1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/sock.h>
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h> /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/quota.h>
70 #include <linux/un.h> /* for Unix socket types */
71 #include <net/af_unix.h> /* for Unix socket types */
72 #include <linux/parser.h>
73 #include <linux/nfs_mount.h>
74 #include <net/ipv6.h>
75 #include <linux/hugetlb.h>
76 #include <linux/personality.h>
77 #include <linux/audit.h>
78 #include <linux/string.h>
79 #include <linux/selinux.h>
80 #include <linux/mutex.h>
81 #include <linux/posix-timers.h>
82 #include <linux/syslog.h>
83 #include <linux/user_namespace.h>
84 #include <linux/export.h>
85 #include <linux/msg.h>
86 #include <linux/shm.h>
87
88 #include "avc.h"
89 #include "objsec.h"
90 #include "netif.h"
91 #include "netnode.h"
92 #include "netport.h"
93 #include "xfrm.h"
94 #include "netlabel.h"
95 #include "audit.h"
96 #include "avc_ss.h"
97
98 extern struct security_operations *security_ops;
99
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
105
enforcing_setup(char * str)106 static int __init enforcing_setup(char *str)
107 {
108 unsigned long enforcing;
109 if (!kstrtoul(str, 0, &enforcing))
110 selinux_enforcing = enforcing ? 1 : 0;
111 return 1;
112 }
113 __setup("enforcing=", enforcing_setup);
114 #endif
115
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118
selinux_enabled_setup(char * str)119 static int __init selinux_enabled_setup(char *str)
120 {
121 unsigned long enabled;
122 if (!kstrtoul(str, 0, &enabled))
123 selinux_enabled = enabled ? 1 : 0;
124 return 1;
125 }
126 __setup("selinux=", selinux_enabled_setup);
127 #else
128 int selinux_enabled = 1;
129 #endif
130
131 static struct kmem_cache *sel_inode_cache;
132
133 /**
134 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135 *
136 * Description:
137 * This function checks the SECMARK reference counter to see if any SECMARK
138 * targets are currently configured, if the reference counter is greater than
139 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
140 * enabled, false (0) if SECMARK is disabled. If the always_check_network
141 * policy capability is enabled, SECMARK is always considered enabled.
142 *
143 */
selinux_secmark_enabled(void)144 static int selinux_secmark_enabled(void)
145 {
146 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
147 }
148
149 /**
150 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
151 *
152 * Description:
153 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
154 * (1) if any are enabled or false (0) if neither are enabled. If the
155 * always_check_network policy capability is enabled, peer labeling
156 * is always considered enabled.
157 *
158 */
selinux_peerlbl_enabled(void)159 static int selinux_peerlbl_enabled(void)
160 {
161 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
162 }
163
selinux_netcache_avc_callback(u32 event)164 static int selinux_netcache_avc_callback(u32 event)
165 {
166 if (event == AVC_CALLBACK_RESET) {
167 sel_netif_flush();
168 sel_netnode_flush();
169 sel_netport_flush();
170 synchronize_net();
171 }
172 return 0;
173 }
174
175 /*
176 * initialise the security for the init task
177 */
cred_init_security(void)178 static void cred_init_security(void)
179 {
180 struct cred *cred = (struct cred *) current->real_cred;
181 struct task_security_struct *tsec;
182
183 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
184 if (!tsec)
185 panic("SELinux: Failed to initialize initial task.\n");
186
187 tsec->osid = tsec->sid = SECINITSID_KERNEL;
188 cred->security = tsec;
189 }
190
191 /*
192 * get the security ID of a set of credentials
193 */
cred_sid(const struct cred * cred)194 static inline u32 cred_sid(const struct cred *cred)
195 {
196 const struct task_security_struct *tsec;
197
198 tsec = cred->security;
199 return tsec->sid;
200 }
201
202 /*
203 * get the objective security ID of a task
204 */
task_sid(const struct task_struct * task)205 static inline u32 task_sid(const struct task_struct *task)
206 {
207 u32 sid;
208
209 rcu_read_lock();
210 sid = cred_sid(__task_cred(task));
211 rcu_read_unlock();
212 return sid;
213 }
214
215 /*
216 * get the subjective security ID of the current task
217 */
current_sid(void)218 static inline u32 current_sid(void)
219 {
220 const struct task_security_struct *tsec = current_security();
221
222 return tsec->sid;
223 }
224
225 /* Allocate and free functions for each kind of security blob. */
226
inode_alloc_security(struct inode * inode)227 static int inode_alloc_security(struct inode *inode)
228 {
229 struct inode_security_struct *isec;
230 u32 sid = current_sid();
231
232 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
233 if (!isec)
234 return -ENOMEM;
235
236 mutex_init(&isec->lock);
237 INIT_LIST_HEAD(&isec->list);
238 isec->inode = inode;
239 isec->sid = SECINITSID_UNLABELED;
240 isec->sclass = SECCLASS_FILE;
241 isec->task_sid = sid;
242 inode->i_security = isec;
243
244 return 0;
245 }
246
inode_free_rcu(struct rcu_head * head)247 static void inode_free_rcu(struct rcu_head *head)
248 {
249 struct inode_security_struct *isec;
250
251 isec = container_of(head, struct inode_security_struct, rcu);
252 kmem_cache_free(sel_inode_cache, isec);
253 }
254
inode_free_security(struct inode * inode)255 static void inode_free_security(struct inode *inode)
256 {
257 struct inode_security_struct *isec = inode->i_security;
258 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
259
260 spin_lock(&sbsec->isec_lock);
261 if (!list_empty(&isec->list))
262 list_del_init(&isec->list);
263 spin_unlock(&sbsec->isec_lock);
264
265 /*
266 * The inode may still be referenced in a path walk and
267 * a call to selinux_inode_permission() can be made
268 * after inode_free_security() is called. Ideally, the VFS
269 * wouldn't do this, but fixing that is a much harder
270 * job. For now, simply free the i_security via RCU, and
271 * leave the current inode->i_security pointer intact.
272 * The inode will be freed after the RCU grace period too.
273 */
274 call_rcu(&isec->rcu, inode_free_rcu);
275 }
276
file_alloc_security(struct file * file)277 static int file_alloc_security(struct file *file)
278 {
279 struct file_security_struct *fsec;
280 u32 sid = current_sid();
281
282 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
283 if (!fsec)
284 return -ENOMEM;
285
286 fsec->sid = sid;
287 fsec->fown_sid = sid;
288 file->f_security = fsec;
289
290 return 0;
291 }
292
file_free_security(struct file * file)293 static void file_free_security(struct file *file)
294 {
295 struct file_security_struct *fsec = file->f_security;
296 file->f_security = NULL;
297 kfree(fsec);
298 }
299
superblock_alloc_security(struct super_block * sb)300 static int superblock_alloc_security(struct super_block *sb)
301 {
302 struct superblock_security_struct *sbsec;
303
304 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
305 if (!sbsec)
306 return -ENOMEM;
307
308 mutex_init(&sbsec->lock);
309 INIT_LIST_HEAD(&sbsec->isec_head);
310 spin_lock_init(&sbsec->isec_lock);
311 sbsec->sb = sb;
312 sbsec->sid = SECINITSID_UNLABELED;
313 sbsec->def_sid = SECINITSID_FILE;
314 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
315 sb->s_security = sbsec;
316
317 return 0;
318 }
319
superblock_free_security(struct super_block * sb)320 static void superblock_free_security(struct super_block *sb)
321 {
322 struct superblock_security_struct *sbsec = sb->s_security;
323 sb->s_security = NULL;
324 kfree(sbsec);
325 }
326
327 /* The file system's label must be initialized prior to use. */
328
329 static const char *labeling_behaviors[7] = {
330 "uses xattr",
331 "uses transition SIDs",
332 "uses task SIDs",
333 "uses genfs_contexts",
334 "not configured for labeling",
335 "uses mountpoint labeling",
336 "uses native labeling",
337 };
338
339 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
340
inode_doinit(struct inode * inode)341 static inline int inode_doinit(struct inode *inode)
342 {
343 return inode_doinit_with_dentry(inode, NULL);
344 }
345
346 enum {
347 Opt_error = -1,
348 Opt_context = 1,
349 Opt_fscontext = 2,
350 Opt_defcontext = 3,
351 Opt_rootcontext = 4,
352 Opt_labelsupport = 5,
353 Opt_nextmntopt = 6,
354 };
355
356 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
357
358 static const match_table_t tokens = {
359 {Opt_context, CONTEXT_STR "%s"},
360 {Opt_fscontext, FSCONTEXT_STR "%s"},
361 {Opt_defcontext, DEFCONTEXT_STR "%s"},
362 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
363 {Opt_labelsupport, LABELSUPP_STR},
364 {Opt_error, NULL},
365 };
366
367 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
368
may_context_mount_sb_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)369 static int may_context_mount_sb_relabel(u32 sid,
370 struct superblock_security_struct *sbsec,
371 const struct cred *cred)
372 {
373 const struct task_security_struct *tsec = cred->security;
374 int rc;
375
376 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
377 FILESYSTEM__RELABELFROM, NULL);
378 if (rc)
379 return rc;
380
381 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
382 FILESYSTEM__RELABELTO, NULL);
383 return rc;
384 }
385
may_context_mount_inode_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)386 static int may_context_mount_inode_relabel(u32 sid,
387 struct superblock_security_struct *sbsec,
388 const struct cred *cred)
389 {
390 const struct task_security_struct *tsec = cred->security;
391 int rc;
392 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
393 FILESYSTEM__RELABELFROM, NULL);
394 if (rc)
395 return rc;
396
397 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
398 FILESYSTEM__ASSOCIATE, NULL);
399 return rc;
400 }
401
selinux_is_sblabel_mnt(struct super_block * sb)402 static int selinux_is_sblabel_mnt(struct super_block *sb)
403 {
404 struct superblock_security_struct *sbsec = sb->s_security;
405
406 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
407 sbsec->behavior == SECURITY_FS_USE_TRANS ||
408 sbsec->behavior == SECURITY_FS_USE_TASK ||
409 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
410 /* Special handling. Genfs but also in-core setxattr handler */
411 !strcmp(sb->s_type->name, "sysfs") ||
412 !strcmp(sb->s_type->name, "pstore") ||
413 !strcmp(sb->s_type->name, "debugfs") ||
414 !strcmp(sb->s_type->name, "tracefs") ||
415 !strcmp(sb->s_type->name, "rootfs");
416 }
417
sb_finish_set_opts(struct super_block * sb)418 static int sb_finish_set_opts(struct super_block *sb)
419 {
420 struct superblock_security_struct *sbsec = sb->s_security;
421 struct dentry *root = sb->s_root;
422 struct inode *root_inode = root->d_inode;
423 int rc = 0;
424
425 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
426 /* Make sure that the xattr handler exists and that no
427 error other than -ENODATA is returned by getxattr on
428 the root directory. -ENODATA is ok, as this may be
429 the first boot of the SELinux kernel before we have
430 assigned xattr values to the filesystem. */
431 if (!root_inode->i_op->getxattr) {
432 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
433 "xattr support\n", sb->s_id, sb->s_type->name);
434 rc = -EOPNOTSUPP;
435 goto out;
436 }
437 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
438 if (rc < 0 && rc != -ENODATA) {
439 if (rc == -EOPNOTSUPP)
440 printk(KERN_WARNING "SELinux: (dev %s, type "
441 "%s) has no security xattr handler\n",
442 sb->s_id, sb->s_type->name);
443 else
444 printk(KERN_WARNING "SELinux: (dev %s, type "
445 "%s) getxattr errno %d\n", sb->s_id,
446 sb->s_type->name, -rc);
447 goto out;
448 }
449 }
450
451 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
452 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
453 sb->s_id, sb->s_type->name);
454 else
455 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
456 sb->s_id, sb->s_type->name,
457 labeling_behaviors[sbsec->behavior-1]);
458
459 sbsec->flags |= SE_SBINITIALIZED;
460 if (selinux_is_sblabel_mnt(sb))
461 sbsec->flags |= SBLABEL_MNT;
462
463 /* Initialize the root inode. */
464 rc = inode_doinit_with_dentry(root_inode, root);
465
466 /* Initialize any other inodes associated with the superblock, e.g.
467 inodes created prior to initial policy load or inodes created
468 during get_sb by a pseudo filesystem that directly
469 populates itself. */
470 spin_lock(&sbsec->isec_lock);
471 next_inode:
472 if (!list_empty(&sbsec->isec_head)) {
473 struct inode_security_struct *isec =
474 list_entry(sbsec->isec_head.next,
475 struct inode_security_struct, list);
476 struct inode *inode = isec->inode;
477 list_del_init(&isec->list);
478 spin_unlock(&sbsec->isec_lock);
479 inode = igrab(inode);
480 if (inode) {
481 if (!IS_PRIVATE(inode))
482 inode_doinit(inode);
483 iput(inode);
484 }
485 spin_lock(&sbsec->isec_lock);
486 goto next_inode;
487 }
488 spin_unlock(&sbsec->isec_lock);
489 out:
490 return rc;
491 }
492
493 /*
494 * This function should allow an FS to ask what it's mount security
495 * options were so it can use those later for submounts, displaying
496 * mount options, or whatever.
497 */
selinux_get_mnt_opts(const struct super_block * sb,struct security_mnt_opts * opts)498 static int selinux_get_mnt_opts(const struct super_block *sb,
499 struct security_mnt_opts *opts)
500 {
501 int rc = 0, i;
502 struct superblock_security_struct *sbsec = sb->s_security;
503 char *context = NULL;
504 u32 len;
505 char tmp;
506
507 security_init_mnt_opts(opts);
508
509 if (!(sbsec->flags & SE_SBINITIALIZED))
510 return -EINVAL;
511
512 if (!ss_initialized)
513 return -EINVAL;
514
515 /* make sure we always check enough bits to cover the mask */
516 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
517
518 tmp = sbsec->flags & SE_MNTMASK;
519 /* count the number of mount options for this sb */
520 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
521 if (tmp & 0x01)
522 opts->num_mnt_opts++;
523 tmp >>= 1;
524 }
525 /* Check if the Label support flag is set */
526 if (sbsec->flags & SBLABEL_MNT)
527 opts->num_mnt_opts++;
528
529 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
530 if (!opts->mnt_opts) {
531 rc = -ENOMEM;
532 goto out_free;
533 }
534
535 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
536 if (!opts->mnt_opts_flags) {
537 rc = -ENOMEM;
538 goto out_free;
539 }
540
541 i = 0;
542 if (sbsec->flags & FSCONTEXT_MNT) {
543 rc = security_sid_to_context(sbsec->sid, &context, &len);
544 if (rc)
545 goto out_free;
546 opts->mnt_opts[i] = context;
547 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
548 }
549 if (sbsec->flags & CONTEXT_MNT) {
550 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
551 if (rc)
552 goto out_free;
553 opts->mnt_opts[i] = context;
554 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
555 }
556 if (sbsec->flags & DEFCONTEXT_MNT) {
557 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
558 if (rc)
559 goto out_free;
560 opts->mnt_opts[i] = context;
561 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
562 }
563 if (sbsec->flags & ROOTCONTEXT_MNT) {
564 struct inode *root = sbsec->sb->s_root->d_inode;
565 struct inode_security_struct *isec = root->i_security;
566
567 rc = security_sid_to_context(isec->sid, &context, &len);
568 if (rc)
569 goto out_free;
570 opts->mnt_opts[i] = context;
571 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
572 }
573 if (sbsec->flags & SBLABEL_MNT) {
574 opts->mnt_opts[i] = NULL;
575 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
576 }
577
578 BUG_ON(i != opts->num_mnt_opts);
579
580 return 0;
581
582 out_free:
583 security_free_mnt_opts(opts);
584 return rc;
585 }
586
bad_option(struct superblock_security_struct * sbsec,char flag,u32 old_sid,u32 new_sid)587 static int bad_option(struct superblock_security_struct *sbsec, char flag,
588 u32 old_sid, u32 new_sid)
589 {
590 char mnt_flags = sbsec->flags & SE_MNTMASK;
591
592 /* check if the old mount command had the same options */
593 if (sbsec->flags & SE_SBINITIALIZED)
594 if (!(sbsec->flags & flag) ||
595 (old_sid != new_sid))
596 return 1;
597
598 /* check if we were passed the same options twice,
599 * aka someone passed context=a,context=b
600 */
601 if (!(sbsec->flags & SE_SBINITIALIZED))
602 if (mnt_flags & flag)
603 return 1;
604 return 0;
605 }
606
607 /*
608 * Allow filesystems with binary mount data to explicitly set mount point
609 * labeling information.
610 */
selinux_set_mnt_opts(struct super_block * sb,struct security_mnt_opts * opts,unsigned long kern_flags,unsigned long * set_kern_flags)611 static int selinux_set_mnt_opts(struct super_block *sb,
612 struct security_mnt_opts *opts,
613 unsigned long kern_flags,
614 unsigned long *set_kern_flags)
615 {
616 const struct cred *cred = current_cred();
617 int rc = 0, i;
618 struct superblock_security_struct *sbsec = sb->s_security;
619 const char *name = sb->s_type->name;
620 struct inode *inode = sbsec->sb->s_root->d_inode;
621 struct inode_security_struct *root_isec = inode->i_security;
622 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
623 u32 defcontext_sid = 0;
624 char **mount_options = opts->mnt_opts;
625 int *flags = opts->mnt_opts_flags;
626 int num_opts = opts->num_mnt_opts;
627
628 mutex_lock(&sbsec->lock);
629
630 if (!ss_initialized) {
631 if (!num_opts) {
632 /* Defer initialization until selinux_complete_init,
633 after the initial policy is loaded and the security
634 server is ready to handle calls. */
635 goto out;
636 }
637 rc = -EINVAL;
638 printk(KERN_WARNING "SELinux: Unable to set superblock options "
639 "before the security server is initialized\n");
640 goto out;
641 }
642 if (kern_flags && !set_kern_flags) {
643 /* Specifying internal flags without providing a place to
644 * place the results is not allowed */
645 rc = -EINVAL;
646 goto out;
647 }
648
649 /*
650 * Binary mount data FS will come through this function twice. Once
651 * from an explicit call and once from the generic calls from the vfs.
652 * Since the generic VFS calls will not contain any security mount data
653 * we need to skip the double mount verification.
654 *
655 * This does open a hole in which we will not notice if the first
656 * mount using this sb set explict options and a second mount using
657 * this sb does not set any security options. (The first options
658 * will be used for both mounts)
659 */
660 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
661 && (num_opts == 0))
662 goto out;
663
664 /*
665 * parse the mount options, check if they are valid sids.
666 * also check if someone is trying to mount the same sb more
667 * than once with different security options.
668 */
669 for (i = 0; i < num_opts; i++) {
670 u32 sid;
671
672 if (flags[i] == SBLABEL_MNT)
673 continue;
674 rc = security_context_to_sid(mount_options[i],
675 strlen(mount_options[i]), &sid, GFP_KERNEL);
676 if (rc) {
677 printk(KERN_WARNING "SELinux: security_context_to_sid"
678 "(%s) failed for (dev %s, type %s) errno=%d\n",
679 mount_options[i], sb->s_id, name, rc);
680 goto out;
681 }
682 switch (flags[i]) {
683 case FSCONTEXT_MNT:
684 fscontext_sid = sid;
685
686 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
687 fscontext_sid))
688 goto out_double_mount;
689
690 sbsec->flags |= FSCONTEXT_MNT;
691 break;
692 case CONTEXT_MNT:
693 context_sid = sid;
694
695 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
696 context_sid))
697 goto out_double_mount;
698
699 sbsec->flags |= CONTEXT_MNT;
700 break;
701 case ROOTCONTEXT_MNT:
702 rootcontext_sid = sid;
703
704 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
705 rootcontext_sid))
706 goto out_double_mount;
707
708 sbsec->flags |= ROOTCONTEXT_MNT;
709
710 break;
711 case DEFCONTEXT_MNT:
712 defcontext_sid = sid;
713
714 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
715 defcontext_sid))
716 goto out_double_mount;
717
718 sbsec->flags |= DEFCONTEXT_MNT;
719
720 break;
721 default:
722 rc = -EINVAL;
723 goto out;
724 }
725 }
726
727 if (sbsec->flags & SE_SBINITIALIZED) {
728 /* previously mounted with options, but not on this attempt? */
729 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
730 goto out_double_mount;
731 rc = 0;
732 goto out;
733 }
734
735 if (strcmp(sb->s_type->name, "proc") == 0)
736 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
737
738 if (!strcmp(sb->s_type->name, "debugfs") ||
739 !strcmp(sb->s_type->name, "tracefs") ||
740 !strcmp(sb->s_type->name, "sysfs") ||
741 !strcmp(sb->s_type->name, "pstore"))
742 sbsec->flags |= SE_SBGENFS;
743
744 if (!sbsec->behavior) {
745 /*
746 * Determine the labeling behavior to use for this
747 * filesystem type.
748 */
749 rc = security_fs_use(sb);
750 if (rc) {
751 printk(KERN_WARNING
752 "%s: security_fs_use(%s) returned %d\n",
753 __func__, sb->s_type->name, rc);
754 goto out;
755 }
756 }
757 /* sets the context of the superblock for the fs being mounted. */
758 if (fscontext_sid) {
759 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
760 if (rc)
761 goto out;
762
763 sbsec->sid = fscontext_sid;
764 }
765
766 /*
767 * Switch to using mount point labeling behavior.
768 * sets the label used on all file below the mountpoint, and will set
769 * the superblock context if not already set.
