blob: b7773bf68efa8fb104c45312b8a385cbb701d499 [file] [log] [blame]
Linus Torvalds1da177e2005-04-16 15:20:36 -07001/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2,
18 * as published by the Free Software Foundation.
19 */
20
21#include <linux/config.h>
22#include <linux/module.h>
23#include <linux/init.h>
24#include <linux/kernel.h>
25#include <linux/ptrace.h>
26#include <linux/errno.h>
27#include <linux/sched.h>
28#include <linux/security.h>
29#include <linux/xattr.h>
30#include <linux/capability.h>
31#include <linux/unistd.h>
32#include <linux/mm.h>
33#include <linux/mman.h>
34#include <linux/slab.h>
35#include <linux/pagemap.h>
36#include <linux/swap.h>
37#include <linux/smp_lock.h>
38#include <linux/spinlock.h>
39#include <linux/syscalls.h>
40#include <linux/file.h>
41#include <linux/namei.h>
42#include <linux/mount.h>
43#include <linux/ext2_fs.h>
44#include <linux/proc_fs.h>
45#include <linux/kd.h>
46#include <linux/netfilter_ipv4.h>
47#include <linux/netfilter_ipv6.h>
48#include <linux/tty.h>
49#include <net/icmp.h>
50#include <net/ip.h> /* for sysctl_local_port_range[] */
51#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
52#include <asm/uaccess.h>
53#include <asm/semaphore.h>
54#include <asm/ioctls.h>
55#include <linux/bitops.h>
56#include <linux/interrupt.h>
57#include <linux/netdevice.h> /* for network interface checks */
58#include <linux/netlink.h>
59#include <linux/tcp.h>
60#include <linux/udp.h>
61#include <linux/quota.h>
62#include <linux/un.h> /* for Unix socket types */
63#include <net/af_unix.h> /* for Unix socket types */
64#include <linux/parser.h>
65#include <linux/nfs_mount.h>
66#include <net/ipv6.h>
67#include <linux/hugetlb.h>
68#include <linux/personality.h>
69#include <linux/sysctl.h>
70#include <linux/audit.h>
Eric Paris6931dfc2005-06-30 02:58:51 -070071#include <linux/string.h>
Linus Torvalds1da177e2005-04-16 15:20:36 -070072
73#include "avc.h"
74#include "objsec.h"
75#include "netif.h"
Trent Jaegerd28d1e02005-12-13 23:12:40 -080076#include "xfrm.h"
Linus Torvalds1da177e2005-04-16 15:20:36 -070077
78#define XATTR_SELINUX_SUFFIX "selinux"
79#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81extern unsigned int policydb_loaded_version;
82extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83
84#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
85int selinux_enforcing = 0;
86
87static int __init enforcing_setup(char *str)
88{
89 selinux_enforcing = simple_strtol(str,NULL,0);
90 return 1;
91}
92__setup("enforcing=", enforcing_setup);
93#endif
94
95#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
96int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
97
98static int __init selinux_enabled_setup(char *str)
99{
100 selinux_enabled = simple_strtol(str, NULL, 0);
101 return 1;
102}
103__setup("selinux=", selinux_enabled_setup);
104#endif
105
106/* Original (dummy) security module. */
107static struct security_operations *original_ops = NULL;
108
109/* Minimal support for a secondary security module,
110 just to allow the use of the dummy or capability modules.
111 The owlsm module can alternatively be used as a secondary
112 module as long as CONFIG_OWLSM_FD is not enabled. */
113static struct security_operations *secondary_ops = NULL;
114
115/* Lists of inode and superblock security structures initialized
116 before the policy was loaded. */
117static LIST_HEAD(superblock_security_head);
118static DEFINE_SPINLOCK(sb_security_lock);
119
120/* Allocate and free functions for each kind of security blob. */
121
122static int task_alloc_security(struct task_struct *task)
123{
124 struct task_security_struct *tsec;
125
James Morris89d155e2005-10-30 14:59:21 -0800126 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700127 if (!tsec)
128 return -ENOMEM;
129
Linus Torvalds1da177e2005-04-16 15:20:36 -0700130 tsec->task = task;
131 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
132 task->security = tsec;
133
134 return 0;
135}
136
137static void task_free_security(struct task_struct *task)
138{
139 struct task_security_struct *tsec = task->security;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700140 task->security = NULL;
141 kfree(tsec);
142}
143
144static int inode_alloc_security(struct inode *inode)
145{
146 struct task_security_struct *tsec = current->security;
147 struct inode_security_struct *isec;
148
James Morris89d155e2005-10-30 14:59:21 -0800149 isec = kzalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700150 if (!isec)
151 return -ENOMEM;
152
Linus Torvalds1da177e2005-04-16 15:20:36 -0700153 init_MUTEX(&isec->sem);
154 INIT_LIST_HEAD(&isec->list);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700155 isec->inode = inode;
156 isec->sid = SECINITSID_UNLABELED;
157 isec->sclass = SECCLASS_FILE;
Stephen Smalley9ac49d22006-02-01 03:05:56 -0800158 isec->task_sid = tsec->sid;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700159 inode->i_security = isec;
160
161 return 0;
162}
163
164static void inode_free_security(struct inode *inode)
165{
166 struct inode_security_struct *isec = inode->i_security;
167 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
168
Linus Torvalds1da177e2005-04-16 15:20:36 -0700169 spin_lock(&sbsec->isec_lock);
170 if (!list_empty(&isec->list))
171 list_del_init(&isec->list);
172 spin_unlock(&sbsec->isec_lock);
173
174 inode->i_security = NULL;
175 kfree(isec);
176}
177
178static int file_alloc_security(struct file *file)
179{
180 struct task_security_struct *tsec = current->security;
181 struct file_security_struct *fsec;
182
Stephen Smalley26d2a4b2006-02-01 03:05:55 -0800183 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700184 if (!fsec)
185 return -ENOMEM;
186
Linus Torvalds1da177e2005-04-16 15:20:36 -0700187 fsec->file = file;
Stephen Smalley9ac49d22006-02-01 03:05:56 -0800188 fsec->sid = tsec->sid;
189 fsec->fown_sid = tsec->sid;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700190 file->f_security = fsec;
191
192 return 0;
193}
194
195static void file_free_security(struct file *file)
196{
197 struct file_security_struct *fsec = file->f_security;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700198 file->f_security = NULL;
199 kfree(fsec);
200}
201
202static int superblock_alloc_security(struct super_block *sb)
203{
204 struct superblock_security_struct *sbsec;
205
James Morris89d155e2005-10-30 14:59:21 -0800206 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700207 if (!sbsec)
208 return -ENOMEM;
209
Linus Torvalds1da177e2005-04-16 15:20:36 -0700210 init_MUTEX(&sbsec->sem);
211 INIT_LIST_HEAD(&sbsec->list);
212 INIT_LIST_HEAD(&sbsec->isec_head);
213 spin_lock_init(&sbsec->isec_lock);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700214 sbsec->sb = sb;
215 sbsec->sid = SECINITSID_UNLABELED;
216 sbsec->def_sid = SECINITSID_FILE;
217 sb->s_security = sbsec;
218
219 return 0;
220}
221
222static void superblock_free_security(struct super_block *sb)
223{
224 struct superblock_security_struct *sbsec = sb->s_security;
225
Linus Torvalds1da177e2005-04-16 15:20:36 -0700226 spin_lock(&sb_security_lock);
227 if (!list_empty(&sbsec->list))
228 list_del_init(&sbsec->list);
229 spin_unlock(&sb_security_lock);
230
231 sb->s_security = NULL;
232 kfree(sbsec);
233}
234
Al Viro7d877f32005-10-21 03:20:43 -0400235static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700236{
237 struct sk_security_struct *ssec;
238
239 if (family != PF_UNIX)
240 return 0;
241
James Morris89d155e2005-10-30 14:59:21 -0800242 ssec = kzalloc(sizeof(*ssec), priority);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700243 if (!ssec)
244 return -ENOMEM;
245
Linus Torvalds1da177e2005-04-16 15:20:36 -0700246 ssec->sk = sk;
247 ssec->peer_sid = SECINITSID_UNLABELED;
248 sk->sk_security = ssec;
249
250 return 0;
251}
252
253static void sk_free_security(struct sock *sk)
254{
255 struct sk_security_struct *ssec = sk->sk_security;
256
Stephen Smalley9ac49d22006-02-01 03:05:56 -0800257 if (sk->sk_family != PF_UNIX)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700258 return;
259
260 sk->sk_security = NULL;
261 kfree(ssec);
262}
Linus Torvalds1da177e2005-04-16 15:20:36 -0700263
264/* The security server must be initialized before
265 any labeling or access decisions can be provided. */
266extern int ss_initialized;
267
268/* The file system's label must be initialized prior to use. */
269
270static char *labeling_behaviors[6] = {
271 "uses xattr",
272 "uses transition SIDs",
273 "uses task SIDs",
274 "uses genfs_contexts",
275 "not configured for labeling",
276 "uses mountpoint labeling",
277};
278
279static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
280
281static inline int inode_doinit(struct inode *inode)
282{
283 return inode_doinit_with_dentry(inode, NULL);
284}
285
286enum {
287 Opt_context = 1,
288 Opt_fscontext = 2,
289 Opt_defcontext = 4,
290};
291
292static match_table_t tokens = {
293 {Opt_context, "context=%s"},
294 {Opt_fscontext, "fscontext=%s"},
295 {Opt_defcontext, "defcontext=%s"},
296};
297
298#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
299
300static int try_context_mount(struct super_block *sb, void *data)
301{
302 char *context = NULL, *defcontext = NULL;
303 const char *name;
304 u32 sid;
305 int alloc = 0, rc = 0, seen = 0;
306 struct task_security_struct *tsec = current->security;
307 struct superblock_security_struct *sbsec = sb->s_security;
308
309 if (!data)
310 goto out;
311
312 name = sb->s_type->name;
313
314 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
315
316 /* NFS we understand. */
317 if (!strcmp(name, "nfs")) {
318 struct nfs_mount_data *d = data;
319
320 if (d->version < NFS_MOUNT_VERSION)
321 goto out;
322
323 if (d->context[0]) {
324 context = d->context;
325 seen |= Opt_context;
326 }
327 } else
328 goto out;
329
330 } else {
331 /* Standard string-based options. */
332 char *p, *options = data;
333
334 while ((p = strsep(&options, ",")) != NULL) {
335 int token;
336 substring_t args[MAX_OPT_ARGS];
337
338 if (!*p)
339 continue;
340
341 token = match_token(p, tokens, args);
342
343 switch (token) {
344 case Opt_context:
345 if (seen) {
346 rc = -EINVAL;
347 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
348 goto out_free;
349 }
350 context = match_strdup(&args[0]);
351 if (!context) {
352 rc = -ENOMEM;
353 goto out_free;
354 }
355 if (!alloc)
356 alloc = 1;
357 seen |= Opt_context;
358 break;
359
360 case Opt_fscontext:
361 if (seen & (Opt_context|Opt_fscontext)) {
362 rc = -EINVAL;
363 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
364 goto out_free;
365 }
366 context = match_strdup(&args[0]);
367 if (!context) {
368 rc = -ENOMEM;
369 goto out_free;
370 }
371 if (!alloc)
372 alloc = 1;
373 seen |= Opt_fscontext;
374 break;
375
376 case Opt_defcontext:
377 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
378 rc = -EINVAL;
379 printk(KERN_WARNING "SELinux: "
380 "defcontext option is invalid "
381 "for this filesystem type\n");
382 goto out_free;
383 }
384 if (seen & (Opt_context|Opt_defcontext)) {
385 rc = -EINVAL;
386 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
387 goto out_free;
388 }
389 defcontext = match_strdup(&args[0]);
390 if (!defcontext) {
391 rc = -ENOMEM;
392 goto out_free;
393 }
394 if (!alloc)
395 alloc = 1;
396 seen |= Opt_defcontext;
397 break;
398
399 default:
400 rc = -EINVAL;
401 printk(KERN_WARNING "SELinux: unknown mount "
402 "option\n");
403 goto out_free;
404
405 }
406 }
407 }
408
409 if (!seen)
410 goto out;
411
412 if (context) {
413 rc = security_context_to_sid(context, strlen(context), &sid);
414 if (rc) {
415 printk(KERN_WARNING "SELinux: security_context_to_sid"
416 "(%s) failed for (dev %s, type %s) errno=%d\n",
417 context, sb->s_id, name, rc);
418 goto out_free;
419 }
420
421 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
422 FILESYSTEM__RELABELFROM, NULL);
423 if (rc)
424 goto out_free;
425
426 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
427 FILESYSTEM__RELABELTO, NULL);
428 if (rc)
429 goto out_free;
430
431 sbsec->sid = sid;
432
433 if (seen & Opt_context)
434 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
435 }
436
437 if (defcontext) {
438 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
439 if (rc) {
440 printk(KERN_WARNING "SELinux: security_context_to_sid"
441 "(%s) failed for (dev %s, type %s) errno=%d\n",
442 defcontext, sb->s_id, name, rc);
443 goto out_free;
444 }
445
446 if (sid == sbsec->def_sid)
447 goto out_free;
448
449 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450 FILESYSTEM__RELABELFROM, NULL);
451 if (rc)
452 goto out_free;
453
454 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
455 FILESYSTEM__ASSOCIATE, NULL);
456 if (rc)
457 goto out_free;
458
459 sbsec->def_sid = sid;
460 }
461
462out_free:
463 if (alloc) {
464 kfree(context);
465 kfree(defcontext);
466 }
467out:
468 return rc;
469}
470
471static int superblock_doinit(struct super_block *sb, void *data)
472{
473 struct superblock_security_struct *sbsec = sb->s_security;
474 struct dentry *root = sb->s_root;
475 struct inode *inode = root->d_inode;
476 int rc = 0;
477
478 down(&sbsec->sem);
479 if (sbsec->initialized)
480 goto out;
481
482 if (!ss_initialized) {
483 /* Defer initialization until selinux_complete_init,
484 after the initial policy is loaded and the security
485 server is ready to handle calls. */
486 spin_lock(&sb_security_lock);
487 if (list_empty(&sbsec->list))
488 list_add(&sbsec->list, &superblock_security_head);
489 spin_unlock(&sb_security_lock);
490 goto out;
491 }
492
493 /* Determine the labeling behavior to use for this filesystem type. */
494 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
495 if (rc) {
496 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
497 __FUNCTION__, sb->s_type->name, rc);
498 goto out;
499 }
500
501 rc = try_context_mount(sb, data);
502 if (rc)
503 goto out;
504
505 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
506 /* Make sure that the xattr handler exists and that no
507 error other than -ENODATA is returned by getxattr on
508 the root directory. -ENODATA is ok, as this may be
509 the first boot of the SELinux kernel before we have
510 assigned xattr values to the filesystem. */
511 if (!inode->i_op->getxattr) {
512 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
513 "xattr support\n", sb->s_id, sb->s_type->name);
514 rc = -EOPNOTSUPP;
515 goto out;
516 }
517 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
518 if (rc < 0 && rc != -ENODATA) {
519 if (rc == -EOPNOTSUPP)
520 printk(KERN_WARNING "SELinux: (dev %s, type "
521 "%s) has no security xattr handler\n",
522 sb->s_id, sb->s_type->name);
523 else
524 printk(KERN_WARNING "SELinux: (dev %s, type "
525 "%s) getxattr errno %d\n", sb->s_id,
526 sb->s_type->name, -rc);
527 goto out;
528 }
529 }
530
531 if (strcmp(sb->s_type->name, "proc") == 0)
532 sbsec->proc = 1;
533
534 sbsec->initialized = 1;
535
536 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
537 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
538 sb->s_id, sb->s_type->name);
539 }
540 else {
541 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
542 sb->s_id, sb->s_type->name,
543 labeling_behaviors[sbsec->behavior-1]);
544 }
545
546 /* Initialize the root inode. */
547 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
548
549 /* Initialize any other inodes associated with the superblock, e.g.
