aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/hooks.c
diff options
context:
space:
mode:
authorStephen Smalley <sds@tycho.nsa.gov>2018-03-05 11:47:56 -0500
committerPaul Moore <paul@paul-moore.com>2018-03-20 16:58:17 -0400
commit6b6bc6205d98796361962ee282a063f18ba8dc57 (patch)
treeb9e6f6492606000e1d8826b4eb2c882726c61722 /security/selinux/hooks.c
parent0619f0f5e36f12e100ef294f5980cfe7c93ff23e (diff)
selinux: wrap AVC state
Wrap the AVC state within the selinux_state structure and pass it explicitly to all AVC functions. The AVC private state is encapsulated in a selinux_avc structure that is referenced from the selinux_state. This change should have no effect on SELinux behavior or APIs (userspace or LSM). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Reviewed-by: James Morris <james.morris@microsoft.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c398
1 files changed, 265 insertions, 133 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e7eaef2ea021..21b377aef69a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -468,12 +468,14 @@ static int may_context_mount_sb_relabel(u32 sid,
468 const struct task_security_struct *tsec = cred->security; 468 const struct task_security_struct *tsec = cred->security;
469 int rc; 469 int rc;
470 470
471 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 471 rc = avc_has_perm(&selinux_state,
472 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
472 FILESYSTEM__RELABELFROM, NULL); 473 FILESYSTEM__RELABELFROM, NULL);
473 if (rc) 474 if (rc)
474 return rc; 475 return rc;
475 476
476 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 477 rc = avc_has_perm(&selinux_state,
478 tsec->sid, sid, SECCLASS_FILESYSTEM,
477 FILESYSTEM__RELABELTO, NULL); 479 FILESYSTEM__RELABELTO, NULL);
478 return rc; 480 return rc;
479} 481}
@@ -484,12 +486,14 @@ static int may_context_mount_inode_relabel(u32 sid,
484{ 486{
485 const struct task_security_struct *tsec = cred->security; 487 const struct task_security_struct *tsec = cred->security;
486 int rc; 488 int rc;
487 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 489 rc = avc_has_perm(&selinux_state,
490 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
488 FILESYSTEM__RELABELFROM, NULL); 491 FILESYSTEM__RELABELFROM, NULL);
489 if (rc) 492 if (rc)
490 return rc; 493 return rc;
491 494
492 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 495 rc = avc_has_perm(&selinux_state,
496 sid, sbsec->sid, SECCLASS_FILESYSTEM,
493 FILESYSTEM__ASSOCIATE, NULL); 497 FILESYSTEM__ASSOCIATE, NULL);
494 return rc; 498 return rc;
495} 499}
@@ -1774,9 +1778,11 @@ static int cred_has_capability(const struct cred *cred,
1774 return -EINVAL; 1778 return -EINVAL;
1775 } 1779 }
1776 1780
1777 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1781 rc = avc_has_perm_noaudit(&selinux_state,
1782 sid, sid, sclass, av, 0, &avd);
1778 if (audit == SECURITY_CAP_AUDIT) { 1783 if (audit == SECURITY_CAP_AUDIT) {
1779 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); 1784 int rc2 = avc_audit(&selinux_state,
1785 sid, sid, sclass, av, &avd, rc, &ad, 0);
1780 if (rc2) 1786 if (rc2)
1781 return rc2; 1787 return rc2;
1782 } 1788 }
@@ -1802,7 +1808,8 @@ static int inode_has_perm(const struct cred *cred,
1802 sid = cred_sid(cred); 1808 sid = cred_sid(cred);
1803 isec = inode->i_security; 1809 isec = inode->i_security;
1804 1810
1805 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1811 return avc_has_perm(&selinux_state,
1812 sid, isec->sid, isec->sclass, perms, adp);
1806} 1813}
1807 1814
1808/* Same as inode_has_perm, but pass explicit audit data containing 1815/* Same as inode_has_perm, but pass explicit audit data containing
@@ -1875,7 +1882,8 @@ static int file_has_perm(const struct cred *cred,
1875 ad.u.file = file; 1882 ad.u.file = file;
1876 1883
1877 if (sid != fsec->sid) { 1884 if (sid != fsec->sid) {
1878 rc = avc_has_perm(sid, fsec->sid, 1885 rc = avc_has_perm(&selinux_state,
1886 sid, fsec->sid,
1879 SECCLASS_FD, 1887 SECCLASS_FD,
1880 FD__USE, 1888 FD__USE,
1881 &ad); 1889 &ad);
@@ -1945,7 +1953,8 @@ static int may_create(struct inode *dir,
1945 ad.type = LSM_AUDIT_DATA_DENTRY; 1953 ad.type = LSM_AUDIT_DATA_DENTRY;
1946 ad.u.dentry = dentry; 1954 ad.u.dentry = dentry;
1947 1955
1948 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1956 rc = avc_has_perm(&selinux_state,
1957 sid, dsec->sid, SECCLASS_DIR,
1949 DIR__ADD_NAME | DIR__SEARCH, 1958 DIR__ADD_NAME | DIR__SEARCH,
1950 &ad); 1959 &ad);
1951 if (rc) 1960 if (rc)
@@ -1956,11 +1965,13 @@ static int may_create(struct inode *dir,
1956 if (rc) 1965 if (rc)
1957 return rc; 1966 return rc;
1958 1967
1959 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1968 rc = avc_has_perm(&selinux_state,
1969 sid, newsid, tclass, FILE__CREATE, &ad);
1960 if (rc) 1970 if (rc)
1961 return rc; 1971 return rc;
1962 1972
1963 return avc_has_perm(newsid, sbsec->sid, 1973 return avc_has_perm(&selinux_state,
1974 newsid, sbsec->sid,
1964 SECCLASS_FILESYSTEM, 1975 SECCLASS_FILESYSTEM,
1965 FILESYSTEM__ASSOCIATE, &ad); 1976 FILESYSTEM__ASSOCIATE, &ad);
1966} 1977}
@@ -1989,7 +2000,8 @@ static int may_link(struct inode *dir,
1989 2000
1990 av = DIR__SEARCH; 2001 av = DIR__SEARCH;
1991 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 2002 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1992 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 2003 rc = avc_has_perm(&selinux_state,
2004 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1993 if (rc) 2005 if (rc)
1994 return rc; 2006 return rc;
1995 2007
@@ -2009,7 +2021,8 @@ static int may_link(struct inode *dir,
2009 return 0; 2021 return 0;
2010 } 2022 }
2011 2023
2012 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 2024 rc = avc_has_perm(&selinux_state,
2025 sid, isec->sid, isec->sclass, av, &ad);
2013 return rc; 2026 return rc;
2014} 2027}
2015 2028
@@ -2033,16 +2046,19 @@ static inline int may_rename(struct inode *old_dir,
2033 ad.type = LSM_AUDIT_DATA_DENTRY; 2046 ad.type = LSM_AUDIT_DATA_DENTRY;
2034 2047
2035 ad.u.dentry = old_dentry; 2048 ad.u.dentry = old_dentry;
2036 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 2049 rc = avc_has_perm(&selinux_state,
2050 sid, old_dsec->sid, SECCLASS_DIR,
2037 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 2051 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2038 if (rc) 2052 if (rc)
2039 return rc; 2053 return rc;
2040 rc = avc_has_perm(sid, old_isec->sid, 2054 rc = avc_has_perm(&selinux_state,
2055 sid, old_isec->sid,
2041 old_isec->sclass, FILE__RENAME, &ad); 2056 old_isec->sclass, FILE__RENAME, &ad);
2042 if (rc) 2057 if (rc)
2043 return rc; 2058 return rc;
2044 if (old_is_dir && new_dir != old_dir) { 2059 if (old_is_dir && new_dir != old_dir) {
2045 rc = avc_has_perm(sid, old_isec->sid, 2060 rc = avc_has_perm(&selinux_state,
2061 sid, old_isec->sid,
2046 old_isec->sclass, DIR__REPARENT, &ad); 2062 old_isec->sclass, DIR__REPARENT, &ad);
2047 if (rc) 2063 if (rc)
2048 return rc; 2064 return rc;
@@ -2052,13 +2068,15 @@ static inline int may_rename(struct inode *old_dir,
2052 av = DIR__ADD_NAME | DIR__SEARCH; 2068 av = DIR__ADD_NAME | DIR__SEARCH;
2053 if (d_is_positive(new_dentry)) 2069 if (d_is_positive(new_dentry))
2054 av |= DIR__REMOVE_NAME; 2070 av |= DIR__REMOVE_NAME;
2055 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 2071 rc = avc_has_perm(&selinux_state,
2072 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2056 if (rc) 2073 if (rc)
2057 return rc; 2074 return rc;
2058 if (d_is_positive(new_dentry)) { 2075 if (d_is_positive(new_dentry)) {
2059 new_isec = backing_inode_security(new_dentry); 2076 new_isec = backing_inode_security(new_dentry);
2060 new_is_dir = d_is_dir(new_dentry); 2077 new_is_dir = d_is_dir(new_dentry);
2061 rc = avc_has_perm(sid, new_isec->sid, 2078 rc = avc_has_perm(&selinux_state,
2079 sid, new_isec->sid,
2062 new_isec->sclass, 2080 new_isec->sclass,
