1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 14 * <dgoeddel@trustedcs.com> 15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. 16 * Paul Moore <paul.moore@hp.com> 17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 18 * Yuichi Nakamura <ynakam@hitachisoft.jp> 19 * 20 * This program is free software; you can redistribute it and/or modify 21 * it under the terms of the GNU General Public License version 2, 22 * as published by the Free Software Foundation. 23 */ 24 25 #include <linux/init.h> 26 #include <linux/kernel.h> 27 #include <linux/ptrace.h> 28 #include <linux/errno.h> 29 #include <linux/sched.h> 30 #include <linux/security.h> 31 #include <linux/xattr.h> 32 #include <linux/capability.h> 33 #include <linux/unistd.h> 34 #include <linux/mm.h> 35 #include <linux/mman.h> 36 #include <linux/slab.h> 37 #include <linux/pagemap.h> 38 #include <linux/swap.h> 39 #include <linux/spinlock.h> 40 #include <linux/syscalls.h> 41 #include <linux/file.h> 42 #include <linux/namei.h> 43 #include <linux/mount.h> 44 #include <linux/ext2_fs.h> 45 #include <linux/proc_fs.h> 46 #include <linux/kd.h> 47 #include <linux/netfilter_ipv4.h> 48 #include <linux/netfilter_ipv6.h> 49 #include <linux/tty.h> 50 #include <net/icmp.h> 51 #include <net/ip.h> /* for local_port_range[] */ 52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 53 #include <net/net_namespace.h> 54 #include <net/netlabel.h> 55 #include <asm/uaccess.h> 56 #include <asm/ioctls.h> 57 #include <asm/atomic.h> 58 #include <linux/bitops.h> 59 #include <linux/interrupt.h> 60 #include <linux/netdevice.h> /* for network interface checks */ 61 #include <linux/netlink.h> 62 #include <linux/tcp.h> 63 #include <linux/udp.h> 64 #include <linux/dccp.h> 65 #include <linux/quota.h> 66 #include <linux/un.h> /* for Unix socket types */ 67 #include <net/af_unix.h> /* for Unix socket types */ 68 #include <linux/parser.h> 69 #include <linux/nfs_mount.h> 70 #include <net/ipv6.h> 71 #include <linux/hugetlb.h> 72 #include <linux/personality.h> 73 #include <linux/sysctl.h> 74 #include <linux/audit.h> 75 #include <linux/string.h> 76 #include <linux/selinux.h> 77 #include <linux/mutex.h> 78 79 #include "avc.h" 80 #include "objsec.h" 81 #include "netif.h" 82 #include "netnode.h" 83 #include "xfrm.h" 84 #include "netlabel.h" 85 86 #define XATTR_SELINUX_SUFFIX "selinux" 87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX 88 89 #define NUM_SEL_MNT_OPTS 4 90 91 extern unsigned int policydb_loaded_version; 92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); 93 extern int selinux_compat_net; 94 extern struct security_operations *security_ops; 95 96 /* SECMARK reference count */ 97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 98 99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 100 int selinux_enforcing = 0; 101 102 static int __init enforcing_setup(char *str) 103 { 104 selinux_enforcing = simple_strtol(str,NULL,0); 105 return 1; 106 } 107 __setup("enforcing=", enforcing_setup); 108 #endif 109 110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 112 113 static int __init selinux_enabled_setup(char *str) 114 { 115 selinux_enabled = simple_strtol(str, NULL, 0); 116 return 1; 117 } 118 __setup("selinux=", selinux_enabled_setup); 119 #else 120 int selinux_enabled = 1; 121 #endif 122 123 /* Original (dummy) security module. */ 124 static struct security_operations *original_ops = NULL; 125 126 /* Minimal support for a secondary security module, 127 just to allow the use of the dummy or capability modules. 128 The owlsm module can alternatively be used as a secondary 129 module as long as CONFIG_OWLSM_FD is not enabled. */ 130 static struct security_operations *secondary_ops = NULL; 131 132 /* Lists of inode and superblock security structures initialized 133 before the policy was loaded. */ 134 static LIST_HEAD(superblock_security_head); 135 static DEFINE_SPINLOCK(sb_security_lock); 136 137 static struct kmem_cache *sel_inode_cache; 138 139 /** 140 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 141 * 142 * Description: 143 * This function checks the SECMARK reference counter to see if any SECMARK 144 * targets are currently configured, if the reference counter is greater than 145 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 146 * enabled, false (0) if SECMARK is disabled. 147 * 148 */ 149 static int selinux_secmark_enabled(void) 150 { 151 return (atomic_read(&selinux_secmark_refcount) > 0); 152 } 153 154 /* Allocate and free functions for each kind of security blob. */ 155 156 static int task_alloc_security(struct task_struct *task) 157 { 158 struct task_security_struct *tsec; 159 160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 161 if (!tsec) 162 return -ENOMEM; 163 164 tsec->task = task; 165 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED; 166 task->security = tsec; 167 168 return 0; 169 } 170 171 static void task_free_security(struct task_struct *task) 172 { 173 struct task_security_struct *tsec = task->security; 174 task->security = NULL; 175 kfree(tsec); 176 } 177 178 static int inode_alloc_security(struct inode *inode) 179 { 180 struct task_security_struct *tsec = current->security; 181 struct inode_security_struct *isec; 182 183 isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL); 184 if (!isec) 185 return -ENOMEM; 186 187 mutex_init(&isec->lock); 188 INIT_LIST_HEAD(&isec->list); 189 isec->inode = inode; 190 isec->sid = SECINITSID_UNLABELED; 191 isec->sclass = SECCLASS_FILE; 192 isec->task_sid = tsec->sid; 193 inode->i_security = isec; 194 195 return 0; 196 } 197 198 static void inode_free_security(struct inode *inode) 199 { 200 struct inode_security_struct *isec = inode->i_security; 201 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 202 203 spin_lock(&sbsec->isec_lock); 204 if (!list_empty(&isec->list)) 205 list_del_init(&isec->list); 206 spin_unlock(&sbsec->isec_lock); 207 208 inode->i_security = NULL; 209 kmem_cache_free(sel_inode_cache, isec); 210 } 211 212 static int file_alloc_security(struct file *file) 213 { 214 struct task_security_struct *tsec = current->security; 215 struct file_security_struct *fsec; 216 217 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); 218 if (!fsec) 219 return -ENOMEM; 220 221 fsec->file = file; 222 fsec->sid = tsec->sid; 223 fsec->fown_sid = tsec->sid; 224 file->f_security = fsec; 225 226 return 0; 227 } 228 229 static void file_free_security(struct file *file) 230 { 231 struct file_security_struct *fsec = file->f_security; 232 file->f_security = NULL; 233 kfree(fsec); 234 } 235 236 static int superblock_alloc_security(struct super_block *sb) 237 { 238 struct superblock_security_struct *sbsec; 239 240 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 241 if (!sbsec) 242 return -ENOMEM; 243 244 mutex_init(&sbsec->lock); 245 INIT_LIST_HEAD(&sbsec->list); 246 INIT_LIST_HEAD(&sbsec->isec_head); 247 spin_lock_init(&sbsec->isec_lock); 248 sbsec->sb = sb; 249 sbsec->sid = SECINITSID_UNLABELED; 250 sbsec->def_sid = SECINITSID_FILE; 251 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 252 sb->s_security = sbsec; 253 254 return 0; 255 } 256 257 static void superblock_free_security(struct super_block *sb) 258 { 259 struct superblock_security_struct *sbsec = sb->s_security; 260 261 spin_lock(&sb_security_lock); 262 if (!list_empty(&sbsec->list)) 263 list_del_init(&sbsec->list); 264 spin_unlock(&sb_security_lock); 265 266 sb->s_security = NULL; 267 kfree(sbsec); 268 } 269 270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority) 271 { 272 struct sk_security_struct *ssec; 273 274 ssec = kzalloc(sizeof(*ssec), priority); 275 if (!ssec) 276 return -ENOMEM; 277 278 ssec->sk = sk; 279 ssec->peer_sid = SECINITSID_UNLABELED; 280 ssec->sid = SECINITSID_UNLABELED; 281 sk->sk_security = ssec; 282 283 selinux_netlbl_sk_security_init(ssec, family); 284 285 return 0; 286 } 287 288 static void sk_free_security(struct sock *sk) 289 { 290 struct sk_security_struct *ssec = sk->sk_security; 291 292 sk->sk_security = NULL; 293 kfree(ssec); 294 } 295 296 /* The security server must be initialized before 297 any labeling or access decisions can be provided. */ 298 extern int ss_initialized; 299 300 /* The file system's label must be initialized prior to use. */ 301 302 static char *labeling_behaviors[6] = { 303 "uses xattr", 304 "uses transition SIDs", 305 "uses task SIDs", 306 "uses genfs_contexts", 307 "not configured for labeling", 308 "uses mountpoint labeling", 309 }; 310 311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 312 313 static inline int inode_doinit(struct inode *inode) 314 { 315 return inode_doinit_with_dentry(inode, NULL); 316 } 317 318 enum { 319 Opt_error = -1, 320 Opt_context = 1, 321 Opt_fscontext = 2, 322 Opt_defcontext = 3, 323 Opt_rootcontext = 4, 324 }; 325 326 static match_table_t tokens = { 327 {Opt_context, "context=%s"}, 328 {Opt_fscontext, "fscontext=%s"}, 329 {Opt_defcontext, "defcontext=%s"}, 330 {Opt_rootcontext, "rootcontext=%s"}, 331 {Opt_error, NULL}, 332 }; 333 334 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 335 336 static int may_context_mount_sb_relabel(u32 sid, 337 struct superblock_security_struct *sbsec, 338 struct task_security_struct *tsec) 339 { 340 int rc; 341 342 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 343 FILESYSTEM__RELABELFROM, NULL); 344 if (rc) 345 return rc; 346 347 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 348 FILESYSTEM__RELABELTO, NULL); 349 return rc; 350 } 351 352 static int may_context_mount_inode_relabel(u32 sid, 353 struct superblock_security_struct *sbsec, 354 struct task_security_struct *tsec) 355 { 356 int rc; 357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 358 FILESYSTEM__RELABELFROM, NULL); 359 if (rc) 360 return rc; 361 362 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 363 FILESYSTEM__ASSOCIATE, NULL); 364 return rc; 365 } 366 367 static int sb_finish_set_opts(struct super_block *sb) 368 { 369 struct superblock_security_struct *sbsec = sb->s_security; 370 struct dentry *root = sb->s_root; 371 struct inode *root_inode = root->d_inode; 372 int rc = 0; 373 374 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 375 /* Make sure that the xattr handler exists and that no 376 error other than -ENODATA is returned by getxattr on 377 the root directory. -ENODATA is ok, as this may be 378 the first boot of the SELinux kernel before we have 379 assigned xattr values to the filesystem. */ 380 if (!root_inode->i_op->getxattr) { 381 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 382 "xattr support\n", sb->s_id, sb->s_type->name); 383 rc = -EOPNOTSUPP; 384 goto out; 385 } 386 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0); 387 if (rc < 0 && rc != -ENODATA) { 388 if (rc == -EOPNOTSUPP) 389 printk(KERN_WARNING "SELinux: (dev %s, type " 390 "%s) has no security xattr handler\n", 391 sb->s_id, sb->s_type->name); 392 else 393 printk(KERN_WARNING "SELinux: (dev %s, type " 394 "%s) getxattr errno %d\n", sb->s_id, 395 sb->s_type->name, -rc); 396 goto out; 397 } 398 } 399 400 sbsec->initialized = 1; 401 402 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) 403 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", 404 sb->s_id, sb->s_type->name); 405 else 406 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n", 407 sb->s_id, sb->s_type->name, 408 labeling_behaviors[sbsec->behavior-1]); 409 410 /* Initialize the root inode. */ 411 rc = inode_doinit_with_dentry(root_inode, root); 412 413 /* Initialize any other inodes associated with the superblock, e.g. 414 inodes created prior to initial policy load or inodes created 415 during get_sb by a pseudo filesystem that directly 416 populates itself. */ 417 spin_lock(&sbsec->isec_lock); 418 next_inode: 419 if (!list_empty(&sbsec->isec_head)) { 420 struct inode_security_struct *isec = 421 list_entry(sbsec->isec_head.next, 422 struct inode_security_struct, list); 423 struct inode *inode = isec->inode; 424 spin_unlock(&sbsec->isec_lock); 425 inode = igrab(inode); 426 if (inode) { 427 if (!IS_PRIVATE(inode)) 428 inode_doinit(inode); 429 iput(inode); 430 } 431 spin_lock(&sbsec->isec_lock); 432 list_del_init(&isec->list); 433 goto next_inode; 434 } 435 spin_unlock(&sbsec->isec_lock); 436 out: 437 return rc; 438 } 439 440 /* 441 * This function should allow an FS to ask what it's mount security 442 * options were so it can use those later for submounts, displaying 443 * mount options, or whatever. 444 */ 445 static int selinux_get_mnt_opts(const struct super_block *sb, 446 char ***mount_options, int **mnt_opts_flags, 447 int *num_opts) 448 { 449 int rc = 0, i; 450 struct superblock_security_struct *sbsec = sb->s_security; 451 char *context = NULL; 452 u32 len; 453 char tmp; 454 455 *num_opts = 0; 456 *mount_options = NULL; 457 *mnt_opts_flags = NULL; 458 459 if (!sbsec->initialized) 460 return -EINVAL; 461 462 if (!ss_initialized) 463 return -EINVAL; 464 465 /* 466 * if we ever use sbsec flags for anything other than tracking mount 467 * settings this is going to need a mask 468 */ 469 tmp = sbsec->flags; 470 /* count the number of mount options for this sb */ 471 for (i = 0; i < 8; i++) { 472 if (tmp & 0x01) 473 (*num_opts)++; 474 tmp >>= 1; 475 } 476 477 *mount_options = kcalloc(*num_opts, sizeof(char *), GFP_ATOMIC); 478 if (!*mount_options) { 479 rc = -ENOMEM; 480 goto out_free; 481 } 482 483 *mnt_opts_flags = kcalloc(*num_opts, sizeof(int), GFP_ATOMIC); 484 if (!*mnt_opts_flags) { 485 rc = -ENOMEM; 486 goto out_free; 487 } 488 489 i = 0; 490 if (sbsec->flags & FSCONTEXT_MNT) { 491 rc = security_sid_to_context(sbsec->sid, &context, &len); 492 if (rc) 493 goto out_free; 494 (*mount_options)[i] = context; 495 (*mnt_opts_flags)[i++] = FSCONTEXT_MNT; 496 } 497 if (sbsec->flags & CONTEXT_MNT) { 498 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); 499 if (rc) 500 goto out_free; 501 (*mount_options)[i] = context; 502 (*mnt_opts_flags)[i++] = CONTEXT_MNT; 503 } 504 if (sbsec->flags & DEFCONTEXT_MNT) { 505 rc = security_sid_to_context(sbsec->def_sid, &context, &len); 506 if (rc) 507 goto out_free; 508 (*mount_options)[i] = context; 509 (*mnt_opts_flags)[i++] = DEFCONTEXT_MNT; 510 } 511 if (sbsec->flags & ROOTCONTEXT_MNT) { 512 struct inode *root = sbsec->sb->s_root->d_inode; 513 struct inode_security_struct *isec = root->i_security; 514 515 rc = security_sid_to_context(isec->sid, &context, &len); 516 if (rc) 517 goto out_free; 518 (*mount_options)[i] = context; 519 (*mnt_opts_flags)[i++] = ROOTCONTEXT_MNT; 520 } 521 522 BUG_ON(i != *num_opts); 523 524 return 0; 525 526 out_free: 527 /* don't leak context string if security_sid_to_context had an error */ 528 if (*mount_options && i) 529 for (; i > 0; i--) 530 kfree((*mount_options)[i-1]); 531 kfree(*mount_options); 532 *mount_options = NULL; 533 kfree(*mnt_opts_flags); 534 *mnt_opts_flags = NULL; 535 *num_opts = 0; 536 return rc; 537 } 538 539 static int bad_option(struct superblock_security_struct *sbsec, char flag, 540 u32 old_sid, u32 new_sid) 541 { 542 /* check if the old mount command had the same options */ 543 if (sbsec->initialized) 544 if (!(sbsec->flags & flag) || 545 (old_sid != new_sid)) 546 return 1; 547 548 /* check if we were passed the same options twice, 549 * aka someone passed context=a,context=b 550 */ 551 if (!sbsec->initialized) 552 if (sbsec->flags & flag) 553 return 1; 554 return 0; 555 } 556 /* 557 * Allow filesystems with binary mount data to explicitly set mount point 558 * labeling information. 559 */ 560 static int selinux_set_mnt_opts(struct super_block *sb, char **mount_options, 561 int *flags, int num_opts) 562 { 563 int rc = 0, i; 564 struct task_security_struct *tsec = current->security; 565 struct superblock_security_struct *sbsec = sb->s_security; 566 const char *name = sb->s_type->name; 567 struct inode *inode = sbsec->sb->s_root->d_inode; 568 struct inode_security_struct *root_isec = inode->i_security; 569 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 570 u32 defcontext_sid = 0; 571 572 mutex_lock(&sbsec->lock); 573 574 if (!ss_initialized) { 575 if (!num_opts) { 576 /* Defer initialization until selinux_complete_init, 577 after the initial policy is loaded and the security 578 server is ready to handle calls. */ 579 spin_lock(&sb_security_lock); 580 if (list_empty(&sbsec->list)) 581 list_add(&sbsec->list, &superblock_security_head); 582 spin_unlock(&sb_security_lock); 583 goto out; 584 } 585 rc = -EINVAL; 586 printk(KERN_WARNING "Unable to set superblock options before " 587 "the security server is initialized\n"); 588 goto out; 589 } 590 591 /* 592 * parse the mount options, check if they are valid sids. 593 * also check if someone is trying to mount the same sb more 594 * than once with different security options. 595 */ 596 for (i = 0; i < num_opts; i++) { 597 u32 sid; 598 rc = security_context_to_sid(mount_options[i], 599 strlen(mount_options[i]), &sid); 600 if (rc) { 601 printk(KERN_WARNING "SELinux: security_context_to_sid" 602 "(%s) failed for (dev %s, type %s) errno=%d\n", 603 mount_options[i], sb->s_id, name, rc); 604 goto out; 605 } 606 switch (flags[i]) { 607 case FSCONTEXT_MNT: 608 fscontext_sid = sid; 609 610 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 611 fscontext_sid)) 612 goto out_double_mount; 613 614 sbsec->flags |= FSCONTEXT_MNT; 615 break; 616 case CONTEXT_MNT: 617 context_sid = sid; 618 619 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 620 context_sid)) 621 goto out_double_mount; 622 623 sbsec->flags |= CONTEXT_MNT; 624 break; 625 case ROOTCONTEXT_MNT: 626 rootcontext_sid = sid; 627 628 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 629 rootcontext_sid)) 630 goto out_double_mount; 631 632 sbsec->flags |= ROOTCONTEXT_MNT; 633 634 break; 635 case DEFCONTEXT_MNT: 636 defcontext_sid = sid; 637 638 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 639 defcontext_sid)) 640 goto out_double_mount; 641 642 sbsec->flags |= DEFCONTEXT_MNT; 643 644 break; 645 default: 646 rc = -EINVAL; 647 goto out; 648 } 649 } 650 651 if (sbsec->initialized) { 652 /* previously mounted with options, but not on this attempt? */ 653 if (sbsec->flags && !num_opts) 654 goto out_double_mount; 655 rc = 0; 656 goto out; 657 } 658 659 if (strcmp(sb->s_type->name, "proc") == 0) 660 sbsec->proc = 1; 661 662 /* Determine the labeling behavior to use for this filesystem type. */ 663 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid); 664 if (rc) { 665 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", 666 __FUNCTION__, sb->s_type->name, rc); 667 goto out; 668 } 669 670 /* sets the context of the superblock for the fs being mounted. */ 671 if (fscontext_sid) { 672 673 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec); 674 if (rc) 675 goto out; 676 677 sbsec->sid = fscontext_sid; 678 } 679 680 /* 681 * Switch to using mount point labeling behavior. 