aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/hooks.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c1014
1 files changed, 736 insertions, 278 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b7d4473edbde..1eeb70e439d7 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -67,6 +67,8 @@
67#include <linux/tcp.h> 67#include <linux/tcp.h>
68#include <linux/udp.h> 68#include <linux/udp.h>
69#include <linux/dccp.h> 69#include <linux/dccp.h>
70#include <linux/sctp.h>
71#include <net/sctp/structs.h>
70#include <linux/quota.h> 72#include <linux/quota.h>
71#include <linux/un.h> /* for Unix socket types */ 73#include <linux/un.h> /* for Unix socket types */
72#include <net/af_unix.h> /* for Unix socket types */ 74#include <net/af_unix.h> /* for Unix socket types */
@@ -98,20 +100,24 @@
98#include "audit.h" 100#include "audit.h"
99#include "avc_ss.h" 101#include "avc_ss.h"
100 102
103struct selinux_state selinux_state;
104
101/* SECMARK reference count */ 105/* SECMARK reference count */
102static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 106static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103 107
104#ifdef CONFIG_SECURITY_SELINUX_DEVELOP 108#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105int selinux_enforcing; 109static int selinux_enforcing_boot;
106 110
107static int __init enforcing_setup(char *str) 111static int __init enforcing_setup(char *str)
108{ 112{
109 unsigned long enforcing; 113 unsigned long enforcing;
110 if (!kstrtoul(str, 0, &enforcing)) 114 if (!kstrtoul(str, 0, &enforcing))
111 selinux_enforcing = enforcing ? 1 : 0; 115 selinux_enforcing_boot = enforcing ? 1 : 0;
112 return 1; 116 return 1;
113} 117}
114__setup("enforcing=", enforcing_setup); 118__setup("enforcing=", enforcing_setup);
119#else
120#define selinux_enforcing_boot 1
115#endif 121#endif
116 122
117#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 123#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
@@ -129,6 +135,19 @@ __setup("selinux=", selinux_enabled_setup);
129int selinux_enabled = 1; 135int selinux_enabled = 1;
130#endif 136#endif
131 137
138static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140
141static int __init checkreqprot_setup(char *str)
142{
143 unsigned long checkreqprot;
144
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 return 1;
148}
149__setup("checkreqprot=", checkreqprot_setup);
150
132static struct kmem_cache *sel_inode_cache; 151static struct kmem_cache *sel_inode_cache;
133static struct kmem_cache *file_security_cache; 152static struct kmem_cache *file_security_cache;
134 153
@@ -145,7 +164,8 @@ static struct kmem_cache *file_security_cache;
145 */ 164 */
146static int selinux_secmark_enabled(void) 165static int selinux_secmark_enabled(void)
147{ 166{
148 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount)); 167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
149} 169}
150 170
151/** 171/**
@@ -160,7 +180,8 @@ static int selinux_secmark_enabled(void)
160 */ 180 */
161static int selinux_peerlbl_enabled(void) 181static int selinux_peerlbl_enabled(void)
162{ 182{
163 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled()); 183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
164} 185}
165 186
166static int selinux_netcache_avc_callback(u32 event) 187static int selinux_netcache_avc_callback(u32 event)
@@ -264,7 +285,8 @@ static int __inode_security_revalidate(struct inode *inode,
264 285
265 might_sleep_if(may_sleep); 286 might_sleep_if(may_sleep);
266 287
267 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) { 288 if (selinux_state.initialized &&
289 isec->initialized != LABEL_INITIALIZED) {
268 if (!may_sleep) 290 if (!may_sleep)
269 return -ECHILD; 291 return -ECHILD;
270 292
@@ -446,12 +468,14 @@ static int may_context_mount_sb_relabel(u32 sid,
446 const struct task_security_struct *tsec = cred->security; 468 const struct task_security_struct *tsec = cred->security;
447 int rc; 469 int rc;
448 470
449 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 471 rc = avc_has_perm(&selinux_state,
472 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450 FILESYSTEM__RELABELFROM, NULL); 473 FILESYSTEM__RELABELFROM, NULL);
451 if (rc) 474 if (rc)
452 return rc; 475 return rc;
453 476
454 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 477 rc = avc_has_perm(&selinux_state,
478 tsec->sid, sid, SECCLASS_FILESYSTEM,
455 FILESYSTEM__RELABELTO, NULL); 479 FILESYSTEM__RELABELTO, NULL);
456 return rc; 480 return rc;
457} 481}
@@ -462,12 +486,14 @@ static int may_context_mount_inode_relabel(u32 sid,
462{ 486{
463 const struct task_security_struct *tsec = cred->security; 487 const struct task_security_struct *tsec = cred->security;
464 int rc; 488 int rc;
465 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 489 rc = avc_has_perm(&selinux_state,
490 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
466 FILESYSTEM__RELABELFROM, NULL); 491 FILESYSTEM__RELABELFROM, NULL);
467 if (rc) 492 if (rc)
468 return rc; 493 return rc;
469 494
470 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 495 rc = avc_has_perm(&selinux_state,
496 sid, sbsec->sid, SECCLASS_FILESYSTEM,
471 FILESYSTEM__ASSOCIATE, NULL); 497 FILESYSTEM__ASSOCIATE, NULL);
472 return rc; 498 return rc;
473} 499}
@@ -486,7 +512,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
486 !strcmp(sb->s_type->name, "debugfs") || 512 !strcmp(sb->s_type->name, "debugfs") ||
487 !strcmp(sb->s_type->name, "tracefs") || 513 !strcmp(sb->s_type->name, "tracefs") ||
488 !strcmp(sb->s_type->name, "rootfs") || 514 !strcmp(sb->s_type->name, "rootfs") ||
489 (selinux_policycap_cgroupseclabel && 515 (selinux_policycap_cgroupseclabel() &&
490 (!strcmp(sb->s_type->name, "cgroup") || 516 (!strcmp(sb->s_type->name, "cgroup") ||
491 !strcmp(sb->s_type->name, "cgroup2"))); 517 !strcmp(sb->s_type->name, "cgroup2")));
492} 518}
@@ -586,7 +612,7 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
586 if (!(sbsec->flags & SE_SBINITIALIZED)) 612 if (!(sbsec->flags & SE_SBINITIALIZED))
587 return -EINVAL; 613 return -EINVAL;
588 614
589 if (!ss_initialized) 615 if (!selinux_state.initialized)
590 return -EINVAL; 616 return -EINVAL;
591 617
592 /* make sure we always check enough bits to cover the mask */ 618 /* make sure we always check enough bits to cover the mask */
@@ -617,21 +643,25 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
617 643
618 i = 0; 644 i = 0;
619 if (sbsec->flags & FSCONTEXT_MNT) { 645 if (sbsec->flags & FSCONTEXT_MNT) {
620 rc = security_sid_to_context(sbsec->sid, &context, &len); 646 rc = security_sid_to_context(&selinux_state, sbsec->sid,
647 &context, &len);
621 if (rc) 648 if (rc)
622 goto out_free; 649 goto out_free;
623 opts->mnt_opts[i] = context; 650 opts->mnt_opts[i] = context;
624 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 651 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
625 } 652 }
626 if (sbsec->flags & CONTEXT_MNT) { 653 if (sbsec->flags & CONTEXT_MNT) {
627 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); 654 rc = security_sid_to_context(&selinux_state,
655 sbsec->mntpoint_sid,
656 &context, &len);
628 if (rc) 657 if (rc)
629 goto out_free; 658 goto out_free;
630 opts->mnt_opts[i] = context; 659 opts->mnt_opts[i] = context;
631 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 660 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
632 } 661 }
633 if (sbsec->flags & DEFCONTEXT_MNT) { 662 if (sbsec->flags & DEFCONTEXT_MNT) {
634 rc = security_sid_to_context(sbsec->def_sid, &context, &len); 663 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
664 &context, &len);
635 if (rc) 665 if (rc)
636 goto out_free; 666 goto out_free;
637 opts->mnt_opts[i] = context; 667 opts->mnt_opts[i] = context;
@@ -641,7 +671,8 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
641 struct dentry *root = sbsec->sb->s_root; 671 struct dentry *root = sbsec->sb->s_root;
642 struct inode_security_struct *isec = backing_inode_security(root); 672 struct inode_security_struct *isec = backing_inode_security(root);
643 673
644 rc = security_sid_to_context(isec->sid, &context, &len); 674 rc = security_sid_to_context(&selinux_state, isec->sid,
675 &context, &len);
645 if (rc) 676 if (rc)
646 goto out_free; 677 goto out_free;
647 opts->mnt_opts[i] = context; 678 opts->mnt_opts[i] = context;
@@ -704,7 +735,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
704 735
705 mutex_lock(&sbsec->lock); 736 mutex_lock(&sbsec->lock);
706 737
707 if (!ss_initialized) { 738 if (!selinux_state.initialized) {
708 if (!num_opts) { 739 if (!num_opts) {
709 /* Defer initialization until selinux_complete_init, 740 /* Defer initialization until selinux_complete_init,
710 after the initial policy is loaded and the security 741 after the initial policy is loaded and the security
@@ -750,7 +781,9 @@ static int selinux_set_mnt_opts(struct super_block *sb,
750 781
751 if (flags[i] == SBLABEL_MNT) 782 if (flags[i] == SBLABEL_MNT)
752 continue; 783 continue;
753 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 784 rc = security_context_str_to_sid(&selinux_state,
785 mount_options[i], &sid,
786 GFP_KERNEL);
754 if (rc) { 787 if (rc) {
755 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 788 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
756 "(%s) failed for (dev %s, type %s) errno=%d\n", 789 "(%s) failed for (dev %s, type %s) errno=%d\n",
@@ -826,7 +859,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
826 * Determine the labeling behavior to use for this 859 * Determine the labeling behavior to use for this
827 * filesystem type. 860 * filesystem type.
828 */ 861 */
829 rc = security_fs_use(sb); 862 rc = security_fs_use(&selinux_state, sb);
830 if (rc) { 863 if (rc) {
831 printk(KERN_WARNING 864 printk(KERN_WARNING
832 "%s: security_fs_use(%s) returned %d\n", 865 "%s: security_fs_use(%s) returned %d\n",
@@ -851,7 +884,9 @@ static int selinux_set_mnt_opts(struct super_block *sb,
851 } 884 }
852 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 885 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
853 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 886 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
854 rc = security_transition_sid(current_sid(), current_sid(), 887 rc = security_transition_sid(&selinux_state,
888 current_sid(),
889 current_sid(),
855 SECCLASS_FILE, NULL, 890 SECCLASS_FILE, NULL,
856 &sbsec->mntpoint_sid); 891 &sbsec->mntpoint_sid);
857 if (rc) 892 if (rc)
@@ -987,7 +1022,7 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
987 * if the parent was able to be mounted it clearly had no special lsm 1022 * if the parent was able to be mounted it clearly had no special lsm
988 * mount options. thus we can safely deal with this superblock later 1023 * mount options. thus we can safely deal with this superblock later
989 */ 1024 */
990 if (!ss_initialized) 1025 if (!selinux_state.initialized)
991 return 0; 1026 return 0;
992 1027
993 /* 1028 /*
@@ -1014,7 +1049,7 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1014 1049
1015 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 1050 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1016 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 1051 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1017 rc = security_fs_use(newsb); 1052 rc = security_fs_use(&selinux_state, newsb);
1018 if (rc) 1053 if (rc)
1019 goto out; 1054 goto out;
1020 } 1055 }
@@ -1297,7 +1332,7 @@ static inline int default_protocol_dgram(int protocol)
1297 1332
1298static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1333static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1299{ 1334{
1300 int extsockclass = selinux_policycap_extsockclass; 1335 int extsockclass = selinux_policycap_extsockclass();
1301 1336
1302 switch (family) { 1337 switch (family) {
1303 case PF_UNIX: 1338 case PF_UNIX:
@@ -1471,7 +1506,8 @@ static int selinux_genfs_get_sid(struct dentry *dentry,
1471 path++; 1506 path++;
1472 } 1507 }
1473 } 1508 }
1474 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid); 1509 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1510 path, tclass, sid);
1475 } 1511 }
1476 free_page((unsigned long)buffer); 1512 free_page((unsigned long)buffer);
1477 return rc; 1513 return rc;
@@ -1589,7 +1625,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1589 sid = sbsec->def_sid; 1625 sid = sbsec->def_sid;
1590 rc = 0; 1626 rc = 0;
1591 } else { 1627 } else {
1592 rc = security_context_to_sid_default(context, rc, &sid, 1628 rc = security_context_to_sid_default(&selinux_state,
1629 context, rc, &sid,
1593 sbsec->def_sid, 1630 sbsec->def_sid,
1594 GFP_NOFS); 1631 GFP_NOFS);
1595 if (rc) { 1632 if (rc) {
@@ -1622,7 +1659,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1622 sid = sbsec->sid; 1659 sid = sbsec->sid;
1623 1660
1624 /* Try to obtain a transition SID. */ 1661 /* Try to obtain a transition SID. */
1625 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid); 1662 rc = security_transition_sid(&selinux_state, task_sid, sid,
1663 sclass, NULL, &sid);
1626 if (rc) 1664 if (rc)
1627 goto out; 1665 goto out;
1628 break; 1666 break;
@@ -1740,9 +1778,11 @@ static int cred_has_capability(const struct cred *cred,
1740 return -EINVAL; 1778 return -EINVAL;
1741 } 1779 }
1742 1780
1743 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1781 rc = avc_has_perm_noaudit(&selinux_state,
1782 sid, sid, sclass, av, 0, &avd);
1744 if (audit == SECURITY_CAP_AUDIT) { 1783 if (audit == SECURITY_CAP_AUDIT) {
1745 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); 1784 int rc2 = avc_audit(&selinux_state,
1785 sid, sid, sclass, av, &avd, rc, &ad, 0);