2063 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 2081 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2064 if (rc) 2082 if (rc)
@@ -2078,7 +2096,8 @@ static int superblock_has_perm(const struct cred *cred,
2078 u32 sid = cred_sid(cred); 2096 u32 sid = cred_sid(cred);
2079 2097
2080 sbsec = sb->s_security; 2098 sbsec = sb->s_security;
2081 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 2099 return avc_has_perm(&selinux_state,
2100 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2082} 2101}
2083 2102
2084/* Convert a Linux mode and permission mask to an access vector. */ 2103/* Convert a Linux mode and permission mask to an access vector. */
@@ -2155,7 +2174,8 @@ static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2155 u32 mysid = current_sid(); 2174 u32 mysid = current_sid();
2156 u32 mgrsid = task_sid(mgr); 2175 u32 mgrsid = task_sid(mgr);
2157 2176
2158 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, 2177 return avc_has_perm(&selinux_state,
2178 mysid, mgrsid, SECCLASS_BINDER,
2159 BINDER__SET_CONTEXT_MGR, NULL); 2179 BINDER__SET_CONTEXT_MGR, NULL);
2160} 2180}
2161 2181
@@ -2168,13 +2188,15 @@ static int selinux_binder_transaction(struct task_struct *from,
2168 int rc; 2188 int rc;
2169 2189
2170 if (mysid != fromsid) { 2190 if (mysid != fromsid) {
2171 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, 2191 rc = avc_has_perm(&selinux_state,
2192 mysid, fromsid, SECCLASS_BINDER,
2172 BINDER__IMPERSONATE, NULL); 2193 BINDER__IMPERSONATE, NULL);
2173 if (rc) 2194 if (rc)
2174 return rc; 2195 return rc;
2175 } 2196 }
2176 2197
2177 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2198 return avc_has_perm(&selinux_state,
2199 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2178 NULL); 2200 NULL);
2179} 2201}
2180 2202
@@ -2184,7 +2206,8 @@ static int selinux_binder_transfer_binder(struct task_struct *from,
2184 u32 fromsid = task_sid(from); 2206 u32 fromsid = task_sid(from);
2185 u32 tosid = task_sid(to); 2207 u32 tosid = task_sid(to);
2186 2208
2187 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2209 return avc_has_perm(&selinux_state,
2210 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2188 NULL); 2211 NULL);
2189} 2212}
2190 2213
@@ -2203,7 +2226,8 @@ static int selinux_binder_transfer_file(struct task_struct *from,
2203 ad.u.path = file->f_path; 2226 ad.u.path = file->f_path;
2204 2227
2205 if (sid != fsec->sid) { 2228 if (sid != fsec->sid) {
2206 rc = avc_has_perm(sid, fsec->sid, 2229 rc = avc_has_perm(&selinux_state,
2230 sid, fsec->sid,
2207 SECCLASS_FD, 2231 SECCLASS_FD,
2208 FD__USE, 2232 FD__USE,
2209 &ad); 2233 &ad);
@@ -2221,7 +2245,8 @@ static int selinux_binder_transfer_file(struct task_struct *from,
2221 return 0; 2245 return 0;
2222 2246
2223 isec = backing_inode_security(dentry); 2247 isec = backing_inode_security(dentry);
2224 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), 2248 return avc_has_perm(&selinux_state,
2249 sid, isec->sid, isec->sclass, file_to_av(file),
2225 &ad); 2250 &ad);
2226} 2251}
2227 2252
@@ -2232,21 +2257,25 @@ static int selinux_ptrace_access_check(struct task_struct *child,
2232 u32 csid = task_sid(child); 2257 u32 csid = task_sid(child);
2233 2258
2234 if (mode & PTRACE_MODE_READ) 2259 if (mode & PTRACE_MODE_READ)
2235 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2260 return avc_has_perm(&selinux_state,
2261 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2236 2262
2237 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2263 return avc_has_perm(&selinux_state,
2264 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2238} 2265}
2239 2266
2240static int selinux_ptrace_traceme(struct task_struct *parent) 2267static int selinux_ptrace_traceme(struct task_struct *parent)
2241{ 2268{
2242 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS, 2269 return avc_has_perm(&selinux_state,
2270 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2243 PROCESS__PTRACE, NULL); 2271 PROCESS__PTRACE, NULL);
2244} 2272}
2245 2273
2246static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2274static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2247 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2275 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2248{ 2276{
2249 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS, 2277 return avc_has_perm(&selinux_state,
2278 current_sid(), task_sid(target), SECCLASS_PROCESS,
2250 PROCESS__GETCAP, NULL); 2279 PROCESS__GETCAP, NULL);
2251} 2280}
2252 2281
@@ -2255,7 +2284,8 @@ static int selinux_capset(struct cred *new, const struct cred *old,
2255 const kernel_cap_t *inheritable, 2284 const kernel_cap_t *inheritable,
2256 const kernel_cap_t *permitted) 2285 const kernel_cap_t *permitted)
2257{ 2286{
2258 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2287 return avc_has_perm(&selinux_state,
2288 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2259 PROCESS__SETCAP, NULL); 2289 PROCESS__SETCAP, NULL);
2260} 2290}
2261 2291
@@ -2315,18 +2345,21 @@ static int selinux_syslog(int type)
2315 switch (type) { 2345 switch (type) {
2316 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2346 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2317 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2347 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2318 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2348 return avc_has_perm(&selinux_state,
2349 current_sid(), SECINITSID_KERNEL,
2319 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2350 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2320 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2351 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2321 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2352 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2322 /* Set level of messages printed to console */ 2353 /* Set level of messages printed to console */
2323 case SYSLOG_ACTION_CONSOLE_LEVEL: 2354 case SYSLOG_ACTION_CONSOLE_LEVEL:
2324 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2355 return avc_has_perm(&selinux_state,
2356 current_sid(), SECINITSID_KERNEL,
2325 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2357 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2326 NULL); 2358 NULL);
2327 } 2359 }
2328 /* All other syslog types */ 2360 /* All other syslog types */
2329 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2361 return avc_has_perm(&selinux_state,
2362 current_sid(), SECINITSID_KERNEL,
2330 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2363 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2331} 2364}
2332 2365
@@ -2393,7 +2426,8 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm,
2393 av |= PROCESS2__NNP_TRANSITION; 2426 av |= PROCESS2__NNP_TRANSITION;
2394 if (nosuid) 2427 if (nosuid)
2395 av |= PROCESS2__NOSUID_TRANSITION; 2428 av |= PROCESS2__NOSUID_TRANSITION;
2396 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2429 rc = avc_has_perm(&selinux_state,
2430 old_tsec->sid, new_tsec->sid,
2397 SECCLASS_PROCESS2, av, NULL); 2431 SECCLASS_PROCESS2, av, NULL);
2398 if (!rc) 2432 if (!rc)
2399 return 0; 2433 return 0;
@@ -2476,25 +2510,29 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2476 ad.u.file = bprm->file; 2510 ad.u.file = bprm->file;
2477 2511
2478 if (new_tsec->sid == old_tsec->sid) { 2512 if (new_tsec->sid == old_tsec->sid) {
2479 rc = avc_has_perm(old_tsec->sid, isec->sid, 2513 rc = avc_has_perm(&selinux_state,
2514 old_tsec->sid, isec->sid,
2480 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2515 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2481 if (rc) 2516 if (rc)
2482 return rc; 2517 return rc;
2483 } else { 2518 } else {
2484 /* Check permissions for the transition. */ 2519 /* Check permissions for the transition. */
2485 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2520 rc = avc_has_perm(&selinux_state,
2521 old_tsec->sid, new_tsec->sid,
