aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/hooks.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c1014
1 files changed, 736 insertions, 278 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8abd542c6b7c..2b8c55e181ae 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -67,6 +67,8 @@
67#include <linux/tcp.h> 67#include <linux/tcp.h>
68#include <linux/udp.h> 68#include <linux/udp.h>
69#include <linux/dccp.h> 69#include <linux/dccp.h>
70#include <linux/sctp.h>
71#include <net/sctp/structs.h>
70#include <linux/quota.h> 72#include <linux/quota.h>
71#include <linux/un.h> /* for Unix socket types */ 73#include <linux/un.h> /* for Unix socket types */
72#include <net/af_unix.h> /* for Unix socket types */ 74#include <net/af_unix.h> /* for Unix socket types */
@@ -98,20 +100,24 @@
98#include "audit.h" 100#include "audit.h"
99#include "avc_ss.h" 101#include "avc_ss.h"
100 102
103struct selinux_state selinux_state;
104
101/* SECMARK reference count */ 105/* SECMARK reference count */
102static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 106static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103 107
104#ifdef CONFIG_SECURITY_SELINUX_DEVELOP 108#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105int selinux_enforcing; 109static int selinux_enforcing_boot;
106 110
107static int __init enforcing_setup(char *str) 111static int __init enforcing_setup(char *str)
108{ 112{
109 unsigned long enforcing; 113 unsigned long enforcing;
110 if (!kstrtoul(str, 0, &enforcing)) 114 if (!kstrtoul(str, 0, &enforcing))
111 selinux_enforcing = enforcing ? 1 : 0; 115 selinux_enforcing_boot = enforcing ? 1 : 0;
112 return 1; 116 return 1;
113} 117}
114__setup("enforcing=", enforcing_setup); 118__setup("enforcing=", enforcing_setup);
119#else
120#define selinux_enforcing_boot 1
115#endif 121#endif
116 122
117#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 123#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
@@ -129,6 +135,19 @@ __setup("selinux=", selinux_enabled_setup);
129int selinux_enabled = 1; 135int selinux_enabled = 1;
130#endif 136#endif
131 137
138static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140
141static int __init checkreqprot_setup(char *str)
142{
143 unsigned long checkreqprot;
144
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 return 1;
148}
149__setup("checkreqprot=", checkreqprot_setup);
150
132static struct kmem_cache *sel_inode_cache; 151static struct kmem_cache *sel_inode_cache;
133static struct kmem_cache *file_security_cache; 152static struct kmem_cache *file_security_cache;
134 153
@@ -145,7 +164,8 @@ static struct kmem_cache *file_security_cache;
145 */ 164 */
146static int selinux_secmark_enabled(void) 165static int selinux_secmark_enabled(void)
147{ 166{
148 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount)); 167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
149} 169}
150 170
151/** 171/**
@@ -160,7 +180,8 @@ static int selinux_secmark_enabled(void)
160 */ 180 */
161static int selinux_peerlbl_enabled(void) 181static int selinux_peerlbl_enabled(void)
162{ 182{
163 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled()); 183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
164} 185}
165 186
166static int selinux_netcache_avc_callback(u32 event) 187static int selinux_netcache_avc_callback(u32 event)
@@ -264,7 +285,8 @@ static int __inode_security_revalidate(struct inode *inode,
264 285
265 might_sleep_if(may_sleep); 286 might_sleep_if(may_sleep);
266 287
267 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) { 288 if (selinux_state.initialized &&
289 isec->initialized != LABEL_INITIALIZED) {
268 if (!may_sleep) 290 if (!may_sleep)
269 return -ECHILD; 291 return -ECHILD;
270 292
@@ -446,12 +468,14 @@ static int may_context_mount_sb_relabel(u32 sid,
446 const struct task_security_struct *tsec = cred->security; 468 const struct task_security_struct *tsec = cred->security;
447 int rc; 469 int rc;
448 470
449 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 471 rc = avc_has_perm(&selinux_state,
472 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450 FILESYSTEM__RELABELFROM, NULL); 473 FILESYSTEM__RELABELFROM, NULL);
451 if (rc) 474 if (rc)
452 return rc; 475 return rc;
453 476
454 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 477 rc = avc_has_perm(&selinux_state,
478 tsec->sid, sid, SECCLASS_FILESYSTEM,
455 FILESYSTEM__RELABELTO, NULL); 479 FILESYSTEM__RELABELTO, NULL);
456 return rc; 480 return rc;
457} 481}
@@ -462,12 +486,14 @@ static int may_context_mount_inode_relabel(u32 sid,
462{ 486{
463 const struct task_security_struct *tsec = cred->security; 487 const struct task_security_struct *tsec = cred->security;
464 int rc; 488 int rc;
465 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 489 rc = avc_has_perm(&selinux_state,
490 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
466 FILESYSTEM__RELABELFROM, NULL); 491 FILESYSTEM__RELABELFROM, NULL);
467 if (rc) 492 if (rc)
468 return rc; 493 return rc;
469 494
470 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 495 rc = avc_has_perm(&selinux_state,
496 sid, sbsec->sid, SECCLASS_FILESYSTEM,
471 FILESYSTEM__ASSOCIATE, NULL); 497 FILESYSTEM__ASSOCIATE, NULL);
472 return rc; 498 return rc;
473} 499}
@@ -486,7 +512,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
486 !strcmp(sb->s_type->name, "debugfs") || 512 !strcmp(sb->s_type->name, "debugfs") ||
487 !strcmp(sb->s_type->name, "tracefs") || 513 !strcmp(sb->s_type->name, "tracefs") ||
488 !strcmp(sb->s_type->name, "rootfs") || 514 !strcmp(sb->s_type->name, "rootfs") ||
489 (selinux_policycap_cgroupseclabel && 515 (selinux_policycap_cgroupseclabel() &&
490 (!strcmp(sb->s_type->name, "cgroup") || 516 (!strcmp(sb->s_type->name, "cgroup") ||
491 !strcmp(sb->s_type->name, "cgroup2"))); 517 !strcmp(sb->s_type->name, "cgroup2")));
492} 518}
@@ -586,7 +612,7 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
586 if (!(sbsec->flags & SE_SBINITIALIZED)) 612 if (!(sbsec->flags & SE_SBINITIALIZED))
587 return -EINVAL; 613 return -EINVAL;
588 614
589 if (!ss_initialized) 615 if (!selinux_state.initialized)
590 return -EINVAL; 616 return -EINVAL;
591 617
592 /* make sure we always check enough bits to cover the mask */ 618 /* make sure we always check enough bits to cover the mask */
@@ -617,21 +643,25 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
617 643
618 i = 0; 644 i = 0;
619 if (sbsec->flags & FSCONTEXT_MNT) { 645 if (sbsec->flags & FSCONTEXT_MNT) {
620 rc = security_sid_to_context(sbsec->sid, &context, &len); 646 rc = security_sid_to_context(&selinux_state, sbsec->sid,
647 &context, &len);
621 if (rc) 648 if (rc)
622 goto out_free; 649 goto out_free;
623 opts->mnt_opts[i] = context; 650 opts->mnt_opts[i] = context;
624 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 651 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
625 } 652 }
626 if (sbsec->flags & CONTEXT_MNT) { 653 if (sbsec->flags & CONTEXT_MNT) {
627 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); 654 rc = security_sid_to_context(&selinux_state,
655 sbsec->mntpoint_sid,
656 &context, &len);
628 if (rc) 657 if (rc)
629 goto out_free; 658 goto out_free;
630 opts->mnt_opts[i] = context; 659 opts->mnt_opts[i] = context;
631 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 660 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
632 } 661 }
633 if (sbsec->flags & DEFCONTEXT_MNT) { 662 if (sbsec->flags & DEFCONTEXT_MNT) {
634 rc = security_sid_to_context(sbsec->def_sid, &context, &len); 663 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
664 &context, &len);
635 if (rc) 665 if (rc)
636 goto out_free; 666 goto out_free;
637 opts->mnt_opts[i] = context; 667 opts->mnt_opts[i] = context;
@@ -641,7 +671,8 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
641 struct dentry *root = sbsec->sb->s_root; 671 struct dentry *root = sbsec->sb->s_root;
642 struct inode_security_struct *isec = backing_inode_security(root); 672 struct inode_security_struct *isec = backing_inode_security(root);
643 673
644 rc = security_sid_to_context(isec->sid, &context, &len); 674 rc = security_sid_to_context(&selinux_state, isec->sid,
675 &context, &len);
645 if (rc) 676 if (rc)
646 goto out_free; 677 goto out_free;
647 opts->mnt_opts[i] = context; 678 opts->mnt_opts[i] = context;
@@ -704,7 +735,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
704 735
705 mutex_lock(&sbsec->lock); 736 mutex_lock(&sbsec->lock);
706 737
707 if (!ss_initialized) { 738 if (!selinux_state.initialized) {
708 if (!num_opts) { 739 if (!num_opts) {
709 /* Defer initialization until selinux_complete_init, 740 /* Defer initialization until selinux_complete_init,
710 after the initial policy is loaded and the security 741 after the initial policy is loaded and the security
@@ -750,7 +781,9 @@ static int selinux_set_mnt_opts(struct super_block *sb,
750 781
751 if (flags[i] == SBLABEL_MNT) 782 if (flags[i] == SBLABEL_MNT)
752 continue; 783 continue;
753 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 784 rc = security_context_str_to_sid(&selinux_state,
785 mount_options[i], &sid,
786 GFP_KERNEL);
754 if (rc) { 787 if (rc) {
755 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 788 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
756 "(%s) failed for (dev %s, type %s) errno=%d\n", 789 "(%s) failed for (dev %s, type %s) errno=%d\n",
@@ -826,7 +859,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
826 * Determine the labeling behavior to use for this 859 * Determine the labeling behavior to use for this
827 * filesystem type. 860 * filesystem type.
828 */ 861 */
829 rc = security_fs_use(sb); 862 rc = security_fs_use(&selinux_state, sb);
830 if (rc) { 863 if (rc) {
831 printk(KERN_WARNING 864 printk(KERN_WARNING
832 "%s: security_fs_use(%s) returned %d\n", 865 "%s: security_fs_use(%s) returned %d\n",
@@ -851,7 +884,9 @@ static int selinux_set_mnt_opts(struct super_block *sb,
851 } 884 }
852 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 885 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
853 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 886 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
854 rc = security_transition_sid(current_sid(), current_sid(), 887 rc = security_transition_sid(&selinux_state,
888 current_sid(),
889 current_sid(),
855 SECCLASS_FILE, NULL, 890 SECCLASS_FILE, NULL,
856 &sbsec->mntpoint_sid); 891 &sbsec->mntpoint_sid);
857 if (rc) 892 if (rc)
@@ -987,7 +1022,7 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
987 * if the parent was able to be mounted it clearly had no special lsm 1022 * if the parent was able to be mounted it clearly had no special lsm
988 * mount options. thus we can safely deal with this superblock later 1023 * mount options. thus we can safely deal with this superblock later
989 */ 1024 */
990 if (!ss_initialized) 1025 if (!selinux_state.initialized)
991 return 0; 1026 return 0;
992 1027
993 /* 1028 /*
@@ -1014,7 +1049,7 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1014 1049
1015 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 1050 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1016 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 1051 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1017 rc = security_fs_use(newsb); 1052 rc = security_fs_use(&selinux_state, newsb);
1018 if (rc) 1053 if (rc)
1019 goto out; 1054 goto out;
1020 } 1055 }
@@ -1297,7 +1332,7 @@ static inline int default_protocol_dgram(int protocol)
1297 1332
1298static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1333static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1299{ 1334{
1300 int extsockclass = selinux_policycap_extsockclass; 1335 int extsockclass = selinux_policycap_extsockclass();
1301 1336
1302 switch (family) { 1337 switch (family) {
1303 case PF_UNIX: 1338 case PF_UNIX:
@@ -1471,7 +1506,8 @@ static int selinux_genfs_get_sid(struct dentry *dentry,
1471 path++; 1506 path++;
1472 } 1507 }
1473 } 1508 }
1474 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid); 1509 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1510 path, tclass, sid);
1475 } 1511 }
1476 free_page((unsigned long)buffer); 1512 free_page((unsigned long)buffer);
1477 return rc; 1513 return rc;
@@ -1589,7 +1625,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1589 sid = sbsec->def_sid; 1625 sid = sbsec->def_sid;
1590 rc = 0; 1626 rc = 0;
1591 } else { 1627 } else {
1592 rc = security_context_to_sid_default(context, rc, &sid, 1628 rc = security_context_to_sid_default(&selinux_state,
1629 context, rc, &sid,
1593 sbsec->def_sid, 1630 sbsec->def_sid,
1594 GFP_NOFS); 1631 GFP_NOFS);
1595 if (rc) { 1632 if (rc) {
@@ -1622,7 +1659,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1622 sid = sbsec->sid; 1659 sid = sbsec->sid;
1623 1660
1624 /* Try to obtain a transition SID. */ 1661 /* Try to obtain a transition SID. */
1625 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid); 1662 rc = security_transition_sid(&selinux_state, task_sid, sid,
1663 sclass, NULL, &sid);
1626 if (rc) 1664 if (rc)
1627 goto out; 1665 goto out;
1628 break; 1666 break;
@@ -1740,9 +1778,11 @@ static int cred_has_capability(const struct cred *cred,
1740 return -EINVAL; 1778 return -EINVAL;
1741 } 1779 }
1742 1780
1743 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1781 rc = avc_has_perm_noaudit(&selinux_state,
1782 sid, sid, sclass, av, 0, &avd);
1744 if (audit == SECURITY_CAP_AUDIT) { 1783 if (audit == SECURITY_CAP_AUDIT) {
1745 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); 1784 int rc2 = avc_audit(&selinux_state,
1785 sid, sid, sclass, av, &avd, rc, &ad, 0);
