1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/sock.h>
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
86
87 #include "avc.h"
88 #include "objsec.h"
89 #include "netif.h"
90 #include "netnode.h"
91 #include "netport.h"
92 #include "xfrm.h"
93 #include "netlabel.h"
94 #include "audit.h"
95 #include "avc_ss.h"
96
97 #define NUM_SEL_MNT_OPTS 5
98
99 extern struct security_operations *security_ops;
100
101 /* SECMARK reference count */
102 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103
104 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105 int selinux_enforcing;
106
enforcing_setup(char * str)107 static int __init enforcing_setup(char *str)
108 {
109 unsigned long enforcing;
110 if (!strict_strtoul(str, 0, &enforcing))
111 selinux_enforcing = enforcing ? 1 : 0;
112 return 1;
113 }
114 __setup("enforcing=", enforcing_setup);
115 #endif
116
117 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
119
selinux_enabled_setup(char * str)120 static int __init selinux_enabled_setup(char *str)
121 {
122 unsigned long enabled;
123 if (!strict_strtoul(str, 0, &enabled))
124 selinux_enabled = enabled ? 1 : 0;
125 return 1;
126 }
127 __setup("selinux=", selinux_enabled_setup);
128 #else
129 int selinux_enabled = 1;
130 #endif
131
132 static struct kmem_cache *sel_inode_cache;
133
134 /**
135 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
136 *
137 * Description:
138 * This function checks the SECMARK reference counter to see if any SECMARK
139 * targets are currently configured, if the reference counter is greater than
140 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
141 * enabled, false (0) if SECMARK is disabled.
142 *
143 */
selinux_secmark_enabled(void)144 static int selinux_secmark_enabled(void)
145 {
146 return (atomic_read(&selinux_secmark_refcount) > 0);
147 }
148
selinux_netcache_avc_callback(u32 event)149 static int selinux_netcache_avc_callback(u32 event)
150 {
151 if (event == AVC_CALLBACK_RESET) {
152 sel_netif_flush();
153 sel_netnode_flush();
154 sel_netport_flush();
155 synchronize_net();
156 }
157 return 0;
158 }
159
160 /*
161 * initialise the security for the init task
162 */
cred_init_security(void)163 static void cred_init_security(void)
164 {
165 struct cred *cred = (struct cred *) current->real_cred;
166 struct task_security_struct *tsec;
167
168 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
169 if (!tsec)
170 panic("SELinux: Failed to initialize initial task.\n");
171
172 tsec->osid = tsec->sid = SECINITSID_KERNEL;
173 cred->security = tsec;
174 }
175
176 /*
177 * get the security ID of a set of credentials
178 */
cred_sid(const struct cred * cred)179 static inline u32 cred_sid(const struct cred *cred)
180 {
181 const struct task_security_struct *tsec;
182
183 tsec = cred->security;
184 return tsec->sid;
185 }
186
187 /*
188 * get the objective security ID of a task
189 */
task_sid(const struct task_struct * task)190 static inline u32 task_sid(const struct task_struct *task)
191 {
192 u32 sid;
193
194 rcu_read_lock();
195 sid = cred_sid(__task_cred(task));
196 rcu_read_unlock();
197 return sid;
198 }
199
200 /*
201 * get the subjective security ID of the current task
202 */
current_sid(void)203 static inline u32 current_sid(void)
204 {
205 const struct task_security_struct *tsec = current_security();
206
207 return tsec->sid;
208 }
209
210 /* Allocate and free functions for each kind of security blob. */
211
inode_alloc_security(struct inode * inode)212 static int inode_alloc_security(struct inode *inode)
213 {
214 struct inode_security_struct *isec;
215 u32 sid = current_sid();
216
217 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
218 if (!isec)
219 return -ENOMEM;
220
221 mutex_init(&isec->lock);
222 INIT_LIST_HEAD(&isec->list);
223 isec->inode = inode;
224 isec->sid = SECINITSID_UNLABELED;
225 isec->sclass = SECCLASS_FILE;
226 isec->task_sid = sid;
227 inode->i_security = isec;
228
229 return 0;
230 }
231
inode_free_rcu(struct rcu_head * head)232 static void inode_free_rcu(struct rcu_head *head)
233 {
234 struct inode_security_struct *isec;
235
236 isec = container_of(head, struct inode_security_struct, rcu);
237 kmem_cache_free(sel_inode_cache, isec);
238 }
239
inode_free_security(struct inode * inode)240 static void inode_free_security(struct inode *inode)
241 {
242 struct inode_security_struct *isec = inode->i_security;
243 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
244
245 spin_lock(&sbsec->isec_lock);
246 if (!list_empty(&isec->list))
247 list_del_init(&isec->list);
248 spin_unlock(&sbsec->isec_lock);
249
250 /*
251 * The inode may still be referenced in a path walk and
252 * a call to selinux_inode_permission() can be made
253 * after inode_free_security() is called. Ideally, the VFS
254 * wouldn't do this, but fixing that is a much harder
255 * job. For now, simply free the i_security via RCU, and
256 * leave the current inode->i_security pointer intact.
257 * The inode will be freed after the RCU grace period too.
258 */
259 call_rcu(&isec->rcu, inode_free_rcu);
260 }
261
file_alloc_security(struct file * file)262 static int file_alloc_security(struct file *file)
263 {
264 struct file_security_struct *fsec;
265 u32 sid = current_sid();
266
267 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
268 if (!fsec)
269 return -ENOMEM;
270
271 fsec->sid = sid;
272 fsec->fown_sid = sid;
273 file->f_security = fsec;
274
275 return 0;
276 }
277
file_free_security(struct file * file)278 static void file_free_security(struct file *file)
279 {
280 struct file_security_struct *fsec = file->f_security;
281 file->f_security = NULL;
282 kfree(fsec);
283 }
284
superblock_alloc_security(struct super_block * sb)285 static int superblock_alloc_security(struct super_block *sb)
286 {
287 struct superblock_security_struct *sbsec;
288
289 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
290 if (!sbsec)
291 return -ENOMEM;
292
293 mutex_init(&sbsec->lock);
294 INIT_LIST_HEAD(&sbsec->isec_head);
295 spin_lock_init(&sbsec->isec_lock);
296 sbsec->sb = sb;
297 sbsec->sid = SECINITSID_UNLABELED;
298 sbsec->def_sid = SECINITSID_FILE;
299 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
300 sb->s_security = sbsec;
301
302 return 0;
303 }
304
superblock_free_security(struct super_block * sb)305 static void superblock_free_security(struct super_block *sb)
306 {
307 struct superblock_security_struct *sbsec = sb->s_security;
308 sb->s_security = NULL;
309 kfree(sbsec);
310 }
311
312 /* The file system's label must be initialized prior to use. */
313
314 static const char *labeling_behaviors[6] = {
315 "uses xattr",
316 "uses transition SIDs",
317 "uses task SIDs",
318 "uses genfs_contexts",
319 "not configured for labeling",
320 "uses mountpoint labeling",
321 };
322
323 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
324
inode_doinit(struct inode * inode)325 static inline int inode_doinit(struct inode *inode)
326 {
327 return inode_doinit_with_dentry(inode, NULL);
328 }
329
330 enum {
331 Opt_error = -1,
332 Opt_context = 1,
333 Opt_fscontext = 2,
334 Opt_defcontext = 3,
335 Opt_rootcontext = 4,
336 Opt_labelsupport = 5,
337 };
338
339 static const match_table_t tokens = {
340 {Opt_context, CONTEXT_STR "%s"},
341 {Opt_fscontext, FSCONTEXT_STR "%s"},
342 {Opt_defcontext, DEFCONTEXT_STR "%s"},
343 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
344 {Opt_labelsupport, LABELSUPP_STR},
345 {Opt_error, NULL},
346 };
347
348 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
349
may_context_mount_sb_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)350 static int may_context_mount_sb_relabel(u32 sid,
351 struct superblock_security_struct *sbsec,
352 const struct cred *cred)
353 {
354 const struct task_security_struct *tsec = cred->security;
355 int rc;
356
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
359 if (rc)
360 return rc;
361
362 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__RELABELTO, NULL);
364 return rc;
365 }
366
may_context_mount_inode_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)367 static int may_context_mount_inode_relabel(u32 sid,
368 struct superblock_security_struct *sbsec,
369 const struct cred *cred)
370 {
371 const struct task_security_struct *tsec = cred->security;
372 int rc;
373 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
374 FILESYSTEM__RELABELFROM, NULL);
375 if (rc)
376 return rc;
377
378 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
379 FILESYSTEM__ASSOCIATE, NULL);
380 return rc;
381 }
382
sb_finish_set_opts(struct super_block * sb)383 static int sb_finish_set_opts(struct super_block *sb)
384 {
385 struct superblock_security_struct *sbsec = sb->s_security;
386 struct dentry *root = sb->s_root;
387 struct inode *root_inode = root->d_inode;
388 int rc = 0;
389
390 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
391 /* Make sure that the xattr handler exists and that no
392 error other than -ENODATA is returned by getxattr on
393 the root directory. -ENODATA is ok, as this may be
394 the first boot of the SELinux kernel before we have
395 assigned xattr values to the filesystem. */
396 if (!root_inode->i_op->getxattr) {
397 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
398 "xattr support\n", sb->s_id, sb->s_type->name);
399 rc = -EOPNOTSUPP;
400 goto out;
401 }
402 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
403 if (rc < 0 && rc != -ENODATA) {
404 if (rc == -EOPNOTSUPP)
405 printk(KERN_WARNING "SELinux: (dev %s, type "
406 "%s) has no security xattr handler\n",
407 sb->s_id, sb->s_type->name);
408 else
409 printk(KERN_WARNING "SELinux: (dev %s, type "
410 "%s) getxattr errno %d\n", sb->s_id,
411 sb->s_type->name, -rc);
412 goto out;
413 }
414 }
415
416 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
417
418 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
419 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
420 sb->s_id, sb->s_type->name);
421 else
422 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
423 sb->s_id, sb->s_type->name,
424 labeling_behaviors[sbsec->behavior-1]);
425
426 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
427 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
428 sbsec->behavior == SECURITY_FS_USE_NONE ||
429 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
430 sbsec->flags &= ~SE_SBLABELSUPP;
431
432 /* Special handling. Is genfs but also has in-core setxattr handler*/
433 if (!strcmp(sb->s_type->name, "sysfs") ||
434 !strcmp(sb->s_type->name, "pstore") ||
435 !strcmp(sb->s_type->name, "debugfs") ||
436 !strcmp(sb->s_type->name, "rootfs"))
437 sbsec->flags |= SE_SBLABELSUPP;
438
439 /* Initialize the root inode. */
440 rc = inode_doinit_with_dentry(root_inode, root);
441
442 /* Initialize any other inodes associated with the superblock, e.g.
443 inodes created prior to initial policy load or inodes created
444 during get_sb by a pseudo filesystem that directly
445 populates itself. */
446 spin_lock(&sbsec->isec_lock);
447 next_inode:
448 if (!list_empty(&sbsec->isec_head)) {
449 struct inode_security_struct *isec =
450 list_entry(sbsec->isec_head.next,
451 struct inode_security_struct, list);
452 struct inode *inode = isec->inode;
453 list_del_init(&isec->list);
454 spin_unlock(&sbsec->isec_lock);
455 inode = igrab(inode);
456 if (inode) {
457 if (!IS_PRIVATE(inode))
458 inode_doinit(inode);
459 iput(inode);
460 }
461 spin_lock(&sbsec->isec_lock);
462 goto next_inode;
463 }
464 spin_unlock(&sbsec->isec_lock);
465 out:
466 return rc;
467 }
468
469 /*
470 * This function should allow an FS to ask what it's mount security
471 * options were so it can use those later for submounts, displaying
472 * mount options, or whatever.
473 */
selinux_get_mnt_opts(const struct super_block * sb,struct security_mnt_opts * opts)474 static int selinux_get_mnt_opts(const struct super_block *sb,
475 struct security_mnt_opts *opts)
476 {
477 int rc = 0, i;
478 struct superblock_security_struct *sbsec = sb->s_security;
479 char *context = NULL;
480 u32 len;
481 char tmp;
482
483 security_init_mnt_opts(opts);
484
485 if (!(sbsec->flags & SE_SBINITIALIZED))
486 return -EINVAL;
487
488 if (!ss_initialized)
489 return -EINVAL;
490
491 tmp = sbsec->flags & SE_MNTMASK;
492 /* count the number of mount options for this sb */
493 for (i = 0; i < 8; i++) {
494 if (tmp & 0x01)
495 opts->num_mnt_opts++;
496 tmp >>= 1;
497 }
498 /* Check if the Label support flag is set */
499 if (sbsec->flags & SE_SBLABELSUPP)
500 opts->num_mnt_opts++;
501
502 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
503 if (!opts->mnt_opts) {
504 rc = -ENOMEM;
505 goto out_free;
506 }
507
508 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
509 if (!opts->mnt_opts_flags) {
510 rc = -ENOMEM;
511 goto out_free;
512 }
513
514 i = 0;
515 if (sbsec->flags & FSCONTEXT_MNT) {
516 rc = security_sid_to_context(sbsec->sid, &context, &len);
517 if (rc)
518 goto out_free;
519 opts->mnt_opts[i] = context;
520 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
521 }
522 if (sbsec->flags & CONTEXT_MNT) {
523 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
524 if (rc)
525 goto out_free;
526 opts->mnt_opts[i] = context;
527 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
528 }
529 if (sbsec->flags & DEFCONTEXT_MNT) {
530 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
531 if (rc)
532 goto out_free;
533 opts->mnt_opts[i] = context;
534 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
535 }
536 if (sbsec->flags & ROOTCONTEXT_MNT) {
537 struct inode *root = sbsec->sb->s_root->d_inode;
538 struct inode_security_struct *isec = root->i_security;
539
540 rc = security_sid_to_context(isec->sid, &context, &len);
541 if (rc)
542 goto out_free;
543 opts->mnt_opts[i] = context;
544 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
545 }
546 if (sbsec->flags & SE_SBLABELSUPP) {
547 opts->mnt_opts[i] = NULL;
548 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
549 }
550
551 BUG_ON(i != opts->num_mnt_opts);
552
553 return 0;
554
555 out_free:
556 security_free_mnt_opts(opts);
557 return rc;
558 }
559
bad_option(struct superblock_security_struct * sbsec,char flag,u32 old_sid,u32 new_sid)560 static int bad_option(struct superblock_security_struct *sbsec, char flag,
561 u32 old_sid, u32 new_sid)
562 {
563 char mnt_flags = sbsec->flags & SE_MNTMASK;
564
565 /* check if the old mount command had the same options */
566 if (sbsec->flags & SE_SBINITIALIZED)
567 if (!(sbsec->flags & flag) ||
568 (old_sid != new_sid))
569 return 1;
570
571 /* check if we were passed the same options twice,
572 * aka someone passed context=a,context=b
573 */
574 if (!(sbsec->flags & SE_SBINITIALIZED))
575 if (mnt_flags & flag)
576 return 1;
577 return 0;
578 }
579
580 /*
581 * Allow filesystems with binary mount data to explicitly set mount point
582 * labeling information.
583 */
selinux_set_mnt_opts(struct super_block * sb,struct security_mnt_opts * opts)584 static int selinux_set_mnt_opts(struct super_block *sb,
585 struct security_mnt_opts *opts)
586 {
587 const struct cred *cred = current_cred();
588 int rc = 0, i;
589 struct superblock_security_struct *sbsec = sb->s_security;
590 const char *name = sb->s_type->name;
591 struct inode *inode = sbsec->sb->s_root->d_inode;
592 struct inode_security_struct *root_isec = inode->i_security;
593 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
594 u32 defcontext_sid = 0;
595 char **mount_options = opts->mnt_opts;
596 int *flags = opts->mnt_opts_flags;
597 int num_opts = opts->num_mnt_opts;
598
599 mutex_lock(&sbsec->lock);
600
601 if (!ss_initialized) {
602 if (!num_opts) {
603 /* Defer initialization until selinux_complete_init,
604 after the initial policy is loaded and the security
605 server is ready to handle calls. */
606 goto out;
607 }
608 rc = -EINVAL;
609 printk(KERN_WARNING "SELinux: Unable to set superblock options "
610 "before the security server is initialized\n");
611 goto out;
612 }
613
614 /*
615 * Binary mount data FS will come through this function twice. Once
616 * from an explicit call and once from the generic calls from the vfs.
617 * Since the generic VFS calls will not contain any security mount data
618 * we need to skip the double mount verification.
619 *
620 * This does open a hole in which we will not notice if the first
621 * mount using this sb set explict options and a second mount using
622 * this sb does not set any security options. (The first options
623 * will be used for both mounts)
624 */
625 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
626 && (num_opts == 0))
627 goto out;
628
629 /*
630 * parse the mount options, check if they are valid sids.
631 * also check if someone is trying to mount the same sb more
632 * than once with different security options.
633 */
634 for (i = 0; i < num_opts; i++) {
635 u32 sid;
636
637 if (flags[i] == SE_SBLABELSUPP)
638 continue;
639 rc = security_context_to_sid(mount_options[i],
640 strlen(mount_options[i]), &sid);
641 if (rc) {
642 printk(KERN_WARNING "SELinux: security_context_to_sid"
643 "(%s) failed for (dev %s, type %s) errno=%d\n",
644 mount_options[i], sb->s_id, name, rc);
645 goto out;
646 }
647 switch (flags[i]) {
648 case FSCONTEXT_MNT:
649 fscontext_sid = sid;
650
651 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
652 fscontext_sid))
653 goto out_double_mount;
654
655 sbsec->flags |= FSCONTEXT_MNT;
656 break;
657 case CONTEXT_MNT:
658 context_sid = sid;
659
660 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
661 context_sid))
662 goto out_double_mount;
663
664 sbsec->flags |= CONTEXT_MNT;
665 break;
666 case ROOTCONTEXT_MNT:
667 rootcontext_sid = sid;
668
669 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
670 rootcontext_sid))
671 goto out_double_mount;
672
673 sbsec->flags |= ROOTCONTEXT_MNT;
674
675 break;
676 case DEFCONTEXT_MNT:
677 defcontext_sid = sid;
678
679 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
680 defcontext_sid))
681 goto out_double_mount;
682
683 sbsec->flags |= DEFCONTEXT_MNT;
684
685 break;
686 default:
687 rc = -EINVAL;
688 goto out;
689 }
690 }
691
692 if (sbsec->flags & SE_SBINITIALIZED) {
693 /* previously mounted with options, but not on this attempt? */
694 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
695 goto out_double_mount;
696 rc = 0;
697 goto out;
698 }
699
700 if (strcmp(sb->s_type->name, "proc") == 0)
701 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
702
703 if (!strcmp(sb->s_type->name, "debugfs") ||
704 !strcmp(sb->s_type->name, "sysfs") ||
705 !strcmp(sb->s_type->name, "pstore"))
706 sbsec->flags |= SE_SBGENFS;
707
708 /* Determine the labeling behavior to use for this filesystem type. */
709 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
710 if (rc) {
711 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
712 __func__, sb->s_type->name, rc);
713 goto out;
714 }
715
716 /* sets the context of the superblock for the fs being mounted. */
717 if (fscontext_sid) {
718 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
719 if (rc)
720 goto out;
721
722 sbsec->sid = fscontext_sid;
723 }
724
725 /*
726 * Switch to using mount point labeling behavior.
727 * sets the label used on all file below the mountpoint, and will set
728 * the superblock context if not already set.
