diff options
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r-- | security/selinux/hooks.c | 4565 |
1 files changed, 4565 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c new file mode 100644 index 000000000000..8a2cc75b3948 --- /dev/null +++ b/security/selinux/hooks.c | |||
@@ -0,0 +1,4565 @@ | |||
1 | /* | ||
2 | * NSA Security-Enhanced Linux (SELinux) security module | ||
3 | * | ||
4 | * This file contains the SELinux hook function implementations. | ||
5 | * | ||
6 | * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> | ||
7 | * Chris Vance, <cvance@nai.com> | ||
8 | * Wayne Salamon, <wsalamon@nai.com> | ||
9 | * James Morris <jmorris@redhat.com> | ||
10 | * | ||
11 | * Copyright (C) 2001,2002 Networks Associates Technology, Inc. | ||
12 | * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> | ||
13 | * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. | ||
14 | * <dgoeddel@trustedcs.com> | ||
15 | * | ||
16 | * This program is free software; you can redistribute it and/or modify | ||
17 | * it under the terms of the GNU General Public License version 2, | ||
18 | * as published by the Free Software Foundation. | ||
19 | */ | ||
20 | |||
21 | #include <linux/config.h> | ||
22 | #include <linux/module.h> | ||
23 | #include <linux/init.h> | ||
24 | #include <linux/kernel.h> | ||
25 | #include <linux/ptrace.h> | ||
26 | #include <linux/errno.h> | ||
27 | #include <linux/sched.h> | ||
28 | #include <linux/security.h> | ||
29 | #include <linux/xattr.h> | ||
30 | #include <linux/capability.h> | ||
31 | #include <linux/unistd.h> | ||
32 | #include <linux/mm.h> | ||
33 | #include <linux/mman.h> | ||
34 | #include <linux/slab.h> | ||
35 | #include <linux/pagemap.h> | ||
36 | #include <linux/swap.h> | ||
37 | #include <linux/smp_lock.h> | ||
38 | #include <linux/spinlock.h> | ||
39 | #include <linux/syscalls.h> | ||
40 | #include <linux/file.h> | ||
41 | #include <linux/namei.h> | ||
42 | #include <linux/mount.h> | ||
43 | #include <linux/ext2_fs.h> | ||
44 | #include <linux/proc_fs.h> | ||
45 | #include <linux/kd.h> | ||
46 | #include <linux/netfilter_ipv4.h> | ||
47 | #include <linux/netfilter_ipv6.h> | ||
48 | #include <linux/tty.h> | ||
49 | #include <net/icmp.h> | ||
50 | #include <net/ip.h> /* for sysctl_local_port_range[] */ | ||
51 | #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ | ||
52 | #include <asm/uaccess.h> | ||
53 | #include <asm/semaphore.h> | ||
54 | #include <asm/ioctls.h> | ||
55 | #include <linux/bitops.h> | ||
56 | #include <linux/interrupt.h> | ||
57 | #include <linux/netdevice.h> /* for network interface checks */ | ||
58 | #include <linux/netlink.h> | ||
59 | #include <linux/tcp.h> | ||
60 | #include <linux/udp.h> | ||
61 | #include <linux/quota.h> | ||
62 | #include <linux/un.h> /* for Unix socket types */ | ||
63 | #include <net/af_unix.h> /* for Unix socket types */ | ||
64 | #include <linux/parser.h> | ||
65 | #include <linux/nfs_mount.h> | ||
66 | #include <net/ipv6.h> | ||
67 | #include <linux/hugetlb.h> | ||
68 | #include <linux/personality.h> | ||
69 | #include <linux/sysctl.h> | ||
70 | #include <linux/audit.h> | ||
71 | |||
72 | #include "avc.h" | ||
73 | #include "objsec.h" | ||
74 | #include "netif.h" | ||
75 | |||
76 | #define XATTR_SELINUX_SUFFIX "selinux" | ||
77 | #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX | ||
78 | |||
79 | extern unsigned int policydb_loaded_version; | ||
80 | extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); | ||
81 | |||
82 | #ifdef CONFIG_SECURITY_SELINUX_DEVELOP | ||
83 | int selinux_enforcing = 0; | ||
84 | |||
85 | static int __init enforcing_setup(char *str) | ||
86 | { | ||
87 | selinux_enforcing = simple_strtol(str,NULL,0); | ||
88 | return 1; | ||
89 | } | ||
90 | __setup("enforcing=", enforcing_setup); | ||
91 | #endif | ||
92 | |||
93 | #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM | ||
94 | int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; | ||
95 | |||
96 | static int __init selinux_enabled_setup(char *str) | ||
97 | { | ||
98 | selinux_enabled = simple_strtol(str, NULL, 0); | ||
99 | return 1; | ||
100 | } | ||
101 | __setup("selinux=", selinux_enabled_setup); | ||
102 | #endif | ||
103 | |||
104 | /* Original (dummy) security module. */ | ||
105 | static struct security_operations *original_ops = NULL; | ||
106 | |||
107 | /* Minimal support for a secondary security module, | ||
108 | just to allow the use of the dummy or capability modules. | ||
109 | The owlsm module can alternatively be used as a secondary | ||
110 | module as long as CONFIG_OWLSM_FD is not enabled. */ | ||
111 | static struct security_operations *secondary_ops = NULL; | ||
112 | |||
113 | /* Lists of inode and superblock security structures initialized | ||
114 | before the policy was loaded. */ | ||
115 | static LIST_HEAD(superblock_security_head); | ||
116 | static DEFINE_SPINLOCK(sb_security_lock); | ||
117 | |||
118 | /* Allocate and free functions for each kind of security blob. */ | ||
119 | |||
120 | static int task_alloc_security(struct task_struct *task) | ||
121 | { | ||
122 | struct task_security_struct *tsec; | ||
123 | |||
124 | tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL); | ||
125 | if (!tsec) | ||
126 | return -ENOMEM; | ||
127 | |||
128 | memset(tsec, 0, sizeof(struct task_security_struct)); | ||
129 | tsec->magic = SELINUX_MAGIC; | ||
130 | tsec->task = task; | ||
131 | tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED; | ||
132 | task->security = tsec; | ||
133 | |||
134 | return 0; | ||
135 | } | ||
136 | |||
137 | static void task_free_security(struct task_struct *task) | ||
138 | { | ||
139 | struct task_security_struct *tsec = task->security; | ||
140 | |||
141 | if (!tsec || tsec->magic != SELINUX_MAGIC) | ||
142 | return; | ||
143 | |||
144 | task->security = NULL; | ||
145 | kfree(tsec); | ||
146 | } | ||
147 | |||
148 | static int inode_alloc_security(struct inode *inode) | ||
149 | { | ||
150 | struct task_security_struct *tsec = current->security; | ||
151 | struct inode_security_struct *isec; | ||
152 | |||
153 | isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL); | ||
154 | if (!isec) | ||
155 | return -ENOMEM; | ||
156 | |||
157 | memset(isec, 0, sizeof(struct inode_security_struct)); | ||
158 | init_MUTEX(&isec->sem); | ||
159 | INIT_LIST_HEAD(&isec->list); | ||
160 | isec->magic = SELINUX_MAGIC; | ||
161 | isec->inode = inode; | ||
162 | isec->sid = SECINITSID_UNLABELED; | ||
163 | isec->sclass = SECCLASS_FILE; | ||
164 | if (tsec && tsec->magic == SELINUX_MAGIC) | ||
165 | isec->task_sid = tsec->sid; | ||
166 | else | ||
167 | isec->task_sid = SECINITSID_UNLABELED; | ||
168 | inode->i_security = isec; | ||
169 | |||
170 | return 0; | ||
171 | } | ||
172 | |||
173 | static void inode_free_security(struct inode *inode) | ||
174 | { | ||
175 | struct inode_security_struct *isec = inode->i_security; | ||
176 | struct superblock_security_struct *sbsec = inode->i_sb->s_security; | ||
177 | |||
178 | if (!isec || isec->magic != SELINUX_MAGIC) | ||
179 | return; | ||
180 | |||
181 | spin_lock(&sbsec->isec_lock); | ||
182 | if (!list_empty(&isec->list)) | ||
183 | list_del_init(&isec->list); | ||
184 | spin_unlock(&sbsec->isec_lock); | ||
185 | |||
186 | inode->i_security = NULL; | ||
187 | kfree(isec); | ||
188 | } | ||
189 | |||
190 | static int file_alloc_security(struct file *file) | ||
191 | { | ||
192 | struct task_security_struct *tsec = current->security; | ||
193 | struct file_security_struct *fsec; | ||
194 | |||
195 | fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC); | ||
196 | if (!fsec) | ||
197 | return -ENOMEM; | ||
198 | |||
199 | memset(fsec, 0, sizeof(struct file_security_struct)); | ||
200 | fsec->magic = SELINUX_MAGIC; | ||
201 | fsec->file = file; | ||
202 | if (tsec && tsec->magic == SELINUX_MAGIC) { | ||
203 | fsec->sid = tsec->sid; | ||
204 | fsec->fown_sid = tsec->sid; | ||
205 | } else { | ||
206 | fsec->sid = SECINITSID_UNLABELED; | ||
207 | fsec->fown_sid = SECINITSID_UNLABELED; | ||
208 | } | ||
209 | file->f_security = fsec; | ||
210 | |||
211 | return 0; | ||
212 | } | ||
213 | |||
214 | static void file_free_security(struct file *file) | ||
215 | { | ||
216 | struct file_security_struct *fsec = file->f_security; | ||
217 | |||
218 | if (!fsec || fsec->magic != SELINUX_MAGIC) | ||
219 | return; | ||
220 | |||
221 | file->f_security = NULL; | ||
222 | kfree(fsec); | ||
223 | } | ||
224 | |||
225 | static int superblock_alloc_security(struct super_block *sb) | ||
226 | { | ||
227 | struct superblock_security_struct *sbsec; | ||
228 | |||
229 | sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); | ||
230 | if (!sbsec) | ||
231 | return -ENOMEM; | ||
232 | |||
233 | memset(sbsec, 0, sizeof(struct superblock_security_struct)); | ||
234 | init_MUTEX(&sbsec->sem); | ||
235 | INIT_LIST_HEAD(&sbsec->list); | ||
236 | INIT_LIST_HEAD(&sbsec->isec_head); | ||
237 | spin_lock_init(&sbsec->isec_lock); | ||
238 | sbsec->magic = SELINUX_MAGIC; | ||
239 | sbsec->sb = sb; | ||
240 | sbsec->sid = SECINITSID_UNLABELED; | ||
241 | sbsec->def_sid = SECINITSID_FILE; | ||
242 | sb->s_security = sbsec; | ||
243 | |||
244 | return 0; | ||
245 | } | ||
246 | |||
247 | static void superblock_free_security(struct super_block *sb) | ||
248 | { | ||
249 | struct superblock_security_struct *sbsec = sb->s_security; | ||
250 | |||
251 | if (!sbsec || sbsec->magic != SELINUX_MAGIC) | ||
252 | return; | ||
253 | |||
254 | spin_lock(&sb_security_lock); | ||
255 | if (!list_empty(&sbsec->list)) | ||
256 | list_del_init(&sbsec->list); | ||
257 | spin_unlock(&sb_security_lock); | ||
258 | |||
259 | sb->s_security = NULL; | ||
260 | kfree(sbsec); | ||
261 | } | ||
262 | |||
263 | #ifdef CONFIG_SECURITY_NETWORK | ||
264 | static int sk_alloc_security(struct sock *sk, int family, int priority) | ||
265 | { | ||
266 | struct sk_security_struct *ssec; | ||
267 | |||
268 | if (family != PF_UNIX) | ||
269 | return 0; | ||
270 | |||
271 | ssec = kmalloc(sizeof(*ssec), priority); | ||
272 | if (!ssec) | ||
273 | return -ENOMEM; | ||
274 | |||
275 | memset(ssec, 0, sizeof(*ssec)); | ||
276 | ssec->magic = SELINUX_MAGIC; | ||
277 | ssec->sk = sk; | ||
278 | ssec->peer_sid = SECINITSID_UNLABELED; | ||
279 | sk->sk_security = ssec; | ||
280 | |||
281 | return 0; | ||
282 | } | ||
283 | |||
284 | static void sk_free_security(struct sock *sk) | ||
285 | { | ||
286 | struct sk_security_struct *ssec = sk->sk_security; | ||
287 | |||
288 | if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC) | ||
289 | return; | ||
290 | |||
291 | sk->sk_security = NULL; | ||
292 | kfree(ssec); | ||
293 | } | ||
294 | #endif /* CONFIG_SECURITY_NETWORK */ | ||
295 | |||
296 | /* The security server must be initialized before | ||
297 | any labeling or access decisions can be provided. */ | ||
298 | extern int ss_initialized; | ||
299 | |||
300 | /* The file system's label must be initialized prior to use. */ | ||
301 | |||
302 | static char *labeling_behaviors[6] = { | ||
303 | "uses xattr", | ||
304 | "uses transition SIDs", | ||
305 | "uses task SIDs", | ||
306 | "uses genfs_contexts", | ||
307 | "not configured for labeling", | ||
308 | "uses mountpoint labeling", | ||
309 | }; | ||
310 | |||
311 | static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); | ||
312 | |||
313 | static inline int inode_doinit(struct inode *inode) | ||
314 | { | ||
315 | return inode_doinit_with_dentry(inode, NULL); | ||
316 | } | ||
317 | |||
318 | enum { | ||
319 | Opt_context = 1, | ||
320 | Opt_fscontext = 2, | ||
321 | Opt_defcontext = 4, | ||
322 | }; | ||
323 | |||
324 | static match_table_t tokens = { | ||
325 | {Opt_context, "context=%s"}, | ||
326 | {Opt_fscontext, "fscontext=%s"}, | ||
327 | {Opt_defcontext, "defcontext=%s"}, | ||
328 | }; | ||
329 | |||
330 | #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" | ||
331 | |||
332 | static int try_context_mount(struct super_block *sb, void *data) | ||
333 | { | ||
334 | char *context = NULL, *defcontext = NULL; | ||
335 | const char *name; | ||
336 | u32 sid; | ||
337 | int alloc = 0, rc = 0, seen = 0; | ||
338 | struct task_security_struct *tsec = current->security; | ||
339 | struct superblock_security_struct *sbsec = sb->s_security; | ||
340 | |||
341 | if (!data) | ||
342 | goto out; | ||
343 | |||
344 | name = sb->s_type->name; | ||
345 | |||
346 | if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) { | ||
347 | |||
348 | /* NFS we understand. */ | ||
349 | if (!strcmp(name, "nfs")) { | ||
350 | struct nfs_mount_data *d = data; | ||
351 | |||
352 | if (d->version < NFS_MOUNT_VERSION) | ||
353 | goto out; | ||
354 | |||
355 | if (d->context[0]) { | ||
356 | context = d->context; | ||
357 | seen |= Opt_context; | ||
358 | } | ||
359 | } else | ||
360 | goto out; | ||
361 | |||
362 | } else { | ||
363 | /* Standard string-based options. */ | ||
364 | char *p, *options = data; | ||
365 | |||
366 | while ((p = strsep(&options, ",")) != NULL) { | ||
367 | int token; | ||
368 | substring_t args[MAX_OPT_ARGS]; | ||
369 | |||
370 | if (!*p) | ||
371 | continue; | ||
372 | |||
373 | token = match_token(p, tokens, args); | ||
374 | |||
375 | switch (token) { | ||
376 | case Opt_context: | ||
377 | if (seen) { | ||
378 | rc = -EINVAL; | ||
379 | printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); | ||
380 | goto out_free; | ||
381 | } | ||
382 | context = match_strdup(&args[0]); | ||
383 | if (!context) { | ||
384 | rc = -ENOMEM; | ||
385 | goto out_free; | ||
386 | } | ||
387 | if (!alloc) | ||
388 | alloc = 1; | ||
389 | seen |= Opt_context; | ||
390 | break; | ||
391 | |||
392 | case Opt_fscontext: | ||
393 | if (seen & (Opt_context|Opt_fscontext)) { | ||
394 | rc = -EINVAL; | ||
395 | printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); | ||
396 | goto out_free; | ||
397 | } | ||
398 | context = match_strdup(&args[0]); | ||
399 | if (!context) { | ||
400 | rc = -ENOMEM; | ||
401 | goto out_free; | ||
402 | } | ||
403 | if (!alloc) | ||
404 | alloc = 1; | ||
405 | seen |= Opt_fscontext; | ||
406 | break; | ||
407 | |||
408 | case Opt_defcontext: | ||
409 | if (sbsec->behavior != SECURITY_FS_USE_XATTR) { | ||
410 | rc = -EINVAL; | ||
411 | printk(KERN_WARNING "SELinux: " | ||
412 | "defcontext option is invalid " | ||
413 | "for this filesystem type\n"); | ||
414 | goto out_free; | ||
415 | } | ||
416 | if (seen & (Opt_context|Opt_defcontext)) { | ||
417 | rc = -EINVAL; | ||
418 | printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); | ||
419 | goto out_free; | ||
420 | } | ||
421 | defcontext = match_strdup(&args[0]); | ||
422 | if (!defcontext) { | ||
423 | rc = -ENOMEM; | ||
424 | goto out_free; | ||
425 | } | ||
426 | if (!alloc) | ||
427 | alloc = 1; | ||
428 | seen |= Opt_defcontext; | ||
429 | break; | ||
430 | |||
431 | default: | ||
432 | rc = -EINVAL; | ||
433 | printk(KERN_WARNING "SELinux: unknown mount " | ||
434 | "option\n"); | ||
435 | goto out_free; | ||
436 | |||
437 | } | ||
438 | } | ||
439 | } | ||
440 | |||
441 | if (!seen) | ||
442 | goto out; | ||
443 | |||
444 | if (context) { | ||
445 | rc = security_context_to_sid(context, strlen(context), &sid); | ||
446 | if (rc) { | ||
447 | printk(KERN_WARNING "SELinux: security_context_to_sid" | ||
448 | "(%s) failed for (dev %s, type %s) errno=%d\n", | ||
449 | context, sb->s_id, name, rc); | ||
450 | goto out_free; | ||
451 | } | ||
452 | |||
453 | rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, | ||
454 | FILESYSTEM__RELABELFROM, NULL); | ||
455 | if (rc) | ||
456 | goto out_free; | ||
457 | |||
458 | rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, | ||
459 | FILESYSTEM__RELABELTO, NULL); | ||
460 | if (rc) | ||
461 | goto out_free; | ||
462 | |||
463 | sbsec->sid = sid; | ||
464 | |||
465 | if (seen & Opt_context) | ||
466 | sbsec->behavior = SECURITY_FS_USE_MNTPOINT; | ||
467 | } | ||
468 | |||
469 | if (defcontext) { | ||
470 | rc = security_context_to_sid(defcontext, strlen(defcontext), &sid); | ||
471 | if (rc) { | ||
472 | printk(KERN_WARNING "SELinux: security_context_to_sid" | ||
473 | "(%s) failed for (dev %s, type %s) errno=%d\n", | ||
474 | defcontext, sb->s_id, name, rc); | ||
475 | goto out_free; | ||
476 | } | ||
477 | |||
478 | if (sid == sbsec->def_sid) | ||
479 | goto out_free; | ||
480 | |||
481 | rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, | ||
482 | FILESYSTEM__RELABELFROM, NULL); | ||
483 | if (rc) | ||
484 | goto out_free; | ||
485 | |||
486 | rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, | ||
487 | FILESYSTEM__ASSOCIATE, NULL); | ||
488 | if (rc) | ||
489 | goto out_free; | ||
490 | |||
491 | sbsec->def_sid = sid; | ||
492 | } | ||
493 | |||
494 | out_free: | ||
495 | if (alloc) { | ||
496 | kfree(context); | ||
497 | kfree(defcontext); | ||
498 | } | ||
499 | out: | ||
500 | return rc; | ||
501 | } | ||
502 | |||
503 | static int superblock_doinit(struct super_block *sb, void *data) | ||
504 | { | ||
505 | struct superblock_security_struct *sbsec = sb->s_security; | ||
506 | struct dentry *root = sb->s_root; | ||
507 | struct inode *inode = root->d_inode; | ||
508 | int rc = 0; | ||
509 | |||
510 | down(&sbsec->sem); | ||
511 | if (sbsec->initialized) | ||
512 | goto out; | ||
513 | |||
514 | if (!ss_initialized) { | ||
515 | /* Defer initialization until selinux_complete_init, | ||
516 | after the initial policy is loaded and the security | ||
517 | server is ready to handle calls. */ | ||
518 | spin_lock(&sb_security_lock); | ||
519 | if (list_empty(&sbsec->list)) | ||
520 | list_add(&sbsec->list, &superblock_security_head); | ||
521 | spin_unlock(&sb_security_lock); | ||
522 | goto out; | ||
523 | } | ||
524 | |||
525 | /* Determine the labeling behavior to use for this filesystem type. */ | ||
526 | rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid); | ||
527 | if (rc) { | ||
528 | printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", | ||
529 | __FUNCTION__, sb->s_type->name, rc); | ||
530 | goto out; | ||
531 | } | ||
532 | |||
533 | rc = try_context_mount(sb, data); | ||
534 | if (rc) | ||
535 | goto out; | ||
536 | |||
537 | if (sbsec->behavior == SECURITY_FS_USE_XATTR) { | ||
538 | /* Make sure that the xattr handler exists and that no | ||
539 | error other than -ENODATA is returned by getxattr on | ||
540 | the root directory. -ENODATA is ok, as this may be | ||
541 | the first boot of the SELinux kernel before we have | ||
542 | assigned xattr values to the filesystem. */ | ||
543 | if (!inode->i_op->getxattr) { | ||
544 | printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " | ||
545 | "xattr support\n", sb->s_id, sb->s_type->name); | ||
546 | rc = -EOPNOTSUPP; | ||
547 | goto out; | ||
548 | } | ||
549 | rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0); | ||
550 | if (rc < 0 && rc != -ENODATA) { | ||
551 | if (rc == -EOPNOTSUPP) | ||
552 | printk(KERN_WARNING "SELinux: (dev %s, type " | ||
553 | "%s) has no security xattr handler\n", | ||
554 | sb->s_id, sb->s_type->name); | ||
555 | else | ||
556 | printk(KERN_WARNING "SELinux: (dev %s, type " | ||
557 | "%s) getxattr errno %d\n", sb->s_id, | ||
558 | sb->s_type->name, -rc); | ||
559 | goto out; | ||
560 | } | ||
561 | } | ||
