aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/hooks.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c1060
1 files changed, 768 insertions, 292 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8644d864e3c1..be5817df0a9d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -67,6 +67,8 @@
67#include <linux/tcp.h> 67#include <linux/tcp.h>
68#include <linux/udp.h> 68#include <linux/udp.h>
69#include <linux/dccp.h> 69#include <linux/dccp.h>
70#include <linux/sctp.h>
71#include <net/sctp/structs.h>
70#include <linux/quota.h> 72#include <linux/quota.h>
71#include <linux/un.h> /* for Unix socket types */ 73#include <linux/un.h> /* for Unix socket types */
72#include <net/af_unix.h> /* for Unix socket types */ 74#include <net/af_unix.h> /* for Unix socket types */
@@ -98,20 +100,24 @@
98#include "audit.h" 100#include "audit.h"
99#include "avc_ss.h" 101#include "avc_ss.h"
100 102
103struct selinux_state selinux_state;
104
101/* SECMARK reference count */ 105/* SECMARK reference count */
102static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 106static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103 107
104#ifdef CONFIG_SECURITY_SELINUX_DEVELOP 108#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105int selinux_enforcing; 109static int selinux_enforcing_boot;
106 110
107static int __init enforcing_setup(char *str) 111static int __init enforcing_setup(char *str)
108{ 112{
109 unsigned long enforcing; 113 unsigned long enforcing;
110 if (!kstrtoul(str, 0, &enforcing)) 114 if (!kstrtoul(str, 0, &enforcing))
111 selinux_enforcing = enforcing ? 1 : 0; 115 selinux_enforcing_boot = enforcing ? 1 : 0;
112 return 1; 116 return 1;
113} 117}
114__setup("enforcing=", enforcing_setup); 118__setup("enforcing=", enforcing_setup);
119#else
120#define selinux_enforcing_boot 1
115#endif 121#endif
116 122
117#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 123#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
@@ -129,6 +135,19 @@ __setup("selinux=", selinux_enabled_setup);
129int selinux_enabled = 1; 135int selinux_enabled = 1;
130#endif 136#endif
131 137
138static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140
141static int __init checkreqprot_setup(char *str)
142{
143 unsigned long checkreqprot;
144
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 return 1;
148}
149__setup("checkreqprot=", checkreqprot_setup);
150
132static struct kmem_cache *sel_inode_cache; 151static struct kmem_cache *sel_inode_cache;
133static struct kmem_cache *file_security_cache; 152static struct kmem_cache *file_security_cache;
134 153
@@ -145,7 +164,8 @@ static struct kmem_cache *file_security_cache;
145 */ 164 */
146static int selinux_secmark_enabled(void) 165static int selinux_secmark_enabled(void)
147{ 166{
148 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount)); 167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
149} 169}
150 170
151/** 171/**
@@ -160,7 +180,8 @@ static int selinux_secmark_enabled(void)
160 */ 180 */
161static int selinux_peerlbl_enabled(void) 181static int selinux_peerlbl_enabled(void)
162{ 182{
163 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled()); 183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
164} 185}
165 186
166static int selinux_netcache_avc_callback(u32 event) 187static int selinux_netcache_avc_callback(u32 event)
@@ -264,7 +285,8 @@ static int __inode_security_revalidate(struct inode *inode,
264 285
265 might_sleep_if(may_sleep); 286 might_sleep_if(may_sleep);
266 287
267 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) { 288 if (selinux_state.initialized &&
289 isec->initialized != LABEL_INITIALIZED) {
268 if (!may_sleep) 290 if (!may_sleep)
269 return -ECHILD; 291 return -ECHILD;
270 292
@@ -446,12 +468,14 @@ static int may_context_mount_sb_relabel(u32 sid,
446 const struct task_security_struct *tsec = cred->security; 468 const struct task_security_struct *tsec = cred->security;
447 int rc; 469 int rc;
448 470
449 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 471 rc = avc_has_perm(&selinux_state,
472 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450 FILESYSTEM__RELABELFROM, NULL); 473 FILESYSTEM__RELABELFROM, NULL);
451 if (rc) 474 if (rc)
452 return rc; 475 return rc;
453 476
454 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 477 rc = avc_has_perm(&selinux_state,
478 tsec->sid, sid, SECCLASS_FILESYSTEM,
455 FILESYSTEM__RELABELTO, NULL); 479 FILESYSTEM__RELABELTO, NULL);
456 return rc; 480 return rc;
457} 481}
@@ -462,12 +486,14 @@ static int may_context_mount_inode_relabel(u32 sid,
462{ 486{
463 const struct task_security_struct *tsec = cred->security; 487 const struct task_security_struct *tsec = cred->security;
464 int rc; 488 int rc;
465 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 489 rc = avc_has_perm(&selinux_state,
490 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
466 FILESYSTEM__RELABELFROM, NULL); 491 FILESYSTEM__RELABELFROM, NULL);
467 if (rc) 492 if (rc)
468 return rc; 493 return rc;
469 494
470 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 495 rc = avc_has_perm(&selinux_state,
496 sid, sbsec->sid, SECCLASS_FILESYSTEM,
471 FILESYSTEM__ASSOCIATE, NULL); 497 FILESYSTEM__ASSOCIATE, NULL);
472 return rc; 498 return rc;
473} 499}
@@ -486,7 +512,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
486 !strcmp(sb->s_type->name, "debugfs") || 512 !strcmp(sb->s_type->name, "debugfs") ||
487 !strcmp(sb->s_type->name, "tracefs") || 513 !strcmp(sb->s_type->name, "tracefs") ||
488 !strcmp(sb->s_type->name, "rootfs") || 514 !strcmp(sb->s_type->name, "rootfs") ||
489 (selinux_policycap_cgroupseclabel && 515 (selinux_policycap_cgroupseclabel() &&
490 (!strcmp(sb->s_type->name, "cgroup") || 516 (!strcmp(sb->s_type->name, "cgroup") ||
491 !strcmp(sb->s_type->name, "cgroup2"))); 517 !strcmp(sb->s_type->name, "cgroup2")));
492} 518}
@@ -586,7 +612,7 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
586 if (!(sbsec->flags & SE_SBINITIALIZED)) 612 if (!(sbsec->flags & SE_SBINITIALIZED))
587 return -EINVAL; 613 return -EINVAL;
588 614
589 if (!ss_initialized) 615 if (!selinux_state.initialized)
590 return -EINVAL; 616 return -EINVAL;
591 617
592 /* make sure we always check enough bits to cover the mask */ 618 /* make sure we always check enough bits to cover the mask */
@@ -617,21 +643,25 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
617 643
618 i = 0; 644 i = 0;
619 if (sbsec->flags & FSCONTEXT_MNT) { 645 if (sbsec->flags & FSCONTEXT_MNT) {
620 rc = security_sid_to_context(sbsec->sid, &context, &len); 646 rc = security_sid_to_context(&selinux_state, sbsec->sid,
647 &context, &len);
621 if (rc) 648 if (rc)
622 goto out_free; 649 goto out_free;
623 opts->mnt_opts[i] = context; 650 opts->mnt_opts[i] = context;
624 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 651 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
625 } 652 }
626 if (sbsec->flags & CONTEXT_MNT) { 653 if (sbsec->flags & CONTEXT_MNT) {
627 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); 654 rc = security_sid_to_context(&selinux_state,
655 sbsec->mntpoint_sid,
656 &context, &len);
628 if (rc) 657 if (rc)
629 goto out_free; 658 goto out_free;
630 opts->mnt_opts[i] = context; 659 opts->mnt_opts[i] = context;
631 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 660 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
632 } 661 }
633 if (sbsec->flags & DEFCONTEXT_MNT) { 662 if (sbsec->flags & DEFCONTEXT_MNT) {
634 rc = security_sid_to_context(sbsec->def_sid, &context, &len); 663 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
664 &context, &len);
635 if (rc) 665 if (rc)
636 goto out_free; 666 goto out_free;
637 opts->mnt_opts[i] = context; 667 opts->mnt_opts[i] = context;
@@ -641,7 +671,8 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
641 struct dentry *root = sbsec->sb->s_root; 671 struct dentry *root = sbsec->sb->s_root;
642 struct inode_security_struct *isec = backing_inode_security(root); 672 struct inode_security_struct *isec = backing_inode_security(root);
643 673
644 rc = security_sid_to_context(isec->sid, &context, &len); 674 rc = security_sid_to_context(&selinux_state, isec->sid,
675 &context, &len);
645 if (rc) 676 if (rc)
646 goto out_free; 677 goto out_free;
647 opts->mnt_opts[i] = context; 678 opts->mnt_opts[i] = context;
@@ -704,7 +735,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
704 735
705 mutex_lock(&sbsec->lock); 736 mutex_lock(&sbsec->lock);
706 737
707 if (!ss_initialized) { 738 if (!selinux_state.initialized) {
708 if (!num_opts) { 739 if (!num_opts) {
709 /* Defer initialization until selinux_complete_init, 740 /* Defer initialization until selinux_complete_init,
710 after the initial policy is loaded and the security 741 after the initial policy is loaded and the security
@@ -750,7 +781,9 @@ static int selinux_set_mnt_opts(struct super_block *sb,
750 781
751 if (flags[i] == SBLABEL_MNT) 782 if (flags[i] == SBLABEL_MNT)
752 continue; 783 continue;
753 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 784 rc = security_context_str_to_sid(&selinux_state,
785 mount_options[i], &sid,
786 GFP_KERNEL);
754 if (rc) { 787 if (rc) {
755 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 788 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
756 "(%s) failed for (dev %s, type %s) errno=%d\n", 789 "(%s) failed for (dev %s, type %s) errno=%d\n",
@@ -826,7 +859,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
826 * Determine the labeling behavior to use for this 859 * Determine the labeling behavior to use for this
827 * filesystem type. 860 * filesystem type.
828 */ 861 */
829 rc = security_fs_use(sb); 862 rc = security_fs_use(&selinux_state, sb);
830 if (rc) { 863 if (rc) {
831 printk(KERN_WARNING 864 printk(KERN_WARNING
832 "%s: security_fs_use(%s) returned %d\n", 865 "%s: security_fs_use(%s) returned %d\n",
@@ -851,7 +884,9 @@ static int selinux_set_mnt_opts(struct super_block *sb,
851 } 884 }
852 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 885 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
853 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 886 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
854 rc = security_transition_sid(current_sid(), current_sid(), 887 rc = security_transition_sid(&selinux_state,
888 current_sid(),
889 current_sid(),
855 SECCLASS_FILE, NULL, 890 SECCLASS_FILE, NULL,
856 &sbsec->mntpoint_sid); 891 &sbsec->mntpoint_sid);
857 if (rc) 892 if (rc)
@@ -987,7 +1022,7 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
987 * if the parent was able to be mounted it clearly had no special lsm 1022 * if the parent was able to be mounted it clearly had no special lsm
988 * mount options. thus we can safely deal with this superblock later 1023 * mount options. thus we can safely deal with this superblock later
989 */ 1024 */
990 if (!ss_initialized) 1025 if (!selinux_state.initialized)
991 return 0; 1026 return 0;
992 1027
993 /* 1028 /*
@@ -1014,7 +1049,7 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1014 1049
1015 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 1050 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1016 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 1051 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1017 rc = security_fs_use(newsb); 1052 rc = security_fs_use(&selinux_state, newsb);
1018 if (rc) 1053 if (rc)
1019 goto out; 1054 goto out;
1020 } 1055 }
@@ -1297,7 +1332,7 @@ static inline int default_protocol_dgram(int protocol)
1297 1332
1298static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1333static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1299{ 1334{
1300 int extsockclass = selinux_policycap_extsockclass; 1335 int extsockclass = selinux_policycap_extsockclass();
1301 1336
1302 switch (family) { 1337 switch (family) {
1303 case PF_UNIX: 1338 case PF_UNIX:
@@ -1471,7 +1506,8 @@ static int selinux_genfs_get_sid(struct dentry *dentry,
1471 path++; 1506 path++;
1472 } 1507 }
1473 } 1508 }
1474 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid); 1509 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1510 path, tclass, sid);
1475 } 1511 }
1476 free_page((unsigned long)buffer); 1512 free_page((unsigned long)buffer);
1477 return rc; 1513 return rc;
@@ -1589,7 +1625,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1589 sid = sbsec->def_sid; 1625 sid = sbsec->def_sid;
1590 rc = 0; 1626 rc = 0;
1591 } else { 1627 } else {
1592 rc = security_context_to_sid_default(context, rc, &sid, 1628 rc = security_context_to_sid_default(&selinux_state,
1629 context, rc, &sid,
1593 sbsec->def_sid, 1630 sbsec->def_sid,
1594 GFP_NOFS); 1631 GFP_NOFS);
1595 if (rc) { 1632 if (rc) {
@@ -1622,7 +1659,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1622 sid = sbsec->sid; 1659 sid = sbsec->sid;
1623 1660
1624 /* Try to obtain a transition SID. */ 1661 /* Try to obtain a transition SID. */
1625 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid); 1662 rc = security_transition_sid(&selinux_state, task_sid, sid,
1663 sclass, NULL, &sid);
1626 if (rc) 1664 if (rc)
1627 goto out; 1665 goto out;
1628 break; 1666 break;
@@ -1740,9 +1778,11 @@ static int cred_has_capability(const struct cred *cred,
1740 return -EINVAL; 1778 return -EINVAL;
1741 } 1779 }
1742 1780
1743 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1781 rc = avc_has_perm_noaudit(&selinux_state,
1782 sid, sid, sclass, av, 0, &avd);
1744 if (audit == SECURITY_CAP_AUDIT) { 1783 if (audit == SECURITY_CAP_AUDIT) {
1745 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); 1784 int rc2 = avc_audit(&selinux_state,
1785 sid, sid, sclass, av, &avd, rc, &ad, 0);
1746 if (rc2) 1786 if (rc2)
1747 return rc2; 1787 return rc2;
1748 } 1788 }
@@ -1768,7 +1808,8 @@ static int inode_has_perm(const struct cred *cred,
1768 sid = cred_sid(cred); 1808 sid = cred_sid(cred);
1769 isec = inode->i_security; 1809 isec = inode->i_security;
1770 1810
1771 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1811 return avc_has_perm(&selinux_state,
1812 sid, isec->sid, isec->sclass, perms, adp);
1772} 1813}
1773 1814
1774/* Same as inode_has_perm, but pass explicit audit data containing 1815/* Same as inode_has_perm, but pass explicit audit data containing
@@ -1841,7 +1882,8 @@ static int file_has_perm(const struct cred *cred,
1841 ad.u.file = file; 1882 ad.u.file = file;
1842 1883
1843 if (sid != fsec->sid) { 1884 if (sid != fsec->sid) {
1844 rc = avc_has_perm(sid, fsec->sid, 1885 rc = avc_has_perm(&selinux_state,
1886 sid, fsec->sid,
1845 SECCLASS_FD, 1887 SECCLASS_FD,
1846 FD__USE, 1888 FD__USE,
1847 &ad); 1889 &ad);
@@ -1883,7 +1925,8 @@ selinux_determine_inode_label(const struct task_security_struct *tsec,
1883 *_new_isid = tsec->create_sid; 1925 *_new_isid = tsec->create_sid;
1884 } else { 1926 } else {
1885 const struct inode_security_struct *dsec = inode_security(dir); 1927 const struct inode_security_struct *dsec = inode_security(dir);
1886 return security_transition_sid(tsec->sid, dsec->sid, tclass, 1928 return security_transition_sid(&selinux_state, tsec->sid,
1929 dsec->sid, tclass,
1887 name, _new_isid); 1930 name, _new_isid);
1888 } 1931 }
1889 1932
@@ -1910,7 +1953,8 @@ static int may_create(struct inode *dir,
1910 ad.type = LSM_AUDIT_DATA_DENTRY; 1953 ad.type = LSM_AUDIT_DATA_DENTRY;
1911 ad.u.dentry = dentry; 1954 ad.u.dentry = dentry;
1912 1955
1913 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1956 rc = avc_has_perm(&selinux_state,
1957 sid, dsec->sid, SECCLASS_DIR,
1914 DIR__ADD_NAME | DIR__SEARCH, 1958 DIR__ADD_NAME | DIR__SEARCH,
1915 &ad); 1959 &ad);
1916 if (rc) 1960 if (rc)
@@ -1921,11 +1965,13 @@ static int may_create(struct inode *dir,
1921 if (rc) 1965 if (rc)
1922 return rc; 1966 return rc;
1923 1967
1924 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1968 rc = avc_has_perm(&selinux_state,
1969 sid, newsid, tclass, FILE__CREATE, &ad);
1925 if (rc) 1970 if (rc)
1926 return rc; 1971 return rc;
1927 1972
1928 return avc_has_perm(newsid, sbsec->sid, 1973 return avc_has_perm(&selinux_state,
