1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 14 * <dgoeddel@trustedcs.com> 15 * 16 * This program is free software; you can redistribute it and/or modify 17 * it under the terms of the GNU General Public License version 2, 18 * as published by the Free Software Foundation. 19 */ 20 21 #include <linux/config.h> 22 #include <linux/module.h> 23 #include <linux/init.h> 24 #include <linux/kernel.h> 25 #include <linux/ptrace.h> 26 #include <linux/errno.h> 27 #include <linux/sched.h> 28 #include <linux/security.h> 29 #include <linux/xattr.h> 30 #include <linux/capability.h> 31 #include <linux/unistd.h> 32 #include <linux/mm.h> 33 #include <linux/mman.h> 34 #include <linux/slab.h> 35 #include <linux/pagemap.h> 36 #include <linux/swap.h> 37 #include <linux/smp_lock.h> 38 #include <linux/spinlock.h> 39 #include <linux/syscalls.h> 40 #include <linux/file.h> 41 #include <linux/namei.h> 42 #include <linux/mount.h> 43 #include <linux/ext2_fs.h> 44 #include <linux/proc_fs.h> 45 #include <linux/kd.h> 46 #include <linux/netfilter_ipv4.h> 47 #include <linux/netfilter_ipv6.h> 48 #include <linux/tty.h> 49 #include <net/icmp.h> 50 #include <net/ip.h> /* for sysctl_local_port_range[] */ 51 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 52 #include <asm/uaccess.h> 53 #include <asm/semaphore.h> 54 #include <asm/ioctls.h> 55 #include <linux/bitops.h> 56 #include <linux/interrupt.h> 57 #include <linux/netdevice.h> /* for network interface checks */ 58 #include <linux/netlink.h> 59 #include <linux/tcp.h> 60 #include <linux/udp.h> 61 #include <linux/quota.h> 62 #include <linux/un.h> /* for Unix socket types */ 63 #include <net/af_unix.h> /* for Unix socket types */ 64 #include <linux/parser.h> 65 #include <linux/nfs_mount.h> 66 #include <net/ipv6.h> 67 #include <linux/hugetlb.h> 68 #include <linux/personality.h> 69 #include <linux/sysctl.h> 70 #include <linux/audit.h> 71 #include <linux/string.h> 72 73 #include "avc.h" 74 #include "objsec.h" 75 #include "netif.h" 76 #include "xfrm.h" 77 78 #define XATTR_SELINUX_SUFFIX "selinux" 79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX 80 81 extern unsigned int policydb_loaded_version; 82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); 83 84 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 85 int selinux_enforcing = 0; 86 87 static int __init enforcing_setup(char *str) 88 { 89 selinux_enforcing = simple_strtol(str,NULL,0); 90 return 1; 91 } 92 __setup("enforcing=", enforcing_setup); 93 #endif 94 95 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 96 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 97 98 static int __init selinux_enabled_setup(char *str) 99 { 100 selinux_enabled = simple_strtol(str, NULL, 0); 101 return 1; 102 } 103 __setup("selinux=", selinux_enabled_setup); 104 #endif 105 106 /* Original (dummy) security module. */ 107 static struct security_operations *original_ops = NULL; 108 109 /* Minimal support for a secondary security module, 110 just to allow the use of the dummy or capability modules. 111 The owlsm module can alternatively be used as a secondary 112 module as long as CONFIG_OWLSM_FD is not enabled. */ 113 static struct security_operations *secondary_ops = NULL; 114 115 /* Lists of inode and superblock security structures initialized 116 before the policy was loaded. */ 117 static LIST_HEAD(superblock_security_head); 118 static DEFINE_SPINLOCK(sb_security_lock); 119 120 /* Allocate and free functions for each kind of security blob. */ 121 122 static int task_alloc_security(struct task_struct *task) 123 { 124 struct task_security_struct *tsec; 125 126 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 127 if (!tsec) 128 return -ENOMEM; 129 130 tsec->task = task; 131 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED; 132 task->security = tsec; 133 134 return 0; 135 } 136 137 static void task_free_security(struct task_struct *task) 138 { 139 struct task_security_struct *tsec = task->security; 140 task->security = NULL; 141 kfree(tsec); 142 } 143 144 static int inode_alloc_security(struct inode *inode) 145 { 146 struct task_security_struct *tsec = current->security; 147 struct inode_security_struct *isec; 148 149 isec = kzalloc(sizeof(struct inode_security_struct), GFP_KERNEL); 150 if (!isec) 151 return -ENOMEM; 152 153 init_MUTEX(&isec->sem); 154 INIT_LIST_HEAD(&isec->list); 155 isec->inode = inode; 156 isec->sid = SECINITSID_UNLABELED; 157 isec->sclass = SECCLASS_FILE; 158 isec->task_sid = tsec->sid; 159 inode->i_security = isec; 160 161 return 0; 162 } 163 164 static void inode_free_security(struct inode *inode) 165 { 166 struct inode_security_struct *isec = inode->i_security; 167 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 168 169 spin_lock(&sbsec->isec_lock); 170 if (!list_empty(&isec->list)) 171 list_del_init(&isec->list); 172 spin_unlock(&sbsec->isec_lock); 173 174 inode->i_security = NULL; 175 kfree(isec); 176 } 177 178 static int file_alloc_security(struct file *file) 179 { 180 struct task_security_struct *tsec = current->security; 181 struct file_security_struct *fsec; 182 183 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); 184 if (!fsec) 185 return -ENOMEM; 186 187 fsec->file = file; 188 fsec->sid = tsec->sid; 189 fsec->fown_sid = tsec->sid; 190 file->f_security = fsec; 191 192 return 0; 193 } 194 195 static void file_free_security(struct file *file) 196 { 197 struct file_security_struct *fsec = file->f_security; 198 file->f_security = NULL; 199 kfree(fsec); 200 } 201 202 static int superblock_alloc_security(struct super_block *sb) 203 { 204 struct superblock_security_struct *sbsec; 205 206 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 207 if (!sbsec) 208 return -ENOMEM; 209 210 init_MUTEX(&sbsec->sem); 211 INIT_LIST_HEAD(&sbsec->list); 212 INIT_LIST_HEAD(&sbsec->isec_head); 213 spin_lock_init(&sbsec->isec_lock); 214 sbsec->sb = sb; 215 sbsec->sid = SECINITSID_UNLABELED; 216 sbsec->def_sid = SECINITSID_FILE; 217 sb->s_security = sbsec; 218 219 return 0; 220 } 221 222 static void superblock_free_security(struct super_block *sb) 223 { 224 struct superblock_security_struct *sbsec = sb->s_security; 225 226 spin_lock(&sb_security_lock); 227 if (!list_empty(&sbsec->list)) 228 list_del_init(&sbsec->list); 229 spin_unlock(&sb_security_lock); 230 231 sb->s_security = NULL; 232 kfree(sbsec); 233 } 234 235 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority) 236 { 237 struct sk_security_struct *ssec; 238 239 if (family != PF_UNIX) 240 return 0; 241 242 ssec = kzalloc(sizeof(*ssec), priority); 243 if (!ssec) 244 return -ENOMEM; 245 246 ssec->sk = sk; 247 ssec->peer_sid = SECINITSID_UNLABELED; 248 sk->sk_security = ssec; 249 250 return 0; 251 } 252 253 static void sk_free_security(struct sock *sk) 254 { 255 struct sk_security_struct *ssec = sk->sk_security; 256 257 if (sk->sk_family != PF_UNIX) 258 return; 259 260 sk->sk_security = NULL; 261 kfree(ssec); 262 } 263 264 /* The security server must be initialized before 265 any labeling or access decisions can be provided. */ 266 extern int ss_initialized; 267 268 /* The file system's label must be initialized prior to use. */ 269 270 static char *labeling_behaviors[6] = { 271 "uses xattr", 272 "uses transition SIDs", 273 "uses task SIDs", 274 "uses genfs_contexts", 275 "not configured for labeling", 276 "uses mountpoint labeling", 277 }; 278 279 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 280 281 static inline int inode_doinit(struct inode *inode) 282 { 283 return inode_doinit_with_dentry(inode, NULL); 284 } 285 286 enum { 287 Opt_context = 1, 288 Opt_fscontext = 2, 289 Opt_defcontext = 4, 290 }; 291 292 static match_table_t tokens = { 293 {Opt_context, "context=%s"}, 294 {Opt_fscontext, "fscontext=%s"}, 295 {Opt_defcontext, "defcontext=%s"}, 296 }; 297 298 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 299 300 static int try_context_mount(struct super_block *sb, void *data) 301 { 302 char *context = NULL, *defcontext = NULL; 303 const char *name; 304 u32 sid; 305 int alloc = 0, rc = 0, seen = 0; 306 struct task_security_struct *tsec = current->security; 307 struct superblock_security_struct *sbsec = sb->s_security; 308 309 if (!data) 310 goto out; 311 312 name = sb->s_type->name; 313 314 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) { 315 316 /* NFS we understand. */ 317 if (!strcmp(name, "nfs")) { 318 struct nfs_mount_data *d = data; 319 320 if (d->version < NFS_MOUNT_VERSION) 321 goto out; 322 323 if (d->context[0]) { 324 context = d->context; 325 seen |= Opt_context; 326 } 327 } else 328 goto out; 329 330 } else { 331 /* Standard string-based options. */ 332 char *p, *options = data; 333 334 while ((p = strsep(&options, ",")) != NULL) { 335 int token; 336 substring_t args[MAX_OPT_ARGS]; 337 338 if (!*p) 339 continue; 340 341 token = match_token(p, tokens, args); 342 343 switch (token) { 344 case Opt_context: 345 if (seen) { 346 rc = -EINVAL; 347 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 348 goto out_free; 349 } 350 context = match_strdup(&args[0]); 351 if (!context) { 352 rc = -ENOMEM; 353 goto out_free; 354 } 355 if (!alloc) 356 alloc = 1; 357 seen |= Opt_context; 358 break; 359 360 case Opt_fscontext: 361 if (seen & (Opt_context|Opt_fscontext)) { 362 rc = -EINVAL; 363 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 364 goto out_free; 365 } 366 context = match_strdup(&args[0]); 367 if (!context) { 368 rc = -ENOMEM; 369 goto out_free; 370 } 371 if (!alloc) 372 alloc = 1; 373 seen |= Opt_fscontext; 374 break; 375 376 case Opt_defcontext: 377 if (sbsec->behavior != SECURITY_FS_USE_XATTR) { 378 rc = -EINVAL; 379 printk(KERN_WARNING "SELinux: " 380 "defcontext option is invalid " 381 "for this filesystem type\n"); 382 goto out_free; 383 } 384 if (seen & (Opt_context|Opt_defcontext)) { 385 rc = -EINVAL; 386 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 387 goto out_free; 388 } 389 defcontext = match_strdup(&args[0]); 390 if (!defcontext) { 391 rc = -ENOMEM; 392 goto out_free; 393 } 394 if (!alloc) 395 alloc = 1; 396 seen |= Opt_defcontext; 397 break; 398 399 default: 400 rc = -EINVAL; 401 printk(KERN_WARNING "SELinux: unknown mount " 402 "option\n"); 403 goto out_free; 404 405 } 406 } 407 } 408 409 if (!seen) 410 goto out; 411 412 if (context) { 413 rc = security_context_to_sid(context, strlen(context), &sid); 414 if (rc) { 415 printk(KERN_WARNING "SELinux: security_context_to_sid" 416 "(%s) failed for (dev %s, type %s) errno=%d\n", 417 context, sb->s_id, name, rc); 418 goto out_free; 419 } 420 421 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 422 FILESYSTEM__RELABELFROM, NULL); 423 if (rc) 424 goto out_free; 425 426 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 427 FILESYSTEM__RELABELTO, NULL); 428 if (rc) 429 goto out_free; 430 431 sbsec->sid = sid; 432 433 if (seen & Opt_context) 434 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 435 } 436 437 if (defcontext) { 438 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid); 439 if (rc) { 440 printk(KERN_WARNING "SELinux: security_context_to_sid" 441 "(%s) failed for (dev %s, type %s) errno=%d\n", 442 defcontext, sb->s_id, name, rc); 443 goto out_free; 444 } 445 446 if (sid == sbsec->def_sid) 447 goto out_free; 448 449 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 450 FILESYSTEM__RELABELFROM, NULL); 451 if (rc) 452 goto out_free; 453 454 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 455 FILESYSTEM__ASSOCIATE, NULL); 456 if (rc) 457 goto out_free; 458 459 sbsec->def_sid = sid; 460 } 461 462 out_free: 463 if (alloc) { 464 kfree(context); 465 kfree(defcontext); 466 } 467 out: 468 return rc; 469 } 470 471 static int superblock_doinit(struct super_block *sb, void *data) 472 { 473 struct superblock_security_struct *sbsec = sb->s_security; 474 struct dentry *root = sb->s_root; 475 struct inode *inode = root->d_inode; 476 int rc = 0; 477 478 down(&sbsec->sem); 479 if (sbsec->initialized) 480 goto out; 481 482 if (!ss_initialized) { 483 /* Defer initialization until selinux_complete_init, 484 after the initial policy is loaded and the security 485 server is ready to handle calls. */ 486 spin_lock(&sb_security_lock); 487 if (list_empty(&sbsec->list)) 488 list_add(&sbsec->list, &superblock_security_head); 489 spin_unlock(&sb_security_lock); 490 goto out; 491 } 492 493 /* Determine the labeling behavior to use for this filesystem type. */ 494 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid); 495 if (rc) { 496 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", 497 __FUNCTION__, sb->s_type->name, rc); 498 goto out; 499 } 500 501 rc = try_context_mount(sb, data); 502 if (rc) 503 goto out; 504 505 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 506 /* Make sure that the xattr handler exists and that no 507 error other than -ENODATA is returned by getxattr on 508 the root directory. -ENODATA is ok, as this may be 509 the first boot of the SELinux kernel before we have 510 assigned xattr values to the filesystem. */ 511 if (!inode->i_op->getxattr) { 512 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 513 "xattr support\n", sb->s_id, sb->s_type->name); 514 rc = -EOPNOTSUPP; 515 goto out; 516 } 517 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0); 518 if (rc < 0 && rc != -ENODATA) { 519 if (rc == -EOPNOTSUPP) 520 printk(KERN_WARNING "SELinux: (dev %s, type " 521 "%s) has no security xattr handler\n", 522 sb->s_id, sb->s_type->name); 523 else 524 printk(KERN_WARNING "SELinux: (dev %s, type " 525 "%s) getxattr errno %d\n", sb->s_id, 526 sb->s_type->name, -rc); 527 goto out; 528 } 529 } 530 531 if (strcmp(sb->s_type->name, "proc") == 0) 532 sbsec->proc = 1; 533 534 sbsec->initialized = 1; 535 536 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) { 537 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n", 538 sb->s_id, sb->s_type->name); 539 } 540 else { 541 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n", 542 sb->s_id, sb->s_type->name, 543 labeling_behaviors[sbsec->behavior-1]); 544 } 545 546 /* Initialize the root inode. */ 547 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root); 548 549 /* Initialize any other inodes associated with the superblock, e.g. 550 inodes created prior to initial policy load or inodes created 551 during get_sb by a pseudo filesystem that directly 552 populates itself. */ 553 spin_lock(&sbsec->isec_lock); 554 next_inode: 555 if (!list_empty(&sbsec->isec_head)) { 556 struct inode_security_struct *isec = 557 list_entry(sbsec->isec_head.next, 558 struct inode_security_struct, list); 559 struct inode *inode = isec->inode; 560 spin_unlock(&sbsec->isec_lock); 561 inode = igrab(inode); 562 if (inode) { 563 if (!IS_PRIVATE (inode)) 564 inode_doinit(inode); 565 iput(inode); 566 } 567 spin_lock(&sbsec->isec_lock); 568 list_del_init(&isec->list); 569 goto next_inode; 570 } 571 spin_unlock(&sbsec->isec_lock); 572 out: 573 up(&sbsec->sem); 574 return rc; 575 } 576 577 static inline u16 