1746 if (rc2) 1786 if (rc2)
1747 return rc2; 1787 return rc2;
1748 } 1788 }
@@ -1768,7 +1808,8 @@ static int inode_has_perm(const struct cred *cred,
1768 sid = cred_sid(cred); 1808 sid = cred_sid(cred);
1769 isec = inode->i_security; 1809 isec = inode->i_security;
1770 1810
1771 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1811 return avc_has_perm(&selinux_state,
1812 sid, isec->sid, isec->sclass, perms, adp);
1772} 1813}
1773 1814
1774/* Same as inode_has_perm, but pass explicit audit data containing 1815/* Same as inode_has_perm, but pass explicit audit data containing
@@ -1841,7 +1882,8 @@ static int file_has_perm(const struct cred *cred,
1841 ad.u.file = file; 1882 ad.u.file = file;
1842 1883
1843 if (sid != fsec->sid) { 1884 if (sid != fsec->sid) {
1844 rc = avc_has_perm(sid, fsec->sid, 1885 rc = avc_has_perm(&selinux_state,
1886 sid, fsec->sid,
1845 SECCLASS_FD, 1887 SECCLASS_FD,
1846 FD__USE, 1888 FD__USE,
1847 &ad); 1889 &ad);
@@ -1883,7 +1925,8 @@ selinux_determine_inode_label(const struct task_security_struct *tsec,
1883 *_new_isid = tsec->create_sid; 1925 *_new_isid = tsec->create_sid;
1884 } else { 1926 } else {
1885 const struct inode_security_struct *dsec = inode_security(dir); 1927 const struct inode_security_struct *dsec = inode_security(dir);
1886 return security_transition_sid(tsec->sid, dsec->sid, tclass, 1928 return security_transition_sid(&selinux_state, tsec->sid,
1929 dsec->sid, tclass,
1887 name, _new_isid); 1930 name, _new_isid);
1888 } 1931 }
1889 1932
@@ -1910,7 +1953,8 @@ static int may_create(struct inode *dir,
1910 ad.type = LSM_AUDIT_DATA_DENTRY; 1953 ad.type = LSM_AUDIT_DATA_DENTRY;
1911 ad.u.dentry = dentry; 1954 ad.u.dentry = dentry;
1912 1955
1913 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1956 rc = avc_has_perm(&selinux_state,
1957 sid, dsec->sid, SECCLASS_DIR,
1914 DIR__ADD_NAME | DIR__SEARCH, 1958 DIR__ADD_NAME | DIR__SEARCH,
1915 &ad); 1959 &ad);
1916 if (rc) 1960 if (rc)
@@ -1921,11 +1965,13 @@ static int may_create(struct inode *dir,
1921 if (rc) 1965 if (rc)
1922 return rc; 1966 return rc;
1923 1967
1924 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1968 rc = avc_has_perm(&selinux_state,
1969 sid, newsid, tclass, FILE__CREATE, &ad);
1925 if (rc) 1970 if (rc)
1926 return rc; 1971 return rc;
1927 1972
1928 return avc_has_perm(newsid, sbsec->sid, 1973 return avc_has_perm(&selinux_state,
1974 newsid, sbsec->sid,
1929 SECCLASS_FILESYSTEM, 1975 SECCLASS_FILESYSTEM,
1930 FILESYSTEM__ASSOCIATE, &ad); 1976 FILESYSTEM__ASSOCIATE, &ad);
1931} 1977}
@@ -1954,7 +2000,8 @@ static int may_link(struct inode *dir,
1954 2000
1955 av = DIR__SEARCH; 2001 av = DIR__SEARCH;
1956 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 2002 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1957 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 2003 rc = avc_has_perm(&selinux_state,
2004 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1958 if (rc) 2005 if (rc)
1959 return rc; 2006 return rc;
1960 2007
@@ -1974,7 +2021,8 @@ static int may_link(struct inode *dir,
1974 return 0; 2021 return 0;
1975 } 2022 }
1976 2023
1977 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 2024 rc = avc_has_perm(&selinux_state,
2025 sid, isec->sid, isec->sclass, av, &ad);
1978 return rc; 2026 return rc;
1979} 2027}
1980 2028
@@ -1998,16 +2046,19 @@ static inline int may_rename(struct inode *old_dir,
1998 ad.type = LSM_AUDIT_DATA_DENTRY; 2046 ad.type = LSM_AUDIT_DATA_DENTRY;
1999 2047
2000 ad.u.dentry = old_dentry; 2048 ad.u.dentry = old_dentry;
2001 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 2049 rc = avc_has_perm(&selinux_state,
2050 sid, old_dsec->sid, SECCLASS_DIR,
2002 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 2051 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2003 if (rc) 2052 if (rc)
2004 return rc; 2053 return rc;
2005 rc = avc_has_perm(sid, old_isec->sid, 2054 rc = avc_has_perm(&selinux_state,
2055 sid, old_isec->sid,
2006 old_isec->sclass, FILE__RENAME, &ad); 2056 old_isec->sclass, FILE__RENAME, &ad);
2007 if (rc) 2057 if (rc)
2008 return rc; 2058 return rc;
2009 if (old_is_dir && new_dir != old_dir) { 2059 if (old_is_dir && new_dir != old_dir) {
2010 rc = avc_has_perm(sid, old_isec->sid, 2060 rc = avc_has_perm(&selinux_state,
2061 sid, old_isec->sid,
2011 old_isec->sclass, DIR__REPARENT, &ad); 2062 old_isec->sclass, DIR__REPARENT, &ad);
2012 if (rc) 2063 if (rc)
2013 return rc; 2064 return rc;
@@ -2017,13 +2068,15 @@ static inline int may_rename(struct inode *old_dir,
2017 av = DIR__ADD_NAME | DIR__SEARCH; 2068 av = DIR__ADD_NAME | DIR__SEARCH;
2018 if (d_is_positive(new_dentry)) 2069 if (d_is_positive(new_dentry))
2019 av |= DIR__REMOVE_NAME; 2070 av |= DIR__REMOVE_NAME;
2020 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 2071 rc = avc_has_perm(&selinux_state,
2072 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2021 if (rc) 2073 if (rc)
2022 return rc; 2074 return rc;
2023 if (d_is_positive(new_dentry)) { 2075 if (d_is_positive(new_dentry)) {
2024 new_isec = backing_inode_security(new_dentry); 2076 new_isec = backing_inode_security(new_dentry);
2025 new_is_dir = d_is_dir(new_dentry); 2077 new_is_dir = d_is_dir(new_dentry);
2026 rc = avc_has_perm(sid, new_isec->sid, 2078 rc = avc_has_perm(&selinux_state,
2079 sid, new_isec->sid,
2027 new_isec->sclass, 2080 new_isec->sclass,
2028 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 2081 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2029 if (rc) 2082 if (rc)
@@ -2043,7 +2096,8 @@ static int superblock_has_perm(const struct cred *cred,
2043 u32 sid = cred_sid(cred); 2096 u32 sid = cred_sid(cred);
2044 2097
2045 sbsec = sb->s_security; 2098 sbsec = sb->s_security;
2046 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 2099 return avc_has_perm(&selinux_state,
2100 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2047} 2101}
2048 2102
2049/* Convert a Linux mode and permission mask to an access vector. */ 2103/* Convert a Linux mode and permission mask to an access vector. */
@@ -2106,7 +2160,8 @@ static inline u32 open_file_to_av(struct file *file)
2106 u32 av = file_to_av(file); 2160 u32 av = file_to_av(file);
2107 struct inode *inode = file_inode(file); 2161 struct inode *inode = file_inode(file);
2108 2162
2109 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC) 2163 if (selinux_policycap_openperm() &&
2164 inode->i_sb->s_magic != SOCKFS_MAGIC)
2110 av |= FILE__OPEN; 2165 av |= FILE__OPEN;
2111 2166
2112 return av; 2167 return av;
@@ -2119,7 +2174,8 @@ static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2119 u32 mysid = current_sid(); 2174 u32 mysid = current_sid();
2120 u32 mgrsid = task_sid(mgr); 2175 u32 mgrsid = task_sid(mgr);
2121 2176
2122 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, 2177 return avc_has_perm(&selinux_state,
2178 mysid, mgrsid, SECCLASS_BINDER,
2123 BINDER__SET_CONTEXT_MGR, NULL); 2179 BINDER__SET_CONTEXT_MGR, NULL);
2124} 2180}
2125 2181
@@ -2132,13 +2188,15 @@ static int selinux_binder_transaction(struct task_struct *from,
2132 int rc; 2188 int rc;
2133 2189
2134 if (mysid != fromsid) { 2190 if (mysid != fromsid) {
2135 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, 2191 rc = avc_has_perm(&selinux_state,
2192 mysid, fromsid, SECCLASS_BINDER,
2136 BINDER__IMPERSONATE, NULL); 2193 BINDER__IMPERSONATE, NULL);
2137 if (rc) 2194 if (rc)
2138 return rc; 2195 return rc;
2139 } 2196 }
2140 2197
2141 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2198 return avc_has_perm(&selinux_state,
2199 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2142 NULL); 2200 NULL);
2143} 2201}
2144 2202
@@ -2148,7 +2206,8 @@ static int selinux_binder_transfer_binder(struct task_struct *from,
2148 u32 fromsid = task_sid(from); 2206 u32 fromsid = task_sid(from);
2149 u32 tosid = task_sid(to); 2207 u32 tosid = task_sid(to);
2150 2208
2151 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2209 return avc_has_perm(&selinux_state,
2210 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2152 NULL); 2211 NULL);
2153} 2212}
2154 2213
@@ -2167,7 +2226,8 @@ static int selinux_binder_transfer_file(struct task_struct *from,
2167 ad.u.path = file->f_path; 2226 ad.u.path = file->f_path;
2168 2227
2169 if (sid != fsec->sid) { 2228 if (sid != fsec->sid) {
2170 rc = avc_has_perm(sid, fsec->sid, 2229 rc = avc_has_perm(&selinux_state,
2230 sid, fsec->sid,
2171 SECCLASS_FD, 2231 SECCLASS_FD,
2172 FD__USE, 2232 FD__USE,
2173 &ad); 2233 &ad);
@@ -2185,7 +2245,8 @@ static int selinux_binder_transfer_file(struct task_struct *from,
2185 return 0; 2245 return 0;
2186 2246
2187 isec = backing_inode_security(dentry); 2247 isec = backing_inode_security(dentry);
2188 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), 2248 return avc_has_perm(&selinux_state,
2249 sid, isec->sid, isec->sclass, file_to_av(file),
2189 &ad); 2250 &ad);
2190} 2251}
2191 2252
@@ -2196,21 +2257,25 @@ static int selinux_ptrace_access_check(struct task_struct *child,
2196 u32 csid = task_sid(child); 2257 u32 csid = task_sid(child);
2197 2258
2198 if (mode & PTRACE_MODE_READ) 2259 if (mode & PTRACE_MODE_READ)
2199 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2260 return avc_has_perm(&selinux_state,
2261 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2200 2262
2201 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2263 return avc_has_perm(&selinux_state,
2264 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2202} 2265}
2203 2266
2204static int selinux_ptrace_traceme(struct task_struct *parent) 2267static int selinux_ptrace_traceme(struct task_struct *parent)
2205{ 2268{
2206 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS, 2269 return avc_has_perm(&selinux_state,
2270 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2207 PROCESS__PTRACE, NULL); 2271 PROCESS__PTRACE, NULL);
2208} 2272}
2209 2273
2210static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2274static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2211 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2275 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2212{ 2276{
2213 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS, 2277 return avc_has_perm(&selinux_state,
2278 current_sid(), task_sid(target), SECCLASS_PROCESS,
2214 PROCESS__GETCAP, NULL); 2279 PROCESS__GETCAP, NULL);
2215} 2280}
2216 2281
@@ -2219,7 +2284,8 @@ static int selinux_capset(struct cred *new, const struct cred *old,
2219 const kernel_cap_t *inheritable, 2284 const kernel_cap_t *inheritable,
2220 const kernel_cap_t *permitted) 2285 const kernel_cap_t *permitted)
2221{ 2286{
2222 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2287 return avc_has_perm(&selinux_state,
2288 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2223 PROCESS__SETCAP, NULL); 2289 PROCESS__SETCAP, NULL);
2224} 2290}
2225 2291
@@ -2279,18 +2345,21 @@ static int selinux_syslog(int type)
2279 switch (type) { 2345 switch (type) {
2280 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2346 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2281 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2347 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2282 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2348 return avc_has_perm(&selinux_state,
2349 current_sid(), SECINITSID_KERNEL,
2283 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2350 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2284 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2351 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2285 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2352 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2286 /* Set level of messages printed to console */ 2353 /* Set level of messages printed to console */
2287 case SYSLOG_ACTION_CONSOLE_LEVEL: 2354 case SYSLOG_ACTION_CONSOLE_LEVEL:
2288 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2355 return avc_has_perm(&selinux_state,
2356 current_sid(), SECINITSID_KERNEL,
2289 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2357 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2290 NULL); 2358 NULL);
2291 } 2359 }
2292 /* All other syslog types */ 2360 /* All other syslog types */
2293 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2361 return avc_has_perm(&selinux_state,
2362 current_sid(), SECINITSID_KERNEL,
2294 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2363 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2295} 2364}
2296 2365
@@ -2351,13 +2420,14 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm,
2351 * policy allows the corresponding permission between 2420 * policy allows the corresponding permission between
2352 * the old and new contexts. 2421 * the old and new contexts.
2353 */ 2422 */
2354 if (selinux_policycap_nnp_nosuid_transition) { 2423 if (selinux_policycap_nnp_nosuid_transition()) {
2355 av = 0; 2424 av = 0;
2356 if (nnp) 2425 if (nnp)
2357 av |= PROCESS2__NNP_TRANSITION; 2426 av |= PROCESS2__NNP_TRANSITION;
2358 if (nosuid) 2427 if (nosuid)
2359 av |= PROCESS2__NOSUID_TRANSITION; 2428 av |= PROCESS2__NOSUID_TRANSITION;
2360 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2429 rc = avc_has_perm(&selinux_state,
2430 old_tsec->sid, new_tsec->sid,
2361 SECCLASS_PROCESS2, av, NULL); 2431 SECCLASS_PROCESS2, av, NULL);
2362 if (!rc) 2432 if (!rc)
2363 return 0; 2433 return 0;
@@ -2368,7 +2438,8 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm,
2368 * i.e. SIDs that are guaranteed to only be allowed a subset 2438 * i.e. SIDs that are guaranteed to only be allowed a subset
2369 * of the permissions of the current SID. 2439 * of the permissions of the current SID.