1974 newsid, sbsec->sid,
1929 SECCLASS_FILESYSTEM, 1975 SECCLASS_FILESYSTEM,
1930 FILESYSTEM__ASSOCIATE, &ad); 1976 FILESYSTEM__ASSOCIATE, &ad);
1931} 1977}
@@ -1954,7 +2000,8 @@ static int may_link(struct inode *dir,
1954 2000
1955 av = DIR__SEARCH; 2001 av = DIR__SEARCH;
1956 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 2002 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1957 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 2003 rc = avc_has_perm(&selinux_state,
2004 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1958 if (rc) 2005 if (rc)
1959 return rc; 2006 return rc;
1960 2007
@@ -1974,7 +2021,8 @@ static int may_link(struct inode *dir,
1974 return 0; 2021 return 0;
1975 } 2022 }
1976 2023
1977 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 2024 rc = avc_has_perm(&selinux_state,
2025 sid, isec->sid, isec->sclass, av, &ad);
1978 return rc; 2026 return rc;
1979} 2027}
1980 2028
@@ -1998,16 +2046,19 @@ static inline int may_rename(struct inode *old_dir,
1998 ad.type = LSM_AUDIT_DATA_DENTRY; 2046 ad.type = LSM_AUDIT_DATA_DENTRY;
1999 2047
2000 ad.u.dentry = old_dentry; 2048 ad.u.dentry = old_dentry;
2001 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 2049 rc = avc_has_perm(&selinux_state,
2050 sid, old_dsec->sid, SECCLASS_DIR,
2002 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 2051 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2003 if (rc) 2052 if (rc)
2004 return rc; 2053 return rc;
2005 rc = avc_has_perm(sid, old_isec->sid, 2054 rc = avc_has_perm(&selinux_state,
2055 sid, old_isec->sid,
2006 old_isec->sclass, FILE__RENAME, &ad); 2056 old_isec->sclass, FILE__RENAME, &ad);
2007 if (rc) 2057 if (rc)
2008 return rc; 2058 return rc;
2009 if (old_is_dir && new_dir != old_dir) { 2059 if (old_is_dir && new_dir != old_dir) {
2010 rc = avc_has_perm(sid, old_isec->sid, 2060 rc = avc_has_perm(&selinux_state,
2061 sid, old_isec->sid,
2011 old_isec->sclass, DIR__REPARENT, &ad); 2062 old_isec->sclass, DIR__REPARENT, &ad);
2012 if (rc) 2063 if (rc)
2013 return rc; 2064 return rc;
@@ -2017,13 +2068,15 @@ static inline int may_rename(struct inode *old_dir,
2017 av = DIR__ADD_NAME | DIR__SEARCH; 2068 av = DIR__ADD_NAME | DIR__SEARCH;
2018 if (d_is_positive(new_dentry)) 2069 if (d_is_positive(new_dentry))
2019 av |= DIR__REMOVE_NAME; 2070 av |= DIR__REMOVE_NAME;
2020 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 2071 rc = avc_has_perm(&selinux_state,
2072 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2021 if (rc) 2073 if (rc)
2022 return rc; 2074 return rc;
2023 if (d_is_positive(new_dentry)) { 2075 if (d_is_positive(new_dentry)) {
2024 new_isec = backing_inode_security(new_dentry); 2076 new_isec = backing_inode_security(new_dentry);
2025 new_is_dir = d_is_dir(new_dentry); 2077 new_is_dir = d_is_dir(new_dentry);
2026 rc = avc_has_perm(sid, new_isec->sid, 2078 rc = avc_has_perm(&selinux_state,
2079 sid, new_isec->sid,
2027 new_isec->sclass, 2080 new_isec->sclass,
2028 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 2081 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2029 if (rc) 2082 if (rc)
@@ -2043,7 +2096,8 @@ static int superblock_has_perm(const struct cred *cred,
2043 u32 sid = cred_sid(cred); 2096 u32 sid = cred_sid(cred);
2044 2097
2045 sbsec = sb->s_security; 2098 sbsec = sb->s_security;
2046 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 2099 return avc_has_perm(&selinux_state,
2100 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2047} 2101}
2048 2102
2049/* Convert a Linux mode and permission mask to an access vector. */ 2103/* Convert a Linux mode and permission mask to an access vector. */
@@ -2106,7 +2160,8 @@ static inline u32 open_file_to_av(struct file *file)
2106 u32 av = file_to_av(file); 2160 u32 av = file_to_av(file);
2107 struct inode *inode = file_inode(file); 2161 struct inode *inode = file_inode(file);
2108 2162
2109 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC) 2163 if (selinux_policycap_openperm() &&
2164 inode->i_sb->s_magic != SOCKFS_MAGIC)
2110 av |= FILE__OPEN; 2165 av |= FILE__OPEN;
2111 2166
2112 return av; 2167 return av;
@@ -2119,7 +2174,8 @@ static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2119 u32 mysid = current_sid(); 2174 u32 mysid = current_sid();
2120 u32 mgrsid = task_sid(mgr); 2175 u32 mgrsid = task_sid(mgr);
2121 2176
2122 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, 2177 return avc_has_perm(&selinux_state,
2178 mysid, mgrsid, SECCLASS_BINDER,
2123 BINDER__SET_CONTEXT_MGR, NULL); 2179 BINDER__SET_CONTEXT_MGR, NULL);
2124} 2180}
2125 2181
@@ -2132,13 +2188,15 @@ static int selinux_binder_transaction(struct task_struct *from,
2132 int rc; 2188 int rc;
2133 2189
2134 if (mysid != fromsid) { 2190 if (mysid != fromsid) {
2135 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, 2191 rc = avc_has_perm(&selinux_state,
2192 mysid, fromsid, SECCLASS_BINDER,
2136 BINDER__IMPERSONATE, NULL); 2193 BINDER__IMPERSONATE, NULL);
2137 if (rc) 2194 if (rc)
2138 return rc; 2195 return rc;
2139 } 2196 }
2140 2197
2141 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2198 return avc_has_perm(&selinux_state,
2199 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2142 NULL); 2200 NULL);
2143} 2201}
2144 2202
@@ -2148,7 +2206,8 @@ static int selinux_binder_transfer_binder(struct task_struct *from,
2148 u32 fromsid = task_sid(from); 2206 u32 fromsid = task_sid(from);
2149 u32 tosid = task_sid(to); 2207 u32 tosid = task_sid(to);
2150 2208
2151 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2209 return avc_has_perm(&selinux_state,
2210 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2152 NULL); 2211 NULL);
2153} 2212}
2154 2213
@@ -2167,7 +2226,8 @@ static int selinux_binder_transfer_file(struct task_struct *from,
2167 ad.u.path = file->f_path; 2226 ad.u.path = file->f_path;
2168 2227
2169 if (sid != fsec->sid) { 2228 if (sid != fsec->sid) {
2170 rc = avc_has_perm(sid, fsec->sid, 2229 rc = avc_has_perm(&selinux_state,
2230 sid, fsec->sid,
2171 SECCLASS_FD, 2231 SECCLASS_FD,
2172 FD__USE, 2232 FD__USE,
2173 &ad); 2233 &ad);
@@ -2185,7 +2245,8 @@ static int selinux_binder_transfer_file(struct task_struct *from,
2185 return 0; 2245 return 0;
2186 2246
2187 isec = backing_inode_security(dentry); 2247 isec = backing_inode_security(dentry);
2188 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), 2248 return avc_has_perm(&selinux_state,
2249 sid, isec->sid, isec->sclass, file_to_av(file),
2189 &ad); 2250 &ad);
2190} 2251}
2191 2252
@@ -2196,21 +2257,25 @@ static int selinux_ptrace_access_check(struct task_struct *child,
2196 u32 csid = task_sid(child); 2257 u32 csid = task_sid(child);
2197 2258
2198 if (mode & PTRACE_MODE_READ) 2259 if (mode & PTRACE_MODE_READ)
2199 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2260 return avc_has_perm(&selinux_state,
2261 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2200 2262
2201 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2263 return avc_has_perm(&selinux_state,
2264 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2202} 2265}
2203 2266
2204static int selinux_ptrace_traceme(struct task_struct *parent) 2267static int selinux_ptrace_traceme(struct task_struct *parent)
2205{ 2268{
2206 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS, 2269 return avc_has_perm(&selinux_state,
2270 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2207 PROCESS__PTRACE, NULL); 2271 PROCESS__PTRACE, NULL);
2208} 2272}
2209 2273
2210static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2274static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2211 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2275 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2212{ 2276{
2213 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS, 2277 return avc_has_perm(&selinux_state,
2278 current_sid(), task_sid(target), SECCLASS_PROCESS,
2214 PROCESS__GETCAP, NULL); 2279 PROCESS__GETCAP, NULL);
2215} 2280}
2216 2281
@@ -2219,7 +2284,8 @@ static int selinux_capset(struct cred *new, const struct cred *old,
2219 const kernel_cap_t *inheritable, 2284 const kernel_cap_t *inheritable,
2220 const kernel_cap_t *permitted) 2285 const kernel_cap_t *permitted)
2221{ 2286{
2222 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2287 return avc_has_perm(&selinux_state,
2288 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2223 PROCESS__SETCAP, NULL); 2289 PROCESS__SETCAP, NULL);
2224} 2290}
2225 2291
@@ -2279,18 +2345,21 @@ static int selinux_syslog(int type)
2279 switch (type) { 2345 switch (type) {
2280 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2346 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2281 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2347 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2282 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2348 return avc_has_perm(&selinux_state,
2349 current_sid(), SECINITSID_KERNEL,
2283 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2350 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2284 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2351 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2285 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2352 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2286 /* Set level of messages printed to console */ 2353 /* Set level of messages printed to console */
2287 case SYSLOG_ACTION_CONSOLE_LEVEL: 2354 case SYSLOG_ACTION_CONSOLE_LEVEL:
2288 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2355 return avc_has_perm(&selinux_state,
2356 current_sid(), SECINITSID_KERNEL,
2289 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2357 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2290 NULL); 2358 NULL);
2291 } 2359 }
2292 /* All other syslog types */ 2360 /* All other syslog types */
2293 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2361 return avc_has_perm(&selinux_state,
2362 current_sid(), SECINITSID_KERNEL,
2294 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2363 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2295} 2364}
2296 2365
@@ -2351,13 +2420,14 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm,
2351 * policy allows the corresponding permission between 2420 * policy allows the corresponding permission between
2352 * the old and new contexts. 2421 * the old and new contexts.
2353 */ 2422 */
2354 if (selinux_policycap_nnp_nosuid_transition) { 2423 if (selinux_policycap_nnp_nosuid_transition()) {
2355 av = 0; 2424 av = 0;
2356 if (nnp) 2425 if (nnp)
2357 av |= PROCESS2__NNP_TRANSITION; 2426 av |= PROCESS2__NNP_TRANSITION;
2358 if (nosuid) 2427 if (nosuid)
2359 av |= PROCESS2__NOSUID_TRANSITION; 2428 av |= PROCESS2__NOSUID_TRANSITION;
2360 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2429 rc = avc_has_perm(&selinux_state,
2430 old_tsec->sid, new_tsec->sid,
2361 SECCLASS_PROCESS2, av, NULL); 2431 SECCLASS_PROCESS2, av, NULL);
2362 if (!rc) 2432 if (!rc)
2363 return 0; 2433 return 0;
@@ -2368,7 +2438,8 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm,
2368 * i.e. SIDs that are guaranteed to only be allowed a subset 2438 * i.e. SIDs that are guaranteed to only be allowed a subset
2369 * of the permissions of the current SID. 2439 * of the permissions of the current SID.
2370 */ 2440 */
2371 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); 2441 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2442 new_tsec->sid);
2372 if (!rc) 2443 if (!rc)
2373 return 0; 2444 return 0;
2374 2445
@@ -2420,8 +2491,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2420 return rc; 2491 return rc;
2421 } else { 2492 } else {
2422 /* Check for a default transition on this program. */ 2493 /* Check for a default transition on this program. */
2423 rc = security_transition_sid(old_tsec->sid, isec->sid, 2494 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2424 SECCLASS_PROCESS, NULL, 2495 isec->sid, SECCLASS_PROCESS, NULL,
2425 &new_tsec->sid); 2496 &new_tsec->sid);
2426 if (rc) 2497 if (rc)
2427 return rc; 2498 return rc;
@@ -2439,25 +2510,29 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2439 ad.u.file = bprm->file; 2510 ad.u.file = bprm->file;
2440 2511
2441 if (new_tsec->sid == old_tsec->sid) { 2512 if (new_tsec->sid == old_tsec->sid) {
2442 rc = avc_has_perm(old_tsec->sid, isec->sid, 2513 rc = avc_has_perm(&selinux_state,
2514 old_tsec->sid, isec->sid,
2443 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2515 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2444 if (rc) 2516 if (rc)
2445 return rc; 2517 return rc;
2446 } else { 2518 } else {
2447 /* Check permissions for the transition. */ 2519 /* Check permissions for the transition. */
2448 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2520 rc = avc_has_perm(&selinux_state,
2521 old_tsec->sid, new_tsec->sid,
2449 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2522 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2450 if (rc) 2523 if (rc)
2451 return rc; 2524 return rc;
2452 2525
2453 rc = avc_has_perm(new_tsec->sid, isec->sid, 2526 rc = avc_has_perm(&selinux_state,
2527 new_tsec->sid, isec->sid,
2454 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2528 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2455 if (rc) 2529 if (rc)
2456 return rc; 2530 return rc;
2457 2531
2458 /* Check for shared state */ 2532 /* Check for shared state */
2459 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2533 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2460 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2534 rc = avc_has_perm(&selinux_state,
2535 old_tsec->sid, new_tsec->sid,
2461 SECCLASS_PROCESS, PROCESS__SHARE, 2536 SECCLASS_PROCESS, PROCESS__SHARE,
2462 NULL); 2537 NULL);
2463 if (rc) 2538 if (rc)
@@ -2469,7 +2544,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2469 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2544 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2470 u32 ptsid = ptrace_parent_sid(); 2545 u32 ptsid = ptrace_parent_sid();
2471 if (ptsid != 0) { 2546 if (ptsid != 0) {
2472 rc = avc_has_perm(ptsid, new_tsec->sid, 2547 rc = avc_has_perm(&selinux_state,
2548 ptsid, new_tsec->sid,
2473 SECCLASS_PROCESS, 2549 SECCLASS_PROCESS,
2474 PROCESS__PTRACE, NULL); 2550 PROCESS__PTRACE, NULL);
2475 if (rc) 2551 if (rc)
@@ -2483,7 +2559,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2483 /* Enable secure mode for SIDs transitions unless 2559 /* Enable secure mode for SIDs transitions unless
2484 the noatsecure permission is granted between 2560 the noatsecure permission is granted between
2485 the two SIDs, i.e. ahp returns 0. */ 2561 the two SIDs, i.e. ahp returns 0. */
2486 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2562 rc = avc_has_perm(&selinux_state,
2563 old_tsec->sid, new_tsec->sid,
2487 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2564 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2488 NULL); 2565 NULL);
2489 bprm->secureexec |= !!rc; 2566 bprm->secureexec |= !!rc;
@@ -2575,7 +2652,8 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2575 * higher than the default soft limit for cases where the default is 2652 * higher than the default soft limit for cases where the default is
2576 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2653 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2577 */ 2654 */
2578 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2655 rc = avc_has_perm(&selinux_state,
2656 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2579 PROCESS__RLIMITINH, NULL); 2657 PROCESS__RLIMITINH, NULL);
2580 if (rc) { 2658 if (rc) {
2581 /* protect against do_prlimit() */ 2659 /* protect against do_prlimit() */
@@ -2615,7 +2693,8 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2615 * This must occur _after_ the task SID has been updated so that any 2693 * This must occur _after_ the task SID has been updated so that any
2616 * kill done after the flush will be checked against the new SID. 2694 * kill done after the flush will be checked against the new SID.
