aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/hooks.c
diff options
context:
space:
mode:
authorJames Morris <james.morris@microsoft.com>2018-04-23 13:57:26 -0400
committerJames Morris <james.morris@microsoft.com>2018-04-23 13:57:26 -0400
commitb393a707c84bb56a7800c93849fd8b492f76ba42 (patch)
tree0c752bbf4d28f47d29042df8fa0c7826c51c50fd /security/selinux/hooks.c
parente59644b720aed4b9ec9d3818b483f97376fb31ed (diff)
parent6d08b06e67cd117f6992c46611dfb4ce267cd71e (diff)
Merge tag 'v4.17-rc2' into next-general
Sync to Linux 4.17-rc2 for developers.
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c1023
1 files changed, 745 insertions, 278 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8abd542c6b7c..4cafe6a19167 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -67,6 +67,8 @@
67#include <linux/tcp.h> 67#include <linux/tcp.h>
68#include <linux/udp.h> 68#include <linux/udp.h>
69#include <linux/dccp.h> 69#include <linux/dccp.h>
70#include <linux/sctp.h>
71#include <net/sctp/structs.h>
70#include <linux/quota.h> 72#include <linux/quota.h>
71#include <linux/un.h> /* for Unix socket types */ 73#include <linux/un.h> /* for Unix socket types */
72#include <net/af_unix.h> /* for Unix socket types */ 74#include <net/af_unix.h> /* for Unix socket types */
@@ -98,20 +100,24 @@
98#include "audit.h" 100#include "audit.h"
99#include "avc_ss.h" 101#include "avc_ss.h"
100 102
103struct selinux_state selinux_state;
104
101/* SECMARK reference count */ 105/* SECMARK reference count */
102static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 106static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103 107
104#ifdef CONFIG_SECURITY_SELINUX_DEVELOP 108#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105int selinux_enforcing; 109static int selinux_enforcing_boot;
106 110
107static int __init enforcing_setup(char *str) 111static int __init enforcing_setup(char *str)
108{ 112{
109 unsigned long enforcing; 113 unsigned long enforcing;
110 if (!kstrtoul(str, 0, &enforcing)) 114 if (!kstrtoul(str, 0, &enforcing))
111 selinux_enforcing = enforcing ? 1 : 0; 115 selinux_enforcing_boot = enforcing ? 1 : 0;
112 return 1; 116 return 1;
113} 117}
114__setup("enforcing=", enforcing_setup); 118__setup("enforcing=", enforcing_setup);
119#else
120#define selinux_enforcing_boot 1
115#endif 121#endif
116 122
117#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 123#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
@@ -129,6 +135,19 @@ __setup("selinux=", selinux_enabled_setup);
129int selinux_enabled = 1; 135int selinux_enabled = 1;
130#endif 136#endif
131 137
138static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140
141static int __init checkreqprot_setup(char *str)
142{
143 unsigned long checkreqprot;
144
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 return 1;
148}
149__setup("checkreqprot=", checkreqprot_setup);
150
132static struct kmem_cache *sel_inode_cache; 151static struct kmem_cache *sel_inode_cache;
133static struct kmem_cache *file_security_cache; 152static struct kmem_cache *file_security_cache;
134 153
@@ -145,7 +164,8 @@ static struct kmem_cache *file_security_cache;
145 */ 164 */
146static int selinux_secmark_enabled(void) 165static int selinux_secmark_enabled(void)
147{ 166{
148 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount)); 167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
149} 169}
150 170
151/** 171/**
@@ -160,7 +180,8 @@ static int selinux_secmark_enabled(void)
160 */ 180 */
161static int selinux_peerlbl_enabled(void) 181static int selinux_peerlbl_enabled(void)
162{ 182{
163 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled()); 183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
164} 185}
165 186
166static int selinux_netcache_avc_callback(u32 event) 187static int selinux_netcache_avc_callback(u32 event)
@@ -264,7 +285,8 @@ static int __inode_security_revalidate(struct inode *inode,
264 285
265 might_sleep_if(may_sleep); 286 might_sleep_if(may_sleep);
266 287
267 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) { 288 if (selinux_state.initialized &&
289 isec->initialized != LABEL_INITIALIZED) {
268 if (!may_sleep) 290 if (!may_sleep)
269 return -ECHILD; 291 return -ECHILD;
270 292
@@ -446,12 +468,14 @@ static int may_context_mount_sb_relabel(u32 sid,
446 const struct task_security_struct *tsec = cred->security; 468 const struct task_security_struct *tsec = cred->security;
447 int rc; 469 int rc;
448 470
449 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 471 rc = avc_has_perm(&selinux_state,
472 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450 FILESYSTEM__RELABELFROM, NULL); 473 FILESYSTEM__RELABELFROM, NULL);
451 if (rc) 474 if (rc)
452 return rc; 475 return rc;
453 476
454 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 477 rc = avc_has_perm(&selinux_state,
478 tsec->sid, sid, SECCLASS_FILESYSTEM,
455 FILESYSTEM__RELABELTO, NULL); 479 FILESYSTEM__RELABELTO, NULL);
456 return rc; 480 return rc;
457} 481}
@@ -462,12 +486,14 @@ static int may_context_mount_inode_relabel(u32 sid,
462{ 486{
463 const struct task_security_struct *tsec = cred->security; 487 const struct task_security_struct *tsec = cred->security;
464 int rc; 488 int rc;
465 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 489 rc = avc_has_perm(&selinux_state,
490 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
466 FILESYSTEM__RELABELFROM, NULL); 491 FILESYSTEM__RELABELFROM, NULL);
467 if (rc) 492 if (rc)
468 return rc; 493 return rc;
469 494
470 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 495 rc = avc_has_perm(&selinux_state,
496 sid, sbsec->sid, SECCLASS_FILESYSTEM,
471 FILESYSTEM__ASSOCIATE, NULL); 497 FILESYSTEM__ASSOCIATE, NULL);
472 return rc; 498 return rc;
473} 499}
@@ -486,7 +512,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
486 !strcmp(sb->s_type->name, "debugfs") || 512 !strcmp(sb->s_type->name, "debugfs") ||
487 !strcmp(sb->s_type->name, "tracefs") || 513 !strcmp(sb->s_type->name, "tracefs") ||
488 !strcmp(sb->s_type->name, "rootfs") || 514 !strcmp(sb->s_type->name, "rootfs") ||
489 (selinux_policycap_cgroupseclabel && 515 (selinux_policycap_cgroupseclabel() &&
490 (!strcmp(sb->s_type->name, "cgroup") || 516 (!strcmp(sb->s_type->name, "cgroup") ||
491 !strcmp(sb->s_type->name, "cgroup2"))); 517 !strcmp(sb->s_type->name, "cgroup2")));
492} 518}
@@ -586,7 +612,7 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
586 if (!(sbsec->flags & SE_SBINITIALIZED)) 612 if (!(sbsec->flags & SE_SBINITIALIZED))
587 return -EINVAL; 613 return -EINVAL;
588 614
589 if (!ss_initialized) 615 if (!selinux_state.initialized)
590 return -EINVAL; 616 return -EINVAL;
591 617
592 /* make sure we always check enough bits to cover the mask */ 618 /* make sure we always check enough bits to cover the mask */
@@ -617,21 +643,25 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
617 643
618 i = 0; 644 i = 0;
619 if (sbsec->flags & FSCONTEXT_MNT) { 645 if (sbsec->flags & FSCONTEXT_MNT) {
620 rc = security_sid_to_context(sbsec->sid, &context, &len); 646 rc = security_sid_to_context(&selinux_state, sbsec->sid,
647 &context, &len);
621 if (rc) 648 if (rc)
622 goto out_free; 649 goto out_free;
623 opts->mnt_opts[i] = context; 650 opts->mnt_opts[i] = context;
624 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 651 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
625 } 652 }
626 if (sbsec->flags & CONTEXT_MNT) { 653 if (sbsec->flags & CONTEXT_MNT) {
627 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); 654 rc = security_sid_to_context(&selinux_state,
655 sbsec->mntpoint_sid,
656 &context, &len);
628 if (rc) 657 if (rc)
629 goto out_free; 658 goto out_free;
630 opts->mnt_opts[i] = context; 659 opts->mnt_opts[i] = context;
631 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 660 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
632 } 661 }
633 if (sbsec->flags & DEFCONTEXT_MNT) { 662 if (sbsec->flags & DEFCONTEXT_MNT) {
634 rc = security_sid_to_context(sbsec->def_sid, &context, &len); 663 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
664 &context, &len);
635 if (rc) 665 if (rc)
636 goto out_free; 666 goto out_free;
637 opts->mnt_opts[i] = context; 667 opts->mnt_opts[i] = context;
@@ -641,7 +671,8 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
641 struct dentry *root = sbsec->sb->s_root; 671 struct dentry *root = sbsec->sb->s_root;
642 struct inode_security_struct *isec = backing_inode_security(root); 672 struct inode_security_struct *isec = backing_inode_security(root);
643 673
644 rc = security_sid_to_context(isec->sid, &context, &len); 674 rc = security_sid_to_context(&selinux_state, isec->sid,
675 &context, &len);
645 if (rc) 676 if (rc)
646 goto out_free; 677 goto out_free;
647 opts->mnt_opts[i] = context; 678 opts->mnt_opts[i] = context;
@@ -704,7 +735,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
704 735
705 mutex_lock(&sbsec->lock); 736 mutex_lock(&sbsec->lock);
706 737
707 if (!ss_initialized) { 738 if (!selinux_state.initialized) {
708 if (!num_opts) { 739 if (!num_opts) {
709 /* Defer initialization until selinux_complete_init, 740 /* Defer initialization until selinux_complete_init,
710 after the initial policy is loaded and the security 741 after the initial policy is loaded and the security
@@ -750,7 +781,9 @@ static int selinux_set_mnt_opts(struct super_block *sb,
750 781
751 if (flags[i] == SBLABEL_MNT) 782 if (flags[i] == SBLABEL_MNT)
752 continue; 783 continue;
753 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 784 rc = security_context_str_to_sid(&selinux_state,
785 mount_options[i], &sid,
786 GFP_KERNEL);
754 if (rc) { 787 if (rc) {
755 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 788 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
756 "(%s) failed for (dev %s, type %s) errno=%d\n", 789 "(%s) failed for (dev %s, type %s) errno=%d\n",
@@ -826,7 +859,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
826 * Determine the labeling behavior to use for this 859 * Determine the labeling behavior to use for this
827 * filesystem type. 860 * filesystem type.
828 */ 861 */
829 rc = security_fs_use(sb); 862 rc = security_fs_use(&selinux_state, sb);
830 if (rc) { 863 if (rc) {
831 printk(KERN_WARNING 864 printk(KERN_WARNING
832 "%s: security_fs_use(%s) returned %d\n", 865 "%s: security_fs_use(%s) returned %d\n",
@@ -851,7 +884,9 @@ static int selinux_set_mnt_opts(struct super_block *sb,
851 } 884 }
852 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 885 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
853 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 886 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
854 rc = security_transition_sid(current_sid(), current_sid(), 887 rc = security_transition_sid(&selinux_state,
888 current_sid(),
889 current_sid(),
855 SECCLASS_FILE, NULL, 890 SECCLASS_FILE, NULL,
856 &sbsec->mntpoint_sid); 891 &sbsec->mntpoint_sid);
857 if (rc) 892 if (rc)
@@ -987,7 +1022,7 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
987 * if the parent was able to be mounted it clearly had no special lsm 1022 * if the parent was able to be mounted it clearly had no special lsm
988 * mount options. thus we can safely deal with this superblock later 1023 * mount options. thus we can safely deal with this superblock later
989 */ 1024 */
990 if (!ss_initialized) 1025 if (!selinux_state.initialized)
991 return 0; 1026 return 0;
992 1027
993 /* 1028 /*
@@ -1014,7 +1049,7 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1014 1049
1015 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 1050 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1016 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 1051 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1017 rc = security_fs_use(newsb); 1052 rc = security_fs_use(&selinux_state, newsb);
1018 if (rc) 1053 if (rc)
1019 goto out; 1054 goto out;
1020 } 1055 }
@@ -1297,7 +1332,7 @@ static inline int default_protocol_dgram(int protocol)
1297 1332
1298static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1333static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1299{ 1334{
1300 int extsockclass = selinux_policycap_extsockclass; 1335 int extsockclass = selinux_policycap_extsockclass();
1301 1336
1302 switch (family) { 1337 switch (family) {
1303 case PF_UNIX: 1338 case PF_UNIX:
@@ -1471,7 +1506,8 @@ static int selinux_genfs_get_sid(struct dentry *dentry,
1471 path++; 1506 path++;
1472 } 1507 }
1473 } 1508 }
1474 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid); 1509 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1510 path, tclass, sid);
1475 } 1511 }
1476 free_page((unsigned long)buffer); 1512 free_page((unsigned long)buffer);
1477 return rc; 1513 return rc;
@@ -1589,7 +1625,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1589 sid = sbsec->def_sid; 1625 sid = sbsec->def_sid;
1590 rc = 0; 1626 rc = 0;
1591 } else { 1627 } else {
1592 rc = security_context_to_sid_default(context, rc, &sid, 1628 rc = security_context_to_sid_default(&selinux_state,
1629 context, rc, &sid,
1593 sbsec->def_sid, 1630 sbsec->def_sid,
1594 GFP_NOFS); 1631 GFP_NOFS);
1595 if (rc) { 1632 if (rc) {
@@ -1622,7 +1659,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1622 sid = sbsec->sid; 1659 sid = sbsec->sid;
1623 1660
1624 /* Try to obtain a transition SID. */ 1661 /* Try to obtain a transition SID. */
1625 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid); 1662 rc = security_transition_sid(&selinux_state, task_sid, sid,
1663 sclass, NULL, &sid);
1626 if (rc) 1664 if (rc)
1627 goto out; 1665 goto out;
1628 break; 1666 break;
@@ -1740,9 +1778,11 @@ static int cred_has_capability(const struct cred *cred,
1740 return -EINVAL; 1778 return -EINVAL;
1741 } 1779 }
1742 1780
1743 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1781 rc = avc_has_perm_noaudit(&selinux_state,
1782 sid, sid, sclass, av, 0, &avd);