562 | |||
563 | if (strcmp(sb->s_type->name, "proc") == 0) | ||
564 | sbsec->proc = 1; | ||
565 | |||
566 | sbsec->initialized = 1; | ||
567 | |||
568 | if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) { | ||
569 | printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n", | ||
570 | sb->s_id, sb->s_type->name); | ||
571 | } | ||
572 | else { | ||
573 | printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n", | ||
574 | sb->s_id, sb->s_type->name, | ||
575 | labeling_behaviors[sbsec->behavior-1]); | ||
576 | } | ||
577 | |||
578 | /* Initialize the root inode. */ | ||
579 | rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root); | ||
580 | |||
581 | /* Initialize any other inodes associated with the superblock, e.g. | ||
582 | inodes created prior to initial policy load or inodes created | ||
583 | during get_sb by a pseudo filesystem that directly | ||
584 | populates itself. */ | ||
585 | spin_lock(&sbsec->isec_lock); | ||
586 | next_inode: | ||
587 | if (!list_empty(&sbsec->isec_head)) { | ||
588 | struct inode_security_struct *isec = | ||
589 | list_entry(sbsec->isec_head.next, | ||
590 | struct inode_security_struct, list); | ||
591 | struct inode *inode = isec->inode; | ||
592 | spin_unlock(&sbsec->isec_lock); | ||
593 | inode = igrab(inode); | ||
594 | if (inode) { | ||
595 | if (!IS_PRIVATE (inode)) | ||
596 | inode_doinit(inode); | ||
597 | iput(inode); | ||
598 | } | ||
599 | spin_lock(&sbsec->isec_lock); | ||
600 | list_del_init(&isec->list); | ||
601 | goto next_inode; | ||
602 | } | ||
603 | spin_unlock(&sbsec->isec_lock); | ||
604 | out: | ||
605 | up(&sbsec->sem); | ||
606 | return rc; | ||
607 | } | ||
608 | |||
609 | static inline u16 inode_mode_to_security_class(umode_t mode) | ||
610 | { | ||
611 | switch (mode & S_IFMT) { | ||
612 | case S_IFSOCK: | ||
613 | return SECCLASS_SOCK_FILE; | ||
614 | case S_IFLNK: | ||
615 | return SECCLASS_LNK_FILE; | ||
616 | case S_IFREG: | ||
617 | return SECCLASS_FILE; | ||
618 | case S_IFBLK: | ||
619 | return SECCLASS_BLK_FILE; | ||
620 | case S_IFDIR: | ||
621 | return SECCLASS_DIR; | ||
622 | case S_IFCHR: | ||
623 | return SECCLASS_CHR_FILE; | ||
624 | case S_IFIFO: | ||
625 | return SECCLASS_FIFO_FILE; | ||
626 | |||
627 | } | ||
628 | |||
629 | return SECCLASS_FILE; | ||
630 | } | ||
631 | |||
632 | static inline u16 socket_type_to_security_class(int family, int type, int protocol) | ||
633 | { | ||
634 | switch (family) { | ||
635 | case PF_UNIX: | ||
636 | switch (type) { | ||
637 | case SOCK_STREAM: | ||
638 | case SOCK_SEQPACKET: | ||
639 | return SECCLASS_UNIX_STREAM_SOCKET; | ||
640 | case SOCK_DGRAM: | ||
641 | return SECCLASS_UNIX_DGRAM_SOCKET; | ||
642 | } | ||
643 | break; | ||
644 | case PF_INET: | ||
645 | case PF_INET6: | ||
646 | switch (type) { | ||
647 | case SOCK_STREAM: | ||
648 | return SECCLASS_TCP_SOCKET; | ||
649 | case SOCK_DGRAM: | ||
650 | return SECCLASS_UDP_SOCKET; | ||
651 | case SOCK_RAW: | ||
652 | return SECCLASS_RAWIP_SOCKET; | ||
653 | } | ||
654 | break; | ||
655 | case PF_NETLINK: | ||
656 | switch (protocol) { | ||
657 | case NETLINK_ROUTE: | ||
658 | return SECCLASS_NETLINK_ROUTE_SOCKET; | ||
659 | case NETLINK_FIREWALL: | ||
660 | return SECCLASS_NETLINK_FIREWALL_SOCKET; | ||
661 | case NETLINK_TCPDIAG: | ||
662 | return SECCLASS_NETLINK_TCPDIAG_SOCKET; | ||
663 | case NETLINK_NFLOG: | ||
664 | return SECCLASS_NETLINK_NFLOG_SOCKET; | ||
665 | case NETLINK_XFRM: | ||
666 | return SECCLASS_NETLINK_XFRM_SOCKET; | ||
667 | case NETLINK_SELINUX: | ||
668 | return SECCLASS_NETLINK_SELINUX_SOCKET; | ||
669 | case NETLINK_AUDIT: | ||
670 | return SECCLASS_NETLINK_AUDIT_SOCKET; | ||
671 | case NETLINK_IP6_FW: | ||
672 | return SECCLASS_NETLINK_IP6FW_SOCKET; | ||
673 | case NETLINK_DNRTMSG: | ||
674 | return SECCLASS_NETLINK_DNRT_SOCKET; | ||
675 | default: | ||
676 | return SECCLASS_NETLINK_SOCKET; | ||
677 | } | ||
678 | case PF_PACKET: | ||
679 | return SECCLASS_PACKET_SOCKET; | ||
680 | case PF_KEY: | ||
681 | return SECCLASS_KEY_SOCKET; | ||
682 | } | ||
683 | |||
684 | return SECCLASS_SOCKET; | ||
685 | } | ||
686 | |||
687 | #ifdef CONFIG_PROC_FS | ||
688 | static int selinux_proc_get_sid(struct proc_dir_entry *de, | ||
689 | u16 tclass, | ||
690 | u32 *sid) | ||
691 | { | ||
692 | int buflen, rc; | ||
693 | char *buffer, *path, *end; | ||
694 | |||
695 | buffer = (char*)__get_free_page(GFP_KERNEL); | ||
696 | if (!buffer) | ||
697 | return -ENOMEM; | ||
698 | |||
699 | buflen = PAGE_SIZE; | ||
700 | end = buffer+buflen; | ||
701 | *--end = '\0'; | ||
702 | buflen--; | ||
703 | path = end-1; | ||
704 | *path = '/'; | ||
705 | while (de && de != de->parent) { | ||
706 | buflen -= de->namelen + 1; | ||
707 | if (buflen < 0) | ||
708 | break; | ||
709 | end -= de->namelen; | ||
710 | memcpy(end, de->name, de->namelen); | ||
711 | *--end = '/'; | ||
712 | path = end; | ||
713 | de = de->parent; | ||
714 | } | ||
715 | rc = security_genfs_sid("proc", path, tclass, sid); | ||
716 | free_page((unsigned long)buffer); | ||
717 | return rc; | ||
718 | } | ||
719 | #else | ||
720 | static int selinux_proc_get_sid(struct proc_dir_entry *de, | ||
721 | u16 tclass, | ||
722 | u32 *sid) | ||
723 | { | ||
724 | return -EINVAL; | ||
725 | } | ||
726 | #endif | ||
727 | |||
728 | /* The inode's security attributes must be initialized before first use. */ | ||
729 | static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) | ||
730 | { | ||
731 | struct superblock_security_struct *sbsec = NULL; | ||
732 | struct inode_security_struct *isec = inode->i_security; | ||
733 | u32 sid; | ||
734 | struct dentry *dentry; | ||
735 | #define INITCONTEXTLEN 255 | ||
736 | char *context = NULL; | ||
737 | unsigned len = 0; | ||
738 | int rc = 0; | ||
739 | int hold_sem = 0; | ||
740 | |||
741 | if (isec->initialized) | ||
742 | goto out; | ||
743 | |||
744 | down(&isec->sem); | ||
745 | hold_sem = 1; | ||
746 | if (isec->initialized) | ||
747 | goto out; | ||
748 | |||
749 | sbsec = inode->i_sb->s_security; | ||
750 | if (!sbsec->initialized) { | ||
751 | /* Defer initialization until selinux_complete_init, | ||
752 | after the initial policy is loaded and the security | ||
753 | server is ready to handle calls. */ | ||
754 | spin_lock(&sbsec->isec_lock); | ||
755 | if (list_empty(&isec->list)) | ||
756 | list_add(&isec->list, &sbsec->isec_head); | ||
757 | spin_unlock(&sbsec->isec_lock); | ||
758 | goto out; | ||
759 | } | ||
760 | |||
761 | switch (sbsec->behavior) { | ||
762 | case SECURITY_FS_USE_XATTR: | ||
763 | if (!inode->i_op->getxattr) { | ||
764 | isec->sid = sbsec->def_sid; | ||
765 | break; | ||
766 | } | ||
767 | |||
768 | /* Need a dentry, since the xattr API requires one. | ||
769 | Life would be simpler if we could just pass the inode. */ | ||
770 | if (opt_dentry) { | ||
771 | /* Called from d_instantiate or d_splice_alias. */ | ||
772 | dentry = dget(opt_dentry); | ||
773 | } else { | ||
774 | /* Called from selinux_complete_init, try to find a dentry. */ | ||
775 | dentry = d_find_alias(inode); | ||
776 | } | ||
777 | if (!dentry) { | ||
778 | printk(KERN_WARNING "%s: no dentry for dev=%s " | ||
779 | "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id, | ||
780 | inode->i_ino); | ||
781 | goto out; | ||
782 | } | ||
783 | |||
784 | len = INITCONTEXTLEN; | ||
785 | context = kmalloc(len, GFP_KERNEL); | ||
786 | if (!context) { | ||
787 | rc = -ENOMEM; | ||
788 | dput(dentry); | ||
789 | goto out; | ||
790 | } | ||
791 | rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, | ||
792 | context, len); | ||
793 | if (rc == -ERANGE) { | ||
794 | /* Need a larger buffer. Query for the right size. */ | ||
795 | rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, | ||
796 | NULL, 0); | ||
797 | if (rc < 0) { | ||
798 | dput(dentry); | ||
799 | goto out; | ||
800 | } | ||
801 | kfree(context); | ||
802 | len = rc; | ||
803 | context = kmalloc(len, GFP_KERNEL); | ||
804 | if (!context) { | ||
805 | rc = -ENOMEM; | ||
806 | dput(dentry); | ||
807 | goto out; | ||
808 | } | ||
809 | rc = inode->i_op->getxattr(dentry, | ||
810 | XATTR_NAME_SELINUX, | ||
811 | context, len); | ||
812 | } | ||
813 | dput(dentry); | ||
814 | if (rc < 0) { | ||
815 | if (rc != -ENODATA) { | ||
816 | printk(KERN_WARNING "%s: getxattr returned " | ||
817 | "%d for dev=%s ino=%ld\n", __FUNCTION__, | ||
818 | -rc, inode->i_sb->s_id, inode->i_ino); | ||
819 | kfree(context); | ||
820 | goto out; | ||
821 | } | ||
822 | /* Map ENODATA to the default file SID */ | ||
823 | sid = sbsec->def_sid; | ||
824 | rc = 0; | ||
825 | } else { | ||
826 | rc = security_context_to_sid(context, rc, &sid); | ||
827 | if (rc) { | ||
828 | printk(KERN_WARNING "%s: context_to_sid(%s) " | ||
829 | "returned %d for dev=%s ino=%ld\n", | ||
830 | __FUNCTION__, context, -rc, | ||
831 | inode->i_sb->s_id, inode->i_ino); | ||
832 | kfree(context); | ||
833 | /* Leave with the unlabeled SID */ | ||
834 | rc = 0; | ||
835 | break; | ||
836 | } | ||
837 | } | ||
838 | kfree(context); | ||
839 | isec->sid = sid; | ||
840 | break; | ||
841 | case SECURITY_FS_USE_TASK: | ||
842 | isec->sid = isec->task_sid; | ||
843 | break; | ||
844 | case SECURITY_FS_USE_TRANS: | ||
845 | /* Default to the fs SID. */ | ||
846 | isec->sid = sbsec->sid; | ||
847 | |||
848 | /* Try to obtain a transition SID. */ | ||
849 | isec->sclass = inode_mode_to_security_class(inode->i_mode); | ||
850 | rc = security_transition_sid(isec->task_sid, | ||
851 | sbsec->sid, | ||
852 | isec->sclass, | ||
853 | &sid); | ||
854 | if (rc) | ||
855 | goto out; | ||
856 | isec->sid = sid; | ||
857 | break; | ||
858 | default: | ||
859 | /* Default to the fs SID. */ | ||
860 | isec->sid = sbsec->sid; | ||
861 | |||
862 | if (sbsec->proc) { | ||
863 | struct proc_inode *proci = PROC_I(inode); | ||
864 | if (proci->pde) { | ||
865 | isec->sclass = inode_mode_to_security_class(inode->i_mode); | ||
866 | rc = selinux_proc_get_sid(proci->pde, | ||
867 | isec->sclass, | ||
868 | &sid); | ||
869 | if (rc) | ||
870 | goto out; | ||
871 | isec->sid = sid; | ||
872 | } | ||
873 | } | ||
874 | break; | ||
875 | } | ||
876 | |||
877 | isec->initialized = 1; | ||
878 | |||
879 | out: | ||
880 | if (isec->sclass == SECCLASS_FILE) | ||
881 | isec->sclass = inode_mode_to_security_class(inode->i_mode); | ||
882 | |||
883 | if (hold_sem) | ||
884 | up(&isec->sem); | ||
885 | return rc; | ||
886 | } | ||
887 | |||
888 | /* Convert a Linux signal to an access vector. */ | ||
889 | static inline u32 signal_to_av(int sig) | ||
890 | { | ||
891 | u32 perm = 0; | ||
892 | |||
893 | switch (sig) { | ||
894 | case SIGCHLD: | ||
895 | /* Commonly granted from child to parent. */ | ||
896 | perm = PROCESS__SIGCHLD; | ||
897 | break; | ||
898 | case SIGKILL: | ||
899 | /* Cannot be caught or ignored */ | ||
900 | perm = PROCESS__SIGKILL; | ||
901 | break; | ||
902 | case SIGSTOP: | ||
903 | /* Cannot be caught or ignored */ | ||
904 | perm = PROCESS__SIGSTOP; | ||
905 | break; | ||
906 | default: | ||
907 | /* All other signals. */ | ||
908 | perm = PROCESS__SIGNAL; | ||
909 | break; | ||
910 | } | ||
911 | |||
912 | return perm; | ||
913 | } | ||
914 | |||
915 | /* Check permission betweeen a pair of tasks, e.g. signal checks, | ||
916 | fork check, ptrace check, etc. */ | ||
917 | static int task_has_perm(struct task_struct *tsk1, | ||
918 | struct task_struct *tsk2, | ||
919 | u32 perms) | ||
920 | { | ||
921 | struct task_security_struct *tsec1, *tsec2; | ||
922 | |||
923 | tsec1 = tsk1->security; | ||
924 | tsec2 = tsk2->security; | ||
925 | return avc_has_perm(tsec1->sid, tsec2->sid, | ||
926 | SECCLASS_PROCESS, perms, NULL); | ||
927 | } | ||
928 | |||
929 | /* Check whether a task is allowed to use a capability. */ | ||
930 | static int task_has_capability(struct task_struct *tsk, | ||
931 | int cap) | ||
932 | { | ||
933 | struct task_security_struct *tsec; | ||
934 | struct avc_audit_data ad; | ||
935 | |||
936 | tsec = tsk->security; | ||
937 | |||
938 | AVC_AUDIT_DATA_INIT(&ad,CAP); | ||
939 | ad.tsk = tsk; | ||
940 | ad.u.cap = cap; | ||
941 | |||
942 | return avc_has_perm(tsec->sid, tsec->sid, | ||
943 | SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad); | ||
944 | } | ||
945 | |||
946 | /* Check whether a task is allowed to use a system operation. */ | ||
947 | static int task_has_system(struct task_struct *tsk, | ||
948 | u32 perms) | ||
949 | { | ||
950 | struct task_security_struct *tsec; | ||
951 | |||
952 | tsec = tsk->security; | ||
953 | |||
954 | return avc_has_perm(tsec->sid, SECINITSID_KERNEL, | ||
955 | SECCLASS_SYSTEM, perms, NULL); | ||
956 | } | ||
957 | |||
958 | /* Check whether a task has a particular permission to an inode. | ||
959 | The 'adp' parameter is optional and allows other audit | ||
960 | data to be passed (e.g. the dentry). */ | ||
961 | static int inode_has_perm(struct task_struct *tsk, | ||
962 | struct inode *inode, | ||
963 | u32 perms, | ||
964 | struct avc_audit_data *adp) | ||
965 | { | ||
966 | struct task_security_struct *tsec; | ||
967 | struct inode_security_struct *isec; | ||
968 | struct avc_audit_data ad; | ||
969 | |||
970 | tsec = tsk->security; | ||
971 | isec = inode->i_security; | ||
972 | |||
973 | if (!adp) { | ||
974 | adp = &ad; | ||
975 | AVC_AUDIT_DATA_INIT(&ad, FS); | ||
976 | ad.u.fs.inode = inode; | ||
977 | } | ||
978 | |||
979 | return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp); | ||
980 | } | ||
981 | |||
982 | /* Same as inode_has_perm, but pass explicit audit data containing | ||
983 | the dentry to help the auditing code to more easily generate the | ||
984 | pathname if needed. */ | ||
985 | static inline int dentry_has_perm(struct task_struct *tsk, | ||
986 | struct vfsmount *mnt, | ||
987 | struct dentry *dentry, | ||
988 | u32 av) | ||
989 | { | ||
990 | struct inode *inode = dentry->d_inode; | ||
991 | struct avc_audit_data ad; | ||
992 | AVC_AUDIT_DATA_INIT(&ad,FS); | ||
993 | ad.u.fs.mnt = mnt; | ||
994 | ad.u.fs.dentry = dentry; | ||
995 | return inode_has_perm(tsk, inode, av, &ad); | ||
996 | } | ||
997 | |||
998 | /* Check whether a task can use an open file descriptor to | ||
999 | access an inode in a given way. Check access to the | ||
1000 | descriptor itself, and then use dentry_has_perm to | ||
1001 | check a particular permission to the file. | ||
1002 | Access to the descriptor is implicitly granted if it | ||
1003 | has the same SID as the process. If av is zero, then | ||
1004 | access to the file is not checked, e.g. for cases | ||
1005 | where only the descriptor is affected like seek. */ | ||
1006 | static inline int file_has_perm(struct task_struct *tsk, | ||
1007 | struct file *file, | ||
1008 | u32 av) | ||
1009 | { | ||
1010 | struct task_security_struct *tsec = tsk->security; | ||
1011 | struct file_security_struct *fsec = file->f_security; | ||
1012 | struct vfsmount *mnt = file->f_vfsmnt; | ||
1013 | struct dentry *dentry = file->f_dentry; | ||
1014 | struct inode *inode = dentry->d_inode; | ||
1015 | struct avc_audit_data ad; | ||
1016 | int rc; | ||
1017 | |||
1018 | AVC_AUDIT_DATA_INIT(&ad, FS); | ||
1019 | ad.u.fs.mnt = mnt; | ||
1020 | ad.u.fs.dentry = dentry; | ||
1021 | |||
1022 | if (tsec->sid != fsec->sid) { | ||
1023 | rc = avc_has_perm(tsec->sid, fsec->sid, | ||
1024 | SECCLASS_FD, | ||
1025 | FD__USE, | ||
1026 | &ad); | ||
1027 | if (rc) | ||
1028 | return rc; | ||
1029 | } | ||
1030 | |||
1031 | /* av is zero if only checking access to the descriptor. */ | ||
1032 | if (av) | ||
1033 | return inode_has_perm(tsk, inode, av, &ad); | ||
1034 | |||
1035 | return 0; | ||
1036 | } | ||
1037 | |||
1038 | /* Check whether a task can create a file. */ | ||
1039 | static int may_create(struct inode *dir, | ||
1040 | struct dentry *dentry, | ||
1041 | u16 tclass) | ||
1042 | { | ||
1043 | struct task_security_struct *tsec; | ||
1044 | struct inode_security_struct *dsec; | ||
1045 | struct superblock_security_struct *sbsec; | ||
1046 | u32 newsid; | ||
1047 | struct avc_audit_data ad; | ||
1048 | int rc; | ||
1049 | |||
1050 | tsec = current->security; | ||
1051 | dsec = dir->i_security; | ||
1052 | sbsec = dir->i_sb->s_security; | ||
1053 | |||
1054 | AVC_AUDIT_DATA_INIT(&ad, FS); | ||
1055 | ad.u.fs.dentry = dentry; | ||
1056 | |||
1057 | rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, | ||
1058 | DIR__ADD_NAME | DIR__SEARCH, | ||
1059 | &ad); | ||
1060 | if (rc) | ||
1061 | return rc; | ||
1062 | |||
1063 | if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { | ||
1064 | newsid = tsec->create_sid; | ||
1065 | } else { | ||
1066 | rc = security_transition_sid(tsec->sid, dsec->sid, tclass, | ||
1067 | &newsid); | ||
1068 | if (rc) | ||
1069 | return rc; | ||
1070 | } | ||
1071 | |||
1072 | rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad); | ||
1073 | if (rc) | ||
1074 | return rc; | ||
1075 | |||
1076 | return avc_has_perm(newsid, sbsec->sid, | ||
1077 | SECCLASS_FILESYSTEM, | ||
1078 | FILESYSTEM__ASSOCIATE, &ad); | ||
1079 | } | ||
1080 | |||
1081 | #define MAY_LINK 0 | ||
1082 | #define MAY_UNLINK 1 | ||
1083 | #define MAY_RMDIR 2 | ||
1084 | |||
1085 | /* Check whether a task can link, unlink, or rmdir a file/directory. */ | ||
1086 | static int may_link(struct inode *dir, | ||
1087 | struct dentry *dentry, | ||
1088 | int kind) | ||
1089 | |||
1090 | { | ||
1091 | struct task_security_struct *tsec; | ||
1092 | struct inode_security_struct *dsec, *isec; | ||
1093 | struct avc_audit_data ad; | ||
1094 | u32 av; | ||
1095 | int rc; | ||
1096 | |||
1097 | tsec = current->security; | ||
1098 | dsec = dir->i_security; | ||
1099 | isec = dentry->d_inode->i_security; | ||
1100 | |||
1101 | AVC_AUDIT_DATA_INIT(&ad, FS); | ||
1102 | ad.u.fs.dentry = dentry; | ||
1103 | |||
1104 | av = DIR__SEARCH; | ||
1105 | av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); | ||
1106 | rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad); | ||
1107 | if (rc) | ||
1108 | return rc; | ||
1109 | |||
1110 | switch (kind) { | ||
1111 | case MAY_LINK: | ||
1112 | av = FILE__LINK; | ||
1113 | break; | ||
1114 | case MAY_UNLINK: | ||
1115 | av = FILE__UNLINK; | ||
1116 | break; | ||
1117 | case MAY_RMDIR: | ||
1118 | av = DIR__RMDIR; | ||
1119 | break; | ||
1120 | default: | ||
1121 | printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind); | ||
1122 | return 0; | ||
1123 | } | ||
1124 | |||
1125 | rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad); | ||
1126 | return rc; | ||
1127 | } | ||
1128 | |||
1129 | static inline int may_rename(struct inode *old_dir, | ||
1130 | struct dentry *old_dentry, | ||
1131 | struct inode *new_dir, | ||
1132 | struct dentry *new_dentry) | ||
1133 | { | ||
1134 | struct task_security_struct *tsec; | ||
1135 | struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; | ||
1136 | struct avc_audit_data ad; | ||
1137 | u32 av; | ||
1138 | int old_is_dir, new_is_dir; | ||
1139 | int rc; | ||
1140 | |||
1141 | tsec = current->security; | ||
1142 | old_dsec = old_dir->i_security; | ||
1143 | old_isec = old_dentry->d_inode->i_security; | ||
1144 | old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); | ||
1145 | new_dsec = new_dir->i_security; | ||
1146 | |||
1147 | AVC_AUDIT_DATA_INIT(&ad, FS); | ||