2617 */ 2695 */
2618 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2696 rc = avc_has_perm(&selinux_state,
2697 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2619 if (rc) { 2698 if (rc) {
2620 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) { 2699 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2621 memset(&itimer, 0, sizeof itimer); 2700 memset(&itimer, 0, sizeof itimer);
@@ -2779,7 +2858,9 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
2779 2858
2780 if (flags[i] == SBLABEL_MNT) 2859 if (flags[i] == SBLABEL_MNT)
2781 continue; 2860 continue;
2782 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 2861 rc = security_context_str_to_sid(&selinux_state,
2862 mount_options[i], &sid,
2863 GFP_KERNEL);
2783 if (rc) { 2864 if (rc) {
2784 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 2865 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2785 "(%s) failed for (dev %s, type %s) errno=%d\n", 2866 "(%s) failed for (dev %s, type %s) errno=%d\n",
@@ -2904,7 +2985,8 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2904 if (rc) 2985 if (rc)
2905 return rc; 2986 return rc;
2906 2987
2907 return security_sid_to_context(newsid, (char **)ctx, ctxlen); 2988 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2989 ctxlen);
2908} 2990}
2909 2991
2910static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2992static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
@@ -2958,14 +3040,15 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2958 isec->initialized = LABEL_INITIALIZED; 3040 isec->initialized = LABEL_INITIALIZED;
2959 } 3041 }
2960 3042
2961 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT)) 3043 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
2962 return -EOPNOTSUPP; 3044 return -EOPNOTSUPP;
2963 3045
2964 if (name) 3046 if (name)
2965 *name = XATTR_SELINUX_SUFFIX; 3047 *name = XATTR_SELINUX_SUFFIX;
2966 3048
2967 if (value && len) { 3049 if (value && len) {
2968 rc = security_sid_to_context_force(newsid, &context, &clen); 3050 rc = security_sid_to_context_force(&selinux_state, newsid,
3051 &context, &clen);
2969 if (rc) 3052 if (rc)
2970 return rc; 3053 return rc;
2971 *value = context; 3054 *value = context;
@@ -3040,7 +3123,8 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3040 if (IS_ERR(isec)) 3123 if (IS_ERR(isec))
3041 return PTR_ERR(isec); 3124 return PTR_ERR(isec);
3042 3125
3043 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad, 3126 return avc_has_perm_flags(&selinux_state,
3127 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3044 rcu ? MAY_NOT_BLOCK : 0); 3128 rcu ? MAY_NOT_BLOCK : 0);
3045} 3129}
3046 3130
@@ -3056,7 +3140,8 @@ static noinline int audit_inode_permission(struct inode *inode,
3056 ad.type = LSM_AUDIT_DATA_INODE; 3140 ad.type = LSM_AUDIT_DATA_INODE;
3057 ad.u.inode = inode; 3141 ad.u.inode = inode;
3058 3142
3059 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 3143 rc = slow_avc_audit(&selinux_state,
3144 current_sid(), isec->sid, isec->sclass, perms,
3060 audited, denied, result, &ad, flags); 3145 audited, denied, result, &ad, flags);
3061 if (rc) 3146 if (rc)
3062 return rc; 3147 return rc;
@@ -3094,7 +3179,8 @@ static int selinux_inode_permission(struct inode *inode, int mask)
3094 if (IS_ERR(isec)) 3179 if (IS_ERR(isec))
3095 return PTR_ERR(isec); 3180 return PTR_ERR(isec);
3096 3181
3097 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); 3182 rc = avc_has_perm_noaudit(&selinux_state,
3183 sid, isec->sid, isec->sclass, perms, 0, &avd);
3098 audited = avc_audit_required(perms, &avd, rc, 3184 audited = avc_audit_required(perms, &avd, rc,
3099 from_access ? FILE__AUDIT_ACCESS : 0, 3185 from_access ? FILE__AUDIT_ACCESS : 0,
3100 &denied); 3186 &denied);
@@ -3126,7 +3212,7 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3126 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3212 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3127 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3213 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3128 3214
3129 if (selinux_policycap_openperm && 3215 if (selinux_policycap_openperm() &&
3130 inode->i_sb->s_magic != SOCKFS_MAGIC && 3216 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3131 (ia_valid & ATTR_SIZE) && 3217 (ia_valid & ATTR_SIZE) &&
3132 !(ia_valid & ATTR_FILE)) 3218 !(ia_valid & ATTR_FILE))
@@ -3183,12 +3269,14 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3183 ad.u.dentry = dentry; 3269 ad.u.dentry = dentry;
3184 3270
3185 isec = backing_inode_security(dentry); 3271 isec = backing_inode_security(dentry);
3186 rc = avc_has_perm(sid, isec->sid, isec->sclass, 3272 rc = avc_has_perm(&selinux_state,
3273 sid, isec->sid, isec->sclass,
3187 FILE__RELABELFROM, &ad); 3274 FILE__RELABELFROM, &ad);
3188 if (rc) 3275 if (rc)
3189 return rc; 3276 return rc;
3190 3277
3191 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3278 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3279 GFP_KERNEL);
3192 if (rc == -EINVAL) { 3280 if (rc == -EINVAL) {
3193 if (!has_cap_mac_admin(true)) { 3281 if (!has_cap_mac_admin(true)) {
3194 struct audit_buffer *ab; 3282 struct audit_buffer *ab;
@@ -3213,22 +3301,25 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3213 3301
3214 return rc; 3302 return rc;
3215 } 3303 }
3216 rc = security_context_to_sid_force(value, size, &newsid); 3304 rc = security_context_to_sid_force(&selinux_state, value,
3305 size, &newsid);
3217 } 3306 }
3218 if (rc) 3307 if (rc)
3219 return rc; 3308 return rc;
3220 3309
3221 rc = avc_has_perm(sid, newsid, isec->sclass, 3310 rc = avc_has_perm(&selinux_state,
3311 sid, newsid, isec->sclass,
3222 FILE__RELABELTO, &ad); 3312 FILE__RELABELTO, &ad);
3223 if (rc) 3313 if (rc)
3224 return rc; 3314 return rc;
3225 3315
3226 rc = security_validate_transition(isec->sid, newsid, sid, 3316 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3227 isec->sclass); 3317 sid, isec->sclass);
3228 if (rc) 3318 if (rc)
3229 return rc; 3319 return rc;
3230 3320
3231 return avc_has_perm(newsid, 3321 return avc_has_perm(&selinux_state,
3322 newsid,
3232 sbsec->sid, 3323 sbsec->sid,
3233 SECCLASS_FILESYSTEM, 3324 SECCLASS_FILESYSTEM,
3234 FILESYSTEM__ASSOCIATE, 3325 FILESYSTEM__ASSOCIATE,
@@ -3249,7 +3340,8 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3249 return; 3340 return;
3250 } 3341 }
3251 3342
3252 rc = security_context_to_sid_force(value, size, &newsid); 3343 rc = security_context_to_sid_force(&selinux_state, value, size,
3344 &newsid);
3253 if (rc) { 3345 if (rc) {
3254 printk(KERN_ERR "SELinux: unable to map context to SID" 3346 printk(KERN_ERR "SELinux: unable to map context to SID"
3255 "for (%s, %lu), rc=%d\n", 3347 "for (%s, %lu), rc=%d\n",
@@ -3324,10 +3416,12 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void
3324 */ 3416 */
3325 isec = inode_security(inode); 3417 isec = inode_security(inode);
3326 if (has_cap_mac_admin(false)) 3418 if (has_cap_mac_admin(false))
3327 error = security_sid_to_context_force(isec->sid, &context, 3419 error = security_sid_to_context_force(&selinux_state,
3420 isec->sid, &context,
3328 &size); 3421 &size);
3329 else 3422 else
3330 error = security_sid_to_context(isec->sid, &context, &size); 3423 error = security_sid_to_context(&selinux_state, isec->sid,
3424 &context, &size);
3331 if (error) 3425 if (error)
3332 return error; 3426 return error;
3333 error = size; 3427 error = size;
@@ -3353,7 +3447,8 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3353 if (!value || !size) 3447 if (!value || !size)
3354 return -EACCES; 3448 return -EACCES;
3355 3449
3356 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3450 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3451 GFP_KERNEL);
3357 if (rc) 3452 if (rc)
3358 return rc; 3453 return rc;
3359 3454
@@ -3442,7 +3537,7 @@ static int selinux_file_permission(struct file *file, int mask)
3442 3537
3443 isec = inode_security(inode); 3538 isec = inode_security(inode);
3444 if (sid == fsec->sid && fsec->isid == isec->sid && 3539 if (sid == fsec->sid && fsec->isid == isec->sid &&
3445 fsec->pseqno == avc_policy_seqno()) 3540 fsec->pseqno == avc_policy_seqno(&selinux_state))
3446 /* No change since file_open check. */ 3541 /* No change since file_open check. */
3447 return 0; 3542 return 0;
3448 3543
@@ -3482,7 +3577,8 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file,
3482 ad.u.op->path = file->f_path; 3577 ad.u.op->path = file->f_path;
3483 3578
3484 if (ssid != fsec->sid) { 3579 if (ssid != fsec->sid) {
3485 rc = avc_has_perm(ssid, fsec->sid, 3580 rc = avc_has_perm(&selinux_state,
3581 ssid, fsec->sid,
3486 SECCLASS_FD, 3582 SECCLASS_FD,
3487 FD__USE, 3583 FD__USE,
3488 &ad); 3584 &ad);
@@ -3494,8 +3590,9 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file,
3494 return 0; 3590 return 0;
3495 3591
3496 isec = inode_security(inode); 3592 isec = inode_security(inode);
3497 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, 3593 rc = avc_has_extended_perms(&selinux_state,
3498 requested, driver, xperm, &ad); 3594 ssid, isec->sid, isec->sclass,
3595 requested, driver, xperm, &ad);
3499out: 3596out:
3500 return rc; 3597 return rc;
3501} 3598}
@@ -3563,7 +3660,8 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
3563 * private file mapping that will also be writable. 3660 * private file mapping that will also be writable.
3564 * This has an additional check. 3661 * This has an additional check.
3565 */ 3662 */
3566 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3663 rc = avc_has_perm(&selinux_state,
3664 sid, sid, SECCLASS_PROCESS,
3567 PROCESS__EXECMEM, NULL); 3665 PROCESS__EXECMEM, NULL);
3568 if (rc) 3666 if (rc)
3569 goto error; 3667 goto error;
@@ -3593,7 +3691,8 @@ static int selinux_mmap_addr(unsigned long addr)
3593 3691
3594 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3692 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3595 u32 sid = current_sid(); 3693 u32 sid = current_sid();
3596 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3694 rc = avc_has_perm(&selinux_state,
3695 sid, sid, SECCLASS_MEMPROTECT,
3597 MEMPROTECT__MMAP_ZERO, NULL); 3696 MEMPROTECT__MMAP_ZERO, NULL);
3598 } 3697 }
3599 3698
@@ -3615,7 +3714,7 @@ static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3615 return rc; 3714 return rc;
3616 } 3715 }
3617 3716
3618 if (selinux_checkreqprot) 3717 if (selinux_state.checkreqprot)
3619 prot = reqprot; 3718 prot = reqprot;
3620 3719
3621 return file_map_prot_check(file, prot, 3720 return file_map_prot_check(file, prot,
@@ -3629,7 +3728,7 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
3629 const struct cred *cred = current_cred(); 3728 const struct cred *cred = current_cred();
3630 u32 sid = cred_sid(cred); 3729 u32 sid = cred_sid(cred);
3631 3730
3632 if (selinux_checkreqprot) 3731 if (selinux_state.checkreqprot)
3633 prot = reqprot; 3732 prot = reqprot;
3634 3733
3635 if (default_noexec && 3734 if (default_noexec &&
@@ -3637,13 +3736,15 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
3637 int rc = 0; 3736 int rc = 0;
3638 if (vma->vm_start >= vma->vm_mm->start_brk && 3737 if (vma->vm_start >= vma->vm_mm->start_brk &&
3639 vma->vm_end <= vma->vm_mm->brk) { 3738 vma->vm_end <= vma->vm_mm->brk) {
3640 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3739 rc = avc_has_perm(&selinux_state,
3740 sid, sid, SECCLASS_PROCESS,
3641 PROCESS__EXECHEAP, NULL); 3741 PROCESS__EXECHEAP, NULL);
3642 } else if (!vma->vm_file && 3742 } else if (!vma->vm_file &&
3643 ((vma->vm_start <= vma->vm_mm->start_stack && 3743 ((vma->vm_start <= vma->vm_mm->start_stack &&
3644 vma->vm_end >= vma->vm_mm->start_stack) || 3744 vma->vm_end >= vma->vm_mm->start_stack) ||
3645 vma_is_stack_for_current(vma))) { 3745 vma_is_stack_for_current(vma))) {
3646 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3746 rc = avc_has_perm(&selinux_state,
3747 sid, sid, SECCLASS_PROCESS,
3647 PROCESS__EXECSTACK, NULL); 3748 PROCESS__EXECSTACK, NULL);
3648 } else if (vma->vm_file && vma->anon_vma) { 3749 } else if (vma->vm_file && vma->anon_vma) {
3649 /* 3750 /*
@@ -3735,7 +3836,8 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
3735 else 3836 else
3736 perm = signal_to_av(signum); 3837 perm = signal_to_av(signum);
3737 3838
3738 return avc_has_perm(fsec->fown_sid, sid, 3839 return avc_has_perm(&selinux_state,
3840 fsec->fown_sid, sid,
3739 SECCLASS_PROCESS, perm, NULL); 3841 SECCLASS_PROCESS, perm, NULL);
3740} 3842}
3741 3843
@@ -3761,7 +3863,7 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
3761 * struct as its SID. 3863 * struct as its SID.
