1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 14 * <dgoeddel@trustedcs.com> 15 * 16 * This program is free software; you can redistribute it and/or modify 17 * it under the terms of the GNU General Public License version 2, 18 * as published by the Free Software Foundation. 19 */ 20 21 #include <linux/module.h> 22 #include <linux/init.h> 23 #include <linux/kernel.h> 24 #include <linux/ptrace.h> 25 #include <linux/errno.h> 26 #include <linux/sched.h> 27 #include <linux/security.h> 28 #include <linux/xattr.h> 29 #include <linux/capability.h> 30 #include <linux/unistd.h> 31 #include <linux/mm.h> 32 #include <linux/mman.h> 33 #include <linux/slab.h> 34 #include <linux/pagemap.h> 35 #include <linux/swap.h> 36 #include <linux/smp_lock.h> 37 #include <linux/spinlock.h> 38 #include <linux/syscalls.h> 39 #include <linux/file.h> 40 #include <linux/namei.h> 41 #include <linux/mount.h> 42 #include <linux/ext2_fs.h> 43 #include <linux/proc_fs.h> 44 #include <linux/kd.h> 45 #include <linux/netfilter_ipv4.h> 46 #include <linux/netfilter_ipv6.h> 47 #include <linux/tty.h> 48 #include <net/icmp.h> 49 #include <net/ip.h> /* for sysctl_local_port_range[] */ 50 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 51 #include <asm/uaccess.h> 52 #include <asm/semaphore.h> 53 #include <asm/ioctls.h> 54 #include <linux/bitops.h> 55 #include <linux/interrupt.h> 56 #include <linux/netdevice.h> /* for network interface checks */ 57 #include <linux/netlink.h> 58 #include <linux/tcp.h> 59 #include <linux/udp.h> 60 #include <linux/quota.h> 61 #include <linux/un.h> /* for Unix socket types */ 62 #include <net/af_unix.h> /* for Unix socket types */ 63 #include <linux/parser.h> 64 #include <linux/nfs_mount.h> 65 #include <net/ipv6.h> 66 #include <linux/hugetlb.h> 67 #include <linux/personality.h> 68 #include <linux/sysctl.h> 69 #include <linux/audit.h> 70 #include <linux/string.h> 71 #include <linux/selinux.h> 72 73 #include "avc.h" 74 #include "objsec.h" 75 #include "netif.h" 76 #include "xfrm.h" 77 78 #define XATTR_SELINUX_SUFFIX "selinux" 79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX 80 81 extern unsigned int policydb_loaded_version; 82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); 83 extern int selinux_compat_net; 84 85 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 86 int selinux_enforcing = 0; 87 88 static int __init enforcing_setup(char *str) 89 { 90 selinux_enforcing = simple_strtol(str,NULL,0); 91 return 1; 92 } 93 __setup("enforcing=", enforcing_setup); 94 #endif 95 96 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 97 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 98 99 static int __init selinux_enabled_setup(char *str) 100 { 101 selinux_enabled = simple_strtol(str, NULL, 0); 102 return 1; 103 } 104 __setup("selinux=", selinux_enabled_setup); 105 #else 106 int selinux_enabled = 1; 107 #endif 108 109 /* Original (dummy) security module. */ 110 static struct security_operations *original_ops = NULL; 111 112 /* Minimal support for a secondary security module, 113 just to allow the use of the dummy or capability modules. 114 The owlsm module can alternatively be used as a secondary 115 module as long as CONFIG_OWLSM_FD is not enabled. */ 116 static struct security_operations *secondary_ops = NULL; 117 118 /* Lists of inode and superblock security structures initialized 119 before the policy was loaded. */ 120 static LIST_HEAD(superblock_security_head); 121 static DEFINE_SPINLOCK(sb_security_lock); 122 123 static kmem_cache_t *sel_inode_cache; 124 125 /* Return security context for a given sid or just the context 126 length if the buffer is null or length is 0 */ 127 static int selinux_getsecurity(u32 sid, void *buffer, size_t size) 128 { 129 char *context; 130 unsigned len; 131 int rc; 132 133 rc = security_sid_to_context(sid, &context, &len); 134 if (rc) 135 return rc; 136 137 if (!buffer || !size) 138 goto getsecurity_exit; 139 140 if (size < len) { 141 len = -ERANGE; 142 goto getsecurity_exit; 143 } 144 memcpy(buffer, context, len); 145 146 getsecurity_exit: 147 kfree(context); 148 return len; 149 } 150 151 /* Allocate and free functions for each kind of security blob. */ 152 153 static int task_alloc_security(struct task_struct *task) 154 { 155 struct task_security_struct *tsec; 156 157 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 158 if (!tsec) 159 return -ENOMEM; 160 161 tsec->task = task; 162 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED; 163 task->security = tsec; 164 165 return 0; 166 } 167 168 static void task_free_security(struct task_struct *task) 169 { 170 struct task_security_struct *tsec = task->security; 171 task->security = NULL; 172 kfree(tsec); 173 } 174 175 static int inode_alloc_security(struct inode *inode) 176 { 177 struct task_security_struct *tsec = current->security; 178 struct inode_security_struct *isec; 179 180 isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL); 181 if (!isec) 182 return -ENOMEM; 183 184 memset(isec, 0, sizeof(*isec)); 185 init_MUTEX(&isec->sem); 186 INIT_LIST_HEAD(&isec->list); 187 isec->inode = inode; 188 isec->sid = SECINITSID_UNLABELED; 189 isec->sclass = SECCLASS_FILE; 190 isec->task_sid = tsec->sid; 191 inode->i_security = isec; 192 193 return 0; 194 } 195 196 static void inode_free_security(struct inode *inode) 197 { 198 struct inode_security_struct *isec = inode->i_security; 199 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 200 201 spin_lock(&sbsec->isec_lock); 202 if (!list_empty(&isec->list)) 203 list_del_init(&isec->list); 204 spin_unlock(&sbsec->isec_lock); 205 206 inode->i_security = NULL; 207 kmem_cache_free(sel_inode_cache, isec); 208 } 209 210 static int file_alloc_security(struct file *file) 211 { 212 struct task_security_struct *tsec = current->security; 213 struct file_security_struct *fsec; 214 215 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); 216 if (!fsec) 217 return -ENOMEM; 218 219 fsec->file = file; 220 fsec->sid = tsec->sid; 221 fsec->fown_sid = tsec->sid; 222 file->f_security = fsec; 223 224 return 0; 225 } 226 227 static void file_free_security(struct file *file) 228 { 229 struct file_security_struct *fsec = file->f_security; 230 file->f_security = NULL; 231 kfree(fsec); 232 } 233 234 static int superblock_alloc_security(struct super_block *sb) 235 { 236 struct superblock_security_struct *sbsec; 237 238 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 239 if (!sbsec) 240 return -ENOMEM; 241 242 init_MUTEX(&sbsec->sem); 243 INIT_LIST_HEAD(&sbsec->list); 244 INIT_LIST_HEAD(&sbsec->isec_head); 245 spin_lock_init(&sbsec->isec_lock); 246 sbsec->sb = sb; 247 sbsec->sid = SECINITSID_UNLABELED; 248 sbsec->def_sid = SECINITSID_FILE; 249 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 250 sb->s_security = sbsec; 251 252 return 0; 253 } 254 255 static void superblock_free_security(struct super_block *sb) 256 { 257 struct superblock_security_struct *sbsec = sb->s_security; 258 259 spin_lock(&sb_security_lock); 260 if (!list_empty(&sbsec->list)) 261 list_del_init(&sbsec->list); 262 spin_unlock(&sb_security_lock); 263 264 sb->s_security = NULL; 265 kfree(sbsec); 266 } 267 268 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority) 269 { 270 struct sk_security_struct *ssec; 271 272 if (family != PF_UNIX) 273 return 0; 274 275 ssec = kzalloc(sizeof(*ssec), priority); 276 if (!ssec) 277 return -ENOMEM; 278 279 ssec->sk = sk; 280 ssec->peer_sid = SECINITSID_UNLABELED; 281 sk->sk_security = ssec; 282 283 return 0; 284 } 285 286 static void sk_free_security(struct sock *sk) 287 { 288 struct sk_security_struct *ssec = sk->sk_security; 289 290 if (sk->sk_family != PF_UNIX) 291 return; 292 293 sk->sk_security = NULL; 294 kfree(ssec); 295 } 296 297 /* The security server must be initialized before 298 any labeling or access decisions can be provided. */ 299 extern int ss_initialized; 300 301 /* The file system's label must be initialized prior to use. */ 302 303 static char *labeling_behaviors[6] = { 304 "uses xattr", 305 "uses transition SIDs", 306 "uses task SIDs", 307 "uses genfs_contexts", 308 "not configured for labeling", 309 "uses mountpoint labeling", 310 }; 311 312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 313 314 static inline int inode_doinit(struct inode *inode) 315 { 316 return inode_doinit_with_dentry(inode, NULL); 317 } 318 319 enum { 320 Opt_context = 1, 321 Opt_fscontext = 2, 322 Opt_defcontext = 4, 323 Opt_rootcontext = 8, 324 }; 325 326 static match_table_t tokens = { 327 {Opt_context, "context=%s"}, 328 {Opt_fscontext, "fscontext=%s"}, 329 {Opt_defcontext, "defcontext=%s"}, 330 {Opt_rootcontext, "rootcontext=%s"}, 331 }; 332 333 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 334 335 static int may_context_mount_sb_relabel(u32 sid, 336 struct superblock_security_struct *sbsec, 337 struct task_security_struct *tsec) 338 { 339 int rc; 340 341 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 342 FILESYSTEM__RELABELFROM, NULL); 343 if (rc) 344 return rc; 345 346 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 347 FILESYSTEM__RELABELTO, NULL); 348 return rc; 349 } 350 351 static int may_context_mount_inode_relabel(u32 sid, 352 struct superblock_security_struct *sbsec, 353 struct task_security_struct *tsec) 354 { 355 int rc; 356 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 357 FILESYSTEM__RELABELFROM, NULL); 358 if (rc) 359 return rc; 360 361 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 362 FILESYSTEM__ASSOCIATE, NULL); 363 return rc; 364 } 365 366 static int try_context_mount(struct super_block *sb, void *data) 367 { 368 char *context = NULL, *defcontext = NULL; 369 char *fscontext = NULL, *rootcontext = NULL; 370 const char *name; 371 u32 sid; 372 int alloc = 0, rc = 0, seen = 0; 373 struct task_security_struct *tsec = current->security; 374 struct superblock_security_struct *sbsec = sb->s_security; 375 376 if (!data) 377 goto out; 378 379 name = sb->s_type->name; 380 381 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) { 382 383 /* NFS we understand. */ 384 if (!strcmp(name, "nfs")) { 385 struct nfs_mount_data *d = data; 386 387 if (d->version < NFS_MOUNT_VERSION) 388 goto out; 389 390 if (d->context[0]) { 391 context = d->context; 392 seen |= Opt_context; 393 } 394 } else 395 goto out; 396 397 } else { 398 /* Standard string-based options. */ 399 char *p, *options = data; 400 401 while ((p = strsep(&options, ",")) != NULL) { 402 int token; 403 substring_t args[MAX_OPT_ARGS]; 404 405 if (!*p) 406 continue; 407 408 token = match_token(p, tokens, args); 409 410 switch (token) { 411 case Opt_context: 412 if (seen & (Opt_context|Opt_defcontext)) { 413 rc = -EINVAL; 414 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 415 goto out_free; 416 } 417 context = match_strdup(&args[0]); 418 if (!context) { 419 rc = -ENOMEM; 420 goto out_free; 421 } 422 if (!alloc) 423 alloc = 1; 424 seen |= Opt_context; 425 break; 426 427 case Opt_fscontext: 428 if (seen & Opt_fscontext) { 429 rc = -EINVAL; 430 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 431 goto out_free; 432 } 433 fscontext = match_strdup(&args[0]); 434 if (!fscontext) { 435 rc = -ENOMEM; 436 goto out_free; 437 } 438 if (!alloc) 439 alloc = 1; 440 seen |= Opt_fscontext; 441 break; 442 443 case Opt_rootcontext: 444 if (seen & Opt_rootcontext) { 445 rc = -EINVAL; 446 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 447 goto out_free; 448 } 449 rootcontext = match_strdup(&args[0]); 450 if (!rootcontext) { 451 rc = -ENOMEM; 452 goto out_free; 453 } 454 if (!alloc) 455 alloc = 1; 456 seen |= Opt_rootcontext; 457 break; 458 459 case Opt_defcontext: 460 if (sbsec->behavior != SECURITY_FS_USE_XATTR) { 461 rc = -EINVAL; 462 printk(KERN_WARNING "SELinux: " 463 "defcontext option is invalid " 464 "for this filesystem type\n"); 465 goto out_free; 466 } 467 if (seen & (Opt_context|Opt_defcontext)) { 468 rc = -EINVAL; 469 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 470 goto out_free; 471 } 472 defcontext = match_strdup(&args[0]); 473 if (!defcontext) { 474 rc = -ENOMEM; 475 goto out_free; 476 } 477 if (!alloc) 478 alloc = 1; 479 seen |= Opt_defcontext; 480 break; 481 482 default: 483 rc = -EINVAL; 484 printk(KERN_WARNING "SELinux: unknown mount " 485 "option\n"); 486 goto out_free; 487 488 } 489 } 490 } 491 492 if (!seen) 493 goto out; 494 495 /* sets the context of the superblock for the fs being mounted. */ 496 if (fscontext) { 497 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid); 498 if (rc) { 499 printk(KERN_WARNING "SELinux: security_context_to_sid" 500 "(%s) failed for (dev %s, type %s) errno=%d\n", 501 fscontext, sb->s_id, name, rc); 502 goto out_free; 503 } 504 505 rc = may_context_mount_sb_relabel(sid, sbsec, tsec); 506 if (rc) 507 goto out_free; 508 509 sbsec->sid = sid; 510 } 511 512 /* 513 * Switch to using mount point labeling behavior. 514 * sets the label used on all file below the mountpoint, and will set 515 * the superblock context if not already set. 516 */ 517 if (context) { 518 rc = security_context_to_sid(context, strlen(context), &sid); 519 if (rc) { 520 printk(KERN_WARNING "SELinux: security_context_to_sid" 521 "(%s) failed for (dev %s, type %s) errno=%d\n", 522 context, sb->s_id, name, rc); 523 goto out_free; 524 } 525 526 rc = may_context_mount_sb_relabel(sid, sbsec, tsec); 527 if (rc) 528 goto out_free; 529 530 if (!fscontext) 531 sbsec->sid = sid; 532 sbsec->mntpoint_sid = sid; 533 534 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 535 } 536 537 if (rootcontext) { 538 struct inode *inode = sb->s_root->d_inode; 539 struct inode_security_struct *isec = inode->i_security; 540 rc = security_context_to_sid(rootcontext, strlen(rootcontext), &sid); 541 if (rc) { 542 printk(KERN_WARNING "SELinux: security_context_to_sid" 543 "(%s) failed for (dev %s, type %s) errno=%d\n", 544 rootcontext, sb->s_id, name, rc); 545 goto out_free; 546 } 547 548 rc = may_context_mount_inode_relabel(sid, sbsec, tsec); 549 if (rc) 550 goto out_free; 551 552 isec->sid = sid; 553 isec->initialized = 1; 554 } 555 556 if (defcontext) { 557 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid); 558 if (rc) { 559 printk(KERN_WARNING "SELinux: security_context_to_sid" 560 "(%s) failed for (dev %s, type %s) errno=%d\n", 561 defcontext, sb->s_id, name, rc); 562 goto out_free; 563 } 564 565 if (sid == sbsec->def_sid) 566 goto out_free; 567 568 rc = may_context_mount_inode_relabel(sid, sbsec, tsec); 569 if (rc) 570 goto out_free; 571 572 sbsec->def_sid = sid; 573 } 574 575 out_free: 576 if (alloc) { 577 kfree(context); 578 kfree(defcontext); 579 kfree(fscontext); 580 kfree(rootcontext); 581 } 582 out: 583 return rc; 584 } 585 586 static int superblock_doinit(struct super_block *sb, void *data) 587 { 588 struct superblock_security_struct *sbsec = sb->s_security; 589 struct dentry *root = sb->s_root; 590 struct inode *inode = root->d_inode; 591 int rc = 0; 592 593 down(&sbsec->sem); 594 if (sbsec->initialized) 595 goto out; 596 597 if (!ss_initialized) { 598 /* Defer initialization until selinux_complete_init, 599 after the initial policy is loaded and the security 600 server is ready to handle calls. */ 601 spin_lock(&sb_security_lock); 602 if (list_empty(&sbsec->list)) 603 list_add(&sbsec->list, &superblock_security_head); 604 spin_unlock(&sb_security_lock); 605 goto out; 606 } 607 608 /* Determine the labeling behavior to use for this filesystem type. */ 609 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid); 610 if (rc) { 611 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", 612 __FUNCTION__, sb->s_type->name, rc); 613 goto out; 614 } 615 616 rc = try_context_mount(sb, data); 617 if (rc) 618 goto out; 619 620 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 621 /* Make sure that the xattr handler exists and that no 622 error other than -ENODATA is returned by getxattr on 623 the root directory. -ENODATA is ok, as this may be 624 the first boot of the SELinux kernel before