aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/hooks.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c922
1 files changed, 690 insertions, 232 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 925e546b5a87..0314fc766134 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -67,6 +67,8 @@
67#include <linux/tcp.h> 67#include <linux/tcp.h>
68#include <linux/udp.h> 68#include <linux/udp.h>
69#include <linux/dccp.h> 69#include <linux/dccp.h>
70#include <linux/sctp.h>
71#include <net/sctp/structs.h>
70#include <linux/quota.h> 72#include <linux/quota.h>
71#include <linux/un.h> /* for Unix socket types */ 73#include <linux/un.h> /* for Unix socket types */
72#include <net/af_unix.h> /* for Unix socket types */ 74#include <net/af_unix.h> /* for Unix socket types */
@@ -98,20 +100,24 @@
98#include "audit.h" 100#include "audit.h"
99#include "avc_ss.h" 101#include "avc_ss.h"
100 102
103struct selinux_state selinux_state;
104
101/* SECMARK reference count */ 105/* SECMARK reference count */
102static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 106static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103 107
104#ifdef CONFIG_SECURITY_SELINUX_DEVELOP 108#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105int selinux_enforcing; 109static int selinux_enforcing_boot;
106 110
107static int __init enforcing_setup(char *str) 111static int __init enforcing_setup(char *str)
108{ 112{
109 unsigned long enforcing; 113 unsigned long enforcing;
110 if (!kstrtoul(str, 0, &enforcing)) 114 if (!kstrtoul(str, 0, &enforcing))
111 selinux_enforcing = enforcing ? 1 : 0; 115 selinux_enforcing_boot = enforcing ? 1 : 0;
112 return 1; 116 return 1;
113} 117}
114__setup("enforcing=", enforcing_setup); 118__setup("enforcing=", enforcing_setup);
119#else
120#define selinux_enforcing_boot 1
115#endif 121#endif
116 122
117#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 123#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
@@ -129,6 +135,19 @@ __setup("selinux=", selinux_enabled_setup);
129int selinux_enabled = 1; 135int selinux_enabled = 1;
130#endif 136#endif
131 137
138static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140
141static int __init checkreqprot_setup(char *str)
142{
143 unsigned long checkreqprot;
144
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 return 1;
148}
149__setup("checkreqprot=", checkreqprot_setup);
150
132static struct kmem_cache *sel_inode_cache; 151static struct kmem_cache *sel_inode_cache;
133static struct kmem_cache *file_security_cache; 152static struct kmem_cache *file_security_cache;
134 153
@@ -145,7 +164,8 @@ static struct kmem_cache *file_security_cache;
145 */ 164 */
146static int selinux_secmark_enabled(void) 165static int selinux_secmark_enabled(void)
147{ 166{
148 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount)); 167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
149} 169}
150 170
151/** 171/**
@@ -160,7 +180,8 @@ static int selinux_secmark_enabled(void)
160 */ 180 */
161static int selinux_peerlbl_enabled(void) 181static int selinux_peerlbl_enabled(void)
162{ 182{
163 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled()); 183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
164} 185}
165 186
166static int selinux_netcache_avc_callback(u32 event) 187static int selinux_netcache_avc_callback(u32 event)
@@ -264,7 +285,8 @@ static int __inode_security_revalidate(struct inode *inode,
264 285
265 might_sleep_if(may_sleep); 286 might_sleep_if(may_sleep);
266 287
267 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) { 288 if (selinux_state.initialized &&
289 isec->initialized != LABEL_INITIALIZED) {
268 if (!may_sleep) 290 if (!may_sleep)
269 return -ECHILD; 291 return -ECHILD;
270 292
@@ -446,12 +468,14 @@ static int may_context_mount_sb_relabel(u32 sid,
446 const struct task_security_struct *tsec = cred->security; 468 const struct task_security_struct *tsec = cred->security;
447 int rc; 469 int rc;
448 470
449 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 471 rc = avc_has_perm(&selinux_state,
472 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450 FILESYSTEM__RELABELFROM, NULL); 473 FILESYSTEM__RELABELFROM, NULL);
451 if (rc) 474 if (rc)
452 return rc; 475 return rc;
453 476
454 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 477 rc = avc_has_perm(&selinux_state,
478 tsec->sid, sid, SECCLASS_FILESYSTEM,
455 FILESYSTEM__RELABELTO, NULL); 479 FILESYSTEM__RELABELTO, NULL);
456 return rc; 480 return rc;
457} 481}
@@ -462,12 +486,14 @@ static int may_context_mount_inode_relabel(u32 sid,
462{ 486{
463 const struct task_security_struct *tsec = cred->security; 487 const struct task_security_struct *tsec = cred->security;
464 int rc; 488 int rc;
465 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 489 rc = avc_has_perm(&selinux_state,
490 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
466 FILESYSTEM__RELABELFROM, NULL); 491 FILESYSTEM__RELABELFROM, NULL);
467 if (rc) 492 if (rc)
468 return rc; 493 return rc;
469 494
470 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 495 rc = avc_has_perm(&selinux_state,
496 sid, sbsec->sid, SECCLASS_FILESYSTEM,
471 FILESYSTEM__ASSOCIATE, NULL); 497 FILESYSTEM__ASSOCIATE, NULL);
472 return rc; 498 return rc;
473} 499}
@@ -486,7 +512,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
486 !strcmp(sb->s_type->name, "debugfs") || 512 !strcmp(sb->s_type->name, "debugfs") ||
487 !strcmp(sb->s_type->name, "tracefs") || 513 !strcmp(sb->s_type->name, "tracefs") ||
488 !strcmp(sb->s_type->name, "rootfs") || 514 !strcmp(sb->s_type->name, "rootfs") ||
489 (selinux_policycap_cgroupseclabel && 515 (selinux_policycap_cgroupseclabel() &&
490 (!strcmp(sb->s_type->name, "cgroup") || 516 (!strcmp(sb->s_type->name, "cgroup") ||
491 !strcmp(sb->s_type->name, "cgroup2"))); 517 !strcmp(sb->s_type->name, "cgroup2")));
492} 518}
@@ -586,7 +612,7 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
586 if (!(sbsec->flags & SE_SBINITIALIZED)) 612 if (!(sbsec->flags & SE_SBINITIALIZED))
587 return -EINVAL; 613 return -EINVAL;
588 614
589 if (!ss_initialized) 615 if (!selinux_state.initialized)
590 return -EINVAL; 616 return -EINVAL;
591 617
592 /* make sure we always check enough bits to cover the mask */ 618 /* make sure we always check enough bits to cover the mask */
@@ -617,21 +643,25 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
617 643
618 i = 0; 644 i = 0;
619 if (sbsec->flags & FSCONTEXT_MNT) { 645 if (sbsec->flags & FSCONTEXT_MNT) {
620 rc = security_sid_to_context(sbsec->sid, &context, &len); 646 rc = security_sid_to_context(&selinux_state, sbsec->sid,
647 &context, &len);
621 if (rc) 648 if (rc)
622 goto out_free; 649 goto out_free;
623 opts->mnt_opts[i] = context; 650 opts->mnt_opts[i] = context;
624 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 651 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
625 } 652 }
626 if (sbsec->flags & CONTEXT_MNT) { 653 if (sbsec->flags & CONTEXT_MNT) {
627 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); 654 rc = security_sid_to_context(&selinux_state,
655 sbsec->mntpoint_sid,
656 &context, &len);
628 if (rc) 657 if (rc)
629 goto out_free; 658 goto out_free;
630 opts->mnt_opts[i] = context; 659 opts->mnt_opts[i] = context;
631 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 660 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
632 } 661 }
633 if (sbsec->flags & DEFCONTEXT_MNT) { 662 if (sbsec->flags & DEFCONTEXT_MNT) {
634 rc = security_sid_to_context(sbsec->def_sid, &context, &len); 663 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
664 &context, &len);
635 if (rc) 665 if (rc)
636 goto out_free; 666 goto out_free;
637 opts->mnt_opts[i] = context; 667 opts->mnt_opts[i] = context;
@@ -641,7 +671,8 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
641 struct dentry *root = sbsec->sb->s_root; 671 struct dentry *root = sbsec->sb->s_root;
642 struct inode_security_struct *isec = backing_inode_security(root); 672 struct inode_security_struct *isec = backing_inode_security(root);
643 673
644 rc = security_sid_to_context(isec->sid, &context, &len); 674 rc = security_sid_to_context(&selinux_state, isec->sid,
675 &context, &len);
645 if (rc) 676 if (rc)
646 goto out_free; 677 goto out_free;
647 opts->mnt_opts[i] = context; 678 opts->mnt_opts[i] = context;
@@ -704,7 +735,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
704 735
705 mutex_lock(&sbsec->lock); 736 mutex_lock(&sbsec->lock);
706 737
707 if (!ss_initialized) { 738 if (!selinux_state.initialized) {
708 if (!num_opts) { 739 if (!num_opts) {
709 /* Defer initialization until selinux_complete_init, 740 /* Defer initialization until selinux_complete_init,
710 after the initial policy is loaded and the security 741 after the initial policy is loaded and the security
@@ -750,7 +781,9 @@ static int selinux_set_mnt_opts(struct super_block *sb,
750 781
751 if (flags[i] == SBLABEL_MNT) 782 if (flags[i] == SBLABEL_MNT)
752 continue; 783 continue;
753 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 784 rc = security_context_str_to_sid(&selinux_state,
785 mount_options[i], &sid,
786 GFP_KERNEL);
754 if (rc) { 787 if (rc) {
755 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 788 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
756 "(%s) failed for (dev %s, type %s) errno=%d\n", 789 "(%s) failed for (dev %s, type %s) errno=%d\n",
@@ -826,7 +859,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
826 * Determine the labeling behavior to use for this 859 * Determine the labeling behavior to use for this
827 * filesystem type. 860 * filesystem type.
828 */ 861 */
829 rc = security_fs_use(sb); 862 rc = security_fs_use(&selinux_state, sb);
830 if (rc) { 863 if (rc) {
831 printk(KERN_WARNING 864 printk(KERN_WARNING
832 "%s: security_fs_use(%s) returned %d\n", 865 "%s: security_fs_use(%s) returned %d\n",
@@ -851,7 +884,9 @@ static int selinux_set_mnt_opts(struct super_block *sb,
851 } 884 }
852 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 885 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
853 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 886 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
854 rc = security_transition_sid(current_sid(), current_sid(), 887 rc = security_transition_sid(&selinux_state,
888 current_sid(),
889 current_sid(),
855 SECCLASS_FILE, NULL, 890 SECCLASS_FILE, NULL,
856 &sbsec->mntpoint_sid); 891 &sbsec->mntpoint_sid);
857 if (rc) 892 if (rc)
@@ -987,7 +1022,7 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
987 * if the parent was able to be mounted it clearly had no special lsm 1022 * if the parent was able to be mounted it clearly had no special lsm
988 * mount options. thus we can safely deal with this superblock later 1023 * mount options. thus we can safely deal with this superblock later
989 */ 1024 */
990 if (!ss_initialized) 1025 if (!selinux_state.initialized)
991 return 0; 1026 return 0;
992 1027
993 /* 1028 /*
@@ -1014,7 +1049,7 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1014 1049
1015 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 1050 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1016 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 1051 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1017 rc = security_fs_use(newsb); 1052 rc = security_fs_use(&selinux_state, newsb);
1018 if (rc) 1053 if (rc)
1019 goto out; 1054 goto out;
1020 } 1055 }
@@ -1297,7 +1332,7 @@ static inline int default_protocol_dgram(int protocol)
1297 1332
1298static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1333static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1299{ 1334{
1300 int extsockclass = selinux_policycap_extsockclass; 1335 int extsockclass = selinux_policycap_extsockclass();
1301 1336
1302 switch (family) { 1337 switch (family) {
1303 case PF_UNIX: 1338 case PF_UNIX:
@@ -1471,7 +1506,8 @@ static int selinux_genfs_get_sid(struct dentry *dentry,
1471 path++; 1506 path++;
1472 } 1507 }
1473 } 1508 }
1474 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid); 1509 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1510 path, tclass, sid);
1475 } 1511 }
1476 free_page((unsigned long)buffer); 1512 free_page((unsigned long)buffer);
1477 return rc; 1513 return rc;
@@ -1589,7 +1625,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1589 sid = sbsec->def_sid; 1625 sid = sbsec->def_sid;
1590 rc = 0; 1626 rc = 0;
1591 } else { 1627 } else {
1592 rc = security_context_to_sid_default(context, rc, &sid, 1628 rc = security_context_to_sid_default(&selinux_state,
1629 context, rc, &sid,
1593 sbsec->def_sid, 1630 sbsec->def_sid,
1594 GFP_NOFS); 1631 GFP_NOFS);
1595 if (rc) { 1632 if (rc) {
@@ -1622,7 +1659,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1622 sid = sbsec->sid; 1659 sid = sbsec->sid;
1623 1660
1624 /* Try to obtain a transition SID. */ 1661 /* Try to obtain a transition SID. */
1625 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid); 1662 rc = security_transition_sid(&selinux_state, task_sid, sid,
1663 sclass, NULL, &sid);
1626 if (rc) 1664 if (rc)
1627 goto out; 1665 goto out;
1628 break; 1666 break;
@@ -1740,9 +1778,11 @@ static int cred_has_capability(const struct cred *cred,
1740 return -EINVAL; 1778 return -EINVAL;
1741 } 1779 }
1742 1780
1743 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1781 rc = avc_has_perm_noaudit(&selinux_state,
1782 sid, sid, sclass, av, 0, &avd);
1744 if (audit == SECURITY_CAP_AUDIT) { 1783 if (audit == SECURITY_CAP_AUDIT) {
1745 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); 1784 int rc2 = avc_audit(&selinux_state,
1785 sid, sid, sclass, av, &avd, rc, &ad, 0);