1744 if (audit == SECURITY_CAP_AUDIT) { 1783 if (audit == SECURITY_CAP_AUDIT) {
1745 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); 1784 int rc2 = avc_audit(&selinux_state,
1785 sid, sid, sclass, av, &avd, rc, &ad, 0);
1746 if (rc2) 1786 if (rc2)
1747 return rc2; 1787 return rc2;
1748 } 1788 }
@@ -1768,7 +1808,8 @@ static int inode_has_perm(const struct cred *cred,
1768 sid = cred_sid(cred); 1808 sid = cred_sid(cred);
1769 isec = inode->i_security; 1809 isec = inode->i_security;
1770 1810
1771 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1811 return avc_has_perm(&selinux_state,
1812 sid, isec->sid, isec->sclass, perms, adp);
1772} 1813}
1773 1814
1774/* Same as inode_has_perm, but pass explicit audit data containing 1815/* Same as inode_has_perm, but pass explicit audit data containing
@@ -1841,7 +1882,8 @@ static int file_has_perm(const struct cred *cred,
1841 ad.u.file = file; 1882 ad.u.file = file;
1842 1883
1843 if (sid != fsec->sid) { 1884 if (sid != fsec->sid) {
1844 rc = avc_has_perm(sid, fsec->sid, 1885 rc = avc_has_perm(&selinux_state,
1886 sid, fsec->sid,
1845 SECCLASS_FD, 1887 SECCLASS_FD,
1846 FD__USE, 1888 FD__USE,
1847 &ad); 1889 &ad);
@@ -1883,7 +1925,8 @@ selinux_determine_inode_label(const struct task_security_struct *tsec,
1883 *_new_isid = tsec->create_sid; 1925 *_new_isid = tsec->create_sid;
1884 } else { 1926 } else {
1885 const struct inode_security_struct *dsec = inode_security(dir); 1927 const struct inode_security_struct *dsec = inode_security(dir);
1886 return security_transition_sid(tsec->sid, dsec->sid, tclass, 1928 return security_transition_sid(&selinux_state, tsec->sid,
1929 dsec->sid, tclass,
1887 name, _new_isid); 1930 name, _new_isid);
1888 } 1931 }
1889 1932
@@ -1910,7 +1953,8 @@ static int may_create(struct inode *dir,
1910 ad.type = LSM_AUDIT_DATA_DENTRY; 1953 ad.type = LSM_AUDIT_DATA_DENTRY;
1911 ad.u.dentry = dentry; 1954 ad.u.dentry = dentry;
1912 1955
1913 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1956 rc = avc_has_perm(&selinux_state,
1957 sid, dsec->sid, SECCLASS_DIR,
1914 DIR__ADD_NAME | DIR__SEARCH, 1958 DIR__ADD_NAME | DIR__SEARCH,
1915 &ad); 1959 &ad);
1916 if (rc) 1960 if (rc)
@@ -1921,11 +1965,13 @@ static int may_create(struct inode *dir,
1921 if (rc) 1965 if (rc)
1922 return rc; 1966 return rc;
1923 1967
1924 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1968 rc = avc_has_perm(&selinux_state,
1969 sid, newsid, tclass, FILE__CREATE, &ad);
1925 if (rc) 1970 if (rc)
1926 return rc; 1971 return rc;
1927 1972
1928 return avc_has_perm(newsid, sbsec->sid, 1973 return avc_has_perm(&selinux_state,
1974 newsid, sbsec->sid,
1929 SECCLASS_FILESYSTEM, 1975 SECCLASS_FILESYSTEM,
1930 FILESYSTEM__ASSOCIATE, &ad); 1976 FILESYSTEM__ASSOCIATE, &ad);
1931} 1977}
@@ -1954,7 +2000,8 @@ static int may_link(struct inode *dir,
1954 2000
1955 av = DIR__SEARCH; 2001 av = DIR__SEARCH;
1956 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 2002 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1957 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 2003 rc = avc_has_perm(&selinux_state,
2004 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1958 if (rc) 2005 if (rc)
1959 return rc; 2006 return rc;
1960 2007
@@ -1974,7 +2021,8 @@ static int may_link(struct inode *dir,
1974 return 0; 2021 return 0;
1975 } 2022 }
1976 2023
1977 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 2024 rc = avc_has_perm(&selinux_state,
2025 sid, isec->sid, isec->sclass, av, &ad);
1978 return rc; 2026 return rc;
1979} 2027}
1980 2028
@@ -1998,16 +2046,19 @@ static inline int may_rename(struct inode *old_dir,
1998 ad.type = LSM_AUDIT_DATA_DENTRY; 2046 ad.type = LSM_AUDIT_DATA_DENTRY;
1999 2047
2000 ad.u.dentry = old_dentry; 2048 ad.u.dentry = old_dentry;
2001 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 2049 rc = avc_has_perm(&selinux_state,
2050 sid, old_dsec->sid, SECCLASS_DIR,
2002 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 2051 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2003 if (rc) 2052 if (rc)
2004 return rc; 2053 return rc;
2005 rc = avc_has_perm(sid, old_isec->sid, 2054 rc = avc_has_perm(&selinux_state,
2055 sid, old_isec->sid,
2006 old_isec->sclass, FILE__RENAME, &ad); 2056 old_isec->sclass, FILE__RENAME, &ad);
2007 if (rc) 2057 if (rc)
2008 return rc; 2058 return rc;
2009 if (old_is_dir && new_dir != old_dir) { 2059 if (old_is_dir && new_dir != old_dir) {
2010 rc = avc_has_perm(sid, old_isec->sid, 2060 rc = avc_has_perm(&selinux_state,
2061 sid, old_isec->sid,
2011 old_isec->sclass, DIR__REPARENT, &ad); 2062 old_isec->sclass, DIR__REPARENT, &ad);
2012 if (rc) 2063 if (rc)
2013 return rc; 2064 return rc;
@@ -2017,13 +2068,15 @@ static inline int may_rename(struct inode *old_dir,
2017 av = DIR__ADD_NAME | DIR__SEARCH; 2068 av = DIR__ADD_NAME | DIR__SEARCH;
2018 if (d_is_positive(new_dentry)) 2069 if (d_is_positive(new_dentry))
2019 av |= DIR__REMOVE_NAME; 2070 av |= DIR__REMOVE_NAME;
2020 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 2071 rc = avc_has_perm(&selinux_state,
2072 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2021 if (rc) 2073 if (rc)
2022 return rc; 2074 return rc;
2023 if (d_is_positive(new_dentry)) { 2075 if (d_is_positive(new_dentry)) {
2024 new_isec = backing_inode_security(new_dentry); 2076 new_isec = backing_inode_security(new_dentry);
2025 new_is_dir = d_is_dir(new_dentry); 2077 new_is_dir = d_is_dir(new_dentry);
2026 rc = avc_has_perm(sid, new_isec->sid, 2078 rc = avc_has_perm(&selinux_state,
2079 sid, new_isec->sid,
2027 new_isec->sclass, 2080 new_isec->sclass,
2028 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 2081 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2029 if (rc) 2082 if (rc)
@@ -2043,7 +2096,8 @@ static int superblock_has_perm(const struct cred *cred,
2043 u32 sid = cred_sid(cred); 2096 u32 sid = cred_sid(cred);
2044 2097
2045 sbsec = sb->s_security; 2098 sbsec = sb->s_security;
2046 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 2099 return avc_has_perm(&selinux_state,
2100 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2047} 2101}
2048 2102
2049/* Convert a Linux mode and permission mask to an access vector. */ 2103/* Convert a Linux mode and permission mask to an access vector. */
@@ -2106,7 +2160,8 @@ static inline u32 open_file_to_av(struct file *file)
2106 u32 av = file_to_av(file); 2160 u32 av = file_to_av(file);
2107 struct inode *inode = file_inode(file); 2161 struct inode *inode = file_inode(file);
2108 2162
2109 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC) 2163 if (selinux_policycap_openperm() &&
2164 inode->i_sb->s_magic != SOCKFS_MAGIC)
2110 av |= FILE__OPEN; 2165 av |= FILE__OPEN;
2111 2166
2112 return av; 2167 return av;
@@ -2119,7 +2174,8 @@ static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2119 u32 mysid = current_sid(); 2174 u32 mysid = current_sid();
2120 u32 mgrsid = task_sid(mgr); 2175 u32 mgrsid = task_sid(mgr);
2121 2176
2122 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, 2177 return avc_has_perm(&selinux_state,
2178 mysid, mgrsid, SECCLASS_BINDER,
2123 BINDER__SET_CONTEXT_MGR, NULL); 2179 BINDER__SET_CONTEXT_MGR, NULL);
2124} 2180}
2125 2181
@@ -2132,13 +2188,15 @@ static int selinux_binder_transaction(struct task_struct *from,
2132 int rc; 2188 int rc;
2133 2189
2134 if (mysid != fromsid) { 2190 if (mysid != fromsid) {
2135 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, 2191 rc = avc_has_perm(&selinux_state,
2192 mysid, fromsid, SECCLASS_BINDER,
2136 BINDER__IMPERSONATE, NULL); 2193 BINDER__IMPERSONATE, NULL);
2137 if (rc) 2194 if (rc)
2138 return rc; 2195 return rc;
2139 } 2196 }
2140 2197
2141 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2198 return avc_has_perm(&selinux_state,
2199 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2142 NULL); 2200 NULL);
2143} 2201}
2144 2202
@@ -2148,7 +2206,8 @@ static int selinux_binder_transfer_binder(struct task_struct *from,
2148 u32 fromsid = task_sid(from); 2206 u32 fromsid = task_sid(from);
2149 u32 tosid = task_sid(to); 2207 u32 tosid = task_sid(to);
2150 2208
2151 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2209 return avc_has_perm(&selinux_state,
2210 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2152 NULL); 2211 NULL);
2153} 2212}
2154 2213
@@ -2167,7 +2226,8 @@ static int selinux_binder_transfer_file(struct task_struct *from,
2167 ad.u.path = file->f_path; 2226 ad.u.path = file->f_path;
2168 2227
2169 if (sid != fsec->sid) { 2228 if (sid != fsec->sid) {
2170 rc = avc_has_perm(sid, fsec->sid, 2229 rc = avc_has_perm(&selinux_state,
2230 sid, fsec->sid,
2171 SECCLASS_FD, 2231 SECCLASS_FD,
2172 FD__USE, 2232 FD__USE,
2173 &ad); 2233 &ad);
@@ -2185,7 +2245,8 @@ static int selinux_binder_transfer_file(struct task_struct *from,
2185 return 0; 2245 return 0;
2186 2246
2187 isec = backing_inode_security(dentry); 2247 isec = backing_inode_security(dentry);
2188 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), 2248 return avc_has_perm(&selinux_state,
2249 sid, isec->sid, isec->sclass, file_to_av(file),
2189 &ad); 2250 &ad);
2190} 2251}
2191 2252
@@ -2196,21 +2257,25 @@ static int selinux_ptrace_access_check(struct task_struct *child,
2196 u32 csid = task_sid(child); 2257 u32 csid = task_sid(child);
2197 2258
2198 if (mode & PTRACE_MODE_READ) 2259 if (mode & PTRACE_MODE_READ)
2199 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2260 return avc_has_perm(&selinux_state,
2261 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2200 2262
2201 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2263 return avc_has_perm(&selinux_state,
2264 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2202} 2265}
2203 2266
2204static int selinux_ptrace_traceme(struct task_struct *parent) 2267static int selinux_ptrace_traceme(struct task_struct *parent)
2205{ 2268{
2206 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS, 2269 return avc_has_perm(&selinux_state,
2270 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2207 PROCESS__PTRACE, NULL); 2271 PROCESS__PTRACE, NULL);
2208} 2272}
2209 2273
2210static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2274static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2211 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2275 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2212{ 2276{
2213 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS, 2277 return avc_has_perm(&selinux_state,
2278 current_sid(), task_sid(target), SECCLASS_PROCESS,
2214 PROCESS__GETCAP, NULL); 2279 PROCESS__GETCAP, NULL);
2215} 2280}
2216 2281
@@ -2219,7 +2284,8 @@ static int selinux_capset(struct cred *new, const struct cred *old,
2219 const kernel_cap_t *inheritable, 2284 const kernel_cap_t *inheritable,
2220 const kernel_cap_t *permitted) 2285 const kernel_cap_t *permitted)
2221{ 2286{
2222 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2287 return avc_has_perm(&selinux_state,
2288 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2223 PROCESS__SETCAP, NULL); 2289 PROCESS__SETCAP, NULL);
2224} 2290}
2225 2291
@@ -2279,18 +2345,21 @@ static int selinux_syslog(int type)
2279 switch (type) { 2345 switch (type) {
2280 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2346 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2281 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2347 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2282 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2348 return avc_has_perm(&selinux_state,
2349 current_sid(), SECINITSID_KERNEL,
2283 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2350 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2284 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2351 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2285 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2352 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2286 /* Set level of messages printed to console */ 2353 /* Set level of messages printed to console */
2287 case SYSLOG_ACTION_CONSOLE_LEVEL: 2354 case SYSLOG_ACTION_CONSOLE_LEVEL:
2288 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2355 return avc_has_perm(&selinux_state,
2356 current_sid(), SECINITSID_KERNEL,
2289 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2357 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2290 NULL); 2358 NULL);
2291 } 2359 }
2292 /* All other syslog types */ 2360 /* All other syslog types */
2293 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2361 return avc_has_perm(&selinux_state,
2362 current_sid(), SECINITSID_KERNEL,
2294 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2363 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2295} 2364}
2296 2365
@@ -2351,13 +2420,14 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm,
2351 * policy allows the corresponding permission between 2420 * policy allows the corresponding permission between
2352 * the old and new contexts. 2421 * the old and new contexts.
2353 */ 2422 */
2354 if (selinux_policycap_nnp_nosuid_transition) { 2423 if (selinux_policycap_nnp_nosuid_transition()) {
2355 av = 0; 2424 av = 0;
2356 if (nnp) 2425 if (nnp)
2357 av |= PROCESS2__NNP_TRANSITION; 2426 av |= PROCESS2__NNP_TRANSITION;
2358 if (nosuid) 2427 if (nosuid)
2359 av |= PROCESS2__NOSUID_TRANSITION; 2428 av |= PROCESS2__NOSUID_TRANSITION;
2360 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2429 rc = avc_has_perm(&selinux_state,
2430 old_tsec->sid, new_tsec->sid,
2361 SECCLASS_PROCESS2, av, NULL); 2431 SECCLASS_PROCESS2, av, NULL);
2362 if (!rc) 2432 if (!rc)
2363 return 0; 2433 return 0;
@@ -2368,7 +2438,8 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm,
2368 * i.e. SIDs that are guaranteed to only be allowed a subset 2438 * i.e. SIDs that are guaranteed to only be allowed a subset
2369 * of the permissions of the current SID. 2439 * of the permissions of the current SID.