we have 625 assigned xattr values to the filesystem. */ 626 if (!inode->i_op->getxattr) { 627 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 628 "xattr support\n", sb->s_id, sb->s_type->name); 629 rc = -EOPNOTSUPP; 630 goto out; 631 } 632 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0); 633 if (rc < 0 && rc != -ENODATA) { 634 if (rc == -EOPNOTSUPP) 635 printk(KERN_WARNING "SELinux: (dev %s, type " 636 "%s) has no security xattr handler\n", 637 sb->s_id, sb->s_type->name); 638 else 639 printk(KERN_WARNING "SELinux: (dev %s, type " 640 "%s) getxattr errno %d\n", sb->s_id, 641 sb->s_type->name, -rc); 642 goto out; 643 } 644 } 645 646 if (strcmp(sb->s_type->name, "proc") == 0) 647 sbsec->proc = 1; 648 649 sbsec->initialized = 1; 650 651 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) { 652 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n", 653 sb->s_id, sb->s_type->name); 654 } 655 else { 656 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n", 657 sb->s_id, sb->s_type->name, 658 labeling_behaviors[sbsec->behavior-1]); 659 } 660 661 /* Initialize the root inode. */ 662 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root); 663 664 /* Initialize any other inodes associated with the superblock, e.g. 665 inodes created prior to initial policy load or inodes created 666 during get_sb by a pseudo filesystem that directly 667 populates itself. */ 668 spin_lock(&sbsec->isec_lock); 669 next_inode: 670 if (!list_empty(&sbsec->isec_head)) { 671 struct inode_security_struct *isec = 672 list_entry(sbsec->isec_head.next, 673 struct inode_security_struct, list); 674 struct inode *inode = isec->inode; 675 spin_unlock(&sbsec->isec_lock); 676 inode = igrab(inode); 677 if (inode) { 678 if (!IS_PRIVATE (inode)) 679 inode_doinit(inode); 680 iput(inode); 681 } 682 spin_lock(&sbsec->isec_lock); 683 list_del_init(&isec->list); 684 goto next_inode; 685 } 686 spin_unlock(&sbsec->isec_lock); 687 out: 688 up(&sbsec->sem); 689 return rc; 690 } 691 692 static inline u16 inode_mode_to_security_class(umode_t mode) 693 { 694 switch (mode & S_IFMT) { 695 case S_IFSOCK: 696 return SECCLASS_SOCK_FILE; 697 case S_IFLNK: 698 return SECCLASS_LNK_FILE; 699 case S_IFREG: 700 return SECCLASS_FILE; 701 case S_IFBLK: 702 return SECCLASS_BLK_FILE; 703 case S_IFDIR: 704 return SECCLASS_DIR; 705 case S_IFCHR: 706 return SECCLASS_CHR_FILE; 707 case S_IFIFO: 708 return SECCLASS_FIFO_FILE; 709 710 } 711 712 return SECCLASS_FILE; 713 } 714 715 static inline int default_protocol_stream(int protocol) 716 { 717 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 718 } 719 720 static inline int default_protocol_dgram(int protocol) 721 { 722 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 723 } 724 725 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 726 { 727 switch (family) { 728 case PF_UNIX: 729 switch (type) { 730 case SOCK_STREAM: 731 case SOCK_SEQPACKET: 732 return SECCLASS_UNIX_STREAM_SOCKET; 733 case SOCK_DGRAM: 734 return SECCLASS_UNIX_DGRAM_SOCKET; 735 } 736 break; 737 case PF_INET: 738 case PF_INET6: 739 switch (type) { 740 case SOCK_STREAM: 741 if (default_protocol_stream(protocol)) 742 return SECCLASS_TCP_SOCKET; 743 else 744 return SECCLASS_RAWIP_SOCKET; 745 case SOCK_DGRAM: 746 if (default_protocol_dgram(protocol)) 747 return SECCLASS_UDP_SOCKET; 748 else 749 return SECCLASS_RAWIP_SOCKET; 750 default: 751 return SECCLASS_RAWIP_SOCKET; 752 } 753 break; 754 case PF_NETLINK: 755 switch (protocol) { 756 case NETLINK_ROUTE: 757 return SECCLASS_NETLINK_ROUTE_SOCKET; 758 case NETLINK_FIREWALL: 759 return SECCLASS_NETLINK_FIREWALL_SOCKET; 760 case NETLINK_INET_DIAG: 761 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 762 case NETLINK_NFLOG: 763 return SECCLASS_NETLINK_NFLOG_SOCKET; 764 case NETLINK_XFRM: 765 return SECCLASS_NETLINK_XFRM_SOCKET; 766 case NETLINK_SELINUX: 767 return SECCLASS_NETLINK_SELINUX_SOCKET; 768 case NETLINK_AUDIT: 769 return SECCLASS_NETLINK_AUDIT_SOCKET; 770 case NETLINK_IP6_FW: 771 return SECCLASS_NETLINK_IP6FW_SOCKET; 772 case NETLINK_DNRTMSG: 773 return SECCLASS_NETLINK_DNRT_SOCKET; 774 case NETLINK_KOBJECT_UEVENT: 775 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 776 default: 777 return SECCLASS_NETLINK_SOCKET; 778 } 779 case PF_PACKET: 780 return SECCLASS_PACKET_SOCKET; 781 case PF_KEY: 782 return SECCLASS_KEY_SOCKET; 783 case PF_APPLETALK: 784 return SECCLASS_APPLETALK_SOCKET; 785 } 786 787 return SECCLASS_SOCKET; 788 } 789 790 #ifdef CONFIG_PROC_FS 791 static int selinux_proc_get_sid(struct proc_dir_entry *de, 792 u16 tclass, 793 u32 *sid) 794 { 795 int buflen, rc; 796 char *buffer, *path, *end; 797 798 buffer = (char*)__get_free_page(GFP_KERNEL); 799 if (!buffer) 800 return -ENOMEM; 801 802 buflen = PAGE_SIZE; 803 end = buffer+buflen; 804 *--end = '\0'; 805 buflen--; 806 path = end-1; 807 *path = '/'; 808 while (de && de != de->parent) { 809 buflen -= de->namelen + 1; 810 if (buflen < 0) 811 break; 812 end -= de->namelen; 813 memcpy(end, de->name, de->namelen); 814 *--end = '/'; 815 path = end; 816 de = de->parent; 817 } 818 rc = security_genfs_sid("proc", path, tclass, sid); 819 free_page((unsigned long)buffer); 820 return rc; 821 } 822 #else 823 static int selinux_proc_get_sid(struct proc_dir_entry *de, 824 u16 tclass, 825 u32 *sid) 826 { 827 return -EINVAL; 828 } 829 #endif 830 831 /* The inode's security attributes must be initialized before first use. */ 832 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 833 { 834 struct superblock_security_struct *sbsec = NULL; 835 struct inode_security_struct *isec = inode->i_security; 836 u32 sid; 837 struct dentry *dentry; 838 #define INITCONTEXTLEN 255 839 char *context = NULL; 840 unsigned len = 0; 841 int rc = 0; 842 int hold_sem = 0; 843 844 if (isec->initialized) 845 goto out; 846 847 down(&isec->sem); 848 hold_sem = 1; 849 if (isec->initialized) 850 goto out; 851 852 sbsec = inode->i_sb->s_security; 853 if (!sbsec->initialized) { 854 /* Defer initialization until selinux_complete_init, 855 after the initial policy is loaded and the security 856 server is ready to handle calls. */ 857 spin_lock(&sbsec->isec_lock); 858 if (list_empty(&isec->list)) 859 list_add(&isec->list, &sbsec->isec_head); 860 spin_unlock(&sbsec->isec_lock); 861 goto out; 862 } 863 864 switch (sbsec->behavior) { 865 case SECURITY_FS_USE_XATTR: 866 if (!inode->i_op->getxattr) { 867 isec->sid = sbsec->def_sid; 868 break; 869 } 870 871 /* Need a dentry, since the xattr API requires one. 872 Life would be simpler if we could just pass the inode. */ 873 if (opt_dentry) { 874 /* Called from d_instantiate or d_splice_alias. */ 875 dentry = dget(opt_dentry); 876 } else { 877 /* Called from selinux_complete_init, try to find a dentry. */ 878 dentry = d_find_alias(inode); 879 } 880 if (!dentry) { 881 printk(KERN_WARNING "%s: no dentry for dev=%s " 882 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id, 883 inode->i_ino); 884 goto out; 885 } 886 887 len = INITCONTEXTLEN; 888 context = kmalloc(len, GFP_KERNEL); 889 if (!context) { 890 rc = -ENOMEM; 891 dput(dentry); 892 goto out; 893 } 894 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 895 context, len); 896 if (rc == -ERANGE) { 897 /* Need a larger buffer. Query for the right size. */ 898 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 899 NULL, 0); 900 if (rc < 0) { 901 dput(dentry); 902 goto out; 903 } 904 kfree(context); 905 len = rc; 906 context = kmalloc(len, GFP_KERNEL); 907 if (!context) { 908 rc = -ENOMEM; 909 dput(dentry); 910 goto out; 911 } 912 rc = inode->i_op->getxattr(dentry, 913 XATTR_NAME_SELINUX, 914 context, len); 915 } 916 dput(dentry); 917 if (rc < 0) { 918 if (rc != -ENODATA) { 919 printk(KERN_WARNING "%s: getxattr returned " 920 "%d for dev=%s ino=%ld\n", __FUNCTION__, 921 -rc, inode->i_sb->s_id, inode->i_ino); 922 kfree(context); 923 goto out; 924 } 925 /* Map ENODATA to the default file SID */ 926 sid = sbsec->def_sid; 927 rc = 0; 928 } else { 929 rc = security_context_to_sid_default(context, rc, &sid, 930 sbsec->def_sid); 931 if (rc) { 932 printk(KERN_WARNING "%s: context_to_sid(%s) " 933 "returned %d for dev=%s ino=%ld\n", 934 __FUNCTION__, context, -rc, 935 inode->i_sb->s_id, inode->i_ino); 936 kfree(context); 937 /* Leave with the unlabeled SID */ 938 rc = 0; 939 break; 940 } 941 } 942 kfree(context); 943 isec->sid = sid; 944 break; 945 case SECURITY_FS_USE_TASK: 946 isec->sid = isec->task_sid; 947 break; 948 case SECURITY_FS_USE_TRANS: 949 /* Default to the fs SID. */ 950 isec->sid = sbsec->sid; 951 952 /* Try to obtain a transition SID. */ 953 isec->sclass = inode_mode_to_security_class(inode->i_mode); 954 rc = security_transition_sid(isec->task_sid, 955 sbsec->sid, 956 isec->sclass, 957 &sid); 958 if (rc) 959 goto out; 960 isec->sid = sid; 961 break; 962 case SECURITY_FS_USE_MNTPOINT: 963 isec->sid = sbsec->mntpoint_sid; 964 break; 965 default: 966 /* Default to the fs superblock SID. */ 967 isec->sid = sbsec->sid; 968 969 if (sbsec->proc) { 970 struct proc_inode *proci = PROC_I(inode); 971 if (proci->pde) { 972 isec->sclass = inode_mode_to_security_class(inode->i_mode); 973 rc = selinux_proc_get_sid(proci->pde, 974 isec->sclass, 975 &sid); 976 if (rc) 977 goto out; 978 isec->sid = sid; 979 } 980 } 981 break; 982 } 983 984 isec->initialized = 1; 985 986 out: 987 if (isec->sclass == SECCLASS_FILE) 988 isec->sclass = inode_mode_to_security_class(inode->i_mode); 989 990 if (hold_sem) 991 up(&isec->sem); 992 return rc; 993 } 994 995 /* Convert a Linux signal to an access vector. */ 996 static inline u32 signal_to_av(int sig) 997 { 998 u32 perm = 0; 999 1000 switch (sig) { 1001 case SIGCHLD: 1002 /* Commonly granted from child to parent. */ 1003 perm = PROCESS__SIGCHLD; 1004 break; 1005 case SIGKILL: 1006 /* Cannot be caught or ignored */ 1007 perm = PROCESS__SIGKILL; 1008 break; 1009 case SIGSTOP: 1010 /* Cannot be caught or ignored */ 1011 perm = PROCESS__SIGSTOP; 1012 break; 1013 default: 1014 /* All other signals. */ 1015 perm = PROCESS__SIGNAL; 1016 break; 1017 } 1018 1019 return perm; 1020 } 1021 1022 /* Check permission betweeen a pair of tasks, e.g. signal checks, 1023 fork check, ptrace check, etc. */ 1024 static int task_has_perm(struct task_struct *tsk1, 1025 struct task_struct *tsk2, 1026 u32 perms) 1027 { 1028 struct task_security_struct *tsec1, *tsec2; 1029 1030 tsec1 = tsk1->security; 1031 tsec2 = tsk2->security; 1032 return avc_has_perm(tsec1->sid, tsec2->sid, 1033 SECCLASS_PROCESS, perms, NULL); 1034 } 1035 1036 /* Check whether a task is allowed to use a capability. */ 1037 static int task_has_capability(struct task_struct *tsk, 1038 int cap) 1039 { 1040 struct task_security_struct *tsec; 1041 struct avc_audit_data ad; 1042 1043 tsec = tsk->security; 1044 1045 AVC_AUDIT_DATA_INIT(&ad,CAP); 1046 ad.tsk = tsk; 1047 ad.u.cap = cap; 1048 1049 return avc_has_perm(tsec->sid, tsec->sid, 1050 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad); 1051 } 1052 1053 /* Check whether a task is allowed to use a system operation. */ 1054 static int task_has_system(struct task_struct *tsk, 1055 u32 perms) 1056 { 1057 struct task_security_struct *tsec; 1058 1059 tsec = tsk->security; 1060 1061 return avc_has_perm(tsec->sid, SECINITSID_KERNEL, 1062 SECCLASS_SYSTEM, perms, NULL); 1063 } 1064 1065 /* Check whether a task has a particular permission to an inode. 1066 The 'adp' parameter is optional and allows other audit 1067 data to be passed (e.g. the dentry). */ 1068 static int inode_has_perm(struct task_struct *tsk, 1069 struct inode *inode, 1070 u32 perms, 1071 struct avc_audit_data *adp) 1072 { 1073 struct task_security_struct *tsec; 1074 struct inode_security_struct *isec; 1075 struct avc_audit_data ad; 1076 1077 tsec = tsk->security; 1078 isec = inode->i_security; 1079 1080 if (!adp) { 1081 adp = &ad; 1082 AVC_AUDIT_DATA_INIT(&ad, FS); 1083 ad.u.fs.inode = inode; 1084 } 1085 1086 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp); 1087 } 1088 1089 /* Same as inode_has_perm, but pass explicit audit data containing 1090 the dentry to help the auditing code to more easily generate the 1091 pathname if needed. */ 1092 static inline int dentry_has_perm(struct task_struct *tsk, 1093 struct vfsmount *mnt, 1094 struct dentry *dentry, 1095 u32 av) 1096 { 1097 struct inode *inode = dentry->d_inode; 1098 struct avc_audit_data ad; 1099 AVC_AUDIT_DATA_INIT(&ad,FS); 1100 ad.u.fs.mnt = mnt; 1101 ad.u.fs.dentry = dentry; 1102 return inode_has_perm(tsk, inode, av, &ad); 1103 } 1104 1105 /* Check whether a task can use an open file descriptor to 1106 access an inode in a given way. Check access to the 1107 descriptor itself, and then use dentry_has_perm to 1108 check a particular permission to the file. 1109 Access to the descriptor is implicitly granted if it 1110 has the same SID as the process. If av is zero, then 1111 access to the file is not checked, e.g. for cases 1112 where only the descriptor is affected like seek. */ 1113 static int file_has_perm(struct task_struct *tsk, 1114 struct file *file, 1115 u32 av) 1116 { 1117 struct task_security_struct *tsec = tsk->security; 1118 struct file_security_struct *fsec = file->f_security; 1119 struct vfsmount *mnt = file->f_vfsmnt; 1120 struct dentry *dentry = file->f_dentry; 1121 struct inode *inode = dentry->d_inode; 1122 struct avc_audit_data ad; 1123 int rc; 1124 1125 AVC_AUDIT_DATA_INIT(&ad, FS); 1126 ad.u.fs.mnt = mnt; 1127 ad.u.fs.dentry = dentry; 1128 1129 if (tsec->sid != fsec->sid) { 1130 rc = avc_has_perm(tsec->sid, fsec->sid, 1131 SECCLASS_FD, 1132 FD__USE, 1133 &ad); 1134 if (rc) 1135 return rc; 1136 } 1137 1138 /* av is zero if only checking access to the descriptor. */ 1139 if (av) 1140 return inode_has_perm(tsk, inode, av, &ad); 1141 1142 return 0; 1143 } 1144 1145 /* Check whether a task can create a file. */ 1146 static int may_create(struct inode *dir, 1147 struct dentry *dentry, 1148 u16 tclass) 1149 { 1150 struct task_security_struct *tsec; 1151 struct inode_security_struct *dsec; 1152 struct superblock_security_struct *sbsec; 1153 u32 newsid; 1154 struct avc_audit_data ad; 1155 int rc; 1156 1157 tsec = current->security; 1158 dsec = dir->i_security; 1159 sbsec = dir->i_sb->s_security; 1160 1161 AVC_AUDIT_DATA_INIT(&ad, FS); 1162 ad.u.fs.dentry = dentry; 1163 1164 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, 1165 DIR__ADD_NAME | DIR__SEARCH, 1166 &ad); 1167 if (rc) 1168 return rc; 1169 1170 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 1171 newsid = tsec->create_sid; 1172 } else { 1173 rc = security_transition_sid(tsec->sid, dsec->sid, tclass, 1174 &newsid); 1175 if (rc) 1176 return rc; 1177 } 1178 1179 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad); 1180 if (rc) 1181 return rc; 1182 1183 return avc_has_perm(newsid, sbsec->sid, 1184 SECCLASS_FILESYSTEM, 1185 FILESYSTEM__ASSOCIATE, &ad); 1186 } 1187 1188 /* Check whether a task can create a key. */ 1189 static int may_create_key(u32 ksid, 1190 struct task_struct *ctx) 1191 { 1192 struct task_security_struct *tsec; 1193 1194 tsec = ctx->security; 1195 1196 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); 1197 } 1198 1199 #define MAY_LINK 0 1200 #define MAY_UNLINK 1 1201 #define MAY_RMDIR 2 1202 1203 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1204 static int may_link(struct inode *dir, 1205 struct dentry *dentry, 1206 int kind) 1207 1208 { 1209 struct task_security_struct *tsec; 1210 struct inode_security_struct *dsec, *isec; 1211 struct avc_audit_data ad; 1212 u32 av; 1213 int rc; 1214 1215 tsec = current->security; 1216 dsec = dir->i_security; 1217 isec = dentry->d_inode->i_security; 1218 1219 AVC_AUDIT_DATA_INIT(&ad, FS); 1220 ad.u.fs.dentry = dentry; 1221 1222 av = DIR__SEARCH; 1223 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1224 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad); 1225 if (rc) 1226 return rc; 1227 1228 switch (kind) { 1229 case MAY_LINK: 1230 av = FILE__LINK; 1231 break; 1232 case MAY_UNLINK: 1233 av = FILE__UNLINK; 1234 break; 1235 case MAY_RMDIR: 1236 av = DIR__RMDIR; 1237 break; 1238 default: 1239 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind); 1240 return 0; 1241 } 1242 1243 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad); 1244 return rc; 1245 } 1246 1247 static inline int may_rename(struct inode *old_dir, 1248 struct dentry *old_dentry, 1249 struct inode *new_dir, 1250 struct dentry *new_dentry) 1251 { 1252 struct task_security_struct *tsec; 1253 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1254 struct avc_audit_data ad; 1255 u32 av; 1256 int old_is_dir, new_is_dir; 1257 int rc; 1258 1259 tsec = current->security; 1260 old_dsec = old_dir->i_security; 1261 old_isec = old_dentry->d_inode->i_security; 1262 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); 1263 new_dsec = new_dir->i_security; 1264 1265 AVC_AUDIT_DATA_INIT(&ad, FS); 1266 1267 ad.u.fs.dentry = old_dentry; 1268 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR, 1269 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1270 if (rc) 1271 return rc; 1272 rc = avc_has_perm(tsec->sid, old_isec->sid, 1273 old_isec->sclass, FILE__RENAME, &ad); 1274 if (rc) 1275 return rc; 1276 if (old_is_dir && new_dir != old_dir) { 1277 rc = avc_has_perm(tsec->sid, old_isec->sid, 1278 old_isec->sclass, DIR__REPARENT, &ad); 1279 if (rc) 1280 return rc; 1281 } 1282 1283 ad.u.fs.dentry = new_dentry; 1284 av = DIR__ADD_NAME | DIR__SEARCH; 1285 if (new_dentry->d_inode) 1286 av |= DIR__REMOVE_NAME; 1287 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1288 if (rc) 1289 return rc; 1290 if (new_dentry->d_inode) { 1291 new_isec = new_dentry->d_inode->i_security; 1292 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode); 1293 rc = avc_has_perm(tsec->sid, new_isec->sid, 1294 new_isec->sclass, 1295 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1296 if (rc) 1297 return rc; 1298 } 1299 1300 return 0; 1301 } 1302 1303 /* Check whether a task can perform a filesystem operation. */ 1304 static int superblock_has_perm(struct task_struct *tsk, 1305 struct super_block *sb, 1306 u32 perms, 1307 struct avc_audit_data *ad) 1308 { 1309 struct task_security_struct *tsec; 1310 struct superblock_security_struct *sbsec; 1311 1312 tsec = tsk->security; 1313 sbsec = sb->s_security; 1314 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 1315 perms, ad); 1316 } 1317 1318 /* Convert a Linux mode and permission mask to an access vector. */ 1319 static inline u32 file_mask_to_av(int mode, int mask) 1320 { 1321 u32 av = 0; 1322 1323 if ((mode & S_IFMT) != S_IFDIR) { 1324 if (mask & MAY_EXEC) 1325 av |= FILE__EXECUTE; 1326 if (mask & MAY_READ) 1327 av |= FILE__READ; 1328 1329 if (mask & MAY_APPEND) 1330 av |= FILE__APPEND; 1331 else if (mask & MAY_WRITE) 1332 av |= FILE__WRITE; 1333 1334 } else { 1335 if (mask & MAY_EXEC) 1336 av |= DIR__SEARCH; 1337 if (mask & MAY_WRITE) 1338 av |= DIR__WRITE; 1339 if (mask & MAY_READ) 1340 av |= DIR__READ; 1341 } 1342 1343 return av; 1344 } 1345 1346 /* Convert a Linux file to an access vector. */ 1347 static inline u32 file_to_av(struct file *file) 1348 { 1349 u32 av = 0; 1350 1351 if (file->f_mode & FMODE_READ) 1352 av |= FILE__READ; 1353 if (file->f_mode & FMODE_WRITE) { 1354 if (file->f_flags & O_APPEND) 1355 av |= FILE__APPEND; 1356 else 1357 av |= FILE__WRITE; 1358 } 1359 1360 return av; 1361 } 1362 1363 /* Set an inode's SID to a specified value. */ 1364 static int inode_security_set_sid(struct inode *inode, u32 sid) 1365 { 1366 struct inode_security_struct *isec = inode->i_security; 1367 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 1368 1369 if (!sbsec->initialized) { 1370 /* Defer initialization to selinux_complete_init. */ 1371 return 0; 1372 } 1373 1374 down(&isec->sem); 1375 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1376 isec->sid = sid; 1377 isec->initialized = 1; 1378 up(&isec->sem); 1379 return 0; 1380 } 1381 1382 /* Hook functions begin here. */ 1383 1384 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) 1385 { 1386 struct task_security_struct *psec = parent->security; 1387 struct task_security_struct *csec = child->security; 1388 int rc; 1389 1390 rc = secondary_ops->ptrace(parent,child); 1391 if (rc) 1392 return rc; 1393 1394 rc = task_has_perm(parent, child, PROCESS__PTRACE); 1395 /* Save the SID of the tracing process for later use in apply_creds. */ 1396 if (!(child->ptrace & PT_PTRACED) && !rc) 1397 csec->ptrace_sid = psec->sid; 1398 return rc; 1399 } 1400 1401 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 1402 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1403 { 1404 int error; 1405 1406 error = task_has_perm(current, target, PROCESS__GETCAP); 1407 if (error) 1408 return error; 1409 1410 return secondary_ops->capget(target, effective, inheritable, permitted); 1411 } 1412 1413 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, 1414 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1415 { 1416 int error; 1417 1418 error = secondary_ops->capset_check(target, effective, inheritable, permitted); 1419 if (error) 1420 return error; 1421 1422 return task_has_perm(current, target, PROCESS__SETCAP); 1423 } 1424 1425 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, 1426 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1427 { 1428 secondary_ops->capset_set(target, effective, inheritable, permitted); 1429 } 1430 1431 static int selinux_capable(struct task_struct *tsk, int cap) 1432 { 1433 int rc; 1434 1435 rc = secondary_ops->capable(tsk, cap); 1436 if (rc) 1437 return rc; 1438 1439 return task_has_capability(tsk,cap); 1440 } 1441 1442 static int selinux_sysctl(ctl_table *table, int op) 1443 { 1444 int error = 0; 1445 u32 av; 1446 struct task_security_struct *tsec; 1447 u32 tsid; 1448 int rc; 1449 1450 rc = secondary_ops->sysctl(table, op); 1451 if (rc) 1452 return rc; 1453 1454 tsec = current->security; 1455 1456 rc = selinux_proc_get_sid(table->de, (op == 001) ? 1457 SECCLASS_DIR : SECCLASS_FILE, &tsid); 1458 if (rc) { 1459 /* Default to the well-defined sysctl SID. */ 1460 tsid = SECINITSID_SYSCTL; 1461 } 1462 1463 /* The op values are "defined" in sysctl.c, thereby creating 1464 * a bad coupling between this module and sysctl.c */ 1465 if(op == 001) { 1466 error = avc_has_perm(tsec->sid, tsid, 1467 SECCLASS_DIR, DIR__SEARCH, NULL); 1468 } else { 1469 av = 0; 1470 if (op & 004) 1471 av |= FILE__READ; 1472 if (op & 002) 1473 av |= FILE__WRITE; 1474 if (av) 1475 error = avc_has_perm(tsec->sid, tsid, 1476 SECCLASS_FILE, av, NULL); 1477 } 1478 1479 return error; 1480 } 1481 1482 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 1483 { 1484 int rc = 0; 1485 1486 if (!sb) 1487 return 0; 1488 1489 switch (cmds) { 1490 case Q_SYNC: 1491 case Q_QUOTAON: 1492 case Q_QUOTAOFF: 1493 case Q_SETINFO: 1494 case Q_SETQUOTA: 1495 rc = superblock_has_perm(current, 1496 sb, 1497 FILESYSTEM__QUOTAMOD, NULL); 1498 break; 1499 case Q_GETFMT: 1500 case Q_GETINFO: 1501 case Q_GETQUOTA: 1502 rc = superblock_has_perm(current, 1503 sb, 1504 FILESYSTEM__QUOTAGET, NULL); 1505 break; 1506 default: 1507 rc = 0; /* let the kernel handle invalid cmds */ 1508 break; 1509 } 1510 return rc; 1511 } 1512 1513 static int selinux_quota_on(struct dentry *dentry) 1514 { 1515 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON); 1516 } 1517 1518 static int selinux_syslog(int type) 1519 { 1520 int rc; 1521 1522 rc = secondary_ops->syslog(type); 1523 if (rc) 1524 return rc; 1525 1526 switch (type) { 1527 case 3: /* Read last kernel messages */ 1528 case 10: /* Return size of the log buffer */ 1529 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 1530 break; 1531 case 6: /* Disable logging to console */ 1532 case 7: /* Enable logging to console */ 1533 case 8: /* Set level of messages printed to console */ 1534 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); 1535 break; 1536 case 0: /* Close log */ 1537 case 1: /* Open log */ 1538 case 2: /* Read from log */ 1539 case 4: /* Read/clear last kernel messages */ 1540 case 5: /* Clear ring buffer */ 1541 default: 1542 rc = task_has_system(current, SYSTEM__SYSLOG_MOD); 1543 break; 1544 } 1545 return rc; 1546 } 1547 1548 /* 1549 * Check that a process has enough memory to allocate a new virtual 1550 * mapping. 0 means there is enough memory for the allocation to 1551 * succeed and -ENOMEM implies there is not. 1552 * 1553 * Note that secondary_ops->capable and task_has_perm_noaudit return 0 1554 * if the capability is granted, but __vm_enough_memory requires 1 if 1555 * the capability is granted. 1556 * 1557 * Do not audit the selinux permission check, as this is applied to all 1558 * processes that allocate mappings. 1559 */ 1560 static int selinux_vm_enough_memory(long pages) 1561 { 1562 int rc, cap_sys_admin = 0; 1563 struct task_security_struct *tsec = current->security; 1564 1565 rc = secondary_ops->capable(current, CAP_SYS_ADMIN); 1566 if (rc == 0) 1567 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid, 1568 SECCLASS_CAPABILITY, 1569 CAP_TO_MASK(CAP_SYS_ADMIN), 1570 NULL); 1571 1572 if (rc == 0) 1573 cap_sys_admin = 1; 1574 1575 return __vm_enough_memory(pages, cap_sys_admin); 1576 } 1577 1578 /* binprm security operations */ 1579 1580 static int selinux_bprm_alloc_security(struct linux_binprm *bprm) 1581 { 1582 struct bprm_security_struct *bsec; 1583 1584 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL); 1585 if (!bsec) 1586 return -ENOMEM; 1587 1588 bsec->bprm = bprm; 1589 bsec->sid = SECINITSID_UNLABELED; 1590 bsec->set = 0; 1591 1592 bprm->security = bsec; 1593 return 0; 1594 } 1595 1596 static int selinux_bprm_set_security(struct linux_binprm *bprm) 1597 { 1598 struct task_security_struct *tsec; 1599 struct inode *inode = bprm->file->f_dentry->d_inode; 1600 struct inode_security_struct *isec; 1601 struct bprm_security_struct *bsec; 1602 u32 newsid; 1603 struct avc_audit_data ad; 1604 int rc; 1605 1606 rc = secondary_ops->bprm_set_security(bprm); 1607 if (rc) 1608 return rc; 1609 1610 bsec = bprm->security; 1611 1612 if (bsec->set) 1613 return 0; 1614 1615 tsec = current->security; 1616 isec = inode->i_security; 1617 1618 /* Default to the current task SID. */ 1619 bsec->sid = tsec->sid; 1620 1621 /* Reset fs, key, and sock SIDs on execve. */ 1622 tsec->create_sid = 0; 1623 tsec->keycreate_sid = 0; 1624 tsec->sockcreate_sid = 0; 1625 1626 if (tsec->exec_sid) { 1627 newsid = tsec->exec_sid; 1628 /* Reset exec SID on execve. */ 1629 tsec->exec_sid = 0; 1630 } else { 1631 /* Check for a default transition on this program. */ 1632 rc = security_transition_sid(tsec->sid, isec->sid, 1633 SECCLASS_PROCESS, &newsid); 1634 if (rc) 1635 return rc; 1636 } 1637 1638 AVC_AUDIT_DATA_INIT(&ad, FS); 1639 ad.u.fs.mnt = bprm->file->f_vfsmnt; 1640 ad.u.fs.dentry = bprm->file->f_dentry; 1641 1642 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) 1643 newsid = tsec->sid; 1644 1645 if (tsec->sid == newsid) { 1646 rc = avc_has_perm(tsec->sid, isec->sid, 1647 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 1648 if (rc) 1649 return rc; 1650 } else { 1651 /* Check permissions for the transition. */ 1652 rc = avc_has_perm(tsec->sid, newsid, 1653 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 1654 if (rc) 1655 return rc; 1656 1657 rc = avc_has_perm(newsid, isec->sid, 1658 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 1659 if (rc) 1660 return rc; 1661 1662 /* Clear any possibly unsafe personality bits on exec: */ 1663 current->personality &= ~PER_CLEAR_ON_SETID; 1664 1665 /* Set the security field to the new SID. */ 1666 bsec->sid = newsid; 1667 } 1668 1669 bsec->set = 1; 1670 return 0; 1671 } 1672 1673 static int selinux_bprm_check_security (struct linux_binprm *bprm) 1674 { 1675 return secondary_ops->bprm_check_security(bprm); 1676 } 1677 1678 1679 static int selinux_bprm_secureexec (struct linux_binprm *bprm) 1680 { 1681 struct task_security_struct *tsec = current->security; 1682 int atsecure = 0; 1683 1684 if (tsec->osid != tsec->sid) { 1685 /* Enable secure mode for SIDs transitions unless 1686 the noatsecure permission is granted between 1687 the two SIDs, i.e. ahp returns 0. */ 1688 atsecure = avc_has_perm(tsec->osid, tsec->sid, 1689 SECCLASS_PROCESS, 1690 PROCESS__NOATSECURE, NULL); 1691 } 1692 1693 return (atsecure || secondary_ops->bprm_secureexec(bprm)); 1694 } 1695 1696 static void selinux_bprm_free_security(struct linux_binprm *bprm) 1697 { 1698 kfree(bprm->security); 1699 bprm->security = NULL; 1700 } 1701 1702 extern struct vfsmount *selinuxfs_mount; 1703 extern struct dentry *selinux_null; 1704 1705 /* Derived from fs/exec.c:flush_old_files. */ 1706 static inline void flush_unauthorized_files(struct files_struct * files) 1707 { 1708 struct avc_audit_data ad; 1709 struct file *file, *devnull = NULL; 1710 struct tty_struct *tty = current->signal->tty; 1711 struct fdtable *fdt; 1712 long j = -1; 1713 1714 if (tty) { 1715 file_list_lock(); 1716 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list); 1717 if (file) { 1718 /* Revalidate access to controlling tty. 1719 Use inode_has_perm on the tty inode directly rather 1720 than using file_has_perm, as this particular open 1721 file may belong to another process and we are only 1722 interested in the inode-based check here. */ 1723 struct inode *inode = file->f_dentry->d_inode; 1724 if (inode_has_perm(current, inode, 1725 FILE__READ | FILE__WRITE, NULL)) { 1726 /* Reset controlling tty. */ 1727 current->signal->tty = NULL; 1728 current->signal->tty_old_pgrp = 0; 1729 } 1730 } 1731 file_list_unlock(); 1732 } 1733 1734 /* Revalidate access to inherited open files. */ 1735 1736 AVC_AUDIT_DATA_INIT(&ad,FS); 1737 1738 spin_lock(&files->file_lock); 1739 for (;;) { 1740 unsigned long set, i; 1741 int fd; 1742 1743 j++; 1744 i = j * __NFDBITS; 1745 fdt = files_fdtable(files); 1746 if (i >= fdt->max_fds || i >= fdt->max_fdset) 1747 break; 1748 set = fdt->open_fds->fds_bits[j]; 1749 if (!set) 1750 continue; 1751 spin_unlock(&files->file_lock); 1752 for ( ; set ; i++,set >>= 1) { 1753 if (set & 1) { 1754 file = fget(i); 1755 if (!file) 1756 continue; 1757 if (file_has_perm(current, 1758 file, 1759 file_to_av(file))) { 1760 sys_close(i); 1761 fd = get_unused_fd(); 1762 if (fd != i) { 1763 if (fd >= 0) 1764 put_unused_fd(fd); 1765 fput(file); 1766 continue; 1767 } 1768 if (devnull) { 1769 get_file(devnull); 1770 } else { 1771 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR); 1772 if (!devnull) { 1773 put_unused_fd(fd); 1774 fput(file); 1775 continue; 1776 } 1777 } 1778 fd_install(fd, devnull); 1779 } 1780 fput(file); 1781 } 1782 } 1783 spin_lock(&files->file_lock); 1784 1785 } 1786 spin_unlock(&files->file_lock); 1787 } 1788 1789 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) 1790 { 1791 struct task_security_struct *tsec; 1792 struct bprm_security_struct *bsec; 1793 u32 sid; 1794 int rc; 1795 1796 secondary_ops->bprm_apply_creds(bprm, unsafe); 1797 1798 tsec = current->security; 1799 1800 bsec = bprm->security; 1801 sid = bsec->sid; 1802 1803 tsec->osid = tsec->sid; 1804 bsec->unsafe = 0; 1805 if (tsec->sid != sid) { 1806 /* Check for shared state. If not ok, leave SID 1807 unchanged and kill. */ 1808 if (unsafe & LSM_UNSAFE_SHARE) { 1809 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 1810 PROCESS__SHARE, NULL); 1811 if (rc) { 1812 bsec->unsafe = 1; 1813 return; 1814 } 1815 } 1816 1817 /* Check for ptracing, and update the task SID if ok. 1818 Otherwise, leave SID unchanged and kill. */ 1819 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 1820 rc = avc_has_perm(tsec->ptrace_sid, sid, 1821 SECCLASS_PROCESS, PROCESS__PTRACE, 1822 NULL); 1823 if (rc) { 1824 bsec->unsafe = 1; 1825 return; 1826 } 1827 } 1828 tsec->sid = sid; 1829 } 1830 } 1831 1832 /* 1833 * called after apply_creds without the task lock held 1834 */ 1835 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) 1836 { 1837 struct task_security_struct *tsec; 1838 struct rlimit *rlim, *initrlim; 1839 struct itimerval itimer; 1840 struct bprm_security_struct *bsec; 1841 int rc, i; 1842 1843 tsec = current->security; 1844 bsec = bprm->security; 1845 1846 if (bsec->unsafe) { 1847 force_sig_specific(SIGKILL, current); 1848 return; 1849 } 1850 if (tsec->osid == tsec->sid) 1851 return; 1852 1853 /* Close files for which the new task SID is not authorized. */ 1854 flush_unauthorized_files(current->files); 1855 1856 /* Check whether the new SID can inherit signal state 1857 from the old SID. If not, clear itimers to avoid 1858 subsequent signal generation and flush and unblock 1859 signals. This must occur _after_ the task SID has 1860 been updated so that any kill done after the flush 1861 will be checked against the new SID. */ 1862 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, 1863 PROCESS__SIGINH, NULL); 1864 if (rc) { 1865 memset(&itimer, 0, sizeof itimer); 1866 for (i = 0; i < 3; i++) 1867 do_setitimer(i, &itimer, NULL); 1868 flush_signals(current); 1869 spin_lock_irq(¤t->sighand->siglock); 1870 flush_signal_handlers(current, 1); 1871 sigemptyset(¤t->blocked); 1872 recalc_sigpending(); 1873 spin_unlock_irq(¤t->sighand->siglock); 1874 } 1875 1876 /* Check whether the new SID can inherit resource limits 1877 from the old SID. If not, reset all soft limits to 1878 the lower of the current task's hard limit and the init 1879 task's soft limit. Note that the setting of hard limits 1880 (even to lower them) can be controlled by the setrlimit 1881 check. The inclusion of the init task's soft limit into 1882 the computation is to avoid resetting soft limits higher 1883 than the default soft limit for cases where the default 1884 is lower than the hard limit, e.g. RLIMIT_CORE or 1885 RLIMIT_STACK.