aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/hooks.c
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@ppc970.osdl.org>2005-04-16 18:20:36 -0400
committerLinus Torvalds <torvalds@ppc970.osdl.org>2005-04-16 18:20:36 -0400
commit1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (patch)
tree0bba044c4ce775e45a88a51686b5d9f90697ea9d /security/selinux/hooks.c
Linux-2.6.12-rc2v2.6.12-rc2
Initial git repository build. I'm not bothering with the full history, even though we have it. We can create a separate "historical" git archive of that later if we want to, and in the meantime it's about 3.2GB when imported into git - space that would just make the early git days unnecessarily complicated, when we don't have a lot of good infrastructure for it. Let it rip!
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c4565
1 files changed, 4565 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
new file mode 100644
index 000000000000..8a2cc75b3948
--- /dev/null
+++ b/security/selinux/hooks.c
@@ -0,0 +1,4565 @@
1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2,
18 * as published by the Free Software Foundation.
19 */
20
21#include <linux/config.h>
22#include <linux/module.h>
23#include <linux/init.h>
24#include <linux/kernel.h>
25#include <linux/ptrace.h>
26#include <linux/errno.h>
27#include <linux/sched.h>
28#include <linux/security.h>
29#include <linux/xattr.h>
30#include <linux/capability.h>
31#include <linux/unistd.h>
32#include <linux/mm.h>
33#include <linux/mman.h>
34#include <linux/slab.h>
35#include <linux/pagemap.h>
36#include <linux/swap.h>
37#include <linux/smp_lock.h>
38#include <linux/spinlock.h>
39#include <linux/syscalls.h>
40#include <linux/file.h>
41#include <linux/namei.h>
42#include <linux/mount.h>
43#include <linux/ext2_fs.h>
44#include <linux/proc_fs.h>
45#include <linux/kd.h>
46#include <linux/netfilter_ipv4.h>
47#include <linux/netfilter_ipv6.h>
48#include <linux/tty.h>
49#include <net/icmp.h>
50#include <net/ip.h> /* for sysctl_local_port_range[] */
51#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
52#include <asm/uaccess.h>
53#include <asm/semaphore.h>
54#include <asm/ioctls.h>
55#include <linux/bitops.h>
56#include <linux/interrupt.h>
57#include <linux/netdevice.h> /* for network interface checks */
58#include <linux/netlink.h>
59#include <linux/tcp.h>
60#include <linux/udp.h>
61#include <linux/quota.h>
62#include <linux/un.h> /* for Unix socket types */
63#include <net/af_unix.h> /* for Unix socket types */
64#include <linux/parser.h>
65#include <linux/nfs_mount.h>
66#include <net/ipv6.h>
67#include <linux/hugetlb.h>
68#include <linux/personality.h>
69#include <linux/sysctl.h>
70#include <linux/audit.h>
71
72#include "avc.h"
73#include "objsec.h"
74#include "netif.h"
75
76#define XATTR_SELINUX_SUFFIX "selinux"
77#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
78
79extern unsigned int policydb_loaded_version;
80extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
81
82#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
83int selinux_enforcing = 0;
84
85static int __init enforcing_setup(char *str)
86{
87 selinux_enforcing = simple_strtol(str,NULL,0);
88 return 1;
89}
90__setup("enforcing=", enforcing_setup);
91#endif
92
93#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
94int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
95
96static int __init selinux_enabled_setup(char *str)
97{
98 selinux_enabled = simple_strtol(str, NULL, 0);
99 return 1;
100}
101__setup("selinux=", selinux_enabled_setup);
102#endif
103
104/* Original (dummy) security module. */
105static struct security_operations *original_ops = NULL;
106
107/* Minimal support for a secondary security module,
108 just to allow the use of the dummy or capability modules.
109 The owlsm module can alternatively be used as a secondary
110 module as long as CONFIG_OWLSM_FD is not enabled. */
111static struct security_operations *secondary_ops = NULL;
112
113/* Lists of inode and superblock security structures initialized
114 before the policy was loaded. */
115static LIST_HEAD(superblock_security_head);
116static DEFINE_SPINLOCK(sb_security_lock);
117
118/* Allocate and free functions for each kind of security blob. */
119
120static int task_alloc_security(struct task_struct *task)
121{
122 struct task_security_struct *tsec;
123
124 tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL);
125 if (!tsec)
126 return -ENOMEM;
127
128 memset(tsec, 0, sizeof(struct task_security_struct));
129 tsec->magic = SELINUX_MAGIC;
130 tsec->task = task;
131 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
132 task->security = tsec;
133
134 return 0;
135}
136
137static void task_free_security(struct task_struct *task)
138{
139 struct task_security_struct *tsec = task->security;
140
141 if (!tsec || tsec->magic != SELINUX_MAGIC)
142 return;
143
144 task->security = NULL;
145 kfree(tsec);
146}
147
148static int inode_alloc_security(struct inode *inode)
149{
150 struct task_security_struct *tsec = current->security;
151 struct inode_security_struct *isec;
152
153 isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
154 if (!isec)
155 return -ENOMEM;
156
157 memset(isec, 0, sizeof(struct inode_security_struct));
158 init_MUTEX(&isec->sem);
159 INIT_LIST_HEAD(&isec->list);
160 isec->magic = SELINUX_MAGIC;
161 isec->inode = inode;
162 isec->sid = SECINITSID_UNLABELED;
163 isec->sclass = SECCLASS_FILE;
164 if (tsec && tsec->magic == SELINUX_MAGIC)
165 isec->task_sid = tsec->sid;
166 else
167 isec->task_sid = SECINITSID_UNLABELED;
168 inode->i_security = isec;
169
170 return 0;
171}
172
173static void inode_free_security(struct inode *inode)
174{
175 struct inode_security_struct *isec = inode->i_security;
176 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
177
178 if (!isec || isec->magic != SELINUX_MAGIC)
179 return;
180
181 spin_lock(&sbsec->isec_lock);
182 if (!list_empty(&isec->list))
183 list_del_init(&isec->list);
184 spin_unlock(&sbsec->isec_lock);
185
186 inode->i_security = NULL;
187 kfree(isec);
188}
189
190static int file_alloc_security(struct file *file)
191{
192 struct task_security_struct *tsec = current->security;
193 struct file_security_struct *fsec;
194
195 fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
196 if (!fsec)
197 return -ENOMEM;
198
199 memset(fsec, 0, sizeof(struct file_security_struct));
200 fsec->magic = SELINUX_MAGIC;
201 fsec->file = file;
202 if (tsec && tsec->magic == SELINUX_MAGIC) {
203 fsec->sid = tsec->sid;
204 fsec->fown_sid = tsec->sid;
205 } else {
206 fsec->sid = SECINITSID_UNLABELED;
207 fsec->fown_sid = SECINITSID_UNLABELED;
208 }
209 file->f_security = fsec;
210
211 return 0;
212}
213
214static void file_free_security(struct file *file)
215{
216 struct file_security_struct *fsec = file->f_security;
217
218 if (!fsec || fsec->magic != SELINUX_MAGIC)
219 return;
220
221 file->f_security = NULL;
222 kfree(fsec);
223}
224
225static int superblock_alloc_security(struct super_block *sb)
226{
227 struct superblock_security_struct *sbsec;
228
229 sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
230 if (!sbsec)
231 return -ENOMEM;
232
233 memset(sbsec, 0, sizeof(struct superblock_security_struct));
234 init_MUTEX(&sbsec->sem);
235 INIT_LIST_HEAD(&sbsec->list);
236 INIT_LIST_HEAD(&sbsec->isec_head);
237 spin_lock_init(&sbsec->isec_lock);
238 sbsec->magic = SELINUX_MAGIC;
239 sbsec->sb = sb;
240 sbsec->sid = SECINITSID_UNLABELED;
241 sbsec->def_sid = SECINITSID_FILE;
242 sb->s_security = sbsec;
243
244 return 0;
245}
246
247static void superblock_free_security(struct super_block *sb)
248{
249 struct superblock_security_struct *sbsec = sb->s_security;
250
251 if (!sbsec || sbsec->magic != SELINUX_MAGIC)
252 return;
253
254 spin_lock(&sb_security_lock);
255 if (!list_empty(&sbsec->list))
256 list_del_init(&sbsec->list);
257 spin_unlock(&sb_security_lock);
258
259 sb->s_security = NULL;
260 kfree(sbsec);
261}
262
263#ifdef CONFIG_SECURITY_NETWORK
264static int sk_alloc_security(struct sock *sk, int family, int priority)
265{
266 struct sk_security_struct *ssec;
267
268 if (family != PF_UNIX)
269 return 0;
270
271 ssec = kmalloc(sizeof(*ssec), priority);
272 if (!ssec)
273 return -ENOMEM;
274
275 memset(ssec, 0, sizeof(*ssec));
276 ssec->magic = SELINUX_MAGIC;
277 ssec->sk = sk;
278 ssec->peer_sid = SECINITSID_UNLABELED;
279 sk->sk_security = ssec;
280
281 return 0;
282}
283
284static void sk_free_security(struct sock *sk)
285{
286 struct sk_security_struct *ssec = sk->sk_security;
287
288 if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
289 return;
290
291 sk->sk_security = NULL;
292 kfree(ssec);
293}
294#endif /* CONFIG_SECURITY_NETWORK */
295
296/* The security server must be initialized before
297 any labeling or access decisions can be provided. */
298extern int ss_initialized;
299
300/* The file system's label must be initialized prior to use. */
301
302static char *labeling_behaviors[6] = {
303 "uses xattr",
304 "uses transition SIDs",
305 "uses task SIDs",
306 "uses genfs_contexts",
307 "not configured for labeling",
308 "uses mountpoint labeling",
309};
310
311static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313static inline int inode_doinit(struct inode *inode)
314{
315 return inode_doinit_with_dentry(inode, NULL);
316}
317
318enum {
319 Opt_context = 1,
320 Opt_fscontext = 2,
321 Opt_defcontext = 4,
322};
323
324static match_table_t tokens = {
325 {Opt_context, "context=%s"},
326 {Opt_fscontext, "fscontext=%s"},
327 {Opt_defcontext, "defcontext=%s"},
328};
329
330#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
331
332static int try_context_mount(struct super_block *sb, void *data)
333{
334 char *context = NULL, *defcontext = NULL;
335 const char *name;
336 u32 sid;
337 int alloc = 0, rc = 0, seen = 0;
338 struct task_security_struct *tsec = current->security;
339 struct superblock_security_struct *sbsec = sb->s_security;
340
341 if (!data)
342 goto out;
343
344 name = sb->s_type->name;
345
346 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
347
348 /* NFS we understand. */
349 if (!strcmp(name, "nfs")) {
350 struct nfs_mount_data *d = data;
351
352 if (d->version < NFS_MOUNT_VERSION)
353 goto out;
354
355 if (d->context[0]) {
356 context = d->context;
357 seen |= Opt_context;
358 }
359 } else
360 goto out;
361
362 } else {
363 /* Standard string-based options. */
364 char *p, *options = data;
365
366 while ((p = strsep(&options, ",")) != NULL) {
367 int token;
368 substring_t args[MAX_OPT_ARGS];
369
370 if (!*p)
371 continue;
372
373 token = match_token(p, tokens, args);
374
375 switch (token) {
376 case Opt_context:
377 if (seen) {
378 rc = -EINVAL;
379 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
380 goto out_free;
381 }
382 context = match_strdup(&args[0]);
383 if (!context) {
384 rc = -ENOMEM;
385 goto out_free;
386 }
387 if (!alloc)
388 alloc = 1;
389 seen |= Opt_context;
390 break;
391
392 case Opt_fscontext:
393 if (seen & (Opt_context|Opt_fscontext)) {
394 rc = -EINVAL;
395 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
396 goto out_free;
397 }
398 context = match_strdup(&args[0]);
399 if (!context) {
400 rc = -ENOMEM;
401 goto out_free;
402 }
403 if (!alloc)
404 alloc = 1;
405 seen |= Opt_fscontext;
406 break;
407
408 case Opt_defcontext:
409 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
410 rc = -EINVAL;
411 printk(KERN_WARNING "SELinux: "
412 "defcontext option is invalid "
413 "for this filesystem type\n");
414 goto out_free;
415 }
416 if (seen & (Opt_context|Opt_defcontext)) {
417 rc = -EINVAL;
418 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
419 goto out_free;
420 }
421 defcontext = match_strdup(&args[0]);
422 if (!defcontext) {
423 rc = -ENOMEM;
424 goto out_free;
425 }
426 if (!alloc)
427 alloc = 1;
428 seen |= Opt_defcontext;
429 break;
430
431 default:
432 rc = -EINVAL;
433 printk(KERN_WARNING "SELinux: unknown mount "
434 "option\n");
435 goto out_free;
436
437 }
438 }
439 }
440
441 if (!seen)
442 goto out;
443
444 if (context) {
445 rc = security_context_to_sid(context, strlen(context), &sid);
446 if (rc) {
447 printk(KERN_WARNING "SELinux: security_context_to_sid"
448 "(%s) failed for (dev %s, type %s) errno=%d\n",
449 context, sb->s_id, name, rc);
450 goto out_free;
451 }
452
453 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
454 FILESYSTEM__RELABELFROM, NULL);
455 if (rc)
456 goto out_free;
457
458 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
459 FILESYSTEM__RELABELTO, NULL);
460 if (rc)
461 goto out_free;
462
463 sbsec->sid = sid;
464
465 if (seen & Opt_context)
466 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
467 }
468
469 if (defcontext) {
470 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
471 if (rc) {
472 printk(KERN_WARNING "SELinux: security_context_to_sid"
473 "(%s) failed for (dev %s, type %s) errno=%d\n",
474 defcontext, sb->s_id, name, rc);
475 goto out_free;
476 }
477
478 if (sid == sbsec->def_sid)
479 goto out_free;
480
481 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
482 FILESYSTEM__RELABELFROM, NULL);
483 if (rc)
484 goto out_free;
485
486 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
487 FILESYSTEM__ASSOCIATE, NULL);
488 if (rc)
489 goto out_free;
490
491 sbsec->def_sid = sid;
492 }
493
494out_free:
495 if (alloc) {
496 kfree(context);
497 kfree(defcontext);
498 }
499out:
500 return rc;
501}
502
503static int superblock_doinit(struct super_block *sb, void *data)
504{
505 struct superblock_security_struct *sbsec = sb->s_security;
506 struct dentry *root = sb->s_root;
507 struct inode *inode = root->d_inode;
508 int rc = 0;
509
510 down(&sbsec->sem);
511 if (sbsec->initialized)
512 goto out;
513
514 if (!ss_initialized) {
515 /* Defer initialization until selinux_complete_init,
516 after the initial policy is loaded and the security
517 server is ready to handle calls. */
518 spin_lock(&sb_security_lock);
519 if (list_empty(&sbsec->list))
520 list_add(&sbsec->list, &superblock_security_head);
521 spin_unlock(&sb_security_lock);
522 goto out;
523 }
524
525 /* Determine the labeling behavior to use for this filesystem type. */
526 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
527 if (rc) {
528 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
529 __FUNCTION__, sb->s_type->name, rc);
530 goto out;
531 }
532
533 rc = try_context_mount(sb, data);
534 if (rc)
535 goto out;
536
537 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
538 /* Make sure that the xattr handler exists and that no
539 error other than -ENODATA is returned by getxattr on
540 the root directory. -ENODATA is ok, as this may be
541 the first boot of the SELinux kernel before we have
542 assigned xattr values to the filesystem. */
543 if (!inode->i_op->getxattr) {
544 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
545 "xattr support\n", sb->s_id, sb->s_type->name);
546 rc = -EOPNOTSUPP;
547 goto out;
548 }
549 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
550 if (rc < 0 && rc != -ENODATA) {
551 if (rc == -EOPNOTSUPP)
552 printk(KERN_WARNING "SELinux: (dev %s, type "
553 "%s) has no security xattr handler\n",
554 sb->s_id, sb->s_type->name);
555 else
556 printk(KERN_WARNING "SELinux: (dev %s, type "
557 "%s) getxattr errno %d\n", sb->s_id,
558 sb->s_type->name, -rc);
559 goto out;
560 }
561 }
562
563 if (strcmp(sb->s_type->name, "proc") == 0)
564 sbsec->proc = 1;
565
566 sbsec->initialized = 1;
567
568 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
569 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
570 sb->s_id, sb->s_type->name);
571 }
572 else {
573 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
574 sb->s_id, sb->s_type->name,
575 labeling_behaviors[sbsec->behavior-1]);
576 }
577
578 /* Initialize the root inode. */
579 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
580
581 /* Initialize any other inodes associated with the superblock, e.g.