550 inodes created prior to initial policy load or inodes created
551 during get_sb by a pseudo filesystem that directly
552 populates itself. */
553 spin_lock(&sbsec->isec_lock);
554next_inode:
555 if (!list_empty(&sbsec->isec_head)) {
556 struct inode_security_struct *isec =
557 list_entry(sbsec->isec_head.next,
558 struct inode_security_struct, list);
559 struct inode *inode = isec->inode;
560 spin_unlock(&sbsec->isec_lock);
561 inode = igrab(inode);
562 if (inode) {
563 if (!IS_PRIVATE (inode))
564 inode_doinit(inode);
565 iput(inode);
566 }
567 spin_lock(&sbsec->isec_lock);
568 list_del_init(&isec->list);
569 goto next_inode;
570 }
571 spin_unlock(&sbsec->isec_lock);
572out:
573 up(&sbsec->sem);
574 return rc;
575}
576
577static inline u16 inode_mode_to_security_class(umode_t mode)
578{
579 switch (mode & S_IFMT) {
580 case S_IFSOCK:
581 return SECCLASS_SOCK_FILE;
582 case S_IFLNK:
583 return SECCLASS_LNK_FILE;
584 case S_IFREG:
585 return SECCLASS_FILE;
586 case S_IFBLK:
587 return SECCLASS_BLK_FILE;
588 case S_IFDIR:
589 return SECCLASS_DIR;
590 case S_IFCHR:
591 return SECCLASS_CHR_FILE;
592 case S_IFIFO:
593 return SECCLASS_FIFO_FILE;
594
595 }
596
597 return SECCLASS_FILE;
598}
599
James Morris13402582005-09-30 14:24:34 -0400600static inline int default_protocol_stream(int protocol)
601{
602 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
603}
604
605static inline int default_protocol_dgram(int protocol)
606{
607 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
608}
609
Linus Torvalds1da177e2005-04-16 15:20:36 -0700610static inline u16 socket_type_to_security_class(int family, int type, int protocol)
611{
612 switch (family) {
613 case PF_UNIX:
614 switch (type) {
615 case SOCK_STREAM:
616 case SOCK_SEQPACKET:
617 return SECCLASS_UNIX_STREAM_SOCKET;
618 case SOCK_DGRAM:
619 return SECCLASS_UNIX_DGRAM_SOCKET;
620 }
621 break;
622 case PF_INET:
623 case PF_INET6:
624 switch (type) {
625 case SOCK_STREAM:
James Morris13402582005-09-30 14:24:34 -0400626 if (default_protocol_stream(protocol))
627 return SECCLASS_TCP_SOCKET;
628 else
629 return SECCLASS_RAWIP_SOCKET;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700630 case SOCK_DGRAM:
James Morris13402582005-09-30 14:24:34 -0400631 if (default_protocol_dgram(protocol))
632 return SECCLASS_UDP_SOCKET;
633 else
634 return SECCLASS_RAWIP_SOCKET;
635 default:
Linus Torvalds1da177e2005-04-16 15:20:36 -0700636 return SECCLASS_RAWIP_SOCKET;
637 }
638 break;
639 case PF_NETLINK:
640 switch (protocol) {
641 case NETLINK_ROUTE:
642 return SECCLASS_NETLINK_ROUTE_SOCKET;
643 case NETLINK_FIREWALL:
644 return SECCLASS_NETLINK_FIREWALL_SOCKET;
James Morris216efaa2005-08-15 20:34:48 -0700645 case NETLINK_INET_DIAG:
Linus Torvalds1da177e2005-04-16 15:20:36 -0700646 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
647 case NETLINK_NFLOG:
648 return SECCLASS_NETLINK_NFLOG_SOCKET;
649 case NETLINK_XFRM:
650 return SECCLASS_NETLINK_XFRM_SOCKET;
651 case NETLINK_SELINUX:
652 return SECCLASS_NETLINK_SELINUX_SOCKET;
653 case NETLINK_AUDIT:
654 return SECCLASS_NETLINK_AUDIT_SOCKET;
655 case NETLINK_IP6_FW:
656 return SECCLASS_NETLINK_IP6FW_SOCKET;
657 case NETLINK_DNRTMSG:
658 return SECCLASS_NETLINK_DNRT_SOCKET;
James Morris0c9b7942005-04-16 15:24:13 -0700659 case NETLINK_KOBJECT_UEVENT:
660 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700661 default:
662 return SECCLASS_NETLINK_SOCKET;
663 }
664 case PF_PACKET:
665 return SECCLASS_PACKET_SOCKET;
666 case PF_KEY:
667 return SECCLASS_KEY_SOCKET;
668 }
669
670 return SECCLASS_SOCKET;
671}
672
673#ifdef CONFIG_PROC_FS
674static int selinux_proc_get_sid(struct proc_dir_entry *de,
675 u16 tclass,
676 u32 *sid)
677{
678 int buflen, rc;
679 char *buffer, *path, *end;
680
681 buffer = (char*)__get_free_page(GFP_KERNEL);
682 if (!buffer)
683 return -ENOMEM;
684
685 buflen = PAGE_SIZE;
686 end = buffer+buflen;
687 *--end = '\0';
688 buflen--;
689 path = end-1;
690 *path = '/';
691 while (de && de != de->parent) {
692 buflen -= de->namelen + 1;
693 if (buflen < 0)
694 break;
695 end -= de->namelen;
696 memcpy(end, de->name, de->namelen);
697 *--end = '/';
698 path = end;
699 de = de->parent;
700 }
701 rc = security_genfs_sid("proc", path, tclass, sid);
702 free_page((unsigned long)buffer);
703 return rc;
704}
705#else
706static int selinux_proc_get_sid(struct proc_dir_entry *de,
707 u16 tclass,
708 u32 *sid)
709{
710 return -EINVAL;
711}
712#endif
713
714/* The inode's security attributes must be initialized before first use. */
715static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
716{
717 struct superblock_security_struct *sbsec = NULL;
718 struct inode_security_struct *isec = inode->i_security;
719 u32 sid;
720 struct dentry *dentry;
721#define INITCONTEXTLEN 255
722 char *context = NULL;
723 unsigned len = 0;
724 int rc = 0;
725 int hold_sem = 0;
726
727 if (isec->initialized)
728 goto out;
729
730 down(&isec->sem);
731 hold_sem = 1;
732 if (isec->initialized)
733 goto out;
734
735 sbsec = inode->i_sb->s_security;
736 if (!sbsec->initialized) {
737 /* Defer initialization until selinux_complete_init,
738 after the initial policy is loaded and the security
739 server is ready to handle calls. */
740 spin_lock(&sbsec->isec_lock);
741 if (list_empty(&isec->list))
742 list_add(&isec->list, &sbsec->isec_head);
743 spin_unlock(&sbsec->isec_lock);
744 goto out;
745 }
746
747 switch (sbsec->behavior) {
748 case SECURITY_FS_USE_XATTR:
749 if (!inode->i_op->getxattr) {
750 isec->sid = sbsec->def_sid;
751 break;
752 }
753
754 /* Need a dentry, since the xattr API requires one.
755 Life would be simpler if we could just pass the inode. */
756 if (opt_dentry) {
757 /* Called from d_instantiate or d_splice_alias. */
758 dentry = dget(opt_dentry);
759 } else {
760 /* Called from selinux_complete_init, try to find a dentry. */
761 dentry = d_find_alias(inode);
762 }
763 if (!dentry) {
764 printk(KERN_WARNING "%s: no dentry for dev=%s "
765 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
766 inode->i_ino);
767 goto out;
768 }
769
770 len = INITCONTEXTLEN;
771 context = kmalloc(len, GFP_KERNEL);
772 if (!context) {
773 rc = -ENOMEM;
774 dput(dentry);
775 goto out;
776 }
777 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
778 context, len);
779 if (rc == -ERANGE) {
780 /* Need a larger buffer. Query for the right size. */
781 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
782 NULL, 0);
783 if (rc < 0) {
784 dput(dentry);
785 goto out;
786 }
787 kfree(context);
788 len = rc;
789 context = kmalloc(len, GFP_KERNEL);
790 if (!context) {
791 rc = -ENOMEM;
792 dput(dentry);
793 goto out;
794 }
795 rc = inode->i_op->getxattr(dentry,
796 XATTR_NAME_SELINUX,
797 context, len);
798 }
799 dput(dentry);
800 if (rc < 0) {
801 if (rc != -ENODATA) {
802 printk(KERN_WARNING "%s: getxattr returned "
803 "%d for dev=%s ino=%ld\n", __FUNCTION__,
804 -rc, inode->i_sb->s_id, inode->i_ino);
805 kfree(context);
806 goto out;
807 }
808 /* Map ENODATA to the default file SID */
809 sid = sbsec->def_sid;
810 rc = 0;
811 } else {
James Morrisf5c1d5b2005-07-28 01:07:37 -0700812 rc = security_context_to_sid_default(context, rc, &sid,
813 sbsec->def_sid);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700814 if (rc) {
815 printk(KERN_WARNING "%s: context_to_sid(%s) "
816 "returned %d for dev=%s ino=%ld\n",
817 __FUNCTION__, context, -rc,
818 inode->i_sb->s_id, inode->i_ino);
819 kfree(context);
820 /* Leave with the unlabeled SID */
821 rc = 0;
822 break;
823 }
824 }
825 kfree(context);
826 isec->sid = sid;
827 break;
828 case SECURITY_FS_USE_TASK:
829 isec->sid = isec->task_sid;
830 break;
831 case SECURITY_FS_USE_TRANS:
832 /* Default to the fs SID. */
833 isec->sid = sbsec->sid;
834
835 /* Try to obtain a transition SID. */
836 isec->sclass = inode_mode_to_security_class(inode->i_mode);
837 rc = security_transition_sid(isec->task_sid,
838 sbsec->sid,
839 isec->sclass,
840 &sid);
841 if (rc)
842 goto out;
843 isec->sid = sid;
844 break;
845 default:
846 /* Default to the fs SID. */
847 isec->sid = sbsec->sid;
848
849 if (sbsec->proc) {
850 struct proc_inode *proci = PROC_I(inode);
851 if (proci->pde) {
852 isec->sclass = inode_mode_to_security_class(inode->i_mode);
853 rc = selinux_proc_get_sid(proci->pde,
854 isec->sclass,
855 &sid);
856 if (rc)
857 goto out;
858 isec->sid = sid;
859 }
860 }
861 break;
862 }
863
864 isec->initialized = 1;
865
866out:
867 if (isec->sclass == SECCLASS_FILE)
868 isec->sclass = inode_mode_to_security_class(inode->i_mode);
869
870 if (hold_sem)
871 up(&isec->sem);
872 return rc;
873}
874
875/* Convert a Linux signal to an access vector. */
876static inline u32 signal_to_av(int sig)
877{
878 u32 perm = 0;
879
880 switch (sig) {
881 case SIGCHLD:
882 /* Commonly granted from child to parent. */
883 perm = PROCESS__SIGCHLD;
884 break;
885 case SIGKILL:
886 /* Cannot be caught or ignored */
887 perm = PROCESS__SIGKILL;
888 break;
889 case SIGSTOP:
890 /* Cannot be caught or ignored */
891 perm = PROCESS__SIGSTOP;
892 break;
893 default:
894 /* All other signals. */
895 perm = PROCESS__SIGNAL;
896 break;
897 }
898
899 return perm;
900}
901
902/* Check permission betweeen a pair of tasks, e.g. signal checks,
903 fork check, ptrace check, etc. */
904static int task_has_perm(struct task_struct *tsk1,
905 struct task_struct *tsk2,
906 u32 perms)
907{
908 struct task_security_struct *tsec1, *tsec2;
909
910 tsec1 = tsk1->security;
911 tsec2 = tsk2->security;
912 return avc_has_perm(tsec1->sid, tsec2->sid,
913 SECCLASS_PROCESS, perms, NULL);
914}
915
916/* Check whether a task is allowed to use a capability. */
917static int task_has_capability(struct task_struct *tsk,
918 int cap)
919{
920 struct task_security_struct *tsec;
921 struct avc_audit_data ad;
922
923 tsec = tsk->security;
924
925 AVC_AUDIT_DATA_INIT(&ad,CAP);
926 ad.tsk = tsk;
927 ad.u.cap = cap;
928
929 return avc_has_perm(tsec->sid, tsec->sid,
930 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
931}
932
933/* Check whether a task is allowed to use a system operation. */
934static int task_has_system(struct task_struct *tsk,
935 u32 perms)
936{
937 struct task_security_struct *tsec;
938
939 tsec = tsk->security;
940
941 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
942 SECCLASS_SYSTEM, perms, NULL);
943}
944
945/* Check whether a task has a particular permission to an inode.
946 The 'adp' parameter is optional and allows other audit
947 data to be passed (e.g. the dentry). */
948static int inode_has_perm(struct task_struct *tsk,
949 struct inode *inode,
950 u32 perms,
951 struct avc_audit_data *adp)
952{
953 struct task_security_struct *tsec;
954 struct inode_security_struct *isec;
955 struct avc_audit_data ad;
956
957 tsec = tsk->security;
958 isec = inode->i_security;
959
960 if (!adp) {
961 adp = &ad;
962 AVC_AUDIT_DATA_INIT(&ad, FS);
963 ad.u.fs.inode = inode;
964 }
965
966 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
967}
968
969/* Same as inode_has_perm, but pass explicit audit data containing
970 the dentry to help the auditing code to more easily generate the
971 pathname if needed. */
972static inline int dentry_has_perm(struct task_struct *tsk,
973 struct vfsmount *mnt,
974 struct dentry *dentry,
975 u32 av)
976{
977 struct inode *inode = dentry->d_inode;
978 struct avc_audit_data ad;
979 AVC_AUDIT_DATA_INIT(&ad,FS);
980 ad.u.fs.mnt = mnt;
981 ad.u.fs.dentry = dentry;
982 return inode_has_perm(tsk, inode, av, &ad);
983}
984
985/* Check whether a task can use an open file descriptor to
986 access an inode in a given way. Check access to the
987 descriptor itself, and then use dentry_has_perm to
988 check a particular permission to the file.