1746 if (rc2) 1786 if (rc2)
1747 return rc2; 1787 return rc2;
1748 } 1788 }
@@ -1768,7 +1808,8 @@ static int inode_has_perm(const struct cred *cred,
1768 sid = cred_sid(cred); 1808 sid = cred_sid(cred);
1769 isec = inode->i_security; 1809 isec = inode->i_security;
1770 1810
1771 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1811 return avc_has_perm(&selinux_state,
1812 sid, isec->sid, isec->sclass, perms, adp);
1772} 1813}
1773 1814
1774/* Same as inode_has_perm, but pass explicit audit data containing 1815/* Same as inode_has_perm, but pass explicit audit data containing
@@ -1841,7 +1882,8 @@ static int file_has_perm(const struct cred *cred,
1841 ad.u.file = file; 1882 ad.u.file = file;
1842 1883
1843 if (sid != fsec->sid) { 1884 if (sid != fsec->sid) {
1844 rc = avc_has_perm(sid, fsec->sid, 1885 rc = avc_has_perm(&selinux_state,
1886 sid, fsec->sid,
1845 SECCLASS_FD, 1887 SECCLASS_FD,
1846 FD__USE, 1888 FD__USE,
1847 &ad); 1889 &ad);
@@ -1883,7 +1925,8 @@ selinux_determine_inode_label(const struct task_security_struct *tsec,
1883 *_new_isid = tsec->create_sid; 1925 *_new_isid = tsec->create_sid;
1884 } else { 1926 } else {
1885 const struct inode_security_struct *dsec = inode_security(dir); 1927 const struct inode_security_struct *dsec = inode_security(dir);
1886 return security_transition_sid(tsec->sid, dsec->sid, tclass, 1928 return security_transition_sid(&selinux_state, tsec->sid,
1929 dsec->sid, tclass,
1887 name, _new_isid); 1930 name, _new_isid);
1888 } 1931 }
1889 1932
@@ -1910,7 +1953,8 @@ static int may_create(struct inode *dir,
1910 ad.type = LSM_AUDIT_DATA_DENTRY; 1953 ad.type = LSM_AUDIT_DATA_DENTRY;
1911 ad.u.dentry = dentry; 1954 ad.u.dentry = dentry;
1912 1955
1913 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1956 rc = avc_has_perm(&selinux_state,
1957 sid, dsec->sid, SECCLASS_DIR,
1914 DIR__ADD_NAME | DIR__SEARCH, 1958 DIR__ADD_NAME | DIR__SEARCH,
1915 &ad); 1959 &ad);
1916 if (rc) 1960 if (rc)
@@ -1921,11 +1965,13 @@ static int may_create(struct inode *dir,
1921 if (rc) 1965 if (rc)
1922 return rc; 1966 return rc;
1923 1967
1924 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1968 rc = avc_has_perm(&selinux_state,
1969 sid, newsid, tclass, FILE__CREATE, &ad);
1925 if (rc) 1970 if (rc)
1926 return rc; 1971 return rc;
1927 1972
1928 return avc_has_perm(newsid, sbsec->sid, 1973 return avc_has_perm(&selinux_state,
1974 newsid, sbsec->sid,
1929 SECCLASS_FILESYSTEM, 1975 SECCLASS_FILESYSTEM,
1930 FILESYSTEM__ASSOCIATE, &ad); 1976 FILESYSTEM__ASSOCIATE, &ad);
1931} 1977}
@@ -1954,7 +2000,8 @@ static int may_link(struct inode *dir,
1954 2000
1955 av = DIR__SEARCH; 2001 av = DIR__SEARCH;
1956 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 2002 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1957 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 2003 rc = avc_has_perm(&selinux_state,
2004 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1958 if (rc) 2005 if (rc)
1959 return rc; 2006 return rc;
1960 2007
@@ -1974,7 +2021,8 @@ static int may_link(struct inode *dir,
1974 return 0; 2021 return 0;
1975 } 2022 }
1976 2023
1977 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 2024 rc = avc_has_perm(&selinux_state,
2025 sid, isec->sid, isec->sclass, av, &ad);
1978 return rc; 2026 return rc;
1979} 2027}
1980 2028
@@ -1998,16 +2046,19 @@ static inline int may_rename(struct inode *old_dir,
1998 ad.type = LSM_AUDIT_DATA_DENTRY; 2046 ad.type = LSM_AUDIT_DATA_DENTRY;
1999 2047
2000 ad.u.dentry = old_dentry; 2048 ad.u.dentry = old_dentry;
2001 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 2049 rc = avc_has_perm(&selinux_state,
2050 sid, old_dsec->sid, SECCLASS_DIR,
2002 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 2051 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2003 if (rc) 2052 if (rc)
2004 return rc; 2053 return rc;
2005 rc = avc_has_perm(sid, old_isec->sid, 2054 rc = avc_has_perm(&selinux_state,
2055 sid, old_isec->sid,
2006 old_isec->sclass, FILE__RENAME, &ad); 2056 old_isec->sclass, FILE__RENAME, &ad);
2007 if (rc) 2057 if (rc)
2008 return rc; 2058 return rc;
2009 if (old_is_dir && new_dir != old_dir) { 2059 if (old_is_dir && new_dir != old_dir) {
2010 rc = avc_has_perm(sid, old_isec->sid, 2060 rc = avc_has_perm(&selinux_state,
2061 sid, old_isec->sid,
2011 old_isec->sclass, DIR__REPARENT, &ad); 2062 old_isec->sclass, DIR__REPARENT, &ad);
2012 if (rc) 2063 if (rc)
2013 return rc; 2064 return rc;
@@ -2017,13 +2068,15 @@ static inline int may_rename(struct inode *old_dir,
2017 av = DIR__ADD_NAME | DIR__SEARCH; 2068 av = DIR__ADD_NAME | DIR__SEARCH;
2018 if (d_is_positive(new_dentry)) 2069 if (d_is_positive(new_dentry))
2019 av |= DIR__REMOVE_NAME; 2070 av |= DIR__REMOVE_NAME;
2020 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 2071 rc = avc_has_perm(&selinux_state,
2072 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2021 if (rc) 2073 if (rc)
2022 return rc; 2074 return rc;
2023 if (d_is_positive(new_dentry)) { 2075 if (d_is_positive(new_dentry)) {
2024 new_isec = backing_inode_security(new_dentry); 2076 new_isec = backing_inode_security(new_dentry);
2025 new_is_dir = d_is_dir(new_dentry); 2077 new_is_dir = d_is_dir(new_dentry);
2026 rc = avc_has_perm(sid, new_isec->sid, 2078 rc = avc_has_perm(&selinux_state,
2079 sid, new_isec->sid,
2027 new_isec->sclass, 2080 new_isec->sclass,
2028 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 2081 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2029 if (rc) 2082 if (rc)
@@ -2043,7 +2096,8 @@ static int superblock_has_perm(const struct cred *cred,
2043 u32 sid = cred_sid(cred); 2096 u32 sid = cred_sid(cred);
2044 2097
2045 sbsec = sb->s_security; 2098 sbsec = sb->s_security;
2046 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 2099 return avc_has_perm(&selinux_state,
2100 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2047} 2101}
2048 2102
2049/* Convert a Linux mode and permission mask to an access vector. */ 2103/* Convert a Linux mode and permission mask to an access vector. */
@@ -2106,7 +2160,8 @@ static inline u32 open_file_to_av(struct file *file)
2106 u32 av = file_to_av(file); 2160 u32 av = file_to_av(file);
2107 struct inode *inode = file_inode(file); 2161 struct inode *inode = file_inode(file);
2108 2162
2109 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC) 2163 if (selinux_policycap_openperm() &&
2164 inode->i_sb->s_magic != SOCKFS_MAGIC)
2110 av |= FILE__OPEN; 2165 av |= FILE__OPEN;
2111 2166
2112 return av; 2167 return av;
@@ -2119,7 +2174,8 @@ static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2119 u32 mysid = current_sid(); 2174 u32 mysid = current_sid();
2120 u32 mgrsid = task_sid(mgr); 2175 u32 mgrsid = task_sid(mgr);
2121 2176
2122 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, 2177 return avc_has_perm(&selinux_state,
2178 mysid, mgrsid, SECCLASS_BINDER,
2123 BINDER__SET_CONTEXT_MGR, NULL); 2179 BINDER__SET_CONTEXT_MGR, NULL);
2124} 2180}
2125 2181
@@ -2132,13 +2188,15 @@ static int selinux_binder_transaction(struct task_struct *from,
2132 int rc; 2188 int rc;
2133 2189
2134 if (mysid != fromsid) { 2190 if (mysid != fromsid) {
2135 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, 2191 rc = avc_has_perm(&selinux_state,
2192 mysid, fromsid, SECCLASS_BINDER,
2136 BINDER__IMPERSONATE, NULL); 2193 BINDER__IMPERSONATE, NULL);
2137 if (rc) 2194 if (rc)
2138 return rc; 2195 return rc;
2139 } 2196 }
2140 2197
2141 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2198 return avc_has_perm(&selinux_state,
2199 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2142 NULL); 2200 NULL);
2143} 2201}
2144 2202
@@ -2148,7 +2206,8 @@ static int selinux_binder_transfer_binder(struct task_struct *from,
2148 u32 fromsid = task_sid(from); 2206 u32 fromsid = task_sid(from);
2149 u32 tosid = task_sid(to); 2207 u32 tosid = task_sid(to);
2150 2208
2151 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2209 return avc_has_perm(&selinux_state,
2210 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2152 NULL); 2211 NULL);
2153} 2212}
2154 2213
@@ -2167,7 +2226,8 @@ static int selinux_binder_transfer_file(struct task_struct *from,
2167 ad.u.path = file->f_path; 2226 ad.u.path = file->f_path;
2168 2227
2169 if (sid != fsec->sid) { 2228 if (sid != fsec->sid) {
2170 rc = avc_has_perm(sid, fsec->sid, 2229 rc = avc_has_perm(&selinux_state,
2230 sid, fsec->sid,
2171 SECCLASS_FD, 2231 SECCLASS_FD,
2172 FD__USE, 2232 FD__USE,
2173 &ad); 2233 &ad);
@@ -2185,7 +2245,8 @@ static int selinux_binder_transfer_file(struct task_struct *from,
2185 return 0; 2245 return 0;
2186 2246
2187 isec = backing_inode_security(dentry); 2247 isec = backing_inode_security(dentry);
2188 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), 2248 return avc_has_perm(&selinux_state,
2249 sid, isec->sid, isec->sclass, file_to_av(file),
2189 &ad); 2250 &ad);
2190} 2251}
2191 2252
@@ -2196,21 +2257,25 @@ static int selinux_ptrace_access_check(struct task_struct *child,
2196 u32 csid = task_sid(child); 2257 u32 csid = task_sid(child);
2197 2258
2198 if (mode & PTRACE_MODE_READ) 2259 if (mode & PTRACE_MODE_READ)
2199 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2260 return avc_has_perm(&selinux_state,
2261 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2200 2262
2201 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2263 return avc_has_perm(&selinux_state,
2264 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2202} 2265}
2203 2266
2204static int selinux_ptrace_traceme(struct task_struct *parent) 2267static int selinux_ptrace_traceme(struct task_struct *parent)
2205{ 2268{
2206 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS, 2269 return avc_has_perm(&selinux_state,
2270 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2207 PROCESS__PTRACE, NULL); 2271 PROCESS__PTRACE, NULL);
2208} 2272}
2209 2273
2210static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2274static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2211 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2275 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2212{ 2276{
2213 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS, 2277 return avc_has_perm(&selinux_state,
2278 current_sid(), task_sid(target), SECCLASS_PROCESS,
2214 PROCESS__GETCAP, NULL); 2279 PROCESS__GETCAP, NULL);
2215} 2280}
2216 2281
@@ -2219,7 +2284,8 @@ static int selinux_capset(struct cred *new, const struct cred *old,
2219 const kernel_cap_t *inheritable, 2284 const kernel_cap_t *inheritable,
2220 const kernel_cap_t *permitted) 2285 const kernel_cap_t *permitted)
2221{ 2286{
2222 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2287 return avc_has_perm(&selinux_state,
2288 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2223 PROCESS__SETCAP, NULL); 2289 PROCESS__SETCAP, NULL);
2224} 2290}
2225 2291
@@ -2279,18 +2345,21 @@ static int selinux_syslog(int type)
2279 switch (type) { 2345 switch (type) {
2280 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2346 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2281 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2347 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2282 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2348 return avc_has_perm(&selinux_state,
2349 current_sid(), SECINITSID_KERNEL,
2283 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2350 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2284 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2351 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2285 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2352 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2286 /* Set level of messages printed to console */ 2353 /* Set level of messages printed to console */
2287 case SYSLOG_ACTION_CONSOLE_LEVEL: 2354 case SYSLOG_ACTION_CONSOLE_LEVEL:
2288 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2355 return avc_has_perm(&selinux_state,
2356 current_sid(), SECINITSID_KERNEL,
2289 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2357 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2290 NULL); 2358 NULL);
2291 } 2359 }
2292 /* All other syslog types */ 2360 /* All other syslog types */
2293 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2361 return avc_has_perm(&selinux_state,
2362 current_sid(), SECINITSID_KERNEL,
2294 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2363 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2295} 2364}
2296 2365
@@ -2351,13 +2420,14 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm,
2351 * policy allows the corresponding permission between 2420 * policy allows the corresponding permission between
2352 * the old and new contexts. 2421 * the old and new contexts.
2353 */ 2422 */
2354 if (selinux_policycap_nnp_nosuid_transition) { 2423 if (selinux_policycap_nnp_nosuid_transition()) {
2355 av = 0; 2424 av = 0;
2356 if (nnp) 2425 if (nnp)
2357 av |= PROCESS2__NNP_TRANSITION; 2426 av |= PROCESS2__NNP_TRANSITION;
2358 if (nosuid) 2427 if (nosuid)
2359 av |= PROCESS2__NOSUID_TRANSITION; 2428 av |= PROCESS2__NOSUID_TRANSITION;
2360 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2429 rc = avc_has_perm(&selinux_state,
2430 old_tsec->sid, new_tsec->sid,
2361 SECCLASS_PROCESS2, av, NULL); 2431 SECCLASS_PROCESS2, av, NULL);
2362 if (!rc) 2432 if (!rc)
2363 return 0; 2433 return 0;
@@ -2368,7 +2438,8 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm,
2368 * i.e. SIDs that are guaranteed to only be allowed a subset 2438 * i.e. SIDs that are guaranteed to only be allowed a subset
2369 * of the permissions of the current SID. 2439 * of the permissions of the current SID.