582 inodes created prior to initial policy load or inodes created
583 during get_sb by a pseudo filesystem that directly
584 populates itself. */
585 spin_lock(&sbsec->isec_lock);
586next_inode:
587 if (!list_empty(&sbsec->isec_head)) {
588 struct inode_security_struct *isec =
589 list_entry(sbsec->isec_head.next,
590 struct inode_security_struct, list);
591 struct inode *inode = isec->inode;
592 spin_unlock(&sbsec->isec_lock);
593 inode = igrab(inode);
594 if (inode) {
595 if (!IS_PRIVATE (inode))
596 inode_doinit(inode);
597 iput(inode);
598 }
599 spin_lock(&sbsec->isec_lock);
600 list_del_init(&isec->list);
601 goto next_inode;
602 }
603 spin_unlock(&sbsec->isec_lock);
604out:
605 up(&sbsec->sem);
606 return rc;
607}
608
609static inline u16 inode_mode_to_security_class(umode_t mode)
610{
611 switch (mode & S_IFMT) {
612 case S_IFSOCK:
613 return SECCLASS_SOCK_FILE;
614 case S_IFLNK:
615 return SECCLASS_LNK_FILE;
616 case S_IFREG:
617 return SECCLASS_FILE;
618 case S_IFBLK:
619 return SECCLASS_BLK_FILE;
620 case S_IFDIR:
621 return SECCLASS_DIR;
622 case S_IFCHR:
623 return SECCLASS_CHR_FILE;
624 case S_IFIFO:
625 return SECCLASS_FIFO_FILE;
626
627 }
628
629 return SECCLASS_FILE;
630}
631
632static inline u16 socket_type_to_security_class(int family, int type, int protocol)
633{
634 switch (family) {
635 case PF_UNIX:
636 switch (type) {
637 case SOCK_STREAM:
638 case SOCK_SEQPACKET:
639 return SECCLASS_UNIX_STREAM_SOCKET;
640 case SOCK_DGRAM:
641 return SECCLASS_UNIX_DGRAM_SOCKET;
642 }
643 break;
644 case PF_INET:
645 case PF_INET6:
646 switch (type) {
647 case SOCK_STREAM:
648 return SECCLASS_TCP_SOCKET;
649 case SOCK_DGRAM:
650 return SECCLASS_UDP_SOCKET;
651 case SOCK_RAW:
652 return SECCLASS_RAWIP_SOCKET;
653 }
654 break;
655 case PF_NETLINK:
656 switch (protocol) {
657 case NETLINK_ROUTE:
658 return SECCLASS_NETLINK_ROUTE_SOCKET;
659 case NETLINK_FIREWALL:
660 return SECCLASS_NETLINK_FIREWALL_SOCKET;
661 case NETLINK_TCPDIAG:
662 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
663 case NETLINK_NFLOG:
664 return SECCLASS_NETLINK_NFLOG_SOCKET;
665 case NETLINK_XFRM:
666 return SECCLASS_NETLINK_XFRM_SOCKET;
667 case NETLINK_SELINUX:
668 return SECCLASS_NETLINK_SELINUX_SOCKET;
669 case NETLINK_AUDIT:
670 return SECCLASS_NETLINK_AUDIT_SOCKET;
671 case NETLINK_IP6_FW:
672 return SECCLASS_NETLINK_IP6FW_SOCKET;
673 case NETLINK_DNRTMSG:
674 return SECCLASS_NETLINK_DNRT_SOCKET;
675 default:
676 return SECCLASS_NETLINK_SOCKET;
677 }
678 case PF_PACKET:
679 return SECCLASS_PACKET_SOCKET;
680 case PF_KEY:
681 return SECCLASS_KEY_SOCKET;
682 }
683
684 return SECCLASS_SOCKET;
685}
686
687#ifdef CONFIG_PROC_FS
688static int selinux_proc_get_sid(struct proc_dir_entry *de,
689 u16 tclass,
690 u32 *sid)
691{
692 int buflen, rc;
693 char *buffer, *path, *end;
694
695 buffer = (char*)__get_free_page(GFP_KERNEL);
696 if (!buffer)
697 return -ENOMEM;
698
699 buflen = PAGE_SIZE;
700 end = buffer+buflen;
701 *--end = '\0';
702 buflen--;
703 path = end-1;
704 *path = '/';
705 while (de && de != de->parent) {
706 buflen -= de->namelen + 1;
707 if (buflen < 0)
708 break;
709 end -= de->namelen;
710 memcpy(end, de->name, de->namelen);
711 *--end = '/';
712 path = end;
713 de = de->parent;
714 }
715 rc = security_genfs_sid("proc", path, tclass, sid);
716 free_page((unsigned long)buffer);
717 return rc;
718}
719#else
720static int selinux_proc_get_sid(struct proc_dir_entry *de,
721 u16 tclass,
722 u32 *sid)
723{
724 return -EINVAL;
725}
726#endif
727
728/* The inode's security attributes must be initialized before first use. */
729static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
730{
731 struct superblock_security_struct *sbsec = NULL;
732 struct inode_security_struct *isec = inode->i_security;
733 u32 sid;
734 struct dentry *dentry;
735#define INITCONTEXTLEN 255
736 char *context = NULL;
737 unsigned len = 0;
738 int rc = 0;
739 int hold_sem = 0;
740
741 if (isec->initialized)
742 goto out;
743
744 down(&isec->sem);
745 hold_sem = 1;
746 if (isec->initialized)
747 goto out;
748
749 sbsec = inode->i_sb->s_security;
750 if (!sbsec->initialized) {
751 /* Defer initialization until selinux_complete_init,
752 after the initial policy is loaded and the security
753 server is ready to handle calls. */
754 spin_lock(&sbsec->isec_lock);
755 if (list_empty(&isec->list))
756 list_add(&isec->list, &sbsec->isec_head);
757 spin_unlock(&sbsec->isec_lock);
758 goto out;
759 }
760
761 switch (sbsec->behavior) {
762 case SECURITY_FS_USE_XATTR:
763 if (!inode->i_op->getxattr) {
764 isec->sid = sbsec->def_sid;
765 break;
766 }
767
768 /* Need a dentry, since the xattr API requires one.
769 Life would be simpler if we could just pass the inode. */
770 if (opt_dentry) {
771 /* Called from d_instantiate or d_splice_alias. */
772 dentry = dget(opt_dentry);
773 } else {
774 /* Called from selinux_complete_init, try to find a dentry. */
775 dentry = d_find_alias(inode);
776 }
777 if (!dentry) {
778 printk(KERN_WARNING "%s: no dentry for dev=%s "
779 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
780 inode->i_ino);
781 goto out;
782 }
783
784 len = INITCONTEXTLEN;
785 context = kmalloc(len, GFP_KERNEL);
786 if (!context) {
787 rc = -ENOMEM;
788 dput(dentry);
789 goto out;
790 }
791 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
792 context, len);
793 if (rc == -ERANGE) {
794 /* Need a larger buffer. Query for the right size. */
795 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
796 NULL, 0);
797 if (rc < 0) {
798 dput(dentry);
799 goto out;
800 }
801 kfree(context);
802 len = rc;
803 context = kmalloc(len, GFP_KERNEL);
804 if (!context) {
805 rc = -ENOMEM;
806 dput(dentry);
807 goto out;
808 }
809 rc = inode->i_op->getxattr(dentry,
810 XATTR_NAME_SELINUX,
811 context, len);
812 }
813 dput(dentry);
814 if (rc < 0) {
815 if (rc != -ENODATA) {
816 printk(KERN_WARNING "%s: getxattr returned "
817 "%d for dev=%s ino=%ld\n", __FUNCTION__,
818 -rc, inode->i_sb->s_id, inode->i_ino);
819 kfree(context);
820 goto out;
821 }
822 /* Map ENODATA to the default file SID */
823 sid = sbsec->def_sid;
824 rc = 0;
825 } else {
826 rc = security_context_to_sid(context, rc, &sid);
827 if (rc) {
828 printk(KERN_WARNING "%s: context_to_sid(%s) "
829 "returned %d for dev=%s ino=%ld\n",
830 __FUNCTION__, context, -rc,
831 inode->i_sb->s_id, inode->i_ino);
832 kfree(context);
833 /* Leave with the unlabeled SID */
834 rc = 0;
835 break;
836 }
837 }
838 kfree(context);
839 isec->sid = sid;
840 break;
841 case SECURITY_FS_USE_TASK:
842 isec->sid = isec->task_sid;
843 break;
844 case SECURITY_FS_USE_TRANS:
845 /* Default to the fs SID. */
846 isec->sid = sbsec->sid;
847
848 /* Try to obtain a transition SID. */
849 isec->sclass = inode_mode_to_security_class(inode->i_mode);
850 rc = security_transition_sid(isec->task_sid,
851 sbsec->sid,
852 isec->sclass,
853 &sid);
854 if (rc)
855 goto out;
856 isec->sid = sid;
857 break;
858 default:
859 /* Default to the fs SID. */
860 isec->sid = sbsec->sid;
861
862 if (sbsec->proc) {
863 struct proc_inode *proci = PROC_I(inode);
864 if (proci->pde) {
865 isec->sclass = inode_mode_to_security_class(inode->i_mode);
866 rc = selinux_proc_get_sid(proci->pde,
867 isec->sclass,
868 &sid);
869 if (rc)
870 goto out;
871 isec->sid = sid;
872 }
873 }
874 break;
875 }
876
877 isec->initialized = 1;
878
879out:
880 if (isec->sclass == SECCLASS_FILE)
881 isec->sclass = inode_mode_to_security_class(inode->i_mode);
882
883 if (hold_sem)
884 up(&isec->sem);
885 return rc;
886}
887
888/* Convert a Linux signal to an access vector. */
889static inline u32 signal_to_av(int sig)
890{
891 u32 perm = 0;
892
893 switch (sig) {
894 case SIGCHLD:
895 /* Commonly granted from child to parent. */
896 perm = PROCESS__SIGCHLD;
897 break;
898 case SIGKILL:
899 /* Cannot be caught or ignored */
900 perm = PROCESS__SIGKILL;
901 break;
902 case SIGSTOP:
903 /* Cannot be caught or ignored */
904 perm = PROCESS__SIGSTOP;
905 break;
906 default:
907 /* All other signals. */
908 perm = PROCESS__SIGNAL;
909 break;
910 }
911
912 return perm;
913}
914
915/* Check permission betweeen a pair of tasks, e.g. signal checks,
916 fork check, ptrace check, etc. */
917static int task_has_perm(struct task_struct *tsk1,
918 struct task_struct *tsk2,
919 u32 perms)
920{
921 struct task_security_struct *tsec1, *tsec2;
922
923 tsec1 = tsk1->security;
924 tsec2 = tsk2->security;
925 return avc_has_perm(tsec1->sid, tsec2->sid,
926 SECCLASS_PROCESS, perms, NULL);
927}
928
929/* Check whether a task is allowed to use a capability. */
930static int task_has_capability(struct task_struct *tsk,
931 int cap)
932{
933 struct task_security_struct *tsec;
934 struct avc_audit_data ad;
935
936 tsec = tsk->security;
937
938 AVC_AUDIT_DATA_INIT(&ad,CAP);
939 ad.tsk = tsk;
940 ad.u.cap = cap;
941
942 return avc_has_perm(tsec->sid, tsec->sid,
943 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
944}
945
946/* Check whether a task is allowed to use a system operation. */
947static int task_has_system(struct task_struct *tsk,
948 u32 perms)
949{
950 struct task_security_struct *tsec;
951
952 tsec = tsk->security;
953
954 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
955 SECCLASS_SYSTEM, perms, NULL);
956}
957
958/* Check whether a task has a particular permission to an inode.
959 The 'adp' parameter is optional and allows other audit
960 data to be passed (e.g. the dentry). */
961static int inode_has_perm(struct task_struct *tsk,
962 struct inode *inode,
963 u32 perms,
964 struct avc_audit_data *adp)
965{
966 struct task_security_struct *tsec;
967 struct inode_security_struct *isec;
968 struct avc_audit_data ad;
969
970 tsec = tsk->security;
971 isec = inode->i_security;
972
973 if (!adp) {
974 adp = &ad;
975 AVC_AUDIT_DATA_INIT(&ad, FS);
976 ad.u.fs.inode = inode;
977 }
978
979 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
980}
981
982/* Same as inode_has_perm, but pass explicit audit data containing
983 the dentry to help the auditing code to more easily generate the
984 pathname if needed. */
985static inline int dentry_has_perm(struct task_struct *tsk,
986 struct vfsmount *mnt,
987 struct dentry *dentry,
988 u32 av)
989{
990 struct inode *inode = dentry->d_inode;
991 struct avc_audit_data ad;
992 AVC_AUDIT_DATA_INIT(&ad,FS);
993 ad.u.fs.mnt = mnt;
994 ad.u.fs.dentry = dentry;
995 return inode_has_perm(tsk, inode, av, &ad);
996}
997
998/* Check whether a task can use an open file descriptor to
999 access an inode in a given way. Check access to the
1000 descriptor itself, and then use dentry_has_perm to
1001 check a particular permission to the file.