729 */
730 if (context_sid) {
731 if (!fscontext_sid) {
732 rc = may_context_mount_sb_relabel(context_sid, sbsec,
733 cred);
734 if (rc)
735 goto out;
736 sbsec->sid = context_sid;
737 } else {
738 rc = may_context_mount_inode_relabel(context_sid, sbsec,
739 cred);
740 if (rc)
741 goto out;
742 }
743 if (!rootcontext_sid)
744 rootcontext_sid = context_sid;
745
746 sbsec->mntpoint_sid = context_sid;
747 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
748 }
749
750 if (rootcontext_sid) {
751 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
752 cred);
753 if (rc)
754 goto out;
755
756 root_isec->sid = rootcontext_sid;
757 root_isec->initialized = 1;
758 }
759
760 if (defcontext_sid) {
761 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
762 rc = -EINVAL;
763 printk(KERN_WARNING "SELinux: defcontext option is "
764 "invalid for this filesystem type\n");
765 goto out;
766 }
767
768 if (defcontext_sid != sbsec->def_sid) {
769 rc = may_context_mount_inode_relabel(defcontext_sid,
770 sbsec, cred);
771 if (rc)
772 goto out;
773 }
774
775 sbsec->def_sid = defcontext_sid;
776 }
777
778 rc = sb_finish_set_opts(sb);
779 out:
780 mutex_unlock(&sbsec->lock);
781 return rc;
782 out_double_mount:
783 rc = -EINVAL;
784 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
785 "security settings for (dev %s, type %s)\n", sb->s_id, name);
786 goto out;
787 }
788
selinux_cmp_sb_context(const struct super_block * oldsb,const struct super_block * newsb)789 static int selinux_cmp_sb_context(const struct super_block *oldsb,
790 const struct super_block *newsb)
791 {
792 struct superblock_security_struct *old = oldsb->s_security;
793 struct superblock_security_struct *new = newsb->s_security;
794 char oldflags = old->flags & SE_MNTMASK;
795 char newflags = new->flags & SE_MNTMASK;
796
797 if (oldflags != newflags)
798 goto mismatch;
799 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
800 goto mismatch;
801 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
802 goto mismatch;
803 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
804 goto mismatch;
805 if (oldflags & ROOTCONTEXT_MNT) {
806 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
807 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
808 if (oldroot->sid != newroot->sid)
809 goto mismatch;
810 }
811 return 0;
812 mismatch:
813 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
814 "different security settings for (dev %s, "
815 "type %s)\n", newsb->s_id, newsb->s_type->name);
816 return -EBUSY;
817 }
818
selinux_sb_clone_mnt_opts(const struct super_block * oldsb,struct super_block * newsb)819 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
820 struct super_block *newsb)
821 {
822 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
823 struct superblock_security_struct *newsbsec = newsb->s_security;
824
825 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
826 int set_context = (oldsbsec->flags & CONTEXT_MNT);
827 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
828
829 /*
830 * if the parent was able to be mounted it clearly had no special lsm
831 * mount options. thus we can safely deal with this superblock later
832 */
833 if (!ss_initialized)
834 return 0;
835
836 /* how can we clone if the old one wasn't set up?? */
837 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
838
839 /* if fs is reusing a sb, make sure that the contexts match */
840 if (newsbsec->flags & SE_SBINITIALIZED)
841 return selinux_cmp_sb_context(oldsb, newsb);
842
843 mutex_lock(&newsbsec->lock);
844
845 newsbsec->flags = oldsbsec->flags;
846
847 newsbsec->sid = oldsbsec->sid;
848 newsbsec->def_sid = oldsbsec->def_sid;
849 newsbsec->behavior = oldsbsec->behavior;
850
851 if (set_context) {
852 u32 sid = oldsbsec->mntpoint_sid;
853
854 if (!set_fscontext)
855 newsbsec->sid = sid;
856 if (!set_rootcontext) {
857 struct inode *newinode = newsb->s_root->d_inode;
858 struct inode_security_struct *newisec = newinode->i_security;
859 newisec->sid = sid;
860 }
861 newsbsec->mntpoint_sid = sid;
862 }
863 if (set_rootcontext) {
864 const struct inode *oldinode = oldsb->s_root->d_inode;
865 const struct inode_security_struct *oldisec = oldinode->i_security;
866 struct inode *newinode = newsb->s_root->d_inode;
867 struct inode_security_struct *newisec = newinode->i_security;
868
869 newisec->sid = oldisec->sid;
870 }
871
872 sb_finish_set_opts(newsb);
873 mutex_unlock(&newsbsec->lock);
874 return 0;
875 }
876
selinux_parse_opts_str(char * options,struct security_mnt_opts * opts)877 static int selinux_parse_opts_str(char *options,
878 struct security_mnt_opts *opts)
879 {
880 char *p;
881 char *context = NULL, *defcontext = NULL;
882 char *fscontext = NULL, *rootcontext = NULL;
883 int rc, num_mnt_opts = 0;
884
885 opts->num_mnt_opts = 0;
886
887 /* Standard string-based options. */
888 while ((p = strsep(&options, "|")) != NULL) {
889 int token;
890 substring_t args[MAX_OPT_ARGS];
891
892 if (!*p)
893 continue;
894
895 token = match_token(p, tokens, args);
896
897 switch (token) {
898 case Opt_context:
899 if (context || defcontext) {
900 rc = -EINVAL;
901 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
902 goto out_err;
903 }
904 context = match_strdup(&args[0]);
905 if (!context) {
906 rc = -ENOMEM;
907 goto out_err;
908 }
909 break;
910
911 case Opt_fscontext:
912 if (fscontext) {
913 rc = -EINVAL;
914 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
915 goto out_err;
916 }
917 fscontext = match_strdup(&args[0]);
918 if (!fscontext) {
919 rc = -ENOMEM;
920 goto out_err;
921 }
922 break;
923
924 case Opt_rootcontext:
925 if (rootcontext) {
926 rc = -EINVAL;
927 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
928 goto out_err;
929 }
930 rootcontext = match_strdup(&args[0]);
931 if (!rootcontext) {
932 rc = -ENOMEM;
933 goto out_err;
934 }
935 break;
936
937 case Opt_defcontext:
938 if (context || defcontext) {
939 rc = -EINVAL;
940 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
941 goto out_err;
942 }
943 defcontext = match_strdup(&args[0]);
944 if (!defcontext) {
945 rc = -ENOMEM;
946 goto out_err;
947 }
948 break;
949 case Opt_labelsupport:
950 break;
951 default:
952 rc = -EINVAL;
953 printk(KERN_WARNING "SELinux: unknown mount option\n");
954 goto out_err;
955
956 }
957 }
958
959 rc = -ENOMEM;
960 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
961 if (!opts->mnt_opts)
962 goto out_err;
963
964 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
965 if (!opts->mnt_opts_flags) {
966 kfree(opts->mnt_opts);
967 goto out_err;
968 }
969
970 if (fscontext) {
971 opts->mnt_opts[num_mnt_opts] = fscontext;
972 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
973 }
974 if (context) {
975 opts->mnt_opts[num_mnt_opts] = context;
976 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
977 }
978 if (rootcontext) {
979 opts->mnt_opts[num_mnt_opts] = rootcontext;
980 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
981 }
982 if (defcontext) {
983 opts->mnt_opts[num_mnt_opts] = defcontext;
984 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
985 }
986
987 opts->num_mnt_opts = num_mnt_opts;
988 return 0;
989
990 out_err:
991 kfree(context);
992 kfree(defcontext);
993 kfree(fscontext);
994 kfree(rootcontext);
995 return rc;
996 }
997 /*
998 * string mount options parsing and call set the sbsec
999 */
superblock_doinit(struct super_block * sb,void * data)1000 static int superblock_doinit(struct super_block *sb, void *data)
1001 {
1002 int rc = 0;
1003 char *options = data;
1004 struct security_mnt_opts opts;
1005
1006 security_init_mnt_opts(&opts);
1007
1008 if (!data)
1009 goto out;
1010
1011 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1012
1013 rc = selinux_parse_opts_str(options, &opts);
1014 if (rc)
1015 goto out_err;
1016
1017 out:
1018 rc = selinux_set_mnt_opts(sb, &opts);
1019
1020 out_err:
1021 security_free_mnt_opts(&opts);
1022 return rc;
1023 }
1024
selinux_write_opts(struct seq_file * m,struct security_mnt_opts * opts)1025 static void selinux_write_opts(struct seq_file *m,
1026 struct security_mnt_opts *opts)
1027 {
1028 int i;
1029 char *prefix;
1030
1031 for (i = 0; i < opts->num_mnt_opts; i++) {
1032 char *has_comma;
1033
1034 if (opts->mnt_opts[i])
1035 has_comma = strchr(opts->mnt_opts[i], ',');
1036 else
1037 has_comma = NULL;
1038
1039 switch (opts->mnt_opts_flags[i]) {
1040 case CONTEXT_MNT:
1041 prefix = CONTEXT_STR;
1042 break;
1043 case FSCONTEXT_MNT:
1044 prefix = FSCONTEXT_STR;
1045 break;
1046 case ROOTCONTEXT_MNT:
1047 prefix = ROOTCONTEXT_STR;
1048 break;
1049 case DEFCONTEXT_MNT:
1050 prefix = DEFCONTEXT_STR;
1051 break;
1052 case SE_SBLABELSUPP:
1053 seq_putc(m, ',');
1054 seq_puts(m, LABELSUPP_STR);
1055 continue;
1056 default:
1057 BUG();
1058 return;
1059 };
1060 /* we need a comma before each option */
1061 seq_putc(m, ',');
1062 seq_puts(m, prefix);
1063 if (has_comma)
1064 seq_putc(m, '\"');
1065 seq_puts(m, opts->mnt_opts[i]);
1066 if (has_comma)
1067 seq_putc(m, '\"');
1068 }
1069 }
1070
selinux_sb_show_options(struct seq_file * m,struct super_block * sb)1071 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1072 {
1073 struct security_mnt_opts opts;
1074 int rc;
1075
1076 rc = selinux_get_mnt_opts(sb, &opts);
1077 if (rc) {
1078 /* before policy load we may get EINVAL, don't show anything */
1079 if (rc == -EINVAL)
1080 rc = 0;
1081 return rc;
1082 }
1083
1084 selinux_write_opts(m, &opts);
1085
1086 security_free_mnt_opts(&opts);
1087
1088 return rc;
1089 }
1090
inode_mode_to_security_class(umode_t mode)1091 static inline u16 inode_mode_to_security_class(umode_t mode)
1092 {
1093 switch (mode & S_IFMT) {
1094 case S_IFSOCK:
1095 return SECCLASS_SOCK_FILE;
1096 case S_IFLNK:
1097 return SECCLASS_LNK_FILE;
1098 case S_IFREG:
1099 return SECCLASS_FILE;
1100 case S_IFBLK:
1101 return SECCLASS_BLK_FILE;
1102 case S_IFDIR:
1103 return SECCLASS_DIR;
1104 case S_IFCHR:
1105 return SECCLASS_CHR_FILE;
1106 case S_IFIFO:
1107 return SECCLASS_FIFO_FILE;
1108
1109 }
1110
1111 return SECCLASS_FILE;
1112 }
1113
default_protocol_stream(int protocol)1114 static inline int default_protocol_stream(int protocol)
1115 {
1116 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1117 }
1118
default_protocol_dgram(int protocol)1119 static inline int default_protocol_dgram(int protocol)
1120 {
1121 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1122 }
1123
socket_type_to_security_class(int family,int type,int protocol)1124 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1125 {
1126 switch (family) {
1127 case PF_UNIX:
1128 switch (type) {
1129 case SOCK_STREAM:
1130 case SOCK_SEQPACKET:
1131 return SECCLASS_UNIX_STREAM_SOCKET;
1132 case SOCK_DGRAM:
1133 return SECCLASS_UNIX_DGRAM_SOCKET;
1134 }
1135 break;
1136 case PF_INET:
1137 case PF_INET6:
1138 switch (type) {
1139 case SOCK_STREAM:
1140 if (default_protocol_stream(protocol))
1141 return SECCLASS_TCP_SOCKET;
1142 else
1143 return SECCLASS_RAWIP_SOCKET;
1144 case SOCK_DGRAM:
1145 if (default_protocol_dgram(protocol))
1146 return SECCLASS_UDP_SOCKET;
1147 else
1148 return SECCLASS_RAWIP_SOCKET;
1149 case SOCK_DCCP:
1150 return SECCLASS_DCCP_SOCKET;
1151 default:
1152 return SECCLASS_RAWIP_SOCKET;
1153 }
1154 break;
1155 case PF_NETLINK:
1156 switch (protocol) {
1157 case NETLINK_ROUTE:
1158 return SECCLASS_NETLINK_ROUTE_SOCKET;
1159 case NETLINK_FIREWALL:
1160 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1161 case NETLINK_SOCK_DIAG:
1162 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1163 case NETLINK_NFLOG:
1164 return SECCLASS_NETLINK_NFLOG_SOCKET;
1165 case NETLINK_XFRM:
1166 return SECCLASS_NETLINK_XFRM_SOCKET;
1167 case NETLINK_SELINUX:
1168 return SECCLASS_NETLINK_SELINUX_SOCKET;
1169 case NETLINK_AUDIT:
1170 return SECCLASS_NETLINK_AUDIT_SOCKET;
1171 case NETLINK_IP6_FW:
1172 return SECCLASS_NETLINK_IP6FW_SOCKET;
1173 case NETLINK_DNRTMSG:
1174 return SECCLASS_NETLINK_DNRT_SOCKET;
1175 case NETLINK_KOBJECT_UEVENT:
1176 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1177 default:
1178 return SECCLASS_NETLINK_SOCKET;
1179 }
1180 case PF_PACKET:
1181 return SECCLASS_PACKET_SOCKET;
1182 case PF_KEY:
1183 return SECCLASS_KEY_SOCKET;
1184 case PF_APPLETALK:
1185 return SECCLASS_APPLETALK_SOCKET;
1186 }
1187
1188 return SECCLASS_SOCKET;
1189 }
1190
selinux_genfs_get_sid(struct dentry * dentry,u16 tclass,u16 flags,u32 * sid)1191 static int selinux_genfs_get_sid(struct dentry *dentry,
1192 u16 tclass,
1193 u16 flags,
1194 u32 *sid)
1195 {
1196 int rc;
1197 struct super_block *sb = dentry->d_inode->i_sb;
1198 char *buffer, *path;
1199
1200 buffer = (char *)__get_free_page(GFP_KERNEL);
1201 if (!buffer)
1202 return -ENOMEM;
1203
1204 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1205 if (IS_ERR(path))
1206 rc = PTR_ERR(path);
1207 else {
1208 if (flags & SE_SBPROC) {
1209 /* each process gets a /proc/PID/ entry. Strip off the
1210 * PID part to get a valid selinux labeling.
1211 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1212 while (path[1] >= '0' && path[1] <= '9') {
1213 path[1] = '/';
1214 path++;
1215 }
1216 }
1217 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1218 }
1219 free_page((unsigned long)buffer);
1220 return rc;
1221 }
1222
1223 /* The inode's security attributes must be initialized before first use. */
inode_doinit_with_dentry(struct inode * inode,struct dentry * opt_dentry)1224 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1225 {
1226 struct superblock_security_struct *sbsec = NULL;
1227 struct inode_security_struct *isec = inode->i_security;
1228 u32 sid;
1229 struct dentry *dentry;
1230 #define INITCONTEXTLEN 255
1231 char *context = NULL;
1232 unsigned len = 0;
1233 int rc = 0;
1234
1235 if (isec->initialized)
1236 goto out;
1237
1238 mutex_lock(&isec->lock);
1239 if (isec->initialized)
1240 goto out_unlock;
1241
1242 sbsec = inode->i_sb->s_security;
1243 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1244 /* Defer initialization until selinux_complete_init,
1245 after the initial policy is loaded and the security
1246 server is ready to handle calls. */
1247 spin_lock(&sbsec->isec_lock);
1248 if (list_empty(&isec->list))
1249 list_add(&isec->list, &sbsec->isec_head);
1250 spin_unlock(&sbsec->isec_lock);
1251 goto out_unlock;
1252 }
1253
1254 switch (sbsec->behavior) {
1255 case SECURITY_FS_USE_XATTR:
1256 if (!inode->i_op->getxattr) {
1257 isec->sid = sbsec->def_sid;
1258 break;
1259 }
1260
1261 /* Need a dentry, since the xattr API requires one.
1262 Life would be simpler if we could just pass the inode. */
1263 if (opt_dentry) {
1264 /* Called from d_instantiate or d_splice_alias. */
1265 dentry = dget(opt_dentry);
1266 } else {
1267 /* Called from selinux_complete_init, try to find a dentry. */
1268 dentry = d_find_alias(inode);
1269 }
1270 if (!dentry) {
1271 /*
1272 * this is can be hit on boot when a file is accessed
1273 * before the policy is loaded. When we load policy we
1274 * may find inodes that have no dentry on the
1275 * sbsec->isec_head list. No reason to complain as these
1276 * will get fixed up the next time we go through
1277 * inode_doinit with a dentry, before these inodes could
1278 * be used again by userspace.
1279 */
1280 goto out_unlock;
1281 }
1282
1283 len = INITCONTEXTLEN;
1284 context = kmalloc(len+1, GFP_NOFS);
1285 if (!context) {
1286 rc = -ENOMEM;
1287 dput(dentry);
1288 goto out_unlock;
1289 }
1290 context[len] = '\0';
1291 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1292 context, len);
1293 if (rc == -ERANGE) {
1294 kfree(context);
1295
1296 /* Need a larger buffer. Query for the right size. */
1297 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1298 NULL, 0);
1299 if (rc < 0) {
1300 dput(dentry);
1301 goto out_unlock;
1302 }
1303 len = rc;
1304 context = kmalloc(len+1, GFP_NOFS);
1305 if (!context) {
1306 rc = -ENOMEM;
1307 dput(dentry);
1308 goto out_unlock;
1309 }
1310 context[len] = '\0';
1311 rc = inode->i_op->getxattr(dentry,
1312 XATTR_NAME_SELINUX,
1313 context, len);
1314 }
1315 dput(dentry);
1316 if (rc < 0) {
1317 if (rc != -ENODATA) {
1318 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1319 "%d for dev=%s ino=%ld\n", __func__,
1320 -rc, inode->i_sb->s_id, inode->i_ino);
1321 kfree(context);
1322 goto out_unlock;
1323 }
1324 /* Map ENODATA to the default file SID */
1325 sid = sbsec->def_sid;
1326 rc = 0;
1327 } else {
1328 rc = security_context_to_sid_default(context, rc, &sid,
1329 sbsec->def_sid,
1330 GFP_NOFS);
1331 if (rc) {
1332 char *dev = inode->i_sb->s_id;
1333 unsigned long ino = inode->i_ino;
1334
1335 if (rc == -EINVAL) {
1336 if (printk_ratelimit())
1337 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1338 "context=%s. This indicates you may need to relabel the inode or the "
1339 "filesystem in question.\n", ino, dev, context);
1340 } else {
1341 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1342 "returned %d for dev=%s ino=%ld\n",
1343 __func__, context, -rc, dev, ino);
1344 }
1345 kfree(context);
1346 /* Leave with the unlabeled SID */
1347 rc = 0;
1348 break;
1349 }
1350 }
1351 kfree(context);
1352 isec->sid = sid;
1353 break;
1354 case SECURITY_FS_USE_TASK:
1355 isec->sid = isec->task_sid;
1356 break;
1357 case SECURITY_FS_USE_TRANS:
1358 /* Default to the fs SID. */
1359 isec->sid = sbsec->sid;
1360
1361 /* Try to obtain a transition SID. */
1362 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1363 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1364 isec->sclass, NULL, &sid);
1365 if (rc)
1366 goto out_unlock;
1367 isec->sid = sid;
1368 break;
1369 case SECURITY_FS_USE_MNTPOINT:
1370 isec->sid = sbsec->mntpoint_sid;
1371 break;
1372 default:
1373 /* Default to the fs superblock SID. */
1374 isec->sid = sbsec->sid;
1375
1376 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1377 /* We must have a dentry to determine the label on
1378 * procfs inodes */
1379 if (opt_dentry)
1380 /* Called from d_instantiate or
1381 * d_splice_alias. */
1382 dentry = dget(opt_dentry);
1383 else
1384 /* Called from selinux_complete_init, try to
1385 * find a dentry. */
1386 dentry = d_find_alias(inode);
1387 /*
1388 * This can be hit on boot when a file is accessed
1389 * before the policy is loaded. When we load policy we
1390 * may find inodes that have no dentry on the
1391 * sbsec->isec_head list. No reason to complain as
1392 * these will get fixed up the next time we go through
1393 * inode_doinit() with a dentry, before these inodes
1394 * could be used again by userspace.
1395 */
1396 if (!dentry)
1397 goto out_unlock;
1398 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1399 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1400 sbsec->flags, &sid);
1401 dput(dentry);
1402 if (rc)
1403 goto out_unlock;
1404 isec->sid = sid;
1405 }
1406 break;
1407 }
1408
1409 isec->initialized = 1;
1410
1411 out_unlock:
1412 mutex_unlock(&isec->lock);
1413 out:
1414 if (isec->sclass == SECCLASS_FILE)
1415 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1416 return rc;
1417 }
1418
1419 /* Convert a Linux signal to an access vector. */
signal_to_av(int sig)1420 static inline u32 signal_to_av(int sig)
1421 {
1422 u32 perm = 0;
1423
1424 switch (sig) {
1425 case SIGCHLD:
1426 /* Commonly granted from child to parent. */
1427 perm = PROCESS__SIGCHLD;
1428 break;
1429 case SIGKILL:
1430 /* Cannot be caught or ignored */
1431 perm = PROCESS__SIGKILL;
1432 break;
1433 case SIGSTOP:
1434 /* Cannot be caught or ignored */
1435 perm = PROCESS__SIGSTOP;
1436 break;
1437 default:
1438 /* All other signals. */
1439 perm = PROCESS__SIGNAL;
1440 break;
1441 }
1442
1443 return perm;
1444 }
1445
1446 /*
1447 * Check permission between a pair of credentials
1448 * fork check, ptrace check, etc.
1449 */
cred_has_perm(const struct cred * actor,const struct cred * target,u32 perms)1450 static int cred_has_perm(const struct cred *actor,
1451 const struct cred *target,
1452 u32 perms)
1453 {
1454 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1455
1456 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1457 }
1458
1459 /*
1460 * Check permission between a pair of tasks, e.g. signal checks,
1461 * fork check, ptrace check, etc.
1462 * tsk1 is the actor and tsk2 is the target
1463 * - this uses the default subjective creds of tsk1
1464 */
task_has_perm(const struct task_struct * tsk1,const struct task_struct * tsk2,u32 perms)1465 static int task_has_perm(const struct task_struct *tsk1,
1466 const struct task_struct *tsk2,
1467 u32 perms)
1468 {
1469 const struct task_security_struct *__tsec1, *__tsec2;
1470 u32 sid1, sid2;
1471
1472 rcu_read_lock();
1473 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1474 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1475 rcu_read_unlock();
1476 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1477 }
1478
1479 /*
1480 * Check permission between current and another task, e.g. signal checks,
1481 * fork check, ptrace check, etc.
1482 * current is the actor and tsk2 is the target
1483 * - this uses current's subjective creds
1484 */
current_has_perm(const struct task_struct * tsk,u32 perms)1485 static int current_has_perm(const struct task_struct *tsk,
1486 u32 perms)
1487 {
1488 u32 sid, tsid;
1489
1490 sid = current_sid();
1491 tsid = task_sid(tsk);
1492 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1493 }
1494
1495 #if CAP_LAST_CAP > 63
1496 #error Fix SELinux to handle capabilities > 63.
1497 #endif
1498
1499 /* Check whether a task is allowed to use a capability. */
cred_has_capability(const struct cred * cred,int cap,int audit)1500 static int cred_has_capability(const struct cred *cred,
1501 int cap, int audit)
1502 {
1503 struct common_audit_data ad;
1504 struct av_decision avd;
1505 u16 sclass;
1506 u32 sid = cred_sid(cred);
1507 u32 av = CAP_TO_MASK(cap);
1508 int rc;
1509
1510 ad.type = LSM_AUDIT_DATA_CAP;
1511 ad.u.cap = cap;
1512
1513 switch (CAP_TO_INDEX(cap)) {
1514 case 0:
1515 sclass = SECCLASS_CAPABILITY;
1516 break;
1517 case 1:
1518 sclass = SECCLASS_CAPABILITY2;
1519 break;
1520 default:
1521 printk(KERN_ERR
1522 "SELinux: out of range capability %d\n", cap);
1523 BUG();
1524 return -EINVAL;
1525 }
1526
1527 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1528 if (audit == SECURITY_CAP_AUDIT) {
1529 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1530 if (rc2)
1531 return rc2;
1532 }
1533 return rc;
1534 }
1535
1536 /* Check whether a task is allowed to use a system operation. */
task_has_system(struct task_struct * tsk,u32 perms)1537 static int task_has_system(struct task_struct *tsk,
1538 u32 perms)
1539 {
1540 u32 sid = task_sid(tsk);
1541
1542 return avc_has_perm(sid, SECINITSID_KERNEL,
1543 SECCLASS_SYSTEM, perms, NULL);
1544 }
1545
1546 /* Check whether a task has a particular permission to an inode.
1547 The 'adp' parameter is optional and allows other audit
1548 data to be passed (e.g. the dentry). */
inode_has_perm(const struct cred * cred,struct inode * inode,u32 perms,struct common_audit_data * adp,unsigned flags)1549 static int inode_has_perm(const struct cred *cred,
1550 struct inode *inode,
1551 u32 perms,
1552 struct common_audit_data *adp,
1553 unsigned flags)
1554 {
1555 struct inode_security_struct *isec;
1556 u32 sid;
1557
1558 validate_creds(cred);
1559
1560 if (unlikely(IS_PRIVATE(inode)))
1561 return 0;
1562
1563 sid = cred_sid(cred);
1564 isec = inode->i_security;
1565
1566 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1567 }
1568
1569 /* Same as inode_has_perm, but pass explicit audit data containing
1570 the dentry to help the auditing code to more easily generate the
1571 pathname if needed. */
dentry_has_perm(const struct cred * cred,struct dentry * dentry,u32 av)1572 static inline int dentry_has_perm(const struct cred *cred,
1573 struct dentry *dentry,
1574 u32 av)
1575 {
1576 struct inode *inode = dentry->d_inode;
1577 struct common_audit_data ad;
1578
1579 ad.type = LSM_AUDIT_DATA_DENTRY;
1580 ad.u.dentry = dentry;
1581 return inode_has_perm(cred, inode, av, &ad, 0);
1582 }
1583
1584 /* Same as inode_has_perm, but pass explicit audit data containing
1585 the path to help the auditing code to more easily generate the
1586 pathname if needed. */
path_has_perm(const struct cred * cred,struct path * path,u32 av)1587 static inline int path_has_perm(const struct cred *cred,
1588 struct path *path,
1589 u32 av)
1590 {
1591 struct inode *inode = path->dentry->d_inode;
1592 struct common_audit_data ad;
1593
1594 ad.type = LSM_AUDIT_DATA_PATH;
1595 ad.u.path = *path;
1596 return inode_has_perm(cred, inode, av, &ad, 0);
1597 }
1598
1599 /* Check whether a task can use an open file descriptor to
1600 access an inode in a given way. Check access to the
1601 descriptor itself, and then use dentry_has_perm to
1602 check a particular permission to the file.