682 * sets the label used on all file below the mountpoint, and will set 683 * the superblock context if not already set. 684 */ 685 if (context_sid) { 686 if (!fscontext_sid) { 687 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec); 688 if (rc) 689 goto out; 690 sbsec->sid = context_sid; 691 } else { 692 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec); 693 if (rc) 694 goto out; 695 } 696 if (!rootcontext_sid) 697 rootcontext_sid = context_sid; 698 699 sbsec->mntpoint_sid = context_sid; 700 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 701 } 702 703 if (rootcontext_sid) { 704 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec); 705 if (rc) 706 goto out; 707 708 root_isec->sid = rootcontext_sid; 709 root_isec->initialized = 1; 710 } 711 712 if (defcontext_sid) { 713 if (sbsec->behavior != SECURITY_FS_USE_XATTR) { 714 rc = -EINVAL; 715 printk(KERN_WARNING "SELinux: defcontext option is " 716 "invalid for this filesystem type\n"); 717 goto out; 718 } 719 720 if (defcontext_sid != sbsec->def_sid) { 721 rc = may_context_mount_inode_relabel(defcontext_sid, 722 sbsec, tsec); 723 if (rc) 724 goto out; 725 } 726 727 sbsec->def_sid = defcontext_sid; 728 } 729 730 rc = sb_finish_set_opts(sb); 731 out: 732 mutex_unlock(&sbsec->lock); 733 return rc; 734 out_double_mount: 735 rc = -EINVAL; 736 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 737 "security settings for (dev %s, type %s)\n", sb->s_id, name); 738 goto out; 739 } 740 741 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 742 struct super_block *newsb) 743 { 744 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 745 struct superblock_security_struct *newsbsec = newsb->s_security; 746 747 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 748 int set_context = (oldsbsec->flags & CONTEXT_MNT); 749 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 750 751 /* we can't error, we can't save the info, this shouldn't get called 752 * this early in the boot process. */ 753 BUG_ON(!ss_initialized); 754 755 /* this might go away sometime down the line if there is a new user 756 * of clone, but for now, nfs better not get here... */ 757 BUG_ON(newsbsec->initialized); 758 759 /* how can we clone if the old one wasn't set up?? */ 760 BUG_ON(!oldsbsec->initialized); 761 762 mutex_lock(&newsbsec->lock); 763 764 newsbsec->flags = oldsbsec->flags; 765 766 newsbsec->sid = oldsbsec->sid; 767 newsbsec->def_sid = oldsbsec->def_sid; 768 newsbsec->behavior = oldsbsec->behavior; 769 770 if (set_context) { 771 u32 sid = oldsbsec->mntpoint_sid; 772 773 if (!set_fscontext) 774 newsbsec->sid = sid; 775 if (!set_rootcontext) { 776 struct inode *newinode = newsb->s_root->d_inode; 777 struct inode_security_struct *newisec = newinode->i_security; 778 newisec->sid = sid; 779 } 780 newsbsec->mntpoint_sid = sid; 781 } 782 if (set_rootcontext) { 783 const struct inode *oldinode = oldsb->s_root->d_inode; 784 const struct inode_security_struct *oldisec = oldinode->i_security; 785 struct inode *newinode = newsb->s_root->d_inode; 786 struct inode_security_struct *newisec = newinode->i_security; 787 788 newisec->sid = oldisec->sid; 789 } 790 791 sb_finish_set_opts(newsb); 792 mutex_unlock(&newsbsec->lock); 793 } 794 795 /* 796 * string mount options parsing and call set the sbsec 797 */ 798 static int superblock_doinit(struct super_block *sb, void *data) 799 { 800 char *context = NULL, *defcontext = NULL; 801 char *fscontext = NULL, *rootcontext = NULL; 802 int rc = 0; 803 char *p, *options = data; 804 /* selinux only know about a fixed number of mount options */ 805 char *mnt_opts[NUM_SEL_MNT_OPTS]; 806 int mnt_opts_flags[NUM_SEL_MNT_OPTS], num_mnt_opts = 0; 807 808 if (!data) 809 goto out; 810 811 /* with the nfs patch this will become a goto out; */ 812 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) { 813 const char *name = sb->s_type->name; 814 /* NFS we understand. */ 815 if (!strcmp(name, "nfs")) { 816 struct nfs_mount_data *d = data; 817 818 if (d->version != NFS_MOUNT_VERSION) 819 goto out; 820 821 if (d->context[0]) { 822 context = kstrdup(d->context, GFP_KERNEL); 823 if (!context) { 824 rc = -ENOMEM; 825 goto out; 826 } 827 } 828 goto build_flags; 829 } else 830 goto out; 831 } 832 833 /* Standard string-based options. */ 834 while ((p = strsep(&options, "|")) != NULL) { 835 int token; 836 substring_t args[MAX_OPT_ARGS]; 837 838 if (!*p) 839 continue; 840 841 token = match_token(p, tokens, args); 842 843 switch (token) { 844 case Opt_context: 845 if (context || defcontext) { 846 rc = -EINVAL; 847 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 848 goto out_err; 849 } 850 context = match_strdup(&args[0]); 851 if (!context) { 852 rc = -ENOMEM; 853 goto out_err; 854 } 855 break; 856 857 case Opt_fscontext: 858 if (fscontext) { 859 rc = -EINVAL; 860 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 861 goto out_err; 862 } 863 fscontext = match_strdup(&args[0]); 864 if (!fscontext) { 865 rc = -ENOMEM; 866 goto out_err; 867 } 868 break; 869 870 case Opt_rootcontext: 871 if (rootcontext) { 872 rc = -EINVAL; 873 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 874 goto out_err; 875 } 876 rootcontext = match_strdup(&args[0]); 877 if (!rootcontext) { 878 rc = -ENOMEM; 879 goto out_err; 880 } 881 break; 882 883 case Opt_defcontext: 884 if (context || defcontext) { 885 rc = -EINVAL; 886 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 887 goto out_err; 888 } 889 defcontext = match_strdup(&args[0]); 890 if (!defcontext) { 891 rc = -ENOMEM; 892 goto out_err; 893 } 894 break; 895 896 default: 897 rc = -EINVAL; 898 printk(KERN_WARNING "SELinux: unknown mount option\n"); 899 goto out_err; 900 901 } 902 } 903 904 build_flags: 905 if (fscontext) { 906 mnt_opts[num_mnt_opts] = fscontext; 907 mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 908 } 909 if (context) { 910 mnt_opts[num_mnt_opts] = context; 911 mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 912 } 913 if (rootcontext) { 914 mnt_opts[num_mnt_opts] = rootcontext; 915 mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 916 } 917 if (defcontext) { 918 mnt_opts[num_mnt_opts] = defcontext; 919 mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 920 } 921 922 out: 923 rc = selinux_set_mnt_opts(sb, mnt_opts, mnt_opts_flags, num_mnt_opts); 924 out_err: 925 kfree(context); 926 kfree(defcontext); 927 kfree(fscontext); 928 kfree(rootcontext); 929 return rc; 930 } 931 932 static inline u16 inode_mode_to_security_class(umode_t mode) 933 { 934 switch (mode & S_IFMT) { 935 case S_IFSOCK: 936 return SECCLASS_SOCK_FILE; 937 case S_IFLNK: 938 return SECCLASS_LNK_FILE; 939 case S_IFREG: 940 return SECCLASS_FILE; 941 case S_IFBLK: 942 return SECCLASS_BLK_FILE; 943 case S_IFDIR: 944 return SECCLASS_DIR; 945 case S_IFCHR: 946 return SECCLASS_CHR_FILE; 947 case S_IFIFO: 948 return SECCLASS_FIFO_FILE; 949 950 } 951 952 return SECCLASS_FILE; 953 } 954 955 static inline int default_protocol_stream(int protocol) 956 { 957 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 958 } 959 960 static inline int default_protocol_dgram(int protocol) 961 { 962 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 963 } 964 965 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 966 { 967 switch (family) { 968 case PF_UNIX: 969 switch (type) { 970 case SOCK_STREAM: 971 case SOCK_SEQPACKET: 972 return SECCLASS_UNIX_STREAM_SOCKET; 973 case SOCK_DGRAM: 974 return SECCLASS_UNIX_DGRAM_SOCKET; 975 } 976 break; 977 case PF_INET: 978 case PF_INET6: 979 switch (type) { 980 case SOCK_STREAM: 981 if (default_protocol_stream(protocol)) 982 return SECCLASS_TCP_SOCKET; 983 else 984 return SECCLASS_RAWIP_SOCKET; 985 case SOCK_DGRAM: 986 if (default_protocol_dgram(protocol)) 987 return SECCLASS_UDP_SOCKET; 988 else 989 return SECCLASS_RAWIP_SOCKET; 990 case SOCK_DCCP: 991 return SECCLASS_DCCP_SOCKET; 992 default: 993 return SECCLASS_RAWIP_SOCKET; 994 } 995 break; 996 case PF_NETLINK: 997 switch (protocol) { 998 case NETLINK_ROUTE: 999 return SECCLASS_NETLINK_ROUTE_SOCKET; 1000 case NETLINK_FIREWALL: 1001 return SECCLASS_NETLINK_FIREWALL_SOCKET; 1002 case NETLINK_INET_DIAG: 1003 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1004 case NETLINK_NFLOG: 1005 return SECCLASS_NETLINK_NFLOG_SOCKET; 1006 case NETLINK_XFRM: 1007 return SECCLASS_NETLINK_XFRM_SOCKET; 1008 case NETLINK_SELINUX: 1009 return SECCLASS_NETLINK_SELINUX_SOCKET; 1010 case NETLINK_AUDIT: 1011 return SECCLASS_NETLINK_AUDIT_SOCKET; 1012 case NETLINK_IP6_FW: 1013 return SECCLASS_NETLINK_IP6FW_SOCKET; 1014 case NETLINK_DNRTMSG: 1015 return SECCLASS_NETLINK_DNRT_SOCKET; 1016 case NETLINK_KOBJECT_UEVENT: 1017 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1018 default: 1019 return SECCLASS_NETLINK_SOCKET; 1020 } 1021 case PF_PACKET: 1022 return SECCLASS_PACKET_SOCKET; 1023 case PF_KEY: 1024 return SECCLASS_KEY_SOCKET; 1025 case PF_APPLETALK: 1026 return SECCLASS_APPLETALK_SOCKET; 1027 } 1028 1029 return SECCLASS_SOCKET; 1030 } 1031 1032 #ifdef CONFIG_PROC_FS 1033 static int selinux_proc_get_sid(struct proc_dir_entry *de, 1034 u16 tclass, 1035 u32 *sid) 1036 { 1037 int buflen, rc; 1038 char *buffer, *path, *end; 1039 1040 buffer = (char*)__get_free_page(GFP_KERNEL); 1041 if (!buffer) 1042 return -ENOMEM; 1043 1044 buflen = PAGE_SIZE; 1045 end = buffer+buflen; 1046 *--end = '\0'; 1047 buflen--; 1048 path = end-1; 1049 *path = '/'; 1050 while (de && de != de->parent) { 1051 buflen -= de->namelen + 1; 1052 if (buflen < 0) 1053 break; 1054 end -= de->namelen; 1055 memcpy(end, de->name, de->namelen); 1056 *--end = '/'; 1057 path = end; 1058 de = de->parent; 1059 } 1060 rc = security_genfs_sid("proc", path, tclass, sid); 1061 free_page((unsigned long)buffer); 1062 return rc; 1063 } 1064 #else 1065 static int selinux_proc_get_sid(struct proc_dir_entry *de, 1066 u16 tclass, 1067 u32 *sid) 1068 { 1069 return -EINVAL; 1070 } 1071 #endif 1072 1073 /* The inode's security attributes must be initialized before first use. */ 1074 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1075 { 1076 struct superblock_security_struct *sbsec = NULL; 1077 struct inode_security_struct *isec = inode->i_security; 1078 u32 sid; 1079 struct dentry *dentry; 1080 #define INITCONTEXTLEN 255 1081 char *context = NULL; 1082 unsigned len = 0; 1083 int rc = 0; 1084 1085 if (isec->initialized) 1086 goto out; 1087 1088 mutex_lock(&isec->lock); 1089 if (isec->initialized) 1090 goto out_unlock; 1091 1092 sbsec = inode->i_sb->s_security; 1093 if (!sbsec->initialized) { 1094 /* Defer initialization until selinux_complete_init, 1095 after the initial policy is loaded and the security 1096 server is ready to handle calls. */ 1097 spin_lock(&sbsec->isec_lock); 1098 if (list_empty(&isec->list)) 1099 list_add(&isec->list, &sbsec->isec_head); 1100 spin_unlock(&sbsec->isec_lock); 1101 goto out_unlock; 1102 } 1103 1104 switch (sbsec->behavior) { 1105 case SECURITY_FS_USE_XATTR: 1106 if (!inode->i_op->getxattr) { 1107 isec->sid = sbsec->def_sid; 1108 break; 1109 } 1110 1111 /* Need a dentry, since the xattr API requires one. 1112 Life would be simpler if we could just pass the inode. */ 1113 if (opt_dentry) { 1114 /* Called from d_instantiate or d_splice_alias. */ 1115 dentry = dget(opt_dentry); 1116 } else { 1117 /* Called from selinux_complete_init, try to find a dentry. */ 1118 dentry = d_find_alias(inode); 1119 } 1120 if (!dentry) { 1121 printk(KERN_WARNING "%s: no dentry for dev=%s " 1122 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id, 1123 inode->i_ino); 1124 goto out_unlock; 1125 } 1126 1127 len = INITCONTEXTLEN; 1128 context = kmalloc(len, GFP_KERNEL); 1129 if (!context) { 1130 rc = -ENOMEM; 1131 dput(dentry); 1132 goto out_unlock; 1133 } 1134 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1135 context, len); 1136 if (rc == -ERANGE) { 1137 /* Need a larger buffer. Query for the right size. */ 1138 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1139 NULL, 0); 1140 if (rc < 0) { 1141 dput(dentry); 1142 goto out_unlock; 1143 } 1144 kfree(context); 1145 len = rc; 1146 context = kmalloc(len, GFP_KERNEL); 1147 if (!context) { 1148 rc = -ENOMEM; 1149 dput(dentry); 1150 goto out_unlock; 1151 } 1152 rc = inode->i_op->getxattr(dentry, 1153 XATTR_NAME_SELINUX, 1154 context, len); 1155 } 1156 dput(dentry); 1157 if (rc < 0) { 1158 if (rc != -ENODATA) { 1159 printk(KERN_WARNING "%s: getxattr returned " 1160 "%d for dev=%s ino=%ld\n", __FUNCTION__, 1161 -rc, inode->i_sb->s_id, inode->i_ino); 1162 kfree(context); 1163 goto out_unlock; 1164 } 1165 /* Map ENODATA to the default file SID */ 1166 sid = sbsec->def_sid; 1167 rc = 0; 1168 } else { 1169 rc = security_context_to_sid_default(context, rc, &sid, 1170 sbsec->def_sid); 1171 if (rc) { 1172 printk(KERN_WARNING "%s: context_to_sid(%s) " 1173 "returned %d for dev=%s ino=%ld\n", 1174 __FUNCTION__, context, -rc, 1175 inode->i_sb->s_id, inode->i_ino); 1176 kfree(context); 1177 /* Leave with the unlabeled SID */ 1178 rc = 0; 1179 break; 1180 } 1181 } 1182 kfree(context); 1183 isec->sid = sid; 1184 break; 1185 case SECURITY_FS_USE_TASK: 1186 isec->sid = isec->task_sid; 1187 break; 1188 case SECURITY_FS_USE_TRANS: 1189 /* Default to the fs SID. */ 1190 isec->sid = sbsec->sid; 1191 1192 /* Try to obtain a transition SID. */ 1193 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1194 rc = security_transition_sid(isec->task_sid, 1195 sbsec->sid, 1196 isec->sclass, 1197 &sid); 1198 if (rc) 1199 goto out_unlock; 1200 isec->sid = sid; 1201 break; 1202 case SECURITY_FS_USE_MNTPOINT: 1203 isec->sid = sbsec->mntpoint_sid; 1204 break; 1205 default: 1206 /* Default to the fs superblock SID. */ 1207 isec->sid = sbsec->sid; 1208 1209 if (sbsec->proc) { 1210 struct proc_inode *proci = PROC_I(inode); 1211 if (proci->pde) { 1212 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1213 rc = selinux_proc_get_sid(proci->pde, 1214 isec->sclass, 1215 &sid); 1216 if (rc) 1217 goto out_unlock; 1218 isec->sid = sid; 1219 } 1220 } 1221 break; 1222 } 1223 1224 isec->initialized = 1; 1225 1226 out_unlock: 1227 mutex_unlock(&isec->lock); 1228 out: 1229 if (isec->sclass == SECCLASS_FILE) 1230 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1231 return rc; 1232 } 1233 1234 /* Convert a Linux signal to an access vector. */ 1235 static inline u32 signal_to_av(int sig) 1236 { 1237 u32 perm = 0; 1238 1239 switch (sig) { 1240 case SIGCHLD: 1241 /* Commonly granted from child to parent. */ 1242 perm = PROCESS__SIGCHLD; 1243 break; 1244 case SIGKILL: 1245 /* Cannot be caught or ignored */ 1246 perm = PROCESS__SIGKILL; 1247 break; 1248 case SIGSTOP: 1249 /* Cannot be caught or ignored */ 1250 perm = PROCESS__SIGSTOP; 1251 break; 1252 default: 1253 /* All other signals. */ 1254 perm = PROCESS__SIGNAL; 1255 break; 1256 } 1257 1258 return perm; 1259 } 1260 1261 /* Check permission betweeen a pair of tasks, e.g. signal checks, 1262 fork check, ptrace check, etc. */ 1263 static int task_has_perm(struct task_struct *tsk1, 1264 struct task_struct *tsk2, 1265 u32 perms) 1266 { 1267 struct task_security_struct *tsec1, *tsec2; 1268 1269 tsec1 = tsk1->security; 1270 tsec2 = tsk2->security; 1271 return avc_has_perm(tsec1->sid, tsec2->sid, 1272 SECCLASS_PROCESS, perms, NULL); 1273 } 1274 1275 #if CAP_LAST_CAP > 63 1276 #error Fix SELinux to handle capabilities > 63. 1277 #endif 1278 1279 /* Check whether a task is allowed to use a capability. */ 1280 static int task_has_capability(struct task_struct *tsk, 1281 int cap) 1282 { 1283 struct task_security_struct *tsec; 1284 struct avc_audit_data ad; 1285 u16 sclass; 1286 u32 av = CAP_TO_MASK(cap); 1287 1288 tsec = tsk->security; 1289 1290 AVC_AUDIT_DATA_INIT(&ad,CAP); 1291 ad.tsk = tsk; 1292 ad.u.cap = cap; 1293 1294 switch (CAP_TO_INDEX(cap)) { 1295 case 0: 1296 sclass = SECCLASS_CAPABILITY; 1297 break; 1298 case 1: 1299 sclass = SECCLASS_CAPABILITY2; 1300 break; 1301 default: 1302 printk(KERN_ERR 1303 "SELinux: out of range capability %d\n", cap); 1304 BUG(); 1305 } 1306 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad); 1307 } 1308 1309 /* Check whether a task is allowed to use a system operation. */ 1310 static int task_has_system(struct task_struct *tsk, 1311 u32 perms) 1312 { 1313 struct task_security_struct *tsec; 1314 1315 tsec = tsk->security; 1316 1317 return avc_has_perm(tsec->sid, SECINITSID_KERNEL, 1318 SECCLASS_SYSTEM, perms, NULL); 1319 } 1320 1321 /* Check whether a task has a particular permission to an inode. 