770 */
771 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
772 sbsec->behavior = SECURITY_FS_USE_NATIVE;
773 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
774 }
775
776 if (context_sid) {
777 if (!fscontext_sid) {
778 rc = may_context_mount_sb_relabel(context_sid, sbsec,
779 cred);
780 if (rc)
781 goto out;
782 sbsec->sid = context_sid;
783 } else {
784 rc = may_context_mount_inode_relabel(context_sid, sbsec,
785 cred);
786 if (rc)
787 goto out;
788 }
789 if (!rootcontext_sid)
790 rootcontext_sid = context_sid;
791
792 sbsec->mntpoint_sid = context_sid;
793 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
794 }
795
796 if (rootcontext_sid) {
797 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
798 cred);
799 if (rc)
800 goto out;
801
802 root_isec->sid = rootcontext_sid;
803 root_isec->initialized = 1;
804 }
805
806 if (defcontext_sid) {
807 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
808 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
809 rc = -EINVAL;
810 printk(KERN_WARNING "SELinux: defcontext option is "
811 "invalid for this filesystem type\n");
812 goto out;
813 }
814
815 if (defcontext_sid != sbsec->def_sid) {
816 rc = may_context_mount_inode_relabel(defcontext_sid,
817 sbsec, cred);
818 if (rc)
819 goto out;
820 }
821
822 sbsec->def_sid = defcontext_sid;
823 }
824
825 rc = sb_finish_set_opts(sb);
826 out:
827 mutex_unlock(&sbsec->lock);
828 return rc;
829 out_double_mount:
830 rc = -EINVAL;
831 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
832 "security settings for (dev %s, type %s)\n", sb->s_id, name);
833 goto out;
834 }
835
selinux_cmp_sb_context(const struct super_block * oldsb,const struct super_block * newsb)836 static int selinux_cmp_sb_context(const struct super_block *oldsb,
837 const struct super_block *newsb)
838 {
839 struct superblock_security_struct *old = oldsb->s_security;
840 struct superblock_security_struct *new = newsb->s_security;
841 char oldflags = old->flags & SE_MNTMASK;
842 char newflags = new->flags & SE_MNTMASK;
843
844 if (oldflags != newflags)
845 goto mismatch;
846 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
847 goto mismatch;
848 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
849 goto mismatch;
850 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
851 goto mismatch;
852 if (oldflags & ROOTCONTEXT_MNT) {
853 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
854 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
855 if (oldroot->sid != newroot->sid)
856 goto mismatch;
857 }
858 return 0;
859 mismatch:
860 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
861 "different security settings for (dev %s, "
862 "type %s)\n", newsb->s_id, newsb->s_type->name);
863 return -EBUSY;
864 }
865
selinux_sb_clone_mnt_opts(const struct super_block * oldsb,struct super_block * newsb)866 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
867 struct super_block *newsb)
868 {
869 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
870 struct superblock_security_struct *newsbsec = newsb->s_security;
871
872 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
873 int set_context = (oldsbsec->flags & CONTEXT_MNT);
874 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
875
876 /*
877 * if the parent was able to be mounted it clearly had no special lsm
878 * mount options. thus we can safely deal with this superblock later
879 */
880 if (!ss_initialized)
881 return 0;
882
883 /* how can we clone if the old one wasn't set up?? */
884 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
885
886 /* if fs is reusing a sb, make sure that the contexts match */
887 if (newsbsec->flags & SE_SBINITIALIZED)
888 return selinux_cmp_sb_context(oldsb, newsb);
889
890 mutex_lock(&newsbsec->lock);
891
892 newsbsec->flags = oldsbsec->flags;
893
894 newsbsec->sid = oldsbsec->sid;
895 newsbsec->def_sid = oldsbsec->def_sid;
896 newsbsec->behavior = oldsbsec->behavior;
897
898 if (set_context) {
899 u32 sid = oldsbsec->mntpoint_sid;
900
901 if (!set_fscontext)
902 newsbsec->sid = sid;
903 if (!set_rootcontext) {
904 struct inode *newinode = newsb->s_root->d_inode;
905 struct inode_security_struct *newisec = newinode->i_security;
906 newisec->sid = sid;
907 }
908 newsbsec->mntpoint_sid = sid;
909 }
910 if (set_rootcontext) {
911 const struct inode *oldinode = oldsb->s_root->d_inode;
912 const struct inode_security_struct *oldisec = oldinode->i_security;
913 struct inode *newinode = newsb->s_root->d_inode;
914 struct inode_security_struct *newisec = newinode->i_security;
915
916 newisec->sid = oldisec->sid;
917 }
918
919 sb_finish_set_opts(newsb);
920 mutex_unlock(&newsbsec->lock);
921 return 0;
922 }
923
selinux_parse_opts_str(char * options,struct security_mnt_opts * opts)924 static int selinux_parse_opts_str(char *options,
925 struct security_mnt_opts *opts)
926 {
927 char *p;
928 char *context = NULL, *defcontext = NULL;
929 char *fscontext = NULL, *rootcontext = NULL;
930 int rc, num_mnt_opts = 0;
931
932 opts->num_mnt_opts = 0;
933
934 /* Standard string-based options. */
935 while ((p = strsep(&options, "|")) != NULL) {
936 int token;
937 substring_t args[MAX_OPT_ARGS];
938
939 if (!*p)
940 continue;
941
942 token = match_token(p, tokens, args);
943
944 switch (token) {
945 case Opt_context:
946 if (context || defcontext) {
947 rc = -EINVAL;
948 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
949 goto out_err;
950 }
951 context = match_strdup(&args[0]);
952 if (!context) {
953 rc = -ENOMEM;
954 goto out_err;
955 }
956 break;
957
958 case Opt_fscontext:
959 if (fscontext) {
960 rc = -EINVAL;
961 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
962 goto out_err;
963 }
964 fscontext = match_strdup(&args[0]);
965 if (!fscontext) {
966 rc = -ENOMEM;
967 goto out_err;
968 }
969 break;
970
971 case Opt_rootcontext:
972 if (rootcontext) {
973 rc = -EINVAL;
974 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
975 goto out_err;
976 }
977 rootcontext = match_strdup(&args[0]);
978 if (!rootcontext) {
979 rc = -ENOMEM;
980 goto out_err;
981 }
982 break;
983
984 case Opt_defcontext:
985 if (context || defcontext) {
986 rc = -EINVAL;
987 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
988 goto out_err;
989 }
990 defcontext = match_strdup(&args[0]);
991 if (!defcontext) {
992 rc = -ENOMEM;
993 goto out_err;
994 }
995 break;
996 case Opt_labelsupport:
997 break;
998 default:
999 rc = -EINVAL;
1000 printk(KERN_WARNING "SELinux: unknown mount option\n");
1001 goto out_err;
1002
1003 }
1004 }
1005
1006 rc = -ENOMEM;
1007 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1008 if (!opts->mnt_opts)
1009 goto out_err;
1010
1011 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1012 if (!opts->mnt_opts_flags) {
1013 kfree(opts->mnt_opts);
1014 goto out_err;
1015 }
1016
1017 if (fscontext) {
1018 opts->mnt_opts[num_mnt_opts] = fscontext;
1019 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1020 }
1021 if (context) {
1022 opts->mnt_opts[num_mnt_opts] = context;
1023 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1024 }
1025 if (rootcontext) {
1026 opts->mnt_opts[num_mnt_opts] = rootcontext;
1027 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1028 }
1029 if (defcontext) {
1030 opts->mnt_opts[num_mnt_opts] = defcontext;
1031 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1032 }
1033
1034 opts->num_mnt_opts = num_mnt_opts;
1035 return 0;
1036
1037 out_err:
1038 kfree(context);
1039 kfree(defcontext);
1040 kfree(fscontext);
1041 kfree(rootcontext);
1042 return rc;
1043 }
1044 /*
1045 * string mount options parsing and call set the sbsec
1046 */
superblock_doinit(struct super_block * sb,void * data)1047 static int superblock_doinit(struct super_block *sb, void *data)
1048 {
1049 int rc = 0;
1050 char *options = data;
1051 struct security_mnt_opts opts;
1052
1053 security_init_mnt_opts(&opts);
1054
1055 if (!data)
1056 goto out;
1057
1058 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1059
1060 rc = selinux_parse_opts_str(options, &opts);
1061 if (rc)
1062 goto out_err;
1063
1064 out:
1065 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1066
1067 out_err:
1068 security_free_mnt_opts(&opts);
1069 return rc;
1070 }
1071
selinux_write_opts(struct seq_file * m,struct security_mnt_opts * opts)1072 static void selinux_write_opts(struct seq_file *m,
1073 struct security_mnt_opts *opts)
1074 {
1075 int i;
1076 char *prefix;
1077
1078 for (i = 0; i < opts->num_mnt_opts; i++) {
1079 char *has_comma;
1080
1081 if (opts->mnt_opts[i])
1082 has_comma = strchr(opts->mnt_opts[i], ',');
1083 else
1084 has_comma = NULL;
1085
1086 switch (opts->mnt_opts_flags[i]) {
1087 case CONTEXT_MNT:
1088 prefix = CONTEXT_STR;
1089 break;
1090 case FSCONTEXT_MNT:
1091 prefix = FSCONTEXT_STR;
1092 break;
1093 case ROOTCONTEXT_MNT:
1094 prefix = ROOTCONTEXT_STR;
1095 break;
1096 case DEFCONTEXT_MNT:
1097 prefix = DEFCONTEXT_STR;
1098 break;
1099 case SBLABEL_MNT:
1100 seq_putc(m, ',');
1101 seq_puts(m, LABELSUPP_STR);
1102 continue;
1103 default:
1104 BUG();
1105 return;
1106 };
1107 /* we need a comma before each option */
1108 seq_putc(m, ',');
1109 seq_puts(m, prefix);
1110 if (has_comma)
1111 seq_putc(m, '\"');
1112 seq_puts(m, opts->mnt_opts[i]);
1113 if (has_comma)
1114 seq_putc(m, '\"');
1115 }
1116 }
1117
selinux_sb_show_options(struct seq_file * m,struct super_block * sb)1118 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1119 {
1120 struct security_mnt_opts opts;
1121 int rc;
1122
1123 rc = selinux_get_mnt_opts(sb, &opts);
1124 if (rc) {
1125 /* before policy load we may get EINVAL, don't show anything */
1126 if (rc == -EINVAL)
1127 rc = 0;
1128 return rc;
1129 }
1130
1131 selinux_write_opts(m, &opts);
1132
1133 security_free_mnt_opts(&opts);
1134
1135 return rc;
1136 }
1137
inode_mode_to_security_class(umode_t mode)1138 static inline u16 inode_mode_to_security_class(umode_t mode)
1139 {
1140 switch (mode & S_IFMT) {
1141 case S_IFSOCK:
1142 return SECCLASS_SOCK_FILE;
1143 case S_IFLNK:
1144 return SECCLASS_LNK_FILE;
1145 case S_IFREG:
1146 return SECCLASS_FILE;
1147 case S_IFBLK:
1148 return SECCLASS_BLK_FILE;
1149 case S_IFDIR:
1150 return SECCLASS_DIR;
1151 case S_IFCHR:
1152 return SECCLASS_CHR_FILE;
1153 case S_IFIFO:
1154 return SECCLASS_FIFO_FILE;
1155
1156 }
1157
1158 return SECCLASS_FILE;
1159 }
1160
default_protocol_stream(int protocol)1161 static inline int default_protocol_stream(int protocol)
1162 {
1163 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1164 }
1165
default_protocol_dgram(int protocol)1166 static inline int default_protocol_dgram(int protocol)
1167 {
1168 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1169 }
1170
socket_type_to_security_class(int family,int type,int protocol)1171 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1172 {
1173 switch (family) {
1174 case PF_UNIX:
1175 switch (type) {
1176 case SOCK_STREAM:
1177 case SOCK_SEQPACKET:
1178 return SECCLASS_UNIX_STREAM_SOCKET;
1179 case SOCK_DGRAM:
1180 return SECCLASS_UNIX_DGRAM_SOCKET;
1181 }
1182 break;
1183 case PF_INET:
1184 case PF_INET6:
1185 switch (type) {
1186 case SOCK_STREAM:
1187 if (default_protocol_stream(protocol))
1188 return SECCLASS_TCP_SOCKET;
1189 else
1190 return SECCLASS_RAWIP_SOCKET;
1191 case SOCK_DGRAM:
1192 if (default_protocol_dgram(protocol))
1193 return SECCLASS_UDP_SOCKET;
1194 else
1195 return SECCLASS_RAWIP_SOCKET;
1196 case SOCK_DCCP:
1197 return SECCLASS_DCCP_SOCKET;
1198 default:
1199 return SECCLASS_RAWIP_SOCKET;
1200 }
1201 break;
1202 case PF_NETLINK:
1203 switch (protocol) {
1204 case NETLINK_ROUTE:
1205 return SECCLASS_NETLINK_ROUTE_SOCKET;
1206 case NETLINK_FIREWALL:
1207 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1208 case NETLINK_SOCK_DIAG:
1209 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1210 case NETLINK_NFLOG:
1211 return SECCLASS_NETLINK_NFLOG_SOCKET;
1212 case NETLINK_XFRM:
1213 return SECCLASS_NETLINK_XFRM_SOCKET;
1214 case NETLINK_SELINUX:
1215 return SECCLASS_NETLINK_SELINUX_SOCKET;
1216 case NETLINK_AUDIT:
1217 return SECCLASS_NETLINK_AUDIT_SOCKET;
1218 case NETLINK_IP6_FW:
1219 return SECCLASS_NETLINK_IP6FW_SOCKET;
1220 case NETLINK_DNRTMSG:
1221 return SECCLASS_NETLINK_DNRT_SOCKET;
1222 case NETLINK_KOBJECT_UEVENT:
1223 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1224 default:
1225 return SECCLASS_NETLINK_SOCKET;
1226 }
1227 case PF_PACKET:
1228 return SECCLASS_PACKET_SOCKET;
1229 case PF_KEY:
1230 return SECCLASS_KEY_SOCKET;
1231 case PF_APPLETALK:
1232 return SECCLASS_APPLETALK_SOCKET;
1233 }
1234
1235 return SECCLASS_SOCKET;
1236 }
1237
selinux_genfs_get_sid(struct dentry * dentry,u16 tclass,u16 flags,u32 * sid)1238 static int selinux_genfs_get_sid(struct dentry *dentry,
1239 u16 tclass,
1240 u16 flags,
1241 u32 *sid)
1242 {
1243 int rc;
1244 struct super_block *sb = dentry->d_inode->i_sb;
1245 char *buffer, *path;
1246
1247 buffer = (char *)__get_free_page(GFP_KERNEL);
1248 if (!buffer)
1249 return -ENOMEM;
1250
1251 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1252 if (IS_ERR(path))
1253 rc = PTR_ERR(path);
1254 else {
1255 if (flags & SE_SBPROC) {
1256 /* each process gets a /proc/PID/ entry. Strip off the
1257 * PID part to get a valid selinux labeling.
1258 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1259 while (path[1] >= '0' && path[1] <= '9') {
1260 path[1] = '/';
1261 path++;
1262 }
1263 }
1264 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1265 }
1266 free_page((unsigned long)buffer);
1267 return rc;
1268 }
1269
1270 /* The inode's security attributes must be initialized before first use. */
inode_doinit_with_dentry(struct inode * inode,struct dentry * opt_dentry)1271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1272 {
1273 struct superblock_security_struct *sbsec = NULL;
1274 struct inode_security_struct *isec = inode->i_security;
1275 u32 sid;
1276 struct dentry *dentry;
1277 #define INITCONTEXTLEN 255
1278 char *context = NULL;
1279 unsigned len = 0;
1280 int rc = 0;
1281
1282 if (isec->initialized)
1283 goto out;
1284
1285 mutex_lock(&isec->lock);
1286 if (isec->initialized)
1287 goto out_unlock;
1288
1289 sbsec = inode->i_sb->s_security;
1290 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1291 /* Defer initialization until selinux_complete_init,
1292 after the initial policy is loaded and the security
1293 server is ready to handle calls. */
1294 spin_lock(&sbsec->isec_lock);
1295 if (list_empty(&isec->list))
1296 list_add(&isec->list, &sbsec->isec_head);
1297 spin_unlock(&sbsec->isec_lock);
1298 goto out_unlock;
1299 }
1300
1301 switch (sbsec->behavior) {
1302 case SECURITY_FS_USE_NATIVE:
1303 break;
1304 case SECURITY_FS_USE_XATTR:
1305 if (!inode->i_op->getxattr) {
1306 isec->sid = sbsec->def_sid;
1307 break;
1308 }
1309
1310 /* Need a dentry, since the xattr API requires one.
1311 Life would be simpler if we could just pass the inode. */
1312 if (opt_dentry) {
1313 /* Called from d_instantiate or d_splice_alias. */
1314 dentry = dget(opt_dentry);
1315 } else {
1316 /* Called from selinux_complete_init, try to find a dentry. */
1317 dentry = d_find_alias(inode);
1318 }
1319 if (!dentry) {
1320 /*
1321 * this is can be hit on boot when a file is accessed
1322 * before the policy is loaded. When we load policy we
1323 * may find inodes that have no dentry on the
1324 * sbsec->isec_head list. No reason to complain as these
1325 * will get fixed up the next time we go through
1326 * inode_doinit with a dentry, before these inodes could
1327 * be used again by userspace.
1328 */
1329 goto out_unlock;
1330 }
1331
1332 len = INITCONTEXTLEN;
1333 context = kmalloc(len+1, GFP_NOFS);
1334 if (!context) {
1335 rc = -ENOMEM;
1336 dput(dentry);
1337 goto out_unlock;
1338 }
1339 context[len] = '\0';
1340 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1341 context, len);
1342 if (rc == -ERANGE) {
1343 kfree(context);
1344
1345 /* Need a larger buffer. Query for the right size. */
1346 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1347 NULL, 0);
1348 if (rc < 0) {
1349 dput(dentry);
1350 goto out_unlock;
1351 }
1352 len = rc;
1353 context = kmalloc(len+1, GFP_NOFS);
1354 if (!context) {
1355 rc = -ENOMEM;
1356 dput(dentry);
1357 goto out_unlock;
1358 }
1359 context[len] = '\0';
1360 rc = inode->i_op->getxattr(dentry,
1361 XATTR_NAME_SELINUX,
1362 context, len);
1363 }
1364 dput(dentry);
1365 if (rc < 0) {
1366 if (rc != -ENODATA) {
1367 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1368 "%d for dev=%s ino=%ld\n", __func__,
1369 -rc, inode->i_sb->s_id, inode->i_ino);
1370 kfree(context);
1371 goto out_unlock;
1372 }
1373 /* Map ENODATA to the default file SID */
1374 sid = sbsec->def_sid;
1375 rc = 0;
1376 } else {
1377 rc = security_context_to_sid_default(context, rc, &sid,
1378 sbsec->def_sid,
1379 GFP_NOFS);
1380 if (rc) {
1381 char *dev = inode->i_sb->s_id;
1382 unsigned long ino = inode->i_ino;
1383
1384 if (rc == -EINVAL) {
1385 if (printk_ratelimit())
1386 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1387 "context=%s. This indicates you may need to relabel the inode or the "
1388 "filesystem in question.\n", ino, dev, context);
1389 } else {
1390 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1391 "returned %d for dev=%s ino=%ld\n",
1392 __func__, context, -rc, dev, ino);
1393 }
1394 kfree(context);
1395 /* Leave with the unlabeled SID */
1396 rc = 0;
1397 break;
1398 }
1399 }
1400 kfree(context);
1401 isec->sid = sid;
1402 break;
1403 case SECURITY_FS_USE_TASK:
1404 isec->sid = isec->task_sid;
1405 break;
1406 case SECURITY_FS_USE_TRANS:
1407 /* Default to the fs SID. */
1408 isec->sid = sbsec->sid;
1409
1410 /* Try to obtain a transition SID. */
1411 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1412 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1413 isec->sclass, NULL, &sid);
1414 if (rc)
1415 goto out_unlock;
1416 isec->sid = sid;
1417 break;
1418 case SECURITY_FS_USE_MNTPOINT:
1419 isec->sid = sbsec->mntpoint_sid;
1420 break;
1421 default:
1422 /* Default to the fs superblock SID. */
1423 isec->sid = sbsec->sid;
1424
1425 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1426 /* We must have a dentry to determine the label on
1427 * procfs inodes */
1428 if (opt_dentry)
1429 /* Called from d_instantiate or
1430 * d_splice_alias. */
1431 dentry = dget(opt_dentry);
1432 else
1433 /* Called from selinux_complete_init, try to
1434 * find a dentry. */
1435 dentry = d_find_alias(inode);
1436 /*
1437 * This can be hit on boot when a file is accessed
1438 * before the policy is loaded. When we load policy we
1439 * may find inodes that have no dentry on the
1440 * sbsec->isec_head list. No reason to complain as
1441 * these will get fixed up the next time we go through
1442 * inode_doinit() with a dentry, before these inodes
1443 * could be used again by userspace.
1444 */
1445 if (!dentry)
1446 goto out_unlock;
1447 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1448 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1449 sbsec->flags, &sid);
1450 dput(dentry);
1451 if (rc)
1452 goto out_unlock;
1453 isec->sid = sid;
1454 }
1455 break;
1456 }
1457
1458 isec->initialized = 1;
1459
1460 out_unlock:
1461 mutex_unlock(&isec->lock);
1462 out:
1463 if (isec->sclass == SECCLASS_FILE)
1464 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1465 return rc;
1466 }
1467
1468 /* Convert a Linux signal to an access vector. */
signal_to_av(int sig)1469 static inline u32 signal_to_av(int sig)
1470 {
1471 u32 perm = 0;
1472
1473 switch (sig) {
1474 case SIGCHLD:
1475 /* Commonly granted from child to parent. */
1476 perm = PROCESS__SIGCHLD;
1477 break;
1478 case SIGKILL:
1479 /* Cannot be caught or ignored */
1480 perm = PROCESS__SIGKILL;
1481 break;
1482 case SIGSTOP:
1483 /* Cannot be caught or ignored */
1484 perm = PROCESS__SIGSTOP;
1485 break;
1486 default:
1487 /* All other signals. */
1488 perm = PROCESS__SIGNAL;
1489 break;
1490 }
1491
1492 return perm;
1493 }
1494
1495 /*
1496 * Check permission between a pair of credentials
1497 * fork check, ptrace check, etc.
1498 */
cred_has_perm(const struct cred * actor,const struct cred * target,u32 perms)1499 static int cred_has_perm(const struct cred *actor,
1500 const struct cred *target,
1501 u32 perms)
1502 {
1503 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1504
1505 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1506 }
1507
1508 /*
1509 * Check permission between a pair of tasks, e.g. signal checks,
1510 * fork check, ptrace check, etc.
1511 * tsk1 is the actor and tsk2 is the target
1512 * - this uses the default subjective creds of tsk1
1513 */
task_has_perm(const struct task_struct * tsk1,const struct task_struct * tsk2,u32 perms)1514 static int task_has_perm(const struct task_struct *tsk1,
1515 const struct task_struct *tsk2,
1516 u32 perms)
1517 {
1518 const struct task_security_struct *__tsec1, *__tsec2;
1519 u32 sid1, sid2;
1520
1521 rcu_read_lock();
1522 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1523 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1524 rcu_read_unlock();
1525 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1526 }
1527
1528 /*
1529 * Check permission between current and another task, e.g. signal checks,
1530 * fork check, ptrace check, etc.
1531 * current is the actor and tsk2 is the target
1532 * - this uses current's subjective creds
1533 */
current_has_perm(const struct task_struct * tsk,u32 perms)1534 static int current_has_perm(const struct task_struct *tsk,
1535 u32 perms)
1536 {
1537 u32 sid, tsid;
1538
1539 sid = current_sid();
1540 tsid = task_sid(tsk);
1541 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1542 }
1543
1544 #if CAP_LAST_CAP > 63
1545 #error Fix SELinux to handle capabilities > 63.
1546 #endif
1547
1548 /* Check whether a task is allowed to use a capability. */
cred_has_capability(const struct cred * cred,int cap,int audit)1549 static int cred_has_capability(const struct cred *cred,
1550 int cap, int audit)
1551 {
1552 struct common_audit_data ad;
1553 struct av_decision avd;
1554 u16 sclass;
1555 u32 sid = cred_sid(cred);
1556 u32 av = CAP_TO_MASK(cap);
1557 int rc;
1558
1559 ad.type = LSM_AUDIT_DATA_CAP;
1560 ad.u.cap = cap;
1561
1562 switch (CAP_TO_INDEX(cap)) {
1563 case 0:
1564 sclass = SECCLASS_CAPABILITY;
1565 break;
1566 case 1:
1567 sclass = SECCLASS_CAPABILITY2;
1568 break;
1569 default:
1570 printk(KERN_ERR
1571 "SELinux: out of range capability %d\n", cap);
1572 BUG();
1573 return -EINVAL;
1574 }
1575
1576 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1577 if (audit == SECURITY_CAP_AUDIT) {
1578 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1579 if (rc2)
1580 return rc2;
1581 }
1582 return rc;
1583 }
1584
1585 /* Check whether a task is allowed to use a system operation. */
task_has_system(struct task_struct * tsk,u32 perms)1586 static int task_has_system(struct task_struct *tsk,
1587 u32 perms)
1588 {
1589 u32 sid = task_sid(tsk);
1590
1591 return avc_has_perm(sid, SECINITSID_KERNEL,
1592 SECCLASS_SYSTEM, perms, NULL);
1593 }
1594
1595 /* Check whether a task has a particular permission to an inode.
1596 The 'adp' parameter is optional and allows other audit
1597 data to be passed (e.g. the dentry). */
inode_has_perm(const struct cred * cred,struct inode * inode,u32 perms,struct common_audit_data * adp)1598 static int inode_has_perm(const struct cred *cred,
1599 struct inode *inode,
1600 u32 perms,
1601 struct common_audit_data *adp)
1602 {
1603 struct inode_security_struct *isec;
1604 u32 sid;
1605
1606 validate_creds(cred);
1607
1608 if (unlikely(IS_PRIVATE(inode)))
1609 return 0;
1610
1611 sid = cred_sid(cred);
1612 isec = inode->i_security;
1613
1614 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1615 }
1616
1617 /* Same as inode_has_perm, but pass explicit audit data containing
1618 the dentry to help the auditing code to more easily generate the
1619 pathname if needed. */
dentry_has_perm(const struct cred * cred,struct dentry * dentry,u32 av)1620 static inline int dentry_has_perm(const struct cred *cred,
1621 struct dentry *dentry,
1622 u32 av)
1623 {
1624 struct inode *inode = dentry->d_inode;
1625 struct common_audit_data ad;
1626
1627 ad.type = LSM_AUDIT_DATA_DENTRY;
1628 ad.u.dentry = dentry;
1629 return inode_has_perm(cred, inode, av, &ad);
1630 }
1631
1632 /* Same as inode_has_perm, but pass explicit audit data containing
1633 the path to help the auditing code to more easily generate the
1634 pathname if needed. */
path_has_perm(const struct cred * cred,struct path * path,u32 av)1635 static inline int path_has_perm(const struct cred *cred,
1636 struct path *path,
1637 u32 av)
1638 {
1639 struct inode *inode = path->dentry->d_inode;
1640 struct common_audit_data ad;
1641
1642 ad.type = LSM_AUDIT_DATA_PATH;
1643 ad.u.path = *path;
1644 return inode_has_perm(cred, inode, av, &ad);
1645 }
1646
1647 /* Same as path_has_perm, but uses the inode from the file struct. */
file_path_has_perm(const struct cred * cred,struct file * file,u32 av)1648 static inline int file_path_has_perm(const struct cred *cred,
1649 struct file *file,
1650 u32 av)
1651 {
1652 struct common_audit_data ad;
1653
1654 ad.type = LSM_AUDIT_DATA_PATH;
1655 ad.u.path = file->f_path;
1656 return inode_has_perm(cred, file_inode(file), av, &ad);
1657 }
1658
1659 /* Check whether a task can use an open file descriptor to
1660 access an inode in a given way. Check access to the
1661 descriptor itself, and then use dentry_has_perm to
1662 check a particular permission to the file.
