Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / kernel / msm / 7cae7e26f245151b9ccad868bf2edf8c8048d307 / . / security / selinux / hooks.c
blob: ccaf988f37292876fa9bbef366ed7d36cf508c48 [file] [log] [blame]
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2,
18 * as published by the Free Software Foundation.
19 */
20
21#include <linux/config.h>
22#include <linux/module.h>
23#include <linux/init.h>
24#include <linux/kernel.h>
25#include <linux/ptrace.h>
26#include <linux/errno.h>
27#include <linux/sched.h>
28#include <linux/security.h>
29#include <linux/xattr.h>
30#include <linux/capability.h>
31#include <linux/unistd.h>
32#include <linux/mm.h>
33#include <linux/mman.h>
34#include <linux/slab.h>
35#include <linux/pagemap.h>
36#include <linux/swap.h>
37#include <linux/smp_lock.h>
38#include <linux/spinlock.h>
39#include <linux/syscalls.h>
40#include <linux/file.h>
41#include <linux/namei.h>
42#include <linux/mount.h>
43#include <linux/ext2_fs.h>
44#include <linux/proc_fs.h>
45#include <linux/kd.h>
46#include <linux/netfilter_ipv4.h>
47#include <linux/netfilter_ipv6.h>
48#include <linux/tty.h>
49#include <net/icmp.h>
50#include <net/ip.h> /* for sysctl_local_port_range[] */
51#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
52#include <asm/uaccess.h>
53#include <asm/semaphore.h>
54#include <asm/ioctls.h>
55#include <linux/bitops.h>
56#include <linux/interrupt.h>
57#include <linux/netdevice.h> /* for network interface checks */
58#include <linux/netlink.h>
59#include <linux/tcp.h>
60#include <linux/udp.h>
61#include <linux/quota.h>
62#include <linux/un.h> /* for Unix socket types */
63#include <net/af_unix.h> /* for Unix socket types */
64#include <linux/parser.h>
65#include <linux/nfs_mount.h>
66#include <net/ipv6.h>
67#include <linux/hugetlb.h>
68#include <linux/personality.h>
69#include <linux/sysctl.h>
70#include <linux/audit.h>
Eric Paris6931dfc2005-06-30 02:58:51 -0700[diff] [blame]71#include <linux/string.h>
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]72
73#include "avc.h"
74#include "objsec.h"
75#include "netif.h"
Trent Jaegerd28d1e02005-12-13 23:12:40 -0800[diff] [blame]76#include "xfrm.h"
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]77
78#define XATTR_SELINUX_SUFFIX "selinux"
79#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81extern unsigned int policydb_loaded_version;
82extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83
84#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
85int selinux_enforcing = 0;
86
87static int __init enforcing_setup(char *str)
88{
89 selinux_enforcing = simple_strtol(str,NULL,0);
90 return 1;
91}
92__setup("enforcing=", enforcing_setup);
93#endif
94
95#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
96int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
97
98static int __init selinux_enabled_setup(char *str)
99{
100 selinux_enabled = simple_strtol(str, NULL, 0);
101 return 1;
102}
103__setup("selinux=", selinux_enabled_setup);
104#endif
105
106/* Original (dummy) security module. */
107static struct security_operations *original_ops = NULL;
108
109/* Minimal support for a secondary security module,
110 just to allow the use of the dummy or capability modules.
111 The owlsm module can alternatively be used as a secondary
112 module as long as CONFIG_OWLSM_FD is not enabled. */
113static struct security_operations *secondary_ops = NULL;
114
115/* Lists of inode and superblock security structures initialized
116 before the policy was loaded. */
117static LIST_HEAD(superblock_security_head);
118static DEFINE_SPINLOCK(sb_security_lock);
119
James Morris7cae7e22006-03-22 00:09:22 -0800[diff] [blame^]120static kmem_cache_t *sel_inode_cache;
121
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]122/* Allocate and free functions for each kind of security blob. */
123
124static int task_alloc_security(struct task_struct *task)
125{
126 struct task_security_struct *tsec;
127
James Morris89d155e2005-10-30 14:59:21 -0800[diff] [blame]128 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]129 if (!tsec)
130 return -ENOMEM;
131
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]132 tsec->task = task;
133 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
134 task->security = tsec;
135
136 return 0;
137}
138
139static void task_free_security(struct task_struct *task)
140{
141 struct task_security_struct *tsec = task->security;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]142 task->security = NULL;
143 kfree(tsec);
144}
145
146static int inode_alloc_security(struct inode *inode)
147{
148 struct task_security_struct *tsec = current->security;
149 struct inode_security_struct *isec;
150
James Morris7cae7e22006-03-22 00:09:22 -0800[diff] [blame^]151 isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]152 if (!isec)
153 return -ENOMEM;
154
James Morris7cae7e22006-03-22 00:09:22 -0800[diff] [blame^]155 memset(isec, 0, sizeof(*isec));
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]156 init_MUTEX(&isec->sem);
157 INIT_LIST_HEAD(&isec->list);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]158 isec->inode = inode;
159 isec->sid = SECINITSID_UNLABELED;
160 isec->sclass = SECCLASS_FILE;
Stephen Smalley9ac49d22006-02-01 03:05:56 -0800[diff] [blame]161 isec->task_sid = tsec->sid;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]162 inode->i_security = isec;
163
164 return 0;
165}
166
167static void inode_free_security(struct inode *inode)
168{
169 struct inode_security_struct *isec = inode->i_security;
170 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
171
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]172 spin_lock(&sbsec->isec_lock);
173 if (!list_empty(&isec->list))
174 list_del_init(&isec->list);
175 spin_unlock(&sbsec->isec_lock);
176
177 inode->i_security = NULL;
James Morris7cae7e22006-03-22 00:09:22 -0800[diff] [blame^]178 kmem_cache_free(sel_inode_cache, isec);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]179}
180
181static int file_alloc_security(struct file *file)
182{
183 struct task_security_struct *tsec = current->security;
184 struct file_security_struct *fsec;
185
Stephen Smalley26d2a4b2006-02-01 03:05:55 -0800[diff] [blame]186 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]187 if (!fsec)
188 return -ENOMEM;
189
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]190 fsec->file = file;
Stephen Smalley9ac49d22006-02-01 03:05:56 -0800[diff] [blame]191 fsec->sid = tsec->sid;
192 fsec->fown_sid = tsec->sid;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]193 file->f_security = fsec;
194
195 return 0;
196}
197
198static void file_free_security(struct file *file)
199{
200 struct file_security_struct *fsec = file->f_security;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]201 file->f_security = NULL;
202 kfree(fsec);
203}
204
205static int superblock_alloc_security(struct super_block *sb)
206{
207 struct superblock_security_struct *sbsec;
208
James Morris89d155e2005-10-30 14:59:21 -0800[diff] [blame]209 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]210 if (!sbsec)
211 return -ENOMEM;
212
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]213 init_MUTEX(&sbsec->sem);
214 INIT_LIST_HEAD(&sbsec->list);
215 INIT_LIST_HEAD(&sbsec->isec_head);
216 spin_lock_init(&sbsec->isec_lock);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]217 sbsec->sb = sb;
218 sbsec->sid = SECINITSID_UNLABELED;
219 sbsec->def_sid = SECINITSID_FILE;
220 sb->s_security = sbsec;
221
222 return 0;
223}
224
225static void superblock_free_security(struct super_block *sb)
226{
227 struct superblock_security_struct *sbsec = sb->s_security;
228
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]229 spin_lock(&sb_security_lock);
230 if (!list_empty(&sbsec->list))
231 list_del_init(&sbsec->list);
232 spin_unlock(&sb_security_lock);
233
234 sb->s_security = NULL;
235 kfree(sbsec);
236}
237
Al Viro7d877f32005-10-21 03:20:43 -0400[diff] [blame]238static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]239{
240 struct sk_security_struct *ssec;
241
242 if (family != PF_UNIX)
243 return 0;
244
James Morris89d155e2005-10-30 14:59:21 -0800[diff] [blame]245 ssec = kzalloc(sizeof(*ssec), priority);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]246 if (!ssec)
247 return -ENOMEM;
248
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]249 ssec->sk = sk;
250 ssec->peer_sid = SECINITSID_UNLABELED;
251 sk->sk_security = ssec;
252
253 return 0;
254}
255
256static void sk_free_security(struct sock *sk)
257{
258 struct sk_security_struct *ssec = sk->sk_security;
259
Stephen Smalley9ac49d22006-02-01 03:05:56 -0800[diff] [blame]260 if (sk->sk_family != PF_UNIX)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]261 return;
262
263 sk->sk_security = NULL;
264 kfree(ssec);
265}
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]266
267/* The security server must be initialized before
268 any labeling or access decisions can be provided. */
269extern int ss_initialized;
270
271/* The file system's label must be initialized prior to use. */
272
273static char *labeling_behaviors[6] = {
274 "uses xattr",
275 "uses transition SIDs",
276 "uses task SIDs",
277 "uses genfs_contexts",
278 "not configured for labeling",
279 "uses mountpoint labeling",
280};
281
282static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
283
284static inline int inode_doinit(struct inode *inode)
285{
286 return inode_doinit_with_dentry(inode, NULL);
287}
288
289enum {
290 Opt_context = 1,
291 Opt_fscontext = 2,
292 Opt_defcontext = 4,
293};
294
295static match_table_t tokens = {
296 {Opt_context, "context=%s"},
297 {Opt_fscontext, "fscontext=%s"},
298 {Opt_defcontext, "defcontext=%s"},
299};
300
301#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
302
303static int try_context_mount(struct super_block *sb, void *data)
304{
305 char *context = NULL, *defcontext = NULL;
306 const char *name;
307 u32 sid;
308 int alloc = 0, rc = 0, seen = 0;
309 struct task_security_struct *tsec = current->security;
310 struct superblock_security_struct *sbsec = sb->s_security;
311
312 if (!data)
313 goto out;
314
315 name = sb->s_type->name;
316
317 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
318
319 /* NFS we understand. */
320 if (!strcmp(name, "nfs")) {
321 struct nfs_mount_data *d = data;
322
323 if (d->version < NFS_MOUNT_VERSION)
324 goto out;
325
326 if (d->context[0]) {
327 context = d->context;
328 seen |= Opt_context;
329 }
330 } else
331 goto out;
332
333 } else {
334 /* Standard string-based options. */
335 char *p, *options = data;
336
337 while ((p = strsep(&options, ",")) != NULL) {
338 int token;
339 substring_t args[MAX_OPT_ARGS];
340
341 if (!*p)
342 continue;
343
344 token = match_token(p, tokens, args);
345
346 switch (token) {
347 case Opt_context:
348 if (seen) {
349 rc = -EINVAL;
350 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
351 goto out_free;
352 }
353 context = match_strdup(&args[0]);
354 if (!context) {
355 rc = -ENOMEM;
356 goto out_free;
357 }
358 if (!alloc)
359 alloc = 1;
360 seen |= Opt_context;
361 break;
362
363 case Opt_fscontext:
364 if (seen & (Opt_context|Opt_fscontext)) {
365 rc = -EINVAL;
366 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
367 goto out_free;
368 }
369 context = match_strdup(&args[0]);
370 if (!context) {
371 rc = -ENOMEM;
372 goto out_free;
373 }
374 if (!alloc)
375 alloc = 1;
376 seen |= Opt_fscontext;
377 break;
378
379 case Opt_defcontext:
380 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
381 rc = -EINVAL;
382 printk(KERN_WARNING "SELinux: "
383 "defcontext option is invalid "
384 "for this filesystem type\n");
385 goto out_free;
386 }
387 if (seen & (Opt_context|Opt_defcontext)) {
388 rc = -EINVAL;
389 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
390 goto out_free;
391 }
392 defcontext = match_strdup(&args[0]);
393 if (!defcontext) {
394 rc = -ENOMEM;
395 goto out_free;
396 }
397 if (!alloc)
398 alloc = 1;
399 seen |= Opt_defcontext;
400 break;
401
402 default:
403 rc = -EINVAL;
404 printk(KERN_WARNING "SELinux: unknown mount "
405 "option\n");
406 goto out_free;
407
408 }
409 }
410 }
411
412 if (!seen)
413 goto out;
414
415 if (context) {
416 rc = security_context_to_sid(context, strlen(context), &sid);
417 if (rc) {
418 printk(KERN_WARNING "SELinux: security_context_to_sid"
419 "(%s) failed for (dev %s, type %s) errno=%d\n",
420 context, sb->s_id, name, rc);
421 goto out_free;
422 }
423
424 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
425 FILESYSTEM__RELABELFROM, NULL);
426 if (rc)
427 goto out_free;
428
429 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
430 FILESYSTEM__RELABELTO, NULL);
431 if (rc)
432 goto out_free;
433
434 sbsec->sid = sid;
435
436 if (seen & Opt_context)
437 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
438 }
439
440 if (defcontext) {
441 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
442 if (rc) {
443 printk(KERN_WARNING "SELinux: security_context_to_sid"
444 "(%s) failed for (dev %s, type %s) errno=%d\n",
445 defcontext, sb->s_id, name, rc);
446 goto out_free;
447 }
448
449 if (sid == sbsec->def_sid)
450 goto out_free;
451
452 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
453 FILESYSTEM__RELABELFROM, NULL);
454 if (rc)
455 goto out_free;
456
457 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
458 FILESYSTEM__ASSOCIATE, NULL);
459 if (rc)
460 goto out_free;
461
462 sbsec->def_sid = sid;
463 }
464
465out_free:
466 if (alloc) {
467 kfree(context);
468 kfree(defcontext);
469 }
470out:
471 return rc;
472}
473
474static int superblock_doinit(struct super_block *sb, void *data)
475{
476 struct superblock_security_struct *sbsec = sb->s_security;
477 struct dentry *root = sb->s_root;
478 struct inode *inode = root->d_inode;
479 int rc = 0;
480
481 down(&sbsec->sem);
482 if (sbsec->initialized)
483 goto out;
484
485 if (!ss_initialized) {
486 /* Defer initialization until selinux_complete_init,
487 after the initial policy is loaded and the security
488 server is ready to handle calls. */
489 spin_lock(&sb_security_lock);
490 if (list_empty(&sbsec->list))
491 list_add(&sbsec->list, &superblock_security_head);
492 spin_unlock(&sb_security_lock);
493 goto out;
494 }
495
496 /* Determine the labeling behavior to use for this filesystem type. */
497 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
498 if (rc) {
499 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
500 __FUNCTION__, sb->s_type->name, rc);
501 goto out;
502 }
503
504 rc = try_context_mount(sb, data);
505 if (rc)
506 goto out;
507
508 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
509 /* Make sure that the xattr handler exists and that no
510 error other than -ENODATA is returned by getxattr on
511 the root directory. -ENODATA is ok, as this may be
512 the first boot of the SELinux kernel before we have
513 assigned xattr values to the filesystem. */
514 if (!inode->i_op->getxattr) {
515 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
516 "xattr support\n", sb->s_id, sb->s_type->name);
517 rc = -EOPNOTSUPP;
518 goto out;
519 }
520 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
521 if (rc < 0 && rc != -ENODATA) {
522 if (rc == -EOPNOTSUPP)
523 printk(KERN_WARNING "SELinux: (dev %s, type "
524 "%s) has no security xattr handler\n",
525 sb->s_id, sb->s_type->name);
526 else
527 printk(KERN_WARNING "SELinux: (dev %s, type "
528 "%s) getxattr errno %d\n", sb->s_id,
529 sb->s_type->name, -rc);
530 goto out;
531 }
532 }
533
534 if (strcmp(sb->s_type->name, "proc") == 0)
535 sbsec->proc = 1;
536
537 sbsec->initialized = 1;
538
539 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
540 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
541 sb->s_id, sb->s_type->name);
542 }
543 else {
544 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
545 sb->s_id, sb->s_type->name,
546 labeling_behaviors[sbsec->behavior-1]);
547 }
548
549 /* Initialize the root inode. */
550 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
551
552 /* Initialize any other inodes associated with the superblock, e.g.
