blob: 90b4cdc0c94806ca1cba335aaa6213dc9012229a [file] [log] [blame]
Linus Torvalds1da177e2005-04-16 15:20:36 -07001/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2,
18 * as published by the Free Software Foundation.
19 */
20
21#include <linux/config.h>
22#include <linux/module.h>
23#include <linux/init.h>
24#include <linux/kernel.h>
25#include <linux/ptrace.h>
26#include <linux/errno.h>
27#include <linux/sched.h>
28#include <linux/security.h>
29#include <linux/xattr.h>
30#include <linux/capability.h>
31#include <linux/unistd.h>
32#include <linux/mm.h>
33#include <linux/mman.h>
34#include <linux/slab.h>
35#include <linux/pagemap.h>
36#include <linux/swap.h>
37#include <linux/smp_lock.h>
38#include <linux/spinlock.h>
39#include <linux/syscalls.h>
40#include <linux/file.h>
41#include <linux/namei.h>
42#include <linux/mount.h>
43#include <linux/ext2_fs.h>
44#include <linux/proc_fs.h>
45#include <linux/kd.h>
46#include <linux/netfilter_ipv4.h>
47#include <linux/netfilter_ipv6.h>
48#include <linux/tty.h>
49#include <net/icmp.h>
50#include <net/ip.h> /* for sysctl_local_port_range[] */
51#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
52#include <asm/uaccess.h>
53#include <asm/semaphore.h>
54#include <asm/ioctls.h>
55#include <linux/bitops.h>
56#include <linux/interrupt.h>
57#include <linux/netdevice.h> /* for network interface checks */
58#include <linux/netlink.h>
59#include <linux/tcp.h>
60#include <linux/udp.h>
61#include <linux/quota.h>
62#include <linux/un.h> /* for Unix socket types */
63#include <net/af_unix.h> /* for Unix socket types */
64#include <linux/parser.h>
65#include <linux/nfs_mount.h>
66#include <net/ipv6.h>
67#include <linux/hugetlb.h>
68#include <linux/personality.h>
69#include <linux/sysctl.h>
70#include <linux/audit.h>
Eric Paris6931dfc2005-06-30 02:58:51 -070071#include <linux/string.h>
Linus Torvalds1da177e2005-04-16 15:20:36 -070072
73#include "avc.h"
74#include "objsec.h"
75#include "netif.h"
Trent Jaegerd28d1e02005-12-13 23:12:40 -080076#include "xfrm.h"
Linus Torvalds1da177e2005-04-16 15:20:36 -070077
78#define XATTR_SELINUX_SUFFIX "selinux"
79#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81extern unsigned int policydb_loaded_version;
82extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83
84#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
85int selinux_enforcing = 0;
86
87static int __init enforcing_setup(char *str)
88{
89 selinux_enforcing = simple_strtol(str,NULL,0);
90 return 1;
91}
92__setup("enforcing=", enforcing_setup);
93#endif
94
95#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
96int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
97
98static int __init selinux_enabled_setup(char *str)
99{
100 selinux_enabled = simple_strtol(str, NULL, 0);
101 return 1;
102}
103__setup("selinux=", selinux_enabled_setup);
Stephen Smalley30d55282006-05-03 10:52:36 -0400104#else
105int selinux_enabled = 1;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700106#endif
107
108/* Original (dummy) security module. */
109static struct security_operations *original_ops = NULL;
110
111/* Minimal support for a secondary security module,
112 just to allow the use of the dummy or capability modules.
113 The owlsm module can alternatively be used as a secondary
114 module as long as CONFIG_OWLSM_FD is not enabled. */
115static struct security_operations *secondary_ops = NULL;
116
117/* Lists of inode and superblock security structures initialized
118 before the policy was loaded. */
119static LIST_HEAD(superblock_security_head);
120static DEFINE_SPINLOCK(sb_security_lock);
121
James Morris7cae7e22006-03-22 00:09:22 -0800122static kmem_cache_t *sel_inode_cache;
123
Dustin Kirkland8c8570f2005-11-03 17:15:16 +0000124/* Return security context for a given sid or just the context
125 length if the buffer is null or length is 0 */
126static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
127{
128 char *context;
129 unsigned len;
130 int rc;
131
132 rc = security_sid_to_context(sid, &context, &len);
133 if (rc)
134 return rc;
135
136 if (!buffer || !size)
137 goto getsecurity_exit;
138
139 if (size < len) {
140 len = -ERANGE;
141 goto getsecurity_exit;
142 }
143 memcpy(buffer, context, len);
144
145getsecurity_exit:
146 kfree(context);
147 return len;
148}
149
Linus Torvalds1da177e2005-04-16 15:20:36 -0700150/* Allocate and free functions for each kind of security blob. */
151
152static int task_alloc_security(struct task_struct *task)
153{
154 struct task_security_struct *tsec;
155
James Morris89d155e2005-10-30 14:59:21 -0800156 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700157 if (!tsec)
158 return -ENOMEM;
159
Linus Torvalds1da177e2005-04-16 15:20:36 -0700160 tsec->task = task;
161 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
162 task->security = tsec;
163
164 return 0;
165}
166
167static void task_free_security(struct task_struct *task)
168{
169 struct task_security_struct *tsec = task->security;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700170 task->security = NULL;
171 kfree(tsec);
172}
173
174static int inode_alloc_security(struct inode *inode)
175{
176 struct task_security_struct *tsec = current->security;
177 struct inode_security_struct *isec;
178
James Morris7cae7e22006-03-22 00:09:22 -0800179 isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700180 if (!isec)
181 return -ENOMEM;
182
James Morris7cae7e22006-03-22 00:09:22 -0800183 memset(isec, 0, sizeof(*isec));
Linus Torvalds1da177e2005-04-16 15:20:36 -0700184 init_MUTEX(&isec->sem);
185 INIT_LIST_HEAD(&isec->list);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700186 isec->inode = inode;
187 isec->sid = SECINITSID_UNLABELED;
188 isec->sclass = SECCLASS_FILE;
Stephen Smalley9ac49d22006-02-01 03:05:56 -0800189 isec->task_sid = tsec->sid;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700190 inode->i_security = isec;
191
192 return 0;
193}
194
195static void inode_free_security(struct inode *inode)
196{
197 struct inode_security_struct *isec = inode->i_security;
198 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
199
Linus Torvalds1da177e2005-04-16 15:20:36 -0700200 spin_lock(&sbsec->isec_lock);
201 if (!list_empty(&isec->list))
202 list_del_init(&isec->list);
203 spin_unlock(&sbsec->isec_lock);
204
205 inode->i_security = NULL;
James Morris7cae7e22006-03-22 00:09:22 -0800206 kmem_cache_free(sel_inode_cache, isec);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700207}
208
209static int file_alloc_security(struct file *file)
210{
211 struct task_security_struct *tsec = current->security;
212 struct file_security_struct *fsec;
213
Stephen Smalley26d2a4b2006-02-01 03:05:55 -0800214 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700215 if (!fsec)
216 return -ENOMEM;
217
Linus Torvalds1da177e2005-04-16 15:20:36 -0700218 fsec->file = file;
Stephen Smalley9ac49d22006-02-01 03:05:56 -0800219 fsec->sid = tsec->sid;
220 fsec->fown_sid = tsec->sid;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700221 file->f_security = fsec;
222
223 return 0;
224}
225
226static void file_free_security(struct file *file)
227{
228 struct file_security_struct *fsec = file->f_security;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700229 file->f_security = NULL;
230 kfree(fsec);
231}
232
233static int superblock_alloc_security(struct super_block *sb)
234{
235 struct superblock_security_struct *sbsec;
236
James Morris89d155e2005-10-30 14:59:21 -0800237 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700238 if (!sbsec)
239 return -ENOMEM;
240
Linus Torvalds1da177e2005-04-16 15:20:36 -0700241 init_MUTEX(&sbsec->sem);
242 INIT_LIST_HEAD(&sbsec->list);
243 INIT_LIST_HEAD(&sbsec->isec_head);
244 spin_lock_init(&sbsec->isec_lock);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700245 sbsec->sb = sb;
246 sbsec->sid = SECINITSID_UNLABELED;
247 sbsec->def_sid = SECINITSID_FILE;
248 sb->s_security = sbsec;
249
250 return 0;
251}
252
253static void superblock_free_security(struct super_block *sb)
254{
255 struct superblock_security_struct *sbsec = sb->s_security;
256
Linus Torvalds1da177e2005-04-16 15:20:36 -0700257 spin_lock(&sb_security_lock);
258 if (!list_empty(&sbsec->list))
259 list_del_init(&sbsec->list);
260 spin_unlock(&sb_security_lock);
261
262 sb->s_security = NULL;
263 kfree(sbsec);
264}
265
Al Viro7d877f32005-10-21 03:20:43 -0400266static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700267{
268 struct sk_security_struct *ssec;
269
270 if (family != PF_UNIX)
271 return 0;
272
James Morris89d155e2005-10-30 14:59:21 -0800273 ssec = kzalloc(sizeof(*ssec), priority);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700274 if (!ssec)
275 return -ENOMEM;
276
Linus Torvalds1da177e2005-04-16 15:20:36 -0700277 ssec->sk = sk;
278 ssec->peer_sid = SECINITSID_UNLABELED;
279 sk->sk_security = ssec;
280
281 return 0;
282}
283
284static void sk_free_security(struct sock *sk)
285{
286 struct sk_security_struct *ssec = sk->sk_security;
287
Stephen Smalley9ac49d22006-02-01 03:05:56 -0800288 if (sk->sk_family != PF_UNIX)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700289 return;
290
291 sk->sk_security = NULL;
292 kfree(ssec);
293}
Linus Torvalds1da177e2005-04-16 15:20:36 -0700294
295/* The security server must be initialized before
296 any labeling or access decisions can be provided. */
297extern int ss_initialized;
298
299/* The file system's label must be initialized prior to use. */
300
301static char *labeling_behaviors[6] = {
302 "uses xattr",
303 "uses transition SIDs",
304 "uses task SIDs",
305 "uses genfs_contexts",
306 "not configured for labeling",
307 "uses mountpoint labeling",
308};
309
310static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
311
312static inline int inode_doinit(struct inode *inode)
313{
314 return inode_doinit_with_dentry(inode, NULL);
315}
316
317enum {
318 Opt_context = 1,
319 Opt_fscontext = 2,
320 Opt_defcontext = 4,
321};
322
323static match_table_t tokens = {
324 {Opt_context, "context=%s"},
325 {Opt_fscontext, "fscontext=%s"},
326 {Opt_defcontext, "defcontext=%s"},
327};
328
329#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
330
331static int try_context_mount(struct super_block *sb, void *data)
332{
333 char *context = NULL, *defcontext = NULL;
334 const char *name;
335 u32 sid;
336 int alloc = 0, rc = 0, seen = 0;
337 struct task_security_struct *tsec = current->security;
338 struct superblock_security_struct *sbsec = sb->s_security;
339
340 if (!data)
341 goto out;
342
343 name = sb->s_type->name;
344
345 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
346
347 /* NFS we understand. */
348 if (!strcmp(name, "nfs")) {
349 struct nfs_mount_data *d = data;
350
351 if (d->version < NFS_MOUNT_VERSION)
352 goto out;
353
354 if (d->context[0]) {
355 context = d->context;
356 seen |= Opt_context;
357 }
358 } else
359 goto out;
360
361 } else {
362 /* Standard string-based options. */
363 char *p, *options = data;
364
365 while ((p = strsep(&options, ",")) != NULL) {
366 int token;
367 substring_t args[MAX_OPT_ARGS];
368
369 if (!*p)
370 continue;
371
372 token = match_token(p, tokens, args);
373
374 switch (token) {
375 case Opt_context:
376 if (seen) {
377 rc = -EINVAL;
378 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
379 goto out_free;
380 }
381 context = match_strdup(&args[0]);
382 if (!context) {
383 rc = -ENOMEM;
384 goto out_free;
385 }
386 if (!alloc)
387 alloc = 1;
388 seen |= Opt_context;
389 break;
390
391 case Opt_fscontext:
392 if (seen & (Opt_context|Opt_fscontext)) {
393 rc = -EINVAL;
394 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
395 goto out_free;
396 }
397 context = match_strdup(&args[0]);
398 if (!context) {
399 rc = -ENOMEM;
400 goto out_free;
401 }
402 if (!alloc)
403 alloc = 1;
404 seen |= Opt_fscontext;
405 break;
406
407 case Opt_defcontext:
408 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
409 rc = -EINVAL;
410 printk(KERN_WARNING "SELinux: "
411 "defcontext option is invalid "
412 "for this filesystem type\n");
413 goto out_free;
414 }
415 if (seen & (Opt_context|Opt_defcontext)) {
416 rc = -EINVAL;
417 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
418 goto out_free;
419 }
420 defcontext = match_strdup(&args[0]);
421 if (!defcontext) {
422 rc = -ENOMEM;
423 goto out_free;
424 }
425 if (!alloc)
426 alloc = 1;
427 seen |= Opt_defcontext;
428 break;
429
430 default:
431 rc = -EINVAL;
432 printk(KERN_WARNING "SELinux: unknown mount "
433 "option\n");
434 goto out_free;
435
436 }
437 }
438 }
439
440 if (!seen)
441 goto out;
442
443 if (context) {
444 rc = security_context_to_sid(context, strlen(context), &sid);
445 if (rc) {
446 printk(KERN_WARNING "SELinux: security_context_to_sid"
447 "(%s) failed for (dev %s, type %s) errno=%d\n",
448 context, sb->s_id, name, rc);
449 goto out_free;
450 }
451
452 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
453 FILESYSTEM__RELABELFROM, NULL);
454 if (rc)
455 goto out_free;
456
457 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
458 FILESYSTEM__RELABELTO, NULL);
459 if (rc)
460 goto out_free;
461
462 sbsec->sid = sid;
463
464 if (seen & Opt_context)
465 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
466 }
467
468 if (defcontext) {
469 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
470 if (rc) {
471 printk(KERN_WARNING "SELinux: security_context_to_sid"
472 "(%s) failed for (dev %s, type %s) errno=%d\n",
473 defcontext, sb->s_id, name, rc);
474 goto out_free;
475 }
476
477 if (sid == sbsec->def_sid)
478 goto out_free;
479
480 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
481 FILESYSTEM__RELABELFROM, NULL);
482 if (rc)
483 goto out_free;
484
485 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
486 FILESYSTEM__ASSOCIATE, NULL);
487 if (rc)
488 goto out_free;
489
490 sbsec->def_sid = sid;
491 }
492
493out_free:
494 if (alloc) {
495 kfree(context);
496 kfree(defcontext);
497 }
498out:
499 return rc;
500}
501
502static int superblock_doinit(struct super_block *sb, void *data)
503{
504 struct superblock_security_struct *sbsec = sb->s_security;
505 struct dentry *root = sb->s_root;
506 struct inode *inode = root->d_inode;
507 int rc = 0;
508
509 down(&sbsec->sem);
510 if (sbsec->initialized)
511 goto out;
512
513 if (!ss_initialized) {
514 /* Defer initialization until selinux_complete_init,
515 after the initial policy is loaded and the security
516 server is ready to handle calls. */
517 spin_lock(&sb_security_lock);
518 if (list_empty(&sbsec->list))
519 list_add(&sbsec->list, &superblock_security_head);
520 spin_unlock(&sb_security_lock);
521 goto out;
522 }
523
524 /* Determine the labeling behavior to use for this filesystem type. */
525 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
526 if (rc) {
527 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
528 __FUNCTION__, sb->s_type->name, rc);
529 goto out;
530 }
531
532 rc = try_context_mount(sb, data);
533 if (rc)
534 goto out;
535
536 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
537 /* Make sure that the xattr handler exists and that no
538 error other than -ENODATA is returned by getxattr on
539 the root directory. -ENODATA is ok, as this may be
540 the first boot of the SELinux kernel before we have
541 assigned xattr values to the filesystem. */
542 if (!inode->i_op->getxattr) {
543 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
544 "xattr support\n", sb->s_id, sb->s_type->name);
545 rc = -EOPNOTSUPP;
546 goto out;
547 }
548 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
549 if (rc < 0 && rc != -ENODATA) {
550 if (rc == -EOPNOTSUPP)
551 printk(KERN_WARNING "SELinux: (dev %s, type "
552 "%s) has no security xattr handler\n",
553 sb->s_id, sb->s_type->name);
554 else
555 printk(KERN_WARNING "SELinux: (dev %s, type "
556 "%s) getxattr errno %d\n", sb->s_id,
557 sb->s_type->name, -rc);
558 goto out;
559 }
560 }
561
562 if (strcmp(sb->s_type->name, "proc") == 0)
563 sbsec->proc = 1;
564
565 sbsec->initialized = 1;
566
567 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
568 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
569 sb->s_id, sb->s_type->name);
570 }
571 else {
572 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
573 sb->s_id, sb->s_type->name,
574 labeling_behaviors[sbsec->behavior-1]);
575 }
576
577 /* Initialize the root inode. */
578 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
579
580 /* Initialize any other inodes associated with the superblock, e.g.