inode_mode_to_security_class(umode_t mode) 578 { 579 switch (mode & S_IFMT) { 580 case S_IFSOCK: 581 return SECCLASS_SOCK_FILE; 582 case S_IFLNK: 583 return SECCLASS_LNK_FILE; 584 case S_IFREG: 585 return SECCLASS_FILE; 586 case S_IFBLK: 587 return SECCLASS_BLK_FILE; 588 case S_IFDIR: 589 return SECCLASS_DIR; 590 case S_IFCHR: 591 return SECCLASS_CHR_FILE; 592 case S_IFIFO: 593 return SECCLASS_FIFO_FILE; 594 595 } 596 597 return SECCLASS_FILE; 598 } 599 600 static inline int default_protocol_stream(int protocol) 601 { 602 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 603 } 604 605 static inline int default_protocol_dgram(int protocol) 606 { 607 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 608 } 609 610 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 611 { 612 switch (family) { 613 case PF_UNIX: 614 switch (type) { 615 case SOCK_STREAM: 616 case SOCK_SEQPACKET: 617 return SECCLASS_UNIX_STREAM_SOCKET; 618 case SOCK_DGRAM: 619 return SECCLASS_UNIX_DGRAM_SOCKET; 620 } 621 break; 622 case PF_INET: 623 case PF_INET6: 624 switch (type) { 625 case SOCK_STREAM: 626 if (default_protocol_stream(protocol)) 627 return SECCLASS_TCP_SOCKET; 628 else 629 return SECCLASS_RAWIP_SOCKET; 630 case SOCK_DGRAM: 631 if (default_protocol_dgram(protocol)) 632 return SECCLASS_UDP_SOCKET; 633 else 634 return SECCLASS_RAWIP_SOCKET; 635 default: 636 return SECCLASS_RAWIP_SOCKET; 637 } 638 break; 639 case PF_NETLINK: 640 switch (protocol) { 641 case NETLINK_ROUTE: 642 return SECCLASS_NETLINK_ROUTE_SOCKET; 643 case NETLINK_FIREWALL: 644 return SECCLASS_NETLINK_FIREWALL_SOCKET; 645 case NETLINK_INET_DIAG: 646 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 647 case NETLINK_NFLOG: 648 return SECCLASS_NETLINK_NFLOG_SOCKET; 649 case NETLINK_XFRM: 650 return SECCLASS_NETLINK_XFRM_SOCKET; 651 case NETLINK_SELINUX: 652 return SECCLASS_NETLINK_SELINUX_SOCKET; 653 case NETLINK_AUDIT: 654 return SECCLASS_NETLINK_AUDIT_SOCKET; 655 case NETLINK_IP6_FW: 656 return SECCLASS_NETLINK_IP6FW_SOCKET; 657 case NETLINK_DNRTMSG: 658 return SECCLASS_NETLINK_DNRT_SOCKET; 659 case NETLINK_KOBJECT_UEVENT: 660 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 661 default: 662 return SECCLASS_NETLINK_SOCKET; 663 } 664 case PF_PACKET: 665 return SECCLASS_PACKET_SOCKET; 666 case PF_KEY: 667 return SECCLASS_KEY_SOCKET; 668 } 669 670 return SECCLASS_SOCKET; 671 } 672 673 #ifdef CONFIG_PROC_FS 674 static int selinux_proc_get_sid(struct proc_dir_entry *de, 675 u16 tclass, 676 u32 *sid) 677 { 678 int buflen, rc; 679 char *buffer, *path, *end; 680 681 buffer = (char*)__get_free_page(GFP_KERNEL); 682 if (!buffer) 683 return -ENOMEM; 684 685 buflen = PAGE_SIZE; 686 end = buffer+buflen; 687 *--end = '\0'; 688 buflen--; 689 path = end-1; 690 *path = '/'; 691 while (de && de != de->parent) { 692 buflen -= de->namelen + 1; 693 if (buflen < 0) 694 break; 695 end -= de->namelen; 696 memcpy(end, de->name, de->namelen); 697 *--end = '/'; 698 path = end; 699 de = de->parent; 700 } 701 rc = security_genfs_sid("proc", path, tclass, sid); 702 free_page((unsigned long)buffer); 703 return rc; 704 } 705 #else 706 static int selinux_proc_get_sid(struct proc_dir_entry *de, 707 u16 tclass, 708 u32 *sid) 709 { 710 return -EINVAL; 711 } 712 #endif 713 714 /* The inode's security attributes must be initialized before first use. */ 715 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 716 { 717 struct superblock_security_struct *sbsec = NULL; 718 struct inode_security_struct *isec = inode->i_security; 719 u32 sid; 720 struct dentry *dentry; 721 #define INITCONTEXTLEN 255 722 char *context = NULL; 723 unsigned len = 0; 724 int rc = 0; 725 int hold_sem = 0; 726 727 if (isec->initialized) 728 goto out; 729 730 down(&isec->sem); 731 hold_sem = 1; 732 if (isec->initialized) 733 goto out; 734 735 sbsec = inode->i_sb->s_security; 736 if (!sbsec->initialized) { 737 /* Defer initialization until selinux_complete_init, 738 after the initial policy is loaded and the security 739 server is ready to handle calls. */ 740 spin_lock(&sbsec->isec_lock); 741 if (list_empty(&isec->list)) 742 list_add(&isec->list, &sbsec->isec_head); 743 spin_unlock(&sbsec->isec_lock); 744 goto out; 745 } 746 747 switch (sbsec->behavior) { 748 case SECURITY_FS_USE_XATTR: 749 if (!inode->i_op->getxattr) { 750 isec->sid = sbsec->def_sid; 751 break; 752 } 753 754 /* Need a dentry, since the xattr API requires one. 755 Life would be simpler if we could just pass the inode. */ 756 if (opt_dentry) { 757 /* Called from d_instantiate or d_splice_alias. */ 758 dentry = dget(opt_dentry); 759 } else { 760 /* Called from selinux_complete_init, try to find a dentry. */ 761 dentry = d_find_alias(inode); 762 } 763 if (!dentry) { 764 printk(KERN_WARNING "%s: no dentry for dev=%s " 765 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id, 766 inode->i_ino); 767 goto out; 768 } 769 770 len = INITCONTEXTLEN; 771 context = kmalloc(len, GFP_KERNEL); 772 if (!context) { 773 rc = -ENOMEM; 774 dput(dentry); 775 goto out; 776 } 777 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 778 context, len); 779 if (rc == -ERANGE) { 780 /* Need a larger buffer. Query for the right size. */ 781 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 782 NULL, 0); 783 if (rc < 0) { 784 dput(dentry); 785 goto out; 786 } 787 kfree(context); 788 len = rc; 789 context = kmalloc(len, GFP_KERNEL); 790 if (!context) { 791 rc = -ENOMEM; 792 dput(dentry); 793 goto out; 794 } 795 rc = inode->i_op->getxattr(dentry, 796 XATTR_NAME_SELINUX, 797 context, len); 798 } 799 dput(dentry); 800 if (rc < 0) { 801 if (rc != -ENODATA) { 802 printk(KERN_WARNING "%s: getxattr returned " 803 "%d for dev=%s ino=%ld\n", __FUNCTION__, 804 -rc, inode->i_sb->s_id, inode->i_ino); 805 kfree(context); 806 goto out; 807 } 808 /* Map ENODATA to the default file SID */ 809 sid = sbsec->def_sid; 810 rc = 0; 811 } else { 812 rc = security_context_to_sid_default(context, rc, &sid, 813 sbsec->def_sid); 814 if (rc) { 815 printk(KERN_WARNING "%s: context_to_sid(%s) " 816 "returned %d for dev=%s ino=%ld\n", 817 __FUNCTION__, context, -rc, 818 inode->i_sb->s_id, inode->i_ino); 819 kfree(context); 820 /* Leave with the unlabeled SID */ 821 rc = 0; 822 break; 823 } 824 } 825 kfree(context); 826 isec->sid = sid; 827 break; 828 case SECURITY_FS_USE_TASK: 829 isec->sid = isec->task_sid; 830 break; 831 case SECURITY_FS_USE_TRANS: 832 /* Default to the fs SID. */ 833 isec->sid = sbsec->sid; 834 835 /* Try to obtain a transition SID. */ 836 isec->sclass = inode_mode_to_security_class(inode->i_mode); 837 rc = security_transition_sid(isec->task_sid, 838 sbsec->sid, 839 isec->sclass, 840 &sid); 841 if (rc) 842 goto out; 843 isec->sid = sid; 844 break; 845 default: 846 /* Default to the fs SID. */ 847 isec->sid = sbsec->sid; 848 849 if (sbsec->proc) { 850 struct proc_inode *proci = PROC_I(inode); 851 if (proci->pde) { 852 isec->sclass = inode_mode_to_security_class(inode->i_mode); 853 rc = selinux_proc_get_sid(proci->pde, 854 isec->sclass, 855 &sid); 856 if (rc) 857 goto out; 858 isec->sid = sid; 859 } 860 } 861 break; 862 } 863 864 isec->initialized = 1; 865 866 out: 867 if (isec->sclass == SECCLASS_FILE) 868 isec->sclass = inode_mode_to_security_class(inode->i_mode); 869 870 if (hold_sem) 871 up(&isec->sem); 872 return rc; 873 } 874 875 /* Convert a Linux signal to an access vector. */ 876 static inline u32 signal_to_av(int sig) 877 { 878 u32 perm = 0; 879 880 switch (sig) { 881 case SIGCHLD: 882 /* Commonly granted from child to parent. */ 883 perm = PROCESS__SIGCHLD; 884 break; 885 case SIGKILL: 886 /* Cannot be caught or ignored */ 887 perm = PROCESS__SIGKILL; 888 break; 889 case SIGSTOP: 890 /* Cannot be caught or ignored */ 891 perm = PROCESS__SIGSTOP; 892 break; 893 default: 894 /* All other signals. */ 895 perm = PROCESS__SIGNAL; 896 break; 897 } 898 899 return perm; 900 } 901 902 /* Check permission betweeen a pair of tasks, e.g. signal checks, 903 fork check, ptrace check, etc. */ 904 static int task_has_perm(struct task_struct *tsk1, 905 struct task_struct *tsk2, 906 u32 perms) 907 { 908 struct task_security_struct *tsec1, *tsec2; 909 910 tsec1 = tsk1->security; 911 tsec2 = tsk2->security; 912 return avc_has_perm(tsec1->sid, tsec2->sid, 913 SECCLASS_PROCESS, perms, NULL); 914 } 915 916 /* Check whether a task is allowed to use a capability. */ 917 static int task_has_capability(struct task_struct *tsk, 918 int cap) 919 { 920 struct task_security_struct *tsec; 921 struct avc_audit_data ad; 922 923 tsec = tsk->security; 924 925 AVC_AUDIT_DATA_INIT(&ad,CAP); 926 ad.tsk = tsk; 927 ad.u.cap = cap; 928 929 return avc_has_perm(tsec->sid, tsec->sid, 930 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad); 931 } 932 933 /* Check whether a task is allowed to use a system operation. */ 934 static int task_has_system(struct task_struct *tsk, 935 u32 perms) 936 { 937 struct task_security_struct *tsec; 938 939 tsec = tsk->security; 940 941 return avc_has_perm(tsec->sid, SECINITSID_KERNEL, 942 SECCLASS_SYSTEM, perms, NULL); 943 } 944 945 /* Check whether a task has a particular permission to an inode. 946 The 'adp' parameter is optional and allows other audit 947 data to be passed (e.g. the dentry). */ 948 static int inode_has_perm(struct task_struct *tsk, 949 struct inode *inode, 950 u32 perms, 951 struct avc_audit_data *adp) 952 { 953 struct task_security_struct *tsec; 954 struct inode_security_struct *isec; 955 struct avc_audit_data ad; 956 957 tsec = tsk->security; 958 isec = inode->i_security; 959 960 if (!adp) { 961 adp = &ad; 962 AVC_AUDIT_DATA_INIT(&ad, FS); 963 ad.u.fs.inode = inode; 964 } 965 966 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp); 967 } 968 969 /* Same as inode_has_perm, but pass explicit audit data containing 970 the dentry to help the auditing code to more easily generate the 971 pathname if needed. */ 972 static inline int dentry_has_perm(struct task_struct *tsk, 973 struct vfsmount *mnt, 974 struct dentry *dentry, 975 u32 av) 976 { 977 struct inode *inode = dentry->d_inode; 978 struct avc_audit_data ad; 979 AVC_AUDIT_DATA_INIT(&ad,FS); 980 ad.u.fs.mnt = mnt; 981 ad.u.fs.dentry = dentry; 982 return inode_has_perm(tsk, inode, av, &ad); 983 } 984 985 /* Check whether a task can use an open file descriptor to 986 access an inode in a given way. Check access to the 987 descriptor itself, and then use dentry_has_perm to 988 check a particular permission to the file. 989 Access to the descriptor is implicitly granted if it 990 has the same SID as the process. If av is zero, then 991 access to the file is not checked, e.g. for cases 992 where only the descriptor is affected like seek. */ 993 static int file_has_perm(struct task_struct *tsk, 994 struct file *file, 995 u32 av) 996 { 997 struct task_security_struct *tsec = tsk->security; 998 struct file_security_struct *fsec = file->f_security; 999 struct vfsmount *mnt = file->f_vfsmnt; 1000 struct dentry *dentry = file->f_dentry; 1001 struct inode *inode = dentry->d_inode; 1002 struct avc_audit_data ad; 1003 int rc; 1004 1005 AVC_AUDIT_DATA_INIT(&ad, FS); 1006 ad.u.fs.mnt = mnt; 1007 ad.u.fs.dentry = dentry; 1008 1009 if (tsec->sid != fsec->sid) { 1010 rc = avc_has_perm(tsec->sid, fsec->sid, 1011 SECCLASS_FD, 1012 FD__USE, 1013 &ad); 1014 if (rc) 1015 return rc; 1016 } 1017 1018 /* av is zero if only checking access to the descriptor. */ 1019 if (av) 1020 return inode_has_perm(tsk, inode, av, &ad); 1021 1022 return 0; 1023 } 1024 1025 /* Check whether a task can create a file. */ 1026 static int may_create(struct inode *dir, 1027 struct dentry *dentry, 1028 u16 tclass) 1029 { 1030 struct task_security_struct *tsec; 1031 struct inode_security_struct *dsec; 1032 struct superblock_security_struct *sbsec; 1033 u32 newsid; 1034 struct avc_audit_data ad; 1035 int rc; 1036 1037 tsec = current->security; 1038 dsec = dir->i_security; 1039 sbsec = dir->i_sb->s_security; 1040 1041 AVC_AUDIT_DATA_INIT(&ad, FS); 1042 ad.u.fs.dentry = dentry; 1043 1044 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, 1045 DIR__ADD_NAME | DIR__SEARCH, 1046 &ad); 1047 if (rc) 1048 return rc; 1049 1050 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 1051 newsid = tsec->create_sid; 1052 } else { 1053 rc = security_transition_sid(tsec->sid, dsec->sid, tclass, 1054 &newsid); 1055 if (rc) 1056 return rc; 1057 } 1058 1059 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad); 1060 if (rc) 1061 return rc; 1062 1063 return avc_has_perm(newsid, sbsec->sid, 1064 SECCLASS_FILESYSTEM, 1065 FILESYSTEM__ASSOCIATE, &ad); 1066 } 1067 1068 #define MAY_LINK 0 1069 #define MAY_UNLINK 1 1070 #define MAY_RMDIR 2 1071 1072 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1073 static int may_link(struct inode *dir, 1074 struct dentry *dentry, 1075 int kind) 1076 1077 { 1078 struct task_security_struct *tsec; 1079 struct inode_security_struct *dsec, *isec; 1080 struct avc_audit_data ad; 1081 u32 av; 1082 int rc; 1083 1084 tsec = current->security; 1085 dsec = dir->i_security; 1086 isec = dentry->d_inode->i_security; 1087 1088 AVC_AUDIT_DATA_INIT(&ad, FS); 1089 ad.u.fs.dentry = dentry; 1090 1091 av = DIR__SEARCH; 1092 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1093 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad); 1094 if (rc) 1095 return rc; 1096 1097 switch (kind) { 1098 case MAY_LINK: 1099 av = FILE__LINK; 1100 break; 1101 case MAY_UNLINK: 1102 av = FILE__UNLINK; 1103 break; 1104 case MAY_RMDIR: 1105 av = DIR__RMDIR; 1106 break; 1107 default: 1108 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind); 1109 return 0; 1110 } 1111 1112 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad); 1113 return rc; 1114 } 1115 1116 static inline int may_rename(struct inode *old_dir, 1117 struct dentry *old_dentry, 1118 struct inode *new_dir, 1119 struct dentry *new_dentry) 1120 { 1121 struct task_security_struct *tsec; 1122 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1123 struct avc_audit_data ad; 1124 u32 av; 1125 int old_is_dir, new_is_dir; 1126 int rc; 1127 1128 tsec = current->security; 1129 old_dsec = old_dir->i_security; 1130 old_isec = old_dentry->d_inode->i_security; 1131 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); 1132 new_dsec = new_dir->i_security; 1133 1134 AVC_AUDIT_DATA_INIT(&ad, FS); 1135 1136 ad.u.fs.dentry = old_dentry; 1137 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR, 1138 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1139 if (rc) 1140 return rc; 1141 rc = avc_has_perm(tsec->sid, old_isec->sid, 1142 old_isec->sclass, FILE__RENAME, &ad); 1143 if (rc) 1144 return rc; 1145 if (old_is_dir && new_dir != old_dir) { 1146 rc = avc_has_perm(tsec->sid, old_isec->sid, 1147 old_isec->sclass, DIR__REPARENT, &ad); 1148 if (rc) 1149 return rc; 1150 } 1151 1152 ad.u.fs.dentry = new_dentry; 1153 av = DIR__ADD_NAME | DIR__SEARCH; 1154 if (new_dentry->d_inode) 1155 av |= DIR__REMOVE_NAME; 1156 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1157 