3762 */ 3864 */
3763 fsec->isid = isec->sid; 3865 fsec->isid = isec->sid;
3764 fsec->pseqno = avc_policy_seqno(); 3866 fsec->pseqno = avc_policy_seqno(&selinux_state);
3765 /* 3867 /*
3766 * Since the inode label or policy seqno may have changed 3868 * Since the inode label or policy seqno may have changed
3767 * between the selinux_inode_permission check and the saving 3869 * between the selinux_inode_permission check and the saving
@@ -3780,7 +3882,8 @@ static int selinux_task_alloc(struct task_struct *task,
3780{ 3882{
3781 u32 sid = current_sid(); 3883 u32 sid = current_sid();
3782 3884
3783 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3885 return avc_has_perm(&selinux_state,
3886 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3784} 3887}
3785 3888
3786/* 3889/*
@@ -3844,6 +3947,11 @@ static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3844 *tsec = *old_tsec; 3947 *tsec = *old_tsec;
3845} 3948}
3846 3949
3950static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3951{
3952 *secid = cred_sid(c);
3953}
3954
3847/* 3955/*
3848 * set the security data for a kernel service 3956 * set the security data for a kernel service
3849 * - all the creation contexts are set to unlabelled 3957 * - all the creation contexts are set to unlabelled
@@ -3854,7 +3962,8 @@ static int selinux_kernel_act_as(struct cred *new, u32 secid)
3854 u32 sid = current_sid(); 3962 u32 sid = current_sid();
3855 int ret; 3963 int ret;
3856 3964
3857 ret = avc_has_perm(sid, secid, 3965 ret = avc_has_perm(&selinux_state,
3966 sid, secid,
3858 SECCLASS_KERNEL_SERVICE, 3967 SECCLASS_KERNEL_SERVICE,
3859 KERNEL_SERVICE__USE_AS_OVERRIDE, 3968 KERNEL_SERVICE__USE_AS_OVERRIDE,
3860 NULL); 3969 NULL);
@@ -3878,7 +3987,8 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3878 u32 sid = current_sid(); 3987 u32 sid = current_sid();
3879 int ret; 3988 int ret;
3880 3989
3881 ret = avc_has_perm(sid, isec->sid, 3990 ret = avc_has_perm(&selinux_state,
3991 sid, isec->sid,
3882 SECCLASS_KERNEL_SERVICE, 3992 SECCLASS_KERNEL_SERVICE,
3883 KERNEL_SERVICE__CREATE_FILES_AS, 3993 KERNEL_SERVICE__CREATE_FILES_AS,
3884 NULL); 3994 NULL);
@@ -3895,7 +4005,8 @@ static int selinux_kernel_module_request(char *kmod_name)
3895 ad.type = LSM_AUDIT_DATA_KMOD; 4005 ad.type = LSM_AUDIT_DATA_KMOD;
3896 ad.u.kmod_name = kmod_name; 4006 ad.u.kmod_name = kmod_name;
3897 4007
3898 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4008 return avc_has_perm(&selinux_state,
4009 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3899 SYSTEM__MODULE_REQUEST, &ad); 4010 SYSTEM__MODULE_REQUEST, &ad);
3900} 4011}
3901 4012
@@ -3909,7 +4020,8 @@ static int selinux_kernel_module_from_file(struct file *file)
3909 4020
3910 /* init_module */ 4021 /* init_module */
3911 if (file == NULL) 4022 if (file == NULL)
3912 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, 4023 return avc_has_perm(&selinux_state,
4024 sid, sid, SECCLASS_SYSTEM,
3913 SYSTEM__MODULE_LOAD, NULL); 4025 SYSTEM__MODULE_LOAD, NULL);
3914 4026
3915 /* finit_module */ 4027 /* finit_module */
@@ -3919,13 +4031,15 @@ static int selinux_kernel_module_from_file(struct file *file)
3919 4031
3920 fsec = file->f_security; 4032 fsec = file->f_security;
3921 if (sid != fsec->sid) { 4033 if (sid != fsec->sid) {
3922 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4034 rc = avc_has_perm(&selinux_state,
4035 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3923 if (rc) 4036 if (rc)
3924 return rc; 4037 return rc;
3925 } 4038 }
3926 4039
3927 isec = inode_security(file_inode(file)); 4040 isec = inode_security(file_inode(file));
3928 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, 4041 return avc_has_perm(&selinux_state,
4042 sid, isec->sid, SECCLASS_SYSTEM,
3929 SYSTEM__MODULE_LOAD, &ad); 4043 SYSTEM__MODULE_LOAD, &ad);
3930} 4044}
3931 4045
@@ -3947,19 +4061,22 @@ static int selinux_kernel_read_file(struct file *file,
3947 4061
3948static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4062static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3949{ 4063{
3950 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4064 return avc_has_perm(&selinux_state,
4065 current_sid(), task_sid(p), SECCLASS_PROCESS,
3951 PROCESS__SETPGID, NULL); 4066 PROCESS__SETPGID, NULL);
3952} 4067}
3953 4068
3954static int selinux_task_getpgid(struct task_struct *p) 4069static int selinux_task_getpgid(struct task_struct *p)
3955{ 4070{
3956 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4071 return avc_has_perm(&selinux_state,
4072 current_sid(), task_sid(p), SECCLASS_PROCESS,
3957 PROCESS__GETPGID, NULL); 4073 PROCESS__GETPGID, NULL);
3958} 4074}
3959 4075
3960static int selinux_task_getsid(struct task_struct *p) 4076static int selinux_task_getsid(struct task_struct *p)
3961{ 4077{
3962 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4078 return avc_has_perm(&selinux_state,
4079 current_sid(), task_sid(p), SECCLASS_PROCESS,
3963 PROCESS__GETSESSION, NULL); 4080 PROCESS__GETSESSION, NULL);
3964} 4081}
3965 4082
@@ -3970,19 +4087,22 @@ static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3970 4087
3971static int selinux_task_setnice(struct task_struct *p, int nice) 4088static int selinux_task_setnice(struct task_struct *p, int nice)
3972{ 4089{
3973 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4090 return avc_has_perm(&selinux_state,
4091 current_sid(), task_sid(p), SECCLASS_PROCESS,
3974 PROCESS__SETSCHED, NULL); 4092 PROCESS__SETSCHED, NULL);
3975} 4093}
3976 4094
3977static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4095static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3978{ 4096{
3979 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4097 return avc_has_perm(&selinux_state,
4098 current_sid(), task_sid(p), SECCLASS_PROCESS,
3980 PROCESS__SETSCHED, NULL); 4099 PROCESS__SETSCHED, NULL);
3981} 4100}
3982 4101
3983static int selinux_task_getioprio(struct task_struct *p) 4102static int selinux_task_getioprio(struct task_struct *p)
3984{ 4103{
3985 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4104 return avc_has_perm(&selinux_state,
4105 current_sid(), task_sid(p), SECCLASS_PROCESS,
3986 PROCESS__GETSCHED, NULL); 4106 PROCESS__GETSCHED, NULL);
3987} 4107}
3988 4108
@@ -3997,7 +4117,8 @@ static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcre
3997 av |= PROCESS__SETRLIMIT; 4117 av |= PROCESS__SETRLIMIT;
3998 if (flags & LSM_PRLIMIT_READ) 4118 if (flags & LSM_PRLIMIT_READ)
3999 av |= PROCESS__GETRLIMIT; 4119 av |= PROCESS__GETRLIMIT;
4000 return avc_has_perm(cred_sid(cred), cred_sid(tcred), 4120 return avc_has_perm(&selinux_state,
4121 cred_sid(cred), cred_sid(tcred),
4001 SECCLASS_PROCESS, av, NULL); 4122 SECCLASS_PROCESS, av, NULL);
4002} 4123}
4003 4124
@@ -4011,7 +4132,8 @@ static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4011 later be used as a safe reset point for the soft limit 4132 later be used as a safe reset point for the soft limit
4012 upon context transitions. See selinux_bprm_committing_creds. */ 4133 upon context transitions. See selinux_bprm_committing_creds. */
4013 if (old_rlim->rlim_max != new_rlim->rlim_max) 4134 if (old_rlim->rlim_max != new_rlim->rlim_max)
4014 return avc_has_perm(current_sid(), task_sid(p), 4135 return avc_has_perm(&selinux_state,
4136 current_sid(), task_sid(p),
4015 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4137 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4016 4138
4017 return 0; 4139 return 0;
@@ -4019,34 +4141,41 @@ static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4019 4141
4020static int selinux_task_setscheduler(struct task_struct *p) 4142static int selinux_task_setscheduler(struct task_struct *p)
4021{ 4143{
4022 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4144 return avc_has_perm(&selinux_state,
4145 current_sid(), task_sid(p), SECCLASS_PROCESS,
4023 PROCESS__SETSCHED, NULL); 4146 PROCESS__SETSCHED, NULL);
4024} 4147}
4025 4148
4026static int selinux_task_getscheduler(struct task_struct *p) 4149static int selinux_task_getscheduler(struct task_struct *p)
4027{ 4150{
4028 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4151 return avc_has_perm(&selinux_state,
4152 current_sid(), task_sid(p), SECCLASS_PROCESS,
4029 PROCESS__GETSCHED, NULL); 4153 PROCESS__GETSCHED, NULL);
4030} 4154}
4031 4155
4032static int selinux_task_movememory(struct task_struct *p) 4156static int selinux_task_movememory(struct task_struct *p)
4033{ 4157{
4034 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4158 return avc_has_perm(&selinux_state,
4159 current_sid(), task_sid(p), SECCLASS_PROCESS,
4035 PROCESS__SETSCHED, NULL); 4160 PROCESS__SETSCHED, NULL);
4036} 4161}
4037 4162
4038static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 4163static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4039 int sig, u32 secid) 4164 int sig, const struct cred *cred)
4040{ 4165{
4166 u32 secid;
4041 u32 perm; 4167 u32 perm;
4042 4168
4043 if (!sig) 4169 if (!sig)
4044 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4170 perm = PROCESS__SIGNULL; /* null signal; existence test */
4045 else 4171 else
4046 perm = signal_to_av(sig); 4172 perm = signal_to_av(sig);
4047 if (!secid) 4173 if (!cred)
4048 secid = current_sid(); 4174 secid = current_sid();
4049 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); 4175 else
4176 secid = cred_sid(cred);
4177 return avc_has_perm(&selinux_state,
4178 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4050} 4179}
4051 4180
4052static void selinux_task_to_inode(struct task_struct *p, 4181static void selinux_task_to_inode(struct task_struct *p,
@@ -4134,6 +4263,23 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4134 break; 4263 break;
4135 } 4264 }
4136 4265
4266#if IS_ENABLED(CONFIG_IP_SCTP)
4267 case IPPROTO_SCTP: {
4268 struct sctphdr _sctph, *sh;
4269
4270 if (ntohs(ih->frag_off) & IP_OFFSET)
4271 break;
4272
4273 offset += ihlen;
4274 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4275 if (sh == NULL)
4276 break;
4277
4278 ad->u.net->sport = sh->source;
4279 ad->u.net->dport = sh->dest;
4280 break;
4281 }
4282#endif
4137 default: 4283 default:
4138 break; 4284 break;
4139 } 4285 }
@@ -4207,6 +4353,19 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4207 break; 4353 break;
4208 } 4354 }
4209 4355
4356#if IS_ENABLED(CONFIG_IP_SCTP)
4357 case IPPROTO_SCTP: {
4358 struct sctphdr _sctph, *sh;
4359
4360 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4361 if (sh == NULL)
4362 break;
4363
4364 ad->u.net->sport = sh->source;
4365 ad->u.net->dport = sh->dest;
4366 break;
4367 }
4368#endif
4210 /* includes fragments */ 4369 /* includes fragments */
4211 default: 4370 default:
4212 break; 4371 break;
@@ -4287,7 +4446,8 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4287 if (unlikely(err)) 4446 if (unlikely(err))
4288 return -EACCES; 4447 return -EACCES;
4289 4448
4290 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 4449 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4450 nlbl_type, xfrm_sid, sid);
4291 if (unlikely(err)) { 4451 if (unlikely(err)) {
4292 printk(KERN_WARNING 4452 printk(KERN_WARNING
4293 "SELinux: failure in selinux_skb_peerlbl_sid()," 4453 "SELinux: failure in selinux_skb_peerlbl_sid(),"
@@ -4315,7 +4475,8 @@ static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4315 int err = 0; 4475 int err = 0;
4316 4476
4317 if (skb_sid != SECSID_NULL) 4477 if (skb_sid != SECSID_NULL)
4318 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid); 4478 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4479 conn_sid);
4319 else 4480 else
4320 *conn_sid = sk_sid; 4481 *conn_sid = sk_sid;
4321 4482
@@ -4332,8 +4493,8 @@ static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4332 return 0; 4493 return 0;
4333 } 4494 }
4334 4495
4335 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL, 4496 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4336 socksid); 4497 secclass, NULL, socksid);
4337} 4498}
4338 4499
4339static int sock_has_perm(struct sock *sk, u32 perms) 4500static int sock_has_perm(struct sock *sk, u32 perms)
@@ -4349,7 +4510,8 @@ static int sock_has_perm(struct sock *sk, u32 perms)
4349 ad.u.net = &net; 4510 ad.u.net = &net;
4350 ad.u.net->sk = sk; 4511 ad.u.net->sk = sk;
4351 4512
4352 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4513 return avc_has_perm(&selinux_state,
4514 current_sid(), sksec->sid, sksec->sclass, perms,
4353 &ad); 4515 &ad);
4354} 4516}
4355 4517
@@ -4369,7 +4531,8 @@ static int selinux_socket_create(int family, int type,
4369 if (rc) 4531 if (rc)
4370 return rc; 4532 return rc;
4371 4533
4372 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4534 return avc_has_perm(&selinux_state,
4535 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4373} 4536}
4374 4537
4375static int selinux_socket_post_create(struct socket *sock, int family, 4538static int selinux_socket_post_create(struct socket *sock, int family,
@@ -4396,6 +4559,10 @@ static int selinux_socket_post_create(struct socket *sock, int family,
4396 sksec = sock->sk->sk_security; 4559 sksec = sock->sk->sk_security;
4397 sksec->sclass = sclass; 4560 sksec->sclass = sclass;
4398 sksec->sid = sid; 4561 sksec->sid = sid;
4562 /* Allows detection of the first association on this socket */
4563 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4564 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4565
4399 err = selinux_netlbl_socket_post_create(sock->sk, family); 4566 err = selinux_netlbl_socket_post_create(sock->sk, family);
4400 } 4567 }
4401 4568
@@ -4409,6 +4576,7 @@ static int selinux_socket_post_create(struct socket *sock, int family,
4409static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4576static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4410{ 4577{
4411 struct sock *sk = sock->sk; 4578 struct sock *sk = sock->sk;
4579 struct sk_security_struct *sksec = sk->sk_security;
4412 u16 family; 4580 u16 family;
4413 int err; 4581 int err;
4414 4582
@@ -4416,40 +4584,57 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4416 if (err) 4584 if (err)
4417 goto out; 4585 goto out;
4418 4586
4419 /* 4587 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4420 * If PF_INET or PF_INET6, check name_bind permission for the port.
4421 * Multiple address binding for SCTP is not supported yet: we just
4422 * check the first address now.
