Gitiles
Code Review Sign In
gerrit.openfyde.cn / github.com / raspberrypi / raspberrypi-kernel / cf01efd098597f7ee88a61e645afacba987c4531 / . / security / selinux / hooks.c
blob: bdd0b32f010421424a29bfe586991bf5afcaf31e [file] [log] [blame]
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2,
18 * as published by the Free Software Foundation.
19 */
20
21#include <linux/config.h>
22#include <linux/module.h>
23#include <linux/init.h>
24#include <linux/kernel.h>
25#include <linux/ptrace.h>
26#include <linux/errno.h>
27#include <linux/sched.h>
28#include <linux/security.h>
29#include <linux/xattr.h>
30#include <linux/capability.h>
31#include <linux/unistd.h>
32#include <linux/mm.h>
33#include <linux/mman.h>
34#include <linux/slab.h>
35#include <linux/pagemap.h>
36#include <linux/swap.h>
37#include <linux/smp_lock.h>
38#include <linux/spinlock.h>
39#include <linux/syscalls.h>
40#include <linux/file.h>
41#include <linux/namei.h>
42#include <linux/mount.h>
43#include <linux/ext2_fs.h>
44#include <linux/proc_fs.h>
45#include <linux/kd.h>
46#include <linux/netfilter_ipv4.h>
47#include <linux/netfilter_ipv6.h>
48#include <linux/tty.h>
49#include <net/icmp.h>
50#include <net/ip.h> /* for sysctl_local_port_range[] */
51#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
52#include <asm/uaccess.h>
53#include <asm/semaphore.h>
54#include <asm/ioctls.h>
55#include <linux/bitops.h>
56#include <linux/interrupt.h>
57#include <linux/netdevice.h> /* for network interface checks */
58#include <linux/netlink.h>
59#include <linux/tcp.h>
60#include <linux/udp.h>
61#include <linux/quota.h>
62#include <linux/un.h> /* for Unix socket types */
63#include <net/af_unix.h> /* for Unix socket types */
64#include <linux/parser.h>
65#include <linux/nfs_mount.h>
66#include <net/ipv6.h>
67#include <linux/hugetlb.h>
68#include <linux/personality.h>
69#include <linux/sysctl.h>
70#include <linux/audit.h>
Eric Paris6931dfc2005-06-30 02:58:51 -0700[diff] [blame]71#include <linux/string.h>
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]72
73#include "avc.h"
74#include "objsec.h"
75#include "netif.h"
Trent Jaegerd28d1e02005-12-13 23:12:40 -0800[diff] [blame]76#include "xfrm.h"
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]77
78#define XATTR_SELINUX_SUFFIX "selinux"
79#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81extern unsigned int policydb_loaded_version;
82extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83
84#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
85int selinux_enforcing = 0;
86
87static int __init enforcing_setup(char *str)
88{
89 selinux_enforcing = simple_strtol(str,NULL,0);
90 return 1;
91}
92__setup("enforcing=", enforcing_setup);
93#endif
94
95#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
96int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
97
98static int __init selinux_enabled_setup(char *str)
99{
100 selinux_enabled = simple_strtol(str, NULL, 0);
101 return 1;
102}
103__setup("selinux=", selinux_enabled_setup);
104#endif
105
106/* Original (dummy) security module. */
107static struct security_operations *original_ops = NULL;
108
109/* Minimal support for a secondary security module,
110 just to allow the use of the dummy or capability modules.
111 The owlsm module can alternatively be used as a secondary
112 module as long as CONFIG_OWLSM_FD is not enabled. */
113static struct security_operations *secondary_ops = NULL;
114
115/* Lists of inode and superblock security structures initialized
116 before the policy was loaded. */
117static LIST_HEAD(superblock_security_head);
118static DEFINE_SPINLOCK(sb_security_lock);
119
120/* Allocate and free functions for each kind of security blob. */
121
122static int task_alloc_security(struct task_struct *task)
123{
124 struct task_security_struct *tsec;
125
James Morris89d155e2005-10-30 14:59:21 -0800[diff] [blame]126 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]127 if (!tsec)
128 return -ENOMEM;
129
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]130 tsec->task = task;
131 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
132 task->security = tsec;
133
134 return 0;
135}
136
137static void task_free_security(struct task_struct *task)
138{
139 struct task_security_struct *tsec = task->security;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]140 task->security = NULL;
141 kfree(tsec);
142}
143
144static int inode_alloc_security(struct inode *inode)
145{
146 struct task_security_struct *tsec = current->security;
147 struct inode_security_struct *isec;
148
James Morris89d155e2005-10-30 14:59:21 -0800[diff] [blame]149 isec = kzalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]150 if (!isec)
151 return -ENOMEM;
152
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]153 init_MUTEX(&isec->sem);
154 INIT_LIST_HEAD(&isec->list);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]155 isec->inode = inode;
156 isec->sid = SECINITSID_UNLABELED;
157 isec->sclass = SECCLASS_FILE;
Stephen Smalley9ac49d22006-02-01 03:05:56 -0800[diff] [blame]158 isec->task_sid = tsec->sid;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]159 inode->i_security = isec;
160
161 return 0;
162}
163
164static void inode_free_security(struct inode *inode)
165{
166 struct inode_security_struct *isec = inode->i_security;
167 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
168
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]169 spin_lock(&sbsec->isec_lock);
170 if (!list_empty(&isec->list))
171 list_del_init(&isec->list);
172 spin_unlock(&sbsec->isec_lock);
173
174 inode->i_security = NULL;
175 kfree(isec);
176}
177
178static int file_alloc_security(struct file *file)
179{
180 struct task_security_struct *tsec = current->security;
181 struct file_security_struct *fsec;
182
Stephen Smalley26d2a4b2006-02-01 03:05:55 -0800[diff] [blame]183 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]184 if (!fsec)
185 return -ENOMEM;
186
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]187 fsec->file = file;
Stephen Smalley9ac49d22006-02-01 03:05:56 -0800[diff] [blame]188 fsec->sid = tsec->sid;
189 fsec->fown_sid = tsec->sid;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]190 file->f_security = fsec;
191
192 return 0;
193}
194
195static void file_free_security(struct file *file)
196{
197 struct file_security_struct *fsec = file->f_security;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]198 file->f_security = NULL;
199 kfree(fsec);
200}
201
202static int superblock_alloc_security(struct super_block *sb)
203{
204 struct superblock_security_struct *sbsec;
205
James Morris89d155e2005-10-30 14:59:21 -0800[diff] [blame]206 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]207 if (!sbsec)
208 return -ENOMEM;
209
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]210 init_MUTEX(&sbsec->sem);
211 INIT_LIST_HEAD(&sbsec->list);
212 INIT_LIST_HEAD(&sbsec->isec_head);
213 spin_lock_init(&sbsec->isec_lock);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]214 sbsec->sb = sb;
215 sbsec->sid = SECINITSID_UNLABELED;
216 sbsec->def_sid = SECINITSID_FILE;
217 sb->s_security = sbsec;
218
219 return 0;
220}
221
222static void superblock_free_security(struct super_block *sb)
223{
224 struct superblock_security_struct *sbsec = sb->s_security;
225
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]226 spin_lock(&sb_security_lock);
227 if (!list_empty(&sbsec->list))
228 list_del_init(&sbsec->list);
229 spin_unlock(&sb_security_lock);
230
231 sb->s_security = NULL;
232 kfree(sbsec);
233}
234
Al Viro7d877f32005-10-21 03:20:43 -0400[diff] [blame]235static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]236{
237 struct sk_security_struct *ssec;
238
239 if (family != PF_UNIX)
240 return 0;
241
James Morris89d155e2005-10-30 14:59:21 -0800[diff] [blame]242 ssec = kzalloc(sizeof(*ssec), priority);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]243 if (!ssec)