553 inodes created prior to initial policy load or inodes created
554 during get_sb by a pseudo filesystem that directly
555 populates itself. */
556 spin_lock(&sbsec->isec_lock);
557next_inode:
558 if (!list_empty(&sbsec->isec_head)) {
559 struct inode_security_struct *isec =
560 list_entry(sbsec->isec_head.next,
561 struct inode_security_struct, list);
562 struct inode *inode = isec->inode;
563 spin_unlock(&sbsec->isec_lock);
564 inode = igrab(inode);
565 if (inode) {
566 if (!IS_PRIVATE (inode))
567 inode_doinit(inode);
568 iput(inode);
569 }
570 spin_lock(&sbsec->isec_lock);
571 list_del_init(&isec->list);
572 goto next_inode;
573 }
574 spin_unlock(&sbsec->isec_lock);
575out:
576 up(&sbsec->sem);
577 return rc;
578}
579
580static inline u16 inode_mode_to_security_class(umode_t mode)
581{
582 switch (mode & S_IFMT) {
583 case S_IFSOCK:
584 return SECCLASS_SOCK_FILE;
585 case S_IFLNK:
586 return SECCLASS_LNK_FILE;
587 case S_IFREG:
588 return SECCLASS_FILE;
589 case S_IFBLK:
590 return SECCLASS_BLK_FILE;
591 case S_IFDIR:
592 return SECCLASS_DIR;
593 case S_IFCHR:
594 return SECCLASS_CHR_FILE;
595 case S_IFIFO:
596 return SECCLASS_FIFO_FILE;
597
598 }
599
600 return SECCLASS_FILE;
601}
602
James Morris13402582005-09-30 14:24:34 -0400[diff] [blame]603static inline int default_protocol_stream(int protocol)
604{
605 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
606}
607
608static inline int default_protocol_dgram(int protocol)
609{
610 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
611}
612
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]613static inline u16 socket_type_to_security_class(int family, int type, int protocol)
614{
615 switch (family) {
616 case PF_UNIX:
617 switch (type) {
618 case SOCK_STREAM:
619 case SOCK_SEQPACKET:
620 return SECCLASS_UNIX_STREAM_SOCKET;
621 case SOCK_DGRAM:
622 return SECCLASS_UNIX_DGRAM_SOCKET;
623 }
624 break;
625 case PF_INET:
626 case PF_INET6:
627 switch (type) {
628 case SOCK_STREAM:
James Morris13402582005-09-30 14:24:34 -0400[diff] [blame]629 if (default_protocol_stream(protocol))
630 return SECCLASS_TCP_SOCKET;
631 else
632 return SECCLASS_RAWIP_SOCKET;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]633 case SOCK_DGRAM:
James Morris13402582005-09-30 14:24:34 -0400[diff] [blame]634 if (default_protocol_dgram(protocol))
635 return SECCLASS_UDP_SOCKET;
636 else
637 return SECCLASS_RAWIP_SOCKET;
638 default:
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]639 return SECCLASS_RAWIP_SOCKET;
640 }
641 break;
642 case PF_NETLINK:
643 switch (protocol) {
644 case NETLINK_ROUTE:
645 return SECCLASS_NETLINK_ROUTE_SOCKET;
646 case NETLINK_FIREWALL:
647 return SECCLASS_NETLINK_FIREWALL_SOCKET;
James Morris216efaa2005-08-15 20:34:48 -0700[diff] [blame]648 case NETLINK_INET_DIAG:
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]649 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
650 case NETLINK_NFLOG:
651 return SECCLASS_NETLINK_NFLOG_SOCKET;
652 case NETLINK_XFRM:
653 return SECCLASS_NETLINK_XFRM_SOCKET;
654 case NETLINK_SELINUX:
655 return SECCLASS_NETLINK_SELINUX_SOCKET;
656 case NETLINK_AUDIT:
657 return SECCLASS_NETLINK_AUDIT_SOCKET;
658 case NETLINK_IP6_FW:
659 return SECCLASS_NETLINK_IP6FW_SOCKET;
660 case NETLINK_DNRTMSG:
661 return SECCLASS_NETLINK_DNRT_SOCKET;
James Morris0c9b7942005-04-16 15:24:13 -0700[diff] [blame]662 case NETLINK_KOBJECT_UEVENT:
663 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]664 default:
665 return SECCLASS_NETLINK_SOCKET;
666 }
667 case PF_PACKET:
668 return SECCLASS_PACKET_SOCKET;
669 case PF_KEY:
670 return SECCLASS_KEY_SOCKET;
671 }
672
673 return SECCLASS_SOCKET;
674}
675
676#ifdef CONFIG_PROC_FS
677static int selinux_proc_get_sid(struct proc_dir_entry *de,
678 u16 tclass,
679 u32 *sid)
680{
681 int buflen, rc;
682 char *buffer, *path, *end;
683
684 buffer = (char*)__get_free_page(GFP_KERNEL);
685 if (!buffer)
686 return -ENOMEM;
687
688 buflen = PAGE_SIZE;
689 end = buffer+buflen;
690 *--end = '\0';
691 buflen--;
692 path = end-1;
693 *path = '/';
694 while (de && de != de->parent) {
695 buflen -= de->namelen + 1;
696 if (buflen < 0)
697 break;
698 end -= de->namelen;
699 memcpy(end, de->name, de->namelen);
700 *--end = '/';
701 path = end;
702 de = de->parent;
703 }
704 rc = security_genfs_sid("proc", path, tclass, sid);
705 free_page((unsigned long)buffer);
706 return rc;
707}
708#else
709static int selinux_proc_get_sid(struct proc_dir_entry *de,
710 u16 tclass,
711 u32 *sid)
712{
713 return -EINVAL;
714}
715#endif
716
717/* The inode's security attributes must be initialized before first use. */
718static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
719{
720 struct superblock_security_struct *sbsec = NULL;
721 struct inode_security_struct *isec = inode->i_security;
722 u32 sid;
723 struct dentry *dentry;
724#define INITCONTEXTLEN 255
725 char *context = NULL;
726 unsigned len = 0;
727 int rc = 0;
728 int hold_sem = 0;
729
730 if (isec->initialized)
731 goto out;
732
733 down(&isec->sem);
734 hold_sem = 1;
735 if (isec->initialized)
736 goto out;
737
738 sbsec = inode->i_sb->s_security;
739 if (!sbsec->initialized) {
740 /* Defer initialization until selinux_complete_init,
741 after the initial policy is loaded and the security
742 server is ready to handle calls. */
743 spin_lock(&sbsec->isec_lock);
744 if (list_empty(&isec->list))
745 list_add(&isec->list, &sbsec->isec_head);
746 spin_unlock(&sbsec->isec_lock);
747 goto out;
748 }
749
750 switch (sbsec->behavior) {
751 case SECURITY_FS_USE_XATTR:
752 if (!inode->i_op->getxattr) {
753 isec->sid = sbsec->def_sid;
754 break;
755 }
756
757 /* Need a dentry, since the xattr API requires one.
758 Life would be simpler if we could just pass the inode. */
759 if (opt_dentry) {
760 /* Called from d_instantiate or d_splice_alias. */
761 dentry = dget(opt_dentry);
762 } else {
763 /* Called from selinux_complete_init, try to find a dentry. */
764 dentry = d_find_alias(inode);
765 }
766 if (!dentry) {
767 printk(KERN_WARNING "%s: no dentry for dev=%s "
768 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
769 inode->i_ino);
770 goto out;
771 }
772
773 len = INITCONTEXTLEN;
774 context = kmalloc(len, GFP_KERNEL);
775 if (!context) {
776 rc = -ENOMEM;
777 dput(dentry);
778 goto out;
779 }
780 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
781 context, len);
782 if (rc == -ERANGE) {
783 /* Need a larger buffer. Query for the right size. */
784 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
785 NULL, 0);
786 if (rc < 0) {
787 dput(dentry);
788 goto out;
789 }
790 kfree(context);
791 len = rc;
792 context = kmalloc(len, GFP_KERNEL);
793 if (!context) {
794 rc = -ENOMEM;
795 dput(dentry);
796 goto out;
797 }
798 rc = inode->i_op->getxattr(dentry,
799 XATTR_NAME_SELINUX,
800 context, len);
801 }
802 dput(dentry);
803 if (rc < 0) {
804 if (rc != -ENODATA) {
805 printk(KERN_WARNING "%s: getxattr returned "
806 "%d for dev=%s ino=%ld\n", __FUNCTION__,
807 -rc, inode->i_sb->s_id, inode->i_ino);
808 kfree(context);
809 goto out;
810 }
811 /* Map ENODATA to the default file SID */
812 sid = sbsec->def_sid;
813 rc = 0;
814 } else {
James Morrisf5c1d5b2005-07-28 01:07:37 -0700[diff] [blame]815 rc = security_context_to_sid_default(context, rc, &sid,
816 sbsec->def_sid);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]817 if (rc) {
818 printk(KERN_WARNING "%s: context_to_sid(%s) "
819 "returned %d for dev=%s ino=%ld\n",
820 __FUNCTION__, context, -rc,
821 inode->i_sb->s_id, inode->i_ino);
822 kfree(context);
823 /* Leave with the unlabeled SID */
824 rc = 0;
825 break;
826 }
827 }
828 kfree(context);
829 isec->sid = sid;
830 break;
831 case SECURITY_FS_USE_TASK:
832 isec->sid = isec->task_sid;
833 break;
834 case SECURITY_FS_USE_TRANS:
835 /* Default to the fs SID. */
836 isec->sid = sbsec->sid;
837
838 /* Try to obtain a transition SID. */
839 isec->sclass = inode_mode_to_security_class(inode->i_mode);
840 rc = security_transition_sid(isec->task_sid,
841 sbsec->sid,
842 isec->sclass,
843 &sid);
844 if (rc)
845 goto out;
846 isec->sid = sid;
847 break;
848 default:
849 /* Default to the fs SID. */
850 isec->sid = sbsec->sid;
851
852 if (sbsec->proc) {
853 struct proc_inode *proci = PROC_I(inode);
854 if (proci->pde) {
855 isec->sclass = inode_mode_to_security_class(inode->i_mode);
856 rc = selinux_proc_get_sid(proci->pde,
857 isec->sclass,
858 &sid);
859 if (rc)
860 goto out;
861 isec->sid = sid;
862 }
863 }
864 break;
865 }
866
867 isec->initialized = 1;
868
869out:
870 if (isec->sclass == SECCLASS_FILE)
871 isec->sclass = inode_mode_to_security_class(inode->i_mode);
872
873 if (hold_sem)
874 up(&isec->sem);
875 return rc;
876}
877
878/* Convert a Linux signal to an access vector. */
879static inline u32 signal_to_av(int sig)
880{
881 u32 perm = 0;
882
883 switch (sig) {
884 case SIGCHLD:
885 /* Commonly granted from child to parent. */
886 perm = PROCESS__SIGCHLD;
887 break;
888 case SIGKILL:
889 /* Cannot be caught or ignored */
890 perm = PROCESS__SIGKILL;
891 break;
892 case SIGSTOP:
893 /* Cannot be caught or ignored */
894 perm = PROCESS__SIGSTOP;
895 break;
896 default:
897 /* All other signals. */
898 perm = PROCESS__SIGNAL;
899 break;
900 }
901
902 return perm;
903}
904
905/* Check permission betweeen a pair of tasks, e.g. signal checks,
906 fork check, ptrace check, etc. */
907static int task_has_perm(struct task_struct *tsk1,
908 struct task_struct *tsk2,
909 u32 perms)
910{
911 struct task_security_struct *tsec1, *tsec2;
912
913 tsec1 = tsk1->security;
914 tsec2 = tsk2->security;
915 return avc_has_perm(tsec1->sid, tsec2->sid,
916 SECCLASS_PROCESS, perms, NULL);
917}
918
919/* Check whether a task is allowed to use a capability. */
920static int task_has_capability(struct task_struct *tsk,
921 int cap)
922{
923 struct task_security_struct *tsec;
924 struct avc_audit_data ad;
925
926 tsec = tsk->security;
927
928 AVC_AUDIT_DATA_INIT(&ad,CAP);
929 ad.tsk = tsk;
930 ad.u.cap = cap;
931
932 return avc_has_perm(tsec->sid, tsec->sid,
933 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
934}
935
936/* Check whether a task is allowed to use a system operation. */
937static int task_has_system(struct task_struct *tsk,
938 u32 perms)
939{
940 struct task_security_struct *tsec;
941
942 tsec = tsk->security;
943
944 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
945 SECCLASS_SYSTEM, perms, NULL);
946}
947
948/* Check whether a task has a particular permission to an inode.
949 The 'adp' parameter is optional and allows other audit
950 data to be passed (e.g. the dentry). */
951static int inode_has_perm(struct task_struct *tsk,
952 struct inode *inode,
953 u32 perms,
954 struct avc_audit_data *adp)
955{
956 struct task_security_struct *tsec;
957 struct inode_security_struct *isec;
958 struct avc_audit_data ad;
959
960 tsec = tsk->security;
961 isec = inode->i_security;
962
963 if (!adp) {
964 adp = &ad;
965 AVC_AUDIT_DATA_INIT(&ad, FS);
966 ad.u.fs.inode = inode;
967 }
968
969 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
970}
971
972/* Same as inode_has_perm, but pass explicit audit data containing
973 the dentry to help the auditing code to more easily generate the
974 pathname if needed. */
975static inline int dentry_has_perm(struct task_struct *tsk,
976 struct vfsmount *mnt,
977 struct dentry *dentry,
978 u32 av)
979{
980 struct inode *inode = dentry->d_inode;
981 struct avc_audit_data ad;
982 AVC_AUDIT_DATA_INIT(&ad,FS);
983 ad.u.fs.mnt = mnt;
984 ad.u.fs.dentry = dentry;
985 return inode_has_perm(tsk, inode, av, &ad);
986}
987
988/* Check whether a task can use an open file descriptor to
989 access an inode in a given way. Check access to the
990 descriptor itself, and then use dentry_has_perm to
991 check a particular permission to the file.