581 inodes created prior to initial policy load or inodes created
582 during get_sb by a pseudo filesystem that directly
583 populates itself. */
584 spin_lock(&sbsec->isec_lock);
585next_inode:
586 if (!list_empty(&sbsec->isec_head)) {
587 struct inode_security_struct *isec =
588 list_entry(sbsec->isec_head.next,
589 struct inode_security_struct, list);
590 struct inode *inode = isec->inode;
591 spin_unlock(&sbsec->isec_lock);
592 inode = igrab(inode);
593 if (inode) {
594 if (!IS_PRIVATE (inode))
595 inode_doinit(inode);
596 iput(inode);
597 }
598 spin_lock(&sbsec->isec_lock);
599 list_del_init(&isec->list);
600 goto next_inode;
601 }
602 spin_unlock(&sbsec->isec_lock);
603out:
604 up(&sbsec->sem);
605 return rc;
606}
607
608static inline u16 inode_mode_to_security_class(umode_t mode)
609{
610 switch (mode & S_IFMT) {
611 case S_IFSOCK:
612 return SECCLASS_SOCK_FILE;
613 case S_IFLNK:
614 return SECCLASS_LNK_FILE;
615 case S_IFREG:
616 return SECCLASS_FILE;
617 case S_IFBLK:
618 return SECCLASS_BLK_FILE;
619 case S_IFDIR:
620 return SECCLASS_DIR;
621 case S_IFCHR:
622 return SECCLASS_CHR_FILE;
623 case S_IFIFO:
624 return SECCLASS_FIFO_FILE;
625
626 }
627
628 return SECCLASS_FILE;
629}
630
James Morris13402582005-09-30 14:24:34 -0400631static inline int default_protocol_stream(int protocol)
632{
633 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
634}
635
636static inline int default_protocol_dgram(int protocol)
637{
638 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
639}
640
Linus Torvalds1da177e2005-04-16 15:20:36 -0700641static inline u16 socket_type_to_security_class(int family, int type, int protocol)
642{
643 switch (family) {
644 case PF_UNIX:
645 switch (type) {
646 case SOCK_STREAM:
647 case SOCK_SEQPACKET:
648 return SECCLASS_UNIX_STREAM_SOCKET;
649 case SOCK_DGRAM:
650 return SECCLASS_UNIX_DGRAM_SOCKET;
651 }
652 break;
653 case PF_INET:
654 case PF_INET6:
655 switch (type) {
656 case SOCK_STREAM:
James Morris13402582005-09-30 14:24:34 -0400657 if (default_protocol_stream(protocol))
658 return SECCLASS_TCP_SOCKET;
659 else
660 return SECCLASS_RAWIP_SOCKET;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700661 case SOCK_DGRAM:
James Morris13402582005-09-30 14:24:34 -0400662 if (default_protocol_dgram(protocol))
663 return SECCLASS_UDP_SOCKET;
664 else
665 return SECCLASS_RAWIP_SOCKET;
666 default:
Linus Torvalds1da177e2005-04-16 15:20:36 -0700667 return SECCLASS_RAWIP_SOCKET;
668 }
669 break;
670 case PF_NETLINK:
671 switch (protocol) {
672 case NETLINK_ROUTE:
673 return SECCLASS_NETLINK_ROUTE_SOCKET;
674 case NETLINK_FIREWALL:
675 return SECCLASS_NETLINK_FIREWALL_SOCKET;
James Morris216efaa2005-08-15 20:34:48 -0700676 case NETLINK_INET_DIAG:
Linus Torvalds1da177e2005-04-16 15:20:36 -0700677 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
678 case NETLINK_NFLOG:
679 return SECCLASS_NETLINK_NFLOG_SOCKET;
680 case NETLINK_XFRM:
681 return SECCLASS_NETLINK_XFRM_SOCKET;
682 case NETLINK_SELINUX:
683 return SECCLASS_NETLINK_SELINUX_SOCKET;
684 case NETLINK_AUDIT:
685 return SECCLASS_NETLINK_AUDIT_SOCKET;
686 case NETLINK_IP6_FW:
687 return SECCLASS_NETLINK_IP6FW_SOCKET;
688 case NETLINK_DNRTMSG:
689 return SECCLASS_NETLINK_DNRT_SOCKET;
James Morris0c9b7942005-04-16 15:24:13 -0700690 case NETLINK_KOBJECT_UEVENT:
691 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700692 default:
693 return SECCLASS_NETLINK_SOCKET;
694 }
695 case PF_PACKET:
696 return SECCLASS_PACKET_SOCKET;
697 case PF_KEY:
698 return SECCLASS_KEY_SOCKET;
699 }
700
701 return SECCLASS_SOCKET;
702}
703
704#ifdef CONFIG_PROC_FS
705static int selinux_proc_get_sid(struct proc_dir_entry *de,
706 u16 tclass,
707 u32 *sid)
708{
709 int buflen, rc;
710 char *buffer, *path, *end;
711
712 buffer = (char*)__get_free_page(GFP_KERNEL);
713 if (!buffer)
714 return -ENOMEM;
715
716 buflen = PAGE_SIZE;
717 end = buffer+buflen;
718 *--end = '\0';
719 buflen--;
720 path = end-1;
721 *path = '/';
722 while (de && de != de->parent) {
723 buflen -= de->namelen + 1;
724 if (buflen < 0)
725 break;
726 end -= de->namelen;
727 memcpy(end, de->name, de->namelen);
728 *--end = '/';
729 path = end;
730 de = de->parent;
731 }
732 rc = security_genfs_sid("proc", path, tclass, sid);
733 free_page((unsigned long)buffer);
734 return rc;
735}
736#else
737static int selinux_proc_get_sid(struct proc_dir_entry *de,
738 u16 tclass,
739 u32 *sid)
740{
741 return -EINVAL;
742}
743#endif
744
745/* The inode's security attributes must be initialized before first use. */
746static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
747{
748 struct superblock_security_struct *sbsec = NULL;
749 struct inode_security_struct *isec = inode->i_security;
750 u32 sid;
751 struct dentry *dentry;
752#define INITCONTEXTLEN 255
753 char *context = NULL;
754 unsigned len = 0;
755 int rc = 0;
756 int hold_sem = 0;
757
758 if (isec->initialized)
759 goto out;
760
761 down(&isec->sem);
762 hold_sem = 1;
763 if (isec->initialized)
764 goto out;
765
766 sbsec = inode->i_sb->s_security;
767 if (!sbsec->initialized) {
768 /* Defer initialization until selinux_complete_init,
769 after the initial policy is loaded and the security
770 server is ready to handle calls. */
771 spin_lock(&sbsec->isec_lock);
772 if (list_empty(&isec->list))
773 list_add(&isec->list, &sbsec->isec_head);
774 spin_unlock(&sbsec->isec_lock);
775 goto out;
776 }
777
778 switch (sbsec->behavior) {
779 case SECURITY_FS_USE_XATTR:
780 if (!inode->i_op->getxattr) {
781 isec->sid = sbsec->def_sid;
782 break;
783 }
784
785 /* Need a dentry, since the xattr API requires one.
786 Life would be simpler if we could just pass the inode. */
787 if (opt_dentry) {
788 /* Called from d_instantiate or d_splice_alias. */
789 dentry = dget(opt_dentry);
790 } else {
791 /* Called from selinux_complete_init, try to find a dentry. */
792 dentry = d_find_alias(inode);
793 }
794 if (!dentry) {
795 printk(KERN_WARNING "%s: no dentry for dev=%s "
796 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
797 inode->i_ino);
798 goto out;
799 }
800
801 len = INITCONTEXTLEN;
802 context = kmalloc(len, GFP_KERNEL);
803 if (!context) {
804 rc = -ENOMEM;
805 dput(dentry);
806 goto out;
807 }
808 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
809 context, len);
810 if (rc == -ERANGE) {
811 /* Need a larger buffer. Query for the right size. */
812 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
813 NULL, 0);
814 if (rc < 0) {
815 dput(dentry);
816 goto out;
817 }
818 kfree(context);
819 len = rc;
820 context = kmalloc(len, GFP_KERNEL);
821 if (!context) {
822 rc = -ENOMEM;
823 dput(dentry);
824 goto out;
825 }
826 rc = inode->i_op->getxattr(dentry,
827 XATTR_NAME_SELINUX,
828 context, len);
829 }
830 dput(dentry);
831 if (rc < 0) {
832 if (rc != -ENODATA) {
833 printk(KERN_WARNING "%s: getxattr returned "
834 "%d for dev=%s ino=%ld\n", __FUNCTION__,
835 -rc, inode->i_sb->s_id, inode->i_ino);
836 kfree(context);
837 goto out;
838 }
839 /* Map ENODATA to the default file SID */
840 sid = sbsec->def_sid;
841 rc = 0;
842 } else {
James Morrisf5c1d5b2005-07-28 01:07:37 -0700843 rc = security_context_to_sid_default(context, rc, &sid,
844 sbsec->def_sid);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700845 if (rc) {
846 printk(KERN_WARNING "%s: context_to_sid(%s) "
847 "returned %d for dev=%s ino=%ld\n",
848 __FUNCTION__, context, -rc,
849 inode->i_sb->s_id, inode->i_ino);
850 kfree(context);
851 /* Leave with the unlabeled SID */
852 rc = 0;
853 break;
854 }
855 }
856 kfree(context);
857 isec->sid = sid;
858 break;
859 case SECURITY_FS_USE_TASK:
860 isec->sid = isec->task_sid;
861 break;
862 case SECURITY_FS_USE_TRANS:
863 /* Default to the fs SID. */
864 isec->sid = sbsec->sid;
865
866 /* Try to obtain a transition SID. */
867 isec->sclass = inode_mode_to_security_class(inode->i_mode);
868 rc = security_transition_sid(isec->task_sid,
869 sbsec->sid,
870 isec->sclass,
871 &sid);
872 if (rc)
873 goto out;
874 isec->sid = sid;
875 break;
876 default:
877 /* Default to the fs SID. */
878 isec->sid = sbsec->sid;
879
880 if (sbsec->proc) {
881 struct proc_inode *proci = PROC_I(inode);
882 if (proci->pde) {
883 isec->sclass = inode_mode_to_security_class(inode->i_mode);
884 rc = selinux_proc_get_sid(proci->pde,
885 isec->sclass,
886 &sid);
887 if (rc)
888 goto out;
889 isec->sid = sid;
890 }
891 }
892 break;
893 }
894
895 isec->initialized = 1;
896
897out:
898 if (isec->sclass == SECCLASS_FILE)
899 isec->sclass = inode_mode_to_security_class(inode->i_mode);
900
901 if (hold_sem)
902 up(&isec->sem);
903 return rc;
904}
905
906/* Convert a Linux signal to an access vector. */
907static inline u32 signal_to_av(int sig)
908{
909 u32 perm = 0;
910
911 switch (sig) {
912 case SIGCHLD:
913 /* Commonly granted from child to parent. */
914 perm = PROCESS__SIGCHLD;
915 break;
916 case SIGKILL:
917 /* Cannot be caught or ignored */
918 perm = PROCESS__SIGKILL;
919 break;
920 case SIGSTOP:
921 /* Cannot be caught or ignored */
922 perm = PROCESS__SIGSTOP;
923 break;
924 default:
925 /* All other signals. */
926 perm = PROCESS__SIGNAL;
927 break;
928 }
929
930 return perm;
931}
932
933/* Check permission betweeen a pair of tasks, e.g. signal checks,
934 fork check, ptrace check, etc. */
935static int task_has_perm(struct task_struct *tsk1,
936 struct task_struct *tsk2,
937 u32 perms)
938{
939 struct task_security_struct *tsec1, *tsec2;
940
941 tsec1 = tsk1->security;
942 tsec2 = tsk2->security;
943 return avc_has_perm(tsec1->sid, tsec2->sid,
944 SECCLASS_PROCESS, perms, NULL);
945}
946
947/* Check whether a task is allowed to use a capability. */
948static int task_has_capability(struct task_struct *tsk,
949 int cap)
950{
951 struct task_security_struct *tsec;
952 struct avc_audit_data ad;
953
954 tsec = tsk->security;
955
956 AVC_AUDIT_DATA_INIT(&ad,CAP);
957 ad.tsk = tsk;
958 ad.u.cap = cap;
959
960 return avc_has_perm(tsec->sid, tsec->sid,
961 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
962}
963
964/* Check whether a task is allowed to use a system operation. */
965static int task_has_system(struct task_struct *tsk,
966 u32 perms)
967{
968 struct task_security_struct *tsec;
969
970 tsec = tsk->security;
971
972 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
973 SECCLASS_SYSTEM, perms, NULL);
974}
975
976/* Check whether a task has a particular permission to an inode.
977 The 'adp' parameter is optional and allows other audit
978 data to be passed (e.g. the dentry). */
979static int inode_has_perm(struct task_struct *tsk,
980 struct inode *inode,
981 u32 perms,
982 struct avc_audit_data *adp)
983{
984 struct task_security_struct *tsec;
985 struct inode_security_struct *isec;
986 struct avc_audit_data ad;
987
988 tsec = tsk->security;
989 isec = inode->i_security;
990
991 if (!adp) {
992 adp = &ad;
993 AVC_AUDIT_DATA_INIT(&ad, FS);
994 ad.u.fs.inode = inode;
995 }
996
997 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
998}
999
1000/* Same as inode_has_perm, but pass explicit audit data containing
1001 the dentry to help the auditing code to more easily generate the
1002 pathname if needed. */
1003static inline int dentry_has_perm(struct task_struct *tsk,
1004 struct vfsmount *mnt,
1005 struct dentry *dentry,
1006 u32 av)
1007{
1008 struct inode *inode = dentry->d_inode;
1009 struct avc_audit_data ad;
1010 AVC_AUDIT_DATA_INIT(&ad,FS);
1011 ad.u.fs.mnt = mnt;
1012 ad.u.fs.dentry = dentry;
1013 return inode_has_perm(tsk, inode, av, &ad);
1014}
1015
1016/* Check whether a task can use an open file descriptor to
1017 access an inode in a given way. Check access to the
1018 descriptor itself, and then use dentry_has_perm to
1019 check a particular permission to the file.