*/ 1886 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, 1887 PROCESS__RLIMITINH, NULL); 1888 if (rc) { 1889 for (i = 0; i < RLIM_NLIMITS; i++) { 1890 rlim = current->signal->rlim + i; 1891 initrlim = init_task.signal->rlim+i; 1892 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur); 1893 } 1894 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) { 1895 /* 1896 * This will cause RLIMIT_CPU calculations 1897 * to be refigured. 1898 */ 1899 current->it_prof_expires = jiffies_to_cputime(1); 1900 } 1901 } 1902 1903 /* Wake up the parent if it is waiting so that it can 1904 recheck wait permission to the new task SID. */ 1905 wake_up_interruptible(¤t->parent->signal->wait_chldexit); 1906 } 1907 1908 /* superblock security operations */ 1909 1910 static int selinux_sb_alloc_security(struct super_block *sb) 1911 { 1912 return superblock_alloc_security(sb); 1913 } 1914 1915 static void selinux_sb_free_security(struct super_block *sb) 1916 { 1917 superblock_free_security(sb); 1918 } 1919 1920 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 1921 { 1922 if (plen > olen) 1923 return 0; 1924 1925 return !memcmp(prefix, option, plen); 1926 } 1927 1928 static inline int selinux_option(char *option, int len) 1929 { 1930 return (match_prefix("context=", sizeof("context=")-1, option, len) || 1931 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) || 1932 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) || 1933 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len)); 1934 } 1935 1936 static inline void take_option(char **to, char *from, int *first, int len) 1937 { 1938 if (!*first) { 1939 **to = ','; 1940 *to += 1; 1941 } 1942 else 1943 *first = 0; 1944 memcpy(*to, from, len); 1945 *to += len; 1946 } 1947 1948 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy) 1949 { 1950 int fnosec, fsec, rc = 0; 1951 char *in_save, *in_curr, *in_end; 1952 char *sec_curr, *nosec_save, *nosec; 1953 1954 in_curr = orig; 1955 sec_curr = copy; 1956 1957 /* Binary mount data: just copy */ 1958 if (type->fs_flags & FS_BINARY_MOUNTDATA) { 1959 copy_page(sec_curr, in_curr); 1960 goto out; 1961 } 1962 1963 nosec = (char *)get_zeroed_page(GFP_KERNEL); 1964 if (!nosec) { 1965 rc = -ENOMEM; 1966 goto out; 1967 } 1968 1969 nosec_save = nosec; 1970 fnosec = fsec = 1; 1971 in_save = in_end = orig; 1972 1973 do { 1974 if (*in_end == ',' || *in_end == '\0') { 1975 int len = in_end - in_curr; 1976 1977 if (selinux_option(in_curr, len)) 1978 take_option(&sec_curr, in_curr, &fsec, len); 1979 else 1980 take_option(&nosec, in_curr, &fnosec, len); 1981 1982 in_curr = in_end + 1; 1983 } 1984 } while (*in_end++); 1985 1986 strcpy(in_save, nosec_save); 1987 free_page((unsigned long)nosec_save); 1988 out: 1989 return rc; 1990 } 1991 1992 static int selinux_sb_kern_mount(struct super_block *sb, void *data) 1993 { 1994 struct avc_audit_data ad; 1995 int rc; 1996 1997 rc = superblock_doinit(sb, data); 1998 if (rc) 1999 return rc; 2000 2001 AVC_AUDIT_DATA_INIT(&ad,FS); 2002 ad.u.fs.dentry = sb->s_root; 2003 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); 2004 } 2005 2006 static int selinux_sb_statfs(struct dentry *dentry) 2007 { 2008 struct avc_audit_data ad; 2009 2010 AVC_AUDIT_DATA_INIT(&ad,FS); 2011 ad.u.fs.dentry = dentry->d_sb->s_root; 2012 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2013 } 2014 2015 static int selinux_mount(char * dev_name, 2016 struct nameidata *nd, 2017 char * type, 2018 unsigned long flags, 2019 void * data) 2020 { 2021 int rc; 2022 2023 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data); 2024 if (rc) 2025 return rc; 2026 2027 if (flags & MS_REMOUNT) 2028 return superblock_has_perm(current, nd->mnt->mnt_sb, 2029 FILESYSTEM__REMOUNT, NULL); 2030 else 2031 return dentry_has_perm(current, nd->mnt, nd->dentry, 2032 FILE__MOUNTON); 2033 } 2034 2035 static int selinux_umount(struct vfsmount *mnt, int flags) 2036 { 2037 int rc; 2038 2039 rc = secondary_ops->sb_umount(mnt, flags); 2040 if (rc) 2041 return rc; 2042 2043 return superblock_has_perm(current,mnt->mnt_sb, 2044 FILESYSTEM__UNMOUNT,NULL); 2045 } 2046 2047 /* inode security operations */ 2048 2049 static int selinux_inode_alloc_security(struct inode *inode) 2050 { 2051 return inode_alloc_security(inode); 2052 } 2053 2054 static void selinux_inode_free_security(struct inode *inode) 2055 { 2056 inode_free_security(inode); 2057 } 2058 2059 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2060 char **name, void **value, 2061 size_t *len) 2062 { 2063 struct task_security_struct *tsec; 2064 struct inode_security_struct *dsec; 2065 struct superblock_security_struct *sbsec; 2066 u32 newsid, clen; 2067 int rc; 2068 char *namep = NULL, *context; 2069 2070 tsec = current->security; 2071 dsec = dir->i_security; 2072 sbsec = dir->i_sb->s_security; 2073 2074 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 2075 newsid = tsec->create_sid; 2076 } else { 2077 rc = security_transition_sid(tsec->sid, dsec->sid, 2078 inode_mode_to_security_class(inode->i_mode), 2079 &newsid); 2080 if (rc) { 2081 printk(KERN_WARNING "%s: " 2082 "security_transition_sid failed, rc=%d (dev=%s " 2083 "ino=%ld)\n", 2084 __FUNCTION__, 2085 -rc, inode->i_sb->s_id, inode->i_ino); 2086 return rc; 2087 } 2088 } 2089 2090 inode_security_set_sid(inode, newsid); 2091 2092 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 2093 return -EOPNOTSUPP; 2094 2095 if (name) { 2096 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL); 2097 if (!namep) 2098 return -ENOMEM; 2099 *name = namep; 2100 } 2101 2102 if (value && len) { 2103 rc = security_sid_to_context(newsid, &context, &clen); 2104 if (rc) { 2105 kfree(namep); 2106 return rc; 2107 } 2108 *value = context; 2109 *len = clen; 2110 } 2111 2112 return 0; 2113 } 2114 2115 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask) 2116 { 2117 return may_create(dir, dentry, SECCLASS_FILE); 2118 } 2119 2120 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2121 { 2122 int rc; 2123 2124 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry); 2125 if (rc) 2126 return rc; 2127 return may_link(dir, old_dentry, MAY_LINK); 2128 } 2129 2130 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2131 { 2132 int rc; 2133 2134 rc = secondary_ops->inode_unlink(dir, dentry); 2135 if (rc) 2136 return rc; 2137 return may_link(dir, dentry, MAY_UNLINK); 2138 } 2139 2140 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2141 { 2142 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2143 } 2144 2145 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask) 2146 { 2147 return may_create(dir, dentry, SECCLASS_DIR); 2148 } 2149 2150 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2151 { 2152 return may_link(dir, dentry, MAY_RMDIR); 2153 } 2154 2155 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) 2156 { 2157 int rc; 2158 2159 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev); 2160 if (rc) 2161 return rc; 2162 2163 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2164 } 2165 2166 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2167 struct inode *new_inode, struct dentry *new_dentry) 2168 { 2169 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2170 } 2171 2172 static int selinux_inode_readlink(struct dentry *dentry) 2173 { 2174 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2175 } 2176 2177 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) 2178 { 2179 int rc; 2180 2181 rc = secondary_ops->inode_follow_link(dentry,nameidata); 2182 if (rc) 2183 return rc; 2184 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2185 } 2186 2187 static int selinux_inode_permission(struct inode *inode, int mask, 2188 struct nameidata *nd) 2189 { 2190 int rc; 2191 2192 rc = secondary_ops->inode_permission(inode, mask, nd); 2193 if (rc) 2194 return rc; 2195 2196 if (!mask) { 2197 /* No permission to check. Existence test. */ 2198 return 0; 2199 } 2200 2201 return inode_has_perm(current, inode, 2202 file_mask_to_av(inode->i_mode, mask), NULL); 2203 } 2204 2205 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2206 { 2207 int rc; 2208 2209 rc = secondary_ops->inode_setattr(dentry, iattr); 2210 if (rc) 2211 return rc; 2212 2213 if (iattr->ia_valid & ATTR_FORCE) 2214 return 0; 2215 2216 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 2217 ATTR_ATIME_SET | ATTR_MTIME_SET)) 2218 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2219 2220 return dentry_has_perm(current, NULL, dentry, FILE__WRITE); 2221 } 2222 2223 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 2224 { 2225 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR); 2226 } 2227 2228 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags) 2229 { 2230 struct task_security_struct *tsec = current->security; 2231 struct inode *inode = dentry->d_inode; 2232 struct inode_security_struct *isec = inode->i_security; 2233 struct superblock_security_struct *sbsec; 2234 struct avc_audit_data ad; 2235 u32 newsid; 2236 int rc = 0; 2237 2238 if (strcmp(name, XATTR_NAME_SELINUX)) { 2239 if (!strncmp(name, XATTR_SECURITY_PREFIX, 2240 sizeof XATTR_SECURITY_PREFIX - 1) && 2241 !capable(CAP_SYS_ADMIN)) { 2242 /* A different attribute in the security namespace. 2243 Restrict to administrator. */ 2244 return -EPERM; 2245 } 2246 2247 /* Not an attribute we recognize, so just check the 2248 ordinary setattr permission. */ 2249 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2250 } 2251 2252 sbsec = inode->i_sb->s_security; 2253 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 2254 return -EOPNOTSUPP; 2255 2256 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER)) 2257 return -EPERM; 2258 2259 AVC_AUDIT_DATA_INIT(&ad,FS); 2260 ad.u.fs.dentry = dentry; 2261 2262 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, 2263 FILE__RELABELFROM, &ad); 2264 if (rc) 2265 return rc; 2266 2267 rc = security_context_to_sid(value, size, &newsid); 2268 if (rc) 2269 return rc; 2270 2271 rc = avc_has_perm(tsec->sid, newsid, isec->sclass, 2272 FILE__RELABELTO, &ad); 2273 if (rc) 2274 return rc; 2275 2276 rc = security_validate_transition(isec->sid, newsid, tsec->sid, 2277 isec->sclass); 2278 if (rc) 2279 return rc; 2280 2281 return avc_has_perm(newsid, 2282 sbsec->sid, 2283 SECCLASS_FILESYSTEM, 2284 FILESYSTEM__ASSOCIATE, 2285 &ad); 2286 } 2287 2288 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, 2289 void *value, size_t size, int flags) 2290 { 2291 struct inode *inode = dentry->d_inode; 2292 struct inode_security_struct *isec = inode->i_security; 2293 u32 newsid; 2294 int rc; 2295 2296 if (strcmp(name, XATTR_NAME_SELINUX)) { 2297 /* Not an attribute we recognize, so nothing to do. */ 2298 return; 2299 } 2300 2301 rc = security_context_to_sid(value, size, &newsid); 2302 if (rc) { 2303 printk(KERN_WARNING "%s: unable to obtain SID for context " 2304 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc); 2305 return; 2306 } 2307 2308 isec->sid = newsid; 2309 return; 2310 } 2311 2312 static int selinux_inode_getxattr (struct dentry *dentry, char *name) 2313 { 2314 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2315 } 2316 2317 static int selinux_inode_listxattr (struct dentry *dentry) 2318 { 2319 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2320 } 2321 2322 static int selinux_inode_removexattr (struct dentry *dentry, char *name) 2323 { 2324 if (strcmp(name, XATTR_NAME_SELINUX)) { 2325 if (!strncmp(name, XATTR_SECURITY_PREFIX, 2326 sizeof XATTR_SECURITY_PREFIX - 1) && 2327 !capable(CAP_SYS_ADMIN)) { 2328 /* A different attribute in the security namespace. 2329 Restrict to administrator. */ 2330 return -EPERM; 2331 } 2332 2333 /* Not an attribute we recognize, so just check the 2334 ordinary setattr permission. Might want a separate 2335 permission for removexattr. */ 2336 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2337 } 2338 2339 /* No one is allowed to remove a SELinux security label. 2340 You can change the label, but all data must be labeled. */ 2341 return -EACCES; 2342 } 2343 2344 static const char *selinux_inode_xattr_getsuffix(void) 2345 { 2346 return XATTR_SELINUX_SUFFIX; 2347 } 2348 2349 /* 2350 * Copy the in-core inode security context value to the user. If the 2351 * getxattr() prior to this succeeded, check to see if we need to 2352 * canonicalize the value to be finally returned to the user. 2353 * 2354 * Permission check is handled by selinux_inode_getxattr hook. 2355 */ 2356 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err) 2357 { 2358 struct inode_security_struct *isec = inode->i_security; 2359 2360 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2361 return -EOPNOTSUPP; 2362 2363 return selinux_getsecurity(isec->sid, buffer, size); 2364 } 2365 2366 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 2367 const void *value, size_t size, int flags) 2368 { 2369 struct inode_security_struct *isec = inode->i_security; 2370 u32 newsid; 2371 int rc; 2372 2373 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2374 return -EOPNOTSUPP; 2375 2376 if (!value || !size) 2377 return -EACCES; 2378 2379 rc = security_context_to_sid((void*)value, size, &newsid); 2380 if (rc) 2381 return rc; 2382 2383 isec->sid = newsid; 2384 return 0; 2385 } 2386 2387 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 2388 { 2389 const int len = sizeof(XATTR_NAME_SELINUX); 2390 if (buffer && len <= buffer_size) 2391 memcpy(buffer, XATTR_NAME_SELINUX, len); 2392 return len; 2393 } 2394 2395 /* file security operations */ 2396 2397 static int selinux_file_permission(struct file *file, int mask) 2398 { 2399 struct inode *inode = file->f_dentry->d_inode; 2400 2401 if (!mask) { 2402 /* No permission to check. Existence test. */ 2403 return 0; 2404 } 2405 2406 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 2407 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 2408 mask |= MAY_APPEND; 2409 2410 return file_has_perm(current, file, 2411 file_mask_to_av(inode->i_mode, mask)); 2412 } 2413 2414 static int selinux_file_alloc_security(struct file *file) 2415 { 2416 return file_alloc_security(file); 2417 } 2418 2419 static void selinux_file_free_security(struct file *file) 2420 { 2421 file_free_security(file); 2422 } 2423 2424 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 2425 unsigned long arg) 2426 { 2427 int error = 0; 2428 2429 switch (cmd) { 2430 case FIONREAD: 2431 /* fall through */ 2432 case FIBMAP: 2433 /* fall through */ 2434 case FIGETBSZ: 2435 /* fall through */ 2436 case EXT2_IOC_GETFLAGS: 2437 /* fall through */ 2438 case EXT2_IOC_GETVERSION: 2439 error = file_has_perm(current, file, FILE__GETATTR); 2440 break; 2441 2442 case EXT2_IOC_SETFLAGS: 2443 /* fall through */ 2444 case EXT2_IOC_SETVERSION: 2445 error = file_has_perm(current, file, FILE__SETATTR); 2446 break; 2447 2448 /* sys_ioctl() checks */ 2449 case FIONBIO: 2450 /* fall through */ 2451 case FIOASYNC: 2452 error = file_has_perm(current, file, 0); 2453 break; 2454 2455 case KDSKBENT: 2456 case KDSKBSENT: 2457 error = task_has_capability(current,CAP_SYS_TTY_CONFIG); 2458 break; 2459 2460 /* default case assumes that the command will go 2461 * to the file's ioctl() function. 