2370 */ 2440 */
2371 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); 2441 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2442 new_tsec->sid);
2372 if (!rc) 2443 if (!rc)
2373 return 0; 2444 return 0;
2374 2445
@@ -2420,8 +2491,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2420 return rc; 2491 return rc;
2421 } else { 2492 } else {
2422 /* Check for a default transition on this program. */ 2493 /* Check for a default transition on this program. */
2423 rc = security_transition_sid(old_tsec->sid, isec->sid, 2494 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2424 SECCLASS_PROCESS, NULL, 2495 isec->sid, SECCLASS_PROCESS, NULL,
2425 &new_tsec->sid); 2496 &new_tsec->sid);
2426 if (rc) 2497 if (rc)
2427 return rc; 2498 return rc;
@@ -2439,25 +2510,29 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2439 ad.u.file = bprm->file; 2510 ad.u.file = bprm->file;
2440 2511
2441 if (new_tsec->sid == old_tsec->sid) { 2512 if (new_tsec->sid == old_tsec->sid) {
2442 rc = avc_has_perm(old_tsec->sid, isec->sid, 2513 rc = avc_has_perm(&selinux_state,
2514 old_tsec->sid, isec->sid,
2443 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2515 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2444 if (rc) 2516 if (rc)
2445 return rc; 2517 return rc;
2446 } else { 2518 } else {
2447 /* Check permissions for the transition. */ 2519 /* Check permissions for the transition. */
2448 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2520 rc = avc_has_perm(&selinux_state,
2521 old_tsec->sid, new_tsec->sid,
2449 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2522 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2450 if (rc) 2523 if (rc)
2451 return rc; 2524 return rc;
2452 2525
2453 rc = avc_has_perm(new_tsec->sid, isec->sid, 2526 rc = avc_has_perm(&selinux_state,
2527 new_tsec->sid, isec->sid,
2454 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2528 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2455 if (rc) 2529 if (rc)
2456 return rc; 2530 return rc;
2457 2531
2458 /* Check for shared state */ 2532 /* Check for shared state */
2459 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2533 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2460 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2534 rc = avc_has_perm(&selinux_state,
2535 old_tsec->sid, new_tsec->sid,
2461 SECCLASS_PROCESS, PROCESS__SHARE, 2536 SECCLASS_PROCESS, PROCESS__SHARE,
2462 NULL); 2537 NULL);
2463 if (rc) 2538 if (rc)
@@ -2469,7 +2544,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2469 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2544 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2470 u32 ptsid = ptrace_parent_sid(); 2545 u32 ptsid = ptrace_parent_sid();
2471 if (ptsid != 0) { 2546 if (ptsid != 0) {
2472 rc = avc_has_perm(ptsid, new_tsec->sid, 2547 rc = avc_has_perm(&selinux_state,
2548 ptsid, new_tsec->sid,
2473 SECCLASS_PROCESS, 2549 SECCLASS_PROCESS,
2474 PROCESS__PTRACE, NULL); 2550 PROCESS__PTRACE, NULL);
2475 if (rc) 2551 if (rc)
@@ -2483,7 +2559,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2483 /* Enable secure mode for SIDs transitions unless 2559 /* Enable secure mode for SIDs transitions unless
2484 the noatsecure permission is granted between 2560 the noatsecure permission is granted between
2485 the two SIDs, i.e. ahp returns 0. */ 2561 the two SIDs, i.e. ahp returns 0. */
2486 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2562 rc = avc_has_perm(&selinux_state,
2563 old_tsec->sid, new_tsec->sid,
2487 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2564 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2488 NULL); 2565 NULL);
2489 bprm->secureexec |= !!rc; 2566 bprm->secureexec |= !!rc;
@@ -2575,7 +2652,8 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2575 * higher than the default soft limit for cases where the default is 2652 * higher than the default soft limit for cases where the default is
2576 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2653 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2577 */ 2654 */
2578 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2655 rc = avc_has_perm(&selinux_state,
2656 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2579 PROCESS__RLIMITINH, NULL); 2657 PROCESS__RLIMITINH, NULL);
2580 if (rc) { 2658 if (rc) {
2581 /* protect against do_prlimit() */ 2659 /* protect against do_prlimit() */
@@ -2615,7 +2693,8 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2615 * This must occur _after_ the task SID has been updated so that any 2693 * This must occur _after_ the task SID has been updated so that any
2616 * kill done after the flush will be checked against the new SID. 2694 * kill done after the flush will be checked against the new SID.
2617 */ 2695 */
2618 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2696 rc = avc_has_perm(&selinux_state,
2697 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2619 if (rc) { 2698 if (rc) {
2620 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) { 2699 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2621 memset(&itimer, 0, sizeof itimer); 2700 memset(&itimer, 0, sizeof itimer);
@@ -2779,7 +2858,9 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
2779 2858
2780 if (flags[i] == SBLABEL_MNT) 2859 if (flags[i] == SBLABEL_MNT)
2781 continue; 2860 continue;
2782 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 2861 rc = security_context_str_to_sid(&selinux_state,
2862 mount_options[i], &sid,
2863 GFP_KERNEL);
2783 if (rc) { 2864 if (rc) {
2784 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 2865 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2785 "(%s) failed for (dev %s, type %s) errno=%d\n", 2866 "(%s) failed for (dev %s, type %s) errno=%d\n",
@@ -2904,7 +2985,8 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2904 if (rc) 2985 if (rc)
2905 return rc; 2986 return rc;
2906 2987
2907 return security_sid_to_context(newsid, (char **)ctx, ctxlen); 2988 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2989 ctxlen);
2908} 2990}
2909 2991
2910static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2992static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
@@ -2958,14 +3040,15 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2958 isec->initialized = LABEL_INITIALIZED; 3040 isec->initialized = LABEL_INITIALIZED;
2959 } 3041 }
2960 3042
2961 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT)) 3043 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
2962 return -EOPNOTSUPP; 3044 return -EOPNOTSUPP;
2963 3045
2964 if (name) 3046 if (name)
2965 *name = XATTR_SELINUX_SUFFIX; 3047 *name = XATTR_SELINUX_SUFFIX;
2966 3048
2967 if (value && len) { 3049 if (value && len) {
2968 rc = security_sid_to_context_force(newsid, &context, &clen); 3050 rc = security_sid_to_context_force(&selinux_state, newsid,
3051 &context, &clen);
2969 if (rc) 3052 if (rc)
2970 return rc; 3053 return rc;
2971 *value = context; 3054 *value = context;
@@ -3040,7 +3123,8 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3040 if (IS_ERR(isec)) 3123 if (IS_ERR(isec))
3041 return PTR_ERR(isec); 3124 return PTR_ERR(isec);
3042 3125
3043 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad, 3126 return avc_has_perm_flags(&selinux_state,
3127 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3044 rcu ? MAY_NOT_BLOCK : 0); 3128 rcu ? MAY_NOT_BLOCK : 0);
3045} 3129}
3046 3130
@@ -3056,7 +3140,8 @@ static noinline int audit_inode_permission(struct inode *inode,
3056 ad.type = LSM_AUDIT_DATA_INODE; 3140 ad.type = LSM_AUDIT_DATA_INODE;
3057 ad.u.inode = inode; 3141 ad.u.inode = inode;
3058 3142
3059 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 3143 rc = slow_avc_audit(&selinux_state,
3144 current_sid(), isec->sid, isec->sclass, perms,
3060 audited, denied, result, &ad, flags); 3145 audited, denied, result, &ad, flags);
3061 if (rc) 3146 if (rc)
3062 return rc; 3147 return rc;
@@ -3094,7 +3179,8 @@ static int selinux_inode_permission(struct inode *inode, int mask)
3094 if (IS_ERR(isec)) 3179 if (IS_ERR(isec))
3095 return PTR_ERR(isec); 3180 return PTR_ERR(isec);
3096 3181
3097 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); 3182 rc = avc_has_perm_noaudit(&selinux_state,
3183 sid, isec->sid, isec->sclass, perms, 0, &avd);
3098 audited = avc_audit_required(perms, &avd, rc, 3184 audited = avc_audit_required(perms, &avd, rc,
3099 from_access ? FILE__AUDIT_ACCESS : 0, 3185 from_access ? FILE__AUDIT_ACCESS : 0,
3100 &denied); 3186 &denied);
@@ -3126,7 +3212,7 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3126 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3212 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3127 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3213 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3128 3214
3129 if (selinux_policycap_openperm && 3215 if (selinux_policycap_openperm() &&
3130 inode->i_sb->s_magic != SOCKFS_MAGIC && 3216 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3131 (ia_valid & ATTR_SIZE) && 3217 (ia_valid & ATTR_SIZE) &&
3132 !(ia_valid & ATTR_FILE)) 3218 !(ia_valid & ATTR_FILE))
@@ -3183,12 +3269,14 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3183 ad.u.dentry = dentry; 3269 ad.u.dentry = dentry;
3184 3270
3185 isec = backing_inode_security(dentry); 3271 isec = backing_inode_security(dentry);
3186 rc = avc_has_perm(sid, isec->sid, isec->sclass, 3272 rc = avc_has_perm(&selinux_state,
3273 sid, isec->sid, isec->sclass,
3187 FILE__RELABELFROM, &ad); 3274 FILE__RELABELFROM, &ad);
3188 if (rc) 3275 if (rc)
3189 return rc; 3276 return rc;
3190 3277
3191 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3278 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3279 GFP_KERNEL);
3192 if (rc == -EINVAL) { 3280 if (rc == -EINVAL) {
3193 if (!has_cap_mac_admin(true)) { 3281 if (!has_cap_mac_admin(true)) {
3194 struct audit_buffer *ab; 3282 struct audit_buffer *ab;
@@ -3213,22 +3301,25 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3213 3301
3214 return rc; 3302 return rc;
3215 } 3303 }
3216 rc = security_context_to_sid_force(value, size, &newsid); 3304 rc = security_context_to_sid_force(&selinux_state, value,
3305 size, &newsid);
3217 } 3306 }
3218 if (rc) 3307 if (rc)
3219 return rc; 3308 return rc;
3220 3309
3221 rc = avc_has_perm(sid, newsid, isec->sclass, 3310 rc = avc_has_perm(&selinux_state,
3311 sid, newsid, isec->sclass,
3222 FILE__RELABELTO, &ad); 3312 FILE__RELABELTO, &ad);
3223 if (rc) 3313 if (rc)
3224 return rc; 3314 return rc;
3225 3315
3226 rc = security_validate_transition(isec->sid, newsid, sid, 3316 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3227 isec->sclass); 3317 sid, isec->sclass);
3228 if (rc) 3318 if (rc)
3229 return rc; 3319 return rc;
3230 3320
3231 return avc_has_perm(newsid, 3321 return avc_has_perm(&selinux_state,
3322 newsid,
3232 sbsec->sid, 3323 sbsec->sid,
3233 SECCLASS_FILESYSTEM, 3324 SECCLASS_FILESYSTEM,
3234 FILESYSTEM__ASSOCIATE, 3325 FILESYSTEM__ASSOCIATE,
@@ -3249,7 +3340,8 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3249 return; 3340 return;
3250 } 3341 }
3251 3342
3252 rc = security_context_to_sid_force(value, size, &newsid); 3343 rc = security_context_to_sid_force(&selinux_state, value, size,
3344 &newsid);
3253 if (rc) { 3345 if (rc) {
3254 printk(KERN_ERR "SELinux: unable to map context to SID" 3346 printk(KERN_ERR "SELinux: unable to map context to SID"
3255 "for (%s, %lu), rc=%d\n", 3347 "for (%s, %lu), rc=%d\n",
@@ -3324,10 +3416,12 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void
3324 */ 3416 */
3325 isec = inode_security(inode); 3417 isec = inode_security(inode);
3326 if (has_cap_mac_admin(false)) 3418 if (has_cap_mac_admin(false))
3327 error = security_sid_to_context_force(isec->sid, &context, 3419 error = security_sid_to_context_force(&selinux_state,
3420 isec->sid, &context,
3328 &size); 3421 &size);
3329 else 3422 else
3330 error = security_sid_to_context(isec->sid, &context, &size); 3423 error = security_sid_to_context(&selinux_state, isec->sid,
3424 &context, &size);
3331 if (error) 3425 if (error)
3332 return error; 3426 return error;
3333 error = size; 3427 error = size;
@@ -3353,7 +3447,8 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3353 if (!value || !size) 3447 if (!value || !size)
3354 return -EACCES; 3448 return -EACCES;
3355 3449
3356 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3450 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3451 GFP_KERNEL);
3357 if (rc) 3452 if (rc)
3358 return rc; 3453 return rc;
3359 3454
@@ -3442,7 +3537,7 @@ static int selinux_file_permission(struct file *file, int mask)
3442 3537
3443 isec = inode_security(inode); 3538 isec = inode_security(inode);
3444 if (sid == fsec->sid && fsec->isid == isec->sid && 3539 if (sid == fsec->sid && fsec->isid == isec->sid &&
3445 fsec->pseqno == avc_policy_seqno()) 3540 fsec->pseqno == avc_policy_seqno(&selinux_state))
3446 /* No change since file_open check. */ 3541 /* No change since file_open check. */
3447 return 0; 3542 return 0;
3448 3543
@@ -3482,7 +3577,8 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file,
3482 ad.u.op->path = file->f_path; 3577 ad.u.op->path = file->f_path;
3483 3578
3484 if (ssid != fsec->sid) { 3579 if (ssid != fsec->sid) {
3485 rc = avc_has_perm(ssid, fsec->sid, 3580 rc = avc_has_perm(&selinux_state,
3581 ssid, fsec->sid,
3486 SECCLASS_FD, 3582 SECCLASS_FD,
3487 FD__USE, 3583 FD__USE,
3488 &ad); 3584 &ad);
@@ -3494,8 +3590,9 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file,
3494 return 0; 3590 return 0;
3495 3591
3496 isec = inode_security(inode); 3592 isec = inode_security(inode);
3497 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, 3593 rc = avc_has_extended_perms(&selinux_state,
3498 requested, driver, xperm, &ad); 3594 ssid, isec->sid, isec->sclass,
3595 requested, driver, xperm, &ad);
3499out: 3596out:
3500 return rc; 3597 return rc;
3501} 3598}
@@ -3563,7 +3660,8 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
3563 * private file mapping that will also be writable. 3660 * private file mapping that will also be writable.
3564 * This has an additional check. 3661 * This has an additional check.
3565 */ 3662 */
3566 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3663 rc = avc_has_perm(&selinux_state,
3664 sid, sid, SECCLASS_PROCESS,
3567 PROCESS__EXECMEM, NULL); 3665 PROCESS__EXECMEM, NULL);
3568 if (rc) 3666 if (rc)
3569 goto error; 3667 goto error;
@@ -3593,7 +3691,8 @@ static int selinux_mmap_addr(unsigned long addr)
3593 3691
3594 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3692 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3595 u32 sid = current_sid(); 3693 u32 sid = current_sid();
3596 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3694 rc = avc_has_perm(&selinux_state,
3695 sid, sid, SECCLASS_MEMPROTECT,
3597 MEMPROTECT__MMAP_ZERO, NULL); 3696 MEMPROTECT__MMAP_ZERO, NULL);
3598 } 3697 }
3599 3698
@@ -3615,7 +3714,7 @@ static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3615 return rc; 3714 return rc;
3616 } 3715 }
3617 3716
3618 if (selinux_checkreqprot) 3717 if (selinux_state.checkreqprot)
3619 prot = reqprot; 3718 prot = reqprot;
3620 3719
3621 return file_map_prot_check(file, prot, 3720 return file_map_prot_check(file, prot,
@@ -3629,7 +3728,7 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
3629 const struct cred *cred = current_cred(); 3728 const struct cred *cred = current_cred();
3630 u32 sid = cred_sid(cred); 3729 u32 sid = cred_sid(cred);
3631 3730
3632 if (selinux_checkreqprot) 3731 if (selinux_state.checkreqprot)
3633 prot = reqprot; 3732 prot = reqprot;
3634 3733
3635 if (default_noexec && 3734 if (default_noexec &&
@@ -3637,13 +3736,15 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
3637 int rc = 0; 3736 int rc = 0;
3638 if (vma->vm_start >= vma->vm_mm->start_brk && 3737 if (vma->vm_start >= vma->vm_mm->start_brk &&
3639 vma->vm_end <= vma->vm_mm->brk) { 3738 vma->vm_end <= vma->vm_mm->brk) {
3640 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3739 rc = avc_has_perm(&selinux_state,
3740 sid, sid, SECCLASS_PROCESS,
3641 PROCESS__EXECHEAP, NULL); 3741 PROCESS__EXECHEAP, NULL);
3642 } else if (!vma->vm_file && 3742 } else if (!vma->vm_file &&
3643 ((vma->vm_start <= vma->vm_mm->start_stack && 3743 ((vma->vm_start <= vma->vm_mm->start_stack &&
3644 vma->vm_end >= vma->vm_mm->start_stack) || 3744 vma->vm_end >= vma->vm_mm->start_stack) ||
3645 vma_is_stack_for_current(vma))) { 3745 vma_is_stack_for_current(vma))) {
3646 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3746 rc = avc_has_perm(&selinux_state,
3747 sid, sid, SECCLASS_PROCESS,
3647 PROCESS__EXECSTACK, NULL); 3748 PROCESS__EXECSTACK, NULL);
3648 } else if (vma->vm_file && vma->anon_vma) { 3749 } else if (vma->vm_file && vma->anon_vma) {
3649 /* 3750 /*
@@ -3735,7 +3836,8 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
3735 else 3836 else
3736 perm = signal_to_av(signum); 3837 perm = signal_to_av(signum);
3737 3838
3738 return avc_has_perm(fsec->fown_sid, sid, 3839 return avc_has_perm(&selinux_state,
3840 fsec->fown_sid, sid,
3739 SECCLASS_PROCESS, perm, NULL); 3841 SECCLASS_PROCESS, perm, NULL);
3740} 3842}
3741 3843
@@ -3761,7 +3863,7 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
3761 * struct as its SID. 3863 * struct as its SID.