1322 The 'adp' parameter is optional and allows other audit 1323 data to be passed (e.g. the dentry). */ 1324 static int inode_has_perm(struct task_struct *tsk, 1325 struct inode *inode, 1326 u32 perms, 1327 struct avc_audit_data *adp) 1328 { 1329 struct task_security_struct *tsec; 1330 struct inode_security_struct *isec; 1331 struct avc_audit_data ad; 1332 1333 if (unlikely (IS_PRIVATE (inode))) 1334 return 0; 1335 1336 tsec = tsk->security; 1337 isec = inode->i_security; 1338 1339 if (!adp) { 1340 adp = &ad; 1341 AVC_AUDIT_DATA_INIT(&ad, FS); 1342 ad.u.fs.inode = inode; 1343 } 1344 1345 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp); 1346 } 1347 1348 /* Same as inode_has_perm, but pass explicit audit data containing 1349 the dentry to help the auditing code to more easily generate the 1350 pathname if needed. */ 1351 static inline int dentry_has_perm(struct task_struct *tsk, 1352 struct vfsmount *mnt, 1353 struct dentry *dentry, 1354 u32 av) 1355 { 1356 struct inode *inode = dentry->d_inode; 1357 struct avc_audit_data ad; 1358 AVC_AUDIT_DATA_INIT(&ad,FS); 1359 ad.u.fs.mnt = mnt; 1360 ad.u.fs.dentry = dentry; 1361 return inode_has_perm(tsk, inode, av, &ad); 1362 } 1363 1364 /* Check whether a task can use an open file descriptor to 1365 access an inode in a given way. Check access to the 1366 descriptor itself, and then use dentry_has_perm to 1367 check a particular permission to the file. 1368 Access to the descriptor is implicitly granted if it 1369 has the same SID as the process. If av is zero, then 1370 access to the file is not checked, e.g. for cases 1371 where only the descriptor is affected like seek. */ 1372 static int file_has_perm(struct task_struct *tsk, 1373 struct file *file, 1374 u32 av) 1375 { 1376 struct task_security_struct *tsec = tsk->security; 1377 struct file_security_struct *fsec = file->f_security; 1378 struct vfsmount *mnt = file->f_path.mnt; 1379 struct dentry *dentry = file->f_path.dentry; 1380 struct inode *inode = dentry->d_inode; 1381 struct avc_audit_data ad; 1382 int rc; 1383 1384 AVC_AUDIT_DATA_INIT(&ad, FS); 1385 ad.u.fs.mnt = mnt; 1386 ad.u.fs.dentry = dentry; 1387 1388 if (tsec->sid != fsec->sid) { 1389 rc = avc_has_perm(tsec->sid, fsec->sid, 1390 SECCLASS_FD, 1391 FD__USE, 1392 &ad); 1393 if (rc) 1394 return rc; 1395 } 1396 1397 /* av is zero if only checking access to the descriptor. */ 1398 if (av) 1399 return inode_has_perm(tsk, inode, av, &ad); 1400 1401 return 0; 1402 } 1403 1404 /* Check whether a task can create a file. */ 1405 static int may_create(struct inode *dir, 1406 struct dentry *dentry, 1407 u16 tclass) 1408 { 1409 struct task_security_struct *tsec; 1410 struct inode_security_struct *dsec; 1411 struct superblock_security_struct *sbsec; 1412 u32 newsid; 1413 struct avc_audit_data ad; 1414 int rc; 1415 1416 tsec = current->security; 1417 dsec = dir->i_security; 1418 sbsec = dir->i_sb->s_security; 1419 1420 AVC_AUDIT_DATA_INIT(&ad, FS); 1421 ad.u.fs.dentry = dentry; 1422 1423 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, 1424 DIR__ADD_NAME | DIR__SEARCH, 1425 &ad); 1426 if (rc) 1427 return rc; 1428 1429 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 1430 newsid = tsec->create_sid; 1431 } else { 1432 rc = security_transition_sid(tsec->sid, dsec->sid, tclass, 1433 &newsid); 1434 if (rc) 1435 return rc; 1436 } 1437 1438 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad); 1439 if (rc) 1440 return rc; 1441 1442 return avc_has_perm(newsid, sbsec->sid, 1443 SECCLASS_FILESYSTEM, 1444 FILESYSTEM__ASSOCIATE, &ad); 1445 } 1446 1447 /* Check whether a task can create a key. */ 1448 static int may_create_key(u32 ksid, 1449 struct task_struct *ctx) 1450 { 1451 struct task_security_struct *tsec; 1452 1453 tsec = ctx->security; 1454 1455 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); 1456 } 1457 1458 #define MAY_LINK 0 1459 #define MAY_UNLINK 1 1460 #define MAY_RMDIR 2 1461 1462 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1463 static int may_link(struct inode *dir, 1464 struct dentry *dentry, 1465 int kind) 1466 1467 { 1468 struct task_security_struct *tsec; 1469 struct inode_security_struct *dsec, *isec; 1470 struct avc_audit_data ad; 1471 u32 av; 1472 int rc; 1473 1474 tsec = current->security; 1475 dsec = dir->i_security; 1476 isec = dentry->d_inode->i_security; 1477 1478 AVC_AUDIT_DATA_INIT(&ad, FS); 1479 ad.u.fs.dentry = dentry; 1480 1481 av = DIR__SEARCH; 1482 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1483 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad); 1484 if (rc) 1485 return rc; 1486 1487 switch (kind) { 1488 case MAY_LINK: 1489 av = FILE__LINK; 1490 break; 1491 case MAY_UNLINK: 1492 av = FILE__UNLINK; 1493 break; 1494 case MAY_RMDIR: 1495 av = DIR__RMDIR; 1496 break; 1497 default: 1498 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind); 1499 return 0; 1500 } 1501 1502 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad); 1503 return rc; 1504 } 1505 1506 static inline int may_rename(struct inode *old_dir, 1507 struct dentry *old_dentry, 1508 struct inode *new_dir, 1509 struct dentry *new_dentry) 1510 { 1511 struct task_security_struct *tsec; 1512 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1513 struct avc_audit_data ad; 1514 u32 av; 1515 int old_is_dir, new_is_dir; 1516 int rc; 1517 1518 tsec = current->security; 1519 old_dsec = old_dir->i_security; 1520 old_isec = old_dentry->d_inode->i_security; 1521 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); 1522 new_dsec = new_dir->i_security; 1523 1524 AVC_AUDIT_DATA_INIT(&ad, FS); 1525 1526 ad.u.fs.dentry = old_dentry; 1527 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR, 1528 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1529 if (rc) 1530 return rc; 1531 rc = avc_has_perm(tsec->sid, old_isec->sid, 1532 old_isec->sclass, FILE__RENAME, &ad); 1533 if (rc) 1534 return rc; 1535 if (old_is_dir && new_dir != old_dir) { 1536 rc = avc_has_perm(tsec->sid, old_isec->sid, 1537 old_isec->sclass, DIR__REPARENT, &ad); 1538 if (rc) 1539 return rc; 1540 } 1541 1542 ad.u.fs.dentry = new_dentry; 1543 av = DIR__ADD_NAME | DIR__SEARCH; 1544 if (new_dentry->d_inode) 1545 av |= DIR__REMOVE_NAME; 1546 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1547 if (rc) 1548 return rc; 1549 if (new_dentry->d_inode) { 1550 new_isec = new_dentry->d_inode->i_security; 1551 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode); 1552 rc = avc_has_perm(tsec->sid, new_isec->sid, 1553 new_isec->sclass, 1554 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1555 if (rc) 1556 return rc; 1557 } 1558 1559 return 0; 1560 } 1561 1562 /* Check whether a task can perform a filesystem operation. */ 1563 static int superblock_has_perm(struct task_struct *tsk, 1564 struct super_block *sb, 1565 u32 perms, 1566 struct avc_audit_data *ad) 1567 { 1568 struct task_security_struct *tsec; 1569 struct superblock_security_struct *sbsec; 1570 1571 tsec = tsk->security; 1572 sbsec = sb->s_security; 1573 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 1574 perms, ad); 1575 } 1576 1577 /* Convert a Linux mode and permission mask to an access vector. */ 1578 static inline u32 file_mask_to_av(int mode, int mask) 1579 { 1580 u32 av = 0; 1581 1582 if ((mode & S_IFMT) != S_IFDIR) { 1583 if (mask & MAY_EXEC) 1584 av |= FILE__EXECUTE; 1585 if (mask & MAY_READ) 1586 av |= FILE__READ; 1587 1588 if (mask & MAY_APPEND) 1589 av |= FILE__APPEND; 1590 else if (mask & MAY_WRITE) 1591 av |= FILE__WRITE; 1592 1593 } else { 1594 if (mask & MAY_EXEC) 1595 av |= DIR__SEARCH; 1596 if (mask & MAY_WRITE) 1597 av |= DIR__WRITE; 1598 if (mask & MAY_READ) 1599 av |= DIR__READ; 1600 } 1601 1602 return av; 1603 } 1604 1605 /* Convert a Linux file to an access vector. */ 1606 static inline u32 file_to_av(struct file *file) 1607 { 1608 u32 av = 0; 1609 1610 if (file->f_mode & FMODE_READ) 1611 av |= FILE__READ; 1612 if (file->f_mode & FMODE_WRITE) { 1613 if (file->f_flags & O_APPEND) 1614 av |= FILE__APPEND; 1615 else 1616 av |= FILE__WRITE; 1617 } 1618 1619 return av; 1620 } 1621 1622 /* Hook functions begin here. */ 1623 1624 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) 1625 { 1626 struct task_security_struct *psec = parent->security; 1627 struct task_security_struct *csec = child->security; 1628 int rc; 1629 1630 rc = secondary_ops->ptrace(parent,child); 1631 if (rc) 1632 return rc; 1633 1634 rc = task_has_perm(parent, child, PROCESS__PTRACE); 1635 /* Save the SID of the tracing process for later use in apply_creds. */ 1636 if (!(child->ptrace & PT_PTRACED) && !rc) 1637 csec->ptrace_sid = psec->sid; 1638 return rc; 1639 } 1640 1641 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 1642 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1643 { 1644 int error; 1645 1646 error = task_has_perm(current, target, PROCESS__GETCAP); 1647 if (error) 1648 return error; 1649 1650 return secondary_ops->capget(target, effective, inheritable, permitted); 1651 } 1652 1653 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, 1654 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1655 { 1656 int error; 1657 1658 error = secondary_ops->capset_check(target, effective, inheritable, permitted); 1659 if (error) 1660 return error; 1661 1662 return task_has_perm(current, target, PROCESS__SETCAP); 1663 } 1664 1665 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, 1666 kernel_cap_t *inheritable, kernel_cap_t *permitted) 1667 { 1668 secondary_ops->capset_set(target, effective, inheritable, permitted); 1669 } 1670 1671 static int selinux_capable(struct task_struct *tsk, int cap) 1672 { 1673 int rc; 1674 1675 rc = secondary_ops->capable(tsk, cap); 1676 if (rc) 1677 return rc; 1678 1679 return task_has_capability(tsk,cap); 1680 } 1681 1682 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid) 1683 { 1684 int buflen, rc; 1685 char *buffer, *path, *end; 1686 1687 rc = -ENOMEM; 1688 buffer = (char*)__get_free_page(GFP_KERNEL); 1689 if (!buffer) 1690 goto out; 1691 1692 buflen = PAGE_SIZE; 1693 end = buffer+buflen; 1694 *--end = '\0'; 1695 buflen--; 1696 path = end-1; 1697 *path = '/'; 1698 while (table) { 1699 const char *name = table->procname; 1700 size_t namelen = strlen(name); 1701 buflen -= namelen + 1; 1702 if (buflen < 0) 1703 goto out_free; 1704 end -= namelen; 1705 memcpy(end, name, namelen); 1706 *--end = '/'; 1707 path = end; 1708 table = table->parent; 1709 } 1710 buflen -= 4; 1711 if (buflen < 0) 1712 goto out_free; 1713 end -= 4; 1714 memcpy(end, "/sys", 4); 1715 path = end; 1716 rc = security_genfs_sid("proc", path, tclass, sid); 1717 out_free: 1718 free_page((unsigned long)buffer); 1719 out: 1720 return rc; 1721 } 1722 1723 static int selinux_sysctl(ctl_table *table, int op) 1724 { 1725 int error = 0; 1726 u32 av; 1727 struct task_security_struct *tsec; 1728 u32 tsid; 1729 int rc; 1730 1731 rc = secondary_ops->sysctl(table, op); 1732 if (rc) 1733 return rc; 1734 1735 tsec = current->security; 1736 1737 rc = selinux_sysctl_get_sid(table, (op == 0001) ? 1738 SECCLASS_DIR : SECCLASS_FILE, &tsid); 1739 if (rc) { 1740 /* Default to the well-defined sysctl SID. */ 1741 tsid = SECINITSID_SYSCTL; 1742 } 1743 1744 /* The op values are "defined" in sysctl.c, thereby creating 1745 * a bad coupling between this module and sysctl.c */ 1746 if(op == 001) { 1747 error = avc_has_perm(tsec->sid, tsid, 1748 SECCLASS_DIR, DIR__SEARCH, NULL); 1749 } else { 1750 av = 0; 1751 if (op & 004) 1752 av |= FILE__READ; 1753 if (op & 002) 1754 av |= FILE__WRITE; 1755 if (av) 1756 error = avc_has_perm(tsec->sid, tsid, 1757 SECCLASS_FILE, av, NULL); 1758 } 1759 1760 return error; 1761 } 1762 1763 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 1764 { 1765 int rc = 0; 1766 1767 if (!sb) 1768 return 0; 1769 1770 switch (cmds) { 1771 case Q_SYNC: 1772 case Q_QUOTAON: 1773 case Q_QUOTAOFF: 1774 case Q_SETINFO: 1775 case Q_SETQUOTA: 1776 rc = superblock_has_perm(current, 1777 sb, 1778 FILESYSTEM__QUOTAMOD, NULL); 1779 break; 1780 case Q_GETFMT: 1781 case Q_GETINFO: 1782 case Q_GETQUOTA: 1783 rc = superblock_has_perm(current, 1784 sb, 1785 FILESYSTEM__QUOTAGET, NULL); 1786 break; 1787 default: 1788 rc = 0; /* let the kernel handle invalid cmds */ 1789 break; 1790 } 1791 return rc; 1792 } 1793 1794 static int selinux_quota_on(struct dentry *dentry) 1795 { 1796 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON); 1797 } 1798 1799 static int selinux_syslog(int type) 1800 { 1801 int rc; 1802 1803 rc = secondary_ops->syslog(type); 1804 if (rc) 1805 return rc; 1806 1807 switch (type) { 1808 case 3: /* Read last kernel messages */ 1809 case 10: /* Return size of the log buffer */ 1810 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 1811 break; 1812 case 6: /* Disable logging to console */ 1813 case 7: /* Enable logging to console */ 1814 case 8: /* Set level of messages printed to console */ 1815 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); 1816 break; 1817 case 0: /* Close log */ 1818 case 1: /* Open log */ 1819 case 2: /* Read from log */ 1820 case 4: /* Read/clear last kernel messages */ 1821 case 5: /* Clear ring buffer */ 1822 default: 1823 rc = task_has_system(current, SYSTEM__SYSLOG_MOD); 1824 break; 1825 } 1826 return rc; 1827 } 1828 1829 /* 1830 * Check that a process has enough memory to allocate a new virtual 1831 * mapping. 0 means there is enough memory for the allocation to 1832 * succeed and -ENOMEM implies there is not. 1833 * 1834 * Note that secondary_ops->capable and task_has_perm_noaudit return 0 1835 * if the capability is granted, but __vm_enough_memory requires 1 if 1836 * the capability is granted. 1837 * 1838 * Do not audit the selinux permission check, as this is applied to all 1839 * processes that allocate mappings. 1840 */ 1841 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 1842 { 1843 int rc, cap_sys_admin = 0; 1844 struct task_security_struct *tsec = current->security; 1845 1846 rc = secondary_ops->capable(current, CAP_SYS_ADMIN); 1847 if (rc == 0) 1848 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid, 1849 SECCLASS_CAPABILITY, 1850 CAP_TO_MASK(CAP_SYS_ADMIN), 1851 0, 1852 NULL); 1853 1854 if (rc == 0) 1855 cap_sys_admin = 1; 1856 1857 return __vm_enough_memory(mm, pages, cap_sys_admin); 1858 } 1859 1860 /* binprm security operations */ 1861 1862 static int selinux_bprm_alloc_security(struct linux_binprm *bprm) 1863 { 1864 struct bprm_security_struct *bsec; 1865 1866 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL); 1867 if (!bsec) 1868 return -ENOMEM; 1869 1870 bsec->bprm = bprm; 1871 bsec->sid = SECINITSID_UNLABELED; 1872 bsec->set = 0; 1873 1874 bprm->security = bsec; 1875 return 0; 1876 } 1877 1878 static int selinux_bprm_set_security(struct linux_binprm *bprm) 1879 { 1880 struct task_security_struct *tsec; 1881 struct inode *inode = bprm->file->f_path.dentry->d_inode; 1882 struct inode_security_struct *isec; 1883 struct bprm_security_struct *bsec; 1884 u32 newsid; 1885 struct avc_audit_data ad; 1886 int rc; 1887 1888 rc = secondary_ops->bprm_set_security(bprm); 1889 if (rc) 1890 return rc; 1891 1892 bsec = bprm->security; 1893 1894 if (bsec->set) 1895 return 0; 1896 1897 tsec = current->security; 1898 isec = inode->i_security; 1899 1900 /* Default to the current task SID. */ 1901 bsec->sid = tsec->sid; 1902 1903 /* Reset fs, key, and sock SIDs on execve. */ 1904 tsec->create_sid = 0; 1905 tsec->keycreate_sid = 0; 1906 tsec->sockcreate_sid = 0; 1907 1908 if (tsec->exec_sid) { 1909 newsid = tsec->exec_sid; 1910 /* Reset exec SID on execve. */ 1911 tsec->exec_sid = 0; 1912 } else { 1913 /* Check for a default transition on this program. */ 1914 rc = security_transition_sid(tsec->sid, isec->sid, 1915 SECCLASS_PROCESS, &newsid); 1916 if (rc) 1917 return rc; 1918 } 1919 1920 AVC_AUDIT_DATA_INIT(&ad, FS); 1921 ad.u.fs.mnt = bprm->file->f_path.mnt; 1922 ad.u.fs.dentry = bprm->file->f_path.dentry; 1923 1924 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) 1925 newsid = tsec->sid; 1926 1927 if (tsec->sid == newsid) { 1928 rc = avc_has_perm(tsec->sid, isec->sid, 1929 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 1930 if (rc) 1931 return rc; 1932 } else { 1933 /* Check permissions for the transition. */ 1934 rc = avc_has_perm(tsec->sid, newsid, 1935 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 1936 if (rc) 1937 return rc; 1938 1939 rc = avc_has_perm(newsid, isec->sid, 1940 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 1941 if (rc) 1942 return rc; 1943 1944 /* Clear any possibly unsafe personality bits on exec: */ 1945 current->personality &= ~PER_CLEAR_ON_SETID; 1946 1947 /* Set the security field to the new SID. */ 1948 bsec->sid = newsid; 1949 } 1950 1951 bsec->set = 1; 1952 return 0; 1953 } 1954 1955 static int selinux_bprm_check_security (struct linux_binprm *bprm) 1956 { 1957 return secondary_ops->bprm_check_security(bprm); 1958 } 1959 1960 1961 static int selinux_bprm_secureexec (struct linux_binprm *bprm) 1962 { 1963 struct task_security_struct *tsec = current->security; 1964 int atsecure = 0; 1965 1966 if (tsec->osid != tsec->sid) { 1967 /* Enable secure mode for SIDs transitions unless 1968 the noatsecure permission is granted between 1969 the two SIDs, i.e. ahp returns 0. */ 1970 atsecure = avc_has_perm(tsec->osid, tsec->sid, 1971 SECCLASS_PROCESS, 1972 PROCESS__NOATSECURE, NULL); 1973 } 1974 1975 return (atsecure || secondary_ops->bprm_secureexec(bprm)); 1976 } 1977 1978 static void selinux_bprm_free_security(struct linux_binprm *bprm) 1979 { 1980 kfree(bprm->security); 1981 bprm->security = NULL; 1982 } 1983 1984 extern struct vfsmount *selinuxfs_mount; 1985 extern struct dentry *selinux_null; 1986 1987 /* Derived from fs/exec.c:flush_old_files. */ 1988 static inline void flush_unauthorized_files(struct files_struct * files) 1989 { 1990 struct avc_audit_data ad; 1991 struct file *file, *devnull = NULL; 1992 struct tty_struct *tty; 1993 struct fdtable *fdt; 1994 long j = -1; 1995 int drop_tty = 0; 1996 1997 mutex_lock(&tty_mutex); 1998 tty = get_current_tty(); 1999 if (tty) { 2000 file_list_lock(); 2001 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list); 2002 if (file) { 2003 /* Revalidate access to controlling tty. 2004 Use inode_has_perm on the tty inode directly rather 2005 than using file_has_perm, as this particular open 2006 file may belong to another process and we are only 2007 interested in the inode-based check here. */ 2008 struct inode *inode = file->f_path.dentry->d_inode; 2009 if (inode_has_perm(current, inode, 2010 FILE__READ | FILE__WRITE, NULL)) { 2011 drop_tty = 1; 2012 } 2013 } 2014 file_list_unlock(); 2015 } 2016 mutex_unlock(&tty_mutex); 2017 /* Reset controlling tty. */ 2018 if (drop_tty) 2019 no_tty(); 2020 2021 /* Revalidate access to inherited open files. */ 2022 2023 AVC_AUDIT_DATA_INIT(&ad,FS); 2024 2025 spin_lock(&files->file_lock); 2026 for (;;) { 2027 unsigned long set, i; 2028 int fd; 2029 2030 j++; 2031 i = j * __NFDBITS; 2032 fdt = files_fdtable(files); 2033 if (i >= fdt->max_fds) 2034 break; 2035 set = fdt->open_fds->fds_bits[j]; 2036 if (!set) 2037 continue; 2038 spin_unlock(&files->file_lock); 2039 for ( ; set ; i++,set >>= 1) { 2040 if (set & 1) { 2041 file = fget(i); 2042 if (!file) 2043 continue; 2044 if (file_has_perm(current, 2045 file, 2046 file_to_av(file))) { 2047 sys_close(i); 2048 fd = get_unused_fd(); 2049 if (fd != i) { 2050 if (fd >= 0) 2051 put_unused_fd(fd); 2052 fput(file); 2053 continue; 2054 } 2055 if (devnull) { 2056 get_file(devnull); 2057 } else { 2058 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR); 2059 if (IS_ERR(devnull)) { 2060 devnull = NULL; 2061 put_unused_fd(fd); 2062 fput(file); 2063 continue; 2064 } 2065 } 2066 fd_install(fd, devnull); 2067 } 2068 fput(file); 2069 } 2070 } 2071 spin_lock(&files->file_lock); 2072 2073 } 2074 spin_unlock(&files->file_lock); 2075 } 2076 2077 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) 2078 { 2079 struct task_security_struct *tsec; 2080 struct bprm_security_struct *bsec; 2081 u32 sid; 2082 int rc; 2083 2084 secondary_ops->bprm_apply_creds(bprm, unsafe); 2085 2086 tsec = current->security; 2087 2088 bsec = bprm->security; 2089 sid = bsec->sid; 2090 2091 tsec->osid = tsec->sid; 2092 bsec->unsafe = 0; 2093 if (tsec->sid != sid) { 2094 /* Check for shared state. If not ok, leave SID 2095 unchanged and kill. */ 2096 if (unsafe & LSM_UNSAFE_SHARE) { 2097 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 2098 PROCESS__SHARE, NULL); 2099 if (rc) { 2100 bsec->unsafe = 1; 2101 return; 2102 } 2103 } 2104 2105 /* Check for ptracing, and update the task SID if ok. 2106 Otherwise, leave SID unchanged and kill. */ 2107 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 2108 rc = avc_has_perm(tsec->ptrace_sid, sid, 2109 SECCLASS_PROCESS, PROCESS__PTRACE, 2110 NULL); 2111 if (rc) { 2112 bsec->unsafe = 1; 2113 return; 2114 } 2115 } 2116 tsec->sid = sid; 2117 } 2118 } 2119 2120 /* 2121 * called after apply_creds without the task lock held 2122 */ 2123 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) 2124 { 2125 struct task_security_struct *tsec; 2126 struct rlimit *rlim, *initrlim; 2127 struct itimerval itimer; 2128 struct bprm_security_struct *bsec; 2129 int rc, i; 2130 2131 tsec = current->security; 2132 bsec = bprm->security; 2133 2134 if (bsec->unsafe) { 2135 force_sig_specific(SIGKILL, current); 2136 return; 2137 } 2138 if (tsec->osid == tsec->sid) 2139 return; 2140 2141 /* Close files for which the new task SID is not authorized. */ 2142 flush_unauthorized_files(current->files); 2143 2144 /* Check whether the new SID can inherit signal state 2145 from the old SID. If not, clear itimers to avoid 2146 subsequent signal generation and flush and unblock 2147 signals. This must occur _after_ the task SID has 2148 been updated so that any kill done after the flush 2149 will be checked against the new SID. */ 2150 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, 2151 PROCESS__SIGINH, NULL); 2152 if (rc) { 2153 memset(&itimer, 0, sizeof itimer); 2154 for (i = 0; i < 3; i++) 2155 do_setitimer(i, &itimer, NULL); 2156 flush_signals(current); 2157 spin_lock_irq(¤t->sighand->siglock); 2158 flush_signal_handlers(current, 1); 2159 sigemptyset(¤t->blocked); 2160 recalc_sigpending(); 2161 spin_unlock_irq(¤t->sighand->siglock); 2162 } 2163 2164 /* Always clear parent death signal on SID transitions. */ 2165 current->pdeath_signal = 0; 2166 2167 /* Check whether the new SID can inherit resource limits 2168 from the old SID. If not, reset all soft limits to 2169 the lower of the current task's hard limit and the init 2170 task's soft limit. Note that the setting of hard limits 2171 (even to lower them) can be controlled by the setrlimit 2172 check. The inclusion of the init task's soft limit into 2173 the computation is to avoid resetting soft limits higher 2174 than the default soft limit for cases where the default 2175 is lower than the hard limit, e.g. RLIMIT_CORE or 2176 RLIMIT_STACK.