1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
55 #include <net/inet_connection_sock.h>
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
86
87 #include "avc.h"
88 #include "objsec.h"
89 #include "netif.h"
90 #include "netnode.h"
91 #include "netport.h"
92 #include "xfrm.h"
93 #include "netlabel.h"
94 #include "audit.h"
95 #include "avc_ss.h"
96
97 /* SECMARK reference count */
98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102
enforcing_setup(char * str)103 static int __init enforcing_setup(char *str)
104 {
105 unsigned long enforcing;
106 if (!kstrtoul(str, 0, &enforcing))
107 selinux_enforcing = enforcing ? 1 : 0;
108 return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
selinux_enabled_setup(char * str)116 static int __init selinux_enabled_setup(char *str)
117 {
118 unsigned long enabled;
119 if (!kstrtoul(str, 0, &enabled))
120 selinux_enabled = enabled ? 1 : 0;
121 return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127
128 static struct kmem_cache *sel_inode_cache;
129 static struct kmem_cache *file_security_cache;
130
131 /**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
140 *
141 */
selinux_secmark_enabled(void)142 static int selinux_secmark_enabled(void)
143 {
144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145 }
146
147 /**
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149 *
150 * Description:
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
155 *
156 */
selinux_peerlbl_enabled(void)157 static int selinux_peerlbl_enabled(void)
158 {
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
160 }
161
selinux_netcache_avc_callback(u32 event)162 static int selinux_netcache_avc_callback(u32 event)
163 {
164 if (event == AVC_CALLBACK_RESET) {
165 sel_netif_flush();
166 sel_netnode_flush();
167 sel_netport_flush();
168 synchronize_net();
169 }
170 return 0;
171 }
172
173 /*
174 * initialise the security for the init task
175 */
cred_init_security(void)176 static void cred_init_security(void)
177 {
178 struct cred *cred = (struct cred *) current->real_cred;
179 struct task_security_struct *tsec;
180
181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
182 if (!tsec)
183 panic("SELinux: Failed to initialize initial task.\n");
184
185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
186 cred->security = tsec;
187 }
188
189 /*
190 * get the security ID of a set of credentials
191 */
cred_sid(const struct cred * cred)192 static inline u32 cred_sid(const struct cred *cred)
193 {
194 const struct task_security_struct *tsec;
195
196 tsec = cred->security;
197 return tsec->sid;
198 }
199
200 /*
201 * get the objective security ID of a task
202 */
task_sid(const struct task_struct * task)203 static inline u32 task_sid(const struct task_struct *task)
204 {
205 u32 sid;
206
207 rcu_read_lock();
208 sid = cred_sid(__task_cred(task));
209 rcu_read_unlock();
210 return sid;
211 }
212
213 /*
214 * get the subjective security ID of the current task
215 */
current_sid(void)216 static inline u32 current_sid(void)
217 {
218 const struct task_security_struct *tsec = current_security();
219
220 return tsec->sid;
221 }
222
223 /* Allocate and free functions for each kind of security blob. */
224
inode_alloc_security(struct inode * inode)225 static int inode_alloc_security(struct inode *inode)
226 {
227 struct inode_security_struct *isec;
228 u32 sid = current_sid();
229
230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
231 if (!isec)
232 return -ENOMEM;
233
234 mutex_init(&isec->lock);
235 INIT_LIST_HEAD(&isec->list);
236 isec->inode = inode;
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
239 isec->task_sid = sid;
240 inode->i_security = isec;
241
242 return 0;
243 }
244
inode_free_rcu(struct rcu_head * head)245 static void inode_free_rcu(struct rcu_head *head)
246 {
247 struct inode_security_struct *isec;
248
249 isec = container_of(head, struct inode_security_struct, rcu);
250 kmem_cache_free(sel_inode_cache, isec);
251 }
252
inode_free_security(struct inode * inode)253 static void inode_free_security(struct inode *inode)
254 {
255 struct inode_security_struct *isec = inode->i_security;
256 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
257
258 /*
259 * As not all inode security structures are in a list, we check for
260 * empty list outside of the lock to make sure that we won't waste
261 * time taking a lock doing nothing.
262 *
263 * The list_del_init() function can be safely called more than once.
264 * It should not be possible for this function to be called with
265 * concurrent list_add(), but for better safety against future changes
266 * in the code, we use list_empty_careful() here.
267 */
268 if (!list_empty_careful(&isec->list)) {
269 spin_lock(&sbsec->isec_lock);
270 list_del_init(&isec->list);
271 spin_unlock(&sbsec->isec_lock);
272 }
273
274 /*
275 * The inode may still be referenced in a path walk and
276 * a call to selinux_inode_permission() can be made
277 * after inode_free_security() is called. Ideally, the VFS
278 * wouldn't do this, but fixing that is a much harder
279 * job. For now, simply free the i_security via RCU, and
280 * leave the current inode->i_security pointer intact.
281 * The inode will be freed after the RCU grace period too.
282 */
283 call_rcu(&isec->rcu, inode_free_rcu);
284 }
285
file_alloc_security(struct file * file)286 static int file_alloc_security(struct file *file)
287 {
288 struct file_security_struct *fsec;
289 u32 sid = current_sid();
290
291 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
292 if (!fsec)
293 return -ENOMEM;
294
295 fsec->sid = sid;
296 fsec->fown_sid = sid;
297 file->f_security = fsec;
298
299 return 0;
300 }
301
file_free_security(struct file * file)302 static void file_free_security(struct file *file)
303 {
304 struct file_security_struct *fsec = file->f_security;
305 file->f_security = NULL;
306 kmem_cache_free(file_security_cache, fsec);
307 }
308
superblock_alloc_security(struct super_block * sb)309 static int superblock_alloc_security(struct super_block *sb)
310 {
311 struct superblock_security_struct *sbsec;
312
313 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
314 if (!sbsec)
315 return -ENOMEM;
316
317 mutex_init(&sbsec->lock);
318 INIT_LIST_HEAD(&sbsec->isec_head);
319 spin_lock_init(&sbsec->isec_lock);
320 sbsec->sb = sb;
321 sbsec->sid = SECINITSID_UNLABELED;
322 sbsec->def_sid = SECINITSID_FILE;
323 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
324 sb->s_security = sbsec;
325
326 return 0;
327 }
328
superblock_free_security(struct super_block * sb)329 static void superblock_free_security(struct super_block *sb)
330 {
331 struct superblock_security_struct *sbsec = sb->s_security;
332 sb->s_security = NULL;
333 kfree(sbsec);
334 }
335
336 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
337
inode_doinit(struct inode * inode)338 static inline int inode_doinit(struct inode *inode)
339 {
340 return inode_doinit_with_dentry(inode, NULL);
341 }
342
343 enum {
344 Opt_error = -1,
345 Opt_context = 1,
346 Opt_fscontext = 2,
347 Opt_defcontext = 3,
348 Opt_rootcontext = 4,
349 Opt_labelsupport = 5,
350 Opt_nextmntopt = 6,
351 };
352
353 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
354
355 static const match_table_t tokens = {
356 {Opt_context, CONTEXT_STR "%s"},
357 {Opt_fscontext, FSCONTEXT_STR "%s"},
358 {Opt_defcontext, DEFCONTEXT_STR "%s"},
359 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
360 {Opt_labelsupport, LABELSUPP_STR},
361 {Opt_error, NULL},
362 };
363
364 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
365
may_context_mount_sb_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)366 static int may_context_mount_sb_relabel(u32 sid,
367 struct superblock_security_struct *sbsec,
368 const struct cred *cred)
369 {
370 const struct task_security_struct *tsec = cred->security;
371 int rc;
372
373 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
374 FILESYSTEM__RELABELFROM, NULL);
375 if (rc)
376 return rc;
377
378 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
379 FILESYSTEM__RELABELTO, NULL);
380 return rc;
381 }
382
may_context_mount_inode_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)383 static int may_context_mount_inode_relabel(u32 sid,
384 struct superblock_security_struct *sbsec,
385 const struct cred *cred)
386 {
387 const struct task_security_struct *tsec = cred->security;
388 int rc;
389 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
390 FILESYSTEM__RELABELFROM, NULL);
391 if (rc)
392 return rc;
393
394 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
395 FILESYSTEM__ASSOCIATE, NULL);
396 return rc;
397 }
398
selinux_is_genfs_special_handling(struct super_block * sb)399 static int selinux_is_genfs_special_handling(struct super_block *sb)
400 {
401 /* Special handling. Genfs but also in-core setxattr handler */
402 return !strcmp(sb->s_type->name, "sysfs") ||
403 !strcmp(sb->s_type->name, "pstore") ||
404 !strcmp(sb->s_type->name, "debugfs") ||
405 !strcmp(sb->s_type->name, "tracefs") ||
406 !strcmp(sb->s_type->name, "rootfs");
407 }
408
selinux_is_sblabel_mnt(struct super_block * sb)409 static int selinux_is_sblabel_mnt(struct super_block *sb)
410 {
411 struct superblock_security_struct *sbsec = sb->s_security;
412
413 /*
414 * IMPORTANT: Double-check logic in this function when adding a new
415 * SECURITY_FS_USE_* definition!
416 */
417 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
418
419 switch (sbsec->behavior) {
420 case SECURITY_FS_USE_XATTR:
421 case SECURITY_FS_USE_TRANS:
422 case SECURITY_FS_USE_TASK:
423 case SECURITY_FS_USE_NATIVE:
424 return 1;
425
426 case SECURITY_FS_USE_GENFS:
427 return selinux_is_genfs_special_handling(sb);
428
429 /* Never allow relabeling on context mounts */
430 case SECURITY_FS_USE_MNTPOINT:
431 case SECURITY_FS_USE_NONE:
432 default:
433 return 0;
434 }
435 }
436
sb_finish_set_opts(struct super_block * sb)437 static int sb_finish_set_opts(struct super_block *sb)
438 {
439 struct superblock_security_struct *sbsec = sb->s_security;
440 struct dentry *root = sb->s_root;
441 struct inode *root_inode = d_backing_inode(root);
442 int rc = 0;
443
444 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
445 /* Make sure that the xattr handler exists and that no
446 error other than -ENODATA is returned by getxattr on
447 the root directory. -ENODATA is ok, as this may be
448 the first boot of the SELinux kernel before we have
449 assigned xattr values to the filesystem. */
450 if (!root_inode->i_op->getxattr) {
451 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
452 "xattr support\n", sb->s_id, sb->s_type->name);
453 rc = -EOPNOTSUPP;
454 goto out;
455 }
456 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
457 if (rc < 0 && rc != -ENODATA) {
458 if (rc == -EOPNOTSUPP)
459 printk(KERN_WARNING "SELinux: (dev %s, type "
460 "%s) has no security xattr handler\n",
461 sb->s_id, sb->s_type->name);
462 else
463 printk(KERN_WARNING "SELinux: (dev %s, type "
464 "%s) getxattr errno %d\n", sb->s_id,
465 sb->s_type->name, -rc);
466 goto out;
467 }
468 }
469
470 sbsec->flags |= SE_SBINITIALIZED;
471 if (selinux_is_sblabel_mnt(sb))
472 sbsec->flags |= SBLABEL_MNT;
473
474 /* Initialize the root inode. */
475 rc = inode_doinit_with_dentry(root_inode, root);
476
477 /* Initialize any other inodes associated with the superblock, e.g.
478 inodes created prior to initial policy load or inodes created
479 during get_sb by a pseudo filesystem that directly
480 populates itself. */
481 spin_lock(&sbsec->isec_lock);
482 next_inode:
483 if (!list_empty(&sbsec->isec_head)) {
484 struct inode_security_struct *isec =
485 list_entry(sbsec->isec_head.next,
486 struct inode_security_struct, list);
487 struct inode *inode = isec->inode;
488 list_del_init(&isec->list);
489 spin_unlock(&sbsec->isec_lock);
490 inode = igrab(inode);
491 if (inode) {
492 if (!IS_PRIVATE(inode))
493 inode_doinit(inode);
494 iput(inode);
495 }
496 spin_lock(&sbsec->isec_lock);
497 goto next_inode;
498 }
499 spin_unlock(&sbsec->isec_lock);
500 out:
501 return rc;
502 }
503
504 /*
505 * This function should allow an FS to ask what it's mount security
506 * options were so it can use those later for submounts, displaying
507 * mount options, or whatever.
508 */
selinux_get_mnt_opts(const struct super_block * sb,struct security_mnt_opts * opts)509 static int selinux_get_mnt_opts(const struct super_block *sb,
510 struct security_mnt_opts *opts)
511 {
512 int rc = 0, i;
513 struct superblock_security_struct *sbsec = sb->s_security;
514 char *context = NULL;
515 u32 len;
516 char tmp;
517
518 security_init_mnt_opts(opts);
519
520 if (!(sbsec->flags & SE_SBINITIALIZED))
521 return -EINVAL;
522
523 if (!ss_initialized)
524 return -EINVAL;
525
526 /* make sure we always check enough bits to cover the mask */
527 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
528
529 tmp = sbsec->flags & SE_MNTMASK;
530 /* count the number of mount options for this sb */
531 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
532 if (tmp & 0x01)
533 opts->num_mnt_opts++;
534 tmp >>= 1;
535 }
536 /* Check if the Label support flag is set */
537 if (sbsec->flags & SBLABEL_MNT)
538 opts->num_mnt_opts++;
539
540 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
541 if (!opts->mnt_opts) {
542 rc = -ENOMEM;
543 goto out_free;
544 }
545
546 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
547 if (!opts->mnt_opts_flags) {
548 rc = -ENOMEM;
549 goto out_free;
550 }
551
552 i = 0;
553 if (sbsec->flags & FSCONTEXT_MNT) {
554 rc = security_sid_to_context(sbsec->sid, &context, &len);
555 if (rc)
556 goto out_free;
557 opts->mnt_opts[i] = context;
558 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
559 }
560 if (sbsec->flags & CONTEXT_MNT) {
561 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
562 if (rc)
563 goto out_free;
564 opts->mnt_opts[i] = context;
565 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
566 }
567 if (sbsec->flags & DEFCONTEXT_MNT) {
568 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
569 if (rc)
570 goto out_free;
571 opts->mnt_opts[i] = context;
572 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
573 }
574 if (sbsec->flags & ROOTCONTEXT_MNT) {
575 struct inode *root = d_backing_inode(sbsec->sb->s_root);
576 struct inode_security_struct *isec = root->i_security;
577
578 rc = security_sid_to_context(isec->sid, &context, &len);
579 if (rc)
580 goto out_free;
581 opts->mnt_opts[i] = context;
582 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
583 }
584 if (sbsec->flags & SBLABEL_MNT) {
585 opts->mnt_opts[i] = NULL;
586 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
587 }
588
589 BUG_ON(i != opts->num_mnt_opts);
590
591 return 0;
592
593 out_free:
594 security_free_mnt_opts(opts);
595 return rc;
596 }
597
bad_option(struct superblock_security_struct * sbsec,char flag,u32 old_sid,u32 new_sid)598 static int bad_option(struct superblock_security_struct *sbsec, char flag,
599 u32 old_sid, u32 new_sid)
600 {
601 char mnt_flags = sbsec->flags & SE_MNTMASK;
602
603 /* check if the old mount command had the same options */
604 if (sbsec->flags & SE_SBINITIALIZED)
605 if (!(sbsec->flags & flag) ||
606 (old_sid != new_sid))
607 return 1;
608
609 /* check if we were passed the same options twice,
610 * aka someone passed context=a,context=b
611 */
612 if (!(sbsec->flags & SE_SBINITIALIZED))
613 if (mnt_flags & flag)
614 return 1;
615 return 0;
616 }
617
618 /*
619 * Allow filesystems with binary mount data to explicitly set mount point
620 * labeling information.
621 */
selinux_set_mnt_opts(struct super_block * sb,struct security_mnt_opts * opts,unsigned long kern_flags,unsigned long * set_kern_flags)622 static int selinux_set_mnt_opts(struct super_block *sb,
623 struct security_mnt_opts *opts,
624 unsigned long kern_flags,
625 unsigned long *set_kern_flags)
626 {
627 const struct cred *cred = current_cred();
628 int rc = 0, i;
629 struct superblock_security_struct *sbsec = sb->s_security;
630 const char *name = sb->s_type->name;
631 struct inode *inode = d_backing_inode(sbsec->sb->s_root);
632 struct inode_security_struct *root_isec = inode->i_security;
633 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
634 u32 defcontext_sid = 0;
635 char **mount_options = opts->mnt_opts;
636 int *flags = opts->mnt_opts_flags;
637 int num_opts = opts->num_mnt_opts;
638
639 mutex_lock(&sbsec->lock);
640
641 if (!ss_initialized) {
642 if (!num_opts) {
643 /* Defer initialization until selinux_complete_init,
644 after the initial policy is loaded and the security
645 server is ready to handle calls. */
646 goto out;
647 }
648 rc = -EINVAL;
649 printk(KERN_WARNING "SELinux: Unable to set superblock options "
650 "before the security server is initialized\n");
651 goto out;
652 }
653 if (kern_flags && !set_kern_flags) {
654 /* Specifying internal flags without providing a place to
655 * place the results is not allowed */
656 rc = -EINVAL;
657 goto out;
658 }
659
660 /*
661 * Binary mount data FS will come through this function twice. Once
662 * from an explicit call and once from the generic calls from the vfs.
663 * Since the generic VFS calls will not contain any security mount data
664 * we need to skip the double mount verification.
665 *
666 * This does open a hole in which we will not notice if the first
667 * mount using this sb set explict options and a second mount using
668 * this sb does not set any security options. (The first options
669 * will be used for both mounts)
670 */
671 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
672 && (num_opts == 0))
673 goto out;
674
675 /*
676 * parse the mount options, check if they are valid sids.
677 * also check if someone is trying to mount the same sb more
678 * than once with different security options.
679 */
680 for (i = 0; i < num_opts; i++) {
681 u32 sid;
682
683 if (flags[i] == SBLABEL_MNT)
684 continue;
685 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
686 if (rc) {
687 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
688 "(%s) failed for (dev %s, type %s) errno=%d\n",
689 mount_options[i], sb->s_id, name, rc);
690 goto out;
691 }
692 switch (flags[i]) {
693 case FSCONTEXT_MNT:
694 fscontext_sid = sid;
695
696 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
697 fscontext_sid))
698 goto out_double_mount;
699
700 sbsec->flags |= FSCONTEXT_MNT;
701 break;
702 case CONTEXT_MNT:
703 context_sid = sid;
704
705 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
706 context_sid))
707 goto out_double_mount;
708
709 sbsec->flags |= CONTEXT_MNT;
710 break;
711 case ROOTCONTEXT_MNT:
712 rootcontext_sid = sid;
713
714 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
715 rootcontext_sid))
716 goto out_double_mount;
717
718 sbsec->flags |= ROOTCONTEXT_MNT;
719
720 break;
721 case DEFCONTEXT_MNT:
722 defcontext_sid = sid;
723
724 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
725 defcontext_sid))
726 goto out_double_mount;
727
728 sbsec->flags |= DEFCONTEXT_MNT;
729
730 break;
731 default:
732 rc = -EINVAL;
733 goto out;
734 }
735 }
736
737 if (sbsec->flags & SE_SBINITIALIZED) {
738 /* previously mounted with options, but not on this attempt? */
739 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
740 goto out_double_mount;
741 rc = 0;
742 goto out;
743 }
744
745 if (strcmp(sb->s_type->name, "proc") == 0)
746 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
747
748 if (!strcmp(sb->s_type->name, "debugfs") ||
749 !strcmp(sb->s_type->name, "tracefs") ||
750 !strcmp(sb->s_type->name, "sysfs") ||
751 !strcmp(sb->s_type->name, "pstore"))
752 sbsec->flags |= SE_SBGENFS;
753
754 if (!sbsec->behavior) {
755 /*
756 * Determine the labeling behavior to use for this
757 * filesystem type.
758 */
759 rc = security_fs_use(sb);
760 if (rc) {
761 printk(KERN_WARNING
762 "%s: security_fs_use(%s) returned %d\n",
763 __func__, sb->s_type->name, rc);
764 goto out;
765 }
766 }
767 /* sets the context of the superblock for the fs being mounted. */
768 if (fscontext_sid) {
769 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
770 if (rc)
771 goto out;
772
773 sbsec->sid = fscontext_sid;
774 }
775
776 /*
777 * Switch to using mount point labeling behavior.
778 * sets the label used on all file below the mountpoint, and will set
779 * the superblock context if not already set.
