Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / 8c8570fb8feef2bc166bee75a85748b25cda22d9 / . / security / selinux / hooks.c
blob: 9c08a19cc81b74081429dcd7d3067333671a61b3 [file] [log] [blame]
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2,
18 * as published by the Free Software Foundation.
19 */
20
21#include <linux/config.h>
22#include <linux/module.h>
23#include <linux/init.h>
24#include <linux/kernel.h>
25#include <linux/ptrace.h>
26#include <linux/errno.h>
27#include <linux/sched.h>
28#include <linux/security.h>
29#include <linux/xattr.h>
30#include <linux/capability.h>
31#include <linux/unistd.h>
32#include <linux/mm.h>
33#include <linux/mman.h>
34#include <linux/slab.h>
35#include <linux/pagemap.h>
36#include <linux/swap.h>
37#include <linux/smp_lock.h>
38#include <linux/spinlock.h>
39#include <linux/syscalls.h>
40#include <linux/file.h>
41#include <linux/namei.h>
42#include <linux/mount.h>
43#include <linux/ext2_fs.h>
44#include <linux/proc_fs.h>
45#include <linux/kd.h>
46#include <linux/netfilter_ipv4.h>
47#include <linux/netfilter_ipv6.h>
48#include <linux/tty.h>
49#include <net/icmp.h>
50#include <net/ip.h> /* for sysctl_local_port_range[] */
51#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
52#include <asm/uaccess.h>
53#include <asm/semaphore.h>
54#include <asm/ioctls.h>
55#include <linux/bitops.h>
56#include <linux/interrupt.h>
57#include <linux/netdevice.h> /* for network interface checks */
58#include <linux/netlink.h>
59#include <linux/tcp.h>
60#include <linux/udp.h>
61#include <linux/quota.h>
62#include <linux/un.h> /* for Unix socket types */
63#include <net/af_unix.h> /* for Unix socket types */
64#include <linux/parser.h>
65#include <linux/nfs_mount.h>
66#include <net/ipv6.h>
67#include <linux/hugetlb.h>
68#include <linux/personality.h>
69#include <linux/sysctl.h>
70#include <linux/audit.h>
Eric Paris6931dfc2005-06-30 02:58:51 -0700[diff] [blame]71#include <linux/string.h>
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]72
73#include "avc.h"
74#include "objsec.h"
75#include "netif.h"
Trent Jaegerd28d1e02005-12-13 23:12:40 -0800[diff] [blame]76#include "xfrm.h"
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]77
78#define XATTR_SELINUX_SUFFIX "selinux"
79#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81extern unsigned int policydb_loaded_version;
82extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83
84#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
85int selinux_enforcing = 0;
86
87static int __init enforcing_setup(char *str)
88{
89 selinux_enforcing = simple_strtol(str,NULL,0);
90 return 1;
91}
92__setup("enforcing=", enforcing_setup);
93#endif
94
95#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
96int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
97
98static int __init selinux_enabled_setup(char *str)
99{
100 selinux_enabled = simple_strtol(str, NULL, 0);
101 return 1;
102}
103__setup("selinux=", selinux_enabled_setup);
104#endif
105
106/* Original (dummy) security module. */
107static struct security_operations *original_ops = NULL;
108
109/* Minimal support for a secondary security module,
110 just to allow the use of the dummy or capability modules.
111 The owlsm module can alternatively be used as a secondary
112 module as long as CONFIG_OWLSM_FD is not enabled. */
113static struct security_operations *secondary_ops = NULL;
114
115/* Lists of inode and superblock security structures initialized
116 before the policy was loaded. */
117static LIST_HEAD(superblock_security_head);
118static DEFINE_SPINLOCK(sb_security_lock);
119
Dustin Kirkland8c8570f2005-11-03 17:15:16 +0000[diff] [blame^]120/* Return security context for a given sid or just the context
121 length if the buffer is null or length is 0 */
122static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
123{
124 char *context;
125 unsigned len;
126 int rc;
127
128 rc = security_sid_to_context(sid, &context, &len);
129 if (rc)
130 return rc;
131
132 if (!buffer || !size)
133 goto getsecurity_exit;
134
135 if (size < len) {
136 len = -ERANGE;
137 goto getsecurity_exit;
138 }
139 memcpy(buffer, context, len);
140
141getsecurity_exit:
142 kfree(context);
143 return len;
144}
145
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]146/* Allocate and free functions for each kind of security blob. */
147
148static int task_alloc_security(struct task_struct *task)
149{
150 struct task_security_struct *tsec;
151
James Morris89d155e2005-10-30 14:59:21 -0800[diff] [blame]152 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]153 if (!tsec)
154 return -ENOMEM;
155
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]156 tsec->task = task;
157 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
158 task->security = tsec;
159
160 return 0;
161}
162
163static void task_free_security(struct task_struct *task)
164{
165 struct task_security_struct *tsec = task->security;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]166 task->security = NULL;
167 kfree(tsec);
168}
169
170static int inode_alloc_security(struct inode *inode)
171{
172 struct task_security_struct *tsec = current->security;
173 struct inode_security_struct *isec;
174
James Morris89d155e2005-10-30 14:59:21 -0800[diff] [blame]175 isec = kzalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]176 if (!isec)
177 return -ENOMEM;
178
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]179 init_MUTEX(&isec->sem);
180 INIT_LIST_HEAD(&isec->list);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]181 isec->inode = inode;
182 isec->sid = SECINITSID_UNLABELED;
183 isec->sclass = SECCLASS_FILE;
Stephen Smalley9ac49d22006-02-01 03:05:56 -0800[diff] [blame]184 isec->task_sid = tsec->sid;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]185 inode->i_security = isec;
186
187 return 0;
188}
189
190static void inode_free_security(struct inode *inode)
191{
192 struct inode_security_struct *isec = inode->i_security;
193 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
194
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]195 spin_lock(&sbsec->isec_lock);
196 if (!list_empty(&isec->list))
197 list_del_init(&isec->list);
198 spin_unlock(&sbsec->isec_lock);
199
200 inode->i_security = NULL;
201 kfree(isec);
202}
203
204static int file_alloc_security(struct file *file)
205{
206 struct task_security_struct *tsec = current->security;
207 struct file_security_struct *fsec;
208
Stephen Smalley26d2a4b2006-02-01 03:05:55 -0800[diff] [blame]209 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]210 if (!fsec)
211 return -ENOMEM;
212
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]213 fsec->file = file;
Stephen Smalley9ac49d22006-02-01 03:05:56 -0800[diff] [blame]214 fsec->sid = tsec->sid;
215 fsec->fown_sid = tsec->sid;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]216 file->f_security = fsec;
217
218 return 0;
219}
220
221static void file_free_security(struct file *file)
222{
223 struct file_security_struct *fsec = file->f_security;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]224 file->f_security = NULL;
225 kfree(fsec);
226}
227
228static int superblock_alloc_security(struct super_block *sb)
229{
230 struct superblock_security_struct *sbsec;
231
James Morris89d155e2005-10-30 14:59:21 -0800[diff] [blame]232 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]233 if (!sbsec)
234 return -ENOMEM;
235
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]236 init_MUTEX(&sbsec->sem);
237 INIT_LIST_HEAD(&sbsec->list);
238 INIT_LIST_HEAD(&sbsec->isec_head);
239 spin_lock_init(&sbsec->isec_lock);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]240 sbsec->sb = sb;
241 sbsec->sid = SECINITSID_UNLABELED;
242 sbsec->def_sid = SECINITSID_FILE;
243 sb->s_security = sbsec;
244
245 return 0;
246}
247
248static void superblock_free_security(struct super_block *sb)
249{
250 struct superblock_security_struct *sbsec = sb->s_security;
251
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]252 spin_lock(&sb_security_lock);
253 if (!list_empty(&sbsec->list))
254 list_del_init(&sbsec->list);
255 spin_unlock(&sb_security_lock);
256
257 sb->s_security = NULL;
258 kfree(sbsec);
259}
260
Al Viro7d877f32005-10-21 03:20:43 -0400[diff] [blame]261static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]262{
263 struct sk_security_struct *ssec;
264
265 if (family != PF_UNIX)
266 return 0;
267
James Morris89d155e2005-10-30 14:59:21 -0800[diff] [blame]268 ssec = kzalloc(sizeof(*ssec), priority);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]269 if (!ssec)
270 return -ENOMEM;
271
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]272 ssec->sk = sk;
273 ssec->peer_sid = SECINITSID_UNLABELED;
274 sk->sk_security = ssec;
275
276 return 0;
277}
278
279static void sk_free_security(struct sock *sk)
280{
281 struct sk_security_struct *ssec = sk->sk_security;
282
Stephen Smalley9ac49d22006-02-01 03:05:56 -0800[diff] [blame]283 if (sk->sk_family != PF_UNIX)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]284 return;
285
286 sk->sk_security = NULL;
287 kfree(ssec);
288}
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]289
290/* The security server must be initialized before
291 any labeling or access decisions can be provided. */
292extern int ss_initialized;
293
294/* The file system's label must be initialized prior to use. */
295
296static char *labeling_behaviors[6] = {
297 "uses xattr",
298 "uses transition SIDs",
299 "uses task SIDs",
300 "uses genfs_contexts",
301 "not configured for labeling",
302 "uses mountpoint labeling",
303};
304
305static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
306
307static inline int inode_doinit(struct inode *inode)
308{
309 return inode_doinit_with_dentry(inode, NULL);
310}
311
312enum {
313 Opt_context = 1,
314 Opt_fscontext = 2,
315 Opt_defcontext = 4,
316};
317
318static match_table_t tokens = {
319 {Opt_context, "context=%s"},
320 {Opt_fscontext, "fscontext=%s"},
321 {Opt_defcontext, "defcontext=%s"},
322};
323
324#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
325
326static int try_context_mount(struct super_block *sb, void *data)
327{
328 char *context = NULL, *defcontext = NULL;
329 const char *name;
330 u32 sid;
331 int alloc = 0, rc = 0, seen = 0;
332 struct task_security_struct *tsec = current->security;
333 struct superblock_security_struct *sbsec = sb->s_security;
334
335 if (!data)
336 goto out;
337
338 name = sb->s_type->name;
339
340 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
341
342 /* NFS we understand. */
343 if (!strcmp(name, "nfs")) {
344 struct nfs_mount_data *d = data;
345
346 if (d->version < NFS_MOUNT_VERSION)
347 goto out;
348
349 if (d->context[0]) {
350 context = d->context;
351 seen |= Opt_context;
352 }
353 } else
354 goto out;
355
356 } else {
357 /* Standard string-based options. */
358 char *p, *options = data;
359
360 while ((p = strsep(&options, ",")) != NULL) {
361 int token;
362 substring_t args[MAX_OPT_ARGS];
363
364 if (!*p)
365 continue;
366
367 token = match_token(p, tokens, args);
368
369 switch (token) {
370 case Opt_context:
371 if (seen) {
372 rc = -EINVAL;
373 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
374 goto out_free;
375 }
376 context = match_strdup(&args[0]);
377 if (!context) {
378 rc = -ENOMEM;
379 goto out_free;
380 }
381 if (!alloc)
382 alloc = 1;
383 seen |= Opt_context;
384 break;
385
386 case Opt_fscontext:
387 if (seen & (Opt_context|Opt_fscontext)) {
388 rc = -EINVAL;
389 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
390 goto out_free;
391 }
392 context = match_strdup(&args[0]);
393 if (!context) {
394 rc = -ENOMEM;
395 goto out_free;
396 }
397 if (!alloc)
398 alloc = 1;
399 seen |= Opt_fscontext;
400 break;
401
402 case Opt_defcontext:
403 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
404 rc = -EINVAL;
405 printk(KERN_WARNING "SELinux: "
406 "defcontext option is invalid "
407 "for this filesystem type\n");
408 goto out_free;
409 }
410 if (seen & (Opt_context|Opt_defcontext)) {
411 rc = -EINVAL;
412 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
413 goto out_free;
414 }
415 defcontext = match_strdup(&args[0]);
416 if (!defcontext) {
417 rc = -ENOMEM;
418 goto out_free;
419 }
420 if (!alloc)
421 alloc = 1;
422 seen |= Opt_defcontext;
423 break;
424
425 default:
426 rc = -EINVAL;
427 printk(KERN_WARNING "SELinux: unknown mount "
428 "option\n");
429 goto out_free;
430
431 }
432 }
433 }
434
435 if (!seen)
436 goto out;
437
438 if (context) {
439 rc = security_context_to_sid(context, strlen(context), &sid);
440 if (rc) {
441 printk(KERN_WARNING "SELinux: security_context_to_sid"
442 "(%s) failed for (dev %s, type %s) errno=%d\n",
443 context, sb->s_id, name, rc);
444 goto out_free;
445 }
446
447 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
448 FILESYSTEM__RELABELFROM, NULL);
449 if (rc)
450 goto out_free;
451
452 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
453 FILESYSTEM__RELABELTO, NULL);
454 if (rc)
455 goto out_free;
456
457 sbsec->sid = sid;
458
459 if (seen & Opt_context)
460 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
461 }
462
463 if (defcontext) {
464 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
465 if (rc) {
466 printk(KERN_WARNING "SELinux: security_context_to_sid"
467 "(%s) failed for (dev %s, type %s) errno=%d\n",
468 defcontext, sb->s_id, name, rc);
469 goto out_free;
470 }
471
472 if (sid == sbsec->def_sid)
473 goto out_free;
474
475 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
476 FILESYSTEM__RELABELFROM, NULL);
477 if (rc)
478 goto out_free;
479
480 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
481 FILESYSTEM__ASSOCIATE, NULL);
482 if (rc)
483 goto out_free;
484
485 sbsec->def_sid = sid;
486 }
487
488out_free:
489 if (alloc) {
490 kfree(context);
491 kfree(defcontext);
492 }
493out:
494 return rc;
495}
496
497static int superblock_doinit(struct super_block *sb, void *data)
498{
499 struct superblock_security_struct *sbsec = sb->s_security;
500 struct dentry *root = sb->s_root;
501 struct inode *inode = root->d_inode;
502 int rc = 0;
503
504 down(&sbsec->sem);
505 if (sbsec->initialized)
506 goto out;
507
508 if (!ss_initialized) {
509 /* Defer initialization until selinux_complete_init,
510 after the initial policy is loaded and the security
511 server is ready to handle calls. */
512 spin_lock(&sb_security_lock);
513 if (list_empty(&sbsec->list))
514 list_add(&sbsec->list, &superblock_security_head);
515 spin_unlock(&sb_security_lock);
516 goto out;
517 }
518
519 /* Determine the labeling behavior to use for this filesystem type. */
520 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
521 if (rc) {
522 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
523 __FUNCTION__, sb->s_type->name, rc);
524 goto out;
525 }
526
527 rc = try_context_mount(sb, data);
528 if (rc)
529 goto out;
530
531 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
532 /* Make sure that the xattr handler exists and that no
533 error other than -ENODATA is returned by getxattr on
534 the root directory. -ENODATA is ok, as this may be
535 the first boot of the SELinux kernel before we have
536 assigned xattr values to the filesystem. */
537 if (!inode->i_op->getxattr) {
538 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
539 "xattr support\n", sb->s_id, sb->s_type->name);
540 rc = -EOPNOTSUPP;
541 goto out;
542 }
543 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
544 if (rc < 0 && rc != -ENODATA) {
545 if (rc == -EOPNOTSUPP)
546 printk(KERN_WARNING "SELinux: (dev %s, type "
547 "%s) has no security xattr handler\n",
548 sb->s_id, sb->s_type->name);
549 else
550 printk(KERN_WARNING "SELinux: (dev %s, type "
551 "%s) getxattr errno %d\n", sb->s_id,
552 sb->s_type->name, -rc);
553 goto out;
554 }
555 }
556
557 if (strcmp(sb->s_type->name, "proc") == 0)
558 sbsec->proc = 1;
559
560 sbsec->initialized = 1;
561
562 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
563 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
564 sb->s_id, sb->s_type->name);
565 }
566 else {
567 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
568 sb->s_id, sb->s_type->name,
569 labeling_behaviors[sbsec->behavior-1]);
570 }
571
572 /* Initialize the root inode. */
573 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
574
575 /* Initialize any other inodes associated with the superblock, e.g.
