1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 14 * <dgoeddel@trustedcs.com> 15 * 16 * This program is free software; you can redistribute it and/or modify 17 * it under the terms of the GNU General Public License version 2, 18 * as published by the Free Software Foundation. 19 */ 20 21 #include <linux/config.h> 22 #include <linux/module.h> 23 #include <linux/init.h> 24 #include <linux/kernel.h> 25 #include <linux/ptrace.h> 26 #include <linux/errno.h> 27 #include <linux/sched.h> 28 #include <linux/security.h> 29 #include <linux/xattr.h> 30 #include <linux/capability.h> 31 #include <linux/unistd.h> 32 #include <linux/mm.h> 33 #include <linux/mman.h> 34 #include <linux/slab.h> 35 #include <linux/pagemap.h> 36 #include <linux/swap.h> 37 #include <linux/smp_lock.h> 38 #include <linux/spinlock.h> 39 #include <linux/syscalls.h> 40 #include <linux/file.h> 41 #include <linux/namei.h> 42 #include <linux/mount.h> 43 #include <linux/ext2_fs.h> 44 #include <linux/proc_fs.h> 45 #include <linux/kd.h> 46 #include <linux/netfilter_ipv4.h> 47 #include <linux/netfilter_ipv6.h> 48 #include <linux/tty.h> 49 #include <net/icmp.h> 50 #include <net/ip.h> /* for sysctl_local_port_range[] */ 51 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 52 #include <asm/uaccess.h> 53 #include <asm/semaphore.h> 54 #include <asm/ioctls.h> 55 #include <linux/bitops.h> 56 #include <linux/interrupt.h> 57 #include <linux/netdevice.h> /* for network interface checks */ 58 #include <linux/netlink.h> 59 #include <linux/tcp.h> 60 #include <linux/udp.h> 61 #include <linux/quota.h> 62 #include <linux/un.h> /* for Unix socket types */ 63 #include <net/af_unix.h> /* for Unix socket types */ 64 #include <linux/parser.h> 65 #include <linux/nfs_mount.h> 66 #include <net/ipv6.h> 67 #include <linux/hugetlb.h> 68 #include <linux/personality.h> 69 #include <linux/sysctl.h> 70 #include <linux/audit.h> 71 #include <linux/string.h> 72 73 #include "avc.h" 74 #include "objsec.h" 75 #include "netif.h" 76 77 #define XATTR_SELINUX_SUFFIX "selinux" 78 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX 79 80 extern unsigned int policydb_loaded_version; 81 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); 82 83 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 84 int selinux_enforcing = 0; 85 86 static int __init enforcing_setup(char *str) 87 { 88 selinux_enforcing = simple_strtol(str,NULL,0); 89 return 1; 90 } 91 __setup("enforcing=", enforcing_setup); 92 #endif 93 94 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 95 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 96 97 static int __init selinux_enabled_setup(char *str) 98 { 99 selinux_enabled = simple_strtol(str, NULL, 0); 100 return 1; 101 } 102 __setup("selinux=", selinux_enabled_setup); 103 #endif 104 105 /* Original (dummy) security module. */ 106 static struct security_operations *original_ops = NULL; 107 108 /* Minimal support for a secondary security module, 109 just to allow the use of the dummy or capability modules. 110 The owlsm module can alternatively be used as a secondary 111 module as long as CONFIG_OWLSM_FD is not enabled. */ 112 static struct security_operations *secondary_ops = NULL; 113 114 /* Lists of inode and superblock security structures initialized 115 before the policy was loaded. */ 116 static LIST_HEAD(superblock_security_head); 117 static DEFINE_SPINLOCK(sb_security_lock); 118 119 /* Allocate and free functions for each kind of security blob. */ 120 121 static int task_alloc_security(struct task_struct *task) 122 { 123 struct task_security_struct *tsec; 124 125 tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL); 126 if (!tsec) 127 return -ENOMEM; 128 129 memset(tsec, 0, sizeof(struct task_security_struct)); 130 tsec->magic = SELINUX_MAGIC; 131 tsec->task = task; 132 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED; 133 task->security = tsec; 134 135 return 0; 136 } 137 138 static void task_free_security(struct task_struct *task) 139 { 140 struct task_security_struct *tsec = task->security; 141 142 if (!tsec || tsec->magic != SELINUX_MAGIC) 143 return; 144 145 task->security = NULL; 146 kfree(tsec); 147 } 148 149 static int inode_alloc_security(struct inode *inode) 150 { 151 struct task_security_struct *tsec = current->security; 152 struct inode_security_struct *isec; 153 154 isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL); 155 if (!isec) 156 return -ENOMEM; 157 158 memset(isec, 0, sizeof(struct inode_security_struct)); 159 init_MUTEX(&isec->sem); 160 INIT_LIST_HEAD(&isec->list); 161 isec->magic = SELINUX_MAGIC; 162 isec->inode = inode; 163 isec->sid = SECINITSID_UNLABELED; 164 isec->sclass = SECCLASS_FILE; 165 if (tsec && tsec->magic == SELINUX_MAGIC) 166 isec->task_sid = tsec->sid; 167 else 168 isec->task_sid = SECINITSID_UNLABELED; 169 inode->i_security = isec; 170 171 return 0; 172 } 173 174 static void inode_free_security(struct inode *inode) 175 { 176 struct inode_security_struct *isec = inode->i_security; 177 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 178 179 if (!isec || isec->magic != SELINUX_MAGIC) 180 return; 181 182 spin_lock(&sbsec->isec_lock); 183 if (!list_empty(&isec->list)) 184 list_del_init(&isec->list); 185 spin_unlock(&sbsec->isec_lock); 186 187 inode->i_security = NULL; 188 kfree(isec); 189 } 190 191 static int file_alloc_security(struct file *file) 192 { 193 struct task_security_struct *tsec = current->security; 194 struct file_security_struct *fsec; 195 196 fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC); 197 if (!fsec) 198 return -ENOMEM; 199 200 memset(fsec, 0, sizeof(struct file_security_struct)); 201 fsec->magic = SELINUX_MAGIC; 202 fsec->file = file; 203 if (tsec && tsec->magic == SELINUX_MAGIC) { 204 fsec->sid = tsec->sid; 205 fsec->fown_sid = tsec->sid; 206 } else { 207 fsec->sid = SECINITSID_UNLABELED; 208 fsec->fown_sid = SECINITSID_UNLABELED; 209 } 210 file->f_security = fsec; 211 212 return 0; 213 } 214 215 static void file_free_security(struct file *file) 216 { 217 struct file_security_struct *fsec = file->f_security; 218 219 if (!fsec || fsec->magic != SELINUX_MAGIC) 220 return; 221 222 file->f_security = NULL; 223 kfree(fsec); 224 } 225 226 static int superblock_alloc_security(struct super_block *sb) 227 { 228 struct superblock_security_struct *sbsec; 229 230 sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 231 if (!sbsec) 232 return -ENOMEM; 233 234 memset(sbsec, 0, sizeof(struct superblock_security_struct)); 235 init_MUTEX(&sbsec->sem); 236 INIT_LIST_HEAD(&sbsec->list); 237 INIT_LIST_HEAD(&sbsec->isec_head); 238 spin_lock_init(&sbsec->isec_lock); 239 sbsec->magic = SELINUX_MAGIC; 240 sbsec->sb = sb; 241 sbsec->sid = SECINITSID_UNLABELED; 242 sbsec->def_sid = SECINITSID_FILE; 243 sb->s_security = sbsec; 244 245 return 0; 246 } 247 248 static void superblock_free_security(struct super_block *sb) 249 { 250 struct superblock_security_struct *sbsec = sb->s_security; 251 252 if (!sbsec || sbsec->magic != SELINUX_MAGIC) 253 return; 254 255 spin_lock(&sb_security_lock); 256 if (!list_empty(&sbsec->list)) 257 list_del_init(&sbsec->list); 258 spin_unlock(&sb_security_lock); 259 260 sb->s_security = NULL; 261 kfree(sbsec); 262 } 263 264 #ifdef CONFIG_SECURITY_NETWORK 265 static int sk_alloc_security(struct sock *sk, int family, int priority) 266 { 267 struct sk_security_struct *ssec; 268 269 if (family != PF_UNIX) 270 return 0; 271 272 ssec = kmalloc(sizeof(*ssec), priority); 273 if (!ssec) 274 return -ENOMEM; 275 276 memset(ssec, 0, sizeof(*ssec)); 277 ssec->magic = SELINUX_MAGIC; 278 ssec->sk = sk; 279 ssec->peer_sid = SECINITSID_UNLABELED; 280 sk->sk_security = ssec; 281 282 return 0; 283 } 284 285 static void sk_free_security(struct sock *sk) 286 { 287 struct sk_security_struct *ssec = sk->sk_security; 288 289 if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC) 290 return; 291 292 sk->sk_security = NULL; 293 kfree(ssec); 294 } 295 #endif /* CONFIG_SECURITY_NETWORK */ 296 297 /* The security server must be initialized before 298 any labeling or access decisions can be provided. */ 299 extern int ss_initialized; 300 301 /* The file system's label must be initialized prior to use. */ 302 303 static char *labeling_behaviors[6] = { 304 "uses xattr", 305 "uses transition SIDs", 306 "uses task SIDs", 307 "uses genfs_contexts", 308 "not configured for labeling", 309 "uses mountpoint labeling", 310 }; 311 312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 313 314 static inline int inode_doinit(struct inode *inode) 315 { 316 return inode_doinit_with_dentry(inode, NULL); 317 } 318 319 enum { 320 Opt_context = 1, 321 Opt_fscontext = 2, 322 Opt_defcontext = 4, 323 }; 324 325 static match_table_t tokens = { 326 {Opt_context, "context=%s"}, 327 {Opt_fscontext, "fscontext=%s"}, 328 {Opt_defcontext, "defcontext=%s"}, 329 }; 330 331 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 332 333 static int try_context_mount(struct super_block *sb, void *data) 334 { 335 char *context = NULL, *defcontext = NULL; 336 const char *name; 337 u32 sid; 338 int alloc = 0, rc = 0, seen = 0; 339 struct task_security_struct *tsec = current->security; 340 struct superblock_security_struct *sbsec = sb->s_security; 341 342 if (!data) 343 goto out; 344 345 name = sb->s_type->name; 346 347 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) { 348 349 /* NFS we understand. */ 350 if (!strcmp(name, "nfs")) { 351 struct nfs_mount_data *d = data; 352 353 if (d->version < NFS_MOUNT_VERSION) 354 goto out; 355 356 if (d->context[0]) { 357 context = d->context; 358 seen |= Opt_context; 359 } 360 } else 361 goto out; 362 363 } else { 364 /* Standard string-based options. */ 365 char *p, *options = data; 366 367 while ((p = strsep(&options, ",")) != NULL) { 368 int token; 369 substring_t args[MAX_OPT_ARGS]; 370 371 if (!*p) 372 continue; 373 374 token = match_token(p, tokens, args); 375 376 switch (token) { 377 case Opt_context: 378 if (seen) { 379 rc = -EINVAL; 380 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 381 goto out_free; 382 } 383 context = match_strdup(&args[0]); 384 if (!context) { 385 rc = -ENOMEM; 386 goto out_free; 387 } 388 if (!alloc) 389 alloc = 1; 390 seen |= Opt_context; 391 break; 392 393 case Opt_fscontext: 394 if (seen & (Opt_context|Opt_fscontext)) { 395 rc = -EINVAL; 396 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 397 goto out_free; 398 } 399 context = match_strdup(&args[0]); 400 if (!context) { 401 rc = -ENOMEM; 402 goto out_free; 403 } 404 if (!alloc) 405 alloc = 1; 406 seen |= Opt_fscontext; 407 break; 408 409 case Opt_defcontext: 410 if (sbsec->behavior != SECURITY_FS_USE_XATTR) { 411 rc = -EINVAL; 412 printk(KERN_WARNING "SELinux: " 413 "defcontext option is invalid " 414 "for this filesystem type\n"); 415 goto out_free; 416 } 417 if (seen & (Opt_context|Opt_defcontext)) { 418 rc = -EINVAL; 419 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 420 goto out_free; 421 } 422 defcontext = match_strdup(&args[0]); 423 if (!defcontext) { 424 rc = -ENOMEM; 425 goto out_free; 426 } 427 if (!alloc) 428 alloc = 1; 429 seen |= Opt_defcontext; 430 break; 431 432 default: 433 rc = -EINVAL; 434 printk(KERN_WARNING "SELinux: unknown mount " 435 "option\n"); 436 goto out_free; 437 438 } 439 } 440 } 441 442 if (!seen) 443 goto out; 444 445 if (context) { 446 rc = security_context_to_sid(context, strlen(context), &sid); 447 if (rc) { 448 printk(KERN_WARNING "SELinux: security_context_to_sid" 449 "(%s) failed for (dev %s, type %s) errno=%d\n", 450 context, sb->s_id, name, rc); 451 goto out_free; 452 } 453 454 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 455 FILESYSTEM__RELABELFROM, NULL); 456 if (rc) 457 goto out_free; 458 459 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 460 FILESYSTEM__RELABELTO, NULL); 461 if (rc) 462 goto out_free; 463 464 sbsec->sid = sid; 465 466 if (seen & Opt_context) 467 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 468 } 469 470 if (defcontext) { 471 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid); 472 if (rc) { 473 printk(KERN_WARNING "SELinux: security_context_to_sid" 474 "(%s) failed for (dev %s, type %s) errno=%d\n", 475 defcontext, sb->s_id, name, rc); 476 goto out_free; 477 } 478 479 if (sid == sbsec->def_sid) 480 goto out_free; 481 482 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 483 FILESYSTEM__RELABELFROM, NULL); 484 if (rc) 485 goto out_free; 486 487 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 488 FILESYSTEM__ASSOCIATE, NULL); 489 if (rc) 490 goto out_free; 491 492 sbsec->def_sid = sid; 493 } 494 495 out_free: 496 if (alloc) { 497 kfree(context); 498 kfree(defcontext); 499 } 500 out: 501 return rc; 502 } 503 504 static int superblock_doinit(struct super_block *sb, void *data) 505 { 506 struct superblock_security_struct *sbsec = sb->s_security; 507 struct dentry *root = sb->s_root; 508 struct inode *inode = root->d_inode; 509 int rc = 0; 510 511 down(&sbsec->sem); 512 if (sbsec->initialized) 513 goto out; 514 515 if (!ss_initialized) { 516 /* Defer initialization until selinux_complete_init, 517 after the initial policy is loaded and the security 518 server is ready to handle calls. */ 519 spin_lock(&sb_security_lock); 520 if (list_empty(&sbsec->list)) 521 list_add(&sbsec->list, &superblock_security_head); 522 spin_unlock(&sb_security_lock); 523 goto out; 524 } 525 526 /* Determine the labeling behavior to use for this filesystem type. */ 527 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid); 528 if (rc) { 529 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", 530 __FUNCTION__, sb->s_type->name, rc); 531 goto out; 532 } 533 534 rc = try_context_mount(sb, data); 535 if (rc) 536 goto out; 537 538 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 539 /* Make sure that the xattr handler exists and that no 540 error other than -ENODATA is returned by getxattr on 541 the root directory. -ENODATA is ok, as this may be 542 the first boot of the SELinux kernel before we have 543 assigned xattr values to the filesystem. */ 544 if (!inode->i_op->getxattr) { 545 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 546 "xattr support\n", sb->s_id, sb->s_type->name); 547 rc = -EOPNOTSUPP; 548 goto out; 549 } 550 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0); 551 if (rc < 0 && rc != -ENODATA) { 552 if (rc == -EOPNOTSUPP) 553 printk(KERN_WARNING "SELinux: (dev %s, type " 554 "%s) has no security xattr handler\n", 555 sb->s_id, sb->s_type->name); 556 else 557 printk(KERN_WARNING "SELinux: (dev %s, type " 558 "%s) getxattr errno %d\n", sb->s_id, 559 sb->s_type->name, -rc); 560 goto out; 561 } 562 } 563 564 if (strcmp(sb->s_type->name, "proc") == 0) 565 sbsec->proc = 1; 566 567 sbsec->initialized = 1; 568 569 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) { 570 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n", 571 sb->s_id, sb->s_type->name); 572 } 573 else { 574 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n", 575 