780 */
781 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
782 sbsec->behavior = SECURITY_FS_USE_NATIVE;
783 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
784 }
785
786 if (context_sid) {
787 if (!fscontext_sid) {
788 rc = may_context_mount_sb_relabel(context_sid, sbsec,
789 cred);
790 if (rc)
791 goto out;
792 sbsec->sid = context_sid;
793 } else {
794 rc = may_context_mount_inode_relabel(context_sid, sbsec,
795 cred);
796 if (rc)
797 goto out;
798 }
799 if (!rootcontext_sid)
800 rootcontext_sid = context_sid;
801
802 sbsec->mntpoint_sid = context_sid;
803 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
804 }
805
806 if (rootcontext_sid) {
807 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
808 cred);
809 if (rc)
810 goto out;
811
812 root_isec->sid = rootcontext_sid;
813 root_isec->initialized = 1;
814 }
815
816 if (defcontext_sid) {
817 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
818 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
819 rc = -EINVAL;
820 printk(KERN_WARNING "SELinux: defcontext option is "
821 "invalid for this filesystem type\n");
822 goto out;
823 }
824
825 if (defcontext_sid != sbsec->def_sid) {
826 rc = may_context_mount_inode_relabel(defcontext_sid,
827 sbsec, cred);
828 if (rc)
829 goto out;
830 }
831
832 sbsec->def_sid = defcontext_sid;
833 }
834
835 rc = sb_finish_set_opts(sb);
836 out:
837 mutex_unlock(&sbsec->lock);
838 return rc;
839 out_double_mount:
840 rc = -EINVAL;
841 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
842 "security settings for (dev %s, type %s)\n", sb->s_id, name);
843 goto out;
844 }
845
selinux_cmp_sb_context(const struct super_block * oldsb,const struct super_block * newsb)846 static int selinux_cmp_sb_context(const struct super_block *oldsb,
847 const struct super_block *newsb)
848 {
849 struct superblock_security_struct *old = oldsb->s_security;
850 struct superblock_security_struct *new = newsb->s_security;
851 char oldflags = old->flags & SE_MNTMASK;
852 char newflags = new->flags & SE_MNTMASK;
853
854 if (oldflags != newflags)
855 goto mismatch;
856 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
857 goto mismatch;
858 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
859 goto mismatch;
860 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
861 goto mismatch;
862 if (oldflags & ROOTCONTEXT_MNT) {
863 struct inode_security_struct *oldroot = d_backing_inode(oldsb->s_root)->i_security;
864 struct inode_security_struct *newroot = d_backing_inode(newsb->s_root)->i_security;
865 if (oldroot->sid != newroot->sid)
866 goto mismatch;
867 }
868 return 0;
869 mismatch:
870 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
871 "different security settings for (dev %s, "
872 "type %s)\n", newsb->s_id, newsb->s_type->name);
873 return -EBUSY;
874 }
875
selinux_sb_clone_mnt_opts(const struct super_block * oldsb,struct super_block * newsb)876 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
877 struct super_block *newsb)
878 {
879 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
880 struct superblock_security_struct *newsbsec = newsb->s_security;
881
882 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
883 int set_context = (oldsbsec->flags & CONTEXT_MNT);
884 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
885
886 /*
887 * if the parent was able to be mounted it clearly had no special lsm
888 * mount options. thus we can safely deal with this superblock later
889 */
890 if (!ss_initialized)
891 return 0;
892
893 /* how can we clone if the old one wasn't set up?? */
894 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
895
896 /* if fs is reusing a sb, make sure that the contexts match */
897 if (newsbsec->flags & SE_SBINITIALIZED)
898 return selinux_cmp_sb_context(oldsb, newsb);
899
900 mutex_lock(&newsbsec->lock);
901
902 newsbsec->flags = oldsbsec->flags;
903
904 newsbsec->sid = oldsbsec->sid;
905 newsbsec->def_sid = oldsbsec->def_sid;
906 newsbsec->behavior = oldsbsec->behavior;
907
908 if (set_context) {
909 u32 sid = oldsbsec->mntpoint_sid;
910
911 if (!set_fscontext)
912 newsbsec->sid = sid;
913 if (!set_rootcontext) {
914 struct inode *newinode = d_backing_inode(newsb->s_root);
915 struct inode_security_struct *newisec = newinode->i_security;
916 newisec->sid = sid;
917 }
918 newsbsec->mntpoint_sid = sid;
919 }
920 if (set_rootcontext) {
921 const struct inode *oldinode = d_backing_inode(oldsb->s_root);
922 const struct inode_security_struct *oldisec = oldinode->i_security;
923 struct inode *newinode = d_backing_inode(newsb->s_root);
924 struct inode_security_struct *newisec = newinode->i_security;
925
926 newisec->sid = oldisec->sid;
927 }
928
929 sb_finish_set_opts(newsb);
930 mutex_unlock(&newsbsec->lock);
931 return 0;
932 }
933
selinux_parse_opts_str(char * options,struct security_mnt_opts * opts)934 static int selinux_parse_opts_str(char *options,
935 struct security_mnt_opts *opts)
936 {
937 char *p;
938 char *context = NULL, *defcontext = NULL;
939 char *fscontext = NULL, *rootcontext = NULL;
940 int rc, num_mnt_opts = 0;
941
942 opts->num_mnt_opts = 0;
943
944 /* Standard string-based options. */
945 while ((p = strsep(&options, "|")) != NULL) {
946 int token;
947 substring_t args[MAX_OPT_ARGS];
948
949 if (!*p)
950 continue;
951
952 token = match_token(p, tokens, args);
953
954 switch (token) {
955 case Opt_context:
956 if (context || defcontext) {
957 rc = -EINVAL;
958 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
959 goto out_err;
960 }
961 context = match_strdup(&args[0]);
962 if (!context) {
963 rc = -ENOMEM;
964 goto out_err;
965 }
966 break;
967
968 case Opt_fscontext:
969 if (fscontext) {
970 rc = -EINVAL;
971 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
972 goto out_err;
973 }
974 fscontext = match_strdup(&args[0]);
975 if (!fscontext) {
976 rc = -ENOMEM;
977 goto out_err;
978 }
979 break;
980
981 case Opt_rootcontext:
982 if (rootcontext) {
983 rc = -EINVAL;
984 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
985 goto out_err;
986 }
987 rootcontext = match_strdup(&args[0]);
988 if (!rootcontext) {
989 rc = -ENOMEM;
990 goto out_err;
991 }
992 break;
993
994 case Opt_defcontext:
995 if (context || defcontext) {
996 rc = -EINVAL;
997 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
998 goto out_err;
999 }
1000 defcontext = match_strdup(&args[0]);
1001 if (!defcontext) {
1002 rc = -ENOMEM;
1003 goto out_err;
1004 }
1005 break;
1006 case Opt_labelsupport:
1007 break;
1008 default:
1009 rc = -EINVAL;
1010 printk(KERN_WARNING "SELinux: unknown mount option\n");
1011 goto out_err;
1012
1013 }
1014 }
1015
1016 rc = -ENOMEM;
1017 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1018 if (!opts->mnt_opts)
1019 goto out_err;
1020
1021 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1022 if (!opts->mnt_opts_flags) {
1023 kfree(opts->mnt_opts);
1024 goto out_err;
1025 }
1026
1027 if (fscontext) {
1028 opts->mnt_opts[num_mnt_opts] = fscontext;
1029 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1030 }
1031 if (context) {
1032 opts->mnt_opts[num_mnt_opts] = context;
1033 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1034 }
1035 if (rootcontext) {
1036 opts->mnt_opts[num_mnt_opts] = rootcontext;
1037 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1038 }
1039 if (defcontext) {
1040 opts->mnt_opts[num_mnt_opts] = defcontext;
1041 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1042 }
1043
1044 opts->num_mnt_opts = num_mnt_opts;
1045 return 0;
1046
1047 out_err:
1048 kfree(context);
1049 kfree(defcontext);
1050 kfree(fscontext);
1051 kfree(rootcontext);
1052 return rc;
1053 }
1054 /*
1055 * string mount options parsing and call set the sbsec
1056 */
superblock_doinit(struct super_block * sb,void * data)1057 static int superblock_doinit(struct super_block *sb, void *data)
1058 {
1059 int rc = 0;
1060 char *options = data;
1061 struct security_mnt_opts opts;
1062
1063 security_init_mnt_opts(&opts);
1064
1065 if (!data)
1066 goto out;
1067
1068 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1069
1070 rc = selinux_parse_opts_str(options, &opts);
1071 if (rc)
1072 goto out_err;
1073
1074 out:
1075 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1076
1077 out_err:
1078 security_free_mnt_opts(&opts);
1079 return rc;
1080 }
1081
selinux_write_opts(struct seq_file * m,struct security_mnt_opts * opts)1082 static void selinux_write_opts(struct seq_file *m,
1083 struct security_mnt_opts *opts)
1084 {
1085 int i;
1086 char *prefix;
1087
1088 for (i = 0; i < opts->num_mnt_opts; i++) {
1089 char *has_comma;
1090
1091 if (opts->mnt_opts[i])
1092 has_comma = strchr(opts->mnt_opts[i], ',');
1093 else
1094 has_comma = NULL;
1095
1096 switch (opts->mnt_opts_flags[i]) {
1097 case CONTEXT_MNT:
1098 prefix = CONTEXT_STR;
1099 break;
1100 case FSCONTEXT_MNT:
1101 prefix = FSCONTEXT_STR;
1102 break;
1103 case ROOTCONTEXT_MNT:
1104 prefix = ROOTCONTEXT_STR;
1105 break;
1106 case DEFCONTEXT_MNT:
1107 prefix = DEFCONTEXT_STR;
1108 break;
1109 case SBLABEL_MNT:
1110 seq_putc(m, ',');
1111 seq_puts(m, LABELSUPP_STR);
1112 continue;
1113 default:
1114 BUG();
1115 return;
1116 };
1117 /* we need a comma before each option */
1118 seq_putc(m, ',');
1119 seq_puts(m, prefix);
1120 if (has_comma)
1121 seq_putc(m, '\"');
1122 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1123 if (has_comma)
1124 seq_putc(m, '\"');
1125 }
1126 }
1127
selinux_sb_show_options(struct seq_file * m,struct super_block * sb)1128 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1129 {
1130 struct security_mnt_opts opts;
1131 int rc;
1132
1133 rc = selinux_get_mnt_opts(sb, &opts);
1134 if (rc) {
1135 /* before policy load we may get EINVAL, don't show anything */
1136 if (rc == -EINVAL)
1137 rc = 0;
1138 return rc;
1139 }
1140
1141 selinux_write_opts(m, &opts);
1142
1143 security_free_mnt_opts(&opts);
1144
1145 return rc;
1146 }
1147
inode_mode_to_security_class(umode_t mode)1148 static inline u16 inode_mode_to_security_class(umode_t mode)
1149 {
1150 switch (mode & S_IFMT) {
1151 case S_IFSOCK:
1152 return SECCLASS_SOCK_FILE;
1153 case S_IFLNK:
1154 return SECCLASS_LNK_FILE;
1155 case S_IFREG:
1156 return SECCLASS_FILE;
1157 case S_IFBLK:
1158 return SECCLASS_BLK_FILE;
1159 case S_IFDIR:
1160 return SECCLASS_DIR;
1161 case S_IFCHR:
1162 return SECCLASS_CHR_FILE;
1163 case S_IFIFO:
1164 return SECCLASS_FIFO_FILE;
1165
1166 }
1167
1168 return SECCLASS_FILE;
1169 }
1170
default_protocol_stream(int protocol)1171 static inline int default_protocol_stream(int protocol)
1172 {
1173 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1174 }
1175
default_protocol_dgram(int protocol)1176 static inline int default_protocol_dgram(int protocol)
1177 {
1178 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1179 }
1180
socket_type_to_security_class(int family,int type,int protocol)1181 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1182 {
1183 switch (family) {
1184 case PF_UNIX:
1185 switch (type) {
1186 case SOCK_STREAM:
1187 case SOCK_SEQPACKET:
1188 return SECCLASS_UNIX_STREAM_SOCKET;
1189 case SOCK_DGRAM:
1190 return SECCLASS_UNIX_DGRAM_SOCKET;
1191 }
1192 break;
1193 case PF_INET:
1194 case PF_INET6:
1195 switch (type) {
1196 case SOCK_STREAM:
1197 if (default_protocol_stream(protocol))
1198 return SECCLASS_TCP_SOCKET;
1199 else
1200 return SECCLASS_RAWIP_SOCKET;
1201 case SOCK_DGRAM:
1202 if (default_protocol_dgram(protocol))
1203 return SECCLASS_UDP_SOCKET;
1204 else
1205 return SECCLASS_RAWIP_SOCKET;
1206 case SOCK_DCCP:
1207 return SECCLASS_DCCP_SOCKET;
1208 default:
1209 return SECCLASS_RAWIP_SOCKET;
1210 }
1211 break;
1212 case PF_NETLINK:
1213 switch (protocol) {
1214 case NETLINK_ROUTE:
1215 return SECCLASS_NETLINK_ROUTE_SOCKET;
1216 case NETLINK_SOCK_DIAG:
1217 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1218 case NETLINK_NFLOG:
1219 return SECCLASS_NETLINK_NFLOG_SOCKET;
1220 case NETLINK_XFRM:
1221 return SECCLASS_NETLINK_XFRM_SOCKET;
1222 case NETLINK_SELINUX:
1223 return SECCLASS_NETLINK_SELINUX_SOCKET;
1224 case NETLINK_ISCSI:
1225 return SECCLASS_NETLINK_ISCSI_SOCKET;
1226 case NETLINK_AUDIT:
1227 return SECCLASS_NETLINK_AUDIT_SOCKET;
1228 case NETLINK_FIB_LOOKUP:
1229 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1230 case NETLINK_CONNECTOR:
1231 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1232 case NETLINK_NETFILTER:
1233 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1234 case NETLINK_DNRTMSG:
1235 return SECCLASS_NETLINK_DNRT_SOCKET;
1236 case NETLINK_KOBJECT_UEVENT:
1237 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1238 case NETLINK_GENERIC:
1239 return SECCLASS_NETLINK_GENERIC_SOCKET;
1240 case NETLINK_SCSITRANSPORT:
1241 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1242 case NETLINK_RDMA:
1243 return SECCLASS_NETLINK_RDMA_SOCKET;
1244 case NETLINK_CRYPTO:
1245 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1246 default:
1247 return SECCLASS_NETLINK_SOCKET;
1248 }
1249 case PF_PACKET:
1250 return SECCLASS_PACKET_SOCKET;
1251 case PF_KEY:
1252 return SECCLASS_KEY_SOCKET;
1253 case PF_APPLETALK:
1254 return SECCLASS_APPLETALK_SOCKET;
1255 }
1256
1257 return SECCLASS_SOCKET;
1258 }
1259
selinux_genfs_get_sid(struct dentry * dentry,u16 tclass,u16 flags,u32 * sid)1260 static int selinux_genfs_get_sid(struct dentry *dentry,
1261 u16 tclass,
1262 u16 flags,
1263 u32 *sid)
1264 {
1265 int rc;
1266 struct super_block *sb = dentry->d_inode->i_sb;
1267 char *buffer, *path;
1268
1269 buffer = (char *)__get_free_page(GFP_KERNEL);
1270 if (!buffer)
1271 return -ENOMEM;
1272
1273 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1274 if (IS_ERR(path))
1275 rc = PTR_ERR(path);
1276 else {
1277 if (flags & SE_SBPROC) {
1278 /* each process gets a /proc/PID/ entry. Strip off the
1279 * PID part to get a valid selinux labeling.
1280 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1281 while (path[1] >= '0' && path[1] <= '9') {
1282 path[1] = '/';
1283 path++;
1284 }
1285 }
1286 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1287 }
1288 free_page((unsigned long)buffer);
1289 return rc;
1290 }
1291
1292 /* The inode's security attributes must be initialized before first use. */
inode_doinit_with_dentry(struct inode * inode,struct dentry * opt_dentry)1293 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1294 {
1295 struct superblock_security_struct *sbsec = NULL;
1296 struct inode_security_struct *isec = inode->i_security;
1297 u32 sid;
1298 struct dentry *dentry;
1299 #define INITCONTEXTLEN 255
1300 char *context = NULL;
1301 unsigned len = 0;
1302 int rc = 0;
1303
1304 if (isec->initialized)
1305 goto out;
1306
1307 mutex_lock(&isec->lock);
1308 if (isec->initialized)
1309 goto out_unlock;
1310
1311 sbsec = inode->i_sb->s_security;
1312 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1313 /* Defer initialization until selinux_complete_init,
1314 after the initial policy is loaded and the security
1315 server is ready to handle calls. */
1316 spin_lock(&sbsec->isec_lock);
1317 if (list_empty(&isec->list))
1318 list_add(&isec->list, &sbsec->isec_head);
1319 spin_unlock(&sbsec->isec_lock);
1320 goto out_unlock;
1321 }
1322
1323 switch (sbsec->behavior) {
1324 case SECURITY_FS_USE_NATIVE:
1325 break;
1326 case SECURITY_FS_USE_XATTR:
1327 if (!inode->i_op->getxattr) {
1328 isec->sid = sbsec->def_sid;
1329 break;
1330 }
1331
1332 /* Need a dentry, since the xattr API requires one.
1333 Life would be simpler if we could just pass the inode. */
1334 if (opt_dentry) {
1335 /* Called from d_instantiate or d_splice_alias. */
1336 dentry = dget(opt_dentry);
1337 } else {
1338 /* Called from selinux_complete_init, try to find a dentry. */
1339 dentry = d_find_alias(inode);
1340 }
1341 if (!dentry) {
1342 /*
1343 * this is can be hit on boot when a file is accessed
1344 * before the policy is loaded. When we load policy we
1345 * may find inodes that have no dentry on the
1346 * sbsec->isec_head list. No reason to complain as these
1347 * will get fixed up the next time we go through
1348 * inode_doinit with a dentry, before these inodes could
1349 * be used again by userspace.
1350 */
1351 goto out_unlock;
1352 }
1353
1354 len = INITCONTEXTLEN;
1355 context = kmalloc(len+1, GFP_NOFS);
1356 if (!context) {
1357 rc = -ENOMEM;
1358 dput(dentry);
1359 goto out_unlock;
1360 }
1361 context[len] = '\0';
1362 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1363 context, len);
1364 if (rc == -ERANGE) {
1365 kfree(context);
1366
1367 /* Need a larger buffer. Query for the right size. */
1368 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1369 NULL, 0);
1370 if (rc < 0) {
1371 dput(dentry);
1372 goto out_unlock;
1373 }
1374 len = rc;
1375 context = kmalloc(len+1, GFP_NOFS);
1376 if (!context) {
1377 rc = -ENOMEM;
1378 dput(dentry);
1379 goto out_unlock;
1380 }
1381 context[len] = '\0';
1382 rc = inode->i_op->getxattr(dentry,
1383 XATTR_NAME_SELINUX,
1384 context, len);
1385 }
1386 dput(dentry);
1387 if (rc < 0) {
1388 if (rc != -ENODATA) {
1389 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1390 "%d for dev=%s ino=%ld\n", __func__,
1391 -rc, inode->i_sb->s_id, inode->i_ino);
1392 kfree(context);
1393 goto out_unlock;
1394 }
1395 /* Map ENODATA to the default file SID */
1396 sid = sbsec->def_sid;
1397 rc = 0;
1398 } else {
1399 rc = security_context_to_sid_default(context, rc, &sid,
1400 sbsec->def_sid,
1401 GFP_NOFS);
1402 if (rc) {
1403 char *dev = inode->i_sb->s_id;
1404 unsigned long ino = inode->i_ino;
1405
1406 if (rc == -EINVAL) {
1407 if (printk_ratelimit())
1408 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1409 "context=%s. This indicates you may need to relabel the inode or the "
1410 "filesystem in question.\n", ino, dev, context);
1411 } else {
1412 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1413 "returned %d for dev=%s ino=%ld\n",
1414 __func__, context, -rc, dev, ino);
1415 }
1416 kfree(context);
1417 /* Leave with the unlabeled SID */
1418 rc = 0;
1419 break;
1420 }
1421 }
1422 kfree(context);
1423 isec->sid = sid;
1424 break;
1425 case SECURITY_FS_USE_TASK:
1426 isec->sid = isec->task_sid;
1427 break;
1428 case SECURITY_FS_USE_TRANS:
1429 /* Default to the fs SID. */
1430 isec->sid = sbsec->sid;
1431
1432 /* Try to obtain a transition SID. */
1433 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1434 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1435 isec->sclass, NULL, &sid);
1436 if (rc)
1437 goto out_unlock;
1438 isec->sid = sid;
1439 break;
1440 case SECURITY_FS_USE_MNTPOINT:
1441 isec->sid = sbsec->mntpoint_sid;
1442 break;
1443 default:
1444 /* Default to the fs superblock SID. */
1445 isec->sid = sbsec->sid;
1446
1447 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1448 /* We must have a dentry to determine the label on
1449 * procfs inodes */
1450 if (opt_dentry)
1451 /* Called from d_instantiate or
1452 * d_splice_alias. */
1453 dentry = dget(opt_dentry);
1454 else
1455 /* Called from selinux_complete_init, try to
1456 * find a dentry. */
1457 dentry = d_find_alias(inode);
1458 /*
1459 * This can be hit on boot when a file is accessed
1460 * before the policy is loaded. When we load policy we
1461 * may find inodes that have no dentry on the
1462 * sbsec->isec_head list. No reason to complain as
1463 * these will get fixed up the next time we go through
1464 * inode_doinit() with a dentry, before these inodes
1465 * could be used again by userspace.
1466 */
1467 if (!dentry)
1468 goto out_unlock;
1469 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1470 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1471 sbsec->flags, &sid);
1472 dput(dentry);
1473 if (rc)
1474 goto out_unlock;
1475 isec->sid = sid;
1476 }
1477 break;
1478 }
1479
1480 isec->initialized = 1;
1481
1482 out_unlock:
1483 mutex_unlock(&isec->lock);
1484 out:
1485 if (isec->sclass == SECCLASS_FILE)
1486 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1487 return rc;
1488 }
1489
1490 /* Convert a Linux signal to an access vector. */
signal_to_av(int sig)1491 static inline u32 signal_to_av(int sig)
1492 {
1493 u32 perm = 0;
1494
1495 switch (sig) {
1496 case SIGCHLD:
1497 /* Commonly granted from child to parent. */
1498 perm = PROCESS__SIGCHLD;
1499 break;
1500 case SIGKILL:
1501 /* Cannot be caught or ignored */
1502 perm = PROCESS__SIGKILL;
1503 break;
1504 case SIGSTOP:
1505 /* Cannot be caught or ignored */
1506 perm = PROCESS__SIGSTOP;
1507 break;
1508 default:
1509 /* All other signals. */
1510 perm = PROCESS__SIGNAL;
1511 break;
1512 }
1513
1514 return perm;
1515 }
1516
1517 /*
1518 * Check permission between a pair of credentials
1519 * fork check, ptrace check, etc.
1520 */
cred_has_perm(const struct cred * actor,const struct cred * target,u32 perms)1521 static int cred_has_perm(const struct cred *actor,
1522 const struct cred *target,
1523 u32 perms)
1524 {
1525 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1526
1527 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1528 }
1529
1530 /*
1531 * Check permission between a pair of tasks, e.g. signal checks,
1532 * fork check, ptrace check, etc.
1533 * tsk1 is the actor and tsk2 is the target
1534 * - this uses the default subjective creds of tsk1
1535 */
task_has_perm(const struct task_struct * tsk1,const struct task_struct * tsk2,u32 perms)1536 static int task_has_perm(const struct task_struct *tsk1,
1537 const struct task_struct *tsk2,
1538 u32 perms)
1539 {
1540 const struct task_security_struct *__tsec1, *__tsec2;
1541 u32 sid1, sid2;
1542
1543 rcu_read_lock();
1544 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1545 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1546 rcu_read_unlock();
1547 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1548 }
1549
1550 /*
1551 * Check permission between current and another task, e.g. signal checks,
1552 * fork check, ptrace check, etc.
1553 * current is the actor and tsk2 is the target
1554 * - this uses current's subjective creds
1555 */
current_has_perm(const struct task_struct * tsk,u32 perms)1556 static int current_has_perm(const struct task_struct *tsk,
1557 u32 perms)
1558 {
1559 u32 sid, tsid;
1560
1561 sid = current_sid();
1562 tsid = task_sid(tsk);
1563 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1564 }
1565
1566 #if CAP_LAST_CAP > 63
1567 #error Fix SELinux to handle capabilities > 63.
1568 #endif
1569
1570 /* Check whether a task is allowed to use a capability. */
cred_has_capability(const struct cred * cred,int cap,int audit)1571 static int cred_has_capability(const struct cred *cred,
1572 int cap, int audit)
1573 {
1574 struct common_audit_data ad;
1575 struct av_decision avd;
1576 u16 sclass;
1577 u32 sid = cred_sid(cred);
1578 u32 av = CAP_TO_MASK(cap);
1579 int rc;
1580
1581 ad.type = LSM_AUDIT_DATA_CAP;
1582 ad.u.cap = cap;
1583
1584 switch (CAP_TO_INDEX(cap)) {
1585 case 0:
1586 sclass = SECCLASS_CAPABILITY;
1587 break;
1588 case 1:
1589 sclass = SECCLASS_CAPABILITY2;
1590 break;
1591 default:
1592 printk(KERN_ERR
1593 "SELinux: out of range capability %d\n", cap);
1594 BUG();
1595 return -EINVAL;
1596 }
1597
1598 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1599 if (audit == SECURITY_CAP_AUDIT) {
1600 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1601 if (rc2)
1602 return rc2;
1603 }
1604 return rc;
1605 }
1606
1607 /* Check whether a task is allowed to use a system operation. */
task_has_system(struct task_struct * tsk,u32 perms)1608 static int task_has_system(struct task_struct *tsk,
1609 u32 perms)
1610 {
1611 u32 sid = task_sid(tsk);
1612
1613 return avc_has_perm(sid, SECINITSID_KERNEL,
1614 SECCLASS_SYSTEM, perms, NULL);
1615 }
1616
1617 /* Check whether a task has a particular permission to an inode.
1618 The 'adp' parameter is optional and allows other audit
1619 data to be passed (e.g. the dentry). */
inode_has_perm(const struct cred * cred,struct inode * inode,u32 perms,struct common_audit_data * adp)1620 static int inode_has_perm(const struct cred *cred,
1621 struct inode *inode,
1622 u32 perms,
1623 struct common_audit_data *adp)
1624 {
1625 struct inode_security_struct *isec;
1626 u32 sid;
1627
1628 validate_creds(cred);
1629
1630 if (unlikely(IS_PRIVATE(inode)))
1631 return 0;
1632
1633 sid = cred_sid(cred);
1634 isec = inode->i_security;
1635
1636 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1637 }
1638
1639 /* Same as inode_has_perm, but pass explicit audit data containing
1640 the dentry to help the auditing code to more easily generate the
1641 pathname if needed. */
dentry_has_perm(const struct cred * cred,struct dentry * dentry,u32 av)1642 static inline int dentry_has_perm(const struct cred *cred,
1643 struct dentry *dentry,
1644 u32 av)
1645 {
1646 struct inode *inode = d_backing_inode(dentry);
1647 struct common_audit_data ad;
1648
1649 ad.type = LSM_AUDIT_DATA_DENTRY;
1650 ad.u.dentry = dentry;
1651 return inode_has_perm(cred, inode, av, &ad);
1652 }
1653
1654 /* Same as inode_has_perm, but pass explicit audit data containing
1655 the path to help the auditing code to more easily generate the
1656 pathname if needed. */
path_has_perm(const struct cred * cred,const struct path * path,u32 av)1657 static inline int path_has_perm(const struct cred *cred,
1658 const struct path *path,
1659 u32 av)
1660 {
1661 struct inode *inode = d_backing_inode(path->dentry);
1662 struct common_audit_data ad;
1663
1664 ad.type = LSM_AUDIT_DATA_PATH;
1665 ad.u.path = *path;
1666 return inode_has_perm(cred, inode, av, &ad);
1667 }
1668
1669 /* Same as path_has_perm, but uses the inode from the file struct. */
file_path_has_perm(const struct cred * cred,struct file * file,u32 av)1670 static inline int file_path_has_perm(const struct cred *cred,
1671 struct file *file,
1672 u32 av)
1673 {
1674 struct common_audit_data ad;
1675
1676 ad.type = LSM_AUDIT_DATA_PATH;
1677 ad.u.path = file->f_path;
1678 return inode_has_perm(cred, file_inode(file), av, &ad);
1679 }
1680
1681 /* Check whether a task can use an open file descriptor to
1682 access an inode in a given way. Check access to the
1683 descriptor itself, and then use dentry_has_perm to
1684 check a particular permission to the file.