576 inodes created prior to initial policy load or inodes created
577 during get_sb by a pseudo filesystem that directly
578 populates itself. */
579 spin_lock(&sbsec->isec_lock);
580next_inode:
581 if (!list_empty(&sbsec->isec_head)) {
582 struct inode_security_struct *isec =
583 list_entry(sbsec->isec_head.next,
584 struct inode_security_struct, list);
585 struct inode *inode = isec->inode;
586 spin_unlock(&sbsec->isec_lock);
587 inode = igrab(inode);
588 if (inode) {
589 if (!IS_PRIVATE (inode))
590 inode_doinit(inode);
591 iput(inode);
592 }
593 spin_lock(&sbsec->isec_lock);
594 list_del_init(&isec->list);
595 goto next_inode;
596 }
597 spin_unlock(&sbsec->isec_lock);
598out:
599 up(&sbsec->sem);
600 return rc;
601}
602
603static inline u16 inode_mode_to_security_class(umode_t mode)
604{
605 switch (mode & S_IFMT) {
606 case S_IFSOCK:
607 return SECCLASS_SOCK_FILE;
608 case S_IFLNK:
609 return SECCLASS_LNK_FILE;
610 case S_IFREG:
611 return SECCLASS_FILE;
612 case S_IFBLK:
613 return SECCLASS_BLK_FILE;
614 case S_IFDIR:
615 return SECCLASS_DIR;
616 case S_IFCHR:
617 return SECCLASS_CHR_FILE;
618 case S_IFIFO:
619 return SECCLASS_FIFO_FILE;
620
621 }
622
623 return SECCLASS_FILE;
624}
625
James Morris13402582005-09-30 14:24:34 -0400[diff] [blame]626static inline int default_protocol_stream(int protocol)
627{
628 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
629}
630
631static inline int default_protocol_dgram(int protocol)
632{
633 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
634}
635
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]636static inline u16 socket_type_to_security_class(int family, int type, int protocol)
637{
638 switch (family) {
639 case PF_UNIX:
640 switch (type) {
641 case SOCK_STREAM:
642 case SOCK_SEQPACKET:
643 return SECCLASS_UNIX_STREAM_SOCKET;
644 case SOCK_DGRAM:
645 return SECCLASS_UNIX_DGRAM_SOCKET;
646 }
647 break;
648 case PF_INET:
649 case PF_INET6:
650 switch (type) {
651 case SOCK_STREAM:
James Morris13402582005-09-30 14:24:34 -0400[diff] [blame]652 if (default_protocol_stream(protocol))
653 return SECCLASS_TCP_SOCKET;
654 else
655 return SECCLASS_RAWIP_SOCKET;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]656 case SOCK_DGRAM:
James Morris13402582005-09-30 14:24:34 -0400[diff] [blame]657 if (default_protocol_dgram(protocol))
658 return SECCLASS_UDP_SOCKET;
659 else
660 return SECCLASS_RAWIP_SOCKET;
661 default:
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]662 return SECCLASS_RAWIP_SOCKET;
663 }
664 break;
665 case PF_NETLINK:
666 switch (protocol) {
667 case NETLINK_ROUTE:
668 return SECCLASS_NETLINK_ROUTE_SOCKET;
669 case NETLINK_FIREWALL:
670 return SECCLASS_NETLINK_FIREWALL_SOCKET;
James Morris216efaa2005-08-15 20:34:48 -0700[diff] [blame]671 case NETLINK_INET_DIAG:
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]672 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
673 case NETLINK_NFLOG:
674 return SECCLASS_NETLINK_NFLOG_SOCKET;
675 case NETLINK_XFRM:
676 return SECCLASS_NETLINK_XFRM_SOCKET;
677 case NETLINK_SELINUX:
678 return SECCLASS_NETLINK_SELINUX_SOCKET;
679 case NETLINK_AUDIT:
680 return SECCLASS_NETLINK_AUDIT_SOCKET;
681 case NETLINK_IP6_FW:
682 return SECCLASS_NETLINK_IP6FW_SOCKET;
683 case NETLINK_DNRTMSG:
684 return SECCLASS_NETLINK_DNRT_SOCKET;
James Morris0c9b7942005-04-16 15:24:13 -0700[diff] [blame]685 case NETLINK_KOBJECT_UEVENT:
686 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]687 default:
688 return SECCLASS_NETLINK_SOCKET;
689 }
690 case PF_PACKET:
691 return SECCLASS_PACKET_SOCKET;
692 case PF_KEY:
693 return SECCLASS_KEY_SOCKET;
694 }
695
696 return SECCLASS_SOCKET;
697}
698
699#ifdef CONFIG_PROC_FS
700static int selinux_proc_get_sid(struct proc_dir_entry *de,
701 u16 tclass,
702 u32 *sid)
703{
704 int buflen, rc;
705 char *buffer, *path, *end;
706
707 buffer = (char*)__get_free_page(GFP_KERNEL);
708 if (!buffer)
709 return -ENOMEM;
710
711 buflen = PAGE_SIZE;
712 end = buffer+buflen;
713 *--end = '\0';
714 buflen--;
715 path = end-1;
716 *path = '/';
717 while (de && de != de->parent) {
718 buflen -= de->namelen + 1;
719 if (buflen < 0)
720 break;
721 end -= de->namelen;
722 memcpy(end, de->name, de->namelen);
723 *--end = '/';
724 path = end;
725 de = de->parent;
726 }
727 rc = security_genfs_sid("proc", path, tclass, sid);
728 free_page((unsigned long)buffer);
729 return rc;
730}
731#else
732static int selinux_proc_get_sid(struct proc_dir_entry *de,
733 u16 tclass,
734 u32 *sid)
735{
736 return -EINVAL;
737}
738#endif
739
740/* The inode's security attributes must be initialized before first use. */
741static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
742{
743 struct superblock_security_struct *sbsec = NULL;
744 struct inode_security_struct *isec = inode->i_security;
745 u32 sid;
746 struct dentry *dentry;
747#define INITCONTEXTLEN 255
748 char *context = NULL;
749 unsigned len = 0;
750 int rc = 0;
751 int hold_sem = 0;
752
753 if (isec->initialized)
754 goto out;
755
756 down(&isec->sem);
757 hold_sem = 1;
758 if (isec->initialized)
759 goto out;
760
761 sbsec = inode->i_sb->s_security;
762 if (!sbsec->initialized) {
763 /* Defer initialization until selinux_complete_init,
764 after the initial policy is loaded and the security
765 server is ready to handle calls. */
766 spin_lock(&sbsec->isec_lock);
767 if (list_empty(&isec->list))
768 list_add(&isec->list, &sbsec->isec_head);
769 spin_unlock(&sbsec->isec_lock);
770 goto out;
771 }
772
773 switch (sbsec->behavior) {
774 case SECURITY_FS_USE_XATTR:
775 if (!inode->i_op->getxattr) {
776 isec->sid = sbsec->def_sid;
777 break;
778 }
779
780 /* Need a dentry, since the xattr API requires one.
781 Life would be simpler if we could just pass the inode. */
782 if (opt_dentry) {
783 /* Called from d_instantiate or d_splice_alias. */
784 dentry = dget(opt_dentry);
785 } else {
786 /* Called from selinux_complete_init, try to find a dentry. */
787 dentry = d_find_alias(inode);
788 }
789 if (!dentry) {
790 printk(KERN_WARNING "%s: no dentry for dev=%s "
791 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
792 inode->i_ino);
793 goto out;
794 }
795
796 len = INITCONTEXTLEN;
797 context = kmalloc(len, GFP_KERNEL);
798 if (!context) {
799 rc = -ENOMEM;
800 dput(dentry);
801 goto out;
802 }
803 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
804 context, len);
805 if (rc == -ERANGE) {
806 /* Need a larger buffer. Query for the right size. */
807 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
808 NULL, 0);
809 if (rc < 0) {
810 dput(dentry);
811 goto out;
812 }
813 kfree(context);
814 len = rc;
815 context = kmalloc(len, GFP_KERNEL);
816 if (!context) {
817 rc = -ENOMEM;
818 dput(dentry);
819 goto out;
820 }
821 rc = inode->i_op->getxattr(dentry,
822 XATTR_NAME_SELINUX,
823 context, len);
824 }
825 dput(dentry);
826 if (rc < 0) {
827 if (rc != -ENODATA) {
828 printk(KERN_WARNING "%s: getxattr returned "
829 "%d for dev=%s ino=%ld\n", __FUNCTION__,
830 -rc, inode->i_sb->s_id, inode->i_ino);
831 kfree(context);
832 goto out;
833 }
834 /* Map ENODATA to the default file SID */
835 sid = sbsec->def_sid;
836 rc = 0;
837 } else {
James Morrisf5c1d5b2005-07-28 01:07:37 -0700[diff] [blame]838 rc = security_context_to_sid_default(context, rc, &sid,
839 sbsec->def_sid);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]840 if (rc) {
841 printk(KERN_WARNING "%s: context_to_sid(%s) "
842 "returned %d for dev=%s ino=%ld\n",
843 __FUNCTION__, context, -rc,
844 inode->i_sb->s_id, inode->i_ino);
845 kfree(context);
846 /* Leave with the unlabeled SID */
847 rc = 0;
848 break;
849 }
850 }
851 kfree(context);
852 isec->sid = sid;
853 break;
854 case SECURITY_FS_USE_TASK:
855 isec->sid = isec->task_sid;
856 break;
857 case SECURITY_FS_USE_TRANS:
858 /* Default to the fs SID. */
859 isec->sid = sbsec->sid;
860
861 /* Try to obtain a transition SID. */
862 isec->sclass = inode_mode_to_security_class(inode->i_mode);
863 rc = security_transition_sid(isec->task_sid,
864 sbsec->sid,
865 isec->sclass,
866 &sid);
867 if (rc)
868 goto out;
869 isec->sid = sid;
870 break;
871 default:
872 /* Default to the fs SID. */
873 isec->sid = sbsec->sid;
874
875 if (sbsec->proc) {
876 struct proc_inode *proci = PROC_I(inode);
877 if (proci->pde) {
878 isec->sclass = inode_mode_to_security_class(inode->i_mode);
879 rc = selinux_proc_get_sid(proci->pde,
880 isec->sclass,
881 &sid);
882 if (rc)
883 goto out;
884 isec->sid = sid;
885 }
886 }
887 break;
888 }
889
890 isec->initialized = 1;
891
892out:
893 if (isec->sclass == SECCLASS_FILE)
894 isec->sclass = inode_mode_to_security_class(inode->i_mode);
895
896 if (hold_sem)
897 up(&isec->sem);
898 return rc;
899}
900
901/* Convert a Linux signal to an access vector. */
902static inline u32 signal_to_av(int sig)
903{
904 u32 perm = 0;
905
906 switch (sig) {
907 case SIGCHLD:
908 /* Commonly granted from child to parent. */
909 perm = PROCESS__SIGCHLD;
910 break;
911 case SIGKILL:
912 /* Cannot be caught or ignored */
913 perm = PROCESS__SIGKILL;
914 break;
915 case SIGSTOP:
916 /* Cannot be caught or ignored */
917 perm = PROCESS__SIGSTOP;
918 break;
919 default:
920 /* All other signals. */
921 perm = PROCESS__SIGNAL;
922 break;
923 }
924
925 return perm;
926}
927
928/* Check permission betweeen a pair of tasks, e.g. signal checks,
929 fork check, ptrace check, etc. */
930static int task_has_perm(struct task_struct *tsk1,
931 struct task_struct *tsk2,
932 u32 perms)
933{
934 struct task_security_struct *tsec1, *tsec2;
935
936 tsec1 = tsk1->security;
937 tsec2 = tsk2->security;
938 return avc_has_perm(tsec1->sid, tsec2->sid,
939 SECCLASS_PROCESS, perms, NULL);
940}
941
942/* Check whether a task is allowed to use a capability. */
943static int task_has_capability(struct task_struct *tsk,
944 int cap)
945{
946 struct task_security_struct *tsec;
947 struct avc_audit_data ad;
948
949 tsec = tsk->security;
950
951 AVC_AUDIT_DATA_INIT(&ad,CAP);
952 ad.tsk = tsk;
953 ad.u.cap = cap;
954
955 return avc_has_perm(tsec->sid, tsec->sid,
956 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
957}
958
959/* Check whether a task is allowed to use a system operation. */
960static int task_has_system(struct task_struct *tsk,
961 u32 perms)
962{
963 struct task_security_struct *tsec;
964
965 tsec = tsk->security;
966
967 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
968 SECCLASS_SYSTEM, perms, NULL);
969}
970
971/* Check whether a task has a particular permission to an inode.
972 The 'adp' parameter is optional and allows other audit
973 data to be passed (e.g. the dentry). */
974static int inode_has_perm(struct task_struct *tsk,
975 struct inode *inode,
976 u32 perms,
977 struct avc_audit_data *adp)
978{
979 struct task_security_struct *tsec;
980 struct inode_security_struct *isec;
981 struct avc_audit_data ad;
982
983 tsec = tsk->security;
984 isec = inode->i_security;
985
986 if (!adp) {
987 adp = &ad;
988 AVC_AUDIT_DATA_INIT(&ad, FS);
989 ad.u.fs.inode = inode;
990 }
991
992 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
993}
994
995/* Same as inode_has_perm, but pass explicit audit data containing
996 the dentry to help the auditing code to more easily generate the
997 pathname if needed. */
998static inline int dentry_has_perm(struct task_struct *tsk,
999 struct vfsmount *mnt,
1000 struct dentry *dentry,
1001 u32 av)
1002{
1003 struct inode *inode = dentry->d_inode;
1004 struct avc_audit_data ad;
1005 AVC_AUDIT_DATA_INIT(&ad,FS);
1006 ad.u.fs.mnt = mnt;
1007 ad.u.fs.dentry = dentry;
1008 return inode_has_perm(tsk, inode, av, &ad);
1009}
1010
1011/* Check whether a task can use an open file descriptor to
1012 access an inode in a given way. Check access to the
1013 descriptor itself, and then use dentry_has_perm to
1014 check a particular permission to the file.