2486 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2522 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2487 if (rc) 2523 if (rc)
2488 return rc; 2524 return rc;
2489 2525
2490 rc = avc_has_perm(new_tsec->sid, isec->sid, 2526 rc = avc_has_perm(&selinux_state,
2527 new_tsec->sid, isec->sid,
2491 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2528 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2492 if (rc) 2529 if (rc)
2493 return rc; 2530 return rc;
2494 2531
2495 /* Check for shared state */ 2532 /* Check for shared state */
2496 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2533 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2497 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2534 rc = avc_has_perm(&selinux_state,
2535 old_tsec->sid, new_tsec->sid,
2498 SECCLASS_PROCESS, PROCESS__SHARE, 2536 SECCLASS_PROCESS, PROCESS__SHARE,
2499 NULL); 2537 NULL);
2500 if (rc) 2538 if (rc)
@@ -2506,7 +2544,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2506 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2544 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2507 u32 ptsid = ptrace_parent_sid(); 2545 u32 ptsid = ptrace_parent_sid();
2508 if (ptsid != 0) { 2546 if (ptsid != 0) {
2509 rc = avc_has_perm(ptsid, new_tsec->sid, 2547 rc = avc_has_perm(&selinux_state,
2548 ptsid, new_tsec->sid,
2510 SECCLASS_PROCESS, 2549 SECCLASS_PROCESS,
2511 PROCESS__PTRACE, NULL); 2550 PROCESS__PTRACE, NULL);
2512 if (rc) 2551 if (rc)
@@ -2520,7 +2559,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2520 /* Enable secure mode for SIDs transitions unless 2559 /* Enable secure mode for SIDs transitions unless
2521 the noatsecure permission is granted between 2560 the noatsecure permission is granted between
2522 the two SIDs, i.e. ahp returns 0. */ 2561 the two SIDs, i.e. ahp returns 0. */
2523 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2562 rc = avc_has_perm(&selinux_state,
2563 old_tsec->sid, new_tsec->sid,
2524 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2564 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2525 NULL); 2565 NULL);
2526 bprm->secureexec |= !!rc; 2566 bprm->secureexec |= !!rc;
@@ -2612,7 +2652,8 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2612 * higher than the default soft limit for cases where the default is 2652 * higher than the default soft limit for cases where the default is
2613 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2653 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2614 */ 2654 */
2615 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2655 rc = avc_has_perm(&selinux_state,
2656 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2616 PROCESS__RLIMITINH, NULL); 2657 PROCESS__RLIMITINH, NULL);
2617 if (rc) { 2658 if (rc) {
2618 /* protect against do_prlimit() */ 2659 /* protect against do_prlimit() */
@@ -2652,7 +2693,8 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2652 * This must occur _after_ the task SID has been updated so that any 2693 * This must occur _after_ the task SID has been updated so that any
2653 * kill done after the flush will be checked against the new SID. 2694 * kill done after the flush will be checked against the new SID.
2654 */ 2695 */
2655 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2696 rc = avc_has_perm(&selinux_state,
2697 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2656 if (rc) { 2698 if (rc) {
2657 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) { 2699 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2658 memset(&itimer, 0, sizeof itimer); 2700 memset(&itimer, 0, sizeof itimer);
@@ -3081,7 +3123,8 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3081 if (IS_ERR(isec)) 3123 if (IS_ERR(isec))
3082 return PTR_ERR(isec); 3124 return PTR_ERR(isec);
3083 3125
3084 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad, 3126 return avc_has_perm_flags(&selinux_state,
3127 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3085 rcu ? MAY_NOT_BLOCK : 0); 3128 rcu ? MAY_NOT_BLOCK : 0);
3086} 3129}
3087 3130
@@ -3097,7 +3140,8 @@ static noinline int audit_inode_permission(struct inode *inode,
3097 ad.type = LSM_AUDIT_DATA_INODE; 3140 ad.type = LSM_AUDIT_DATA_INODE;
3098 ad.u.inode = inode; 3141 ad.u.inode = inode;
3099 3142
3100 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 3143 rc = slow_avc_audit(&selinux_state,
3144 current_sid(), isec->sid, isec->sclass, perms,
3101 audited, denied, result, &ad, flags); 3145 audited, denied, result, &ad, flags);
3102 if (rc) 3146 if (rc)
3103 return rc; 3147 return rc;
@@ -3135,7 +3179,8 @@ static int selinux_inode_permission(struct inode *inode, int mask)
3135 if (IS_ERR(isec)) 3179 if (IS_ERR(isec))
3136 return PTR_ERR(isec); 3180 return PTR_ERR(isec);
3137 3181
3138 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); 3182 rc = avc_has_perm_noaudit(&selinux_state,
3183 sid, isec->sid, isec->sclass, perms, 0, &avd);
3139 audited = avc_audit_required(perms, &avd, rc, 3184 audited = avc_audit_required(perms, &avd, rc,
3140 from_access ? FILE__AUDIT_ACCESS : 0, 3185 from_access ? FILE__AUDIT_ACCESS : 0,
3141 &denied); 3186 &denied);
@@ -3224,7 +3269,8 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3224 ad.u.dentry = dentry; 3269 ad.u.dentry = dentry;
3225 3270
3226 isec = backing_inode_security(dentry); 3271 isec = backing_inode_security(dentry);
3227 rc = avc_has_perm(sid, isec->sid, isec->sclass, 3272 rc = avc_has_perm(&selinux_state,
3273 sid, isec->sid, isec->sclass,
3228 FILE__RELABELFROM, &ad); 3274 FILE__RELABELFROM, &ad);
3229 if (rc) 3275 if (rc)
3230 return rc; 3276 return rc;
@@ -3261,7 +3307,8 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3261 if (rc) 3307 if (rc)
3262 return rc; 3308 return rc;
3263 3309
3264 rc = avc_has_perm(sid, newsid, isec->sclass, 3310 rc = avc_has_perm(&selinux_state,
3311 sid, newsid, isec->sclass,
3265 FILE__RELABELTO, &ad); 3312 FILE__RELABELTO, &ad);
3266 if (rc) 3313 if (rc)
3267 return rc; 3314 return rc;
@@ -3271,7 +3318,8 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3271 if (rc) 3318 if (rc)
3272 return rc; 3319 return rc;
3273 3320
3274 return avc_has_perm(newsid, 3321 return avc_has_perm(&selinux_state,
3322 newsid,
3275 sbsec->sid, 3323 sbsec->sid,
3276 SECCLASS_FILESYSTEM, 3324 SECCLASS_FILESYSTEM,
3277 FILESYSTEM__ASSOCIATE, 3325 FILESYSTEM__ASSOCIATE,
@@ -3489,7 +3537,7 @@ static int selinux_file_permission(struct file *file, int mask)
3489 3537
3490 isec = inode_security(inode); 3538 isec = inode_security(inode);
3491 if (sid == fsec->sid && fsec->isid == isec->sid && 3539 if (sid == fsec->sid && fsec->isid == isec->sid &&
3492 fsec->pseqno == avc_policy_seqno()) 3540 fsec->pseqno == avc_policy_seqno(&selinux_state))
3493 /* No change since file_open check. */ 3541 /* No change since file_open check. */
3494 return 0; 3542 return 0;
3495 3543
@@ -3529,7 +3577,8 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file,
3529 ad.u.op->path = file->f_path; 3577 ad.u.op->path = file->f_path;
3530 3578
3531 if (ssid != fsec->sid) { 3579 if (ssid != fsec->sid) {
3532 rc = avc_has_perm(ssid, fsec->sid, 3580 rc = avc_has_perm(&selinux_state,
3581 ssid, fsec->sid,
3533 SECCLASS_FD, 3582 SECCLASS_FD,
3534 FD__USE, 3583 FD__USE,
3535 &ad); 3584 &ad);
@@ -3541,8 +3590,9 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file,
3541 return 0; 3590 return 0;
3542 3591
3543 isec = inode_security(inode); 3592 isec = inode_security(inode);
3544 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, 3593 rc = avc_has_extended_perms(&selinux_state,
3545 requested, driver, xperm, &ad); 3594 ssid, isec->sid, isec->sclass,
3595 requested, driver, xperm, &ad);
3546out: 3596out:
3547 return rc; 3597 return rc;
3548} 3598}
@@ -3610,7 +3660,8 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
3610 * private file mapping that will also be writable. 3660 * private file mapping that will also be writable.
3611 * This has an additional check. 3661 * This has an additional check.