2370 */ 2440 */
2371 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); 2441 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2442 new_tsec->sid);
2372 if (!rc) 2443 if (!rc)
2373 return 0; 2444 return 0;
2374 2445
@@ -2420,8 +2491,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2420 return rc; 2491 return rc;
2421 } else { 2492 } else {
2422 /* Check for a default transition on this program. */ 2493 /* Check for a default transition on this program. */
2423 rc = security_transition_sid(old_tsec->sid, isec->sid, 2494 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2424 SECCLASS_PROCESS, NULL, 2495 isec->sid, SECCLASS_PROCESS, NULL,
2425 &new_tsec->sid); 2496 &new_tsec->sid);
2426 if (rc) 2497 if (rc)
2427 return rc; 2498 return rc;
@@ -2439,25 +2510,29 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2439 ad.u.file = bprm->file; 2510 ad.u.file = bprm->file;
2440 2511
2441 if (new_tsec->sid == old_tsec->sid) { 2512 if (new_tsec->sid == old_tsec->sid) {
2442 rc = avc_has_perm(old_tsec->sid, isec->sid, 2513 rc = avc_has_perm(&selinux_state,
2514 old_tsec->sid, isec->sid,
2443 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2515 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2444 if (rc) 2516 if (rc)
2445 return rc; 2517 return rc;
2446 } else { 2518 } else {
2447 /* Check permissions for the transition. */ 2519 /* Check permissions for the transition. */
2448 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2520 rc = avc_has_perm(&selinux_state,
2521 old_tsec->sid, new_tsec->sid,
2449 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2522 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2450 if (rc) 2523 if (rc)
2451 return rc; 2524 return rc;
2452 2525
2453 rc = avc_has_perm(new_tsec->sid, isec->sid, 2526 rc = avc_has_perm(&selinux_state,
2527 new_tsec->sid, isec->sid,
2454 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2528 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2455 if (rc) 2529 if (rc)
2456 return rc; 2530 return rc;
2457 2531
2458 /* Check for shared state */ 2532 /* Check for shared state */
2459 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2533 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2460 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2534 rc = avc_has_perm(&selinux_state,
2535 old_tsec->sid, new_tsec->sid,
2461 SECCLASS_PROCESS, PROCESS__SHARE, 2536 SECCLASS_PROCESS, PROCESS__SHARE,
2462 NULL); 2537 NULL);
2463 if (rc) 2538 if (rc)
@@ -2469,7 +2544,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2469 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2544 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2470 u32 ptsid = ptrace_parent_sid(); 2545 u32 ptsid = ptrace_parent_sid();
2471 if (ptsid != 0) { 2546 if (ptsid != 0) {
2472 rc = avc_has_perm(ptsid, new_tsec->sid, 2547 rc = avc_has_perm(&selinux_state,
2548 ptsid, new_tsec->sid,
2473 SECCLASS_PROCESS, 2549 SECCLASS_PROCESS,
2474 PROCESS__PTRACE, NULL); 2550 PROCESS__PTRACE, NULL);
2475 if (rc) 2551 if (rc)
@@ -2483,7 +2559,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2483 /* Enable secure mode for SIDs transitions unless 2559 /* Enable secure mode for SIDs transitions unless
2484 the noatsecure permission is granted between 2560 the noatsecure permission is granted between
2485 the two SIDs, i.e. ahp returns 0. */ 2561 the two SIDs, i.e. ahp returns 0. */
2486 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2562 rc = avc_has_perm(&selinux_state,
2563 old_tsec->sid, new_tsec->sid,
2487 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2564 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2488 NULL); 2565 NULL);
2489 bprm->secureexec |= !!rc; 2566 bprm->secureexec |= !!rc;
@@ -2575,7 +2652,8 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2575 * higher than the default soft limit for cases where the default is 2652 * higher than the default soft limit for cases where the default is
2576 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2653 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2577 */ 2654 */
2578 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2655 rc = avc_has_perm(&selinux_state,
2656 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2579 PROCESS__RLIMITINH, NULL); 2657 PROCESS__RLIMITINH, NULL);
2580 if (rc) { 2658 if (rc) {
2581 /* protect against do_prlimit() */ 2659 /* protect against do_prlimit() */
@@ -2615,7 +2693,8 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2615 * This must occur _after_ the task SID has been updated so that any 2693 * This must occur _after_ the task SID has been updated so that any
2616 * kill done after the flush will be checked against the new SID. 2694 * kill done after the flush will be checked against the new SID.
2617 */ 2695 */
2618 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2696 rc = avc_has_perm(&selinux_state,
2697 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2619 if (rc) { 2698 if (rc) {
2620 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) { 2699 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2621 memset(&itimer, 0, sizeof itimer); 2700 memset(&itimer, 0, sizeof itimer);
@@ -2779,7 +2858,9 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
2779 2858
2780 if (flags[i] == SBLABEL_MNT) 2859 if (flags[i] == SBLABEL_MNT)
2781 continue; 2860 continue;
2782 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 2861 rc = security_context_str_to_sid(&selinux_state,
2862 mount_options[i], &sid,
2863 GFP_KERNEL);
2783 if (rc) { 2864 if (rc) {
2784 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 2865 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2785 "(%s) failed for (dev %s, type %s) errno=%d\n", 2866 "(%s) failed for (dev %s, type %s) errno=%d\n",
@@ -2904,7 +2985,8 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2904 if (rc) 2985 if (rc)
2905 return rc; 2986 return rc;
2906 2987
2907 return security_sid_to_context(newsid, (char **)ctx, ctxlen); 2988 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2989 ctxlen);
2908} 2990}
2909 2991
2910static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2992static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
@@ -2958,14 +3040,15 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2958 isec->initialized = LABEL_INITIALIZED; 3040 isec->initialized = LABEL_INITIALIZED;
2959 } 3041 }
2960 3042
2961 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT)) 3043 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
2962 return -EOPNOTSUPP; 3044 return -EOPNOTSUPP;
2963 3045
2964 if (name) 3046 if (name)
2965 *name = XATTR_SELINUX_SUFFIX; 3047 *name = XATTR_SELINUX_SUFFIX;
2966 3048
2967 if (value && len) { 3049 if (value && len) {
2968 rc = security_sid_to_context_force(newsid, &context, &clen); 3050 rc = security_sid_to_context_force(&selinux_state, newsid,
3051 &context, &clen);
2969 if (rc) 3052 if (rc)
2970 return rc; 3053 return rc;
2971 *value = context; 3054 *value = context;
@@ -3040,7 +3123,8 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3040 if (IS_ERR(isec)) 3123 if (IS_ERR(isec))
3041 return PTR_ERR(isec); 3124 return PTR_ERR(isec);
3042 3125
3043 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad, 3126 return avc_has_perm_flags(&selinux_state,
3127 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3044 rcu ? MAY_NOT_BLOCK : 0); 3128 rcu ? MAY_NOT_BLOCK : 0);
3045} 3129}
3046 3130
@@ -3056,7 +3140,8 @@ static noinline int audit_inode_permission(struct inode *inode,
3056 ad.type = LSM_AUDIT_DATA_INODE; 3140 ad.type = LSM_AUDIT_DATA_INODE;
3057 ad.u.inode = inode; 3141 ad.u.inode = inode;
3058 3142
3059 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 3143 rc = slow_avc_audit(&selinux_state,
3144 current_sid(), isec->sid, isec->sclass, perms,
3060 audited, denied, result, &ad, flags); 3145 audited, denied, result, &ad, flags);
3061 if (rc) 3146 if (rc)
3062 return rc; 3147 return rc;
@@ -3094,7 +3179,8 @@ static int selinux_inode_permission(struct inode *inode, int mask)
3094 if (IS_ERR(isec)) 3179 if (IS_ERR(isec))
3095 return PTR_ERR(isec); 3180 return PTR_ERR(isec);
3096 3181
3097 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); 3182 rc = avc_has_perm_noaudit(&selinux_state,
3183 sid, isec->sid, isec->sclass, perms, 0, &avd);
3098 audited = avc_audit_required(perms, &avd, rc, 3184 audited = avc_audit_required(perms, &avd, rc,
3099 from_access ? FILE__AUDIT_ACCESS : 0, 3185 from_access ? FILE__AUDIT_ACCESS : 0,
3100 &denied); 3186 &denied);
@@ -3126,7 +3212,7 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3126 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3212 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3127 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3213 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3128 3214
3129 if (selinux_policycap_openperm && 3215 if (selinux_policycap_openperm() &&
3130 inode->i_sb->s_magic != SOCKFS_MAGIC && 3216 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3131 (ia_valid & ATTR_SIZE) && 3217 (ia_valid & ATTR_SIZE) &&
3132 !(ia_valid & ATTR_FILE)) 3218 !(ia_valid & ATTR_FILE))
@@ -3183,12 +3269,14 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3183 ad.u.dentry = dentry; 3269 ad.u.dentry = dentry;
3184 3270
3185 isec = backing_inode_security(dentry); 3271 isec = backing_inode_security(dentry);
3186 rc = avc_has_perm(sid, isec->sid, isec->sclass, 3272 rc = avc_has_perm(&selinux_state,
3273 sid, isec->sid, isec->sclass,
3187 FILE__RELABELFROM, &ad); 3274 FILE__RELABELFROM, &ad);
3188 if (rc) 3275 if (rc)
3189 return rc; 3276 return rc;
3190 3277
3191 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3278 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3279 GFP_KERNEL);
3192 if (rc == -EINVAL) { 3280 if (rc == -EINVAL) {
3193 if (!has_cap_mac_admin(true)) { 3281 if (!has_cap_mac_admin(true)) {
3194 struct audit_buffer *ab; 3282 struct audit_buffer *ab;
@@ -3213,22 +3301,25 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3213 3301
3214 return rc; 3302 return rc;
3215 } 3303 }
3216 rc = security_context_to_sid_force(value, size, &newsid); 3304 rc = security_context_to_sid_force(&selinux_state, value,
3305 size, &newsid);
3217 } 3306 }
3218 if (rc) 3307 if (rc)
3219 return rc; 3308 return rc;
3220 3309
3221 rc = avc_has_perm(sid, newsid, isec->sclass, 3310 rc = avc_has_perm(&selinux_state,
3311 sid, newsid, isec->sclass,
3222 FILE__RELABELTO, &ad); 3312 FILE__RELABELTO, &ad);
3223 if (rc) 3313 if (rc)
3224 return rc; 3314 return rc;
3225 3315
3226 rc = security_validate_transition(isec->sid, newsid, sid, 3316 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3227 isec->sclass); 3317 sid, isec->sclass);
3228 if (rc) 3318 if (rc)
3229 return rc; 3319 return rc;
3230 3320
3231 return avc_has_perm(newsid, 3321 return avc_has_perm(&selinux_state,
3322 newsid,
3232 sbsec->sid, 3323 sbsec->sid,
3233 SECCLASS_FILESYSTEM, 3324 SECCLASS_FILESYSTEM,
3234 FILESYSTEM__ASSOCIATE, 3325 FILESYSTEM__ASSOCIATE,
@@ -3249,7 +3340,8 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3249 return; 3340 return;
3250 } 3341 }
3251 3342
3252 rc = security_context_to_sid_force(value, size, &newsid); 3343 rc = security_context_to_sid_force(&selinux_state, value, size,
3344 &newsid);
3253 if (rc) { 3345 if (rc) {
3254 printk(KERN_ERR "SELinux: unable to map context to SID" 3346 printk(KERN_ERR "SELinux: unable to map context to SID"
3255 "for (%s, %lu), rc=%d\n", 3347 "for (%s, %lu), rc=%d\n",
@@ -3324,10 +3416,12 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void
3324 */ 3416 */
3325 isec = inode_security(inode); 3417 isec = inode_security(inode);
3326 if (has_cap_mac_admin(false)) 3418 if (has_cap_mac_admin(false))
3327 error = security_sid_to_context_force(isec->sid, &context, 3419 error = security_sid_to_context_force(&selinux_state,
3420 isec->sid, &context,
3328 &size); 3421 &size);
3329 else 3422 else
3330 error = security_sid_to_context(isec->sid, &context, &size); 3423 error = security_sid_to_context(&selinux_state, isec->sid,
3424 &context, &size);
3331 if (error) 3425 if (error)
3332 return error; 3426 return error;
3333 error = size; 3427 error = size;
@@ -3353,7 +3447,8 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3353 if (!value || !size) 3447 if (!value || !size)
3354 return -EACCES; 3448 return -EACCES;
3355 3449
3356 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3450 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3451 GFP_KERNEL);
3357 if (rc) 3452 if (rc)
3358 return rc; 3453 return rc;
3359 3454
@@ -3442,7 +3537,7 @@ static int selinux_file_permission(struct file *file, int mask)
3442 3537
3443 isec = inode_security(inode); 3538 isec = inode_security(inode);
3444 if (sid == fsec->sid && fsec->isid == isec->sid && 3539 if (sid == fsec->sid && fsec->isid == isec->sid &&
3445 fsec->pseqno == avc_policy_seqno()) 3540 fsec->pseqno == avc_policy_seqno(&selinux_state))
3446 /* No change since file_open check. */ 3541 /* No change since file_open check. */
3447 return 0; 3542 return 0;
3448 3543
@@ -3482,7 +3577,8 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file,
3482 ad.u.op->path = file->f_path; 3577 ad.u.op->path = file->f_path;
3483 3578
3484 if (ssid != fsec->sid) { 3579 if (ssid != fsec->sid) {
3485 rc = avc_has_perm(ssid, fsec->sid, 3580 rc = avc_has_perm(&selinux_state,
3581 ssid, fsec->sid,
3486 SECCLASS_FD, 3582 SECCLASS_FD,
3487 FD__USE, 3583 FD__USE,
3488 &ad); 3584 &ad);
@@ -3494,8 +3590,9 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file,
3494 return 0; 3590 return 0;
3495 3591
3496 isec = inode_security(inode); 3592 isec = inode_security(inode);
3497 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, 3593 rc = avc_has_extended_perms(&selinux_state,
3498 requested, driver, xperm, &ad); 3594 ssid, isec->sid, isec->sclass,
3595 requested, driver, xperm, &ad);
3499out: 3596out:
3500 return rc; 3597 return rc;
3501} 3598}
@@ -3563,7 +3660,8 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
3563 * private file mapping that will also be writable. 3660 * private file mapping that will also be writable.