1015 Access to the descriptor is implicitly granted if it
1016 has the same SID as the process. If av is zero, then
1017 access to the file is not checked, e.g. for cases
1018 where only the descriptor is affected like seek. */
Arjan van de Ven858119e2006-01-14 13:20:43 -0800[diff] [blame]1019static int file_has_perm(struct task_struct *tsk,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1020 struct file *file,
1021 u32 av)
1022{
1023 struct task_security_struct *tsec = tsk->security;
1024 struct file_security_struct *fsec = file->f_security;
1025 struct vfsmount *mnt = file->f_vfsmnt;
1026 struct dentry *dentry = file->f_dentry;
1027 struct inode *inode = dentry->d_inode;
1028 struct avc_audit_data ad;
1029 int rc;
1030
1031 AVC_AUDIT_DATA_INIT(&ad, FS);
1032 ad.u.fs.mnt = mnt;
1033 ad.u.fs.dentry = dentry;
1034
1035 if (tsec->sid != fsec->sid) {
1036 rc = avc_has_perm(tsec->sid, fsec->sid,
1037 SECCLASS_FD,
1038 FD__USE,
1039 &ad);
1040 if (rc)
1041 return rc;
1042 }
1043
1044 /* av is zero if only checking access to the descriptor. */
1045 if (av)
1046 return inode_has_perm(tsk, inode, av, &ad);
1047
1048 return 0;
1049}
1050
1051/* Check whether a task can create a file. */
1052static int may_create(struct inode *dir,
1053 struct dentry *dentry,
1054 u16 tclass)
1055{
1056 struct task_security_struct *tsec;
1057 struct inode_security_struct *dsec;
1058 struct superblock_security_struct *sbsec;
1059 u32 newsid;
1060 struct avc_audit_data ad;
1061 int rc;
1062
1063 tsec = current->security;
1064 dsec = dir->i_security;
1065 sbsec = dir->i_sb->s_security;
1066
1067 AVC_AUDIT_DATA_INIT(&ad, FS);
1068 ad.u.fs.dentry = dentry;
1069
1070 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1071 DIR__ADD_NAME | DIR__SEARCH,
1072 &ad);
1073 if (rc)
1074 return rc;
1075
1076 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1077 newsid = tsec->create_sid;
1078 } else {
1079 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1080 &newsid);
1081 if (rc)
1082 return rc;
1083 }
1084
1085 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1086 if (rc)
1087 return rc;
1088
1089 return avc_has_perm(newsid, sbsec->sid,
1090 SECCLASS_FILESYSTEM,
1091 FILESYSTEM__ASSOCIATE, &ad);
1092}
1093
1094#define MAY_LINK 0
1095#define MAY_UNLINK 1
1096#define MAY_RMDIR 2
1097
1098/* Check whether a task can link, unlink, or rmdir a file/directory. */
1099static int may_link(struct inode *dir,
1100 struct dentry *dentry,
1101 int kind)
1102
1103{
1104 struct task_security_struct *tsec;
1105 struct inode_security_struct *dsec, *isec;
1106 struct avc_audit_data ad;
1107 u32 av;
1108 int rc;
1109
1110 tsec = current->security;
1111 dsec = dir->i_security;
1112 isec = dentry->d_inode->i_security;
1113
1114 AVC_AUDIT_DATA_INIT(&ad, FS);
1115 ad.u.fs.dentry = dentry;
1116
1117 av = DIR__SEARCH;
1118 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1119 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1120 if (rc)
1121 return rc;
1122
1123 switch (kind) {
1124 case MAY_LINK:
1125 av = FILE__LINK;
1126 break;
1127 case MAY_UNLINK:
1128 av = FILE__UNLINK;
1129 break;
1130 case MAY_RMDIR:
1131 av = DIR__RMDIR;
1132 break;
1133 default:
1134 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1135 return 0;
1136 }
1137
1138 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1139 return rc;
1140}
1141
1142static inline int may_rename(struct inode *old_dir,
1143 struct dentry *old_dentry,
1144 struct inode *new_dir,
1145 struct dentry *new_dentry)
1146{
1147 struct task_security_struct *tsec;
1148 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1149 struct avc_audit_data ad;
1150 u32 av;
1151 int old_is_dir, new_is_dir;
1152 int rc;
1153
1154 tsec = current->security;
1155 old_dsec = old_dir->i_security;
1156 old_isec = old_dentry->d_inode->i_security;
1157 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1158 new_dsec = new_dir->i_security;
1159
1160 AVC_AUDIT_DATA_INIT(&ad, FS);
1161
1162 ad.u.fs.dentry = old_dentry;
1163 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1164 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1165 if (rc)
1166 return rc;
1167 rc = avc_has_perm(tsec->sid, old_isec->sid,
1168 old_isec->sclass, FILE__RENAME, &ad);
1169 if (rc)
1170 return rc;
1171 if (old_is_dir && new_dir != old_dir) {
1172 rc = avc_has_perm(tsec->sid, old_isec->sid,
1173 old_isec->sclass, DIR__REPARENT, &ad);
1174 if (rc)
1175 return rc;
1176 }
1177
1178 ad.u.fs.dentry = new_dentry;
1179 av = DIR__ADD_NAME | DIR__SEARCH;
1180 if (new_dentry->d_inode)
1181 av |= DIR__REMOVE_NAME;
1182 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1183 if (rc)
1184 return rc;
1185 if (new_dentry->d_inode) {
1186 new_isec = new_dentry->d_inode->i_security;
1187 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1188 rc = avc_has_perm(tsec->sid, new_isec->sid,
1189 new_isec->sclass,
1190 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1191 if (rc)
1192 return rc;
1193 }
1194
1195 return 0;
1196}
1197
1198/* Check whether a task can perform a filesystem operation. */
1199static int superblock_has_perm(struct task_struct *tsk,
1200 struct super_block *sb,
1201 u32 perms,
1202 struct avc_audit_data *ad)
1203{
1204 struct task_security_struct *tsec;
1205 struct superblock_security_struct *sbsec;
1206
1207 tsec = tsk->security;
1208 sbsec = sb->s_security;
1209 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1210 perms, ad);
1211}
1212
1213/* Convert a Linux mode and permission mask to an access vector. */
1214static inline u32 file_mask_to_av(int mode, int mask)
1215{
1216 u32 av = 0;
1217
1218 if ((mode & S_IFMT) != S_IFDIR) {
1219 if (mask & MAY_EXEC)
1220 av |= FILE__EXECUTE;
1221 if (mask & MAY_READ)
1222 av |= FILE__READ;
1223
1224 if (mask & MAY_APPEND)
1225 av |= FILE__APPEND;
1226 else if (mask & MAY_WRITE)
1227 av |= FILE__WRITE;
1228
1229 } else {
1230 if (mask & MAY_EXEC)
1231 av |= DIR__SEARCH;
1232 if (mask & MAY_WRITE)
1233 av |= DIR__WRITE;
1234 if (mask & MAY_READ)
1235 av |= DIR__READ;
1236 }
1237
1238 return av;
1239}
1240
1241/* Convert a Linux file to an access vector. */
1242static inline u32 file_to_av(struct file *file)
1243{
1244 u32 av = 0;
1245
1246 if (file->f_mode & FMODE_READ)
1247 av |= FILE__READ;
1248 if (file->f_mode & FMODE_WRITE) {
1249 if (file->f_flags & O_APPEND)
1250 av |= FILE__APPEND;
1251 else
1252 av |= FILE__WRITE;
1253 }
1254
1255 return av;
1256}
1257
1258/* Set an inode's SID to a specified value. */
1259static int inode_security_set_sid(struct inode *inode, u32 sid)
1260{
1261 struct inode_security_struct *isec = inode->i_security;
1262 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1263
1264 if (!sbsec->initialized) {
1265 /* Defer initialization to selinux_complete_init. */
1266 return 0;
1267 }
1268
1269 down(&isec->sem);
1270 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1271 isec->sid = sid;
1272 isec->initialized = 1;
1273 up(&isec->sem);
1274 return 0;
1275}
1276
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1277/* Hook functions begin here. */
1278
1279static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1280{
1281 struct task_security_struct *psec = parent->security;
1282 struct task_security_struct *csec = child->security;
1283 int rc;
1284
1285 rc = secondary_ops->ptrace(parent,child);
1286 if (rc)
1287 return rc;
1288
1289 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1290 /* Save the SID of the tracing process for later use in apply_creds. */
Stephen Smalley341c2d82006-03-11 03:27:16 -0800[diff] [blame]1291 if (!(child->ptrace & PT_PTRACED) && !rc)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1292 csec->ptrace_sid = psec->sid;
1293 return rc;
1294}
1295
1296static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1297 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1298{
1299 int error;
1300
1301 error = task_has_perm(current, target, PROCESS__GETCAP);
1302 if (error)
1303 return error;
1304
1305 return secondary_ops->capget(target, effective, inheritable, permitted);
1306}
1307
1308static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1309 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1310{
1311 int error;
1312
1313 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1314 if (error)
1315 return error;
1316
1317 return task_has_perm(current, target, PROCESS__SETCAP);
1318}
1319
1320static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1321 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1322{
1323 secondary_ops->capset_set(target, effective, inheritable, permitted);
1324}
1325
1326static int selinux_capable(struct task_struct *tsk, int cap)
1327{
1328 int rc;
1329
1330 rc = secondary_ops->capable(tsk, cap);
1331 if (rc)
1332 return rc;
1333
1334 return task_has_capability(tsk,cap);
1335}
1336
1337static int selinux_sysctl(ctl_table *table, int op)
1338{
1339 int error = 0;
1340 u32 av;
1341 struct task_security_struct *tsec;
1342 u32 tsid;
1343 int rc;
1344
1345 rc = secondary_ops->sysctl(table, op);
1346 if (rc)
1347 return rc;
1348
1349 tsec = current->security;
1350
1351 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1352 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1353 if (rc) {
1354 /* Default to the well-defined sysctl SID. */
1355 tsid = SECINITSID_SYSCTL;
1356 }
1357
1358 /* The op values are "defined" in sysctl.c, thereby creating
1359 * a bad coupling between this module and sysctl.c */
1360 if(op == 001) {
1361 error = avc_has_perm(tsec->sid, tsid,
1362 SECCLASS_DIR, DIR__SEARCH, NULL);
1363 } else {
1364 av = 0;
1365 if (op & 004)
1366 av |= FILE__READ;
1367 if (op & 002)
1368 av |= FILE__WRITE;
1369 if (av)
1370 error = avc_has_perm(tsec->sid, tsid,
1371 SECCLASS_FILE, av, NULL);
1372 }
1373
1374 return error;
1375}
1376
1377static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1378{
1379 int rc = 0;
1380
1381 if (!sb)
1382 return 0;
1383
1384 switch (cmds) {
1385 case Q_SYNC:
1386 case Q_QUOTAON:
1387 case Q_QUOTAOFF:
1388 case Q_SETINFO:
1389 case Q_SETQUOTA:
1390 rc = superblock_has_perm(current,
1391 sb,
1392 FILESYSTEM__QUOTAMOD, NULL);
1393 break;
1394 case Q_GETFMT:
1395 case Q_GETINFO:
1396 case Q_GETQUOTA:
1397 rc = superblock_has_perm(current,
1398 sb,
1399 FILESYSTEM__QUOTAGET, NULL);
1400 break;
1401 default:
1402 rc = 0; /* let the kernel handle invalid cmds */
1403 break;
1404 }
1405 return rc;
1406}
1407
1408static int selinux_quota_on(struct dentry *dentry)
1409{
1410 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1411}
1412
1413static int selinux_syslog(int type)
1414{
1415 int rc;
1416
1417 rc = secondary_ops->syslog(type);
1418 if (rc)
1419 return rc;
1420
1421 switch (type) {
1422 case 3: /* Read last kernel messages */
1423 case 10: /* Return size of the log buffer */
1424 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1425 break;
1426 case 6: /* Disable logging to console */
1427 case 7: /* Enable logging to console */
1428 case 8: /* Set level of messages printed to console */
1429 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1430 break;
1431 case 0: /* Close log */
1432 case 1: /* Open log */
1433 case 2: /* Read from log */
1434 case 4: /* Read/clear last kernel messages */
1435 case 5: /* Clear ring buffer */
1436 default:
1437 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1438 break;
1439 }
1440 return rc;
1441}
1442
1443/*
1444 * Check that a process has enough memory to allocate a new virtual
1445 * mapping. 0 means there is enough memory for the allocation to
1446 * succeed and -ENOMEM implies there is not.
1447 *
1448 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1449 * if the capability is granted, but __vm_enough_memory requires 1 if
1450 * the capability is granted.
1451 *
1452 * Do not audit the selinux permission check, as this is applied to all
1453 * processes that allocate mappings.
1454 */
1455static int selinux_vm_enough_memory(long pages)
1456{
1457 int rc, cap_sys_admin = 0;
1458 struct task_security_struct *tsec = current->security;
1459
1460 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1461 if (rc == 0)
1462 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1463 SECCLASS_CAPABILITY,
1464 CAP_TO_MASK(CAP_SYS_ADMIN),
1465 NULL);
1466
1467 if (rc == 0)
1468 cap_sys_admin = 1;
1469
1470 return __vm_enough_memory(pages, cap_sys_admin);
1471}
1472
1473/* binprm security operations */
1474
1475static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1476{
1477 struct bprm_security_struct *bsec;
1478
James Morris89d155e2005-10-30 14:59:21 -0800[diff] [blame]1479 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1480 if (!bsec)
1481 return -ENOMEM;
1482
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1483 bsec->bprm = bprm;
1484 bsec->sid = SECINITSID_UNLABELED;
1485 bsec->set = 0;
1486
1487 bprm->security = bsec;
1488 return 0;
1489}
1490
1491static int selinux_bprm_set_security(struct linux_binprm *bprm)
1492{
1493 struct task_security_struct *tsec;
1494 struct inode *inode = bprm->file->f_dentry->d_inode;
1495 struct inode_security_struct *isec;
1496 struct bprm_security_struct *bsec;
1497 u32 newsid;
1498 struct avc_audit_data ad;
1499 int rc;
1500
1501 rc = secondary_ops->bprm_set_security(bprm);
1502 if (rc)
1503 return rc;
1504
1505 bsec = bprm->security;
1506
1507 if (bsec->set)
1508 return 0;
1509
1510 tsec = current->security;
1511 isec = inode->i_security;
1512
1513 /* Default to the current task SID. */
1514 bsec->sid = tsec->sid;
1515
1516 /* Reset create SID on execve. */
1517 tsec->create_sid = 0;
1518
1519 if (tsec->exec_sid) {
1520 newsid = tsec->exec_sid;
1521 /* Reset exec SID on execve. */
1522 tsec->exec_sid = 0;
1523 } else {
1524 /* Check for a default transition on this program. */
1525 rc = security_transition_sid(tsec->sid, isec->sid,
1526 SECCLASS_PROCESS, &newsid);
1527 if (rc)
1528 return rc;
1529 }
1530
1531 AVC_AUDIT_DATA_INIT(&ad, FS);
1532 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1533 ad.u.fs.dentry = bprm->file->f_dentry;
1534
1535 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1536 newsid = tsec->sid;
1537
1538 if (tsec->sid == newsid) {
1539 rc = avc_has_perm(tsec->sid, isec->sid,
1540 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1541 if (rc)
1542 return rc;
1543 } else {
1544 /* Check permissions for the transition. */
1545 rc = avc_has_perm(tsec->sid, newsid,
1546 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1547 if (rc)
1548 return rc;
1549
1550 rc = avc_has_perm(newsid, isec->sid,
1551 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1552 if (rc)
1553 return rc;
1554
1555 /* Clear any possibly unsafe personality bits on exec: */
1556 current->personality &= ~PER_CLEAR_ON_SETID;
1557
1558 /* Set the security field to the new SID. */
1559 bsec->sid = newsid;
1560 }
1561
1562 bsec->set = 1;
1563 return 0;
1564}
1565
1566static int selinux_bprm_check_security (struct linux_binprm *bprm)
1567{
1568 return secondary_ops->bprm_check_security(bprm);
1569}
1570
1571
1572static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1573{
1574 struct task_security_struct *tsec = current->security;
1575 int atsecure = 0;
1576
1577 if (tsec->osid != tsec->sid) {
1578 /* Enable secure mode for SIDs transitions unless
1579 the noatsecure permission is granted between
1580 the two SIDs, i.e. ahp returns 0. */
1581 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1582 SECCLASS_PROCESS,
1583 PROCESS__NOATSECURE, NULL);
1584 }
1585
1586 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1587}
1588
1589static void selinux_bprm_free_security(struct linux_binprm *bprm)
1590{
Jesper Juhl9a5f04b2005-06-25 14:58:51 -0700[diff] [blame]1591 kfree(bprm->security);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1592 bprm->security = NULL;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1593}
1594
1595extern struct vfsmount *selinuxfs_mount;
1596extern struct dentry *selinux_null;
1597
1598/* Derived from fs/exec.c:flush_old_files. */
1599static inline void flush_unauthorized_files(struct files_struct * files)
1600{
1601 struct avc_audit_data ad;
1602 struct file *file, *devnull = NULL;
1603 struct tty_struct *tty = current->signal->tty;
Dipankar Sarmabadf1662005-09-09 13:04:10 -0700[diff] [blame]1604 struct fdtable *fdt;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1605 long j = -1;
1606
1607 if (tty) {
1608 file_list_lock();
Eric Dumazet2f512012005-10-30 15:02:16 -0800[diff] [blame]1609 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1610 if (file) {
1611 /* Revalidate access to controlling tty.
1612 Use inode_has_perm on the tty inode directly rather
1613 than using file_has_perm, as this particular open
1614 file may belong to another process and we are only
1615 interested in the inode-based check here. */
1616 struct inode *inode = file->f_dentry->d_inode;
1617 if (inode_has_perm(current, inode,
1618 FILE__READ | FILE__WRITE, NULL)) {
1619 /* Reset controlling tty. */
1620 current->signal->tty = NULL;
1621 current->signal->tty_old_pgrp = 0;
1622 }
1623 }
1624 file_list_unlock();
1625 }
1626
1627 /* Revalidate access to inherited open files. */
1628
1629 AVC_AUDIT_DATA_INIT(&ad,FS);
1630
1631 spin_lock(&files->file_lock);
1632 for (;;) {
1633 unsigned long set, i;
1634 int fd;
1635
1636 j++;
1637 i = j * __NFDBITS;
Dipankar Sarmabadf1662005-09-09 13:04:10 -0700[diff] [blame]1638 fdt = files_fdtable(files);
1639 if (i >= fdt->max_fds || i >= fdt->max_fdset)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1640 break;
Dipankar Sarmabadf1662005-09-09 13:04:10 -0700[diff] [blame]1641 set = fdt->open_fds->fds_bits[j];
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1642 if (!set)
1643 continue;
1644 spin_unlock(&files->file_lock);
1645 for ( ; set ; i++,set >>= 1) {
1646 if (set & 1) {
1647 file = fget(i);
1648 if (!file)
1649 continue;
1650 if (file_has_perm(current,
1651 file,
1652 file_to_av(file))) {
1653 sys_close(i);
1654 fd = get_unused_fd();
1655 if (fd != i) {
1656 if (fd >= 0)
1657 put_unused_fd(fd);
1658 fput(file);
1659 continue;
1660 }
1661 if (devnull) {
Nick Piggin095975d2006-01-08 01:02:19 -0800[diff] [blame]1662 get_file(devnull);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1663 } else {
1664 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1665 if (!devnull) {
1666 put_unused_fd(fd);
1667 fput(file);
1668 continue;
1669 }
1670 }
1671 fd_install(fd, devnull);
1672 }
1673 fput(file);
1674 }
1675 }
1676 spin_lock(&files->file_lock);
1677
1678 }
1679 spin_unlock(&files->file_lock);
1680}
1681
1682static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1683{
1684 struct task_security_struct *tsec;
1685 struct bprm_security_struct *bsec;
1686 u32 sid;
1687 int rc;
1688
1689 secondary_ops->bprm_apply_creds(bprm, unsafe);
1690
1691 tsec = current->security;
1692
1693 bsec = bprm->security;
1694 sid = bsec->sid;
1695
1696 tsec->osid = tsec->sid;
1697 bsec->unsafe = 0;
1698 if (tsec->sid != sid) {
1699 /* Check for shared state. If not ok, leave SID
1700 unchanged and kill. */
1701 if (unsafe & LSM_UNSAFE_SHARE) {
1702 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1703 PROCESS__SHARE, NULL);
1704 if (rc) {
1705 bsec->unsafe = 1;
1706 return;
1707 }
1708 }
1709
1710 /* Check for ptracing, and update the task SID if ok.