1663 Access to the descriptor is implicitly granted if it
1664 has the same SID as the process. If av is zero, then
1665 access to the file is not checked, e.g. for cases
1666 where only the descriptor is affected like seek. */
file_has_perm(const struct cred * cred,struct file * file,u32 av)1667 static int file_has_perm(const struct cred *cred,
1668 struct file *file,
1669 u32 av)
1670 {
1671 struct file_security_struct *fsec = file->f_security;
1672 struct inode *inode = file_inode(file);
1673 struct common_audit_data ad;
1674 u32 sid = cred_sid(cred);
1675 int rc;
1676
1677 ad.type = LSM_AUDIT_DATA_PATH;
1678 ad.u.path = file->f_path;
1679
1680 if (sid != fsec->sid) {
1681 rc = avc_has_perm(sid, fsec->sid,
1682 SECCLASS_FD,
1683 FD__USE,
1684 &ad);
1685 if (rc)
1686 goto out;
1687 }
1688
1689 /* av is zero if only checking access to the descriptor. */
1690 rc = 0;
1691 if (av)
1692 rc = inode_has_perm(cred, inode, av, &ad);
1693
1694 out:
1695 return rc;
1696 }
1697
1698 /* Check whether a task can create a file. */
may_create(struct inode * dir,struct dentry * dentry,u16 tclass)1699 static int may_create(struct inode *dir,
1700 struct dentry *dentry,
1701 u16 tclass)
1702 {
1703 const struct task_security_struct *tsec = current_security();
1704 struct inode_security_struct *dsec;
1705 struct superblock_security_struct *sbsec;
1706 u32 sid, newsid;
1707 struct common_audit_data ad;
1708 int rc;
1709
1710 dsec = dir->i_security;
1711 sbsec = dir->i_sb->s_security;
1712
1713 sid = tsec->sid;
1714 newsid = tsec->create_sid;
1715
1716 ad.type = LSM_AUDIT_DATA_DENTRY;
1717 ad.u.dentry = dentry;
1718
1719 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1720 DIR__ADD_NAME | DIR__SEARCH,
1721 &ad);
1722 if (rc)
1723 return rc;
1724
1725 if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
1726 rc = security_transition_sid(sid, dsec->sid, tclass,
1727 &dentry->d_name, &newsid);
1728 if (rc)
1729 return rc;
1730 }
1731
1732 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1733 if (rc)
1734 return rc;
1735
1736 return avc_has_perm(newsid, sbsec->sid,
1737 SECCLASS_FILESYSTEM,
1738 FILESYSTEM__ASSOCIATE, &ad);
1739 }
1740
1741 /* Check whether a task can create a key. */
may_create_key(u32 ksid,struct task_struct * ctx)1742 static int may_create_key(u32 ksid,
1743 struct task_struct *ctx)
1744 {
1745 u32 sid = task_sid(ctx);
1746
1747 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1748 }
1749
1750 #define MAY_LINK 0
1751 #define MAY_UNLINK 1
1752 #define MAY_RMDIR 2
1753
1754 /* Check whether a task can link, unlink, or rmdir a file/directory. */
may_link(struct inode * dir,struct dentry * dentry,int kind)1755 static int may_link(struct inode *dir,
1756 struct dentry *dentry,
1757 int kind)
1758
1759 {
1760 struct inode_security_struct *dsec, *isec;
1761 struct common_audit_data ad;
1762 u32 sid = current_sid();
1763 u32 av;
1764 int rc;
1765
1766 dsec = dir->i_security;
1767 isec = dentry->d_inode->i_security;
1768
1769 ad.type = LSM_AUDIT_DATA_DENTRY;
1770 ad.u.dentry = dentry;
1771
1772 av = DIR__SEARCH;
1773 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1774 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1775 if (rc)
1776 return rc;
1777
1778 switch (kind) {
1779 case MAY_LINK:
1780 av = FILE__LINK;
1781 break;
1782 case MAY_UNLINK:
1783 av = FILE__UNLINK;
1784 break;
1785 case MAY_RMDIR:
1786 av = DIR__RMDIR;
1787 break;
1788 default:
1789 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1790 __func__, kind);
1791 return 0;
1792 }
1793
1794 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1795 return rc;
1796 }
1797
may_rename(struct inode * old_dir,struct dentry * old_dentry,struct inode * new_dir,struct dentry * new_dentry)1798 static inline int may_rename(struct inode *old_dir,
1799 struct dentry *old_dentry,
1800 struct inode *new_dir,
1801 struct dentry *new_dentry)
1802 {
1803 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1804 struct common_audit_data ad;
1805 u32 sid = current_sid();
1806 u32 av;
1807 int old_is_dir, new_is_dir;
1808 int rc;
1809
1810 old_dsec = old_dir->i_security;
1811 old_isec = old_dentry->d_inode->i_security;
1812 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1813 new_dsec = new_dir->i_security;
1814
1815 ad.type = LSM_AUDIT_DATA_DENTRY;
1816
1817 ad.u.dentry = old_dentry;
1818 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1819 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1820 if (rc)
1821 return rc;
1822 rc = avc_has_perm(sid, old_isec->sid,
1823 old_isec->sclass, FILE__RENAME, &ad);
1824 if (rc)
1825 return rc;
1826 if (old_is_dir && new_dir != old_dir) {
1827 rc = avc_has_perm(sid, old_isec->sid,
1828 old_isec->sclass, DIR__REPARENT, &ad);
1829 if (rc)
1830 return rc;
1831 }
1832
1833 ad.u.dentry = new_dentry;
1834 av = DIR__ADD_NAME | DIR__SEARCH;
1835 if (new_dentry->d_inode)
1836 av |= DIR__REMOVE_NAME;
1837 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1838 if (rc)
1839 return rc;
1840 if (new_dentry->d_inode) {
1841 new_isec = new_dentry->d_inode->i_security;
1842 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1843 rc = avc_has_perm(sid, new_isec->sid,
1844 new_isec->sclass,
1845 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1846 if (rc)
1847 return rc;
1848 }
1849
1850 return 0;
1851 }
1852
1853 /* Check whether a task can perform a filesystem operation. */
superblock_has_perm(const struct cred * cred,struct super_block * sb,u32 perms,struct common_audit_data * ad)1854 static int superblock_has_perm(const struct cred *cred,
1855 struct super_block *sb,
1856 u32 perms,
1857 struct common_audit_data *ad)
1858 {
1859 struct superblock_security_struct *sbsec;
1860 u32 sid = cred_sid(cred);
1861
1862 sbsec = sb->s_security;
1863 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1864 }
1865
1866 /* Convert a Linux mode and permission mask to an access vector. */
file_mask_to_av(int mode,int mask)1867 static inline u32 file_mask_to_av(int mode, int mask)
1868 {
1869 u32 av = 0;
1870
1871 if (!S_ISDIR(mode)) {
1872 if (mask & MAY_EXEC)
1873 av |= FILE__EXECUTE;
1874 if (mask & MAY_READ)
1875 av |= FILE__READ;
1876
1877 if (mask & MAY_APPEND)
1878 av |= FILE__APPEND;
1879 else if (mask & MAY_WRITE)
1880 av |= FILE__WRITE;
1881
1882 } else {
1883 if (mask & MAY_EXEC)
1884 av |= DIR__SEARCH;
1885 if (mask & MAY_WRITE)
1886 av |= DIR__WRITE;
1887 if (mask & MAY_READ)
1888 av |= DIR__READ;
1889 }
1890
1891 return av;
1892 }
1893
1894 /* Convert a Linux file to an access vector. */
file_to_av(struct file * file)1895 static inline u32 file_to_av(struct file *file)
1896 {
1897 u32 av = 0;
1898
1899 if (file->f_mode & FMODE_READ)
1900 av |= FILE__READ;
1901 if (file->f_mode & FMODE_WRITE) {
1902 if (file->f_flags & O_APPEND)
1903 av |= FILE__APPEND;
1904 else
1905 av |= FILE__WRITE;
1906 }
1907 if (!av) {
1908 /*
1909 * Special file opened with flags 3 for ioctl-only use.
1910 */
1911 av = FILE__IOCTL;
1912 }
1913
1914 return av;
1915 }
1916
1917 /*
1918 * Convert a file to an access vector and include the correct open
1919 * open permission.
1920 */
open_file_to_av(struct file * file)1921 static inline u32 open_file_to_av(struct file *file)
1922 {
1923 u32 av = file_to_av(file);
1924
1925 if (selinux_policycap_openperm)
1926 av |= FILE__OPEN;
1927
1928 return av;
1929 }
1930
1931 /* Hook functions begin here. */
1932
selinux_binder_set_context_mgr(struct task_struct * mgr)1933 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1934 {
1935 u32 mysid = current_sid();
1936 u32 mgrsid = task_sid(mgr);
1937
1938 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, BINDER__SET_CONTEXT_MGR, NULL);
1939 }
1940
selinux_binder_transaction(struct task_struct * from,struct task_struct * to)1941 static int selinux_binder_transaction(struct task_struct *from, struct task_struct *to)
1942 {
1943 u32 mysid = current_sid();
1944 u32 fromsid = task_sid(from);
1945 u32 tosid = task_sid(to);
1946 int rc;
1947
1948 if (mysid != fromsid) {
1949 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, BINDER__IMPERSONATE, NULL);
1950 if (rc)
1951 return rc;
1952 }
1953
1954 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, NULL);
1955 }
1956
selinux_binder_transfer_binder(struct task_struct * from,struct task_struct * to)1957 static int selinux_binder_transfer_binder(struct task_struct *from, struct task_struct *to)
1958 {
1959 u32 fromsid = task_sid(from);
1960 u32 tosid = task_sid(to);
1961 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, NULL);
1962 }
1963
selinux_binder_transfer_file(struct task_struct * from,struct task_struct * to,struct file * file)1964 static int selinux_binder_transfer_file(struct task_struct *from, struct task_struct *to, struct file *file)
1965 {
1966 u32 sid = task_sid(to);
1967 struct file_security_struct *fsec = file->f_security;
1968 struct inode *inode = file->f_path.dentry->d_inode;
1969 struct inode_security_struct *isec = inode->i_security;
1970 struct common_audit_data ad;
1971 int rc;
1972
1973 ad.type = LSM_AUDIT_DATA_PATH;
1974 ad.u.path = file->f_path;
1975
1976 if (sid != fsec->sid) {
1977 rc = avc_has_perm(sid, fsec->sid,
1978 SECCLASS_FD,
1979 FD__USE,
1980 &ad);
1981 if (rc)
1982 return rc;
1983 }
1984
1985 if (unlikely(IS_PRIVATE(inode)))
1986 return 0;
1987
1988 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
1989 &ad);
1990 }
1991
selinux_ptrace_access_check(struct task_struct * child,unsigned int mode)1992 static int selinux_ptrace_access_check(struct task_struct *child,
1993 unsigned int mode)
1994 {
1995 int rc;
1996
1997 rc = cap_ptrace_access_check(child, mode);
1998 if (rc)
1999 return rc;
2000
2001 if (mode & PTRACE_MODE_READ) {
2002 u32 sid = current_sid();
2003 u32 csid = task_sid(child);
2004 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2005 }
2006
2007 return current_has_perm(child, PROCESS__PTRACE);
2008 }
2009
selinux_ptrace_traceme(struct task_struct * parent)2010 static int selinux_ptrace_traceme(struct task_struct *parent)
2011 {
2012 int rc;
2013
2014 rc = cap_ptrace_traceme(parent);
2015 if (rc)
2016 return rc;
2017
2018 return task_has_perm(parent, current, PROCESS__PTRACE);
2019 }
2020
selinux_capget(struct task_struct * target,kernel_cap_t * effective,kernel_cap_t * inheritable,kernel_cap_t * permitted)2021 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2022 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2023 {
2024 int error;
2025
2026 error = current_has_perm(target, PROCESS__GETCAP);
2027 if (error)
2028 return error;
2029
2030 return cap_capget(target, effective, inheritable, permitted);
2031 }
2032
selinux_capset(struct cred * new,const struct cred * old,const kernel_cap_t * effective,const kernel_cap_t * inheritable,const kernel_cap_t * permitted)2033 static int selinux_capset(struct cred *new, const struct cred *old,
2034 const kernel_cap_t *effective,
2035 const kernel_cap_t *inheritable,
2036 const kernel_cap_t *permitted)
2037 {
2038 int error;
2039
2040 error = cap_capset(new, old,
2041 effective, inheritable, permitted);
2042 if (error)
2043 return error;
2044
2045 return cred_has_perm(old, new, PROCESS__SETCAP);
2046 }
2047
2048 /*
2049 * (This comment used to live with the selinux_task_setuid hook,
2050 * which was removed).
2051 *
2052 * Since setuid only affects the current process, and since the SELinux
2053 * controls are not based on the Linux identity attributes, SELinux does not
2054 * need to control this operation. However, SELinux does control the use of
2055 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2056 */
2057
selinux_capable(const struct cred * cred,struct user_namespace * ns,int cap,int audit)2058 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2059 int cap, int audit)
2060 {
2061 int rc;
2062
2063 rc = cap_capable(cred, ns, cap, audit);
2064 if (rc)
2065 return rc;
2066
2067 return cred_has_capability(cred, cap, audit);
2068 }
2069
selinux_quotactl(int cmds,int type,int id,struct super_block * sb)2070 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2071 {
2072 const struct cred *cred = current_cred();
2073 int rc = 0;
2074
2075 if (!sb)
2076 return 0;
2077
2078 switch (cmds) {
2079 case Q_SYNC:
2080 case Q_QUOTAON:
2081 case Q_QUOTAOFF:
2082 case Q_SETINFO:
2083 case Q_SETQUOTA:
2084 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2085 break;
2086 case Q_GETFMT:
2087 case Q_GETINFO:
2088 case Q_GETQUOTA:
2089 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2090 break;
2091 default:
2092 rc = 0; /* let the kernel handle invalid cmds */
2093 break;
2094 }
2095 return rc;
2096 }
2097
selinux_quota_on(struct dentry * dentry)2098 static int selinux_quota_on(struct dentry *dentry)
2099 {
2100 const struct cred *cred = current_cred();
2101
2102 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2103 }
2104
selinux_syslog(int type)2105 static int selinux_syslog(int type)
2106 {
2107 int rc;
2108
2109 switch (type) {
2110 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2111 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2112 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2113 break;
2114 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2115 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2116 /* Set level of messages printed to console */
2117 case SYSLOG_ACTION_CONSOLE_LEVEL:
2118 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2119 break;
2120 case SYSLOG_ACTION_CLOSE: /* Close log */
2121 case SYSLOG_ACTION_OPEN: /* Open log */
2122 case SYSLOG_ACTION_READ: /* Read from log */
2123 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2124 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
2125 default:
2126 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2127 break;
2128 }
2129 return rc;
2130 }
2131
2132 /*
2133 * Check that a process has enough memory to allocate a new virtual
2134 * mapping. 0 means there is enough memory for the allocation to
2135 * succeed and -ENOMEM implies there is not.
2136 *
2137 * Do not audit the selinux permission check, as this is applied to all
2138 * processes that allocate mappings.
2139 */
selinux_vm_enough_memory(struct mm_struct * mm,long pages)2140 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2141 {
2142 int rc, cap_sys_admin = 0;
2143
2144 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
2145 SECURITY_CAP_NOAUDIT);
2146 if (rc == 0)
2147 cap_sys_admin = 1;
2148
2149 return __vm_enough_memory(mm, pages, cap_sys_admin);
2150 }
2151
2152 /* binprm security operations */
2153
check_nnp_nosuid(const struct linux_binprm * bprm,const struct task_security_struct * old_tsec,const struct task_security_struct * new_tsec)2154 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2155 const struct task_security_struct *old_tsec,
2156 const struct task_security_struct *new_tsec)
2157 {
2158 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2159 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2160 int rc;
2161
2162 if (!nnp && !nosuid)
2163 return 0; /* neither NNP nor nosuid */
2164
2165 if (new_tsec->sid == old_tsec->sid)
2166 return 0; /* No change in credentials */
2167
2168 /*
2169 * The only transitions we permit under NNP or nosuid
2170 * are transitions to bounded SIDs, i.e. SIDs that are
2171 * guaranteed to only be allowed a subset of the permissions
2172 * of the current SID.
2173 */
2174 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2175 if (rc) {
2176 /*
2177 * On failure, preserve the errno values for NNP vs nosuid.
2178 * NNP: Operation not permitted for caller.
2179 * nosuid: Permission denied to file.
2180 */
2181 if (nnp)
2182 return -EPERM;
2183 else
2184 return -EACCES;
2185 }
2186 return 0;
2187 }
2188
selinux_bprm_set_creds(struct linux_binprm * bprm)2189 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2190 {
2191 const struct task_security_struct *old_tsec;
2192 struct task_security_struct *new_tsec;
2193 struct inode_security_struct *isec;
2194 struct common_audit_data ad;
2195 struct inode *inode = file_inode(bprm->file);
2196 int rc;
2197
2198 rc = cap_bprm_set_creds(bprm);
2199 if (rc)
2200 return rc;
2201
2202 /* SELinux context only depends on initial program or script and not
2203 * the script interpreter */
2204 if (bprm->cred_prepared)
2205 return 0;
2206
2207 old_tsec = current_security();
2208 new_tsec = bprm->cred->security;
2209 isec = inode->i_security;
2210
2211 /* Default to the current task SID. */
2212 new_tsec->sid = old_tsec->sid;
2213 new_tsec->osid = old_tsec->sid;
2214
2215 /* Reset fs, key, and sock SIDs on execve. */
2216 new_tsec->create_sid = 0;
2217 new_tsec->keycreate_sid = 0;
2218 new_tsec->sockcreate_sid = 0;
2219
2220 if (old_tsec->exec_sid) {
2221 new_tsec->sid = old_tsec->exec_sid;
2222 /* Reset exec SID on execve. */
2223 new_tsec->exec_sid = 0;
2224
2225 /* Fail on NNP or nosuid if not an allowed transition. */
2226 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2227 if (rc)
2228 return rc;
2229 } else {
2230 /* Check for a default transition on this program. */
2231 rc = security_transition_sid(old_tsec->sid, isec->sid,
2232 SECCLASS_PROCESS, NULL,
2233 &new_tsec->sid);
2234 if (rc)
2235 return rc;
2236
2237 /*
2238 * Fallback to old SID on NNP or nosuid if not an allowed
2239 * transition.
2240 */
2241 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2242 if (rc)
2243 new_tsec->sid = old_tsec->sid;
2244 }
2245
2246 ad.type = LSM_AUDIT_DATA_PATH;
2247 ad.u.path = bprm->file->f_path;
2248
2249 if (new_tsec->sid == old_tsec->sid) {
2250 rc = avc_has_perm(old_tsec->sid, isec->sid,
2251 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2252 if (rc)
2253 return rc;
2254 } else {
2255 /* Check permissions for the transition. */
2256 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2257 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2258 if (rc)
2259 return rc;
2260
2261 rc = avc_has_perm(new_tsec->sid, isec->sid,
2262 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2263 if (rc)
2264 return rc;
2265
2266 /* Check for shared state */
2267 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2268 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2269 SECCLASS_PROCESS, PROCESS__SHARE,
2270 NULL);
2271 if (rc)
2272 return -EPERM;
2273 }
2274
2275 /* Make sure that anyone attempting to ptrace over a task that
2276 * changes its SID has the appropriate permit */
2277 if (bprm->unsafe &
2278 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2279 struct task_struct *tracer;
2280 struct task_security_struct *sec;
2281 u32 ptsid = 0;
2282
2283 rcu_read_lock();
2284 tracer = ptrace_parent(current);
2285 if (likely(tracer != NULL)) {
2286 sec = __task_cred(tracer)->security;
2287 ptsid = sec->sid;
2288 }
2289 rcu_read_unlock();
2290
2291 if (ptsid != 0) {
2292 rc = avc_has_perm(ptsid, new_tsec->sid,
2293 SECCLASS_PROCESS,
2294 PROCESS__PTRACE, NULL);
2295 if (rc)
2296 return -EPERM;
2297 }
2298 }
2299
2300 /* Clear any possibly unsafe personality bits on exec: */
2301 bprm->per_clear |= PER_CLEAR_ON_SETID;
2302 }
2303
2304 return 0;
2305 }
2306
selinux_bprm_secureexec(struct linux_binprm * bprm)2307 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2308 {
2309 const struct task_security_struct *tsec = current_security();
2310 u32 sid, osid;
2311 int atsecure = 0;
2312
2313 sid = tsec->sid;
2314 osid = tsec->osid;
2315
2316 if (osid != sid) {
2317 /* Enable secure mode for SIDs transitions unless
2318 the noatsecure permission is granted between
2319 the two SIDs, i.e. ahp returns 0. */
2320 atsecure = avc_has_perm(osid, sid,
2321 SECCLASS_PROCESS,
2322 PROCESS__NOATSECURE, NULL);
2323 }
2324
2325 return (atsecure || cap_bprm_secureexec(bprm));
2326 }
2327
match_file(const void * p,struct file * file,unsigned fd)2328 static int match_file(const void *p, struct file *file, unsigned fd)
2329 {
2330 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2331 }
2332
2333 /* Derived from fs/exec.c:flush_old_files. */
flush_unauthorized_files(const struct cred * cred,struct files_struct * files)2334 static inline void flush_unauthorized_files(const struct cred *cred,
2335 struct files_struct *files)
2336 {
2337 struct file *file, *devnull = NULL;
2338 struct tty_struct *tty;
2339 int drop_tty = 0;
2340 unsigned n;
2341
2342 tty = get_current_tty();
2343 if (tty) {
2344 spin_lock(&tty_files_lock);
2345 if (!list_empty(&tty->tty_files)) {
2346 struct tty_file_private *file_priv;
2347
2348 /* Revalidate access to controlling tty.
2349 Use file_path_has_perm on the tty path directly
2350 rather than using file_has_perm, as this particular
2351 open file may belong to another process and we are
2352 only interested in the inode-based check here. */
2353 file_priv = list_first_entry(&tty->tty_files,
2354 struct tty_file_private, list);
2355 file = file_priv->file;
2356 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2357 drop_tty = 1;
2358 }
2359 spin_unlock(&tty_files_lock);
2360 tty_kref_put(tty);
2361 }
2362 /* Reset controlling tty. */
2363 if (drop_tty)
2364 no_tty();
2365
2366 /* Revalidate access to inherited open files. */
2367 n = iterate_fd(files, 0, match_file, cred);
2368 if (!n) /* none found? */
2369 return;
2370
2371 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2372 if (IS_ERR(devnull))
2373 devnull = NULL;
2374 /* replace all the matching ones with this */
2375 do {
2376 replace_fd(n - 1, devnull, 0);
2377 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2378 if (devnull)
2379 fput(devnull);
2380 }
2381
2382 /*
2383 * Prepare a process for imminent new credential changes due to exec
2384 */
selinux_bprm_committing_creds(struct linux_binprm * bprm)2385 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2386 {
2387 struct task_security_struct *new_tsec;
2388 struct rlimit *rlim, *initrlim;
2389 int rc, i;
2390
2391 new_tsec = bprm->cred->security;
2392 if (new_tsec->sid == new_tsec->osid)
2393 return;
2394
2395 /* Close files for which the new task SID is not authorized. */
2396 flush_unauthorized_files(bprm->cred, current->files);
2397
2398 /* Always clear parent death signal on SID transitions. */
2399 current->pdeath_signal = 0;
2400
2401 /* Check whether the new SID can inherit resource limits from the old
2402 * SID. If not, reset all soft limits to the lower of the current
2403 * task's hard limit and the init task's soft limit.
2404 *
2405 * Note that the setting of hard limits (even to lower them) can be
2406 * controlled by the setrlimit check. The inclusion of the init task's
2407 * soft limit into the computation is to avoid resetting soft limits
2408 * higher than the default soft limit for cases where the default is
2409 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2410 */
2411 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2412 PROCESS__RLIMITINH, NULL);
2413 if (rc) {
2414 /* protect against do_prlimit() */
2415 task_lock(current);
2416 for (i = 0; i < RLIM_NLIMITS; i++) {
2417 rlim = current->signal->rlim + i;
2418 initrlim = init_task.signal->rlim + i;
2419 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2420 }
2421 task_unlock(current);
2422 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2423 }
2424 }
2425
2426 /*
2427 * Clean up the process immediately after the installation of new credentials
2428 * due to exec
2429 */
selinux_bprm_committed_creds(struct linux_binprm * bprm)2430 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2431 {
2432 const struct task_security_struct *tsec = current_security();
2433 struct itimerval itimer;
2434 u32 osid, sid;
2435 int rc, i;
2436
2437 osid = tsec->osid;
2438 sid = tsec->sid;
2439
2440 if (sid == osid)
2441 return;
2442
2443 /* Check whether the new SID can inherit signal state from the old SID.
2444 * If not, clear itimers to avoid subsequent signal generation and
2445 * flush and unblock signals.
2446 *
2447 * This must occur _after_ the task SID has been updated so that any
2448 * kill done after the flush will be checked against the new SID.