1685 Access to the descriptor is implicitly granted if it
1686 has the same SID as the process. If av is zero, then
1687 access to the file is not checked, e.g. for cases
1688 where only the descriptor is affected like seek. */
file_has_perm(const struct cred * cred,struct file * file,u32 av)1689 static int file_has_perm(const struct cred *cred,
1690 struct file *file,
1691 u32 av)
1692 {
1693 struct file_security_struct *fsec = file->f_security;
1694 struct inode *inode = file_inode(file);
1695 struct common_audit_data ad;
1696 u32 sid = cred_sid(cred);
1697 int rc;
1698
1699 ad.type = LSM_AUDIT_DATA_PATH;
1700 ad.u.path = file->f_path;
1701
1702 if (sid != fsec->sid) {
1703 rc = avc_has_perm(sid, fsec->sid,
1704 SECCLASS_FD,
1705 FD__USE,
1706 &ad);
1707 if (rc)
1708 goto out;
1709 }
1710
1711 /* av is zero if only checking access to the descriptor. */
1712 rc = 0;
1713 if (av)
1714 rc = inode_has_perm(cred, inode, av, &ad);
1715
1716 out:
1717 return rc;
1718 }
1719
1720 /*
1721 * Determine the label for an inode that might be unioned.
1722 */
selinux_determine_inode_label(const struct inode * dir,const struct qstr * name,u16 tclass,u32 * _new_isid)1723 static int selinux_determine_inode_label(const struct inode *dir,
1724 const struct qstr *name,
1725 u16 tclass,
1726 u32 *_new_isid)
1727 {
1728 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1729 const struct inode_security_struct *dsec = dir->i_security;
1730 const struct task_security_struct *tsec = current_security();
1731
1732 if ((sbsec->flags & SE_SBINITIALIZED) &&
1733 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1734 *_new_isid = sbsec->mntpoint_sid;
1735 } else if ((sbsec->flags & SBLABEL_MNT) &&
1736 tsec->create_sid) {
1737 *_new_isid = tsec->create_sid;
1738 } else {
1739 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1740 name, _new_isid);
1741 }
1742
1743 return 0;
1744 }
1745
1746 /* Check whether a task can create a file. */
may_create(struct inode * dir,struct dentry * dentry,u16 tclass)1747 static int may_create(struct inode *dir,
1748 struct dentry *dentry,
1749 u16 tclass)
1750 {
1751 const struct task_security_struct *tsec = current_security();
1752 struct inode_security_struct *dsec;
1753 struct superblock_security_struct *sbsec;
1754 u32 sid, newsid;
1755 struct common_audit_data ad;
1756 int rc;
1757
1758 dsec = dir->i_security;
1759 sbsec = dir->i_sb->s_security;
1760
1761 sid = tsec->sid;
1762
1763 ad.type = LSM_AUDIT_DATA_DENTRY;
1764 ad.u.dentry = dentry;
1765
1766 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1767 DIR__ADD_NAME | DIR__SEARCH,
1768 &ad);
1769 if (rc)
1770 return rc;
1771
1772 rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
1773 &newsid);
1774 if (rc)
1775 return rc;
1776
1777 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1778 if (rc)
1779 return rc;
1780
1781 return avc_has_perm(newsid, sbsec->sid,
1782 SECCLASS_FILESYSTEM,
1783 FILESYSTEM__ASSOCIATE, &ad);
1784 }
1785
1786 /* Check whether a task can create a key. */
may_create_key(u32 ksid,struct task_struct * ctx)1787 static int may_create_key(u32 ksid,
1788 struct task_struct *ctx)
1789 {
1790 u32 sid = task_sid(ctx);
1791
1792 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1793 }
1794
1795 #define MAY_LINK 0
1796 #define MAY_UNLINK 1
1797 #define MAY_RMDIR 2
1798
1799 /* Check whether a task can link, unlink, or rmdir a file/directory. */
may_link(struct inode * dir,struct dentry * dentry,int kind)1800 static int may_link(struct inode *dir,
1801 struct dentry *dentry,
1802 int kind)
1803
1804 {
1805 struct inode_security_struct *dsec, *isec;
1806 struct common_audit_data ad;
1807 u32 sid = current_sid();
1808 u32 av;
1809 int rc;
1810
1811 dsec = dir->i_security;
1812 isec = d_backing_inode(dentry)->i_security;
1813
1814 ad.type = LSM_AUDIT_DATA_DENTRY;
1815 ad.u.dentry = dentry;
1816
1817 av = DIR__SEARCH;
1818 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1819 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1820 if (rc)
1821 return rc;
1822
1823 switch (kind) {
1824 case MAY_LINK:
1825 av = FILE__LINK;
1826 break;
1827 case MAY_UNLINK:
1828 av = FILE__UNLINK;
1829 break;
1830 case MAY_RMDIR:
1831 av = DIR__RMDIR;
1832 break;
1833 default:
1834 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1835 __func__, kind);
1836 return 0;
1837 }
1838
1839 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1840 return rc;
1841 }
1842
may_rename(struct inode * old_dir,struct dentry * old_dentry,struct inode * new_dir,struct dentry * new_dentry)1843 static inline int may_rename(struct inode *old_dir,
1844 struct dentry *old_dentry,
1845 struct inode *new_dir,
1846 struct dentry *new_dentry)
1847 {
1848 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1849 struct common_audit_data ad;
1850 u32 sid = current_sid();
1851 u32 av;
1852 int old_is_dir, new_is_dir;
1853 int rc;
1854
1855 old_dsec = old_dir->i_security;
1856 old_isec = d_backing_inode(old_dentry)->i_security;
1857 old_is_dir = d_is_dir(old_dentry);
1858 new_dsec = new_dir->i_security;
1859
1860 ad.type = LSM_AUDIT_DATA_DENTRY;
1861
1862 ad.u.dentry = old_dentry;
1863 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1864 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1865 if (rc)
1866 return rc;
1867 rc = avc_has_perm(sid, old_isec->sid,
1868 old_isec->sclass, FILE__RENAME, &ad);
1869 if (rc)
1870 return rc;
1871 if (old_is_dir && new_dir != old_dir) {
1872 rc = avc_has_perm(sid, old_isec->sid,
1873 old_isec->sclass, DIR__REPARENT, &ad);
1874 if (rc)
1875 return rc;
1876 }
1877
1878 ad.u.dentry = new_dentry;
1879 av = DIR__ADD_NAME | DIR__SEARCH;
1880 if (d_is_positive(new_dentry))
1881 av |= DIR__REMOVE_NAME;
1882 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1883 if (rc)
1884 return rc;
1885 if (d_is_positive(new_dentry)) {
1886 new_isec = d_backing_inode(new_dentry)->i_security;
1887 new_is_dir = d_is_dir(new_dentry);
1888 rc = avc_has_perm(sid, new_isec->sid,
1889 new_isec->sclass,
1890 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1891 if (rc)
1892 return rc;
1893 }
1894
1895 return 0;
1896 }
1897
1898 /* Check whether a task can perform a filesystem operation. */
superblock_has_perm(const struct cred * cred,struct super_block * sb,u32 perms,struct common_audit_data * ad)1899 static int superblock_has_perm(const struct cred *cred,
1900 struct super_block *sb,
1901 u32 perms,
1902 struct common_audit_data *ad)
1903 {
1904 struct superblock_security_struct *sbsec;
1905 u32 sid = cred_sid(cred);
1906
1907 sbsec = sb->s_security;
1908 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1909 }
1910
1911 /* Convert a Linux mode and permission mask to an access vector. */
file_mask_to_av(int mode,int mask)1912 static inline u32 file_mask_to_av(int mode, int mask)
1913 {
1914 u32 av = 0;
1915
1916 if (!S_ISDIR(mode)) {
1917 if (mask & MAY_EXEC)
1918 av |= FILE__EXECUTE;
1919 if (mask & MAY_READ)
1920 av |= FILE__READ;
1921
1922 if (mask & MAY_APPEND)
1923 av |= FILE__APPEND;
1924 else if (mask & MAY_WRITE)
1925 av |= FILE__WRITE;
1926
1927 } else {
1928 if (mask & MAY_EXEC)
1929 av |= DIR__SEARCH;
1930 if (mask & MAY_WRITE)
1931 av |= DIR__WRITE;
1932 if (mask & MAY_READ)
1933 av |= DIR__READ;
1934 }
1935
1936 return av;
1937 }
1938
1939 /* Convert a Linux file to an access vector. */
file_to_av(struct file * file)1940 static inline u32 file_to_av(struct file *file)
1941 {
1942 u32 av = 0;
1943
1944 if (file->f_mode & FMODE_READ)
1945 av |= FILE__READ;
1946 if (file->f_mode & FMODE_WRITE) {
1947 if (file->f_flags & O_APPEND)
1948 av |= FILE__APPEND;
1949 else
1950 av |= FILE__WRITE;
1951 }
1952 if (!av) {
1953 /*
1954 * Special file opened with flags 3 for ioctl-only use.
1955 */
1956 av = FILE__IOCTL;
1957 }
1958
1959 return av;
1960 }
1961
1962 /*
1963 * Convert a file to an access vector and include the correct open
1964 * open permission.
1965 */
open_file_to_av(struct file * file)1966 static inline u32 open_file_to_av(struct file *file)
1967 {
1968 u32 av = file_to_av(file);
1969 struct inode *inode = file_inode(file);
1970
1971 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
1972 av |= FILE__OPEN;
1973
1974 return av;
1975 }
1976
1977 /* Hook functions begin here. */
1978
selinux_binder_set_context_mgr(const struct cred * mgr)1979 static int selinux_binder_set_context_mgr(const struct cred *mgr)
1980 {
1981 return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER,
1982 BINDER__SET_CONTEXT_MGR, NULL);
1983 }
1984
selinux_binder_transaction(const struct cred * from,const struct cred * to)1985 static int selinux_binder_transaction(const struct cred *from,
1986 const struct cred *to)
1987 {
1988 u32 mysid = current_sid();
1989 u32 fromsid = cred_sid(from);
1990 u32 tosid = cred_sid(to);
1991 int rc;
1992
1993 if (mysid != fromsid) {
1994 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
1995 BINDER__IMPERSONATE, NULL);
1996 if (rc)
1997 return rc;
1998 }
1999
2000 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2001 NULL);
2002 }
2003
selinux_binder_transfer_binder(const struct cred * from,const struct cred * to)2004 static int selinux_binder_transfer_binder(const struct cred *from,
2005 const struct cred *to)
2006 {
2007 return avc_has_perm(cred_sid(from), cred_sid(to),
2008 SECCLASS_BINDER, BINDER__TRANSFER,
2009 NULL);
2010 }
2011
selinux_binder_transfer_file(const struct cred * from,const struct cred * to,struct file * file)2012 static int selinux_binder_transfer_file(const struct cred *from,
2013 const struct cred *to,
2014 struct file *file)
2015 {
2016 u32 sid = cred_sid(to);
2017 struct file_security_struct *fsec = file->f_security;
2018 struct inode *inode = d_backing_inode(file->f_path.dentry);
2019 struct inode_security_struct *isec = inode->i_security;
2020 struct common_audit_data ad;
2021 int rc;
2022
2023 ad.type = LSM_AUDIT_DATA_PATH;
2024 ad.u.path = file->f_path;
2025
2026 if (sid != fsec->sid) {
2027 rc = avc_has_perm(sid, fsec->sid,
2028 SECCLASS_FD,
2029 FD__USE,
2030 &ad);
2031 if (rc)
2032 return rc;
2033 }
2034
2035 if (unlikely(IS_PRIVATE(inode)))
2036 return 0;
2037
2038 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2039 &ad);
2040 }
2041
selinux_ptrace_access_check(struct task_struct * child,unsigned int mode)2042 static int selinux_ptrace_access_check(struct task_struct *child,
2043 unsigned int mode)
2044 {
2045 if (mode & PTRACE_MODE_READ) {
2046 u32 sid = current_sid();
2047 u32 csid = task_sid(child);
2048 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2049 }
2050
2051 return current_has_perm(child, PROCESS__PTRACE);
2052 }
2053
selinux_ptrace_traceme(struct task_struct * parent)2054 static int selinux_ptrace_traceme(struct task_struct *parent)
2055 {
2056 return task_has_perm(parent, current, PROCESS__PTRACE);
2057 }
2058
selinux_capget(struct task_struct * target,kernel_cap_t * effective,kernel_cap_t * inheritable,kernel_cap_t * permitted)2059 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2060 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2061 {
2062 return current_has_perm(target, PROCESS__GETCAP);
2063 }
2064
selinux_capset(struct cred * new,const struct cred * old,const kernel_cap_t * effective,const kernel_cap_t * inheritable,const kernel_cap_t * permitted)2065 static int selinux_capset(struct cred *new, const struct cred *old,
2066 const kernel_cap_t *effective,
2067 const kernel_cap_t *inheritable,
2068 const kernel_cap_t *permitted)
2069 {
2070 return cred_has_perm(old, new, PROCESS__SETCAP);
2071 }
2072
2073 /*
2074 * (This comment used to live with the selinux_task_setuid hook,
2075 * which was removed).
2076 *
2077 * Since setuid only affects the current process, and since the SELinux
2078 * controls are not based on the Linux identity attributes, SELinux does not
2079 * need to control this operation. However, SELinux does control the use of
2080 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2081 */
2082
selinux_capable(const struct cred * cred,struct user_namespace * ns,int cap,int audit)2083 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2084 int cap, int audit)
2085 {
2086 return cred_has_capability(cred, cap, audit);
2087 }
2088
selinux_quotactl(int cmds,int type,int id,struct super_block * sb)2089 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2090 {
2091 const struct cred *cred = current_cred();
2092 int rc = 0;
2093
2094 if (!sb)
2095 return 0;
2096
2097 switch (cmds) {
2098 case Q_SYNC:
2099 case Q_QUOTAON:
2100 case Q_QUOTAOFF:
2101 case Q_SETINFO:
2102 case Q_SETQUOTA:
2103 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2104 break;
2105 case Q_GETFMT:
2106 case Q_GETINFO:
2107 case Q_GETQUOTA:
2108 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2109 break;
2110 default:
2111 rc = 0; /* let the kernel handle invalid cmds */
2112 break;
2113 }
2114 return rc;
2115 }
2116
selinux_quota_on(struct dentry * dentry)2117 static int selinux_quota_on(struct dentry *dentry)
2118 {
2119 const struct cred *cred = current_cred();
2120
2121 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2122 }
2123
selinux_syslog(int type)2124 static int selinux_syslog(int type)
2125 {
2126 int rc;
2127
2128 switch (type) {
2129 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2130 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2131 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2132 break;
2133 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2134 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2135 /* Set level of messages printed to console */
2136 case SYSLOG_ACTION_CONSOLE_LEVEL:
2137 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2138 break;
2139 case SYSLOG_ACTION_CLOSE: /* Close log */
2140 case SYSLOG_ACTION_OPEN: /* Open log */
2141 case SYSLOG_ACTION_READ: /* Read from log */
2142 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2143 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
2144 default:
2145 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2146 break;
2147 }
2148 return rc;
2149 }
2150
2151 /*
2152 * Check that a process has enough memory to allocate a new virtual
2153 * mapping. 0 means there is enough memory for the allocation to
2154 * succeed and -ENOMEM implies there is not.
2155 *
2156 * Do not audit the selinux permission check, as this is applied to all
2157 * processes that allocate mappings.
2158 */
selinux_vm_enough_memory(struct mm_struct * mm,long pages)2159 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2160 {
2161 int rc, cap_sys_admin = 0;
2162
2163 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2164 SECURITY_CAP_NOAUDIT);
2165 if (rc == 0)
2166 cap_sys_admin = 1;
2167
2168 return cap_sys_admin;
2169 }
2170
2171 /* binprm security operations */
2172
check_nnp_nosuid(const struct linux_binprm * bprm,const struct task_security_struct * old_tsec,const struct task_security_struct * new_tsec)2173 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2174 const struct task_security_struct *old_tsec,
2175 const struct task_security_struct *new_tsec)
2176 {
2177 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2178 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2179 int rc;
2180
2181 if (!nnp && !nosuid)
2182 return 0; /* neither NNP nor nosuid */
2183
2184 if (new_tsec->sid == old_tsec->sid)
2185 return 0; /* No change in credentials */
2186
2187 /*
2188 * The only transitions we permit under NNP or nosuid
2189 * are transitions to bounded SIDs, i.e. SIDs that are
2190 * guaranteed to only be allowed a subset of the permissions
2191 * of the current SID.
2192 */
2193 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2194 if (rc) {
2195 /*
2196 * On failure, preserve the errno values for NNP vs nosuid.
2197 * NNP: Operation not permitted for caller.
2198 * nosuid: Permission denied to file.
2199 */
2200 if (nnp)
2201 return -EPERM;
2202 else
2203 return -EACCES;
2204 }
2205 return 0;
2206 }
2207
selinux_bprm_set_creds(struct linux_binprm * bprm)2208 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2209 {
2210 const struct task_security_struct *old_tsec;
2211 struct task_security_struct *new_tsec;
2212 struct inode_security_struct *isec;
2213 struct common_audit_data ad;
2214 struct inode *inode = file_inode(bprm->file);
2215 int rc;
2216
2217 /* SELinux context only depends on initial program or script and not
2218 * the script interpreter */
2219 if (bprm->cred_prepared)
2220 return 0;
2221
2222 old_tsec = current_security();
2223 new_tsec = bprm->cred->security;
2224 isec = inode->i_security;
2225
2226 /* Default to the current task SID. */
2227 new_tsec->sid = old_tsec->sid;
2228 new_tsec->osid = old_tsec->sid;
2229
2230 /* Reset fs, key, and sock SIDs on execve. */
2231 new_tsec->create_sid = 0;
2232 new_tsec->keycreate_sid = 0;
2233 new_tsec->sockcreate_sid = 0;
2234
2235 if (old_tsec->exec_sid) {
2236 new_tsec->sid = old_tsec->exec_sid;
2237 /* Reset exec SID on execve. */
2238 new_tsec->exec_sid = 0;
2239
2240 /* Fail on NNP or nosuid if not an allowed transition. */
2241 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2242 if (rc)
2243 return rc;
2244 } else {
2245 /* Check for a default transition on this program. */
2246 rc = security_transition_sid(old_tsec->sid, isec->sid,
2247 SECCLASS_PROCESS, NULL,
2248 &new_tsec->sid);
2249 if (rc)
2250 return rc;
2251
2252 /*
2253 * Fallback to old SID on NNP or nosuid if not an allowed
2254 * transition.
2255 */
2256 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2257 if (rc)
2258 new_tsec->sid = old_tsec->sid;
2259 }
2260
2261 ad.type = LSM_AUDIT_DATA_PATH;
2262 ad.u.path = bprm->file->f_path;
2263
2264 if (new_tsec->sid == old_tsec->sid) {
2265 rc = avc_has_perm(old_tsec->sid, isec->sid,
2266 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2267 if (rc)
2268 return rc;
2269 } else {
2270 /* Check permissions for the transition. */
2271 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2272 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2273 if (rc)
2274 return rc;
2275
2276 rc = avc_has_perm(new_tsec->sid, isec->sid,
2277 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2278 if (rc)
2279 return rc;
2280
2281 /* Check for shared state */
2282 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2283 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2284 SECCLASS_PROCESS, PROCESS__SHARE,
2285 NULL);
2286 if (rc)
2287 return -EPERM;
2288 }
2289
2290 /* Make sure that anyone attempting to ptrace over a task that
2291 * changes its SID has the appropriate permit */
2292 if (bprm->unsafe &
2293 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2294 struct task_struct *tracer;
2295 struct task_security_struct *sec;
2296 u32 ptsid = 0;
2297
2298 rcu_read_lock();
2299 tracer = ptrace_parent(current);
2300 if (likely(tracer != NULL)) {
2301 sec = __task_cred(tracer)->security;
2302 ptsid = sec->sid;
2303 }
2304 rcu_read_unlock();
2305
2306 if (ptsid != 0) {
2307 rc = avc_has_perm(ptsid, new_tsec->sid,
2308 SECCLASS_PROCESS,
2309 PROCESS__PTRACE, NULL);
2310 if (rc)
2311 return -EPERM;
2312 }
2313 }
2314
2315 /* Clear any possibly unsafe personality bits on exec: */
2316 bprm->per_clear |= PER_CLEAR_ON_SETID;
2317 }
2318
2319 return 0;
2320 }
2321
selinux_bprm_secureexec(struct linux_binprm * bprm)2322 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2323 {
2324 const struct task_security_struct *tsec = current_security();
2325 u32 sid, osid;
2326 int atsecure = 0;
2327
2328 sid = tsec->sid;
2329 osid = tsec->osid;
2330
2331 if (osid != sid) {
2332 /* Enable secure mode for SIDs transitions unless
2333 the noatsecure permission is granted between
2334 the two SIDs, i.e. ahp returns 0. */
2335 atsecure = avc_has_perm(osid, sid,
2336 SECCLASS_PROCESS,
2337 PROCESS__NOATSECURE, NULL);
2338 }
2339
2340 return !!atsecure;
2341 }
2342
match_file(const void * p,struct file * file,unsigned fd)2343 static int match_file(const void *p, struct file *file, unsigned fd)
2344 {
2345 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2346 }
2347
2348 /* Derived from fs/exec.c:flush_old_files. */
flush_unauthorized_files(const struct cred * cred,struct files_struct * files)2349 static inline void flush_unauthorized_files(const struct cred *cred,
2350 struct files_struct *files)
2351 {
2352 struct file *file, *devnull = NULL;
2353 struct tty_struct *tty;
2354 int drop_tty = 0;
2355 unsigned n;
2356
2357 tty = get_current_tty();
2358 if (tty) {
2359 spin_lock(&tty_files_lock);
2360 if (!list_empty(&tty->tty_files)) {
2361 struct tty_file_private *file_priv;
2362
2363 /* Revalidate access to controlling tty.