989 Access to the descriptor is implicitly granted if it
990 has the same SID as the process. If av is zero, then
991 access to the file is not checked, e.g. for cases
992 where only the descriptor is affected like seek. */
Arjan van de Ven858119e2006-01-14 13:20:43 -0800993static int file_has_perm(struct task_struct *tsk,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700994 struct file *file,
995 u32 av)
996{
997 struct task_security_struct *tsec = tsk->security;
998 struct file_security_struct *fsec = file->f_security;
999 struct vfsmount *mnt = file->f_vfsmnt;
1000 struct dentry *dentry = file->f_dentry;
1001 struct inode *inode = dentry->d_inode;
1002 struct avc_audit_data ad;
1003 int rc;
1004
1005 AVC_AUDIT_DATA_INIT(&ad, FS);
1006 ad.u.fs.mnt = mnt;
1007 ad.u.fs.dentry = dentry;
1008
1009 if (tsec->sid != fsec->sid) {
1010 rc = avc_has_perm(tsec->sid, fsec->sid,
1011 SECCLASS_FD,
1012 FD__USE,
1013 &ad);
1014 if (rc)
1015 return rc;
1016 }
1017
1018 /* av is zero if only checking access to the descriptor. */
1019 if (av)
1020 return inode_has_perm(tsk, inode, av, &ad);
1021
1022 return 0;
1023}
1024
1025/* Check whether a task can create a file. */
1026static int may_create(struct inode *dir,
1027 struct dentry *dentry,
1028 u16 tclass)
1029{
1030 struct task_security_struct *tsec;
1031 struct inode_security_struct *dsec;
1032 struct superblock_security_struct *sbsec;
1033 u32 newsid;
1034 struct avc_audit_data ad;
1035 int rc;
1036
1037 tsec = current->security;
1038 dsec = dir->i_security;
1039 sbsec = dir->i_sb->s_security;
1040
1041 AVC_AUDIT_DATA_INIT(&ad, FS);
1042 ad.u.fs.dentry = dentry;
1043
1044 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1045 DIR__ADD_NAME | DIR__SEARCH,
1046 &ad);
1047 if (rc)
1048 return rc;
1049
1050 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1051 newsid = tsec->create_sid;
1052 } else {
1053 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1054 &newsid);
1055 if (rc)
1056 return rc;
1057 }
1058
1059 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1060 if (rc)
1061 return rc;
1062
1063 return avc_has_perm(newsid, sbsec->sid,
1064 SECCLASS_FILESYSTEM,
1065 FILESYSTEM__ASSOCIATE, &ad);
1066}
1067
1068#define MAY_LINK 0
1069#define MAY_UNLINK 1
1070#define MAY_RMDIR 2
1071
1072/* Check whether a task can link, unlink, or rmdir a file/directory. */
1073static int may_link(struct inode *dir,
1074 struct dentry *dentry,
1075 int kind)
1076
1077{
1078 struct task_security_struct *tsec;
1079 struct inode_security_struct *dsec, *isec;
1080 struct avc_audit_data ad;
1081 u32 av;
1082 int rc;
1083
1084 tsec = current->security;
1085 dsec = dir->i_security;
1086 isec = dentry->d_inode->i_security;
1087
1088 AVC_AUDIT_DATA_INIT(&ad, FS);
1089 ad.u.fs.dentry = dentry;
1090
1091 av = DIR__SEARCH;
1092 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1093 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1094 if (rc)
1095 return rc;
1096
1097 switch (kind) {
1098 case MAY_LINK:
1099 av = FILE__LINK;
1100 break;
1101 case MAY_UNLINK:
1102 av = FILE__UNLINK;
1103 break;
1104 case MAY_RMDIR:
1105 av = DIR__RMDIR;
1106 break;
1107 default:
1108 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1109 return 0;
1110 }
1111
1112 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1113 return rc;
1114}
1115
1116static inline int may_rename(struct inode *old_dir,
1117 struct dentry *old_dentry,
1118 struct inode *new_dir,
1119 struct dentry *new_dentry)
1120{
1121 struct task_security_struct *tsec;
1122 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1123 struct avc_audit_data ad;
1124 u32 av;
1125 int old_is_dir, new_is_dir;
1126 int rc;
1127
1128 tsec = current->security;
1129 old_dsec = old_dir->i_security;
1130 old_isec = old_dentry->d_inode->i_security;
1131 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1132 new_dsec = new_dir->i_security;
1133
1134 AVC_AUDIT_DATA_INIT(&ad, FS);
1135
1136 ad.u.fs.dentry = old_dentry;
1137 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1138 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1139 if (rc)
1140 return rc;
1141 rc = avc_has_perm(tsec->sid, old_isec->sid,
1142 old_isec->sclass, FILE__RENAME, &ad);
1143 if (rc)
1144 return rc;
1145 if (old_is_dir && new_dir != old_dir) {
1146 rc = avc_has_perm(tsec->sid, old_isec->sid,
1147 old_isec->sclass, DIR__REPARENT, &ad);
1148 if (rc)
1149 return rc;
1150 }
1151
1152 ad.u.fs.dentry = new_dentry;
1153 av = DIR__ADD_NAME | DIR__SEARCH;
1154 if (new_dentry->d_inode)
1155 av |= DIR__REMOVE_NAME;
1156 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1157 if (rc)
1158 return rc;
1159 if (new_dentry->d_inode) {
1160 new_isec = new_dentry->d_inode->i_security;
1161 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1162 rc = avc_has_perm(tsec->sid, new_isec->sid,
1163 new_isec->sclass,
1164 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1165 if (rc)
1166 return rc;
1167 }
1168
1169 return 0;
1170}
1171
1172/* Check whether a task can perform a filesystem operation. */
1173static int superblock_has_perm(struct task_struct *tsk,
1174 struct super_block *sb,
1175 u32 perms,
1176 struct avc_audit_data *ad)
1177{
1178 struct task_security_struct *tsec;
1179 struct superblock_security_struct *sbsec;
1180
1181 tsec = tsk->security;
1182 sbsec = sb->s_security;
1183 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1184 perms, ad);
1185}
1186
1187/* Convert a Linux mode and permission mask to an access vector. */
1188static inline u32 file_mask_to_av(int mode, int mask)
1189{
1190 u32 av = 0;
1191
1192 if ((mode & S_IFMT) != S_IFDIR) {
1193 if (mask & MAY_EXEC)
1194 av |= FILE__EXECUTE;
1195 if (mask & MAY_READ)
1196 av |= FILE__READ;
1197
1198 if (mask & MAY_APPEND)
1199 av |= FILE__APPEND;
1200 else if (mask & MAY_WRITE)
1201 av |= FILE__WRITE;
1202
1203 } else {
1204 if (mask & MAY_EXEC)
1205 av |= DIR__SEARCH;
1206 if (mask & MAY_WRITE)
1207 av |= DIR__WRITE;
1208 if (mask & MAY_READ)
1209 av |= DIR__READ;
1210 }
1211
1212 return av;
1213}
1214
1215/* Convert a Linux file to an access vector. */
1216static inline u32 file_to_av(struct file *file)
1217{
1218 u32 av = 0;
1219
1220 if (file->f_mode & FMODE_READ)
1221 av |= FILE__READ;
1222 if (file->f_mode & FMODE_WRITE) {
1223 if (file->f_flags & O_APPEND)
1224 av |= FILE__APPEND;
1225 else
1226 av |= FILE__WRITE;
1227 }
1228
1229 return av;
1230}
1231
1232/* Set an inode's SID to a specified value. */
1233static int inode_security_set_sid(struct inode *inode, u32 sid)
1234{
1235 struct inode_security_struct *isec = inode->i_security;
1236 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1237
1238 if (!sbsec->initialized) {
1239 /* Defer initialization to selinux_complete_init. */
1240 return 0;
1241 }
1242
1243 down(&isec->sem);
1244 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1245 isec->sid = sid;
1246 isec->initialized = 1;
1247 up(&isec->sem);
1248 return 0;
1249}
1250
Linus Torvalds1da177e2005-04-16 15:20:36 -07001251/* Hook functions begin here. */
1252
1253static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1254{
1255 struct task_security_struct *psec = parent->security;
1256 struct task_security_struct *csec = child->security;
1257 int rc;
1258
1259 rc = secondary_ops->ptrace(parent,child);
1260 if (rc)
1261 return rc;
1262
1263 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1264 /* Save the SID of the tracing process for later use in apply_creds. */
1265 if (!rc)
1266 csec->ptrace_sid = psec->sid;
1267 return rc;
1268}
1269
1270static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1271 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1272{
1273 int error;
1274
1275 error = task_has_perm(current, target, PROCESS__GETCAP);
1276 if (error)
1277 return error;
1278
1279 return secondary_ops->capget(target, effective, inheritable, permitted);
1280}
1281
1282static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1283 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1284{
1285 int error;
1286
1287 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1288 if (error)
1289 return error;
1290
1291 return task_has_perm(current, target, PROCESS__SETCAP);
1292}
1293
1294static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1295 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1296{
1297 secondary_ops->capset_set(target, effective, inheritable, permitted);
1298}
1299
1300static int selinux_capable(struct task_struct *tsk, int cap)
1301{
1302 int rc;
1303
1304 rc = secondary_ops->capable(tsk, cap);
1305 if (rc)
1306 return rc;
1307
1308 return task_has_capability(tsk,cap);
1309}
1310
1311static int selinux_sysctl(ctl_table *table, int op)
1312{
1313 int error = 0;
1314 u32 av;
1315 struct task_security_struct *tsec;
1316 u32 tsid;
1317 int rc;
1318
1319 rc = secondary_ops->sysctl(table, op);
1320 if (rc)
1321 return rc;
1322
1323 tsec = current->security;
1324
1325 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1326 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1327 if (rc) {
1328 /* Default to the well-defined sysctl SID. */
1329 tsid = SECINITSID_SYSCTL;
1330 }
1331
1332 /* The op values are "defined" in sysctl.c, thereby creating
1333 * a bad coupling between this module and sysctl.c */
1334 if(op == 001) {
1335 error = avc_has_perm(tsec->sid, tsid,
1336 SECCLASS_DIR, DIR__SEARCH, NULL);
1337 } else {
1338 av = 0;
1339 if (op & 004)
1340 av |= FILE__READ;
1341 if (op & 002)
1342 av |= FILE__WRITE;
1343 if (av)
1344 error = avc_has_perm(tsec->sid, tsid,
1345 SECCLASS_FILE, av, NULL);
1346 }
1347
1348 return error;
1349}
1350
1351static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1352{
1353 int rc = 0;
1354
1355 if (!sb)
1356 return 0;
1357
1358 switch (cmds) {
1359 case Q_SYNC:
1360 case Q_QUOTAON:
1361 case Q_QUOTAOFF:
1362 case Q_SETINFO:
1363 case Q_SETQUOTA:
1364 rc = superblock_has_perm(current,
1365 sb,
1366 FILESYSTEM__QUOTAMOD, NULL);
1367 break;
1368 case Q_GETFMT:
1369 case Q_GETINFO:
1370 case Q_GETQUOTA:
1371 rc = superblock_has_perm(current,
1372 sb,
1373 FILESYSTEM__QUOTAGET, NULL);
1374 break;
1375 default:
1376 rc = 0; /* let the kernel handle invalid cmds */
1377 break;
1378 }
1379 return rc;
1380}
1381
1382static int selinux_quota_on(struct dentry *dentry)
1383{
1384 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1385}
1386
1387static int selinux_syslog(int type)
1388{
1389 int rc;
1390
1391 rc = secondary_ops->syslog(type);
1392 if (rc)
1393 return rc;
1394
1395 switch (type) {
1396 case 3: /* Read last kernel messages */
1397 case 10: /* Return size of the log buffer */
1398 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1399 break;
1400 case 6: /* Disable logging to console */
1401 case 7: /* Enable logging to console */
1402 case 8: /* Set level of messages printed to console */
1403 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1404 break;
1405 case 0: /* Close log */
1406 case 1: /* Open log */
1407 case 2: /* Read from log */
1408 case 4: /* Read/clear last kernel messages */
1409 case 5: /* Clear ring buffer */
1410 default:
1411 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1412 break;
1413 }
1414 return rc;
1415}
1416
1417/*
1418 * Check that a process has enough memory to allocate a new virtual
1419 * mapping. 0 means there is enough memory for the allocation to
1420 * succeed and -ENOMEM implies there is not.
1421 *
1422 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1423 * if the capability is granted, but __vm_enough_memory requires 1 if
1424 * the capability is granted.
1425 *
1426 * Do not audit the selinux permission check, as this is applied to all
1427 * processes that allocate mappings.
1428 */
1429static int selinux_vm_enough_memory(long pages)
1430{
1431 int rc, cap_sys_admin = 0;
1432 struct task_security_struct *tsec = current->security;
1433
1434 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1435 if (rc == 0)
1436 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1437 SECCLASS_CAPABILITY,
1438 CAP_TO_MASK(CAP_SYS_ADMIN),
1439 NULL);
1440
1441 if (rc == 0)
1442 cap_sys_admin = 1;
1443
1444 return __vm_enough_memory(pages, cap_sys_admin);
1445}
1446
1447/* binprm security operations */
1448
1449static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1450{
1451 struct bprm_security_struct *bsec;
1452
James Morris89d155e2005-10-30 14:59:21 -08001453 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -07001454 if (!bsec)
1455 return -ENOMEM;
1456
Linus Torvalds1da177e2005-04-16 15:20:36 -07001457 bsec->bprm = bprm;
1458 bsec->sid = SECINITSID_UNLABELED;
1459 bsec->set = 0;
1460
1461 bprm->security = bsec;
1462 return 0;
1463}
1464
1465static int selinux_bprm_set_security(struct linux_binprm *bprm)
1466{
1467 struct task_security_struct *tsec;
1468 struct inode *inode = bprm->file->f_dentry->d_inode;
1469 struct inode_security_struct *isec;
1470 struct bprm_security_struct *bsec;
1471 u32 newsid;
1472 struct avc_audit_data ad;
1473 int rc;
1474
1475 rc = secondary_ops->bprm_set_security(bprm);
1476 if (rc)
1477 return rc;
1478
1479 bsec = bprm->security;
1480
1481 if (bsec->set)
1482 return 0;
1483
1484 tsec = current->security;
1485 isec = inode->i_security;
1486
1487 /* Default to the current task SID. */
1488 bsec->sid = tsec->sid;
1489
1490 /* Reset create SID on execve. */
1491 tsec->create_sid = 0;
1492
1493 if (tsec->exec_sid) {
1494 newsid = tsec->exec_sid;
1495 /* Reset exec SID on execve. */
1496 tsec->exec_sid = 0;
1497 } else {
1498 /* Check for a default transition on this program. */
1499 rc = security_transition_sid(tsec->sid, isec->sid,
1500 SECCLASS_PROCESS, &newsid);
1501 if (rc)
1502 return rc;
1503 }
1504
1505 AVC_AUDIT_DATA_INIT(&ad, FS);
1506 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1507 ad.u.fs.dentry = bprm->file->f_dentry;
1508
1509 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1510 newsid = tsec->sid;
1511
1512 if (tsec->sid == newsid) {
1513 rc = avc_has_perm(tsec->sid, isec->sid,
1514 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1515 if (rc)
1516 return rc;
1517 } else {
1518 /* Check permissions for the transition. */
1519 rc = avc_has_perm(tsec->sid, newsid,
1520 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1521 if (rc)
1522 return rc;
1523
1524 rc = avc_has_perm(newsid, isec->sid,
1525 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1526 if (rc)
1527 return rc;
1528
1529 /* Clear any possibly unsafe personality bits on exec: */
1530 current->personality &= ~PER_CLEAR_ON_SETID;
1531
1532 /* Set the security field to the new SID. */
1533 bsec->sid = newsid;
1534 }
1535
1536 bsec->set = 1;
1537 return 0;
1538}
1539
1540static int selinux_bprm_check_security (struct linux_binprm *bprm)
1541{
1542 return secondary_ops->bprm_check_security(bprm);
1543}
1544
1545
1546static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1547{
1548 struct task_security_struct *tsec = current->security;
1549 int atsecure = 0;
1550
1551 if (tsec->osid != tsec->sid) {
1552 /* Enable secure mode for SIDs transitions unless
1553 the noatsecure permission is granted between
1554 the two SIDs, i.e. ahp returns 0. */
1555 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1556 SECCLASS_PROCESS,
1557 PROCESS__NOATSECURE, NULL);
1558 }
1559
1560 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1561}
1562
1563static void selinux_bprm_free_security(struct linux_binprm *bprm)
1564{
Jesper Juhl9a5f04b2005-06-25 14:58:51 -07001565 kfree(bprm->security);
Linus Torvalds1da177e2005-04-16 15:20:36 -07001566 bprm->security = NULL;
Linus Torvalds1da177e2005-04-16 15:20:36 -07001567}
1568
1569extern struct vfsmount *selinuxfs_mount;
1570extern struct dentry *selinux_null;
1571
1572/* Derived from fs/exec.c:flush_old_files. */
1573static inline void flush_unauthorized_files(struct files_struct * files)
1574{
1575 struct avc_audit_data ad;
1576 struct file *file, *devnull = NULL;
1577 struct tty_struct *tty = current->signal->tty;
Dipankar Sarmabadf1662005-09-09 13:04:10 -07001578 struct fdtable *fdt;
Linus Torvalds1da177e2005-04-16 15:20:36 -07001579 long j = -1;
1580
1581 if (tty) {
1582 file_list_lock();
Eric Dumazet2f512012005-10-30 15:02:16 -08001583 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
Linus Torvalds1da177e2005-04-16 15:20:36 -07001584 if (file) {
1585 /* Revalidate access to controlling tty.
1586 Use inode_has_perm on the tty inode directly rather
1587 than using file_has_perm, as this particular open
1588 file may belong to another process and we are only
1589 interested in the inode-based check here. */
1590 struct inode *inode = file->f_dentry->d_inode;
1591 if (inode_has_perm(current, inode,
1592 FILE__READ | FILE__WRITE, NULL)) {
1593 /* Reset controlling tty. */
1594 current->signal->tty = NULL;
1595 current->signal->tty_old_pgrp = 0;
1596 }
1597 }
1598 file_list_unlock();
1599 }
1600
1601 /* Revalidate access to inherited open files. */
1602
1603 AVC_AUDIT_DATA_INIT(&ad,FS);
1604
1605 spin_lock(&files->file_lock);
1606 for (;;) {
1607 unsigned long set, i;
1608 int fd;
1609
1610 j++;
1611 i = j * __NFDBITS;
Dipankar Sarmabadf1662005-09-09 13:04:10 -07001612 fdt = files_fdtable(files);
1613 if (i >= fdt->max_fds || i >= fdt->max_fdset)
Linus Torvalds1da177e2005-04-16 15:20:36 -07001614 break;
Dipankar Sarmabadf1662005-09-09 13:04:10 -07001615 set = fdt->open_fds->fds_bits[j];
Linus Torvalds1da177e2005-04-16 15:20:36 -07001616 if (!set)
1617 continue;
1618 spin_unlock(&files->file_lock);
1619 for ( ; set ; i++,set >>= 1) {
1620 if (set & 1) {
1621 file = fget(i);
1622 if (!file)
1623 continue;
1624 if (file_has_perm(current,
1625 file,
1626 file_to_av(file))) {
1627 sys_close(i);
1628 fd = get_unused_fd();
1629 if (fd != i) {
1630 if (fd >= 0)
1631 put_unused_fd(fd);
1632 fput(file);
1633 continue;
1634 }
1635 if (devnull) {
Nick Piggin095975d2006-01-08 01:02:19 -08001636 get_file(devnull);
Linus Torvalds1da177e2005-04-16 15:20:36 -07001637 } else {
1638 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1639 if (!devnull) {
1640 put_unused_fd(fd);
1641 fput(file);
1642 continue;
1643 }
1644 }
1645 fd_install(fd, devnull);
1646 }
1647 fput(file);
1648 }
1649 }
1650 spin_lock(&files->file_lock);
1651
1652 }
1653 spin_unlock(&files->file_lock);
1654}
1655
1656static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1657{
1658 struct task_security_struct *tsec;
1659 struct bprm_security_struct *bsec;
1660 u32 sid;
1661 int rc;
1662
1663 secondary_ops->bprm_apply_creds(bprm, unsafe);
1664
1665 tsec = current->security;
1666
1667 bsec = bprm->security;
1668 sid = bsec->sid;
1669
1670 tsec->osid = tsec->sid;
1671 bsec->unsafe = 0;
1672 if (tsec->sid != sid) {
1673 /* Check for shared state. If not ok, leave SID
1674 unchanged and kill. */
1675 if (unsafe & LSM_UNSAFE_SHARE) {
1676 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1677 PROCESS__SHARE, NULL);
1678 if (rc) {
1679 bsec->unsafe = 1;
1680 return;
1681 }
1682 }
1683
1684 /* Check for ptracing, and update the task SID if ok.