1746 if (rc2) 1786 if (rc2)
1747 return rc2; 1787 return rc2;
1748 } 1788 }
@@ -1768,7 +1808,8 @@ static int inode_has_perm(const struct cred *cred,
1768 sid = cred_sid(cred); 1808 sid = cred_sid(cred);
1769 isec = inode->i_security; 1809 isec = inode->i_security;
1770 1810
1771 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1811 return avc_has_perm(&selinux_state,
1812 sid, isec->sid, isec->sclass, perms, adp);
1772} 1813}
1773 1814
1774/* Same as inode_has_perm, but pass explicit audit data containing 1815/* Same as inode_has_perm, but pass explicit audit data containing
@@ -1841,7 +1882,8 @@ static int file_has_perm(const struct cred *cred,
1841 ad.u.file = file; 1882 ad.u.file = file;
1842 1883
1843 if (sid != fsec->sid) { 1884 if (sid != fsec->sid) {
1844 rc = avc_has_perm(sid, fsec->sid, 1885 rc = avc_has_perm(&selinux_state,
1886 sid, fsec->sid,
1845 SECCLASS_FD, 1887 SECCLASS_FD,
1846 FD__USE, 1888 FD__USE,
1847 &ad); 1889 &ad);
@@ -1883,7 +1925,8 @@ selinux_determine_inode_label(const struct task_security_struct *tsec,
1883 *_new_isid = tsec->create_sid; 1925 *_new_isid = tsec->create_sid;
1884 } else { 1926 } else {
1885 const struct inode_security_struct *dsec = inode_security(dir); 1927 const struct inode_security_struct *dsec = inode_security(dir);
1886 return security_transition_sid(tsec->sid, dsec->sid, tclass, 1928 return security_transition_sid(&selinux_state, tsec->sid,
1929 dsec->sid, tclass,
1887 name, _new_isid); 1930 name, _new_isid);
1888 } 1931 }
1889 1932
@@ -1910,7 +1953,8 @@ static int may_create(struct inode *dir,
1910 ad.type = LSM_AUDIT_DATA_DENTRY; 1953 ad.type = LSM_AUDIT_DATA_DENTRY;
1911 ad.u.dentry = dentry; 1954 ad.u.dentry = dentry;
1912 1955
1913 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1956 rc = avc_has_perm(&selinux_state,
1957 sid, dsec->sid, SECCLASS_DIR,
1914 DIR__ADD_NAME | DIR__SEARCH, 1958 DIR__ADD_NAME | DIR__SEARCH,
1915 &ad); 1959 &ad);
1916 if (rc) 1960 if (rc)
@@ -1921,11 +1965,13 @@ static int may_create(struct inode *dir,
1921 if (rc) 1965 if (rc)
1922 return rc; 1966 return rc;
1923 1967
1924 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1968 rc = avc_has_perm(&selinux_state,
1969 sid, newsid, tclass, FILE__CREATE, &ad);
1925 if (rc) 1970 if (rc)
1926 return rc; 1971 return rc;
1927 1972
1928 return avc_has_perm(newsid, sbsec->sid, 1973 return avc_has_perm(&selinux_state,
1974 newsid, sbsec->sid,
1929 SECCLASS_FILESYSTEM, 1975 SECCLASS_FILESYSTEM,
1930 FILESYSTEM__ASSOCIATE, &ad); 1976 FILESYSTEM__ASSOCIATE, &ad);
1931} 1977}
@@ -1954,7 +2000,8 @@ static int may_link(struct inode *dir,
1954 2000
1955 av = DIR__SEARCH; 2001 av = DIR__SEARCH;
1956 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 2002 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1957 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 2003 rc = avc_has_perm(&selinux_state,
2004 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1958 if (rc) 2005 if (rc)
1959 return rc; 2006 return rc;
1960 2007
@@ -1974,7 +2021,8 @@ static int may_link(struct inode *dir,
1974 return 0; 2021 return 0;
1975 } 2022 }
1976 2023
1977 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 2024 rc = avc_has_perm(&selinux_state,
2025 sid, isec->sid, isec->sclass, av, &ad);
1978 return rc; 2026 return rc;
1979} 2027}
1980 2028
@@ -1998,16 +2046,19 @@ static inline int may_rename(struct inode *old_dir,
1998 ad.type = LSM_AUDIT_DATA_DENTRY; 2046 ad.type = LSM_AUDIT_DATA_DENTRY;
1999 2047
2000 ad.u.dentry = old_dentry; 2048 ad.u.dentry = old_dentry;
2001 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 2049 rc = avc_has_perm(&selinux_state,
2050 sid, old_dsec->sid, SECCLASS_DIR,
2002 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 2051 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2003 if (rc) 2052 if (rc)
2004 return rc; 2053 return rc;
2005 rc = avc_has_perm(sid, old_isec->sid, 2054 rc = avc_has_perm(&selinux_state,
2055 sid, old_isec->sid,
2006 old_isec->sclass, FILE__RENAME, &ad); 2056 old_isec->sclass, FILE__RENAME, &ad);
2007 if (rc) 2057 if (rc)
2008 return rc; 2058 return rc;
2009 if (old_is_dir && new_dir != old_dir) { 2059 if (old_is_dir && new_dir != old_dir) {
2010 rc = avc_has_perm(sid, old_isec->sid, 2060 rc = avc_has_perm(&selinux_state,
2061 sid, old_isec->sid,
2011 old_isec->sclass, DIR__REPARENT, &ad); 2062 old_isec->sclass, DIR__REPARENT, &ad);
2012 if (rc) 2063 if (rc)
2013 return rc; 2064 return rc;
@@ -2017,13 +2068,15 @@ static inline int may_rename(struct inode *old_dir,
2017 av = DIR__ADD_NAME | DIR__SEARCH; 2068 av = DIR__ADD_NAME | DIR__SEARCH;
2018 if (d_is_positive(new_dentry)) 2069 if (d_is_positive(new_dentry))
2019 av |= DIR__REMOVE_NAME; 2070 av |= DIR__REMOVE_NAME;
2020 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 2071 rc = avc_has_perm(&selinux_state,
2072 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2021 if (rc) 2073 if (rc)
2022 return rc; 2074 return rc;
2023 if (d_is_positive(new_dentry)) { 2075 if (d_is_positive(new_dentry)) {
2024 new_isec = backing_inode_security(new_dentry); 2076 new_isec = backing_inode_security(new_dentry);
2025 new_is_dir = d_is_dir(new_dentry); 2077 new_is_dir = d_is_dir(new_dentry);
2026 rc = avc_has_perm(sid, new_isec->sid, 2078 rc = avc_has_perm(&selinux_state,
2079 sid, new_isec->sid,
2027 new_isec->sclass, 2080 new_isec->sclass,
2028 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 2081 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2029 if (rc) 2082 if (rc)
@@ -2043,7 +2096,8 @@ static int superblock_has_perm(const struct cred *cred,
2043 u32 sid = cred_sid(cred); 2096 u32 sid = cred_sid(cred);
2044 2097
2045 sbsec = sb->s_security; 2098 sbsec = sb->s_security;
2046 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 2099 return avc_has_perm(&selinux_state,
2100 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2047} 2101}
2048 2102
2049/* Convert a Linux mode and permission mask to an access vector. */ 2103/* Convert a Linux mode and permission mask to an access vector. */
@@ -2106,7 +2160,8 @@ static inline u32 open_file_to_av(struct file *file)
2106 u32 av = file_to_av(file); 2160 u32 av = file_to_av(file);
2107 struct inode *inode = file_inode(file); 2161 struct inode *inode = file_inode(file);
2108 2162
2109 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC) 2163 if (selinux_policycap_openperm() &&
2164 inode->i_sb->s_magic != SOCKFS_MAGIC)
2110 av |= FILE__OPEN; 2165 av |= FILE__OPEN;
2111 2166
2112 return av; 2167 return av;
@@ -2119,7 +2174,8 @@ static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2119 u32 mysid = current_sid(); 2174 u32 mysid = current_sid();
2120 u32 mgrsid = task_sid(mgr); 2175 u32 mgrsid = task_sid(mgr);
2121 2176
2122 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, 2177 return avc_has_perm(&selinux_state,
2178 mysid, mgrsid, SECCLASS_BINDER,
2123 BINDER__SET_CONTEXT_MGR, NULL); 2179 BINDER__SET_CONTEXT_MGR, NULL);
2124} 2180}
2125 2181
@@ -2132,13 +2188,15 @@ static int selinux_binder_transaction(struct task_struct *from,
2132 int rc; 2188 int rc;
2133 2189
2134 if (mysid != fromsid) { 2190 if (mysid != fromsid) {
2135 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, 2191 rc = avc_has_perm(&selinux_state,
2192 mysid, fromsid, SECCLASS_BINDER,
2136 BINDER__IMPERSONATE, NULL); 2193 BINDER__IMPERSONATE, NULL);
2137 if (rc) 2194 if (rc)
2138 return rc; 2195 return rc;
2139 } 2196 }
2140 2197
2141 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2198 return avc_has_perm(&selinux_state,
2199 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2142 NULL); 2200 NULL);
2143} 2201}
2144 2202
@@ -2148,7 +2206,8 @@ static int selinux_binder_transfer_binder(struct task_struct *from,
2148 u32 fromsid = task_sid(from); 2206 u32 fromsid = task_sid(from);
2149 u32 tosid = task_sid(to); 2207 u32 tosid = task_sid(to);
2150 2208
2151 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2209 return avc_has_perm(&selinux_state,
2210 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2152 NULL); 2211 NULL);
2153} 2212}
2154 2213
@@ -2167,7 +2226,8 @@ static int selinux_binder_transfer_file(struct task_struct *from,
2167 ad.u.path = file->f_path; 2226 ad.u.path = file->f_path;
2168 2227
2169 if (sid != fsec->sid) { 2228 if (sid != fsec->sid) {
2170 rc = avc_has_perm(sid, fsec->sid, 2229 rc = avc_has_perm(&selinux_state,
2230 sid, fsec->sid,
2171 SECCLASS_FD, 2231 SECCLASS_FD,
2172 FD__USE, 2232 FD__USE,
2173 &ad); 2233 &ad);
@@ -2185,7 +2245,8 @@ static int selinux_binder_transfer_file(struct task_struct *from,
2185 return 0; 2245 return 0;
2186 2246
2187 isec = backing_inode_security(dentry); 2247 isec = backing_inode_security(dentry);
2188 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), 2248 return avc_has_perm(&selinux_state,
2249 sid, isec->sid, isec->sclass, file_to_av(file),
2189 &ad); 2250 &ad);
2190} 2251}
2191 2252
@@ -2196,21 +2257,25 @@ static int selinux_ptrace_access_check(struct task_struct *child,
2196 u32 csid = task_sid(child); 2257 u32 csid = task_sid(child);
2197 2258
2198 if (mode & PTRACE_MODE_READ) 2259 if (mode & PTRACE_MODE_READ)
2199 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2260 return avc_has_perm(&selinux_state,
2261 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2200 2262
2201 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2263 return avc_has_perm(&selinux_state,
2264 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2202} 2265}
2203 2266
2204static int selinux_ptrace_traceme(struct task_struct *parent) 2267static int selinux_ptrace_traceme(struct task_struct *parent)
2205{ 2268{
2206 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS, 2269 return avc_has_perm(&selinux_state,
2270 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2207 PROCESS__PTRACE, NULL); 2271 PROCESS__PTRACE, NULL);
2208} 2272}
2209 2273
2210static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2274static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2211 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2275 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2212{ 2276{
2213 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS, 2277 return avc_has_perm(&selinux_state,
2278 current_sid(), task_sid(target), SECCLASS_PROCESS,
2214 PROCESS__GETCAP, NULL); 2279 PROCESS__GETCAP, NULL);
2215} 2280}
2216 2281
@@ -2219,7 +2284,8 @@ static int selinux_capset(struct cred *new, const struct cred *old,
2219 const kernel_cap_t *inheritable, 2284 const kernel_cap_t *inheritable,
2220 const kernel_cap_t *permitted) 2285 const kernel_cap_t *permitted)
2221{ 2286{
2222 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2287 return avc_has_perm(&selinux_state,
2288 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2223 PROCESS__SETCAP, NULL); 2289 PROCESS__SETCAP, NULL);
2224} 2290}
2225 2291
@@ -2279,18 +2345,21 @@ static int selinux_syslog(int type)
2279 switch (type) { 2345 switch (type) {
2280 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2346 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2281 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2347 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2282 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2348 return avc_has_perm(&selinux_state,
2349 current_sid(), SECINITSID_KERNEL,
2283 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2350 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2284 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2351 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2285 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2352 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2286 /* Set level of messages printed to console */ 2353 /* Set level of messages printed to console */
2287 case SYSLOG_ACTION_CONSOLE_LEVEL: 2354 case SYSLOG_ACTION_CONSOLE_LEVEL:
2288 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2355 return avc_has_perm(&selinux_state,
2356 current_sid(), SECINITSID_KERNEL,
2289 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2357 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2290 NULL); 2358 NULL);
2291 } 2359 }
2292 /* All other syslog types */ 2360 /* All other syslog types */
2293 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2361 return avc_has_perm(&selinux_state,
2362 current_sid(), SECINITSID_KERNEL,
2294 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2363 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2295} 2364}
2296 2365
@@ -2351,13 +2420,14 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm,
2351 * policy allows the corresponding permission between 2420 * policy allows the corresponding permission between
2352 * the old and new contexts. 2421 * the old and new contexts.
2353 */ 2422 */
2354 if (selinux_policycap_nnp_nosuid_transition) { 2423 if (selinux_policycap_nnp_nosuid_transition()) {
2355 av = 0; 2424 av = 0;
2356 if (nnp) 2425 if (nnp)
2357 av |= PROCESS2__NNP_TRANSITION; 2426 av |= PROCESS2__NNP_TRANSITION;
2358 if (nosuid) 2427 if (nosuid)
2359 av |= PROCESS2__NOSUID_TRANSITION; 2428 av |= PROCESS2__NOSUID_TRANSITION;
2360 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2429 rc = avc_has_perm(&selinux_state,
2430 old_tsec->sid, new_tsec->sid,
2361 SECCLASS_PROCESS2, av, NULL); 2431 SECCLASS_PROCESS2, av, NULL);
2362 if (!rc) 2432 if (!rc)
2363 return 0; 2433 return 0;
@@ -2368,7 +2438,8 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm,
2368 * i.e. SIDs that are guaranteed to only be allowed a subset 2438 * i.e. SIDs that are guaranteed to only be allowed a subset
2369 * of the permissions of the current SID. 2439 * of the permissions of the current SID.