3564 * This has an additional check. 3661 * This has an additional check.
3565 */ 3662 */
3566 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3663 rc = avc_has_perm(&selinux_state,
3664 sid, sid, SECCLASS_PROCESS,
3567 PROCESS__EXECMEM, NULL); 3665 PROCESS__EXECMEM, NULL);
3568 if (rc) 3666 if (rc)
3569 goto error; 3667 goto error;
@@ -3593,7 +3691,8 @@ static int selinux_mmap_addr(unsigned long addr)
3593 3691
3594 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3692 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3595 u32 sid = current_sid(); 3693 u32 sid = current_sid();
3596 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3694 rc = avc_has_perm(&selinux_state,
3695 sid, sid, SECCLASS_MEMPROTECT,
3597 MEMPROTECT__MMAP_ZERO, NULL); 3696 MEMPROTECT__MMAP_ZERO, NULL);
3598 } 3697 }
3599 3698
@@ -3615,7 +3714,7 @@ static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3615 return rc; 3714 return rc;
3616 } 3715 }
3617 3716
3618 if (selinux_checkreqprot) 3717 if (selinux_state.checkreqprot)
3619 prot = reqprot; 3718 prot = reqprot;
3620 3719
3621 return file_map_prot_check(file, prot, 3720 return file_map_prot_check(file, prot,
@@ -3629,7 +3728,7 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
3629 const struct cred *cred = current_cred(); 3728 const struct cred *cred = current_cred();
3630 u32 sid = cred_sid(cred); 3729 u32 sid = cred_sid(cred);
3631 3730
3632 if (selinux_checkreqprot) 3731 if (selinux_state.checkreqprot)
3633 prot = reqprot; 3732 prot = reqprot;
3634 3733
3635 if (default_noexec && 3734 if (default_noexec &&
@@ -3637,13 +3736,15 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
3637 int rc = 0; 3736 int rc = 0;
3638 if (vma->vm_start >= vma->vm_mm->start_brk && 3737 if (vma->vm_start >= vma->vm_mm->start_brk &&
3639 vma->vm_end <= vma->vm_mm->brk) { 3738 vma->vm_end <= vma->vm_mm->brk) {
3640 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3739 rc = avc_has_perm(&selinux_state,
3740 sid, sid, SECCLASS_PROCESS,
3641 PROCESS__EXECHEAP, NULL); 3741 PROCESS__EXECHEAP, NULL);
3642 } else if (!vma->vm_file && 3742 } else if (!vma->vm_file &&
3643 ((vma->vm_start <= vma->vm_mm->start_stack && 3743 ((vma->vm_start <= vma->vm_mm->start_stack &&
3644 vma->vm_end >= vma->vm_mm->start_stack) || 3744 vma->vm_end >= vma->vm_mm->start_stack) ||
3645 vma_is_stack_for_current(vma))) { 3745 vma_is_stack_for_current(vma))) {
3646 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3746 rc = avc_has_perm(&selinux_state,
3747 sid, sid, SECCLASS_PROCESS,
3647 PROCESS__EXECSTACK, NULL); 3748 PROCESS__EXECSTACK, NULL);
3648 } else if (vma->vm_file && vma->anon_vma) { 3749 } else if (vma->vm_file && vma->anon_vma) {
3649 /* 3750 /*
@@ -3735,7 +3836,8 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
3735 else 3836 else
3736 perm = signal_to_av(signum); 3837 perm = signal_to_av(signum);
3737 3838
3738 return avc_has_perm(fsec->fown_sid, sid, 3839 return avc_has_perm(&selinux_state,
3840 fsec->fown_sid, sid,
3739 SECCLASS_PROCESS, perm, NULL); 3841 SECCLASS_PROCESS, perm, NULL);
3740} 3842}
3741 3843
@@ -3761,7 +3863,7 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
3761 * struct as its SID. 3863 * struct as its SID.
3762 */ 3864 */
3763 fsec->isid = isec->sid; 3865 fsec->isid = isec->sid;
3764 fsec->pseqno = avc_policy_seqno(); 3866 fsec->pseqno = avc_policy_seqno(&selinux_state);
3765 /* 3867 /*
3766 * Since the inode label or policy seqno may have changed 3868 * Since the inode label or policy seqno may have changed
3767 * between the selinux_inode_permission check and the saving 3869 * between the selinux_inode_permission check and the saving
@@ -3780,7 +3882,8 @@ static int selinux_task_alloc(struct task_struct *task,
3780{ 3882{
3781 u32 sid = current_sid(); 3883 u32 sid = current_sid();
3782 3884
3783 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3885 return avc_has_perm(&selinux_state,
3886 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3784} 3887}
3785 3888
3786/* 3889/*
@@ -3854,7 +3957,8 @@ static int selinux_kernel_act_as(struct cred *new, u32 secid)
3854 u32 sid = current_sid(); 3957 u32 sid = current_sid();
3855 int ret; 3958 int ret;
3856 3959
3857 ret = avc_has_perm(sid, secid, 3960 ret = avc_has_perm(&selinux_state,
3961 sid, secid,
3858 SECCLASS_KERNEL_SERVICE, 3962 SECCLASS_KERNEL_SERVICE,
3859 KERNEL_SERVICE__USE_AS_OVERRIDE, 3963 KERNEL_SERVICE__USE_AS_OVERRIDE,
3860 NULL); 3964 NULL);
@@ -3878,7 +3982,8 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3878 u32 sid = current_sid(); 3982 u32 sid = current_sid();
3879 int ret; 3983 int ret;
3880 3984
3881 ret = avc_has_perm(sid, isec->sid, 3985 ret = avc_has_perm(&selinux_state,
3986 sid, isec->sid,
3882 SECCLASS_KERNEL_SERVICE, 3987 SECCLASS_KERNEL_SERVICE,
3883 KERNEL_SERVICE__CREATE_FILES_AS, 3988 KERNEL_SERVICE__CREATE_FILES_AS,
3884 NULL); 3989 NULL);
@@ -3895,7 +4000,8 @@ static int selinux_kernel_module_request(char *kmod_name)
3895 ad.type = LSM_AUDIT_DATA_KMOD; 4000 ad.type = LSM_AUDIT_DATA_KMOD;
3896 ad.u.kmod_name = kmod_name; 4001 ad.u.kmod_name = kmod_name;
3897 4002
3898 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4003 return avc_has_perm(&selinux_state,
4004 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3899 SYSTEM__MODULE_REQUEST, &ad); 4005 SYSTEM__MODULE_REQUEST, &ad);
3900} 4006}
3901 4007
@@ -3909,7 +4015,8 @@ static int selinux_kernel_module_from_file(struct file *file)
3909 4015
3910 /* init_module */ 4016 /* init_module */
3911 if (file == NULL) 4017 if (file == NULL)
3912 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, 4018 return avc_has_perm(&selinux_state,
4019 sid, sid, SECCLASS_SYSTEM,
3913 SYSTEM__MODULE_LOAD, NULL); 4020 SYSTEM__MODULE_LOAD, NULL);
3914 4021
3915 /* finit_module */ 4022 /* finit_module */
@@ -3919,13 +4026,15 @@ static int selinux_kernel_module_from_file(struct file *file)
3919 4026
3920 fsec = file->f_security; 4027 fsec = file->f_security;
3921 if (sid != fsec->sid) { 4028 if (sid != fsec->sid) {
3922 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4029 rc = avc_has_perm(&selinux_state,
4030 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3923 if (rc) 4031 if (rc)
3924 return rc; 4032 return rc;
3925 } 4033 }
3926 4034
3927 isec = inode_security(file_inode(file)); 4035 isec = inode_security(file_inode(file));
3928 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, 4036 return avc_has_perm(&selinux_state,
4037 sid, isec->sid, SECCLASS_SYSTEM,
3929 SYSTEM__MODULE_LOAD, &ad); 4038 SYSTEM__MODULE_LOAD, &ad);
3930} 4039}
3931 4040
@@ -3947,19 +4056,22 @@ static int selinux_kernel_read_file(struct file *file,
3947 4056
3948static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4057static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3949{ 4058{
3950 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4059 return avc_has_perm(&selinux_state,
4060 current_sid(), task_sid(p), SECCLASS_PROCESS,
3951 PROCESS__SETPGID, NULL); 4061 PROCESS__SETPGID, NULL);
3952} 4062}
3953 4063
3954static int selinux_task_getpgid(struct task_struct *p) 4064static int selinux_task_getpgid(struct task_struct *p)
3955{ 4065{
3956 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4066 return avc_has_perm(&selinux_state,
4067 current_sid(), task_sid(p), SECCLASS_PROCESS,
3957 PROCESS__GETPGID, NULL); 4068 PROCESS__GETPGID, NULL);
3958} 4069}
3959 4070
3960static int selinux_task_getsid(struct task_struct *p) 4071static int selinux_task_getsid(struct task_struct *p)
3961{ 4072{
3962 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4073 return avc_has_perm(&selinux_state,
4074 current_sid(), task_sid(p), SECCLASS_PROCESS,
3963 PROCESS__GETSESSION, NULL); 4075 PROCESS__GETSESSION, NULL);
3964} 4076}
3965 4077
@@ -3970,19 +4082,22 @@ static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3970 4082
3971static int selinux_task_setnice(struct task_struct *p, int nice) 4083static int selinux_task_setnice(struct task_struct *p, int nice)
3972{ 4084{
3973 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4085 return avc_has_perm(&selinux_state,
4086 current_sid(), task_sid(p), SECCLASS_PROCESS,
3974 PROCESS__SETSCHED, NULL); 4087 PROCESS__SETSCHED, NULL);
3975} 4088}
3976 4089
3977static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4090static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3978{ 4091{
3979 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4092 return avc_has_perm(&selinux_state,
4093 current_sid(), task_sid(p), SECCLASS_PROCESS,
3980 PROCESS__SETSCHED, NULL); 4094 PROCESS__SETSCHED, NULL);
3981} 4095}
3982 4096
3983static int selinux_task_getioprio(struct task_struct *p) 4097static int selinux_task_getioprio(struct task_struct *p)
3984{ 4098{
3985 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4099 return avc_has_perm(&selinux_state,
4100 current_sid(), task_sid(p), SECCLASS_PROCESS,
3986 PROCESS__GETSCHED, NULL); 4101 PROCESS__GETSCHED, NULL);
3987} 4102}
3988 4103
@@ -3997,7 +4112,8 @@ static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcre
3997 av |= PROCESS__SETRLIMIT; 4112 av |= PROCESS__SETRLIMIT;
3998 if (flags & LSM_PRLIMIT_READ) 4113 if (flags & LSM_PRLIMIT_READ)
3999 av |= PROCESS__GETRLIMIT; 4114 av |= PROCESS__GETRLIMIT;
4000 return avc_has_perm(cred_sid(cred), cred_sid(tcred), 4115 return avc_has_perm(&selinux_state,
4116 cred_sid(cred), cred_sid(tcred),
4001 SECCLASS_PROCESS, av, NULL); 4117 SECCLASS_PROCESS, av, NULL);
4002} 4118}
4003 4119
@@ -4011,7 +4127,8 @@ static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4011 later be used as a safe reset point for the soft limit 4127 later be used as a safe reset point for the soft limit
4012 upon context transitions. See selinux_bprm_committing_creds. */ 4128 upon context transitions. See selinux_bprm_committing_creds. */
4013 if (old_rlim->rlim_max != new_rlim->rlim_max) 4129 if (old_rlim->rlim_max != new_rlim->rlim_max)
4014 return avc_has_perm(current_sid(), task_sid(p), 4130 return avc_has_perm(&selinux_state,
4131 current_sid(), task_sid(p),
4015 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4132 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4016 4133
4017 return 0; 4134 return 0;
@@ -4019,19 +4136,22 @@ static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4019 4136
4020static int selinux_task_setscheduler(struct task_struct *p) 4137static int selinux_task_setscheduler(struct task_struct *p)
4021{ 4138{
4022 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4139 return avc_has_perm(&selinux_state,
4140 current_sid(), task_sid(p), SECCLASS_PROCESS,
4023 PROCESS__SETSCHED, NULL); 4141 PROCESS__SETSCHED, NULL);
4024} 4142}
4025 4143
4026static int selinux_task_getscheduler(struct task_struct *p) 4144static int selinux_task_getscheduler(struct task_struct *p)
4027{ 4145{
4028 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4146 return avc_has_perm(&selinux_state,
4147 current_sid(), task_sid(p), SECCLASS_PROCESS,
4029 PROCESS__GETSCHED, NULL); 4148 PROCESS__GETSCHED, NULL);
4030} 4149}
4031 4150
4032static int selinux_task_movememory(struct task_struct *p) 4151static int selinux_task_movememory(struct task_struct *p)
4033{ 4152{
4034 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4153 return avc_has_perm(&selinux_state,