1685 Otherwise, leave SID unchanged and kill. */
1686 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1687 rc = avc_has_perm(tsec->ptrace_sid, sid,
1688 SECCLASS_PROCESS, PROCESS__PTRACE,
1689 NULL);
1690 if (rc) {
1691 bsec->unsafe = 1;
1692 return;
1693 }
1694 }
1695 tsec->sid = sid;
1696 }
1697}
1698
1699/*
1700 * called after apply_creds without the task lock held
1701 */
1702static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1703{
1704 struct task_security_struct *tsec;
1705 struct rlimit *rlim, *initrlim;
1706 struct itimerval itimer;
1707 struct bprm_security_struct *bsec;
1708 int rc, i;
1709
1710 tsec = current->security;
1711 bsec = bprm->security;
1712
1713 if (bsec->unsafe) {
1714 force_sig_specific(SIGKILL, current);
1715 return;
1716 }
1717 if (tsec->osid == tsec->sid)
1718 return;
1719
1720 /* Close files for which the new task SID is not authorized. */
1721 flush_unauthorized_files(current->files);
1722
1723 /* Check whether the new SID can inherit signal state
1724 from the old SID. If not, clear itimers to avoid
1725 subsequent signal generation and flush and unblock
1726 signals. This must occur _after_ the task SID has
1727 been updated so that any kill done after the flush
1728 will be checked against the new SID. */
1729 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1730 PROCESS__SIGINH, NULL);
1731 if (rc) {
1732 memset(&itimer, 0, sizeof itimer);
1733 for (i = 0; i < 3; i++)
1734 do_setitimer(i, &itimer, NULL);
1735 flush_signals(current);
1736 spin_lock_irq(&current->sighand->siglock);
1737 flush_signal_handlers(current, 1);
1738 sigemptyset(&current->blocked);
1739 recalc_sigpending();
1740 spin_unlock_irq(&current->sighand->siglock);
1741 }
1742
1743 /* Check whether the new SID can inherit resource limits
1744 from the old SID. If not, reset all soft limits to
1745 the lower of the current task's hard limit and the init
1746 task's soft limit. Note that the setting of hard limits
1747 (even to lower them) can be controlled by the setrlimit
1748 check. The inclusion of the init task's soft limit into
1749 the computation is to avoid resetting soft limits higher
1750 than the default soft limit for cases where the default
1751 is lower than the hard limit, e.g. RLIMIT_CORE or
1752 RLIMIT_STACK.*/
1753 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1754 PROCESS__RLIMITINH, NULL);
1755 if (rc) {
1756 for (i = 0; i < RLIM_NLIMITS; i++) {
1757 rlim = current->signal->rlim + i;
1758 initrlim = init_task.signal->rlim+i;
1759 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1760 }
1761 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1762 /*
1763 * This will cause RLIMIT_CPU calculations
1764 * to be refigured.
1765 */
1766 current->it_prof_expires = jiffies_to_cputime(1);
1767 }
1768 }
1769
1770 /* Wake up the parent if it is waiting so that it can
1771 recheck wait permission to the new task SID. */
1772 wake_up_interruptible(&current->parent->signal->wait_chldexit);
1773}
1774
1775/* superblock security operations */
1776
1777static int selinux_sb_alloc_security(struct super_block *sb)
1778{
1779 return superblock_alloc_security(sb);
1780}
1781
1782static void selinux_sb_free_security(struct super_block *sb)
1783{
1784 superblock_free_security(sb);
1785}
1786
1787static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1788{
1789 if (plen > olen)
1790 return 0;
1791
1792 return !memcmp(prefix, option, plen);
1793}
1794
1795static inline int selinux_option(char *option, int len)
1796{
1797 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1798 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1799 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1800}
1801
1802static inline void take_option(char **to, char *from, int *first, int len)
1803{
1804 if (!*first) {
1805 **to = ',';
1806 *to += 1;
1807 }
1808 else
1809 *first = 0;
1810 memcpy(*to, from, len);
1811 *to += len;
1812}
1813
1814static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1815{
1816 int fnosec, fsec, rc = 0;
1817 char *in_save, *in_curr, *in_end;
1818 char *sec_curr, *nosec_save, *nosec;
1819
1820 in_curr = orig;
1821 sec_curr = copy;
1822
1823 /* Binary mount data: just copy */
1824 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1825 copy_page(sec_curr, in_curr);
1826 goto out;
1827 }
1828
1829 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1830 if (!nosec) {
1831 rc = -ENOMEM;
1832 goto out;
1833 }
1834
1835 nosec_save = nosec;
1836 fnosec = fsec = 1;
1837 in_save = in_end = orig;
1838
1839 do {
1840 if (*in_end == ',' || *in_end == '\0') {
1841 int len = in_end - in_curr;
1842
1843 if (selinux_option(in_curr, len))
1844 take_option(&sec_curr, in_curr, &fsec, len);
1845 else
1846 take_option(&nosec, in_curr, &fnosec, len);
1847
1848 in_curr = in_end + 1;
1849 }
1850 } while (*in_end++);
1851
Eric Paris6931dfc2005-06-30 02:58:51 -07001852 strcpy(in_save, nosec_save);
Gerald Schaeferda3caa22005-06-21 17:15:18 -07001853 free_page((unsigned long)nosec_save);
Linus Torvalds1da177e2005-04-16 15:20:36 -07001854out:
1855 return rc;
1856}
1857
1858static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1859{
1860 struct avc_audit_data ad;
1861 int rc;
1862
1863 rc = superblock_doinit(sb, data);
1864 if (rc)
1865 return rc;
1866
1867 AVC_AUDIT_DATA_INIT(&ad,FS);
1868 ad.u.fs.dentry = sb->s_root;
1869 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1870}
1871
1872static int selinux_sb_statfs(struct super_block *sb)
1873{
1874 struct avc_audit_data ad;
1875
1876 AVC_AUDIT_DATA_INIT(&ad,FS);
1877 ad.u.fs.dentry = sb->s_root;
1878 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1879}
1880
1881static int selinux_mount(char * dev_name,
1882 struct nameidata *nd,
1883 char * type,
1884 unsigned long flags,
1885 void * data)
1886{
1887 int rc;
1888
1889 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1890 if (rc)
1891 return rc;
1892
1893 if (flags & MS_REMOUNT)
1894 return superblock_has_perm(current, nd->mnt->mnt_sb,
1895 FILESYSTEM__REMOUNT, NULL);
1896 else
1897 return dentry_has_perm(current, nd->mnt, nd->dentry,
1898 FILE__MOUNTON);
1899}
1900
1901static int selinux_umount(struct vfsmount *mnt, int flags)
1902{
1903 int rc;
1904
1905 rc = secondary_ops->sb_umount(mnt, flags);
1906 if (rc)
1907 return rc;
1908
1909 return superblock_has_perm(current,mnt->mnt_sb,
1910 FILESYSTEM__UNMOUNT,NULL);
1911}
1912
1913/* inode security operations */
1914
1915static int selinux_inode_alloc_security(struct inode *inode)
1916{
1917 return inode_alloc_security(inode);
1918}
1919
1920static void selinux_inode_free_security(struct inode *inode)
1921{
1922 inode_free_security(inode);
1923}
1924
Stephen Smalley5e41ff92005-09-09 13:01:35 -07001925static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1926 char **name, void **value,
1927 size_t *len)
1928{
1929 struct task_security_struct *tsec;
1930 struct inode_security_struct *dsec;
1931 struct superblock_security_struct *sbsec;
1932 struct inode_security_struct *isec;
Stephen Smalley570bc1c2005-09-09 13:01:43 -07001933 u32 newsid, clen;
Stephen Smalley5e41ff92005-09-09 13:01:35 -07001934 int rc;
Stephen Smalley570bc1c2005-09-09 13:01:43 -07001935 char *namep = NULL, *context;
Stephen Smalley5e41ff92005-09-09 13:01:35 -07001936
1937 tsec = current->security;
1938 dsec = dir->i_security;
1939 sbsec = dir->i_sb->s_security;
1940 isec = inode->i_security;
1941
1942 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1943 newsid = tsec->create_sid;
1944 } else {
1945 rc = security_transition_sid(tsec->sid, dsec->sid,
1946 inode_mode_to_security_class(inode->i_mode),
1947 &newsid);
1948 if (rc) {
1949 printk(KERN_WARNING "%s: "
1950 "security_transition_sid failed, rc=%d (dev=%s "
1951 "ino=%ld)\n",
1952 __FUNCTION__,
1953 -rc, inode->i_sb->s_id, inode->i_ino);
1954 return rc;
1955 }
1956 }
1957
1958 inode_security_set_sid(inode, newsid);
1959
Stephen Smalley25a74f32005-11-08 21:34:33 -08001960 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
1961 return -EOPNOTSUPP;
1962
Stephen Smalley570bc1c2005-09-09 13:01:43 -07001963 if (name) {
1964 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1965 if (!namep)
1966 return -ENOMEM;
1967 *name = namep;
Stephen Smalley5e41ff92005-09-09 13:01:35 -07001968 }
Stephen Smalley570bc1c2005-09-09 13:01:43 -07001969
1970 if (value && len) {
1971 rc = security_sid_to_context(newsid, &context, &clen);
1972 if (rc) {
1973 kfree(namep);
1974 return rc;
1975 }
1976 *value = context;
1977 *len = clen;
1978 }
Stephen Smalley5e41ff92005-09-09 13:01:35 -07001979
Stephen Smalley5e41ff92005-09-09 13:01:35 -07001980 return 0;
1981}
1982
Linus Torvalds1da177e2005-04-16 15:20:36 -07001983static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
1984{
1985 return may_create(dir, dentry, SECCLASS_FILE);
1986}
1987
Linus Torvalds1da177e2005-04-16 15:20:36 -07001988static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
1989{
1990 int rc;
1991
1992 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
1993 if (rc)
1994 return rc;
1995 return may_link(dir, old_dentry, MAY_LINK);
1996}
1997
Linus Torvalds1da177e2005-04-16 15:20:36 -07001998static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
1999{
2000 int rc;
2001
2002 rc = secondary_ops->inode_unlink(dir, dentry);
2003 if (rc)
2004 return rc;
2005 return may_link(dir, dentry, MAY_UNLINK);
2006}
2007
2008static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2009{
2010 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2011}
2012
Linus Torvalds1da177e2005-04-16 15:20:36 -07002013static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2014{
2015 return may_create(dir, dentry, SECCLASS_DIR);
2016}
2017
Linus Torvalds1da177e2005-04-16 15:20:36 -07002018static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2019{
2020 return may_link(dir, dentry, MAY_RMDIR);
2021}
2022
2023static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2024{
2025 int rc;
2026
2027 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2028 if (rc)
2029 return rc;
2030
2031 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2032}
2033
Linus Torvalds1da177e2005-04-16 15:20:36 -07002034static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2035 struct inode *new_inode, struct dentry *new_dentry)
2036{
2037 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2038}
2039
Linus Torvalds1da177e2005-04-16 15:20:36 -07002040static int selinux_inode_readlink(struct dentry *dentry)
2041{
2042 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2043}
2044
2045static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2046{
2047 int rc;
2048
2049 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2050 if (rc)
2051 return rc;
2052 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2053}
2054
2055static int selinux_inode_permission(struct inode *inode, int mask,
2056 struct nameidata *nd)
2057{
2058 int rc;
2059
2060 rc = secondary_ops->inode_permission(inode, mask, nd);
2061 if (rc)
2062 return rc;
2063
2064 if (!mask) {
2065 /* No permission to check. Existence test. */
2066 return 0;
2067 }
2068
2069 return inode_has_perm(current, inode,
2070 file_mask_to_av(inode->i_mode, mask), NULL);
2071}
2072
2073static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2074{
2075 int rc;
2076
2077 rc = secondary_ops->inode_setattr(dentry, iattr);
2078 if (rc)
2079 return rc;
2080
2081 if (iattr->ia_valid & ATTR_FORCE)
2082 return 0;
2083
2084 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2085 ATTR_ATIME_SET | ATTR_MTIME_SET))
2086 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2087
2088 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2089}
2090
2091static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2092{
2093 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2094}
2095
2096static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2097{
2098 struct task_security_struct *tsec = current->security;
2099 struct inode *inode = dentry->d_inode;
2100 struct inode_security_struct *isec = inode->i_security;
2101 struct superblock_security_struct *sbsec;
2102 struct avc_audit_data ad;
2103 u32 newsid;
2104 int rc = 0;
2105
2106 if (strcmp(name, XATTR_NAME_SELINUX)) {
2107 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2108 sizeof XATTR_SECURITY_PREFIX - 1) &&
2109 !capable(CAP_SYS_ADMIN)) {
2110 /* A different attribute in the security namespace.
2111 Restrict to administrator. */
2112 return -EPERM;
2113 }
2114
2115 /* Not an attribute we recognize, so just check the
2116 ordinary setattr permission. */
2117 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2118 }
2119
2120 sbsec = inode->i_sb->s_security;
2121 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2122 return -EOPNOTSUPP;
2123
2124 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2125 return -EPERM;
2126
2127 AVC_AUDIT_DATA_INIT(&ad,FS);
2128 ad.u.fs.dentry = dentry;
2129
2130 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2131 FILE__RELABELFROM, &ad);
2132 if (rc)
2133 return rc;
2134
2135 rc = security_context_to_sid(value, size, &newsid);
2136 if (rc)
2137 return rc;
2138
2139 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2140 FILE__RELABELTO, &ad);
2141 if (rc)
2142 return rc;
2143
2144 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2145 isec->sclass);
2146 if (rc)
2147 return rc;
2148
2149 return avc_has_perm(newsid,
2150 sbsec->sid,
2151 SECCLASS_FILESYSTEM,
2152 FILESYSTEM__ASSOCIATE,
2153 &ad);
2154}
2155
2156static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2157 void *value, size_t size, int flags)
2158{
2159 struct inode *inode = dentry->d_inode;
2160 struct inode_security_struct *isec = inode->i_security;
2161 u32 newsid;
2162 int rc;
2163
2164 if (strcmp(name, XATTR_NAME_SELINUX)) {
2165 /* Not an attribute we recognize, so nothing to do. */
2166 return;
2167 }
2168
2169 rc = security_context_to_sid(value, size, &newsid);
2170 if (rc) {
2171 printk(KERN_WARNING "%s: unable to obtain SID for context "
2172 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2173 return;
2174 }
2175
2176 isec->sid = newsid;
2177 return;
2178}
2179
2180static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2181{
Linus Torvalds1da177e2005-04-16 15:20:36 -07002182 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2183}
2184
2185static int selinux_inode_listxattr (struct dentry *dentry)
2186{
2187 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2188}
2189
2190static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2191{
2192 if (strcmp(name, XATTR_NAME_SELINUX)) {
2193 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2194 sizeof XATTR_SECURITY_PREFIX - 1) &&
2195 !capable(CAP_SYS_ADMIN)) {
2196 /* A different attribute in the security namespace.
2197 Restrict to administrator. */
2198 return -EPERM;
2199 }
2200
2201 /* Not an attribute we recognize, so just check the
2202 ordinary setattr permission. Might want a separate
2203 permission for removexattr. */
2204 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2205 }
2206
2207 /* No one is allowed to remove a SELinux security label.
2208 You can change the label, but all data must be labeled. */
2209 return -EACCES;
2210}
2211
James Morrisd381d8a2005-10-30 14:59:22 -08002212/*
2213 * Copy the in-core inode security context value to the user. If the
2214 * getxattr() prior to this succeeded, check to see if we need to
2215 * canonicalize the value to be finally returned to the user.
2216 *
2217 * Permission check is handled by selinux_inode_getxattr hook.
2218 */
2219static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
Linus Torvalds1da177e2005-04-16 15:20:36 -07002220{
2221 struct inode_security_struct *isec = inode->i_security;
2222 char *context;
2223 unsigned len;
2224 int rc;
2225
James Morrisd381d8a2005-10-30 14:59:22 -08002226 if (strcmp(name, XATTR_SELINUX_SUFFIX)) {
2227 rc = -EOPNOTSUPP;
2228 goto out;
2229 }
Linus Torvalds1da177e2005-04-16 15:20:36 -07002230
2231 rc = security_sid_to_context(isec->sid, &context, &len);
2232 if (rc)
James Morrisd381d8a2005-10-30 14:59:22 -08002233 goto out;
Linus Torvalds1da177e2005-04-16 15:20:36 -07002234
James Morrisd381d8a2005-10-30 14:59:22 -08002235 /* Probe for required buffer size */
Linus Torvalds1da177e2005-04-16 15:20:36 -07002236 if (!buffer || !size) {
James Morrisd381d8a2005-10-30 14:59:22 -08002237 rc = len;
2238 goto out_free;
Linus Torvalds1da177e2005-04-16 15:20:36 -07002239 }
James Morrisd381d8a2005-10-30 14:59:22 -08002240
Linus Torvalds1da177e2005-04-16 15:20:36 -07002241 if (size < len) {
James Morrisd381d8a2005-10-30 14:59:22 -08002242 rc = -ERANGE;
2243 goto out_free;
2244 }
2245
2246 if (err > 0) {
2247 if ((len == err) && !(memcmp(context, buffer, len))) {
2248 /* Don't need to canonicalize value */
2249 rc = err;
2250 goto out_free;
2251 }
2252 memset(buffer, 0, size);
Linus Torvalds1da177e2005-04-16 15:20:36 -07002253 }
2254 memcpy(buffer, context, len);
James Morrisd381d8a2005-10-30 14:59:22 -08002255 rc = len;
2256out_free:
Linus Torvalds1da177e2005-04-16 15:20:36 -07002257 kfree(context);
James Morrisd381d8a2005-10-30 14:59:22 -08002258out:
2259 return rc;
Linus Torvalds1da177e2005-04-16 15:20:36 -07002260}
2261
2262static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2263 const void *value, size_t size, int flags)
2264{
2265 struct inode_security_struct *isec = inode->i_security;
2266 u32 newsid;
2267 int rc;
2268
2269 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2270 return -EOPNOTSUPP;
2271
2272 if (!value || !size)
2273 return -EACCES;
2274
2275 rc = security_context_to_sid((void*)value, size, &newsid);
2276 if (rc)
2277 return rc;
2278
2279 isec->sid = newsid;
2280 return 0;
2281}
2282
2283static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2284{
2285 const int len = sizeof(XATTR_NAME_SELINUX);
2286 if (buffer && len <= buffer_size)
2287 memcpy(buffer, XATTR_NAME_SELINUX, len);
2288 return len;
2289}
2290
2291/* file security operations */
2292
2293static int selinux_file_permission(struct file *file, int mask)
2294{
2295 struct inode *inode = file->f_dentry->d_inode;
2296
2297 if (!mask) {
2298 /* No permission to check. Existence test. */
2299 return 0;
2300 }
2301
2302 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2303 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2304 mask |= MAY_APPEND;
2305
2306 return file_has_perm(current, file,
2307 file_mask_to_av(inode->i_mode, mask));
2308}
2309
2310static int selinux_file_alloc_security(struct file *file)
2311{
2312 return file_alloc_security(file);
2313}
2314
2315static void selinux_file_free_security(struct file *file)
2316{
2317 file_free_security(file);
2318}
2319
2320static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2321 unsigned long arg)
2322{
2323 int error = 0;
2324
2325 switch (cmd) {
2326 case FIONREAD:
2327 /* fall through */
2328 case FIBMAP:
2329 /* fall through */
2330 case FIGETBSZ:
2331 /* fall through */
2332 case EXT2_IOC_GETFLAGS:
2333 /* fall through */
2334 case EXT2_IOC_GETVERSION:
2335 error = file_has_perm(current, file, FILE__GETATTR);
2336 break;
2337
2338 case EXT2_IOC_SETFLAGS:
2339 /* fall through */
2340 case EXT2_IOC_SETVERSION:
2341 error = file_has_perm(current, file, FILE__SETATTR);
2342 break;
2343
2344 /* sys_ioctl() checks */
2345 case FIONBIO:
2346 /* fall through */
2347 case FIOASYNC:
2348 error = file_has_perm(current, file, 0);
2349 break;
2350
2351 case KDSKBENT:
2352 case KDSKBSENT:
2353 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2354 break;
2355
2356 /* default case assumes that the command will go
2357 * to the file's ioctl() function.