244 return -ENOMEM;
245
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]246 ssec->sk = sk;
247 ssec->peer_sid = SECINITSID_UNLABELED;
248 sk->sk_security = ssec;
249
250 return 0;
251}
252
253static void sk_free_security(struct sock *sk)
254{
255 struct sk_security_struct *ssec = sk->sk_security;
256
Stephen Smalley9ac49d22006-02-01 03:05:56 -0800[diff] [blame]257 if (sk->sk_family != PF_UNIX)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]258 return;
259
260 sk->sk_security = NULL;
261 kfree(ssec);
262}
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]263
264/* The security server must be initialized before
265 any labeling or access decisions can be provided. */
266extern int ss_initialized;
267
268/* The file system's label must be initialized prior to use. */
269
270static char *labeling_behaviors[6] = {
271 "uses xattr",
272 "uses transition SIDs",
273 "uses task SIDs",
274 "uses genfs_contexts",
275 "not configured for labeling",
276 "uses mountpoint labeling",
277};
278
279static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
280
281static inline int inode_doinit(struct inode *inode)
282{
283 return inode_doinit_with_dentry(inode, NULL);
284}
285
286enum {
287 Opt_context = 1,
288 Opt_fscontext = 2,
289 Opt_defcontext = 4,
290};
291
292static match_table_t tokens = {
293 {Opt_context, "context=%s"},
294 {Opt_fscontext, "fscontext=%s"},
295 {Opt_defcontext, "defcontext=%s"},
296};
297
298#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
299
300static int try_context_mount(struct super_block *sb, void *data)
301{
302 char *context = NULL, *defcontext = NULL;
303 const char *name;
304 u32 sid;
305 int alloc = 0, rc = 0, seen = 0;
306 struct task_security_struct *tsec = current->security;
307 struct superblock_security_struct *sbsec = sb->s_security;
308
309 if (!data)
310 goto out;
311
312 name = sb->s_type->name;
313
314 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
315
316 /* NFS we understand. */
317 if (!strcmp(name, "nfs")) {
318 struct nfs_mount_data *d = data;
319
320 if (d->version < NFS_MOUNT_VERSION)
321 goto out;
322
323 if (d->context[0]) {
324 context = d->context;
325 seen |= Opt_context;
326 }
327 } else
328 goto out;
329
330 } else {
331 /* Standard string-based options. */
332 char *p, *options = data;
333
334 while ((p = strsep(&options, ",")) != NULL) {
335 int token;
336 substring_t args[MAX_OPT_ARGS];
337
338 if (!*p)
339 continue;
340
341 token = match_token(p, tokens, args);
342
343 switch (token) {
344 case Opt_context:
345 if (seen) {
346 rc = -EINVAL;
347 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
348 goto out_free;
349 }
350 context = match_strdup(&args[0]);
351 if (!context) {
352 rc = -ENOMEM;
353 goto out_free;
354 }
355 if (!alloc)
356 alloc = 1;
357 seen |= Opt_context;
358 break;
359
360 case Opt_fscontext:
361 if (seen & (Opt_context|Opt_fscontext)) {
362 rc = -EINVAL;
363 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
364 goto out_free;
365 }
366 context = match_strdup(&args[0]);
367 if (!context) {
368 rc = -ENOMEM;
369 goto out_free;
370 }
371 if (!alloc)
372 alloc = 1;
373 seen |= Opt_fscontext;
374 break;
375
376 case Opt_defcontext:
377 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
378 rc = -EINVAL;
379 printk(KERN_WARNING "SELinux: "
380 "defcontext option is invalid "
381 "for this filesystem type\n");
382 goto out_free;
383 }
384 if (seen & (Opt_context|Opt_defcontext)) {
385 rc = -EINVAL;
386 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
387 goto out_free;
388 }
389 defcontext = match_strdup(&args[0]);
390 if (!defcontext) {
391 rc = -ENOMEM;
392 goto out_free;
393 }
394 if (!alloc)
395 alloc = 1;
396 seen |= Opt_defcontext;
397 break;
398
399 default:
400 rc = -EINVAL;
401 printk(KERN_WARNING "SELinux: unknown mount "
402 "option\n");
403 goto out_free;
404
405 }
406 }
407 }
408
409 if (!seen)
410 goto out;
411
412 if (context) {
413 rc = security_context_to_sid(context, strlen(context), &sid);
414 if (rc) {
415 printk(KERN_WARNING "SELinux: security_context_to_sid"
416 "(%s) failed for (dev %s, type %s) errno=%d\n",
417 context, sb->s_id, name, rc);
418 goto out_free;
419 }
420
421 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
422 FILESYSTEM__RELABELFROM, NULL);
423 if (rc)
424 goto out_free;
425
426 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
427 FILESYSTEM__RELABELTO, NULL);
428 if (rc)
429 goto out_free;
430
431 sbsec->sid = sid;
432
433 if (seen & Opt_context)
434 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
435 }
436
437 if (defcontext) {
438 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
439 if (rc) {
440 printk(KERN_WARNING "SELinux: security_context_to_sid"
441 "(%s) failed for (dev %s, type %s) errno=%d\n",
442 defcontext, sb->s_id, name, rc);
443 goto out_free;
444 }
445
446 if (sid == sbsec->def_sid)
447 goto out_free;
448
449 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450 FILESYSTEM__RELABELFROM, NULL);
451 if (rc)
452 goto out_free;
453
454 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
455 FILESYSTEM__ASSOCIATE, NULL);
456 if (rc)
457 goto out_free;
458
459 sbsec->def_sid = sid;
460 }
461
462out_free:
463 if (alloc) {
464 kfree(context);
465 kfree(defcontext);
466 }
467out:
468 return rc;
469}
470
471static int superblock_doinit(struct super_block *sb, void *data)
472{
473 struct superblock_security_struct *sbsec = sb->s_security;
474 struct dentry *root = sb->s_root;
475 struct inode *inode = root->d_inode;
476 int rc = 0;
477
478 down(&sbsec->sem);
479 if (sbsec->initialized)
480 goto out;
481
482 if (!ss_initialized) {
483 /* Defer initialization until selinux_complete_init,
484 after the initial policy is loaded and the security
485 server is ready to handle calls. */
486 spin_lock(&sb_security_lock);
487 if (list_empty(&sbsec->list))
488 list_add(&sbsec->list, &superblock_security_head);
489 spin_unlock(&sb_security_lock);
490 goto out;
491 }
492
493 /* Determine the labeling behavior to use for this filesystem type. */
494 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
495 if (rc) {
496 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
497 __FUNCTION__, sb->s_type->name, rc);
498 goto out;
499 }
500
501 rc = try_context_mount(sb, data);
502 if (rc)
503 goto out;
504
505 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
506 /* Make sure that the xattr handler exists and that no
507 error other than -ENODATA is returned by getxattr on
508 the root directory. -ENODATA is ok, as this may be
509 the first boot of the SELinux kernel before we have
510 assigned xattr values to the filesystem. */
511 if (!inode->i_op->getxattr) {
512 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
513 "xattr support\n", sb->s_id, sb->s_type->name);
514 rc = -EOPNOTSUPP;
515 goto out;
516 }
517 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
518 if (rc < 0 && rc != -ENODATA) {
519 if (rc == -EOPNOTSUPP)
520 printk(KERN_WARNING "SELinux: (dev %s, type "
521 "%s) has no security xattr handler\n",
522 sb->s_id, sb->s_type->name);
523 else
524 printk(KERN_WARNING "SELinux: (dev %s, type "
525 "%s) getxattr errno %d\n", sb->s_id,
526 sb->s_type->name, -rc);
527 goto out;
528 }
529 }
530
531 if (strcmp(sb->s_type->name, "proc") == 0)
532 sbsec->proc = 1;
533
534 sbsec->initialized = 1;
535
536 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
537 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
538 sb->s_id, sb->s_type->name);
539 }
540 else {
541 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
542 sb->s_id, sb->s_type->name,
543 labeling_behaviors[sbsec->behavior-1]);
544 }
545
546 /* Initialize the root inode. */
547 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
548
549 /* Initialize any other inodes associated with the superblock, e.g.