2364 Use file_path_has_perm on the tty path directly
2365 rather than using file_has_perm, as this particular
2366 open file may belong to another process and we are
2367 only interested in the inode-based check here. */
2368 file_priv = list_first_entry(&tty->tty_files,
2369 struct tty_file_private, list);
2370 file = file_priv->file;
2371 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2372 drop_tty = 1;
2373 }
2374 spin_unlock(&tty_files_lock);
2375 tty_kref_put(tty);
2376 }
2377 /* Reset controlling tty. */
2378 if (drop_tty)
2379 no_tty();
2380
2381 /* Revalidate access to inherited open files. */
2382 n = iterate_fd(files, 0, match_file, cred);
2383 if (!n) /* none found? */
2384 return;
2385
2386 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2387 if (IS_ERR(devnull))
2388 devnull = NULL;
2389 /* replace all the matching ones with this */
2390 do {
2391 replace_fd(n - 1, devnull, 0);
2392 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2393 if (devnull)
2394 fput(devnull);
2395 }
2396
2397 /*
2398 * Prepare a process for imminent new credential changes due to exec
2399 */
selinux_bprm_committing_creds(struct linux_binprm * bprm)2400 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2401 {
2402 struct task_security_struct *new_tsec;
2403 struct rlimit *rlim, *initrlim;
2404 int rc, i;
2405
2406 new_tsec = bprm->cred->security;
2407 if (new_tsec->sid == new_tsec->osid)
2408 return;
2409
2410 /* Close files for which the new task SID is not authorized. */
2411 flush_unauthorized_files(bprm->cred, current->files);
2412
2413 /* Always clear parent death signal on SID transitions. */
2414 current->pdeath_signal = 0;
2415
2416 /* Check whether the new SID can inherit resource limits from the old
2417 * SID. If not, reset all soft limits to the lower of the current
2418 * task's hard limit and the init task's soft limit.
2419 *
2420 * Note that the setting of hard limits (even to lower them) can be
2421 * controlled by the setrlimit check. The inclusion of the init task's
2422 * soft limit into the computation is to avoid resetting soft limits
2423 * higher than the default soft limit for cases where the default is
2424 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2425 */
2426 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2427 PROCESS__RLIMITINH, NULL);
2428 if (rc) {
2429 /* protect against do_prlimit() */
2430 task_lock(current);
2431 for (i = 0; i < RLIM_NLIMITS; i++) {
2432 rlim = current->signal->rlim + i;
2433 initrlim = init_task.signal->rlim + i;
2434 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2435 }
2436 task_unlock(current);
2437 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2438 }
2439 }
2440
2441 /*
2442 * Clean up the process immediately after the installation of new credentials
2443 * due to exec
2444 */
selinux_bprm_committed_creds(struct linux_binprm * bprm)2445 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2446 {
2447 const struct task_security_struct *tsec = current_security();
2448 struct itimerval itimer;
2449 u32 osid, sid;
2450 int rc, i;
2451
2452 osid = tsec->osid;
2453 sid = tsec->sid;
2454
2455 if (sid == osid)
2456 return;
2457
2458 /* Check whether the new SID can inherit signal state from the old SID.
2459 * If not, clear itimers to avoid subsequent signal generation and
2460 * flush and unblock signals.
2461 *
2462 * This must occur _after_ the task SID has been updated so that any
2463 * kill done after the flush will be checked against the new SID.
2464 */
2465 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2466 if (rc) {
2467 memset(&itimer, 0, sizeof itimer);
2468 for (i = 0; i < 3; i++)
2469 do_setitimer(i, &itimer, NULL);
2470 spin_lock_irq(¤t->sighand->siglock);
2471 if (!fatal_signal_pending(current)) {
2472 flush_sigqueue(¤t->pending);
2473 flush_sigqueue(¤t->signal->shared_pending);
2474 flush_signal_handlers(current, 1);
2475 sigemptyset(¤t->blocked);
2476 recalc_sigpending();
2477 }
2478 spin_unlock_irq(¤t->sighand->siglock);
2479 }
2480
2481 /* Wake up the parent if it is waiting so that it can recheck
2482 * wait permission to the new task SID. */
2483 read_lock(&tasklist_lock);
2484 __wake_up_parent(current, current->real_parent);
2485 read_unlock(&tasklist_lock);
2486 }
2487
2488 /* superblock security operations */
2489
selinux_sb_alloc_security(struct super_block * sb)2490 static int selinux_sb_alloc_security(struct super_block *sb)
2491 {
2492 return superblock_alloc_security(sb);
2493 }
2494
selinux_sb_free_security(struct super_block * sb)2495 static void selinux_sb_free_security(struct super_block *sb)
2496 {
2497 superblock_free_security(sb);
2498 }
2499
match_prefix(char * prefix,int plen,char * option,int olen)2500 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2501 {
2502 if (plen > olen)
2503 return 0;
2504
2505 return !memcmp(prefix, option, plen);
2506 }
2507
selinux_option(char * option,int len)2508 static inline int selinux_option(char *option, int len)
2509 {
2510 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2511 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2512 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2513 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2514 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2515 }
2516
take_option(char ** to,char * from,int * first,int len)2517 static inline void take_option(char **to, char *from, int *first, int len)
2518 {
2519 if (!*first) {
2520 **to = ',';
2521 *to += 1;
2522 } else
2523 *first = 0;
2524 memcpy(*to, from, len);
2525 *to += len;
2526 }
2527
take_selinux_option(char ** to,char * from,int * first,int len)2528 static inline void take_selinux_option(char **to, char *from, int *first,
2529 int len)
2530 {
2531 int current_size = 0;
2532
2533 if (!*first) {
2534 **to = '|';
2535 *to += 1;
2536 } else
2537 *first = 0;
2538
2539 while (current_size < len) {
2540 if (*from != '"') {
2541 **to = *from;
2542 *to += 1;
2543 }
2544 from += 1;
2545 current_size += 1;
2546 }
2547 }
2548
selinux_sb_copy_data(char * orig,char * copy)2549 static int selinux_sb_copy_data(char *orig, char *copy)
2550 {
2551 int fnosec, fsec, rc = 0;
2552 char *in_save, *in_curr, *in_end;
2553 char *sec_curr, *nosec_save, *nosec;
2554 int open_quote = 0;
2555
2556 in_curr = orig;
2557 sec_curr = copy;
2558
2559 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2560 if (!nosec) {
2561 rc = -ENOMEM;
2562 goto out;
2563 }
2564
2565 nosec_save = nosec;
2566 fnosec = fsec = 1;
2567 in_save = in_end = orig;
2568
2569 do {
2570 if (*in_end == '"')
2571 open_quote = !open_quote;
2572 if ((*in_end == ',' && open_quote == 0) ||
2573 *in_end == '\0') {
2574 int len = in_end - in_curr;
2575
2576 if (selinux_option(in_curr, len))
2577 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2578 else
2579 take_option(&nosec, in_curr, &fnosec, len);
2580
2581 in_curr = in_end + 1;
2582 }
2583 } while (*in_end++);
2584
2585 strcpy(in_save, nosec_save);
2586 free_page((unsigned long)nosec_save);
2587 out:
2588 return rc;
2589 }
2590
selinux_sb_remount(struct super_block * sb,void * data)2591 static int selinux_sb_remount(struct super_block *sb, void *data)
2592 {
2593 int rc, i, *flags;
2594 struct security_mnt_opts opts;
2595 char *secdata, **mount_options;
2596 struct superblock_security_struct *sbsec = sb->s_security;
2597
2598 if (!(sbsec->flags & SE_SBINITIALIZED))
2599 return 0;
2600
2601 if (!data)
2602 return 0;
2603
2604 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2605 return 0;
2606
2607 security_init_mnt_opts(&opts);
2608 secdata = alloc_secdata();
2609 if (!secdata)
2610 return -ENOMEM;
2611 rc = selinux_sb_copy_data(data, secdata);
2612 if (rc)
2613 goto out_free_secdata;
2614
2615 rc = selinux_parse_opts_str(secdata, &opts);
2616 if (rc)
2617 goto out_free_secdata;
2618
2619 mount_options = opts.mnt_opts;
2620 flags = opts.mnt_opts_flags;
2621
2622 for (i = 0; i < opts.num_mnt_opts; i++) {
2623 u32 sid;
2624
2625 if (flags[i] == SBLABEL_MNT)
2626 continue;
2627 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2628 if (rc) {
2629 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2630 "(%s) failed for (dev %s, type %s) errno=%d\n",
2631 mount_options[i], sb->s_id, sb->s_type->name, rc);
2632 goto out_free_opts;
2633 }
2634 rc = -EINVAL;
2635 switch (flags[i]) {
2636 case FSCONTEXT_MNT:
2637 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2638 goto out_bad_option;
2639 break;
2640 case CONTEXT_MNT:
2641 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2642 goto out_bad_option;
2643 break;
2644 case ROOTCONTEXT_MNT: {
2645 struct inode_security_struct *root_isec;
2646 root_isec = d_backing_inode(sb->s_root)->i_security;
2647
2648 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2649 goto out_bad_option;
2650 break;
2651 }
2652 case DEFCONTEXT_MNT:
2653 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2654 goto out_bad_option;
2655 break;
2656 default:
2657 goto out_free_opts;
2658 }
2659 }
2660
2661 rc = 0;
2662 out_free_opts:
2663 security_free_mnt_opts(&opts);
2664 out_free_secdata:
2665 free_secdata(secdata);
2666 return rc;
2667 out_bad_option:
2668 printk(KERN_WARNING "SELinux: unable to change security options "
2669 "during remount (dev %s, type=%s)\n", sb->s_id,
2670 sb->s_type->name);
2671 goto out_free_opts;
2672 }
2673
selinux_sb_kern_mount(struct super_block * sb,int flags,void * data)2674 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2675 {
2676 const struct cred *cred = current_cred();
2677 struct common_audit_data ad;
2678 int rc;
2679
2680 rc = superblock_doinit(sb, data);
2681 if (rc)
2682 return rc;
2683
2684 /* Allow all mounts performed by the kernel */
2685 if (flags & MS_KERNMOUNT)
2686 return 0;
2687
2688 ad.type = LSM_AUDIT_DATA_DENTRY;
2689 ad.u.dentry = sb->s_root;
2690 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2691 }
2692
selinux_sb_statfs(struct dentry * dentry)2693 static int selinux_sb_statfs(struct dentry *dentry)
2694 {
2695 const struct cred *cred = current_cred();
2696 struct common_audit_data ad;
2697
2698 ad.type = LSM_AUDIT_DATA_DENTRY;
2699 ad.u.dentry = dentry->d_sb->s_root;
2700 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2701 }
2702
selinux_mount(const char * dev_name,struct path * path,const char * type,unsigned long flags,void * data)2703 static int selinux_mount(const char *dev_name,
2704 struct path *path,
2705 const char *type,
2706 unsigned long flags,
2707 void *data)
2708 {
2709 const struct cred *cred = current_cred();
2710
2711 if (flags & MS_REMOUNT)
2712 return superblock_has_perm(cred, path->dentry->d_sb,
2713 FILESYSTEM__REMOUNT, NULL);
2714 else
2715 return path_has_perm(cred, path, FILE__MOUNTON);
2716 }
2717
selinux_umount(struct vfsmount * mnt,int flags)2718 static int selinux_umount(struct vfsmount *mnt, int flags)
2719 {
2720 const struct cred *cred = current_cred();
2721
2722 return superblock_has_perm(cred, mnt->mnt_sb,
2723 FILESYSTEM__UNMOUNT, NULL);
2724 }
2725
2726 /* inode security operations */
2727
selinux_inode_alloc_security(struct inode * inode)2728 static int selinux_inode_alloc_security(struct inode *inode)
2729 {
2730 return inode_alloc_security(inode);
2731 }
2732
selinux_inode_free_security(struct inode * inode)2733 static void selinux_inode_free_security(struct inode *inode)
2734 {
2735 inode_free_security(inode);
2736 }
2737
selinux_dentry_init_security(struct dentry * dentry,int mode,struct qstr * name,void ** ctx,u32 * ctxlen)2738 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2739 struct qstr *name, void **ctx,
2740 u32 *ctxlen)
2741 {
2742 u32 newsid;
2743 int rc;
2744
2745 rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
2746 inode_mode_to_security_class(mode),
2747 &newsid);
2748 if (rc)
2749 return rc;
2750
2751 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2752 }
2753
selinux_inode_init_security(struct inode * inode,struct inode * dir,const struct qstr * qstr,const char ** name,void ** value,size_t * len)2754 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2755 const struct qstr *qstr,
2756 const char **name,
2757 void **value, size_t *len)
2758 {
2759 const struct task_security_struct *tsec = current_security();
2760 struct inode_security_struct *dsec;
2761 struct superblock_security_struct *sbsec;
2762 u32 sid, newsid, clen;
2763 int rc;
2764 char *context;
2765
2766 dsec = dir->i_security;
2767 sbsec = dir->i_sb->s_security;
2768
2769 sid = tsec->sid;
2770 newsid = tsec->create_sid;
2771
2772 rc = selinux_determine_inode_label(
2773 dir, qstr,
2774 inode_mode_to_security_class(inode->i_mode),
2775 &newsid);
2776 if (rc)
2777 return rc;
2778
2779 /* Possibly defer initialization to selinux_complete_init. */
2780 if (sbsec->flags & SE_SBINITIALIZED) {
2781 struct inode_security_struct *isec = inode->i_security;
2782 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2783 isec->sid = newsid;
2784 isec->initialized = 1;
2785 }
2786
2787 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2788 return -EOPNOTSUPP;
2789
2790 if (name)
2791 *name = XATTR_SELINUX_SUFFIX;
2792
2793 if (value && len) {
2794 rc = security_sid_to_context_force(newsid, &context, &clen);
2795 if (rc)
2796 return rc;
2797 *value = context;
2798 *len = clen;
2799 }
2800
2801 return 0;
2802 }
2803
selinux_inode_create(struct inode * dir,struct dentry * dentry,umode_t mode)2804 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2805 {
2806 return may_create(dir, dentry, SECCLASS_FILE);
2807 }
2808
selinux_inode_link(struct dentry * old_dentry,struct inode * dir,struct dentry * new_dentry)2809 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2810 {
2811 return may_link(dir, old_dentry, MAY_LINK);
2812 }
2813
selinux_inode_unlink(struct inode * dir,struct dentry * dentry)2814 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2815 {
2816 return may_link(dir, dentry, MAY_UNLINK);
2817 }
2818
selinux_inode_symlink(struct inode * dir,struct dentry * dentry,const char * name)2819 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2820 {
2821 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2822 }
2823
selinux_inode_mkdir(struct inode * dir,struct dentry * dentry,umode_t mask)2824 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2825 {
2826 return may_create(dir, dentry, SECCLASS_DIR);
2827 }
2828
selinux_inode_rmdir(struct inode * dir,struct dentry * dentry)2829 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2830 {
2831 return may_link(dir, dentry, MAY_RMDIR);
2832 }
2833
selinux_inode_mknod(struct inode * dir,struct dentry * dentry,umode_t mode,dev_t dev)2834 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2835 {
2836 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2837 }
2838
selinux_inode_rename(struct inode * old_inode,struct dentry * old_dentry,struct inode * new_inode,struct dentry * new_dentry)2839 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2840 struct inode *new_inode, struct dentry *new_dentry)
2841 {
2842 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2843 }
2844
selinux_inode_readlink(struct dentry * dentry)2845 static int selinux_inode_readlink(struct dentry *dentry)
2846 {
2847 const struct cred *cred = current_cred();
2848
2849 return dentry_has_perm(cred, dentry, FILE__READ);
2850 }
2851
selinux_inode_follow_link(struct dentry * dentry,struct inode * inode,bool rcu)2852 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2853 bool rcu)
2854 {
2855 const struct cred *cred = current_cred();
2856 struct common_audit_data ad;
2857 struct inode_security_struct *isec;
2858 u32 sid;
2859
2860 validate_creds(cred);
2861
2862 ad.type = LSM_AUDIT_DATA_DENTRY;
2863 ad.u.dentry = dentry;
2864 sid = cred_sid(cred);
2865 isec = inode->i_security;
2866
2867 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2868 rcu ? MAY_NOT_BLOCK : 0);
2869 }
2870
audit_inode_permission(struct inode * inode,u32 perms,u32 audited,u32 denied,int result,unsigned flags)2871 static noinline int audit_inode_permission(struct inode *inode,
2872 u32 perms, u32 audited, u32 denied,
2873 int result,
2874 unsigned flags)
2875 {
2876 struct common_audit_data ad;
2877 struct inode_security_struct *isec = inode->i_security;
2878 int rc;
2879
2880 ad.type = LSM_AUDIT_DATA_INODE;
2881 ad.u.inode = inode;
2882
2883 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2884 audited, denied, result, &ad, flags);
2885 if (rc)
2886 return rc;
2887 return 0;
2888 }
2889
selinux_inode_permission(struct inode * inode,int mask)2890 static int selinux_inode_permission(struct inode *inode, int mask)
2891 {
2892 const struct cred *cred = current_cred();
2893 u32 perms;
2894 bool from_access;
2895 unsigned flags = mask & MAY_NOT_BLOCK;
2896 struct inode_security_struct *isec;
2897 u32 sid;
2898 struct av_decision avd;
2899 int rc, rc2;
2900 u32 audited, denied;
2901
2902 from_access = mask & MAY_ACCESS;
2903 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2904
2905 /* No permission to check. Existence test. */
2906 if (!mask)
2907 return 0;
2908
2909 validate_creds(cred);
2910
2911 if (unlikely(IS_PRIVATE(inode)))
2912 return 0;
2913
2914 perms = file_mask_to_av(inode->i_mode, mask);
2915
2916 sid = cred_sid(cred);
2917 isec = inode->i_security;
2918
2919 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2920 audited = avc_audit_required(perms, &avd, rc,
2921 from_access ? FILE__AUDIT_ACCESS : 0,
2922 &denied);
2923 if (likely(!audited))
2924 return rc;
2925
2926 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2927 if (rc2)
2928 return rc2;
2929 return rc;
2930 }
2931
selinux_inode_setattr(struct dentry * dentry,struct iattr * iattr)2932 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2933 {
2934 const struct cred *cred = current_cred();
2935 struct inode *inode = d_backing_inode(dentry);
2936 unsigned int ia_valid = iattr->ia_valid;
2937 __u32 av = FILE__WRITE;
2938
2939 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2940 if (ia_valid & ATTR_FORCE) {
2941 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2942 ATTR_FORCE);
2943 if (!ia_valid)
2944 return 0;
2945 }
2946
2947 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2948 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2949 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2950
2951 if (selinux_policycap_openperm &&
2952 inode->i_sb->s_magic != SOCKFS_MAGIC &&
2953 (ia_valid & ATTR_SIZE) &&
2954 !(ia_valid & ATTR_FILE))
2955 av |= FILE__OPEN;
2956
2957 return dentry_has_perm(cred, dentry, av);
2958 }
2959
selinux_inode_getattr(const struct path * path)2960 static int selinux_inode_getattr(const struct path *path)
2961 {
2962 return path_has_perm(current_cred(), path, FILE__GETATTR);
2963 }
2964
selinux_inode_setotherxattr(struct dentry * dentry,const char * name)2965 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2966 {
2967 const struct cred *cred = current_cred();
2968
2969 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2970 sizeof XATTR_SECURITY_PREFIX - 1)) {
2971 if (!strcmp(name, XATTR_NAME_CAPS)) {
2972 if (!capable(CAP_SETFCAP))
2973 return -EPERM;
2974 } else if (!capable(CAP_SYS_ADMIN)) {
2975 /* A different attribute in the security namespace.
2976 Restrict to administrator. */
2977 return -EPERM;
2978 }
2979 }
2980
2981 /* Not an attribute we recognize, so just check the
2982 ordinary setattr permission. */
2983 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2984 }
2985
selinux_inode_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)2986 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2987 const void *value, size_t size, int flags)
2988 {
2989 struct inode *inode = d_backing_inode(dentry);
2990 struct inode_security_struct *isec = inode->i_security;
2991 struct superblock_security_struct *sbsec;
2992 struct common_audit_data ad;
2993 u32 newsid, sid = current_sid();
2994 int rc = 0;
2995
2996 if (strcmp(name, XATTR_NAME_SELINUX))
2997 return selinux_inode_setotherxattr(dentry, name);
2998
2999 sbsec = inode->i_sb->s_security;
3000 if (!(sbsec->flags & SBLABEL_MNT))
3001 return -EOPNOTSUPP;
3002
3003 if (!inode_owner_or_capable(inode))
3004 return -EPERM;
3005
3006 ad.type = LSM_AUDIT_DATA_DENTRY;
3007 ad.u.dentry = dentry;
3008
3009 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3010 FILE__RELABELFROM, &ad);
3011 if (rc)
3012 return rc;
3013
3014 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3015 if (rc == -EINVAL) {
3016 if (!capable(CAP_MAC_ADMIN)) {
3017 struct audit_buffer *ab;
3018 size_t audit_size;
3019 const char *str;
3020
3021 /* We strip a nul only if it is at the end, otherwise the
3022 * context contains a nul and we should audit that */
3023 if (value) {
3024 str = value;
3025 if (str[size - 1] == '\0')
3026 audit_size = size - 1;
3027 else
3028 audit_size = size;
3029 } else {
3030 str = "";
3031 audit_size = 0;
3032 }
3033 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3034 audit_log_format(ab, "op=setxattr invalid_context=");
3035 audit_log_n_untrustedstring(ab, value, audit_size);
3036 audit_log_end(ab);
3037
3038 return rc;
3039 }
3040 rc = security_context_to_sid_force(value, size, &newsid);
3041 }
3042 if (rc)
3043 return rc;
3044
3045 rc = avc_has_perm(sid, newsid, isec->sclass,
3046 FILE__RELABELTO, &ad);
3047 if (rc)
3048 return rc;
3049
3050 rc = security_validate_transition(isec->sid, newsid, sid,
3051 isec->sclass);
3052 if (rc)
3053 return rc;
3054
3055 return avc_has_perm(newsid,
3056 sbsec->sid,
3057 SECCLASS_FILESYSTEM,
3058 FILESYSTEM__ASSOCIATE,
3059 &ad);
3060 }
3061
selinux_inode_post_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)3062 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3063 const void *value, size_t size,
3064 int flags)
3065 {
3066 struct inode *inode = d_backing_inode(dentry);
3067 struct inode_security_struct *isec = inode->i_security;
3068 u32 newsid;
3069 int rc;
3070
3071 if (strcmp(name, XATTR_NAME_SELINUX)) {
3072 /* Not an attribute we recognize, so nothing to do. */
3073 return;
3074 }
3075
3076 rc = security_context_to_sid_force(value, size, &newsid);
3077 if (rc) {
3078 printk(KERN_ERR "SELinux: unable to map context to SID"
3079 "for (%s, %lu), rc=%d\n",
3080 inode->i_sb->s_id, inode->i_ino, -rc);
3081 return;
3082 }
3083
3084 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3085 isec->sid = newsid;
3086 isec->initialized = 1;
3087
3088 return;
3089 }
3090
selinux_inode_getxattr(struct dentry * dentry,const char * name)3091 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3092 {
3093 const struct cred *cred = current_cred();
3094
3095 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3096 }
3097
selinux_inode_listxattr(struct dentry * dentry)3098 static int selinux_inode_listxattr(struct dentry *dentry)
3099 {
3100 const struct cred *cred = current_cred();
3101
3102 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3103 }
3104
selinux_inode_removexattr(struct dentry * dentry,const char * name)3105 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3106 {
3107 if (strcmp(name, XATTR_NAME_SELINUX))
3108 return selinux_inode_setotherxattr(dentry, name);
3109
3110 /* No one is allowed to remove a SELinux security label.
3111 You can change the label, but all data must be labeled. */
3112 return -EACCES;
3113 }
3114
3115 /*
3116 * Copy the inode security context value to the user.
3117 *
3118 * Permission check is handled by selinux_inode_getxattr hook.
3119 */
selinux_inode_getsecurity(const struct inode * inode,const char * name,void ** buffer,bool alloc)3120 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
3121 {
3122 u32 size;
3123 int error;
3124 char *context = NULL;
3125 struct inode_security_struct *isec = inode->i_security;
3126
3127 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3128 return -EOPNOTSUPP;
3129
3130 /*
3131 * If the caller has CAP_MAC_ADMIN, then get the raw context
3132 * value even if it is not defined by current policy; otherwise,
3133 * use the in-core value under current policy.
3134 * Use the non-auditing forms of the permission checks since
3135 * getxattr may be called by unprivileged processes commonly
3136 * and lack of permission just means that we fall back to the
3137 * in-core context value, not a denial.
