aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/hooks.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c560
1 files changed, 154 insertions, 406 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 00815973d412..8d8b69c5664e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -89,11 +89,10 @@
89#define XATTR_SELINUX_SUFFIX "selinux" 89#define XATTR_SELINUX_SUFFIX "selinux"
90#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX 90#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
91 91
92#define NUM_SEL_MNT_OPTS 4 92#define NUM_SEL_MNT_OPTS 5
93 93
94extern unsigned int policydb_loaded_version; 94extern unsigned int policydb_loaded_version;
95extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); 95extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96extern int selinux_compat_net;
97extern struct security_operations *security_ops; 96extern struct security_operations *security_ops;
98 97
99/* SECMARK reference count */ 98/* SECMARK reference count */
@@ -311,7 +310,7 @@ static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
311 ssec->sid = SECINITSID_UNLABELED; 310 ssec->sid = SECINITSID_UNLABELED;
312 sk->sk_security = ssec; 311 sk->sk_security = ssec;
313 312
314 selinux_netlbl_sk_security_reset(ssec, family); 313 selinux_netlbl_sk_security_reset(ssec);
315 314
316 return 0; 315 return 0;
317} 316}
@@ -353,6 +352,7 @@ enum {
353 Opt_fscontext = 2, 352 Opt_fscontext = 2,
354 Opt_defcontext = 3, 353 Opt_defcontext = 3,
355 Opt_rootcontext = 4, 354 Opt_rootcontext = 4,
355 Opt_labelsupport = 5,
356}; 356};
357 357
358static const match_table_t tokens = { 358static const match_table_t tokens = {
@@ -360,6 +360,7 @@ static const match_table_t tokens = {
360 {Opt_fscontext, FSCONTEXT_STR "%s"}, 360 {Opt_fscontext, FSCONTEXT_STR "%s"},
361 {Opt_defcontext, DEFCONTEXT_STR "%s"}, 361 {Opt_defcontext, DEFCONTEXT_STR "%s"},
362 {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, 362 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
363 {Opt_labelsupport, LABELSUPP_STR},
363 {Opt_error, NULL}, 364 {Opt_error, NULL},
364}; 365};
365 366
@@ -431,7 +432,7 @@ static int sb_finish_set_opts(struct super_block *sb)
431 } 432 }
432 } 433 }
433 434
434 sbsec->initialized = 1; 435 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
435 436
436 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) 437 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
437 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", 438 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
@@ -441,6 +442,12 @@ static int sb_finish_set_opts(struct super_block *sb)
441 sb->s_id, sb->s_type->name, 442 sb->s_id, sb->s_type->name,
442 labeling_behaviors[sbsec->behavior-1]); 443 labeling_behaviors[sbsec->behavior-1]);
443 444
445 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
446 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
447 sbsec->behavior == SECURITY_FS_USE_NONE ||
448 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
449 sbsec->flags &= ~SE_SBLABELSUPP;
450
444 /* Initialize the root inode. */ 451 /* Initialize the root inode. */
445 rc = inode_doinit_with_dentry(root_inode, root); 452 rc = inode_doinit_with_dentry(root_inode, root);
446 453
@@ -487,23 +494,22 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
487 494
488 security_init_mnt_opts(opts); 495 security_init_mnt_opts(opts);
489 496
490 if (!sbsec->initialized) 497 if (!(sbsec->flags & SE_SBINITIALIZED))
491 return -EINVAL; 498 return -EINVAL;
492 499
493 if (!ss_initialized) 500 if (!ss_initialized)
494 return -EINVAL; 501 return -EINVAL;
495 502
496 /* 503 tmp = sbsec->flags & SE_MNTMASK;
497 * if we ever use sbsec flags for anything other than tracking mount
498 * settings this is going to need a mask
499 */
500 tmp = sbsec->flags;
501 /* count the number of mount options for this sb */ 504 /* count the number of mount options for this sb */
502 for (i = 0; i < 8; i++) { 505 for (i = 0; i < 8; i++) {
503 if (tmp & 0x01) 506 if (tmp & 0x01)
504 opts->num_mnt_opts++; 507 opts->num_mnt_opts++;
505 tmp >>= 1; 508 tmp >>= 1;
506 } 509 }
510 /* Check if the Label support flag is set */
511 if (sbsec->flags & SE_SBLABELSUPP)
512 opts->num_mnt_opts++;
507 513
508 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 514 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
509 if (!opts->mnt_opts) { 515 if (!opts->mnt_opts) {
@@ -549,6 +555,10 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
549 opts->mnt_opts[i] = context; 555 opts->mnt_opts[i] = context;
550 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 556 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
551 } 557 }
558 if (sbsec->flags & SE_SBLABELSUPP) {
559 opts->mnt_opts[i] = NULL;
560 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
561 }
552 562
553 BUG_ON(i != opts->num_mnt_opts); 563 BUG_ON(i != opts->num_mnt_opts);
554 564
@@ -562,8 +572,10 @@ out_free:
562static int bad_option(struct superblock_security_struct *sbsec, char flag, 572static int bad_option(struct superblock_security_struct *sbsec, char flag,
563 u32 old_sid, u32 new_sid) 573 u32 old_sid, u32 new_sid)
564{ 574{
575 char mnt_flags = sbsec->flags & SE_MNTMASK;
576
565 /* check if the old mount command had the same options */ 577 /* check if the old mount command had the same options */
566 if (sbsec->initialized) 578 if (sbsec->flags & SE_SBINITIALIZED)
567 if (!(sbsec->flags & flag) || 579 if (!(sbsec->flags & flag) ||
568 (old_sid != new_sid)) 580 (old_sid != new_sid))
569 return 1; 581 return 1;
@@ -571,8 +583,8 @@ static int bad_option(struct superblock_security_struct *sbsec, char flag,
571 /* check if we were passed the same options twice, 583 /* check if we were passed the same options twice,
572 * aka someone passed context=a,context=b 584 * aka someone passed context=a,context=b
573 */ 585 */
574 if (!sbsec->initialized) 586 if (!(sbsec->flags & SE_SBINITIALIZED))
575 if (sbsec->flags & flag) 587 if (mnt_flags & flag)
576 return 1; 588 return 1;
577 return 0; 589 return 0;
578} 590}
@@ -626,7 +638,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
626 * this sb does not set any security options. (The first options 638 * this sb does not set any security options. (The first options
627 * will be used for both mounts) 639 * will be used for both mounts)
628 */ 640 */
629 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 641 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