1148 | |||
1149 | ad.u.fs.dentry = old_dentry; | ||
1150 | rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR, | ||
1151 | DIR__REMOVE_NAME | DIR__SEARCH, &ad); | ||
1152 | if (rc) | ||
1153 | return rc; | ||
1154 | rc = avc_has_perm(tsec->sid, old_isec->sid, | ||
1155 | old_isec->sclass, FILE__RENAME, &ad); | ||
1156 | if (rc) | ||
1157 | return rc; | ||
1158 | if (old_is_dir && new_dir != old_dir) { | ||
1159 | rc = avc_has_perm(tsec->sid, old_isec->sid, | ||
1160 | old_isec->sclass, DIR__REPARENT, &ad); | ||
1161 | if (rc) | ||
1162 | return rc; | ||
1163 | } | ||
1164 | |||
1165 | ad.u.fs.dentry = new_dentry; | ||
1166 | av = DIR__ADD_NAME | DIR__SEARCH; | ||
1167 | if (new_dentry->d_inode) | ||
1168 | av |= DIR__REMOVE_NAME; | ||
1169 | rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad); | ||
1170 | if (rc) | ||
1171 | return rc; | ||
1172 | if (new_dentry->d_inode) { | ||
1173 | new_isec = new_dentry->d_inode->i_security; | ||
1174 | new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode); | ||
1175 | rc = avc_has_perm(tsec->sid, new_isec->sid, | ||
1176 | new_isec->sclass, | ||
1177 | (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); | ||
1178 | if (rc) | ||
1179 | return rc; | ||
1180 | } | ||
1181 | |||
1182 | return 0; | ||
1183 | } | ||
1184 | |||
1185 | /* Check whether a task can perform a filesystem operation. */ | ||
1186 | static int superblock_has_perm(struct task_struct *tsk, | ||
1187 | struct super_block *sb, | ||
1188 | u32 perms, | ||
1189 | struct avc_audit_data *ad) | ||
1190 | { | ||
1191 | struct task_security_struct *tsec; | ||
1192 | struct superblock_security_struct *sbsec; | ||
1193 | |||
1194 | tsec = tsk->security; | ||
1195 | sbsec = sb->s_security; | ||
1196 | return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, | ||
1197 | perms, ad); | ||
1198 | } | ||
1199 | |||
1200 | /* Convert a Linux mode and permission mask to an access vector. */ | ||
1201 | static inline u32 file_mask_to_av(int mode, int mask) | ||
1202 | { | ||
1203 | u32 av = 0; | ||
1204 | |||
1205 | if ((mode & S_IFMT) != S_IFDIR) { | ||
1206 | if (mask & MAY_EXEC) | ||
1207 | av |= FILE__EXECUTE; | ||
1208 | if (mask & MAY_READ) | ||
1209 | av |= FILE__READ; | ||
1210 | |||
1211 | if (mask & MAY_APPEND) | ||
1212 | av |= FILE__APPEND; | ||
1213 | else if (mask & MAY_WRITE) | ||
1214 | av |= FILE__WRITE; | ||
1215 | |||
1216 | } else { | ||
1217 | if (mask & MAY_EXEC) | ||
1218 | av |= DIR__SEARCH; | ||
1219 | if (mask & MAY_WRITE) | ||
1220 | av |= DIR__WRITE; | ||
1221 | if (mask & MAY_READ) | ||
1222 | av |= DIR__READ; | ||
1223 | } | ||
1224 | |||
1225 | return av; | ||
1226 | } | ||
1227 | |||
1228 | /* Convert a Linux file to an access vector. */ | ||
1229 | static inline u32 file_to_av(struct file *file) | ||
1230 | { | ||
1231 | u32 av = 0; | ||
1232 | |||
1233 | if (file->f_mode & FMODE_READ) | ||
1234 | av |= FILE__READ; | ||
1235 | if (file->f_mode & FMODE_WRITE) { | ||
1236 | if (file->f_flags & O_APPEND) | ||
1237 | av |= FILE__APPEND; | ||
1238 | else | ||
1239 | av |= FILE__WRITE; | ||
1240 | } | ||
1241 | |||
1242 | return av; | ||
1243 | } | ||
1244 | |||
1245 | /* Set an inode's SID to a specified value. */ | ||
1246 | static int inode_security_set_sid(struct inode *inode, u32 sid) | ||
1247 | { | ||
1248 | struct inode_security_struct *isec = inode->i_security; | ||
1249 | struct superblock_security_struct *sbsec = inode->i_sb->s_security; | ||
1250 | |||
1251 | if (!sbsec->initialized) { | ||
1252 | /* Defer initialization to selinux_complete_init. */ | ||
1253 | return 0; | ||
1254 | } | ||
1255 | |||
1256 | down(&isec->sem); | ||
1257 | isec->sclass = inode_mode_to_security_class(inode->i_mode); | ||
1258 | isec->sid = sid; | ||
1259 | isec->initialized = 1; | ||
1260 | up(&isec->sem); | ||
1261 | return 0; | ||
1262 | } | ||
1263 | |||
1264 | /* Set the security attributes on a newly created file. */ | ||
1265 | static int post_create(struct inode *dir, | ||
1266 | struct dentry *dentry) | ||
1267 | { | ||
1268 | |||
1269 | struct task_security_struct *tsec; | ||
1270 | struct inode *inode; | ||
1271 | struct inode_security_struct *dsec; | ||
1272 | struct superblock_security_struct *sbsec; | ||
1273 | u32 newsid; | ||
1274 | char *context; | ||
1275 | unsigned int len; | ||
1276 | int rc; | ||
1277 | |||
1278 | tsec = current->security; | ||
1279 | dsec = dir->i_security; | ||
1280 | sbsec = dir->i_sb->s_security; | ||
1281 | |||
1282 | inode = dentry->d_inode; | ||
1283 | if (!inode) { | ||
1284 | /* Some file system types (e.g. NFS) may not instantiate | ||
1285 | a dentry for all create operations (e.g. symlink), | ||
1286 | so we have to check to see if the inode is non-NULL. */ | ||
1287 | printk(KERN_WARNING "post_create: no inode, dir (dev=%s, " | ||
1288 | "ino=%ld)\n", dir->i_sb->s_id, dir->i_ino); | ||
1289 | return 0; | ||
1290 | } | ||
1291 | |||
1292 | if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { | ||
1293 | newsid = tsec->create_sid; | ||
1294 | } else { | ||
1295 | rc = security_transition_sid(tsec->sid, dsec->sid, | ||
1296 | inode_mode_to_security_class(inode->i_mode), | ||
1297 | &newsid); | ||
1298 | if (rc) { | ||
1299 | printk(KERN_WARNING "post_create: " | ||
1300 | "security_transition_sid failed, rc=%d (dev=%s " | ||
1301 | "ino=%ld)\n", | ||
1302 | -rc, inode->i_sb->s_id, inode->i_ino); | ||
1303 | return rc; | ||
1304 | } | ||
1305 | } | ||
1306 | |||
1307 | rc = inode_security_set_sid(inode, newsid); | ||
1308 | if (rc) { | ||
1309 | printk(KERN_WARNING "post_create: inode_security_set_sid " | ||
1310 | "failed, rc=%d (dev=%s ino=%ld)\n", | ||
1311 | -rc, inode->i_sb->s_id, inode->i_ino); | ||
1312 | return rc; | ||
1313 | } | ||
1314 | |||
1315 | if (sbsec->behavior == SECURITY_FS_USE_XATTR && | ||
1316 | inode->i_op->setxattr) { | ||
1317 | /* Use extended attributes. */ | ||
1318 | rc = security_sid_to_context(newsid, &context, &len); | ||
1319 | if (rc) { | ||
1320 | printk(KERN_WARNING "post_create: sid_to_context " | ||
1321 | "failed, rc=%d (dev=%s ino=%ld)\n", | ||
1322 | -rc, inode->i_sb->s_id, inode->i_ino); | ||
1323 | return rc; | ||
1324 | } | ||
1325 | down(&inode->i_sem); | ||
1326 | rc = inode->i_op->setxattr(dentry, | ||
1327 | XATTR_NAME_SELINUX, | ||
1328 | context, len, 0); | ||
1329 | up(&inode->i_sem); | ||
1330 | kfree(context); | ||
1331 | if (rc < 0) { | ||
1332 | printk(KERN_WARNING "post_create: setxattr failed, " | ||
1333 | "rc=%d (dev=%s ino=%ld)\n", | ||
1334 | -rc, inode->i_sb->s_id, inode->i_ino); | ||
1335 | return rc; | ||
1336 | } | ||
1337 | } | ||
1338 | |||
1339 | return 0; | ||
1340 | } | ||
1341 | |||
1342 | |||
1343 | /* Hook functions begin here. */ | ||
1344 | |||
1345 | static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) | ||
1346 | { | ||
1347 | struct task_security_struct *psec = parent->security; | ||
1348 | struct task_security_struct *csec = child->security; | ||
1349 | int rc; | ||
1350 | |||
1351 | rc = secondary_ops->ptrace(parent,child); | ||
1352 | if (rc) | ||
1353 | return rc; | ||
1354 | |||
1355 | rc = task_has_perm(parent, child, PROCESS__PTRACE); | ||
1356 | /* Save the SID of the tracing process for later use in apply_creds. */ | ||
1357 | if (!rc) | ||
1358 | csec->ptrace_sid = psec->sid; | ||
1359 | return rc; | ||
1360 | } | ||
1361 | |||
1362 | static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, | ||
1363 | kernel_cap_t *inheritable, kernel_cap_t *permitted) | ||
1364 | { | ||
1365 | int error; | ||
1366 | |||
1367 | error = task_has_perm(current, target, PROCESS__GETCAP); | ||
1368 | if (error) | ||
1369 | return error; | ||
1370 | |||
1371 | return secondary_ops->capget(target, effective, inheritable, permitted); | ||
1372 | } | ||
1373 | |||
1374 | static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective, | ||
1375 | kernel_cap_t *inheritable, kernel_cap_t *permitted) | ||
1376 | { | ||
1377 | int error; | ||
1378 | |||
1379 | error = secondary_ops->capset_check(target, effective, inheritable, permitted); | ||
1380 | if (error) | ||
1381 | return error; | ||
1382 | |||
1383 | return task_has_perm(current, target, PROCESS__SETCAP); | ||
1384 | } | ||
1385 | |||
1386 | static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, | ||
1387 | kernel_cap_t *inheritable, kernel_cap_t *permitted) | ||
1388 | { | ||
1389 | secondary_ops->capset_set(target, effective, inheritable, permitted); | ||
1390 | } | ||
1391 | |||
1392 | static int selinux_capable(struct task_struct *tsk, int cap) | ||
1393 | { | ||
1394 | int rc; | ||
1395 | |||
1396 | rc = secondary_ops->capable(tsk, cap); | ||
1397 | if (rc) | ||
1398 | return rc; | ||
1399 | |||
1400 | return task_has_capability(tsk,cap); | ||
1401 | } | ||
1402 | |||
1403 | static int selinux_sysctl(ctl_table *table, int op) | ||
1404 | { | ||
1405 | int error = 0; | ||
1406 | u32 av; | ||
1407 | struct task_security_struct *tsec; | ||
1408 | u32 tsid; | ||
1409 | int rc; | ||
1410 | |||
1411 | rc = secondary_ops->sysctl(table, op); | ||
1412 | if (rc) | ||
1413 | return rc; | ||
1414 | |||
1415 | tsec = current->security; | ||
1416 | |||
1417 | rc = selinux_proc_get_sid(table->de, (op == 001) ? | ||
1418 | SECCLASS_DIR : SECCLASS_FILE, &tsid); | ||
1419 | if (rc) { | ||
1420 | /* Default to the well-defined sysctl SID. */ | ||
1421 | tsid = SECINITSID_SYSCTL; | ||
1422 | } | ||
1423 | |||
1424 | /* The op values are "defined" in sysctl.c, thereby creating | ||
1425 | * a bad coupling between this module and sysctl.c */ | ||
1426 | if(op == 001) { | ||
1427 | error = avc_has_perm(tsec->sid, tsid, | ||
1428 | SECCLASS_DIR, DIR__SEARCH, NULL); | ||
1429 | } else { | ||
1430 | av = 0; | ||
1431 | if (op & 004) | ||
1432 | av |= FILE__READ; | ||
1433 | if (op & 002) | ||
1434 | av |= FILE__WRITE; | ||
1435 | if (av) | ||
1436 | error = avc_has_perm(tsec->sid, tsid, | ||
1437 | SECCLASS_FILE, av, NULL); | ||
1438 | } | ||
1439 | |||
1440 | return error; | ||
1441 | } | ||
1442 | |||
1443 | static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) | ||
1444 | { | ||
1445 | int rc = 0; | ||
1446 | |||
1447 | if (!sb) | ||
1448 | return 0; | ||
1449 | |||
1450 | switch (cmds) { | ||
1451 | case Q_SYNC: | ||
1452 | case Q_QUOTAON: | ||
1453 | case Q_QUOTAOFF: | ||
1454 | case Q_SETINFO: | ||
1455 | case Q_SETQUOTA: | ||
1456 | rc = superblock_has_perm(current, | ||
1457 | sb, | ||
1458 | FILESYSTEM__QUOTAMOD, NULL); | ||
1459 | break; | ||
1460 | case Q_GETFMT: | ||
1461 | case Q_GETINFO: | ||
1462 | case Q_GETQUOTA: | ||
1463 | rc = superblock_has_perm(current, | ||
1464 | sb, | ||
1465 | FILESYSTEM__QUOTAGET, NULL); | ||
1466 | break; | ||
1467 | default: | ||
1468 | rc = 0; /* let the kernel handle invalid cmds */ | ||
1469 | break; | ||
1470 | } | ||
1471 | return rc; | ||
1472 | } | ||
1473 | |||
1474 | static int selinux_quota_on(struct dentry *dentry) | ||
1475 | { | ||
1476 | return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON); | ||
1477 | } | ||
1478 | |||
1479 | static int selinux_syslog(int type) | ||
1480 | { | ||
1481 | int rc; | ||
1482 | |||
1483 | rc = secondary_ops->syslog(type); | ||
1484 | if (rc) | ||
1485 | return rc; | ||
1486 | |||
1487 | switch (type) { | ||
1488 | case 3: /* Read last kernel messages */ | ||
1489 | case 10: /* Return size of the log buffer */ | ||
1490 | rc = task_has_system(current, SYSTEM__SYSLOG_READ); | ||
1491 | break; | ||
1492 | case 6: /* Disable logging to console */ | ||
1493 | case 7: /* Enable logging to console */ | ||
1494 | case 8: /* Set level of messages printed to console */ | ||
1495 | rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); | ||
1496 | break; | ||
1497 | case 0: /* Close log */ | ||
1498 | case 1: /* Open log */ | ||
1499 | case 2: /* Read from log */ | ||
1500 | case 4: /* Read/clear last kernel messages */ | ||
1501 | case 5: /* Clear ring buffer */ | ||
1502 | default: | ||
1503 | rc = task_has_system(current, SYSTEM__SYSLOG_MOD); | ||
1504 | break; | ||
1505 | } | ||
1506 | return rc; | ||
1507 | } | ||
1508 | |||
1509 | /* | ||
1510 | * Check that a process has enough memory to allocate a new virtual | ||
1511 | * mapping. 0 means there is enough memory for the allocation to | ||
1512 | * succeed and -ENOMEM implies there is not. | ||
1513 | * | ||
1514 | * Note that secondary_ops->capable and task_has_perm_noaudit return 0 | ||
1515 | * if the capability is granted, but __vm_enough_memory requires 1 if | ||
1516 | * the capability is granted. | ||
1517 | * | ||
1518 | * Do not audit the selinux permission check, as this is applied to all | ||
1519 | * processes that allocate mappings. | ||
1520 | */ | ||
1521 | static int selinux_vm_enough_memory(long pages) | ||
1522 | { | ||
1523 | int rc, cap_sys_admin = 0; | ||
1524 | struct task_security_struct *tsec = current->security; | ||
1525 | |||
1526 | rc = secondary_ops->capable(current, CAP_SYS_ADMIN); | ||
1527 | if (rc == 0) | ||
1528 | rc = avc_has_perm_noaudit(tsec->sid, tsec->sid, | ||
1529 | SECCLASS_CAPABILITY, | ||
1530 | CAP_TO_MASK(CAP_SYS_ADMIN), | ||
1531 | NULL); | ||
1532 | |||
1533 | if (rc == 0) | ||
1534 | cap_sys_admin = 1; | ||
1535 | |||
1536 | return __vm_enough_memory(pages, cap_sys_admin); | ||
1537 | } | ||
1538 | |||
1539 | /* binprm security operations */ | ||
1540 | |||
1541 | static int selinux_bprm_alloc_security(struct linux_binprm *bprm) | ||
1542 | { | ||
1543 | struct bprm_security_struct *bsec; | ||
1544 | |||
1545 | bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL); | ||
1546 | if (!bsec) | ||
1547 | return -ENOMEM; | ||
1548 | |||
1549 | memset(bsec, 0, sizeof *bsec); | ||
1550 | bsec->magic = SELINUX_MAGIC; | ||
1551 | bsec->bprm = bprm; | ||
1552 | bsec->sid = SECINITSID_UNLABELED; | ||
1553 | bsec->set = 0; | ||
1554 | |||
1555 | bprm->security = bsec; | ||
1556 | return 0; | ||
1557 | } | ||
1558 | |||
1559 | static int selinux_bprm_set_security(struct linux_binprm *bprm) | ||
1560 | { | ||
1561 | struct task_security_struct *tsec; | ||
1562 | struct inode *inode = bprm->file->f_dentry->d_inode; | ||
1563 | struct inode_security_struct *isec; | ||
1564 | struct bprm_security_struct *bsec; | ||
1565 | u32 newsid; | ||
1566 | struct avc_audit_data ad; | ||
1567 | int rc; | ||
1568 | |||
1569 | rc = secondary_ops->bprm_set_security(bprm); | ||
1570 | if (rc) | ||
1571 | return rc; | ||
1572 | |||
1573 | bsec = bprm->security; | ||
1574 | |||
1575 | if (bsec->set) | ||
1576 | return 0; | ||
1577 | |||
1578 | tsec = current->security; | ||
1579 | isec = inode->i_security; | ||
1580 | |||
1581 | /* Default to the current task SID. */ | ||
1582 | bsec->sid = tsec->sid; | ||
1583 | |||
1584 | /* Reset create SID on execve. */ | ||
1585 | tsec->create_sid = 0; | ||
1586 | |||
1587 | if (tsec->exec_sid) { | ||
1588 | newsid = tsec->exec_sid; | ||
1589 | /* Reset exec SID on execve. */ | ||
1590 | tsec->exec_sid = 0; | ||
1591 | } else { | ||
1592 | /* Check for a default transition on this program. */ | ||
1593 | rc = security_transition_sid(tsec->sid, isec->sid, | ||
1594 | SECCLASS_PROCESS, &newsid); | ||
1595 | if (rc) | ||
1596 | return rc; | ||
1597 | } | ||
1598 | |||
1599 | AVC_AUDIT_DATA_INIT(&ad, FS); | ||
1600 | ad.u.fs.mnt = bprm->file->f_vfsmnt; | ||
1601 | ad.u.fs.dentry = bprm->file->f_dentry; | ||
1602 | |||
1603 | if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) | ||
1604 | newsid = tsec->sid; | ||
1605 | |||
1606 | if (tsec->sid == newsid) { | ||
1607 | rc = avc_has_perm(tsec->sid, isec->sid, | ||
1608 | SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); | ||
1609 | if (rc) | ||
1610 | return rc; | ||
1611 | } else { | ||
1612 | /* Check permissions for the transition. */ | ||
1613 | rc = avc_has_perm(tsec->sid, newsid, | ||
1614 | SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); | ||
1615 | if (rc) | ||
1616 | return rc; | ||
1617 | |||
1618 | rc = avc_has_perm(newsid, isec->sid, | ||
1619 | SECCLASS_FILE, FILE__ENTRYPOINT, &ad); | ||
1620 | if (rc) | ||
1621 | return rc; | ||
1622 | |||
1623 | /* Clear any possibly unsafe personality bits on exec: */ | ||
1624 | current->personality &= ~PER_CLEAR_ON_SETID; | ||
1625 | |||
1626 | /* Set the security field to the new SID. */ | ||
1627 | bsec->sid = newsid; | ||
1628 | } | ||
1629 | |||
1630 | bsec->set = 1; | ||
1631 | return 0; | ||
1632 | } | ||
1633 | |||
1634 | static int selinux_bprm_check_security (struct linux_binprm *bprm) | ||
1635 | { | ||
1636 | return secondary_ops->bprm_check_security(bprm); | ||
1637 | } | ||
1638 | |||
1639 | |||
1640 | static int selinux_bprm_secureexec (struct linux_binprm *bprm) | ||
1641 | { | ||
1642 | struct task_security_struct *tsec = current->security; | ||
1643 | int atsecure = 0; | ||
1644 | |||
1645 | if (tsec->osid != tsec->sid) { | ||
1646 | /* Enable secure mode for SIDs transitions unless | ||
1647 | the noatsecure permission is granted between | ||
1648 | the two SIDs, i.e. ahp returns 0. */ | ||
1649 | atsecure = avc_has_perm(tsec->osid, tsec->sid, | ||
1650 | SECCLASS_PROCESS, | ||
1651 | PROCESS__NOATSECURE, NULL); | ||
1652 | } | ||
1653 | |||
1654 | return (atsecure || secondary_ops->bprm_secureexec(bprm)); | ||
1655 | } | ||
1656 | |||
1657 | static void selinux_bprm_free_security(struct linux_binprm *bprm) | ||
1658 | { | ||
1659 | struct bprm_security_struct *bsec = bprm->security; | ||
1660 | bprm->security = NULL; | ||
1661 | kfree(bsec); | ||
1662 | } | ||
1663 | |||
1664 | extern struct vfsmount *selinuxfs_mount; | ||
1665 | extern struct dentry *selinux_null; | ||
1666 | |||
1667 | /* Derived from fs/exec.c:flush_old_files. */ | ||
1668 | static inline void flush_unauthorized_files(struct files_struct * files) | ||
1669 | { | ||
1670 | struct avc_audit_data ad; | ||
1671 | struct file *file, *devnull = NULL; | ||
1672 | struct tty_struct *tty = current->signal->tty; | ||
1673 | long j = -1; | ||
1674 | |||
1675 | if (tty) { | ||
1676 | file_list_lock(); | ||
1677 | file = list_entry(tty->tty_files.next, typeof(*file), f_list); | ||
1678 | if (file) { | ||
1679 | /* Revalidate access to controlling tty. | ||
1680 | Use inode_has_perm on the tty inode directly rather | ||
1681 | than using file_has_perm, as this particular open | ||
1682 | file may belong to another process and we are only | ||
1683 | interested in the inode-based check here. */ | ||
1684 | struct inode *inode = file->f_dentry->d_inode; | ||
1685 | if (inode_has_perm(current, inode, | ||
1686 | FILE__READ | FILE__WRITE, NULL)) { | ||
1687 | /* Reset controlling tty. */ | ||
1688 | current->signal->tty = NULL; | ||
1689 | current->signal->tty_old_pgrp = 0; | ||
1690 | } | ||
1691 | } | ||
1692 | file_list_unlock(); | ||
1693 | } | ||
1694 | |||
1695 | /* Revalidate access to inherited open files. */ | ||
1696 | |||
1697 | AVC_AUDIT_DATA_INIT(&ad,FS); | ||
1698 | |||
1699 | spin_lock(&files->file_lock); | ||
1700 | for (;;) { | ||
1701 | unsigned long set, i; | ||
1702 | int fd; | ||
1703 | |||
1704 | j++; | ||
1705 | i = j * __NFDBITS; | ||
1706 | if (i >= files->max_fds || i >= files->max_fdset) | ||
1707 | break; | ||
1708 | set = files->open_fds->fds_bits[j]; | ||
1709 | if (!set) | ||
1710 | continue; | ||
1711 | spin_unlock(&files->file_lock); | ||