992 Access to the descriptor is implicitly granted if it
993 has the same SID as the process. If av is zero, then
994 access to the file is not checked, e.g. for cases
995 where only the descriptor is affected like seek. */
Arjan van de Ven858119e2006-01-14 13:20:43 -0800[diff] [blame]996static int file_has_perm(struct task_struct *tsk,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]997 struct file *file,
998 u32 av)
999{
1000 struct task_security_struct *tsec = tsk->security;
1001 struct file_security_struct *fsec = file->f_security;
1002 struct vfsmount *mnt = file->f_vfsmnt;
1003 struct dentry *dentry = file->f_dentry;
1004 struct inode *inode = dentry->d_inode;
1005 struct avc_audit_data ad;
1006 int rc;
1007
1008 AVC_AUDIT_DATA_INIT(&ad, FS);
1009 ad.u.fs.mnt = mnt;
1010 ad.u.fs.dentry = dentry;
1011
1012 if (tsec->sid != fsec->sid) {
1013 rc = avc_has_perm(tsec->sid, fsec->sid,
1014 SECCLASS_FD,
1015 FD__USE,
1016 &ad);
1017 if (rc)
1018 return rc;
1019 }
1020
1021 /* av is zero if only checking access to the descriptor. */
1022 if (av)
1023 return inode_has_perm(tsk, inode, av, &ad);
1024
1025 return 0;
1026}
1027
1028/* Check whether a task can create a file. */
1029static int may_create(struct inode *dir,
1030 struct dentry *dentry,
1031 u16 tclass)
1032{
1033 struct task_security_struct *tsec;
1034 struct inode_security_struct *dsec;
1035 struct superblock_security_struct *sbsec;
1036 u32 newsid;
1037 struct avc_audit_data ad;
1038 int rc;
1039
1040 tsec = current->security;
1041 dsec = dir->i_security;
1042 sbsec = dir->i_sb->s_security;
1043
1044 AVC_AUDIT_DATA_INIT(&ad, FS);
1045 ad.u.fs.dentry = dentry;
1046
1047 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1048 DIR__ADD_NAME | DIR__SEARCH,
1049 &ad);
1050 if (rc)
1051 return rc;
1052
1053 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1054 newsid = tsec->create_sid;
1055 } else {
1056 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1057 &newsid);
1058 if (rc)
1059 return rc;
1060 }
1061
1062 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1063 if (rc)
1064 return rc;
1065
1066 return avc_has_perm(newsid, sbsec->sid,
1067 SECCLASS_FILESYSTEM,
1068 FILESYSTEM__ASSOCIATE, &ad);
1069}
1070
1071#define MAY_LINK 0
1072#define MAY_UNLINK 1
1073#define MAY_RMDIR 2
1074
1075/* Check whether a task can link, unlink, or rmdir a file/directory. */
1076static int may_link(struct inode *dir,
1077 struct dentry *dentry,
1078 int kind)
1079
1080{
1081 struct task_security_struct *tsec;
1082 struct inode_security_struct *dsec, *isec;
1083 struct avc_audit_data ad;
1084 u32 av;
1085 int rc;
1086
1087 tsec = current->security;
1088 dsec = dir->i_security;
1089 isec = dentry->d_inode->i_security;
1090
1091 AVC_AUDIT_DATA_INIT(&ad, FS);
1092 ad.u.fs.dentry = dentry;
1093
1094 av = DIR__SEARCH;
1095 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1096 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1097 if (rc)
1098 return rc;
1099
1100 switch (kind) {
1101 case MAY_LINK:
1102 av = FILE__LINK;
1103 break;
1104 case MAY_UNLINK:
1105 av = FILE__UNLINK;
1106 break;
1107 case MAY_RMDIR:
1108 av = DIR__RMDIR;
1109 break;
1110 default:
1111 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1112 return 0;
1113 }
1114
1115 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1116 return rc;
1117}
1118
1119static inline int may_rename(struct inode *old_dir,
1120 struct dentry *old_dentry,
1121 struct inode *new_dir,
1122 struct dentry *new_dentry)
1123{
1124 struct task_security_struct *tsec;
1125 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1126 struct avc_audit_data ad;
1127 u32 av;
1128 int old_is_dir, new_is_dir;
1129 int rc;
1130
1131 tsec = current->security;
1132 old_dsec = old_dir->i_security;
1133 old_isec = old_dentry->d_inode->i_security;
1134 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1135 new_dsec = new_dir->i_security;
1136
1137 AVC_AUDIT_DATA_INIT(&ad, FS);
1138
1139 ad.u.fs.dentry = old_dentry;
1140 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1141 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1142 if (rc)
1143 return rc;
1144 rc = avc_has_perm(tsec->sid, old_isec->sid,
1145 old_isec->sclass, FILE__RENAME, &ad);
1146 if (rc)
1147 return rc;
1148 if (old_is_dir && new_dir != old_dir) {
1149 rc = avc_has_perm(tsec->sid, old_isec->sid,
1150 old_isec->sclass, DIR__REPARENT, &ad);
1151 if (rc)
1152 return rc;
1153 }
1154
1155 ad.u.fs.dentry = new_dentry;
1156 av = DIR__ADD_NAME | DIR__SEARCH;
1157 if (new_dentry->d_inode)
1158 av |= DIR__REMOVE_NAME;
1159 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1160 if (rc)
1161 return rc;
1162 if (new_dentry->d_inode) {
1163 new_isec = new_dentry->d_inode->i_security;
1164 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1165 rc = avc_has_perm(tsec->sid, new_isec->sid,
1166 new_isec->sclass,
1167 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1168 if (rc)
1169 return rc;
1170 }
1171
1172 return 0;
1173}
1174
1175/* Check whether a task can perform a filesystem operation. */
1176static int superblock_has_perm(struct task_struct *tsk,
1177 struct super_block *sb,
1178 u32 perms,
1179 struct avc_audit_data *ad)
1180{
1181 struct task_security_struct *tsec;
1182 struct superblock_security_struct *sbsec;
1183
1184 tsec = tsk->security;
1185 sbsec = sb->s_security;
1186 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1187 perms, ad);
1188}
1189
1190/* Convert a Linux mode and permission mask to an access vector. */
1191static inline u32 file_mask_to_av(int mode, int mask)
1192{
1193 u32 av = 0;
1194
1195 if ((mode & S_IFMT) != S_IFDIR) {
1196 if (mask & MAY_EXEC)
1197 av |= FILE__EXECUTE;
1198 if (mask & MAY_READ)
1199 av |= FILE__READ;
1200
1201 if (mask & MAY_APPEND)
1202 av |= FILE__APPEND;
1203 else if (mask & MAY_WRITE)
1204 av |= FILE__WRITE;
1205
1206 } else {
1207 if (mask & MAY_EXEC)
1208 av |= DIR__SEARCH;
1209 if (mask & MAY_WRITE)
1210 av |= DIR__WRITE;
1211 if (mask & MAY_READ)
1212 av |= DIR__READ;
1213 }
1214
1215 return av;
1216}
1217
1218/* Convert a Linux file to an access vector. */
1219static inline u32 file_to_av(struct file *file)
1220{
1221 u32 av = 0;
1222
1223 if (file->f_mode & FMODE_READ)
1224 av |= FILE__READ;
1225 if (file->f_mode & FMODE_WRITE) {
1226 if (file->f_flags & O_APPEND)
1227 av |= FILE__APPEND;
1228 else
1229 av |= FILE__WRITE;
1230 }
1231
1232 return av;
1233}
1234
1235/* Set an inode's SID to a specified value. */
1236static int inode_security_set_sid(struct inode *inode, u32 sid)
1237{
1238 struct inode_security_struct *isec = inode->i_security;
1239 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1240
1241 if (!sbsec->initialized) {
1242 /* Defer initialization to selinux_complete_init. */
1243 return 0;
1244 }
1245
1246 down(&isec->sem);
1247 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1248 isec->sid = sid;
1249 isec->initialized = 1;
1250 up(&isec->sem);
1251 return 0;
1252}
1253
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1254/* Hook functions begin here. */
1255
1256static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1257{
1258 struct task_security_struct *psec = parent->security;
1259 struct task_security_struct *csec = child->security;
1260 int rc;
1261
1262 rc = secondary_ops->ptrace(parent,child);
1263 if (rc)
1264 return rc;
1265
1266 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1267 /* Save the SID of the tracing process for later use in apply_creds. */
Stephen Smalley341c2d82006-03-11 03:27:16 -0800[diff] [blame]1268 if (!(child->ptrace & PT_PTRACED) && !rc)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1269 csec->ptrace_sid = psec->sid;
1270 return rc;
1271}
1272
1273static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1274 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1275{
1276 int error;
1277
1278 error = task_has_perm(current, target, PROCESS__GETCAP);
1279 if (error)
1280 return error;
1281
1282 return secondary_ops->capget(target, effective, inheritable, permitted);
1283}
1284
1285static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1286 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1287{
1288 int error;
1289
1290 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1291 if (error)
1292 return error;
1293
1294 return task_has_perm(current, target, PROCESS__SETCAP);
1295}
1296
1297static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1298 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1299{
1300 secondary_ops->capset_set(target, effective, inheritable, permitted);
1301}
1302
1303static int selinux_capable(struct task_struct *tsk, int cap)
1304{
1305 int rc;
1306
1307 rc = secondary_ops->capable(tsk, cap);
1308 if (rc)
1309 return rc;
1310
1311 return task_has_capability(tsk,cap);
1312}
1313
1314static int selinux_sysctl(ctl_table *table, int op)
1315{
1316 int error = 0;
1317 u32 av;
1318 struct task_security_struct *tsec;
1319 u32 tsid;
1320 int rc;
1321
1322 rc = secondary_ops->sysctl(table, op);
1323 if (rc)
1324 return rc;
1325
1326 tsec = current->security;
1327
1328 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1329 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1330 if (rc) {
1331 /* Default to the well-defined sysctl SID. */
1332 tsid = SECINITSID_SYSCTL;
1333 }
1334
1335 /* The op values are "defined" in sysctl.c, thereby creating
1336 * a bad coupling between this module and sysctl.c */
1337 if(op == 001) {
1338 error = avc_has_perm(tsec->sid, tsid,
1339 SECCLASS_DIR, DIR__SEARCH, NULL);
1340 } else {
1341 av = 0;
1342 if (op & 004)
1343 av |= FILE__READ;
1344 if (op & 002)
1345 av |= FILE__WRITE;
1346 if (av)
1347 error = avc_has_perm(tsec->sid, tsid,
1348 SECCLASS_FILE, av, NULL);
1349 }
1350
1351 return error;
1352}
1353
1354static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1355{
1356 int rc = 0;
1357
1358 if (!sb)
1359 return 0;
1360
1361 switch (cmds) {
1362 case Q_SYNC:
1363 case Q_QUOTAON:
1364 case Q_QUOTAOFF:
1365 case Q_SETINFO:
1366 case Q_SETQUOTA:
1367 rc = superblock_has_perm(current,
1368 sb,
1369 FILESYSTEM__QUOTAMOD, NULL);
1370 break;
1371 case Q_GETFMT:
1372 case Q_GETINFO:
1373 case Q_GETQUOTA:
1374 rc = superblock_has_perm(current,
1375 sb,
1376 FILESYSTEM__QUOTAGET, NULL);
1377 break;
1378 default:
1379 rc = 0; /* let the kernel handle invalid cmds */
1380 break;
1381 }
1382 return rc;
1383}
1384
1385static int selinux_quota_on(struct dentry *dentry)
1386{
1387 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1388}
1389
1390static int selinux_syslog(int type)
1391{
1392 int rc;
1393
1394 rc = secondary_ops->syslog(type);
1395 if (rc)
1396 return rc;
1397
1398 switch (type) {
1399 case 3: /* Read last kernel messages */
1400 case 10: /* Return size of the log buffer */
1401 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1402 break;
1403 case 6: /* Disable logging to console */
1404 case 7: /* Enable logging to console */
1405 case 8: /* Set level of messages printed to console */
1406 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1407 break;
1408 case 0: /* Close log */
1409 case 1: /* Open log */
1410 case 2: /* Read from log */
1411 case 4: /* Read/clear last kernel messages */
1412 case 5: /* Clear ring buffer */
1413 default:
1414 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1415 break;
1416 }
1417 return rc;
1418}
1419
1420/*
1421 * Check that a process has enough memory to allocate a new virtual
1422 * mapping. 0 means there is enough memory for the allocation to
1423 * succeed and -ENOMEM implies there is not.
1424 *
1425 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1426 * if the capability is granted, but __vm_enough_memory requires 1 if
1427 * the capability is granted.
1428 *
1429 * Do not audit the selinux permission check, as this is applied to all
1430 * processes that allocate mappings.
1431 */
1432static int selinux_vm_enough_memory(long pages)
1433{
1434 int rc, cap_sys_admin = 0;
1435 struct task_security_struct *tsec = current->security;
1436
1437 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1438 if (rc == 0)
1439 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1440 SECCLASS_CAPABILITY,
1441 CAP_TO_MASK(CAP_SYS_ADMIN),
1442 NULL);
1443
1444 if (rc == 0)
1445 cap_sys_admin = 1;
1446
1447 return __vm_enough_memory(pages, cap_sys_admin);
1448}
1449
1450/* binprm security operations */
1451
1452static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1453{
1454 struct bprm_security_struct *bsec;
1455
James Morris89d155e2005-10-30 14:59:21 -0800[diff] [blame]1456 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1457 if (!bsec)
1458 return -ENOMEM;
1459
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1460 bsec->bprm = bprm;
1461 bsec->sid = SECINITSID_UNLABELED;
1462 bsec->set = 0;
1463
1464 bprm->security = bsec;
1465 return 0;
1466}
1467
1468static int selinux_bprm_set_security(struct linux_binprm *bprm)
1469{
1470 struct task_security_struct *tsec;
1471 struct inode *inode = bprm->file->f_dentry->d_inode;
1472 struct inode_security_struct *isec;
1473 struct bprm_security_struct *bsec;
1474 u32 newsid;
1475 struct avc_audit_data ad;
1476 int rc;
1477
1478 rc = secondary_ops->bprm_set_security(bprm);
1479 if (rc)
1480 return rc;
1481
1482 bsec = bprm->security;
1483
1484 if (bsec->set)
1485 return 0;
1486
1487 tsec = current->security;
1488 isec = inode->i_security;
1489
1490 /* Default to the current task SID. */
1491 bsec->sid = tsec->sid;
1492
1493 /* Reset create SID on execve. */
1494 tsec->create_sid = 0;
1495
1496 if (tsec->exec_sid) {
1497 newsid = tsec->exec_sid;
1498 /* Reset exec SID on execve. */
1499 tsec->exec_sid = 0;
1500 } else {
1501 /* Check for a default transition on this program. */
1502 rc = security_transition_sid(tsec->sid, isec->sid,
1503 SECCLASS_PROCESS, &newsid);
1504 if (rc)
1505 return rc;
1506 }
1507
1508 AVC_AUDIT_DATA_INIT(&ad, FS);
1509 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1510 ad.u.fs.dentry = bprm->file->f_dentry;
1511
1512 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1513 newsid = tsec->sid;
1514
1515 if (tsec->sid == newsid) {
1516 rc = avc_has_perm(tsec->sid, isec->sid,
1517 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1518 if (rc)
1519 return rc;
1520 } else {
1521 /* Check permissions for the transition. */
1522 rc = avc_has_perm(tsec->sid, newsid,
1523 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1524 if (rc)
1525 return rc;
1526
1527 rc = avc_has_perm(newsid, isec->sid,
1528 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1529 if (rc)
1530 return rc;
1531
1532 /* Clear any possibly unsafe personality bits on exec: */
1533 current->personality &= ~PER_CLEAR_ON_SETID;
1534
1535 /* Set the security field to the new SID. */
1536 bsec->sid = newsid;
1537 }
1538
1539 bsec->set = 1;
1540 return 0;
1541}
1542
1543static int selinux_bprm_check_security (struct linux_binprm *bprm)
1544{
1545 return secondary_ops->bprm_check_security(bprm);
1546}
1547
1548
1549static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1550{
1551 struct task_security_struct *tsec = current->security;
1552 int atsecure = 0;
1553
1554 if (tsec->osid != tsec->sid) {
1555 /* Enable secure mode for SIDs transitions unless
1556 the noatsecure permission is granted between
1557 the two SIDs, i.e. ahp returns 0. */
1558 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1559 SECCLASS_PROCESS,
1560 PROCESS__NOATSECURE, NULL);
1561 }
1562
1563 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1564}
1565
1566static void selinux_bprm_free_security(struct linux_binprm *bprm)
1567{
Jesper Juhl9a5f04b2005-06-25 14:58:51 -0700[diff] [blame]1568 kfree(bprm->security);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1569 bprm->security = NULL;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1570}
1571
1572extern struct vfsmount *selinuxfs_mount;
1573extern struct dentry *selinux_null;
1574
1575/* Derived from fs/exec.c:flush_old_files. */
1576static inline void flush_unauthorized_files(struct files_struct * files)
1577{
1578 struct avc_audit_data ad;
1579 struct file *file, *devnull = NULL;
1580 struct tty_struct *tty = current->signal->tty;
Dipankar Sarmabadf1662005-09-09 13:04:10 -0700[diff] [blame]1581 struct fdtable *fdt;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1582 long j = -1;
1583
1584 if (tty) {
1585 file_list_lock();
Eric Dumazet2f512012005-10-30 15:02:16 -0800[diff] [blame]1586 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1587 if (file) {
1588 /* Revalidate access to controlling tty.
1589 Use inode_has_perm on the tty inode directly rather
1590 than using file_has_perm, as this particular open
1591 file may belong to another process and we are only
1592 interested in the inode-based check here. */
1593 struct inode *inode = file->f_dentry->d_inode;
1594 if (inode_has_perm(current, inode,
1595 FILE__READ | FILE__WRITE, NULL)) {
1596 /* Reset controlling tty. */
1597 current->signal->tty = NULL;
1598 current->signal->tty_old_pgrp = 0;
1599 }
1600 }
1601 file_list_unlock();
1602 }
1603
1604 /* Revalidate access to inherited open files. */
1605
1606 AVC_AUDIT_DATA_INIT(&ad,FS);
1607
1608 spin_lock(&files->file_lock);
1609 for (;;) {
1610 unsigned long set, i;
1611 int fd;
1612
1613 j++;
1614 i = j * __NFDBITS;
Dipankar Sarmabadf1662005-09-09 13:04:10 -0700[diff] [blame]1615 fdt = files_fdtable(files);
1616 if (i >= fdt->max_fds || i >= fdt->max_fdset)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1617 break;
Dipankar Sarmabadf1662005-09-09 13:04:10 -0700[diff] [blame]1618 set = fdt->open_fds->fds_bits[j];
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1619 if (!set)
1620 continue;
1621 spin_unlock(&files->file_lock);
1622 for ( ; set ; i++,set >>= 1) {
1623 if (set & 1) {
1624 file = fget(i);
1625 if (!file)
1626 continue;
1627 if (file_has_perm(current,
1628 file,
1629 file_to_av(file))) {
1630 sys_close(i);
1631 fd = get_unused_fd();
1632 if (fd != i) {
1633 if (fd >= 0)
1634 put_unused_fd(fd);
1635 fput(file);
1636 continue;
1637 }
1638 if (devnull) {
Nick Piggin095975d2006-01-08 01:02:19 -0800[diff] [blame]1639 get_file(devnull);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1640 } else {
1641 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1642 if (!devnull) {
1643 put_unused_fd(fd);
1644 fput(file);
1645 continue;
1646 }
1647 }
1648 fd_install(fd, devnull);
1649 }
1650 fput(file);
1651 }
1652 }
1653 spin_lock(&files->file_lock);
1654
1655 }
1656 spin_unlock(&files->file_lock);
1657}
1658
1659static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1660{
1661 struct task_security_struct *tsec;
1662 struct bprm_security_struct *bsec;
1663 u32 sid;
1664 int rc;
1665
1666 secondary_ops->bprm_apply_creds(bprm, unsafe);
1667
1668 tsec = current->security;
1669
1670 bsec = bprm->security;
1671 sid = bsec->sid;
1672
1673 tsec->osid = tsec->sid;
1674 bsec->unsafe = 0;
1675 if (tsec->sid != sid) {
1676 /* Check for shared state. If not ok, leave SID
1677 unchanged and kill. */
1678 if (unsafe & LSM_UNSAFE_SHARE) {
1679 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1680 PROCESS__SHARE, NULL);
1681 if (rc) {
1682 bsec->unsafe = 1;
1683 return;
1684 }
1685 }
1686
1687 /* Check for ptracing, and update the task SID if ok.