630 && (num_opts == 0)) 642 && (num_opts == 0))
631 goto out; 643 goto out;
632 644
@@ -637,6 +649,9 @@ static int selinux_set_mnt_opts(struct super_block *sb,
637 */ 649 */
638 for (i = 0; i < num_opts; i++) { 650 for (i = 0; i < num_opts; i++) {
639 u32 sid; 651 u32 sid;
652
653 if (flags[i] == SE_SBLABELSUPP)
654 continue;
640 rc = security_context_to_sid(mount_options[i], 655 rc = security_context_to_sid(mount_options[i],
641 strlen(mount_options[i]), &sid); 656 strlen(mount_options[i]), &sid);
642 if (rc) { 657 if (rc) {
@@ -690,19 +705,19 @@ static int selinux_set_mnt_opts(struct super_block *sb,
690 } 705 }
691 } 706 }
692 707
693 if (sbsec->initialized) { 708 if (sbsec->flags & SE_SBINITIALIZED) {
694 /* previously mounted with options, but not on this attempt? */ 709 /* previously mounted with options, but not on this attempt? */
695 if (sbsec->flags && !num_opts) 710 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
696 goto out_double_mount; 711 goto out_double_mount;
697 rc = 0; 712 rc = 0;
698 goto out; 713 goto out;
699 } 714 }
700 715
701 if (strcmp(sb->s_type->name, "proc") == 0) 716 if (strcmp(sb->s_type->name, "proc") == 0)
702 sbsec->proc = 1; 717 sbsec->flags |= SE_SBPROC;
703 718
704 /* Determine the labeling behavior to use for this filesystem type. */ 719 /* Determine the labeling behavior to use for this filesystem type. */
705 rc = security_fs_use(sbsec->proc ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid); 720 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
706 if (rc) { 721 if (rc) {
707 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", 722 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
708 __func__, sb->s_type->name, rc); 723 __func__, sb->s_type->name, rc);
@@ -806,10 +821,10 @@ static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
806 } 821 }
807 822
808 /* how can we clone if the old one wasn't set up?? */ 823 /* how can we clone if the old one wasn't set up?? */
809 BUG_ON(!oldsbsec->initialized); 824 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
810 825
811 /* if fs is reusing a sb, just let its options stand... */ 826 /* if fs is reusing a sb, just let its options stand... */
812 if (newsbsec->initialized) 827 if (newsbsec->flags & SE_SBINITIALIZED)
813 return; 828 return;
814 829
815 mutex_lock(&newsbsec->lock); 830 mutex_lock(&newsbsec->lock);
@@ -917,7 +932,8 @@ static int selinux_parse_opts_str(char *options,
917 goto out_err; 932 goto out_err;
918 } 933 }
919 break; 934 break;
920 935 case Opt_labelsupport:
936 break;
921 default: 937 default:
922 rc = -EINVAL; 938 rc = -EINVAL;
923 printk(KERN_WARNING "SELinux: unknown mount option\n"); 939 printk(KERN_WARNING "SELinux: unknown mount option\n");
@@ -999,7 +1015,12 @@ static void selinux_write_opts(struct seq_file *m,
999 char *prefix; 1015 char *prefix;
1000 1016
1001 for (i = 0; i < opts->num_mnt_opts; i++) { 1017 for (i = 0; i < opts->num_mnt_opts; i++) {
1002 char *has_comma = strchr(opts->mnt_opts[i], ','); 1018 char *has_comma;
1019
1020 if (opts->mnt_opts[i])
1021 has_comma = strchr(opts->mnt_opts[i], ',');
1022 else
1023 has_comma = NULL;
1003 1024
1004 switch (opts->mnt_opts_flags[i]) { 1025 switch (opts->mnt_opts_flags[i]) {
1005 case CONTEXT_MNT: 1026 case CONTEXT_MNT:
@@ -1014,6 +1035,10 @@ static void selinux_write_opts(struct seq_file *m,
1014 case DEFCONTEXT_MNT: 1035 case DEFCONTEXT_MNT:
1015 prefix = DEFCONTEXT_STR; 1036 prefix = DEFCONTEXT_STR;
1016 break; 1037 break;
1038 case SE_SBLABELSUPP:
1039 seq_putc(m, ',');
1040 seq_puts(m, LABELSUPP_STR);
1041 continue;
1017 default: 1042 default:
1018 BUG(); 1043 BUG();
1019 }; 1044 };
@@ -1209,7 +1234,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1209 goto out_unlock; 1234 goto out_unlock;
1210 1235
1211 sbsec = inode->i_sb->s_security; 1236 sbsec = inode->i_sb->s_security;
1212 if (!sbsec->initialized) { 1237 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1213 /* Defer initialization until selinux_complete_init, 1238 /* Defer initialization until selinux_complete_init,
1214 after the initial policy is loaded and the security 1239 after the initial policy is loaded and the security
1215 server is ready to handle calls. */ 1240 server is ready to handle calls. */
@@ -1237,22 +1262,31 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1237 dentry = d_find_alias(inode); 1262 dentry = d_find_alias(inode);
1238 } 1263 }
1239 if (!dentry) { 1264 if (!dentry) {
1240 printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s " 1265 /*
1241 "ino=%ld\n", __func__, inode->i_sb->s_id, 1266 * this is can be hit on boot when a file is accessed
1242 inode->i_ino); 1267 * before the policy is loaded. When we load policy we
1268 * may find inodes that have no dentry on the
1269 * sbsec->isec_head list. No reason to complain as these
1270 * will get fixed up the next time we go through
1271 * inode_doinit with a dentry, before these inodes could
1272 * be used again by userspace.
1273 */
1243 goto out_unlock; 1274 goto out_unlock;
1244 } 1275 }
1245 1276
1246 len = INITCONTEXTLEN; 1277 len = INITCONTEXTLEN;
1247 context = kmalloc(len, GFP_NOFS); 1278 context = kmalloc(len+1, GFP_NOFS);
1248 if (!context) { 1279 if (!context) {
1249 rc = -ENOMEM; 1280 rc = -ENOMEM;
1250 dput(dentry); 1281 dput(dentry);
1251 goto out_unlock; 1282 goto out_unlock;
1252 } 1283 }
1284 context[len] = '\0';
1253 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1285 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1254 context, len); 1286 context, len);
1255 if (rc == -ERANGE) { 1287 if (rc == -ERANGE) {
1288 kfree(context);
1289
1256 /* Need a larger buffer. Query for the right size. */ 1290 /* Need a larger buffer. Query for the right size. */
1257 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, 1291 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1258 NULL, 0); 1292 NULL, 0);
@@ -1260,14 +1294,14 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1260 dput(dentry); 1294 dput(dentry);
1261 goto out_unlock; 1295 goto out_unlock;
1262 } 1296 }
1263 kfree(context);
1264 len = rc; 1297 len = rc;
1265 context = kmalloc(len, GFP_NOFS); 1298 context = kmalloc(len+1, GFP_NOFS);
1266 if (!context) { 1299 if (!context) {
1267 rc = -ENOMEM; 1300 rc = -ENOMEM;
1268 dput(dentry); 1301 dput(dentry);
1269 goto out_unlock; 1302 goto out_unlock;
1270 } 1303 }
1304 context[len] = '\0';
1271 rc = inode->i_op->getxattr(dentry, 1305 rc = inode->i_op->getxattr(dentry,