1002 Access to the descriptor is implicitly granted if it
1003 has the same SID as the process. If av is zero, then
1004 access to the file is not checked, e.g. for cases
1005 where only the descriptor is affected like seek. */
1006static inline int file_has_perm(struct task_struct *tsk,
1007 struct file *file,
1008 u32 av)
1009{
1010 struct task_security_struct *tsec = tsk->security;
1011 struct file_security_struct *fsec = file->f_security;
1012 struct vfsmount *mnt = file->f_vfsmnt;
1013 struct dentry *dentry = file->f_dentry;
1014 struct inode *inode = dentry->d_inode;
1015 struct avc_audit_data ad;
1016 int rc;
1017
1018 AVC_AUDIT_DATA_INIT(&ad, FS);
1019 ad.u.fs.mnt = mnt;
1020 ad.u.fs.dentry = dentry;
1021
1022 if (tsec->sid != fsec->sid) {
1023 rc = avc_has_perm(tsec->sid, fsec->sid,
1024 SECCLASS_FD,
1025 FD__USE,
1026 &ad);
1027 if (rc)
1028 return rc;
1029 }
1030
1031 /* av is zero if only checking access to the descriptor. */
1032 if (av)
1033 return inode_has_perm(tsk, inode, av, &ad);
1034
1035 return 0;
1036}
1037
1038/* Check whether a task can create a file. */
1039static int may_create(struct inode *dir,
1040 struct dentry *dentry,
1041 u16 tclass)
1042{
1043 struct task_security_struct *tsec;
1044 struct inode_security_struct *dsec;
1045 struct superblock_security_struct *sbsec;
1046 u32 newsid;
1047 struct avc_audit_data ad;
1048 int rc;
1049
1050 tsec = current->security;
1051 dsec = dir->i_security;
1052 sbsec = dir->i_sb->s_security;
1053
1054 AVC_AUDIT_DATA_INIT(&ad, FS);
1055 ad.u.fs.dentry = dentry;
1056
1057 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1058 DIR__ADD_NAME | DIR__SEARCH,
1059 &ad);
1060 if (rc)
1061 return rc;
1062
1063 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1064 newsid = tsec->create_sid;
1065 } else {
1066 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1067 &newsid);
1068 if (rc)
1069 return rc;
1070 }
1071
1072 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1073 if (rc)
1074 return rc;
1075
1076 return avc_has_perm(newsid, sbsec->sid,
1077 SECCLASS_FILESYSTEM,
1078 FILESYSTEM__ASSOCIATE, &ad);
1079}
1080
1081#define MAY_LINK 0
1082#define MAY_UNLINK 1
1083#define MAY_RMDIR 2
1084
1085/* Check whether a task can link, unlink, or rmdir a file/directory. */
1086static int may_link(struct inode *dir,
1087 struct dentry *dentry,
1088 int kind)
1089
1090{
1091 struct task_security_struct *tsec;
1092 struct inode_security_struct *dsec, *isec;
1093 struct avc_audit_data ad;
1094 u32 av;
1095 int rc;
1096
1097 tsec = current->security;
1098 dsec = dir->i_security;
1099 isec = dentry->d_inode->i_security;
1100
1101 AVC_AUDIT_DATA_INIT(&ad, FS);
1102 ad.u.fs.dentry = dentry;
1103
1104 av = DIR__SEARCH;
1105 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1106 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1107 if (rc)
1108 return rc;
1109
1110 switch (kind) {
1111 case MAY_LINK:
1112 av = FILE__LINK;
1113 break;
1114 case MAY_UNLINK:
1115 av = FILE__UNLINK;
1116 break;
1117 case MAY_RMDIR:
1118 av = DIR__RMDIR;
1119 break;
1120 default:
1121 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1122 return 0;
1123 }
1124
1125 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1126 return rc;
1127}
1128
1129static inline int may_rename(struct inode *old_dir,
1130 struct dentry *old_dentry,
1131 struct inode *new_dir,
1132 struct dentry *new_dentry)
1133{
1134 struct task_security_struct *tsec;
1135 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1136 struct avc_audit_data ad;
1137 u32 av;
1138 int old_is_dir, new_is_dir;
1139 int rc;
1140
1141 tsec = current->security;
1142 old_dsec = old_dir->i_security;
1143 old_isec = old_dentry->d_inode->i_security;
1144 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1145 new_dsec = new_dir->i_security;
1146
1147 AVC_AUDIT_DATA_INIT(&ad, FS);
1148
1149 ad.u.fs.dentry = old_dentry;
1150 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1151 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1152 if (rc)
1153 return rc;
1154 rc = avc_has_perm(tsec->sid, old_isec->sid,
1155 old_isec->sclass, FILE__RENAME, &ad);
1156 if (rc)
1157 return rc;
1158 if (old_is_dir && new_dir != old_dir) {
1159 rc = avc_has_perm(tsec->sid, old_isec->sid,
1160 old_isec->sclass, DIR__REPARENT, &ad);
1161 if (rc)
1162 return rc;
1163 }
1164
1165 ad.u.fs.dentry = new_dentry;
1166 av = DIR__ADD_NAME | DIR__SEARCH;
1167 if (new_dentry->d_inode)
1168 av |= DIR__REMOVE_NAME;
1169 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1170 if (rc)
1171 return rc;
1172 if (new_dentry->d_inode) {
1173 new_isec = new_dentry->d_inode->i_security;
1174 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1175 rc = avc_has_perm(tsec->sid, new_isec->sid,
1176 new_isec->sclass,
1177 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1178 if (rc)
1179 return rc;
1180 }
1181
1182 return 0;
1183}
1184
1185/* Check whether a task can perform a filesystem operation. */
1186static int superblock_has_perm(struct task_struct *tsk,
1187 struct super_block *sb,
1188 u32 perms,
1189 struct avc_audit_data *ad)
1190{
1191 struct task_security_struct *tsec;
1192 struct superblock_security_struct *sbsec;
1193
1194 tsec = tsk->security;
1195 sbsec = sb->s_security;
1196 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1197 perms, ad);
1198}
1199
1200/* Convert a Linux mode and permission mask to an access vector. */
1201static inline u32 file_mask_to_av(int mode, int mask)
1202{
1203 u32 av = 0;
1204
1205 if ((mode & S_IFMT) != S_IFDIR) {
1206 if (mask & MAY_EXEC)
1207 av |= FILE__EXECUTE;
1208 if (mask & MAY_READ)
1209 av |= FILE__READ;
1210
1211 if (mask & MAY_APPEND)
1212 av |= FILE__APPEND;
1213 else if (mask & MAY_WRITE)
1214 av |= FILE__WRITE;
1215
1216 } else {
1217 if (mask & MAY_EXEC)
1218 av |= DIR__SEARCH;
1219 if (mask & MAY_WRITE)
1220 av |= DIR__WRITE;
1221 if (mask & MAY_READ)
1222 av |= DIR__READ;
1223 }
1224
1225 return av;
1226}
1227
1228/* Convert a Linux file to an access vector. */
1229static inline u32 file_to_av(struct file *file)
1230{
1231 u32 av = 0;
1232
1233 if (file->f_mode & FMODE_READ)
1234 av |= FILE__READ;
1235 if (file->f_mode & FMODE_WRITE) {
1236 if (file->f_flags & O_APPEND)
1237 av |= FILE__APPEND;
1238 else
1239 av |= FILE__WRITE;
1240 }
1241
1242 return av;
1243}
1244
1245/* Set an inode's SID to a specified value. */
1246static int inode_security_set_sid(struct inode *inode, u32 sid)
1247{
1248 struct inode_security_struct *isec = inode->i_security;
1249 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1250
1251 if (!sbsec->initialized) {
1252 /* Defer initialization to selinux_complete_init. */
1253 return 0;
1254 }
1255
1256 down(&isec->sem);
1257 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1258 isec->sid = sid;
1259 isec->initialized = 1;
1260 up(&isec->sem);
1261 return 0;
1262}
1263
1264/* Set the security attributes on a newly created file. */
1265static int post_create(struct inode *dir,
1266 struct dentry *dentry)
1267{
1268
1269 struct task_security_struct *tsec;
1270 struct inode *inode;
1271 struct inode_security_struct *dsec;
1272 struct superblock_security_struct *sbsec;
1273 u32 newsid;
1274 char *context;
1275 unsigned int len;
1276 int rc;
1277
1278 tsec = current->security;
1279 dsec = dir->i_security;
1280 sbsec = dir->i_sb->s_security;
1281
1282 inode = dentry->d_inode;
1283 if (!inode) {
1284 /* Some file system types (e.g. NFS) may not instantiate
1285 a dentry for all create operations (e.g. symlink),
1286 so we have to check to see if the inode is non-NULL. */
1287 printk(KERN_WARNING "post_create: no inode, dir (dev=%s, "
1288 "ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
1289 return 0;
1290 }
1291
1292 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1293 newsid = tsec->create_sid;
1294 } else {
1295 rc = security_transition_sid(tsec->sid, dsec->sid,
1296 inode_mode_to_security_class(inode->i_mode),
1297 &newsid);
1298 if (rc) {
1299 printk(KERN_WARNING "post_create: "
1300 "security_transition_sid failed, rc=%d (dev=%s "
1301 "ino=%ld)\n",
1302 -rc, inode->i_sb->s_id, inode->i_ino);
1303 return rc;
1304 }
1305 }
1306
1307 rc = inode_security_set_sid(inode, newsid);
1308 if (rc) {
1309 printk(KERN_WARNING "post_create: inode_security_set_sid "
1310 "failed, rc=%d (dev=%s ino=%ld)\n",
1311 -rc, inode->i_sb->s_id, inode->i_ino);
1312 return rc;
1313 }
1314
1315 if (sbsec->behavior == SECURITY_FS_USE_XATTR &&
1316 inode->i_op->setxattr) {
1317 /* Use extended attributes. */
1318 rc = security_sid_to_context(newsid, &context, &len);
1319 if (rc) {
1320 printk(KERN_WARNING "post_create: sid_to_context "
1321 "failed, rc=%d (dev=%s ino=%ld)\n",
1322 -rc, inode->i_sb->s_id, inode->i_ino);
1323 return rc;
1324 }
1325 down(&inode->i_sem);
1326 rc = inode->i_op->setxattr(dentry,
1327 XATTR_NAME_SELINUX,
1328 context, len, 0);
1329 up(&inode->i_sem);
1330 kfree(context);
1331 if (rc < 0) {
1332 printk(KERN_WARNING "post_create: setxattr failed, "
1333 "rc=%d (dev=%s ino=%ld)\n",
1334 -rc, inode->i_sb->s_id, inode->i_ino);
1335 return rc;
1336 }
1337 }
1338
1339 return 0;
1340}
1341
1342
1343/* Hook functions begin here. */
1344
1345static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1346{
1347 struct task_security_struct *psec = parent->security;
1348 struct task_security_struct *csec = child->security;
1349 int rc;
1350
1351 rc = secondary_ops->ptrace(parent,child);
1352 if (rc)
1353 return rc;
1354
1355 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1356 /* Save the SID of the tracing process for later use in apply_creds. */
1357 if (!rc)
1358 csec->ptrace_sid = psec->sid;
1359 return rc;
1360}
1361
1362static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1363 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1364{
1365 int error;
1366
1367 error = task_has_perm(current, target, PROCESS__GETCAP);
1368 if (error)
1369 return error;
1370
1371 return secondary_ops->capget(target, effective, inheritable, permitted);
1372}
1373
1374static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1375 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1376{
1377 int error;
1378
1379 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1380 if (error)
1381 return error;
1382
1383 return task_has_perm(current, target, PROCESS__SETCAP);
1384}
1385
1386static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1387 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1388{
1389 secondary_ops->capset_set(target, effective, inheritable, permitted);
1390}
1391
1392static int selinux_capable(struct task_struct *tsk, int cap)
1393{
1394 int rc;
1395
1396 rc = secondary_ops->capable(tsk, cap);
1397 if (rc)
1398 return rc;
1399
1400 return task_has_capability(tsk,cap);
1401}
1402
1403static int selinux_sysctl(ctl_table *table, int op)
1404{
1405 int error = 0;
1406 u32 av;
1407 struct task_security_struct *tsec;
1408 u32 tsid;
1409 int rc;
1410
1411 rc = secondary_ops->sysctl(table, op);
1412 if (rc)
1413 return rc;
1414
1415 tsec = current->security;
1416
1417 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1418 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1419 if (rc) {
1420 /* Default to the well-defined sysctl SID. */
1421 tsid = SECINITSID_SYSCTL;
1422 }
1423
1424 /* The op values are "defined" in sysctl.c, thereby creating
1425 * a bad coupling between this module and sysctl.c */
1426 if(op == 001) {
1427 error = avc_has_perm(tsec->sid, tsid,
1428 SECCLASS_DIR, DIR__SEARCH, NULL);
1429 } else {
1430 av = 0;
1431 if (op & 004)
1432 av |= FILE__READ;
1433 if (op & 002)
1434 av |= FILE__WRITE;
1435 if (av)
1436 error = avc_has_perm(tsec->sid, tsid,
1437 SECCLASS_FILE, av, NULL);
1438 }
1439
1440 return error;
1441}
1442
1443static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1444{
1445 int rc = 0;
1446
1447 if (!sb)
1448 return 0;
1449
1450 switch (cmds) {
1451 case Q_SYNC:
1452 case Q_QUOTAON:
1453 case Q_QUOTAOFF:
1454 case Q_SETINFO:
1455 case Q_SETQUOTA:
1456 rc = superblock_has_perm(current,
1457 sb,
1458 FILESYSTEM__QUOTAMOD, NULL);
1459 break;
1460 case Q_GETFMT:
1461 case Q_GETINFO:
1462 case Q_GETQUOTA:
1463 rc = superblock_has_perm(current,
1464 sb,
1465 FILESYSTEM__QUOTAGET, NULL);
1466 break;
1467 default:
1468 rc = 0; /* let the kernel handle invalid cmds */
1469 break;
1470 }
1471 return rc;
1472}
1473
1474static int selinux_quota_on(struct dentry *dentry)
1475{
1476 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1477}
1478
1479static int selinux_syslog(int type)
1480{
1481 int rc;
1482
1483 rc = secondary_ops->syslog(type);
1484 if (rc)
1485 return rc;
1486
1487 switch (type) {
1488 case 3: /* Read last kernel messages */
1489 case 10: /* Return size of the log buffer */
1490 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1491 break;
1492 case 6: /* Disable logging to console */
1493 case 7: /* Enable logging to console */
1494 case 8: /* Set level of messages printed to console */
1495 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1496 break;
1497 case 0: /* Close log */
1498 case 1: /* Open log */
1499 case 2: /* Read from log */
1500 case 4: /* Read/clear last kernel messages */
1501 case 5: /* Clear ring buffer */
1502 default:
1503 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1504 break;
1505 }
1506 return rc;
1507}
1508
1509/*
1510 * Check that a process has enough memory to allocate a new virtual
1511 * mapping. 0 means there is enough memory for the allocation to
1512 * succeed and -ENOMEM implies there is not.
1513 *
1514 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1515 * if the capability is granted, but __vm_enough_memory requires 1 if
1516 * the capability is granted.
1517 *
1518 * Do not audit the selinux permission check, as this is applied to all
1519 * processes that allocate mappings.
1520 */
1521static int selinux_vm_enough_memory(long pages)
1522{
1523 int rc, cap_sys_admin = 0;
1524 struct task_security_struct *tsec = current->security;
1525
1526 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1527 if (rc == 0)
1528 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1529 SECCLASS_CAPABILITY,
1530 CAP_TO_MASK(CAP_SYS_ADMIN),
1531 NULL);
1532
1533 if (rc == 0)
1534 cap_sys_admin = 1;
1535
1536 return __vm_enough_memory(pages, cap_sys_admin);
1537}
1538
1539/* binprm security operations */
1540
1541static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1542{
1543 struct bprm_security_struct *bsec;
1544
1545 bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1546 if (!bsec)
1547 return -ENOMEM;
1548
1549 memset(bsec, 0, sizeof *bsec);
1550 bsec->magic = SELINUX_MAGIC;
1551 bsec->bprm = bprm;
1552 bsec->sid = SECINITSID_UNLABELED;
1553 bsec->set = 0;
1554
1555 bprm->security = bsec;
1556 return 0;
1557}
1558
1559static int selinux_bprm_set_security(struct linux_binprm *bprm)
1560{
1561 struct task_security_struct *tsec;
1562 struct inode *inode = bprm->file->f_dentry->d_inode;
1563 struct inode_security_struct *isec;
1564 struct bprm_security_struct *bsec;
1565 u32 newsid;
1566 struct avc_audit_data ad;
1567 int rc;
1568
1569 rc = secondary_ops->bprm_set_security(bprm);
1570 if (rc)
1571 return rc;
1572
1573 bsec = bprm->security;
1574
1575 if (bsec->set)
1576 return 0;
1577
1578 tsec = current->security;
1579 isec = inode->i_security;
1580
1581 /* Default to the current task SID. */
1582 bsec->sid = tsec->sid;
1583
1584 /* Reset create SID on execve. */
1585 tsec->create_sid = 0;
1586
1587 if (tsec->exec_sid) {
1588 newsid = tsec->exec_sid;
1589 /* Reset exec SID on execve. */
1590 tsec->exec_sid = 0;
1591 } else {
1592 /* Check for a default transition on this program. */
1593 rc = security_transition_sid(tsec->sid, isec->sid,
1594 SECCLASS_PROCESS, &newsid);
1595 if (rc)
1596 return rc;
1597 }
1598
1599 AVC_AUDIT_DATA_INIT(&ad, FS);
1600 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1601 ad.u.fs.dentry = bprm->file->f_dentry;
1602
1603 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1604 newsid = tsec->sid;
1605
1606 if (tsec->sid == newsid) {
1607 rc = avc_has_perm(tsec->sid, isec->sid,
1608 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1609 if (rc)
1610 return rc;
1611 } else {
1612 /* Check permissions for the transition. */
1613 rc = avc_has_perm(tsec->sid, newsid,
1614 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1615 if (rc)
1616 return rc;
1617
1618 rc = avc_has_perm(newsid, isec->sid,
1619 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1620 if (rc)
1621 return rc;
1622
1623 /* Clear any possibly unsafe personality bits on exec: */
1624 current->personality &= ~PER_CLEAR_ON_SETID;
1625
1626 /* Set the security field to the new SID. */
1627 bsec->sid = newsid;
1628 }
1629
1630 bsec->set = 1;
1631 return 0;
1632}
1633
1634static int selinux_bprm_check_security (struct linux_binprm *bprm)
1635{
1636 return secondary_ops->bprm_check_security(bprm);
1637}
1638
1639
1640static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1641{
1642 struct task_security_struct *tsec = current->security;
1643 int atsecure = 0;
1644
1645 if (tsec->osid != tsec->sid) {
1646 /* Enable secure mode for SIDs transitions unless
1647 the noatsecure permission is granted between
1648 the two SIDs, i.e. ahp returns 0. */
1649 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1650 SECCLASS_PROCESS,
1651 PROCESS__NOATSECURE, NULL);
1652 }
1653
1654 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1655}
1656
1657static void selinux_bprm_free_security(struct linux_binprm *bprm)
1658{
1659 struct bprm_security_struct *bsec = bprm->security;
1660 bprm->security = NULL;
1661 kfree(bsec);
1662}
1663
1664extern struct vfsmount *selinuxfs_mount;
1665extern struct dentry *selinux_null;
1666
1667/* Derived from fs/exec.c:flush_old_files. */
1668static inline void flush_unauthorized_files(struct files_struct * files)
1669{
1670 struct avc_audit_data ad;
1671 struct file *file, *devnull = NULL;
1672 struct tty_struct *tty = current->signal->tty;
1673 long j = -1;
1674
1675 if (tty) {
1676 file_list_lock();
1677 file = list_entry(tty->tty_files.next, typeof(*file), f_list);
1678 if (file) {
1679 /* Revalidate access to controlling tty.