1712 | for ( ; set ; i++,set >>= 1) { | ||
1713 | if (set & 1) { | ||
1714 | file = fget(i); | ||
1715 | if (!file) | ||
1716 | continue; | ||
1717 | if (file_has_perm(current, | ||
1718 | file, | ||
1719 | file_to_av(file))) { | ||
1720 | sys_close(i); | ||
1721 | fd = get_unused_fd(); | ||
1722 | if (fd != i) { | ||
1723 | if (fd >= 0) | ||
1724 | put_unused_fd(fd); | ||
1725 | fput(file); | ||
1726 | continue; | ||
1727 | } | ||
1728 | if (devnull) { | ||
1729 | atomic_inc(&devnull->f_count); | ||
1730 | } else { | ||
1731 | devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR); | ||
1732 | if (!devnull) { | ||
1733 | put_unused_fd(fd); | ||
1734 | fput(file); | ||
1735 | continue; | ||
1736 | } | ||
1737 | } | ||
1738 | fd_install(fd, devnull); | ||
1739 | } | ||
1740 | fput(file); | ||
1741 | } | ||
1742 | } | ||
1743 | spin_lock(&files->file_lock); | ||
1744 | |||
1745 | } | ||
1746 | spin_unlock(&files->file_lock); | ||
1747 | } | ||
1748 | |||
1749 | static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) | ||
1750 | { | ||
1751 | struct task_security_struct *tsec; | ||
1752 | struct bprm_security_struct *bsec; | ||
1753 | u32 sid; | ||
1754 | int rc; | ||
1755 | |||
1756 | secondary_ops->bprm_apply_creds(bprm, unsafe); | ||
1757 | |||
1758 | tsec = current->security; | ||
1759 | |||
1760 | bsec = bprm->security; | ||
1761 | sid = bsec->sid; | ||
1762 | |||
1763 | tsec->osid = tsec->sid; | ||
1764 | bsec->unsafe = 0; | ||
1765 | if (tsec->sid != sid) { | ||
1766 | /* Check for shared state. If not ok, leave SID | ||
1767 | unchanged and kill. */ | ||
1768 | if (unsafe & LSM_UNSAFE_SHARE) { | ||
1769 | rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, | ||
1770 | PROCESS__SHARE, NULL); | ||
1771 | if (rc) { | ||
1772 | bsec->unsafe = 1; | ||
1773 | return; | ||
1774 | } | ||
1775 | } | ||
1776 | |||
1777 | /* Check for ptracing, and update the task SID if ok. | ||
1778 | Otherwise, leave SID unchanged and kill. */ | ||
1779 | if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { | ||
1780 | rc = avc_has_perm(tsec->ptrace_sid, sid, | ||
1781 | SECCLASS_PROCESS, PROCESS__PTRACE, | ||
1782 | NULL); | ||
1783 | if (rc) { | ||
1784 | bsec->unsafe = 1; | ||
1785 | return; | ||
1786 | } | ||
1787 | } | ||
1788 | tsec->sid = sid; | ||
1789 | } | ||
1790 | } | ||
1791 | |||
1792 | /* | ||
1793 | * called after apply_creds without the task lock held | ||
1794 | */ | ||
1795 | static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) | ||
1796 | { | ||
1797 | struct task_security_struct *tsec; | ||
1798 | struct rlimit *rlim, *initrlim; | ||
1799 | struct itimerval itimer; | ||
1800 | struct bprm_security_struct *bsec; | ||
1801 | int rc, i; | ||
1802 | |||
1803 | tsec = current->security; | ||
1804 | bsec = bprm->security; | ||
1805 | |||
1806 | if (bsec->unsafe) { | ||
1807 | force_sig_specific(SIGKILL, current); | ||
1808 | return; | ||
1809 | } | ||
1810 | if (tsec->osid == tsec->sid) | ||
1811 | return; | ||
1812 | |||
1813 | /* Close files for which the new task SID is not authorized. */ | ||
1814 | flush_unauthorized_files(current->files); | ||
1815 | |||
1816 | /* Check whether the new SID can inherit signal state | ||
1817 | from the old SID. If not, clear itimers to avoid | ||
1818 | subsequent signal generation and flush and unblock | ||
1819 | signals. This must occur _after_ the task SID has | ||
1820 | been updated so that any kill done after the flush | ||
1821 | will be checked against the new SID. */ | ||
1822 | rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, | ||
1823 | PROCESS__SIGINH, NULL); | ||
1824 | if (rc) { | ||
1825 | memset(&itimer, 0, sizeof itimer); | ||
1826 | for (i = 0; i < 3; i++) | ||
1827 | do_setitimer(i, &itimer, NULL); | ||
1828 | flush_signals(current); | ||
1829 | spin_lock_irq(¤t->sighand->siglock); | ||
1830 | flush_signal_handlers(current, 1); | ||
1831 | sigemptyset(¤t->blocked); | ||
1832 | recalc_sigpending(); | ||
1833 | spin_unlock_irq(¤t->sighand->siglock); | ||
1834 | } | ||
1835 | |||
1836 | /* Check whether the new SID can inherit resource limits | ||
1837 | from the old SID. If not, reset all soft limits to | ||
1838 | the lower of the current task's hard limit and the init | ||
1839 | task's soft limit. Note that the setting of hard limits | ||
1840 | (even to lower them) can be controlled by the setrlimit | ||
1841 | check. The inclusion of the init task's soft limit into | ||
1842 | the computation is to avoid resetting soft limits higher | ||
1843 | than the default soft limit for cases where the default | ||
1844 | is lower than the hard limit, e.g. RLIMIT_CORE or | ||
1845 | RLIMIT_STACK.*/ | ||
1846 | rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, | ||
1847 | PROCESS__RLIMITINH, NULL); | ||
1848 | if (rc) { | ||
1849 | for (i = 0; i < RLIM_NLIMITS; i++) { | ||
1850 | rlim = current->signal->rlim + i; | ||
1851 | initrlim = init_task.signal->rlim+i; | ||
1852 | rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur); | ||
1853 | } | ||
1854 | if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) { | ||
1855 | /* | ||
1856 | * This will cause RLIMIT_CPU calculations | ||
1857 | * to be refigured. | ||
1858 | */ | ||
1859 | current->it_prof_expires = jiffies_to_cputime(1); | ||
1860 | } | ||
1861 | } | ||
1862 | |||
1863 | /* Wake up the parent if it is waiting so that it can | ||
1864 | recheck wait permission to the new task SID. */ | ||
1865 | wake_up_interruptible(¤t->parent->signal->wait_chldexit); | ||
1866 | } | ||
1867 | |||
1868 | /* superblock security operations */ | ||
1869 | |||
1870 | static int selinux_sb_alloc_security(struct super_block *sb) | ||
1871 | { | ||
1872 | return superblock_alloc_security(sb); | ||
1873 | } | ||
1874 | |||
1875 | static void selinux_sb_free_security(struct super_block *sb) | ||
1876 | { | ||
1877 | superblock_free_security(sb); | ||
1878 | } | ||
1879 | |||
1880 | static inline int match_prefix(char *prefix, int plen, char *option, int olen) | ||
1881 | { | ||
1882 | if (plen > olen) | ||
1883 | return 0; | ||
1884 | |||
1885 | return !memcmp(prefix, option, plen); | ||
1886 | } | ||
1887 | |||
1888 | static inline int selinux_option(char *option, int len) | ||
1889 | { | ||
1890 | return (match_prefix("context=", sizeof("context=")-1, option, len) || | ||
1891 | match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) || | ||
1892 | match_prefix("defcontext=", sizeof("defcontext=")-1, option, len)); | ||
1893 | } | ||
1894 | |||
1895 | static inline void take_option(char **to, char *from, int *first, int len) | ||
1896 | { | ||
1897 | if (!*first) { | ||
1898 | **to = ','; | ||
1899 | *to += 1; | ||
1900 | } | ||
1901 | else | ||
1902 | *first = 0; | ||
1903 | memcpy(*to, from, len); | ||
1904 | *to += len; | ||
1905 | } | ||
1906 | |||
1907 | static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy) | ||
1908 | { | ||
1909 | int fnosec, fsec, rc = 0; | ||
1910 | char *in_save, *in_curr, *in_end; | ||
1911 | char *sec_curr, *nosec_save, *nosec; | ||
1912 | |||
1913 | in_curr = orig; | ||
1914 | sec_curr = copy; | ||
1915 | |||
1916 | /* Binary mount data: just copy */ | ||
1917 | if (type->fs_flags & FS_BINARY_MOUNTDATA) { | ||
1918 | copy_page(sec_curr, in_curr); | ||
1919 | goto out; | ||
1920 | } | ||
1921 | |||
1922 | nosec = (char *)get_zeroed_page(GFP_KERNEL); | ||
1923 | if (!nosec) { | ||
1924 | rc = -ENOMEM; | ||
1925 | goto out; | ||
1926 | } | ||
1927 | |||
1928 | nosec_save = nosec; | ||
1929 | fnosec = fsec = 1; | ||
1930 | in_save = in_end = orig; | ||
1931 | |||
1932 | do { | ||
1933 | if (*in_end == ',' || *in_end == '\0') { | ||
1934 | int len = in_end - in_curr; | ||
1935 | |||
1936 | if (selinux_option(in_curr, len)) | ||
1937 | take_option(&sec_curr, in_curr, &fsec, len); | ||
1938 | else | ||
1939 | take_option(&nosec, in_curr, &fnosec, len); | ||
1940 | |||
1941 | in_curr = in_end + 1; | ||
1942 | } | ||
1943 | } while (*in_end++); | ||
1944 | |||
1945 | copy_page(in_save, nosec_save); | ||
1946 | out: | ||
1947 | return rc; | ||
1948 | } | ||
1949 | |||
1950 | static int selinux_sb_kern_mount(struct super_block *sb, void *data) | ||
1951 | { | ||
1952 | struct avc_audit_data ad; | ||
1953 | int rc; | ||
1954 | |||
1955 | rc = superblock_doinit(sb, data); | ||
1956 | if (rc) | ||
1957 | return rc; | ||
1958 | |||
1959 | AVC_AUDIT_DATA_INIT(&ad,FS); | ||
1960 | ad.u.fs.dentry = sb->s_root; | ||
1961 | return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad); | ||
1962 | } | ||
1963 | |||
1964 | static int selinux_sb_statfs(struct super_block *sb) | ||
1965 | { | ||
1966 | struct avc_audit_data ad; | ||
1967 | |||
1968 | AVC_AUDIT_DATA_INIT(&ad,FS); | ||
1969 | ad.u.fs.dentry = sb->s_root; | ||
1970 | return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad); | ||
1971 | } | ||
1972 | |||
1973 | static int selinux_mount(char * dev_name, | ||
1974 | struct nameidata *nd, | ||
1975 | char * type, | ||
1976 | unsigned long flags, | ||
1977 | void * data) | ||
1978 | { | ||
1979 | int rc; | ||
1980 | |||
1981 | rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data); | ||
1982 | if (rc) | ||
1983 | return rc; | ||
1984 | |||
1985 | if (flags & MS_REMOUNT) | ||
1986 | return superblock_has_perm(current, nd->mnt->mnt_sb, | ||
1987 | FILESYSTEM__REMOUNT, NULL); | ||
1988 | else | ||
1989 | return dentry_has_perm(current, nd->mnt, nd->dentry, | ||
1990 | FILE__MOUNTON); | ||
1991 | } | ||
1992 | |||
1993 | static int selinux_umount(struct vfsmount *mnt, int flags) | ||
1994 | { | ||
1995 | int rc; | ||
1996 | |||
1997 | rc = secondary_ops->sb_umount(mnt, flags); | ||
1998 | if (rc) | ||
1999 | return rc; | ||
2000 | |||
2001 | return superblock_has_perm(current,mnt->mnt_sb, | ||
2002 | FILESYSTEM__UNMOUNT,NULL); | ||
2003 | } | ||
2004 | |||
2005 | /* inode security operations */ | ||
2006 | |||
2007 | static int selinux_inode_alloc_security(struct inode *inode) | ||
2008 | { | ||
2009 | return inode_alloc_security(inode); | ||
2010 | } | ||
2011 | |||
2012 | static void selinux_inode_free_security(struct inode *inode) | ||
2013 | { | ||
2014 | inode_free_security(inode); | ||
2015 | } | ||
2016 | |||
2017 | static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask) | ||
2018 | { | ||
2019 | return may_create(dir, dentry, SECCLASS_FILE); | ||
2020 | } | ||
2021 | |||
2022 | static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask) | ||
2023 | { | ||
2024 | post_create(dir, dentry); | ||
2025 | } | ||
2026 | |||
2027 | static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) | ||
2028 | { | ||
2029 | int rc; | ||
2030 | |||
2031 | rc = secondary_ops->inode_link(old_dentry,dir,new_dentry); | ||
2032 | if (rc) | ||
2033 | return rc; | ||
2034 | return may_link(dir, old_dentry, MAY_LINK); | ||
2035 | } | ||
2036 | |||
2037 | static void selinux_inode_post_link(struct dentry *old_dentry, struct inode *inode, struct dentry *new_dentry) | ||
2038 | { | ||
2039 | return; | ||
2040 | } | ||
2041 | |||
2042 | static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) | ||
2043 | { | ||
2044 | int rc; | ||
2045 | |||
2046 | rc = secondary_ops->inode_unlink(dir, dentry); | ||
2047 | if (rc) | ||
2048 | return rc; | ||
2049 | return may_link(dir, dentry, MAY_UNLINK); | ||
2050 | } | ||
2051 | |||
2052 | static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) | ||
2053 | { | ||
2054 | return may_create(dir, dentry, SECCLASS_LNK_FILE); | ||
2055 | } | ||
2056 | |||
2057 | static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name) | ||
2058 | { | ||
2059 | post_create(dir, dentry); | ||
2060 | } | ||
2061 | |||
2062 | static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask) | ||
2063 | { | ||
2064 | return may_create(dir, dentry, SECCLASS_DIR); | ||
2065 | } | ||
2066 | |||
2067 | static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask) | ||
2068 | { | ||
2069 | post_create(dir, dentry); | ||
2070 | } | ||
2071 | |||
2072 | static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) | ||
2073 | { | ||
2074 | return may_link(dir, dentry, MAY_RMDIR); | ||
2075 | } | ||
2076 | |||
2077 | static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) | ||
2078 | { | ||
2079 | int rc; | ||
2080 | |||
2081 | rc = secondary_ops->inode_mknod(dir, dentry, mode, dev); | ||
2082 | if (rc) | ||
2083 | return rc; | ||
2084 | |||
2085 | return may_create(dir, dentry, inode_mode_to_security_class(mode)); | ||
2086 | } | ||
2087 | |||
2088 | static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) | ||
2089 | { | ||
2090 | post_create(dir, dentry); | ||
2091 | } | ||
2092 | |||
2093 | static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, | ||
2094 | struct inode *new_inode, struct dentry *new_dentry) | ||
2095 | { | ||
2096 | return may_rename(old_inode, old_dentry, new_inode, new_dentry); | ||
2097 | } | ||
2098 | |||
2099 | static void selinux_inode_post_rename(struct inode *old_inode, struct dentry *old_dentry, | ||
2100 | struct inode *new_inode, struct dentry *new_dentry) | ||
2101 | { | ||
2102 | return; | ||
2103 | } | ||
2104 | |||
2105 | static int selinux_inode_readlink(struct dentry *dentry) | ||
2106 | { | ||
2107 | return dentry_has_perm(current, NULL, dentry, FILE__READ); | ||
2108 | } | ||
2109 | |||
2110 | static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) | ||
2111 | { | ||
2112 | int rc; | ||
2113 | |||
2114 | rc = secondary_ops->inode_follow_link(dentry,nameidata); | ||
2115 | if (rc) | ||
2116 | return rc; | ||
2117 | return dentry_has_perm(current, NULL, dentry, FILE__READ); | ||
2118 | } | ||
2119 | |||
2120 | static int selinux_inode_permission(struct inode *inode, int mask, | ||
2121 | struct nameidata *nd) | ||
2122 | { | ||
2123 | int rc; | ||
2124 | |||
2125 | rc = secondary_ops->inode_permission(inode, mask, nd); | ||
2126 | if (rc) | ||
2127 | return rc; | ||
2128 | |||
2129 | if (!mask) { | ||
2130 | /* No permission to check. Existence test. */ | ||
2131 | return 0; | ||
2132 | } | ||
2133 | |||
2134 | return inode_has_perm(current, inode, | ||
2135 | file_mask_to_av(inode->i_mode, mask), NULL); | ||
2136 | } | ||
2137 | |||
2138 | static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) | ||
2139 | { | ||
2140 | int rc; | ||
2141 | |||
2142 | rc = secondary_ops->inode_setattr(dentry, iattr); | ||
2143 | if (rc) | ||
2144 | return rc; | ||
2145 | |||
2146 | if (iattr->ia_valid & ATTR_FORCE) | ||
2147 | return 0; | ||
2148 | |||
2149 | if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | | ||
2150 | ATTR_ATIME_SET | ATTR_MTIME_SET)) | ||
2151 | return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); | ||
2152 | |||
2153 | return dentry_has_perm(current, NULL, dentry, FILE__WRITE); | ||
2154 | } | ||
2155 | |||
2156 | static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) | ||
2157 | { | ||
2158 | return dentry_has_perm(current, mnt, dentry, FILE__GETATTR); | ||
2159 | } | ||
2160 | |||
2161 | static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags) | ||
2162 | { | ||
2163 | struct task_security_struct *tsec = current->security; | ||
2164 | struct inode *inode = dentry->d_inode; | ||
2165 | struct inode_security_struct *isec = inode->i_security; | ||
2166 | struct superblock_security_struct *sbsec; | ||
2167 | struct avc_audit_data ad; | ||
2168 | u32 newsid; | ||
2169 | int rc = 0; | ||
2170 | |||
2171 | if (strcmp(name, XATTR_NAME_SELINUX)) { | ||
2172 | if (!strncmp(name, XATTR_SECURITY_PREFIX, | ||
2173 | sizeof XATTR_SECURITY_PREFIX - 1) && | ||
2174 | !capable(CAP_SYS_ADMIN)) { | ||
2175 | /* A different attribute in the security namespace. | ||
2176 | Restrict to administrator. */ | ||
2177 | return -EPERM; | ||
2178 | } | ||
2179 | |||
2180 | /* Not an attribute we recognize, so just check the | ||
2181 | ordinary setattr permission. */ | ||
2182 | return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); | ||
2183 | } | ||
2184 | |||
2185 | sbsec = inode->i_sb->s_security; | ||
2186 | if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) | ||
2187 | return -EOPNOTSUPP; | ||
2188 | |||
2189 | if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER)) | ||
2190 | return -EPERM; | ||
2191 | |||
2192 | AVC_AUDIT_DATA_INIT(&ad,FS); | ||
2193 | ad.u.fs.dentry = dentry; | ||
2194 | |||
2195 | rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, | ||
2196 | FILE__RELABELFROM, &ad); | ||
2197 | if (rc) | ||
2198 | return rc; | ||
2199 | |||
2200 | rc = security_context_to_sid(value, size, &newsid); | ||
2201 | if (rc) | ||
2202 | return rc; | ||
2203 | |||
2204 | rc = avc_has_perm(tsec->sid, newsid, isec->sclass, | ||
2205 | FILE__RELABELTO, &ad); | ||
2206 | if (rc) | ||
2207 | return rc; | ||
2208 | |||
2209 | rc = security_validate_transition(isec->sid, newsid, tsec->sid, | ||
2210 | isec->sclass); | ||
2211 | if (rc) | ||
2212 | return rc; | ||
2213 | |||
2214 | return avc_has_perm(newsid, | ||
2215 | sbsec->sid, | ||
2216 | SECCLASS_FILESYSTEM, | ||
2217 | FILESYSTEM__ASSOCIATE, | ||
2218 | &ad); | ||
2219 | } | ||
2220 | |||
2221 | static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, | ||
2222 | void *value, size_t size, int flags) | ||
2223 | { | ||
2224 | struct inode *inode = dentry->d_inode; | ||
2225 | struct inode_security_struct *isec = inode->i_security; | ||
2226 | u32 newsid; | ||
2227 | int rc; | ||
2228 | |||
2229 | if (strcmp(name, XATTR_NAME_SELINUX)) { | ||
2230 | /* Not an attribute we recognize, so nothing to do. */ | ||
2231 | return; | ||
2232 | } | ||
2233 | |||
2234 | rc = security_context_to_sid(value, size, &newsid); | ||
2235 | if (rc) { | ||
2236 | printk(KERN_WARNING "%s: unable to obtain SID for context " | ||
2237 | "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc); | ||
2238 | return; | ||
2239 | } | ||
2240 | |||
2241 | isec->sid = newsid; | ||
2242 | return; | ||
2243 | } | ||
2244 | |||
2245 | static int selinux_inode_getxattr (struct dentry *dentry, char *name) | ||
2246 | { | ||
2247 | struct inode *inode = dentry->d_inode; | ||
2248 | struct superblock_security_struct *sbsec = inode->i_sb->s_security; | ||
2249 | |||
2250 | if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) | ||
2251 | return -EOPNOTSUPP; | ||
2252 | |||
2253 | return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); | ||
2254 | } | ||
2255 | |||
2256 | static int selinux_inode_listxattr (struct dentry *dentry) | ||
2257 | { | ||
2258 | return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); | ||
2259 | } | ||
2260 | |||
2261 | static int selinux_inode_removexattr (struct dentry *dentry, char *name) | ||
2262 | { | ||
2263 | if (strcmp(name, XATTR_NAME_SELINUX)) { | ||
2264 | if (!strncmp(name, XATTR_SECURITY_PREFIX, | ||
2265 | sizeof XATTR_SECURITY_PREFIX - 1) && | ||
2266 | !capable(CAP_SYS_ADMIN)) { | ||
2267 | /* A different attribute in the security namespace. | ||
2268 | Restrict to administrator. */ | ||
2269 | return -EPERM; | ||
2270 | } | ||
2271 | |||
2272 | /* Not an attribute we recognize, so just check the | ||
2273 | ordinary setattr permission. Might want a separate | ||
2274 | permission for removexattr. */ | ||
2275 | return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); | ||
2276 | } | ||
2277 | |||