1272 XATTR_NAME_SELINUX, 1306 XATTR_NAME_SELINUX,
1273 context, len); 1307 context, len);
@@ -1289,10 +1323,19 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1289 sbsec->def_sid, 1323 sbsec->def_sid,
1290 GFP_NOFS); 1324 GFP_NOFS);
1291 if (rc) { 1325 if (rc) {
1292 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " 1326 char *dev = inode->i_sb->s_id;
1293 "returned %d for dev=%s ino=%ld\n", 1327 unsigned long ino = inode->i_ino;
1294 __func__, context, -rc, 1328
1295 inode->i_sb->s_id, inode->i_ino); 1329 if (rc == -EINVAL) {
1330 if (printk_ratelimit())
1331 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1332 "context=%s. This indicates you may need to relabel the inode or the "
1333 "filesystem in question.\n", ino, dev, context);
1334 } else {
1335 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1336 "returned %d for dev=%s ino=%ld\n",
1337 __func__, context, -rc, dev, ino);
1338 }
1296 kfree(context); 1339 kfree(context);
1297 /* Leave with the unlabeled SID */ 1340 /* Leave with the unlabeled SID */
1298 rc = 0; 1341 rc = 0;
@@ -1326,7 +1369,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
1326 /* Default to the fs superblock SID. */ 1369 /* Default to the fs superblock SID. */
1327 isec->sid = sbsec->sid; 1370 isec->sid = sbsec->sid;
1328 1371
1329 if (sbsec->proc && !S_ISLNK(inode->i_mode)) { 1372 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1330 struct proc_inode *proci = PROC_I(inode); 1373 struct proc_inode *proci = PROC_I(inode);
1331 if (proci->pde) { 1374 if (proci->pde) {
1332 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1375 isec->sclass = inode_mode_to_security_class(inode->i_mode);
@@ -1587,7 +1630,7 @@ static int may_create(struct inode *dir,
1587 if (rc) 1630 if (rc)
1588 return rc; 1631 return rc;
1589 1632
1590 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) { 1633 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1591 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid); 1634 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1592 if (rc) 1635 if (rc)
1593 return rc; 1636 return rc;
@@ -1801,6 +1844,8 @@ static inline u32 open_file_to_av(struct file *file)
1801 av |= FIFO_FILE__OPEN; 1844 av |= FIFO_FILE__OPEN;
1802 else if (S_ISDIR(mode)) 1845 else if (S_ISDIR(mode))
1803 av |= DIR__OPEN; 1846 av |= DIR__OPEN;
1847 else if (S_ISSOCK(mode))
1848 av |= SOCK_FILE__OPEN;
1804 else 1849 else
1805 printk(KERN_ERR "SELinux: WARNING: inside %s with " 1850 printk(KERN_ERR "SELinux: WARNING: inside %s with "
1806 "unknown mode:%o\n", __func__, mode); 1851 "unknown mode:%o\n", __func__, mode);
@@ -1815,7 +1860,7 @@ static int selinux_ptrace_may_access(struct task_struct *child,
1815{ 1860{
1816 int rc; 1861 int rc;
1817 1862
1818 rc = secondary_ops->ptrace_may_access(child, mode); 1863 rc = cap_ptrace_may_access(child, mode);
1819 if (rc) 1864 if (rc)
1820 return rc; 1865 return rc;
1821 1866
@@ -1832,7 +1877,7 @@ static int selinux_ptrace_traceme(struct task_struct *parent)
1832{ 1877{
1833 int rc; 1878 int rc;
1834 1879
1835 rc = secondary_ops->ptrace_traceme(parent); 1880 rc = cap_ptrace_traceme(parent);
1836 if (rc) 1881 if (rc)
1837 return rc; 1882 return rc;
1838 1883
@@ -1848,7 +1893,7 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1848 if (error) 1893 if (error)
1849 return error; 1894 return error;
1850 1895
1851 return secondary_ops->capget(target, effective, inheritable, permitted); 1896 return cap_capget(target, effective, inheritable, permitted);
1852} 1897}
1853 1898
1854static int selinux_capset(struct cred *new, const struct cred *old, 1899static int selinux_capset(struct cred *new, const struct cred *old,
@@ -1858,7 +1903,7 @@ static int selinux_capset(struct cred *new, const struct cred *old,
1858{ 1903{
1859 int error; 1904 int error;
1860 1905
1861 error = secondary_ops->capset(new, old, 1906 error = cap_capset(new, old,
1862 effective, inheritable, permitted); 1907 effective, inheritable, permitted);
1863 if (error) 1908 if (error)
1864 return error; 1909 return error;
@@ -1866,12 +1911,22 @@ static int selinux_capset(struct cred *new, const struct cred *old,
1866 return cred_has_perm(old, new, PROCESS__SETCAP); 1911 return cred_has_perm(old, new, PROCESS__SETCAP);
1867} 1912}
1868 1913
1914/*
1915 * (This comment used to live with the selinux_task_setuid hook,
1916 * which was removed).
1917 *
1918 * Since setuid only affects the current process, and since the SELinux
1919 * controls are not based on the Linux identity attributes, SELinux does not
1920 * need to control this operation. However, SELinux does control the use of
1921 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1922 */
1923
1869static int selinux_capable(struct task_struct *tsk, const struct cred *cred, 1924static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1870 int cap, int audit) 1925 int cap, int audit)
1871{ 1926{
1872 int rc; 1927 int rc;
1873 1928
1874 rc = secondary_ops->capable(tsk, cred, cap, audit); 1929 rc = cap_capable(tsk, cred, cap, audit);
1875 if (rc) 1930 if (rc)
1876 return rc; 1931 return rc;
1877 1932
@@ -1926,10 +1981,6 @@ static int selinux_sysctl(ctl_table *table, int op)
1926 u32 tsid, sid; 1981 u32 tsid, sid;
1927 int rc; 1982 int rc;
1928 1983
1929 rc = secondary_ops->sysctl(table, op);
1930 if (rc)
1931 return rc;
1932
1933 sid = current_sid(); 1984 sid = current_sid();
1934 1985
1935 rc = selinux_sysctl_get_sid(table, (op == 0001) ? 1986 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
@@ -1997,7 +2048,7 @@ static int selinux_syslog(int type)
1997{ 2048{
1998 int rc; 2049 int rc;
1999 2050
2000 rc = secondary_ops->syslog(type); 2051 rc = cap_syslog(type);
2001 if (rc) 2052 if (rc)
2002 return rc; 2053 return rc;
2003 2054
@@ -2028,10 +2079,6 @@ static int selinux_syslog(int type)
2028 * mapping. 0 means there is enough memory for the allocation to 2079 * mapping. 0 means there is enough memory for the allocation to
2029 * succeed and -ENOMEM implies there is not. 2080 * succeed and -ENOMEM implies there is not.
2030 * 2081 *
2031 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
2032 * if the capability is granted, but __vm_enough_memory requires 1 if
2033 * the capability is granted.
2034 *
2035 * Do not audit the selinux permission check, as this is applied to all 2082 * Do not audit the selinux permission check, as this is applied to all
2036 * processes that allocate mappings. 2083 * processes that allocate mappings.