3612 */ 3662 */
3613 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3663 rc = avc_has_perm(&selinux_state,
3664 sid, sid, SECCLASS_PROCESS,
3614 PROCESS__EXECMEM, NULL); 3665 PROCESS__EXECMEM, NULL);
3615 if (rc) 3666 if (rc)
3616 goto error; 3667 goto error;
@@ -3640,7 +3691,8 @@ static int selinux_mmap_addr(unsigned long addr)
3640 3691
3641 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3692 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3642 u32 sid = current_sid(); 3693 u32 sid = current_sid();
3643 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3694 rc = avc_has_perm(&selinux_state,
3695 sid, sid, SECCLASS_MEMPROTECT,
3644 MEMPROTECT__MMAP_ZERO, NULL); 3696 MEMPROTECT__MMAP_ZERO, NULL);
3645 } 3697 }
3646 3698
@@ -3684,13 +3736,15 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
3684 int rc = 0; 3736 int rc = 0;
3685 if (vma->vm_start >= vma->vm_mm->start_brk && 3737 if (vma->vm_start >= vma->vm_mm->start_brk &&
3686 vma->vm_end <= vma->vm_mm->brk) { 3738 vma->vm_end <= vma->vm_mm->brk) {
3687 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3739 rc = avc_has_perm(&selinux_state,
3740 sid, sid, SECCLASS_PROCESS,
3688 PROCESS__EXECHEAP, NULL); 3741 PROCESS__EXECHEAP, NULL);
3689 } else if (!vma->vm_file && 3742 } else if (!vma->vm_file &&
3690 ((vma->vm_start <= vma->vm_mm->start_stack && 3743 ((vma->vm_start <= vma->vm_mm->start_stack &&
3691 vma->vm_end >= vma->vm_mm->start_stack) || 3744 vma->vm_end >= vma->vm_mm->start_stack) ||
3692 vma_is_stack_for_current(vma))) { 3745 vma_is_stack_for_current(vma))) {
3693 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3746 rc = avc_has_perm(&selinux_state,
3747 sid, sid, SECCLASS_PROCESS,
3694 PROCESS__EXECSTACK, NULL); 3748 PROCESS__EXECSTACK, NULL);
3695 } else if (vma->vm_file && vma->anon_vma) { 3749 } else if (vma->vm_file && vma->anon_vma) {
3696 /* 3750 /*
@@ -3782,7 +3836,8 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
3782 else 3836 else
3783 perm = signal_to_av(signum); 3837 perm = signal_to_av(signum);
3784 3838
3785 return avc_has_perm(fsec->fown_sid, sid, 3839 return avc_has_perm(&selinux_state,
3840 fsec->fown_sid, sid,
3786 SECCLASS_PROCESS, perm, NULL); 3841 SECCLASS_PROCESS, perm, NULL);
3787} 3842}
3788 3843
@@ -3808,7 +3863,7 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
3808 * struct as its SID. 3863 * struct as its SID.
3809 */ 3864 */
3810 fsec->isid = isec->sid; 3865 fsec->isid = isec->sid;
3811 fsec->pseqno = avc_policy_seqno(); 3866 fsec->pseqno = avc_policy_seqno(&selinux_state);
3812 /* 3867 /*
3813 * Since the inode label or policy seqno may have changed 3868 * Since the inode label or policy seqno may have changed
3814 * between the selinux_inode_permission check and the saving 3869 * between the selinux_inode_permission check and the saving
@@ -3827,7 +3882,8 @@ static int selinux_task_alloc(struct task_struct *task,
3827{ 3882{
3828 u32 sid = current_sid(); 3883 u32 sid = current_sid();
3829 3884
3830 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3885 return avc_has_perm(&selinux_state,
3886 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3831} 3887}
3832 3888
3833/* 3889/*
@@ -3901,7 +3957,8 @@ static int selinux_kernel_act_as(struct cred *new, u32 secid)
3901 u32 sid = current_sid(); 3957 u32 sid = current_sid();
3902 int ret; 3958 int ret;
3903 3959
3904 ret = avc_has_perm(sid, secid, 3960 ret = avc_has_perm(&selinux_state,
3961 sid, secid,
3905 SECCLASS_KERNEL_SERVICE, 3962 SECCLASS_KERNEL_SERVICE,
3906 KERNEL_SERVICE__USE_AS_OVERRIDE, 3963 KERNEL_SERVICE__USE_AS_OVERRIDE,
3907 NULL); 3964 NULL);
@@ -3925,7 +3982,8 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3925 u32 sid = current_sid(); 3982 u32 sid = current_sid();
3926 int ret; 3983 int ret;
3927 3984
3928 ret = avc_has_perm(sid, isec->sid, 3985 ret = avc_has_perm(&selinux_state,
3986 sid, isec->sid,
3929 SECCLASS_KERNEL_SERVICE, 3987 SECCLASS_KERNEL_SERVICE,
3930 KERNEL_SERVICE__CREATE_FILES_AS, 3988 KERNEL_SERVICE__CREATE_FILES_AS,
3931 NULL); 3989 NULL);
@@ -3942,7 +4000,8 @@ static int selinux_kernel_module_request(char *kmod_name)
3942 ad.type = LSM_AUDIT_DATA_KMOD; 4000 ad.type = LSM_AUDIT_DATA_KMOD;
3943 ad.u.kmod_name = kmod_name; 4001 ad.u.kmod_name = kmod_name;
3944 4002
3945 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4003 return avc_has_perm(&selinux_state,
4004 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3946 SYSTEM__MODULE_REQUEST, &ad); 4005 SYSTEM__MODULE_REQUEST, &ad);
3947} 4006}
3948 4007
@@ -3956,7 +4015,8 @@ static int selinux_kernel_module_from_file(struct file *file)
3956 4015
3957 /* init_module */ 4016 /* init_module */
3958 if (file == NULL) 4017 if (file == NULL)
3959 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, 4018 return avc_has_perm(&selinux_state,
4019 sid, sid, SECCLASS_SYSTEM,
3960 SYSTEM__MODULE_LOAD, NULL); 4020 SYSTEM__MODULE_LOAD, NULL);
3961 4021
3962 /* finit_module */ 4022 /* finit_module */
@@ -3966,13 +4026,15 @@ static int selinux_kernel_module_from_file(struct file *file)
3966 4026
3967 fsec = file->f_security; 4027 fsec = file->f_security;
3968 if (sid != fsec->sid) { 4028 if (sid != fsec->sid) {
3969 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4029 rc = avc_has_perm(&selinux_state,
4030 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3970 if (rc) 4031 if (rc)
3971 return rc; 4032 return rc;
3972 } 4033 }
3973 4034
3974 isec = inode_security(file_inode(file)); 4035 isec = inode_security(file_inode(file));
3975 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, 4036 return avc_has_perm(&selinux_state,
4037 sid, isec->sid, SECCLASS_SYSTEM,
3976 SYSTEM__MODULE_LOAD, &ad); 4038 SYSTEM__MODULE_LOAD, &ad);
3977} 4039}
3978 4040
@@ -3994,19 +4056,22 @@ static int selinux_kernel_read_file(struct file *file,
3994 4056
3995static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4057static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3996{ 4058{
3997 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4059 return avc_has_perm(&selinux_state,
4060 current_sid(), task_sid(p), SECCLASS_PROCESS,
3998 PROCESS__SETPGID, NULL); 4061 PROCESS__SETPGID, NULL);
3999} 4062}
4000 4063
4001static int selinux_task_getpgid(struct task_struct *p) 4064static int selinux_task_getpgid(struct task_struct *p)
4002{ 4065{
4003 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4066 return avc_has_perm(&selinux_state,
4067 current_sid(), task_sid(p), SECCLASS_PROCESS,
4004 PROCESS__GETPGID, NULL); 4068 PROCESS__GETPGID, NULL);
4005} 4069}
4006 4070
4007static int selinux_task_getsid(struct task_struct *p) 4071static int selinux_task_getsid(struct task_struct *p)
4008{ 4072{
4009 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4073 return avc_has_perm(&selinux_state,
4074 current_sid(), task_sid(p), SECCLASS_PROCESS,
4010 PROCESS__GETSESSION, NULL); 4075 PROCESS__GETSESSION, NULL);
4011} 4076}
4012 4077
@@ -4017,19 +4082,22 @@ static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4017 4082
4018static int selinux_task_setnice(struct task_struct *p, int nice) 4083static int selinux_task_setnice(struct task_struct *p, int nice)
4019{ 4084{
4020 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4085 return avc_has_perm(&selinux_state,
4086 current_sid(), task_sid(p), SECCLASS_PROCESS,
4021 PROCESS__SETSCHED, NULL); 4087 PROCESS__SETSCHED, NULL);
4022} 4088}