3762 */ 3864 */
3763 fsec->isid = isec->sid; 3865 fsec->isid = isec->sid;
3764 fsec->pseqno = avc_policy_seqno(); 3866 fsec->pseqno = avc_policy_seqno(&selinux_state);
3765 /* 3867 /*
3766 * Since the inode label or policy seqno may have changed 3868 * Since the inode label or policy seqno may have changed
3767 * between the selinux_inode_permission check and the saving 3869 * between the selinux_inode_permission check and the saving
@@ -3780,7 +3882,8 @@ static int selinux_task_alloc(struct task_struct *task,
3780{ 3882{
3781 u32 sid = current_sid(); 3883 u32 sid = current_sid();
3782 3884
3783 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3885 return avc_has_perm(&selinux_state,
3886 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3784} 3887}
3785 3888
3786/* 3889/*
@@ -3844,6 +3947,11 @@ static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3844 *tsec = *old_tsec; 3947 *tsec = *old_tsec;
3845} 3948}
3846 3949
3950static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3951{
3952 *secid = cred_sid(c);
3953}
3954
3847/* 3955/*
3848 * set the security data for a kernel service 3956 * set the security data for a kernel service
3849 * - all the creation contexts are set to unlabelled 3957 * - all the creation contexts are set to unlabelled
@@ -3854,7 +3962,8 @@ static int selinux_kernel_act_as(struct cred *new, u32 secid)
3854 u32 sid = current_sid(); 3962 u32 sid = current_sid();
3855 int ret; 3963 int ret;
3856 3964
3857 ret = avc_has_perm(sid, secid, 3965 ret = avc_has_perm(&selinux_state,
3966 sid, secid,
3858 SECCLASS_KERNEL_SERVICE, 3967 SECCLASS_KERNEL_SERVICE,
3859 KERNEL_SERVICE__USE_AS_OVERRIDE, 3968 KERNEL_SERVICE__USE_AS_OVERRIDE,
3860 NULL); 3969 NULL);
@@ -3878,7 +3987,8 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3878 u32 sid = current_sid(); 3987 u32 sid = current_sid();
3879 int ret; 3988 int ret;
3880 3989
3881 ret = avc_has_perm(sid, isec->sid, 3990 ret = avc_has_perm(&selinux_state,
3991 sid, isec->sid,
3882 SECCLASS_KERNEL_SERVICE, 3992 SECCLASS_KERNEL_SERVICE,
3883 KERNEL_SERVICE__CREATE_FILES_AS, 3993 KERNEL_SERVICE__CREATE_FILES_AS,
3884 NULL); 3994 NULL);
@@ -3895,7 +4005,8 @@ static int selinux_kernel_module_request(char *kmod_name)
3895 ad.type = LSM_AUDIT_DATA_KMOD; 4005 ad.type = LSM_AUDIT_DATA_KMOD;
3896 ad.u.kmod_name = kmod_name; 4006 ad.u.kmod_name = kmod_name;
3897 4007
3898 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4008 return avc_has_perm(&selinux_state,
4009 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3899 SYSTEM__MODULE_REQUEST, &ad); 4010 SYSTEM__MODULE_REQUEST, &ad);
3900} 4011}
3901 4012
@@ -3909,7 +4020,8 @@ static int selinux_kernel_module_from_file(struct file *file)
3909 4020
3910 /* init_module */ 4021 /* init_module */
3911 if (file == NULL) 4022 if (file == NULL)
3912 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, 4023 return avc_has_perm(&selinux_state,
4024 sid, sid, SECCLASS_SYSTEM,
3913 SYSTEM__MODULE_LOAD, NULL); 4025 SYSTEM__MODULE_LOAD, NULL);
3914 4026
3915 /* finit_module */ 4027 /* finit_module */
@@ -3919,13 +4031,15 @@ static int selinux_kernel_module_from_file(struct file *file)
3919 4031
3920 fsec = file->f_security; 4032 fsec = file->f_security;
3921 if (sid != fsec->sid) { 4033 if (sid != fsec->sid) {
3922 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4034 rc = avc_has_perm(&selinux_state,
4035 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3923 if (rc) 4036 if (rc)
3924 return rc; 4037 return rc;
3925 } 4038 }
3926 4039
3927 isec = inode_security(file_inode(file)); 4040 isec = inode_security(file_inode(file));
3928 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, 4041 return avc_has_perm(&selinux_state,
4042 sid, isec->sid, SECCLASS_SYSTEM,
3929 SYSTEM__MODULE_LOAD, &ad); 4043 SYSTEM__MODULE_LOAD, &ad);
3930} 4044}
3931 4045
@@ -3947,19 +4061,22 @@ static int selinux_kernel_read_file(struct file *file,
3947 4061
3948static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4062static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3949{ 4063{
3950 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4064 return avc_has_perm(&selinux_state,
4065 current_sid(), task_sid(p), SECCLASS_PROCESS,
3951 PROCESS__SETPGID, NULL); 4066 PROCESS__SETPGID, NULL);
3952} 4067}
3953 4068
3954static int selinux_task_getpgid(struct task_struct *p) 4069static int selinux_task_getpgid(struct task_struct *p)
3955{ 4070{
3956 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4071 return avc_has_perm(&selinux_state,
4072 current_sid(), task_sid(p), SECCLASS_PROCESS,
3957 PROCESS__GETPGID, NULL); 4073 PROCESS__GETPGID, NULL);
3958} 4074}
3959 4075
3960static int selinux_task_getsid(struct task_struct *p) 4076static int selinux_task_getsid(struct task_struct *p)
3961{ 4077{
3962 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4078 return avc_has_perm(&selinux_state,
4079 current_sid(), task_sid(p), SECCLASS_PROCESS,
3963 PROCESS__GETSESSION, NULL); 4080 PROCESS__GETSESSION, NULL);
3964} 4081}
3965 4082
@@ -3970,19 +4087,22 @@ static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3970 4087
3971static int selinux_task_setnice(struct task_struct *p, int nice) 4088static int selinux_task_setnice(struct task_struct *p, int nice)
3972{ 4089{
3973 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4090 return avc_has_perm(&selinux_state,
4091 current_sid(), task_sid(p), SECCLASS_PROCESS,
3974 PROCESS__SETSCHED, NULL); 4092 PROCESS__SETSCHED, NULL);
3975} 4093}
3976 4094
3977static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4095static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3978{ 4096{
3979 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4097 return avc_has_perm(&selinux_state,
4098 current_sid(), task_sid(p), SECCLASS_PROCESS,
3980 PROCESS__SETSCHED, NULL); 4099 PROCESS__SETSCHED, NULL);
3981} 4100}
3982 4101
3983static int selinux_task_getioprio(struct task_struct *p) 4102static int selinux_task_getioprio(struct task_struct *p)
3984{ 4103{
3985 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4104 return avc_has_perm(&selinux_state,
4105 current_sid(), task_sid(p), SECCLASS_PROCESS,
3986 PROCESS__GETSCHED, NULL); 4106 PROCESS__GETSCHED, NULL);
3987} 4107}
3988 4108
@@ -3997,7 +4117,8 @@ static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcre
3997 av |= PROCESS__SETRLIMIT; 4117 av |= PROCESS__SETRLIMIT;
3998 if (flags & LSM_PRLIMIT_READ) 4118 if (flags & LSM_PRLIMIT_READ)
3999 av |= PROCESS__GETRLIMIT; 4119 av |= PROCESS__GETRLIMIT;
4000 return avc_has_perm(cred_sid(cred), cred_sid(tcred), 4120 return avc_has_perm(&selinux_state,
4121 cred_sid(cred), cred_sid(tcred),
4001 SECCLASS_PROCESS, av, NULL); 4122 SECCLASS_PROCESS, av, NULL);
4002} 4123}
4003 4124
@@ -4011,7 +4132,8 @@ static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4011 later be used as a safe reset point for the soft limit 4132 later be used as a safe reset point for the soft limit
4012 upon context transitions. See selinux_bprm_committing_creds. */ 4133 upon context transitions. See selinux_bprm_committing_creds. */
4013 if (old_rlim->rlim_max != new_rlim->rlim_max) 4134 if (old_rlim->rlim_max != new_rlim->rlim_max)
4014 return avc_has_perm(current_sid(), task_sid(p), 4135 return avc_has_perm(&selinux_state,
4136 current_sid(), task_sid(p),
4015 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4137 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4016 4138
4017 return 0; 4139 return 0;
@@ -4019,19 +4141,22 @@ static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4019 4141
4020static int selinux_task_setscheduler(struct task_struct *p) 4142static int selinux_task_setscheduler(struct task_struct *p)
4021{ 4143{
4022 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4144 return avc_has_perm(&selinux_state,
4145 current_sid(), task_sid(p), SECCLASS_PROCESS,
4023 PROCESS__SETSCHED, NULL); 4146 PROCESS__SETSCHED, NULL);
4024} 4147}
4025 4148
4026static int selinux_task_getscheduler(struct task_struct *p) 4149static int selinux_task_getscheduler(struct task_struct *p)
4027{ 4150{
4028 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4151 return avc_has_perm(&selinux_state,
4152 current_sid(), task_sid(p), SECCLASS_PROCESS,
4029 PROCESS__GETSCHED, NULL); 4153 PROCESS__GETSCHED, NULL);
4030} 4154}
4031 4155
4032static int selinux_task_movememory(struct task_struct *p) 4156static int selinux_task_movememory(struct task_struct *p)
4033{ 4157{
4034 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4158 return avc_has_perm(&selinux_state,
4159 current_sid(), task_sid(p), SECCLASS_PROCESS,
4035 PROCESS__SETSCHED, NULL); 4160 PROCESS__SETSCHED, NULL);
4036} 4161}
4037 4162
@@ -4049,7 +4174,8 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4049 secid = current_sid(); 4174 secid = current_sid();
4050 else 4175 else
4051 secid = cred_sid(cred); 4176 secid = cred_sid(cred);
4052 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); 4177 return avc_has_perm(&selinux_state,
4178 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4053} 4179}
4054 4180
4055static void selinux_task_to_inode(struct task_struct *p, 4181static void selinux_task_to_inode(struct task_struct *p,
@@ -4137,6 +4263,23 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4137 break; 4263 break;
4138 } 4264 }
4139 4265
4266#if IS_ENABLED(CONFIG_IP_SCTP)
4267 case IPPROTO_SCTP: {
4268 struct sctphdr _sctph, *sh;
4269
4270 if (ntohs(ih->frag_off) & IP_OFFSET)
4271 break;
4272
4273 offset += ihlen;
4274 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4275 if (sh == NULL)
4276 break;
4277
4278 ad->u.net->sport = sh->source;
4279 ad->u.net->dport = sh->dest;
4280 break;
4281 }
4282#endif
4140 default: 4283 default:
4141 break; 4284 break;
4142 } 4285 }
@@ -4210,6 +4353,19 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4210 break; 4353 break;
4211 } 4354 }
4212 4355
4356#if IS_ENABLED(CONFIG_IP_SCTP)
4357 case IPPROTO_SCTP: {
4358 struct sctphdr _sctph, *sh;
4359
4360 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4361 if (sh == NULL)
4362 break;
4363
4364 ad->u.net->sport = sh->source;
4365 ad->u.net->dport = sh->dest;
4366 break;
4367 }
4368#endif
4213 /* includes fragments */ 4369 /* includes fragments */
4214 default: 4370 default:
4215 break; 4371 break;
@@ -4290,7 +4446,8 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4290 if (unlikely(err)) 4446 if (unlikely(err))
4291 return -EACCES; 4447 return -EACCES;
4292 4448
4293 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 4449 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4450 nlbl_type, xfrm_sid, sid);
4294 if (unlikely(err)) { 4451 if (unlikely(err)) {
4295 printk(KERN_WARNING 4452 printk(KERN_WARNING
4296 "SELinux: failure in selinux_skb_peerlbl_sid()," 4453 "SELinux: failure in selinux_skb_peerlbl_sid(),"
@@ -4318,7 +4475,8 @@ static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4318 int err = 0; 4475 int err = 0;
4319 4476
4320 if (skb_sid != SECSID_NULL) 4477 if (skb_sid != SECSID_NULL)
4321 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid); 4478 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4479 conn_sid);
4322 else 4480 else
4323 *conn_sid = sk_sid; 4481 *conn_sid = sk_sid;
4324 4482
@@ -4335,8 +4493,8 @@ static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4335 return 0; 4493 return 0;
4336 } 4494 }
4337 4495
4338 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL, 4496 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4339 socksid); 4497 secclass, NULL, socksid);
4340} 4498}
4341 4499
4342static int sock_has_perm(struct sock *sk, u32 perms) 4500static int sock_has_perm(struct sock *sk, u32 perms)
@@ -4352,7 +4510,8 @@ static int sock_has_perm(struct sock *sk, u32 perms)
4352 ad.u.net = &net; 4510 ad.u.net = &net;
4353 ad.u.net->sk = sk; 4511 ad.u.net->sk = sk;
4354 4512
4355 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4513 return avc_has_perm(&selinux_state,
4514 current_sid(), sksec->sid, sksec->sclass, perms,
4356 &ad); 4515 &ad);
4357} 4516}
4358 4517
@@ -4372,7 +4531,8 @@ static int selinux_socket_create(int family, int type,
4372 if (rc) 4531 if (rc)
4373 return rc; 4532 return rc;
4374 4533
4375 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4534 return avc_has_perm(&selinux_state,
4535 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4376} 4536}
4377 4537
4378static int selinux_socket_post_create(struct socket *sock, int family, 4538static int selinux_socket_post_create(struct socket *sock, int family,
@@ -4399,6 +4559,10 @@ static int selinux_socket_post_create(struct socket *sock, int family,
4399 sksec = sock->sk->sk_security; 4559 sksec = sock->sk->sk_security;
4400 sksec->sclass = sclass; 4560 sksec->sclass = sclass;
4401 sksec->sid = sid; 4561 sksec->sid = sid;
4562 /* Allows detection of the first association on this socket */
4563 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4564 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4565
4402 err = selinux_netlbl_socket_post_create(sock->sk, family); 4566 err = selinux_netlbl_socket_post_create(sock->sk, family);
4403 } 4567 }
4404 4568
@@ -4419,11 +4583,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4419 if (err) 4583 if (err)
4420 goto out; 4584 goto out;
4421 4585
4422 /* 4586 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4423 * If PF_INET or PF_INET6, check name_bind permission for the port.