2278 | /* No one is allowed to remove a SELinux security label. | ||
2279 | You can change the label, but all data must be labeled. */ | ||
2280 | return -EACCES; | ||
2281 | } | ||
2282 | |||
2283 | static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size) | ||
2284 | { | ||
2285 | struct inode_security_struct *isec = inode->i_security; | ||
2286 | char *context; | ||
2287 | unsigned len; | ||
2288 | int rc; | ||
2289 | |||
2290 | /* Permission check handled by selinux_inode_getxattr hook.*/ | ||
2291 | |||
2292 | if (strcmp(name, XATTR_SELINUX_SUFFIX)) | ||
2293 | return -EOPNOTSUPP; | ||
2294 | |||
2295 | rc = security_sid_to_context(isec->sid, &context, &len); | ||
2296 | if (rc) | ||
2297 | return rc; | ||
2298 | |||
2299 | if (!buffer || !size) { | ||
2300 | kfree(context); | ||
2301 | return len; | ||
2302 | } | ||
2303 | if (size < len) { | ||
2304 | kfree(context); | ||
2305 | return -ERANGE; | ||
2306 | } | ||
2307 | memcpy(buffer, context, len); | ||
2308 | kfree(context); | ||
2309 | return len; | ||
2310 | } | ||
2311 | |||
2312 | static int selinux_inode_setsecurity(struct inode *inode, const char *name, | ||
2313 | const void *value, size_t size, int flags) | ||
2314 | { | ||
2315 | struct inode_security_struct *isec = inode->i_security; | ||
2316 | u32 newsid; | ||
2317 | int rc; | ||
2318 | |||
2319 | if (strcmp(name, XATTR_SELINUX_SUFFIX)) | ||
2320 | return -EOPNOTSUPP; | ||
2321 | |||
2322 | if (!value || !size) | ||
2323 | return -EACCES; | ||
2324 | |||
2325 | rc = security_context_to_sid((void*)value, size, &newsid); | ||
2326 | if (rc) | ||
2327 | return rc; | ||
2328 | |||
2329 | isec->sid = newsid; | ||
2330 | return 0; | ||
2331 | } | ||
2332 | |||
2333 | static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) | ||
2334 | { | ||
2335 | const int len = sizeof(XATTR_NAME_SELINUX); | ||
2336 | if (buffer && len <= buffer_size) | ||
2337 | memcpy(buffer, XATTR_NAME_SELINUX, len); | ||
2338 | return len; | ||
2339 | } | ||
2340 | |||
2341 | /* file security operations */ | ||
2342 | |||
2343 | static int selinux_file_permission(struct file *file, int mask) | ||
2344 | { | ||
2345 | struct inode *inode = file->f_dentry->d_inode; | ||
2346 | |||
2347 | if (!mask) { | ||
2348 | /* No permission to check. Existence test. */ | ||
2349 | return 0; | ||
2350 | } | ||
2351 | |||
2352 | /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ | ||
2353 | if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) | ||
2354 | mask |= MAY_APPEND; | ||
2355 | |||
2356 | return file_has_perm(current, file, | ||
2357 | file_mask_to_av(inode->i_mode, mask)); | ||
2358 | } | ||
2359 | |||
2360 | static int selinux_file_alloc_security(struct file *file) | ||
2361 | { | ||
2362 | return file_alloc_security(file); | ||
2363 | } | ||
2364 | |||
2365 | static void selinux_file_free_security(struct file *file) | ||
2366 | { | ||
2367 | file_free_security(file); | ||
2368 | } | ||
2369 | |||
2370 | static int selinux_file_ioctl(struct file *file, unsigned int cmd, | ||
2371 | unsigned long arg) | ||
2372 | { | ||
2373 | int error = 0; | ||
2374 | |||
2375 | switch (cmd) { | ||
2376 | case FIONREAD: | ||
2377 | /* fall through */ | ||
2378 | case FIBMAP: | ||
2379 | /* fall through */ | ||
2380 | case FIGETBSZ: | ||
2381 | /* fall through */ | ||
2382 | case EXT2_IOC_GETFLAGS: | ||
2383 | /* fall through */ | ||
2384 | case EXT2_IOC_GETVERSION: | ||
2385 | error = file_has_perm(current, file, FILE__GETATTR); | ||
2386 | break; | ||
2387 | |||
2388 | case EXT2_IOC_SETFLAGS: | ||
2389 | /* fall through */ | ||
2390 | case EXT2_IOC_SETVERSION: | ||
2391 | error = file_has_perm(current, file, FILE__SETATTR); | ||
2392 | break; | ||
2393 | |||
2394 | /* sys_ioctl() checks */ | ||
2395 | case FIONBIO: | ||
2396 | /* fall through */ | ||
2397 | case FIOASYNC: | ||
2398 | error = file_has_perm(current, file, 0); | ||
2399 | break; | ||
2400 | |||
2401 | case KDSKBENT: | ||
2402 | case KDSKBSENT: | ||
2403 | error = task_has_capability(current,CAP_SYS_TTY_CONFIG); | ||
2404 | break; | ||
2405 | |||
2406 | /* default case assumes that the command will go | ||
2407 | * to the file's ioctl() function. | ||
2408 | */ | ||
2409 | default: | ||
2410 | error = file_has_perm(current, file, FILE__IOCTL); | ||
2411 | |||
2412 | } | ||
2413 | return error; | ||
2414 | } | ||
2415 | |||
2416 | static int file_map_prot_check(struct file *file, unsigned long prot, int shared) | ||
2417 | { | ||
2418 | #ifndef CONFIG_PPC32 | ||
2419 | if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { | ||
2420 | /* | ||
2421 | * We are making executable an anonymous mapping or a | ||
2422 | * private file mapping that will also be writable. | ||
2423 | * This has an additional check. | ||
2424 | */ | ||
2425 | int rc = task_has_perm(current, current, PROCESS__EXECMEM); | ||
2426 | if (rc) | ||
2427 | return rc; | ||
2428 | } | ||
2429 | #endif | ||
2430 | |||
2431 | if (file) { | ||
2432 | /* read access is always possible with a mapping */ | ||
2433 | u32 av = FILE__READ; | ||
2434 | |||
2435 | /* write access only matters if the mapping is shared */ | ||
2436 | if (shared && (prot & PROT_WRITE)) | ||
2437 | av |= FILE__WRITE; | ||
2438 | |||
2439 | if (prot & PROT_EXEC) | ||
2440 | av |= FILE__EXECUTE; | ||
2441 | |||
2442 | return file_has_perm(current, file, av); | ||
2443 | } | ||
2444 | return 0; | ||
2445 | } | ||
2446 | |||
2447 | static int selinux_file_mmap(struct file *file, unsigned long reqprot, | ||
2448 | unsigned long prot, unsigned long flags) | ||
2449 | { | ||
2450 | int rc; | ||
2451 | |||
2452 | rc = secondary_ops->file_mmap(file, reqprot, prot, flags); | ||
2453 | if (rc) | ||
2454 | return rc; | ||
2455 | |||
2456 | if (selinux_checkreqprot) | ||
2457 | prot = reqprot; | ||
2458 | |||
2459 | return file_map_prot_check(file, prot, | ||
2460 | (flags & MAP_TYPE) == MAP_SHARED); | ||
2461 | } | ||
2462 | |||
2463 | static int selinux_file_mprotect(struct vm_area_struct *vma, | ||
2464 | unsigned long reqprot, | ||
2465 | unsigned long prot) | ||
2466 | { | ||
2467 | int rc; | ||
2468 | |||
2469 | rc = secondary_ops->file_mprotect(vma, reqprot, prot); | ||
2470 | if (rc) | ||
2471 | return rc; | ||
2472 | |||
2473 | if (selinux_checkreqprot) | ||
2474 | prot = reqprot; | ||
2475 | |||
2476 | #ifndef CONFIG_PPC32 | ||
2477 | if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) { | ||
2478 | /* | ||
2479 | * We are making executable a file mapping that has | ||
2480 | * had some COW done. Since pages might have been written, | ||
2481 | * check ability to execute the possibly modified content. | ||
2482 | * This typically should only occur for text relocations. | ||
2483 | */ | ||
2484 | int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD); | ||
2485 | if (rc) | ||
2486 | return rc; | ||
2487 | } | ||
2488 | #endif | ||
2489 | |||
2490 | return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); | ||
2491 | } | ||
2492 | |||
2493 | static int selinux_file_lock(struct file *file, unsigned int cmd) | ||
2494 | { | ||
2495 | return file_has_perm(current, file, FILE__LOCK); | ||
2496 | } | ||
2497 | |||
2498 | static int selinux_file_fcntl(struct file *file, unsigned int cmd, | ||
2499 | unsigned long arg) | ||
2500 | { | ||
2501 | int err = 0; | ||
2502 | |||
2503 | switch (cmd) { | ||
2504 | case F_SETFL: | ||
2505 | if (!file->f_dentry || !file->f_dentry->d_inode) { | ||
2506 | err = -EINVAL; | ||
2507 | break; | ||
2508 | } | ||
2509 | |||
2510 | if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { | ||
2511 | err = file_has_perm(current, file,FILE__WRITE); | ||
2512 | break; | ||
2513 | } | ||
2514 | /* fall through */ | ||
2515 | case F_SETOWN: | ||
2516 | case F_SETSIG: | ||
2517 | case F_GETFL: | ||
2518 | case F_GETOWN: | ||
2519 | case F_GETSIG: | ||
2520 | /* Just check FD__USE permission */ | ||
2521 | err = file_has_perm(current, file, 0); | ||
2522 | break; | ||
2523 | case F_GETLK: | ||
2524 | case F_SETLK: | ||
2525 | case F_SETLKW: | ||
2526 | #if BITS_PER_LONG == 32 | ||
2527 | case F_GETLK64: | ||
2528 | case F_SETLK64: | ||
2529 | case F_SETLKW64: | ||
2530 | #endif | ||
2531 | if (!file->f_dentry || !file->f_dentry->d_inode) { | ||
2532 | err = -EINVAL; | ||
2533 | break; | ||
2534 | } | ||
2535 | err = file_has_perm(current, file, FILE__LOCK); | ||
2536 | break; | ||
2537 | } | ||
2538 | |||
2539 | return err; | ||
2540 | } | ||
2541 | |||
2542 | static int selinux_file_set_fowner(struct file *file) | ||
2543 | { | ||
2544 | struct task_security_struct *tsec; | ||
2545 | struct file_security_struct *fsec; | ||
2546 | |||
2547 | tsec = current->security; | ||
2548 | fsec = file->f_security; | ||
2549 | fsec->fown_sid = tsec->sid; | ||
2550 | |||
2551 | return 0; | ||
2552 | } | ||
2553 | |||
2554 | static int selinux_file_send_sigiotask(struct task_struct *tsk, | ||
2555 | struct fown_struct *fown, int signum) | ||
2556 | { | ||
2557 | struct file *file; | ||
2558 | u32 perm; | ||
2559 | struct task_security_struct *tsec; | ||
2560 | struct file_security_struct *fsec; | ||
2561 | |||
2562 | /* struct fown_struct is never outside the context of a struct file */ | ||
2563 | file = (struct file *)((long)fown - offsetof(struct file,f_owner)); | ||
2564 | |||
2565 | tsec = tsk->security; | ||
2566 | fsec = file->f_security; | ||
2567 | |||
2568 | if (!signum) | ||
2569 | perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ | ||
2570 | else | ||
2571 | perm = signal_to_av(signum); | ||
2572 | |||
2573 | return avc_has_perm(fsec->fown_sid, tsec->sid, | ||
2574 | SECCLASS_PROCESS, perm, NULL); | ||
2575 | } | ||
2576 | |||
2577 | static int selinux_file_receive(struct file *file) | ||
2578 | { | ||
2579 | return file_has_perm(current, file, file_to_av(file)); | ||
2580 | } | ||
2581 | |||
2582 | /* task security operations */ | ||
2583 | |||
2584 | static int selinux_task_create(unsigned long clone_flags) | ||
2585 | { | ||
2586 | int rc; | ||
2587 | |||
2588 | rc = secondary_ops->task_create(clone_flags); | ||
2589 | if (rc) | ||
2590 | return rc; | ||
2591 | |||
2592 | return task_has_perm(current, current, PROCESS__FORK); | ||
2593 | } | ||
2594 | |||
2595 | static int selinux_task_alloc_security(struct task_struct *tsk) | ||
2596 | { | ||
2597 | struct task_security_struct *tsec1, *tsec2; | ||
2598 | int rc; | ||
2599 | |||
2600 | tsec1 = current->security; | ||
2601 | |||
2602 | rc = task_alloc_security(tsk); | ||
2603 | if (rc) | ||
2604 | return rc; | ||
2605 | tsec2 = tsk->security; | ||
2606 | |||
2607 | tsec2->osid = tsec1->osid; | ||
2608 | tsec2->sid = tsec1->sid; | ||
2609 | |||
2610 | /* Retain the exec and create SIDs across fork */ | ||
2611 | tsec2->exec_sid = tsec1->exec_sid; | ||
2612 | tsec2->create_sid = tsec1->create_sid; | ||
2613 | |||
2614 | /* Retain ptracer SID across fork, if any. | ||
2615 | This will be reset by the ptrace hook upon any | ||
2616 | subsequent ptrace_attach operations. */ | ||
2617 | tsec2->ptrace_sid = tsec1->ptrace_sid; | ||
2618 | |||
2619 | return 0; | ||
2620 | } | ||
2621 | |||
2622 | static void selinux_task_free_security(struct task_struct *tsk) | ||
2623 | { | ||
2624 | task_free_security(tsk); | ||
2625 | } | ||
2626 | |||
2627 | static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) | ||
2628 | { | ||
2629 | /* Since setuid only affects the current process, and | ||
2630 | since the SELinux controls are not based on the Linux | ||
2631 | identity attributes, SELinux does not need to control | ||
2632 | this operation. However, SELinux does control the use | ||
2633 | of the CAP_SETUID and CAP_SETGID capabilities using the | ||
2634 | capable hook. */ | ||
2635 | return 0; | ||
2636 | } | ||
2637 | |||
2638 | static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) | ||
2639 | { | ||
2640 | return secondary_ops->task_post_setuid(id0,id1,id2,flags); | ||
2641 | } | ||
2642 | |||
2643 | static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) | ||
2644 | { | ||
2645 | /* See the comment for setuid above. */ | ||
2646 | return 0; | ||
2647 | } | ||
2648 | |||
2649 | static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) | ||
2650 | { | ||
2651 | return task_has_perm(current, p, PROCESS__SETPGID); | ||
2652 | } | ||
2653 | |||
2654 | static int selinux_task_getpgid(struct task_struct *p) | ||
2655 | { | ||
2656 | return task_has_perm(current, p, PROCESS__GETPGID); | ||
2657 | } | ||
2658 | |||
2659 | static int selinux_task_getsid(struct task_struct *p) | ||
2660 | { | ||
2661 | return task_has_perm(current, p, PROCESS__GETSESSION); | ||
2662 | } | ||
2663 | |||
2664 | static int selinux_task_setgroups(struct group_info *group_info) | ||
2665 | { | ||
2666 | /* See the comment for setuid above. */ | ||
2667 | return 0; | ||
2668 | } | ||
2669 | |||
2670 | static int selinux_task_setnice(struct task_struct *p, int nice) | ||
2671 | { | ||
2672 | int rc; | ||
2673 | |||
2674 | rc = secondary_ops->task_setnice(p, nice); | ||
2675 | if (rc) | ||
2676 | return rc; | ||
2677 | |||
2678 | return task_has_perm(current,p, PROCESS__SETSCHED); | ||
2679 | } | ||
2680 | |||
2681 | static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) | ||
2682 | { | ||
2683 | struct rlimit *old_rlim = current->signal->rlim + resource; | ||
2684 | int rc; | ||
2685 | |||
2686 | rc = secondary_ops->task_setrlimit(resource, new_rlim); | ||
2687 | if (rc) | ||
2688 | return rc; | ||
2689 | |||
2690 | /* Control the ability to change the hard limit (whether | ||
2691 | lowering or raising it), so that the hard limit can | ||
2692 | later be used as a safe reset point for the soft limit | ||
2693 | upon context transitions. See selinux_bprm_apply_creds. */ | ||
2694 | if (old_rlim->rlim_max != new_rlim->rlim_max) | ||
2695 | return task_has_perm(current, current, PROCESS__SETRLIMIT); | ||
2696 | |||
2697 | return 0; | ||
2698 | } | ||
2699 | |||
2700 | static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp) | ||
2701 | { | ||
2702 | return task_has_perm(current, p, PROCESS__SETSCHED); | ||
2703 | } | ||
2704 | |||
2705 | static int selinux_task_getscheduler(struct task_struct *p) | ||
2706 | { | ||
2707 | return task_has_perm(current, p, PROCESS__GETSCHED); | ||
2708 | } | ||
2709 | |||
2710 | static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig) | ||
2711 | { | ||
2712 | u32 perm; | ||
2713 | int rc; | ||
2714 | |||
2715 | rc = secondary_ops->task_kill(p, info, sig); | ||
2716 | if (rc) | ||
2717 | return rc; | ||
2718 | |||
2719 | if (info && ((unsigned long)info == 1 || | ||
2720 | (unsigned long)info == 2 || SI_FROMKERNEL(info))) | ||
2721 | return 0; | ||
2722 | |||
2723 | if (!sig) | ||
2724 | perm = PROCESS__SIGNULL; /* null signal; existence test */ | ||
2725 | else | ||
2726 | perm = signal_to_av(sig); | ||
2727 | |||
2728 | return task_has_perm(current, p, perm); | ||
2729 | } | ||
2730 | |||
2731 | static int selinux_task_prctl(int option, | ||
2732 | unsigned long arg2, | ||
2733 | unsigned long arg3, | ||
2734 | unsigned long arg4, | ||
2735 | unsigned long arg5) | ||
2736 | { | ||
2737 | /* The current prctl operations do not appear to require | ||
2738 | any SELinux controls since they merely observe or modify | ||
2739 | the state of the current process. */ | ||
2740 | return 0; | ||
2741 | } | ||
2742 | |||
2743 | static int selinux_task_wait(struct task_struct *p) | ||
2744 | { | ||
2745 | u32 perm; | ||
2746 | |||
2747 | perm = signal_to_av(p->exit_signal); | ||
2748 | |||
2749 | return task_has_perm(p, current, perm); | ||
2750 | } | ||
2751 | |||
2752 | static void selinux_task_reparent_to_init(struct task_struct *p) | ||
2753 | { | ||
2754 | struct task_security_struct *tsec; | ||
2755 | |||
2756 | secondary_ops->task_reparent_to_init(p); | ||
2757 | |||
2758 | tsec = p->security; | ||
2759 | tsec->osid = tsec->sid; | ||
2760 | tsec->sid = SECINITSID_KERNEL; | ||
2761 | return; | ||
2762 | } | ||
2763 | |||
2764 | static void selinux_task_to_inode(struct task_struct *p, | ||
2765 | struct inode *inode) | ||
2766 | { | ||
2767 | struct task_security_struct *tsec = p->security; | ||
2768 | struct inode_security_struct *isec = inode->i_security; | ||
2769 | |||
2770 | isec->sid = tsec->sid; | ||
2771 | isec->initialized = 1; | ||
2772 | return; | ||
2773 | } | ||
2774 | |||
2775 | #ifdef CONFIG_SECURITY_NETWORK | ||
2776 | |||
2777 | /* Returns error only if unable to parse addresses */ | ||
2778 | static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad) | ||
2779 | { | ||
2780 | int offset, ihlen, ret = -EINVAL; | ||
2781 | struct iphdr _iph, *ih; | ||
2782 | |||
2783 | offset = skb->nh.raw - skb->data; | ||
2784 | ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); | ||
2785 | if (ih == NULL) | ||
2786 | goto out; | ||
2787 | |||
2788 | ihlen = ih->ihl * 4; | ||
2789 | if (ihlen < sizeof(_iph)) | ||
2790 | goto out; | ||
2791 | |||
2792 | ad->u.net.v4info.saddr = ih->saddr; | ||
2793 | ad->u.net.v4info.daddr = ih->daddr; | ||
2794 | ret = 0; | ||
2795 | |||
2796 | switch (ih->protocol) { | ||
2797 | case IPPROTO_TCP: { | ||
2798 | struct tcphdr _tcph, *th; | ||
2799 | |||
2800 | if (ntohs(ih->frag_off) & IP_OFFSET) | ||
2801 | break; | ||
2802 | |||
2803 | offset += ihlen; | ||
2804 | th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); | ||
2805 | if (th == NULL) | ||
2806 | break; | ||
2807 | |||
2808 | ad->u.net.sport = th->source; | ||
2809 | ad->u.net.dport = th->dest; | ||
2810 | break; | ||
2811 | } | ||
2812 | |||
2813 | case IPPROTO_UDP: { | ||
2814 | struct udphdr _udph, *uh; | ||
2815 | |||
2816 | if (ntohs(ih->frag_off) & IP_OFFSET) | ||
2817 | break; | ||
2818 | |||
2819 | offset += ihlen; | ||
2820 | uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); | ||
2821 | if (uh == NULL) | ||
2822 | break; | ||
2823 | |||
2824 | ad->u.net.sport = uh->source; | ||
2825 | ad->u.net.dport = uh->dest; | ||
2826 | break; | ||
2827 | } | ||
2828 | |||
2829 | default: | ||
2830 | break; | ||
2831 | } | ||
2832 | out: | ||
2833 | return ret; | ||
2834 | } | ||
2835 | |||
2836 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | ||
2837 | |||
2838 | /* Returns error only if unable to parse addresses */ | ||
2839 | static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad) | ||
2840 | { | ||
2841 | u8 nexthdr; | ||
2842 | int ret = -EINVAL, offset; | ||
2843 | struct ipv6hdr _ipv6h, *ip6; | ||
2844 | |||
2845 | offset = skb->nh.raw - skb->data; | ||
2846 | ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); | ||
2847 | if (ip6 == NULL) | ||
2848 | goto out; | ||
2849 | |||
2850 | ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr); | ||
2851 | ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr); | ||
2852 | ret = 0; | ||
2853 | |||
2854 | nexthdr = ip6->nexthdr; | ||
2855 | offset += sizeof(_ipv6h); | ||
2856 | offset = ipv6_skip_exthdr(skb, offset, &nexthdr, | ||
2857 | skb->tail - skb->head - offset); | ||
2858 | if (offset < 0) | ||
2859 | goto out; | ||
2860 | |||
2861 | switch (nexthdr) { | ||
2862 | case IPPROTO_TCP: { | ||
2863 | struct tcphdr _tcph, *th; | ||
2864 | |||
2865 | th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); | ||
2866 | if (th == NULL) | ||
2867 | break; | ||
2868 | |||
2869 | ad->u.net.sport = th->source; | ||