4023 4089
4024static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4090static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4025{ 4091{
4026 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4092 return avc_has_perm(&selinux_state,
4093 current_sid(), task_sid(p), SECCLASS_PROCESS,
4027 PROCESS__SETSCHED, NULL); 4094 PROCESS__SETSCHED, NULL);
4028} 4095}
4029 4096
4030static int selinux_task_getioprio(struct task_struct *p) 4097static int selinux_task_getioprio(struct task_struct *p)
4031{ 4098{
4032 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4099 return avc_has_perm(&selinux_state,
4100 current_sid(), task_sid(p), SECCLASS_PROCESS,
4033 PROCESS__GETSCHED, NULL); 4101 PROCESS__GETSCHED, NULL);
4034} 4102}
4035 4103
@@ -4044,7 +4112,8 @@ static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcre
4044 av |= PROCESS__SETRLIMIT; 4112 av |= PROCESS__SETRLIMIT;
4045 if (flags & LSM_PRLIMIT_READ) 4113 if (flags & LSM_PRLIMIT_READ)
4046 av |= PROCESS__GETRLIMIT; 4114 av |= PROCESS__GETRLIMIT;
4047 return avc_has_perm(cred_sid(cred), cred_sid(tcred), 4115 return avc_has_perm(&selinux_state,
4116 cred_sid(cred), cred_sid(tcred),
4048 SECCLASS_PROCESS, av, NULL); 4117 SECCLASS_PROCESS, av, NULL);
4049} 4118}
4050 4119
@@ -4058,7 +4127,8 @@ static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4058 later be used as a safe reset point for the soft limit 4127 later be used as a safe reset point for the soft limit
4059 upon context transitions. See selinux_bprm_committing_creds. */ 4128 upon context transitions. See selinux_bprm_committing_creds. */
4060 if (old_rlim->rlim_max != new_rlim->rlim_max) 4129 if (old_rlim->rlim_max != new_rlim->rlim_max)
4061 return avc_has_perm(current_sid(), task_sid(p), 4130 return avc_has_perm(&selinux_state,
4131 current_sid(), task_sid(p),
4062 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4132 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4063 4133
4064 return 0; 4134 return 0;
@@ -4066,19 +4136,22 @@ static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4066 4136
4067static int selinux_task_setscheduler(struct task_struct *p) 4137static int selinux_task_setscheduler(struct task_struct *p)
4068{ 4138{
4069 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4139 return avc_has_perm(&selinux_state,
4140 current_sid(), task_sid(p), SECCLASS_PROCESS,
4070 PROCESS__SETSCHED, NULL); 4141 PROCESS__SETSCHED, NULL);
4071} 4142}
4072 4143
4073static int selinux_task_getscheduler(struct task_struct *p) 4144static int selinux_task_getscheduler(struct task_struct *p)
4074{ 4145{
4075 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4146 return avc_has_perm(&selinux_state,
4147 current_sid(), task_sid(p), SECCLASS_PROCESS,
4076 PROCESS__GETSCHED, NULL); 4148 PROCESS__GETSCHED, NULL);
4077} 4149}
4078 4150
4079static int selinux_task_movememory(struct task_struct *p) 4151static int selinux_task_movememory(struct task_struct *p)
4080{ 4152{
4081 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4153 return avc_has_perm(&selinux_state,
4154 current_sid(), task_sid(p), SECCLASS_PROCESS,
4082 PROCESS__SETSCHED, NULL); 4155 PROCESS__SETSCHED, NULL);
4083} 4156}
4084 4157
@@ -4093,7 +4166,8 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4093 perm = signal_to_av(sig); 4166 perm = signal_to_av(sig);
4094 if (!secid) 4167 if (!secid)
4095 secid = current_sid(); 4168 secid = current_sid();
4096 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); 4169 return avc_has_perm(&selinux_state,
4170 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4097} 4171}
4098 4172
4099static void selinux_task_to_inode(struct task_struct *p, 4173static void selinux_task_to_inode(struct task_struct *p,
@@ -4428,7 +4502,8 @@ static int sock_has_perm(struct sock *sk, u32 perms)
4428 ad.u.net = &net; 4502 ad.u.net = &net;
4429 ad.u.net->sk = sk; 4503 ad.u.net->sk = sk;
4430 4504
4431 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4505 return avc_has_perm(&selinux_state,
4506 current_sid(), sksec->sid, sksec->sclass, perms,
4432 &ad); 4507 &ad);
4433} 4508}
4434 4509
@@ -4448,7 +4523,8 @@ static int selinux_socket_create(int family, int type,
4448 if (rc) 4523 if (rc)
4449 return rc; 4524 return rc;
4450 4525
4451 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4526 return avc_has_perm(&selinux_state,
4527 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4452} 4528}
4453 4529
4454static int selinux_socket_post_create(struct socket *sock, int family, 4530static int selinux_socket_post_create(struct socket *sock, int family,
@@ -4557,7 +4633,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4557 ad.u.net = &net; 4633 ad.u.net = &net;
4558 ad.u.net->sport = htons(snum); 4634 ad.u.net->sport = htons(snum);
4559 ad.u.net->family = family; 4635 ad.u.net->family = family;
4560 err = avc_has_perm(sksec->sid, sid, 4636 err = avc_has_perm(&selinux_state,
4637 sksec->sid, sid,
4561 sksec->sclass, 4638 sksec->sclass,
4562 SOCKET__NAME_BIND, &ad); 4639 SOCKET__NAME_BIND, &ad);
4563 if (err) 4640 if (err)
@@ -4601,7 +4678,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4601 else 4678 else
4602 ad.u.net->v6info.saddr = addr6->sin6_addr; 4679 ad.u.net->v6info.saddr = addr6->sin6_addr;
4603 4680
4604 err = avc_has_perm(sksec->sid, sid, 4681 err = avc_has_perm(&selinux_state,
4682 sksec->sid, sid,
4605 sksec->sclass, node_perm, &ad); 4683 sksec->sclass, node_perm, &ad);
4606 if (err) 4684 if (err)
4607 goto out; 4685 goto out;
@@ -4686,7 +4764,8 @@ static int selinux_socket_connect_helper(struct socket *sock,
4686 ad.u.net = &net; 4764 ad.u.net = &net;
4687 ad.u.net->dport = htons(snum); 4765 ad.u.net->dport = htons(snum);
4688 ad.u.net->family = sk->sk_family; 4766 ad.u.net->family = sk->sk_family;
4689 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 4767 err = avc_has_perm(&selinux_state,
4768 sksec->sid, sid, sksec->sclass, perm, &ad);
4690 if (err) 4769 if (err)
4691 return err; 4770 return err;
4692 } 4771 }
@@ -4798,7 +4877,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
4798 ad.u.net = &net; 4877 ad.u.net = &net;
4799 ad.u.net->sk = other; 4878 ad.u.net->sk = other;
4800 4879
4801 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 4880 err = avc_has_perm(&selinux_state,
4881 sksec_sock->sid, sksec_other->sid,
4802 sksec_other->sclass, 4882 sksec_other->sclass,
4803 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4883 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4804 if (err) 4884 if (err)
@@ -4829,7 +4909,8 @@ static int selinux_socket_unix_may_send(struct socket *sock,
4829 ad.u.net = &net; 4909 ad.u.net = &net;
4830 ad.u.net->sk = other->sk; 4910 ad.u.net->sk = other->sk;
4831 4911
4832 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4912 return avc_has_perm(&selinux_state,
4913 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4833 &ad); 4914 &ad);
4834} 4915}
4835 4916
@@ -4844,7 +4925,8 @@ static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4844 err = sel_netif_sid(ns, ifindex, &if_sid); 4925 err = sel_netif_sid(ns, ifindex, &if_sid);
4845 if (err) 4926 if (err)
4846 return err; 4927 return err;
4847 err = avc_has_perm(peer_sid, if_sid, 4928 err = avc_has_perm(&selinux_state,
4929 peer_sid, if_sid,
4848 SECCLASS_NETIF, NETIF__INGRESS, ad); 4930 SECCLASS_NETIF, NETIF__INGRESS, ad);
4849 if (err) 4931 if (err)
4850 return err; 4932 return err;