1603 Access to the descriptor is implicitly granted if it
1604 has the same SID as the process. If av is zero, then
1605 access to the file is not checked, e.g. for cases
1606 where only the descriptor is affected like seek. */
file_has_perm(const struct cred * cred,struct file * file,u32 av)1607 static int file_has_perm(const struct cred *cred,
1608 struct file *file,
1609 u32 av)
1610 {
1611 struct file_security_struct *fsec = file->f_security;
1612 struct inode *inode = file_inode(file);
1613 struct common_audit_data ad;
1614 u32 sid = cred_sid(cred);
1615 int rc;
1616
1617 ad.type = LSM_AUDIT_DATA_PATH;
1618 ad.u.path = file->f_path;
1619
1620 if (sid != fsec->sid) {
1621 rc = avc_has_perm(sid, fsec->sid,
1622 SECCLASS_FD,
1623 FD__USE,
1624 &ad);
1625 if (rc)
1626 goto out;
1627 }
1628
1629 /* av is zero if only checking access to the descriptor. */
1630 rc = 0;
1631 if (av)
1632 rc = inode_has_perm(cred, inode, av, &ad, 0);
1633
1634 out:
1635 return rc;
1636 }
1637
1638 /* Check whether a task can create a file. */
may_create(struct inode * dir,struct dentry * dentry,u16 tclass)1639 static int may_create(struct inode *dir,
1640 struct dentry *dentry,
1641 u16 tclass)
1642 {
1643 const struct task_security_struct *tsec = current_security();
1644 struct inode_security_struct *dsec;
1645 struct superblock_security_struct *sbsec;
1646 u32 sid, newsid;
1647 struct common_audit_data ad;
1648 int rc;
1649
1650 dsec = dir->i_security;
1651 sbsec = dir->i_sb->s_security;
1652
1653 sid = tsec->sid;
1654 newsid = tsec->create_sid;
1655
1656 ad.type = LSM_AUDIT_DATA_DENTRY;
1657 ad.u.dentry = dentry;
1658
1659 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1660 DIR__ADD_NAME | DIR__SEARCH,
1661 &ad);
1662 if (rc)
1663 return rc;
1664
1665 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1666 rc = security_transition_sid(sid, dsec->sid, tclass,
1667 &dentry->d_name, &newsid);
1668 if (rc)
1669 return rc;
1670 }
1671
1672 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1673 if (rc)
1674 return rc;
1675
1676 return avc_has_perm(newsid, sbsec->sid,
1677 SECCLASS_FILESYSTEM,
1678 FILESYSTEM__ASSOCIATE, &ad);
1679 }
1680
1681 /* Check whether a task can create a key. */
may_create_key(u32 ksid,struct task_struct * ctx)1682 static int may_create_key(u32 ksid,
1683 struct task_struct *ctx)
1684 {
1685 u32 sid = task_sid(ctx);
1686
1687 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1688 }
1689
1690 #define MAY_LINK 0
1691 #define MAY_UNLINK 1
1692 #define MAY_RMDIR 2
1693
1694 /* Check whether a task can link, unlink, or rmdir a file/directory. */
may_link(struct inode * dir,struct dentry * dentry,int kind)1695 static int may_link(struct inode *dir,
1696 struct dentry *dentry,
1697 int kind)
1698
1699 {
1700 struct inode_security_struct *dsec, *isec;
1701 struct common_audit_data ad;
1702 u32 sid = current_sid();
1703 u32 av;
1704 int rc;
1705
1706 dsec = dir->i_security;
1707 isec = dentry->d_inode->i_security;
1708
1709 ad.type = LSM_AUDIT_DATA_DENTRY;
1710 ad.u.dentry = dentry;
1711
1712 av = DIR__SEARCH;
1713 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1714 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1715 if (rc)
1716 return rc;
1717
1718 switch (kind) {
1719 case MAY_LINK:
1720 av = FILE__LINK;
1721 break;
1722 case MAY_UNLINK:
1723 av = FILE__UNLINK;
1724 break;
1725 case MAY_RMDIR:
1726 av = DIR__RMDIR;
1727 break;
1728 default:
1729 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1730 __func__, kind);
1731 return 0;
1732 }
1733
1734 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1735 return rc;
1736 }
1737
may_rename(struct inode * old_dir,struct dentry * old_dentry,struct inode * new_dir,struct dentry * new_dentry)1738 static inline int may_rename(struct inode *old_dir,
1739 struct dentry *old_dentry,
1740 struct inode *new_dir,
1741 struct dentry *new_dentry)
1742 {
1743 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1744 struct common_audit_data ad;
1745 u32 sid = current_sid();
1746 u32 av;
1747 int old_is_dir, new_is_dir;
1748 int rc;
1749
1750 old_dsec = old_dir->i_security;
1751 old_isec = old_dentry->d_inode->i_security;
1752 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1753 new_dsec = new_dir->i_security;
1754
1755 ad.type = LSM_AUDIT_DATA_DENTRY;
1756
1757 ad.u.dentry = old_dentry;
1758 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1759 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1760 if (rc)
1761 return rc;
1762 rc = avc_has_perm(sid, old_isec->sid,
1763 old_isec->sclass, FILE__RENAME, &ad);
1764 if (rc)
1765 return rc;
1766 if (old_is_dir && new_dir != old_dir) {
1767 rc = avc_has_perm(sid, old_isec->sid,
1768 old_isec->sclass, DIR__REPARENT, &ad);
1769 if (rc)
1770 return rc;
1771 }
1772
1773 ad.u.dentry = new_dentry;
1774 av = DIR__ADD_NAME | DIR__SEARCH;
1775 if (new_dentry->d_inode)
1776 av |= DIR__REMOVE_NAME;
1777 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1778 if (rc)
1779 return rc;
1780 if (new_dentry->d_inode) {
1781 new_isec = new_dentry->d_inode->i_security;
1782 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1783 rc = avc_has_perm(sid, new_isec->sid,
1784 new_isec->sclass,
1785 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1786 if (rc)
1787 return rc;
1788 }
1789
1790 return 0;
1791 }
1792
1793 /* Check whether a task can perform a filesystem operation. */
superblock_has_perm(const struct cred * cred,struct super_block * sb,u32 perms,struct common_audit_data * ad)1794 static int superblock_has_perm(const struct cred *cred,
1795 struct super_block *sb,
1796 u32 perms,
1797 struct common_audit_data *ad)
1798 {
1799 struct superblock_security_struct *sbsec;
1800 u32 sid = cred_sid(cred);
1801
1802 sbsec = sb->s_security;
1803 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1804 }
1805
1806 /* Convert a Linux mode and permission mask to an access vector. */
file_mask_to_av(int mode,int mask)1807 static inline u32 file_mask_to_av(int mode, int mask)
1808 {
1809 u32 av = 0;
1810
1811 if (!S_ISDIR(mode)) {
1812 if (mask & MAY_EXEC)
1813 av |= FILE__EXECUTE;
1814 if (mask & MAY_READ)
1815 av |= FILE__READ;
1816
1817 if (mask & MAY_APPEND)
1818 av |= FILE__APPEND;
1819 else if (mask & MAY_WRITE)
1820 av |= FILE__WRITE;
1821
1822 } else {
1823 if (mask & MAY_EXEC)
1824 av |= DIR__SEARCH;
1825 if (mask & MAY_WRITE)
1826 av |= DIR__WRITE;
1827 if (mask & MAY_READ)
1828 av |= DIR__READ;
1829 }
1830
1831 return av;
1832 }
1833
1834 /* Convert a Linux file to an access vector. */
file_to_av(struct file * file)1835 static inline u32 file_to_av(struct file *file)
1836 {
1837 u32 av = 0;
1838
1839 if (file->f_mode & FMODE_READ)
1840 av |= FILE__READ;
1841 if (file->f_mode & FMODE_WRITE) {
1842 if (file->f_flags & O_APPEND)
1843 av |= FILE__APPEND;
1844 else
1845 av |= FILE__WRITE;
1846 }
1847 if (!av) {
1848 /*
1849 * Special file opened with flags 3 for ioctl-only use.
1850 */
1851 av = FILE__IOCTL;
1852 }
1853
1854 return av;
1855 }
1856
1857 /*
1858 * Convert a file to an access vector and include the correct open
1859 * open permission.
1860 */
open_file_to_av(struct file * file)1861 static inline u32 open_file_to_av(struct file *file)
1862 {
1863 u32 av = file_to_av(file);
1864
1865 if (selinux_policycap_openperm)
1866 av |= FILE__OPEN;
1867
1868 return av;
1869 }
1870
1871 /* Hook functions begin here. */
1872
selinux_binder_set_context_mgr(struct task_struct * mgr)1873 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1874 {
1875 u32 mysid = current_sid();
1876 u32 mgrsid = task_sid(mgr);
1877
1878 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, BINDER__SET_CONTEXT_MGR, NULL);
1879 }
1880
selinux_binder_transaction(struct task_struct * from,struct task_struct * to)1881 static int selinux_binder_transaction(struct task_struct *from, struct task_struct *to)
1882 {
1883 u32 mysid = current_sid();
1884 u32 fromsid = task_sid(from);
1885 u32 tosid = task_sid(to);
1886 int rc;
1887
1888 if (mysid != fromsid) {
1889 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, BINDER__IMPERSONATE, NULL);
1890 if (rc)
1891 return rc;
1892 }
1893
1894 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, NULL);
1895 }
1896
selinux_binder_transfer_binder(struct task_struct * from,struct task_struct * to)1897 static int selinux_binder_transfer_binder(struct task_struct *from, struct task_struct *to)
1898 {
1899 u32 fromsid = task_sid(from);
1900 u32 tosid = task_sid(to);
1901 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, NULL);
1902 }
1903
selinux_binder_transfer_file(struct task_struct * from,struct task_struct * to,struct file * file)1904 static int selinux_binder_transfer_file(struct task_struct *from, struct task_struct *to, struct file *file)
1905 {
1906 u32 sid = task_sid(to);
1907 struct file_security_struct *fsec = file->f_security;
1908 struct inode *inode = file->f_path.dentry->d_inode;
1909 struct inode_security_struct *isec = inode->i_security;
1910 struct common_audit_data ad;
1911 int rc;
1912
1913 ad.type = LSM_AUDIT_DATA_PATH;
1914 ad.u.path = file->f_path;
1915
1916 if (sid != fsec->sid) {
1917 rc = avc_has_perm(sid, fsec->sid,
1918 SECCLASS_FD,
1919 FD__USE,
1920 &ad);
1921 if (rc)
1922 return rc;
1923 }
1924
1925 if (unlikely(IS_PRIVATE(inode)))
1926 return 0;
1927
1928 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
1929 &ad);
1930 }
1931
selinux_ptrace_access_check(struct task_struct * child,unsigned int mode)1932 static int selinux_ptrace_access_check(struct task_struct *child,
1933 unsigned int mode)
1934 {
1935 int rc;
1936
1937 rc = cap_ptrace_access_check(child, mode);
1938 if (rc)
1939 return rc;
1940
1941 if (mode & PTRACE_MODE_READ) {
1942 u32 sid = current_sid();
1943 u32 csid = task_sid(child);
1944 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1945 }
1946
1947 return current_has_perm(child, PROCESS__PTRACE);
1948 }
1949
selinux_ptrace_traceme(struct task_struct * parent)1950 static int selinux_ptrace_traceme(struct task_struct *parent)
1951 {
1952 int rc;
1953
1954 rc = cap_ptrace_traceme(parent);
1955 if (rc)
1956 return rc;
1957
1958 return task_has_perm(parent, current, PROCESS__PTRACE);
1959 }
1960
selinux_capget(struct task_struct * target,kernel_cap_t * effective,kernel_cap_t * inheritable,kernel_cap_t * permitted)1961 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1962 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1963 {
1964 int error;
1965
1966 error = current_has_perm(target, PROCESS__GETCAP);
1967 if (error)
1968 return error;
1969
1970 return cap_capget(target, effective, inheritable, permitted);
1971 }
1972
selinux_capset(struct cred * new,const struct cred * old,const kernel_cap_t * effective,const kernel_cap_t * inheritable,const kernel_cap_t * permitted)1973 static int selinux_capset(struct cred *new, const struct cred *old,
1974 const kernel_cap_t *effective,
1975 const kernel_cap_t *inheritable,
1976 const kernel_cap_t *permitted)
1977 {
1978 int error;
1979
1980 error = cap_capset(new, old,
1981 effective, inheritable, permitted);
1982 if (error)
1983 return error;
1984
1985 return cred_has_perm(old, new, PROCESS__SETCAP);
1986 }
1987
1988 /*
1989 * (This comment used to live with the selinux_task_setuid hook,
1990 * which was removed).
1991 *
1992 * Since setuid only affects the current process, and since the SELinux
1993 * controls are not based on the Linux identity attributes, SELinux does not
1994 * need to control this operation. However, SELinux does control the use of
1995 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1996 */
1997
selinux_capable(const struct cred * cred,struct user_namespace * ns,int cap,int audit)1998 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1999 int cap, int audit)
2000 {
2001 int rc;
2002
2003 rc = cap_capable(cred, ns, cap, audit);
2004 if (rc)
2005 return rc;
2006
2007 return cred_has_capability(cred, cap, audit);
2008 }
2009
selinux_quotactl(int cmds,int type,int id,struct super_block * sb)2010 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2011 {
2012 const struct cred *cred = current_cred();
2013 int rc = 0;
2014
2015 if (!sb)
2016 return 0;
2017
2018 switch (cmds) {
2019 case Q_SYNC:
2020 case Q_QUOTAON:
2021 case Q_QUOTAOFF:
2022 case Q_SETINFO:
2023 case Q_SETQUOTA:
2024 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2025 break;
2026 case Q_GETFMT:
2027 case Q_GETINFO:
2028 case Q_GETQUOTA:
2029 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2030 break;
2031 default:
2032 rc = 0; /* let the kernel handle invalid cmds */
2033 break;
2034 }
2035 return rc;
2036 }
2037
selinux_quota_on(struct dentry * dentry)2038 static int selinux_quota_on(struct dentry *dentry)
2039 {
2040 const struct cred *cred = current_cred();
2041
2042 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2043 }
2044
selinux_syslog(int type)2045 static int selinux_syslog(int type)
2046 {
2047 int rc;
2048
2049 switch (type) {
2050 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2051 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2052 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2053 break;
2054 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2055 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2056 /* Set level of messages printed to console */
2057 case SYSLOG_ACTION_CONSOLE_LEVEL:
2058 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2059 break;
2060 case SYSLOG_ACTION_CLOSE: /* Close log */
2061 case SYSLOG_ACTION_OPEN: /* Open log */
2062 case SYSLOG_ACTION_READ: /* Read from log */
2063 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2064 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
2065 default:
2066 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2067 break;
2068 }
2069 return rc;
2070 }
2071
2072 /*
2073 * Check that a process has enough memory to allocate a new virtual
2074 * mapping. 0 means there is enough memory for the allocation to
2075 * succeed and -ENOMEM implies there is not.
2076 *
2077 * Do not audit the selinux permission check, as this is applied to all
2078 * processes that allocate mappings.
2079 */
selinux_vm_enough_memory(struct mm_struct * mm,long pages)2080 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2081 {
2082 int rc, cap_sys_admin = 0;
2083
2084 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
2085 SECURITY_CAP_NOAUDIT);
2086 if (rc == 0)
2087 cap_sys_admin = 1;
2088
2089 return __vm_enough_memory(mm, pages, cap_sys_admin);
2090 }
2091
2092 /* binprm security operations */
2093
selinux_bprm_set_creds(struct linux_binprm * bprm)2094 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2095 {
2096 const struct task_security_struct *old_tsec;
2097 struct task_security_struct *new_tsec;
2098 struct inode_security_struct *isec;
2099 struct common_audit_data ad;
2100 struct inode *inode = file_inode(bprm->file);
2101 int rc;
2102
2103 rc = cap_bprm_set_creds(bprm);
2104 if (rc)
2105 return rc;
2106
2107 /* SELinux context only depends on initial program or script and not
2108 * the script interpreter */
2109 if (bprm->cred_prepared)
2110 return 0;
2111
2112 old_tsec = current_security();
2113 new_tsec = bprm->cred->security;
2114 isec = inode->i_security;
2115
2116 /* Default to the current task SID. */
2117 new_tsec->sid = old_tsec->sid;
2118 new_tsec->osid = old_tsec->sid;
2119
2120 /* Reset fs, key, and sock SIDs on execve. */
2121 new_tsec->create_sid = 0;
2122 new_tsec->keycreate_sid = 0;
2123 new_tsec->sockcreate_sid = 0;
2124
2125 if (old_tsec->exec_sid) {
2126 new_tsec->sid = old_tsec->exec_sid;
2127 /* Reset exec SID on execve. */
2128 new_tsec->exec_sid = 0;
2129
2130 /*
2131 * Minimize confusion: if no_new_privs and a transition is
2132 * explicitly requested, then fail the exec.
2133 */
2134 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2135 return -EPERM;
2136 } else {
2137 /* Check for a default transition on this program. */
2138 rc = security_transition_sid(old_tsec->sid, isec->sid,
2139 SECCLASS_PROCESS, NULL,
2140 &new_tsec->sid);
2141 if (rc)
2142 return rc;
2143 }
2144
2145 ad.type = LSM_AUDIT_DATA_PATH;
2146 ad.u.path = bprm->file->f_path;
2147
2148 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2149 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2150 new_tsec->sid = old_tsec->sid;
2151
2152 if (new_tsec->sid == old_tsec->sid) {
2153 rc = avc_has_perm(old_tsec->sid, isec->sid,
2154 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2155 if (rc)
2156 return rc;
2157 } else {
2158 /* Check permissions for the transition. */
2159 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2160 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2161 if (rc)
2162 return rc;
2163
2164 rc = avc_has_perm(new_tsec->sid, isec->sid,
2165 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2166 if (rc)
2167 return rc;
2168
2169 /* Check for shared state */
2170 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2171 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2172 SECCLASS_PROCESS, PROCESS__SHARE,
2173 NULL);
2174 if (rc)
2175 return -EPERM;
2176 }
2177
2178 /* Make sure that anyone attempting to ptrace over a task that
2179 * changes its SID has the appropriate permit */
2180 if (bprm->unsafe &
2181 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2182 struct task_struct *tracer;
2183 struct task_security_struct *sec;
2184 u32 ptsid = 0;
2185
2186 rcu_read_lock();
2187 tracer = ptrace_parent(current);
2188 if (likely(tracer != NULL)) {
2189 sec = __task_cred(tracer)->security;
2190 ptsid = sec->sid;
2191 }
2192 rcu_read_unlock();
2193
2194 if (ptsid != 0) {
2195 rc = avc_has_perm(ptsid, new_tsec->sid,
2196 SECCLASS_PROCESS,
2197 PROCESS__PTRACE, NULL);
2198 if (rc)
2199 return -EPERM;
2200 }
2201 }
2202
2203 /* Clear any possibly unsafe personality bits on exec: */
2204 bprm->per_clear |= PER_CLEAR_ON_SETID;
2205 }
2206
2207 return 0;
2208 }
2209
selinux_bprm_secureexec(struct linux_binprm * bprm)2210 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2211 {
2212 const struct task_security_struct *tsec = current_security();
2213 u32 sid, osid;
2214 int atsecure = 0;
2215
2216 sid = tsec->sid;
2217 osid = tsec->osid;
2218
2219 if (osid != sid) {
2220 /* Enable secure mode for SIDs transitions unless
2221 the noatsecure permission is granted between
2222 the two SIDs, i.e. ahp returns 0. */
2223 atsecure = avc_has_perm(osid, sid,
2224 SECCLASS_PROCESS,
2225 PROCESS__NOATSECURE, NULL);
2226 }
2227
2228 return (atsecure || cap_bprm_secureexec(bprm));
2229 }
2230
match_file(const void * p,struct file * file,unsigned fd)2231 static int match_file(const void *p, struct file *file, unsigned fd)
2232 {
2233 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2234 }
2235
2236 /* Derived from fs/exec.c:flush_old_files. */
flush_unauthorized_files(const struct cred * cred,struct files_struct * files)2237 static inline void flush_unauthorized_files(const struct cred *cred,
2238 struct files_struct *files)
2239 {
2240 struct file *file, *devnull = NULL;
2241 struct tty_struct *tty;
2242 int drop_tty = 0;
2243 unsigned n;
2244
2245 tty = get_current_tty();
2246 if (tty) {
2247 spin_lock(&tty_files_lock);
2248 if (!list_empty(&tty->tty_files)) {
2249 struct tty_file_private *file_priv;
2250
2251 /* Revalidate access to controlling tty.
2252 Use path_has_perm on the tty path directly rather
2253 than using file_has_perm, as this particular open
2254 file may belong to another process and we are only
2255 interested in the inode-based check here. */
2256 file_priv = list_first_entry(&tty->tty_files,
2257 struct tty_file_private, list);
2258 file = file_priv->file;
2259 if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
2260 drop_tty = 1;
2261 }
2262 spin_unlock(&tty_files_lock);
2263 tty_kref_put(tty);
2264 }
2265 /* Reset controlling tty. */
2266 if (drop_tty)
2267 no_tty();
2268
2269 /* Revalidate access to inherited open files. */
2270 n = iterate_fd(files, 0, match_file, cred);
2271 if (!n) /* none found? */
2272 return;
2273
2274 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2275 if (IS_ERR(devnull))
2276 devnull = NULL;
2277 /* replace all the matching ones with this */
2278 do {
2279 replace_fd(n - 1, devnull, 0);
2280 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2281 if (devnull)
2282 fput(devnull);
2283 }
2284
2285 /*
2286 * Prepare a process for imminent new credential changes due to exec
2287 */
selinux_bprm_committing_creds(struct linux_binprm * bprm)2288 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2289 {
2290 struct task_security_struct *new_tsec;
2291 struct rlimit *rlim, *initrlim;
2292 int rc, i;
2293
2294 new_tsec = bprm->cred->security;
2295 if (new_tsec->sid == new_tsec->osid)
2296 return;
2297
2298 /* Close files for which the new task SID is not authorized. */
2299 flush_unauthorized_files(bprm->cred, current->files);
2300
2301 /* Always clear parent death signal on SID transitions. */
2302 current->pdeath_signal = 0;
2303
2304 /* Check whether the new SID can inherit resource limits from the old
2305 * SID. If not, reset all soft limits to the lower of the current
2306 * task's hard limit and the init task's soft limit.
2307 *
2308 * Note that the setting of hard limits (even to lower them) can be
2309 * controlled by the setrlimit check. The inclusion of the init task's
2310 * soft limit into the computation is to avoid resetting soft limits
2311 * higher than the default soft limit for cases where the default is
2312 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2313 */
2314 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2315 PROCESS__RLIMITINH, NULL);
2316 if (rc) {
2317 /* protect against do_prlimit() */
2318 task_lock(current);
2319 for (i = 0; i < RLIM_NLIMITS; i++) {
2320 rlim = current->signal->rlim + i;
2321 initrlim = init_task.signal->rlim + i;
2322 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2323 }
2324 task_unlock(current);
2325 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2326 }
2327 }
2328
2329 /*
2330 * Clean up the process immediately after the installation of new credentials
2331 * due to exec
2332 */
selinux_bprm_committed_creds(struct linux_binprm * bprm)2333 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2334 {
2335 const struct task_security_struct *tsec = current_security();
2336 struct itimerval itimer;
2337 u32 osid, sid;
2338 int rc, i;
2339
2340 osid = tsec->osid;
2341 sid = tsec->sid;
2342
2343 if (sid == osid)
2344 return;
2345
2346 /* Check whether the new SID can inherit signal state from the old SID.
2347 * If not, clear itimers to avoid subsequent signal generation and
2348 * flush and unblock signals.
2349 *
2350 * This must occur _after_ the task SID has been updated so that any
2351 * kill done after the flush will be checked against the new SID.