2358 */
2359 default:
2360 error = file_has_perm(current, file, FILE__IOCTL);
2361
2362 }
2363 return error;
2364}
2365
2366static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2367{
2368#ifndef CONFIG_PPC32
2369 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2370 /*
2371 * We are making executable an anonymous mapping or a
2372 * private file mapping that will also be writable.
2373 * This has an additional check.
2374 */
2375 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2376 if (rc)
2377 return rc;
2378 }
2379#endif
2380
2381 if (file) {
2382 /* read access is always possible with a mapping */
2383 u32 av = FILE__READ;
2384
2385 /* write access only matters if the mapping is shared */
2386 if (shared && (prot & PROT_WRITE))
2387 av |= FILE__WRITE;
2388
2389 if (prot & PROT_EXEC)
2390 av |= FILE__EXECUTE;
2391
2392 return file_has_perm(current, file, av);
2393 }
2394 return 0;
2395}
2396
2397static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2398 unsigned long prot, unsigned long flags)
2399{
2400 int rc;
2401
2402 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2403 if (rc)
2404 return rc;
2405
2406 if (selinux_checkreqprot)
2407 prot = reqprot;
2408
2409 return file_map_prot_check(file, prot,
2410 (flags & MAP_TYPE) == MAP_SHARED);
2411}
2412
2413static int selinux_file_mprotect(struct vm_area_struct *vma,
2414 unsigned long reqprot,
2415 unsigned long prot)
2416{
2417 int rc;
2418
2419 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2420 if (rc)
2421 return rc;
2422
2423 if (selinux_checkreqprot)
2424 prot = reqprot;
2425
2426#ifndef CONFIG_PPC32
Stephen Smalleydb4c9642006-02-01 03:05:54 -08002427 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2428 rc = 0;
2429 if (vma->vm_start >= vma->vm_mm->start_brk &&
2430 vma->vm_end <= vma->vm_mm->brk) {
2431 rc = task_has_perm(current, current,
2432 PROCESS__EXECHEAP);
2433 } else if (!vma->vm_file &&
2434 vma->vm_start <= vma->vm_mm->start_stack &&
2435 vma->vm_end >= vma->vm_mm->start_stack) {
2436 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2437 } else if (vma->vm_file && vma->anon_vma) {
2438 /*
2439 * We are making executable a file mapping that has
2440 * had some COW done. Since pages might have been
2441 * written, check ability to execute the possibly
2442 * modified content. This typically should only
2443 * occur for text relocations.
2444 */
2445 rc = file_has_perm(current, vma->vm_file,
2446 FILE__EXECMOD);
2447 }
Lorenzo Hernandez García-Hierro6b992192005-06-25 14:54:34 -07002448 if (rc)
2449 return rc;
2450 }
Linus Torvalds1da177e2005-04-16 15:20:36 -07002451#endif
2452
2453 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2454}
2455
2456static int selinux_file_lock(struct file *file, unsigned int cmd)
2457{
2458 return file_has_perm(current, file, FILE__LOCK);
2459}
2460
2461static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2462 unsigned long arg)
2463{
2464 int err = 0;
2465
2466 switch (cmd) {
2467 case F_SETFL:
2468 if (!file->f_dentry || !file->f_dentry->d_inode) {
2469 err = -EINVAL;
2470 break;
2471 }
2472
2473 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2474 err = file_has_perm(current, file,FILE__WRITE);
2475 break;
2476 }
2477 /* fall through */
2478 case F_SETOWN:
2479 case F_SETSIG:
2480 case F_GETFL:
2481 case F_GETOWN:
2482 case F_GETSIG:
2483 /* Just check FD__USE permission */
2484 err = file_has_perm(current, file, 0);
2485 break;
2486 case F_GETLK:
2487 case F_SETLK:
2488 case F_SETLKW:
2489#if BITS_PER_LONG == 32
2490 case F_GETLK64:
2491 case F_SETLK64:
2492 case F_SETLKW64:
2493#endif
2494 if (!file->f_dentry || !file->f_dentry->d_inode) {
2495 err = -EINVAL;
2496 break;
2497 }
2498 err = file_has_perm(current, file, FILE__LOCK);
2499 break;
2500 }
2501
2502 return err;
2503}
2504
2505static int selinux_file_set_fowner(struct file *file)
2506{
2507 struct task_security_struct *tsec;
2508 struct file_security_struct *fsec;
2509
2510 tsec = current->security;
2511 fsec = file->f_security;
2512 fsec->fown_sid = tsec->sid;
2513
2514 return 0;
2515}
2516
2517static int selinux_file_send_sigiotask(struct task_struct *tsk,
2518 struct fown_struct *fown, int signum)
2519{
2520 struct file *file;
2521 u32 perm;
2522 struct task_security_struct *tsec;
2523 struct file_security_struct *fsec;
2524
2525 /* struct fown_struct is never outside the context of a struct file */
2526 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2527
2528 tsec = tsk->security;
2529 fsec = file->f_security;
2530
2531 if (!signum)
2532 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2533 else
2534 perm = signal_to_av(signum);
2535
2536 return avc_has_perm(fsec->fown_sid, tsec->sid,
2537 SECCLASS_PROCESS, perm, NULL);
2538}
2539
2540static int selinux_file_receive(struct file *file)
2541{
2542 return file_has_perm(current, file, file_to_av(file));
2543}
2544
2545/* task security operations */
2546
2547static int selinux_task_create(unsigned long clone_flags)
2548{
2549 int rc;
2550
2551 rc = secondary_ops->task_create(clone_flags);
2552 if (rc)
2553 return rc;
2554
2555 return task_has_perm(current, current, PROCESS__FORK);
2556}
2557
2558static int selinux_task_alloc_security(struct task_struct *tsk)
2559{
2560 struct task_security_struct *tsec1, *tsec2;
2561 int rc;
2562
2563 tsec1 = current->security;
2564
2565 rc = task_alloc_security(tsk);
2566 if (rc)
2567 return rc;
2568 tsec2 = tsk->security;
2569
2570 tsec2->osid = tsec1->osid;
2571 tsec2->sid = tsec1->sid;
2572
2573 /* Retain the exec and create SIDs across fork */
2574 tsec2->exec_sid = tsec1->exec_sid;
2575 tsec2->create_sid = tsec1->create_sid;
2576
2577 /* Retain ptracer SID across fork, if any.
2578 This will be reset by the ptrace hook upon any
2579 subsequent ptrace_attach operations. */
2580 tsec2->ptrace_sid = tsec1->ptrace_sid;
2581
2582 return 0;
2583}
2584
2585static void selinux_task_free_security(struct task_struct *tsk)
2586{
2587 task_free_security(tsk);
2588}
2589
2590static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2591{
2592 /* Since setuid only affects the current process, and
2593 since the SELinux controls are not based on the Linux
2594 identity attributes, SELinux does not need to control
2595 this operation. However, SELinux does control the use
2596 of the CAP_SETUID and CAP_SETGID capabilities using the
2597 capable hook. */
2598 return 0;
2599}
2600
2601static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2602{
2603 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2604}
2605
2606static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2607{
2608 /* See the comment for setuid above. */
2609 return 0;
2610}
2611
2612static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2613{
2614 return task_has_perm(current, p, PROCESS__SETPGID);
2615}
2616
2617static int selinux_task_getpgid(struct task_struct *p)
2618{
2619 return task_has_perm(current, p, PROCESS__GETPGID);
2620}
2621
2622static int selinux_task_getsid(struct task_struct *p)
2623{
2624 return task_has_perm(current, p, PROCESS__GETSESSION);
2625}
2626
2627static int selinux_task_setgroups(struct group_info *group_info)
2628{
2629 /* See the comment for setuid above. */
2630 return 0;
2631}
2632
2633static int selinux_task_setnice(struct task_struct *p, int nice)
2634{
2635 int rc;
2636
2637 rc = secondary_ops->task_setnice(p, nice);
2638 if (rc)
2639 return rc;
2640
2641 return task_has_perm(current,p, PROCESS__SETSCHED);
2642}
2643
2644static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2645{
2646 struct rlimit *old_rlim = current->signal->rlim + resource;
2647 int rc;
2648
2649 rc = secondary_ops->task_setrlimit(resource, new_rlim);
2650 if (rc)
2651 return rc;
2652
2653 /* Control the ability to change the hard limit (whether
2654 lowering or raising it), so that the hard limit can
2655 later be used as a safe reset point for the soft limit
2656 upon context transitions. See selinux_bprm_apply_creds. */
2657 if (old_rlim->rlim_max != new_rlim->rlim_max)
2658 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2659
2660 return 0;
2661}
2662
2663static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2664{
2665 return task_has_perm(current, p, PROCESS__SETSCHED);
2666}
2667
2668static int selinux_task_getscheduler(struct task_struct *p)
2669{
2670 return task_has_perm(current, p, PROCESS__GETSCHED);
2671}
2672
2673static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2674{
2675 u32 perm;
2676 int rc;
2677
2678 rc = secondary_ops->task_kill(p, info, sig);
2679 if (rc)
2680 return rc;
2681
Oleg Nesterov621d3122005-10-30 15:03:45 -08002682 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
Linus Torvalds1da177e2005-04-16 15:20:36 -07002683 return 0;
2684
2685 if (!sig)
2686 perm = PROCESS__SIGNULL; /* null signal; existence test */
2687 else
2688 perm = signal_to_av(sig);
2689
2690 return task_has_perm(current, p, perm);
2691}
2692
2693static int selinux_task_prctl(int option,
2694 unsigned long arg2,
2695 unsigned long arg3,
2696 unsigned long arg4,
2697 unsigned long arg5)
2698{
2699 /* The current prctl operations do not appear to require
2700 any SELinux controls since they merely observe or modify
2701 the state of the current process. */
2702 return 0;
2703}
2704
2705static int selinux_task_wait(struct task_struct *p)
2706{
2707 u32 perm;
2708
2709 perm = signal_to_av(p->exit_signal);
2710
2711 return task_has_perm(p, current, perm);
2712}
2713
2714static void selinux_task_reparent_to_init(struct task_struct *p)
2715{
2716 struct task_security_struct *tsec;
2717
2718 secondary_ops->task_reparent_to_init(p);
2719
2720 tsec = p->security;
2721 tsec->osid = tsec->sid;
2722 tsec->sid = SECINITSID_KERNEL;
2723 return;
2724}
2725
2726static void selinux_task_to_inode(struct task_struct *p,
2727 struct inode *inode)
2728{
2729 struct task_security_struct *tsec = p->security;
2730 struct inode_security_struct *isec = inode->i_security;
2731
2732 isec->sid = tsec->sid;
2733 isec->initialized = 1;
2734 return;
2735}
2736
Linus Torvalds1da177e2005-04-16 15:20:36 -07002737/* Returns error only if unable to parse addresses */
2738static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2739{
2740 int offset, ihlen, ret = -EINVAL;
2741 struct iphdr _iph, *ih;
2742
2743 offset = skb->nh.raw - skb->data;
2744 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2745 if (ih == NULL)
2746 goto out;
2747
2748 ihlen = ih->ihl * 4;
2749 if (ihlen < sizeof(_iph))
2750 goto out;
2751
2752 ad->u.net.v4info.saddr = ih->saddr;
2753 ad->u.net.v4info.daddr = ih->daddr;
2754 ret = 0;
2755
2756 switch (ih->protocol) {
2757 case IPPROTO_TCP: {
2758 struct tcphdr _tcph, *th;
2759
2760 if (ntohs(ih->frag_off) & IP_OFFSET)
2761 break;
2762
2763 offset += ihlen;
2764 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2765 if (th == NULL)
2766 break;
2767
2768 ad->u.net.sport = th->source;
2769 ad->u.net.dport = th->dest;
2770 break;
2771 }
2772
2773 case IPPROTO_UDP: {
2774 struct udphdr _udph, *uh;
2775
2776 if (ntohs(ih->frag_off) & IP_OFFSET)
2777 break;
2778
2779 offset += ihlen;
2780 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2781 if (uh == NULL)
2782 break;
2783
2784 ad->u.net.sport = uh->source;
2785 ad->u.net.dport = uh->dest;
2786 break;
2787 }
2788
2789 default:
2790 break;
2791 }
2792out:
2793 return ret;
2794}
2795
2796#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2797
2798/* Returns error only if unable to parse addresses */
2799static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2800{
2801 u8 nexthdr;
2802 int ret = -EINVAL, offset;
2803 struct ipv6hdr _ipv6h, *ip6;
2804
2805 offset = skb->nh.raw - skb->data;
2806 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2807 if (ip6 == NULL)
2808 goto out;
2809
2810 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2811 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2812 ret = 0;
2813
2814 nexthdr = ip6->nexthdr;
2815 offset += sizeof(_ipv6h);
Herbert Xu0d3d0772005-04-24 20:16:19 -07002816 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
Linus Torvalds1da177e2005-04-16 15:20:36 -07002817 if (offset < 0)
2818 goto out;
2819
2820 switch (nexthdr) {
2821 case IPPROTO_TCP: {
2822 struct tcphdr _tcph, *th;
2823
2824 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2825 if (th == NULL)
2826 break;
2827
2828 ad->u.net.sport = th->source;
2829 ad->u.net.dport = th->dest;
2830 break;
2831 }
2832
2833 case IPPROTO_UDP: {
2834 struct udphdr _udph, *uh;
2835
2836 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2837 if (uh == NULL)
2838 break;
2839
2840 ad->u.net.sport = uh->source;
2841 ad->u.net.dport = uh->dest;
2842 break;
2843 }
2844
2845 /* includes fragments */
2846 default:
2847 break;
2848 }
2849out:
2850 return ret;
2851}
2852
2853#endif /* IPV6 */
2854
2855static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2856 char **addrp, int *len, int src)
2857{
2858 int ret = 0;
2859
2860 switch (ad->u.net.family) {
2861 case PF_INET:
2862 ret = selinux_parse_skb_ipv4(skb, ad);
2863 if (ret || !addrp)
2864 break;
2865 *len = 4;
2866 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2867 &ad->u.net.v4info.daddr);
2868 break;
2869
2870#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2871 case PF_INET6:
2872 ret = selinux_parse_skb_ipv6(skb, ad);
2873 if (ret || !addrp)
2874 break;
2875 *len = 16;
2876 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2877 &ad->u.net.v6info.daddr);
2878 break;
2879#endif /* IPV6 */
2880 default:
2881 break;
2882 }
2883
2884 return ret;
2885}
2886
2887/* socket security operations */
2888static int socket_has_perm(struct task_struct *task, struct socket *sock,
2889 u32 perms)
2890{
2891 struct inode_security_struct *isec;
2892 struct task_security_struct *tsec;
2893 struct avc_audit_data ad;
2894 int err = 0;
2895
2896 tsec = task->security;
2897 isec = SOCK_INODE(sock)->i_security;
2898
2899 if (isec->sid == SECINITSID_KERNEL)
2900 goto out;
2901
2902 AVC_AUDIT_DATA_INIT(&ad,NET);
2903 ad.u.net.sk = sock->sk;
2904 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2905
2906out:
2907 return err;
2908}
2909
2910static int selinux_socket_create(int family, int type,
2911 int protocol, int kern)
2912{
2913 int err = 0;
2914 struct task_security_struct *tsec;
2915
2916 if (kern)
2917 goto out;
2918
2919 tsec = current->security;
2920 err = avc_has_perm(tsec->sid, tsec->sid,
2921 socket_type_to_security_class(family, type,
2922 protocol), SOCKET__CREATE, NULL);
2923
2924out:
2925 return err;
2926}
2927
2928static void selinux_socket_post_create(struct socket *sock, int family,
2929 int type, int protocol, int kern)
2930{
2931 struct inode_security_struct *isec;
2932 struct task_security_struct *tsec;
2933
2934 isec = SOCK_INODE(sock)->i_security;
2935
2936 tsec = current->security;
2937 isec->sclass = socket_type_to_security_class(family, type, protocol);
2938 isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2939 isec->initialized = 1;
2940
2941 return;
2942}
2943
2944/* Range of port numbers used to automatically bind.