2370 */ 2440 */
2371 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); 2441 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2442 new_tsec->sid);
2372 if (!rc) 2443 if (!rc)
2373 return 0; 2444 return 0;
2374 2445
@@ -2420,8 +2491,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2420 return rc; 2491 return rc;
2421 } else { 2492 } else {
2422 /* Check for a default transition on this program. */ 2493 /* Check for a default transition on this program. */
2423 rc = security_transition_sid(old_tsec->sid, isec->sid, 2494 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2424 SECCLASS_PROCESS, NULL, 2495 isec->sid, SECCLASS_PROCESS, NULL,
2425 &new_tsec->sid); 2496 &new_tsec->sid);
2426 if (rc) 2497 if (rc)
2427 return rc; 2498 return rc;
@@ -2439,25 +2510,29 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2439 ad.u.file = bprm->file; 2510 ad.u.file = bprm->file;
2440 2511
2441 if (new_tsec->sid == old_tsec->sid) { 2512 if (new_tsec->sid == old_tsec->sid) {
2442 rc = avc_has_perm(old_tsec->sid, isec->sid, 2513 rc = avc_has_perm(&selinux_state,
2514 old_tsec->sid, isec->sid,
2443 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2515 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2444 if (rc) 2516 if (rc)
2445 return rc; 2517 return rc;
2446 } else { 2518 } else {
2447 /* Check permissions for the transition. */ 2519 /* Check permissions for the transition. */
2448 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2520 rc = avc_has_perm(&selinux_state,
2521 old_tsec->sid, new_tsec->sid,
2449 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2522 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2450 if (rc) 2523 if (rc)
2451 return rc; 2524 return rc;
2452 2525
2453 rc = avc_has_perm(new_tsec->sid, isec->sid, 2526 rc = avc_has_perm(&selinux_state,
2527 new_tsec->sid, isec->sid,
2454 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2528 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2455 if (rc) 2529 if (rc)
2456 return rc; 2530 return rc;
2457 2531
2458 /* Check for shared state */ 2532 /* Check for shared state */
2459 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2533 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2460 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2534 rc = avc_has_perm(&selinux_state,
2535 old_tsec->sid, new_tsec->sid,
2461 SECCLASS_PROCESS, PROCESS__SHARE, 2536 SECCLASS_PROCESS, PROCESS__SHARE,
2462 NULL); 2537 NULL);
2463 if (rc) 2538 if (rc)
@@ -2469,7 +2544,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2469 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2544 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2470 u32 ptsid = ptrace_parent_sid(); 2545 u32 ptsid = ptrace_parent_sid();
2471 if (ptsid != 0) { 2546 if (ptsid != 0) {
2472 rc = avc_has_perm(ptsid, new_tsec->sid, 2547 rc = avc_has_perm(&selinux_state,
2548 ptsid, new_tsec->sid,
2473 SECCLASS_PROCESS, 2549 SECCLASS_PROCESS,
2474 PROCESS__PTRACE, NULL); 2550 PROCESS__PTRACE, NULL);
2475 if (rc) 2551 if (rc)
@@ -2483,7 +2559,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2483 /* Enable secure mode for SIDs transitions unless 2559 /* Enable secure mode for SIDs transitions unless
2484 the noatsecure permission is granted between 2560 the noatsecure permission is granted between
2485 the two SIDs, i.e. ahp returns 0. */ 2561 the two SIDs, i.e. ahp returns 0. */
2486 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2562 rc = avc_has_perm(&selinux_state,
2563 old_tsec->sid, new_tsec->sid,
2487 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2564 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2488 NULL); 2565 NULL);
2489 bprm->secureexec |= !!rc; 2566 bprm->secureexec |= !!rc;
@@ -2575,7 +2652,8 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2575 * higher than the default soft limit for cases where the default is 2652 * higher than the default soft limit for cases where the default is
2576 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2653 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2577 */ 2654 */
2578 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2655 rc = avc_has_perm(&selinux_state,
2656 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2579 PROCESS__RLIMITINH, NULL); 2657 PROCESS__RLIMITINH, NULL);
2580 if (rc) { 2658 if (rc) {
2581 /* protect against do_prlimit() */ 2659 /* protect against do_prlimit() */
@@ -2615,7 +2693,8 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2615 * This must occur _after_ the task SID has been updated so that any 2693 * This must occur _after_ the task SID has been updated so that any
2616 * kill done after the flush will be checked against the new SID. 2694 * kill done after the flush will be checked against the new SID.
2617 */ 2695 */
2618 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2696 rc = avc_has_perm(&selinux_state,
2697 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2619 if (rc) { 2698 if (rc) {
2620 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) { 2699 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2621 memset(&itimer, 0, sizeof itimer); 2700 memset(&itimer, 0, sizeof itimer);
@@ -2779,7 +2858,9 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
2779 2858
2780 if (flags[i] == SBLABEL_MNT) 2859 if (flags[i] == SBLABEL_MNT)
2781 continue; 2860 continue;
2782 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 2861 rc = security_context_str_to_sid(&selinux_state,
2862 mount_options[i], &sid,
2863 GFP_KERNEL);
2783 if (rc) { 2864 if (rc) {
2784 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 2865 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2785 "(%s) failed for (dev %s, type %s) errno=%d\n", 2866 "(%s) failed for (dev %s, type %s) errno=%d\n",
@@ -2904,7 +2985,8 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2904 if (rc) 2985 if (rc)
2905 return rc; 2986 return rc;
2906 2987
2907 return security_sid_to_context(newsid, (char **)ctx, ctxlen); 2988 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2989 ctxlen);
2908} 2990}
2909 2991
2910static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2992static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
@@ -2958,14 +3040,15 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2958 isec->initialized = LABEL_INITIALIZED; 3040 isec->initialized = LABEL_INITIALIZED;
2959 } 3041 }
2960 3042
2961 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT)) 3043 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
2962 return -EOPNOTSUPP; 3044 return -EOPNOTSUPP;
2963 3045
2964 if (name) 3046 if (name)
2965 *name = XATTR_SELINUX_SUFFIX; 3047 *name = XATTR_SELINUX_SUFFIX;
2966 3048
2967 if (value && len) { 3049 if (value && len) {
2968 rc = security_sid_to_context_force(newsid, &context, &clen); 3050 rc = security_sid_to_context_force(&selinux_state, newsid,
3051 &context, &clen);
2969 if (rc) 3052 if (rc)
2970 return rc; 3053 return rc;
2971 *value = context; 3054 *value = context;
@@ -3040,7 +3123,8 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3040 if (IS_ERR(isec)) 3123 if (IS_ERR(isec))
3041 return PTR_ERR(isec); 3124 return PTR_ERR(isec);
3042 3125
3043 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad, 3126 return avc_has_perm_flags(&selinux_state,
3127 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3044 rcu ? MAY_NOT_BLOCK : 0); 3128 rcu ? MAY_NOT_BLOCK : 0);
3045} 3129}
3046 3130
@@ -3056,7 +3140,8 @@ static noinline int audit_inode_permission(struct inode *inode,
3056 ad.type = LSM_AUDIT_DATA_INODE; 3140 ad.type = LSM_AUDIT_DATA_INODE;
3057 ad.u.inode = inode; 3141 ad.u.inode = inode;
3058 3142
3059 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 3143 rc = slow_avc_audit(&selinux_state,
3144 current_sid(), isec->sid, isec->sclass, perms,
3060 audited, denied, result, &ad, flags); 3145 audited, denied, result, &ad, flags);
3061 if (rc) 3146 if (rc)
3062 return rc; 3147 return rc;
@@ -3094,7 +3179,8 @@ static int selinux_inode_permission(struct inode *inode, int mask)
3094 if (IS_ERR(isec)) 3179 if (IS_ERR(isec))
3095 return PTR_ERR(isec); 3180 return PTR_ERR(isec);
3096 3181
3097 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); 3182 rc = avc_has_perm_noaudit(&selinux_state,
3183 sid, isec->sid, isec->sclass, perms, 0, &avd);
3098 audited = avc_audit_required(perms, &avd, rc, 3184 audited = avc_audit_required(perms, &avd, rc,
3099 from_access ? FILE__AUDIT_ACCESS : 0, 3185 from_access ? FILE__AUDIT_ACCESS : 0,
3100 &denied); 3186 &denied);
@@ -3126,7 +3212,7 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3126 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3212 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3127 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3213 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3128 3214
3129 if (selinux_policycap_openperm && 3215 if (selinux_policycap_openperm() &&
3130 inode->i_sb->s_magic != SOCKFS_MAGIC && 3216 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3131 (ia_valid & ATTR_SIZE) && 3217 (ia_valid & ATTR_SIZE) &&
3132 !(ia_valid & ATTR_FILE)) 3218 !(ia_valid & ATTR_FILE))
@@ -3183,12 +3269,14 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3183 ad.u.dentry = dentry; 3269 ad.u.dentry = dentry;
3184 3270
3185 isec = backing_inode_security(dentry); 3271 isec = backing_inode_security(dentry);
3186 rc = avc_has_perm(sid, isec->sid, isec->sclass, 3272 rc = avc_has_perm(&selinux_state,
3273 sid, isec->sid, isec->sclass,
3187 FILE__RELABELFROM, &ad); 3274 FILE__RELABELFROM, &ad);
3188 if (rc) 3275 if (rc)
3189 return rc; 3276 return rc;
3190 3277
3191 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3278 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3279 GFP_KERNEL);
3192 if (rc == -EINVAL) { 3280 if (rc == -EINVAL) {
3193 if (!has_cap_mac_admin(true)) { 3281 if (!has_cap_mac_admin(true)) {
3194 struct audit_buffer *ab; 3282 struct audit_buffer *ab;
@@ -3213,22 +3301,25 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3213 3301
3214 return rc; 3302 return rc;
3215 } 3303 }
3216 rc = security_context_to_sid_force(value, size, &newsid); 3304 rc = security_context_to_sid_force(&selinux_state, value,
3305 size, &newsid);
3217 } 3306 }
3218 if (rc) 3307 if (rc)
3219 return rc; 3308 return rc;
3220 3309
3221 rc = avc_has_perm(sid, newsid, isec->sclass, 3310 rc = avc_has_perm(&selinux_state,
3311 sid, newsid, isec->sclass,
3222 FILE__RELABELTO, &ad); 3312 FILE__RELABELTO, &ad);
3223 if (rc) 3313 if (rc)
3224 return rc; 3314 return rc;
3225 3315
3226 rc = security_validate_transition(isec->sid, newsid, sid, 3316 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3227 isec->sclass); 3317 sid, isec->sclass);
3228 if (rc) 3318 if (rc)
3229 return rc; 3319 return rc;
3230 3320
3231 return avc_has_perm(newsid, 3321 return avc_has_perm(&selinux_state,
3322 newsid,
3232 sbsec->sid, 3323 sbsec->sid,
3233 SECCLASS_FILESYSTEM, 3324 SECCLASS_FILESYSTEM,
3234 FILESYSTEM__ASSOCIATE, 3325 FILESYSTEM__ASSOCIATE,
@@ -3249,7 +3340,8 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3249 return; 3340 return;
3250 } 3341 }
3251 3342
3252 rc = security_context_to_sid_force(value, size, &newsid); 3343 rc = security_context_to_sid_force(&selinux_state, value, size,
3344 &newsid);
3253 if (rc) { 3345 if (rc) {
3254 printk(KERN_ERR "SELinux: unable to map context to SID" 3346 printk(KERN_ERR "SELinux: unable to map context to SID"
3255 "for (%s, %lu), rc=%d\n", 3347 "for (%s, %lu), rc=%d\n",
@@ -3324,10 +3416,12 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void
3324 */ 3416 */
3325 isec = inode_security(inode); 3417 isec = inode_security(inode);
3326 if (has_cap_mac_admin(false)) 3418 if (has_cap_mac_admin(false))
3327 error = security_sid_to_context_force(isec->sid, &context, 3419 error = security_sid_to_context_force(&selinux_state,
3420 isec->sid, &context,
3328 &size); 3421 &size);
3329 else 3422 else
3330 error = security_sid_to_context(isec->sid, &context, &size); 3423 error = security_sid_to_context(&selinux_state, isec->sid,
3424 &context, &size);
3331 if (error) 3425 if (error)
3332 return error; 3426 return error;
3333 error = size; 3427 error = size;
@@ -3353,7 +3447,8 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3353 if (!value || !size) 3447 if (!value || !size)
3354 return -EACCES; 3448 return -EACCES;
3355 3449
3356 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3450 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3451 GFP_KERNEL);
3357 if (rc) 3452 if (rc)
3358 return rc; 3453 return rc;
3359 3454
@@ -3442,7 +3537,7 @@ static int selinux_file_permission(struct file *file, int mask)
3442 3537
3443 isec = inode_security(inode); 3538 isec = inode_security(inode);
3444 if (sid == fsec->sid && fsec->isid == isec->sid && 3539 if (sid == fsec->sid && fsec->isid == isec->sid &&
3445 fsec->pseqno == avc_policy_seqno()) 3540 fsec->pseqno == avc_policy_seqno(&selinux_state))
3446 /* No change since file_open check. */ 3541 /* No change since file_open check. */
3447 return 0; 3542 return 0;
3448 3543
@@ -3482,7 +3577,8 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file,
3482 ad.u.op->path = file->f_path; 3577 ad.u.op->path = file->f_path;
3483 3578
3484 if (ssid != fsec->sid) { 3579 if (ssid != fsec->sid) {
3485 rc = avc_has_perm(ssid, fsec->sid, 3580 rc = avc_has_perm(&selinux_state,
3581 ssid, fsec->sid,
3486 SECCLASS_FD, 3582 SECCLASS_FD,
3487 FD__USE, 3583 FD__USE,
3488 &ad); 3584 &ad);
@@ -3494,8 +3590,9 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file,
3494 return 0; 3590 return 0;
3495 3591
3496 isec = inode_security(inode); 3592 isec = inode_security(inode);
3497 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, 3593 rc = avc_has_extended_perms(&selinux_state,
3498 requested, driver, xperm, &ad); 3594 ssid, isec->sid, isec->sclass,
3595 requested, driver, xperm, &ad);
3499out: 3596out:
3500 return rc; 3597 return rc;
3501} 3598}
@@ -3563,7 +3660,8 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared
3563 * private file mapping that will also be writable. 3660 * private file mapping that will also be writable.
3564 * This has an additional check. 3661 * This has an additional check.
3565 */ 3662 */
3566 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3663 rc = avc_has_perm(&selinux_state,
3664 sid, sid, SECCLASS_PROCESS,
3567 PROCESS__EXECMEM, NULL); 3665 PROCESS__EXECMEM, NULL);
3568 if (rc) 3666 if (rc)
3569 goto error; 3667 goto error;
@@ -3593,7 +3691,8 @@ static int selinux_mmap_addr(unsigned long addr)
3593 3691
3594 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3692 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3595 u32 sid = current_sid(); 3693 u32 sid = current_sid();
3596 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3694 rc = avc_has_perm(&selinux_state,
3695 sid, sid, SECCLASS_MEMPROTECT,
3597 MEMPROTECT__MMAP_ZERO, NULL); 3696 MEMPROTECT__MMAP_ZERO, NULL);
3598 } 3697 }
3599 3698
@@ -3615,7 +3714,7 @@ static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3615 return rc; 3714 return rc;
3616 } 3715 }
3617 3716
3618 if (selinux_checkreqprot) 3717 if (selinux_state.checkreqprot)
3619 prot = reqprot; 3718 prot = reqprot;
3620 3719
3621 return file_map_prot_check(file, prot, 3720 return file_map_prot_check(file, prot,
@@ -3629,7 +3728,7 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
3629 const struct cred *cred = current_cred(); 3728 const struct cred *cred = current_cred();
3630 u32 sid = cred_sid(cred); 3729 u32 sid = cred_sid(cred);
3631 3730
3632 if (selinux_checkreqprot) 3731 if (selinux_state.checkreqprot)
3633 prot = reqprot; 3732 prot = reqprot;
3634 3733
3635 if (default_noexec && 3734 if (default_noexec &&
@@ -3637,13 +3736,15 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
3637 int rc = 0; 3736 int rc = 0;
3638 if (vma->vm_start >= vma->vm_mm->start_brk && 3737 if (vma->vm_start >= vma->vm_mm->start_brk &&
3639 vma->vm_end <= vma->vm_mm->brk) { 3738 vma->vm_end <= vma->vm_mm->brk) {
3640 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3739 rc = avc_has_perm(&selinux_state,
3740 sid, sid, SECCLASS_PROCESS,
3641 PROCESS__EXECHEAP, NULL); 3741 PROCESS__EXECHEAP, NULL);
3642 } else if (!vma->vm_file && 3742 } else if (!vma->vm_file &&
3643 ((vma->vm_start <= vma->vm_mm->start_stack && 3743 ((vma->vm_start <= vma->vm_mm->start_stack &&
3644 vma->vm_end >= vma->vm_mm->start_stack) || 3744 vma->vm_end >= vma->vm_mm->start_stack) ||
3645 vma_is_stack_for_current(vma))) { 3745 vma_is_stack_for_current(vma))) {
3646 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3746 rc = avc_has_perm(&selinux_state,
3747 sid, sid, SECCLASS_PROCESS,
3647 PROCESS__EXECSTACK, NULL); 3748 PROCESS__EXECSTACK, NULL);
3648 } else if (vma->vm_file && vma->anon_vma) { 3749 } else if (vma->vm_file && vma->anon_vma) {
3649 /* 3750 /*
@@ -3735,7 +3836,8 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
3735 else 3836 else
3736 perm = signal_to_av(signum); 3837 perm = signal_to_av(signum);
3737 3838
3738 return avc_has_perm(fsec->fown_sid, sid, 3839 return avc_has_perm(&selinux_state,
3840 fsec->fown_sid, sid,
3739 SECCLASS_PROCESS, perm, NULL); 3841 SECCLASS_PROCESS, perm, NULL);
3740} 3842}
3741 3843
@@ -3761,7 +3863,7 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
3761 * struct as its SID. 3863 * struct as its SID.