2352 */
2353 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2354 if (rc) {
2355 memset(&itimer, 0, sizeof itimer);
2356 for (i = 0; i < 3; i++)
2357 do_setitimer(i, &itimer, NULL);
2358 spin_lock_irq(¤t->sighand->siglock);
2359 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2360 __flush_signals(current);
2361 flush_signal_handlers(current, 1);
2362 sigemptyset(¤t->blocked);
2363 }
2364 spin_unlock_irq(¤t->sighand->siglock);
2365 }
2366
2367 /* Wake up the parent if it is waiting so that it can recheck
2368 * wait permission to the new task SID. */
2369 read_lock(&tasklist_lock);
2370 __wake_up_parent(current, current->real_parent);
2371 read_unlock(&tasklist_lock);
2372 }
2373
2374 /* superblock security operations */
2375
selinux_sb_alloc_security(struct super_block * sb)2376 static int selinux_sb_alloc_security(struct super_block *sb)
2377 {
2378 return superblock_alloc_security(sb);
2379 }
2380
selinux_sb_free_security(struct super_block * sb)2381 static void selinux_sb_free_security(struct super_block *sb)
2382 {
2383 superblock_free_security(sb);
2384 }
2385
match_prefix(char * prefix,int plen,char * option,int olen)2386 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2387 {
2388 if (plen > olen)
2389 return 0;
2390
2391 return !memcmp(prefix, option, plen);
2392 }
2393
selinux_option(char * option,int len)2394 static inline int selinux_option(char *option, int len)
2395 {
2396 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2397 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2398 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2399 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2400 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2401 }
2402
take_option(char ** to,char * from,int * first,int len)2403 static inline void take_option(char **to, char *from, int *first, int len)
2404 {
2405 if (!*first) {
2406 **to = ',';
2407 *to += 1;
2408 } else
2409 *first = 0;
2410 memcpy(*to, from, len);
2411 *to += len;
2412 }
2413
take_selinux_option(char ** to,char * from,int * first,int len)2414 static inline void take_selinux_option(char **to, char *from, int *first,
2415 int len)
2416 {
2417 int current_size = 0;
2418
2419 if (!*first) {
2420 **to = '|';
2421 *to += 1;
2422 } else
2423 *first = 0;
2424
2425 while (current_size < len) {
2426 if (*from != '"') {
2427 **to = *from;
2428 *to += 1;
2429 }
2430 from += 1;
2431 current_size += 1;
2432 }
2433 }
2434
selinux_sb_copy_data(char * orig,char * copy)2435 static int selinux_sb_copy_data(char *orig, char *copy)
2436 {
2437 int fnosec, fsec, rc = 0;
2438 char *in_save, *in_curr, *in_end;
2439 char *sec_curr, *nosec_save, *nosec;
2440 int open_quote = 0;
2441
2442 in_curr = orig;
2443 sec_curr = copy;
2444
2445 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2446 if (!nosec) {
2447 rc = -ENOMEM;
2448 goto out;
2449 }
2450
2451 nosec_save = nosec;
2452 fnosec = fsec = 1;
2453 in_save = in_end = orig;
2454
2455 do {
2456 if (*in_end == '"')
2457 open_quote = !open_quote;
2458 if ((*in_end == ',' && open_quote == 0) ||
2459 *in_end == '\0') {
2460 int len = in_end - in_curr;
2461
2462 if (selinux_option(in_curr, len))
2463 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2464 else
2465 take_option(&nosec, in_curr, &fnosec, len);
2466
2467 in_curr = in_end + 1;
2468 }
2469 } while (*in_end++);
2470
2471 strcpy(in_save, nosec_save);
2472 free_page((unsigned long)nosec_save);
2473 out:
2474 return rc;
2475 }
2476
selinux_sb_remount(struct super_block * sb,void * data)2477 static int selinux_sb_remount(struct super_block *sb, void *data)
2478 {
2479 int rc, i, *flags;
2480 struct security_mnt_opts opts;
2481 char *secdata, **mount_options;
2482 struct superblock_security_struct *sbsec = sb->s_security;
2483
2484 if (!(sbsec->flags & SE_SBINITIALIZED))
2485 return 0;
2486
2487 if (!data)
2488 return 0;
2489
2490 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2491 return 0;
2492
2493 security_init_mnt_opts(&opts);
2494 secdata = alloc_secdata();
2495 if (!secdata)
2496 return -ENOMEM;
2497 rc = selinux_sb_copy_data(data, secdata);
2498 if (rc)
2499 goto out_free_secdata;
2500
2501 rc = selinux_parse_opts_str(secdata, &opts);
2502 if (rc)
2503 goto out_free_secdata;
2504
2505 mount_options = opts.mnt_opts;
2506 flags = opts.mnt_opts_flags;
2507
2508 for (i = 0; i < opts.num_mnt_opts; i++) {
2509 u32 sid;
2510 size_t len;
2511
2512 if (flags[i] == SE_SBLABELSUPP)
2513 continue;
2514 len = strlen(mount_options[i]);
2515 rc = security_context_to_sid(mount_options[i], len, &sid);
2516 if (rc) {
2517 printk(KERN_WARNING "SELinux: security_context_to_sid"
2518 "(%s) failed for (dev %s, type %s) errno=%d\n",
2519 mount_options[i], sb->s_id, sb->s_type->name, rc);
2520 goto out_free_opts;
2521 }
2522 rc = -EINVAL;
2523 switch (flags[i]) {
2524 case FSCONTEXT_MNT:
2525 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2526 goto out_bad_option;
2527 break;
2528 case CONTEXT_MNT:
2529 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2530 goto out_bad_option;
2531 break;
2532 case ROOTCONTEXT_MNT: {
2533 struct inode_security_struct *root_isec;
2534 root_isec = sb->s_root->d_inode->i_security;
2535
2536 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2537 goto out_bad_option;
2538 break;
2539 }
2540 case DEFCONTEXT_MNT:
2541 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2542 goto out_bad_option;
2543 break;
2544 default:
2545 goto out_free_opts;
2546 }
2547 }
2548
2549 rc = 0;
2550 out_free_opts:
2551 security_free_mnt_opts(&opts);
2552 out_free_secdata:
2553 free_secdata(secdata);
2554 return rc;
2555 out_bad_option:
2556 printk(KERN_WARNING "SELinux: unable to change security options "
2557 "during remount (dev %s, type=%s)\n", sb->s_id,
2558 sb->s_type->name);
2559 goto out_free_opts;
2560 }
2561
selinux_sb_kern_mount(struct super_block * sb,int flags,void * data)2562 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2563 {
2564 const struct cred *cred = current_cred();
2565 struct common_audit_data ad;
2566 int rc;
2567
2568 rc = superblock_doinit(sb, data);
2569 if (rc)
2570 return rc;
2571
2572 /* Allow all mounts performed by the kernel */
2573 if (flags & MS_KERNMOUNT)
2574 return 0;
2575
2576 ad.type = LSM_AUDIT_DATA_DENTRY;
2577 ad.u.dentry = sb->s_root;
2578 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2579 }
2580
selinux_sb_statfs(struct dentry * dentry)2581 static int selinux_sb_statfs(struct dentry *dentry)
2582 {
2583 const struct cred *cred = current_cred();
2584 struct common_audit_data ad;
2585
2586 ad.type = LSM_AUDIT_DATA_DENTRY;
2587 ad.u.dentry = dentry->d_sb->s_root;
2588 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2589 }
2590
selinux_mount(const char * dev_name,struct path * path,const char * type,unsigned long flags,void * data)2591 static int selinux_mount(const char *dev_name,
2592 struct path *path,
2593 const char *type,
2594 unsigned long flags,
2595 void *data)
2596 {
2597 const struct cred *cred = current_cred();
2598
2599 if (flags & MS_REMOUNT)
2600 return superblock_has_perm(cred, path->dentry->d_sb,
2601 FILESYSTEM__REMOUNT, NULL);
2602 else
2603 return path_has_perm(cred, path, FILE__MOUNTON);
2604 }
2605
selinux_umount(struct vfsmount * mnt,int flags)2606 static int selinux_umount(struct vfsmount *mnt, int flags)
2607 {
2608 const struct cred *cred = current_cred();
2609
2610 return superblock_has_perm(cred, mnt->mnt_sb,
2611 FILESYSTEM__UNMOUNT, NULL);
2612 }
2613
2614 /* inode security operations */
2615
selinux_inode_alloc_security(struct inode * inode)2616 static int selinux_inode_alloc_security(struct inode *inode)
2617 {
2618 return inode_alloc_security(inode);
2619 }
2620
selinux_inode_free_security(struct inode * inode)2621 static void selinux_inode_free_security(struct inode *inode)
2622 {
2623 inode_free_security(inode);
2624 }
2625
selinux_inode_init_security(struct inode * inode,struct inode * dir,const struct qstr * qstr,char ** name,void ** value,size_t * len)2626 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2627 const struct qstr *qstr, char **name,
2628 void **value, size_t *len)
2629 {
2630 const struct task_security_struct *tsec = current_security();
2631 struct inode_security_struct *dsec;
2632 struct superblock_security_struct *sbsec;
2633 u32 sid, newsid, clen;
2634 int rc;
2635 char *namep = NULL, *context;
2636
2637 dsec = dir->i_security;
2638 sbsec = dir->i_sb->s_security;
2639
2640 sid = tsec->sid;
2641 newsid = tsec->create_sid;
2642
2643 if ((sbsec->flags & SE_SBINITIALIZED) &&
2644 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2645 newsid = sbsec->mntpoint_sid;
2646 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2647 rc = security_transition_sid(sid, dsec->sid,
2648 inode_mode_to_security_class(inode->i_mode),
2649 qstr, &newsid);
2650 if (rc) {
2651 printk(KERN_WARNING "%s: "
2652 "security_transition_sid failed, rc=%d (dev=%s "
2653 "ino=%ld)\n",
2654 __func__,
2655 -rc, inode->i_sb->s_id, inode->i_ino);
2656 return rc;
2657 }
2658 }
2659
2660 /* Possibly defer initialization to selinux_complete_init. */
2661 if (sbsec->flags & SE_SBINITIALIZED) {
2662 struct inode_security_struct *isec = inode->i_security;
2663 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2664 isec->sid = newsid;
2665 isec->initialized = 1;
2666 }
2667
2668 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2669 return -EOPNOTSUPP;
2670
2671 if (name) {
2672 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2673 if (!namep)
2674 return -ENOMEM;
2675 *name = namep;
2676 }
2677
2678 if (value && len) {
2679 rc = security_sid_to_context_force(newsid, &context, &clen);
2680 if (rc) {
2681 kfree(namep);
2682 return rc;
2683 }
2684 *value = context;
2685 *len = clen;
2686 }
2687
2688 return 0;
2689 }
2690
selinux_inode_create(struct inode * dir,struct dentry * dentry,umode_t mode)2691 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2692 {
2693 return may_create(dir, dentry, SECCLASS_FILE);
2694 }
2695
selinux_inode_link(struct dentry * old_dentry,struct inode * dir,struct dentry * new_dentry)2696 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2697 {
2698 return may_link(dir, old_dentry, MAY_LINK);
2699 }
2700
selinux_inode_unlink(struct inode * dir,struct dentry * dentry)2701 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2702 {
2703 return may_link(dir, dentry, MAY_UNLINK);
2704 }
2705
selinux_inode_symlink(struct inode * dir,struct dentry * dentry,const char * name)2706 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2707 {
2708 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2709 }
2710
selinux_inode_mkdir(struct inode * dir,struct dentry * dentry,umode_t mask)2711 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2712 {
2713 return may_create(dir, dentry, SECCLASS_DIR);
2714 }
2715
selinux_inode_rmdir(struct inode * dir,struct dentry * dentry)2716 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2717 {
2718 return may_link(dir, dentry, MAY_RMDIR);
2719 }
2720
selinux_inode_mknod(struct inode * dir,struct dentry * dentry,umode_t mode,dev_t dev)2721 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2722 {
2723 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2724 }
2725
selinux_inode_rename(struct inode * old_inode,struct dentry * old_dentry,struct inode * new_inode,struct dentry * new_dentry)2726 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2727 struct inode *new_inode, struct dentry *new_dentry)
2728 {
2729 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2730 }
2731
selinux_inode_readlink(struct dentry * dentry)2732 static int selinux_inode_readlink(struct dentry *dentry)
2733 {
2734 const struct cred *cred = current_cred();
2735
2736 return dentry_has_perm(cred, dentry, FILE__READ);
2737 }
2738
selinux_inode_follow_link(struct dentry * dentry,struct nameidata * nameidata)2739 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2740 {
2741 const struct cred *cred = current_cred();
2742
2743 return dentry_has_perm(cred, dentry, FILE__READ);
2744 }
2745
audit_inode_permission(struct inode * inode,u32 perms,u32 audited,u32 denied,int result,unsigned flags)2746 static noinline int audit_inode_permission(struct inode *inode,
2747 u32 perms, u32 audited, u32 denied,
2748 int result,
2749 unsigned flags)
2750 {
2751 struct common_audit_data ad;
2752 struct inode_security_struct *isec = inode->i_security;
2753 int rc;
2754
2755 ad.type = LSM_AUDIT_DATA_INODE;
2756 ad.u.inode = inode;
2757
2758 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2759 audited, denied, result, &ad, flags);
2760 if (rc)
2761 return rc;
2762 return 0;
2763 }
2764
selinux_inode_permission(struct inode * inode,int mask)2765 static int selinux_inode_permission(struct inode *inode, int mask)
2766 {
2767 const struct cred *cred = current_cred();
2768 u32 perms;
2769 bool from_access;
2770 unsigned flags = mask & MAY_NOT_BLOCK;
2771 struct inode_security_struct *isec;
2772 u32 sid;
2773 struct av_decision avd;
2774 int rc, rc2;
2775 u32 audited, denied;
2776
2777 from_access = mask & MAY_ACCESS;
2778 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2779
2780 /* No permission to check. Existence test. */
2781 if (!mask)
2782 return 0;
2783
2784 validate_creds(cred);
2785
2786 if (unlikely(IS_PRIVATE(inode)))
2787 return 0;
2788
2789 perms = file_mask_to_av(inode->i_mode, mask);
2790
2791 sid = cred_sid(cred);
2792 isec = inode->i_security;
2793
2794 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2795 audited = avc_audit_required(perms, &avd, rc,
2796 from_access ? FILE__AUDIT_ACCESS : 0,
2797 &denied);
2798 if (likely(!audited))
2799 return rc;
2800
2801 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2802 if (rc2)
2803 return rc2;
2804 return rc;
2805 }
2806
selinux_inode_setattr(struct dentry * dentry,struct iattr * iattr)2807 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2808 {
2809 const struct cred *cred = current_cred();
2810 unsigned int ia_valid = iattr->ia_valid;
2811 __u32 av = FILE__WRITE;
2812
2813 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2814 if (ia_valid & ATTR_FORCE) {
2815 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2816 ATTR_FORCE);
2817 if (!ia_valid)
2818 return 0;
2819 }
2820
2821 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2822 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2823 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2824
2825 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
2826 && !(ia_valid & ATTR_FILE))
2827 av |= FILE__OPEN;
2828
2829 return dentry_has_perm(cred, dentry, av);
2830 }
2831
selinux_inode_getattr(struct vfsmount * mnt,struct dentry * dentry)2832 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2833 {
2834 const struct cred *cred = current_cred();
2835 struct path path;
2836
2837 path.dentry = dentry;
2838 path.mnt = mnt;
2839
2840 return path_has_perm(cred, &path, FILE__GETATTR);
2841 }
2842
selinux_inode_setotherxattr(struct dentry * dentry,const char * name)2843 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2844 {
2845 const struct cred *cred = current_cred();
2846
2847 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2848 sizeof XATTR_SECURITY_PREFIX - 1)) {
2849 if (!strcmp(name, XATTR_NAME_CAPS)) {
2850 if (!capable(CAP_SETFCAP))
2851 return -EPERM;
2852 } else if (!capable(CAP_SYS_ADMIN)) {
2853 /* A different attribute in the security namespace.
2854 Restrict to administrator. */
2855 return -EPERM;
2856 }
2857 }
2858
2859 /* Not an attribute we recognize, so just check the
2860 ordinary setattr permission. */
2861 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2862 }
2863
selinux_inode_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)2864 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2865 const void *value, size_t size, int flags)
2866 {
2867 struct inode *inode = dentry->d_inode;
2868 struct inode_security_struct *isec = inode->i_security;
2869 struct superblock_security_struct *sbsec;
2870 struct common_audit_data ad;
2871 u32 newsid, sid = current_sid();
2872 int rc = 0;
2873
2874 if (strcmp(name, XATTR_NAME_SELINUX))
2875 return selinux_inode_setotherxattr(dentry, name);
2876
2877 sbsec = inode->i_sb->s_security;
2878 if (!(sbsec->flags & SE_SBLABELSUPP))
2879 return -EOPNOTSUPP;
2880
2881 if (!inode_owner_or_capable(inode))
2882 return -EPERM;
2883
2884 ad.type = LSM_AUDIT_DATA_DENTRY;
2885 ad.u.dentry = dentry;
2886
2887 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2888 FILE__RELABELFROM, &ad);
2889 if (rc)
2890 return rc;
2891
2892 rc = security_context_to_sid(value, size, &newsid);
2893 if (rc == -EINVAL) {
2894 if (!capable(CAP_MAC_ADMIN)) {
2895 struct audit_buffer *ab;
2896 size_t audit_size;
2897 const char *str;
2898
2899 /* We strip a nul only if it is at the end, otherwise the
2900 * context contains a nul and we should audit that */
2901 if (value) {
2902 str = value;
2903 if (str[size - 1] == '\0')
2904 audit_size = size - 1;
2905 else
2906 audit_size = size;
2907 } else {
2908 str = "";
2909 audit_size = 0;
2910 }
2911 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2912 audit_log_format(ab, "op=setxattr invalid_context=");
2913 audit_log_n_untrustedstring(ab, value, audit_size);
2914 audit_log_end(ab);
2915
2916 return rc;
2917 }
2918 rc = security_context_to_sid_force(value, size, &newsid);
2919 }
2920 if (rc)
2921 return rc;
2922
2923 rc = avc_has_perm(sid, newsid, isec->sclass,
2924 FILE__RELABELTO, &ad);
2925 if (rc)
2926 return rc;
2927
2928 rc = security_validate_transition(isec->sid, newsid, sid,
2929 isec->sclass);
2930 if (rc)
2931 return rc;
2932
2933 return avc_has_perm(newsid,
2934 sbsec->sid,
2935 SECCLASS_FILESYSTEM,
2936 FILESYSTEM__ASSOCIATE,
2937 &ad);
2938 }
2939
selinux_inode_post_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)2940 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2941 const void *value, size_t size,
2942 int flags)
2943 {
2944 struct inode *inode = dentry->d_inode;
2945 struct inode_security_struct *isec = inode->i_security;
2946 u32 newsid;
2947 int rc;
2948
2949 if (strcmp(name, XATTR_NAME_SELINUX)) {
2950 /* Not an attribute we recognize, so nothing to do. */
2951 return;
2952 }
2953
2954 rc = security_context_to_sid_force(value, size, &newsid);
2955 if (rc) {
2956 printk(KERN_ERR "SELinux: unable to map context to SID"
2957 "for (%s, %lu), rc=%d\n",
2958 inode->i_sb->s_id, inode->i_ino, -rc);
2959 return;
2960 }
2961
2962 isec->sid = newsid;
2963 return;
2964 }
2965
selinux_inode_getxattr(struct dentry * dentry,const char * name)2966 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2967 {
2968 const struct cred *cred = current_cred();
2969
2970 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2971 }
2972
selinux_inode_listxattr(struct dentry * dentry)2973 static int selinux_inode_listxattr(struct dentry *dentry)
2974 {
2975 const struct cred *cred = current_cred();
2976
2977 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2978 }
2979
selinux_inode_removexattr(struct dentry * dentry,const char * name)2980 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2981 {
2982 if (strcmp(name, XATTR_NAME_SELINUX))
2983 return selinux_inode_setotherxattr(dentry, name);
2984
2985 /* No one is allowed to remove a SELinux security label.
2986 You can change the label, but all data must be labeled. */
2987 return -EACCES;
2988 }
2989
2990 /*
2991 * Copy the inode security context value to the user.
2992 *
2993 * Permission check is handled by selinux_inode_getxattr hook.
2994 */
selinux_inode_getsecurity(const struct inode * inode,const char * name,void ** buffer,bool alloc)2995 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2996 {
2997 u32 size;
2998 int error;
2999 char *context = NULL;
3000 struct inode_security_struct *isec = inode->i_security;
3001
3002 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3003 return -EOPNOTSUPP;
3004
3005 /*
3006 * If the caller has CAP_MAC_ADMIN, then get the raw context
3007 * value even if it is not defined by current policy; otherwise,
3008 * use the in-core value under current policy.
3009 * Use the non-auditing forms of the permission checks since
3010 * getxattr may be called by unprivileged processes commonly
3011 * and lack of permission just means that we fall back to the
3012 * in-core context value, not a denial.
3013 */
3014 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3015 SECURITY_CAP_NOAUDIT);
3016 if (!error)
3017 error = security_sid_to_context_force(isec->sid, &context,
3018 &size);
3019 else
3020 error = security_sid_to_context(isec->sid, &context, &size);
3021 if (error)
3022 return error;
3023 error = size;
3024 if (alloc) {
3025 *buffer = context;
3026 goto out_nofree;
3027 }
3028 kfree(context);
3029 out_nofree:
3030 return error;
3031 }
3032
selinux_inode_setsecurity(struct inode * inode,const char * name,const void * value,size_t size,int flags)3033 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3034 const void *value, size_t size, int flags)
3035 {
3036 struct inode_security_struct *isec = inode->i_security;
3037 u32 newsid;
3038 int rc;
3039
3040 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3041 return -EOPNOTSUPP;
3042
3043 if (!value || !size)
3044 return -EACCES;
3045
3046 rc = security_context_to_sid((void *)value, size, &newsid);
3047 if (rc)
3048 return rc;
3049
3050 isec->sid = newsid;
3051 isec->initialized = 1;
3052 return 0;
3053 }
3054
selinux_inode_listsecurity(struct inode * inode,char * buffer,size_t buffer_size)3055 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3056 {
3057 const int len = sizeof(XATTR_NAME_SELINUX);
3058 if (buffer && len <= buffer_size)
3059 memcpy(buffer, XATTR_NAME_SELINUX, len);
3060 return len;
3061 }
3062
selinux_inode_getsecid(const struct inode * inode,u32 * secid)3063 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3064 {
3065 struct inode_security_struct *isec = inode->i_security;
3066 *secid = isec->sid;
3067 }
3068
3069 /* file security operations */
3070
selinux_revalidate_file_permission(struct file * file,int mask)3071 static int selinux_revalidate_file_permission(struct file *file, int mask)
3072 {
3073 const struct cred *cred = current_cred();
3074 struct inode *inode = file_inode(file);
3075
3076 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3077 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3078 mask |= MAY_APPEND;
3079
3080 return file_has_perm(cred, file,
3081 file_mask_to_av(inode->i_mode, mask));
3082 }
3083
selinux_file_permission(struct file * file,int mask)3084 static int selinux_file_permission(struct file *file, int mask)
3085 {
3086 struct inode *inode = file_inode(file);
3087 struct file_security_struct *fsec = file->f_security;
3088 struct inode_security_struct *isec = inode->i_security;
3089 u32 sid = current_sid();
3090
3091 if (!mask)
3092 /* No permission to check. Existence test. */
3093 return 0;
3094
3095 if (sid == fsec->sid && fsec->isid == isec->sid &&
3096 fsec->pseqno == avc_policy_seqno())
3097 /* No change since file_open check. */
3098 return 0;
3099
3100 return selinux_revalidate_file_permission(file, mask);
3101 }
3102
selinux_file_alloc_security(struct file * file)3103 static int selinux_file_alloc_security(struct file *file)
3104 {
3105 return file_alloc_security(file);
3106 }
3107
selinux_file_free_security(struct file * file)3108 static void selinux_file_free_security(struct file *file)
3109 {
3110 file_free_security(file);
3111 }
3112
3113 /*
3114 * Check whether a task has the ioctl permission and cmd
3115 * operation to an inode.