1711 Otherwise, leave SID unchanged and kill. */
1712 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1713 rc = avc_has_perm(tsec->ptrace_sid, sid,
1714 SECCLASS_PROCESS, PROCESS__PTRACE,
1715 NULL);
1716 if (rc) {
1717 bsec->unsafe = 1;
1718 return;
1719 }
1720 }
1721 tsec->sid = sid;
1722 }
1723}
1724
1725/*
1726 * called after apply_creds without the task lock held
1727 */
1728static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1729{
1730 struct task_security_struct *tsec;
1731 struct rlimit *rlim, *initrlim;
1732 struct itimerval itimer;
1733 struct bprm_security_struct *bsec;
1734 int rc, i;
1735
1736 tsec = current->security;
1737 bsec = bprm->security;
1738
1739 if (bsec->unsafe) {
1740 force_sig_specific(SIGKILL, current);
1741 return;
1742 }
1743 if (tsec->osid == tsec->sid)
1744 return;
1745
1746 /* Close files for which the new task SID is not authorized. */
1747 flush_unauthorized_files(current->files);
1748
1749 /* Check whether the new SID can inherit signal state
1750 from the old SID. If not, clear itimers to avoid
1751 subsequent signal generation and flush and unblock
1752 signals. This must occur _after_ the task SID has
1753 been updated so that any kill done after the flush
1754 will be checked against the new SID. */
1755 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1756 PROCESS__SIGINH, NULL);
1757 if (rc) {
1758 memset(&itimer, 0, sizeof itimer);
1759 for (i = 0; i < 3; i++)
1760 do_setitimer(i, &itimer, NULL);
1761 flush_signals(current);
1762 spin_lock_irq(&current->sighand->siglock);
1763 flush_signal_handlers(current, 1);
1764 sigemptyset(&current->blocked);
1765 recalc_sigpending();
1766 spin_unlock_irq(&current->sighand->siglock);
1767 }
1768
1769 /* Check whether the new SID can inherit resource limits
1770 from the old SID. If not, reset all soft limits to
1771 the lower of the current task's hard limit and the init
1772 task's soft limit. Note that the setting of hard limits
1773 (even to lower them) can be controlled by the setrlimit
1774 check. The inclusion of the init task's soft limit into
1775 the computation is to avoid resetting soft limits higher
1776 than the default soft limit for cases where the default
1777 is lower than the hard limit, e.g. RLIMIT_CORE or
1778 RLIMIT_STACK.*/
1779 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1780 PROCESS__RLIMITINH, NULL);
1781 if (rc) {
1782 for (i = 0; i < RLIM_NLIMITS; i++) {
1783 rlim = current->signal->rlim + i;
1784 initrlim = init_task.signal->rlim+i;
1785 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1786 }
1787 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1788 /*
1789 * This will cause RLIMIT_CPU calculations
1790 * to be refigured.
1791 */
1792 current->it_prof_expires = jiffies_to_cputime(1);
1793 }
1794 }
1795
1796 /* Wake up the parent if it is waiting so that it can
1797 recheck wait permission to the new task SID. */
1798 wake_up_interruptible(&current->parent->signal->wait_chldexit);
1799}
1800
1801/* superblock security operations */
1802
1803static int selinux_sb_alloc_security(struct super_block *sb)
1804{
1805 return superblock_alloc_security(sb);
1806}
1807
1808static void selinux_sb_free_security(struct super_block *sb)
1809{
1810 superblock_free_security(sb);
1811}
1812
1813static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1814{
1815 if (plen > olen)
1816 return 0;
1817
1818 return !memcmp(prefix, option, plen);
1819}
1820
1821static inline int selinux_option(char *option, int len)
1822{
1823 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1824 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1825 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1826}
1827
1828static inline void take_option(char **to, char *from, int *first, int len)
1829{
1830 if (!*first) {
1831 **to = ',';
1832 *to += 1;
1833 }
1834 else
1835 *first = 0;
1836 memcpy(*to, from, len);
1837 *to += len;
1838}
1839
1840static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1841{
1842 int fnosec, fsec, rc = 0;
1843 char *in_save, *in_curr, *in_end;
1844 char *sec_curr, *nosec_save, *nosec;
1845
1846 in_curr = orig;
1847 sec_curr = copy;
1848
1849 /* Binary mount data: just copy */
1850 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1851 copy_page(sec_curr, in_curr);
1852 goto out;
1853 }
1854
1855 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1856 if (!nosec) {
1857 rc = -ENOMEM;
1858 goto out;
1859 }
1860
1861 nosec_save = nosec;
1862 fnosec = fsec = 1;
1863 in_save = in_end = orig;
1864
1865 do {
1866 if (*in_end == ',' || *in_end == '\0') {
1867 int len = in_end - in_curr;
1868
1869 if (selinux_option(in_curr, len))
1870 take_option(&sec_curr, in_curr, &fsec, len);
1871 else
1872 take_option(&nosec, in_curr, &fnosec, len);
1873
1874 in_curr = in_end + 1;
1875 }
1876 } while (*in_end++);
1877
Eric Paris6931dfc2005-06-30 02:58:51 -0700[diff] [blame]1878 strcpy(in_save, nosec_save);
Gerald Schaeferda3caa22005-06-21 17:15:18 -0700[diff] [blame]1879 free_page((unsigned long)nosec_save);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1880out:
1881 return rc;
1882}
1883
1884static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1885{
1886 struct avc_audit_data ad;
1887 int rc;
1888
1889 rc = superblock_doinit(sb, data);
1890 if (rc)
1891 return rc;
1892
1893 AVC_AUDIT_DATA_INIT(&ad,FS);
1894 ad.u.fs.dentry = sb->s_root;
1895 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1896}
1897
1898static int selinux_sb_statfs(struct super_block *sb)
1899{
1900 struct avc_audit_data ad;
1901
1902 AVC_AUDIT_DATA_INIT(&ad,FS);
1903 ad.u.fs.dentry = sb->s_root;
1904 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1905}
1906
1907static int selinux_mount(char * dev_name,
1908 struct nameidata *nd,
1909 char * type,
1910 unsigned long flags,
1911 void * data)
1912{
1913 int rc;
1914
1915 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1916 if (rc)
1917 return rc;
1918
1919 if (flags & MS_REMOUNT)
1920 return superblock_has_perm(current, nd->mnt->mnt_sb,
1921 FILESYSTEM__REMOUNT, NULL);
1922 else
1923 return dentry_has_perm(current, nd->mnt, nd->dentry,
1924 FILE__MOUNTON);
1925}
1926
1927static int selinux_umount(struct vfsmount *mnt, int flags)
1928{
1929 int rc;
1930
1931 rc = secondary_ops->sb_umount(mnt, flags);
1932 if (rc)
1933 return rc;
1934
1935 return superblock_has_perm(current,mnt->mnt_sb,
1936 FILESYSTEM__UNMOUNT,NULL);
1937}
1938
1939/* inode security operations */
1940
1941static int selinux_inode_alloc_security(struct inode *inode)
1942{
1943 return inode_alloc_security(inode);
1944}
1945
1946static void selinux_inode_free_security(struct inode *inode)
1947{
1948 inode_free_security(inode);
1949}
1950
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]1951static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1952 char **name, void **value,
1953 size_t *len)
1954{
1955 struct task_security_struct *tsec;
1956 struct inode_security_struct *dsec;
1957 struct superblock_security_struct *sbsec;
1958 struct inode_security_struct *isec;
Stephen Smalley570bc1c2005-09-09 13:01:43 -0700[diff] [blame]1959 u32 newsid, clen;
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]1960 int rc;
Stephen Smalley570bc1c2005-09-09 13:01:43 -0700[diff] [blame]1961 char *namep = NULL, *context;
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]1962
1963 tsec = current->security;
1964 dsec = dir->i_security;
1965 sbsec = dir->i_sb->s_security;
1966 isec = inode->i_security;
1967
1968 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1969 newsid = tsec->create_sid;
1970 } else {
1971 rc = security_transition_sid(tsec->sid, dsec->sid,
1972 inode_mode_to_security_class(inode->i_mode),
1973 &newsid);
1974 if (rc) {
1975 printk(KERN_WARNING "%s: "
1976 "security_transition_sid failed, rc=%d (dev=%s "
1977 "ino=%ld)\n",
1978 __FUNCTION__,
1979 -rc, inode->i_sb->s_id, inode->i_ino);
1980 return rc;
1981 }
1982 }
1983
1984 inode_security_set_sid(inode, newsid);
1985
Stephen Smalley25a74f32005-11-08 21:34:33 -0800[diff] [blame]1986 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
1987 return -EOPNOTSUPP;
1988
Stephen Smalley570bc1c2005-09-09 13:01:43 -0700[diff] [blame]1989 if (name) {
1990 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1991 if (!namep)
1992 return -ENOMEM;
1993 *name = namep;
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]1994 }
Stephen Smalley570bc1c2005-09-09 13:01:43 -0700[diff] [blame]1995
1996 if (value && len) {
1997 rc = security_sid_to_context(newsid, &context, &clen);
1998 if (rc) {
1999 kfree(namep);
2000 return rc;
2001 }
2002 *value = context;
2003 *len = clen;
2004 }
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]2005
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]2006 return 0;
2007}
2008
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2009static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2010{
2011 return may_create(dir, dentry, SECCLASS_FILE);
2012}
2013
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2014static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2015{
2016 int rc;
2017
2018 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2019 if (rc)
2020 return rc;
2021 return may_link(dir, old_dentry, MAY_LINK);
2022}
2023
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2024static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2025{
2026 int rc;
2027
2028 rc = secondary_ops->inode_unlink(dir, dentry);
2029 if (rc)
2030 return rc;
2031 return may_link(dir, dentry, MAY_UNLINK);
2032}
2033
2034static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2035{
2036 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2037}
2038
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2039static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2040{
2041 return may_create(dir, dentry, SECCLASS_DIR);
2042}
2043
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2044static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2045{
2046 return may_link(dir, dentry, MAY_RMDIR);
2047}
2048
2049static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2050{
2051 int rc;
2052
2053 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2054 if (rc)
2055 return rc;
2056
2057 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2058}
2059
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2060static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2061 struct inode *new_inode, struct dentry *new_dentry)
2062{
2063 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2064}
2065
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2066static int selinux_inode_readlink(struct dentry *dentry)
2067{
2068 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2069}
2070
2071static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2072{
2073 int rc;
2074
2075 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2076 if (rc)
2077 return rc;
2078 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2079}
2080
2081static int selinux_inode_permission(struct inode *inode, int mask,
2082 struct nameidata *nd)
2083{
2084 int rc;
2085
2086 rc = secondary_ops->inode_permission(inode, mask, nd);
2087 if (rc)
2088 return rc;
2089
2090 if (!mask) {
2091 /* No permission to check. Existence test. */
2092 return 0;
2093 }
2094
2095 return inode_has_perm(current, inode,
2096 file_mask_to_av(inode->i_mode, mask), NULL);
2097}
2098
2099static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2100{
2101 int rc;
2102
2103 rc = secondary_ops->inode_setattr(dentry, iattr);
2104 if (rc)
2105 return rc;
2106
2107 if (iattr->ia_valid & ATTR_FORCE)
2108 return 0;
2109
2110 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2111 ATTR_ATIME_SET | ATTR_MTIME_SET))
2112 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2113
2114 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2115}
2116
2117static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2118{
2119 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2120}
2121
2122static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2123{
2124 struct task_security_struct *tsec = current->security;
2125 struct inode *inode = dentry->d_inode;
2126 struct inode_security_struct *isec = inode->i_security;
2127 struct superblock_security_struct *sbsec;
2128 struct avc_audit_data ad;
2129 u32 newsid;
2130 int rc = 0;
2131
2132 if (strcmp(name, XATTR_NAME_SELINUX)) {
2133 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2134 sizeof XATTR_SECURITY_PREFIX - 1) &&
2135 !capable(CAP_SYS_ADMIN)) {
2136 /* A different attribute in the security namespace.
2137 Restrict to administrator. */
2138 return -EPERM;
2139 }
2140
2141 /* Not an attribute we recognize, so just check the
2142 ordinary setattr permission. */
2143 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2144 }
2145
2146 sbsec = inode->i_sb->s_security;
2147 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2148 return -EOPNOTSUPP;
2149
2150 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2151 return -EPERM;
2152
2153 AVC_AUDIT_DATA_INIT(&ad,FS);
2154 ad.u.fs.dentry = dentry;
2155
2156 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2157 FILE__RELABELFROM, &ad);
2158 if (rc)
2159 return rc;
2160
2161 rc = security_context_to_sid(value, size, &newsid);
2162 if (rc)
2163 return rc;
2164
2165 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2166 FILE__RELABELTO, &ad);
2167 if (rc)
2168 return rc;
2169
2170 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2171 isec->sclass);
2172 if (rc)
2173 return rc;
2174
2175 return avc_has_perm(newsid,
2176 sbsec->sid,
2177 SECCLASS_FILESYSTEM,
2178 FILESYSTEM__ASSOCIATE,
2179 &ad);
2180}
2181
2182static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2183 void *value, size_t size, int flags)
2184{
2185 struct inode *inode = dentry->d_inode;
2186 struct inode_security_struct *isec = inode->i_security;
2187 u32 newsid;
2188 int rc;
2189
2190 if (strcmp(name, XATTR_NAME_SELINUX)) {
2191 /* Not an attribute we recognize, so nothing to do. */
2192 return;
2193 }
2194
2195 rc = security_context_to_sid(value, size, &newsid);
2196 if (rc) {
2197 printk(KERN_WARNING "%s: unable to obtain SID for context "
2198 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2199 return;
2200 }
2201
2202 isec->sid = newsid;
2203 return;
2204}
2205
2206static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2207{
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2208 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2209}
2210
2211static int selinux_inode_listxattr (struct dentry *dentry)
2212{
2213 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2214}
2215
2216static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2217{
2218 if (strcmp(name, XATTR_NAME_SELINUX)) {
2219 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2220 sizeof XATTR_SECURITY_PREFIX - 1) &&
2221 !capable(CAP_SYS_ADMIN)) {
2222 /* A different attribute in the security namespace.
2223 Restrict to administrator. */
2224 return -EPERM;
2225 }
2226
2227 /* Not an attribute we recognize, so just check the
2228 ordinary setattr permission. Might want a separate
2229 permission for removexattr. */
2230 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2231 }
2232
2233 /* No one is allowed to remove a SELinux security label.
2234 You can change the label, but all data must be labeled. */
2235 return -EACCES;
2236}
2237
Dustin Kirkland8c8570f2005-11-03 17:15:16 +0000[diff] [blame^]2238static const char *selinux_inode_xattr_getsuffix(void)
2239{
2240 return XATTR_SELINUX_SUFFIX;
2241}
2242
James Morrisd381d8a2005-10-30 14:59:22 -0800[diff] [blame]2243/*
2244 * Copy the in-core inode security context value to the user. If the
2245 * getxattr() prior to this succeeded, check to see if we need to
2246 * canonicalize the value to be finally returned to the user.
2247 *
2248 * Permission check is handled by selinux_inode_getxattr hook.
2249 */
2250static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2251{
2252 struct inode_security_struct *isec = inode->i_security;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2253
Dustin Kirkland8c8570f2005-11-03 17:15:16 +0000[diff] [blame^]2254 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2255 return -EOPNOTSUPP;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2256
Dustin Kirkland8c8570f2005-11-03 17:15:16 +0000[diff] [blame^]2257 return selinux_getsecurity(isec->sid, buffer, size);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2258}
2259
2260static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2261 const void *value, size_t size, int flags)
2262{
2263 struct inode_security_struct *isec = inode->i_security;
2264 u32 newsid;
2265 int rc;
2266
2267 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2268 return -EOPNOTSUPP;
2269
2270 if (!value || !size)
2271 return -EACCES;
2272
2273 rc = security_context_to_sid((void*)value, size, &newsid);
2274 if (rc)
2275 return rc;
2276
2277 isec->sid = newsid;
2278 return 0;
2279}
2280
2281static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2282{
2283 const int len = sizeof(XATTR_NAME_SELINUX);
2284 if (buffer && len <= buffer_size)
2285 memcpy(buffer, XATTR_NAME_SELINUX, len);
2286 return len;
2287}
2288
2289/* file security operations */
2290
2291static int selinux_file_permission(struct file *file, int mask)
2292{
2293 struct inode *inode = file->f_dentry->d_inode;
2294
2295 if (!mask) {
2296 /* No permission to check. Existence test. */
2297 return 0;
2298 }
2299
2300 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2301 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2302 mask |= MAY_APPEND;
2303
2304 return file_has_perm(current, file,
2305 file_mask_to_av(inode->i_mode, mask));
2306}
2307
2308static int selinux_file_alloc_security(struct file *file)
2309{
2310 return file_alloc_security(file);
2311}
2312
2313static void selinux_file_free_security(struct file *file)
2314{
2315 file_free_security(file);
2316}
2317
2318static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2319 unsigned long arg)
2320{
2321 int error = 0;
2322
2323 switch (cmd) {
2324 case FIONREAD:
2325 /* fall through */
2326 case FIBMAP:
2327 /* fall through */
2328 case FIGETBSZ:
2329 /* fall through */
2330 case EXT2_IOC_GETFLAGS:
2331 /* fall through */
2332 case EXT2_IOC_GETVERSION:
2333 error = file_has_perm(current, file, FILE__GETATTR);
2334 break;
2335
2336 case EXT2_IOC_SETFLAGS:
2337 /* fall through */
2338 case EXT2_IOC_SETVERSION:
2339 error = file_has_perm(current, file, FILE__SETATTR);
2340 break;
2341
2342 /* sys_ioctl() checks */
2343 case FIONBIO:
2344 /* fall through */
2345 case FIOASYNC:
2346 error = file_has_perm(current, file, 0);
2347 break;
2348
2349 case KDSKBENT:
2350 case KDSKBSENT:
2351 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2352 break;
2353
2354 /* default case assumes that the command will go
2355 * to the file's ioctl() function.