4424 * Multiple address binding for SCTP is not supported yet: we just
4425 * check the first address now.
4426 */
4427 family = sk->sk_family; 4587 family = sk->sk_family;
4428 if (family == PF_INET || family == PF_INET6) { 4588 if (family == PF_INET || family == PF_INET6) {
4429 char *addrp; 4589 char *addrp;
@@ -4435,22 +4595,35 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4435 unsigned short snum; 4595 unsigned short snum;
4436 u32 sid, node_perm; 4596 u32 sid, node_perm;
4437 4597
4438 if (family == PF_INET) { 4598 /*
4439 if (addrlen < sizeof(struct sockaddr_in)) { 4599 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4440 err = -EINVAL; 4600 * that validates multiple binding addresses. Because of this
4441 goto out; 4601 * need to check address->sa_family as it is possible to have
4442 } 4602 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4603 */
4604 switch (address->sa_family) {
4605 case AF_INET:
4606 if (addrlen < sizeof(struct sockaddr_in))
4607 return -EINVAL;
4443 addr4 = (struct sockaddr_in *)address; 4608 addr4 = (struct sockaddr_in *)address;
4444 snum = ntohs(addr4->sin_port); 4609 snum = ntohs(addr4->sin_port);
4445 addrp = (char *)&addr4->sin_addr.s_addr; 4610 addrp = (char *)&addr4->sin_addr.s_addr;
4446 } else { 4611 break;
4447 if (addrlen < SIN6_LEN_RFC2133) { 4612 case AF_INET6:
4448 err = -EINVAL; 4613 if (addrlen < SIN6_LEN_RFC2133)
4449 goto out; 4614 return -EINVAL;
4450 }
4451 addr6 = (struct sockaddr_in6 *)address; 4615 addr6 = (struct sockaddr_in6 *)address;
4452 snum = ntohs(addr6->sin6_port); 4616 snum = ntohs(addr6->sin6_port);
4453 addrp = (char *)&addr6->sin6_addr.s6_addr; 4617 addrp = (char *)&addr6->sin6_addr.s6_addr;
4618 break;
4619 default:
4620 /* Note that SCTP services expect -EINVAL, whereas
4621 * others expect -EAFNOSUPPORT.
4622 */
4623 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4624 return -EINVAL;
4625 else
4626 return -EAFNOSUPPORT;
4454 } 4627 }
4455 4628
4456 if (snum) { 4629 if (snum) {
@@ -4468,7 +4641,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4468 ad.u.net = &net; 4641 ad.u.net = &net;
4469 ad.u.net->sport = htons(snum); 4642 ad.u.net->sport = htons(snum);
4470 ad.u.net->family = family; 4643 ad.u.net->family = family;
4471 err = avc_has_perm(sksec->sid, sid, 4644 err = avc_has_perm(&selinux_state,
4645 sksec->sid, sid,
4472 sksec->sclass, 4646 sksec->sclass,
4473 SOCKET__NAME_BIND, &ad); 4647 SOCKET__NAME_BIND, &ad);
4474 if (err) 4648 if (err)
@@ -4489,6 +4663,10 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4489 node_perm = DCCP_SOCKET__NODE_BIND; 4663 node_perm = DCCP_SOCKET__NODE_BIND;
4490 break; 4664 break;
4491 4665
4666 case SECCLASS_SCTP_SOCKET:
4667 node_perm = SCTP_SOCKET__NODE_BIND;
4668 break;
4669
4492 default: 4670 default:
4493 node_perm = RAWIP_SOCKET__NODE_BIND; 4671 node_perm = RAWIP_SOCKET__NODE_BIND;
4494 break; 4672 break;
@@ -4503,12 +4681,13 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4503 ad.u.net->sport = htons(snum); 4681 ad.u.net->sport = htons(snum);
4504 ad.u.net->family = family; 4682 ad.u.net->family = family;
4505 4683
4506 if (family == PF_INET) 4684 if (address->sa_family == AF_INET)
4507 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4685 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4508 else 4686 else
4509 ad.u.net->v6info.saddr = addr6->sin6_addr; 4687 ad.u.net->v6info.saddr = addr6->sin6_addr;
4510 4688
4511 err = avc_has_perm(sksec->sid, sid, 4689 err = avc_has_perm(&selinux_state,
4690 sksec->sid, sid,
4512 sksec->sclass, node_perm, &ad); 4691 sksec->sclass, node_perm, &ad);
4513 if (err) 4692 if (err)
4514 goto out; 4693 goto out;
@@ -4517,7 +4696,11 @@ out:
4517 return err; 4696 return err;
4518} 4697}
4519 4698
4520static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 4699/* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4700 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.txt
4701 */
4702static int selinux_socket_connect_helper(struct socket *sock,
4703 struct sockaddr *address, int addrlen)
4521{ 4704{
4522 struct sock *sk = sock->sk; 4705 struct sock *sk = sock->sk;
4523 struct sk_security_struct *sksec = sk->sk_security; 4706 struct sk_security_struct *sksec = sk->sk_security;
@@ -4528,10 +4711,12 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
4528 return err; 4711 return err;
4529 4712
4530 /* 4713 /*
4531 * If a TCP or DCCP socket, check name_connect permission for the port. 4714 * If a TCP, DCCP or SCTP socket, check name_connect permission
4715 * for the port.
4532 */ 4716 */
4533 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4717 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4534 sksec->sclass == SECCLASS_DCCP_SOCKET) { 4718 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4719 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4535 struct common_audit_data ad; 4720 struct common_audit_data ad;
4536 struct lsm_network_audit net = {0,}; 4721 struct lsm_network_audit net = {0,};
4537 struct sockaddr_in *addr4 = NULL; 4722 struct sockaddr_in *addr4 = NULL;
@@ -4539,38 +4724,75 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
4539 unsigned short snum; 4724 unsigned short snum;
4540 u32 sid, perm; 4725 u32 sid, perm;
4541 4726
4542 if (sk->sk_family == PF_INET) { 4727 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4728 * that validates multiple connect addresses. Because of this
4729 * need to check address->sa_family as it is possible to have
4730 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4731 */
4732 switch (address->sa_family) {
4733 case AF_INET:
4543 addr4 = (struct sockaddr_in *)address; 4734 addr4 = (struct sockaddr_in *)address;
4544 if (addrlen < sizeof(struct sockaddr_in)) 4735 if (addrlen < sizeof(struct sockaddr_in))
4545 return -EINVAL; 4736 return -EINVAL;
4546 snum = ntohs(addr4->sin_port); 4737 snum = ntohs(addr4->sin_port);
4547 } else { 4738 break;
4739 case AF_INET6:
4548 addr6 = (struct sockaddr_in6 *)address; 4740 addr6 = (struct sockaddr_in6 *)address;
4549 if (addrlen < SIN6_LEN_RFC2133) 4741 if (addrlen < SIN6_LEN_RFC2133)
4550 return -EINVAL; 4742 return -EINVAL;
4551 snum = ntohs(addr6->sin6_port); 4743 snum = ntohs(addr6->sin6_port);
4744 break;
4745 default:
4746 /* Note that SCTP services expect -EINVAL, whereas
4747 * others expect -EAFNOSUPPORT.
4748 */
4749 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4750 return -EINVAL;
4751 else
4752 return -EAFNOSUPPORT;
4552 } 4753 }
4553 4754
4554 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4755 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4555 if (err) 4756 if (err)
4556 goto out; 4757 return err;
4557 4758
4558 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ? 4759 switch (sksec->sclass) {
4559 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 4760 case SECCLASS_TCP_SOCKET:
4761 perm = TCP_SOCKET__NAME_CONNECT;
4762 break;
4763 case SECCLASS_DCCP_SOCKET:
4764 perm = DCCP_SOCKET__NAME_CONNECT;
4765 break;
4766 case SECCLASS_SCTP_SOCKET:
4767 perm = SCTP_SOCKET__NAME_CONNECT;
4768 break;
4769 }
4560 4770
4561 ad.type = LSM_AUDIT_DATA_NET; 4771 ad.type = LSM_AUDIT_DATA_NET;
4562 ad.u.net = &net; 4772 ad.u.net = &net;
4563 ad.u.net->dport = htons(snum); 4773 ad.u.net->dport = htons(snum);
4564 ad.u.net->family = sk->sk_family; 4774 ad.u.net->family = sk->sk_family;
4565 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 4775 err = avc_has_perm(&selinux_state,
4776 sksec->sid, sid, sksec->sclass, perm, &ad);
4566 if (err) 4777 if (err)
4567 goto out; 4778 return err;
4568 } 4779 }
4569 4780
4570 err = selinux_netlbl_socket_connect(sk, address); 4781 return 0;
4782}
4571 4783
4572out: 4784/* Supports connect(2), see comments in selinux_socket_connect_helper() */
4573 return err; 4785static int selinux_socket_connect(struct socket *sock,
4786 struct sockaddr *address, int addrlen)
4787{
4788 int err;
4789 struct sock *sk = sock->sk;
4790
4791 err = selinux_socket_connect_helper(sock, address, addrlen);
4792 if (err)
4793 return err;
4794
4795 return selinux_netlbl_socket_connect(sk, address);
4574} 4796}
4575 4797
4576static int selinux_socket_listen(struct socket *sock, int backlog) 4798static int selinux_socket_listen(struct socket *sock, int backlog)
@@ -4663,7 +4885,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
4663 ad.u.net = &net; 4885 ad.u.net = &net;
4664 ad.u.net->sk = other; 4886 ad.u.net->sk = other;
4665 4887
4666 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 4888 err = avc_has_perm(&selinux_state,
4889 sksec_sock->sid, sksec_other->sid,
4667 sksec_other->sclass, 4890 sksec_other->sclass,
4668 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4891 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4669 if (err) 4892 if (err)
@@ -4671,8 +4894,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
4671 4894
4672 /* server child socket */ 4895 /* server child socket */
4673 sksec_new->peer_sid = sksec_sock->sid; 4896 sksec_new->peer_sid = sksec_sock->sid;
4674 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid, 4897 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4675 &sksec_new->sid); 4898 sksec_sock->sid, &sksec_new->sid);
4676 if (err) 4899 if (err)
4677 return err; 4900 return err;
4678 4901
@@ -4694,7 +4917,8 @@ static int selinux_socket_unix_may_send(struct socket *sock,
4694 ad.u.net = &net; 4917 ad.u.net = &net;
4695 ad.u.net->sk = other->sk; 4918 ad.u.net->sk = other->sk;
4696 4919
4697 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4920 return avc_has_perm(&selinux_state,
4921 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4698 &ad); 4922 &ad);
4699} 4923}
4700 4924
@@ -4709,7 +4933,8 @@ static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4709 err = sel_netif_sid(ns, ifindex, &if_sid); 4933 err = sel_netif_sid(ns, ifindex, &if_sid);
4710 if (err) 4934 if (err)
4711 return err; 4935 return err;
4712 err = avc_has_perm(peer_sid, if_sid, 4936 err = avc_has_perm(&selinux_state,
4937 peer_sid, if_sid,
4713 SECCLASS_NETIF, NETIF__INGRESS, ad); 4938 SECCLASS_NETIF, NETIF__INGRESS, ad);
4714 if (err) 4939 if (err)
4715 return err; 4940 return err;
@@ -4717,7 +4942,8 @@ static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4717 err = sel_netnode_sid(addrp, family, &node_sid); 4942 err = sel_netnode_sid(addrp, family, &node_sid);
4718 if (err) 4943 if (err)
4719 return err; 4944 return err;
4720 return avc_has_perm(peer_sid, node_sid, 4945 return avc_has_perm(&selinux_state,
4946 peer_sid, node_sid,
4721 SECCLASS_NODE, NODE__RECVFROM, ad); 4947 SECCLASS_NODE, NODE__RECVFROM, ad);
4722} 4948}
4723 4949
@@ -4740,7 +4966,8 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4740 return err; 4966 return err;
4741 4967
4742 if (selinux_secmark_enabled()) { 4968 if (selinux_secmark_enabled()) {
4743 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4969 err = avc_has_perm(&selinux_state,
4970 sk_sid, skb->secmark, SECCLASS_PACKET,
4744 PACKET__RECV, &ad); 4971 PACKET__RECV, &ad);
4745 if (err) 4972 if (err)
4746 return err; 4973 return err;
@@ -4777,7 +5004,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4777 * to the selinux_sock_rcv_skb_compat() function to deal with the 5004 * to the selinux_sock_rcv_skb_compat() function to deal with the
4778 * special handling. We do this in an attempt to keep this function 5005 * special handling. We do this in an attempt to keep this function
4779 * as fast and as clean as possible. */ 5006 * as fast and as clean as possible. */
4780 if (!selinux_policycap_netpeer) 5007 if (!selinux_policycap_netpeer())
4781 return selinux_sock_rcv_skb_compat(sk, skb, family); 5008 return selinux_sock_rcv_skb_compat(sk, skb, family);
4782 5009
4783 secmark_active = selinux_secmark_enabled(); 5010 secmark_active = selinux_secmark_enabled();
@@ -4805,7 +5032,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4805 selinux_netlbl_err(skb, family, err, 0); 5032 selinux_netlbl_err(skb, family, err, 0);
4806 return err; 5033 return err;
4807 } 5034 }
4808 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 5035 err = avc_has_perm(&selinux_state,
5036 sk_sid, peer_sid, SECCLASS_PEER,
4809 PEER__RECV, &ad); 5037 PEER__RECV, &ad);
4810 if (err) { 5038 if (err) {
4811 selinux_netlbl_err(skb, family, err, 0); 5039 selinux_netlbl_err(skb, family, err, 0);
@@ -4814,7 +5042,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4814 } 5042 }
4815 5043
4816 if (secmark_active) { 5044 if (secmark_active) {
4817 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5045 err = avc_has_perm(&selinux_state,
5046 sk_sid, skb->secmark, SECCLASS_PACKET,
4818 PACKET__RECV, &ad); 5047 PACKET__RECV, &ad);
4819 if (err) 5048 if (err)
4820 return err; 5049 return err;
@@ -4833,12 +5062,14 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *op
4833 u32 peer_sid = SECSID_NULL; 5062 u32 peer_sid = SECSID_NULL;
4834 5063
4835 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5064 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4836 sksec->sclass == SECCLASS_TCP_SOCKET) 5065 sksec->sclass == SECCLASS_TCP_SOCKET ||
5066 sksec->sclass == SECCLASS_SCTP_SOCKET)
4837 peer_sid = sksec->peer_sid; 5067 peer_sid = sksec->peer_sid;
4838 if (peer_sid == SECSID_NULL) 5068 if (peer_sid == SECSID_NULL)
4839 return -ENOPROTOOPT; 5069 return -ENOPROTOOPT;
4840 5070
4841 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 5071 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5072 &scontext_len);
4842 if (err) 5073 if (err)
4843 return err; 5074 return err;
4844 5075
@@ -4946,6 +5177,172 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4946 sksec->sclass = isec->sclass; 5177 sksec->sclass = isec->sclass;
4947} 5178}
4948 5179
5180/* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5181 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5182 * already present).