2370 */ 2440 */
2371 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); 2441 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2442 new_tsec->sid);
2372 if (!rc) 2443 if (!rc)
2373 return 0; 2444 return 0;
2374 2445
@@ -2420,8 +2491,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2420 return rc; 2491 return rc;
2421 } else { 2492 } else {
2422 /* Check for a default transition on this program. */ 2493 /* Check for a default transition on this program. */
2423 rc = security_transition_sid(old_tsec->sid, isec->sid, 2494 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2424 SECCLASS_PROCESS, NULL, 2495 isec->sid, SECCLASS_PROCESS, NULL,
2425 &new_tsec->sid); 2496 &new_tsec->sid);
2426 if (rc) 2497 if (rc)
2427 return rc; 2498 return rc;
@@ -2439,25 +2510,29 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2439 ad.u.file = bprm->file; 2510 ad.u.file = bprm->file;
2440 2511
2441 if (new_tsec->sid == old_tsec->sid) { 2512 if (new_tsec->sid == old_tsec->sid) {
2442 rc = avc_has_perm(old_tsec->sid, isec->sid, 2513 rc = avc_has_perm(&selinux_state,
2514 old_tsec->sid, isec->sid,
2443 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2515 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2444 if (rc) 2516 if (rc)
2445 return rc; 2517 return rc;
2446 } else { 2518 } else {
2447 /* Check permissions for the transition. */ 2519 /* Check permissions for the transition. */
2448 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2520 rc = avc_has_perm(&selinux_state,
2521 old_tsec->sid, new_tsec->sid,
2449 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2522 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2450 if (rc) 2523 if (rc)
2451 return rc; 2524 return rc;
2452 2525
2453 rc = avc_has_perm(new_tsec->sid, isec->sid, 2526 rc = avc_has_perm(&selinux_state,
2527 new_tsec->sid, isec->sid,
2454 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2528 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2455 if (rc) 2529 if (rc)
2456 return rc; 2530 return rc;
2457 2531
2458 /* Check for shared state */ 2532 /* Check for shared state */
2459 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2533 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2460 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2534 rc = avc_has_perm(&selinux_state,
2535 old_tsec->sid, new_tsec->sid,
2461 SECCLASS_PROCESS, PROCESS__SHARE, 2536 SECCLASS_PROCESS, PROCESS__SHARE,
2462 NULL); 2537 NULL);
2463 if (rc) 2538 if (rc)
@@ -2469,7 +2544,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2469 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2544 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2470 u32 ptsid = ptrace_parent_sid(); 2545 u32 ptsid = ptrace_parent_sid();
2471 if (ptsid != 0) { 2546 if (ptsid != 0) {
2472 rc = avc_has_perm(ptsid, new_tsec->sid, 2547 rc = avc_has_perm(&selinux_state,
2548 ptsid, new_tsec->sid,
2473 SECCLASS_PROCESS, 2549 SECCLASS_PROCESS,
2474 PROCESS__PTRACE, NULL); 2550 PROCESS__PTRACE, NULL);
2475 if (rc) 2551 if (rc)
@@ -2483,7 +2559,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2483 /* Enable secure mode for SIDs transitions unless 2559 /* Enable secure mode for SIDs transitions unless
2484 the noatsecure permission is granted between 2560 the noatsecure permission is granted between
2485 the two SIDs, i.e. ahp returns 0. */ 2561 the two SIDs, i.e. ahp returns 0. */
2486 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2562 rc = avc_has_perm(&selinux_state,
2563 old_tsec->sid, new_tsec->sid,
2487 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2564 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2488 NULL); 2565 NULL);
2489 bprm->secureexec |= !!rc; 2566 bprm->secureexec |= !!rc;
@@ -2575,7 +2652,8 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2575 * higher than the default soft limit for cases where the default is 2652 * higher than the default soft limit for cases where the default is
2576 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2653 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2577 */ 2654 */
2578 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2655 rc = avc_has_perm(&selinux_state,
2656 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2579 PROCESS__RLIMITINH, NULL); 2657 PROCESS__RLIMITINH, NULL);
2580 if (rc) { 2658 if (rc) {
2581 /* protect against do_prlimit() */ 2659 /* protect against do_prlimit() */
@@ -2615,7 +2693,8 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2615 * This must occur _after_ the task SID has been updated so that any 2693 * This must occur _after_ the task SID has been updated so that any
2616 * kill done after the flush will be checked against the new SID. 2694 * kill done after the flush will be checked against the new SID.
2617 */ 2695 */
2618 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2696 rc = avc_has_perm(&selinux_state,
2697 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2619 if (rc) { 2698 if (rc) {
2620 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) { 2699 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2621 memset(&itimer, 0, sizeof itimer); 2700 memset(&itimer, 0, sizeof itimer);
@@ -2779,7 +2858,9 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
2779 2858
2780 if (flags[i] == SBLABEL_MNT) 2859 if (flags[i] == SBLABEL_MNT)
2781 continue; 2860 continue;
2782 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 2861 rc = security_context_str_to_sid(&selinux_state,
2862 mount_options[i], &sid,
2863 GFP_KERNEL);
2783 if (rc) { 2864 if (rc) {
2784 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 2865 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2785 "(%s) failed for (dev %s, type %s) errno=%d\n", 2866 "(%s) failed for (dev %s, type %s) errno=%d\n",
@@ -2904,7 +2985,8 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2904 if (rc) 2985 if (rc)
2905 return rc; 2986 return rc;
2906 2987
2907 return security_sid_to_context(newsid, (char **)ctx, ctxlen); 2988 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2989 ctxlen);
2908} 2990}
2909 2991
2910static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2992static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
@@ -2958,14 +3040,15 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2958 isec->initialized = LABEL_INITIALIZED; 3040 isec->initialized = LABEL_INITIALIZED;
2959 } 3041 }
2960 3042
2961 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT)) 3043 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
2962 return -EOPNOTSUPP; 3044 return -EOPNOTSUPP;
2963 3045
2964 if (name) 3046 if (name)
2965 *name = XATTR_SELINUX_SUFFIX; 3047 *name = XATTR_SELINUX_SUFFIX;
2966 3048
2967 if (value && len) { 3049 if (value && len) {
2968 rc = security_sid_to_context_force(newsid, &context, &clen); 3050 rc = security_sid_to_context_force(&selinux_state, newsid,
3051 &context, &clen);
2969 if (rc) 3052 if (rc)
2970 return rc; 3053 return rc;
2971 *value = context; 3054 *value = context;
@@ -3040,7 +3123,8 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3040 if (IS_ERR(isec)) 3123 if (IS_ERR(isec))
3041 return PTR_ERR(isec); 3124 return PTR_ERR(isec);
3042 3125
3043 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad, 3126 return avc_has_perm_flags(&selinux_state,
3127 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3044 rcu ? MAY_NOT_BLOCK : 0); 3128 rcu ? MAY_NOT_BLOCK : 0);
3045} 3129}
3046 3130
@@ -3056,7 +3140,8 @@ static noinline int audit_inode_permission(struct inode *inode,
3056 ad.type = LSM_AUDIT_DATA_INODE; 3140 ad.type = LSM_AUDIT_DATA_INODE;
3057 ad.u.inode = inode; 3141 ad.u.inode = inode;
3058 3142
3059 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 3143 rc = slow_avc_audit(&selinux_state,
3144 current_sid(), isec->sid, isec->sclass, perms,
3060 audited, denied, result, &ad, flags); 3145 audited, denied, result, &ad, flags);
3061 if (rc) 3146 if (rc)
3062 return rc; 3147 return rc;
@@ -3094,7 +3179,8 @@ static int selinux_inode_permission(struct inode *inode, int mask)
3094 if (IS_ERR(isec)) 3179 if (IS_ERR(isec))
3095 return PTR_ERR(isec); 3180 return PTR_ERR(isec);
3096 3181
3097 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); 3182 rc = avc_has_perm_noaudit(&selinux_state,
3183 sid, isec->sid, isec->sclass, perms, 0, &avd);
3098 audited = avc_audit_required(perms, &avd, rc, 3184 audited = avc_audit_required(perms, &avd, rc,
3099 from_access ? FILE__AUDIT_ACCESS : 0, 3185 from_access ? FILE__AUDIT_ACCESS : 0,
3100 &denied); 3186 &denied);
@@ -3126,7 +3212,7 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3126 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3212 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3127 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3213 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3128 3214
3129 if (selinux_policycap_openperm && 3215 if (selinux_policycap_openperm() &&
3130 inode->i_sb->s_magic != SOCKFS_MAGIC && 3216 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3131 (ia_valid & ATTR_SIZE) && 3217 (ia_valid & ATTR_SIZE) &&
3132 !(ia_valid & ATTR_FILE)) 3218 !(ia_valid & ATTR_FILE))
@@ -3183,12 +3269,14 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3183 ad.u.dentry = dentry; 3269 ad.u.dentry = dentry;
3184 3270
3185 isec = backing_inode_security(dentry); 3271 isec = backing_inode_security(dentry);
3186 rc = avc_has_perm(sid, isec->sid, isec->sclass, 3272 rc = avc_has_perm(&selinux_state,
3273 sid, isec->sid, isec->sclass,
3187 FILE__RELABELFROM, &ad); 3274 FILE__RELABELFROM, &ad);
3188 if (rc) 3275 if (rc)
3189 return rc; 3276 return rc;
3190 3277
3191 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3278 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3279 GFP_KERNEL);
3192 if (rc == -EINVAL) { 3280 if (rc == -EINVAL) {
3193 if (!has_cap_mac_admin(true)) { 3281 if (!has_cap_mac_admin(true)) {
3194 struct audit_buffer *ab; 3282 struct audit_buffer *ab;
@@ -3213,22 +3301,25 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3213 3301
3214 return rc; 3302 return rc;
3215 } 3303 }
3216 rc = security_context_to_sid_force(value, size, &newsid); 3304 rc = security_context_to_sid_force(&selinux_state, value,
3305 size, &newsid);
3217 } 3306 }
3218 if (rc) 3307 if (rc)
3219 return rc; 3308 return rc;
3220 3309
3221 rc = avc_has_perm(sid, newsid, isec->sclass, 3310 rc = avc_has_perm(&selinux_state,
3311 sid, newsid, isec->sclass,
3222 FILE__RELABELTO, &ad); 3312 FILE__RELABELTO, &ad);
3223 if (rc) 3313 if (rc)
3224 return rc; 3314 return rc;
3225 3315
3226 rc = security_validate_transition(isec->sid, newsid, sid, 3316 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3227 isec->sclass); 3317 sid, isec->sclass);
3228 if (rc) 3318 if (rc)
3229 return rc; 3319 return rc;
3230 3320
3231 return avc_has_perm(newsid, 3321 return avc_has_perm(&selinux_state,
3322 newsid,
3232 sbsec->sid, 3323 sbsec->sid,
3233 SECCLASS_FILESYSTEM, 3324 SECCLASS_FILESYSTEM,
3234 FILESYSTEM__ASSOCIATE, 3325 FILESYSTEM__ASSOCIATE,
@@ -3249,7 +3340,8 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3249 return; 3340 return;
3250 } 3341 }
3251 3342
3252 rc = security_context_to_sid_force(value, size, &newsid); 3343 rc = security_context_to_sid_force(&selinux_state, value, size,
3344 &newsid);
3253 if (rc) { 3345 if (rc) {
3254 printk(KERN_ERR "SELinux: unable to map context to SID" 3346 printk(KERN_ERR "SELinux: unable to map context to SID"
3255 "for (%s, %lu), rc=%d\n", 3347 "for (%s, %lu), rc=%d\n",
@@ -3324,10 +3416,12 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void
3324 */ 3416 */
3325 isec = inode_security(inode); 3417 isec = inode_security(inode);
3326 if (has_cap_mac_admin(false)) 3418 if (has_cap_mac_admin(false))
3327 error = security_sid_to_context_force(isec->sid, &context, 3419 error = security_sid_to_context_force(&selinux_state,
3420 isec->sid, &context,
3328 &size); 3421 &size);
3329 else 3422 else
3330 error = security_sid_to_context(isec->sid, &context, &size); 3423 error = security_sid_to_context(&selinux_state, isec->sid,
3424 &context, &size);
3331 if (error) 3425 if (error)
3332 return error; 3426 return error;
3333 error = size; 3427 error = size;
@@ -3353,7 +3447,8 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3353 if (!value || !size) 3447 if (!value || !size)
3354 return -EACCES; 3448 return -EACCES;
3355 3449
3356 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3450 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3451 GFP_KERNEL);
3357 if (rc) 3452 if (rc)
3358 return rc; 3453 return rc;
3359 3454
@@ -3442,7 +3537,7 @@ static int selinux_file_permission(struct file *file, int mask)
3442 3537
3443 isec = inode_security(inode); 3538 isec = inode_security(inode);
3444 if (sid == fsec->sid && fsec->isid == isec->sid && 3539 if (sid == fsec->sid && fsec->isid == isec->sid &&
3445 fsec->pseqno == avc_policy_seqno()) 3540 fsec->pseqno == avc_policy_seqno(&selinux_state))
3446 /* No change since file_open check. */ 3541 /* No change since file_open check. */
3447 return 0; 3542 return 0;
3448 3543
@@ -3482,7 +3577,8 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file,
3482 ad.u.op->path = file->f_path; 3577 ad.u.op->path = file->f_path;
3483 3578
3484 if (ssid != fsec->sid) { 3579 if (ssid != fsec->sid) {
3485 rc = avc_has_perm(ssid, fsec->sid, 3580 rc = avc_has_perm(&selinux_state,
3581 ssid, fsec->sid,
3486 SECCLASS_FD, 3582 SECCLASS_FD,
3487 FD__USE, 3583 FD__USE,
3488 &ad); 3584 &ad);
@@ -3494,8 +3590,9 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file,
3494 return 0; 3590 return 0;
3495 3591
3496 isec = inode_security(inode); 3592 isec = inode_security(inode);
3497 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, 3593 rc = avc_has_extended_perms(&selinux_state,
3498 requested, driver, xperm, &ad); 3594 ssid, isec->sid, isec->sclass,
3595 requested, driver, xperm, &ad);
3499out: 3596out:
3500 return rc; 3597 return rc;
3501} 3598}
@@ -3563,7 +3660,8 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
3563 * private file mapping that will also be writable. 3660 * private file mapping that will also be writable.
3564 * This has an additional check. 3661 * This has an additional check.
3565 */ 3662 */
3566 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3663 rc = avc_has_perm(&selinux_state,
3664 sid, sid, SECCLASS_PROCESS,
3567 PROCESS__EXECMEM, NULL); 3665 PROCESS__EXECMEM, NULL);
3568 if (rc) 3666 if (rc)
3569 goto error; 3667 goto error;
@@ -3593,7 +3691,8 @@ static int selinux_mmap_addr(unsigned long addr)
3593 3691
3594 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3692 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3595 u32 sid = current_sid(); 3693 u32 sid = current_sid();
3596 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3694 rc = avc_has_perm(&selinux_state,
3695 sid, sid, SECCLASS_MEMPROTECT,
3597 MEMPROTECT__MMAP_ZERO, NULL); 3696 MEMPROTECT__MMAP_ZERO, NULL);
3598 } 3697 }
3599 3698
@@ -3615,7 +3714,7 @@ static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3615 return rc; 3714 return rc;
3616 } 3715 }
3617 3716
3618 if (selinux_checkreqprot) 3717 if (selinux_state.checkreqprot)
3619 prot = reqprot; 3718 prot = reqprot;
3620 3719
3621 return file_map_prot_check(file, prot, 3720 return file_map_prot_check(file, prot,
@@ -3629,7 +3728,7 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
3629 const struct cred *cred = current_cred(); 3728 const struct cred *cred = current_cred();
3630 u32 sid = cred_sid(cred); 3729 u32 sid = cred_sid(cred);
3631 3730
3632 if (selinux_checkreqprot) 3731 if (selinux_state.checkreqprot)
3633 prot = reqprot; 3732 prot = reqprot;
3634 3733
3635 if (default_noexec && 3734 if (default_noexec &&
@@ -3637,13 +3736,15 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
3637 int rc = 0; 3736 int rc = 0;
3638 if (vma->vm_start >= vma->vm_mm->start_brk && 3737 if (vma->vm_start >= vma->vm_mm->start_brk &&
3639 vma->vm_end <= vma->vm_mm->brk) { 3738 vma->vm_end <= vma->vm_mm->brk) {
3640 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3739 rc = avc_has_perm(&selinux_state,
3740 sid, sid, SECCLASS_PROCESS,
3641 PROCESS__EXECHEAP, NULL); 3741 PROCESS__EXECHEAP, NULL);
3642 } else if (!vma->vm_file && 3742 } else if (!vma->vm_file &&
3643 ((vma->vm_start <= vma->vm_mm->start_stack && 3743 ((vma->vm_start <= vma->vm_mm->start_stack &&
3644 vma->vm_end >= vma->vm_mm->start_stack) || 3744 vma->vm_end >= vma->vm_mm->start_stack) ||
3645 vma_is_stack_for_current(vma))) { 3745 vma_is_stack_for_current(vma))) {
3646 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3746 rc = avc_has_perm(&selinux_state,
3747 sid, sid, SECCLASS_PROCESS,
3647 PROCESS__EXECSTACK, NULL); 3748 PROCESS__EXECSTACK, NULL);
3648 } else if (vma->vm_file && vma->anon_vma) { 3749 } else if (vma->vm_file && vma->anon_vma) {
3649 /* 3750 /*
@@ -3735,7 +3836,8 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
3735 else 3836 else
3736 perm = signal_to_av(signum); 3837 perm = signal_to_av(signum);
3737 3838
3738 return avc_has_perm(fsec->fown_sid, sid, 3839 return avc_has_perm(&selinux_state,
3840 fsec->fown_sid, sid,
3739 SECCLASS_PROCESS, perm, NULL); 3841 SECCLASS_PROCESS, perm, NULL);
3740} 3842}
3741 3843
@@ -3761,7 +3863,7 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
3761 * struct as its SID. 3863 * struct as its SID.