1688 Otherwise, leave SID unchanged and kill. */
1689 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1690 rc = avc_has_perm(tsec->ptrace_sid, sid,
1691 SECCLASS_PROCESS, PROCESS__PTRACE,
1692 NULL);
1693 if (rc) {
1694 bsec->unsafe = 1;
1695 return;
1696 }
1697 }
1698 tsec->sid = sid;
1699 }
1700}
1701
1702/*
1703 * called after apply_creds without the task lock held
1704 */
1705static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1706{
1707 struct task_security_struct *tsec;
1708 struct rlimit *rlim, *initrlim;
1709 struct itimerval itimer;
1710 struct bprm_security_struct *bsec;
1711 int rc, i;
1712
1713 tsec = current->security;
1714 bsec = bprm->security;
1715
1716 if (bsec->unsafe) {
1717 force_sig_specific(SIGKILL, current);
1718 return;
1719 }
1720 if (tsec->osid == tsec->sid)
1721 return;
1722
1723 /* Close files for which the new task SID is not authorized. */
1724 flush_unauthorized_files(current->files);
1725
1726 /* Check whether the new SID can inherit signal state
1727 from the old SID. If not, clear itimers to avoid
1728 subsequent signal generation and flush and unblock
1729 signals. This must occur _after_ the task SID has
1730 been updated so that any kill done after the flush
1731 will be checked against the new SID. */
1732 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1733 PROCESS__SIGINH, NULL);
1734 if (rc) {
1735 memset(&itimer, 0, sizeof itimer);
1736 for (i = 0; i < 3; i++)
1737 do_setitimer(i, &itimer, NULL);
1738 flush_signals(current);
1739 spin_lock_irq(&current->sighand->siglock);
1740 flush_signal_handlers(current, 1);
1741 sigemptyset(&current->blocked);
1742 recalc_sigpending();
1743 spin_unlock_irq(&current->sighand->siglock);
1744 }
1745
1746 /* Check whether the new SID can inherit resource limits
1747 from the old SID. If not, reset all soft limits to
1748 the lower of the current task's hard limit and the init
1749 task's soft limit. Note that the setting of hard limits
1750 (even to lower them) can be controlled by the setrlimit
1751 check. The inclusion of the init task's soft limit into
1752 the computation is to avoid resetting soft limits higher
1753 than the default soft limit for cases where the default
1754 is lower than the hard limit, e.g. RLIMIT_CORE or
1755 RLIMIT_STACK.*/
1756 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1757 PROCESS__RLIMITINH, NULL);
1758 if (rc) {
1759 for (i = 0; i < RLIM_NLIMITS; i++) {
1760 rlim = current->signal->rlim + i;
1761 initrlim = init_task.signal->rlim+i;
1762 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1763 }
1764 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1765 /*
1766 * This will cause RLIMIT_CPU calculations
1767 * to be refigured.
1768 */
1769 current->it_prof_expires = jiffies_to_cputime(1);
1770 }
1771 }
1772
1773 /* Wake up the parent if it is waiting so that it can
1774 recheck wait permission to the new task SID. */
1775 wake_up_interruptible(&current->parent->signal->wait_chldexit);
1776}
1777
1778/* superblock security operations */
1779
1780static int selinux_sb_alloc_security(struct super_block *sb)
1781{
1782 return superblock_alloc_security(sb);
1783}
1784
1785static void selinux_sb_free_security(struct super_block *sb)
1786{
1787 superblock_free_security(sb);
1788}
1789
1790static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1791{
1792 if (plen > olen)
1793 return 0;
1794
1795 return !memcmp(prefix, option, plen);
1796}
1797
1798static inline int selinux_option(char *option, int len)
1799{
1800 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1801 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1802 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1803}
1804
1805static inline void take_option(char **to, char *from, int *first, int len)
1806{
1807 if (!*first) {
1808 **to = ',';
1809 *to += 1;
1810 }
1811 else
1812 *first = 0;
1813 memcpy(*to, from, len);
1814 *to += len;
1815}
1816
1817static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1818{
1819 int fnosec, fsec, rc = 0;
1820 char *in_save, *in_curr, *in_end;
1821 char *sec_curr, *nosec_save, *nosec;
1822
1823 in_curr = orig;
1824 sec_curr = copy;
1825
1826 /* Binary mount data: just copy */
1827 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1828 copy_page(sec_curr, in_curr);
1829 goto out;
1830 }
1831
1832 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1833 if (!nosec) {
1834 rc = -ENOMEM;
1835 goto out;
1836 }
1837
1838 nosec_save = nosec;
1839 fnosec = fsec = 1;
1840 in_save = in_end = orig;
1841
1842 do {
1843 if (*in_end == ',' || *in_end == '\0') {
1844 int len = in_end - in_curr;
1845
1846 if (selinux_option(in_curr, len))
1847 take_option(&sec_curr, in_curr, &fsec, len);
1848 else
1849 take_option(&nosec, in_curr, &fnosec, len);
1850
1851 in_curr = in_end + 1;
1852 }
1853 } while (*in_end++);
1854
Eric Paris6931dfc2005-06-30 02:58:51 -0700[diff] [blame]1855 strcpy(in_save, nosec_save);
Gerald Schaeferda3caa22005-06-21 17:15:18 -0700[diff] [blame]1856 free_page((unsigned long)nosec_save);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1857out:
1858 return rc;
1859}
1860
1861static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1862{
1863 struct avc_audit_data ad;
1864 int rc;
1865
1866 rc = superblock_doinit(sb, data);
1867 if (rc)
1868 return rc;
1869
1870 AVC_AUDIT_DATA_INIT(&ad,FS);
1871 ad.u.fs.dentry = sb->s_root;
1872 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1873}
1874
1875static int selinux_sb_statfs(struct super_block *sb)
1876{
1877 struct avc_audit_data ad;
1878
1879 AVC_AUDIT_DATA_INIT(&ad,FS);
1880 ad.u.fs.dentry = sb->s_root;
1881 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1882}
1883
1884static int selinux_mount(char * dev_name,
1885 struct nameidata *nd,
1886 char * type,
1887 unsigned long flags,
1888 void * data)
1889{
1890 int rc;
1891
1892 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1893 if (rc)
1894 return rc;
1895
1896 if (flags & MS_REMOUNT)
1897 return superblock_has_perm(current, nd->mnt->mnt_sb,
1898 FILESYSTEM__REMOUNT, NULL);
1899 else
1900 return dentry_has_perm(current, nd->mnt, nd->dentry,
1901 FILE__MOUNTON);
1902}
1903
1904static int selinux_umount(struct vfsmount *mnt, int flags)
1905{
1906 int rc;
1907
1908 rc = secondary_ops->sb_umount(mnt, flags);
1909 if (rc)
1910 return rc;
1911
1912 return superblock_has_perm(current,mnt->mnt_sb,
1913 FILESYSTEM__UNMOUNT,NULL);
1914}
1915
1916/* inode security operations */
1917
1918static int selinux_inode_alloc_security(struct inode *inode)
1919{
1920 return inode_alloc_security(inode);
1921}
1922
1923static void selinux_inode_free_security(struct inode *inode)
1924{
1925 inode_free_security(inode);
1926}
1927
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]1928static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1929 char **name, void **value,
1930 size_t *len)
1931{
1932 struct task_security_struct *tsec;
1933 struct inode_security_struct *dsec;
1934 struct superblock_security_struct *sbsec;
Stephen Smalley570bc1c2005-09-09 13:01:43 -0700[diff] [blame]1935 u32 newsid, clen;
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]1936 int rc;
Stephen Smalley570bc1c2005-09-09 13:01:43 -0700[diff] [blame]1937 char *namep = NULL, *context;
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]1938
1939 tsec = current->security;
1940 dsec = dir->i_security;
1941 sbsec = dir->i_sb->s_security;
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]1942
1943 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1944 newsid = tsec->create_sid;
1945 } else {
1946 rc = security_transition_sid(tsec->sid, dsec->sid,
1947 inode_mode_to_security_class(inode->i_mode),
1948 &newsid);
1949 if (rc) {
1950 printk(KERN_WARNING "%s: "
1951 "security_transition_sid failed, rc=%d (dev=%s "
1952 "ino=%ld)\n",
1953 __FUNCTION__,
1954 -rc, inode->i_sb->s_id, inode->i_ino);
1955 return rc;
1956 }
1957 }
1958
1959 inode_security_set_sid(inode, newsid);
1960
Stephen Smalley8aad3872006-03-22 00:09:13 -0800[diff] [blame]1961 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
Stephen Smalley25a74f32005-11-08 21:34:33 -0800[diff] [blame]1962 return -EOPNOTSUPP;
1963
Stephen Smalley570bc1c2005-09-09 13:01:43 -0700[diff] [blame]1964 if (name) {
1965 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1966 if (!namep)
1967 return -ENOMEM;
1968 *name = namep;
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]1969 }
Stephen Smalley570bc1c2005-09-09 13:01:43 -0700[diff] [blame]1970
1971 if (value && len) {
1972 rc = security_sid_to_context(newsid, &context, &clen);
1973 if (rc) {
1974 kfree(namep);
1975 return rc;
1976 }
1977 *value = context;
1978 *len = clen;
1979 }
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]1980
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]1981 return 0;
1982}
1983
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1984static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
1985{
1986 return may_create(dir, dentry, SECCLASS_FILE);
1987}
1988
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1989static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
1990{
1991 int rc;
1992
1993 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
1994 if (rc)
1995 return rc;
1996 return may_link(dir, old_dentry, MAY_LINK);
1997}
1998
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1999static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2000{
2001 int rc;
2002
2003 rc = secondary_ops->inode_unlink(dir, dentry);
2004 if (rc)
2005 return rc;
2006 return may_link(dir, dentry, MAY_UNLINK);
2007}
2008
2009static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2010{
2011 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2012}
2013
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2014static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2015{
2016 return may_create(dir, dentry, SECCLASS_DIR);
2017}
2018
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2019static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2020{
2021 return may_link(dir, dentry, MAY_RMDIR);
2022}
2023
2024static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2025{
2026 int rc;
2027
2028 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2029 if (rc)
2030 return rc;
2031
2032 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2033}
2034
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2035static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2036 struct inode *new_inode, struct dentry *new_dentry)
2037{
2038 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2039}
2040
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2041static int selinux_inode_readlink(struct dentry *dentry)
2042{
2043 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2044}
2045
2046static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2047{
2048 int rc;
2049
2050 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2051 if (rc)
2052 return rc;
2053 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2054}
2055
2056static int selinux_inode_permission(struct inode *inode, int mask,
2057 struct nameidata *nd)
2058{
2059 int rc;
2060
2061 rc = secondary_ops->inode_permission(inode, mask, nd);
2062 if (rc)
2063 return rc;
2064
2065 if (!mask) {
2066 /* No permission to check. Existence test. */
2067 return 0;
2068 }
2069
2070 return inode_has_perm(current, inode,
2071 file_mask_to_av(inode->i_mode, mask), NULL);
2072}
2073
2074static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2075{
2076 int rc;
2077
2078 rc = secondary_ops->inode_setattr(dentry, iattr);
2079 if (rc)
2080 return rc;
2081
2082 if (iattr->ia_valid & ATTR_FORCE)
2083 return 0;
2084
2085 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2086 ATTR_ATIME_SET | ATTR_MTIME_SET))
2087 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2088
2089 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2090}
2091
2092static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2093{
2094 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2095}
2096
2097static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2098{
2099 struct task_security_struct *tsec = current->security;
2100 struct inode *inode = dentry->d_inode;
2101 struct inode_security_struct *isec = inode->i_security;
2102 struct superblock_security_struct *sbsec;
2103 struct avc_audit_data ad;
2104 u32 newsid;
2105 int rc = 0;
2106
2107 if (strcmp(name, XATTR_NAME_SELINUX)) {
2108 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2109 sizeof XATTR_SECURITY_PREFIX - 1) &&
2110 !capable(CAP_SYS_ADMIN)) {
2111 /* A different attribute in the security namespace.
2112 Restrict to administrator. */
2113 return -EPERM;
2114 }
2115
2116 /* Not an attribute we recognize, so just check the
2117 ordinary setattr permission. */
2118 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2119 }
2120
2121 sbsec = inode->i_sb->s_security;
2122 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2123 return -EOPNOTSUPP;
2124
2125 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2126 return -EPERM;
2127
2128 AVC_AUDIT_DATA_INIT(&ad,FS);
2129 ad.u.fs.dentry = dentry;
2130
2131 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2132 FILE__RELABELFROM, &ad);
2133 if (rc)
2134 return rc;
2135
2136 rc = security_context_to_sid(value, size, &newsid);
2137 if (rc)
2138 return rc;
2139
2140 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2141 FILE__RELABELTO, &ad);
2142 if (rc)
2143 return rc;
2144
2145 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2146 isec->sclass);
2147 if (rc)
2148 return rc;
2149
2150 return avc_has_perm(newsid,
2151 sbsec->sid,
2152 SECCLASS_FILESYSTEM,
2153 FILESYSTEM__ASSOCIATE,
2154 &ad);
2155}
2156
2157static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2158 void *value, size_t size, int flags)
2159{
2160 struct inode *inode = dentry->d_inode;
2161 struct inode_security_struct *isec = inode->i_security;
2162 u32 newsid;
2163 int rc;
2164
2165 if (strcmp(name, XATTR_NAME_SELINUX)) {
2166 /* Not an attribute we recognize, so nothing to do. */
2167 return;
2168 }
2169
2170 rc = security_context_to_sid(value, size, &newsid);
2171 if (rc) {
2172 printk(KERN_WARNING "%s: unable to obtain SID for context "
2173 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2174 return;
2175 }
2176
2177 isec->sid = newsid;
2178 return;
2179}
2180
2181static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2182{
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2183 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2184}
2185
2186static int selinux_inode_listxattr (struct dentry *dentry)
2187{
2188 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2189}
2190
2191static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2192{
2193 if (strcmp(name, XATTR_NAME_SELINUX)) {
2194 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2195 sizeof XATTR_SECURITY_PREFIX - 1) &&
2196 !capable(CAP_SYS_ADMIN)) {
2197 /* A different attribute in the security namespace.
2198 Restrict to administrator. */
2199 return -EPERM;
2200 }
2201
2202 /* Not an attribute we recognize, so just check the
2203 ordinary setattr permission. Might want a separate
2204 permission for removexattr. */
2205 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2206 }
2207
2208 /* No one is allowed to remove a SELinux security label.
2209 You can change the label, but all data must be labeled. */
2210 return -EACCES;
2211}
2212
James Morrisd381d8a2005-10-30 14:59:22 -0800[diff] [blame]2213/*
2214 * Copy the in-core inode security context value to the user. If the
2215 * getxattr() prior to this succeeded, check to see if we need to
2216 * canonicalize the value to be finally returned to the user.
2217 *
2218 * Permission check is handled by selinux_inode_getxattr hook.
2219 */
2220static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2221{
2222 struct inode_security_struct *isec = inode->i_security;
2223 char *context;
2224 unsigned len;
2225 int rc;
2226
James Morrisd381d8a2005-10-30 14:59:22 -0800[diff] [blame]2227 if (strcmp(name, XATTR_SELINUX_SUFFIX)) {
2228 rc = -EOPNOTSUPP;
2229 goto out;
2230 }
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2231
2232 rc = security_sid_to_context(isec->sid, &context, &len);
2233 if (rc)
James Morrisd381d8a2005-10-30 14:59:22 -0800[diff] [blame]2234 goto out;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2235
James Morrisd381d8a2005-10-30 14:59:22 -0800[diff] [blame]2236 /* Probe for required buffer size */
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2237 if (!buffer || !size) {
James Morrisd381d8a2005-10-30 14:59:22 -0800[diff] [blame]2238 rc = len;
2239 goto out_free;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2240 }
James Morrisd381d8a2005-10-30 14:59:22 -0800[diff] [blame]2241
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2242 if (size < len) {
James Morrisd381d8a2005-10-30 14:59:22 -0800[diff] [blame]2243 rc = -ERANGE;
2244 goto out_free;
2245 }
2246
2247 if (err > 0) {
2248 if ((len == err) && !(memcmp(context, buffer, len))) {
2249 /* Don't need to canonicalize value */
2250 rc = err;
2251 goto out_free;
2252 }
2253 memset(buffer, 0, size);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2254 }
2255 memcpy(buffer, context, len);
James Morrisd381d8a2005-10-30 14:59:22 -0800[diff] [blame]2256 rc = len;
2257out_free:
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2258 kfree(context);
James Morrisd381d8a2005-10-30 14:59:22 -0800[diff] [blame]2259out:
2260 return rc;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2261}
2262
2263static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2264 const void *value, size_t size, int flags)
2265{
2266 struct inode_security_struct *isec = inode->i_security;
2267 u32 newsid;
2268 int rc;
2269
2270 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2271 return -EOPNOTSUPP;
2272
2273 if (!value || !size)
2274 return -EACCES;
2275
2276 rc = security_context_to_sid((void*)value, size, &newsid);
2277 if (rc)
2278 return rc;
2279
2280 isec->sid = newsid;
2281 return 0;
2282}
2283
2284static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2285{
2286 const int len = sizeof(XATTR_NAME_SELINUX);
2287 if (buffer && len <= buffer_size)
2288 memcpy(buffer, XATTR_NAME_SELINUX, len);
2289 return len;
2290}
2291
2292/* file security operations */
2293
2294static int selinux_file_permission(struct file *file, int mask)
2295{
2296 struct inode *inode = file->f_dentry->d_inode;
2297
2298 if (!mask) {
2299 /* No permission to check. Existence test. */
2300 return 0;
2301 }
2302
2303 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2304 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2305 mask |= MAY_APPEND;
2306
2307 return file_has_perm(current, file,
2308 file_mask_to_av(inode->i_mode, mask));
2309}
2310
2311static int selinux_file_alloc_security(struct file *file)
2312{
2313 return file_alloc_security(file);
2314}
2315
2316static void selinux_file_free_security(struct file *file)
2317{
2318 file_free_security(file);
2319}
2320
2321static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2322 unsigned long arg)
2323{
2324 int error = 0;
2325
2326 switch (cmd) {
2327 case FIONREAD:
2328 /* fall through */
2329 case FIBMAP:
2330 /* fall through */
2331 case FIGETBSZ:
2332 /* fall through */
2333 case EXT2_IOC_GETFLAGS:
2334 /* fall through */
2335 case EXT2_IOC_GETVERSION:
2336 error = file_has_perm(current, file, FILE__GETATTR);
2337 break;
2338
2339 case EXT2_IOC_SETFLAGS:
2340 /* fall through */
2341 case EXT2_IOC_SETVERSION:
2342 error = file_has_perm(current, file, FILE__SETATTR);
2343 break;
2344
2345 /* sys_ioctl() checks */
2346 case FIONBIO:
2347 /* fall through */
2348 case FIOASYNC:
2349 error = file_has_perm(current, file, 0);
2350 break;
2351
2352 case KDSKBENT:
2353 case KDSKBSENT:
2354 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2355 break;
2356
2357 /* default case assumes that the command will go
2358 * to the file's ioctl() function.