2449 */
2450 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2451 if (rc) {
2452 memset(&itimer, 0, sizeof itimer);
2453 for (i = 0; i < 3; i++)
2454 do_setitimer(i, &itimer, NULL);
2455 spin_lock_irq(¤t->sighand->siglock);
2456 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2457 __flush_signals(current);
2458 flush_signal_handlers(current, 1);
2459 sigemptyset(¤t->blocked);
2460 }
2461 spin_unlock_irq(¤t->sighand->siglock);
2462 }
2463
2464 /* Wake up the parent if it is waiting so that it can recheck
2465 * wait permission to the new task SID. */
2466 read_lock(&tasklist_lock);
2467 __wake_up_parent(current, current->real_parent);
2468 read_unlock(&tasklist_lock);
2469 }
2470
2471 /* superblock security operations */
2472
selinux_sb_alloc_security(struct super_block * sb)2473 static int selinux_sb_alloc_security(struct super_block *sb)
2474 {
2475 return superblock_alloc_security(sb);
2476 }
2477
selinux_sb_free_security(struct super_block * sb)2478 static void selinux_sb_free_security(struct super_block *sb)
2479 {
2480 superblock_free_security(sb);
2481 }
2482
match_prefix(char * prefix,int plen,char * option,int olen)2483 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2484 {
2485 if (plen > olen)
2486 return 0;
2487
2488 return !memcmp(prefix, option, plen);
2489 }
2490
selinux_option(char * option,int len)2491 static inline int selinux_option(char *option, int len)
2492 {
2493 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2494 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2495 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2496 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2497 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2498 }
2499
take_option(char ** to,char * from,int * first,int len)2500 static inline void take_option(char **to, char *from, int *first, int len)
2501 {
2502 if (!*first) {
2503 **to = ',';
2504 *to += 1;
2505 } else
2506 *first = 0;
2507 memcpy(*to, from, len);
2508 *to += len;
2509 }
2510
take_selinux_option(char ** to,char * from,int * first,int len)2511 static inline void take_selinux_option(char **to, char *from, int *first,
2512 int len)
2513 {
2514 int current_size = 0;
2515
2516 if (!*first) {
2517 **to = '|';
2518 *to += 1;
2519 } else
2520 *first = 0;
2521
2522 while (current_size < len) {
2523 if (*from != '"') {
2524 **to = *from;
2525 *to += 1;
2526 }
2527 from += 1;
2528 current_size += 1;
2529 }
2530 }
2531
selinux_sb_copy_data(char * orig,char * copy)2532 static int selinux_sb_copy_data(char *orig, char *copy)
2533 {
2534 int fnosec, fsec, rc = 0;
2535 char *in_save, *in_curr, *in_end;
2536 char *sec_curr, *nosec_save, *nosec;
2537 int open_quote = 0;
2538
2539 in_curr = orig;
2540 sec_curr = copy;
2541
2542 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2543 if (!nosec) {
2544 rc = -ENOMEM;
2545 goto out;
2546 }
2547
2548 nosec_save = nosec;
2549 fnosec = fsec = 1;
2550 in_save = in_end = orig;
2551
2552 do {
2553 if (*in_end == '"')
2554 open_quote = !open_quote;
2555 if ((*in_end == ',' && open_quote == 0) ||
2556 *in_end == '\0') {
2557 int len = in_end - in_curr;
2558
2559 if (selinux_option(in_curr, len))
2560 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2561 else
2562 take_option(&nosec, in_curr, &fnosec, len);
2563
2564 in_curr = in_end + 1;
2565 }
2566 } while (*in_end++);
2567
2568 strcpy(in_save, nosec_save);
2569 free_page((unsigned long)nosec_save);
2570 out:
2571 return rc;
2572 }
2573
selinux_sb_remount(struct super_block * sb,void * data)2574 static int selinux_sb_remount(struct super_block *sb, void *data)
2575 {
2576 int rc, i, *flags;
2577 struct security_mnt_opts opts;
2578 char *secdata, **mount_options;
2579 struct superblock_security_struct *sbsec = sb->s_security;
2580
2581 if (!(sbsec->flags & SE_SBINITIALIZED))
2582 return 0;
2583
2584 if (!data)
2585 return 0;
2586
2587 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2588 return 0;
2589
2590 security_init_mnt_opts(&opts);
2591 secdata = alloc_secdata();
2592 if (!secdata)
2593 return -ENOMEM;
2594 rc = selinux_sb_copy_data(data, secdata);
2595 if (rc)
2596 goto out_free_secdata;
2597
2598 rc = selinux_parse_opts_str(secdata, &opts);
2599 if (rc)
2600 goto out_free_secdata;
2601
2602 mount_options = opts.mnt_opts;
2603 flags = opts.mnt_opts_flags;
2604
2605 for (i = 0; i < opts.num_mnt_opts; i++) {
2606 u32 sid;
2607 size_t len;
2608
2609 if (flags[i] == SBLABEL_MNT)
2610 continue;
2611 len = strlen(mount_options[i]);
2612 rc = security_context_to_sid(mount_options[i], len, &sid,
2613 GFP_KERNEL);
2614 if (rc) {
2615 printk(KERN_WARNING "SELinux: security_context_to_sid"
2616 "(%s) failed for (dev %s, type %s) errno=%d\n",
2617 mount_options[i], sb->s_id, sb->s_type->name, rc);
2618 goto out_free_opts;
2619 }
2620 rc = -EINVAL;
2621 switch (flags[i]) {
2622 case FSCONTEXT_MNT:
2623 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2624 goto out_bad_option;
2625 break;
2626 case CONTEXT_MNT:
2627 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2628 goto out_bad_option;
2629 break;
2630 case ROOTCONTEXT_MNT: {
2631 struct inode_security_struct *root_isec;
2632 root_isec = sb->s_root->d_inode->i_security;
2633
2634 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2635 goto out_bad_option;
2636 break;
2637 }
2638 case DEFCONTEXT_MNT:
2639 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2640 goto out_bad_option;
2641 break;
2642 default:
2643 goto out_free_opts;
2644 }
2645 }
2646
2647 rc = 0;
2648 out_free_opts:
2649 security_free_mnt_opts(&opts);
2650 out_free_secdata:
2651 free_secdata(secdata);
2652 return rc;
2653 out_bad_option:
2654 printk(KERN_WARNING "SELinux: unable to change security options "
2655 "during remount (dev %s, type=%s)\n", sb->s_id,
2656 sb->s_type->name);
2657 goto out_free_opts;
2658 }
2659
selinux_sb_kern_mount(struct super_block * sb,int flags,void * data)2660 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2661 {
2662 const struct cred *cred = current_cred();
2663 struct common_audit_data ad;
2664 int rc;
2665
2666 rc = superblock_doinit(sb, data);
2667 if (rc)
2668 return rc;
2669
2670 /* Allow all mounts performed by the kernel */
2671 if (flags & MS_KERNMOUNT)
2672 return 0;
2673
2674 ad.type = LSM_AUDIT_DATA_DENTRY;
2675 ad.u.dentry = sb->s_root;
2676 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2677 }
2678
selinux_sb_statfs(struct dentry * dentry)2679 static int selinux_sb_statfs(struct dentry *dentry)
2680 {
2681 const struct cred *cred = current_cred();
2682 struct common_audit_data ad;
2683
2684 ad.type = LSM_AUDIT_DATA_DENTRY;
2685 ad.u.dentry = dentry->d_sb->s_root;
2686 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2687 }
2688
selinux_mount(const char * dev_name,struct path * path,const char * type,unsigned long flags,void * data)2689 static int selinux_mount(const char *dev_name,
2690 struct path *path,
2691 const char *type,
2692 unsigned long flags,
2693 void *data)
2694 {
2695 const struct cred *cred = current_cred();
2696
2697 if (flags & MS_REMOUNT)
2698 return superblock_has_perm(cred, path->dentry->d_sb,
2699 FILESYSTEM__REMOUNT, NULL);
2700 else
2701 return path_has_perm(cred, path, FILE__MOUNTON);
2702 }
2703
selinux_umount(struct vfsmount * mnt,int flags)2704 static int selinux_umount(struct vfsmount *mnt, int flags)
2705 {
2706 const struct cred *cred = current_cred();
2707
2708 return superblock_has_perm(cred, mnt->mnt_sb,
2709 FILESYSTEM__UNMOUNT, NULL);
2710 }
2711
2712 /* inode security operations */
2713
selinux_inode_alloc_security(struct inode * inode)2714 static int selinux_inode_alloc_security(struct inode *inode)
2715 {
2716 return inode_alloc_security(inode);
2717 }
2718
selinux_inode_free_security(struct inode * inode)2719 static void selinux_inode_free_security(struct inode *inode)
2720 {
2721 inode_free_security(inode);
2722 }
2723
selinux_dentry_init_security(struct dentry * dentry,int mode,struct qstr * name,void ** ctx,u32 * ctxlen)2724 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2725 struct qstr *name, void **ctx,
2726 u32 *ctxlen)
2727 {
2728 const struct cred *cred = current_cred();
2729 struct task_security_struct *tsec;
2730 struct inode_security_struct *dsec;
2731 struct superblock_security_struct *sbsec;
2732 struct inode *dir = dentry->d_parent->d_inode;
2733 u32 newsid;
2734 int rc;
2735
2736 tsec = cred->security;
2737 dsec = dir->i_security;
2738 sbsec = dir->i_sb->s_security;
2739
2740 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2741 newsid = tsec->create_sid;
2742 } else {
2743 rc = security_transition_sid(tsec->sid, dsec->sid,
2744 inode_mode_to_security_class(mode),
2745 name,
2746 &newsid);
2747 if (rc) {
2748 printk(KERN_WARNING
2749 "%s: security_transition_sid failed, rc=%d\n",
2750 __func__, -rc);
2751 return rc;
2752 }
2753 }
2754
2755 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2756 }
2757
selinux_inode_init_security(struct inode * inode,struct inode * dir,const struct qstr * qstr,const char ** name,void ** value,size_t * len)2758 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2759 const struct qstr *qstr,
2760 const char **name,
2761 void **value, size_t *len)
2762 {
2763 const struct task_security_struct *tsec = current_security();
2764 struct inode_security_struct *dsec;
2765 struct superblock_security_struct *sbsec;
2766 u32 sid, newsid, clen;
2767 int rc;
2768 char *context;
2769
2770 dsec = dir->i_security;
2771 sbsec = dir->i_sb->s_security;
2772
2773 sid = tsec->sid;
2774 newsid = tsec->create_sid;
2775
2776 if ((sbsec->flags & SE_SBINITIALIZED) &&
2777 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2778 newsid = sbsec->mntpoint_sid;
2779 else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
2780 rc = security_transition_sid(sid, dsec->sid,
2781 inode_mode_to_security_class(inode->i_mode),
2782 qstr, &newsid);
2783 if (rc) {
2784 printk(KERN_WARNING "%s: "
2785 "security_transition_sid failed, rc=%d (dev=%s "
2786 "ino=%ld)\n",
2787 __func__,
2788 -rc, inode->i_sb->s_id, inode->i_ino);
2789 return rc;
2790 }
2791 }
2792
2793 /* Possibly defer initialization to selinux_complete_init. */
2794 if (sbsec->flags & SE_SBINITIALIZED) {
2795 struct inode_security_struct *isec = inode->i_security;
2796 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2797 isec->sid = newsid;
2798 isec->initialized = 1;
2799 }
2800
2801 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2802 return -EOPNOTSUPP;
2803
2804 if (name)
2805 *name = XATTR_SELINUX_SUFFIX;
2806
2807 if (value && len) {
2808 rc = security_sid_to_context_force(newsid, &context, &clen);
2809 if (rc)
2810 return rc;
2811 *value = context;
2812 *len = clen;
2813 }
2814
2815 return 0;
2816 }
2817
selinux_inode_create(struct inode * dir,struct dentry * dentry,umode_t mode)2818 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2819 {
2820 return may_create(dir, dentry, SECCLASS_FILE);
2821 }
2822
selinux_inode_link(struct dentry * old_dentry,struct inode * dir,struct dentry * new_dentry)2823 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2824 {
2825 return may_link(dir, old_dentry, MAY_LINK);
2826 }
2827
selinux_inode_unlink(struct inode * dir,struct dentry * dentry)2828 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2829 {
2830 return may_link(dir, dentry, MAY_UNLINK);
2831 }
2832
selinux_inode_symlink(struct inode * dir,struct dentry * dentry,const char * name)2833 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2834 {
2835 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2836 }
2837
selinux_inode_mkdir(struct inode * dir,struct dentry * dentry,umode_t mask)2838 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2839 {
2840 return may_create(dir, dentry, SECCLASS_DIR);
2841 }
2842
selinux_inode_rmdir(struct inode * dir,struct dentry * dentry)2843 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2844 {
2845 return may_link(dir, dentry, MAY_RMDIR);
2846 }
2847
selinux_inode_mknod(struct inode * dir,struct dentry * dentry,umode_t mode,dev_t dev)2848 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2849 {
2850 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2851 }
2852
selinux_inode_rename(struct inode * old_inode,struct dentry * old_dentry,struct inode * new_inode,struct dentry * new_dentry)2853 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2854 struct inode *new_inode, struct dentry *new_dentry)
2855 {
2856 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2857 }
2858
selinux_inode_readlink(struct dentry * dentry)2859 static int selinux_inode_readlink(struct dentry *dentry)
2860 {
2861 const struct cred *cred = current_cred();
2862
2863 return dentry_has_perm(cred, dentry, FILE__READ);
2864 }
2865
selinux_inode_follow_link(struct dentry * dentry,struct nameidata * nameidata)2866 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2867 {
2868 const struct cred *cred = current_cred();
2869
2870 return dentry_has_perm(cred, dentry, FILE__READ);
2871 }
2872
audit_inode_permission(struct inode * inode,u32 perms,u32 audited,u32 denied,int result,unsigned flags)2873 static noinline int audit_inode_permission(struct inode *inode,
2874 u32 perms, u32 audited, u32 denied,
2875 int result,
2876 unsigned flags)
2877 {
2878 struct common_audit_data ad;
2879 struct inode_security_struct *isec = inode->i_security;
2880 int rc;
2881
2882 ad.type = LSM_AUDIT_DATA_INODE;
2883 ad.u.inode = inode;
2884
2885 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2886 audited, denied, result, &ad, flags);
2887 if (rc)
2888 return rc;
2889 return 0;
2890 }
2891
selinux_inode_permission(struct inode * inode,int mask)2892 static int selinux_inode_permission(struct inode *inode, int mask)
2893 {
2894 const struct cred *cred = current_cred();
2895 u32 perms;
2896 bool from_access;
2897 unsigned flags = mask & MAY_NOT_BLOCK;
2898 struct inode_security_struct *isec;
2899 u32 sid;
2900 struct av_decision avd;
2901 int rc, rc2;
2902 u32 audited, denied;
2903
2904 from_access = mask & MAY_ACCESS;
2905 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2906
2907 /* No permission to check. Existence test. */
2908 if (!mask)
2909 return 0;
2910
2911 validate_creds(cred);
2912
2913 if (unlikely(IS_PRIVATE(inode)))
2914 return 0;
2915
2916 perms = file_mask_to_av(inode->i_mode, mask);
2917
2918 sid = cred_sid(cred);
2919 isec = inode->i_security;
2920
2921 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2922 audited = avc_audit_required(perms, &avd, rc,
2923 from_access ? FILE__AUDIT_ACCESS : 0,
2924 &denied);
2925 if (likely(!audited))
2926 return rc;
2927
2928 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2929 if (rc2)
2930 return rc2;
2931 return rc;
2932 }
2933
selinux_inode_setattr(struct dentry * dentry,struct iattr * iattr)2934 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2935 {
2936 const struct cred *cred = current_cred();
2937 unsigned int ia_valid = iattr->ia_valid;
2938 __u32 av = FILE__WRITE;
2939
2940 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2941 if (ia_valid & ATTR_FORCE) {
2942 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2943 ATTR_FORCE);
2944 if (!ia_valid)
2945 return 0;
2946 }
2947
2948 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2949 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2950 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2951
2952 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
2953 && !(ia_valid & ATTR_FILE))
2954 av |= FILE__OPEN;
2955
2956 return dentry_has_perm(cred, dentry, av);
2957 }
2958
selinux_inode_getattr(struct vfsmount * mnt,struct dentry * dentry)2959 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2960 {
2961 const struct cred *cred = current_cred();
2962 struct path path;
2963
2964 path.dentry = dentry;
2965 path.mnt = mnt;
2966
2967 return path_has_perm(cred, &path, FILE__GETATTR);
2968 }
2969
selinux_inode_setotherxattr(struct dentry * dentry,const char * name)2970 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2971 {
2972 const struct cred *cred = current_cred();
2973
2974 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2975 sizeof XATTR_SECURITY_PREFIX - 1)) {
2976 if (!strcmp(name, XATTR_NAME_CAPS)) {
2977 if (!capable(CAP_SETFCAP))
2978 return -EPERM;
2979 } else if (!capable(CAP_SYS_ADMIN)) {
2980 /* A different attribute in the security namespace.
2981 Restrict to administrator. */
2982 return -EPERM;
2983 }
2984 }
2985
2986 /* Not an attribute we recognize, so just check the
2987 ordinary setattr permission. */
2988 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2989 }
2990
selinux_inode_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)2991 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2992 const void *value, size_t size, int flags)
2993 {
2994 struct inode *inode = dentry->d_inode;
2995 struct inode_security_struct *isec = inode->i_security;
2996 struct superblock_security_struct *sbsec;
2997 struct common_audit_data ad;
2998 u32 newsid, sid = current_sid();
2999 int rc = 0;
3000
3001 if (strcmp(name, XATTR_NAME_SELINUX))
3002 return selinux_inode_setotherxattr(dentry, name);
3003
3004 sbsec = inode->i_sb->s_security;
3005 if (!(sbsec->flags & SBLABEL_MNT))
3006 return -EOPNOTSUPP;
3007
3008 if (!inode_owner_or_capable(inode))
3009 return -EPERM;
3010
3011 ad.type = LSM_AUDIT_DATA_DENTRY;
3012 ad.u.dentry = dentry;
3013
3014 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3015 FILE__RELABELFROM, &ad);
3016 if (rc)
3017 return rc;
3018
3019 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3020 if (rc == -EINVAL) {
3021 if (!capable(CAP_MAC_ADMIN)) {
3022 struct audit_buffer *ab;
3023 size_t audit_size;
3024 const char *str;
3025
3026 /* We strip a nul only if it is at the end, otherwise the
3027 * context contains a nul and we should audit that */
3028 if (value) {
3029 str = value;
3030 if (str[size - 1] == '\0')
3031 audit_size = size - 1;
3032 else
3033 audit_size = size;
3034 } else {
3035 str = "";
3036 audit_size = 0;
3037 }
3038 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3039 audit_log_format(ab, "op=setxattr invalid_context=");
3040 audit_log_n_untrustedstring(ab, value, audit_size);
3041 audit_log_end(ab);
3042
3043 return rc;
3044 }
3045 rc = security_context_to_sid_force(value, size, &newsid);
3046 }
3047 if (rc)
3048 return rc;
3049
3050 rc = avc_has_perm(sid, newsid, isec->sclass,
3051 FILE__RELABELTO, &ad);
3052 if (rc)
3053 return rc;
3054
3055 rc = security_validate_transition(isec->sid, newsid, sid,
3056 isec->sclass);
3057 if (rc)
3058 return rc;
3059
3060 return avc_has_perm(newsid,
3061 sbsec->sid,
3062 SECCLASS_FILESYSTEM,
3063 FILESYSTEM__ASSOCIATE,
3064 &ad);
3065 }
3066
selinux_inode_post_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)3067 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3068 const void *value, size_t size,
3069 int flags)
3070 {
3071 struct inode *inode = dentry->d_inode;
3072 struct inode_security_struct *isec = inode->i_security;
3073 u32 newsid;
3074 int rc;
3075
3076 if (strcmp(name, XATTR_NAME_SELINUX)) {
3077 /* Not an attribute we recognize, so nothing to do. */
3078 return;
3079 }
3080
3081 rc = security_context_to_sid_force(value, size, &newsid);
3082 if (rc) {
3083 printk(KERN_ERR "SELinux: unable to map context to SID"
3084 "for (%s, %lu), rc=%d\n",
3085 inode->i_sb->s_id, inode->i_ino, -rc);
3086 return;
3087 }
3088
3089 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3090 isec->sid = newsid;
3091 isec->initialized = 1;
3092
3093 return;
3094 }
3095
selinux_inode_getxattr(struct dentry * dentry,const char * name)3096 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3097 {
3098 const struct cred *cred = current_cred();
3099
3100 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3101 }
3102
selinux_inode_listxattr(struct dentry * dentry)3103 static int selinux_inode_listxattr(struct dentry *dentry)
3104 {
3105 const struct cred *cred = current_cred();
3106
3107 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3108 }
3109
selinux_inode_removexattr(struct dentry * dentry,const char * name)3110 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3111 {
3112 if (strcmp(name, XATTR_NAME_SELINUX))
3113 return selinux_inode_setotherxattr(dentry, name);
3114
3115 /* No one is allowed to remove a SELinux security label.
3116 You can change the label, but all data must be labeled. */
3117 return -EACCES;
3118 }
3119
3120 /*
3121 * Copy the inode security context value to the user.
3122 *
3123 * Permission check is handled by selinux_inode_getxattr hook.
3124 */
selinux_inode_getsecurity(const struct inode * inode,const char * name,void ** buffer,bool alloc)3125 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
3126 {
3127 u32 size;
3128 int error;
3129 char *context = NULL;
3130 struct inode_security_struct *isec = inode->i_security;
3131
3132 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3133 return -EOPNOTSUPP;
3134
3135 /*
3136 * If the caller has CAP_MAC_ADMIN, then get the raw context
3137 * value even if it is not defined by current policy; otherwise,
3138 * use the in-core value under current policy.
3139 * Use the non-auditing forms of the permission checks since
3140 * getxattr may be called by unprivileged processes commonly
3141 * and lack of permission just means that we fall back to the
3142 * in-core context value, not a denial.
3143 */
3144 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3145 SECURITY_CAP_NOAUDIT);
3146 if (!error)
3147 error = security_sid_to_context_force(isec->sid, &context,
3148 &size);
3149 else
3150 error = security_sid_to_context(isec->sid, &context, &size);
3151 if (error)
3152 return error;
3153 error = size;
3154 if (alloc) {
3155 *buffer = context;
3156 goto out_nofree;
3157 }
3158 kfree(context);
3159 out_nofree:
3160 return error;
3161 }
3162
selinux_inode_setsecurity(struct inode * inode,const char * name,const void * value,size_t size,int flags)3163 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3164 const void *value, size_t size, int flags)
3165 {
3166 struct inode_security_struct *isec = inode->i_security;
3167 u32 newsid;
3168 int rc;
3169
3170 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3171 return -EOPNOTSUPP;
3172
3173 if (!value || !size)
3174 return -EACCES;
3175
3176 rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL);
3177 if (rc)
3178 return rc;
3179
3180 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3181 isec->sid = newsid;
3182 isec->initialized = 1;
3183 return 0;
3184 }
3185
selinux_inode_listsecurity(struct inode * inode,char * buffer,size_t buffer_size)3186 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3187 {
3188 const int len = sizeof(XATTR_NAME_SELINUX);
3189 if (buffer && len <= buffer_size)
3190 memcpy(buffer, XATTR_NAME_SELINUX, len);
3191 return len;
3192 }
3193
selinux_inode_getsecid(const struct inode * inode,u32 * secid)3194 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3195 {
3196 struct inode_security_struct *isec = inode->i_security;
3197 *secid = isec->sid;
3198 }
3199
3200 /* file security operations */
3201
selinux_revalidate_file_permission(struct file * file,int mask)3202 static int selinux_revalidate_file_permission(struct file *file, int mask)
3203 {
3204 const struct cred *cred = current_cred();
3205 struct inode *inode = file_inode(file);
3206
3207 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3208 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3209 mask |= MAY_APPEND;
3210
3211 return file_has_perm(cred, file,
3212 file_mask_to_av(inode->i_mode, mask));
3213 }
3214
selinux_file_permission(struct file * file,int mask)3215 static int selinux_file_permission(struct file *file, int mask)
3216 {
3217 struct inode *inode = file_inode(file);
3218 struct file_security_struct *fsec = file->f_security;
3219 struct inode_security_struct *isec = inode->i_security;
3220 u32 sid = current_sid();
3221
3222 if (!mask)
3223 /* No permission to check. Existence test. */
3224 return 0;
3225
3226 if (sid == fsec->sid && fsec->isid == isec->sid &&
3227 fsec->pseqno == avc_policy_seqno())
3228 /* No change since file_open check. */
3229 return 0;
3230
3231 return selinux_revalidate_file_permission(file, mask);
3232 }
3233
selinux_file_alloc_security(struct file * file)3234 static int selinux_file_alloc_security(struct file *file)
3235 {
3236 return file_alloc_security(file);
3237 }
3238
selinux_file_free_security(struct file * file)3239 static void selinux_file_free_security(struct file *file)
3240 {
3241 file_free_security(file);
3242 }
3243
3244 /*
3245 * Check whether a task has the ioctl permission and cmd
3246 * operation to an inode.