sb->s_id, sb->s_type->name, 576 labeling_behaviors[sbsec->behavior-1]); 577 } 578 579 /* Initialize the root inode. */ 580 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root); 581 582 /* Initialize any other inodes associated with the superblock, e.g. 583 inodes created prior to initial policy load or inodes created 584 during get_sb by a pseudo filesystem that directly 585 populates itself. */ 586 spin_lock(&sbsec->isec_lock); 587 next_inode: 588 if (!list_empty(&sbsec->isec_head)) { 589 struct inode_security_struct *isec = 590 list_entry(sbsec->isec_head.next, 591 struct inode_security_struct, list); 592 struct inode *inode = isec->inode; 593 spin_unlock(&sbsec->isec_lock); 594 inode = igrab(inode); 595 if (inode) { 596 if (!IS_PRIVATE (inode)) 597 inode_doinit(inode); 598 iput(inode); 599 } 600 spin_lock(&sbsec->isec_lock); 601 list_del_init(&isec->list); 602 goto next_inode; 603 } 604 spin_unlock(&sbsec->isec_lock); 605 out: 606 up(&sbsec->sem); 607 return rc; 608 } 609 610 static inline u16 inode_mode_to_security_class(umode_t mode) 611 { 612 switch (mode & S_IFMT) { 613 case S_IFSOCK: 614 return SECCLASS_SOCK_FILE; 615 case S_IFLNK: 616 return SECCLASS_LNK_FILE; 617 case S_IFREG: 618 return SECCLASS_FILE; 619 case S_IFBLK: 620 return SECCLASS_BLK_FILE; 621 case S_IFDIR: 622 return SECCLASS_DIR; 623 case S_IFCHR: 624 return SECCLASS_CHR_FILE; 625 case S_IFIFO: 626 return SECCLASS_FIFO_FILE; 627 628 } 629 630 return SECCLASS_FILE; 631 } 632 633 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 634 { 635 switch (family) { 636 case PF_UNIX: 637 switch (type) { 638 case SOCK_STREAM: 639 case SOCK_SEQPACKET: 640 return SECCLASS_UNIX_STREAM_SOCKET; 641 case SOCK_DGRAM: 642 return SECCLASS_UNIX_DGRAM_SOCKET; 643 } 644 break; 645 case PF_INET: 646 case PF_INET6: 647 switch (type) { 648 case SOCK_STREAM: 649 return SECCLASS_TCP_SOCKET; 650 case SOCK_DGRAM: 651 return SECCLASS_UDP_SOCKET; 652 case SOCK_RAW: 653 return SECCLASS_RAWIP_SOCKET; 654 } 655 break; 656 case PF_NETLINK: 657 switch (protocol) { 658 case NETLINK_ROUTE: 659 return SECCLASS_NETLINK_ROUTE_SOCKET; 660 case NETLINK_FIREWALL: 661 return SECCLASS_NETLINK_FIREWALL_SOCKET; 662 case NETLINK_INET_DIAG: 663 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 664 case NETLINK_NFLOG: 665 return SECCLASS_NETLINK_NFLOG_SOCKET; 666 case NETLINK_XFRM: 667 return SECCLASS_NETLINK_XFRM_SOCKET; 668 case NETLINK_SELINUX: 669 return SECCLASS_NETLINK_SELINUX_SOCKET; 670 case NETLINK_AUDIT: 671 return SECCLASS_NETLINK_AUDIT_SOCKET; 672 case NETLINK_IP6_FW: 673 return SECCLASS_NETLINK_IP6FW_SOCKET; 674 case NETLINK_DNRTMSG: 675 return SECCLASS_NETLINK_DNRT_SOCKET; 676 case NETLINK_KOBJECT_UEVENT: 677 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 678 default: 679 return SECCLASS_NETLINK_SOCKET; 680 } 681 case PF_PACKET: 682 return SECCLASS_PACKET_SOCKET; 683 case PF_KEY: 684 return SECCLASS_KEY_SOCKET; 685 } 686 687 return SECCLASS_SOCKET; 688 } 689 690 #ifdef CONFIG_PROC_FS 691 static int selinux_proc_get_sid(struct proc_dir_entry *de, 692 u16 tclass, 693 u32 *sid) 694 { 695 int buflen, rc; 696 char *buffer, *path, *end; 697 698 buffer = (char*)__get_free_page(GFP_KERNEL); 699 if (!buffer) 700 return -ENOMEM; 701 702 buflen = PAGE_SIZE; 703 end = buffer+buflen; 704 *--end = '\0'; 705 buflen--; 706 path = end-1; 707 *path = '/'; 708 while (de && de != de->parent) { 709 buflen -= de->namelen + 1; 710 if (buflen < 0) 711 break; 712 end -= de->namelen; 713 memcpy(end, de->name, de->namelen); 714 *--end = '/'; 715 path = end; 716 de = de->parent; 717 } 718 rc = security_genfs_sid("proc", path, tclass, sid); 719 free_page((unsigned long)buffer); 720 return rc; 721 } 722 #else 723 static int selinux_proc_get_sid(struct proc_dir_entry *de, 724 u16 tclass, 725 u32 *sid) 726 { 727 return -EINVAL; 728 } 729 #endif 730 731 /* The inode's security attributes must be initialized before first use. */ 732 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 733 { 734 struct superblock_security_struct *sbsec = NULL; 735 struct inode_security_struct *isec = inode->i_security; 736 u32 sid; 737 struct dentry *dentry; 738 #define INITCONTEXTLEN 255 739 char *context = NULL; 740 unsigned len = 0; 741 int rc = 0; 742 int hold_sem = 0; 743 744 if (isec->initialized) 745 goto out; 746 747 down(&isec->sem); 748 hold_sem = 1; 749 if (isec->initialized) 750 goto out; 751 752 sbsec = inode->i_sb->s_security; 753 if (!sbsec->initialized) { 754 /* Defer initialization until selinux_complete_init, 755 after the initial policy is loaded and the security 756 server is ready to handle calls. */ 757 spin_lock(&sbsec->isec_lock); 758 if (list_empty(&isec->list)) 759 list_add(&isec->list, &sbsec->isec_head); 760 spin_unlock(&sbsec->isec_lock); 761 goto out; 762 } 763 764 switch (sbsec->behavior) { 765 case SECURITY_FS_USE_XATTR: 766 if (!inode->i_op->getxattr) { 767 isec->sid = sbsec->def_sid; 768 break; 769 } 770 771 /* Need a dentry, since the xattr API requires one. 772 Life would be simpler if we could just pass the inode. */ 773 if (opt_dentry) { 774 /* Called from d_instantiate or d_splice_alias. */ 775 dentry = dget(opt_dentry); 776 } else { 777 /* Called from selinux_complete_init, try to find a dentry. */ 778 dentry = d_find_alias(inode); 779 } 780 if (!dentry) { 781 printk(KERN_WARNING "%s: no dentry for dev=%s " 782 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id, 783 inode->i_ino); 784 goto out; 785 } 786 787 len = INITCONTEXTLEN; 788 context = kmalloc(len, GFP_KERNEL); 789 if (!context) { 790 rc = -ENOMEM; 791 dput(dentry); 792 goto out; 793 } 794 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 795 context, len); 796 if (rc == -ERANGE) { 797 /* Need a larger buffer. Query for the right size. */ 798 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 799 NULL, 0); 800 if (rc < 0) { 801 dput(dentry); 802 goto out; 803 } 804 kfree(context); 805 len = rc; 806 context = kmalloc(len, GFP_KERNEL); 807 if (!context) { 808 rc = -ENOMEM; 809 dput(dentry); 810 goto out; 811 } 812 rc = inode->i_op->getxattr(dentry, 813 XATTR_NAME_SELINUX, 814 context, len); 815 } 816 dput(dentry); 817 if (rc < 0) { 818 if (rc != -ENODATA) { 819 printk(KERN_WARNING "%s: getxattr returned " 820 "%d for dev=%s ino=%ld\n", __FUNCTION__, 821 -rc, inode->i_sb->s_id, inode->i_ino); 822 kfree(context); 823 goto out; 824 } 825 /* Map ENODATA to the default file SID */ 826 sid = sbsec->def_sid; 827 rc = 0; 828 } else { 829 rc = security_context_to_sid_default(context, rc, &sid, 830 sbsec->def_sid); 831 if (rc) { 832 printk(KERN_WARNING "%s: context_to_sid(%s) " 833 "returned %d for dev=%s ino=%ld\n", 834 __FUNCTION__, context, -rc, 835 inode->i_sb->s_id, inode->i_ino); 836 kfree(context); 837 /* Leave with the unlabeled SID */ 838 rc = 0; 839 break; 840 } 841 } 842 kfree(context); 843 isec->sid = sid; 844 break; 845 case SECURITY_FS_USE_TASK: 846 isec->sid = isec->task_sid; 847 break; 848 case SECURITY_FS_USE_TRANS: 849 /* Default to the fs SID. */ 850 isec->sid = sbsec->sid; 851 852 /* Try to obtain a transition SID. */ 853 isec->sclass = inode_mode_to_security_class(inode->i_mode); 854 rc = security_transition_sid(isec->task_sid, 855 sbsec->sid, 856 isec->sclass, 857 &sid); 858 if (rc) 859 goto out; 860 isec->sid = sid; 861 break; 862 default: 863 /* Default to the fs SID. */ 864 isec->sid = sbsec->sid; 865 866 if (sbsec->proc) { 867 struct proc_inode *proci = PROC_I(inode); 868 if (proci->pde) { 869 isec->sclass = inode_mode_to_security_class(inode->i_mode); 870 rc = selinux_proc_get_sid(proci->pde, 871 isec->sclass, 872 &sid); 873 if (rc) 874 goto out; 875 isec->sid = sid; 876 } 877 } 878 break; 879 } 880 881 isec->initialized = 1; 882 883 out: 884 if (isec->sclass == SECCLASS_FILE) 885 isec->sclass = inode_mode_to_security_class(inode->i_mode); 886 887 if (hold_sem) 888 up(&isec->sem); 889 return rc; 890 } 891 892 /* Convert a Linux signal to an access vector. */ 893 static inline u32 signal_to_av(int sig) 894 { 895 u32 perm = 0; 896 897 switch (sig) { 898 case SIGCHLD: 899 /* Commonly granted from child to parent. */ 900 perm = PROCESS__SIGCHLD; 901 break; 902 case SIGKILL: 903 /* Cannot be caught or ignored */ 904 perm = PROCESS__SIGKILL; 905 break; 906 case SIGSTOP: 907 /* Cannot be caught or ignored */ 908 perm = PROCESS__SIGSTOP; 909 break; 910 default: 911 /* All other signals. */ 912 perm = PROCESS__SIGNAL; 913 break; 914 } 915 916 return perm; 917 } 918 919 /* Check permission betweeen a pair of tasks, e.g. signal checks, 920 fork check, ptrace check, etc. */ 921 static int task_has_perm(struct task_struct *tsk1, 922 struct task_struct *tsk2, 923 u32 perms) 924 { 925 struct task_security_struct *tsec1, *tsec2; 926 927 tsec1 = tsk1->security; 928 tsec2 = tsk2->security; 929 return avc_has_perm(tsec1->sid, tsec2->sid, 930 SECCLASS_PROCESS, perms, NULL); 931 } 932 933 /* Check whether a task is allowed to use a capability. */ 934 static int task_has_capability(struct task_struct *tsk, 935 int cap) 936 { 937 struct task_security_struct *tsec; 938 struct avc_audit_data ad; 939 940 tsec = tsk->security; 941 942 AVC_AUDIT_DATA_INIT(&ad,CAP); 943 ad.tsk = tsk; 944 ad.u.cap = cap; 945 946 return avc_has_perm(tsec->sid, tsec->sid, 947 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad); 948 } 949 950 /* Check whether a task is allowed to use a system operation. */ 951 static int task_has_system(struct task_struct *tsk, 952 u32 perms) 953 { 954 struct task_security_struct *tsec; 955 956 tsec = tsk->security; 957 958 return avc_has_perm(tsec->sid, SECINITSID_KERNEL, 959 SECCLASS_SYSTEM, perms, NULL); 960 } 961 962 /* Check whether a task has a particular permission to an inode. 963 The 'adp' parameter is optional and allows other audit 964 data to be passed (e.g. the dentry). */ 965 static int inode_has_perm(struct task_struct *tsk, 966 struct inode *inode, 967 u32 perms, 968 struct avc_audit_data *adp) 969 { 970 struct task_security_struct *tsec; 971 struct inode_security_struct *isec; 972 struct avc_audit_data ad; 973 974 tsec = tsk->security; 975 isec = inode->i_security; 976 977 if (!adp) { 978 adp = &ad; 979 AVC_AUDIT_DATA_INIT(&ad, FS); 980 ad.u.fs.inode = inode; 981 } 982 983 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp); 984 } 985 986 /* Same as inode_has_perm, but pass explicit audit data containing 987 the dentry to help the auditing code to more easily generate the 988 pathname if needed. */ 989 static inline int dentry_has_perm(struct task_struct *tsk, 990 struct vfsmount *mnt, 991 struct dentry *dentry, 992 u32 av) 993 { 994 struct inode *inode = dentry->d_inode; 995 struct avc_audit_data ad; 996 AVC_AUDIT_DATA_INIT(&ad,FS); 997 ad.u.fs.mnt = mnt; 998 ad.u.fs.dentry = dentry; 999 return inode_has_perm(tsk, inode, av, &ad); 1000 } 1001 1002 /* Check whether a task can use an open file descriptor to 1003 access an inode in a given way. Check access to the 1004 descriptor itself, and then use dentry_has_perm to 1005 check a particular permission to the file. 1006 Access to the descriptor is implicitly granted if it 1007 has the same SID as the process. If av is zero, then 1008 access to the file is not checked, e.g. for cases 1009 where only the descriptor is affected like seek. */ 1010 static inline int file_has_perm(struct task_struct *tsk, 1011 struct file *file, 1012 u32 av) 1013 { 1014 struct task_security_struct *tsec = tsk->security; 1015 struct file_security_struct *fsec = file->f_security; 1016 struct vfsmount *mnt = file->f_vfsmnt; 1017 struct dentry *dentry = file->f_dentry; 1018 struct inode *inode = dentry->d_inode; 1019 struct avc_audit_data ad; 1020 int rc; 1021 1022 AVC_AUDIT_DATA_INIT(&ad, FS); 1023 ad.u.fs.mnt = mnt; 1024 ad.u.fs.dentry = dentry; 1025 1026 if (tsec->sid != fsec->sid) { 1027 rc = avc_has_perm(tsec->sid, fsec->sid, 1028 SECCLASS_FD, 1029 FD__USE, 1030 &ad); 1031 if (rc) 1032 return rc; 1033 } 1034 1035 /* av is zero if only checking access to the descriptor. */ 1036 if (av) 1037 return inode_has_perm(tsk, inode, av, &ad); 1038 1039 return 0; 1040 } 1041 1042 /* Check whether a task can create a file. */ 1043 static int may_create(struct inode *dir, 1044 struct dentry *dentry, 1045 u16 tclass) 1046 { 1047 struct task_security_struct *tsec; 1048 struct inode_security_struct *dsec; 1049 struct superblock_security_struct *sbsec; 1050 u32 newsid; 1051 struct avc_audit_data ad; 1052 int rc; 1053 1054 tsec = current->security; 1055 dsec = dir->i_security; 1056 sbsec = dir->i_sb->s_security; 1057 1058 AVC_AUDIT_DATA_INIT(&ad, FS); 1059 ad.u.fs.dentry = dentry; 1060 1061 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, 1062 DIR__ADD_NAME | DIR__SEARCH, 1063 &ad); 1064 if (rc) 1065 return rc; 1066 1067 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 1068 newsid = tsec->create_sid; 1069 } else { 1070 rc = security_transition_sid(tsec->sid, dsec->sid, tclass, 1071 &newsid); 1072 if (rc) 1073 return rc; 1074 } 1075 1076 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad); 1077 if (rc) 1078 return rc; 1079 1080 return avc_has_perm(newsid, sbsec->sid, 1081 SECCLASS_FILESYSTEM, 1082 FILESYSTEM__ASSOCIATE, &ad); 1083 } 1084 1085 #define MAY_LINK 0 1086 #define MAY_UNLINK 1 1087 #define MAY_RMDIR 2 1088 1089 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1090 static int may_link(struct inode *dir, 1091 struct dentry *dentry, 1092 int kind) 1093 1094 { 1095 struct task_security_struct *tsec; 1096 struct inode_security_struct *dsec, *isec; 1097 struct avc_audit_data ad; 1098 u32 av; 1099 int rc; 1100 1101 tsec = current->security; 1102 dsec = dir->i_security; 1103 isec = dentry->d_inode->i_security; 1104 1105 AVC_AUDIT_DATA_INIT(&ad, FS); 1106 ad.u.fs.dentry = dentry; 1107 1108 av = DIR__SEARCH; 1109 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1110 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad); 1111 if (rc) 1112 return rc; 1113 1114 switch (kind) { 1115 case MAY_LINK: 1116 av = FILE__LINK; 1117 break; 1118 case MAY_UNLINK: 1119 av = FILE__UNLINK; 1120 break; 1121 case MAY_RMDIR: 1122 av = DIR__RMDIR; 1123 break; 1124 default: 1125 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind); 1126 return 0; 1127 } 1128 1129 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad); 1130 return rc; 1131 } 1132 1133 static inline int may_rename(struct inode *old_dir, 1134 struct dentry *old_dentry, 1135 struct inode *new_dir, 1136 struct dentry *new_dentry) 1137 { 1138 struct task_security_struct *tsec; 1139 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1140 struct avc_audit_data ad; 1141 u32 av; 1142 int old_is_dir, new_is_dir; 1143 int rc; 1144 1145 tsec = current->security; 1146 old_dsec = old_dir->i_security; 1147 old_isec = old_dentry->d_inode->i_security; 1148 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); 1149 new_dsec = new_dir->i_security; 1150 1151 AVC_AUDIT_DATA_INIT(&ad, FS); 1152 1153 ad.u.fs.dentry = old_dentry; 1154 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR, 