@@ -4852,7 +4934,8 @@ static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4852 err = sel_netnode_sid(addrp, family, &node_sid); 4934 err = sel_netnode_sid(addrp, family, &node_sid);
4853 if (err) 4935 if (err)
4854 return err; 4936 return err;
4855 return avc_has_perm(peer_sid, node_sid, 4937 return avc_has_perm(&selinux_state,
4938 peer_sid, node_sid,
4856 SECCLASS_NODE, NODE__RECVFROM, ad); 4939 SECCLASS_NODE, NODE__RECVFROM, ad);
4857} 4940}
4858 4941
@@ -4875,7 +4958,8 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4875 return err; 4958 return err;
4876 4959
4877 if (selinux_secmark_enabled()) { 4960 if (selinux_secmark_enabled()) {
4878 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4961 err = avc_has_perm(&selinux_state,
4962 sk_sid, skb->secmark, SECCLASS_PACKET,
4879 PACKET__RECV, &ad); 4963 PACKET__RECV, &ad);
4880 if (err) 4964 if (err)
4881 return err; 4965 return err;
@@ -4940,7 +5024,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4940 selinux_netlbl_err(skb, family, err, 0); 5024 selinux_netlbl_err(skb, family, err, 0);
4941 return err; 5025 return err;
4942 } 5026 }
4943 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 5027 err = avc_has_perm(&selinux_state,
5028 sk_sid, peer_sid, SECCLASS_PEER,
4944 PEER__RECV, &ad); 5029 PEER__RECV, &ad);
4945 if (err) { 5030 if (err) {
4946 selinux_netlbl_err(skb, family, err, 0); 5031 selinux_netlbl_err(skb, family, err, 0);
@@ -4949,7 +5034,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4949 } 5034 }
4950 5035
4951 if (secmark_active) { 5036 if (secmark_active) {
4952 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5037 err = avc_has_perm(&selinux_state,
5038 sk_sid, skb->secmark, SECCLASS_PACKET,
4953 PACKET__RECV, &ad); 5039 PACKET__RECV, &ad);
4954 if (err) 5040 if (err)
4955 return err; 5041 return err;
@@ -5132,7 +5218,8 @@ static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5132 ad.type = LSM_AUDIT_DATA_NET; 5218 ad.type = LSM_AUDIT_DATA_NET;
5133 ad.u.net = &net; 5219 ad.u.net = &net;
5134 ad.u.net->sk = ep->base.sk; 5220 ad.u.net->sk = ep->base.sk;
5135 err = avc_has_perm(sksec->peer_sid, peer_sid, sksec->sclass, 5221 err = avc_has_perm(&selinux_state,
5222 sksec->peer_sid, peer_sid, sksec->sclass,
5136 SCTP_SOCKET__ASSOCIATION, &ad); 5223 SCTP_SOCKET__ASSOCIATION, &ad);
5137 if (err) 5224 if (err)
5138 return err; 5225 return err;
@@ -5306,7 +5393,9 @@ static int selinux_secmark_relabel_packet(u32 sid)
5306 __tsec = current_security(); 5393 __tsec = current_security();
5307 tsid = __tsec->sid; 5394 tsid = __tsec->sid;
5308 5395
5309 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL); 5396 return avc_has_perm(&selinux_state,
5397 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5398 NULL);
5310} 5399}
5311 5400
5312static void selinux_secmark_refcount_inc(void) 5401static void selinux_secmark_refcount_inc(void)
@@ -5354,7 +5443,8 @@ static int selinux_tun_dev_create(void)
5354 * connections unlike traditional sockets - check the TUN driver to 5443 * connections unlike traditional sockets - check the TUN driver to
5355 * get a better understanding of why this socket is special */ 5444 * get a better understanding of why this socket is special */
5356 5445
5357 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5446 return avc_has_perm(&selinux_state,
5447 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5358 NULL); 5448 NULL);
5359} 5449}
5360 5450
@@ -5362,7 +5452,8 @@ static int selinux_tun_dev_attach_queue(void *security)
5362{ 5452{
5363 struct tun_security_struct *tunsec = security; 5453 struct tun_security_struct *tunsec = security;
5364 5454
5365 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5455 return avc_has_perm(&selinux_state,
5456 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5366 TUN_SOCKET__ATTACH_QUEUE, NULL); 5457 TUN_SOCKET__ATTACH_QUEUE, NULL);
5367} 5458}
5368 5459
@@ -5390,11 +5481,13 @@ static int selinux_tun_dev_open(void *security)
5390 u32 sid = current_sid(); 5481 u32 sid = current_sid();
5391 int err; 5482 int err;
5392 5483
5393 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5484 err = avc_has_perm(&selinux_state,
5485 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5394 TUN_SOCKET__RELABELFROM, NULL); 5486 TUN_SOCKET__RELABELFROM, NULL);
5395 if (err) 5487 if (err)
5396 return err; 5488 return err;
5397 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 5489 err = avc_has_perm(&selinux_state,
5490 sid, sid, SECCLASS_TUN_SOCKET,
5398 TUN_SOCKET__RELABELTO, NULL); 5491 TUN_SOCKET__RELABELTO, NULL);
5399 if (err) 5492 if (err)
5400 return err; 5493 return err;
@@ -5485,7 +5578,8 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb,
5485 } 5578 }
5486 5579
5487 if (secmark_active) 5580 if (secmark_active)
5488 if (avc_has_perm(peer_sid, skb->secmark, 5581 if (avc_has_perm(&selinux_state,
5582 peer_sid, skb->secmark,
5489 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5583 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5490 return NF_DROP; 5584 return NF_DROP;
5491 5585
@@ -5597,7 +5691,8 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5597 return NF_DROP; 5691 return NF_DROP;
5598 5692
5599 if (selinux_secmark_enabled()) 5693 if (selinux_secmark_enabled())
5600 if (avc_has_perm(sksec->sid, skb->secmark, 5694 if (avc_has_perm(&selinux_state,
5695 sksec->sid, skb->secmark,
5601 SECCLASS_PACKET, PACKET__SEND, &ad)) 5696 SECCLASS_PACKET, PACKET__SEND, &ad))
5602 return NF_DROP_ERR(-ECONNREFUSED); 5697 return NF_DROP_ERR(-ECONNREFUSED);
5603 5698
@@ -5720,7 +5815,8 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5720 return NF_DROP; 5815 return NF_DROP;
5721 5816
5722 if (secmark_active) 5817 if (secmark_active)
5723 if (avc_has_perm(peer_sid, skb->secmark, 5818 if (avc_has_perm(&selinux_state,
5819 peer_sid, skb->secmark,
5724 SECCLASS_PACKET, secmark_perm, &ad)) 5820 SECCLASS_PACKET, secmark_perm, &ad))
5725 return NF_DROP_ERR(-ECONNREFUSED); 5821 return NF_DROP_ERR(-ECONNREFUSED);
5726 5822
@@ -5730,13 +5826,15 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5730 5826
5731 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5827 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5732 return NF_DROP; 5828 return NF_DROP;
5733 if (avc_has_perm(peer_sid, if_sid, 5829 if (avc_has_perm(&selinux_state,
5830 peer_sid, if_sid,
5734 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5831 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5735 return NF_DROP_ERR(-ECONNREFUSED); 5832 return NF_DROP_ERR(-ECONNREFUSED);
5736 5833
5737 if (sel_netnode_sid(addrp, family, &node_sid)) 5834 if (sel_netnode_sid(addrp, family, &node_sid))
5738 return NF_DROP; 5835 return NF_DROP;
5739 if (avc_has_perm(peer_sid, node_sid, 5836 if (avc_has_perm(&selinux_state,
5837 peer_sid, node_sid,
5740 SECCLASS_NODE, NODE__SENDTO, &ad)) 5838 SECCLASS_NODE, NODE__SENDTO, &ad))
5741 return NF_DROP_ERR(-ECONNREFUSED); 5839 return NF_DROP_ERR(-ECONNREFUSED);
5742 } 5840 }
@@ -5824,7 +5922,8 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5824 ad.type = LSM_AUDIT_DATA_IPC; 5922 ad.type = LSM_AUDIT_DATA_IPC;
5825 ad.u.ipc_id = ipc_perms->key; 5923 ad.u.ipc_id = ipc_perms->key;
5826 5924
5827 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 5925 return avc_has_perm(&selinux_state,
5926 sid, isec->sid, isec->sclass, perms, &ad);
5828} 5927}
5829 5928