4154 current_sid(), task_sid(p), SECCLASS_PROCESS,
4035 PROCESS__SETSCHED, NULL); 4155 PROCESS__SETSCHED, NULL);
4036} 4156}
4037 4157
@@ -4046,7 +4166,8 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4046 perm = signal_to_av(sig); 4166 perm = signal_to_av(sig);
4047 if (!secid) 4167 if (!secid)
4048 secid = current_sid(); 4168 secid = current_sid();
4049 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); 4169 return avc_has_perm(&selinux_state,
4170 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4050} 4171}
4051 4172
4052static void selinux_task_to_inode(struct task_struct *p, 4173static void selinux_task_to_inode(struct task_struct *p,
@@ -4134,6 +4255,23 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4134 break; 4255 break;
4135 } 4256 }
4136 4257
4258#if IS_ENABLED(CONFIG_IP_SCTP)
4259 case IPPROTO_SCTP: {
4260 struct sctphdr _sctph, *sh;
4261
4262 if (ntohs(ih->frag_off) & IP_OFFSET)
4263 break;
4264
4265 offset += ihlen;
4266 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4267 if (sh == NULL)
4268 break;
4269
4270 ad->u.net->sport = sh->source;
4271 ad->u.net->dport = sh->dest;
4272 break;
4273 }
4274#endif
4137 default: 4275 default:
4138 break; 4276 break;
4139 } 4277 }
@@ -4207,6 +4345,19 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4207 break; 4345 break;
4208 } 4346 }
4209 4347
4348#if IS_ENABLED(CONFIG_IP_SCTP)
4349 case IPPROTO_SCTP: {
4350 struct sctphdr _sctph, *sh;
4351
4352 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4353 if (sh == NULL)
4354 break;
4355
4356 ad->u.net->sport = sh->source;
4357 ad->u.net->dport = sh->dest;
4358 break;
4359 }
4360#endif
4210 /* includes fragments */ 4361 /* includes fragments */
4211 default: 4362 default:
4212 break; 4363 break;
@@ -4287,7 +4438,8 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4287 if (unlikely(err)) 4438 if (unlikely(err))
4288 return -EACCES; 4439 return -EACCES;
4289 4440
4290 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 4441 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4442 nlbl_type, xfrm_sid, sid);
4291 if (unlikely(err)) { 4443 if (unlikely(err)) {
4292 printk(KERN_WARNING 4444 printk(KERN_WARNING
4293 "SELinux: failure in selinux_skb_peerlbl_sid()," 4445 "SELinux: failure in selinux_skb_peerlbl_sid(),"
@@ -4315,7 +4467,8 @@ static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4315 int err = 0; 4467 int err = 0;
4316 4468
4317 if (skb_sid != SECSID_NULL) 4469 if (skb_sid != SECSID_NULL)
4318 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid); 4470 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4471 conn_sid);
4319 else 4472 else
4320 *conn_sid = sk_sid; 4473 *conn_sid = sk_sid;
4321 4474
@@ -4332,8 +4485,8 @@ static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4332 return 0; 4485 return 0;
4333 } 4486 }
4334 4487
4335 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL, 4488 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4336 socksid); 4489 secclass, NULL, socksid);
4337} 4490}
4338 4491
4339static int sock_has_perm(struct sock *sk, u32 perms) 4492static int sock_has_perm(struct sock *sk, u32 perms)
@@ -4349,7 +4502,8 @@ static int sock_has_perm(struct sock *sk, u32 perms)
4349 ad.u.net = &net; 4502 ad.u.net = &net;
4350 ad.u.net->sk = sk; 4503 ad.u.net->sk = sk;
4351 4504
4352 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4505 return avc_has_perm(&selinux_state,
4506 current_sid(), sksec->sid, sksec->sclass, perms,
4353 &ad); 4507 &ad);
4354} 4508}
4355 4509
@@ -4369,7 +4523,8 @@ static int selinux_socket_create(int family, int type,
4369 if (rc) 4523 if (rc)
4370 return rc; 4524 return rc;
4371 4525
4372 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4526 return avc_has_perm(&selinux_state,
4527 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4373} 4528}
4374 4529
4375static int selinux_socket_post_create(struct socket *sock, int family, 4530static int selinux_socket_post_create(struct socket *sock, int family,
@@ -4396,6 +4551,10 @@ static int selinux_socket_post_create(struct socket *sock, int family,
4396 sksec = sock->sk->sk_security; 4551 sksec = sock->sk->sk_security;
4397 sksec->sclass = sclass; 4552 sksec->sclass = sclass;
4398 sksec->sid = sid; 4553 sksec->sid = sid;
4554 /* Allows detection of the first association on this socket */
4555 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4556 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4557
4399 err = selinux_netlbl_socket_post_create(sock->sk, family); 4558 err = selinux_netlbl_socket_post_create(sock->sk, family);
4400 } 4559 }
4401 4560
@@ -4416,11 +4575,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4416 if (err) 4575 if (err)
4417 goto out; 4576 goto out;
4418 4577
4419 /* 4578 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4420 * If PF_INET or PF_INET6, check name_bind permission for the port.
4421 * Multiple address binding for SCTP is not supported yet: we just
4422 * check the first address now.
4423 */
4424 family = sk->sk_family; 4579 family = sk->sk_family;
4425 if (family == PF_INET || family == PF_INET6) { 4580 if (family == PF_INET || family == PF_INET6) {
4426 char *addrp; 4581 char *addrp;
@@ -4432,22 +4587,35 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4432 unsigned short snum; 4587 unsigned short snum;
4433 u32 sid, node_perm; 4588 u32 sid, node_perm;
4434 4589
4435 if (family == PF_INET) { 4590 /*
4436 if (addrlen < sizeof(struct sockaddr_in)) { 4591 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4437 err = -EINVAL; 4592 * that validates multiple binding addresses. Because of this
4438 goto out; 4593 * need to check address->sa_family as it is possible to have
4439 } 4594 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4595 */
4596 switch (address->sa_family) {
4597 case AF_INET:
4598 if (addrlen < sizeof(struct sockaddr_in))
4599 return -EINVAL;
4440 addr4 = (struct sockaddr_in *)address; 4600 addr4 = (struct sockaddr_in *)address;
4441 snum = ntohs(addr4->sin_port); 4601 snum = ntohs(addr4->sin_port);
4442 addrp = (char *)&addr4->sin_addr.s_addr; 4602 addrp = (char *)&addr4->sin_addr.s_addr;
4443 } else { 4603 break;
4444 if (addrlen < SIN6_LEN_RFC2133) { 4604 case AF_INET6:
4445 err = -EINVAL; 4605 if (addrlen < SIN6_LEN_RFC2133)
4446 goto out; 4606 return -EINVAL;
4447 }
4448 addr6 = (struct sockaddr_in6 *)address; 4607 addr6 = (struct sockaddr_in6 *)address;
4449 snum = ntohs(addr6->sin6_port); 4608 snum = ntohs(addr6->sin6_port);
4450 addrp = (char *)&addr6->sin6_addr.s6_addr; 4609 addrp = (char *)&addr6->sin6_addr.s6_addr;
4610 break;
4611 default:
4612 /* Note that SCTP services expect -EINVAL, whereas
4613 * others expect -EAFNOSUPPORT.
4614 */
4615 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4616 return -EINVAL;
4617 else
4618 return -EAFNOSUPPORT;
4451 } 4619 }
4452 4620
4453 if (snum) { 4621 if (snum) {
@@ -4465,7 +4633,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4465 ad.u.net = &net; 4633 ad.u.net = &net;
4466 ad.u.net->sport = htons(snum); 4634 ad.u.net->sport = htons(snum);
4467 ad.u.net->family = family; 4635 ad.u.net->family = family;
4468 err = avc_has_perm(sksec->sid, sid, 4636 err = avc_has_perm(&selinux_state,
4637 sksec->sid, sid,
4469 sksec->sclass, 4638 sksec->sclass,
4470 SOCKET__NAME_BIND, &ad); 4639 SOCKET__NAME_BIND, &ad);
4471 if (err) 4640 if (err)
@@ -4486,6 +4655,10 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4486 node_perm = DCCP_SOCKET__NODE_BIND; 4655 node_perm = DCCP_SOCKET__NODE_BIND;
4487 break; 4656 break;
4488 4657
4658 case SECCLASS_SCTP_SOCKET:
4659 node_perm = SCTP_SOCKET__NODE_BIND;
4660 break;
4661
4489 default: 4662 default:
4490 node_perm = RAWIP_SOCKET__NODE_BIND; 4663 node_perm = RAWIP_SOCKET__NODE_BIND;
4491 break; 4664 break;
@@ -4500,12 +4673,13 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4500 ad.u.net->sport = htons(snum); 4673 ad.u.net->sport = htons(snum);
4501 ad.u.net->family = family; 4674 ad.u.net->family = family;
4502 4675
4503 if (family == PF_INET) 4676 if (address->sa_family == AF_INET)
4504 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4677 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4505 else 4678 else
4506 ad.u.net->v6info.saddr = addr6->sin6_addr; 4679 ad.u.net->v6info.saddr = addr6->sin6_addr;
4507 4680
4508 err = avc_has_perm(sksec->sid, sid, 4681 err = avc_has_perm(&selinux_state,
4682 sksec->sid, sid,
4509 sksec->sclass, node_perm, &ad); 4683 sksec->sclass, node_perm, &ad);
4510 if (err) 4684 if (err)
4511 goto out; 4685 goto out;
@@ -4514,7 +4688,11 @@ out:
4514 return err; 4688 return err;
4515} 4689}
4516 4690
4517static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 4691/* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4692 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.txt
4693 */
4694static int selinux_socket_connect_helper(struct socket *sock,
4695 struct sockaddr *address, int addrlen)
4518{ 4696{
4519 struct sock *sk = sock->sk; 4697 struct sock *sk = sock->sk;
4520 struct sk_security_struct *sksec = sk->sk_security; 4698 struct sk_security_struct *sksec = sk->sk_security;
@@ -4525,10 +4703,12 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
4525 return err; 4703 return err;
4526 4704
4527 /* 4705 /*
4528 * If a TCP or DCCP socket, check name_connect permission for the port. 4706 * If a TCP, DCCP or SCTP socket, check name_connect permission
4707 * for the port.
4529 */ 4708 */
4530 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4709 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4531 sksec->sclass == SECCLASS_DCCP_SOCKET) { 4710 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4711 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4532 struct common_audit_data ad; 4712 struct common_audit_data ad;
4533 struct lsm_network_audit net = {0,}; 4713 struct lsm_network_audit net = {0,};
4534 struct sockaddr_in *addr4 = NULL; 4714 struct sockaddr_in *addr4 = NULL;
@@ -4536,38 +4716,75 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
4536 unsigned short snum; 4716 unsigned short snum;
4537 u32 sid, perm; 4717 u32 sid, perm;
4538 4718
4539 if (sk->sk_family == PF_INET) { 4719 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4720 * that validates multiple connect addresses. Because of this
4721 * need to check address->sa_family as it is possible to have
4722 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4723 */
4724 switch (address->sa_family) {
4725 case AF_INET:
4540 addr4 = (struct sockaddr_in *)address; 4726 addr4 = (struct sockaddr_in *)address;
4541 if (addrlen < sizeof(struct sockaddr_in)) 4727 if (addrlen < sizeof(struct sockaddr_in))
4542 return -EINVAL; 4728 return -EINVAL;
4543 snum = ntohs(addr4->sin_port); 4729 snum = ntohs(addr4->sin_port);
4544 } else { 4730 break;
4731 case AF_INET6:
4545 addr6 = (struct sockaddr_in6 *)address; 4732 addr6 = (struct sockaddr_in6 *)address;
4546 if (addrlen < SIN6_LEN_RFC2133) 4733 if (addrlen < SIN6_LEN_RFC2133)
4547 return -EINVAL; 4734 return -EINVAL;
4548 snum = ntohs(addr6->sin6_port); 4735 snum = ntohs(addr6->sin6_port);
4736 break;
4737 default:
4738 /* Note that SCTP services expect -EINVAL, whereas
4739 * others expect -EAFNOSUPPORT.