1155 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1156 if (rc) 1157 return rc; 1158 rc = avc_has_perm(tsec->sid, old_isec->sid, 1159 old_isec->sclass, FILE__RENAME, &ad); 1160 if (rc) 1161 return rc; 1162 if (old_is_dir && new_dir != old_dir) { 1163 rc = avc_has_perm(tsec->sid, old_isec->sid, 1164 old_isec->sclass, DIR__REPARENT, &ad); 1165 if (rc) 1166 return rc; 1167 } 1168 1169 ad.u.fs.dentry = new_dentry; 1170 av = DIR__ADD_NAME | DIR__SEARCH; 1171 if (new_dentry->d_inode) 1172 av |= DIR__REMOVE_NAME; 1173 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1174 if (rc) 1175 return rc; 1176 if (new_dentry->d_inode) { 1177 new_isec = new_dentry->d_inode->i_security; 1178 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode); 1179 rc = avc_has_perm(tsec->sid, new_isec->sid, 1180 new_isec->sclass, 1181 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1182 if (rc) 1183 return rc; 1184 } 1185 1186 return 0; 1187 } 1188 1189 /* Check whether a task can perform a filesystem operation. */ 1190 static int superblock_has_perm(struct task_struct *tsk, 1191 struct super_block *sb, 1192 u32 perms, 1193 struct avc_audit_data *ad) 1194 { 1195 struct task_security_struct *tsec; 1196 struct superblock_security_struct *sbsec; 1197 1198 tsec = tsk->security; 1199 sbsec = sb->s_security; 1200 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 1201 perms, ad); 1202 } 1203 1204 /* Convert a Linux mode and permission mask to an access vector. */ 1205 static inline u32 file_mask_to_av(int mode, int mask) 1206 { 1207 u32 av = 0; 1208 1209 if ((mode & S_IFMT) != S_IFDIR) { 1210 if (mask & MAY_EXEC) 1211 av |= FILE__EXECUTE; 1212 if (mask & MAY_READ) 1213 av |= FILE__READ; 1214 1215 if (mask & MAY_APPEND) 1216 av |= FILE__APPEND; 1217 else if (mask & MAY_WRITE) 1218 av |= FILE__WRITE; 1219 1220 } else { 1221 if (mask & MAY_EXEC) 1222 av |= DIR__SEARCH; 1223 if (mask & MAY_WRITE) 1224 av |= DIR__WRITE; 1225 if (mask & MAY_READ) 1226 av |= DIR__READ; 1227 } 1228 1229 return av; 1230 } 1231 1232 /* Convert a Linux file to an access vector. */ 1233 static inline u32 file_to_av(struct file *file) 1234 { 1235 u32 av = 0; 1236 1237 if (file->f_mode & FMODE_READ) 1238 av |= FILE__READ; 1239 if (file->f_mode & FMODE_WRITE) { 1240 if (file->f_flags & O_APPEND) 1241 av |= FILE__APPEND; 1242 else 1243 av |= FILE__WRITE; 1244 } 1245 1246 return av; 1247 } 1248 1249 /* Set an inode's SID to a specified value. */ 1250 static int inode_security_set_sid(struct inode *inode, u32 sid) 1251 { 1252 struct inode_security_struct *isec = inode->i_security; 1253 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 1254 1255 if (!sbsec->initialized) { 1256 /* Defer initialization to selinux_complete_init. */ 1257 return 0; 1258 } 1259 1260 down(&isec->sem); 1261 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1262 isec->sid = sid; 1263 isec->initialized = 1; 1264 up(&isec->sem); 1265 return 0; 1266 } 1267 1268 /* Hook functions begin here. */ 1269 1270 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) 1271 { 1272 struct task_security_struct *psec = parent->security; 1273 struct task_security_struct *csec = child->security; 1274 int rc; 1275 1276 rc = secondary_ops->ptrace(parent,child); 1277 if (rc) 1278 return rc; 1279 1280 rc = task_has_perm(parent, child, PROCESS__PTRACE); 1281 /* Save the SID of the tracing process for later use in apply_creds. */ 1282 if (!rc) 1283 csec->ptrace_sid = psec->sid; 1284 return rc; 1285 } 1286 1287 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 1288 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1289 { 1290 int error; 1291 1292 error = task_has_perm(current, target, PROCESS__GETCAP); 1293 if (error) 1294 return error; 1295 1296 return secondary_ops->capget(target, effective, inheritable, permitted); 1297 } 1298 1299 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, 1300 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1301 { 1302 int error; 1303 1304 error = secondary_ops->capset_check(target, effective, inheritable, permitted); 1305 if (error) 1306 return error; 1307 1308 return task_has_perm(current, target, PROCESS__SETCAP); 1309 } 1310 1311 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, 1312 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1313 { 1314 secondary_ops->capset_set(target, effective, inheritable, permitted); 1315 } 1316 1317 static int selinux_capable(struct task_struct *tsk, int cap) 1318 { 1319 int rc; 1320 1321 rc = secondary_ops->capable(tsk, cap); 1322 if (rc) 1323 return rc; 1324 1325 return task_has_capability(tsk,cap); 1326 } 1327 1328 static int selinux_sysctl(ctl_table *table, int op) 1329 { 1330 int error = 0; 1331 u32 av; 1332 struct task_security_struct *tsec; 1333 u32 tsid; 1334 int rc; 1335 1336 rc = secondary_ops->sysctl(table, op); 1337 if (rc) 1338 return rc; 1339 1340 tsec = current->security; 1341 1342 rc = selinux_proc_get_sid(table->de, (op == 001) ? 1343 SECCLASS_DIR : SECCLASS_FILE, &tsid); 1344 if (rc) { 1345 /* Default to the well-defined sysctl SID. */ 1346 tsid = SECINITSID_SYSCTL; 1347 } 1348 1349 /* The op values are "defined" in sysctl.c, thereby creating 1350 * a bad coupling between this module and sysctl.c */ 1351 if(op == 001) { 1352 error = avc_has_perm(tsec->sid, tsid, 1353 SECCLASS_DIR, DIR__SEARCH, NULL); 1354 } else { 1355 av = 0; 1356 if (op & 004) 1357 av |= FILE__READ; 1358 if (op & 002) 1359 av |= FILE__WRITE; 1360 if (av) 1361 error = avc_has_perm(tsec->sid, tsid, 1362 SECCLASS_FILE, av, NULL); 1363 } 1364 1365 return error; 1366 } 1367 1368 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 1369 { 1370 int rc = 0; 1371 1372 if (!sb) 1373 return 0; 1374 1375 switch (cmds) { 1376 case Q_SYNC: 1377 case Q_QUOTAON: 1378 case Q_QUOTAOFF: 1379 case Q_SETINFO: 1380 case Q_SETQUOTA: 1381 rc = superblock_has_perm(current, 1382 sb, 1383 FILESYSTEM__QUOTAMOD, NULL); 1384 break; 1385 case Q_GETFMT: 1386 case Q_GETINFO: 1387 case Q_GETQUOTA: 1388 rc = superblock_has_perm(current, 1389 sb, 1390 FILESYSTEM__QUOTAGET, NULL); 1391 break; 1392 default: 1393 rc = 0; /* let the kernel handle invalid cmds */ 1394 break; 1395 } 1396 return rc; 1397 } 1398 1399 static int selinux_quota_on(struct dentry *dentry) 1400 { 1401 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON); 1402 } 1403 1404 static int selinux_syslog(int type) 1405 { 1406 int rc; 1407 1408 rc = secondary_ops->syslog(type); 1409 if (rc) 1410 return rc; 1411 1412 switch (type) { 1413 case 3: /* Read last kernel messages */ 1414 case 10: /* Return size of the log buffer */ 1415 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 1416 break; 1417 case 6: /* Disable logging to console */ 1418 case 7: /* Enable logging to console */ 1419 case 8: /* Set level of messages printed to console */ 1420 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); 1421 break; 1422 case 0: /* Close log */ 1423 case 1: /* Open log */ 1424 case 2: /* Read from log */ 1425 case 4: /* Read/clear last kernel messages */ 1426 case 5: /* Clear ring buffer */ 1427 default: 1428 rc = task_has_system(current, SYSTEM__SYSLOG_MOD); 1429 break; 1430 } 1431 return rc; 1432 } 1433 1434 /* 1435 * Check that a process has enough memory to allocate a new virtual 1436 * mapping. 0 means there is enough memory for the allocation to 1437 * succeed and -ENOMEM implies there is not. 1438 * 1439 * Note that secondary_ops->capable and task_has_perm_noaudit return 0 1440 * if the capability is granted, but __vm_enough_memory requires 1 if 1441 * the capability is granted. 1442 * 1443 * Do not audit the selinux permission check, as this is applied to all 1444 * processes that allocate mappings. 1445 */ 1446 static int selinux_vm_enough_memory(long pages) 1447 { 1448 int rc, cap_sys_admin = 0; 1449 struct task_security_struct *tsec = current->security; 1450 1451 rc = secondary_ops->capable(current, CAP_SYS_ADMIN); 1452 if (rc == 0) 1453 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid, 1454 SECCLASS_CAPABILITY, 1455 CAP_TO_MASK(CAP_SYS_ADMIN), 1456 NULL); 1457 1458 if (rc == 0) 1459 cap_sys_admin = 1; 1460 1461 return __vm_enough_memory(pages, cap_sys_admin); 1462 } 1463 1464 /* binprm security operations */ 1465 1466 static int selinux_bprm_alloc_security(struct linux_binprm *bprm) 1467 { 1468 struct bprm_security_struct *bsec; 1469 1470 bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL); 1471 if (!bsec) 1472 return -ENOMEM; 1473 1474 memset(bsec, 0, sizeof *bsec); 1475 bsec->magic = SELINUX_MAGIC; 1476 bsec->bprm = bprm; 1477 bsec->sid = SECINITSID_UNLABELED; 1478 bsec->set = 0; 1479 1480 bprm->security = bsec; 1481 return 0; 1482 } 1483 1484 static int selinux_bprm_set_security(struct linux_binprm *bprm) 1485 { 1486 struct task_security_struct *tsec; 1487 struct inode *inode = bprm->file->f_dentry->d_inode; 1488 struct inode_security_struct *isec; 1489 struct bprm_security_struct *bsec; 1490 u32 newsid; 1491 struct avc_audit_data ad; 1492 int rc; 1493 1494 rc = secondary_ops->bprm_set_security(bprm); 1495 if (rc) 1496 return rc; 1497 1498 bsec = bprm->security; 1499 1500 if (bsec->set) 1501 return 0; 1502 1503 tsec = current->security; 1504 isec = inode->i_security; 1505 1506 /* Default to the current task SID. */ 1507 bsec->sid = tsec->sid; 1508 1509 /* Reset create SID on execve. */ 1510 tsec->create_sid = 0; 1511 1512 if (tsec->exec_sid) { 1513 newsid = tsec->exec_sid; 1514 /* Reset exec SID on execve. */ 1515 tsec->exec_sid = 0; 1516 } else { 1517 /* Check for a default transition on this program. */ 1518 rc = security_transition_sid(tsec->sid, isec->sid, 1519 SECCLASS_PROCESS, &newsid); 1520 if (rc) 1521 return rc; 1522 } 1523 1524 AVC_AUDIT_DATA_INIT(&ad, FS); 1525 ad.u.fs.mnt = bprm->file->f_vfsmnt; 1526 ad.u.fs.dentry = bprm->file->f_dentry; 1527 1528 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) 1529 newsid = tsec->sid; 1530 1531 if (tsec->sid == newsid) { 1532 rc = avc_has_perm(tsec->sid, isec->sid, 1533 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 1534 if (rc) 1535 return rc; 1536 } else { 1537 /* Check permissions for the transition. */ 1538 rc = avc_has_perm(tsec->sid, newsid, 1539 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 1540 if (rc) 1541 return rc; 1542 1543 rc = avc_has_perm(newsid, isec->sid, 1544 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 1545 if (rc) 1546 return rc; 1547 1548 /* Clear any possibly unsafe personality bits on exec: */ 1549 current->personality &= ~PER_CLEAR_ON_SETID; 1550 1551 /* Set the security field to the new SID. */ 1552 bsec->sid = newsid; 1553 } 1554 1555 bsec->set = 1; 1556 return 0; 1557 } 1558 1559 static int selinux_bprm_check_security (struct linux_binprm *bprm) 1560 { 1561 return secondary_ops->bprm_check_security(bprm); 1562 } 1563 1564 1565 static int selinux_bprm_secureexec (struct linux_binprm *bprm) 1566 { 1567 struct task_security_struct *tsec = current->security; 1568 int atsecure = 0; 1569 1570 if (tsec->osid != tsec->sid) { 1571 /* Enable secure mode for SIDs transitions unless 1572 the noatsecure permission is granted between 1573 the two SIDs, i.e. ahp returns 0. */ 1574 atsecure = avc_has_perm(tsec->osid, tsec->sid, 1575 SECCLASS_PROCESS, 1576 PROCESS__NOATSECURE, NULL); 1577 } 1578 1579 return (atsecure || secondary_ops->bprm_secureexec(bprm)); 1580 } 1581 1582 static void selinux_bprm_free_security(struct linux_binprm *bprm) 1583 { 1584 kfree(bprm->security); 1585 bprm->security = NULL; 1586 } 1587 1588 extern struct vfsmount *selinuxfs_mount; 1589 extern struct dentry *selinux_null; 1590 1591 /* Derived from fs/exec.c:flush_old_files. */ 1592 static inline void flush_unauthorized_files(struct files_struct * files) 1593 { 1594 struct avc_audit_data ad; 1595 struct file *file, *devnull = NULL; 1596 struct tty_struct *tty = current->signal->tty; 1597 struct fdtable *fdt; 1598 long j = -1; 1599 1600 if (tty) { 1601 file_list_lock(); 1602 file = list_entry(tty->tty_files.next, typeof(*file), f_list); 1603 if (file) { 1604 /* Revalidate access to controlling tty. 1605 Use inode_has_perm on the tty inode directly rather 1606 than using file_has_perm, as this particular open 1607 file may belong to another process and we are only 1608 interested in the inode-based check here. */ 1609 struct inode *inode = file->f_dentry->d_inode; 1610 if (inode_has_perm(current, inode, 1611 FILE__READ | FILE__WRITE, NULL)) { 1612 /* Reset controlling tty. */ 1613 current->signal->tty = NULL; 1614 current->signal->tty_old_pgrp = 0; 1615 } 1616 } 1617 file_list_unlock(); 1618 } 1619 1620 /* Revalidate access to inherited open files. */ 1621 1622 AVC_AUDIT_DATA_INIT(&ad,FS); 1623 1624 spin_lock(&files->file_lock); 1625 for (;;) { 1626 unsigned long set, i; 1627 int fd; 1628 1629 j++; 1630 i = j * __NFDBITS; 1631 fdt = files_fdtable(files); 1632 if (i >= fdt->max_fds || i >= fdt->max_fdset) 1633 break; 1634 set = fdt->open_fds->fds_bits[j]; 1635 if (!set) 1636 continue; 1637 spin_unlock(&files->file_lock); 1638 for ( ; set ; i++,set >>= 1) { 1639 if (set & 1) { 1640 file = fget(i); 1641 if (!file) 1642 continue; 1643 if (file_has_perm(current, 1644 file, 1645 file_to_av(file))) { 1646 sys_close(i); 1647 fd = get_unused_fd(); 1648 if (fd != i) { 1649 if (fd >= 0) 1650 put_unused_fd(fd); 1651 fput(file); 1652 continue; 1653 } 1654 if (devnull) { 1655 rcuref_inc(&devnull->f_count); 1656 } else { 1657 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR); 1658 if (!devnull) { 1659 put_unused_fd(fd); 1660 fput(file); 1661 continue; 1662 } 1663 } 1664 fd_install(fd, devnull); 1665 } 1666 fput(file); 1667 } 1668 } 1669 spin_lock(&files->file_lock); 1670 1671 } 1672 spin_unlock(&files->file_lock); 1673 } 1674 1675 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) 1676 { 1677 struct task_security_struct *tsec; 1678 struct bprm_security_struct *bsec; 1679 u32 sid; 1680 int rc; 1681 1682 secondary_ops->bprm_apply_creds(bprm, unsafe); 1683 1684 tsec = current->security; 1685 1686 bsec = bprm->security; 1687 sid = bsec->sid; 1688 1689 tsec->osid = tsec->sid; 1690 bsec->unsafe = 0; 1691 if (tsec->sid != sid) { 1692 /* Check for shared state. If not ok, leave SID 1693 unchanged and kill. */ 1694 if (unsafe & LSM_UNSAFE_SHARE) { 1695 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 1696 PROCESS__SHARE, NULL); 1697 if (rc) { 1698 bsec->unsafe = 1; 1699 return; 1700 } 1701 } 1702 1703 /* Check for ptracing, and update the task SID if ok. 1704 Otherwise, leave SID unchanged and kill. */ 1705 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 1706 rc = avc_has_perm(tsec->ptrace_sid, sid, 1707 SECCLASS_PROCESS, PROCESS__PTRACE, 1708 NULL); 1709 if (rc) { 1710 bsec->unsafe = 1; 1711 return; 1712 } 1713 } 1714 tsec->sid = sid; 1715 } 1716 } 1717 1718 /* 1719 * called after apply_creds without the task lock held 1720 */ 1721 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) 1722 { 1723 struct task_security_struct *tsec; 1724 struct rlimit *rlim, *initrlim; 1725 struct itimerval itimer; 1726 struct bprm_security_struct *bsec; 1727 int rc, i; 1728 1729 tsec = current->security; 1730 bsec = bprm->security; 1731 1732 if (bsec->unsafe) { 1733 force_sig_specific(SIGKILL, current); 1734 return; 1735 } 1736 if (tsec->osid == tsec->sid) 1737 return; 1738 1739 /* Close files for which the new task SID is not authorized. */ 1740 flush_unauthorized_files(current->files); 1741 1742 /* Check whether the new SID can inherit signal state 1743 from the old SID. If not, clear itimers to avoid 1744 subsequent signal generation and flush and unblock 1745 signals. This must occur _after_ the task SID has 1746 been updated so that any kill done after the flush 1747 will be checked against the new SID. */ 1748 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, 1749 PROCESS__SIGINH, NULL); 1750 if (rc) { 1751 memset(&itimer, 0, sizeof itimer); 1752 for (i = 0; i < 3; i++) 1753 do_setitimer(i, &itimer, NULL); 1754 flush_signals(current); 1755 spin_lock_irq(¤t->sighand->siglock); 1756 flush_signal_handlers(current, 1); 1757 sigemptyset(¤t->blocked); 1758 recalc_sigpending(); 1759 spin_unlock_irq(¤t->sighand->siglock); 1760 } 1761 1762 /* Check whether the new SID can inherit resource limits 1763 from the old SID. If not, reset all soft limits to 1764 the lower of the current task's hard limit and the init 1765 task's soft limit. Note that the setting of hard limits 1766 (even to lower them) can be controlled by the setrlimit 1767 check. The inclusion of the init task's soft limit into 1768 the computation is to avoid resetting soft limits higher 1769 than the default soft limit for cases where the default 1770 is lower than the hard limit, e.g. RLIMIT_CORE or 1771 RLIMIT_STACK.