*/ 2177 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, 2178 PROCESS__RLIMITINH, NULL); 2179 if (rc) { 2180 for (i = 0; i < RLIM_NLIMITS; i++) { 2181 rlim = current->signal->rlim + i; 2182 initrlim = init_task.signal->rlim+i; 2183 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur); 2184 } 2185 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) { 2186 /* 2187 * This will cause RLIMIT_CPU calculations 2188 * to be refigured. 2189 */ 2190 current->it_prof_expires = jiffies_to_cputime(1); 2191 } 2192 } 2193 2194 /* Wake up the parent if it is waiting so that it can 2195 recheck wait permission to the new task SID. */ 2196 wake_up_interruptible(¤t->parent->signal->wait_chldexit); 2197 } 2198 2199 /* superblock security operations */ 2200 2201 static int selinux_sb_alloc_security(struct super_block *sb) 2202 { 2203 return superblock_alloc_security(sb); 2204 } 2205 2206 static void selinux_sb_free_security(struct super_block *sb) 2207 { 2208 superblock_free_security(sb); 2209 } 2210 2211 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2212 { 2213 if (plen > olen) 2214 return 0; 2215 2216 return !memcmp(prefix, option, plen); 2217 } 2218 2219 static inline int selinux_option(char *option, int len) 2220 { 2221 return (match_prefix("context=", sizeof("context=")-1, option, len) || 2222 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) || 2223 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) || 2224 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len)); 2225 } 2226 2227 static inline void take_option(char **to, char *from, int *first, int len) 2228 { 2229 if (!*first) { 2230 **to = ','; 2231 *to += 1; 2232 } else 2233 *first = 0; 2234 memcpy(*to, from, len); 2235 *to += len; 2236 } 2237 2238 static inline void take_selinux_option(char **to, char *from, int *first, 2239 int len) 2240 { 2241 int current_size = 0; 2242 2243 if (!*first) { 2244 **to = '|'; 2245 *to += 1; 2246 } 2247 else 2248 *first = 0; 2249 2250 while (current_size < len) { 2251 if (*from != '"') { 2252 **to = *from; 2253 *to += 1; 2254 } 2255 from += 1; 2256 current_size += 1; 2257 } 2258 } 2259 2260 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy) 2261 { 2262 int fnosec, fsec, rc = 0; 2263 char *in_save, *in_curr, *in_end; 2264 char *sec_curr, *nosec_save, *nosec; 2265 int open_quote = 0; 2266 2267 in_curr = orig; 2268 sec_curr = copy; 2269 2270 /* Binary mount data: just copy */ 2271 if (type->fs_flags & FS_BINARY_MOUNTDATA) { 2272 copy_page(sec_curr, in_curr); 2273 goto out; 2274 } 2275 2276 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2277 if (!nosec) { 2278 rc = -ENOMEM; 2279 goto out; 2280 } 2281 2282 nosec_save = nosec; 2283 fnosec = fsec = 1; 2284 in_save = in_end = orig; 2285 2286 do { 2287 if (*in_end == '"') 2288 open_quote = !open_quote; 2289 if ((*in_end == ',' && open_quote == 0) || 2290 *in_end == '\0') { 2291 int len = in_end - in_curr; 2292 2293 if (selinux_option(in_curr, len)) 2294 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2295 else 2296 take_option(&nosec, in_curr, &fnosec, len); 2297 2298 in_curr = in_end + 1; 2299 } 2300 } while (*in_end++); 2301 2302 strcpy(in_save, nosec_save); 2303 free_page((unsigned long)nosec_save); 2304 out: 2305 return rc; 2306 } 2307 2308 static int selinux_sb_kern_mount(struct super_block *sb, void *data) 2309 { 2310 struct avc_audit_data ad; 2311 int rc; 2312 2313 rc = superblock_doinit(sb, data); 2314 if (rc) 2315 return rc; 2316 2317 AVC_AUDIT_DATA_INIT(&ad,FS); 2318 ad.u.fs.dentry = sb->s_root; 2319 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); 2320 } 2321 2322 static int selinux_sb_statfs(struct dentry *dentry) 2323 { 2324 struct avc_audit_data ad; 2325 2326 AVC_AUDIT_DATA_INIT(&ad,FS); 2327 ad.u.fs.dentry = dentry->d_sb->s_root; 2328 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2329 } 2330 2331 static int selinux_mount(char * dev_name, 2332 struct nameidata *nd, 2333 char * type, 2334 unsigned long flags, 2335 void * data) 2336 { 2337 int rc; 2338 2339 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data); 2340 if (rc) 2341 return rc; 2342 2343 if (flags & MS_REMOUNT) 2344 return superblock_has_perm(current, nd->mnt->mnt_sb, 2345 FILESYSTEM__REMOUNT, NULL); 2346 else 2347 return dentry_has_perm(current, nd->mnt, nd->dentry, 2348 FILE__MOUNTON); 2349 } 2350 2351 static int selinux_umount(struct vfsmount *mnt, int flags) 2352 { 2353 int rc; 2354 2355 rc = secondary_ops->sb_umount(mnt, flags); 2356 if (rc) 2357 return rc; 2358 2359 return superblock_has_perm(current,mnt->mnt_sb, 2360 FILESYSTEM__UNMOUNT,NULL); 2361 } 2362 2363 /* inode security operations */ 2364 2365 static int selinux_inode_alloc_security(struct inode *inode) 2366 { 2367 return inode_alloc_security(inode); 2368 } 2369 2370 static void selinux_inode_free_security(struct inode *inode) 2371 { 2372 inode_free_security(inode); 2373 } 2374 2375 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2376 char **name, void **value, 2377 size_t *len) 2378 { 2379 struct task_security_struct *tsec; 2380 struct inode_security_struct *dsec; 2381 struct superblock_security_struct *sbsec; 2382 u32 newsid, clen; 2383 int rc; 2384 char *namep = NULL, *context; 2385 2386 tsec = current->security; 2387 dsec = dir->i_security; 2388 sbsec = dir->i_sb->s_security; 2389 2390 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { 2391 newsid = tsec->create_sid; 2392 } else { 2393 rc = security_transition_sid(tsec->sid, dsec->sid, 2394 inode_mode_to_security_class(inode->i_mode), 2395 &newsid); 2396 if (rc) { 2397 printk(KERN_WARNING "%s: " 2398 "security_transition_sid failed, rc=%d (dev=%s " 2399 "ino=%ld)\n", 2400 __FUNCTION__, 2401 -rc, inode->i_sb->s_id, inode->i_ino); 2402 return rc; 2403 } 2404 } 2405 2406 /* Possibly defer initialization to selinux_complete_init. */ 2407 if (sbsec->initialized) { 2408 struct inode_security_struct *isec = inode->i_security; 2409 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2410 isec->sid = newsid; 2411 isec->initialized = 1; 2412 } 2413 2414 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 2415 return -EOPNOTSUPP; 2416 2417 if (name) { 2418 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL); 2419 if (!namep) 2420 return -ENOMEM; 2421 *name = namep; 2422 } 2423 2424 if (value && len) { 2425 rc = security_sid_to_context(newsid, &context, &clen); 2426 if (rc) { 2427 kfree(namep); 2428 return rc; 2429 } 2430 *value = context; 2431 *len = clen; 2432 } 2433 2434 return 0; 2435 } 2436 2437 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask) 2438 { 2439 return may_create(dir, dentry, SECCLASS_FILE); 2440 } 2441 2442 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2443 { 2444 int rc; 2445 2446 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry); 2447 if (rc) 2448 return rc; 2449 return may_link(dir, old_dentry, MAY_LINK); 2450 } 2451 2452 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2453 { 2454 int rc; 2455 2456 rc = secondary_ops->inode_unlink(dir, dentry); 2457 if (rc) 2458 return rc; 2459 return may_link(dir, dentry, MAY_UNLINK); 2460 } 2461 2462 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2463 { 2464 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2465 } 2466 2467 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask) 2468 { 2469 return may_create(dir, dentry, SECCLASS_DIR); 2470 } 2471 2472 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2473 { 2474 return may_link(dir, dentry, MAY_RMDIR); 2475 } 2476 2477 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) 2478 { 2479 int rc; 2480 2481 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev); 2482 if (rc) 2483 return rc; 2484 2485 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2486 } 2487 2488 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2489 struct inode *new_inode, struct dentry *new_dentry) 2490 { 2491 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2492 } 2493 2494 static int selinux_inode_readlink(struct dentry *dentry) 2495 { 2496 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2497 } 2498 2499 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) 2500 { 2501 int rc; 2502 2503 rc = secondary_ops->inode_follow_link(dentry,nameidata); 2504 if (rc) 2505 return rc; 2506 return dentry_has_perm(current, NULL, dentry, FILE__READ); 2507 } 2508 2509 static int selinux_inode_permission(struct inode *inode, int mask, 2510 struct nameidata *nd) 2511 { 2512 int rc; 2513 2514 rc = secondary_ops->inode_permission(inode, mask, nd); 2515 if (rc) 2516 return rc; 2517 2518 if (!mask) { 2519 /* No permission to check. Existence test. */ 2520 return 0; 2521 } 2522 2523 return inode_has_perm(current, inode, 2524 file_mask_to_av(inode->i_mode, mask), NULL); 2525 } 2526 2527 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2528 { 2529 int rc; 2530 2531 rc = secondary_ops->inode_setattr(dentry, iattr); 2532 if (rc) 2533 return rc; 2534 2535 if (iattr->ia_valid & ATTR_FORCE) 2536 return 0; 2537 2538 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 2539 ATTR_ATIME_SET | ATTR_MTIME_SET)) 2540 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2541 2542 return dentry_has_perm(current, NULL, dentry, FILE__WRITE); 2543 } 2544 2545 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 2546 { 2547 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR); 2548 } 2549 2550 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name) 2551 { 2552 if (!strncmp(name, XATTR_SECURITY_PREFIX, 2553 sizeof XATTR_SECURITY_PREFIX - 1)) { 2554 if (!strcmp(name, XATTR_NAME_CAPS)) { 2555 if (!capable(CAP_SETFCAP)) 2556 return -EPERM; 2557 } else if (!capable(CAP_SYS_ADMIN)) { 2558 /* A different attribute in the security namespace. 2559 Restrict to administrator. */ 2560 return -EPERM; 2561 } 2562 } 2563 2564 /* Not an attribute we recognize, so just check the 2565 ordinary setattr permission. */ 2566 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); 2567 } 2568 2569 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags) 2570 { 2571 struct task_security_struct *tsec = current->security; 2572 struct inode *inode = dentry->d_inode; 2573 struct inode_security_struct *isec = inode->i_security; 2574 struct superblock_security_struct *sbsec; 2575 struct avc_audit_data ad; 2576 u32 newsid; 2577 int rc = 0; 2578 2579 if (strcmp(name, XATTR_NAME_SELINUX)) 2580 return selinux_inode_setotherxattr(dentry, name); 2581 2582 sbsec = inode->i_sb->s_security; 2583 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 2584 return -EOPNOTSUPP; 2585 2586 if (!is_owner_or_cap(inode)) 2587 return -EPERM; 2588 2589 AVC_AUDIT_DATA_INIT(&ad,FS); 2590 ad.u.fs.dentry = dentry; 2591 2592 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, 2593 FILE__RELABELFROM, &ad); 2594 if (rc) 2595 return rc; 2596 2597 rc = security_context_to_sid(value, size, &newsid); 2598 if (rc) 2599 return rc; 2600 2601 rc = avc_has_perm(tsec->sid, newsid, isec->sclass, 2602 FILE__RELABELTO, &ad); 2603 if (rc) 2604 return rc; 2605 2606 rc = security_validate_transition(isec->sid, newsid, tsec->sid, 2607 isec->sclass); 2608 if (rc) 2609 return rc; 2610 2611 return avc_has_perm(newsid, 2612 sbsec->sid, 2613 SECCLASS_FILESYSTEM, 2614 FILESYSTEM__ASSOCIATE, 2615 &ad); 2616 } 2617 2618 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, 2619 void *value, size_t size, int flags) 2620 { 2621 struct inode *inode = dentry->d_inode; 2622 struct inode_security_struct *isec = inode->i_security; 2623 u32 newsid; 2624 int rc; 2625 2626 if (strcmp(name, XATTR_NAME_SELINUX)) { 2627 /* Not an attribute we recognize, so nothing to do. */ 2628 return; 2629 } 2630 2631 rc = security_context_to_sid(value, size, &newsid); 2632 if (rc) { 2633 printk(KERN_WARNING "%s: unable to obtain SID for context " 2634 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc); 2635 return; 2636 } 2637 2638 isec->sid = newsid; 2639 return; 2640 } 2641 2642 static int selinux_inode_getxattr (struct dentry *dentry, char *name) 2643 { 2644 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2645 } 2646 2647 static int selinux_inode_listxattr (struct dentry *dentry) 2648 { 2649 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); 2650 } 2651 2652 static int selinux_inode_removexattr (struct dentry *dentry, char *name) 2653 { 2654 if (strcmp(name, XATTR_NAME_SELINUX)) 2655 return selinux_inode_setotherxattr(dentry, name); 2656 2657 /* No one is allowed to remove a SELinux security label. 2658 You can change the label, but all data must be labeled. */ 2659 return -EACCES; 2660 } 2661 2662 /* 2663 * Copy the in-core inode security context value to the user. If the 2664 * getxattr() prior to this succeeded, check to see if we need to 2665 * canonicalize the value to be finally returned to the user. 2666 * 2667 * Permission check is handled by selinux_inode_getxattr hook. 2668 */ 2669 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc) 2670 { 2671 u32 size; 2672 int error; 2673 char *context = NULL; 2674 struct inode_security_struct *isec = inode->i_security; 2675 2676 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2677 return -EOPNOTSUPP; 2678 2679 error = security_sid_to_context(isec->sid, &context, &size); 2680 if (error) 2681 return error; 2682 error = size; 2683 if (alloc) { 2684 *buffer = context; 2685 goto out_nofree; 2686 } 2687 kfree(context); 2688 out_nofree: 2689 return error; 2690 } 2691 2692 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 2693 const void *value, size_t size, int flags) 2694 { 2695 struct inode_security_struct *isec = inode->i_security; 2696 u32 newsid; 2697 int rc; 2698 2699 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 2700 return -EOPNOTSUPP; 2701 2702 if (!value || !size) 2703 return -EACCES; 2704 2705 rc = security_context_to_sid((void*)value, size, &newsid); 2706 if (rc) 2707 return rc; 2708 2709 isec->sid = newsid; 2710 return 0; 2711 } 2712 2713 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 2714 { 2715 const int len = sizeof(XATTR_NAME_SELINUX); 2716 if (buffer && len <= buffer_size) 2717 memcpy(buffer, XATTR_NAME_SELINUX, len); 2718 return len; 2719 } 2720 2721 static int selinux_inode_need_killpriv(struct dentry *dentry) 2722 { 2723 return secondary_ops->inode_need_killpriv(dentry); 2724 } 2725 2726 static int selinux_inode_killpriv(struct dentry *dentry) 2727 { 2728 return secondary_ops->inode_killpriv(dentry); 2729 } 2730 2731 /* file security operations */ 2732 2733 static int selinux_revalidate_file_permission(struct file *file, int mask) 2734 { 2735 int rc; 2736 struct inode *inode = file->f_path.dentry->d_inode; 2737 2738 if (!mask) { 2739 /* No permission to check. Existence test. */ 2740 return 0; 2741 } 2742 2743 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 2744 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 2745 mask |= MAY_APPEND; 2746 2747 rc = file_has_perm(current, file, 2748 file_mask_to_av(inode->i_mode, mask)); 2749 if (rc) 2750 return rc; 2751 2752 return selinux_netlbl_inode_permission(inode, mask); 2753 } 2754 2755 static int selinux_file_permission(struct file *file, int mask) 2756 { 2757 struct inode *inode = file->f_path.dentry->d_inode; 2758 struct task_security_struct *tsec = current->security; 2759 struct file_security_struct *fsec = file->f_security; 2760 struct inode_security_struct *isec = inode->i_security; 2761 2762 if (!mask) { 2763 /* No permission to check. Existence test. */ 2764 return 0; 2765 } 2766 2767 if (tsec->sid == fsec->sid && fsec->isid == isec->sid 2768 && fsec->pseqno == avc_policy_seqno()) 2769 return selinux_netlbl_inode_permission(inode, mask); 2770 2771 return selinux_revalidate_file_permission(file, mask); 2772 } 2773 2774 static int selinux_file_alloc_security(struct file *file) 2775 { 2776 return file_alloc_security(file); 2777 } 2778 2779 static void selinux_file_free_security(struct file *file) 2780 { 2781 file_free_security(file); 2782 } 2783 2784 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 2785 unsigned long arg) 2786 { 2787 int error = 0; 2788 2789 switch (cmd) { 2790 case FIONREAD: 2791 /* fall through */ 2792 case FIBMAP: 2793 /* fall through */ 2794 case FIGETBSZ: 2795 /* fall through */ 2796 case EXT2_IOC_GETFLAGS: 2797 /* fall through */ 2798 case EXT2_IOC_GETVERSION: 2799 error = file_has_perm(current, file, FILE__GETATTR); 2800 break; 2801 2802 case EXT2_IOC_SETFLAGS: 2803 /* fall through */ 2804 case EXT2_IOC_SETVERSION: 2805 error = file_has_perm(current, file, FILE__SETATTR); 2806 break; 2807 2808 /* sys_ioctl() checks */ 2809 case FIONBIO: 2810 /* fall through */ 2811 case FIOASYNC: 2812 error = file_has_perm(current, file, 0); 2813 break; 2814 2815 case KDSKBENT: 2816 case KDSKBSENT: 2817 error = task_has_capability(current,CAP_SYS_TTY_CONFIG); 2818 break; 2819 2820 /* default case assumes that the command will go 2821 * to the file's ioctl() function. 2822 */ 2823 default: 2824 error = file_has_perm(current, file, FILE__IOCTL); 2825 2826 } 2827 return error; 2828 } 2829 2830 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 2831 { 2832 #ifndef CONFIG_PPC32 2833 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { 2834 /* 2835 * We are making executable an anonymous mapping or a 2836 * private file mapping that will also be writable. 2837 * This has an additional check. 