2359 */
2360 default:
2361 error = file_has_perm(current, file, FILE__IOCTL);
2362
2363 }
2364 return error;
2365}
2366
2367static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2368{
2369#ifndef CONFIG_PPC32
2370 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2371 /*
2372 * We are making executable an anonymous mapping or a
2373 * private file mapping that will also be writable.
2374 * This has an additional check.
2375 */
2376 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2377 if (rc)
2378 return rc;
2379 }
2380#endif
2381
2382 if (file) {
2383 /* read access is always possible with a mapping */
2384 u32 av = FILE__READ;
2385
2386 /* write access only matters if the mapping is shared */
2387 if (shared && (prot & PROT_WRITE))
2388 av |= FILE__WRITE;
2389
2390 if (prot & PROT_EXEC)
2391 av |= FILE__EXECUTE;
2392
2393 return file_has_perm(current, file, av);
2394 }
2395 return 0;
2396}
2397
2398static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2399 unsigned long prot, unsigned long flags)
2400{
2401 int rc;
2402
2403 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2404 if (rc)
2405 return rc;
2406
2407 if (selinux_checkreqprot)
2408 prot = reqprot;
2409
2410 return file_map_prot_check(file, prot,
2411 (flags & MAP_TYPE) == MAP_SHARED);
2412}
2413
2414static int selinux_file_mprotect(struct vm_area_struct *vma,
2415 unsigned long reqprot,
2416 unsigned long prot)
2417{
2418 int rc;
2419
2420 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2421 if (rc)
2422 return rc;
2423
2424 if (selinux_checkreqprot)
2425 prot = reqprot;
2426
2427#ifndef CONFIG_PPC32
Stephen Smalleydb4c9642006-02-01 03:05:54 -0800[diff] [blame]2428 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2429 rc = 0;
2430 if (vma->vm_start >= vma->vm_mm->start_brk &&
2431 vma->vm_end <= vma->vm_mm->brk) {
2432 rc = task_has_perm(current, current,
2433 PROCESS__EXECHEAP);
2434 } else if (!vma->vm_file &&
2435 vma->vm_start <= vma->vm_mm->start_stack &&
2436 vma->vm_end >= vma->vm_mm->start_stack) {
2437 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2438 } else if (vma->vm_file && vma->anon_vma) {
2439 /*
2440 * We are making executable a file mapping that has
2441 * had some COW done. Since pages might have been
2442 * written, check ability to execute the possibly
2443 * modified content. This typically should only
2444 * occur for text relocations.
2445 */
2446 rc = file_has_perm(current, vma->vm_file,
2447 FILE__EXECMOD);
2448 }
Lorenzo Hernandez García-Hierro6b992192005-06-25 14:54:34 -0700[diff] [blame]2449 if (rc)
2450 return rc;
2451 }
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2452#endif
2453
2454 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2455}
2456
2457static int selinux_file_lock(struct file *file, unsigned int cmd)
2458{
2459 return file_has_perm(current, file, FILE__LOCK);
2460}
2461
2462static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2463 unsigned long arg)
2464{
2465 int err = 0;
2466
2467 switch (cmd) {
2468 case F_SETFL:
2469 if (!file->f_dentry || !file->f_dentry->d_inode) {
2470 err = -EINVAL;
2471 break;
2472 }
2473
2474 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2475 err = file_has_perm(current, file,FILE__WRITE);
2476 break;
2477 }
2478 /* fall through */
2479 case F_SETOWN:
2480 case F_SETSIG:
2481 case F_GETFL:
2482 case F_GETOWN:
2483 case F_GETSIG:
2484 /* Just check FD__USE permission */
2485 err = file_has_perm(current, file, 0);
2486 break;
2487 case F_GETLK:
2488 case F_SETLK:
2489 case F_SETLKW:
2490#if BITS_PER_LONG == 32
2491 case F_GETLK64:
2492 case F_SETLK64:
2493 case F_SETLKW64:
2494#endif
2495 if (!file->f_dentry || !file->f_dentry->d_inode) {
2496 err = -EINVAL;
2497 break;
2498 }
2499 err = file_has_perm(current, file, FILE__LOCK);
2500 break;
2501 }
2502
2503 return err;
2504}
2505
2506static int selinux_file_set_fowner(struct file *file)
2507{
2508 struct task_security_struct *tsec;
2509 struct file_security_struct *fsec;
2510
2511 tsec = current->security;
2512 fsec = file->f_security;
2513 fsec->fown_sid = tsec->sid;
2514
2515 return 0;
2516}
2517
2518static int selinux_file_send_sigiotask(struct task_struct *tsk,
2519 struct fown_struct *fown, int signum)
2520{
2521 struct file *file;
2522 u32 perm;
2523 struct task_security_struct *tsec;
2524 struct file_security_struct *fsec;
2525
2526 /* struct fown_struct is never outside the context of a struct file */
2527 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2528
2529 tsec = tsk->security;
2530 fsec = file->f_security;
2531
2532 if (!signum)
2533 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2534 else
2535 perm = signal_to_av(signum);
2536
2537 return avc_has_perm(fsec->fown_sid, tsec->sid,
2538 SECCLASS_PROCESS, perm, NULL);
2539}
2540
2541static int selinux_file_receive(struct file *file)
2542{
2543 return file_has_perm(current, file, file_to_av(file));
2544}
2545
2546/* task security operations */
2547
2548static int selinux_task_create(unsigned long clone_flags)
2549{
2550 int rc;
2551
2552 rc = secondary_ops->task_create(clone_flags);
2553 if (rc)
2554 return rc;
2555
2556 return task_has_perm(current, current, PROCESS__FORK);
2557}
2558
2559static int selinux_task_alloc_security(struct task_struct *tsk)
2560{
2561 struct task_security_struct *tsec1, *tsec2;
2562 int rc;
2563
2564 tsec1 = current->security;
2565
2566 rc = task_alloc_security(tsk);
2567 if (rc)
2568 return rc;
2569 tsec2 = tsk->security;
2570
2571 tsec2->osid = tsec1->osid;
2572 tsec2->sid = tsec1->sid;
2573
2574 /* Retain the exec and create SIDs across fork */
2575 tsec2->exec_sid = tsec1->exec_sid;
2576 tsec2->create_sid = tsec1->create_sid;
2577
2578 /* Retain ptracer SID across fork, if any.
2579 This will be reset by the ptrace hook upon any
2580 subsequent ptrace_attach operations. */
2581 tsec2->ptrace_sid = tsec1->ptrace_sid;
2582
2583 return 0;
2584}
2585
2586static void selinux_task_free_security(struct task_struct *tsk)
2587{
2588 task_free_security(tsk);
2589}
2590
2591static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2592{
2593 /* Since setuid only affects the current process, and
2594 since the SELinux controls are not based on the Linux
2595 identity attributes, SELinux does not need to control
2596 this operation. However, SELinux does control the use
2597 of the CAP_SETUID and CAP_SETGID capabilities using the
2598 capable hook. */
2599 return 0;
2600}
2601
2602static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2603{
2604 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2605}
2606
2607static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2608{
2609 /* See the comment for setuid above. */
2610 return 0;
2611}
2612
2613static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2614{
2615 return task_has_perm(current, p, PROCESS__SETPGID);
2616}
2617
2618static int selinux_task_getpgid(struct task_struct *p)
2619{
2620 return task_has_perm(current, p, PROCESS__GETPGID);
2621}
2622
2623static int selinux_task_getsid(struct task_struct *p)
2624{
2625 return task_has_perm(current, p, PROCESS__GETSESSION);
2626}
2627
2628static int selinux_task_setgroups(struct group_info *group_info)
2629{
2630 /* See the comment for setuid above. */
2631 return 0;
2632}
2633
2634static int selinux_task_setnice(struct task_struct *p, int nice)
2635{
2636 int rc;
2637
2638 rc = secondary_ops->task_setnice(p, nice);
2639 if (rc)
2640 return rc;
2641
2642 return task_has_perm(current,p, PROCESS__SETSCHED);
2643}
2644
2645static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2646{
2647 struct rlimit *old_rlim = current->signal->rlim + resource;
2648 int rc;
2649
2650 rc = secondary_ops->task_setrlimit(resource, new_rlim);
2651 if (rc)
2652 return rc;
2653
2654 /* Control the ability to change the hard limit (whether
2655 lowering or raising it), so that the hard limit can
2656 later be used as a safe reset point for the soft limit
2657 upon context transitions. See selinux_bprm_apply_creds. */
2658 if (old_rlim->rlim_max != new_rlim->rlim_max)
2659 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2660
2661 return 0;
2662}
2663
2664static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2665{
2666 return task_has_perm(current, p, PROCESS__SETSCHED);
2667}
2668
2669static int selinux_task_getscheduler(struct task_struct *p)
2670{
2671 return task_has_perm(current, p, PROCESS__GETSCHED);
2672}
2673
2674static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2675{
2676 u32 perm;
2677 int rc;
2678
2679 rc = secondary_ops->task_kill(p, info, sig);
2680 if (rc)
2681 return rc;
2682
Oleg Nesterov621d3122005-10-30 15:03:45 -0800[diff] [blame]2683 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2684 return 0;
2685
2686 if (!sig)
2687 perm = PROCESS__SIGNULL; /* null signal; existence test */
2688 else
2689 perm = signal_to_av(sig);
2690
2691 return task_has_perm(current, p, perm);
2692}
2693
2694static int selinux_task_prctl(int option,
2695 unsigned long arg2,
2696 unsigned long arg3,
2697 unsigned long arg4,
2698 unsigned long arg5)
2699{
2700 /* The current prctl operations do not appear to require
2701 any SELinux controls since they merely observe or modify
2702 the state of the current process. */
2703 return 0;
2704}
2705
2706static int selinux_task_wait(struct task_struct *p)
2707{
2708 u32 perm;
2709
2710 perm = signal_to_av(p->exit_signal);
2711
2712 return task_has_perm(p, current, perm);
2713}
2714
2715static void selinux_task_reparent_to_init(struct task_struct *p)
2716{
2717 struct task_security_struct *tsec;
2718
2719 secondary_ops->task_reparent_to_init(p);
2720
2721 tsec = p->security;
2722 tsec->osid = tsec->sid;
2723 tsec->sid = SECINITSID_KERNEL;
2724 return;
2725}
2726
2727static void selinux_task_to_inode(struct task_struct *p,
2728 struct inode *inode)
2729{
2730 struct task_security_struct *tsec = p->security;
2731 struct inode_security_struct *isec = inode->i_security;
2732
2733 isec->sid = tsec->sid;
2734 isec->initialized = 1;
2735 return;
2736}
2737
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2738/* Returns error only if unable to parse addresses */
2739static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2740{
2741 int offset, ihlen, ret = -EINVAL;
2742 struct iphdr _iph, *ih;
2743
2744 offset = skb->nh.raw - skb->data;
2745 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2746 if (ih == NULL)
2747 goto out;
2748
2749 ihlen = ih->ihl * 4;
2750 if (ihlen < sizeof(_iph))
2751 goto out;
2752
2753 ad->u.net.v4info.saddr = ih->saddr;
2754 ad->u.net.v4info.daddr = ih->daddr;
2755 ret = 0;
2756
2757 switch (ih->protocol) {
2758 case IPPROTO_TCP: {
2759 struct tcphdr _tcph, *th;
2760
2761 if (ntohs(ih->frag_off) & IP_OFFSET)
2762 break;
2763
2764 offset += ihlen;
2765 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2766 if (th == NULL)
2767 break;
2768
2769 ad->u.net.sport = th->source;
2770 ad->u.net.dport = th->dest;
2771 break;
2772 }
2773
2774 case IPPROTO_UDP: {
2775 struct udphdr _udph, *uh;
2776
2777 if (ntohs(ih->frag_off) & IP_OFFSET)
2778 break;
2779
2780 offset += ihlen;
2781 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2782 if (uh == NULL)
2783 break;
2784
2785 ad->u.net.sport = uh->source;
2786 ad->u.net.dport = uh->dest;
2787 break;
2788 }
2789
2790 default:
2791 break;
2792 }
2793out:
2794 return ret;
2795}
2796
2797#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2798
2799/* Returns error only if unable to parse addresses */
2800static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2801{
2802 u8 nexthdr;
2803 int ret = -EINVAL, offset;
2804 struct ipv6hdr _ipv6h, *ip6;
2805
2806 offset = skb->nh.raw - skb->data;
2807 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2808 if (ip6 == NULL)
2809 goto out;
2810
2811 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2812 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2813 ret = 0;
2814
2815 nexthdr = ip6->nexthdr;
2816 offset += sizeof(_ipv6h);
Herbert Xu0d3d0772005-04-24 20:16:19 -0700[diff] [blame]2817 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2818 if (offset < 0)
2819 goto out;
2820
2821 switch (nexthdr) {
2822 case IPPROTO_TCP: {
2823 struct tcphdr _tcph, *th;
2824
2825 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2826 if (th == NULL)
2827 break;
2828
2829 ad->u.net.sport = th->source;
2830 ad->u.net.dport = th->dest;
2831 break;
2832 }
2833
2834 case IPPROTO_UDP: {
2835 struct udphdr _udph, *uh;
2836
2837 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2838 if (uh == NULL)
2839 break;
2840
2841 ad->u.net.sport = uh->source;
2842 ad->u.net.dport = uh->dest;
2843 break;
2844 }
2845
2846 /* includes fragments */
2847 default:
2848 break;
2849 }
2850out:
2851 return ret;
2852}
2853
2854#endif /* IPV6 */
2855
2856static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2857 char **addrp, int *len, int src)
2858{
2859 int ret = 0;
2860
2861 switch (ad->u.net.family) {
2862 case PF_INET:
2863 ret = selinux_parse_skb_ipv4(skb, ad);
2864 if (ret || !addrp)
2865 break;
2866 *len = 4;
2867 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2868 &ad->u.net.v4info.daddr);
2869 break;
2870
2871#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2872 case PF_INET6:
2873 ret = selinux_parse_skb_ipv6(skb, ad);
2874 if (ret || !addrp)
2875 break;
2876 *len = 16;
2877 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2878 &ad->u.net.v6info.daddr);
2879 break;
2880#endif /* IPV6 */
2881 default:
2882 break;
2883 }
2884
2885 return ret;
2886}
2887
2888/* socket security operations */
2889static int socket_has_perm(struct task_struct *task, struct socket *sock,
2890 u32 perms)
2891{
2892 struct inode_security_struct *isec;
2893 struct task_security_struct *tsec;
2894 struct avc_audit_data ad;
2895 int err = 0;
2896
2897 tsec = task->security;
2898 isec = SOCK_INODE(sock)->i_security;
2899
2900 if (isec->sid == SECINITSID_KERNEL)
2901 goto out;
2902
2903 AVC_AUDIT_DATA_INIT(&ad,NET);
2904 ad.u.net.sk = sock->sk;
2905 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2906
2907out:
2908 return err;
2909}
2910
2911static int selinux_socket_create(int family, int type,
2912 int protocol, int kern)
2913{
2914 int err = 0;
2915 struct task_security_struct *tsec;
2916
2917 if (kern)
2918 goto out;
2919
2920 tsec = current->security;
2921 err = avc_has_perm(tsec->sid, tsec->sid,
2922 socket_type_to_security_class(family, type,
2923 protocol), SOCKET__CREATE, NULL);
2924
2925out:
2926 return err;
2927}
2928
2929static void selinux_socket_post_create(struct socket *sock, int family,
2930 int type, int protocol, int kern)
2931{
2932 struct inode_security_struct *isec;
2933 struct task_security_struct *tsec;
2934
2935 isec = SOCK_INODE(sock)->i_security;
2936
2937 tsec = current->security;
2938 isec->sclass = socket_type_to_security_class(family, type, protocol);
2939 isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2940 isec->initialized = 1;
2941
2942 return;
2943}
2944
2945/* Range of port numbers used to automatically bind.