3762 */ 3864 */
3763 fsec->isid = isec->sid; 3865 fsec->isid = isec->sid;
3764 fsec->pseqno = avc_policy_seqno(); 3866 fsec->pseqno = avc_policy_seqno(&selinux_state);
3765 /* 3867 /*
3766 * Since the inode label or policy seqno may have changed 3868 * Since the inode label or policy seqno may have changed
3767 * between the selinux_inode_permission check and the saving 3869 * between the selinux_inode_permission check and the saving
@@ -3780,7 +3882,8 @@ static int selinux_task_alloc(struct task_struct *task,
3780{ 3882{
3781 u32 sid = current_sid(); 3883 u32 sid = current_sid();
3782 3884
3783 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3885 return avc_has_perm(&selinux_state,
3886 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3784} 3887}
3785 3888
3786/* 3889/*
@@ -3854,7 +3957,8 @@ static int selinux_kernel_act_as(struct cred *new, u32 secid)
3854 u32 sid = current_sid(); 3957 u32 sid = current_sid();
3855 int ret; 3958 int ret;
3856 3959
3857 ret = avc_has_perm(sid, secid, 3960 ret = avc_has_perm(&selinux_state,
3961 sid, secid,
3858 SECCLASS_KERNEL_SERVICE, 3962 SECCLASS_KERNEL_SERVICE,
3859 KERNEL_SERVICE__USE_AS_OVERRIDE, 3963 KERNEL_SERVICE__USE_AS_OVERRIDE,
3860 NULL); 3964 NULL);
@@ -3878,7 +3982,8 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3878 u32 sid = current_sid(); 3982 u32 sid = current_sid();
3879 int ret; 3983 int ret;
3880 3984
3881 ret = avc_has_perm(sid, isec->sid, 3985 ret = avc_has_perm(&selinux_state,
3986 sid, isec->sid,
3882 SECCLASS_KERNEL_SERVICE, 3987 SECCLASS_KERNEL_SERVICE,
3883 KERNEL_SERVICE__CREATE_FILES_AS, 3988 KERNEL_SERVICE__CREATE_FILES_AS,
3884 NULL); 3989 NULL);
@@ -3895,7 +4000,8 @@ static int selinux_kernel_module_request(char *kmod_name)
3895 ad.type = LSM_AUDIT_DATA_KMOD; 4000 ad.type = LSM_AUDIT_DATA_KMOD;
3896 ad.u.kmod_name = kmod_name; 4001 ad.u.kmod_name = kmod_name;
3897 4002
3898 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4003 return avc_has_perm(&selinux_state,
4004 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3899 SYSTEM__MODULE_REQUEST, &ad); 4005 SYSTEM__MODULE_REQUEST, &ad);
3900} 4006}
3901 4007
@@ -3909,7 +4015,8 @@ static int selinux_kernel_module_from_file(struct file *file)
3909 4015
3910 /* init_module */ 4016 /* init_module */
3911 if (file == NULL) 4017 if (file == NULL)
3912 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, 4018 return avc_has_perm(&selinux_state,
4019 sid, sid, SECCLASS_SYSTEM,
3913 SYSTEM__MODULE_LOAD, NULL); 4020 SYSTEM__MODULE_LOAD, NULL);
3914 4021
3915 /* finit_module */ 4022 /* finit_module */
@@ -3919,13 +4026,15 @@ static int selinux_kernel_module_from_file(struct file *file)
3919 4026
3920 fsec = file->f_security; 4027 fsec = file->f_security;
3921 if (sid != fsec->sid) { 4028 if (sid != fsec->sid) {
3922 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4029 rc = avc_has_perm(&selinux_state,
4030 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3923 if (rc) 4031 if (rc)
3924 return rc; 4032 return rc;
3925 } 4033 }
3926 4034
3927 isec = inode_security(file_inode(file)); 4035 isec = inode_security(file_inode(file));
3928 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, 4036 return avc_has_perm(&selinux_state,
4037 sid, isec->sid, SECCLASS_SYSTEM,
3929 SYSTEM__MODULE_LOAD, &ad); 4038 SYSTEM__MODULE_LOAD, &ad);
3930} 4039}
3931 4040
@@ -3947,19 +4056,22 @@ static int selinux_kernel_read_file(struct file *file,
3947 4056
3948static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4057static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3949{ 4058{
3950 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4059 return avc_has_perm(&selinux_state,
4060 current_sid(), task_sid(p), SECCLASS_PROCESS,
3951 PROCESS__SETPGID, NULL); 4061 PROCESS__SETPGID, NULL);
3952} 4062}
3953 4063
3954static int selinux_task_getpgid(struct task_struct *p) 4064static int selinux_task_getpgid(struct task_struct *p)
3955{ 4065{
3956 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4066 return avc_has_perm(&selinux_state,
4067 current_sid(), task_sid(p), SECCLASS_PROCESS,
3957 PROCESS__GETPGID, NULL); 4068 PROCESS__GETPGID, NULL);
3958} 4069}
3959 4070
3960static int selinux_task_getsid(struct task_struct *p) 4071static int selinux_task_getsid(struct task_struct *p)
3961{ 4072{
3962 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4073 return avc_has_perm(&selinux_state,
4074 current_sid(), task_sid(p), SECCLASS_PROCESS,
3963 PROCESS__GETSESSION, NULL); 4075 PROCESS__GETSESSION, NULL);
3964} 4076}
3965 4077
@@ -3970,19 +4082,22 @@ static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3970 4082
3971static int selinux_task_setnice(struct task_struct *p, int nice) 4083static int selinux_task_setnice(struct task_struct *p, int nice)
3972{ 4084{
3973 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4085 return avc_has_perm(&selinux_state,
4086 current_sid(), task_sid(p), SECCLASS_PROCESS,
3974 PROCESS__SETSCHED, NULL); 4087 PROCESS__SETSCHED, NULL);
3975} 4088}
3976 4089
3977static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4090static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3978{ 4091{
3979 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4092 return avc_has_perm(&selinux_state,
4093 current_sid(), task_sid(p), SECCLASS_PROCESS,
3980 PROCESS__SETSCHED, NULL); 4094 PROCESS__SETSCHED, NULL);
3981} 4095}
3982 4096
3983static int selinux_task_getioprio(struct task_struct *p) 4097static int selinux_task_getioprio(struct task_struct *p)
3984{ 4098{
3985 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4099 return avc_has_perm(&selinux_state,
4100 current_sid(), task_sid(p), SECCLASS_PROCESS,
3986 PROCESS__GETSCHED, NULL); 4101 PROCESS__GETSCHED, NULL);
3987} 4102}
3988 4103
@@ -3997,7 +4112,8 @@ static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcre
3997 av |= PROCESS__SETRLIMIT; 4112 av |= PROCESS__SETRLIMIT;
3998 if (flags & LSM_PRLIMIT_READ) 4113 if (flags & LSM_PRLIMIT_READ)
3999 av |= PROCESS__GETRLIMIT; 4114 av |= PROCESS__GETRLIMIT;
4000 return avc_has_perm(cred_sid(cred), cred_sid(tcred), 4115 return avc_has_perm(&selinux_state,
4116 cred_sid(cred), cred_sid(tcred),
4001 SECCLASS_PROCESS, av, NULL); 4117 SECCLASS_PROCESS, av, NULL);
4002} 4118}
4003 4119
@@ -4011,7 +4127,8 @@ static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4011 later be used as a safe reset point for the soft limit 4127 later be used as a safe reset point for the soft limit
4012 upon context transitions. See selinux_bprm_committing_creds. */ 4128 upon context transitions. See selinux_bprm_committing_creds. */
4013 if (old_rlim->rlim_max != new_rlim->rlim_max) 4129 if (old_rlim->rlim_max != new_rlim->rlim_max)
4014 return avc_has_perm(current_sid(), task_sid(p), 4130 return avc_has_perm(&selinux_state,
4131 current_sid(), task_sid(p),
4015 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4132 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4016 4133
4017 return 0; 4134 return 0;
@@ -4019,19 +4136,22 @@ static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4019 4136
4020static int selinux_task_setscheduler(struct task_struct *p) 4137static int selinux_task_setscheduler(struct task_struct *p)
4021{ 4138{
4022 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4139 return avc_has_perm(&selinux_state,
4140 current_sid(), task_sid(p), SECCLASS_PROCESS,
4023 PROCESS__SETSCHED, NULL); 4141 PROCESS__SETSCHED, NULL);
4024} 4142}
4025 4143
4026static int selinux_task_getscheduler(struct task_struct *p) 4144static int selinux_task_getscheduler(struct task_struct *p)
4027{ 4145{
4028 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4146 return avc_has_perm(&selinux_state,
4147 current_sid(), task_sid(p), SECCLASS_PROCESS,
4029 PROCESS__GETSCHED, NULL); 4148 PROCESS__GETSCHED, NULL);
4030} 4149}
4031 4150
4032static int selinux_task_movememory(struct task_struct *p) 4151static int selinux_task_movememory(struct task_struct *p)
4033{ 4152{
4034 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4153 return avc_has_perm(&selinux_state,
4154 current_sid(), task_sid(p), SECCLASS_PROCESS,
4035 PROCESS__SETSCHED, NULL); 4155 PROCESS__SETSCHED, NULL);
4036} 4156}
4037 4157
@@ -4049,7 +4169,8 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4049 secid = current_sid(); 4169 secid = current_sid();
4050 else 4170 else
4051 secid = cred_sid(cred); 4171 secid = cred_sid(cred);
4052 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); 4172 return avc_has_perm(&selinux_state,
4173 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4053} 4174}
4054 4175
4055static void selinux_task_to_inode(struct task_struct *p, 4176static void selinux_task_to_inode(struct task_struct *p,
@@ -4137,6 +4258,23 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4137 break; 4258 break;
4138 } 4259 }
4139 4260
4261#if IS_ENABLED(CONFIG_IP_SCTP)
4262 case IPPROTO_SCTP: {
4263 struct sctphdr _sctph, *sh;
4264
4265 if (ntohs(ih->frag_off) & IP_OFFSET)
4266 break;
4267
4268 offset += ihlen;
4269 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4270 if (sh == NULL)
4271 break;
4272
4273 ad->u.net->sport = sh->source;
4274 ad->u.net->dport = sh->dest;
4275 break;
4276 }
4277#endif
4140 default: 4278 default:
4141 break; 4279 break;
4142 } 4280 }
@@ -4210,6 +4348,19 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4210 break; 4348 break;
4211 } 4349 }
4212 4350
4351#if IS_ENABLED(CONFIG_IP_SCTP)
4352 case IPPROTO_SCTP: {
4353 struct sctphdr _sctph, *sh;
4354
4355 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4356 if (sh == NULL)
4357 break;
4358
4359 ad->u.net->sport = sh->source;
4360 ad->u.net->dport = sh->dest;
4361 break;
4362 }
4363#endif
4213 /* includes fragments */ 4364 /* includes fragments */
4214 default: 4365 default:
4215 break; 4366 break;
@@ -4290,7 +4441,8 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4290 if (unlikely(err)) 4441 if (unlikely(err))
4291 return -EACCES; 4442 return -EACCES;
4292 4443
4293 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 4444 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4445 nlbl_type, xfrm_sid, sid);
4294 if (unlikely(err)) { 4446 if (unlikely(err)) {
4295 printk(KERN_WARNING 4447 printk(KERN_WARNING
4296 "SELinux: failure in selinux_skb_peerlbl_sid()," 4448 "SELinux: failure in selinux_skb_peerlbl_sid(),"
@@ -4318,7 +4470,8 @@ static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4318 int err = 0; 4470 int err = 0;
4319 4471
4320 if (skb_sid != SECSID_NULL) 4472 if (skb_sid != SECSID_NULL)
4321 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid); 4473 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4474 conn_sid);
4322 else 4475 else
4323 *conn_sid = sk_sid; 4476 *conn_sid = sk_sid;
4324 4477
@@ -4335,8 +4488,8 @@ static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4335 return 0; 4488 return 0;
4336 } 4489 }
4337 4490
4338 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL, 4491 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4339 socksid); 4492 secclass, NULL, socksid);
4340} 4493}
4341 4494
4342static int sock_has_perm(struct sock *sk, u32 perms) 4495static int sock_has_perm(struct sock *sk, u32 perms)
@@ -4352,7 +4505,8 @@ static int sock_has_perm(struct sock *sk, u32 perms)
4352 ad.u.net = &net; 4505 ad.u.net = &net;
4353 ad.u.net->sk = sk; 4506 ad.u.net->sk = sk;
4354 4507
4355 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4508 return avc_has_perm(&selinux_state,
4509 current_sid(), sksec->sid, sksec->sclass, perms,
4356 &ad); 4510 &ad);
4357} 4511}
4358 4512
@@ -4372,7 +4526,8 @@ static int selinux_socket_create(int family, int type,
4372 if (rc) 4526 if (rc)
4373 return rc; 4527 return rc;
4374 4528
4375 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4529 return avc_has_perm(&selinux_state,
4530 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4376} 4531}
4377 4532
4378static int selinux_socket_post_create(struct socket *sock, int family, 4533static int selinux_socket_post_create(struct socket *sock, int family,
@@ -4399,6 +4554,10 @@ static int selinux_socket_post_create(struct socket *sock, int family,
4399 sksec = sock->sk->sk_security; 4554 sksec = sock->sk->sk_security;
4400 sksec->sclass = sclass; 4555 sksec->sclass = sclass;
4401 sksec->sid = sid; 4556 sksec->sid = sid;
4557 /* Allows detection of the first association on this socket */
4558 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4559 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4560
4402 err = selinux_netlbl_socket_post_create(sock->sk, family); 4561 err = selinux_netlbl_socket_post_create(sock->sk, family);
4403 } 4562 }
4404 4563
@@ -4419,11 +4578,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4419 if (err) 4578 if (err)
4420 goto out; 4579 goto out;
4421 4580
4422 /* 4581 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4423 * If PF_INET or PF_INET6, check name_bind permission for the port.