2356 */
2357 default:
2358 error = file_has_perm(current, file, FILE__IOCTL);
2359
2360 }
2361 return error;
2362}
2363
2364static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2365{
2366#ifndef CONFIG_PPC32
2367 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2368 /*
2369 * We are making executable an anonymous mapping or a
2370 * private file mapping that will also be writable.
2371 * This has an additional check.
2372 */
2373 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2374 if (rc)
2375 return rc;
2376 }
2377#endif
2378
2379 if (file) {
2380 /* read access is always possible with a mapping */
2381 u32 av = FILE__READ;
2382
2383 /* write access only matters if the mapping is shared */
2384 if (shared && (prot & PROT_WRITE))
2385 av |= FILE__WRITE;
2386
2387 if (prot & PROT_EXEC)
2388 av |= FILE__EXECUTE;
2389
2390 return file_has_perm(current, file, av);
2391 }
2392 return 0;
2393}
2394
2395static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2396 unsigned long prot, unsigned long flags)
2397{
2398 int rc;
2399
2400 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2401 if (rc)
2402 return rc;
2403
2404 if (selinux_checkreqprot)
2405 prot = reqprot;
2406
2407 return file_map_prot_check(file, prot,
2408 (flags & MAP_TYPE) == MAP_SHARED);
2409}
2410
2411static int selinux_file_mprotect(struct vm_area_struct *vma,
2412 unsigned long reqprot,
2413 unsigned long prot)
2414{
2415 int rc;
2416
2417 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2418 if (rc)
2419 return rc;
2420
2421 if (selinux_checkreqprot)
2422 prot = reqprot;
2423
2424#ifndef CONFIG_PPC32
Stephen Smalleydb4c9642006-02-01 03:05:54 -0800[diff] [blame]2425 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2426 rc = 0;
2427 if (vma->vm_start >= vma->vm_mm->start_brk &&
2428 vma->vm_end <= vma->vm_mm->brk) {
2429 rc = task_has_perm(current, current,
2430 PROCESS__EXECHEAP);
2431 } else if (!vma->vm_file &&
2432 vma->vm_start <= vma->vm_mm->start_stack &&
2433 vma->vm_end >= vma->vm_mm->start_stack) {
2434 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2435 } else if (vma->vm_file && vma->anon_vma) {
2436 /*
2437 * We are making executable a file mapping that has
2438 * had some COW done. Since pages might have been
2439 * written, check ability to execute the possibly
2440 * modified content. This typically should only
2441 * occur for text relocations.
2442 */
2443 rc = file_has_perm(current, vma->vm_file,
2444 FILE__EXECMOD);
2445 }
Lorenzo Hernandez García-Hierro6b992192005-06-25 14:54:34 -0700[diff] [blame]2446 if (rc)
2447 return rc;
2448 }
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2449#endif
2450
2451 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2452}
2453
2454static int selinux_file_lock(struct file *file, unsigned int cmd)
2455{
2456 return file_has_perm(current, file, FILE__LOCK);
2457}
2458
2459static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2460 unsigned long arg)
2461{
2462 int err = 0;
2463
2464 switch (cmd) {
2465 case F_SETFL:
2466 if (!file->f_dentry || !file->f_dentry->d_inode) {
2467 err = -EINVAL;
2468 break;
2469 }
2470
2471 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2472 err = file_has_perm(current, file,FILE__WRITE);
2473 break;
2474 }
2475 /* fall through */
2476 case F_SETOWN:
2477 case F_SETSIG:
2478 case F_GETFL:
2479 case F_GETOWN:
2480 case F_GETSIG:
2481 /* Just check FD__USE permission */
2482 err = file_has_perm(current, file, 0);
2483 break;
2484 case F_GETLK:
2485 case F_SETLK:
2486 case F_SETLKW:
2487#if BITS_PER_LONG == 32
2488 case F_GETLK64:
2489 case F_SETLK64:
2490 case F_SETLKW64:
2491#endif
2492 if (!file->f_dentry || !file->f_dentry->d_inode) {
2493 err = -EINVAL;
2494 break;
2495 }
2496 err = file_has_perm(current, file, FILE__LOCK);
2497 break;
2498 }
2499
2500 return err;
2501}
2502
2503static int selinux_file_set_fowner(struct file *file)
2504{
2505 struct task_security_struct *tsec;
2506 struct file_security_struct *fsec;
2507
2508 tsec = current->security;
2509 fsec = file->f_security;
2510 fsec->fown_sid = tsec->sid;
2511
2512 return 0;
2513}
2514
2515static int selinux_file_send_sigiotask(struct task_struct *tsk,
2516 struct fown_struct *fown, int signum)
2517{
2518 struct file *file;
2519 u32 perm;
2520 struct task_security_struct *tsec;
2521 struct file_security_struct *fsec;
2522
2523 /* struct fown_struct is never outside the context of a struct file */
2524 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2525
2526 tsec = tsk->security;
2527 fsec = file->f_security;
2528
2529 if (!signum)
2530 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2531 else
2532 perm = signal_to_av(signum);
2533
2534 return avc_has_perm(fsec->fown_sid, tsec->sid,
2535 SECCLASS_PROCESS, perm, NULL);
2536}
2537
2538static int selinux_file_receive(struct file *file)
2539{
2540 return file_has_perm(current, file, file_to_av(file));
2541}
2542
2543/* task security operations */
2544
2545static int selinux_task_create(unsigned long clone_flags)
2546{
2547 int rc;
2548
2549 rc = secondary_ops->task_create(clone_flags);
2550 if (rc)
2551 return rc;
2552
2553 return task_has_perm(current, current, PROCESS__FORK);
2554}
2555
2556static int selinux_task_alloc_security(struct task_struct *tsk)
2557{
2558 struct task_security_struct *tsec1, *tsec2;
2559 int rc;
2560
2561 tsec1 = current->security;
2562
2563 rc = task_alloc_security(tsk);
2564 if (rc)
2565 return rc;
2566 tsec2 = tsk->security;
2567
2568 tsec2->osid = tsec1->osid;
2569 tsec2->sid = tsec1->sid;
2570
2571 /* Retain the exec and create SIDs across fork */
2572 tsec2->exec_sid = tsec1->exec_sid;
2573 tsec2->create_sid = tsec1->create_sid;
2574
2575 /* Retain ptracer SID across fork, if any.
2576 This will be reset by the ptrace hook upon any
2577 subsequent ptrace_attach operations. */
2578 tsec2->ptrace_sid = tsec1->ptrace_sid;
2579
2580 return 0;
2581}
2582
2583static void selinux_task_free_security(struct task_struct *tsk)
2584{
2585 task_free_security(tsk);
2586}
2587
2588static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2589{
2590 /* Since setuid only affects the current process, and
2591 since the SELinux controls are not based on the Linux
2592 identity attributes, SELinux does not need to control
2593 this operation. However, SELinux does control the use
2594 of the CAP_SETUID and CAP_SETGID capabilities using the
2595 capable hook. */
2596 return 0;
2597}
2598
2599static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2600{
2601 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2602}
2603
2604static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2605{
2606 /* See the comment for setuid above. */
2607 return 0;
2608}
2609
2610static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2611{
2612 return task_has_perm(current, p, PROCESS__SETPGID);
2613}
2614
2615static int selinux_task_getpgid(struct task_struct *p)
2616{
2617 return task_has_perm(current, p, PROCESS__GETPGID);
2618}
2619
2620static int selinux_task_getsid(struct task_struct *p)
2621{
2622 return task_has_perm(current, p, PROCESS__GETSESSION);
2623}
2624
2625static int selinux_task_setgroups(struct group_info *group_info)
2626{
2627 /* See the comment for setuid above. */
2628 return 0;
2629}
2630
2631static int selinux_task_setnice(struct task_struct *p, int nice)
2632{
2633 int rc;
2634
2635 rc = secondary_ops->task_setnice(p, nice);
2636 if (rc)
2637 return rc;
2638
2639 return task_has_perm(current,p, PROCESS__SETSCHED);
2640}
2641
2642static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2643{
2644 struct rlimit *old_rlim = current->signal->rlim + resource;
2645 int rc;
2646
2647 rc = secondary_ops->task_setrlimit(resource, new_rlim);
2648 if (rc)
2649 return rc;
2650
2651 /* Control the ability to change the hard limit (whether
2652 lowering or raising it), so that the hard limit can
2653 later be used as a safe reset point for the soft limit
2654 upon context transitions. See selinux_bprm_apply_creds. */
2655 if (old_rlim->rlim_max != new_rlim->rlim_max)
2656 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2657
2658 return 0;
2659}
2660
2661static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2662{
2663 return task_has_perm(current, p, PROCESS__SETSCHED);
2664}
2665
2666static int selinux_task_getscheduler(struct task_struct *p)
2667{
2668 return task_has_perm(current, p, PROCESS__GETSCHED);
2669}
2670
2671static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2672{
2673 u32 perm;
2674 int rc;
2675
2676 rc = secondary_ops->task_kill(p, info, sig);
2677 if (rc)
2678 return rc;
2679
Oleg Nesterov621d3122005-10-30 15:03:45 -0800[diff] [blame]2680 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2681 return 0;
2682
2683 if (!sig)
2684 perm = PROCESS__SIGNULL; /* null signal; existence test */
2685 else
2686 perm = signal_to_av(sig);
2687
2688 return task_has_perm(current, p, perm);
2689}
2690
2691static int selinux_task_prctl(int option,
2692 unsigned long arg2,
2693 unsigned long arg3,
2694 unsigned long arg4,
2695 unsigned long arg5)
2696{
2697 /* The current prctl operations do not appear to require
2698 any SELinux controls since they merely observe or modify
2699 the state of the current process. */
2700 return 0;
2701}
2702
2703static int selinux_task_wait(struct task_struct *p)
2704{
2705 u32 perm;
2706
2707 perm = signal_to_av(p->exit_signal);
2708
2709 return task_has_perm(p, current, perm);
2710}
2711
2712static void selinux_task_reparent_to_init(struct task_struct *p)
2713{
2714 struct task_security_struct *tsec;
2715
2716 secondary_ops->task_reparent_to_init(p);
2717
2718 tsec = p->security;
2719 tsec->osid = tsec->sid;
2720 tsec->sid = SECINITSID_KERNEL;
2721 return;
2722}
2723
2724static void selinux_task_to_inode(struct task_struct *p,
2725 struct inode *inode)
2726{
2727 struct task_security_struct *tsec = p->security;
2728 struct inode_security_struct *isec = inode->i_security;
2729
2730 isec->sid = tsec->sid;
2731 isec->initialized = 1;
2732 return;
2733}
2734
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2735/* Returns error only if unable to parse addresses */
2736static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2737{
2738 int offset, ihlen, ret = -EINVAL;
2739 struct iphdr _iph, *ih;
2740
2741 offset = skb->nh.raw - skb->data;
2742 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2743 if (ih == NULL)
2744 goto out;
2745
2746 ihlen = ih->ihl * 4;
2747 if (ihlen < sizeof(_iph))
2748 goto out;
2749
2750 ad->u.net.v4info.saddr = ih->saddr;
2751 ad->u.net.v4info.daddr = ih->daddr;
2752 ret = 0;
2753
2754 switch (ih->protocol) {
2755 case IPPROTO_TCP: {
2756 struct tcphdr _tcph, *th;
2757
2758 if (ntohs(ih->frag_off) & IP_OFFSET)
2759 break;
2760
2761 offset += ihlen;
2762 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2763 if (th == NULL)
2764 break;
2765
2766 ad->u.net.sport = th->source;
2767 ad->u.net.dport = th->dest;
2768 break;
2769 }
2770
2771 case IPPROTO_UDP: {
2772 struct udphdr _udph, *uh;
2773
2774 if (ntohs(ih->frag_off) & IP_OFFSET)
2775 break;
2776
2777 offset += ihlen;
2778 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2779 if (uh == NULL)
2780 break;
2781
2782 ad->u.net.sport = uh->source;
2783 ad->u.net.dport = uh->dest;
2784 break;
2785 }
2786
2787 default:
2788 break;
2789 }
2790out:
2791 return ret;
2792}
2793
2794#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2795
2796/* Returns error only if unable to parse addresses */
2797static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2798{
2799 u8 nexthdr;
2800 int ret = -EINVAL, offset;
2801 struct ipv6hdr _ipv6h, *ip6;
2802
2803 offset = skb->nh.raw - skb->data;
2804 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2805 if (ip6 == NULL)
2806 goto out;
2807
2808 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2809 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2810 ret = 0;
2811
2812 nexthdr = ip6->nexthdr;
2813 offset += sizeof(_ipv6h);
Herbert Xu0d3d0772005-04-24 20:16:19 -0700[diff] [blame]2814 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2815 if (offset < 0)
2816 goto out;
2817
2818 switch (nexthdr) {
2819 case IPPROTO_TCP: {
2820 struct tcphdr _tcph, *th;
2821
2822 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2823 if (th == NULL)
2824 break;
2825
2826 ad->u.net.sport = th->source;
2827 ad->u.net.dport = th->dest;
2828 break;
2829 }
2830
2831 case IPPROTO_UDP: {
2832 struct udphdr _udph, *uh;
2833
2834 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2835 if (uh == NULL)
2836 break;
2837
2838 ad->u.net.sport = uh->source;
2839 ad->u.net.dport = uh->dest;
2840 break;
2841 }
2842
2843 /* includes fragments */
2844 default:
2845 break;
2846 }
2847out:
2848 return ret;
2849}
2850
2851#endif /* IPV6 */
2852
2853static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2854 char **addrp, int *len, int src)
2855{
2856 int ret = 0;
2857
2858 switch (ad->u.net.family) {
2859 case PF_INET:
2860 ret = selinux_parse_skb_ipv4(skb, ad);
2861 if (ret || !addrp)
2862 break;
2863 *len = 4;
2864 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2865 &ad->u.net.v4info.daddr);
2866 break;
2867
2868#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2869 case PF_INET6:
2870 ret = selinux_parse_skb_ipv6(skb, ad);
2871 if (ret || !addrp)
2872 break;
2873 *len = 16;
2874 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2875 &ad->u.net.v6info.daddr);
2876 break;
2877#endif /* IPV6 */
2878 default:
2879 break;
2880 }
2881
2882 return ret;
2883}
2884
2885/* socket security operations */
2886static int socket_has_perm(struct task_struct *task, struct socket *sock,
2887 u32 perms)
2888{
2889 struct inode_security_struct *isec;
2890 struct task_security_struct *tsec;
2891 struct avc_audit_data ad;
2892 int err = 0;
2893
2894 tsec = task->security;
2895 isec = SOCK_INODE(sock)->i_security;
2896
2897 if (isec->sid == SECINITSID_KERNEL)
2898 goto out;
2899
2900 AVC_AUDIT_DATA_INIT(&ad,NET);
2901 ad.u.net.sk = sock->sk;
2902 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2903
2904out:
2905 return err;
2906}
2907
2908static int selinux_socket_create(int family, int type,
2909 int protocol, int kern)
2910{
2911 int err = 0;
2912 struct task_security_struct *tsec;
2913
2914 if (kern)
2915 goto out;
2916
2917 tsec = current->security;
2918 err = avc_has_perm(tsec->sid, tsec->sid,
2919 socket_type_to_security_class(family, type,
2920 protocol), SOCKET__CREATE, NULL);
2921
2922out:
2923 return err;
2924}
2925
2926static void selinux_socket_post_create(struct socket *sock, int family,
2927 int type, int protocol, int kern)
2928{
2929 struct inode_security_struct *isec;
2930 struct task_security_struct *tsec;
2931
2932 isec = SOCK_INODE(sock)->i_security;
2933
2934 tsec = current->security;
2935 isec->sclass = socket_type_to_security_class(family, type, protocol);
2936 isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2937 isec->initialized = 1;
2938
2939 return;
2940}
2941
2942/* Range of port numbers used to automatically bind.