3138 */
3139 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3140 SECURITY_CAP_NOAUDIT);
3141 if (!error)
3142 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3143 SECURITY_CAP_NOAUDIT);
3144 if (!error)
3145 error = security_sid_to_context_force(isec->sid, &context,
3146 &size);
3147 else
3148 error = security_sid_to_context(isec->sid, &context, &size);
3149 if (error)
3150 return error;
3151 error = size;
3152 if (alloc) {
3153 *buffer = context;
3154 goto out_nofree;
3155 }
3156 kfree(context);
3157 out_nofree:
3158 return error;
3159 }
3160
selinux_inode_setsecurity(struct inode * inode,const char * name,const void * value,size_t size,int flags)3161 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3162 const void *value, size_t size, int flags)
3163 {
3164 struct inode_security_struct *isec = inode->i_security;
3165 u32 newsid;
3166 int rc;
3167
3168 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3169 return -EOPNOTSUPP;
3170
3171 if (!value || !size)
3172 return -EACCES;
3173
3174 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3175 if (rc)
3176 return rc;
3177
3178 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3179 isec->sid = newsid;
3180 isec->initialized = 1;
3181 return 0;
3182 }
3183
selinux_inode_listsecurity(struct inode * inode,char * buffer,size_t buffer_size)3184 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3185 {
3186 const int len = sizeof(XATTR_NAME_SELINUX);
3187 if (buffer && len <= buffer_size)
3188 memcpy(buffer, XATTR_NAME_SELINUX, len);
3189 return len;
3190 }
3191
selinux_inode_getsecid(const struct inode * inode,u32 * secid)3192 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3193 {
3194 struct inode_security_struct *isec = inode->i_security;
3195 *secid = isec->sid;
3196 }
3197
3198 /* file security operations */
3199
selinux_revalidate_file_permission(struct file * file,int mask)3200 static int selinux_revalidate_file_permission(struct file *file, int mask)
3201 {
3202 const struct cred *cred = current_cred();
3203 struct inode *inode = file_inode(file);
3204
3205 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3206 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3207 mask |= MAY_APPEND;
3208
3209 return file_has_perm(cred, file,
3210 file_mask_to_av(inode->i_mode, mask));
3211 }
3212
selinux_file_permission(struct file * file,int mask)3213 static int selinux_file_permission(struct file *file, int mask)
3214 {
3215 struct inode *inode = file_inode(file);
3216 struct file_security_struct *fsec = file->f_security;
3217 struct inode_security_struct *isec = inode->i_security;
3218 u32 sid = current_sid();
3219
3220 if (!mask)
3221 /* No permission to check. Existence test. */
3222 return 0;
3223
3224 if (sid == fsec->sid && fsec->isid == isec->sid &&
3225 fsec->pseqno == avc_policy_seqno())
3226 /* No change since file_open check. */
3227 return 0;
3228
3229 return selinux_revalidate_file_permission(file, mask);
3230 }
3231
selinux_file_alloc_security(struct file * file)3232 static int selinux_file_alloc_security(struct file *file)
3233 {
3234 return file_alloc_security(file);
3235 }
3236
selinux_file_free_security(struct file * file)3237 static void selinux_file_free_security(struct file *file)
3238 {
3239 file_free_security(file);
3240 }
3241
3242 /*
3243 * Check whether a task has the ioctl permission and cmd
3244 * operation to an inode.
3245 */
ioctl_has_perm(const struct cred * cred,struct file * file,u32 requested,u16 cmd)3246 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3247 u32 requested, u16 cmd)
3248 {
3249 struct common_audit_data ad;
3250 struct file_security_struct *fsec = file->f_security;
3251 struct inode *inode = file_inode(file);
3252 struct inode_security_struct *isec = inode->i_security;
3253 struct lsm_ioctlop_audit ioctl;
3254 u32 ssid = cred_sid(cred);
3255 int rc;
3256 u8 driver = cmd >> 8;
3257 u8 xperm = cmd & 0xff;
3258
3259 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3260 ad.u.op = &ioctl;
3261 ad.u.op->cmd = cmd;
3262 ad.u.op->path = file->f_path;
3263
3264 if (ssid != fsec->sid) {
3265 rc = avc_has_perm(ssid, fsec->sid,
3266 SECCLASS_FD,
3267 FD__USE,
3268 &ad);
3269 if (rc)
3270 goto out;
3271 }
3272
3273 if (unlikely(IS_PRIVATE(inode)))
3274 return 0;
3275
3276 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3277 requested, driver, xperm, &ad);
3278 out:
3279 return rc;
3280 }
3281
selinux_file_ioctl(struct file * file,unsigned int cmd,unsigned long arg)3282 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3283 unsigned long arg)
3284 {
3285 const struct cred *cred = current_cred();
3286 int error = 0;
3287
3288 switch (cmd) {
3289 case FIONREAD:
3290 /* fall through */
3291 case FIBMAP:
3292 /* fall through */
3293 case FIGETBSZ:
3294 /* fall through */
3295 case FS_IOC_GETFLAGS:
3296 /* fall through */
3297 case FS_IOC_GETVERSION:
3298 error = file_has_perm(cred, file, FILE__GETATTR);
3299 break;
3300
3301 case FS_IOC_SETFLAGS:
3302 /* fall through */
3303 case FS_IOC_SETVERSION:
3304 error = file_has_perm(cred, file, FILE__SETATTR);
3305 break;
3306
3307 /* sys_ioctl() checks */
3308 case FIONBIO:
3309 /* fall through */
3310 case FIOASYNC:
3311 error = file_has_perm(cred, file, 0);
3312 break;
3313
3314 case KDSKBENT:
3315 case KDSKBSENT:
3316 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3317 SECURITY_CAP_AUDIT);
3318 break;
3319
3320 /* default case assumes that the command will go
3321 * to the file's ioctl() function.
3322 */
3323 default:
3324 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3325 }
3326 return error;
3327 }
3328
3329 static int default_noexec;
3330
file_map_prot_check(struct file * file,unsigned long prot,int shared)3331 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3332 {
3333 const struct cred *cred = current_cred();
3334 int rc = 0;
3335
3336 if (default_noexec &&
3337 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3338 (!shared && (prot & PROT_WRITE)))) {
3339 /*
3340 * We are making executable an anonymous mapping or a
3341 * private file mapping that will also be writable.
3342 * This has an additional check.
3343 */
3344 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3345 if (rc)
3346 goto error;
3347 }
3348
3349 if (file) {
3350 /* read access is always possible with a mapping */
3351 u32 av = FILE__READ;
3352
3353 /* write access only matters if the mapping is shared */
3354 if (shared && (prot & PROT_WRITE))
3355 av |= FILE__WRITE;
3356
3357 if (prot & PROT_EXEC)
3358 av |= FILE__EXECUTE;
3359
3360 return file_has_perm(cred, file, av);
3361 }
3362
3363 error:
3364 return rc;
3365 }
3366
selinux_mmap_addr(unsigned long addr)3367 static int selinux_mmap_addr(unsigned long addr)
3368 {
3369 int rc = 0;
3370
3371 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3372 u32 sid = current_sid();
3373 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3374 MEMPROTECT__MMAP_ZERO, NULL);
3375 }
3376
3377 return rc;
3378 }
3379
selinux_mmap_file(struct file * file,unsigned long reqprot,unsigned long prot,unsigned long flags)3380 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3381 unsigned long prot, unsigned long flags)
3382 {
3383 if (selinux_checkreqprot)
3384 prot = reqprot;
3385
3386 return file_map_prot_check(file, prot,
3387 (flags & MAP_TYPE) == MAP_SHARED);
3388 }
3389
selinux_file_mprotect(struct vm_area_struct * vma,unsigned long reqprot,unsigned long prot)3390 static int selinux_file_mprotect(struct vm_area_struct *vma,
3391 unsigned long reqprot,
3392 unsigned long prot)
3393 {
3394 const struct cred *cred = current_cred();
3395
3396 if (selinux_checkreqprot)
3397 prot = reqprot;
3398
3399 if (default_noexec &&
3400 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3401 int rc = 0;
3402 if (vma->vm_start >= vma->vm_mm->start_brk &&
3403 vma->vm_end <= vma->vm_mm->brk) {
3404 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3405 } else if (!vma->vm_file &&
3406 vma->vm_start <= vma->vm_mm->start_stack &&
3407 vma->vm_end >= vma->vm_mm->start_stack) {
3408 rc = current_has_perm(current, PROCESS__EXECSTACK);
3409 } else if (vma->vm_file && vma->anon_vma) {
3410 /*
3411 * We are making executable a file mapping that has
3412 * had some COW done. Since pages might have been
3413 * written, check ability to execute the possibly
3414 * modified content. This typically should only
3415 * occur for text relocations.
3416 */
3417 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3418 }
3419 if (rc)
3420 return rc;
3421 }
3422
3423 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3424 }
3425
selinux_file_lock(struct file * file,unsigned int cmd)3426 static int selinux_file_lock(struct file *file, unsigned int cmd)
3427 {
3428 const struct cred *cred = current_cred();
3429
3430 return file_has_perm(cred, file, FILE__LOCK);
3431 }
3432
selinux_file_fcntl(struct file * file,unsigned int cmd,unsigned long arg)3433 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3434 unsigned long arg)
3435 {
3436 const struct cred *cred = current_cred();
3437 int err = 0;
3438
3439 switch (cmd) {
3440 case F_SETFL:
3441 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3442 err = file_has_perm(cred, file, FILE__WRITE);
3443 break;
3444 }
3445 /* fall through */
3446 case F_SETOWN:
3447 case F_SETSIG:
3448 case F_GETFL:
3449 case F_GETOWN:
3450 case F_GETSIG:
3451 case F_GETOWNER_UIDS:
3452 /* Just check FD__USE permission */
3453 err = file_has_perm(cred, file, 0);
3454 break;
3455 case F_GETLK:
3456 case F_SETLK:
3457 case F_SETLKW:
3458 case F_OFD_GETLK:
3459 case F_OFD_SETLK:
3460 case F_OFD_SETLKW:
3461 #if BITS_PER_LONG == 32
3462 case F_GETLK64:
3463 case F_SETLK64:
3464 case F_SETLKW64:
3465 #endif
3466 err = file_has_perm(cred, file, FILE__LOCK);
3467 break;
3468 }
3469
3470 return err;
3471 }
3472
selinux_file_set_fowner(struct file * file)3473 static void selinux_file_set_fowner(struct file *file)
3474 {
3475 struct file_security_struct *fsec;
3476
3477 fsec = file->f_security;
3478 fsec->fown_sid = current_sid();
3479 }
3480
selinux_file_send_sigiotask(struct task_struct * tsk,struct fown_struct * fown,int signum)3481 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3482 struct fown_struct *fown, int signum)
3483 {
3484 struct file *file;
3485 u32 sid = task_sid(tsk);
3486 u32 perm;
3487 struct file_security_struct *fsec;
3488
3489 /* struct fown_struct is never outside the context of a struct file */
3490 file = container_of(fown, struct file, f_owner);
3491
3492 fsec = file->f_security;
3493
3494 if (!signum)
3495 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3496 else
3497 perm = signal_to_av(signum);
3498
3499 return avc_has_perm(fsec->fown_sid, sid,
3500 SECCLASS_PROCESS, perm, NULL);
3501 }
3502
selinux_file_receive(struct file * file)3503 static int selinux_file_receive(struct file *file)
3504 {
3505 const struct cred *cred = current_cred();
3506
3507 return file_has_perm(cred, file, file_to_av(file));
3508 }
3509
selinux_file_open(struct file * file,const struct cred * cred)3510 static int selinux_file_open(struct file *file, const struct cred *cred)
3511 {
3512 struct file_security_struct *fsec;
3513 struct inode_security_struct *isec;
3514
3515 fsec = file->f_security;
3516 isec = file_inode(file)->i_security;
3517 /*
3518 * Save inode label and policy sequence number
3519 * at open-time so that selinux_file_permission
3520 * can determine whether revalidation is necessary.
3521 * Task label is already saved in the file security
3522 * struct as its SID.
3523 */
3524 fsec->isid = isec->sid;
3525 fsec->pseqno = avc_policy_seqno();
3526 /*
3527 * Since the inode label or policy seqno may have changed
3528 * between the selinux_inode_permission check and the saving
3529 * of state above, recheck that access is still permitted.
3530 * Otherwise, access might never be revalidated against the
3531 * new inode label or new policy.
3532 * This check is not redundant - do not remove.
3533 */
3534 return file_path_has_perm(cred, file, open_file_to_av(file));
3535 }
3536
3537 /* task security operations */
3538
selinux_task_create(unsigned long clone_flags)3539 static int selinux_task_create(unsigned long clone_flags)
3540 {
3541 return current_has_perm(current, PROCESS__FORK);
3542 }
3543
3544 /*
3545 * allocate the SELinux part of blank credentials
3546 */
selinux_cred_alloc_blank(struct cred * cred,gfp_t gfp)3547 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3548 {
3549 struct task_security_struct *tsec;
3550
3551 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3552 if (!tsec)
3553 return -ENOMEM;
3554
3555 cred->security = tsec;
3556 return 0;
3557 }
3558
3559 /*
3560 * detach and free the LSM part of a set of credentials
3561 */
selinux_cred_free(struct cred * cred)3562 static void selinux_cred_free(struct cred *cred)
3563 {
3564 struct task_security_struct *tsec = cred->security;
3565
3566 /*
3567 * cred->security == NULL if security_cred_alloc_blank() or
3568 * security_prepare_creds() returned an error.
3569 */
3570 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3571 cred->security = (void *) 0x7UL;
3572 kfree(tsec);
3573 }
3574
3575 /*
3576 * prepare a new set of credentials for modification
3577 */
selinux_cred_prepare(struct cred * new,const struct cred * old,gfp_t gfp)3578 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3579 gfp_t gfp)
3580 {
3581 const struct task_security_struct *old_tsec;
3582 struct task_security_struct *tsec;
3583
3584 old_tsec = old->security;
3585
3586 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3587 if (!tsec)
3588 return -ENOMEM;
3589
3590 new->security = tsec;
3591 return 0;
3592 }
3593
3594 /*
3595 * transfer the SELinux data to a blank set of creds
3596 */
selinux_cred_transfer(struct cred * new,const struct cred * old)3597 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3598 {
3599 const struct task_security_struct *old_tsec = old->security;
3600 struct task_security_struct *tsec = new->security;
3601
3602 *tsec = *old_tsec;
3603 }
3604
3605 /*
3606 * set the security data for a kernel service
3607 * - all the creation contexts are set to unlabelled
3608 */
selinux_kernel_act_as(struct cred * new,u32 secid)3609 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3610 {
3611 struct task_security_struct *tsec = new->security;
3612 u32 sid = current_sid();
3613 int ret;
3614
3615 ret = avc_has_perm(sid, secid,
3616 SECCLASS_KERNEL_SERVICE,
3617 KERNEL_SERVICE__USE_AS_OVERRIDE,
3618 NULL);
3619 if (ret == 0) {
3620 tsec->sid = secid;
3621 tsec->create_sid = 0;
3622 tsec->keycreate_sid = 0;
3623 tsec->sockcreate_sid = 0;
3624 }
3625 return ret;
3626 }
3627
3628 /*
3629 * set the file creation context in a security record to the same as the
3630 * objective context of the specified inode
3631 */
selinux_kernel_create_files_as(struct cred * new,struct inode * inode)3632 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3633 {
3634 struct inode_security_struct *isec = inode->i_security;
3635 struct task_security_struct *tsec = new->security;
3636 u32 sid = current_sid();
3637 int ret;
3638
3639 ret = avc_has_perm(sid, isec->sid,
3640 SECCLASS_KERNEL_SERVICE,
3641 KERNEL_SERVICE__CREATE_FILES_AS,
3642 NULL);
3643
3644 if (ret == 0)
3645 tsec->create_sid = isec->sid;
3646 return ret;
3647 }
3648
selinux_kernel_module_request(char * kmod_name)3649 static int selinux_kernel_module_request(char *kmod_name)
3650 {
3651 u32 sid;
3652 struct common_audit_data ad;
3653
3654 sid = task_sid(current);
3655
3656 ad.type = LSM_AUDIT_DATA_KMOD;
3657 ad.u.kmod_name = kmod_name;
3658
3659 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3660 SYSTEM__MODULE_REQUEST, &ad);
3661 }
3662
selinux_kernel_module_from_file(struct file * file)3663 static int selinux_kernel_module_from_file(struct file *file)
3664 {
3665 struct common_audit_data ad;
3666 struct inode_security_struct *isec;
3667 struct file_security_struct *fsec;
3668 struct inode *inode;
3669 u32 sid = current_sid();
3670 int rc;
3671
3672 /* init_module */
3673 if (file == NULL)
3674 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3675 SYSTEM__MODULE_LOAD, NULL);
3676
3677 /* finit_module */
3678 ad.type = LSM_AUDIT_DATA_PATH;
3679 ad.u.path = file->f_path;
3680
3681 inode = file_inode(file);
3682 isec = inode->i_security;
3683 fsec = file->f_security;
3684
3685 if (sid != fsec->sid) {
3686 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3687 if (rc)
3688 return rc;
3689 }
3690
3691 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3692 SYSTEM__MODULE_LOAD, &ad);
3693 }
3694
selinux_task_setpgid(struct task_struct * p,pid_t pgid)3695 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3696 {
3697 return current_has_perm(p, PROCESS__SETPGID);
3698 }
3699
selinux_task_getpgid(struct task_struct * p)3700 static int selinux_task_getpgid(struct task_struct *p)
3701 {
3702 return current_has_perm(p, PROCESS__GETPGID);
3703 }
3704
selinux_task_getsid(struct task_struct * p)3705 static int selinux_task_getsid(struct task_struct *p)
3706 {
3707 return current_has_perm(p, PROCESS__GETSESSION);
3708 }
3709
selinux_task_getsecid(struct task_struct * p,u32 * secid)3710 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3711 {
3712 *secid = task_sid(p);
3713 }
3714
selinux_task_setnice(struct task_struct * p,int nice)3715 static int selinux_task_setnice(struct task_struct *p, int nice)
3716 {
3717 return current_has_perm(p, PROCESS__SETSCHED);
3718 }
3719
selinux_task_setioprio(struct task_struct * p,int ioprio)3720 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3721 {
3722 return current_has_perm(p, PROCESS__SETSCHED);
3723 }
3724
selinux_task_getioprio(struct task_struct * p)3725 static int selinux_task_getioprio(struct task_struct *p)
3726 {
3727 return current_has_perm(p, PROCESS__GETSCHED);
3728 }
3729
selinux_task_setrlimit(struct task_struct * p,unsigned int resource,struct rlimit * new_rlim)3730 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3731 struct rlimit *new_rlim)
3732 {
3733 struct rlimit *old_rlim = p->signal->rlim + resource;
3734
3735 /* Control the ability to change the hard limit (whether
3736 lowering or raising it), so that the hard limit can
3737 later be used as a safe reset point for the soft limit
3738 upon context transitions. See selinux_bprm_committing_creds. */
3739 if (old_rlim->rlim_max != new_rlim->rlim_max)
3740 return current_has_perm(p, PROCESS__SETRLIMIT);
3741
3742 return 0;
3743 }
3744
selinux_task_setscheduler(struct task_struct * p)3745 static int selinux_task_setscheduler(struct task_struct *p)
3746 {
3747 return current_has_perm(p, PROCESS__SETSCHED);
3748 }
3749
selinux_task_getscheduler(struct task_struct * p)3750 static int selinux_task_getscheduler(struct task_struct *p)
3751 {
3752 return current_has_perm(p, PROCESS__GETSCHED);
3753 }
3754
selinux_task_movememory(struct task_struct * p)3755 static int selinux_task_movememory(struct task_struct *p)
3756 {
3757 return current_has_perm(p, PROCESS__SETSCHED);
3758 }
3759
selinux_task_kill(struct task_struct * p,struct siginfo * info,int sig,u32 secid)3760 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3761 int sig, u32 secid)
3762 {
3763 u32 perm;
3764 int rc;
3765
3766 if (!sig)
3767 perm = PROCESS__SIGNULL; /* null signal; existence test */
3768 else
3769 perm = signal_to_av(sig);
3770 if (secid)
3771 rc = avc_has_perm(secid, task_sid(p),
3772 SECCLASS_PROCESS, perm, NULL);
3773 else
3774 rc = current_has_perm(p, perm);
3775 return rc;
3776 }
3777
selinux_task_wait(struct task_struct * p)3778 static int selinux_task_wait(struct task_struct *p)
3779 {
3780 return task_has_perm(p, current, PROCESS__SIGCHLD);
3781 }
3782
selinux_task_to_inode(struct task_struct * p,struct inode * inode)3783 static void selinux_task_to_inode(struct task_struct *p,
3784 struct inode *inode)
3785 {
3786 struct inode_security_struct *isec = inode->i_security;
3787 u32 sid = task_sid(p);
3788
3789 isec->sid = sid;
3790 isec->initialized = 1;
3791 }
3792
3793 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv4(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)3794 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3795 struct common_audit_data *ad, u8 *proto)
3796 {
3797 int offset, ihlen, ret = -EINVAL;
3798 struct iphdr _iph, *ih;
3799
3800 offset = skb_network_offset(skb);
3801 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3802 if (ih == NULL)
3803 goto out;
3804
3805 ihlen = ih->ihl * 4;
3806 if (ihlen < sizeof(_iph))
3807 goto out;
3808
3809 ad->u.net->v4info.saddr = ih->saddr;
3810 ad->u.net->v4info.daddr = ih->daddr;
3811 ret = 0;
3812
3813 if (proto)
3814 *proto = ih->protocol;
3815
3816 switch (ih->protocol) {
3817 case IPPROTO_TCP: {
3818 struct tcphdr _tcph, *th;
3819
3820 if (ntohs(ih->frag_off) & IP_OFFSET)
3821 break;
3822
3823 offset += ihlen;
3824 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3825 if (th == NULL)
3826 break;
3827
3828 ad->u.net->sport = th->source;
3829 ad->u.net->dport = th->dest;
3830 break;
3831 }
3832
3833 case IPPROTO_UDP: {
3834 struct udphdr _udph, *uh;
3835
3836 if (ntohs(ih->frag_off) & IP_OFFSET)
3837 break;
3838
3839 offset += ihlen;
3840 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3841 if (uh == NULL)
3842 break;
3843
3844 ad->u.net->sport = uh->source;
3845 ad->u.net->dport = uh->dest;
3846 break;
3847 }
3848
3849 case IPPROTO_DCCP: {
3850 struct dccp_hdr _dccph, *dh;
3851
3852 if (ntohs(ih->frag_off) & IP_OFFSET)
3853 break;
3854
3855 offset += ihlen;
3856 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3857 if (dh == NULL)
3858 break;
3859
3860 ad->u.net->sport = dh->dccph_sport;
3861 ad->u.net->dport = dh->dccph_dport;
3862 break;
3863 }
3864
3865 default:
3866 break;
3867 }
3868 out:
3869 return ret;
3870 }
3871
3872 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3873
3874 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv6(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)3875 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3876 struct common_audit_data *ad, u8 *proto)
3877 {
3878 u8 nexthdr;
3879 int ret = -EINVAL, offset;
3880 struct ipv6hdr _ipv6h, *ip6;
3881 __be16 frag_off;
3882
3883 offset = skb_network_offset(skb);
3884 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3885 if (ip6 == NULL)
3886 goto out;
3887
3888 ad->u.net->v6info.saddr = ip6->saddr;
3889 ad->u.net->v6info.daddr = ip6->daddr;
3890 ret = 0;
3891
3892 nexthdr = ip6->nexthdr;
3893 offset += sizeof(_ipv6h);
3894 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3895 if (offset < 0)
3896 goto out;
3897
3898 if (proto)
3899 *proto = nexthdr;
3900
3901 switch (nexthdr) {
3902 case IPPROTO_TCP: {
3903 struct tcphdr _tcph, *th;
3904
3905 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3906 if (th == NULL)
3907 break;
3908
3909 ad->u.net->sport = th->source;
3910 ad->u.net->dport = th->dest;
3911 break;
3912 }
3913
3914 case IPPROTO_UDP: {
3915 struct udphdr _udph, *uh;
3916
3917 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3918 if (uh == NULL)
3919 break;
3920
3921 ad->u.net->sport = uh->source;
3922 ad->u.net->dport = uh->dest;
3923 break;
3924 }
3925
3926 case IPPROTO_DCCP: {
3927 struct dccp_hdr _dccph, *dh;
3928
3929 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3930 if (dh == NULL)
3931 break;
3932
3933 ad->u.net->sport = dh->dccph_sport;
3934 ad->u.net->dport = dh->dccph_dport;
3935 break;
3936 }
3937
3938 /* includes fragments */
3939 default:
3940 break;
3941 }
3942 out:
3943 return ret;
3944 }
3945
3946 #endif /* IPV6 */
3947
selinux_parse_skb(struct sk_buff * skb,struct common_audit_data * ad,char ** _addrp,int src,u8 * proto)3948 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3949 char **_addrp, int src, u8 *proto)
3950 {
3951 char *addrp;
3952 int ret;
3953
3954 switch (ad->u.net->family) {
3955 case PF_INET:
3956 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3957 if (ret)
3958 goto parse_error;
3959 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3960 &ad->u.net->v4info.daddr);
3961 goto okay;
3962
3963 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3964 case PF_INET6:
3965 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3966 if (ret)
3967 goto parse_error;
3968 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3969 &ad->u.net->v6info.daddr);
3970 goto okay;
3971 #endif /* IPV6 */
3972 default:
3973 addrp = NULL;
3974 goto okay;
3975 }
3976
3977 parse_error:
3978 printk(KERN_WARNING
3979 "SELinux: failure in selinux_parse_skb(),"
3980 " unable to parse packet\n");
3981 return ret;
3982
3983 okay:
3984 if (_addrp)
3985 *_addrp = addrp;
3986 return 0;
3987 }
3988
3989 /**
3990 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3991 * @skb: the packet
3992 * @family: protocol family
3993 * @sid: the packet's peer label SID
3994 *
3995 * Description:
3996 * Check the various different forms of network peer labeling and determine
3997 * the peer label/SID for the packet; most of the magic actually occurs in
3998 * the security server function security_net_peersid_cmp(). The function
3999 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4000 * or -EACCES if @sid is invalid due to inconsistencies with the different
4001 * peer labels.