2462 */ 2463 default: 2464 error = file_has_perm(current, file, FILE__IOCTL); 2465 2466 } 2467 return error; 2468 } 2469 2470 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 2471 { 2472 #ifndef CONFIG_PPC32 2473 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { 2474 /* 2475 * We are making executable an anonymous mapping or a 2476 * private file mapping that will also be writable. 2477 * This has an additional check. 2478 */ 2479 int rc = task_has_perm(current, current, PROCESS__EXECMEM); 2480 if (rc) 2481 return rc; 2482 } 2483 #endif 2484 2485 if (file) { 2486 /* read access is always possible with a mapping */ 2487 u32 av = FILE__READ; 2488 2489 /* write access only matters if the mapping is shared */ 2490 if (shared && (prot & PROT_WRITE)) 2491 av |= FILE__WRITE; 2492 2493 if (prot & PROT_EXEC) 2494 av |= FILE__EXECUTE; 2495 2496 return file_has_perm(current, file, av); 2497 } 2498 return 0; 2499 } 2500 2501 static int selinux_file_mmap(struct file *file, unsigned long reqprot, 2502 unsigned long prot, unsigned long flags) 2503 { 2504 int rc; 2505 2506 rc = secondary_ops->file_mmap(file, reqprot, prot, flags); 2507 if (rc) 2508 return rc; 2509 2510 if (selinux_checkreqprot) 2511 prot = reqprot; 2512 2513 return file_map_prot_check(file, prot, 2514 (flags & MAP_TYPE) == MAP_SHARED); 2515 } 2516 2517 static int selinux_file_mprotect(struct vm_area_struct *vma, 2518 unsigned long reqprot, 2519 unsigned long prot) 2520 { 2521 int rc; 2522 2523 rc = secondary_ops->file_mprotect(vma, reqprot, prot); 2524 if (rc) 2525 return rc; 2526 2527 if (selinux_checkreqprot) 2528 prot = reqprot; 2529 2530 #ifndef CONFIG_PPC32 2531 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 2532 rc = 0; 2533 if (vma->vm_start >= vma->vm_mm->start_brk && 2534 vma->vm_end <= vma->vm_mm->brk) { 2535 rc = task_has_perm(current, current, 2536 PROCESS__EXECHEAP); 2537 } else if (!vma->vm_file && 2538 vma->vm_start <= vma->vm_mm->start_stack && 2539 vma->vm_end >= vma->vm_mm->start_stack) { 2540 rc = task_has_perm(current, current, PROCESS__EXECSTACK); 2541 } else if (vma->vm_file && vma->anon_vma) { 2542 /* 2543 * We are making executable a file mapping that has 2544 * had some COW done. Since pages might have been 2545 * written, check ability to execute the possibly 2546 * modified content. This typically should only 2547 * occur for text relocations. 2548 */ 2549 rc = file_has_perm(current, vma->vm_file, 2550 FILE__EXECMOD); 2551 } 2552 if (rc) 2553 return rc; 2554 } 2555 #endif 2556 2557 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 2558 } 2559 2560 static int selinux_file_lock(struct file *file, unsigned int cmd) 2561 { 2562 return file_has_perm(current, file, FILE__LOCK); 2563 } 2564 2565 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 2566 unsigned long arg) 2567 { 2568 int err = 0; 2569 2570 switch (cmd) { 2571 case F_SETFL: 2572 if (!file->f_dentry || !file->f_dentry->d_inode) { 2573 err = -EINVAL; 2574 break; 2575 } 2576 2577 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 2578 err = file_has_perm(current, file,FILE__WRITE); 2579 break; 2580 } 2581 /* fall through */ 2582 case F_SETOWN: 2583 case F_SETSIG: 2584 case F_GETFL: 2585 case F_GETOWN: 2586 case F_GETSIG: 2587 /* Just check FD__USE permission */ 2588 err = file_has_perm(current, file, 0); 2589 break; 2590 case F_GETLK: 2591 case F_SETLK: 2592 case F_SETLKW: 2593 #if BITS_PER_LONG == 32 2594 case F_GETLK64: 2595 case F_SETLK64: 2596 case F_SETLKW64: 2597 #endif 2598 if (!file->f_dentry || !file->f_dentry->d_inode) { 2599 err = -EINVAL; 2600 break; 2601 } 2602 err = file_has_perm(current, file, FILE__LOCK); 2603 break; 2604 } 2605 2606 return err; 2607 } 2608 2609 static int selinux_file_set_fowner(struct file *file) 2610 { 2611 struct task_security_struct *tsec; 2612 struct file_security_struct *fsec; 2613 2614 tsec = current->security; 2615 fsec = file->f_security; 2616 fsec->fown_sid = tsec->sid; 2617 2618 return 0; 2619 } 2620 2621 static int selinux_file_send_sigiotask(struct task_struct *tsk, 2622 struct fown_struct *fown, int signum) 2623 { 2624 struct file *file; 2625 u32 perm; 2626 struct task_security_struct *tsec; 2627 struct file_security_struct *fsec; 2628 2629 /* struct fown_struct is never outside the context of a struct file */ 2630 file = (struct file *)((long)fown - offsetof(struct file,f_owner)); 2631 2632 tsec = tsk->security; 2633 fsec = file->f_security; 2634 2635 if (!signum) 2636 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 2637 else 2638 perm = signal_to_av(signum); 2639 2640 return avc_has_perm(fsec->fown_sid, tsec->sid, 2641 SECCLASS_PROCESS, perm, NULL); 2642 } 2643 2644 static int selinux_file_receive(struct file *file) 2645 { 2646 return file_has_perm(current, file, file_to_av(file)); 2647 } 2648 2649 /* task security operations */ 2650 2651 static int selinux_task_create(unsigned long clone_flags) 2652 { 2653 int rc; 2654 2655 rc = secondary_ops->task_create(clone_flags); 2656 if (rc) 2657 return rc; 2658 2659 return task_has_perm(current, current, PROCESS__FORK); 2660 } 2661 2662 static int selinux_task_alloc_security(struct task_struct *tsk) 2663 { 2664 struct task_security_struct *tsec1, *tsec2; 2665 int rc; 2666 2667 tsec1 = current->security; 2668 2669 rc = task_alloc_security(tsk); 2670 if (rc) 2671 return rc; 2672 tsec2 = tsk->security; 2673 2674 tsec2->osid = tsec1->osid; 2675 tsec2->sid = tsec1->sid; 2676 2677 /* Retain the exec, fs, key, and sock SIDs across fork */ 2678 tsec2->exec_sid = tsec1->exec_sid; 2679 tsec2->create_sid = tsec1->create_sid; 2680 tsec2->keycreate_sid = tsec1->keycreate_sid; 2681 tsec2->sockcreate_sid = tsec1->sockcreate_sid; 2682 2683 /* Retain ptracer SID across fork, if any. 2684 This will be reset by the ptrace hook upon any 2685 subsequent ptrace_attach operations. */ 2686 tsec2->ptrace_sid = tsec1->ptrace_sid; 2687 2688 return 0; 2689 } 2690 2691 static void selinux_task_free_security(struct task_struct *tsk) 2692 { 2693 task_free_security(tsk); 2694 } 2695 2696 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 2697 { 2698 /* Since setuid only affects the current process, and 2699 since the SELinux controls are not based on the Linux 2700 identity attributes, SELinux does not need to control 2701 this operation. However, SELinux does control the use 2702 of the CAP_SETUID and CAP_SETGID capabilities using the 2703 capable hook. */ 2704 return 0; 2705 } 2706 2707 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 2708 { 2709 return secondary_ops->task_post_setuid(id0,id1,id2,flags); 2710 } 2711 2712 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) 2713 { 2714 /* See the comment for setuid above. */ 2715 return 0; 2716 } 2717 2718 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 2719 { 2720 return task_has_perm(current, p, PROCESS__SETPGID); 2721 } 2722 2723 static int selinux_task_getpgid(struct task_struct *p) 2724 { 2725 return task_has_perm(current, p, PROCESS__GETPGID); 2726 } 2727 2728 static int selinux_task_getsid(struct task_struct *p) 2729 { 2730 return task_has_perm(current, p, PROCESS__GETSESSION); 2731 } 2732 2733 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 2734 { 2735 selinux_get_task_sid(p, secid); 2736 } 2737 2738 static int selinux_task_setgroups(struct group_info *group_info) 2739 { 2740 /* See the comment for setuid above. */ 2741 return 0; 2742 } 2743 2744 static int selinux_task_setnice(struct task_struct *p, int nice) 2745 { 2746 int rc; 2747 2748 rc = secondary_ops->task_setnice(p, nice); 2749 if (rc) 2750 return rc; 2751 2752 return task_has_perm(current,p, PROCESS__SETSCHED); 2753 } 2754 2755 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 2756 { 2757 return task_has_perm(current, p, PROCESS__SETSCHED); 2758 } 2759 2760 static int selinux_task_getioprio(struct task_struct *p) 2761 { 2762 return task_has_perm(current, p, PROCESS__GETSCHED); 2763 } 2764 2765 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) 2766 { 2767 struct rlimit *old_rlim = current->signal->rlim + resource; 2768 int rc; 2769 2770 rc = secondary_ops->task_setrlimit(resource, new_rlim); 2771 if (rc) 2772 return rc; 2773 2774 /* Control the ability to change the hard limit (whether 2775 lowering or raising it), so that the hard limit can 2776 later be used as a safe reset point for the soft limit 2777 upon context transitions. See selinux_bprm_apply_creds. */ 2778 if (old_rlim->rlim_max != new_rlim->rlim_max) 2779 return task_has_perm(current, current, PROCESS__SETRLIMIT); 2780 2781 return 0; 2782 } 2783 2784 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp) 2785 { 2786 return task_has_perm(current, p, PROCESS__SETSCHED); 2787 } 2788 2789 static int selinux_task_getscheduler(struct task_struct *p) 2790 { 2791 return task_has_perm(current, p, PROCESS__GETSCHED); 2792 } 2793 2794 static int selinux_task_movememory(struct task_struct *p) 2795 { 2796 return task_has_perm(current, p, PROCESS__SETSCHED); 2797 } 2798 2799 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 2800 int sig, u32 secid) 2801 { 2802 u32 perm; 2803 int rc; 2804 struct task_security_struct *tsec; 2805 2806 rc = secondary_ops->task_kill(p, info, sig, secid); 2807 if (rc) 2808 return rc; 2809 2810 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info))) 2811 return 0; 2812 2813 if (!sig) 2814 perm = PROCESS__SIGNULL; /* null signal; existence test */ 2815 else 2816 perm = signal_to_av(sig); 2817 tsec = p->security; 2818 if (secid) 2819 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL); 2820 else 2821 rc = task_has_perm(current, p, perm); 2822 return rc; 2823 } 2824 2825 static int selinux_task_prctl(int option, 2826 unsigned long arg2, 2827 unsigned long arg3, 2828 unsigned long arg4, 2829 unsigned long arg5) 2830 { 2831 /* The current prctl operations do not appear to require 2832 any SELinux controls since they merely observe or modify 2833 the state of the current process. */ 2834 return 0; 2835 } 2836 2837 static int selinux_task_wait(struct task_struct *p) 2838 { 2839 u32 perm; 2840 2841 perm = signal_to_av(p->exit_signal); 2842 2843 return task_has_perm(p, current, perm); 2844 } 2845 2846 static void selinux_task_reparent_to_init(struct task_struct *p) 2847 { 2848 struct task_security_struct *tsec; 2849 2850 secondary_ops->task_reparent_to_init(p); 2851 2852 tsec = p->security; 2853 tsec->osid = tsec->sid; 2854 tsec->sid = SECINITSID_KERNEL; 2855 return; 2856 } 2857 2858 static void selinux_task_to_inode(struct task_struct *p, 2859 struct inode *inode) 2860 { 2861 struct task_security_struct *tsec = p->security; 2862 struct inode_security_struct *isec = inode->i_security; 2863 2864 isec->sid = tsec->sid; 2865 isec->initialized = 1; 2866 return; 2867 } 2868 2869 /* Returns error only if unable to parse addresses */ 2870 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad) 2871 { 2872 int offset, ihlen, ret = -EINVAL; 2873 struct iphdr _iph, *ih; 2874 2875 offset = skb->nh.raw - skb->data; 2876 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 2877 if (ih == NULL) 2878 goto out; 2879 2880 ihlen = ih->ihl * 4; 2881 if (ihlen < sizeof(_iph)) 2882 goto out; 2883 2884 ad->u.net.v4info.saddr = ih->saddr; 2885 ad->u.net.v4info.daddr = ih->daddr; 2886 ret = 0; 2887 2888 switch (ih->protocol) { 2889 case IPPROTO_TCP: { 2890 struct tcphdr _tcph, *th; 2891 2892 if (ntohs(ih->frag_off) & IP_OFFSET) 2893 break; 2894 2895 offset += ihlen; 2896 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 2897 if (th == NULL) 2898 break; 2899 2900 ad->u.net.sport = th->source; 2901 ad->u.net.dport = th->dest; 2902 break; 2903 } 2904 2905 case IPPROTO_UDP: { 2906 struct udphdr _udph, *uh; 2907 2908 if (ntohs(ih->frag_off) & IP_OFFSET) 2909 break; 2910 2911 offset += ihlen; 2912 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 2913 if (uh == NULL) 2914 break; 2915 2916 ad->u.net.sport = uh->source; 2917 ad->u.net.dport = uh->dest; 2918 break; 2919 } 2920 2921 default: 2922 break; 2923 } 2924 out: 2925 return ret; 2926 } 2927 2928 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 2929 2930 /* Returns error only if unable to parse addresses */ 2931 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad) 2932 { 2933 u8 nexthdr; 2934 int ret = -EINVAL, offset; 2935 struct ipv6hdr _ipv6h, *ip6; 2936 2937 offset = skb->nh.raw - skb->data; 2938 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 2939 if (ip6 == NULL) 2940 goto out; 2941 2942 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr); 2943 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr); 2944 ret = 0; 2945 2946 nexthdr = ip6->nexthdr; 2947 offset += sizeof(_ipv6h); 2948 offset = ipv6_skip_exthdr(skb, offset, &nexthdr); 2949 if (offset < 0) 2950 goto out; 2951 2952 switch (nexthdr) { 2953 case IPPROTO_TCP: { 2954 struct tcphdr _tcph, *th; 2955 2956 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 2957 if (th == NULL) 2958 break; 2959 2960 ad->u.net.sport = th->source; 2961 ad->u.net.dport = th->dest; 2962 break; 2963 } 2964 2965 case IPPROTO_UDP: { 2966 struct udphdr _udph, *uh; 2967 2968 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 2969 if (uh == NULL) 2970 break; 2971 2972 ad->u.net.sport = uh->source; 2973 ad->u.net.dport = uh->dest; 2974 break; 2975 } 2976 2977 /* includes fragments */ 2978 default: 2979 break; 2980 } 2981 out: 2982 return ret; 2983 } 2984 2985 #endif /* IPV6 */ 2986 2987 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, 2988 char **addrp, int *len, int src) 2989 { 2990 int ret = 0; 2991 2992 switch (ad->u.net.family) { 2993 case PF_INET: 2994 ret = selinux_parse_skb_ipv4(skb, ad); 2995 if (ret || !addrp) 2996 break; 2997 *len = 4; 2998 *addrp = (char *)(src ? &ad->u.net.v4info.saddr : 2999 &ad->u.net.v4info.daddr); 3000 break; 3001 3002 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3003 case PF_INET6: 3004 ret = selinux_parse_skb_ipv6(skb, ad); 3005 if (ret || !addrp) 3006 break; 3007 *len = 16; 3008 *addrp = (char *)(src ? &ad->u.net.v6info.saddr : 3009 &ad->u.net.v6info.daddr); 3010 break; 3011 #endif /* IPV6 */ 3012 default: 3013 break; 3014 } 3015 3016 return ret; 3017 } 3018 3019 /* socket security operations */ 3020 static int socket_has_perm(struct task_struct *task, struct socket *sock, 3021 u32 perms) 3022 { 3023 struct inode_security_struct *isec; 3024 struct task_security_struct *tsec; 3025 struct avc_audit_data ad; 3026 int err = 0; 3027 3028 tsec = task->security; 3029 isec = SOCK_INODE(sock)->i_security; 3030 3031 if (isec->sid == SECINITSID_KERNEL) 3032 goto out; 3033 3034 AVC_AUDIT_DATA_INIT(&ad,NET); 3035 ad.u.net.sk = sock->sk; 3036 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 3037 3038 out: 3039 return err; 3040 } 3041 3042 static int selinux_socket_create(int family, int type, 3043 int protocol, int kern) 3044 { 3045 int err = 0; 3046 struct task_security_struct *tsec; 3047 u32 newsid; 3048 3049 if (kern) 3050 goto out; 3051 3052 tsec = current->security; 3053 newsid = tsec->sockcreate_sid ? : tsec->sid; 3054 err = avc_has_perm(tsec->sid, newsid, 3055 socket_type_to_security_class(family, type, 