5183 */
5184static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5185 struct sk_buff *skb)
5186{
5187 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5188 struct common_audit_data ad;
5189 struct lsm_network_audit net = {0,};
5190 u8 peerlbl_active;
5191 u32 peer_sid = SECINITSID_UNLABELED;
5192 u32 conn_sid;
5193 int err = 0;
5194
5195 if (!selinux_policycap_extsockclass())
5196 return 0;
5197
5198 peerlbl_active = selinux_peerlbl_enabled();
5199
5200 if (peerlbl_active) {
5201 /* This will return peer_sid = SECSID_NULL if there are
5202 * no peer labels, see security_net_peersid_resolve().
5203 */
5204 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5205 &peer_sid);
5206 if (err)
5207 return err;
5208
5209 if (peer_sid == SECSID_NULL)
5210 peer_sid = SECINITSID_UNLABELED;
5211 }
5212
5213 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5214 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5215
5216 /* Here as first association on socket. As the peer SID
5217 * was allowed by peer recv (and the netif/node checks),
5218 * then it is approved by policy and used as the primary
5219 * peer SID for getpeercon(3).
5220 */
5221 sksec->peer_sid = peer_sid;
5222 } else if (sksec->peer_sid != peer_sid) {
5223 /* Other association peer SIDs are checked to enforce
5224 * consistency among the peer SIDs.
5225 */
5226 ad.type = LSM_AUDIT_DATA_NET;
5227 ad.u.net = &net;
5228 ad.u.net->sk = ep->base.sk;
5229 err = avc_has_perm(&selinux_state,
5230 sksec->peer_sid, peer_sid, sksec->sclass,
5231 SCTP_SOCKET__ASSOCIATION, &ad);
5232 if (err)
5233 return err;
5234 }
5235
5236 /* Compute the MLS component for the connection and store
5237 * the information in ep. This will be used by SCTP TCP type
5238 * sockets and peeled off connections as they cause a new
5239 * socket to be generated. selinux_sctp_sk_clone() will then
5240 * plug this into the new socket.
5241 */
5242 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5243 if (err)
5244 return err;
5245
5246 ep->secid = conn_sid;
5247 ep->peer_secid = peer_sid;
5248
5249 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5250 return selinux_netlbl_sctp_assoc_request(ep, skb);
5251}
5252
5253/* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5254 * based on their @optname.
5255 */
5256static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5257 struct sockaddr *address,
5258 int addrlen)
5259{
5260 int len, err = 0, walk_size = 0;
5261 void *addr_buf;
5262 struct sockaddr *addr;
5263 struct socket *sock;
5264
5265 if (!selinux_policycap_extsockclass())
5266 return 0;
5267
5268 /* Process one or more addresses that may be IPv4 or IPv6 */
5269 sock = sk->sk_socket;
5270 addr_buf = address;
5271
5272 while (walk_size < addrlen) {
5273 addr = addr_buf;
5274 switch (addr->sa_family) {
5275 case AF_INET:
5276 len = sizeof(struct sockaddr_in);
5277 break;
5278 case AF_INET6:
5279 len = sizeof(struct sockaddr_in6);
5280 break;
5281 default:
5282 return -EAFNOSUPPORT;
5283 }
5284
5285 err = -EINVAL;
5286 switch (optname) {
5287 /* Bind checks */
5288 case SCTP_PRIMARY_ADDR:
5289 case SCTP_SET_PEER_PRIMARY_ADDR:
5290 case SCTP_SOCKOPT_BINDX_ADD:
5291 err = selinux_socket_bind(sock, addr, len);
5292 break;
5293 /* Connect checks */
5294 case SCTP_SOCKOPT_CONNECTX:
5295 case SCTP_PARAM_SET_PRIMARY:
5296 case SCTP_PARAM_ADD_IP:
5297 case SCTP_SENDMSG_CONNECT:
5298 err = selinux_socket_connect_helper(sock, addr, len);
5299 if (err)
5300 return err;
5301
5302 /* As selinux_sctp_bind_connect() is called by the
5303 * SCTP protocol layer, the socket is already locked,
5304 * therefore selinux_netlbl_socket_connect_locked() is
5305 * is called here. The situations handled are:
5306 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5307 * whenever a new IP address is added or when a new
5308 * primary address is selected.
5309 * Note that an SCTP connect(2) call happens before
5310 * the SCTP protocol layer and is handled via
5311 * selinux_socket_connect().
5312 */
5313 err = selinux_netlbl_socket_connect_locked(sk, addr);
5314 break;
5315 }
5316
5317 if (err)
5318 return err;
5319
5320 addr_buf += len;
5321 walk_size += len;
5322 }
5323
5324 return 0;
5325}
5326
5327/* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5328static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5329 struct sock *newsk)
5330{
5331 struct sk_security_struct *sksec = sk->sk_security;
5332 struct sk_security_struct *newsksec = newsk->sk_security;
5333
5334 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5335 * the non-sctp clone version.
5336 */
5337 if (!selinux_policycap_extsockclass())
5338 return selinux_sk_clone_security(sk, newsk);
5339
5340 newsksec->sid = ep->secid;
5341 newsksec->peer_sid = ep->peer_secid;
5342 newsksec->sclass = sksec->sclass;
5343 selinux_netlbl_sctp_sk_clone(sk, newsk);
5344}
5345
4949static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 5346static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4950 struct request_sock *req) 5347 struct request_sock *req)
4951{ 5348{
@@ -5004,7 +5401,9 @@ static int selinux_secmark_relabel_packet(u32 sid)
5004 __tsec = current_security(); 5401 __tsec = current_security();
5005 tsid = __tsec->sid; 5402 tsid = __tsec->sid;
5006 5403
5007 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL); 5404 return avc_has_perm(&selinux_state,
5405 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5406 NULL);
5008} 5407}
5009 5408
5010static void selinux_secmark_refcount_inc(void) 5409static void selinux_secmark_refcount_inc(void)
@@ -5052,7 +5451,8 @@ static int selinux_tun_dev_create(void)
5052 * connections unlike traditional sockets - check the TUN driver to 5451 * connections unlike traditional sockets - check the TUN driver to
5053 * get a better understanding of why this socket is special */ 5452 * get a better understanding of why this socket is special */
5054 5453
5055 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5454 return avc_has_perm(&selinux_state,
5455 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5056 NULL); 5456 NULL);
5057} 5457}
5058 5458
@@ -5060,7 +5460,8 @@ static int selinux_tun_dev_attach_queue(void *security)
5060{ 5460{
5061 struct tun_security_struct *tunsec = security; 5461 struct tun_security_struct *tunsec = security;
5062 5462
5063 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5463 return avc_has_perm(&selinux_state,
5464 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5064 TUN_SOCKET__ATTACH_QUEUE, NULL); 5465 TUN_SOCKET__ATTACH_QUEUE, NULL);
5065} 5466}
5066 5467
@@ -5088,11 +5489,13 @@ static int selinux_tun_dev_open(void *security)
5088 u32 sid = current_sid(); 5489 u32 sid = current_sid();
5089 int err; 5490 int err;
5090 5491
5091 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5492 err = avc_has_perm(&selinux_state,
5493 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5092 TUN_SOCKET__RELABELFROM, NULL); 5494 TUN_SOCKET__RELABELFROM, NULL);
5093 if (err) 5495 if (err)
5094 return err; 5496 return err;
5095 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 5497 err = avc_has_perm(&selinux_state,
5498 sid, sid, SECCLASS_TUN_SOCKET,
5096 TUN_SOCKET__RELABELTO, NULL); 5499 TUN_SOCKET__RELABELTO, NULL);
5097 if (err) 5500 if (err)
5098 return err; 5501 return err;
@@ -5123,7 +5526,8 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5123 sk->sk_protocol, nlh->nlmsg_type, 5526 sk->sk_protocol, nlh->nlmsg_type,
5124 secclass_map[sksec->sclass - 1].name, 5527 secclass_map[sksec->sclass - 1].name,
5125 task_pid_nr(current), current->comm); 5528 task_pid_nr(current), current->comm);
5126 if (!selinux_enforcing || security_get_allow_unknown()) 5529 if (!enforcing_enabled(&selinux_state) ||
5530 security_get_allow_unknown(&selinux_state))
5127 err = 0; 5531 err = 0;
5128 } 5532 }
5129 5533
@@ -5153,7 +5557,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb,
5153 u8 netlbl_active; 5557 u8 netlbl_active;
5154 u8 peerlbl_active; 5558 u8 peerlbl_active;
5155 5559
5156 if (!selinux_policycap_netpeer) 5560 if (!selinux_policycap_netpeer())
5157 return NF_ACCEPT; 5561 return NF_ACCEPT;
5158 5562
5159 secmark_active = selinux_secmark_enabled(); 5563 secmark_active = selinux_secmark_enabled();
@@ -5182,7 +5586,8 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb,
5182 } 5586 }
5183 5587
5184 if (secmark_active) 5588 if (secmark_active)
5185 if (avc_has_perm(peer_sid, skb->secmark, 5589 if (avc_has_perm(&selinux_state,
5590 peer_sid, skb->secmark,
5186 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5591 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5187 return NF_DROP; 5592 return NF_DROP;
5188 5593
@@ -5294,7 +5699,8 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5294 return NF_DROP; 5699 return NF_DROP;
5295 5700
5296 if (selinux_secmark_enabled()) 5701 if (selinux_secmark_enabled())
5297 if (avc_has_perm(sksec->sid, skb->secmark, 5702 if (avc_has_perm(&selinux_state,
5703 sksec->sid, skb->secmark,
5298 SECCLASS_PACKET, PACKET__SEND, &ad)) 5704 SECCLASS_PACKET, PACKET__SEND, &ad))
5299 return NF_DROP_ERR(-ECONNREFUSED); 5705 return NF_DROP_ERR(-ECONNREFUSED);
5300 5706
@@ -5322,7 +5728,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5322 * to the selinux_ip_postroute_compat() function to deal with the 5728 * to the selinux_ip_postroute_compat() function to deal with the
5323 * special handling. We do this in an attempt to keep this function 5729 * special handling. We do this in an attempt to keep this function
5324 * as fast and as clean as possible. */ 5730 * as fast and as clean as possible. */
5325 if (!selinux_policycap_netpeer) 5731 if (!selinux_policycap_netpeer())
5326 return selinux_ip_postroute_compat(skb, ifindex, family); 5732 return selinux_ip_postroute_compat(skb, ifindex, family);
5327 5733
5328 secmark_active = selinux_secmark_enabled(); 5734 secmark_active = selinux_secmark_enabled();
@@ -5417,7 +5823,8 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5417 return NF_DROP; 5823 return NF_DROP;
5418 5824
5419 if (secmark_active) 5825 if (secmark_active)
5420 if (avc_has_perm(peer_sid, skb->secmark, 5826 if (avc_has_perm(&selinux_state,
5827 peer_sid, skb->secmark,
5421 SECCLASS_PACKET, secmark_perm, &ad)) 5828 SECCLASS_PACKET, secmark_perm, &ad))
5422 return NF_DROP_ERR(-ECONNREFUSED); 5829 return NF_DROP_ERR(-ECONNREFUSED);
5423 5830
@@ -5427,13 +5834,15 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5427 5834
5428 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5835 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5429 return NF_DROP; 5836 return NF_DROP;
5430 if (avc_has_perm(peer_sid, if_sid, 5837 if (avc_has_perm(&selinux_state,
5838 peer_sid, if_sid,
5431 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5839 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5432 return NF_DROP_ERR(-ECONNREFUSED); 5840 return NF_DROP_ERR(-ECONNREFUSED);
5433 5841
5434 if (sel_netnode_sid(addrp, family, &node_sid)) 5842 if (sel_netnode_sid(addrp, family, &node_sid))
5435 return NF_DROP; 5843 return NF_DROP;
5436 if (avc_has_perm(peer_sid, node_sid, 5844 if (avc_has_perm(&selinux_state,
5845 peer_sid, node_sid,
5437 SECCLASS_NODE, NODE__SENDTO, &ad)) 5846 SECCLASS_NODE, NODE__SENDTO, &ad))
5438 return NF_DROP_ERR(-ECONNREFUSED); 5847 return NF_DROP_ERR(-ECONNREFUSED);
5439 } 5848 }
@@ -5521,7 +5930,8 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5521 ad.type = LSM_AUDIT_DATA_IPC; 5930 ad.type = LSM_AUDIT_DATA_IPC;
5522 ad.u.ipc_id = ipc_perms->key; 5931 ad.u.ipc_id = ipc_perms->key;
5523 5932
5524 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 5933 return avc_has_perm(&selinux_state,
5934 sid, isec->sid, isec->sclass, perms, &ad);
5525} 5935}
5526 5936
5527static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5937static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
@@ -5535,52 +5945,54 @@ static void selinux_msg_msg_free_security(struct msg_msg *msg)
5535} 5945}
5536 5946
5537/* message queue security operations */ 5947/* message queue security operations */
5538static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 5948static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5539{ 5949{
5540 struct ipc_security_struct *isec; 5950 struct ipc_security_struct *isec;
5541 struct common_audit_data ad; 5951 struct common_audit_data ad;
5542 u32 sid = current_sid(); 5952 u32 sid = current_sid();
5543 int rc; 5953 int rc;
5544 5954
5545 rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ); 5955 rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
5546 if (rc) 5956 if (rc)
5547 return rc; 5957 return rc;
5548 5958
5549 isec = msq->q_perm.security; 5959 isec = msq->security;
5550 5960
5551 ad.type = LSM_AUDIT_DATA_IPC; 5961 ad.type = LSM_AUDIT_DATA_IPC;
5552 ad.u.ipc_id = msq->q_perm.key; 5962 ad.u.ipc_id = msq->key;
5553 5963
5554 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5964 rc = avc_has_perm(&selinux_state,
5965 sid, isec->sid, SECCLASS_MSGQ,
5555 MSGQ__CREATE, &ad); 5966 MSGQ__CREATE, &ad);
5556 if (rc) { 5967 if (rc) {
5557 ipc_free_security(&msq->q_perm); 5968 ipc_free_security(msq);
5558 return rc; 5969 return rc;
5559 } 5970 }
5560 return 0; 5971 return 0;
5561} 5972}
5562 5973
5563static void selinux_msg_queue_free_security(struct msg_queue *msq) 5974static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
5564{ 5975{
5565 ipc_free_security(&msq->q_perm); 5976 ipc_free_security(msq);
5566} 5977}
5567 5978
5568static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 5979static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5569{ 5980{
5570 struct ipc_security_struct *isec; 5981 struct ipc_security_struct *isec;
5571 struct common_audit_data ad; 5982 struct common_audit_data ad;
5572 u32 sid = current_sid(); 5983 u32 sid = current_sid();
5573 5984
5574 isec = msq->q_perm.security; 5985 isec = msq->security;
5575 5986
5576 ad.type = LSM_AUDIT_DATA_IPC; 5987 ad.type = LSM_AUDIT_DATA_IPC;
5577 ad.u.ipc_id = msq->q_perm.key; 5988 ad.u.ipc_id = msq->key;
5578 5989
5579 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5990 return avc_has_perm(&selinux_state,
5991 sid, isec->sid, SECCLASS_MSGQ,
5580 MSGQ__ASSOCIATE, &ad); 5992 MSGQ__ASSOCIATE, &ad);
5581} 5993}
5582 5994
5583static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 5995static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