2870 | ad->u.net.dport = th->dest; | ||
2871 | break; | ||
2872 | } | ||
2873 | |||
2874 | case IPPROTO_UDP: { | ||
2875 | struct udphdr _udph, *uh; | ||
2876 | |||
2877 | uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); | ||
2878 | if (uh == NULL) | ||
2879 | break; | ||
2880 | |||
2881 | ad->u.net.sport = uh->source; | ||
2882 | ad->u.net.dport = uh->dest; | ||
2883 | break; | ||
2884 | } | ||
2885 | |||
2886 | /* includes fragments */ | ||
2887 | default: | ||
2888 | break; | ||
2889 | } | ||
2890 | out: | ||
2891 | return ret; | ||
2892 | } | ||
2893 | |||
2894 | #endif /* IPV6 */ | ||
2895 | |||
2896 | static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, | ||
2897 | char **addrp, int *len, int src) | ||
2898 | { | ||
2899 | int ret = 0; | ||
2900 | |||
2901 | switch (ad->u.net.family) { | ||
2902 | case PF_INET: | ||
2903 | ret = selinux_parse_skb_ipv4(skb, ad); | ||
2904 | if (ret || !addrp) | ||
2905 | break; | ||
2906 | *len = 4; | ||
2907 | *addrp = (char *)(src ? &ad->u.net.v4info.saddr : | ||
2908 | &ad->u.net.v4info.daddr); | ||
2909 | break; | ||
2910 | |||
2911 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | ||
2912 | case PF_INET6: | ||
2913 | ret = selinux_parse_skb_ipv6(skb, ad); | ||
2914 | if (ret || !addrp) | ||
2915 | break; | ||
2916 | *len = 16; | ||
2917 | *addrp = (char *)(src ? &ad->u.net.v6info.saddr : | ||
2918 | &ad->u.net.v6info.daddr); | ||
2919 | break; | ||
2920 | #endif /* IPV6 */ | ||
2921 | default: | ||
2922 | break; | ||
2923 | } | ||
2924 | |||
2925 | return ret; | ||
2926 | } | ||
2927 | |||
2928 | /* socket security operations */ | ||
2929 | static int socket_has_perm(struct task_struct *task, struct socket *sock, | ||
2930 | u32 perms) | ||
2931 | { | ||
2932 | struct inode_security_struct *isec; | ||
2933 | struct task_security_struct *tsec; | ||
2934 | struct avc_audit_data ad; | ||
2935 | int err = 0; | ||
2936 | |||
2937 | tsec = task->security; | ||
2938 | isec = SOCK_INODE(sock)->i_security; | ||
2939 | |||
2940 | if (isec->sid == SECINITSID_KERNEL) | ||
2941 | goto out; | ||
2942 | |||
2943 | AVC_AUDIT_DATA_INIT(&ad,NET); | ||
2944 | ad.u.net.sk = sock->sk; | ||
2945 | err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); | ||
2946 | |||
2947 | out: | ||
2948 | return err; | ||
2949 | } | ||
2950 | |||
2951 | static int selinux_socket_create(int family, int type, | ||
2952 | int protocol, int kern) | ||
2953 | { | ||
2954 | int err = 0; | ||
2955 | struct task_security_struct *tsec; | ||
2956 | |||
2957 | if (kern) | ||
2958 | goto out; | ||
2959 | |||
2960 | tsec = current->security; | ||
2961 | err = avc_has_perm(tsec->sid, tsec->sid, | ||
2962 | socket_type_to_security_class(family, type, | ||
2963 | protocol), SOCKET__CREATE, NULL); | ||
2964 | |||
2965 | out: | ||
2966 | return err; | ||
2967 | } | ||
2968 | |||
2969 | static void selinux_socket_post_create(struct socket *sock, int family, | ||
2970 | int type, int protocol, int kern) | ||
2971 | { | ||
2972 | struct inode_security_struct *isec; | ||
2973 | struct task_security_struct *tsec; | ||
2974 | |||
2975 | isec = SOCK_INODE(sock)->i_security; | ||
2976 | |||
2977 | tsec = current->security; | ||
2978 | isec->sclass = socket_type_to_security_class(family, type, protocol); | ||
2979 | isec->sid = kern ? SECINITSID_KERNEL : tsec->sid; | ||
2980 | isec->initialized = 1; | ||
2981 | |||
2982 | return; | ||
2983 | } | ||
2984 | |||
2985 | /* Range of port numbers used to automatically bind. | ||
2986 | Need to determine whether we should perform a name_bind | ||
2987 | permission check between the socket and the port number. */ | ||
2988 | #define ip_local_port_range_0 sysctl_local_port_range[0] | ||
2989 | #define ip_local_port_range_1 sysctl_local_port_range[1] | ||
2990 | |||
2991 | static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) | ||
2992 | { | ||
2993 | u16 family; | ||
2994 | int err; | ||
2995 | |||
2996 | err = socket_has_perm(current, sock, SOCKET__BIND); | ||
2997 | if (err) | ||
2998 | goto out; | ||
2999 | |||
3000 | /* | ||
3001 | * If PF_INET or PF_INET6, check name_bind permission for the port. | ||
3002 | */ | ||
3003 | family = sock->sk->sk_family; | ||
3004 | if (family == PF_INET || family == PF_INET6) { | ||
3005 | char *addrp; | ||
3006 | struct inode_security_struct *isec; | ||
3007 | struct task_security_struct *tsec; | ||
3008 | struct avc_audit_data ad; | ||
3009 | struct sockaddr_in *addr4 = NULL; | ||
3010 | struct sockaddr_in6 *addr6 = NULL; | ||
3011 | unsigned short snum; | ||
3012 | struct sock *sk = sock->sk; | ||
3013 | u32 sid, node_perm, addrlen; | ||
3014 | |||
3015 | tsec = current->security; | ||
3016 | isec = SOCK_INODE(sock)->i_security; | ||
3017 | |||
3018 | if (family == PF_INET) { | ||
3019 | addr4 = (struct sockaddr_in *)address; | ||
3020 | snum = ntohs(addr4->sin_port); | ||
3021 | addrlen = sizeof(addr4->sin_addr.s_addr); | ||
3022 | addrp = (char *)&addr4->sin_addr.s_addr; | ||
3023 | } else { | ||
3024 | addr6 = (struct sockaddr_in6 *)address; | ||
3025 | snum = ntohs(addr6->sin6_port); | ||
3026 | addrlen = sizeof(addr6->sin6_addr.s6_addr); | ||
3027 | addrp = (char *)&addr6->sin6_addr.s6_addr; | ||
3028 | } | ||
3029 | |||
3030 | if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) || | ||
3031 | snum > ip_local_port_range_1)) { | ||
3032 | err = security_port_sid(sk->sk_family, sk->sk_type, | ||
3033 | sk->sk_protocol, snum, &sid); | ||
3034 | if (err) | ||
3035 | goto out; | ||
3036 | AVC_AUDIT_DATA_INIT(&ad,NET); | ||
3037 | ad.u.net.sport = htons(snum); | ||
3038 | ad.u.net.family = family; | ||
3039 | err = avc_has_perm(isec->sid, sid, | ||
3040 | isec->sclass, | ||
3041 | SOCKET__NAME_BIND, &ad); | ||
3042 | if (err) | ||
3043 | goto out; | ||
3044 | } | ||
3045 | |||
3046 | switch(sk->sk_protocol) { | ||
3047 | case IPPROTO_TCP: | ||
3048 | node_perm = TCP_SOCKET__NODE_BIND; | ||
3049 | break; | ||
3050 | |||
3051 | case IPPROTO_UDP: | ||
3052 | node_perm = UDP_SOCKET__NODE_BIND; | ||
3053 | break; | ||
3054 | |||
3055 | default: | ||
3056 | node_perm = RAWIP_SOCKET__NODE_BIND; | ||
3057 | break; | ||
3058 | } | ||
3059 | |||
3060 | err = security_node_sid(family, addrp, addrlen, &sid); | ||
3061 | if (err) | ||
3062 | goto out; | ||
3063 | |||
3064 | AVC_AUDIT_DATA_INIT(&ad,NET); | ||
3065 | ad.u.net.sport = htons(snum); | ||
3066 | ad.u.net.family = family; | ||
3067 | |||
3068 | if (family == PF_INET) | ||
3069 | ad.u.net.v4info.saddr = addr4->sin_addr.s_addr; | ||
3070 | else | ||
3071 | ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr); | ||
3072 | |||
3073 | err = avc_has_perm(isec->sid, sid, | ||
3074 | isec->sclass, node_perm, &ad); | ||
3075 | if (err) | ||
3076 | goto out; | ||
3077 | } | ||
3078 | out: | ||
3079 | return err; | ||
3080 | } | ||
3081 | |||
3082 | static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) | ||
3083 | { | ||
3084 | struct inode_security_struct *isec; | ||
3085 | int err; | ||
3086 | |||
3087 | err = socket_has_perm(current, sock, SOCKET__CONNECT); | ||
3088 | if (err) | ||
3089 | return err; | ||
3090 | |||
3091 | /* | ||
3092 | * If a TCP socket, check name_connect permission for the port. | ||
3093 | */ | ||
3094 | isec = SOCK_INODE(sock)->i_security; | ||
3095 | if (isec->sclass == SECCLASS_TCP_SOCKET) { | ||
3096 | struct sock *sk = sock->sk; | ||
3097 | struct avc_audit_data ad; | ||
3098 | struct sockaddr_in *addr4 = NULL; | ||
3099 | struct sockaddr_in6 *addr6 = NULL; | ||
3100 | unsigned short snum; | ||
3101 | u32 sid; | ||
3102 | |||
3103 | if (sk->sk_family == PF_INET) { | ||
3104 | addr4 = (struct sockaddr_in *)address; | ||
3105 | if (addrlen != sizeof(struct sockaddr_in)) | ||
3106 | return -EINVAL; | ||
3107 | snum = ntohs(addr4->sin_port); | ||
3108 | } else { | ||
3109 | addr6 = (struct sockaddr_in6 *)address; | ||
3110 | if (addrlen != sizeof(struct sockaddr_in6)) | ||
3111 | return -EINVAL; | ||
3112 | snum = ntohs(addr6->sin6_port); | ||
3113 | } | ||
3114 | |||
3115 | err = security_port_sid(sk->sk_family, sk->sk_type, | ||
3116 | sk->sk_protocol, snum, &sid); | ||
3117 | if (err) | ||
3118 | goto out; | ||
3119 | |||
3120 | AVC_AUDIT_DATA_INIT(&ad,NET); | ||
3121 | ad.u.net.dport = htons(snum); | ||
3122 | ad.u.net.family = sk->sk_family; | ||
3123 | err = avc_has_perm(isec->sid, sid, isec->sclass, | ||
3124 | TCP_SOCKET__NAME_CONNECT, &ad); | ||
3125 | if (err) | ||
3126 | goto out; | ||
3127 | } | ||
3128 | |||
3129 | out: | ||
3130 | return err; | ||
3131 | } | ||
3132 | |||
3133 | static int selinux_socket_listen(struct socket *sock, int backlog) | ||
3134 | { | ||
3135 | return socket_has_perm(current, sock, SOCKET__LISTEN); | ||
3136 | } | ||
3137 | |||
3138 | static int selinux_socket_accept(struct socket *sock, struct socket *newsock) | ||
3139 | { | ||
3140 | int err; | ||
3141 | struct inode_security_struct *isec; | ||
3142 | struct inode_security_struct *newisec; | ||
3143 | |||
3144 | err = socket_has_perm(current, sock, SOCKET__ACCEPT); | ||
3145 | if (err) | ||
3146 | return err; | ||
3147 | |||
3148 | newisec = SOCK_INODE(newsock)->i_security; | ||
3149 | |||
3150 | isec = SOCK_INODE(sock)->i_security; | ||
3151 | newisec->sclass = isec->sclass; | ||
3152 | newisec->sid = isec->sid; | ||
3153 | newisec->initialized = 1; | ||
3154 | |||
3155 | return 0; | ||
3156 | } | ||
3157 | |||
3158 | static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, | ||
3159 | int size) | ||
3160 | { | ||
3161 | return socket_has_perm(current, sock, SOCKET__WRITE); | ||
3162 | } | ||
3163 | |||
3164 | static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, | ||
3165 | int size, int flags) | ||
3166 | { | ||
3167 | return socket_has_perm(current, sock, SOCKET__READ); | ||
3168 | } | ||
3169 | |||
3170 | static int selinux_socket_getsockname(struct socket *sock) | ||
3171 | { | ||
3172 | return socket_has_perm(current, sock, SOCKET__GETATTR); | ||
3173 | } | ||
3174 | |||
3175 | static int selinux_socket_getpeername(struct socket *sock) | ||
3176 | { | ||
3177 | return socket_has_perm(current, sock, SOCKET__GETATTR); | ||
3178 | } | ||
3179 | |||
3180 | static int selinux_socket_setsockopt(struct socket *sock,int level,int optname) | ||
3181 | { | ||
3182 | return socket_has_perm(current, sock, SOCKET__SETOPT); | ||
3183 | } | ||
3184 | |||
3185 | static int selinux_socket_getsockopt(struct socket *sock, int level, | ||
3186 | int optname) | ||
3187 | { | ||
3188 | return socket_has_perm(current, sock, SOCKET__GETOPT); | ||
3189 | } | ||
3190 | |||
3191 | static int selinux_socket_shutdown(struct socket *sock, int how) | ||
3192 | { | ||
3193 | return socket_has_perm(current, sock, SOCKET__SHUTDOWN); | ||
3194 | } | ||
3195 | |||
3196 | static int selinux_socket_unix_stream_connect(struct socket *sock, | ||
3197 | struct socket *other, | ||
3198 | struct sock *newsk) | ||
3199 | { | ||
3200 | struct sk_security_struct *ssec; | ||
3201 | struct inode_security_struct *isec; | ||
3202 | struct inode_security_struct *other_isec; | ||
3203 | struct avc_audit_data ad; | ||
3204 | int err; | ||
3205 | |||
3206 | err = secondary_ops->unix_stream_connect(sock, other, newsk); | ||
3207 | if (err) | ||
3208 | return err; | ||
3209 | |||
3210 | isec = SOCK_INODE(sock)->i_security; | ||
3211 | other_isec = SOCK_INODE(other)->i_security; | ||
3212 | |||
3213 | AVC_AUDIT_DATA_INIT(&ad,NET); | ||
3214 | ad.u.net.sk = other->sk; | ||
3215 | |||
3216 | err = avc_has_perm(isec->sid, other_isec->sid, | ||
3217 | isec->sclass, | ||
3218 | UNIX_STREAM_SOCKET__CONNECTTO, &ad); | ||
3219 | if (err) | ||
3220 | return err; | ||
3221 | |||
3222 | /* connecting socket */ | ||
3223 | ssec = sock->sk->sk_security; | ||
3224 | ssec->peer_sid = other_isec->sid; | ||
3225 | |||
3226 | /* server child socket */ | ||
3227 | ssec = newsk->sk_security; | ||
3228 | ssec->peer_sid = isec->sid; | ||
3229 | |||
3230 | return 0; | ||
3231 | } | ||
3232 | |||
3233 | static int selinux_socket_unix_may_send(struct socket *sock, | ||
3234 | struct socket *other) | ||
3235 | { | ||
3236 | struct inode_security_struct *isec; | ||
3237 | struct inode_security_struct *other_isec; | ||
3238 | struct avc_audit_data ad; | ||
3239 | int err; | ||
3240 | |||
3241 | isec = SOCK_INODE(sock)->i_security; | ||
3242 | other_isec = SOCK_INODE(other)->i_security; | ||
3243 | |||
3244 | AVC_AUDIT_DATA_INIT(&ad,NET); | ||
3245 | ad.u.net.sk = other->sk; | ||
3246 | |||
3247 | err = avc_has_perm(isec->sid, other_isec->sid, | ||
3248 | isec->sclass, SOCKET__SENDTO, &ad); | ||
3249 | if (err) | ||
3250 | return err; | ||
3251 | |||
3252 | return 0; | ||
3253 | } | ||
3254 | |||
3255 | static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) | ||
3256 | { | ||
3257 | u16 family; | ||
3258 | char *addrp; | ||
3259 | int len, err = 0; | ||
3260 | u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0; | ||
3261 | u32 sock_sid = 0; | ||
3262 | u16 sock_class = 0; | ||
3263 | struct socket *sock; | ||
3264 | struct net_device *dev; | ||
3265 | struct avc_audit_data ad; | ||
3266 | |||
3267 | family = sk->sk_family; | ||
3268 | if (family != PF_INET && family != PF_INET6) | ||
3269 | goto out; | ||
3270 | |||
3271 | /* Handle mapped IPv4 packets arriving via IPv6 sockets */ | ||
3272 | if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP)) | ||
3273 | family = PF_INET; | ||
3274 | |||
3275 | read_lock_bh(&sk->sk_callback_lock); | ||
3276 | sock = sk->sk_socket; | ||
3277 | if (sock) { | ||
3278 | struct inode *inode; | ||
3279 | inode = SOCK_INODE(sock); | ||
3280 | if (inode) { | ||
3281 | struct inode_security_struct *isec; | ||
3282 | isec = inode->i_security; | ||
3283 | sock_sid = isec->sid; | ||
3284 | sock_class = isec->sclass; | ||
3285 | } | ||
3286 | } | ||
3287 | read_unlock_bh(&sk->sk_callback_lock); | ||
3288 | if (!sock_sid) | ||
3289 | goto out; | ||
3290 | |||
3291 | dev = skb->dev; | ||
3292 | if (!dev) | ||
3293 | goto out; | ||
3294 | |||
3295 | err = sel_netif_sids(dev, &if_sid, NULL); | ||
3296 | if (err) | ||
3297 | goto out; | ||
3298 | |||
3299 | switch (sock_class) { | ||
3300 | case SECCLASS_UDP_SOCKET: | ||
3301 | netif_perm = NETIF__UDP_RECV; | ||
3302 | node_perm = NODE__UDP_RECV; | ||
3303 | recv_perm = UDP_SOCKET__RECV_MSG; | ||
3304 | break; | ||
3305 | |||
3306 | case SECCLASS_TCP_SOCKET: | ||
3307 | netif_perm = NETIF__TCP_RECV; | ||
3308 | node_perm = NODE__TCP_RECV; | ||
3309 | recv_perm = TCP_SOCKET__RECV_MSG; | ||
3310 | break; | ||
3311 | |||
3312 | default: | ||
3313 | netif_perm = NETIF__RAWIP_RECV; | ||
3314 | node_perm = NODE__RAWIP_RECV; | ||
3315 | break; | ||
3316 | } | ||
3317 | |||
3318 | AVC_AUDIT_DATA_INIT(&ad, NET); | ||
3319 | ad.u.net.netif = dev->name; | ||
3320 | ad.u.net.family = family; | ||
3321 | |||
3322 | err = selinux_parse_skb(skb, &ad, &addrp, &len, 1); | ||
3323 | if (err) | ||
3324 | goto out; | ||
3325 | |||
3326 | err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad); | ||
3327 | if (err) | ||
3328 | goto out; | ||
3329 | |||
3330 | /* Fixme: this lookup is inefficient */ | ||
3331 | err = security_node_sid(family, addrp, len, &node_sid); | ||
3332 | if (err) | ||
3333 | goto out; | ||
3334 | |||
3335 | err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad); | ||
3336 | if (err) | ||
3337 | goto out; | ||
3338 | |||
3339 | if (recv_perm) { | ||
3340 | u32 port_sid; | ||
3341 | |||
3342 | /* Fixme: make this more efficient */ | ||
3343 | err = security_port_sid(sk->sk_family, sk->sk_type, | ||
3344 | sk->sk_protocol, ntohs(ad.u.net.sport), | ||
3345 | &port_sid); | ||
3346 | if (err) | ||
3347 | goto out; | ||
3348 | |||
3349 | err = avc_has_perm(sock_sid, port_sid, | ||
3350 | sock_class, recv_perm, &ad); | ||
3351 | } | ||
3352 | out: | ||
3353 | return err; | ||
3354 | } | ||
3355 | |||
3356 | static int selinux_socket_getpeersec(struct socket *sock, char __user *optval, | ||
3357 | int __user *optlen, unsigned len) | ||
3358 | { | ||
3359 | int err = 0; | ||
3360 | char *scontext; | ||
3361 | u32 scontext_len; | ||
3362 | struct sk_security_struct *ssec; | ||
3363 | struct inode_security_struct *isec; | ||
3364 | |||
3365 | isec = SOCK_INODE(sock)->i_security; | ||
3366 | if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) { | ||
3367 | err = -ENOPROTOOPT; | ||
3368 | goto out; | ||
3369 | } | ||
3370 | |||
3371 | ssec = sock->sk->sk_security; | ||
3372 | |||
3373 | err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len); | ||
3374 | if (err) | ||
3375 | goto out; | ||
3376 | |||
3377 | if (scontext_len > len) { | ||
3378 | err = -ERANGE; | ||
3379 | goto out_len; | ||
3380 | } | ||
3381 | |||
3382 | if (copy_to_user(optval, scontext, scontext_len)) | ||
3383 | err = -EFAULT; | ||
3384 | |||
3385 | out_len: | ||
3386 | if (put_user(scontext_len, optlen)) | ||
3387 | err = -EFAULT; | ||
3388 | |||
3389 | kfree(scontext); | ||
3390 | out: | ||
3391 | return err; | ||
3392 | } | ||
3393 | |||
3394 | static int selinux_sk_alloc_security(struct sock *sk, int family, int priority) | ||
3395 | { | ||
3396 | return sk_alloc_security(sk, family, priority); | ||
3397 | } | ||
3398 | |||
3399 | static void selinux_sk_free_security(struct sock *sk) | ||
3400 | { | ||
3401 | sk_free_security(sk); | ||
3402 | } | ||
3403 | |||
3404 | static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) | ||
3405 | { | ||
3406 | int err = 0; | ||
3407 | u32 perm; | ||
3408 | struct nlmsghdr *nlh; | ||
3409 | struct socket *sock = sk->sk_socket; | ||
3410 | struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; | ||
3411 | |||
3412 | if (skb->len < NLMSG_SPACE(0)) { | ||
3413 | err = -EINVAL; | ||
3414 | goto out; | ||
3415 | } | ||
3416 | nlh = (struct nlmsghdr *)skb->data; | ||
3417 | |||
3418 | err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); | ||
3419 | if (err) { | ||
3420 | if (err == -EINVAL) { | ||
3421 | audit_log(current->audit_context, | ||
3422 | "SELinux: unrecognized netlink message" | ||
3423 | " type=%hu for sclass=%hu\n", | ||
3424 | nlh->nlmsg_type, isec->sclass); | ||
3425 | if (!selinux_enforcing) | ||
3426 | err = 0; | ||
3427 | } | ||
3428 | |||
3429 | /* Ignore */ | ||
3430 | if (err == -ENOENT) | ||
3431 | err = 0; | ||
3432 | goto out; | ||
3433 | } | ||
3434 | |||
3435 | err = socket_has_perm(current, sock, perm); | ||
3436 | out: | ||
3437 | return err; | ||
3438 | } | ||
3439 | |||
3440 | #ifdef CONFIG_NETFILTER | ||
3441 | |||
3442 | static unsigned int selinux_ip_postroute_last(unsigned int hooknum, | ||
3443 | struct sk_buff **pskb, | ||
3444 | const struct net_device *in, | ||
3445 | const struct net_device *out, | ||
3446 | int (*okfn)(struct sk_buff *), | ||
3447 | u16 family) | ||
3448 | { | ||
3449 | char *addrp; | ||
3450 | int len, err = NF_ACCEPT; | ||
3451 | u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0; | ||
3452 | struct sock *sk; | ||
3453 | struct socket *sock; | ||
3454 | struct inode *inode; | ||
3455 | struct sk_buff *skb = *pskb; | ||
3456 | struct inode_security_struct *isec; | ||
3457 | struct avc_audit_data ad; | ||
3458 | struct net_device *dev = (struct net_device *)out; | ||
3459 | |||
3460 | sk = skb->sk; | ||
3461 | if (!sk) | ||
3462 | goto out; | ||
3463 | |||
3464 | sock = sk->sk_socket; | ||
3465 | if (!sock) | ||