3247 */
ioctl_has_perm(const struct cred * cred,struct file * file,u32 requested,u16 cmd)3248 int ioctl_has_perm(const struct cred *cred, struct file *file,
3249 u32 requested, u16 cmd)
3250 {
3251 struct common_audit_data ad;
3252 struct file_security_struct *fsec = file->f_security;
3253 struct inode *inode = file_inode(file);
3254 struct inode_security_struct *isec = inode->i_security;
3255 struct lsm_ioctlop_audit ioctl;
3256 u32 ssid = cred_sid(cred);
3257 int rc;
3258 u8 driver = cmd >> 8;
3259 u8 xperm = cmd & 0xff;
3260
3261 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3262 ad.u.op = &ioctl;
3263 ad.u.op->cmd = cmd;
3264 ad.u.op->path = file->f_path;
3265
3266 if (ssid != fsec->sid) {
3267 rc = avc_has_perm(ssid, fsec->sid,
3268 SECCLASS_FD,
3269 FD__USE,
3270 &ad);
3271 if (rc)
3272 goto out;
3273 }
3274
3275 if (unlikely(IS_PRIVATE(inode)))
3276 return 0;
3277
3278 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3279 requested, driver, xperm, &ad);
3280 out:
3281 return rc;
3282 }
3283
selinux_file_ioctl(struct file * file,unsigned int cmd,unsigned long arg)3284 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3285 unsigned long arg)
3286 {
3287 const struct cred *cred = current_cred();
3288 int error = 0;
3289
3290 switch (cmd) {
3291 case FIONREAD:
3292 /* fall through */
3293 case FIBMAP:
3294 /* fall through */
3295 case FIGETBSZ:
3296 /* fall through */
3297 case FS_IOC_GETFLAGS:
3298 /* fall through */
3299 case FS_IOC_GETVERSION:
3300 error = file_has_perm(cred, file, FILE__GETATTR);
3301 break;
3302
3303 case FS_IOC_SETFLAGS:
3304 /* fall through */
3305 case FS_IOC_SETVERSION:
3306 error = file_has_perm(cred, file, FILE__SETATTR);
3307 break;
3308
3309 /* sys_ioctl() checks */
3310 case FIONBIO:
3311 /* fall through */
3312 case FIOASYNC:
3313 error = file_has_perm(cred, file, 0);
3314 break;
3315
3316 case KDSKBENT:
3317 case KDSKBSENT:
3318 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3319 SECURITY_CAP_AUDIT);
3320 break;
3321
3322 /* default case assumes that the command will go
3323 * to the file's ioctl() function.
3324 */
3325 default:
3326 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3327 }
3328 return error;
3329 }
3330
3331 static int default_noexec;
3332
file_map_prot_check(struct file * file,unsigned long prot,int shared)3333 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3334 {
3335 const struct cred *cred = current_cred();
3336 int rc = 0;
3337
3338 if (default_noexec &&
3339 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3340 /*
3341 * We are making executable an anonymous mapping or a
3342 * private file mapping that will also be writable.
3343 * This has an additional check.
3344 */
3345 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3346 if (rc)
3347 goto error;
3348 }
3349
3350 if (file) {
3351 /* read access is always possible with a mapping */
3352 u32 av = FILE__READ;
3353
3354 /* write access only matters if the mapping is shared */
3355 if (shared && (prot & PROT_WRITE))
3356 av |= FILE__WRITE;
3357
3358 if (prot & PROT_EXEC)
3359 av |= FILE__EXECUTE;
3360
3361 return file_has_perm(cred, file, av);
3362 }
3363
3364 error:
3365 return rc;
3366 }
3367
selinux_mmap_addr(unsigned long addr)3368 static int selinux_mmap_addr(unsigned long addr)
3369 {
3370 int rc;
3371
3372 /* do DAC check on address space usage */
3373 rc = cap_mmap_addr(addr);
3374 if (rc)
3375 return rc;
3376
3377 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3378 u32 sid = current_sid();
3379 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3380 MEMPROTECT__MMAP_ZERO, NULL);
3381 }
3382
3383 return rc;
3384 }
3385
selinux_mmap_file(struct file * file,unsigned long reqprot,unsigned long prot,unsigned long flags)3386 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3387 unsigned long prot, unsigned long flags)
3388 {
3389 if (selinux_checkreqprot)
3390 prot = reqprot;
3391
3392 return file_map_prot_check(file, prot,
3393 (flags & MAP_TYPE) == MAP_SHARED);
3394 }
3395
selinux_file_mprotect(struct vm_area_struct * vma,unsigned long reqprot,unsigned long prot)3396 static int selinux_file_mprotect(struct vm_area_struct *vma,
3397 unsigned long reqprot,
3398 unsigned long prot)
3399 {
3400 const struct cred *cred = current_cred();
3401
3402 if (selinux_checkreqprot)
3403 prot = reqprot;
3404
3405 if (default_noexec &&
3406 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3407 int rc = 0;
3408 if (vma->vm_start >= vma->vm_mm->start_brk &&
3409 vma->vm_end <= vma->vm_mm->brk) {
3410 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3411 } else if (!vma->vm_file &&
3412 vma->vm_start <= vma->vm_mm->start_stack &&
3413 vma->vm_end >= vma->vm_mm->start_stack) {
3414 rc = current_has_perm(current, PROCESS__EXECSTACK);
3415 } else if (vma->vm_file && vma->anon_vma) {
3416 /*
3417 * We are making executable a file mapping that has
3418 * had some COW done. Since pages might have been
3419 * written, check ability to execute the possibly
3420 * modified content. This typically should only
3421 * occur for text relocations.
3422 */
3423 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3424 }
3425 if (rc)
3426 return rc;
3427 }
3428
3429 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3430 }
3431
selinux_file_lock(struct file * file,unsigned int cmd)3432 static int selinux_file_lock(struct file *file, unsigned int cmd)
3433 {
3434 const struct cred *cred = current_cred();
3435
3436 return file_has_perm(cred, file, FILE__LOCK);
3437 }
3438
selinux_file_fcntl(struct file * file,unsigned int cmd,unsigned long arg)3439 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3440 unsigned long arg)
3441 {
3442 const struct cred *cred = current_cred();
3443 int err = 0;
3444
3445 switch (cmd) {
3446 case F_SETFL:
3447 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3448 err = file_has_perm(cred, file, FILE__WRITE);
3449 break;
3450 }
3451 /* fall through */
3452 case F_SETOWN:
3453 case F_SETSIG:
3454 case F_GETFL:
3455 case F_GETOWN:
3456 case F_GETSIG:
3457 case F_GETOWNER_UIDS:
3458 /* Just check FD__USE permission */
3459 err = file_has_perm(cred, file, 0);
3460 break;
3461 case F_GETLK:
3462 case F_SETLK:
3463 case F_SETLKW:
3464 case F_OFD_GETLK:
3465 case F_OFD_SETLK:
3466 case F_OFD_SETLKW:
3467 #if BITS_PER_LONG == 32
3468 case F_GETLK64:
3469 case F_SETLK64:
3470 case F_SETLKW64:
3471 #endif
3472 err = file_has_perm(cred, file, FILE__LOCK);
3473 break;
3474 }
3475
3476 return err;
3477 }
3478
selinux_file_set_fowner(struct file * file)3479 static void selinux_file_set_fowner(struct file *file)
3480 {
3481 struct file_security_struct *fsec;
3482
3483 fsec = file->f_security;
3484 fsec->fown_sid = current_sid();
3485 }
3486
selinux_file_send_sigiotask(struct task_struct * tsk,struct fown_struct * fown,int signum)3487 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3488 struct fown_struct *fown, int signum)
3489 {
3490 struct file *file;
3491 u32 sid = task_sid(tsk);
3492 u32 perm;
3493 struct file_security_struct *fsec;
3494
3495 /* struct fown_struct is never outside the context of a struct file */
3496 file = container_of(fown, struct file, f_owner);
3497
3498 fsec = file->f_security;
3499
3500 if (!signum)
3501 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3502 else
3503 perm = signal_to_av(signum);
3504
3505 return avc_has_perm(fsec->fown_sid, sid,
3506 SECCLASS_PROCESS, perm, NULL);
3507 }
3508
selinux_file_receive(struct file * file)3509 static int selinux_file_receive(struct file *file)
3510 {
3511 const struct cred *cred = current_cred();
3512
3513 return file_has_perm(cred, file, file_to_av(file));
3514 }
3515
selinux_file_open(struct file * file,const struct cred * cred)3516 static int selinux_file_open(struct file *file, const struct cred *cred)
3517 {
3518 struct file_security_struct *fsec;
3519 struct inode_security_struct *isec;
3520
3521 fsec = file->f_security;
3522 isec = file_inode(file)->i_security;
3523 /*
3524 * Save inode label and policy sequence number
3525 * at open-time so that selinux_file_permission
3526 * can determine whether revalidation is necessary.
3527 * Task label is already saved in the file security
3528 * struct as its SID.
3529 */
3530 fsec->isid = isec->sid;
3531 fsec->pseqno = avc_policy_seqno();
3532 /*
3533 * Since the inode label or policy seqno may have changed
3534 * between the selinux_inode_permission check and the saving
3535 * of state above, recheck that access is still permitted.
3536 * Otherwise, access might never be revalidated against the
3537 * new inode label or new policy.
3538 * This check is not redundant - do not remove.
3539 */
3540 return file_path_has_perm(cred, file, open_file_to_av(file));
3541 }
3542
3543 /* task security operations */
3544
selinux_task_create(unsigned long clone_flags)3545 static int selinux_task_create(unsigned long clone_flags)
3546 {
3547 return current_has_perm(current, PROCESS__FORK);
3548 }
3549
3550 /*
3551 * allocate the SELinux part of blank credentials
3552 */
selinux_cred_alloc_blank(struct cred * cred,gfp_t gfp)3553 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3554 {
3555 struct task_security_struct *tsec;
3556
3557 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3558 if (!tsec)
3559 return -ENOMEM;
3560
3561 cred->security = tsec;
3562 return 0;
3563 }
3564
3565 /*
3566 * detach and free the LSM part of a set of credentials
3567 */
selinux_cred_free(struct cred * cred)3568 static void selinux_cred_free(struct cred *cred)
3569 {
3570 struct task_security_struct *tsec = cred->security;
3571
3572 /*
3573 * cred->security == NULL if security_cred_alloc_blank() or
3574 * security_prepare_creds() returned an error.
3575 */
3576 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3577 cred->security = (void *) 0x7UL;
3578 kfree(tsec);
3579 }
3580
3581 /*
3582 * prepare a new set of credentials for modification
3583 */
selinux_cred_prepare(struct cred * new,const struct cred * old,gfp_t gfp)3584 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3585 gfp_t gfp)
3586 {
3587 const struct task_security_struct *old_tsec;
3588 struct task_security_struct *tsec;
3589
3590 old_tsec = old->security;
3591
3592 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3593 if (!tsec)
3594 return -ENOMEM;
3595
3596 new->security = tsec;
3597 return 0;
3598 }
3599
3600 /*
3601 * transfer the SELinux data to a blank set of creds
3602 */
selinux_cred_transfer(struct cred * new,const struct cred * old)3603 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3604 {
3605 const struct task_security_struct *old_tsec = old->security;
3606 struct task_security_struct *tsec = new->security;
3607
3608 *tsec = *old_tsec;
3609 }
3610
3611 /*
3612 * set the security data for a kernel service
3613 * - all the creation contexts are set to unlabelled
3614 */
selinux_kernel_act_as(struct cred * new,u32 secid)3615 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3616 {
3617 struct task_security_struct *tsec = new->security;
3618 u32 sid = current_sid();
3619 int ret;
3620
3621 ret = avc_has_perm(sid, secid,
3622 SECCLASS_KERNEL_SERVICE,
3623 KERNEL_SERVICE__USE_AS_OVERRIDE,
3624 NULL);
3625 if (ret == 0) {
3626 tsec->sid = secid;
3627 tsec->create_sid = 0;
3628 tsec->keycreate_sid = 0;
3629 tsec->sockcreate_sid = 0;
3630 }
3631 return ret;
3632 }
3633
3634 /*
3635 * set the file creation context in a security record to the same as the
3636 * objective context of the specified inode
3637 */
selinux_kernel_create_files_as(struct cred * new,struct inode * inode)3638 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3639 {
3640 struct inode_security_struct *isec = inode->i_security;
3641 struct task_security_struct *tsec = new->security;
3642 u32 sid = current_sid();
3643 int ret;
3644
3645 ret = avc_has_perm(sid, isec->sid,
3646 SECCLASS_KERNEL_SERVICE,
3647 KERNEL_SERVICE__CREATE_FILES_AS,
3648 NULL);
3649
3650 if (ret == 0)
3651 tsec->create_sid = isec->sid;
3652 return ret;
3653 }
3654
selinux_kernel_module_request(char * kmod_name)3655 static int selinux_kernel_module_request(char *kmod_name)
3656 {
3657 u32 sid;
3658 struct common_audit_data ad;
3659
3660 sid = task_sid(current);
3661
3662 ad.type = LSM_AUDIT_DATA_KMOD;
3663 ad.u.kmod_name = kmod_name;
3664
3665 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3666 SYSTEM__MODULE_REQUEST, &ad);
3667 }
3668
selinux_kernel_module_from_file(struct file * file)3669 static int selinux_kernel_module_from_file(struct file *file)
3670 {
3671 struct common_audit_data ad;
3672 struct inode_security_struct *isec;
3673 struct file_security_struct *fsec;
3674 struct inode *inode;
3675 u32 sid = current_sid();
3676 int rc;
3677
3678 /* init_module */
3679 if (file == NULL)
3680 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3681 SYSTEM__MODULE_LOAD, NULL);
3682
3683 /* finit_module */
3684 ad.type = LSM_AUDIT_DATA_PATH;
3685 ad.u.path = file->f_path;
3686
3687 inode = file_inode(file);
3688 isec = inode->i_security;
3689 fsec = file->f_security;
3690
3691 if (sid != fsec->sid) {
3692 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3693 if (rc)
3694 return rc;
3695 }
3696
3697 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3698 SYSTEM__MODULE_LOAD, &ad);
3699 }
3700
selinux_task_setpgid(struct task_struct * p,pid_t pgid)3701 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3702 {
3703 return current_has_perm(p, PROCESS__SETPGID);
3704 }
3705
selinux_task_getpgid(struct task_struct * p)3706 static int selinux_task_getpgid(struct task_struct *p)
3707 {
3708 return current_has_perm(p, PROCESS__GETPGID);
3709 }
3710
selinux_task_getsid(struct task_struct * p)3711 static int selinux_task_getsid(struct task_struct *p)
3712 {
3713 return current_has_perm(p, PROCESS__GETSESSION);
3714 }
3715
selinux_task_getsecid(struct task_struct * p,u32 * secid)3716 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3717 {
3718 *secid = task_sid(p);
3719 }
3720
selinux_task_setnice(struct task_struct * p,int nice)3721 static int selinux_task_setnice(struct task_struct *p, int nice)
3722 {
3723 int rc;
3724
3725 rc = cap_task_setnice(p, nice);
3726 if (rc)
3727 return rc;
3728
3729 return current_has_perm(p, PROCESS__SETSCHED);
3730 }
3731
selinux_task_setioprio(struct task_struct * p,int ioprio)3732 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3733 {
3734 int rc;
3735
3736 rc = cap_task_setioprio(p, ioprio);
3737 if (rc)
3738 return rc;
3739
3740 return current_has_perm(p, PROCESS__SETSCHED);
3741 }
3742
selinux_task_getioprio(struct task_struct * p)3743 static int selinux_task_getioprio(struct task_struct *p)
3744 {
3745 return current_has_perm(p, PROCESS__GETSCHED);
3746 }
3747
selinux_task_setrlimit(struct task_struct * p,unsigned int resource,struct rlimit * new_rlim)3748 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3749 struct rlimit *new_rlim)
3750 {
3751 struct rlimit *old_rlim = p->signal->rlim + resource;
3752
3753 /* Control the ability to change the hard limit (whether
3754 lowering or raising it), so that the hard limit can
3755 later be used as a safe reset point for the soft limit
3756 upon context transitions. See selinux_bprm_committing_creds. */
3757 if (old_rlim->rlim_max != new_rlim->rlim_max)
3758 return current_has_perm(p, PROCESS__SETRLIMIT);
3759
3760 return 0;
3761 }
3762
selinux_task_setscheduler(struct task_struct * p)3763 static int selinux_task_setscheduler(struct task_struct *p)
3764 {
3765 int rc;
3766
3767 rc = cap_task_setscheduler(p);
3768 if (rc)
3769 return rc;
3770
3771 return current_has_perm(p, PROCESS__SETSCHED);
3772 }
3773
selinux_task_getscheduler(struct task_struct * p)3774 static int selinux_task_getscheduler(struct task_struct *p)
3775 {
3776 return current_has_perm(p, PROCESS__GETSCHED);
3777 }
3778
selinux_task_movememory(struct task_struct * p)3779 static int selinux_task_movememory(struct task_struct *p)
3780 {
3781 return current_has_perm(p, PROCESS__SETSCHED);
3782 }
3783
selinux_task_kill(struct task_struct * p,struct siginfo * info,int sig,u32 secid)3784 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3785 int sig, u32 secid)
3786 {
3787 u32 perm;
3788 int rc;
3789
3790 if (!sig)
3791 perm = PROCESS__SIGNULL; /* null signal; existence test */
3792 else
3793 perm = signal_to_av(sig);
3794 if (secid)
3795 rc = avc_has_perm(secid, task_sid(p),
3796 SECCLASS_PROCESS, perm, NULL);
3797 else
3798 rc = current_has_perm(p, perm);
3799 return rc;
3800 }
3801
selinux_task_wait(struct task_struct * p)3802 static int selinux_task_wait(struct task_struct *p)
3803 {
3804 return task_has_perm(p, current, PROCESS__SIGCHLD);
3805 }
3806
selinux_task_to_inode(struct task_struct * p,struct inode * inode)3807 static void selinux_task_to_inode(struct task_struct *p,
3808 struct inode *inode)
3809 {
3810 struct inode_security_struct *isec = inode->i_security;
3811 u32 sid = task_sid(p);
3812
3813 isec->sid = sid;
3814 isec->initialized = 1;
3815 }
3816
3817 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv4(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)3818 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3819 struct common_audit_data *ad, u8 *proto)
3820 {
3821 int offset, ihlen, ret = -EINVAL;
3822 struct iphdr _iph, *ih;
3823
3824 offset = skb_network_offset(skb);
3825 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3826 if (ih == NULL)
3827 goto out;
3828
3829 ihlen = ih->ihl * 4;
3830 if (ihlen < sizeof(_iph))
3831 goto out;
3832
3833 ad->u.net->v4info.saddr = ih->saddr;
3834 ad->u.net->v4info.daddr = ih->daddr;
3835 ret = 0;
3836
3837 if (proto)
3838 *proto = ih->protocol;
3839
3840 switch (ih->protocol) {
3841 case IPPROTO_TCP: {
3842 struct tcphdr _tcph, *th;
3843
3844 if (ntohs(ih->frag_off) & IP_OFFSET)
3845 break;
3846
3847 offset += ihlen;
3848 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3849 if (th == NULL)
3850 break;
3851
3852 ad->u.net->sport = th->source;
3853 ad->u.net->dport = th->dest;
3854 break;
3855 }
3856
3857 case IPPROTO_UDP: {
3858 struct udphdr _udph, *uh;
3859
3860 if (ntohs(ih->frag_off) & IP_OFFSET)
3861 break;
3862
3863 offset += ihlen;
3864 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3865 if (uh == NULL)
3866 break;
3867
3868 ad->u.net->sport = uh->source;
3869 ad->u.net->dport = uh->dest;
3870 break;
3871 }
3872
3873 case IPPROTO_DCCP: {
3874 struct dccp_hdr _dccph, *dh;
3875
3876 if (ntohs(ih->frag_off) & IP_OFFSET)
3877 break;
3878
3879 offset += ihlen;
3880 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3881 if (dh == NULL)
3882 break;
3883
3884 ad->u.net->sport = dh->dccph_sport;
3885 ad->u.net->dport = dh->dccph_dport;
3886 break;
3887 }
3888
3889 default:
3890 break;
3891 }
3892 out:
3893 return ret;
3894 }
3895
3896 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3897
3898 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv6(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)3899 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3900 struct common_audit_data *ad, u8 *proto)
3901 {
3902 u8 nexthdr;
3903 int ret = -EINVAL, offset;
3904 struct ipv6hdr _ipv6h, *ip6;
3905 __be16 frag_off;
3906
3907 offset = skb_network_offset(skb);
3908 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3909 if (ip6 == NULL)
3910 goto out;
3911
3912 ad->u.net->v6info.saddr = ip6->saddr;
3913 ad->u.net->v6info.daddr = ip6->daddr;
3914 ret = 0;
3915
3916 nexthdr = ip6->nexthdr;
3917 offset += sizeof(_ipv6h);
3918 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3919 if (offset < 0)
3920 goto out;
3921
3922 if (proto)
3923 *proto = nexthdr;
3924
3925 switch (nexthdr) {
3926 case IPPROTO_TCP: {
3927 struct tcphdr _tcph, *th;
3928
3929 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3930 if (th == NULL)
3931 break;
3932
3933 ad->u.net->sport = th->source;
3934 ad->u.net->dport = th->dest;
3935 break;
3936 }
3937
3938 case IPPROTO_UDP: {
3939 struct udphdr _udph, *uh;
3940
3941 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3942 if (uh == NULL)
3943 break;
3944
3945 ad->u.net->sport = uh->source;
3946 ad->u.net->dport = uh->dest;
3947 break;
3948 }
3949
3950 case IPPROTO_DCCP: {
3951 struct dccp_hdr _dccph, *dh;
3952
3953 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3954 if (dh == NULL)
3955 break;
3956
3957 ad->u.net->sport = dh->dccph_sport;
3958 ad->u.net->dport = dh->dccph_dport;
3959 break;
3960 }
3961
3962 /* includes fragments */
3963 default:
3964 break;
3965 }
3966 out:
3967 return ret;
3968 }
3969
3970 #endif /* IPV6 */
3971
selinux_parse_skb(struct sk_buff * skb,struct common_audit_data * ad,char ** _addrp,int src,u8 * proto)3972 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3973 char **_addrp, int src, u8 *proto)
3974 {
3975 char *addrp;
3976 int ret;
3977
3978 switch (ad->u.net->family) {
3979 case PF_INET:
3980 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3981 if (ret)
3982 goto parse_error;
3983 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3984 &ad->u.net->v4info.daddr);
3985 goto okay;
3986
3987 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3988 case PF_INET6:
3989 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3990 if (ret)
3991 goto parse_error;
3992 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3993 &ad->u.net->v6info.daddr);
3994 goto okay;
3995 #endif /* IPV6 */
3996 default:
3997 addrp = NULL;
3998 goto okay;
3999 }
4000
4001 parse_error:
4002 printk(KERN_WARNING
4003 "SELinux: failure in selinux_parse_skb(),"
4004 " unable to parse packet\n");
4005 return ret;
4006
4007 okay:
4008 if (_addrp)
4009 *_addrp = addrp;
4010 return 0;
4011 }
4012
4013 /**
4014 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4015 * @skb: the packet
4016 * @family: protocol family
4017 * @sid: the packet's peer label SID
4018 *
4019 * Description:
4020 * Check the various different forms of network peer labeling and determine
4021 * the peer label/SID for the packet; most of the magic actually occurs in
4022 * the security server function security_net_peersid_cmp(). The function
4023 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4024 * or -EACCES if @sid is invalid due to inconsistencies with the different
4025 * peer labels.
4026 *
4027 */
selinux_skb_peerlbl_sid(struct sk_buff * skb,u16 family,u32 * sid)4028 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4029 {
4030 int err;
4031 u32 xfrm_sid;
4032 u32 nlbl_sid;
4033 u32 nlbl_type;
4034
4035 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4036 if (unlikely(err))
4037 return -EACCES;
4038 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4039 if (unlikely(err))
4040 return -EACCES;
4041
4042 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4043 if (unlikely(err)) {
4044 printk(KERN_WARNING
4045 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4046 " unable to determine packet's peer label\n");
4047 return -EACCES;
4048 }
4049
4050 return 0;
4051 }
4052
4053 /**
4054 * selinux_conn_sid - Determine the child socket label for a connection
4055 * @sk_sid: the parent socket's SID
4056 * @skb_sid: the packet's SID
4057 * @conn_sid: the resulting connection SID
4058 *
4059 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4060 * combined with the MLS information from @skb_sid in order to create
4061 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4062 * of @sk_sid. Returns zero on success, negative values on failure.