4002 *
4003 */
selinux_skb_peerlbl_sid(struct sk_buff * skb,u16 family,u32 * sid)4004 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4005 {
4006 int err;
4007 u32 xfrm_sid;
4008 u32 nlbl_sid;
4009 u32 nlbl_type;
4010
4011 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4012 if (unlikely(err))
4013 return -EACCES;
4014 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4015 if (unlikely(err))
4016 return -EACCES;
4017
4018 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4019 if (unlikely(err)) {
4020 printk(KERN_WARNING
4021 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4022 " unable to determine packet's peer label\n");
4023 return -EACCES;
4024 }
4025
4026 return 0;
4027 }
4028
4029 /**
4030 * selinux_conn_sid - Determine the child socket label for a connection
4031 * @sk_sid: the parent socket's SID
4032 * @skb_sid: the packet's SID
4033 * @conn_sid: the resulting connection SID
4034 *
4035 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4036 * combined with the MLS information from @skb_sid in order to create
4037 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4038 * of @sk_sid. Returns zero on success, negative values on failure.
4039 *
4040 */
selinux_conn_sid(u32 sk_sid,u32 skb_sid,u32 * conn_sid)4041 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4042 {
4043 int err = 0;
4044
4045 if (skb_sid != SECSID_NULL)
4046 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4047 else
4048 *conn_sid = sk_sid;
4049
4050 return err;
4051 }
4052
4053 /* socket security operations */
4054
socket_sockcreate_sid(const struct task_security_struct * tsec,u16 secclass,u32 * socksid)4055 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4056 u16 secclass, u32 *socksid)
4057 {
4058 if (tsec->sockcreate_sid > SECSID_NULL) {
4059 *socksid = tsec->sockcreate_sid;
4060 return 0;
4061 }
4062
4063 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4064 socksid);
4065 }
4066
sock_has_perm(struct task_struct * task,struct sock * sk,u32 perms)4067 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
4068 {
4069 struct sk_security_struct *sksec = sk->sk_security;
4070 struct common_audit_data ad;
4071 struct lsm_network_audit net = {0,};
4072 u32 tsid = task_sid(task);
4073
4074 if (!sksec)
4075 return -EFAULT;
4076 if (sksec->sid == SECINITSID_KERNEL)
4077 return 0;
4078
4079 ad.type = LSM_AUDIT_DATA_NET;
4080 ad.u.net = &net;
4081 ad.u.net->sk = sk;
4082
4083 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
4084 }
4085
selinux_socket_create(int family,int type,int protocol,int kern)4086 static int selinux_socket_create(int family, int type,
4087 int protocol, int kern)
4088 {
4089 const struct task_security_struct *tsec = current_security();
4090 u32 newsid;
4091 u16 secclass;
4092 int rc;
4093
4094 if (kern)
4095 return 0;
4096
4097 secclass = socket_type_to_security_class(family, type, protocol);
4098 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4099 if (rc)
4100 return rc;
4101
4102 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4103 }
4104
selinux_socket_post_create(struct socket * sock,int family,int type,int protocol,int kern)4105 static int selinux_socket_post_create(struct socket *sock, int family,
4106 int type, int protocol, int kern)
4107 {
4108 const struct task_security_struct *tsec = current_security();
4109 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4110 struct sk_security_struct *sksec;
4111 int err = 0;
4112
4113 isec->sclass = socket_type_to_security_class(family, type, protocol);
4114
4115 if (kern)
4116 isec->sid = SECINITSID_KERNEL;
4117 else {
4118 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4119 if (err)
4120 return err;
4121 }
4122
4123 isec->initialized = 1;
4124
4125 if (sock->sk) {
4126 sksec = sock->sk->sk_security;
4127 sksec->sid = isec->sid;
4128 sksec->sclass = isec->sclass;
4129 err = selinux_netlbl_socket_post_create(sock->sk, family);
4130 }
4131
4132 return err;
4133 }
4134
4135 /* Range of port numbers used to automatically bind.
4136 Need to determine whether we should perform a name_bind
4137 permission check between the socket and the port number. */
4138
selinux_socket_bind(struct socket * sock,struct sockaddr * address,int addrlen)4139 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4140 {
4141 struct sock *sk = sock->sk;
4142 u16 family;
4143 int err;
4144
4145 err = sock_has_perm(current, sk, SOCKET__BIND);
4146 if (err)
4147 goto out;
4148
4149 /*
4150 * If PF_INET or PF_INET6, check name_bind permission for the port.
4151 * Multiple address binding for SCTP is not supported yet: we just
4152 * check the first address now.
4153 */
4154 family = sk->sk_family;
4155 if (family == PF_INET || family == PF_INET6) {
4156 char *addrp;
4157 struct sk_security_struct *sksec = sk->sk_security;
4158 struct common_audit_data ad;
4159 struct lsm_network_audit net = {0,};
4160 struct sockaddr_in *addr4 = NULL;
4161 struct sockaddr_in6 *addr6 = NULL;
4162 unsigned short snum;
4163 u32 sid, node_perm;
4164
4165 if (family == PF_INET) {
4166 if (addrlen < sizeof(struct sockaddr_in)) {
4167 err = -EINVAL;
4168 goto out;
4169 }
4170 addr4 = (struct sockaddr_in *)address;
4171 snum = ntohs(addr4->sin_port);
4172 addrp = (char *)&addr4->sin_addr.s_addr;
4173 } else {
4174 if (addrlen < SIN6_LEN_RFC2133) {
4175 err = -EINVAL;
4176 goto out;
4177 }
4178 addr6 = (struct sockaddr_in6 *)address;
4179 snum = ntohs(addr6->sin6_port);
4180 addrp = (char *)&addr6->sin6_addr.s6_addr;
4181 }
4182
4183 if (snum) {
4184 int low, high;
4185
4186 inet_get_local_port_range(sock_net(sk), &low, &high);
4187
4188 if (snum < max(PROT_SOCK, low) || snum > high) {
4189 err = sel_netport_sid(sk->sk_protocol,
4190 snum, &sid);
4191 if (err)
4192 goto out;
4193 ad.type = LSM_AUDIT_DATA_NET;
4194 ad.u.net = &net;
4195 ad.u.net->sport = htons(snum);
4196 ad.u.net->family = family;
4197 err = avc_has_perm(sksec->sid, sid,
4198 sksec->sclass,
4199 SOCKET__NAME_BIND, &ad);
4200 if (err)
4201 goto out;
4202 }
4203 }
4204
4205 switch (sksec->sclass) {
4206 case SECCLASS_TCP_SOCKET:
4207 node_perm = TCP_SOCKET__NODE_BIND;
4208 break;
4209
4210 case SECCLASS_UDP_SOCKET:
4211 node_perm = UDP_SOCKET__NODE_BIND;
4212 break;
4213
4214 case SECCLASS_DCCP_SOCKET:
4215 node_perm = DCCP_SOCKET__NODE_BIND;
4216 break;
4217
4218 default:
4219 node_perm = RAWIP_SOCKET__NODE_BIND;
4220 break;
4221 }
4222
4223 err = sel_netnode_sid(addrp, family, &sid);
4224 if (err)
4225 goto out;
4226
4227 ad.type = LSM_AUDIT_DATA_NET;
4228 ad.u.net = &net;
4229 ad.u.net->sport = htons(snum);
4230 ad.u.net->family = family;
4231
4232 if (family == PF_INET)
4233 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4234 else
4235 ad.u.net->v6info.saddr = addr6->sin6_addr;
4236
4237 err = avc_has_perm(sksec->sid, sid,
4238 sksec->sclass, node_perm, &ad);
4239 if (err)
4240 goto out;
4241 }
4242 out:
4243 return err;
4244 }
4245
selinux_socket_connect(struct socket * sock,struct sockaddr * address,int addrlen)4246 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4247 {
4248 struct sock *sk = sock->sk;
4249 struct sk_security_struct *sksec = sk->sk_security;
4250 int err;
4251
4252 err = sock_has_perm(current, sk, SOCKET__CONNECT);
4253 if (err)
4254 return err;
4255
4256 /*
4257 * If a TCP or DCCP socket, check name_connect permission for the port.
4258 */
4259 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4260 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4261 struct common_audit_data ad;
4262 struct lsm_network_audit net = {0,};
4263 struct sockaddr_in *addr4 = NULL;
4264 struct sockaddr_in6 *addr6 = NULL;
4265 unsigned short snum;
4266 u32 sid, perm;
4267
4268 if (sk->sk_family == PF_INET) {
4269 addr4 = (struct sockaddr_in *)address;
4270 if (addrlen < sizeof(struct sockaddr_in))
4271 return -EINVAL;
4272 snum = ntohs(addr4->sin_port);
4273 } else {
4274 addr6 = (struct sockaddr_in6 *)address;
4275 if (addrlen < SIN6_LEN_RFC2133)
4276 return -EINVAL;
4277 snum = ntohs(addr6->sin6_port);
4278 }
4279
4280 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4281 if (err)
4282 goto out;
4283
4284 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4285 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4286
4287 ad.type = LSM_AUDIT_DATA_NET;
4288 ad.u.net = &net;
4289 ad.u.net->dport = htons(snum);
4290 ad.u.net->family = sk->sk_family;
4291 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4292 if (err)
4293 goto out;
4294 }
4295
4296 err = selinux_netlbl_socket_connect(sk, address);
4297
4298 out:
4299 return err;
4300 }
4301
selinux_socket_listen(struct socket * sock,int backlog)4302 static int selinux_socket_listen(struct socket *sock, int backlog)
4303 {
4304 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4305 }
4306
selinux_socket_accept(struct socket * sock,struct socket * newsock)4307 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4308 {
4309 int err;
4310 struct inode_security_struct *isec;
4311 struct inode_security_struct *newisec;
4312
4313 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4314 if (err)
4315 return err;
4316
4317 newisec = SOCK_INODE(newsock)->i_security;
4318
4319 isec = SOCK_INODE(sock)->i_security;
4320 newisec->sclass = isec->sclass;
4321 newisec->sid = isec->sid;
4322 newisec->initialized = 1;
4323
4324 return 0;
4325 }
4326
selinux_socket_sendmsg(struct socket * sock,struct msghdr * msg,int size)4327 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4328 int size)
4329 {
4330 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4331 }
4332
selinux_socket_recvmsg(struct socket * sock,struct msghdr * msg,int size,int flags)4333 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4334 int size, int flags)
4335 {
4336 return sock_has_perm(current, sock->sk, SOCKET__READ);
4337 }
4338
selinux_socket_getsockname(struct socket * sock)4339 static int selinux_socket_getsockname(struct socket *sock)
4340 {
4341 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4342 }
4343
selinux_socket_getpeername(struct socket * sock)4344 static int selinux_socket_getpeername(struct socket *sock)
4345 {
4346 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4347 }
4348
selinux_socket_setsockopt(struct socket * sock,int level,int optname)4349 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4350 {
4351 int err;
4352
4353 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4354 if (err)
4355 return err;
4356
4357 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4358 }
4359
selinux_socket_getsockopt(struct socket * sock,int level,int optname)4360 static int selinux_socket_getsockopt(struct socket *sock, int level,
4361 int optname)
4362 {
4363 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4364 }
4365
selinux_socket_shutdown(struct socket * sock,int how)4366 static int selinux_socket_shutdown(struct socket *sock, int how)
4367 {
4368 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4369 }
4370
selinux_socket_unix_stream_connect(struct sock * sock,struct sock * other,struct sock * newsk)4371 static int selinux_socket_unix_stream_connect(struct sock *sock,
4372 struct sock *other,
4373 struct sock *newsk)
4374 {
4375 struct sk_security_struct *sksec_sock = sock->sk_security;
4376 struct sk_security_struct *sksec_other = other->sk_security;
4377 struct sk_security_struct *sksec_new = newsk->sk_security;
4378 struct common_audit_data ad;
4379 struct lsm_network_audit net = {0,};
4380 int err;
4381
4382 ad.type = LSM_AUDIT_DATA_NET;
4383 ad.u.net = &net;
4384 ad.u.net->sk = other;
4385
4386 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4387 sksec_other->sclass,
4388 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4389 if (err)
4390 return err;
4391
4392 /* server child socket */
4393 sksec_new->peer_sid = sksec_sock->sid;
4394 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4395 &sksec_new->sid);
4396 if (err)
4397 return err;
4398
4399 /* connecting socket */
4400 sksec_sock->peer_sid = sksec_new->sid;
4401
4402 return 0;
4403 }
4404
selinux_socket_unix_may_send(struct socket * sock,struct socket * other)4405 static int selinux_socket_unix_may_send(struct socket *sock,
4406 struct socket *other)
4407 {
4408 struct sk_security_struct *ssec = sock->sk->sk_security;
4409 struct sk_security_struct *osec = other->sk->sk_security;
4410 struct common_audit_data ad;
4411 struct lsm_network_audit net = {0,};
4412
4413 ad.type = LSM_AUDIT_DATA_NET;
4414 ad.u.net = &net;
4415 ad.u.net->sk = other->sk;
4416
4417 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4418 &ad);
4419 }
4420
selinux_inet_sys_rcv_skb(struct net * ns,int ifindex,char * addrp,u16 family,u32 peer_sid,struct common_audit_data * ad)4421 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4422 char *addrp, u16 family, u32 peer_sid,
4423 struct common_audit_data *ad)
4424 {
4425 int err;
4426 u32 if_sid;
4427 u32 node_sid;
4428
4429 err = sel_netif_sid(ns, ifindex, &if_sid);
4430 if (err)
4431 return err;
4432 err = avc_has_perm(peer_sid, if_sid,
4433 SECCLASS_NETIF, NETIF__INGRESS, ad);
4434 if (err)
4435 return err;
4436
4437 err = sel_netnode_sid(addrp, family, &node_sid);
4438 if (err)
4439 return err;
4440 return avc_has_perm(peer_sid, node_sid,
4441 SECCLASS_NODE, NODE__RECVFROM, ad);
4442 }
4443
selinux_sock_rcv_skb_compat(struct sock * sk,struct sk_buff * skb,u16 family)4444 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4445 u16 family)
4446 {
4447 int err = 0;
4448 struct sk_security_struct *sksec = sk->sk_security;
4449 u32 sk_sid = sksec->sid;
4450 struct common_audit_data ad;
4451 struct lsm_network_audit net = {0,};
4452 char *addrp;
4453
4454 ad.type = LSM_AUDIT_DATA_NET;
4455 ad.u.net = &net;
4456 ad.u.net->netif = skb->skb_iif;
4457 ad.u.net->family = family;
4458 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4459 if (err)
4460 return err;
4461
4462 if (selinux_secmark_enabled()) {
4463 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4464 PACKET__RECV, &ad);
4465 if (err)
4466 return err;
4467 }
4468
4469 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4470 if (err)
4471 return err;
4472 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4473
4474 return err;
4475 }
4476
selinux_socket_sock_rcv_skb(struct sock * sk,struct sk_buff * skb)4477 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4478 {
4479 int err;
4480 struct sk_security_struct *sksec = sk->sk_security;
4481 u16 family = sk->sk_family;
4482 u32 sk_sid = sksec->sid;
4483 struct common_audit_data ad;
4484 struct lsm_network_audit net = {0,};
4485 char *addrp;
4486 u8 secmark_active;
4487 u8 peerlbl_active;
4488
4489 if (family != PF_INET && family != PF_INET6)
4490 return 0;
4491
4492 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4493 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4494 family = PF_INET;
4495
4496 /* If any sort of compatibility mode is enabled then handoff processing
4497 * to the selinux_sock_rcv_skb_compat() function to deal with the
4498 * special handling. We do this in an attempt to keep this function
4499 * as fast and as clean as possible. */
4500 if (!selinux_policycap_netpeer)
4501 return selinux_sock_rcv_skb_compat(sk, skb, family);
4502
4503 secmark_active = selinux_secmark_enabled();
4504 peerlbl_active = selinux_peerlbl_enabled();
4505 if (!secmark_active && !peerlbl_active)
4506 return 0;
4507
4508 ad.type = LSM_AUDIT_DATA_NET;
4509 ad.u.net = &net;
4510 ad.u.net->netif = skb->skb_iif;
4511 ad.u.net->family = family;
4512 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4513 if (err)
4514 return err;
4515
4516 if (peerlbl_active) {
4517 u32 peer_sid;
4518
4519 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4520 if (err)
4521 return err;
4522 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4523 addrp, family, peer_sid, &ad);
4524 if (err) {
4525 selinux_netlbl_err(skb, err, 0);
4526 return err;
4527 }
4528 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4529 PEER__RECV, &ad);
4530 if (err) {
4531 selinux_netlbl_err(skb, err, 0);
4532 return err;
4533 }
4534 }
4535
4536 if (secmark_active) {
4537 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4538 PACKET__RECV, &ad);
4539 if (err)
4540 return err;
4541 }
4542
4543 return err;
4544 }
4545
selinux_socket_getpeersec_stream(struct socket * sock,char __user * optval,int __user * optlen,unsigned len)4546 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4547 int __user *optlen, unsigned len)
4548 {
4549 int err = 0;
4550 char *scontext;
4551 u32 scontext_len;
4552 struct sk_security_struct *sksec = sock->sk->sk_security;
4553 u32 peer_sid = SECSID_NULL;
4554
4555 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4556 sksec->sclass == SECCLASS_TCP_SOCKET)
4557 peer_sid = sksec->peer_sid;
4558 if (peer_sid == SECSID_NULL)
4559 return -ENOPROTOOPT;
4560
4561 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4562 if (err)
4563 return err;
4564
4565 if (scontext_len > len) {
4566 err = -ERANGE;
4567 goto out_len;
4568 }
4569
4570 if (copy_to_user(optval, scontext, scontext_len))
4571 err = -EFAULT;
4572
4573 out_len:
4574 if (put_user(scontext_len, optlen))
4575 err = -EFAULT;
4576 kfree(scontext);
4577 return err;
4578 }
4579
selinux_socket_getpeersec_dgram(struct socket * sock,struct sk_buff * skb,u32 * secid)4580 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4581 {
4582 u32 peer_secid = SECSID_NULL;
4583 u16 family;
4584
4585 if (skb && skb->protocol == htons(ETH_P_IP))
4586 family = PF_INET;
4587 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4588 family = PF_INET6;
4589 else if (sock)
4590 family = sock->sk->sk_family;
4591 else
4592 goto out;
4593
4594 if (sock && family == PF_UNIX)
4595 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4596 else if (skb)
4597 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4598
4599 out:
4600 *secid = peer_secid;
4601 if (peer_secid == SECSID_NULL)
4602 return -EINVAL;
4603 return 0;
4604 }
4605
selinux_sk_alloc_security(struct sock * sk,int family,gfp_t priority)4606 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4607 {
4608 struct sk_security_struct *sksec;
4609
4610 sksec = kzalloc(sizeof(*sksec), priority);
4611 if (!sksec)
4612 return -ENOMEM;
4613
4614 sksec->peer_sid = SECINITSID_UNLABELED;
4615 sksec->sid = SECINITSID_UNLABELED;
4616 sksec->sclass = SECCLASS_SOCKET;
4617 selinux_netlbl_sk_security_reset(sksec);
4618 sk->sk_security = sksec;
4619
4620 return 0;
4621 }
4622
selinux_sk_free_security(struct sock * sk)4623 static void selinux_sk_free_security(struct sock *sk)
4624 {
4625 struct sk_security_struct *sksec = sk->sk_security;
4626
4627 sk->sk_security = NULL;
4628 selinux_netlbl_sk_security_free(sksec);
4629 kfree(sksec);
4630 }
4631
selinux_sk_clone_security(const struct sock * sk,struct sock * newsk)4632 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4633 {
4634 struct sk_security_struct *sksec = sk->sk_security;
4635 struct sk_security_struct *newsksec = newsk->sk_security;
4636
4637 newsksec->sid = sksec->sid;
4638 newsksec->peer_sid = sksec->peer_sid;
4639 newsksec->sclass = sksec->sclass;
4640
4641 selinux_netlbl_sk_security_reset(newsksec);
4642 }
4643
selinux_sk_getsecid(struct sock * sk,u32 * secid)4644 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4645 {
4646 if (!sk)
4647 *secid = SECINITSID_ANY_SOCKET;
4648 else {
4649 struct sk_security_struct *sksec = sk->sk_security;
4650
4651 *secid = sksec->sid;
4652 }
4653 }
4654
selinux_sock_graft(struct sock * sk,struct socket * parent)4655 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4656 {
4657 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4658 struct sk_security_struct *sksec = sk->sk_security;
4659
4660 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4661 sk->sk_family == PF_UNIX)
4662 isec->sid = sksec->sid;
4663 sksec->sclass = isec->sclass;
4664 }
4665
selinux_inet_conn_request(struct sock * sk,struct sk_buff * skb,struct request_sock * req)4666 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4667 struct request_sock *req)
4668 {
4669 struct sk_security_struct *sksec = sk->sk_security;
4670 int err;
4671 u16 family = req->rsk_ops->family;
4672 u32 connsid;
4673 u32 peersid;
4674
4675 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4676 if (err)
4677 return err;
4678 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4679 if (err)
4680 return err;
4681 req->secid = connsid;
4682 req->peer_secid = peersid;
4683
4684 return selinux_netlbl_inet_conn_request(req, family);
4685 }
4686
selinux_inet_csk_clone(struct sock * newsk,const struct request_sock * req)4687 static void selinux_inet_csk_clone(struct sock *newsk,
4688 const struct request_sock *req)
4689 {
4690 struct sk_security_struct *newsksec = newsk->sk_security;
4691
4692 newsksec->sid = req->secid;
4693 newsksec->peer_sid = req->peer_secid;
4694 /* NOTE: Ideally, we should also get the isec->sid for the
4695 new socket in sync, but we don't have the isec available yet.