2838 */ 2839 int rc = task_has_perm(current, current, PROCESS__EXECMEM); 2840 if (rc) 2841 return rc; 2842 } 2843 #endif 2844 2845 if (file) { 2846 /* read access is always possible with a mapping */ 2847 u32 av = FILE__READ; 2848 2849 /* write access only matters if the mapping is shared */ 2850 if (shared && (prot & PROT_WRITE)) 2851 av |= FILE__WRITE; 2852 2853 if (prot & PROT_EXEC) 2854 av |= FILE__EXECUTE; 2855 2856 return file_has_perm(current, file, av); 2857 } 2858 return 0; 2859 } 2860 2861 static int selinux_file_mmap(struct file *file, unsigned long reqprot, 2862 unsigned long prot, unsigned long flags, 2863 unsigned long addr, unsigned long addr_only) 2864 { 2865 int rc = 0; 2866 u32 sid = ((struct task_security_struct*)(current->security))->sid; 2867 2868 if (addr < mmap_min_addr) 2869 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 2870 MEMPROTECT__MMAP_ZERO, NULL); 2871 if (rc || addr_only) 2872 return rc; 2873 2874 if (selinux_checkreqprot) 2875 prot = reqprot; 2876 2877 return file_map_prot_check(file, prot, 2878 (flags & MAP_TYPE) == MAP_SHARED); 2879 } 2880 2881 static int selinux_file_mprotect(struct vm_area_struct *vma, 2882 unsigned long reqprot, 2883 unsigned long prot) 2884 { 2885 int rc; 2886 2887 rc = secondary_ops->file_mprotect(vma, reqprot, prot); 2888 if (rc) 2889 return rc; 2890 2891 if (selinux_checkreqprot) 2892 prot = reqprot; 2893 2894 #ifndef CONFIG_PPC32 2895 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 2896 rc = 0; 2897 if (vma->vm_start >= vma->vm_mm->start_brk && 2898 vma->vm_end <= vma->vm_mm->brk) { 2899 rc = task_has_perm(current, current, 2900 PROCESS__EXECHEAP); 2901 } else if (!vma->vm_file && 2902 vma->vm_start <= vma->vm_mm->start_stack && 2903 vma->vm_end >= vma->vm_mm->start_stack) { 2904 rc = task_has_perm(current, current, PROCESS__EXECSTACK); 2905 } else if (vma->vm_file && vma->anon_vma) { 2906 /* 2907 * We are making executable a file mapping that has 2908 * had some COW done. Since pages might have been 2909 * written, check ability to execute the possibly 2910 * modified content. This typically should only 2911 * occur for text relocations. 2912 */ 2913 rc = file_has_perm(current, vma->vm_file, 2914 FILE__EXECMOD); 2915 } 2916 if (rc) 2917 return rc; 2918 } 2919 #endif 2920 2921 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 2922 } 2923 2924 static int selinux_file_lock(struct file *file, unsigned int cmd) 2925 { 2926 return file_has_perm(current, file, FILE__LOCK); 2927 } 2928 2929 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 2930 unsigned long arg) 2931 { 2932 int err = 0; 2933 2934 switch (cmd) { 2935 case F_SETFL: 2936 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { 2937 err = -EINVAL; 2938 break; 2939 } 2940 2941 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 2942 err = file_has_perm(current, file,FILE__WRITE); 2943 break; 2944 } 2945 /* fall through */ 2946 case F_SETOWN: 2947 case F_SETSIG: 2948 case F_GETFL: 2949 case F_GETOWN: 2950 case F_GETSIG: 2951 /* Just check FD__USE permission */ 2952 err = file_has_perm(current, file, 0); 2953 break; 2954 case F_GETLK: 2955 case F_SETLK: 2956 case F_SETLKW: 2957 #if BITS_PER_LONG == 32 2958 case F_GETLK64: 2959 case F_SETLK64: 2960 case F_SETLKW64: 2961 #endif 2962 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { 2963 err = -EINVAL; 2964 break; 2965 } 2966 err = file_has_perm(current, file, FILE__LOCK); 2967 break; 2968 } 2969 2970 return err; 2971 } 2972 2973 static int selinux_file_set_fowner(struct file *file) 2974 { 2975 struct task_security_struct *tsec; 2976 struct file_security_struct *fsec; 2977 2978 tsec = current->security; 2979 fsec = file->f_security; 2980 fsec->fown_sid = tsec->sid; 2981 2982 return 0; 2983 } 2984 2985 static int selinux_file_send_sigiotask(struct task_struct *tsk, 2986 struct fown_struct *fown, int signum) 2987 { 2988 struct file *file; 2989 u32 perm; 2990 struct task_security_struct *tsec; 2991 struct file_security_struct *fsec; 2992 2993 /* struct fown_struct is never outside the context of a struct file */ 2994 file = container_of(fown, struct file, f_owner); 2995 2996 tsec = tsk->security; 2997 fsec = file->f_security; 2998 2999 if (!signum) 3000 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3001 else 3002 perm = signal_to_av(signum); 3003 3004 return avc_has_perm(fsec->fown_sid, tsec->sid, 3005 SECCLASS_PROCESS, perm, NULL); 3006 } 3007 3008 static int selinux_file_receive(struct file *file) 3009 { 3010 return file_has_perm(current, file, file_to_av(file)); 3011 } 3012 3013 static int selinux_dentry_open(struct file *file) 3014 { 3015 struct file_security_struct *fsec; 3016 struct inode *inode; 3017 struct inode_security_struct *isec; 3018 inode = file->f_path.dentry->d_inode; 3019 fsec = file->f_security; 3020 isec = inode->i_security; 3021 /* 3022 * Save inode label and policy sequence number 3023 * at open-time so that selinux_file_permission 3024 * can determine whether revalidation is necessary. 3025 * Task label is already saved in the file security 3026 * struct as its SID. 3027 */ 3028 fsec->isid = isec->sid; 3029 fsec->pseqno = avc_policy_seqno(); 3030 /* 3031 * Since the inode label or policy seqno may have changed 3032 * between the selinux_inode_permission check and the saving 3033 * of state above, recheck that access is still permitted. 3034 * Otherwise, access might never be revalidated against the 3035 * new inode label or new policy. 3036 * This check is not redundant - do not remove. 3037 */ 3038 return inode_has_perm(current, inode, file_to_av(file), NULL); 3039 } 3040 3041 /* task security operations */ 3042 3043 static int selinux_task_create(unsigned long clone_flags) 3044 { 3045 int rc; 3046 3047 rc = secondary_ops->task_create(clone_flags); 3048 if (rc) 3049 return rc; 3050 3051 return task_has_perm(current, current, PROCESS__FORK); 3052 } 3053 3054 static int selinux_task_alloc_security(struct task_struct *tsk) 3055 { 3056 struct task_security_struct *tsec1, *tsec2; 3057 int rc; 3058 3059 tsec1 = current->security; 3060 3061 rc = task_alloc_security(tsk); 3062 if (rc) 3063 return rc; 3064 tsec2 = tsk->security; 3065 3066 tsec2->osid = tsec1->osid; 3067 tsec2->sid = tsec1->sid; 3068 3069 /* Retain the exec, fs, key, and sock SIDs across fork */ 3070 tsec2->exec_sid = tsec1->exec_sid; 3071 tsec2->create_sid = tsec1->create_sid; 3072 tsec2->keycreate_sid = tsec1->keycreate_sid; 3073 tsec2->sockcreate_sid = tsec1->sockcreate_sid; 3074 3075 /* Retain ptracer SID across fork, if any. 3076 This will be reset by the ptrace hook upon any 3077 subsequent ptrace_attach operations. */ 3078 tsec2->ptrace_sid = tsec1->ptrace_sid; 3079 3080 return 0; 3081 } 3082 3083 static void selinux_task_free_security(struct task_struct *tsk) 3084 { 3085 task_free_security(tsk); 3086 } 3087 3088 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 3089 { 3090 /* Since setuid only affects the current process, and 3091 since the SELinux controls are not based on the Linux 3092 identity attributes, SELinux does not need to control 3093 this operation. However, SELinux does control the use 3094 of the CAP_SETUID and CAP_SETGID capabilities using the 3095 capable hook. */ 3096 return 0; 3097 } 3098 3099 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 3100 { 3101 return secondary_ops->task_post_setuid(id0,id1,id2,flags); 3102 } 3103 3104 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) 3105 { 3106 /* See the comment for setuid above. */ 3107 return 0; 3108 } 3109 3110 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3111 { 3112 return task_has_perm(current, p, PROCESS__SETPGID); 3113 } 3114 3115 static int selinux_task_getpgid(struct task_struct *p) 3116 { 3117 return task_has_perm(current, p, PROCESS__GETPGID); 3118 } 3119 3120 static int selinux_task_getsid(struct task_struct *p) 3121 { 3122 return task_has_perm(current, p, PROCESS__GETSESSION); 3123 } 3124 3125 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3126 { 3127 selinux_get_task_sid(p, secid); 3128 } 3129 3130 static int selinux_task_setgroups(struct group_info *group_info) 3131 { 3132 /* See the comment for setuid above. */ 3133 return 0; 3134 } 3135 3136 static int selinux_task_setnice(struct task_struct *p, int nice) 3137 { 3138 int rc; 3139 3140 rc = secondary_ops->task_setnice(p, nice); 3141 if (rc) 3142 return rc; 3143 3144 return task_has_perm(current,p, PROCESS__SETSCHED); 3145 } 3146 3147 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3148 { 3149 int rc; 3150 3151 rc = secondary_ops->task_setioprio(p, ioprio); 3152 if (rc) 3153 return rc; 3154 3155 return task_has_perm(current, p, PROCESS__SETSCHED); 3156 } 3157 3158 static int selinux_task_getioprio(struct task_struct *p) 3159 { 3160 return task_has_perm(current, p, PROCESS__GETSCHED); 3161 } 3162 3163 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) 3164 { 3165 struct rlimit *old_rlim = current->signal->rlim + resource; 3166 int rc; 3167 3168 rc = secondary_ops->task_setrlimit(resource, new_rlim); 3169 if (rc) 3170 return rc; 3171 3172 /* Control the ability to change the hard limit (whether 3173 lowering or raising it), so that the hard limit can 3174 later be used as a safe reset point for the soft limit 3175 upon context transitions. See selinux_bprm_apply_creds. */ 3176 if (old_rlim->rlim_max != new_rlim->rlim_max) 3177 return task_has_perm(current, current, PROCESS__SETRLIMIT); 3178 3179 return 0; 3180 } 3181 3182 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp) 3183 { 3184 int rc; 3185 3186 rc = secondary_ops->task_setscheduler(p, policy, lp); 3187 if (rc) 3188 return rc; 3189 3190 return task_has_perm(current, p, PROCESS__SETSCHED); 3191 } 3192 3193 static int selinux_task_getscheduler(struct task_struct *p) 3194 { 3195 return task_has_perm(current, p, PROCESS__GETSCHED); 3196 } 3197 3198 static int selinux_task_movememory(struct task_struct *p) 3199 { 3200 return task_has_perm(current, p, PROCESS__SETSCHED); 3201 } 3202 3203 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 3204 int sig, u32 secid) 3205 { 3206 u32 perm; 3207 int rc; 3208 struct task_security_struct *tsec; 3209 3210 rc = secondary_ops->task_kill(p, info, sig, secid); 3211 if (rc) 3212 return rc; 3213 3214 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info))) 3215 return 0; 3216 3217 if (!sig) 3218 perm = PROCESS__SIGNULL; /* null signal; existence test */ 3219 else 3220 perm = signal_to_av(sig); 3221 tsec = p->security; 3222 if (secid) 3223 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL); 3224 else 3225 rc = task_has_perm(current, p, perm); 3226 return rc; 3227 } 3228 3229 static int selinux_task_prctl(int option, 3230 unsigned long arg2, 3231 unsigned long arg3, 3232 unsigned long arg4, 3233 unsigned long arg5) 3234 { 3235 /* The current prctl operations do not appear to require 3236 any SELinux controls since they merely observe or modify 3237 the state of the current process. */ 3238 return 0; 3239 } 3240 3241 static int selinux_task_wait(struct task_struct *p) 3242 { 3243 return task_has_perm(p, current, PROCESS__SIGCHLD); 3244 } 3245 3246 static void selinux_task_reparent_to_init(struct task_struct *p) 3247 { 3248 struct task_security_struct *tsec; 3249 3250 secondary_ops->task_reparent_to_init(p); 3251 3252 tsec = p->security; 3253 tsec->osid = tsec->sid; 3254 tsec->sid = SECINITSID_KERNEL; 3255 return; 3256 } 3257 3258 static void selinux_task_to_inode(struct task_struct *p, 3259 struct inode *inode) 3260 { 3261 struct task_security_struct *tsec = p->security; 3262 struct inode_security_struct *isec = inode->i_security; 3263 3264 isec->sid = tsec->sid; 3265 isec->initialized = 1; 3266 return; 3267 } 3268 3269 /* Returns error only if unable to parse addresses */ 3270 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 3271 struct avc_audit_data *ad, u8 *proto) 3272 { 3273 int offset, ihlen, ret = -EINVAL; 3274 struct iphdr _iph, *ih; 3275 3276 offset = skb_network_offset(skb); 3277 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 3278 if (ih == NULL) 3279 goto out; 3280 3281 ihlen = ih->ihl * 4; 3282 if (ihlen < sizeof(_iph)) 3283 goto out; 3284 3285 ad->u.net.v4info.saddr = ih->saddr; 3286 ad->u.net.v4info.daddr = ih->daddr; 3287 ret = 0; 3288 3289 if (proto) 3290 *proto = ih->protocol; 3291 3292 switch (ih->protocol) { 3293 case IPPROTO_TCP: { 3294 struct tcphdr _tcph, *th; 3295 3296 if (ntohs(ih->frag_off) & IP_OFFSET) 3297 break; 3298 3299 offset += ihlen; 3300 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3301 if (th == NULL) 3302 break; 3303 3304 ad->u.net.sport = th->source; 3305 ad->u.net.dport = th->dest; 3306 break; 3307 } 3308 3309 case IPPROTO_UDP: { 3310 struct udphdr _udph, *uh; 3311 3312 if (ntohs(ih->frag_off) & IP_OFFSET) 3313 break; 3314 3315 offset += ihlen; 3316 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3317 if (uh == NULL) 3318 break; 3319 3320 ad->u.net.sport = uh->source; 3321 ad->u.net.dport = uh->dest; 3322 break; 3323 } 3324 3325 case IPPROTO_DCCP: { 3326 struct dccp_hdr _dccph, *dh; 3327 3328 if (ntohs(ih->frag_off) & IP_OFFSET) 3329 break; 3330 3331 offset += ihlen; 3332 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3333 if (dh == NULL) 3334 break; 3335 3336 ad->u.net.sport = dh->dccph_sport; 3337 ad->u.net.dport = dh->dccph_dport; 3338 break; 3339 } 3340 3341 default: 3342 break; 3343 } 3344 out: 3345 return ret; 3346 } 3347 3348 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3349 3350 /* Returns error only if unable to parse addresses */ 3351 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 3352 struct avc_audit_data *ad, u8 *proto) 3353 { 3354 u8 nexthdr; 3355 int ret = -EINVAL, offset; 3356 struct ipv6hdr _ipv6h, *ip6; 3357 3358 offset = skb_network_offset(skb); 3359 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3360 if (ip6 == NULL) 3361 goto out; 3362 3363 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr); 3364 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr); 3365 ret = 0; 3366 3367 nexthdr = ip6->nexthdr; 3368 offset += sizeof(_ipv6h); 3369 offset = ipv6_skip_exthdr(skb, offset, &nexthdr); 3370 if (offset < 0) 3371 goto out; 3372 3373 if (proto) 3374 *proto = nexthdr; 3375 3376 switch (nexthdr) { 3377 case IPPROTO_TCP: { 3378 struct tcphdr _tcph, *th; 3379 3380 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3381 if (th == NULL) 3382 break; 3383 3384 ad->u.net.sport = th->source; 3385 ad->u.net.dport = th->dest; 3386 break; 3387 } 3388 3389 case IPPROTO_UDP: { 3390 struct udphdr _udph, *uh; 3391 3392 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3393 if (uh == NULL) 3394 break; 3395 3396 ad->u.net.sport = uh->source; 3397 ad->u.net.dport = uh->dest; 3398 break; 3399 } 3400 3401 case IPPROTO_DCCP: { 3402 struct dccp_hdr _dccph, *dh; 3403 3404 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3405 if (dh == NULL) 3406 break; 3407 3408 ad->u.net.sport = dh->dccph_sport; 3409 ad->u.net.dport = dh->dccph_dport; 3410 break; 3411 } 3412 3413 /* includes fragments */ 3414 default: 3415 break; 3416 } 3417 out: 3418 return ret; 3419 } 3420 3421 #endif /* IPV6 */ 3422 3423 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, 3424 char **addrp, int src, u8 *proto) 3425 { 3426 int ret = 0; 3427 3428 switch (ad->u.net.family) { 3429 case PF_INET: 3430 ret = selinux_parse_skb_ipv4(skb, ad, proto); 3431 if (ret || !addrp) 3432 break; 3433 *addrp = (char *)(src ? &ad->u.net.v4info.saddr : 3434 &ad->u.net.v4info.daddr); 3435 break; 3436 3437 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3438 case PF_INET6: 3439 ret = selinux_parse_skb_ipv6(skb, ad, proto); 3440 if (ret || !addrp) 3441 break; 3442 *addrp = (char *)(src ? &ad->u.net.v6info.saddr : 3443 &ad->u.net.v6info.daddr); 3444 break; 3445 #endif /* IPV6 */ 3446 default: 3447 break; 3448 } 3449 3450 if (unlikely(ret)) 3451 printk(KERN_WARNING 3452 "SELinux: failure in selinux_parse_skb()," 3453 " unable to parse packet\n"); 3454 3455 return ret; 3456 } 3457 3458 /** 3459 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 3460 * @skb: the packet 3461 * @family: protocol family 3462 * @sid: the packet's peer label SID 3463 * 3464 * Description: 3465 * Check the various different forms of network peer labeling and determine 3466 * the peer label/SID for the packet; most of the magic actually occurs in 3467 * the security server function security_net_peersid_cmp(). The function 3468 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 3469 * or -EACCES if @sid is invalid due to inconsistencies with the different 3470 * peer labels. 3471 * 3472 */ 3473 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 3474 { 3475 int err; 3476 u32 xfrm_sid; 3477 u32 nlbl_sid; 3478 u32 nlbl_type; 3479 3480 selinux_skb_xfrm_sid(skb, &xfrm_sid); 3481 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 3482 3483 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 3484 if (unlikely(err)) { 3485 printk(KERN_WARNING 3486 "SELinux: failure in selinux_skb_peerlbl_sid()," 3487 " unable to determine packet's peer label\n"); 3488 return -EACCES; 3489 } 3490 3491 return 0; 3492 } 3493 3494 /* socket security operations */ 3495 static int socket_has_perm(struct task_struct *task, struct socket *sock, 3496 u32 perms) 3497 { 3498 struct inode_security_struct *isec; 3499 struct task_security_struct *tsec; 3500 struct avc_audit_data ad; 3501 int err = 0; 3502 3503 tsec = task->security; 3504 isec = SOCK_INODE(sock)->i_security; 3505 3506 if (isec->sid == SECINITSID_KERNEL) 3507 goto out; 3508 3509 AVC_AUDIT_DATA_INIT(&ad,NET); 3510 ad.u.net.sk = sock->sk; 3511 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 3512 3513 out: 3514 return err; 3515 } 3516 3517 static int selinux_socket_create(int family, int type, 3518 int protocol, int kern) 3519 { 3520 int err = 0; 3521 struct task_security_struct *tsec; 3522 u32 newsid; 3523 3524 if (kern) 3525 goto out; 3526 3527 tsec = current->security; 3528 newsid = tsec->sockcreate_sid ? : tsec->sid; 3529 err = avc_has_perm(tsec->sid, newsid, 3530 socket_type_to_security_class(family, type, 3531 protocol), SOCKET__CREATE, NULL); 3532 3533 out: 3534 return err; 3535 } 3536 3537 static int selinux_socket_post_create(struct socket *sock, int family, 3538 int type, int protocol, int kern) 3539 { 3540 int err = 0; 3541 struct inode_security_struct *isec; 3542 struct task_security_struct *tsec; 3543 struct sk_security_struct *sksec; 3544 u32 newsid; 3545 3546 isec = SOCK_INODE(sock)->i_security; 3547 3548 tsec = current->security; 3549 newsid = tsec->sockcreate_sid ? : tsec->sid; 3550 isec->sclass = socket_type_to_security_class(family, type, protocol); 3551 isec->sid = kern ? SECINITSID_KERNEL : newsid; 3552 isec->initialized = 1; 3553 3554 if (sock->sk) { 3555 sksec = sock->sk->sk_security; 3556 sksec->sid = isec->sid; 3557 sksec->sclass = isec->sclass; 3558 err = selinux_netlbl_socket_post_create(sock); 3559 } 3560 3561 return err; 3562 } 3563 3564 /* Range of port numbers used to automatically bind. 3565 Need to determine whether we should perform a name_bind 3566 permission check between the socket and the port number. */ 3567 3568 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 3569 { 3570 u16 family; 3571 int err; 3572 3573 err = socket_has_perm(current, sock, SOCKET__BIND); 3574 if (err) 3575 goto out; 3576 3577 /* 3578 * If PF_INET or PF_INET6, check name_bind permission for the port. 3579 * Multiple address binding for SCTP is not supported yet: we just 3580 * check the first address now. 3581 */ 3582 