4424 * Multiple address binding for SCTP is not supported yet: we just
4425 * check the first address now.
4426 */
4427 family = sk->sk_family; 4582 family = sk->sk_family;
4428 if (family == PF_INET || family == PF_INET6) { 4583 if (family == PF_INET || family == PF_INET6) {
4429 char *addrp; 4584 char *addrp;
@@ -4435,22 +4590,35 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4435 unsigned short snum; 4590 unsigned short snum;
4436 u32 sid, node_perm; 4591 u32 sid, node_perm;
4437 4592
4438 if (family == PF_INET) { 4593 /*
4439 if (addrlen < sizeof(struct sockaddr_in)) { 4594 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4440 err = -EINVAL; 4595 * that validates multiple binding addresses. Because of this
4441 goto out; 4596 * need to check address->sa_family as it is possible to have
4442 } 4597 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4598 */
4599 switch (address->sa_family) {
4600 case AF_INET:
4601 if (addrlen < sizeof(struct sockaddr_in))
4602 return -EINVAL;
4443 addr4 = (struct sockaddr_in *)address; 4603 addr4 = (struct sockaddr_in *)address;
4444 snum = ntohs(addr4->sin_port); 4604 snum = ntohs(addr4->sin_port);
4445 addrp = (char *)&addr4->sin_addr.s_addr; 4605 addrp = (char *)&addr4->sin_addr.s_addr;
4446 } else { 4606 break;
4447 if (addrlen < SIN6_LEN_RFC2133) { 4607 case AF_INET6:
4448 err = -EINVAL; 4608 if (addrlen < SIN6_LEN_RFC2133)
4449 goto out; 4609 return -EINVAL;
4450 }
4451 addr6 = (struct sockaddr_in6 *)address; 4610 addr6 = (struct sockaddr_in6 *)address;
4452 snum = ntohs(addr6->sin6_port); 4611 snum = ntohs(addr6->sin6_port);
4453 addrp = (char *)&addr6->sin6_addr.s6_addr; 4612 addrp = (char *)&addr6->sin6_addr.s6_addr;
4613 break;
4614 default:
4615 /* Note that SCTP services expect -EINVAL, whereas
4616 * others expect -EAFNOSUPPORT.
4617 */
4618 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4619 return -EINVAL;
4620 else
4621 return -EAFNOSUPPORT;
4454 } 4622 }
4455 4623
4456 if (snum) { 4624 if (snum) {
@@ -4468,7 +4636,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4468 ad.u.net = &net; 4636 ad.u.net = &net;
4469 ad.u.net->sport = htons(snum); 4637 ad.u.net->sport = htons(snum);
4470 ad.u.net->family = family; 4638 ad.u.net->family = family;
4471 err = avc_has_perm(sksec->sid, sid, 4639 err = avc_has_perm(&selinux_state,
4640 sksec->sid, sid,
4472 sksec->sclass, 4641 sksec->sclass,
4473 SOCKET__NAME_BIND, &ad); 4642 SOCKET__NAME_BIND, &ad);
4474 if (err) 4643 if (err)
@@ -4489,6 +4658,10 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4489 node_perm = DCCP_SOCKET__NODE_BIND; 4658 node_perm = DCCP_SOCKET__NODE_BIND;
4490 break; 4659 break;
4491 4660
4661 case SECCLASS_SCTP_SOCKET:
4662 node_perm = SCTP_SOCKET__NODE_BIND;
4663 break;
4664
4492 default: 4665 default:
4493 node_perm = RAWIP_SOCKET__NODE_BIND; 4666 node_perm = RAWIP_SOCKET__NODE_BIND;
4494 break; 4667 break;
@@ -4503,12 +4676,13 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4503 ad.u.net->sport = htons(snum); 4676 ad.u.net->sport = htons(snum);
4504 ad.u.net->family = family; 4677 ad.u.net->family = family;
4505 4678
4506 if (family == PF_INET) 4679 if (address->sa_family == AF_INET)
4507 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4680 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4508 else 4681 else
4509 ad.u.net->v6info.saddr = addr6->sin6_addr; 4682 ad.u.net->v6info.saddr = addr6->sin6_addr;
4510 4683
4511 err = avc_has_perm(sksec->sid, sid, 4684 err = avc_has_perm(&selinux_state,
4685 sksec->sid, sid,
4512 sksec->sclass, node_perm, &ad); 4686 sksec->sclass, node_perm, &ad);
4513 if (err) 4687 if (err)
4514 goto out; 4688 goto out;
@@ -4517,7 +4691,11 @@ out:
4517 return err; 4691 return err;
4518} 4692}
4519 4693
4520static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 4694/* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4695 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.txt
4696 */
4697static int selinux_socket_connect_helper(struct socket *sock,
4698 struct sockaddr *address, int addrlen)
4521{ 4699{
4522 struct sock *sk = sock->sk; 4700 struct sock *sk = sock->sk;
4523 struct sk_security_struct *sksec = sk->sk_security; 4701 struct sk_security_struct *sksec = sk->sk_security;
@@ -4528,10 +4706,12 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
4528 return err; 4706 return err;
4529 4707
4530 /* 4708 /*
4531 * If a TCP or DCCP socket, check name_connect permission for the port. 4709 * If a TCP, DCCP or SCTP socket, check name_connect permission
4710 * for the port.
4532 */ 4711 */
4533 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4712 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4534 sksec->sclass == SECCLASS_DCCP_SOCKET) { 4713 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4714 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4535 struct common_audit_data ad; 4715 struct common_audit_data ad;
4536 struct lsm_network_audit net = {0,}; 4716 struct lsm_network_audit net = {0,};
4537 struct sockaddr_in *addr4 = NULL; 4717 struct sockaddr_in *addr4 = NULL;
@@ -4539,38 +4719,75 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
4539 unsigned short snum; 4719 unsigned short snum;
4540 u32 sid, perm; 4720 u32 sid, perm;
4541 4721
4542 if (sk->sk_family == PF_INET) { 4722 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4723 * that validates multiple connect addresses. Because of this
4724 * need to check address->sa_family as it is possible to have
4725 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4726 */
4727 switch (address->sa_family) {
4728 case AF_INET:
4543 addr4 = (struct sockaddr_in *)address; 4729 addr4 = (struct sockaddr_in *)address;
4544 if (addrlen < sizeof(struct sockaddr_in)) 4730 if (addrlen < sizeof(struct sockaddr_in))
4545 return -EINVAL; 4731 return -EINVAL;
4546 snum = ntohs(addr4->sin_port); 4732 snum = ntohs(addr4->sin_port);
4547 } else { 4733 break;
4734 case AF_INET6:
4548 addr6 = (struct sockaddr_in6 *)address; 4735 addr6 = (struct sockaddr_in6 *)address;
4549 if (addrlen < SIN6_LEN_RFC2133) 4736 if (addrlen < SIN6_LEN_RFC2133)
4550 return -EINVAL; 4737 return -EINVAL;
4551 snum = ntohs(addr6->sin6_port); 4738 snum = ntohs(addr6->sin6_port);
4739 break;
4740 default:
4741 /* Note that SCTP services expect -EINVAL, whereas
4742 * others expect -EAFNOSUPPORT.
4743 */
4744 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4745 return -EINVAL;
4746 else
4747 return -EAFNOSUPPORT;
4552 } 4748 }
4553 4749
4554 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4750 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4555 if (err) 4751 if (err)
4556 goto out; 4752 return err;
4557 4753
4558 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ? 4754 switch (sksec->sclass) {
4559 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 4755 case SECCLASS_TCP_SOCKET:
4756 perm = TCP_SOCKET__NAME_CONNECT;
4757 break;
4758 case SECCLASS_DCCP_SOCKET:
4759 perm = DCCP_SOCKET__NAME_CONNECT;
4760 break;
4761 case SECCLASS_SCTP_SOCKET:
4762 perm = SCTP_SOCKET__NAME_CONNECT;
4763 break;
4764 }
4560 4765
4561 ad.type = LSM_AUDIT_DATA_NET; 4766 ad.type = LSM_AUDIT_DATA_NET;
4562 ad.u.net = &net; 4767 ad.u.net = &net;
4563 ad.u.net->dport = htons(snum); 4768 ad.u.net->dport = htons(snum);
4564 ad.u.net->family = sk->sk_family; 4769 ad.u.net->family = sk->sk_family;
4565 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 4770 err = avc_has_perm(&selinux_state,
4771 sksec->sid, sid, sksec->sclass, perm, &ad);
4566 if (err) 4772 if (err)
4567 goto out; 4773 return err;
4568 } 4774 }
4569 4775
4570 err = selinux_netlbl_socket_connect(sk, address); 4776 return 0;
4777}
4571 4778
4572out: 4779/* Supports connect(2), see comments in selinux_socket_connect_helper() */
4573 return err; 4780static int selinux_socket_connect(struct socket *sock,
4781 struct sockaddr *address, int addrlen)
4782{
4783 int err;
4784 struct sock *sk = sock->sk;
4785
4786 err = selinux_socket_connect_helper(sock, address, addrlen);
4787 if (err)
4788 return err;
4789
4790 return selinux_netlbl_socket_connect(sk, address);
4574} 4791}
4575 4792
4576static int selinux_socket_listen(struct socket *sock, int backlog) 4793static int selinux_socket_listen(struct socket *sock, int backlog)
@@ -4663,7 +4880,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
4663 ad.u.net = &net; 4880 ad.u.net = &net;
4664 ad.u.net->sk = other; 4881 ad.u.net->sk = other;
4665 4882
4666 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 4883 err = avc_has_perm(&selinux_state,
4884 sksec_sock->sid, sksec_other->sid,
4667 sksec_other->sclass, 4885 sksec_other->sclass,
4668 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4886 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4669 if (err) 4887 if (err)
@@ -4671,8 +4889,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
4671 4889
4672 /* server child socket */ 4890 /* server child socket */
4673 sksec_new->peer_sid = sksec_sock->sid; 4891 sksec_new->peer_sid = sksec_sock->sid;
4674 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid, 4892 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4675 &sksec_new->sid); 4893 sksec_sock->sid, &sksec_new->sid);
4676 if (err) 4894 if (err)
4677 return err; 4895 return err;
4678 4896
@@ -4694,7 +4912,8 @@ static int selinux_socket_unix_may_send(struct socket *sock,
4694 ad.u.net = &net; 4912 ad.u.net = &net;
4695 ad.u.net->sk = other->sk; 4913 ad.u.net->sk = other->sk;
4696 4914
4697 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4915 return avc_has_perm(&selinux_state,
4916 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4698 &ad); 4917 &ad);
4699} 4918}
4700 4919
@@ -4709,7 +4928,8 @@ static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4709 err = sel_netif_sid(ns, ifindex, &if_sid); 4928 err = sel_netif_sid(ns, ifindex, &if_sid);
4710 if (err) 4929 if (err)
4711 return err; 4930 return err;
4712 err = avc_has_perm(peer_sid, if_sid, 4931 err = avc_has_perm(&selinux_state,
4932 peer_sid, if_sid,
4713 SECCLASS_NETIF, NETIF__INGRESS, ad); 4933 SECCLASS_NETIF, NETIF__INGRESS, ad);
4714 if (err) 4934 if (err)
4715 return err; 4935 return err;
@@ -4717,7 +4937,8 @@ static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4717 err = sel_netnode_sid(addrp, family, &node_sid); 4937 err = sel_netnode_sid(addrp, family, &node_sid);
4718 if (err) 4938 if (err)
4719 return err; 4939 return err;
4720 return avc_has_perm(peer_sid, node_sid, 4940 return avc_has_perm(&selinux_state,
4941 peer_sid, node_sid,
4721 SECCLASS_NODE, NODE__RECVFROM, ad); 4942 SECCLASS_NODE, NODE__RECVFROM, ad);
4722} 4943}
4723 4944
@@ -4740,7 +4961,8 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4740 return err; 4961 return err;
4741 4962
4742 if (selinux_secmark_enabled()) { 4963 if (selinux_secmark_enabled()) {
4743 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4964 err = avc_has_perm(&selinux_state,
4965 sk_sid, skb->secmark, SECCLASS_PACKET,
4744 PACKET__RECV, &ad); 4966 PACKET__RECV, &ad);
4745 if (err) 4967 if (err)
4746 return err; 4968 return err;
@@ -4777,7 +4999,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4777 * to the selinux_sock_rcv_skb_compat() function to deal with the 4999 * to the selinux_sock_rcv_skb_compat() function to deal with the
4778 * special handling. We do this in an attempt to keep this function 5000 * special handling. We do this in an attempt to keep this function
4779 * as fast and as clean as possible. */ 5001 * as fast and as clean as possible. */
4780 if (!selinux_policycap_netpeer) 5002 if (!selinux_policycap_netpeer())
4781 return selinux_sock_rcv_skb_compat(sk, skb, family); 5003 return selinux_sock_rcv_skb_compat(sk, skb, family);
4782 5004
4783 secmark_active = selinux_secmark_enabled(); 5005 secmark_active = selinux_secmark_enabled();
@@ -4805,7 +5027,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4805 selinux_netlbl_err(skb, family, err, 0); 5027 selinux_netlbl_err(skb, family, err, 0);
4806 return err; 5028 return err;
4807 } 5029 }
4808 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 5030 err = avc_has_perm(&selinux_state,
5031 sk_sid, peer_sid, SECCLASS_PEER,
4809 PEER__RECV, &ad); 5032 PEER__RECV, &ad);
4810 if (err) { 5033 if (err) {
4811 selinux_netlbl_err(skb, family, err, 0); 5034 selinux_netlbl_err(skb, family, err, 0);
@@ -4814,7 +5037,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4814 } 5037 }
4815 5038
4816 if (secmark_active) { 5039 if (secmark_active) {
4817 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5040 err = avc_has_perm(&selinux_state,
5041 sk_sid, skb->secmark, SECCLASS_PACKET,
4818 PACKET__RECV, &ad); 5042 PACKET__RECV, &ad);
4819 if (err) 5043 if (err)
4820 return err; 5044 return err;
@@ -4833,12 +5057,14 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *op
4833 u32 peer_sid = SECSID_NULL; 5057 u32 peer_sid = SECSID_NULL;
4834 5058
4835 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5059 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4836 sksec->sclass == SECCLASS_TCP_SOCKET) 5060 sksec->sclass == SECCLASS_TCP_SOCKET ||
5061 sksec->sclass == SECCLASS_SCTP_SOCKET)
4837 peer_sid = sksec->peer_sid; 5062 peer_sid = sksec->peer_sid;
4838 if (peer_sid == SECSID_NULL) 5063 if (peer_sid == SECSID_NULL)
4839 return -ENOPROTOOPT; 5064 return -ENOPROTOOPT;
4840 5065
4841 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 5066 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5067 &scontext_len);
4842 if (err) 5068 if (err)
4843 return err; 5069 return err;
4844 5070
@@ -4946,6 +5172,172 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4946 sksec->sclass = isec->sclass; 5172 sksec->sclass = isec->sclass;
4947} 5173}
4948 5174
5175/* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5176 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5177 * already present).