5584{ 5996{
5585 int err; 5997 int err;
5586 int perms; 5998 int perms;
@@ -5589,10 +6001,12 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5589 case IPC_INFO: 6001 case IPC_INFO:
5590 case MSG_INFO: 6002 case MSG_INFO:
5591 /* No specific object, just general system-wide information. */ 6003 /* No specific object, just general system-wide information. */
5592 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6004 return avc_has_perm(&selinux_state,
6005 current_sid(), SECINITSID_KERNEL,
5593 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6006 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5594 case IPC_STAT: 6007 case IPC_STAT:
5595 case MSG_STAT: 6008 case MSG_STAT:
6009 case MSG_STAT_ANY:
5596 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 6010 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5597 break; 6011 break;
5598 case IPC_SET: 6012 case IPC_SET:
@@ -5605,11 +6019,11 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5605 return 0; 6019 return 0;
5606 } 6020 }
5607 6021
5608 err = ipc_has_perm(&msq->q_perm, perms); 6022 err = ipc_has_perm(msq, perms);
5609 return err; 6023 return err;
5610} 6024}
5611 6025
5612static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 6026static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
5613{ 6027{
5614 struct ipc_security_struct *isec; 6028 struct ipc_security_struct *isec;
5615 struct msg_security_struct *msec; 6029 struct msg_security_struct *msec;
@@ -5617,7 +6031,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
5617 u32 sid = current_sid(); 6031 u32 sid = current_sid();
5618 int rc; 6032 int rc;
5619 6033
5620 isec = msq->q_perm.security; 6034 isec = msq->security;
5621 msec = msg->security; 6035 msec = msg->security;
5622 6036
5623 /* 6037 /*
@@ -5628,31 +6042,34 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
5628 * Compute new sid based on current process and 6042 * Compute new sid based on current process and
5629 * message queue this message will be stored in 6043 * message queue this message will be stored in
5630 */ 6044 */
5631 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG, 6045 rc = security_transition_sid(&selinux_state, sid, isec->sid,
5632 NULL, &msec->sid); 6046 SECCLASS_MSG, NULL, &msec->sid);
5633 if (rc) 6047 if (rc)
5634 return rc; 6048 return rc;
5635 } 6049 }
5636 6050
5637 ad.type = LSM_AUDIT_DATA_IPC; 6051 ad.type = LSM_AUDIT_DATA_IPC;
5638 ad.u.ipc_id = msq->q_perm.key; 6052 ad.u.ipc_id = msq->key;
5639 6053
5640 /* Can this process write to the queue? */ 6054 /* Can this process write to the queue? */
5641 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6055 rc = avc_has_perm(&selinux_state,
6056 sid, isec->sid, SECCLASS_MSGQ,
5642 MSGQ__WRITE, &ad); 6057 MSGQ__WRITE, &ad);
5643 if (!rc) 6058 if (!rc)
5644 /* Can this process send the message */ 6059 /* Can this process send the message */
5645 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 6060 rc = avc_has_perm(&selinux_state,
6061 sid, msec->sid, SECCLASS_MSG,
5646 MSG__SEND, &ad); 6062 MSG__SEND, &ad);
5647 if (!rc) 6063 if (!rc)
5648 /* Can the message be put in the queue? */ 6064 /* Can the message be put in the queue? */
5649 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 6065 rc = avc_has_perm(&selinux_state,
6066 msec->sid, isec->sid, SECCLASS_MSGQ,
5650 MSGQ__ENQUEUE, &ad); 6067 MSGQ__ENQUEUE, &ad);
5651 6068
5652 return rc; 6069 return rc;
5653} 6070}
5654 6071
5655static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 6072static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
5656 struct task_struct *target, 6073 struct task_struct *target,
5657 long type, int mode) 6074 long type, int mode)
5658{ 6075{
@@ -5662,68 +6079,72 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5662 u32 sid = task_sid(target); 6079 u32 sid = task_sid(target);
5663 int rc; 6080 int rc;
5664 6081
5665 isec = msq->q_perm.security; 6082 isec = msq->security;
5666 msec = msg->security; 6083 msec = msg->security;
5667 6084
5668 ad.type = LSM_AUDIT_DATA_IPC; 6085 ad.type = LSM_AUDIT_DATA_IPC;
5669 ad.u.ipc_id = msq->q_perm.key; 6086 ad.u.ipc_id = msq->key;
5670 6087
5671 rc = avc_has_perm(sid, isec->sid, 6088 rc = avc_has_perm(&selinux_state,
6089 sid, isec->sid,
5672 SECCLASS_MSGQ, MSGQ__READ, &ad); 6090 SECCLASS_MSGQ, MSGQ__READ, &ad);
5673 if (!rc) 6091 if (!rc)
5674 rc = avc_has_perm(sid, msec->sid, 6092 rc = avc_has_perm(&selinux_state,
6093 sid, msec->sid,
5675 SECCLASS_MSG, MSG__RECEIVE, &ad); 6094 SECCLASS_MSG, MSG__RECEIVE, &ad);
5676 return rc; 6095 return rc;
5677} 6096}
5678 6097
5679/* Shared Memory security operations */ 6098/* Shared Memory security operations */
5680static int selinux_shm_alloc_security(struct shmid_kernel *shp) 6099static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
5681{ 6100{
5682 struct ipc_security_struct *isec; 6101 struct ipc_security_struct *isec;
5683 struct common_audit_data ad; 6102 struct common_audit_data ad;
5684 u32 sid = current_sid(); 6103 u32 sid = current_sid();
5685 int rc; 6104 int rc;
5686 6105
5687 rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM); 6106 rc = ipc_alloc_security(shp, SECCLASS_SHM);
5688 if (rc) 6107 if (rc)
5689 return rc; 6108 return rc;
5690 6109
5691 isec = shp->shm_perm.security; 6110 isec = shp->security;
5692 6111
5693 ad.type = LSM_AUDIT_DATA_IPC; 6112 ad.type = LSM_AUDIT_DATA_IPC;
5694 ad.u.ipc_id = shp->shm_perm.key; 6113 ad.u.ipc_id = shp->key;
5695 6114
5696 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6115 rc = avc_has_perm(&selinux_state,
6116 sid, isec->sid, SECCLASS_SHM,
5697 SHM__CREATE, &ad); 6117 SHM__CREATE, &ad);
5698 if (rc) { 6118 if (rc) {
5699 ipc_free_security(&shp->shm_perm); 6119 ipc_free_security(shp);
5700 return rc; 6120 return rc;
5701 } 6121 }
5702 return 0; 6122 return 0;
5703} 6123}
5704 6124
5705static void selinux_shm_free_security(struct shmid_kernel *shp) 6125static void selinux_shm_free_security(struct kern_ipc_perm *shp)
5706{ 6126{
5707 ipc_free_security(&shp->shm_perm); 6127 ipc_free_security(shp);
5708} 6128}
5709 6129
5710static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 6130static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
5711{ 6131{
5712 struct ipc_security_struct *isec; 6132 struct ipc_security_struct *isec;
5713 struct common_audit_data ad; 6133 struct common_audit_data ad;
5714 u32 sid = current_sid(); 6134 u32 sid = current_sid();
5715 6135
5716 isec = shp->shm_perm.security; 6136 isec = shp->security;
5717 6137
5718 ad.type = LSM_AUDIT_DATA_IPC; 6138 ad.type = LSM_AUDIT_DATA_IPC;
5719 ad.u.ipc_id = shp->shm_perm.key; 6139 ad.u.ipc_id = shp->key;
5720 6140
5721 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6141 return avc_has_perm(&selinux_state,
6142 sid, isec->sid, SECCLASS_SHM,
5722 SHM__ASSOCIATE, &ad); 6143 SHM__ASSOCIATE, &ad);
5723} 6144}
5724 6145
5725/* Note, at this point, shp is locked down */ 6146/* Note, at this point, shp is locked down */
5726static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 6147static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
5727{ 6148{
5728 int perms; 6149 int perms;
5729 int err; 6150 int err;
@@ -5732,10 +6153,12 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5732 case IPC_INFO: 6153 case IPC_INFO:
5733 case SHM_INFO: 6154 case SHM_INFO:
5734 /* No specific object, just general system-wide information. */ 6155 /* No specific object, just general system-wide information. */
5735 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6156 return avc_has_perm(&selinux_state,
6157 current_sid(), SECINITSID_KERNEL,
5736 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6158 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5737 case IPC_STAT: 6159 case IPC_STAT:
5738 case SHM_STAT: 6160 case SHM_STAT:
6161 case SHM_STAT_ANY:
5739 perms = SHM__GETATTR | SHM__ASSOCIATE; 6162 perms = SHM__GETATTR | SHM__ASSOCIATE;
5740 break; 6163 break;
5741 case IPC_SET: 6164 case IPC_SET:
@@ -5752,11 +6175,11 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5752 return 0; 6175 return 0;
5753 } 6176 }
5754 6177
5755 err = ipc_has_perm(&shp->shm_perm, perms); 6178 err = ipc_has_perm(shp, perms);
5756 return err; 6179 return err;
5757} 6180}
5758 6181
5759static int selinux_shm_shmat(struct shmid_kernel *shp, 6182static int selinux_shm_shmat(struct kern_ipc_perm *shp,
5760 char __user *shmaddr, int shmflg) 6183 char __user *shmaddr, int shmflg)
5761{ 6184{
5762 u32 perms; 6185 u32 perms;
@@ -5766,57 +6189,59 @@ static int selinux_shm_shmat(struct shmid_kernel *shp,
5766 else 6189 else
5767 perms = SHM__READ | SHM__WRITE; 6190 perms = SHM__READ | SHM__WRITE;
5768 6191
5769 return ipc_has_perm(&shp->shm_perm, perms); 6192 return ipc_has_perm(shp, perms);
5770} 6193}
5771 6194
5772/* Semaphore security operations */ 6195/* Semaphore security operations */
5773static int selinux_sem_alloc_security(struct sem_array *sma) 6196static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
5774{ 6197{
5775 struct ipc_security_struct *isec; 6198 struct ipc_security_struct *isec;
5776 struct common_audit_data ad; 6199 struct common_audit_data ad;
5777 u32 sid = current_sid(); 6200 u32 sid = current_sid();
5778 int rc; 6201 int rc;
5779 6202
5780 rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM); 6203 rc = ipc_alloc_security(sma, SECCLASS_SEM);
5781 if (rc) 6204 if (rc)
5782 return rc; 6205 return rc;
5783 6206
5784 isec = sma->sem_perm.security; 6207 isec = sma->security;
5785 6208
5786 ad.type = LSM_AUDIT_DATA_IPC; 6209 ad.type = LSM_AUDIT_DATA_IPC;
5787 ad.u.ipc_id = sma->sem_perm.key; 6210 ad.u.ipc_id = sma->key;
5788 6211
5789 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6212 rc = avc_has_perm(&selinux_state,
6213 sid, isec->sid, SECCLASS_SEM,
5790 SEM__CREATE, &ad); 6214 SEM__CREATE, &ad);
5791 if (rc) { 6215 if (rc) {
5792 ipc_free_security(&sma->sem_perm); 6216 ipc_free_security(sma);
5793 return rc; 6217 return rc;
5794 } 6218 }
5795 return 0; 6219 return 0;
5796} 6220}
5797 6221
5798static void selinux_sem_free_security(struct sem_array *sma) 6222static void selinux_sem_free_security(struct kern_ipc_perm *sma)
5799{ 6223{
5800 ipc_free_security(&sma->sem_perm); 6224 ipc_free_security(sma);
5801} 6225}
5802 6226
5803static int selinux_sem_associate(struct sem_array *sma, int semflg) 6227static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
5804{ 6228{
5805 struct ipc_security_struct *isec; 6229 struct ipc_security_struct *isec;
5806 struct common_audit_data ad; 6230 struct common_audit_data ad;
5807 u32 sid = current_sid(); 6231 u32 sid = current_sid();
5808 6232
5809 isec = sma->sem_perm.security; 6233 isec = sma->security;
5810 6234
5811 ad.type = LSM_AUDIT_DATA_IPC; 6235 ad.type = LSM_AUDIT_DATA_IPC;
5812 ad.u.ipc_id = sma->sem_perm.key; 6236 ad.u.ipc_id = sma->key;
5813 6237
5814 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6238 return avc_has_perm(&selinux_state,
6239 sid, isec->sid, SECCLASS_SEM,
5815 SEM__ASSOCIATE, &ad); 6240 SEM__ASSOCIATE, &ad);
5816} 6241}
5817 6242
5818/* Note, at this point, sma is locked down */ 6243/* Note, at this point, sma is locked down */
5819static int selinux_sem_semctl(struct sem_array *sma, int cmd) 6244static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
5820{ 6245{
5821 int err; 6246 int err;
5822 u32 perms; 6247 u32 perms;
@@ -5825,7 +6250,8 @@ static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5825 case IPC_INFO: 6250 case IPC_INFO:
5826 case SEM_INFO: 6251 case SEM_INFO:
5827 /* No specific object, just general system-wide information. */ 6252 /* No specific object, just general system-wide information. */
5828 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6253 return avc_has_perm(&selinux_state,
6254 current_sid(), SECINITSID_KERNEL,
5829 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6255 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5830 case GETPID: 6256 case GETPID:
5831 case GETNCNT: 6257 case GETNCNT:
@@ -5848,17 +6274,18 @@ static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5848 break; 6274 break;
5849 case IPC_STAT: 6275 case IPC_STAT:
5850 case SEM_STAT: 6276 case SEM_STAT:
6277 case SEM_STAT_ANY:
5851 perms = SEM__GETATTR | SEM__ASSOCIATE; 6278 perms = SEM__GETATTR | SEM__ASSOCIATE;
5852 break; 6279 break;
5853 default: 6280 default:
5854 return 0; 6281 return 0;
5855 } 6282 }
5856 6283
5857 err = ipc_has_perm(&sma->sem_perm, perms); 6284 err = ipc_has_perm(sma, perms);
5858 return err; 6285 return err;
5859} 6286}
5860 6287
5861static int selinux_sem_semop(struct sem_array *sma, 6288static int selinux_sem_semop(struct kern_ipc_perm *sma,
5862 struct sembuf *sops, unsigned nsops, int alter) 6289 struct sembuf *sops, unsigned nsops, int alter)
5863{ 6290{
5864 u32 perms; 6291 u32 perms;
@@ -5868,7 +6295,7 @@ static int selinux_sem_semop(struct sem_array *sma,
5868 else 6295 else
5869 perms = SEM__READ; 6296 perms = SEM__READ;
5870 6297
5871 return ipc_has_perm(&sma->sem_perm, perms); 6298 return ipc_has_perm(sma, perms);
5872} 6299}
5873 6300
5874static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6301static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
@@ -5911,7 +6338,8 @@ static int selinux_getprocattr(struct task_struct *p,
5911 __tsec = __task_cred(p)->security; 6338 __tsec = __task_cred(p)->security;
5912 6339
5913 if (current != p) { 6340 if (current != p) {
5914 error = avc_has_perm(current_sid(), __tsec->sid, 6341 error = avc_has_perm(&selinux_state,
6342 current_sid(), __tsec->sid,
5915 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6343 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
5916 if (error) 6344 if (error)
5917 goto bad; 6345 goto bad;
@@ -5938,7 +6366,7 @@ static int selinux_getprocattr(struct task_struct *p,
5938 if (!sid) 6366 if (!sid)
5939 return 0; 6367 return 0;
5940 6368
5941 error = security_sid_to_context(sid, value, &len); 6369 error = security_sid_to_context(&selinux_state, sid, value, &len);
5942 if (error) 6370 if (error)
5943 return error; 6371 return error;
5944 return len; 6372 return len;
@@ -5960,19 +6388,24 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
5960 * Basic control over ability to set these attributes at all. 6388 * Basic control over ability to set these attributes at all.