4423 */
4424 family = sk->sk_family; 4588 family = sk->sk_family;
4425 if (family == PF_INET || family == PF_INET6) { 4589 if (family == PF_INET || family == PF_INET6) {
4426 char *addrp; 4590 char *addrp;
4427 struct sk_security_struct *sksec = sk->sk_security;
4428 struct common_audit_data ad; 4591 struct common_audit_data ad;
4429 struct lsm_network_audit net = {0,}; 4592 struct lsm_network_audit net = {0,};
4430 struct sockaddr_in *addr4 = NULL; 4593 struct sockaddr_in *addr4 = NULL;
4431 struct sockaddr_in6 *addr6 = NULL; 4594 struct sockaddr_in6 *addr6 = NULL;
4595 u16 family_sa = address->sa_family;
4432 unsigned short snum; 4596 unsigned short snum;
4433 u32 sid, node_perm; 4597 u32 sid, node_perm;
4434 4598
4435 if (family == PF_INET) { 4599 /*
4436 if (addrlen < sizeof(struct sockaddr_in)) { 4600 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4437 err = -EINVAL; 4601 * that validates multiple binding addresses. Because of this
4438 goto out; 4602 * need to check address->sa_family as it is possible to have
4439 } 4603 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4604 */
4605 switch (family_sa) {
4606 case AF_UNSPEC:
4607 case AF_INET:
4608 if (addrlen < sizeof(struct sockaddr_in))
4609 return -EINVAL;
4440 addr4 = (struct sockaddr_in *)address; 4610 addr4 = (struct sockaddr_in *)address;
4611 if (family_sa == AF_UNSPEC) {
4612 /* see __inet_bind(), we only want to allow
4613 * AF_UNSPEC if the address is INADDR_ANY
4614 */
4615 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4616 goto err_af;
4617 family_sa = AF_INET;
4618 }
4441 snum = ntohs(addr4->sin_port); 4619 snum = ntohs(addr4->sin_port);
4442 addrp = (char *)&addr4->sin_addr.s_addr; 4620 addrp = (char *)&addr4->sin_addr.s_addr;
4443 } else { 4621 break;
4444 if (addrlen < SIN6_LEN_RFC2133) { 4622 case AF_INET6:
4445 err = -EINVAL; 4623 if (addrlen < SIN6_LEN_RFC2133)
4446 goto out; 4624 return -EINVAL;
4447 }
4448 addr6 = (struct sockaddr_in6 *)address; 4625 addr6 = (struct sockaddr_in6 *)address;
4449 snum = ntohs(addr6->sin6_port); 4626 snum = ntohs(addr6->sin6_port);
4450 addrp = (char *)&addr6->sin6_addr.s6_addr; 4627 addrp = (char *)&addr6->sin6_addr.s6_addr;
4628 break;
4629 default:
4630 goto err_af;
4451 } 4631 }
4452 4632
4633 ad.type = LSM_AUDIT_DATA_NET;
4634 ad.u.net = &net;
4635 ad.u.net->sport = htons(snum);
4636 ad.u.net->family = family_sa;
4637
4453 if (snum) { 4638 if (snum) {
4454 int low, high; 4639 int low, high;
4455 4640
@@ -4461,11 +4646,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4461 snum, &sid); 4646 snum, &sid);
4462 if (err) 4647 if (err)
4463 goto out; 4648 goto out;
4464 ad.type = LSM_AUDIT_DATA_NET; 4649 err = avc_has_perm(&selinux_state,
4465 ad.u.net = &net; 4650 sksec->sid, sid,
4466 ad.u.net->sport = htons(snum);
4467 ad.u.net->family = family;
4468 err = avc_has_perm(sksec->sid, sid,
4469 sksec->sclass, 4651 sksec->sclass,
4470 SOCKET__NAME_BIND, &ad); 4652 SOCKET__NAME_BIND, &ad);
4471 if (err) 4653 if (err)
@@ -4486,35 +4668,44 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4486 node_perm = DCCP_SOCKET__NODE_BIND; 4668 node_perm = DCCP_SOCKET__NODE_BIND;
4487 break; 4669 break;
4488 4670
4671 case SECCLASS_SCTP_SOCKET:
4672 node_perm = SCTP_SOCKET__NODE_BIND;
4673 break;
4674
4489 default: 4675 default:
4490 node_perm = RAWIP_SOCKET__NODE_BIND; 4676 node_perm = RAWIP_SOCKET__NODE_BIND;
4491 break; 4677 break;
4492 } 4678 }
4493 4679
4494 err = sel_netnode_sid(addrp, family, &sid); 4680 err = sel_netnode_sid(addrp, family_sa, &sid);
4495 if (err) 4681 if (err)
4496 goto out; 4682 goto out;
4497 4683
4498 ad.type = LSM_AUDIT_DATA_NET; 4684 if (family_sa == AF_INET)
4499 ad.u.net = &net;
4500 ad.u.net->sport = htons(snum);
4501 ad.u.net->family = family;
4502
4503 if (family == PF_INET)
4504 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4685 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4505 else 4686 else
4506 ad.u.net->v6info.saddr = addr6->sin6_addr; 4687 ad.u.net->v6info.saddr = addr6->sin6_addr;
4507 4688
4508 err = avc_has_perm(sksec->sid, sid, 4689 err = avc_has_perm(&selinux_state,
4690 sksec->sid, sid,
4509 sksec->sclass, node_perm, &ad); 4691 sksec->sclass, node_perm, &ad);
4510 if (err) 4692 if (err)
4511 goto out; 4693 goto out;
4512 } 4694 }
4513out: 4695out:
4514 return err; 4696 return err;
4697err_af:
4698 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4699 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4700 return -EINVAL;
4701 return -EAFNOSUPPORT;
4515} 4702}
4516 4703
4517static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 4704/* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4705 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.txt
4706 */
4707static int selinux_socket_connect_helper(struct socket *sock,
4708 struct sockaddr *address, int addrlen)
4518{ 4709{
4519 struct sock *sk = sock->sk; 4710 struct sock *sk = sock->sk;
4520 struct sk_security_struct *sksec = sk->sk_security; 4711 struct sk_security_struct *sksec = sk->sk_security;
@@ -4525,10 +4716,12 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
4525 return err; 4716 return err;
4526 4717
4527 /* 4718 /*
4528 * If a TCP or DCCP socket, check name_connect permission for the port. 4719 * If a TCP, DCCP or SCTP socket, check name_connect permission
4720 * for the port.
4529 */ 4721 */
4530 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4722 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4531 sksec->sclass == SECCLASS_DCCP_SOCKET) { 4723 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4724 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4532 struct common_audit_data ad; 4725 struct common_audit_data ad;
4533 struct lsm_network_audit net = {0,}; 4726 struct lsm_network_audit net = {0,};
4534 struct sockaddr_in *addr4 = NULL; 4727 struct sockaddr_in *addr4 = NULL;
@@ -4536,38 +4729,75 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
4536 unsigned short snum; 4729 unsigned short snum;
4537 u32 sid, perm; 4730 u32 sid, perm;
4538 4731
4539 if (sk->sk_family == PF_INET) { 4732 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4733 * that validates multiple connect addresses. Because of this
4734 * need to check address->sa_family as it is possible to have
4735 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4736 */
4737 switch (address->sa_family) {
4738 case AF_INET:
4540 addr4 = (struct sockaddr_in *)address; 4739 addr4 = (struct sockaddr_in *)address;
4541 if (addrlen < sizeof(struct sockaddr_in)) 4740 if (addrlen < sizeof(struct sockaddr_in))
4542 return -EINVAL; 4741 return -EINVAL;
4543 snum = ntohs(addr4->sin_port); 4742 snum = ntohs(addr4->sin_port);
4544 } else { 4743 break;
4744 case AF_INET6:
4545 addr6 = (struct sockaddr_in6 *)address; 4745 addr6 = (struct sockaddr_in6 *)address;
4546 if (addrlen < SIN6_LEN_RFC2133) 4746 if (addrlen < SIN6_LEN_RFC2133)
4547 return -EINVAL; 4747 return -EINVAL;
4548 snum = ntohs(addr6->sin6_port); 4748 snum = ntohs(addr6->sin6_port);
4749 break;
4750 default:
4751 /* Note that SCTP services expect -EINVAL, whereas
4752 * others expect -EAFNOSUPPORT.
4753 */
4754 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4755 return -EINVAL;
4756 else
4757 return -EAFNOSUPPORT;
4549 } 4758 }
4550 4759
4551 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4760 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4552 if (err) 4761 if (err)
4553 goto out; 4762 return err;
4554 4763
4555 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ? 4764 switch (sksec->sclass) {
4556 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 4765 case SECCLASS_TCP_SOCKET:
4766 perm = TCP_SOCKET__NAME_CONNECT;
4767 break;
4768 case SECCLASS_DCCP_SOCKET:
4769 perm = DCCP_SOCKET__NAME_CONNECT;
4770 break;
4771 case SECCLASS_SCTP_SOCKET:
4772 perm = SCTP_SOCKET__NAME_CONNECT;
4773 break;
4774 }
4557 4775
4558 ad.type = LSM_AUDIT_DATA_NET; 4776 ad.type = LSM_AUDIT_DATA_NET;
4559 ad.u.net = &net; 4777 ad.u.net = &net;
4560 ad.u.net->dport = htons(snum); 4778 ad.u.net->dport = htons(snum);
4561 ad.u.net->family = sk->sk_family; 4779 ad.u.net->family = address->sa_family;
4562 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 4780 err = avc_has_perm(&selinux_state,
4781 sksec->sid, sid, sksec->sclass, perm, &ad);
4563 if (err) 4782 if (err)
4564 goto out; 4783 return err;
4565 } 4784 }
4566 4785
4567 err = selinux_netlbl_socket_connect(sk, address); 4786 return 0;
4787}
4568 4788
4569out: 4789/* Supports connect(2), see comments in selinux_socket_connect_helper() */
4570 return err; 4790static int selinux_socket_connect(struct socket *sock,
4791 struct sockaddr *address, int addrlen)
4792{
4793 int err;
4794 struct sock *sk = sock->sk;
4795
4796 err = selinux_socket_connect_helper(sock, address, addrlen);
4797 if (err)
4798 return err;
4799
4800 return selinux_netlbl_socket_connect(sk, address);
4571} 4801}
4572 4802
4573static int selinux_socket_listen(struct socket *sock, int backlog) 4803static int selinux_socket_listen(struct socket *sock, int backlog)
@@ -4660,7 +4890,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
4660 ad.u.net = &net; 4890 ad.u.net = &net;
4661 ad.u.net->sk = other; 4891 ad.u.net->sk = other;
4662 4892
4663 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 4893 err = avc_has_perm(&selinux_state,
4894 sksec_sock->sid, sksec_other->sid,
4664 sksec_other->sclass, 4895 sksec_other->sclass,
4665 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4896 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4666 if (err) 4897 if (err)
@@ -4668,8 +4899,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
4668 4899
4669 /* server child socket */ 4900 /* server child socket */
4670 sksec_new->peer_sid = sksec_sock->sid; 4901 sksec_new->peer_sid = sksec_sock->sid;
4671 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid, 4902 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4672 &sksec_new->sid); 4903 sksec_sock->sid, &sksec_new->sid);
4673 if (err) 4904 if (err)
4674 return err; 4905 return err;
4675 4906
@@ -4691,7 +4922,8 @@ static int selinux_socket_unix_may_send(struct socket *sock,
4691 ad.u.net = &net; 4922 ad.u.net = &net;
4692 ad.u.net->sk = other->sk; 4923 ad.u.net->sk = other->sk;
4693 4924
4694 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4925 return avc_has_perm(&selinux_state,
4926 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4695 &ad); 4927 &ad);
4696} 4928}
4697 4929
@@ -4706,7 +4938,8 @@ static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4706 err = sel_netif_sid(ns, ifindex, &if_sid); 4938 err = sel_netif_sid(ns, ifindex, &if_sid);
4707 if (err) 4939 if (err)
4708 return err; 4940 return err;
4709 err = avc_has_perm(peer_sid, if_sid, 4941 err = avc_has_perm(&selinux_state,
4942 peer_sid, if_sid,
4710 SECCLASS_NETIF, NETIF__INGRESS, ad); 4943 SECCLASS_NETIF, NETIF__INGRESS, ad);
4711 if (err) 4944 if (err)
4712 return err; 4945 return err;
@@ -4714,7 +4947,8 @@ static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4714 err = sel_netnode_sid(addrp, family, &node_sid); 4947 err = sel_netnode_sid(addrp, family, &node_sid);
4715 if (err) 4948 if (err)
4716 return err; 4949 return err;
4717 return avc_has_perm(peer_sid, node_sid, 4950 return avc_has_perm(&selinux_state,
4951 peer_sid, node_sid,
4718 SECCLASS_NODE, NODE__RECVFROM, ad); 4952 SECCLASS_NODE, NODE__RECVFROM, ad);
4719} 4953}
4720 4954
@@ -4737,7 +4971,8 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4737 return err; 4971 return err;
4738 4972
4739 if (selinux_secmark_enabled()) { 4973 if (selinux_secmark_enabled()) {
4740 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4974 err = avc_has_perm(&selinux_state,
4975 sk_sid, skb->secmark, SECCLASS_PACKET,
4741 PACKET__RECV, &ad); 4976 PACKET__RECV, &ad);
4742 if (err) 4977 if (err)
4743 return err; 4978 return err;
@@ -4774,7 +5009,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4774 * to the selinux_sock_rcv_skb_compat() function to deal with the 5009 * to the selinux_sock_rcv_skb_compat() function to deal with the
4775 * special handling. We do this in an attempt to keep this function 5010 * special handling. We do this in an attempt to keep this function
4776 * as fast and as clean as possible. */ 5011 * as fast and as clean as possible. */
4777 if (!selinux_policycap_netpeer) 5012 if (!selinux_policycap_netpeer())
4778 return selinux_sock_rcv_skb_compat(sk, skb, family); 5013 return selinux_sock_rcv_skb_compat(sk, skb, family);
4779 5014
4780 secmark_active = selinux_secmark_enabled(); 5015 secmark_active = selinux_secmark_enabled();
@@ -4802,7 +5037,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4802 selinux_netlbl_err(skb, family, err, 0); 5037 selinux_netlbl_err(skb, family, err, 0);
4803 return err; 5038 return err;
4804 } 5039 }
4805 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 5040 err = avc_has_perm(&selinux_state,
5041 sk_sid, peer_sid, SECCLASS_PEER,
4806 PEER__RECV, &ad); 5042 PEER__RECV, &ad);
4807 if (err) { 5043 if (err) {
4808 selinux_netlbl_err(skb, family, err, 0); 5044 selinux_netlbl_err(skb, family, err, 0);
@@ -4811,7 +5047,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4811 } 5047 }
4812 5048
4813 if (secmark_active) { 5049 if (secmark_active) {
4814 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5050 err = avc_has_perm(&selinux_state,
5051 sk_sid, skb->secmark, SECCLASS_PACKET,
4815 PACKET__RECV, &ad); 5052 PACKET__RECV, &ad);
4816 if (err) 5053 if (err)
4817 return err; 5054 return err;
@@ -4830,12 +5067,14 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *op
4830 u32 peer_sid = SECSID_NULL; 5067 u32 peer_sid = SECSID_NULL;
4831 5068
4832 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5069 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4833 sksec->sclass == SECCLASS_TCP_SOCKET) 5070 sksec->sclass == SECCLASS_TCP_SOCKET ||
5071 sksec->sclass == SECCLASS_SCTP_SOCKET)
4834 peer_sid = sksec->peer_sid; 5072 peer_sid = sksec->peer_sid;
4835 if (peer_sid == SECSID_NULL) 5073 if (peer_sid == SECSID_NULL)
4836 return -ENOPROTOOPT; 5074 return -ENOPROTOOPT;
4837 5075
4838 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 5076 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5077 &scontext_len);
4839 if (err) 5078 if (err)
4840 return err; 5079 return err;
4841 5080
@@ -4943,6 +5182,173 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4943 sksec->sclass = isec->sclass; 5182 sksec->sclass = isec->sclass;
4944} 5183}
4945 5184
5185/* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5186 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5187 * already present).