2945 Need to determine whether we should perform a name_bind
2946 permission check between the socket and the port number. */
2947#define ip_local_port_range_0 sysctl_local_port_range[0]
2948#define ip_local_port_range_1 sysctl_local_port_range[1]
2949
2950static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2951{
2952 u16 family;
2953 int err;
2954
2955 err = socket_has_perm(current, sock, SOCKET__BIND);
2956 if (err)
2957 goto out;
2958
2959 /*
2960 * If PF_INET or PF_INET6, check name_bind permission for the port.
James Morris13402582005-09-30 14:24:34 -04002961 * Multiple address binding for SCTP is not supported yet: we just
2962 * check the first address now.
Linus Torvalds1da177e2005-04-16 15:20:36 -07002963 */
2964 family = sock->sk->sk_family;
2965 if (family == PF_INET || family == PF_INET6) {
2966 char *addrp;
2967 struct inode_security_struct *isec;
2968 struct task_security_struct *tsec;
2969 struct avc_audit_data ad;
2970 struct sockaddr_in *addr4 = NULL;
2971 struct sockaddr_in6 *addr6 = NULL;
2972 unsigned short snum;
2973 struct sock *sk = sock->sk;
2974 u32 sid, node_perm, addrlen;
2975
2976 tsec = current->security;
2977 isec = SOCK_INODE(sock)->i_security;
2978
2979 if (family == PF_INET) {
2980 addr4 = (struct sockaddr_in *)address;
2981 snum = ntohs(addr4->sin_port);
2982 addrlen = sizeof(addr4->sin_addr.s_addr);
2983 addrp = (char *)&addr4->sin_addr.s_addr;
2984 } else {
2985 addr6 = (struct sockaddr_in6 *)address;
2986 snum = ntohs(addr6->sin6_port);
2987 addrlen = sizeof(addr6->sin6_addr.s6_addr);
2988 addrp = (char *)&addr6->sin6_addr.s6_addr;
2989 }
2990
2991 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
2992 snum > ip_local_port_range_1)) {
2993 err = security_port_sid(sk->sk_family, sk->sk_type,
2994 sk->sk_protocol, snum, &sid);
2995 if (err)
2996 goto out;
2997 AVC_AUDIT_DATA_INIT(&ad,NET);
2998 ad.u.net.sport = htons(snum);
2999 ad.u.net.family = family;
3000 err = avc_has_perm(isec->sid, sid,
3001 isec->sclass,
3002 SOCKET__NAME_BIND, &ad);
3003 if (err)
3004 goto out;
3005 }
3006
James Morris13402582005-09-30 14:24:34 -04003007 switch(isec->sclass) {
3008 case SECCLASS_TCP_SOCKET:
Linus Torvalds1da177e2005-04-16 15:20:36 -07003009 node_perm = TCP_SOCKET__NODE_BIND;
3010 break;
3011
James Morris13402582005-09-30 14:24:34 -04003012 case SECCLASS_UDP_SOCKET:
Linus Torvalds1da177e2005-04-16 15:20:36 -07003013 node_perm = UDP_SOCKET__NODE_BIND;
3014 break;
3015
3016 default:
3017 node_perm = RAWIP_SOCKET__NODE_BIND;
3018 break;
3019 }
3020
3021 err = security_node_sid(family, addrp, addrlen, &sid);
3022 if (err)
3023 goto out;
3024
3025 AVC_AUDIT_DATA_INIT(&ad,NET);
3026 ad.u.net.sport = htons(snum);
3027 ad.u.net.family = family;
3028
3029 if (family == PF_INET)
3030 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3031 else
3032 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3033
3034 err = avc_has_perm(isec->sid, sid,
3035 isec->sclass, node_perm, &ad);
3036 if (err)
3037 goto out;
3038 }
3039out:
3040 return err;
3041}
3042
3043static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3044{
3045 struct inode_security_struct *isec;
3046 int err;
3047
3048 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3049 if (err)
3050 return err;
3051
3052 /*
3053 * If a TCP socket, check name_connect permission for the port.
3054 */
3055 isec = SOCK_INODE(sock)->i_security;
3056 if (isec->sclass == SECCLASS_TCP_SOCKET) {
3057 struct sock *sk = sock->sk;
3058 struct avc_audit_data ad;
3059 struct sockaddr_in *addr4 = NULL;
3060 struct sockaddr_in6 *addr6 = NULL;
3061 unsigned short snum;
3062 u32 sid;
3063
3064 if (sk->sk_family == PF_INET) {
3065 addr4 = (struct sockaddr_in *)address;
Stephen Smalley911656f2005-07-28 21:16:21 -07003066 if (addrlen < sizeof(struct sockaddr_in))
Linus Torvalds1da177e2005-04-16 15:20:36 -07003067 return -EINVAL;
3068 snum = ntohs(addr4->sin_port);
3069 } else {
3070 addr6 = (struct sockaddr_in6 *)address;
Stephen Smalley911656f2005-07-28 21:16:21 -07003071 if (addrlen < SIN6_LEN_RFC2133)
Linus Torvalds1da177e2005-04-16 15:20:36 -07003072 return -EINVAL;
3073 snum = ntohs(addr6->sin6_port);
3074 }
3075
3076 err = security_port_sid(sk->sk_family, sk->sk_type,
3077 sk->sk_protocol, snum, &sid);
3078 if (err)
3079 goto out;
3080
3081 AVC_AUDIT_DATA_INIT(&ad,NET);
3082 ad.u.net.dport = htons(snum);
3083 ad.u.net.family = sk->sk_family;
3084 err = avc_has_perm(isec->sid, sid, isec->sclass,
3085 TCP_SOCKET__NAME_CONNECT, &ad);
3086 if (err)
3087 goto out;
3088 }
3089
3090out:
3091 return err;
3092}
3093
3094static int selinux_socket_listen(struct socket *sock, int backlog)
3095{
3096 return socket_has_perm(current, sock, SOCKET__LISTEN);
3097}
3098
3099static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3100{
3101 int err;
3102 struct inode_security_struct *isec;
3103 struct inode_security_struct *newisec;
3104
3105 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3106 if (err)
3107 return err;
3108
3109 newisec = SOCK_INODE(newsock)->i_security;
3110
3111 isec = SOCK_INODE(sock)->i_security;
3112 newisec->sclass = isec->sclass;
3113 newisec->sid = isec->sid;
3114 newisec->initialized = 1;
3115
3116 return 0;
3117}
3118
3119static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3120 int size)
3121{
3122 return socket_has_perm(current, sock, SOCKET__WRITE);
3123}
3124
3125static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3126 int size, int flags)
3127{
3128 return socket_has_perm(current, sock, SOCKET__READ);
3129}
3130
3131static int selinux_socket_getsockname(struct socket *sock)
3132{
3133 return socket_has_perm(current, sock, SOCKET__GETATTR);
3134}
3135
3136static int selinux_socket_getpeername(struct socket *sock)
3137{
3138 return socket_has_perm(current, sock, SOCKET__GETATTR);
3139}
3140
3141static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3142{
3143 return socket_has_perm(current, sock, SOCKET__SETOPT);
3144}
3145
3146static int selinux_socket_getsockopt(struct socket *sock, int level,
3147 int optname)
3148{
3149 return socket_has_perm(current, sock, SOCKET__GETOPT);
3150}
3151
3152static int selinux_socket_shutdown(struct socket *sock, int how)
3153{
3154 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3155}
3156
3157static int selinux_socket_unix_stream_connect(struct socket *sock,
3158 struct socket *other,
3159 struct sock *newsk)
3160{
3161 struct sk_security_struct *ssec;
3162 struct inode_security_struct *isec;
3163 struct inode_security_struct *other_isec;
3164 struct avc_audit_data ad;
3165 int err;
3166
3167 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3168 if (err)
3169 return err;
3170
3171 isec = SOCK_INODE(sock)->i_security;
3172 other_isec = SOCK_INODE(other)->i_security;
3173
3174 AVC_AUDIT_DATA_INIT(&ad,NET);
3175 ad.u.net.sk = other->sk;
3176
3177 err = avc_has_perm(isec->sid, other_isec->sid,
3178 isec->sclass,
3179 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3180 if (err)
3181 return err;
3182
3183 /* connecting socket */
3184 ssec = sock->sk->sk_security;
3185 ssec->peer_sid = other_isec->sid;
3186
3187 /* server child socket */
3188 ssec = newsk->sk_security;
3189 ssec->peer_sid = isec->sid;
3190
3191 return 0;
3192}
3193
3194static int selinux_socket_unix_may_send(struct socket *sock,
3195 struct socket *other)
3196{
3197 struct inode_security_struct *isec;
3198 struct inode_security_struct *other_isec;
3199 struct avc_audit_data ad;
3200 int err;
3201
3202 isec = SOCK_INODE(sock)->i_security;
3203 other_isec = SOCK_INODE(other)->i_security;
3204
3205 AVC_AUDIT_DATA_INIT(&ad,NET);
3206 ad.u.net.sk = other->sk;
3207
3208 err = avc_has_perm(isec->sid, other_isec->sid,
3209 isec->sclass, SOCKET__SENDTO, &ad);
3210 if (err)
3211 return err;
3212
3213 return 0;
3214}
3215
3216static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3217{
3218 u16 family;
3219 char *addrp;
3220 int len, err = 0;
3221 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3222 u32 sock_sid = 0;
3223 u16 sock_class = 0;
3224 struct socket *sock;
3225 struct net_device *dev;
3226 struct avc_audit_data ad;
3227
3228 family = sk->sk_family;
3229 if (family != PF_INET && family != PF_INET6)
3230 goto out;
3231
3232 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3233 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3234 family = PF_INET;
3235
3236 read_lock_bh(&sk->sk_callback_lock);
3237 sock = sk->sk_socket;
3238 if (sock) {
3239 struct inode *inode;
3240 inode = SOCK_INODE(sock);
3241 if (inode) {
3242 struct inode_security_struct *isec;
3243 isec = inode->i_security;
3244 sock_sid = isec->sid;
3245 sock_class = isec->sclass;
3246 }
3247 }
3248 read_unlock_bh(&sk->sk_callback_lock);
3249 if (!sock_sid)
3250 goto out;
3251
3252 dev = skb->dev;
3253 if (!dev)
3254 goto out;
3255
3256 err = sel_netif_sids(dev, &if_sid, NULL);
3257 if (err)
3258 goto out;
3259
3260 switch (sock_class) {
3261 case SECCLASS_UDP_SOCKET:
3262 netif_perm = NETIF__UDP_RECV;
3263 node_perm = NODE__UDP_RECV;
3264 recv_perm = UDP_SOCKET__RECV_MSG;
3265 break;
3266
3267 case SECCLASS_TCP_SOCKET:
3268 netif_perm = NETIF__TCP_RECV;
3269 node_perm = NODE__TCP_RECV;
3270 recv_perm = TCP_SOCKET__RECV_MSG;
3271 break;
3272
3273 default:
3274 netif_perm = NETIF__RAWIP_RECV;
3275 node_perm = NODE__RAWIP_RECV;
3276 break;
3277 }
3278
3279 AVC_AUDIT_DATA_INIT(&ad, NET);
3280 ad.u.net.netif = dev->name;
3281 ad.u.net.family = family;
3282
3283 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3284 if (err)
3285 goto out;
3286
3287 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3288 if (err)
3289 goto out;
3290
3291 /* Fixme: this lookup is inefficient */
3292 err = security_node_sid(family, addrp, len, &node_sid);
3293 if (err)
3294 goto out;
3295
3296 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3297 if (err)
3298 goto out;
3299
3300 if (recv_perm) {
3301 u32 port_sid;
3302
3303 /* Fixme: make this more efficient */
3304 err = security_port_sid(sk->sk_family, sk->sk_type,
3305 sk->sk_protocol, ntohs(ad.u.net.sport),
3306 &port_sid);
3307 if (err)
3308 goto out;
3309
3310 err = avc_has_perm(sock_sid, port_sid,
3311 sock_class, recv_perm, &ad);
3312 }
Trent Jaegerd28d1e02005-12-13 23:12:40 -08003313
3314 if (!err)
3315 err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3316
Linus Torvalds1da177e2005-04-16 15:20:36 -07003317out:
3318 return err;
3319}
3320
3321static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3322 int __user *optlen, unsigned len)
3323{
3324 int err = 0;
3325 char *scontext;
3326 u32 scontext_len;
3327 struct sk_security_struct *ssec;
3328 struct inode_security_struct *isec;
3329
3330 isec = SOCK_INODE(sock)->i_security;
3331 if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3332 err = -ENOPROTOOPT;
3333 goto out;
3334 }
3335
3336 ssec = sock->sk->sk_security;
3337
3338 err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3339 if (err)
3340 goto out;
3341
3342 if (scontext_len > len) {
3343 err = -ERANGE;
3344 goto out_len;
3345 }
3346
3347 if (copy_to_user(optval, scontext, scontext_len))
3348 err = -EFAULT;
3349
3350out_len:
3351 if (put_user(scontext_len, optlen))
3352 err = -EFAULT;
3353
3354 kfree(scontext);
3355out:
3356 return err;
3357}
3358
Al Viro7d877f32005-10-21 03:20:43 -04003359static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
Linus Torvalds1da177e2005-04-16 15:20:36 -07003360{
3361 return sk_alloc_security(sk, family, priority);
3362}
3363
3364static void selinux_sk_free_security(struct sock *sk)
3365{
3366 sk_free_security(sk);
3367}
3368
Trent Jaegerd28d1e02005-12-13 23:12:40 -08003369static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3370{
3371 struct inode_security_struct *isec;
3372 u32 sock_sid = SECINITSID_ANY_SOCKET;
3373
3374 if (!sk)
3375 return selinux_no_sk_sid(fl);
3376
3377 read_lock_bh(&sk->sk_callback_lock);
3378 isec = get_sock_isec(sk);
3379
3380 if (isec)
3381 sock_sid = isec->sid;
3382
3383 read_unlock_bh(&sk->sk_callback_lock);
3384 return sock_sid;
3385}
3386
Linus Torvalds1da177e2005-04-16 15:20:36 -07003387static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3388{
3389 int err = 0;
3390 u32 perm;
3391 struct nlmsghdr *nlh;
3392 struct socket *sock = sk->sk_socket;
3393 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3394
3395 if (skb->len < NLMSG_SPACE(0)) {
3396 err = -EINVAL;
3397 goto out;
3398 }
3399 nlh = (struct nlmsghdr *)skb->data;
3400
3401 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3402 if (err) {
3403 if (err == -EINVAL) {
David Woodhouse9ad9ad32005-06-22 15:04:33 +01003404 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
Linus Torvalds1da177e2005-04-16 15:20:36 -07003405 "SELinux: unrecognized netlink message"
3406 " type=%hu for sclass=%hu\n",
3407 nlh->nlmsg_type, isec->sclass);
3408 if (!selinux_enforcing)
3409 err = 0;
3410 }
3411
3412 /* Ignore */
3413 if (err == -ENOENT)
3414 err = 0;
3415 goto out;
3416 }
3417
3418 err = socket_has_perm(current, sock, perm);
3419out:
3420 return err;
3421}
3422
3423#ifdef CONFIG_NETFILTER
3424
3425static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3426 struct sk_buff **pskb,
3427 const struct net_device *in,
3428 const struct net_device *out,
3429 int (*okfn)(struct sk_buff *),
3430 u16 family)
3431{
3432 char *addrp;
3433 int len, err = NF_ACCEPT;
3434 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3435 struct sock *sk;
3436 struct socket *sock;
3437 struct inode *inode;
3438 struct sk_buff *skb = *pskb;
3439 struct inode_security_struct *isec;
3440 struct avc_audit_data ad;
3441 struct net_device *dev = (struct net_device *)out;
3442
3443 sk = skb->sk;
3444 if (!sk)
3445 goto out;
3446
3447 sock = sk->sk_socket;
3448 if (!sock)
3449 goto out;
3450
3451 inode = SOCK_INODE(sock);
3452 if (!inode)
3453 goto out;
3454
3455 err = sel_netif_sids(dev, &if_sid, NULL);
3456 if (err)
3457 goto out;
3458
3459 isec = inode->i_security;
3460
3461 switch (isec->sclass) {
3462 case SECCLASS_UDP_SOCKET:
3463 netif_perm = NETIF__UDP_SEND;
3464 node_perm = NODE__UDP_SEND;
3465 send_perm = UDP_SOCKET__SEND_MSG;
3466 break;
3467
3468 case SECCLASS_TCP_SOCKET:
3469 netif_perm = NETIF__TCP_SEND;
3470 node_perm = NODE__TCP_SEND;
3471 send_perm = TCP_SOCKET__SEND_MSG;
3472 break;
3473
3474 default:
3475 netif_perm = NETIF__RAWIP_SEND;
3476 node_perm = NODE__RAWIP_SEND;
3477 break;
3478 }
3479
3480
3481 AVC_AUDIT_DATA_INIT(&ad, NET);
3482 ad.u.net.netif = dev->name;
3483 ad.u.net.family = family;
3484
3485 err = selinux_parse_skb(skb, &ad, &addrp,
3486 &len, 0) ? NF_DROP : NF_ACCEPT;
3487 if (err != NF_ACCEPT)
3488 goto out;
3489
3490 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3491 netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3492 if (err != NF_ACCEPT)
3493 goto out;
3494
3495 /* Fixme: this lookup is inefficient */
3496 err = security_node_sid(family, addrp, len,
3497 &node_sid) ? NF_DROP : NF_ACCEPT;
3498 if (err != NF_ACCEPT)
3499 goto out;
3500
3501 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3502 node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3503 if (err != NF_ACCEPT)
3504 goto out;
3505
3506 if (send_perm) {
3507 u32 port_sid;
3508
3509 /* Fixme: make this more efficient */
3510 err = security_port_sid(sk->sk_family,
3511 sk->sk_type,
3512 sk->sk_protocol,
3513 ntohs(ad.u.net.dport),
3514 &port_sid) ? NF_DROP : NF_ACCEPT;
3515 if (err != NF_ACCEPT)
3516 goto out;
3517
3518 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3519 send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3520 }
3521
Trent Jaegerd28d1e02005-12-13 23:12:40 -08003522 if (err != NF_ACCEPT)
3523 goto out;
3524
3525 err = selinux_xfrm_postroute_last(isec->sid, skb);
3526
Linus Torvalds1da177e2005-04-16 15:20:36 -07003527out:
3528 return err;