550 inodes created prior to initial policy load or inodes created
551 during get_sb by a pseudo filesystem that directly
552 populates itself. */
553 spin_lock(&sbsec->isec_lock);
554next_inode:
555 if (!list_empty(&sbsec->isec_head)) {
556 struct inode_security_struct *isec =
557 list_entry(sbsec->isec_head.next,
558 struct inode_security_struct, list);
559 struct inode *inode = isec->inode;
560 spin_unlock(&sbsec->isec_lock);
561 inode = igrab(inode);
562 if (inode) {
563 if (!IS_PRIVATE (inode))
564 inode_doinit(inode);
565 iput(inode);
566 }
567 spin_lock(&sbsec->isec_lock);
568 list_del_init(&isec->list);
569 goto next_inode;
570 }
571 spin_unlock(&sbsec->isec_lock);
572out:
573 up(&sbsec->sem);
574 return rc;
575}
576
577static inline u16 inode_mode_to_security_class(umode_t mode)
578{
579 switch (mode & S_IFMT) {
580 case S_IFSOCK:
581 return SECCLASS_SOCK_FILE;
582 case S_IFLNK:
583 return SECCLASS_LNK_FILE;
584 case S_IFREG:
585 return SECCLASS_FILE;
586 case S_IFBLK:
587 return SECCLASS_BLK_FILE;
588 case S_IFDIR:
589 return SECCLASS_DIR;
590 case S_IFCHR:
591 return SECCLASS_CHR_FILE;
592 case S_IFIFO:
593 return SECCLASS_FIFO_FILE;
594
595 }
596
597 return SECCLASS_FILE;
598}
599
James Morris13402582005-09-30 14:24:34 -0400[diff] [blame]600static inline int default_protocol_stream(int protocol)
601{
602 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
603}
604
605static inline int default_protocol_dgram(int protocol)
606{
607 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
608}
609
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]610static inline u16 socket_type_to_security_class(int family, int type, int protocol)
611{
612 switch (family) {
613 case PF_UNIX:
614 switch (type) {
615 case SOCK_STREAM:
616 case SOCK_SEQPACKET:
617 return SECCLASS_UNIX_STREAM_SOCKET;
618 case SOCK_DGRAM:
619 return SECCLASS_UNIX_DGRAM_SOCKET;
620 }
621 break;
622 case PF_INET:
623 case PF_INET6:
624 switch (type) {
625 case SOCK_STREAM:
James Morris13402582005-09-30 14:24:34 -0400[diff] [blame]626 if (default_protocol_stream(protocol))
627 return SECCLASS_TCP_SOCKET;
628 else
629 return SECCLASS_RAWIP_SOCKET;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]630 case SOCK_DGRAM:
James Morris13402582005-09-30 14:24:34 -0400[diff] [blame]631 if (default_protocol_dgram(protocol))
632 return SECCLASS_UDP_SOCKET;
633 else
634 return SECCLASS_RAWIP_SOCKET;
635 default:
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]636 return SECCLASS_RAWIP_SOCKET;
637 }
638 break;
639 case PF_NETLINK:
640 switch (protocol) {
641 case NETLINK_ROUTE:
642 return SECCLASS_NETLINK_ROUTE_SOCKET;
643 case NETLINK_FIREWALL:
644 return SECCLASS_NETLINK_FIREWALL_SOCKET;
James Morris216efaa2005-08-15 20:34:48 -0700[diff] [blame]645 case NETLINK_INET_DIAG:
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]646 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
647 case NETLINK_NFLOG:
648 return SECCLASS_NETLINK_NFLOG_SOCKET;
649 case NETLINK_XFRM:
650 return SECCLASS_NETLINK_XFRM_SOCKET;
651 case NETLINK_SELINUX:
652 return SECCLASS_NETLINK_SELINUX_SOCKET;
653 case NETLINK_AUDIT:
654 return SECCLASS_NETLINK_AUDIT_SOCKET;
655 case NETLINK_IP6_FW:
656 return SECCLASS_NETLINK_IP6FW_SOCKET;
657 case NETLINK_DNRTMSG:
658 return SECCLASS_NETLINK_DNRT_SOCKET;
James Morris0c9b7942005-04-16 15:24:13 -0700[diff] [blame]659 case NETLINK_KOBJECT_UEVENT:
660 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]661 default:
662 return SECCLASS_NETLINK_SOCKET;
663 }
664 case PF_PACKET:
665 return SECCLASS_PACKET_SOCKET;
666 case PF_KEY:
667 return SECCLASS_KEY_SOCKET;
668 }
669
670 return SECCLASS_SOCKET;
671}
672
673#ifdef CONFIG_PROC_FS
674static int selinux_proc_get_sid(struct proc_dir_entry *de,
675 u16 tclass,
676 u32 *sid)
677{
678 int buflen, rc;
679 char *buffer, *path, *end;
680
681 buffer = (char*)__get_free_page(GFP_KERNEL);
682 if (!buffer)
683 return -ENOMEM;
684
685 buflen = PAGE_SIZE;
686 end = buffer+buflen;
687 *--end = '\0';
688 buflen--;
689 path = end-1;
690 *path = '/';
691 while (de && de != de->parent) {
692 buflen -= de->namelen + 1;
693 if (buflen < 0)
694 break;
695 end -= de->namelen;
696 memcpy(end, de->name, de->namelen);
697 *--end = '/';
698 path = end;
699 de = de->parent;
700 }
701 rc = security_genfs_sid("proc", path, tclass, sid);
702 free_page((unsigned long)buffer);
703 return rc;
704}
705#else
706static int selinux_proc_get_sid(struct proc_dir_entry *de,
707 u16 tclass,
708 u32 *sid)
709{
710 return -EINVAL;
711}
712#endif
713
714/* The inode's security attributes must be initialized before first use. */
715static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
716{
717 struct superblock_security_struct *sbsec = NULL;
718 struct inode_security_struct *isec = inode->i_security;
719 u32 sid;
720 struct dentry *dentry;
721#define INITCONTEXTLEN 255
722 char *context = NULL;
723 unsigned len = 0;
724 int rc = 0;
725 int hold_sem = 0;
726
727 if (isec->initialized)
728 goto out;
729
730 down(&isec->sem);
731 hold_sem = 1;
732 if (isec->initialized)
733 goto out;
734
735 sbsec = inode->i_sb->s_security;
736 if (!sbsec->initialized) {
737 /* Defer initialization until selinux_complete_init,
738 after the initial policy is loaded and the security
739 server is ready to handle calls. */
740 spin_lock(&sbsec->isec_lock);
741 if (list_empty(&isec->list))
742 list_add(&isec->list, &sbsec->isec_head);
743 spin_unlock(&sbsec->isec_lock);
744 goto out;
745 }
746
747 switch (sbsec->behavior) {
748 case SECURITY_FS_USE_XATTR:
749 if (!inode->i_op->getxattr) {
750 isec->sid = sbsec->def_sid;
751 break;
752 }
753
754 /* Need a dentry, since the xattr API requires one.