3466 | goto out; | ||
3467 | |||
3468 | inode = SOCK_INODE(sock); | ||
3469 | if (!inode) | ||
3470 | goto out; | ||
3471 | |||
3472 | err = sel_netif_sids(dev, &if_sid, NULL); | ||
3473 | if (err) | ||
3474 | goto out; | ||
3475 | |||
3476 | isec = inode->i_security; | ||
3477 | |||
3478 | switch (isec->sclass) { | ||
3479 | case SECCLASS_UDP_SOCKET: | ||
3480 | netif_perm = NETIF__UDP_SEND; | ||
3481 | node_perm = NODE__UDP_SEND; | ||
3482 | send_perm = UDP_SOCKET__SEND_MSG; | ||
3483 | break; | ||
3484 | |||
3485 | case SECCLASS_TCP_SOCKET: | ||
3486 | netif_perm = NETIF__TCP_SEND; | ||
3487 | node_perm = NODE__TCP_SEND; | ||
3488 | send_perm = TCP_SOCKET__SEND_MSG; | ||
3489 | break; | ||
3490 | |||
3491 | default: | ||
3492 | netif_perm = NETIF__RAWIP_SEND; | ||
3493 | node_perm = NODE__RAWIP_SEND; | ||
3494 | break; | ||
3495 | } | ||
3496 | |||
3497 | |||
3498 | AVC_AUDIT_DATA_INIT(&ad, NET); | ||
3499 | ad.u.net.netif = dev->name; | ||
3500 | ad.u.net.family = family; | ||
3501 | |||
3502 | err = selinux_parse_skb(skb, &ad, &addrp, | ||
3503 | &len, 0) ? NF_DROP : NF_ACCEPT; | ||
3504 | if (err != NF_ACCEPT) | ||
3505 | goto out; | ||
3506 | |||
3507 | err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, | ||
3508 | netif_perm, &ad) ? NF_DROP : NF_ACCEPT; | ||
3509 | if (err != NF_ACCEPT) | ||
3510 | goto out; | ||
3511 | |||
3512 | /* Fixme: this lookup is inefficient */ | ||
3513 | err = security_node_sid(family, addrp, len, | ||
3514 | &node_sid) ? NF_DROP : NF_ACCEPT; | ||
3515 | if (err != NF_ACCEPT) | ||
3516 | goto out; | ||
3517 | |||
3518 | err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, | ||
3519 | node_perm, &ad) ? NF_DROP : NF_ACCEPT; | ||
3520 | if (err != NF_ACCEPT) | ||
3521 | goto out; | ||
3522 | |||
3523 | if (send_perm) { | ||
3524 | u32 port_sid; | ||
3525 | |||
3526 | /* Fixme: make this more efficient */ | ||
3527 | err = security_port_sid(sk->sk_family, | ||
3528 | sk->sk_type, | ||
3529 | sk->sk_protocol, | ||
3530 | ntohs(ad.u.net.dport), | ||
3531 | &port_sid) ? NF_DROP : NF_ACCEPT; | ||
3532 | if (err != NF_ACCEPT) | ||
3533 | goto out; | ||
3534 | |||
3535 | err = avc_has_perm(isec->sid, port_sid, isec->sclass, | ||
3536 | send_perm, &ad) ? NF_DROP : NF_ACCEPT; | ||
3537 | } | ||
3538 | |||
3539 | out: | ||
3540 | return err; | ||
3541 | } | ||
3542 | |||
3543 | static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum, | ||
3544 | struct sk_buff **pskb, | ||
3545 | const struct net_device *in, | ||
3546 | const struct net_device *out, | ||
3547 | int (*okfn)(struct sk_buff *)) | ||
3548 | { | ||
3549 | return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET); | ||
3550 | } | ||
3551 | |||
3552 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | ||
3553 | |||
3554 | static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum, | ||
3555 | struct sk_buff **pskb, | ||
3556 | const struct net_device *in, | ||
3557 | const struct net_device *out, | ||
3558 | int (*okfn)(struct sk_buff *)) | ||
3559 | { | ||
3560 | return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6); | ||
3561 | } | ||
3562 | |||
3563 | #endif /* IPV6 */ | ||
3564 | |||
3565 | #endif /* CONFIG_NETFILTER */ | ||
3566 | |||
3567 | #else | ||
3568 | |||
3569 | static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) | ||
3570 | { | ||
3571 | return 0; | ||
3572 | } | ||
3573 | |||
3574 | #endif /* CONFIG_SECURITY_NETWORK */ | ||
3575 | |||
3576 | static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) | ||
3577 | { | ||
3578 | struct task_security_struct *tsec; | ||
3579 | struct av_decision avd; | ||
3580 | int err; | ||
3581 | |||
3582 | err = secondary_ops->netlink_send(sk, skb); | ||
3583 | if (err) | ||
3584 | return err; | ||
3585 | |||
3586 | tsec = current->security; | ||
3587 | |||
3588 | avd.allowed = 0; | ||
3589 | avc_has_perm_noaudit(tsec->sid, tsec->sid, | ||
3590 | SECCLASS_CAPABILITY, ~0, &avd); | ||
3591 | cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed); | ||
3592 | |||
3593 | if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS) | ||
3594 | err = selinux_nlmsg_perm(sk, skb); | ||
3595 | |||
3596 | return err; | ||
3597 | } | ||
3598 | |||
3599 | static int selinux_netlink_recv(struct sk_buff *skb) | ||
3600 | { | ||
3601 | if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) | ||
3602 | return -EPERM; | ||
3603 | return 0; | ||
3604 | } | ||
3605 | |||
3606 | static int ipc_alloc_security(struct task_struct *task, | ||
3607 | struct kern_ipc_perm *perm, | ||
3608 | u16 sclass) | ||
3609 | { | ||
3610 | struct task_security_struct *tsec = task->security; | ||
3611 | struct ipc_security_struct *isec; | ||
3612 | |||
3613 | isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); | ||
3614 | if (!isec) | ||
3615 | return -ENOMEM; | ||
3616 | |||
3617 | memset(isec, 0, sizeof(struct ipc_security_struct)); | ||
3618 | isec->magic = SELINUX_MAGIC; | ||
3619 | isec->sclass = sclass; | ||
3620 | isec->ipc_perm = perm; | ||
3621 | if (tsec) { | ||
3622 | isec->sid = tsec->sid; | ||
3623 | } else { | ||
3624 | isec->sid = SECINITSID_UNLABELED; | ||
3625 | } | ||
3626 | perm->security = isec; | ||
3627 | |||
3628 | return 0; | ||
3629 | } | ||
3630 | |||
3631 | static void ipc_free_security(struct kern_ipc_perm *perm) | ||
3632 | { | ||
3633 | struct ipc_security_struct *isec = perm->security; | ||
3634 | if (!isec || isec->magic != SELINUX_MAGIC) | ||
3635 | return; | ||
3636 | |||
3637 | perm->security = NULL; | ||
3638 | kfree(isec); | ||
3639 | } | ||
3640 | |||
3641 | static int msg_msg_alloc_security(struct msg_msg *msg) | ||
3642 | { | ||
3643 | struct msg_security_struct *msec; | ||
3644 | |||
3645 | msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL); | ||
3646 | if (!msec) | ||
3647 | return -ENOMEM; | ||
3648 | |||
3649 | memset(msec, 0, sizeof(struct msg_security_struct)); | ||
3650 | msec->magic = SELINUX_MAGIC; | ||
3651 | msec->msg = msg; | ||
3652 | msec->sid = SECINITSID_UNLABELED; | ||
3653 | msg->security = msec; | ||
3654 | |||
3655 | return 0; | ||
3656 | } | ||
3657 | |||
3658 | static void msg_msg_free_security(struct msg_msg *msg) | ||
3659 | { | ||
3660 | struct msg_security_struct *msec = msg->security; | ||
3661 | if (!msec || msec->magic != SELINUX_MAGIC) | ||
3662 | return; | ||
3663 | |||
3664 | msg->security = NULL; | ||
3665 | kfree(msec); | ||
3666 | } | ||
3667 | |||
3668 | static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, | ||
3669 | u16 sclass, u32 perms) | ||
3670 | { | ||
3671 | struct task_security_struct *tsec; | ||
3672 | struct ipc_security_struct *isec; | ||
3673 | struct avc_audit_data ad; | ||
3674 | |||
3675 | tsec = current->security; | ||
3676 | isec = ipc_perms->security; | ||
3677 | |||
3678 | AVC_AUDIT_DATA_INIT(&ad, IPC); | ||
3679 | ad.u.ipc_id = ipc_perms->key; | ||
3680 | |||
3681 | return avc_has_perm(tsec->sid, isec->sid, sclass, perms, &ad); | ||
3682 | } | ||
3683 | |||
3684 | static int selinux_msg_msg_alloc_security(struct msg_msg *msg) | ||
3685 | { | ||
3686 | return msg_msg_alloc_security(msg); | ||
3687 | } | ||
3688 | |||
3689 | static void selinux_msg_msg_free_security(struct msg_msg *msg) | ||
3690 | { | ||
3691 | msg_msg_free_security(msg); | ||
3692 | } | ||
3693 | |||
3694 | /* message queue security operations */ | ||
3695 | static int selinux_msg_queue_alloc_security(struct msg_queue *msq) | ||
3696 | { | ||
3697 | struct task_security_struct *tsec; | ||
3698 | struct ipc_security_struct *isec; | ||
3699 | struct avc_audit_data ad; | ||
3700 | int rc; | ||
3701 | |||
3702 | rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ); | ||
3703 | if (rc) | ||
3704 | return rc; | ||
3705 | |||
3706 | tsec = current->security; | ||
3707 | isec = msq->q_perm.security; | ||
3708 | |||
3709 | AVC_AUDIT_DATA_INIT(&ad, IPC); | ||
3710 | ad.u.ipc_id = msq->q_perm.key; | ||
3711 | |||
3712 | rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, | ||
3713 | MSGQ__CREATE, &ad); | ||
3714 | if (rc) { | ||
3715 | ipc_free_security(&msq->q_perm); | ||
3716 | return rc; | ||
3717 | } | ||
3718 | return 0; | ||
3719 | } | ||
3720 | |||
3721 | static void selinux_msg_queue_free_security(struct msg_queue *msq) | ||
3722 | { | ||
3723 | ipc_free_security(&msq->q_perm); | ||
3724 | } | ||
3725 | |||
3726 | static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) | ||
3727 | { | ||
3728 | struct task_security_struct *tsec; | ||
3729 | struct ipc_security_struct *isec; | ||
3730 | struct avc_audit_data ad; | ||
3731 | |||
3732 | tsec = current->security; | ||
3733 | isec = msq->q_perm.security; | ||
3734 | |||
3735 | AVC_AUDIT_DATA_INIT(&ad, IPC); | ||
3736 | ad.u.ipc_id = msq->q_perm.key; | ||
3737 | |||
3738 | return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, | ||
3739 | MSGQ__ASSOCIATE, &ad); | ||
3740 | } | ||
3741 | |||
3742 | static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) | ||
3743 | { | ||
3744 | int err; | ||
3745 | int perms; | ||
3746 | |||
3747 | switch(cmd) { | ||
3748 | case IPC_INFO: | ||
3749 | case MSG_INFO: | ||
3750 | /* No specific object, just general system-wide information. */ | ||
3751 | return task_has_system(current, SYSTEM__IPC_INFO); | ||
3752 | case IPC_STAT: | ||
3753 | case MSG_STAT: | ||
3754 | perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; | ||
3755 | break; | ||
3756 | case IPC_SET: | ||
3757 | perms = MSGQ__SETATTR; | ||
3758 | break; | ||
3759 | case IPC_RMID: | ||
3760 | perms = MSGQ__DESTROY; | ||
3761 | break; | ||
3762 | default: | ||
3763 | return 0; | ||
3764 | } | ||
3765 | |||
3766 | err = ipc_has_perm(&msq->q_perm, SECCLASS_MSGQ, perms); | ||
3767 | return err; | ||
3768 | } | ||
3769 | |||
3770 | static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) | ||
3771 | { | ||
3772 | struct task_security_struct *tsec; | ||
3773 | struct ipc_security_struct *isec; | ||
3774 | struct msg_security_struct *msec; | ||
3775 | struct avc_audit_data ad; | ||
3776 | int rc; | ||
3777 | |||
3778 | tsec = current->security; | ||
3779 | isec = msq->q_perm.security; | ||
3780 | msec = msg->security; | ||
3781 | |||
3782 | /* | ||
3783 | * First time through, need to assign label to the message | ||
3784 | */ | ||
3785 | if (msec->sid == SECINITSID_UNLABELED) { | ||
3786 | /* | ||
3787 | * Compute new sid based on current process and | ||
3788 | * message queue this message will be stored in | ||
3789 | */ | ||
3790 | rc = security_transition_sid(tsec->sid, | ||
3791 | isec->sid, | ||
3792 | SECCLASS_MSG, | ||
3793 | &msec->sid); | ||
3794 | if (rc) | ||
3795 | return rc; | ||
3796 | } | ||
3797 | |||
3798 | AVC_AUDIT_DATA_INIT(&ad, IPC); | ||
3799 | ad.u.ipc_id = msq->q_perm.key; | ||
3800 | |||
3801 | /* Can this process write to the queue? */ | ||
3802 | rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, | ||
3803 | MSGQ__WRITE, &ad); | ||
3804 | if (!rc) | ||
3805 | /* Can this process send the message */ | ||
3806 | rc = avc_has_perm(tsec->sid, msec->sid, | ||
3807 | SECCLASS_MSG, MSG__SEND, &ad); | ||
3808 | if (!rc) | ||
3809 | /* Can the message be put in the queue? */ | ||
3810 | rc = avc_has_perm(msec->sid, isec->sid, | ||
3811 | SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad); | ||
3812 | |||
3813 | return rc; | ||
3814 | } | ||
3815 | |||
3816 | static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, | ||
3817 | struct task_struct *target, | ||
3818 | long type, int mode) | ||
3819 | { | ||
3820 | struct task_security_struct *tsec; | ||
3821 | struct ipc_security_struct *isec; | ||
3822 | struct msg_security_struct *msec; | ||
3823 | struct avc_audit_data ad; | ||
3824 | int rc; | ||
3825 | |||
3826 | tsec = target->security; | ||
3827 | isec = msq->q_perm.security; | ||
3828 | msec = msg->security; | ||
3829 | |||
3830 | AVC_AUDIT_DATA_INIT(&ad, IPC); | ||
3831 | ad.u.ipc_id = msq->q_perm.key; | ||
3832 | |||
3833 | rc = avc_has_perm(tsec->sid, isec->sid, | ||
3834 | SECCLASS_MSGQ, MSGQ__READ, &ad); | ||
3835 | if (!rc) | ||
3836 | rc = avc_has_perm(tsec->sid, msec->sid, | ||
3837 | SECCLASS_MSG, MSG__RECEIVE, &ad); | ||
3838 | return rc; | ||
3839 | } | ||
3840 | |||
3841 | /* Shared Memory security operations */ | ||
3842 | static int selinux_shm_alloc_security(struct shmid_kernel *shp) | ||
3843 | { | ||
3844 | struct task_security_struct *tsec; | ||
3845 | struct ipc_security_struct *isec; | ||
3846 | struct avc_audit_data ad; | ||
3847 | int rc; | ||
3848 | |||
3849 | rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM); | ||
3850 | if (rc) | ||
3851 | return rc; | ||
3852 | |||
3853 | tsec = current->security; | ||
3854 | isec = shp->shm_perm.security; | ||
3855 | |||
3856 | AVC_AUDIT_DATA_INIT(&ad, IPC); | ||
3857 | ad.u.ipc_id = shp->shm_perm.key; | ||
3858 | |||
3859 | rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, | ||
3860 | SHM__CREATE, &ad); | ||
3861 | if (rc) { | ||
3862 | ipc_free_security(&shp->shm_perm); | ||
3863 | return rc; | ||
3864 | } | ||
3865 | return 0; | ||
3866 | } | ||
3867 | |||
3868 | static void selinux_shm_free_security(struct shmid_kernel *shp) | ||
3869 | { | ||
3870 | ipc_free_security(&shp->shm_perm); | ||
3871 | } | ||
3872 | |||
3873 | static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) | ||
3874 | { | ||
3875 | struct task_security_struct *tsec; | ||
3876 | struct ipc_security_struct *isec; | ||
3877 | struct avc_audit_data ad; | ||
3878 | |||
3879 | tsec = current->security; | ||
3880 | isec = shp->shm_perm.security; | ||
3881 | |||
3882 | AVC_AUDIT_DATA_INIT(&ad, IPC); | ||
3883 | ad.u.ipc_id = shp->shm_perm.key; | ||
3884 | |||
3885 | return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, | ||
3886 | SHM__ASSOCIATE, &ad); | ||
3887 | } | ||
3888 | |||
3889 | /* Note, at this point, shp is locked down */ | ||
3890 | static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) | ||
3891 | { | ||
3892 | int perms; | ||
3893 | int err; | ||
3894 | |||
3895 | switch(cmd) { | ||
3896 | case IPC_INFO: | ||
3897 | case SHM_INFO: | ||
3898 | /* No specific object, just general system-wide information. */ | ||
3899 | return task_has_system(current, SYSTEM__IPC_INFO); | ||
3900 | case IPC_STAT: | ||
3901 | case SHM_STAT: | ||
3902 | perms = SHM__GETATTR | SHM__ASSOCIATE; | ||
3903 | break; | ||
3904 | case IPC_SET: | ||
3905 | perms = SHM__SETATTR; | ||
3906 | break; | ||
3907 | case SHM_LOCK: | ||
3908 | case SHM_UNLOCK: | ||
3909 | perms = SHM__LOCK; | ||
3910 | break; | ||
3911 | case IPC_RMID: | ||
3912 | perms = SHM__DESTROY; | ||
3913 | break; | ||
3914 | default: | ||
3915 | return 0; | ||
3916 | } | ||
3917 | |||
3918 | err = ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms); | ||
3919 | return err; | ||
3920 | } | ||
3921 | |||
3922 | static int selinux_shm_shmat(struct shmid_kernel *shp, | ||
3923 | char __user *shmaddr, int shmflg) | ||
3924 | { | ||
3925 | u32 perms; | ||
3926 | int rc; | ||
3927 | |||
3928 | rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg); | ||
3929 | if (rc) | ||
3930 | return rc; | ||
3931 | |||
3932 | if (shmflg & SHM_RDONLY) | ||
3933 | perms = SHM__READ; | ||
3934 | else | ||
3935 | perms = SHM__READ | SHM__WRITE; | ||
3936 | |||
3937 | return ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms); | ||
3938 | } | ||
3939 | |||
3940 | /* Semaphore security operations */ | ||
3941 | static int selinux_sem_alloc_security(struct sem_array *sma) | ||
3942 | { | ||
3943 | struct task_security_struct *tsec; | ||
3944 | struct ipc_security_struct *isec; | ||
3945 | struct avc_audit_data ad; | ||
3946 | int rc; | ||
3947 | |||
3948 | rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM); | ||
3949 | if (rc) | ||
3950 | return rc; | ||
3951 | |||
3952 | tsec = current->security; | ||
3953 | isec = sma->sem_perm.security; | ||
3954 | |||
3955 | AVC_AUDIT_DATA_INIT(&ad, IPC); | ||
3956 | ad.u.ipc_id = sma->sem_perm.key; | ||
3957 | |||
3958 | rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, | ||
3959 | SEM__CREATE, &ad); | ||
3960 | if (rc) { | ||
3961 | ipc_free_security(&sma->sem_perm); | ||
3962 | return rc; | ||
3963 | } | ||
3964 | return 0; | ||
3965 | } | ||
3966 | |||
3967 | static void selinux_sem_free_security(struct sem_array *sma) | ||
3968 | { | ||
3969 | ipc_free_security(&sma->sem_perm); | ||
3970 | } | ||
3971 | |||
3972 | static int selinux_sem_associate(struct sem_array *sma, int semflg) | ||
3973 | { | ||
3974 | struct task_security_struct *tsec; | ||
3975 | struct ipc_security_struct *isec; | ||
3976 | struct avc_audit_data ad; | ||
3977 | |||
3978 | tsec = current->security; | ||
3979 | isec = sma->sem_perm.security; | ||
3980 | |||
3981 | AVC_AUDIT_DATA_INIT(&ad, IPC); | ||
3982 | ad.u.ipc_id = sma->sem_perm.key; | ||
3983 | |||
3984 | return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, | ||
3985 | SEM__ASSOCIATE, &ad); | ||
3986 | } | ||
3987 | |||
3988 | /* Note, at this point, sma is locked down */ | ||
3989 | static int selinux_sem_semctl(struct sem_array *sma, int cmd) | ||
3990 | { | ||
3991 | int err; | ||
3992 | u32 perms; | ||
3993 | |||
3994 | switch(cmd) { | ||
3995 | case IPC_INFO: | ||
3996 | case SEM_INFO: | ||
3997 | /* No specific object, just general system-wide information. */ | ||
3998 | return task_has_system(current, SYSTEM__IPC_INFO); | ||
3999 | case GETPID: | ||
4000 | case GETNCNT: | ||
4001 | case GETZCNT: | ||
4002 | perms = SEM__GETATTR; | ||
4003 | break; | ||
4004 | case GETVAL: | ||
4005 | case GETALL: | ||
4006 | perms = SEM__READ; | ||
4007 | break; | ||
4008 | case SETVAL: | ||
4009 | case SETALL: | ||
4010 | perms = SEM__WRITE; | ||
4011 | break; | ||
4012 | case IPC_RMID: | ||
4013 | perms = SEM__DESTROY; | ||
4014 | break; | ||
4015 | case IPC_SET: | ||
4016 | perms = SEM__SETATTR; | ||
4017 | break; | ||
4018 | case IPC_STAT: | ||
4019 | case SEM_STAT: | ||
4020 | perms = SEM__GETATTR | SEM__ASSOCIATE; | ||
4021 | break; | ||
4022 | default: | ||
4023 | return 0; | ||
4024 | } | ||
4025 | |||
4026 | err = ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms); | ||
4027 | return err; | ||
4028 | } | ||
4029 | |||
4030 | static int selinux_sem_semop(struct sem_array *sma, | ||
4031 | struct sembuf *sops, unsigned nsops, int alter) | ||
4032 | { | ||
4033 | u32 perms; | ||
4034 | |||
4035 | if (alter) | ||
4036 | perms = SEM__READ | SEM__WRITE; | ||
4037 | else | ||
4038 | perms = SEM__READ; | ||
4039 | |||
4040 | return ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms); | ||
4041 | } | ||
4042 | |||
4043 | static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) | ||
4044 | { | ||
4045 | struct ipc_security_struct *isec = ipcp->security; | ||
4046 | u16 sclass = SECCLASS_IPC; | ||
4047 | u32 av = 0; | ||
4048 | |||
4049 | if (isec && isec->magic == SELINUX_MAGIC) | ||
4050 | sclass = isec->sclass; | ||
4051 | |||
4052 | av = 0; | ||
4053 | if (flag & S_IRUGO) | ||
4054 | av |= IPC__UNIX_READ; | ||
4055 | if (flag & S_IWUGO) | ||
4056 | av |= IPC__UNIX_WRITE; | ||
4057 | |||
4058 | if (av == 0) | ||
4059 | return 0; | ||
4060 | |||
4061 | return ipc_has_perm(ipcp, sclass, av); | ||
4062 | } | ||
4063 | |||
4064 | /* module stacking operations */ | ||
4065 | static int selinux_register_security (const char *name, struct security_operations *ops) | ||