*/ 1772 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, 1773 PROCESS__RLIMITINH, NULL); 1774 if (rc) { 1775 for (i = 0; i < RLIM_NLIMITS; i++) { 1776 rlim = current->signal->rlim + i; 1777 initrlim = init_task.signal->rlim+i; 1778 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur); 1779 } 1780 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) { 1781 /* 1782 * This will cause RLIMIT_CPU calculations 1783 * to be refigured. 1784 */ 1785 current->it_prof_expires = jiffies_to_cputime(1); 1786 } 1787 } 1788 1789 /* Wake up the parent if it is waiting so that it can 1790 recheck wait permission to the new task SID. */ 1791 wake_up_interruptible(¤t->parent->signal->wait_chldexit); 1792 } 1793 1794 /* superblock security operations */ 1795 1796 static int selinux_sb_alloc_security(struct super_block *sb) 1797 { 1798 return superblock_alloc_security(sb); 1799 } 1800 1801 static void selinux_sb_free_security(struct super_block *sb) 1802 { 1803 superblock_free_security(sb); 1804 } 1805 1806 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 1807 { 1808 if (plen > olen) 1809 return 0; 1810 1811 return !memcmp(prefix, option, plen); 1812 } 1813 1814 static inline int selinux_option(char *option, int len) 1815 { 1816 return (match_prefix("context=", sizeof("context=")-1, option, len) || 1817 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) || 1818 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len)); 1819 } 1820 1821 static inline void take_option(char **to, char *from, int *first, int len) 1822 { 1823 if (!*first) { 1824 **to = ','; 1825 *to += 1; 1826 } 1827 else 1828 *first = 0; 1829 memcpy(*to, from, len); 1830 *to += len; 1831 } 1832 1833 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy) 1834 { 1835 int fnosec, fsec, rc = 0; 1836 char *in_save, *in_curr, *in_end; 1837 char *sec_curr, *nosec_save, *nosec; 1838 1839 in_curr = orig; 1840 sec_curr = copy; 1841 1842 /* Binary mount data: just copy */ 1843 if (type->fs_flags & FS_BINARY_MOUNTDATA) { 1844 copy_page(sec_curr, in_curr); 1845 goto out; 1846 } 1847 1848 nosec = (char *)get_zeroed_page(GFP_KERNEL); 1849 if (!nosec) { 1850 rc = -ENOMEM; 1851 goto out; 1852 } 1853 1854 nosec_save = nosec; 1855 fnosec = fsec = 1; 1856 in_save = in_end = orig; 1857 1858 do { 1859 if (*in_end == ',' || *in_end == '\0') { 1860 int len = in_end - in_curr; 1861 1862 if (selinux_option(in_curr, len)) 1863 take_option(&sec_curr, in_curr, &fsec, len); 1864 else 1865 take_option(&nosec, in_curr, &fnosec, len); 1866 1867 in_curr = in_end + 1; 1868 } 1869 } while (*in_end++); 1870 1871 strcpy(in_save, nosec_save); 1872 free_page((unsigned long)nosec_save); 1873 out: 1874 return rc; 1875 } 1876 1877 static int selinux_sb_kern_mount(struct super_block *sb, void *data) 1878 { 1879 struct avc_audit_data ad; 1880 int rc; 1881 1882 rc = superblock_doinit(sb, data); 1883 if (rc) 1884 return rc; 1885 1886 AVC_AUDIT_DATA_INIT(&ad,FS); 1887 ad.u.fs.dentry = sb->s_root; 1888 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); 1889 } 1890 1891 static int selinux_sb_statfs(struct super_block *sb) 1892 { 1893 struct avc_audit_data ad; 1894 1895 AVC_AUDIT_DATA_INIT(&ad,FS); 1896 ad.u.fs.dentry = sb->s_root; 1897 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad); 1898 } 1899 1900 static int selinux_mount(char * dev_name, 1901 struct nameidata *nd, 1902 char * type, 1903 unsigned long flags, 1904 void * data) 1905 { 1906 int rc; 1907 1908 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data); 1909 if (rc) 1910 return rc; 1911 1912 if (flags & MS_REMOUNT) 1913 return superblock_has_perm(current, nd->mnt->mnt_sb, 1914 FILESYSTEM__REMOUNT, NULL); 1915 else 1916 return dentry_has_perm(current, nd->mnt, nd->dentry, 1917 FILE__MOUNTON); 1918 } 1919 1920 static int selinux_umount(struct vfsmount *mnt, int flags) 1921 { 1922 int rc; 1923 1924 rc = secondary_ops->sb_umount(mnt, flags); 1925 if (rc) 1926 return rc; 1927 1928 return superblock_has_perm(current,mnt->mnt_sb, 1929 FILESYSTEM__UNMOUNT,NULL); 1930 } 1931 1932 /* inode security operations */ 1933 1934 static int selinux_inode_alloc_security(struct inode *inode) 1935 { 1936 return inode_alloc_security(inode); 1937 } 1938 1939 static void selinux_inode_free_security(struct inode *inode) 1940 { 1941 inode_free_security(inode); 1942 } 1943 1944 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 1945 char **name, void **value, 1946 size_t *len) 1947 { 1948 struct task_security_struct *tsec; 1949 struct inode_security_struct *dsec; 1950 struct superblock_security_struct *sbsec; 1951 struct inode_security_struct *isec; 1952 u32 newsid, clen; 1953 int rc; 1954 char *namep = NULL, *context; 1955 1956 tsec = current->security; 1957 dsec = dir->i_security; 1958 sbsec = dir->i_sb->s_security; 1959 isec = inode->i_security; 1960 1961 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 1962 newsid = tsec->create_sid; 1963 } else { 1964 rc = security_transition_sid(tsec->sid, dsec->sid, 1965 inode_mode_to_security_class(inode->i_mode), 1966 &newsid); 1967 if (rc) { 1968 printk(KERN_WARNING "%s: " 1969 "security_transition_sid failed, rc=%d (dev=%s " 1970 "ino=%ld)\n", 1971 __FUNCTION__, 1972 -rc, inode->i_sb->s_id, inode->i_ino); 1973 return rc; 1974 } 1975 } 1976 1977 inode_security_set_sid(inode, newsid); 1978 1979 if (name) { 1980 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL); 1981 if (!namep) 1982 return -ENOMEM; 1983 *name = namep; 1984 } 1985 1986 if (value && len) { 1987 rc = security_sid_to_context(newsid, &context, &clen); 1988 if (rc) { 1989 kfree(namep); 1990 return rc; 1991 } 1992 *value = context; 1993 *len = clen; 1994 } 1995 1996 return 0; 1997 } 1998 1999 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask) 2000 { 2001 return may_create(dir, dentry, SECCLASS_FILE); 2002 } 2003 2004 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2005 { 2006 int rc; 2007 2008 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry); 2009 if (rc) 2010 return rc; 2011 return may_link(dir, old_dentry, MAY_LINK); 2012 } 2013 2014 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2015 { 2016 int rc; 2017 2018 rc = secondary_ops->inode_unlink(dir, dentry); 2019 if (rc) 2020 return rc; 2021 return may_link(dir, dentry, MAY_UNLINK); 2022 } 2023 2024 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2025 { 2026 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2027 } 2028 2029 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask) 2030 { 2031 return may_create(dir, dentry, SECCLASS_DIR); 2032 } 2033 2034 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2035 { 2036 return may_link(dir, dentry, MAY_RMDIR); 2037 } 2038 2039 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) 2040 { 2041 int rc; 2042 2043 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev); 2044 if (rc) 2045 return rc; 2046 2047 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2048 } 2049 2050 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2051 struct inode *new_inode, struct dentry *new_dentry) 2052 { 2053 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2054 } 2055 2056 static int selinux_inode_readlink(struct dentry *dentry) 2057 { 2058 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2059 } 2060 2061 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) 2062 { 2063 int rc; 2064 2065 rc = secondary_ops->inode_follow_link(dentry,nameidata); 2066 if (rc) 2067 return rc; 2068 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2069 } 2070 2071 static int selinux_inode_permission(struct inode *inode, int mask, 2072 struct nameidata *nd) 2073 { 2074 int rc; 2075 2076 rc = secondary_ops->inode_permission(inode, mask, nd); 2077 if (rc) 2078 return rc; 2079 2080 if (!mask) { 2081 /* No permission to check. Existence test. */ 2082 return 0; 2083 } 2084 2085 return inode_has_perm(current, inode, 2086 file_mask_to_av(inode->i_mode, mask), NULL); 2087 } 2088 2089 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2090 { 2091 int rc; 2092 2093 rc = secondary_ops->inode_setattr(dentry, iattr); 2094 if (rc) 2095 return rc; 2096 2097 if (iattr->ia_valid & ATTR_FORCE) 2098 return 0; 2099 2100 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 2101 ATTR_ATIME_SET | ATTR_MTIME_SET)) 2102 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2103 2104 return dentry_has_perm(current, NULL, dentry, FILE__WRITE); 2105 } 2106 2107 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 2108 { 2109 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR); 2110 } 2111 2112 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags) 2113 { 2114 struct task_security_struct *tsec = current->security; 2115 struct inode *inode = dentry->d_inode; 2116 struct inode_security_struct *isec = inode->i_security; 2117 struct superblock_security_struct *sbsec; 2118 struct avc_audit_data ad; 2119 u32 newsid; 2120 int rc = 0; 2121 2122 if (strcmp(name, XATTR_NAME_SELINUX)) { 2123 if (!strncmp(name, XATTR_SECURITY_PREFIX, 2124 sizeof XATTR_SECURITY_PREFIX - 1) && 2125 !capable(CAP_SYS_ADMIN)) { 2126 /* A different attribute in the security namespace. 2127 Restrict to administrator. */ 2128 return -EPERM; 2129 } 2130 2131 /* Not an attribute we recognize, so just check the 2132 ordinary setattr permission. */ 2133 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2134 } 2135 2136 sbsec = inode->i_sb->s_security; 2137 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 2138 return -EOPNOTSUPP; 2139 2140 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER)) 2141 return -EPERM; 2142 2143 AVC_AUDIT_DATA_INIT(&ad,FS); 2144 ad.u.fs.dentry = dentry; 2145 2146 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, 2147 FILE__RELABELFROM, &ad); 2148 if (rc) 2149 return rc; 2150 2151 rc = security_context_to_sid(value, size, &newsid); 2152 if (rc) 2153 return rc; 2154 2155 rc = avc_has_perm(tsec->sid, newsid, isec->sclass, 2156 FILE__RELABELTO, &ad); 2157 if (rc) 2158 return rc; 2159 2160 rc = security_validate_transition(isec->sid, newsid, tsec->sid, 2161 isec->sclass); 2162 if (rc) 2163 return rc; 2164 2165 return avc_has_perm(newsid, 2166 sbsec->sid, 2167 SECCLASS_FILESYSTEM, 2168 FILESYSTEM__ASSOCIATE, 2169 &ad); 2170 } 2171 2172 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, 2173 void *value, size_t size, int flags) 2174 { 2175 struct inode *inode = dentry->d_inode; 2176 struct inode_security_struct *isec = inode->i_security; 2177 u32 newsid; 2178 int rc; 2179 2180 if (strcmp(name, XATTR_NAME_SELINUX)) { 2181 /* Not an attribute we recognize, so nothing to do. */ 2182 return; 2183 } 2184 2185 rc = security_context_to_sid(value, size, &newsid); 2186 if (rc) { 2187 printk(KERN_WARNING "%s: unable to obtain SID for context " 2188 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc); 2189 return; 2190 } 2191 2192 isec->sid = newsid; 2193 return; 2194 } 2195 2196 static int selinux_inode_getxattr (struct dentry *dentry, char *name) 2197 { 2198 struct inode *inode = dentry->d_inode; 2199 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 2200 2201 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 2202 return -EOPNOTSUPP; 2203 2204 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2205 } 2206 2207 static int selinux_inode_listxattr (struct dentry *dentry) 2208 { 2209 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2210 } 2211 2212 static int selinux_inode_removexattr (struct dentry *dentry, char *name) 2213 { 2214 if (strcmp(name, XATTR_NAME_SELINUX)) { 2215 if (!strncmp(name, XATTR_SECURITY_PREFIX, 2216 sizeof XATTR_SECURITY_PREFIX - 1) && 2217 !capable(CAP_SYS_ADMIN)) { 2218 /* A different attribute in the security namespace. 2219 Restrict to administrator. */ 2220 return -EPERM; 2221 } 2222 2223 /* Not an attribute we recognize, so just check the 2224 ordinary setattr permission. Might want a separate 2225 permission for removexattr. */ 2226 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2227 } 2228 2229 /* No one is allowed to remove a SELinux security label. 2230 You can change the label, but all data must be labeled. */ 2231 return -EACCES; 2232 } 2233 2234 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size) 2235 { 2236 struct inode_security_struct *isec = inode->i_security; 2237 char *context; 2238 unsigned len; 2239 int rc; 2240 2241 /* Permission check handled by selinux_inode_getxattr hook.