4740 */
4741 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4742 return -EINVAL;
4743 else
4744 return -EAFNOSUPPORT;
4549 } 4745 }
4550 4746
4551 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4747 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4552 if (err) 4748 if (err)
4553 goto out; 4749 return err;
4554 4750
4555 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ? 4751 switch (sksec->sclass) {
4556 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 4752 case SECCLASS_TCP_SOCKET:
4753 perm = TCP_SOCKET__NAME_CONNECT;
4754 break;
4755 case SECCLASS_DCCP_SOCKET:
4756 perm = DCCP_SOCKET__NAME_CONNECT;
4757 break;
4758 case SECCLASS_SCTP_SOCKET:
4759 perm = SCTP_SOCKET__NAME_CONNECT;
4760 break;
4761 }
4557 4762
4558 ad.type = LSM_AUDIT_DATA_NET; 4763 ad.type = LSM_AUDIT_DATA_NET;
4559 ad.u.net = &net; 4764 ad.u.net = &net;
4560 ad.u.net->dport = htons(snum); 4765 ad.u.net->dport = htons(snum);
4561 ad.u.net->family = sk->sk_family; 4766 ad.u.net->family = sk->sk_family;
4562 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 4767 err = avc_has_perm(&selinux_state,
4768 sksec->sid, sid, sksec->sclass, perm, &ad);
4563 if (err) 4769 if (err)
4564 goto out; 4770 return err;
4565 } 4771 }
4566 4772
4567 err = selinux_netlbl_socket_connect(sk, address); 4773 return 0;
4774}
4568 4775
4569out: 4776/* Supports connect(2), see comments in selinux_socket_connect_helper() */
4570 return err; 4777static int selinux_socket_connect(struct socket *sock,
4778 struct sockaddr *address, int addrlen)
4779{
4780 int err;
4781 struct sock *sk = sock->sk;
4782
4783 err = selinux_socket_connect_helper(sock, address, addrlen);
4784 if (err)
4785 return err;
4786
4787 return selinux_netlbl_socket_connect(sk, address);
4571} 4788}
4572 4789
4573static int selinux_socket_listen(struct socket *sock, int backlog) 4790static int selinux_socket_listen(struct socket *sock, int backlog)
@@ -4660,7 +4877,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
4660 ad.u.net = &net; 4877 ad.u.net = &net;
4661 ad.u.net->sk = other; 4878 ad.u.net->sk = other;
4662 4879
4663 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 4880 err = avc_has_perm(&selinux_state,
4881 sksec_sock->sid, sksec_other->sid,
4664 sksec_other->sclass, 4882 sksec_other->sclass,
4665 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4883 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4666 if (err) 4884 if (err)
@@ -4668,8 +4886,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
4668 4886
4669 /* server child socket */ 4887 /* server child socket */
4670 sksec_new->peer_sid = sksec_sock->sid; 4888 sksec_new->peer_sid = sksec_sock->sid;
4671 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid, 4889 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4672 &sksec_new->sid); 4890 sksec_sock->sid, &sksec_new->sid);
4673 if (err) 4891 if (err)
4674 return err; 4892 return err;
4675 4893
@@ -4691,7 +4909,8 @@ static int selinux_socket_unix_may_send(struct socket *sock,
4691 ad.u.net = &net; 4909 ad.u.net = &net;
4692 ad.u.net->sk = other->sk; 4910 ad.u.net->sk = other->sk;
4693 4911
4694 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4912 return avc_has_perm(&selinux_state,
4913 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4695 &ad); 4914 &ad);
4696} 4915}
4697 4916
@@ -4706,7 +4925,8 @@ static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4706 err = sel_netif_sid(ns, ifindex, &if_sid); 4925 err = sel_netif_sid(ns, ifindex, &if_sid);
4707 if (err) 4926 if (err)
4708 return err; 4927 return err;
4709 err = avc_has_perm(peer_sid, if_sid, 4928 err = avc_has_perm(&selinux_state,
4929 peer_sid, if_sid,
4710 SECCLASS_NETIF, NETIF__INGRESS, ad); 4930 SECCLASS_NETIF, NETIF__INGRESS, ad);
4711 if (err) 4931 if (err)
4712 return err; 4932 return err;
@@ -4714,7 +4934,8 @@ static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4714 err = sel_netnode_sid(addrp, family, &node_sid); 4934 err = sel_netnode_sid(addrp, family, &node_sid);
4715 if (err) 4935 if (err)
4716 return err; 4936 return err;
4717 return avc_has_perm(peer_sid, node_sid, 4937 return avc_has_perm(&selinux_state,
4938 peer_sid, node_sid,
4718 SECCLASS_NODE, NODE__RECVFROM, ad); 4939 SECCLASS_NODE, NODE__RECVFROM, ad);
4719} 4940}
4720 4941
@@ -4737,7 +4958,8 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4737 return err; 4958 return err;
4738 4959
4739 if (selinux_secmark_enabled()) { 4960 if (selinux_secmark_enabled()) {
4740 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4961 err = avc_has_perm(&selinux_state,
4962 sk_sid, skb->secmark, SECCLASS_PACKET,
4741 PACKET__RECV, &ad); 4963 PACKET__RECV, &ad);
4742 if (err) 4964 if (err)
4743 return err; 4965 return err;
@@ -4774,7 +4996,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4774 * to the selinux_sock_rcv_skb_compat() function to deal with the 4996 * to the selinux_sock_rcv_skb_compat() function to deal with the
4775 * special handling. We do this in an attempt to keep this function 4997 * special handling. We do this in an attempt to keep this function
4776 * as fast and as clean as possible. */ 4998 * as fast and as clean as possible. */
4777 if (!selinux_policycap_netpeer) 4999 if (!selinux_policycap_netpeer())
4778 return selinux_sock_rcv_skb_compat(sk, skb, family); 5000 return selinux_sock_rcv_skb_compat(sk, skb, family);
4779 5001
4780 secmark_active = selinux_secmark_enabled(); 5002 secmark_active = selinux_secmark_enabled();
@@ -4802,7 +5024,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4802 selinux_netlbl_err(skb, family, err, 0); 5024 selinux_netlbl_err(skb, family, err, 0);
4803 return err; 5025 return err;
4804 } 5026 }
4805 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 5027 err = avc_has_perm(&selinux_state,
5028 sk_sid, peer_sid, SECCLASS_PEER,
4806 PEER__RECV, &ad); 5029 PEER__RECV, &ad);
4807 if (err) { 5030 if (err) {
4808 selinux_netlbl_err(skb, family, err, 0); 5031 selinux_netlbl_err(skb, family, err, 0);
@@ -4811,7 +5034,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4811 } 5034 }
4812 5035
4813 if (secmark_active) { 5036 if (secmark_active) {
4814 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5037 err = avc_has_perm(&selinux_state,
5038 sk_sid, skb->secmark, SECCLASS_PACKET,
4815 PACKET__RECV, &ad); 5039 PACKET__RECV, &ad);
4816 if (err) 5040 if (err)
4817 return err; 5041 return err;
@@ -4830,12 +5054,14 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *op
4830 u32 peer_sid = SECSID_NULL; 5054 u32 peer_sid = SECSID_NULL;
4831 5055
4832 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5056 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4833 sksec->sclass == SECCLASS_TCP_SOCKET) 5057 sksec->sclass == SECCLASS_TCP_SOCKET ||
5058 sksec->sclass == SECCLASS_SCTP_SOCKET)
4834 peer_sid = sksec->peer_sid; 5059 peer_sid = sksec->peer_sid;
4835 if (peer_sid == SECSID_NULL) 5060 if (peer_sid == SECSID_NULL)
4836 return -ENOPROTOOPT; 5061 return -ENOPROTOOPT;
4837 5062
4838 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 5063 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5064 &scontext_len);
4839 if (err) 5065 if (err)
4840 return err; 5066 return err;
4841 5067
@@ -4943,6 +5169,172 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4943 sksec->sclass = isec->sclass; 5169 sksec->sclass = isec->sclass;
4944} 5170}
4945 5171
5172/* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5173 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5174 * already present).
5175 */
5176static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5177 struct sk_buff *skb)
5178{
5179 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5180 struct common_audit_data ad;
5181 struct lsm_network_audit net = {0,};
5182 u8 peerlbl_active;
5183 u32 peer_sid = SECINITSID_UNLABELED;
5184 u32 conn_sid;
5185 int err = 0;
5186
5187 if (!selinux_policycap_extsockclass())
5188 return 0;
5189
5190 peerlbl_active = selinux_peerlbl_enabled();
5191
5192 if (peerlbl_active) {
5193 /* This will return peer_sid = SECSID_NULL if there are
5194 * no peer labels, see security_net_peersid_resolve().
5195 */
5196 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5197 &peer_sid);
5198 if (err)
5199 return err;
5200
5201 if (peer_sid == SECSID_NULL)
5202 peer_sid = SECINITSID_UNLABELED;
5203 }
5204
5205 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5206 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5207
5208 /* Here as first association on socket. As the peer SID
5209 * was allowed by peer recv (and the netif/node checks),
5210 * then it is approved by policy and used as the primary
5211 * peer SID for getpeercon(3).
5212 */
5213 sksec->peer_sid = peer_sid;
5214 } else if (sksec->peer_sid != peer_sid) {
5215 /* Other association peer SIDs are checked to enforce
5216 * consistency among the peer SIDs.
5217 */
5218 ad.type = LSM_AUDIT_DATA_NET;
5219 ad.u.net = &net;
5220 ad.u.net->sk = ep->base.sk;
5221 err = avc_has_perm(&selinux_state,
5222 sksec->peer_sid, peer_sid, sksec->sclass,
5223 SCTP_SOCKET__ASSOCIATION, &ad);
5224 if (err)
5225 return err;
5226 }
5227
5228 /* Compute the MLS component for the connection and store
5229 * the information in ep. This will be used by SCTP TCP type
5230 * sockets and peeled off connections as they cause a new
5231 * socket to be generated. selinux_sctp_sk_clone() will then
5232 * plug this into the new socket.
5233 */
5234 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5235 if (err)
5236 return err;
5237
5238 ep->secid = conn_sid;
5239 ep->peer_secid = peer_sid;
5240
5241 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5242 return selinux_netlbl_sctp_assoc_request(ep, skb);
5243}
5244
5245/* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5246 * based on their @optname.
5247 */
5248static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5249 struct sockaddr *address,
5250 int addrlen)
5251{
5252 int len, err = 0, walk_size = 0;
5253 void *addr_buf;
5254 struct sockaddr *addr;
5255 struct socket *sock;
5256
5257 if (!selinux_policycap_extsockclass())
5258 return 0;
5259
5260 /* Process one or more addresses that may be IPv4 or IPv6 */
5261 sock = sk->sk_socket;
5262 addr_buf = address;
5263
5264 while (walk_size < addrlen) {
5265 addr = addr_buf;
5266 switch (addr->sa_family) {
5267 case AF_INET:
5268 len = sizeof(struct sockaddr_in);
5269 break;
5270 case AF_INET6:
5271 len = sizeof(struct sockaddr_in6);
5272 break;
5273 default:
5274 return -EAFNOSUPPORT;
5275 }
5276
5277 err = -EINVAL;
5278 switch (optname) {
5279 /* Bind checks */
5280 case SCTP_PRIMARY_ADDR:
5281 case SCTP_SET_PEER_PRIMARY_ADDR:
5282 case SCTP_SOCKOPT_BINDX_ADD:
5283 err = selinux_socket_bind(sock, addr, len);
5284 break;
5285 /* Connect checks */
5286 case SCTP_SOCKOPT_CONNECTX:
5287 case SCTP_PARAM_SET_PRIMARY:
5288 case SCTP_PARAM_ADD_IP:
5289 case SCTP_SENDMSG_CONNECT:
5290 err = selinux_socket_connect_helper(sock, addr, len);
5291 if (err)
5292 return err;
5293
5294 /* As selinux_sctp_bind_connect() is called by the
5295 * SCTP protocol layer, the socket is already locked,
5296 * therefore selinux_netlbl_socket_connect_locked() is
5297 * is called here. The situations handled are:
5298 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5299 * whenever a new IP address is added or when a new
5300 * primary address is selected.
5301 * Note that an SCTP connect(2) call happens before
5302 * the SCTP protocol layer and is handled via
5303 * selinux_socket_connect().
5304 */
5305 err = selinux_netlbl_socket_connect_locked(sk, addr);
5306 break;
5307 }
5308
5309 if (err)
5310 return err;
5311
5312 addr_buf += len;
5313 walk_size += len;
5314 }
5315
5316 return 0;
5317}
5318
5319/* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5320static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5321 struct sock *newsk)
5322{
5323 struct sk_security_struct *sksec = sk->sk_security;
5324 struct sk_security_struct *newsksec = newsk->sk_security;
5325
5326 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5327 * the non-sctp clone version.