755 Life would be simpler if we could just pass the inode. */
756 if (opt_dentry) {
757 /* Called from d_instantiate or d_splice_alias. */
758 dentry = dget(opt_dentry);
759 } else {
760 /* Called from selinux_complete_init, try to find a dentry. */
761 dentry = d_find_alias(inode);
762 }
763 if (!dentry) {
764 printk(KERN_WARNING "%s: no dentry for dev=%s "
765 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
766 inode->i_ino);
767 goto out;
768 }
769
770 len = INITCONTEXTLEN;
771 context = kmalloc(len, GFP_KERNEL);
772 if (!context) {
773 rc = -ENOMEM;
774 dput(dentry);
775 goto out;
776 }
777 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
778 context, len);
779 if (rc == -ERANGE) {
780 /* Need a larger buffer. Query for the right size. */
781 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
782 NULL, 0);
783 if (rc < 0) {
784 dput(dentry);
785 goto out;
786 }
787 kfree(context);
788 len = rc;
789 context = kmalloc(len, GFP_KERNEL);
790 if (!context) {
791 rc = -ENOMEM;
792 dput(dentry);
793 goto out;
794 }
795 rc = inode->i_op->getxattr(dentry,
796 XATTR_NAME_SELINUX,
797 context, len);
798 }
799 dput(dentry);
800 if (rc < 0) {
801 if (rc != -ENODATA) {
802 printk(KERN_WARNING "%s: getxattr returned "
803 "%d for dev=%s ino=%ld\n", __FUNCTION__,
804 -rc, inode->i_sb->s_id, inode->i_ino);
805 kfree(context);
806 goto out;
807 }
808 /* Map ENODATA to the default file SID */
809 sid = sbsec->def_sid;
810 rc = 0;
811 } else {
James Morrisf5c1d5b2005-07-28 01:07:37 -0700[diff] [blame]812 rc = security_context_to_sid_default(context, rc, &sid,
813 sbsec->def_sid);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]814 if (rc) {
815 printk(KERN_WARNING "%s: context_to_sid(%s) "
816 "returned %d for dev=%s ino=%ld\n",
817 __FUNCTION__, context, -rc,
818 inode->i_sb->s_id, inode->i_ino);
819 kfree(context);
820 /* Leave with the unlabeled SID */
821 rc = 0;
822 break;
823 }
824 }
825 kfree(context);
826 isec->sid = sid;
827 break;
828 case SECURITY_FS_USE_TASK:
829 isec->sid = isec->task_sid;
830 break;
831 case SECURITY_FS_USE_TRANS:
832 /* Default to the fs SID. */
833 isec->sid = sbsec->sid;
834
835 /* Try to obtain a transition SID. */
836 isec->sclass = inode_mode_to_security_class(inode->i_mode);
837 rc = security_transition_sid(isec->task_sid,
838 sbsec->sid,
839 isec->sclass,
840 &sid);
841 if (rc)
842 goto out;
843 isec->sid = sid;
844 break;
845 default:
846 /* Default to the fs SID. */
847 isec->sid = sbsec->sid;
848
849 if (sbsec->proc) {
850 struct proc_inode *proci = PROC_I(inode);
851 if (proci->pde) {
852 isec->sclass = inode_mode_to_security_class(inode->i_mode);
853 rc = selinux_proc_get_sid(proci->pde,
854 isec->sclass,
855 &sid);
856 if (rc)
857 goto out;
858 isec->sid = sid;
859 }
860 }
861 break;
862 }
863
864 isec->initialized = 1;
865
866out:
867 if (isec->sclass == SECCLASS_FILE)
868 isec->sclass = inode_mode_to_security_class(inode->i_mode);
869
870 if (hold_sem)
871 up(&isec->sem);
872 return rc;
873}
874
875/* Convert a Linux signal to an access vector. */
876static inline u32 signal_to_av(int sig)
877{
878 u32 perm = 0;
879
880 switch (sig) {
881 case SIGCHLD:
882 /* Commonly granted from child to parent. */
883 perm = PROCESS__SIGCHLD;
884 break;
885 case SIGKILL:
886 /* Cannot be caught or ignored */
887 perm = PROCESS__SIGKILL;
888 break;
889 case SIGSTOP:
890 /* Cannot be caught or ignored */
891 perm = PROCESS__SIGSTOP;
892 break;
893 default:
894 /* All other signals. */
895 perm = PROCESS__SIGNAL;
896 break;
897 }
898
899 return perm;
900}
901
902/* Check permission betweeen a pair of tasks, e.g. signal checks,
903 fork check, ptrace check, etc. */
904static int task_has_perm(struct task_struct *tsk1,
905 struct task_struct *tsk2,
906 u32 perms)
907{
908 struct task_security_struct *tsec1, *tsec2;
909
910 tsec1 = tsk1->security;
911 tsec2 = tsk2->security;
912 return avc_has_perm(tsec1->sid, tsec2->sid,
913 SECCLASS_PROCESS, perms, NULL);
914}
915
916/* Check whether a task is allowed to use a capability. */
917static int task_has_capability(struct task_struct *tsk,
918 int cap)
919{
920 struct task_security_struct *tsec;
921 struct avc_audit_data ad;
922
923 tsec = tsk->security;
924
925 AVC_AUDIT_DATA_INIT(&ad,CAP);
926 ad.tsk = tsk;
927 ad.u.cap = cap;
928
929 return avc_has_perm(tsec->sid, tsec->sid,
930 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
931}
932
933/* Check whether a task is allowed to use a system operation. */
934static int task_has_system(struct task_struct *tsk,
935 u32 perms)
936{
937 struct task_security_struct *tsec;
938
939 tsec = tsk->security;
940
941 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
942 SECCLASS_SYSTEM, perms, NULL);
943}
944
945/* Check whether a task has a particular permission to an inode.