5188 */
5189static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5190 struct sk_buff *skb)
5191{
5192 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5193 struct common_audit_data ad;
5194 struct lsm_network_audit net = {0,};
5195 u8 peerlbl_active;
5196 u32 peer_sid = SECINITSID_UNLABELED;
5197 u32 conn_sid;
5198 int err = 0;
5199
5200 if (!selinux_policycap_extsockclass())
5201 return 0;
5202
5203 peerlbl_active = selinux_peerlbl_enabled();
5204
5205 if (peerlbl_active) {
5206 /* This will return peer_sid = SECSID_NULL if there are
5207 * no peer labels, see security_net_peersid_resolve().
5208 */
5209 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5210 &peer_sid);
5211 if (err)
5212 return err;
5213
5214 if (peer_sid == SECSID_NULL)
5215 peer_sid = SECINITSID_UNLABELED;
5216 }
5217
5218 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5219 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5220
5221 /* Here as first association on socket. As the peer SID
5222 * was allowed by peer recv (and the netif/node checks),
5223 * then it is approved by policy and used as the primary
5224 * peer SID for getpeercon(3).
5225 */
5226 sksec->peer_sid = peer_sid;
5227 } else if (sksec->peer_sid != peer_sid) {
5228 /* Other association peer SIDs are checked to enforce
5229 * consistency among the peer SIDs.
5230 */
5231 ad.type = LSM_AUDIT_DATA_NET;
5232 ad.u.net = &net;
5233 ad.u.net->sk = ep->base.sk;
5234 err = avc_has_perm(&selinux_state,
5235 sksec->peer_sid, peer_sid, sksec->sclass,
5236 SCTP_SOCKET__ASSOCIATION, &ad);
5237 if (err)
5238 return err;
5239 }
5240
5241 /* Compute the MLS component for the connection and store
5242 * the information in ep. This will be used by SCTP TCP type
5243 * sockets and peeled off connections as they cause a new
5244 * socket to be generated. selinux_sctp_sk_clone() will then
5245 * plug this into the new socket.
5246 */
5247 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5248 if (err)
5249 return err;
5250
5251 ep->secid = conn_sid;
5252 ep->peer_secid = peer_sid;
5253
5254 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5255 return selinux_netlbl_sctp_assoc_request(ep, skb);
5256}
5257
5258/* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5259 * based on their @optname.
5260 */
5261static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5262 struct sockaddr *address,
5263 int addrlen)
5264{
5265 int len, err = 0, walk_size = 0;
5266 void *addr_buf;
5267 struct sockaddr *addr;
5268 struct socket *sock;
5269
5270 if (!selinux_policycap_extsockclass())
5271 return 0;
5272
5273 /* Process one or more addresses that may be IPv4 or IPv6 */
5274 sock = sk->sk_socket;
5275 addr_buf = address;
5276
5277 while (walk_size < addrlen) {
5278 addr = addr_buf;
5279 switch (addr->sa_family) {
5280 case AF_UNSPEC:
5281 case AF_INET:
5282 len = sizeof(struct sockaddr_in);
5283 break;
5284 case AF_INET6:
5285 len = sizeof(struct sockaddr_in6);
5286 break;
5287 default:
5288 return -EINVAL;
5289 }
5290
5291 err = -EINVAL;
5292 switch (optname) {
5293 /* Bind checks */
5294 case SCTP_PRIMARY_ADDR:
5295 case SCTP_SET_PEER_PRIMARY_ADDR:
5296 case SCTP_SOCKOPT_BINDX_ADD:
5297 err = selinux_socket_bind(sock, addr, len);
5298 break;
5299 /* Connect checks */
5300 case SCTP_SOCKOPT_CONNECTX:
5301 case SCTP_PARAM_SET_PRIMARY:
5302 case SCTP_PARAM_ADD_IP:
5303 case SCTP_SENDMSG_CONNECT:
5304 err = selinux_socket_connect_helper(sock, addr, len);
5305 if (err)
5306 return err;
5307
5308 /* As selinux_sctp_bind_connect() is called by the
5309 * SCTP protocol layer, the socket is already locked,
5310 * therefore selinux_netlbl_socket_connect_locked() is
5311 * is called here. The situations handled are:
5312 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5313 * whenever a new IP address is added or when a new
5314 * primary address is selected.
5315 * Note that an SCTP connect(2) call happens before
5316 * the SCTP protocol layer and is handled via
5317 * selinux_socket_connect().
5318 */
5319 err = selinux_netlbl_socket_connect_locked(sk, addr);
5320 break;
5321 }
5322
5323 if (err)
5324 return err;
5325
5326 addr_buf += len;
5327 walk_size += len;
5328 }
5329
5330 return 0;
5331}
5332
5333/* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5334static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5335 struct sock *newsk)
5336{
5337 struct sk_security_struct *sksec = sk->sk_security;
5338 struct sk_security_struct *newsksec = newsk->sk_security;
5339
5340 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5341 * the non-sctp clone version.
5342 */
5343 if (!selinux_policycap_extsockclass())
5344 return selinux_sk_clone_security(sk, newsk);
5345
5346 newsksec->sid = ep->secid;
5347 newsksec->peer_sid = ep->peer_secid;
5348 newsksec->sclass = sksec->sclass;
5349 selinux_netlbl_sctp_sk_clone(sk, newsk);
5350}
5351
4946static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 5352static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4947 struct request_sock *req) 5353 struct request_sock *req)
4948{ 5354{
@@ -5001,7 +5407,9 @@ static int selinux_secmark_relabel_packet(u32 sid)
5001 __tsec = current_security(); 5407 __tsec = current_security();
5002 tsid = __tsec->sid; 5408 tsid = __tsec->sid;
5003 5409
5004 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL); 5410 return avc_has_perm(&selinux_state,
5411 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5412 NULL);
5005} 5413}
5006 5414
5007static void selinux_secmark_refcount_inc(void) 5415static void selinux_secmark_refcount_inc(void)
@@ -5049,7 +5457,8 @@ static int selinux_tun_dev_create(void)
5049 * connections unlike traditional sockets - check the TUN driver to 5457 * connections unlike traditional sockets - check the TUN driver to
5050 * get a better understanding of why this socket is special */ 5458 * get a better understanding of why this socket is special */
5051 5459
5052 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5460 return avc_has_perm(&selinux_state,
5461 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5053 NULL); 5462 NULL);
5054} 5463}
5055 5464
@@ -5057,7 +5466,8 @@ static int selinux_tun_dev_attach_queue(void *security)
5057{ 5466{
5058 struct tun_security_struct *tunsec = security; 5467 struct tun_security_struct *tunsec = security;
5059 5468
5060 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5469 return avc_has_perm(&selinux_state,
5470 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5061 TUN_SOCKET__ATTACH_QUEUE, NULL); 5471 TUN_SOCKET__ATTACH_QUEUE, NULL);
5062} 5472}
5063 5473
@@ -5085,11 +5495,13 @@ static int selinux_tun_dev_open(void *security)
5085 u32 sid = current_sid(); 5495 u32 sid = current_sid();
5086 int err; 5496 int err;
5087 5497
5088 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5498 err = avc_has_perm(&selinux_state,
5499 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5089 TUN_SOCKET__RELABELFROM, NULL); 5500 TUN_SOCKET__RELABELFROM, NULL);
5090 if (err) 5501 if (err)
5091 return err; 5502 return err;
5092 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 5503 err = avc_has_perm(&selinux_state,
5504 sid, sid, SECCLASS_TUN_SOCKET,
5093 TUN_SOCKET__RELABELTO, NULL); 5505 TUN_SOCKET__RELABELTO, NULL);
5094 if (err) 5506 if (err)
5095 return err; 5507 return err;
@@ -5120,7 +5532,8 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5120 sk->sk_protocol, nlh->nlmsg_type, 5532 sk->sk_protocol, nlh->nlmsg_type,
5121 secclass_map[sksec->sclass - 1].name, 5533 secclass_map[sksec->sclass - 1].name,
5122 task_pid_nr(current), current->comm); 5534 task_pid_nr(current), current->comm);
5123 if (!selinux_enforcing || security_get_allow_unknown()) 5535 if (!enforcing_enabled(&selinux_state) ||
5536 security_get_allow_unknown(&selinux_state))
5124 err = 0; 5537 err = 0;
5125 } 5538 }
5126 5539
@@ -5150,7 +5563,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb,
5150 u8 netlbl_active; 5563 u8 netlbl_active;
5151 u8 peerlbl_active; 5564 u8 peerlbl_active;
5152 5565
5153 if (!selinux_policycap_netpeer) 5566 if (!selinux_policycap_netpeer())
5154 return NF_ACCEPT; 5567 return NF_ACCEPT;
5155 5568
5156 secmark_active = selinux_secmark_enabled(); 5569 secmark_active = selinux_secmark_enabled();
@@ -5179,7 +5592,8 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb,
5179 } 5592 }
5180 5593
5181 if (secmark_active) 5594 if (secmark_active)
5182 if (avc_has_perm(peer_sid, skb->secmark, 5595 if (avc_has_perm(&selinux_state,
5596 peer_sid, skb->secmark,
5183 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5597 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5184 return NF_DROP; 5598 return NF_DROP;
5185 5599
@@ -5291,7 +5705,8 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5291 return NF_DROP; 5705 return NF_DROP;
5292 5706
5293 if (selinux_secmark_enabled()) 5707 if (selinux_secmark_enabled())
5294 if (avc_has_perm(sksec->sid, skb->secmark, 5708 if (avc_has_perm(&selinux_state,
5709 sksec->sid, skb->secmark,
5295 SECCLASS_PACKET, PACKET__SEND, &ad)) 5710 SECCLASS_PACKET, PACKET__SEND, &ad))
5296 return NF_DROP_ERR(-ECONNREFUSED); 5711 return NF_DROP_ERR(-ECONNREFUSED);
5297 5712
@@ -5319,7 +5734,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5319 * to the selinux_ip_postroute_compat() function to deal with the 5734 * to the selinux_ip_postroute_compat() function to deal with the
5320 * special handling. We do this in an attempt to keep this function 5735 * special handling. We do this in an attempt to keep this function
5321 * as fast and as clean as possible. */ 5736 * as fast and as clean as possible. */
5322 if (!selinux_policycap_netpeer) 5737 if (!selinux_policycap_netpeer())
5323 return selinux_ip_postroute_compat(skb, ifindex, family); 5738 return selinux_ip_postroute_compat(skb, ifindex, family);
5324 5739
5325 secmark_active = selinux_secmark_enabled(); 5740 secmark_active = selinux_secmark_enabled();
@@ -5414,7 +5829,8 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5414 return NF_DROP; 5829 return NF_DROP;
5415 5830
5416 if (secmark_active) 5831 if (secmark_active)
5417 if (avc_has_perm(peer_sid, skb->secmark, 5832 if (avc_has_perm(&selinux_state,
5833 peer_sid, skb->secmark,
5418 SECCLASS_PACKET, secmark_perm, &ad)) 5834 SECCLASS_PACKET, secmark_perm, &ad))
5419 return NF_DROP_ERR(-ECONNREFUSED); 5835 return NF_DROP_ERR(-ECONNREFUSED);
5420 5836
@@ -5424,13 +5840,15 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5424 5840
5425 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5841 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5426 return NF_DROP; 5842 return NF_DROP;
5427 if (avc_has_perm(peer_sid, if_sid, 5843 if (avc_has_perm(&selinux_state,
5844 peer_sid, if_sid,
5428 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5845 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5429 return NF_DROP_ERR(-ECONNREFUSED); 5846 return NF_DROP_ERR(-ECONNREFUSED);
5430 5847
5431 if (sel_netnode_sid(addrp, family, &node_sid)) 5848 if (sel_netnode_sid(addrp, family, &node_sid))
5432 return NF_DROP; 5849 return NF_DROP;
5433 if (avc_has_perm(peer_sid, node_sid, 5850 if (avc_has_perm(&selinux_state,
5851 peer_sid, node_sid,
5434 SECCLASS_NODE, NODE__SENDTO, &ad)) 5852 SECCLASS_NODE, NODE__SENDTO, &ad))
5435 return NF_DROP_ERR(-ECONNREFUSED); 5853 return NF_DROP_ERR(-ECONNREFUSED);
5436 } 5854 }
@@ -5518,7 +5936,8 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5518 ad.type = LSM_AUDIT_DATA_IPC; 5936 ad.type = LSM_AUDIT_DATA_IPC;
5519 ad.u.ipc_id = ipc_perms->key; 5937 ad.u.ipc_id = ipc_perms->key;
5520 5938
5521 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 5939 return avc_has_perm(&selinux_state,
5940 sid, isec->sid, isec->sclass, perms, &ad);
5522} 5941}
5523 5942
5524static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5943static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
@@ -5532,52 +5951,54 @@ static void selinux_msg_msg_free_security(struct msg_msg *msg)
5532} 5951}
5533 5952
5534/* message queue security operations */ 5953/* message queue security operations */
5535static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 5954static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5536{ 5955{
5537 struct ipc_security_struct *isec; 5956 struct ipc_security_struct *isec;
5538 struct common_audit_data ad; 5957 struct common_audit_data ad;
5539 u32 sid = current_sid(); 5958 u32 sid = current_sid();
5540 int rc; 5959 int rc;
5541 5960
5542 rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ); 5961 rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
5543 if (rc) 5962 if (rc)
5544 return rc; 5963 return rc;
5545 5964
5546 isec = msq->q_perm.security; 5965 isec = msq->security;
5547 5966
5548 ad.type = LSM_AUDIT_DATA_IPC; 5967 ad.type = LSM_AUDIT_DATA_IPC;
5549 ad.u.ipc_id = msq->q_perm.key; 5968 ad.u.ipc_id = msq->key;
5550 5969
5551 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5970 rc = avc_has_perm(&selinux_state,
5971 sid, isec->sid, SECCLASS_MSGQ,
5552 MSGQ__CREATE, &ad); 5972 MSGQ__CREATE, &ad);
5553 if (rc) { 5973 if (rc) {
5554 ipc_free_security(&msq->q_perm); 5974 ipc_free_security(msq);
5555 return rc; 5975 return rc;
5556 } 5976 }
5557 return 0; 5977 return 0;
5558} 5978}
5559 5979
5560static void selinux_msg_queue_free_security(struct msg_queue *msq) 5980static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
5561{ 5981{
5562 ipc_free_security(&msq->q_perm); 5982 ipc_free_security(msq);
5563} 5983}
5564 5984
5565static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 5985static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5566{ 5986{
5567 struct ipc_security_struct *isec; 5987 struct ipc_security_struct *isec;
5568 struct common_audit_data ad; 5988 struct common_audit_data ad;
5569 u32 sid = current_sid(); 5989 u32 sid = current_sid();
5570 5990
5571 isec = msq->q_perm.security; 5991 isec = msq->security;
5572 5992
5573 ad.type = LSM_AUDIT_DATA_IPC; 5993 ad.type = LSM_AUDIT_DATA_IPC;
5574 ad.u.ipc_id = msq->q_perm.key; 5994 ad.u.ipc_id = msq->key;
5575 5995
5576 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5996 return avc_has_perm(&selinux_state,
5997 sid, isec->sid, SECCLASS_MSGQ,
5577 MSGQ__ASSOCIATE, &ad); 5998 MSGQ__ASSOCIATE, &ad);
5578} 5999}
5579 6000
5580static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 6001static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