*/ 2242 2243 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2244 return -EOPNOTSUPP; 2245 2246 rc = security_sid_to_context(isec->sid, &context, &len); 2247 if (rc) 2248 return rc; 2249 2250 if (!buffer || !size) { 2251 kfree(context); 2252 return len; 2253 } 2254 if (size < len) { 2255 kfree(context); 2256 return -ERANGE; 2257 } 2258 memcpy(buffer, context, len); 2259 kfree(context); 2260 return len; 2261 } 2262 2263 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 2264 const void *value, size_t size, int flags) 2265 { 2266 struct inode_security_struct *isec = inode->i_security; 2267 u32 newsid; 2268 int rc; 2269 2270 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2271 return -EOPNOTSUPP; 2272 2273 if (!value || !size) 2274 return -EACCES; 2275 2276 rc = security_context_to_sid((void*)value, size, &newsid); 2277 if (rc) 2278 return rc; 2279 2280 isec->sid = newsid; 2281 return 0; 2282 } 2283 2284 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 2285 { 2286 const int len = sizeof(XATTR_NAME_SELINUX); 2287 if (buffer && len <= buffer_size) 2288 memcpy(buffer, XATTR_NAME_SELINUX, len); 2289 return len; 2290 } 2291 2292 /* file security operations */ 2293 2294 static int selinux_file_permission(struct file *file, int mask) 2295 { 2296 struct inode *inode = file->f_dentry->d_inode; 2297 2298 if (!mask) { 2299 /* No permission to check. Existence test. */ 2300 return 0; 2301 } 2302 2303 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 2304 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 2305 mask |= MAY_APPEND; 2306 2307 return file_has_perm(current, file, 2308 file_mask_to_av(inode->i_mode, mask)); 2309 } 2310 2311 static int selinux_file_alloc_security(struct file *file) 2312 { 2313 return file_alloc_security(file); 2314 } 2315 2316 static void selinux_file_free_security(struct file *file) 2317 { 2318 file_free_security(file); 2319 } 2320 2321 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 2322 unsigned long arg) 2323 { 2324 int error = 0; 2325 2326 switch (cmd) { 2327 case FIONREAD: 2328 /* fall through */ 2329 case FIBMAP: 2330 /* fall through */ 2331 case FIGETBSZ: 2332 /* fall through */ 2333 case EXT2_IOC_GETFLAGS: 2334 /* fall through */ 2335 case EXT2_IOC_GETVERSION: 2336 error = file_has_perm(current, file, FILE__GETATTR); 2337 break; 2338 2339 case EXT2_IOC_SETFLAGS: 2340 /* fall through */ 2341 case EXT2_IOC_SETVERSION: 2342 error = file_has_perm(current, file, FILE__SETATTR); 2343 break; 2344 2345 /* sys_ioctl() checks */ 2346 case FIONBIO: 2347 /* fall through */ 2348 case FIOASYNC: 2349 error = file_has_perm(current, file, 0); 2350 break; 2351 2352 case KDSKBENT: 2353 case KDSKBSENT: 2354 error = task_has_capability(current,CAP_SYS_TTY_CONFIG); 2355 break; 2356 2357 /* default case assumes that the command will go 2358 * to the file's ioctl() function. 2359 */ 2360 default: 2361 error = file_has_perm(current, file, FILE__IOCTL); 2362 2363 } 2364 return error; 2365 } 2366 2367 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 2368 { 2369 #ifndef CONFIG_PPC32 2370 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { 2371 /* 2372 * We are making executable an anonymous mapping or a 2373 * private file mapping that will also be writable. 2374 * This has an additional check. 2375 */ 2376 int rc = task_has_perm(current, current, PROCESS__EXECMEM); 2377 if (rc) 2378 return rc; 2379 } 2380 #endif 2381 2382 if (file) { 2383 /* read access is always possible with a mapping */ 2384 u32 av = FILE__READ; 2385 2386 /* write access only matters if the mapping is shared */ 2387 if (shared && (prot & PROT_WRITE)) 2388 av |= FILE__WRITE; 2389 2390 if (prot & PROT_EXEC) 2391 av |= FILE__EXECUTE; 2392 2393 return file_has_perm(current, file, av); 2394 } 2395 return 0; 2396 } 2397 2398 static int selinux_file_mmap(struct file *file, unsigned long reqprot, 2399 unsigned long prot, unsigned long flags) 2400 { 2401 int rc; 2402 2403 rc = secondary_ops->file_mmap(file, reqprot, prot, flags); 2404 if (rc) 2405 return rc; 2406 2407 if (selinux_checkreqprot) 2408 prot = reqprot; 2409 2410 return file_map_prot_check(file, prot, 2411 (flags & MAP_TYPE) == MAP_SHARED); 2412 } 2413 2414 static int selinux_file_mprotect(struct vm_area_struct *vma, 2415 unsigned long reqprot, 2416 unsigned long prot) 2417 { 2418 int rc; 2419 2420 rc = secondary_ops->file_mprotect(vma, reqprot, prot); 2421 if (rc) 2422 return rc; 2423 2424 if (selinux_checkreqprot) 2425 prot = reqprot; 2426 2427 #ifndef CONFIG_PPC32 2428 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) && 2429 (vma->vm_start >= vma->vm_mm->start_brk && 2430 vma->vm_end <= vma->vm_mm->brk)) { 2431 /* 2432 * We are making an executable mapping in the brk region. 2433 * This has an additional execheap check. 2434 */ 2435 rc = task_has_perm(current, current, PROCESS__EXECHEAP); 2436 if (rc) 2437 return rc; 2438 } 2439 if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) { 2440 /* 2441 * We are making executable a file mapping that has 2442 * had some COW done. Since pages might have been written, 2443 * check ability to execute the possibly modified content. 2444 * This typically should only occur for text relocations. 2445 */ 2446 int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD); 2447 if (rc) 2448 return rc; 2449 } 2450 if (!vma->vm_file && (prot & PROT_EXEC) && 2451 vma->vm_start <= vma->vm_mm->start_stack && 2452 vma->vm_end >= vma->vm_mm->start_stack) { 2453 /* Attempt to make the process stack executable. 2454 * This has an additional execstack check. 2455 */ 2456 rc = task_has_perm(current, current, PROCESS__EXECSTACK); 2457 if (rc) 2458 return rc; 2459 } 2460 #endif 2461 2462 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 2463 } 2464 2465 static int selinux_file_lock(struct file *file, unsigned int cmd) 2466 { 2467 return file_has_perm(current, file, FILE__LOCK); 2468 } 2469 2470 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 2471 unsigned long arg) 2472 { 2473 int err = 0; 2474 2475 switch (cmd) { 2476 case F_SETFL: 2477 if (!file->f_dentry || !file->f_dentry->d_inode) { 2478 err = -EINVAL; 2479 break; 2480 } 2481 2482 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 2483 err = file_has_perm(current, file,FILE__WRITE); 2484 break; 2485 } 2486 /* fall through */ 2487 case F_SETOWN: 2488 case F_SETSIG: 2489 case F_GETFL: 2490 case F_GETOWN: 2491 case F_GETSIG: 2492 /* Just check FD__USE permission */ 2493 err = file_has_perm(current, file, 0); 2494 break; 2495 case F_GETLK: 2496 case F_SETLK: 2497 case F_SETLKW: 2498 #if BITS_PER_LONG == 32 2499 case F_GETLK64: 2500 case F_SETLK64: 2501 case F_SETLKW64: 2502 #endif 2503 if (!file->f_dentry || !file->f_dentry->d_inode) { 2504 err = -EINVAL; 2505 break; 2506 } 2507 err = file_has_perm(current, file, FILE__LOCK); 2508 break; 2509 } 2510 2511 return err; 2512 } 2513 2514 static int selinux_file_set_fowner(struct file *file) 2515 { 2516 struct task_security_struct *tsec; 2517 struct file_security_struct *fsec; 2518 2519 tsec = current->security; 2520 fsec = file->f_security; 2521 fsec->fown_sid = tsec->sid; 2522 2523 return 0; 2524 } 2525 2526 static int selinux_file_send_sigiotask(struct task_struct *tsk, 2527 struct fown_struct *fown, int signum) 2528 { 2529 struct file *file; 2530 u32 perm; 2531 struct task_security_struct *tsec; 2532 struct file_security_struct *fsec; 2533 2534 /* struct fown_struct is never outside the context of a struct file */ 2535 file = (struct file *)((long)fown - offsetof(struct file,f_owner)); 2536 2537 tsec = tsk->security; 2538 fsec = file->f_security; 2539 2540 if (!signum) 2541 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 2542 else 2543 perm = signal_to_av(signum); 2544 2545 return avc_has_perm(fsec->fown_sid, tsec->sid, 2546 SECCLASS_PROCESS, perm, NULL); 2547 } 2548 2549 static int selinux_file_receive(struct file *file) 2550 { 2551 return file_has_perm(current, file, file_to_av(file)); 2552 } 2553 2554 /* task security operations */ 2555 2556 static int selinux_task_create(unsigned long clone_flags) 2557 { 2558 int rc; 2559 2560 rc = secondary_ops->task_create(clone_flags); 2561 if (rc) 2562 return rc; 2563 2564 return task_has_perm(current, current, PROCESS__FORK); 2565 } 2566 2567 static int selinux_task_alloc_security(struct task_struct *tsk) 2568 { 2569 struct task_security_struct *tsec1, *tsec2; 2570 int rc; 2571 2572 tsec1 = current->security; 2573 2574 rc = task_alloc_security(tsk); 2575 if (rc) 2576 return rc; 2577 tsec2 = tsk->security; 2578 2579 tsec2->osid = tsec1->osid; 2580 tsec2->sid = tsec1->sid; 2581 2582 /* Retain the exec and create SIDs across fork */ 2583 tsec2->exec_sid = tsec1->exec_sid; 2584 tsec2->create_sid = tsec1->create_sid; 2585 2586 /* Retain ptracer SID across fork, if any. 2587 This will be reset by the ptrace hook upon any 2588 subsequent ptrace_attach operations. */ 2589 tsec2->ptrace_sid = tsec1->ptrace_sid; 2590 2591 return 0; 2592 } 2593 2594 static void selinux_task_free_security(struct task_struct *tsk) 2595 { 2596 task_free_security(tsk); 2597 } 2598 2599 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 2600 { 2601 /* Since setuid only affects the current process, and 2602 since the SELinux controls are not based on the Linux 2603 identity attributes, SELinux does not need to control 2604 this operation. However, SELinux does control the use 2605 of the CAP_SETUID and CAP_SETGID capabilities using the 2606 capable hook. */ 2607 return 0; 2608 } 2609 2610 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 2611 { 2612 return secondary_ops->task_post_setuid(id0,id1,id2,flags); 2613 } 2614 2615 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) 2616 { 2617 /* See the comment for setuid above. */ 2618 return 0; 2619 } 2620 2621 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 2622 { 2623 return task_has_perm(current, p, PROCESS__SETPGID); 2624 } 2625 2626 static int selinux_task_getpgid(struct task_struct *p) 2627 { 2628 return task_has_perm(current, p, PROCESS__GETPGID); 2629 } 2630 2631 static int selinux_task_getsid(struct task_struct *p) 2632 { 2633 return task_has_perm(current, p, PROCESS__GETSESSION); 2634 } 2635 2636 static int selinux_task_setgroups(struct group_info *group_info) 2637 { 2638 /* See the comment for setuid above. */ 2639 return 0; 2640 } 2641 2642 static int selinux_task_setnice(struct task_struct *p, int nice) 2643 { 2644 int rc; 2645 2646 rc = secondary_ops->task_setnice(p, nice); 2647 if (rc) 2648 return rc; 2649 2650 return task_has_perm(current,p, PROCESS__SETSCHED); 2651 } 2652 2653 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) 2654 { 2655 struct rlimit *old_rlim = current->signal->rlim + resource; 2656 int rc; 2657 2658 rc = secondary_ops->task_setrlimit(resource, new_rlim); 2659 if (rc) 2660 return rc; 2661 2662 /* Control the ability to change the hard limit (whether 2663 lowering or raising it), so that the hard limit can 2664 later be used as a safe reset point for the soft limit 2665 upon context transitions. See selinux_bprm_apply_creds. */ 2666 if (old_rlim->rlim_max != new_rlim->rlim_max) 2667 return task_has_perm(current, current, PROCESS__SETRLIMIT); 2668 2669 return 0; 2670 } 2671 2672 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp) 2673 { 2674 return task_has_perm(current, p, PROCESS__SETSCHED); 2675 } 2676 2677 static int selinux_task_getscheduler(struct task_struct *p) 2678 { 2679 return task_has_perm(current, p, PROCESS__GETSCHED); 2680 } 2681 2682 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig) 2683 { 2684 u32 perm; 2685 int rc; 2686 2687 rc = secondary_ops->task_kill(p, info, sig); 2688 if (rc) 2689 return rc; 2690 2691 if (info && ((unsigned long)info == 1 || 2692 (unsigned long)info == 2 || SI_FROMKERNEL(info))) 2693 return 0; 2694 2695 if (!sig) 2696 perm = PROCESS__SIGNULL; /* null signal; existence test */ 2697 else 2698 perm = signal_to_av(sig); 2699 2700 return task_has_perm(current, p, perm); 2701 } 2702 2703 static int selinux_task_prctl(int option, 2704 unsigned long arg2, 2705 unsigned long arg3, 2706 unsigned long arg4, 2707 unsigned long arg5) 2708 { 2709 /* The current prctl operations do not appear to require 2710 any SELinux controls since they merely observe or modify 2711 the state of the current process. */ 2712 return 0; 2713 } 2714 2715 static int selinux_task_wait(struct task_struct *p) 2716 { 2717 u32 perm; 2718 2719 perm = signal_to_av(p->exit_signal); 2720 2721 return task_has_perm(p, current, perm); 2722 } 2723 2724 static void selinux_task_reparent_to_init(struct task_struct *p) 2725 { 2726 struct task_security_struct *tsec; 2727 2728 secondary_ops->task_reparent_to_init(p); 2729 2730 tsec = p->security; 2731 tsec->osid = tsec->sid; 2732 tsec->sid = SECINITSID_KERNEL; 2733 return; 2734 } 2735 2736 static void selinux_task_to_inode(struct task_struct *p, 2737 struct inode *inode) 2738 { 2739 struct task_security_struct *tsec = p->security; 2740 struct inode_security_struct *isec = inode->i_security; 2741 2742 isec->sid = tsec->sid; 2743 isec->initialized = 1; 2744 return; 2745 } 2746 2747 #ifdef CONFIG_SECURITY_NETWORK 2748 2749 /* Returns error only if unable to parse addresses */ 2750 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad) 2751 { 2752 int offset, ihlen, ret = -EINVAL; 2753 struct iphdr _iph, *ih; 2754 2755 offset = skb->nh.raw - skb->data; 2756 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 2757 if (ih == NULL) 2758 goto out; 2759 2760 ihlen = ih->ihl * 4; 2761 if (ihlen < sizeof(_iph)) 2762 goto out; 2763 2764 ad->u.net.v4info.saddr = ih->saddr; 2765 ad->u.net.v4info.daddr = ih->daddr; 2766 ret = 0; 2767 2768 switch (ih->protocol) { 2769 case IPPROTO_TCP: { 2770 struct tcphdr _tcph, *th; 2771 2772 if (ntohs(ih->frag_off) & IP_OFFSET) 2773 break; 2774 2775 offset += ihlen; 2776 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 2777 if (th == NULL) 2778 break; 2779 2780 ad->u.net.sport = th->source; 2781 ad->u.net.dport = th->dest; 2782 break; 2783 } 2784 2785 case IPPROTO_UDP: { 2786 struct udphdr _udph, *uh; 2787 2788 if (ntohs(ih->frag_off) & IP_OFFSET) 2789 break; 2790 2791 offset += ihlen; 2792 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 2793 if (uh == NULL) 2794 break; 2795 2796 ad->u.net.sport = uh->source; 2797 ad->u.net.dport = uh->dest; 2798 break; 2799 } 2800 2801 default: 2802 break; 2803 } 2804 out: 2805 return ret; 2806 } 2807 2808 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 2809 2810 /* Returns error only if unable to parse addresses */ 2811 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad) 2812 { 2813 u8 nexthdr; 2814 int ret = -EINVAL, offset; 2815 struct ipv6hdr _ipv6h, *ip6; 2816 2817 offset = skb->nh.raw - skb->data; 2818 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 2819 if (ip6 == NULL) 2820 goto out; 2821 2822 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr); 2823 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr); 2824 ret = 0; 2825 2826 nexthdr = ip6->nexthdr; 2827 offset += sizeof(_ipv6h); 2828 offset = ipv6_skip_exthdr(skb, offset, &nexthdr); 2829 if (offset < 0) 2830 goto out; 2831 2832 switch (nexthdr) { 2833 case IPPROTO_TCP: { 2834 struct tcphdr _tcph, *th; 2835 2836 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 2837 if (th == NULL) 2838 break; 2839 2840 ad->u.net.sport = th->source; 2841 ad->u.net.dport = th->dest; 2842 break; 2843 } 2844 2845 case IPPROTO_UDP: { 2846 struct udphdr _udph, *uh; 2847 2848 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 2849 if (uh == NULL) 2850 break; 2851 2852 ad->u.net.sport = uh->source; 2853 ad->u.net.dport = uh->dest; 2854 break; 2855 } 2856 2857 /* includes fragments */ 2858 default: 2859 break; 2860 } 2861 out: 2862 return ret; 2863 } 2864 2865 #endif /* IPV6 */ 2866 2867 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, 