2037 */ 2084 */
@@ -2058,7 +2105,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2058 struct inode *inode = bprm->file->f_path.dentry->d_inode; 2105 struct inode *inode = bprm->file->f_path.dentry->d_inode;
2059 int rc; 2106 int rc;
2060 2107
2061 rc = secondary_ops->bprm_set_creds(bprm); 2108 rc = cap_bprm_set_creds(bprm);
2062 if (rc) 2109 if (rc)
2063 return rc; 2110 return rc;
2064 2111
@@ -2156,11 +2203,6 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2156 return 0; 2203 return 0;
2157} 2204}
2158 2205
2159static int selinux_bprm_check_security(struct linux_binprm *bprm)
2160{
2161 return secondary_ops->bprm_check_security(bprm);
2162}
2163
2164static int selinux_bprm_secureexec(struct linux_binprm *bprm) 2206static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2165{ 2207{
2166 const struct cred *cred = current_cred(); 2208 const struct cred *cred = current_cred();
@@ -2180,7 +2222,7 @@ static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2180 PROCESS__NOATSECURE, NULL); 2222 PROCESS__NOATSECURE, NULL);
2181 } 2223 }
2182 2224
2183 return (atsecure || secondary_ops->bprm_secureexec(bprm)); 2225 return (atsecure || cap_bprm_secureexec(bprm));
2184} 2226}
2185 2227
2186extern struct vfsmount *selinuxfs_mount; 2228extern struct vfsmount *selinuxfs_mount;
@@ -2290,8 +2332,6 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2290 struct rlimit *rlim, *initrlim; 2332 struct rlimit *rlim, *initrlim;
2291 int rc, i; 2333 int rc, i;
2292 2334
2293 secondary_ops->bprm_committing_creds(bprm);
2294
2295 new_tsec = bprm->cred->security; 2335 new_tsec = bprm->cred->security;
2296 if (new_tsec->sid == new_tsec->osid) 2336 if (new_tsec->sid == new_tsec->osid)
2297 return; 2337 return;
@@ -2332,12 +2372,8 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2332{ 2372{
2333 const struct task_security_struct *tsec = current_security(); 2373 const struct task_security_struct *tsec = current_security();
2334 struct itimerval itimer; 2374 struct itimerval itimer;
2335 struct sighand_struct *psig;
2336 u32 osid, sid; 2375 u32 osid, sid;
2337 int rc, i; 2376 int rc, i;
2338 unsigned long flags;
2339
2340 secondary_ops->bprm_committed_creds(bprm);
2341 2377
2342 osid = tsec->osid; 2378 osid = tsec->osid;
2343 sid = tsec->sid; 2379 sid = tsec->sid;
@@ -2357,22 +2393,20 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2357 memset(&itimer, 0, sizeof itimer); 2393 memset(&itimer, 0, sizeof itimer);
2358 for (i = 0; i < 3; i++) 2394 for (i = 0; i < 3; i++)
2359 do_setitimer(i, &itimer, NULL); 2395 do_setitimer(i, &itimer, NULL);
2360 flush_signals(current);
2361 spin_lock_irq(&current->sighand->siglock); 2396 spin_lock_irq(&current->sighand->siglock);
2362 flush_signal_handlers(current, 1); 2397 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2363 sigemptyset(&current->blocked); 2398 __flush_signals(current);
2364 recalc_sigpending(); 2399 flush_signal_handlers(current, 1);
2400 sigemptyset(&current->blocked);
2401 }
2365 spin_unlock_irq(&current->sighand->siglock); 2402 spin_unlock_irq(&current->sighand->siglock);
2366 } 2403 }
2367 2404
2368 /* Wake up the parent if it is waiting so that it can recheck 2405 /* Wake up the parent if it is waiting so that it can recheck
2369 * wait permission to the new task SID. */ 2406 * wait permission to the new task SID. */
2370 read_lock_irq(&tasklist_lock); 2407 read_lock(&tasklist_lock);
2371 psig = current->parent->sighand; 2408 wake_up_interruptible(&current->real_parent->signal->wait_chldexit);
2372 spin_lock_irqsave(&psig->siglock, flags); 2409 read_unlock(&tasklist_lock);
2373 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2374 spin_unlock_irqrestore(&psig->siglock, flags);
2375 read_unlock_irq(&tasklist_lock);
2376} 2410}
2377 2411
2378/* superblock security operations */ 2412/* superblock security operations */
@@ -2400,7 +2434,8 @@ static inline int selinux_option(char *option, int len)
2400 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || 2434 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2401 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || 2435 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2402 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || 2436 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2403 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len)); 2437 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2438 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2404} 2439}
2405 2440
2406static inline void take_option(char **to, char *from, int *first, int len) 2441static inline void take_option(char **to, char *from, int *first, int len)
@@ -2513,11 +2548,6 @@ static int selinux_mount(char *dev_name,
2513 void *data) 2548 void *data)
2514{ 2549{
2515 const struct cred *cred = current_cred(); 2550 const struct cred *cred = current_cred();
2516 int rc;
2517
2518 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2519 if (rc)
2520 return rc;
2521 2551
2522 if (flags & MS_REMOUNT) 2552 if (flags & MS_REMOUNT)
2523 return superblock_has_perm(cred, path->mnt->mnt_sb, 2553 return superblock_has_perm(cred, path->mnt->mnt_sb,
@@ -2530,11 +2560,6 @@ static int selinux_mount(char *dev_name,
2530static int selinux_umount(struct vfsmount *mnt, int flags) 2560static int selinux_umount(struct vfsmount *mnt, int flags)
2531{ 2561{
2532 const struct cred *cred = current_cred(); 2562 const struct cred *cred = current_cred();
2533 int rc;
2534
2535 rc = secondary_ops->sb_umount(mnt, flags);
2536 if (rc)
2537 return rc;
2538 2563
2539 return superblock_has_perm(cred, mnt->mnt_sb, 2564 return superblock_has_perm(cred, mnt->mnt_sb,
2540 FILESYSTEM__UNMOUNT, NULL); 2565 FILESYSTEM__UNMOUNT, NULL);
@@ -2570,7 +2595,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2570 sid = tsec->sid; 2595 sid = tsec->sid;
2571 newsid = tsec->create_sid; 2596 newsid = tsec->create_sid;
2572 2597
2573 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) { 2598 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2574 rc = security_transition_sid(sid, dsec->sid, 2599 rc = security_transition_sid(sid, dsec->sid,
2575 inode_mode_to_security_class(inode->i_mode), 2600 inode_mode_to_security_class(inode->i_mode),
2576 &newsid); 2601 &newsid);
@@ -2585,14 +2610,14 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2585 } 2610 }
2586 2611
2587 /* Possibly defer initialization to selinux_complete_init. */ 2612 /* Possibly defer initialization to selinux_complete_init. */
2588 if (sbsec->initialized) { 2613 if (sbsec->flags & SE_SBINITIALIZED) {
2589 struct inode_security_struct *isec = inode->i_security; 2614 struct inode_security_struct *isec = inode->i_security;
2590 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2615 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2591 isec->sid = newsid; 2616 isec->sid = newsid;
2592 isec->initialized = 1; 2617 isec->initialized = 1;
2593 } 2618 }
2594 2619
2595 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 2620 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2596 return -EOPNOTSUPP; 2621 return -EOPNOTSUPP;
2597 2622
2598 if (name) { 2623 if (name) {
@@ -2622,21 +2647,11 @@ static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int ma
2622 2647
2623static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2648static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2624{ 2649{
2625 int rc;
2626
2627 rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2628 if (rc)
2629 return rc;
2630 return may_link(dir, old_dentry, MAY_LINK); 2650 return may_link(dir, old_dentry, MAY_LINK);
2631} 2651}
2632 2652
2633static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2653static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2634{ 2654{
2635 int rc;
2636
2637 rc = secondary_ops->inode_unlink(dir, dentry);
2638 if (rc)
2639 return rc;
2640 return may_link(dir, dentry, MAY_UNLINK); 2655 return may_link(dir, dentry, MAY_UNLINK);
2641} 2656}
2642 2657
@@ -2657,12 +2672,6 @@ static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2657 2672