1680 Use inode_has_perm on the tty inode directly rather
1681 than using file_has_perm, as this particular open
1682 file may belong to another process and we are only
1683 interested in the inode-based check here. */
1684 struct inode *inode = file->f_dentry->d_inode;
1685 if (inode_has_perm(current, inode,
1686 FILE__READ | FILE__WRITE, NULL)) {
1687 /* Reset controlling tty. */
1688 current->signal->tty = NULL;
1689 current->signal->tty_old_pgrp = 0;
1690 }
1691 }
1692 file_list_unlock();
1693 }
1694
1695 /* Revalidate access to inherited open files. */
1696
1697 AVC_AUDIT_DATA_INIT(&ad,FS);
1698
1699 spin_lock(&files->file_lock);
1700 for (;;) {
1701 unsigned long set, i;
1702 int fd;
1703
1704 j++;
1705 i = j * __NFDBITS;
1706 if (i >= files->max_fds || i >= files->max_fdset)
1707 break;
1708 set = files->open_fds->fds_bits[j];
1709 if (!set)
1710 continue;
1711 spin_unlock(&files->file_lock);
1712 for ( ; set ; i++,set >>= 1) {
1713 if (set & 1) {
1714 file = fget(i);
1715 if (!file)
1716 continue;
1717 if (file_has_perm(current,
1718 file,
1719 file_to_av(file))) {
1720 sys_close(i);
1721 fd = get_unused_fd();
1722 if (fd != i) {
1723 if (fd >= 0)
1724 put_unused_fd(fd);
1725 fput(file);
1726 continue;
1727 }
1728 if (devnull) {
1729 atomic_inc(&devnull->f_count);
1730 } else {
1731 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1732 if (!devnull) {
1733 put_unused_fd(fd);
1734 fput(file);
1735 continue;
1736 }
1737 }
1738 fd_install(fd, devnull);
1739 }
1740 fput(file);
1741 }
1742 }
1743 spin_lock(&files->file_lock);
1744
1745 }
1746 spin_unlock(&files->file_lock);
1747}
1748
1749static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1750{
1751 struct task_security_struct *tsec;
1752 struct bprm_security_struct *bsec;
1753 u32 sid;
1754 int rc;
1755
1756 secondary_ops->bprm_apply_creds(bprm, unsafe);
1757
1758 tsec = current->security;
1759
1760 bsec = bprm->security;
1761 sid = bsec->sid;
1762
1763 tsec->osid = tsec->sid;
1764 bsec->unsafe = 0;
1765 if (tsec->sid != sid) {
1766 /* Check for shared state. If not ok, leave SID
1767 unchanged and kill. */
1768 if (unsafe & LSM_UNSAFE_SHARE) {
1769 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1770 PROCESS__SHARE, NULL);
1771 if (rc) {
1772 bsec->unsafe = 1;
1773 return;
1774 }
1775 }
1776
1777 /* Check for ptracing, and update the task SID if ok.
1778 Otherwise, leave SID unchanged and kill. */
1779 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1780 rc = avc_has_perm(tsec->ptrace_sid, sid,
1781 SECCLASS_PROCESS, PROCESS__PTRACE,
1782 NULL);
1783 if (rc) {
1784 bsec->unsafe = 1;
1785 return;
1786 }
1787 }
1788 tsec->sid = sid;
1789 }
1790}
1791
1792/*
1793 * called after apply_creds without the task lock held
1794 */
1795static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1796{
1797 struct task_security_struct *tsec;
1798 struct rlimit *rlim, *initrlim;
1799 struct itimerval itimer;
1800 struct bprm_security_struct *bsec;
1801 int rc, i;
1802
1803 tsec = current->security;
1804 bsec = bprm->security;
1805
1806 if (bsec->unsafe) {
1807 force_sig_specific(SIGKILL, current);
1808 return;
1809 }
1810 if (tsec->osid == tsec->sid)
1811 return;
1812
1813 /* Close files for which the new task SID is not authorized. */
1814 flush_unauthorized_files(current->files);
1815
1816 /* Check whether the new SID can inherit signal state
1817 from the old SID. If not, clear itimers to avoid
1818 subsequent signal generation and flush and unblock
1819 signals. This must occur _after_ the task SID has
1820 been updated so that any kill done after the flush
1821 will be checked against the new SID. */
1822 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1823 PROCESS__SIGINH, NULL);
1824 if (rc) {
1825 memset(&itimer, 0, sizeof itimer);
1826 for (i = 0; i < 3; i++)
1827 do_setitimer(i, &itimer, NULL);
1828 flush_signals(current);
1829 spin_lock_irq(&current->sighand->siglock);
1830 flush_signal_handlers(current, 1);
1831 sigemptyset(&current->blocked);
1832 recalc_sigpending();
1833 spin_unlock_irq(&current->sighand->siglock);
1834 }
1835
1836 /* Check whether the new SID can inherit resource limits
1837 from the old SID. If not, reset all soft limits to
1838 the lower of the current task's hard limit and the init
1839 task's soft limit. Note that the setting of hard limits
1840 (even to lower them) can be controlled by the setrlimit
1841 check. The inclusion of the init task's soft limit into
1842 the computation is to avoid resetting soft limits higher
1843 than the default soft limit for cases where the default
1844 is lower than the hard limit, e.g. RLIMIT_CORE or
1845 RLIMIT_STACK.*/
1846 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1847 PROCESS__RLIMITINH, NULL);
1848 if (rc) {
1849 for (i = 0; i < RLIM_NLIMITS; i++) {
1850 rlim = current->signal->rlim + i;
1851 initrlim = init_task.signal->rlim+i;
1852 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1853 }
1854 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1855 /*
1856 * This will cause RLIMIT_CPU calculations
1857 * to be refigured.
1858 */
1859 current->it_prof_expires = jiffies_to_cputime(1);
1860 }
1861 }
1862
1863 /* Wake up the parent if it is waiting so that it can
1864 recheck wait permission to the new task SID. */
1865 wake_up_interruptible(&current->parent->signal->wait_chldexit);
1866}
1867
1868/* superblock security operations */
1869
1870static int selinux_sb_alloc_security(struct super_block *sb)
1871{
1872 return superblock_alloc_security(sb);
1873}
1874
1875static void selinux_sb_free_security(struct super_block *sb)
1876{
1877 superblock_free_security(sb);
1878}
1879
1880static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1881{
1882 if (plen > olen)
1883 return 0;
1884
1885 return !memcmp(prefix, option, plen);
1886}
1887
1888static inline int selinux_option(char *option, int len)
1889{
1890 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1891 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1892 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1893}
1894
1895static inline void take_option(char **to, char *from, int *first, int len)
1896{
1897 if (!*first) {
1898 **to = ',';
1899 *to += 1;
1900 }
1901 else
1902 *first = 0;
1903 memcpy(*to, from, len);
1904 *to += len;
1905}
1906
1907static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1908{
1909 int fnosec, fsec, rc = 0;
1910 char *in_save, *in_curr, *in_end;
1911 char *sec_curr, *nosec_save, *nosec;
1912
1913 in_curr = orig;
1914 sec_curr = copy;
1915
1916 /* Binary mount data: just copy */
1917 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1918 copy_page(sec_curr, in_curr);
1919 goto out;
1920 }
1921
1922 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1923 if (!nosec) {
1924 rc = -ENOMEM;
1925 goto out;
1926 }
1927
1928 nosec_save = nosec;
1929 fnosec = fsec = 1;
1930 in_save = in_end = orig;
1931
1932 do {
1933 if (*in_end == ',' || *in_end == '\0') {
1934 int len = in_end - in_curr;
1935
1936 if (selinux_option(in_curr, len))
1937 take_option(&sec_curr, in_curr, &fsec, len);
1938 else
1939 take_option(&nosec, in_curr, &fnosec, len);
1940
1941 in_curr = in_end + 1;
1942 }
1943 } while (*in_end++);
1944
1945 copy_page(in_save, nosec_save);
1946out:
1947 return rc;
1948}
1949
1950static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1951{
1952 struct avc_audit_data ad;
1953 int rc;
1954
1955 rc = superblock_doinit(sb, data);
1956 if (rc)
1957 return rc;
1958
1959 AVC_AUDIT_DATA_INIT(&ad,FS);
1960 ad.u.fs.dentry = sb->s_root;
1961 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1962}
1963
1964static int selinux_sb_statfs(struct super_block *sb)
1965{
1966 struct avc_audit_data ad;
1967
1968 AVC_AUDIT_DATA_INIT(&ad,FS);
1969 ad.u.fs.dentry = sb->s_root;
1970 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1971}
1972
1973static int selinux_mount(char * dev_name,
1974 struct nameidata *nd,
1975 char * type,
1976 unsigned long flags,
1977 void * data)
1978{
1979 int rc;
1980
1981 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1982 if (rc)
1983 return rc;
1984
1985 if (flags & MS_REMOUNT)
1986 return superblock_has_perm(current, nd->mnt->mnt_sb,
1987 FILESYSTEM__REMOUNT, NULL);
1988 else
1989 return dentry_has_perm(current, nd->mnt, nd->dentry,
1990 FILE__MOUNTON);
1991}
1992
1993static int selinux_umount(struct vfsmount *mnt, int flags)
1994{
1995 int rc;
1996
1997 rc = secondary_ops->sb_umount(mnt, flags);
1998 if (rc)
1999 return rc;
2000
2001 return superblock_has_perm(current,mnt->mnt_sb,
2002 FILESYSTEM__UNMOUNT,NULL);
2003}
2004
2005/* inode security operations */
2006
2007static int selinux_inode_alloc_security(struct inode *inode)
2008{
2009 return inode_alloc_security(inode);
2010}
2011
2012static void selinux_inode_free_security(struct inode *inode)
2013{
2014 inode_free_security(inode);
2015}
2016
2017static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2018{
2019 return may_create(dir, dentry, SECCLASS_FILE);
2020}
2021
2022static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask)
2023{
2024 post_create(dir, dentry);
2025}
2026
2027static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2028{
2029 int rc;
2030
2031 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2032 if (rc)
2033 return rc;
2034 return may_link(dir, old_dentry, MAY_LINK);
2035}
2036
2037static void selinux_inode_post_link(struct dentry *old_dentry, struct inode *inode, struct dentry *new_dentry)
2038{
2039 return;
2040}
2041
2042static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2043{
2044 int rc;
2045
2046 rc = secondary_ops->inode_unlink(dir, dentry);
2047 if (rc)
2048 return rc;
2049 return may_link(dir, dentry, MAY_UNLINK);
2050}
2051
2052static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2053{
2054 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2055}
2056
2057static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2058{
2059 post_create(dir, dentry);
2060}
2061
2062static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2063{
2064 return may_create(dir, dentry, SECCLASS_DIR);
2065}
2066
2067static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2068{
2069 post_create(dir, dentry);
2070}
2071
2072static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2073{
2074 return may_link(dir, dentry, MAY_RMDIR);
2075}
2076
2077static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2078{
2079 int rc;
2080
2081 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2082 if (rc)
2083 return rc;
2084
2085 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2086}
2087
2088static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2089{
2090 post_create(dir, dentry);
2091}
2092
2093static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2094 struct inode *new_inode, struct dentry *new_dentry)
2095{
2096 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2097}
2098
2099static void selinux_inode_post_rename(struct inode *old_inode, struct dentry *old_dentry,
2100 struct inode *new_inode, struct dentry *new_dentry)
2101{
2102 return;
2103}
2104
2105static int selinux_inode_readlink(struct dentry *dentry)
2106{
2107 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2108}
2109
2110static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2111{
2112 int rc;
2113
2114 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2115 if (rc)
2116 return rc;
2117 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2118}
2119
2120static int selinux_inode_permission(struct inode *inode, int mask,
2121 struct nameidata *nd)
2122{
2123 int rc;
2124
2125 rc = secondary_ops->inode_permission(inode, mask, nd);
2126 if (rc)
2127 return rc;
2128
2129 if (!mask) {
2130 /* No permission to check. Existence test. */
2131 return 0;
2132 }
2133
2134 return inode_has_perm(current, inode,
2135 file_mask_to_av(inode->i_mode, mask), NULL);
2136}
2137
2138static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2139{
2140 int rc;
2141
2142 rc = secondary_ops->inode_setattr(dentry, iattr);
2143 if (rc)
2144 return rc;
2145
2146 if (iattr->ia_valid & ATTR_FORCE)
2147 return 0;
2148
2149 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2150 ATTR_ATIME_SET | ATTR_MTIME_SET))
2151 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2152
2153 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2154}
2155
2156static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2157{
2158 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2159}
2160
2161static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2162{
2163 struct task_security_struct *tsec = current->security;
2164 struct inode *inode = dentry->d_inode;
2165 struct inode_security_struct *isec = inode->i_security;
2166 struct superblock_security_struct *sbsec;
2167 struct avc_audit_data ad;
2168 u32 newsid;
2169 int rc = 0;
2170
2171 if (strcmp(name, XATTR_NAME_SELINUX)) {
2172 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2173 sizeof XATTR_SECURITY_PREFIX - 1) &&
2174 !capable(CAP_SYS_ADMIN)) {
2175 /* A different attribute in the security namespace.
2176 Restrict to administrator. */
2177 return -EPERM;
2178 }
2179
2180 /* Not an attribute we recognize, so just check the
2181 ordinary setattr permission. */
2182 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2183 }
2184
2185 sbsec = inode->i_sb->s_security;
2186 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2187 return -EOPNOTSUPP;
2188
2189 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2190 return -EPERM;
2191
2192 AVC_AUDIT_DATA_INIT(&ad,FS);
2193 ad.u.fs.dentry = dentry;
2194
2195 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2196 FILE__RELABELFROM, &ad);
2197 if (rc)
2198 return rc;
2199
2200 rc = security_context_to_sid(value, size, &newsid);
2201 if (rc)
2202 return rc;
2203
2204 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2205 FILE__RELABELTO, &ad);
2206 if (rc)
2207 return rc;
2208
2209 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2210 isec->sclass);
2211 if (rc)
2212 return rc;
2213
2214 return avc_has_perm(newsid,
2215 sbsec->sid,
2216 SECCLASS_FILESYSTEM,
2217 FILESYSTEM__ASSOCIATE,
2218 &ad);
2219}
2220
2221static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2222 void *value, size_t size, int flags)
2223{
2224 struct inode *inode = dentry->d_inode;
2225 struct inode_security_struct *isec = inode->i_security;
2226 u32 newsid;
2227 int rc;
2228
2229 if (strcmp(name, XATTR_NAME_SELINUX)) {
2230 /* Not an attribute we recognize, so nothing to do. */
2231 return;
2232 }
2233
2234 rc = security_context_to_sid(value, size, &newsid);
2235 if (rc) {
2236 printk(KERN_WARNING "%s: unable to obtain SID for context "
2237 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2238 return;
2239 }
2240
2241 isec->sid = newsid;
2242 return;
2243}
2244
2245static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2246{
2247 struct inode *inode = dentry->d_inode;
2248 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
2249
2250 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2251 return -EOPNOTSUPP;
2252
2253 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2254}
2255
2256static int selinux_inode_listxattr (struct dentry *dentry)
2257{
2258 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2259}
2260
2261static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2262{
2263 if (strcmp(name, XATTR_NAME_SELINUX)) {
2264 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2265 sizeof XATTR_SECURITY_PREFIX - 1) &&
2266 !capable(CAP_SYS_ADMIN)) {
2267 /* A different attribute in the security namespace.
2268 Restrict to administrator. */
2269 return -EPERM;
2270 }
2271
2272 /* Not an attribute we recognize, so just check the
2273 ordinary setattr permission. Might want a separate
2274 permission for removexattr. */
2275 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2276 }
2277
2278 /* No one is allowed to remove a SELinux security label.