1020 Access to the descriptor is implicitly granted if it
1021 has the same SID as the process. If av is zero, then
1022 access to the file is not checked, e.g. for cases
1023 where only the descriptor is affected like seek. */
Arjan van de Ven858119e2006-01-14 13:20:43 -08001024static int file_has_perm(struct task_struct *tsk,
Linus Torvalds1da177e2005-04-16 15:20:36 -07001025 struct file *file,
1026 u32 av)
1027{
1028 struct task_security_struct *tsec = tsk->security;
1029 struct file_security_struct *fsec = file->f_security;
1030 struct vfsmount *mnt = file->f_vfsmnt;
1031 struct dentry *dentry = file->f_dentry;
1032 struct inode *inode = dentry->d_inode;
1033 struct avc_audit_data ad;
1034 int rc;
1035
1036 AVC_AUDIT_DATA_INIT(&ad, FS);
1037 ad.u.fs.mnt = mnt;
1038 ad.u.fs.dentry = dentry;
1039
1040 if (tsec->sid != fsec->sid) {
1041 rc = avc_has_perm(tsec->sid, fsec->sid,
1042 SECCLASS_FD,
1043 FD__USE,
1044 &ad);
1045 if (rc)
1046 return rc;
1047 }
1048
1049 /* av is zero if only checking access to the descriptor. */
1050 if (av)
1051 return inode_has_perm(tsk, inode, av, &ad);
1052
1053 return 0;
1054}
1055
1056/* Check whether a task can create a file. */
1057static int may_create(struct inode *dir,
1058 struct dentry *dentry,
1059 u16 tclass)
1060{
1061 struct task_security_struct *tsec;
1062 struct inode_security_struct *dsec;
1063 struct superblock_security_struct *sbsec;
1064 u32 newsid;
1065 struct avc_audit_data ad;
1066 int rc;
1067
1068 tsec = current->security;
1069 dsec = dir->i_security;
1070 sbsec = dir->i_sb->s_security;
1071
1072 AVC_AUDIT_DATA_INIT(&ad, FS);
1073 ad.u.fs.dentry = dentry;
1074
1075 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1076 DIR__ADD_NAME | DIR__SEARCH,
1077 &ad);
1078 if (rc)
1079 return rc;
1080
1081 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1082 newsid = tsec->create_sid;
1083 } else {
1084 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1085 &newsid);
1086 if (rc)
1087 return rc;
1088 }
1089
1090 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1091 if (rc)
1092 return rc;
1093
1094 return avc_has_perm(newsid, sbsec->sid,
1095 SECCLASS_FILESYSTEM,
1096 FILESYSTEM__ASSOCIATE, &ad);
1097}
1098
1099#define MAY_LINK 0
1100#define MAY_UNLINK 1
1101#define MAY_RMDIR 2
1102
1103/* Check whether a task can link, unlink, or rmdir a file/directory. */
1104static int may_link(struct inode *dir,
1105 struct dentry *dentry,
1106 int kind)
1107
1108{
1109 struct task_security_struct *tsec;
1110 struct inode_security_struct *dsec, *isec;
1111 struct avc_audit_data ad;
1112 u32 av;
1113 int rc;
1114
1115 tsec = current->security;
1116 dsec = dir->i_security;
1117 isec = dentry->d_inode->i_security;
1118
1119 AVC_AUDIT_DATA_INIT(&ad, FS);
1120 ad.u.fs.dentry = dentry;
1121
1122 av = DIR__SEARCH;
1123 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1124 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1125 if (rc)
1126 return rc;
1127
1128 switch (kind) {
1129 case MAY_LINK:
1130 av = FILE__LINK;
1131 break;
1132 case MAY_UNLINK:
1133 av = FILE__UNLINK;
1134 break;
1135 case MAY_RMDIR:
1136 av = DIR__RMDIR;
1137 break;
1138 default:
1139 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1140 return 0;
1141 }
1142
1143 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1144 return rc;
1145}
1146
1147static inline int may_rename(struct inode *old_dir,
1148 struct dentry *old_dentry,
1149 struct inode *new_dir,
1150 struct dentry *new_dentry)
1151{
1152 struct task_security_struct *tsec;
1153 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1154 struct avc_audit_data ad;
1155 u32 av;
1156 int old_is_dir, new_is_dir;
1157 int rc;
1158
1159 tsec = current->security;
1160 old_dsec = old_dir->i_security;
1161 old_isec = old_dentry->d_inode->i_security;
1162 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1163 new_dsec = new_dir->i_security;
1164
1165 AVC_AUDIT_DATA_INIT(&ad, FS);
1166
1167 ad.u.fs.dentry = old_dentry;
1168 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1169 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1170 if (rc)
1171 return rc;
1172 rc = avc_has_perm(tsec->sid, old_isec->sid,
1173 old_isec->sclass, FILE__RENAME, &ad);
1174 if (rc)
1175 return rc;
1176 if (old_is_dir && new_dir != old_dir) {
1177 rc = avc_has_perm(tsec->sid, old_isec->sid,
1178 old_isec->sclass, DIR__REPARENT, &ad);
1179 if (rc)
1180 return rc;
1181 }
1182
1183 ad.u.fs.dentry = new_dentry;
1184 av = DIR__ADD_NAME | DIR__SEARCH;
1185 if (new_dentry->d_inode)
1186 av |= DIR__REMOVE_NAME;
1187 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1188 if (rc)
1189 return rc;
1190 if (new_dentry->d_inode) {
1191 new_isec = new_dentry->d_inode->i_security;
1192 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1193 rc = avc_has_perm(tsec->sid, new_isec->sid,
1194 new_isec->sclass,
1195 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1196 if (rc)
1197 return rc;
1198 }
1199
1200 return 0;
1201}
1202
1203/* Check whether a task can perform a filesystem operation. */
1204static int superblock_has_perm(struct task_struct *tsk,
1205 struct super_block *sb,
1206 u32 perms,
1207 struct avc_audit_data *ad)
1208{
1209 struct task_security_struct *tsec;
1210 struct superblock_security_struct *sbsec;
1211
1212 tsec = tsk->security;
1213 sbsec = sb->s_security;
1214 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1215 perms, ad);
1216}
1217
1218/* Convert a Linux mode and permission mask to an access vector. */
1219static inline u32 file_mask_to_av(int mode, int mask)
1220{
1221 u32 av = 0;
1222
1223 if ((mode & S_IFMT) != S_IFDIR) {
1224 if (mask & MAY_EXEC)
1225 av |= FILE__EXECUTE;
1226 if (mask & MAY_READ)
1227 av |= FILE__READ;
1228
1229 if (mask & MAY_APPEND)
1230 av |= FILE__APPEND;
1231 else if (mask & MAY_WRITE)
1232 av |= FILE__WRITE;
1233
1234 } else {
1235 if (mask & MAY_EXEC)
1236 av |= DIR__SEARCH;
1237 if (mask & MAY_WRITE)
1238 av |= DIR__WRITE;
1239 if (mask & MAY_READ)
1240 av |= DIR__READ;
1241 }
1242
1243 return av;
1244}
1245
1246/* Convert a Linux file to an access vector. */
1247static inline u32 file_to_av(struct file *file)
1248{
1249 u32 av = 0;
1250
1251 if (file->f_mode & FMODE_READ)
1252 av |= FILE__READ;
1253 if (file->f_mode & FMODE_WRITE) {
1254 if (file->f_flags & O_APPEND)
1255 av |= FILE__APPEND;
1256 else
1257 av |= FILE__WRITE;
1258 }
1259
1260 return av;
1261}
1262
1263/* Set an inode's SID to a specified value. */
1264static int inode_security_set_sid(struct inode *inode, u32 sid)
1265{
1266 struct inode_security_struct *isec = inode->i_security;
1267 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1268
1269 if (!sbsec->initialized) {
1270 /* Defer initialization to selinux_complete_init. */
1271 return 0;
1272 }
1273
1274 down(&isec->sem);
1275 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1276 isec->sid = sid;
1277 isec->initialized = 1;
1278 up(&isec->sem);
1279 return 0;
1280}
1281
Linus Torvalds1da177e2005-04-16 15:20:36 -07001282/* Hook functions begin here. */
1283
1284static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1285{
1286 struct task_security_struct *psec = parent->security;
1287 struct task_security_struct *csec = child->security;
1288 int rc;
1289
1290 rc = secondary_ops->ptrace(parent,child);
1291 if (rc)
1292 return rc;
1293
1294 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1295 /* Save the SID of the tracing process for later use in apply_creds. */
Stephen Smalley341c2d82006-03-11 03:27:16 -08001296 if (!(child->ptrace & PT_PTRACED) && !rc)
Linus Torvalds1da177e2005-04-16 15:20:36 -07001297 csec->ptrace_sid = psec->sid;
1298 return rc;
1299}
1300
1301static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1302 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1303{
1304 int error;
1305
1306 error = task_has_perm(current, target, PROCESS__GETCAP);
1307 if (error)
1308 return error;
1309
1310 return secondary_ops->capget(target, effective, inheritable, permitted);
1311}
1312
1313static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1314 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1315{
1316 int error;
1317
1318 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1319 if (error)
1320 return error;
1321
1322 return task_has_perm(current, target, PROCESS__SETCAP);
1323}
1324
1325static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1326 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1327{
1328 secondary_ops->capset_set(target, effective, inheritable, permitted);
1329}
1330
1331static int selinux_capable(struct task_struct *tsk, int cap)
1332{
1333 int rc;
1334
1335 rc = secondary_ops->capable(tsk, cap);
1336 if (rc)
1337 return rc;
1338
1339 return task_has_capability(tsk,cap);
1340}
1341
1342static int selinux_sysctl(ctl_table *table, int op)
1343{
1344 int error = 0;
1345 u32 av;
1346 struct task_security_struct *tsec;
1347 u32 tsid;
1348 int rc;
1349
1350 rc = secondary_ops->sysctl(table, op);
1351 if (rc)
1352 return rc;
1353
1354 tsec = current->security;
1355
1356 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1357 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1358 if (rc) {
1359 /* Default to the well-defined sysctl SID. */
1360 tsid = SECINITSID_SYSCTL;
1361 }
1362
1363 /* The op values are "defined" in sysctl.c, thereby creating
1364 * a bad coupling between this module and sysctl.c */
1365 if(op == 001) {
1366 error = avc_has_perm(tsec->sid, tsid,
1367 SECCLASS_DIR, DIR__SEARCH, NULL);
1368 } else {
1369 av = 0;
1370 if (op & 004)
1371 av |= FILE__READ;
1372 if (op & 002)
1373 av |= FILE__WRITE;
1374 if (av)
1375 error = avc_has_perm(tsec->sid, tsid,
1376 SECCLASS_FILE, av, NULL);
1377 }
1378
1379 return error;
1380}
1381
1382static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1383{
1384 int rc = 0;
1385
1386 if (!sb)
1387 return 0;
1388
1389 switch (cmds) {
1390 case Q_SYNC:
1391 case Q_QUOTAON:
1392 case Q_QUOTAOFF:
1393 case Q_SETINFO:
1394 case Q_SETQUOTA:
1395 rc = superblock_has_perm(current,
1396 sb,
1397 FILESYSTEM__QUOTAMOD, NULL);
1398 break;
1399 case Q_GETFMT:
1400 case Q_GETINFO:
1401 case Q_GETQUOTA:
1402 rc = superblock_has_perm(current,
1403 sb,
1404 FILESYSTEM__QUOTAGET, NULL);
1405 break;
1406 default:
1407 rc = 0; /* let the kernel handle invalid cmds */
1408 break;
1409 }
1410 return rc;
1411}
1412
1413static int selinux_quota_on(struct dentry *dentry)
1414{
1415 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1416}
1417
1418static int selinux_syslog(int type)
1419{
1420 int rc;
1421
1422 rc = secondary_ops->syslog(type);
1423 if (rc)
1424 return rc;
1425
1426 switch (type) {
1427 case 3: /* Read last kernel messages */
1428 case 10: /* Return size of the log buffer */
1429 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1430 break;
1431 case 6: /* Disable logging to console */
1432 case 7: /* Enable logging to console */
1433 case 8: /* Set level of messages printed to console */
1434 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1435 break;
1436 case 0: /* Close log */
1437 case 1: /* Open log */
1438 case 2: /* Read from log */
1439 case 4: /* Read/clear last kernel messages */
1440 case 5: /* Clear ring buffer */
1441 default:
1442 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1443 break;
1444 }
1445 return rc;
1446}
1447
1448/*
1449 * Check that a process has enough memory to allocate a new virtual
1450 * mapping. 0 means there is enough memory for the allocation to
1451 * succeed and -ENOMEM implies there is not.
1452 *
1453 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1454 * if the capability is granted, but __vm_enough_memory requires 1 if
1455 * the capability is granted.
1456 *
1457 * Do not audit the selinux permission check, as this is applied to all
1458 * processes that allocate mappings.
1459 */
1460static int selinux_vm_enough_memory(long pages)
1461{
1462 int rc, cap_sys_admin = 0;
1463 struct task_security_struct *tsec = current->security;
1464
1465 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1466 if (rc == 0)
1467 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1468 SECCLASS_CAPABILITY,
1469 CAP_TO_MASK(CAP_SYS_ADMIN),
1470 NULL);
1471
1472 if (rc == 0)
1473 cap_sys_admin = 1;
1474
1475 return __vm_enough_memory(pages, cap_sys_admin);
1476}
1477
1478/* binprm security operations */
1479
1480static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1481{
1482 struct bprm_security_struct *bsec;
1483
James Morris89d155e2005-10-30 14:59:21 -08001484 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -07001485 if (!bsec)
1486 return -ENOMEM;
1487
Linus Torvalds1da177e2005-04-16 15:20:36 -07001488 bsec->bprm = bprm;
1489 bsec->sid = SECINITSID_UNLABELED;
1490 bsec->set = 0;
1491
1492 bprm->security = bsec;
1493 return 0;
1494}
1495
1496static int selinux_bprm_set_security(struct linux_binprm *bprm)
1497{
1498 struct task_security_struct *tsec;
1499 struct inode *inode = bprm->file->f_dentry->d_inode;
1500 struct inode_security_struct *isec;
1501 struct bprm_security_struct *bsec;
1502 u32 newsid;
1503 struct avc_audit_data ad;
1504 int rc;
1505
1506 rc = secondary_ops->bprm_set_security(bprm);
1507 if (rc)
1508 return rc;
1509
1510 bsec = bprm->security;
1511
1512 if (bsec->set)
1513 return 0;
1514
1515 tsec = current->security;
1516 isec = inode->i_security;
1517
1518 /* Default to the current task SID. */
1519 bsec->sid = tsec->sid;
1520
1521 /* Reset create SID on execve. */
1522 tsec->create_sid = 0;
1523
1524 if (tsec->exec_sid) {
1525 newsid = tsec->exec_sid;
1526 /* Reset exec SID on execve. */
1527 tsec->exec_sid = 0;
1528 } else {
1529 /* Check for a default transition on this program. */
1530 rc = security_transition_sid(tsec->sid, isec->sid,
1531 SECCLASS_PROCESS, &newsid);
1532 if (rc)
1533 return rc;
1534 }
1535
1536 AVC_AUDIT_DATA_INIT(&ad, FS);
1537 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1538 ad.u.fs.dentry = bprm->file->f_dentry;
1539
1540 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1541 newsid = tsec->sid;
1542
1543 if (tsec->sid == newsid) {
1544 rc = avc_has_perm(tsec->sid, isec->sid,
1545 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1546 if (rc)
1547 return rc;
1548 } else {
1549 /* Check permissions for the transition. */
1550 rc = avc_has_perm(tsec->sid, newsid,
1551 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1552 if (rc)
1553 return rc;
1554
1555 rc = avc_has_perm(newsid, isec->sid,
1556 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1557 if (rc)
1558 return rc;
1559
1560 /* Clear any possibly unsafe personality bits on exec: */
1561 current->personality &= ~PER_CLEAR_ON_SETID;
1562
1563 /* Set the security field to the new SID. */
1564 bsec->sid = newsid;
1565 }
1566
1567 bsec->set = 1;
1568 return 0;
1569}
1570
1571static int selinux_bprm_check_security (struct linux_binprm *bprm)
1572{
1573 return secondary_ops->bprm_check_security(bprm);
1574}
1575
1576
1577static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1578{
1579 struct task_security_struct *tsec = current->security;
1580 int atsecure = 0;
1581
1582 if (tsec->osid != tsec->sid) {
1583 /* Enable secure mode for SIDs transitions unless
1584 the noatsecure permission is granted between
1585 the two SIDs, i.e. ahp returns 0. */
1586 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1587 SECCLASS_PROCESS,
1588 PROCESS__NOATSECURE, NULL);
1589 }
1590
1591 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1592}
1593
1594static void selinux_bprm_free_security(struct linux_binprm *bprm)
1595{
Jesper Juhl9a5f04b2005-06-25 14:58:51 -07001596 kfree(bprm->security);
Linus Torvalds1da177e2005-04-16 15:20:36 -07001597 bprm->security = NULL;
Linus Torvalds1da177e2005-04-16 15:20:36 -07001598}
1599
1600extern struct vfsmount *selinuxfs_mount;
1601extern struct dentry *selinux_null;
1602
1603/* Derived from fs/exec.c:flush_old_files. */
1604static inline void flush_unauthorized_files(struct files_struct * files)
1605{
1606 struct avc_audit_data ad;
1607 struct file *file, *devnull = NULL;
1608 struct tty_struct *tty = current->signal->tty;
Dipankar Sarmabadf1662005-09-09 13:04:10 -07001609 struct fdtable *fdt;
Linus Torvalds1da177e2005-04-16 15:20:36 -07001610 long j = -1;
1611
1612 if (tty) {
1613 file_list_lock();
Eric Dumazet2f512012005-10-30 15:02:16 -08001614 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
Linus Torvalds1da177e2005-04-16 15:20:36 -07001615 if (file) {
1616 /* Revalidate access to controlling tty.
1617 Use inode_has_perm on the tty inode directly rather
1618 than using file_has_perm, as this particular open
1619 file may belong to another process and we are only
1620 interested in the inode-based check here. */
1621 struct inode *inode = file->f_dentry->d_inode;
1622 if (inode_has_perm(current, inode,
1623 FILE__READ | FILE__WRITE, NULL)) {
1624 /* Reset controlling tty. */
1625 current->signal->tty = NULL;
1626 current->signal->tty_old_pgrp = 0;
1627 }
1628 }
1629 file_list_unlock();
1630 }
1631
1632 /* Revalidate access to inherited open files. */
1633
1634 AVC_AUDIT_DATA_INIT(&ad,FS);
1635
1636 spin_lock(&files->file_lock);
1637 for (;;) {
1638 unsigned long set, i;
1639 int fd;
1640
1641 j++;
1642 i = j * __NFDBITS;
Dipankar Sarmabadf1662005-09-09 13:04:10 -07001643 fdt = files_fdtable(files);
1644 if (i >= fdt->max_fds || i >= fdt->max_fdset)
Linus Torvalds1da177e2005-04-16 15:20:36 -07001645 break;
Dipankar Sarmabadf1662005-09-09 13:04:10 -07001646 set = fdt->open_fds->fds_bits[j];
Linus Torvalds1da177e2005-04-16 15:20:36 -07001647 if (!set)
1648 continue;
1649 spin_unlock(&files->file_lock);
1650 for ( ; set ; i++,set >>= 1) {
1651 if (set & 1) {
1652 file = fget(i);
1653 if (!file)
1654 continue;
1655 if (file_has_perm(current,
1656 file,
1657 file_to_av(file))) {
1658 sys_close(i);
1659 fd = get_unused_fd();
1660 if (fd != i) {
1661 if (fd >= 0)
1662 put_unused_fd(fd);
1663 fput(file);
1664 continue;
1665 }
1666 if (devnull) {
Nick Piggin095975d2006-01-08 01:02:19 -08001667 get_file(devnull);
Linus Torvalds1da177e2005-04-16 15:20:36 -07001668 } else {
1669 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1670 if (!devnull) {
1671 put_unused_fd(fd);
1672 fput(file);
1673 continue;
1674 }
1675 }
1676 fd_install(fd, devnull);
1677 }
1678 fput(file);
1679 }
1680 }
1681 spin_lock(&files->file_lock);
1682
1683 }
1684 spin_unlock(&files->file_lock);
1685}
1686
1687static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1688{
1689 struct task_security_struct *tsec;
1690 struct bprm_security_struct *bsec;
1691 u32 sid;
1692 int rc;
1693
1694 secondary_ops->bprm_apply_creds(bprm, unsafe);
1695
1696 tsec = current->security;
1697
1698 bsec = bprm->security;
1699 sid = bsec->sid;
1700
1701 tsec->osid = tsec->sid;
1702 bsec->unsafe = 0;
1703 if (tsec->sid != sid) {
1704 /* Check for shared state. If not ok, leave SID
1705 unchanged and kill. */
1706 if (unsafe & LSM_UNSAFE_SHARE) {
1707 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1708 PROCESS__SHARE, NULL);
1709 if (rc) {
1710 bsec->unsafe = 1;
1711 return;
1712 }
1713 }
1714
1715 /* Check for ptracing, and update the task SID if ok.