2658static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) 2673static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2659{ 2674{
2660 int rc;
2661
2662 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2663 if (rc)
2664 return rc;
2665
2666 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2675 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2667} 2676}
2668 2677
@@ -2682,22 +2691,13 @@ static int selinux_inode_readlink(struct dentry *dentry)
2682static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) 2691static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2683{ 2692{
2684 const struct cred *cred = current_cred(); 2693 const struct cred *cred = current_cred();
2685 int rc;
2686 2694
2687 rc = secondary_ops->inode_follow_link(dentry, nameidata);
2688 if (rc)
2689 return rc;
2690 return dentry_has_perm(cred, NULL, dentry, FILE__READ); 2695 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2691} 2696}
2692 2697
2693static int selinux_inode_permission(struct inode *inode, int mask) 2698static int selinux_inode_permission(struct inode *inode, int mask)
2694{ 2699{
2695 const struct cred *cred = current_cred(); 2700 const struct cred *cred = current_cred();
2696 int rc;
2697
2698 rc = secondary_ops->inode_permission(inode, mask);
2699 if (rc)
2700 return rc;
2701 2701
2702 if (!mask) { 2702 if (!mask) {
2703 /* No permission to check. Existence test. */ 2703 /* No permission to check. Existence test. */
@@ -2711,11 +2711,6 @@ static int selinux_inode_permission(struct inode *inode, int mask)
2711static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2711static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2712{ 2712{
2713 const struct cred *cred = current_cred(); 2713 const struct cred *cred = current_cred();
2714 int rc;
2715
2716 rc = secondary_ops->inode_setattr(dentry, iattr);
2717 if (rc)
2718 return rc;
2719 2714
2720 if (iattr->ia_valid & ATTR_FORCE) 2715 if (iattr->ia_valid & ATTR_FORCE)
2721 return 0; 2716 return 0;
@@ -2769,7 +2764,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2769 return selinux_inode_setotherxattr(dentry, name); 2764 return selinux_inode_setotherxattr(dentry, name);
2770 2765
2771 sbsec = inode->i_sb->s_security; 2766 sbsec = inode->i_sb->s_security;
2772 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 2767 if (!(sbsec->flags & SE_SBLABELSUPP))
2773 return -EOPNOTSUPP; 2768 return -EOPNOTSUPP;
2774 2769
2775 if (!is_owner_or_cap(inode)) 2770 if (!is_owner_or_cap(inode))
@@ -2931,16 +2926,6 @@ static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t
2931 return len; 2926 return len;
2932} 2927}
2933 2928
2934static int selinux_inode_need_killpriv(struct dentry *dentry)
2935{
2936 return secondary_ops->inode_need_killpriv(dentry);
2937}
2938
2939static int selinux_inode_killpriv(struct dentry *dentry)
2940{
2941 return secondary_ops->inode_killpriv(dentry);
2942}
2943
2944static void selinux_inode_getsecid(const struct inode *inode, u32 *secid) 2929static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2945{ 2930{
2946 struct inode_security_struct *isec = inode->i_security; 2931 struct inode_security_struct *isec = inode->i_security;
@@ -2952,7 +2937,6 @@ static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2952static int selinux_revalidate_file_permission(struct file *file, int mask) 2937static int selinux_revalidate_file_permission(struct file *file, int mask)
2953{ 2938{
2954 const struct cred *cred = current_cred(); 2939 const struct cred *cred = current_cred();
2955 int rc;
2956 struct inode *inode = file->f_path.dentry->d_inode; 2940 struct inode *inode = file->f_path.dentry->d_inode;
2957 2941
2958 if (!mask) { 2942 if (!mask) {
@@ -2964,29 +2948,15 @@ static int selinux_revalidate_file_permission(struct file *file, int mask)
2964 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 2948 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2965 mask |= MAY_APPEND; 2949 mask |= MAY_APPEND;
2966 2950
2967 rc = file_has_perm(cred, file, 2951 return file_has_perm(cred, file,
2968 file_mask_to_av(inode->i_mode, mask)); 2952 file_mask_to_av(inode->i_mode, mask));
2969 if (rc)
2970 return rc;
2971
2972 return selinux_netlbl_inode_permission(inode, mask);
2973} 2953}
2974 2954
2975static int selinux_file_permission(struct file *file, int mask) 2955static int selinux_file_permission(struct file *file, int mask)
2976{ 2956{
2977 struct inode *inode = file->f_path.dentry->d_inode; 2957 if (!mask)
2978 struct file_security_struct *fsec = file->f_security;
2979 struct inode_security_struct *isec = inode->i_security;
2980 u32 sid = current_sid();
2981
2982 if (!mask) {
2983 /* No permission to check. Existence test. */ 2958 /* No permission to check. Existence test. */
2984 return 0; 2959 return 0;
2985 }
2986
2987 if (sid == fsec->sid && fsec->isid == isec->sid
2988 && fsec->pseqno == avc_policy_seqno())
2989 return selinux_netlbl_inode_permission(inode, mask);
2990 2960
2991 return selinux_revalidate_file_permission(file, mask); 2961 return selinux_revalidate_file_permission(file, mask);
2992} 2962}
@@ -3060,9 +3030,21 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3060 int rc = 0; 3030 int rc = 0;
3061 u32 sid = current_sid(); 3031 u32 sid = current_sid();
3062 3032
3063 if (addr < mmap_min_addr) 3033 /*
3034 * notice that we are intentionally putting the SELinux check before
3035 * the secondary cap_file_mmap check. This is such a likely attempt
3036 * at bad behaviour/exploit that we always want to get the AVC, even
3037 * if DAC would have also denied the operation.
3038 */
3039 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3064 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3040 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3065 MEMPROTECT__MMAP_ZERO, NULL); 3041 MEMPROTECT__MMAP_ZERO, NULL);
3042 if (rc)
3043 return rc;
3044 }
3045
3046 /* do DAC check on address space usage */
3047 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3066 if (rc || addr_only) 3048 if (rc || addr_only)
3067 return rc; 3049 return rc;
3068 3050
@@ -3078,18 +3060,13 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
3078 unsigned long prot) 3060 unsigned long prot)
3079{ 3061{
3080 const struct cred *cred = current_cred(); 3062 const struct cred *cred = current_cred();
3081 int rc;
3082
3083 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3084 if (rc)
3085 return rc;
3086 3063
3087 if (selinux_checkreqprot) 3064 if (selinux_checkreqprot)
3088 prot = reqprot; 3065 prot = reqprot;
3089 3066
3090#ifndef CONFIG_PPC32 3067#ifndef CONFIG_PPC32
3091 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3068 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3092 rc = 0; 3069 int rc = 0;
3093 if (vma->vm_start >= vma->vm_mm->start_brk && 3070 if (vma->vm_start >= vma->vm_mm->start_brk &&
3094 vma->vm_end <= vma->vm_mm->brk) { 3071 vma->vm_end <= vma->vm_mm->brk) {
3095 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP); 3072 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
@@ -3181,7 +3158,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
3181 struct fown_struct *fown, int signum) 3158 struct fown_struct *fown, int signum)
3182{ 3159{
3183 struct file *file; 3160 struct file *file;
3184 u32 sid = current_sid(); 3161 u32 sid = task_sid(tsk);
3185 u32 perm; 3162 u32 perm;
3186 struct file_security_struct *fsec; 3163 struct file_security_struct *fsec;
3187 3164
@@ -3239,12 +3216,6 @@ static int selinux_dentry_open(struct file *file, const struct cred *cred)
3239 3216
3240static int selinux_task_create(unsigned long clone_flags) 3217static int selinux_task_create(unsigned long clone_flags)
3241{ 3218{
3242 int rc;
3243
3244 rc = secondary_ops->task_create(clone_flags);
3245 if (rc)
3246 return rc;
3247
3248 return current_has_perm(current, PROCESS__FORK); 3219 return current_has_perm(current, PROCESS__FORK);
3249} 3220}
3250 3221
@@ -3278,14 +3249,6 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3278} 3249}
3279 3250
3280/* 3251/*
3281 * commit new credentials
3282 */
3283static void selinux_cred_commit(struct cred *new, const struct cred *old)
3284{