2943 Need to determine whether we should perform a name_bind
2944 permission check between the socket and the port number. */
2945#define ip_local_port_range_0 sysctl_local_port_range[0]
2946#define ip_local_port_range_1 sysctl_local_port_range[1]
2947
2948static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2949{
2950 u16 family;
2951 int err;
2952
2953 err = socket_has_perm(current, sock, SOCKET__BIND);
2954 if (err)
2955 goto out;
2956
2957 /*
2958 * If PF_INET or PF_INET6, check name_bind permission for the port.
James Morris13402582005-09-30 14:24:34 -0400[diff] [blame]2959 * Multiple address binding for SCTP is not supported yet: we just
2960 * check the first address now.
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2961 */
2962 family = sock->sk->sk_family;
2963 if (family == PF_INET || family == PF_INET6) {
2964 char *addrp;
2965 struct inode_security_struct *isec;
2966 struct task_security_struct *tsec;
2967 struct avc_audit_data ad;
2968 struct sockaddr_in *addr4 = NULL;
2969 struct sockaddr_in6 *addr6 = NULL;
2970 unsigned short snum;
2971 struct sock *sk = sock->sk;
2972 u32 sid, node_perm, addrlen;
2973
2974 tsec = current->security;
2975 isec = SOCK_INODE(sock)->i_security;
2976
2977 if (family == PF_INET) {
2978 addr4 = (struct sockaddr_in *)address;
2979 snum = ntohs(addr4->sin_port);
2980 addrlen = sizeof(addr4->sin_addr.s_addr);
2981 addrp = (char *)&addr4->sin_addr.s_addr;
2982 } else {
2983 addr6 = (struct sockaddr_in6 *)address;
2984 snum = ntohs(addr6->sin6_port);
2985 addrlen = sizeof(addr6->sin6_addr.s6_addr);
2986 addrp = (char *)&addr6->sin6_addr.s6_addr;
2987 }
2988
2989 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
2990 snum > ip_local_port_range_1)) {
2991 err = security_port_sid(sk->sk_family, sk->sk_type,
2992 sk->sk_protocol, snum, &sid);
2993 if (err)
2994 goto out;
2995 AVC_AUDIT_DATA_INIT(&ad,NET);
2996 ad.u.net.sport = htons(snum);
2997 ad.u.net.family = family;
2998 err = avc_has_perm(isec->sid, sid,
2999 isec->sclass,
3000 SOCKET__NAME_BIND, &ad);
3001 if (err)
3002 goto out;
3003 }
3004
James Morris13402582005-09-30 14:24:34 -0400[diff] [blame]3005 switch(isec->sclass) {
3006 case SECCLASS_TCP_SOCKET:
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3007 node_perm = TCP_SOCKET__NODE_BIND;
3008 break;
3009
James Morris13402582005-09-30 14:24:34 -0400[diff] [blame]3010 case SECCLASS_UDP_SOCKET:
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3011 node_perm = UDP_SOCKET__NODE_BIND;
3012 break;
3013
3014 default:
3015 node_perm = RAWIP_SOCKET__NODE_BIND;
3016 break;
3017 }
3018
3019 err = security_node_sid(family, addrp, addrlen, &sid);
3020 if (err)
3021 goto out;
3022
3023 AVC_AUDIT_DATA_INIT(&ad,NET);
3024 ad.u.net.sport = htons(snum);
3025 ad.u.net.family = family;
3026
3027 if (family == PF_INET)
3028 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3029 else
3030 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3031
3032 err = avc_has_perm(isec->sid, sid,
3033 isec->sclass, node_perm, &ad);
3034 if (err)
3035 goto out;
3036 }
3037out:
3038 return err;
3039}
3040
3041static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3042{
3043 struct inode_security_struct *isec;
3044 int err;
3045
3046 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3047 if (err)
3048 return err;
3049
3050 /*
3051 * If a TCP socket, check name_connect permission for the port.
3052 */
3053 isec = SOCK_INODE(sock)->i_security;
3054 if (isec->sclass == SECCLASS_TCP_SOCKET) {
3055 struct sock *sk = sock->sk;
3056 struct avc_audit_data ad;
3057 struct sockaddr_in *addr4 = NULL;
3058 struct sockaddr_in6 *addr6 = NULL;
3059 unsigned short snum;
3060 u32 sid;
3061
3062 if (sk->sk_family == PF_INET) {
3063 addr4 = (struct sockaddr_in *)address;
Stephen Smalley911656f2005-07-28 21:16:21 -0700[diff] [blame]3064 if (addrlen < sizeof(struct sockaddr_in))
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3065 return -EINVAL;
3066 snum = ntohs(addr4->sin_port);
3067 } else {
3068 addr6 = (struct sockaddr_in6 *)address;
Stephen Smalley911656f2005-07-28 21:16:21 -0700[diff] [blame]3069 if (addrlen < SIN6_LEN_RFC2133)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3070 return -EINVAL;
3071 snum = ntohs(addr6->sin6_port);
3072 }
3073
3074 err = security_port_sid(sk->sk_family, sk->sk_type,
3075 sk->sk_protocol, snum, &sid);
3076 if (err)
3077 goto out;
3078
3079 AVC_AUDIT_DATA_INIT(&ad,NET);
3080 ad.u.net.dport = htons(snum);
3081 ad.u.net.family = sk->sk_family;
3082 err = avc_has_perm(isec->sid, sid, isec->sclass,
3083 TCP_SOCKET__NAME_CONNECT, &ad);
3084 if (err)
3085 goto out;
3086 }
3087
3088out:
3089 return err;
3090}
3091
3092static int selinux_socket_listen(struct socket *sock, int backlog)
3093{
3094 return socket_has_perm(current, sock, SOCKET__LISTEN);
3095}
3096
3097static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3098{
3099 int err;
3100 struct inode_security_struct *isec;
3101 struct inode_security_struct *newisec;
3102
3103 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3104 if (err)
3105 return err;
3106
3107 newisec = SOCK_INODE(newsock)->i_security;
3108
3109 isec = SOCK_INODE(sock)->i_security;
3110 newisec->sclass = isec->sclass;
3111 newisec->sid = isec->sid;
3112 newisec->initialized = 1;
3113
3114 return 0;
3115}
3116
3117static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3118 int size)
3119{
3120 return socket_has_perm(current, sock, SOCKET__WRITE);
3121}
3122
3123static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3124 int size, int flags)
3125{
3126 return socket_has_perm(current, sock, SOCKET__READ);
3127}
3128
3129static int selinux_socket_getsockname(struct socket *sock)
3130{
3131 return socket_has_perm(current, sock, SOCKET__GETATTR);
3132}
3133
3134static int selinux_socket_getpeername(struct socket *sock)
3135{
3136 return socket_has_perm(current, sock, SOCKET__GETATTR);
3137}
3138
3139static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3140{
3141 return socket_has_perm(current, sock, SOCKET__SETOPT);
3142}
3143
3144static int selinux_socket_getsockopt(struct socket *sock, int level,
3145 int optname)
3146{
3147 return socket_has_perm(current, sock, SOCKET__GETOPT);
3148}
3149
3150static int selinux_socket_shutdown(struct socket *sock, int how)
3151{
3152 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3153}
3154
3155static int selinux_socket_unix_stream_connect(struct socket *sock,
3156 struct socket *other,
3157 struct sock *newsk)
3158{
3159 struct sk_security_struct *ssec;
3160 struct inode_security_struct *isec;
3161 struct inode_security_struct *other_isec;
3162 struct avc_audit_data ad;
3163 int err;
3164
3165 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3166 if (err)
3167 return err;
3168
3169 isec = SOCK_INODE(sock)->i_security;
3170 other_isec = SOCK_INODE(other)->i_security;
3171
3172 AVC_AUDIT_DATA_INIT(&ad,NET);
3173 ad.u.net.sk = other->sk;
3174
3175 err = avc_has_perm(isec->sid, other_isec->sid,
3176 isec->sclass,
3177 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3178 if (err)
3179 return err;
3180
3181 /* connecting socket */
3182 ssec = sock->sk->sk_security;
3183 ssec->peer_sid = other_isec->sid;
3184
3185 /* server child socket */
3186 ssec = newsk->sk_security;
3187 ssec->peer_sid = isec->sid;
3188
3189 return 0;
3190}
3191
3192static int selinux_socket_unix_may_send(struct socket *sock,
3193 struct socket *other)
3194{
3195 struct inode_security_struct *isec;
3196 struct inode_security_struct *other_isec;
3197 struct avc_audit_data ad;
3198 int err;
3199
3200 isec = SOCK_INODE(sock)->i_security;
3201 other_isec = SOCK_INODE(other)->i_security;
3202
3203 AVC_AUDIT_DATA_INIT(&ad,NET);
3204 ad.u.net.sk = other->sk;
3205
3206 err = avc_has_perm(isec->sid, other_isec->sid,
3207 isec->sclass, SOCKET__SENDTO, &ad);
3208 if (err)
3209 return err;
3210
3211 return 0;
3212}
3213
3214static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3215{
3216 u16 family;
3217 char *addrp;
3218 int len, err = 0;
3219 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3220 u32 sock_sid = 0;
3221 u16 sock_class = 0;
3222 struct socket *sock;
3223 struct net_device *dev;
3224 struct avc_audit_data ad;
3225
3226 family = sk->sk_family;
3227 if (family != PF_INET && family != PF_INET6)
3228 goto out;
3229
3230 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3231 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3232 family = PF_INET;
3233
3234 read_lock_bh(&sk->sk_callback_lock);
3235 sock = sk->sk_socket;
3236 if (sock) {
3237 struct inode *inode;
3238 inode = SOCK_INODE(sock);
3239 if (inode) {
3240 struct inode_security_struct *isec;
3241 isec = inode->i_security;
3242 sock_sid = isec->sid;
3243 sock_class = isec->sclass;
3244 }
3245 }
3246 read_unlock_bh(&sk->sk_callback_lock);
3247 if (!sock_sid)
3248 goto out;
3249
3250 dev = skb->dev;
3251 if (!dev)
3252 goto out;
3253
3254 err = sel_netif_sids(dev, &if_sid, NULL);
3255 if (err)
3256 goto out;
3257
3258 switch (sock_class) {
3259 case SECCLASS_UDP_SOCKET:
3260 netif_perm = NETIF__UDP_RECV;
3261 node_perm = NODE__UDP_RECV;
3262 recv_perm = UDP_SOCKET__RECV_MSG;
3263 break;
3264
3265 case SECCLASS_TCP_SOCKET:
3266 netif_perm = NETIF__TCP_RECV;
3267 node_perm = NODE__TCP_RECV;
3268 recv_perm = TCP_SOCKET__RECV_MSG;
3269 break;
3270
3271 default:
3272 netif_perm = NETIF__RAWIP_RECV;
3273 node_perm = NODE__RAWIP_RECV;
3274 break;
3275 }
3276
3277 AVC_AUDIT_DATA_INIT(&ad, NET);
3278 ad.u.net.netif = dev->name;
3279 ad.u.net.family = family;
3280
3281 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3282 if (err)
3283 goto out;
3284
3285 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3286 if (err)
3287 goto out;
3288
3289 /* Fixme: this lookup is inefficient */
3290 err = security_node_sid(family, addrp, len, &node_sid);
3291 if (err)
3292 goto out;
3293
3294 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3295 if (err)
3296 goto out;
3297
3298 if (recv_perm) {
3299 u32 port_sid;
3300
3301 /* Fixme: make this more efficient */
3302 err = security_port_sid(sk->sk_family, sk->sk_type,
3303 sk->sk_protocol, ntohs(ad.u.net.sport),
3304 &port_sid);
3305 if (err)
3306 goto out;
3307
3308 err = avc_has_perm(sock_sid, port_sid,
3309 sock_class, recv_perm, &ad);
3310 }
Trent Jaegerd28d1e02005-12-13 23:12:40 -0800[diff] [blame]3311
3312 if (!err)
3313 err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3314
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3315out:
3316 return err;
3317}
3318
3319static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3320 int __user *optlen, unsigned len)
3321{
3322 int err = 0;
3323 char *scontext;
3324 u32 scontext_len;
3325 struct sk_security_struct *ssec;
3326 struct inode_security_struct *isec;
3327
3328 isec = SOCK_INODE(sock)->i_security;
3329 if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3330 err = -ENOPROTOOPT;
3331 goto out;
3332 }
3333
3334 ssec = sock->sk->sk_security;
3335
3336 err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3337 if (err)
3338 goto out;
3339
3340 if (scontext_len > len) {
3341 err = -ERANGE;
3342 goto out_len;
3343 }
3344
3345 if (copy_to_user(optval, scontext, scontext_len))
3346 err = -EFAULT;
3347
3348out_len:
3349 if (put_user(scontext_len, optlen))
3350 err = -EFAULT;
3351
3352 kfree(scontext);
3353out:
3354 return err;
3355}
3356
Al Viro7d877f32005-10-21 03:20:43 -0400[diff] [blame]3357static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3358{
3359 return sk_alloc_security(sk, family, priority);
3360}
3361
3362static void selinux_sk_free_security(struct sock *sk)
3363{
3364 sk_free_security(sk);
3365}
3366
Trent Jaegerd28d1e02005-12-13 23:12:40 -0800[diff] [blame]3367static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3368{
3369 struct inode_security_struct *isec;
3370 u32 sock_sid = SECINITSID_ANY_SOCKET;
3371
3372 if (!sk)
3373 return selinux_no_sk_sid(fl);
3374
3375 read_lock_bh(&sk->sk_callback_lock);
3376 isec = get_sock_isec(sk);
3377
3378 if (isec)
3379 sock_sid = isec->sid;
3380
3381 read_unlock_bh(&sk->sk_callback_lock);
3382 return sock_sid;
3383}
3384
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3385static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3386{
3387 int err = 0;
3388 u32 perm;
3389 struct nlmsghdr *nlh;
3390 struct socket *sock = sk->sk_socket;
3391 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3392
3393 if (skb->len < NLMSG_SPACE(0)) {
3394 err = -EINVAL;
3395 goto out;
3396 }
3397 nlh = (struct nlmsghdr *)skb->data;
3398
3399 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3400 if (err) {
3401 if (err == -EINVAL) {
David Woodhouse9ad9ad32005-06-22 15:04:33 +0100[diff] [blame]3402 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3403 "SELinux: unrecognized netlink message"
3404 " type=%hu for sclass=%hu\n",
3405 nlh->nlmsg_type, isec->sclass);
3406 if (!selinux_enforcing)
3407 err = 0;
3408 }
3409
3410 /* Ignore */
3411 if (err == -ENOENT)
3412 err = 0;
3413 goto out;
3414 }
3415
3416 err = socket_has_perm(current, sock, perm);
3417out:
3418 return err;
3419}
3420
3421#ifdef CONFIG_NETFILTER
3422
3423static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3424 struct sk_buff **pskb,
3425 const struct net_device *in,
3426 const struct net_device *out,
3427 int (*okfn)(struct sk_buff *),
3428 u16 family)
3429{
3430 char *addrp;
3431 int len, err = NF_ACCEPT;
3432 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3433 struct sock *sk;
3434 struct socket *sock;
3435 struct inode *inode;
3436 struct sk_buff *skb = *pskb;
3437 struct inode_security_struct *isec;
3438 struct avc_audit_data ad;
3439 struct net_device *dev = (struct net_device *)out;
3440
3441 sk = skb->sk;
3442 if (!sk)
3443 goto out;
3444
3445 sock = sk->sk_socket;
3446 if (!sock)
3447 goto out;
3448
3449 inode = SOCK_INODE(sock);
3450 if (!inode)
3451 goto out;
3452
3453 err = sel_netif_sids(dev, &if_sid, NULL);
3454 if (err)
3455 goto out;
3456
3457 isec = inode->i_security;
3458
3459 switch (isec->sclass) {
3460 case SECCLASS_UDP_SOCKET:
3461 netif_perm = NETIF__UDP_SEND;
3462 node_perm = NODE__UDP_SEND;
3463 send_perm = UDP_SOCKET__SEND_MSG;
3464 break;
3465
3466 case SECCLASS_TCP_SOCKET:
3467 netif_perm = NETIF__TCP_SEND;
3468 node_perm = NODE__TCP_SEND;
3469 send_perm = TCP_SOCKET__SEND_MSG;
3470 break;
3471
3472 default:
3473 netif_perm = NETIF__RAWIP_SEND;
3474 node_perm = NODE__RAWIP_SEND;
3475 break;
3476 }
3477
3478
3479 AVC_AUDIT_DATA_INIT(&ad, NET);
3480 ad.u.net.netif = dev->name;
3481 ad.u.net.family = family;
3482
3483 err = selinux_parse_skb(skb, &ad, &addrp,
3484 &len, 0) ? NF_DROP : NF_ACCEPT;
3485 if (err != NF_ACCEPT)
3486 goto out;
3487
3488 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3489 netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3490 if (err != NF_ACCEPT)
3491 goto out;
3492
3493 /* Fixme: this lookup is inefficient */
3494 err = security_node_sid(family, addrp, len,
3495 &node_sid) ? NF_DROP : NF_ACCEPT;
3496 if (err != NF_ACCEPT)
3497 goto out;
3498
3499 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3500 node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3501 if (err != NF_ACCEPT)
3502 goto out;
3503
3504 if (send_perm) {
3505 u32 port_sid;
3506
3507 /* Fixme: make this more efficient */
3508 err = security_port_sid(sk->sk_family,
3509 sk->sk_type,
3510 sk->sk_protocol,
3511 ntohs(ad.u.net.dport),
3512 &port_sid) ? NF_DROP : NF_ACCEPT;
3513 if (err != NF_ACCEPT)
3514 goto out;
3515
3516 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3517 send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3518 }
3519
Trent Jaegerd28d1e02005-12-13 23:12:40 -0800[diff] [blame]3520 if (err != NF_ACCEPT)
3521 goto out;
3522
3523 err = selinux_xfrm_postroute_last(isec->sid, skb);
3524
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3525out:
3526 return err;
3527}
3528
3529static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3530 struct sk_buff **pskb,
3531 const struct net_device *in,