946 The 'adp' parameter is optional and allows other audit
947 data to be passed (e.g. the dentry). */
948static int inode_has_perm(struct task_struct *tsk,
949 struct inode *inode,
950 u32 perms,
951 struct avc_audit_data *adp)
952{
953 struct task_security_struct *tsec;
954 struct inode_security_struct *isec;
955 struct avc_audit_data ad;
956
957 tsec = tsk->security;
958 isec = inode->i_security;
959
960 if (!adp) {
961 adp = &ad;
962 AVC_AUDIT_DATA_INIT(&ad, FS);
963 ad.u.fs.inode = inode;
964 }
965
966 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
967}
968
969/* Same as inode_has_perm, but pass explicit audit data containing
970 the dentry to help the auditing code to more easily generate the
971 pathname if needed. */
972static inline int dentry_has_perm(struct task_struct *tsk,
973 struct vfsmount *mnt,
974 struct dentry *dentry,
975 u32 av)
976{
977 struct inode *inode = dentry->d_inode;
978 struct avc_audit_data ad;
979 AVC_AUDIT_DATA_INIT(&ad,FS);
980 ad.u.fs.mnt = mnt;
981 ad.u.fs.dentry = dentry;
982 return inode_has_perm(tsk, inode, av, &ad);
983}
984
985/* Check whether a task can use an open file descriptor to
986 access an inode in a given way. Check access to the
987 descriptor itself, and then use dentry_has_perm to
988 check a particular permission to the file.
989 Access to the descriptor is implicitly granted if it
990 has the same SID as the process. If av is zero, then
991 access to the file is not checked, e.g. for cases
992 where only the descriptor is affected like seek. */
Arjan van de Ven858119e2006-01-14 13:20:43 -0800[diff] [blame]993static int file_has_perm(struct task_struct *tsk,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]994 struct file *file,
995 u32 av)
996{
997 struct task_security_struct *tsec = tsk->security;
998 struct file_security_struct *fsec = file->f_security;
999 struct vfsmount *mnt = file->f_vfsmnt;
1000 struct dentry *dentry = file->f_dentry;
1001 struct inode *inode = dentry->d_inode;
1002 struct avc_audit_data ad;
1003 int rc;
1004
1005 AVC_AUDIT_DATA_INIT(&ad, FS);
1006 ad.u.fs.mnt = mnt;
1007 ad.u.fs.dentry = dentry;
1008
1009 if (tsec->sid != fsec->sid) {
1010 rc = avc_has_perm(tsec->sid, fsec->sid,
1011 SECCLASS_FD,
1012 FD__USE,
1013 &ad);
1014 if (rc)
1015 return rc;
1016 }
1017
1018 /* av is zero if only checking access to the descriptor. */
1019 if (av)
1020 return inode_has_perm(tsk, inode, av, &ad);
1021
1022 return 0;
1023}
1024
1025/* Check whether a task can create a file. */
1026static int may_create(struct inode *dir,
1027 struct dentry *dentry,
1028 u16 tclass)
1029{
1030 struct task_security_struct *tsec;
1031 struct inode_security_struct *dsec;
1032 struct superblock_security_struct *sbsec;
1033 u32 newsid;
1034 struct avc_audit_data ad;
1035 int rc;
1036
1037 tsec = current->security;
1038 dsec = dir->i_security;
1039 sbsec = dir->i_sb->s_security;
1040
1041 AVC_AUDIT_DATA_INIT(&ad, FS);
1042 ad.u.fs.dentry = dentry;
1043
1044 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1045 DIR__ADD_NAME | DIR__SEARCH,
1046 &ad);
1047 if (rc)
1048 return rc;
1049
1050 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1051 newsid = tsec->create_sid;
1052 } else {
1053 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1054 &newsid);
1055 if (rc)
1056 return rc;
1057 }
1058
1059 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1060 if (rc)
1061 return rc;
1062
1063 return avc_has_perm(newsid, sbsec->sid,
1064 SECCLASS_FILESYSTEM,
1065 FILESYSTEM__ASSOCIATE, &ad);
1066}
1067
1068#define MAY_LINK 0
1069#define MAY_UNLINK 1
1070#define MAY_RMDIR 2
1071
1072/* Check whether a task can link, unlink, or rmdir a file/directory. */
1073static int may_link(struct inode *dir,
1074 struct dentry *dentry,
1075 int kind)
1076
1077{
1078 struct task_security_struct *tsec;
1079 struct inode_security_struct *dsec, *isec;
1080 struct avc_audit_data ad;
1081 u32 av;
1082 int rc;
1083
1084 tsec = current->security;
1085 dsec = dir->i_security;
1086 isec = dentry->d_inode->i_security;
1087
1088 AVC_AUDIT_DATA_INIT(&ad, FS);
1089 ad.u.fs.dentry = dentry;
1090
1091 av = DIR__SEARCH;
1092 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1093 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1094 if (rc)
1095 return rc;
1096
1097 switch (kind) {
1098 case MAY_LINK:
1099 av = FILE__LINK;
1100 break;
1101 case MAY_UNLINK:
1102 av = FILE__UNLINK;
1103 break;
1104 case MAY_RMDIR:
1105 av = DIR__RMDIR;
1106 break;
1107 default:
1108 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1109 return 0;
1110 }
1111
1112 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1113 return rc;
1114}
1115
1116static inline int may_rename(struct inode *old_dir,
1117 struct dentry *old_dentry,
1118 struct inode *new_dir,
1119 struct dentry *new_dentry)
1120{
1121 struct task_security_struct *tsec;
1122 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1123 struct avc_audit_data ad;
1124 u32 av;
1125 int old_is_dir, new_is_dir;
1126 int rc;
1127
1128 tsec = current->security;
1129 old_dsec = old_dir->i_security;
1130 old_isec = old_dentry->d_inode->i_security;
1131 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1132 new_dsec = new_dir->i_security;
1133
1134 AVC_AUDIT_DATA_INIT(&ad, FS);
1135
1136 ad.u.fs.dentry = old_dentry;
1137 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1138 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1139 if (rc)
1140 return rc;
1141 rc = avc_has_perm(tsec->sid, old_isec->sid,
1142 old_isec->sclass, FILE__RENAME, &ad);
1143 if (rc)
1144 return rc;
1145 if (old_is_dir && new_dir != old_dir) {
1146 rc = avc_has_perm(tsec->sid, old_isec->sid,
1147 old_isec->sclass, DIR__REPARENT, &ad);
1148 if (rc)
1149 return rc;
1150 }
1151
1152 ad.u.fs.dentry = new_dentry;
1153 av = DIR__ADD_NAME | DIR__SEARCH;
1154 if (new_dentry->d_inode)
1155 av |= DIR__REMOVE_NAME;
1156 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1157 if (rc)
1158 return rc;
1159 if (new_dentry->d_inode) {
1160 new_isec = new_dentry->d_inode->i_security;
1161 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1162 rc = avc_has_perm(tsec->sid, new_isec->sid,
1163 new_isec->sclass,
1164 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1165 if (rc)
1166 return rc;
1167 }
1168
1169 return 0;
1170}
1171
1172/* Check whether a task can perform a filesystem operation. */
1173static int superblock_has_perm(struct task_struct *tsk,
1174 struct super_block *sb,
1175 u32 perms,
1176 struct avc_audit_data *ad)
1177{
1178 struct task_security_struct *tsec;
1179 struct superblock_security_struct *sbsec;