3116 */
ioctl_has_perm(const struct cred * cred,struct file * file,u32 requested,u16 cmd)3117 int ioctl_has_perm(const struct cred *cred, struct file *file,
3118 u32 requested, u16 cmd)
3119 {
3120 struct common_audit_data ad;
3121 struct file_security_struct *fsec = file->f_security;
3122 struct inode *inode = file_inode(file);
3123 struct inode_security_struct *isec = inode->i_security;
3124 struct lsm_ioctlop_audit ioctl;
3125 u32 ssid = cred_sid(cred);
3126 int rc;
3127 u8 driver = cmd >> 8;
3128 u8 xperm = cmd & 0xff;
3129
3130 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3131 ad.u.op = &ioctl;
3132 ad.u.op->cmd = cmd;
3133 ad.u.op->path = file->f_path;
3134
3135 if (ssid != fsec->sid) {
3136 rc = avc_has_perm(ssid, fsec->sid,
3137 SECCLASS_FD,
3138 FD__USE,
3139 &ad);
3140 if (rc)
3141 goto out;
3142 }
3143
3144 if (unlikely(IS_PRIVATE(inode)))
3145 return 0;
3146
3147 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3148 requested, driver, xperm, &ad);
3149 out:
3150 return rc;
3151 }
3152
selinux_file_ioctl(struct file * file,unsigned int cmd,unsigned long arg)3153 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3154 unsigned long arg)
3155 {
3156 const struct cred *cred = current_cred();
3157 int error = 0;
3158
3159 switch (cmd) {
3160 case FIONREAD:
3161 /* fall through */
3162 case FIBMAP:
3163 /* fall through */
3164 case FIGETBSZ:
3165 /* fall through */
3166 case FS_IOC_GETFLAGS:
3167 /* fall through */
3168 case FS_IOC_GETVERSION:
3169 error = file_has_perm(cred, file, FILE__GETATTR);
3170 break;
3171
3172 case FS_IOC_SETFLAGS:
3173 /* fall through */
3174 case FS_IOC_SETVERSION:
3175 error = file_has_perm(cred, file, FILE__SETATTR);
3176 break;
3177
3178 /* sys_ioctl() checks */
3179 case FIONBIO:
3180 /* fall through */
3181 case FIOASYNC:
3182 error = file_has_perm(cred, file, 0);
3183 break;
3184
3185 case KDSKBENT:
3186 case KDSKBSENT:
3187 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3188 SECURITY_CAP_AUDIT);
3189 break;
3190
3191 /* default case assumes that the command will go
3192 * to the file's ioctl() function.
3193 */
3194 default:
3195 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3196 }
3197 return error;
3198 }
3199
3200 static int default_noexec;
3201
file_map_prot_check(struct file * file,unsigned long prot,int shared)3202 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3203 {
3204 const struct cred *cred = current_cred();
3205 int rc = 0;
3206
3207 if (default_noexec &&
3208 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3209 /*
3210 * We are making executable an anonymous mapping or a
3211 * private file mapping that will also be writable.
3212 * This has an additional check.
3213 */
3214 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3215 if (rc)
3216 goto error;
3217 }
3218
3219 if (file) {
3220 /* read access is always possible with a mapping */
3221 u32 av = FILE__READ;
3222
3223 /* write access only matters if the mapping is shared */
3224 if (shared && (prot & PROT_WRITE))
3225 av |= FILE__WRITE;
3226
3227 if (prot & PROT_EXEC)
3228 av |= FILE__EXECUTE;
3229
3230 return file_has_perm(cred, file, av);
3231 }
3232
3233 error:
3234 return rc;
3235 }
3236
selinux_mmap_addr(unsigned long addr)3237 static int selinux_mmap_addr(unsigned long addr)
3238 {
3239 int rc;
3240
3241 /* do DAC check on address space usage */
3242 rc = cap_mmap_addr(addr);
3243 if (rc)
3244 return rc;
3245
3246 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3247 u32 sid = current_sid();
3248 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3249 MEMPROTECT__MMAP_ZERO, NULL);
3250 }
3251
3252 return rc;
3253 }
3254
selinux_mmap_file(struct file * file,unsigned long reqprot,unsigned long prot,unsigned long flags)3255 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3256 unsigned long prot, unsigned long flags)
3257 {
3258 if (selinux_checkreqprot)
3259 prot = reqprot;
3260
3261 return file_map_prot_check(file, prot,
3262 (flags & MAP_TYPE) == MAP_SHARED);
3263 }
3264
selinux_file_mprotect(struct vm_area_struct * vma,unsigned long reqprot,unsigned long prot)3265 static int selinux_file_mprotect(struct vm_area_struct *vma,
3266 unsigned long reqprot,
3267 unsigned long prot)
3268 {
3269 const struct cred *cred = current_cred();
3270
3271 if (selinux_checkreqprot)
3272 prot = reqprot;
3273
3274 if (default_noexec &&
3275 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3276 int rc = 0;
3277 if (vma->vm_start >= vma->vm_mm->start_brk &&
3278 vma->vm_end <= vma->vm_mm->brk) {
3279 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3280 } else if (!vma->vm_file &&
3281 vma->vm_start <= vma->vm_mm->start_stack &&
3282 vma->vm_end >= vma->vm_mm->start_stack) {
3283 rc = current_has_perm(current, PROCESS__EXECSTACK);
3284 } else if (vma->vm_file && vma->anon_vma) {
3285 /*
3286 * We are making executable a file mapping that has
3287 * had some COW done. Since pages might have been
3288 * written, check ability to execute the possibly
3289 * modified content. This typically should only
3290 * occur for text relocations.
3291 */
3292 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3293 }
3294 if (rc)
3295 return rc;
3296 }
3297
3298 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3299 }
3300
selinux_file_lock(struct file * file,unsigned int cmd)3301 static int selinux_file_lock(struct file *file, unsigned int cmd)
3302 {
3303 const struct cred *cred = current_cred();
3304
3305 return file_has_perm(cred, file, FILE__LOCK);
3306 }
3307
selinux_file_fcntl(struct file * file,unsigned int cmd,unsigned long arg)3308 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3309 unsigned long arg)
3310 {
3311 const struct cred *cred = current_cred();
3312 int err = 0;
3313
3314 switch (cmd) {
3315 case F_SETFL:
3316 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3317 err = file_has_perm(cred, file, FILE__WRITE);
3318 break;
3319 }
3320 /* fall through */
3321 case F_SETOWN:
3322 case F_SETSIG:
3323 case F_GETFL:
3324 case F_GETOWN:
3325 case F_GETSIG:
3326 case F_GETOWNER_UIDS:
3327 /* Just check FD__USE permission */
3328 err = file_has_perm(cred, file, 0);
3329 break;
3330 case F_GETLK:
3331 case F_SETLK:
3332 case F_SETLKW:
3333 #if BITS_PER_LONG == 32
3334 case F_GETLK64:
3335 case F_SETLK64:
3336 case F_SETLKW64:
3337 #endif
3338 err = file_has_perm(cred, file, FILE__LOCK);
3339 break;
3340 }
3341
3342 return err;
3343 }
3344
selinux_file_set_fowner(struct file * file)3345 static int selinux_file_set_fowner(struct file *file)
3346 {
3347 struct file_security_struct *fsec;
3348
3349 fsec = file->f_security;
3350 fsec->fown_sid = current_sid();
3351
3352 return 0;
3353 }
3354
selinux_file_send_sigiotask(struct task_struct * tsk,struct fown_struct * fown,int signum)3355 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3356 struct fown_struct *fown, int signum)
3357 {
3358 struct file *file;
3359 u32 sid = task_sid(tsk);
3360 u32 perm;
3361 struct file_security_struct *fsec;
3362
3363 /* struct fown_struct is never outside the context of a struct file */
3364 file = container_of(fown, struct file, f_owner);
3365
3366 fsec = file->f_security;
3367
3368 if (!signum)
3369 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3370 else
3371 perm = signal_to_av(signum);
3372
3373 return avc_has_perm(fsec->fown_sid, sid,
3374 SECCLASS_PROCESS, perm, NULL);
3375 }
3376
selinux_file_receive(struct file * file)3377 static int selinux_file_receive(struct file *file)
3378 {
3379 const struct cred *cred = current_cred();
3380
3381 return file_has_perm(cred, file, file_to_av(file));
3382 }
3383
selinux_file_open(struct file * file,const struct cred * cred)3384 static int selinux_file_open(struct file *file, const struct cred *cred)
3385 {
3386 struct file_security_struct *fsec;
3387 struct inode_security_struct *isec;
3388
3389 fsec = file->f_security;
3390 isec = file_inode(file)->i_security;
3391 /*
3392 * Save inode label and policy sequence number
3393 * at open-time so that selinux_file_permission
3394 * can determine whether revalidation is necessary.
3395 * Task label is already saved in the file security
3396 * struct as its SID.
3397 */
3398 fsec->isid = isec->sid;
3399 fsec->pseqno = avc_policy_seqno();
3400 /*
3401 * Since the inode label or policy seqno may have changed
3402 * between the selinux_inode_permission check and the saving
3403 * of state above, recheck that access is still permitted.
3404 * Otherwise, access might never be revalidated against the
3405 * new inode label or new policy.
3406 * This check is not redundant - do not remove.
3407 */
3408 return path_has_perm(cred, &file->f_path, open_file_to_av(file));
3409 }
3410
3411 /* task security operations */
3412
selinux_task_create(unsigned long clone_flags)3413 static int selinux_task_create(unsigned long clone_flags)
3414 {
3415 return current_has_perm(current, PROCESS__FORK);
3416 }
3417
3418 /*
3419 * allocate the SELinux part of blank credentials
3420 */
selinux_cred_alloc_blank(struct cred * cred,gfp_t gfp)3421 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3422 {
3423 struct task_security_struct *tsec;
3424
3425 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3426 if (!tsec)
3427 return -ENOMEM;
3428
3429 cred->security = tsec;
3430 return 0;
3431 }
3432
3433 /*
3434 * detach and free the LSM part of a set of credentials
3435 */
selinux_cred_free(struct cred * cred)3436 static void selinux_cred_free(struct cred *cred)
3437 {
3438 struct task_security_struct *tsec = cred->security;
3439
3440 /*
3441 * cred->security == NULL if security_cred_alloc_blank() or
3442 * security_prepare_creds() returned an error.
3443 */
3444 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3445 cred->security = (void *) 0x7UL;
3446 kfree(tsec);
3447 }
3448
3449 /*
3450 * prepare a new set of credentials for modification
3451 */
selinux_cred_prepare(struct cred * new,const struct cred * old,gfp_t gfp)3452 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3453 gfp_t gfp)
3454 {
3455 const struct task_security_struct *old_tsec;
3456 struct task_security_struct *tsec;
3457
3458 old_tsec = old->security;
3459
3460 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3461 if (!tsec)
3462 return -ENOMEM;
3463
3464 new->security = tsec;
3465 return 0;
3466 }
3467
3468 /*
3469 * transfer the SELinux data to a blank set of creds
3470 */
selinux_cred_transfer(struct cred * new,const struct cred * old)3471 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3472 {
3473 const struct task_security_struct *old_tsec = old->security;
3474 struct task_security_struct *tsec = new->security;
3475
3476 *tsec = *old_tsec;
3477 }
3478
3479 /*
3480 * set the security data for a kernel service
3481 * - all the creation contexts are set to unlabelled
3482 */
selinux_kernel_act_as(struct cred * new,u32 secid)3483 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3484 {
3485 struct task_security_struct *tsec = new->security;
3486 u32 sid = current_sid();
3487 int ret;
3488
3489 ret = avc_has_perm(sid, secid,
3490 SECCLASS_KERNEL_SERVICE,
3491 KERNEL_SERVICE__USE_AS_OVERRIDE,
3492 NULL);
3493 if (ret == 0) {
3494 tsec->sid = secid;
3495 tsec->create_sid = 0;
3496 tsec->keycreate_sid = 0;
3497 tsec->sockcreate_sid = 0;
3498 }
3499 return ret;
3500 }
3501
3502 /*
3503 * set the file creation context in a security record to the same as the
3504 * objective context of the specified inode
3505 */
selinux_kernel_create_files_as(struct cred * new,struct inode * inode)3506 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3507 {
3508 struct inode_security_struct *isec = inode->i_security;
3509 struct task_security_struct *tsec = new->security;
3510 u32 sid = current_sid();
3511 int ret;
3512
3513 ret = avc_has_perm(sid, isec->sid,
3514 SECCLASS_KERNEL_SERVICE,
3515 KERNEL_SERVICE__CREATE_FILES_AS,
3516 NULL);
3517
3518 if (ret == 0)
3519 tsec->create_sid = isec->sid;
3520 return ret;
3521 }
3522
selinux_kernel_module_request(char * kmod_name)3523 static int selinux_kernel_module_request(char *kmod_name)
3524 {
3525 u32 sid;
3526 struct common_audit_data ad;
3527
3528 sid = task_sid(current);
3529
3530 ad.type = LSM_AUDIT_DATA_KMOD;
3531 ad.u.kmod_name = kmod_name;
3532
3533 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3534 SYSTEM__MODULE_REQUEST, &ad);
3535 }
3536
selinux_kernel_module_from_file(struct file * file)3537 static int selinux_kernel_module_from_file(struct file *file)
3538 {
3539 struct common_audit_data ad;
3540 struct inode_security_struct *isec;
3541 struct file_security_struct *fsec;
3542 struct inode *inode;
3543 u32 sid = current_sid();
3544 int rc;
3545
3546 /* init_module */
3547 if (file == NULL)
3548 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3549 SYSTEM__MODULE_LOAD, NULL);
3550
3551 /* finit_module */
3552 ad.type = LSM_AUDIT_DATA_PATH;
3553 ad.u.path = file->f_path;
3554
3555 inode = file_inode(file);
3556 isec = inode->i_security;
3557 fsec = file->f_security;
3558
3559 if (sid != fsec->sid) {
3560 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3561 if (rc)
3562 return rc;
3563 }
3564
3565 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3566 SYSTEM__MODULE_LOAD, &ad);
3567 }
3568
selinux_task_setpgid(struct task_struct * p,pid_t pgid)3569 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3570 {
3571 return current_has_perm(p, PROCESS__SETPGID);
3572 }
3573
selinux_task_getpgid(struct task_struct * p)3574 static int selinux_task_getpgid(struct task_struct *p)
3575 {
3576 return current_has_perm(p, PROCESS__GETPGID);
3577 }
3578
selinux_task_getsid(struct task_struct * p)3579 static int selinux_task_getsid(struct task_struct *p)
3580 {
3581 return current_has_perm(p, PROCESS__GETSESSION);
3582 }
3583
selinux_task_getsecid(struct task_struct * p,u32 * secid)3584 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3585 {
3586 *secid = task_sid(p);
3587 }
3588
selinux_task_setnice(struct task_struct * p,int nice)3589 static int selinux_task_setnice(struct task_struct *p, int nice)
3590 {
3591 int rc;
3592
3593 rc = cap_task_setnice(p, nice);
3594 if (rc)
3595 return rc;
3596
3597 return current_has_perm(p, PROCESS__SETSCHED);
3598 }
3599
selinux_task_setioprio(struct task_struct * p,int ioprio)3600 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3601 {
3602 int rc;
3603
3604 rc = cap_task_setioprio(p, ioprio);
3605 if (rc)
3606 return rc;
3607
3608 return current_has_perm(p, PROCESS__SETSCHED);
3609 }
3610
selinux_task_getioprio(struct task_struct * p)3611 static int selinux_task_getioprio(struct task_struct *p)
3612 {
3613 return current_has_perm(p, PROCESS__GETSCHED);
3614 }
3615
selinux_task_setrlimit(struct task_struct * p,unsigned int resource,struct rlimit * new_rlim)3616 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3617 struct rlimit *new_rlim)
3618 {
3619 struct rlimit *old_rlim = p->signal->rlim + resource;
3620
3621 /* Control the ability to change the hard limit (whether
3622 lowering or raising it), so that the hard limit can
3623 later be used as a safe reset point for the soft limit
3624 upon context transitions. See selinux_bprm_committing_creds. */
3625 if (old_rlim->rlim_max != new_rlim->rlim_max)
3626 return current_has_perm(p, PROCESS__SETRLIMIT);
3627
3628 return 0;
3629 }
3630
selinux_task_setscheduler(struct task_struct * p)3631 static int selinux_task_setscheduler(struct task_struct *p)
3632 {
3633 int rc;
3634
3635 rc = cap_task_setscheduler(p);
3636 if (rc)
3637 return rc;
3638
3639 return current_has_perm(p, PROCESS__SETSCHED);
3640 }
3641
selinux_task_getscheduler(struct task_struct * p)3642 static int selinux_task_getscheduler(struct task_struct *p)
3643 {
3644 return current_has_perm(p, PROCESS__GETSCHED);
3645 }
3646
selinux_task_movememory(struct task_struct * p)3647 static int selinux_task_movememory(struct task_struct *p)
3648 {
3649 return current_has_perm(p, PROCESS__SETSCHED);
3650 }
3651
selinux_task_kill(struct task_struct * p,struct siginfo * info,int sig,u32 secid)3652 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3653 int sig, u32 secid)
3654 {
3655 u32 perm;
3656 int rc;
3657
3658 if (!sig)
3659 perm = PROCESS__SIGNULL; /* null signal; existence test */
3660 else
3661 perm = signal_to_av(sig);
3662 if (secid)
3663 rc = avc_has_perm(secid, task_sid(p),
3664 SECCLASS_PROCESS, perm, NULL);
3665 else
3666 rc = current_has_perm(p, perm);
3667 return rc;
3668 }
3669
selinux_task_wait(struct task_struct * p)3670 static int selinux_task_wait(struct task_struct *p)
3671 {
3672 return task_has_perm(p, current, PROCESS__SIGCHLD);
3673 }
3674
selinux_task_to_inode(struct task_struct * p,struct inode * inode)3675 static void selinux_task_to_inode(struct task_struct *p,
3676 struct inode *inode)
3677 {
3678 struct inode_security_struct *isec = inode->i_security;
3679 u32 sid = task_sid(p);
3680
3681 isec->sid = sid;
3682 isec->initialized = 1;
3683 }
3684
3685 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv4(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)3686 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3687 struct common_audit_data *ad, u8 *proto)
3688 {
3689 int offset, ihlen, ret = -EINVAL;
3690 struct iphdr _iph, *ih;
3691
3692 offset = skb_network_offset(skb);
3693 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3694 if (ih == NULL)
3695 goto out;
3696
3697 ihlen = ih->ihl * 4;
3698 if (ihlen < sizeof(_iph))
3699 goto out;
3700
3701 ad->u.net->v4info.saddr = ih->saddr;
3702 ad->u.net->v4info.daddr = ih->daddr;
3703 ret = 0;
3704
3705 if (proto)
3706 *proto = ih->protocol;
3707
3708 switch (ih->protocol) {
3709 case IPPROTO_TCP: {
3710 struct tcphdr _tcph, *th;
3711
3712 if (ntohs(ih->frag_off) & IP_OFFSET)
3713 break;
3714
3715 offset += ihlen;
3716 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3717 if (th == NULL)
3718 break;
3719
3720 ad->u.net->sport = th->source;
3721 ad->u.net->dport = th->dest;
3722 break;
3723 }
3724
3725 case IPPROTO_UDP: {
3726 struct udphdr _udph, *uh;
3727
3728 if (ntohs(ih->frag_off) & IP_OFFSET)
3729 break;
3730
3731 offset += ihlen;
3732 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3733 if (uh == NULL)
3734 break;
3735
3736 ad->u.net->sport = uh->source;
3737 ad->u.net->dport = uh->dest;
3738 break;
3739 }
3740
3741 case IPPROTO_DCCP: {
3742 struct dccp_hdr _dccph, *dh;
3743
3744 if (ntohs(ih->frag_off) & IP_OFFSET)
3745 break;
3746
3747 offset += ihlen;
3748 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3749 if (dh == NULL)
3750 break;
3751
3752 ad->u.net->sport = dh->dccph_sport;
3753 ad->u.net->dport = dh->dccph_dport;
3754 break;
3755 }
3756
3757 default:
3758 break;
3759 }
3760 out:
3761 return ret;
3762 }
3763
3764 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3765
3766 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv6(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)3767 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3768 struct common_audit_data *ad, u8 *proto)
3769 {
3770 u8 nexthdr;
3771 int ret = -EINVAL, offset;
3772 struct ipv6hdr _ipv6h, *ip6;
3773 __be16 frag_off;
3774
3775 offset = skb_network_offset(skb);
3776 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3777 if (ip6 == NULL)
3778 goto out;
3779
3780 ad->u.net->v6info.saddr = ip6->saddr;
3781 ad->u.net->v6info.daddr = ip6->daddr;
3782 ret = 0;
3783
3784 nexthdr = ip6->nexthdr;
3785 offset += sizeof(_ipv6h);
3786 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3787 if (offset < 0)
3788 goto out;
3789
3790 if (proto)
3791 *proto = nexthdr;
3792
3793 switch (nexthdr) {
3794 case IPPROTO_TCP: {
3795 struct tcphdr _tcph, *th;
3796
3797 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3798 if (th == NULL)
3799 break;
3800
3801 ad->u.net->sport = th->source;
3802 ad->u.net->dport = th->dest;
3803 break;
3804 }
3805
3806 case IPPROTO_UDP: {
3807 struct udphdr _udph, *uh;
3808
3809 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3810 if (uh == NULL)
3811 break;
3812
3813 ad->u.net->sport = uh->source;
3814 ad->u.net->dport = uh->dest;
3815 break;
3816 }
3817
3818 case IPPROTO_DCCP: {
3819 struct dccp_hdr _dccph, *dh;
3820
3821 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3822 if (dh == NULL)
3823 break;
3824
3825 ad->u.net->sport = dh->dccph_sport;
3826 ad->u.net->dport = dh->dccph_dport;
3827 break;
3828 }
3829
3830 /* includes fragments */
3831 default:
3832 break;
3833 }
3834 out:
3835 return ret;
3836 }
3837
3838 #endif /* IPV6 */
3839
selinux_parse_skb(struct sk_buff * skb,struct common_audit_data * ad,char ** _addrp,int src,u8 * proto)3840 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3841 char **_addrp, int src, u8 *proto)
3842 {
3843 char *addrp;
3844 int ret;
3845
3846 switch (ad->u.net->family) {
3847 case PF_INET:
3848 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3849 if (ret)
3850 goto parse_error;
3851 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3852 &ad->u.net->v4info.daddr);
3853 goto okay;
3854
3855 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3856 case PF_INET6:
3857 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3858 if (ret)
3859 goto parse_error;
3860 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3861 &ad->u.net->v6info.daddr);
3862 goto okay;
3863 #endif /* IPV6 */
3864 default:
3865 addrp = NULL;
3866 goto okay;
3867 }
3868
3869 parse_error:
3870 printk(KERN_WARNING
3871 "SELinux: failure in selinux_parse_skb(),"
3872 " unable to parse packet\n");
3873 return ret;
3874
3875 okay:
3876 if (_addrp)
3877 *_addrp = addrp;
3878 return 0;
3879 }
3880
3881 /**
3882 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3883 * @skb: the packet
3884 * @family: protocol family
3885 * @sid: the packet's peer label SID
3886 *
3887 * Description:
3888 * Check the various different forms of network peer labeling and determine
3889 * the peer label/SID for the packet; most of the magic actually occurs in
3890 * the security server function security_net_peersid_cmp(). The function
3891 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3892 * or -EACCES if @sid is invalid due to inconsistencies with the different
3893 * peer labels.