4696 So we will wait until sock_graft to do it, by which
4697 time it will have been created and available. */
4698
4699 /* We don't need to take any sort of lock here as we are the only
4700 * thread with access to newsksec */
4701 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4702 }
4703
selinux_inet_conn_established(struct sock * sk,struct sk_buff * skb)4704 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4705 {
4706 u16 family = sk->sk_family;
4707 struct sk_security_struct *sksec = sk->sk_security;
4708
4709 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4710 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4711 family = PF_INET;
4712
4713 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4714 }
4715
selinux_secmark_relabel_packet(u32 sid)4716 static int selinux_secmark_relabel_packet(u32 sid)
4717 {
4718 const struct task_security_struct *__tsec;
4719 u32 tsid;
4720
4721 __tsec = current_security();
4722 tsid = __tsec->sid;
4723
4724 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4725 }
4726
selinux_secmark_refcount_inc(void)4727 static void selinux_secmark_refcount_inc(void)
4728 {
4729 atomic_inc(&selinux_secmark_refcount);
4730 }
4731
selinux_secmark_refcount_dec(void)4732 static void selinux_secmark_refcount_dec(void)
4733 {
4734 atomic_dec(&selinux_secmark_refcount);
4735 }
4736
selinux_req_classify_flow(const struct request_sock * req,struct flowi * fl)4737 static void selinux_req_classify_flow(const struct request_sock *req,
4738 struct flowi *fl)
4739 {
4740 fl->flowi_secid = req->secid;
4741 }
4742
selinux_tun_dev_alloc_security(void ** security)4743 static int selinux_tun_dev_alloc_security(void **security)
4744 {
4745 struct tun_security_struct *tunsec;
4746
4747 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4748 if (!tunsec)
4749 return -ENOMEM;
4750 tunsec->sid = current_sid();
4751
4752 *security = tunsec;
4753 return 0;
4754 }
4755
selinux_tun_dev_free_security(void * security)4756 static void selinux_tun_dev_free_security(void *security)
4757 {
4758 kfree(security);
4759 }
4760
selinux_tun_dev_create(void)4761 static int selinux_tun_dev_create(void)
4762 {
4763 u32 sid = current_sid();
4764
4765 /* we aren't taking into account the "sockcreate" SID since the socket
4766 * that is being created here is not a socket in the traditional sense,
4767 * instead it is a private sock, accessible only to the kernel, and
4768 * representing a wide range of network traffic spanning multiple
4769 * connections unlike traditional sockets - check the TUN driver to
4770 * get a better understanding of why this socket is special */
4771
4772 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4773 NULL);
4774 }
4775
selinux_tun_dev_attach_queue(void * security)4776 static int selinux_tun_dev_attach_queue(void *security)
4777 {
4778 struct tun_security_struct *tunsec = security;
4779
4780 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4781 TUN_SOCKET__ATTACH_QUEUE, NULL);
4782 }
4783
selinux_tun_dev_attach(struct sock * sk,void * security)4784 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4785 {
4786 struct tun_security_struct *tunsec = security;
4787 struct sk_security_struct *sksec = sk->sk_security;
4788
4789 /* we don't currently perform any NetLabel based labeling here and it
4790 * isn't clear that we would want to do so anyway; while we could apply
4791 * labeling without the support of the TUN user the resulting labeled
4792 * traffic from the other end of the connection would almost certainly
4793 * cause confusion to the TUN user that had no idea network labeling
4794 * protocols were being used */
4795
4796 sksec->sid = tunsec->sid;
4797 sksec->sclass = SECCLASS_TUN_SOCKET;
4798
4799 return 0;
4800 }
4801
selinux_tun_dev_open(void * security)4802 static int selinux_tun_dev_open(void *security)
4803 {
4804 struct tun_security_struct *tunsec = security;
4805 u32 sid = current_sid();
4806 int err;
4807
4808 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4809 TUN_SOCKET__RELABELFROM, NULL);
4810 if (err)
4811 return err;
4812 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4813 TUN_SOCKET__RELABELTO, NULL);
4814 if (err)
4815 return err;
4816 tunsec->sid = sid;
4817
4818 return 0;
4819 }
4820
selinux_nlmsg_perm(struct sock * sk,struct sk_buff * skb)4821 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4822 {
4823 int rc = 0;
4824 unsigned int msg_len;
4825 unsigned int data_len = skb->len;
4826 unsigned char *data = skb->data;
4827 struct nlmsghdr *nlh;
4828 struct sk_security_struct *sksec = sk->sk_security;
4829 u16 sclass = sksec->sclass;
4830 u32 perm;
4831
4832 while (data_len >= nlmsg_total_size(0)) {
4833 nlh = (struct nlmsghdr *)data;
4834
4835 /* NOTE: the nlmsg_len field isn't reliably set by some netlink
4836 * users which means we can't reject skb's with bogus
4837 * length fields; our solution is to follow what
4838 * netlink_rcv_skb() does and simply skip processing at
4839 * messages with length fields that are clearly junk
4840 */
4841 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
4842 return 0;
4843
4844 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
4845 if (rc == 0) {
4846 rc = sock_has_perm(current, sk, perm);
4847 if (rc)
4848 return rc;
4849 } else if (rc == -EINVAL) {
4850 /* -EINVAL is a missing msg/perm mapping */
4851 pr_warn_ratelimited("SELinux: unrecognized netlink"
4852 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
4853 " pid=%d comm=%s\n",
4854 sk->sk_protocol, nlh->nlmsg_type,
4855 secclass_map[sclass - 1].name,
4856 task_pid_nr(current), current->comm);
4857 if (selinux_enforcing && !security_get_allow_unknown())
4858 return rc;
4859 rc = 0;
4860 } else if (rc == -ENOENT) {
4861 /* -ENOENT is a missing socket/class mapping, ignore */
4862 rc = 0;
4863 } else {
4864 return rc;
4865 }
4866
4867 /* move to the next message after applying netlink padding */
4868 msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
4869 if (msg_len >= data_len)
4870 return 0;
4871 data_len -= msg_len;
4872 data += msg_len;
4873 }
4874
4875 return rc;
4876 }
4877
4878 #ifdef CONFIG_NETFILTER
4879
selinux_ip_forward(struct sk_buff * skb,const struct net_device * indev,u16 family)4880 static unsigned int selinux_ip_forward(struct sk_buff *skb,
4881 const struct net_device *indev,
4882 u16 family)
4883 {
4884 int err;
4885 char *addrp;
4886 u32 peer_sid;
4887 struct common_audit_data ad;
4888 struct lsm_network_audit net = {0,};
4889 u8 secmark_active;
4890 u8 netlbl_active;
4891 u8 peerlbl_active;
4892
4893 if (!selinux_policycap_netpeer)
4894 return NF_ACCEPT;
4895
4896 secmark_active = selinux_secmark_enabled();
4897 netlbl_active = netlbl_enabled();
4898 peerlbl_active = selinux_peerlbl_enabled();
4899 if (!secmark_active && !peerlbl_active)
4900 return NF_ACCEPT;
4901
4902 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4903 return NF_DROP;
4904
4905 ad.type = LSM_AUDIT_DATA_NET;
4906 ad.u.net = &net;
4907 ad.u.net->netif = indev->ifindex;
4908 ad.u.net->family = family;
4909 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4910 return NF_DROP;
4911
4912 if (peerlbl_active) {
4913 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
4914 addrp, family, peer_sid, &ad);
4915 if (err) {
4916 selinux_netlbl_err(skb, err, 1);
4917 return NF_DROP;
4918 }
4919 }
4920
4921 if (secmark_active)
4922 if (avc_has_perm(peer_sid, skb->secmark,
4923 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4924 return NF_DROP;
4925
4926 if (netlbl_active)
4927 /* we do this in the FORWARD path and not the POST_ROUTING
4928 * path because we want to make sure we apply the necessary
4929 * labeling before IPsec is applied so we can leverage AH
4930 * protection */
4931 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4932 return NF_DROP;
4933
4934 return NF_ACCEPT;
4935 }
4936
selinux_ipv4_forward(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)4937 static unsigned int selinux_ipv4_forward(void *priv,
4938 struct sk_buff *skb,
4939 const struct nf_hook_state *state)
4940 {
4941 return selinux_ip_forward(skb, state->in, PF_INET);
4942 }
4943
4944 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
selinux_ipv6_forward(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)4945 static unsigned int selinux_ipv6_forward(void *priv,
4946 struct sk_buff *skb,
4947 const struct nf_hook_state *state)
4948 {
4949 return selinux_ip_forward(skb, state->in, PF_INET6);
4950 }
4951 #endif /* IPV6 */
4952
selinux_ip_output(struct sk_buff * skb,u16 family)4953 static unsigned int selinux_ip_output(struct sk_buff *skb,
4954 u16 family)
4955 {
4956 struct sock *sk;
4957 u32 sid;
4958
4959 if (!netlbl_enabled())
4960 return NF_ACCEPT;
4961
4962 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4963 * because we want to make sure we apply the necessary labeling
4964 * before IPsec is applied so we can leverage AH protection */
4965 sk = skb->sk;
4966 if (sk) {
4967 struct sk_security_struct *sksec;
4968
4969 if (sk_listener(sk))
4970 /* if the socket is the listening state then this
4971 * packet is a SYN-ACK packet which means it needs to
4972 * be labeled based on the connection/request_sock and
4973 * not the parent socket. unfortunately, we can't
4974 * lookup the request_sock yet as it isn't queued on
4975 * the parent socket until after the SYN-ACK is sent.
4976 * the "solution" is to simply pass the packet as-is
4977 * as any IP option based labeling should be copied
4978 * from the initial connection request (in the IP
4979 * layer). it is far from ideal, but until we get a
4980 * security label in the packet itself this is the
4981 * best we can do. */
4982 return NF_ACCEPT;
4983
4984 /* standard practice, label using the parent socket */
4985 sksec = sk->sk_security;
4986 sid = sksec->sid;
4987 } else
4988 sid = SECINITSID_KERNEL;
4989 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4990 return NF_DROP;
4991
4992 return NF_ACCEPT;
4993 }
4994
selinux_ipv4_output(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)4995 static unsigned int selinux_ipv4_output(void *priv,
4996 struct sk_buff *skb,
4997 const struct nf_hook_state *state)
4998 {
4999 return selinux_ip_output(skb, PF_INET);
5000 }
5001
selinux_ip_postroute_compat(struct sk_buff * skb,int ifindex,u16 family)5002 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5003 int ifindex,
5004 u16 family)
5005 {
5006 struct sock *sk = skb_to_full_sk(skb);
5007 struct sk_security_struct *sksec;
5008 struct common_audit_data ad;
5009 struct lsm_network_audit net = {0,};
5010 char *addrp;
5011 u8 proto = 0;
5012
5013 if (sk == NULL)
5014 return NF_ACCEPT;
5015 sksec = sk->sk_security;
5016
5017 ad.type = LSM_AUDIT_DATA_NET;
5018 ad.u.net = &net;
5019 ad.u.net->netif = ifindex;
5020 ad.u.net->family = family;
5021 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5022 return NF_DROP;
5023
5024 if (selinux_secmark_enabled())
5025 if (avc_has_perm(sksec->sid, skb->secmark,
5026 SECCLASS_PACKET, PACKET__SEND, &ad))
5027 return NF_DROP_ERR(-ECONNREFUSED);
5028
5029 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5030 return NF_DROP_ERR(-ECONNREFUSED);
5031
5032 return NF_ACCEPT;
5033 }
5034
selinux_ip_postroute(struct sk_buff * skb,const struct net_device * outdev,u16 family)5035 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5036 const struct net_device *outdev,
5037 u16 family)
5038 {
5039 u32 secmark_perm;
5040 u32 peer_sid;
5041 int ifindex = outdev->ifindex;
5042 struct sock *sk;
5043 struct common_audit_data ad;
5044 struct lsm_network_audit net = {0,};
5045 char *addrp;
5046 u8 secmark_active;
5047 u8 peerlbl_active;
5048
5049 /* If any sort of compatibility mode is enabled then handoff processing
5050 * to the selinux_ip_postroute_compat() function to deal with the
5051 * special handling. We do this in an attempt to keep this function
5052 * as fast and as clean as possible. */
5053 if (!selinux_policycap_netpeer)
5054 return selinux_ip_postroute_compat(skb, ifindex, family);
5055
5056 secmark_active = selinux_secmark_enabled();
5057 peerlbl_active = selinux_peerlbl_enabled();
5058 if (!secmark_active && !peerlbl_active)
5059 return NF_ACCEPT;
5060
5061 sk = skb_to_full_sk(skb);
5062
5063 #ifdef CONFIG_XFRM
5064 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5065 * packet transformation so allow the packet to pass without any checks
5066 * since we'll have another chance to perform access control checks
5067 * when the packet is on it's final way out.
5068 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5069 * is NULL, in this case go ahead and apply access control.
5070 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5071 * TCP listening state we cannot wait until the XFRM processing
5072 * is done as we will miss out on the SA label if we do;
5073 * unfortunately, this means more work, but it is only once per
5074 * connection. */
5075 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5076 !(sk && sk_listener(sk)))
5077 return NF_ACCEPT;
5078 #endif
5079
5080 if (sk == NULL) {
5081 /* Without an associated socket the packet is either coming
5082 * from the kernel or it is being forwarded; check the packet
5083 * to determine which and if the packet is being forwarded
5084 * query the packet directly to determine the security label. */
5085 if (skb->skb_iif) {
5086 secmark_perm = PACKET__FORWARD_OUT;
5087 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5088 return NF_DROP;
5089 } else {
5090 secmark_perm = PACKET__SEND;
5091 peer_sid = SECINITSID_KERNEL;
5092 }
5093 } else if (sk_listener(sk)) {
5094 /* Locally generated packet but the associated socket is in the
5095 * listening state which means this is a SYN-ACK packet. In
5096 * this particular case the correct security label is assigned
5097 * to the connection/request_sock but unfortunately we can't
5098 * query the request_sock as it isn't queued on the parent
5099 * socket until after the SYN-ACK packet is sent; the only
5100 * viable choice is to regenerate the label like we do in
5101 * selinux_inet_conn_request(). See also selinux_ip_output()
5102 * for similar problems. */
5103 u32 skb_sid;
5104 struct sk_security_struct *sksec;
5105
5106 sksec = sk->sk_security;
5107 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5108 return NF_DROP;
5109 /* At this point, if the returned skb peerlbl is SECSID_NULL
5110 * and the packet has been through at least one XFRM
5111 * transformation then we must be dealing with the "final"
5112 * form of labeled IPsec packet; since we've already applied
5113 * all of our access controls on this packet we can safely
5114 * pass the packet. */
5115 if (skb_sid == SECSID_NULL) {
5116 switch (family) {
5117 case PF_INET:
5118 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5119 return NF_ACCEPT;
5120 break;
5121 case PF_INET6:
5122 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5123 return NF_ACCEPT;
5124 break;
5125 default:
5126 return NF_DROP_ERR(-ECONNREFUSED);
5127 }
5128 }
5129 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5130 return NF_DROP;
5131 secmark_perm = PACKET__SEND;
5132 } else {
5133 /* Locally generated packet, fetch the security label from the
5134 * associated socket. */
5135 struct sk_security_struct *sksec = sk->sk_security;
5136 peer_sid = sksec->sid;
5137 secmark_perm = PACKET__SEND;
5138 }
5139
5140 ad.type = LSM_AUDIT_DATA_NET;
5141 ad.u.net = &net;
5142 ad.u.net->netif = ifindex;
5143 ad.u.net->family = family;
5144 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5145 return NF_DROP;
5146
5147 if (secmark_active)
5148 if (avc_has_perm(peer_sid, skb->secmark,
5149 SECCLASS_PACKET, secmark_perm, &ad))
5150 return NF_DROP_ERR(-ECONNREFUSED);
5151
5152 if (peerlbl_active) {
5153 u32 if_sid;
5154 u32 node_sid;
5155
5156 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5157 return NF_DROP;
5158 if (avc_has_perm(peer_sid, if_sid,
5159 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5160 return NF_DROP_ERR(-ECONNREFUSED);
5161
5162 if (sel_netnode_sid(addrp, family, &node_sid))
5163 return NF_DROP;
5164 if (avc_has_perm(peer_sid, node_sid,
5165 SECCLASS_NODE, NODE__SENDTO, &ad))
5166 return NF_DROP_ERR(-ECONNREFUSED);
5167 }
5168
5169 return NF_ACCEPT;
5170 }
5171
selinux_ipv4_postroute(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5172 static unsigned int selinux_ipv4_postroute(void *priv,
5173 struct sk_buff *skb,
5174 const struct nf_hook_state *state)
5175 {
5176 return selinux_ip_postroute(skb, state->out, PF_INET);
5177 }
5178
5179 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
selinux_ipv6_postroute(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5180 static unsigned int selinux_ipv6_postroute(void *priv,
5181 struct sk_buff *skb,
5182 const struct nf_hook_state *state)
5183 {
5184 return selinux_ip_postroute(skb, state->out, PF_INET6);
5185 }
5186 #endif /* IPV6 */
5187
5188 #endif /* CONFIG_NETFILTER */
5189
selinux_netlink_send(struct sock * sk,struct sk_buff * skb)5190 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5191 {
5192 return selinux_nlmsg_perm(sk, skb);
5193 }
5194
ipc_alloc_security(struct task_struct * task,struct kern_ipc_perm * perm,u16 sclass)5195 static int ipc_alloc_security(struct task_struct *task,
5196 struct kern_ipc_perm *perm,
5197 u16 sclass)
5198 {
5199 struct ipc_security_struct *isec;
5200 u32 sid;
5201
5202 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5203 if (!isec)
5204 return -ENOMEM;
5205
5206 sid = task_sid(task);
5207 isec->sclass = sclass;
5208 isec->sid = sid;
5209 perm->security = isec;
5210
5211 return 0;
5212 }
5213
ipc_free_security(struct kern_ipc_perm * perm)5214 static void ipc_free_security(struct kern_ipc_perm *perm)
5215 {
5216 struct ipc_security_struct *isec = perm->security;
5217 perm->security = NULL;
5218 kfree(isec);
5219 }
5220
msg_msg_alloc_security(struct msg_msg * msg)5221 static int msg_msg_alloc_security(struct msg_msg *msg)
5222 {
5223 struct msg_security_struct *msec;
5224
5225 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5226 if (!msec)
5227 return -ENOMEM;
5228
5229 msec->sid = SECINITSID_UNLABELED;
5230 msg->security = msec;
5231
5232 return 0;
5233 }
5234
msg_msg_free_security(struct msg_msg * msg)5235 static void msg_msg_free_security(struct msg_msg *msg)
5236 {
5237 struct msg_security_struct *msec = msg->security;
5238
5239 msg->security = NULL;
5240 kfree(msec);
5241 }
5242
ipc_has_perm(struct kern_ipc_perm * ipc_perms,u32 perms)5243 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5244 u32 perms)
5245 {
5246 struct ipc_security_struct *isec;
5247 struct common_audit_data ad;
5248 u32 sid = current_sid();
5249
5250 isec = ipc_perms->security;
5251
5252 ad.type = LSM_AUDIT_DATA_IPC;
5253 ad.u.ipc_id = ipc_perms->key;
5254
5255 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5256 }
5257
selinux_msg_msg_alloc_security(struct msg_msg * msg)5258 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5259 {
5260 return msg_msg_alloc_security(msg);
5261 }
5262
selinux_msg_msg_free_security(struct msg_msg * msg)5263 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5264 {
5265 msg_msg_free_security(msg);
5266 }
5267
5268 /* message queue security operations */
selinux_msg_queue_alloc_security(struct msg_queue * msq)5269 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5270 {
5271 struct ipc_security_struct *isec;
5272 struct common_audit_data ad;
5273 u32 sid = current_sid();
5274 int rc;
5275
5276 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5277 if (rc)
5278 return rc;
5279
5280 isec = msq->q_perm.security;
5281
5282 ad.type = LSM_AUDIT_DATA_IPC;
5283 ad.u.ipc_id = msq->q_perm.key;
5284
5285 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5286 MSGQ__CREATE, &ad);
5287 if (rc) {
5288 ipc_free_security(&msq->q_perm);
5289 return rc;
5290 }
5291 return 0;
5292 }
5293
selinux_msg_queue_free_security(struct msg_queue * msq)5294 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5295 {
5296 ipc_free_security(&msq->q_perm);
5297 }
5298
selinux_msg_queue_associate(struct msg_queue * msq,int msqflg)5299 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5300 {
5301 struct ipc_security_struct *isec;
5302 struct common_audit_data ad;
5303 u32 sid = current_sid();
5304
5305 isec = msq->q_perm.security;
5306
5307 ad.type = LSM_AUDIT_DATA_IPC;
5308 ad.u.ipc_id = msq->q_perm.key;
5309
5310 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5311 MSGQ__ASSOCIATE, &ad);
5312 }
5313
selinux_msg_queue_msgctl(struct msg_queue * msq,int cmd)5314 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5315 {
5316 int err;
5317 int perms;
5318
5319 switch (cmd) {
5320 case IPC_INFO:
5321 case MSG_INFO:
5322 /* No specific object, just general system-wide information. */
5323 return task_has_system(current, SYSTEM__IPC_INFO);
5324 case IPC_STAT:
5325 case MSG_STAT:
5326 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5327 break;
5328 case IPC_SET:
5329 perms = MSGQ__SETATTR;
5330 break;
5331 case IPC_RMID:
5332 perms = MSGQ__DESTROY;
5333 break;
5334 default:
5335 return 0;
5336 }
5337
5338 err = ipc_has_perm(&msq->q_perm, perms);
5339 return err;
5340 }
5341
selinux_msg_queue_msgsnd(struct msg_queue * msq,struct msg_msg * msg,int msqflg)5342 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5343 {
5344 struct ipc_security_struct *isec;
5345 struct msg_security_struct *msec;
5346 struct common_audit_data ad;
5347 u32 sid = current_sid();
5348 int rc;
5349
5350 isec = msq->q_perm.security;
5351 msec = msg->security;
5352
5353 /*
5354 * First time through, need to assign label to the message
5355 */
5356 if (msec->sid == SECINITSID_UNLABELED) {
5357 /*
5358 * Compute new sid based on current process and
5359 * message queue this message will be stored in
5360 */
5361 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5362 NULL, &msec->sid);
5363 if (rc)
5364 return rc;
5365 }
5366
5367 ad.type = LSM_AUDIT_DATA_IPC;
5368 ad.u.ipc_id = msq->q_perm.key;
5369
5370 /* Can this process write to the queue? */
5371 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5372 MSGQ__WRITE, &ad);
5373 if (!rc)
5374 /* Can this process send the message */
5375 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5376 MSG__SEND, &ad);
5377 if (!rc)
5378 /* Can the message be put in the queue? */
5379 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5380 MSGQ__ENQUEUE, &ad);
5381
5382 return rc;
5383 }
5384
selinux_msg_queue_msgrcv(struct msg_queue * msq,struct msg_msg * msg,struct task_struct * target,long type,int mode)5385 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5386 struct task_struct *target,
5387 long type, int mode)
5388 {
5389 struct ipc_security_struct *isec;
5390 struct msg_security_struct *msec;
5391 struct common_audit_data ad;
5392 u32 sid = task_sid(target);
5393 int rc;
5394
5395 isec = msq->q_perm.security;
5396 msec = msg->security;
5397
5398 ad.type = LSM_AUDIT_DATA_IPC;
5399 ad.u.ipc_id = msq->q_perm.key;
5400
5401 rc = avc_has_perm(sid, isec->sid,
5402 SECCLASS_MSGQ, MSGQ__READ, &ad);
5403 if (!rc)
5404 rc = avc_has_perm(sid, msec->sid,
5405 SECCLASS_MSG, MSG__RECEIVE, &ad);
5406 return rc;
5407 }
5408
5409 /* Shared Memory security operations */
selinux_shm_alloc_security(struct shmid_kernel * shp)5410 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5411 {
5412 struct ipc_security_struct *isec;
5413 struct common_audit_data ad;
5414 u32 sid = current_sid();
5415 int rc;
5416
5417 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5418 if (rc)
5419 return rc;
5420
5421 isec = shp->shm_perm.security;
5422
5423 ad.type = LSM_AUDIT_DATA_IPC;
5424 ad.u.ipc_id = shp->shm_perm.key;
5425
5426 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5427 SHM__CREATE, &ad);
5428 if (rc) {
5429 ipc_free_security(&shp->shm_perm);
5430 return rc;
5431 }
5432 return 0;
5433 }
5434
selinux_shm_free_security(struct shmid_kernel * shp)5435 static void selinux_shm_free_security(struct shmid_kernel *shp)
5436 {
5437 ipc_free_security(&shp->shm_perm);
5438 }
5439
selinux_shm_associate(struct shmid_kernel * shp,int shmflg)5440 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5441 {
5442 struct ipc_security_struct *isec;
5443 struct common_audit_data ad;
5444 u32 sid = current_sid();
5445
5446 isec = shp->shm_perm.security;
5447
5448 ad.type = LSM_AUDIT_DATA_IPC;
5449 ad.u.ipc_id = shp->shm_perm.key;
5450
5451 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5452 SHM__ASSOCIATE, &ad);
5453 }
5454
5455 /* Note, at this point, shp is locked down */
selinux_shm_shmctl(struct shmid_kernel * shp,int cmd)5456 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5457 {
5458 int perms;
5459 int err;
5460
5461 switch (cmd) {
5462 case IPC_INFO:
5463 case SHM_INFO:
5464 /* No specific object, just general system-wide information. */
5465 return task_has_system(current, SYSTEM__IPC_INFO);
5466 case IPC_STAT:
5467 case SHM_STAT:
5468 perms = SHM__GETATTR | SHM__ASSOCIATE;
5469 break;
5470 case IPC_SET:
5471 perms = SHM__SETATTR;
5472 break;
5473 case SHM_LOCK:
5474 case SHM_UNLOCK:
5475 perms = SHM__LOCK;
5476 break;
5477 case IPC_RMID:
5478 perms = SHM__DESTROY;
5479 break;
5480 default:
5481 return 0;
5482 }
5483
5484 err = ipc_has_perm(&shp->shm_perm, perms);
5485 return err;
5486 }
5487
selinux_shm_shmat(struct shmid_kernel * shp,char __user * shmaddr,int shmflg)5488 static int selinux_shm_shmat(struct shmid_kernel *shp,
5489 char __user *shmaddr, int shmflg)
5490 {
5491 u32 perms;
5492
5493 if (shmflg & SHM_RDONLY)
5494 perms = SHM__READ;
5495 else
5496 perms = SHM__READ | SHM__WRITE;
5497
5498 return ipc_has_perm(&shp->shm_perm, perms);
5499 }
5500
5501 /* Semaphore security operations */
selinux_sem_alloc_security(struct sem_array * sma)5502 static int selinux_sem_alloc_security(struct sem_array *sma)
5503 {
5504 struct ipc_security_struct *isec;
5505 struct common_audit_data ad;
5506 u32 sid = current_sid();
5507 int rc;
5508
5509 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5510 if (rc)
5511 return rc;
5512
5513 isec = sma->sem_perm.security;
5514
5515 ad.type = LSM_AUDIT_DATA_IPC;
5516 ad.u.ipc_id = sma->sem_perm.key;
5517
5518 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5519 SEM__CREATE, &ad);
5520 if (rc) {
5521 ipc_free_security(&sma->sem_perm);
5522 return rc;
5523 }
5524 return 0;
5525 }
5526
selinux_sem_free_security(struct sem_array * sma)5527 static void selinux_sem_free_security(struct sem_array *sma)
5528 {