1180
1181 tsec = tsk->security;
1182 sbsec = sb->s_security;
1183 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1184 perms, ad);
1185}
1186
1187/* Convert a Linux mode and permission mask to an access vector. */
1188static inline u32 file_mask_to_av(int mode, int mask)
1189{
1190 u32 av = 0;
1191
1192 if ((mode & S_IFMT) != S_IFDIR) {
1193 if (mask & MAY_EXEC)
1194 av |= FILE__EXECUTE;
1195 if (mask & MAY_READ)
1196 av |= FILE__READ;
1197
1198 if (mask & MAY_APPEND)
1199 av |= FILE__APPEND;
1200 else if (mask & MAY_WRITE)
1201 av |= FILE__WRITE;
1202
1203 } else {
1204 if (mask & MAY_EXEC)
1205 av |= DIR__SEARCH;
1206 if (mask & MAY_WRITE)
1207 av |= DIR__WRITE;
1208 if (mask & MAY_READ)
1209 av |= DIR__READ;
1210 }
1211
1212 return av;
1213}
1214
1215/* Convert a Linux file to an access vector. */
1216static inline u32 file_to_av(struct file *file)
1217{
1218 u32 av = 0;
1219
1220 if (file->f_mode & FMODE_READ)
1221 av |= FILE__READ;
1222 if (file->f_mode & FMODE_WRITE) {
1223 if (file->f_flags & O_APPEND)
1224 av |= FILE__APPEND;
1225 else
1226 av |= FILE__WRITE;
1227 }
1228
1229 return av;
1230}
1231
1232/* Set an inode's SID to a specified value. */
1233static int inode_security_set_sid(struct inode *inode, u32 sid)
1234{
1235 struct inode_security_struct *isec = inode->i_security;
1236 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1237
1238 if (!sbsec->initialized) {
1239 /* Defer initialization to selinux_complete_init. */
1240 return 0;
1241 }
1242
1243 down(&isec->sem);
1244 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1245 isec->sid = sid;
1246 isec->initialized = 1;
1247 up(&isec->sem);
1248 return 0;
1249}
1250
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1251/* Hook functions begin here. */
1252
1253static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1254{
1255 struct task_security_struct *psec = parent->security;
1256 struct task_security_struct *csec = child->security;
1257 int rc;
1258
1259 rc = secondary_ops->ptrace(parent,child);
1260 if (rc)
1261 return rc;
1262
1263 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1264 /* Save the SID of the tracing process for later use in apply_creds. */
Stephen Smalley341c2d82006-03-11 03:27:16 -0800[diff] [blame]1265 if (!(child->ptrace & PT_PTRACED) && !rc)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1266 csec->ptrace_sid = psec->sid;
1267 return rc;
1268}
1269
1270static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1271 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1272{
1273 int error;
1274
1275 error = task_has_perm(current, target, PROCESS__GETCAP);
1276 if (error)
1277 return error;
1278
1279 return secondary_ops->capget(target, effective, inheritable, permitted);
1280}
1281
1282static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1283 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1284{
1285 int error;
1286
1287 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1288 if (error)
1289 return error;
1290
1291 return task_has_perm(current, target, PROCESS__SETCAP);
1292}
1293
1294static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1295 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1296{
1297 secondary_ops->capset_set(target, effective, inheritable, permitted);
1298}
1299
1300static int selinux_capable(struct task_struct *tsk, int cap)
1301{
1302 int rc;
1303
1304 rc = secondary_ops->capable(tsk, cap);
1305 if (rc)
1306 return rc;
1307
1308 return task_has_capability(tsk,cap);
1309}
1310
1311static int selinux_sysctl(ctl_table *table, int op)
1312{
1313 int error = 0;
1314 u32 av;
1315 struct task_security_struct *tsec;
1316 u32 tsid;
1317 int rc;
1318
1319 rc = secondary_ops->sysctl(table, op);
1320 if (rc)
1321 return rc;
1322
1323 tsec = current->security;
1324
1325 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1326 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1327 if (rc) {
1328 /* Default to the well-defined sysctl SID. */
1329 tsid = SECINITSID_SYSCTL;
1330 }
1331
1332 /* The op values are "defined" in sysctl.c, thereby creating
1333 * a bad coupling between this module and sysctl.c */
1334 if(op == 001) {
1335 error = avc_has_perm(tsec->sid, tsid,
1336 SECCLASS_DIR, DIR__SEARCH, NULL);
1337 } else {
1338 av = 0;
1339 if (op & 004)
1340 av |= FILE__READ;
1341 if (op & 002)
1342 av |= FILE__WRITE;
1343 if (av)
1344 error = avc_has_perm(tsec->sid, tsid,
1345 SECCLASS_FILE, av, NULL);
1346 }
1347
1348 return error;
1349}
1350
1351static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1352{
1353 int rc = 0;
1354
1355 if (!sb)
1356 return 0;
1357
1358 switch (cmds) {
1359 case Q_SYNC:
1360 case Q_QUOTAON:
1361 case Q_QUOTAOFF:
1362 case Q_SETINFO:
1363 case Q_SETQUOTA:
1364 rc = superblock_has_perm(current,
1365 sb,
1366 FILESYSTEM__QUOTAMOD, NULL);
1367 break;
1368 case Q_GETFMT:
1369 case Q_GETINFO:
1370 case Q_GETQUOTA:
1371 rc = superblock_has_perm(current,
1372 sb,
1373 FILESYSTEM__QUOTAGET, NULL);
1374 break;
1375 default:
1376 rc = 0; /* let the kernel handle invalid cmds */
1377 break;
1378 }
1379 return rc;
1380}
1381
1382static int selinux_quota_on(struct dentry *dentry)
1383{
1384 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1385}
1386
1387static int selinux_syslog(int type)
1388{
1389 int rc;
1390
1391 rc = secondary_ops->syslog(type);
1392 if (rc)
1393 return rc;
1394
1395 switch (type) {
1396 case 3: /* Read last kernel messages */
1397 case 10: /* Return size of the log buffer */
1398 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1399 break;
1400 case 6: /* Disable logging to console */
1401 case 7: /* Enable logging to console */
1402 case 8: /* Set level of messages printed to console */
1403 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1404 break;
1405 case 0: /* Close log */
1406 case 1: /* Open log */
1407 case 2: /* Read from log */
1408 case 4: /* Read/clear last kernel messages */
1409 case 5: /* Clear ring buffer */
1410 default:
1411 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1412 break;
1413 }
1414 return rc;
1415}
1416
1417/*
1418 * Check that a process has enough memory to allocate a new virtual
1419 * mapping. 0 means there is enough memory for the allocation to
1420 * succeed and -ENOMEM implies there is not.
1421 *
1422 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1423 * if the capability is granted, but __vm_enough_memory requires 1 if
1424 * the capability is granted.
1425 *
1426 * Do not audit the selinux permission check, as this is applied to all
1427 * processes that allocate mappings.