3056 protocol), SOCKET__CREATE, NULL); 3057 3058 out: 3059 return err; 3060 } 3061 3062 static void selinux_socket_post_create(struct socket *sock, int family, 3063 int type, int protocol, int kern) 3064 { 3065 struct inode_security_struct *isec; 3066 struct task_security_struct *tsec; 3067 u32 newsid; 3068 3069 isec = SOCK_INODE(sock)->i_security; 3070 3071 tsec = current->security; 3072 newsid = tsec->sockcreate_sid ? : tsec->sid; 3073 isec->sclass = socket_type_to_security_class(family, type, protocol); 3074 isec->sid = kern ? SECINITSID_KERNEL : newsid; 3075 isec->initialized = 1; 3076 3077 return; 3078 } 3079 3080 /* Range of port numbers used to automatically bind. 3081 Need to determine whether we should perform a name_bind 3082 permission check between the socket and the port number. */ 3083 #define ip_local_port_range_0 sysctl_local_port_range[0] 3084 #define ip_local_port_range_1 sysctl_local_port_range[1] 3085 3086 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 3087 { 3088 u16 family; 3089 int err; 3090 3091 err = socket_has_perm(current, sock, SOCKET__BIND); 3092 if (err) 3093 goto out; 3094 3095 /* 3096 * If PF_INET or PF_INET6, check name_bind permission for the port. 3097 * Multiple address binding for SCTP is not supported yet: we just 3098 * check the first address now. 3099 */ 3100 family = sock->sk->sk_family; 3101 if (family == PF_INET || family == PF_INET6) { 3102 char *addrp; 3103 struct inode_security_struct *isec; 3104 struct task_security_struct *tsec; 3105 struct avc_audit_data ad; 3106 struct sockaddr_in *addr4 = NULL; 3107 struct sockaddr_in6 *addr6 = NULL; 3108 unsigned short snum; 3109 struct sock *sk = sock->sk; 3110 u32 sid, node_perm, addrlen; 3111 3112 tsec = current->security; 3113 isec = SOCK_INODE(sock)->i_security; 3114 3115 if (family == PF_INET) { 3116 addr4 = (struct sockaddr_in *)address; 3117 snum = ntohs(addr4->sin_port); 3118 addrlen = sizeof(addr4->sin_addr.s_addr); 3119 addrp = (char *)&addr4->sin_addr.s_addr; 3120 } else { 3121 addr6 = (struct sockaddr_in6 *)address; 3122 snum = ntohs(addr6->sin6_port); 3123 addrlen = sizeof(addr6->sin6_addr.s6_addr); 3124 addrp = (char *)&addr6->sin6_addr.s6_addr; 3125 } 3126 3127 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) || 3128 snum > ip_local_port_range_1)) { 3129 err = security_port_sid(sk->sk_family, sk->sk_type, 3130 sk->sk_protocol, snum, &sid); 3131 if (err) 3132 goto out; 3133 AVC_AUDIT_DATA_INIT(&ad,NET); 3134 ad.u.net.sport = htons(snum); 3135 ad.u.net.family = family; 3136 err = avc_has_perm(isec->sid, sid, 3137 isec->sclass, 3138 SOCKET__NAME_BIND, &ad); 3139 if (err) 3140 goto out; 3141 } 3142 3143 switch(isec->sclass) { 3144 case SECCLASS_TCP_SOCKET: 3145 node_perm = TCP_SOCKET__NODE_BIND; 3146 break; 3147 3148 case SECCLASS_UDP_SOCKET: 3149 node_perm = UDP_SOCKET__NODE_BIND; 3150 break; 3151 3152 default: 3153 node_perm = RAWIP_SOCKET__NODE_BIND; 3154 break; 3155 } 3156 3157 err = security_node_sid(family, addrp, addrlen, &sid); 3158 if (err) 3159 goto out; 3160 3161 AVC_AUDIT_DATA_INIT(&ad,NET); 3162 ad.u.net.sport = htons(snum); 3163 ad.u.net.family = family; 3164 3165 if (family == PF_INET) 3166 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr; 3167 else 3168 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr); 3169 3170 err = avc_has_perm(isec->sid, sid, 3171 isec->sclass, node_perm, &ad); 3172 if (err) 3173 goto out; 3174 } 3175 out: 3176 return err; 3177 } 3178 3179 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 3180 { 3181 struct inode_security_struct *isec; 3182 int err; 3183 3184 err = socket_has_perm(current, sock, SOCKET__CONNECT); 3185 if (err) 3186 return err; 3187 3188 /* 3189 * If a TCP socket, check name_connect permission for the port. 3190 */ 3191 isec = SOCK_INODE(sock)->i_security; 3192 if (isec->sclass == SECCLASS_TCP_SOCKET) { 3193 struct sock *sk = sock->sk; 3194 struct avc_audit_data ad; 3195 struct sockaddr_in *addr4 = NULL; 3196 struct sockaddr_in6 *addr6 = NULL; 3197 unsigned short snum; 3198 u32 sid; 3199 3200 if (sk->sk_family == PF_INET) { 3201 addr4 = (struct sockaddr_in *)address; 3202 if (addrlen < sizeof(struct sockaddr_in)) 3203 return -EINVAL; 3204 snum = ntohs(addr4->sin_port); 3205 } else { 3206 addr6 = (struct sockaddr_in6 *)address; 3207 if (addrlen < SIN6_LEN_RFC2133) 3208 return -EINVAL; 3209 snum = ntohs(addr6->sin6_port); 3210 } 3211 3212 err = security_port_sid(sk->sk_family, sk->sk_type, 3213 sk->sk_protocol, snum, &sid); 3214 if (err) 3215 goto out; 3216 3217 AVC_AUDIT_DATA_INIT(&ad,NET); 3218 ad.u.net.dport = htons(snum); 3219 ad.u.net.family = sk->sk_family; 3220 err = avc_has_perm(isec->sid, sid, isec->sclass, 3221 TCP_SOCKET__NAME_CONNECT, &ad); 3222 if (err) 3223 goto out; 3224 } 3225 3226 out: 3227 return err; 3228 } 3229 3230 static int selinux_socket_listen(struct socket *sock, int backlog) 3231 { 3232 return socket_has_perm(current, sock, SOCKET__LISTEN); 3233 } 3234 3235 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 3236 { 3237 int err; 3238 struct inode_security_struct *isec; 3239 struct inode_security_struct *newisec; 3240 3241 err = socket_has_perm(current, sock, SOCKET__ACCEPT); 3242 if (err) 3243 return err; 3244 3245 newisec = SOCK_INODE(newsock)->i_security; 3246 3247 isec = SOCK_INODE(sock)->i_security; 3248 newisec->sclass = isec->sclass; 3249 newisec->sid = isec->sid; 3250 newisec->initialized = 1; 3251 3252 return 0; 3253 } 3254 3255 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3256 int size) 3257 { 3258 return socket_has_perm(current, sock, SOCKET__WRITE); 3259 } 3260 3261 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 3262 int size, int flags) 3263 { 3264 return socket_has_perm(current, sock, SOCKET__READ); 3265 } 3266 3267 static int selinux_socket_getsockname(struct socket *sock) 3268 { 3269 return socket_has_perm(current, sock, SOCKET__GETATTR); 3270 } 3271 3272 static int selinux_socket_getpeername(struct socket *sock) 3273 { 3274 return socket_has_perm(current, sock, SOCKET__GETATTR); 3275 } 3276 3277 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname) 3278 { 3279 return socket_has_perm(current, sock, SOCKET__SETOPT); 3280 } 3281 3282 static int selinux_socket_getsockopt(struct socket *sock, int level, 3283 int optname) 3284 { 3285 return socket_has_perm(current, sock, SOCKET__GETOPT); 3286 } 3287 3288 static int selinux_socket_shutdown(struct socket *sock, int how) 3289 { 3290 return socket_has_perm(current, sock, SOCKET__SHUTDOWN); 3291 } 3292 3293 static int selinux_socket_unix_stream_connect(struct socket *sock, 3294 struct socket *other, 3295 struct sock *newsk) 3296 { 3297 struct sk_security_struct *ssec; 3298 struct inode_security_struct *isec; 3299 struct inode_security_struct *other_isec; 3300 struct avc_audit_data ad; 3301 int err; 3302 3303 err = secondary_ops->unix_stream_connect(sock, other, newsk); 3304 if (err) 3305 return err; 3306 3307 isec = SOCK_INODE(sock)->i_security; 3308 other_isec = SOCK_INODE(other)->i_security; 3309 3310 AVC_AUDIT_DATA_INIT(&ad,NET); 3311 ad.u.net.sk = other->sk; 3312 3313 err = avc_has_perm(isec->sid, other_isec->sid, 3314 isec->sclass, 3315 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 3316 if (err) 3317 return err; 3318 3319 /* connecting socket */ 3320 ssec = sock->sk->sk_security; 3321 ssec->peer_sid = other_isec->sid; 3322 3323 /* server child socket */ 3324 ssec = newsk->sk_security; 3325 ssec->peer_sid = isec->sid; 3326 3327 return 0; 3328 } 3329 3330 static int selinux_socket_unix_may_send(struct socket *sock, 3331 struct socket *other) 3332 { 3333 struct inode_security_struct *isec; 3334 struct inode_security_struct *other_isec; 3335 struct avc_audit_data ad; 3336 int err; 3337 3338 isec = SOCK_INODE(sock)->i_security; 3339 other_isec = SOCK_INODE(other)->i_security; 3340 3341 AVC_AUDIT_DATA_INIT(&ad,NET); 3342 ad.u.net.sk = other->sk; 3343 3344 err = avc_has_perm(isec->sid, other_isec->sid, 3345 isec->sclass, SOCKET__SENDTO, &ad); 3346 if (err) 3347 return err; 3348 3349 return 0; 3350 } 3351 3352 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 3353 struct avc_audit_data *ad, u32 sock_sid, u16 sock_class, 3354 u16 family, char *addrp, int len) 3355 { 3356 int err = 0; 3357 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0; 3358 3359 if (!skb->dev) 3360 goto out; 3361 3362 err = sel_netif_sids(skb->dev, &if_sid, NULL); 3363 if (err) 3364 goto out; 3365 3366 switch (sock_class) { 3367 case SECCLASS_UDP_SOCKET: 3368 netif_perm = NETIF__UDP_RECV; 3369 node_perm = NODE__UDP_RECV; 3370 recv_perm = UDP_SOCKET__RECV_MSG; 3371 break; 3372 3373 case SECCLASS_TCP_SOCKET: 3374 netif_perm = NETIF__TCP_RECV; 3375 node_perm = NODE__TCP_RECV; 3376 recv_perm = TCP_SOCKET__RECV_MSG; 3377 break; 3378 3379 default: 3380 netif_perm = NETIF__RAWIP_RECV; 3381 node_perm = NODE__RAWIP_RECV; 3382 break; 3383 } 3384 3385 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 3386 if (err) 3387 goto out; 3388 3389 err = security_node_sid(family, addrp, len, &node_sid); 3390 if (err) 3391 goto out; 3392 3393 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad); 3394 if (err) 3395 goto out; 3396 3397 if (recv_perm) { 3398 u32 port_sid; 3399 3400 err = security_port_sid(sk->sk_family, sk->sk_type, 3401 sk->sk_protocol, ntohs(ad->u.net.sport), 3402 &port_sid); 3403 if (err) 3404 goto out; 3405 3406 err = avc_has_perm(sock_sid, port_sid, 3407 sock_class, recv_perm, ad); 3408 } 3409 3410 out: 3411 return err; 3412 } 3413 3414 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3415 { 3416 u16 family; 3417 u16 sock_class = 0; 3418 char *addrp; 3419 int len, err = 0; 3420 u32 sock_sid = 0; 3421 struct socket *sock; 3422 struct avc_audit_data ad; 3423 3424 family = sk->sk_family; 3425 if (family != PF_INET && family != PF_INET6) 3426 goto out; 3427 3428 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 3429 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP)) 3430 family = PF_INET; 3431 3432 read_lock_bh(&sk->sk_callback_lock); 3433 sock = sk->sk_socket; 3434 if (sock) { 3435 struct inode *inode; 3436 inode = SOCK_INODE(sock); 3437 if (inode) { 3438 struct inode_security_struct *isec; 3439 isec = inode->i_security; 3440 sock_sid = isec->sid; 3441 sock_class = isec->sclass; 3442 } 3443 } 3444 read_unlock_bh(&sk->sk_callback_lock); 3445 if (!sock_sid) 3446 goto out; 3447 3448 AVC_AUDIT_DATA_INIT(&ad, NET); 3449 ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]"; 3450 ad.u.net.family = family; 3451 3452 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1); 3453 if (err) 3454 goto out; 3455 3456 if (selinux_compat_net) 3457 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, sock_sid, 3458 sock_class, family, 3459 addrp, len); 3460 else 3461 err = avc_has_perm(sock_sid, skb->secmark, SECCLASS_PACKET, 3462 PACKET__RECV, &ad); 3463 if (err) 3464 goto out; 3465 3466 err = selinux_xfrm_sock_rcv_skb(sock_sid, skb); 3467 out: 3468 return err; 3469 } 3470 3471 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 3472 int __user *optlen, unsigned len) 3473 { 3474 int err = 0; 3475 char *scontext; 3476 u32 scontext_len; 3477 struct sk_security_struct *ssec; 3478 struct inode_security_struct *isec; 3479 u32 peer_sid = 0; 3480 3481 isec = SOCK_INODE(sock)->i_security; 3482 3483 /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */ 3484 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) { 3485 ssec = sock->sk->sk_security; 3486 peer_sid = ssec->peer_sid; 3487 } 3488 else if (isec->sclass == SECCLASS_TCP_SOCKET) { 3489 peer_sid = selinux_socket_getpeer_stream(sock->sk); 3490 3491 if (peer_sid == SECSID_NULL) { 3492 err = -ENOPROTOOPT; 3493 goto out; 3494 } 3495 } 3496 else { 3497 err = -ENOPROTOOPT; 3498 goto out; 3499 } 3500 3501 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 3502 3503 if (err) 3504 goto out; 3505 3506 if (scontext_len > len) { 3507 err = -ERANGE; 3508 goto out_len; 3509 } 3510 3511 if (copy_to_user(optval, scontext, scontext_len)) 3512 err = -EFAULT; 3513 3514 out_len: 3515 if (put_user(scontext_len, optlen)) 3516 err = -EFAULT; 3517 3518 kfree(scontext); 3519 out: 3520 return err; 3521 } 3522 3523 static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen) 3524 { 3525 int err = 0; 3526 u32 peer_sid; 3527 3528 if (skb->sk->sk_family == PF_UNIX) 3529 selinux_get_inode_sid(SOCK_INODE(skb->sk->sk_socket), 3530 &peer_sid); 3531 else 3532 peer_sid = selinux_socket_getpeer_dgram(skb); 3533 3534 if (peer_sid == SECSID_NULL) 3535 return -EINVAL; 3536 3537 err = security_sid_to_context(peer_sid, secdata, seclen); 3538 if (err) 3539 return err; 3540 3541 return 0; 3542 } 3543 3544 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 3545 { 3546 return sk_alloc_security(sk, family, priority); 3547 } 3548 3549 static void selinux_sk_free_security(struct sock *sk) 3550 { 3551 sk_free_security(sk); 3552 } 3553 3554 static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir) 3555 { 3556 struct inode_security_struct *isec; 3557 u32 sock_sid = SECINITSID_ANY_SOCKET; 3558 3559 if (!sk) 3560 return selinux_no_sk_sid(fl); 3561 3562 read_lock_bh(&sk->sk_callback_lock); 3563 isec = get_sock_isec(sk); 3564 3565 if (isec) 3566 sock_sid = isec->sid; 3567 3568 read_unlock_bh(&sk->sk_callback_lock); 3569 return sock_sid; 3570 } 3571 3572 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 3573 { 3574 int err = 0; 3575 u32 perm; 3576 struct nlmsghdr *nlh; 3577 struct socket *sock = sk->sk_socket; 3578 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 3579 3580 if (skb->len < NLMSG_SPACE(0)) { 3581 err = -EINVAL; 3582 goto out; 3583 } 3584 nlh = (struct nlmsghdr *)skb->data; 3585 3586 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); 3587 if (err) { 3588 if (err == -EINVAL) { 3589 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR, 3590 "SELinux: unrecognized netlink message" 3591 " type=%hu for sclass=%hu\n", 3592 nlh->nlmsg_type, isec->sclass); 3593 if (!selinux_enforcing) 3594 err = 0; 3595 } 3596 3597 /* Ignore */ 3598 if (err == -ENOENT) 3599 err = 0; 3600 goto out; 3601 } 3602 3603 err = socket_has_perm(current, sock, perm); 3604 out: 3605 return err; 3606 } 3607 3608 #ifdef CONFIG_NETFILTER 3609 3610 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev, 3611 struct inode_security_struct *isec, 3612 struct avc_audit_data *ad, 3613 u16 family, char *addrp, int len) 3614 { 3615 int err; 3616 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0; 3617 3618 err = sel_netif_sids(dev, &if_sid, NULL); 3619 if (err) 3620 goto out; 3621 3622 switch (isec->sclass) { 3623 case SECCLASS_UDP_SOCKET: 3624 netif_perm = NETIF__UDP_SEND; 3625 node_perm = NODE__UDP_SEND; 3626 send_perm = UDP_SOCKET__SEND_MSG; 3627 break; 3628 3629 case SECCLASS_TCP_SOCKET: 3630 netif_perm = NETIF__TCP_SEND; 3631 node_perm = NODE__TCP_SEND; 3632 send_perm = TCP_SOCKET__SEND_MSG; 3633 break; 3634 3635 default: 3636 netif_perm = NETIF__RAWIP_SEND; 3637 node_perm = NODE__RAWIP_SEND; 3638 break; 3639 } 3640 3641 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 3642 if (err) 3643 goto out; 3644 3645 err = security_node_sid(family, addrp, len, &node_sid); 3646 if (err) 3647 goto out; 3648 3649 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad); 3650 if (err) 3651 goto out; 3652 3653 if (send_perm) { 3654 u32 port_sid; 3655 3656 err = security_port_sid(sk->sk_family, 3657 sk->sk_type, 3658 sk->sk_protocol, 3659 ntohs(ad->u.net.dport), 3660 &port_sid); 3661 if (err) 3662 goto out; 3663 3664 err = avc_has_perm(isec->sid, port_sid, isec->sclass, 3665 send_perm, ad); 3666 } 3667 out: 3668 return err; 3669 } 3670 3671 static unsigned int selinux_ip_postroute_last(unsigned int hooknum, 3672 struct sk_buff **pskb, 3673 const struct net_device *in, 3674 const struct net_device *out, 3675 int (*okfn)(struct sk_buff *), 3676 u16 family) 3677 { 3678 char *addrp; 3679 int len, err = 0; 3680 struct sock *sk; 3681 struct socket *sock; 3682 struct inode *inode; 3683 struct