3894 *
3895 */
selinux_skb_peerlbl_sid(struct sk_buff * skb,u16 family,u32 * sid)3896 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3897 {
3898 int err;
3899 u32 xfrm_sid;
3900 u32 nlbl_sid;
3901 u32 nlbl_type;
3902
3903 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3904 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3905
3906 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3907 if (unlikely(err)) {
3908 printk(KERN_WARNING
3909 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3910 " unable to determine packet's peer label\n");
3911 return -EACCES;
3912 }
3913
3914 return 0;
3915 }
3916
3917 /* socket security operations */
3918
socket_sockcreate_sid(const struct task_security_struct * tsec,u16 secclass,u32 * socksid)3919 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3920 u16 secclass, u32 *socksid)
3921 {
3922 if (tsec->sockcreate_sid > SECSID_NULL) {
3923 *socksid = tsec->sockcreate_sid;
3924 return 0;
3925 }
3926
3927 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3928 socksid);
3929 }
3930
sock_has_perm(struct task_struct * task,struct sock * sk,u32 perms)3931 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3932 {
3933 struct sk_security_struct *sksec = sk->sk_security;
3934 struct common_audit_data ad;
3935 struct lsm_network_audit net = {0,};
3936 u32 tsid = task_sid(task);
3937
3938 if (sksec->sid == SECINITSID_KERNEL)
3939 return 0;
3940
3941 ad.type = LSM_AUDIT_DATA_NET;
3942 ad.u.net = &net;
3943 ad.u.net->sk = sk;
3944
3945 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3946 }
3947
selinux_socket_create(int family,int type,int protocol,int kern)3948 static int selinux_socket_create(int family, int type,
3949 int protocol, int kern)
3950 {
3951 const struct task_security_struct *tsec = current_security();
3952 u32 newsid;
3953 u16 secclass;
3954 int rc;
3955
3956 if (kern)
3957 return 0;
3958
3959 secclass = socket_type_to_security_class(family, type, protocol);
3960 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3961 if (rc)
3962 return rc;
3963
3964 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3965 }
3966
selinux_socket_post_create(struct socket * sock,int family,int type,int protocol,int kern)3967 static int selinux_socket_post_create(struct socket *sock, int family,
3968 int type, int protocol, int kern)
3969 {
3970 const struct task_security_struct *tsec = current_security();
3971 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3972 struct sk_security_struct *sksec;
3973 int err = 0;
3974
3975 isec->sclass = socket_type_to_security_class(family, type, protocol);
3976
3977 if (kern)
3978 isec->sid = SECINITSID_KERNEL;
3979 else {
3980 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3981 if (err)
3982 return err;
3983 }
3984
3985 isec->initialized = 1;
3986
3987 if (sock->sk) {
3988 sksec = sock->sk->sk_security;
3989 sksec->sid = isec->sid;
3990 sksec->sclass = isec->sclass;
3991 err = selinux_netlbl_socket_post_create(sock->sk, family);
3992 }
3993
3994 return err;
3995 }
3996
3997 /* Range of port numbers used to automatically bind.
3998 Need to determine whether we should perform a name_bind
3999 permission check between the socket and the port number. */
4000
selinux_socket_bind(struct socket * sock,struct sockaddr * address,int addrlen)4001 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4002 {
4003 struct sock *sk = sock->sk;
4004 u16 family;
4005 int err;
4006
4007 err = sock_has_perm(current, sk, SOCKET__BIND);
4008 if (err)
4009 goto out;
4010
4011 /*
4012 * If PF_INET or PF_INET6, check name_bind permission for the port.
4013 * Multiple address binding for SCTP is not supported yet: we just
4014 * check the first address now.
4015 */
4016 family = sk->sk_family;
4017 if (family == PF_INET || family == PF_INET6) {
4018 char *addrp;
4019 struct sk_security_struct *sksec = sk->sk_security;
4020 struct common_audit_data ad;
4021 struct lsm_network_audit net = {0,};
4022 struct sockaddr_in *addr4 = NULL;
4023 struct sockaddr_in6 *addr6 = NULL;
4024 unsigned short snum;
4025 u32 sid, node_perm;
4026
4027 if (family == PF_INET) {
4028 addr4 = (struct sockaddr_in *)address;
4029 snum = ntohs(addr4->sin_port);
4030 addrp = (char *)&addr4->sin_addr.s_addr;
4031 } else {
4032 addr6 = (struct sockaddr_in6 *)address;
4033 snum = ntohs(addr6->sin6_port);
4034 addrp = (char *)&addr6->sin6_addr.s6_addr;
4035 }
4036
4037 if (snum) {
4038 int low, high;
4039
4040 inet_get_local_port_range(&low, &high);
4041
4042 if (snum < max(PROT_SOCK, low) || snum > high) {
4043 err = sel_netport_sid(sk->sk_protocol,
4044 snum, &sid);
4045 if (err)
4046 goto out;
4047 ad.type = LSM_AUDIT_DATA_NET;
4048 ad.u.net = &net;
4049 ad.u.net->sport = htons(snum);
4050 ad.u.net->family = family;
4051 err = avc_has_perm(sksec->sid, sid,
4052 sksec->sclass,
4053 SOCKET__NAME_BIND, &ad);
4054 if (err)
4055 goto out;
4056 }
4057 }
4058
4059 switch (sksec->sclass) {
4060 case SECCLASS_TCP_SOCKET:
4061 node_perm = TCP_SOCKET__NODE_BIND;
4062 break;
4063
4064 case SECCLASS_UDP_SOCKET:
4065 node_perm = UDP_SOCKET__NODE_BIND;
4066 break;
4067
4068 case SECCLASS_DCCP_SOCKET:
4069 node_perm = DCCP_SOCKET__NODE_BIND;
4070 break;
4071
4072 default:
4073 node_perm = RAWIP_SOCKET__NODE_BIND;
4074 break;
4075 }
4076
4077 err = sel_netnode_sid(addrp, family, &sid);
4078 if (err)
4079 goto out;
4080
4081 ad.type = LSM_AUDIT_DATA_NET;
4082 ad.u.net = &net;
4083 ad.u.net->sport = htons(snum);
4084 ad.u.net->family = family;
4085
4086 if (family == PF_INET)
4087 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4088 else
4089 ad.u.net->v6info.saddr = addr6->sin6_addr;
4090
4091 err = avc_has_perm(sksec->sid, sid,
4092 sksec->sclass, node_perm, &ad);
4093 if (err)
4094 goto out;
4095 }
4096 out:
4097 return err;
4098 }
4099
selinux_socket_connect(struct socket * sock,struct sockaddr * address,int addrlen)4100 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4101 {
4102 struct sock *sk = sock->sk;
4103 struct sk_security_struct *sksec = sk->sk_security;
4104 int err;
4105
4106 err = sock_has_perm(current, sk, SOCKET__CONNECT);
4107 if (err)
4108 return err;
4109
4110 /*
4111 * If a TCP or DCCP socket, check name_connect permission for the port.
4112 */
4113 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4114 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4115 struct common_audit_data ad;
4116 struct lsm_network_audit net = {0,};
4117 struct sockaddr_in *addr4 = NULL;
4118 struct sockaddr_in6 *addr6 = NULL;
4119 unsigned short snum;
4120 u32 sid, perm;
4121
4122 if (sk->sk_family == PF_INET) {
4123 addr4 = (struct sockaddr_in *)address;
4124 if (addrlen < sizeof(struct sockaddr_in))
4125 return -EINVAL;
4126 snum = ntohs(addr4->sin_port);
4127 } else {
4128 addr6 = (struct sockaddr_in6 *)address;
4129 if (addrlen < SIN6_LEN_RFC2133)
4130 return -EINVAL;
4131 snum = ntohs(addr6->sin6_port);
4132 }
4133
4134 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4135 if (err)
4136 goto out;
4137
4138 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4139 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4140
4141 ad.type = LSM_AUDIT_DATA_NET;
4142 ad.u.net = &net;
4143 ad.u.net->dport = htons(snum);
4144 ad.u.net->family = sk->sk_family;
4145 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4146 if (err)
4147 goto out;
4148 }
4149
4150 err = selinux_netlbl_socket_connect(sk, address);
4151
4152 out:
4153 return err;
4154 }
4155
selinux_socket_listen(struct socket * sock,int backlog)4156 static int selinux_socket_listen(struct socket *sock, int backlog)
4157 {
4158 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4159 }
4160
selinux_socket_accept(struct socket * sock,struct socket * newsock)4161 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4162 {
4163 int err;
4164 struct inode_security_struct *isec;
4165 struct inode_security_struct *newisec;
4166
4167 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4168 if (err)
4169 return err;
4170
4171 newisec = SOCK_INODE(newsock)->i_security;
4172
4173 isec = SOCK_INODE(sock)->i_security;
4174 newisec->sclass = isec->sclass;
4175 newisec->sid = isec->sid;
4176 newisec->initialized = 1;
4177
4178 return 0;
4179 }
4180
selinux_socket_sendmsg(struct socket * sock,struct msghdr * msg,int size)4181 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4182 int size)
4183 {
4184 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4185 }
4186
selinux_socket_recvmsg(struct socket * sock,struct msghdr * msg,int size,int flags)4187 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4188 int size, int flags)
4189 {
4190 return sock_has_perm(current, sock->sk, SOCKET__READ);
4191 }
4192
selinux_socket_getsockname(struct socket * sock)4193 static int selinux_socket_getsockname(struct socket *sock)
4194 {
4195 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4196 }
4197
selinux_socket_getpeername(struct socket * sock)4198 static int selinux_socket_getpeername(struct socket *sock)
4199 {
4200 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4201 }
4202
selinux_socket_setsockopt(struct socket * sock,int level,int optname)4203 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4204 {
4205 int err;
4206
4207 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4208 if (err)
4209 return err;
4210
4211 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4212 }
4213
selinux_socket_getsockopt(struct socket * sock,int level,int optname)4214 static int selinux_socket_getsockopt(struct socket *sock, int level,
4215 int optname)
4216 {
4217 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4218 }
4219
selinux_socket_shutdown(struct socket * sock,int how)4220 static int selinux_socket_shutdown(struct socket *sock, int how)
4221 {
4222 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4223 }
4224
selinux_socket_unix_stream_connect(struct sock * sock,struct sock * other,struct sock * newsk)4225 static int selinux_socket_unix_stream_connect(struct sock *sock,
4226 struct sock *other,
4227 struct sock *newsk)
4228 {
4229 struct sk_security_struct *sksec_sock = sock->sk_security;
4230 struct sk_security_struct *sksec_other = other->sk_security;
4231 struct sk_security_struct *sksec_new = newsk->sk_security;
4232 struct common_audit_data ad;
4233 struct lsm_network_audit net = {0,};
4234 int err;
4235
4236 ad.type = LSM_AUDIT_DATA_NET;
4237 ad.u.net = &net;
4238 ad.u.net->sk = other;
4239
4240 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4241 sksec_other->sclass,
4242 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4243 if (err)
4244 return err;
4245
4246 /* server child socket */
4247 sksec_new->peer_sid = sksec_sock->sid;
4248 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4249 &sksec_new->sid);
4250 if (err)
4251 return err;
4252
4253 /* connecting socket */
4254 sksec_sock->peer_sid = sksec_new->sid;
4255
4256 return 0;
4257 }
4258
selinux_socket_unix_may_send(struct socket * sock,struct socket * other)4259 static int selinux_socket_unix_may_send(struct socket *sock,
4260 struct socket *other)
4261 {
4262 struct sk_security_struct *ssec = sock->sk->sk_security;
4263 struct sk_security_struct *osec = other->sk->sk_security;
4264 struct common_audit_data ad;
4265 struct lsm_network_audit net = {0,};
4266
4267 ad.type = LSM_AUDIT_DATA_NET;
4268 ad.u.net = &net;
4269 ad.u.net->sk = other->sk;
4270
4271 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4272 &ad);
4273 }
4274
selinux_inet_sys_rcv_skb(struct net * ns,int ifindex,char * addrp,u16 family,u32 peer_sid,struct common_audit_data * ad)4275 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4276 char *addrp, u16 family, u32 peer_sid,
4277 struct common_audit_data *ad)
4278 {
4279 int err;
4280 u32 if_sid;
4281 u32 node_sid;
4282
4283 err = sel_netif_sid(ns, ifindex, &if_sid);
4284 if (err)
4285 return err;
4286 err = avc_has_perm(peer_sid, if_sid,
4287 SECCLASS_NETIF, NETIF__INGRESS, ad);
4288 if (err)
4289 return err;
4290
4291 err = sel_netnode_sid(addrp, family, &node_sid);
4292 if (err)
4293 return err;
4294 return avc_has_perm(peer_sid, node_sid,
4295 SECCLASS_NODE, NODE__RECVFROM, ad);
4296 }
4297
selinux_sock_rcv_skb_compat(struct sock * sk,struct sk_buff * skb,u16 family)4298 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4299 u16 family)
4300 {
4301 int err = 0;
4302 struct sk_security_struct *sksec = sk->sk_security;
4303 u32 sk_sid = sksec->sid;
4304 struct common_audit_data ad;
4305 struct lsm_network_audit net = {0,};
4306 char *addrp;
4307
4308 ad.type = LSM_AUDIT_DATA_NET;
4309 ad.u.net = &net;
4310 ad.u.net->netif = skb->skb_iif;
4311 ad.u.net->family = family;
4312 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4313 if (err)
4314 return err;
4315
4316 if (selinux_secmark_enabled()) {
4317 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4318 PACKET__RECV, &ad);
4319 if (err)
4320 return err;
4321 }
4322
4323 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4324 if (err)
4325 return err;
4326 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4327
4328 return err;
4329 }
4330
selinux_socket_sock_rcv_skb(struct sock * sk,struct sk_buff * skb)4331 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4332 {
4333 int err;
4334 struct sk_security_struct *sksec = sk->sk_security;
4335 u16 family = sk->sk_family;
4336 u32 sk_sid = sksec->sid;
4337 struct common_audit_data ad;
4338 struct lsm_network_audit net = {0,};
4339 char *addrp;
4340 u8 secmark_active;
4341 u8 peerlbl_active;
4342
4343 if (family != PF_INET && family != PF_INET6)
4344 return 0;
4345
4346 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4347 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4348 family = PF_INET;
4349
4350 /* If any sort of compatibility mode is enabled then handoff processing
4351 * to the selinux_sock_rcv_skb_compat() function to deal with the
4352 * special handling. We do this in an attempt to keep this function
4353 * as fast and as clean as possible. */
4354 if (!selinux_policycap_netpeer)
4355 return selinux_sock_rcv_skb_compat(sk, skb, family);
4356
4357 secmark_active = selinux_secmark_enabled();
4358 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4359 if (!secmark_active && !peerlbl_active)
4360 return 0;
4361
4362 ad.type = LSM_AUDIT_DATA_NET;
4363 ad.u.net = &net;
4364 ad.u.net->netif = skb->skb_iif;
4365 ad.u.net->family = family;
4366 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4367 if (err)
4368 return err;
4369
4370 if (peerlbl_active) {
4371 u32 peer_sid;
4372
4373 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4374 if (err)
4375 return err;
4376 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4377 addrp, family, peer_sid, &ad);
4378 if (err) {
4379 selinux_netlbl_err(skb, err, 0);
4380 return err;
4381 }
4382 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4383 PEER__RECV, &ad);
4384 if (err)
4385 selinux_netlbl_err(skb, err, 0);
4386 }
4387
4388 if (secmark_active) {
4389 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4390 PACKET__RECV, &ad);
4391 if (err)
4392 return err;
4393 }
4394
4395 return err;
4396 }
4397
selinux_socket_getpeersec_stream(struct socket * sock,char __user * optval,int __user * optlen,unsigned len)4398 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4399 int __user *optlen, unsigned len)
4400 {
4401 int err = 0;
4402 char *scontext;
4403 u32 scontext_len;
4404 struct sk_security_struct *sksec = sock->sk->sk_security;
4405 u32 peer_sid = SECSID_NULL;
4406
4407 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4408 sksec->sclass == SECCLASS_TCP_SOCKET)
4409 peer_sid = sksec->peer_sid;
4410 if (peer_sid == SECSID_NULL)
4411 return -ENOPROTOOPT;
4412
4413 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4414 if (err)
4415 return err;
4416
4417 if (scontext_len > len) {
4418 err = -ERANGE;
4419 goto out_len;
4420 }
4421
4422 if (copy_to_user(optval, scontext, scontext_len))
4423 err = -EFAULT;
4424
4425 out_len:
4426 if (put_user(scontext_len, optlen))
4427 err = -EFAULT;
4428 kfree(scontext);
4429 return err;
4430 }
4431
selinux_socket_getpeersec_dgram(struct socket * sock,struct sk_buff * skb,u32 * secid)4432 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4433 {
4434 u32 peer_secid = SECSID_NULL;
4435 u16 family;
4436
4437 if (skb && skb->protocol == htons(ETH_P_IP))
4438 family = PF_INET;
4439 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4440 family = PF_INET6;
4441 else if (sock)
4442 family = sock->sk->sk_family;
4443 else
4444 goto out;
4445
4446 if (sock && family == PF_UNIX)
4447 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4448 else if (skb)
4449 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4450
4451 out:
4452 *secid = peer_secid;
4453 if (peer_secid == SECSID_NULL)
4454 return -EINVAL;
4455 return 0;
4456 }
4457
selinux_sk_alloc_security(struct sock * sk,int family,gfp_t priority)4458 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4459 {
4460 struct sk_security_struct *sksec;
4461
4462 sksec = kzalloc(sizeof(*sksec), priority);
4463 if (!sksec)
4464 return -ENOMEM;
4465
4466 sksec->peer_sid = SECINITSID_UNLABELED;
4467 sksec->sid = SECINITSID_UNLABELED;
4468 selinux_netlbl_sk_security_reset(sksec);
4469 sk->sk_security = sksec;
4470
4471 return 0;
4472 }
4473
selinux_sk_free_security(struct sock * sk)4474 static void selinux_sk_free_security(struct sock *sk)
4475 {
4476 struct sk_security_struct *sksec = sk->sk_security;
4477
4478 sk->sk_security = NULL;
4479 selinux_netlbl_sk_security_free(sksec);
4480 kfree(sksec);
4481 }
4482
selinux_sk_clone_security(const struct sock * sk,struct sock * newsk)4483 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4484 {
4485 struct sk_security_struct *sksec = sk->sk_security;
4486 struct sk_security_struct *newsksec = newsk->sk_security;
4487
4488 newsksec->sid = sksec->sid;
4489 newsksec->peer_sid = sksec->peer_sid;
4490 newsksec->sclass = sksec->sclass;
4491
4492 selinux_netlbl_sk_security_reset(newsksec);
4493 }
4494
selinux_sk_getsecid(struct sock * sk,u32 * secid)4495 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4496 {
4497 if (!sk)
4498 *secid = SECINITSID_ANY_SOCKET;
4499 else {
4500 struct sk_security_struct *sksec = sk->sk_security;
4501
4502 *secid = sksec->sid;
4503 }
4504 }
4505
selinux_sock_graft(struct sock * sk,struct socket * parent)4506 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4507 {
4508 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4509 struct sk_security_struct *sksec = sk->sk_security;
4510
4511 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4512 sk->sk_family == PF_UNIX)
4513 isec->sid = sksec->sid;
4514 sksec->sclass = isec->sclass;
4515 }
4516
selinux_inet_conn_request(struct sock * sk,struct sk_buff * skb,struct request_sock * req)4517 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4518 struct request_sock *req)
4519 {
4520 struct sk_security_struct *sksec = sk->sk_security;
4521 int err;
4522 u16 family = sk->sk_family;
4523 u32 newsid;
4524 u32 peersid;
4525
4526 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4527 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4528 family = PF_INET;
4529
4530 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4531 if (err)
4532 return err;
4533 if (peersid == SECSID_NULL) {
4534 req->secid = sksec->sid;
4535 req->peer_secid = SECSID_NULL;
4536 } else {
4537 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4538 if (err)
4539 return err;
4540 req->secid = newsid;
4541 req->peer_secid = peersid;
4542 }
4543
4544 return selinux_netlbl_inet_conn_request(req, family);
4545 }
4546
selinux_inet_csk_clone(struct sock * newsk,const struct request_sock * req)4547 static void selinux_inet_csk_clone(struct sock *newsk,
4548 const struct request_sock *req)
4549 {
4550 struct sk_security_struct *newsksec = newsk->sk_security;
4551
4552 newsksec->sid = req->secid;
4553 newsksec->peer_sid = req->peer_secid;
4554 /* NOTE: Ideally, we should also get the isec->sid for the
4555 new socket in sync, but we don't have the isec available yet.