2868 char **addrp, int *len, int src) 2869 { 2870 int ret = 0; 2871 2872 switch (ad->u.net.family) { 2873 case PF_INET: 2874 ret = selinux_parse_skb_ipv4(skb, ad); 2875 if (ret || !addrp) 2876 break; 2877 *len = 4; 2878 *addrp = (char *)(src ? &ad->u.net.v4info.saddr : 2879 &ad->u.net.v4info.daddr); 2880 break; 2881 2882 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 2883 case PF_INET6: 2884 ret = selinux_parse_skb_ipv6(skb, ad); 2885 if (ret || !addrp) 2886 break; 2887 *len = 16; 2888 *addrp = (char *)(src ? &ad->u.net.v6info.saddr : 2889 &ad->u.net.v6info.daddr); 2890 break; 2891 #endif /* IPV6 */ 2892 default: 2893 break; 2894 } 2895 2896 return ret; 2897 } 2898 2899 /* socket security operations */ 2900 static int socket_has_perm(struct task_struct *task, struct socket *sock, 2901 u32 perms) 2902 { 2903 struct inode_security_struct *isec; 2904 struct task_security_struct *tsec; 2905 struct avc_audit_data ad; 2906 int err = 0; 2907 2908 tsec = task->security; 2909 isec = SOCK_INODE(sock)->i_security; 2910 2911 if (isec->sid == SECINITSID_KERNEL) 2912 goto out; 2913 2914 AVC_AUDIT_DATA_INIT(&ad,NET); 2915 ad.u.net.sk = sock->sk; 2916 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 2917 2918 out: 2919 return err; 2920 } 2921 2922 static int selinux_socket_create(int family, int type, 2923 int protocol, int kern) 2924 { 2925 int err = 0; 2926 struct task_security_struct *tsec; 2927 2928 if (kern) 2929 goto out; 2930 2931 tsec = current->security; 2932 err = avc_has_perm(tsec->sid, tsec->sid, 2933 socket_type_to_security_class(family, type, 2934 protocol), SOCKET__CREATE, NULL); 2935 2936 out: 2937 return err; 2938 } 2939 2940 static void selinux_socket_post_create(struct socket *sock, int family, 2941 int type, int protocol, int kern) 2942 { 2943 struct inode_security_struct *isec; 2944 struct task_security_struct *tsec; 2945 2946 isec = SOCK_INODE(sock)->i_security; 2947 2948 tsec = current->security; 2949 isec->sclass = socket_type_to_security_class(family, type, protocol); 2950 isec->sid = kern ? SECINITSID_KERNEL : tsec->sid; 2951 isec->initialized = 1; 2952 2953 return; 2954 } 2955 2956 /* Range of port numbers used to automatically bind. 2957 Need to determine whether we should perform a name_bind 2958 permission check between the socket and the port number. */ 2959 #define ip_local_port_range_0 sysctl_local_port_range[0] 2960 #define ip_local_port_range_1 sysctl_local_port_range[1] 2961 2962 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 2963 { 2964 u16 family; 2965 int err; 2966 2967 err = socket_has_perm(current, sock, SOCKET__BIND); 2968 if (err) 2969 goto out; 2970 2971 /* 2972 * If PF_INET or PF_INET6, check name_bind permission for the port. 2973 */ 2974 family = sock->sk->sk_family; 2975 if (family == PF_INET || family == PF_INET6) { 2976 char *addrp; 2977 struct inode_security_struct *isec; 2978 struct task_security_struct *tsec; 2979 struct avc_audit_data ad; 2980 struct sockaddr_in *addr4 = NULL; 2981 struct sockaddr_in6 *addr6 = NULL; 2982 unsigned short snum; 2983 struct sock *sk = sock->sk; 2984 u32 sid, node_perm, addrlen; 2985 2986 tsec = current->security; 2987 isec = SOCK_INODE(sock)->i_security; 2988 2989 if (family == PF_INET) { 2990 addr4 = (struct sockaddr_in *)address; 2991 snum = ntohs(addr4->sin_port); 2992 addrlen = sizeof(addr4->sin_addr.s_addr); 2993 addrp = (char *)&addr4->sin_addr.s_addr; 2994 } else { 2995 addr6 = (struct sockaddr_in6 *)address; 2996 snum = ntohs(addr6->sin6_port); 2997 addrlen = sizeof(addr6->sin6_addr.s6_addr); 2998 addrp = (char *)&addr6->sin6_addr.s6_addr; 2999 } 3000 3001 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) || 3002 snum > ip_local_port_range_1)) { 3003 err = security_port_sid(sk->sk_family, sk->sk_type, 3004 sk->sk_protocol, snum, &sid); 3005 if (err) 3006 goto out; 3007 AVC_AUDIT_DATA_INIT(&ad,NET); 3008 ad.u.net.sport = htons(snum); 3009 ad.u.net.family = family; 3010 err = avc_has_perm(isec->sid, sid, 3011 isec->sclass, 3012 SOCKET__NAME_BIND, &ad); 3013 if (err) 3014 goto out; 3015 } 3016 3017 switch(sk->sk_protocol) { 3018 case IPPROTO_TCP: 3019 node_perm = TCP_SOCKET__NODE_BIND; 3020 break; 3021 3022 case IPPROTO_UDP: 3023 node_perm = UDP_SOCKET__NODE_BIND; 3024 break; 3025 3026 default: 3027 node_perm = RAWIP_SOCKET__NODE_BIND; 3028 break; 3029 } 3030 3031 err = security_node_sid(family, addrp, addrlen, &sid); 3032 if (err) 3033 goto out; 3034 3035 AVC_AUDIT_DATA_INIT(&ad,NET); 3036 ad.u.net.sport = htons(snum); 3037 ad.u.net.family = family; 3038 3039 if (family == PF_INET) 3040 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr; 3041 else 3042 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr); 3043 3044 err = avc_has_perm(isec->sid, sid, 3045 isec->sclass, node_perm, &ad); 3046 if (err) 3047 goto out; 3048 } 3049 out: 3050 return err; 3051 } 3052 3053 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 3054 { 3055 struct inode_security_struct *isec; 3056 int err; 3057 3058 err = socket_has_perm(current, sock, SOCKET__CONNECT); 3059 if (err) 3060 return err; 3061 3062 /* 3063 * If a TCP socket, check name_connect permission for the port. 3064 */ 3065 isec = SOCK_INODE(sock)->i_security; 3066 if (isec->sclass == SECCLASS_TCP_SOCKET) { 3067 struct sock *sk = sock->sk; 3068 struct avc_audit_data ad; 3069 struct sockaddr_in *addr4 = NULL; 3070 struct sockaddr_in6 *addr6 = NULL; 3071 unsigned short snum; 3072 u32 sid; 3073 3074 if (sk->sk_family == PF_INET) { 3075 addr4 = (struct sockaddr_in *)address; 3076 if (addrlen < sizeof(struct sockaddr_in)) 3077 return -EINVAL; 3078 snum = ntohs(addr4->sin_port); 3079 } else { 3080 addr6 = (struct sockaddr_in6 *)address; 3081 if (addrlen < SIN6_LEN_RFC2133) 3082 return -EINVAL; 3083 snum = ntohs(addr6->sin6_port); 3084 } 3085 3086 err = security_port_sid(sk->sk_family, sk->sk_type, 3087 sk->sk_protocol, snum, &sid); 3088 if (err) 3089 goto out; 3090 3091 AVC_AUDIT_DATA_INIT(&ad,NET); 3092 ad.u.net.dport = htons(snum); 3093 ad.u.net.family = sk->sk_family; 3094 err = avc_has_perm(isec->sid, sid, isec->sclass, 3095 TCP_SOCKET__NAME_CONNECT, &ad); 3096 if (err) 3097 goto out; 3098 } 3099 3100 out: 3101 return err; 3102 } 3103 3104 static int selinux_socket_listen(struct socket *sock, int backlog) 3105 { 3106 return socket_has_perm(current, sock, SOCKET__LISTEN); 3107 } 3108 3109 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 3110 { 3111 int err; 3112 struct inode_security_struct *isec; 3113 struct inode_security_struct *newisec; 3114 3115 err = socket_has_perm(current, sock, SOCKET__ACCEPT); 3116 if (err) 3117 return err; 3118 3119 newisec = SOCK_INODE(newsock)->i_security; 3120 3121 isec = SOCK_INODE(sock)->i_security; 3122 newisec->sclass = isec->sclass; 3123 newisec->sid = isec->sid; 3124 newisec->initialized = 1; 3125 3126 return 0; 3127 } 3128 3129 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3130 int size) 3131 { 3132 return socket_has_perm(current, sock, SOCKET__WRITE); 3133 } 3134 3135 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 3136 int size, int flags) 3137 { 3138 return socket_has_perm(current, sock, SOCKET__READ); 3139 } 3140 3141 static int selinux_socket_getsockname(struct socket *sock) 3142 { 3143 return socket_has_perm(current, sock, SOCKET__GETATTR); 3144 } 3145 3146 static int selinux_socket_getpeername(struct socket *sock) 3147 { 3148 return socket_has_perm(current, sock, SOCKET__GETATTR); 3149 } 3150 3151 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname) 3152 { 3153 return socket_has_perm(current, sock, SOCKET__SETOPT); 3154 } 3155 3156 static int selinux_socket_getsockopt(struct socket *sock, int level, 3157 int optname) 3158 { 3159 return socket_has_perm(current, sock, SOCKET__GETOPT); 3160 } 3161 3162 static int selinux_socket_shutdown(struct socket *sock, int how) 3163 { 3164 return socket_has_perm(current, sock, SOCKET__SHUTDOWN); 3165 } 3166 3167 static int selinux_socket_unix_stream_connect(struct socket *sock, 3168 struct socket *other, 3169 struct sock *newsk) 3170 { 3171 struct sk_security_struct *ssec; 3172 struct inode_security_struct *isec; 3173 struct inode_security_struct *other_isec; 3174 struct avc_audit_data ad; 3175 int err; 3176 3177 err = secondary_ops->unix_stream_connect(sock, other, newsk); 3178 if (err) 3179 return err; 3180 3181 isec = SOCK_INODE(sock)->i_security; 3182 other_isec = SOCK_INODE(other)->i_security; 3183 3184 AVC_AUDIT_DATA_INIT(&ad,NET); 3185 ad.u.net.sk = other->sk; 3186 3187 err = avc_has_perm(isec->sid, other_isec->sid, 3188 isec->sclass, 3189 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 3190 if (err) 3191 return err; 3192 3193 /* connecting socket */ 3194 ssec = sock->sk->sk_security; 3195 ssec->peer_sid = other_isec->sid; 3196 3197 /* server child socket */ 3198 ssec = newsk->sk_security; 3199 ssec->peer_sid = isec->sid; 3200 3201 return 0; 3202 } 3203 3204 static int selinux_socket_unix_may_send(struct socket *sock, 3205 struct socket *other) 3206 { 3207 struct inode_security_struct *isec; 3208 struct inode_security_struct *other_isec; 3209 struct avc_audit_data ad; 3210 int err; 3211 3212 isec = SOCK_INODE(sock)->i_security; 3213 other_isec = SOCK_INODE(other)->i_security; 3214 3215 AVC_AUDIT_DATA_INIT(&ad,NET); 3216 ad.u.net.sk = other->sk; 3217 3218 err = avc_has_perm(isec->sid, other_isec->sid, 3219 isec->sclass, SOCKET__SENDTO, &ad); 3220 if (err) 3221 return err; 3222 3223 return 0; 3224 } 3225 3226 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3227 { 3228 u16 family; 3229 char *addrp; 3230 int len, err = 0; 3231 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0; 3232 u32 sock_sid = 0; 3233 u16 sock_class = 0; 3234 struct socket *sock; 3235 struct net_device *dev; 3236 struct avc_audit_data ad; 3237 3238 family = sk->sk_family; 3239 if (family != PF_INET && family != PF_INET6) 3240 goto out; 3241 3242 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 3243 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP)) 3244 family = PF_INET; 3245 3246 read_lock_bh(&sk->sk_callback_lock); 3247 sock = sk->sk_socket; 3248 if (sock) { 3249 struct inode *inode; 3250 inode = SOCK_INODE(sock); 3251 if (inode) { 3252 struct inode_security_struct *isec; 3253 isec = inode->i_security; 3254 sock_sid = isec->sid; 3255 sock_class = isec->sclass; 3256 } 3257 } 3258 read_unlock_bh(&sk->sk_callback_lock); 3259 if (!sock_sid) 3260 goto out; 3261 3262 dev = skb->dev; 3263 if (!dev) 3264 goto out; 3265 3266 err = sel_netif_sids(dev, &if_sid, NULL); 3267 if (err) 3268 goto out; 3269 3270 switch (sock_class) { 3271 case SECCLASS_UDP_SOCKET: 3272 netif_perm = NETIF__UDP_RECV; 3273 node_perm = NODE__UDP_RECV; 3274 recv_perm = UDP_SOCKET__RECV_MSG; 3275 break; 3276 3277 case SECCLASS_TCP_SOCKET: 3278 netif_perm = NETIF__TCP_RECV; 3279 node_perm = NODE__TCP_RECV; 3280 recv_perm = TCP_SOCKET__RECV_MSG; 3281 break; 3282 3283 default: 3284 netif_perm = NETIF__RAWIP_RECV; 3285 node_perm = NODE__RAWIP_RECV; 3286 break; 3287 } 3288 3289 AVC_AUDIT_DATA_INIT(&ad, NET); 3290 ad.u.net.netif = dev->name; 3291 ad.u.net.family = family; 3292 3293 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1); 3294 if (err) 3295 goto out; 3296 3297 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad); 3298 if (err) 3299 goto out; 3300 3301 /* Fixme: this lookup is inefficient */ 3302 err = security_node_sid(family, addrp, len, &node_sid); 3303 if (err) 3304 goto out; 3305 3306 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad); 3307 if (err) 3308 goto out; 3309 3310 if (recv_perm) { 3311 u32 port_sid; 3312 3313 /* Fixme: make this more efficient */ 3314 err = security_port_sid(sk->sk_family, sk->sk_type, 3315 sk->sk_protocol, ntohs(ad.u.net.sport), 3316 &port_sid); 3317 if (err) 3318 goto out; 3319 3320 err = avc_has_perm(sock_sid, port_sid, 3321 sock_class, recv_perm, &ad); 3322 } 3323 out: 3324 return err; 3325 } 3326 3327 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval, 3328 int __user *optlen, unsigned len) 3329 { 3330 int err = 0; 3331 char *scontext; 3332 u32 scontext_len; 3333 struct sk_security_struct *ssec; 3334 struct inode_security_struct *isec; 3335 3336 isec = SOCK_INODE(sock)->i_security; 3337 if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) { 3338 err = -ENOPROTOOPT; 3339 goto out; 3340 } 3341 3342 ssec = sock->sk->sk_security; 3343 3344 err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len); 3345 if (err) 3346 goto out; 3347 3348 if (scontext_len > len) { 3349 err = -ERANGE; 3350 goto out_len; 3351 } 3352 3353 if (copy_to_user(optval, scontext, scontext_len)) 3354 err = -EFAULT; 3355 3356 out_len: 3357 if (put_user(scontext_len, optlen)) 3358 err = -EFAULT; 3359 3360 kfree(scontext); 3361 out: 3362 return err; 3363 } 3364 3365 static int selinux_sk_alloc_security(struct sock *sk, int family, int priority) 3366 { 3367 return sk_alloc_security(sk, family, priority); 3368 } 3369 3370 static void selinux_sk_free_security(struct sock *sk) 3371 { 3372 sk_free_security(sk); 3373 } 3374 3375 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 3376 { 3377 int err = 0; 3378 u32 perm; 3379 struct nlmsghdr *nlh; 3380 struct socket *sock = sk->sk_socket; 3381 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 3382 3383 if (skb->len < NLMSG_SPACE(0)) { 3384 err = -EINVAL; 3385 goto out; 3386 } 3387 nlh = (struct nlmsghdr *)skb->data; 3388 3389 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); 3390 if (err) { 3391 if (err == -EINVAL) { 3392 audit_log(current->audit_context, AUDIT_SELINUX_ERR, 3393 "SELinux: unrecognized netlink message" 3394 " type=%hu for sclass=%hu\n", 3395 nlh->nlmsg_type, isec->sclass); 3396 if (!selinux_enforcing) 3397 err = 0; 3398 } 3399 3400 /* Ignore */ 3401 if (err == -ENOENT) 3402 err = 0; 3403 goto out; 3404 } 3405 3406 err = socket_has_perm(current, sock, perm); 3407 out: 3408 return err; 3409 } 3410 3411 #ifdef CONFIG_NETFILTER 3412 3413 static unsigned int selinux_ip_postroute_last(unsigned int hooknum, 3414 struct sk_buff **pskb, 3415 const struct net_device *in, 3416 const struct net_device *out, 3417 int (*okfn)(struct sk_buff *), 3418 u16 family) 3419 { 3420 char *addrp; 3421 int len, err = NF_ACCEPT; 3422 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0; 3423 struct sock *sk; 3424 struct socket *sock; 3425 struct inode *inode; 3426 struct sk_buff *skb = *pskb; 3427 struct inode_security_struct *isec; 3428 struct avc_audit_data ad; 3429 struct net_device *dev = (struct net_device *)out; 3430 3431 sk = skb->sk; 3432 if (!sk) 3433 goto out; 3434 3435 sock = sk->sk_socket; 3436 if (!sock) 3437 goto out; 3438 3439 inode = SOCK_INODE(sock); 3440 if (!inode) 3441 goto out; 3442 3443 err = sel_netif_sids(dev, &if_sid, NULL); 3444 if (err) 3445 goto out; 3446 3447 isec = inode->i_security; 3448 3449 switch (isec->sclass) { 3450 case SECCLASS_UDP_SOCKET: 3451 netif_perm = NETIF__UDP_SEND; 3452 node_perm = NODE__UDP_SEND; 3453 send_perm = UDP_SOCKET__SEND_MSG; 