2946 Need to determine whether we should perform a name_bind
2947 permission check between the socket and the port number. */
2948#define ip_local_port_range_0 sysctl_local_port_range[0]
2949#define ip_local_port_range_1 sysctl_local_port_range[1]
2950
2951static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2952{
2953 u16 family;
2954 int err;
2955
2956 err = socket_has_perm(current, sock, SOCKET__BIND);
2957 if (err)
2958 goto out;
2959
2960 /*
2961 * If PF_INET or PF_INET6, check name_bind permission for the port.
James Morris13402582005-09-30 14:24:34 -0400[diff] [blame]2962 * Multiple address binding for SCTP is not supported yet: we just
2963 * check the first address now.
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2964 */
2965 family = sock->sk->sk_family;
2966 if (family == PF_INET || family == PF_INET6) {
2967 char *addrp;
2968 struct inode_security_struct *isec;
2969 struct task_security_struct *tsec;
2970 struct avc_audit_data ad;
2971 struct sockaddr_in *addr4 = NULL;
2972 struct sockaddr_in6 *addr6 = NULL;
2973 unsigned short snum;
2974 struct sock *sk = sock->sk;
2975 u32 sid, node_perm, addrlen;
2976
2977 tsec = current->security;
2978 isec = SOCK_INODE(sock)->i_security;
2979
2980 if (family == PF_INET) {
2981 addr4 = (struct sockaddr_in *)address;
2982 snum = ntohs(addr4->sin_port);
2983 addrlen = sizeof(addr4->sin_addr.s_addr);
2984 addrp = (char *)&addr4->sin_addr.s_addr;
2985 } else {
2986 addr6 = (struct sockaddr_in6 *)address;
2987 snum = ntohs(addr6->sin6_port);
2988 addrlen = sizeof(addr6->sin6_addr.s6_addr);
2989 addrp = (char *)&addr6->sin6_addr.s6_addr;
2990 }
2991
2992 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
2993 snum > ip_local_port_range_1)) {
2994 err = security_port_sid(sk->sk_family, sk->sk_type,
2995 sk->sk_protocol, snum, &sid);
2996 if (err)
2997 goto out;
2998 AVC_AUDIT_DATA_INIT(&ad,NET);
2999 ad.u.net.sport = htons(snum);
3000 ad.u.net.family = family;
3001 err = avc_has_perm(isec->sid, sid,
3002 isec->sclass,
3003 SOCKET__NAME_BIND, &ad);
3004 if (err)
3005 goto out;
3006 }
3007
James Morris13402582005-09-30 14:24:34 -0400[diff] [blame]3008 switch(isec->sclass) {
3009 case SECCLASS_TCP_SOCKET:
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3010 node_perm = TCP_SOCKET__NODE_BIND;
3011 break;
3012
James Morris13402582005-09-30 14:24:34 -0400[diff] [blame]3013 case SECCLASS_UDP_SOCKET:
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3014 node_perm = UDP_SOCKET__NODE_BIND;
3015 break;
3016
3017 default:
3018 node_perm = RAWIP_SOCKET__NODE_BIND;
3019 break;
3020 }
3021
3022 err = security_node_sid(family, addrp, addrlen, &sid);
3023 if (err)
3024 goto out;
3025
3026 AVC_AUDIT_DATA_INIT(&ad,NET);
3027 ad.u.net.sport = htons(snum);
3028 ad.u.net.family = family;
3029
3030 if (family == PF_INET)
3031 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3032 else
3033 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3034
3035 err = avc_has_perm(isec->sid, sid,
3036 isec->sclass, node_perm, &ad);
3037 if (err)
3038 goto out;
3039 }
3040out:
3041 return err;
3042}
3043
3044static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3045{
3046 struct inode_security_struct *isec;
3047 int err;
3048
3049 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3050 if (err)
3051 return err;
3052
3053 /*
3054 * If a TCP socket, check name_connect permission for the port.
3055 */
3056 isec = SOCK_INODE(sock)->i_security;
3057 if (isec->sclass == SECCLASS_TCP_SOCKET) {
3058 struct sock *sk = sock->sk;
3059 struct avc_audit_data ad;
3060 struct sockaddr_in *addr4 = NULL;
3061 struct sockaddr_in6 *addr6 = NULL;
3062 unsigned short snum;
3063 u32 sid;
3064
3065 if (sk->sk_family == PF_INET) {
3066 addr4 = (struct sockaddr_in *)address;
Stephen Smalley911656f2005-07-28 21:16:21 -0700[diff] [blame]3067 if (addrlen < sizeof(struct sockaddr_in))
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3068 return -EINVAL;
3069 snum = ntohs(addr4->sin_port);
3070 } else {
3071 addr6 = (struct sockaddr_in6 *)address;
Stephen Smalley911656f2005-07-28 21:16:21 -0700[diff] [blame]3072 if (addrlen < SIN6_LEN_RFC2133)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3073 return -EINVAL;
3074 snum = ntohs(addr6->sin6_port);
3075 }
3076
3077 err = security_port_sid(sk->sk_family, sk->sk_type,
3078 sk->sk_protocol, snum, &sid);
3079 if (err)
3080 goto out;
3081
3082 AVC_AUDIT_DATA_INIT(&ad,NET);
3083 ad.u.net.dport = htons(snum);
3084 ad.u.net.family = sk->sk_family;
3085 err = avc_has_perm(isec->sid, sid, isec->sclass,
3086 TCP_SOCKET__NAME_CONNECT, &ad);
3087 if (err)
3088 goto out;
3089 }
3090
3091out:
3092 return err;
3093}
3094
3095static int selinux_socket_listen(struct socket *sock, int backlog)
3096{
3097 return socket_has_perm(current, sock, SOCKET__LISTEN);
3098}
3099
3100static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3101{
3102 int err;
3103 struct inode_security_struct *isec;
3104 struct inode_security_struct *newisec;
3105
3106 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3107 if (err)
3108 return err;
3109
3110 newisec = SOCK_INODE(newsock)->i_security;
3111
3112 isec = SOCK_INODE(sock)->i_security;
3113 newisec->sclass = isec->sclass;
3114 newisec->sid = isec->sid;
3115 newisec->initialized = 1;
3116
3117 return 0;
3118}
3119
3120static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3121 int size)
3122{
3123 return socket_has_perm(current, sock, SOCKET__WRITE);
3124}
3125
3126static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3127 int size, int flags)
3128{
3129 return socket_has_perm(current, sock, SOCKET__READ);
3130}
3131
3132static int selinux_socket_getsockname(struct socket *sock)
3133{
3134 return socket_has_perm(current, sock, SOCKET__GETATTR);
3135}
3136
3137static int selinux_socket_getpeername(struct socket *sock)
3138{
3139 return socket_has_perm(current, sock, SOCKET__GETATTR);
3140}
3141
3142static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3143{
3144 return socket_has_perm(current, sock, SOCKET__SETOPT);
3145}
3146
3147static int selinux_socket_getsockopt(struct socket *sock, int level,
3148 int optname)
3149{
3150 return socket_has_perm(current, sock, SOCKET__GETOPT);
3151}
3152
3153static int selinux_socket_shutdown(struct socket *sock, int how)
3154{
3155 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3156}
3157
3158static int selinux_socket_unix_stream_connect(struct socket *sock,
3159 struct socket *other,
3160 struct sock *newsk)
3161{
3162 struct sk_security_struct *ssec;
3163 struct inode_security_struct *isec;
3164 struct inode_security_struct *other_isec;
3165 struct avc_audit_data ad;
3166 int err;
3167
3168 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3169 if (err)
3170 return err;
3171
3172 isec = SOCK_INODE(sock)->i_security;
3173 other_isec = SOCK_INODE(other)->i_security;
3174
3175 AVC_AUDIT_DATA_INIT(&ad,NET);
3176 ad.u.net.sk = other->sk;
3177
3178 err = avc_has_perm(isec->sid, other_isec->sid,
3179 isec->sclass,
3180 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3181 if (err)
3182 return err;
3183
3184 /* connecting socket */
3185 ssec = sock->sk->sk_security;
3186 ssec->peer_sid = other_isec->sid;
3187
3188 /* server child socket */
3189 ssec = newsk->sk_security;
3190 ssec->peer_sid = isec->sid;
3191
3192 return 0;
3193}
3194
3195static int selinux_socket_unix_may_send(struct socket *sock,
3196 struct socket *other)
3197{
3198 struct inode_security_struct *isec;
3199 struct inode_security_struct *other_isec;
3200 struct avc_audit_data ad;
3201 int err;
3202
3203 isec = SOCK_INODE(sock)->i_security;
3204 other_isec = SOCK_INODE(other)->i_security;
3205
3206 AVC_AUDIT_DATA_INIT(&ad,NET);
3207 ad.u.net.sk = other->sk;
3208
3209 err = avc_has_perm(isec->sid, other_isec->sid,
3210 isec->sclass, SOCKET__SENDTO, &ad);
3211 if (err)
3212 return err;
3213
3214 return 0;
3215}
3216
3217static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3218{
3219 u16 family;
3220 char *addrp;
3221 int len, err = 0;
3222 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3223 u32 sock_sid = 0;
3224 u16 sock_class = 0;
3225 struct socket *sock;
3226 struct net_device *dev;
3227 struct avc_audit_data ad;
3228
3229 family = sk->sk_family;
3230 if (family != PF_INET && family != PF_INET6)
3231 goto out;
3232
3233 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3234 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3235 family = PF_INET;
3236
3237 read_lock_bh(&sk->sk_callback_lock);
3238 sock = sk->sk_socket;
3239 if (sock) {
3240 struct inode *inode;
3241 inode = SOCK_INODE(sock);
3242 if (inode) {
3243 struct inode_security_struct *isec;
3244 isec = inode->i_security;
3245 sock_sid = isec->sid;
3246 sock_class = isec->sclass;
3247 }
3248 }
3249 read_unlock_bh(&sk->sk_callback_lock);
3250 if (!sock_sid)
3251 goto out;
3252
3253 dev = skb->dev;
3254 if (!dev)
3255 goto out;
3256
3257 err = sel_netif_sids(dev, &if_sid, NULL);
3258 if (err)
3259 goto out;
3260
3261 switch (sock_class) {
3262 case SECCLASS_UDP_SOCKET:
3263 netif_perm = NETIF__UDP_RECV;
3264 node_perm = NODE__UDP_RECV;
3265 recv_perm = UDP_SOCKET__RECV_MSG;
3266 break;
3267
3268 case SECCLASS_TCP_SOCKET:
3269 netif_perm = NETIF__TCP_RECV;
3270 node_perm = NODE__TCP_RECV;
3271 recv_perm = TCP_SOCKET__RECV_MSG;
3272 break;
3273
3274 default:
3275 netif_perm = NETIF__RAWIP_RECV;
3276 node_perm = NODE__RAWIP_RECV;
3277 break;
3278 }
3279
3280 AVC_AUDIT_DATA_INIT(&ad, NET);
3281 ad.u.net.netif = dev->name;
3282 ad.u.net.family = family;
3283
3284 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3285 if (err)
3286 goto out;
3287
3288 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3289 if (err)
3290 goto out;
3291
3292 /* Fixme: this lookup is inefficient */
3293 err = security_node_sid(family, addrp, len, &node_sid);
3294 if (err)
3295 goto out;
3296
3297 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3298 if (err)
3299 goto out;
3300
3301 if (recv_perm) {
3302 u32 port_sid;
3303
3304 /* Fixme: make this more efficient */
3305 err = security_port_sid(sk->sk_family, sk->sk_type,
3306 sk->sk_protocol, ntohs(ad.u.net.sport),
3307 &port_sid);
3308 if (err)
3309 goto out;
3310
3311 err = avc_has_perm(sock_sid, port_sid,
3312 sock_class, recv_perm, &ad);
3313 }
Trent Jaegerd28d1e02005-12-13 23:12:40 -0800[diff] [blame]3314
3315 if (!err)
3316 err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3317
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3318out:
3319 return err;
3320}
3321
Catherine Zhang2c7946a2006-03-20 22:41:23 -0800[diff] [blame]3322static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3323 int __user *optlen, unsigned len)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3324{
3325 int err = 0;
3326 char *scontext;
3327 u32 scontext_len;
3328 struct sk_security_struct *ssec;
3329 struct inode_security_struct *isec;
Catherine Zhang2c7946a2006-03-20 22:41:23 -0800[diff] [blame]3330 u32 peer_sid = 0;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3331
3332 isec = SOCK_INODE(sock)->i_security;
Catherine Zhang2c7946a2006-03-20 22:41:23 -0800[diff] [blame]3333
3334 /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3335 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3336 ssec = sock->sk->sk_security;
3337 peer_sid = ssec->peer_sid;
3338 }
3339 else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3340 peer_sid = selinux_socket_getpeer_stream(sock->sk);
3341
3342 if (peer_sid == SECSID_NULL) {
3343 err = -ENOPROTOOPT;
3344 goto out;
3345 }
3346 }
3347 else {
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3348 err = -ENOPROTOOPT;
3349 goto out;
3350 }
3351
Catherine Zhang2c7946a2006-03-20 22:41:23 -0800[diff] [blame]3352 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3353
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3354 if (err)
3355 goto out;
3356
3357 if (scontext_len > len) {
3358 err = -ERANGE;
3359 goto out_len;
3360 }
3361
3362 if (copy_to_user(optval, scontext, scontext_len))
3363 err = -EFAULT;
3364
3365out_len:
3366 if (put_user(scontext_len, optlen))
3367 err = -EFAULT;
3368
3369 kfree(scontext);
3370out:
3371 return err;
3372}
3373
Catherine Zhang2c7946a2006-03-20 22:41:23 -0800[diff] [blame]3374static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen)
3375{
3376 int err = 0;
3377 u32 peer_sid = selinux_socket_getpeer_dgram(skb);
3378
3379 if (peer_sid == SECSID_NULL)
3380 return -EINVAL;
3381
3382 err = security_sid_to_context(peer_sid, secdata, seclen);
3383 if (err)
3384 return err;
3385
3386 return 0;
3387}
3388
3389
3390
Al Viro7d877f32005-10-21 03:20:43 -0400[diff] [blame]3391static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3392{
3393 return sk_alloc_security(sk, family, priority);
3394}
3395
3396static void selinux_sk_free_security(struct sock *sk)
3397{
3398 sk_free_security(sk);
3399}
3400
Trent Jaegerd28d1e02005-12-13 23:12:40 -0800[diff] [blame]3401static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3402{
3403 struct inode_security_struct *isec;
3404 u32 sock_sid = SECINITSID_ANY_SOCKET;
3405
3406 if (!sk)
3407 return selinux_no_sk_sid(fl);
3408
3409 read_lock_bh(&sk->sk_callback_lock);
3410 isec = get_sock_isec(sk);
3411
3412 if (isec)
3413 sock_sid = isec->sid;
3414
3415 read_unlock_bh(&sk->sk_callback_lock);
3416 return sock_sid;
3417}
3418
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3419static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3420{
3421 int err = 0;
3422 u32 perm;
3423 struct nlmsghdr *nlh;
3424 struct socket *sock = sk->sk_socket;
3425 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3426
3427 if (skb->len < NLMSG_SPACE(0)) {
3428 err = -EINVAL;
3429 goto out;
3430 }
3431 nlh = (struct nlmsghdr *)skb->data;
3432
3433 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3434 if (err) {
3435 if (err == -EINVAL) {
David Woodhouse9ad9ad32005-06-22 15:04:33 +0100[diff] [blame]3436 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3437 "SELinux: unrecognized netlink message"
3438 " type=%hu for sclass=%hu\n",
3439 nlh->nlmsg_type, isec->sclass);
3440 if (!selinux_enforcing)
3441 err = 0;
3442 }
3443
3444 /* Ignore */
3445 if (err == -ENOENT)
3446 err = 0;
3447 goto out;
3448 }
3449
3450 err = socket_has_perm(current, sock, perm);
3451out:
3452 return err;
3453}
3454
3455#ifdef CONFIG_NETFILTER
3456
3457static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3458 struct sk_buff **pskb,
3459 const struct net_device *in,
3460 const struct net_device *out,
3461 int (*okfn)(struct sk_buff *),
3462 u16 family)
3463{
3464 char *addrp;
3465 int len, err = NF_ACCEPT;
3466 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3467 struct sock *sk;
3468 struct socket *sock;
3469 struct inode *inode;
3470 struct sk_buff *skb = *pskb;
3471 struct inode_security_struct *isec;
3472 struct avc_audit_data ad;
3473 struct net_device *dev = (struct net_device *)out;
3474
3475 sk = skb->sk;
3476 if (!sk)
3477 goto out;
3478
3479 sock = sk->sk_socket;
3480 if (!sock)
3481 goto out;
3482
3483 inode = SOCK_INODE(sock);
3484 if (!inode)
3485 goto out;
3486
3487 err = sel_netif_sids(dev, &if_sid, NULL);
3488 if (err)
3489 goto out;
3490
3491 isec = inode->i_security;
3492
3493 switch (isec->sclass) {
3494 case SECCLASS_UDP_SOCKET:
3495 netif_perm = NETIF__UDP_SEND;
3496 node_perm = NODE__UDP_SEND;
3497 send_perm = UDP_SOCKET__SEND_MSG;
3498 break;
3499
3500 case SECCLASS_TCP_SOCKET:
3501 netif_perm = NETIF__TCP_SEND;
3502 node_perm = NODE__TCP_SEND;
3503 send_perm = TCP_SOCKET__SEND_MSG;
3504 break;
3505
3506 default:
3507 netif_perm = NETIF__RAWIP_SEND;
3508 node_perm = NODE__RAWIP_SEND;
3509 break;
3510 }
3511
3512
3513 AVC_AUDIT_DATA_INIT(&ad, NET);
3514 ad.u.net.netif = dev->name;
3515 ad.u.net.family = family;
3516
3517 err = selinux_parse_skb(skb, &ad, &addrp,
3518 &len, 0) ? NF_DROP : NF_ACCEPT;
3519 if (err != NF_ACCEPT)
3520 goto out;
3521
3522 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3523 netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3524 if (err != NF_ACCEPT)
3525 goto out;
3526
3527 /* Fixme: this lookup is inefficient */
3528 err = security_node_sid(family, addrp, len,
3529 &node_sid) ? NF_DROP : NF_ACCEPT;
3530 if (err != NF_ACCEPT)
3531 goto out;
3532
3533 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3534 node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3535 if (err != NF_ACCEPT)
3536 goto out;
3537
3538 if (send_perm) {