4556 So we will wait until sock_graft to do it, by which
4557 time it will have been created and available. */
4558
4559 /* We don't need to take any sort of lock here as we are the only
4560 * thread with access to newsksec */
4561 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4562 }
4563
selinux_inet_conn_established(struct sock * sk,struct sk_buff * skb)4564 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4565 {
4566 u16 family = sk->sk_family;
4567 struct sk_security_struct *sksec = sk->sk_security;
4568
4569 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4570 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4571 family = PF_INET;
4572
4573 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4574 }
4575
selinux_skb_owned_by(struct sk_buff * skb,struct sock * sk)4576 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4577 {
4578 skb_set_owner_w(skb, sk);
4579 }
4580
selinux_secmark_relabel_packet(u32 sid)4581 static int selinux_secmark_relabel_packet(u32 sid)
4582 {
4583 const struct task_security_struct *__tsec;
4584 u32 tsid;
4585
4586 __tsec = current_security();
4587 tsid = __tsec->sid;
4588
4589 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4590 }
4591
selinux_secmark_refcount_inc(void)4592 static void selinux_secmark_refcount_inc(void)
4593 {
4594 atomic_inc(&selinux_secmark_refcount);
4595 }
4596
selinux_secmark_refcount_dec(void)4597 static void selinux_secmark_refcount_dec(void)
4598 {
4599 atomic_dec(&selinux_secmark_refcount);
4600 }
4601
selinux_req_classify_flow(const struct request_sock * req,struct flowi * fl)4602 static void selinux_req_classify_flow(const struct request_sock *req,
4603 struct flowi *fl)
4604 {
4605 fl->flowi_secid = req->secid;
4606 }
4607
selinux_tun_dev_alloc_security(void ** security)4608 static int selinux_tun_dev_alloc_security(void **security)
4609 {
4610 struct tun_security_struct *tunsec;
4611
4612 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4613 if (!tunsec)
4614 return -ENOMEM;
4615 tunsec->sid = current_sid();
4616
4617 *security = tunsec;
4618 return 0;
4619 }
4620
selinux_tun_dev_free_security(void * security)4621 static void selinux_tun_dev_free_security(void *security)
4622 {
4623 kfree(security);
4624 }
4625
selinux_tun_dev_create(void)4626 static int selinux_tun_dev_create(void)
4627 {
4628 u32 sid = current_sid();
4629
4630 /* we aren't taking into account the "sockcreate" SID since the socket
4631 * that is being created here is not a socket in the traditional sense,
4632 * instead it is a private sock, accessible only to the kernel, and
4633 * representing a wide range of network traffic spanning multiple
4634 * connections unlike traditional sockets - check the TUN driver to
4635 * get a better understanding of why this socket is special */
4636
4637 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4638 NULL);
4639 }
4640
selinux_tun_dev_attach_queue(void * security)4641 static int selinux_tun_dev_attach_queue(void *security)
4642 {
4643 struct tun_security_struct *tunsec = security;
4644
4645 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4646 TUN_SOCKET__ATTACH_QUEUE, NULL);
4647 }
4648
selinux_tun_dev_attach(struct sock * sk,void * security)4649 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4650 {
4651 struct tun_security_struct *tunsec = security;
4652 struct sk_security_struct *sksec = sk->sk_security;
4653
4654 /* we don't currently perform any NetLabel based labeling here and it
4655 * isn't clear that we would want to do so anyway; while we could apply
4656 * labeling without the support of the TUN user the resulting labeled
4657 * traffic from the other end of the connection would almost certainly
4658 * cause confusion to the TUN user that had no idea network labeling
4659 * protocols were being used */
4660
4661 sksec->sid = tunsec->sid;
4662 sksec->sclass = SECCLASS_TUN_SOCKET;
4663
4664 return 0;
4665 }
4666
selinux_tun_dev_open(void * security)4667 static int selinux_tun_dev_open(void *security)
4668 {
4669 struct tun_security_struct *tunsec = security;
4670 u32 sid = current_sid();
4671 int err;
4672
4673 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4674 TUN_SOCKET__RELABELFROM, NULL);
4675 if (err)
4676 return err;
4677 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4678 TUN_SOCKET__RELABELTO, NULL);
4679 if (err)
4680 return err;
4681 tunsec->sid = sid;
4682
4683 return 0;
4684 }
4685
selinux_nlmsg_perm(struct sock * sk,struct sk_buff * skb)4686 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4687 {
4688 int err = 0;
4689 u32 perm;
4690 struct nlmsghdr *nlh;
4691 struct sk_security_struct *sksec = sk->sk_security;
4692
4693 if (skb->len < NLMSG_HDRLEN) {
4694 err = -EINVAL;
4695 goto out;
4696 }
4697 nlh = nlmsg_hdr(skb);
4698
4699 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4700 if (err) {
4701 if (err == -EINVAL) {
4702 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4703 "SELinux: unrecognized netlink message"
4704 " type=%hu for sclass=%hu\n",
4705 nlh->nlmsg_type, sksec->sclass);
4706 if (!selinux_enforcing || security_get_allow_unknown())
4707 err = 0;
4708 }
4709
4710 /* Ignore */
4711 if (err == -ENOENT)
4712 err = 0;
4713 goto out;
4714 }
4715
4716 err = sock_has_perm(current, sk, perm);
4717 out:
4718 return err;
4719 }
4720
4721 #ifdef CONFIG_NETFILTER
4722
selinux_ip_forward(struct sk_buff * skb,const struct net_device * indev,u16 family)4723 static unsigned int selinux_ip_forward(struct sk_buff *skb,
4724 const struct net_device *indev,
4725 u16 family)
4726 {
4727 int err;
4728 char *addrp;
4729 u32 peer_sid;
4730 struct common_audit_data ad;
4731 struct lsm_network_audit net = {0,};
4732 u8 secmark_active;
4733 u8 netlbl_active;
4734 u8 peerlbl_active;
4735
4736 if (!selinux_policycap_netpeer)
4737 return NF_ACCEPT;
4738
4739 secmark_active = selinux_secmark_enabled();
4740 netlbl_active = netlbl_enabled();
4741 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4742 if (!secmark_active && !peerlbl_active)
4743 return NF_ACCEPT;
4744
4745 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4746 return NF_DROP;
4747
4748 ad.type = LSM_AUDIT_DATA_NET;
4749 ad.u.net = &net;
4750 ad.u.net->netif = indev->ifindex;
4751 ad.u.net->family = family;
4752 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4753 return NF_DROP;
4754
4755 if (peerlbl_active) {
4756 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
4757 addrp, family, peer_sid, &ad);
4758 if (err) {
4759 selinux_netlbl_err(skb, err, 1);
4760 return NF_DROP;
4761 }
4762 }
4763
4764 if (secmark_active)
4765 if (avc_has_perm(peer_sid, skb->secmark,
4766 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4767 return NF_DROP;
4768
4769 if (netlbl_active)
4770 /* we do this in the FORWARD path and not the POST_ROUTING
4771 * path because we want to make sure we apply the necessary
4772 * labeling before IPsec is applied so we can leverage AH
4773 * protection */
4774 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4775 return NF_DROP;
4776
4777 return NF_ACCEPT;
4778 }
4779
selinux_ipv4_forward(unsigned int hooknum,struct sk_buff * skb,const struct net_device * in,const struct net_device * out,int (* okfn)(struct sk_buff *))4780 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4781 struct sk_buff *skb,
4782 const struct net_device *in,
4783 const struct net_device *out,
4784 int (*okfn)(struct sk_buff *))
4785 {
4786 return selinux_ip_forward(skb, in, PF_INET);
4787 }
4788
4789 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
selinux_ipv6_forward(unsigned int hooknum,struct sk_buff * skb,const struct net_device * in,const struct net_device * out,int (* okfn)(struct sk_buff *))4790 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4791 struct sk_buff *skb,
4792 const struct net_device *in,
4793 const struct net_device *out,
4794 int (*okfn)(struct sk_buff *))
4795 {
4796 return selinux_ip_forward(skb, in, PF_INET6);
4797 }
4798 #endif /* IPV6 */
4799
selinux_ip_output(struct sk_buff * skb,u16 family)4800 static unsigned int selinux_ip_output(struct sk_buff *skb,
4801 u16 family)
4802 {
4803 u32 sid;
4804
4805 if (!netlbl_enabled())
4806 return NF_ACCEPT;
4807
4808 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4809 * because we want to make sure we apply the necessary labeling
4810 * before IPsec is applied so we can leverage AH protection */
4811 if (skb->sk) {
4812 struct sk_security_struct *sksec = skb->sk->sk_security;
4813 sid = sksec->sid;
4814 } else
4815 sid = SECINITSID_KERNEL;
4816 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4817 return NF_DROP;
4818
4819 return NF_ACCEPT;
4820 }
4821
selinux_ipv4_output(unsigned int hooknum,struct sk_buff * skb,const struct net_device * in,const struct net_device * out,int (* okfn)(struct sk_buff *))4822 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4823 struct sk_buff *skb,
4824 const struct net_device *in,
4825 const struct net_device *out,
4826 int (*okfn)(struct sk_buff *))
4827 {
4828 return selinux_ip_output(skb, PF_INET);
4829 }
4830
selinux_ip_postroute_compat(struct sk_buff * skb,int ifindex,u16 family)4831 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4832 int ifindex,
4833 u16 family)
4834 {
4835 struct sock *sk = skb->sk;
4836 struct sk_security_struct *sksec;
4837 struct common_audit_data ad;
4838 struct lsm_network_audit net = {0,};
4839 char *addrp;
4840 u8 proto;
4841
4842 if (sk == NULL)
4843 return NF_ACCEPT;
4844 sksec = sk->sk_security;
4845
4846 ad.type = LSM_AUDIT_DATA_NET;
4847 ad.u.net = &net;
4848 ad.u.net->netif = ifindex;
4849 ad.u.net->family = family;
4850 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4851 return NF_DROP;
4852
4853 if (selinux_secmark_enabled())
4854 if (avc_has_perm(sksec->sid, skb->secmark,
4855 SECCLASS_PACKET, PACKET__SEND, &ad))
4856 return NF_DROP_ERR(-ECONNREFUSED);
4857
4858 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4859 return NF_DROP_ERR(-ECONNREFUSED);
4860
4861 return NF_ACCEPT;
4862 }
4863
selinux_ip_postroute(struct sk_buff * skb,const struct net_device * outdev,u16 family)4864 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
4865 const struct net_device *outdev,
4866 u16 family)
4867 {
4868 u32 secmark_perm;
4869 u32 peer_sid;
4870 int ifindex = outdev->ifindex;
4871 struct sock *sk;
4872 struct common_audit_data ad;
4873 struct lsm_network_audit net = {0,};
4874 char *addrp;
4875 u8 secmark_active;
4876 u8 peerlbl_active;
4877
4878 /* If any sort of compatibility mode is enabled then handoff processing
4879 * to the selinux_ip_postroute_compat() function to deal with the
4880 * special handling. We do this in an attempt to keep this function
4881 * as fast and as clean as possible. */
4882 if (!selinux_policycap_netpeer)
4883 return selinux_ip_postroute_compat(skb, ifindex, family);
4884 #ifdef CONFIG_XFRM
4885 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4886 * packet transformation so allow the packet to pass without any checks
4887 * since we'll have another chance to perform access control checks
4888 * when the packet is on it's final way out.
4889 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4890 * is NULL, in this case go ahead and apply access control. */
4891 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4892 return NF_ACCEPT;
4893 #endif
4894 secmark_active = selinux_secmark_enabled();
4895 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4896 if (!secmark_active && !peerlbl_active)
4897 return NF_ACCEPT;
4898
4899 /* if the packet is being forwarded then get the peer label from the
4900 * packet itself; otherwise check to see if it is from a local
4901 * application or the kernel, if from an application get the peer label
4902 * from the sending socket, otherwise use the kernel's sid */
4903 sk = skb->sk;
4904 if (sk == NULL) {
4905 if (skb->skb_iif) {
4906 secmark_perm = PACKET__FORWARD_OUT;
4907 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4908 return NF_DROP;
4909 } else {
4910 secmark_perm = PACKET__SEND;
4911 peer_sid = SECINITSID_KERNEL;
4912 }
4913 } else {
4914 struct sk_security_struct *sksec = sk->sk_security;
4915 peer_sid = sksec->sid;
4916 secmark_perm = PACKET__SEND;
4917 }
4918
4919 ad.type = LSM_AUDIT_DATA_NET;
4920 ad.u.net = &net;
4921 ad.u.net->netif = ifindex;
4922 ad.u.net->family = family;
4923 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4924 return NF_DROP;
4925
4926 if (secmark_active)
4927 if (avc_has_perm(peer_sid, skb->secmark,
4928 SECCLASS_PACKET, secmark_perm, &ad))
4929 return NF_DROP_ERR(-ECONNREFUSED);
4930
4931 if (peerlbl_active) {
4932 u32 if_sid;
4933 u32 node_sid;
4934
4935 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
4936 return NF_DROP;
4937 if (avc_has_perm(peer_sid, if_sid,
4938 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4939 return NF_DROP_ERR(-ECONNREFUSED);
4940
4941 if (sel_netnode_sid(addrp, family, &node_sid))
4942 return NF_DROP;
4943 if (avc_has_perm(peer_sid, node_sid,
4944 SECCLASS_NODE, NODE__SENDTO, &ad))
4945 return NF_DROP_ERR(-ECONNREFUSED);
4946 }
4947
4948 return NF_ACCEPT;
4949 }
4950
selinux_ipv4_postroute(unsigned int hooknum,struct sk_buff * skb,const struct net_device * in,const struct net_device * out,int (* okfn)(struct sk_buff *))4951 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4952 struct sk_buff *skb,
4953 const struct net_device *in,
4954 const struct net_device *out,
4955 int (*okfn)(struct sk_buff *))
4956 {
4957 return selinux_ip_postroute(skb, out, PF_INET);
4958 }
4959
4960 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
selinux_ipv6_postroute(unsigned int hooknum,struct sk_buff * skb,const struct net_device * in,const struct net_device * out,int (* okfn)(struct sk_buff *))4961 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4962 struct sk_buff *skb,
4963 const struct net_device *in,
4964 const struct net_device *out,
4965 int (*okfn)(struct sk_buff *))
4966 {
4967 return selinux_ip_postroute(skb, out, PF_INET6);
4968 }
4969 #endif /* IPV6 */
4970
4971 #endif /* CONFIG_NETFILTER */
4972
selinux_netlink_send(struct sock * sk,struct sk_buff * skb)4973 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4974 {
4975 int err;
4976
4977 err = cap_netlink_send(sk, skb);
4978 if (err)
4979 return err;
4980
4981 return selinux_nlmsg_perm(sk, skb);
4982 }
4983
ipc_alloc_security(struct task_struct * task,struct kern_ipc_perm * perm,u16 sclass)4984 static int ipc_alloc_security(struct task_struct *task,
4985 struct kern_ipc_perm *perm,
4986 u16 sclass)
4987 {
4988 struct ipc_security_struct *isec;
4989 u32 sid;
4990
4991 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4992 if (!isec)
4993 return -ENOMEM;
4994
4995 sid = task_sid(task);
4996 isec->sclass = sclass;
4997 isec->sid = sid;
4998 perm->security = isec;
4999
5000 return 0;
5001 }
5002
ipc_free_security(struct kern_ipc_perm * perm)5003 static void ipc_free_security(struct kern_ipc_perm *perm)
5004 {
5005 struct ipc_security_struct *isec = perm->security;
5006 perm->security = NULL;
5007 kfree(isec);
5008 }
5009
msg_msg_alloc_security(struct msg_msg * msg)5010 static int msg_msg_alloc_security(struct msg_msg *msg)
5011 {
5012 struct msg_security_struct *msec;
5013
5014 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5015 if (!msec)
5016 return -ENOMEM;
5017
5018 msec->sid = SECINITSID_UNLABELED;
5019 msg->security = msec;
5020
5021 return 0;
5022 }
5023
msg_msg_free_security(struct msg_msg * msg)5024 static void msg_msg_free_security(struct msg_msg *msg)
5025 {
5026 struct msg_security_struct *msec = msg->security;
5027
5028 msg->security = NULL;
5029 kfree(msec);
5030 }
5031
ipc_has_perm(struct kern_ipc_perm * ipc_perms,u32 perms)5032 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5033 u32 perms)
5034 {
5035 struct ipc_security_struct *isec;
5036 struct common_audit_data ad;
5037 u32 sid = current_sid();
5038
5039 isec = ipc_perms->security;
5040
5041 ad.type = LSM_AUDIT_DATA_IPC;
5042 ad.u.ipc_id = ipc_perms->key;
5043
5044 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5045 }
5046
selinux_msg_msg_alloc_security(struct msg_msg * msg)5047 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5048 {
5049 return msg_msg_alloc_security(msg);
5050 }
5051
selinux_msg_msg_free_security(struct msg_msg * msg)5052 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5053 {
5054 msg_msg_free_security(msg);
5055 }
5056
5057 /* message queue security operations */
selinux_msg_queue_alloc_security(struct msg_queue * msq)5058 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5059 {
5060 struct ipc_security_struct *isec;
5061 struct common_audit_data ad;
5062 u32 sid = current_sid();
5063 int rc;
5064
5065 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5066 if (rc)
5067 return rc;
5068
5069 isec = msq->q_perm.security;
5070
5071 ad.type = LSM_AUDIT_DATA_IPC;
5072 ad.u.ipc_id = msq->q_perm.key;
5073
5074 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5075 MSGQ__CREATE, &ad);
5076 if (rc) {
5077 ipc_free_security(&msq->q_perm);
5078 return rc;
5079 }
5080 return 0;
5081 }
5082
selinux_msg_queue_free_security(struct msg_queue * msq)5083 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5084 {
5085 ipc_free_security(&msq->q_perm);
5086 }
5087
selinux_msg_queue_associate(struct msg_queue * msq,int msqflg)5088 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5089 {
5090 struct ipc_security_struct *isec;
5091 struct common_audit_data ad;
5092 u32 sid = current_sid();
5093
5094 isec = msq->q_perm.security;
5095
5096 ad.type = LSM_AUDIT_DATA_IPC;
5097 ad.u.ipc_id = msq->q_perm.key;
5098
5099 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5100 MSGQ__ASSOCIATE, &ad);
5101 }
5102
selinux_msg_queue_msgctl(struct msg_queue * msq,int cmd)5103 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5104 {
5105 int err;
5106 int perms;
5107
5108 switch (cmd) {
5109 case IPC_INFO:
5110 case MSG_INFO:
5111 /* No specific object, just general system-wide information. */
5112 return task_has_system(current, SYSTEM__IPC_INFO);
5113 case IPC_STAT:
5114 case MSG_STAT:
5115 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5116 break;
5117 case IPC_SET:
5118 perms = MSGQ__SETATTR;
5119 break;
5120 case IPC_RMID:
5121 perms = MSGQ__DESTROY;
5122 break;
5123 default:
5124 return 0;
5125 }
5126
5127 err = ipc_has_perm(&msq->q_perm, perms);
5128 return err;
5129 }
5130
selinux_msg_queue_msgsnd(struct msg_queue * msq,struct msg_msg * msg,int msqflg)5131 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5132 {
5133 struct ipc_security_struct *isec;
5134 struct msg_security_struct *msec;
5135 struct common_audit_data ad;
5136 u32 sid = current_sid();
5137 int rc;
5138
5139 isec = msq->q_perm.security;
5140 msec = msg->security;
5141
5142 /*
5143 * First time through, need to assign label to the message
5144 */
5145 if (msec->sid == SECINITSID_UNLABELED) {
5146 /*
5147 * Compute new sid based on current process and
5148 * message queue this message will be stored in
5149 */
5150 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5151 NULL, &msec->sid);
5152 if (rc)
5153 return rc;
5154 }
5155
5156 ad.type = LSM_AUDIT_DATA_IPC;
5157 ad.u.ipc_id = msq->q_perm.key;
5158
5159 /* Can this process write to the queue? */
5160 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5161 MSGQ__WRITE, &ad);
5162 if (!rc)
5163 /* Can this process send the message */
5164 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5165 MSG__SEND, &ad);
5166 if (!rc)
5167 /* Can the message be put in the queue? */
5168 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5169 MSGQ__ENQUEUE, &ad);
5170
5171 return rc;
5172 }
5173
selinux_msg_queue_msgrcv(struct msg_queue * msq,struct msg_msg * msg,struct task_struct * target,long type,int mode)5174 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5175 struct task_struct *target,
5176 long type, int mode)
5177 {
5178 struct ipc_security_struct *isec;
5179 struct msg_security_struct *msec;
5180 struct common_audit_data ad;
5181 u32 sid = task_sid(target);
5182 int rc;
5183
5184 isec = msq->q_perm.security;
5185 msec = msg->security;
5186
5187 ad.type = LSM_AUDIT_DATA_IPC;
5188 ad.u.ipc_id = msq->q_perm.key;
5189
5190 rc = avc_has_perm(sid, isec->sid,
5191 SECCLASS_MSGQ, MSGQ__READ, &ad);
5192 if (!rc)
5193 rc = avc_has_perm(sid, msec->sid,
5194 SECCLASS_MSG, MSG__RECEIVE, &ad);
5195 return rc;
5196 }
5197
5198 /* Shared Memory security operations */
selinux_shm_alloc_security(struct shmid_kernel * shp)5199 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5200 {
5201 struct ipc_security_struct *isec;
5202 struct common_audit_data ad;
5203 u32 sid = current_sid();
5204 int rc;
5205
5206 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5207 if (rc)
5208 return rc;
5209
5210 isec = shp->shm_perm.security;
5211
5212 ad.type = LSM_AUDIT_DATA_IPC;
5213 ad.u.ipc_id = shp->shm_perm.key;
5214
5215 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5216 SHM__CREATE, &ad);
5217 if (rc) {
5218 ipc_free_security(&shp->shm_perm);
5219 return rc;
5220 }
5221 return 0;
5222 }
5223
selinux_shm_free_security(struct shmid_kernel * shp)5224 static void selinux_shm_free_security(struct shmid_kernel *shp)
5225 {
5226 ipc_free_security(&shp->shm_perm);
5227 }
5228
selinux_shm_associate(struct shmid_kernel * shp,int shmflg)5229 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5230 {
5231 struct ipc_security_struct *isec;
5232 struct common_audit_data ad;
5233 u32 sid = current_sid();
5234
5235 isec = shp->shm_perm.security;
5236
5237 ad.type = LSM_AUDIT_DATA_IPC;
5238 ad.u.ipc_id = shp->shm_perm.key;
5239
5240 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5241 SHM__ASSOCIATE, &ad);
5242 }
5243
5244 /* Note, at this point, shp is locked down */
selinux_shm_shmctl(struct shmid_kernel * shp,int cmd)5245 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5246 {
5247 int perms;
5248 int err;
5249
5250 switch (cmd) {
5251 case IPC_INFO:
5252 case SHM_INFO:
5253 /* No specific object, just general system-wide information. */
5254 return task_has_system(current, SYSTEM__IPC_INFO);
5255 case IPC_STAT:
5256 case SHM_STAT:
5257 perms = SHM__GETATTR | SHM__ASSOCIATE;
5258 break;
5259 case IPC_SET:
5260 perms = SHM__SETATTR;
5261 break;
5262 case SHM_LOCK:
5263 case SHM_UNLOCK:
5264 perms = SHM__LOCK;
5265 break;
5266 case IPC_RMID:
5267 perms = SHM__DESTROY;
5268 break;
5269 default:
5270 return 0;
5271 }
5272
5273 err = ipc_has_perm(&shp->shm_perm, perms);
5274 return err;
5275 }
5276
selinux_shm_shmat(struct shmid_kernel * shp,char __user * shmaddr,int shmflg)5277 static int selinux_shm_shmat(struct shmid_kernel *shp,
5278 char __user *shmaddr, int shmflg)
5279 {
5280 u32 perms;
5281
5282 if (shmflg & SHM_RDONLY)
5283 perms = SHM__READ;
5284 else
5285 perms = SHM__READ | SHM__WRITE;
5286
5287 return ipc_has_perm(&shp->shm_perm, perms);
5288 }
5289
5290 /* Semaphore security operations */
selinux_sem_alloc_security(struct sem_array * sma)5291 static int selinux_sem_alloc_security(struct sem_array *sma)
5292 {
5293 struct ipc_security_struct *isec;
5294 struct common_audit_data ad;
5295 u32 sid = current_sid();
5296 int rc;
5297
5298 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5299 if (rc)
5300 return rc;
5301
5302 isec = sma->sem_perm.security;
5303
5304 ad.type = LSM_AUDIT_DATA_IPC;
5305 ad.u.ipc_id = sma->sem_perm.key;
5306
5307 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5308 SEM__CREATE, &ad);
5309 if (rc) {
5310 ipc_free_security(&sma->sem_perm);
5311 return rc;
5312 }
5313 return 0;
5314 }
5315
selinux_sem_free_security(struct sem_array * sma)5316 static void selinux_sem_free_security(struct sem_array *sma)
5317 {
5318 ipc_free_security(&sma->sem_perm);
5319 }
5320
selinux_sem_associate(struct sem_array * sma,int semflg)5321 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5322 {
5323 struct ipc_security_struct *isec;
5324 struct common_audit_data ad;
5325 u32 sid = current_sid();
5326
5327 isec = sma->sem_perm.security;
5328
5329 ad.type = LSM_AUDIT_DATA_IPC;
5330 ad.u.ipc_id = sma->sem_perm.key;
5331
5332 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5333 SEM__ASSOCIATE, &ad);
5334 }
5335
5336 /* Note, at this point, sma is locked down */
selinux_sem_semctl(struct sem_array * sma,int cmd)5337 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5338 {
5339 int err;
5340 u32 perms;
5341
5342 switch (cmd) {
5343 case IPC_INFO:
5344 case SEM_INFO:
5345 /* No specific object, just general system-wide information. */
5346 return task_has_system(current, SYSTEM__IPC_INFO);
5347 case GETPID:
5348 case GETNCNT:
5349 case GETZCNT:
5350 perms = SEM__GETATTR;
5351 break;
5352 case GETVAL:
5353 case GETALL:
5354 perms = SEM__READ;
5355 break;
5356 case SETVAL:
5357 case SETALL:
5358 perms = SEM__WRITE;
5359 break;
5360 case IPC_RMID:
5361 perms = SEM__DESTROY;
5362 break;
5363 case IPC_SET:
5364 perms = SEM__SETATTR;
5365 break;
5366 case IPC_STAT:
5367 case SEM_STAT:
5368 perms = SEM__GETATTR | SEM__ASSOCIATE;
5369 break;
5370 default:
5371 return 0;
5372 }
5373
5374 err = ipc_has_perm(&sma->sem_perm, perms);
5375 return err;
5376 }
5377
selinux_sem_semop(struct sem_array * sma,struct sembuf * sops,unsigned nsops,int alter)5378 static int selinux_sem_semop(struct sem_array *sma,
5379 struct sembuf *sops, unsigned nsops, int alter)
5380 {
5381 u32 perms;
5382
5383 if (alter)
5384 perms = SEM__READ | SEM__WRITE;
5385 else
5386 perms = SEM__READ;
5387
5388 return ipc_has_perm(&sma->sem_perm, perms);
5389 }
5390
selinux_ipc_permission(struct kern_ipc_perm * ipcp,short flag)5391 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5392 {
5393 u32 av = 0;
5394
5395 av = 0;
5396 if (flag & S_IRUGO)
5397 av |= IPC__UNIX_READ;
5398 if (flag & S_IWUGO)
5399 av |= IPC__UNIX_WRITE;
5400
5401 if (av == 0)
5402 return 0;
5403
5404 return ipc_has_perm(ipcp, av);
5405 }
5406
selinux_ipc_getsecid(struct kern_ipc_perm * ipcp,u32 * secid)5407 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5408 {
5409 struct ipc_security_struct *isec = ipcp->security;
5410 *secid = isec->sid;
5411 }
5412
selinux_d_instantiate(struct dentry * dentry,struct inode * inode)5413 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5414 {
5415 if (inode)
5416 inode_doinit_with_dentry(inode, dentry);
5417 }
5418
selinux_getprocattr(struct task_struct * p,char * name,char ** value)5419 static int selinux_getprocattr(struct task_struct *p,
5420 char *name, char **value)
5421 {
5422 const struct task_security_struct *__tsec;
5423 u32 sid;
5424 int error;
5425 unsigned len;
5426
5427 if (current != p) {
5428 error = current_has_perm(p, PROCESS__GETATTR);
5429 if (error)
5430 return error;
5431 }
5432
5433 rcu_read_lock();
5434 __tsec = __task_cred(p)->security;
5435
5436 if (!strcmp(name, "current"))
5437 sid = __tsec->sid;
5438 else if (!strcmp(name, "prev"))
5439 sid = __tsec->osid;
5440 else if (!strcmp(name, "exec"))
5441 sid = __tsec->exec_sid;
5442 else if (!strcmp(name, "fscreate"))
5443 sid = __tsec->create_sid;
5444 else if (!strcmp(name, "keycreate"))
5445 sid = __tsec->keycreate_sid;
5446 else if (!strcmp(name, "sockcreate"))
5447 sid = __tsec->sockcreate_sid;
5448 else
5449 goto invalid;
5450 rcu_read_unlock();
5451
5452 if (!sid)
5453 return 0;
5454
5455 error = security_sid_to_context(sid, value, &len);
5456 if (error)
5457 return error;
5458 return len;
5459
5460 invalid:
5461 rcu_read_unlock();
5462 return -EINVAL;
5463 }
5464
selinux_setprocattr(struct task_struct * p,char * name,void * value,size_t size)5465 static int selinux_setprocattr(struct task_struct *p,
5466 char *name, void *value, size_t size)
5467 {
5468 struct task_security_struct *tsec;
5469 struct task_struct *tracer;
5470 struct cred *new;
5471 u32 sid = 0, ptsid;
5472 int error;
5473 char *str = value;
5474
5475 if (current != p) {
5476 /* SELinux only allows a process to change its own
5477 security attributes. */
5478 return -EACCES;
5479 }
5480
5481 /*
5482 * Basic control over ability to set these attributes at all.