3285 secondary_ops->cred_commit(new, old);
3286}
3287
3288/*
3289 * set the security data for a kernel service 3252 * set the security data for a kernel service
3290 * - all the creation contexts are set to unlabelled 3253 * - all the creation contexts are set to unlabelled
3291 */ 3254 */
@@ -3329,29 +3292,6 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3329 return 0; 3292 return 0;
3330} 3293}
3331 3294
3332static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3333{
3334 /* Since setuid only affects the current process, and
3335 since the SELinux controls are not based on the Linux
3336 identity attributes, SELinux does not need to control
3337 this operation. However, SELinux does control the use
3338 of the CAP_SETUID and CAP_SETGID capabilities using the
3339 capable hook. */
3340 return 0;
3341}
3342
3343static int selinux_task_fix_setuid(struct cred *new, const struct cred *old,
3344 int flags)
3345{
3346 return secondary_ops->task_fix_setuid(new, old, flags);
3347}
3348
3349static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3350{
3351 /* See the comment for setuid above. */
3352 return 0;
3353}
3354
3355static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3295static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3356{ 3296{
3357 return current_has_perm(p, PROCESS__SETPGID); 3297 return current_has_perm(p, PROCESS__SETPGID);
@@ -3372,17 +3312,11 @@ static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3372 *secid = task_sid(p); 3312 *secid = task_sid(p);
3373} 3313}
3374 3314
3375static int selinux_task_setgroups(struct group_info *group_info)
3376{
3377 /* See the comment for setuid above. */
3378 return 0;
3379}
3380
3381static int selinux_task_setnice(struct task_struct *p, int nice) 3315static int selinux_task_setnice(struct task_struct *p, int nice)
3382{ 3316{
3383 int rc; 3317 int rc;
3384 3318
3385 rc = secondary_ops->task_setnice(p, nice); 3319 rc = cap_task_setnice(p, nice);
3386 if (rc) 3320 if (rc)
3387 return rc; 3321 return rc;
3388 3322
@@ -3393,7 +3327,7 @@ static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3393{ 3327{
3394 int rc; 3328 int rc;
3395 3329
3396 rc = secondary_ops->task_setioprio(p, ioprio); 3330 rc = cap_task_setioprio(p, ioprio);
3397 if (rc) 3331 if (rc)
3398 return rc; 3332 return rc;
3399 3333
@@ -3408,11 +3342,6 @@ static int selinux_task_getioprio(struct task_struct *p)
3408static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) 3342static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3409{ 3343{
3410 struct rlimit *old_rlim = current->signal->rlim + resource; 3344 struct rlimit *old_rlim = current->signal->rlim + resource;
3411 int rc;
3412
3413 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3414 if (rc)
3415 return rc;
3416 3345
3417 /* Control the ability to change the hard limit (whether 3346 /* Control the ability to change the hard limit (whether
3418 lowering or raising it), so that the hard limit can 3347 lowering or raising it), so that the hard limit can
@@ -3428,7 +3357,7 @@ static int selinux_task_setscheduler(struct task_struct *p, int policy, struct s
3428{ 3357{
3429 int rc; 3358 int rc;
3430 3359
3431 rc = secondary_ops->task_setscheduler(p, policy, lp); 3360 rc = cap_task_setscheduler(p, policy, lp);
3432 if (rc) 3361 if (rc)
3433 return rc; 3362 return rc;
3434 3363
@@ -3451,10 +3380,6 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3451 u32 perm; 3380 u32 perm;
3452 int rc; 3381 int rc;
3453 3382
3454 rc = secondary_ops->task_kill(p, info, sig, secid);
3455 if (rc)
3456 return rc;
3457
3458 if (!sig) 3383 if (!sig)
3459 perm = PROCESS__SIGNULL; /* null signal; existence test */ 3384 perm = PROCESS__SIGNULL; /* null signal; existence test */
3460 else 3385 else
@@ -3467,18 +3392,6 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3467 return rc; 3392 return rc;
3468} 3393}
3469 3394
3470static int selinux_task_prctl(int option,
3471 unsigned long arg2,
3472 unsigned long arg3,
3473 unsigned long arg4,
3474 unsigned long arg5)
3475{
3476 /* The current prctl operations do not appear to require
3477 any SELinux controls since they merely observe or modify
3478 the state of the current process. */
3479 return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5);
3480}
3481
3482static int selinux_task_wait(struct task_struct *p) 3395static int selinux_task_wait(struct task_struct *p)
3483{ 3396{
3484 return task_has_perm(p, current, PROCESS__SIGCHLD); 3397 return task_has_perm(p, current, PROCESS__SIGCHLD);
@@ -3799,7 +3712,7 @@ static int selinux_socket_post_create(struct socket *sock, int family,
3799 sksec = sock->sk->sk_security; 3712 sksec = sock->sk->sk_security;
3800 sksec->sid = isec->sid; 3713 sksec->sid = isec->sid;
3801 sksec->sclass = isec->sclass; 3714 sksec->sclass = isec->sclass;
3802 err = selinux_netlbl_socket_post_create(sock); 3715 err = selinux_netlbl_socket_post_create(sock->sk, family);
3803 } 3716 }
3804 3717
3805 return err; 3718 return err;
@@ -3990,13 +3903,7 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3990static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3903static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3991 int size) 3904 int size)
3992{ 3905{
3993 int rc; 3906 return socket_has_perm(current, sock, SOCKET__WRITE);
3994
3995 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3996 if (rc)
3997 return rc;
3998
3999 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
4000} 3907}
4001 3908
4002static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 3909static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
@@ -4047,10 +3954,6 @@ static int selinux_socket_unix_stream_connect(struct socket *sock,
4047 struct avc_audit_data ad; 3954 struct avc_audit_data ad;
4048 int err; 3955 int err;
4049 3956
4050 err = secondary_ops->unix_stream_connect(sock, other, newsk);
4051 if (err)
4052 return err;
4053
4054 isec = SOCK_INODE(sock)->i_security; 3957 isec = SOCK_INODE(sock)->i_security;
4055 other_isec = SOCK_INODE(other)->i_security; 3958 other_isec = SOCK_INODE(other)->i_security;
4056 3959
@@ -4120,72 +4023,6 @@ static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4120 SECCLASS_NODE, NODE__RECVFROM, ad); 4023 SECCLASS_NODE, NODE__RECVFROM, ad);
4121} 4024}
4122 4025
4123static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4124 struct sk_buff *skb,
4125 struct avc_audit_data *ad,
4126 u16 family,
4127 char *addrp)
4128{
4129 int err;
4130 struct sk_security_struct *sksec = sk->sk_security;
4131 u16 sk_class;
4132 u32 netif_perm, node_perm, recv_perm;
4133 u32 port_sid, node_sid, if_sid, sk_sid;
4134
4135 sk_sid = sksec->sid;
4136 sk_class = sksec->sclass;
4137
4138 switch (sk_class) {
4139 case SECCLASS_UDP_SOCKET:
4140 netif_perm = NETIF__UDP_RECV;
4141 node_perm = NODE__UDP_RECV;
4142 recv_perm = UDP_SOCKET__RECV_MSG;
4143 break;
4144 case SECCLASS_TCP_SOCKET:
4145 netif_perm = NETIF__TCP_RECV;
4146 node_perm = NODE__TCP_RECV;
4147 recv_perm = TCP_SOCKET__RECV_MSG;
4148 break;
4149 case SECCLASS_DCCP_SOCKET:
4150 netif_perm = NETIF__DCCP_RECV;
4151 node_perm = NODE__DCCP_RECV;
4152 recv_perm = DCCP_SOCKET__RECV_MSG;
4153 break;
4154 default:
4155 netif_perm = NETIF__RAWIP_RECV;
4156 node_perm = NODE__RAWIP_RECV;
4157 recv_perm = 0;
4158 break;
4159 }
4160
4161 err = sel_netif_sid(skb->iif, &if_sid);
4162 if (err)
4163 return err;
4164 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4165 if (err)
4166 return err;
4167
4168 err = sel_netnode_sid(addrp, family, &node_sid);
4169 if (err)
4170 return err;
4171 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4172 if (err)
4173 return err;
4174
4175 if (!recv_perm)
4176 return 0;
4177 err = sel_netport_sid(sk->sk_protocol,
4178 ntohs(ad->u.net.sport), &port_sid);
4179 if (unlikely(err)) {
4180 printk(KERN_WARNING
4181 "SELinux: failure in"
4182 " selinux_sock_rcv_skb_iptables_compat(),"
4183 " network port label not found\n");
4184 return err;
4185 }
4186 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4187}
4188