family = sock->sk->sk_family; 3583 if (family == PF_INET || family == PF_INET6) { 3584 char *addrp; 3585 struct inode_security_struct *isec; 3586 struct task_security_struct *tsec; 3587 struct avc_audit_data ad; 3588 struct sockaddr_in *addr4 = NULL; 3589 struct sockaddr_in6 *addr6 = NULL; 3590 unsigned short snum; 3591 struct sock *sk = sock->sk; 3592 u32 sid, node_perm, addrlen; 3593 3594 tsec = current->security; 3595 isec = SOCK_INODE(sock)->i_security; 3596 3597 if (family == PF_INET) { 3598 addr4 = (struct sockaddr_in *)address; 3599 snum = ntohs(addr4->sin_port); 3600 addrlen = sizeof(addr4->sin_addr.s_addr); 3601 addrp = (char *)&addr4->sin_addr.s_addr; 3602 } else { 3603 addr6 = (struct sockaddr_in6 *)address; 3604 snum = ntohs(addr6->sin6_port); 3605 addrlen = sizeof(addr6->sin6_addr.s6_addr); 3606 addrp = (char *)&addr6->sin6_addr.s6_addr; 3607 } 3608 3609 if (snum) { 3610 int low, high; 3611 3612 inet_get_local_port_range(&low, &high); 3613 3614 if (snum < max(PROT_SOCK, low) || snum > high) { 3615 err = security_port_sid(sk->sk_family, 3616 sk->sk_type, 3617 sk->sk_protocol, snum, 3618 &sid); 3619 if (err) 3620 goto out; 3621 AVC_AUDIT_DATA_INIT(&ad,NET); 3622 ad.u.net.sport = htons(snum); 3623 ad.u.net.family = family; 3624 err = avc_has_perm(isec->sid, sid, 3625 isec->sclass, 3626 SOCKET__NAME_BIND, &ad); 3627 if (err) 3628 goto out; 3629 } 3630 } 3631 3632 switch(isec->sclass) { 3633 case SECCLASS_TCP_SOCKET: 3634 node_perm = TCP_SOCKET__NODE_BIND; 3635 break; 3636 3637 case SECCLASS_UDP_SOCKET: 3638 node_perm = UDP_SOCKET__NODE_BIND; 3639 break; 3640 3641 case SECCLASS_DCCP_SOCKET: 3642 node_perm = DCCP_SOCKET__NODE_BIND; 3643 break; 3644 3645 default: 3646 node_perm = RAWIP_SOCKET__NODE_BIND; 3647 break; 3648 } 3649 3650 err = sel_netnode_sid(addrp, family, &sid); 3651 if (err) 3652 goto out; 3653 3654 AVC_AUDIT_DATA_INIT(&ad,NET); 3655 ad.u.net.sport = htons(snum); 3656 ad.u.net.family = family; 3657 3658 if (family == PF_INET) 3659 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr; 3660 else 3661 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr); 3662 3663 err = avc_has_perm(isec->sid, sid, 3664 isec->sclass, node_perm, &ad); 3665 if (err) 3666 goto out; 3667 } 3668 out: 3669 return err; 3670 } 3671 3672 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 3673 { 3674 struct inode_security_struct *isec; 3675 int err; 3676 3677 err = socket_has_perm(current, sock, SOCKET__CONNECT); 3678 if (err) 3679 return err; 3680 3681 /* 3682 * If a TCP or DCCP socket, check name_connect permission for the port. 3683 */ 3684 isec = SOCK_INODE(sock)->i_security; 3685 if (isec->sclass == SECCLASS_TCP_SOCKET || 3686 isec->sclass == SECCLASS_DCCP_SOCKET) { 3687 struct sock *sk = sock->sk; 3688 struct avc_audit_data ad; 3689 struct sockaddr_in *addr4 = NULL; 3690 struct sockaddr_in6 *addr6 = NULL; 3691 unsigned short snum; 3692 u32 sid, perm; 3693 3694 if (sk->sk_family == PF_INET) { 3695 addr4 = (struct sockaddr_in *)address; 3696 if (addrlen < sizeof(struct sockaddr_in)) 3697 return -EINVAL; 3698 snum = ntohs(addr4->sin_port); 3699 } else { 3700 addr6 = (struct sockaddr_in6 *)address; 3701 if (addrlen < SIN6_LEN_RFC2133) 3702 return -EINVAL; 3703 snum = ntohs(addr6->sin6_port); 3704 } 3705 3706 err = security_port_sid(sk->sk_family, sk->sk_type, 3707 sk->sk_protocol, snum, &sid); 3708 if (err) 3709 goto out; 3710 3711 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? 3712 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 3713 3714 AVC_AUDIT_DATA_INIT(&ad,NET); 3715 ad.u.net.dport = htons(snum); 3716 ad.u.net.family = sk->sk_family; 3717 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); 3718 if (err) 3719 goto out; 3720 } 3721 3722 out: 3723 return err; 3724 } 3725 3726 static int selinux_socket_listen(struct socket *sock, int backlog) 3727 { 3728 return socket_has_perm(current, sock, SOCKET__LISTEN); 3729 } 3730 3731 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 3732 { 3733 int err; 3734 struct inode_security_struct *isec; 3735 struct inode_security_struct *newisec; 3736 3737 err = socket_has_perm(current, sock, SOCKET__ACCEPT); 3738 if (err) 3739 return err; 3740 3741 newisec = SOCK_INODE(newsock)->i_security; 3742 3743 isec = SOCK_INODE(sock)->i_security; 3744 newisec->sclass = isec->sclass; 3745 newisec->sid = isec->sid; 3746 newisec->initialized = 1; 3747 3748 return 0; 3749 } 3750 3751 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3752 int size) 3753 { 3754 int rc; 3755 3756 rc = socket_has_perm(current, sock, SOCKET__WRITE); 3757 if (rc) 3758 return rc; 3759 3760 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE); 3761 } 3762 3763 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 3764 int size, int flags) 3765 { 3766 return socket_has_perm(current, sock, SOCKET__READ); 3767 } 3768 3769 static int selinux_socket_getsockname(struct socket *sock) 3770 { 3771 return socket_has_perm(current, sock, SOCKET__GETATTR); 3772 } 3773 3774 static int selinux_socket_getpeername(struct socket *sock) 3775 { 3776 return socket_has_perm(current, sock, SOCKET__GETATTR); 3777 } 3778 3779 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname) 3780 { 3781 int err; 3782 3783 err = socket_has_perm(current, sock, SOCKET__SETOPT); 3784 if (err) 3785 return err; 3786 3787 return selinux_netlbl_socket_setsockopt(sock, level, optname); 3788 } 3789 3790 static int selinux_socket_getsockopt(struct socket *sock, int level, 3791 int optname) 3792 { 3793 return socket_has_perm(current, sock, SOCKET__GETOPT); 3794 } 3795 3796 static int selinux_socket_shutdown(struct socket *sock, int how) 3797 { 3798 return socket_has_perm(current, sock, SOCKET__SHUTDOWN); 3799 } 3800 3801 static int selinux_socket_unix_stream_connect(struct socket *sock, 3802 struct socket *other, 3803 struct sock *newsk) 3804 { 3805 struct sk_security_struct *ssec; 3806 struct inode_security_struct *isec; 3807 struct inode_security_struct *other_isec; 3808 struct avc_audit_data ad; 3809 int err; 3810 3811 err = secondary_ops->unix_stream_connect(sock, other, newsk); 3812 if (err) 3813 return err; 3814 3815 isec = SOCK_INODE(sock)->i_security; 3816 other_isec = SOCK_INODE(other)->i_security; 3817 3818 AVC_AUDIT_DATA_INIT(&ad,NET); 3819 ad.u.net.sk = other->sk; 3820 3821 err = avc_has_perm(isec->sid, other_isec->sid, 3822 isec->sclass, 3823 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 3824 if (err) 3825 return err; 3826 3827 /* connecting socket */ 3828 ssec = sock->sk->sk_security; 3829 ssec->peer_sid = other_isec->sid; 3830 3831 /* server child socket */ 3832 ssec = newsk->sk_security; 3833 ssec->peer_sid = isec->sid; 3834 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid); 3835 3836 return err; 3837 } 3838 3839 static int selinux_socket_unix_may_send(struct socket *sock, 3840 struct socket *other) 3841 { 3842 struct inode_security_struct *isec; 3843 struct inode_security_struct *other_isec; 3844 struct avc_audit_data ad; 3845 int err; 3846 3847 isec = SOCK_INODE(sock)->i_security; 3848 other_isec = SOCK_INODE(other)->i_security; 3849 3850 AVC_AUDIT_DATA_INIT(&ad,NET); 3851 ad.u.net.sk = other->sk; 3852 3853 err = avc_has_perm(isec->sid, other_isec->sid, 3854 isec->sclass, SOCKET__SENDTO, &ad); 3855 if (err) 3856 return err; 3857 3858 return 0; 3859 } 3860 3861 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, 3862 u32 peer_sid, 3863 struct avc_audit_data *ad) 3864 { 3865 int err; 3866 u32 if_sid; 3867 u32 node_sid; 3868 3869 err = sel_netif_sid(ifindex, &if_sid); 3870 if (err) 3871 return err; 3872 err = avc_has_perm(peer_sid, if_sid, 3873 SECCLASS_NETIF, NETIF__INGRESS, ad); 3874 if (err) 3875 return err; 3876 3877 err = sel_netnode_sid(addrp, family, &node_sid); 3878 if (err) 3879 return err; 3880 return avc_has_perm(peer_sid, node_sid, 3881 SECCLASS_NODE, NODE__RECVFROM, ad); 3882 } 3883 3884 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk, 3885 struct sk_buff *skb, 3886 struct avc_audit_data *ad, 3887 u16 family, 3888 char *addrp) 3889 { 3890 int err; 3891 struct sk_security_struct *sksec = sk->sk_security; 3892 u16 sk_class; 3893 u32 netif_perm, node_perm, recv_perm; 3894 u32 port_sid, node_sid, if_sid, sk_sid; 3895 3896 sk_sid = sksec->sid; 3897 sk_class = sksec->sclass; 3898 3899 switch (sk_class) { 3900 case SECCLASS_UDP_SOCKET: 3901 netif_perm = NETIF__UDP_RECV; 3902 node_perm = NODE__UDP_RECV; 3903 recv_perm = UDP_SOCKET__RECV_MSG; 3904 break; 3905 case SECCLASS_TCP_SOCKET: 3906 netif_perm = NETIF__TCP_RECV; 3907 node_perm = NODE__TCP_RECV; 3908 recv_perm = TCP_SOCKET__RECV_MSG; 3909 break; 3910 case SECCLASS_DCCP_SOCKET: 3911 netif_perm = NETIF__DCCP_RECV; 3912 node_perm = NODE__DCCP_RECV; 3913 recv_perm = DCCP_SOCKET__RECV_MSG; 3914 break; 3915 default: 3916 netif_perm = NETIF__RAWIP_RECV; 3917 node_perm = NODE__RAWIP_RECV; 3918 recv_perm = 0; 3919 break; 3920 } 3921 3922 err = sel_netif_sid(skb->iif, &if_sid); 3923 if (err) 3924 return err; 3925 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 3926 if (err) 3927 return err; 3928 3929 err = sel_netnode_sid(addrp, family, &node_sid); 3930 if (err) 3931 return err; 3932 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad); 3933 if (err) 3934 return err; 3935 3936 if (!recv_perm) 3937 return 0; 3938 err = security_port_sid(sk->sk_family, sk->sk_type, 3939 sk->sk_protocol, ntohs(ad->u.net.sport), 3940 &port_sid); 3941 if (unlikely(err)) { 3942 printk(KERN_WARNING 3943 "SELinux: failure in" 3944 " selinux_sock_rcv_skb_iptables_compat()," 3945 " network port label not found\n"); 3946 return err; 3947 } 3948 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad); 3949 } 3950 3951 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 3952 struct avc_audit_data *ad, 3953 u16 family, char *addrp) 3954 { 3955 int err; 3956 struct sk_security_struct *sksec = sk->sk_security; 3957 u32 peer_sid; 3958 u32 sk_sid = sksec->sid; 3959 3960 if (selinux_compat_net) 3961 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad, 3962 family, addrp); 3963 else 3964 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 3965 PACKET__RECV, ad); 3966 if (err) 3967 return err; 3968 3969 if (selinux_policycap_netpeer) { 3970 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 3971 if (err) 3972 return err; 3973 err = avc_has_perm(sk_sid, peer_sid, 3974 SECCLASS_PEER, PEER__RECV, ad); 3975 } else { 3976 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad); 3977 if (err) 3978 return err; 3979 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad); 3980 } 3981 3982 return err; 3983 } 3984 3985 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3986 { 3987 int err; 3988 struct sk_security_struct *sksec = sk->sk_security; 3989 u16 family = sk->sk_family; 3990 u32 sk_sid = sksec->sid; 3991 struct avc_audit_data ad; 3992 char *addrp; 3993 3994 if (family != PF_INET && family != PF_INET6) 3995 return 0; 3996 3997 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 3998 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 3999 family = PF_INET; 4000 4001 AVC_AUDIT_DATA_INIT(&ad, NET); 4002 ad.u.net.netif = skb->iif; 4003 ad.u.net.family = family; 4004 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4005 if (err) 4006 return err; 4007 4008 /* If any sort of compatibility mode is enabled then handoff processing 4009 * to the selinux_sock_rcv_skb_compat() function to deal with the 4010 * special handling. We do this in an attempt to keep this function 4011 * as fast and as clean as possible. */ 4012 if (selinux_compat_net || !selinux_policycap_netpeer) 4013 return selinux_sock_rcv_skb_compat(sk, skb, &ad, 4014 family, addrp); 4015 4016 if (netlbl_enabled() || selinux_xfrm_enabled()) { 4017 u32 peer_sid; 4018 4019 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4020 if (err) 4021 return err; 4022 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family, 4023 peer_sid, &ad); 4024 if (err) 4025 return err; 4026 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 4027 PEER__RECV, &ad); 4028 } 4029 4030 if (selinux_secmark_enabled()) { 4031 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4032 PACKET__RECV, &ad); 4033 if (err) 4034 return err; 4035 } 4036 4037 return err; 4038 } 4039 4040 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 4041 int __user *optlen, unsigned len) 4042 { 4043 int err = 0; 4044 char *scontext; 4045 u32 scontext_len; 4046 struct sk_security_struct *ssec; 4047 struct inode_security_struct *isec; 4048 u32 peer_sid = SECSID_NULL; 4049 4050 isec = SOCK_INODE(sock)->i_security; 4051 4052 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 4053 isec->sclass == SECCLASS_TCP_SOCKET) { 4054 ssec = sock->sk->sk_security; 4055 peer_sid = ssec->peer_sid; 4056 } 4057 if (peer_sid == SECSID_NULL) { 4058 err = -ENOPROTOOPT; 4059 goto out; 4060 } 4061 4062 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 4063 4064 if (err) 4065 goto out; 4066 4067 if (scontext_len > len) { 4068 err = -ERANGE; 4069 goto out_len; 4070 } 4071 4072 if (copy_to_user(optval, scontext, scontext_len)) 4073 err = -EFAULT; 4074 4075 out_len: 4076 if (put_user(scontext_len, optlen)) 4077 err = -EFAULT; 4078 4079 kfree(scontext); 4080 out: 4081 return err; 4082 } 4083 4084 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 4085 { 4086 u32 peer_secid = SECSID_NULL; 4087 u16 family; 4088 4089 if (sock) 4090 family = sock->sk->sk_family; 4091 else if (skb && skb->sk) 4092 family = skb->sk->sk_family; 4093 else 4094 goto out; 4095 4096 if (sock && family == PF_UNIX) 4097 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); 4098 else if (skb) 4099 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 4100 4101 out: 4102 *secid = peer_secid; 4103 if (peer_secid == SECSID_NULL) 4104 return -EINVAL; 4105 return 0; 4106 } 4107 4108 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 4109 { 4110 return sk_alloc_security(sk, family, priority); 4111 } 4112 4113 static void selinux_sk_free_security(struct sock *sk) 4114 { 4115 sk_free_security(sk); 4116 } 4117 4118 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 4119 { 4120 struct sk_security_struct *ssec = sk->sk_security; 4121 struct sk_security_struct *newssec = newsk->sk_security; 4122 4123 newssec->sid = ssec->sid; 4124 newssec->peer_sid = ssec->peer_sid; 4125 newssec->sclass = ssec->sclass; 4126 4127 selinux_netlbl_sk_security_clone(ssec, newssec); 4128 } 4129 4130 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 4131 { 4132 if (!sk) 4133 *secid = SECINITSID_ANY_SOCKET; 4134 else { 4135 struct sk_security_struct *sksec = sk->sk_security; 4136 4137 *secid = sksec->sid; 4138 } 4139 } 4140 4141 static void selinux_sock_graft(struct sock* sk, struct socket *parent) 4142 { 4143 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; 4144 struct sk_security_struct *sksec = sk->sk_security; 4145 4146 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 4147 sk->sk_family == PF_UNIX) 4148 isec->sid = sksec->sid; 4149 sksec->sclass = isec->sclass; 4150 4151 selinux_netlbl_sock_graft(sk, parent); 4152 } 4153 4154 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4155 struct request_sock *req) 4156 { 4157 struct sk_security_struct *sksec = sk->sk_security; 4158 int err; 4159 u32 newsid; 4160 u32 peersid; 4161 4162 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid); 4163 if (err) 4164 return err; 4165 if (peersid == SECSID_NULL) { 4166 req->secid = sksec->sid; 4167 req->peer_secid = SECSID_NULL; 4168 return 0; 4169 } 4170 4171 err = security_sid_mls_copy(sksec->sid, peersid, &newsid); 4172 if (err) 4173 return err; 4174 4175 req->secid = newsid; 4176 req->peer_secid = peersid; 4177 return 0; 4178 } 4179 4180 static void selinux_inet_csk_clone(struct sock *newsk, 4181 const struct request_sock *req) 4182 { 4183 struct sk_security_struct *newsksec = newsk->sk_security; 4184 4185 newsksec->sid = req->secid; 4186 newsksec->peer_sid = req->peer_secid; 4187 /* NOTE: Ideally, we should also get the isec->sid for the 4188 new socket in sync, but we don't have the isec available yet. 4189 So we will wait until sock_graft to do it, by which 4190 time it will have been created and available. */ 4191 4192 /* We don't need to take any sort of lock here as we are the only 4193 * thread with access to newsksec */ 4194 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family); 4195 } 4196 4197 static void selinux_inet_conn_established(struct sock *sk, 4198 struct sk_buff *skb) 4199 { 4200 struct sk_security_struct *sksec = sk->sk_security; 4201 4202 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid); 4203 } 4204 4205 static void selinux_req_classify_flow(const struct request_sock *req, 4206 struct flowi *fl) 4207 { 4208 fl->secid = req->secid; 4209 } 4210 4211 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 4212 { 4213 int err = 0; 4214 u32 perm; 4215 struct nlmsghdr *nlh; 4216 struct socket *sock = sk->sk_socket; 4217 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 4218 4219 if (skb->len < NLMSG_SPACE(0)) { 4220 err = -EINVAL; 4221 goto out; 4222 } 4223 nlh = nlmsg_hdr(skb); 4224 4225 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); 4226 if (err) { 4227 if (err == -EINVAL) { 4228 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR, 4229 "SELinux: unrecognized netlink message" 4230 " type=%hu for sclass=%hu\n", 4231 nlh->nlmsg_type, isec->sclass); 4232 if (!selinux_enforcing) 4233 err = 0; 4234 } 4235 4236 /* Ignore */ 4237 if (err == -ENOENT) 4238 err = 0; 4239 goto out; 4240 } 4241 4242 err = socket_has_perm(current, sock, perm); 4243 out: 4244 return err; 4245 } 4246 4247 #ifdef CONFIG_NETFILTER 4248 4249 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, 4250 u16 family) 4251 { 4252 char *addrp; 4253 u32 peer_sid; 4254 struct avc_audit_data ad; 4255 u8 secmark_active; 4256 u8 peerlbl_active; 4257 4258 if (!selinux_policycap_netpeer) 4259 return NF_ACCEPT; 4260 4261 secmark_active = selinux_secmark_enabled(); 4262 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); 4263 if (!secmark_active && !peerlbl_active) 4264 return NF_ACCEPT; 4265 4266 AVC_AUDIT_DATA_INIT(&ad, NET); 4267 ad.u.net.netif = ifindex; 4268 ad.u.net.family = family; 4269 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 4270 return NF_DROP; 4271 4272 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 4273 return NF_DROP; 4274 4275 if (peerlbl_active) 4276 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family, 4277 peer_sid, &ad) != 0) 4278 return NF_DROP; 4279 4280 if (secmark_active) 4281 if (avc_has_perm(peer_sid, skb->secmark, 4282 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 4283 return NF_DROP; 4284 4285 return NF_ACCEPT; 4286 } 4287 4288 static unsigned int selinux_ipv4_forward(unsigned int hooknum, 4289 struct sk_buff *skb, 4290 const struct net_device *in, 4291 const struct net_device *out, 4292 int (*okfn)(struct sk_buff *)) 4293 { 4294 return selinux_ip_forward(skb, in->ifindex, PF_INET); 4295 } 4296 4297 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4298 static