2279 You can change the label, but all data must be labeled. */
2280 return -EACCES;
2281}
2282
2283static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size)
2284{
2285 struct inode_security_struct *isec = inode->i_security;
2286 char *context;
2287 unsigned len;
2288 int rc;
2289
2290 /* Permission check handled by selinux_inode_getxattr hook.*/
2291
2292 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2293 return -EOPNOTSUPP;
2294
2295 rc = security_sid_to_context(isec->sid, &context, &len);
2296 if (rc)
2297 return rc;
2298
2299 if (!buffer || !size) {
2300 kfree(context);
2301 return len;
2302 }
2303 if (size < len) {
2304 kfree(context);
2305 return -ERANGE;
2306 }
2307 memcpy(buffer, context, len);
2308 kfree(context);
2309 return len;
2310}
2311
2312static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2313 const void *value, size_t size, int flags)
2314{
2315 struct inode_security_struct *isec = inode->i_security;
2316 u32 newsid;
2317 int rc;
2318
2319 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2320 return -EOPNOTSUPP;
2321
2322 if (!value || !size)
2323 return -EACCES;
2324
2325 rc = security_context_to_sid((void*)value, size, &newsid);
2326 if (rc)
2327 return rc;
2328
2329 isec->sid = newsid;
2330 return 0;
2331}
2332
2333static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2334{
2335 const int len = sizeof(XATTR_NAME_SELINUX);
2336 if (buffer && len <= buffer_size)
2337 memcpy(buffer, XATTR_NAME_SELINUX, len);
2338 return len;
2339}
2340
2341/* file security operations */
2342
2343static int selinux_file_permission(struct file *file, int mask)
2344{
2345 struct inode *inode = file->f_dentry->d_inode;
2346
2347 if (!mask) {
2348 /* No permission to check. Existence test. */
2349 return 0;
2350 }
2351
2352 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2353 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2354 mask |= MAY_APPEND;
2355
2356 return file_has_perm(current, file,
2357 file_mask_to_av(inode->i_mode, mask));
2358}
2359
2360static int selinux_file_alloc_security(struct file *file)
2361{
2362 return file_alloc_security(file);
2363}
2364
2365static void selinux_file_free_security(struct file *file)
2366{
2367 file_free_security(file);
2368}
2369
2370static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2371 unsigned long arg)
2372{
2373 int error = 0;
2374
2375 switch (cmd) {
2376 case FIONREAD:
2377 /* fall through */
2378 case FIBMAP:
2379 /* fall through */
2380 case FIGETBSZ:
2381 /* fall through */
2382 case EXT2_IOC_GETFLAGS:
2383 /* fall through */
2384 case EXT2_IOC_GETVERSION:
2385 error = file_has_perm(current, file, FILE__GETATTR);
2386 break;
2387
2388 case EXT2_IOC_SETFLAGS:
2389 /* fall through */
2390 case EXT2_IOC_SETVERSION:
2391 error = file_has_perm(current, file, FILE__SETATTR);
2392 break;
2393
2394 /* sys_ioctl() checks */
2395 case FIONBIO:
2396 /* fall through */
2397 case FIOASYNC:
2398 error = file_has_perm(current, file, 0);
2399 break;
2400
2401 case KDSKBENT:
2402 case KDSKBSENT:
2403 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2404 break;
2405
2406 /* default case assumes that the command will go
2407 * to the file's ioctl() function.
2408 */
2409 default:
2410 error = file_has_perm(current, file, FILE__IOCTL);
2411
2412 }
2413 return error;
2414}
2415
2416static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2417{
2418#ifndef CONFIG_PPC32
2419 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2420 /*
2421 * We are making executable an anonymous mapping or a
2422 * private file mapping that will also be writable.
2423 * This has an additional check.
2424 */
2425 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2426 if (rc)
2427 return rc;
2428 }
2429#endif
2430
2431 if (file) {
2432 /* read access is always possible with a mapping */
2433 u32 av = FILE__READ;
2434
2435 /* write access only matters if the mapping is shared */
2436 if (shared && (prot & PROT_WRITE))
2437 av |= FILE__WRITE;
2438
2439 if (prot & PROT_EXEC)
2440 av |= FILE__EXECUTE;
2441
2442 return file_has_perm(current, file, av);
2443 }
2444 return 0;
2445}
2446
2447static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2448 unsigned long prot, unsigned long flags)
2449{
2450 int rc;
2451
2452 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2453 if (rc)
2454 return rc;
2455
2456 if (selinux_checkreqprot)
2457 prot = reqprot;
2458
2459 return file_map_prot_check(file, prot,
2460 (flags & MAP_TYPE) == MAP_SHARED);
2461}
2462
2463static int selinux_file_mprotect(struct vm_area_struct *vma,
2464 unsigned long reqprot,
2465 unsigned long prot)
2466{
2467 int rc;
2468
2469 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2470 if (rc)
2471 return rc;
2472
2473 if (selinux_checkreqprot)
2474 prot = reqprot;
2475
2476#ifndef CONFIG_PPC32
2477 if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
2478 /*
2479 * We are making executable a file mapping that has
2480 * had some COW done. Since pages might have been written,
2481 * check ability to execute the possibly modified content.
2482 * This typically should only occur for text relocations.
2483 */
2484 int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
2485 if (rc)
2486 return rc;
2487 }
2488#endif
2489
2490 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2491}
2492
2493static int selinux_file_lock(struct file *file, unsigned int cmd)
2494{
2495 return file_has_perm(current, file, FILE__LOCK);
2496}
2497
2498static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2499 unsigned long arg)
2500{
2501 int err = 0;
2502
2503 switch (cmd) {
2504 case F_SETFL:
2505 if (!file->f_dentry || !file->f_dentry->d_inode) {
2506 err = -EINVAL;
2507 break;
2508 }
2509
2510 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2511 err = file_has_perm(current, file,FILE__WRITE);
2512 break;
2513 }
2514 /* fall through */
2515 case F_SETOWN:
2516 case F_SETSIG:
2517 case F_GETFL:
2518 case F_GETOWN:
2519 case F_GETSIG:
2520 /* Just check FD__USE permission */
2521 err = file_has_perm(current, file, 0);
2522 break;
2523 case F_GETLK:
2524 case F_SETLK:
2525 case F_SETLKW:
2526#if BITS_PER_LONG == 32
2527 case F_GETLK64:
2528 case F_SETLK64:
2529 case F_SETLKW64:
2530#endif
2531 if (!file->f_dentry || !file->f_dentry->d_inode) {
2532 err = -EINVAL;
2533 break;
2534 }
2535 err = file_has_perm(current, file, FILE__LOCK);
2536 break;
2537 }
2538
2539 return err;
2540}
2541
2542static int selinux_file_set_fowner(struct file *file)
2543{
2544 struct task_security_struct *tsec;
2545 struct file_security_struct *fsec;
2546
2547 tsec = current->security;
2548 fsec = file->f_security;
2549 fsec->fown_sid = tsec->sid;
2550
2551 return 0;
2552}
2553
2554static int selinux_file_send_sigiotask(struct task_struct *tsk,
2555 struct fown_struct *fown, int signum)
2556{
2557 struct file *file;
2558 u32 perm;
2559 struct task_security_struct *tsec;
2560 struct file_security_struct *fsec;
2561
2562 /* struct fown_struct is never outside the context of a struct file */
2563 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2564
2565 tsec = tsk->security;
2566 fsec = file->f_security;
2567
2568 if (!signum)
2569 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2570 else
2571 perm = signal_to_av(signum);
2572
2573 return avc_has_perm(fsec->fown_sid, tsec->sid,
2574 SECCLASS_PROCESS, perm, NULL);
2575}
2576
2577static int selinux_file_receive(struct file *file)
2578{
2579 return file_has_perm(current, file, file_to_av(file));
2580}
2581
2582/* task security operations */
2583
2584static int selinux_task_create(unsigned long clone_flags)
2585{
2586 int rc;
2587
2588 rc = secondary_ops->task_create(clone_flags);
2589 if (rc)
2590 return rc;
2591
2592 return task_has_perm(current, current, PROCESS__FORK);
2593}
2594
2595static int selinux_task_alloc_security(struct task_struct *tsk)
2596{
2597 struct task_security_struct *tsec1, *tsec2;
2598 int rc;
2599
2600 tsec1 = current->security;
2601
2602 rc = task_alloc_security(tsk);
2603 if (rc)
2604 return rc;
2605 tsec2 = tsk->security;
2606
2607 tsec2->osid = tsec1->osid;
2608 tsec2->sid = tsec1->sid;
2609
2610 /* Retain the exec and create SIDs across fork */
2611 tsec2->exec_sid = tsec1->exec_sid;
2612 tsec2->create_sid = tsec1->create_sid;
2613
2614 /* Retain ptracer SID across fork, if any.
2615 This will be reset by the ptrace hook upon any
2616 subsequent ptrace_attach operations. */
2617 tsec2->ptrace_sid = tsec1->ptrace_sid;
2618
2619 return 0;
2620}
2621
2622static void selinux_task_free_security(struct task_struct *tsk)
2623{
2624 task_free_security(tsk);
2625}
2626
2627static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2628{
2629 /* Since setuid only affects the current process, and
2630 since the SELinux controls are not based on the Linux
2631 identity attributes, SELinux does not need to control
2632 this operation. However, SELinux does control the use
2633 of the CAP_SETUID and CAP_SETGID capabilities using the
2634 capable hook. */
2635 return 0;
2636}
2637
2638static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2639{
2640 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2641}
2642
2643static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2644{
2645 /* See the comment for setuid above. */
2646 return 0;
2647}
2648
2649static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2650{
2651 return task_has_perm(current, p, PROCESS__SETPGID);
2652}
2653
2654static int selinux_task_getpgid(struct task_struct *p)
2655{
2656 return task_has_perm(current, p, PROCESS__GETPGID);
2657}
2658
2659static int selinux_task_getsid(struct task_struct *p)
2660{
2661 return task_has_perm(current, p, PROCESS__GETSESSION);
2662}
2663
2664static int selinux_task_setgroups(struct group_info *group_info)
2665{
2666 /* See the comment for setuid above. */
2667 return 0;
2668}
2669
2670static int selinux_task_setnice(struct task_struct *p, int nice)
2671{
2672 int rc;
2673
2674 rc = secondary_ops->task_setnice(p, nice);
2675 if (rc)
2676 return rc;
2677
2678 return task_has_perm(current,p, PROCESS__SETSCHED);
2679}
2680
2681static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2682{
2683 struct rlimit *old_rlim = current->signal->rlim + resource;
2684 int rc;
2685
2686 rc = secondary_ops->task_setrlimit(resource, new_rlim);
2687 if (rc)
2688 return rc;
2689
2690 /* Control the ability to change the hard limit (whether
2691 lowering or raising it), so that the hard limit can
2692 later be used as a safe reset point for the soft limit
2693 upon context transitions. See selinux_bprm_apply_creds. */
2694 if (old_rlim->rlim_max != new_rlim->rlim_max)
2695 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2696
2697 return 0;
2698}
2699
2700static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2701{
2702 return task_has_perm(current, p, PROCESS__SETSCHED);
2703}
2704
2705static int selinux_task_getscheduler(struct task_struct *p)
2706{
2707 return task_has_perm(current, p, PROCESS__GETSCHED);
2708}
2709
2710static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2711{
2712 u32 perm;
2713 int rc;
2714
2715 rc = secondary_ops->task_kill(p, info, sig);
2716 if (rc)
2717 return rc;
2718
2719 if (info && ((unsigned long)info == 1 ||
2720 (unsigned long)info == 2 || SI_FROMKERNEL(info)))
2721 return 0;
2722
2723 if (!sig)
2724 perm = PROCESS__SIGNULL; /* null signal; existence test */
2725 else
2726 perm = signal_to_av(sig);
2727
2728 return task_has_perm(current, p, perm);
2729}
2730
2731static int selinux_task_prctl(int option,
2732 unsigned long arg2,
2733 unsigned long arg3,
2734 unsigned long arg4,
2735 unsigned long arg5)
2736{
2737 /* The current prctl operations do not appear to require
2738 any SELinux controls since they merely observe or modify
2739 the state of the current process. */
2740 return 0;
2741}
2742
2743static int selinux_task_wait(struct task_struct *p)
2744{
2745 u32 perm;
2746
2747 perm = signal_to_av(p->exit_signal);
2748
2749 return task_has_perm(p, current, perm);
2750}
2751
2752static void selinux_task_reparent_to_init(struct task_struct *p)
2753{
2754 struct task_security_struct *tsec;
2755
2756 secondary_ops->task_reparent_to_init(p);
2757
2758 tsec = p->security;
2759 tsec->osid = tsec->sid;
2760 tsec->sid = SECINITSID_KERNEL;
2761 return;
2762}
2763
2764static void selinux_task_to_inode(struct task_struct *p,
2765 struct inode *inode)
2766{
2767 struct task_security_struct *tsec = p->security;
2768 struct inode_security_struct *isec = inode->i_security;
2769
2770 isec->sid = tsec->sid;
2771 isec->initialized = 1;
2772 return;
2773}
2774
2775#ifdef CONFIG_SECURITY_NETWORK
2776
2777/* Returns error only if unable to parse addresses */
2778static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2779{
2780 int offset, ihlen, ret = -EINVAL;
2781 struct iphdr _iph, *ih;
2782
2783 offset = skb->nh.raw - skb->data;
2784 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2785 if (ih == NULL)
2786 goto out;
2787
2788 ihlen = ih->ihl * 4;
2789 if (ihlen < sizeof(_iph))
2790 goto out;
2791
2792 ad->u.net.v4info.saddr = ih->saddr;
2793 ad->u.net.v4info.daddr = ih->daddr;
2794 ret = 0;
2795
2796 switch (ih->protocol) {
2797 case IPPROTO_TCP: {
2798 struct tcphdr _tcph, *th;
2799
2800 if (ntohs(ih->frag_off) & IP_OFFSET)
2801 break;
2802
2803 offset += ihlen;
2804 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2805 if (th == NULL)
2806 break;
2807
2808 ad->u.net.sport = th->source;
2809 ad->u.net.dport = th->dest;
2810 break;
2811 }
2812
2813 case IPPROTO_UDP: {
2814 struct udphdr _udph, *uh;
2815
2816 if (ntohs(ih->frag_off) & IP_OFFSET)
2817 break;
2818
2819 offset += ihlen;
2820 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2821 if (uh == NULL)
2822 break;
2823
2824 ad->u.net.sport = uh->source;
2825 ad->u.net.dport = uh->dest;
2826 break;
2827 }
2828
2829 default:
2830 break;
2831 }
2832out:
2833 return ret;
2834}
2835
2836#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2837
2838/* Returns error only if unable to parse addresses */
2839static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2840{
2841 u8 nexthdr;
2842 int ret = -EINVAL, offset;
2843 struct ipv6hdr _ipv6h, *ip6;
2844
2845 offset = skb->nh.raw - skb->data;
2846 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2847 if (ip6 == NULL)
2848 goto out;
2849
2850 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2851 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2852 ret = 0;
2853
2854 nexthdr = ip6->nexthdr;
2855 offset += sizeof(_ipv6h);
2856 offset = ipv6_skip_exthdr(skb, offset, &nexthdr,
2857 skb->tail - skb->head - offset);
2858 if (offset < 0)
2859 goto out;
2860
2861 switch (nexthdr) {
2862 case IPPROTO_TCP: {
2863 struct tcphdr _tcph, *th;
2864
2865 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2866 if (th == NULL)
2867 break;
2868
2869 ad->u.net.sport = th->source;
2870 ad->u.net.dport = th->dest;
2871 break;
2872 }
2873
2874 case IPPROTO_UDP: {
2875 struct udphdr _udph, *uh;
2876
2877 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2878 if (uh == NULL)
2879 break;
2880
2881 ad->u.net.sport = uh->source;
2882 ad->u.net.dport = uh->dest;
2883 break;
2884 }
2885
2886 /* includes fragments */
2887 default:
2888 break;
2889 }
2890out:
2891 return ret;
2892}
2893
2894#endif /* IPV6 */
2895
2896static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2897 char **addrp, int *len, int src)
2898{
2899 int ret = 0;
2900
2901 switch (ad->u.net.family) {
2902 case PF_INET:
2903 ret = selinux_parse_skb_ipv4(skb, ad);
2904 if (ret || !addrp)
2905 break;
2906 *len = 4;
2907 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2908 &ad->u.net.v4info.daddr);
2909 break;
2910
2911#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2912 case PF_INET6:
2913 ret = selinux_parse_skb_ipv6(skb, ad);
2914 if (ret || !addrp)
2915 break;
2916 *len = 16;
2917 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2918 &ad->u.net.v6info.daddr);
2919 break;
2920#endif /* IPV6 */
2921 default:
2922 break;
2923 }
2924
2925 return ret;
2926}
2927
2928/* socket security operations */
2929static int socket_has_perm(struct task_struct *task, struct socket *sock,
2930 u32 perms)
2931{
2932 struct inode_security_struct *isec;
2933 struct task_security_struct *tsec;
2934 struct avc_audit_data ad;
2935 int err = 0;
2936
2937 tsec = task->security;
2938 isec = SOCK_INODE(sock)->i_security;
2939
2940 if (isec->sid == SECINITSID_KERNEL)
2941 goto out;
2942
2943 AVC_AUDIT_DATA_INIT(&ad,NET);
2944 ad.u.net.sk = sock->sk;
2945 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2946
2947out:
2948 return err;
2949}
2950
2951static int selinux_socket_create(int family, int type,
2952 int protocol, int kern)
2953{
2954 int err = 0;
2955 struct task_security_struct *tsec;
2956
2957 if (kern)
2958 goto out;
2959
2960 tsec = current->security;
2961 err = avc_has_perm(tsec->sid, tsec->sid,
2962 socket_type_to_security_class(family, type,
2963 protocol), SOCKET__CREATE, NULL);
2964
2965out:
2966 return err;
2967}
2968
2969static void selinux_socket_post_create(struct socket *sock, int family,
2970 int type, int protocol, int kern)
2971{
2972 struct inode_security_struct *isec;
2973 struct task_security_struct *tsec;
2974
2975 isec = SOCK_INODE(sock)->i_security;
2976
2977 tsec = current->security;
2978 isec->sclass = socket_type_to_security_class(family, type, protocol);
2979 isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2980 isec->initialized = 1;
2981
2982 return;
2983}
2984
2985/* Range of port numbers used to automatically bind.