1716 Otherwise, leave SID unchanged and kill. */
1717 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1718 rc = avc_has_perm(tsec->ptrace_sid, sid,
1719 SECCLASS_PROCESS, PROCESS__PTRACE,
1720 NULL);
1721 if (rc) {
1722 bsec->unsafe = 1;
1723 return;
1724 }
1725 }
1726 tsec->sid = sid;
1727 }
1728}
1729
1730/*
1731 * called after apply_creds without the task lock held
1732 */
1733static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1734{
1735 struct task_security_struct *tsec;
1736 struct rlimit *rlim, *initrlim;
1737 struct itimerval itimer;
1738 struct bprm_security_struct *bsec;
1739 int rc, i;
1740
1741 tsec = current->security;
1742 bsec = bprm->security;
1743
1744 if (bsec->unsafe) {
1745 force_sig_specific(SIGKILL, current);
1746 return;
1747 }
1748 if (tsec->osid == tsec->sid)
1749 return;
1750
1751 /* Close files for which the new task SID is not authorized. */
1752 flush_unauthorized_files(current->files);
1753
1754 /* Check whether the new SID can inherit signal state
1755 from the old SID. If not, clear itimers to avoid
1756 subsequent signal generation and flush and unblock
1757 signals. This must occur _after_ the task SID has
1758 been updated so that any kill done after the flush
1759 will be checked against the new SID. */
1760 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1761 PROCESS__SIGINH, NULL);
1762 if (rc) {
1763 memset(&itimer, 0, sizeof itimer);
1764 for (i = 0; i < 3; i++)
1765 do_setitimer(i, &itimer, NULL);
1766 flush_signals(current);
1767 spin_lock_irq(&current->sighand->siglock);
1768 flush_signal_handlers(current, 1);
1769 sigemptyset(&current->blocked);
1770 recalc_sigpending();
1771 spin_unlock_irq(&current->sighand->siglock);
1772 }
1773
1774 /* Check whether the new SID can inherit resource limits
1775 from the old SID. If not, reset all soft limits to
1776 the lower of the current task's hard limit and the init
1777 task's soft limit. Note that the setting of hard limits
1778 (even to lower them) can be controlled by the setrlimit
1779 check. The inclusion of the init task's soft limit into
1780 the computation is to avoid resetting soft limits higher
1781 than the default soft limit for cases where the default
1782 is lower than the hard limit, e.g. RLIMIT_CORE or
1783 RLIMIT_STACK.*/
1784 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1785 PROCESS__RLIMITINH, NULL);
1786 if (rc) {
1787 for (i = 0; i < RLIM_NLIMITS; i++) {
1788 rlim = current->signal->rlim + i;
1789 initrlim = init_task.signal->rlim+i;
1790 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1791 }
1792 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1793 /*
1794 * This will cause RLIMIT_CPU calculations
1795 * to be refigured.
1796 */
1797 current->it_prof_expires = jiffies_to_cputime(1);
1798 }
1799 }
1800
1801 /* Wake up the parent if it is waiting so that it can
1802 recheck wait permission to the new task SID. */
1803 wake_up_interruptible(&current->parent->signal->wait_chldexit);
1804}
1805
1806/* superblock security operations */
1807
1808static int selinux_sb_alloc_security(struct super_block *sb)
1809{
1810 return superblock_alloc_security(sb);
1811}
1812
1813static void selinux_sb_free_security(struct super_block *sb)
1814{
1815 superblock_free_security(sb);
1816}
1817
1818static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1819{
1820 if (plen > olen)
1821 return 0;
1822
1823 return !memcmp(prefix, option, plen);
1824}
1825
1826static inline int selinux_option(char *option, int len)
1827{
1828 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1829 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1830 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1831}
1832
1833static inline void take_option(char **to, char *from, int *first, int len)
1834{
1835 if (!*first) {
1836 **to = ',';
1837 *to += 1;
1838 }
1839 else
1840 *first = 0;
1841 memcpy(*to, from, len);
1842 *to += len;
1843}
1844
1845static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1846{
1847 int fnosec, fsec, rc = 0;
1848 char *in_save, *in_curr, *in_end;
1849 char *sec_curr, *nosec_save, *nosec;
1850
1851 in_curr = orig;
1852 sec_curr = copy;
1853
1854 /* Binary mount data: just copy */
1855 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1856 copy_page(sec_curr, in_curr);
1857 goto out;
1858 }
1859
1860 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1861 if (!nosec) {
1862 rc = -ENOMEM;
1863 goto out;
1864 }
1865
1866 nosec_save = nosec;
1867 fnosec = fsec = 1;
1868 in_save = in_end = orig;
1869
1870 do {
1871 if (*in_end == ',' || *in_end == '\0') {
1872 int len = in_end - in_curr;
1873
1874 if (selinux_option(in_curr, len))
1875 take_option(&sec_curr, in_curr, &fsec, len);
1876 else
1877 take_option(&nosec, in_curr, &fnosec, len);
1878
1879 in_curr = in_end + 1;
1880 }
1881 } while (*in_end++);
1882
Eric Paris6931dfc2005-06-30 02:58:51 -07001883 strcpy(in_save, nosec_save);
Gerald Schaeferda3caa22005-06-21 17:15:18 -07001884 free_page((unsigned long)nosec_save);
Linus Torvalds1da177e2005-04-16 15:20:36 -07001885out:
1886 return rc;
1887}
1888
1889static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1890{
1891 struct avc_audit_data ad;
1892 int rc;
1893
1894 rc = superblock_doinit(sb, data);
1895 if (rc)
1896 return rc;
1897
1898 AVC_AUDIT_DATA_INIT(&ad,FS);
1899 ad.u.fs.dentry = sb->s_root;
1900 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1901}
1902
1903static int selinux_sb_statfs(struct super_block *sb)
1904{
1905 struct avc_audit_data ad;
1906
1907 AVC_AUDIT_DATA_INIT(&ad,FS);
1908 ad.u.fs.dentry = sb->s_root;
1909 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1910}
1911
1912static int selinux_mount(char * dev_name,
1913 struct nameidata *nd,
1914 char * type,
1915 unsigned long flags,
1916 void * data)
1917{
1918 int rc;
1919
1920 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1921 if (rc)
1922 return rc;
1923
1924 if (flags & MS_REMOUNT)
1925 return superblock_has_perm(current, nd->mnt->mnt_sb,
1926 FILESYSTEM__REMOUNT, NULL);
1927 else
1928 return dentry_has_perm(current, nd->mnt, nd->dentry,
1929 FILE__MOUNTON);
1930}
1931
1932static int selinux_umount(struct vfsmount *mnt, int flags)
1933{
1934 int rc;
1935
1936 rc = secondary_ops->sb_umount(mnt, flags);
1937 if (rc)
1938 return rc;
1939
1940 return superblock_has_perm(current,mnt->mnt_sb,
1941 FILESYSTEM__UNMOUNT,NULL);
1942}
1943
1944/* inode security operations */
1945
1946static int selinux_inode_alloc_security(struct inode *inode)
1947{
1948 return inode_alloc_security(inode);
1949}
1950
1951static void selinux_inode_free_security(struct inode *inode)
1952{
1953 inode_free_security(inode);
1954}
1955
Stephen Smalley5e41ff92005-09-09 13:01:35 -07001956static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1957 char **name, void **value,
1958 size_t *len)
1959{
1960 struct task_security_struct *tsec;
1961 struct inode_security_struct *dsec;
1962 struct superblock_security_struct *sbsec;
Stephen Smalley570bc1c2005-09-09 13:01:43 -07001963 u32 newsid, clen;
Stephen Smalley5e41ff92005-09-09 13:01:35 -07001964 int rc;
Stephen Smalley570bc1c2005-09-09 13:01:43 -07001965 char *namep = NULL, *context;
Stephen Smalley5e41ff92005-09-09 13:01:35 -07001966
1967 tsec = current->security;
1968 dsec = dir->i_security;
1969 sbsec = dir->i_sb->s_security;
Stephen Smalley5e41ff92005-09-09 13:01:35 -07001970
1971 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1972 newsid = tsec->create_sid;
1973 } else {
1974 rc = security_transition_sid(tsec->sid, dsec->sid,
1975 inode_mode_to_security_class(inode->i_mode),
1976 &newsid);
1977 if (rc) {
1978 printk(KERN_WARNING "%s: "
1979 "security_transition_sid failed, rc=%d (dev=%s "
1980 "ino=%ld)\n",
1981 __FUNCTION__,
1982 -rc, inode->i_sb->s_id, inode->i_ino);
1983 return rc;
1984 }
1985 }
1986
1987 inode_security_set_sid(inode, newsid);
1988
Stephen Smalley8aad3872006-03-22 00:09:13 -08001989 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
Stephen Smalley25a74f32005-11-08 21:34:33 -08001990 return -EOPNOTSUPP;
1991
Stephen Smalley570bc1c2005-09-09 13:01:43 -07001992 if (name) {
1993 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1994 if (!namep)
1995 return -ENOMEM;
1996 *name = namep;
Stephen Smalley5e41ff92005-09-09 13:01:35 -07001997 }
Stephen Smalley570bc1c2005-09-09 13:01:43 -07001998
1999 if (value && len) {
2000 rc = security_sid_to_context(newsid, &context, &clen);
2001 if (rc) {
2002 kfree(namep);
2003 return rc;
2004 }
2005 *value = context;
2006 *len = clen;
2007 }
Stephen Smalley5e41ff92005-09-09 13:01:35 -07002008
Stephen Smalley5e41ff92005-09-09 13:01:35 -07002009 return 0;
2010}
2011
Linus Torvalds1da177e2005-04-16 15:20:36 -07002012static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2013{
2014 return may_create(dir, dentry, SECCLASS_FILE);
2015}
2016
Linus Torvalds1da177e2005-04-16 15:20:36 -07002017static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2018{
2019 int rc;
2020
2021 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2022 if (rc)
2023 return rc;
2024 return may_link(dir, old_dentry, MAY_LINK);
2025}
2026
Linus Torvalds1da177e2005-04-16 15:20:36 -07002027static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2028{
2029 int rc;
2030
2031 rc = secondary_ops->inode_unlink(dir, dentry);
2032 if (rc)
2033 return rc;
2034 return may_link(dir, dentry, MAY_UNLINK);
2035}
2036
2037static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2038{
2039 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2040}
2041
Linus Torvalds1da177e2005-04-16 15:20:36 -07002042static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2043{
2044 return may_create(dir, dentry, SECCLASS_DIR);
2045}
2046
Linus Torvalds1da177e2005-04-16 15:20:36 -07002047static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2048{
2049 return may_link(dir, dentry, MAY_RMDIR);
2050}
2051
2052static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2053{
2054 int rc;
2055
2056 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2057 if (rc)
2058 return rc;
2059
2060 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2061}
2062
Linus Torvalds1da177e2005-04-16 15:20:36 -07002063static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2064 struct inode *new_inode, struct dentry *new_dentry)
2065{
2066 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2067}
2068
Linus Torvalds1da177e2005-04-16 15:20:36 -07002069static int selinux_inode_readlink(struct dentry *dentry)
2070{
2071 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2072}
2073
2074static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2075{
2076 int rc;
2077
2078 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2079 if (rc)
2080 return rc;
2081 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2082}
2083
2084static int selinux_inode_permission(struct inode *inode, int mask,
2085 struct nameidata *nd)
2086{
2087 int rc;
2088
2089 rc = secondary_ops->inode_permission(inode, mask, nd);
2090 if (rc)
2091 return rc;
2092
2093 if (!mask) {
2094 /* No permission to check. Existence test. */
2095 return 0;
2096 }
2097
2098 return inode_has_perm(current, inode,
2099 file_mask_to_av(inode->i_mode, mask), NULL);
2100}
2101
2102static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2103{
2104 int rc;
2105
2106 rc = secondary_ops->inode_setattr(dentry, iattr);
2107 if (rc)
2108 return rc;
2109
2110 if (iattr->ia_valid & ATTR_FORCE)
2111 return 0;
2112
2113 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2114 ATTR_ATIME_SET | ATTR_MTIME_SET))
2115 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2116
2117 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2118}
2119
2120static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2121{
2122 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2123}
2124
2125static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2126{
2127 struct task_security_struct *tsec = current->security;
2128 struct inode *inode = dentry->d_inode;
2129 struct inode_security_struct *isec = inode->i_security;
2130 struct superblock_security_struct *sbsec;
2131 struct avc_audit_data ad;
2132 u32 newsid;
2133 int rc = 0;
2134
2135 if (strcmp(name, XATTR_NAME_SELINUX)) {
2136 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2137 sizeof XATTR_SECURITY_PREFIX - 1) &&
2138 !capable(CAP_SYS_ADMIN)) {
2139 /* A different attribute in the security namespace.
2140 Restrict to administrator. */
2141 return -EPERM;
2142 }
2143
2144 /* Not an attribute we recognize, so just check the
2145 ordinary setattr permission. */
2146 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2147 }
2148
2149 sbsec = inode->i_sb->s_security;
2150 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2151 return -EOPNOTSUPP;
2152
2153 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2154 return -EPERM;
2155
2156 AVC_AUDIT_DATA_INIT(&ad,FS);
2157 ad.u.fs.dentry = dentry;
2158
2159 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2160 FILE__RELABELFROM, &ad);
2161 if (rc)
2162 return rc;
2163
2164 rc = security_context_to_sid(value, size, &newsid);
2165 if (rc)
2166 return rc;
2167
2168 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2169 FILE__RELABELTO, &ad);
2170 if (rc)
2171 return rc;
2172
2173 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2174 isec->sclass);
2175 if (rc)
2176 return rc;
2177
2178 return avc_has_perm(newsid,
2179 sbsec->sid,
2180 SECCLASS_FILESYSTEM,
2181 FILESYSTEM__ASSOCIATE,
2182 &ad);
2183}
2184
2185static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2186 void *value, size_t size, int flags)
2187{
2188 struct inode *inode = dentry->d_inode;
2189 struct inode_security_struct *isec = inode->i_security;
2190 u32 newsid;
2191 int rc;
2192
2193 if (strcmp(name, XATTR_NAME_SELINUX)) {
2194 /* Not an attribute we recognize, so nothing to do. */
2195 return;
2196 }
2197
2198 rc = security_context_to_sid(value, size, &newsid);
2199 if (rc) {
2200 printk(KERN_WARNING "%s: unable to obtain SID for context "
2201 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2202 return;
2203 }
2204
2205 isec->sid = newsid;
2206 return;
2207}
2208
2209static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2210{
Linus Torvalds1da177e2005-04-16 15:20:36 -07002211 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2212}
2213
2214static int selinux_inode_listxattr (struct dentry *dentry)
2215{
2216 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2217}
2218
2219static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2220{
2221 if (strcmp(name, XATTR_NAME_SELINUX)) {
2222 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2223 sizeof XATTR_SECURITY_PREFIX - 1) &&
2224 !capable(CAP_SYS_ADMIN)) {
2225 /* A different attribute in the security namespace.
2226 Restrict to administrator. */
2227 return -EPERM;
2228 }
2229
2230 /* Not an attribute we recognize, so just check the
2231 ordinary setattr permission. Might want a separate
2232 permission for removexattr. */
2233 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2234 }
2235
2236 /* No one is allowed to remove a SELinux security label.
2237 You can change the label, but all data must be labeled. */
2238 return -EACCES;
2239}
2240
Dustin Kirkland8c8570f2005-11-03 17:15:16 +00002241static const char *selinux_inode_xattr_getsuffix(void)
2242{
2243 return XATTR_SELINUX_SUFFIX;
2244}
2245
James Morrisd381d8a2005-10-30 14:59:22 -08002246/*
2247 * Copy the in-core inode security context value to the user. If the
2248 * getxattr() prior to this succeeded, check to see if we need to
2249 * canonicalize the value to be finally returned to the user.
2250 *
2251 * Permission check is handled by selinux_inode_getxattr hook.
2252 */
Dustin Kirkland7306a0b2005-11-16 15:53:13 +00002253static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
Linus Torvalds1da177e2005-04-16 15:20:36 -07002254{
2255 struct inode_security_struct *isec = inode->i_security;
Linus Torvalds1da177e2005-04-16 15:20:36 -07002256
Dustin Kirkland8c8570f2005-11-03 17:15:16 +00002257 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2258 return -EOPNOTSUPP;
Linus Torvalds1da177e2005-04-16 15:20:36 -07002259
Dustin Kirkland8c8570f2005-11-03 17:15:16 +00002260 return selinux_getsecurity(isec->sid, buffer, size);
Linus Torvalds1da177e2005-04-16 15:20:36 -07002261}
2262
2263static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2264 const void *value, size_t size, int flags)
2265{
2266 struct inode_security_struct *isec = inode->i_security;
2267 u32 newsid;
2268 int rc;
2269
2270 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2271 return -EOPNOTSUPP;
2272
2273 if (!value || !size)
2274 return -EACCES;
2275
2276 rc = security_context_to_sid((void*)value, size, &newsid);
2277 if (rc)
2278 return rc;
2279
2280 isec->sid = newsid;
2281 return 0;
2282}
2283
2284static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2285{
2286 const int len = sizeof(XATTR_NAME_SELINUX);
2287 if (buffer && len <= buffer_size)
2288 memcpy(buffer, XATTR_NAME_SELINUX, len);
2289 return len;
2290}
2291
2292/* file security operations */
2293
2294static int selinux_file_permission(struct file *file, int mask)
2295{
2296 struct inode *inode = file->f_dentry->d_inode;
2297
2298 if (!mask) {
2299 /* No permission to check. Existence test. */
2300 return 0;
2301 }
2302
2303 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2304 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2305 mask |= MAY_APPEND;
2306
2307 return file_has_perm(current, file,
2308 file_mask_to_av(inode->i_mode, mask));
2309}
2310
2311static int selinux_file_alloc_security(struct file *file)
2312{
2313 return file_alloc_security(file);
2314}
2315
2316static void selinux_file_free_security(struct file *file)
2317{
2318 file_free_security(file);
2319}
2320
2321static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2322 unsigned long arg)
2323{
2324 int error = 0;
2325
2326 switch (cmd) {
2327 case FIONREAD:
2328 /* fall through */
2329 case FIBMAP:
2330 /* fall through */
2331 case FIGETBSZ:
2332 /* fall through */
2333 case EXT2_IOC_GETFLAGS:
2334 /* fall through */
2335 case EXT2_IOC_GETVERSION:
2336 error = file_has_perm(current, file, FILE__GETATTR);
2337 break;
2338
2339 case EXT2_IOC_SETFLAGS:
2340 /* fall through */
2341 case EXT2_IOC_SETVERSION:
2342 error = file_has_perm(current, file, FILE__SETATTR);
2343 break;
2344
2345 /* sys_ioctl() checks */
2346 case FIONBIO:
2347 /* fall through */
2348 case FIOASYNC:
2349 error = file_has_perm(current, file, 0);
2350 break;
2351
2352 case KDSKBENT:
2353 case KDSKBSENT:
2354 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2355 break;
2356
2357 /* default case assumes that the command will go
2358 * to the file's ioctl() function.