3762 */ 3864 */
3763 fsec->isid = isec->sid; 3865 fsec->isid = isec->sid;
3764 fsec->pseqno = avc_policy_seqno(); 3866 fsec->pseqno = avc_policy_seqno(&selinux_state);
3765 /* 3867 /*
3766 * Since the inode label or policy seqno may have changed 3868 * Since the inode label or policy seqno may have changed
3767 * between the selinux_inode_permission check and the saving 3869 * between the selinux_inode_permission check and the saving
@@ -3780,7 +3882,8 @@ static int selinux_task_alloc(struct task_struct *task,
3780{ 3882{
3781 u32 sid = current_sid(); 3883 u32 sid = current_sid();
3782 3884
3783 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3885 return avc_has_perm(&selinux_state,
3886 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3784} 3887}
3785 3888
3786/* 3889/*
@@ -3859,7 +3962,8 @@ static int selinux_kernel_act_as(struct cred *new, u32 secid)
3859 u32 sid = current_sid(); 3962 u32 sid = current_sid();
3860 int ret; 3963 int ret;
3861 3964
3862 ret = avc_has_perm(sid, secid, 3965 ret = avc_has_perm(&selinux_state,
3966 sid, secid,
3863 SECCLASS_KERNEL_SERVICE, 3967 SECCLASS_KERNEL_SERVICE,
3864 KERNEL_SERVICE__USE_AS_OVERRIDE, 3968 KERNEL_SERVICE__USE_AS_OVERRIDE,
3865 NULL); 3969 NULL);
@@ -3883,7 +3987,8 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3883 u32 sid = current_sid(); 3987 u32 sid = current_sid();
3884 int ret; 3988 int ret;
3885 3989
3886 ret = avc_has_perm(sid, isec->sid, 3990 ret = avc_has_perm(&selinux_state,
3991 sid, isec->sid,
3887 SECCLASS_KERNEL_SERVICE, 3992 SECCLASS_KERNEL_SERVICE,
3888 KERNEL_SERVICE__CREATE_FILES_AS, 3993 KERNEL_SERVICE__CREATE_FILES_AS,
3889 NULL); 3994 NULL);
@@ -3900,7 +4005,8 @@ static int selinux_kernel_module_request(char *kmod_name)
3900 ad.type = LSM_AUDIT_DATA_KMOD; 4005 ad.type = LSM_AUDIT_DATA_KMOD;
3901 ad.u.kmod_name = kmod_name; 4006 ad.u.kmod_name = kmod_name;
3902 4007
3903 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4008 return avc_has_perm(&selinux_state,
4009 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3904 SYSTEM__MODULE_REQUEST, &ad); 4010 SYSTEM__MODULE_REQUEST, &ad);
3905} 4011}
3906 4012
@@ -3914,7 +4020,8 @@ static int selinux_kernel_module_from_file(struct file *file)
3914 4020
3915 /* init_module */ 4021 /* init_module */
3916 if (file == NULL) 4022 if (file == NULL)
3917 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, 4023 return avc_has_perm(&selinux_state,
4024 sid, sid, SECCLASS_SYSTEM,
3918 SYSTEM__MODULE_LOAD, NULL); 4025 SYSTEM__MODULE_LOAD, NULL);
3919 4026
3920 /* finit_module */ 4027 /* finit_module */
@@ -3924,13 +4031,15 @@ static int selinux_kernel_module_from_file(struct file *file)
3924 4031
3925 fsec = file->f_security; 4032 fsec = file->f_security;
3926 if (sid != fsec->sid) { 4033 if (sid != fsec->sid) {
3927 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4034 rc = avc_has_perm(&selinux_state,
4035 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3928 if (rc) 4036 if (rc)
3929 return rc; 4037 return rc;
3930 } 4038 }
3931 4039
3932 isec = inode_security(file_inode(file)); 4040 isec = inode_security(file_inode(file));
3933 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, 4041 return avc_has_perm(&selinux_state,
4042 sid, isec->sid, SECCLASS_SYSTEM,
3934 SYSTEM__MODULE_LOAD, &ad); 4043 SYSTEM__MODULE_LOAD, &ad);
3935} 4044}
3936 4045
@@ -3952,19 +4061,22 @@ static int selinux_kernel_read_file(struct file *file,
3952 4061
3953static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4062static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3954{ 4063{
3955 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4064 return avc_has_perm(&selinux_state,
4065 current_sid(), task_sid(p), SECCLASS_PROCESS,
3956 PROCESS__SETPGID, NULL); 4066 PROCESS__SETPGID, NULL);
3957} 4067}
3958 4068
3959static int selinux_task_getpgid(struct task_struct *p) 4069static int selinux_task_getpgid(struct task_struct *p)
3960{ 4070{
3961 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4071 return avc_has_perm(&selinux_state,
4072 current_sid(), task_sid(p), SECCLASS_PROCESS,
3962 PROCESS__GETPGID, NULL); 4073 PROCESS__GETPGID, NULL);
3963} 4074}
3964 4075
3965static int selinux_task_getsid(struct task_struct *p) 4076static int selinux_task_getsid(struct task_struct *p)
3966{ 4077{
3967 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4078 return avc_has_perm(&selinux_state,
4079 current_sid(), task_sid(p), SECCLASS_PROCESS,
3968 PROCESS__GETSESSION, NULL); 4080 PROCESS__GETSESSION, NULL);
3969} 4081}
3970 4082
@@ -3975,19 +4087,22 @@ static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3975 4087
3976static int selinux_task_setnice(struct task_struct *p, int nice) 4088static int selinux_task_setnice(struct task_struct *p, int nice)
3977{ 4089{
3978 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4090 return avc_has_perm(&selinux_state,
4091 current_sid(), task_sid(p), SECCLASS_PROCESS,
3979 PROCESS__SETSCHED, NULL); 4092 PROCESS__SETSCHED, NULL);
3980} 4093}
3981 4094
3982static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4095static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3983{ 4096{
3984 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4097 return avc_has_perm(&selinux_state,
4098 current_sid(), task_sid(p), SECCLASS_PROCESS,
3985 PROCESS__SETSCHED, NULL); 4099 PROCESS__SETSCHED, NULL);
3986} 4100}
3987 4101
3988static int selinux_task_getioprio(struct task_struct *p) 4102static int selinux_task_getioprio(struct task_struct *p)
3989{ 4103{
3990 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4104 return avc_has_perm(&selinux_state,
4105 current_sid(), task_sid(p), SECCLASS_PROCESS,
3991 PROCESS__GETSCHED, NULL); 4106 PROCESS__GETSCHED, NULL);
3992} 4107}
3993 4108
@@ -4002,7 +4117,8 @@ static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcre
4002 av |= PROCESS__SETRLIMIT; 4117 av |= PROCESS__SETRLIMIT;
4003 if (flags & LSM_PRLIMIT_READ) 4118 if (flags & LSM_PRLIMIT_READ)
4004 av |= PROCESS__GETRLIMIT; 4119 av |= PROCESS__GETRLIMIT;
4005 return avc_has_perm(cred_sid(cred), cred_sid(tcred), 4120 return avc_has_perm(&selinux_state,
4121 cred_sid(cred), cred_sid(tcred),
4006 SECCLASS_PROCESS, av, NULL); 4122 SECCLASS_PROCESS, av, NULL);
4007} 4123}
4008 4124
@@ -4016,7 +4132,8 @@ static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4016 later be used as a safe reset point for the soft limit 4132 later be used as a safe reset point for the soft limit
4017 upon context transitions. See selinux_bprm_committing_creds. */ 4133 upon context transitions. See selinux_bprm_committing_creds. */
4018 if (old_rlim->rlim_max != new_rlim->rlim_max) 4134 if (old_rlim->rlim_max != new_rlim->rlim_max)
4019 return avc_has_perm(current_sid(), task_sid(p), 4135 return avc_has_perm(&selinux_state,
4136 current_sid(), task_sid(p),
4020 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4137 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4021 4138
4022 return 0; 4139 return 0;
@@ -4024,19 +4141,22 @@ static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4024 4141
4025static int selinux_task_setscheduler(struct task_struct *p) 4142static int selinux_task_setscheduler(struct task_struct *p)
4026{ 4143{
4027 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4144 return avc_has_perm(&selinux_state,
4145 current_sid(), task_sid(p), SECCLASS_PROCESS,
4028 PROCESS__SETSCHED, NULL); 4146 PROCESS__SETSCHED, NULL);
4029} 4147}
4030 4148
4031static int selinux_task_getscheduler(struct task_struct *p) 4149static int selinux_task_getscheduler(struct task_struct *p)
4032{ 4150{
4033 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4151 return avc_has_perm(&selinux_state,
4152 current_sid(), task_sid(p), SECCLASS_PROCESS,
4034 PROCESS__GETSCHED, NULL); 4153 PROCESS__GETSCHED, NULL);
4035} 4154}
4036 4155
4037static int selinux_task_movememory(struct task_struct *p) 4156static int selinux_task_movememory(struct task_struct *p)
4038{ 4157{
4039 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS, 4158 return avc_has_perm(&selinux_state,
4159 current_sid(), task_sid(p), SECCLASS_PROCESS,
4040 PROCESS__SETSCHED, NULL); 4160 PROCESS__SETSCHED, NULL);
4041} 4161}
4042 4162
@@ -4054,7 +4174,8 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4054 secid = current_sid(); 4174 secid = current_sid();
4055 else 4175 else
4056 secid = cred_sid(cred); 4176 secid = cred_sid(cred);
4057 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); 4177 return avc_has_perm(&selinux_state,
4178 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4058} 4179}
4059 4180
4060static void selinux_task_to_inode(struct task_struct *p, 4181static void selinux_task_to_inode(struct task_struct *p,
@@ -4142,6 +4263,23 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4142 break; 4263 break;
4143 } 4264 }
4144 4265
4266#if IS_ENABLED(CONFIG_IP_SCTP)
4267 case IPPROTO_SCTP: {
4268 struct sctphdr _sctph, *sh;
4269
4270 if (ntohs(ih->frag_off) & IP_OFFSET)
4271 break;
4272
4273 offset += ihlen;
4274 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4275 if (sh == NULL)
4276 break;
4277
4278 ad->u.net->sport = sh->source;
4279 ad->u.net->dport = sh->dest;
4280 break;
4281 }
4282#endif
4145 default: 4283 default:
4146 break; 4284 break;
4147 } 4285 }
@@ -4215,6 +4353,19 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4215 break; 4353 break;
4216 } 4354 }
4217 4355
4356#if IS_ENABLED(CONFIG_IP_SCTP)
4357 case IPPROTO_SCTP: {
4358 struct sctphdr _sctph, *sh;
4359
4360 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4361 if (sh == NULL)
4362 break;
4363
4364 ad->u.net->sport = sh->source;
4365 ad->u.net->dport = sh->dest;
4366 break;
4367 }
4368#endif
4218 /* includes fragments */ 4369 /* includes fragments */
4219 default: 4370 default:
4220 break; 4371 break;
@@ -4295,7 +4446,8 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4295 if (unlikely(err)) 4446 if (unlikely(err))
4296 return -EACCES; 4447 return -EACCES;
4297 4448
4298 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 4449 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4450 nlbl_type, xfrm_sid, sid);
4299 if (unlikely(err)) { 4451 if (unlikely(err)) {
4300 printk(KERN_WARNING 4452 printk(KERN_WARNING
4301 "SELinux: failure in selinux_skb_peerlbl_sid()," 4453 "SELinux: failure in selinux_skb_peerlbl_sid(),"
@@ -4323,7 +4475,8 @@ static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4323 int err = 0; 4475 int err = 0;
4324 4476
4325 if (skb_sid != SECSID_NULL) 4477 if (skb_sid != SECSID_NULL)
4326 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid); 4478 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4479 conn_sid);
4327 else 4480 else
4328 *conn_sid = sk_sid; 4481 *conn_sid = sk_sid;
4329 4482
@@ -4340,8 +4493,8 @@ static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4340 return 0; 4493 return 0;
4341 } 4494 }
4342 4495
4343 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL, 4496 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4344 socksid); 4497 secclass, NULL, socksid);
4345} 4498}
4346 4499
4347static int sock_has_perm(struct sock *sk, u32 perms) 4500static int sock_has_perm(struct sock *sk, u32 perms)
@@ -4357,7 +4510,8 @@ static int sock_has_perm(struct sock *sk, u32 perms)
4357 ad.u.net = &net; 4510 ad.u.net = &net;
4358 ad.u.net->sk = sk; 4511 ad.u.net->sk = sk;
4359 4512
4360 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4513 return avc_has_perm(&selinux_state,
4514 current_sid(), sksec->sid, sksec->sclass, perms,
4361 &ad); 4515 &ad);
4362} 4516}
4363 4517
@@ -4377,7 +4531,8 @@ static int selinux_socket_create(int family, int type,
4377 if (rc) 4531 if (rc)
4378 return rc; 4532 return rc;
4379 4533
4380 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4534 return avc_has_perm(&selinux_state,
4535 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4381} 4536}
4382 4537
4383static int selinux_socket_post_create(struct socket *sock, int family, 4538static int selinux_socket_post_create(struct socket *sock, int family,
@@ -4404,6 +4559,10 @@ static int selinux_socket_post_create(struct socket *sock, int family,
4404 sksec = sock->sk->sk_security; 4559 sksec = sock->sk->sk_security;
4405 sksec->sclass = sclass; 4560 sksec->sclass = sclass;
4406 sksec->sid = sid; 4561 sksec->sid = sid;
4562 /* Allows detection of the first association on this socket */
4563 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4564 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4565
4407 err = selinux_netlbl_socket_post_create(sock->sk, family); 4566 err = selinux_netlbl_socket_post_create(sock->sk, family);
4408 } 4567 }
4409 4568
@@ -4424,11 +4583,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4424 if (err) 4583 if (err)
4425 goto out; 4584 goto out;
4426 4585
4427 /* 4586 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4428 * If PF_INET or PF_INET6, check name_bind permission for the port.