unsigned int selinux_ipv6_forward(unsigned int hooknum, 4299 struct sk_buff *skb, 4300 const struct net_device *in, 4301 const struct net_device *out, 4302 int (*okfn)(struct sk_buff *)) 4303 { 4304 return selinux_ip_forward(skb, in->ifindex, PF_INET6); 4305 } 4306 #endif /* IPV6 */ 4307 4308 static int selinux_ip_postroute_iptables_compat(struct sock *sk, 4309 int ifindex, 4310 struct avc_audit_data *ad, 4311 u16 family, char *addrp) 4312 { 4313 int err; 4314 struct sk_security_struct *sksec = sk->sk_security; 4315 u16 sk_class; 4316 u32 netif_perm, node_perm, send_perm; 4317 u32 port_sid, node_sid, if_sid, sk_sid; 4318 4319 sk_sid = sksec->sid; 4320 sk_class = sksec->sclass; 4321 4322 switch (sk_class) { 4323 case SECCLASS_UDP_SOCKET: 4324 netif_perm = NETIF__UDP_SEND; 4325 node_perm = NODE__UDP_SEND; 4326 send_perm = UDP_SOCKET__SEND_MSG; 4327 break; 4328 case SECCLASS_TCP_SOCKET: 4329 netif_perm = NETIF__TCP_SEND; 4330 node_perm = NODE__TCP_SEND; 4331 send_perm = TCP_SOCKET__SEND_MSG; 4332 break; 4333 case SECCLASS_DCCP_SOCKET: 4334 netif_perm = NETIF__DCCP_SEND; 4335 node_perm = NODE__DCCP_SEND; 4336 send_perm = DCCP_SOCKET__SEND_MSG; 4337 break; 4338 default: 4339 netif_perm = NETIF__RAWIP_SEND; 4340 node_perm = NODE__RAWIP_SEND; 4341 send_perm = 0; 4342 break; 4343 } 4344 4345 err = sel_netif_sid(ifindex, &if_sid); 4346 if (err) 4347 return err; 4348 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 4349 return err; 4350 4351 err = sel_netnode_sid(addrp, family, &node_sid); 4352 if (err) 4353 return err; 4354 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad); 4355 if (err) 4356 return err; 4357 4358 if (send_perm != 0) 4359 return 0; 4360 4361 err = security_port_sid(sk->sk_family, sk->sk_type, 4362 sk->sk_protocol, ntohs(ad->u.net.dport), 4363 &port_sid); 4364 if (unlikely(err)) { 4365 printk(KERN_WARNING 4366 "SELinux: failure in" 4367 " selinux_ip_postroute_iptables_compat()," 4368 " network port label not found\n"); 4369 return err; 4370 } 4371 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad); 4372 } 4373 4374 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 4375 int ifindex, 4376 struct avc_audit_data *ad, 4377 u16 family, 4378 char *addrp, 4379 u8 proto) 4380 { 4381 struct sock *sk = skb->sk; 4382 struct sk_security_struct *sksec; 4383 4384 if (sk == NULL) 4385 return NF_ACCEPT; 4386 sksec = sk->sk_security; 4387 4388 if (selinux_compat_net) { 4389 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex, 4390 ad, family, addrp)) 4391 return NF_DROP; 4392 } else { 4393 if (avc_has_perm(sksec->sid, skb->secmark, 4394 SECCLASS_PACKET, PACKET__SEND, ad)) 4395 return NF_DROP; 4396 } 4397 4398 if (selinux_policycap_netpeer) 4399 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto)) 4400 return NF_DROP; 4401 4402 return NF_ACCEPT; 4403 } 4404 4405 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, 4406 u16 family) 4407 { 4408 u32 secmark_perm; 4409 u32 peer_sid; 4410 struct sock *sk; 4411 struct avc_audit_data ad; 4412 char *addrp; 4413 u8 proto; 4414 u8 secmark_active; 4415 u8 peerlbl_active; 4416 4417 AVC_AUDIT_DATA_INIT(&ad, NET); 4418 ad.u.net.netif = ifindex; 4419 ad.u.net.family = family; 4420 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 4421 return NF_DROP; 4422 4423 /* If any sort of compatibility mode is enabled then handoff processing 4424 * to the selinux_ip_postroute_compat() function to deal with the 4425 * special handling. We do this in an attempt to keep this function 4426 * as fast and as clean as possible. */ 4427 if (selinux_compat_net || !selinux_policycap_netpeer) 4428 return selinux_ip_postroute_compat(skb, ifindex, &ad, 4429 family, addrp, proto); 4430 4431 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 4432 * packet transformation so allow the packet to pass without any checks 4433 * since we'll have another chance to perform access control checks 4434 * when the packet is on it's final way out. 4435 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 4436 * is NULL, in this case go ahead and apply access control. */ 4437 if (skb->dst != NULL && skb->dst->xfrm != NULL) 4438 return NF_ACCEPT; 4439 4440 secmark_active = selinux_secmark_enabled(); 4441 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); 4442 if (!secmark_active && !peerlbl_active) 4443 return NF_ACCEPT; 4444 4445 /* if the packet is locally generated (skb->sk != NULL) then use the 4446 * socket's label as the peer label, otherwise the packet is being 4447 * forwarded through this system and we need to fetch the peer label 4448 * directly from the packet */ 4449 sk = skb->sk; 4450 if (sk) { 4451 struct sk_security_struct *sksec = sk->sk_security; 4452 peer_sid = sksec->sid; 4453 secmark_perm = PACKET__SEND; 4454 } else { 4455 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 4456 return NF_DROP; 4457 secmark_perm = PACKET__FORWARD_OUT; 4458 } 4459 4460 if (secmark_active) 4461 if (avc_has_perm(peer_sid, skb->secmark, 4462 SECCLASS_PACKET, secmark_perm, &ad)) 4463 return NF_DROP; 4464 4465 if (peerlbl_active) { 4466 u32 if_sid; 4467 u32 node_sid; 4468 4469 if (sel_netif_sid(ifindex, &if_sid)) 4470 return NF_DROP; 4471 if (avc_has_perm(peer_sid, if_sid, 4472 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 4473 return NF_DROP; 4474 4475 if (sel_netnode_sid(addrp, family, &node_sid)) 4476 return NF_DROP; 4477 if (avc_has_perm(peer_sid, node_sid, 4478 SECCLASS_NODE, NODE__SENDTO, &ad)) 4479 return NF_DROP; 4480 } 4481 4482 return NF_ACCEPT; 4483 } 4484 4485 static unsigned int selinux_ipv4_postroute(unsigned int hooknum, 4486 struct sk_buff *skb, 4487 const struct net_device *in, 4488 const struct net_device *out, 4489 int (*okfn)(struct sk_buff *)) 4490 { 4491 return selinux_ip_postroute(skb, out->ifindex, PF_INET); 4492 } 4493 4494 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4495 static unsigned int selinux_ipv6_postroute(unsigned int hooknum, 4496 struct sk_buff *skb, 4497 const struct net_device *in, 4498 const struct net_device *out, 4499 int (*okfn)(struct sk_buff *)) 4500 { 4501 return selinux_ip_postroute(skb, out->ifindex, PF_INET6); 4502 } 4503 #endif /* IPV6 */ 4504 4505 #endif /* CONFIG_NETFILTER */ 4506 4507 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 4508 { 4509 int err; 4510 4511 err = secondary_ops->netlink_send(sk, skb); 4512 if (err) 4513 return err; 4514 4515 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS) 4516 err = selinux_nlmsg_perm(sk, skb); 4517 4518 return err; 4519 } 4520 4521 static int selinux_netlink_recv(struct sk_buff *skb, int capability) 4522 { 4523 int err; 4524 struct avc_audit_data ad; 4525 4526 err = secondary_ops->netlink_recv(skb, capability); 4527 if (err) 4528 return err; 4529 4530 AVC_AUDIT_DATA_INIT(&ad, CAP); 4531 ad.u.cap = capability; 4532 4533 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, 4534 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad); 4535 } 4536 4537 static int ipc_alloc_security(struct task_struct *task, 4538 struct kern_ipc_perm *perm, 4539 u16 sclass) 4540 { 4541 struct task_security_struct *tsec = task->security; 4542 struct ipc_security_struct *isec; 4543 4544 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 4545 if (!isec) 4546 return -ENOMEM; 4547 4548 isec->sclass = sclass; 4549 isec->ipc_perm = perm; 4550 isec->sid = tsec->sid; 4551 perm->security = isec; 4552 4553 return 0; 4554 } 4555 4556 static void ipc_free_security(struct kern_ipc_perm *perm) 4557 { 4558 struct ipc_security_struct *isec = perm->security; 4559 perm->security = NULL; 4560 kfree(isec); 4561 } 4562 4563 static int msg_msg_alloc_security(struct msg_msg *msg) 4564 { 4565 struct msg_security_struct *msec; 4566 4567 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 4568 if (!msec) 4569 return -ENOMEM; 4570 4571 msec->msg = msg; 4572 msec->sid = SECINITSID_UNLABELED; 4573 msg->security = msec; 4574 4575 return 0; 4576 } 4577 4578 static void msg_msg_free_security(struct msg_msg *msg) 4579 { 4580 struct msg_security_struct *msec = msg->security; 4581 4582 msg->security = NULL; 4583 kfree(msec); 4584 } 4585 4586 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 4587 u32 perms) 4588 { 4589 struct task_security_struct *tsec; 4590 struct ipc_security_struct *isec; 4591 struct avc_audit_data ad; 4592 4593 tsec = current->security; 4594 isec = ipc_perms->security; 4595 4596 AVC_AUDIT_DATA_INIT(&ad, IPC); 4597 ad.u.ipc_id = ipc_perms->key; 4598 4599 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); 4600 } 4601 4602 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 4603 { 4604 return msg_msg_alloc_security(msg); 4605 } 4606 4607 static void selinux_msg_msg_free_security(struct msg_msg *msg) 4608 { 4609 msg_msg_free_security(msg); 4610 } 4611 4612 /* message queue security operations */ 4613 static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 4614 { 4615 struct task_security_struct *tsec; 4616 struct ipc_security_struct *isec; 4617 struct avc_audit_data ad; 4618 int rc; 4619 4620 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ); 4621 if (rc) 4622 return rc; 4623 4624 tsec = current->security; 4625 isec = msq->q_perm.security; 4626 4627 AVC_AUDIT_DATA_INIT(&ad, IPC); 4628 ad.u.ipc_id = msq->q_perm.key; 4629 4630 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 4631 MSGQ__CREATE, &ad); 4632 if (rc) { 4633 ipc_free_security(&msq->q_perm); 4634 return rc; 4635 } 4636 return 0; 4637 } 4638 4639 static void selinux_msg_queue_free_security(struct msg_queue *msq) 4640 { 4641 ipc_free_security(&msq->q_perm); 4642 } 4643 4644 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 4645 { 4646 struct task_security_struct *tsec; 4647 struct ipc_security_struct *isec; 4648 struct avc_audit_data ad; 4649 4650 tsec = current->security; 4651 isec = msq->q_perm.security; 4652 4653 AVC_AUDIT_DATA_INIT(&ad, IPC); 4654 ad.u.ipc_id = msq->q_perm.key; 4655 4656 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 4657 MSGQ__ASSOCIATE, &ad); 4658 } 4659 4660 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 4661 { 4662 int err; 4663 int perms; 4664 4665 switch(cmd) { 4666 case IPC_INFO: 4667 case MSG_INFO: 4668 /* No specific object, just general system-wide information. */ 4669 return task_has_system(current, SYSTEM__IPC_INFO); 4670 case IPC_STAT: 4671 case MSG_STAT: 4672 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 4673 break; 4674 case IPC_SET: 4675 perms = MSGQ__SETATTR; 4676 break; 4677 case IPC_RMID: 4678 perms = MSGQ__DESTROY; 4679 break; 4680 default: 4681 return 0; 4682 } 4683 4684 err = ipc_has_perm(&msq->q_perm, perms); 4685 return err; 4686 } 4687 4688 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 4689 { 4690 struct task_security_struct *tsec; 4691 struct ipc_security_struct *isec; 4692 struct msg_security_struct *msec; 4693 struct avc_audit_data ad; 4694 int rc; 4695 4696 tsec = current->security; 4697 isec = msq->q_perm.security; 4698 msec = msg->security; 4699 4700 /* 4701 * First time through, need to assign label to the message 4702 */ 4703 if (msec->sid == SECINITSID_UNLABELED) { 4704 /* 4705 * Compute new sid based on current process and 4706 * message queue this message will be stored in 4707 */ 4708 rc = security_transition_sid(tsec->sid, 4709 isec->sid, 4710 SECCLASS_MSG, 4711 &msec->sid); 4712 if (rc) 4713 return rc; 4714 } 4715 4716 AVC_AUDIT_DATA_INIT(&ad, IPC); 4717 ad.u.ipc_id = msq->q_perm.key; 4718 4719 /* Can this process write to the queue? */ 4720 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, 4721 MSGQ__WRITE, &ad); 4722 if (!rc) 4723 /* Can this process send the message */ 4724 rc = avc_has_perm(tsec->sid, msec->sid, 4725 SECCLASS_MSG, MSG__SEND, &ad); 4726 if (!rc) 4727 /* Can the message be put in the queue? */ 4728 rc = avc_has_perm(msec->sid, isec->sid, 4729 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad); 4730 4731 return rc; 4732 } 4733 4734 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 4735 struct task_struct *target, 4736 long type, int mode) 4737 { 4738 struct task_security_struct *tsec; 4739 struct ipc_security_struct *isec; 4740 struct msg_security_struct *msec; 4741 struct avc_audit_data ad; 4742 int rc; 4743 4744 tsec = target->security; 4745 isec = msq->q_perm.security; 4746 msec = msg->security; 4747 4748 AVC_AUDIT_DATA_INIT(&ad, IPC); 4749 ad.u.ipc_id = msq->q_perm.key; 4750 4751 rc = avc_has_perm(tsec->sid, isec->sid, 4752 SECCLASS_MSGQ, MSGQ__READ, &ad); 4753 if (!rc) 4754 rc = avc_has_perm(tsec->sid, msec->sid, 4755 SECCLASS_MSG, MSG__RECEIVE, &ad); 4756 return rc; 4757 } 4758 4759 /* Shared Memory security operations */ 4760 static int selinux_shm_alloc_security(struct shmid_kernel *shp) 4761 { 4762 struct task_security_struct *tsec; 4763 struct ipc_security_struct *isec; 4764 struct avc_audit_data ad; 4765 int rc; 4766 4767 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM); 4768 if (rc) 4769 return rc; 4770 4771 tsec = current->security; 4772 isec = shp->shm_perm.security; 4773 4774 AVC_AUDIT_DATA_INIT(&ad, IPC); 4775 ad.u.ipc_id = shp->shm_perm.key; 4776 4777 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 4778 SHM__CREATE, &ad); 4779 if (rc) { 4780 ipc_free_security(&shp->shm_perm); 4781 return rc; 4782 } 4783 return 0; 4784 } 4785 4786 static void selinux_shm_free_security(struct shmid_kernel *shp) 4787 { 4788 ipc_free_security(&shp->shm_perm); 4789 } 4790 4791 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 4792 { 4793 struct task_security_struct *tsec; 4794 struct ipc_security_struct *isec; 4795 struct avc_audit_data ad; 4796 4797 tsec = current->security; 4798 isec = shp->shm_perm.security; 4799 4800 AVC_AUDIT_DATA_INIT(&ad, IPC); 4801 ad.u.ipc_id = shp->shm_perm.key; 4802 4803 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, 4804 SHM__ASSOCIATE, &ad); 4805 } 4806 4807 /* Note, at this point, shp is locked down */ 4808 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 4809 { 4810 int perms; 4811 int err; 4812 4813 switch(cmd) { 4814 case IPC_INFO: 4815 case SHM_INFO: 4816 /* No specific object, just general system-wide information. */ 4817 return task_has_system(current, SYSTEM__IPC_INFO); 4818 case IPC_STAT: 4819 case SHM_STAT: 4820 perms = SHM__GETATTR | SHM__ASSOCIATE; 4821 break; 4822 case IPC_SET: 4823 perms = SHM__SETATTR; 4824 break; 4825 case SHM_LOCK: 4826 case SHM_UNLOCK: 4827 perms = SHM__LOCK; 4828 break; 4829 case IPC_RMID: 4830 perms = SHM__DESTROY; 4831 break; 4832 default: 4833 return 0; 4834 } 4835 4836 err = ipc_has_perm(&shp->shm_perm, perms); 4837 return err; 4838 } 4839 4840 static int selinux_shm_shmat(struct shmid_kernel *shp, 4841 char __user *shmaddr, int shmflg) 4842 { 4843 u32 perms; 4844 int rc; 4845 4846 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg); 4847 if (rc) 4848 return rc; 4849 4850 if (shmflg & SHM_RDONLY) 4851 perms = SHM__READ; 4852 else 4853 perms = SHM__READ | SHM__WRITE; 4854 4855 return ipc_has_perm(&shp->shm_perm, perms); 4856 } 4857 4858 /* Semaphore security operations */ 4859 static int selinux_sem_alloc_security(struct sem_array *sma) 4860 { 4861 struct task_security_struct *tsec; 4862 struct ipc_security_struct *isec; 4863 struct avc_audit_data ad; 4864 int rc; 4865 4866 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM); 4867 if (rc) 4868 return rc; 4869 4870 tsec = current->security; 4871 isec = sma->sem_perm.security; 4872 4873 AVC_AUDIT_DATA_INIT(&ad, IPC); 4874 ad.u.ipc_id = sma->sem_perm.key; 4875 4876 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 4877 SEM__CREATE, &ad); 4878 if (rc) { 4879 ipc_free_security(&sma->sem_perm); 4880 return rc; 4881 } 4882 return 0; 4883 } 4884 4885 static void selinux_sem_free_security(struct sem_array *sma) 4886 { 4887 ipc_free_security(&sma->sem_perm); 4888 } 4889 4890 static int selinux_sem_associate(struct sem_array *sma, int semflg) 4891 { 4892 struct task_security_struct *tsec; 4893 struct ipc_security_struct *isec; 4894 struct avc_audit_data ad; 4895 4896 tsec = current->security; 4897 isec = sma->sem_perm.security; 4898 4899 AVC_AUDIT_DATA_INIT(&ad, IPC); 4900 ad.u.ipc_id = sma->sem_perm.key; 4901 4902 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, 4903 SEM__ASSOCIATE, &ad); 4904 } 4905 4906 /* Note, at this point, sma is locked down */ 4907 static int selinux_sem_semctl(struct sem_array *sma, int cmd) 4908 { 4909 int err; 4910 u32 perms; 4911 4912 switch(cmd) { 4913 case IPC_INFO: 4914 case SEM_INFO: 4915 /* No specific object, just general system-wide information. */ 4916 return task_has_system(current, SYSTEM__IPC_INFO); 4917 case GETPID: 4918 case GETNCNT: 4919 case GETZCNT: 4920 perms = SEM__GETATTR; 4921 break; 4922 case GETVAL: 4923 case GETALL: 4924 perms = SEM__READ; 4925 break; 4926 case SETVAL: 4927 case SETALL: 4928 perms = SEM__WRITE; 4929 break; 4930 case IPC_RMID: 4931 perms = SEM__DESTROY; 4932 break; 4933 case IPC_SET: 4934 perms = SEM__SETATTR; 4935 break; 4936 case IPC_STAT: 4937 case SEM_STAT: 4938 perms = SEM__GETATTR | SEM__ASSOCIATE; 4939 break; 4940 default: 4941 return 0; 4942 } 4943 4944 err = ipc_has_perm(&sma->sem_perm, perms); 4945 return err; 4946 } 4947 4948 static int selinux_sem_semop(struct sem_array *sma, 4949 struct sembuf *sops, unsigned nsops, int alter) 4950 { 4951 u32 perms; 4952 4953 if (alter) 4954 perms = SEM__READ | SEM__WRITE; 4955 else 4956 perms = SEM__READ; 4957 4958 return ipc_has_perm(&sma->sem_perm, perms); 4959 } 4960 4961 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 4962 { 4963 u32 av = 0; 4964 4965 av = 0; 4966 if (flag & S_IRUGO) 4967 av |= IPC__UNIX_READ; 4968 if (flag & S_IWUGO) 4969 av |= IPC__UNIX_WRITE; 4970 4971 if (av == 0) 4972 return 0; 4973 4974 return ipc_has_perm(ipcp, av); 4975 } 4976 4977 /* module stacking operations */ 4978 static int selinux_register_security (const char *name, struct security_operations *ops) 4979 { 4980 if (secondary_ops != original_ops) { 4981 printk(KERN_ERR "%s: There is already a secondary security " 4982 "module registered.\n", __FUNCTION__); 4983 return -EINVAL; 4984 } 4985 4986 secondary_ops = ops; 4987 4988 printk(KERN_INFO "%s: Registering secondary module %s\n", 4989 __FUNCTION__, 4990 name); 4991 4992 return 0; 4993 } 4994 4995 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode) 4996 { 4997 if (inode) 4998 inode_doinit_with_dentry(inode, dentry); 4999 } 5000 5001 static int selinux_getprocattr(struct task_struct *p, 5002 char *name, char **value) 5003 { 5004 struct task_security_struct *tsec; 5005 u32 sid; 5006 int error; 5007 unsigned len; 5008 5009 if (current != p) { 5010 error = task_has_perm(current, p, PROCESS__GETATTR); 5011 if (error) 5012 return error; 5013 } 5014 5015 tsec = p->security; 5016 5017 if (!strcmp(name, "current")) 5018 sid = tsec->sid; 5019 else if (!strcmp(name, "prev")) 5020 sid = tsec->osid; 5021 else if (!strcmp(name, "exec")) 5022 sid = tsec->exec_sid; 5023 else if (!strcmp(name, "fscreate")) 5024 sid = tsec->create_sid; 5025 else if (!strcmp(name, "keycreate")) 5026 sid = tsec->keycreate_sid; 5027 else if (!strcmp(name, "sockcreate")) 5028 sid = tsec->sockcreate_sid; 5029 else 5030 return -EINVAL; 5031 5032 if (!sid) 5033 return 0; 5034 5035 error = security_sid_to_context(sid, value, &len); 5036 if (error) 5037 return error; 5038 return len; 5039 } 5040 5041 static int selinux_setprocattr(struct task_struct *p, 5042 char *name, void *value, size_t size) 5043 { 5044 struct task_security_struct *tsec; 5045 u32 sid = 0; 5046 int error; 5047 char *str = value; 5048 5049 if (current != p) { 5050 /* SELinux only allows a process to change its own 5051 security attributes. */ 5052 return -EACCES; 5053 } 5054 5055 /* 5056 * Basic control over ability to set these attributes at all. 5057 * current == p, but we'll pass them separately in case the 5058 * above restriction is ever removed. 