2359 */
2360 default:
2361 error = file_has_perm(current, file, FILE__IOCTL);
2362
2363 }
2364 return error;
2365}
2366
2367static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2368{
2369#ifndef CONFIG_PPC32
2370 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2371 /*
2372 * We are making executable an anonymous mapping or a
2373 * private file mapping that will also be writable.
2374 * This has an additional check.
2375 */
2376 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2377 if (rc)
2378 return rc;
2379 }
2380#endif
2381
2382 if (file) {
2383 /* read access is always possible with a mapping */
2384 u32 av = FILE__READ;
2385
2386 /* write access only matters if the mapping is shared */
2387 if (shared && (prot & PROT_WRITE))
2388 av |= FILE__WRITE;
2389
2390 if (prot & PROT_EXEC)
2391 av |= FILE__EXECUTE;
2392
2393 return file_has_perm(current, file, av);
2394 }
2395 return 0;
2396}
2397
2398static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2399 unsigned long prot, unsigned long flags)
2400{
2401 int rc;
2402
2403 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2404 if (rc)
2405 return rc;
2406
2407 if (selinux_checkreqprot)
2408 prot = reqprot;
2409
2410 return file_map_prot_check(file, prot,
2411 (flags & MAP_TYPE) == MAP_SHARED);
2412}
2413
2414static int selinux_file_mprotect(struct vm_area_struct *vma,
2415 unsigned long reqprot,
2416 unsigned long prot)
2417{
2418 int rc;
2419
2420 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2421 if (rc)
2422 return rc;
2423
2424 if (selinux_checkreqprot)
2425 prot = reqprot;
2426
2427#ifndef CONFIG_PPC32
Stephen Smalleydb4c9642006-02-01 03:05:54 -08002428 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2429 rc = 0;
2430 if (vma->vm_start >= vma->vm_mm->start_brk &&
2431 vma->vm_end <= vma->vm_mm->brk) {
2432 rc = task_has_perm(current, current,
2433 PROCESS__EXECHEAP);
2434 } else if (!vma->vm_file &&
2435 vma->vm_start <= vma->vm_mm->start_stack &&
2436 vma->vm_end >= vma->vm_mm->start_stack) {
2437 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2438 } else if (vma->vm_file && vma->anon_vma) {
2439 /*
2440 * We are making executable a file mapping that has
2441 * had some COW done. Since pages might have been
2442 * written, check ability to execute the possibly
2443 * modified content. This typically should only
2444 * occur for text relocations.
2445 */
2446 rc = file_has_perm(current, vma->vm_file,
2447 FILE__EXECMOD);
2448 }
Lorenzo Hernandez García-Hierro6b992192005-06-25 14:54:34 -07002449 if (rc)
2450 return rc;
2451 }
Linus Torvalds1da177e2005-04-16 15:20:36 -07002452#endif
2453
2454 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2455}
2456
2457static int selinux_file_lock(struct file *file, unsigned int cmd)
2458{
2459 return file_has_perm(current, file, FILE__LOCK);
2460}
2461
2462static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2463 unsigned long arg)
2464{
2465 int err = 0;
2466
2467 switch (cmd) {
2468 case F_SETFL:
2469 if (!file->f_dentry || !file->f_dentry->d_inode) {
2470 err = -EINVAL;
2471 break;
2472 }
2473
2474 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2475 err = file_has_perm(current, file,FILE__WRITE);
2476 break;
2477 }
2478 /* fall through */
2479 case F_SETOWN:
2480 case F_SETSIG:
2481 case F_GETFL:
2482 case F_GETOWN:
2483 case F_GETSIG:
2484 /* Just check FD__USE permission */
2485 err = file_has_perm(current, file, 0);
2486 break;
2487 case F_GETLK:
2488 case F_SETLK:
2489 case F_SETLKW:
2490#if BITS_PER_LONG == 32
2491 case F_GETLK64:
2492 case F_SETLK64:
2493 case F_SETLKW64:
2494#endif
2495 if (!file->f_dentry || !file->f_dentry->d_inode) {
2496 err = -EINVAL;
2497 break;
2498 }
2499 err = file_has_perm(current, file, FILE__LOCK);
2500 break;
2501 }
2502
2503 return err;
2504}
2505
2506static int selinux_file_set_fowner(struct file *file)
2507{
2508 struct task_security_struct *tsec;
2509 struct file_security_struct *fsec;
2510
2511 tsec = current->security;
2512 fsec = file->f_security;
2513 fsec->fown_sid = tsec->sid;
2514
2515 return 0;
2516}
2517
2518static int selinux_file_send_sigiotask(struct task_struct *tsk,
2519 struct fown_struct *fown, int signum)
2520{
2521 struct file *file;
2522 u32 perm;
2523 struct task_security_struct *tsec;
2524 struct file_security_struct *fsec;
2525
2526 /* struct fown_struct is never outside the context of a struct file */
2527 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2528
2529 tsec = tsk->security;
2530 fsec = file->f_security;
2531
2532 if (!signum)
2533 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2534 else
2535 perm = signal_to_av(signum);
2536
2537 return avc_has_perm(fsec->fown_sid, tsec->sid,
2538 SECCLASS_PROCESS, perm, NULL);
2539}
2540
2541static int selinux_file_receive(struct file *file)
2542{
2543 return file_has_perm(current, file, file_to_av(file));
2544}
2545
2546/* task security operations */
2547
2548static int selinux_task_create(unsigned long clone_flags)
2549{
2550 int rc;
2551
2552 rc = secondary_ops->task_create(clone_flags);
2553 if (rc)
2554 return rc;
2555
2556 return task_has_perm(current, current, PROCESS__FORK);
2557}
2558
2559static int selinux_task_alloc_security(struct task_struct *tsk)
2560{
2561 struct task_security_struct *tsec1, *tsec2;
2562 int rc;
2563
2564 tsec1 = current->security;
2565
2566 rc = task_alloc_security(tsk);
2567 if (rc)
2568 return rc;
2569 tsec2 = tsk->security;
2570
2571 tsec2->osid = tsec1->osid;
2572 tsec2->sid = tsec1->sid;
2573
2574 /* Retain the exec and create SIDs across fork */
2575 tsec2->exec_sid = tsec1->exec_sid;
2576 tsec2->create_sid = tsec1->create_sid;
2577
2578 /* Retain ptracer SID across fork, if any.
2579 This will be reset by the ptrace hook upon any
2580 subsequent ptrace_attach operations. */
2581 tsec2->ptrace_sid = tsec1->ptrace_sid;
2582
2583 return 0;
2584}
2585
2586static void selinux_task_free_security(struct task_struct *tsk)
2587{
2588 task_free_security(tsk);
2589}
2590
2591static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2592{
2593 /* Since setuid only affects the current process, and
2594 since the SELinux controls are not based on the Linux
2595 identity attributes, SELinux does not need to control
2596 this operation. However, SELinux does control the use
2597 of the CAP_SETUID and CAP_SETGID capabilities using the
2598 capable hook. */
2599 return 0;
2600}
2601
2602static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2603{
2604 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2605}
2606
2607static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2608{
2609 /* See the comment for setuid above. */
2610 return 0;
2611}
2612
2613static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2614{
2615 return task_has_perm(current, p, PROCESS__SETPGID);
2616}
2617
2618static int selinux_task_getpgid(struct task_struct *p)
2619{
2620 return task_has_perm(current, p, PROCESS__GETPGID);
2621}
2622
2623static int selinux_task_getsid(struct task_struct *p)
2624{
2625 return task_has_perm(current, p, PROCESS__GETSESSION);
2626}
2627
2628static int selinux_task_setgroups(struct group_info *group_info)
2629{
2630 /* See the comment for setuid above. */
2631 return 0;
2632}
2633
2634static int selinux_task_setnice(struct task_struct *p, int nice)
2635{
2636 int rc;
2637
2638 rc = secondary_ops->task_setnice(p, nice);
2639 if (rc)
2640 return rc;
2641
2642 return task_has_perm(current,p, PROCESS__SETSCHED);
2643}
2644
2645static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2646{
2647 struct rlimit *old_rlim = current->signal->rlim + resource;
2648 int rc;
2649
2650 rc = secondary_ops->task_setrlimit(resource, new_rlim);
2651 if (rc)
2652 return rc;
2653
2654 /* Control the ability to change the hard limit (whether
2655 lowering or raising it), so that the hard limit can
2656 later be used as a safe reset point for the soft limit
2657 upon context transitions. See selinux_bprm_apply_creds. */
2658 if (old_rlim->rlim_max != new_rlim->rlim_max)
2659 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2660
2661 return 0;
2662}
2663
2664static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2665{
2666 return task_has_perm(current, p, PROCESS__SETSCHED);
2667}
2668
2669static int selinux_task_getscheduler(struct task_struct *p)
2670{
2671 return task_has_perm(current, p, PROCESS__GETSCHED);
2672}
2673
2674static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2675{
2676 u32 perm;
2677 int rc;
2678
2679 rc = secondary_ops->task_kill(p, info, sig);
2680 if (rc)
2681 return rc;
2682
Oleg Nesterov621d3122005-10-30 15:03:45 -08002683 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
Linus Torvalds1da177e2005-04-16 15:20:36 -07002684 return 0;
2685
2686 if (!sig)
2687 perm = PROCESS__SIGNULL; /* null signal; existence test */
2688 else
2689 perm = signal_to_av(sig);
2690
2691 return task_has_perm(current, p, perm);
2692}
2693
2694static int selinux_task_prctl(int option,
2695 unsigned long arg2,
2696 unsigned long arg3,
2697 unsigned long arg4,
2698 unsigned long arg5)
2699{
2700 /* The current prctl operations do not appear to require
2701 any SELinux controls since they merely observe or modify
2702 the state of the current process. */
2703 return 0;
2704}
2705
2706static int selinux_task_wait(struct task_struct *p)
2707{
2708 u32 perm;
2709
2710 perm = signal_to_av(p->exit_signal);
2711
2712 return task_has_perm(p, current, perm);
2713}
2714
2715static void selinux_task_reparent_to_init(struct task_struct *p)
2716{
2717 struct task_security_struct *tsec;
2718
2719 secondary_ops->task_reparent_to_init(p);
2720
2721 tsec = p->security;
2722 tsec->osid = tsec->sid;
2723 tsec->sid = SECINITSID_KERNEL;
2724 return;
2725}
2726
2727static void selinux_task_to_inode(struct task_struct *p,
2728 struct inode *inode)
2729{
2730 struct task_security_struct *tsec = p->security;
2731 struct inode_security_struct *isec = inode->i_security;
2732
2733 isec->sid = tsec->sid;
2734 isec->initialized = 1;
2735 return;
2736}
2737
Linus Torvalds1da177e2005-04-16 15:20:36 -07002738/* Returns error only if unable to parse addresses */
2739static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2740{
2741 int offset, ihlen, ret = -EINVAL;
2742 struct iphdr _iph, *ih;
2743
2744 offset = skb->nh.raw - skb->data;
2745 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2746 if (ih == NULL)
2747 goto out;
2748
2749 ihlen = ih->ihl * 4;
2750 if (ihlen < sizeof(_iph))
2751 goto out;
2752
2753 ad->u.net.v4info.saddr = ih->saddr;
2754 ad->u.net.v4info.daddr = ih->daddr;
2755 ret = 0;
2756
2757 switch (ih->protocol) {
2758 case IPPROTO_TCP: {
2759 struct tcphdr _tcph, *th;
2760
2761 if (ntohs(ih->frag_off) & IP_OFFSET)
2762 break;
2763
2764 offset += ihlen;
2765 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2766 if (th == NULL)
2767 break;
2768
2769 ad->u.net.sport = th->source;
2770 ad->u.net.dport = th->dest;
2771 break;
2772 }
2773
2774 case IPPROTO_UDP: {
2775 struct udphdr _udph, *uh;
2776
2777 if (ntohs(ih->frag_off) & IP_OFFSET)
2778 break;
2779
2780 offset += ihlen;
2781 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2782 if (uh == NULL)
2783 break;
2784
2785 ad->u.net.sport = uh->source;
2786 ad->u.net.dport = uh->dest;
2787 break;
2788 }
2789
2790 default:
2791 break;
2792 }
2793out:
2794 return ret;
2795}
2796
2797#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2798
2799/* Returns error only if unable to parse addresses */
2800static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2801{
2802 u8 nexthdr;
2803 int ret = -EINVAL, offset;
2804 struct ipv6hdr _ipv6h, *ip6;
2805
2806 offset = skb->nh.raw - skb->data;
2807 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2808 if (ip6 == NULL)
2809 goto out;
2810
2811 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2812 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2813 ret = 0;
2814
2815 nexthdr = ip6->nexthdr;
2816 offset += sizeof(_ipv6h);
Herbert Xu0d3d0772005-04-24 20:16:19 -07002817 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
Linus Torvalds1da177e2005-04-16 15:20:36 -07002818 if (offset < 0)
2819 goto out;
2820
2821 switch (nexthdr) {
2822 case IPPROTO_TCP: {
2823 struct tcphdr _tcph, *th;
2824
2825 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2826 if (th == NULL)
2827 break;
2828
2829 ad->u.net.sport = th->source;
2830 ad->u.net.dport = th->dest;
2831 break;
2832 }
2833
2834 case IPPROTO_UDP: {
2835 struct udphdr _udph, *uh;
2836
2837 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2838 if (uh == NULL)
2839 break;
2840
2841 ad->u.net.sport = uh->source;
2842 ad->u.net.dport = uh->dest;
2843 break;
2844 }
2845
2846 /* includes fragments */
2847 default:
2848 break;
2849 }
2850out:
2851 return ret;
2852}
2853
2854#endif /* IPV6 */
2855
2856static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2857 char **addrp, int *len, int src)
2858{
2859 int ret = 0;
2860
2861 switch (ad->u.net.family) {
2862 case PF_INET:
2863 ret = selinux_parse_skb_ipv4(skb, ad);
2864 if (ret || !addrp)
2865 break;
2866 *len = 4;
2867 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2868 &ad->u.net.v4info.daddr);
2869 break;
2870
2871#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2872 case PF_INET6:
2873 ret = selinux_parse_skb_ipv6(skb, ad);
2874 if (ret || !addrp)
2875 break;
2876 *len = 16;
2877 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2878 &ad->u.net.v6info.daddr);
2879 break;
2880#endif /* IPV6 */
2881 default:
2882 break;
2883 }
2884
2885 return ret;
2886}
2887
2888/* socket security operations */
2889static int socket_has_perm(struct task_struct *task, struct socket *sock,
2890 u32 perms)
2891{
2892 struct inode_security_struct *isec;
2893 struct task_security_struct *tsec;
2894 struct avc_audit_data ad;
2895 int err = 0;
2896
2897 tsec = task->security;
2898 isec = SOCK_INODE(sock)->i_security;
2899
2900 if (isec->sid == SECINITSID_KERNEL)
2901 goto out;
2902
2903 AVC_AUDIT_DATA_INIT(&ad,NET);
2904 ad.u.net.sk = sock->sk;
2905 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2906
2907out:
2908 return err;
2909}
2910
2911static int selinux_socket_create(int family, int type,
2912 int protocol, int kern)
2913{
2914 int err = 0;
2915 struct task_security_struct *tsec;
2916
2917 if (kern)
2918 goto out;
2919
2920 tsec = current->security;
2921 err = avc_has_perm(tsec->sid, tsec->sid,
2922 socket_type_to_security_class(family, type,
2923 protocol), SOCKET__CREATE, NULL);
2924
2925out:
2926 return err;
2927}
2928
2929static void selinux_socket_post_create(struct socket *sock, int family,
2930 int type, int protocol, int kern)
2931{
2932 struct inode_security_struct *isec;
2933 struct task_security_struct *tsec;
2934
2935 isec = SOCK_INODE(sock)->i_security;
2936
2937 tsec = current->security;
2938 isec->sclass = socket_type_to_security_class(family, type, protocol);
2939 isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2940 isec->initialized = 1;
2941
2942 return;
2943}
2944
2945/* Range of port numbers used to automatically bind.
2946 Need to determine whether we should perform a name_bind
2947 permission check between the socket and the port number. */
2948#define ip_local_port_range_0 sysctl_local_port_range[0]
2949#define ip_local_port_range_1 sysctl_local_port_range[1]
2950
2951static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2952{
2953 u16 family;
2954 int err;
2955
2956 err = socket_has_perm(current, sock, SOCKET__BIND);
2957 if (err)
2958 goto out;
2959
2960 /*
2961 * If PF_INET or PF_INET6, check name_bind permission for the port.
James Morris13402582005-09-30 14:24:34 -04002962 * Multiple address binding for SCTP is not supported yet: we just
2963 * check the first address now.