sk_buff *skb = *pskb; 3684 struct inode_security_struct *isec; 3685 struct avc_audit_data ad; 3686 struct net_device *dev = (struct net_device *)out; 3687 3688 sk = skb->sk; 3689 if (!sk) 3690 goto out; 3691 3692 sock = sk->sk_socket; 3693 if (!sock) 3694 goto out; 3695 3696 inode = SOCK_INODE(sock); 3697 if (!inode) 3698 goto out; 3699 3700 isec = inode->i_security; 3701 3702 AVC_AUDIT_DATA_INIT(&ad, NET); 3703 ad.u.net.netif = dev->name; 3704 ad.u.net.family = family; 3705 3706 err = selinux_parse_skb(skb, &ad, &addrp, &len, 0); 3707 if (err) 3708 goto out; 3709 3710 if (selinux_compat_net) 3711 err = selinux_ip_postroute_last_compat(sk, dev, isec, &ad, 3712 family, addrp, len); 3713 else 3714 err = avc_has_perm(isec->sid, skb->secmark, SECCLASS_PACKET, 3715 PACKET__SEND, &ad); 3716 3717 if (err) 3718 goto out; 3719 3720 err = selinux_xfrm_postroute_last(isec->sid, skb); 3721 out: 3722 return err ? NF_DROP : NF_ACCEPT; 3723 } 3724 3725 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum, 3726 struct sk_buff **pskb, 3727 const struct net_device *in, 3728 const struct net_device *out, 3729 int (*okfn)(struct sk_buff *)) 3730 { 3731 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET); 3732 } 3733 3734 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3735 3736 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum, 3737 struct sk_buff **pskb, 3738 const struct net_device *in, 3739 const struct net_device *out, 3740 int (*okfn)(struct sk_buff *)) 3741 { 3742 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6); 3743 } 3744 3745 #endif /* IPV6 */ 3746 3747 #endif /* CONFIG_NETFILTER */ 3748 3749 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 3750 { 3751 int err; 3752 3753 err = secondary_ops->netlink_send(sk, skb); 3754 if (err) 3755 return err; 3756 3757 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS) 3758 err = selinux_nlmsg_perm(sk, skb); 3759 3760 return err; 3761 } 3762 3763 static int selinux_netlink_recv(struct sk_buff *skb, int capability) 3764 { 3765 int err; 3766 struct avc_audit_data ad; 3767 3768 err = secondary_ops->netlink_recv(skb, capability); 3769 if (err) 3770 return err; 3771 3772 AVC_AUDIT_DATA_INIT(&ad, CAP); 3773 ad.u.cap = capability; 3774 3775 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, 3776 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad); 3777 } 3778 3779 static int ipc_alloc_security(struct task_struct *task, 3780 struct kern_ipc_perm *perm, 3781 u16 sclass) 3782 { 3783 struct task_security_struct *tsec = task->security; 3784 struct ipc_security_struct *isec; 3785 3786 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 3787 if (!isec) 3788 return -ENOMEM; 3789 3790 isec->sclass = sclass; 3791 isec->ipc_perm = perm; 3792 isec->sid = tsec->sid; 3793 perm->security = isec; 3794 3795 return 0; 3796 } 3797 3798 static void ipc_free_security(struct kern_ipc_perm *perm) 3799 { 3800 struct ipc_security_struct *isec = perm->security; 3801 perm->security = NULL; 3802 kfree(isec); 3803 } 3804 3805 static int msg_msg_alloc_security(struct msg_msg *msg) 3806 { 3807 struct msg_security_struct *msec; 3808 3809 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 3810 if (!msec) 3811 return -ENOMEM; 3812 3813 msec->msg = msg; 3814 msec->sid = SECINITSID_UNLABELED; 3815 msg->security = msec; 3816 3817 return 0; 3818 } 3819 3820 static void msg_msg_free_security(struct msg_msg *msg) 3821 { 3822 struct msg_security_struct *msec = msg->security; 3823 3824 msg->security = NULL; 3825 kfree(msec); 3826 } 3827 3828 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 3829 u32 perms) 3830 { 3831 struct task_security_struct *tsec; 3832 struct ipc_security_struct *isec; 3833 struct avc_audit_data ad; 3834 3835 tsec = current->security; 3836 isec = ipc_perms->security; 3837 3838 AVC_AUDIT_DATA_INIT(&ad, IPC); 3839 ad.u.ipc_id = ipc_perms->key; 3840 3841 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 3842 } 3843 3844 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 3845 { 3846 return msg_msg_alloc_security(msg); 3847 } 3848 3849 static void selinux_msg_msg_free_security(struct msg_msg *msg) 3850 { 3851 msg_msg_free_security(msg); 3852 } 3853 3854 /* message queue security operations */ 3855 static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 3856 { 3857 struct task_security_struct *tsec; 3858 struct ipc_security_struct *isec; 3859 struct avc_audit_data ad; 3860 int rc; 3861 3862 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ); 3863 if (rc) 3864 return rc; 3865 3866 tsec = current->security; 3867 isec = msq->q_perm.security; 3868 3869 AVC_AUDIT_DATA_INIT(&ad, IPC); 3870 ad.u.ipc_id = msq->q_perm.key; 3871 3872 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 3873 MSGQ__CREATE, &ad); 3874 if (rc) { 3875 ipc_free_security(&msq->q_perm); 3876 return rc; 3877 } 3878 return 0; 3879 } 3880 3881 static void selinux_msg_queue_free_security(struct msg_queue *msq) 3882 { 3883 ipc_free_security(&msq->q_perm); 3884 } 3885 3886 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 3887 { 3888 struct task_security_struct *tsec; 3889 struct ipc_security_struct *isec; 3890 struct avc_audit_data ad; 3891 3892 tsec = current->security; 3893 isec = msq->q_perm.security; 3894 3895 AVC_AUDIT_DATA_INIT(&ad, IPC); 3896 ad.u.ipc_id = msq->q_perm.key; 3897 3898 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 3899 MSGQ__ASSOCIATE, &ad); 3900 } 3901 3902 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 3903 { 3904 int err; 3905 int perms; 3906 3907 switch(cmd) { 3908 case IPC_INFO: 3909 case MSG_INFO: 3910 /* No specific object, just general system-wide information. */ 3911 return task_has_system(current, SYSTEM__IPC_INFO); 3912 case IPC_STAT: 3913 case MSG_STAT: 3914 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 3915 break; 3916 case IPC_SET: 3917 perms = MSGQ__SETATTR; 3918 break; 3919 case IPC_RMID: 3920 perms = MSGQ__DESTROY; 3921 break; 3922 default: 3923 return 0; 3924 } 3925 3926 err = ipc_has_perm(&msq->q_perm, perms); 3927 return err; 3928 } 3929 3930 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 3931 { 3932 struct task_security_struct *tsec; 3933 struct ipc_security_struct *isec; 3934 struct msg_security_struct *msec; 3935 struct avc_audit_data ad; 3936 int rc; 3937 3938 tsec = current->security; 3939 isec = msq->q_perm.security; 3940 msec = msg->security; 3941 3942 /* 3943 * First time through, need to assign label to the message 3944 */ 3945 if (msec->sid == SECINITSID_UNLABELED) { 3946 /* 3947 * Compute new sid based on current process and 3948 * message queue this message will be stored in 3949 */ 3950 rc = security_transition_sid(tsec->sid, 3951 isec->sid, 3952 SECCLASS_MSG, 3953 &msec->sid); 3954 if (rc) 3955 return rc; 3956 } 3957 3958 AVC_AUDIT_DATA_INIT(&ad, IPC); 3959 ad.u.ipc_id = msq->q_perm.key; 3960 3961 /* Can this process write to the queue? */ 3962 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 3963 MSGQ__WRITE, &ad); 3964 if (!rc) 3965 /* Can this process send the message */ 3966 rc = avc_has_perm(tsec->sid, msec->sid, 3967 SECCLASS_MSG, MSG__SEND, &ad); 3968 if (!rc) 3969 /* Can the message be put in the queue? */ 3970 rc = avc_has_perm(msec->sid, isec->sid, 3971 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad); 3972 3973 return rc; 3974 } 3975 3976 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 3977 struct task_struct *target, 3978 long type, int mode) 3979 { 3980 struct task_security_struct *tsec; 3981 struct ipc_security_struct *isec; 3982 struct msg_security_struct *msec; 3983 struct avc_audit_data ad; 3984 int rc; 3985 3986 tsec = target->security; 3987 isec = msq->q_perm.security; 3988 msec = msg->security; 3989 3990 AVC_AUDIT_DATA_INIT(&ad, IPC); 3991 ad.u.ipc_id = msq->q_perm.key; 3992 3993 rc = avc_has_perm(tsec->sid, isec->sid, 3994 SECCLASS_MSGQ, MSGQ__READ, &ad); 3995 if (!rc) 3996 rc = avc_has_perm(tsec->sid, msec->sid, 3997 SECCLASS_MSG, MSG__RECEIVE, &ad); 3998 return rc; 3999 } 4000 4001 /* Shared Memory security operations */ 4002 static int selinux_shm_alloc_security(struct shmid_kernel *shp) 4003 { 4004 struct task_security_struct *tsec; 4005 struct ipc_security_struct *isec; 4006 struct avc_audit_data ad; 4007 int rc; 4008 4009 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM); 4010 if (rc) 4011 return rc; 4012 4013 tsec = current->security; 4014 isec = shp->shm_perm.security; 4015 4016 AVC_AUDIT_DATA_INIT(&ad, IPC); 4017 ad.u.ipc_id = shp->shm_perm.key; 4018 4019 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 4020 SHM__CREATE, &ad); 4021 if (rc) { 4022 ipc_free_security(&shp->shm_perm); 4023 return rc; 4024 } 4025 return 0; 4026 } 4027 4028 static void selinux_shm_free_security(struct shmid_kernel *shp) 4029 { 4030 ipc_free_security(&shp->shm_perm); 4031 } 4032 4033 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 4034 { 4035 struct task_security_struct *tsec; 4036 struct ipc_security_struct *isec; 4037 struct avc_audit_data ad; 4038 4039 tsec = current->security; 4040 isec = shp->shm_perm.security; 4041 4042 AVC_AUDIT_DATA_INIT(&ad, IPC); 4043 ad.u.ipc_id = shp->shm_perm.key; 4044 4045 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 4046 SHM__ASSOCIATE, &ad); 4047 } 4048 4049 /* Note, at this point, shp is locked down */ 4050 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 4051 { 4052 int perms; 4053 int err; 4054 4055 switch(cmd) { 4056 case IPC_INFO: 4057 case SHM_INFO: 4058 /* No specific object, just general system-wide information. */ 4059 return task_has_system(current, SYSTEM__IPC_INFO); 4060 case IPC_STAT: 4061 case SHM_STAT: 4062 perms = SHM__GETATTR | SHM__ASSOCIATE; 4063 break; 4064 case IPC_SET: 4065 perms = SHM__SETATTR; 4066 break; 4067 case SHM_LOCK: 4068 case SHM_UNLOCK: 4069 perms = SHM__LOCK; 4070 break; 4071 case IPC_RMID: 4072 perms = SHM__DESTROY; 4073 break; 4074 default: 4075 return 0; 4076 } 4077 4078 err = ipc_has_perm(&shp->shm_perm, perms); 4079 return err; 4080 } 4081 4082 static int selinux_shm_shmat(struct shmid_kernel *shp, 4083 char __user *shmaddr, int shmflg) 4084 { 4085 u32 perms; 4086 int rc; 4087 4088 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg); 4089 if (rc) 4090 return rc; 4091 4092 if (shmflg & SHM_RDONLY) 4093 perms = SHM__READ; 4094 else 4095 perms = SHM__READ | SHM__WRITE; 4096 4097 return ipc_has_perm(&shp->shm_perm, perms); 4098 } 4099 4100 /* Semaphore security operations */ 4101 static int selinux_sem_alloc_security(struct sem_array *sma) 4102 { 4103 struct task_security_struct *tsec; 4104 struct ipc_security_struct *isec; 4105 struct avc_audit_data ad; 4106 int rc; 4107 4108 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM); 4109 if (rc) 4110 return rc; 4111 4112 tsec = current->security; 4113 isec = sma->sem_perm.security; 4114 4115 AVC_AUDIT_DATA_INIT(&ad, IPC); 4116 ad.u.ipc_id = sma->sem_perm.key; 4117 4118 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 4119 SEM__CREATE, &ad); 4120 if (rc) { 4121 ipc_free_security(&sma->sem_perm); 4122 return rc; 4123 } 4124 return 0; 4125 } 4126 4127 static void selinux_sem_free_security(struct sem_array *sma) 4128 { 4129 ipc_free_security(&sma->sem_perm); 4130 } 4131 4132 static int selinux_sem_associate(struct sem_array *sma, int semflg) 4133 { 4134 struct task_security_struct *tsec; 4135 struct ipc_security_struct *isec; 4136 struct avc_audit_data ad; 4137 4138 tsec = current->security; 4139 isec = sma->sem_perm.security; 4140 4141 AVC_AUDIT_DATA_INIT(&ad, IPC); 4142 ad.u.ipc_id = sma->sem_perm.key; 4143 4144 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 4145 SEM__ASSOCIATE, &ad); 4146 } 4147 4148 /* Note, at this point, sma is locked down */ 4149 static int selinux_sem_semctl(struct sem_array *sma, int cmd) 4150 { 4151 int err; 4152 u32 perms; 4153 4154 switch(cmd) { 4155 case IPC_INFO: 4156 case SEM_INFO: 4157 /* No specific object, just general system-wide information. */ 4158 return task_has_system(current, SYSTEM__IPC_INFO); 4159 case GETPID: 4160 case GETNCNT: 4161 case GETZCNT: 4162 perms = SEM__GETATTR; 4163 break; 4164 case GETVAL: 4165 case GETALL: 4166 perms = SEM__READ; 4167 break; 4168 case SETVAL: 4169 case SETALL: 4170 perms = SEM__WRITE; 4171 break; 4172 case IPC_RMID: 4173 perms = SEM__DESTROY; 4174 break; 4175 case IPC_SET: 4176 perms = SEM__SETATTR; 4177 break; 4178 case IPC_STAT: 4179 case SEM_STAT: 4180 perms = SEM__GETATTR | SEM__ASSOCIATE; 4181 break; 4182 default: 4183 return 0; 4184 } 4185 4186 err = ipc_has_perm(&sma->sem_perm, perms); 4187 return err; 4188 } 4189 4190 static int selinux_sem_semop(struct sem_array *sma, 4191 struct sembuf *sops, unsigned nsops, int alter) 4192 { 4193 u32 perms; 4194 4195 if (alter) 4196 perms = SEM__READ | SEM__WRITE; 4197 else 4198 perms = SEM__READ; 4199 4200 return ipc_has_perm(&sma->sem_perm, perms); 4201 } 4202 4203 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 4204 { 4205 u32 av = 0; 4206 4207 av = 0; 4208 if (flag & S_IRUGO) 4209 av |= IPC__UNIX_READ; 4210 if (flag & S_IWUGO) 4211 av |= IPC__UNIX_WRITE; 4212 4213 if (av == 0) 4214 return 0; 4215 4216 return ipc_has_perm(ipcp, av); 4217 } 4218 4219 /* module stacking operations */ 4220 static int selinux_register_security (const char *name, struct security_operations *ops) 4221 { 4222 if (secondary_ops != original_ops) { 4223 printk(KERN_INFO "%s: There is already a secondary security " 4224 "module registered.\n", __FUNCTION__); 4225 return -EINVAL; 4226 } 4227 4228 secondary_ops = ops; 4229 4230 printk(KERN_INFO "%s: Registering secondary module %s\n", 4231 __FUNCTION__, 4232 name); 4233 4234 return 0; 4235 } 4236 4237 static int selinux_unregister_security (const char *name, struct security_operations *ops) 4238 { 4239 if (ops != secondary_ops) { 4240 printk (KERN_INFO "%s: trying to unregister a security module " 4241 "that is not registered.\n", __FUNCTION__); 4242 return -EINVAL; 4243 } 4244 4245 secondary_ops = original_ops; 4246 4247 return 0; 4248 } 4249 4250 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode) 4251 { 4252 if (inode) 4253 inode_doinit_with_dentry(inode, dentry); 4254 } 4255 4256 static int selinux_getprocattr(struct task_struct *p, 4257 char *name, void *value, size_t size) 4258 { 4259 struct task_security_struct *tsec; 4260 u32 sid; 4261 int error; 4262 4263 if (current != p) { 4264 error = task_has_perm(current, p, PROCESS__GETATTR); 4265 if (error) 4266 return error; 4267 } 4268 4269 tsec = p->security; 4270 4271 if (!strcmp(name, "current")) 4272 sid = tsec->sid; 4273 else if (!strcmp(name, "prev")) 4274 sid = tsec->osid; 4275 else if (!strcmp(name, "exec")) 4276 sid = tsec->exec_sid; 4277 else if (!strcmp(name, "fscreate")) 4278 sid = tsec->create_sid; 4279 else if (!strcmp(name, "keycreate")) 4280 sid = tsec->keycreate_sid; 4281 else if (!strcmp(name, "sockcreate")) 4282 sid = tsec->sockcreate_sid; 4283 else 4284 return -EINVAL; 4285 4286 if (!sid) 4287 return 0; 4288 4289 return selinux_getsecurity(sid, value, size); 4290 } 4291 4292 static int selinux_setprocattr(struct task_struct *p, 4293 char *name, void *value, size_t size) 4294 { 4295 struct task_security_struct *tsec; 4296 u32 sid = 0; 4297 int error; 4298 char *str = value; 4299 4300 if (current != p) { 4301 /* SELinux only allows a process to change its own 4302 security attributes. */ 4303 return -EACCES; 4304 } 4305 4306 /* 4307 * Basic control over ability to set these attributes at all. 4308 * current == p, but we'll pass them separately in case the 4309 * above restriction is ever removed. 