Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c671
1 files changed, 309 insertions, 362 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4d1a54190388..564079c5c49d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -29,7 +29,7 @@
29#include <linux/tracehook.h> 29#include <linux/tracehook.h>
30#include <linux/errno.h> 30#include <linux/errno.h>
31#include <linux/sched.h> 31#include <linux/sched.h>
32#include <linux/security.h> 32#include <linux/lsm_hooks.h>
33#include <linux/xattr.h> 33#include <linux/xattr.h>
34#include <linux/capability.h> 34#include <linux/capability.h>
35#include <linux/unistd.h> 35#include <linux/unistd.h>
@@ -51,7 +51,6 @@
51#include <linux/tty.h> 51#include <linux/tty.h>
52#include <net/icmp.h> 52#include <net/icmp.h>
53#include <net/ip.h> /* for local_port_range[] */ 53#include <net/ip.h> /* for local_port_range[] */
54#include <net/sock.h>
55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 54#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56#include <net/inet_connection_sock.h> 55#include <net/inet_connection_sock.h>
57#include <net/net_namespace.h> 56#include <net/net_namespace.h>
@@ -404,6 +403,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
404 return sbsec->behavior == SECURITY_FS_USE_XATTR || 403 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
405 sbsec->behavior == SECURITY_FS_USE_TRANS || 404 sbsec->behavior == SECURITY_FS_USE_TRANS ||
406 sbsec->behavior == SECURITY_FS_USE_TASK || 405 sbsec->behavior == SECURITY_FS_USE_TASK ||
406 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
407 /* Special handling. Genfs but also in-core setxattr handler */ 407 /* Special handling. Genfs but also in-core setxattr handler */
408 !strcmp(sb->s_type->name, "sysfs") || 408 !strcmp(sb->s_type->name, "sysfs") ||
409 !strcmp(sb->s_type->name, "pstore") || 409 !strcmp(sb->s_type->name, "pstore") ||
@@ -415,7 +415,7 @@ static int sb_finish_set_opts(struct super_block *sb)
415{ 415{
416 struct superblock_security_struct *sbsec = sb->s_security; 416 struct superblock_security_struct *sbsec = sb->s_security;
417 struct dentry *root = sb->s_root; 417 struct dentry *root = sb->s_root;
418 struct inode *root_inode = root->d_inode; 418 struct inode *root_inode = d_backing_inode(root);
419 int rc = 0; 419 int rc = 0;
420 420
421 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 421 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
@@ -553,7 +553,7 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
553 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 553 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
554 } 554 }
555 if (sbsec->flags & ROOTCONTEXT_MNT) { 555 if (sbsec->flags & ROOTCONTEXT_MNT) {
556 struct inode *root = sbsec->sb->s_root->d_inode; 556 struct inode *root = d_backing_inode(sbsec->sb->s_root);
557 struct inode_security_struct *isec = root->i_security; 557 struct inode_security_struct *isec = root->i_security;
558 558
559 rc = security_sid_to_context(isec->sid, &context, &len); 559 rc = security_sid_to_context(isec->sid, &context, &len);
@@ -609,7 +609,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
609 int rc = 0, i; 609 int rc = 0, i;
610 struct superblock_security_struct *sbsec = sb->s_security; 610 struct superblock_security_struct *sbsec = sb->s_security;
611 const char *name = sb->s_type->name; 611 const char *name = sb->s_type->name;
612 struct inode *inode = sbsec->sb->s_root->d_inode; 612 struct inode *inode = d_backing_inode(sbsec->sb->s_root);
613 struct inode_security_struct *root_isec = inode->i_security; 613 struct inode_security_struct *root_isec = inode->i_security;
614 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 614 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
615 u32 defcontext_sid = 0; 615 u32 defcontext_sid = 0;
@@ -725,7 +725,12 @@ static int selinux_set_mnt_opts(struct super_block *sb,
725 } 725 }
726 726
727 if (strcmp(sb->s_type->name, "proc") == 0) 727 if (strcmp(sb->s_type->name, "proc") == 0)
728 sbsec->flags |= SE_SBPROC; 728 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
729
730 if (!strcmp(sb->s_type->name, "debugfs") ||
731 !strcmp(sb->s_type->name, "sysfs") ||
732 !strcmp(sb->s_type->name, "pstore"))
733 sbsec->flags |= SE_SBGENFS;
729 734
730 if (!sbsec->behavior) { 735 if (!sbsec->behavior) {
731 /* 736 /*
@@ -836,8 +841,8 @@ static int selinux_cmp_sb_context(const struct super_block *oldsb,
836 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 841 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
837 goto mismatch; 842 goto mismatch;
838 if (oldflags & ROOTCONTEXT_MNT) { 843 if (oldflags & ROOTCONTEXT_MNT) {
839 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security; 844 struct inode_security_struct *oldroot = d_backing_inode(oldsb->s_root)->i_security;
840 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security; 845 struct inode_security_struct *newroot = d_backing_inode(newsb->s_root)->i_security;
841 if (oldroot->sid != newroot->sid) 846 if (oldroot->sid != newroot->sid)
842 goto mismatch; 847 goto mismatch;
843 } 848 }
@@ -887,16 +892,16 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
887 if (!set_fscontext) 892 if (!set_fscontext)
888 newsbsec->sid = sid; 893 newsbsec->sid = sid;
889 if (!set_rootcontext) { 894 if (!set_rootcontext) {
890 struct inode *newinode = newsb->s_root->d_inode; 895 struct inode *newinode = d_backing_inode(newsb->s_root);
891 struct inode_security_struct *newisec = newinode->i_security; 896 struct inode_security_struct *newisec = newinode->i_security;
892 newisec->sid = sid; 897 newisec->sid = sid;
893 } 898 }
894 newsbsec->mntpoint_sid = sid; 899 newsbsec->mntpoint_sid = sid;
895 } 900 }
896 if (set_rootcontext) { 901 if (set_rootcontext) {
897 const struct inode *oldinode = oldsb->s_root->d_inode; 902 const struct inode *oldinode = d_backing_inode(oldsb->s_root);
898 const struct inode_security_struct *oldisec = oldinode->i_security; 903 const struct inode_security_struct *oldisec = oldinode->i_security;
899 struct inode *newinode = newsb->s_root->d_inode; 904 struct inode *newinode = d_backing_inode(newsb->s_root);
900 struct inode_security_struct *newisec = newinode->i_security; 905 struct inode_security_struct *newisec = newinode->i_security;
901 906
902 newisec->sid = oldisec->sid; 907 newisec->sid = oldisec->sid;
@@ -1189,8 +1194,6 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
1189 switch (protocol) { 1194 switch (protocol) {
1190 case NETLINK_ROUTE: 1195 case NETLINK_ROUTE:
1191 return SECCLASS_NETLINK_ROUTE_SOCKET; 1196 return SECCLASS_NETLINK_ROUTE_SOCKET;
1192 case NETLINK_FIREWALL:
1193 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1194 case NETLINK_SOCK_DIAG: 1197 case NETLINK_SOCK_DIAG:
1195 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1198 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1196 case NETLINK_NFLOG: 1199 case NETLINK_NFLOG:
@@ -1199,14 +1202,28 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
1199 return SECCLASS_NETLINK_XFRM_SOCKET; 1202 return SECCLASS_NETLINK_XFRM_SOCKET;
1200 case NETLINK_SELINUX: 1203 case NETLINK_SELINUX:
1201 return SECCLASS_NETLINK_SELINUX_SOCKET; 1204 return SECCLASS_NETLINK_SELINUX_SOCKET;
1205 case NETLINK_ISCSI:
1206 return SECCLASS_NETLINK_ISCSI_SOCKET;
1202 case NETLINK_AUDIT: 1207 case NETLINK_AUDIT:
1203 return SECCLASS_NETLINK_AUDIT_SOCKET; 1208 return SECCLASS_NETLINK_AUDIT_SOCKET;
1204 case NETLINK_IP6_FW: 1209 case NETLINK_FIB_LOOKUP:
1205 return SECCLASS_NETLINK_IP6FW_SOCKET; 1210 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1211 case NETLINK_CONNECTOR:
1212 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1213 case NETLINK_NETFILTER:
1214 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1206 case NETLINK_DNRTMSG: 1215 case NETLINK_DNRTMSG:
1207 return SECCLASS_NETLINK_DNRT_SOCKET; 1216 return SECCLASS_NETLINK_DNRT_SOCKET;
1208 case NETLINK_KOBJECT_UEVENT: 1217 case NETLINK_KOBJECT_UEVENT:
1209 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1218 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1219 case NETLINK_GENERIC:
1220 return SECCLASS_NETLINK_GENERIC_SOCKET;
1221 case NETLINK_SCSITRANSPORT:
1222 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1223 case NETLINK_RDMA:
1224 return SECCLASS_NETLINK_RDMA_SOCKET;
1225 case NETLINK_CRYPTO:
1226 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1210 default: 1227 default:
1211 return SECCLASS_NETLINK_SOCKET; 1228 return SECCLASS_NETLINK_SOCKET;
1212 } 1229 }
@@ -1221,12 +1238,13 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
1221 return SECCLASS_SOCKET; 1238 return SECCLASS_SOCKET;
1222} 1239}
1223 1240
1224#ifdef CONFIG_PROC_FS 1241static int selinux_genfs_get_sid(struct dentry *dentry,
1225static int selinux_proc_get_sid(struct dentry *dentry, 1242 u16 tclass,
1226 u16 tclass, 1243 u16 flags,
1227 u32 *sid) 1244 u32 *sid)
1228{ 1245{
1229 int rc; 1246 int rc;
1247 struct super_block *sb = dentry->d_inode->i_sb;
1230 char *buffer, *path; 1248 char *buffer, *path;
1231 1249
1232 buffer = (char *)__get_free_page(GFP_KERNEL); 1250 buffer = (char *)__get_free_page(GFP_KERNEL);
@@ -1237,26 +1255,20 @@ static int selinux_proc_get_sid(struct dentry *dentry,
1237 if (IS_ERR(path)) 1255 if (IS_ERR(path))
1238 rc = PTR_ERR(path); 1256 rc = PTR_ERR(path);
1239 else { 1257 else {
1240 /* each process gets a /proc/PID/ entry. Strip off the 1258 if (flags & SE_SBPROC) {
1241 * PID part to get a valid selinux labeling. 1259 /* each process gets a /proc/PID/ entry. Strip off the
1242 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1260 * PID part to get a valid selinux labeling.
1243 while (path[1] >= '0' && path[1] <= '9') { 1261 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1244 path[1] = '/'; 1262 while (path[1] >= '0' && path[1] <= '9') {
1245 path++; 1263 path[1] = '/';
1264 path++;
1265 }
1246 } 1266 }
1247 rc = security_genfs_sid("proc", path, tclass, sid); 1267 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1248 } 1268 }
1249 free_page((unsigned long)buffer); 1269 free_page((unsigned long)buffer);
1250 return rc; 1270 return rc;
1251} 1271}
1252#else
1253static int selinux_proc_get_sid(struct dentry *dentry,
1254 u16 tclass,
1255 u32 *sid)
1256{
1257 return -EINVAL;
1258}
1259#endif
1260 1272
1261/* The inode's security attributes must be initialized before first use. */ 1273/* The inode's security attributes must be initialized before first use. */
1262static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1274static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
@@ -1413,7 +1425,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1413 /* Default to the fs superblock SID. */ 1425 /* Default to the fs superblock SID. */
1414 isec->sid = sbsec->sid; 1426 isec->sid = sbsec->sid;
1415 1427
1416 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) { 1428 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1417 /* We must have a dentry to determine the label on 1429 /* We must have a dentry to determine the label on
1418 * procfs inodes */ 1430 * procfs inodes */
1419 if (opt_dentry) 1431 if (opt_dentry)
@@ -1436,7 +1448,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1436 if (!dentry) 1448 if (!dentry)
1437 goto out_unlock; 1449 goto out_unlock;
1438 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1450 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1439 rc = selinux_proc_get_sid(dentry, isec->sclass, &sid); 1451 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1452 sbsec->flags, &sid);
1440 dput(dentry); 1453 dput(dentry);
1441 if (rc) 1454 if (rc)
1442 goto out_unlock; 1455 goto out_unlock;
@@ -1565,7 +1578,7 @@ static int cred_has_capability(const struct cred *cred,
1565 1578
1566 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1579 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1567 if (audit == SECURITY_CAP_AUDIT) { 1580 if (audit == SECURITY_CAP_AUDIT) {
1568 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); 1581 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1569 if (rc2) 1582 if (rc2)
1570 return rc2; 1583 return rc2;
1571 } 1584 }
@@ -1611,7 +1624,7 @@ static inline int dentry_has_perm(const struct cred *cred,
1611 struct dentry *dentry, 1624 struct dentry *dentry,
1612 u32 av) 1625 u32 av)
1613{ 1626{
1614 struct inode *inode = dentry->d_inode; 1627 struct inode *inode = d_backing_inode(dentry);
1615 struct common_audit_data ad; 1628 struct common_audit_data ad;
1616 1629
1617 ad.type = LSM_AUDIT_DATA_DENTRY; 1630 ad.type = LSM_AUDIT_DATA_DENTRY;
@@ -1623,10 +1636,10 @@ static inline int dentry_has_perm(const struct cred *cred,
1623 the path to help the auditing code to more easily generate the 1636 the path to help the auditing code to more easily generate the
1624 pathname if needed. */ 1637 pathname if needed. */
1625static inline int path_has_perm(const struct cred *cred, 1638static inline int path_has_perm(const struct cred *cred,
1626 struct path *path, 1639 const struct path *path,
1627 u32 av) 1640 u32 av)
1628{ 1641{
1629 struct inode *inode = path->dentry->d_inode; 1642 struct inode *inode = d_backing_inode(path->dentry);
1630 struct common_audit_data ad; 1643 struct common_audit_data ad;
1631 1644
1632 ad.type = LSM_AUDIT_DATA_PATH; 1645 ad.type = LSM_AUDIT_DATA_PATH;
@@ -1754,7 +1767,7 @@ static int may_link(struct inode *dir,
1754 int rc; 1767 int rc;
1755 1768
1756 dsec = dir->i_security; 1769 dsec = dir->i_security;
1757 isec = dentry->d_inode->i_security; 1770 isec = d_backing_inode(dentry)->i_security;
1758 1771
1759 ad.type = LSM_AUDIT_DATA_DENTRY; 1772 ad.type = LSM_AUDIT_DATA_DENTRY;
1760 ad.u.dentry = dentry; 1773 ad.u.dentry = dentry;
@@ -1798,7 +1811,7 @@ static inline int may_rename(struct inode *old_dir,
1798 int rc; 1811 int rc;
1799 1812
1800 old_dsec = old_dir->i_security; 1813 old_dsec = old_dir->i_security;
1801 old_isec = old_dentry->d_inode->i_security; 1814 old_isec = d_backing_inode(old_dentry)->i_security;
1802 old_is_dir = d_is_dir(old_dentry); 1815 old_is_dir = d_is_dir(old_dentry);
1803 new_dsec = new_dir->i_security; 1816 new_dsec = new_dir->i_security;
1804 1817
@@ -1828,7 +1841,7 @@ static inline int may_rename(struct inode *old_dir,
1828 if (rc) 1841 if (rc)
1829 return rc; 1842 return rc;
1830 if (d_is_positive(new_dentry)) { 1843 if (d_is_positive(new_dentry)) {
1831 new_isec = new_dentry->d_inode->i_security; 1844 new_isec = d_backing_inode(new_dentry)->i_security;
1832 new_is_dir = d_is_dir(new_dentry); 1845 new_is_dir = d_is_dir(new_dentry);
1833 rc = avc_has_perm(sid, new_isec->sid, 1846 rc = avc_has_perm(sid, new_isec->sid,
1834 new_isec->sclass, 1847 new_isec->sclass,
@@ -1964,7 +1977,7 @@ static int selinux_binder_transfer_file(struct task_struct *from,
1964{ 1977{
1965 u32 sid = task_sid(to); 1978 u32 sid = task_sid(to);
1966 struct file_security_struct *fsec = file->f_security; 1979 struct file_security_struct *fsec = file->f_security;
1967 struct inode *inode = file->f_path.dentry->d_inode; 1980 struct inode *inode = d_backing_inode(file->f_path.dentry);
1968 struct inode_security_struct *isec = inode->i_security; 1981 struct inode_security_struct *isec = inode->i_security;
1969 struct common_audit_data ad; 1982 struct common_audit_data ad;
1970 int rc; 1983 int rc;
@@ -1991,12 +2004,6 @@ static int selinux_binder_transfer_file(struct task_struct *from,
1991static int selinux_ptrace_access_check(struct task_struct *child, 2004static int selinux_ptrace_access_check(struct task_struct *child,
1992 unsigned int mode) 2005 unsigned int mode)
1993{ 2006{
1994 int rc;
1995
1996 rc = cap_ptrace_access_check(child, mode);
1997 if (rc)
1998 return rc;
1999
2000 if (mode & PTRACE_MODE_READ) { 2007 if (mode & PTRACE_MODE_READ) {
2001 u32 sid = current_sid(); 2008 u32 sid = current_sid();
2002 u32 csid = task_sid(child); 2009 u32 csid = task_sid(child);
@@ -2008,25 +2015,13 @@ static int selinux_ptrace_access_check(struct task_struct *child,
2008 2015
2009static int selinux_ptrace_traceme(struct task_struct *parent) 2016static int selinux_ptrace_traceme(struct task_struct *parent)
2010{ 2017{
2011 int rc;
2012
2013 rc = cap_ptrace_traceme(parent);
2014 if (rc)
2015 return rc;
2016
2017 return task_has_perm(parent, current, PROCESS__PTRACE); 2018 return task_has_perm(parent, current, PROCESS__PTRACE);
2018} 2019}
2019 2020
2020static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2021static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2021 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2022 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2022{ 2023{
2023 int error; 2024 return current_has_perm(target, PROCESS__GETCAP);
2024
2025 error = current_has_perm(target, PROCESS__GETCAP);
2026 if (error)
2027 return error;
2028
2029 return cap_capget(target, effective, inheritable, permitted);
2030} 2025}
2031 2026
2032static int selinux_capset(struct cred *new, const struct cred *old, 2027static int selinux_capset(struct cred *new, const struct cred *old,
@@ -2034,13 +2029,6 @@ static int selinux_capset(struct cred *new, const struct cred *old,
2034 const kernel_cap_t *inheritable, 2029 const kernel_cap_t *inheritable,
2035 const kernel_cap_t *permitted) 2030 const kernel_cap_t *permitted)
2036{ 2031{
2037 int error;
2038
2039 error = cap_capset(new, old,
2040 effective, inheritable, permitted);
2041 if (error)
2042 return error;
2043
2044 return cred_has_perm(old, new, PROCESS__SETCAP); 2032 return cred_has_perm(old, new, PROCESS__SETCAP);
2045} 2033}
2046 2034
@@ -2057,12 +2045,6 @@ static int selinux_capset(struct cred *new, const struct cred *old,
2057static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2045static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2058 int cap, int audit) 2046 int cap, int audit)
2059{ 2047{
2060 int rc;
2061
2062 rc = cap_capable(cred, ns, cap, audit);
2063 if (rc)
2064 return rc;
2065
2066 return cred_has_capability(cred, cap, audit); 2048 return cred_has_capability(cred, cap, audit);
2067} 2049}
2068 2050
@@ -2140,12 +2122,12 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2140{ 2122{
2141 int rc, cap_sys_admin = 0; 2123 int rc, cap_sys_admin = 0;
2142 2124
2143 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN, 2125 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2144 SECURITY_CAP_NOAUDIT); 2126 SECURITY_CAP_NOAUDIT);
2145 if (rc == 0) 2127 if (rc == 0)
2146 cap_sys_admin = 1; 2128 cap_sys_admin = 1;
2147 2129
2148 return __vm_enough_memory(mm, pages, cap_sys_admin); 2130 return cap_sys_admin;
2149} 2131}
2150 2132
2151/* binprm security operations */ 2133/* binprm security operations */
@@ -2194,10 +2176,6 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2194 struct inode *inode = file_inode(bprm->file); 2176 struct inode *inode = file_inode(bprm->file);
2195 int rc; 2177 int rc;
2196 2178
2197 rc = cap_bprm_set_creds(bprm);
2198 if (rc)
2199 return rc;
2200
2201 /* SELinux context only depends on initial program or script and not 2179 /* SELinux context only depends on initial program or script and not
2202 * the script interpreter */ 2180 * the script interpreter */
2203 if (bprm->cred_prepared) 2181 if (bprm->cred_prepared)
@@ -2321,7 +2299,7 @@ static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2321 PROCESS__NOATSECURE, NULL); 2299 PROCESS__NOATSECURE, NULL);
2322 } 2300 }
2323 2301
2324 return (atsecure || cap_bprm_secureexec(bprm)); 2302 return !!atsecure;
2325} 2303}
2326 2304
2327static int match_file(const void *p, struct file *file, unsigned fd) 2305static int match_file(const void *p, struct file *file, unsigned fd)
@@ -2452,10 +2430,12 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2452 for (i = 0; i < 3; i++) 2430 for (i = 0; i < 3; i++)
2453 do_setitimer(i, &itimer, NULL); 2431 do_setitimer(i, &itimer, NULL);
2454 spin_lock_irq(&current->sighand->siglock); 2432 spin_lock_irq(&current->sighand->siglock);
2455 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) { 2433 if (!fatal_signal_pending(current)) {
2456 __flush_signals(current); 2434 flush_sigqueue(&current->pending);
2435 flush_sigqueue(&current->signal->shared_pending);
2457 flush_signal_handlers(current, 1); 2436 flush_signal_handlers(current, 1);
2458 sigemptyset(&current->blocked); 2437 sigemptyset(&current->blocked);
2438 recalc_sigpending();
2459 } 2439 }
2460 spin_unlock_irq(&current->sighand->siglock); 2440 spin_unlock_irq(&current->sighand->siglock);
2461 } 2441 }
@@ -2628,7 +2608,7 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
2628 break; 2608 break;
2629 case ROOTCONTEXT_MNT: { 2609 case ROOTCONTEXT_MNT: {
2630 struct inode_security_struct *root_isec; 2610 struct inode_security_struct *root_isec;
2631 root_isec = sb->s_root->d_inode->i_security; 2611 root_isec = d_backing_inode(sb->s_root)->i_security;
2632 2612
2633 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2613 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2634 goto out_bad_option; 2614 goto out_bad_option;
@@ -2728,7 +2708,7 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2728 struct task_security_struct *tsec; 2708 struct task_security_struct *tsec;
2729 struct inode_security_struct *dsec; 2709 struct inode_security_struct *dsec;
2730 struct superblock_security_struct *sbsec; 2710 struct superblock_security_struct *sbsec;
2731 struct inode *dir = dentry->d_parent->d_inode; 2711 struct inode *dir = d_backing_inode(dentry->d_parent);
2732 u32 newsid; 2712 u32 newsid;
2733 int rc; 2713 int rc;
2734 2714
@@ -2862,11 +2842,23 @@ static int selinux_inode_readlink(struct dentry *dentry)
2862 return dentry_has_perm(cred, dentry, FILE__READ); 2842 return dentry_has_perm(cred, dentry, FILE__READ);
2863} 2843}
2864 2844
2865static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) 2845static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2846 bool rcu)
2866{ 2847{
2867 const struct cred *cred = current_cred(); 2848 const struct cred *cred = current_cred();
2849 struct common_audit_data ad;
2850 struct inode_security_struct *isec;
2851 u32 sid;
2868 2852
2869 return dentry_has_perm(cred, dentry, FILE__READ); 2853 validate_creds(cred);
2854
2855 ad.type = LSM_AUDIT_DATA_DENTRY;
2856 ad.u.dentry = dentry;
2857 sid = cred_sid(cred);
2858 isec = inode->i_security;
2859
2860 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2861 rcu ? MAY_NOT_BLOCK : 0);
2870} 2862}
2871 2863
2872static noinline int audit_inode_permission(struct inode *inode, 2864static noinline int audit_inode_permission(struct inode *inode,
@@ -2954,15 +2946,9 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2954 return dentry_has_perm(cred, dentry, av); 2946 return dentry_has_perm(cred, dentry, av);
2955} 2947}
2956 2948
2957static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 2949static int selinux_inode_getattr(const struct path *path)
2958{ 2950{
2959 const struct cred *cred = current_cred(); 2951 return path_has_perm(current_cred(), path, FILE__GETATTR);
2960 struct path path;
2961
2962 path.dentry = dentry;
2963 path.mnt = mnt;
2964
2965 return path_has_perm(cred, &path, FILE__GETATTR);
2966} 2952}
2967 2953
2968static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name) 2954static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
@@ -2989,7 +2975,7 @@ static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2989static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 2975static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2990 const void *value, size_t size, int flags) 2976 const void *value, size_t size, int flags)
2991{ 2977{
2992 struct inode *inode = dentry->d_inode; 2978 struct inode *inode = d_backing_inode(dentry);
2993 struct inode_security_struct *isec = inode->i_security; 2979 struct inode_security_struct *isec = inode->i_security;
2994 struct superblock_security_struct *sbsec; 2980 struct superblock_security_struct *sbsec;
2995 struct common_audit_data ad; 2981 struct common_audit_data ad;
@@ -3066,7 +3052,7 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3066 const void *value, size_t size, 3052 const void *value, size_t size,
3067 int flags) 3053 int flags)
3068{ 3054{
3069 struct inode *inode = dentry->d_inode; 3055 struct inode *inode = d_backing_inode(dentry);
3070 struct inode_security_struct *isec = inode->i_security; 3056 struct inode_security_struct *isec = inode->i_security;
3071 u32 newsid; 3057 u32 newsid;
3072 int rc; 3058 int rc;
@@ -3139,8 +3125,11 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
3139 * and lack of permission just means that we fall back to the 3125 * and lack of permission just means that we fall back to the
3140 * in-core context value, not a denial. 3126 * in-core context value, not a denial.
3141 */ 3127 */
3142 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN, 3128 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3143 SECURITY_CAP_NOAUDIT); 3129 SECURITY_CAP_NOAUDIT);
3130 if (!error)
3131 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3132 SECURITY_CAP_NOAUDIT);
3144 if (!error) 3133 if (!error)
3145 error = security_sid_to_context_force(isec->sid, &context, 3134 error = security_sid_to_context_force(isec->sid, &context,
3146 &size); 3135 &size);
@@ -3294,7 +3283,8 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
3294 int rc = 0; 3283 int rc = 0;
3295 3284
3296 if (default_noexec && 3285 if (default_noexec &&
3297 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { 3286 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3287 (!shared && (prot & PROT_WRITE)))) {
3298 /* 3288 /*
3299 * We are making executable an anonymous mapping or a 3289 * We are making executable an anonymous mapping or a
3300 * private file mapping that will also be writable. 3290 * private file mapping that will also be writable.
@@ -3325,12 +3315,7 @@ error:
3325 3315
3326static int selinux_mmap_addr(unsigned long addr) 3316static int selinux_mmap_addr(unsigned long addr)
3327{ 3317{
3328 int rc; 3318 int rc = 0;
3329
3330 /* do DAC check on address space usage */
3331 rc = cap_mmap_addr(addr);
3332 if (rc)
3333 return rc;
3334 3319
3335 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3320 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3336 u32 sid = current_sid(); 3321 u32 sid = current_sid();
@@ -3646,23 +3631,11 @@ static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3646 3631
3647static int selinux_task_setnice(struct task_struct *p, int nice) 3632static int selinux_task_setnice(struct task_struct *p, int nice)
3648{ 3633{
3649 int rc;
3650
3651 rc = cap_task_setnice(p, nice);
3652 if (rc)
3653 return rc;
3654
3655 return current_has_perm(p, PROCESS__SETSCHED); 3634 return current_has_perm(p, PROCESS__SETSCHED);
3656} 3635}
3657 3636
3658static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3637static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3659{ 3638{
3660 int rc;
3661
3662 rc = cap_task_setioprio(p, ioprio);
3663 if (rc)
3664 return rc;
3665
3666 return current_has_perm(p, PROCESS__SETSCHED); 3639 return current_has_perm(p, PROCESS__SETSCHED);
3667} 3640}
3668 3641
@@ -3688,12 +3661,6 @@ static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3688 3661
3689static int selinux_task_setscheduler(struct task_struct *p) 3662static int selinux_task_setscheduler(struct task_struct *p)
3690{ 3663{
3691 int rc;
3692
3693 rc = cap_task_setscheduler(p);
3694 if (rc)
3695 return rc;
3696
3697 return current_has_perm(p, PROCESS__SETSCHED); 3664 return current_has_perm(p, PROCESS__SETSCHED);
3698} 3665}
3699 3666
@@ -4652,11 +4619,6 @@ static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4652 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 4619 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4653} 4620}
4654 4621
4655static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4656{
4657 skb_set_owner_w(skb, sk);
4658}
4659
4660static int selinux_secmark_relabel_packet(u32 sid) 4622static int selinux_secmark_relabel_packet(u32 sid)
4661{ 4623{
4662 const struct task_security_struct *__tsec; 4624 const struct task_security_struct *__tsec;
@@ -4780,8 +4742,9 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4780 if (err == -EINVAL) { 4742 if (err == -EINVAL) {
4781 printk(KERN_WARNING 4743 printk(KERN_WARNING
4782 "SELinux: unrecognized netlink message:" 4744 "SELinux: unrecognized netlink message:"
4783 " protocol=%hu nlmsg_type=%hu sclass=%hu\n", 4745 " protocol=%hu nlmsg_type=%hu sclass=%s\n",
4784 sk->sk_protocol, nlh->nlmsg_type, sksec->sclass); 4746 sk->sk_protocol, nlh->nlmsg_type,
4747 secclass_map[sksec->sclass - 1].name);
4785 if (!selinux_enforcing || security_get_allow_unknown()) 4748 if (!selinux_enforcing || security_get_allow_unknown())
4786 err = 0; 4749 err = 0;
4787 } 4750 }
@@ -4858,21 +4821,17 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb,
4858 4821
4859static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops, 4822static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
4860 struct sk_buff *skb, 4823 struct sk_buff *skb,
4861 const struct net_device *in, 4824 const struct nf_hook_state *state)
4862 const struct net_device *out,
4863 int (*okfn)(struct sk_buff *))
4864{ 4825{
4865 return selinux_ip_forward(skb, in, PF_INET); 4826 return selinux_ip_forward(skb, state->in, PF_INET);
4866} 4827}
4867 4828
4868#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4829#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4869static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops, 4830static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
4870 struct sk_buff *skb, 4831 struct sk_buff *skb,
4871 const struct net_device *in, 4832 const struct nf_hook_state *state)
4872 const struct net_device *out,
4873 int (*okfn)(struct sk_buff *))
4874{ 4833{
4875 return selinux_ip_forward(skb, in, PF_INET6); 4834 return selinux_ip_forward(skb, state->in, PF_INET6);
4876} 4835}
4877#endif /* IPV6 */ 4836#endif /* IPV6 */
4878 4837
@@ -4920,9 +4879,7 @@ static unsigned int selinux_ip_output(struct sk_buff *skb,
4920 4879
4921static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops, 4880static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops,
4922 struct sk_buff *skb, 4881 struct sk_buff *skb,
4923 const struct net_device *in, 4882 const struct nf_hook_state *state)
4924 const struct net_device *out,
4925 int (*okfn)(struct sk_buff *))
4926{ 4883{
4927 return selinux_ip_output(skb, PF_INET); 4884 return selinux_ip_output(skb, PF_INET);
4928} 4885}
@@ -5097,21 +5054,17 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5097 5054
5098static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops, 5055static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
5099 struct sk_buff *skb, 5056 struct sk_buff *skb,
5100 const struct net_device *in, 5057 const struct nf_hook_state *state)
5101 const struct net_device *out,
5102 int (*okfn)(struct sk_buff *))
5103{ 5058{
5104 return selinux_ip_postroute(skb, out, PF_INET); 5059 return selinux_ip_postroute(skb, state->out, PF_INET);
5105} 5060}
5106 5061
5107#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 5062#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5108static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops, 5063static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
5109 struct sk_buff *skb, 5064 struct sk_buff *skb,
5110 const struct net_device *in, 5065 const struct nf_hook_state *state)
5111 const struct net_device *out,
5112 int (*okfn)(struct sk_buff *))
5113{ 5066{
5114 return selinux_ip_postroute(skb, out, PF_INET6); 5067 return selinux_ip_postroute(skb, state->out, PF_INET6);
5115} 5068}
5116#endif /* IPV6 */ 5069#endif /* IPV6 */
5117 5070
@@ -5119,12 +5072,6 @@ static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
5119 5072
5120static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5073static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5121{ 5074{
5122 int err;
5123
5124 err = cap_netlink_send(sk, skb);
5125 if (err)
5126 return err;
5127
5128 return selinux_nlmsg_perm(sk, skb); 5075 return selinux_nlmsg_perm(sk, skb);
5129} 5076}
5130 5077
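Review bot: The call to `cap_netlink_send()` is dropped from selinux_netlink_send (old lines 5122-5127) with no replacement visible on the new side, so the only check left on this path is `selinux_nlmsg_perm()` at new line 5075. That is only safe if the capability-layer helper has become a no-op or the hook infrastructure now invokes it ahead of the SELinux hook; neither is shown in this hunk and it handles netlink messages arriving from userspace, so it deserves confirmation at merge. A one-line comment would make the intent explicit: `/* capability-level netlink checks are no longer done here; see the LSM core */`.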
@@ -5862,219 +5809,220 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
5862 5809
5863#endif 5810#endif
5864 5811
5865static struct security_operations selinux_ops = { 5812static struct security_hook_list selinux_hooks[] = {
5866 .name = "selinux", 5813 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
5867 5814 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
5868 .binder_set_context_mgr = selinux_binder_set_context_mgr, 5815 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
5869 .binder_transaction = selinux_binder_transaction, 5816 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
5870 .binder_transfer_binder = selinux_binder_transfer_binder, 5817
5871 .binder_transfer_file = selinux_binder_transfer_file, 5818 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
5872 5819 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
5873 .ptrace_access_check = selinux_ptrace_access_check, 5820 LSM_HOOK_INIT(capget, selinux_capget),
5874 .ptrace_traceme = selinux_ptrace_traceme, 5821 LSM_HOOK_INIT(capset, selinux_capset),
5875 .capget = selinux_capget, 5822 LSM_HOOK_INIT(capable, selinux_capable),
5876 .capset = selinux_capset, 5823 LSM_HOOK_INIT(quotactl, selinux_quotactl),
5877 .capable = selinux_capable, 5824 LSM_HOOK_INIT(quota_on, selinux_quota_on),
5878 .quotactl = selinux_quotactl, 5825 LSM_HOOK_INIT(syslog, selinux_syslog),
5879 .quota_on = selinux_quota_on, 5826 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
5880 .syslog = selinux_syslog, 5827
5881 .vm_enough_memory = selinux_vm_enough_memory, 5828 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
5882 5829
5883 .netlink_send = selinux_netlink_send, 5830 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
5884 5831 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
5885 .bprm_set_creds = selinux_bprm_set_creds, 5832 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
5886 .bprm_committing_creds = selinux_bprm_committing_creds, 5833 LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
5887 .bprm_committed_creds = selinux_bprm_committed_creds, 5834
5888 .bprm_secureexec = selinux_bprm_secureexec, 5835 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
5889 5836 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
5890 .sb_alloc_security = selinux_sb_alloc_security, 5837 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
5891 .sb_free_security = selinux_sb_free_security, 5838 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
5892 .sb_copy_data = selinux_sb_copy_data, 5839 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
5893 .sb_remount = selinux_sb_remount, 5840 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
5894 .sb_kern_mount = selinux_sb_kern_mount, 5841 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
5895 .sb_show_options = selinux_sb_show_options, 5842 LSM_HOOK_INIT(sb_mount, selinux_mount),
5896 .sb_statfs = selinux_sb_statfs, 5843 LSM_HOOK_INIT(sb_umount, selinux_umount),
5897 .sb_mount = selinux_mount, 5844 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
5898 .sb_umount = selinux_umount, 5845 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
5899 .sb_set_mnt_opts = selinux_set_mnt_opts, 5846 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
5900 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts, 5847
5901 .sb_parse_opts_str = selinux_parse_opts_str, 5848 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
5902 5849
5903 .dentry_init_security = selinux_dentry_init_security, 5850 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
5904 5851 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
5905 .inode_alloc_security = selinux_inode_alloc_security, 5852 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
5906 .inode_free_security = selinux_inode_free_security, 5853 LSM_HOOK_INIT(inode_create, selinux_inode_create),
5907 .inode_init_security = selinux_inode_init_security, 5854 LSM_HOOK_INIT(inode_link, selinux_inode_link),
5908 .inode_create = selinux_inode_create, 5855 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
5909 .inode_link = selinux_inode_link, 5856 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
5910 .inode_unlink = selinux_inode_unlink, 5857 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
5911 .inode_symlink = selinux_inode_symlink, 5858 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
5912 .inode_mkdir = selinux_inode_mkdir, 5859 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
5913 .inode_rmdir = selinux_inode_rmdir, 5860 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
5914 .inode_mknod = selinux_inode_mknod, 5861 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
5915 .inode_rename = selinux_inode_rename, 5862 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
5916 .inode_readlink = selinux_inode_readlink, 5863 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
5917 .inode_follow_link = selinux_inode_follow_link, 5864 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
5918 .inode_permission = selinux_inode_permission, 5865 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
5919 .inode_setattr = selinux_inode_setattr, 5866 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
5920 .inode_getattr = selinux_inode_getattr, 5867 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
5921 .inode_setxattr = selinux_inode_setxattr, 5868 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
5922 .inode_post_setxattr = selinux_inode_post_setxattr, 5869 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
5923 .inode_getxattr = selinux_inode_getxattr, 5870 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
5924 .inode_listxattr = selinux_inode_listxattr, 5871 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
5925 .inode_removexattr = selinux_inode_removexattr, 5872 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
5926 .inode_getsecurity = selinux_inode_getsecurity, 5873 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
5927 .inode_setsecurity = selinux_inode_setsecurity, 5874 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
5928 .inode_listsecurity = selinux_inode_listsecurity, 5875
5929 .inode_getsecid = selinux_inode_getsecid, 5876 LSM_HOOK_INIT(file_permission, selinux_file_permission),
5930 5877 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
5931 .file_permission = selinux_file_permission, 5878 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
5932 .file_alloc_security = selinux_file_alloc_security, 5879 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
5933 .file_free_security = selinux_file_free_security, 5880 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
5934 .file_ioctl = selinux_file_ioctl, 5881 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
5935 .mmap_file = selinux_mmap_file, 5882 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
5936 .mmap_addr = selinux_mmap_addr, 5883 LSM_HOOK_INIT(file_lock, selinux_file_lock),
5937 .file_mprotect = selinux_file_mprotect, 5884 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
5938 .file_lock = selinux_file_lock, 5885 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
5939 .file_fcntl = selinux_file_fcntl, 5886 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
5940 .file_set_fowner = selinux_file_set_fowner, 5887 LSM_HOOK_INIT(file_receive, selinux_file_receive),
5941 .file_send_sigiotask = selinux_file_send_sigiotask, 5888
5942 .file_receive = selinux_file_receive, 5889 LSM_HOOK_INIT(file_open, selinux_file_open),
5943 5890
5944 .file_open = selinux_file_open, 5891 LSM_HOOK_INIT(task_create, selinux_task_create),
5945 5892 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
5946 .task_create = selinux_task_create, 5893 LSM_HOOK_INIT(cred_free, selinux_cred_free),
5947 .cred_alloc_blank = selinux_cred_alloc_blank, 5894 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
5948 .cred_free = selinux_cred_free, 5895 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
5949 .cred_prepare = selinux_cred_prepare, 5896 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
5950 .cred_transfer = selinux_cred_transfer, 5897 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
5951 .kernel_act_as = selinux_kernel_act_as, 5898 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
5952 .kernel_create_files_as = selinux_kernel_create_files_as, 5899 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
5953 .kernel_module_request = selinux_kernel_module_request, 5900 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
5954 .task_setpgid = selinux_task_setpgid, 5901 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
5955 .task_getpgid = selinux_task_getpgid, 5902 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
5956 .task_getsid = selinux_task_getsid, 5903 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
5957 .task_getsecid = selinux_task_getsecid, 5904 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
5958 .task_setnice = selinux_task_setnice, 5905 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
5959 .task_setioprio = selinux_task_setioprio, 5906 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
5960 .task_getioprio = selinux_task_getioprio, 5907 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
5961 .task_setrlimit = selinux_task_setrlimit, 5908 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
5962 .task_setscheduler = selinux_task_setscheduler, 5909 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
5963 .task_getscheduler = selinux_task_getscheduler, 5910 LSM_HOOK_INIT(task_kill, selinux_task_kill),
5964 .task_movememory = selinux_task_movememory, 5911 LSM_HOOK_INIT(task_wait, selinux_task_wait),
5965 .task_kill = selinux_task_kill, 5912 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
5966 .task_wait = selinux_task_wait, 5913
5967 .task_to_inode = selinux_task_to_inode, 5914 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
5968 5915 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
5969 .ipc_permission = selinux_ipc_permission, 5916
5970 .ipc_getsecid = selinux_ipc_getsecid, 5917 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
5971 5918 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
5972 .msg_msg_alloc_security = selinux_msg_msg_alloc_security, 5919
5973 .msg_msg_free_security = selinux_msg_msg_free_security, 5920 LSM_HOOK_INIT(msg_queue_alloc_security,
5974 5921 selinux_msg_queue_alloc_security),
5975 .msg_queue_alloc_security = selinux_msg_queue_alloc_security, 5922 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
5976 .msg_queue_free_security = selinux_msg_queue_free_security, 5923 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
5977 .msg_queue_associate = selinux_msg_queue_associate, 5924 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
5978 .msg_queue_msgctl = selinux_msg_queue_msgctl, 5925 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
5979 .msg_queue_msgsnd = selinux_msg_queue_msgsnd, 5926 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
5980 .msg_queue_msgrcv = selinux_msg_queue_msgrcv, 5927
5981 5928 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
5982 .shm_alloc_security = selinux_shm_alloc_security, 5929 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
5983 .shm_free_security = selinux_shm_free_security, 5930 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
5984 .shm_associate = selinux_shm_associate, 5931 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
5985 .shm_shmctl = selinux_shm_shmctl, 5932 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
5986 .shm_shmat = selinux_shm_shmat, 5933
5987 5934 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
5988 .sem_alloc_security = selinux_sem_alloc_security, 5935 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
5989 .sem_free_security = selinux_sem_free_security, 5936 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
5990 .sem_associate = selinux_sem_associate, 5937 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
5991 .sem_semctl = selinux_sem_semctl, 5938 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
5992 .sem_semop = selinux_sem_semop, 5939
5993 5940 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
5994 .d_instantiate = selinux_d_instantiate, 5941
5995 5942 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
5996 .getprocattr = selinux_getprocattr, 5943 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
5997 .setprocattr = selinux_setprocattr, 5944
5998 5945 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
5999 .ismaclabel = selinux_ismaclabel, 5946 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6000 .secid_to_secctx = selinux_secid_to_secctx, 5947 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6001 .secctx_to_secid = selinux_secctx_to_secid, 5948 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6002 .release_secctx = selinux_release_secctx, 5949 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6003 .inode_notifysecctx = selinux_inode_notifysecctx, 5950 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6004 .inode_setsecctx = selinux_inode_setsecctx, 5951 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6005 .inode_getsecctx = selinux_inode_getsecctx, 5952
6006 5953 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6007 .unix_stream_connect = selinux_socket_unix_stream_connect, 5954 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6008 .unix_may_send = selinux_socket_unix_may_send, 5955
6009 5956 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6010 .socket_create = selinux_socket_create, 5957 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6011 .socket_post_create = selinux_socket_post_create, 5958 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6012 .socket_bind = selinux_socket_bind, 5959 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6013 .socket_connect = selinux_socket_connect, 5960 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6014 .socket_listen = selinux_socket_listen, 5961 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6015 .socket_accept = selinux_socket_accept, 5962 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6016 .socket_sendmsg = selinux_socket_sendmsg, 5963 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6017 .socket_recvmsg = selinux_socket_recvmsg, 5964 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6018 .socket_getsockname = selinux_socket_getsockname, 5965 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6019 .socket_getpeername = selinux_socket_getpeername, 5966 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6020 .socket_getsockopt = selinux_socket_getsockopt, 5967 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6021 .socket_setsockopt = selinux_socket_setsockopt, 5968 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6022 .socket_shutdown = selinux_socket_shutdown, 5969 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6023 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb, 5970 LSM_HOOK_INIT(socket_getpeersec_stream,
6024 .socket_getpeersec_stream = selinux_socket_getpeersec_stream, 5971 selinux_socket_getpeersec_stream),
6025 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram, 5972 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6026 .sk_alloc_security = selinux_sk_alloc_security, 5973 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6027 .sk_free_security = selinux_sk_free_security, 5974 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6028 .sk_clone_security = selinux_sk_clone_security, 5975 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6029 .sk_getsecid = selinux_sk_getsecid, 5976 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6030 .sock_graft = selinux_sock_graft, 5977 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6031 .inet_conn_request = selinux_inet_conn_request, 5978 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6032 .inet_csk_clone = selinux_inet_csk_clone, 5979 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6033 .inet_conn_established = selinux_inet_conn_established, 5980 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6034 .secmark_relabel_packet = selinux_secmark_relabel_packet, 5981 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6035 .secmark_refcount_inc = selinux_secmark_refcount_inc, 5982 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6036 .secmark_refcount_dec = selinux_secmark_refcount_dec, 5983 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6037 .req_classify_flow = selinux_req_classify_flow, 5984 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6038 .tun_dev_alloc_security = selinux_tun_dev_alloc_security, 5985 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6039 .tun_dev_free_security = selinux_tun_dev_free_security, 5986 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6040 .tun_dev_create = selinux_tun_dev_create, 5987 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6041 .tun_dev_attach_queue = selinux_tun_dev_attach_queue, 5988 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6042 .tun_dev_attach = selinux_tun_dev_attach, 5989 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6043 .tun_dev_open = selinux_tun_dev_open, 5990 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6044 .skb_owned_by = selinux_skb_owned_by,
6045 5991
6046#ifdef CONFIG_SECURITY_NETWORK_XFRM 5992#ifdef CONFIG_SECURITY_NETWORK_XFRM
6047 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, 5993 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6048 .xfrm_policy_clone_security = selinux_xfrm_policy_clone, 5994 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6049 .xfrm_policy_free_security = selinux_xfrm_policy_free, 5995 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6050 .xfrm_policy_delete_security = selinux_xfrm_policy_delete, 5996 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6051 .xfrm_state_alloc = selinux_xfrm_state_alloc, 5997 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6052 .xfrm_state_alloc_acquire = selinux_xfrm_state_alloc_acquire, 5998 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6053 .xfrm_state_free_security = selinux_xfrm_state_free, 5999 selinux_xfrm_state_alloc_acquire),
6054 .xfrm_state_delete_security = selinux_xfrm_state_delete, 6000 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6055 .xfrm_policy_lookup = selinux_xfrm_policy_lookup, 6001 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6056 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match, 6002 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6057 .xfrm_decode_session = selinux_xfrm_decode_session, 6003 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6004 selinux_xfrm_state_pol_flow_match),
6005 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6058#endif 6006#endif
6059 6007
6060#ifdef CONFIG_KEYS 6008#ifdef CONFIG_KEYS
6061 .key_alloc = selinux_key_alloc, 6009 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6062 .key_free = selinux_key_free, 6010 LSM_HOOK_INIT(key_free, selinux_key_free),
6063 .key_permission = selinux_key_permission, 6011 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6064 .key_getsecurity = selinux_key_getsecurity, 6012 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6065#endif 6013#endif
6066 6014
6067#ifdef CONFIG_AUDIT 6015#ifdef CONFIG_AUDIT
6068 .audit_rule_init = selinux_audit_rule_init, 6016 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6069 .audit_rule_known = selinux_audit_rule_known, 6017 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6070 .audit_rule_match = selinux_audit_rule_match, 6018 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6071 .audit_rule_free = selinux_audit_rule_free, 6019 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6072#endif 6020#endif
6073}; 6021};
6074 6022
6075static __init int selinux_init(void) 6023static __init int selinux_init(void)
6076{ 6024{
6077 if (!security_module_enable(&selinux_ops)) { 6025 if (!security_module_enable("selinux")) {
6078 selinux_enabled = 0; 6026 selinux_enabled = 0;
6079 return 0; 6027 return 0;
6080 } 6028 }
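Review bot: The `.skb_owned_by = selinux_skb_owned_by` entry (old line 6044) vanishes from the table with no `LSM_HOOK_INIT(skb_owned_by, ...)` counterpart on the new side, while every other entry is converted one-for-one. If that hook was removed from the LSM interface in the same series this is fine, but it is a functional change hidden inside a mechanical conversion and should be named in the commit message or split out. The table itself would also benefit from a short comment above `selinux_hooks[]` stating that it is registered with `security_add_hooks()` in selinux_init and unlinked again by `security_delete_hooks()` in selinux_disable, so a reader knows the array must stay intact for the lifetime of the module. selinux_init starts at the end of this hunk and its body continues past it.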
@@ -6096,8 +6044,7 @@ static __init int selinux_init(void)
6096 0, SLAB_PANIC, NULL); 6044 0, SLAB_PANIC, NULL);
6097 avc_init(); 6045 avc_init();
6098 6046
6099 if (register_security(&selinux_ops)) 6047 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6100 panic("SELinux: Unable to register with kernel.\n");
6101 6048
6102 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 6049 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6103 panic("SELinux: Unable to register AVC netcache callback\n"); 6050 panic("SELinux: Unable to register AVC netcache callback\n");
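Review bot: The failure path is gone: `register_security()` returned an error that was turned into a panic, whereas `security_add_hooks()` at new line 6047 is called with its result ignored and nothing in this hunk says whether it can fail. If it is a void routine that cannot fail, a one-line comment such as `/* security_add_hooks() cannot fail; SELinux hooks are live from here on */` stops the next reader from hunting for the lost error check; if it can fail, the check and panic should be kept. selinux_init starts before this hunk and its body continues past it.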
@@ -6225,7 +6172,7 @@ int selinux_disable(void)
6225 selinux_disabled = 1; 6172 selinux_disabled = 1;
6226 selinux_enabled = 0; 6173 selinux_enabled = 0;
6227 6174
6228 reset_security_ops(); 6175 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6229 6176
6230 /* Try to destroy the avc node cache */ 6177 /* Try to destroy the avc node cache */
6231 avc_disable(); 6178 avc_disable();
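Review bot: `security_delete_hooks()` at new line 6175 unlinks SELinux's hooks from lists that other CPUs may be traversing at that moment, whereas `reset_security_ops()` previously swapped a single ops pointer; nothing visible here shows the locking or grace period that makes the unlink safe against a hook invocation already in flight. Unless the infrastructure guarantees this internally, selinux_disable should record the requirement, e.g. `/* hooks may be executing on other CPUs; security_delete_hooks() must synchronize the unlink */`, so the assumption is checked rather than inherited. selinux_disable starts before this hunk.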