Linus Torvalds1da177e2005-04-16 15:20:36 -07002964 */
2965 family = sock->sk->sk_family;
2966 if (family == PF_INET || family == PF_INET6) {
2967 char *addrp;
2968 struct inode_security_struct *isec;
2969 struct task_security_struct *tsec;
2970 struct avc_audit_data ad;
2971 struct sockaddr_in *addr4 = NULL;
2972 struct sockaddr_in6 *addr6 = NULL;
2973 unsigned short snum;
2974 struct sock *sk = sock->sk;
2975 u32 sid, node_perm, addrlen;
2976
2977 tsec = current->security;
2978 isec = SOCK_INODE(sock)->i_security;
2979
2980 if (family == PF_INET) {
2981 addr4 = (struct sockaddr_in *)address;
2982 snum = ntohs(addr4->sin_port);
2983 addrlen = sizeof(addr4->sin_addr.s_addr);
2984 addrp = (char *)&addr4->sin_addr.s_addr;
2985 } else {
2986 addr6 = (struct sockaddr_in6 *)address;
2987 snum = ntohs(addr6->sin6_port);
2988 addrlen = sizeof(addr6->sin6_addr.s6_addr);
2989 addrp = (char *)&addr6->sin6_addr.s6_addr;
2990 }
2991
2992 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
2993 snum > ip_local_port_range_1)) {
2994 err = security_port_sid(sk->sk_family, sk->sk_type,
2995 sk->sk_protocol, snum, &sid);
2996 if (err)
2997 goto out;
2998 AVC_AUDIT_DATA_INIT(&ad,NET);
2999 ad.u.net.sport = htons(snum);
3000 ad.u.net.family = family;
3001 err = avc_has_perm(isec->sid, sid,
3002 isec->sclass,
3003 SOCKET__NAME_BIND, &ad);
3004 if (err)
3005 goto out;
3006 }
3007
James Morris13402582005-09-30 14:24:34 -04003008 switch(isec->sclass) {
3009 case SECCLASS_TCP_SOCKET:
Linus Torvalds1da177e2005-04-16 15:20:36 -07003010 node_perm = TCP_SOCKET__NODE_BIND;
3011 break;
3012
James Morris13402582005-09-30 14:24:34 -04003013 case SECCLASS_UDP_SOCKET:
Linus Torvalds1da177e2005-04-16 15:20:36 -07003014 node_perm = UDP_SOCKET__NODE_BIND;
3015 break;
3016
3017 default:
3018 node_perm = RAWIP_SOCKET__NODE_BIND;
3019 break;
3020 }
3021
3022 err = security_node_sid(family, addrp, addrlen, &sid);
3023 if (err)
3024 goto out;
3025
3026 AVC_AUDIT_DATA_INIT(&ad,NET);
3027 ad.u.net.sport = htons(snum);
3028 ad.u.net.family = family;
3029
3030 if (family == PF_INET)
3031 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3032 else
3033 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3034
3035 err = avc_has_perm(isec->sid, sid,
3036 isec->sclass, node_perm, &ad);
3037 if (err)
3038 goto out;
3039 }
3040out:
3041 return err;
3042}
3043
3044static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3045{
3046 struct inode_security_struct *isec;
3047 int err;
3048
3049 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3050 if (err)
3051 return err;
3052
3053 /*
3054 * If a TCP socket, check name_connect permission for the port.
3055 */
3056 isec = SOCK_INODE(sock)->i_security;
3057 if (isec->sclass == SECCLASS_TCP_SOCKET) {
3058 struct sock *sk = sock->sk;
3059 struct avc_audit_data ad;
3060 struct sockaddr_in *addr4 = NULL;
3061 struct sockaddr_in6 *addr6 = NULL;
3062 unsigned short snum;
3063 u32 sid;
3064
3065 if (sk->sk_family == PF_INET) {
3066 addr4 = (struct sockaddr_in *)address;
Stephen Smalley911656f2005-07-28 21:16:21 -07003067 if (addrlen < sizeof(struct sockaddr_in))
Linus Torvalds1da177e2005-04-16 15:20:36 -07003068 return -EINVAL;
3069 snum = ntohs(addr4->sin_port);
3070 } else {
3071 addr6 = (struct sockaddr_in6 *)address;
Stephen Smalley911656f2005-07-28 21:16:21 -07003072 if (addrlen < SIN6_LEN_RFC2133)
Linus Torvalds1da177e2005-04-16 15:20:36 -07003073 return -EINVAL;
3074 snum = ntohs(addr6->sin6_port);
3075 }
3076
3077 err = security_port_sid(sk->sk_family, sk->sk_type,
3078 sk->sk_protocol, snum, &sid);
3079 if (err)
3080 goto out;
3081
3082 AVC_AUDIT_DATA_INIT(&ad,NET);
3083 ad.u.net.dport = htons(snum);
3084 ad.u.net.family = sk->sk_family;
3085 err = avc_has_perm(isec->sid, sid, isec->sclass,
3086 TCP_SOCKET__NAME_CONNECT, &ad);
3087 if (err)
3088 goto out;
3089 }
3090
3091out:
3092 return err;
3093}
3094
3095static int selinux_socket_listen(struct socket *sock, int backlog)
3096{
3097 return socket_has_perm(current, sock, SOCKET__LISTEN);
3098}
3099
3100static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3101{
3102 int err;
3103 struct inode_security_struct *isec;
3104 struct inode_security_struct *newisec;
3105
3106 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3107 if (err)
3108 return err;
3109
3110 newisec = SOCK_INODE(newsock)->i_security;
3111
3112 isec = SOCK_INODE(sock)->i_security;
3113 newisec->sclass = isec->sclass;
3114 newisec->sid = isec->sid;
3115 newisec->initialized = 1;
3116
3117 return 0;
3118}
3119
3120static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3121 int size)
3122{
3123 return socket_has_perm(current, sock, SOCKET__WRITE);
3124}
3125
3126static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3127 int size, int flags)
3128{
3129 return socket_has_perm(current, sock, SOCKET__READ);
3130}
3131
3132static int selinux_socket_getsockname(struct socket *sock)
3133{
3134 return socket_has_perm(current, sock, SOCKET__GETATTR);
3135}
3136
3137static int selinux_socket_getpeername(struct socket *sock)
3138{
3139 return socket_has_perm(current, sock, SOCKET__GETATTR);
3140}
3141
3142static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3143{
3144 return socket_has_perm(current, sock, SOCKET__SETOPT);
3145}
3146
3147static int selinux_socket_getsockopt(struct socket *sock, int level,
3148 int optname)
3149{
3150 return socket_has_perm(current, sock, SOCKET__GETOPT);
3151}
3152
3153static int selinux_socket_shutdown(struct socket *sock, int how)
3154{
3155 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3156}
3157
3158static int selinux_socket_unix_stream_connect(struct socket *sock,
3159 struct socket *other,
3160 struct sock *newsk)
3161{
3162 struct sk_security_struct *ssec;
3163 struct inode_security_struct *isec;
3164 struct inode_security_struct *other_isec;
3165 struct avc_audit_data ad;
3166 int err;
3167
3168 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3169 if (err)
3170 return err;
3171
3172 isec = SOCK_INODE(sock)->i_security;
3173 other_isec = SOCK_INODE(other)->i_security;
3174
3175 AVC_AUDIT_DATA_INIT(&ad,NET);
3176 ad.u.net.sk = other->sk;
3177
3178 err = avc_has_perm(isec->sid, other_isec->sid,
3179 isec->sclass,
3180 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3181 if (err)
3182 return err;
3183
3184 /* connecting socket */
3185 ssec = sock->sk->sk_security;
3186 ssec->peer_sid = other_isec->sid;
3187
3188 /* server child socket */
3189 ssec = newsk->sk_security;
3190 ssec->peer_sid = isec->sid;
3191
3192 return 0;
3193}
3194
3195static int selinux_socket_unix_may_send(struct socket *sock,
3196 struct socket *other)
3197{
3198 struct inode_security_struct *isec;
3199 struct inode_security_struct *other_isec;
3200 struct avc_audit_data ad;
3201 int err;
3202
3203 isec = SOCK_INODE(sock)->i_security;
3204 other_isec = SOCK_INODE(other)->i_security;
3205
3206 AVC_AUDIT_DATA_INIT(&ad,NET);
3207 ad.u.net.sk = other->sk;
3208
3209 err = avc_has_perm(isec->sid, other_isec->sid,
3210 isec->sclass, SOCKET__SENDTO, &ad);
3211 if (err)
3212 return err;
3213
3214 return 0;
3215}
3216
3217static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3218{
3219 u16 family;
3220 char *addrp;
3221 int len, err = 0;
3222 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3223 u32 sock_sid = 0;
3224 u16 sock_class = 0;
3225 struct socket *sock;
3226 struct net_device *dev;
3227 struct avc_audit_data ad;
3228
3229 family = sk->sk_family;
3230 if (family != PF_INET && family != PF_INET6)
3231 goto out;
3232
3233 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
Alexey Dobriyand4e9dc62006-05-20 15:00:02 -07003234 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
Linus Torvalds1da177e2005-04-16 15:20:36 -07003235 family = PF_INET;
3236
3237 read_lock_bh(&sk->sk_callback_lock);
3238 sock = sk->sk_socket;
3239 if (sock) {
3240 struct inode *inode;
3241 inode = SOCK_INODE(sock);
3242 if (inode) {
3243 struct inode_security_struct *isec;
3244 isec = inode->i_security;
3245 sock_sid = isec->sid;
3246 sock_class = isec->sclass;
3247 }
3248 }
3249 read_unlock_bh(&sk->sk_callback_lock);
3250 if (!sock_sid)
3251 goto out;
3252
3253 dev = skb->dev;
3254 if (!dev)
3255 goto out;
3256
3257 err = sel_netif_sids(dev, &if_sid, NULL);
3258 if (err)
3259 goto out;
3260
3261 switch (sock_class) {
3262 case SECCLASS_UDP_SOCKET:
3263 netif_perm = NETIF__UDP_RECV;
3264 node_perm = NODE__UDP_RECV;
3265 recv_perm = UDP_SOCKET__RECV_MSG;
3266 break;
3267
3268 case SECCLASS_TCP_SOCKET:
3269 netif_perm = NETIF__TCP_RECV;
3270 node_perm = NODE__TCP_RECV;
3271 recv_perm = TCP_SOCKET__RECV_MSG;
3272 break;
3273
3274 default:
3275 netif_perm = NETIF__RAWIP_RECV;
3276 node_perm = NODE__RAWIP_RECV;
3277 break;
3278 }
3279
3280 AVC_AUDIT_DATA_INIT(&ad, NET);
3281 ad.u.net.netif = dev->name;
3282 ad.u.net.family = family;
3283
3284 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3285 if (err)
3286 goto out;
3287
3288 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3289 if (err)
3290 goto out;
3291
3292 /* Fixme: this lookup is inefficient */
3293 err = security_node_sid(family, addrp, len, &node_sid);
3294 if (err)
3295 goto out;
3296
3297 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3298 if (err)
3299 goto out;
3300
3301 if (recv_perm) {
3302 u32 port_sid;
3303
3304 /* Fixme: make this more efficient */
3305 err = security_port_sid(sk->sk_family, sk->sk_type,
3306 sk->sk_protocol, ntohs(ad.u.net.sport),
3307 &port_sid);
3308 if (err)
3309 goto out;
3310
3311 err = avc_has_perm(sock_sid, port_sid,
3312 sock_class, recv_perm, &ad);
3313 }
Trent Jaegerd28d1e02005-12-13 23:12:40 -08003314
3315 if (!err)
3316 err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3317
Linus Torvalds1da177e2005-04-16 15:20:36 -07003318out:
3319 return err;
3320}
3321
Catherine Zhang2c7946a2006-03-20 22:41:23 -08003322static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3323 int __user *optlen, unsigned len)
Linus Torvalds1da177e2005-04-16 15:20:36 -07003324{
3325 int err = 0;
3326 char *scontext;
3327 u32 scontext_len;
3328 struct sk_security_struct *ssec;
3329 struct inode_security_struct *isec;
Catherine Zhang2c7946a2006-03-20 22:41:23 -08003330 u32 peer_sid = 0;
Linus Torvalds1da177e2005-04-16 15:20:36 -07003331
3332 isec = SOCK_INODE(sock)->i_security;
Catherine Zhang2c7946a2006-03-20 22:41:23 -08003333
3334 /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3335 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3336 ssec = sock->sk->sk_security;
3337 peer_sid = ssec->peer_sid;
3338 }
3339 else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3340 peer_sid = selinux_socket_getpeer_stream(sock->sk);
3341
3342 if (peer_sid == SECSID_NULL) {
3343 err = -ENOPROTOOPT;
3344 goto out;
3345 }
3346 }
3347 else {
Linus Torvalds1da177e2005-04-16 15:20:36 -07003348 err = -ENOPROTOOPT;
3349 goto out;
3350 }
3351
Catherine Zhang2c7946a2006-03-20 22:41:23 -08003352 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3353
Linus Torvalds1da177e2005-04-16 15:20:36 -07003354 if (err)
3355 goto out;
3356
3357 if (scontext_len > len) {
3358 err = -ERANGE;
3359 goto out_len;
3360 }
3361
3362 if (copy_to_user(optval, scontext, scontext_len))
3363 err = -EFAULT;
3364
3365out_len:
3366 if (put_user(scontext_len, optlen))
3367 err = -EFAULT;
3368
3369 kfree(scontext);
3370out:
3371 return err;
3372}
3373
Catherine Zhang2c7946a2006-03-20 22:41:23 -08003374static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen)
3375{
3376 int err = 0;
3377 u32 peer_sid = selinux_socket_getpeer_dgram(skb);
3378
3379 if (peer_sid == SECSID_NULL)
3380 return -EINVAL;
3381
3382 err = security_sid_to_context(peer_sid, secdata, seclen);
3383 if (err)
3384 return err;
3385
3386 return 0;
3387}
3388
3389
3390
Al Viro7d877f32005-10-21 03:20:43 -04003391static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
Linus Torvalds1da177e2005-04-16 15:20:36 -07003392{
3393 return sk_alloc_security(sk, family, priority);
3394}
3395
3396static void selinux_sk_free_security(struct sock *sk)
3397{
3398 sk_free_security(sk);
3399}
3400
Trent Jaegerd28d1e02005-12-13 23:12:40 -08003401static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3402{
3403 struct inode_security_struct *isec;
3404 u32 sock_sid = SECINITSID_ANY_SOCKET;
3405
3406 if (!sk)
3407 return selinux_no_sk_sid(fl);
3408
3409 read_lock_bh(&sk->sk_callback_lock);
3410 isec = get_sock_isec(sk);
3411
3412 if (isec)
3413 sock_sid = isec->sid;
3414
3415 read_unlock_bh(&sk->sk_callback_lock);
3416 return sock_sid;
3417}
3418
Linus Torvalds1da177e2005-04-16 15:20:36 -07003419static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3420{
3421 int err = 0;
3422 u32 perm;
3423 struct nlmsghdr *nlh;
3424 struct socket *sock = sk->sk_socket;
3425 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3426
3427 if (skb->len < NLMSG_SPACE(0)) {
3428 err = -EINVAL;
3429 goto out;
3430 }
3431 nlh = (struct nlmsghdr *)skb->data;
3432
3433 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3434 if (err) {
3435 if (err == -EINVAL) {
David Woodhouse9ad9ad32005-06-22 15:04:33 +01003436 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
Linus Torvalds1da177e2005-04-16 15:20:36 -07003437 "SELinux: unrecognized netlink message"
3438 " type=%hu for sclass=%hu\n",
3439 nlh->nlmsg_type, isec->sclass);
3440 if (!selinux_enforcing)
3441 err = 0;
3442 }
3443
3444 /* Ignore */
3445 if (err == -ENOENT)
3446 err = 0;
3447 goto out;
3448 }
3449
3450 err = socket_has_perm(current, sock, perm);
3451out:
3452 return err;
3453}
3454
3455#ifdef CONFIG_NETFILTER
3456
3457static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3458 struct sk_buff **pskb,
3459 const struct net_device *in,
3460 const struct net_device *out,
3461 int (*okfn)(struct sk_buff *),
3462 u16 family)
3463{
3464 char *addrp;
3465 int len, err = NF_ACCEPT;
3466 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3467 struct sock *sk;
3468 struct socket *sock;
3469 struct inode *inode;
3470 struct sk_buff *skb = *pskb;
3471 struct inode_security_struct *isec;
3472 struct avc_audit_data ad;
3473 struct net_device *dev = (struct net_device *)out;
3474
3475 sk = skb->sk;
3476 if (!sk)
3477 goto out;
3478
3479 sock = sk->sk_socket;
3480 if (!sock)
3481 goto out;
3482
3483 inode = SOCK_INODE(sock);
3484 if (!inode)
3485 goto out;
3486
3487 err = sel_netif_sids(dev, &if_sid, NULL);
3488 if (err)
3489 goto out;
3490
3491 isec = inode->i_security;
3492
3493 switch (isec->sclass) {
3494 case SECCLASS_UDP_SOCKET:
3495 netif_perm = NETIF__UDP_SEND;
3496 node_perm = NODE__UDP_SEND;
3497 send_perm = UDP_SOCKET__SEND_MSG;
3498 break;
3499
3500 case SECCLASS_TCP_SOCKET:
3501 netif_perm = NETIF__TCP_SEND;
3502 node_perm = NODE__TCP_SEND;
3503 send_perm = TCP_SOCKET__SEND_MSG;
3504 break;
3505
3506 default:
3507 netif_perm = NETIF__RAWIP_SEND;
3508 node_perm = NODE__RAWIP_SEND;
3509 break;
3510 }
3511
3512
3513 AVC_AUDIT_DATA_INIT(&ad, NET);
3514 ad.u.net.netif = dev->name;
3515 ad.u.net.family = family;
3516
3517 err = selinux_parse_skb(skb, &ad, &addrp,
3518 &len, 0) ? NF_DROP : NF_ACCEPT;
3519 if (err != NF_ACCEPT)
3520 goto out;
3521
3522 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3523 netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3524 if (err != NF_ACCEPT)
3525 goto out;
3526
3527 /* Fixme: this lookup is inefficient */
3528 err = security_node_sid(family, addrp, len,
3529 &node_sid) ? NF_DROP : NF_ACCEPT;
3530 if (err != NF_ACCEPT)
3531 goto out;
3532
3533 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3534 node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3535 if (err != NF_ACCEPT)
3536 goto out;
3537
3538 if (send_perm) {
3539 u32 port_sid;
3540
3541 /* Fixme: make this more efficient */
3542 err = security_port_sid(sk->sk_family,
3543 sk->sk_type,
3544 sk->sk_protocol,
3545 ntohs(ad.u.net.dport),
3546 &port_sid) ? NF_DROP : NF_ACCEPT;
3547 if (err != NF_ACCEPT)
3548 goto out;
3549
3550 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3551 send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3552 }