4063 *
4064 */
selinux_conn_sid(u32 sk_sid,u32 skb_sid,u32 * conn_sid)4065 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4066 {
4067 int err = 0;
4068
4069 if (skb_sid != SECSID_NULL)
4070 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4071 else
4072 *conn_sid = sk_sid;
4073
4074 return err;
4075 }
4076
4077 /* socket security operations */
4078
socket_sockcreate_sid(const struct task_security_struct * tsec,u16 secclass,u32 * socksid)4079 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4080 u16 secclass, u32 *socksid)
4081 {
4082 if (tsec->sockcreate_sid > SECSID_NULL) {
4083 *socksid = tsec->sockcreate_sid;
4084 return 0;
4085 }
4086
4087 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4088 socksid);
4089 }
4090
sock_has_perm(struct task_struct * task,struct sock * sk,u32 perms)4091 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
4092 {
4093 struct sk_security_struct *sksec = sk->sk_security;
4094 struct common_audit_data ad;
4095 struct lsm_network_audit net = {0,};
4096 u32 tsid = task_sid(task);
4097
4098 if (!sksec)
4099 return -EFAULT;
4100 if (sksec->sid == SECINITSID_KERNEL)
4101 return 0;
4102
4103 ad.type = LSM_AUDIT_DATA_NET;
4104 ad.u.net = &net;
4105 ad.u.net->sk = sk;
4106
4107 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
4108 }
4109
selinux_socket_create(int family,int type,int protocol,int kern)4110 static int selinux_socket_create(int family, int type,
4111 int protocol, int kern)
4112 {
4113 const struct task_security_struct *tsec = current_security();
4114 u32 newsid;
4115 u16 secclass;
4116 int rc;
4117
4118 if (kern)
4119 return 0;
4120
4121 secclass = socket_type_to_security_class(family, type, protocol);
4122 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4123 if (rc)
4124 return rc;
4125
4126 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4127 }
4128
selinux_socket_post_create(struct socket * sock,int family,int type,int protocol,int kern)4129 static int selinux_socket_post_create(struct socket *sock, int family,
4130 int type, int protocol, int kern)
4131 {
4132 const struct task_security_struct *tsec = current_security();
4133 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4134 struct sk_security_struct *sksec;
4135 int err = 0;
4136
4137 isec->sclass = socket_type_to_security_class(family, type, protocol);
4138
4139 if (kern)
4140 isec->sid = SECINITSID_KERNEL;
4141 else {
4142 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4143 if (err)
4144 return err;
4145 }
4146
4147 isec->initialized = 1;
4148
4149 if (sock->sk) {
4150 sksec = sock->sk->sk_security;
4151 sksec->sid = isec->sid;
4152 sksec->sclass = isec->sclass;
4153 err = selinux_netlbl_socket_post_create(sock->sk, family);
4154 }
4155
4156 return err;
4157 }
4158
4159 /* Range of port numbers used to automatically bind.
4160 Need to determine whether we should perform a name_bind
4161 permission check between the socket and the port number. */
4162
selinux_socket_bind(struct socket * sock,struct sockaddr * address,int addrlen)4163 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4164 {
4165 struct sock *sk = sock->sk;
4166 u16 family;
4167 int err;
4168
4169 err = sock_has_perm(current, sk, SOCKET__BIND);
4170 if (err)
4171 goto out;
4172
4173 /*
4174 * If PF_INET or PF_INET6, check name_bind permission for the port.
4175 * Multiple address binding for SCTP is not supported yet: we just
4176 * check the first address now.
4177 */
4178 family = sk->sk_family;
4179 if (family == PF_INET || family == PF_INET6) {
4180 char *addrp;
4181 struct sk_security_struct *sksec = sk->sk_security;
4182 struct common_audit_data ad;
4183 struct lsm_network_audit net = {0,};
4184 struct sockaddr_in *addr4 = NULL;
4185 struct sockaddr_in6 *addr6 = NULL;
4186 unsigned short snum;
4187 u32 sid, node_perm;
4188
4189 if (family == PF_INET) {
4190 addr4 = (struct sockaddr_in *)address;
4191 snum = ntohs(addr4->sin_port);
4192 addrp = (char *)&addr4->sin_addr.s_addr;
4193 } else {
4194 addr6 = (struct sockaddr_in6 *)address;
4195 snum = ntohs(addr6->sin6_port);
4196 addrp = (char *)&addr6->sin6_addr.s6_addr;
4197 }
4198
4199 if (snum) {
4200 int low, high;
4201
4202 inet_get_local_port_range(sock_net(sk), &low, &high);
4203
4204 if (snum < max(PROT_SOCK, low) || snum > high) {
4205 err = sel_netport_sid(sk->sk_protocol,
4206 snum, &sid);
4207 if (err)
4208 goto out;
4209 ad.type = LSM_AUDIT_DATA_NET;
4210 ad.u.net = &net;
4211 ad.u.net->sport = htons(snum);
4212 ad.u.net->family = family;
4213 err = avc_has_perm(sksec->sid, sid,
4214 sksec->sclass,
4215 SOCKET__NAME_BIND, &ad);
4216 if (err)
4217 goto out;
4218 }
4219 }
4220
4221 switch (sksec->sclass) {
4222 case SECCLASS_TCP_SOCKET:
4223 node_perm = TCP_SOCKET__NODE_BIND;
4224 break;
4225
4226 case SECCLASS_UDP_SOCKET:
4227 node_perm = UDP_SOCKET__NODE_BIND;
4228 break;
4229
4230 case SECCLASS_DCCP_SOCKET:
4231 node_perm = DCCP_SOCKET__NODE_BIND;
4232 break;
4233
4234 default:
4235 node_perm = RAWIP_SOCKET__NODE_BIND;
4236 break;
4237 }
4238
4239 err = sel_netnode_sid(addrp, family, &sid);
4240 if (err)
4241 goto out;
4242
4243 ad.type = LSM_AUDIT_DATA_NET;
4244 ad.u.net = &net;
4245 ad.u.net->sport = htons(snum);
4246 ad.u.net->family = family;
4247
4248 if (family == PF_INET)
4249 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4250 else
4251 ad.u.net->v6info.saddr = addr6->sin6_addr;
4252
4253 err = avc_has_perm(sksec->sid, sid,
4254 sksec->sclass, node_perm, &ad);
4255 if (err)
4256 goto out;
4257 }
4258 out:
4259 return err;
4260 }
4261
selinux_socket_connect(struct socket * sock,struct sockaddr * address,int addrlen)4262 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4263 {
4264 struct sock *sk = sock->sk;
4265 struct sk_security_struct *sksec = sk->sk_security;
4266 int err;
4267
4268 err = sock_has_perm(current, sk, SOCKET__CONNECT);
4269 if (err)
4270 return err;
4271
4272 /*
4273 * If a TCP or DCCP socket, check name_connect permission for the port.
4274 */
4275 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4276 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4277 struct common_audit_data ad;
4278 struct lsm_network_audit net = {0,};
4279 struct sockaddr_in *addr4 = NULL;
4280 struct sockaddr_in6 *addr6 = NULL;
4281 unsigned short snum;
4282 u32 sid, perm;
4283
4284 if (sk->sk_family == PF_INET) {
4285 addr4 = (struct sockaddr_in *)address;
4286 if (addrlen < sizeof(struct sockaddr_in))
4287 return -EINVAL;
4288 snum = ntohs(addr4->sin_port);
4289 } else {
4290 addr6 = (struct sockaddr_in6 *)address;
4291 if (addrlen < SIN6_LEN_RFC2133)
4292 return -EINVAL;
4293 snum = ntohs(addr6->sin6_port);
4294 }
4295
4296 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4297 if (err)
4298 goto out;
4299
4300 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4301 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4302
4303 ad.type = LSM_AUDIT_DATA_NET;
4304 ad.u.net = &net;
4305 ad.u.net->dport = htons(snum);
4306 ad.u.net->family = sk->sk_family;
4307 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4308 if (err)
4309 goto out;
4310 }
4311
4312 err = selinux_netlbl_socket_connect(sk, address);
4313
4314 out:
4315 return err;
4316 }
4317
selinux_socket_listen(struct socket * sock,int backlog)4318 static int selinux_socket_listen(struct socket *sock, int backlog)
4319 {
4320 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4321 }
4322
selinux_socket_accept(struct socket * sock,struct socket * newsock)4323 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4324 {
4325 int err;
4326 struct inode_security_struct *isec;
4327 struct inode_security_struct *newisec;
4328
4329 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4330 if (err)
4331 return err;
4332
4333 newisec = SOCK_INODE(newsock)->i_security;
4334
4335 isec = SOCK_INODE(sock)->i_security;
4336 newisec->sclass = isec->sclass;
4337 newisec->sid = isec->sid;
4338 newisec->initialized = 1;
4339
4340 return 0;
4341 }
4342
selinux_socket_sendmsg(struct socket * sock,struct msghdr * msg,int size)4343 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4344 int size)
4345 {
4346 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4347 }
4348
selinux_socket_recvmsg(struct socket * sock,struct msghdr * msg,int size,int flags)4349 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4350 int size, int flags)
4351 {
4352 return sock_has_perm(current, sock->sk, SOCKET__READ);
4353 }
4354
selinux_socket_getsockname(struct socket * sock)4355 static int selinux_socket_getsockname(struct socket *sock)
4356 {
4357 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4358 }
4359
selinux_socket_getpeername(struct socket * sock)4360 static int selinux_socket_getpeername(struct socket *sock)
4361 {
4362 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4363 }
4364
selinux_socket_setsockopt(struct socket * sock,int level,int optname)4365 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4366 {
4367 int err;
4368
4369 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4370 if (err)
4371 return err;
4372
4373 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4374 }
4375
selinux_socket_getsockopt(struct socket * sock,int level,int optname)4376 static int selinux_socket_getsockopt(struct socket *sock, int level,
4377 int optname)
4378 {
4379 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4380 }
4381
selinux_socket_shutdown(struct socket * sock,int how)4382 static int selinux_socket_shutdown(struct socket *sock, int how)
4383 {
4384 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4385 }
4386
selinux_socket_unix_stream_connect(struct sock * sock,struct sock * other,struct sock * newsk)4387 static int selinux_socket_unix_stream_connect(struct sock *sock,
4388 struct sock *other,
4389 struct sock *newsk)
4390 {
4391 struct sk_security_struct *sksec_sock = sock->sk_security;
4392 struct sk_security_struct *sksec_other = other->sk_security;
4393 struct sk_security_struct *sksec_new = newsk->sk_security;
4394 struct common_audit_data ad;
4395 struct lsm_network_audit net = {0,};
4396 int err;
4397
4398 ad.type = LSM_AUDIT_DATA_NET;
4399 ad.u.net = &net;
4400 ad.u.net->sk = other;
4401
4402 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4403 sksec_other->sclass,
4404 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4405 if (err)
4406 return err;
4407
4408 /* server child socket */
4409 sksec_new->peer_sid = sksec_sock->sid;
4410 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4411 &sksec_new->sid);
4412 if (err)
4413 return err;
4414
4415 /* connecting socket */
4416 sksec_sock->peer_sid = sksec_new->sid;
4417
4418 return 0;
4419 }
4420
selinux_socket_unix_may_send(struct socket * sock,struct socket * other)4421 static int selinux_socket_unix_may_send(struct socket *sock,
4422 struct socket *other)
4423 {
4424 struct sk_security_struct *ssec = sock->sk->sk_security;
4425 struct sk_security_struct *osec = other->sk->sk_security;
4426 struct common_audit_data ad;
4427 struct lsm_network_audit net = {0,};
4428
4429 ad.type = LSM_AUDIT_DATA_NET;
4430 ad.u.net = &net;
4431 ad.u.net->sk = other->sk;
4432
4433 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4434 &ad);
4435 }
4436
selinux_inet_sys_rcv_skb(struct net * ns,int ifindex,char * addrp,u16 family,u32 peer_sid,struct common_audit_data * ad)4437 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4438 char *addrp, u16 family, u32 peer_sid,
4439 struct common_audit_data *ad)
4440 {
4441 int err;
4442 u32 if_sid;
4443 u32 node_sid;
4444
4445 err = sel_netif_sid(ns, ifindex, &if_sid);
4446 if (err)
4447 return err;
4448 err = avc_has_perm(peer_sid, if_sid,
4449 SECCLASS_NETIF, NETIF__INGRESS, ad);
4450 if (err)
4451 return err;
4452
4453 err = sel_netnode_sid(addrp, family, &node_sid);
4454 if (err)
4455 return err;
4456 return avc_has_perm(peer_sid, node_sid,
4457 SECCLASS_NODE, NODE__RECVFROM, ad);
4458 }
4459
selinux_sock_rcv_skb_compat(struct sock * sk,struct sk_buff * skb,u16 family)4460 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4461 u16 family)
4462 {
4463 int err = 0;
4464 struct sk_security_struct *sksec = sk->sk_security;
4465 u32 sk_sid = sksec->sid;
4466 struct common_audit_data ad;
4467 struct lsm_network_audit net = {0,};
4468 char *addrp;
4469
4470 ad.type = LSM_AUDIT_DATA_NET;
4471 ad.u.net = &net;
4472 ad.u.net->netif = skb->skb_iif;
4473 ad.u.net->family = family;
4474 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4475 if (err)
4476 return err;
4477
4478 if (selinux_secmark_enabled()) {
4479 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4480 PACKET__RECV, &ad);
4481 if (err)
4482 return err;
4483 }
4484
4485 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4486 if (err)
4487 return err;
4488 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4489
4490 return err;
4491 }
4492
selinux_socket_sock_rcv_skb(struct sock * sk,struct sk_buff * skb)4493 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4494 {
4495 int err;
4496 struct sk_security_struct *sksec = sk->sk_security;
4497 u16 family = sk->sk_family;
4498 u32 sk_sid = sksec->sid;
4499 struct common_audit_data ad;
4500 struct lsm_network_audit net = {0,};
4501 char *addrp;
4502 u8 secmark_active;
4503 u8 peerlbl_active;
4504
4505 if (family != PF_INET && family != PF_INET6)
4506 return 0;
4507
4508 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4509 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4510 family = PF_INET;
4511
4512 /* If any sort of compatibility mode is enabled then handoff processing
4513 * to the selinux_sock_rcv_skb_compat() function to deal with the
4514 * special handling. We do this in an attempt to keep this function
4515 * as fast and as clean as possible. */
4516 if (!selinux_policycap_netpeer)
4517 return selinux_sock_rcv_skb_compat(sk, skb, family);
4518
4519 secmark_active = selinux_secmark_enabled();
4520 peerlbl_active = selinux_peerlbl_enabled();
4521 if (!secmark_active && !peerlbl_active)
4522 return 0;
4523
4524 ad.type = LSM_AUDIT_DATA_NET;
4525 ad.u.net = &net;
4526 ad.u.net->netif = skb->skb_iif;
4527 ad.u.net->family = family;
4528 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4529 if (err)
4530 return err;
4531
4532 if (peerlbl_active) {
4533 u32 peer_sid;
4534
4535 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4536 if (err)
4537 return err;
4538 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4539 addrp, family, peer_sid, &ad);
4540 if (err) {
4541 selinux_netlbl_err(skb, err, 0);
4542 return err;
4543 }
4544 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4545 PEER__RECV, &ad);
4546 if (err) {
4547 selinux_netlbl_err(skb, err, 0);
4548 return err;
4549 }
4550 }
4551
4552 if (secmark_active) {
4553 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4554 PACKET__RECV, &ad);
4555 if (err)
4556 return err;
4557 }
4558
4559 return err;
4560 }
4561
selinux_socket_getpeersec_stream(struct socket * sock,char __user * optval,int __user * optlen,unsigned len)4562 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4563 int __user *optlen, unsigned len)
4564 {
4565 int err = 0;
4566 char *scontext;
4567 u32 scontext_len;
4568 struct sk_security_struct *sksec = sock->sk->sk_security;
4569 u32 peer_sid = SECSID_NULL;
4570
4571 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4572 sksec->sclass == SECCLASS_TCP_SOCKET)
4573 peer_sid = sksec->peer_sid;
4574 if (peer_sid == SECSID_NULL)
4575 return -ENOPROTOOPT;
4576
4577 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4578 if (err)
4579 return err;
4580
4581 if (scontext_len > len) {
4582 err = -ERANGE;
4583 goto out_len;
4584 }
4585
4586 if (copy_to_user(optval, scontext, scontext_len))
4587 err = -EFAULT;
4588
4589 out_len:
4590 if (put_user(scontext_len, optlen))
4591 err = -EFAULT;
4592 kfree(scontext);
4593 return err;
4594 }
4595
selinux_socket_getpeersec_dgram(struct socket * sock,struct sk_buff * skb,u32 * secid)4596 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4597 {
4598 u32 peer_secid = SECSID_NULL;
4599 u16 family;
4600
4601 if (skb && skb->protocol == htons(ETH_P_IP))
4602 family = PF_INET;
4603 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4604 family = PF_INET6;
4605 else if (sock)
4606 family = sock->sk->sk_family;
4607 else
4608 goto out;
4609
4610 if (sock && family == PF_UNIX)
4611 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4612 else if (skb)
4613 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4614
4615 out:
4616 *secid = peer_secid;
4617 if (peer_secid == SECSID_NULL)
4618 return -EINVAL;
4619 return 0;
4620 }
4621
selinux_sk_alloc_security(struct sock * sk,int family,gfp_t priority)4622 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4623 {
4624 struct sk_security_struct *sksec;
4625
4626 sksec = kzalloc(sizeof(*sksec), priority);
4627 if (!sksec)
4628 return -ENOMEM;
4629
4630 sksec->peer_sid = SECINITSID_UNLABELED;
4631 sksec->sid = SECINITSID_UNLABELED;
4632 selinux_netlbl_sk_security_reset(sksec);
4633 sk->sk_security = sksec;
4634
4635 return 0;
4636 }
4637
selinux_sk_free_security(struct sock * sk)4638 static void selinux_sk_free_security(struct sock *sk)
4639 {
4640 struct sk_security_struct *sksec = sk->sk_security;
4641
4642 sk->sk_security = NULL;
4643 selinux_netlbl_sk_security_free(sksec);
4644 kfree(sksec);
4645 }
4646
selinux_sk_clone_security(const struct sock * sk,struct sock * newsk)4647 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4648 {
4649 struct sk_security_struct *sksec = sk->sk_security;
4650 struct sk_security_struct *newsksec = newsk->sk_security;
4651
4652 newsksec->sid = sksec->sid;
4653 newsksec->peer_sid = sksec->peer_sid;
4654 newsksec->sclass = sksec->sclass;
4655
4656 selinux_netlbl_sk_security_reset(newsksec);
4657 }
4658
selinux_sk_getsecid(struct sock * sk,u32 * secid)4659 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4660 {
4661 if (!sk)
4662 *secid = SECINITSID_ANY_SOCKET;
4663 else {
4664 struct sk_security_struct *sksec = sk->sk_security;
4665
4666 *secid = sksec->sid;
4667 }
4668 }
4669
selinux_sock_graft(struct sock * sk,struct socket * parent)4670 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4671 {
4672 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4673 struct sk_security_struct *sksec = sk->sk_security;
4674
4675 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4676 sk->sk_family == PF_UNIX)
4677 isec->sid = sksec->sid;
4678 sksec->sclass = isec->sclass;
4679 }
4680
selinux_inet_conn_request(struct sock * sk,struct sk_buff * skb,struct request_sock * req)4681 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4682 struct request_sock *req)
4683 {
4684 struct sk_security_struct *sksec = sk->sk_security;
4685 int err;
4686 u16 family = req->rsk_ops->family;
4687 u32 connsid;
4688 u32 peersid;
4689
4690 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4691 if (err)
4692 return err;
4693 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4694 if (err)
4695 return err;
4696 req->secid = connsid;
4697 req->peer_secid = peersid;
4698
4699 return selinux_netlbl_inet_conn_request(req, family);
4700 }
4701
selinux_inet_csk_clone(struct sock * newsk,const struct request_sock * req)4702 static void selinux_inet_csk_clone(struct sock *newsk,
4703 const struct request_sock *req)
4704 {
4705 struct sk_security_struct *newsksec = newsk->sk_security;
4706
4707 newsksec->sid = req->secid;
4708 newsksec->peer_sid = req->peer_secid;
4709 /* NOTE: Ideally, we should also get the isec->sid for the
4710 new socket in sync, but we don't have the isec available yet.
4711 So we will wait until sock_graft to do it, by which
4712 time it will have been created and available. */
4713
4714 /* We don't need to take any sort of lock here as we are the only
4715 * thread with access to newsksec */
4716 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4717 }
4718
selinux_inet_conn_established(struct sock * sk,struct sk_buff * skb)4719 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4720 {
4721 u16 family = sk->sk_family;
4722 struct sk_security_struct *sksec = sk->sk_security;
4723
4724 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4725 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4726 family = PF_INET;
4727
4728 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4729 }
4730
selinux_skb_owned_by(struct sk_buff * skb,struct sock * sk)4731 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4732 {
4733 skb_set_owner_w(skb, sk);
4734 }
4735
selinux_secmark_relabel_packet(u32 sid)4736 static int selinux_secmark_relabel_packet(u32 sid)
4737 {
4738 const struct task_security_struct *__tsec;
4739 u32 tsid;
4740
4741 __tsec = current_security();
4742 tsid = __tsec->sid;
4743
4744 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4745 }
4746
selinux_secmark_refcount_inc(void)4747 static void selinux_secmark_refcount_inc(void)
4748 {
4749 atomic_inc(&selinux_secmark_refcount);
4750 }
4751
selinux_secmark_refcount_dec(void)4752 static void selinux_secmark_refcount_dec(void)
4753 {
4754 atomic_dec(&selinux_secmark_refcount);
4755 }
4756
selinux_req_classify_flow(const struct request_sock * req,struct flowi * fl)4757 static void selinux_req_classify_flow(const struct request_sock *req,
4758 struct flowi *fl)
4759 {
4760 fl->flowi_secid = req->secid;
4761 }
4762
selinux_tun_dev_alloc_security(void ** security)4763 static int selinux_tun_dev_alloc_security(void **security)
4764 {
4765 struct tun_security_struct *tunsec;
4766
4767 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4768 if (!tunsec)
4769 return -ENOMEM;
4770 tunsec->sid = current_sid();
4771
4772 *security = tunsec;
4773 return 0;
4774 }
4775
selinux_tun_dev_free_security(void * security)4776 static void selinux_tun_dev_free_security(void *security)
4777 {
4778 kfree(security);
4779 }
4780
selinux_tun_dev_create(void)4781 static int selinux_tun_dev_create(void)
4782 {
4783 u32 sid = current_sid();
4784
4785 /* we aren't taking into account the "sockcreate" SID since the socket
4786 * that is being created here is not a socket in the traditional sense,
4787 * instead it is a private sock, accessible only to the kernel, and
4788 * representing a wide range of network traffic spanning multiple
4789 * connections unlike traditional sockets - check the TUN driver to
4790 * get a better understanding of why this socket is special */
4791
4792 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4793 NULL);
4794 }
4795
selinux_tun_dev_attach_queue(void * security)4796 static int selinux_tun_dev_attach_queue(void *security)
4797 {
4798 struct tun_security_struct *tunsec = security;
4799
4800 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4801 TUN_SOCKET__ATTACH_QUEUE, NULL);
4802 }
4803
selinux_tun_dev_attach(struct sock * sk,void * security)4804 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4805 {
4806 struct tun_security_struct *tunsec = security;
4807 struct sk_security_struct *sksec = sk->sk_security;
4808
4809 /* we don't currently perform any NetLabel based labeling here and it
4810 * isn't clear that we would want to do so anyway; while we could apply
4811 * labeling without the support of the TUN user the resulting labeled
4812 * traffic from the other end of the connection would almost certainly
4813 * cause confusion to the TUN user that had no idea network labeling
4814 * protocols were being used */
4815
4816 sksec->sid = tunsec->sid;
4817 sksec->sclass = SECCLASS_TUN_SOCKET;
4818
4819 return 0;
4820 }
4821
selinux_tun_dev_open(void * security)4822 static int selinux_tun_dev_open(void *security)
4823 {
4824 struct tun_security_struct *tunsec = security;
4825 u32 sid = current_sid();
4826 int err;
4827
4828 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4829 TUN_SOCKET__RELABELFROM, NULL);
4830 if (err)
4831 return err;
4832 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4833 TUN_SOCKET__RELABELTO, NULL);
4834 if (err)
4835 return err;
4836 tunsec->sid = sid;
4837
4838 return 0;
4839 }
4840
selinux_nlmsg_perm(struct sock * sk,struct sk_buff * skb)4841 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4842 {
4843 int err = 0;
4844 u32 perm;
4845 struct nlmsghdr *nlh;
4846 struct sk_security_struct *sksec = sk->sk_security;
4847
4848 if (skb->len < NLMSG_HDRLEN) {
4849 err = -EINVAL;
4850 goto out;
4851 }
4852 nlh = nlmsg_hdr(skb);
4853
4854 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4855 if (err) {
4856 if (err == -EINVAL) {
4857 printk(KERN_WARNING
4858 "SELinux: unrecognized netlink message:"
4859 " protocol=%hu nlmsg_type=%hu sclass=%hu\n",
4860 sk->sk_protocol, nlh->nlmsg_type, sksec->sclass);
4861 if (!selinux_enforcing || security_get_allow_unknown())
4862 err = 0;
4863 }
4864
4865 /* Ignore */
4866 if (err == -ENOENT)
4867 err = 0;
4868 goto out;
4869 }
4870
4871 err = sock_has_perm(current, sk, perm);
4872 out:
4873 return err;
4874 }
4875
4876 #ifdef CONFIG_NETFILTER
4877
selinux_ip_forward(struct sk_buff * skb,const struct net_device * indev,u16 family)4878 static unsigned int selinux_ip_forward(struct sk_buff *skb,
4879 const struct net_device *indev,
4880 u16 family)
4881 {
4882 int err;
4883 char *addrp;
4884 u32 peer_sid;
4885 struct common_audit_data ad;
4886 struct lsm_network_audit net = {0,};
4887 u8 secmark_active;
4888 u8 netlbl_active;
4889 u8 peerlbl_active;
4890
4891 if (!selinux_policycap_netpeer)
4892 return NF_ACCEPT;
4893
4894 secmark_active = selinux_secmark_enabled();
4895 netlbl_active = netlbl_enabled();
4896 peerlbl_active = selinux_peerlbl_enabled();
4897 if (!secmark_active && !peerlbl_active)
4898 return NF_ACCEPT;
4899
4900 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4901 return NF_DROP;
4902
4903 ad.type = LSM_AUDIT_DATA_NET;
4904 ad.u.net = &net;
4905 ad.u.net->netif = indev->ifindex;
4906 ad.u.net->family = family;
4907 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4908 return NF_DROP;
4909
4910 if (peerlbl_active) {
4911 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
4912 addrp, family, peer_sid, &ad);
4913 if (err) {
4914 selinux_netlbl_err(skb, err, 1);
4915 return NF_DROP;
4916 }
4917 }
4918
4919 if (secmark_active)
4920 if (avc_has_perm(peer_sid, skb->secmark,
4921 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4922 return NF_DROP;
4923
4924 if (netlbl_active)
4925 /* we do this in the FORWARD path and not the POST_ROUTING
4926 * path because we want to make sure we apply the necessary
4927 * labeling before IPsec is applied so we can leverage AH
4928 * protection */
4929 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4930 return NF_DROP;
4931
4932 return NF_ACCEPT;
4933 }
4934
selinux_ipv4_forward(const struct nf_hook_ops * ops,struct sk_buff * skb,const struct net_device * in,const struct net_device * out,int (* okfn)(struct sk_buff *))4935 static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
4936 struct sk_buff *skb,
4937 const struct net_device *in,
4938 const struct net_device *out,
4939 int (*okfn)(struct sk_buff *))
4940 {
4941 return selinux_ip_forward(skb, in, PF_INET);
4942 }
4943
4944 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
selinux_ipv6_forward(const struct nf_hook_ops * ops,struct sk_buff * skb,const struct net_device * in,const struct net_device * out,int (* okfn)(struct sk_buff *))4945 static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
4946 struct sk_buff *skb,
4947 const struct net_device *in,
4948 const struct net_device *out,
4949 int (*okfn)(struct sk_buff *))
4950 {
4951 return selinux_ip_forward(skb, in, PF_INET6);
4952 }
4953 #endif /* IPV6 */
4954
selinux_ip_output(struct sk_buff * skb,u16 family)4955 static unsigned int selinux_ip_output(struct sk_buff *skb,
4956 u16 family)
4957 {
4958 struct sock *sk;
4959 u32 sid;
4960
4961 if (!netlbl_enabled())
4962 return NF_ACCEPT;
4963
4964 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4965 * because we want to make sure we apply the necessary labeling
4966 * before IPsec is applied so we can leverage AH protection */
4967 sk = skb->sk;
4968 if (sk) {
4969 struct sk_security_struct *sksec;
4970
4971 if (sk->sk_state == TCP_LISTEN)
4972 /* if the socket is the listening state then this
4973 * packet is a SYN-ACK packet which means it needs to
4974 * be labeled based on the connection/request_sock and
4975 * not the parent socket. unfortunately, we can't
4976 * lookup the request_sock yet as it isn't queued on
4977 * the parent socket until after the SYN-ACK is sent.