if (rc) 1158 return rc; 1159 if (new_dentry->d_inode) { 1160 new_isec = new_dentry->d_inode->i_security; 1161 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode); 1162 rc = avc_has_perm(tsec->sid, new_isec->sid, 1163 new_isec->sclass, 1164 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1165 if (rc) 1166 return rc; 1167 } 1168 1169 return 0; 1170 } 1171 1172 /* Check whether a task can perform a filesystem operation. */ 1173 static int superblock_has_perm(struct task_struct *tsk, 1174 struct super_block *sb, 1175 u32 perms, 1176 struct avc_audit_data *ad) 1177 { 1178 struct task_security_struct *tsec; 1179 struct superblock_security_struct *sbsec; 1180 1181 tsec = tsk->security; 1182 sbsec = sb->s_security; 1183 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 1184 perms, ad); 1185 } 1186 1187 /* Convert a Linux mode and permission mask to an access vector. */ 1188 static inline u32 file_mask_to_av(int mode, int mask) 1189 { 1190 u32 av = 0; 1191 1192 if ((mode & S_IFMT) != S_IFDIR) { 1193 if (mask & MAY_EXEC) 1194 av |= FILE__EXECUTE; 1195 if (mask & MAY_READ) 1196 av |= FILE__READ; 1197 1198 if (mask & MAY_APPEND) 1199 av |= FILE__APPEND; 1200 else if (mask & MAY_WRITE) 1201 av |= FILE__WRITE; 1202 1203 } else { 1204 if (mask & MAY_EXEC) 1205 av |= DIR__SEARCH; 1206 if (mask & MAY_WRITE) 1207 av |= DIR__WRITE; 1208 if (mask & MAY_READ) 1209 av |= DIR__READ; 1210 } 1211 1212 return av; 1213 } 1214 1215 /* Convert a Linux file to an access vector. */ 1216 static inline u32 file_to_av(struct file *file) 1217 { 1218 u32 av = 0; 1219 1220 if (file->f_mode & FMODE_READ) 1221 av |= FILE__READ; 1222 if (file->f_mode & FMODE_WRITE) { 1223 if (file->f_flags & O_APPEND) 1224 av |= FILE__APPEND; 1225 else 1226 av |= FILE__WRITE; 1227 } 1228 1229 return av; 1230 } 1231 1232 /* Set an inode's SID to a specified value. */ 1233 static int inode_security_set_sid(struct inode *inode, u32 sid) 1234 { 1235 struct inode_security_struct *isec = inode->i_security; 1236 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 1237 1238 if (!sbsec->initialized) { 1239 /* Defer initialization to selinux_complete_init. */ 1240 return 0; 1241 } 1242 1243 down(&isec->sem); 1244 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1245 isec->sid = sid; 1246 isec->initialized = 1; 1247 up(&isec->sem); 1248 return 0; 1249 } 1250 1251 /* Hook functions begin here. */ 1252 1253 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) 1254 { 1255 struct task_security_struct *psec = parent->security; 1256 struct task_security_struct *csec = child->security; 1257 int rc; 1258 1259 rc = secondary_ops->ptrace(parent,child); 1260 if (rc) 1261 return rc; 1262 1263 rc = task_has_perm(parent, child, PROCESS__PTRACE); 1264 /* Save the SID of the tracing process for later use in apply_creds. */ 1265 if (!(child->ptrace & PT_PTRACED) && !rc) 1266 csec->ptrace_sid = psec->sid; 1267 return rc; 1268 } 1269 1270 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 1271 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1272 { 1273 int error; 1274 1275 error = task_has_perm(current, target, PROCESS__GETCAP); 1276 if (error) 1277 return error; 1278 1279 return secondary_ops->capget(target, effective, inheritable, permitted); 1280 } 1281 1282 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, 1283 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1284 { 1285 int error; 1286 1287 error = secondary_ops->capset_check(target, effective, inheritable, permitted); 1288 if (error) 1289 return error; 1290 1291 return task_has_perm(current, target, PROCESS__SETCAP); 1292 } 1293 1294 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, 1295 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1296 { 1297 secondary_ops->capset_set(target, effective, inheritable, permitted); 1298 } 1299 1300 static int selinux_capable(struct task_struct *tsk, int cap) 1301 { 1302 int rc; 1303 1304 rc = secondary_ops->capable(tsk, cap); 1305 if (rc) 1306 return rc; 1307 1308 return task_has_capability(tsk,cap); 1309 } 1310 1311 static int selinux_sysctl(ctl_table *table, int op) 1312 { 1313 int error = 0; 1314 u32 av; 1315 struct task_security_struct *tsec; 1316 u32 tsid; 1317 int rc; 1318 1319 rc = secondary_ops->sysctl(table, op); 1320 if (rc) 1321 return rc; 1322 1323 tsec = current->security; 1324 1325 rc = selinux_proc_get_sid(table->de, (op == 001) ? 1326 SECCLASS_DIR : SECCLASS_FILE, &tsid); 1327 if (rc) { 1328 /* Default to the well-defined sysctl SID. */ 1329 tsid = SECINITSID_SYSCTL; 1330 } 1331 1332 /* The op values are "defined" in sysctl.c, thereby creating 1333 * a bad coupling between this module and sysctl.c */ 1334 if(op == 001) { 1335 error = avc_has_perm(tsec->sid, tsid, 1336 SECCLASS_DIR, DIR__SEARCH, NULL); 1337 } else { 1338 av = 0; 1339 if (op & 004) 1340 av |= FILE__READ; 1341 if (op & 002) 1342 av |= FILE__WRITE; 1343 if (av) 1344 error = avc_has_perm(tsec->sid, tsid, 1345 SECCLASS_FILE, av, NULL); 1346 } 1347 1348 return error; 1349 } 1350 1351 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 1352 { 1353 int rc = 0; 1354 1355 if (!sb) 1356 return 0; 1357 1358 switch (cmds) { 1359 case Q_SYNC: 1360 case Q_QUOTAON: 1361 case Q_QUOTAOFF: 1362 case Q_SETINFO: 1363 case Q_SETQUOTA: 1364 rc = superblock_has_perm(current, 1365 sb, 1366 FILESYSTEM__QUOTAMOD, NULL); 1367 break; 1368 case Q_GETFMT: 1369 case Q_GETINFO: 1370 case Q_GETQUOTA: 1371 rc = superblock_has_perm(current, 1372 sb, 1373 FILESYSTEM__QUOTAGET, NULL); 1374 break; 1375 default: 1376 rc = 0; /* let the kernel handle invalid cmds */ 1377 break; 1378 } 1379 return rc; 1380 } 1381 1382 static int selinux_quota_on(struct dentry *dentry) 1383 { 1384 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON); 1385 } 1386 1387 static int selinux_syslog(int type) 1388 { 1389 int rc; 1390 1391 rc = secondary_ops->syslog(type); 1392 if (rc) 1393 return rc; 1394 1395 switch (type) { 1396 case 3: /* Read last kernel messages */ 1397 case 10: /* Return size of the log buffer */ 1398 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 1399 break; 1400 case 6: /* Disable logging to console */ 1401 case 7: /* Enable logging to console */ 1402 case 8: /* Set level of messages printed to console */ 1403 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); 1404 break; 1405 case 0: /* Close log */ 1406 case 1: /* Open log */ 1407 case 2: /* Read from log */ 1408 case 4: /* Read/clear last kernel messages */ 1409 case 5: /* Clear ring buffer */ 1410 default: 1411 rc = task_has_system(current, SYSTEM__SYSLOG_MOD); 1412 break; 1413 } 1414 return rc; 1415 } 1416 1417 /* 1418 * Check that a process has enough memory to allocate a new virtual 1419 * mapping. 0 means there is enough memory for the allocation to 1420 * succeed and -ENOMEM implies there is not. 1421 * 1422 * Note that secondary_ops->capable and task_has_perm_noaudit return 0 1423 * if the capability is granted, but __vm_enough_memory requires 1 if 1424 * the capability is granted. 1425 * 1426 * Do not audit the selinux permission check, as this is applied to all 1427 * processes that allocate mappings. 1428 */ 1429 static int selinux_vm_enough_memory(long pages) 1430 { 1431 int rc, cap_sys_admin = 0; 1432 struct task_security_struct *tsec = current->security; 1433 1434 rc = secondary_ops->capable(current, CAP_SYS_ADMIN); 1435 if (rc == 0) 1436 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid, 1437 SECCLASS_CAPABILITY, 1438 CAP_TO_MASK(CAP_SYS_ADMIN), 1439 NULL); 1440 1441 if (rc == 0) 1442 cap_sys_admin = 1; 1443 1444 return __vm_enough_memory(pages, cap_sys_admin); 1445 } 1446 1447 /* binprm security operations */ 1448 1449 static int selinux_bprm_alloc_security(struct linux_binprm *bprm) 1450 { 1451 struct bprm_security_struct *bsec; 1452 1453 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL); 1454 if (!bsec) 1455 return -ENOMEM; 1456 1457 bsec->bprm = bprm; 1458 bsec->sid = SECINITSID_UNLABELED; 1459 bsec->set = 0; 1460 1461 bprm->security = bsec; 1462 return 0; 1463 } 1464 1465 static int selinux_bprm_set_security(struct linux_binprm *bprm) 1466 { 1467 struct task_security_struct *tsec; 1468 struct inode *inode = bprm->file->f_dentry->d_inode; 1469 struct inode_security_struct *isec; 1470 struct bprm_security_struct *bsec; 1471 u32 newsid; 1472 struct avc_audit_data ad; 1473 int rc; 1474 1475 rc = secondary_ops->bprm_set_security(bprm); 1476 if (rc) 1477 return rc; 1478 1479 bsec = bprm->security; 1480 1481 if (bsec->set) 1482 return 0; 1483 1484 tsec = current->security; 1485 isec = inode->i_security; 1486 1487 /* Default to the current task SID. */ 1488 bsec->sid = tsec->sid; 1489 1490 /* Reset create SID on execve. */ 1491 tsec->create_sid = 0; 1492 1493 if (tsec->exec_sid) { 1494 newsid = tsec->exec_sid; 1495 /* Reset exec SID on execve. */ 1496 tsec->exec_sid = 0; 1497 } else { 1498 /* Check for a default transition on this program. */ 1499 rc = security_transition_sid(tsec->sid, isec->sid, 1500 SECCLASS_PROCESS, &newsid); 1501 if (rc) 1502 return rc; 1503 } 1504 1505 AVC_AUDIT_DATA_INIT(&ad, FS); 1506 ad.u.fs.mnt = bprm->file->f_vfsmnt; 1507 ad.u.fs.dentry = bprm->file->f_dentry; 1508 1509 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) 1510 newsid = tsec->sid; 1511 1512 if (tsec->sid == newsid) { 1513 rc = avc_has_perm(tsec->sid, isec->sid, 1514 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 1515 if (rc) 1516 return rc; 1517 } else { 1518 /* Check permissions for the transition. */ 1519 rc = avc_has_perm(tsec->sid, newsid, 1520 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 1521 if (rc) 1522 return rc; 1523 1524 rc = avc_has_perm(newsid, isec->sid, 1525 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 1526 if (rc) 1527 return rc; 1528 1529 /* Clear any possibly unsafe personality bits on exec: */ 1530 current->personality &= ~PER_CLEAR_ON_SETID; 1531 1532 /* Set the security field to the new SID. */ 1533 bsec->sid = newsid; 1534 } 1535 1536 bsec->set = 1; 1537 return 0; 1538 } 1539 1540 static int selinux_bprm_check_security (struct linux_binprm *bprm) 1541 { 1542 return secondary_ops->bprm_check_security(bprm); 1543 } 1544 1545 1546 static int selinux_bprm_secureexec (struct linux_binprm *bprm) 1547 { 1548 struct task_security_struct *tsec = current->security; 1549 int atsecure = 0; 1550 1551 if (tsec->osid != tsec->sid) { 1552 /* Enable secure mode for SIDs transitions unless 1553 the noatsecure permission is granted between 1554 the two SIDs, i.e. ahp returns 0. */ 1555 atsecure = avc_has_perm(tsec->osid, tsec->sid, 1556 SECCLASS_PROCESS, 1557 PROCESS__NOATSECURE, NULL); 1558 } 1559 1560 return (atsecure || secondary_ops->bprm_secureexec(bprm)); 1561 } 1562 1563 static void selinux_bprm_free_security(struct linux_binprm *bprm) 1564 { 1565 kfree(bprm->security); 1566 bprm->security = NULL; 1567 } 1568 1569 extern struct vfsmount *selinuxfs_mount; 1570 extern struct dentry *selinux_null; 1571 1572 /* Derived from fs/exec.c:flush_old_files. */ 1573 static inline void flush_unauthorized_files(struct files_struct * files) 1574 { 1575 struct avc_audit_data ad; 1576 struct file *file, *devnull = NULL; 1577 struct tty_struct *tty = current->signal->tty; 1578 struct fdtable *fdt; 1579 long j = -1; 1580 1581 if (tty) { 1582 file_list_lock(); 1583 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list); 1584 if (file) { 1585 /* Revalidate access to controlling tty. 1586 Use inode_has_perm on the tty inode directly rather 1587 than using file_has_perm, as this particular open 1588 file may belong to another process and we are only 1589 interested in the inode-based check here. */ 1590 struct inode *inode = file->f_dentry->d_inode; 1591 if (inode_has_perm(current, inode, 1592 FILE__READ | FILE__WRITE, NULL)) { 1593 /* Reset controlling tty. */ 1594 current->signal->tty = NULL; 1595 current->signal->tty_old_pgrp = 0; 1596 } 1597 } 1598 file_list_unlock(); 1599 } 1600 1601 /* Revalidate access to inherited open files. */ 1602 1603 AVC_AUDIT_DATA_INIT(&ad,FS); 1604 1605 spin_lock(&files->file_lock); 1606 for (;;) { 1607 unsigned long set, i; 1608 int fd; 1609 1610 j++; 1611 i = j * __NFDBITS; 1612 fdt = files_fdtable(files); 1613 if (i >= fdt->max_fds || i >= fdt->max_fdset) 1614 break; 1615 set = fdt->open_fds->fds_bits[j]; 1616 if (!set) 1617 continue; 1618 spin_unlock(&files->file_lock); 1619 for ( ; set ; i++,set >>= 1) { 1620 if (set & 1) { 1621 file = fget(i); 1622 if (!file) 1623 continue; 1624 if (file_has_perm(current, 1625 file, 1626 file_to_av(file))) { 1627 sys_close(i); 1628 fd = get_unused_fd(); 1629 if (fd != i) { 1630 if (fd >= 0) 1631 put_unused_fd(fd); 1632 fput(file); 1633 continue; 1634 } 1635 if (devnull) { 1636 get_file(devnull); 1637 } else { 1638 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR); 1639 if (!devnull) { 1640 put_unused_fd(fd); 1641 fput(file); 1642 continue; 1643 } 1644 } 1645 fd_install(fd, devnull); 1646 } 1647 fput(file); 1648 } 1649 } 1650 spin_lock(&files->file_lock); 1651 1652 } 1653 spin_unlock(&files->file_lock); 1654 } 1655 1656 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) 1657 { 1658 struct task_security_struct *tsec; 1659 struct bprm_security_struct *bsec; 1660 u32 sid; 1661 int rc; 1662 1663 secondary_ops->bprm_apply_creds(bprm, unsafe); 1664 1665 tsec = current->security; 1666 1667 bsec = bprm->security; 1668 sid = bsec->sid; 1669 1670 tsec->osid = tsec->sid; 1671 bsec->unsafe = 0; 1672 if (tsec->sid != sid) { 1673 /* Check for shared state. If not ok, leave SID 1674 unchanged and kill. */ 1675 if (unsafe & LSM_UNSAFE_SHARE) { 1676 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 1677 PROCESS__SHARE, NULL); 1678 if (rc) { 1679 bsec->unsafe = 1; 1680 return; 1681 } 1682 } 1683 1684 /* Check for ptracing, and update the task SID if ok. 1685 Otherwise, leave SID unchanged and kill. */ 1686 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 1687 rc = avc_has_perm(tsec->ptrace_sid, sid, 1688 SECCLASS_PROCESS, PROCESS__PTRACE, 1689 NULL); 1690 if (rc) { 1691 bsec->unsafe = 1; 1692 return; 1693 } 1694 } 1695 tsec->sid = sid; 1696 } 1697 } 1698 1699 /* 1700 * called after apply_creds without the task lock held 1701 */ 1702 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) 1703 { 1704 struct task_security_struct *tsec; 1705 struct rlimit *rlim, *initrlim; 1706 struct itimerval itimer; 1707 struct bprm_security_struct *bsec; 1708 int rc, i; 1709 1710 tsec = current->security; 1711 bsec = bprm->security; 1712 1713 if (bsec->unsafe) { 1714 force_sig_specific(SIGKILL, current); 1715 return; 1716 } 1717 if (tsec->osid == tsec->sid) 1718 return; 1719 1720 /* Close files for which the new task SID is not authorized. */ 1721 flush_unauthorized_files(current->files); 1722 1723 /* Check whether the new SID can inherit signal state 1724 from the old SID. If not, clear itimers to avoid 1725 subsequent signal generation and flush and unblock 1726 signals. This must occur _after_ the task SID has 1727 been updated so that any kill done after the flush 1728 will be checked against the new SID. */ 1729 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, 1730 PROCESS__SIGINH, NULL); 1731 if (rc) { 1732 memset(&itimer, 0, sizeof itimer); 1733 for (i = 0; i < 3; i++) 1734 do_setitimer(i, &itimer, NULL); 1735 flush_signals(current); 1736 spin_lock_irq(¤t->sighand->siglock); 1737 flush_signal_handlers(current, 1); 1738 sigemptyset(¤t->blocked); 1739 recalc_sigpending(); 1740 spin_unlock_irq(¤t->sighand->siglock); 1741 } 1742 1743 /* Check whether the new SID can inherit resource limits 1744 from the old SID. If not, reset all soft limits to 1745 the lower of the current task's hard limit and the init 1746 task's soft limit. Note that the setting of hard limits 1747 (even to lower them) can be controlled by the setrlimit 1748 check. The inclusion of the init task's soft limit into 1749 the computation is to avoid resetting soft limits higher 1750 than the default soft limit for cases where the default 1751 is lower than the hard limit, e.g. RLIMIT_CORE or 1752 RLIMIT_STACK.