2986 Need to determine whether we should perform a name_bind
2987 permission check between the socket and the port number. */
2988#define ip_local_port_range_0 sysctl_local_port_range[0]
2989#define ip_local_port_range_1 sysctl_local_port_range[1]
2990
2991static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2992{
2993 u16 family;
2994 int err;
2995
2996 err = socket_has_perm(current, sock, SOCKET__BIND);
2997 if (err)
2998 goto out;
2999
3000 /*
3001 * If PF_INET or PF_INET6, check name_bind permission for the port.
3002 */
3003 family = sock->sk->sk_family;
3004 if (family == PF_INET || family == PF_INET6) {
3005 char *addrp;
3006 struct inode_security_struct *isec;
3007 struct task_security_struct *tsec;
3008 struct avc_audit_data ad;
3009 struct sockaddr_in *addr4 = NULL;
3010 struct sockaddr_in6 *addr6 = NULL;
3011 unsigned short snum;
3012 struct sock *sk = sock->sk;
3013 u32 sid, node_perm, addrlen;
3014
3015 tsec = current->security;
3016 isec = SOCK_INODE(sock)->i_security;
3017
3018 if (family == PF_INET) {
3019 addr4 = (struct sockaddr_in *)address;
3020 snum = ntohs(addr4->sin_port);
3021 addrlen = sizeof(addr4->sin_addr.s_addr);
3022 addrp = (char *)&addr4->sin_addr.s_addr;
3023 } else {
3024 addr6 = (struct sockaddr_in6 *)address;
3025 snum = ntohs(addr6->sin6_port);
3026 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3027 addrp = (char *)&addr6->sin6_addr.s6_addr;
3028 }
3029
3030 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3031 snum > ip_local_port_range_1)) {
3032 err = security_port_sid(sk->sk_family, sk->sk_type,
3033 sk->sk_protocol, snum, &sid);
3034 if (err)
3035 goto out;
3036 AVC_AUDIT_DATA_INIT(&ad,NET);
3037 ad.u.net.sport = htons(snum);
3038 ad.u.net.family = family;
3039 err = avc_has_perm(isec->sid, sid,
3040 isec->sclass,
3041 SOCKET__NAME_BIND, &ad);
3042 if (err)
3043 goto out;
3044 }
3045
3046 switch(sk->sk_protocol) {
3047 case IPPROTO_TCP:
3048 node_perm = TCP_SOCKET__NODE_BIND;
3049 break;
3050
3051 case IPPROTO_UDP:
3052 node_perm = UDP_SOCKET__NODE_BIND;
3053 break;
3054
3055 default:
3056 node_perm = RAWIP_SOCKET__NODE_BIND;
3057 break;
3058 }
3059
3060 err = security_node_sid(family, addrp, addrlen, &sid);
3061 if (err)
3062 goto out;
3063
3064 AVC_AUDIT_DATA_INIT(&ad,NET);
3065 ad.u.net.sport = htons(snum);
3066 ad.u.net.family = family;
3067
3068 if (family == PF_INET)
3069 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3070 else
3071 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3072
3073 err = avc_has_perm(isec->sid, sid,
3074 isec->sclass, node_perm, &ad);
3075 if (err)
3076 goto out;
3077 }
3078out:
3079 return err;
3080}
3081
3082static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3083{
3084 struct inode_security_struct *isec;
3085 int err;
3086
3087 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3088 if (err)
3089 return err;
3090
3091 /*
3092 * If a TCP socket, check name_connect permission for the port.
3093 */
3094 isec = SOCK_INODE(sock)->i_security;
3095 if (isec->sclass == SECCLASS_TCP_SOCKET) {
3096 struct sock *sk = sock->sk;
3097 struct avc_audit_data ad;
3098 struct sockaddr_in *addr4 = NULL;
3099 struct sockaddr_in6 *addr6 = NULL;
3100 unsigned short snum;
3101 u32 sid;
3102
3103 if (sk->sk_family == PF_INET) {
3104 addr4 = (struct sockaddr_in *)address;
3105 if (addrlen != sizeof(struct sockaddr_in))
3106 return -EINVAL;
3107 snum = ntohs(addr4->sin_port);
3108 } else {
3109 addr6 = (struct sockaddr_in6 *)address;
3110 if (addrlen != sizeof(struct sockaddr_in6))
3111 return -EINVAL;
3112 snum = ntohs(addr6->sin6_port);
3113 }
3114
3115 err = security_port_sid(sk->sk_family, sk->sk_type,
3116 sk->sk_protocol, snum, &sid);
3117 if (err)
3118 goto out;
3119
3120 AVC_AUDIT_DATA_INIT(&ad,NET);
3121 ad.u.net.dport = htons(snum);
3122 ad.u.net.family = sk->sk_family;
3123 err = avc_has_perm(isec->sid, sid, isec->sclass,
3124 TCP_SOCKET__NAME_CONNECT, &ad);
3125 if (err)
3126 goto out;
3127 }
3128
3129out:
3130 return err;
3131}
3132
3133static int selinux_socket_listen(struct socket *sock, int backlog)
3134{
3135 return socket_has_perm(current, sock, SOCKET__LISTEN);
3136}
3137
3138static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3139{
3140 int err;
3141 struct inode_security_struct *isec;
3142 struct inode_security_struct *newisec;
3143
3144 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3145 if (err)
3146 return err;
3147
3148 newisec = SOCK_INODE(newsock)->i_security;
3149
3150 isec = SOCK_INODE(sock)->i_security;
3151 newisec->sclass = isec->sclass;
3152 newisec->sid = isec->sid;
3153 newisec->initialized = 1;
3154
3155 return 0;
3156}
3157
3158static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3159 int size)
3160{
3161 return socket_has_perm(current, sock, SOCKET__WRITE);
3162}
3163
3164static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3165 int size, int flags)
3166{
3167 return socket_has_perm(current, sock, SOCKET__READ);
3168}
3169
3170static int selinux_socket_getsockname(struct socket *sock)
3171{
3172 return socket_has_perm(current, sock, SOCKET__GETATTR);
3173}
3174
3175static int selinux_socket_getpeername(struct socket *sock)
3176{
3177 return socket_has_perm(current, sock, SOCKET__GETATTR);
3178}
3179
3180static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3181{
3182 return socket_has_perm(current, sock, SOCKET__SETOPT);
3183}
3184
3185static int selinux_socket_getsockopt(struct socket *sock, int level,
3186 int optname)
3187{
3188 return socket_has_perm(current, sock, SOCKET__GETOPT);
3189}
3190
3191static int selinux_socket_shutdown(struct socket *sock, int how)
3192{
3193 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3194}
3195
3196static int selinux_socket_unix_stream_connect(struct socket *sock,
3197 struct socket *other,
3198 struct sock *newsk)
3199{
3200 struct sk_security_struct *ssec;
3201 struct inode_security_struct *isec;
3202 struct inode_security_struct *other_isec;
3203 struct avc_audit_data ad;
3204 int err;
3205
3206 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3207 if (err)
3208 return err;
3209
3210 isec = SOCK_INODE(sock)->i_security;
3211 other_isec = SOCK_INODE(other)->i_security;
3212
3213 AVC_AUDIT_DATA_INIT(&ad,NET);
3214 ad.u.net.sk = other->sk;
3215
3216 err = avc_has_perm(isec->sid, other_isec->sid,
3217 isec->sclass,
3218 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3219 if (err)
3220 return err;
3221
3222 /* connecting socket */
3223 ssec = sock->sk->sk_security;
3224 ssec->peer_sid = other_isec->sid;
3225
3226 /* server child socket */
3227 ssec = newsk->sk_security;
3228 ssec->peer_sid = isec->sid;
3229
3230 return 0;
3231}
3232
3233static int selinux_socket_unix_may_send(struct socket *sock,
3234 struct socket *other)
3235{
3236 struct inode_security_struct *isec;
3237 struct inode_security_struct *other_isec;
3238 struct avc_audit_data ad;
3239 int err;
3240
3241 isec = SOCK_INODE(sock)->i_security;
3242 other_isec = SOCK_INODE(other)->i_security;
3243
3244 AVC_AUDIT_DATA_INIT(&ad,NET);
3245 ad.u.net.sk = other->sk;
3246
3247 err = avc_has_perm(isec->sid, other_isec->sid,
3248 isec->sclass, SOCKET__SENDTO, &ad);
3249 if (err)
3250 return err;
3251
3252 return 0;
3253}
3254
3255static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3256{
3257 u16 family;
3258 char *addrp;
3259 int len, err = 0;
3260 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3261 u32 sock_sid = 0;
3262 u16 sock_class = 0;
3263 struct socket *sock;
3264 struct net_device *dev;
3265 struct avc_audit_data ad;
3266
3267 family = sk->sk_family;
3268 if (family != PF_INET && family != PF_INET6)
3269 goto out;
3270
3271 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3272 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3273 family = PF_INET;
3274
3275 read_lock_bh(&sk->sk_callback_lock);
3276 sock = sk->sk_socket;
3277 if (sock) {
3278 struct inode *inode;
3279 inode = SOCK_INODE(sock);
3280 if (inode) {
3281 struct inode_security_struct *isec;
3282 isec = inode->i_security;
3283 sock_sid = isec->sid;
3284 sock_class = isec->sclass;
3285 }
3286 }
3287 read_unlock_bh(&sk->sk_callback_lock);
3288 if (!sock_sid)
3289 goto out;
3290
3291 dev = skb->dev;
3292 if (!dev)
3293 goto out;
3294
3295 err = sel_netif_sids(dev, &if_sid, NULL);
3296 if (err)
3297 goto out;
3298
3299 switch (sock_class) {
3300 case SECCLASS_UDP_SOCKET:
3301 netif_perm = NETIF__UDP_RECV;
3302 node_perm = NODE__UDP_RECV;
3303 recv_perm = UDP_SOCKET__RECV_MSG;
3304 break;
3305
3306 case SECCLASS_TCP_SOCKET:
3307 netif_perm = NETIF__TCP_RECV;
3308 node_perm = NODE__TCP_RECV;
3309 recv_perm = TCP_SOCKET__RECV_MSG;
3310 break;
3311
3312 default:
3313 netif_perm = NETIF__RAWIP_RECV;
3314 node_perm = NODE__RAWIP_RECV;
3315 break;
3316 }
3317
3318 AVC_AUDIT_DATA_INIT(&ad, NET);
3319 ad.u.net.netif = dev->name;
3320 ad.u.net.family = family;
3321
3322 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3323 if (err)
3324 goto out;
3325
3326 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3327 if (err)
3328 goto out;
3329
3330 /* Fixme: this lookup is inefficient */
3331 err = security_node_sid(family, addrp, len, &node_sid);
3332 if (err)
3333 goto out;
3334
3335 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3336 if (err)
3337 goto out;
3338
3339 if (recv_perm) {
3340 u32 port_sid;
3341
3342 /* Fixme: make this more efficient */
3343 err = security_port_sid(sk->sk_family, sk->sk_type,
3344 sk->sk_protocol, ntohs(ad.u.net.sport),
3345 &port_sid);
3346 if (err)
3347 goto out;
3348
3349 err = avc_has_perm(sock_sid, port_sid,
3350 sock_class, recv_perm, &ad);
3351 }
3352out:
3353 return err;
3354}
3355
3356static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3357 int __user *optlen, unsigned len)
3358{
3359 int err = 0;
3360 char *scontext;
3361 u32 scontext_len;
3362 struct sk_security_struct *ssec;
3363 struct inode_security_struct *isec;
3364
3365 isec = SOCK_INODE(sock)->i_security;
3366 if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3367 err = -ENOPROTOOPT;
3368 goto out;
3369 }
3370
3371 ssec = sock->sk->sk_security;
3372
3373 err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3374 if (err)
3375 goto out;
3376
3377 if (scontext_len > len) {
3378 err = -ERANGE;
3379 goto out_len;
3380 }
3381
3382 if (copy_to_user(optval, scontext, scontext_len))
3383 err = -EFAULT;
3384
3385out_len:
3386 if (put_user(scontext_len, optlen))
3387 err = -EFAULT;
3388
3389 kfree(scontext);
3390out:
3391 return err;
3392}
3393
3394static int selinux_sk_alloc_security(struct sock *sk, int family, int priority)
3395{
3396 return sk_alloc_security(sk, family, priority);
3397}
3398
3399static void selinux_sk_free_security(struct sock *sk)
3400{
3401 sk_free_security(sk);
3402}
3403
3404static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3405{
3406 int err = 0;
3407 u32 perm;
3408 struct nlmsghdr *nlh;
3409 struct socket *sock = sk->sk_socket;
3410 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3411
3412 if (skb->len < NLMSG_SPACE(0)) {
3413 err = -EINVAL;
3414 goto out;
3415 }
3416 nlh = (struct nlmsghdr *)skb->data;
3417
3418 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3419 if (err) {
3420 if (err == -EINVAL) {
3421 audit_log(current->audit_context,
3422 "SELinux: unrecognized netlink message"
3423 " type=%hu for sclass=%hu\n",
3424 nlh->nlmsg_type, isec->sclass);
3425 if (!selinux_enforcing)
3426 err = 0;
3427 }
3428
3429 /* Ignore */
3430 if (err == -ENOENT)
3431 err = 0;
3432 goto out;
3433 }
3434
3435 err = socket_has_perm(current, sock, perm);
3436out:
3437 return err;
3438}
3439
3440#ifdef CONFIG_NETFILTER
3441
3442static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3443 struct sk_buff **pskb,
3444 const struct net_device *in,
3445 const struct net_device *out,
3446 int (*okfn)(struct sk_buff *),
3447 u16 family)
3448{
3449 char *addrp;
3450 int len, err = NF_ACCEPT;
3451 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3452 struct sock *sk;
3453 struct socket *sock;
3454 struct inode *inode;
3455 struct sk_buff *skb = *pskb;
3456 struct inode_security_struct *isec;
3457 struct avc_audit_data ad;
3458 struct net_device *dev = (struct net_device *)out;
3459
3460 sk = skb->sk;
3461 if (!sk)
3462 goto out;
3463
3464 sock = sk->sk_socket;
3465 if (!sock)
3466 goto out;
3467
3468 inode = SOCK_INODE(sock);
3469 if (!inode)
3470 goto out;
3471
3472 err = sel_netif_sids(dev, &if_sid, NULL);
3473 if (err)
3474 goto out;
3475
3476 isec = inode->i_security;
3477
3478 switch (isec->sclass) {
3479 case SECCLASS_UDP_SOCKET:
3480 netif_perm = NETIF__UDP_SEND;
3481 node_perm = NODE__UDP_SEND;
3482 send_perm = UDP_SOCKET__SEND_MSG;
3483 break;
3484
3485 case SECCLASS_TCP_SOCKET:
3486 netif_perm = NETIF__TCP_SEND;
3487 node_perm = NODE__TCP_SEND;
3488 send_perm = TCP_SOCKET__SEND_MSG;
3489 break;
3490
3491 default:
3492 netif_perm = NETIF__RAWIP_SEND;
3493 node_perm = NODE__RAWIP_SEND;
3494 break;
3495 }
3496
3497
3498 AVC_AUDIT_DATA_INIT(&ad, NET);
3499 ad.u.net.netif = dev->name;
3500 ad.u.net.family = family;
3501
3502 err = selinux_parse_skb(skb, &ad, &addrp,
3503 &len, 0) ? NF_DROP : NF_ACCEPT;
3504 if (err != NF_ACCEPT)
3505 goto out;
3506
3507 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3508 netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3509 if (err != NF_ACCEPT)
3510 goto out;
3511
3512 /* Fixme: this lookup is inefficient */
3513 err = security_node_sid(family, addrp, len,
3514 &node_sid) ? NF_DROP : NF_ACCEPT;
3515 if (err != NF_ACCEPT)
3516 goto out;
3517
3518 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3519 node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3520 if (err != NF_ACCEPT)
3521 goto out;
3522
3523 if (send_perm) {
3524 u32 port_sid;
3525
3526 /* Fixme: make this more efficient */
3527 err = security_port_sid(sk->sk_family,
3528 sk->sk_type,
3529 sk->sk_protocol,
3530 ntohs(ad.u.net.dport),
3531 &port_sid) ? NF_DROP : NF_ACCEPT;
3532 if (err != NF_ACCEPT)
3533 goto out;
3534
3535 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3536 send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3537 }
3538
3539out:
3540 return err;
3541}
3542
3543static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3544 struct sk_buff **pskb,
3545 const struct net_device *in,
3546 const struct net_device *out,
3547 int (*okfn)(struct sk_buff *))
3548{
3549 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3550}
3551
3552#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3553
3554static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3555 struct sk_buff **pskb,
3556 const struct net_device *in,
3557 const struct net_device *out,
3558 int (*okfn)(struct sk_buff *))
3559{
3560 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3561}