5178 */
5179static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5180 struct sk_buff *skb)
5181{
5182 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5183 struct common_audit_data ad;
5184 struct lsm_network_audit net = {0,};
5185 u8 peerlbl_active;
5186 u32 peer_sid = SECINITSID_UNLABELED;
5187 u32 conn_sid;
5188 int err = 0;
5189
5190 if (!selinux_policycap_extsockclass())
5191 return 0;
5192
5193 peerlbl_active = selinux_peerlbl_enabled();
5194
5195 if (peerlbl_active) {
5196 /* This will return peer_sid = SECSID_NULL if there are
5197 * no peer labels, see security_net_peersid_resolve().
5198 */
5199 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5200 &peer_sid);
5201 if (err)
5202 return err;
5203
5204 if (peer_sid == SECSID_NULL)
5205 peer_sid = SECINITSID_UNLABELED;
5206 }
5207
5208 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5209 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5210
5211 /* Here as first association on socket. As the peer SID
5212 * was allowed by peer recv (and the netif/node checks),
5213 * then it is approved by policy and used as the primary
5214 * peer SID for getpeercon(3).
5215 */
5216 sksec->peer_sid = peer_sid;
5217 } else if (sksec->peer_sid != peer_sid) {
5218 /* Other association peer SIDs are checked to enforce
5219 * consistency among the peer SIDs.
5220 */
5221 ad.type = LSM_AUDIT_DATA_NET;
5222 ad.u.net = &net;
5223 ad.u.net->sk = ep->base.sk;
5224 err = avc_has_perm(&selinux_state,
5225 sksec->peer_sid, peer_sid, sksec->sclass,
5226 SCTP_SOCKET__ASSOCIATION, &ad);
5227 if (err)
5228 return err;
5229 }
5230
5231 /* Compute the MLS component for the connection and store
5232 * the information in ep. This will be used by SCTP TCP type
5233 * sockets and peeled off connections as they cause a new
5234 * socket to be generated. selinux_sctp_sk_clone() will then
5235 * plug this into the new socket.
5236 */
5237 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5238 if (err)
5239 return err;
5240
5241 ep->secid = conn_sid;
5242 ep->peer_secid = peer_sid;
5243
5244 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5245 return selinux_netlbl_sctp_assoc_request(ep, skb);
5246}
5247
5248/* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5249 * based on their @optname.
5250 */
5251static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5252 struct sockaddr *address,
5253 int addrlen)
5254{
5255 int len, err = 0, walk_size = 0;
5256 void *addr_buf;
5257 struct sockaddr *addr;
5258 struct socket *sock;
5259
5260 if (!selinux_policycap_extsockclass())
5261 return 0;
5262
5263 /* Process one or more addresses that may be IPv4 or IPv6 */
5264 sock = sk->sk_socket;
5265 addr_buf = address;
5266
5267 while (walk_size < addrlen) {
5268 addr = addr_buf;
5269 switch (addr->sa_family) {
5270 case AF_INET:
5271 len = sizeof(struct sockaddr_in);
5272 break;
5273 case AF_INET6:
5274 len = sizeof(struct sockaddr_in6);
5275 break;
5276 default:
5277 return -EAFNOSUPPORT;
5278 }
5279
5280 err = -EINVAL;
5281 switch (optname) {
5282 /* Bind checks */
5283 case SCTP_PRIMARY_ADDR:
5284 case SCTP_SET_PEER_PRIMARY_ADDR:
5285 case SCTP_SOCKOPT_BINDX_ADD:
5286 err = selinux_socket_bind(sock, addr, len);
5287 break;
5288 /* Connect checks */
5289 case SCTP_SOCKOPT_CONNECTX:
5290 case SCTP_PARAM_SET_PRIMARY:
5291 case SCTP_PARAM_ADD_IP:
5292 case SCTP_SENDMSG_CONNECT:
5293 err = selinux_socket_connect_helper(sock, addr, len);
5294 if (err)
5295 return err;
5296
5297 /* As selinux_sctp_bind_connect() is called by the
5298 * SCTP protocol layer, the socket is already locked,
5299 * therefore selinux_netlbl_socket_connect_locked() is
5300 * is called here. The situations handled are:
5301 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5302 * whenever a new IP address is added or when a new
5303 * primary address is selected.
5304 * Note that an SCTP connect(2) call happens before
5305 * the SCTP protocol layer and is handled via
5306 * selinux_socket_connect().
5307 */
5308 err = selinux_netlbl_socket_connect_locked(sk, addr);
5309 break;
5310 }
5311
5312 if (err)
5313 return err;
5314
5315 addr_buf += len;
5316 walk_size += len;
5317 }
5318
5319 return 0;
5320}
5321
5322/* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5323static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5324 struct sock *newsk)
5325{
5326 struct sk_security_struct *sksec = sk->sk_security;
5327 struct sk_security_struct *newsksec = newsk->sk_security;
5328
5329 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5330 * the non-sctp clone version.
5331 */
5332 if (!selinux_policycap_extsockclass())
5333 return selinux_sk_clone_security(sk, newsk);
5334
5335 newsksec->sid = ep->secid;
5336 newsksec->peer_sid = ep->peer_secid;
5337 newsksec->sclass = sksec->sclass;
5338 selinux_netlbl_sctp_sk_clone(sk, newsk);
5339}
5340
4949static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 5341static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4950 struct request_sock *req) 5342 struct request_sock *req)
4951{ 5343{
@@ -5004,7 +5396,9 @@ static int selinux_secmark_relabel_packet(u32 sid)
5004 __tsec = current_security(); 5396 __tsec = current_security();
5005 tsid = __tsec->sid; 5397 tsid = __tsec->sid;
5006 5398
5007 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL); 5399 return avc_has_perm(&selinux_state,
5400 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5401 NULL);
5008} 5402}
5009 5403
5010static void selinux_secmark_refcount_inc(void) 5404static void selinux_secmark_refcount_inc(void)
@@ -5052,7 +5446,8 @@ static int selinux_tun_dev_create(void)
5052 * connections unlike traditional sockets - check the TUN driver to 5446 * connections unlike traditional sockets - check the TUN driver to
5053 * get a better understanding of why this socket is special */ 5447 * get a better understanding of why this socket is special */
5054 5448
5055 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5449 return avc_has_perm(&selinux_state,
5450 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5056 NULL); 5451 NULL);
5057} 5452}
5058 5453
@@ -5060,7 +5455,8 @@ static int selinux_tun_dev_attach_queue(void *security)
5060{ 5455{
5061 struct tun_security_struct *tunsec = security; 5456 struct tun_security_struct *tunsec = security;
5062 5457
5063 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5458 return avc_has_perm(&selinux_state,
5459 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5064 TUN_SOCKET__ATTACH_QUEUE, NULL); 5460 TUN_SOCKET__ATTACH_QUEUE, NULL);
5065} 5461}
5066 5462
@@ -5088,11 +5484,13 @@ static int selinux_tun_dev_open(void *security)
5088 u32 sid = current_sid(); 5484 u32 sid = current_sid();
5089 int err; 5485 int err;
5090 5486
5091 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5487 err = avc_has_perm(&selinux_state,
5488 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5092 TUN_SOCKET__RELABELFROM, NULL); 5489 TUN_SOCKET__RELABELFROM, NULL);
5093 if (err) 5490 if (err)
5094 return err; 5491 return err;
5095 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 5492 err = avc_has_perm(&selinux_state,
5493 sid, sid, SECCLASS_TUN_SOCKET,
5096 TUN_SOCKET__RELABELTO, NULL); 5494 TUN_SOCKET__RELABELTO, NULL);
5097 if (err) 5495 if (err)
5098 return err; 5496 return err;
@@ -5123,7 +5521,8 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5123 sk->sk_protocol, nlh->nlmsg_type, 5521 sk->sk_protocol, nlh->nlmsg_type,
5124 secclass_map[sksec->sclass - 1].name, 5522 secclass_map[sksec->sclass - 1].name,
5125 task_pid_nr(current), current->comm); 5523 task_pid_nr(current), current->comm);
5126 if (!selinux_enforcing || security_get_allow_unknown()) 5524 if (!enforcing_enabled(&selinux_state) ||
5525 security_get_allow_unknown(&selinux_state))
5127 err = 0; 5526 err = 0;
5128 } 5527 }
5129 5528
@@ -5153,7 +5552,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb,
5153 u8 netlbl_active; 5552 u8 netlbl_active;
5154 u8 peerlbl_active; 5553 u8 peerlbl_active;
5155 5554
5156 if (!selinux_policycap_netpeer) 5555 if (!selinux_policycap_netpeer())
5157 return NF_ACCEPT; 5556 return NF_ACCEPT;
5158 5557
5159 secmark_active = selinux_secmark_enabled(); 5558 secmark_active = selinux_secmark_enabled();
@@ -5182,7 +5581,8 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb,
5182 } 5581 }
5183 5582
5184 if (secmark_active) 5583 if (secmark_active)
5185 if (avc_has_perm(peer_sid, skb->secmark, 5584 if (avc_has_perm(&selinux_state,
5585 peer_sid, skb->secmark,
5186 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5586 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5187 return NF_DROP; 5587 return NF_DROP;
5188 5588
@@ -5294,7 +5694,8 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5294 return NF_DROP; 5694 return NF_DROP;
5295 5695
5296 if (selinux_secmark_enabled()) 5696 if (selinux_secmark_enabled())
5297 if (avc_has_perm(sksec->sid, skb->secmark, 5697 if (avc_has_perm(&selinux_state,
5698 sksec->sid, skb->secmark,
5298 SECCLASS_PACKET, PACKET__SEND, &ad)) 5699 SECCLASS_PACKET, PACKET__SEND, &ad))
5299 return NF_DROP_ERR(-ECONNREFUSED); 5700 return NF_DROP_ERR(-ECONNREFUSED);
5300 5701
@@ -5322,7 +5723,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5322 * to the selinux_ip_postroute_compat() function to deal with the 5723 * to the selinux_ip_postroute_compat() function to deal with the
5323 * special handling. We do this in an attempt to keep this function 5724 * special handling. We do this in an attempt to keep this function
5324 * as fast and as clean as possible. */ 5725 * as fast and as clean as possible. */
5325 if (!selinux_policycap_netpeer) 5726 if (!selinux_policycap_netpeer())
5326 return selinux_ip_postroute_compat(skb, ifindex, family); 5727 return selinux_ip_postroute_compat(skb, ifindex, family);
5327 5728
5328 secmark_active = selinux_secmark_enabled(); 5729 secmark_active = selinux_secmark_enabled();
@@ -5417,7 +5818,8 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5417 return NF_DROP; 5818 return NF_DROP;
5418 5819
5419 if (secmark_active) 5820 if (secmark_active)
5420 if (avc_has_perm(peer_sid, skb->secmark, 5821 if (avc_has_perm(&selinux_state,
5822 peer_sid, skb->secmark,
5421 SECCLASS_PACKET, secmark_perm, &ad)) 5823 SECCLASS_PACKET, secmark_perm, &ad))
5422 return NF_DROP_ERR(-ECONNREFUSED); 5824 return NF_DROP_ERR(-ECONNREFUSED);
5423 5825
@@ -5427,13 +5829,15 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5427 5829
5428 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5830 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5429 return NF_DROP; 5831 return NF_DROP;
5430 if (avc_has_perm(peer_sid, if_sid, 5832 if (avc_has_perm(&selinux_state,
5833 peer_sid, if_sid,
5431 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5834 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5432 return NF_DROP_ERR(-ECONNREFUSED); 5835 return NF_DROP_ERR(-ECONNREFUSED);
5433 5836
5434 if (sel_netnode_sid(addrp, family, &node_sid)) 5837 if (sel_netnode_sid(addrp, family, &node_sid))
5435 return NF_DROP; 5838 return NF_DROP;
5436 if (avc_has_perm(peer_sid, node_sid, 5839 if (avc_has_perm(&selinux_state,
5840 peer_sid, node_sid,
5437 SECCLASS_NODE, NODE__SENDTO, &ad)) 5841 SECCLASS_NODE, NODE__SENDTO, &ad))
5438 return NF_DROP_ERR(-ECONNREFUSED); 5842 return NF_DROP_ERR(-ECONNREFUSED);
5439 } 5843 }
@@ -5521,7 +5925,8 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5521 ad.type = LSM_AUDIT_DATA_IPC; 5925 ad.type = LSM_AUDIT_DATA_IPC;
5522 ad.u.ipc_id = ipc_perms->key; 5926 ad.u.ipc_id = ipc_perms->key;
5523 5927
5524 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 5928 return avc_has_perm(&selinux_state,
5929 sid, isec->sid, isec->sclass, perms, &ad);
5525} 5930}
5526 5931
5527static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5932static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
@@ -5535,52 +5940,54 @@ static void selinux_msg_msg_free_security(struct msg_msg *msg)
5535} 5940}
5536 5941
5537/* message queue security operations */ 5942/* message queue security operations */
5538static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 5943static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5539{ 5944{
5540 struct ipc_security_struct *isec; 5945 struct ipc_security_struct *isec;
5541 struct common_audit_data ad; 5946 struct common_audit_data ad;
5542 u32 sid = current_sid(); 5947 u32 sid = current_sid();
5543 int rc; 5948 int rc;
5544 5949
5545 rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ); 5950 rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
5546 if (rc) 5951 if (rc)
5547 return rc; 5952 return rc;
5548 5953
5549 isec = msq->q_perm.security; 5954 isec = msq->security;
5550 5955
5551 ad.type = LSM_AUDIT_DATA_IPC; 5956 ad.type = LSM_AUDIT_DATA_IPC;
5552 ad.u.ipc_id = msq->q_perm.key; 5957 ad.u.ipc_id = msq->key;
5553 5958
5554 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5959 rc = avc_has_perm(&selinux_state,
5960 sid, isec->sid, SECCLASS_MSGQ,
5555 MSGQ__CREATE, &ad); 5961 MSGQ__CREATE, &ad);
5556 if (rc) { 5962 if (rc) {
5557 ipc_free_security(&msq->q_perm); 5963 ipc_free_security(msq);
5558 return rc; 5964 return rc;
5559 } 5965 }
5560 return 0; 5966 return 0;
5561} 5967}
5562 5968
5563static void selinux_msg_queue_free_security(struct msg_queue *msq) 5969static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
5564{ 5970{
5565 ipc_free_security(&msq->q_perm); 5971 ipc_free_security(msq);
5566} 5972}
5567 5973
5568static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 5974static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5569{ 5975{
5570 struct ipc_security_struct *isec; 5976 struct ipc_security_struct *isec;
5571 struct common_audit_data ad; 5977 struct common_audit_data ad;
5572 u32 sid = current_sid(); 5978 u32 sid = current_sid();
5573 5979
5574 isec = msq->q_perm.security; 5980 isec = msq->security;
5575 5981
5576 ad.type = LSM_AUDIT_DATA_IPC; 5982 ad.type = LSM_AUDIT_DATA_IPC;
5577 ad.u.ipc_id = msq->q_perm.key; 5983 ad.u.ipc_id = msq->key;