*/ 1753 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, 1754 PROCESS__RLIMITINH, NULL); 1755 if (rc) { 1756 for (i = 0; i < RLIM_NLIMITS; i++) { 1757 rlim = current->signal->rlim + i; 1758 initrlim = init_task.signal->rlim+i; 1759 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur); 1760 } 1761 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) { 1762 /* 1763 * This will cause RLIMIT_CPU calculations 1764 * to be refigured. 1765 */ 1766 current->it_prof_expires = jiffies_to_cputime(1); 1767 } 1768 } 1769 1770 /* Wake up the parent if it is waiting so that it can 1771 recheck wait permission to the new task SID. */ 1772 wake_up_interruptible(¤t->parent->signal->wait_chldexit); 1773 } 1774 1775 /* superblock security operations */ 1776 1777 static int selinux_sb_alloc_security(struct super_block *sb) 1778 { 1779 return superblock_alloc_security(sb); 1780 } 1781 1782 static void selinux_sb_free_security(struct super_block *sb) 1783 { 1784 superblock_free_security(sb); 1785 } 1786 1787 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 1788 { 1789 if (plen > olen) 1790 return 0; 1791 1792 return !memcmp(prefix, option, plen); 1793 } 1794 1795 static inline int selinux_option(char *option, int len) 1796 { 1797 return (match_prefix("context=", sizeof("context=")-1, option, len) || 1798 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) || 1799 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len)); 1800 } 1801 1802 static inline void take_option(char **to, char *from, int *first, int len) 1803 { 1804 if (!*first) { 1805 **to = ','; 1806 *to += 1; 1807 } 1808 else 1809 *first = 0; 1810 memcpy(*to, from, len); 1811 *to += len; 1812 } 1813 1814 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy) 1815 { 1816 int fnosec, fsec, rc = 0; 1817 char *in_save, *in_curr, *in_end; 1818 char *sec_curr, *nosec_save, *nosec; 1819 1820 in_curr = orig; 1821 sec_curr = copy; 1822 1823 /* Binary mount data: just copy */ 1824 if (type->fs_flags & FS_BINARY_MOUNTDATA) { 1825 copy_page(sec_curr, in_curr); 1826 goto out; 1827 } 1828 1829 nosec = (char *)get_zeroed_page(GFP_KERNEL); 1830 if (!nosec) { 1831 rc = -ENOMEM; 1832 goto out; 1833 } 1834 1835 nosec_save = nosec; 1836 fnosec = fsec = 1; 1837 in_save = in_end = orig; 1838 1839 do { 1840 if (*in_end == ',' || *in_end == '\0') { 1841 int len = in_end - in_curr; 1842 1843 if (selinux_option(in_curr, len)) 1844 take_option(&sec_curr, in_curr, &fsec, len); 1845 else 1846 take_option(&nosec, in_curr, &fnosec, len); 1847 1848 in_curr = in_end + 1; 1849 } 1850 } while (*in_end++); 1851 1852 strcpy(in_save, nosec_save); 1853 free_page((unsigned long)nosec_save); 1854 out: 1855 return rc; 1856 } 1857 1858 static int selinux_sb_kern_mount(struct super_block *sb, void *data) 1859 { 1860 struct avc_audit_data ad; 1861 int rc; 1862 1863 rc = superblock_doinit(sb, data); 1864 if (rc) 1865 return rc; 1866 1867 AVC_AUDIT_DATA_INIT(&ad,FS); 1868 ad.u.fs.dentry = sb->s_root; 1869 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); 1870 } 1871 1872 static int selinux_sb_statfs(struct super_block *sb) 1873 { 1874 struct avc_audit_data ad; 1875 1876 AVC_AUDIT_DATA_INIT(&ad,FS); 1877 ad.u.fs.dentry = sb->s_root; 1878 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad); 1879 } 1880 1881 static int selinux_mount(char * dev_name, 1882 struct nameidata *nd, 1883 char * type, 1884 unsigned long flags, 1885 void * data) 1886 { 1887 int rc; 1888 1889 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data); 1890 if (rc) 1891 return rc; 1892 1893 if (flags & MS_REMOUNT) 1894 return superblock_has_perm(current, nd->mnt->mnt_sb, 1895 FILESYSTEM__REMOUNT, NULL); 1896 else 1897 return dentry_has_perm(current, nd->mnt, nd->dentry, 1898 FILE__MOUNTON); 1899 } 1900 1901 static int selinux_umount(struct vfsmount *mnt, int flags) 1902 { 1903 int rc; 1904 1905 rc = secondary_ops->sb_umount(mnt, flags); 1906 if (rc) 1907 return rc; 1908 1909 return superblock_has_perm(current,mnt->mnt_sb, 1910 FILESYSTEM__UNMOUNT,NULL); 1911 } 1912 1913 /* inode security operations */ 1914 1915 static int selinux_inode_alloc_security(struct inode *inode) 1916 { 1917 return inode_alloc_security(inode); 1918 } 1919 1920 static void selinux_inode_free_security(struct inode *inode) 1921 { 1922 inode_free_security(inode); 1923 } 1924 1925 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 1926 char **name, void **value, 1927 size_t *len) 1928 { 1929 struct task_security_struct *tsec; 1930 struct inode_security_struct *dsec; 1931 struct superblock_security_struct *sbsec; 1932 struct inode_security_struct *isec; 1933 u32 newsid, clen; 1934 int rc; 1935 char *namep = NULL, *context; 1936 1937 tsec = current->security; 1938 dsec = dir->i_security; 1939 sbsec = dir->i_sb->s_security; 1940 isec = inode->i_security; 1941 1942 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 1943 newsid = tsec->create_sid; 1944 } else { 1945 rc = security_transition_sid(tsec->sid, dsec->sid, 1946 inode_mode_to_security_class(inode->i_mode), 1947 &newsid); 1948 if (rc) { 1949 printk(KERN_WARNING "%s: " 1950 "security_transition_sid failed, rc=%d (dev=%s " 1951 "ino=%ld)\n", 1952 __FUNCTION__, 1953 -rc, inode->i_sb->s_id, inode->i_ino); 1954 return rc; 1955 } 1956 } 1957 1958 inode_security_set_sid(inode, newsid); 1959 1960 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 1961 return -EOPNOTSUPP; 1962 1963 if (name) { 1964 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL); 1965 if (!namep) 1966 return -ENOMEM; 1967 *name = namep; 1968 } 1969 1970 if (value && len) { 1971 rc = security_sid_to_context(newsid, &context, &clen); 1972 if (rc) { 1973 kfree(namep); 1974 return rc; 1975 } 1976 *value = context; 1977 *len = clen; 1978 } 1979 1980 return 0; 1981 } 1982 1983 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask) 1984 { 1985 return may_create(dir, dentry, SECCLASS_FILE); 1986 } 1987 1988 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 1989 { 1990 int rc; 1991 1992 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry); 1993 if (rc) 1994 return rc; 1995 return may_link(dir, old_dentry, MAY_LINK); 1996 } 1997 1998 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 1999 { 2000 int rc; 2001 2002 rc = secondary_ops->inode_unlink(dir, dentry); 2003 if (rc) 2004 return rc; 2005 return may_link(dir, dentry, MAY_UNLINK); 2006 } 2007 2008 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2009 { 2010 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2011 } 2012 2013 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask) 2014 { 2015 return may_create(dir, dentry, SECCLASS_DIR); 2016 } 2017 2018 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2019 { 2020 return may_link(dir, dentry, MAY_RMDIR); 2021 } 2022 2023 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) 2024 { 2025 int rc; 2026 2027 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev); 2028 if (rc) 2029 return rc; 2030 2031 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2032 } 2033 2034 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2035 struct inode *new_inode, struct dentry *new_dentry) 2036 { 2037 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2038 } 2039 2040 static int selinux_inode_readlink(struct dentry *dentry) 2041 { 2042 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2043 } 2044 2045 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) 2046 { 2047 int rc; 2048 2049 rc = secondary_ops->inode_follow_link(dentry,nameidata); 2050 if (rc) 2051 return rc; 2052 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2053 } 2054 2055 static int selinux_inode_permission(struct inode *inode, int mask, 2056 struct nameidata *nd) 2057 { 2058 int rc; 2059 2060 rc = secondary_ops->inode_permission(inode, mask, nd); 2061 if (rc) 2062 return rc; 2063 2064 if (!mask) { 2065 /* No permission to check. Existence test. */ 2066 return 0; 2067 } 2068 2069 return inode_has_perm(current, inode, 2070 file_mask_to_av(inode->i_mode, mask), NULL); 2071 } 2072 2073 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2074 { 2075 int rc; 2076 2077 rc = secondary_ops->inode_setattr(dentry, iattr); 2078 if (rc) 2079 return rc; 2080 2081 if (iattr->ia_valid & ATTR_FORCE) 2082 return 0; 2083 2084 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 2085 ATTR_ATIME_SET | ATTR_MTIME_SET)) 2086 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2087 2088 return dentry_has_perm(current, NULL, dentry, FILE__WRITE); 2089 } 2090 2091 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 2092 { 2093 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR); 2094 } 2095 2096 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags) 2097 { 2098 struct task_security_struct *tsec = current->security; 2099 struct inode *inode = dentry->d_inode; 2100 struct inode_security_struct *isec = inode->i_security; 2101 struct superblock_security_struct *sbsec; 2102 struct avc_audit_data ad; 2103 u32 newsid; 2104 int rc = 0; 2105 2106 if (strcmp(name, XATTR_NAME_SELINUX)) { 2107 if (!strncmp(name, XATTR_SECURITY_PREFIX, 2108 sizeof XATTR_SECURITY_PREFIX - 1) && 2109 !capable(CAP_SYS_ADMIN)) { 2110 /* A different attribute in the security namespace. 2111 Restrict to administrator. */ 2112 return -EPERM; 2113 } 2114 2115 /* Not an attribute we recognize, so just check the 2116 ordinary setattr permission. */ 2117 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2118 } 2119 2120 sbsec = inode->i_sb->s_security; 2121 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 2122 return -EOPNOTSUPP; 2123 2124 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER)) 2125 return -EPERM; 2126 2127 AVC_AUDIT_DATA_INIT(&ad,FS); 2128 ad.u.fs.dentry = dentry; 2129 2130 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, 2131 FILE__RELABELFROM, &ad); 2132 if (rc) 2133 return rc; 2134 2135 rc = security_context_to_sid(value, size, &newsid); 2136 if (rc) 2137 return rc; 2138 2139 rc = avc_has_perm(tsec->sid, newsid, isec->sclass, 2140 FILE__RELABELTO, &ad); 2141 if (rc) 2142 return rc; 2143 2144 rc = security_validate_transition(isec->sid, newsid, tsec->sid, 2145 isec->sclass); 2146 if (rc) 2147 return rc; 2148 2149 return avc_has_perm(newsid, 2150 sbsec->sid, 2151 SECCLASS_FILESYSTEM, 2152 FILESYSTEM__ASSOCIATE, 2153 &ad); 2154 } 2155 2156 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, 2157 void *value, size_t size, int flags) 2158 { 2159 struct inode *inode = dentry->d_inode; 2160 struct inode_security_struct *isec = inode->i_security; 2161 u32 newsid; 2162 int rc; 2163 2164 if (strcmp(name, XATTR_NAME_SELINUX)) { 2165 /* Not an attribute we recognize, so nothing to do. */ 2166 return; 2167 } 2168 2169 rc = security_context_to_sid(value, size, &newsid); 2170 if (rc) { 2171 printk(KERN_WARNING "%s: unable to obtain SID for context " 2172 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc); 2173 return; 2174 } 2175 2176 isec->sid = newsid; 2177 return; 2178 } 2179 2180 static int selinux_inode_getxattr (struct dentry *dentry, char *name) 2181 { 2182 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2183 } 2184 2185 static int selinux_inode_listxattr (struct dentry *dentry) 2186 { 2187 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2188 } 2189 2190 static int selinux_inode_removexattr (struct dentry *dentry, char *name) 2191 { 2192 if (strcmp(name, XATTR_NAME_SELINUX)) { 2193 if (!strncmp(name, XATTR_SECURITY_PREFIX, 2194 sizeof XATTR_SECURITY_PREFIX - 1) && 2195 !capable(CAP_SYS_ADMIN)) { 2196 /* A different attribute in the security namespace. 2197 Restrict to administrator. */ 2198 return -EPERM; 2199 } 2200 2201 /* Not an attribute we recognize, so just check the 2202 ordinary setattr permission. Might want a separate 2203 permission for removexattr. */ 2204 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2205 } 2206 2207 /* No one is allowed to remove a SELinux security label. 2208 You can change the label, but all data must be labeled. */ 2209 return -EACCES; 2210 } 2211 2212 /* 2213 * Copy the in-core inode security context value to the user. If the 2214 * getxattr() prior to this succeeded, check to see if we need to 2215 * canonicalize the value to be finally returned to the user. 2216 * 2217 * Permission check is handled by selinux_inode_getxattr hook. 2218 */ 2219 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err) 2220 { 2221 struct inode_security_struct *isec = inode->i_security; 2222 char *context; 2223 unsigned len; 2224 int rc; 2225 2226 if (strcmp(name, XATTR_SELINUX_SUFFIX)) { 2227 rc = -EOPNOTSUPP; 2228 goto out; 2229 } 2230 2231 rc = security_sid_to_context(isec->sid, &context, &len); 2232 if (rc) 2233 goto out; 2234 2235 /* Probe for required buffer size */ 2236 if (!buffer || !size) { 2237 rc = len; 2238 goto out_free; 2239 } 2240 2241 if (size < len) { 2242 rc = -ERANGE; 2243 goto out_free; 2244 } 2245 2246 if (err > 0) { 2247 if ((len == err) && !