3529}
3530
3531static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3532 struct sk_buff **pskb,
3533 const struct net_device *in,
3534 const struct net_device *out,
3535 int (*okfn)(struct sk_buff *))
3536{
3537 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3538}
3539
3540#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3541
3542static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3543 struct sk_buff **pskb,
3544 const struct net_device *in,
3545 const struct net_device *out,
3546 int (*okfn)(struct sk_buff *))
3547{
3548 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3549}
3550
3551#endif /* IPV6 */
3552
3553#endif /* CONFIG_NETFILTER */
3554
Linus Torvalds1da177e2005-04-16 15:20:36 -07003555static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3556{
3557 struct task_security_struct *tsec;
3558 struct av_decision avd;
3559 int err;
3560
3561 err = secondary_ops->netlink_send(sk, skb);
3562 if (err)
3563 return err;
3564
3565 tsec = current->security;
3566
3567 avd.allowed = 0;
3568 avc_has_perm_noaudit(tsec->sid, tsec->sid,
3569 SECCLASS_CAPABILITY, ~0, &avd);
3570 cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3571
3572 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3573 err = selinux_nlmsg_perm(sk, skb);
3574
3575 return err;
3576}
3577
3578static int selinux_netlink_recv(struct sk_buff *skb)
3579{
3580 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3581 return -EPERM;
3582 return 0;
3583}
3584
3585static int ipc_alloc_security(struct task_struct *task,
3586 struct kern_ipc_perm *perm,
3587 u16 sclass)
3588{
3589 struct task_security_struct *tsec = task->security;
3590 struct ipc_security_struct *isec;
3591
James Morris89d155e2005-10-30 14:59:21 -08003592 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -07003593 if (!isec)
3594 return -ENOMEM;
3595
Linus Torvalds1da177e2005-04-16 15:20:36 -07003596 isec->sclass = sclass;
3597 isec->ipc_perm = perm;
Stephen Smalley9ac49d22006-02-01 03:05:56 -08003598 isec->sid = tsec->sid;
Linus Torvalds1da177e2005-04-16 15:20:36 -07003599 perm->security = isec;
3600
3601 return 0;
3602}
3603
3604static void ipc_free_security(struct kern_ipc_perm *perm)
3605{
3606 struct ipc_security_struct *isec = perm->security;
Linus Torvalds1da177e2005-04-16 15:20:36 -07003607 perm->security = NULL;
3608 kfree(isec);
3609}
3610
3611static int msg_msg_alloc_security(struct msg_msg *msg)
3612{
3613 struct msg_security_struct *msec;
3614
James Morris89d155e2005-10-30 14:59:21 -08003615 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -07003616 if (!msec)
3617 return -ENOMEM;
3618
Linus Torvalds1da177e2005-04-16 15:20:36 -07003619 msec->msg = msg;
3620 msec->sid = SECINITSID_UNLABELED;
3621 msg->security = msec;
3622
3623 return 0;
3624}
3625
3626static void msg_msg_free_security(struct msg_msg *msg)
3627{
3628 struct msg_security_struct *msec = msg->security;
Linus Torvalds1da177e2005-04-16 15:20:36 -07003629
3630 msg->security = NULL;
3631 kfree(msec);
3632}
3633
3634static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
Stephen Smalley6af963f2005-05-01 08:58:39 -07003635 u32 perms)
Linus Torvalds1da177e2005-04-16 15:20:36 -07003636{
3637 struct task_security_struct *tsec;
3638 struct ipc_security_struct *isec;
3639 struct avc_audit_data ad;
3640
3641 tsec = current->security;
3642 isec = ipc_perms->security;
3643
3644 AVC_AUDIT_DATA_INIT(&ad, IPC);
3645 ad.u.ipc_id = ipc_perms->key;
3646
Stephen Smalley6af963f2005-05-01 08:58:39 -07003647 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
Linus Torvalds1da177e2005-04-16 15:20:36 -07003648}
3649
3650static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3651{
3652 return msg_msg_alloc_security(msg);
3653}
3654
3655static void selinux_msg_msg_free_security(struct msg_msg *msg)
3656{
3657 msg_msg_free_security(msg);
3658}
3659
3660/* message queue security operations */
3661static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3662{
3663 struct task_security_struct *tsec;
3664 struct ipc_security_struct *isec;
3665 struct avc_audit_data ad;
3666 int rc;
3667
3668 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3669 if (rc)
3670 return rc;
3671
3672 tsec = current->security;
3673 isec = msq->q_perm.security;
3674
3675 AVC_AUDIT_DATA_INIT(&ad, IPC);
3676 ad.u.ipc_id = msq->q_perm.key;
3677
3678 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3679 MSGQ__CREATE, &ad);
3680 if (rc) {
3681 ipc_free_security(&msq->q_perm);
3682 return rc;
3683 }
3684 return 0;
3685}
3686
3687static void selinux_msg_queue_free_security(struct msg_queue *msq)
3688{
3689 ipc_free_security(&msq->q_perm);
3690}
3691
3692static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3693{
3694 struct task_security_struct *tsec;
3695 struct ipc_security_struct *isec;
3696 struct avc_audit_data ad;
3697
3698 tsec = current->security;
3699 isec = msq->q_perm.security;
3700
3701 AVC_AUDIT_DATA_INIT(&ad, IPC);
3702 ad.u.ipc_id = msq->q_perm.key;
3703
3704 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3705 MSGQ__ASSOCIATE, &ad);
3706}
3707
3708static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3709{
3710 int err;
3711 int perms;
3712
3713 switch(cmd) {
3714 case IPC_INFO:
3715 case MSG_INFO:
3716 /* No specific object, just general system-wide information. */
3717 return task_has_system(current, SYSTEM__IPC_INFO);
3718 case IPC_STAT:
3719 case MSG_STAT:
3720 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3721 break;
3722 case IPC_SET:
3723 perms = MSGQ__SETATTR;
3724 break;
3725 case IPC_RMID:
3726 perms = MSGQ__DESTROY;
3727 break;
3728 default:
3729 return 0;
3730 }
3731
Stephen Smalley6af963f2005-05-01 08:58:39 -07003732 err = ipc_has_perm(&msq->q_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -07003733 return err;
3734}
3735
3736static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3737{
3738 struct task_security_struct *tsec;
3739 struct ipc_security_struct *isec;
3740 struct msg_security_struct *msec;
3741 struct avc_audit_data ad;
3742 int rc;
3743
3744 tsec = current->security;
3745 isec = msq->q_perm.security;
3746 msec = msg->security;
3747
3748 /*
3749 * First time through, need to assign label to the message
3750 */
3751 if (msec->sid == SECINITSID_UNLABELED) {
3752 /*
3753 * Compute new sid based on current process and
3754 * message queue this message will be stored in
3755 */
3756 rc = security_transition_sid(tsec->sid,
3757 isec->sid,
3758 SECCLASS_MSG,
3759 &msec->sid);
3760 if (rc)
3761 return rc;
3762 }
3763
3764 AVC_AUDIT_DATA_INIT(&ad, IPC);
3765 ad.u.ipc_id = msq->q_perm.key;
3766
3767 /* Can this process write to the queue? */
3768 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3769 MSGQ__WRITE, &ad);
3770 if (!rc)
3771 /* Can this process send the message */
3772 rc = avc_has_perm(tsec->sid, msec->sid,
3773 SECCLASS_MSG, MSG__SEND, &ad);
3774 if (!rc)
3775 /* Can the message be put in the queue? */
3776 rc = avc_has_perm(msec->sid, isec->sid,
3777 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3778
3779 return rc;
3780}
3781
3782static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3783 struct task_struct *target,
3784 long type, int mode)
3785{
3786 struct task_security_struct *tsec;
3787 struct ipc_security_struct *isec;
3788 struct msg_security_struct *msec;
3789 struct avc_audit_data ad;
3790 int rc;
3791
3792 tsec = target->security;
3793 isec = msq->q_perm.security;
3794 msec = msg->security;
3795
3796 AVC_AUDIT_DATA_INIT(&ad, IPC);
3797 ad.u.ipc_id = msq->q_perm.key;
3798
3799 rc = avc_has_perm(tsec->sid, isec->sid,
3800 SECCLASS_MSGQ, MSGQ__READ, &ad);
3801 if (!rc)
3802 rc = avc_has_perm(tsec->sid, msec->sid,
3803 SECCLASS_MSG, MSG__RECEIVE, &ad);
3804 return rc;
3805}
3806
3807/* Shared Memory security operations */
3808static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3809{
3810 struct task_security_struct *tsec;
3811 struct ipc_security_struct *isec;
3812 struct avc_audit_data ad;
3813 int rc;
3814
3815 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3816 if (rc)
3817 return rc;
3818
3819 tsec = current->security;
3820 isec = shp->shm_perm.security;
3821
3822 AVC_AUDIT_DATA_INIT(&ad, IPC);
3823 ad.u.ipc_id = shp->shm_perm.key;
3824
3825 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3826 SHM__CREATE, &ad);
3827 if (rc) {
3828 ipc_free_security(&shp->shm_perm);
3829 return rc;
3830 }
3831 return 0;
3832}
3833
3834static void selinux_shm_free_security(struct shmid_kernel *shp)
3835{
3836 ipc_free_security(&shp->shm_perm);
3837}
3838
3839static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3840{
3841 struct task_security_struct *tsec;
3842 struct ipc_security_struct *isec;
3843 struct avc_audit_data ad;
3844
3845 tsec = current->security;
3846 isec = shp->shm_perm.security;
3847
3848 AVC_AUDIT_DATA_INIT(&ad, IPC);
3849 ad.u.ipc_id = shp->shm_perm.key;
3850
3851 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3852 SHM__ASSOCIATE, &ad);
3853}
3854
3855/* Note, at this point, shp is locked down */
3856static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3857{
3858 int perms;
3859 int err;
3860
3861 switch(cmd) {
3862 case IPC_INFO:
3863 case SHM_INFO:
3864 /* No specific object, just general system-wide information. */
3865 return task_has_system(current, SYSTEM__IPC_INFO);
3866 case IPC_STAT:
3867 case SHM_STAT:
3868 perms = SHM__GETATTR | SHM__ASSOCIATE;
3869 break;
3870 case IPC_SET:
3871 perms = SHM__SETATTR;
3872 break;
3873 case SHM_LOCK:
3874 case SHM_UNLOCK:
3875 perms = SHM__LOCK;
3876 break;
3877 case IPC_RMID:
3878 perms = SHM__DESTROY;
3879 break;
3880 default:
3881 return 0;
3882 }
3883
Stephen Smalley6af963f2005-05-01 08:58:39 -07003884 err = ipc_has_perm(&shp->shm_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -07003885 return err;
3886}
3887
3888static int selinux_shm_shmat(struct shmid_kernel *shp,
3889 char __user *shmaddr, int shmflg)
3890{
3891 u32 perms;
3892 int rc;
3893
3894 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3895 if (rc)
3896 return rc;
3897
3898 if (shmflg & SHM_RDONLY)
3899 perms = SHM__READ;
3900 else
3901 perms = SHM__READ | SHM__WRITE;
3902
Stephen Smalley6af963f2005-05-01 08:58:39 -07003903 return ipc_has_perm(&shp->shm_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -07003904}
3905
3906/* Semaphore security operations */
3907static int selinux_sem_alloc_security(struct sem_array *sma)
3908{
3909 struct task_security_struct *tsec;
3910 struct ipc_security_struct *isec;
3911 struct avc_audit_data ad;
3912 int rc;
3913
3914 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3915 if (rc)
3916 return rc;
3917
3918 tsec = current->security;
3919 isec = sma->sem_perm.security;
3920
3921 AVC_AUDIT_DATA_INIT(&ad, IPC);
3922 ad.u.ipc_id = sma->sem_perm.key;
3923
3924 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3925 SEM__CREATE, &ad);
3926 if (rc) {
3927 ipc_free_security(&sma->sem_perm);
3928 return rc;
3929 }
3930 return 0;
3931}
3932
3933static void selinux_sem_free_security(struct sem_array *sma)
3934{
3935 ipc_free_security(&sma->sem_perm);
3936}
3937
3938static int selinux_sem_associate(struct sem_array *sma, int semflg)
3939{
3940 struct task_security_struct *tsec;
3941 struct ipc_security_struct *isec;
3942 struct avc_audit_data ad;
3943
3944 tsec = current->security;
3945 isec = sma->sem_perm.security;
3946
3947 AVC_AUDIT_DATA_INIT(&ad, IPC);
3948 ad.u.ipc_id = sma->sem_perm.key;
3949
3950 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3951 SEM__ASSOCIATE, &ad);
3952}
3953
3954/* Note, at this point, sma is locked down */
3955static int selinux_sem_semctl(struct sem_array *sma, int cmd)
3956{
3957 int err;
3958 u32 perms;
3959
3960 switch(cmd) {
3961 case IPC_INFO:
3962 case SEM_INFO:
3963 /* No specific object, just general system-wide information. */
3964 return task_has_system(current, SYSTEM__IPC_INFO);
3965 case GETPID:
3966 case GETNCNT:
3967 case GETZCNT:
3968 perms = SEM__GETATTR;
3969 break;
3970 case GETVAL:
3971 case GETALL:
3972 perms = SEM__READ;
3973 break;
3974 case SETVAL:
3975 case SETALL:
3976 perms = SEM__WRITE;
3977 break;
3978 case IPC_RMID:
3979 perms = SEM__DESTROY;
3980 break;
3981 case IPC_SET:
3982 perms = SEM__SETATTR;
3983 break;
3984 case IPC_STAT:
3985 case SEM_STAT:
3986 perms = SEM__GETATTR | SEM__ASSOCIATE;
3987 break;
3988 default:
3989 return 0;
3990 }
3991
Stephen Smalley6af963f2005-05-01 08:58:39 -07003992 err = ipc_has_perm(&sma->sem_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -07003993 return err;
3994}
3995
3996static int selinux_sem_semop(struct sem_array *sma,
3997 struct sembuf *sops, unsigned nsops, int alter)
3998{
3999 u32 perms;
4000
4001 if (alter)
4002 perms = SEM__READ | SEM__WRITE;
4003 else
4004 perms = SEM__READ;
4005
Stephen Smalley6af963f2005-05-01 08:58:39 -07004006 return ipc_has_perm(&sma->sem_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -07004007}
4008
4009static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4010{
Linus Torvalds1da177e2005-04-16 15:20:36 -07004011 u32 av = 0;
4012
Linus Torvalds1da177e2005-04-16 15:20:36 -07004013 av = 0;
4014 if (flag & S_IRUGO)
4015 av |= IPC__UNIX_READ;
4016 if (flag & S_IWUGO)
4017 av |= IPC__UNIX_WRITE;
4018
4019 if (av == 0)
4020 return 0;
4021
Stephen Smalley6af963f2005-05-01 08:58:39 -07004022 return ipc_has_perm(ipcp, av);
Linus Torvalds1da177e2005-04-16 15:20:36 -07004023}
4024
4025/* module stacking operations */
4026static int selinux_register_security (const char *name, struct security_operations *ops)
4027{
4028 if (secondary_ops != original_ops) {
4029 printk(KERN_INFO "%s: There is already a secondary security "
4030 "module registered.\n", __FUNCTION__);
4031 return -EINVAL;
4032 }
4033
4034 secondary_ops = ops;
4035
4036 printk(KERN_INFO "%s: Registering secondary module %s\n",
4037 __FUNCTION__,
4038 name);
4039
4040 return 0;
4041}
4042
4043static int selinux_unregister_security (const char *name, struct security_operations *ops)
4044{
4045 if (ops != secondary_ops) {
4046 printk (KERN_INFO "%s: trying to unregister a security module "
4047 "that is not registered.\n", __FUNCTION__);
4048 return -EINVAL;
4049 }
4050
4051 secondary_ops = original_ops;
4052
4053 return 0;
4054}
4055
4056static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4057{
4058 if (inode)
4059 inode_doinit_with_dentry(inode, dentry);
4060}
4061
4062static int selinux_getprocattr(struct task_struct *p,
4063 char *name, void *value, size_t size)
4064{
4065 struct task_security_struct *tsec;
4066 u32 sid, len;
4067 char *context;
4068 int error;
4069
4070 if (current != p) {
4071 error = task_has_perm(current, p, PROCESS__GETATTR);
4072 if (error)
4073 return error;
4074 }
4075
4076 if (!size)
4077 return -ERANGE;
4078
4079 tsec = p->security;
4080
4081 if (!strcmp(name, "current"))
4082 sid = tsec->sid;
4083 else if (!strcmp(name, "prev"))
4084 sid = tsec->osid;
4085 else if (!strcmp(name, "exec"))
4086 sid = tsec->exec_sid;
4087 else if (!strcmp(name, "fscreate"))
4088 sid = tsec->create_sid;
4089 else
4090 return -EINVAL;
4091
4092 if (!sid)
4093 return 0;
4094
4095 error = security_sid_to_context(sid, &context, &len);
4096 if (error)
4097 return error;
4098 if (len > size) {
4099 kfree(context);
4100 return -ERANGE;
4101 }
4102 memcpy(value, context, len);
4103 kfree(context);
4104 return len;
4105}
4106
4107static int selinux_setprocattr(struct task_struct *p,
4108 char *name, void *value, size_t size)
4109{
4110 struct task_security_struct *tsec;
4111 u32 sid = 0;
4112 int error;
4113 char *str = value;
4114
4115 if (current != p) {
4116 /* SELinux only allows a process to change its own
4117 security attributes. */
4118 return -EACCES;
4119 }
4120
4121 /*
4122 * Basic control over ability to set these attributes at all.