5529 ipc_free_security(&sma->sem_perm);
5530 }
5531
selinux_sem_associate(struct sem_array * sma,int semflg)5532 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5533 {
5534 struct ipc_security_struct *isec;
5535 struct common_audit_data ad;
5536 u32 sid = current_sid();
5537
5538 isec = sma->sem_perm.security;
5539
5540 ad.type = LSM_AUDIT_DATA_IPC;
5541 ad.u.ipc_id = sma->sem_perm.key;
5542
5543 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5544 SEM__ASSOCIATE, &ad);
5545 }
5546
5547 /* Note, at this point, sma is locked down */
selinux_sem_semctl(struct sem_array * sma,int cmd)5548 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5549 {
5550 int err;
5551 u32 perms;
5552
5553 switch (cmd) {
5554 case IPC_INFO:
5555 case SEM_INFO:
5556 /* No specific object, just general system-wide information. */
5557 return task_has_system(current, SYSTEM__IPC_INFO);
5558 case GETPID:
5559 case GETNCNT:
5560 case GETZCNT:
5561 perms = SEM__GETATTR;
5562 break;
5563 case GETVAL:
5564 case GETALL:
5565 perms = SEM__READ;
5566 break;
5567 case SETVAL:
5568 case SETALL:
5569 perms = SEM__WRITE;
5570 break;
5571 case IPC_RMID:
5572 perms = SEM__DESTROY;
5573 break;
5574 case IPC_SET:
5575 perms = SEM__SETATTR;
5576 break;
5577 case IPC_STAT:
5578 case SEM_STAT:
5579 perms = SEM__GETATTR | SEM__ASSOCIATE;
5580 break;
5581 default:
5582 return 0;
5583 }
5584
5585 err = ipc_has_perm(&sma->sem_perm, perms);
5586 return err;
5587 }
5588
selinux_sem_semop(struct sem_array * sma,struct sembuf * sops,unsigned nsops,int alter)5589 static int selinux_sem_semop(struct sem_array *sma,
5590 struct sembuf *sops, unsigned nsops, int alter)
5591 {
5592 u32 perms;
5593
5594 if (alter)
5595 perms = SEM__READ | SEM__WRITE;
5596 else
5597 perms = SEM__READ;
5598
5599 return ipc_has_perm(&sma->sem_perm, perms);
5600 }
5601
selinux_ipc_permission(struct kern_ipc_perm * ipcp,short flag)5602 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5603 {
5604 u32 av = 0;
5605
5606 av = 0;
5607 if (flag & S_IRUGO)
5608 av |= IPC__UNIX_READ;
5609 if (flag & S_IWUGO)
5610 av |= IPC__UNIX_WRITE;
5611
5612 if (av == 0)
5613 return 0;
5614
5615 return ipc_has_perm(ipcp, av);
5616 }
5617
selinux_ipc_getsecid(struct kern_ipc_perm * ipcp,u32 * secid)5618 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5619 {
5620 struct ipc_security_struct *isec = ipcp->security;
5621 *secid = isec->sid;
5622 }
5623
selinux_d_instantiate(struct dentry * dentry,struct inode * inode)5624 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5625 {
5626 if (inode)
5627 inode_doinit_with_dentry(inode, dentry);
5628 }
5629
selinux_getprocattr(struct task_struct * p,char * name,char ** value)5630 static int selinux_getprocattr(struct task_struct *p,
5631 char *name, char **value)
5632 {
5633 const struct task_security_struct *__tsec;
5634 u32 sid;
5635 int error;
5636 unsigned len;
5637
5638 if (current != p) {
5639 error = current_has_perm(p, PROCESS__GETATTR);
5640 if (error)
5641 return error;
5642 }
5643
5644 rcu_read_lock();
5645 __tsec = __task_cred(p)->security;
5646
5647 if (!strcmp(name, "current"))
5648 sid = __tsec->sid;
5649 else if (!strcmp(name, "prev"))
5650 sid = __tsec->osid;
5651 else if (!strcmp(name, "exec"))
5652 sid = __tsec->exec_sid;
5653 else if (!strcmp(name, "fscreate"))
5654 sid = __tsec->create_sid;
5655 else if (!strcmp(name, "keycreate"))
5656 sid = __tsec->keycreate_sid;
5657 else if (!strcmp(name, "sockcreate"))
5658 sid = __tsec->sockcreate_sid;
5659 else
5660 goto invalid;
5661 rcu_read_unlock();
5662
5663 if (!sid)
5664 return 0;
5665
5666 error = security_sid_to_context(sid, value, &len);
5667 if (error)
5668 return error;
5669 return len;
5670
5671 invalid:
5672 rcu_read_unlock();
5673 return -EINVAL;
5674 }
5675
selinux_setprocattr(struct task_struct * p,char * name,void * value,size_t size)5676 static int selinux_setprocattr(struct task_struct *p,
5677 char *name, void *value, size_t size)
5678 {
5679 struct task_security_struct *tsec;
5680 struct task_struct *tracer;
5681 struct cred *new;
5682 u32 sid = 0, ptsid;
5683 int error;
5684 char *str = value;
5685
5686 if (current != p) {
5687 /* SELinux only allows a process to change its own
5688 security attributes. */
5689 return -EACCES;
5690 }
5691
5692 /*
5693 * Basic control over ability to set these attributes at all.
5694 * current == p, but we'll pass them separately in case the
5695 * above restriction is ever removed.
5696 */
5697 if (!strcmp(name, "exec"))
5698 error = current_has_perm(p, PROCESS__SETEXEC);
5699 else if (!strcmp(name, "fscreate"))
5700 error = current_has_perm(p, PROCESS__SETFSCREATE);
5701 else if (!strcmp(name, "keycreate"))
5702 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5703 else if (!strcmp(name, "sockcreate"))
5704 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5705 else if (!strcmp(name, "current"))
5706 error = current_has_perm(p, PROCESS__SETCURRENT);
5707 else
5708 error = -EINVAL;
5709 if (error)
5710 return error;
5711
5712 /* Obtain a SID for the context, if one was specified. */
5713 if (size && str[0] && str[0] != '\n') {
5714 if (str[size-1] == '\n') {
5715 str[size-1] = 0;
5716 size--;
5717 }
5718 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5719 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5720 if (!capable(CAP_MAC_ADMIN)) {
5721 struct audit_buffer *ab;
5722 size_t audit_size;
5723
5724 /* We strip a nul only if it is at the end, otherwise the
5725 * context contains a nul and we should audit that */
5726 if (str[size - 1] == '\0')
5727 audit_size = size - 1;
5728 else
5729 audit_size = size;
5730 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5731 audit_log_format(ab, "op=fscreate invalid_context=");
5732 audit_log_n_untrustedstring(ab, value, audit_size);
5733 audit_log_end(ab);
5734
5735 return error;
5736 }
5737 error = security_context_to_sid_force(value, size,
5738 &sid);
5739 }
5740 if (error)
5741 return error;
5742 }
5743
5744 new = prepare_creds();
5745 if (!new)
5746 return -ENOMEM;
5747
5748 /* Permission checking based on the specified context is
5749 performed during the actual operation (execve,
5750 open/mkdir/...), when we know the full context of the
5751 operation. See selinux_bprm_set_creds for the execve
5752 checks and may_create for the file creation checks. The
5753 operation will then fail if the context is not permitted. */
5754 tsec = new->security;
5755 if (!strcmp(name, "exec")) {
5756 tsec->exec_sid = sid;
5757 } else if (!strcmp(name, "fscreate")) {
5758 tsec->create_sid = sid;
5759 } else if (!strcmp(name, "keycreate")) {
5760 error = may_create_key(sid, p);
5761 if (error)
5762 goto abort_change;
5763 tsec->keycreate_sid = sid;
5764 } else if (!strcmp(name, "sockcreate")) {
5765 tsec->sockcreate_sid = sid;
5766 } else if (!strcmp(name, "current")) {
5767 error = -EINVAL;
5768 if (sid == 0)
5769 goto abort_change;
5770
5771 /* Only allow single threaded processes to change context */
5772 error = -EPERM;
5773 if (!current_is_single_threaded()) {
5774 error = security_bounded_transition(tsec->sid, sid);
5775 if (error)
5776 goto abort_change;
5777 }
5778
5779 /* Check permissions for the transition. */
5780 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5781 PROCESS__DYNTRANSITION, NULL);
5782 if (error)
5783 goto abort_change;
5784
5785 /* Check for ptracing, and update the task SID if ok.
5786 Otherwise, leave SID unchanged and fail. */
5787 ptsid = 0;
5788 rcu_read_lock();
5789 tracer = ptrace_parent(p);
5790 if (tracer)
5791 ptsid = task_sid(tracer);
5792 rcu_read_unlock();
5793
5794 if (tracer) {
5795 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5796 PROCESS__PTRACE, NULL);
5797 if (error)
5798 goto abort_change;
5799 }
5800
5801 tsec->sid = sid;
5802 } else {
5803 error = -EINVAL;
5804 goto abort_change;
5805 }
5806
5807 commit_creds(new);
5808 return size;
5809
5810 abort_change:
5811 abort_creds(new);
5812 return error;
5813 }
5814
selinux_ismaclabel(const char * name)5815 static int selinux_ismaclabel(const char *name)
5816 {
5817 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5818 }
5819
selinux_secid_to_secctx(u32 secid,char ** secdata,u32 * seclen)5820 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5821 {
5822 return security_sid_to_context(secid, secdata, seclen);
5823 }
5824
selinux_secctx_to_secid(const char * secdata,u32 seclen,u32 * secid)5825 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5826 {
5827 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5828 }
5829
selinux_release_secctx(char * secdata,u32 seclen)5830 static void selinux_release_secctx(char *secdata, u32 seclen)
5831 {
5832 kfree(secdata);
5833 }
5834
5835 /*
5836 * called with inode->i_mutex locked
5837 */
selinux_inode_notifysecctx(struct inode * inode,void * ctx,u32 ctxlen)5838 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5839 {
5840 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5841 }
5842
5843 /*
5844 * called with inode->i_mutex locked
5845 */
selinux_inode_setsecctx(struct dentry * dentry,void * ctx,u32 ctxlen)5846 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5847 {
5848 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5849 }
5850
selinux_inode_getsecctx(struct inode * inode,void ** ctx,u32 * ctxlen)5851 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5852 {
5853 int len = 0;
5854 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5855 ctx, true);
5856 if (len < 0)
5857 return len;
5858 *ctxlen = len;
5859 return 0;
5860 }
5861 #ifdef CONFIG_KEYS
5862
selinux_key_alloc(struct key * k,const struct cred * cred,unsigned long flags)5863 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5864 unsigned long flags)
5865 {
5866 const struct task_security_struct *tsec;
5867 struct key_security_struct *ksec;
5868
5869 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5870 if (!ksec)
5871 return -ENOMEM;
5872
5873 tsec = cred->security;
5874 if (tsec->keycreate_sid)
5875 ksec->sid = tsec->keycreate_sid;
5876 else
5877 ksec->sid = tsec->sid;
5878
5879 k->security = ksec;
5880 return 0;
5881 }
5882
selinux_key_free(struct key * k)5883 static void selinux_key_free(struct key *k)
5884 {
5885 struct key_security_struct *ksec = k->security;
5886
5887 k->security = NULL;
5888 kfree(ksec);
5889 }
5890
selinux_key_permission(key_ref_t key_ref,const struct cred * cred,unsigned perm)5891 static int selinux_key_permission(key_ref_t key_ref,
5892 const struct cred *cred,
5893 unsigned perm)
5894 {
5895 struct key *key;
5896 struct key_security_struct *ksec;
5897 u32 sid;
5898
5899 /* if no specific permissions are requested, we skip the
5900 permission check. No serious, additional covert channels
5901 appear to be created. */
5902 if (perm == 0)
5903 return 0;
5904
5905 sid = cred_sid(cred);
5906
5907 key = key_ref_to_ptr(key_ref);
5908 ksec = key->security;
5909
5910 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5911 }
5912
selinux_key_getsecurity(struct key * key,char ** _buffer)5913 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5914 {
5915 struct key_security_struct *ksec = key->security;
5916 char *context = NULL;
5917 unsigned len;
5918 int rc;
5919
5920 rc = security_sid_to_context(ksec->sid, &context, &len);
5921 if (!rc)
5922 rc = len;
5923 *_buffer = context;
5924 return rc;
5925 }
5926
5927 #endif
5928
5929 static struct security_hook_list selinux_hooks[] = {
5930 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
5931 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
5932 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
5933 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
5934
5935 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
5936 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
5937 LSM_HOOK_INIT(capget, selinux_capget),
5938 LSM_HOOK_INIT(capset, selinux_capset),
5939 LSM_HOOK_INIT(capable, selinux_capable),
5940 LSM_HOOK_INIT(quotactl, selinux_quotactl),
5941 LSM_HOOK_INIT(quota_on, selinux_quota_on),
5942 LSM_HOOK_INIT(syslog, selinux_syslog),
5943 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
5944
5945 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
5946
5947 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
5948 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
5949 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
5950 LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
5951
5952 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
5953 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
5954 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
5955 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
5956 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
5957 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
5958 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
5959 LSM_HOOK_INIT(sb_mount, selinux_mount),
5960 LSM_HOOK_INIT(sb_umount, selinux_umount),
5961 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
5962 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
5963 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
5964
5965 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
5966
5967 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
5968 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
5969 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
5970 LSM_HOOK_INIT(inode_create, selinux_inode_create),
5971 LSM_HOOK_INIT(inode_link, selinux_inode_link),
5972 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
5973 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
5974 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
5975 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
5976 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
5977 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
5978 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
5979 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
5980 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
5981 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
5982 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
5983 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
5984 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
5985 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
5986 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
5987 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
5988 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
5989 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
5990 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
5991 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
5992
5993 LSM_HOOK_INIT(file_permission, selinux_file_permission),
5994 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
5995 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
5996 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
5997 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
5998 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
5999 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6000 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6001 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6002 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6003 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6004 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6005
6006 LSM_HOOK_INIT(file_open, selinux_file_open),
6007
6008 LSM_HOOK_INIT(task_create, selinux_task_create),
6009 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6010 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6011 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6012 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6013 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6014 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6015 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6016 LSM_HOOK_INIT(kernel_module_from_file, selinux_kernel_module_from_file),
6017 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6018 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6019 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6020 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6021 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6022 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6023 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6024 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6025 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6026 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6027 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6028 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6029 LSM_HOOK_INIT(task_wait, selinux_task_wait),
6030 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6031
6032 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6033 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6034
6035 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6036 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6037
6038 LSM_HOOK_INIT(msg_queue_alloc_security,
6039 selinux_msg_queue_alloc_security),
6040 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6041 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6042 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6043 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6044 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6045
6046 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6047 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6048 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6049 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6050 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6051
6052 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6053 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6054 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6055 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6056 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6057
6058 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6059
6060 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6061 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6062
6063 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6064 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6065 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6066 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6067 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6068 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6069 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6070
6071 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6072 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6073
6074 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6075 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6076 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6077 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6078 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6079 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6080 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6081 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6082 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6083 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6084 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6085 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6086 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6087 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6088 LSM_HOOK_INIT(socket_getpeersec_stream,
6089 selinux_socket_getpeersec_stream),
6090 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6091 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6092 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6093 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6094 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6095 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6096 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6097 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6098 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6099 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6100 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6101 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6102 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6103 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6104 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6105 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6106 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6107 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6108 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6109
6110 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6111 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6112 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6113 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6114 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6115 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6116 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6117 selinux_xfrm_state_alloc_acquire),
6118 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6119 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6120 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6121 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6122 selinux_xfrm_state_pol_flow_match),
6123 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6124 #endif
6125
6126 #ifdef CONFIG_KEYS
6127 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6128 LSM_HOOK_INIT(key_free, selinux_key_free),
6129 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6130 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6131 #endif
6132
6133 #ifdef CONFIG_AUDIT
6134 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6135 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6136 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6137 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6138 #endif
6139 };
6140
selinux_init(void)6141 static __init int selinux_init(void)
6142 {
6143 if (!security_module_enable("selinux")) {
6144 selinux_enabled = 0;
6145 return 0;
6146 }
6147
6148 if (!selinux_enabled) {
6149 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6150 return 0;
6151 }
6152
6153 printk(KERN_INFO "SELinux: Initializing.\n");
6154
6155 /* Set the security state for the initial task. */
6156 cred_init_security();
6157
6158 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6159
6160 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6161 sizeof(struct inode_security_struct),
6162 0, SLAB_PANIC, NULL);
6163 file_security_cache = kmem_cache_create("selinux_file_security",
6164 sizeof(struct file_security_struct),
6165 0, SLAB_PANIC, NULL);
6166 avc_init();
6167
6168 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6169
6170 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6171 panic("SELinux: Unable to register AVC netcache callback\n");
6172
6173 if (selinux_enforcing)
6174 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6175 else
6176 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6177
6178 return 0;
6179 }
6180
delayed_superblock_init(struct super_block * sb,void * unused)6181 static void delayed_superblock_init(struct super_block *sb, void *unused)
6182 {
6183 superblock_doinit(sb, NULL);
6184 }
6185
selinux_complete_init(void)6186 void selinux_complete_init(void)
6187 {
6188 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6189
6190 /* Set up any superblocks initialized prior to the policy load. */
6191 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6192 iterate_supers(delayed_superblock_init, NULL);
6193 }
6194
6195 /* SELinux requires early initialization in order to label
6196 all processes and objects when they are created. */
6197 security_initcall(selinux_init);
6198
6199 #if defined(CONFIG_NETFILTER)
6200
6201 static struct nf_hook_ops selinux_nf_ops[] = {
6202 {
6203 .hook = selinux_ipv4_postroute,
6204 .pf = NFPROTO_IPV4,
6205 .hooknum = NF_INET_POST_ROUTING,
6206 .priority = NF_IP_PRI_SELINUX_LAST,
6207 },
6208 {
6209 .hook = selinux_ipv4_forward,
6210 .pf = NFPROTO_IPV4,
6211 .hooknum = NF_INET_FORWARD,
6212 .priority = NF_IP_PRI_SELINUX_FIRST,
6213 },
6214 {
6215 .hook = selinux_ipv4_output,
6216 .pf = NFPROTO_IPV4,
6217 .hooknum = NF_INET_LOCAL_OUT,
6218 .priority = NF_IP_PRI_SELINUX_FIRST,
6219 },
6220 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6221 {
6222 .hook = selinux_ipv6_postroute,
6223 .pf = NFPROTO_IPV6,
6224 .hooknum = NF_INET_POST_ROUTING,
6225 .priority = NF_IP6_PRI_SELINUX_LAST,
6226 },
6227 {
6228 .hook = selinux_ipv6_forward,
6229 .pf = NFPROTO_IPV6,
6230 .hooknum = NF_INET_FORWARD,
6231 .priority = NF_IP6_PRI_SELINUX_FIRST,
6232 },
6233 #endif /* IPV6 */
6234 };
6235
selinux_nf_ip_init(void)6236 static int __init selinux_nf_ip_init(void)
6237 {
6238 int err;
6239
6240 if (!selinux_enabled)
6241 return 0;
6242
6243 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6244
6245 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6246 if (err)
6247 panic("SELinux: nf_register_hooks: error %d\n", err);
6248
6249 return 0;
6250 }
6251
6252 __initcall(selinux_nf_ip_init);
6253
6254 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
selinux_nf_ip_exit(void)6255 static void selinux_nf_ip_exit(void)
6256 {
6257 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6258
6259 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6260 }
6261 #endif
6262
6263 #else /* CONFIG_NETFILTER */
6264
6265 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6266 #define selinux_nf_ip_exit()
6267 #endif
6268
6269 #endif /* CONFIG_NETFILTER */
6270
6271 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6272 static int selinux_disabled;
6273
selinux_disable(void)6274 int selinux_disable(void)
6275 {
6276 if (ss_initialized) {
6277 /* Not permitted after initial policy load. */
6278 return -EINVAL;
6279 }
6280
6281 if (selinux_disabled) {
6282 /* Only do this once. */
6283 return -EINVAL;
6284 }
6285
6286 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6287
6288 selinux_disabled = 1;
6289 selinux_enabled = 0;
6290
6291 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6292
6293 /* Try to destroy the avc node cache */
6294 avc_disable();
6295
6296 /* Unregister netfilter hooks. */
6297 selinux_nf_ip_exit();
6298
6299 /* Unregister selinuxfs. */
6300 exit_sel_fs();
6301
6302 return 0;
6303 }
6304 #endif
6305