4310 */ 4311 if (!strcmp(name, "exec")) 4312 error = task_has_perm(current, p, PROCESS__SETEXEC); 4313 else if (!strcmp(name, "fscreate")) 4314 error = task_has_perm(current, p, PROCESS__SETFSCREATE); 4315 else if (!strcmp(name, "keycreate")) 4316 error = task_has_perm(current, p, PROCESS__SETKEYCREATE); 4317 else if (!strcmp(name, "sockcreate")) 4318 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE); 4319 else if (!strcmp(name, "current")) 4320 error = task_has_perm(current, p, PROCESS__SETCURRENT); 4321 else 4322 error = -EINVAL; 4323 if (error) 4324 return error; 4325 4326 /* Obtain a SID for the context, if one was specified. */ 4327 if (size && str[1] && str[1] != '\n') { 4328 if (str[size-1] == '\n') { 4329 str[size-1] = 0; 4330 size--; 4331 } 4332 error = security_context_to_sid(value, size, &sid); 4333 if (error) 4334 return error; 4335 } 4336 4337 /* Permission checking based on the specified context is 4338 performed during the actual operation (execve, 4339 open/mkdir/...), when we know the full context of the 4340 operation. See selinux_bprm_set_security for the execve 4341 checks and may_create for the file creation checks. The 4342 operation will then fail if the context is not permitted. */ 4343 tsec = p->security; 4344 if (!strcmp(name, "exec")) 4345 tsec->exec_sid = sid; 4346 else if (!strcmp(name, "fscreate")) 4347 tsec->create_sid = sid; 4348 else if (!strcmp(name, "keycreate")) { 4349 error = may_create_key(sid, p); 4350 if (error) 4351 return error; 4352 tsec->keycreate_sid = sid; 4353 } else if (!strcmp(name, "sockcreate")) 4354 tsec->sockcreate_sid = sid; 4355 else if (!strcmp(name, "current")) { 4356 struct av_decision avd; 4357 4358 if (sid == 0) 4359 return -EINVAL; 4360 4361 /* Only allow single threaded processes to change context */ 4362 if (atomic_read(&p->mm->mm_users) != 1) { 4363 struct task_struct *g, *t; 4364 struct mm_struct *mm = p->mm; 4365 read_lock(&tasklist_lock); 4366 do_each_thread(g, t) 4367 if (t->mm == mm && t != p) { 4368 read_unlock(&tasklist_lock); 4369 return -EPERM; 4370 } 4371 while_each_thread(g, t); 4372 read_unlock(&tasklist_lock); 4373 } 4374 4375 /* Check permissions for the transition. */ 4376 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 4377 PROCESS__DYNTRANSITION, NULL); 4378 if (error) 4379 return error; 4380 4381 /* Check for ptracing, and update the task SID if ok. 4382 Otherwise, leave SID unchanged and fail. */ 4383 task_lock(p); 4384 if (p->ptrace & PT_PTRACED) { 4385 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid, 4386 SECCLASS_PROCESS, 4387 PROCESS__PTRACE, &avd); 4388 if (!error) 4389 tsec->sid = sid; 4390 task_unlock(p); 4391 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS, 4392 PROCESS__PTRACE, &avd, error, NULL); 4393 if (error) 4394 return error; 4395 } else { 4396 tsec->sid = sid; 4397 task_unlock(p); 4398 } 4399 } 4400 else 4401 return -EINVAL; 4402 4403 return size; 4404 } 4405 4406 #ifdef CONFIG_KEYS 4407 4408 static int selinux_key_alloc(struct key *k, struct task_struct *tsk, 4409 unsigned long flags) 4410 { 4411 struct task_security_struct *tsec = tsk->security; 4412 struct key_security_struct *ksec; 4413 4414 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 4415 if (!ksec) 4416 return -ENOMEM; 4417 4418 ksec->obj = k; 4419 if (tsec->keycreate_sid) 4420 ksec->sid = tsec->keycreate_sid; 4421 else 4422 ksec->sid = tsec->sid; 4423 k->security = ksec; 4424 4425 return 0; 4426 } 4427 4428 static void selinux_key_free(struct key *k) 4429 { 4430 struct key_security_struct *ksec = k->security; 4431 4432 k->security = NULL; 4433 kfree(ksec); 4434 } 4435 4436 static int selinux_key_permission(key_ref_t key_ref, 4437 struct task_struct *ctx, 4438 key_perm_t perm) 4439 { 4440 struct key *key; 4441 struct task_security_struct *tsec; 4442 struct key_security_struct *ksec; 4443 4444 key = key_ref_to_ptr(key_ref); 4445 4446 tsec = ctx->security; 4447 ksec = key->security; 4448 4449 /* if no specific permissions are requested, we skip the 4450 permission check. No serious, additional covert channels 4451 appear to be created. */ 4452 if (perm == 0) 4453 return 0; 4454 4455 return avc_has_perm(tsec->sid, ksec->sid, 4456 SECCLASS_KEY, perm, NULL); 4457 } 4458 4459 #endif 4460 4461 static struct security_operations selinux_ops = { 4462 .ptrace = selinux_ptrace, 4463 .capget = selinux_capget, 4464 .capset_check = selinux_capset_check, 4465 .capset_set = selinux_capset_set, 4466 .sysctl = selinux_sysctl, 4467 .capable = selinux_capable, 4468 .quotactl = selinux_quotactl, 4469 .quota_on = selinux_quota_on, 4470 .syslog = selinux_syslog, 4471 .vm_enough_memory = selinux_vm_enough_memory, 4472 4473 .netlink_send = selinux_netlink_send, 4474 .netlink_recv = selinux_netlink_recv, 4475 4476 .bprm_alloc_security = selinux_bprm_alloc_security, 4477 .bprm_free_security = selinux_bprm_free_security, 4478 .bprm_apply_creds = selinux_bprm_apply_creds, 4479 .bprm_post_apply_creds = selinux_bprm_post_apply_creds, 4480 .bprm_set_security = selinux_bprm_set_security, 4481 .bprm_check_security = selinux_bprm_check_security, 4482 .bprm_secureexec = selinux_bprm_secureexec, 4483 4484 .sb_alloc_security = selinux_sb_alloc_security, 4485 .sb_free_security = selinux_sb_free_security, 4486 .sb_copy_data = selinux_sb_copy_data, 4487 .sb_kern_mount = selinux_sb_kern_mount, 4488 .sb_statfs = selinux_sb_statfs, 4489 .sb_mount = selinux_mount, 4490 .sb_umount = selinux_umount, 4491 4492 .inode_alloc_security = selinux_inode_alloc_security, 4493 .inode_free_security = selinux_inode_free_security, 4494 .inode_init_security = selinux_inode_init_security, 4495 .inode_create = selinux_inode_create, 4496 .inode_link = selinux_inode_link, 4497 .inode_unlink = selinux_inode_unlink, 4498 .inode_symlink = selinux_inode_symlink, 4499 .inode_mkdir = selinux_inode_mkdir, 4500 .inode_rmdir = selinux_inode_rmdir, 4501 .inode_mknod = selinux_inode_mknod, 4502 .inode_rename = selinux_inode_rename, 4503 .inode_readlink = selinux_inode_readlink, 4504 .inode_follow_link = selinux_inode_follow_link, 4505 .inode_permission = selinux_inode_permission, 4506 .inode_setattr = selinux_inode_setattr, 4507 .inode_getattr = selinux_inode_getattr, 4508 .inode_setxattr = selinux_inode_setxattr, 4509 .inode_post_setxattr = selinux_inode_post_setxattr, 4510 .inode_getxattr = selinux_inode_getxattr, 4511 .inode_listxattr = selinux_inode_listxattr, 4512 .inode_removexattr = selinux_inode_removexattr, 4513 .inode_xattr_getsuffix = selinux_inode_xattr_getsuffix, 4514 .inode_getsecurity = selinux_inode_getsecurity, 4515 .inode_setsecurity = selinux_inode_setsecurity, 4516 .inode_listsecurity = selinux_inode_listsecurity, 4517 4518 .file_permission = selinux_file_permission, 4519 .file_alloc_security = selinux_file_alloc_security, 4520 .file_free_security = selinux_file_free_security, 4521 .file_ioctl = selinux_file_ioctl, 4522 .file_mmap = selinux_file_mmap, 4523 .file_mprotect = selinux_file_mprotect, 4524 .file_lock = selinux_file_lock, 4525 .file_fcntl = selinux_file_fcntl, 4526 .file_set_fowner = selinux_file_set_fowner, 4527 .file_send_sigiotask = selinux_file_send_sigiotask, 4528 .file_receive = selinux_file_receive, 4529 4530 .task_create = selinux_task_create, 4531 .task_alloc_security = selinux_task_alloc_security, 4532 .task_free_security = selinux_task_free_security, 4533 .task_setuid = selinux_task_setuid, 4534 .task_post_setuid = selinux_task_post_setuid, 4535 .task_setgid = selinux_task_setgid, 4536 .task_setpgid = selinux_task_setpgid, 4537 .task_getpgid = selinux_task_getpgid, 4538 .task_getsid = selinux_task_getsid, 4539 .task_getsecid = selinux_task_getsecid, 4540 .task_setgroups = selinux_task_setgroups, 4541 .task_setnice = selinux_task_setnice, 4542 .task_setioprio = selinux_task_setioprio, 4543 .task_getioprio = selinux_task_getioprio, 4544 .task_setrlimit = selinux_task_setrlimit, 4545 .task_setscheduler = selinux_task_setscheduler, 4546 .task_getscheduler = selinux_task_getscheduler, 4547 .task_movememory = selinux_task_movememory, 4548 .task_kill = selinux_task_kill, 4549 .task_wait = selinux_task_wait, 4550 .task_prctl = selinux_task_prctl, 4551 .task_reparent_to_init = selinux_task_reparent_to_init, 4552 .task_to_inode = selinux_task_to_inode, 4553 4554 .ipc_permission = selinux_ipc_permission, 4555 4556 .msg_msg_alloc_security = selinux_msg_msg_alloc_security, 4557 .msg_msg_free_security = selinux_msg_msg_free_security, 4558 4559 .msg_queue_alloc_security = selinux_msg_queue_alloc_security, 4560 .msg_queue_free_security = selinux_msg_queue_free_security, 4561 .msg_queue_associate = selinux_msg_queue_associate, 4562 .msg_queue_msgctl = selinux_msg_queue_msgctl, 4563 .msg_queue_msgsnd = selinux_msg_queue_msgsnd, 4564 .msg_queue_msgrcv = selinux_msg_queue_msgrcv, 4565 4566 .shm_alloc_security = selinux_shm_alloc_security, 4567 .shm_free_security = selinux_shm_free_security, 4568 .shm_associate = selinux_shm_associate, 4569 .shm_shmctl = selinux_shm_shmctl, 4570 .shm_shmat = selinux_shm_shmat, 4571 4572 .sem_alloc_security = selinux_sem_alloc_security, 4573 .sem_free_security = selinux_sem_free_security, 4574 .sem_associate = selinux_sem_associate, 4575 .sem_semctl = selinux_sem_semctl, 4576 .sem_semop = selinux_sem_semop, 4577 4578 .register_security = selinux_register_security, 4579 .unregister_security = selinux_unregister_security, 4580 4581 .d_instantiate = selinux_d_instantiate, 4582 4583 .getprocattr = selinux_getprocattr, 4584 .setprocattr = selinux_setprocattr, 4585 4586 .unix_stream_connect = selinux_socket_unix_stream_connect, 4587 .unix_may_send = selinux_socket_unix_may_send, 4588 4589 .socket_create = selinux_socket_create, 4590 .socket_post_create = selinux_socket_post_create, 4591 .socket_bind = selinux_socket_bind, 4592 .socket_connect = selinux_socket_connect, 4593 .socket_listen = selinux_socket_listen, 4594 .socket_accept = selinux_socket_accept, 4595 .socket_sendmsg = selinux_socket_sendmsg, 4596 .socket_recvmsg = selinux_socket_recvmsg, 4597 .socket_getsockname = selinux_socket_getsockname, 4598 .socket_getpeername = selinux_socket_getpeername, 4599 .socket_getsockopt = selinux_socket_getsockopt, 4600 .socket_setsockopt = selinux_socket_setsockopt, 4601 .socket_shutdown = selinux_socket_shutdown, 4602 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb, 4603 .socket_getpeersec_stream = selinux_socket_getpeersec_stream, 4604 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram, 4605 .sk_alloc_security = selinux_sk_alloc_security, 4606 .sk_free_security = selinux_sk_free_security, 4607 .sk_getsid = selinux_sk_getsid_security, 4608 4609 #ifdef CONFIG_SECURITY_NETWORK_XFRM 4610 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, 4611 .xfrm_policy_clone_security = selinux_xfrm_policy_clone, 4612 .xfrm_policy_free_security = selinux_xfrm_policy_free, 4613 .xfrm_policy_delete_security = selinux_xfrm_policy_delete, 4614 .xfrm_state_alloc_security = selinux_xfrm_state_alloc, 4615 .xfrm_state_free_security = selinux_xfrm_state_free, 4616 .xfrm_state_delete_security = selinux_xfrm_state_delete, 4617 .xfrm_policy_lookup = selinux_xfrm_policy_lookup, 4618 #endif 4619 4620 #ifdef CONFIG_KEYS 4621 .key_alloc = selinux_key_alloc, 4622 .key_free = selinux_key_free, 4623 .key_permission = selinux_key_permission, 4624 #endif 4625 }; 4626 4627 static __init int selinux_init(void) 4628 { 4629 struct task_security_struct *tsec; 4630 4631 if (!selinux_enabled) { 4632 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 4633 return 0; 4634 } 4635 4636 printk(KERN_INFO "SELinux: Initializing.\n"); 4637 4638 /* Set the security state for the initial task. */ 4639 if (task_alloc_security(current)) 4640 panic("SELinux: Failed to initialize initial task.\n"); 4641 tsec = current->security; 4642 tsec->osid = tsec->sid = SECINITSID_KERNEL; 4643 4644 sel_inode_cache = kmem_cache_create("selinux_inode_security", 4645 sizeof(struct inode_security_struct), 4646 0, SLAB_PANIC, NULL, NULL); 4647 avc_init(); 4648 4649 original_ops = secondary_ops = security_ops; 4650 if (!secondary_ops) 4651 panic ("SELinux: No initial security operations\n"); 4652 if (register_security (&selinux_ops)) 4653 panic("SELinux: Unable to register with kernel.\n"); 4654 4655 if (selinux_enforcing) { 4656 printk(KERN_INFO "SELinux: Starting in enforcing mode\n"); 4657 } else { 4658 printk(KERN_INFO "SELinux: Starting in permissive mode\n"); 4659 } 4660 4661 #ifdef CONFIG_KEYS 4662 /* Add security information to initial keyrings */ 4663 selinux_key_alloc(&root_user_keyring, current, 4664 KEY_ALLOC_NOT_IN_QUOTA); 4665 selinux_key_alloc(&root_session_keyring, current, 4666 KEY_ALLOC_NOT_IN_QUOTA); 4667 #endif 4668 4669 return 0; 4670 } 4671 4672 void selinux_complete_init(void) 4673 { 4674 printk(KERN_INFO "SELinux: Completing initialization.\n"); 4675 4676 /* Set up any superblocks initialized prior to the policy load. */ 4677 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n"); 4678 spin_lock(&sb_lock); 4679 spin_lock(&sb_security_lock); 4680 next_sb: 4681 if (!list_empty(&superblock_security_head)) { 4682 struct superblock_security_struct *sbsec = 4683 list_entry(superblock_security_head.next, 4684 struct superblock_security_struct, 4685 list); 4686 struct super_block *sb = sbsec->sb; 4687 sb->s_count++; 4688 spin_unlock(&sb_security_lock); 4689 spin_unlock(&sb_lock); 4690 down_read(&sb->s_umount); 4691 if (sb->s_root) 4692 superblock_doinit(sb, NULL); 4693 drop_super(sb); 4694 spin_lock(&sb_lock); 4695 spin_lock(&sb_security_lock); 4696 list_del_init(&sbsec->list); 4697 goto next_sb; 4698 } 4699 spin_unlock(&sb_security_lock); 4700 spin_unlock(&sb_lock); 4701 } 4702 4703 /* SELinux requires early initialization in order to label 4704 all processes and objects when they are created. */ 4705 security_initcall(selinux_init); 4706 4707 #if defined(CONFIG_NETFILTER) 4708 4709 static struct nf_hook_ops selinux_ipv4_op = { 4710 .hook = selinux_ipv4_postroute_last, 4711 .owner = THIS_MODULE, 4712 .pf = PF_INET, 4713 .hooknum = NF_IP_POST_ROUTING, 4714 .priority = NF_IP_PRI_SELINUX_LAST, 4715 }; 4716 4717 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4718 4719 static struct nf_hook_ops selinux_ipv6_op = { 4720 .hook = selinux_ipv6_postroute_last, 4721 .owner = THIS_MODULE, 4722 .pf = PF_INET6, 4723 .hooknum = NF_IP6_POST_ROUTING, 4724 .priority = NF_IP6_PRI_SELINUX_LAST, 4725 }; 4726 4727 #endif /* IPV6 */ 4728 4729 static int __init selinux_nf_ip_init(void) 4730 { 4731 int err = 0; 4732 4733 if (!selinux_enabled) 4734 goto out; 4735 4736 printk(KERN_INFO "SELinux: Registering netfilter hooks\n"); 4737 4738 err = nf_register_hook(&selinux_ipv4_op); 4739 if (err) 4740 panic("SELinux: nf_register_hook for IPv4: error %d\n", err); 4741 4742 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4743 4744 err = nf_register_hook(&selinux_ipv6_op); 4745 if (err) 4746 panic("SELinux: nf_register_hook for IPv6: error %d\n", err); 4747 4748 #endif /* IPV6 */ 4749 4750 out: 4751 return err; 4752 } 4753 4754 __initcall(selinux_nf_ip_init); 4755 4756 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 4757 static void selinux_nf_ip_exit(void) 4758 { 4759 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n"); 4760 4761 nf_unregister_hook(&selinux_ipv4_op); 4762 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4763 nf_unregister_hook(&selinux_ipv6_op); 4764 #endif /* IPV6 */ 4765 } 4766 #endif 4767 4768 #else /* CONFIG_NETFILTER */ 4769 4770 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 4771 #define selinux_nf_ip_exit() 4772 #endif 4773 4774 #endif /* CONFIG_NETFILTER */ 4775 4776 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 4777 int selinux_disable(void) 4778 { 4779 extern void exit_sel_fs(void); 4780 static int selinux_disabled = 0; 4781 4782 if (ss_initialized) { 4783 /* Not permitted after initial policy load. */ 4784 return -EINVAL; 4785 } 4786 4787 if (selinux_disabled) { 4788 /* Only do this once. */ 4789 return -EINVAL; 4790 } 4791 4792 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 4793 4794 selinux_disabled = 1; 4795 selinux_enabled = 0; 4796 4797 /* Reset security_ops to the secondary module, dummy or capability. */ 4798 security_ops = secondary_ops; 4799 4800 /* Unregister netfilter hooks. */ 4801 selinux_nf_ip_exit(); 4802 4803 /* Unregister selinuxfs. */ 4804 exit_sel_fs(); 4805 4806 return 0; 4807 } 4808 #endif 4809 4810 4811