3553
Trent Jaegerd28d1e02005-12-13 23:12:40 -08003554 if (err != NF_ACCEPT)
3555 goto out;
3556
3557 err = selinux_xfrm_postroute_last(isec->sid, skb);
3558
Linus Torvalds1da177e2005-04-16 15:20:36 -07003559out:
3560 return err;
3561}
3562
3563static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3564 struct sk_buff **pskb,
3565 const struct net_device *in,
3566 const struct net_device *out,
3567 int (*okfn)(struct sk_buff *))
3568{
3569 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3570}
3571
3572#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3573
3574static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3575 struct sk_buff **pskb,
3576 const struct net_device *in,
3577 const struct net_device *out,
3578 int (*okfn)(struct sk_buff *))
3579{
3580 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3581}
3582
3583#endif /* IPV6 */
3584
3585#endif /* CONFIG_NETFILTER */
3586
Linus Torvalds1da177e2005-04-16 15:20:36 -07003587static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3588{
3589 struct task_security_struct *tsec;
3590 struct av_decision avd;
3591 int err;
3592
3593 err = secondary_ops->netlink_send(sk, skb);
3594 if (err)
3595 return err;
3596
3597 tsec = current->security;
3598
3599 avd.allowed = 0;
3600 avc_has_perm_noaudit(tsec->sid, tsec->sid,
3601 SECCLASS_CAPABILITY, ~0, &avd);
3602 cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3603
3604 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3605 err = selinux_nlmsg_perm(sk, skb);
3606
3607 return err;
3608}
3609
3610static int selinux_netlink_recv(struct sk_buff *skb)
3611{
3612 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3613 return -EPERM;
3614 return 0;
3615}
3616
3617static int ipc_alloc_security(struct task_struct *task,
3618 struct kern_ipc_perm *perm,
3619 u16 sclass)
3620{
3621 struct task_security_struct *tsec = task->security;
3622 struct ipc_security_struct *isec;
3623
James Morris89d155e2005-10-30 14:59:21 -08003624 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -07003625 if (!isec)
3626 return -ENOMEM;
3627
Linus Torvalds1da177e2005-04-16 15:20:36 -07003628 isec->sclass = sclass;
3629 isec->ipc_perm = perm;
Stephen Smalley9ac49d22006-02-01 03:05:56 -08003630 isec->sid = tsec->sid;
Linus Torvalds1da177e2005-04-16 15:20:36 -07003631 perm->security = isec;
3632
3633 return 0;
3634}
3635
3636static void ipc_free_security(struct kern_ipc_perm *perm)
3637{
3638 struct ipc_security_struct *isec = perm->security;
Linus Torvalds1da177e2005-04-16 15:20:36 -07003639 perm->security = NULL;
3640 kfree(isec);
3641}
3642
3643static int msg_msg_alloc_security(struct msg_msg *msg)
3644{
3645 struct msg_security_struct *msec;
3646
James Morris89d155e2005-10-30 14:59:21 -08003647 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -07003648 if (!msec)
3649 return -ENOMEM;
3650
Linus Torvalds1da177e2005-04-16 15:20:36 -07003651 msec->msg = msg;
3652 msec->sid = SECINITSID_UNLABELED;
3653 msg->security = msec;
3654
3655 return 0;
3656}
3657
3658static void msg_msg_free_security(struct msg_msg *msg)
3659{
3660 struct msg_security_struct *msec = msg->security;
Linus Torvalds1da177e2005-04-16 15:20:36 -07003661
3662 msg->security = NULL;
3663 kfree(msec);
3664}
3665
3666static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
Stephen Smalley6af963f2005-05-01 08:58:39 -07003667 u32 perms)
Linus Torvalds1da177e2005-04-16 15:20:36 -07003668{
3669 struct task_security_struct *tsec;
3670 struct ipc_security_struct *isec;
3671 struct avc_audit_data ad;
3672
3673 tsec = current->security;
3674 isec = ipc_perms->security;
3675
3676 AVC_AUDIT_DATA_INIT(&ad, IPC);
3677 ad.u.ipc_id = ipc_perms->key;
3678
Stephen Smalley6af963f2005-05-01 08:58:39 -07003679 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
Linus Torvalds1da177e2005-04-16 15:20:36 -07003680}
3681
3682static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3683{
3684 return msg_msg_alloc_security(msg);
3685}
3686
3687static void selinux_msg_msg_free_security(struct msg_msg *msg)
3688{
3689 msg_msg_free_security(msg);
3690}
3691
3692/* message queue security operations */
3693static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3694{
3695 struct task_security_struct *tsec;
3696 struct ipc_security_struct *isec;
3697 struct avc_audit_data ad;
3698 int rc;
3699
3700 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3701 if (rc)
3702 return rc;
3703
3704 tsec = current->security;
3705 isec = msq->q_perm.security;
3706
3707 AVC_AUDIT_DATA_INIT(&ad, IPC);
3708 ad.u.ipc_id = msq->q_perm.key;
3709
3710 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3711 MSGQ__CREATE, &ad);
3712 if (rc) {
3713 ipc_free_security(&msq->q_perm);
3714 return rc;
3715 }
3716 return 0;
3717}
3718
3719static void selinux_msg_queue_free_security(struct msg_queue *msq)
3720{
3721 ipc_free_security(&msq->q_perm);
3722}
3723
3724static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3725{
3726 struct task_security_struct *tsec;
3727 struct ipc_security_struct *isec;
3728 struct avc_audit_data ad;
3729
3730 tsec = current->security;
3731 isec = msq->q_perm.security;
3732
3733 AVC_AUDIT_DATA_INIT(&ad, IPC);
3734 ad.u.ipc_id = msq->q_perm.key;
3735
3736 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3737 MSGQ__ASSOCIATE, &ad);
3738}
3739
3740static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3741{
3742 int err;
3743 int perms;
3744
3745 switch(cmd) {
3746 case IPC_INFO:
3747 case MSG_INFO:
3748 /* No specific object, just general system-wide information. */
3749 return task_has_system(current, SYSTEM__IPC_INFO);
3750 case IPC_STAT:
3751 case MSG_STAT:
3752 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3753 break;
3754 case IPC_SET:
3755 perms = MSGQ__SETATTR;
3756 break;
3757 case IPC_RMID:
3758 perms = MSGQ__DESTROY;
3759 break;
3760 default:
3761 return 0;
3762 }
3763
Stephen Smalley6af963f2005-05-01 08:58:39 -07003764 err = ipc_has_perm(&msq->q_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -07003765 return err;
3766}
3767
3768static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3769{
3770 struct task_security_struct *tsec;
3771 struct ipc_security_struct *isec;
3772 struct msg_security_struct *msec;
3773 struct avc_audit_data ad;
3774 int rc;
3775
3776 tsec = current->security;
3777 isec = msq->q_perm.security;
3778 msec = msg->security;
3779
3780 /*
3781 * First time through, need to assign label to the message
3782 */
3783 if (msec->sid == SECINITSID_UNLABELED) {
3784 /*
3785 * Compute new sid based on current process and
3786 * message queue this message will be stored in
3787 */
3788 rc = security_transition_sid(tsec->sid,
3789 isec->sid,
3790 SECCLASS_MSG,
3791 &msec->sid);
3792 if (rc)
3793 return rc;
3794 }
3795
3796 AVC_AUDIT_DATA_INIT(&ad, IPC);
3797 ad.u.ipc_id = msq->q_perm.key;
3798
3799 /* Can this process write to the queue? */
3800 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3801 MSGQ__WRITE, &ad);
3802 if (!rc)
3803 /* Can this process send the message */
3804 rc = avc_has_perm(tsec->sid, msec->sid,
3805 SECCLASS_MSG, MSG__SEND, &ad);
3806 if (!rc)
3807 /* Can the message be put in the queue? */
3808 rc = avc_has_perm(msec->sid, isec->sid,
3809 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3810
3811 return rc;
3812}
3813
3814static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3815 struct task_struct *target,
3816 long type, int mode)
3817{
3818 struct task_security_struct *tsec;
3819 struct ipc_security_struct *isec;
3820 struct msg_security_struct *msec;
3821 struct avc_audit_data ad;
3822 int rc;
3823
3824 tsec = target->security;
3825 isec = msq->q_perm.security;
3826 msec = msg->security;
3827
3828 AVC_AUDIT_DATA_INIT(&ad, IPC);
3829 ad.u.ipc_id = msq->q_perm.key;
3830
3831 rc = avc_has_perm(tsec->sid, isec->sid,
3832 SECCLASS_MSGQ, MSGQ__READ, &ad);
3833 if (!rc)
3834 rc = avc_has_perm(tsec->sid, msec->sid,
3835 SECCLASS_MSG, MSG__RECEIVE, &ad);
3836 return rc;
3837}
3838
3839/* Shared Memory security operations */
3840static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3841{
3842 struct task_security_struct *tsec;
3843 struct ipc_security_struct *isec;
3844 struct avc_audit_data ad;
3845 int rc;
3846
3847 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3848 if (rc)
3849 return rc;
3850
3851 tsec = current->security;
3852 isec = shp->shm_perm.security;
3853
3854 AVC_AUDIT_DATA_INIT(&ad, IPC);
3855 ad.u.ipc_id = shp->shm_perm.key;
3856
3857 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3858 SHM__CREATE, &ad);
3859 if (rc) {
3860 ipc_free_security(&shp->shm_perm);
3861 return rc;
3862 }
3863 return 0;
3864}
3865
3866static void selinux_shm_free_security(struct shmid_kernel *shp)
3867{
3868 ipc_free_security(&shp->shm_perm);
3869}
3870
3871static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3872{
3873 struct task_security_struct *tsec;
3874 struct ipc_security_struct *isec;
3875 struct avc_audit_data ad;
3876
3877 tsec = current->security;
3878 isec = shp->shm_perm.security;
3879
3880 AVC_AUDIT_DATA_INIT(&ad, IPC);
3881 ad.u.ipc_id = shp->shm_perm.key;
3882
3883 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3884 SHM__ASSOCIATE, &ad);
3885}
3886
3887/* Note, at this point, shp is locked down */
3888static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3889{
3890 int perms;
3891 int err;
3892
3893 switch(cmd) {
3894 case IPC_INFO:
3895 case SHM_INFO:
3896 /* No specific object, just general system-wide information. */
3897 return task_has_system(current, SYSTEM__IPC_INFO);
3898 case IPC_STAT:
3899 case SHM_STAT:
3900 perms = SHM__GETATTR | SHM__ASSOCIATE;
3901 break;
3902 case IPC_SET:
3903 perms = SHM__SETATTR;
3904 break;
3905 case SHM_LOCK:
3906 case SHM_UNLOCK:
3907 perms = SHM__LOCK;
3908 break;
3909 case IPC_RMID:
3910 perms = SHM__DESTROY;
3911 break;
3912 default:
3913 return 0;
3914 }
3915
Stephen Smalley6af963f2005-05-01 08:58:39 -07003916 err = ipc_has_perm(&shp->shm_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -07003917 return err;
3918}
3919
3920static int selinux_shm_shmat(struct shmid_kernel *shp,
3921 char __user *shmaddr, int shmflg)
3922{
3923 u32 perms;
3924 int rc;
3925
3926 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3927 if (rc)
3928 return rc;
3929
3930 if (shmflg & SHM_RDONLY)
3931 perms = SHM__READ;
3932 else
3933 perms = SHM__READ | SHM__WRITE;
3934
Stephen Smalley6af963f2005-05-01 08:58:39 -07003935 return ipc_has_perm(&shp->shm_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -07003936}
3937
3938/* Semaphore security operations */
3939static int selinux_sem_alloc_security(struct sem_array *sma)
3940{
3941 struct task_security_struct *tsec;
3942 struct ipc_security_struct *isec;
3943 struct avc_audit_data ad;
3944 int rc;
3945
3946 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3947 if (rc)
3948 return rc;
3949
3950 tsec = current->security;
3951 isec = sma->sem_perm.security;
3952
3953 AVC_AUDIT_DATA_INIT(&ad, IPC);
3954 ad.u.ipc_id = sma->sem_perm.key;
3955
3956 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3957 SEM__CREATE, &ad);
3958 if (rc) {
3959 ipc_free_security(&sma->sem_perm);
3960 return rc;
3961 }
3962 return 0;
3963}
3964
3965static void selinux_sem_free_security(struct sem_array *sma)
3966{
3967 ipc_free_security(&sma->sem_perm);
3968}
3969
3970static int selinux_sem_associate(struct sem_array *sma, int semflg)
3971{
3972 struct task_security_struct *tsec;
3973 struct ipc_security_struct *isec;
3974 struct avc_audit_data ad;
3975
3976 tsec = current->security;
3977 isec = sma->sem_perm.security;
3978
3979 AVC_AUDIT_DATA_INIT(&ad, IPC);
3980 ad.u.ipc_id = sma->sem_perm.key;
3981
3982 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3983 SEM__ASSOCIATE, &ad);
3984}
3985
3986/* Note, at this point, sma is locked down */
3987static int selinux_sem_semctl(struct sem_array *sma, int cmd)
3988{
3989 int err;
3990 u32 perms;
3991
3992 switch(cmd) {
3993 case IPC_INFO:
3994 case SEM_INFO:
3995 /* No specific object, just general system-wide information. */
3996 return task_has_system(current, SYSTEM__IPC_INFO);
3997 case GETPID:
3998 case GETNCNT:
3999 case GETZCNT:
4000 perms = SEM__GETATTR;
4001 break;
4002 case GETVAL:
4003 case GETALL:
4004 perms = SEM__READ;
4005 break;
4006 case SETVAL:
4007 case SETALL:
4008 perms = SEM__WRITE;
4009 break;
4010 case IPC_RMID:
4011 perms = SEM__DESTROY;
4012 break;
4013 case IPC_SET:
4014 perms = SEM__SETATTR;
4015 break;
4016 case IPC_STAT:
4017 case SEM_STAT:
4018 perms = SEM__GETATTR | SEM__ASSOCIATE;
4019 break;
4020 default:
4021 return 0;
4022 }
4023
Stephen Smalley6af963f2005-05-01 08:58:39 -07004024 err = ipc_has_perm(&sma->sem_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -07004025 return err;
4026}
4027
4028static int selinux_sem_semop(struct sem_array *sma,
4029 struct sembuf *sops, unsigned nsops, int alter)
4030{
4031 u32 perms;
4032
4033 if (alter)
4034 perms = SEM__READ | SEM__WRITE;
4035 else
4036 perms = SEM__READ;
4037
Stephen Smalley6af963f2005-05-01 08:58:39 -07004038 return ipc_has_perm(&sma->sem_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -07004039}
4040
4041static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4042{
Linus Torvalds1da177e2005-04-16 15:20:36 -07004043 u32 av = 0;
4044
Linus Torvalds1da177e2005-04-16 15:20:36 -07004045 av = 0;
4046 if (flag & S_IRUGO)
4047 av |= IPC__UNIX_READ;
4048 if (flag & S_IWUGO)
4049 av |= IPC__UNIX_WRITE;
4050
4051 if (av == 0)
4052 return 0;
4053
Stephen Smalley6af963f2005-05-01 08:58:39 -07004054 return ipc_has_perm(ipcp, av);
Linus Torvalds1da177e2005-04-16 15:20:36 -07004055}
4056
4057/* module stacking operations */
4058static int selinux_register_security (const char *name, struct security_operations *ops)
4059{
4060 if (secondary_ops != original_ops) {
4061 printk(KERN_INFO "%s: There is already a secondary security "
4062 "module registered.\n", __FUNCTION__);
4063 return -EINVAL;
4064 }
4065
4066 secondary_ops = ops;
4067
4068 printk(KERN_INFO "%s: Registering secondary module %s\n",
4069 __FUNCTION__,
4070 name);
4071
4072 return 0;
4073}
4074
4075static int selinux_unregister_security (const char *name, struct security_operations *ops)
4076{
4077 if (ops != secondary_ops) {
4078 printk (KERN_INFO "%s: trying to unregister a security module "
4079 "that is not registered.\n", __FUNCTION__);
4080 return -EINVAL;
4081 }
4082
4083 secondary_ops = original_ops;
4084
4085 return 0;
4086}
4087
4088static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4089{
4090 if (inode)
4091 inode_doinit_with_dentry(inode, dentry);
4092}
4093
4094static int selinux_getprocattr(struct task_struct *p,
4095 char *name, void *value, size_t size)
4096{
4097 struct task_security_struct *tsec;
Dustin Kirkland8c8570f2005-11-03 17:15:16 +00004098 u32 sid;
Linus Torvalds1da177e2005-04-16 15:20:36 -07004099 int error;
4100
4101 if (current != p) {
4102 error = task_has_perm(current, p, PROCESS__GETATTR);
4103 if (error)
4104 return error;
4105 }
4106
Linus Torvalds1da177e2005-04-16 15:20:36 -07004107 tsec = p->security;
4108
4109 if (!strcmp(name, "current"))
4110 sid = tsec->sid;
4111 else if (!strcmp(name, "prev"))
4112 sid = tsec->osid;
4113 else if (!strcmp(name, "exec"))
4114 sid = tsec->exec_sid;
4115 else if (!strcmp(name, "fscreate"))
4116 sid = tsec->create_sid;
4117 else
4118 return -EINVAL;
4119
4120 if (!sid)
4121 return 0;
4122
Dustin Kirkland8c8570f2005-11-03 17:15:16 +00004123 return selinux_getsecurity(sid, value, size);
Linus Torvalds1da177e2005-04-16 15:20:36 -07004124}
4125
4126static int selinux_setprocattr(struct task_struct *p,
4127 char *name, void *value, size_t size)
4128{
4129 struct task_security_struct *tsec;
4130 u32 sid = 0;
4131 int error;
4132 char *str = value;
4133
4134 if (current != p) {
4135 /* SELinux only allows a process to change its own
4136 security attributes. */
4137 return -EACCES;
4138 }
4139
4140 /*
4141 * Basic control over ability to set these attributes at all.