(memcmp(context, buffer, len))) { 2248 /* Don't need to canonicalize value */ 2249 rc = err; 2250 goto out_free; 2251 } 2252 memset(buffer, 0, size); 2253 } 2254 memcpy(buffer, context, len); 2255 rc = len; 2256 out_free: 2257 kfree(context); 2258 out: 2259 return rc; 2260 } 2261 2262 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 2263 const void *value, size_t size, int flags) 2264 { 2265 struct inode_security_struct *isec = inode->i_security; 2266 u32 newsid; 2267 int rc; 2268 2269 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2270 return -EOPNOTSUPP; 2271 2272 if (!value || !size) 2273 return -EACCES; 2274 2275 rc = security_context_to_sid((void*)value, size, &newsid); 2276 if (rc) 2277 return rc; 2278 2279 isec->sid = newsid; 2280 return 0; 2281 } 2282 2283 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 2284 { 2285 const int len = sizeof(XATTR_NAME_SELINUX); 2286 if (buffer && len <= buffer_size) 2287 memcpy(buffer, XATTR_NAME_SELINUX, len); 2288 return len; 2289 } 2290 2291 /* file security operations */ 2292 2293 static int selinux_file_permission(struct file *file, int mask) 2294 { 2295 struct inode *inode = file->f_dentry->d_inode; 2296 2297 if (!mask) { 2298 /* No permission to check. Existence test. */ 2299 return 0; 2300 } 2301 2302 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 2303 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 2304 mask |= MAY_APPEND; 2305 2306 return file_has_perm(current, file, 2307 file_mask_to_av(inode->i_mode, mask)); 2308 } 2309 2310 static int selinux_file_alloc_security(struct file *file) 2311 { 2312 return file_alloc_security(file); 2313 } 2314 2315 static void selinux_file_free_security(struct file *file) 2316 { 2317 file_free_security(file); 2318 } 2319 2320 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 2321 unsigned long arg) 2322 { 2323 int error = 0; 2324 2325 switch (cmd) { 2326 case FIONREAD: 2327 /* fall through */ 2328 case FIBMAP: 2329 /* fall through */ 2330 case FIGETBSZ: 2331 /* fall through */ 2332 case EXT2_IOC_GETFLAGS: 2333 /* fall through */ 2334 case EXT2_IOC_GETVERSION: 2335 error = file_has_perm(current, file, FILE__GETATTR); 2336 break; 2337 2338 case EXT2_IOC_SETFLAGS: 2339 /* fall through */ 2340 case EXT2_IOC_SETVERSION: 2341 error = file_has_perm(current, file, FILE__SETATTR); 2342 break; 2343 2344 /* sys_ioctl() checks */ 2345 case FIONBIO: 2346 /* fall through */ 2347 case FIOASYNC: 2348 error = file_has_perm(current, file, 0); 2349 break; 2350 2351 case KDSKBENT: 2352 case KDSKBSENT: 2353 error = task_has_capability(current,CAP_SYS_TTY_CONFIG); 2354 break; 2355 2356 /* default case assumes that the command will go 2357 * to the file's ioctl() function. 2358 */ 2359 default: 2360 error = file_has_perm(current, file, FILE__IOCTL); 2361 2362 } 2363 return error; 2364 } 2365 2366 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 2367 { 2368 #ifndef CONFIG_PPC32 2369 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { 2370 /* 2371 * We are making executable an anonymous mapping or a 2372 * private file mapping that will also be writable. 2373 * This has an additional check. 2374 */ 2375 int rc = task_has_perm(current, current, PROCESS__EXECMEM); 2376 if (rc) 2377 return rc; 2378 } 2379 #endif 2380 2381 if (file) { 2382 /* read access is always possible with a mapping */ 2383 u32 av = FILE__READ; 2384 2385 /* write access only matters if the mapping is shared */ 2386 if (shared && (prot & PROT_WRITE)) 2387 av |= FILE__WRITE; 2388 2389 if (prot & PROT_EXEC) 2390 av |= FILE__EXECUTE; 2391 2392 return file_has_perm(current, file, av); 2393 } 2394 return 0; 2395 } 2396 2397 static int selinux_file_mmap(struct file *file, unsigned long reqprot, 2398 unsigned long prot, unsigned long flags) 2399 { 2400 int rc; 2401 2402 rc = secondary_ops->file_mmap(file, reqprot, prot, flags); 2403 if (rc) 2404 return rc; 2405 2406 if (selinux_checkreqprot) 2407 prot = reqprot; 2408 2409 return file_map_prot_check(file, prot, 2410 (flags & MAP_TYPE) == MAP_SHARED); 2411 } 2412 2413 static int selinux_file_mprotect(struct vm_area_struct *vma, 2414 unsigned long reqprot, 2415 unsigned long prot) 2416 { 2417 int rc; 2418 2419 rc = secondary_ops->file_mprotect(vma, reqprot, prot); 2420 if (rc) 2421 return rc; 2422 2423 if (selinux_checkreqprot) 2424 prot = reqprot; 2425 2426 #ifndef CONFIG_PPC32 2427 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 2428 rc = 0; 2429 if (vma->vm_start >= vma->vm_mm->start_brk && 2430 vma->vm_end <= vma->vm_mm->brk) { 2431 rc = task_has_perm(current, current, 2432 PROCESS__EXECHEAP); 2433 } else if (!vma->vm_file && 2434 vma->vm_start <= vma->vm_mm->start_stack && 2435 vma->vm_end >= vma->vm_mm->start_stack) { 2436 rc = task_has_perm(current, current, PROCESS__EXECSTACK); 2437 } else if (vma->vm_file && vma->anon_vma) { 2438 /* 2439 * We are making executable a file mapping that has 2440 * had some COW done. Since pages might have been 2441 * written, check ability to execute the possibly 2442 * modified content. This typically should only 2443 * occur for text relocations. 2444 */ 2445 rc = file_has_perm(current, vma->vm_file, 2446 FILE__EXECMOD); 2447 } 2448 if (rc) 2449 return rc; 2450 } 2451 #endif 2452 2453 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 2454 } 2455 2456 static int selinux_file_lock(struct file *file, unsigned int cmd) 2457 { 2458 return file_has_perm(current, file, FILE__LOCK); 2459 } 2460 2461 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 2462 unsigned long arg) 2463 { 2464 int err = 0; 2465 2466 switch (cmd) { 2467 case F_SETFL: 2468 if (!file->f_dentry || !file->f_dentry->d_inode) { 2469 err = -EINVAL; 2470 break; 2471 } 2472 2473 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 2474 err = file_has_perm(current, file,FILE__WRITE); 2475 break; 2476 } 2477 /* fall through */ 2478 case F_SETOWN: 2479 case F_SETSIG: 2480 case F_GETFL: 2481 case F_GETOWN: 2482 case F_GETSIG: 2483 /* Just check FD__USE permission */ 2484 err = file_has_perm(current, file, 0); 2485 break; 2486 case F_GETLK: 2487 case F_SETLK: 2488 case F_SETLKW: 2489 #if BITS_PER_LONG == 32 2490 case F_GETLK64: 2491 case F_SETLK64: 2492 case F_SETLKW64: 2493 #endif 2494 if (!file->f_dentry || !file->f_dentry->d_inode) { 2495 err = -EINVAL; 2496 break; 2497 } 2498 err = file_has_perm(current, file, FILE__LOCK); 2499 break; 2500 } 2501 2502 return err; 2503 } 2504 2505 static int selinux_file_set_fowner(struct file *file) 2506 { 2507 struct task_security_struct *tsec; 2508 struct file_security_struct *fsec; 2509 2510 tsec = current->security; 2511 fsec = file->f_security; 2512 fsec->fown_sid = tsec->sid; 2513 2514 return 0; 2515 } 2516 2517 static int selinux_file_send_sigiotask(struct task_struct *tsk, 2518 struct fown_struct *fown, int signum) 2519 { 2520 struct file *file; 2521 u32 perm; 2522 struct task_security_struct *tsec; 2523 struct file_security_struct *fsec; 2524 2525 /* struct fown_struct is never outside the context of a struct file */ 2526 file = (struct file *)((long)fown - offsetof(struct file,f_owner)); 2527 2528 tsec = tsk->security; 2529 fsec = file->f_security; 2530 2531 if (!signum) 2532 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 2533 else 2534 perm = signal_to_av(signum); 2535 2536 return avc_has_perm(fsec->fown_sid, tsec->sid, 2537 SECCLASS_PROCESS, perm, NULL); 2538 } 2539 2540 static int selinux_file_receive(struct file *file) 2541 { 2542 return file_has_perm(current, file, file_to_av(file)); 2543 } 2544 2545 /* task security operations */ 2546 2547 static int selinux_task_create(unsigned long clone_flags) 2548 { 2549 int rc; 2550 2551 rc = secondary_ops->task_create(clone_flags); 2552 if (rc) 2553 return rc; 2554 2555 return task_has_perm(current, current, PROCESS__FORK); 2556 } 2557 2558 static int selinux_task_alloc_security(struct task_struct *tsk) 2559 { 2560 struct task_security_struct *tsec1, *tsec2; 2561 int rc; 2562 2563 tsec1 = current->security; 2564 2565 rc = task_alloc_security(tsk); 2566 if (rc) 2567 return rc; 2568 tsec2 = tsk->security; 2569 2570 tsec2->osid = tsec1->osid; 2571 tsec2->sid = tsec1->sid; 2572 2573 /* Retain the exec and create SIDs across fork */ 2574 tsec2->exec_sid = tsec1->exec_sid; 2575 tsec2->create_sid = tsec1->create_sid; 2576 2577 /* Retain ptracer SID across fork, if any. 2578 This will be reset by the ptrace hook upon any 2579 subsequent ptrace_attach operations. */ 2580 tsec2->ptrace_sid = tsec1->ptrace_sid; 2581 2582 return 0; 2583 } 2584 2585 static void selinux_task_free_security(struct task_struct *tsk) 2586 { 2587 task_free_security(tsk); 2588 } 2589 2590 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 2591 { 2592 /* Since setuid only affects the current process, and 2593 since the SELinux controls are not based on the Linux 2594 identity attributes, SELinux does not need to control 2595 this operation. However, SELinux does control the use 2596 of the CAP_SETUID and CAP_SETGID capabilities using the 2597 capable hook. */ 2598 return 0; 2599 } 2600 2601 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 2602 { 2603 return secondary_ops->task_post_setuid(id0,id1,id2,flags); 2604 } 2605 2606 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) 2607 { 2608 /* See the comment for setuid above. */ 2609 return 0; 2610 } 2611 2612 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 2613 { 2614 return task_has_perm(current, p, PROCESS__SETPGID); 2615 } 2616 2617 static int selinux_task_getpgid(struct task_struct *p) 2618 { 2619 return task_has_perm(current, p, PROCESS__GETPGID); 2620 } 2621 2622 static int selinux_task_getsid(struct task_struct *p) 2623 { 2624 return task_has_perm(current, p, PROCESS__GETSESSION); 2625 } 2626 2627 static int selinux_task_setgroups(struct group_info *group_info) 2628 { 2629 /* See the comment for setuid above. */ 2630 return 0; 2631 } 2632 2633 static int selinux_task_setnice(struct task_struct *p, int nice) 2634 { 2635 int rc; 2636 2637 rc = secondary_ops->task_setnice(p, nice); 2638 if (rc) 2639 return rc; 2640 2641 return task_has_perm(current,p, PROCESS__SETSCHED); 2642 } 2643 2644 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) 2645 { 2646 struct rlimit *old_rlim = current->signal->rlim + resource; 2647 int rc; 2648 2649 rc = secondary_ops->task_setrlimit(resource, new_rlim); 2650 if (rc) 2651 return rc; 2652 2653 /* Control the ability to change the hard limit (whether 2654 lowering or raising it), so that the hard limit can 2655 later be used as a safe reset point for the soft limit 2656 upon context transitions. See selinux_bprm_apply_creds. */ 2657 if (old_rlim->rlim_max != new_rlim->rlim_max) 2658 return task_has_perm(current, current, PROCESS__SETRLIMIT); 2659 2660 return 0; 2661 } 2662 2663 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp) 2664 { 2665 return task_has_perm(current, p, PROCESS__SETSCHED); 2666 } 2667 2668 static int selinux_task_getscheduler(struct task_struct *p) 2669 { 2670 return task_has_perm(current, p, PROCESS__GETSCHED); 2671 } 2672 2673 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig) 2674 { 2675 u32 perm; 2676 int rc; 2677 2678 rc = secondary_ops->task_kill(p, info, sig); 2679 if (rc) 2680 return rc; 2681 2682 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info))) 2683 return 0; 2684 2685 if (!sig) 2686 perm = PROCESS__SIGNULL; /* null signal; existence test */ 2687 else 2688 perm = signal_to_av(sig); 2689 2690 return task_has_perm(current, p, perm); 2691 } 2692 2693 static int selinux_task_prctl(int option, 2694 unsigned long arg2, 2695 unsigned long arg3, 2696 unsigned long arg4, 2697 unsigned long arg5) 2698 { 2699 /* The current prctl operations do not appear to require 2700 any SELinux controls since they merely observe or modify 2701 the state of the current process. */ 2702 return 0; 2703 } 2704 2705 static int selinux_task_wait(struct task_struct *p) 2706 { 2707 u32 perm; 2708 2709 perm = signal_to_av(p->exit_signal); 2710 2711 return task_has_perm(p, current, perm); 2712 } 2713 2714 static void selinux_task_reparent_to_init(struct task_struct *p) 2715 { 2716 struct task_security_struct *tsec; 2717 2718 secondary_ops->task_reparent_to_init(p); 2719 2720 tsec = p->security; 2721 tsec->osid = tsec->sid; 2722 tsec->sid = SECINITSID_KERNEL; 2723 return; 2724 } 2725 2726 static void selinux_task_to_inode(struct task_struct *p, 2727 struct inode *inode) 2728 { 2729 struct task_security_struct *tsec = p->security; 2730 struct inode_security_struct *isec = inode->i_security; 2731 2732 isec->sid = tsec->sid; 2733 isec->initialized = 1; 2734 return; 2735 } 2736 2737 /* Returns error only if unable to parse addresses */ 2738 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad) 2739 { 2740 int offset, ihlen, ret = -EINVAL; 2741 struct iphdr _iph, *ih; 2742 2743 offset = skb->nh.raw - skb->data; 2744 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 2745 if (ih == NULL) 2746 goto out; 2747 2748 ihlen = ih->ihl * 4; 2749 if (ihlen < sizeof(_iph)) 2750 goto out; 2751 2752 ad->u.net.v4info.saddr = ih->saddr; 2753 ad->u.net.v4info.daddr = ih->daddr; 2754 ret = 0; 2755 2756 switch (ih->protocol) { 2757 case IPPROTO_TCP: { 2758 struct tcphdr _tcph, *th; 2759 2760 if (ntohs(ih->frag_off) & IP_OFFSET) 2761 break; 2762 2763 offset += ihlen; 2764 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 2765 if (th == NULL) 2766 break; 2767 2768 ad->u.net.sport = th->source; 2769 ad->u.net.dport = th->dest; 2770 break; 2771 } 2772 2773 case IPPROTO_UDP: { 2774 struct udphdr _udph, *uh; 2775 2776 if (ntohs(ih->frag_off) & IP_OFFSET) 2777 break; 2778 2779 offset += ihlen; 2780 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 2781 if (uh == NULL) 2782 break; 2783 2784 ad->u.net.sport = uh->source; 2785 ad->u.net.dport = uh->dest; 2786 break; 2787 } 2788 2789 default: 2790 break; 2791 } 2792 out: 2793 return ret; 2794 } 2795 2796 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 2797 2798 /* Returns error only if unable to parse addresses */ 2799 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad) 2800 { 2801 u8 nexthdr; 2802 int ret = -EINVAL, offset; 2803 struct ipv6hdr _ipv6h, *ip6; 2804 2805 offset = skb->nh.raw - skb->data; 2806 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 2807 if (ip6 == NULL) 2808 goto out; 2809 2810 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr); 2811 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr); 2812 ret = 0; 2813 2814 nexthdr = ip6->nexthdr; 2815 offset += sizeof(_ipv6h); 2816 offset = ipv6_skip_exthdr(skb, offset, &nexthdr); 2817 if (offset < 0) 2818 goto out; 2819 2820 switch (nexthdr) { 2821 case IPPROTO_TCP: { 2822 struct tcphdr _tcph, *th; 2823 2824 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 2825 if (th == NULL) 2826 break; 2827 2828 ad->u.net.sport = th->source; 2829 ad->u.net.dport = th->dest; 2830 break; 2831 } 2832 2833 case IPPROTO_UDP: { 2834 struct udphdr _udph, *uh; 2835 2836 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 2837 if (uh == NULL) 2838 break; 2839 2840 ad->u.net.sport = uh->source; 2841 ad->u.net.dport = uh->dest; 2842 break; 2843 } 2844 2845 /* includes fragments */ 2846 default: 2847 break; 2848 } 2849 out: 2850 return ret; 2851 } 2852 2853 #endif /* IPV6 */ 2854 2855 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, 2856 char **addrp, int *len, int src) 2857 { 2858 int ret = 0; 2859 2860 switch (ad->u.net.family) { 2861 case PF_INET: 2862 ret = selinux_parse_skb_ipv4(skb, ad); 2863 if (ret || !addrp) 2864 break; 2865 *len = 4; 2866 *addrp = (char *)(src ? &ad->u.net.v4info.saddr : 2867 &ad->u.net.v4info.daddr); 2868 break; 2869 2870 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 2871 case PF_INET6: 2872 ret = selinux_parse_skb_ipv6(skb, ad); 2873 if (ret || !addrp) 2874 break; 2875 *len = 16; 2876 *addrp = (char *)(src ? &ad->u.net.v6info.saddr : 2877 &ad->u.net.v6info.daddr); 2878 break; 2879 #endif /* IPV6 */ 2880 default: 2881 break; 2882 } 2883 2884 return ret; 2885 } 2886 2887 /* socket security operations */ 2888 static int socket_has_perm(struct task_struct *task, struct socket *sock, 2889 u32 perms) 2890 { 2891 struct inode_security_struct *isec; 2892 struct task_security_struct *tsec; 2893 struct avc_audit_data ad; 2894 int err = 0; 2895 2896 tsec = task->security; 2897 isec = SOCK_INODE(sock)->i_security; 2898 2899 if (isec->sid == SECINITSID_KERNEL) 2900 goto out; 2901 2902 AVC_AUDIT_DATA_INIT(&ad,NET); 2903 ad.u.net.sk = sock->sk; 2904 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 2905 2906 out: 2907 return err; 2908 } 2909 2910 static int selinux_socket_create(int family, int type, 2911 int protocol, int kern) 2912 { 2913 int err = 0; 2914 struct task_security_struct *tsec; 2915 2916 if (kern) 2917 goto out; 2918 2919 tsec = current->security; 2920 err = avc_has_perm(tsec->sid, tsec->sid, 2921 socket_type_to_security_class(family, type, 2922 protocol), SOCKET__CREATE, NULL); 2923 2924 out: 2925 return err; 2926 } 2927 2928 static void selinux_socket_post_create(struct socket *sock, int family, 2929 int type, int protocol, int kern) 2930 { 2931 struct inode_security_struct *isec; 2932 struct task_security_struct *tsec; 2933 2934 isec = SOCK_INODE(sock)->i_security; 2935 2936 tsec = current->security; 2937 isec->sclass = socket_type_to_security_class(family, type, protocol); 2938 isec->sid = kern ? SECINITSID_KERNEL : tsec->sid; 2939 isec->initialized = 1; 2940 2941 return; 2942 } 2943 2944 /* Range of port numbers used to automatically bind. 2945 Need to determine whether we should perform a name_bind 2946 permission check between the socket and the port number. */ 2947 #define ip_local_port_range_0 sysctl_local_port_range[0] 2948 #define ip_local_port_range_1 sysctl_local_port_range[1] 2949 2950 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 2951 { 2952 u16 family; 2953 int err; 2954 2955 err = socket_has_perm(current, sock, SOCKET__BIND); 2956 if (err) 2957 goto out; 2958 2959 /* 2960 * If PF_INET or PF_INET6, check name_bind permission for the port. 2961 * Multiple address binding for SCTP is not supported yet: we just 2962 * check the first address now. 2963 */ 2964 family = sock->sk->sk_family; 2965 if (family == PF_INET || family == PF_INET6) { 2966 char *addrp; 2967 struct inode_security_struct *isec; 2968 struct task_security_struct *tsec; 2969 struct avc_audit_data ad; 2970 struct sockaddr_in *addr4 = NULL; 2971 struct sockaddr_in6 *addr6 = NULL; 2972 unsigned short snum; 2973 struct sock *sk = sock->sk; 2974 u32 sid, node_perm, addrlen; 2975 2976 tsec = current->security; 2977 isec = SOCK_INODE(sock)->i_security; 2978 2979 if (family == PF_INET) { 2980 addr4 = (struct sockaddr_in *)address; 2981 snum = ntohs(addr4->sin_port); 2982 addrlen = sizeof(addr4->sin_addr.s_addr); 2983 addrp = (char *)&addr4->sin_addr.s_addr; 2984 } else { 2985 addr6 = (struct sockaddr_in6 *)address; 2986 snum = ntohs(addr6->sin6_port); 2987 addrlen = sizeof(addr6->sin6_addr.s6_addr); 2988 addrp = (char *)&addr6->sin6_addr.s6_addr; 2989 } 2990 2991 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) || 2992 snum > ip_local_port_range_1)) { 2993 err = security_port_sid(sk->sk_family, sk->sk_type, 2994 sk->sk_protocol, snum, &sid); 2995 if (err) 2996 goto out; 2997 AVC_AUDIT_DATA_INIT(&ad,NET); 2998 ad.u.net.sport = htons(snum); 2999 ad.u.net.family = family; 3000 err = avc_has_perm(isec->sid, sid, 3001 isec->sclass, 3002 SOCKET__NAME_BIND, &ad); 3003 if (err) 3004 goto out; 3005 } 3006 3007 switch(isec->sclass) { 3008 case SECCLASS_TCP_SOCKET: 3009 node_perm = TCP_SOCKET__NODE_BIND; 3010 break; 3011 3012 case SECCLASS_UDP_SOCKET: 3013 node_perm = UDP_SOCKET__NODE_BIND; 3014 break; 3015 3016 default: 3017 node_perm = RAWIP_SOCKET__NODE_BIND; 3018 break; 3019 } 3020 3021 err = security_node_sid(family, addrp, addrlen, &sid); 3022 if (err) 3023 goto out; 3024 3025 AVC_AUDIT_DATA_INIT(&ad,NET); 3026 ad.u.net.sport = htons(snum); 3027 ad.u.net.family = family; 3028 3029 if (family == PF_INET) 3030 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr; 3031 else 3032 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr); 3033 3034 err = avc_has_perm(isec->sid, sid, 3035 isec->sclass, node_perm, &ad); 3036 if (err) 3037 goto out; 3038 } 3039 out: 3040 return err; 3041 } 3042 3043 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 3044 { 3045 struct inode_security_struct *isec; 3046 int err; 3047 3048 err = socket_has_perm(current, sock, SOCKET__CONNECT); 3049 if (err) 3050 return err; 3051 3052 /* 3053 * If a TCP socket, check name_connect permission for the port. 3054 */ 3055 isec = SOCK_INODE(sock)->i_security; 3056 if (isec->sclass == SECCLASS_TCP_SOCKET) { 3057 struct sock *sk = sock->sk; 3058 struct avc_audit_data ad; 3059 struct sockaddr_in *addr4 = NULL; 3060 struct sockaddr_in6 *addr6 = NULL; 3061 unsigned short snum; 3062 u32 sid; 3063 3064 if (sk->sk_family == PF_INET) { 3065 addr4 = (struct sockaddr_in *)address; 3066 if (addrlen < sizeof(struct sockaddr_in)) 3067 return -EINVAL; 3068 snum = ntohs(addr4->sin_port); 3069 } else { 3070 addr6 = (struct sockaddr_in6 *)address; 3071 if (addrlen < SIN6_LEN_RFC2133) 3072 return -EINVAL; 3073 snum = ntohs(addr6->sin6_port); 3074 } 3075 3076 err = security_port_sid(sk->sk_family, sk->sk_type, 3077 sk->sk_protocol, snum, &sid); 3078 if (err) 3079 goto out; 3080 3081 AVC_AUDIT_DATA_INIT(&ad,NET); 3082 ad.u.net.dport = htons(snum); 3083 ad.u.net.family = sk->sk_family; 3084 err = avc_has_perm(isec->sid, sid, isec->sclass, 3085 TCP_SOCKET__NAME_CONNECT, &ad); 3086 if (err) 3087 goto out; 3088 } 3089 3090 out: 3091 return err; 3092 } 3093 3094 static int selinux_socket_listen(struct socket *sock, int backlog) 3095 { 3096 return socket_has_perm(current, sock, SOCKET__LISTEN); 3097 } 3098 3099 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 3100 { 3101 int err; 3102 struct inode_security_struct *isec; 3103 struct inode_security_struct *newisec; 3104 3105 err = socket_has_perm(current, sock, SOCKET__ACCEPT); 3106 if (err) 3107 return err; 3108 3109 newisec = SOCK_INODE(newsock)->i_security; 3110 3111 isec = SOCK_INODE(sock)->i_security; 3112 newisec->sclass = isec->sclass; 3113 newisec->sid = isec->sid; 3114 newisec->initialized = 1; 3115 3116 return 0; 3117 } 3118 3119 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3120 int size) 3121 { 3122 return socket_has_perm(current, sock, SOCKET__WRITE); 3123 } 3124 3125 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 3126 int size, int flags) 3127 { 3128 return socket_has_perm(current, sock, SOCKET__READ); 3129 } 3130 3131 static int selinux_socket_getsockname(struct socket *sock) 3132 { 3133 return socket_has_perm(current, sock, SOCKET__GETATTR); 3134 } 3135 3136 static int selinux_socket_getpeername(struct socket *sock) 3137 { 3138 return socket_has_perm(current, sock, SOCKET__GETATTR); 3139 } 3140 3141 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname) 3142 { 3143 return socket_has_perm(current, sock, SOCKET__SETOPT); 3144 } 3145 3146 static int selinux_socket_getsockopt(struct socket *sock, int level, 3147 int optname) 3148 { 3149 return socket_has_perm(current, sock, SOCKET__GETOPT); 3150 } 3151 3152 static int selinux_socket_shutdown(struct socket *sock, int how) 3153 { 3154 return socket_has_perm(current, sock, SOCKET__SHUTDOWN); 3155 } 3156 3157 static int selinux_socket_unix_stream_connect(struct socket *sock, 3158 struct socket *other, 3159 struct sock *newsk) 3160 { 3161 struct sk_security_struct *ssec; 3162 struct inode_security_struct *isec; 3163 struct inode_security_struct *other_isec; 3164 struct avc_audit_data ad; 3165 int err; 3166 3167 err = secondary_ops->unix_stream_connect(sock, other, newsk); 3168 if (err) 3169 return err; 3170 3171 isec = SOCK_INODE(sock)->i_security; 3172 other_isec = SOCK_INODE(other)->i_security; 3173 3174 AVC_AUDIT_DATA_INIT(&ad,NET); 3175 ad.u.net.sk = other->sk; 3176 3177 err = avc_has_perm(isec->sid, other_isec->sid, 3178 isec->sclass, 3179 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 3180 if (err) 3181 return err; 3182 3183 /* connecting socket */ 3184 ssec = sock->sk->sk_security; 3185 ssec->peer_sid = other_isec->sid; 3186 3187 /* server child socket */ 3188 ssec = newsk->sk_security; 3189 ssec->peer_sid = isec->sid; 3190 3191 return 0; 3192 } 3193 3194 static int selinux_socket_unix_may_send(struct socket *sock, 3195 struct socket *other) 3196 { 3197 struct inode_security_struct *isec; 3198 struct inode_security_struct *other_isec; 3199 struct avc_audit_data ad; 3200 int err; 3201 3202 isec = SOCK_INODE(sock)->i_security; 3203 other_isec = SOCK_INODE(other)->i_security; 3204 3205 AVC_AUDIT_DATA_INIT(&ad,NET); 3206 ad.u.net.sk = other->sk; 3207 3208 err = avc_has_perm(isec->sid, other_isec->sid, 3209 isec->sclass, SOCKET__SENDTO, &ad); 3210 if (err) 3211 return err; 3212 3213 return 0; 3214 } 3215 3216 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3217 { 3218 u16 family; 3219 char *addrp; 3220 int len, err = 0; 3221 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0; 3222 u32 sock_sid = 0; 3223 u16 sock_class = 0; 3224 struct socket *sock; 3225 struct net_device *dev; 3226 struct avc_audit_data ad; 3227 3228 family = sk->sk_family; 3229 if (family != PF_INET && family != PF_INET6) 3230 goto out; 3231 3232 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 3233 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP)) 3234 family = PF_INET; 3235 3236 read_lock_bh(&sk->sk_callback_lock); 3237 sock = sk->sk_socket; 3238 if (sock) { 3239 struct inode *inode; 3240 inode = SOCK_INODE(sock); 3241 if (inode) { 3242 struct inode_security_struct *isec; 3243 isec = inode->i_security; 3244 sock_sid = isec->sid; 3245 sock_class = isec->sclass; 3246 } 3247 } 3248 read_unlock_bh(&sk->sk_callback_lock); 3249 if (!sock_sid) 3250 goto out; 3251 3252 dev = skb->dev; 3253 if (!dev) 3254 goto out; 3255 3256 err = sel_netif_sids(dev, &if_sid, NULL); 3257 if (err) 3258 goto out; 3259 3260 switch (sock_class) { 3261 case SECCLASS_UDP_SOCKET: 3262 netif_perm = NETIF__UDP_RECV; 3263 node_perm = NODE__UDP_RECV; 3264 recv_perm = UDP_SOCKET__RECV_MSG; 3265 break; 3266 3267 case SECCLASS_TCP_SOCKET: 3268 netif_perm = NETIF__TCP_RECV; 3269 node_perm = NODE__TCP_RECV; 3270 recv_perm = TCP_SOCKET__RECV_MSG; 3271 break; 3272 3273 default: 3274 netif_perm = NETIF__RAWIP_RECV; 3275 node_perm = NODE__RAWIP_RECV; 3276 break; 3277 } 3278 3279 AVC_AUDIT_DATA_INIT(&ad, NET); 3280 ad.u.net.netif = dev->name; 3281 ad.u.net.family = family; 3282 3283 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1); 3284 if (err) 3285 goto out; 3286 3287 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad); 3288 if (err) 3289 goto out; 3290 3291 /* Fixme: this lookup is inefficient */ 3292 err = security_node_sid(family, addrp, len, &node_sid); 3293 if (err) 3294 goto out; 3295 3296 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad); 3297 if (err) 3298 goto out; 3299 3300 if (recv_perm) { 3301 u32 port_sid; 3302 3303 /* Fixme: make this more efficient */ 3304 err = security_port_sid(sk->sk_family, sk->sk_type, 3305 sk->sk_protocol, ntohs(ad.u.net.sport), 3306 &port_sid); 3307 if (err) 3308 goto out; 3309 3310 err = avc_has_perm(sock_sid, port_sid, 3311 sock_class, recv_perm, &ad); 3312 } 3313 3314 if (!err) 3315 err = selinux_xfrm_sock_rcv_skb(sock_sid, skb); 3316 3317 out: 3318 return err; 3319 } 3320 3321 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval, 3322 int __user *optlen, unsigned len) 3323 { 3324 int err = 0; 3325 char *scontext; 3326 u32 scontext_len; 3327 struct sk_security_struct *ssec; 3328 struct inode_security_struct *isec; 3329 3330 isec = SOCK_INODE(sock)->i_security; 3331 if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) { 3332 err = -ENOPROTOOPT; 3333 goto out; 3334 } 3335 3336 ssec = sock->sk->sk_security; 3337 3338 err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len); 3339 if (err) 3340 goto out; 3341 3342 if (scontext_len > len) { 3343 err = -ERANGE; 3344 goto out_len; 3345 } 3346 3347 if (copy_to_user(optval, scontext, scontext_len)) 3348 err = -EFAULT; 3349 3350 out_len: 3351 if (put_user(scontext_len, optlen)) 3352 err = -EFAULT; 3353 3354 kfree(scontext); 3355 out: 3356 return err; 3357 } 3358 3359 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 3360 { 3361 return sk_alloc_security(sk, family, priority); 3362 } 3363 3364 static void selinux_sk_free_security(struct sock *sk) 3365 { 3366 sk_free_security(sk); 3367 } 3368 3369 static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir) 3370 { 3371 struct inode_security_struct *isec; 3372 u32 sock_sid = SECINITSID_ANY_SOCKET; 3373 3374 if (!sk) 3375 return selinux_no_sk_sid(fl); 3376 3377 read_lock_bh(&sk->sk_callback_lock); 3378 isec = get_sock_isec(sk); 3379 3380 if (isec) 3381 sock_sid = isec->sid; 3382 3383 read_unlock_bh(&sk->sk_callback_lock); 3384 return sock_sid; 3385 } 3386 3387 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 3388 { 3389 int err = 0; 3390 u32 perm; 3391 struct nlmsghdr *nlh; 3392 struct socket *sock = sk->sk_socket; 3393 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 3394 3395 if (skb->len < NLMSG_SPACE(0)) { 3396 err = -EINVAL; 3397 goto out; 3398 } 3399 nlh = (struct nlmsghdr *)skb->data; 3400 3401 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); 3402 if (err) { 3403 if (err == -EINVAL) { 3404 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR, 3405 "SELinux: unrecognized netlink message" 3406 " type=%hu for sclass=%hu\n", 3407 nlh->nlmsg_type, isec->sclass); 3408 if (!selinux_enforcing) 3409 err = 0; 3410 } 3411 3412 /* Ignore */ 3413 if (err == -ENOENT) 3414 err = 0; 3415 goto out; 3416 } 3417 3418 err = socket_has_perm(current, sock, perm); 3419 out: 3420 return err; 3421 } 3422 3423 #ifdef CONFIG_NETFILTER 3424 3425 static unsigned int selinux_ip_postroute_last(unsigned int hooknum, 3426 struct sk_buff **pskb, 3427 const struct net_device *in, 3428 const struct net_device *out, 3429 int (*okfn)(struct sk_buff *), 3430 u16 family) 3431 { 3432 char *addrp; 3433 int len, err = NF_ACCEPT; 3434 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0; 3435 struct sock *sk; 3436 struct socket *sock; 3437 struct inode *inode; 3438 struct sk_buff *skb = *pskb; 3439 struct inode_security_struct *isec; 3440 struct avc_audit_data ad; 3441 struct net_device *dev = (struct net_device *)out; 3442 3443 sk = skb->sk; 3444 if (!sk) 3445 goto out; 3446 3447 sock = sk->sk_socket; 3448 if (!sock) 3449 goto out; 3450 3451 inode = SOCK_INODE(sock); 3452 if (!inode) 3453 goto out; 3454 3455 err = sel_netif_sids(dev, &if_sid, NULL); 3456 if (err) 3457 goto out; 3458 3459 isec = inode->i_security; 3460 3461 switch (isec->sclass) { 3462 case SECCLASS_UDP_SOCKET: 3463 netif_perm = NETIF__UDP_SEND; 