4429 * Multiple address binding for SCTP is not supported yet: we just
4430 * check the first address now.
4431 */
4432 family = sk->sk_family; 4587 family = sk->sk_family;
4433 if (family == PF_INET || family == PF_INET6) { 4588 if (family == PF_INET || family == PF_INET6) {
4434 char *addrp; 4589 char *addrp;
@@ -4440,22 +4595,35 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4440 unsigned short snum; 4595 unsigned short snum;
4441 u32 sid, node_perm; 4596 u32 sid, node_perm;
4442 4597
4443 if (family == PF_INET) { 4598 /*
4444 if (addrlen < sizeof(struct sockaddr_in)) { 4599 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4445 err = -EINVAL; 4600 * that validates multiple binding addresses. Because of this
4446 goto out; 4601 * need to check address->sa_family as it is possible to have
4447 } 4602 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4603 */
4604 switch (address->sa_family) {
4605 case AF_INET:
4606 if (addrlen < sizeof(struct sockaddr_in))
4607 return -EINVAL;
4448 addr4 = (struct sockaddr_in *)address; 4608 addr4 = (struct sockaddr_in *)address;
4449 snum = ntohs(addr4->sin_port); 4609 snum = ntohs(addr4->sin_port);
4450 addrp = (char *)&addr4->sin_addr.s_addr; 4610 addrp = (char *)&addr4->sin_addr.s_addr;
4451 } else { 4611 break;
4452 if (addrlen < SIN6_LEN_RFC2133) { 4612 case AF_INET6:
4453 err = -EINVAL; 4613 if (addrlen < SIN6_LEN_RFC2133)
4454 goto out; 4614 return -EINVAL;
4455 }
4456 addr6 = (struct sockaddr_in6 *)address; 4615 addr6 = (struct sockaddr_in6 *)address;
4457 snum = ntohs(addr6->sin6_port); 4616 snum = ntohs(addr6->sin6_port);
4458 addrp = (char *)&addr6->sin6_addr.s6_addr; 4617 addrp = (char *)&addr6->sin6_addr.s6_addr;
4618 break;
4619 default:
4620 /* Note that SCTP services expect -EINVAL, whereas
4621 * others expect -EAFNOSUPPORT.
4622 */
4623 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4624 return -EINVAL;
4625 else
4626 return -EAFNOSUPPORT;
4459 } 4627 }
4460 4628
4461 if (snum) { 4629 if (snum) {
@@ -4473,7 +4641,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4473 ad.u.net = &net; 4641 ad.u.net = &net;
4474 ad.u.net->sport = htons(snum); 4642 ad.u.net->sport = htons(snum);
4475 ad.u.net->family = family; 4643 ad.u.net->family = family;
4476 err = avc_has_perm(sksec->sid, sid, 4644 err = avc_has_perm(&selinux_state,
4645 sksec->sid, sid,
4477 sksec->sclass, 4646 sksec->sclass,
4478 SOCKET__NAME_BIND, &ad); 4647 SOCKET__NAME_BIND, &ad);
4479 if (err) 4648 if (err)
@@ -4494,6 +4663,10 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4494 node_perm = DCCP_SOCKET__NODE_BIND; 4663 node_perm = DCCP_SOCKET__NODE_BIND;
4495 break; 4664 break;
4496 4665
4666 case SECCLASS_SCTP_SOCKET:
4667 node_perm = SCTP_SOCKET__NODE_BIND;
4668 break;
4669
4497 default: 4670 default:
4498 node_perm = RAWIP_SOCKET__NODE_BIND; 4671 node_perm = RAWIP_SOCKET__NODE_BIND;
4499 break; 4672 break;
@@ -4508,12 +4681,13 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
4508 ad.u.net->sport = htons(snum); 4681 ad.u.net->sport = htons(snum);
4509 ad.u.net->family = family; 4682 ad.u.net->family = family;
4510 4683
4511 if (family == PF_INET) 4684 if (address->sa_family == AF_INET)
4512 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4685 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4513 else 4686 else
4514 ad.u.net->v6info.saddr = addr6->sin6_addr; 4687 ad.u.net->v6info.saddr = addr6->sin6_addr;
4515 4688
4516 err = avc_has_perm(sksec->sid, sid, 4689 err = avc_has_perm(&selinux_state,
4690 sksec->sid, sid,
4517 sksec->sclass, node_perm, &ad); 4691 sksec->sclass, node_perm, &ad);
4518 if (err) 4692 if (err)
4519 goto out; 4693 goto out;
@@ -4522,7 +4696,11 @@ out:
4522 return err; 4696 return err;
4523} 4697}
4524 4698
4525static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 4699/* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4700 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.txt
4701 */
4702static int selinux_socket_connect_helper(struct socket *sock,
4703 struct sockaddr *address, int addrlen)
4526{ 4704{
4527 struct sock *sk = sock->sk; 4705 struct sock *sk = sock->sk;
4528 struct sk_security_struct *sksec = sk->sk_security; 4706 struct sk_security_struct *sksec = sk->sk_security;
@@ -4533,10 +4711,12 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
4533 return err; 4711 return err;
4534 4712
4535 /* 4713 /*
4536 * If a TCP or DCCP socket, check name_connect permission for the port. 4714 * If a TCP, DCCP or SCTP socket, check name_connect permission
4715 * for the port.
4537 */ 4716 */
4538 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4717 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4539 sksec->sclass == SECCLASS_DCCP_SOCKET) { 4718 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4719 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4540 struct common_audit_data ad; 4720 struct common_audit_data ad;
4541 struct lsm_network_audit net = {0,}; 4721 struct lsm_network_audit net = {0,};
4542 struct sockaddr_in *addr4 = NULL; 4722 struct sockaddr_in *addr4 = NULL;
@@ -4544,38 +4724,75 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
4544 unsigned short snum; 4724 unsigned short snum;
4545 u32 sid, perm; 4725 u32 sid, perm;
4546 4726
4547 if (sk->sk_family == PF_INET) { 4727 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4728 * that validates multiple connect addresses. Because of this
4729 * need to check address->sa_family as it is possible to have
4730 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4731 */
4732 switch (address->sa_family) {
4733 case AF_INET:
4548 addr4 = (struct sockaddr_in *)address; 4734 addr4 = (struct sockaddr_in *)address;
4549 if (addrlen < sizeof(struct sockaddr_in)) 4735 if (addrlen < sizeof(struct sockaddr_in))
4550 return -EINVAL; 4736 return -EINVAL;
4551 snum = ntohs(addr4->sin_port); 4737 snum = ntohs(addr4->sin_port);
4552 } else { 4738 break;
4739 case AF_INET6:
4553 addr6 = (struct sockaddr_in6 *)address; 4740 addr6 = (struct sockaddr_in6 *)address;
4554 if (addrlen < SIN6_LEN_RFC2133) 4741 if (addrlen < SIN6_LEN_RFC2133)
4555 return -EINVAL; 4742 return -EINVAL;
4556 snum = ntohs(addr6->sin6_port); 4743 snum = ntohs(addr6->sin6_port);
4744 break;
4745 default:
4746 /* Note that SCTP services expect -EINVAL, whereas
4747 * others expect -EAFNOSUPPORT.
4748 */
4749 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4750 return -EINVAL;
4751 else
4752 return -EAFNOSUPPORT;
4557 } 4753 }
4558 4754
4559 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4755 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4560 if (err) 4756 if (err)
4561 goto out; 4757 return err;
4562 4758
4563 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ? 4759 switch (sksec->sclass) {
4564 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 4760 case SECCLASS_TCP_SOCKET:
4761 perm = TCP_SOCKET__NAME_CONNECT;
4762 break;
4763 case SECCLASS_DCCP_SOCKET:
4764 perm = DCCP_SOCKET__NAME_CONNECT;
4765 break;
4766 case SECCLASS_SCTP_SOCKET:
4767 perm = SCTP_SOCKET__NAME_CONNECT;
4768 break;
4769 }
4565 4770
4566 ad.type = LSM_AUDIT_DATA_NET; 4771 ad.type = LSM_AUDIT_DATA_NET;
4567 ad.u.net = &net; 4772 ad.u.net = &net;
4568 ad.u.net->dport = htons(snum); 4773 ad.u.net->dport = htons(snum);
4569 ad.u.net->family = sk->sk_family; 4774 ad.u.net->family = sk->sk_family;
4570 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 4775 err = avc_has_perm(&selinux_state,
4776 sksec->sid, sid, sksec->sclass, perm, &ad);
4571 if (err) 4777 if (err)
4572 goto out; 4778 return err;
4573 } 4779 }
4574 4780
4575 err = selinux_netlbl_socket_connect(sk, address); 4781 return 0;
4782}
4576 4783
4577out: 4784/* Supports connect(2), see comments in selinux_socket_connect_helper() */
4578 return err; 4785static int selinux_socket_connect(struct socket *sock,
4786 struct sockaddr *address, int addrlen)
4787{
4788 int err;
4789 struct sock *sk = sock->sk;
4790
4791 err = selinux_socket_connect_helper(sock, address, addrlen);
4792 if (err)
4793 return err;
4794
4795 return selinux_netlbl_socket_connect(sk, address);
4579} 4796}
4580 4797
4581static int selinux_socket_listen(struct socket *sock, int backlog) 4798static int selinux_socket_listen(struct socket *sock, int backlog)
@@ -4668,7 +4885,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
4668 ad.u.net = &net; 4885 ad.u.net = &net;
4669 ad.u.net->sk = other; 4886 ad.u.net->sk = other;
4670 4887
4671 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 4888 err = avc_has_perm(&selinux_state,
4889 sksec_sock->sid, sksec_other->sid,
4672 sksec_other->sclass, 4890 sksec_other->sclass,
4673 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4891 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4674 if (err) 4892 if (err)
@@ -4676,8 +4894,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
4676 4894
4677 /* server child socket */ 4895 /* server child socket */
4678 sksec_new->peer_sid = sksec_sock->sid; 4896 sksec_new->peer_sid = sksec_sock->sid;
4679 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid, 4897 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4680 &sksec_new->sid); 4898 sksec_sock->sid, &sksec_new->sid);
4681 if (err) 4899 if (err)
4682 return err; 4900 return err;
4683 4901
@@ -4699,7 +4917,8 @@ static int selinux_socket_unix_may_send(struct socket *sock,
4699 ad.u.net = &net; 4917 ad.u.net = &net;
4700 ad.u.net->sk = other->sk; 4918 ad.u.net->sk = other->sk;
4701 4919
4702 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4920 return avc_has_perm(&selinux_state,
4921 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4703 &ad); 4922 &ad);
4704} 4923}
4705 4924
@@ -4714,7 +4933,8 @@ static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4714 err = sel_netif_sid(ns, ifindex, &if_sid); 4933 err = sel_netif_sid(ns, ifindex, &if_sid);
4715 if (err) 4934 if (err)
4716 return err; 4935 return err;
4717 err = avc_has_perm(peer_sid, if_sid, 4936 err = avc_has_perm(&selinux_state,
4937 peer_sid, if_sid,
4718 SECCLASS_NETIF, NETIF__INGRESS, ad); 4938 SECCLASS_NETIF, NETIF__INGRESS, ad);
4719 if (err) 4939 if (err)
4720 return err; 4940 return err;
@@ -4722,7 +4942,8 @@ static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4722 err = sel_netnode_sid(addrp, family, &node_sid); 4942 err = sel_netnode_sid(addrp, family, &node_sid);
4723 if (err) 4943 if (err)
4724 return err; 4944 return err;
4725 return avc_has_perm(peer_sid, node_sid, 4945 return avc_has_perm(&selinux_state,
4946 peer_sid, node_sid,
4726 SECCLASS_NODE, NODE__RECVFROM, ad); 4947 SECCLASS_NODE, NODE__RECVFROM, ad);
4727} 4948}
4728 4949
@@ -4745,7 +4966,8 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4745 return err; 4966 return err;
4746 4967
4747 if (selinux_secmark_enabled()) { 4968 if (selinux_secmark_enabled()) {
4748 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4969 err = avc_has_perm(&selinux_state,
4970 sk_sid, skb->secmark, SECCLASS_PACKET,
4749 PACKET__RECV, &ad); 4971 PACKET__RECV, &ad);
4750 if (err) 4972 if (err)
4751 return err; 4973 return err;
@@ -4782,7 +5004,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4782 * to the selinux_sock_rcv_skb_compat() function to deal with the 5004 * to the selinux_sock_rcv_skb_compat() function to deal with the
4783 * special handling. We do this in an attempt to keep this function 5005 * special handling. We do this in an attempt to keep this function
4784 * as fast and as clean as possible. */ 5006 * as fast and as clean as possible. */
4785 if (!selinux_policycap_netpeer) 5007 if (!selinux_policycap_netpeer())
4786 return selinux_sock_rcv_skb_compat(sk, skb, family); 5008 return selinux_sock_rcv_skb_compat(sk, skb, family);
4787 5009
4788 secmark_active = selinux_secmark_enabled(); 5010 secmark_active = selinux_secmark_enabled();
@@ -4810,7 +5032,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4810 selinux_netlbl_err(skb, family, err, 0); 5032 selinux_netlbl_err(skb, family, err, 0);
4811 return err; 5033 return err;
4812 } 5034 }
4813 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 5035 err = avc_has_perm(&selinux_state,
5036 sk_sid, peer_sid, SECCLASS_PEER,
4814 PEER__RECV, &ad); 5037 PEER__RECV, &ad);
4815 if (err) { 5038 if (err) {
4816 selinux_netlbl_err(skb, family, err, 0); 5039 selinux_netlbl_err(skb, family, err, 0);
@@ -4819,7 +5042,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4819 } 5042 }
4820 5043
4821 if (secmark_active) { 5044 if (secmark_active) {
4822 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5045 err = avc_has_perm(&selinux_state,
5046 sk_sid, skb->secmark, SECCLASS_PACKET,
4823 PACKET__RECV, &ad); 5047 PACKET__RECV, &ad);
4824 if (err) 5048 if (err)
4825 return err; 5049 return err;
@@ -4838,12 +5062,14 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *op
4838 u32 peer_sid = SECSID_NULL; 5062 u32 peer_sid = SECSID_NULL;
4839 5063
4840 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5064 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4841 sksec->sclass == SECCLASS_TCP_SOCKET) 5065 sksec->sclass == SECCLASS_TCP_SOCKET ||
5066 sksec->sclass == SECCLASS_SCTP_SOCKET)
4842 peer_sid = sksec->peer_sid; 5067 peer_sid = sksec->peer_sid;
4843 if (peer_sid == SECSID_NULL) 5068 if (peer_sid == SECSID_NULL)
4844 return -ENOPROTOOPT; 5069 return -ENOPROTOOPT;
4845 5070
4846 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 5071 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5072 &scontext_len);
4847 if (err) 5073 if (err)
4848 return err; 5074 return err;
4849 5075
@@ -4951,6 +5177,172 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4951 sksec->sclass = isec->sclass; 5177 sksec->sclass = isec->sclass;
4952} 5178}
4953 5179
5180/* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5181 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5182 * already present).