5581{ 6002{
5582 int err; 6003 int err;
5583 int perms; 6004 int perms;
@@ -5586,10 +6007,12 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5586 case IPC_INFO: 6007 case IPC_INFO:
5587 case MSG_INFO: 6008 case MSG_INFO:
5588 /* No specific object, just general system-wide information. */ 6009 /* No specific object, just general system-wide information. */
5589 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6010 return avc_has_perm(&selinux_state,
6011 current_sid(), SECINITSID_KERNEL,
5590 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6012 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5591 case IPC_STAT: 6013 case IPC_STAT:
5592 case MSG_STAT: 6014 case MSG_STAT:
6015 case MSG_STAT_ANY:
5593 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 6016 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5594 break; 6017 break;
5595 case IPC_SET: 6018 case IPC_SET:
@@ -5602,11 +6025,11 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5602 return 0; 6025 return 0;
5603 } 6026 }
5604 6027
5605 err = ipc_has_perm(&msq->q_perm, perms); 6028 err = ipc_has_perm(msq, perms);
5606 return err; 6029 return err;
5607} 6030}
5608 6031
5609static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 6032static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
5610{ 6033{
5611 struct ipc_security_struct *isec; 6034 struct ipc_security_struct *isec;
5612 struct msg_security_struct *msec; 6035 struct msg_security_struct *msec;
@@ -5614,7 +6037,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
5614 u32 sid = current_sid(); 6037 u32 sid = current_sid();
5615 int rc; 6038 int rc;
5616 6039
5617 isec = msq->q_perm.security; 6040 isec = msq->security;
5618 msec = msg->security; 6041 msec = msg->security;
5619 6042
5620 /* 6043 /*
@@ -5625,31 +6048,34 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
5625 * Compute new sid based on current process and 6048 * Compute new sid based on current process and
5626 * message queue this message will be stored in 6049 * message queue this message will be stored in
5627 */ 6050 */
5628 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG, 6051 rc = security_transition_sid(&selinux_state, sid, isec->sid,
5629 NULL, &msec->sid); 6052 SECCLASS_MSG, NULL, &msec->sid);
5630 if (rc) 6053 if (rc)
5631 return rc; 6054 return rc;
5632 } 6055 }
5633 6056
5634 ad.type = LSM_AUDIT_DATA_IPC; 6057 ad.type = LSM_AUDIT_DATA_IPC;
5635 ad.u.ipc_id = msq->q_perm.key; 6058 ad.u.ipc_id = msq->key;
5636 6059
5637 /* Can this process write to the queue? */ 6060 /* Can this process write to the queue? */
5638 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6061 rc = avc_has_perm(&selinux_state,
6062 sid, isec->sid, SECCLASS_MSGQ,
5639 MSGQ__WRITE, &ad); 6063 MSGQ__WRITE, &ad);
5640 if (!rc) 6064 if (!rc)
5641 /* Can this process send the message */ 6065 /* Can this process send the message */
5642 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 6066 rc = avc_has_perm(&selinux_state,
6067 sid, msec->sid, SECCLASS_MSG,
5643 MSG__SEND, &ad); 6068 MSG__SEND, &ad);
5644 if (!rc) 6069 if (!rc)
5645 /* Can the message be put in the queue? */ 6070 /* Can the message be put in the queue? */
5646 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 6071 rc = avc_has_perm(&selinux_state,
6072 msec->sid, isec->sid, SECCLASS_MSGQ,
5647 MSGQ__ENQUEUE, &ad); 6073 MSGQ__ENQUEUE, &ad);
5648 6074
5649 return rc; 6075 return rc;
5650} 6076}
5651 6077
5652static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 6078static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
5653 struct task_struct *target, 6079 struct task_struct *target,
5654 long type, int mode) 6080 long type, int mode)
5655{ 6081{
@@ -5659,68 +6085,72 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5659 u32 sid = task_sid(target); 6085 u32 sid = task_sid(target);
5660 int rc; 6086 int rc;
5661 6087
5662 isec = msq->q_perm.security; 6088 isec = msq->security;
5663 msec = msg->security; 6089 msec = msg->security;
5664 6090
5665 ad.type = LSM_AUDIT_DATA_IPC; 6091 ad.type = LSM_AUDIT_DATA_IPC;
5666 ad.u.ipc_id = msq->q_perm.key; 6092 ad.u.ipc_id = msq->key;
5667 6093
5668 rc = avc_has_perm(sid, isec->sid, 6094 rc = avc_has_perm(&selinux_state,
6095 sid, isec->sid,
5669 SECCLASS_MSGQ, MSGQ__READ, &ad); 6096 SECCLASS_MSGQ, MSGQ__READ, &ad);
5670 if (!rc) 6097 if (!rc)
5671 rc = avc_has_perm(sid, msec->sid, 6098 rc = avc_has_perm(&selinux_state,
6099 sid, msec->sid,
5672 SECCLASS_MSG, MSG__RECEIVE, &ad); 6100 SECCLASS_MSG, MSG__RECEIVE, &ad);
5673 return rc; 6101 return rc;
5674} 6102}
5675 6103
5676/* Shared Memory security operations */ 6104/* Shared Memory security operations */
5677static int selinux_shm_alloc_security(struct shmid_kernel *shp) 6105static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
5678{ 6106{
5679 struct ipc_security_struct *isec; 6107 struct ipc_security_struct *isec;
5680 struct common_audit_data ad; 6108 struct common_audit_data ad;
5681 u32 sid = current_sid(); 6109 u32 sid = current_sid();
5682 int rc; 6110 int rc;
5683 6111
5684 rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM); 6112 rc = ipc_alloc_security(shp, SECCLASS_SHM);
5685 if (rc) 6113 if (rc)
5686 return rc; 6114 return rc;
5687 6115
5688 isec = shp->shm_perm.security; 6116 isec = shp->security;
5689 6117
5690 ad.type = LSM_AUDIT_DATA_IPC; 6118 ad.type = LSM_AUDIT_DATA_IPC;
5691 ad.u.ipc_id = shp->shm_perm.key; 6119 ad.u.ipc_id = shp->key;
5692 6120
5693 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6121 rc = avc_has_perm(&selinux_state,
6122 sid, isec->sid, SECCLASS_SHM,
5694 SHM__CREATE, &ad); 6123 SHM__CREATE, &ad);
5695 if (rc) { 6124 if (rc) {
5696 ipc_free_security(&shp->shm_perm); 6125 ipc_free_security(shp);
5697 return rc; 6126 return rc;
5698 } 6127 }
5699 return 0; 6128 return 0;
5700} 6129}
5701 6130
5702static void selinux_shm_free_security(struct shmid_kernel *shp) 6131static void selinux_shm_free_security(struct kern_ipc_perm *shp)
5703{ 6132{
5704 ipc_free_security(&shp->shm_perm); 6133 ipc_free_security(shp);
5705} 6134}
5706 6135
5707static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 6136static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
5708{ 6137{
5709 struct ipc_security_struct *isec; 6138 struct ipc_security_struct *isec;
5710 struct common_audit_data ad; 6139 struct common_audit_data ad;
5711 u32 sid = current_sid(); 6140 u32 sid = current_sid();
5712 6141
5713 isec = shp->shm_perm.security; 6142 isec = shp->security;
5714 6143
5715 ad.type = LSM_AUDIT_DATA_IPC; 6144 ad.type = LSM_AUDIT_DATA_IPC;
5716 ad.u.ipc_id = shp->shm_perm.key; 6145 ad.u.ipc_id = shp->key;
5717 6146
5718 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6147 return avc_has_perm(&selinux_state,
6148 sid, isec->sid, SECCLASS_SHM,
5719 SHM__ASSOCIATE, &ad); 6149 SHM__ASSOCIATE, &ad);
5720} 6150}
5721 6151
5722/* Note, at this point, shp is locked down */ 6152/* Note, at this point, shp is locked down */
5723static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 6153static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
5724{ 6154{
5725 int perms; 6155 int perms;
5726 int err; 6156 int err;
@@ -5729,10 +6159,12 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5729 case IPC_INFO: 6159 case IPC_INFO:
5730 case SHM_INFO: 6160 case SHM_INFO:
5731 /* No specific object, just general system-wide information. */ 6161 /* No specific object, just general system-wide information. */
5732 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6162 return avc_has_perm(&selinux_state,
6163 current_sid(), SECINITSID_KERNEL,
5733 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6164 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5734 case IPC_STAT: 6165 case IPC_STAT:
5735 case SHM_STAT: 6166 case SHM_STAT:
6167 case SHM_STAT_ANY:
5736 perms = SHM__GETATTR | SHM__ASSOCIATE; 6168 perms = SHM__GETATTR | SHM__ASSOCIATE;
5737 break; 6169 break;
5738 case IPC_SET: 6170 case IPC_SET:
@@ -5749,11 +6181,11 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5749 return 0; 6181 return 0;
5750 } 6182 }
5751 6183
5752 err = ipc_has_perm(&shp->shm_perm, perms); 6184 err = ipc_has_perm(shp, perms);
5753 return err; 6185 return err;
5754} 6186}
5755 6187
5756static int selinux_shm_shmat(struct shmid_kernel *shp, 6188static int selinux_shm_shmat(struct kern_ipc_perm *shp,
5757 char __user *shmaddr, int shmflg) 6189 char __user *shmaddr, int shmflg)
5758{ 6190{
5759 u32 perms; 6191 u32 perms;
@@ -5763,57 +6195,59 @@ static int selinux_shm_shmat(struct shmid_kernel *shp,
5763 else 6195 else
5764 perms = SHM__READ | SHM__WRITE; 6196 perms = SHM__READ | SHM__WRITE;
5765 6197
5766 return ipc_has_perm(&shp->shm_perm, perms); 6198 return ipc_has_perm(shp, perms);
5767} 6199}
5768 6200
5769/* Semaphore security operations */ 6201/* Semaphore security operations */
5770static int selinux_sem_alloc_security(struct sem_array *sma) 6202static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
5771{ 6203{
5772 struct ipc_security_struct *isec; 6204 struct ipc_security_struct *isec;
5773 struct common_audit_data ad; 6205 struct common_audit_data ad;
5774 u32 sid = current_sid(); 6206 u32 sid = current_sid();
5775 int rc; 6207 int rc;
5776 6208
5777 rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM); 6209 rc = ipc_alloc_security(sma, SECCLASS_SEM);
5778 if (rc) 6210 if (rc)
5779 return rc; 6211 return rc;
5780 6212
5781 isec = sma->sem_perm.security; 6213 isec = sma->security;
5782 6214
5783 ad.type = LSM_AUDIT_DATA_IPC; 6215 ad.type = LSM_AUDIT_DATA_IPC;
5784 ad.u.ipc_id = sma->sem_perm.key; 6216 ad.u.ipc_id = sma->key;
5785 6217
5786 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6218 rc = avc_has_perm(&selinux_state,
6219 sid, isec->sid, SECCLASS_SEM,
5787 SEM__CREATE, &ad); 6220 SEM__CREATE, &ad);
5788 if (rc) { 6221 if (rc) {
5789 ipc_free_security(&sma->sem_perm); 6222 ipc_free_security(sma);
5790 return rc; 6223 return rc;
5791 } 6224 }
5792 return 0; 6225 return 0;
5793} 6226}
5794 6227
5795static void selinux_sem_free_security(struct sem_array *sma) 6228static void selinux_sem_free_security(struct kern_ipc_perm *sma)
5796{ 6229{
5797 ipc_free_security(&sma->sem_perm); 6230 ipc_free_security(sma);
5798} 6231}
5799 6232
5800static int selinux_sem_associate(struct sem_array *sma, int semflg) 6233static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
5801{ 6234{
5802 struct ipc_security_struct *isec; 6235 struct ipc_security_struct *isec;
5803 struct common_audit_data ad; 6236 struct common_audit_data ad;
5804 u32 sid = current_sid(); 6237 u32 sid = current_sid();
5805 6238
5806 isec = sma->sem_perm.security; 6239 isec = sma->security;
5807 6240
5808 ad.type = LSM_AUDIT_DATA_IPC; 6241 ad.type = LSM_AUDIT_DATA_IPC;
5809 ad.u.ipc_id = sma->sem_perm.key; 6242 ad.u.ipc_id = sma->key;
5810 6243
5811 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6244 return avc_has_perm(&selinux_state,
6245 sid, isec->sid, SECCLASS_SEM,
5812 SEM__ASSOCIATE, &ad); 6246 SEM__ASSOCIATE, &ad);
5813} 6247}
5814 6248
5815/* Note, at this point, sma is locked down */ 6249/* Note, at this point, sma is locked down */
5816static int selinux_sem_semctl(struct sem_array *sma, int cmd) 6250static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
5817{ 6251{
5818 int err; 6252 int err;
5819 u32 perms; 6253 u32 perms;
@@ -5822,7 +6256,8 @@ static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5822 case IPC_INFO: 6256 case IPC_INFO:
5823 case SEM_INFO: 6257 case SEM_INFO:
5824 /* No specific object, just general system-wide information. */ 6258 /* No specific object, just general system-wide information. */
5825 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6259 return avc_has_perm(&selinux_state,
6260 current_sid(), SECINITSID_KERNEL,
5826 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6261 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5827 case GETPID: 6262 case GETPID:
5828 case GETNCNT: 6263 case GETNCNT:
@@ -5845,17 +6280,18 @@ static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5845 break; 6280 break;
5846 case IPC_STAT: 6281 case IPC_STAT:
5847 case SEM_STAT: 6282 case SEM_STAT:
6283 case SEM_STAT_ANY:
5848 perms = SEM__GETATTR | SEM__ASSOCIATE; 6284 perms = SEM__GETATTR | SEM__ASSOCIATE;
5849 break; 6285 break;
5850 default: 6286 default:
5851 return 0; 6287 return 0;
5852 } 6288 }
5853 6289
5854 err = ipc_has_perm(&sma->sem_perm, perms); 6290 err = ipc_has_perm(sma, perms);
5855 return err; 6291 return err;
5856} 6292}
5857 6293
5858static int selinux_sem_semop(struct sem_array *sma, 6294static int selinux_sem_semop(struct kern_ipc_perm *sma,
5859 struct sembuf *sops, unsigned nsops, int alter) 6295 struct sembuf *sops, unsigned nsops, int alter)
5860{ 6296{
5861 u32 perms; 6297 u32 perms;
@@ -5865,7 +6301,7 @@ static int selinux_sem_semop(struct sem_array *sma,
5865 else 6301 else
5866 perms = SEM__READ; 6302 perms = SEM__READ;
5867 6303
5868 return ipc_has_perm(&sma->sem_perm, perms); 6304 return ipc_has_perm(sma, perms);
5869} 6305}
5870 6306
5871static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6307static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
@@ -5908,7 +6344,8 @@ static int selinux_getprocattr(struct task_struct *p,
5908 __tsec = __task_cred(p)->security; 6344 __tsec = __task_cred(p)->security;
5909 6345
5910 if (current != p) { 6346 if (current != p) {
5911 error = avc_has_perm(current_sid(), __tsec->sid, 6347 error = avc_has_perm(&selinux_state,
6348 current_sid(), __tsec->sid,
5912 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6349 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
5913 if (error) 6350 if (error)
5914 goto bad; 6351 goto bad;
@@ -5935,7 +6372,7 @@ static int selinux_getprocattr(struct task_struct *p,
5935 if (!sid) 6372 if (!sid)
5936 return 0; 6373 return 0;
5937 6374
5938 error = security_sid_to_context(sid, value, &len); 6375 error = security_sid_to_context(&selinux_state, sid, value, &len);
5939 if (error) 6376 if (error)
5940 return error; 6377 return error;
5941 return len; 6378 return len;
@@ -5957,19 +6394,24 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
5957 * Basic control over ability to set these attributes at all. 6394 * Basic control over ability to set these attributes at all.