3464 node_perm = NODE__UDP_SEND; 3465 send_perm = UDP_SOCKET__SEND_MSG; 3466 break; 3467 3468 case SECCLASS_TCP_SOCKET: 3469 netif_perm = NETIF__TCP_SEND; 3470 node_perm = NODE__TCP_SEND; 3471 send_perm = TCP_SOCKET__SEND_MSG; 3472 break; 3473 3474 default: 3475 netif_perm = NETIF__RAWIP_SEND; 3476 node_perm = NODE__RAWIP_SEND; 3477 break; 3478 } 3479 3480 3481 AVC_AUDIT_DATA_INIT(&ad, NET); 3482 ad.u.net.netif = dev->name; 3483 ad.u.net.family = family; 3484 3485 err = selinux_parse_skb(skb, &ad, &addrp, 3486 &len, 0) ? NF_DROP : NF_ACCEPT; 3487 if (err != NF_ACCEPT) 3488 goto out; 3489 3490 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, 3491 netif_perm, &ad) ? NF_DROP : NF_ACCEPT; 3492 if (err != NF_ACCEPT) 3493 goto out; 3494 3495 /* Fixme: this lookup is inefficient */ 3496 err = security_node_sid(family, addrp, len, 3497 &node_sid) ? NF_DROP : NF_ACCEPT; 3498 if (err != NF_ACCEPT) 3499 goto out; 3500 3501 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, 3502 node_perm, &ad) ? NF_DROP : NF_ACCEPT; 3503 if (err != NF_ACCEPT) 3504 goto out; 3505 3506 if (send_perm) { 3507 u32 port_sid; 3508 3509 /* Fixme: make this more efficient */ 3510 err = security_port_sid(sk->sk_family, 3511 sk->sk_type, 3512 sk->sk_protocol, 3513 ntohs(ad.u.net.dport), 3514 &port_sid) ? NF_DROP : NF_ACCEPT; 3515 if (err != NF_ACCEPT) 3516 goto out; 3517 3518 err = avc_has_perm(isec->sid, port_sid, isec->sclass, 3519 send_perm, &ad) ? NF_DROP : NF_ACCEPT; 3520 } 3521 3522 if (err != NF_ACCEPT) 3523 goto out; 3524 3525 err = selinux_xfrm_postroute_last(isec->sid, skb); 3526 3527 out: 3528 return err; 3529 } 3530 3531 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum, 3532 struct sk_buff **pskb, 3533 const struct net_device *in, 3534 const struct net_device *out, 3535 int (*okfn)(struct sk_buff *)) 3536 { 3537 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET); 3538 } 3539 3540 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3541 3542 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum, 3543 struct sk_buff **pskb, 3544 const struct net_device *in, 3545 const struct net_device *out, 3546 int (*okfn)(struct sk_buff *)) 3547 { 3548 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6); 3549 } 3550 3551 #endif /* IPV6 */ 3552 3553 #endif /* CONFIG_NETFILTER */ 3554 3555 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 3556 { 3557 struct task_security_struct *tsec; 3558 struct av_decision avd; 3559 int err; 3560 3561 err = secondary_ops->netlink_send(sk, skb); 3562 if (err) 3563 return err; 3564 3565 tsec = current->security; 3566 3567 avd.allowed = 0; 3568 avc_has_perm_noaudit(tsec->sid, tsec->sid, 3569 SECCLASS_CAPABILITY, ~0, &avd); 3570 cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed); 3571 3572 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS) 3573 err = selinux_nlmsg_perm(sk, skb); 3574 3575 return err; 3576 } 3577 3578 static int selinux_netlink_recv(struct sk_buff *skb) 3579 { 3580 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) 3581 return -EPERM; 3582 return 0; 3583 } 3584 3585 static int ipc_alloc_security(struct task_struct *task, 3586 struct kern_ipc_perm *perm, 3587 u16 sclass) 3588 { 3589 struct task_security_struct *tsec = task->security; 3590 struct ipc_security_struct *isec; 3591 3592 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 3593 if (!isec) 3594 return -ENOMEM; 3595 3596 isec->sclass = sclass; 3597 isec->ipc_perm = perm; 3598 isec->sid = tsec->sid; 3599 perm->security = isec; 3600 3601 return 0; 3602 } 3603 3604 static void ipc_free_security(struct kern_ipc_perm *perm) 3605 { 3606 struct ipc_security_struct *isec = perm->security; 3607 perm->security = NULL; 3608 kfree(isec); 3609 } 3610 3611 static int msg_msg_alloc_security(struct msg_msg *msg) 3612 { 3613 struct msg_security_struct *msec; 3614 3615 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 3616 if (!msec) 3617 return -ENOMEM; 3618 3619 msec->msg = msg; 3620 msec->sid = SECINITSID_UNLABELED; 3621 msg->security = msec; 3622 3623 return 0; 3624 } 3625 3626 static void msg_msg_free_security(struct msg_msg *msg) 3627 { 3628 struct msg_security_struct *msec = msg->security; 3629 3630 msg->security = NULL; 3631 kfree(msec); 3632 } 3633 3634 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 3635 u32 perms) 3636 { 3637 struct task_security_struct *tsec; 3638 struct ipc_security_struct *isec; 3639 struct avc_audit_data ad; 3640 3641 tsec = current->security; 3642 isec = ipc_perms->security; 3643 3644 AVC_AUDIT_DATA_INIT(&ad, IPC); 3645 ad.u.ipc_id = ipc_perms->key; 3646 3647 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 3648 } 3649 3650 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 3651 { 3652 return msg_msg_alloc_security(msg); 3653 } 3654 3655 static void selinux_msg_msg_free_security(struct msg_msg *msg) 3656 { 3657 msg_msg_free_security(msg); 3658 } 3659 3660 /* message queue security operations */ 3661 static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 3662 { 3663 struct task_security_struct *tsec; 3664 struct ipc_security_struct *isec; 3665 struct avc_audit_data ad; 3666 int rc; 3667 3668 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ); 3669 if (rc) 3670 return rc; 3671 3672 tsec = current->security; 3673 isec = msq->q_perm.security; 3674 3675 AVC_AUDIT_DATA_INIT(&ad, IPC); 3676 ad.u.ipc_id = msq->q_perm.key; 3677 3678 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 3679 MSGQ__CREATE, &ad); 3680 if (rc) { 3681 ipc_free_security(&msq->q_perm); 3682 return rc; 3683 } 3684 return 0; 3685 } 3686 3687 static void selinux_msg_queue_free_security(struct msg_queue *msq) 3688 { 3689 ipc_free_security(&msq->q_perm); 3690 } 3691 3692 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 3693 { 3694 struct task_security_struct *tsec; 3695 struct ipc_security_struct *isec; 3696 struct avc_audit_data ad; 3697 3698 tsec = current->security; 3699 isec = msq->q_perm.security; 3700 3701 AVC_AUDIT_DATA_INIT(&ad, IPC); 3702 ad.u.ipc_id = msq->q_perm.key; 3703 3704 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 3705 MSGQ__ASSOCIATE, &ad); 3706 } 3707 3708 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 3709 { 3710 int err; 3711 int perms; 3712 3713 switch(cmd) { 3714 case IPC_INFO: 3715 case MSG_INFO: 3716 /* No specific object, just general system-wide information. */ 3717 return task_has_system(current, SYSTEM__IPC_INFO); 3718 case IPC_STAT: 3719 case MSG_STAT: 3720 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 3721 break; 3722 case IPC_SET: 3723 perms = MSGQ__SETATTR; 3724 break; 3725 case IPC_RMID: 3726 perms = MSGQ__DESTROY; 3727 break; 3728 default: 3729 return 0; 3730 } 3731 3732 err = ipc_has_perm(&msq->q_perm, perms); 3733 return err; 3734 } 3735 3736 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 3737 { 3738 struct task_security_struct *tsec; 3739 struct ipc_security_struct *isec; 3740 struct msg_security_struct *msec; 3741 struct avc_audit_data ad; 3742 int rc; 3743 3744 tsec = current->security; 3745 isec = msq->q_perm.security; 3746 msec = msg->security; 3747 3748 /* 3749 * First time through, need to assign label to the message 3750 */ 3751 if (msec->sid == SECINITSID_UNLABELED) { 3752 /* 3753 * Compute new sid based on current process and 3754 * message queue this message will be stored in 3755 */ 3756 rc = security_transition_sid(tsec->sid, 3757 isec->sid, 3758 SECCLASS_MSG, 3759 &msec->sid); 3760 if (rc) 3761 return rc; 3762 } 3763 3764 AVC_AUDIT_DATA_INIT(&ad, IPC); 3765 ad.u.ipc_id = msq->q_perm.key; 3766 3767 /* Can this process write to the queue? */ 3768 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 3769 MSGQ__WRITE, &ad); 3770 if (!rc) 3771 /* Can this process send the message */ 3772 rc = avc_has_perm(tsec->sid, msec->sid, 3773 SECCLASS_MSG, MSG__SEND, &ad); 3774 if (!rc) 3775 /* Can the message be put in the queue? */ 3776 rc = avc_has_perm(msec->sid, isec->sid, 3777 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad); 3778 3779 return rc; 3780 } 3781 3782 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 3783 struct task_struct *target, 3784 long type, int mode) 3785 { 3786 struct task_security_struct *tsec; 3787 struct ipc_security_struct *isec; 3788 struct msg_security_struct *msec; 3789 struct avc_audit_data ad; 3790 int rc; 3791 3792 tsec = target->security; 3793 isec = msq->q_perm.security; 3794 msec = msg->security; 3795 3796 AVC_AUDIT_DATA_INIT(&ad, IPC); 3797 ad.u.ipc_id = msq->q_perm.key; 3798 3799 rc = avc_has_perm(tsec->sid, isec->sid, 3800 SECCLASS_MSGQ, MSGQ__READ, &ad); 3801 if (!rc) 3802 rc = avc_has_perm(tsec->sid, msec->sid, 3803 SECCLASS_MSG, MSG__RECEIVE, &ad); 3804 return rc; 3805 } 3806 3807 /* Shared Memory security operations */ 3808 static int selinux_shm_alloc_security(struct shmid_kernel *shp) 3809 { 3810 struct task_security_struct *tsec; 3811 struct ipc_security_struct *isec; 3812 struct avc_audit_data ad; 3813 int rc; 3814 3815 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM); 3816 if (rc) 3817 return rc; 3818 3819 tsec = current->security; 3820 isec = shp->shm_perm.security; 3821 3822 AVC_AUDIT_DATA_INIT(&ad, IPC); 3823 ad.u.ipc_id = shp->shm_perm.key; 3824 3825 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 3826 SHM__CREATE, &ad); 3827 if (rc) { 3828 ipc_free_security(&shp->shm_perm); 3829 return rc; 3830 } 3831 return 0; 3832 } 3833 3834 static void selinux_shm_free_security(struct shmid_kernel *shp) 3835 { 3836 ipc_free_security(&shp->shm_perm); 3837 } 3838 3839 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 3840 { 3841 struct task_security_struct *tsec; 3842 struct ipc_security_struct *isec; 3843 struct avc_audit_data ad; 3844 3845 tsec = current->security; 3846 isec = shp->shm_perm.security; 3847 3848 AVC_AUDIT_DATA_INIT(&ad, IPC); 3849 ad.u.ipc_id = shp->shm_perm.key; 3850 3851 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 3852 SHM__ASSOCIATE, &ad); 3853 } 3854 3855 /* Note, at this point, shp is locked down */ 3856 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 3857 { 3858 int perms; 3859 int err; 3860 3861 switch(cmd) { 3862 case IPC_INFO: 3863 case SHM_INFO: 3864 /* No specific object, just general system-wide information. */ 3865 return task_has_system(current, SYSTEM__IPC_INFO); 3866 case IPC_STAT: 3867 case SHM_STAT: 3868 perms = SHM__GETATTR | SHM__ASSOCIATE; 3869 break; 3870 case IPC_SET: 3871 perms = SHM__SETATTR; 3872 break; 3873 case SHM_LOCK: 3874 case SHM_UNLOCK: 3875 perms = SHM__LOCK; 3876 break; 3877 case IPC_RMID: 3878 perms = SHM__DESTROY; 3879 break; 3880 default: 3881 return 0; 3882 } 3883 3884 err = ipc_has_perm(&shp->shm_perm, perms); 3885 return err; 3886 } 3887 3888 static int selinux_shm_shmat(struct shmid_kernel *shp, 3889 char __user *shmaddr, int shmflg) 3890 { 3891 u32 perms; 3892 int rc; 3893 3894 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg); 3895 if (rc) 3896 return rc; 3897 3898 if (shmflg & SHM_RDONLY) 3899 perms = SHM__READ; 3900 else 3901 perms = SHM__READ | SHM__WRITE; 3902 3903 return ipc_has_perm(&shp->shm_perm, perms); 3904 } 3905 3906 /* Semaphore security operations */ 3907 static int selinux_sem_alloc_security(struct sem_array *sma) 3908 { 3909 struct task_security_struct *tsec; 3910 struct ipc_security_struct *isec; 3911 struct avc_audit_data ad; 3912 int rc; 3913 3914 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM); 3915 if (rc) 3916 return rc; 3917 3918 tsec = current->security; 3919 isec = sma->sem_perm.security; 3920 3921 AVC_AUDIT_DATA_INIT(&ad, IPC); 3922 ad.u.ipc_id = sma->sem_perm.key; 3923 3924 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 3925 SEM__CREATE, &ad); 3926 if (rc) { 3927 ipc_free_security(&sma->sem_perm); 3928 return rc; 3929 } 3930 return 0; 3931 } 3932 3933 static void selinux_sem_free_security(struct sem_array *sma) 3934 { 3935 ipc_free_security(&sma->sem_perm); 3936 } 3937 3938 static int selinux_sem_associate(struct sem_array *sma, int semflg) 3939 { 3940 struct task_security_struct *tsec; 3941 struct ipc_security_struct *isec; 3942 struct avc_audit_data ad; 3943 3944 tsec = current->security; 3945 isec = sma->sem_perm.security; 3946 3947 AVC_AUDIT_DATA_INIT(&ad, IPC); 3948 ad.u.ipc_id = sma->sem_perm.key; 3949 3950 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 3951 SEM__ASSOCIATE, &ad); 3952 } 3953 3954 /* Note, at this point, sma is locked down */ 3955 static int selinux_sem_semctl(struct sem_array *sma, int cmd) 3956 { 3957 int err; 3958 u32 perms; 3959 3960 switch(cmd) { 3961 case IPC_INFO: 3962 case SEM_INFO: 3963 /* No specific object, just general system-wide information. */ 3964 return task_has_system(current, SYSTEM__IPC_INFO); 3965 case GETPID: 3966 case GETNCNT: 3967 case GETZCNT: 3968 perms = SEM__GETATTR; 3969 break; 3970 case GETVAL: 3971 case GETALL: 3972 perms = SEM__READ; 3973 break; 3974 case SETVAL: 3975 case SETALL: 3976 perms = SEM__WRITE; 3977 break; 3978 case IPC_RMID: 3979 perms = SEM__DESTROY; 3980 break; 3981 case IPC_SET: 3982 perms = SEM__SETATTR; 3983 break; 3984 case IPC_STAT: 3985 case SEM_STAT: 3986 perms = SEM__GETATTR | SEM__ASSOCIATE; 3987 break; 3988 default: 3989 return 0; 3990 } 3991 3992 err = ipc_has_perm(&sma->sem_perm, perms); 3993 return err; 3994 } 3995 3996 static int selinux_sem_semop(struct sem_array *sma, 3997 struct sembuf *sops, unsigned nsops, int alter) 3998 { 3999 u32 perms; 4000 4001 if (alter) 4002 perms = SEM__READ | SEM__WRITE; 4003 else 4004 perms = SEM__READ; 4005 4006 return ipc_has_perm(&sma->sem_perm, perms); 4007 } 4008 4009 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 4010 { 4011 u32 av = 0; 4012 4013 av = 0; 4014 if (flag & S_IRUGO) 4015 av |= IPC__UNIX_READ; 4016 if (flag & S_IWUGO) 4017 av |= IPC__UNIX_WRITE; 4018 4019 if (av == 0) 4020 return 0; 4021 4022 return ipc_has_perm(ipcp, av); 4023 } 4024 4025 /* module stacking operations */ 4026 static int selinux_register_security (const char *name, struct security_operations *ops) 4027 { 4028 if (secondary_ops != original_ops) { 4029 printk(KERN_INFO "%s: There is already a secondary security " 4030 "module registered.\n", __FUNCTION__); 4031 return -EINVAL; 4032 } 4033 4034 secondary_ops = ops; 4035 4036 printk(KERN_INFO "%s: Registering secondary module %s\n", 4037 __FUNCTION__, 4038 name); 4039 4040 return 0; 4041 } 4042 4043 static int selinux_unregister_security (const char *name, struct security_operations *ops) 4044 { 4045 if (ops != secondary_ops) { 4046 printk (KERN_INFO "%s: trying to unregister a security module " 4047 "that is not registered.