4066 | { | ||
4067 | if (secondary_ops != original_ops) { | ||
4068 | printk(KERN_INFO "%s: There is already a secondary security " | ||
4069 | "module registered.\n", __FUNCTION__); | ||
4070 | return -EINVAL; | ||
4071 | } | ||
4072 | |||
4073 | secondary_ops = ops; | ||
4074 | |||
4075 | printk(KERN_INFO "%s: Registering secondary module %s\n", | ||
4076 | __FUNCTION__, | ||
4077 | name); | ||
4078 | |||
4079 | return 0; | ||
4080 | } | ||
4081 | |||
4082 | static int selinux_unregister_security (const char *name, struct security_operations *ops) | ||
4083 | { | ||
4084 | if (ops != secondary_ops) { | ||
4085 | printk (KERN_INFO "%s: trying to unregister a security module " | ||
4086 | "that is not registered.\n", __FUNCTION__); | ||
4087 | return -EINVAL; | ||
4088 | } | ||
4089 | |||
4090 | secondary_ops = original_ops; | ||
4091 | |||
4092 | return 0; | ||
4093 | } | ||
4094 | |||
4095 | static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode) | ||
4096 | { | ||
4097 | if (inode) | ||
4098 | inode_doinit_with_dentry(inode, dentry); | ||
4099 | } | ||
4100 | |||
4101 | static int selinux_getprocattr(struct task_struct *p, | ||
4102 | char *name, void *value, size_t size) | ||
4103 | { | ||
4104 | struct task_security_struct *tsec; | ||
4105 | u32 sid, len; | ||
4106 | char *context; | ||
4107 | int error; | ||
4108 | |||
4109 | if (current != p) { | ||
4110 | error = task_has_perm(current, p, PROCESS__GETATTR); | ||
4111 | if (error) | ||
4112 | return error; | ||
4113 | } | ||
4114 | |||
4115 | if (!size) | ||
4116 | return -ERANGE; | ||
4117 | |||
4118 | tsec = p->security; | ||
4119 | |||
4120 | if (!strcmp(name, "current")) | ||
4121 | sid = tsec->sid; | ||
4122 | else if (!strcmp(name, "prev")) | ||
4123 | sid = tsec->osid; | ||
4124 | else if (!strcmp(name, "exec")) | ||
4125 | sid = tsec->exec_sid; | ||
4126 | else if (!strcmp(name, "fscreate")) | ||
4127 | sid = tsec->create_sid; | ||
4128 | else | ||
4129 | return -EINVAL; | ||
4130 | |||
4131 | if (!sid) | ||
4132 | return 0; | ||
4133 | |||
4134 | error = security_sid_to_context(sid, &context, &len); | ||
4135 | if (error) | ||
4136 | return error; | ||
4137 | if (len > size) { | ||
4138 | kfree(context); | ||
4139 | return -ERANGE; | ||
4140 | } | ||
4141 | memcpy(value, context, len); | ||
4142 | kfree(context); | ||
4143 | return len; | ||
4144 | } | ||
4145 | |||
4146 | static int selinux_setprocattr(struct task_struct *p, | ||
4147 | char *name, void *value, size_t size) | ||
4148 | { | ||
4149 | struct task_security_struct *tsec; | ||
4150 | u32 sid = 0; | ||
4151 | int error; | ||
4152 | char *str = value; | ||
4153 | |||
4154 | if (current != p) { | ||
4155 | /* SELinux only allows a process to change its own | ||
4156 | security attributes. */ | ||
4157 | return -EACCES; | ||
4158 | } | ||
4159 | |||
4160 | /* | ||
4161 | * Basic control over ability to set these attributes at all. | ||
4162 | * current == p, but we'll pass them separately in case the | ||
4163 | * above restriction is ever removed. | ||
4164 | */ | ||
4165 | if (!strcmp(name, "exec")) | ||
4166 | error = task_has_perm(current, p, PROCESS__SETEXEC); | ||
4167 | else if (!strcmp(name, "fscreate")) | ||
4168 | error = task_has_perm(current, p, PROCESS__SETFSCREATE); | ||
4169 | else if (!strcmp(name, "current")) | ||
4170 | error = task_has_perm(current, p, PROCESS__SETCURRENT); | ||
4171 | else | ||
4172 | error = -EINVAL; | ||
4173 | if (error) | ||
4174 | return error; | ||
4175 | |||
4176 | /* Obtain a SID for the context, if one was specified. */ | ||
4177 | if (size && str[1] && str[1] != '\n') { | ||
4178 | if (str[size-1] == '\n') { | ||
4179 | str[size-1] = 0; | ||
4180 | size--; | ||
4181 | } | ||
4182 | error = security_context_to_sid(value, size, &sid); | ||
4183 | if (error) | ||
4184 | return error; | ||
4185 | } | ||
4186 | |||
4187 | /* Permission checking based on the specified context is | ||
4188 | performed during the actual operation (execve, | ||
4189 | open/mkdir/...), when we know the full context of the | ||
4190 | operation. See selinux_bprm_set_security for the execve | ||
4191 | checks and may_create for the file creation checks. The | ||
4192 | operation will then fail if the context is not permitted. */ | ||
4193 | tsec = p->security; | ||
4194 | if (!strcmp(name, "exec")) | ||
4195 | tsec->exec_sid = sid; | ||
4196 | else if (!strcmp(name, "fscreate")) | ||
4197 | tsec->create_sid = sid; | ||
4198 | else if (!strcmp(name, "current")) { | ||
4199 | struct av_decision avd; | ||
4200 | |||
4201 | if (sid == 0) | ||
4202 | return -EINVAL; | ||
4203 | |||
4204 | /* Only allow single threaded processes to change context */ | ||
4205 | if (atomic_read(&p->mm->mm_users) != 1) { | ||
4206 | struct task_struct *g, *t; | ||
4207 | struct mm_struct *mm = p->mm; | ||
4208 | read_lock(&tasklist_lock); | ||
4209 | do_each_thread(g, t) | ||
4210 | if (t->mm == mm && t != p) { | ||
4211 | read_unlock(&tasklist_lock); | ||
4212 | return -EPERM; | ||
4213 | } | ||
4214 | while_each_thread(g, t); | ||
4215 | read_unlock(&tasklist_lock); | ||
4216 | } | ||
4217 | |||
4218 | /* Check permissions for the transition. */ | ||
4219 | error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, | ||
4220 | PROCESS__DYNTRANSITION, NULL); | ||
4221 | if (error) | ||
4222 | return error; | ||
4223 | |||
4224 | /* Check for ptracing, and update the task SID if ok. | ||
4225 | Otherwise, leave SID unchanged and fail. */ | ||
4226 | task_lock(p); | ||
4227 | if (p->ptrace & PT_PTRACED) { | ||
4228 | error = avc_has_perm_noaudit(tsec->ptrace_sid, sid, | ||
4229 | SECCLASS_PROCESS, | ||
4230 | PROCESS__PTRACE, &avd); | ||
4231 | if (!error) | ||
4232 | tsec->sid = sid; | ||
4233 | task_unlock(p); | ||
4234 | avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS, | ||
4235 | PROCESS__PTRACE, &avd, error, NULL); | ||
4236 | if (error) | ||
4237 | return error; | ||
4238 | } else { | ||
4239 | tsec->sid = sid; | ||
4240 | task_unlock(p); | ||
4241 | } | ||
4242 | } | ||
4243 | else | ||
4244 | return -EINVAL; | ||
4245 | |||
4246 | return size; | ||
4247 | } | ||
4248 | |||
4249 | static struct security_operations selinux_ops = { | ||
4250 | .ptrace = selinux_ptrace, | ||
4251 | .capget = selinux_capget, | ||
4252 | .capset_check = selinux_capset_check, | ||
4253 | .capset_set = selinux_capset_set, | ||
4254 | .sysctl = selinux_sysctl, | ||
4255 | .capable = selinux_capable, | ||
4256 | .quotactl = selinux_quotactl, | ||
4257 | .quota_on = selinux_quota_on, | ||
4258 | .syslog = selinux_syslog, | ||
4259 | .vm_enough_memory = selinux_vm_enough_memory, | ||
4260 | |||
4261 | .netlink_send = selinux_netlink_send, | ||
4262 | .netlink_recv = selinux_netlink_recv, | ||
4263 | |||
4264 | .bprm_alloc_security = selinux_bprm_alloc_security, | ||
4265 | .bprm_free_security = selinux_bprm_free_security, | ||
4266 | .bprm_apply_creds = selinux_bprm_apply_creds, | ||
4267 | .bprm_post_apply_creds = selinux_bprm_post_apply_creds, | ||
4268 | .bprm_set_security = selinux_bprm_set_security, | ||
4269 | .bprm_check_security = selinux_bprm_check_security, | ||
4270 | .bprm_secureexec = selinux_bprm_secureexec, | ||
4271 | |||
4272 | .sb_alloc_security = selinux_sb_alloc_security, | ||
4273 | .sb_free_security = selinux_sb_free_security, | ||
4274 | .sb_copy_data = selinux_sb_copy_data, | ||
4275 | .sb_kern_mount = selinux_sb_kern_mount, | ||
4276 | .sb_statfs = selinux_sb_statfs, | ||
4277 | .sb_mount = selinux_mount, | ||
4278 | .sb_umount = selinux_umount, | ||
4279 | |||
4280 | .inode_alloc_security = selinux_inode_alloc_security, | ||
4281 | .inode_free_security = selinux_inode_free_security, | ||
4282 | .inode_create = selinux_inode_create, | ||
4283 | .inode_post_create = selinux_inode_post_create, | ||
4284 | .inode_link = selinux_inode_link, | ||
4285 | .inode_post_link = selinux_inode_post_link, | ||
4286 | .inode_unlink = selinux_inode_unlink, | ||
4287 | .inode_symlink = selinux_inode_symlink, | ||
4288 | .inode_post_symlink = selinux_inode_post_symlink, | ||
4289 | .inode_mkdir = selinux_inode_mkdir, | ||
4290 | .inode_post_mkdir = selinux_inode_post_mkdir, | ||
4291 | .inode_rmdir = selinux_inode_rmdir, | ||
4292 | .inode_mknod = selinux_inode_mknod, | ||
4293 | .inode_post_mknod = selinux_inode_post_mknod, | ||
4294 | .inode_rename = selinux_inode_rename, | ||
4295 | .inode_post_rename = selinux_inode_post_rename, | ||
4296 | .inode_readlink = selinux_inode_readlink, | ||
4297 | .inode_follow_link = selinux_inode_follow_link, | ||
4298 | .inode_permission = selinux_inode_permission, | ||
4299 | .inode_setattr = selinux_inode_setattr, | ||
4300 | .inode_getattr = selinux_inode_getattr, | ||
4301 | .inode_setxattr = selinux_inode_setxattr, | ||
4302 | .inode_post_setxattr = selinux_inode_post_setxattr, | ||
4303 | .inode_getxattr = selinux_inode_getxattr, | ||
4304 | .inode_listxattr = selinux_inode_listxattr, | ||
4305 | .inode_removexattr = selinux_inode_removexattr, | ||
4306 | .inode_getsecurity = selinux_inode_getsecurity, | ||
4307 | .inode_setsecurity = selinux_inode_setsecurity, | ||
4308 | .inode_listsecurity = selinux_inode_listsecurity, | ||
4309 | |||
4310 | .file_permission = selinux_file_permission, | ||
4311 | .file_alloc_security = selinux_file_alloc_security, | ||
4312 | .file_free_security = selinux_file_free_security, | ||
4313 | .file_ioctl = selinux_file_ioctl, | ||
4314 | .file_mmap = selinux_file_mmap, | ||
4315 | .file_mprotect = selinux_file_mprotect, | ||
4316 | .file_lock = selinux_file_lock, | ||
4317 | .file_fcntl = selinux_file_fcntl, | ||
4318 | .file_set_fowner = selinux_file_set_fowner, | ||
4319 | .file_send_sigiotask = selinux_file_send_sigiotask, | ||
4320 | .file_receive = selinux_file_receive, | ||
4321 | |||
4322 | .task_create = selinux_task_create, | ||
4323 | .task_alloc_security = selinux_task_alloc_security, | ||
4324 | .task_free_security = selinux_task_free_security, | ||
4325 | .task_setuid = selinux_task_setuid, | ||
4326 | .task_post_setuid = selinux_task_post_setuid, | ||
4327 | .task_setgid = selinux_task_setgid, | ||
4328 | .task_setpgid = selinux_task_setpgid, | ||
4329 | .task_getpgid = selinux_task_getpgid, | ||
4330 | .task_getsid = selinux_task_getsid, | ||
4331 | .task_setgroups = selinux_task_setgroups, | ||
4332 | .task_setnice = selinux_task_setnice, | ||
4333 | .task_setrlimit = selinux_task_setrlimit, | ||
4334 | .task_setscheduler = selinux_task_setscheduler, | ||
4335 | .task_getscheduler = selinux_task_getscheduler, | ||
4336 | .task_kill = selinux_task_kill, | ||
4337 | .task_wait = selinux_task_wait, | ||
4338 | .task_prctl = selinux_task_prctl, | ||
4339 | .task_reparent_to_init = selinux_task_reparent_to_init, | ||
4340 | .task_to_inode = selinux_task_to_inode, | ||
4341 | |||
4342 | .ipc_permission = selinux_ipc_permission, | ||
4343 | |||
4344 | .msg_msg_alloc_security = selinux_msg_msg_alloc_security, | ||
4345 | .msg_msg_free_security = selinux_msg_msg_free_security, | ||
4346 | |||
4347 | .msg_queue_alloc_security = selinux_msg_queue_alloc_security, | ||
4348 | .msg_queue_free_security = selinux_msg_queue_free_security, | ||
4349 | .msg_queue_associate = selinux_msg_queue_associate, | ||
4350 | .msg_queue_msgctl = selinux_msg_queue_msgctl, | ||
4351 | .msg_queue_msgsnd = selinux_msg_queue_msgsnd, | ||
4352 | .msg_queue_msgrcv = selinux_msg_queue_msgrcv, | ||
4353 | |||
4354 | .shm_alloc_security = selinux_shm_alloc_security, | ||
4355 | .shm_free_security = selinux_shm_free_security, | ||
4356 | .shm_associate = selinux_shm_associate, | ||
4357 | .shm_shmctl = selinux_shm_shmctl, | ||
4358 | .shm_shmat = selinux_shm_shmat, | ||
4359 | |||
4360 | .sem_alloc_security = selinux_sem_alloc_security, | ||
4361 | .sem_free_security = selinux_sem_free_security, | ||
4362 | .sem_associate = selinux_sem_associate, | ||
4363 | .sem_semctl = selinux_sem_semctl, | ||
4364 | .sem_semop = selinux_sem_semop, | ||
4365 | |||
4366 | .register_security = selinux_register_security, | ||
4367 | .unregister_security = selinux_unregister_security, | ||
4368 | |||
4369 | .d_instantiate = selinux_d_instantiate, | ||
4370 | |||
4371 | .getprocattr = selinux_getprocattr, | ||
4372 | .setprocattr = selinux_setprocattr, | ||
4373 | |||
4374 | #ifdef CONFIG_SECURITY_NETWORK | ||
4375 | .unix_stream_connect = selinux_socket_unix_stream_connect, | ||
4376 | .unix_may_send = selinux_socket_unix_may_send, | ||
4377 | |||
4378 | .socket_create = selinux_socket_create, | ||
4379 | .socket_post_create = selinux_socket_post_create, | ||
4380 | .socket_bind = selinux_socket_bind, | ||
4381 | .socket_connect = selinux_socket_connect, | ||
4382 | .socket_listen = selinux_socket_listen, | ||
4383 | .socket_accept = selinux_socket_accept, | ||
4384 | .socket_sendmsg = selinux_socket_sendmsg, | ||
4385 | .socket_recvmsg = selinux_socket_recvmsg, | ||
4386 | .socket_getsockname = selinux_socket_getsockname, | ||
4387 | .socket_getpeername = selinux_socket_getpeername, | ||
4388 | .socket_getsockopt = selinux_socket_getsockopt, | ||
4389 | .socket_setsockopt = selinux_socket_setsockopt, | ||
4390 | .socket_shutdown = selinux_socket_shutdown, | ||
4391 | .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb, | ||
4392 | .socket_getpeersec = selinux_socket_getpeersec, | ||
4393 | .sk_alloc_security = selinux_sk_alloc_security, | ||
4394 | .sk_free_security = selinux_sk_free_security, | ||
4395 | #endif | ||
4396 | }; | ||
4397 | |||
4398 | static __init int selinux_init(void) | ||
4399 | { | ||
4400 | struct task_security_struct *tsec; | ||
4401 | |||
4402 | if (!selinux_enabled) { | ||
4403 | printk(KERN_INFO "SELinux: Disabled at boot.\n"); | ||
4404 | return 0; | ||
4405 | } | ||
4406 | |||
4407 | printk(KERN_INFO "SELinux: Initializing.\n"); | ||
4408 | |||
4409 | /* Set the security state for the initial task. */ | ||
4410 | if (task_alloc_security(current)) | ||
4411 | panic("SELinux: Failed to initialize initial task.\n"); | ||
4412 | tsec = current->security; | ||
4413 | tsec->osid = tsec->sid = SECINITSID_KERNEL; | ||
4414 | |||
4415 | avc_init(); | ||
4416 | |||
4417 | original_ops = secondary_ops = security_ops; | ||
4418 | if (!secondary_ops) | ||
4419 | panic ("SELinux: No initial security operations\n"); | ||
4420 | if (register_security (&selinux_ops)) | ||
4421 | panic("SELinux: Unable to register with kernel.\n"); | ||
4422 | |||
4423 | if (selinux_enforcing) { | ||
4424 | printk(KERN_INFO "SELinux: Starting in enforcing mode\n"); | ||
4425 | } else { | ||
4426 | printk(KERN_INFO "SELinux: Starting in permissive mode\n"); | ||
4427 | } | ||
4428 | return 0; | ||
4429 | } | ||
4430 | |||
4431 | void selinux_complete_init(void) | ||
4432 | { | ||
4433 | printk(KERN_INFO "SELinux: Completing initialization.\n"); | ||
4434 | |||
4435 | /* Set up any superblocks initialized prior to the policy load. */ | ||
4436 | printk(KERN_INFO "SELinux: Setting up existing superblocks.\n"); | ||
4437 | spin_lock(&sb_security_lock); | ||
4438 | next_sb: | ||
4439 | if (!list_empty(&superblock_security_head)) { | ||
4440 | struct superblock_security_struct *sbsec = | ||
4441 | list_entry(superblock_security_head.next, | ||
4442 | struct superblock_security_struct, | ||
4443 | list); | ||
4444 | struct super_block *sb = sbsec->sb; | ||
4445 | spin_lock(&sb_lock); | ||
4446 | sb->s_count++; | ||
4447 | spin_unlock(&sb_lock); | ||
4448 | spin_unlock(&sb_security_lock); | ||
4449 | down_read(&sb->s_umount); | ||
4450 | if (sb->s_root) | ||
4451 | superblock_doinit(sb, NULL); | ||
4452 | drop_super(sb); | ||
4453 | spin_lock(&sb_security_lock); | ||
4454 | list_del_init(&sbsec->list); | ||
4455 | goto next_sb; | ||
4456 | } | ||
4457 | spin_unlock(&sb_security_lock); | ||
4458 | } | ||
4459 | |||
4460 | /* SELinux requires early initialization in order to label | ||
4461 | all processes and objects when they are created. */ | ||
4462 | security_initcall(selinux_init); | ||
4463 | |||
4464 | #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER) | ||
4465 | |||
4466 | static struct nf_hook_ops selinux_ipv4_op = { | ||
4467 | .hook = selinux_ipv4_postroute_last, | ||
4468 | .owner = THIS_MODULE, | ||
4469 | .pf = PF_INET, | ||
4470 | .hooknum = NF_IP_POST_ROUTING, | ||
4471 | .priority = NF_IP_PRI_SELINUX_LAST, | ||
4472 | }; | ||
4473 | |||
4474 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | ||
4475 | |||
4476 | static struct nf_hook_ops selinux_ipv6_op = { | ||
4477 | .hook = selinux_ipv6_postroute_last, | ||
4478 | .owner = THIS_MODULE, | ||
4479 | .pf = PF_INET6, | ||
4480 | .hooknum = NF_IP6_POST_ROUTING, | ||
4481 | .priority = NF_IP6_PRI_SELINUX_LAST, | ||
4482 | }; | ||
4483 | |||
4484 | #endif /* IPV6 */ | ||
4485 | |||
4486 | static int __init selinux_nf_ip_init(void) | ||
4487 | { | ||
4488 | int err = 0; | ||
4489 | |||
4490 | if (!selinux_enabled) | ||
4491 | goto out; | ||
4492 | |||
4493 | printk(KERN_INFO "SELinux: Registering netfilter hooks\n"); | ||
4494 | |||
4495 | err = nf_register_hook(&selinux_ipv4_op); | ||
4496 | if (err) | ||
4497 | panic("SELinux: nf_register_hook for IPv4: error %d\n", err); | ||
4498 | |||
4499 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | ||
4500 | |||
4501 | err = nf_register_hook(&selinux_ipv6_op); | ||
4502 | if (err) | ||
4503 | panic("SELinux: nf_register_hook for IPv6: error %d\n", err); | ||
4504 | |||
4505 | #endif /* IPV6 */ | ||
4506 | out: | ||
4507 | return err; | ||
4508 | } | ||
4509 | |||
4510 | __initcall(selinux_nf_ip_init); | ||
4511 | |||
4512 | #ifdef CONFIG_SECURITY_SELINUX_DISABLE | ||
4513 | static void selinux_nf_ip_exit(void) | ||
4514 | { | ||
4515 | printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n"); | ||
4516 | |||
4517 | nf_unregister_hook(&selinux_ipv4_op); | ||
4518 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | ||
4519 | nf_unregister_hook(&selinux_ipv6_op); | ||
4520 | #endif /* IPV6 */ | ||
4521 | } | ||
4522 | #endif | ||
4523 | |||
4524 | #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */ | ||
4525 | |||
4526 | #ifdef CONFIG_SECURITY_SELINUX_DISABLE | ||
4527 | #define selinux_nf_ip_exit() | ||
4528 | #endif | ||
4529 | |||
4530 | #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */ | ||
4531 | |||
4532 | #ifdef CONFIG_SECURITY_SELINUX_DISABLE | ||
4533 | int selinux_disable(void) | ||
4534 | { | ||
4535 | extern void exit_sel_fs(void); | ||
4536 | static int selinux_disabled = 0; | ||
4537 | |||
4538 | if (ss_initialized) { | ||
4539 | /* Not permitted after initial policy load. */ | ||
4540 | return -EINVAL; | ||
4541 | } | ||
4542 | |||
4543 | if (selinux_disabled) { | ||
4544 | /* Only do this once. */ | ||
4545 | return -EINVAL; | ||
4546 | } | ||
4547 | |||
4548 | printk(KERN_INFO "SELinux: Disabled at runtime.\n"); | ||
4549 | |||
4550 | selinux_disabled = 1; | ||
4551 | |||
4552 | /* Reset security_ops to the secondary module, dummy or capability. */ | ||
4553 | security_ops = secondary_ops; | ||
4554 | |||
4555 | /* Unregister netfilter hooks. */ | ||
4556 | selinux_nf_ip_exit(); | ||
4557 | |||
4558 | /* Unregister selinuxfs. */ | ||
4559 | exit_sel_fs(); | ||
4560 | |||
4561 | return 0; | ||
4562 | } | ||
4563 | #endif | ||
4564 | |||
4565 | |||