3454 break; 3455 3456 case SECCLASS_TCP_SOCKET: 3457 netif_perm = NETIF__TCP_SEND; 3458 node_perm = NODE__TCP_SEND; 3459 send_perm = TCP_SOCKET__SEND_MSG; 3460 break; 3461 3462 default: 3463 netif_perm = NETIF__RAWIP_SEND; 3464 node_perm = NODE__RAWIP_SEND; 3465 break; 3466 } 3467 3468 3469 AVC_AUDIT_DATA_INIT(&ad, NET); 3470 ad.u.net.netif = dev->name; 3471 ad.u.net.family = family; 3472 3473 err = selinux_parse_skb(skb, &ad, &addrp, 3474 &len, 0) ? NF_DROP : NF_ACCEPT; 3475 if (err != NF_ACCEPT) 3476 goto out; 3477 3478 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, 3479 netif_perm, &ad) ? NF_DROP : NF_ACCEPT; 3480 if (err != NF_ACCEPT) 3481 goto out; 3482 3483 /* Fixme: this lookup is inefficient */ 3484 err = security_node_sid(family, addrp, len, 3485 &node_sid) ? NF_DROP : NF_ACCEPT; 3486 if (err != NF_ACCEPT) 3487 goto out; 3488 3489 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, 3490 node_perm, &ad) ? NF_DROP : NF_ACCEPT; 3491 if (err != NF_ACCEPT) 3492 goto out; 3493 3494 if (send_perm) { 3495 u32 port_sid; 3496 3497 /* Fixme: make this more efficient */ 3498 err = security_port_sid(sk->sk_family, 3499 sk->sk_type, 3500 sk->sk_protocol, 3501 ntohs(ad.u.net.dport), 3502 &port_sid) ? NF_DROP : NF_ACCEPT; 3503 if (err != NF_ACCEPT) 3504 goto out; 3505 3506 err = avc_has_perm(isec->sid, port_sid, isec->sclass, 3507 send_perm, &ad) ? NF_DROP : NF_ACCEPT; 3508 } 3509 3510 out: 3511 return err; 3512 } 3513 3514 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum, 3515 struct sk_buff **pskb, 3516 const struct net_device *in, 3517 const struct net_device *out, 3518 int (*okfn)(struct sk_buff *)) 3519 { 3520 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET); 3521 } 3522 3523 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3524 3525 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum, 3526 struct sk_buff **pskb, 3527 const struct net_device *in, 3528 const struct net_device *out, 3529 int (*okfn)(struct sk_buff *)) 3530 { 3531 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6); 3532 } 3533 3534 #endif /* IPV6 */ 3535 3536 #endif /* CONFIG_NETFILTER */ 3537 3538 #else 3539 3540 static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 3541 { 3542 return 0; 3543 } 3544 3545 #endif /* CONFIG_SECURITY_NETWORK */ 3546 3547 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 3548 { 3549 struct task_security_struct *tsec; 3550 struct av_decision avd; 3551 int err; 3552 3553 err = secondary_ops->netlink_send(sk, skb); 3554 if (err) 3555 return err; 3556 3557 tsec = current->security; 3558 3559 avd.allowed = 0; 3560 avc_has_perm_noaudit(tsec->sid, tsec->sid, 3561 SECCLASS_CAPABILITY, ~0, &avd); 3562 cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed); 3563 3564 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS) 3565 err = selinux_nlmsg_perm(sk, skb); 3566 3567 return err; 3568 } 3569 3570 static int selinux_netlink_recv(struct sk_buff *skb) 3571 { 3572 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) 3573 return -EPERM; 3574 return 0; 3575 } 3576 3577 static int ipc_alloc_security(struct task_struct *task, 3578 struct kern_ipc_perm *perm, 3579 u16 sclass) 3580 { 3581 struct task_security_struct *tsec = task->security; 3582 struct ipc_security_struct *isec; 3583 3584 isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 3585 if (!isec) 3586 return -ENOMEM; 3587 3588 memset(isec, 0, sizeof(struct ipc_security_struct)); 3589 isec->magic = SELINUX_MAGIC; 3590 isec->sclass = sclass; 3591 isec->ipc_perm = perm; 3592 if (tsec) { 3593 isec->sid = tsec->sid; 3594 } else { 3595 isec->sid = SECINITSID_UNLABELED; 3596 } 3597 perm->security = isec; 3598 3599 return 0; 3600 } 3601 3602 static void ipc_free_security(struct kern_ipc_perm *perm) 3603 { 3604 struct ipc_security_struct *isec = perm->security; 3605 if (!isec || isec->magic != SELINUX_MAGIC) 3606 return; 3607 3608 perm->security = NULL; 3609 kfree(isec); 3610 } 3611 3612 static int msg_msg_alloc_security(struct msg_msg *msg) 3613 { 3614 struct msg_security_struct *msec; 3615 3616 msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 3617 if (!msec) 3618 return -ENOMEM; 3619 3620 memset(msec, 0, sizeof(struct msg_security_struct)); 3621 msec->magic = SELINUX_MAGIC; 3622 msec->msg = msg; 3623 msec->sid = SECINITSID_UNLABELED; 3624 msg->security = msec; 3625 3626 return 0; 3627 } 3628 3629 static void msg_msg_free_security(struct msg_msg *msg) 3630 { 3631 struct msg_security_struct *msec = msg->security; 3632 if (!msec || msec->magic != SELINUX_MAGIC) 3633 return; 3634 3635 msg->security = NULL; 3636 kfree(msec); 3637 } 3638 3639 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 3640 u32 perms) 3641 { 3642 struct task_security_struct *tsec; 3643 struct ipc_security_struct *isec; 3644 struct avc_audit_data ad; 3645 3646 tsec = current->security; 3647 isec = ipc_perms->security; 3648 3649 AVC_AUDIT_DATA_INIT(&ad, IPC); 3650 ad.u.ipc_id = ipc_perms->key; 3651 3652 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 3653 } 3654 3655 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 3656 { 3657 return msg_msg_alloc_security(msg); 3658 } 3659 3660 static void selinux_msg_msg_free_security(struct msg_msg *msg) 3661 { 3662 msg_msg_free_security(msg); 3663 } 3664 3665 /* message queue security operations */ 3666 static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 3667 { 3668 struct task_security_struct *tsec; 3669 struct ipc_security_struct *isec; 3670 struct avc_audit_data ad; 3671 int rc; 3672 3673 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ); 3674 if (rc) 3675 return rc; 3676 3677 tsec = current->security; 3678 isec = msq->q_perm.security; 3679 3680 AVC_AUDIT_DATA_INIT(&ad, IPC); 3681 ad.u.ipc_id = msq->q_perm.key; 3682 3683 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 3684 MSGQ__CREATE, &ad); 3685 if (rc) { 3686 ipc_free_security(&msq->q_perm); 3687 return rc; 3688 } 3689 return 0; 3690 } 3691 3692 static void selinux_msg_queue_free_security(struct msg_queue *msq) 3693 { 3694 ipc_free_security(&msq->q_perm); 3695 } 3696 3697 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 3698 { 3699 struct task_security_struct *tsec; 3700 struct ipc_security_struct *isec; 3701 struct avc_audit_data ad; 3702 3703 tsec = current->security; 3704 isec = msq->q_perm.security; 3705 3706 AVC_AUDIT_DATA_INIT(&ad, IPC); 3707 ad.u.ipc_id = msq->q_perm.key; 3708 3709 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 3710 MSGQ__ASSOCIATE, &ad); 3711 } 3712 3713 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 3714 { 3715 int err; 3716 int perms; 3717 3718 switch(cmd) { 3719 case IPC_INFO: 3720 case MSG_INFO: 3721 /* No specific object, just general system-wide information. */ 3722 return task_has_system(current, SYSTEM__IPC_INFO); 3723 case IPC_STAT: 3724 case MSG_STAT: 3725 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 3726 break; 3727 case IPC_SET: 3728 perms = MSGQ__SETATTR; 3729 break; 3730 case IPC_RMID: 3731 perms = MSGQ__DESTROY; 3732 break; 3733 default: 3734 return 0; 3735 } 3736 3737 err = ipc_has_perm(&msq->q_perm, perms); 3738 return err; 3739 } 3740 3741 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 3742 { 3743 struct task_security_struct *tsec; 3744 struct ipc_security_struct *isec; 3745 struct msg_security_struct *msec; 3746 struct avc_audit_data ad; 3747 int rc; 3748 3749 tsec = current->security; 3750 isec = msq->q_perm.security; 3751 msec = msg->security; 3752 3753 /* 3754 * First time through, need to assign label to the message 3755 */ 3756 if (msec->sid == SECINITSID_UNLABELED) { 3757 /* 3758 * Compute new sid based on current process and 3759 * message queue this message will be stored in 3760 */ 3761 rc = security_transition_sid(tsec->sid, 3762 isec->sid, 3763 SECCLASS_MSG, 3764 &msec->sid); 3765 if (rc) 3766 return rc; 3767 } 3768 3769 AVC_AUDIT_DATA_INIT(&ad, IPC); 3770 ad.u.ipc_id = msq->q_perm.key; 3771 3772 /* Can this process write to the queue? */ 3773 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 3774 MSGQ__WRITE, &ad); 3775 if (!rc) 3776 /* Can this process send the message */ 3777 rc = avc_has_perm(tsec->sid, msec->sid, 3778 SECCLASS_MSG, MSG__SEND, &ad); 3779 if (!rc) 3780 /* Can the message be put in the queue? */ 3781 rc = avc_has_perm(msec->sid, isec->sid, 3782 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad); 3783 3784 return rc; 3785 } 3786 3787 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 3788 struct task_struct *target, 3789 long type, int mode) 3790 { 3791 struct task_security_struct *tsec; 3792 struct ipc_security_struct *isec; 3793 struct msg_security_struct *msec; 3794 struct avc_audit_data ad; 3795 int rc; 3796 3797 tsec = target->security; 3798 isec = msq->q_perm.security; 3799 msec = msg->security; 3800 3801 AVC_AUDIT_DATA_INIT(&ad, IPC); 3802 ad.u.ipc_id = msq->q_perm.key; 3803 3804 rc = avc_has_perm(tsec->sid, isec->sid, 3805 SECCLASS_MSGQ, MSGQ__READ, &ad); 3806 if (!rc) 3807 rc = avc_has_perm(tsec->sid, msec->sid, 3808 SECCLASS_MSG, MSG__RECEIVE, &ad); 3809 return rc; 3810 } 3811 3812 /* Shared Memory security operations */ 3813 static int selinux_shm_alloc_security(struct shmid_kernel *shp) 3814 { 3815 struct task_security_struct *tsec; 3816 struct ipc_security_struct *isec; 3817 struct avc_audit_data ad; 3818 int rc; 3819 3820 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM); 3821 if (rc) 3822 return rc; 3823 3824 tsec = current->security; 3825 isec = shp->shm_perm.security; 3826 3827 AVC_AUDIT_DATA_INIT(&ad, IPC); 3828 ad.u.ipc_id = shp->shm_perm.key; 3829 3830 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 3831 SHM__CREATE, &ad); 3832 if (rc) { 3833 ipc_free_security(&shp->shm_perm); 3834 return rc; 3835 } 3836 return 0; 3837 } 3838 3839 static void selinux_shm_free_security(struct shmid_kernel *shp) 3840 { 3841 ipc_free_security(&shp->shm_perm); 3842 } 3843 3844 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 3845 { 3846 struct task_security_struct *tsec; 3847 struct ipc_security_struct *isec; 3848 struct avc_audit_data ad; 3849 3850 tsec = current->security; 3851 isec = shp->shm_perm.security; 3852 3853 AVC_AUDIT_DATA_INIT(&ad, IPC); 3854 ad.u.ipc_id = shp->shm_perm.key; 3855 3856 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 3857 SHM__ASSOCIATE, &ad); 3858 } 3859 3860 /* Note, at this point, shp is locked down */ 3861 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 3862 { 3863 int perms; 3864 int err; 3865 3866 switch(cmd) { 3867 case IPC_INFO: 3868 case SHM_INFO: 3869 /* No specific object, just general system-wide information. */ 3870 return task_has_system(current, SYSTEM__IPC_INFO); 3871 case IPC_STAT: 3872 case SHM_STAT: 3873 perms = SHM__GETATTR | SHM__ASSOCIATE; 3874 break; 3875 case IPC_SET: 3876 perms = SHM__SETATTR; 3877 break; 3878 case SHM_LOCK: 3879 case SHM_UNLOCK: 3880 perms = SHM__LOCK; 3881 break; 3882 case IPC_RMID: 3883 perms = SHM__DESTROY; 3884 break; 3885 default: 3886 return 0; 3887 } 3888 3889 err = ipc_has_perm(&shp->shm_perm, perms); 3890 return err; 3891 } 3892 3893 static int selinux_shm_shmat(struct shmid_kernel *shp, 3894 char __user *shmaddr, int shmflg) 3895 { 3896 u32 perms; 3897 int rc; 3898 3899 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg); 3900 if (rc) 3901 return rc; 3902 3903 if (shmflg & SHM_RDONLY) 3904 perms = SHM__READ; 3905 else 3906 perms = SHM__READ | SHM__WRITE; 3907 3908 return ipc_has_perm(&shp->shm_perm, perms); 3909 } 3910 3911 /* Semaphore security operations */ 3912 static int selinux_sem_alloc_security(struct sem_array *sma) 3913 { 3914 struct task_security_struct *tsec; 3915 struct ipc_security_struct *isec; 3916 struct avc_audit_data ad; 3917 int rc; 3918 3919 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM); 3920 if (rc) 3921 return rc; 3922 3923 tsec = current->security; 3924 isec = sma->sem_perm.security; 3925 3926 AVC_AUDIT_DATA_INIT(&ad, IPC); 3927 ad.u.ipc_id = sma->sem_perm.key; 3928 3929 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 3930 SEM__CREATE, &ad); 3931 if (rc) { 3932 ipc_free_security(&sma->sem_perm); 3933 return rc; 3934 } 3935 return 0; 3936 } 3937 3938 static void selinux_sem_free_security(struct sem_array *sma) 3939 { 3940 ipc_free_security(&sma->sem_perm); 3941 } 3942 3943 static int selinux_sem_associate(struct sem_array *sma, int semflg) 3944 { 3945 struct task_security_struct *tsec; 3946 struct ipc_security_struct *isec; 3947 struct avc_audit_data ad; 3948 3949 tsec = current->security; 3950 isec = sma->sem_perm.security; 3951 3952 AVC_AUDIT_DATA_INIT(&ad, IPC); 3953 ad.u.ipc_id = sma->sem_perm.key; 3954 3955 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 3956 SEM__ASSOCIATE, &ad); 3957 } 3958 3959 /* Note, at this point, sma is locked down */ 3960 static int selinux_sem_semctl(struct sem_array *sma, int cmd) 3961 { 3962 int err; 3963 u32 perms; 3964 3965 switch(cmd) { 3966 case IPC_INFO: 3967 case SEM_INFO: 3968 /* No specific object, just general system-wide information. */ 3969 return task_has_system(current, SYSTEM__IPC_INFO); 3970 case GETPID: 3971 case GETNCNT: 3972 case GETZCNT: 3973 perms = SEM__GETATTR; 3974 break; 3975 case GETVAL: 3976 case GETALL: 3977 perms = SEM__READ; 3978 break; 3979 case SETVAL: 3980 case SETALL: 3981 perms = SEM__WRITE; 3982 break; 3983 case IPC_RMID: 3984 perms = SEM__DESTROY; 3985 break; 3986 case IPC_SET: 3987 perms = SEM__SETATTR; 3988 break; 3989 case IPC_STAT: 3990 case SEM_STAT: 3991 perms = SEM__GETATTR | SEM__ASSOCIATE; 3992 break; 3993 default: 3994 return 0; 3995 } 3996 3997 err = ipc_has_perm(&sma->sem_perm, perms); 3998 return err; 3999 } 4000 4001 static int selinux_sem_semop(struct sem_array *sma, 4002 struct sembuf *sops, unsigned nsops, int alter) 4003 { 4004 u32 perms; 4005 4006 if (alter) 4007 perms = SEM__READ | SEM__WRITE; 4008 else 4009 perms = SEM__READ; 4010 4011 return ipc_has_perm(&sma->sem_perm, perms); 4012 } 4013 4014 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 4015 { 4016 u32 av = 0; 4017 4018 av = 0; 4019 if (flag & S_IRUGO) 4020 av |= IPC__UNIX_READ; 4021 if (flag & S_IWUGO) 4022 av |= IPC__UNIX_WRITE; 4023 4024 if (av == 0) 4025 return 0; 4026 4027 return ipc_has_perm(ipcp, av); 4028 } 4029 4030 /* module stacking operations */ 4031 static int selinux_register_security (const char *name, struct security_operations *ops) 4032 { 4033 if (secondary_ops != original_ops) { 4034 printk(KERN_INFO "%s: There is already a secondary security " 4035 "module registered.\n", __FUNCTION__); 4036 return -EINVAL; 4037 } 4038 4039 secondary_ops = ops; 4040 4041 printk(KERN_INFO "%s: Registering secondary module %s\n", 4042 __FUNCTION__, 4043 name); 4044 4045 return 0; 4046 } 4047 4048 static int selinux_unregister_security (const char *name, struct security_operations *ops) 4049 { 4050 if (ops != secondary_ops) { 4051 printk (KERN_INFO "%s: trying to unregister a security module " 4052 "that is not registered.