1428 */
1429static int selinux_vm_enough_memory(long pages)
1430{
1431 int rc, cap_sys_admin = 0;
1432 struct task_security_struct *tsec = current->security;
1433
1434 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1435 if (rc == 0)
1436 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1437 SECCLASS_CAPABILITY,
1438 CAP_TO_MASK(CAP_SYS_ADMIN),
1439 NULL);
1440
1441 if (rc == 0)
1442 cap_sys_admin = 1;
1443
1444 return __vm_enough_memory(pages, cap_sys_admin);
1445}
1446
1447/* binprm security operations */
1448
1449static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1450{
1451 struct bprm_security_struct *bsec;
1452
James Morris89d155e2005-10-30 14:59:21 -0800[diff] [blame]1453 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1454 if (!bsec)
1455 return -ENOMEM;
1456
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1457 bsec->bprm = bprm;
1458 bsec->sid = SECINITSID_UNLABELED;
1459 bsec->set = 0;
1460
1461 bprm->security = bsec;
1462 return 0;
1463}
1464
1465static int selinux_bprm_set_security(struct linux_binprm *bprm)
1466{
1467 struct task_security_struct *tsec;
1468 struct inode *inode = bprm->file->f_dentry->d_inode;
1469 struct inode_security_struct *isec;
1470 struct bprm_security_struct *bsec;
1471 u32 newsid;
1472 struct avc_audit_data ad;
1473 int rc;
1474
1475 rc = secondary_ops->bprm_set_security(bprm);
1476 if (rc)
1477 return rc;
1478
1479 bsec = bprm->security;
1480
1481 if (bsec->set)
1482 return 0;
1483
1484 tsec = current->security;
1485 isec = inode->i_security;
1486
1487 /* Default to the current task SID. */
1488 bsec->sid = tsec->sid;
1489
1490 /* Reset create SID on execve. */
1491 tsec->create_sid = 0;
1492
1493 if (tsec->exec_sid) {
1494 newsid = tsec->exec_sid;
1495 /* Reset exec SID on execve. */
1496 tsec->exec_sid = 0;
1497 } else {
1498 /* Check for a default transition on this program. */
1499 rc = security_transition_sid(tsec->sid, isec->sid,
1500 SECCLASS_PROCESS, &newsid);
1501 if (rc)
1502 return rc;
1503 }
1504
1505 AVC_AUDIT_DATA_INIT(&ad, FS);
1506 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1507 ad.u.fs.dentry = bprm->file->f_dentry;
1508
1509 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1510 newsid = tsec->sid;
1511
1512 if (tsec->sid == newsid) {
1513 rc = avc_has_perm(tsec->sid, isec->sid,
1514 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1515 if (rc)
1516 return rc;
1517 } else {
1518 /* Check permissions for the transition. */
1519 rc = avc_has_perm(tsec->sid, newsid,
1520 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1521 if (rc)
1522 return rc;
1523
1524 rc = avc_has_perm(newsid, isec->sid,
1525 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1526 if (rc)
1527 return rc;
1528
1529 /* Clear any possibly unsafe personality bits on exec: */
1530 current->personality &= ~PER_CLEAR_ON_SETID;
1531
1532 /* Set the security field to the new SID. */
1533 bsec->sid = newsid;
1534 }
1535
1536 bsec->set = 1;
1537 return 0;
1538}
1539
1540static int selinux_bprm_check_security (struct linux_binprm *bprm)
1541{
1542 return secondary_ops->bprm_check_security(bprm);
1543}
1544
1545
1546static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1547{
1548 struct task_security_struct *tsec = current->security;
1549 int atsecure = 0;
1550
1551 if (tsec->osid != tsec->sid) {
1552 /* Enable secure mode for SIDs transitions unless
1553 the noatsecure permission is granted between
1554 the two SIDs, i.e. ahp returns 0. */
1555 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1556 SECCLASS_PROCESS,
1557 PROCESS__NOATSECURE, NULL);
1558 }
1559
1560 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1561}
1562
1563static void selinux_bprm_free_security(struct linux_binprm *bprm)
1564{
Jesper Juhl9a5f04b2005-06-25 14:58:51 -0700[diff] [blame]1565 kfree(bprm->security);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1566 bprm->security = NULL;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1567}
1568
1569extern struct vfsmount *selinuxfs_mount;
1570extern struct dentry *selinux_null;
1571
1572/* Derived from fs/exec.c:flush_old_files. */
1573static inline void flush_unauthorized_files(struct files_struct * files)
1574{
1575 struct avc_audit_data ad;
1576 struct file *file, *devnull = NULL;
1577 struct tty_struct *tty = current->signal->tty;
Dipankar Sarmabadf1662005-09-09 13:04:10 -0700[diff] [blame]1578 struct fdtable *fdt;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1579 long j = -1;
1580
1581 if (tty) {
1582 file_list_lock();
Eric Dumazet2f512012005-10-30 15:02:16 -0800[diff] [blame]1583 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1584 if (file) {
1585 /* Revalidate access to controlling tty.
1586 Use inode_has_perm on the tty inode directly rather
1587 than using file_has_perm, as this particular open
1588 file may belong to another process and we are only
1589 interested in the inode-based check here. */
1590 struct inode *inode = file->f_dentry->d_inode;
1591 if (inode_has_perm(current, inode,
1592 FILE__READ | FILE__WRITE, NULL)) {
1593 /* Reset controlling tty. */
1594 current->signal->tty = NULL;
1595 current->signal->tty_old_pgrp = 0;
1596 }
1597 }
1598 file_list_unlock();
1599 }
1600
1601 /* Revalidate access to inherited open files. */
1602
1603 AVC_AUDIT_DATA_INIT(&ad,FS);
1604
1605 spin_lock(&files->file_lock);
1606 for (;;) {
1607 unsigned long set, i;
1608 int fd;
1609
1610 j++;
1611 i = j * __NFDBITS;
Dipankar Sarmabadf1662005-09-09 13:04:10 -0700[diff] [blame]1612 fdt = files_fdtable(files);
1613 if (i >= fdt->max_fds || i >= fdt->max_fdset)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1614 break;
Dipankar Sarmabadf1662005-09-09 13:04:10 -0700[diff] [blame]1615 set = fdt->open_fds->fds_bits[j];
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1616 if (!set)
1617 continue;
1618 spin_unlock(&files->file_lock);
1619 for ( ; set ; i++,set >>= 1) {
1620 if (set & 1) {
1621 file = fget(i);
1622 if (!file)
1623 continue;
1624 if (file_has_perm(current,
1625 file,
1626 file_to_av(file))) {
1627 sys_close(i);
1628 fd = get_unused_fd();
1629 if (fd != i) {
1630 if (fd >= 0)
1631 put_unused_fd(fd);
1632 fput(file);
1633 continue;
1634 }
1635 if (devnull) {
Nick Piggin095975d2006-01-08 01:02:19 -0800[diff] [blame]1636 get_file(devnull);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1637 } else {
1638 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1639 if (!devnull) {
1640 put_unused_fd(fd);
1641 fput(file);
1642 continue;
1643 }
1644 }
1645 fd_install(fd, devnull);
1646 }
1647 fput(file);
1648 }
1649 }
1650 spin_lock(&files->file_lock);
1651
1652 }
1653 spin_unlock(&files->file_lock);
1654}
1655
1656static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1657{
1658 struct task_security_struct *tsec;
1659 struct bprm_security_struct *bsec;
1660 u32 sid;
1661 int rc;
1662
1663 secondary_ops->bprm_apply_creds(bprm, unsafe);
1664
1665 tsec = current->security;
1666
1667 bsec = bprm->security;
1668 sid = bsec->sid;
1669
1670 tsec->osid = tsec->sid;
1671 bsec->unsafe = 0;
1672 if (tsec->sid != sid) {
1673 /* Check for shared state. If not ok, leave SID
1674 unchanged and kill. */
1675 if (unsafe & LSM_UNSAFE_SHARE) {
1676 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1677 PROCESS__SHARE, NULL);
1678 if (rc) {
1679 bsec->unsafe = 1;
1680 return;
1681 }
1682 }
1683
1684 /* Check for ptracing, and update the task SID if ok.