3539 u32 port_sid;
3540
3541 /* Fixme: make this more efficient */
3542 err = security_port_sid(sk->sk_family,
3543 sk->sk_type,
3544 sk->sk_protocol,
3545 ntohs(ad.u.net.dport),
3546 &port_sid) ? NF_DROP : NF_ACCEPT;
3547 if (err != NF_ACCEPT)
3548 goto out;
3549
3550 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3551 send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3552 }
3553
Trent Jaegerd28d1e02005-12-13 23:12:40 -0800[diff] [blame]3554 if (err != NF_ACCEPT)
3555 goto out;
3556
3557 err = selinux_xfrm_postroute_last(isec->sid, skb);
3558
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3559out:
3560 return err;
3561}
3562
3563static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3564 struct sk_buff **pskb,
3565 const struct net_device *in,
3566 const struct net_device *out,
3567 int (*okfn)(struct sk_buff *))
3568{
3569 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3570}
3571
3572#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3573
3574static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3575 struct sk_buff **pskb,
3576 const struct net_device *in,
3577 const struct net_device *out,
3578 int (*okfn)(struct sk_buff *))
3579{
3580 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3581}
3582
3583#endif /* IPV6 */
3584
3585#endif /* CONFIG_NETFILTER */
3586
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3587static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3588{
3589 struct task_security_struct *tsec;
3590 struct av_decision avd;
3591 int err;
3592
3593 err = secondary_ops->netlink_send(sk, skb);
3594 if (err)
3595 return err;
3596
3597 tsec = current->security;
3598
3599 avd.allowed = 0;
3600 avc_has_perm_noaudit(tsec->sid, tsec->sid,
3601 SECCLASS_CAPABILITY, ~0, &avd);
3602 cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3603
3604 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3605 err = selinux_nlmsg_perm(sk, skb);
3606
3607 return err;
3608}
3609
3610static int selinux_netlink_recv(struct sk_buff *skb)
3611{
3612 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3613 return -EPERM;
3614 return 0;
3615}
3616
3617static int ipc_alloc_security(struct task_struct *task,
3618 struct kern_ipc_perm *perm,
3619 u16 sclass)
3620{
3621 struct task_security_struct *tsec = task->security;
3622 struct ipc_security_struct *isec;
3623
James Morris89d155e2005-10-30 14:59:21 -0800[diff] [blame]3624 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3625 if (!isec)
3626 return -ENOMEM;
3627
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3628 isec->sclass = sclass;
3629 isec->ipc_perm = perm;
Stephen Smalley9ac49d22006-02-01 03:05:56 -0800[diff] [blame]3630 isec->sid = tsec->sid;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3631 perm->security = isec;
3632
3633 return 0;
3634}
3635
3636static void ipc_free_security(struct kern_ipc_perm *perm)
3637{
3638 struct ipc_security_struct *isec = perm->security;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3639 perm->security = NULL;
3640 kfree(isec);
3641}
3642
3643static int msg_msg_alloc_security(struct msg_msg *msg)
3644{
3645 struct msg_security_struct *msec;
3646
James Morris89d155e2005-10-30 14:59:21 -0800[diff] [blame]3647 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3648 if (!msec)
3649 return -ENOMEM;
3650
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3651 msec->msg = msg;
3652 msec->sid = SECINITSID_UNLABELED;
3653 msg->security = msec;
3654
3655 return 0;
3656}
3657
3658static void msg_msg_free_security(struct msg_msg *msg)
3659{
3660 struct msg_security_struct *msec = msg->security;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3661
3662 msg->security = NULL;
3663 kfree(msec);
3664}
3665
3666static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]3667 u32 perms)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3668{
3669 struct task_security_struct *tsec;
3670 struct ipc_security_struct *isec;
3671 struct avc_audit_data ad;
3672
3673 tsec = current->security;
3674 isec = ipc_perms->security;
3675
3676 AVC_AUDIT_DATA_INIT(&ad, IPC);
3677 ad.u.ipc_id = ipc_perms->key;
3678
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]3679 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3680}
3681
3682static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3683{
3684 return msg_msg_alloc_security(msg);
3685}
3686
3687static void selinux_msg_msg_free_security(struct msg_msg *msg)
3688{
3689 msg_msg_free_security(msg);
3690}
3691
3692/* message queue security operations */
3693static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3694{
3695 struct task_security_struct *tsec;
3696 struct ipc_security_struct *isec;
3697 struct avc_audit_data ad;
3698 int rc;
3699
3700 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3701 if (rc)
3702 return rc;
3703
3704 tsec = current->security;
3705 isec = msq->q_perm.security;
3706
3707 AVC_AUDIT_DATA_INIT(&ad, IPC);
3708 ad.u.ipc_id = msq->q_perm.key;
3709
3710 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3711 MSGQ__CREATE, &ad);
3712 if (rc) {
3713 ipc_free_security(&msq->q_perm);
3714 return rc;
3715 }
3716 return 0;
3717}
3718
3719static void selinux_msg_queue_free_security(struct msg_queue *msq)
3720{
3721 ipc_free_security(&msq->q_perm);
3722}
3723
3724static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3725{
3726 struct task_security_struct *tsec;
3727 struct ipc_security_struct *isec;
3728 struct avc_audit_data ad;
3729
3730 tsec = current->security;
3731 isec = msq->q_perm.security;
3732
3733 AVC_AUDIT_DATA_INIT(&ad, IPC);
3734 ad.u.ipc_id = msq->q_perm.key;
3735
3736 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3737 MSGQ__ASSOCIATE, &ad);
3738}
3739
3740static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3741{
3742 int err;
3743 int perms;
3744
3745 switch(cmd) {
3746 case IPC_INFO:
3747 case MSG_INFO:
3748 /* No specific object, just general system-wide information. */
3749 return task_has_system(current, SYSTEM__IPC_INFO);
3750 case IPC_STAT:
3751 case MSG_STAT:
3752 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3753 break;
3754 case IPC_SET:
3755 perms = MSGQ__SETATTR;
3756 break;
3757 case IPC_RMID:
3758 perms = MSGQ__DESTROY;
3759 break;
3760 default:
3761 return 0;
3762 }
3763
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]3764 err = ipc_has_perm(&msq->q_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3765 return err;
3766}
3767
3768static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3769{
3770 struct task_security_struct *tsec;
3771 struct ipc_security_struct *isec;
3772 struct msg_security_struct *msec;
3773 struct avc_audit_data ad;
3774 int rc;
3775
3776 tsec = current->security;
3777 isec = msq->q_perm.security;
3778 msec = msg->security;
3779
3780 /*
3781 * First time through, need to assign label to the message
3782 */
3783 if (msec->sid == SECINITSID_UNLABELED) {
3784 /*
3785 * Compute new sid based on current process and
3786 * message queue this message will be stored in
3787 */
3788 rc = security_transition_sid(tsec->sid,
3789 isec->sid,
3790 SECCLASS_MSG,
3791 &msec->sid);
3792 if (rc)
3793 return rc;
3794 }
3795
3796 AVC_AUDIT_DATA_INIT(&ad, IPC);
3797 ad.u.ipc_id = msq->q_perm.key;
3798
3799 /* Can this process write to the queue? */
3800 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3801 MSGQ__WRITE, &ad);
3802 if (!rc)
3803 /* Can this process send the message */
3804 rc = avc_has_perm(tsec->sid, msec->sid,
3805 SECCLASS_MSG, MSG__SEND, &ad);
3806 if (!rc)
3807 /* Can the message be put in the queue? */
3808 rc = avc_has_perm(msec->sid, isec->sid,
3809 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3810
3811 return rc;
3812}
3813
3814static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3815 struct task_struct *target,
3816 long type, int mode)
3817{
3818 struct task_security_struct *tsec;
3819 struct ipc_security_struct *isec;
3820 struct msg_security_struct *msec;
3821 struct avc_audit_data ad;
3822 int rc;
3823
3824 tsec = target->security;
3825 isec = msq->q_perm.security;
3826 msec = msg->security;
3827
3828 AVC_AUDIT_DATA_INIT(&ad, IPC);
3829 ad.u.ipc_id = msq->q_perm.key;
3830
3831 rc = avc_has_perm(tsec->sid, isec->sid,
3832 SECCLASS_MSGQ, MSGQ__READ, &ad);
3833 if (!rc)
3834 rc = avc_has_perm(tsec->sid, msec->sid,
3835 SECCLASS_MSG, MSG__RECEIVE, &ad);
3836 return rc;
3837}
3838
3839/* Shared Memory security operations */
3840static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3841{
3842 struct task_security_struct *tsec;
3843 struct ipc_security_struct *isec;
3844 struct avc_audit_data ad;
3845 int rc;
3846
3847 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3848 if (rc)
3849 return rc;
3850
3851 tsec = current->security;
3852 isec = shp->shm_perm.security;
3853
3854 AVC_AUDIT_DATA_INIT(&ad, IPC);
3855 ad.u.ipc_id = shp->shm_perm.key;
3856
3857 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3858 SHM__CREATE, &ad);
3859 if (rc) {
3860 ipc_free_security(&shp->shm_perm);
3861 return rc;
3862 }
3863 return 0;
3864}
3865
3866static void selinux_shm_free_security(struct shmid_kernel *shp)
3867{
3868 ipc_free_security(&shp->shm_perm);
3869}
3870
3871static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3872{
3873 struct task_security_struct *tsec;
3874 struct ipc_security_struct *isec;
3875 struct avc_audit_data ad;
3876
3877 tsec = current->security;
3878 isec = shp->shm_perm.security;
3879
3880 AVC_AUDIT_DATA_INIT(&ad, IPC);
3881 ad.u.ipc_id = shp->shm_perm.key;
3882
3883 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3884 SHM__ASSOCIATE, &ad);
3885}
3886
3887/* Note, at this point, shp is locked down */
3888static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3889{
3890 int perms;
3891 int err;
3892
3893 switch(cmd) {
3894 case IPC_INFO:
3895 case SHM_INFO:
3896 /* No specific object, just general system-wide information. */
3897 return task_has_system(current, SYSTEM__IPC_INFO);
3898 case IPC_STAT:
3899 case SHM_STAT:
3900 perms = SHM__GETATTR | SHM__ASSOCIATE;
3901 break;
3902 case IPC_SET:
3903 perms = SHM__SETATTR;
3904 break;
3905 case SHM_LOCK:
3906 case SHM_UNLOCK:
3907 perms = SHM__LOCK;
3908 break;
3909 case IPC_RMID:
3910 perms = SHM__DESTROY;
3911 break;
3912 default:
3913 return 0;
3914 }
3915
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]3916 err = ipc_has_perm(&shp->shm_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3917 return err;
3918}
3919
3920static int selinux_shm_shmat(struct shmid_kernel *shp,
3921 char __user *shmaddr, int shmflg)
3922{
3923 u32 perms;
3924 int rc;
3925
3926 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3927 if (rc)
3928 return rc;
3929
3930 if (shmflg & SHM_RDONLY)
3931 perms = SHM__READ;
3932 else
3933 perms = SHM__READ | SHM__WRITE;
3934
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]3935 return ipc_has_perm(&shp->shm_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3936}
3937
3938/* Semaphore security operations */
3939static int selinux_sem_alloc_security(struct sem_array *sma)
3940{
3941 struct task_security_struct *tsec;
3942 struct ipc_security_struct *isec;
3943 struct avc_audit_data ad;
3944 int rc;
3945
3946 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3947 if (rc)
3948 return rc;
3949
3950 tsec = current->security;
3951 isec = sma->sem_perm.security;
3952
3953 AVC_AUDIT_DATA_INIT(&ad, IPC);
3954 ad.u.ipc_id = sma->sem_perm.key;
3955
3956 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3957 SEM__CREATE, &ad);
3958 if (rc) {
3959 ipc_free_security(&sma->sem_perm);
3960 return rc;
3961 }
3962 return 0;
3963}
3964
3965static void selinux_sem_free_security(struct sem_array *sma)
3966{
3967 ipc_free_security(&sma->sem_perm);
3968}
3969
3970static int selinux_sem_associate(struct sem_array *sma, int semflg)
3971{
3972 struct task_security_struct *tsec;
3973 struct ipc_security_struct *isec;
3974 struct avc_audit_data ad;
3975
3976 tsec = current->security;
3977 isec = sma->sem_perm.security;
3978
3979 AVC_AUDIT_DATA_INIT(&ad, IPC);
3980 ad.u.ipc_id = sma->sem_perm.key;
3981
3982 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3983 SEM__ASSOCIATE, &ad);
3984}
3985
3986/* Note, at this point, sma is locked down */
3987static int selinux_sem_semctl(struct sem_array *sma, int cmd)
3988{
3989 int err;
3990 u32 perms;
3991
3992 switch(cmd) {
3993 case IPC_INFO:
3994 case SEM_INFO:
3995 /* No specific object, just general system-wide information. */
3996 return task_has_system(current, SYSTEM__IPC_INFO);
3997 case GETPID:
3998 case GETNCNT:
3999 case GETZCNT:
4000 perms = SEM__GETATTR;
4001 break;
4002 case GETVAL:
4003 case GETALL:
4004 perms = SEM__READ;
4005 break;
4006 case SETVAL:
4007 case SETALL:
4008 perms = SEM__WRITE;
4009 break;
4010 case IPC_RMID:
4011 perms = SEM__DESTROY;
4012 break;
4013 case IPC_SET:
4014 perms = SEM__SETATTR;
4015 break;
4016 case IPC_STAT:
4017 case SEM_STAT:
4018 perms = SEM__GETATTR | SEM__ASSOCIATE;
4019 break;
4020 default:
4021 return 0;
4022 }
4023
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]4024 err = ipc_has_perm(&sma->sem_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4025 return err;
4026}
4027
4028static int selinux_sem_semop(struct sem_array *sma,
4029 struct sembuf *sops, unsigned nsops, int alter)
4030{
4031 u32 perms;
4032
4033 if (alter)
4034 perms = SEM__READ | SEM__WRITE;
4035 else
4036 perms = SEM__READ;
4037
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]4038 return ipc_has_perm(&sma->sem_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4039}
4040
4041static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4042{
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4043 u32 av = 0;
4044
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4045 av = 0;
4046 if (flag & S_IRUGO)
4047 av |= IPC__UNIX_READ;
4048 if (flag & S_IWUGO)
4049 av |= IPC__UNIX_WRITE;
4050
4051 if (av == 0)
4052 return 0;
4053
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]4054 return ipc_has_perm(ipcp, av);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4055}
4056
4057/* module stacking operations */
4058static int selinux_register_security (const char *name, struct security_operations *ops)
4059{
4060 if (secondary_ops != original_ops) {
4061 printk(KERN_INFO "%s: There is already a secondary security "
4062 "module registered.\n", __FUNCTION__);
4063 return -EINVAL;
4064 }
4065
4066 secondary_ops = ops;
4067
4068 printk(KERN_INFO "%s: Registering secondary module %s\n",
4069 __FUNCTION__,
4070 name);
4071
4072 return 0;
4073}
4074
4075static int selinux_unregister_security (const char *name, struct security_operations *ops)
4076{
4077 if (ops != secondary_ops) {
4078 printk (KERN_INFO "%s: trying to unregister a security module "
4079 "that is not registered.\n", __FUNCTION__);
4080 return -EINVAL;
4081 }
4082
4083 secondary_ops = original_ops;
4084
4085 return 0;
4086}
4087
4088static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4089{
4090 if (inode)
4091 inode_doinit_with_dentry(inode, dentry);
4092}
4093
4094static int selinux_getprocattr(struct task_struct *p,
4095 char *name, void *value, size_t size)
4096{
4097 struct task_security_struct *tsec;
4098 u32 sid, len;
4099 char *context;
4100 int error;
4101
4102 if (current != p) {
4103 error = task_has_perm(current, p, PROCESS__GETATTR);
4104 if (error)
4105 return error;
4106 }
4107
4108 if (!size)
4109 return -ERANGE;
4110
4111 tsec = p->security;
4112
4113 if (!strcmp(name, "current"))
4114 sid = tsec->sid;
4115 else if (!strcmp(name, "prev"))
4116 sid = tsec->osid;
4117 else if (!strcmp(name, "exec"))
4118 sid = tsec->exec_sid;
4119 else if (!strcmp(name, "fscreate"))
4120 sid = tsec->create_sid;
4121 else
4122 return -EINVAL;
4123
4124 if (!sid)
4125 return 0;
4126
4127 error = security_sid_to_context(sid, &context, &len);
4128 if (error)
4129 return error;
4130 if (len > size) {
4131 kfree(context);
4132 return -ERANGE;
4133 }
4134 memcpy(value, context, len);
4135 kfree(context);
4136 return len;
4137}
4138
4139static int selinux_setprocattr(struct task_struct *p,
4140 char *name, void *value, size_t size)
4141{
4142 struct task_security_struct *tsec;
4143 u32 sid = 0;
4144 int error;
4145 char *str = value;
4146
4147 if (current != p) {
4148 /* SELinux only allows a process to change its own
4149 security attributes. */
4150 return -EACCES;
4151 }
4152
4153 /*
4154 * Basic control over ability to set these attributes at all.