4189static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4026static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4190 u16 family) 4027 u16 family)
4191{ 4028{
@@ -4203,14 +4040,12 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4203 if (err) 4040 if (err)
4204 return err; 4041 return err;
4205 4042
4206 if (selinux_compat_net) 4043 if (selinux_secmark_enabled()) {
4207 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
4208 family, addrp);
4209 else if (selinux_secmark_enabled())
4210 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4044 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4211 PACKET__RECV, &ad); 4045 PACKET__RECV, &ad);
4212 if (err) 4046 if (err)
4213 return err; 4047 return err;
4048 }
4214 4049
4215 if (selinux_policycap_netpeer) { 4050 if (selinux_policycap_netpeer) {
4216 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4051 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
@@ -4252,7 +4087,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4252 * to the selinux_sock_rcv_skb_compat() function to deal with the 4087 * to the selinux_sock_rcv_skb_compat() function to deal with the
4253 * special handling. We do this in an attempt to keep this function 4088 * special handling. We do this in an attempt to keep this function
4254 * as fast and as clean as possible. */ 4089 * as fast and as clean as possible. */
4255 if (selinux_compat_net || !selinux_policycap_netpeer) 4090 if (!selinux_policycap_netpeer)
4256 return selinux_sock_rcv_skb_compat(sk, skb, family); 4091 return selinux_sock_rcv_skb_compat(sk, skb, family);
4257 4092
4258 secmark_active = selinux_secmark_enabled(); 4093 secmark_active = selinux_secmark_enabled();
@@ -4384,7 +4219,7 @@ static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4384 newssec->peer_sid = ssec->peer_sid; 4219 newssec->peer_sid = ssec->peer_sid;
4385 newssec->sclass = ssec->sclass; 4220 newssec->sclass = ssec->sclass;
4386 4221
4387 selinux_netlbl_sk_security_reset(newssec, newsk->sk_family); 4222 selinux_netlbl_sk_security_reset(newssec);
4388} 4223}
4389 4224
4390static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 4225static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
@@ -4428,16 +4263,15 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4428 if (peersid == SECSID_NULL) { 4263 if (peersid == SECSID_NULL) {
4429 req->secid = sksec->sid; 4264 req->secid = sksec->sid;
4430 req->peer_secid = SECSID_NULL; 4265 req->peer_secid = SECSID_NULL;
4431 return 0; 4266 } else {
4267 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4268 if (err)
4269 return err;
4270 req->secid = newsid;
4271 req->peer_secid = peersid;
4432 } 4272 }
4433 4273
4434 err = security_sid_mls_copy(sksec->sid, peersid, &newsid); 4274 return selinux_netlbl_inet_conn_request(req, family);
4435 if (err)
4436 return err;
4437
4438 req->secid = newsid;
4439 req->peer_secid = peersid;
4440 return 0;
4441} 4275}
4442 4276
4443static void selinux_inet_csk_clone(struct sock *newsk, 4277static void selinux_inet_csk_clone(struct sock *newsk,
@@ -4454,7 +4288,7 @@ static void selinux_inet_csk_clone(struct sock *newsk,
4454 4288
4455 /* We don't need to take any sort of lock here as we are the only 4289 /* We don't need to take any sort of lock here as we are the only
4456 * thread with access to newsksec */ 4290 * thread with access to newsksec */
4457 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family); 4291 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4458} 4292}
4459 4293
4460static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 4294static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
@@ -4467,8 +4301,6 @@ static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4467 family = PF_INET; 4301 family = PF_INET;
4468 4302
4469 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 4303 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4470
4471 selinux_netlbl_inet_conn_established(sk, family);
4472} 4304}
4473 4305
4474static void selinux_req_classify_flow(const struct request_sock *req, 4306static void selinux_req_classify_flow(const struct request_sock *req,
@@ -4620,71 +4452,6 @@ static unsigned int selinux_ipv4_output(unsigned int hooknum,
4620 return selinux_ip_output(skb, PF_INET); 4452 return selinux_ip_output(skb, PF_INET);
4621} 4453}
4622 4454
4623static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4624 int ifindex,
4625 struct avc_audit_data *ad,
4626 u16 family, char *addrp)
4627{
4628 int err;
4629 struct sk_security_struct *sksec = sk->sk_security;
4630 u16 sk_class;
4631 u32 netif_perm, node_perm, send_perm;
4632 u32 port_sid, node_sid, if_sid, sk_sid;
4633
4634 sk_sid = sksec->sid;
4635 sk_class = sksec->sclass;
4636
4637 switch (sk_class) {
4638 case SECCLASS_UDP_SOCKET:
4639 netif_perm = NETIF__UDP_SEND;
4640 node_perm = NODE__UDP_SEND;
4641 send_perm = UDP_SOCKET__SEND_MSG;
4642 break;
4643 case SECCLASS_TCP_SOCKET:
4644 netif_perm = NETIF__TCP_SEND;
4645 node_perm = NODE__TCP_SEND;
4646 send_perm = TCP_SOCKET__SEND_MSG;
4647 break;
4648 case SECCLASS_DCCP_SOCKET:
4649 netif_perm = NETIF__DCCP_SEND;
4650 node_perm = NODE__DCCP_SEND;
4651 send_perm = DCCP_SOCKET__SEND_MSG;
4652 break;
4653 default:
4654 netif_perm = NETIF__RAWIP_SEND;
4655 node_perm = NODE__RAWIP_SEND;
4656 send_perm = 0;
4657 break;
4658 }
4659
4660 err = sel_netif_sid(ifindex, &if_sid);
4661 if (err)
4662 return err;
4663 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4664 return err;
4665
4666 err = sel_netnode_sid(addrp, family, &node_sid);
4667 if (err)
4668 return err;
4669 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4670 if (err)
4671 return err;
4672
4673 if (send_perm != 0)
4674 return 0;
4675
4676 err = sel_netport_sid(sk->sk_protocol,
4677 ntohs(ad->u.net.dport), &port_sid);
4678 if (unlikely(err)) {
4679 printk(KERN_WARNING
4680 "SELinux: failure in"
4681 " selinux_ip_postroute_iptables_compat(),"
4682 " network port label not found\n");
4683 return err;
4684 }
4685 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4686}
4687
4688static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 4455static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4689 int ifindex, 4456 int ifindex,
4690 u16 family) 4457 u16 family)
@@ -4705,15 +4472,10 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4705 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 4472 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4706 return NF_DROP; 4473 return NF_DROP;
4707 4474
4708 if (selinux_compat_net) { 4475 if (selinux_secmark_enabled())
4709 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4710 &ad, family, addrp))
4711 return NF_DROP;
4712 } else if (selinux_secmark_enabled()) {
4713 if (avc_has_perm(sksec->sid, skb->secmark, 4476 if (avc_has_perm(sksec->sid, skb->secmark,
4714 SECCLASS_PACKET, PACKET__SEND, &ad)) 4477 SECCLASS_PACKET, PACKET__SEND, &ad))
4715 return NF_DROP; 4478 return NF_DROP;
4716 }
4717 4479
4718 if (selinux_policycap_netpeer) 4480 if (selinux_policycap_netpeer)
4719 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 4481 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
@@ -4737,7 +4499,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4737 * to the selinux_ip_postroute_compat() function to deal with the 4499 * to the selinux_ip_postroute_compat() function to deal with the
4738 * special handling. We do this in an attempt to keep this function 4500 * special handling. We do this in an attempt to keep this function
4739 * as fast and as clean as possible. */ 4501 * as fast and as clean as possible. */
4740 if (selinux_compat_net || !selinux_policycap_netpeer) 4502 if (!selinux_policycap_netpeer)
4741 return selinux_ip_postroute_compat(skb, ifindex, family); 4503 return selinux_ip_postroute_compat(skb, ifindex, family);
4742#ifdef CONFIG_XFRM 4504#ifdef CONFIG_XFRM
4743 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 4505 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
@@ -4746,7 +4508,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4746 * when the packet is on it's final way out. 4508 * when the packet is on it's final way out.