4123 * current == p, but we'll pass them separately in case the
4124 * above restriction is ever removed.
4125 */
4126 if (!strcmp(name, "exec"))
4127 error = task_has_perm(current, p, PROCESS__SETEXEC);
4128 else if (!strcmp(name, "fscreate"))
4129 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4130 else if (!strcmp(name, "current"))
4131 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4132 else
4133 error = -EINVAL;
4134 if (error)
4135 return error;
4136
4137 /* Obtain a SID for the context, if one was specified. */
4138 if (size && str[1] && str[1] != '\n') {
4139 if (str[size-1] == '\n') {
4140 str[size-1] = 0;
4141 size--;
4142 }
4143 error = security_context_to_sid(value, size, &sid);
4144 if (error)
4145 return error;
4146 }
4147
4148 /* Permission checking based on the specified context is
4149 performed during the actual operation (execve,
4150 open/mkdir/...), when we know the full context of the
4151 operation. See selinux_bprm_set_security for the execve
4152 checks and may_create for the file creation checks. The
4153 operation will then fail if the context is not permitted. */
4154 tsec = p->security;
4155 if (!strcmp(name, "exec"))
4156 tsec->exec_sid = sid;
4157 else if (!strcmp(name, "fscreate"))
4158 tsec->create_sid = sid;
4159 else if (!strcmp(name, "current")) {
4160 struct av_decision avd;
4161
4162 if (sid == 0)
4163 return -EINVAL;
4164
4165 /* Only allow single threaded processes to change context */
4166 if (atomic_read(&p->mm->mm_users) != 1) {
4167 struct task_struct *g, *t;
4168 struct mm_struct *mm = p->mm;
4169 read_lock(&tasklist_lock);
4170 do_each_thread(g, t)
4171 if (t->mm == mm && t != p) {
4172 read_unlock(&tasklist_lock);
4173 return -EPERM;
4174 }
4175 while_each_thread(g, t);
4176 read_unlock(&tasklist_lock);
4177 }
4178
4179 /* Check permissions for the transition. */
4180 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4181 PROCESS__DYNTRANSITION, NULL);
4182 if (error)
4183 return error;
4184
4185 /* Check for ptracing, and update the task SID if ok.
4186 Otherwise, leave SID unchanged and fail. */
4187 task_lock(p);
4188 if (p->ptrace & PT_PTRACED) {
4189 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4190 SECCLASS_PROCESS,
4191 PROCESS__PTRACE, &avd);
4192 if (!error)
4193 tsec->sid = sid;
4194 task_unlock(p);
4195 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4196 PROCESS__PTRACE, &avd, error, NULL);
4197 if (error)
4198 return error;
4199 } else {
4200 tsec->sid = sid;
4201 task_unlock(p);
4202 }
4203 }
4204 else
4205 return -EINVAL;
4206
4207 return size;
4208}
4209
4210static struct security_operations selinux_ops = {
4211 .ptrace = selinux_ptrace,
4212 .capget = selinux_capget,
4213 .capset_check = selinux_capset_check,
4214 .capset_set = selinux_capset_set,
4215 .sysctl = selinux_sysctl,
4216 .capable = selinux_capable,
4217 .quotactl = selinux_quotactl,
4218 .quota_on = selinux_quota_on,
4219 .syslog = selinux_syslog,
4220 .vm_enough_memory = selinux_vm_enough_memory,
4221
4222 .netlink_send = selinux_netlink_send,
4223 .netlink_recv = selinux_netlink_recv,
4224
4225 .bprm_alloc_security = selinux_bprm_alloc_security,
4226 .bprm_free_security = selinux_bprm_free_security,
4227 .bprm_apply_creds = selinux_bprm_apply_creds,
4228 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
4229 .bprm_set_security = selinux_bprm_set_security,
4230 .bprm_check_security = selinux_bprm_check_security,
4231 .bprm_secureexec = selinux_bprm_secureexec,
4232
4233 .sb_alloc_security = selinux_sb_alloc_security,
4234 .sb_free_security = selinux_sb_free_security,
4235 .sb_copy_data = selinux_sb_copy_data,
4236 .sb_kern_mount = selinux_sb_kern_mount,
4237 .sb_statfs = selinux_sb_statfs,
4238 .sb_mount = selinux_mount,
4239 .sb_umount = selinux_umount,
4240
4241 .inode_alloc_security = selinux_inode_alloc_security,
4242 .inode_free_security = selinux_inode_free_security,
Stephen Smalley5e41ff92005-09-09 13:01:35 -07004243 .inode_init_security = selinux_inode_init_security,
Linus Torvalds1da177e2005-04-16 15:20:36 -07004244 .inode_create = selinux_inode_create,
Linus Torvalds1da177e2005-04-16 15:20:36 -07004245 .inode_link = selinux_inode_link,
Linus Torvalds1da177e2005-04-16 15:20:36 -07004246 .inode_unlink = selinux_inode_unlink,
4247 .inode_symlink = selinux_inode_symlink,
Linus Torvalds1da177e2005-04-16 15:20:36 -07004248 .inode_mkdir = selinux_inode_mkdir,
Linus Torvalds1da177e2005-04-16 15:20:36 -07004249 .inode_rmdir = selinux_inode_rmdir,
4250 .inode_mknod = selinux_inode_mknod,
Linus Torvalds1da177e2005-04-16 15:20:36 -07004251 .inode_rename = selinux_inode_rename,
Linus Torvalds1da177e2005-04-16 15:20:36 -07004252 .inode_readlink = selinux_inode_readlink,
4253 .inode_follow_link = selinux_inode_follow_link,
4254 .inode_permission = selinux_inode_permission,
4255 .inode_setattr = selinux_inode_setattr,
4256 .inode_getattr = selinux_inode_getattr,
4257 .inode_setxattr = selinux_inode_setxattr,
4258 .inode_post_setxattr = selinux_inode_post_setxattr,
4259 .inode_getxattr = selinux_inode_getxattr,
4260 .inode_listxattr = selinux_inode_listxattr,
4261 .inode_removexattr = selinux_inode_removexattr,
4262 .inode_getsecurity = selinux_inode_getsecurity,
4263 .inode_setsecurity = selinux_inode_setsecurity,
4264 .inode_listsecurity = selinux_inode_listsecurity,
4265
4266 .file_permission = selinux_file_permission,
4267 .file_alloc_security = selinux_file_alloc_security,
4268 .file_free_security = selinux_file_free_security,
4269 .file_ioctl = selinux_file_ioctl,
4270 .file_mmap = selinux_file_mmap,
4271 .file_mprotect = selinux_file_mprotect,
4272 .file_lock = selinux_file_lock,
4273 .file_fcntl = selinux_file_fcntl,
4274 .file_set_fowner = selinux_file_set_fowner,
4275 .file_send_sigiotask = selinux_file_send_sigiotask,
4276 .file_receive = selinux_file_receive,
4277
4278 .task_create = selinux_task_create,
4279 .task_alloc_security = selinux_task_alloc_security,
4280 .task_free_security = selinux_task_free_security,
4281 .task_setuid = selinux_task_setuid,
4282 .task_post_setuid = selinux_task_post_setuid,
4283 .task_setgid = selinux_task_setgid,
4284 .task_setpgid = selinux_task_setpgid,
4285 .task_getpgid = selinux_task_getpgid,
4286 .task_getsid = selinux_task_getsid,
4287 .task_setgroups = selinux_task_setgroups,
4288 .task_setnice = selinux_task_setnice,
4289 .task_setrlimit = selinux_task_setrlimit,
4290 .task_setscheduler = selinux_task_setscheduler,
4291 .task_getscheduler = selinux_task_getscheduler,
4292 .task_kill = selinux_task_kill,
4293 .task_wait = selinux_task_wait,
4294 .task_prctl = selinux_task_prctl,
4295 .task_reparent_to_init = selinux_task_reparent_to_init,
4296 .task_to_inode = selinux_task_to_inode,
4297
4298 .ipc_permission = selinux_ipc_permission,
4299
4300 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4301 .msg_msg_free_security = selinux_msg_msg_free_security,
4302
4303 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4304 .msg_queue_free_security = selinux_msg_queue_free_security,
4305 .msg_queue_associate = selinux_msg_queue_associate,
4306 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4307 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4308 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4309
4310 .shm_alloc_security = selinux_shm_alloc_security,
4311 .shm_free_security = selinux_shm_free_security,
4312 .shm_associate = selinux_shm_associate,
4313 .shm_shmctl = selinux_shm_shmctl,
4314 .shm_shmat = selinux_shm_shmat,
4315
4316 .sem_alloc_security = selinux_sem_alloc_security,
4317 .sem_free_security = selinux_sem_free_security,
4318 .sem_associate = selinux_sem_associate,
4319 .sem_semctl = selinux_sem_semctl,
4320 .sem_semop = selinux_sem_semop,
4321
4322 .register_security = selinux_register_security,
4323 .unregister_security = selinux_unregister_security,
4324
4325 .d_instantiate = selinux_d_instantiate,
4326
4327 .getprocattr = selinux_getprocattr,
4328 .setprocattr = selinux_setprocattr,
4329
Linus Torvalds1da177e2005-04-16 15:20:36 -07004330 .unix_stream_connect = selinux_socket_unix_stream_connect,
4331 .unix_may_send = selinux_socket_unix_may_send,
4332
4333 .socket_create = selinux_socket_create,
4334 .socket_post_create = selinux_socket_post_create,
4335 .socket_bind = selinux_socket_bind,
4336 .socket_connect = selinux_socket_connect,
4337 .socket_listen = selinux_socket_listen,
4338 .socket_accept = selinux_socket_accept,
4339 .socket_sendmsg = selinux_socket_sendmsg,
4340 .socket_recvmsg = selinux_socket_recvmsg,
4341 .socket_getsockname = selinux_socket_getsockname,
4342 .socket_getpeername = selinux_socket_getpeername,
4343 .socket_getsockopt = selinux_socket_getsockopt,
4344 .socket_setsockopt = selinux_socket_setsockopt,
4345 .socket_shutdown = selinux_socket_shutdown,
4346 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
4347 .socket_getpeersec = selinux_socket_getpeersec,
4348 .sk_alloc_security = selinux_sk_alloc_security,
4349 .sk_free_security = selinux_sk_free_security,
Trent Jaegerd28d1e02005-12-13 23:12:40 -08004350 .sk_getsid = selinux_sk_getsid_security,
Trent Jaegerd28d1e02005-12-13 23:12:40 -08004351
4352#ifdef CONFIG_SECURITY_NETWORK_XFRM
4353 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
4354 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
4355 .xfrm_policy_free_security = selinux_xfrm_policy_free,
4356 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
4357 .xfrm_state_free_security = selinux_xfrm_state_free,
4358 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
Linus Torvalds1da177e2005-04-16 15:20:36 -07004359#endif
4360};
4361
4362static __init int selinux_init(void)
4363{
4364 struct task_security_struct *tsec;
4365
4366 if (!selinux_enabled) {
4367 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4368 return 0;
4369 }
4370
4371 printk(KERN_INFO "SELinux: Initializing.\n");
4372
4373 /* Set the security state for the initial task. */
4374 if (task_alloc_security(current))
4375 panic("SELinux: Failed to initialize initial task.\n");
4376 tsec = current->security;
4377 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4378
4379 avc_init();
4380
4381 original_ops = secondary_ops = security_ops;
4382 if (!secondary_ops)
4383 panic ("SELinux: No initial security operations\n");
4384 if (register_security (&selinux_ops))
4385 panic("SELinux: Unable to register with kernel.\n");
4386
4387 if (selinux_enforcing) {
4388 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
4389 } else {
4390 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
4391 }
4392 return 0;
4393}
4394
4395void selinux_complete_init(void)
4396{
4397 printk(KERN_INFO "SELinux: Completing initialization.\n");
4398
4399 /* Set up any superblocks initialized prior to the policy load. */
4400 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
4401 spin_lock(&sb_security_lock);
4402next_sb:
4403 if (!list_empty(&superblock_security_head)) {
4404 struct superblock_security_struct *sbsec =
4405 list_entry(superblock_security_head.next,
4406 struct superblock_security_struct,
4407 list);
4408 struct super_block *sb = sbsec->sb;
4409 spin_lock(&sb_lock);
4410 sb->s_count++;
4411 spin_unlock(&sb_lock);
4412 spin_unlock(&sb_security_lock);
4413 down_read(&sb->s_umount);
4414 if (sb->s_root)
4415 superblock_doinit(sb, NULL);
4416 drop_super(sb);
4417 spin_lock(&sb_security_lock);
4418 list_del_init(&sbsec->list);
4419 goto next_sb;
4420 }
4421 spin_unlock(&sb_security_lock);
4422}
4423
4424/* SELinux requires early initialization in order to label
4425 all processes and objects when they are created. */
4426security_initcall(selinux_init);
4427
Stephen Smalleyc2b507f2006-02-04 23:27:50 -08004428#if defined(CONFIG_NETFILTER)
Linus Torvalds1da177e2005-04-16 15:20:36 -07004429
4430static struct nf_hook_ops selinux_ipv4_op = {
4431 .hook = selinux_ipv4_postroute_last,
4432 .owner = THIS_MODULE,
4433 .pf = PF_INET,
4434 .hooknum = NF_IP_POST_ROUTING,
4435 .priority = NF_IP_PRI_SELINUX_LAST,
4436};
4437
4438#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4439
4440static struct nf_hook_ops selinux_ipv6_op = {
4441 .hook = selinux_ipv6_postroute_last,
4442 .owner = THIS_MODULE,
4443 .pf = PF_INET6,
4444 .hooknum = NF_IP6_POST_ROUTING,
4445 .priority = NF_IP6_PRI_SELINUX_LAST,
4446};
4447
4448#endif /* IPV6 */
4449
4450static int __init selinux_nf_ip_init(void)
4451{
4452 int err = 0;
4453
4454 if (!selinux_enabled)
4455 goto out;
4456
4457 printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
4458
4459 err = nf_register_hook(&selinux_ipv4_op);
4460 if (err)
4461 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4462
4463#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4464
4465 err = nf_register_hook(&selinux_ipv6_op);
4466 if (err)
4467 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4468
4469#endif /* IPV6 */
Trent Jaegerd28d1e02005-12-13 23:12:40 -08004470
Linus Torvalds1da177e2005-04-16 15:20:36 -07004471out:
4472 return err;
4473}
4474
4475__initcall(selinux_nf_ip_init);
4476
4477#ifdef CONFIG_SECURITY_SELINUX_DISABLE
4478static void selinux_nf_ip_exit(void)
4479{
4480 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
4481
4482 nf_unregister_hook(&selinux_ipv4_op);
4483#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4484 nf_unregister_hook(&selinux_ipv6_op);
4485#endif /* IPV6 */
4486}
4487#endif
4488
Stephen Smalleyc2b507f2006-02-04 23:27:50 -08004489#else /* CONFIG_NETFILTER */
Linus Torvalds1da177e2005-04-16 15:20:36 -07004490
4491#ifdef CONFIG_SECURITY_SELINUX_DISABLE
4492#define selinux_nf_ip_exit()
4493#endif
4494
Stephen Smalleyc2b507f2006-02-04 23:27:50 -08004495#endif /* CONFIG_NETFILTER */
Linus Torvalds1da177e2005-04-16 15:20:36 -07004496
4497#ifdef CONFIG_SECURITY_SELINUX_DISABLE
4498int selinux_disable(void)
4499{
4500 extern void exit_sel_fs(void);
4501 static int selinux_disabled = 0;
4502
4503 if (ss_initialized) {
4504 /* Not permitted after initial policy load. */
4505 return -EINVAL;
4506 }
4507
4508 if (selinux_disabled) {
4509 /* Only do this once. */
4510 return -EINVAL;
4511 }
4512
4513 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
4514
4515 selinux_disabled = 1;
4516
4517 /* Reset security_ops to the secondary module, dummy or capability. */
4518 security_ops = secondary_ops;
4519
4520 /* Unregister netfilter hooks. */
4521 selinux_nf_ip_exit();
4522
4523 /* Unregister selinuxfs. */
4524 exit_sel_fs();
4525
4526 return 0;
4527}
4528#endif
4529
4530