5059 */ 5060 if (!strcmp(name, "exec")) 5061 error = task_has_perm(current, p, PROCESS__SETEXEC); 5062 else if (!strcmp(name, "fscreate")) 5063 error = task_has_perm(current, p, PROCESS__SETFSCREATE); 5064 else if (!strcmp(name, "keycreate")) 5065 error = task_has_perm(current, p, PROCESS__SETKEYCREATE); 5066 else if (!strcmp(name, "sockcreate")) 5067 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE); 5068 else if (!strcmp(name, "current")) 5069 error = task_has_perm(current, p, PROCESS__SETCURRENT); 5070 else 5071 error = -EINVAL; 5072 if (error) 5073 return error; 5074 5075 /* Obtain a SID for the context, if one was specified. */ 5076 if (size && str[1] && str[1] != '\n') { 5077 if (str[size-1] == '\n') { 5078 str[size-1] = 0; 5079 size--; 5080 } 5081 error = security_context_to_sid(value, size, &sid); 5082 if (error) 5083 return error; 5084 } 5085 5086 /* Permission checking based on the specified context is 5087 performed during the actual operation (execve, 5088 open/mkdir/...), when we know the full context of the 5089 operation. See selinux_bprm_set_security for the execve 5090 checks and may_create for the file creation checks. The 5091 operation will then fail if the context is not permitted. */ 5092 tsec = p->security; 5093 if (!strcmp(name, "exec")) 5094 tsec->exec_sid = sid; 5095 else if (!strcmp(name, "fscreate")) 5096 tsec->create_sid = sid; 5097 else if (!strcmp(name, "keycreate")) { 5098 error = may_create_key(sid, p); 5099 if (error) 5100 return error; 5101 tsec->keycreate_sid = sid; 5102 } else if (!strcmp(name, "sockcreate")) 5103 tsec->sockcreate_sid = sid; 5104 else if (!strcmp(name, "current")) { 5105 struct av_decision avd; 5106 5107 if (sid == 0) 5108 return -EINVAL; 5109 5110 /* Only allow single threaded processes to change context */ 5111 if (atomic_read(&p->mm->mm_users) != 1) { 5112 struct task_struct *g, *t; 5113 struct mm_struct *mm = p->mm; 5114 read_lock(&tasklist_lock); 5115 do_each_thread(g, t) 5116 if (t->mm == mm && t != p) { 5117 read_unlock(&tasklist_lock); 5118 return -EPERM; 5119 } 5120 while_each_thread(g, t); 5121 read_unlock(&tasklist_lock); 5122 } 5123 5124 /* Check permissions for the transition. */ 5125 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 5126 PROCESS__DYNTRANSITION, NULL); 5127 if (error) 5128 return error; 5129 5130 /* Check for ptracing, and update the task SID if ok. 5131 Otherwise, leave SID unchanged and fail. */ 5132 task_lock(p); 5133 if (p->ptrace & PT_PTRACED) { 5134 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid, 5135 SECCLASS_PROCESS, 5136 PROCESS__PTRACE, 0, &avd); 5137 if (!error) 5138 tsec->sid = sid; 5139 task_unlock(p); 5140 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS, 5141 PROCESS__PTRACE, &avd, error, NULL); 5142 if (error) 5143 return error; 5144 } else { 5145 tsec->sid = sid; 5146 task_unlock(p); 5147 } 5148 } 5149 else 5150 return -EINVAL; 5151 5152 return size; 5153 } 5154 5155 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 5156 { 5157 return security_sid_to_context(secid, secdata, seclen); 5158 } 5159 5160 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid) 5161 { 5162 return security_context_to_sid(secdata, seclen, secid); 5163 } 5164 5165 static void selinux_release_secctx(char *secdata, u32 seclen) 5166 { 5167 kfree(secdata); 5168 } 5169 5170 #ifdef CONFIG_KEYS 5171 5172 static int selinux_key_alloc(struct key *k, struct task_struct *tsk, 5173 unsigned long flags) 5174 { 5175 struct task_security_struct *tsec = tsk->security; 5176 struct key_security_struct *ksec; 5177 5178 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 5179 if (!ksec) 5180 return -ENOMEM; 5181 5182 ksec->obj = k; 5183 if (tsec->keycreate_sid) 5184 ksec->sid = tsec->keycreate_sid; 5185 else 5186 ksec->sid = tsec->sid; 5187 k->security = ksec; 5188 5189 return 0; 5190 } 5191 5192 static void selinux_key_free(struct key *k) 5193 { 5194 struct key_security_struct *ksec = k->security; 5195 5196 k->security = NULL; 5197 kfree(ksec); 5198 } 5199 5200 static int selinux_key_permission(key_ref_t key_ref, 5201 struct task_struct *ctx, 5202 key_perm_t perm) 5203 { 5204 struct key *key; 5205 struct task_security_struct *tsec; 5206 struct key_security_struct *ksec; 5207 5208 key = key_ref_to_ptr(key_ref); 5209 5210 tsec = ctx->security; 5211 ksec = key->security; 5212 5213 /* if no specific permissions are requested, we skip the 5214 permission check. No serious, additional covert channels 5215 appear to be created. */ 5216 if (perm == 0) 5217 return 0; 5218 5219 return avc_has_perm(tsec->sid, ksec->sid, 5220 SECCLASS_KEY, perm, NULL); 5221 } 5222 5223 #endif 5224 5225 static struct security_operations selinux_ops = { 5226 .ptrace = selinux_ptrace, 5227 .capget = selinux_capget, 5228 .capset_check = selinux_capset_check, 5229 .capset_set = selinux_capset_set, 5230 .sysctl = selinux_sysctl, 5231 .capable = selinux_capable, 5232 .quotactl = selinux_quotactl, 5233 .quota_on = selinux_quota_on, 5234 .syslog = selinux_syslog, 5235 .vm_enough_memory = selinux_vm_enough_memory, 5236 5237 .netlink_send = selinux_netlink_send, 5238 .netlink_recv = selinux_netlink_recv, 5239 5240 .bprm_alloc_security = selinux_bprm_alloc_security, 5241 .bprm_free_security = selinux_bprm_free_security, 5242 .bprm_apply_creds = selinux_bprm_apply_creds, 5243 .bprm_post_apply_creds = selinux_bprm_post_apply_creds, 5244 .bprm_set_security = selinux_bprm_set_security, 5245 .bprm_check_security = selinux_bprm_check_security, 5246 .bprm_secureexec = selinux_bprm_secureexec, 5247 5248 .sb_alloc_security = selinux_sb_alloc_security, 5249 .sb_free_security = selinux_sb_free_security, 5250 .sb_copy_data = selinux_sb_copy_data, 5251 .sb_kern_mount = selinux_sb_kern_mount, 5252 .sb_statfs = selinux_sb_statfs, 5253 .sb_mount = selinux_mount, 5254 .sb_umount = selinux_umount, 5255 .sb_get_mnt_opts = selinux_get_mnt_opts, 5256 .sb_set_mnt_opts = selinux_set_mnt_opts, 5257 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts, 5258 5259 .inode_alloc_security = selinux_inode_alloc_security, 5260 .inode_free_security = selinux_inode_free_security, 5261 .inode_init_security = selinux_inode_init_security, 5262 .inode_create = selinux_inode_create, 5263 .inode_link = selinux_inode_link, 5264 .inode_unlink = selinux_inode_unlink, 5265 .inode_symlink = selinux_inode_symlink, 5266 .inode_mkdir = selinux_inode_mkdir, 5267 .inode_rmdir = selinux_inode_rmdir, 5268 .inode_mknod = selinux_inode_mknod, 5269 .inode_rename = selinux_inode_rename, 5270 .inode_readlink = selinux_inode_readlink, 5271 .inode_follow_link = selinux_inode_follow_link, 5272 .inode_permission = selinux_inode_permission, 5273 .inode_setattr = selinux_inode_setattr, 5274 .inode_getattr = selinux_inode_getattr, 5275 .inode_setxattr = selinux_inode_setxattr, 5276 .inode_post_setxattr = selinux_inode_post_setxattr, 5277 .inode_getxattr = selinux_inode_getxattr, 5278 .inode_listxattr = selinux_inode_listxattr, 5279 .inode_removexattr = selinux_inode_removexattr, 5280 .inode_getsecurity = selinux_inode_getsecurity, 5281 .inode_setsecurity = selinux_inode_setsecurity, 5282 .inode_listsecurity = selinux_inode_listsecurity, 5283 .inode_need_killpriv = selinux_inode_need_killpriv, 5284 .inode_killpriv = selinux_inode_killpriv, 5285 5286 .file_permission = selinux_file_permission, 5287 .file_alloc_security = selinux_file_alloc_security, 5288 .file_free_security = selinux_file_free_security, 5289 .file_ioctl = selinux_file_ioctl, 5290 .file_mmap = selinux_file_mmap, 5291 .file_mprotect = selinux_file_mprotect, 5292 .file_lock = selinux_file_lock, 5293 .file_fcntl = selinux_file_fcntl, 5294 .file_set_fowner = selinux_file_set_fowner, 5295 .file_send_sigiotask = selinux_file_send_sigiotask, 5296 .file_receive = selinux_file_receive, 5297 5298 .dentry_open = selinux_dentry_open, 5299 5300 .task_create = selinux_task_create, 5301 .task_alloc_security = selinux_task_alloc_security, 5302 .task_free_security = selinux_task_free_security, 5303 .task_setuid = selinux_task_setuid, 5304 .task_post_setuid = selinux_task_post_setuid, 5305 .task_setgid = selinux_task_setgid, 5306 .task_setpgid = selinux_task_setpgid, 5307 .task_getpgid = selinux_task_getpgid, 5308 .task_getsid = selinux_task_getsid, 5309 .task_getsecid = selinux_task_getsecid, 5310 .task_setgroups = selinux_task_setgroups, 5311 .task_setnice = selinux_task_setnice, 5312 .task_setioprio = selinux_task_setioprio, 5313 .task_getioprio = selinux_task_getioprio, 5314 .task_setrlimit = selinux_task_setrlimit, 5315 .task_setscheduler = selinux_task_setscheduler, 5316 .task_getscheduler = selinux_task_getscheduler, 5317 .task_movememory = selinux_task_movememory, 5318 .task_kill = selinux_task_kill, 5319 .task_wait = selinux_task_wait, 5320 .task_prctl = selinux_task_prctl, 5321 .task_reparent_to_init = selinux_task_reparent_to_init, 5322 .task_to_inode = selinux_task_to_inode, 5323 5324 .ipc_permission = selinux_ipc_permission, 5325 5326 .msg_msg_alloc_security = selinux_msg_msg_alloc_security, 5327 .msg_msg_free_security = selinux_msg_msg_free_security, 5328 5329 .msg_queue_alloc_security = selinux_msg_queue_alloc_security, 5330 .msg_queue_free_security = selinux_msg_queue_free_security, 5331 .msg_queue_associate = selinux_msg_queue_associate, 5332 .msg_queue_msgctl = selinux_msg_queue_msgctl, 5333 .msg_queue_msgsnd = selinux_msg_queue_msgsnd, 5334 .msg_queue_msgrcv = selinux_msg_queue_msgrcv, 5335 5336 .shm_alloc_security = selinux_shm_alloc_security, 5337 .shm_free_security = selinux_shm_free_security, 5338 .shm_associate = selinux_shm_associate, 5339 .shm_shmctl = selinux_shm_shmctl, 5340 .shm_shmat = selinux_shm_shmat, 5341 5342 .sem_alloc_security = selinux_sem_alloc_security, 5343 .sem_free_security = selinux_sem_free_security, 5344 .sem_associate = selinux_sem_associate, 5345 .sem_semctl = selinux_sem_semctl, 5346 .sem_semop = selinux_sem_semop, 5347 5348 .register_security = selinux_register_security, 5349 5350 .d_instantiate = selinux_d_instantiate, 5351 5352 .getprocattr = selinux_getprocattr, 5353 .setprocattr = selinux_setprocattr, 5354 5355 .secid_to_secctx = selinux_secid_to_secctx, 5356 .secctx_to_secid = selinux_secctx_to_secid, 5357 .release_secctx = selinux_release_secctx, 5358 5359 .unix_stream_connect = selinux_socket_unix_stream_connect, 5360 .unix_may_send = selinux_socket_unix_may_send, 5361 5362 .socket_create = selinux_socket_create, 5363 .socket_post_create = selinux_socket_post_create, 5364 .socket_bind = selinux_socket_bind, 5365 .socket_connect = selinux_socket_connect, 5366 .socket_listen = selinux_socket_listen, 5367 .socket_accept = selinux_socket_accept, 5368 .socket_sendmsg = selinux_socket_sendmsg, 5369 .socket_recvmsg = selinux_socket_recvmsg, 5370 .socket_getsockname = selinux_socket_getsockname, 5371 .socket_getpeername = selinux_socket_getpeername, 5372 .socket_getsockopt = selinux_socket_getsockopt, 5373 .socket_setsockopt = selinux_socket_setsockopt, 5374 .socket_shutdown = selinux_socket_shutdown, 5375 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb, 5376 .socket_getpeersec_stream = selinux_socket_getpeersec_stream, 5377 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram, 5378 .sk_alloc_security = selinux_sk_alloc_security, 5379 .sk_free_security = selinux_sk_free_security, 5380 .sk_clone_security = selinux_sk_clone_security, 5381 .sk_getsecid = selinux_sk_getsecid, 5382 .sock_graft = selinux_sock_graft, 5383 .inet_conn_request = selinux_inet_conn_request, 5384 .inet_csk_clone = selinux_inet_csk_clone, 5385 .inet_conn_established = selinux_inet_conn_established, 5386 .req_classify_flow = selinux_req_classify_flow, 5387 5388 #ifdef CONFIG_SECURITY_NETWORK_XFRM 5389 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, 5390 .xfrm_policy_clone_security = selinux_xfrm_policy_clone, 5391 .xfrm_policy_free_security = selinux_xfrm_policy_free, 5392 .xfrm_policy_delete_security = selinux_xfrm_policy_delete, 5393 .xfrm_state_alloc_security = selinux_xfrm_state_alloc, 5394 .xfrm_state_free_security = selinux_xfrm_state_free, 5395 .xfrm_state_delete_security = selinux_xfrm_state_delete, 5396 .xfrm_policy_lookup = selinux_xfrm_policy_lookup, 5397 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match, 5398 .xfrm_decode_session = selinux_xfrm_decode_session, 5399 #endif 5400 5401 #ifdef CONFIG_KEYS 5402 .key_alloc = selinux_key_alloc, 5403 .key_free = selinux_key_free, 5404 .key_permission = selinux_key_permission, 5405 #endif 5406 }; 5407 5408 static __init int selinux_init(void) 5409 { 5410 struct task_security_struct *tsec; 5411 5412 if (!selinux_enabled) { 5413 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 5414 return 0; 5415 } 5416 5417 printk(KERN_INFO "SELinux: Initializing.\n"); 5418 5419 /* Set the security state for the initial task. */ 5420 if (task_alloc_security(current)) 5421 panic("SELinux: Failed to initialize initial task.\n"); 5422 tsec = current->security; 5423 tsec->osid = tsec->sid = SECINITSID_KERNEL; 5424 5425 sel_inode_cache = kmem_cache_create("selinux_inode_security", 5426 sizeof(struct inode_security_struct), 5427 0, SLAB_PANIC, NULL); 5428 avc_init(); 5429 5430 original_ops = secondary_ops = security_ops; 5431 if (!secondary_ops) 5432 panic ("SELinux: No initial security operations\n"); 5433 if (register_security (&selinux_ops)) 5434 panic("SELinux: Unable to register with kernel.\n"); 5435 5436 if (selinux_enforcing) { 5437 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 5438 } else { 5439 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 5440 } 5441 5442 #ifdef CONFIG_KEYS 5443 /* Add security information to initial keyrings */ 5444 selinux_key_alloc(&root_user_keyring, current, 5445 KEY_ALLOC_NOT_IN_QUOTA); 5446 selinux_key_alloc(&root_session_keyring, current, 5447 KEY_ALLOC_NOT_IN_QUOTA); 5448 #endif 5449 5450 return 0; 5451 } 5452 5453 void selinux_complete_init(void) 5454 { 5455 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 5456 5457 /* Set up any superblocks initialized prior to the policy load. */ 5458 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 5459 spin_lock(&sb_lock); 5460 spin_lock(&sb_security_lock); 5461 next_sb: 5462 if (!list_empty(&superblock_security_head)) { 5463 struct superblock_security_struct *sbsec = 5464 list_entry(superblock_security_head.next, 5465 struct superblock_security_struct, 5466 list); 5467 struct super_block *sb = sbsec->sb; 5468 sb->s_count++; 5469 spin_unlock(&sb_security_lock); 5470 spin_unlock(&sb_lock); 5471 down_read(&sb->s_umount); 5472 if (sb->s_root) 5473 superblock_doinit(sb, NULL); 5474 drop_super(sb); 5475 spin_lock(&sb_lock); 5476 spin_lock(&sb_security_lock); 5477 list_del_init(&sbsec->list); 5478 goto next_sb; 5479 } 5480 spin_unlock(&sb_security_lock); 5481 spin_unlock(&sb_lock); 5482 } 5483 5484 /* SELinux requires early initialization in order to label 5485 all processes and objects when they are created. */ 5486 security_initcall(selinux_init); 5487 5488 #if defined(CONFIG_NETFILTER) 5489 5490 static struct nf_hook_ops selinux_ipv4_ops[] = { 5491 { 5492 .hook = selinux_ipv4_postroute, 5493 .owner = THIS_MODULE, 5494 .pf = PF_INET, 5495 .hooknum = NF_INET_POST_ROUTING, 5496 .priority = NF_IP_PRI_SELINUX_LAST, 5497 }, 5498 { 5499 .hook = selinux_ipv4_forward, 5500 .owner = THIS_MODULE, 5501 .pf = PF_INET, 5502 .hooknum = NF_INET_FORWARD, 5503 .priority = NF_IP_PRI_SELINUX_FIRST, 5504 } 5505 }; 5506 5507 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5508 5509 static struct nf_hook_ops selinux_ipv6_ops[] = { 5510 { 5511 .hook = selinux_ipv6_postroute, 5512 .owner = THIS_MODULE, 5513 .pf = PF_INET6, 5514 .hooknum = NF_INET_POST_ROUTING, 5515 .priority = NF_IP6_PRI_SELINUX_LAST, 5516 }, 5517 { 5518 .hook = selinux_ipv6_forward, 5519 .owner = THIS_MODULE, 5520 .pf = PF_INET6, 5521 .hooknum = NF_INET_FORWARD, 5522 .priority = NF_IP6_PRI_SELINUX_FIRST, 5523 } 5524 }; 5525 5526 #endif /* IPV6 */ 5527 5528 static int __init selinux_nf_ip_init(void) 5529 { 5530 int err = 0; 5531 u32 iter; 5532 5533 if (!selinux_enabled) 5534 goto out; 5535 5536 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 5537 5538 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) { 5539 err = nf_register_hook(&selinux_ipv4_ops[iter]); 5540 if (err) 5541 panic("SELinux: nf_register_hook for IPv4: error %d\n", 5542 err); 5543 } 5544 5545 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5546 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) { 5547 err = nf_register_hook(&selinux_ipv6_ops[iter]); 5548 if (err) 5549 panic("SELinux: nf_register_hook for IPv6: error %d\n", 5550 err); 5551 } 5552 #endif /* IPV6 */ 5553 5554 out: 5555 return err; 5556 } 5557 5558 __initcall(selinux_nf_ip_init); 5559 5560 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 5561 static void selinux_nf_ip_exit(void) 5562 { 5563 u32 iter; 5564 5565 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 5566 5567 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) 5568 nf_unregister_hook(&selinux_ipv4_ops[iter]); 5569 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5570 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) 5571 nf_unregister_hook(&selinux_ipv6_ops[iter]); 5572 #endif /* IPV6 */ 5573 } 5574 #endif 5575 5576 #else /* CONFIG_NETFILTER */ 5577 5578 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 5579 #define selinux_nf_ip_exit() 5580 #endif 5581 5582 #endif /* CONFIG_NETFILTER */ 5583 5584 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 5585 int selinux_disable(void) 5586 { 5587 extern void exit_sel_fs(void); 5588 static int selinux_disabled = 0; 5589 5590 if (ss_initialized) { 5591 /* Not permitted after initial policy load. */ 5592 return -EINVAL; 5593 } 5594 5595 if (selinux_disabled) { 5596 /* Only do this once. */ 5597 return -EINVAL; 5598 } 5599 5600 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 5601 5602 selinux_disabled = 1; 5603 selinux_enabled = 0; 5604 5605 /* Reset security_ops to the secondary module, dummy or capability. */ 5606 security_ops = secondary_ops; 5607 5608 /* Unregister netfilter hooks. */ 5609 selinux_nf_ip_exit(); 5610 5611 /* Unregister selinuxfs. */ 5612 exit_sel_fs(); 5613 5614 return 0; 5615 } 5616 #endif 5617 5618 5619