3532 const struct net_device *out,
3533 int (*okfn)(struct sk_buff *))
3534{
3535 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3536}
3537
3538#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3539
3540static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3541 struct sk_buff **pskb,
3542 const struct net_device *in,
3543 const struct net_device *out,
3544 int (*okfn)(struct sk_buff *))
3545{
3546 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3547}
3548
3549#endif /* IPV6 */
3550
3551#endif /* CONFIG_NETFILTER */
3552
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3553static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3554{
3555 struct task_security_struct *tsec;
3556 struct av_decision avd;
3557 int err;
3558
3559 err = secondary_ops->netlink_send(sk, skb);
3560 if (err)
3561 return err;
3562
3563 tsec = current->security;
3564
3565 avd.allowed = 0;
3566 avc_has_perm_noaudit(tsec->sid, tsec->sid,
3567 SECCLASS_CAPABILITY, ~0, &avd);
3568 cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3569
3570 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3571 err = selinux_nlmsg_perm(sk, skb);
3572
3573 return err;
3574}
3575
3576static int selinux_netlink_recv(struct sk_buff *skb)
3577{
3578 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3579 return -EPERM;
3580 return 0;
3581}
3582
3583static int ipc_alloc_security(struct task_struct *task,
3584 struct kern_ipc_perm *perm,
3585 u16 sclass)
3586{
3587 struct task_security_struct *tsec = task->security;
3588 struct ipc_security_struct *isec;
3589
James Morris89d155e2005-10-30 14:59:21 -0800[diff] [blame]3590 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3591 if (!isec)
3592 return -ENOMEM;
3593
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3594 isec->sclass = sclass;
3595 isec->ipc_perm = perm;
Stephen Smalley9ac49d22006-02-01 03:05:56 -0800[diff] [blame]3596 isec->sid = tsec->sid;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3597 perm->security = isec;
3598
3599 return 0;
3600}
3601
3602static void ipc_free_security(struct kern_ipc_perm *perm)
3603{
3604 struct ipc_security_struct *isec = perm->security;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3605 perm->security = NULL;
3606 kfree(isec);
3607}
3608
3609static int msg_msg_alloc_security(struct msg_msg *msg)
3610{
3611 struct msg_security_struct *msec;
3612
James Morris89d155e2005-10-30 14:59:21 -0800[diff] [blame]3613 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3614 if (!msec)
3615 return -ENOMEM;
3616
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3617 msec->msg = msg;
3618 msec->sid = SECINITSID_UNLABELED;
3619 msg->security = msec;
3620
3621 return 0;
3622}
3623
3624static void msg_msg_free_security(struct msg_msg *msg)
3625{
3626 struct msg_security_struct *msec = msg->security;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3627
3628 msg->security = NULL;
3629 kfree(msec);
3630}
3631
3632static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]3633 u32 perms)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3634{
3635 struct task_security_struct *tsec;
3636 struct ipc_security_struct *isec;
3637 struct avc_audit_data ad;
3638
3639 tsec = current->security;
3640 isec = ipc_perms->security;
3641
3642 AVC_AUDIT_DATA_INIT(&ad, IPC);
3643 ad.u.ipc_id = ipc_perms->key;
3644
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]3645 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3646}
3647
3648static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3649{
3650 return msg_msg_alloc_security(msg);
3651}
3652
3653static void selinux_msg_msg_free_security(struct msg_msg *msg)
3654{
3655 msg_msg_free_security(msg);
3656}
3657
3658/* message queue security operations */
3659static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3660{
3661 struct task_security_struct *tsec;
3662 struct ipc_security_struct *isec;
3663 struct avc_audit_data ad;
3664 int rc;
3665
3666 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3667 if (rc)
3668 return rc;
3669
3670 tsec = current->security;
3671 isec = msq->q_perm.security;
3672
3673 AVC_AUDIT_DATA_INIT(&ad, IPC);
3674 ad.u.ipc_id = msq->q_perm.key;
3675
3676 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3677 MSGQ__CREATE, &ad);
3678 if (rc) {
3679 ipc_free_security(&msq->q_perm);
3680 return rc;
3681 }
3682 return 0;
3683}
3684
3685static void selinux_msg_queue_free_security(struct msg_queue *msq)
3686{
3687 ipc_free_security(&msq->q_perm);
3688}
3689
3690static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3691{
3692 struct task_security_struct *tsec;
3693 struct ipc_security_struct *isec;
3694 struct avc_audit_data ad;
3695
3696 tsec = current->security;
3697 isec = msq->q_perm.security;
3698
3699 AVC_AUDIT_DATA_INIT(&ad, IPC);
3700 ad.u.ipc_id = msq->q_perm.key;
3701
3702 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3703 MSGQ__ASSOCIATE, &ad);
3704}
3705
3706static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3707{
3708 int err;
3709 int perms;
3710
3711 switch(cmd) {
3712 case IPC_INFO:
3713 case MSG_INFO:
3714 /* No specific object, just general system-wide information. */
3715 return task_has_system(current, SYSTEM__IPC_INFO);
3716 case IPC_STAT:
3717 case MSG_STAT:
3718 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3719 break;
3720 case IPC_SET:
3721 perms = MSGQ__SETATTR;
3722 break;
3723 case IPC_RMID:
3724 perms = MSGQ__DESTROY;
3725 break;
3726 default:
3727 return 0;
3728 }
3729
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]3730 err = ipc_has_perm(&msq->q_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3731 return err;
3732}
3733
3734static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3735{
3736 struct task_security_struct *tsec;
3737 struct ipc_security_struct *isec;
3738 struct msg_security_struct *msec;
3739 struct avc_audit_data ad;
3740 int rc;
3741
3742 tsec = current->security;
3743 isec = msq->q_perm.security;
3744 msec = msg->security;
3745
3746 /*
3747 * First time through, need to assign label to the message
3748 */
3749 if (msec->sid == SECINITSID_UNLABELED) {
3750 /*
3751 * Compute new sid based on current process and
3752 * message queue this message will be stored in
3753 */
3754 rc = security_transition_sid(tsec->sid,
3755 isec->sid,
3756 SECCLASS_MSG,
3757 &msec->sid);
3758 if (rc)
3759 return rc;
3760 }
3761
3762 AVC_AUDIT_DATA_INIT(&ad, IPC);
3763 ad.u.ipc_id = msq->q_perm.key;
3764
3765 /* Can this process write to the queue? */
3766 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3767 MSGQ__WRITE, &ad);
3768 if (!rc)
3769 /* Can this process send the message */
3770 rc = avc_has_perm(tsec->sid, msec->sid,
3771 SECCLASS_MSG, MSG__SEND, &ad);
3772 if (!rc)
3773 /* Can the message be put in the queue? */
3774 rc = avc_has_perm(msec->sid, isec->sid,
3775 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3776
3777 return rc;
3778}
3779
3780static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3781 struct task_struct *target,
3782 long type, int mode)
3783{
3784 struct task_security_struct *tsec;
3785 struct ipc_security_struct *isec;
3786 struct msg_security_struct *msec;
3787 struct avc_audit_data ad;
3788 int rc;
3789
3790 tsec = target->security;
3791 isec = msq->q_perm.security;
3792 msec = msg->security;
3793
3794 AVC_AUDIT_DATA_INIT(&ad, IPC);
3795 ad.u.ipc_id = msq->q_perm.key;
3796
3797 rc = avc_has_perm(tsec->sid, isec->sid,
3798 SECCLASS_MSGQ, MSGQ__READ, &ad);
3799 if (!rc)
3800 rc = avc_has_perm(tsec->sid, msec->sid,
3801 SECCLASS_MSG, MSG__RECEIVE, &ad);
3802 return rc;
3803}
3804
3805/* Shared Memory security operations */
3806static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3807{
3808 struct task_security_struct *tsec;
3809 struct ipc_security_struct *isec;
3810 struct avc_audit_data ad;
3811 int rc;
3812
3813 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3814 if (rc)
3815 return rc;
3816
3817 tsec = current->security;
3818 isec = shp->shm_perm.security;
3819
3820 AVC_AUDIT_DATA_INIT(&ad, IPC);
3821 ad.u.ipc_id = shp->shm_perm.key;
3822
3823 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3824 SHM__CREATE, &ad);
3825 if (rc) {
3826 ipc_free_security(&shp->shm_perm);
3827 return rc;
3828 }
3829 return 0;
3830}
3831
3832static void selinux_shm_free_security(struct shmid_kernel *shp)
3833{
3834 ipc_free_security(&shp->shm_perm);
3835}
3836
3837static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3838{
3839 struct task_security_struct *tsec;
3840 struct ipc_security_struct *isec;
3841 struct avc_audit_data ad;
3842
3843 tsec = current->security;
3844 isec = shp->shm_perm.security;
3845
3846 AVC_AUDIT_DATA_INIT(&ad, IPC);
3847 ad.u.ipc_id = shp->shm_perm.key;
3848
3849 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3850 SHM__ASSOCIATE, &ad);
3851}
3852
3853/* Note, at this point, shp is locked down */
3854static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3855{
3856 int perms;
3857 int err;
3858
3859 switch(cmd) {
3860 case IPC_INFO:
3861 case SHM_INFO:
3862 /* No specific object, just general system-wide information. */
3863 return task_has_system(current, SYSTEM__IPC_INFO);
3864 case IPC_STAT:
3865 case SHM_STAT:
3866 perms = SHM__GETATTR | SHM__ASSOCIATE;
3867 break;
3868 case IPC_SET:
3869 perms = SHM__SETATTR;
3870 break;
3871 case SHM_LOCK:
3872 case SHM_UNLOCK:
3873 perms = SHM__LOCK;
3874 break;
3875 case IPC_RMID:
3876 perms = SHM__DESTROY;
3877 break;
3878 default:
3879 return 0;
3880 }
3881
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]3882 err = ipc_has_perm(&shp->shm_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3883 return err;
3884}
3885
3886static int selinux_shm_shmat(struct shmid_kernel *shp,
3887 char __user *shmaddr, int shmflg)
3888{
3889 u32 perms;
3890 int rc;
3891
3892 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3893 if (rc)
3894 return rc;
3895
3896 if (shmflg & SHM_RDONLY)
3897 perms = SHM__READ;
3898 else
3899 perms = SHM__READ | SHM__WRITE;
3900
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]3901 return ipc_has_perm(&shp->shm_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3902}
3903
3904/* Semaphore security operations */
3905static int selinux_sem_alloc_security(struct sem_array *sma)
3906{
3907 struct task_security_struct *tsec;
3908 struct ipc_security_struct *isec;
3909 struct avc_audit_data ad;
3910 int rc;
3911
3912 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3913 if (rc)
3914 return rc;
3915
3916 tsec = current->security;
3917 isec = sma->sem_perm.security;
3918
3919 AVC_AUDIT_DATA_INIT(&ad, IPC);
3920 ad.u.ipc_id = sma->sem_perm.key;
3921
3922 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3923 SEM__CREATE, &ad);
3924 if (rc) {
3925 ipc_free_security(&sma->sem_perm);
3926 return rc;
3927 }
3928 return 0;
3929}
3930
3931static void selinux_sem_free_security(struct sem_array *sma)
3932{
3933 ipc_free_security(&sma->sem_perm);
3934}
3935
3936static int selinux_sem_associate(struct sem_array *sma, int semflg)
3937{
3938 struct task_security_struct *tsec;
3939 struct ipc_security_struct *isec;
3940 struct avc_audit_data ad;
3941
3942 tsec = current->security;
3943 isec = sma->sem_perm.security;
3944
3945 AVC_AUDIT_DATA_INIT(&ad, IPC);
3946 ad.u.ipc_id = sma->sem_perm.key;
3947
3948 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3949 SEM__ASSOCIATE, &ad);
3950}
3951
3952/* Note, at this point, sma is locked down */
3953static int selinux_sem_semctl(struct sem_array *sma, int cmd)
3954{
3955 int err;
3956 u32 perms;
3957
3958 switch(cmd) {
3959 case IPC_INFO:
3960 case SEM_INFO:
3961 /* No specific object, just general system-wide information. */
3962 return task_has_system(current, SYSTEM__IPC_INFO);
3963 case GETPID:
3964 case GETNCNT:
3965 case GETZCNT:
3966 perms = SEM__GETATTR;
3967 break;
3968 case GETVAL:
3969 case GETALL:
3970 perms = SEM__READ;
3971 break;
3972 case SETVAL:
3973 case SETALL:
3974 perms = SEM__WRITE;
3975 break;
3976 case IPC_RMID:
3977 perms = SEM__DESTROY;
3978 break;
3979 case IPC_SET:
3980 perms = SEM__SETATTR;
3981 break;
3982 case IPC_STAT:
3983 case SEM_STAT:
3984 perms = SEM__GETATTR | SEM__ASSOCIATE;
3985 break;
3986 default:
3987 return 0;
3988 }
3989
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]3990 err = ipc_has_perm(&sma->sem_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3991 return err;
3992}
3993
3994static int selinux_sem_semop(struct sem_array *sma,
3995 struct sembuf *sops, unsigned nsops, int alter)
3996{
3997 u32 perms;
3998
3999 if (alter)
4000 perms = SEM__READ | SEM__WRITE;
4001 else
4002 perms = SEM__READ;
4003
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]4004 return ipc_has_perm(&sma->sem_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4005}
4006
4007static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4008{
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4009 u32 av = 0;
4010
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4011 av = 0;
4012 if (flag & S_IRUGO)
4013 av |= IPC__UNIX_READ;
4014 if (flag & S_IWUGO)
4015 av |= IPC__UNIX_WRITE;
4016
4017 if (av == 0)
4018 return 0;
4019
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]4020 return ipc_has_perm(ipcp, av);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4021}
4022
Dustin Kirkland8c8570f2005-11-03 17:15:16 +0000[diff] [blame^]4023static int selinux_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size)
4024{
4025 struct ipc_security_struct *isec = ipcp->security;
4026
4027 return selinux_getsecurity(isec->sid, buffer, size);
4028}
4029
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4030/* module stacking operations */
4031static int selinux_register_security (const char *name, struct security_operations *ops)
4032{
4033 if (secondary_ops != original_ops) {
4034 printk(KERN_INFO "%s: There is already a secondary security "
4035 "module registered.\n", __FUNCTION__);
4036 return -EINVAL;
4037 }
4038
4039 secondary_ops = ops;
4040
4041 printk(KERN_INFO "%s: Registering secondary module %s\n",
4042 __FUNCTION__,
4043 name);
4044
4045 return 0;
4046}
4047
4048static int selinux_unregister_security (const char *name, struct security_operations *ops)
4049{
4050 if (ops != secondary_ops) {
4051 printk (KERN_INFO "%s: trying to unregister a security module "
4052 "that is not registered.\n", __FUNCTION__);
4053 return -EINVAL;
4054 }
4055
4056 secondary_ops = original_ops;
4057
4058 return 0;
4059}
4060
4061static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4062{
4063 if (inode)
4064 inode_doinit_with_dentry(inode, dentry);
4065}
4066
4067static int selinux_getprocattr(struct task_struct *p,
4068 char *name, void *value, size_t size)
4069{
4070 struct task_security_struct *tsec;
Dustin Kirkland8c8570f2005-11-03 17:15:16 +0000[diff] [blame^]4071 u32 sid;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4072 int error;
4073
4074 if (current != p) {
4075 error = task_has_perm(current, p, PROCESS__GETATTR);
4076 if (error)
4077 return error;
4078 }
4079
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4080 tsec = p->security;
4081
4082 if (!strcmp(name, "current"))
4083 sid = tsec->sid;
4084 else if (!strcmp(name, "prev"))
4085 sid = tsec->osid;
4086 else if (!strcmp(name, "exec"))
4087 sid = tsec->exec_sid;
4088 else if (!strcmp(name, "fscreate"))
4089 sid = tsec->create_sid;
4090 else
4091 return -EINVAL;
4092
4093 if (!sid)
4094 return 0;
4095
Dustin Kirkland8c8570f2005-11-03 17:15:16 +0000[diff] [blame^]4096 return selinux_getsecurity(sid, value, size);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4097}
4098
4099static int selinux_setprocattr(struct task_struct *p,
4100 char *name, void *value, size_t size)
4101{
4102 struct task_security_struct *tsec;
4103 u32 sid = 0;
4104 int error;
4105 char *str = value;
4106
4107 if (current != p) {
4108 /* SELinux only allows a process to change its own
4109 security attributes. */
4110 return -EACCES;
4111 }
4112
4113 /*
4114 * Basic control over ability to set these attributes at all.