5830static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5929static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
@@ -5854,7 +5953,8 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5854 ad.type = LSM_AUDIT_DATA_IPC; 5953 ad.type = LSM_AUDIT_DATA_IPC;
5855 ad.u.ipc_id = msq->q_perm.key; 5954 ad.u.ipc_id = msq->q_perm.key;
5856 5955
5857 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5956 rc = avc_has_perm(&selinux_state,
5957 sid, isec->sid, SECCLASS_MSGQ,
5858 MSGQ__CREATE, &ad); 5958 MSGQ__CREATE, &ad);
5859 if (rc) { 5959 if (rc) {
5860 ipc_free_security(&msq->q_perm); 5960 ipc_free_security(&msq->q_perm);
@@ -5879,7 +5979,8 @@ static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5879 ad.type = LSM_AUDIT_DATA_IPC; 5979 ad.type = LSM_AUDIT_DATA_IPC;
5880 ad.u.ipc_id = msq->q_perm.key; 5980 ad.u.ipc_id = msq->q_perm.key;
5881 5981
5882 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5982 return avc_has_perm(&selinux_state,
5983 sid, isec->sid, SECCLASS_MSGQ,
5883 MSGQ__ASSOCIATE, &ad); 5984 MSGQ__ASSOCIATE, &ad);
5884} 5985}
5885 5986
@@ -5892,7 +5993,8 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5892 case IPC_INFO: 5993 case IPC_INFO:
5893 case MSG_INFO: 5994 case MSG_INFO:
5894 /* No specific object, just general system-wide information. */ 5995 /* No specific object, just general system-wide information. */
5895 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 5996 return avc_has_perm(&selinux_state,
5997 current_sid(), SECINITSID_KERNEL,
5896 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5998 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5897 case IPC_STAT: 5999 case IPC_STAT:
5898 case MSG_STAT: 6000 case MSG_STAT:
@@ -5941,15 +6043,18 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
5941 ad.u.ipc_id = msq->q_perm.key; 6043 ad.u.ipc_id = msq->q_perm.key;
5942 6044
5943 /* Can this process write to the queue? */ 6045 /* Can this process write to the queue? */
5944 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6046 rc = avc_has_perm(&selinux_state,
6047 sid, isec->sid, SECCLASS_MSGQ,
5945 MSGQ__WRITE, &ad); 6048 MSGQ__WRITE, &ad);
5946 if (!rc) 6049 if (!rc)
5947 /* Can this process send the message */ 6050 /* Can this process send the message */
5948 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 6051 rc = avc_has_perm(&selinux_state,
6052 sid, msec->sid, SECCLASS_MSG,
5949 MSG__SEND, &ad); 6053 MSG__SEND, &ad);
5950 if (!rc) 6054 if (!rc)
5951 /* Can the message be put in the queue? */ 6055 /* Can the message be put in the queue? */
5952 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 6056 rc = avc_has_perm(&selinux_state,
6057 msec->sid, isec->sid, SECCLASS_MSGQ,
5953 MSGQ__ENQUEUE, &ad); 6058 MSGQ__ENQUEUE, &ad);
5954 6059
5955 return rc; 6060 return rc;
@@ -5971,10 +6076,12 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5971 ad.type = LSM_AUDIT_DATA_IPC; 6076 ad.type = LSM_AUDIT_DATA_IPC;
5972 ad.u.ipc_id = msq->q_perm.key; 6077 ad.u.ipc_id = msq->q_perm.key;
5973 6078
5974 rc = avc_has_perm(sid, isec->sid, 6079 rc = avc_has_perm(&selinux_state,
6080 sid, isec->sid,
5975 SECCLASS_MSGQ, MSGQ__READ, &ad); 6081 SECCLASS_MSGQ, MSGQ__READ, &ad);
5976 if (!rc) 6082 if (!rc)
5977 rc = avc_has_perm(sid, msec->sid, 6083 rc = avc_has_perm(&selinux_state,
6084 sid, msec->sid,
5978 SECCLASS_MSG, MSG__RECEIVE, &ad); 6085 SECCLASS_MSG, MSG__RECEIVE, &ad);
5979 return rc; 6086 return rc;
5980} 6087}
@@ -5996,7 +6103,8 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5996 ad.type = LSM_AUDIT_DATA_IPC; 6103 ad.type = LSM_AUDIT_DATA_IPC;
5997 ad.u.ipc_id = shp->shm_perm.key; 6104 ad.u.ipc_id = shp->shm_perm.key;
5998 6105
5999 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6106 rc = avc_has_perm(&selinux_state,
6107 sid, isec->sid, SECCLASS_SHM,
6000 SHM__CREATE, &ad); 6108 SHM__CREATE, &ad);
6001 if (rc) { 6109 if (rc) {
6002 ipc_free_security(&shp->shm_perm); 6110 ipc_free_security(&shp->shm_perm);
@@ -6021,7 +6129,8 @@ static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
6021 ad.type = LSM_AUDIT_DATA_IPC; 6129 ad.type = LSM_AUDIT_DATA_IPC;
6022 ad.u.ipc_id = shp->shm_perm.key; 6130 ad.u.ipc_id = shp->shm_perm.key;
6023 6131
6024 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6132 return avc_has_perm(&selinux_state,
6133 sid, isec->sid, SECCLASS_SHM,
6025 SHM__ASSOCIATE, &ad); 6134 SHM__ASSOCIATE, &ad);
6026} 6135}
6027 6136
@@ -6035,7 +6144,8 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
6035 case IPC_INFO: 6144 case IPC_INFO:
6036 case SHM_INFO: 6145 case SHM_INFO:
6037 /* No specific object, just general system-wide information. */ 6146 /* No specific object, just general system-wide information. */
6038 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6147 return avc_has_perm(&selinux_state,
6148 current_sid(), SECINITSID_KERNEL,
6039 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6149 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6040 case IPC_STAT: 6150 case IPC_STAT:
6041 case SHM_STAT: 6151 case SHM_STAT:
@@ -6089,7 +6199,8 @@ static int selinux_sem_alloc_security(struct sem_array *sma)
6089 ad.type = LSM_AUDIT_DATA_IPC; 6199 ad.type = LSM_AUDIT_DATA_IPC;
6090 ad.u.ipc_id = sma->sem_perm.key; 6200 ad.u.ipc_id = sma->sem_perm.key;
6091 6201
6092 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6202 rc = avc_has_perm(&selinux_state,
6203 sid, isec->sid, SECCLASS_SEM,
6093 SEM__CREATE, &ad); 6204 SEM__CREATE, &ad);
6094 if (rc) { 6205 if (rc) {
6095 ipc_free_security(&sma->sem_perm); 6206 ipc_free_security(&sma->sem_perm);
@@ -6114,7 +6225,8 @@ static int selinux_sem_associate(struct sem_array *sma, int semflg)
6114 ad.type = LSM_AUDIT_DATA_IPC; 6225 ad.type = LSM_AUDIT_DATA_IPC;
6115 ad.u.ipc_id = sma->sem_perm.key; 6226 ad.u.ipc_id = sma->sem_perm.key;
6116 6227
6117 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6228 return avc_has_perm(&selinux_state,
6229 sid, isec->sid, SECCLASS_SEM,
6118 SEM__ASSOCIATE, &ad); 6230 SEM__ASSOCIATE, &ad);
6119} 6231}
6120 6232
@@ -6128,7 +6240,8 @@ static int selinux_sem_semctl(struct sem_array *sma, int cmd)
6128 case IPC_INFO: 6240 case IPC_INFO:
6129 case SEM_INFO: 6241 case SEM_INFO:
6130 /* No specific object, just general system-wide information. */ 6242 /* No specific object, just general system-wide information. */
6131 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6243 return avc_has_perm(&selinux_state,
6244 current_sid(), SECINITSID_KERNEL,
6132 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6245 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6133 case GETPID: 6246 case GETPID:
6134 case GETNCNT: 6247 case GETNCNT:
@@ -6214,7 +6327,8 @@ static int selinux_getprocattr(struct task_struct *p,
6214 __tsec = __task_cred(p)->security; 6327 __tsec = __task_cred(p)->security;
6215 6328
6216 if (current != p) { 6329 if (current != p) {
6217 error = avc_has_perm(current_sid(), __tsec->sid, 6330 error = avc_has_perm(&selinux_state,
6331 current_sid(), __tsec->sid,
6218 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6332 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6219 if (error) 6333 if (error)
6220 goto bad; 6334 goto bad;
@@ -6263,19 +6377,24 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6263 * Basic control over ability to set these attributes at all. 6377 * Basic control over ability to set these attributes at all.