5328 */
5329 if (!selinux_policycap_extsockclass())
5330 return selinux_sk_clone_security(sk, newsk);
5331
5332 newsksec->sid = ep->secid;
5333 newsksec->peer_sid = ep->peer_secid;
5334 newsksec->sclass = sksec->sclass;
5335 selinux_netlbl_sctp_sk_clone(sk, newsk);
5336}
5337
4946static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 5338static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4947 struct request_sock *req) 5339 struct request_sock *req)
4948{ 5340{
@@ -5001,7 +5393,9 @@ static int selinux_secmark_relabel_packet(u32 sid)
5001 __tsec = current_security(); 5393 __tsec = current_security();
5002 tsid = __tsec->sid; 5394 tsid = __tsec->sid;
5003 5395
5004 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL); 5396 return avc_has_perm(&selinux_state,
5397 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5398 NULL);
5005} 5399}
5006 5400
5007static void selinux_secmark_refcount_inc(void) 5401static void selinux_secmark_refcount_inc(void)
@@ -5049,7 +5443,8 @@ static int selinux_tun_dev_create(void)
5049 * connections unlike traditional sockets - check the TUN driver to 5443 * connections unlike traditional sockets - check the TUN driver to
5050 * get a better understanding of why this socket is special */ 5444 * get a better understanding of why this socket is special */
5051 5445
5052 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5446 return avc_has_perm(&selinux_state,
5447 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5053 NULL); 5448 NULL);
5054} 5449}
5055 5450
@@ -5057,7 +5452,8 @@ static int selinux_tun_dev_attach_queue(void *security)
5057{ 5452{
5058 struct tun_security_struct *tunsec = security; 5453 struct tun_security_struct *tunsec = security;
5059 5454
5060 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5455 return avc_has_perm(&selinux_state,
5456 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5061 TUN_SOCKET__ATTACH_QUEUE, NULL); 5457 TUN_SOCKET__ATTACH_QUEUE, NULL);
5062} 5458}
5063 5459
@@ -5085,11 +5481,13 @@ static int selinux_tun_dev_open(void *security)
5085 u32 sid = current_sid(); 5481 u32 sid = current_sid();
5086 int err; 5482 int err;
5087 5483
5088 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5484 err = avc_has_perm(&selinux_state,
5485 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5089 TUN_SOCKET__RELABELFROM, NULL); 5486 TUN_SOCKET__RELABELFROM, NULL);
5090 if (err) 5487 if (err)
5091 return err; 5488 return err;
5092 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 5489 err = avc_has_perm(&selinux_state,
5490 sid, sid, SECCLASS_TUN_SOCKET,
5093 TUN_SOCKET__RELABELTO, NULL); 5491 TUN_SOCKET__RELABELTO, NULL);
5094 if (err) 5492 if (err)
5095 return err; 5493 return err;
@@ -5120,7 +5518,8 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5120 sk->sk_protocol, nlh->nlmsg_type, 5518 sk->sk_protocol, nlh->nlmsg_type,
5121 secclass_map[sksec->sclass - 1].name, 5519 secclass_map[sksec->sclass - 1].name,
5122 task_pid_nr(current), current->comm); 5520 task_pid_nr(current), current->comm);
5123 if (!selinux_enforcing || security_get_allow_unknown()) 5521 if (!enforcing_enabled(&selinux_state) ||
5522 security_get_allow_unknown(&selinux_state))
5124 err = 0; 5523 err = 0;
5125 } 5524 }
5126 5525
@@ -5150,7 +5549,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb,
5150 u8 netlbl_active; 5549 u8 netlbl_active;
5151 u8 peerlbl_active; 5550 u8 peerlbl_active;
5152 5551
5153 if (!selinux_policycap_netpeer) 5552 if (!selinux_policycap_netpeer())
5154 return NF_ACCEPT; 5553 return NF_ACCEPT;
5155 5554
5156 secmark_active = selinux_secmark_enabled(); 5555 secmark_active = selinux_secmark_enabled();
@@ -5179,7 +5578,8 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb,
5179 } 5578 }
5180 5579
5181 if (secmark_active) 5580 if (secmark_active)
5182 if (avc_has_perm(peer_sid, skb->secmark, 5581 if (avc_has_perm(&selinux_state,
5582 peer_sid, skb->secmark,
5183 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5583 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5184 return NF_DROP; 5584 return NF_DROP;
5185 5585
@@ -5291,7 +5691,8 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5291 return NF_DROP; 5691 return NF_DROP;
5292 5692
5293 if (selinux_secmark_enabled()) 5693 if (selinux_secmark_enabled())
5294 if (avc_has_perm(sksec->sid, skb->secmark, 5694 if (avc_has_perm(&selinux_state,
5695 sksec->sid, skb->secmark,
5295 SECCLASS_PACKET, PACKET__SEND, &ad)) 5696 SECCLASS_PACKET, PACKET__SEND, &ad))
5296 return NF_DROP_ERR(-ECONNREFUSED); 5697 return NF_DROP_ERR(-ECONNREFUSED);
5297 5698
@@ -5319,7 +5720,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5319 * to the selinux_ip_postroute_compat() function to deal with the 5720 * to the selinux_ip_postroute_compat() function to deal with the
5320 * special handling. We do this in an attempt to keep this function 5721 * special handling. We do this in an attempt to keep this function
5321 * as fast and as clean as possible. */ 5722 * as fast and as clean as possible. */
5322 if (!selinux_policycap_netpeer) 5723 if (!selinux_policycap_netpeer())
5323 return selinux_ip_postroute_compat(skb, ifindex, family); 5724 return selinux_ip_postroute_compat(skb, ifindex, family);
5324 5725
5325 secmark_active = selinux_secmark_enabled(); 5726 secmark_active = selinux_secmark_enabled();
@@ -5414,7 +5815,8 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5414 return NF_DROP; 5815 return NF_DROP;
5415 5816
5416 if (secmark_active) 5817 if (secmark_active)
5417 if (avc_has_perm(peer_sid, skb->secmark, 5818 if (avc_has_perm(&selinux_state,
5819 peer_sid, skb->secmark,
5418 SECCLASS_PACKET, secmark_perm, &ad)) 5820 SECCLASS_PACKET, secmark_perm, &ad))
5419 return NF_DROP_ERR(-ECONNREFUSED); 5821 return NF_DROP_ERR(-ECONNREFUSED);
5420 5822
@@ -5424,13 +5826,15 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5424 5826
5425 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5827 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5426 return NF_DROP; 5828 return NF_DROP;
5427 if (avc_has_perm(peer_sid, if_sid, 5829 if (avc_has_perm(&selinux_state,
5830 peer_sid, if_sid,
5428 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5831 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5429 return NF_DROP_ERR(-ECONNREFUSED); 5832 return NF_DROP_ERR(-ECONNREFUSED);
5430 5833
5431 if (sel_netnode_sid(addrp, family, &node_sid)) 5834 if (sel_netnode_sid(addrp, family, &node_sid))
5432 return NF_DROP; 5835 return NF_DROP;
5433 if (avc_has_perm(peer_sid, node_sid, 5836 if (avc_has_perm(&selinux_state,
5837 peer_sid, node_sid,
5434 SECCLASS_NODE, NODE__SENDTO, &ad)) 5838 SECCLASS_NODE, NODE__SENDTO, &ad))
5435 return NF_DROP_ERR(-ECONNREFUSED); 5839 return NF_DROP_ERR(-ECONNREFUSED);
5436 } 5840 }
@@ -5518,7 +5922,8 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5518 ad.type = LSM_AUDIT_DATA_IPC; 5922 ad.type = LSM_AUDIT_DATA_IPC;
5519 ad.u.ipc_id = ipc_perms->key; 5923 ad.u.ipc_id = ipc_perms->key;
5520 5924
5521 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 5925 return avc_has_perm(&selinux_state,
5926 sid, isec->sid, isec->sclass, perms, &ad);
5522} 5927}
5523 5928
5524static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5929static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
@@ -5548,7 +5953,8 @@ static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5548 ad.type = LSM_AUDIT_DATA_IPC; 5953 ad.type = LSM_AUDIT_DATA_IPC;
5549 ad.u.ipc_id = msq->key; 5954 ad.u.ipc_id = msq->key;
5550 5955
5551 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5956 rc = avc_has_perm(&selinux_state,
5957 sid, isec->sid, SECCLASS_MSGQ,
5552 MSGQ__CREATE, &ad); 5958 MSGQ__CREATE, &ad);
5553 if (rc) { 5959 if (rc) {
5554 ipc_free_security(msq); 5960 ipc_free_security(msq);
@@ -5573,7 +5979,8 @@ static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5573 ad.type = LSM_AUDIT_DATA_IPC; 5979 ad.type = LSM_AUDIT_DATA_IPC;
5574 ad.u.ipc_id = msq->key; 5980 ad.u.ipc_id = msq->key;
5575 5981
5576 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5982 return avc_has_perm(&selinux_state,
5983 sid, isec->sid, SECCLASS_MSGQ,
5577 MSGQ__ASSOCIATE, &ad); 5984 MSGQ__ASSOCIATE, &ad);
5578} 5985}
5579 5986
@@ -5586,7 +5993,8 @@ static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
5586 case IPC_INFO: 5993 case IPC_INFO:
5587 case MSG_INFO: 5994 case MSG_INFO:
5588 /* No specific object, just general system-wide information. */ 5995 /* No specific object, just general system-wide information. */
5589 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 5996 return avc_has_perm(&selinux_state,
5997 current_sid(), SECINITSID_KERNEL,
5590 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5998 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5591 case IPC_STAT: 5999 case IPC_STAT:
5592 case MSG_STAT: 6000 case MSG_STAT:
@@ -5625,8 +6033,8 @@ static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *m
5625 * Compute new sid based on current process and 6033 * Compute new sid based on current process and
5626 * message queue this message will be stored in 6034 * message queue this message will be stored in
5627 */ 6035 */
5628 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG, 6036 rc = security_transition_sid(&selinux_state, sid, isec->sid,
5629 NULL, &msec->sid); 6037 SECCLASS_MSG, NULL, &msec->sid);
5630 if (rc) 6038 if (rc)
5631 return rc; 6039 return rc;
5632 } 6040 }
@@ -5635,15 +6043,18 @@ static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *m
5635 ad.u.ipc_id = msq->key; 6043 ad.u.ipc_id = msq->key;
5636 6044
5637 /* Can this process write to the queue? */ 6045 /* Can this process write to the queue? */
5638 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6046 rc = avc_has_perm(&selinux_state,
6047 sid, isec->sid, SECCLASS_MSGQ,
5639 MSGQ__WRITE, &ad); 6048 MSGQ__WRITE, &ad);
5640 if (!rc) 6049 if (!rc)
5641 /* Can this process send the message */ 6050 /* Can this process send the message */
5642 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 6051 rc = avc_has_perm(&selinux_state,
6052 sid, msec->sid, SECCLASS_MSG,
5643 MSG__SEND, &ad); 6053 MSG__SEND, &ad);
5644 if (!rc) 6054 if (!rc)
5645 /* Can the message be put in the queue? */ 6055 /* Can the message be put in the queue? */
5646 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 6056 rc = avc_has_perm(&selinux_state,
6057 msec->sid, isec->sid, SECCLASS_MSGQ,
5647 MSGQ__ENQUEUE, &ad); 6058 MSGQ__ENQUEUE, &ad);
5648 6059
5649 return rc; 6060 return rc;
@@ -5665,10 +6076,12 @@ static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *m
5665 ad.type = LSM_AUDIT_DATA_IPC; 6076 ad.type = LSM_AUDIT_DATA_IPC;
5666 ad.u.ipc_id = msq->key; 6077 ad.u.ipc_id = msq->key;
5667 6078
5668 rc = avc_has_perm(sid, isec->sid, 6079 rc = avc_has_perm(&selinux_state,
6080 sid, isec->sid,
5669 SECCLASS_MSGQ, MSGQ__READ, &ad); 6081 SECCLASS_MSGQ, MSGQ__READ, &ad);
5670 if (!rc) 6082 if (!rc)
5671 rc = avc_has_perm(sid, msec->sid, 6083 rc = avc_has_perm(&selinux_state,
6084 sid, msec->sid,
5672 SECCLASS_MSG, MSG__RECEIVE, &ad); 6085 SECCLASS_MSG, MSG__RECEIVE, &ad);
5673 return rc; 6086 return rc;
5674} 6087}
@@ -5690,7 +6103,8 @@ static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
5690 ad.type = LSM_AUDIT_DATA_IPC; 6103 ad.type = LSM_AUDIT_DATA_IPC;
5691 ad.u.ipc_id = shp->key; 6104 ad.u.ipc_id = shp->key;
5692 6105
5693 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6106 rc = avc_has_perm(&selinux_state,
6107 sid, isec->sid, SECCLASS_SHM,
5694 SHM__CREATE, &ad); 6108 SHM__CREATE, &ad);
5695 if (rc) { 6109 if (rc) {
5696 ipc_free_security(shp); 6110 ipc_free_security(shp);
@@ -5715,7 +6129,8 @@ static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
5715 ad.type = LSM_AUDIT_DATA_IPC; 6129 ad.type = LSM_AUDIT_DATA_IPC;
5716 ad.u.ipc_id = shp->key; 6130 ad.u.ipc_id = shp->key;
5717 6131
5718 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6132 return avc_has_perm(&selinux_state,
6133 sid, isec->sid, SECCLASS_SHM,
5719 SHM__ASSOCIATE, &ad); 6134 SHM__ASSOCIATE, &ad);
5720} 6135}
5721 6136
@@ -5729,7 +6144,8 @@ static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
5729 case IPC_INFO: 6144 case IPC_INFO:
5730 case SHM_INFO: 6145 case SHM_INFO:
5731 /* No specific object, just general system-wide information. */ 6146 /* No specific object, just general system-wide information. */
5732 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6147 return avc_has_perm(&selinux_state,
6148 current_sid(), SECINITSID_KERNEL,
5733 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6149 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5734 case IPC_STAT: 6150 case IPC_STAT:
5735 case SHM_STAT: 6151 case SHM_STAT:
@@ -5783,7 +6199,8 @@ static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
5783 ad.type = LSM_AUDIT_DATA_IPC; 6199 ad.type = LSM_AUDIT_DATA_IPC;
5784 ad.u.ipc_id = sma->key; 6200 ad.u.ipc_id = sma->key;
5785 6201
5786 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6202 rc = avc_has_perm(&selinux_state,
6203 sid, isec->sid, SECCLASS_SEM,
5787 SEM__CREATE, &ad); 6204 SEM__CREATE, &ad);
5788 if (rc) { 6205 if (rc) {
5789 ipc_free_security(sma); 6206 ipc_free_security(sma);
@@ -5808,7 +6225,8 @@ static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
5808 ad.type = LSM_AUDIT_DATA_IPC; 6225 ad.type = LSM_AUDIT_DATA_IPC;
5809 ad.u.ipc_id = sma->key; 6226 ad.u.ipc_id = sma->key;
5810 6227
5811 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6228 return avc_has_perm(&selinux_state,
6229 sid, isec->sid, SECCLASS_SEM,
5812 SEM__ASSOCIATE, &ad); 6230 SEM__ASSOCIATE, &ad);
5813} 6231}
5814 6232
@@ -5822,7 +6240,8 @@ static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
5822 case IPC_INFO: 6240 case IPC_INFO:
5823 case SEM_INFO: 6241 case SEM_INFO:
5824 /* No specific object, just general system-wide information. */ 6242 /* No specific object, just general system-wide information. */
5825 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6243 return avc_has_perm(&selinux_state,
6244 current_sid(), SECINITSID_KERNEL,
5826 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6245 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5827 case GETPID: 6246 case GETPID:
5828 case GETNCNT: 6247 case GETNCNT:
@@ -5908,7 +6327,8 @@ static int selinux_getprocattr(struct task_struct *p,
5908 __tsec = __task_cred(p)->security; 6327 __tsec = __task_cred(p)->security;
5909 6328
5910 if (current != p) { 6329 if (current != p) {
5911 error = avc_has_perm(current_sid(), __tsec->sid, 6330 error = avc_has_perm(&selinux_state,
6331 current_sid(), __tsec->sid,
5912 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6332 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
5913 if (error) 6333 if (error)
5914 goto bad; 6334 goto bad;
@@ -5935,7 +6355,7 @@ static int selinux_getprocattr(struct task_struct *p,
5935 if (!sid) 6355 if (!sid)
5936 return 0; 6356 return 0;
5937 6357
5938 error = security_sid_to_context(sid, value, &len); 6358 error = security_sid_to_context(&selinux_state, sid, value, &len);
5939 if (error) 6359 if (error)
5940 return error; 6360 return error;
5941 return len; 6361 return len;
@@ -5957,19 +6377,24 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
5957 * Basic control over ability to set these attributes at all. 6377 * Basic control over ability to set these attributes at all.