3562
3563#endif /* IPV6 */
3564
3565#endif /* CONFIG_NETFILTER */
3566
3567#else
3568
3569static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3570{
3571 return 0;
3572}
3573
3574#endif /* CONFIG_SECURITY_NETWORK */
3575
3576static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3577{
3578 struct task_security_struct *tsec;
3579 struct av_decision avd;
3580 int err;
3581
3582 err = secondary_ops->netlink_send(sk, skb);
3583 if (err)
3584 return err;
3585
3586 tsec = current->security;
3587
3588 avd.allowed = 0;
3589 avc_has_perm_noaudit(tsec->sid, tsec->sid,
3590 SECCLASS_CAPABILITY, ~0, &avd);
3591 cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3592
3593 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3594 err = selinux_nlmsg_perm(sk, skb);
3595
3596 return err;
3597}
3598
3599static int selinux_netlink_recv(struct sk_buff *skb)
3600{
3601 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3602 return -EPERM;
3603 return 0;
3604}
3605
3606static int ipc_alloc_security(struct task_struct *task,
3607 struct kern_ipc_perm *perm,
3608 u16 sclass)
3609{
3610 struct task_security_struct *tsec = task->security;
3611 struct ipc_security_struct *isec;
3612
3613 isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3614 if (!isec)
3615 return -ENOMEM;
3616
3617 memset(isec, 0, sizeof(struct ipc_security_struct));
3618 isec->magic = SELINUX_MAGIC;
3619 isec->sclass = sclass;
3620 isec->ipc_perm = perm;
3621 if (tsec) {
3622 isec->sid = tsec->sid;
3623 } else {
3624 isec->sid = SECINITSID_UNLABELED;
3625 }
3626 perm->security = isec;
3627
3628 return 0;
3629}
3630
3631static void ipc_free_security(struct kern_ipc_perm *perm)
3632{
3633 struct ipc_security_struct *isec = perm->security;
3634 if (!isec || isec->magic != SELINUX_MAGIC)
3635 return;
3636
3637 perm->security = NULL;
3638 kfree(isec);
3639}
3640
3641static int msg_msg_alloc_security(struct msg_msg *msg)
3642{
3643 struct msg_security_struct *msec;
3644
3645 msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3646 if (!msec)
3647 return -ENOMEM;
3648
3649 memset(msec, 0, sizeof(struct msg_security_struct));
3650 msec->magic = SELINUX_MAGIC;
3651 msec->msg = msg;
3652 msec->sid = SECINITSID_UNLABELED;
3653 msg->security = msec;
3654
3655 return 0;
3656}
3657
3658static void msg_msg_free_security(struct msg_msg *msg)
3659{
3660 struct msg_security_struct *msec = msg->security;
3661 if (!msec || msec->magic != SELINUX_MAGIC)
3662 return;
3663
3664 msg->security = NULL;
3665 kfree(msec);
3666}
3667
3668static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3669 u16 sclass, u32 perms)
3670{
3671 struct task_security_struct *tsec;
3672 struct ipc_security_struct *isec;
3673 struct avc_audit_data ad;
3674
3675 tsec = current->security;
3676 isec = ipc_perms->security;
3677
3678 AVC_AUDIT_DATA_INIT(&ad, IPC);
3679 ad.u.ipc_id = ipc_perms->key;
3680
3681 return avc_has_perm(tsec->sid, isec->sid, sclass, perms, &ad);
3682}
3683
3684static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3685{
3686 return msg_msg_alloc_security(msg);
3687}
3688
3689static void selinux_msg_msg_free_security(struct msg_msg *msg)
3690{
3691 msg_msg_free_security(msg);
3692}
3693
3694/* message queue security operations */
3695static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3696{
3697 struct task_security_struct *tsec;
3698 struct ipc_security_struct *isec;
3699 struct avc_audit_data ad;
3700 int rc;
3701
3702 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3703 if (rc)
3704 return rc;
3705
3706 tsec = current->security;
3707 isec = msq->q_perm.security;
3708
3709 AVC_AUDIT_DATA_INIT(&ad, IPC);
3710 ad.u.ipc_id = msq->q_perm.key;
3711
3712 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3713 MSGQ__CREATE, &ad);
3714 if (rc) {
3715 ipc_free_security(&msq->q_perm);
3716 return rc;
3717 }
3718 return 0;
3719}
3720
3721static void selinux_msg_queue_free_security(struct msg_queue *msq)
3722{
3723 ipc_free_security(&msq->q_perm);
3724}
3725
3726static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3727{
3728 struct task_security_struct *tsec;
3729 struct ipc_security_struct *isec;
3730 struct avc_audit_data ad;
3731
3732 tsec = current->security;
3733 isec = msq->q_perm.security;
3734
3735 AVC_AUDIT_DATA_INIT(&ad, IPC);
3736 ad.u.ipc_id = msq->q_perm.key;
3737
3738 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3739 MSGQ__ASSOCIATE, &ad);
3740}
3741
3742static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3743{
3744 int err;
3745 int perms;
3746
3747 switch(cmd) {
3748 case IPC_INFO:
3749 case MSG_INFO:
3750 /* No specific object, just general system-wide information. */
3751 return task_has_system(current, SYSTEM__IPC_INFO);
3752 case IPC_STAT:
3753 case MSG_STAT:
3754 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3755 break;
3756 case IPC_SET:
3757 perms = MSGQ__SETATTR;
3758 break;
3759 case IPC_RMID:
3760 perms = MSGQ__DESTROY;
3761 break;
3762 default:
3763 return 0;
3764 }
3765
3766 err = ipc_has_perm(&msq->q_perm, SECCLASS_MSGQ, perms);
3767 return err;
3768}
3769
3770static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3771{
3772 struct task_security_struct *tsec;
3773 struct ipc_security_struct *isec;
3774 struct msg_security_struct *msec;
3775 struct avc_audit_data ad;
3776 int rc;
3777
3778 tsec = current->security;
3779 isec = msq->q_perm.security;
3780 msec = msg->security;
3781
3782 /*
3783 * First time through, need to assign label to the message
3784 */
3785 if (msec->sid == SECINITSID_UNLABELED) {
3786 /*
3787 * Compute new sid based on current process and
3788 * message queue this message will be stored in
3789 */
3790 rc = security_transition_sid(tsec->sid,
3791 isec->sid,
3792 SECCLASS_MSG,
3793 &msec->sid);
3794 if (rc)
3795 return rc;
3796 }
3797
3798 AVC_AUDIT_DATA_INIT(&ad, IPC);
3799 ad.u.ipc_id = msq->q_perm.key;
3800
3801 /* Can this process write to the queue? */
3802 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3803 MSGQ__WRITE, &ad);
3804 if (!rc)
3805 /* Can this process send the message */
3806 rc = avc_has_perm(tsec->sid, msec->sid,
3807 SECCLASS_MSG, MSG__SEND, &ad);
3808 if (!rc)
3809 /* Can the message be put in the queue? */
3810 rc = avc_has_perm(msec->sid, isec->sid,
3811 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3812
3813 return rc;
3814}
3815
3816static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3817 struct task_struct *target,
3818 long type, int mode)
3819{
3820 struct task_security_struct *tsec;
3821 struct ipc_security_struct *isec;
3822 struct msg_security_struct *msec;
3823 struct avc_audit_data ad;
3824 int rc;
3825
3826 tsec = target->security;
3827 isec = msq->q_perm.security;
3828 msec = msg->security;
3829
3830 AVC_AUDIT_DATA_INIT(&ad, IPC);
3831 ad.u.ipc_id = msq->q_perm.key;
3832
3833 rc = avc_has_perm(tsec->sid, isec->sid,
3834 SECCLASS_MSGQ, MSGQ__READ, &ad);
3835 if (!rc)
3836 rc = avc_has_perm(tsec->sid, msec->sid,
3837 SECCLASS_MSG, MSG__RECEIVE, &ad);
3838 return rc;
3839}
3840
3841/* Shared Memory security operations */
3842static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3843{
3844 struct task_security_struct *tsec;
3845 struct ipc_security_struct *isec;
3846 struct avc_audit_data ad;
3847 int rc;
3848
3849 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3850 if (rc)
3851 return rc;
3852
3853 tsec = current->security;
3854 isec = shp->shm_perm.security;
3855
3856 AVC_AUDIT_DATA_INIT(&ad, IPC);
3857 ad.u.ipc_id = shp->shm_perm.key;
3858
3859 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3860 SHM__CREATE, &ad);
3861 if (rc) {
3862 ipc_free_security(&shp->shm_perm);
3863 return rc;
3864 }
3865 return 0;
3866}
3867
3868static void selinux_shm_free_security(struct shmid_kernel *shp)
3869{
3870 ipc_free_security(&shp->shm_perm);
3871}
3872
3873static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3874{
3875 struct task_security_struct *tsec;
3876 struct ipc_security_struct *isec;
3877 struct avc_audit_data ad;
3878
3879 tsec = current->security;
3880 isec = shp->shm_perm.security;
3881
3882 AVC_AUDIT_DATA_INIT(&ad, IPC);
3883 ad.u.ipc_id = shp->shm_perm.key;
3884
3885 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3886 SHM__ASSOCIATE, &ad);
3887}
3888
3889/* Note, at this point, shp is locked down */
3890static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3891{
3892 int perms;
3893 int err;
3894
3895 switch(cmd) {
3896 case IPC_INFO:
3897 case SHM_INFO:
3898 /* No specific object, just general system-wide information. */
3899 return task_has_system(current, SYSTEM__IPC_INFO);
3900 case IPC_STAT:
3901 case SHM_STAT:
3902 perms = SHM__GETATTR | SHM__ASSOCIATE;
3903 break;
3904 case IPC_SET:
3905 perms = SHM__SETATTR;
3906 break;
3907 case SHM_LOCK:
3908 case SHM_UNLOCK:
3909 perms = SHM__LOCK;
3910 break;
3911 case IPC_RMID:
3912 perms = SHM__DESTROY;
3913 break;
3914 default:
3915 return 0;
3916 }
3917
3918 err = ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms);
3919 return err;
3920}
3921
3922static int selinux_shm_shmat(struct shmid_kernel *shp,
3923 char __user *shmaddr, int shmflg)
3924{
3925 u32 perms;
3926 int rc;
3927
3928 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3929 if (rc)
3930 return rc;
3931
3932 if (shmflg & SHM_RDONLY)
3933 perms = SHM__READ;
3934 else
3935 perms = SHM__READ | SHM__WRITE;
3936
3937 return ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms);
3938}
3939
3940/* Semaphore security operations */
3941static int selinux_sem_alloc_security(struct sem_array *sma)
3942{
3943 struct task_security_struct *tsec;
3944 struct ipc_security_struct *isec;
3945 struct avc_audit_data ad;
3946 int rc;
3947
3948 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3949 if (rc)
3950 return rc;
3951
3952 tsec = current->security;
3953 isec = sma->sem_perm.security;
3954
3955 AVC_AUDIT_DATA_INIT(&ad, IPC);
3956 ad.u.ipc_id = sma->sem_perm.key;
3957
3958 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3959 SEM__CREATE, &ad);
3960 if (rc) {
3961 ipc_free_security(&sma->sem_perm);
3962 return rc;
3963 }
3964 return 0;
3965}
3966
3967static void selinux_sem_free_security(struct sem_array *sma)
3968{
3969 ipc_free_security(&sma->sem_perm);
3970}
3971
3972static int selinux_sem_associate(struct sem_array *sma, int semflg)
3973{
3974 struct task_security_struct *tsec;
3975 struct ipc_security_struct *isec;
3976 struct avc_audit_data ad;
3977
3978 tsec = current->security;
3979 isec = sma->sem_perm.security;
3980
3981 AVC_AUDIT_DATA_INIT(&ad, IPC);
3982 ad.u.ipc_id = sma->sem_perm.key;
3983
3984 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3985 SEM__ASSOCIATE, &ad);
3986}
3987
3988/* Note, at this point, sma is locked down */
3989static int selinux_sem_semctl(struct sem_array *sma, int cmd)
3990{
3991 int err;
3992 u32 perms;
3993
3994 switch(cmd) {
3995 case IPC_INFO:
3996 case SEM_INFO:
3997 /* No specific object, just general system-wide information. */
3998 return task_has_system(current, SYSTEM__IPC_INFO);
3999 case GETPID:
4000 case GETNCNT:
4001 case GETZCNT:
4002 perms = SEM__GETATTR;
4003 break;
4004 case GETVAL:
4005 case GETALL:
4006 perms = SEM__READ;
4007 break;
4008 case SETVAL:
4009 case SETALL:
4010 perms = SEM__WRITE;
4011 break;
4012 case IPC_RMID:
4013 perms = SEM__DESTROY;
4014 break;
4015 case IPC_SET:
4016 perms = SEM__SETATTR;
4017 break;
4018 case IPC_STAT:
4019 case SEM_STAT:
4020 perms = SEM__GETATTR | SEM__ASSOCIATE;
4021 break;
4022 default:
4023 return 0;
4024 }
4025
4026 err = ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms);
4027 return err;
4028}
4029
4030static int selinux_sem_semop(struct sem_array *sma,
4031 struct sembuf *sops, unsigned nsops, int alter)
4032{
4033 u32 perms;
4034
4035 if (alter)
4036 perms = SEM__READ | SEM__WRITE;
4037 else
4038 perms = SEM__READ;
4039
4040 return ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms);
4041}
4042
4043static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4044{
4045 struct ipc_security_struct *isec = ipcp->security;
4046 u16 sclass = SECCLASS_IPC;
4047 u32 av = 0;
4048
4049 if (isec && isec->magic == SELINUX_MAGIC)
4050 sclass = isec->sclass;
4051
4052 av = 0;
4053 if (flag & S_IRUGO)
4054 av |= IPC__UNIX_READ;
4055 if (flag & S_IWUGO)
4056 av |= IPC__UNIX_WRITE;
4057
4058 if (av == 0)
4059 return 0;
4060
4061 return ipc_has_perm(ipcp, sclass, av);
4062}
4063
4064/* module stacking operations */
4065static int selinux_register_security (const char *name, struct security_operations *ops)
4066{
4067 if (secondary_ops != original_ops) {
4068 printk(KERN_INFO "%s: There is already a secondary security "
4069 "module registered.\n", __FUNCTION__);
4070 return -EINVAL;
4071 }
4072
4073 secondary_ops = ops;
4074
4075 printk(KERN_INFO "%s: Registering secondary module %s\n",
4076 __FUNCTION__,
4077 name);
4078
4079 return 0;
4080}
4081
4082static int selinux_unregister_security (const char *name, struct security_operations *ops)
4083{
4084 if (ops != secondary_ops) {
4085 printk (KERN_INFO "%s: trying to unregister a security module "
4086 "that is not registered.\n", __FUNCTION__);
4087 return -EINVAL;
4088 }
4089
4090 secondary_ops = original_ops;
4091
4092 return 0;
4093}
4094
4095static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4096{
4097 if (inode)
4098 inode_doinit_with_dentry(inode, dentry);
4099}
4100
4101static int selinux_getprocattr(struct task_struct *p,
4102 char *name, void *value, size_t size)
4103{
4104 struct task_security_struct *tsec;
4105 u32 sid, len;
4106 char *context;
4107 int error;
4108
4109 if (current != p) {
4110 error = task_has_perm(current, p, PROCESS__GETATTR);
4111 if (error)
4112 return error;
4113 }
4114
4115 if (!size)
4116 return -ERANGE;
4117
4118 tsec = p->security;
4119
4120 if (!strcmp(name, "current"))
4121 sid = tsec->sid;
4122 else if (!strcmp(name, "prev"))
4123 sid = tsec->osid;
4124 else if (!strcmp(name, "exec"))
4125 sid = tsec->exec_sid;
4126 else if (!strcmp(name, "fscreate"))
4127 sid = tsec->create_sid;
4128 else
4129 return -EINVAL;
4130
4131 if (!sid)
4132 return 0;
4133
4134 error = security_sid_to_context(sid, &context, &len);
4135 if (error)
4136 return error;
4137 if (len > size) {
4138 kfree(context);
4139 return -ERANGE;
4140 }
4141 memcpy(value, context, len);
4142 kfree(context);
4143 return len;
4144}
4145
4146static int selinux_setprocattr(struct task_struct *p,
4147 char *name, void *value, size_t size)
4148{
4149 struct task_security_struct *tsec;
4150 u32 sid = 0;
4151 int error;
4152 char *str = value;
4153
4154 if (current != p) {
4155 /* SELinux only allows a process to change its own
4156 security attributes. */
4157 return -EACCES;
4158 }
4159
4160 /*
4161 * Basic control over ability to set these attributes at all.