4155 * current == p, but we'll pass them separately in case the
4156 * above restriction is ever removed.
4157 */
4158 if (!strcmp(name, "exec"))
4159 error = task_has_perm(current, p, PROCESS__SETEXEC);
4160 else if (!strcmp(name, "fscreate"))
4161 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4162 else if (!strcmp(name, "current"))
4163 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4164 else
4165 error = -EINVAL;
4166 if (error)
4167 return error;
4168
4169 /* Obtain a SID for the context, if one was specified. */
4170 if (size && str[1] && str[1] != '\n') {
4171 if (str[size-1] == '\n') {
4172 str[size-1] = 0;
4173 size--;
4174 }
4175 error = security_context_to_sid(value, size, &sid);
4176 if (error)
4177 return error;
4178 }
4179
4180 /* Permission checking based on the specified context is
4181 performed during the actual operation (execve,
4182 open/mkdir/...), when we know the full context of the
4183 operation. See selinux_bprm_set_security for the execve
4184 checks and may_create for the file creation checks. The
4185 operation will then fail if the context is not permitted. */
4186 tsec = p->security;
4187 if (!strcmp(name, "exec"))
4188 tsec->exec_sid = sid;
4189 else if (!strcmp(name, "fscreate"))
4190 tsec->create_sid = sid;
4191 else if (!strcmp(name, "current")) {
4192 struct av_decision avd;
4193
4194 if (sid == 0)
4195 return -EINVAL;
4196
4197 /* Only allow single threaded processes to change context */
4198 if (atomic_read(&p->mm->mm_users) != 1) {
4199 struct task_struct *g, *t;
4200 struct mm_struct *mm = p->mm;
4201 read_lock(&tasklist_lock);
4202 do_each_thread(g, t)
4203 if (t->mm == mm && t != p) {
4204 read_unlock(&tasklist_lock);
4205 return -EPERM;
4206 }
4207 while_each_thread(g, t);
4208 read_unlock(&tasklist_lock);
4209 }
4210
4211 /* Check permissions for the transition. */
4212 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4213 PROCESS__DYNTRANSITION, NULL);
4214 if (error)
4215 return error;
4216
4217 /* Check for ptracing, and update the task SID if ok.
4218 Otherwise, leave SID unchanged and fail. */
4219 task_lock(p);
4220 if (p->ptrace & PT_PTRACED) {
4221 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4222 SECCLASS_PROCESS,
4223 PROCESS__PTRACE, &avd);
4224 if (!error)
4225 tsec->sid = sid;
4226 task_unlock(p);
4227 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4228 PROCESS__PTRACE, &avd, error, NULL);
4229 if (error)
4230 return error;
4231 } else {
4232 tsec->sid = sid;
4233 task_unlock(p);
4234 }
4235 }
4236 else
4237 return -EINVAL;
4238
4239 return size;
4240}
4241
4242static struct security_operations selinux_ops = {
4243 .ptrace = selinux_ptrace,
4244 .capget = selinux_capget,
4245 .capset_check = selinux_capset_check,
4246 .capset_set = selinux_capset_set,
4247 .sysctl = selinux_sysctl,
4248 .capable = selinux_capable,
4249 .quotactl = selinux_quotactl,
4250 .quota_on = selinux_quota_on,
4251 .syslog = selinux_syslog,
4252 .vm_enough_memory = selinux_vm_enough_memory,
4253
4254 .netlink_send = selinux_netlink_send,
4255 .netlink_recv = selinux_netlink_recv,
4256
4257 .bprm_alloc_security = selinux_bprm_alloc_security,
4258 .bprm_free_security = selinux_bprm_free_security,
4259 .bprm_apply_creds = selinux_bprm_apply_creds,
4260 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
4261 .bprm_set_security = selinux_bprm_set_security,
4262 .bprm_check_security = selinux_bprm_check_security,
4263 .bprm_secureexec = selinux_bprm_secureexec,
4264
4265 .sb_alloc_security = selinux_sb_alloc_security,
4266 .sb_free_security = selinux_sb_free_security,
4267 .sb_copy_data = selinux_sb_copy_data,
4268 .sb_kern_mount = selinux_sb_kern_mount,
4269 .sb_statfs = selinux_sb_statfs,
4270 .sb_mount = selinux_mount,
4271 .sb_umount = selinux_umount,
4272
4273 .inode_alloc_security = selinux_inode_alloc_security,
4274 .inode_free_security = selinux_inode_free_security,
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]4275 .inode_init_security = selinux_inode_init_security,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4276 .inode_create = selinux_inode_create,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4277 .inode_link = selinux_inode_link,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4278 .inode_unlink = selinux_inode_unlink,
4279 .inode_symlink = selinux_inode_symlink,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4280 .inode_mkdir = selinux_inode_mkdir,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4281 .inode_rmdir = selinux_inode_rmdir,
4282 .inode_mknod = selinux_inode_mknod,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4283 .inode_rename = selinux_inode_rename,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4284 .inode_readlink = selinux_inode_readlink,
4285 .inode_follow_link = selinux_inode_follow_link,
4286 .inode_permission = selinux_inode_permission,
4287 .inode_setattr = selinux_inode_setattr,
4288 .inode_getattr = selinux_inode_getattr,
4289 .inode_setxattr = selinux_inode_setxattr,
4290 .inode_post_setxattr = selinux_inode_post_setxattr,
4291 .inode_getxattr = selinux_inode_getxattr,
4292 .inode_listxattr = selinux_inode_listxattr,
4293 .inode_removexattr = selinux_inode_removexattr,
4294 .inode_getsecurity = selinux_inode_getsecurity,
4295 .inode_setsecurity = selinux_inode_setsecurity,
4296 .inode_listsecurity = selinux_inode_listsecurity,
4297
4298 .file_permission = selinux_file_permission,
4299 .file_alloc_security = selinux_file_alloc_security,
4300 .file_free_security = selinux_file_free_security,
4301 .file_ioctl = selinux_file_ioctl,
4302 .file_mmap = selinux_file_mmap,
4303 .file_mprotect = selinux_file_mprotect,
4304 .file_lock = selinux_file_lock,
4305 .file_fcntl = selinux_file_fcntl,
4306 .file_set_fowner = selinux_file_set_fowner,
4307 .file_send_sigiotask = selinux_file_send_sigiotask,
4308 .file_receive = selinux_file_receive,
4309
4310 .task_create = selinux_task_create,
4311 .task_alloc_security = selinux_task_alloc_security,
4312 .task_free_security = selinux_task_free_security,
4313 .task_setuid = selinux_task_setuid,
4314 .task_post_setuid = selinux_task_post_setuid,
4315 .task_setgid = selinux_task_setgid,
4316 .task_setpgid = selinux_task_setpgid,
4317 .task_getpgid = selinux_task_getpgid,
4318 .task_getsid = selinux_task_getsid,
4319 .task_setgroups = selinux_task_setgroups,
4320 .task_setnice = selinux_task_setnice,
4321 .task_setrlimit = selinux_task_setrlimit,
4322 .task_setscheduler = selinux_task_setscheduler,
4323 .task_getscheduler = selinux_task_getscheduler,
4324 .task_kill = selinux_task_kill,
4325 .task_wait = selinux_task_wait,
4326 .task_prctl = selinux_task_prctl,
4327 .task_reparent_to_init = selinux_task_reparent_to_init,
4328 .task_to_inode = selinux_task_to_inode,
4329
4330 .ipc_permission = selinux_ipc_permission,
4331
4332 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4333 .msg_msg_free_security = selinux_msg_msg_free_security,
4334
4335 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4336 .msg_queue_free_security = selinux_msg_queue_free_security,
4337 .msg_queue_associate = selinux_msg_queue_associate,
4338 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4339 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4340 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4341
4342 .shm_alloc_security = selinux_shm_alloc_security,
4343 .shm_free_security = selinux_shm_free_security,
4344 .shm_associate = selinux_shm_associate,
4345 .shm_shmctl = selinux_shm_shmctl,
4346 .shm_shmat = selinux_shm_shmat,
4347
4348 .sem_alloc_security = selinux_sem_alloc_security,
4349 .sem_free_security = selinux_sem_free_security,
4350 .sem_associate = selinux_sem_associate,
4351 .sem_semctl = selinux_sem_semctl,
4352 .sem_semop = selinux_sem_semop,
4353
4354 .register_security = selinux_register_security,
4355 .unregister_security = selinux_unregister_security,
4356
4357 .d_instantiate = selinux_d_instantiate,
4358
4359 .getprocattr = selinux_getprocattr,
4360 .setprocattr = selinux_setprocattr,
4361
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4362 .unix_stream_connect = selinux_socket_unix_stream_connect,
4363 .unix_may_send = selinux_socket_unix_may_send,
4364
4365 .socket_create = selinux_socket_create,
4366 .socket_post_create = selinux_socket_post_create,
4367 .socket_bind = selinux_socket_bind,
4368 .socket_connect = selinux_socket_connect,
4369 .socket_listen = selinux_socket_listen,
4370 .socket_accept = selinux_socket_accept,
4371 .socket_sendmsg = selinux_socket_sendmsg,
4372 .socket_recvmsg = selinux_socket_recvmsg,
4373 .socket_getsockname = selinux_socket_getsockname,
4374 .socket_getpeername = selinux_socket_getpeername,
4375 .socket_getsockopt = selinux_socket_getsockopt,
4376 .socket_setsockopt = selinux_socket_setsockopt,
4377 .socket_shutdown = selinux_socket_shutdown,
4378 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
Catherine Zhang2c7946a2006-03-20 22:41:23 -0800[diff] [blame]4379 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
4380 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4381 .sk_alloc_security = selinux_sk_alloc_security,
4382 .sk_free_security = selinux_sk_free_security,
Trent Jaegerd28d1e02005-12-13 23:12:40 -0800[diff] [blame]4383 .sk_getsid = selinux_sk_getsid_security,
Trent Jaegerd28d1e02005-12-13 23:12:40 -0800[diff] [blame]4384
4385#ifdef CONFIG_SECURITY_NETWORK_XFRM
4386 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
4387 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
4388 .xfrm_policy_free_security = selinux_xfrm_policy_free,
4389 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
4390 .xfrm_state_free_security = selinux_xfrm_state_free,
4391 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4392#endif
4393};
4394
4395static __init int selinux_init(void)
4396{
4397 struct task_security_struct *tsec;
4398
4399 if (!selinux_enabled) {
4400 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4401 return 0;
4402 }
4403
4404 printk(KERN_INFO "SELinux: Initializing.\n");
4405
4406 /* Set the security state for the initial task. */
4407 if (task_alloc_security(current))
4408 panic("SELinux: Failed to initialize initial task.\n");
4409 tsec = current->security;
4410 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4411
James Morris7cae7e22006-03-22 00:09:22 -0800[diff] [blame^]4412 sel_inode_cache = kmem_cache_create("selinux_inode_security",
4413 sizeof(struct inode_security_struct),
4414 0, SLAB_PANIC, NULL, NULL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4415 avc_init();
4416
4417 original_ops = secondary_ops = security_ops;
4418 if (!secondary_ops)
4419 panic ("SELinux: No initial security operations\n");
4420 if (register_security (&selinux_ops))
4421 panic("SELinux: Unable to register with kernel.\n");
4422
4423 if (selinux_enforcing) {
4424 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
4425 } else {
4426 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
4427 }
4428 return 0;
4429}
4430
4431void selinux_complete_init(void)
4432{
4433 printk(KERN_INFO "SELinux: Completing initialization.\n");
4434
4435 /* Set up any superblocks initialized prior to the policy load. */
4436 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
4437 spin_lock(&sb_security_lock);
4438next_sb:
4439 if (!list_empty(&superblock_security_head)) {
4440 struct superblock_security_struct *sbsec =
4441 list_entry(superblock_security_head.next,
4442 struct superblock_security_struct,
4443 list);
4444 struct super_block *sb = sbsec->sb;
4445 spin_lock(&sb_lock);
4446 sb->s_count++;
4447 spin_unlock(&sb_lock);
4448 spin_unlock(&sb_security_lock);
4449 down_read(&sb->s_umount);
4450 if (sb->s_root)
4451 superblock_doinit(sb, NULL);
4452 drop_super(sb);
4453 spin_lock(&sb_security_lock);
4454 list_del_init(&sbsec->list);
4455 goto next_sb;
4456 }
4457 spin_unlock(&sb_security_lock);
4458}
4459
4460/* SELinux requires early initialization in order to label
4461 all processes and objects when they are created. */
4462security_initcall(selinux_init);
4463
Stephen Smalleyc2b507f2006-02-04 23:27:50 -0800[diff] [blame]4464#if defined(CONFIG_NETFILTER)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4465
4466static struct nf_hook_ops selinux_ipv4_op = {
4467 .hook = selinux_ipv4_postroute_last,
4468 .owner = THIS_MODULE,
4469 .pf = PF_INET,
4470 .hooknum = NF_IP_POST_ROUTING,
4471 .priority = NF_IP_PRI_SELINUX_LAST,
4472};
4473
4474#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4475
4476static struct nf_hook_ops selinux_ipv6_op = {
4477 .hook = selinux_ipv6_postroute_last,
4478 .owner = THIS_MODULE,
4479 .pf = PF_INET6,
4480 .hooknum = NF_IP6_POST_ROUTING,
4481 .priority = NF_IP6_PRI_SELINUX_LAST,
4482};
4483
4484#endif /* IPV6 */
4485
4486static int __init selinux_nf_ip_init(void)
4487{
4488 int err = 0;
4489
4490 if (!selinux_enabled)
4491 goto out;
4492
4493 printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
4494
4495 err = nf_register_hook(&selinux_ipv4_op);
4496 if (err)
4497 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4498
4499#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4500
4501 err = nf_register_hook(&selinux_ipv6_op);
4502 if (err)
4503 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4504
4505#endif /* IPV6 */
Trent Jaegerd28d1e02005-12-13 23:12:40 -0800[diff] [blame]4506
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4507out:
4508 return err;
4509}
4510
4511__initcall(selinux_nf_ip_init);
4512
4513#ifdef CONFIG_SECURITY_SELINUX_DISABLE
4514static void selinux_nf_ip_exit(void)
4515{
4516 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
4517
4518 nf_unregister_hook(&selinux_ipv4_op);
4519#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4520 nf_unregister_hook(&selinux_ipv6_op);
4521#endif /* IPV6 */
4522}
4523#endif
4524
Stephen Smalleyc2b507f2006-02-04 23:27:50 -0800[diff] [blame]4525#else /* CONFIG_NETFILTER */
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4526
4527#ifdef CONFIG_SECURITY_SELINUX_DISABLE
4528#define selinux_nf_ip_exit()
4529#endif
4530
Stephen Smalleyc2b507f2006-02-04 23:27:50 -0800[diff] [blame]4531#endif /* CONFIG_NETFILTER */
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4532
4533#ifdef CONFIG_SECURITY_SELINUX_DISABLE
4534int selinux_disable(void)
4535{
4536 extern void exit_sel_fs(void);
4537 static int selinux_disabled = 0;
4538
4539 if (ss_initialized) {
4540 /* Not permitted after initial policy load. */
4541 return -EINVAL;
4542 }
4543
4544 if (selinux_disabled) {
4545 /* Only do this once. */
4546 return -EINVAL;
4547 }
4548
4549 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
4550
4551 selinux_disabled = 1;
4552
4553 /* Reset security_ops to the secondary module, dummy or capability. */
4554 security_ops = secondary_ops;
4555
4556 /* Unregister netfilter hooks. */
4557 selinux_nf_ip_exit();
4558
4559 /* Unregister selinuxfs. */
4560 exit_sel_fs();
4561
4562 return 0;
4563}
4564#endif
4565
4566