5958 */ 6378 */
5959 if (!strcmp(name, "exec")) 6379 if (!strcmp(name, "exec"))
5960 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6380 error = avc_has_perm(&selinux_state,
6381 mysid, mysid, SECCLASS_PROCESS,
5961 PROCESS__SETEXEC, NULL); 6382 PROCESS__SETEXEC, NULL);
5962 else if (!strcmp(name, "fscreate")) 6383 else if (!strcmp(name, "fscreate"))
5963 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6384 error = avc_has_perm(&selinux_state,
6385 mysid, mysid, SECCLASS_PROCESS,
5964 PROCESS__SETFSCREATE, NULL); 6386 PROCESS__SETFSCREATE, NULL);
5965 else if (!strcmp(name, "keycreate")) 6387 else if (!strcmp(name, "keycreate"))
5966 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6388 error = avc_has_perm(&selinux_state,
6389 mysid, mysid, SECCLASS_PROCESS,
5967 PROCESS__SETKEYCREATE, NULL); 6390 PROCESS__SETKEYCREATE, NULL);
5968 else if (!strcmp(name, "sockcreate")) 6391 else if (!strcmp(name, "sockcreate"))
5969 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6392 error = avc_has_perm(&selinux_state,
6393 mysid, mysid, SECCLASS_PROCESS,
5970 PROCESS__SETSOCKCREATE, NULL); 6394 PROCESS__SETSOCKCREATE, NULL);
5971 else if (!strcmp(name, "current")) 6395 else if (!strcmp(name, "current"))
5972 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6396 error = avc_has_perm(&selinux_state,
6397 mysid, mysid, SECCLASS_PROCESS,
5973 PROCESS__SETCURRENT, NULL); 6398 PROCESS__SETCURRENT, NULL);
5974 else 6399 else
5975 error = -EINVAL; 6400 error = -EINVAL;
@@ -5982,7 +6407,8 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
5982 str[size-1] = 0; 6407 str[size-1] = 0;
5983 size--; 6408 size--;
5984 } 6409 }
5985 error = security_context_to_sid(value, size, &sid, GFP_KERNEL); 6410 error = security_context_to_sid(&selinux_state, value, size,
6411 &sid, GFP_KERNEL);
5986 if (error == -EINVAL && !strcmp(name, "fscreate")) { 6412 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5987 if (!has_cap_mac_admin(true)) { 6413 if (!has_cap_mac_admin(true)) {
5988 struct audit_buffer *ab; 6414 struct audit_buffer *ab;
@@ -6001,8 +6427,9 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6001 6427
6002 return error; 6428 return error;
6003 } 6429 }
6004 error = security_context_to_sid_force(value, size, 6430 error = security_context_to_sid_force(
6005 &sid); 6431 &selinux_state,
6432 value, size, &sid);
6006 } 6433 }
6007 if (error) 6434 if (error)
6008 return error; 6435 return error;
@@ -6024,7 +6451,8 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6024 } else if (!strcmp(name, "fscreate")) { 6451 } else if (!strcmp(name, "fscreate")) {
6025 tsec->create_sid = sid; 6452 tsec->create_sid = sid;
6026 } else if (!strcmp(name, "keycreate")) { 6453 } else if (!strcmp(name, "keycreate")) {
6027 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE, 6454 error = avc_has_perm(&selinux_state,
6455 mysid, sid, SECCLASS_KEY, KEY__CREATE,
6028 NULL); 6456 NULL);
6029 if (error) 6457 if (error)
6030 goto abort_change; 6458 goto abort_change;
@@ -6039,13 +6467,15 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6039 /* Only allow single threaded processes to change context */ 6467 /* Only allow single threaded processes to change context */
6040 error = -EPERM; 6468 error = -EPERM;
6041 if (!current_is_single_threaded()) { 6469 if (!current_is_single_threaded()) {
6042 error = security_bounded_transition(tsec->sid, sid); 6470 error = security_bounded_transition(&selinux_state,
6471 tsec->sid, sid);
6043 if (error) 6472 if (error)
6044 goto abort_change; 6473 goto abort_change;
6045 } 6474 }
6046 6475
6047 /* Check permissions for the transition. */ 6476 /* Check permissions for the transition. */
6048 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 6477 error = avc_has_perm(&selinux_state,
6478 tsec->sid, sid, SECCLASS_PROCESS,
6049 PROCESS__DYNTRANSITION, NULL); 6479 PROCESS__DYNTRANSITION, NULL);
6050 if (error) 6480 if (error)
6051 goto abort_change; 6481 goto abort_change;
@@ -6054,7 +6484,8 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6054 Otherwise, leave SID unchanged and fail. */ 6484 Otherwise, leave SID unchanged and fail. */
6055 ptsid = ptrace_parent_sid(); 6485 ptsid = ptrace_parent_sid();
6056 if (ptsid != 0) { 6486 if (ptsid != 0) {
6057 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 6487 error = avc_has_perm(&selinux_state,
6488 ptsid, sid, SECCLASS_PROCESS,
6058 PROCESS__PTRACE, NULL); 6489 PROCESS__PTRACE, NULL);
6059 if (error) 6490 if (error)
6060 goto abort_change; 6491 goto abort_change;
@@ -6081,12 +6512,14 @@ static int selinux_ismaclabel(const char *name)
6081 6512
6082static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6513static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6083{ 6514{
6084 return security_sid_to_context(secid, secdata, seclen); 6515 return security_sid_to_context(&selinux_state, secid,
6516 secdata, seclen);
6085} 6517}
6086 6518
6087static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6519static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6088{ 6520{
6089 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL); 6521 return security_context_to_sid(&selinux_state, secdata, seclen,
6522 secid, GFP_KERNEL);
6090} 6523}
6091 6524
6092static void selinux_release_secctx(char *secdata, u32 seclen) 6525static void selinux_release_secctx(char *secdata, u32 seclen)
@@ -6178,7 +6611,8 @@ static int selinux_key_permission(key_ref_t key_ref,
6178 key = key_ref_to_ptr(key_ref); 6611 key = key_ref_to_ptr(key_ref);
6179 ksec = key->security; 6612 ksec = key->security;
6180 6613
6181 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6614 return avc_has_perm(&selinux_state,
6615 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6182} 6616}
6183 6617
6184static int selinux_key_getsecurity(struct key *key, char **_buffer) 6618static int selinux_key_getsecurity(struct key *key, char **_buffer)
@@ -6188,7 +6622,8 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
6188 unsigned len; 6622 unsigned len;
6189 int rc; 6623 int rc;
6190 6624
6191 rc = security_sid_to_context(ksec->sid, &context, &len); 6625 rc = security_sid_to_context(&selinux_state, ksec->sid,
6626 &context, &len);
6192 if (!rc) 6627 if (!rc)
6193 rc = len; 6628 rc = len;
6194 *_buffer = context; 6629 *_buffer = context;
@@ -6213,7 +6648,8 @@ static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6213 ibpkey.subnet_prefix = subnet_prefix; 6648 ibpkey.subnet_prefix = subnet_prefix;
6214 ibpkey.pkey = pkey_val; 6649 ibpkey.pkey = pkey_val;
6215 ad.u.ibpkey = &ibpkey; 6650 ad.u.ibpkey = &ibpkey;
6216 return avc_has_perm(sec->sid, sid, 6651 return avc_has_perm(&selinux_state,
6652 sec->sid, sid,
6217 SECCLASS_INFINIBAND_PKEY, 6653 SECCLASS_INFINIBAND_PKEY,
6218 INFINIBAND_PKEY__ACCESS, &ad); 6654 INFINIBAND_PKEY__ACCESS, &ad);
6219} 6655}
@@ -6227,7 +6663,8 @@ static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6227 struct ib_security_struct *sec = ib_sec; 6663 struct ib_security_struct *sec = ib_sec;
6228 struct lsm_ibendport_audit ibendport; 6664 struct lsm_ibendport_audit ibendport;
6229 6665
6230 err = security_ib_endport_sid(dev_name, port_num, &sid); 6666 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6667 &sid);
6231 6668
6232 if (err) 6669 if (err)
6233 return err; 6670 return err;
@@ -6236,7 +6673,8 @@ static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6236 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); 6673 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6237 ibendport.port = port_num; 6674 ibendport.port = port_num;
6238 ad.u.ibendport = &ibendport; 6675 ad.u.ibendport = &ibendport;
6239 return avc_has_perm(sec->sid, sid, 6676 return avc_has_perm(&selinux_state,
6677 sec->sid, sid,
6240 SECCLASS_INFINIBAND_ENDPORT, 6678 SECCLASS_INFINIBAND_ENDPORT,
6241 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6679 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6242} 6680}
@@ -6269,11 +6707,13 @@ static int selinux_bpf(int cmd, union bpf_attr *attr,
6269 6707
6270 switch (cmd) { 6708 switch (cmd) {
6271 case BPF_MAP_CREATE: 6709 case BPF_MAP_CREATE:
6272 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6710 ret = avc_has_perm(&selinux_state,
6711 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6273 NULL); 6712 NULL);
6274 break; 6713 break;
6275 case BPF_PROG_LOAD: 6714 case BPF_PROG_LOAD:
6276 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6715 ret = avc_has_perm(&selinux_state,
6716 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6277 NULL); 6717 NULL);
6278 break; 6718 break;
6279 default: 6719 default:
@@ -6313,14 +6753,16 @@ static int bpf_fd_pass(struct file *file, u32 sid)
6313 if (file->f_op == &bpf_map_fops) { 6753 if (file->f_op == &bpf_map_fops) {
6314 map = file->private_data; 6754 map = file->private_data;
6315 bpfsec = map->security; 6755 bpfsec = map->security;
6316 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6756 ret = avc_has_perm(&selinux_state,
6757 sid, bpfsec->sid, SECCLASS_BPF,
6317 bpf_map_fmode_to_av(file->f_mode), NULL); 6758 bpf_map_fmode_to_av(file->f_mode), NULL);
6318 if (ret) 6759 if (ret)
6319 return ret; 6760 return ret;
6320 } else if (file->f_op == &bpf_prog_fops) { 6761 } else if (file->f_op == &bpf_prog_fops) {
6321 prog = file->private_data; 6762 prog = file->private_data;
6322 bpfsec = prog->aux->security; 6763 bpfsec = prog->aux->security;
6323 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6764 ret = avc_has_perm(&selinux_state,
6765 sid, bpfsec->sid, SECCLASS_BPF,
6324 BPF__PROG_RUN, NULL); 6766 BPF__PROG_RUN, NULL);
6325 if (ret) 6767 if (ret)
6326 return ret; 6768 return ret;
@@ -6334,7 +6776,8 @@ static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6334 struct bpf_security_struct *bpfsec; 6776 struct bpf_security_struct *bpfsec;
6335 6777
6336 bpfsec = map->security; 6778 bpfsec = map->security;
6337 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6779 return avc_has_perm(&selinux_state,
6780 sid, bpfsec->sid, SECCLASS_BPF,
6338 bpf_map_fmode_to_av(fmode), NULL); 6781 bpf_map_fmode_to_av(fmode), NULL);
6339} 6782}
6340 6783
@@ -6344,7 +6787,8 @@ static int selinux_bpf_prog(struct bpf_prog *prog)
6344 struct bpf_security_struct *bpfsec; 6787 struct bpf_security_struct *bpfsec;
6345 6788
6346 bpfsec = prog->aux->security; 6789 bpfsec = prog->aux->security;
6347 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6790 return avc_has_perm(&selinux_state,
6791 sid, bpfsec->sid, SECCLASS_BPF,
6348 BPF__PROG_RUN, NULL); 6792 BPF__PROG_RUN, NULL);
6349} 6793}
6350 6794
@@ -6563,6 +7007,9 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6563 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7007 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6564 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7008 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6565 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7009 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7010 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7011 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7012 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
6566 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7013 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6567 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7014 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6568 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7015 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
@@ -6638,6 +7085,12 @@ static __init int selinux_init(void)
6638 7085
6639 printk(KERN_INFO "SELinux: Initializing.\n"); 7086 printk(KERN_INFO "SELinux: Initializing.\n");
6640 7087
7088 memset(&selinux_state, 0, sizeof(selinux_state));
7089 enforcing_set(&selinux_state, selinux_enforcing_boot);
7090 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7091 selinux_ss_init(&selinux_state.ss);
7092 selinux_avc_init(&selinux_state.avc);
7093
6641 /* Set the security state for the initial task. */ 7094 /* Set the security state for the initial task. */
6642 cred_init_security(); 7095 cred_init_security();
6643 7096
@@ -6651,6 +7104,12 @@ static __init int selinux_init(void)
6651 0, SLAB_PANIC, NULL); 7104 0, SLAB_PANIC, NULL);
6652 avc_init(); 7105 avc_init();
6653 7106
7107 avtab_cache_init();
7108
7109 ebitmap_cache_init();
7110
7111 hashtab_cache_init();
7112
6654 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 7113 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
6655 7114
6656 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7115 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
@@ -6659,7 +7118,7 @@ static __init int selinux_init(void)
6659 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7118 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
6660 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7119 panic("SELinux: Unable to register AVC LSM notifier callback\n");
6661 7120
6662 if (selinux_enforcing) 7121 if (selinux_enforcing_boot)
6663 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 7122 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6664 else 7123 else
6665 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 7124 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
@@ -6780,23 +7239,22 @@ static void selinux_nf_ip_exit(void)
6780#endif /* CONFIG_NETFILTER */ 7239#endif /* CONFIG_NETFILTER */
6781 7240
6782#ifdef CONFIG_SECURITY_SELINUX_DISABLE 7241#ifdef CONFIG_SECURITY_SELINUX_DISABLE
6783static int selinux_disabled; 7242int selinux_disable(struct selinux_state *state)
6784
6785int selinux_disable(void)
6786{ 7243{
6787 if (ss_initialized) { 7244 if (state->initialized) {
6788 /* Not permitted after initial policy load. */ 7245 /* Not permitted after initial policy load. */
6789 return -EINVAL; 7246 return -EINVAL;
6790 } 7247 }
6791 7248
6792 if (selinux_disabled) { 7249 if (state->disabled) {
6793 /* Only do this once. */ 7250 /* Only do this once. */
6794 return -EINVAL; 7251 return -EINVAL;
6795 } 7252 }
6796 7253
7254 state->disabled = 1;
7255
6797 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 7256 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6798 7257
6799 selinux_disabled = 1;
6800 selinux_enabled = 0; 7258 selinux_enabled = 0;
6801 7259
6802 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 7260 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
generated by cgit v1.2.2 (git 2.25.0) at 2025-09-03 08:11:36 -0400