4162 * current == p, but we'll pass them separately in case the
4163 * above restriction is ever removed.
4164 */
4165 if (!strcmp(name, "exec"))
4166 error = task_has_perm(current, p, PROCESS__SETEXEC);
4167 else if (!strcmp(name, "fscreate"))
4168 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4169 else if (!strcmp(name, "current"))
4170 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4171 else
4172 error = -EINVAL;
4173 if (error)
4174 return error;
4175
4176 /* Obtain a SID for the context, if one was specified. */
4177 if (size && str[1] && str[1] != '\n') {
4178 if (str[size-1] == '\n') {
4179 str[size-1] = 0;
4180 size--;
4181 }
4182 error = security_context_to_sid(value, size, &sid);
4183 if (error)
4184 return error;
4185 }
4186
4187 /* Permission checking based on the specified context is
4188 performed during the actual operation (execve,
4189 open/mkdir/...), when we know the full context of the
4190 operation. See selinux_bprm_set_security for the execve
4191 checks and may_create for the file creation checks. The
4192 operation will then fail if the context is not permitted. */
4193 tsec = p->security;
4194 if (!strcmp(name, "exec"))
4195 tsec->exec_sid = sid;
4196 else if (!strcmp(name, "fscreate"))
4197 tsec->create_sid = sid;
4198 else if (!strcmp(name, "current")) {
4199 struct av_decision avd;
4200
4201 if (sid == 0)
4202 return -EINVAL;
4203
4204 /* Only allow single threaded processes to change context */
4205 if (atomic_read(&p->mm->mm_users) != 1) {
4206 struct task_struct *g, *t;
4207 struct mm_struct *mm = p->mm;
4208 read_lock(&tasklist_lock);
4209 do_each_thread(g, t)
4210 if (t->mm == mm && t != p) {
4211 read_unlock(&tasklist_lock);
4212 return -EPERM;
4213 }
4214 while_each_thread(g, t);
4215 read_unlock(&tasklist_lock);
4216 }
4217
4218 /* Check permissions for the transition. */
4219 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4220 PROCESS__DYNTRANSITION, NULL);
4221 if (error)
4222 return error;
4223
4224 /* Check for ptracing, and update the task SID if ok.
4225 Otherwise, leave SID unchanged and fail. */
4226 task_lock(p);
4227 if (p->ptrace & PT_PTRACED) {
4228 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4229 SECCLASS_PROCESS,
4230 PROCESS__PTRACE, &avd);
4231 if (!error)
4232 tsec->sid = sid;
4233 task_unlock(p);
4234 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4235 PROCESS__PTRACE, &avd, error, NULL);
4236 if (error)
4237 return error;
4238 } else {
4239 tsec->sid = sid;
4240 task_unlock(p);
4241 }
4242 }
4243 else
4244 return -EINVAL;
4245
4246 return size;
4247}
4248
4249static struct security_operations selinux_ops = {
4250 .ptrace = selinux_ptrace,
4251 .capget = selinux_capget,
4252 .capset_check = selinux_capset_check,
4253 .capset_set = selinux_capset_set,
4254 .sysctl = selinux_sysctl,
4255 .capable = selinux_capable,
4256 .quotactl = selinux_quotactl,
4257 .quota_on = selinux_quota_on,
4258 .syslog = selinux_syslog,
4259 .vm_enough_memory = selinux_vm_enough_memory,
4260
4261 .netlink_send = selinux_netlink_send,
4262 .netlink_recv = selinux_netlink_recv,
4263
4264 .bprm_alloc_security = selinux_bprm_alloc_security,
4265 .bprm_free_security = selinux_bprm_free_security,
4266 .bprm_apply_creds = selinux_bprm_apply_creds,
4267 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
4268 .bprm_set_security = selinux_bprm_set_security,
4269 .bprm_check_security = selinux_bprm_check_security,
4270 .bprm_secureexec = selinux_bprm_secureexec,
4271
4272 .sb_alloc_security = selinux_sb_alloc_security,
4273 .sb_free_security = selinux_sb_free_security,
4274 .sb_copy_data = selinux_sb_copy_data,
4275 .sb_kern_mount = selinux_sb_kern_mount,
4276 .sb_statfs = selinux_sb_statfs,
4277 .sb_mount = selinux_mount,
4278 .sb_umount = selinux_umount,
4279
4280 .inode_alloc_security = selinux_inode_alloc_security,
4281 .inode_free_security = selinux_inode_free_security,
4282 .inode_create = selinux_inode_create,
4283 .inode_post_create = selinux_inode_post_create,
4284 .inode_link = selinux_inode_link,
4285 .inode_post_link = selinux_inode_post_link,
4286 .inode_unlink = selinux_inode_unlink,
4287 .inode_symlink = selinux_inode_symlink,
4288 .inode_post_symlink = selinux_inode_post_symlink,
4289 .inode_mkdir = selinux_inode_mkdir,
4290 .inode_post_mkdir = selinux_inode_post_mkdir,
4291 .inode_rmdir = selinux_inode_rmdir,
4292 .inode_mknod = selinux_inode_mknod,
4293 .inode_post_mknod = selinux_inode_post_mknod,
4294 .inode_rename = selinux_inode_rename,
4295 .inode_post_rename = selinux_inode_post_rename,
4296 .inode_readlink = selinux_inode_readlink,
4297 .inode_follow_link = selinux_inode_follow_link,
4298 .inode_permission = selinux_inode_permission,
4299 .inode_setattr = selinux_inode_setattr,
4300 .inode_getattr = selinux_inode_getattr,
4301 .inode_setxattr = selinux_inode_setxattr,
4302 .inode_post_setxattr = selinux_inode_post_setxattr,
4303 .inode_getxattr = selinux_inode_getxattr,
4304 .inode_listxattr = selinux_inode_listxattr,
4305 .inode_removexattr = selinux_inode_removexattr,
4306 .inode_getsecurity = selinux_inode_getsecurity,
4307 .inode_setsecurity = selinux_inode_setsecurity,
4308 .inode_listsecurity = selinux_inode_listsecurity,
4309
4310 .file_permission = selinux_file_permission,
4311 .file_alloc_security = selinux_file_alloc_security,
4312 .file_free_security = selinux_file_free_security,
4313 .file_ioctl = selinux_file_ioctl,
4314 .file_mmap = selinux_file_mmap,
4315 .file_mprotect = selinux_file_mprotect,
4316 .file_lock = selinux_file_lock,
4317 .file_fcntl = selinux_file_fcntl,
4318 .file_set_fowner = selinux_file_set_fowner,
4319 .file_send_sigiotask = selinux_file_send_sigiotask,
4320 .file_receive = selinux_file_receive,
4321
4322 .task_create = selinux_task_create,
4323 .task_alloc_security = selinux_task_alloc_security,
4324 .task_free_security = selinux_task_free_security,
4325 .task_setuid = selinux_task_setuid,
4326 .task_post_setuid = selinux_task_post_setuid,
4327 .task_setgid = selinux_task_setgid,
4328 .task_setpgid = selinux_task_setpgid,
4329 .task_getpgid = selinux_task_getpgid,
4330 .task_getsid = selinux_task_getsid,
4331 .task_setgroups = selinux_task_setgroups,
4332 .task_setnice = selinux_task_setnice,
4333 .task_setrlimit = selinux_task_setrlimit,
4334 .task_setscheduler = selinux_task_setscheduler,
4335 .task_getscheduler = selinux_task_getscheduler,
4336 .task_kill = selinux_task_kill,
4337 .task_wait = selinux_task_wait,
4338 .task_prctl = selinux_task_prctl,
4339 .task_reparent_to_init = selinux_task_reparent_to_init,
4340 .task_to_inode = selinux_task_to_inode,
4341
4342 .ipc_permission = selinux_ipc_permission,
4343
4344 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4345 .msg_msg_free_security = selinux_msg_msg_free_security,
4346
4347 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4348 .msg_queue_free_security = selinux_msg_queue_free_security,
4349 .msg_queue_associate = selinux_msg_queue_associate,
4350 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4351 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4352 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4353
4354 .shm_alloc_security = selinux_shm_alloc_security,
4355 .shm_free_security = selinux_shm_free_security,
4356 .shm_associate = selinux_shm_associate,
4357 .shm_shmctl = selinux_shm_shmctl,
4358 .shm_shmat = selinux_shm_shmat,
4359
4360 .sem_alloc_security = selinux_sem_alloc_security,
4361 .sem_free_security = selinux_sem_free_security,
4362 .sem_associate = selinux_sem_associate,
4363 .sem_semctl = selinux_sem_semctl,
4364 .sem_semop = selinux_sem_semop,
4365
4366 .register_security = selinux_register_security,
4367 .unregister_security = selinux_unregister_security,
4368
4369 .d_instantiate = selinux_d_instantiate,
4370
4371 .getprocattr = selinux_getprocattr,
4372 .setprocattr = selinux_setprocattr,
4373
4374#ifdef CONFIG_SECURITY_NETWORK
4375 .unix_stream_connect = selinux_socket_unix_stream_connect,
4376 .unix_may_send = selinux_socket_unix_may_send,
4377
4378 .socket_create = selinux_socket_create,
4379 .socket_post_create = selinux_socket_post_create,
4380 .socket_bind = selinux_socket_bind,
4381 .socket_connect = selinux_socket_connect,
4382 .socket_listen = selinux_socket_listen,
4383 .socket_accept = selinux_socket_accept,
4384 .socket_sendmsg = selinux_socket_sendmsg,
4385 .socket_recvmsg = selinux_socket_recvmsg,
4386 .socket_getsockname = selinux_socket_getsockname,
4387 .socket_getpeername = selinux_socket_getpeername,
4388 .socket_getsockopt = selinux_socket_getsockopt,
4389 .socket_setsockopt = selinux_socket_setsockopt,
4390 .socket_shutdown = selinux_socket_shutdown,
4391 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
4392 .socket_getpeersec = selinux_socket_getpeersec,
4393 .sk_alloc_security = selinux_sk_alloc_security,
4394 .sk_free_security = selinux_sk_free_security,
4395#endif
4396};
4397
4398static __init int selinux_init(void)
4399{
4400 struct task_security_struct *tsec;
4401
4402 if (!selinux_enabled) {
4403 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4404 return 0;
4405 }
4406
4407 printk(KERN_INFO "SELinux: Initializing.\n");
4408
4409 /* Set the security state for the initial task. */
4410 if (task_alloc_security(current))
4411 panic("SELinux: Failed to initialize initial task.\n");
4412 tsec = current->security;
4413 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4414
4415 avc_init();
4416
4417 original_ops = secondary_ops = security_ops;
4418 if (!secondary_ops)
4419 panic ("SELinux: No initial security operations\n");
4420 if (register_security (&selinux_ops))
4421 panic("SELinux: Unable to register with kernel.\n");
4422
4423 if (selinux_enforcing) {
4424 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
4425 } else {
4426 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
4427 }
4428 return 0;
4429}
4430
4431void selinux_complete_init(void)
4432{
4433 printk(KERN_INFO "SELinux: Completing initialization.\n");
4434
4435 /* Set up any superblocks initialized prior to the policy load. */
4436 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
4437 spin_lock(&sb_security_lock);
4438next_sb:
4439 if (!list_empty(&superblock_security_head)) {
4440 struct superblock_security_struct *sbsec =
4441 list_entry(superblock_security_head.next,
4442 struct superblock_security_struct,
4443 list);
4444 struct super_block *sb = sbsec->sb;
4445 spin_lock(&sb_lock);
4446 sb->s_count++;
4447 spin_unlock(&sb_lock);
4448 spin_unlock(&sb_security_lock);
4449 down_read(&sb->s_umount);
4450 if (sb->s_root)
4451 superblock_doinit(sb, NULL);
4452 drop_super(sb);
4453 spin_lock(&sb_security_lock);
4454 list_del_init(&sbsec->list);
4455 goto next_sb;
4456 }
4457 spin_unlock(&sb_security_lock);
4458}
4459
4460/* SELinux requires early initialization in order to label
4461 all processes and objects when they are created. */
4462security_initcall(selinux_init);
4463
4464#if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
4465
4466static struct nf_hook_ops selinux_ipv4_op = {
4467 .hook = selinux_ipv4_postroute_last,
4468 .owner = THIS_MODULE,
4469 .pf = PF_INET,
4470 .hooknum = NF_IP_POST_ROUTING,
4471 .priority = NF_IP_PRI_SELINUX_LAST,
4472};
4473
4474#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4475
4476static struct nf_hook_ops selinux_ipv6_op = {
4477 .hook = selinux_ipv6_postroute_last,
4478 .owner = THIS_MODULE,
4479 .pf = PF_INET6,
4480 .hooknum = NF_IP6_POST_ROUTING,
4481 .priority = NF_IP6_PRI_SELINUX_LAST,
4482};
4483
4484#endif /* IPV6 */
4485
4486static int __init selinux_nf_ip_init(void)
4487{
4488 int err = 0;
4489
4490 if (!selinux_enabled)
4491 goto out;
4492
4493 printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
4494
4495 err = nf_register_hook(&selinux_ipv4_op);
4496 if (err)
4497 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4498
4499#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4500
4501 err = nf_register_hook(&selinux_ipv6_op);
4502 if (err)
4503 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4504
4505#endif /* IPV6 */
4506out:
4507 return err;
4508}
4509
4510__initcall(selinux_nf_ip_init);
4511
4512#ifdef CONFIG_SECURITY_SELINUX_DISABLE
4513static void selinux_nf_ip_exit(void)
4514{
4515 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
4516
4517 nf_unregister_hook(&selinux_ipv4_op);
4518#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4519 nf_unregister_hook(&selinux_ipv6_op);
4520#endif /* IPV6 */
4521}
4522#endif
4523
4524#else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4525
4526#ifdef CONFIG_SECURITY_SELINUX_DISABLE
4527#define selinux_nf_ip_exit()
4528#endif
4529
4530#endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4531
4532#ifdef CONFIG_SECURITY_SELINUX_DISABLE
4533int selinux_disable(void)
4534{
4535 extern void exit_sel_fs(void);
4536 static int selinux_disabled = 0;
4537
4538 if (ss_initialized) {
4539 /* Not permitted after initial policy load. */
4540 return -EINVAL;
4541 }
4542
4543 if (selinux_disabled) {
4544 /* Only do this once. */
4545 return -EINVAL;
4546 }
4547
4548 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
4549
4550 selinux_disabled = 1;
4551
4552 /* Reset security_ops to the secondary module, dummy or capability. */
4553 security_ops = secondary_ops;
4554
4555 /* Unregister netfilter hooks. */
4556 selinux_nf_ip_exit();
4557
4558 /* Unregister selinuxfs. */
4559 exit_sel_fs();
4560
4561 return 0;
4562}
4563#endif
4564
4565