\n", __FUNCTION__); 4053 return -EINVAL; 4054 } 4055 4056 secondary_ops = original_ops; 4057 4058 return 0; 4059 } 4060 4061 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode) 4062 { 4063 if (inode) 4064 inode_doinit_with_dentry(inode, dentry); 4065 } 4066 4067 static int selinux_getprocattr(struct task_struct *p, 4068 char *name, void *value, size_t size) 4069 { 4070 struct task_security_struct *tsec; 4071 u32 sid, len; 4072 char *context; 4073 int error; 4074 4075 if (current != p) { 4076 error = task_has_perm(current, p, PROCESS__GETATTR); 4077 if (error) 4078 return error; 4079 } 4080 4081 if (!size) 4082 return -ERANGE; 4083 4084 tsec = p->security; 4085 4086 if (!strcmp(name, "current")) 4087 sid = tsec->sid; 4088 else if (!strcmp(name, "prev")) 4089 sid = tsec->osid; 4090 else if (!strcmp(name, "exec")) 4091 sid = tsec->exec_sid; 4092 else if (!strcmp(name, "fscreate")) 4093 sid = tsec->create_sid; 4094 else 4095 return -EINVAL; 4096 4097 if (!sid) 4098 return 0; 4099 4100 error = security_sid_to_context(sid, &context, &len); 4101 if (error) 4102 return error; 4103 if (len > size) { 4104 kfree(context); 4105 return -ERANGE; 4106 } 4107 memcpy(value, context, len); 4108 kfree(context); 4109 return len; 4110 } 4111 4112 static int selinux_setprocattr(struct task_struct *p, 4113 char *name, void *value, size_t size) 4114 { 4115 struct task_security_struct *tsec; 4116 u32 sid = 0; 4117 int error; 4118 char *str = value; 4119 4120 if (current != p) { 4121 /* SELinux only allows a process to change its own 4122 security attributes. */ 4123 return -EACCES; 4124 } 4125 4126 /* 4127 * Basic control over ability to set these attributes at all. 4128 * current == p, but we'll pass them separately in case the 4129 * above restriction is ever removed. 4130 */ 4131 if (!strcmp(name, "exec")) 4132 error = task_has_perm(current, p, PROCESS__SETEXEC); 4133 else if (!strcmp(name, "fscreate")) 4134 error = task_has_perm(current, p, PROCESS__SETFSCREATE); 4135 else if (!strcmp(name, "current")) 4136 error = task_has_perm(current, p, PROCESS__SETCURRENT); 4137 else 4138 error = -EINVAL; 4139 if (error) 4140 return error; 4141 4142 /* Obtain a SID for the context, if one was specified. */ 4143 if (size && str[1] && str[1] != '\n') { 4144 if (str[size-1] == '\n') { 4145 str[size-1] = 0; 4146 size--; 4147 } 4148 error = security_context_to_sid(value, size, &sid); 4149 if (error) 4150 return error; 4151 } 4152 4153 /* Permission checking based on the specified context is 4154 performed during the actual operation (execve, 4155 open/mkdir/...), when we know the full context of the 4156 operation. See selinux_bprm_set_security for the execve 4157 checks and may_create for the file creation checks. The 4158 operation will then fail if the context is not permitted. */ 4159 tsec = p->security; 4160 if (!strcmp(name, "exec")) 4161 tsec->exec_sid = sid; 4162 else if (!strcmp(name, "fscreate")) 4163 tsec->create_sid = sid; 4164 else if (!strcmp(name, "current")) { 4165 struct av_decision avd; 4166 4167 if (sid == 0) 4168 return -EINVAL; 4169 4170 /* Only allow single threaded processes to change context */ 4171 if (atomic_read(&p->mm->mm_users) != 1) { 4172 struct task_struct *g, *t; 4173 struct mm_struct *mm = p->mm; 4174 read_lock(&tasklist_lock); 4175 do_each_thread(g, t) 4176 if (t->mm == mm && t != p) { 4177 read_unlock(&tasklist_lock); 4178 return -EPERM; 4179 } 4180 while_each_thread(g, t); 4181 read_unlock(&tasklist_lock); 4182 } 4183 4184 /* Check permissions for the transition. */ 4185 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 4186 PROCESS__DYNTRANSITION, NULL); 4187 if (error) 4188 return error; 4189 4190 /* Check for ptracing, and update the task SID if ok. 4191 Otherwise, leave SID unchanged and fail. */ 4192 task_lock(p); 4193 if (p->ptrace & PT_PTRACED) { 4194 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid, 4195 SECCLASS_PROCESS, 4196 PROCESS__PTRACE, &avd); 4197 if (!error) 4198 tsec->sid = sid; 4199 task_unlock(p); 4200 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS, 4201 PROCESS__PTRACE, &avd, error, NULL); 4202 if (error) 4203 return error; 4204 } else { 4205 tsec->sid = sid; 4206 task_unlock(p); 4207 } 4208 } 4209 else 4210 return -EINVAL; 4211 4212 return size; 4213 } 4214 4215 static struct security_operations selinux_ops = { 4216 .ptrace = selinux_ptrace, 4217 .capget = selinux_capget, 4218 .capset_check = selinux_capset_check, 4219 .capset_set = selinux_capset_set, 4220 .sysctl = selinux_sysctl, 4221 .capable = selinux_capable, 4222 .quotactl = selinux_quotactl, 4223 .quota_on = selinux_quota_on, 4224 .syslog = selinux_syslog, 4225 .vm_enough_memory = selinux_vm_enough_memory, 4226 4227 .netlink_send = selinux_netlink_send, 4228 .netlink_recv = selinux_netlink_recv, 4229 4230 .bprm_alloc_security = selinux_bprm_alloc_security, 4231 .bprm_free_security = selinux_bprm_free_security, 4232 .bprm_apply_creds = selinux_bprm_apply_creds, 4233 .bprm_post_apply_creds = selinux_bprm_post_apply_creds, 4234 .bprm_set_security = selinux_bprm_set_security, 4235 .bprm_check_security = selinux_bprm_check_security, 4236 .bprm_secureexec = selinux_bprm_secureexec, 4237 4238 .sb_alloc_security = selinux_sb_alloc_security, 4239 .sb_free_security = selinux_sb_free_security, 4240 .sb_copy_data = selinux_sb_copy_data, 4241 .sb_kern_mount = selinux_sb_kern_mount, 4242 .sb_statfs = selinux_sb_statfs, 4243 .sb_mount = selinux_mount, 4244 .sb_umount = selinux_umount, 4245 4246 .inode_alloc_security = selinux_inode_alloc_security, 4247 .inode_free_security = selinux_inode_free_security, 4248 .inode_init_security = selinux_inode_init_security, 4249 .inode_create = selinux_inode_create, 4250 .inode_link = selinux_inode_link, 4251 .inode_unlink = selinux_inode_unlink, 4252 .inode_symlink = selinux_inode_symlink, 4253 .inode_mkdir = selinux_inode_mkdir, 4254 .inode_rmdir = selinux_inode_rmdir, 4255 .inode_mknod = selinux_inode_mknod, 4256 .inode_rename = selinux_inode_rename, 4257 .inode_readlink = selinux_inode_readlink, 4258 .inode_follow_link = selinux_inode_follow_link, 4259 .inode_permission = selinux_inode_permission, 4260 .inode_setattr = selinux_inode_setattr, 4261 .inode_getattr = selinux_inode_getattr, 4262 .inode_setxattr = selinux_inode_setxattr, 4263 .inode_post_setxattr = selinux_inode_post_setxattr, 4264 .inode_getxattr = selinux_inode_getxattr, 4265 .inode_listxattr = selinux_inode_listxattr, 4266 .inode_removexattr = selinux_inode_removexattr, 4267 .inode_getsecurity = selinux_inode_getsecurity, 4268 .inode_setsecurity = selinux_inode_setsecurity, 4269 .inode_listsecurity = selinux_inode_listsecurity, 4270 4271 .file_permission = selinux_file_permission, 4272 .file_alloc_security = selinux_file_alloc_security, 4273 .file_free_security = selinux_file_free_security, 4274 .file_ioctl = selinux_file_ioctl, 4275 .file_mmap = selinux_file_mmap, 4276 .file_mprotect = selinux_file_mprotect, 4277 .file_lock = selinux_file_lock, 4278 .file_fcntl = selinux_file_fcntl, 4279 .file_set_fowner = selinux_file_set_fowner, 4280 .file_send_sigiotask = selinux_file_send_sigiotask, 4281 .file_receive = selinux_file_receive, 4282 4283 .task_create = selinux_task_create, 4284 .task_alloc_security = selinux_task_alloc_security, 4285 .task_free_security = selinux_task_free_security, 4286 .task_setuid = selinux_task_setuid, 4287 .task_post_setuid = selinux_task_post_setuid, 4288 .task_setgid = selinux_task_setgid, 4289 .task_setpgid = selinux_task_setpgid, 4290 .task_getpgid = selinux_task_getpgid, 4291 .task_getsid = selinux_task_getsid, 4292 .task_setgroups = selinux_task_setgroups, 4293 .task_setnice = selinux_task_setnice, 4294 .task_setrlimit = selinux_task_setrlimit, 4295 .task_setscheduler = selinux_task_setscheduler, 4296 .task_getscheduler = selinux_task_getscheduler, 4297 .task_kill = selinux_task_kill, 4298 .task_wait = selinux_task_wait, 4299 .task_prctl = selinux_task_prctl, 4300 .task_reparent_to_init = selinux_task_reparent_to_init, 4301 .task_to_inode = selinux_task_to_inode, 4302 4303 .ipc_permission = selinux_ipc_permission, 4304 4305 .msg_msg_alloc_security = selinux_msg_msg_alloc_security, 4306 .msg_msg_free_security = selinux_msg_msg_free_security, 4307 4308 .msg_queue_alloc_security = selinux_msg_queue_alloc_security, 4309 .msg_queue_free_security = selinux_msg_queue_free_security, 4310 .msg_queue_associate = selinux_msg_queue_associate, 4311 .msg_queue_msgctl = selinux_msg_queue_msgctl, 4312 .msg_queue_msgsnd = selinux_msg_queue_msgsnd, 4313 .msg_queue_msgrcv = selinux_msg_queue_msgrcv, 4314 4315 .shm_alloc_security = selinux_shm_alloc_security, 4316 .shm_free_security = selinux_shm_free_security, 4317 .shm_associate = selinux_shm_associate, 4318 .shm_shmctl = selinux_shm_shmctl, 4319 .shm_shmat = selinux_shm_shmat, 4320 4321 .sem_alloc_security = selinux_sem_alloc_security, 4322 .sem_free_security = selinux_sem_free_security, 4323 .sem_associate = selinux_sem_associate, 4324 .sem_semctl = selinux_sem_semctl, 4325 .sem_semop = selinux_sem_semop, 4326 4327 .register_security = selinux_register_security, 4328 .unregister_security = selinux_unregister_security, 4329 4330 .d_instantiate = selinux_d_instantiate, 4331 4332 .getprocattr = selinux_getprocattr, 4333 .setprocattr = selinux_setprocattr, 4334 4335 #ifdef CONFIG_SECURITY_NETWORK 4336 .unix_stream_connect = selinux_socket_unix_stream_connect, 4337 .unix_may_send = selinux_socket_unix_may_send, 4338 4339 .socket_create = selinux_socket_create, 4340 .socket_post_create = selinux_socket_post_create, 4341 .socket_bind = selinux_socket_bind, 4342 .socket_connect = selinux_socket_connect, 4343 .socket_listen = selinux_socket_listen, 4344 .socket_accept = selinux_socket_accept, 4345 .socket_sendmsg = selinux_socket_sendmsg, 4346 .socket_recvmsg = selinux_socket_recvmsg, 4347 .socket_getsockname = selinux_socket_getsockname, 4348 .socket_getpeername = selinux_socket_getpeername, 4349 .socket_getsockopt = selinux_socket_getsockopt, 4350 .socket_setsockopt = selinux_socket_setsockopt, 4351 .socket_shutdown = selinux_socket_shutdown, 4352 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb, 4353 .socket_getpeersec = selinux_socket_getpeersec, 4354 .sk_alloc_security = selinux_sk_alloc_security, 4355 .sk_free_security = selinux_sk_free_security, 4356 #endif 4357 }; 4358 4359 static __init int selinux_init(void) 4360 { 4361 struct task_security_struct *tsec; 4362 4363 if (!selinux_enabled) { 4364 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 4365 return 0; 4366 } 4367 4368 printk(KERN_INFO "SELinux: Initializing.\n"); 4369 4370 /* Set the security state for the initial task. */ 4371 if (task_alloc_security(current)) 4372 panic("SELinux: Failed to initialize initial task.\n"); 4373 tsec = current->security; 4374 tsec->osid = tsec->sid = SECINITSID_KERNEL; 4375 4376 avc_init(); 4377 4378 original_ops = secondary_ops = security_ops; 4379 if (!secondary_ops) 4380 panic ("SELinux: No initial security operations\n"); 4381 if (register_security (&selinux_ops)) 4382 panic("SELinux: Unable to register with kernel.\n"); 4383 4384 if (selinux_enforcing) { 4385 printk(KERN_INFO "SELinux: Starting in enforcing mode\n"); 4386 } else { 4387 printk(KERN_INFO "SELinux: Starting in permissive mode\n"); 4388 } 4389 return 0; 4390 } 4391 4392 void selinux_complete_init(void) 4393 { 4394 printk(KERN_INFO "SELinux: Completing initialization.\n"); 4395 4396 /* Set up any superblocks initialized prior to the policy load. */ 4397 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n"); 4398 spin_lock(&sb_security_lock); 4399 next_sb: 4400 if (!list_empty(&superblock_security_head)) { 4401 struct superblock_security_struct *sbsec = 4402 list_entry(superblock_security_head.next, 4403 struct superblock_security_struct, 4404 list); 4405 struct super_block *sb = sbsec->sb; 4406 spin_lock(&sb_lock); 4407 sb->s_count++; 4408 spin_unlock(&sb_lock); 4409 spin_unlock(&sb_security_lock); 4410 down_read(&sb->s_umount); 4411 if (sb->s_root) 4412 superblock_doinit(sb, NULL); 4413 drop_super(sb); 4414 spin_lock(&sb_security_lock); 4415 list_del_init(&sbsec->list); 4416 goto next_sb; 4417 } 4418 spin_unlock(&sb_security_lock); 4419 } 4420 4421 /* SELinux requires early initialization in order to label 4422 all processes and objects when they are created. */ 4423 security_initcall(selinux_init); 4424 4425 #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER) 4426 4427 static struct nf_hook_ops selinux_ipv4_op = { 4428 .hook = selinux_ipv4_postroute_last, 4429 .owner = THIS_MODULE, 4430 .pf = PF_INET, 4431 .hooknum = NF_IP_POST_ROUTING, 4432 .priority = NF_IP_PRI_SELINUX_LAST, 4433 }; 4434 4435 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4436 4437 static struct nf_hook_ops selinux_ipv6_op = { 4438 .hook = selinux_ipv6_postroute_last, 4439 .owner = THIS_MODULE, 4440 .pf = PF_INET6, 4441 .hooknum = NF_IP6_POST_ROUTING, 4442 .priority = NF_IP6_PRI_SELINUX_LAST, 4443 }; 4444 4445 #endif /* IPV6 */ 4446 4447 static int __init selinux_nf_ip_init(void) 4448 { 4449 int err = 0; 4450 4451 if (!selinux_enabled) 4452 goto out; 4453 4454 printk(KERN_INFO "SELinux: Registering netfilter hooks\n"); 4455 4456 err = nf_register_hook(&selinux_ipv4_op); 4457 if (err) 4458 panic("SELinux: nf_register_hook for IPv4: error %d\n", err); 4459 4460 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4461 4462 err = nf_register_hook(&selinux_ipv6_op); 4463 if (err) 4464 panic("SELinux: nf_register_hook for IPv6: error %d\n", err); 4465 4466 #endif /* IPV6 */ 4467 out: 4468 return err; 4469 } 4470 4471 __initcall(selinux_nf_ip_init); 4472 4473 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 4474 static void selinux_nf_ip_exit(void) 4475 { 4476 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n"); 4477 4478 nf_unregister_hook(&selinux_ipv4_op); 4479 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4480 nf_unregister_hook(&selinux_ipv6_op); 4481 #endif /* IPV6 */ 4482 } 4483 #endif 4484 4485 #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */ 4486 4487 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 4488 #define selinux_nf_ip_exit() 4489 #endif 4490 4491 #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */ 4492 4493 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 4494 int selinux_disable(void) 4495 { 4496 extern void exit_sel_fs(void); 4497 static int selinux_disabled = 0; 4498 4499 if (ss_initialized) { 4500 /* Not permitted after initial policy load. */ 4501 return -EINVAL; 4502 } 4503 4504 if (selinux_disabled) { 4505 /* Only do this once. */ 4506 return -EINVAL; 4507 } 4508 4509 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 4510 4511 selinux_disabled = 1; 4512 4513 /* Reset security_ops to the secondary module, dummy or capability. */ 4514 security_ops = secondary_ops; 4515 4516 /* Unregister netfilter hooks. */ 4517 selinux_nf_ip_exit(); 4518 4519 /* Unregister selinuxfs. */ 4520 exit_sel_fs(); 4521 4522 return 0; 4523 } 4524 #endif 4525 4526 4527