5183 */
5184static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5185 struct sk_buff *skb)
5186{
5187 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5188 struct common_audit_data ad;
5189 struct lsm_network_audit net = {0,};
5190 u8 peerlbl_active;
5191 u32 peer_sid = SECINITSID_UNLABELED;
5192 u32 conn_sid;
5193 int err = 0;
5194
5195 if (!selinux_policycap_extsockclass())
5196 return 0;
5197
5198 peerlbl_active = selinux_peerlbl_enabled();
5199
5200 if (peerlbl_active) {
5201 /* This will return peer_sid = SECSID_NULL if there are
5202 * no peer labels, see security_net_peersid_resolve().
5203 */
5204 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5205 &peer_sid);
5206 if (err)
5207 return err;
5208
5209 if (peer_sid == SECSID_NULL)
5210 peer_sid = SECINITSID_UNLABELED;
5211 }
5212
5213 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5214 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5215
5216 /* Here as first association on socket. As the peer SID
5217 * was allowed by peer recv (and the netif/node checks),
5218 * then it is approved by policy and used as the primary
5219 * peer SID for getpeercon(3).
5220 */
5221 sksec->peer_sid = peer_sid;
5222 } else if (sksec->peer_sid != peer_sid) {
5223 /* Other association peer SIDs are checked to enforce
5224 * consistency among the peer SIDs.
5225 */
5226 ad.type = LSM_AUDIT_DATA_NET;
5227 ad.u.net = &net;
5228 ad.u.net->sk = ep->base.sk;
5229 err = avc_has_perm(&selinux_state,
5230 sksec->peer_sid, peer_sid, sksec->sclass,
5231 SCTP_SOCKET__ASSOCIATION, &ad);
5232 if (err)
5233 return err;
5234 }
5235
5236 /* Compute the MLS component for the connection and store
5237 * the information in ep. This will be used by SCTP TCP type
5238 * sockets and peeled off connections as they cause a new
5239 * socket to be generated. selinux_sctp_sk_clone() will then
5240 * plug this into the new socket.
5241 */
5242 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5243 if (err)
5244 return err;
5245
5246 ep->secid = conn_sid;
5247 ep->peer_secid = peer_sid;
5248
5249 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5250 return selinux_netlbl_sctp_assoc_request(ep, skb);
5251}
5252
5253/* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5254 * based on their @optname.
5255 */
5256static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5257 struct sockaddr *address,
5258 int addrlen)
5259{
5260 int len, err = 0, walk_size = 0;
5261 void *addr_buf;
5262 struct sockaddr *addr;
5263 struct socket *sock;
5264
5265 if (!selinux_policycap_extsockclass())
5266 return 0;
5267
5268 /* Process one or more addresses that may be IPv4 or IPv6 */
5269 sock = sk->sk_socket;
5270 addr_buf = address;
5271
5272 while (walk_size < addrlen) {
5273 addr = addr_buf;
5274 switch (addr->sa_family) {
5275 case AF_INET:
5276 len = sizeof(struct sockaddr_in);
5277 break;
5278 case AF_INET6:
5279 len = sizeof(struct sockaddr_in6);
5280 break;
5281 default:
5282 return -EAFNOSUPPORT;
5283 }
5284
5285 err = -EINVAL;
5286 switch (optname) {
5287 /* Bind checks */
5288 case SCTP_PRIMARY_ADDR:
5289 case SCTP_SET_PEER_PRIMARY_ADDR:
5290 case SCTP_SOCKOPT_BINDX_ADD:
5291 err = selinux_socket_bind(sock, addr, len);
5292 break;
5293 /* Connect checks */
5294 case SCTP_SOCKOPT_CONNECTX:
5295 case SCTP_PARAM_SET_PRIMARY:
5296 case SCTP_PARAM_ADD_IP:
5297 case SCTP_SENDMSG_CONNECT:
5298 err = selinux_socket_connect_helper(sock, addr, len);
5299 if (err)
5300 return err;
5301
5302 /* As selinux_sctp_bind_connect() is called by the
5303 * SCTP protocol layer, the socket is already locked,
5304 * therefore selinux_netlbl_socket_connect_locked() is
5305 * is called here. The situations handled are:
5306 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5307 * whenever a new IP address is added or when a new
5308 * primary address is selected.
5309 * Note that an SCTP connect(2) call happens before
5310 * the SCTP protocol layer and is handled via
5311 * selinux_socket_connect().
5312 */
5313 err = selinux_netlbl_socket_connect_locked(sk, addr);
5314 break;
5315 }
5316
5317 if (err)
5318 return err;
5319
5320 addr_buf += len;
5321 walk_size += len;
5322 }
5323
5324 return 0;
5325}
5326
5327/* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5328static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5329 struct sock *newsk)
5330{
5331 struct sk_security_struct *sksec = sk->sk_security;
5332 struct sk_security_struct *newsksec = newsk->sk_security;
5333
5334 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5335 * the non-sctp clone version.
5336 */
5337 if (!selinux_policycap_extsockclass())
5338 return selinux_sk_clone_security(sk, newsk);
5339
5340 newsksec->sid = ep->secid;
5341 newsksec->peer_sid = ep->peer_secid;
5342 newsksec->sclass = sksec->sclass;
5343 selinux_netlbl_sctp_sk_clone(sk, newsk);
5344}
5345
4954static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 5346static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4955 struct request_sock *req) 5347 struct request_sock *req)
4956{ 5348{
@@ -5009,7 +5401,9 @@ static int selinux_secmark_relabel_packet(u32 sid)
5009 __tsec = current_security(); 5401 __tsec = current_security();
5010 tsid = __tsec->sid; 5402 tsid = __tsec->sid;
5011 5403
5012 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL); 5404 return avc_has_perm(&selinux_state,
5405 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5406 NULL);
5013} 5407}
5014 5408
5015static void selinux_secmark_refcount_inc(void) 5409static void selinux_secmark_refcount_inc(void)
@@ -5057,7 +5451,8 @@ static int selinux_tun_dev_create(void)
5057 * connections unlike traditional sockets - check the TUN driver to 5451 * connections unlike traditional sockets - check the TUN driver to
5058 * get a better understanding of why this socket is special */ 5452 * get a better understanding of why this socket is special */
5059 5453
5060 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5454 return avc_has_perm(&selinux_state,
5455 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5061 NULL); 5456 NULL);
5062} 5457}
5063 5458
@@ -5065,7 +5460,8 @@ static int selinux_tun_dev_attach_queue(void *security)
5065{ 5460{
5066 struct tun_security_struct *tunsec = security; 5461 struct tun_security_struct *tunsec = security;
5067 5462
5068 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5463 return avc_has_perm(&selinux_state,
5464 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5069 TUN_SOCKET__ATTACH_QUEUE, NULL); 5465 TUN_SOCKET__ATTACH_QUEUE, NULL);
5070} 5466}
5071 5467
@@ -5093,11 +5489,13 @@ static int selinux_tun_dev_open(void *security)
5093 u32 sid = current_sid(); 5489 u32 sid = current_sid();
5094 int err; 5490 int err;
5095 5491
5096 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5492 err = avc_has_perm(&selinux_state,
5493 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5097 TUN_SOCKET__RELABELFROM, NULL); 5494 TUN_SOCKET__RELABELFROM, NULL);
5098 if (err) 5495 if (err)
5099 return err; 5496 return err;
5100 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 5497 err = avc_has_perm(&selinux_state,
5498 sid, sid, SECCLASS_TUN_SOCKET,
5101 TUN_SOCKET__RELABELTO, NULL); 5499 TUN_SOCKET__RELABELTO, NULL);
5102 if (err) 5500 if (err)
5103 return err; 5501 return err;
@@ -5128,7 +5526,8 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5128 sk->sk_protocol, nlh->nlmsg_type, 5526 sk->sk_protocol, nlh->nlmsg_type,
5129 secclass_map[sksec->sclass - 1].name, 5527 secclass_map[sksec->sclass - 1].name,
5130 task_pid_nr(current), current->comm); 5528 task_pid_nr(current), current->comm);
5131 if (!selinux_enforcing || security_get_allow_unknown()) 5529 if (!enforcing_enabled(&selinux_state) ||
5530 security_get_allow_unknown(&selinux_state))
5132 err = 0; 5531 err = 0;
5133 } 5532 }
5134 5533
@@ -5158,7 +5557,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb,
5158 u8 netlbl_active; 5557 u8 netlbl_active;
5159 u8 peerlbl_active; 5558 u8 peerlbl_active;
5160 5559
5161 if (!selinux_policycap_netpeer) 5560 if (!selinux_policycap_netpeer())
5162 return NF_ACCEPT; 5561 return NF_ACCEPT;
5163 5562
5164 secmark_active = selinux_secmark_enabled(); 5563 secmark_active = selinux_secmark_enabled();
@@ -5187,7 +5586,8 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb,
5187 } 5586 }
5188 5587
5189 if (secmark_active) 5588 if (secmark_active)
5190 if (avc_has_perm(peer_sid, skb->secmark, 5589 if (avc_has_perm(&selinux_state,
5590 peer_sid, skb->secmark,
5191 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5591 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5192 return NF_DROP; 5592 return NF_DROP;
5193 5593
@@ -5299,7 +5699,8 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5299 return NF_DROP; 5699 return NF_DROP;
5300 5700
5301 if (selinux_secmark_enabled()) 5701 if (selinux_secmark_enabled())
5302 if (avc_has_perm(sksec->sid, skb->secmark, 5702 if (avc_has_perm(&selinux_state,
5703 sksec->sid, skb->secmark,
5303 SECCLASS_PACKET, PACKET__SEND, &ad)) 5704 SECCLASS_PACKET, PACKET__SEND, &ad))
5304 return NF_DROP_ERR(-ECONNREFUSED); 5705 return NF_DROP_ERR(-ECONNREFUSED);
5305 5706
@@ -5327,7 +5728,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5327 * to the selinux_ip_postroute_compat() function to deal with the 5728 * to the selinux_ip_postroute_compat() function to deal with the
5328 * special handling. We do this in an attempt to keep this function 5729 * special handling. We do this in an attempt to keep this function
5329 * as fast and as clean as possible. */ 5730 * as fast and as clean as possible. */
5330 if (!selinux_policycap_netpeer) 5731 if (!selinux_policycap_netpeer())
5331 return selinux_ip_postroute_compat(skb, ifindex, family); 5732 return selinux_ip_postroute_compat(skb, ifindex, family);
5332 5733
5333 secmark_active = selinux_secmark_enabled(); 5734 secmark_active = selinux_secmark_enabled();
@@ -5422,7 +5823,8 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5422 return NF_DROP; 5823 return NF_DROP;
5423 5824
5424 if (secmark_active) 5825 if (secmark_active)
5425 if (avc_has_perm(peer_sid, skb->secmark, 5826 if (avc_has_perm(&selinux_state,
5827 peer_sid, skb->secmark,
5426 SECCLASS_PACKET, secmark_perm, &ad)) 5828 SECCLASS_PACKET, secmark_perm, &ad))
5427 return NF_DROP_ERR(-ECONNREFUSED); 5829 return NF_DROP_ERR(-ECONNREFUSED);
5428 5830
@@ -5432,13 +5834,15 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5432 5834
5433 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5835 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5434 return NF_DROP; 5836 return NF_DROP;
5435 if (avc_has_perm(peer_sid, if_sid, 5837 if (avc_has_perm(&selinux_state,
5838 peer_sid, if_sid,
5436 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5839 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5437 return NF_DROP_ERR(-ECONNREFUSED); 5840 return NF_DROP_ERR(-ECONNREFUSED);
5438 5841
5439 if (sel_netnode_sid(addrp, family, &node_sid)) 5842 if (sel_netnode_sid(addrp, family, &node_sid))
5440 return NF_DROP; 5843 return NF_DROP;
5441 if (avc_has_perm(peer_sid, node_sid, 5844 if (avc_has_perm(&selinux_state,
5845 peer_sid, node_sid,
5442 SECCLASS_NODE, NODE__SENDTO, &ad)) 5846 SECCLASS_NODE, NODE__SENDTO, &ad))
5443 return NF_DROP_ERR(-ECONNREFUSED); 5847 return NF_DROP_ERR(-ECONNREFUSED);
5444 } 5848 }
@@ -5526,7 +5930,8 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5526 ad.type = LSM_AUDIT_DATA_IPC; 5930 ad.type = LSM_AUDIT_DATA_IPC;
5527 ad.u.ipc_id = ipc_perms->key; 5931 ad.u.ipc_id = ipc_perms->key;
5528 5932
5529 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 5933 return avc_has_perm(&selinux_state,
5934 sid, isec->sid, isec->sclass, perms, &ad);
5530} 5935}
5531 5936
5532static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5937static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
@@ -5540,52 +5945,54 @@ static void selinux_msg_msg_free_security(struct msg_msg *msg)
5540} 5945}
5541 5946
5542/* message queue security operations */ 5947/* message queue security operations */
5543static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 5948static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5544{ 5949{
5545 struct ipc_security_struct *isec; 5950 struct ipc_security_struct *isec;
5546 struct common_audit_data ad; 5951 struct common_audit_data ad;
5547 u32 sid = current_sid(); 5952 u32 sid = current_sid();
5548 int rc; 5953 int rc;
5549 5954
5550 rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ); 5955 rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
5551 if (rc) 5956 if (rc)
5552 return rc; 5957 return rc;
5553 5958
5554 isec = msq->q_perm.security; 5959 isec = msq->security;
5555 5960
5556 ad.type = LSM_AUDIT_DATA_IPC; 5961 ad.type = LSM_AUDIT_DATA_IPC;
5557 ad.u.ipc_id = msq->q_perm.key; 5962 ad.u.ipc_id = msq->key;
5558 5963
5559 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5964 rc = avc_has_perm(&selinux_state,
5965 sid, isec->sid, SECCLASS_MSGQ,
5560 MSGQ__CREATE, &ad); 5966 MSGQ__CREATE, &ad);
5561 if (rc) { 5967 if (rc) {
5562 ipc_free_security(&msq->q_perm); 5968 ipc_free_security(msq);
5563 return rc; 5969 return rc;
5564 } 5970 }
5565 return 0; 5971 return 0;
5566} 5972}
5567 5973
5568static void selinux_msg_queue_free_security(struct msg_queue *msq) 5974static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
5569{ 5975{
5570 ipc_free_security(&msq->q_perm); 5976 ipc_free_security(msq);
5571} 5977}
5572 5978
5573static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 5979static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5574{ 5980{
5575 struct ipc_security_struct *isec; 5981 struct ipc_security_struct *isec;
5576 struct common_audit_data ad; 5982 struct common_audit_data ad;
5577 u32 sid = current_sid(); 5983 u32 sid = current_sid();
5578 5984
5579 isec = msq->q_perm.security; 5985 isec = msq->security;
5580 5986
5581 ad.type = LSM_AUDIT_DATA_IPC; 5987 ad.type = LSM_AUDIT_DATA_IPC;
5582 ad.u.ipc_id = msq->q_perm.key; 5988 ad.u.ipc_id = msq->key;