4747 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 4509 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4748 * is NULL, in this case go ahead and apply access control. */ 4510 * is NULL, in this case go ahead and apply access control. */
4749 if (skb->dst != NULL && skb->dst->xfrm != NULL) 4511 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4750 return NF_ACCEPT; 4512 return NF_ACCEPT;
4751#endif 4513#endif
4752 secmark_active = selinux_secmark_enabled(); 4514 secmark_active = selinux_secmark_enabled();
@@ -4844,7 +4606,7 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4844{ 4606{
4845 int err; 4607 int err;
4846 4608
4847 err = secondary_ops->netlink_send(sk, skb); 4609 err = cap_netlink_send(sk, skb);
4848 if (err) 4610 if (err)
4849 return err; 4611 return err;
4850 4612
@@ -4859,7 +4621,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4859 int err; 4621 int err;
4860 struct avc_audit_data ad; 4622 struct avc_audit_data ad;
4861 4623
4862 err = secondary_ops->netlink_recv(skb, capability); 4624 err = cap_netlink_recv(skb, capability);
4863 if (err) 4625 if (err)
4864 return err; 4626 return err;
4865 4627
@@ -5167,11 +4929,6 @@ static int selinux_shm_shmat(struct shmid_kernel *shp,
5167 char __user *shmaddr, int shmflg) 4929 char __user *shmaddr, int shmflg)
5168{ 4930{
5169 u32 perms; 4931 u32 perms;
5170 int rc;
5171
5172 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
5173 if (rc)
5174 return rc;
5175 4932
5176 if (shmflg & SHM_RDONLY) 4933 if (shmflg & SHM_RDONLY)
5177 perms = SHM__READ; 4934 perms = SHM__READ;
@@ -5581,7 +5338,6 @@ static struct security_operations selinux_ops = {
5581 .netlink_recv = selinux_netlink_recv, 5338 .netlink_recv = selinux_netlink_recv,
5582 5339
5583 .bprm_set_creds = selinux_bprm_set_creds, 5340 .bprm_set_creds = selinux_bprm_set_creds,
5584 .bprm_check_security = selinux_bprm_check_security,
5585 .bprm_committing_creds = selinux_bprm_committing_creds, 5341 .bprm_committing_creds = selinux_bprm_committing_creds,
5586 .bprm_committed_creds = selinux_bprm_committed_creds, 5342 .bprm_committed_creds = selinux_bprm_committed_creds,
5587 .bprm_secureexec = selinux_bprm_secureexec, 5343 .bprm_secureexec = selinux_bprm_secureexec,
@@ -5623,8 +5379,6 @@ static struct security_operations selinux_ops = {
5623 .inode_getsecurity = selinux_inode_getsecurity, 5379 .inode_getsecurity = selinux_inode_getsecurity,
5624 .inode_setsecurity = selinux_inode_setsecurity, 5380 .inode_setsecurity = selinux_inode_setsecurity,
5625 .inode_listsecurity = selinux_inode_listsecurity, 5381 .inode_listsecurity = selinux_inode_listsecurity,
5626 .inode_need_killpriv = selinux_inode_need_killpriv,
5627 .inode_killpriv = selinux_inode_killpriv,
5628 .inode_getsecid = selinux_inode_getsecid, 5382 .inode_getsecid = selinux_inode_getsecid,
5629 5383
5630 .file_permission = selinux_file_permission, 5384 .file_permission = selinux_file_permission,
@@ -5644,17 +5398,12 @@ static struct security_operations selinux_ops = {
5644 .task_create = selinux_task_create, 5398 .task_create = selinux_task_create,
5645 .cred_free = selinux_cred_free, 5399 .cred_free = selinux_cred_free,
5646 .cred_prepare = selinux_cred_prepare, 5400 .cred_prepare = selinux_cred_prepare,
5647 .cred_commit = selinux_cred_commit,
5648 .kernel_act_as = selinux_kernel_act_as, 5401 .kernel_act_as = selinux_kernel_act_as,
5649 .kernel_create_files_as = selinux_kernel_create_files_as, 5402 .kernel_create_files_as = selinux_kernel_create_files_as,
5650 .task_setuid = selinux_task_setuid,
5651 .task_fix_setuid = selinux_task_fix_setuid,
5652 .task_setgid = selinux_task_setgid,
5653 .task_setpgid = selinux_task_setpgid, 5403 .task_setpgid = selinux_task_setpgid,
5654 .task_getpgid = selinux_task_getpgid, 5404 .task_getpgid = selinux_task_getpgid,
5655 .task_getsid = selinux_task_getsid, 5405 .task_getsid = selinux_task_getsid,
5656 .task_getsecid = selinux_task_getsecid, 5406 .task_getsecid = selinux_task_getsecid,
5657 .task_setgroups = selinux_task_setgroups,
5658 .task_setnice = selinux_task_setnice, 5407 .task_setnice = selinux_task_setnice,
5659 .task_setioprio = selinux_task_setioprio, 5408 .task_setioprio = selinux_task_setioprio,
5660 .task_getioprio = selinux_task_getioprio, 5409 .task_getioprio = selinux_task_getioprio,
@@ -5664,7 +5413,6 @@ static struct security_operations selinux_ops = {
5664 .task_movememory = selinux_task_movememory, 5413 .task_movememory = selinux_task_movememory,
5665 .task_kill = selinux_task_kill, 5414 .task_kill = selinux_task_kill,
5666 .task_wait = selinux_task_wait, 5415 .task_wait = selinux_task_wait,
5667 .task_prctl = selinux_task_prctl,
5668 .task_to_inode = selinux_task_to_inode, 5416 .task_to_inode = selinux_task_to_inode,
5669 5417
5670 .ipc_permission = selinux_ipc_permission, 5418 .ipc_permission = selinux_ipc_permission,
generated by cgit v1.2.2 (git 2.25.0) at 2025-10-29 08:20:40 -0400