4978 * the "solution" is to simply pass the packet as-is
4979 * as any IP option based labeling should be copied
4980 * from the initial connection request (in the IP
4981 * layer). it is far from ideal, but until we get a
4982 * security label in the packet itself this is the
4983 * best we can do. */
4984 return NF_ACCEPT;
4985
4986 /* standard practice, label using the parent socket */
4987 sksec = sk->sk_security;
4988 sid = sksec->sid;
4989 } else
4990 sid = SECINITSID_KERNEL;
4991 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4992 return NF_DROP;
4993
4994 return NF_ACCEPT;
4995 }
4996
selinux_ipv4_output(const struct nf_hook_ops * ops,struct sk_buff * skb,const struct net_device * in,const struct net_device * out,int (* okfn)(struct sk_buff *))4997 static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops,
4998 struct sk_buff *skb,
4999 const struct net_device *in,
5000 const struct net_device *out,
5001 int (*okfn)(struct sk_buff *))
5002 {
5003 return selinux_ip_output(skb, PF_INET);
5004 }
5005
selinux_ip_postroute_compat(struct sk_buff * skb,int ifindex,u16 family)5006 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5007 int ifindex,
5008 u16 family)
5009 {
5010 struct sock *sk = skb->sk;
5011 struct sk_security_struct *sksec;
5012 struct common_audit_data ad;
5013 struct lsm_network_audit net = {0,};
5014 char *addrp;
5015 u8 proto;
5016
5017 if (sk == NULL)
5018 return NF_ACCEPT;
5019 sksec = sk->sk_security;
5020
5021 ad.type = LSM_AUDIT_DATA_NET;
5022 ad.u.net = &net;
5023 ad.u.net->netif = ifindex;
5024 ad.u.net->family = family;
5025 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5026 return NF_DROP;
5027
5028 if (selinux_secmark_enabled())
5029 if (avc_has_perm(sksec->sid, skb->secmark,
5030 SECCLASS_PACKET, PACKET__SEND, &ad))
5031 return NF_DROP_ERR(-ECONNREFUSED);
5032
5033 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5034 return NF_DROP_ERR(-ECONNREFUSED);
5035
5036 return NF_ACCEPT;
5037 }
5038
selinux_ip_postroute(struct sk_buff * skb,const struct net_device * outdev,u16 family)5039 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5040 const struct net_device *outdev,
5041 u16 family)
5042 {
5043 u32 secmark_perm;
5044 u32 peer_sid;
5045 int ifindex = outdev->ifindex;
5046 struct sock *sk;
5047 struct common_audit_data ad;
5048 struct lsm_network_audit net = {0,};
5049 char *addrp;
5050 u8 secmark_active;
5051 u8 peerlbl_active;
5052
5053 /* If any sort of compatibility mode is enabled then handoff processing
5054 * to the selinux_ip_postroute_compat() function to deal with the
5055 * special handling. We do this in an attempt to keep this function
5056 * as fast and as clean as possible. */
5057 if (!selinux_policycap_netpeer)
5058 return selinux_ip_postroute_compat(skb, ifindex, family);
5059
5060 secmark_active = selinux_secmark_enabled();
5061 peerlbl_active = selinux_peerlbl_enabled();
5062 if (!secmark_active && !peerlbl_active)
5063 return NF_ACCEPT;
5064
5065 sk = skb->sk;
5066
5067 #ifdef CONFIG_XFRM
5068 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5069 * packet transformation so allow the packet to pass without any checks
5070 * since we'll have another chance to perform access control checks
5071 * when the packet is on it's final way out.
5072 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5073 * is NULL, in this case go ahead and apply access control.
5074 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5075 * TCP listening state we cannot wait until the XFRM processing
5076 * is done as we will miss out on the SA label if we do;
5077 * unfortunately, this means more work, but it is only once per
5078 * connection. */
5079 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5080 !(sk != NULL && sk->sk_state == TCP_LISTEN))
5081 return NF_ACCEPT;
5082 #endif
5083
5084 if (sk == NULL) {
5085 /* Without an associated socket the packet is either coming
5086 * from the kernel or it is being forwarded; check the packet
5087 * to determine which and if the packet is being forwarded
5088 * query the packet directly to determine the security label. */
5089 if (skb->skb_iif) {
5090 secmark_perm = PACKET__FORWARD_OUT;
5091 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5092 return NF_DROP;
5093 } else {
5094 secmark_perm = PACKET__SEND;
5095 peer_sid = SECINITSID_KERNEL;
5096 }
5097 } else if (sk->sk_state == TCP_LISTEN) {
5098 /* Locally generated packet but the associated socket is in the
5099 * listening state which means this is a SYN-ACK packet. In
5100 * this particular case the correct security label is assigned
5101 * to the connection/request_sock but unfortunately we can't
5102 * query the request_sock as it isn't queued on the parent
5103 * socket until after the SYN-ACK packet is sent; the only
5104 * viable choice is to regenerate the label like we do in
5105 * selinux_inet_conn_request(). See also selinux_ip_output()
5106 * for similar problems. */
5107 u32 skb_sid;
5108 struct sk_security_struct *sksec = sk->sk_security;
5109 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5110 return NF_DROP;
5111 /* At this point, if the returned skb peerlbl is SECSID_NULL
5112 * and the packet has been through at least one XFRM
5113 * transformation then we must be dealing with the "final"
5114 * form of labeled IPsec packet; since we've already applied
5115 * all of our access controls on this packet we can safely
5116 * pass the packet. */
5117 if (skb_sid == SECSID_NULL) {
5118 switch (family) {
5119 case PF_INET:
5120 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5121 return NF_ACCEPT;
5122 break;
5123 case PF_INET6:
5124 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5125 return NF_ACCEPT;
5126 break;
5127 default:
5128 return NF_DROP_ERR(-ECONNREFUSED);
5129 }
5130 }
5131 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5132 return NF_DROP;
5133 secmark_perm = PACKET__SEND;
5134 } else {
5135 /* Locally generated packet, fetch the security label from the
5136 * associated socket. */
5137 struct sk_security_struct *sksec = sk->sk_security;
5138 peer_sid = sksec->sid;
5139 secmark_perm = PACKET__SEND;
5140 }
5141
5142 ad.type = LSM_AUDIT_DATA_NET;
5143 ad.u.net = &net;
5144 ad.u.net->netif = ifindex;
5145 ad.u.net->family = family;
5146 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5147 return NF_DROP;
5148
5149 if (secmark_active)
5150 if (avc_has_perm(peer_sid, skb->secmark,
5151 SECCLASS_PACKET, secmark_perm, &ad))
5152 return NF_DROP_ERR(-ECONNREFUSED);
5153
5154 if (peerlbl_active) {
5155 u32 if_sid;
5156 u32 node_sid;
5157
5158 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5159 return NF_DROP;
5160 if (avc_has_perm(peer_sid, if_sid,
5161 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5162 return NF_DROP_ERR(-ECONNREFUSED);
5163
5164 if (sel_netnode_sid(addrp, family, &node_sid))
5165 return NF_DROP;
5166 if (avc_has_perm(peer_sid, node_sid,
5167 SECCLASS_NODE, NODE__SENDTO, &ad))
5168 return NF_DROP_ERR(-ECONNREFUSED);
5169 }
5170
5171 return NF_ACCEPT;
5172 }
5173
selinux_ipv4_postroute(const struct nf_hook_ops * ops,struct sk_buff * skb,const struct net_device * in,const struct net_device * out,int (* okfn)(struct sk_buff *))5174 static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
5175 struct sk_buff *skb,
5176 const struct net_device *in,
5177 const struct net_device *out,
5178 int (*okfn)(struct sk_buff *))
5179 {
5180 return selinux_ip_postroute(skb, out, PF_INET);
5181 }
5182
5183 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
selinux_ipv6_postroute(const struct nf_hook_ops * ops,struct sk_buff * skb,const struct net_device * in,const struct net_device * out,int (* okfn)(struct sk_buff *))5184 static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
5185 struct sk_buff *skb,
5186 const struct net_device *in,
5187 const struct net_device *out,
5188 int (*okfn)(struct sk_buff *))
5189 {
5190 return selinux_ip_postroute(skb, out, PF_INET6);
5191 }
5192 #endif /* IPV6 */
5193
5194 #endif /* CONFIG_NETFILTER */
5195
selinux_netlink_send(struct sock * sk,struct sk_buff * skb)5196 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5197 {
5198 int err;
5199
5200 err = cap_netlink_send(sk, skb);
5201 if (err)
5202 return err;
5203
5204 return selinux_nlmsg_perm(sk, skb);
5205 }
5206
ipc_alloc_security(struct task_struct * task,struct kern_ipc_perm * perm,u16 sclass)5207 static int ipc_alloc_security(struct task_struct *task,
5208 struct kern_ipc_perm *perm,
5209 u16 sclass)
5210 {
5211 struct ipc_security_struct *isec;
5212 u32 sid;
5213
5214 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5215 if (!isec)
5216 return -ENOMEM;
5217
5218 sid = task_sid(task);
5219 isec->sclass = sclass;
5220 isec->sid = sid;
5221 perm->security = isec;
5222
5223 return 0;
5224 }
5225
ipc_free_security(struct kern_ipc_perm * perm)5226 static void ipc_free_security(struct kern_ipc_perm *perm)
5227 {
5228 struct ipc_security_struct *isec = perm->security;
5229 perm->security = NULL;
5230 kfree(isec);
5231 }
5232
msg_msg_alloc_security(struct msg_msg * msg)5233 static int msg_msg_alloc_security(struct msg_msg *msg)
5234 {
5235 struct msg_security_struct *msec;
5236
5237 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5238 if (!msec)
5239 return -ENOMEM;
5240
5241 msec->sid = SECINITSID_UNLABELED;
5242 msg->security = msec;
5243
5244 return 0;
5245 }
5246
msg_msg_free_security(struct msg_msg * msg)5247 static void msg_msg_free_security(struct msg_msg *msg)
5248 {
5249 struct msg_security_struct *msec = msg->security;
5250
5251 msg->security = NULL;
5252 kfree(msec);
5253 }
5254
ipc_has_perm(struct kern_ipc_perm * ipc_perms,u32 perms)5255 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5256 u32 perms)
5257 {
5258 struct ipc_security_struct *isec;
5259 struct common_audit_data ad;
5260 u32 sid = current_sid();
5261
5262 isec = ipc_perms->security;
5263
5264 ad.type = LSM_AUDIT_DATA_IPC;
5265 ad.u.ipc_id = ipc_perms->key;
5266
5267 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5268 }
5269
selinux_msg_msg_alloc_security(struct msg_msg * msg)5270 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5271 {
5272 return msg_msg_alloc_security(msg);
5273 }
5274
selinux_msg_msg_free_security(struct msg_msg * msg)5275 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5276 {
5277 msg_msg_free_security(msg);
5278 }
5279
5280 /* message queue security operations */
selinux_msg_queue_alloc_security(struct msg_queue * msq)5281 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5282 {
5283 struct ipc_security_struct *isec;
5284 struct common_audit_data ad;
5285 u32 sid = current_sid();
5286 int rc;
5287
5288 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5289 if (rc)
5290 return rc;
5291
5292 isec = msq->q_perm.security;
5293
5294 ad.type = LSM_AUDIT_DATA_IPC;
5295 ad.u.ipc_id = msq->q_perm.key;
5296
5297 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5298 MSGQ__CREATE, &ad);
5299 if (rc) {
5300 ipc_free_security(&msq->q_perm);
5301 return rc;
5302 }
5303 return 0;
5304 }
5305
selinux_msg_queue_free_security(struct msg_queue * msq)5306 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5307 {
5308 ipc_free_security(&msq->q_perm);
5309 }
5310
selinux_msg_queue_associate(struct msg_queue * msq,int msqflg)5311 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5312 {
5313 struct ipc_security_struct *isec;
5314 struct common_audit_data ad;
5315 u32 sid = current_sid();
5316
5317 isec = msq->q_perm.security;
5318
5319 ad.type = LSM_AUDIT_DATA_IPC;
5320 ad.u.ipc_id = msq->q_perm.key;
5321
5322 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5323 MSGQ__ASSOCIATE, &ad);
5324 }
5325
selinux_msg_queue_msgctl(struct msg_queue * msq,int cmd)5326 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5327 {
5328 int err;
5329 int perms;
5330
5331 switch (cmd) {
5332 case IPC_INFO:
5333 case MSG_INFO:
5334 /* No specific object, just general system-wide information. */
5335 return task_has_system(current, SYSTEM__IPC_INFO);
5336 case IPC_STAT:
5337 case MSG_STAT:
5338 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5339 break;
5340 case IPC_SET:
5341 perms = MSGQ__SETATTR;
5342 break;
5343 case IPC_RMID:
5344 perms = MSGQ__DESTROY;
5345 break;
5346 default:
5347 return 0;
5348 }
5349
5350 err = ipc_has_perm(&msq->q_perm, perms);
5351 return err;
5352 }
5353
selinux_msg_queue_msgsnd(struct msg_queue * msq,struct msg_msg * msg,int msqflg)5354 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5355 {
5356 struct ipc_security_struct *isec;
5357 struct msg_security_struct *msec;
5358 struct common_audit_data ad;
5359 u32 sid = current_sid();
5360 int rc;
5361
5362 isec = msq->q_perm.security;
5363 msec = msg->security;
5364
5365 /*
5366 * First time through, need to assign label to the message
5367 */
5368 if (msec->sid == SECINITSID_UNLABELED) {
5369 /*
5370 * Compute new sid based on current process and
5371 * message queue this message will be stored in
5372 */
5373 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5374 NULL, &msec->sid);
5375 if (rc)
5376 return rc;
5377 }
5378
5379 ad.type = LSM_AUDIT_DATA_IPC;
5380 ad.u.ipc_id = msq->q_perm.key;
5381
5382 /* Can this process write to the queue? */
5383 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5384 MSGQ__WRITE, &ad);
5385 if (!rc)
5386 /* Can this process send the message */
5387 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5388 MSG__SEND, &ad);
5389 if (!rc)
5390 /* Can the message be put in the queue? */
5391 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5392 MSGQ__ENQUEUE, &ad);
5393
5394 return rc;
5395 }
5396
selinux_msg_queue_msgrcv(struct msg_queue * msq,struct msg_msg * msg,struct task_struct * target,long type,int mode)5397 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5398 struct task_struct *target,
5399 long type, int mode)
5400 {
5401 struct ipc_security_struct *isec;
5402 struct msg_security_struct *msec;
5403 struct common_audit_data ad;
5404 u32 sid = task_sid(target);
5405 int rc;
5406
5407 isec = msq->q_perm.security;
5408 msec = msg->security;
5409
5410 ad.type = LSM_AUDIT_DATA_IPC;
5411 ad.u.ipc_id = msq->q_perm.key;
5412
5413 rc = avc_has_perm(sid, isec->sid,
5414 SECCLASS_MSGQ, MSGQ__READ, &ad);
5415 if (!rc)
5416 rc = avc_has_perm(sid, msec->sid,
5417 SECCLASS_MSG, MSG__RECEIVE, &ad);
5418 return rc;
5419 }
5420
5421 /* Shared Memory security operations */
selinux_shm_alloc_security(struct shmid_kernel * shp)5422 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5423 {
5424 struct ipc_security_struct *isec;
5425 struct common_audit_data ad;
5426 u32 sid = current_sid();
5427 int rc;
5428
5429 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5430 if (rc)
5431 return rc;
5432
5433 isec = shp->shm_perm.security;
5434
5435 ad.type = LSM_AUDIT_DATA_IPC;
5436 ad.u.ipc_id = shp->shm_perm.key;
5437
5438 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5439 SHM__CREATE, &ad);
5440 if (rc) {
5441 ipc_free_security(&shp->shm_perm);
5442 return rc;
5443 }
5444 return 0;
5445 }
5446
selinux_shm_free_security(struct shmid_kernel * shp)5447 static void selinux_shm_free_security(struct shmid_kernel *shp)
5448 {
5449 ipc_free_security(&shp->shm_perm);
5450 }
5451
selinux_shm_associate(struct shmid_kernel * shp,int shmflg)5452 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5453 {
5454 struct ipc_security_struct *isec;
5455 struct common_audit_data ad;
5456 u32 sid = current_sid();
5457
5458 isec = shp->shm_perm.security;
5459
5460 ad.type = LSM_AUDIT_DATA_IPC;
5461 ad.u.ipc_id = shp->shm_perm.key;
5462
5463 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5464 SHM__ASSOCIATE, &ad);
5465 }
5466
5467 /* Note, at this point, shp is locked down */
selinux_shm_shmctl(struct shmid_kernel * shp,int cmd)5468 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5469 {
5470 int perms;
5471 int err;
5472
5473 switch (cmd) {
5474 case IPC_INFO:
5475 case SHM_INFO:
5476 /* No specific object, just general system-wide information. */
5477 return task_has_system(current, SYSTEM__IPC_INFO);
5478 case IPC_STAT:
5479 case SHM_STAT:
5480 perms = SHM__GETATTR | SHM__ASSOCIATE;
5481 break;
5482 case IPC_SET:
5483 perms = SHM__SETATTR;
5484 break;
5485 case SHM_LOCK:
5486 case SHM_UNLOCK:
5487 perms = SHM__LOCK;
5488 break;
5489 case IPC_RMID:
5490 perms = SHM__DESTROY;
5491 break;
5492 default:
5493 return 0;
5494 }
5495
5496 err = ipc_has_perm(&shp->shm_perm, perms);
5497 return err;
5498 }
5499
selinux_shm_shmat(struct shmid_kernel * shp,char __user * shmaddr,int shmflg)5500 static int selinux_shm_shmat(struct shmid_kernel *shp,
5501 char __user *shmaddr, int shmflg)
5502 {
5503 u32 perms;
5504
5505 if (shmflg & SHM_RDONLY)
5506 perms = SHM__READ;
5507 else
5508 perms = SHM__READ | SHM__WRITE;
5509
5510 return ipc_has_perm(&shp->shm_perm, perms);
5511 }
5512
5513 /* Semaphore security operations */
selinux_sem_alloc_security(struct sem_array * sma)5514 static int selinux_sem_alloc_security(struct sem_array *sma)
5515 {
5516 struct ipc_security_struct *isec;
5517 struct common_audit_data ad;
5518 u32 sid = current_sid();
5519 int rc;
5520
5521 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5522 if (rc)
5523 return rc;
5524
5525 isec = sma->sem_perm.security;
5526
5527 ad.type = LSM_AUDIT_DATA_IPC;
5528 ad.u.ipc_id = sma->sem_perm.key;
5529
5530 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5531 SEM__CREATE, &ad);
5532 if (rc) {
5533 ipc_free_security(&sma->sem_perm);
5534 return rc;
5535 }
5536 return 0;
5537 }
5538
selinux_sem_free_security(struct sem_array * sma)5539 static void selinux_sem_free_security(struct sem_array *sma)
5540 {
5541 ipc_free_security(&sma->sem_perm);
5542 }
5543
selinux_sem_associate(struct sem_array * sma,int semflg)5544 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5545 {
5546 struct ipc_security_struct *isec;
5547 struct common_audit_data ad;
5548 u32 sid = current_sid();
5549
5550 isec = sma->sem_perm.security;
5551
5552 ad.type = LSM_AUDIT_DATA_IPC;
5553 ad.u.ipc_id = sma->sem_perm.key;
5554
5555 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5556 SEM__ASSOCIATE, &ad);
5557 }
5558
5559 /* Note, at this point, sma is locked down */
selinux_sem_semctl(struct sem_array * sma,int cmd)5560 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5561 {
5562 int err;
5563 u32 perms;
5564
5565 switch (cmd) {
5566 case IPC_INFO:
5567 case SEM_INFO:
5568 /* No specific object, just general system-wide information. */
5569 return task_has_system(current, SYSTEM__IPC_INFO);
5570 case GETPID:
5571 case GETNCNT:
5572 case GETZCNT:
5573 perms = SEM__GETATTR;
5574 break;
5575 case GETVAL:
5576 case GETALL:
5577 perms = SEM__READ;
5578 break;
5579 case SETVAL:
5580 case SETALL:
5581 perms = SEM__WRITE;
5582 break;
5583 case IPC_RMID:
5584 perms = SEM__DESTROY;
5585 break;
5586 case IPC_SET:
5587 perms = SEM__SETATTR;
5588 break;
5589 case IPC_STAT:
5590 case SEM_STAT:
5591 perms = SEM__GETATTR | SEM__ASSOCIATE;
5592 break;
5593 default:
5594 return 0;
5595 }
5596
5597 err = ipc_has_perm(&sma->sem_perm, perms);
5598 return err;
5599 }
5600
selinux_sem_semop(struct sem_array * sma,struct sembuf * sops,unsigned nsops,int alter)5601 static int selinux_sem_semop(struct sem_array *sma,
5602 struct sembuf *sops, unsigned nsops, int alter)
5603 {
5604 u32 perms;
5605
5606 if (alter)
5607 perms = SEM__READ | SEM__WRITE;
5608 else
5609 perms = SEM__READ;
5610
5611 return ipc_has_perm(&sma->sem_perm, perms);
5612 }
5613
selinux_ipc_permission(struct kern_ipc_perm * ipcp,short flag)5614 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5615 {
5616 u32 av = 0;
5617
5618 av = 0;
5619 if (flag & S_IRUGO)
5620 av |= IPC__UNIX_READ;
5621 if (flag & S_IWUGO)
5622 av |= IPC__UNIX_WRITE;
5623
5624 if (av == 0)
5625 return 0;
5626
5627 return ipc_has_perm(ipcp, av);
5628 }
5629
selinux_ipc_getsecid(struct kern_ipc_perm * ipcp,u32 * secid)5630 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5631 {
5632 struct ipc_security_struct *isec = ipcp->security;
5633 *secid = isec->sid;
5634 }
5635
selinux_d_instantiate(struct dentry * dentry,struct inode * inode)5636 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5637 {
5638 if (inode)
5639 inode_doinit_with_dentry(inode, dentry);
5640 }
5641
selinux_getprocattr(struct task_struct * p,char * name,char ** value)5642 static int selinux_getprocattr(struct task_struct *p,
5643 char *name, char **value)
5644 {
5645 const struct task_security_struct *__tsec;
5646 u32 sid;
5647 int error;
5648 unsigned len;
5649
5650 if (current != p) {
5651 error = current_has_perm(p, PROCESS__GETATTR);
5652 if (error)
5653 return error;
5654 }
5655
5656 rcu_read_lock();
5657 __tsec = __task_cred(p)->security;
5658
5659 if (!strcmp(name, "current"))
5660 sid = __tsec->sid;
5661 else if (!strcmp(name, "prev"))
5662 sid = __tsec->osid;
5663 else if (!strcmp(name, "exec"))
5664 sid = __tsec->exec_sid;
5665 else if (!strcmp(name, "fscreate"))
5666 sid = __tsec->create_sid;
5667 else if (!strcmp(name, "keycreate"))
5668 sid = __tsec->keycreate_sid;
5669 else if (!strcmp(name, "sockcreate"))
5670 sid = __tsec->sockcreate_sid;
5671 else
5672 goto invalid;
5673 rcu_read_unlock();
5674
5675 if (!sid)
5676 return 0;
5677
5678 error = security_sid_to_context(sid, value, &len);
5679 if (error)
5680 return error;
5681 return len;
5682
5683 invalid:
5684 rcu_read_unlock();
5685 return -EINVAL;
5686 }
5687
selinux_setprocattr(struct task_struct * p,char * name,void * value,size_t size)5688 static int selinux_setprocattr(struct task_struct *p,
5689 char *name, void *value, size_t size)
5690 {
5691 struct task_security_struct *tsec;
5692 struct task_struct *tracer;
5693 struct cred *new;
5694 u32 sid = 0, ptsid;
5695 int error;
5696 char *str = value;
5697
5698 if (current != p) {
5699 /* SELinux only allows a process to change its own
5700 security attributes. */
5701 return -EACCES;
5702 }
5703
5704 /*
5705 * Basic control over ability to set these attributes at all.