5583 5989
5584 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5990 return avc_has_perm(&selinux_state,
5991 sid, isec->sid, SECCLASS_MSGQ,
5585 MSGQ__ASSOCIATE, &ad); 5992 MSGQ__ASSOCIATE, &ad);
5586} 5993}
5587 5994
5588static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 5995static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
5589{ 5996{
5590 int err; 5997 int err;
5591 int perms; 5998 int perms;
@@ -5594,7 +6001,8 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5594 case IPC_INFO: 6001 case IPC_INFO:
5595 case MSG_INFO: 6002 case MSG_INFO:
5596 /* No specific object, just general system-wide information. */ 6003 /* No specific object, just general system-wide information. */
5597 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6004 return avc_has_perm(&selinux_state,
6005 current_sid(), SECINITSID_KERNEL,
5598 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6006 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5599 case IPC_STAT: 6007 case IPC_STAT:
5600 case MSG_STAT: 6008 case MSG_STAT:
@@ -5610,11 +6018,11 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5610 return 0; 6018 return 0;
5611 } 6019 }
5612 6020
5613 err = ipc_has_perm(&msq->q_perm, perms); 6021 err = ipc_has_perm(msq, perms);
5614 return err; 6022 return err;
5615} 6023}
5616 6024
5617static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 6025static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
5618{ 6026{
5619 struct ipc_security_struct *isec; 6027 struct ipc_security_struct *isec;
5620 struct msg_security_struct *msec; 6028 struct msg_security_struct *msec;
@@ -5622,7 +6030,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
5622 u32 sid = current_sid(); 6030 u32 sid = current_sid();
5623 int rc; 6031 int rc;
5624 6032
5625 isec = msq->q_perm.security; 6033 isec = msq->security;
5626 msec = msg->security; 6034 msec = msg->security;
5627 6035
5628 /* 6036 /*
@@ -5633,31 +6041,34 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
5633 * Compute new sid based on current process and 6041 * Compute new sid based on current process and
5634 * message queue this message will be stored in 6042 * message queue this message will be stored in
5635 */ 6043 */
5636 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG, 6044 rc = security_transition_sid(&selinux_state, sid, isec->sid,
5637 NULL, &msec->sid); 6045 SECCLASS_MSG, NULL, &msec->sid);
5638 if (rc) 6046 if (rc)
5639 return rc; 6047 return rc;
5640 } 6048 }
5641 6049
5642 ad.type = LSM_AUDIT_DATA_IPC; 6050 ad.type = LSM_AUDIT_DATA_IPC;
5643 ad.u.ipc_id = msq->q_perm.key; 6051 ad.u.ipc_id = msq->key;
5644 6052
5645 /* Can this process write to the queue? */ 6053 /* Can this process write to the queue? */
5646 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6054 rc = avc_has_perm(&selinux_state,
6055 sid, isec->sid, SECCLASS_MSGQ,
5647 MSGQ__WRITE, &ad); 6056 MSGQ__WRITE, &ad);
5648 if (!rc) 6057 if (!rc)
5649 /* Can this process send the message */ 6058 /* Can this process send the message */
5650 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 6059 rc = avc_has_perm(&selinux_state,
6060 sid, msec->sid, SECCLASS_MSG,
5651 MSG__SEND, &ad); 6061 MSG__SEND, &ad);
5652 if (!rc) 6062 if (!rc)
5653 /* Can the message be put in the queue? */ 6063 /* Can the message be put in the queue? */
5654 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 6064 rc = avc_has_perm(&selinux_state,
6065 msec->sid, isec->sid, SECCLASS_MSGQ,
5655 MSGQ__ENQUEUE, &ad); 6066 MSGQ__ENQUEUE, &ad);
5656 6067
5657 return rc; 6068 return rc;
5658} 6069}
5659 6070
5660static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 6071static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
5661 struct task_struct *target, 6072 struct task_struct *target,
5662 long type, int mode) 6073 long type, int mode)
5663{ 6074{
@@ -5667,68 +6078,72 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5667 u32 sid = task_sid(target); 6078 u32 sid = task_sid(target);
5668 int rc; 6079 int rc;
5669 6080
5670 isec = msq->q_perm.security; 6081 isec = msq->security;
5671 msec = msg->security; 6082 msec = msg->security;
5672 6083
5673 ad.type = LSM_AUDIT_DATA_IPC; 6084 ad.type = LSM_AUDIT_DATA_IPC;
5674 ad.u.ipc_id = msq->q_perm.key; 6085 ad.u.ipc_id = msq->key;
5675 6086
5676 rc = avc_has_perm(sid, isec->sid, 6087 rc = avc_has_perm(&selinux_state,
6088 sid, isec->sid,
5677 SECCLASS_MSGQ, MSGQ__READ, &ad); 6089 SECCLASS_MSGQ, MSGQ__READ, &ad);
5678 if (!rc) 6090 if (!rc)
5679 rc = avc_has_perm(sid, msec->sid, 6091 rc = avc_has_perm(&selinux_state,
6092 sid, msec->sid,
5680 SECCLASS_MSG, MSG__RECEIVE, &ad); 6093 SECCLASS_MSG, MSG__RECEIVE, &ad);
5681 return rc; 6094 return rc;
5682} 6095}
5683 6096
5684/* Shared Memory security operations */ 6097/* Shared Memory security operations */
5685static int selinux_shm_alloc_security(struct shmid_kernel *shp) 6098static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
5686{ 6099{
5687 struct ipc_security_struct *isec; 6100 struct ipc_security_struct *isec;
5688 struct common_audit_data ad; 6101 struct common_audit_data ad;
5689 u32 sid = current_sid(); 6102 u32 sid = current_sid();
5690 int rc; 6103 int rc;
5691 6104
5692 rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM); 6105 rc = ipc_alloc_security(shp, SECCLASS_SHM);
5693 if (rc) 6106 if (rc)
5694 return rc; 6107 return rc;
5695 6108
5696 isec = shp->shm_perm.security; 6109 isec = shp->security;
5697 6110
5698 ad.type = LSM_AUDIT_DATA_IPC; 6111 ad.type = LSM_AUDIT_DATA_IPC;
5699 ad.u.ipc_id = shp->shm_perm.key; 6112 ad.u.ipc_id = shp->key;
5700 6113
5701 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6114 rc = avc_has_perm(&selinux_state,
6115 sid, isec->sid, SECCLASS_SHM,
5702 SHM__CREATE, &ad); 6116 SHM__CREATE, &ad);
5703 if (rc) { 6117 if (rc) {
5704 ipc_free_security(&shp->shm_perm); 6118 ipc_free_security(shp);
5705 return rc; 6119 return rc;
5706 } 6120 }
5707 return 0; 6121 return 0;
5708} 6122}
5709 6123
5710static void selinux_shm_free_security(struct shmid_kernel *shp) 6124static void selinux_shm_free_security(struct kern_ipc_perm *shp)
5711{ 6125{
5712 ipc_free_security(&shp->shm_perm); 6126 ipc_free_security(shp);
5713} 6127}
5714 6128
5715static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 6129static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
5716{ 6130{
5717 struct ipc_security_struct *isec; 6131 struct ipc_security_struct *isec;
5718 struct common_audit_data ad; 6132 struct common_audit_data ad;
5719 u32 sid = current_sid(); 6133 u32 sid = current_sid();
5720 6134
5721 isec = shp->shm_perm.security; 6135 isec = shp->security;
5722 6136
5723 ad.type = LSM_AUDIT_DATA_IPC; 6137 ad.type = LSM_AUDIT_DATA_IPC;
5724 ad.u.ipc_id = shp->shm_perm.key; 6138 ad.u.ipc_id = shp->key;
5725 6139
5726 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6140 return avc_has_perm(&selinux_state,
6141 sid, isec->sid, SECCLASS_SHM,
5727 SHM__ASSOCIATE, &ad); 6142 SHM__ASSOCIATE, &ad);
5728} 6143}
5729 6144
5730/* Note, at this point, shp is locked down */ 6145/* Note, at this point, shp is locked down */
5731static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 6146static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
5732{ 6147{
5733 int perms; 6148 int perms;
5734 int err; 6149 int err;
@@ -5737,7 +6152,8 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5737 case IPC_INFO: 6152 case IPC_INFO:
5738 case SHM_INFO: 6153 case SHM_INFO:
5739 /* No specific object, just general system-wide information. */ 6154 /* No specific object, just general system-wide information. */
5740 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6155 return avc_has_perm(&selinux_state,
6156 current_sid(), SECINITSID_KERNEL,
5741 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6157 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5742 case IPC_STAT: 6158 case IPC_STAT:
5743 case SHM_STAT: 6159 case SHM_STAT:
@@ -5757,11 +6173,11 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5757 return 0; 6173 return 0;
5758 } 6174 }
5759 6175
5760 err = ipc_has_perm(&shp->shm_perm, perms); 6176 err = ipc_has_perm(shp, perms);
5761 return err; 6177 return err;
5762} 6178}
5763 6179
5764static int selinux_shm_shmat(struct shmid_kernel *shp, 6180static int selinux_shm_shmat(struct kern_ipc_perm *shp,
5765 char __user *shmaddr, int shmflg) 6181 char __user *shmaddr, int shmflg)
5766{ 6182{
5767 u32 perms; 6183 u32 perms;
@@ -5771,57 +6187,59 @@ static int selinux_shm_shmat(struct shmid_kernel *shp,
5771 else 6187 else
5772 perms = SHM__READ | SHM__WRITE; 6188 perms = SHM__READ | SHM__WRITE;
5773 6189
5774 return ipc_has_perm(&shp->shm_perm, perms); 6190 return ipc_has_perm(shp, perms);
5775} 6191}
5776 6192
5777/* Semaphore security operations */ 6193/* Semaphore security operations */
5778static int selinux_sem_alloc_security(struct sem_array *sma) 6194static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
5779{ 6195{
5780 struct ipc_security_struct *isec; 6196 struct ipc_security_struct *isec;
5781 struct common_audit_data ad; 6197 struct common_audit_data ad;
5782 u32 sid = current_sid(); 6198 u32 sid = current_sid();
5783 int rc; 6199 int rc;
5784 6200
5785 rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM); 6201 rc = ipc_alloc_security(sma, SECCLASS_SEM);
5786 if (rc) 6202 if (rc)
5787 return rc; 6203 return rc;
5788 6204
5789 isec = sma->sem_perm.security; 6205 isec = sma->security;
5790 6206
5791 ad.type = LSM_AUDIT_DATA_IPC; 6207 ad.type = LSM_AUDIT_DATA_IPC;
5792 ad.u.ipc_id = sma->sem_perm.key; 6208 ad.u.ipc_id = sma->key;
5793 6209
5794 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6210 rc = avc_has_perm(&selinux_state,
6211 sid, isec->sid, SECCLASS_SEM,
5795 SEM__CREATE, &ad); 6212 SEM__CREATE, &ad);
5796 if (rc) { 6213 if (rc) {
5797 ipc_free_security(&sma->sem_perm); 6214 ipc_free_security(sma);
5798 return rc; 6215 return rc;
5799 } 6216 }
5800 return 0; 6217 return 0;
5801} 6218}
5802 6219
5803static void selinux_sem_free_security(struct sem_array *sma) 6220static void selinux_sem_free_security(struct kern_ipc_perm *sma)
5804{ 6221{
5805 ipc_free_security(&sma->sem_perm); 6222 ipc_free_security(sma);
5806} 6223}
5807 6224
5808static int selinux_sem_associate(struct sem_array *sma, int semflg) 6225static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
5809{ 6226{
5810 struct ipc_security_struct *isec; 6227 struct ipc_security_struct *isec;
5811 struct common_audit_data ad; 6228 struct common_audit_data ad;
5812 u32 sid = current_sid(); 6229 u32 sid = current_sid();
5813 6230
5814 isec = sma->sem_perm.security; 6231 isec = sma->security;
5815 6232
5816 ad.type = LSM_AUDIT_DATA_IPC; 6233 ad.type = LSM_AUDIT_DATA_IPC;
5817 ad.u.ipc_id = sma->sem_perm.key; 6234 ad.u.ipc_id = sma->key;
5818 6235
5819 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6236 return avc_has_perm(&selinux_state,
6237 sid, isec->sid, SECCLASS_SEM,
5820 SEM__ASSOCIATE, &ad); 6238 SEM__ASSOCIATE, &ad);
5821} 6239}
5822 6240
5823/* Note, at this point, sma is locked down */ 6241/* Note, at this point, sma is locked down */
5824static int selinux_sem_semctl(struct sem_array *sma, int cmd) 6242static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
5825{ 6243{
5826 int err; 6244 int err;
5827 u32 perms; 6245 u32 perms;
@@ -5830,7 +6248,8 @@ static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5830 case IPC_INFO: 6248 case IPC_INFO:
5831 case SEM_INFO: 6249 case SEM_INFO:
5832 /* No specific object, just general system-wide information. */ 6250 /* No specific object, just general system-wide information. */
5833 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6251 return avc_has_perm(&selinux_state,
6252 current_sid(), SECINITSID_KERNEL,
5834 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6253 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5835 case GETPID: 6254 case GETPID:
5836 case GETNCNT: 6255 case GETNCNT:
@@ -5859,11 +6278,11 @@ static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5859 return 0; 6278 return 0;
5860 } 6279 }
5861 6280
5862 err = ipc_has_perm(&sma->sem_perm, perms); 6281 err = ipc_has_perm(sma, perms);
5863 return err; 6282 return err;
5864} 6283}
5865 6284
5866static int selinux_sem_semop(struct sem_array *sma, 6285static int selinux_sem_semop(struct kern_ipc_perm *sma,
5867 struct sembuf *sops, unsigned nsops, int alter) 6286 struct sembuf *sops, unsigned nsops, int alter)
5868{ 6287{
5869 u32 perms; 6288 u32 perms;
@@ -5873,7 +6292,7 @@ static int selinux_sem_semop(struct sem_array *sma,
5873 else 6292 else
5874 perms = SEM__READ; 6293 perms = SEM__READ;
5875 6294
5876 return ipc_has_perm(&sma->sem_perm, perms); 6295 return ipc_has_perm(sma, perms);
5877} 6296}
5878 6297
5879static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6298static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
@@ -5916,7 +6335,8 @@ static int selinux_getprocattr(struct task_struct *p,
5916 __tsec = __task_cred(p)->security; 6335 __tsec = __task_cred(p)->security;
5917 6336
5918 if (current != p) { 6337 if (current != p) {
5919 error = avc_has_perm(current_sid(), __tsec->sid, 6338 error = avc_has_perm(&selinux_state,
6339 current_sid(), __tsec->sid,
5920 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6340 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
5921 if (error) 6341 if (error)
5922 goto bad; 6342 goto bad;
@@ -5943,7 +6363,7 @@ static int selinux_getprocattr(struct task_struct *p,
5943 if (!sid) 6363 if (!sid)
5944 return 0; 6364 return 0;
5945 6365
5946 error = security_sid_to_context(sid, value, &len); 6366 error = security_sid_to_context(&selinux_state, sid, value, &len);
5947 if (error) 6367 if (error)
5948 return error; 6368 return error;
5949 return len; 6369 return len;
@@ -5965,19 +6385,24 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
5965 * Basic control over ability to set these attributes at all. 6385 * Basic control over ability to set these attributes at all.
