 5385 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, 5386 .xfrm_policy_clone_security = selinux_xfrm_policy_clone, 5387 .xfrm_policy_free_security = selinux_xfrm_policy_free, 5388 .xfrm_policy_delete_security = selinux_xfrm_policy_delete, 5389 .xfrm_state_alloc_security = selinux_xfrm_state_alloc, 5390 .xfrm_state_free_security = selinux_xfrm_state_free, 5391 .xfrm_state_delete_security = selinux_xfrm_state_delete, 5392 .xfrm_policy_lookup = selinux_xfrm_policy_lookup, 5393 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match, 5394 .xfrm_decode_session = selinux_xfrm_decode_session, 5395 #endif 5396 5397 #ifdef CONFIG_KEYS 5398 .key_alloc = selinux_key_alloc, 5399 .key_free = selinux_key_free, 5400 .key_permission = selinux_key_permission, 5401 #endif 5402 }; 5403 5404 static __init int selinux_init(void) 5405 { 5406 struct task_security_struct *tsec; 5407 5408 if (!selinux_enabled) { 5409 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 5410 return 0; 5411 } 5412 5413 printk(KERN_INFO "SELinux: Initializing.\n"); 5414 5415 /* Set the security state for the initial task. */ 5416 if (task_alloc_security(current)) 5417 panic("SELinux: Failed to initialize initial task.\n"); 5418 tsec = current->security; 5419 tsec->osid = tsec->sid = SECINITSID_KERNEL; 5420 5421 sel_inode_cache = kmem_cache_create("selinux_inode_security", 5422 sizeof(struct inode_security_struct), 5423 0, SLAB_PANIC, NULL); 5424 avc_init(); 5425 5426 original_ops = secondary_ops = security_ops; 5427 if (!secondary_ops) 5428 panic ("SELinux: No initial security operations\n"); 5429 if (register_security (&selinux_ops)) 5430 panic("SELinux: Unable to register with kernel.\n"); 5431 5432 if (selinux_enforcing) { 5433 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 5434 } else { 5435 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 5436 } 5437 5438 #ifdef CONFIG_KEYS 5439 /* Add security information to initial keyrings */ 5440 selinux_key_alloc(&root_user_keyring, current, 5441 KEY_ALLOC_NOT_IN_QUOTA); 5442 selinux_key_alloc(&root_session_keyring, current, 5443 KEY_ALLOC_NOT_IN_QUOTA); 5444 #endif 5445 5446 return 0; 5447 } 5448 5449 void selinux_complete_init(void) 5450 { 5451 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 5452 5453 /* Set up any superblocks initialized prior to the policy load. */ 5454 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 5455 spin_lock(&sb_lock); 5456 spin_lock(&sb_security_lock); 5457 next_sb: 5458 if (!list_empty(&superblock_security_head)) { 5459 struct superblock_security_struct *sbsec = 5460 list_entry(superblock_security_head.next, 5461 struct superblock_security_struct, 5462 list); 5463 struct super_block *sb = sbsec->sb; 5464 sb->s_count++; 5465 spin_unlock(&sb_security_lock); 5466 spin_unlock(&sb_lock); 5467 down_read(&sb->s_umount); 5468 if (sb->s_root) 5469 superblock_doinit(sb, NULL); 5470 drop_super(sb); 5471 spin_lock(&sb_lock); 5472 spin_lock(&sb_security_lock); 5473 list_del_init(&sbsec->list); 5474 goto next_sb; 5475 } 5476 spin_unlock(&sb_security_lock); 5477 spin_unlock(&sb_lock); 5478 } 5479 5480 /* SELinux requires early initialization in order to label 5481 all processes and objects when they are created. */ 5482 security_initcall(selinux_init); 5483 5484 #if defined(CONFIG_NETFILTER) 5485 5486 static struct nf_hook_ops selinux_ipv4_ops[] = { 5487 { 5488 .hook = selinux_ipv4_postroute, 5489 .owner = THIS_MODULE, 5490 .pf = PF_INET, 5491 .hooknum = NF_INET_POST_ROUTING, 5492 .priority = NF_IP_PRI_SELINUX_LAST, 5493 }, 5494 { 5495 .hook = selinux_ipv4_forward, 5496 .owner = THIS_MODULE, 5497 .pf = PF_INET, 5498 .hooknum = NF_INET_FORWARD, 5499 .priority = NF_IP_PRI_SELINUX_FIRST, 5500 } 5501 }; 5502 5503 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5504 5505 static struct nf_hook_ops selinux_ipv6_ops[] = { 5506 { 5507 .hook = selinux_ipv6_postroute, 5508 .owner = THIS_MODULE, 5509 .pf = PF_INET6, 5510 .hooknum = NF_INET_POST_ROUTING, 5511 .priority = NF_IP6_PRI_SELINUX_LAST, 5512 }, 5513 { 5514 .hook = selinux_ipv6_forward, 5515 .owner = THIS_MODULE, 5516 .pf = PF_INET6, 5517 .hooknum = NF_INET_FORWARD, 5518 .priority = NF_IP6_PRI_SELINUX_FIRST, 5519 } 5520 }; 5521 5522 #endif /* IPV6 */ 5523 5524 static int __init selinux_nf_ip_init(void) 5525 { 5526 int err = 0; 5527 u32 iter; 5528 5529 if (!selinux_enabled) 5530 goto out; 5531 5532 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 5533 5534 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) { 5535 err = nf_register_hook(&selinux_ipv4_ops[iter]); 5536 if (err) 5537 panic("SELinux: nf_register_hook for IPv4: error %d\n", 5538 err); 5539 } 5540 5541 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5542 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) { 5543 err = nf_register_hook(&selinux_ipv6_ops[iter]); 5544 if (err) 5545 panic("SELinux: nf_register_hook for IPv6: error %d\n", 5546 err); 5547 } 5548 #endif /* IPV6 */ 5549 5550 out: 5551 return err; 5552 } 5553 5554 __initcall(selinux_nf_ip_init); 5555 5556 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 5557 static void selinux_nf_ip_exit(void) 5558 { 5559 u32 iter; 5560 5561 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 5562 5563 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) 5564 nf_unregister_hook(&selinux_ipv4_ops[iter]); 5565 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5566 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) 5567 nf_unregister_hook(&selinux_ipv6_ops[iter]); 5568 #endif /* IPV6 */ 5569 } 5570 #endif 5571 5572 #else /* CONFIG_NETFILTER */ 5573 5574 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 5575 #define selinux_nf_ip_exit() 5576 #endif 5577 5578 #endif /* CONFIG_NETFILTER */ 5579 5580 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 5581 int selinux_disable(void) 5582 { 5583 extern void exit_sel_fs(void); 5584 static int selinux_disabled = 0; 5585 5586 if (ss_initialized) { 5587 /* Not permitted after initial policy load. */ 5588 return -EINVAL; 5589 } 5590 5591 if (selinux_disabled) { 5592 /* Only do this once. */ 5593 return -EINVAL; 5594 } 5595 5596 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 5597 5598 selinux_disabled = 1; 5599 selinux_enabled = 0; 5600 5601 /* Reset security_ops to the secondary module, dummy or capability. */ 5602 security_ops = secondary_ops; 5603 5604 /* Unregister netfilter hooks. */ 5605 selinux_nf_ip_exit(); 5606 5607 /* Unregister selinuxfs. */ 5608 exit_sel_fs(); 5609 5610 return 0; 5611 } 5612 #endif 5613 5614 5615