4115 * current == p, but we'll pass them separately in case the
4116 * above restriction is ever removed.
4117 */
4118 if (!strcmp(name, "exec"))
4119 error = task_has_perm(current, p, PROCESS__SETEXEC);
4120 else if (!strcmp(name, "fscreate"))
4121 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4122 else if (!strcmp(name, "current"))
4123 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4124 else
4125 error = -EINVAL;
4126 if (error)
4127 return error;
4128
4129 /* Obtain a SID for the context, if one was specified. */
4130 if (size && str[1] && str[1] != '\n') {
4131 if (str[size-1] == '\n') {
4132 str[size-1] = 0;
4133 size--;
4134 }
4135 error = security_context_to_sid(value, size, &sid);
4136 if (error)
4137 return error;
4138 }
4139
4140 /* Permission checking based on the specified context is
4141 performed during the actual operation (execve,
4142 open/mkdir/...), when we know the full context of the
4143 operation. See selinux_bprm_set_security for the execve
4144 checks and may_create for the file creation checks. The
4145 operation will then fail if the context is not permitted. */
4146 tsec = p->security;
4147 if (!strcmp(name, "exec"))
4148 tsec->exec_sid = sid;
4149 else if (!strcmp(name, "fscreate"))
4150 tsec->create_sid = sid;
4151 else if (!strcmp(name, "current")) {
4152 struct av_decision avd;
4153
4154 if (sid == 0)
4155 return -EINVAL;
4156
4157 /* Only allow single threaded processes to change context */
4158 if (atomic_read(&p->mm->mm_users) != 1) {
4159 struct task_struct *g, *t;
4160 struct mm_struct *mm = p->mm;
4161 read_lock(&tasklist_lock);
4162 do_each_thread(g, t)
4163 if (t->mm == mm && t != p) {
4164 read_unlock(&tasklist_lock);
4165 return -EPERM;
4166 }
4167 while_each_thread(g, t);
4168 read_unlock(&tasklist_lock);
4169 }
4170
4171 /* Check permissions for the transition. */
4172 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4173 PROCESS__DYNTRANSITION, NULL);
4174 if (error)
4175 return error;
4176
4177 /* Check for ptracing, and update the task SID if ok.
4178 Otherwise, leave SID unchanged and fail. */
4179 task_lock(p);
4180 if (p->ptrace & PT_PTRACED) {
4181 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4182 SECCLASS_PROCESS,
4183 PROCESS__PTRACE, &avd);
4184 if (!error)
4185 tsec->sid = sid;
4186 task_unlock(p);
4187 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4188 PROCESS__PTRACE, &avd, error, NULL);
4189 if (error)
4190 return error;
4191 } else {
4192 tsec->sid = sid;
4193 task_unlock(p);
4194 }
4195 }
4196 else
4197 return -EINVAL;
4198
4199 return size;
4200}
4201
4202static struct security_operations selinux_ops = {
4203 .ptrace = selinux_ptrace,
4204 .capget = selinux_capget,
4205 .capset_check = selinux_capset_check,
4206 .capset_set = selinux_capset_set,
4207 .sysctl = selinux_sysctl,
4208 .capable = selinux_capable,
4209 .quotactl = selinux_quotactl,
4210 .quota_on = selinux_quota_on,
4211 .syslog = selinux_syslog,
4212 .vm_enough_memory = selinux_vm_enough_memory,
4213
4214 .netlink_send = selinux_netlink_send,
4215 .netlink_recv = selinux_netlink_recv,
4216
4217 .bprm_alloc_security = selinux_bprm_alloc_security,
4218 .bprm_free_security = selinux_bprm_free_security,
4219 .bprm_apply_creds = selinux_bprm_apply_creds,
4220 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
4221 .bprm_set_security = selinux_bprm_set_security,
4222 .bprm_check_security = selinux_bprm_check_security,
4223 .bprm_secureexec = selinux_bprm_secureexec,
4224
4225 .sb_alloc_security = selinux_sb_alloc_security,
4226 .sb_free_security = selinux_sb_free_security,
4227 .sb_copy_data = selinux_sb_copy_data,
4228 .sb_kern_mount = selinux_sb_kern_mount,
4229 .sb_statfs = selinux_sb_statfs,
4230 .sb_mount = selinux_mount,
4231 .sb_umount = selinux_umount,
4232
4233 .inode_alloc_security = selinux_inode_alloc_security,
4234 .inode_free_security = selinux_inode_free_security,
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]4235 .inode_init_security = selinux_inode_init_security,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4236 .inode_create = selinux_inode_create,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4237 .inode_link = selinux_inode_link,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4238 .inode_unlink = selinux_inode_unlink,
4239 .inode_symlink = selinux_inode_symlink,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4240 .inode_mkdir = selinux_inode_mkdir,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4241 .inode_rmdir = selinux_inode_rmdir,
4242 .inode_mknod = selinux_inode_mknod,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4243 .inode_rename = selinux_inode_rename,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4244 .inode_readlink = selinux_inode_readlink,
4245 .inode_follow_link = selinux_inode_follow_link,
4246 .inode_permission = selinux_inode_permission,
4247 .inode_setattr = selinux_inode_setattr,
4248 .inode_getattr = selinux_inode_getattr,
4249 .inode_setxattr = selinux_inode_setxattr,
4250 .inode_post_setxattr = selinux_inode_post_setxattr,
4251 .inode_getxattr = selinux_inode_getxattr,
4252 .inode_listxattr = selinux_inode_listxattr,
4253 .inode_removexattr = selinux_inode_removexattr,
Dustin Kirkland8c8570f2005-11-03 17:15:16 +0000[diff] [blame^]4254 .inode_xattr_getsuffix = selinux_inode_xattr_getsuffix,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4255 .inode_getsecurity = selinux_inode_getsecurity,
4256 .inode_setsecurity = selinux_inode_setsecurity,
4257 .inode_listsecurity = selinux_inode_listsecurity,
4258
4259 .file_permission = selinux_file_permission,
4260 .file_alloc_security = selinux_file_alloc_security,
4261 .file_free_security = selinux_file_free_security,
4262 .file_ioctl = selinux_file_ioctl,
4263 .file_mmap = selinux_file_mmap,
4264 .file_mprotect = selinux_file_mprotect,
4265 .file_lock = selinux_file_lock,
4266 .file_fcntl = selinux_file_fcntl,
4267 .file_set_fowner = selinux_file_set_fowner,
4268 .file_send_sigiotask = selinux_file_send_sigiotask,
4269 .file_receive = selinux_file_receive,
4270
4271 .task_create = selinux_task_create,
4272 .task_alloc_security = selinux_task_alloc_security,
4273 .task_free_security = selinux_task_free_security,
4274 .task_setuid = selinux_task_setuid,
4275 .task_post_setuid = selinux_task_post_setuid,
4276 .task_setgid = selinux_task_setgid,
4277 .task_setpgid = selinux_task_setpgid,
4278 .task_getpgid = selinux_task_getpgid,
4279 .task_getsid = selinux_task_getsid,
4280 .task_setgroups = selinux_task_setgroups,
4281 .task_setnice = selinux_task_setnice,
4282 .task_setrlimit = selinux_task_setrlimit,
4283 .task_setscheduler = selinux_task_setscheduler,
4284 .task_getscheduler = selinux_task_getscheduler,
4285 .task_kill = selinux_task_kill,
4286 .task_wait = selinux_task_wait,
4287 .task_prctl = selinux_task_prctl,
4288 .task_reparent_to_init = selinux_task_reparent_to_init,
4289 .task_to_inode = selinux_task_to_inode,
4290
4291 .ipc_permission = selinux_ipc_permission,
Dustin Kirkland8c8570f2005-11-03 17:15:16 +0000[diff] [blame^]4292 .ipc_getsecurity = selinux_ipc_getsecurity,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4293
4294 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4295 .msg_msg_free_security = selinux_msg_msg_free_security,
4296
4297 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4298 .msg_queue_free_security = selinux_msg_queue_free_security,
4299 .msg_queue_associate = selinux_msg_queue_associate,
4300 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4301 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4302 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4303
4304 .shm_alloc_security = selinux_shm_alloc_security,
4305 .shm_free_security = selinux_shm_free_security,
4306 .shm_associate = selinux_shm_associate,
4307 .shm_shmctl = selinux_shm_shmctl,
4308 .shm_shmat = selinux_shm_shmat,
4309
4310 .sem_alloc_security = selinux_sem_alloc_security,
4311 .sem_free_security = selinux_sem_free_security,
4312 .sem_associate = selinux_sem_associate,
4313 .sem_semctl = selinux_sem_semctl,
4314 .sem_semop = selinux_sem_semop,
4315
4316 .register_security = selinux_register_security,
4317 .unregister_security = selinux_unregister_security,
4318
4319 .d_instantiate = selinux_d_instantiate,
4320
4321 .getprocattr = selinux_getprocattr,
4322 .setprocattr = selinux_setprocattr,
4323
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4324 .unix_stream_connect = selinux_socket_unix_stream_connect,
4325 .unix_may_send = selinux_socket_unix_may_send,
4326
4327 .socket_create = selinux_socket_create,
4328 .socket_post_create = selinux_socket_post_create,
4329 .socket_bind = selinux_socket_bind,
4330 .socket_connect = selinux_socket_connect,
4331 .socket_listen = selinux_socket_listen,
4332 .socket_accept = selinux_socket_accept,
4333 .socket_sendmsg = selinux_socket_sendmsg,
4334 .socket_recvmsg = selinux_socket_recvmsg,
4335 .socket_getsockname = selinux_socket_getsockname,
4336 .socket_getpeername = selinux_socket_getpeername,
4337 .socket_getsockopt = selinux_socket_getsockopt,
4338 .socket_setsockopt = selinux_socket_setsockopt,
4339 .socket_shutdown = selinux_socket_shutdown,
4340 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
4341 .socket_getpeersec = selinux_socket_getpeersec,
4342 .sk_alloc_security = selinux_sk_alloc_security,
4343 .sk_free_security = selinux_sk_free_security,
Trent Jaegerd28d1e02005-12-13 23:12:40 -0800[diff] [blame]4344 .sk_getsid = selinux_sk_getsid_security,
Trent Jaegerd28d1e02005-12-13 23:12:40 -0800[diff] [blame]4345
4346#ifdef CONFIG_SECURITY_NETWORK_XFRM
4347 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
4348 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
4349 .xfrm_policy_free_security = selinux_xfrm_policy_free,
4350 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
4351 .xfrm_state_free_security = selinux_xfrm_state_free,
4352 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4353#endif
4354};
4355
4356static __init int selinux_init(void)
4357{
4358 struct task_security_struct *tsec;
4359
4360 if (!selinux_enabled) {
4361 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4362 return 0;
4363 }
4364
4365 printk(KERN_INFO "SELinux: Initializing.\n");
4366
4367 /* Set the security state for the initial task. */
4368 if (task_alloc_security(current))
4369 panic("SELinux: Failed to initialize initial task.\n");
4370 tsec = current->security;
4371 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4372
4373 avc_init();
4374
4375 original_ops = secondary_ops = security_ops;
4376 if (!secondary_ops)
4377 panic ("SELinux: No initial security operations\n");
4378 if (register_security (&selinux_ops))
4379 panic("SELinux: Unable to register with kernel.\n");
4380
4381 if (selinux_enforcing) {
4382 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
4383 } else {
4384 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
4385 }
4386 return 0;
4387}
4388
4389void selinux_complete_init(void)
4390{
4391 printk(KERN_INFO "SELinux: Completing initialization.\n");
4392
4393 /* Set up any superblocks initialized prior to the policy load. */
4394 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
4395 spin_lock(&sb_security_lock);
4396next_sb:
4397 if (!list_empty(&superblock_security_head)) {
4398 struct superblock_security_struct *sbsec =
4399 list_entry(superblock_security_head.next,
4400 struct superblock_security_struct,
4401 list);
4402 struct super_block *sb = sbsec->sb;
4403 spin_lock(&sb_lock);
4404 sb->s_count++;
4405 spin_unlock(&sb_lock);
4406 spin_unlock(&sb_security_lock);
4407 down_read(&sb->s_umount);
4408 if (sb->s_root)
4409 superblock_doinit(sb, NULL);
4410 drop_super(sb);
4411 spin_lock(&sb_security_lock);
4412 list_del_init(&sbsec->list);
4413 goto next_sb;
4414 }
4415 spin_unlock(&sb_security_lock);
4416}
4417
4418/* SELinux requires early initialization in order to label
4419 all processes and objects when they are created. */
4420security_initcall(selinux_init);
4421
Stephen Smalleyc2b507f2006-02-04 23:27:50 -0800[diff] [blame]4422#if defined(CONFIG_NETFILTER)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4423
4424static struct nf_hook_ops selinux_ipv4_op = {
4425 .hook = selinux_ipv4_postroute_last,
4426 .owner = THIS_MODULE,
4427 .pf = PF_INET,
4428 .hooknum = NF_IP_POST_ROUTING,
4429 .priority = NF_IP_PRI_SELINUX_LAST,
4430};
4431
4432#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4433
4434static struct nf_hook_ops selinux_ipv6_op = {
4435 .hook = selinux_ipv6_postroute_last,
4436 .owner = THIS_MODULE,
4437 .pf = PF_INET6,
4438 .hooknum = NF_IP6_POST_ROUTING,
4439 .priority = NF_IP6_PRI_SELINUX_LAST,
4440};
4441
4442#endif /* IPV6 */
4443
4444static int __init selinux_nf_ip_init(void)
4445{
4446 int err = 0;
4447
4448 if (!selinux_enabled)
4449 goto out;
4450
4451 printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
4452
4453 err = nf_register_hook(&selinux_ipv4_op);
4454 if (err)
4455 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4456
4457#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4458
4459 err = nf_register_hook(&selinux_ipv6_op);
4460 if (err)
4461 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4462
4463#endif /* IPV6 */
Trent Jaegerd28d1e02005-12-13 23:12:40 -0800[diff] [blame]4464
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4465out:
4466 return err;
4467}
4468
4469__initcall(selinux_nf_ip_init);
4470
4471#ifdef CONFIG_SECURITY_SELINUX_DISABLE
4472static void selinux_nf_ip_exit(void)
4473{
4474 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
4475
4476 nf_unregister_hook(&selinux_ipv4_op);
4477#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4478 nf_unregister_hook(&selinux_ipv6_op);
4479#endif /* IPV6 */
4480}
4481#endif
4482
Stephen Smalleyc2b507f2006-02-04 23:27:50 -0800[diff] [blame]4483#else /* CONFIG_NETFILTER */
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4484
4485#ifdef CONFIG_SECURITY_SELINUX_DISABLE
4486#define selinux_nf_ip_exit()
4487#endif
4488
Stephen Smalleyc2b507f2006-02-04 23:27:50 -0800[diff] [blame]4489#endif /* CONFIG_NETFILTER */
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4490
4491#ifdef CONFIG_SECURITY_SELINUX_DISABLE
4492int selinux_disable(void)
4493{
4494 extern void exit_sel_fs(void);
4495 static int selinux_disabled = 0;
4496
4497 if (ss_initialized) {
4498 /* Not permitted after initial policy load. */
4499 return -EINVAL;
4500 }
4501
4502 if (selinux_disabled) {
4503 /* Only do this once. */
4504 return -EINVAL;
4505 }
4506
4507 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
4508
4509 selinux_disabled = 1;
4510
4511 /* Reset security_ops to the secondary module, dummy or capability. */
4512 security_ops = secondary_ops;
4513
4514 /* Unregister netfilter hooks. */
4515 selinux_nf_ip_exit();
4516
4517 /* Unregister selinuxfs. */
4518 exit_sel_fs();
4519
4520 return 0;
4521}
4522#endif
4523
4524