5961 */ 6389 */
5962 if (!strcmp(name, "exec")) 6390 if (!strcmp(name, "exec"))
5963 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6391 error = avc_has_perm(&selinux_state,
6392 mysid, mysid, SECCLASS_PROCESS,
5964 PROCESS__SETEXEC, NULL); 6393 PROCESS__SETEXEC, NULL);
5965 else if (!strcmp(name, "fscreate")) 6394 else if (!strcmp(name, "fscreate"))
5966 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6395 error = avc_has_perm(&selinux_state,
6396 mysid, mysid, SECCLASS_PROCESS,
5967 PROCESS__SETFSCREATE, NULL); 6397 PROCESS__SETFSCREATE, NULL);
5968 else if (!strcmp(name, "keycreate")) 6398 else if (!strcmp(name, "keycreate"))
5969 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6399 error = avc_has_perm(&selinux_state,
6400 mysid, mysid, SECCLASS_PROCESS,
5970 PROCESS__SETKEYCREATE, NULL); 6401 PROCESS__SETKEYCREATE, NULL);
5971 else if (!strcmp(name, "sockcreate")) 6402 else if (!strcmp(name, "sockcreate"))
5972 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6403 error = avc_has_perm(&selinux_state,
6404 mysid, mysid, SECCLASS_PROCESS,
5973 PROCESS__SETSOCKCREATE, NULL); 6405 PROCESS__SETSOCKCREATE, NULL);
5974 else if (!strcmp(name, "current")) 6406 else if (!strcmp(name, "current"))
5975 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6407 error = avc_has_perm(&selinux_state,
6408 mysid, mysid, SECCLASS_PROCESS,
5976 PROCESS__SETCURRENT, NULL); 6409 PROCESS__SETCURRENT, NULL);
5977 else 6410 else
5978 error = -EINVAL; 6411 error = -EINVAL;
@@ -5985,7 +6418,8 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
5985 str[size-1] = 0; 6418 str[size-1] = 0;
5986 size--; 6419 size--;
5987 } 6420 }
5988 error = security_context_to_sid(value, size, &sid, GFP_KERNEL); 6421 error = security_context_to_sid(&selinux_state, value, size,
6422 &sid, GFP_KERNEL);
5989 if (error == -EINVAL && !strcmp(name, "fscreate")) { 6423 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5990 if (!has_cap_mac_admin(true)) { 6424 if (!has_cap_mac_admin(true)) {
5991 struct audit_buffer *ab; 6425 struct audit_buffer *ab;
@@ -6004,8 +6438,9 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6004 6438
6005 return error; 6439 return error;
6006 } 6440 }
6007 error = security_context_to_sid_force(value, size, 6441 error = security_context_to_sid_force(
6008 &sid); 6442 &selinux_state,
6443 value, size, &sid);
6009 } 6444 }
6010 if (error) 6445 if (error)
6011 return error; 6446 return error;
@@ -6027,7 +6462,8 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6027 } else if (!strcmp(name, "fscreate")) { 6462 } else if (!strcmp(name, "fscreate")) {
6028 tsec->create_sid = sid; 6463 tsec->create_sid = sid;
6029 } else if (!strcmp(name, "keycreate")) { 6464 } else if (!strcmp(name, "keycreate")) {
6030 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE, 6465 error = avc_has_perm(&selinux_state,
6466 mysid, sid, SECCLASS_KEY, KEY__CREATE,
6031 NULL); 6467 NULL);
6032 if (error) 6468 if (error)
6033 goto abort_change; 6469 goto abort_change;
@@ -6042,13 +6478,15 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6042 /* Only allow single threaded processes to change context */ 6478 /* Only allow single threaded processes to change context */
6043 error = -EPERM; 6479 error = -EPERM;
6044 if (!current_is_single_threaded()) { 6480 if (!current_is_single_threaded()) {
6045 error = security_bounded_transition(tsec->sid, sid); 6481 error = security_bounded_transition(&selinux_state,
6482 tsec->sid, sid);
6046 if (error) 6483 if (error)
6047 goto abort_change; 6484 goto abort_change;
6048 } 6485 }
6049 6486
6050 /* Check permissions for the transition. */ 6487 /* Check permissions for the transition. */
6051 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 6488 error = avc_has_perm(&selinux_state,
6489 tsec->sid, sid, SECCLASS_PROCESS,
6052 PROCESS__DYNTRANSITION, NULL); 6490 PROCESS__DYNTRANSITION, NULL);
6053 if (error) 6491 if (error)
6054 goto abort_change; 6492 goto abort_change;
@@ -6057,7 +6495,8 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6057 Otherwise, leave SID unchanged and fail. */ 6495 Otherwise, leave SID unchanged and fail. */
6058 ptsid = ptrace_parent_sid(); 6496 ptsid = ptrace_parent_sid();
6059 if (ptsid != 0) { 6497 if (ptsid != 0) {
6060 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 6498 error = avc_has_perm(&selinux_state,
6499 ptsid, sid, SECCLASS_PROCESS,
6061 PROCESS__PTRACE, NULL); 6500 PROCESS__PTRACE, NULL);
6062 if (error) 6501 if (error)
6063 goto abort_change; 6502 goto abort_change;
@@ -6084,12 +6523,14 @@ static int selinux_ismaclabel(const char *name)
6084 6523
6085static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6524static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6086{ 6525{
6087 return security_sid_to_context(secid, secdata, seclen); 6526 return security_sid_to_context(&selinux_state, secid,
6527 secdata, seclen);
6088} 6528}
6089 6529
6090static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6530static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6091{ 6531{
6092 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL); 6532 return security_context_to_sid(&selinux_state, secdata, seclen,
6533 secid, GFP_KERNEL);
6093} 6534}
6094 6535
6095static void selinux_release_secctx(char *secdata, u32 seclen) 6536static void selinux_release_secctx(char *secdata, u32 seclen)
@@ -6181,7 +6622,8 @@ static int selinux_key_permission(key_ref_t key_ref,
6181 key = key_ref_to_ptr(key_ref); 6622 key = key_ref_to_ptr(key_ref);
6182 ksec = key->security; 6623 ksec = key->security;
6183 6624
6184 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6625 return avc_has_perm(&selinux_state,
6626 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6185} 6627}
6186 6628
6187static int selinux_key_getsecurity(struct key *key, char **_buffer) 6629static int selinux_key_getsecurity(struct key *key, char **_buffer)
@@ -6191,7 +6633,8 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
6191 unsigned len; 6633 unsigned len;
6192 int rc; 6634 int rc;
6193 6635
6194 rc = security_sid_to_context(ksec->sid, &context, &len); 6636 rc = security_sid_to_context(&selinux_state, ksec->sid,
6637 &context, &len);
6195 if (!rc) 6638 if (!rc)
6196 rc = len; 6639 rc = len;
6197 *_buffer = context; 6640 *_buffer = context;
@@ -6216,7 +6659,8 @@ static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6216 ibpkey.subnet_prefix = subnet_prefix; 6659 ibpkey.subnet_prefix = subnet_prefix;
6217 ibpkey.pkey = pkey_val; 6660 ibpkey.pkey = pkey_val;
6218 ad.u.ibpkey = &ibpkey; 6661 ad.u.ibpkey = &ibpkey;
6219 return avc_has_perm(sec->sid, sid, 6662 return avc_has_perm(&selinux_state,
6663 sec->sid, sid,
6220 SECCLASS_INFINIBAND_PKEY, 6664 SECCLASS_INFINIBAND_PKEY,
6221 INFINIBAND_PKEY__ACCESS, &ad); 6665 INFINIBAND_PKEY__ACCESS, &ad);
6222} 6666}
@@ -6230,7 +6674,8 @@ static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6230 struct ib_security_struct *sec = ib_sec; 6674 struct ib_security_struct *sec = ib_sec;
6231 struct lsm_ibendport_audit ibendport; 6675 struct lsm_ibendport_audit ibendport;
6232 6676
6233 err = security_ib_endport_sid(dev_name, port_num, &sid); 6677 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6678 &sid);
6234 6679
6235 if (err) 6680 if (err)
6236 return err; 6681 return err;
@@ -6239,7 +6684,8 @@ static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6239 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); 6684 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6240 ibendport.port = port_num; 6685 ibendport.port = port_num;
6241 ad.u.ibendport = &ibendport; 6686 ad.u.ibendport = &ibendport;
6242 return avc_has_perm(sec->sid, sid, 6687 return avc_has_perm(&selinux_state,
6688 sec->sid, sid,
6243 SECCLASS_INFINIBAND_ENDPORT, 6689 SECCLASS_INFINIBAND_ENDPORT,
6244 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6690 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6245} 6691}
@@ -6272,11 +6718,13 @@ static int selinux_bpf(int cmd, union bpf_attr *attr,
6272 6718
6273 switch (cmd) { 6719 switch (cmd) {
6274 case BPF_MAP_CREATE: 6720 case BPF_MAP_CREATE:
6275 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6721 ret = avc_has_perm(&selinux_state,
6722 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6276 NULL); 6723 NULL);
6277 break; 6724 break;
6278 case BPF_PROG_LOAD: 6725 case BPF_PROG_LOAD:
6279 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6726 ret = avc_has_perm(&selinux_state,
6727 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6280 NULL); 6728 NULL);
6281 break; 6729 break;
6282 default: 6730 default:
@@ -6316,14 +6764,16 @@ static int bpf_fd_pass(struct file *file, u32 sid)
6316 if (file->f_op == &bpf_map_fops) { 6764 if (file->f_op == &bpf_map_fops) {
6317 map = file->private_data; 6765 map = file->private_data;
6318 bpfsec = map->security; 6766 bpfsec = map->security;
6319 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6767 ret = avc_has_perm(&selinux_state,
6768 sid, bpfsec->sid, SECCLASS_BPF,
6320 bpf_map_fmode_to_av(file->f_mode), NULL); 6769 bpf_map_fmode_to_av(file->f_mode), NULL);
6321 if (ret) 6770 if (ret)
6322 return ret; 6771 return ret;
6323 } else if (file->f_op == &bpf_prog_fops) { 6772 } else if (file->f_op == &bpf_prog_fops) {
6324 prog = file->private_data; 6773 prog = file->private_data;
6325 bpfsec = prog->aux->security; 6774 bpfsec = prog->aux->security;
6326 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6775 ret = avc_has_perm(&selinux_state,
6776 sid, bpfsec->sid, SECCLASS_BPF,
6327 BPF__PROG_RUN, NULL); 6777 BPF__PROG_RUN, NULL);
6328 if (ret) 6778 if (ret)
6329 return ret; 6779 return ret;
@@ -6337,7 +6787,8 @@ static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6337 struct bpf_security_struct *bpfsec; 6787 struct bpf_security_struct *bpfsec;
6338 6788
6339 bpfsec = map->security; 6789 bpfsec = map->security;
6340 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6790 return avc_has_perm(&selinux_state,
6791 sid, bpfsec->sid, SECCLASS_BPF,
6341 bpf_map_fmode_to_av(fmode), NULL); 6792 bpf_map_fmode_to_av(fmode), NULL);
6342} 6793}
6343 6794
@@ -6347,7 +6798,8 @@ static int selinux_bpf_prog(struct bpf_prog *prog)
6347 struct bpf_security_struct *bpfsec; 6798 struct bpf_security_struct *bpfsec;
6348 6799
6349 bpfsec = prog->aux->security; 6800 bpfsec = prog->aux->security;
6350 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6801 return avc_has_perm(&selinux_state,
6802 sid, bpfsec->sid, SECCLASS_BPF,
6351 BPF__PROG_RUN, NULL); 6803 BPF__PROG_RUN, NULL);
6352} 6804}
6353 6805
@@ -6482,6 +6934,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6482 LSM_HOOK_INIT(cred_free, selinux_cred_free), 6934 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6483 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 6935 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6484 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 6936 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6937 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6485 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 6938 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6486 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 6939 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6487 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 6940 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
@@ -6566,6 +7019,9 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6566 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7019 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6567 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7020 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6568 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7021 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7022 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7023 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7024 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
6569 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7025 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6570 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7026 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6571 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7027 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
@@ -6641,6 +7097,12 @@ static __init int selinux_init(void)
6641 7097
6642 printk(KERN_INFO "SELinux: Initializing.\n"); 7098 printk(KERN_INFO "SELinux: Initializing.\n");
6643 7099
7100 memset(&selinux_state, 0, sizeof(selinux_state));
7101 enforcing_set(&selinux_state, selinux_enforcing_boot);
7102 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7103 selinux_ss_init(&selinux_state.ss);
7104 selinux_avc_init(&selinux_state.avc);
7105
6644 /* Set the security state for the initial task. */ 7106 /* Set the security state for the initial task. */
6645 cred_init_security(); 7107 cred_init_security();
6646 7108
@@ -6654,6 +7116,12 @@ static __init int selinux_init(void)
6654 0, SLAB_PANIC, NULL); 7116 0, SLAB_PANIC, NULL);
6655 avc_init(); 7117 avc_init();
6656 7118
7119 avtab_cache_init();
7120
7121 ebitmap_cache_init();
7122
7123 hashtab_cache_init();
7124
6657 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 7125 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
6658 7126
6659 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7127 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
@@ -6662,7 +7130,7 @@ static __init int selinux_init(void)
6662 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7130 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
6663 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7131 panic("SELinux: Unable to register AVC LSM notifier callback\n");
6664 7132
6665 if (selinux_enforcing) 7133 if (selinux_enforcing_boot)
6666 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 7134 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6667 else 7135 else
6668 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 7136 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
@@ -6783,23 +7251,22 @@ static void selinux_nf_ip_exit(void)
6783#endif /* CONFIG_NETFILTER */ 7251#endif /* CONFIG_NETFILTER */
6784 7252
6785#ifdef CONFIG_SECURITY_SELINUX_DISABLE 7253#ifdef CONFIG_SECURITY_SELINUX_DISABLE
6786static int selinux_disabled; 7254int selinux_disable(struct selinux_state *state)
6787
6788int selinux_disable(void)
6789{ 7255{
6790 if (ss_initialized) { 7256 if (state->initialized) {
6791 /* Not permitted after initial policy load. */ 7257 /* Not permitted after initial policy load. */
6792 return -EINVAL; 7258 return -EINVAL;
6793 } 7259 }
6794 7260
6795 if (selinux_disabled) { 7261 if (state->disabled) {
6796 /* Only do this once. */ 7262 /* Only do this once. */
6797 return -EINVAL; 7263 return -EINVAL;
6798 } 7264 }
6799 7265
7266 state->disabled = 1;
7267
6800 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 7268 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6801 7269
6802 selinux_disabled = 1;
6803 selinux_enabled = 0; 7270 selinux_enabled = 0;
6804 7271
6805 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 7272 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
generated by cgit v1.2.2 (git 2.25.0) at 2025-10-05 00:15:33 -0400