5483 * current == p, but we'll pass them separately in case the
5484 * above restriction is ever removed.
5485 */
5486 if (!strcmp(name, "exec"))
5487 error = current_has_perm(p, PROCESS__SETEXEC);
5488 else if (!strcmp(name, "fscreate"))
5489 error = current_has_perm(p, PROCESS__SETFSCREATE);
5490 else if (!strcmp(name, "keycreate"))
5491 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5492 else if (!strcmp(name, "sockcreate"))
5493 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5494 else if (!strcmp(name, "current"))
5495 error = current_has_perm(p, PROCESS__SETCURRENT);
5496 else
5497 error = -EINVAL;
5498 if (error)
5499 return error;
5500
5501 /* Obtain a SID for the context, if one was specified. */
5502 if (size && str[0] && str[0] != '\n') {
5503 if (str[size-1] == '\n') {
5504 str[size-1] = 0;
5505 size--;
5506 }
5507 error = security_context_to_sid(value, size, &sid);
5508 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5509 if (!capable(CAP_MAC_ADMIN)) {
5510 struct audit_buffer *ab;
5511 size_t audit_size;
5512
5513 /* We strip a nul only if it is at the end, otherwise the
5514 * context contains a nul and we should audit that */
5515 if (str[size - 1] == '\0')
5516 audit_size = size - 1;
5517 else
5518 audit_size = size;
5519 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5520 audit_log_format(ab, "op=fscreate invalid_context=");
5521 audit_log_n_untrustedstring(ab, value, audit_size);
5522 audit_log_end(ab);
5523
5524 return error;
5525 }
5526 error = security_context_to_sid_force(value, size,
5527 &sid);
5528 }
5529 if (error)
5530 return error;
5531 }
5532
5533 new = prepare_creds();
5534 if (!new)
5535 return -ENOMEM;
5536
5537 /* Permission checking based on the specified context is
5538 performed during the actual operation (execve,
5539 open/mkdir/...), when we know the full context of the
5540 operation. See selinux_bprm_set_creds for the execve
5541 checks and may_create for the file creation checks. The
5542 operation will then fail if the context is not permitted. */
5543 tsec = new->security;
5544 if (!strcmp(name, "exec")) {
5545 tsec->exec_sid = sid;
5546 } else if (!strcmp(name, "fscreate")) {
5547 tsec->create_sid = sid;
5548 } else if (!strcmp(name, "keycreate")) {
5549 error = may_create_key(sid, p);
5550 if (error)
5551 goto abort_change;
5552 tsec->keycreate_sid = sid;
5553 } else if (!strcmp(name, "sockcreate")) {
5554 tsec->sockcreate_sid = sid;
5555 } else if (!strcmp(name, "current")) {
5556 error = -EINVAL;
5557 if (sid == 0)
5558 goto abort_change;
5559
5560 /* Only allow single threaded processes to change context */
5561 error = -EPERM;
5562 if (!current_is_single_threaded()) {
5563 error = security_bounded_transition(tsec->sid, sid);
5564 if (error)
5565 goto abort_change;
5566 }
5567
5568 /* Check permissions for the transition. */
5569 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5570 PROCESS__DYNTRANSITION, NULL);
5571 if (error)
5572 goto abort_change;
5573
5574 /* Check for ptracing, and update the task SID if ok.
5575 Otherwise, leave SID unchanged and fail. */
5576 ptsid = 0;
5577 task_lock(p);
5578 tracer = ptrace_parent(p);
5579 if (tracer)
5580 ptsid = task_sid(tracer);
5581 task_unlock(p);
5582
5583 if (tracer) {
5584 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5585 PROCESS__PTRACE, NULL);
5586 if (error)
5587 goto abort_change;
5588 }
5589
5590 tsec->sid = sid;
5591 } else {
5592 error = -EINVAL;
5593 goto abort_change;
5594 }
5595
5596 commit_creds(new);
5597 return size;
5598
5599 abort_change:
5600 abort_creds(new);
5601 return error;
5602 }
5603
selinux_secid_to_secctx(u32 secid,char ** secdata,u32 * seclen)5604 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5605 {
5606 return security_sid_to_context(secid, secdata, seclen);
5607 }
5608
selinux_secctx_to_secid(const char * secdata,u32 seclen,u32 * secid)5609 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5610 {
5611 return security_context_to_sid(secdata, seclen, secid);
5612 }
5613
selinux_release_secctx(char * secdata,u32 seclen)5614 static void selinux_release_secctx(char *secdata, u32 seclen)
5615 {
5616 kfree(secdata);
5617 }
5618
5619 /*
5620 * called with inode->i_mutex locked
5621 */
selinux_inode_notifysecctx(struct inode * inode,void * ctx,u32 ctxlen)5622 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5623 {
5624 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5625 }
5626
5627 /*
5628 * called with inode->i_mutex locked
5629 */
selinux_inode_setsecctx(struct dentry * dentry,void * ctx,u32 ctxlen)5630 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5631 {
5632 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5633 }
5634
selinux_inode_getsecctx(struct inode * inode,void ** ctx,u32 * ctxlen)5635 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5636 {
5637 int len = 0;
5638 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5639 ctx, true);
5640 if (len < 0)
5641 return len;
5642 *ctxlen = len;
5643 return 0;
5644 }
5645 #ifdef CONFIG_KEYS
5646
selinux_key_alloc(struct key * k,const struct cred * cred,unsigned long flags)5647 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5648 unsigned long flags)
5649 {
5650 const struct task_security_struct *tsec;
5651 struct key_security_struct *ksec;
5652
5653 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5654 if (!ksec)
5655 return -ENOMEM;
5656
5657 tsec = cred->security;
5658 if (tsec->keycreate_sid)
5659 ksec->sid = tsec->keycreate_sid;
5660 else
5661 ksec->sid = tsec->sid;
5662
5663 k->security = ksec;
5664 return 0;
5665 }
5666
selinux_key_free(struct key * k)5667 static void selinux_key_free(struct key *k)
5668 {
5669 struct key_security_struct *ksec = k->security;
5670
5671 k->security = NULL;
5672 kfree(ksec);
5673 }
5674
selinux_key_permission(key_ref_t key_ref,const struct cred * cred,key_perm_t perm)5675 static int selinux_key_permission(key_ref_t key_ref,
5676 const struct cred *cred,
5677 key_perm_t perm)
5678 {
5679 struct key *key;
5680 struct key_security_struct *ksec;
5681 u32 sid;
5682
5683 /* if no specific permissions are requested, we skip the
5684 permission check. No serious, additional covert channels
5685 appear to be created. */
5686 if (perm == 0)
5687 return 0;
5688
5689 sid = cred_sid(cred);
5690
5691 key = key_ref_to_ptr(key_ref);
5692 ksec = key->security;
5693
5694 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5695 }
5696
selinux_key_getsecurity(struct key * key,char ** _buffer)5697 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5698 {
5699 struct key_security_struct *ksec = key->security;
5700 char *context = NULL;
5701 unsigned len;
5702 int rc;
5703
5704 rc = security_sid_to_context(ksec->sid, &context, &len);
5705 if (!rc)
5706 rc = len;
5707 *_buffer = context;
5708 return rc;
5709 }
5710
5711 #endif
5712
5713 static struct security_operations selinux_ops = {
5714 .name = "selinux",
5715
5716 .binder_set_context_mgr = selinux_binder_set_context_mgr,
5717 .binder_transaction = selinux_binder_transaction,
5718 .binder_transfer_binder = selinux_binder_transfer_binder,
5719 .binder_transfer_file = selinux_binder_transfer_file,
5720
5721 .ptrace_access_check = selinux_ptrace_access_check,
5722 .ptrace_traceme = selinux_ptrace_traceme,
5723 .capget = selinux_capget,
5724 .capset = selinux_capset,
5725 .capable = selinux_capable,
5726 .quotactl = selinux_quotactl,
5727 .quota_on = selinux_quota_on,
5728 .syslog = selinux_syslog,
5729 .vm_enough_memory = selinux_vm_enough_memory,
5730
5731 .netlink_send = selinux_netlink_send,
5732
5733 .bprm_set_creds = selinux_bprm_set_creds,
5734 .bprm_committing_creds = selinux_bprm_committing_creds,
5735 .bprm_committed_creds = selinux_bprm_committed_creds,
5736 .bprm_secureexec = selinux_bprm_secureexec,
5737
5738 .sb_alloc_security = selinux_sb_alloc_security,
5739 .sb_free_security = selinux_sb_free_security,
5740 .sb_copy_data = selinux_sb_copy_data,
5741 .sb_remount = selinux_sb_remount,
5742 .sb_kern_mount = selinux_sb_kern_mount,
5743 .sb_show_options = selinux_sb_show_options,
5744 .sb_statfs = selinux_sb_statfs,
5745 .sb_mount = selinux_mount,
5746 .sb_umount = selinux_umount,
5747 .sb_set_mnt_opts = selinux_set_mnt_opts,
5748 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5749 .sb_parse_opts_str = selinux_parse_opts_str,
5750
5751
5752 .inode_alloc_security = selinux_inode_alloc_security,
5753 .inode_free_security = selinux_inode_free_security,
5754 .inode_init_security = selinux_inode_init_security,
5755 .inode_create = selinux_inode_create,
5756 .inode_link = selinux_inode_link,
5757 .inode_unlink = selinux_inode_unlink,
5758 .inode_symlink = selinux_inode_symlink,
5759 .inode_mkdir = selinux_inode_mkdir,
5760 .inode_rmdir = selinux_inode_rmdir,
5761 .inode_mknod = selinux_inode_mknod,
5762 .inode_rename = selinux_inode_rename,
5763 .inode_readlink = selinux_inode_readlink,
5764 .inode_follow_link = selinux_inode_follow_link,
5765 .inode_permission = selinux_inode_permission,
5766 .inode_setattr = selinux_inode_setattr,
5767 .inode_getattr = selinux_inode_getattr,
5768 .inode_setxattr = selinux_inode_setxattr,
5769 .inode_post_setxattr = selinux_inode_post_setxattr,
5770 .inode_getxattr = selinux_inode_getxattr,
5771 .inode_listxattr = selinux_inode_listxattr,
5772 .inode_removexattr = selinux_inode_removexattr,
5773 .inode_getsecurity = selinux_inode_getsecurity,
5774 .inode_setsecurity = selinux_inode_setsecurity,
5775 .inode_listsecurity = selinux_inode_listsecurity,
5776 .inode_getsecid = selinux_inode_getsecid,
5777
5778 .file_permission = selinux_file_permission,
5779 .file_alloc_security = selinux_file_alloc_security,
5780 .file_free_security = selinux_file_free_security,
5781 .file_ioctl = selinux_file_ioctl,
5782 .mmap_file = selinux_mmap_file,
5783 .mmap_addr = selinux_mmap_addr,
5784 .file_mprotect = selinux_file_mprotect,
5785 .file_lock = selinux_file_lock,
5786 .file_fcntl = selinux_file_fcntl,
5787 .file_set_fowner = selinux_file_set_fowner,
5788 .file_send_sigiotask = selinux_file_send_sigiotask,
5789 .file_receive = selinux_file_receive,
5790
5791 .file_open = selinux_file_open,
5792
5793 .task_create = selinux_task_create,
5794 .cred_alloc_blank = selinux_cred_alloc_blank,
5795 .cred_free = selinux_cred_free,
5796 .cred_prepare = selinux_cred_prepare,
5797 .cred_transfer = selinux_cred_transfer,
5798 .kernel_act_as = selinux_kernel_act_as,
5799 .kernel_create_files_as = selinux_kernel_create_files_as,
5800 .kernel_module_request = selinux_kernel_module_request,
5801 .kernel_module_from_file = selinux_kernel_module_from_file,
5802 .task_setpgid = selinux_task_setpgid,
5803 .task_getpgid = selinux_task_getpgid,
5804 .task_getsid = selinux_task_getsid,
5805 .task_getsecid = selinux_task_getsecid,
5806 .task_setnice = selinux_task_setnice,
5807 .task_setioprio = selinux_task_setioprio,
5808 .task_getioprio = selinux_task_getioprio,
5809 .task_setrlimit = selinux_task_setrlimit,
5810 .task_setscheduler = selinux_task_setscheduler,
5811 .task_getscheduler = selinux_task_getscheduler,
5812 .task_movememory = selinux_task_movememory,
5813 .task_kill = selinux_task_kill,
5814 .task_wait = selinux_task_wait,
5815 .task_to_inode = selinux_task_to_inode,
5816
5817 .ipc_permission = selinux_ipc_permission,
5818 .ipc_getsecid = selinux_ipc_getsecid,
5819
5820 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5821 .msg_msg_free_security = selinux_msg_msg_free_security,
5822
5823 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5824 .msg_queue_free_security = selinux_msg_queue_free_security,
5825 .msg_queue_associate = selinux_msg_queue_associate,
5826 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5827 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5828 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5829
5830 .shm_alloc_security = selinux_shm_alloc_security,
5831 .shm_free_security = selinux_shm_free_security,
5832 .shm_associate = selinux_shm_associate,
5833 .shm_shmctl = selinux_shm_shmctl,
5834 .shm_shmat = selinux_shm_shmat,
5835
5836 .sem_alloc_security = selinux_sem_alloc_security,
5837 .sem_free_security = selinux_sem_free_security,
5838 .sem_associate = selinux_sem_associate,
5839 .sem_semctl = selinux_sem_semctl,
5840 .sem_semop = selinux_sem_semop,
5841
5842 .d_instantiate = selinux_d_instantiate,
5843
5844 .getprocattr = selinux_getprocattr,
5845 .setprocattr = selinux_setprocattr,
5846
5847 .secid_to_secctx = selinux_secid_to_secctx,
5848 .secctx_to_secid = selinux_secctx_to_secid,
5849 .release_secctx = selinux_release_secctx,
5850 .inode_notifysecctx = selinux_inode_notifysecctx,
5851 .inode_setsecctx = selinux_inode_setsecctx,
5852 .inode_getsecctx = selinux_inode_getsecctx,
5853
5854 .unix_stream_connect = selinux_socket_unix_stream_connect,
5855 .unix_may_send = selinux_socket_unix_may_send,
5856
5857 .socket_create = selinux_socket_create,
5858 .socket_post_create = selinux_socket_post_create,
5859 .socket_bind = selinux_socket_bind,
5860 .socket_connect = selinux_socket_connect,
5861 .socket_listen = selinux_socket_listen,
5862 .socket_accept = selinux_socket_accept,
5863 .socket_sendmsg = selinux_socket_sendmsg,
5864 .socket_recvmsg = selinux_socket_recvmsg,
5865 .socket_getsockname = selinux_socket_getsockname,
5866 .socket_getpeername = selinux_socket_getpeername,
5867 .socket_getsockopt = selinux_socket_getsockopt,
5868 .socket_setsockopt = selinux_socket_setsockopt,
5869 .socket_shutdown = selinux_socket_shutdown,
5870 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5871 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5872 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5873 .sk_alloc_security = selinux_sk_alloc_security,
5874 .sk_free_security = selinux_sk_free_security,
5875 .sk_clone_security = selinux_sk_clone_security,
5876 .sk_getsecid = selinux_sk_getsecid,
5877 .sock_graft = selinux_sock_graft,
5878 .inet_conn_request = selinux_inet_conn_request,
5879 .inet_csk_clone = selinux_inet_csk_clone,
5880 .inet_conn_established = selinux_inet_conn_established,
5881 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5882 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5883 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5884 .req_classify_flow = selinux_req_classify_flow,
5885 .tun_dev_alloc_security = selinux_tun_dev_alloc_security,
5886 .tun_dev_free_security = selinux_tun_dev_free_security,
5887 .tun_dev_create = selinux_tun_dev_create,
5888 .tun_dev_attach_queue = selinux_tun_dev_attach_queue,
5889 .tun_dev_attach = selinux_tun_dev_attach,
5890 .tun_dev_open = selinux_tun_dev_open,
5891 .skb_owned_by = selinux_skb_owned_by,
5892
5893 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5894 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5895 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5896 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5897 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5898 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5899 .xfrm_state_free_security = selinux_xfrm_state_free,
5900 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5901 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5902 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5903 .xfrm_decode_session = selinux_xfrm_decode_session,
5904 #endif
5905
5906 #ifdef CONFIG_KEYS
5907 .key_alloc = selinux_key_alloc,
5908 .key_free = selinux_key_free,
5909 .key_permission = selinux_key_permission,
5910 .key_getsecurity = selinux_key_getsecurity,
5911 #endif
5912
5913 #ifdef CONFIG_AUDIT
5914 .audit_rule_init = selinux_audit_rule_init,
5915 .audit_rule_known = selinux_audit_rule_known,
5916 .audit_rule_match = selinux_audit_rule_match,
5917 .audit_rule_free = selinux_audit_rule_free,
5918 #endif
5919 };
5920
selinux_init(void)5921 static __init int selinux_init(void)
5922 {
5923 if (!security_module_enable(&selinux_ops)) {
5924 selinux_enabled = 0;
5925 return 0;
5926 }
5927
5928 if (!selinux_enabled) {
5929 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5930 return 0;
5931 }
5932
5933 printk(KERN_INFO "SELinux: Initializing.\n");
5934
5935 /* Set the security state for the initial task. */
5936 cred_init_security();
5937
5938 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5939
5940 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5941 sizeof(struct inode_security_struct),
5942 0, SLAB_PANIC, NULL);
5943 avc_init();
5944
5945 if (register_security(&selinux_ops))
5946 panic("SELinux: Unable to register with kernel.\n");
5947
5948 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
5949 panic("SELinux: Unable to register AVC netcache callback\n");
5950
5951 if (selinux_enforcing)
5952 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5953 else
5954 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5955
5956 return 0;
5957 }
5958
delayed_superblock_init(struct super_block * sb,void * unused)5959 static void delayed_superblock_init(struct super_block *sb, void *unused)
5960 {
5961 superblock_doinit(sb, NULL);
5962 }
5963
selinux_complete_init(void)5964 void selinux_complete_init(void)
5965 {
5966 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5967
5968 /* Set up any superblocks initialized prior to the policy load. */
5969 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5970 iterate_supers(delayed_superblock_init, NULL);
5971 }
5972
5973 /* SELinux requires early initialization in order to label
5974 all processes and objects when they are created. */
5975 security_initcall(selinux_init);
5976
5977 #if defined(CONFIG_NETFILTER)
5978
5979 static struct nf_hook_ops selinux_ipv4_ops[] = {
5980 {
5981 .hook = selinux_ipv4_postroute,
5982 .owner = THIS_MODULE,
5983 .pf = NFPROTO_IPV4,
5984 .hooknum = NF_INET_POST_ROUTING,
5985 .priority = NF_IP_PRI_SELINUX_LAST,
5986 },
5987 {
5988 .hook = selinux_ipv4_forward,
5989 .owner = THIS_MODULE,
5990 .pf = NFPROTO_IPV4,
5991 .hooknum = NF_INET_FORWARD,
5992 .priority = NF_IP_PRI_SELINUX_FIRST,
5993 },
5994 {
5995 .hook = selinux_ipv4_output,
5996 .owner = THIS_MODULE,
5997 .pf = NFPROTO_IPV4,
5998 .hooknum = NF_INET_LOCAL_OUT,
5999 .priority = NF_IP_PRI_SELINUX_FIRST,
6000 }
6001 };
6002
6003 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6004
6005 static struct nf_hook_ops selinux_ipv6_ops[] = {
6006 {
6007 .hook = selinux_ipv6_postroute,
6008 .owner = THIS_MODULE,
6009 .pf = NFPROTO_IPV6,
6010 .hooknum = NF_INET_POST_ROUTING,
6011 .priority = NF_IP6_PRI_SELINUX_LAST,
6012 },
6013 {
6014 .hook = selinux_ipv6_forward,
6015 .owner = THIS_MODULE,
6016 .pf = NFPROTO_IPV6,
6017 .hooknum = NF_INET_FORWARD,
6018 .priority = NF_IP6_PRI_SELINUX_FIRST,
6019 }
6020 };
6021
6022 #endif /* IPV6 */
6023
selinux_nf_ip_init(void)6024 static int __init selinux_nf_ip_init(void)
6025 {
6026 int err = 0;
6027
6028 if (!selinux_enabled)
6029 goto out;
6030
6031 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6032
6033 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
6034 if (err)
6035 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
6036
6037 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6038 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
6039 if (err)
6040 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
6041 #endif /* IPV6 */
6042
6043 out:
6044 return err;
6045 }
6046
6047 __initcall(selinux_nf_ip_init);
6048
6049 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
selinux_nf_ip_exit(void)6050 static void selinux_nf_ip_exit(void)
6051 {
6052 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6053
6054 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
6055 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6056 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
6057 #endif /* IPV6 */
6058 }
6059 #endif
6060
6061 #else /* CONFIG_NETFILTER */
6062
6063 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6064 #define selinux_nf_ip_exit()
6065 #endif
6066
6067 #endif /* CONFIG_NETFILTER */
6068
6069 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6070 static int selinux_disabled;
6071
selinux_disable(void)6072 int selinux_disable(void)
6073 {
6074 if (ss_initialized) {
6075 /* Not permitted after initial policy load. */
6076 return -EINVAL;
6077 }
6078
6079 if (selinux_disabled) {
6080 /* Only do this once. */
6081 return -EINVAL;
6082 }
6083
6084 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6085
6086 selinux_disabled = 1;
6087 selinux_enabled = 0;
6088
6089 reset_security_ops();
6090
6091 /* Try to destroy the avc node cache */
6092 avc_disable();
6093
6094 /* Unregister netfilter hooks. */
6095 selinux_nf_ip_exit();
6096
6097 /* Unregister selinuxfs. */
6098 exit_sel_fs();
6099
6100 return 0;
6101 }
6102 #endif
6103