5958 */ 6395 */
5959 if (!strcmp(name, "exec")) 6396 if (!strcmp(name, "exec"))
5960 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6397 error = avc_has_perm(&selinux_state,
6398 mysid, mysid, SECCLASS_PROCESS,
5961 PROCESS__SETEXEC, NULL); 6399 PROCESS__SETEXEC, NULL);
5962 else if (!strcmp(name, "fscreate")) 6400 else if (!strcmp(name, "fscreate"))
5963 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6401 error = avc_has_perm(&selinux_state,
6402 mysid, mysid, SECCLASS_PROCESS,
5964 PROCESS__SETFSCREATE, NULL); 6403 PROCESS__SETFSCREATE, NULL);
5965 else if (!strcmp(name, "keycreate")) 6404 else if (!strcmp(name, "keycreate"))
5966 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6405 error = avc_has_perm(&selinux_state,
6406 mysid, mysid, SECCLASS_PROCESS,
5967 PROCESS__SETKEYCREATE, NULL); 6407 PROCESS__SETKEYCREATE, NULL);
5968 else if (!strcmp(name, "sockcreate")) 6408 else if (!strcmp(name, "sockcreate"))
5969 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6409 error = avc_has_perm(&selinux_state,
6410 mysid, mysid, SECCLASS_PROCESS,
5970 PROCESS__SETSOCKCREATE, NULL); 6411 PROCESS__SETSOCKCREATE, NULL);
5971 else if (!strcmp(name, "current")) 6412 else if (!strcmp(name, "current"))
5972 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6413 error = avc_has_perm(&selinux_state,
6414 mysid, mysid, SECCLASS_PROCESS,
5973 PROCESS__SETCURRENT, NULL); 6415 PROCESS__SETCURRENT, NULL);
5974 else 6416 else
5975 error = -EINVAL; 6417 error = -EINVAL;
@@ -5982,7 +6424,8 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
5982 str[size-1] = 0; 6424 str[size-1] = 0;
5983 size--; 6425 size--;
5984 } 6426 }
5985 error = security_context_to_sid(value, size, &sid, GFP_KERNEL); 6427 error = security_context_to_sid(&selinux_state, value, size,
6428 &sid, GFP_KERNEL);
5986 if (error == -EINVAL && !strcmp(name, "fscreate")) { 6429 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5987 if (!has_cap_mac_admin(true)) { 6430 if (!has_cap_mac_admin(true)) {
5988 struct audit_buffer *ab; 6431 struct audit_buffer *ab;
@@ -6001,8 +6444,9 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6001 6444
6002 return error; 6445 return error;
6003 } 6446 }
6004 error = security_context_to_sid_force(value, size, 6447 error = security_context_to_sid_force(
6005 &sid); 6448 &selinux_state,
6449 value, size, &sid);
6006 } 6450 }
6007 if (error) 6451 if (error)
6008 return error; 6452 return error;
@@ -6024,7 +6468,8 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6024 } else if (!strcmp(name, "fscreate")) { 6468 } else if (!strcmp(name, "fscreate")) {
6025 tsec->create_sid = sid; 6469 tsec->create_sid = sid;
6026 } else if (!strcmp(name, "keycreate")) { 6470 } else if (!strcmp(name, "keycreate")) {
6027 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE, 6471 error = avc_has_perm(&selinux_state,
6472 mysid, sid, SECCLASS_KEY, KEY__CREATE,
6028 NULL); 6473 NULL);
6029 if (error) 6474 if (error)
6030 goto abort_change; 6475 goto abort_change;
@@ -6039,13 +6484,15 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6039 /* Only allow single threaded processes to change context */ 6484 /* Only allow single threaded processes to change context */
6040 error = -EPERM; 6485 error = -EPERM;
6041 if (!current_is_single_threaded()) { 6486 if (!current_is_single_threaded()) {
6042 error = security_bounded_transition(tsec->sid, sid); 6487 error = security_bounded_transition(&selinux_state,
6488 tsec->sid, sid);
6043 if (error) 6489 if (error)
6044 goto abort_change; 6490 goto abort_change;
6045 } 6491 }
6046 6492
6047 /* Check permissions for the transition. */ 6493 /* Check permissions for the transition. */
6048 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 6494 error = avc_has_perm(&selinux_state,
6495 tsec->sid, sid, SECCLASS_PROCESS,
6049 PROCESS__DYNTRANSITION, NULL); 6496 PROCESS__DYNTRANSITION, NULL);
6050 if (error) 6497 if (error)
6051 goto abort_change; 6498 goto abort_change;
@@ -6054,7 +6501,8 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6054 Otherwise, leave SID unchanged and fail. */ 6501 Otherwise, leave SID unchanged and fail. */
6055 ptsid = ptrace_parent_sid(); 6502 ptsid = ptrace_parent_sid();
6056 if (ptsid != 0) { 6503 if (ptsid != 0) {
6057 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 6504 error = avc_has_perm(&selinux_state,
6505 ptsid, sid, SECCLASS_PROCESS,
6058 PROCESS__PTRACE, NULL); 6506 PROCESS__PTRACE, NULL);
6059 if (error) 6507 if (error)
6060 goto abort_change; 6508 goto abort_change;
@@ -6081,12 +6529,14 @@ static int selinux_ismaclabel(const char *name)
6081 6529
6082static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6530static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6083{ 6531{
6084 return security_sid_to_context(secid, secdata, seclen); 6532 return security_sid_to_context(&selinux_state, secid,
6533 secdata, seclen);
6085} 6534}
6086 6535
6087static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6536static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6088{ 6537{
6089 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL); 6538 return security_context_to_sid(&selinux_state, secdata, seclen,
6539 secid, GFP_KERNEL);
6090} 6540}
6091 6541
6092static void selinux_release_secctx(char *secdata, u32 seclen) 6542static void selinux_release_secctx(char *secdata, u32 seclen)
@@ -6178,7 +6628,8 @@ static int selinux_key_permission(key_ref_t key_ref,
6178 key = key_ref_to_ptr(key_ref); 6628 key = key_ref_to_ptr(key_ref);
6179 ksec = key->security; 6629 ksec = key->security;
6180 6630
6181 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6631 return avc_has_perm(&selinux_state,
6632 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6182} 6633}
6183 6634
6184static int selinux_key_getsecurity(struct key *key, char **_buffer) 6635static int selinux_key_getsecurity(struct key *key, char **_buffer)
@@ -6188,7 +6639,8 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
6188 unsigned len; 6639 unsigned len;
6189 int rc; 6640 int rc;
6190 6641
6191 rc = security_sid_to_context(ksec->sid, &context, &len); 6642 rc = security_sid_to_context(&selinux_state, ksec->sid,
6643 &context, &len);
6192 if (!rc) 6644 if (!rc)
6193 rc = len; 6645 rc = len;
6194 *_buffer = context; 6646 *_buffer = context;
@@ -6213,7 +6665,8 @@ static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6213 ibpkey.subnet_prefix = subnet_prefix; 6665 ibpkey.subnet_prefix = subnet_prefix;
6214 ibpkey.pkey = pkey_val; 6666 ibpkey.pkey = pkey_val;
6215 ad.u.ibpkey = &ibpkey; 6667 ad.u.ibpkey = &ibpkey;
6216 return avc_has_perm(sec->sid, sid, 6668 return avc_has_perm(&selinux_state,
6669 sec->sid, sid,
6217 SECCLASS_INFINIBAND_PKEY, 6670 SECCLASS_INFINIBAND_PKEY,
6218 INFINIBAND_PKEY__ACCESS, &ad); 6671 INFINIBAND_PKEY__ACCESS, &ad);
6219} 6672}
@@ -6227,7 +6680,8 @@ static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6227 struct ib_security_struct *sec = ib_sec; 6680 struct ib_security_struct *sec = ib_sec;
6228 struct lsm_ibendport_audit ibendport; 6681 struct lsm_ibendport_audit ibendport;
6229 6682
6230 err = security_ib_endport_sid(dev_name, port_num, &sid); 6683 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6684 &sid);
6231 6685
6232 if (err) 6686 if (err)
6233 return err; 6687 return err;
@@ -6236,7 +6690,8 @@ static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6236 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); 6690 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6237 ibendport.port = port_num; 6691 ibendport.port = port_num;
6238 ad.u.ibendport = &ibendport; 6692 ad.u.ibendport = &ibendport;
6239 return avc_has_perm(sec->sid, sid, 6693 return avc_has_perm(&selinux_state,
6694 sec->sid, sid,
6240 SECCLASS_INFINIBAND_ENDPORT, 6695 SECCLASS_INFINIBAND_ENDPORT,
6241 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6696 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6242} 6697}
@@ -6269,11 +6724,13 @@ static int selinux_bpf(int cmd, union bpf_attr *attr,
6269 6724
6270 switch (cmd) { 6725 switch (cmd) {
6271 case BPF_MAP_CREATE: 6726 case BPF_MAP_CREATE:
6272 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6727 ret = avc_has_perm(&selinux_state,
6728 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6273 NULL); 6729 NULL);
6274 break; 6730 break;
6275 case BPF_PROG_LOAD: 6731 case BPF_PROG_LOAD:
6276 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6732 ret = avc_has_perm(&selinux_state,
6733 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6277 NULL); 6734 NULL);
6278 break; 6735 break;
6279 default: 6736 default:
@@ -6313,14 +6770,16 @@ static int bpf_fd_pass(struct file *file, u32 sid)
6313 if (file->f_op == &bpf_map_fops) { 6770 if (file->f_op == &bpf_map_fops) {
6314 map = file->private_data; 6771 map = file->private_data;
6315 bpfsec = map->security; 6772 bpfsec = map->security;
6316 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6773 ret = avc_has_perm(&selinux_state,
6774 sid, bpfsec->sid, SECCLASS_BPF,
6317 bpf_map_fmode_to_av(file->f_mode), NULL); 6775 bpf_map_fmode_to_av(file->f_mode), NULL);
6318 if (ret) 6776 if (ret)
6319 return ret; 6777 return ret;
6320 } else if (file->f_op == &bpf_prog_fops) { 6778 } else if (file->f_op == &bpf_prog_fops) {
6321 prog = file->private_data; 6779 prog = file->private_data;
6322 bpfsec = prog->aux->security; 6780 bpfsec = prog->aux->security;
6323 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6781 ret = avc_has_perm(&selinux_state,
6782 sid, bpfsec->sid, SECCLASS_BPF,
6324 BPF__PROG_RUN, NULL); 6783 BPF__PROG_RUN, NULL);
6325 if (ret) 6784 if (ret)
6326 return ret; 6785 return ret;
@@ -6334,7 +6793,8 @@ static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6334 struct bpf_security_struct *bpfsec; 6793 struct bpf_security_struct *bpfsec;
6335 6794
6336 bpfsec = map->security; 6795 bpfsec = map->security;
6337 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6796 return avc_has_perm(&selinux_state,
6797 sid, bpfsec->sid, SECCLASS_BPF,
6338 bpf_map_fmode_to_av(fmode), NULL); 6798 bpf_map_fmode_to_av(fmode), NULL);
6339} 6799}
6340 6800
@@ -6344,7 +6804,8 @@ static int selinux_bpf_prog(struct bpf_prog *prog)
6344 struct bpf_security_struct *bpfsec; 6804 struct bpf_security_struct *bpfsec;
6345 6805
6346 bpfsec = prog->aux->security; 6806 bpfsec = prog->aux->security;
6347 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6807 return avc_has_perm(&selinux_state,
6808 sid, bpfsec->sid, SECCLASS_BPF,
6348 BPF__PROG_RUN, NULL); 6809 BPF__PROG_RUN, NULL);
6349} 6810}
6350 6811
@@ -6479,6 +6940,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6479 LSM_HOOK_INIT(cred_free, selinux_cred_free), 6940 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6480 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 6941 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6481 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 6942 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6943 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6482 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 6944 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6483 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 6945 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6484 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 6946 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
@@ -6563,6 +7025,9 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6563 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7025 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6564 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7026 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6565 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7027 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7028 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7029 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7030 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
6566 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7031 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6567 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7032 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6568 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7033 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
@@ -6638,6 +7103,12 @@ static __init int selinux_init(void)
6638 7103
6639 printk(KERN_INFO "SELinux: Initializing.\n"); 7104 printk(KERN_INFO "SELinux: Initializing.\n");
6640 7105
7106 memset(&selinux_state, 0, sizeof(selinux_state));
7107 enforcing_set(&selinux_state, selinux_enforcing_boot);
7108 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7109 selinux_ss_init(&selinux_state.ss);
7110 selinux_avc_init(&selinux_state.avc);
7111
6641 /* Set the security state for the initial task. */ 7112 /* Set the security state for the initial task. */
6642 cred_init_security(); 7113 cred_init_security();
6643 7114
@@ -6651,6 +7122,12 @@ static __init int selinux_init(void)
6651 0, SLAB_PANIC, NULL); 7122 0, SLAB_PANIC, NULL);
6652 avc_init(); 7123 avc_init();
6653 7124
7125 avtab_cache_init();
7126
7127 ebitmap_cache_init();
7128
7129 hashtab_cache_init();
7130
6654 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 7131 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
6655 7132
6656 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7133 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
@@ -6659,7 +7136,7 @@ static __init int selinux_init(void)
6659 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7136 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
6660 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7137 panic("SELinux: Unable to register AVC LSM notifier callback\n");
6661 7138
6662 if (selinux_enforcing) 7139 if (selinux_enforcing_boot)
6663 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 7140 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6664 else 7141 else
6665 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 7142 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
@@ -6780,23 +7257,22 @@ static void selinux_nf_ip_exit(void)
6780#endif /* CONFIG_NETFILTER */ 7257#endif /* CONFIG_NETFILTER */
6781 7258
6782#ifdef CONFIG_SECURITY_SELINUX_DISABLE 7259#ifdef CONFIG_SECURITY_SELINUX_DISABLE
6783static int selinux_disabled; 7260int selinux_disable(struct selinux_state *state)
6784
6785int selinux_disable(void)
6786{ 7261{
6787 if (ss_initialized) { 7262 if (state->initialized) {
6788 /* Not permitted after initial policy load. */ 7263 /* Not permitted after initial policy load. */
6789 return -EINVAL; 7264 return -EINVAL;
6790 } 7265 }
6791 7266
6792 if (selinux_disabled) { 7267 if (state->disabled) {
6793 /* Only do this once. */ 7268 /* Only do this once. */
6794 return -EINVAL; 7269 return -EINVAL;
6795 } 7270 }
6796 7271
7272 state->disabled = 1;
7273
6797 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 7274 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6798 7275
6799 selinux_disabled = 1;
6800 selinux_enabled = 0; 7276 selinux_enabled = 0;
6801 7277
6802 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 7278 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
generated by cgit v1.2.2 (git 2.25.0) at 2025-10-06 11:24:56 -0400