4142 * current == p, but we'll pass them separately in case the
4143 * above restriction is ever removed.
4144 */
4145 if (!strcmp(name, "exec"))
4146 error = task_has_perm(current, p, PROCESS__SETEXEC);
4147 else if (!strcmp(name, "fscreate"))
4148 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4149 else if (!strcmp(name, "current"))
4150 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4151 else
4152 error = -EINVAL;
4153 if (error)
4154 return error;
4155
4156 /* Obtain a SID for the context, if one was specified. */
4157 if (size && str[1] && str[1] != '\n') {
4158 if (str[size-1] == '\n') {
4159 str[size-1] = 0;
4160 size--;
4161 }
4162 error = security_context_to_sid(value, size, &sid);
4163 if (error)
4164 return error;
4165 }
4166
4167 /* Permission checking based on the specified context is
4168 performed during the actual operation (execve,
4169 open/mkdir/...), when we know the full context of the
4170 operation. See selinux_bprm_set_security for the execve
4171 checks and may_create for the file creation checks. The
4172 operation will then fail if the context is not permitted. */
4173 tsec = p->security;
4174 if (!strcmp(name, "exec"))
4175 tsec->exec_sid = sid;
4176 else if (!strcmp(name, "fscreate"))
4177 tsec->create_sid = sid;
4178 else if (!strcmp(name, "current")) {
4179 struct av_decision avd;
4180
4181 if (sid == 0)
4182 return -EINVAL;
4183
4184 /* Only allow single threaded processes to change context */
4185 if (atomic_read(&p->mm->mm_users) != 1) {
4186 struct task_struct *g, *t;
4187 struct mm_struct *mm = p->mm;
4188 read_lock(&tasklist_lock);
4189 do_each_thread(g, t)
4190 if (t->mm == mm && t != p) {
4191 read_unlock(&tasklist_lock);
4192 return -EPERM;
4193 }
4194 while_each_thread(g, t);
4195 read_unlock(&tasklist_lock);
4196 }
4197
4198 /* Check permissions for the transition. */
4199 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4200 PROCESS__DYNTRANSITION, NULL);
4201 if (error)
4202 return error;
4203
4204 /* Check for ptracing, and update the task SID if ok.
4205 Otherwise, leave SID unchanged and fail. */
4206 task_lock(p);
4207 if (p->ptrace & PT_PTRACED) {
4208 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4209 SECCLASS_PROCESS,
4210 PROCESS__PTRACE, &avd);
4211 if (!error)
4212 tsec->sid = sid;
4213 task_unlock(p);
4214 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4215 PROCESS__PTRACE, &avd, error, NULL);
4216 if (error)
4217 return error;
4218 } else {
4219 tsec->sid = sid;
4220 task_unlock(p);
4221 }
4222 }
4223 else
4224 return -EINVAL;
4225
4226 return size;
4227}
4228
4229static struct security_operations selinux_ops = {
4230 .ptrace = selinux_ptrace,
4231 .capget = selinux_capget,
4232 .capset_check = selinux_capset_check,
4233 .capset_set = selinux_capset_set,
4234 .sysctl = selinux_sysctl,
4235 .capable = selinux_capable,
4236 .quotactl = selinux_quotactl,
4237 .quota_on = selinux_quota_on,
4238 .syslog = selinux_syslog,
4239 .vm_enough_memory = selinux_vm_enough_memory,
4240
4241 .netlink_send = selinux_netlink_send,
4242 .netlink_recv = selinux_netlink_recv,
4243
4244 .bprm_alloc_security = selinux_bprm_alloc_security,
4245 .bprm_free_security = selinux_bprm_free_security,
4246 .bprm_apply_creds = selinux_bprm_apply_creds,
4247 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
4248 .bprm_set_security = selinux_bprm_set_security,
4249 .bprm_check_security = selinux_bprm_check_security,
4250 .bprm_secureexec = selinux_bprm_secureexec,
4251
4252 .sb_alloc_security = selinux_sb_alloc_security,
4253 .sb_free_security = selinux_sb_free_security,
4254 .sb_copy_data = selinux_sb_copy_data,
4255 .sb_kern_mount = selinux_sb_kern_mount,
4256 .sb_statfs = selinux_sb_statfs,
4257 .sb_mount = selinux_mount,
4258 .sb_umount = selinux_umount,
4259
4260 .inode_alloc_security = selinux_inode_alloc_security,
4261 .inode_free_security = selinux_inode_free_security,
Stephen Smalley5e41ff92005-09-09 13:01:35 -07004262 .inode_init_security = selinux_inode_init_security,
Linus Torvalds1da177e2005-04-16 15:20:36 -07004263 .inode_create = selinux_inode_create,
Linus Torvalds1da177e2005-04-16 15:20:36 -07004264 .inode_link = selinux_inode_link,
Linus Torvalds1da177e2005-04-16 15:20:36 -07004265 .inode_unlink = selinux_inode_unlink,
4266 .inode_symlink = selinux_inode_symlink,
Linus Torvalds1da177e2005-04-16 15:20:36 -07004267 .inode_mkdir = selinux_inode_mkdir,
Linus Torvalds1da177e2005-04-16 15:20:36 -07004268 .inode_rmdir = selinux_inode_rmdir,
4269 .inode_mknod = selinux_inode_mknod,
Linus Torvalds1da177e2005-04-16 15:20:36 -07004270 .inode_rename = selinux_inode_rename,
Linus Torvalds1da177e2005-04-16 15:20:36 -07004271 .inode_readlink = selinux_inode_readlink,
4272 .inode_follow_link = selinux_inode_follow_link,
4273 .inode_permission = selinux_inode_permission,
4274 .inode_setattr = selinux_inode_setattr,
4275 .inode_getattr = selinux_inode_getattr,
4276 .inode_setxattr = selinux_inode_setxattr,
4277 .inode_post_setxattr = selinux_inode_post_setxattr,
4278 .inode_getxattr = selinux_inode_getxattr,
4279 .inode_listxattr = selinux_inode_listxattr,
4280 .inode_removexattr = selinux_inode_removexattr,
Dustin Kirkland8c8570f2005-11-03 17:15:16 +00004281 .inode_xattr_getsuffix = selinux_inode_xattr_getsuffix,
Linus Torvalds1da177e2005-04-16 15:20:36 -07004282 .inode_getsecurity = selinux_inode_getsecurity,
4283 .inode_setsecurity = selinux_inode_setsecurity,
4284 .inode_listsecurity = selinux_inode_listsecurity,
4285
4286 .file_permission = selinux_file_permission,
4287 .file_alloc_security = selinux_file_alloc_security,
4288 .file_free_security = selinux_file_free_security,
4289 .file_ioctl = selinux_file_ioctl,
4290 .file_mmap = selinux_file_mmap,
4291 .file_mprotect = selinux_file_mprotect,
4292 .file_lock = selinux_file_lock,
4293 .file_fcntl = selinux_file_fcntl,
4294 .file_set_fowner = selinux_file_set_fowner,
4295 .file_send_sigiotask = selinux_file_send_sigiotask,
4296 .file_receive = selinux_file_receive,
4297
4298 .task_create = selinux_task_create,
4299 .task_alloc_security = selinux_task_alloc_security,
4300 .task_free_security = selinux_task_free_security,
4301 .task_setuid = selinux_task_setuid,
4302 .task_post_setuid = selinux_task_post_setuid,
4303 .task_setgid = selinux_task_setgid,
4304 .task_setpgid = selinux_task_setpgid,
4305 .task_getpgid = selinux_task_getpgid,
4306 .task_getsid = selinux_task_getsid,
4307 .task_setgroups = selinux_task_setgroups,
4308 .task_setnice = selinux_task_setnice,
4309 .task_setrlimit = selinux_task_setrlimit,
4310 .task_setscheduler = selinux_task_setscheduler,
4311 .task_getscheduler = selinux_task_getscheduler,
4312 .task_kill = selinux_task_kill,
4313 .task_wait = selinux_task_wait,
4314 .task_prctl = selinux_task_prctl,
4315 .task_reparent_to_init = selinux_task_reparent_to_init,
4316 .task_to_inode = selinux_task_to_inode,
4317
4318 .ipc_permission = selinux_ipc_permission,
4319
4320 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4321 .msg_msg_free_security = selinux_msg_msg_free_security,
4322
4323 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4324 .msg_queue_free_security = selinux_msg_queue_free_security,
4325 .msg_queue_associate = selinux_msg_queue_associate,
4326 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4327 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4328 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4329
4330 .shm_alloc_security = selinux_shm_alloc_security,
4331 .shm_free_security = selinux_shm_free_security,
4332 .shm_associate = selinux_shm_associate,
4333 .shm_shmctl = selinux_shm_shmctl,
4334 .shm_shmat = selinux_shm_shmat,
4335
4336 .sem_alloc_security = selinux_sem_alloc_security,
4337 .sem_free_security = selinux_sem_free_security,
4338 .sem_associate = selinux_sem_associate,
4339 .sem_semctl = selinux_sem_semctl,
4340 .sem_semop = selinux_sem_semop,
4341
4342 .register_security = selinux_register_security,
4343 .unregister_security = selinux_unregister_security,
4344
4345 .d_instantiate = selinux_d_instantiate,
4346
4347 .getprocattr = selinux_getprocattr,
4348 .setprocattr = selinux_setprocattr,
4349
Linus Torvalds1da177e2005-04-16 15:20:36 -07004350 .unix_stream_connect = selinux_socket_unix_stream_connect,
4351 .unix_may_send = selinux_socket_unix_may_send,
4352
4353 .socket_create = selinux_socket_create,
4354 .socket_post_create = selinux_socket_post_create,
4355 .socket_bind = selinux_socket_bind,
4356 .socket_connect = selinux_socket_connect,
4357 .socket_listen = selinux_socket_listen,
4358 .socket_accept = selinux_socket_accept,
4359 .socket_sendmsg = selinux_socket_sendmsg,
4360 .socket_recvmsg = selinux_socket_recvmsg,
4361 .socket_getsockname = selinux_socket_getsockname,
4362 .socket_getpeername = selinux_socket_getpeername,
4363 .socket_getsockopt = selinux_socket_getsockopt,
4364 .socket_setsockopt = selinux_socket_setsockopt,
4365 .socket_shutdown = selinux_socket_shutdown,
4366 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
Catherine Zhang2c7946a2006-03-20 22:41:23 -08004367 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
4368 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
Linus Torvalds1da177e2005-04-16 15:20:36 -07004369 .sk_alloc_security = selinux_sk_alloc_security,
4370 .sk_free_security = selinux_sk_free_security,
Trent Jaegerd28d1e02005-12-13 23:12:40 -08004371 .sk_getsid = selinux_sk_getsid_security,
Trent Jaegerd28d1e02005-12-13 23:12:40 -08004372
4373#ifdef CONFIG_SECURITY_NETWORK_XFRM
4374 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
4375 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
4376 .xfrm_policy_free_security = selinux_xfrm_policy_free,
4377 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
4378 .xfrm_state_free_security = selinux_xfrm_state_free,
4379 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
Linus Torvalds1da177e2005-04-16 15:20:36 -07004380#endif
4381};
4382
4383static __init int selinux_init(void)
4384{
4385 struct task_security_struct *tsec;
4386
4387 if (!selinux_enabled) {
4388 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4389 return 0;
4390 }
4391
4392 printk(KERN_INFO "SELinux: Initializing.\n");
4393
4394 /* Set the security state for the initial task. */
4395 if (task_alloc_security(current))
4396 panic("SELinux: Failed to initialize initial task.\n");
4397 tsec = current->security;
4398 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4399
James Morris7cae7e22006-03-22 00:09:22 -08004400 sel_inode_cache = kmem_cache_create("selinux_inode_security",
4401 sizeof(struct inode_security_struct),
4402 0, SLAB_PANIC, NULL, NULL);
Linus Torvalds1da177e2005-04-16 15:20:36 -07004403 avc_init();
4404
4405 original_ops = secondary_ops = security_ops;
4406 if (!secondary_ops)
4407 panic ("SELinux: No initial security operations\n");
4408 if (register_security (&selinux_ops))
4409 panic("SELinux: Unable to register with kernel.\n");
4410
4411 if (selinux_enforcing) {
4412 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
4413 } else {
4414 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
4415 }
4416 return 0;
4417}
4418
4419void selinux_complete_init(void)
4420{
4421 printk(KERN_INFO "SELinux: Completing initialization.\n");
4422
4423 /* Set up any superblocks initialized prior to the policy load. */
4424 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
Stephen Smalleyba0c19e2006-06-04 02:51:30 -07004425 spin_lock(&sb_lock);
Linus Torvalds1da177e2005-04-16 15:20:36 -07004426 spin_lock(&sb_security_lock);
4427next_sb:
4428 if (!list_empty(&superblock_security_head)) {
4429 struct superblock_security_struct *sbsec =
4430 list_entry(superblock_security_head.next,
4431 struct superblock_security_struct,
4432 list);
4433 struct super_block *sb = sbsec->sb;
Linus Torvalds1da177e2005-04-16 15:20:36 -07004434 sb->s_count++;
Linus Torvalds1da177e2005-04-16 15:20:36 -07004435 spin_unlock(&sb_security_lock);
Stephen Smalleyba0c19e2006-06-04 02:51:30 -07004436 spin_unlock(&sb_lock);
Linus Torvalds1da177e2005-04-16 15:20:36 -07004437 down_read(&sb->s_umount);
4438 if (sb->s_root)
4439 superblock_doinit(sb, NULL);
4440 drop_super(sb);
Stephen Smalleyba0c19e2006-06-04 02:51:30 -07004441 spin_lock(&sb_lock);
Linus Torvalds1da177e2005-04-16 15:20:36 -07004442 spin_lock(&sb_security_lock);
4443 list_del_init(&sbsec->list);
4444 goto next_sb;
4445 }
4446 spin_unlock(&sb_security_lock);
Stephen Smalleyba0c19e2006-06-04 02:51:30 -07004447 spin_unlock(&sb_lock);
Linus Torvalds1da177e2005-04-16 15:20:36 -07004448}
4449
4450/* SELinux requires early initialization in order to label
4451 all processes and objects when they are created. */
4452security_initcall(selinux_init);
4453
Stephen Smalleyc2b507f2006-02-04 23:27:50 -08004454#if defined(CONFIG_NETFILTER)
Linus Torvalds1da177e2005-04-16 15:20:36 -07004455
4456static struct nf_hook_ops selinux_ipv4_op = {
4457 .hook = selinux_ipv4_postroute_last,
4458 .owner = THIS_MODULE,
4459 .pf = PF_INET,
4460 .hooknum = NF_IP_POST_ROUTING,
4461 .priority = NF_IP_PRI_SELINUX_LAST,
4462};
4463
4464#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4465
4466static struct nf_hook_ops selinux_ipv6_op = {
4467 .hook = selinux_ipv6_postroute_last,
4468 .owner = THIS_MODULE,
4469 .pf = PF_INET6,
4470 .hooknum = NF_IP6_POST_ROUTING,
4471 .priority = NF_IP6_PRI_SELINUX_LAST,
4472};
4473
4474#endif /* IPV6 */
4475
4476static int __init selinux_nf_ip_init(void)
4477{
4478 int err = 0;
4479
4480 if (!selinux_enabled)
4481 goto out;
4482
4483 printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
4484
4485 err = nf_register_hook(&selinux_ipv4_op);
4486 if (err)
4487 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4488
4489#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4490
4491 err = nf_register_hook(&selinux_ipv6_op);
4492 if (err)
4493 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4494
4495#endif /* IPV6 */
Trent Jaegerd28d1e02005-12-13 23:12:40 -08004496
Linus Torvalds1da177e2005-04-16 15:20:36 -07004497out:
4498 return err;
4499}
4500
4501__initcall(selinux_nf_ip_init);
4502
4503#ifdef CONFIG_SECURITY_SELINUX_DISABLE
4504static void selinux_nf_ip_exit(void)
4505{
4506 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
4507
4508 nf_unregister_hook(&selinux_ipv4_op);
4509#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4510 nf_unregister_hook(&selinux_ipv6_op);
4511#endif /* IPV6 */
4512}
4513#endif
4514
Stephen Smalleyc2b507f2006-02-04 23:27:50 -08004515#else /* CONFIG_NETFILTER */
Linus Torvalds1da177e2005-04-16 15:20:36 -07004516
4517#ifdef CONFIG_SECURITY_SELINUX_DISABLE
4518#define selinux_nf_ip_exit()
4519#endif
4520
Stephen Smalleyc2b507f2006-02-04 23:27:50 -08004521#endif /* CONFIG_NETFILTER */
Linus Torvalds1da177e2005-04-16 15:20:36 -07004522
4523#ifdef CONFIG_SECURITY_SELINUX_DISABLE
4524int selinux_disable(void)
4525{
4526 extern void exit_sel_fs(void);
4527 static int selinux_disabled = 0;
4528
4529 if (ss_initialized) {
4530 /* Not permitted after initial policy load. */
4531 return -EINVAL;
4532 }
4533
4534 if (selinux_disabled) {
4535 /* Only do this once. */
4536 return -EINVAL;
4537 }
4538
4539 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
4540
4541 selinux_disabled = 1;
Stephen Smalley30d55282006-05-03 10:52:36 -04004542 selinux_enabled = 0;
Linus Torvalds1da177e2005-04-16 15:20:36 -07004543
4544 /* Reset security_ops to the secondary module, dummy or capability. */
4545 security_ops = secondary_ops;
4546
4547 /* Unregister netfilter hooks. */
4548 selinux_nf_ip_exit();
4549
4550 /* Unregister selinuxfs. */
4551 exit_sel_fs();
4552
4553 return 0;
4554}
4555#endif
4556
4557