5966 */ 6386 */
5967 if (!strcmp(name, "exec")) 6387 if (!strcmp(name, "exec"))
5968 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6388 error = avc_has_perm(&selinux_state,
6389 mysid, mysid, SECCLASS_PROCESS,
5969 PROCESS__SETEXEC, NULL); 6390 PROCESS__SETEXEC, NULL);
5970 else if (!strcmp(name, "fscreate")) 6391 else if (!strcmp(name, "fscreate"))
5971 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6392 error = avc_has_perm(&selinux_state,
6393 mysid, mysid, SECCLASS_PROCESS,
5972 PROCESS__SETFSCREATE, NULL); 6394 PROCESS__SETFSCREATE, NULL);
5973 else if (!strcmp(name, "keycreate")) 6395 else if (!strcmp(name, "keycreate"))
5974 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6396 error = avc_has_perm(&selinux_state,
6397 mysid, mysid, SECCLASS_PROCESS,
5975 PROCESS__SETKEYCREATE, NULL); 6398 PROCESS__SETKEYCREATE, NULL);
5976 else if (!strcmp(name, "sockcreate")) 6399 else if (!strcmp(name, "sockcreate"))
5977 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6400 error = avc_has_perm(&selinux_state,
6401 mysid, mysid, SECCLASS_PROCESS,
5978 PROCESS__SETSOCKCREATE, NULL); 6402 PROCESS__SETSOCKCREATE, NULL);
5979 else if (!strcmp(name, "current")) 6403 else if (!strcmp(name, "current"))
5980 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6404 error = avc_has_perm(&selinux_state,
6405 mysid, mysid, SECCLASS_PROCESS,
5981 PROCESS__SETCURRENT, NULL); 6406 PROCESS__SETCURRENT, NULL);
5982 else 6407 else
5983 error = -EINVAL; 6408 error = -EINVAL;
@@ -5990,7 +6415,8 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
5990 str[size-1] = 0; 6415 str[size-1] = 0;
5991 size--; 6416 size--;
5992 } 6417 }
5993 error = security_context_to_sid(value, size, &sid, GFP_KERNEL); 6418 error = security_context_to_sid(&selinux_state, value, size,
6419 &sid, GFP_KERNEL);
5994 if (error == -EINVAL && !strcmp(name, "fscreate")) { 6420 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5995 if (!has_cap_mac_admin(true)) { 6421 if (!has_cap_mac_admin(true)) {
5996 struct audit_buffer *ab; 6422 struct audit_buffer *ab;
@@ -6009,8 +6435,9 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6009 6435
6010 return error; 6436 return error;
6011 } 6437 }
6012 error = security_context_to_sid_force(value, size, 6438 error = security_context_to_sid_force(
6013 &sid); 6439 &selinux_state,
6440 value, size, &sid);
6014 } 6441 }
6015 if (error) 6442 if (error)
6016 return error; 6443 return error;
@@ -6032,7 +6459,8 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6032 } else if (!strcmp(name, "fscreate")) { 6459 } else if (!strcmp(name, "fscreate")) {
6033 tsec->create_sid = sid; 6460 tsec->create_sid = sid;
6034 } else if (!strcmp(name, "keycreate")) { 6461 } else if (!strcmp(name, "keycreate")) {
6035 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE, 6462 error = avc_has_perm(&selinux_state,
6463 mysid, sid, SECCLASS_KEY, KEY__CREATE,
6036 NULL); 6464 NULL);
6037 if (error) 6465 if (error)
6038 goto abort_change; 6466 goto abort_change;
@@ -6047,13 +6475,15 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6047 /* Only allow single threaded processes to change context */ 6475 /* Only allow single threaded processes to change context */
6048 error = -EPERM; 6476 error = -EPERM;
6049 if (!current_is_single_threaded()) { 6477 if (!current_is_single_threaded()) {
6050 error = security_bounded_transition(tsec->sid, sid); 6478 error = security_bounded_transition(&selinux_state,
6479 tsec->sid, sid);
6051 if (error) 6480 if (error)
6052 goto abort_change; 6481 goto abort_change;
6053 } 6482 }
6054 6483
6055 /* Check permissions for the transition. */ 6484 /* Check permissions for the transition. */
6056 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 6485 error = avc_has_perm(&selinux_state,
6486 tsec->sid, sid, SECCLASS_PROCESS,
6057 PROCESS__DYNTRANSITION, NULL); 6487 PROCESS__DYNTRANSITION, NULL);
6058 if (error) 6488 if (error)
6059 goto abort_change; 6489 goto abort_change;
@@ -6062,7 +6492,8 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
6062 Otherwise, leave SID unchanged and fail. */ 6492 Otherwise, leave SID unchanged and fail. */
6063 ptsid = ptrace_parent_sid(); 6493 ptsid = ptrace_parent_sid();
6064 if (ptsid != 0) { 6494 if (ptsid != 0) {
6065 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 6495 error = avc_has_perm(&selinux_state,
6496 ptsid, sid, SECCLASS_PROCESS,
6066 PROCESS__PTRACE, NULL); 6497 PROCESS__PTRACE, NULL);
6067 if (error) 6498 if (error)
6068 goto abort_change; 6499 goto abort_change;
@@ -6089,12 +6520,14 @@ static int selinux_ismaclabel(const char *name)
6089 6520
6090static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6521static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6091{ 6522{
6092 return security_sid_to_context(secid, secdata, seclen); 6523 return security_sid_to_context(&selinux_state, secid,
6524 secdata, seclen);
6093} 6525}
6094 6526
6095static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6527static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6096{ 6528{
6097 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL); 6529 return security_context_to_sid(&selinux_state, secdata, seclen,
6530 secid, GFP_KERNEL);
6098} 6531}
6099 6532
6100static void selinux_release_secctx(char *secdata, u32 seclen) 6533static void selinux_release_secctx(char *secdata, u32 seclen)
@@ -6186,7 +6619,8 @@ static int selinux_key_permission(key_ref_t key_ref,
6186 key = key_ref_to_ptr(key_ref); 6619 key = key_ref_to_ptr(key_ref);
6187 ksec = key->security; 6620 ksec = key->security;
6188 6621
6189 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6622 return avc_has_perm(&selinux_state,
6623 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6190} 6624}
6191 6625
6192static int selinux_key_getsecurity(struct key *key, char **_buffer) 6626static int selinux_key_getsecurity(struct key *key, char **_buffer)
@@ -6196,7 +6630,8 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
6196 unsigned len; 6630 unsigned len;
6197 int rc; 6631 int rc;
6198 6632
6199 rc = security_sid_to_context(ksec->sid, &context, &len); 6633 rc = security_sid_to_context(&selinux_state, ksec->sid,
6634 &context, &len);
6200 if (!rc) 6635 if (!rc)
6201 rc = len; 6636 rc = len;
6202 *_buffer = context; 6637 *_buffer = context;
@@ -6221,7 +6656,8 @@ static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6221 ibpkey.subnet_prefix = subnet_prefix; 6656 ibpkey.subnet_prefix = subnet_prefix;
6222 ibpkey.pkey = pkey_val; 6657 ibpkey.pkey = pkey_val;
6223 ad.u.ibpkey = &ibpkey; 6658 ad.u.ibpkey = &ibpkey;
6224 return avc_has_perm(sec->sid, sid, 6659 return avc_has_perm(&selinux_state,
6660 sec->sid, sid,
6225 SECCLASS_INFINIBAND_PKEY, 6661 SECCLASS_INFINIBAND_PKEY,
6226 INFINIBAND_PKEY__ACCESS, &ad); 6662 INFINIBAND_PKEY__ACCESS, &ad);
6227} 6663}
@@ -6235,7 +6671,8 @@ static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6235 struct ib_security_struct *sec = ib_sec; 6671 struct ib_security_struct *sec = ib_sec;
6236 struct lsm_ibendport_audit ibendport; 6672 struct lsm_ibendport_audit ibendport;
6237 6673
6238 err = security_ib_endport_sid(dev_name, port_num, &sid); 6674 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6675 &sid);
6239 6676
6240 if (err) 6677 if (err)
6241 return err; 6678 return err;
@@ -6244,7 +6681,8 @@ static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6244 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); 6681 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6245 ibendport.port = port_num; 6682 ibendport.port = port_num;
6246 ad.u.ibendport = &ibendport; 6683 ad.u.ibendport = &ibendport;
6247 return avc_has_perm(sec->sid, sid, 6684 return avc_has_perm(&selinux_state,
6685 sec->sid, sid,
6248 SECCLASS_INFINIBAND_ENDPORT, 6686 SECCLASS_INFINIBAND_ENDPORT,
6249 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6687 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6250} 6688}
@@ -6277,11 +6715,13 @@ static int selinux_bpf(int cmd, union bpf_attr *attr,
6277 6715
6278 switch (cmd) { 6716 switch (cmd) {
6279 case BPF_MAP_CREATE: 6717 case BPF_MAP_CREATE:
6280 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6718 ret = avc_has_perm(&selinux_state,
6719 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6281 NULL); 6720 NULL);
6282 break; 6721 break;
6283 case BPF_PROG_LOAD: 6722 case BPF_PROG_LOAD:
6284 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6723 ret = avc_has_perm(&selinux_state,
6724 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6285 NULL); 6725 NULL);
6286 break; 6726 break;
6287 default: 6727 default:
@@ -6321,14 +6761,16 @@ static int bpf_fd_pass(struct file *file, u32 sid)
6321 if (file->f_op == &bpf_map_fops) { 6761 if (file->f_op == &bpf_map_fops) {
6322 map = file->private_data; 6762 map = file->private_data;
6323 bpfsec = map->security; 6763 bpfsec = map->security;
6324 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6764 ret = avc_has_perm(&selinux_state,
6765 sid, bpfsec->sid, SECCLASS_BPF,
6325 bpf_map_fmode_to_av(file->f_mode), NULL); 6766 bpf_map_fmode_to_av(file->f_mode), NULL);
6326 if (ret) 6767 if (ret)
6327 return ret; 6768 return ret;
6328 } else if (file->f_op == &bpf_prog_fops) { 6769 } else if (file->f_op == &bpf_prog_fops) {
6329 prog = file->private_data; 6770 prog = file->private_data;
6330 bpfsec = prog->aux->security; 6771 bpfsec = prog->aux->security;
6331 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6772 ret = avc_has_perm(&selinux_state,
6773 sid, bpfsec->sid, SECCLASS_BPF,
6332 BPF__PROG_RUN, NULL); 6774 BPF__PROG_RUN, NULL);
6333 if (ret) 6775 if (ret)
6334 return ret; 6776 return ret;
@@ -6342,7 +6784,8 @@ static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6342 struct bpf_security_struct *bpfsec; 6784 struct bpf_security_struct *bpfsec;
6343 6785
6344 bpfsec = map->security; 6786 bpfsec = map->security;
6345 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6787 return avc_has_perm(&selinux_state,
6788 sid, bpfsec->sid, SECCLASS_BPF,
6346 bpf_map_fmode_to_av(fmode), NULL); 6789 bpf_map_fmode_to_av(fmode), NULL);
6347} 6790}
6348 6791
@@ -6352,7 +6795,8 @@ static int selinux_bpf_prog(struct bpf_prog *prog)
6352 struct bpf_security_struct *bpfsec; 6795 struct bpf_security_struct *bpfsec;
6353 6796
6354 bpfsec = prog->aux->security; 6797 bpfsec = prog->aux->security;
6355 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 6798 return avc_has_perm(&selinux_state,
6799 sid, bpfsec->sid, SECCLASS_BPF,
6356 BPF__PROG_RUN, NULL); 6800 BPF__PROG_RUN, NULL);
6357} 6801}
6358 6802
@@ -6572,6 +7016,9 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6572 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7016 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6573 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7017 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6574 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7018 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7019 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7020 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7021 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
6575 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7022 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6576 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7023 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6577 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7024 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
@@ -6647,6 +7094,12 @@ static __init int selinux_init(void)
6647 7094
6648 printk(KERN_INFO "SELinux: Initializing.\n"); 7095 printk(KERN_INFO "SELinux: Initializing.\n");
6649 7096
7097 memset(&selinux_state, 0, sizeof(selinux_state));
7098 enforcing_set(&selinux_state, selinux_enforcing_boot);
7099 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7100 selinux_ss_init(&selinux_state.ss);
7101 selinux_avc_init(&selinux_state.avc);
7102
6650 /* Set the security state for the initial task. */ 7103 /* Set the security state for the initial task. */
6651 cred_init_security(); 7104 cred_init_security();
6652 7105
@@ -6660,6 +7113,12 @@ static __init int selinux_init(void)
6660 0, SLAB_PANIC, NULL); 7113 0, SLAB_PANIC, NULL);
6661 avc_init(); 7114 avc_init();
6662 7115
7116 avtab_cache_init();
7117
7118 ebitmap_cache_init();
7119
7120 hashtab_cache_init();
7121
6663 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 7122 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
6664 7123
6665 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7124 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
@@ -6668,7 +7127,7 @@ static __init int selinux_init(void)
6668 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7127 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
6669 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7128 panic("SELinux: Unable to register AVC LSM notifier callback\n");
6670 7129
6671 if (selinux_enforcing) 7130 if (selinux_enforcing_boot)
6672 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 7131 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6673 else 7132 else
6674 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 7133 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
@@ -6789,23 +7248,22 @@ static void selinux_nf_ip_exit(void)
6789#endif /* CONFIG_NETFILTER */ 7248#endif /* CONFIG_NETFILTER */
6790 7249
6791#ifdef CONFIG_SECURITY_SELINUX_DISABLE 7250#ifdef CONFIG_SECURITY_SELINUX_DISABLE
6792static int selinux_disabled; 7251int selinux_disable(struct selinux_state *state)
6793
6794int selinux_disable(void)
6795{ 7252{
6796 if (ss_initialized) { 7253 if (state->initialized) {
6797 /* Not permitted after initial policy load. */ 7254 /* Not permitted after initial policy load. */
6798 return -EINVAL; 7255 return -EINVAL;
6799 } 7256 }
6800 7257
6801 if (selinux_disabled) { 7258 if (state->disabled) {
6802 /* Only do this once. */ 7259 /* Only do this once. */
6803 return -EINVAL; 7260 return -EINVAL;
6804 } 7261 }
6805 7262
7263 state->disabled = 1;
7264
6806 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 7265 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6807 7266
6808 selinux_disabled = 1;
6809 selinux_enabled = 0; 7267 selinux_enabled = 0;
6810 7268
6811 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 7269 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
generated by cgit v1.2.2 (git 2.25.0) at 2025-10-05 11:55:32 -0400