6264 */ 6378 */
6265 if (!strcmp(name, "exec")) 6379 if (!strcmp(name, "exec"))
6266 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6380 error = avc_has_perm(&selinux_state,
6381 mysid, mysid, SECCLASS_PROCESS,
6267 PROCESS__SETEXEC, NULL); 6382 PROCESS__SETEXEC, NULL);
6268 else if (!strcmp(name, "fscreate")) 6383 else if (!strcmp(name, "fscreate"))
6269 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6384 error = avc_has_perm(&selinux_state,
6385 mysid, mysid, SECCLASS_PROCESS,
6270 PROCESS__SETFSCREATE, NULL); 6386 PROCESS__SETFSCREATE, NULL);
6271 else if (!strcmp(name, "keycreate")) 6387 else if (!strcmp(name, "keycreate"))
6272 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6388 error = avc_has_perm(&selinux_state,
6389 mysid, mysid, SECCLASS_PROCESS,
6273 PROCESS__SETKEYCREATE, NULL); 6390 PROCESS__SETKEYCREATE, NULL);
6274 else if (!strcmp(name, "sockcreate")) 6391 else if (!strcmp(name, "sockcreate"))
6275 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6392 error = avc_has_perm(&selinux_state,
6393 mysid, mysid, SECCLASS_PROCESS,
6276 PROCESS__SETSOCKCREATE, NULL); 6394 PROCESS__SETSOCKCREATE, NULL);
6277 else if (!strcmp(name, "current")) 6395 else if (!strcmp(name, "current"))
6278 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6396 error = avc_has_perm(&selinux_state,
6397 mysid, mysid, SECCLASS_PROCESS,
6279 PROCESS__SETCURRENT, NULL); 6398 PROCESS__SETCURRENT, NULL);
6280 else 6399 else
6281 error = -EINVAL; 6400 error = -EINVAL;
@@ -6332,7 +6451,8 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6332 } else if (!strcmp(name, "fscreate")) { 6451 } else if (!strcmp(name, "fscreate")) {
6333 tsec->create_sid = sid; 6452 tsec->create_sid = sid;
6334 } else if (!strcmp(name, "keycreate")) { 6453 } else if (!strcmp(name, "keycreate")) {
6335 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE, 6454 error = avc_has_perm(&selinux_state,
6455 mysid, sid, SECCLASS_KEY, KEY__CREATE,
6336 NULL); 6456 NULL);
6337 if (error) 6457 if (error)
6338 goto abort_change; 6458 goto abort_change;
@@ -6354,7 +6474,8 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6354 } 6474 }
6355 6475
6356 /* Check permissions for the transition. */ 6476 /* Check permissions for the transition. */
6357 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 6477 error = avc_has_perm(&selinux_state,
6478 tsec->sid, sid, SECCLASS_PROCESS,
6358 PROCESS__DYNTRANSITION, NULL); 6479 PROCESS__DYNTRANSITION, NULL);
6359 if (error) 6480 if (error)
6360 goto abort_change; 6481 goto abort_change;
@@ -6363,7 +6484,8 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6363 Otherwise, leave SID unchanged and fail. */ 6484 Otherwise, leave SID unchanged and fail. */
6364 ptsid = ptrace_parent_sid(); 6485 ptsid = ptrace_parent_sid();
6365 if (ptsid != 0) { 6486 if (ptsid != 0) {
6366 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 6487 error = avc_has_perm(&selinux_state,
6488 ptsid, sid, SECCLASS_PROCESS,
6367 PROCESS__PTRACE, NULL); 6489 PROCESS__PTRACE, NULL);
6368 if (error) 6490 if (error)
6369 goto abort_change; 6491 goto abort_change;
@@ -6489,7 +6611,8 @@ static int selinux_key_permission(key_ref_t key_ref,
6489 key = key_ref_to_ptr(key_ref); 6611 key = key_ref_to_ptr(key_ref);
6490 ksec = key->security; 6612 ksec = key->security;
6491 6613
6492 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6614 return avc_has_perm(&selinux_state,
6615 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6493} 6616}
6494 6617
6495static int selinux_key_getsecurity(struct key *key, char **_buffer) 6618static int selinux_key_getsecurity(struct key *key, char **_buffer)
@@ -6525,7 +6648,8 @@ static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6525 ibpkey.subnet_prefix = subnet_prefix; 6648 ibpkey.subnet_prefix = subnet_prefix;
6526 ibpkey.pkey = pkey_val; 6649 ibpkey.pkey = pkey_val;
6527 ad.u.ibpkey = &ibpkey; 6650 ad.u.ibpkey = &ibpkey;
6528 return avc_has_perm(sec->sid, sid, 6651 return avc_has_perm(&selinux_state,
6652 sec->sid, sid,
6529 SECCLASS_INFINIBAND_PKEY, 6653 SECCLASS_INFINIBAND_PKEY,
6530 INFINIBAND_PKEY__ACCESS, &ad); 6654 INFINIBAND_PKEY__ACCESS, &ad);
6531} 6655}
@@ -6549,7 +6673,8 @@ static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6549 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); 6673 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6550 ibendport.port = port_num; 6674 ibendport.port = port_num;
6551 ad.u.ibendport = &ibendport; 6675 ad.u.ibendport = &ibendport;
6552 return avc_has_perm(sec->sid, sid, 6676 return avc_has_perm(&selinux_state,
6677 sec->sid, sid,
6553 SECCLASS_INFINIBAND_ENDPORT, 6678 SECCLASS_INFINIBAND_ENDPORT,
6554 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6679 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6555} 6680}
@@ -6582,11 +6707,13 @@ static int selinux_bpf(int cmd, union bpf_attr *attr,
6582 6707
6583 switch (cmd) { 6708 switch (cmd) {
6584 case BPF_MAP_CREATE: 6709 case BPF_MAP_CREATE:
6585 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6710 ret = avc_has_perm(&selinux_state,
6711 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6586 NULL); 6712 NULL);
6587 break; 6713 break;
6588 case BPF_PROG_LOAD: 6714 case BPF_PROG_LOAD:
6589 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6715 ret = avc_has_perm(&selinux_state,
6716 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6590 NULL); 6717 NULL);
6591 break; 6718 break;
6592 default: 6719 default:
@@ -6626,14 +6753,16 @@ static int bpf_fd_pass(struct file *file, u32 sid)
6626 if (file->f_op == &bpf_map_fops) { 6753 if (file->f_op == &bpf_map_fops) {
6627 map = file->private_data; 6754 map = file->private_data;
6628 bpfsec = map->security; 6755 bpfsec = map->security;
6629 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6756 ret = avc_has_perm(&selinux_state,
6757 sid, bpfsec->sid, SECCLASS_BPF,
6630 bpf_map_fmode_to_av(file->f_mode), NULL); 6758 bpf_map_fmode_to_av(file->f_mode), NULL);
6631 if (ret) 6759 if (ret)
6632 return ret; 6760 return ret;
6633 } else if (file->f_op == &bpf_prog_fops) { 6761 } else if (file->f_op == &bpf_prog_fops) {
6634 prog = file->private_data; 6762 prog = file->private_data;
6635 bpfsec = prog->aux->security; 6763 bpfsec = prog->aux->security;
6636 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6764 ret = avc_has_perm(&selinux_state,
6765 sid, bpfsec->sid, SECCLASS_BPF,
6637 BPF__PROG_RUN, NULL); 6766 BPF__PROG_RUN, NULL);
6638 if (ret) 6767 if (ret)
6639 return ret; 6768 return ret;
@@ -6647,7 +6776,8 @@ static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6647 struct bpf_security_struct *bpfsec; 6776 struct bpf_security_struct *bpfsec;
6648 6777
6649 bpfsec = map->security; 6778 bpfsec = map->security;
6650 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6779 return avc_has_perm(&selinux_state,
6780 sid, bpfsec->sid, SECCLASS_BPF,
6651 bpf_map_fmode_to_av(fmode), NULL); 6781 bpf_map_fmode_to_av(fmode), NULL);
6652} 6782}
6653 6783
@@ -6657,7 +6787,8 @@ static int selinux_bpf_prog(struct bpf_prog *prog)
6657 struct bpf_security_struct *bpfsec; 6787 struct bpf_security_struct *bpfsec;
6658 6788
6659 bpfsec = prog->aux->security; 6789 bpfsec = prog->aux->security;
6660 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6790 return avc_has_perm(&selinux_state,
6791 sid, bpfsec->sid, SECCLASS_BPF,
6661 BPF__PROG_RUN, NULL); 6792 BPF__PROG_RUN, NULL);
6662} 6793}
6663 6794
@@ -6958,6 +7089,7 @@ static __init int selinux_init(void)
6958 enforcing_set(&selinux_state, selinux_enforcing_boot); 7089 enforcing_set(&selinux_state, selinux_enforcing_boot);
6959 selinux_state.checkreqprot = selinux_checkreqprot_boot; 7090 selinux_state.checkreqprot = selinux_checkreqprot_boot;
6960 selinux_ss_init(&selinux_state.ss); 7091 selinux_ss_init(&selinux_state.ss);
7092 selinux_avc_init(&selinux_state.avc);
6961 7093
6962 /* Set the security state for the initial task. */ 7094 /* Set the security state for the initial task. */
6963 cred_init_security(); 7095 cred_init_security();
generated by cgit v1.2.2 (git 2.25.0) at 2025-10-04 05:34:41 -0400