5706 * current == p, but we'll pass them separately in case the
5707 * above restriction is ever removed.
5708 */
5709 if (!strcmp(name, "exec"))
5710 error = current_has_perm(p, PROCESS__SETEXEC);
5711 else if (!strcmp(name, "fscreate"))
5712 error = current_has_perm(p, PROCESS__SETFSCREATE);
5713 else if (!strcmp(name, "keycreate"))
5714 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5715 else if (!strcmp(name, "sockcreate"))
5716 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5717 else if (!strcmp(name, "current"))
5718 error = current_has_perm(p, PROCESS__SETCURRENT);
5719 else
5720 error = -EINVAL;
5721 if (error)
5722 return error;
5723
5724 /* Obtain a SID for the context, if one was specified. */
5725 if (size && str[0] && str[0] != '\n') {
5726 if (str[size-1] == '\n') {
5727 str[size-1] = 0;
5728 size--;
5729 }
5730 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5731 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5732 if (!capable(CAP_MAC_ADMIN)) {
5733 struct audit_buffer *ab;
5734 size_t audit_size;
5735
5736 /* We strip a nul only if it is at the end, otherwise the
5737 * context contains a nul and we should audit that */
5738 if (str[size - 1] == '\0')
5739 audit_size = size - 1;
5740 else
5741 audit_size = size;
5742 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5743 audit_log_format(ab, "op=fscreate invalid_context=");
5744 audit_log_n_untrustedstring(ab, value, audit_size);
5745 audit_log_end(ab);
5746
5747 return error;
5748 }
5749 error = security_context_to_sid_force(value, size,
5750 &sid);
5751 }
5752 if (error)
5753 return error;
5754 }
5755
5756 new = prepare_creds();
5757 if (!new)
5758 return -ENOMEM;
5759
5760 /* Permission checking based on the specified context is
5761 performed during the actual operation (execve,
5762 open/mkdir/...), when we know the full context of the
5763 operation. See selinux_bprm_set_creds for the execve
5764 checks and may_create for the file creation checks. The
5765 operation will then fail if the context is not permitted. */
5766 tsec = new->security;
5767 if (!strcmp(name, "exec")) {
5768 tsec->exec_sid = sid;
5769 } else if (!strcmp(name, "fscreate")) {
5770 tsec->create_sid = sid;
5771 } else if (!strcmp(name, "keycreate")) {
5772 error = may_create_key(sid, p);
5773 if (error)
5774 goto abort_change;
5775 tsec->keycreate_sid = sid;
5776 } else if (!strcmp(name, "sockcreate")) {
5777 tsec->sockcreate_sid = sid;
5778 } else if (!strcmp(name, "current")) {
5779 error = -EINVAL;
5780 if (sid == 0)
5781 goto abort_change;
5782
5783 /* Only allow single threaded processes to change context */
5784 error = -EPERM;
5785 if (!current_is_single_threaded()) {
5786 error = security_bounded_transition(tsec->sid, sid);
5787 if (error)
5788 goto abort_change;
5789 }
5790
5791 /* Check permissions for the transition. */
5792 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5793 PROCESS__DYNTRANSITION, NULL);
5794 if (error)
5795 goto abort_change;
5796
5797 /* Check for ptracing, and update the task SID if ok.
5798 Otherwise, leave SID unchanged and fail. */
5799 ptsid = 0;
5800 rcu_read_lock();
5801 tracer = ptrace_parent(p);
5802 if (tracer)
5803 ptsid = task_sid(tracer);
5804 rcu_read_unlock();
5805
5806 if (tracer) {
5807 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5808 PROCESS__PTRACE, NULL);
5809 if (error)
5810 goto abort_change;
5811 }
5812
5813 tsec->sid = sid;
5814 } else {
5815 error = -EINVAL;
5816 goto abort_change;
5817 }
5818
5819 commit_creds(new);
5820 return size;
5821
5822 abort_change:
5823 abort_creds(new);
5824 return error;
5825 }
5826
selinux_ismaclabel(const char * name)5827 static int selinux_ismaclabel(const char *name)
5828 {
5829 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5830 }
5831
selinux_secid_to_secctx(u32 secid,char ** secdata,u32 * seclen)5832 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5833 {
5834 return security_sid_to_context(secid, secdata, seclen);
5835 }
5836
selinux_secctx_to_secid(const char * secdata,u32 seclen,u32 * secid)5837 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5838 {
5839 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5840 }
5841
selinux_release_secctx(char * secdata,u32 seclen)5842 static void selinux_release_secctx(char *secdata, u32 seclen)
5843 {
5844 kfree(secdata);
5845 }
5846
5847 /*
5848 * called with inode->i_mutex locked
5849 */
selinux_inode_notifysecctx(struct inode * inode,void * ctx,u32 ctxlen)5850 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5851 {
5852 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5853 }
5854
5855 /*
5856 * called with inode->i_mutex locked
5857 */
selinux_inode_setsecctx(struct dentry * dentry,void * ctx,u32 ctxlen)5858 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5859 {
5860 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5861 }
5862
selinux_inode_getsecctx(struct inode * inode,void ** ctx,u32 * ctxlen)5863 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5864 {
5865 int len = 0;
5866 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5867 ctx, true);
5868 if (len < 0)
5869 return len;
5870 *ctxlen = len;
5871 return 0;
5872 }
5873 #ifdef CONFIG_KEYS
5874
selinux_key_alloc(struct key * k,const struct cred * cred,unsigned long flags)5875 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5876 unsigned long flags)
5877 {
5878 const struct task_security_struct *tsec;
5879 struct key_security_struct *ksec;
5880
5881 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5882 if (!ksec)
5883 return -ENOMEM;
5884
5885 tsec = cred->security;
5886 if (tsec->keycreate_sid)
5887 ksec->sid = tsec->keycreate_sid;
5888 else
5889 ksec->sid = tsec->sid;
5890
5891 k->security = ksec;
5892 return 0;
5893 }
5894
selinux_key_free(struct key * k)5895 static void selinux_key_free(struct key *k)
5896 {
5897 struct key_security_struct *ksec = k->security;
5898
5899 k->security = NULL;
5900 kfree(ksec);
5901 }
5902
selinux_key_permission(key_ref_t key_ref,const struct cred * cred,unsigned perm)5903 static int selinux_key_permission(key_ref_t key_ref,
5904 const struct cred *cred,
5905 unsigned perm)
5906 {
5907 struct key *key;
5908 struct key_security_struct *ksec;
5909 u32 sid;
5910
5911 /* if no specific permissions are requested, we skip the
5912 permission check. No serious, additional covert channels
5913 appear to be created. */
5914 if (perm == 0)
5915 return 0;
5916
5917 sid = cred_sid(cred);
5918
5919 key = key_ref_to_ptr(key_ref);
5920 ksec = key->security;
5921
5922 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5923 }
5924
selinux_key_getsecurity(struct key * key,char ** _buffer)5925 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5926 {
5927 struct key_security_struct *ksec = key->security;
5928 char *context = NULL;
5929 unsigned len;
5930 int rc;
5931
5932 rc = security_sid_to_context(ksec->sid, &context, &len);
5933 if (!rc)
5934 rc = len;
5935 *_buffer = context;
5936 return rc;
5937 }
5938
5939 #endif
5940
5941 static struct security_operations selinux_ops = {
5942 .name = "selinux",
5943
5944 .binder_set_context_mgr = selinux_binder_set_context_mgr,
5945 .binder_transaction = selinux_binder_transaction,
5946 .binder_transfer_binder = selinux_binder_transfer_binder,
5947 .binder_transfer_file = selinux_binder_transfer_file,
5948
5949 .ptrace_access_check = selinux_ptrace_access_check,
5950 .ptrace_traceme = selinux_ptrace_traceme,
5951 .capget = selinux_capget,
5952 .capset = selinux_capset,
5953 .capable = selinux_capable,
5954 .quotactl = selinux_quotactl,
5955 .quota_on = selinux_quota_on,
5956 .syslog = selinux_syslog,
5957 .vm_enough_memory = selinux_vm_enough_memory,
5958
5959 .netlink_send = selinux_netlink_send,
5960
5961 .bprm_set_creds = selinux_bprm_set_creds,
5962 .bprm_committing_creds = selinux_bprm_committing_creds,
5963 .bprm_committed_creds = selinux_bprm_committed_creds,
5964 .bprm_secureexec = selinux_bprm_secureexec,
5965
5966 .sb_alloc_security = selinux_sb_alloc_security,
5967 .sb_free_security = selinux_sb_free_security,
5968 .sb_copy_data = selinux_sb_copy_data,
5969 .sb_remount = selinux_sb_remount,
5970 .sb_kern_mount = selinux_sb_kern_mount,
5971 .sb_show_options = selinux_sb_show_options,
5972 .sb_statfs = selinux_sb_statfs,
5973 .sb_mount = selinux_mount,
5974 .sb_umount = selinux_umount,
5975 .sb_set_mnt_opts = selinux_set_mnt_opts,
5976 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5977 .sb_parse_opts_str = selinux_parse_opts_str,
5978
5979 .dentry_init_security = selinux_dentry_init_security,
5980
5981 .inode_alloc_security = selinux_inode_alloc_security,
5982 .inode_free_security = selinux_inode_free_security,
5983 .inode_init_security = selinux_inode_init_security,
5984 .inode_create = selinux_inode_create,
5985 .inode_link = selinux_inode_link,
5986 .inode_unlink = selinux_inode_unlink,
5987 .inode_symlink = selinux_inode_symlink,
5988 .inode_mkdir = selinux_inode_mkdir,
5989 .inode_rmdir = selinux_inode_rmdir,
5990 .inode_mknod = selinux_inode_mknod,
5991 .inode_rename = selinux_inode_rename,
5992 .inode_readlink = selinux_inode_readlink,
5993 .inode_follow_link = selinux_inode_follow_link,
5994 .inode_permission = selinux_inode_permission,
5995 .inode_setattr = selinux_inode_setattr,
5996 .inode_getattr = selinux_inode_getattr,
5997 .inode_setxattr = selinux_inode_setxattr,
5998 .inode_post_setxattr = selinux_inode_post_setxattr,
5999 .inode_getxattr = selinux_inode_getxattr,
6000 .inode_listxattr = selinux_inode_listxattr,
6001 .inode_removexattr = selinux_inode_removexattr,
6002 .inode_getsecurity = selinux_inode_getsecurity,
6003 .inode_setsecurity = selinux_inode_setsecurity,
6004 .inode_listsecurity = selinux_inode_listsecurity,
6005 .inode_getsecid = selinux_inode_getsecid,
6006
6007 .file_permission = selinux_file_permission,
6008 .file_alloc_security = selinux_file_alloc_security,
6009 .file_free_security = selinux_file_free_security,
6010 .file_ioctl = selinux_file_ioctl,
6011 .mmap_file = selinux_mmap_file,
6012 .mmap_addr = selinux_mmap_addr,
6013 .file_mprotect = selinux_file_mprotect,
6014 .file_lock = selinux_file_lock,
6015 .file_fcntl = selinux_file_fcntl,
6016 .file_set_fowner = selinux_file_set_fowner,
6017 .file_send_sigiotask = selinux_file_send_sigiotask,
6018 .file_receive = selinux_file_receive,
6019
6020 .file_open = selinux_file_open,
6021
6022 .task_create = selinux_task_create,
6023 .cred_alloc_blank = selinux_cred_alloc_blank,
6024 .cred_free = selinux_cred_free,
6025 .cred_prepare = selinux_cred_prepare,
6026 .cred_transfer = selinux_cred_transfer,
6027 .kernel_act_as = selinux_kernel_act_as,
6028 .kernel_create_files_as = selinux_kernel_create_files_as,
6029 .kernel_module_request = selinux_kernel_module_request,
6030 .kernel_module_from_file = selinux_kernel_module_from_file,
6031 .task_setpgid = selinux_task_setpgid,
6032 .task_getpgid = selinux_task_getpgid,
6033 .task_getsid = selinux_task_getsid,
6034 .task_getsecid = selinux_task_getsecid,
6035 .task_setnice = selinux_task_setnice,
6036 .task_setioprio = selinux_task_setioprio,
6037 .task_getioprio = selinux_task_getioprio,
6038 .task_setrlimit = selinux_task_setrlimit,
6039 .task_setscheduler = selinux_task_setscheduler,
6040 .task_getscheduler = selinux_task_getscheduler,
6041 .task_movememory = selinux_task_movememory,
6042 .task_kill = selinux_task_kill,
6043 .task_wait = selinux_task_wait,
6044 .task_to_inode = selinux_task_to_inode,
6045
6046 .ipc_permission = selinux_ipc_permission,
6047 .ipc_getsecid = selinux_ipc_getsecid,
6048
6049 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
6050 .msg_msg_free_security = selinux_msg_msg_free_security,
6051
6052 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
6053 .msg_queue_free_security = selinux_msg_queue_free_security,
6054 .msg_queue_associate = selinux_msg_queue_associate,
6055 .msg_queue_msgctl = selinux_msg_queue_msgctl,
6056 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
6057 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
6058
6059 .shm_alloc_security = selinux_shm_alloc_security,
6060 .shm_free_security = selinux_shm_free_security,
6061 .shm_associate = selinux_shm_associate,
6062 .shm_shmctl = selinux_shm_shmctl,
6063 .shm_shmat = selinux_shm_shmat,
6064
6065 .sem_alloc_security = selinux_sem_alloc_security,
6066 .sem_free_security = selinux_sem_free_security,
6067 .sem_associate = selinux_sem_associate,
6068 .sem_semctl = selinux_sem_semctl,
6069 .sem_semop = selinux_sem_semop,
6070
6071 .d_instantiate = selinux_d_instantiate,
6072
6073 .getprocattr = selinux_getprocattr,
6074 .setprocattr = selinux_setprocattr,
6075
6076 .ismaclabel = selinux_ismaclabel,
6077 .secid_to_secctx = selinux_secid_to_secctx,
6078 .secctx_to_secid = selinux_secctx_to_secid,
6079 .release_secctx = selinux_release_secctx,
6080 .inode_notifysecctx = selinux_inode_notifysecctx,
6081 .inode_setsecctx = selinux_inode_setsecctx,
6082 .inode_getsecctx = selinux_inode_getsecctx,
6083
6084 .unix_stream_connect = selinux_socket_unix_stream_connect,
6085 .unix_may_send = selinux_socket_unix_may_send,
6086
6087 .socket_create = selinux_socket_create,
6088 .socket_post_create = selinux_socket_post_create,
6089 .socket_bind = selinux_socket_bind,
6090 .socket_connect = selinux_socket_connect,
6091 .socket_listen = selinux_socket_listen,
6092 .socket_accept = selinux_socket_accept,
6093 .socket_sendmsg = selinux_socket_sendmsg,
6094 .socket_recvmsg = selinux_socket_recvmsg,
6095 .socket_getsockname = selinux_socket_getsockname,
6096 .socket_getpeername = selinux_socket_getpeername,
6097 .socket_getsockopt = selinux_socket_getsockopt,
6098 .socket_setsockopt = selinux_socket_setsockopt,
6099 .socket_shutdown = selinux_socket_shutdown,
6100 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
6101 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
6102 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
6103 .sk_alloc_security = selinux_sk_alloc_security,
6104 .sk_free_security = selinux_sk_free_security,
6105 .sk_clone_security = selinux_sk_clone_security,
6106 .sk_getsecid = selinux_sk_getsecid,
6107 .sock_graft = selinux_sock_graft,
6108 .inet_conn_request = selinux_inet_conn_request,
6109 .inet_csk_clone = selinux_inet_csk_clone,
6110 .inet_conn_established = selinux_inet_conn_established,
6111 .secmark_relabel_packet = selinux_secmark_relabel_packet,
6112 .secmark_refcount_inc = selinux_secmark_refcount_inc,
6113 .secmark_refcount_dec = selinux_secmark_refcount_dec,
6114 .req_classify_flow = selinux_req_classify_flow,
6115 .tun_dev_alloc_security = selinux_tun_dev_alloc_security,
6116 .tun_dev_free_security = selinux_tun_dev_free_security,
6117 .tun_dev_create = selinux_tun_dev_create,
6118 .tun_dev_attach_queue = selinux_tun_dev_attach_queue,
6119 .tun_dev_attach = selinux_tun_dev_attach,
6120 .tun_dev_open = selinux_tun_dev_open,
6121 .skb_owned_by = selinux_skb_owned_by,
6122
6123 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6124 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
6125 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
6126 .xfrm_policy_free_security = selinux_xfrm_policy_free,
6127 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
6128 .xfrm_state_alloc = selinux_xfrm_state_alloc,
6129 .xfrm_state_alloc_acquire = selinux_xfrm_state_alloc_acquire,
6130 .xfrm_state_free_security = selinux_xfrm_state_free,
6131 .xfrm_state_delete_security = selinux_xfrm_state_delete,
6132 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
6133 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
6134 .xfrm_decode_session = selinux_xfrm_decode_session,
6135 #endif
6136
6137 #ifdef CONFIG_KEYS
6138 .key_alloc = selinux_key_alloc,
6139 .key_free = selinux_key_free,
6140 .key_permission = selinux_key_permission,
6141 .key_getsecurity = selinux_key_getsecurity,
6142 #endif
6143
6144 #ifdef CONFIG_AUDIT
6145 .audit_rule_init = selinux_audit_rule_init,
6146 .audit_rule_known = selinux_audit_rule_known,
6147 .audit_rule_match = selinux_audit_rule_match,
6148 .audit_rule_free = selinux_audit_rule_free,
6149 #endif
6150 };
6151
selinux_init(void)6152 static __init int selinux_init(void)
6153 {
6154 if (!security_module_enable(&selinux_ops)) {
6155 selinux_enabled = 0;
6156 return 0;
6157 }
6158
6159 if (!selinux_enabled) {
6160 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6161 return 0;
6162 }
6163
6164 printk(KERN_INFO "SELinux: Initializing.\n");
6165
6166 /* Set the security state for the initial task. */
6167 cred_init_security();
6168
6169 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6170
6171 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6172 sizeof(struct inode_security_struct),
6173 0, SLAB_PANIC, NULL);
6174 avc_init();
6175
6176 if (register_security(&selinux_ops))
6177 panic("SELinux: Unable to register with kernel.\n");
6178
6179 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6180 panic("SELinux: Unable to register AVC netcache callback\n");
6181
6182 if (selinux_enforcing)
6183 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6184 else
6185 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6186
6187 return 0;
6188 }
6189
delayed_superblock_init(struct super_block * sb,void * unused)6190 static void delayed_superblock_init(struct super_block *sb, void *unused)
6191 {
6192 superblock_doinit(sb, NULL);
6193 }
6194
selinux_complete_init(void)6195 void selinux_complete_init(void)
6196 {
6197 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6198
6199 /* Set up any superblocks initialized prior to the policy load. */
6200 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6201 iterate_supers(delayed_superblock_init, NULL);
6202 }
6203
6204 /* SELinux requires early initialization in order to label
6205 all processes and objects when they are created. */
6206 security_initcall(selinux_init);
6207
6208 #if defined(CONFIG_NETFILTER)
6209
6210 static struct nf_hook_ops selinux_nf_ops[] = {
6211 {
6212 .hook = selinux_ipv4_postroute,
6213 .owner = THIS_MODULE,
6214 .pf = NFPROTO_IPV4,
6215 .hooknum = NF_INET_POST_ROUTING,
6216 .priority = NF_IP_PRI_SELINUX_LAST,
6217 },
6218 {
6219 .hook = selinux_ipv4_forward,
6220 .owner = THIS_MODULE,
6221 .pf = NFPROTO_IPV4,
6222 .hooknum = NF_INET_FORWARD,
6223 .priority = NF_IP_PRI_SELINUX_FIRST,
6224 },
6225 {
6226 .hook = selinux_ipv4_output,
6227 .owner = THIS_MODULE,
6228 .pf = NFPROTO_IPV4,
6229 .hooknum = NF_INET_LOCAL_OUT,
6230 .priority = NF_IP_PRI_SELINUX_FIRST,
6231 },
6232 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6233 {
6234 .hook = selinux_ipv6_postroute,
6235 .owner = THIS_MODULE,
6236 .pf = NFPROTO_IPV6,
6237 .hooknum = NF_INET_POST_ROUTING,
6238 .priority = NF_IP6_PRI_SELINUX_LAST,
6239 },
6240 {
6241 .hook = selinux_ipv6_forward,
6242 .owner = THIS_MODULE,
6243 .pf = NFPROTO_IPV6,
6244 .hooknum = NF_INET_FORWARD,
6245 .priority = NF_IP6_PRI_SELINUX_FIRST,
6246 },
6247 #endif /* IPV6 */
6248 };
6249
selinux_nf_ip_init(void)6250 static int __init selinux_nf_ip_init(void)
6251 {
6252 int err;
6253
6254 if (!selinux_enabled)
6255 return 0;
6256
6257 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6258
6259 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6260 if (err)
6261 panic("SELinux: nf_register_hooks: error %d\n", err);
6262
6263 return 0;
6264 }
6265
6266 __initcall(selinux_nf_ip_init);
6267
6268 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
selinux_nf_ip_exit(void)6269 static void selinux_nf_ip_exit(void)
6270 {
6271 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6272
6273 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6274 }
6275 #endif
6276
6277 #else /* CONFIG_NETFILTER */
6278
6279 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6280 #define selinux_nf_ip_exit()
6281 #endif
6282
6283 #endif /* CONFIG_NETFILTER */
6284
6285 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6286 static int selinux_disabled;
6287
selinux_disable(void)6288 int selinux_disable(void)
6289 {
6290 if (ss_initialized) {
6291 /* Not permitted after initial policy load. */
6292 return -EINVAL;
6293 }
6294
6295 if (selinux_disabled) {
6296 /* Only do this once. */
6297 return -EINVAL;
6298 }
6299
6300 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6301
6302 selinux_disabled = 1;
6303 selinux_enabled = 0;
6304
6305 reset_security_ops();
6306
6307 /* Try to destroy the avc node cache */
6308 avc_disable();
6309
6310 /* Unregister netfilter hooks. */
6311 selinux_nf_ip_exit();
6312
6313 /* Unregister selinuxfs. */
6314 exit_sel_fs();
6315
6316 return 0;
6317 }
6318 #endif
6319