\n", __FUNCTION__); 4048 return -EINVAL; 4049 } 4050 4051 secondary_ops = original_ops; 4052 4053 return 0; 4054 } 4055 4056 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode) 4057 { 4058 if (inode) 4059 inode_doinit_with_dentry(inode, dentry); 4060 } 4061 4062 static int selinux_getprocattr(struct task_struct *p, 4063 char *name, void *value, size_t size) 4064 { 4065 struct task_security_struct *tsec; 4066 u32 sid, len; 4067 char *context; 4068 int error; 4069 4070 if (current != p) { 4071 error = task_has_perm(current, p, PROCESS__GETATTR); 4072 if (error) 4073 return error; 4074 } 4075 4076 if (!size) 4077 return -ERANGE; 4078 4079 tsec = p->security; 4080 4081 if (!strcmp(name, "current")) 4082 sid = tsec->sid; 4083 else if (!strcmp(name, "prev")) 4084 sid = tsec->osid; 4085 else if (!strcmp(name, "exec")) 4086 sid = tsec->exec_sid; 4087 else if (!strcmp(name, "fscreate")) 4088 sid = tsec->create_sid; 4089 else 4090 return -EINVAL; 4091 4092 if (!sid) 4093 return 0; 4094 4095 error = security_sid_to_context(sid, &context, &len); 4096 if (error) 4097 return error; 4098 if (len > size) { 4099 kfree(context); 4100 return -ERANGE; 4101 } 4102 memcpy(value, context, len); 4103 kfree(context); 4104 return len; 4105 } 4106 4107 static int selinux_setprocattr(struct task_struct *p, 4108 char *name, void *value, size_t size) 4109 { 4110 struct task_security_struct *tsec; 4111 u32 sid = 0; 4112 int error; 4113 char *str = value; 4114 4115 if (current != p) { 4116 /* SELinux only allows a process to change its own 4117 security attributes. */ 4118 return -EACCES; 4119 } 4120 4121 /* 4122 * Basic control over ability to set these attributes at all. 4123 * current == p, but we'll pass them separately in case the 4124 * above restriction is ever removed. 4125 */ 4126 if (!strcmp(name, "exec")) 4127 error = task_has_perm(current, p, PROCESS__SETEXEC); 4128 else if (!strcmp(name, "fscreate")) 4129 error = task_has_perm(current, p, PROCESS__SETFSCREATE); 4130 else if (!strcmp(name, "current")) 4131 error = task_has_perm(current, p, PROCESS__SETCURRENT); 4132 else 4133 error = -EINVAL; 4134 if (error) 4135 return error; 4136 4137 /* Obtain a SID for the context, if one was specified. */ 4138 if (size && str[1] && str[1] != '\n') { 4139 if (str[size-1] == '\n') { 4140 str[size-1] = 0; 4141 size--; 4142 } 4143 error = security_context_to_sid(value, size, &sid); 4144 if (error) 4145 return error; 4146 } 4147 4148 /* Permission checking based on the specified context is 4149 performed during the actual operation (execve, 4150 open/mkdir/...), when we know the full context of the 4151 operation. See selinux_bprm_set_security for the execve 4152 checks and may_create for the file creation checks. The 4153 operation will then fail if the context is not permitted. */ 4154 tsec = p->security; 4155 if (!strcmp(name, "exec")) 4156 tsec->exec_sid = sid; 4157 else if (!strcmp(name, "fscreate")) 4158 tsec->create_sid = sid; 4159 else if (!strcmp(name, "current")) { 4160 struct av_decision avd; 4161 4162 if (sid == 0) 4163 return -EINVAL; 4164 4165 /* Only allow single threaded processes to change context */ 4166 if (atomic_read(&p->mm->mm_users) != 1) { 4167 struct task_struct *g, *t; 4168 struct mm_struct *mm = p->mm; 4169 read_lock(&tasklist_lock); 4170 do_each_thread(g, t) 4171 if (t->mm == mm && t != p) { 4172 read_unlock(&tasklist_lock); 4173 return -EPERM; 4174 } 4175 while_each_thread(g, t); 4176 read_unlock(&tasklist_lock); 4177 } 4178 4179 /* Check permissions for the transition. */ 4180 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 4181 PROCESS__DYNTRANSITION, NULL); 4182 if (error) 4183 return error; 4184 4185 /* Check for ptracing, and update the task SID if ok. 4186 Otherwise, leave SID unchanged and fail. */ 4187 task_lock(p); 4188 if (p->ptrace & PT_PTRACED) { 4189 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid, 4190 SECCLASS_PROCESS, 4191 PROCESS__PTRACE, &avd); 4192 if (!error) 4193 tsec->sid = sid; 4194 task_unlock(p); 4195 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS, 4196 PROCESS__PTRACE, &avd, error, NULL); 4197 if (error) 4198 return error; 4199 } else { 4200 tsec->sid = sid; 4201 task_unlock(p); 4202 } 4203 } 4204 else 4205 return -EINVAL; 4206 4207 return size; 4208 } 4209 4210 static struct security_operations selinux_ops = { 4211 .ptrace = selinux_ptrace, 4212 .capget = selinux_capget, 4213 .capset_check = selinux_capset_check, 4214 .capset_set = selinux_capset_set, 4215 .sysctl = selinux_sysctl, 4216 .capable = selinux_capable, 4217 .quotactl = selinux_quotactl, 4218 .quota_on = selinux_quota_on, 4219 .syslog = selinux_syslog, 4220 .vm_enough_memory = selinux_vm_enough_memory, 4221 4222 .netlink_send = selinux_netlink_send, 4223 .netlink_recv = selinux_netlink_recv, 4224 4225 .bprm_alloc_security = selinux_bprm_alloc_security, 4226 .bprm_free_security = selinux_bprm_free_security, 4227 .bprm_apply_creds = selinux_bprm_apply_creds, 4228 .bprm_post_apply_creds = selinux_bprm_post_apply_creds, 4229 .bprm_set_security = selinux_bprm_set_security, 4230 .bprm_check_security = selinux_bprm_check_security, 4231 .bprm_secureexec = selinux_bprm_secureexec, 4232 4233 .sb_alloc_security = selinux_sb_alloc_security, 4234 .sb_free_security = selinux_sb_free_security, 4235 .sb_copy_data = selinux_sb_copy_data, 4236 .sb_kern_mount = selinux_sb_kern_mount, 4237 .sb_statfs = selinux_sb_statfs, 4238 .sb_mount = selinux_mount, 4239 .sb_umount = selinux_umount, 4240 4241 .inode_alloc_security = selinux_inode_alloc_security, 4242 .inode_free_security = selinux_inode_free_security, 4243 .inode_init_security = selinux_inode_init_security, 4244 .inode_create = selinux_inode_create, 4245 .inode_link = selinux_inode_link, 4246 .inode_unlink = selinux_inode_unlink, 4247 .inode_symlink = selinux_inode_symlink, 4248 .inode_mkdir = selinux_inode_mkdir, 4249 .inode_rmdir = selinux_inode_rmdir, 4250 .inode_mknod = selinux_inode_mknod, 4251 .inode_rename = selinux_inode_rename, 4252 .inode_readlink = selinux_inode_readlink, 4253 .inode_follow_link = selinux_inode_follow_link, 4254 .inode_permission = selinux_inode_permission, 4255 .inode_setattr = selinux_inode_setattr, 4256 .inode_getattr = selinux_inode_getattr, 4257 .inode_setxattr = selinux_inode_setxattr, 4258 .inode_post_setxattr = selinux_inode_post_setxattr, 4259 .inode_getxattr = selinux_inode_getxattr, 4260 .inode_listxattr = selinux_inode_listxattr, 4261 .inode_removexattr = selinux_inode_removexattr, 4262 .inode_getsecurity = selinux_inode_getsecurity, 4263 .inode_setsecurity = selinux_inode_setsecurity, 4264 .inode_listsecurity = selinux_inode_listsecurity, 4265 4266 .file_permission = selinux_file_permission, 4267 .file_alloc_security = selinux_file_alloc_security, 4268 .file_free_security = selinux_file_free_security, 4269 .file_ioctl = selinux_file_ioctl, 4270 .file_mmap = selinux_file_mmap, 4271 .file_mprotect = selinux_file_mprotect, 4272 .file_lock = selinux_file_lock, 4273 .file_fcntl = selinux_file_fcntl, 4274 .file_set_fowner = selinux_file_set_fowner, 4275 .file_send_sigiotask = selinux_file_send_sigiotask, 4276 .file_receive = selinux_file_receive, 4277 4278 .task_create = selinux_task_create, 4279 .task_alloc_security = selinux_task_alloc_security, 4280 .task_free_security = selinux_task_free_security, 4281 .task_setuid = selinux_task_setuid, 4282 .task_post_setuid = selinux_task_post_setuid, 4283 .task_setgid = selinux_task_setgid, 4284 .task_setpgid = selinux_task_setpgid, 4285 .task_getpgid = selinux_task_getpgid, 4286 .task_getsid = selinux_task_getsid, 4287 .task_setgroups = selinux_task_setgroups, 4288 .task_setnice = selinux_task_setnice, 4289 .task_setrlimit = selinux_task_setrlimit, 4290 .task_setscheduler = selinux_task_setscheduler, 4291 .task_getscheduler = selinux_task_getscheduler, 4292 .task_kill = selinux_task_kill, 4293 .task_wait = selinux_task_wait, 4294 .task_prctl = selinux_task_prctl, 4295 .task_reparent_to_init = selinux_task_reparent_to_init, 4296 .task_to_inode = selinux_task_to_inode, 4297 4298 .ipc_permission = selinux_ipc_permission, 4299 4300 .msg_msg_alloc_security = selinux_msg_msg_alloc_security, 4301 .msg_msg_free_security = selinux_msg_msg_free_security, 4302 4303 .msg_queue_alloc_security = selinux_msg_queue_alloc_security, 4304 .msg_queue_free_security = selinux_msg_queue_free_security, 4305 .msg_queue_associate = selinux_msg_queue_associate, 4306 .msg_queue_msgctl = selinux_msg_queue_msgctl, 4307 .msg_queue_msgsnd = selinux_msg_queue_msgsnd, 4308 .msg_queue_msgrcv = selinux_msg_queue_msgrcv, 4309 4310 .shm_alloc_security = selinux_shm_alloc_security, 4311 .shm_free_security = selinux_shm_free_security, 4312 .shm_associate = selinux_shm_associate, 4313 .shm_shmctl = selinux_shm_shmctl, 4314 .shm_shmat = selinux_shm_shmat, 4315 4316 .sem_alloc_security = selinux_sem_alloc_security, 4317 .sem_free_security = selinux_sem_free_security, 4318 .sem_associate = selinux_sem_associate, 4319 .sem_semctl = selinux_sem_semctl, 4320 .sem_semop = selinux_sem_semop, 4321 4322 .register_security = selinux_register_security, 4323 .unregister_security = selinux_unregister_security, 4324 4325 .d_instantiate = selinux_d_instantiate, 4326 4327 .getprocattr = selinux_getprocattr, 4328 .setprocattr = selinux_setprocattr, 4329 4330 .unix_stream_connect = selinux_socket_unix_stream_connect, 4331 .unix_may_send = selinux_socket_unix_may_send, 4332 4333 .socket_create = selinux_socket_create, 4334 .socket_post_create = selinux_socket_post_create, 4335 .socket_bind = selinux_socket_bind, 4336 .socket_connect = selinux_socket_connect, 4337 .socket_listen = selinux_socket_listen, 4338 .socket_accept = selinux_socket_accept, 4339 .socket_sendmsg = selinux_socket_sendmsg, 4340 .socket_recvmsg = selinux_socket_recvmsg, 4341 .socket_getsockname = selinux_socket_getsockname, 4342 .socket_getpeername = selinux_socket_getpeername, 4343 .socket_getsockopt = selinux_socket_getsockopt, 4344 .socket_setsockopt = selinux_socket_setsockopt, 4345 .socket_shutdown = selinux_socket_shutdown, 4346 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb, 4347 .socket_getpeersec = selinux_socket_getpeersec, 4348 .sk_alloc_security = selinux_sk_alloc_security, 4349 .sk_free_security = selinux_sk_free_security, 4350 .sk_getsid = selinux_sk_getsid_security, 4351 4352 #ifdef CONFIG_SECURITY_NETWORK_XFRM 4353 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, 4354 .xfrm_policy_clone_security = selinux_xfrm_policy_clone, 4355 .xfrm_policy_free_security = selinux_xfrm_policy_free, 4356 .xfrm_state_alloc_security = selinux_xfrm_state_alloc, 4357 .xfrm_state_free_security = selinux_xfrm_state_free, 4358 .xfrm_policy_lookup = selinux_xfrm_policy_lookup, 4359 #endif 4360 }; 4361 4362 static __init int selinux_init(void) 4363 { 4364 struct task_security_struct *tsec; 4365 4366 if (!selinux_enabled) { 4367 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 4368 return 0; 4369 } 4370 4371 printk(KERN_INFO "SELinux: Initializing.\n"); 4372 4373 /* Set the security state for the initial task. */ 4374 if (task_alloc_security(current)) 4375 panic("SELinux: Failed to initialize initial task.\n"); 4376 tsec = current->security; 4377 tsec->osid = tsec->sid = SECINITSID_KERNEL; 4378 4379 avc_init(); 4380 4381 original_ops = secondary_ops = security_ops; 4382 if (!secondary_ops) 4383 panic ("SELinux: No initial security operations\n"); 4384 if (register_security (&selinux_ops)) 4385 panic("SELinux: Unable to register with kernel.\n"); 4386 4387 if (selinux_enforcing) { 4388 printk(KERN_INFO "SELinux: Starting in enforcing mode\n"); 4389 } else { 4390 printk(KERN_INFO "SELinux: Starting in permissive mode\n"); 4391 } 4392 return 0; 4393 } 4394 4395 void selinux_complete_init(void) 4396 { 4397 printk(KERN_INFO "SELinux: Completing initialization.\n"); 4398 4399 /* Set up any superblocks initialized prior to the policy load. */ 4400 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n"); 4401 spin_lock(&sb_security_lock); 4402 next_sb: 4403 if (!list_empty(&superblock_security_head)) { 4404 struct superblock_security_struct *sbsec = 4405 list_entry(superblock_security_head.next, 4406 struct superblock_security_struct, 4407 list); 4408 struct super_block *sb = sbsec->sb; 4409 spin_lock(&sb_lock); 4410 sb->s_count++; 4411 spin_unlock(&sb_lock); 4412 spin_unlock(&sb_security_lock); 4413 down_read(&sb->s_umount); 4414 if (sb->s_root) 4415 superblock_doinit(sb, NULL); 4416 drop_super(sb); 4417 spin_lock(&sb_security_lock); 4418 list_del_init(&sbsec->list); 4419 goto next_sb; 4420 } 4421 spin_unlock(&sb_security_lock); 4422 } 4423 4424 /* SELinux requires early initialization in order to label 4425 all processes and objects when they are created. */ 4426 security_initcall(selinux_init); 4427 4428 #if defined(CONFIG_NETFILTER) 4429 4430 static struct nf_hook_ops selinux_ipv4_op = { 4431 .hook = selinux_ipv4_postroute_last, 4432 .owner = THIS_MODULE, 4433 .pf = PF_INET, 4434 .hooknum = NF_IP_POST_ROUTING, 4435 .priority = NF_IP_PRI_SELINUX_LAST, 4436 }; 4437 4438 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4439 4440 static struct nf_hook_ops selinux_ipv6_op = { 4441 .hook = selinux_ipv6_postroute_last, 4442 .owner = THIS_MODULE, 4443 .pf = PF_INET6, 4444 .hooknum = NF_IP6_POST_ROUTING, 4445 .priority = NF_IP6_PRI_SELINUX_LAST, 4446 }; 4447 4448 #endif /* IPV6 */ 4449 4450 static int __init selinux_nf_ip_init(void) 4451 { 4452 int err = 0; 4453 4454 if (!selinux_enabled) 4455 goto out; 4456 4457 printk(KERN_INFO "SELinux: Registering netfilter hooks\n"); 4458 4459 err = nf_register_hook(&selinux_ipv4_op); 4460 if (err) 4461 panic("SELinux: nf_register_hook for IPv4: error %d\n", err); 4462 4463 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4464 4465 err = nf_register_hook(&selinux_ipv6_op); 4466 if (err) 4467 panic("SELinux: nf_register_hook for IPv6: error %d\n", err); 4468 4469 #endif /* IPV6 */ 4470 4471 out: 4472 return err; 4473 } 4474 4475 __initcall(selinux_nf_ip_init); 4476 4477 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 4478 static void selinux_nf_ip_exit(void) 4479 { 4480 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n"); 4481 4482 nf_unregister_hook(&selinux_ipv4_op); 4483 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4484 nf_unregister_hook(&selinux_ipv6_op); 4485 #endif /* IPV6 */ 4486 } 4487 #endif 4488 4489 #else /* CONFIG_NETFILTER */ 4490 4491 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 4492 #define selinux_nf_ip_exit() 4493 #endif 4494 4495 #endif /* CONFIG_NETFILTER */ 4496 4497 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 4498 int selinux_disable(void) 4499 { 4500 extern void exit_sel_fs(void); 4501 static int selinux_disabled = 0; 4502 4503 if (ss_initialized) { 4504 /* Not permitted after initial policy load. */ 4505 return -EINVAL; 4506 } 4507 4508 if (selinux_disabled) { 4509 /* Only do this once. */ 4510 return -EINVAL; 4511 } 4512 4513 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 4514 4515 selinux_disabled = 1; 4516 4517 /* Reset security_ops to the secondary module, dummy or capability. */ 4518 security_ops = secondary_ops; 4519 4520 /* Unregister netfilter hooks. */ 4521 selinux_nf_ip_exit(); 4522 4523 /* Unregister selinuxfs. */ 4524 exit_sel_fs(); 4525 4526 return 0; 4527 } 4528 #endif 4529 4530 4531