5578 5984
5579 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5985 return avc_has_perm(&selinux_state,
5986 sid, isec->sid, SECCLASS_MSGQ,
5580 MSGQ__ASSOCIATE, &ad); 5987 MSGQ__ASSOCIATE, &ad);
5581} 5988}
5582 5989
5583static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 5990static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
5584{ 5991{
5585 int err; 5992 int err;
5586 int perms; 5993 int perms;
@@ -5589,7 +5996,8 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5589 case IPC_INFO: 5996 case IPC_INFO:
5590 case MSG_INFO: 5997 case MSG_INFO:
5591 /* No specific object, just general system-wide information. */ 5998 /* No specific object, just general system-wide information. */
5592 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 5999 return avc_has_perm(&selinux_state,
6000 current_sid(), SECINITSID_KERNEL,
5593 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6001 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5594 case IPC_STAT: 6002 case IPC_STAT:
5595 case MSG_STAT: 6003 case MSG_STAT:
@@ -5605,11 +6013,11 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5605 return 0; 6013 return 0;
5606 } 6014 }
5607 6015
5608 err = ipc_has_perm(&msq->q_perm, perms); 6016 err = ipc_has_perm(msq, perms);
5609 return err; 6017 return err;
5610} 6018}
5611 6019
5612static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 6020static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
5613{ 6021{
5614 struct ipc_security_struct *isec; 6022 struct ipc_security_struct *isec;
5615 struct msg_security_struct *msec; 6023 struct msg_security_struct *msec;
@@ -5617,7 +6025,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
5617 u32 sid = current_sid(); 6025 u32 sid = current_sid();
5618 int rc; 6026 int rc;
5619 6027
5620 isec = msq->q_perm.security; 6028 isec = msq->security;
5621 msec = msg->security; 6029 msec = msg->security;
5622 6030
5623 /* 6031 /*
@@ -5628,31 +6036,34 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
5628 * Compute new sid based on current process and 6036 * Compute new sid based on current process and
5629 * message queue this message will be stored in 6037 * message queue this message will be stored in
5630 */ 6038 */
5631 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG, 6039 rc = security_transition_sid(&selinux_state, sid, isec->sid,
5632 NULL, &msec->sid); 6040 SECCLASS_MSG, NULL, &msec->sid);
5633 if (rc) 6041 if (rc)
5634 return rc; 6042 return rc;
5635 } 6043 }
5636 6044
5637 ad.type = LSM_AUDIT_DATA_IPC; 6045 ad.type = LSM_AUDIT_DATA_IPC;
5638 ad.u.ipc_id = msq->q_perm.key; 6046 ad.u.ipc_id = msq->key;
5639 6047
5640 /* Can this process write to the queue? */ 6048 /* Can this process write to the queue? */
5641 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6049 rc = avc_has_perm(&selinux_state,
6050 sid, isec->sid, SECCLASS_MSGQ,
5642 MSGQ__WRITE, &ad); 6051 MSGQ__WRITE, &ad);
5643 if (!rc) 6052 if (!rc)
5644 /* Can this process send the message */ 6053 /* Can this process send the message */
5645 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 6054 rc = avc_has_perm(&selinux_state,
6055 sid, msec->sid, SECCLASS_MSG,
5646 MSG__SEND, &ad); 6056 MSG__SEND, &ad);
5647 if (!rc) 6057 if (!rc)
5648 /* Can the message be put in the queue? */ 6058 /* Can the message be put in the queue? */
5649 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 6059 rc = avc_has_perm(&selinux_state,
6060 msec->sid, isec->sid, SECCLASS_MSGQ,
5650 MSGQ__ENQUEUE, &ad); 6061 MSGQ__ENQUEUE, &ad);
5651 6062
5652 return rc; 6063 return rc;
5653} 6064}
5654 6065
5655static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 6066static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
5656 struct task_struct *target, 6067 struct task_struct *target,
5657 long type, int mode) 6068 long type, int mode)
5658{ 6069{
@@ -5662,68 +6073,72 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5662 u32 sid = task_sid(target); 6073 u32 sid = task_sid(target);
5663 int rc; 6074 int rc;
5664 6075
5665 isec = msq->q_perm.security; 6076 isec = msq->security;
5666 msec = msg->security; 6077 msec = msg->security;
5667 6078
5668 ad.type = LSM_AUDIT_DATA_IPC; 6079 ad.type = LSM_AUDIT_DATA_IPC;
5669 ad.u.ipc_id = msq->q_perm.key; 6080 ad.u.ipc_id = msq->key;
5670 6081
5671 rc = avc_has_perm(sid, isec->sid, 6082 rc = avc_has_perm(&selinux_state,
6083 sid, isec->sid,
5672 SECCLASS_MSGQ, MSGQ__READ, &ad); 6084 SECCLASS_MSGQ, MSGQ__READ, &ad);
5673 if (!rc) 6085 if (!rc)
5674 rc = avc_has_perm(sid, msec->sid, 6086 rc = avc_has_perm(&selinux_state,
6087 sid, msec->sid,
5675 SECCLASS_MSG, MSG__RECEIVE, &ad); 6088 SECCLASS_MSG, MSG__RECEIVE, &ad);
5676 return rc; 6089 return rc;
5677} 6090}
5678 6091
5679/* Shared Memory security operations */ 6092/* Shared Memory security operations */
5680static int selinux_shm_alloc_security(struct shmid_kernel *shp) 6093static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
5681{ 6094{
5682 struct ipc_security_struct *isec; 6095 struct ipc_security_struct *isec;
5683 struct common_audit_data ad; 6096 struct common_audit_data ad;
5684 u32 sid = current_sid(); 6097 u32 sid = current_sid();
5685 int rc; 6098 int rc;
5686 6099
5687 rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM); 6100 rc = ipc_alloc_security(shp, SECCLASS_SHM);
5688 if (rc) 6101 if (rc)
5689 return rc; 6102 return rc;
5690 6103
5691 isec = shp->shm_perm.security; 6104 isec = shp->security;
5692 6105
5693 ad.type = LSM_AUDIT_DATA_IPC; 6106 ad.type = LSM_AUDIT_DATA_IPC;
5694 ad.u.ipc_id = shp->shm_perm.key; 6107 ad.u.ipc_id = shp->key;
5695 6108
5696 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6109 rc = avc_has_perm(&selinux_state,
6110 sid, isec->sid, SECCLASS_SHM,
5697 SHM__CREATE, &ad); 6111 SHM__CREATE, &ad);
5698 if (rc) { 6112 if (rc) {
5699 ipc_free_security(&shp->shm_perm); 6113 ipc_free_security(shp);
5700 return rc; 6114 return rc;
5701 } 6115 }
5702 return 0; 6116 return 0;
5703} 6117}
5704 6118
5705static void selinux_shm_free_security(struct shmid_kernel *shp) 6119static void selinux_shm_free_security(struct kern_ipc_perm *shp)
5706{ 6120{
5707 ipc_free_security(&shp->shm_perm); 6121 ipc_free_security(shp);
5708} 6122}
5709 6123
5710static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 6124static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
5711{ 6125{
5712 struct ipc_security_struct *isec; 6126 struct ipc_security_struct *isec;
5713 struct common_audit_data ad; 6127 struct common_audit_data ad;
5714 u32 sid = current_sid(); 6128 u32 sid = current_sid();
5715 6129
5716 isec = shp->shm_perm.security; 6130 isec = shp->security;
5717 6131
5718 ad.type = LSM_AUDIT_DATA_IPC; 6132 ad.type = LSM_AUDIT_DATA_IPC;
5719 ad.u.ipc_id = shp->shm_perm.key; 6133 ad.u.ipc_id = shp->key;
5720 6134
5721 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6135 return avc_has_perm(&selinux_state,
6136 sid, isec->sid, SECCLASS_SHM,
5722 SHM__ASSOCIATE, &ad); 6137 SHM__ASSOCIATE, &ad);
5723} 6138}
5724 6139
5725/* Note, at this point, shp is locked down */ 6140/* Note, at this point, shp is locked down */
5726static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 6141static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
5727{ 6142{
5728 int perms; 6143 int perms;
5729 int err; 6144 int err;
@@ -5732,7 +6147,8 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5732 case IPC_INFO: 6147 case IPC_INFO:
5733 case SHM_INFO: 6148 case SHM_INFO:
5734 /* No specific object, just general system-wide information. */ 6149 /* No specific object, just general system-wide information. */
5735 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6150 return avc_has_perm(&selinux_state,
6151 current_sid(), SECINITSID_KERNEL,
5736 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6152 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5737 case IPC_STAT: 6153 case IPC_STAT:
5738 case SHM_STAT: 6154 case SHM_STAT:
@@ -5752,11 +6168,11 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5752 return 0; 6168 return 0;
5753 } 6169 }
5754 6170
5755 err = ipc_has_perm(&shp->shm_perm, perms); 6171 err = ipc_has_perm(shp, perms);
5756 return err; 6172 return err;
5757} 6173}
5758 6174
5759static int selinux_shm_shmat(struct shmid_kernel *shp, 6175static int selinux_shm_shmat(struct kern_ipc_perm *shp,
5760 char __user *shmaddr, int shmflg) 6176 char __user *shmaddr, int shmflg)
5761{ 6177{
5762 u32 perms; 6178 u32 perms;
@@ -5766,57 +6182,59 @@ static int selinux_shm_shmat(struct shmid_kernel *shp,
5766 else 6182 else
5767 perms = SHM__READ | SHM__WRITE; 6183 perms = SHM__READ | SHM__WRITE;
5768 6184
5769 return ipc_has_perm(&shp->shm_perm, perms); 6185 return ipc_has_perm(shp, perms);
5770} 6186}
5771 6187
5772/* Semaphore security operations */ 6188/* Semaphore security operations */
5773static int selinux_sem_alloc_security(struct sem_array *sma) 6189static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
5774{ 6190{
5775 struct ipc_security_struct *isec; 6191 struct ipc_security_struct *isec;
5776 struct common_audit_data ad; 6192 struct common_audit_data ad;
5777 u32 sid = current_sid(); 6193 u32 sid = current_sid();
5778 int rc; 6194 int rc;
5779 6195
5780 rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM); 6196 rc = ipc_alloc_security(sma, SECCLASS_SEM);
5781 if (rc) 6197 if (rc)
5782 return rc; 6198 return rc;
5783 6199
5784 isec = sma->sem_perm.security; 6200 isec = sma->security;
5785 6201
5786 ad.type = LSM_AUDIT_DATA_IPC; 6202 ad.type = LSM_AUDIT_DATA_IPC;
5787 ad.u.ipc_id = sma->sem_perm.key; 6203 ad.u.ipc_id = sma->key;
5788 6204
5789 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6205 rc = avc_has_perm(&selinux_state,
6206 sid, isec->sid, SECCLASS_SEM,
5790 SEM__CREATE, &ad); 6207 SEM__CREATE, &ad);
5791 if (rc) { 6208 if (rc) {
5792 ipc_free_security(&sma->sem_perm); 6209 ipc_free_security(sma);
5793 return rc; 6210 return rc;
5794 } 6211 }
5795 return 0; 6212 return 0;
5796} 6213}
5797 6214
5798static void selinux_sem_free_security(struct sem_array *sma) 6215static void selinux_sem_free_security(struct kern_ipc_perm *sma)
5799{ 6216{
5800 ipc_free_security(&sma->sem_perm); 6217 ipc_free_security(sma);
5801} 6218}
5802 6219
5803static int selinux_sem_associate(struct sem_array *sma, int semflg) 6220static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
5804{ 6221{
5805 struct ipc_security_struct *isec; 6222 struct ipc_security_struct *isec;
5806 struct common_audit_data ad; 6223 struct common_audit_data ad;
5807 u32 sid = current_sid(); 6224 u32 sid = current_sid();
5808 6225
5809 isec = sma->sem_perm.security; 6226 isec = sma->security;
5810 6227
5811 ad.type = LSM_AUDIT_DATA_IPC; 6228 ad.type = LSM_AUDIT_DATA_IPC;
5812 ad.u.ipc_id = sma->sem_perm.key; 6229 ad.u.ipc_id = sma->key;
5813 6230
5814 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6231 return avc_has_perm(&selinux_state,
6232 sid, isec->sid, SECCLASS_SEM,
5815 SEM__ASSOCIATE, &ad); 6233 SEM__ASSOCIATE, &ad);
5816} 6234}
5817 6235
5818/* Note, at this point, sma is locked down */ 6236/* Note, at this point, sma is locked down */
5819static int selinux_sem_semctl(struct sem_array *sma, int cmd) 6237static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
5820{ 6238{
5821 int err; 6239 int err;
5822 u32 perms; 6240 u32 perms;
@@ -5825,7 +6243,8 @@ static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5825 case IPC_INFO: 6243 case IPC_INFO:
5826 case SEM_INFO: 6244 case SEM_INFO:
5827 /* No specific object, just general system-wide information. */ 6245 /* No specific object, just general system-wide information. */
5828 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6246 return avc_has_perm(&selinux_state,
6247 current_sid(), SECINITSID_KERNEL,
5829 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6248 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5830 case GETPID: 6249 case GETPID:
5831 case GETNCNT: 6250 case GETNCNT:
@@ -5854,11 +6273,11 @@ static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5854 return 0; 6273 return 0;
5855 } 6274 }
5856 6275
5857 err = ipc_has_perm(&sma->sem_perm, perms); 6276 err = ipc_has_perm(sma, perms);
5858 return err; 6277 return err;
5859} 6278}
5860 6279
5861static int selinux_sem_semop(struct sem_array *sma, 6280static int selinux_sem_semop(struct kern_ipc_perm *sma,
5862 struct sembuf *sops, unsigned nsops, int alter) 6281 struct sembuf *sops, unsigned nsops, int alter)
5863{ 6282{
5864 u32 perms; 6283 u32 perms;
@@ -5868,7 +6287,7 @@ static int selinux_sem_semop(struct sem_array *sma,
5868 else 6287 else
5869 perms = SEM__READ; 6288 perms = SEM__READ;
5870 6289
5871 return ipc_has_perm(&sma->sem_perm, perms); 6290 return ipc_has_perm(sma, perms);
5872} 6291}
5873 6292
5874static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6293static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
@@ -5911,7 +6330,8 @@ static int selinux_getprocattr(struct task_struct *p,
5911 __tsec = __task_cred(p)->security; 6330 __tsec = __task_cred(p)->security;
5912 6331
5913 if (current != p) { 6332 if (current != p) {
5914 error = avc_has_perm(current_sid(), __tsec->sid, 6333 error = avc_has_perm(&selinux_state,
6334 current_sid(), __tsec->sid,
5915 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6335 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
5916 if (error) 6336 if (error)
5917 goto bad; 6337 goto bad;
@@ -5938,7 +6358,7 @@ static int selinux_getprocattr(struct task_struct *p,
5938 if (!sid) 6358 if (!sid)
5939 return 0; 6359 return 0;
5940 6360
5941 error = security_sid_to_context(sid, value, &len); 6361 error = security_sid_to_context(&selinux_state, sid, value, &len);
5942 if (error) 6362 if (error)
5943 return error; 6363 return error;
5944 return len; 6364 return len;
@@ -5960,19 +6380,24 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
5960 * Basic control over ability to set these attributes at all. 6380 * Basic control over ability to set these attributes at all.
