1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 *
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License version 2,
16 * as published by the Free Software Foundation.
17 */
18
19 #include <linux/config.h>
20 #include <linux/module.h>
21 #include <linux/init.h>
22 #include <linux/kernel.h>
23 #include <linux/ptrace.h>
24 #include <linux/errno.h>
25 #include <linux/sched.h>
26 #include <linux/security.h>
27 #include <linux/xattr.h>
28 #include <linux/capability.h>
29 #include <linux/unistd.h>
30 #include <linux/mm.h>
31 #include <linux/mman.h>
32 #include <linux/slab.h>
33 #include <linux/pagemap.h>
34 #include <linux/swap.h>
35 #include <linux/smp_lock.h>
36 #include <linux/spinlock.h>
37 #include <linux/syscalls.h>
38 #include <linux/file.h>
39 #include <linux/namei.h>
40 #include <linux/mount.h>
41 #include <linux/ext2_fs.h>
42 #include <linux/proc_fs.h>
43 #include <linux/kd.h>
44 #include <linux/netfilter_ipv4.h>
45 #include <linux/netfilter_ipv6.h>
46 #include <linux/tty.h>
47 #include <net/icmp.h>
48 #include <net/ip.h> /* for sysctl_local_port_range[] */
49 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
50 #include <asm/uaccess.h>
51 #include <asm/semaphore.h>
52 #include <asm/ioctls.h>
53 #include <linux/bitops.h>
54 #include <linux/interrupt.h>
55 #include <linux/netdevice.h> /* for network interface checks */
56 #include <linux/netlink.h>
57 #include <linux/tcp.h>
58 #include <linux/udp.h>
59 #include <linux/quota.h>
60 #include <linux/un.h> /* for Unix socket types */
61 #include <net/af_unix.h> /* for Unix socket types */
62 #include <linux/parser.h>
63 #include <linux/nfs_mount.h>
64 #include <net/ipv6.h>
65 #include <linux/hugetlb.h>
66 #include <linux/personality.h>
67 #include <linux/sysctl.h>
68
69 #include "avc.h"
70 #include "objsec.h"
71 #include "netif.h"
72
73 #define XATTR_SELINUX_SUFFIX "selinux"
74 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
75
76 extern unsigned int policydb_loaded_version;
77 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
78
79 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
int selinux_enforcing = 0;

/* Parse the "enforcing=" boot parameter into selinux_enforcing.
   The text is converted with simple_strtol(), which reports no error,
   so whatever it returns is stored.  Returning 1 tells __setup() the
   option was consumed. */
static int __init enforcing_setup(char *str)
{
	long value = simple_strtol(str, NULL, 0);

	selinux_enforcing = value;
	return 1;
}
__setup("enforcing=", enforcing_setup);
88 #endif
89
90 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;

/* Parse the "selinux=" boot parameter into selinux_enabled, overriding
   the compiled-in default.  simple_strtol() reports no error, so the
   value stored is whatever it returns.  Returning 1 tells __setup() the
   option was consumed. */
static int __init selinux_enabled_setup(char *str)
{
	long value = simple_strtol(str, NULL, 0);

	selinux_enabled = value;
	return 1;
}
__setup("selinux=", selinux_enabled_setup);
99 #endif
100
/* Original (dummy) security module. */
static struct security_operations *original_ops = NULL;

/* Minimal support for a secondary security module,
   just to allow the use of the dummy or capability modules.
   The owlsm module can alternatively be used as a secondary
   module as long as CONFIG_OWLSM_FD is not enabled. */
static struct security_operations *secondary_ops = NULL;

/* List of superblock security structures whose initialization was
   deferred because the policy was not yet loaded (superblock_doinit
   queues them here), plus the spinlock guarding the list.  Deferred
   inode structures are instead kept per superblock on sbsec->isec_head. */
static LIST_HEAD(superblock_security_head);
static DEFINE_SPINLOCK(sb_security_lock);
114
115 /* Allocate and free functions for each kind of security blob. */
116
/* Allocate the security blob for @task and hang it off task->security.
   Every SID starts out unlabeled.  Returns 0, or -ENOMEM if the
   allocation fails (task->security is then left untouched). */
static int task_alloc_security(struct task_struct *task)
{
	struct task_security_struct *tsec = kmalloc(sizeof(*tsec), GFP_KERNEL);

	if (tsec == NULL)
		return -ENOMEM;

	memset(tsec, 0, sizeof(*tsec));
	tsec->magic = SELINUX_MAGIC;
	tsec->task = task;
	tsec->osid = SECINITSID_UNLABELED;
	tsec->sid = SECINITSID_UNLABELED;
	tsec->ptrace_sid = SECINITSID_UNLABELED;
	task->security = tsec;
	return 0;
}
133
/* Release the security blob of @task.  Only blobs carrying SELINUX_MAGIC
   are touched, so a blob owned by another module is left alone. */
static void task_free_security(struct task_struct *task)
{
	struct task_security_struct *tsec = task->security;

	if (tsec == NULL)
		return;
	if (tsec->magic != SELINUX_MAGIC)
		return;

	task->security = NULL;
	kfree(tsec);
}
144
/* Allocate the security blob for @inode.  The inode starts unlabeled with
   class SECCLASS_FILE; the creating task's SID is recorded in task_sid,
   which inode_doinit_with_dentry later uses for task-based and transition
   labeling.  Returns 0 or -ENOMEM. */
static int inode_alloc_security(struct inode *inode)
{
	struct task_security_struct *tsec = current->security;
	struct inode_security_struct *isec;
	int have_tsec = tsec && tsec->magic == SELINUX_MAGIC;

	isec = kmalloc(sizeof(*isec), GFP_KERNEL);
	if (isec == NULL)
		return -ENOMEM;
	memset(isec, 0, sizeof(*isec));

	init_MUTEX(&isec->sem);
	INIT_LIST_HEAD(&isec->list);
	isec->magic = SELINUX_MAGIC;
	isec->inode = inode;
	isec->sid = SECINITSID_UNLABELED;
	isec->sclass = SECCLASS_FILE;
	isec->task_sid = have_tsec ? tsec->sid : SECINITSID_UNLABELED;
	inode->i_security = isec;
	return 0;
}
169
/* Release the security blob of @inode.  If the inode was queued on its
   superblock's deferred-initialization list it is unlinked first, under
   the superblock's isec_lock. */
static void inode_free_security(struct inode *inode)
{
	struct inode_security_struct *isec = inode->i_security;
	struct superblock_security_struct *sbsec = inode->i_sb->s_security;

	if (isec == NULL)
		return;
	if (isec->magic != SELINUX_MAGIC)
		return;

	spin_lock(&sbsec->isec_lock);
	if (!list_empty(&isec->list))
		list_del_init(&isec->list);
	spin_unlock(&sbsec->isec_lock);

	inode->i_security = NULL;
	kfree(isec);
}
186
/* Allocate the security blob for @file.  Both the descriptor SID and the
   owner SID (fown_sid) are taken from the current task, or left unlabeled
   when the task has no SELinux blob.  Returns 0 or -ENOMEM. */
static int file_alloc_security(struct file *file)
{
	struct task_security_struct *tsec = current->security;
	struct file_security_struct *fsec;
	u32 sid = SECINITSID_UNLABELED;

	fsec = kmalloc(sizeof(*fsec), GFP_ATOMIC);
	if (fsec == NULL)
		return -ENOMEM;
	memset(fsec, 0, sizeof(*fsec));

	if (tsec && tsec->magic == SELINUX_MAGIC)
		sid = tsec->sid;

	fsec->magic = SELINUX_MAGIC;
	fsec->file = file;
	fsec->sid = sid;
	fsec->fown_sid = sid;
	file->f_security = fsec;
	return 0;
}
210
/* Release the security blob of @file if it is one of ours. */
static void file_free_security(struct file *file)
{
	struct file_security_struct *fsec = file->f_security;

	if (fsec == NULL)
		return;
	if (fsec->magic != SELINUX_MAGIC)
		return;

	file->f_security = NULL;
	kfree(fsec);
}
221
/* Allocate the security blob for @sb.  The filesystem starts unlabeled and
   its default file SID is SECINITSID_FILE; superblock_doinit and
   try_context_mount adjust both later.  The blob also carries the list
   head and lock for inodes whose labeling is deferred.  Returns 0 or
   -ENOMEM. */
static int superblock_alloc_security(struct super_block *sb)
{
	struct superblock_security_struct *sbsec;

	sbsec = kmalloc(sizeof(*sbsec), GFP_KERNEL);
	if (sbsec == NULL)
		return -ENOMEM;
	memset(sbsec, 0, sizeof(*sbsec));

	init_MUTEX(&sbsec->sem);
	INIT_LIST_HEAD(&sbsec->list);
	INIT_LIST_HEAD(&sbsec->isec_head);
	spin_lock_init(&sbsec->isec_lock);
	sbsec->magic = SELINUX_MAGIC;
	sbsec->sb = sb;
	sbsec->sid = SECINITSID_UNLABELED;
	sbsec->def_sid = SECINITSID_FILE;
	sb->s_security = sbsec;
	return 0;
}
243
/* Release the security blob of @sb, unlinking it from the global
   deferred-initialization list if it was queued there. */
static void superblock_free_security(struct super_block *sb)
{
	struct superblock_security_struct *sbsec = sb->s_security;

	if (sbsec == NULL)
		return;
	if (sbsec->magic != SELINUX_MAGIC)
		return;

	spin_lock(&sb_security_lock);
	if (!list_empty(&sbsec->list))
		list_del_init(&sbsec->list);
	spin_unlock(&sb_security_lock);

	sb->s_security = NULL;
	kfree(sbsec);
}
259
260 #ifdef CONFIG_SECURITY_NETWORK
/* Allocate the security blob for socket @sk.  Only PF_UNIX sockets get
   one (it carries the peer SID); other families return 0 with no blob.
   @priority is the allocation flag passed through to kmalloc. */
static int sk_alloc_security(struct sock *sk, int family, int priority)
{
	struct sk_security_struct *ssec;

	if (family != PF_UNIX)
		return 0;

	ssec = kmalloc(sizeof(*ssec), priority);
	if (ssec == NULL)
		return -ENOMEM;

	memset(ssec, 0, sizeof(*ssec));
	ssec->magic = SELINUX_MAGIC;
	ssec->sk = sk;
	ssec->peer_sid = SECINITSID_UNLABELED;
	sk->sk_security = ssec;
	return 0;
}
280
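/* Release the socket security blob allocated by sk_alloc_security().
   Only PF_UNIX sockets carry one.  The blob pointer is checked for NULL
   before its magic is read, like the other *_free_security helpers, so a
   socket that never got a blob is simply skipped instead of dereferencing
   a NULL sk_security. */
static void sk_free_security(struct sock *sk)
{
	struct sk_security_struct *ssec = sk->sk_security;

	if (sk->sk_family != PF_UNIX)
		return;
	if (!ssec || ssec->magic != SELINUX_MAGIC)
		return;

	sk->sk_security = NULL;
	kfree(ssec);
}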
291 #endif /* CONFIG_SECURITY_NETWORK */
292
/* The security server must be initialized before
   any labeling or access decisions can be provided. */
extern int ss_initialized;

/* The file system's label must be initialized prior to use. */

/* Human-readable names of the superblock labeling behaviors, logged by
   superblock_doinit.  It indexes the table with (sbsec->behavior - 1), so
   the order here is assumed to follow the SECURITY_FS_USE_* numbering. */
static char *labeling_behaviors[6] = {
	"uses xattr",
	"uses transition SIDs",
	"uses task SIDs",
	"uses genfs_contexts",
	"not configured for labeling",
	"uses mountpoint labeling",
};
307
static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);

/* Initialize @inode's security attributes when the caller has no dentry;
   inode_doinit_with_dentry() finds one itself if the labeling needs it. */
static inline int inode_doinit(struct inode *inode)
{
	struct dentry *no_dentry = NULL;

	return inode_doinit_with_dentry(inode, no_dentry);
}
314
/* Mount-option identifiers.  They are distinct bits so try_context_mount
   can OR them into a "seen" mask and reject conflicting combinations. */
enum {
	Opt_context = 1,
	Opt_fscontext = 2,
	Opt_defcontext = 4,
};

/* String mount options understood by try_context_mount. */
static match_table_t tokens = {
	{Opt_context, "context=%s"},
	{Opt_fscontext, "fscontext=%s"},
	{Opt_defcontext, "defcontext=%s"},
};

/* Warning logged when mount options repeat or conflict. */
#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
328
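/* Apply the SELinux mount options (context=, fscontext=, defcontext=)
   found in the mount data to the superblock's security struct.

   @sb:   the superblock being mounted.  On success its security struct is
          updated in place: sbsec->sid for context=/fscontext=,
          sbsec->behavior for context=, sbsec->def_sid for defcontext=.
   @data: the mount data, or NULL.  For filesystems with
          FS_BINARY_MOUNTDATA only NFS is understood and its context field
          is used directly; otherwise it is a comma-separated option string
          that strsep() splits in place.

   Returns 0 (also when there is no data or no relevant option), -EINVAL
   for an unknown, duplicate or incompatible option or an NFS context that
   is not NUL-terminated, -ENOMEM if an option string cannot be copied, or
   the error from security_context_to_sid() / avc_has_perm(). */
static int try_context_mount(struct super_block *sb, void *data)
{
	char *context = NULL, *defcontext = NULL;
	const char *name;
	u32 sid;
	int alloc = 0, rc = 0, seen = 0;
	struct task_security_struct *tsec = current->security;
	struct superblock_security_struct *sbsec = sb->s_security;

	if (!data)
		goto out;

	name = sb->s_type->name;

	if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {

		/* NFS we understand. */
		if (!strcmp(name, "nfs")) {
			struct nfs_mount_data *d = data;

			if (d->version < NFS_MOUNT_VERSION)
				goto out;

			if (d->context[0]) {
				/* The field was copied in from userspace; make
				   sure it is terminated inside the struct before
				   strlen() is run on it below. */
				if (strnlen(d->context, sizeof(d->context)) ==
				    sizeof(d->context)) {
					rc = -EINVAL;
					printk(KERN_WARNING "SELinux: unterminated "
					       "context in NFS mount data\n");
					goto out;
				}
				context = d->context;
				seen |= Opt_context;
			}
		} else
			goto out;

	} else {
		/* Standard string-based options. */
		char *p, *options = data;

		while ((p = strsep(&options, ",")) != NULL) {
			int token;
			substring_t args[MAX_OPT_ARGS];

			if (!*p)
				continue;

			token = match_token(p, tokens, args);

			switch (token) {
			case Opt_context:
				/* context= excludes every other option. */
				if (seen) {
					rc = -EINVAL;
					printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
					goto out_free;
				}
				context = match_strdup(&args[0]);
				if (!context) {
					rc = -ENOMEM;
					goto out_free;
				}
				alloc = 1;
				seen |= Opt_context;
				break;

			case Opt_fscontext:
				if (seen & (Opt_context|Opt_fscontext)) {
					rc = -EINVAL;
					printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
					goto out_free;
				}
				context = match_strdup(&args[0]);
				if (!context) {
					rc = -ENOMEM;
					goto out_free;
				}
				alloc = 1;
				seen |= Opt_fscontext;
				break;

			case Opt_defcontext:
				/* A per-file default only applies to
				   xattr-labeled filesystems. */
				if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
					rc = -EINVAL;
					printk(KERN_WARNING "SELinux: "
					       "defcontext option is invalid "
					       "for this filesystem type\n");
					goto out_free;
				}
				if (seen & (Opt_context|Opt_defcontext)) {
					rc = -EINVAL;
					printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
					goto out_free;
				}
				defcontext = match_strdup(&args[0]);
				if (!defcontext) {
					rc = -ENOMEM;
					goto out_free;
				}
				alloc = 1;
				seen |= Opt_defcontext;
				break;

			default:
				rc = -EINVAL;
				printk(KERN_WARNING "SELinux: unknown mount "
				       "option\n");
				goto out_free;

			}
		}
	}

	if (!seen)
		goto out;

	if (context) {
		rc = security_context_to_sid(context, strlen(context), &sid);
		if (rc) {
			printk(KERN_WARNING "SELinux: security_context_to_sid"
			       "(%s) failed for (dev %s, type %s) errno=%d\n",
			       context, sb->s_id, name, rc);
			goto out_free;
		}

		/* The mounter must be allowed to relabel the filesystem
		   from its current SID to the requested one. */
		rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
				  FILESYSTEM__RELABELFROM, NULL);
		if (rc)
			goto out_free;

		rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
				  FILESYSTEM__RELABELTO, NULL);
		if (rc)
			goto out_free;

		sbsec->sid = sid;

		/* context= (unlike fscontext=) also switches the fs to
		   mountpoint labeling, so inode_doinit_with_dentry gives
		   every inode the filesystem SID. */
		if (seen & Opt_context)
			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
	}

	if (defcontext) {
		rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
		if (rc) {
			printk(KERN_WARNING "SELinux: security_context_to_sid"
			       "(%s) failed for (dev %s, type %s) errno=%d\n",
			       defcontext, sb->s_id, name, rc);
			goto out_free;
		}

		/* Already the default: nothing to check or change. */
		if (sid == sbsec->def_sid)
			goto out_free;

		rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
				  FILESYSTEM__RELABELFROM, NULL);
		if (rc)
			goto out_free;

		/* The new default SID must be allowed on this filesystem. */
		rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
				  FILESYSTEM__ASSOCIATE, NULL);
		if (rc)
			goto out_free;

		sbsec->def_sid = sid;
	}

out_free:
	/* Only strings from match_strdup() are ours to free; the NFS
	   context points into the caller's mount data. */
	if (alloc) {
		kfree(context);
		kfree(defcontext);
	}
out:
	return rc;
}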
499
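/* Initialize the security struct of @sb once the security server is up.

   Determines the labeling behavior and SID for the filesystem type,
   applies any context mount options in @data, verifies xattr support on
   the root when the behavior requires it, then labels the root inode and
   every inode queued on sbsec->isec_head while initialization was
   deferred.  Before the policy is loaded the superblock is instead queued
   on superblock_security_head and 0 is returned.

   Serialized by sbsec->sem; calling it again on an initialized superblock
   is a no-op.  Returns 0, the error from security_fs_use() or
   try_context_mount(), -EOPNOTSUPP if the root inode has no getxattr,
   a getxattr error other than -ENODATA, or the result of labeling the
   root inode. */
static int superblock_doinit(struct super_block *sb, void *data)
{
	struct superblock_security_struct *sbsec = sb->s_security;
	struct dentry *root = sb->s_root;
	struct inode *inode = root->d_inode;
	int rc = 0;

	down(&sbsec->sem);
	if (sbsec->initialized)
		goto out;

	if (!ss_initialized) {
		/* Defer initialization until selinux_complete_init,
		   after the initial policy is loaded and the security
		   server is ready to handle calls. */
		spin_lock(&sb_security_lock);
		if (list_empty(&sbsec->list))
			list_add(&sbsec->list, &superblock_security_head);
		spin_unlock(&sb_security_lock);
		goto out;
	}

	/* Determine the labeling behavior to use for this filesystem type. */
	rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
	if (rc) {
		printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
		       __FUNCTION__, sb->s_type->name, rc);
		goto out;
	}

	rc = try_context_mount(sb, data);
	if (rc)
		goto out;

	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
		/* Make sure that the xattr handler exists and that no
		   error other than -ENODATA is returned by getxattr on
		   the root directory.  -ENODATA is ok, as this may be
		   the first boot of the SELinux kernel before we have
		   assigned xattr values to the filesystem. */
		if (!inode->i_op->getxattr) {
			printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
			       "xattr support\n", sb->s_id, sb->s_type->name);
			rc = -EOPNOTSUPP;
			goto out;
		}
		rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
		if (rc < 0 && rc != -ENODATA) {
			if (rc == -EOPNOTSUPP)
				printk(KERN_WARNING "SELinux: (dev %s, type "
				       "%s) has no security xattr handler\n",
				       sb->s_id, sb->s_type->name);
			else
				printk(KERN_WARNING "SELinux: (dev %s, type "
				       "%s) getxattr errno %d\n", sb->s_id,
				       sb->s_type->name, -rc);
			goto out;
		}
	}

	if (strcmp(sb->s_type->name, "proc") == 0)
		sbsec->proc = 1;

	sbsec->initialized = 1;

	/* labeling_behaviors is indexed by (behavior - 1), so 0 is as
	   "unknown" as a value past the end of the table; never index out
	   of bounds just to produce the log line. */
	if (sbsec->behavior == 0 ||
	    sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
		printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
		       sb->s_id, sb->s_type->name);
	}
	else {
		printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
		       sb->s_id, sb->s_type->name,
		       labeling_behaviors[sbsec->behavior-1]);
	}

	/* Initialize the root inode. */
	rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);

	/* Initialize any other inodes associated with the superblock, e.g.
	   inodes created prior to initial policy load or inodes created
	   during get_sb by a pseudo filesystem that directly
	   populates itself. */
	spin_lock(&sbsec->isec_lock);
next_inode:
	if (!list_empty(&sbsec->isec_head)) {
		struct inode_security_struct *isec =
			list_entry(sbsec->isec_head.next,
				   struct inode_security_struct, list);
		struct inode *deferred = isec->inode;
		/* Drop the spinlock around inode_doinit: it takes the
		   inode's semaphore and calls into the filesystem. */
		spin_unlock(&sbsec->isec_lock);
		deferred = igrab(deferred);
		if (deferred) {
			inode_doinit(deferred);
			iput(deferred);
		}
		spin_lock(&sbsec->isec_lock);
		list_del_init(&isec->list);
		goto next_inode;
	}
	spin_unlock(&sbsec->isec_lock);
out:
	up(&sbsec->sem);
	return rc;
}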
604
/* Map the file-type bits of @mode to the SELinux object class of the
   inode.  Regular files, and any type not listed, map to SECCLASS_FILE. */
static inline u16 inode_mode_to_security_class(umode_t mode)
{
	u16 tclass;

	switch (mode & S_IFMT) {
	case S_IFSOCK:
		tclass = SECCLASS_SOCK_FILE;
		break;
	case S_IFLNK:
		tclass = SECCLASS_LNK_FILE;
		break;
	case S_IFBLK:
		tclass = SECCLASS_BLK_FILE;
		break;
	case S_IFDIR:
		tclass = SECCLASS_DIR;
		break;
	case S_IFCHR:
		tclass = SECCLASS_CHR_FILE;
		break;
	case S_IFIFO:
		tclass = SECCLASS_FIFO_FILE;
		break;
	case S_IFREG:
	default:
		tclass = SECCLASS_FILE;
		break;
	}

	return tclass;
}
627
/* Map a socket's (family, type, protocol) triple to its SELinux object
   class.  Unix and IP sockets are classified by type, netlink sockets by
   protocol; anything else falls back to SECCLASS_SOCKET. */
static inline u16 socket_type_to_security_class(int family, int type, int protocol)
{
	u16 tclass = SECCLASS_SOCKET;

	switch (family) {
	case PF_UNIX:
		if (type == SOCK_STREAM || type == SOCK_SEQPACKET)
			tclass = SECCLASS_UNIX_STREAM_SOCKET;
		else if (type == SOCK_DGRAM)
			tclass = SECCLASS_UNIX_DGRAM_SOCKET;
		break;
	case PF_INET:
	case PF_INET6:
		if (type == SOCK_STREAM)
			tclass = SECCLASS_TCP_SOCKET;
		else if (type == SOCK_DGRAM)
			tclass = SECCLASS_UDP_SOCKET;
		else if (type == SOCK_RAW)
			tclass = SECCLASS_RAWIP_SOCKET;
		break;
	case PF_NETLINK:
		/* Netlink sockets are told apart by protocol, not type. */
		switch (protocol) {
		case NETLINK_ROUTE:
			tclass = SECCLASS_NETLINK_ROUTE_SOCKET;
			break;
		case NETLINK_FIREWALL:
			tclass = SECCLASS_NETLINK_FIREWALL_SOCKET;
			break;
		case NETLINK_TCPDIAG:
			tclass = SECCLASS_NETLINK_TCPDIAG_SOCKET;
			break;
		case NETLINK_NFLOG:
			tclass = SECCLASS_NETLINK_NFLOG_SOCKET;
			break;
		case NETLINK_XFRM:
			tclass = SECCLASS_NETLINK_XFRM_SOCKET;
			break;
		case NETLINK_SELINUX:
			tclass = SECCLASS_NETLINK_SELINUX_SOCKET;
			break;
		case NETLINK_AUDIT:
			tclass = SECCLASS_NETLINK_AUDIT_SOCKET;
			break;
		case NETLINK_IP6_FW:
			tclass = SECCLASS_NETLINK_IP6FW_SOCKET;
			break;
		case NETLINK_DNRTMSG:
			tclass = SECCLASS_NETLINK_DNRT_SOCKET;
			break;
		default:
			tclass = SECCLASS_NETLINK_SOCKET;
			break;
		}
		break;
	case PF_PACKET:
		tclass = SECCLASS_PACKET_SOCKET;
		break;
	case PF_KEY:
		tclass = SECCLASS_KEY_SOCKET;
		break;
	default:
		break;
	}

	return tclass;
}
682
683 #ifdef CONFIG_PROC_FS
/* Look up the SID of a procfs entry from its path.

   Builds the path of @de backwards, up to the procfs root, into a
   page-sized buffer and asks the security server for the genfs_contexts
   SID of "proc" + path for object class @tclass, returned via @sid.
   Returns 0, -ENOMEM if no page is available, or the error from
   security_genfs_sid().

   NOTE(review): when the path does not fit in the page the loop stops
   and the partial path built so far (the deepest components, without
   the leading ones) is what gets looked up, so it could match a
   different genfs entry than the full path would.  Confirm real procfs
   depths cannot reach this, or fail the lookup instead. */
static int selinux_proc_get_sid(struct proc_dir_entry *de,
				u16 tclass,
				u32 *sid)
{
	int buflen, rc;
	char *buffer, *path, *end;

	buffer = (char*)__get_free_page(GFP_KERNEL);
	if (!buffer)
		return -ENOMEM;

	/* Fill from the end of the page backwards; a NULL or root entry
	   leaves path as just "/". */
	buflen = PAGE_SIZE;
	end = buffer+buflen;
	*--end = '\0';
	buflen--;
	path = end-1;
	*path = '/';
	while (de && de != de->parent) {
		/* Each component costs its name plus a leading '/'. */
		buflen -= de->namelen + 1;
		if (buflen < 0)
			break;
		end -= de->namelen;
		memcpy(end, de->name, de->namelen);
		*--end = '/';
		path = end;
		de = de->parent;
	}
	rc = security_genfs_sid("proc", path, tclass, sid);
	free_page((unsigned long)buffer);
	return rc;
}
715 #else
/* Without CONFIG_PROC_FS there are no procfs entries to look up. */
static int selinux_proc_get_sid(struct proc_dir_entry *de,
				u16 tclass,
				u32 *sid)
{
	int rc = -EINVAL;

	return rc;
}
722 #endif
723
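/* The inode's security attributes must be initialized before first use.

   Labels @inode according to its superblock's labeling behavior: from the
   security.selinux xattr (falling back to sbsec->def_sid when the xattr is
   absent or unsupported), from the creating task's SID, from a type
   transition, or from the filesystem SID with a genfs lookup for procfs
   entries.  @opt_dentry, if given, is used for the xattr call; otherwise
   one is looked up with d_find_alias().  isec->sclass is refreshed from
   the inode mode or the socket type on every path, including early outs.

   If the superblock is not initialized yet the inode is queued on
   sbsec->isec_head for superblock_doinit to label later.  Returns 0 or an
   error from getxattr, kmalloc, security_context_to_sid(),
   security_transition_sid() or selinux_proc_get_sid(); isec->initialized
   is set only on success.

   The xattr value is not NUL-terminated, so the buffer is allocated one
   byte larger and terminated before the value is printed with %s. */
static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
{
	struct superblock_security_struct *sbsec = NULL;
	struct inode_security_struct *isec = inode->i_security;
	u32 sid;
	struct dentry *dentry;
#define INITCONTEXTLEN 255
	char *context = NULL;
	unsigned len = 0;
	int rc = 0;
	int hold_sem = 0;

	if (isec->initialized)
		goto out;

	down(&isec->sem);
	hold_sem = 1;
	/* Re-check under the semaphore: another task may have finished. */
	if (isec->initialized)
		goto out;

	sbsec = inode->i_sb->s_security;
	if (!sbsec->initialized) {
		/* Defer initialization until selinux_complete_init,
		   after the initial policy is loaded and the security
		   server is ready to handle calls. */
		spin_lock(&sbsec->isec_lock);
		if (list_empty(&isec->list))
			list_add(&isec->list, &sbsec->isec_head);
		spin_unlock(&sbsec->isec_lock);
		goto out;
	}

	switch (sbsec->behavior) {
	case SECURITY_FS_USE_XATTR:
		if (!inode->i_op->getxattr) {
			isec->sid = sbsec->def_sid;
			break;
		}

		/* Need a dentry, since the xattr API requires one.
		   Life would be simpler if we could just pass the inode. */
		if (opt_dentry) {
			/* Called from d_instantiate or d_splice_alias. */
			dentry = dget(opt_dentry);
		} else {
			/* Called from selinux_complete_init, try to find a dentry. */
			dentry = d_find_alias(inode);
		}
		if (!dentry) {
			printk(KERN_WARNING "%s: no dentry for dev=%s "
			       "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
			       inode->i_ino);
			goto out;
		}

		/* len + 1 leaves room for the terminator added below. */
		len = INITCONTEXTLEN;
		context = kmalloc(len + 1, GFP_KERNEL);
		if (!context) {
			rc = -ENOMEM;
			dput(dentry);
			goto out;
		}
		rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
					   context, len);
		if (rc == -ERANGE) {
			/* Release the small buffer before any further early
			   out so a failed size query cannot leak it. */
			kfree(context);
			context = NULL;

			/* Need a larger buffer.  Query for the right size. */
			rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
						   NULL, 0);
			if (rc < 0) {
				dput(dentry);
				goto out;
			}
			len = rc;
			context = kmalloc(len + 1, GFP_KERNEL);
			if (!context) {
				rc = -ENOMEM;
				dput(dentry);
				goto out;
			}
			rc = inode->i_op->getxattr(dentry,
						   XATTR_NAME_SELINUX,
						   context, len);
		}
		dput(dentry);
		if (rc < 0) {
			if (rc != -ENODATA) {
				printk(KERN_WARNING "%s: getxattr returned "
				       "%d for dev=%s ino=%ld\n", __FUNCTION__,
				       -rc, inode->i_sb->s_id, inode->i_ino);
				kfree(context);
				goto out;
			}
			/* Map ENODATA to the default file SID */
			sid = sbsec->def_sid;
			rc = 0;
		} else {
			/* rc is the value length (at most len); terminate it
			   so the %s below cannot run past the value. */
			context[rc] = '\0';
			rc = security_context_to_sid(context, rc, &sid);
			if (rc) {
				printk(KERN_WARNING "%s: context_to_sid(%s) "
				       "returned %d for dev=%s ino=%ld\n",
				       __FUNCTION__, context, -rc,
				       inode->i_sb->s_id, inode->i_ino);
				kfree(context);
				goto out;
			}
		}
		kfree(context);
		isec->sid = sid;
		break;
	case SECURITY_FS_USE_TASK:
		isec->sid = isec->task_sid;
		break;
	case SECURITY_FS_USE_TRANS:
		/* Default to the fs SID. */
		isec->sid = sbsec->sid;

		/* Try to obtain a transition SID. */
		isec->sclass = inode_mode_to_security_class(inode->i_mode);
		rc = security_transition_sid(isec->task_sid,
					     sbsec->sid,
					     isec->sclass,
					     &sid);
		if (rc)
			goto out;
		isec->sid = sid;
		break;
	default:
		/* Default to the fs SID. */
		isec->sid = sbsec->sid;

		if (sbsec->proc) {
			struct proc_inode *proci = PROC_I(inode);
			if (proci->pde) {
				isec->sclass = inode_mode_to_security_class(inode->i_mode);
				rc = selinux_proc_get_sid(proci->pde,
							  isec->sclass,
							  &sid);
				if (rc)
					goto out;
				isec->sid = sid;
			}
		}
		break;
	}

	isec->initialized = 1;

out:
	/* The object class is (re)derived on every path out. */
	if (inode->i_sock) {
		struct socket *sock = SOCKET_I(inode);
		if (sock->sk) {
			isec->sclass = socket_type_to_security_class(sock->sk->sk_family,
			                                             sock->sk->sk_type,
			                                             sock->sk->sk_protocol);
		} else {
			isec->sclass = SECCLASS_SOCKET;
		}
	} else {
		isec->sclass = inode_mode_to_security_class(inode->i_mode);
	}

	if (hold_sem)
		up(&isec->sem);
	return rc;
}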
891
/* Convert a Linux signal number to the process permission it requires.
   SIGCHLD, SIGKILL and SIGSTOP have their own permissions (the latter two
   cannot be caught or ignored); every other signal maps to PROCESS__SIGNAL. */
static inline u32 signal_to_av(int sig)
{
	switch (sig) {
	case SIGCHLD:
		/* Commonly granted from child to parent. */
		return PROCESS__SIGCHLD;
	case SIGKILL:
		return PROCESS__SIGKILL;
	case SIGSTOP:
		return PROCESS__SIGSTOP;
	default:
		return PROCESS__SIGNAL;
	}
}
918
/* Check permission between a pair of tasks, e.g. signal checks,
   fork check, ptrace check, etc.  @tsk1 is the source and @tsk2 the
   target of the SECCLASS_PROCESS permission(s) in @perms. */
int task_has_perm(struct task_struct *tsk1,
		  struct task_struct *tsk2,
		  u32 perms)
{
	struct task_security_struct *src = tsk1->security;
	struct task_security_struct *dst = tsk2->security;

	return avc_has_perm(src->sid, dst->sid, SECCLASS_PROCESS, perms, NULL);
}
932
/* Check whether a task is allowed to use a capability.  The check is made
   with the task's own SID as both source and target in the capability
   class, and the capability number is recorded in the audit data. */
int task_has_capability(struct task_struct *tsk,
			int cap)
{
	struct task_security_struct *tsec = tsk->security;
	struct avc_audit_data ad;
	u32 requested = CAP_TO_MASK(cap);

	AVC_AUDIT_DATA_INIT(&ad, CAP);
	ad.tsk = tsk;
	ad.u.cap = cap;

	return avc_has_perm(tsec->sid, tsec->sid, SECCLASS_CAPABILITY,
			    requested, &ad);
}
949
/* Check whether a task is allowed to use a system operation.  System
   permissions are checked against the kernel's initial SID. */
int task_has_system(struct task_struct *tsk,
		    u32 perms)
{
	struct task_security_struct *tsec = tsk->security;

	return avc_has_perm(tsec->sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
			    perms, NULL);
}
961
/* Check whether a task has a particular permission to an inode.
   The 'adp' parameter is optional and allows other audit
   data to be passed (e.g. the dentry); when it is NULL, audit data
   naming just the inode is built here. */
int inode_has_perm(struct task_struct *tsk,
		   struct inode *inode,
		   u32 perms,
		   struct avc_audit_data *adp)
{
	struct task_security_struct *tsec = tsk->security;
	struct inode_security_struct *isec = inode->i_security;
	struct avc_audit_data local_ad;

	if (adp == NULL) {
		AVC_AUDIT_DATA_INIT(&local_ad, FS);
		local_ad.u.fs.inode = inode;
		adp = &local_ad;
	}

	return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
}
985
/* Same as inode_has_perm, but pass explicit audit data containing
   the mount and dentry to help the auditing code to more easily
   generate the pathname if needed. */
static inline int dentry_has_perm(struct task_struct *tsk,
				  struct vfsmount *mnt,
				  struct dentry *dentry,
				  u32 av)
{
	struct avc_audit_data ad;

	AVC_AUDIT_DATA_INIT(&ad, FS);
	ad.u.fs.mnt = mnt;
	ad.u.fs.dentry = dentry;

	return inode_has_perm(tsk, dentry->d_inode, av, &ad);
}
1001
/* Check whether a task can use an open file descriptor to
   access an inode in a given way.  Check access to the
   descriptor itself, and then check a particular permission
   to the file.  Access to the descriptor is implicitly granted
   if it has the same SID as the process.  If av is zero, then
   access to the file is not checked, e.g. for cases
   where only the descriptor is affected like seek. */
static inline int file_has_perm(struct task_struct *tsk,
				struct file *file,
				u32 av)
{
	struct task_security_struct *tsec = tsk->security;
	struct file_security_struct *fsec = file->f_security;
	struct dentry *dentry = file->f_dentry;
	struct avc_audit_data ad;

	AVC_AUDIT_DATA_INIT(&ad, FS);
	ad.u.fs.mnt = file->f_vfsmnt;
	ad.u.fs.dentry = dentry;

	/* A descriptor labeled differently from the task needs fd:use. */
	if (tsec->sid != fsec->sid) {
		int rc = avc_has_perm(tsec->sid, fsec->sid, SECCLASS_FD,
				      FD__USE, &ad);
		if (rc)
			return rc;
	}

	/* av is zero if only checking access to the descriptor. */
	if (!av)
		return 0;

	return inode_has_perm(tsk, dentry->d_inode, av, &ad);
}
1041
/* Check whether a task can create a file.  The current task needs
   add_name+search on the parent directory @dir and create on the new
   object's SID in class @tclass; that SID is the task's create_sid
   override when one is set (and the filesystem is not using mountpoint
   labeling), otherwise the type transition result.  Finally the new SID
   must be allowed to associate with the filesystem. */
static int may_create(struct inode *dir,
		      struct dentry *dentry,
		      u16 tclass)
{
	struct task_security_struct *tsec = current->security;
	struct inode_security_struct *dsec = dir->i_security;
	struct superblock_security_struct *sbsec = dir->i_sb->s_security;
	struct avc_audit_data ad;
	u32 newsid;
	int use_create_sid;
	int rc;

	AVC_AUDIT_DATA_INIT(&ad, FS);
	ad.u.fs.dentry = dentry;

	rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
			  DIR__ADD_NAME | DIR__SEARCH, &ad);
	if (rc)
		return rc;

	use_create_sid = tsec->create_sid &&
			 sbsec->behavior != SECURITY_FS_USE_MNTPOINT;
	if (use_create_sid) {
		newsid = tsec->create_sid;
	} else {
		rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
					     &newsid);
		if (rc)
			return rc;
	}

	rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
	if (rc)
		return rc;

	return avc_has_perm(newsid, sbsec->sid, SECCLASS_FILESYSTEM,
			    FILESYSTEM__ASSOCIATE, &ad);
}
1084
#define MAY_LINK 0
#define MAY_UNLINK 1
#define MAY_RMDIR 2

/* Check whether a task can link, unlink, or rmdir a file/directory.
   @kind is one of MAY_LINK, MAY_UNLINK or MAY_RMDIR.  The parent
   directory check (search plus add_name or remove_name) runs first; an
   unrecognized @kind is logged and the per-object check is skipped,
   returning 0. */
static int may_link(struct inode *dir,
		    struct dentry *dentry,
		    int kind)

{
	struct task_security_struct *tsec = current->security;
	struct inode_security_struct *dsec = dir->i_security;
	struct inode_security_struct *isec = dentry->d_inode->i_security;
	struct avc_audit_data ad;
	u32 dir_av, obj_av;
	int rc;

	AVC_AUDIT_DATA_INIT(&ad, FS);
	ad.u.fs.dentry = dentry;

	/* Linking adds a name; unlink and rmdir remove one. */
	dir_av = DIR__SEARCH | (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
	rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, dir_av, &ad);
	if (rc)
		return rc;

	if (kind == MAY_LINK) {
		obj_av = FILE__LINK;
	} else if (kind == MAY_UNLINK) {
		obj_av = FILE__UNLINK;
	} else if (kind == MAY_RMDIR) {
		obj_av = DIR__RMDIR;
	} else {
		printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
		return 0;
	}

	return avc_has_perm(tsec->sid, isec->sid, isec->sclass, obj_av, &ad);
}
1132
/* Check whether a task can rename @old_dentry (in @old_dir) to
   @new_dentry (in @new_dir).  The checks run in this order:
   remove_name+search on the old parent, rename on the object, reparent
   when a directory moves to a different parent, add_name+search (plus
   remove_name when a target exists) on the new parent, and rmdir or
   unlink on an existing target. */
static inline int may_rename(struct inode *old_dir,
			     struct dentry *old_dentry,
			     struct inode *new_dir,
			     struct dentry *new_dentry)
{
	struct task_security_struct *tsec = current->security;
	struct inode_security_struct *old_dsec = old_dir->i_security;
	struct inode_security_struct *old_isec = old_dentry->d_inode->i_security;
	struct inode_security_struct *new_dsec = new_dir->i_security;
	struct inode *target = new_dentry->d_inode;
	struct avc_audit_data ad;
	u32 dir_av = DIR__ADD_NAME | DIR__SEARCH;
	int rc;

	AVC_AUDIT_DATA_INIT(&ad, FS);

	/* Source side. */
	ad.u.fs.dentry = old_dentry;
	rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
	if (rc)
		return rc;
	rc = avc_has_perm(tsec->sid, old_isec->sid, old_isec->sclass,
			  FILE__RENAME, &ad);
	if (rc)
		return rc;
	if (S_ISDIR(old_dentry->d_inode->i_mode) && new_dir != old_dir) {
		rc = avc_has_perm(tsec->sid, old_isec->sid, old_isec->sclass,
				  DIR__REPARENT, &ad);
		if (rc)
			return rc;
	}

	/* Destination side. */
	ad.u.fs.dentry = new_dentry;
	if (target)
		dir_av |= DIR__REMOVE_NAME;
	rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, dir_av, &ad);
	if (rc)
		return rc;
	if (target) {
		struct inode_security_struct *new_isec = target->i_security;
		u32 remove_av = S_ISDIR(target->i_mode) ? DIR__RMDIR : FILE__UNLINK;

		rc = avc_has_perm(tsec->sid, new_isec->sid, new_isec->sclass,
				  remove_av, &ad);
		if (rc)
			return rc;
	}

	return 0;
}
1188
/* Check whether a task can perform a filesystem operation: @perms in the
   filesystem class, from the task's SID to the superblock's SID.  @ad is
   optional audit data passed straight through. */
int superblock_has_perm(struct task_struct *tsk,
			struct super_block *sb,
			u32 perms,
			struct avc_audit_data *ad)
{
	struct task_security_struct *tsec = tsk->security;
	struct superblock_security_struct *sbsec = sb->s_security;

	return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
}
1203
/* Convert a Linux mode and permission mask to an access vector.
   Directories use the dir permissions (search/write/read); everything
   else uses the file permissions, where MAY_APPEND takes precedence over
   MAY_WRITE so append-only access maps to FILE__APPEND. */
static inline u32 file_mask_to_av(int mode, int mask)
{
	u32 av = 0;

	if (S_ISDIR(mode)) {
		if (mask & MAY_EXEC)
			av |= DIR__SEARCH;
		if (mask & MAY_WRITE)
			av |= DIR__WRITE;
		if (mask & MAY_READ)
			av |= DIR__READ;
		return av;
	}

	if (mask & MAY_EXEC)
		av |= FILE__EXECUTE;
	if (mask & MAY_READ)
		av |= FILE__READ;
	if (mask & MAY_APPEND)
		av |= FILE__APPEND;
	else if (mask & MAY_WRITE)
		av |= FILE__WRITE;

	return av;
}
1231
/* Convert a Linux file to an access vector.
 *
 * Derives the vector from the open file's f_mode (read/write) and, for a
 * writable file, from O_APPEND in f_flags: append-mode files ask for
 * FILE__APPEND instead of FILE__WRITE.
 */
static inline u32 file_to_av(struct file *file)
{
	u32 av = 0;

	if (file->f_mode & FMODE_READ)
		av |= FILE__READ;

	if (file->f_mode & FMODE_WRITE)
		av |= (file->f_flags & O_APPEND) ? FILE__APPEND : FILE__WRITE;

	return av;
}
1248
/* Set an inode's SID to a specified value.
 *
 * The security class is recomputed from i_mode at the same time and the
 * inode is marked initialized. Nothing is done (and 0 is returned) while
 * the superblock itself is not yet initialized; labeling is then deferred
 * to selinux_complete_init.
 */
int inode_security_set_sid(struct inode *inode, u32 sid)
{
	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
	struct inode_security_struct *isec;

	/* Defer initialization to selinux_complete_init. */
	if (!sbsec->initialized)
		return 0;

	isec = inode->i_security;
	down(&isec->sem);
	isec->sid = sid;
	isec->sclass = inode_mode_to_security_class(inode->i_mode);
	isec->initialized = 1;
	up(&isec->sem);

	return 0;
}
1267
/* Set the security attributes on a newly created file.
 *
 * dir:    the parent directory (source of the default transition)
 * dentry: the new object; dentry->d_inode may be NULL for some fs types
 *
 * The new SID is the task's create SID when one is set (except on
 * mountpoint-labeled filesystems), otherwise the policy's type transition
 * for (task SID, directory SID, object class). The SID is stored in the
 * in-core inode and, on xattr-labeled filesystems that implement
 * setxattr, persisted as the SELinux xattr. Returns 0 or a negative
 * error from the transition, set_sid or setxattr step.
 */
static int post_create(struct inode *dir,
		       struct dentry *dentry)
{
	struct task_security_struct *tsec = current->security;
	struct inode_security_struct *dsec = dir->i_security;
	struct superblock_security_struct *sbsec = dir->i_sb->s_security;
	struct inode *inode = dentry->d_inode;
	char *context;
	unsigned int len;
	u32 newsid;
	int rc;

	/* Some file system types (e.g. NFS) may not instantiate
	   a dentry for all create operations (e.g. symlink),
	   so we have to check to see if the inode is non-NULL. */
	if (!inode) {
		printk(KERN_WARNING "post_create: no inode, dir (dev=%s, "
		       "ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
		return 0;
	}

	if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
		/* Explicit setfscreatecon() request from the task. */
		newsid = tsec->create_sid;
	} else {
		/* Default type transition for this kind of object. */
		rc = security_transition_sid(tsec->sid, dsec->sid,
					     inode_mode_to_security_class(inode->i_mode),
					     &newsid);
		if (rc) {
			printk(KERN_WARNING "post_create: "
			       "security_transition_sid failed, rc=%d (dev=%s "
			       "ino=%ld)\n",
			       -rc, inode->i_sb->s_id, inode->i_ino);
			return rc;
		}
	}

	rc = inode_security_set_sid(inode, newsid);
	if (rc) {
		printk(KERN_WARNING "post_create: inode_security_set_sid "
		       "failed, rc=%d (dev=%s ino=%ld)\n",
		       -rc, inode->i_sb->s_id, inode->i_ino);
		return rc;
	}

	/* Only xattr-labeled filesystems with a setxattr method get the
	   label written to disk; others keep it in core only. */
	if (sbsec->behavior != SECURITY_FS_USE_XATTR || !inode->i_op->setxattr)
		return 0;

	/* Use extended attributes. */
	rc = security_sid_to_context(newsid, &context, &len);
	if (rc) {
		printk(KERN_WARNING "post_create: sid_to_context "
		       "failed, rc=%d (dev=%s ino=%ld)\n",
		       -rc, inode->i_sb->s_id, inode->i_ino);
		return rc;
	}

	down(&inode->i_sem);
	rc = inode->i_op->setxattr(dentry,
				   XATTR_NAME_SELINUX,
				   context, len, 0);
	up(&inode->i_sem);
	kfree(context);

	if (rc < 0) {
		printk(KERN_WARNING "post_create: setxattr failed, "
		       "rc=%d (dev=%s ino=%ld)\n",
		       -rc, inode->i_sb->s_id, inode->i_ino);
		return rc;
	}

	return 0;
}
1345
1346
1347 /* Hook functions begin here. */
1348
/* ptrace hook: the secondary module and then SELinux (PROCESS__PTRACE
 * from parent to child) must both allow the attach. On success the
 * tracer's SID is recorded in the child for selinux_bprm_apply_creds,
 * which re-checks it when the traced child later changes SID on exec. */
static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
{
	struct task_security_struct *parent_sec = parent->security;
	struct task_security_struct *child_sec = child->security;
	int rc = secondary_ops->ptrace(parent, child);

	if (rc)
		return rc;

	rc = task_has_perm(parent, child, PROCESS__PTRACE);
	if (rc)
		return rc;

	/* Save the SID of the tracing process for later use in apply_creds. */
	child_sec->ptrace_sid = parent_sec->sid;
	return 0;
}
1365
/* capget hook: reading another task's capability sets requires
 * PROCESS__GETCAP; the secondary module is consulted only after SELinux
 * has allowed it. */
static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
	int error = task_has_perm(current, target, PROCESS__GETCAP);

	if (error)
		return error;

	return secondary_ops->capget(target, effective, inheritable, permitted);
}
1377
/* capset hook (check half): the secondary module's checks run first,
 * then SELinux requires PROCESS__SETCAP from current to target. */
static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
				kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
	int error = secondary_ops->capset_check(target, effective,
						inheritable, permitted);

	return error ? error : task_has_perm(current, target, PROCESS__SETCAP);
}
1389
/* capset hook (set half): the permission check already happened in
 * selinux_capset_check, so SELinux only delegates to the secondary module. */
static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
			       kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
	secondary_ops->capset_set(target, effective, inheritable, permitted);
}
1395
/* capable hook: a capability is granted only if the secondary module
 * (traditional capability bits) allows it AND policy grants the matching
 * capability permission to the task's own SID. */
static int selinux_capable(struct task_struct *tsk, int cap)
{
	int rc = secondary_ops->capable(tsk, cap);

	return rc ? rc : task_has_capability(tsk, cap);
}
1406
/* sysctl hook. The op values are "defined" in sysctl.c, thereby creating
 * a bad coupling between this module and sysctl.c: 001 means a directory
 * lookup, and the 004/002 bits mean read/write of a sysctl entry. The
 * target SID is derived from the /proc entry when possible, falling back
 * to the well-defined sysctl SID. */
static int selinux_sysctl(ctl_table *table, int op)
{
	struct task_security_struct *tsec;
	u32 tsid;
	u32 av = 0;
	int rc;

	rc = secondary_ops->sysctl(table, op);
	if (rc)
		return rc;

	tsec = current->security;

	if (op == 001) {
		if (selinux_proc_get_sid(table->de, SECCLASS_DIR, &tsid))
			tsid = SECINITSID_SYSCTL;
		return avc_has_perm(tsec->sid, tsid,
				    SECCLASS_DIR, DIR__SEARCH, NULL);
	}

	if (selinux_proc_get_sid(table->de, SECCLASS_FILE, &tsid))
		tsid = SECINITSID_SYSCTL;

	if (op & 004)
		av |= FILE__READ;
	if (op & 002)
		av |= FILE__WRITE;

	/* Neither read nor write requested: nothing to check. */
	if (!av)
		return 0;

	return avc_has_perm(tsec->sid, tsid, SECCLASS_FILE, av, NULL);
}
1446
/* quotactl hook: map the command onto a filesystem-class permission
 * (quotamod for state-changing commands, quotaget for queries) and check
 * it against the superblock. Commands not listed, and calls without a
 * superblock, are left to the kernel. */
static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
{
	u32 perm;

	if (!sb)
		return 0;

	switch (cmds) {
	case Q_SYNC:
	case Q_QUOTAON:
	case Q_QUOTAOFF:
	case Q_SETINFO:
	case Q_SETQUOTA:
		perm = FILESYSTEM__QUOTAMOD;
		break;
	case Q_GETFMT:
	case Q_GETINFO:
	case Q_GETQUOTA:
		perm = FILESYSTEM__QUOTAGET;
		break;
	default:
		/* let the kernel handle invalid cmds */
		return 0;
	}

	return superblock_has_perm(current, sb, perm, NULL);
}
1477
/* quota_on hook: enabling quotas backed by a file requires FILE__QUOTAON
 * on that file; no mount is supplied for the audit record. */
static int selinux_quota_on(struct dentry *dentry)
{
	u32 perm = FILE__QUOTAON;

	return dentry_has_perm(current, NULL, dentry, perm);
}
1482
/* syslog hook: after the secondary module, map the syslog(2) command
 * number onto one of three system-class permissions. Unknown commands
 * are treated as modifications, the most restrictive choice. */
static int selinux_syslog(int type)
{
	u32 perm;
	int rc = secondary_ops->syslog(type);

	if (rc)
		return rc;

	switch (type) {
	case 3:		/* Read last kernel messages */
	case 10:	/* Return size of the log buffer */
		perm = SYSTEM__SYSLOG_READ;
		break;
	case 6:		/* Disable logging to console */
	case 7:		/* Enable logging to console */
	case 8:		/* Set level of messages printed to console */
		perm = SYSTEM__SYSLOG_CONSOLE;
		break;
	default:
		/* 0 close, 1 open, 2 read, 4 read/clear, 5 clear ring
		   buffer, and anything unrecognised. */
		perm = SYSTEM__SYSLOG_MOD;
		break;
	}

	return task_has_system(current, perm);
}
1512
/*
 * Check that a process has enough memory to allocate a new virtual
 * mapping.  0 means there is enough memory for the allocation to
 * succeed and -ENOMEM implies there is not.
 *
 * Note that secondary_ops->capable and avc_has_perm_noaudit return 0
 * if the capability is granted, but __vm_enough_memory requires 1 if
 * the capability is granted.
 *
 * Do not audit the selinux permission check, as this is applied to all
 * processes that allocate mappings.
 */
static int selinux_vm_enough_memory(long pages)
{
	struct task_security_struct *tsec = current->security;
	int cap_sys_admin = 0;

	/* CAP_SYS_ADMIN counts only if both the secondary module and
	   SELinux policy (capability class, task's own SID) grant it; the
	   SELinux check is skipped when the first one already failed. */
	if (secondary_ops->capable(current, CAP_SYS_ADMIN) == 0 &&
	    avc_has_perm_noaudit(tsec->sid, tsec->sid,
				 SECCLASS_CAPABILITY,
				 CAP_TO_MASK(CAP_SYS_ADMIN),
				 NULL) == 0)
		cap_sys_admin = 1;

	return __vm_enough_memory(pages, cap_sys_admin);
}
1542
1543 /* binprm security operations */
1544
/* Allocate the per-exec security blob. It starts zeroed (so bsec->set and
 * bsec->unsafe are 0), carries the SELinux magic, points back at its
 * bprm, and has the unlabeled SID until selinux_bprm_set_security
 * computes the real one. Returns -ENOMEM on allocation failure. */
static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
{
	struct bprm_security_struct *bsec;

	bsec = kmalloc(sizeof(*bsec), GFP_KERNEL);
	if (bsec == NULL)
		return -ENOMEM;
	memset(bsec, 0, sizeof(*bsec));

	bsec->magic = SELINUX_MAGIC;
	bsec->bprm = bprm;
	bsec->sid = SECINITSID_UNLABELED;

	bprm->security = bsec;
	return 0;
}
1562
/*
 * Decide which SID the new program image will run with and record it in
 * bprm->security.  Runs at most once per exec: bsec->set guards against
 * repeated calls from stacked binfmt handlers.
 *
 * The candidate SID comes from a pending setexeccon() (tsec->exec_sid)
 * or, failing that, from the policy's process type transition for the
 * file.  A nosuid mount cancels any transition.  The no-transition path
 * requires execute_no_trans on the file; the transition path requires
 * both process:transition (old -> new) and file:entrypoint (new -> file).
 */
static int selinux_bprm_set_security(struct linux_binprm *bprm)
{
	struct task_security_struct *tsec;
	struct inode *inode = bprm->file->f_dentry->d_inode;
	struct inode_security_struct *isec;
	struct bprm_security_struct *bsec;
	u32 newsid;
	struct avc_audit_data ad;
	int rc;

	rc = secondary_ops->bprm_set_security(bprm);
	if (rc)
		return rc;

	bsec = bprm->security;

	if (bsec->set)
		return 0;

	tsec = current->security;
	isec = inode->i_security;

	/* Default to the current task SID. */
	bsec->sid = tsec->sid;

	/* Reset create SID on execve. */
	tsec->create_sid = 0;

	if (tsec->exec_sid) {
		newsid = tsec->exec_sid;
		/* Reset exec SID on execve. */
		/* The request is consumed here even if the nosuid check
		   below ends up discarding it. */
		tsec->exec_sid = 0;
	} else {
		/* Check for a default transition on this program. */
		rc = security_transition_sid(tsec->sid, isec->sid,
		                             SECCLASS_PROCESS, &newsid);
		if (rc)
			return rc;
	}

	AVC_AUDIT_DATA_INIT(&ad, FS);
	ad.u.fs.mnt = bprm->file->f_vfsmnt;
	ad.u.fs.dentry = bprm->file->f_dentry;

	/* Programs on nosuid mounts never change domain, whether the
	   transition was requested explicitly or comes from policy. */
	if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
		newsid = tsec->sid;

	if (tsec->sid == newsid) {
		/* No transition: the caller's domain must be allowed to
		   execute this file while staying in the same domain. */
		rc = avc_has_perm(tsec->sid, isec->sid,
				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
		if (rc)
			return rc;
	} else {
		/* Check permissions for the transition. */
		rc = avc_has_perm(tsec->sid, newsid,
				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
		if (rc)
			return rc;

		/* The file must be a legitimate entry point into the new
		   domain, so a domain cannot be entered via arbitrary code. */
		rc = avc_has_perm(newsid, isec->sid,
				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
		if (rc)
			return rc;

		/* Clear any possibly unsafe personality bits on exec: */
		current->personality &= ~PER_CLEAR_ON_SETID;

		/* Set the security field to the new SID. */
		bsec->sid = newsid;
	}

	bsec->set = 1;
	return 0;
}
1637
/* bprm_check_security hook: SELinux does its own work in
 * selinux_bprm_set_security, so this only forwards to the secondary module. */
static int selinux_bprm_check_security (struct linux_binprm *bprm)
{
	int rc = secondary_ops->bprm_check_security(bprm);

	return rc;
}
1642
1643
/* Decide whether the new image gets AT_SECURE. A SID transition (osid !=
 * sid) forces secure mode unless policy grants process:noatsecure from
 * the old SID to the new one; otherwise the secondary module decides.
 * The result is normalised to 0 or 1. */
static int selinux_bprm_secureexec (struct linux_binprm *bprm)
{
	struct task_security_struct *tsec = current->security;

	if (tsec->osid != tsec->sid &&
	    avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
			 PROCESS__NOATSECURE, NULL))
		return 1;

	return secondary_ops->bprm_secureexec(bprm) != 0;
}
1660
/* Release the per-exec security blob and clear the bprm's pointer to it
 * so nothing can reach the freed memory through bprm->security. */
static void selinux_bprm_free_security(struct linux_binprm *bprm)
{
	kfree(bprm->security);
	bprm->security = NULL;
}
1667
/* The selinuxfs mount and its "null" dentry; flush_unauthorized_files
   opens them to provide a harmless replacement for descriptors that the
   new task SID is not allowed to keep. */
extern struct vfsmount *selinuxfs_mount;
extern struct dentry *selinux_null;
1670
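/* Derived from fs/exec.c:flush_old_files. */
/*
 * Revalidate inherited state against the task's new SID after a
 * SID-changing exec: drop the controlling tty if the new SID may not
 * read and write it, and replace every inherited open file the new SID
 * is not allowed to use with an open file on selinuxfs' null device at
 * the same descriptor number (so the program still finds a valid fd).
 *
 * files: the task's descriptor table (caller passes current->files).
 */
static inline void flush_unauthorized_files(struct files_struct * files)
{
	struct avc_audit_data ad;
	struct file *file, *devnull = NULL;
	struct tty_struct *tty = current->signal->tty;
	long j = -1;

	if (tty) {
		file_list_lock();
		/* list_entry() is container_of() and never yields NULL, so
		   testing the resulting pointer could not detect an empty
		   tty_files list and would have dereferenced a bogus
		   struct file. Test the list itself instead. */
		if (!list_empty(&tty->tty_files)) {
			struct inode *inode;

			file = list_entry(tty->tty_files.next, typeof(*file), f_list);
			/* Revalidate access to controlling tty.
			   Use inode_has_perm on the tty inode directly rather
			   than using file_has_perm, as this particular open
			   file may belong to another process and we are only
			   interested in the inode-based check here. */
			inode = file->f_dentry->d_inode;
			if (inode_has_perm(current, inode,
					   FILE__READ | FILE__WRITE, NULL)) {
				/* Reset controlling tty. */
				current->signal->tty = NULL;
				current->signal->tty_old_pgrp = 0;
			}
		}
		file_list_unlock();
	}

	/* Revalidate access to inherited open files. */

	/* ad is initialised but not handed to any check below; file_has_perm
	   is called without it. */
	AVC_AUDIT_DATA_INIT(&ad,FS);

	spin_lock(&files->file_lock);
	for (;;) {
		unsigned long set, i;
		int fd;

		j++;
		i = j * __NFDBITS;
		if (i >= files->max_fds || i >= files->max_fdset)
			break;
		set = files->open_fds->fds_bits[j];
		if (!set)
			continue;
		/* The lock is dropped while this word's fds are checked;
		   each file is pinned by fget() for the duration. */
		spin_unlock(&files->file_lock);
		for ( ; set ; i++,set >>= 1) {
			if (set & 1) {
				file = fget(i);
				if (!file)
					continue;
				if (file_has_perm(current,
						  file,
						  file_to_av(file))) {
					sys_close(i);
					/* Reclaim the same descriptor number
					   for the replacement; if a different
					   one comes back, give it up and leave
					   the slot closed. */
					fd = get_unused_fd();
					if (fd != i) {
						if (fd >= 0)
							put_unused_fd(fd);
						fput(file);
						continue;
					}
					if (devnull) {
						atomic_inc(&devnull->f_count);
					} else {
						/* NOTE(review): if dentry_open()
						   reports failure with an ERR_PTR
						   rather than NULL, this test does
						   not catch it -- confirm against
						   fs/open.c. */
						devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
						if (!devnull) {
							put_unused_fd(fd);
							fput(file);
							continue;
						}
					}
					fd_install(fd, devnull);
				}
				fput(file);
			}
		}
		spin_lock(&files->file_lock);

	}
	spin_unlock(&files->file_lock);
}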
1752
/*
 * Install the SID computed by selinux_bprm_set_security on the task.
 *
 * The previous SID is saved in tsec->osid so later hooks can tell that a
 * transition happened.  When the core flags the exec as unsafe (shared
 * mm/fs/files, or a tracer attached), the transition is only performed if
 * policy grants process:share from the old SID, respectively
 * process:ptrace from the tracer's SID recorded in selinux_ptrace, to the
 * new SID.  Otherwise the SID is left unchanged and bsec->unsafe is set;
 * selinux_bprm_post_apply_creds then kills the task rather than let the
 * new image run under the old credentials.
 */
static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
{
	struct task_security_struct *tsec;
	struct bprm_security_struct *bsec;
	u32 sid;
	int rc;

	secondary_ops->bprm_apply_creds(bprm, unsafe);

	tsec = current->security;

	bsec = bprm->security;
	sid = bsec->sid;

	tsec->osid = tsec->sid;
	bsec->unsafe = 0;
	if (tsec->sid != sid) {
		/* Check for shared state. If not ok, leave SID
		   unchanged and kill. */
		if (unsafe & LSM_UNSAFE_SHARE) {
			rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
					PROCESS__SHARE, NULL);
			if (rc) {
				bsec->unsafe = 1;
				return;
			}
		}

		/* Check for ptracing, and update the task SID if ok.
		   Otherwise, leave SID unchanged and kill. */
		/* The tracer is checked against the NEW SID: a tracer that
		   may only ptrace the old domain must not follow the task
		   into a more privileged one. */
		if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
			rc = avc_has_perm(tsec->ptrace_sid, sid,
					  SECCLASS_PROCESS, PROCESS__PTRACE,
					  NULL);
			if (rc) {
				bsec->unsafe = 1;
				return;
			}
		}
		tsec->sid = sid;
	}
}
1795
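/*
 * called after apply_creds without the task lock held
 */
/*
 * Finish a SID transition begun in selinux_bprm_apply_creds.  If that
 * hook flagged the exec as unsafe the task is killed; otherwise, when the
 * SID actually changed, inherited open files are revalidated and, unless
 * policy allows inheritance (process:siginh / process:rlimitinh from the
 * old SID to the new), pending signals, handlers and timers are cleared
 * and soft resource limits are reset.
 *
 * The mis-encoded "¤t" tokens in the signal and wait-queue calls are
 * restored to "&current" here; as written they did not compile.
 */
static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
{
	struct task_security_struct *tsec;
	struct rlimit *rlim, *initrlim;
	struct itimerval itimer;
	struct bprm_security_struct *bsec;
	int rc, i;

	tsec = current->security;
	bsec = bprm->security;

	if (bsec->unsafe) {
		/* apply_creds refused the transition; the image must not
		   run with the old SID's credentials. */
		force_sig_specific(SIGKILL, current);
		return;
	}
	/* No transition: nothing inherited needs revalidating. */
	if (tsec->osid == tsec->sid)
		return;

	/* Close files for which the new task SID is not authorized. */
	flush_unauthorized_files(current->files);

	/* Check whether the new SID can inherit signal state
	   from the old SID. If not, clear itimers to avoid
	   subsequent signal generation and flush and unblock
	   signals. This must occur _after_ the task SID has
	   been updated so that any kill done after the flush
	   will be checked against the new SID. */
	rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
			  PROCESS__SIGINH, NULL);
	if (rc) {
		memset(&itimer, 0, sizeof itimer);
		for (i = 0; i < 3; i++)
			do_setitimer(i, &itimer, NULL);
		flush_signals(current);
		spin_lock_irq(&current->sighand->siglock);
		flush_signal_handlers(current, 1);
		sigemptyset(&current->blocked);
		recalc_sigpending();
		spin_unlock_irq(&current->sighand->siglock);
	}

	/* Check whether the new SID can inherit resource limits
	   from the old SID. If not, reset all soft limits to
	   the lower of the current task's hard limit and the init
	   task's soft limit. Note that the setting of hard limits
	   (even to lower them) can be controlled by the setrlimit
	   check. The inclusion of the init task's soft limit into
	   the computation is to avoid resetting soft limits higher
	   than the default soft limit for cases where the default
	   is lower than the hard limit, e.g. RLIMIT_CORE or
	   RLIMIT_STACK.*/
	rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
			  PROCESS__RLIMITINH, NULL);
	if (rc) {
		for (i = 0; i < RLIM_NLIMITS; i++) {
			rlim = current->signal->rlim + i;
			initrlim = init_task.signal->rlim+i;
			rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
		}
	}

	/* Wake up the parent if it is waiting so that it can
	   recheck wait permission to the new task SID. */
	wake_up_interruptible(&current->parent->signal->wait_chldexit);
}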
1864
1865 /* superblock security operations */
1866
/* sb_alloc_security hook: attach the SELinux superblock blob. */
static int selinux_sb_alloc_security(struct super_block *sb)
{
	int rc = superblock_alloc_security(sb);

	return rc;
}
1871
/* sb_free_security hook: release the SELinux superblock blob. */
static void selinux_sb_free_security(struct super_block *sb)
{
	superblock_free_security(sb);
}
1876
/* Return 1 if the first plen bytes of option equal prefix, 0 otherwise.
 * Neither string needs to be NUL-terminated; a prefix longer than the
 * option never matches. */
static inline int match_prefix(char *prefix, int plen, char *option, int olen)
{
	if (olen < plen)
		return 0;

	return memcmp(prefix, option, plen) == 0;
}
1884
/* Return non-zero if the mount option (len bytes, not necessarily
 * NUL-terminated) is one of the SELinux labeling options that must be
 * stripped before the filesystem sees the option string. */
static inline int selinux_option(char *option, int len)
{
	static const char *const prefixes[] = {
		"context=", "fscontext=", "defcontext="
	};
	int i;

	for (i = 0; i < 3; i++) {
		int plen = strlen(prefixes[i]);

		if (match_prefix((char *)prefixes[i], plen, option, len))
			return 1;
	}

	return 0;
}
1891
/* Append one mount option (len bytes starting at from) to the output
 * cursor *to, separated from the previous option by a comma. *first is
 * 1 until the first option has been written, so the very first option
 * gets no leading comma. *to is advanced past what was written. */
static inline void take_option(char **to, char *from, int *first, int len)
{
	char *dst = *to;

	if (*first)
		*first = 0;
	else
		*dst++ = ',';

	memcpy(dst, from, len);
	*to = dst + len;
}
1903
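/*
 * Split the mount options in orig: the SELinux labeling options
 * (context=, fscontext=, defcontext=) are moved into copy for use by
 * superblock_doinit, and the remaining options are written back into
 * orig so the filesystem never sees options it does not understand.
 * Binary mount data is copied wholesale. copy_page assumes both orig and
 * copy are full pages, which is how the mount path appears to allocate
 * them. Returns 0, or -ENOMEM if the scratch page cannot be allocated.
 */
static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
{
	int fnosec, fsec, rc = 0;
	char *in_save, *in_curr, *in_end;
	char *sec_curr, *nosec_save, *nosec;

	in_curr = orig;
	sec_curr = copy;

	/* Binary mount data: just copy */
	if (type->fs_flags & FS_BINARY_MOUNTDATA) {
		copy_page(sec_curr, in_curr);
		goto out;
	}

	/* Scratch page collecting the non-SELinux options. */
	nosec = (char *)get_zeroed_page(GFP_KERNEL);
	if (!nosec) {
		rc = -ENOMEM;
		goto out;
	}

	nosec_save = nosec;
	fnosec = fsec = 1;	/* no option written to either page yet */
	in_save = in_end = orig;

	/* One option ends at ',' or at the terminating NUL; the NUL is also
	   what stops the loop (consumed by the while test). */
	do {
		if (*in_end == ',' || *in_end == '\0') {
			int len = in_end - in_curr;

			if (selinux_option(in_curr, len))
				take_option(&sec_curr, in_curr, &fsec, len);
			else
				take_option(&nosec, in_curr, &fnosec, len);

			in_curr = in_end + 1;
		}
	} while (*in_end++);

	/* Hand the filtered options back in the caller's page, then release
	   the scratch page -- previously it was never freed, leaking one
	   page per mount with textual options. */
	copy_page(in_save, nosec_save);
	free_page((unsigned long)nosec_save);
out:
	return rc;
}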
1946
/* sb_kern_mount hook: label the superblock from the (already filtered)
 * mount data, then require filesystem:mount on it. The root dentry is
 * supplied for the audit record. */
static int selinux_sb_kern_mount(struct super_block *sb, void *data)
{
	struct avc_audit_data ad;
	int rc = superblock_doinit(sb, data);

	if (rc)
		return rc;

	AVC_AUDIT_DATA_INIT(&ad, FS);
	ad.u.fs.dentry = sb->s_root;

	return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
}
1960
/* sb_statfs hook: querying filesystem statistics needs
 * filesystem:getattr on the superblock; the root dentry goes into the
 * audit record. */
static int selinux_sb_statfs(struct super_block *sb)
{
	struct avc_audit_data audit;

	AVC_AUDIT_DATA_INIT(&audit, FS);
	audit.u.fs.dentry = sb->s_root;

	return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &audit);
}
1969
/* mount hook. After the secondary module, a remount is checked as
 * filesystem:remount on the existing superblock, while a fresh mount is
 * checked as file:mounton against the mountpoint dentry. */
static int selinux_mount(char * dev_name,
                         struct nameidata *nd,
                         char * type,
                         unsigned long flags,
                         void * data)
{
	int rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);

	if (rc)
		return rc;

	if (!(flags & MS_REMOUNT))
		return dentry_has_perm(current, nd->mnt, nd->dentry,
				       FILE__MOUNTON);

	return superblock_has_perm(current, nd->mnt->mnt_sb,
				   FILESYSTEM__REMOUNT, NULL);
}
1989
/* umount hook: after the secondary module, require filesystem:unmount on
 * the superblock being detached. */
static int selinux_umount(struct vfsmount *mnt, int flags)
{
	int rc = secondary_ops->sb_umount(mnt, flags);

	return rc ? rc : superblock_has_perm(current, mnt->mnt_sb,
					     FILESYSTEM__UNMOUNT, NULL);
}
2001
2002 /* inode security operations */
2003
/* inode_alloc_security hook: attach the SELinux inode blob. */
static int selinux_inode_alloc_security(struct inode *inode)
{
	int rc = inode_alloc_security(inode);

	return rc;
}
2008
/* inode_free_security hook: release the SELinux inode blob. */
static void selinux_inode_free_security(struct inode *inode)
{
	inode_free_security(inode);
}
2013
/* inode_create hook: creating a regular file is checked as creating an
 * object of the file class in dir. mask is unused. */
static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
{
	u16 tclass = SECCLASS_FILE;

	return may_create(dir, dentry, tclass);
}
2018
/* inode_post_create hook: label the new regular file. mask is unused. */
static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask)
{
	post_create(dir, dentry);
}
2023
/* inode_link hook: after the secondary module, check the hard link as a
 * MAY_LINK operation on old_dentry within dir. */
static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
{
	int rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);

	return rc ? rc : may_link(dir, old_dentry, MAY_LINK);
}
2033
/* inode_post_link hook: nothing to do, a hard link shares the existing
   inode and therefore its existing label. */
static void selinux_inode_post_link(struct dentry *old_dentry, struct inode *inode, struct dentry *new_dentry)
{
	return;
}
2038
/* inode_unlink hook: after the secondary module, check removal of the
 * name as a MAY_UNLINK operation on dentry within dir. */
static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
{
	int rc = secondary_ops->inode_unlink(dir, dentry);

	return rc ? rc : may_link(dir, dentry, MAY_UNLINK);
}
2048
/* inode_symlink hook: creating a symlink is checked as creating an
 * object of the lnk_file class in dir. The target name is not checked. */
static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
{
	u16 tclass = SECCLASS_LNK_FILE;

	return may_create(dir, dentry, tclass);
}
2053
/* inode_post_symlink hook: label the new symlink. name is unused. */
static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name)
{
	post_create(dir, dentry);
}
2058
/* inode_mkdir hook: creating a directory is checked as creating an
 * object of the dir class in dir. mask is unused. */
static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
{
	u16 tclass = SECCLASS_DIR;

	return may_create(dir, dentry, tclass);
}
2063
/* inode_post_mkdir hook: label the new directory. mask is unused. */
static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask)
{
	post_create(dir, dentry);
}
2068
/* inode_rmdir hook: removing a directory is checked as a MAY_RMDIR
 * operation on dentry within dir. */
static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
{
	int kind = MAY_RMDIR;

	return may_link(dir, dentry, kind);
}
2073
/* inode_mknod hook: after the secondary module, the new node is checked
 * as creating an object whose class is derived from the requested mode
 * (character device, block device, fifo, socket, ...). */
static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
{
	int rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);

	if (rc)
		return rc;

	return may_create(dir, dentry, inode_mode_to_security_class(mode));
}
2084
/* inode_post_mknod hook: label the new node. mode and dev are unused. */
static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
{
	post_create(dir, dentry);
}
2089
/* inode_rename hook: all checks (remove_name/add_name on the two parent
 * directories, rename/reparent on the object, unlink/rmdir on a replaced
 * target) live in may_rename. */
static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
                                struct inode *new_inode, struct dentry *new_dentry)
{
	int rc = may_rename(old_inode, old_dentry, new_inode, new_dentry);

	return rc;
}
2095
/* inode_post_rename hook: nothing to do, the renamed object keeps the
   label it already carries. */
static void selinux_inode_post_rename(struct inode *old_inode, struct dentry *old_dentry,
                                      struct inode *new_inode, struct dentry *new_dentry)
{
	return;
}
2101
/* inode_readlink hook: reading a symlink's target is a read of the
 * link object itself. */
static int selinux_inode_readlink(struct dentry *dentry)
{
	u32 perm = FILE__READ;

	return dentry_has_perm(current, NULL, dentry, perm);
}
2106
/* inode_follow_link hook: after the secondary module, traversing a
 * symlink during lookup requires read on the link object. */
static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
{
	int rc = secondary_ops->inode_follow_link(dentry, nameidata);

	return rc ? rc : dentry_has_perm(current, NULL, dentry, FILE__READ);
}
2116
/* inode_permission hook: after the secondary module, translate the
 * MAY_* mask into a file or dir access vector and check it on the inode.
 * A zero mask is an existence test and is always allowed. */
static int selinux_inode_permission(struct inode *inode, int mask,
				    struct nameidata *nd)
{
	int rc = secondary_ops->inode_permission(inode, mask, nd);

	if (rc)
		return rc;

	/* No permission to check. Existence test. */
	if (mask == 0)
		return 0;

	return inode_has_perm(current, inode,
			      file_mask_to_av(inode->i_mode, mask), NULL);
}
2134
/* inode_setattr hook. Requests carrying ATTR_FORCE are not checked.
 * Changes to mode, ownership or explicitly set timestamps need
 * file:setattr; any other attribute change (e.g. size) is checked as a
 * write. */
static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
{
	const unsigned int setattr_bits = ATTR_MODE | ATTR_UID | ATTR_GID |
					  ATTR_ATIME_SET | ATTR_MTIME_SET;
	u32 perm;
	int rc = secondary_ops->inode_setattr(dentry, iattr);

	if (rc)
		return rc;

	if (iattr->ia_valid & ATTR_FORCE)
		return 0;

	perm = (iattr->ia_valid & setattr_bits) ? FILE__SETATTR : FILE__WRITE;

	return dentry_has_perm(current, NULL, dentry, perm);
}
2152
/* inode_getattr hook: stat-like queries need file:getattr; the mount is
 * passed through for the audit record. */
static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
{
	u32 perm = FILE__GETATTR;

	return dentry_has_perm(current, mnt, dentry, perm);
}
2157
/*
 * inode_setxattr hook.
 *
 * Attributes other than the SELinux label: anything else in the
 * security.* namespace is reserved to CAP_SYS_ADMIN, and every
 * unrecognised attribute is checked as an ordinary file:setattr.
 *
 * The SELinux label itself (a relabel) is refused on mountpoint-labeled
 * filesystems and, by DAC, to anyone but the owner or CAP_FOWNER. It
 * then needs, in order: relabelfrom on the current label, a context that
 * is valid under the loaded policy, relabelto on the new label, and
 * filesystem:associate so the new label may live on this filesystem.
 */
static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
{
	struct task_security_struct *tsec = current->security;
	struct inode *inode = dentry->d_inode;
	struct inode_security_struct *isec = inode->i_security;
	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
	struct avc_audit_data ad;
	u32 newsid;
	int rc;

	if (strcmp(name, XATTR_NAME_SELINUX) != 0) {
		/* A different attribute in the security namespace.
		   Restrict to administrator. */
		if (!strncmp(name, XATTR_SECURITY_PREFIX,
			     sizeof XATTR_SECURITY_PREFIX - 1) &&
		    !capable(CAP_SYS_ADMIN))
			return -EPERM;

		/* Not an attribute we recognize, so just check the
		   ordinary setattr permission. */
		return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
	}

	if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
		return -EOPNOTSUPP;

	if (current->fsuid != inode->i_uid && !capable(CAP_FOWNER))
		return -EPERM;

	AVC_AUDIT_DATA_INIT(&ad, FS);
	ad.u.fs.dentry = dentry;

	rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
			  FILE__RELABELFROM, &ad);
	if (rc)
		return rc;

	rc = security_context_to_sid(value, size, &newsid);
	if (rc)
		return rc;

	rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
			  FILE__RELABELTO, &ad);
	if (rc)
		return rc;

	return avc_has_perm(newsid, sbsec->sid, SECCLASS_FILESYSTEM,
			    FILESYSTEM__ASSOCIATE, &ad);
}
2212
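/*
 * inode_post_setxattr hook: once the SELinux xattr has been written,
 * update the in-core SID to match. Other attributes are ignored.
 *
 * value is a caller-supplied buffer of exactly size bytes and need not
 * be NUL-terminated, so the warning bounds the context with "%.*s"
 * instead of a bare "%s" that would read past the end of the buffer.
 * In normal operation the context was already validated by
 * selinux_inode_setxattr, so the failure branch is not expected.
 */
static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
                                        void *value, size_t size, int flags)
{
	struct inode *inode = dentry->d_inode;
	struct inode_security_struct *isec = inode->i_security;
	u32 newsid;
	int rc;

	if (strcmp(name, XATTR_NAME_SELINUX)) {
		/* Not an attribute we recognize, so nothing to do. */
		return;
	}

	rc = security_context_to_sid(value, size, &newsid);
	if (rc) {
		printk(KERN_WARNING "%s: unable to obtain SID for context "
		       "%.*s, rc=%d\n", __FUNCTION__, (int)size, (char*)value, -rc);
		return;
	}

	isec->sid = newsid;
	return;
}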
2236
/* inode_getxattr hook: on mountpoint-labeled filesystems there are no
 * per-inode attributes to read (note this applies to every attribute
 * name, not only the SELinux one); otherwise reading any xattr needs
 * file:getattr. */
static int selinux_inode_getxattr (struct dentry *dentry, char *name)
{
	struct superblock_security_struct *sbsec =
		dentry->d_inode->i_sb->s_security;

	if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
		return -EOPNOTSUPP;

	return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
}
2247
/* inode_listxattr hook: listing attribute names is treated as getattr. */
static int selinux_inode_listxattr (struct dentry *dentry)
{
	u32 perm = FILE__GETATTR;

	return dentry_has_perm(current, NULL, dentry, perm);
}
2252
/* inode_removexattr hook. The SELinux label can never be removed (it may
 * only be changed, since all data must stay labeled). Other security.*
 * attributes are reserved to CAP_SYS_ADMIN, and any other attribute is
 * checked as file:setattr. */
static int selinux_inode_removexattr (struct dentry *dentry, char *name)
{
	if (strcmp(name, XATTR_NAME_SELINUX) == 0) {
		/* No one is allowed to remove a SELinux security label.
		   You can change the label, but all data must be labeled. */
		return -EACCES;
	}

	/* A different attribute in the security namespace.
	   Restrict to administrator. */
	if (!strncmp(name, XATTR_SECURITY_PREFIX,
		     sizeof XATTR_SECURITY_PREFIX - 1) &&
	    !capable(CAP_SYS_ADMIN))
		return -EPERM;

	/* Not an attribute we recognize, so just check the
	   ordinary setattr permission. Might want a separate
	   permission for removexattr. */
	return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
}
2274
/* inode_getsecurity hook: return the inode's context string for the
 * "selinux" suffix. A NULL or zero-sized buffer is a size query and
 * returns the length; a buffer smaller than the context gives -ERANGE;
 * otherwise the context is copied and its length returned. Other names
 * are -EOPNOTSUPP. */
static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size)
{
	struct inode_security_struct *isec = inode->i_security;
	char *context;
	unsigned len;
	int rc;

	/* Permission check handled by selinux_inode_getxattr hook.*/

	if (strcmp(name, XATTR_SELINUX_SUFFIX) != 0)
		return -EOPNOTSUPP;

	rc = security_sid_to_context(isec->sid, &context, &len);
	if (rc)
		return rc;

	if (buffer && size) {
		if (size < len) {
			rc = -ERANGE;
		} else {
			memcpy(buffer, context, len);
			rc = len;
		}
	} else {
		rc = len;
	}

	kfree(context);
	return rc;
}
2303
/* inode_setsecurity hook: set the in-core SID from a context string for
 * the "selinux" suffix. An empty value is refused with -EACCES; a
 * context unknown to policy returns the lookup error and leaves the SID
 * untouched. Other names are -EOPNOTSUPP. */
static int selinux_inode_setsecurity(struct inode *inode, const char *name,
				     const void *value, size_t size, int flags)
{
	struct inode_security_struct *isec = inode->i_security;
	u32 newsid;
	int rc;

	if (strcmp(name, XATTR_SELINUX_SUFFIX) != 0)
		return -EOPNOTSUPP;

	if (value == NULL || size == 0)
		return -EACCES;

	rc = security_context_to_sid((void*)value, size, &newsid);
	if (rc == 0)
		isec->sid = newsid;

	return rc;
}
2324
/* inode_listsecurity hook: report the one attribute name SELinux owns.
 * Always returns the name's length including its NUL; the name is copied
 * only when a buffer large enough is supplied. */
static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
{
	const int len = sizeof(XATTR_NAME_SELINUX);

	if (buffer == NULL || buffer_size < len)
		return len;

	memcpy(buffer, XATTR_NAME_SELINUX, len);
	return len;
}
2332
2333 /* file security operations */
2334
/* file_permission hook: re-check an already open file for the requested
 * MAY_* access. A zero mask is an existence test and always passes. A
 * write on an O_APPEND file is checked as append, since file_mask_to_av
 * does not add FILE__WRITE once MAY_APPEND is set. */
static int selinux_file_permission(struct file *file, int mask)
{
	int effective_mask = mask;

	if (effective_mask == 0)
		return 0;

	if ((file->f_flags & O_APPEND) && (effective_mask & MAY_WRITE))
		effective_mask |= MAY_APPEND;

	return file_has_perm(current, file,
			     file_mask_to_av(file->f_dentry->d_inode->i_mode,
					     effective_mask));
}
2351
/* file_alloc_security hook: attach the SELinux open-file blob. */
static int selinux_file_alloc_security(struct file *file)
{
	int rc = file_alloc_security(file);

	return rc;
}
2356
/* file_free_security hook: release the SELinux open-file blob. */
static void selinux_file_free_security(struct file *file)
{
	file_free_security(file);
}
2361
/* file_ioctl hook: map the ioctl command onto a file permission and
 * check it on the open file. Metadata queries are getattr, metadata
 * changes are setattr, the two commands sys_ioctl() handles itself only
 * require a usable descriptor (empty vector), the keyboard-table updates
 * are a system-wide CAP_SYS_TTY_CONFIG check, and anything else is the
 * generic file:ioctl permission (the command is assumed to reach the
 * file's own ioctl method). */
static int selinux_file_ioctl(struct file *file, unsigned int cmd,
			      unsigned long arg)
{
	u32 av;

	switch (cmd) {
	case FIONREAD:
	case FIBMAP:
	case FIGETBSZ:
	case EXT2_IOC_GETFLAGS:
	case EXT2_IOC_GETVERSION:
		av = FILE__GETATTR;
		break;

	case EXT2_IOC_SETFLAGS:
	case EXT2_IOC_SETVERSION:
		av = FILE__SETATTR;
		break;

	/* sys_ioctl() checks */
	case FIONBIO:
	case FIOASYNC:
		av = 0;
		break;

	case KDSKBENT:
	case KDSKBSENT:
		return task_has_capability(current, CAP_SYS_TTY_CONFIG);

	/* default case assumes that the command will go
	 * to the file's ioctl() function.
	 */
	default:
		av = FILE__IOCTL;
		break;
	}

	return file_has_perm(current, file, av);
}
2407
/*
 * Check the permissions needed to map memory with protection 'prot'.
 *
 * 'file' is NULL for anonymous mappings. Making executable either an
 * anonymous mapping or a private, writable file mapping additionally
 * requires PROCESS__EXECMEM on the task itself. For file mappings, read
 * permission is always required, write only when the mapping is shared
 * (private writes never reach the file), and execute when PROT_EXEC is set.
 * Returns 0 when allowed, otherwise the error from the failed check.
 */
static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
{
	int needs_execmem = !file || (!shared && (prot & PROT_WRITE));
	u32 av;

	if ((prot & PROT_EXEC) && needs_execmem) {
		int rc = task_has_perm(current, current, PROCESS__EXECMEM);
		if (rc)
			return rc;
	}

	if (!file)
		return 0;

	av = FILE__READ;
	if (shared && (prot & PROT_WRITE))
		av |= FILE__WRITE;
	if (prot & PROT_EXEC)
		av |= FILE__EXECUTE;

	return file_has_perm(current, file, av);
}
2436
/*
 * mmap hook: defer to the secondary module first, then apply the SELinux
 * mapping checks. The mapping counts as shared when MAP_TYPE is MAP_SHARED.
 */
static int selinux_file_mmap(struct file *file, unsigned long prot, unsigned long flags)
{
	int shared = ((flags & MAP_TYPE) == MAP_SHARED);
	int rc = secondary_ops->file_mmap(file, prot, flags);

	if (rc)
		return rc;
	return file_map_prot_check(file, prot, shared);
}
2448
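/*
 * mprotect hook: defer to the secondary module, then apply the SELinux
 * mapping checks for the new protection.
 *
 * A file mapping that has an anon_vma attached has been copied-on-write,
 * so its pages may no longer match the file; making such a mapping
 * executable requires FILE__EXECMOD on the backing file in addition to
 * the usual checks. This typically only happens for text relocations.
 */
static int selinux_file_mprotect(struct vm_area_struct *vma,
				 unsigned long prot)
{
	int rc;

	rc = secondary_ops->file_mprotect(vma, prot);
	if (rc)
		return rc;

	if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
		/* reuse the outer rc rather than shadowing it in this scope */
		rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
		if (rc)
			return rc;
	}

	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags & VM_SHARED);
}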
2472
/* flock()/lockf() hook: every lock command needs FILE__LOCK on the file. */
static int selinux_file_lock(struct file *file, unsigned int cmd)
{
	int err = file_has_perm(current, file, FILE__LOCK);
	return err;
}
2477
/*
 * fcntl() hook.
 *
 * F_SETFL that clears O_APPEND turns an append-only descriptor into a
 * plainly writable one, so it needs FILE__WRITE; other F_SETFL changes and
 * the owner/signal/flag queries only need the descriptor (permission 0 =
 * FD__USE inside file_has_perm()). Lock commands need FILE__LOCK. Commands
 * that touch the inode refuse a descriptor with no dentry/inode. Any other
 * command is not mediated here.
 */
static int selinux_file_fcntl(struct file *file, unsigned int cmd,
			      unsigned long arg)
{
	int err = 0;

	switch (cmd) {
	case F_SETFL:
		if (!file->f_dentry || !file->f_dentry->d_inode)
			return -EINVAL;
		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND))
			return file_has_perm(current, file, FILE__WRITE);
		/* fall through */
	case F_SETOWN:
	case F_SETSIG:
	case F_GETFL:
	case F_GETOWN:
	case F_GETSIG:
		err = file_has_perm(current, file, 0);
		break;
	case F_GETLK:
	case F_SETLK:
	case F_SETLKW:
#if BITS_PER_LONG == 32
	case F_GETLK64:
	case F_SETLK64:
	case F_SETLKW64:
#endif
		if (!file->f_dentry || !file->f_dentry->d_inode)
			return -EINVAL;
		err = file_has_perm(current, file, FILE__LOCK);
		break;
	default:
		break;
	}

	return err;
}
2521
/*
 * Record the SID of the task that becomes the file's owner. The stored
 * fown_sid is later used as the subject when the file sends SIGIO/SIGURG
 * (see selinux_file_send_sigiotask). Always succeeds.
 */
static int selinux_file_set_fowner(struct file *file)
{
	struct task_security_struct *owner_tsec = current->security;
	struct file_security_struct *fsec = file->f_security;

	fsec->fown_sid = owner_tsec->sid;
	return 0;
}
2533
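/*
 * Mediate a signal sent by a file to its owner task (SIGIO and friends).
 *
 * The subject is the SID recorded by selinux_file_set_fowner(), the object
 * is the task being signalled, and the permission is the one mapped from
 * the signal number (signum 0 stands for SIGIO, as in send_sigio_to_task).
 * Returns 0 when allowed, otherwise the AVC error.
 */
static int selinux_file_send_sigiotask(struct task_struct *tsk,
				       struct fown_struct *fown, int signum)
{
	struct file *file;
	u32 perm;
	struct task_security_struct *tsec;
	struct file_security_struct *fsec;

	/* A fown_struct only ever lives embedded in a struct file, so the
	 * owning file is recovered with container_of() instead of open-coded
	 * offsetof() pointer arithmetic. */
	file = container_of(fown, struct file, f_owner);

	tsec = tsk->security;
	fsec = file->f_security;

	perm = signal_to_av(signum ? signum : SIGIO);

	return avc_has_perm(fsec->fown_sid, tsec->sid,
			    SECCLASS_PROCESS, perm, NULL);
}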
2556
/*
 * Receiving a descriptor (e.g. over a Unix socket) is checked as if the
 * receiver had opened the file with its current access mode.
 */
static int selinux_file_receive(struct file *file)
{
	u32 av = file_to_av(file);
	return file_has_perm(current, file, av);
}
2561
2562 /* task security operations */
2563
/* fork/clone hook: secondary module first, then PROCESS__FORK on self. */
static int selinux_task_create(unsigned long clone_flags)
{
	int rc = secondary_ops->task_create(clone_flags);

	if (rc)
		return rc;
	return task_has_perm(current, current, PROCESS__FORK);
}
2574
/*
 * Allocate the SELinux state of a new task and seed it from the parent
 * (current): the current and original SIDs, the exec and create SIDs, and
 * the ptracer SID all carry across fork. The ptracer SID is reset by the
 * ptrace hook on any later ptrace_attach. Returns 0 or the allocation error.
 */
static int selinux_task_alloc_security(struct task_struct *tsk)
{
	struct task_security_struct *parent = current->security;
	struct task_security_struct *child;
	int rc;

	rc = task_alloc_security(tsk);
	if (rc)
		return rc;
	child = tsk->security;

	child->osid = parent->osid;
	child->sid = parent->sid;
	child->exec_sid = parent->exec_sid;
	child->create_sid = parent->create_sid;
	child->ptrace_sid = parent->ptrace_sid;

	return 0;
}
2601
/* Release the per-task state allocated by selinux_task_alloc_security(). */
static void selinux_task_free_security(struct task_struct *tsk)
{
	task_free_security(tsk);
	return;
}
2606
/*
 * setuid is not mediated: it only affects the current process and SELinux
 * decisions are not based on Linux identity attributes. The CAP_SETUID and
 * CAP_SETGID capabilities it may need are controlled by the capable hook.
 */
static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
{
	int rc = 0;
	return rc;
}
2617
/* Post-setuid processing is left entirely to the secondary module. */
static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
{
	int rc = secondary_ops->task_post_setuid(id0, id1, id2, flags);
	return rc;
}
2622
/* Not mediated, for the same reasons as selinux_task_setuid(). */
static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
{
	int rc = 0;
	return rc;
}
2628
/* Changing another task's process group needs PROCESS__SETPGID on it. */
static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
{
	int rc = task_has_perm(current, p, PROCESS__SETPGID);
	return rc;
}
2633
/* Reading another task's process group needs PROCESS__GETPGID on it. */
static int selinux_task_getpgid(struct task_struct *p)
{
	int rc = task_has_perm(current, p, PROCESS__GETPGID);
	return rc;
}
2638
/* Reading another task's session id needs PROCESS__GETSESSION on it. */
static int selinux_task_getsid(struct task_struct *p)
{
	int rc = task_has_perm(current, p, PROCESS__GETSESSION);
	return rc;
}
2643
/* Not mediated, for the same reasons as selinux_task_setuid(). */
static int selinux_task_setgroups(struct group_info *group_info)
{
	int rc = 0;
	return rc;
}
2649
/*
 * nice() hook: secondary module first, then PROCESS__SETSCHED on the
 * target task (priority changes are treated as scheduler changes).
 */
static int selinux_task_setnice(struct task_struct *p, int nice)
{
	int rc = secondary_ops->task_setnice(p, nice);

	if (rc)
		return rc;
	return task_has_perm(current, p, PROCESS__SETSCHED);
}
2660
/*
 * setrlimit hook: secondary module first, then PROCESS__SETRLIMIT on self
 * whenever the hard limit would change (raised or lowered). Soft-limit-only
 * changes are not mediated. The hard limit is guarded because it serves as
 * a safe reset point for the soft limit on context transitions (see
 * selinux_bprm_apply_creds).
 */
static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
{
	struct rlimit *old_rlim = current->signal->rlim + resource;
	int rc = secondary_ops->task_setrlimit(resource, new_rlim);

	if (rc)
		return rc;

	if (old_rlim->rlim_max == new_rlim->rlim_max)
		return 0;

	return task_has_perm(current, current, PROCESS__SETRLIMIT);
}
2679
/* Changing another task's scheduling policy needs PROCESS__SETSCHED on it. */
static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
{
	int rc = task_has_perm(current, p, PROCESS__SETSCHED);
	return rc;
}
2684
/* Reading another task's scheduling policy needs PROCESS__GETSCHED on it. */
static int selinux_task_getscheduler(struct task_struct *p)
{
	int rc = task_has_perm(current, p, PROCESS__GETSCHED);
	return rc;
}
2689
/*
 * kill()/signal hook.
 *
 * The secondary module is consulted first. Signals originating inside the
 * kernel are not mediated: 'info' is then either one of the sentinel
 * pointer values 1 and 2 used by kernel-internal senders, or a siginfo
 * marked SI_FROMKERNEL. Signal 0 is an existence test and maps to
 * PROCESS__SIGNULL; any other signal maps through signal_to_av().
 */
static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
{
	unsigned long info_val = (unsigned long)info;
	u32 perm;
	int rc;

	rc = secondary_ops->task_kill(p, info, sig);
	if (rc)
		return rc;

	if (info && (info_val == 1 || info_val == 2 || SI_FROMKERNEL(info)))
		return 0;

	perm = sig ? signal_to_av(sig) : PROCESS__SIGNULL;
	return task_has_perm(current, p, perm);
}
2710
/*
 * prctl() is not mediated: the options available here only observe or
 * modify the calling process's own state.
 */
static int selinux_task_prctl(int option,
			      unsigned long arg2,
			      unsigned long arg3,
			      unsigned long arg4,
			      unsigned long arg5)
{
	int rc = 0;
	return rc;
}
2722
/*
 * wait() hook: the exiting child 'p' is treated as sending its exit signal
 * to the waiting parent, so the check is child -> current with the
 * permission mapped from p->exit_signal.
 */
static int selinux_task_wait(struct task_struct *p)
{
	u32 exit_perm = signal_to_av(p->exit_signal);
	return task_has_perm(p, current, exit_perm);
}
2731
/*
 * When a task is turned into a kernel thread and reparented to init, it is
 * relabelled to the kernel SID; the previous SID is kept in osid.
 * The secondary module is notified first.
 */
static void selinux_task_reparent_to_init(struct task_struct *p)
{
	struct task_security_struct *tsec;

	secondary_ops->task_reparent_to_init(p);

	tsec = p->security;
	tsec->osid = tsec->sid;
	tsec->sid = SECINITSID_KERNEL;
}
2743
/*
 * Label a (procfs) inode that represents task 'p' with the task's SID and
 * mark the inode's security struct as initialized.
 */
static void selinux_task_to_inode(struct task_struct *p,
				  struct inode *inode)
{
	struct inode_security_struct *isec = inode->i_security;
	struct task_security_struct *tsec = p->security;

	isec->initialized = 1;
	isec->sid = tsec->sid;
}
2754
2755 #ifdef CONFIG_SECURITY_NETWORK
2756
/*
 * Fill the audit data with the IPv4 source/destination addresses of 'skb'
 * and, for TCP/UDP, the source/destination ports.
 *
 * Returns -EINVAL only when the IP header cannot be read or its length
 * field is shorter than the fixed header; a missing transport header (or a
 * non-first fragment, which carries no ports) leaves the ports unset and
 * still returns 0.
 */
static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
{
	struct iphdr _iph, *ih;
	int offset = skb->nh.raw - skb->data;
	int ihlen;

	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
	if (ih == NULL)
		return -EINVAL;

	ihlen = ih->ihl * 4;
	if (ihlen < sizeof(_iph))
		return -EINVAL;

	ad->u.net.v4info.saddr = ih->saddr;
	ad->u.net.v4info.daddr = ih->daddr;

	/* only the first fragment carries the transport header */
	if (ntohs(ih->frag_off) & IP_OFFSET)
		return 0;

	offset += ihlen;
	if (ih->protocol == IPPROTO_TCP) {
		struct tcphdr _tcph, *th;

		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
		if (th != NULL) {
			ad->u.net.sport = th->source;
			ad->u.net.dport = th->dest;
		}
	} else if (ih->protocol == IPPROTO_UDP) {
		struct udphdr _udph, *uh;

		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
		if (uh != NULL) {
			ad->u.net.sport = uh->source;
			ad->u.net.dport = uh->dest;
		}
	}

	return 0;
}
2815
2816 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2817
/*
 * Fill the audit data with the IPv6 source/destination addresses of 'skb'
 * and, for TCP/UDP, the source/destination ports.
 *
 * Returns -EINVAL only when the IPv6 header cannot be read. Extension
 * headers are skipped with ipv6_skip_exthdr(); if that fails, or the
 * transport header cannot be read, or the next header is anything other
 * than TCP/UDP (fragments included), the ports are left unset and 0 is
 * still returned.
 */
static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
{
	struct ipv6hdr _ipv6h, *ip6;
	int offset = skb->nh.raw - skb->data;
	u8 nexthdr;

	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
	if (ip6 == NULL)
		return -EINVAL;

	ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
	ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);

	nexthdr = ip6->nexthdr;
	offset += sizeof(_ipv6h);
	offset = ipv6_skip_exthdr(skb, offset, &nexthdr,
				  skb->tail - skb->head - offset);
	if (offset < 0)
		return 0;

	if (nexthdr == IPPROTO_TCP) {
		struct tcphdr _tcph, *th;

		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
		if (th != NULL) {
			ad->u.net.sport = th->source;
			ad->u.net.dport = th->dest;
		}
	} else if (nexthdr == IPPROTO_UDP) {
		struct udphdr _udph, *uh;

		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
		if (uh != NULL) {
			ad->u.net.sport = uh->source;
			ad->u.net.dport = uh->dest;
		}
	}

	return 0;
}
2873
2874 #endif /* IPV6 */
2875
/*
 * Parse the network headers of 'skb' according to ad->u.net.family.
 *
 * On success, and when 'addrp' is non-NULL, *addrp points at the source
 * (src != 0) or destination address stored inside 'ad' and *len is its
 * size in bytes (4 for IPv4, 16 for IPv6). Unknown families are ignored
 * and return 0 without touching the out-parameters.
 */
static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
			     char **addrp, int *len, int src)
{
	int ret;

	switch (ad->u.net.family) {
	case PF_INET:
		ret = selinux_parse_skb_ipv4(skb, ad);
		if (ret == 0 && addrp) {
			*len = 4;
			*addrp = (char *)(src ? &ad->u.net.v4info.saddr
					    : &ad->u.net.v4info.daddr);
		}
		return ret;

#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
	case PF_INET6:
		ret = selinux_parse_skb_ipv6(skb, ad);
		if (ret == 0 && addrp) {
			*len = 16;
			*addrp = (char *)(src ? &ad->u.net.v6info.saddr
					    : &ad->u.net.v6info.daddr);
		}
		return ret;
#endif /* IPV6 */

	default:
		return 0;
	}
}
2907
2908 /* socket security operations */
/*
 * Check 'perms' for 'task' on the socket's own security class.
 *
 * Sockets labelled with the kernel SID (created with kern set, see
 * selinux_socket_post_create) are never mediated. The audit record names
 * the underlying struct sock.
 */
static int socket_has_perm(struct task_struct *task, struct socket *sock,
			   u32 perms)
{
	struct task_security_struct *tsec = task->security;
	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
	struct avc_audit_data ad;

	if (isec->sid == SECINITSID_KERNEL)
		return 0;

	AVC_AUDIT_DATA_INIT(&ad, NET);
	ad.u.net.sk = sock->sk;
	return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
}
2930
/*
 * socket() hook: kernel-internal sockets ('kern' set) are allowed without
 * a check; otherwise the task needs SOCKET__CREATE on its own SID in the
 * security class derived from (family, type, protocol).
 */
static int selinux_socket_create(int family, int type,
				 int protocol, int kern)
{
	struct task_security_struct *tsec;
	u16 sclass;

	if (kern)
		return 0;

	tsec = current->security;
	sclass = socket_type_to_security_class(family, type, protocol);
	return avc_has_perm(tsec->sid, tsec->sid, sclass, SOCKET__CREATE, NULL);
}
2948
/*
 * Label a freshly created socket: initialize its inode security struct,
 * set the security class from (family, type, protocol) and the SID to the
 * kernel SID for kernel-internal sockets or the creating task's SID
 * otherwise. If inode_doinit() fails the socket is left unlabelled.
 */
static void selinux_socket_post_create(struct socket *sock, int family,
				       int type, int protocol, int kern)
{
	struct inode_security_struct *isec;
	struct task_security_struct *tsec = current->security;

	if (inode_doinit(SOCK_INODE(sock)) < 0)
		return;

	isec = SOCK_INODE(sock)->i_security;
	isec->sclass = socket_type_to_security_class(family, type, protocol);
	if (kern)
		isec->sid = SECINITSID_KERNEL;
	else
		isec->sid = tsec->sid;
}
2967
2968 /* Range of port numbers used to automatically bind.
2969 Need to determine whether we should perform a name_bind
2970 permission check between the socket and the port number. */
2971 #define ip_local_port_range_0 sysctl_local_port_range[0]
2972 #define ip_local_port_range_1 sysctl_local_port_range[1]
2973
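/*
 * bind() hook.
 *
 * Every socket needs SOCKET__BIND. For PF_INET/PF_INET6 sockets two more
 * checks follow: name_bind against the port's SID when an explicit port is
 * requested outside the automatic range (and below it only above the
 * reserved ports), and a protocol-specific node_bind against the SID of
 * the address being bound. 'address'/'addrlen' come from the caller's
 * copy of the user-supplied sockaddr; the length is validated before any
 * field is read, mirroring the checks inet_bind()/inet6_bind() make.
 * Returns 0 when allowed, otherwise -errno.
 */
static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
{
	u16 family;
	int err;

	err = socket_has_perm(current, sock, SOCKET__BIND);
	if (err)
		goto out;

	family = sock->sk->sk_family;
	if (family == PF_INET || family == PF_INET6) {
		char *addrp;
		struct inode_security_struct *isec;
		struct avc_audit_data ad;
		struct sockaddr_in *addr4 = NULL;
		struct sockaddr_in6 *addr6 = NULL;
		unsigned short snum;
		struct sock *sk = sock->sk;
		u32 sid, node_perm, addr_len;	/* addr_len: do not shadow the addrlen parameter */

		isec = SOCK_INODE(sock)->i_security;

		/*
		 * addrlen is signed: compare as int so a negative value is
		 * not converted to a large unsigned one and accepted.
		 */
		if (family == PF_INET) {
			if (addrlen < (int)sizeof(struct sockaddr_in)) {
				err = -EINVAL;
				goto out;
			}
			addr4 = (struct sockaddr_in *)address;
			snum = ntohs(addr4->sin_port);
			addr_len = sizeof(addr4->sin_addr.s_addr);
			addrp = (char *)&addr4->sin_addr.s_addr;
		} else {
			/* sin6_port and sin6_addr lie within the RFC 2133 length */
			if (addrlen < SIN6_LEN_RFC2133) {
				err = -EINVAL;
				goto out;
			}
			addr6 = (struct sockaddr_in6 *)address;
			snum = ntohs(addr6->sin6_port);
			addr_len = sizeof(addr6->sin6_addr.s6_addr);
			addrp = (char *)&addr6->sin6_addr.s6_addr;
		}

		/* port 0 lets the stack choose; ports inside the automatic
		 * range are not name_bind-checked either */
		if (snum && (snum < max(PROT_SOCK, ip_local_port_range_0) ||
			     snum > ip_local_port_range_1)) {
			err = security_port_sid(sk->sk_family, sk->sk_type,
						sk->sk_protocol, snum, &sid);
			if (err)
				goto out;
			AVC_AUDIT_DATA_INIT(&ad, NET);
			ad.u.net.sport = htons(snum);
			ad.u.net.family = family;
			err = avc_has_perm(isec->sid, sid,
					   isec->sclass,
					   SOCKET__NAME_BIND, &ad);
			if (err)
				goto out;
		}

		switch (sk->sk_protocol) {
		case IPPROTO_TCP:
			node_perm = TCP_SOCKET__NODE_BIND;
			break;

		case IPPROTO_UDP:
			node_perm = UDP_SOCKET__NODE_BIND;
			break;

		default:
			node_perm = RAWIP_SOCKET__NODE_BIND;
			break;
		}

		err = security_node_sid(family, addrp, addr_len, &sid);
		if (err)
			goto out;

		AVC_AUDIT_DATA_INIT(&ad, NET);
		ad.u.net.sport = htons(snum);
		ad.u.net.family = family;

		if (family == PF_INET)
			ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
		else
			ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);

		err = avc_has_perm(isec->sid, sid,
				   isec->sclass, node_perm, &ad);
		if (err)
			goto out;
	}
out:
	return err;
}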
3064
/* connect() hook: SOCKET__CONNECT on the socket; the address is not inspected. */
static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
{
	int err = socket_has_perm(current, sock, SOCKET__CONNECT);
	return err;
}
3069
/* listen() hook: SOCKET__LISTEN on the socket. */
static int selinux_socket_listen(struct socket *sock, int backlog)
{
	int err = socket_has_perm(current, sock, SOCKET__LISTEN);
	return err;
}
3074
/*
 * accept() hook: SOCKET__ACCEPT on the listening socket, then label the
 * new socket's inode with the listening socket's class and SID.
 * Returns 0, the permission error, or the inode_doinit() error.
 */
static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
{
	struct inode_security_struct *listen_isec;
	struct inode_security_struct *new_isec;
	int err;

	err = socket_has_perm(current, sock, SOCKET__ACCEPT);
	if (err)
		return err;

	err = inode_doinit(SOCK_INODE(newsock));
	if (err < 0)
		return err;

	listen_isec = SOCK_INODE(sock)->i_security;
	new_isec = SOCK_INODE(newsock)->i_security;
	new_isec->sclass = listen_isec->sclass;
	new_isec->sid = listen_isec->sid;

	return 0;
}
3096
/* sendmsg() hook: SOCKET__WRITE on the socket. */
static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
				  int size)
{
	int err = socket_has_perm(current, sock, SOCKET__WRITE);
	return err;
}
3102
/* recvmsg() hook: SOCKET__READ on the socket. */
static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
				  int size, int flags)
{
	int err = socket_has_perm(current, sock, SOCKET__READ);
	return err;
}
3108
/* getsockname() hook: SOCKET__GETATTR on the socket. */
static int selinux_socket_getsockname(struct socket *sock)
{
	int err = socket_has_perm(current, sock, SOCKET__GETATTR);
	return err;
}
3113
/* getpeername() hook: SOCKET__GETATTR on the socket. */
static int selinux_socket_getpeername(struct socket *sock)
{
	int err = socket_has_perm(current, sock, SOCKET__GETATTR);
	return err;
}
3118
/* setsockopt() hook: SOCKET__SETOPT on the socket, regardless of option. */
static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
{
	int err = socket_has_perm(current, sock, SOCKET__SETOPT);
	return err;
}
3123
/* getsockopt() hook: SOCKET__GETOPT on the socket, regardless of option. */
static int selinux_socket_getsockopt(struct socket *sock, int level,
				     int optname)
{
	int err = socket_has_perm(current, sock, SOCKET__GETOPT);
	return err;
}
3129
/* shutdown() hook: SOCKET__SHUTDOWN on the socket. */
static int selinux_socket_shutdown(struct socket *sock, int how)
{
	int err = socket_has_perm(current, sock, SOCKET__SHUTDOWN);
	return err;
}
3134
/*
 * Unix stream connect hook.
 *
 * After the secondary module agrees, the connecting socket needs
 * UNIX_STREAM_SOCKET__CONNECTTO on the listening socket. On success each
 * end records the other's SID as its peer: the connecting sock gets the
 * listener's SID and the server-side child 'newsk' gets the connector's.
 * Those peer SIDs are what selinux_socket_getpeersec() reports.
 */
static int selinux_socket_unix_stream_connect(struct socket *sock,
					      struct socket *other,
					      struct sock *newsk)
{
	struct inode_security_struct *client_isec;
	struct inode_security_struct *server_isec;
	struct sk_security_struct *client_ssec;
	struct sk_security_struct *child_ssec;
	struct avc_audit_data ad;
	int err;

	err = secondary_ops->unix_stream_connect(sock, other, newsk);
	if (err)
		return err;

	client_isec = SOCK_INODE(sock)->i_security;
	server_isec = SOCK_INODE(other)->i_security;

	AVC_AUDIT_DATA_INIT(&ad, NET);
	ad.u.net.sk = other->sk;

	err = avc_has_perm(client_isec->sid, server_isec->sid,
			   client_isec->sclass,
			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
	if (err)
		return err;

	client_ssec = sock->sk->sk_security;
	child_ssec = newsk->sk_security;
	client_ssec->peer_sid = server_isec->sid;
	child_ssec->peer_sid = client_isec->sid;

	return 0;
}
3171
/*
 * Unix datagram send hook: the sending socket needs SOCKET__SENDTO on the
 * receiving socket. The audit record names the receiver's struct sock.
 */
static int selinux_socket_unix_may_send(struct socket *sock,
					struct socket *other)
{
	struct inode_security_struct *sender_isec = SOCK_INODE(sock)->i_security;
	struct inode_security_struct *receiver_isec = SOCK_INODE(other)->i_security;
	struct avc_audit_data ad;

	AVC_AUDIT_DATA_INIT(&ad, NET);
	ad.u.net.sk = other->sk;

	return avc_has_perm(sender_isec->sid, receiver_isec->sid,
			    sender_isec->sclass, SOCKET__SENDTO, &ad);
}
3193
/*
 * Inbound packet hook: decide whether a socket may receive 'skb'.
 *
 * Only PF_INET/PF_INET6 sockets are mediated. Three checks are made in
 * order, each using the socket's SID as subject: <class>_recv on the
 * receiving interface (SECCLASS_NETIF), <class>_recv on the source node
 * (SECCLASS_NODE), and for TCP/UDP sockets recv_msg on the SID of the
 * packet's source port. Returns 0 to accept, otherwise the first error;
 * an unlabelled socket or a packet with no device is accepted unchecked.
 */
static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
	u16 family;
	char *addrp;
	int len, err = 0;
	u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
	u32 sock_sid = 0;
	u16 sock_class = 0;
	struct socket *sock;
	struct net_device *dev;
	struct avc_audit_data ad;

	family = sk->sk_family;
	if (family != PF_INET && family != PF_INET6)
		goto out;

	/* Handle mapped IPv4 packets arriving via IPv6 sockets: the
	 * headers are parsed as IPv4 below. */
	if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
		family = PF_INET;

	/* sk_socket can be cleared concurrently (socket teardown); copy the
	 * label out under sk_callback_lock and release it before the
	 * permission checks, which may sleep. */
	read_lock_bh(&sk->sk_callback_lock);
	sock = sk->sk_socket;
	if (sock) {
		struct inode *inode;
		inode = SOCK_INODE(sock);
		if (inode) {
			struct inode_security_struct *isec;
			isec = inode->i_security;
			sock_sid = isec->sid;
			sock_class = isec->sclass;
		}
	}
	read_unlock_bh(&sk->sk_callback_lock);
	/* SID 0 means no socket/inode was attached: nothing to mediate */
	if (!sock_sid)
		goto out;

	dev = skb->dev;
	if (!dev)
		goto out;

	err = sel_netif_sids(dev, &if_sid, NULL);
	if (err)
		goto out;

	/* recv_perm stays 0 for raw IP sockets: no port-level check for them */
	switch (sock_class) {
	case SECCLASS_UDP_SOCKET:
		netif_perm = NETIF__UDP_RECV;
		node_perm = NODE__UDP_RECV;
		recv_perm = UDP_SOCKET__RECV_MSG;
		break;

	case SECCLASS_TCP_SOCKET:
		netif_perm = NETIF__TCP_RECV;
		node_perm = NODE__TCP_RECV;
		recv_perm = TCP_SOCKET__RECV_MSG;
		break;

	default:
		netif_perm = NETIF__RAWIP_RECV;
		node_perm = NODE__RAWIP_RECV;
		break;
	}

	AVC_AUDIT_DATA_INIT(&ad, NET);
	ad.u.net.netif = dev->name;
	ad.u.net.family = family;

	/* src=1: addrp/len describe the packet's source address */
	err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
	if (err)
		goto out;

	err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
	if (err)
		goto out;

	/* Fixme: this lookup is inefficient */
	err = security_node_sid(family, addrp, len, &node_sid);
	if (err)
		goto out;

	err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
	if (err)
		goto out;

	if (recv_perm) {
		u32 port_sid;

		/* Fixme: make this more efficient */
		/* ad.u.net.sport was filled by selinux_parse_skb (network order) */
		err = security_port_sid(sk->sk_family, sk->sk_type,
					sk->sk_protocol, ntohs(ad.u.net.sport),
					&port_sid);
		if (err)
			goto out;

		err = avc_has_perm(sock_sid, port_sid,
				   sock_class, recv_perm, &ad);
	}
out:
	return err;
}
3294
/*
 * Return the peer's security context string to user space.
 *
 * Only Unix stream sockets record a peer SID (set by
 * selinux_socket_unix_stream_connect); other classes get -ENOPROTOOPT.
 * The context length is written to *optlen even when the caller's buffer
 * ('len' bytes) is too small and -ERANGE is returned, so the caller can
 * retry with a larger buffer. Copy failures map to -EFAULT.
 */
static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
				     int __user *optlen, unsigned len)
{
	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
	struct sk_security_struct *ssec;
	char *scontext;
	u32 scontext_len;
	int err;

	if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET)
		return -ENOPROTOOPT;

	ssec = sock->sk->sk_security;
	err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
	if (err)
		return err;

	if (scontext_len > len)
		err = -ERANGE;
	else if (copy_to_user(optval, scontext, scontext_len))
		err = -EFAULT;

	if (put_user(scontext_len, optlen))
		err = -EFAULT;

	kfree(scontext);
	return err;
}
3332
/* Allocate the per-sock state (sk->sk_security, holds peer_sid). */
static int selinux_sk_alloc_security(struct sock *sk, int family, int priority)
{
	int err = sk_alloc_security(sk, family, priority);
	return err;
}
3337
/* Release the per-sock state allocated by selinux_sk_alloc_security(). */
static void selinux_sk_free_security(struct sock *sk)
{
	sk_free_security(sk);
	return;
}
3342
/*
 * Mediate a single netlink message by its type.
 *
 * The message type is mapped to a permission for the socket's class by
 * selinux_nlmsg_lookup(); types unknown to that table (-ENOENT) are not
 * mediated. A buffer shorter than a netlink header is rejected with
 * -EINVAL before the header is read.
 */
static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
{
	struct socket *sock = sk->sk_socket;
	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
	struct nlmsghdr *nlh;
	u32 perm;
	int err;

	if (skb->len < NLMSG_SPACE(0))
		return -EINVAL;
	nlh = (struct nlmsghdr *)skb->data;

	err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
	if (err == -ENOENT)
		return 0;
	if (err)
		return err;

	return socket_has_perm(current, sock, perm);
}
3369
3370 #ifdef CONFIG_NETFILTER
3371
/*
 * Netfilter POST_ROUTING hook: decide whether a locally generated packet
 * may be sent.
 *
 * 'family' is supplied by the per-family wrappers below. The packet's
 * socket SID is the subject for three checks: <class>_send on the outgoing
 * interface (SECCLASS_NETIF), <class>_send on the destination node
 * (SECCLASS_NODE), and for TCP/UDP sockets send_msg on the SID of the
 * destination port. Returns NF_ACCEPT, or NF_DROP when any check or lookup
 * fails. Packets without an attached socket/inode are accepted unchecked.
 */
static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
                                              struct sk_buff **pskb,
                                              const struct net_device *in,
                                              const struct net_device *out,
                                              int (*okfn)(struct sk_buff *),
                                              u16 family)
{
	char *addrp;
	int len, err = NF_ACCEPT;	/* err holds the netfilter verdict */
	u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
	struct sock *sk;
	struct socket *sock;
	struct inode *inode;
	struct sk_buff *skb = *pskb;
	struct inode_security_struct *isec;
	struct avc_audit_data ad;
	struct net_device *dev = (struct net_device *)out;	/* const dropped for sel_netif_sids() */

	sk = skb->sk;
	if (!sk)
		goto out;

	sock = sk->sk_socket;
	if (!sock)
		goto out;

	inode = SOCK_INODE(sock);
	if (!inode)
		goto out;

	/* NOTE(review): a non-zero -errno here is returned as the verdict
	 * rather than being mapped to NF_DROP like the later checks are;
	 * the lookups below convert their errors explicitly. */
	err = sel_netif_sids(dev, &if_sid, NULL);
	if (err)
		goto out;

	isec = inode->i_security;

	/* send_perm stays 0 for raw IP sockets: no port-level check for them */
	switch (isec->sclass) {
	case SECCLASS_UDP_SOCKET:
		netif_perm = NETIF__UDP_SEND;
		node_perm = NODE__UDP_SEND;
		send_perm = UDP_SOCKET__SEND_MSG;
		break;

	case SECCLASS_TCP_SOCKET:
		netif_perm = NETIF__TCP_SEND;
		node_perm = NODE__TCP_SEND;
		send_perm = TCP_SOCKET__SEND_MSG;
		break;

	default:
		netif_perm = NETIF__RAWIP_SEND;
		node_perm = NODE__RAWIP_SEND;
		break;
	}


	AVC_AUDIT_DATA_INIT(&ad, NET);
	ad.u.net.netif = dev->name;
	ad.u.net.family = family;

	/* src=0: addrp/len describe the packet's destination address */
	err = selinux_parse_skb(skb, &ad, &addrp,
				&len, 0) ? NF_DROP : NF_ACCEPT;
	if (err != NF_ACCEPT)
		goto out;

	err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
	                   netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
	if (err != NF_ACCEPT)
		goto out;

	/* Fixme: this lookup is inefficient */
	err = security_node_sid(family, addrp, len,
				&node_sid) ? NF_DROP : NF_ACCEPT;
	if (err != NF_ACCEPT)
		goto out;

	err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
	                   node_perm, &ad) ? NF_DROP : NF_ACCEPT;
	if (err != NF_ACCEPT)
		goto out;

	if (send_perm) {
		u32 port_sid;

		/* Fixme: make this more efficient */
		/* ad.u.net.dport was filled by selinux_parse_skb (network order) */
		err = security_port_sid(sk->sk_family,
		                        sk->sk_type,
		                        sk->sk_protocol,
		                        ntohs(ad.u.net.dport),
		                        &port_sid) ? NF_DROP : NF_ACCEPT;
		if (err != NF_ACCEPT)
			goto out;

		err = avc_has_perm(isec->sid, port_sid, isec->sclass,
		                   send_perm, &ad) ? NF_DROP : NF_ACCEPT;
	}

out:
	return err;
}
3472
/* IPv4 POST_ROUTING entry point: delegates with family PF_INET. */
static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
						struct sk_buff **pskb,
						const struct net_device *in,
						const struct net_device *out,
						int (*okfn)(struct sk_buff *))
{
	unsigned int verdict;

	verdict = selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
	return verdict;
}
3481
3482 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3483
/* IPv6 POST_ROUTING entry point: delegates with family PF_INET6. */
static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
						struct sk_buff **pskb,
						const struct net_device *in,
						const struct net_device *out,
						int (*okfn)(struct sk_buff *))
{
	unsigned int verdict;

	verdict = selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
	return verdict;
}
3492
3493 #endif /* IPV6 */
3494
3495 #endif /* CONFIG_NETFILTER */
3496
3497 #else
3498
/* Without CONFIG_SECURITY_NETWORK netlink messages are never mediated. */
static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
{
	int err = 0;
	return err;
}
3503
3504 #endif /* CONFIG_SECURITY_NETWORK */
3505
/*
 * Outbound netlink hook.
 *
 * After the secondary module agrees, the effective capabilities carried
 * in the skb's netlink control block are masked down to those the
 * sender's SID is allowed in SECCLASS_CAPABILITY (the decision is read
 * from avd, so the return value of the no-audit query is not needed).
 * Per-message-type checks are then applied only when the loaded policy is
 * new enough to define the netlink socket classes.
 */
static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
{
	struct task_security_struct *tsec;
	struct av_decision avd;
	int err;

	err = secondary_ops->netlink_send(sk, skb);
	if (err)
		return err;

	tsec = current->security;
	avd.allowed = 0;
	avc_has_perm_noaudit(tsec->sid, tsec->sid,
			     SECCLASS_CAPABILITY, ~0, &avd);
	cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);

	if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
		return 0;

	return selinux_nlmsg_perm(sk, skb);
}
3528
/*
 * Inbound netlink hook: the message must carry CAP_NET_ADMIN in its
 * (already masked, see selinux_netlink_send) effective capability set.
 */
static int selinux_netlink_recv(struct sk_buff *skb)
{
	int has_cap = cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN);
	return has_cap ? 0 : -EPERM;
}
3535
/*
 * Allocate and attach the SELinux state of a System V IPC object.
 *
 * The object is labelled with 'task's SID, or SECINITSID_UNLABELED when
 * the task has no security struct. 'sclass' is the IPC class (msgq, sem,
 * shm). Returns 0, or -ENOMEM if the allocation fails.
 */
static int ipc_alloc_security(struct task_struct *task,
			      struct kern_ipc_perm *perm,
			      u16 sclass)
{
	struct task_security_struct *tsec = task->security;
	struct ipc_security_struct *isec;

	isec = kmalloc(sizeof(*isec), GFP_KERNEL);
	if (isec == NULL)
		return -ENOMEM;
	memset(isec, 0, sizeof(*isec));

	isec->magic = SELINUX_MAGIC;	/* lets ipc_free_security recognise it */
	isec->sclass = sclass;
	isec->ipc_perm = perm;
	isec->sid = tsec ? tsec->sid : SECINITSID_UNLABELED;
	perm->security = isec;

	return 0;
}
3560
/*
 * Detach and free the SELinux state of an IPC object. Does nothing when
 * there is none or the magic does not match (state not owned by SELinux).
 */
static void ipc_free_security(struct kern_ipc_perm *perm)
{
	struct ipc_security_struct *isec = perm->security;

	if (isec == NULL)
		return;
	if (isec->magic != SELINUX_MAGIC)
		return;

	perm->security = NULL;
	kfree(isec);
}
3570
/*
 * Allocate and attach the SELinux state of a queued message. Messages
 * start out unlabelled (SECINITSID_UNLABELED). Returns 0 or -ENOMEM.
 */
static int msg_msg_alloc_security(struct msg_msg *msg)
{
	struct msg_security_struct *msec;

	msec = kmalloc(sizeof(*msec), GFP_KERNEL);
	if (msec == NULL)
		return -ENOMEM;
	memset(msec, 0, sizeof(*msec));

	msec->magic = SELINUX_MAGIC;	/* lets msg_msg_free_security recognise it */
	msec->msg = msg;
	msec->sid = SECINITSID_UNLABELED;
	msg->security = msec;

	return 0;
}
3587
/*
 * Detach and free the SELinux state of a queued message. Does nothing when
 * there is none or the magic does not match.
 */
static void msg_msg_free_security(struct msg_msg *msg)
{
	struct msg_security_struct *msec = msg->security;

	if (msec == NULL)
		return;
	if (msec->magic != SELINUX_MAGIC)
		return;

	msg->security = NULL;
	kfree(msec);
}
3597
/*
 * Check 'perms' for the current task on an IPC object in class 'sclass'.
 * The audit record carries the object's IPC key.
 */
static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
			u16 sclass, u32 perms)
{
	struct task_security_struct *tsec = current->security;
	struct ipc_security_struct *isec = ipc_perms->security;
	struct avc_audit_data ad;

	AVC_AUDIT_DATA_INIT(&ad, IPC);
	ad.u.ipc_id = ipc_perms->key;

	return avc_has_perm(tsec->sid, isec->sid, sclass, perms, &ad);
}
3613
/* LSM hook: give a new SysV message an (initially unlabeled) blob. */
static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
{
	int rc = msg_msg_alloc_security(msg);

	return rc;
}
3618
/* LSM hook: release the blob attached by selinux_msg_msg_alloc_security. */
static void selinux_msg_msg_free_security(struct msg_msg *msg)
{
	struct msg_msg *m = msg;

	msg_msg_free_security(m);
}
3623
3624 /* message queue security operations */
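/*
 * LSM hook: label a new message queue and check msgq:create.
 *
 * Returns 0 on success; on a denied create (or allocation failure) the
 * blob is released again and the error is propagated.
 */
static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
{
	int rc;

	/* The queue takes the creating task's SID. */
	rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
	if (rc)
		return rc;

	/* ipc_has_perm() performs exactly the current->security vs.
	 * q_perm.security check with key-based audit data that was
	 * open-coded here; use the shared helper like the ctl hooks do. */
	rc = ipc_has_perm(&msq->q_perm, SECCLASS_MSGQ, MSGQ__CREATE);
	if (rc)
		ipc_free_security(&msq->q_perm);

	return rc;
}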
3650
/* LSM hook: release the blob attached to a message queue. */
static void selinux_msg_queue_free_security(struct msg_queue *msq)
{
	struct kern_ipc_perm *perm = &msq->q_perm;

	ipc_free_security(perm);
}
3655
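/*
 * LSM hook: a task is associating with (looking up) an existing queue.
 * Requires msgq:associate from the current task to the queue.
 *
 * @msqflg is not consulted.  The check is the same as before, now made
 * through the shared ipc_has_perm() helper (current's SID vs. the
 * queue's SID, audited by key) instead of being open-coded.
 */
static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
{
	return ipc_has_perm(&msq->q_perm, SECCLASS_MSGQ, MSGQ__ASSOCIATE);
}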
3671
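/*
 * LSM hook: map a msgctl() command onto the msgq permission it needs.
 *
 * INFO commands have no object and are checked as system:ipc_info.
 * Commands not listed are not mediated here (return 0); presumably the
 * generic ipc code rejects unknown commands itself.
 */
static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
{
	u32 perms;	/* permission bitmask, same type ipc_has_perm() takes */

	switch (cmd) {
	case IPC_INFO:
	case MSG_INFO:
		/* No specific object, just general system-wide information. */
		return task_has_system(current, SYSTEM__IPC_INFO);
	case IPC_STAT:
	case MSG_STAT:
		/* stat needs both getattr and associate on the queue */
		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
		break;
	case IPC_SET:
		perms = MSGQ__SETATTR;
		break;
	case IPC_RMID:
		perms = MSGQ__DESTROY;
		break;
	default:
		return 0;
	}

	return ipc_has_perm(&msq->q_perm, SECCLASS_MSGQ, perms);
}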
3699
/*
 * LSM hook: the current task sends @msg to @msq.
 *
 * Three checks are made, in this order:
 *   1. sender -> queue:   msgq:write
 *   2. sender -> message: msg:send
 *   3. message -> queue:  msgq:enqueue
 * A message still carrying SECINITSID_UNLABELED is labeled first, using
 * the policy's transition rules for (sender SID, queue SID, class msg).
 *
 * @msqflg is not consulted.  Returns 0 or the first denial/error.
 */
static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
{
	struct task_security_struct *tsec = current->security;
	struct ipc_security_struct *isec = msq->q_perm.security;
	struct msg_security_struct *msec = msg->security;
	struct avc_audit_data ad;
	int rc;

	/* First send: derive the message label now that the queue is known. */
	if (msec->sid == SECINITSID_UNLABELED) {
		rc = security_transition_sid(tsec->sid, isec->sid,
					     SECCLASS_MSG, &msec->sid);
		if (rc)
			return rc;
	}

	AVC_AUDIT_DATA_INIT(&ad, IPC);
	ad.u.ipc_id = msq->q_perm.key;

	/* Can this process write to the queue? */
	rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
			  MSGQ__WRITE, &ad);
	if (rc)
		return rc;

	/* Can this process send a message of this label? */
	rc = avc_has_perm(tsec->sid, msec->sid, SECCLASS_MSG,
			  MSG__SEND, &ad);
	if (rc)
		return rc;

	/* Can a message of this label be put on this queue? */
	return avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
			    MSGQ__ENQUEUE, &ad);
}
3745
/*
 * LSM hook: @target is about to receive @msg from @msq.
 *
 * The subject here is @target, not current: the receiving task is passed
 * in explicitly, presumably because this hook can run in a different
 * task's context (e.g. the sender's, when it hands a message to a
 * waiting receiver).  Checks: target -> queue msgq:read, then
 * target -> message msg:receive.  @type and @mode are not consulted.
 */
static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
				    struct task_struct *target,
				    long type, int mode)
{
	struct task_security_struct *tsec = target->security;
	struct ipc_security_struct *isec = msq->q_perm.security;
	struct msg_security_struct *msec = msg->security;
	struct avc_audit_data ad;
	int rc;

	AVC_AUDIT_DATA_INIT(&ad, IPC);
	ad.u.ipc_id = msq->q_perm.key;

	rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
			  MSGQ__READ, &ad);
	if (rc)
		return rc;

	return avc_has_perm(tsec->sid, msec->sid, SECCLASS_MSG,
			    MSG__RECEIVE, &ad);
}
3770
3771 /* Shared Memory security operations */
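/*
 * LSM hook: label a new shared memory segment and check shm:create.
 *
 * Returns 0 on success; on a denied create the blob is released again
 * and the error is propagated.
 */
static int selinux_shm_alloc_security(struct shmid_kernel *shp)
{
	int rc;

	/* The segment takes the creating task's SID. */
	rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
	if (rc)
		return rc;

	/* Same check as the open-coded current->security vs. shm_perm
	 * .security AVC call this replaced; ipc_has_perm() builds the
	 * identical key-based audit data. */
	rc = ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, SHM__CREATE);
	if (rc)
		ipc_free_security(&shp->shm_perm);

	return rc;
}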
3797
/* LSM hook: release the blob attached to a shared memory segment. */
static void selinux_shm_free_security(struct shmid_kernel *shp)
{
	struct kern_ipc_perm *perm = &shp->shm_perm;

	ipc_free_security(perm);
}
3802
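/*
 * LSM hook: a task is associating with (looking up) an existing shared
 * memory segment.  Requires shm:associate from current to the segment.
 *
 * @shmflg is not consulted.  Same check as before, via the shared
 * ipc_has_perm() helper instead of an open-coded AVC call.
 */
static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
{
	return ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, SHM__ASSOCIATE);
}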
3818
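/* Note, at this point, shp is locked down */
/*
 * LSM hook: map a shmctl() command onto the shm permission it needs.
 *
 * INFO commands have no object and are checked as system:ipc_info.
 * SHM_LOCK and SHM_UNLOCK both map to shm:lock.  Commands not listed
 * are not mediated here (return 0); presumably the generic ipc code
 * rejects unknown commands itself.
 */
static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
{
	u32 perms;	/* permission bitmask, same type ipc_has_perm() takes */

	switch (cmd) {
	case IPC_INFO:
	case SHM_INFO:
		/* No specific object, just general system-wide information. */
		return task_has_system(current, SYSTEM__IPC_INFO);
	case IPC_STAT:
	case SHM_STAT:
		/* stat needs both getattr and associate on the segment */
		perms = SHM__GETATTR | SHM__ASSOCIATE;
		break;
	case IPC_SET:
		perms = SHM__SETATTR;
		break;
	case SHM_LOCK:
	case SHM_UNLOCK:
		perms = SHM__LOCK;
		break;
	case IPC_RMID:
		perms = SHM__DESTROY;
		break;
	default:
		return 0;
	}

	return ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms);
}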
3851
/*
 * LSM hook: the current task attaches segment @shp.
 *
 * The stacked secondary module is consulted first and may veto.  Every
 * attach needs shm:read; an attach without SHM_RDONLY also needs
 * shm:write.  @shmaddr is only passed through to the secondary module.
 */
static int selinux_shm_shmat(struct shmid_kernel *shp,
			     char __user *shmaddr, int shmflg)
{
	u32 perms = SHM__READ;
	int rc;

	rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
	if (rc)
		return rc;

	if (!(shmflg & SHM_RDONLY))
		perms |= SHM__WRITE;

	return ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms);
}
3869
3870 /* Semaphore security operations */
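/*
 * LSM hook: label a new semaphore array and check sem:create.
 *
 * Returns 0 on success; on a denied create the blob is released again
 * and the error is propagated.
 */
static int selinux_sem_alloc_security(struct sem_array *sma)
{
	int rc;

	/* The array takes the creating task's SID. */
	rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
	if (rc)
		return rc;

	/* Same check as the open-coded current->security vs. sem_perm
	 * .security AVC call this replaced; ipc_has_perm() builds the
	 * identical key-based audit data. */
	rc = ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, SEM__CREATE);
	if (rc)
		ipc_free_security(&sma->sem_perm);

	return rc;
}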
3896
/* LSM hook: release the blob attached to a semaphore array. */
static void selinux_sem_free_security(struct sem_array *sma)
{
	struct kern_ipc_perm *perm = &sma->sem_perm;

	ipc_free_security(perm);
}
3901
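/*
 * LSM hook: a task is associating with (looking up) an existing
 * semaphore array.  Requires sem:associate from current to the array.
 *
 * @semflg is not consulted.  Same check as before, via the shared
 * ipc_has_perm() helper instead of an open-coded AVC call.
 */
static int selinux_sem_associate(struct sem_array *sma, int semflg)
{
	return ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, SEM__ASSOCIATE);
}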
3917
/* Note, at this point, sma is locked down */
/*
 * LSM hook: map a semctl() command onto the sem permission it needs.
 *
 * INFO commands have no object and are checked as system:ipc_info.
 * GETPID/GETNCNT/GETZCNT only expose metadata (getattr); GETVAL/GETALL
 * read values (read); SETVAL/SETALL write them (write).  Commands not
 * listed are not mediated here (return 0).
 */
static int selinux_sem_semctl(struct sem_array *sma, int cmd)
{
	u32 perms;

	switch (cmd) {
	case IPC_INFO:
	case SEM_INFO:
		/* No specific object, just general system-wide information. */
		return task_has_system(current, SYSTEM__IPC_INFO);
	case IPC_STAT:
	case SEM_STAT:
		perms = SEM__GETATTR | SEM__ASSOCIATE;
		break;
	case GETPID:
	case GETNCNT:
	case GETZCNT:
		perms = SEM__GETATTR;
		break;
	case GETVAL:
	case GETALL:
		perms = SEM__READ;
		break;
	case SETVAL:
	case SETALL:
		perms = SEM__WRITE;
		break;
	case IPC_SET:
		perms = SEM__SETATTR;
		break;
	case IPC_RMID:
		perms = SEM__DESTROY;
		break;
	default:
		return 0;
	}

	return ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms);
}
3959
/*
 * LSM hook: semop() on @sma.  Every operation needs sem:read; one that
 * modifies the array (@alter set by the caller) also needs sem:write.
 * @sops and @nsops are not inspected by SELinux.
 */
static int selinux_sem_semop(struct sem_array *sma,
			     struct sembuf *sops, unsigned nsops, int alter)
{
	u32 perms = SEM__READ;

	if (alter)
		perms |= SEM__WRITE;

	return ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms);
}
3972
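/*
 * LSM hook: generic IPC access check, @flag expressed in S_IRUGO/S_IWUGO
 * mode bits.  Maps read onto <class>:unix_read and write onto
 * <class>:unix_write, where the class is the object's own (msgq/shm/sem)
 * if it carries a SELinux blob, else the generic ipc class.
 *
 * Returns 0 when nothing is requested or the access is allowed.
 */
static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
{
	struct ipc_security_struct *isec = ipcp->security;
	u16 sclass = SECCLASS_IPC;
	u32 av = 0;

	/* NOTE(review): this tolerates a missing/foreign blob only for
	 * choosing the class; ipc_has_perm() below dereferences isec
	 * unconditionally -- confirm every object reaching here was
	 * labeled by the SELinux alloc hooks. */
	if (isec && isec->magic == SELINUX_MAGIC)
		sclass = isec->sclass;

	/* (the redundant second "av = 0;" that followed the declaration
	 * is gone; av is zero-initialized above) */
	if (flag & S_IRUGO)
		av |= IPC__UNIX_READ;
	if (flag & S_IWUGO)
		av |= IPC__UNIX_WRITE;

	/* No read or write requested: nothing to mediate. */
	if (av == 0)
		return 0;

	return ipc_has_perm(ipcp, sclass, av);
}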
3993
3994 /* module stacking operations */
/*
 * Module stacking: install @ops as the single secondary module behind
 * SELinux.  Fails with -EINVAL if one is already stacked.
 *
 * NOTE(review): no locking is visible here; this assumes the LSM
 * framework serializes registration and has already validated @ops.
 */
int selinux_register_security (const char *name, struct security_operations *ops)
{
	if (secondary_ops == original_ops) {
		secondary_ops = ops;
		printk(KERN_INFO "%s: Registering secondary module %s\n",
		       __FUNCTION__,
		       name);
		return 0;
	}

	printk(KERN_INFO "%s: There is already a secondary security "
	       "module registered.\n", __FUNCTION__);
	return -EINVAL;
}
4011
/*
 * Module stacking: remove the stacked secondary module, restoring the
 * ops that were in place when SELinux initialized.  Only the module
 * currently stacked (@ops == secondary_ops) may be unregistered.
 * @name is unused.
 */
int selinux_unregister_security (const char *name, struct security_operations *ops)
{
	if (ops == secondary_ops) {
		secondary_ops = original_ops;
		return 0;
	}

	printk (KERN_INFO "%s: trying to unregister a security module "
		"that is not registered.\n", __FUNCTION__);
	return -EINVAL;
}
4024
/*
 * LSM hook: a dentry has just been bound to @inode; (re)initialize the
 * inode's label using the dentry.  A negative dentry (NULL inode) is
 * ignored.
 */
static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
{
	if (inode == NULL)
		return;

	inode_doinit_with_dentry(inode, dentry);
}
4030
/*
 * LSM hook: read one of task @p's security attributes as a context
 * string into @value (at most @size bytes).
 *
 * Supported @name values: "current", "prev", "exec", "fscreate".
 * Reading another task's attributes requires process:getattr on it.
 *
 * Returns the number of bytes copied, 0 for an unset attribute,
 * -EINVAL for an unknown name, -ERANGE if @size is 0 or too small.
 */
static int selinux_getprocattr(struct task_struct *p,
			       char *name, void *value, size_t size)
{
	struct task_security_struct *tsec;
	char *ctx;
	u32 sid, ctx_len;
	int rc;

	if (p != current) {
		rc = task_has_perm(current, p, PROCESS__GETATTR);
		if (rc)
			return rc;
	}

	if (size == 0)
		return -ERANGE;

	tsec = p->security;
	if (strcmp(name, "current") == 0)
		sid = tsec->sid;
	else if (strcmp(name, "prev") == 0)
		sid = tsec->osid;
	else if (strcmp(name, "exec") == 0)
		sid = tsec->exec_sid;
	else if (strcmp(name, "fscreate") == 0)
		sid = tsec->create_sid;
	else
		return -EINVAL;

	/* exec/fscreate are optional; an unset one reads back empty. */
	if (sid == 0)
		return 0;

	rc = security_sid_to_context(sid, &ctx, &ctx_len);
	if (rc)
		return rc;

	if (ctx_len > size) {
		rc = -ERANGE;
	} else {
		memcpy(value, ctx, ctx_len);
		rc = ctx_len;
	}
	kfree(ctx);
	return rc;
}
4075
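/*
 * LSM hook: set one of task @p's security attributes from the context
 * string @value (@size bytes; @size == 0 clears exec/fscreate).
 *
 * Only the task itself may do this (current == p).  Each attribute is
 * gated by its own process permission (setexec, setfscreate,
 * setcurrent).  Changing "current" additionally requires that the task
 * be single-threaded, that process:dyntransition from the old to the
 * new SID be allowed, and -- if the task is being ptraced -- that the
 * tracer be allowed process:ptrace on the NEW SID.
 *
 * Returns @size on success, -EACCES for another task, -EINVAL for an
 * unknown name or an empty "current", -EPERM if multi-threaded, or the
 * AVC / context lookup error.
 */
static int selinux_setprocattr(struct task_struct *p,
			       char *name, void *value, size_t size)
{
	struct task_security_struct *tsec;
	u32 sid = 0;
	int error;

	if (current != p) {
		/* SELinux only allows a process to change its own
		   security attributes. */
		return -EACCES;
	}

	/*
	 * Basic control over ability to set these attributes at all.
	 * current == p, but we'll pass them separately in case the
	 * above restriction is ever removed.
	 */
	if (!strcmp(name, "exec"))
		error = task_has_perm(current, p, PROCESS__SETEXEC);
	else if (!strcmp(name, "fscreate"))
		error = task_has_perm(current, p, PROCESS__SETFSCREATE);
	else if (!strcmp(name, "current"))
		error = task_has_perm(current, p, PROCESS__SETCURRENT);
	else
		error = -EINVAL;
	if (error)
		return error;

	/* Obtain a SID for the context, if one was specified.  (Reuses
	   the outer 'error' rather than shadowing it with a second one.) */
	if (size) {
		error = security_context_to_sid(value, size, &sid);
		if (error)
			return error;
	}

	/* Permission checking based on the specified context is
	   performed during the actual operation (execve,
	   open/mkdir/...), when we know the full context of the
	   operation. See selinux_bprm_set_security for the execve
	   checks and may_create for the file creation checks. The
	   operation will then fail if the context is not permitted. */
	tsec = p->security;
	if (!strcmp(name, "exec"))
		tsec->exec_sid = sid;
	else if (!strcmp(name, "fscreate"))
		tsec->create_sid = sid;
	else if (!strcmp(name, "current")) {
		struct av_decision avd;

		/* A task must always have a current SID; refuse to clear it. */
		if (sid == 0)
			return -EINVAL;

		/* Only allow single threaded processes to change context.
		 * mm_users != 1 is the cheap test; when it trips, walk the
		 * thread list to see whether another task really shares
		 * our mm.
		 * NOTE(review): p->mm is dereferenced unconditionally; a
		 * task with mm == NULL is presumably never current here,
		 * confirm against the callers. */
		if (atomic_read(&p->mm->mm_users) != 1) {
			struct task_struct *g, *t;
			struct mm_struct *mm = p->mm;
			read_lock(&tasklist_lock);
			do_each_thread(g, t)
				if (t->mm == mm && t != p) {
					read_unlock(&tasklist_lock);
					return -EPERM;
				}
			while_each_thread(g, t);
			read_unlock(&tasklist_lock);
		}

		/* Check permissions for the transition. */
		error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
				     PROCESS__DYNTRANSITION, NULL);
		if (error)
			return error;

		/* Check for ptracing, and update the task SID if ok.
		   Otherwise, leave SID unchanged and fail.  The tracer must
		   be allowed to ptrace the new SID -- presumably so that a
		   dyntransition cannot move a traced task into a domain
		   the tracer may not trace.  The decision is taken without
		   audit under task_lock and audited after the unlock. */
		task_lock(p);
		if (p->ptrace & PT_PTRACED) {
			error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
						     SECCLASS_PROCESS,
						     PROCESS__PTRACE, &avd);
			if (!error)
				tsec->sid = sid;
			task_unlock(p);
			avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
				  PROCESS__PTRACE, &avd, error, NULL);
			if (error)
				return error;
		} else {
			tsec->sid = sid;
			task_unlock(p);
		}
	}
	else
		return -EINVAL;

	return size;
}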
4174
/*
 * The SELinux LSM hook table, registered with the framework in
 * selinux_init().  Hooks not listed here fall through to whatever the
 * framework provides (the previous security_ops become secondary_ops
 * and several SELinux hooks above call into them explicitly).
 * Network hooks are only compiled in with CONFIG_SECURITY_NETWORK.
 */
struct security_operations selinux_ops = {
	/* process control, capabilities and system-wide operations */
	.ptrace =			selinux_ptrace,
	.capget =			selinux_capget,
	.capset_check =			selinux_capset_check,
	.capset_set =			selinux_capset_set,
	.sysctl =			selinux_sysctl,
	.capable =			selinux_capable,
	.quotactl =			selinux_quotactl,
	.quota_on =			selinux_quota_on,
	.syslog =			selinux_syslog,
	.vm_enough_memory =		selinux_vm_enough_memory,

	.netlink_send =			selinux_netlink_send,
	.netlink_recv =			selinux_netlink_recv,

	/* execve: labeling and transition of the new image */
	.bprm_alloc_security =		selinux_bprm_alloc_security,
	.bprm_free_security =		selinux_bprm_free_security,
	.bprm_apply_creds =		selinux_bprm_apply_creds,
	.bprm_post_apply_creds =	selinux_bprm_post_apply_creds,
	.bprm_set_security =		selinux_bprm_set_security,
	.bprm_check_security =		selinux_bprm_check_security,
	.bprm_secureexec =		selinux_bprm_secureexec,

	/* superblocks and mounts */
	.sb_alloc_security =		selinux_sb_alloc_security,
	.sb_free_security =		selinux_sb_free_security,
	.sb_copy_data =			selinux_sb_copy_data,
	.sb_kern_mount =		selinux_sb_kern_mount,
	.sb_statfs =			selinux_sb_statfs,
	.sb_mount =			selinux_mount,
	.sb_umount =			selinux_umount,

	/* inodes, including the security.* xattr interface */
	.inode_alloc_security =		selinux_inode_alloc_security,
	.inode_free_security =		selinux_inode_free_security,
	.inode_create =			selinux_inode_create,
	.inode_post_create =		selinux_inode_post_create,
	.inode_link =			selinux_inode_link,
	.inode_post_link =		selinux_inode_post_link,
	.inode_unlink =			selinux_inode_unlink,
	.inode_symlink =		selinux_inode_symlink,
	.inode_post_symlink =		selinux_inode_post_symlink,
	.inode_mkdir =			selinux_inode_mkdir,
	.inode_post_mkdir =		selinux_inode_post_mkdir,
	.inode_rmdir =			selinux_inode_rmdir,
	.inode_mknod =			selinux_inode_mknod,
	.inode_post_mknod =		selinux_inode_post_mknod,
	.inode_rename =			selinux_inode_rename,
	.inode_post_rename =		selinux_inode_post_rename,
	.inode_readlink =		selinux_inode_readlink,
	.inode_follow_link =		selinux_inode_follow_link,
	.inode_permission =		selinux_inode_permission,
	.inode_setattr =		selinux_inode_setattr,
	.inode_getattr =		selinux_inode_getattr,
	.inode_setxattr =		selinux_inode_setxattr,
	.inode_post_setxattr =		selinux_inode_post_setxattr,
	.inode_getxattr =		selinux_inode_getxattr,
	.inode_listxattr =		selinux_inode_listxattr,
	.inode_removexattr =		selinux_inode_removexattr,
	.inode_getsecurity =		selinux_inode_getsecurity,
	.inode_setsecurity =		selinux_inode_setsecurity,
	.inode_listsecurity =		selinux_inode_listsecurity,

	/* open file descriptions */
	.file_permission =		selinux_file_permission,
	.file_alloc_security =		selinux_file_alloc_security,
	.file_free_security =		selinux_file_free_security,
	.file_ioctl =			selinux_file_ioctl,
	.file_mmap =			selinux_file_mmap,
	.file_mprotect =		selinux_file_mprotect,
	.file_lock =			selinux_file_lock,
	.file_fcntl =			selinux_file_fcntl,
	.file_set_fowner =		selinux_file_set_fowner,
	.file_send_sigiotask =		selinux_file_send_sigiotask,
	.file_receive =			selinux_file_receive,

	/* tasks */
	.task_create =			selinux_task_create,
	.task_alloc_security =		selinux_task_alloc_security,
	.task_free_security =		selinux_task_free_security,
	.task_setuid =			selinux_task_setuid,
	.task_post_setuid =		selinux_task_post_setuid,
	.task_setgid =			selinux_task_setgid,
	.task_setpgid =			selinux_task_setpgid,
	.task_getpgid =			selinux_task_getpgid,
	.task_getsid =			selinux_task_getsid,
	.task_setgroups =		selinux_task_setgroups,
	.task_setnice =			selinux_task_setnice,
	.task_setrlimit =		selinux_task_setrlimit,
	.task_setscheduler =		selinux_task_setscheduler,
	.task_getscheduler =		selinux_task_getscheduler,
	.task_kill =			selinux_task_kill,
	.task_wait =			selinux_task_wait,
	.task_prctl =			selinux_task_prctl,
	.task_reparent_to_init =	selinux_task_reparent_to_init,
	.task_to_inode =		selinux_task_to_inode,

	/* System V IPC: generic, message queues, shared memory, semaphores */
	.ipc_permission =		selinux_ipc_permission,

	.msg_msg_alloc_security =	selinux_msg_msg_alloc_security,
	.msg_msg_free_security =	selinux_msg_msg_free_security,

	.msg_queue_alloc_security =	selinux_msg_queue_alloc_security,
	.msg_queue_free_security =	selinux_msg_queue_free_security,
	.msg_queue_associate =		selinux_msg_queue_associate,
	.msg_queue_msgctl =		selinux_msg_queue_msgctl,
	.msg_queue_msgsnd =		selinux_msg_queue_msgsnd,
	.msg_queue_msgrcv =		selinux_msg_queue_msgrcv,

	.shm_alloc_security =		selinux_shm_alloc_security,
	.shm_free_security =		selinux_shm_free_security,
	.shm_associate =		selinux_shm_associate,
	.shm_shmctl =			selinux_shm_shmctl,
	.shm_shmat =			selinux_shm_shmat,

	.sem_alloc_security =		selinux_sem_alloc_security,
	.sem_free_security =		selinux_sem_free_security,
	.sem_associate =		selinux_sem_associate,
	.sem_semctl =			selinux_sem_semctl,
	.sem_semop =			selinux_sem_semop,

	/* stacking of one secondary module behind SELinux */
	.register_security =		selinux_register_security,
	.unregister_security =		selinux_unregister_security,

	.d_instantiate =                selinux_d_instantiate,

	/* /proc/<pid>/attr interface */
	.getprocattr =                  selinux_getprocattr,
	.setprocattr =                  selinux_setprocattr,

#ifdef CONFIG_SECURITY_NETWORK
	/* networking: unix sockets, generic sockets, per-sock blobs */
        .unix_stream_connect =		selinux_socket_unix_stream_connect,
	.unix_may_send =		selinux_socket_unix_may_send,

	.socket_create =		selinux_socket_create,
	.socket_post_create =		selinux_socket_post_create,
	.socket_bind =			selinux_socket_bind,
	.socket_connect =		selinux_socket_connect,
	.socket_listen =		selinux_socket_listen,
	.socket_accept =		selinux_socket_accept,
	.socket_sendmsg =		selinux_socket_sendmsg,
	.socket_recvmsg =		selinux_socket_recvmsg,
	.socket_getsockname =		selinux_socket_getsockname,
	.socket_getpeername =		selinux_socket_getpeername,
	.socket_getsockopt =		selinux_socket_getsockopt,
	.socket_setsockopt =		selinux_socket_setsockopt,
	.socket_shutdown =		selinux_socket_shutdown,
	.socket_sock_rcv_skb =		selinux_socket_sock_rcv_skb,
	.socket_getpeersec =		selinux_socket_getpeersec,
	.sk_alloc_security =		selinux_sk_alloc_security,
	.sk_free_security =		selinux_sk_free_security,
#endif
};
4323
/*
 * Early SELinux initialization, run via security_initcall() below so
 * that every task and object created afterwards gets labeled.
 *
 * Labels the initial task with the kernel SID, brings up the AVC and
 * installs selinux_ops as the primary LSM.  The ops that were in place
 * before (dummy or capability) are kept as original_ops/secondary_ops:
 * SELinux stacks on top of them and selinux_disable() falls back to
 * them.  Any failure here is fatal (panic).
 */
__init int selinux_init(void)
{
	struct task_security_struct *tsec;

	/* Disabled at boot (selinux_enabled is cleared elsewhere): leave
	 * the existing LSM in place and do nothing. */
	if (!selinux_enabled) {
		printk(KERN_INFO "SELinux: Disabled at boot.\n");
		return 0;
	}

	printk(KERN_INFO "SELinux: Initializing.\n");

	/* Set the security state for the initial task. */
	if (task_alloc_security(current))
		panic("SELinux: Failed to initialize initial task.\n");
	tsec = current->security;
	/* osid == sid: the initial task has no "previous" context */
	tsec->osid = tsec->sid = SECINITSID_KERNEL;

	avc_init();

	/* Remember the currently installed ops as the secondary module
	 * before we replace them with our own. */
	original_ops = secondary_ops = security_ops;
	if (!secondary_ops)
		panic ("SELinux: No initial security operations\n");
	if (register_security (&selinux_ops))
		panic("SELinux: Unable to register with kernel.\n");

	/* Report the mode only; enforcement itself is decided by
	 * selinux_enforcing at decision time elsewhere. */
	if (selinux_enforcing) {
		printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
	} else {
		printk(KERN_INFO "SELinux: Starting in permissive mode\n");
	}
	return 0;
}
4356
/*
 * Second-stage initialization, called once the initial policy is loaded.
 *
 * Superblocks mounted before the policy was available could not be
 * labeled and were queued on superblock_security_head; walk that list
 * and label each one now.  The list is always consumed from its head,
 * dropping sb_security_lock around the (potentially sleeping)
 * superblock_doinit() call.
 */
void selinux_complete_init(void)
{
	printk(KERN_INFO "SELinux: Completing initialization.\n");

	/* Set up any superblocks initialized prior to the policy load. */
	printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
	spin_lock(&sb_security_lock);
next_sb:
	if (!list_empty(&superblock_security_head)) {
		struct superblock_security_struct *sbsec =
			list_entry(superblock_security_head.next,
				   struct superblock_security_struct,
				   list);
		struct super_block *sb = sbsec->sb;
		/* Take a reference on the superblock so it survives while
		 * we drop sb_security_lock and block on s_umount. */
		spin_lock(&sb_lock);
		sb->s_count++;
		spin_unlock(&sb_lock);
		spin_unlock(&sb_security_lock);
		down_read(&sb->s_umount);
		/* Only label superblocks that still have a root dentry. */
		if (sb->s_root)
			superblock_doinit(sb, NULL);
		/* drop_super() presumably releases s_umount and the
		 * s_count reference taken above. */
		drop_super(sb);
		spin_lock(&sb_security_lock);
		/* Dequeue this entry and restart from the (new) head. */
		list_del_init(&sbsec->list);
		goto next_sb;
	}
	spin_unlock(&sb_security_lock);
}
4385
/* SELinux requires early initialization in order to label
   all processes and objects when they are created, so it is
   registered as a security initcall rather than an ordinary one. */
security_initcall(selinux_init);
4389
4390 #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
4391
/* IPv4 egress hook at POST_ROUTING, registered with priority
 * NF_IP_PRI_SELINUX_LAST (intended, per its name, to run after the
 * other hooks at that point). */
static struct nf_hook_ops selinux_ipv4_op = {
	.hook =		selinux_ipv4_postroute_last,
	.owner =	THIS_MODULE,
	.pf =		PF_INET,
	.hooknum =	NF_IP_POST_ROUTING,
	.priority =	NF_IP_PRI_SELINUX_LAST,
};
4399
4400 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4401
/* IPv6 counterpart of selinux_ipv4_op; only built when IPv6 is
 * configured (see the surrounding #if). */
static struct nf_hook_ops selinux_ipv6_op = {
	.hook =		selinux_ipv6_postroute_last,
	.owner =	THIS_MODULE,
	.pf =		PF_INET6,
	.hooknum =	NF_IP6_POST_ROUTING,
	.priority =	NF_IP6_PRI_SELINUX_LAST,
};
4409
4410 #endif /* IPV6 */
4411
/*
 * Register the SELinux netfilter egress hooks (IPv4, and IPv6 when
 * configured).  Does nothing when SELinux is disabled.  A registration
 * failure is treated as fatal (panic) rather than running without the
 * hooks; on success 0 is returned.
 */
static int __init selinux_nf_ip_init(void)
{
	int rc;

	if (!selinux_enabled)
		return 0;

	printk(KERN_INFO "SELinux: Registering netfilter hooks\n");

	rc = nf_register_hook(&selinux_ipv4_op);
	if (rc)
		panic("SELinux: nf_register_hook for IPv4: error %d\n", rc);

#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
	rc = nf_register_hook(&selinux_ipv6_op);
	if (rc)
		panic("SELinux: nf_register_hook for IPv6: error %d\n", rc);
#endif /* IPV6 */

	return rc;
}
4435
/* Ordinary initcall: netfilter must already be up, unlike selinux_init. */
__initcall(selinux_nf_ip_init);
4437
4438 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
/*
 * Undo selinux_nf_ip_init(); used by selinux_disable() when SELinux is
 * turned off at runtime.  Only built with CONFIG_SECURITY_SELINUX_DISABLE.
 */
static void selinux_nf_ip_exit(void)
{
	printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");

	nf_unregister_hook(&selinux_ipv4_op);
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
	nf_unregister_hook(&selinux_ipv6_op);
#endif /* IPV6 */
}
4448 #endif
4449
4450 #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4451
4452 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4453 #define selinux_nf_ip_exit()
4454 #endif
4455
4456 #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4457
4458 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
/*
 * Disable SELinux at runtime.
 *
 * Permitted only before the initial policy load (ss_initialized unset)
 * and only once; both conditions fail with -EINVAL.  On success the LSM
 * hook table reverts to the stacked secondary module (dummy or
 * capability), the netfilter hooks are unregistered and selinuxfs is
 * torn down.
 *
 * NOTE(review): nothing visible here serializes concurrent callers;
 * verify that the selinuxfs write path invoking this does.
 */
int selinux_disable(void)
{
	extern void exit_sel_fs(void);
	static int selinux_disabled = 0;

	if (ss_initialized || selinux_disabled)
		return -EINVAL;

	printk(KERN_INFO "SELinux: Disabled at runtime.\n");
	selinux_disabled = 1;

	/* Reset security_ops to the secondary module, dummy or capability,
	 * then tear down the SELinux-specific hooks and filesystem. */
	security_ops = secondary_ops;
	selinux_nf_ip_exit();
	exit_sel_fs();

	return 0;
}
4489 #endif
4490
4491
4492