5961 */ 6381 */
5962 if (!strcmp(name, "exec")) 6382 if (!strcmp(name, "exec"))
5963 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6383 error = avc_has_perm(&selinux_state,
6384 mysid, mysid, SECCLASS_PROCESS,
5964 PROCESS__SETEXEC, NULL); 6385 PROCESS__SETEXEC, NULL);
5965 else if (!strcmp(name, "fscreate")) 6386 else if (!strcmp(name, "fscreate"))
5966 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6387 error = avc_has_perm(&selinux_state,
6388 mysid, mysid, SECCLASS_PROCESS,
5967 PROCESS__SETFSCREATE, NULL); 6389 PROCESS__SETFSCREATE, NULL);
5968 else if (!strcmp(name, "keycreate")) 6390 else if (!strcmp(name, "keycreate"))
5969 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6391 error = avc_has_perm(&selinux_state,
6392 mysid, mysid, SECCLASS_PROCESS,
5970 PROCESS__SETKEYCREATE, NULL); 6393 PROCESS__SETKEYCREATE, NULL);
5971 else if (!strcmp(name, "sockcreate")) 6394 else if (!strcmp(name, "sockcreate"))
5972 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6395 error = avc_has_perm(&selinux_state,
6396 mysid, mysid, SECCLASS_PROCESS,
5973 PROCESS__SETSOCKCREATE, NULL); 6397 PROCESS__SETSOCKCREATE, NULL);
5974 else if (!strcmp(name, "current")) 6398 else if (!strcmp(name, "current"))
5975 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6399 error = avc_has_perm(&selinux_state,
6400 mysid, mysid, SECCLASS_PROCESS,
5976 PROCESS__SETCURRENT, NULL); 6401 PROCESS__SETCURRENT, NULL);
5977 else 6402 else
5978 error = -EINVAL; 6403 error = -EINVAL;
@@ -5985,7 +6410,8 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
5985 str[size-1] = 0; 6410 str[size-1] = 0;
5986 size--; 6411 size--;
5987 } 6412 }
5988 error = security_context_to_sid(value, size, &sid, GFP_KERNEL); 6413 error = security_context_to_sid(&selinux_state, value, size,
6414 &sid, GFP_KERNEL);
5989 if (error == -EINVAL && !strcmp(name, "fscreate")) { 6415 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5990 if (!has_cap_mac_admin(true)) { 6416 if (!has_cap_mac_admin(true)) {
5991 struct audit_buffer *ab; 6417 struct audit_buffer *ab;
@@ -6004,8 +6430,9 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6004 6430
6005 return error; 6431 return error;
6006 } 6432 }
6007 error = security_context_to_sid_force(value, size, 6433 error = security_context_to_sid_force(
6008 &sid); 6434 &selinux_state,
6435 value, size, &sid);
6009 } 6436 }
6010 if (error) 6437 if (error)
6011 return error; 6438 return error;
@@ -6027,7 +6454,8 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6027 } else if (!strcmp(name, "fscreate")) { 6454 } else if (!strcmp(name, "fscreate")) {
6028 tsec->create_sid = sid; 6455 tsec->create_sid = sid;
6029 } else if (!strcmp(name, "keycreate")) { 6456 } else if (!strcmp(name, "keycreate")) {
6030 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE, 6457 error = avc_has_perm(&selinux_state,
6458 mysid, sid, SECCLASS_KEY, KEY__CREATE,
6031 NULL); 6459 NULL);
6032 if (error) 6460 if (error)
6033 goto abort_change; 6461 goto abort_change;
@@ -6042,13 +6470,15 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6042 /* Only allow single threaded processes to change context */ 6470 /* Only allow single threaded processes to change context */
6043 error = -EPERM; 6471 error = -EPERM;
6044 if (!current_is_single_threaded()) { 6472 if (!current_is_single_threaded()) {
6045 error = security_bounded_transition(tsec->sid, sid); 6473 error = security_bounded_transition(&selinux_state,
6474 tsec->sid, sid);
6046 if (error) 6475 if (error)
6047 goto abort_change; 6476 goto abort_change;
6048 } 6477 }
6049 6478
6050 /* Check permissions for the transition. */ 6479 /* Check permissions for the transition. */
6051 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 6480 error = avc_has_perm(&selinux_state,
6481 tsec->sid, sid, SECCLASS_PROCESS,
6052 PROCESS__DYNTRANSITION, NULL); 6482 PROCESS__DYNTRANSITION, NULL);
6053 if (error) 6483 if (error)
6054 goto abort_change; 6484 goto abort_change;
@@ -6057,7 +6487,8 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6057 Otherwise, leave SID unchanged and fail. */ 6487 Otherwise, leave SID unchanged and fail. */
6058 ptsid = ptrace_parent_sid(); 6488 ptsid = ptrace_parent_sid();
6059 if (ptsid != 0) { 6489 if (ptsid != 0) {
6060 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 6490 error = avc_has_perm(&selinux_state,
6491 ptsid, sid, SECCLASS_PROCESS,
6061 PROCESS__PTRACE, NULL); 6492 PROCESS__PTRACE, NULL);
6062 if (error) 6493 if (error)
6063 goto abort_change; 6494 goto abort_change;
@@ -6084,12 +6515,14 @@ static int selinux_ismaclabel(const char *name)
6084 6515
6085static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6516static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6086{ 6517{
6087 return security_sid_to_context(secid, secdata, seclen); 6518 return security_sid_to_context(&selinux_state, secid,
6519 secdata, seclen);
6088} 6520}
6089 6521
6090static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6522static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6091{ 6523{
6092 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL); 6524 return security_context_to_sid(&selinux_state, secdata, seclen,
6525 secid, GFP_KERNEL);
6093} 6526}
6094 6527
6095static void selinux_release_secctx(char *secdata, u32 seclen) 6528static void selinux_release_secctx(char *secdata, u32 seclen)
@@ -6181,7 +6614,8 @@ static int selinux_key_permission(key_ref_t key_ref,
6181 key = key_ref_to_ptr(key_ref); 6614 key = key_ref_to_ptr(key_ref);
6182 ksec = key->security; 6615 ksec = key->security;
6183 6616
6184 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6617 return avc_has_perm(&selinux_state,
6618 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6185} 6619}
6186 6620
6187static int selinux_key_getsecurity(struct key *key, char **_buffer) 6621static int selinux_key_getsecurity(struct key *key, char **_buffer)
@@ -6191,7 +6625,8 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
6191 unsigned len; 6625 unsigned len;
6192 int rc; 6626 int rc;
6193 6627
6194 rc = security_sid_to_context(ksec->sid, &context, &len); 6628 rc = security_sid_to_context(&selinux_state, ksec->sid,
6629 &context, &len);
6195 if (!rc) 6630 if (!rc)
6196 rc = len; 6631 rc = len;
6197 *_buffer = context; 6632 *_buffer = context;
@@ -6216,7 +6651,8 @@ static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6216 ibpkey.subnet_prefix = subnet_prefix; 6651 ibpkey.subnet_prefix = subnet_prefix;
6217 ibpkey.pkey = pkey_val; 6652 ibpkey.pkey = pkey_val;
6218 ad.u.ibpkey = &ibpkey; 6653 ad.u.ibpkey = &ibpkey;
6219 return avc_has_perm(sec->sid, sid, 6654 return avc_has_perm(&selinux_state,
6655 sec->sid, sid,
6220 SECCLASS_INFINIBAND_PKEY, 6656 SECCLASS_INFINIBAND_PKEY,
6221 INFINIBAND_PKEY__ACCESS, &ad); 6657 INFINIBAND_PKEY__ACCESS, &ad);
6222} 6658}
@@ -6230,7 +6666,8 @@ static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6230 struct ib_security_struct *sec = ib_sec; 6666 struct ib_security_struct *sec = ib_sec;
6231 struct lsm_ibendport_audit ibendport; 6667 struct lsm_ibendport_audit ibendport;
6232 6668
6233 err = security_ib_endport_sid(dev_name, port_num, &sid); 6669 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6670 &sid);
6234 6671
6235 if (err) 6672 if (err)
6236 return err; 6673 return err;
@@ -6239,7 +6676,8 @@ static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6239 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); 6676 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6240 ibendport.port = port_num; 6677 ibendport.port = port_num;
6241 ad.u.ibendport = &ibendport; 6678 ad.u.ibendport = &ibendport;
6242 return avc_has_perm(sec->sid, sid, 6679 return avc_has_perm(&selinux_state,
6680 sec->sid, sid,
6243 SECCLASS_INFINIBAND_ENDPORT, 6681 SECCLASS_INFINIBAND_ENDPORT,
6244 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6682 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6245} 6683}
@@ -6272,11 +6710,13 @@ static int selinux_bpf(int cmd, union bpf_attr *attr,
6272 6710
6273 switch (cmd) { 6711 switch (cmd) {
6274 case BPF_MAP_CREATE: 6712 case BPF_MAP_CREATE:
6275 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6713 ret = avc_has_perm(&selinux_state,
6714 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6276 NULL); 6715 NULL);
6277 break; 6716 break;
6278 case BPF_PROG_LOAD: 6717 case BPF_PROG_LOAD:
6279 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6718 ret = avc_has_perm(&selinux_state,
6719 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6280 NULL); 6720 NULL);
6281 break; 6721 break;
6282 default: 6722 default:
@@ -6316,14 +6756,16 @@ static int bpf_fd_pass(struct file *file, u32 sid)
6316 if (file->f_op == &bpf_map_fops) { 6756 if (file->f_op == &bpf_map_fops) {
6317 map = file->private_data; 6757 map = file->private_data;
6318 bpfsec = map->security; 6758 bpfsec = map->security;
6319 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6759 ret = avc_has_perm(&selinux_state,
6760 sid, bpfsec->sid, SECCLASS_BPF,
6320 bpf_map_fmode_to_av(file->f_mode), NULL); 6761 bpf_map_fmode_to_av(file->f_mode), NULL);
6321 if (ret) 6762 if (ret)
6322 return ret; 6763 return ret;
6323 } else if (file->f_op == &bpf_prog_fops) { 6764 } else if (file->f_op == &bpf_prog_fops) {
6324 prog = file->private_data; 6765 prog = file->private_data;
6325 bpfsec = prog->aux->security; 6766 bpfsec = prog->aux->security;
6326 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6767 ret = avc_has_perm(&selinux_state,
6768 sid, bpfsec->sid, SECCLASS_BPF,
6327 BPF__PROG_RUN, NULL); 6769 BPF__PROG_RUN, NULL);
6328 if (ret) 6770 if (ret)
6329 return ret; 6771 return ret;
@@ -6337,7 +6779,8 @@ static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6337 struct bpf_security_struct *bpfsec; 6779 struct bpf_security_struct *bpfsec;
6338 6780
6339 bpfsec = map->security; 6781 bpfsec = map->security;
6340 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6782 return avc_has_perm(&selinux_state,
6783 sid, bpfsec->sid, SECCLASS_BPF,
6341 bpf_map_fmode_to_av(fmode), NULL); 6784 bpf_map_fmode_to_av(fmode), NULL);
6342} 6785}
6343 6786
@@ -6347,7 +6790,8 @@ static int selinux_bpf_prog(struct bpf_prog *prog)
6347 struct bpf_security_struct *bpfsec; 6790 struct bpf_security_struct *bpfsec;
6348 6791
6349 bpfsec = prog->aux->security; 6792 bpfsec = prog->aux->security;
6350 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6793 return avc_has_perm(&selinux_state,
6794 sid, bpfsec->sid, SECCLASS_BPF,
6351 BPF__PROG_RUN, NULL); 6795 BPF__PROG_RUN, NULL);
6352} 6796}
6353 6797
@@ -6566,6 +7010,9 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6566 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7010 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6567 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7011 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6568 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7012 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7013 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7014 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7015 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
6569 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7016 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6570 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7017 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6571 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7018 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
@@ -6641,6 +7088,12 @@ static __init int selinux_init(void)
6641 7088
6642 printk(KERN_INFO "SELinux: Initializing.\n"); 7089 printk(KERN_INFO "SELinux: Initializing.\n");
6643 7090
7091 memset(&selinux_state, 0, sizeof(selinux_state));
7092 enforcing_set(&selinux_state, selinux_enforcing_boot);
7093 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7094 selinux_ss_init(&selinux_state.ss);
7095 selinux_avc_init(&selinux_state.avc);
7096
6644 /* Set the security state for the initial task. */ 7097 /* Set the security state for the initial task. */
6645 cred_init_security(); 7098 cred_init_security();
6646 7099
@@ -6654,6 +7107,12 @@ static __init int selinux_init(void)
6654 0, SLAB_PANIC, NULL); 7107 0, SLAB_PANIC, NULL);
6655 avc_init(); 7108 avc_init();
6656 7109
7110 avtab_cache_init();
7111
7112 ebitmap_cache_init();
7113
7114 hashtab_cache_init();
7115
6657 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 7116 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
6658 7117
6659 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7118 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
@@ -6662,7 +7121,7 @@ static __init int selinux_init(void)
6662 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7121 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
6663 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7122 panic("SELinux: Unable to register AVC LSM notifier callback\n");
6664 7123
6665 if (selinux_enforcing) 7124 if (selinux_enforcing_boot)
6666 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 7125 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6667 else 7126 else
6668 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 7127 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
@@ -6783,23 +7242,22 @@ static void selinux_nf_ip_exit(void)
6783#endif /* CONFIG_NETFILTER */ 7242#endif /* CONFIG_NETFILTER */
6784 7243
6785#ifdef CONFIG_SECURITY_SELINUX_DISABLE 7244#ifdef CONFIG_SECURITY_SELINUX_DISABLE
6786static int selinux_disabled; 7245int selinux_disable(struct selinux_state *state)
6787
6788int selinux_disable(void)
6789{ 7246{
6790 if (ss_initialized) { 7247 if (state->initialized) {
6791 /* Not permitted after initial policy load. */ 7248 /* Not permitted after initial policy load. */
6792 return -EINVAL; 7249 return -EINVAL;
6793 } 7250 }
6794 7251
6795 if (selinux_disabled) { 7252 if (state->disabled) {
6796 /* Only do this once. */ 7253 /* Only do this once. */
6797 return -EINVAL; 7254 return -EINVAL;
6798 } 7255 }
6799 7256
7257 state->disabled = 1;
7258
6800 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 7259 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6801 7260
6802 selinux_disabled = 1;
6803 selinux_enabled = 0; 7261 selinux_enabled = 0;
6804 7262
6805 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 7263 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
generated by cgit v1.2.2 (git 2.25.0) at 2025-10-06 13:34:50 -0400