1685 Otherwise, leave SID unchanged and kill. */
1686 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1687 rc = avc_has_perm(tsec->ptrace_sid, sid,
1688 SECCLASS_PROCESS, PROCESS__PTRACE,
1689 NULL);
1690 if (rc) {
1691 bsec->unsafe = 1;
1692 return;
1693 }
1694 }
1695 tsec->sid = sid;
1696 }
1697}
1698
1699/*
1700 * called after apply_creds without the task lock held
1701 */
1702static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1703{
1704 struct task_security_struct *tsec;
1705 struct rlimit *rlim, *initrlim;
1706 struct itimerval itimer;
1707 struct bprm_security_struct *bsec;
1708 int rc, i;
1709
1710 tsec = current->security;
1711 bsec = bprm->security;
1712
1713 if (bsec->unsafe) {
1714 force_sig_specific(SIGKILL, current);
1715 return;
1716 }
1717 if (tsec->osid == tsec->sid)
1718 return;
1719
1720 /* Close files for which the new task SID is not authorized. */
1721 flush_unauthorized_files(current->files);
1722
1723 /* Check whether the new SID can inherit signal state
1724 from the old SID. If not, clear itimers to avoid
1725 subsequent signal generation and flush and unblock
1726 signals. This must occur _after_ the task SID has
1727 been updated so that any kill done after the flush
1728 will be checked against the new SID. */
1729 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1730 PROCESS__SIGINH, NULL);
1731 if (rc) {
1732 memset(&itimer, 0, sizeof itimer);
1733 for (i = 0; i < 3; i++)
1734 do_setitimer(i, &itimer, NULL);
1735 flush_signals(current);
1736 spin_lock_irq(&current->sighand->siglock);
1737 flush_signal_handlers(current, 1);
1738 sigemptyset(&current->blocked);
1739 recalc_sigpending();
1740 spin_unlock_irq(&current->sighand->siglock);
1741 }
1742
1743 /* Check whether the new SID can inherit resource limits
1744 from the old SID. If not, reset all soft limits to
1745 the lower of the current task's hard limit and the init
1746 task's soft limit. Note that the setting of hard limits
1747 (even to lower them) can be controlled by the setrlimit
1748 check. The inclusion of the init task's soft limit into
1749 the computation is to avoid resetting soft limits higher
1750 than the default soft limit for cases where the default
1751 is lower than the hard limit, e.g. RLIMIT_CORE or
1752 RLIMIT_STACK.*/
1753 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1754 PROCESS__RLIMITINH, NULL);
1755 if (rc) {
1756 for (i = 0; i < RLIM_NLIMITS; i++) {
1757 rlim = current->signal->rlim + i;
1758 initrlim = init_task.signal->rlim+i;
1759 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1760 }
1761 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1762 /*
1763 * This will cause RLIMIT_CPU calculations
1764 * to be refigured.
1765 */
1766 current->it_prof_expires = jiffies_to_cputime(1);
1767 }
1768 }
1769
1770 /* Wake up the parent if it is waiting so that it can
1771 recheck wait permission to the new task SID. */
1772 wake_up_interruptible(&current->parent->signal->wait_chldexit);
1773}
1774
1775/* superblock security operations */
1776
1777static int selinux_sb_alloc_security(struct super_block *sb)
1778{
1779 return superblock_alloc_security(sb);
1780}
1781
1782static void selinux_sb_free_security(struct super_block *sb)
1783{
1784 superblock_free_security(sb);
1785}
1786
1787static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1788{
1789 if (plen > olen)
1790 return 0;
1791
1792 return !memcmp(prefix, option, plen);
1793}
1794
1795static inline int selinux_option(char *option, int len)
1796{
1797 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1798 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1799 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1800}
1801
1802static inline void take_option(char **to, char *from, int *first, int len)
1803{
1804 if (!*first) {
1805 **to = ',';
1806 *to += 1;
1807 }
1808 else
1809 *first = 0;
1810 memcpy(*to, from, len);
1811 *to += len;
1812}
1813
1814static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1815{
1816 int fnosec, fsec, rc = 0;
1817 char *in_save, *in_curr, *in_end;
1818 char *sec_curr, *nosec_save, *nosec;
1819
1820 in_curr = orig;
1821 sec_curr = copy;
1822
1823 /* Binary mount data: just copy */
1824 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1825 copy_page(sec_curr, in_curr);
1826 goto out;
1827 }
1828
1829 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1830 if (!nosec) {
1831 rc = -ENOMEM;
1832 goto out;
1833 }
1834
1835 nosec_save = nosec;
1836 fnosec = fsec = 1;
1837 in_save = in_end = orig;
1838
1839 do {
1840 if (*in_end == ',' || *in_end == '\0') {
1841 int len = in_end - in_curr;
1842
1843 if (selinux_option(in_curr, len))
1844 take_option(&sec_curr, in_curr, &fsec, len);
1845 else
1846 take_option(&nosec, in_curr, &fnosec, len);
1847
1848 in_curr = in_end + 1;
1849 }
1850 } while (*in_end++);
1851
Eric Paris6931dfc2005-06-30 02:58:51 -0700[diff] [blame]1852 strcpy(in_save, nosec_save);
Gerald Schaeferda3caa22005-06-21 17:15:18 -0700[diff] [blame]1853 free_page((unsigned long)nosec_save);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1854out:
1855 return rc;
1856}
1857
1858static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1859{
1860 struct avc_audit_data ad;
1861 int rc;
1862
1863 rc = superblock_doinit(sb, data);
1864 if (rc)
1865 return rc;
1866
1867 AVC_AUDIT_DATA_INIT(&ad,FS);
1868 ad.u.fs.dentry = sb->s_root;
1869 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1870}
1871
1872static int selinux_sb_statfs(struct super_block *sb)
1873{
1874 struct avc_audit_data ad;
1875
1876 AVC_AUDIT_DATA_INIT(&ad,FS);
1877 ad.u.fs.dentry = sb->s_root;
1878 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1879}
1880
1881static int selinux_mount(char * dev_name,
1882 struct nameidata *nd,
1883 char * type,
1884 unsigned long flags,
1885 void * data)
1886{
1887 int rc;
1888
1889 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1890 if (rc)
1891 return rc;
1892
1893 if (flags & MS_REMOUNT)
1894 return superblock_has_perm(current, nd->mnt->mnt_sb,
1895 FILESYSTEM__REMOUNT, NULL);
1896 else
1897 return dentry_has_perm(current, nd->mnt, nd->dentry,
1898 FILE__MOUNTON);
1899}
1900
1901static int selinux_umount(struct vfsmount *mnt, int flags)
1902{
1903 int rc;
1904
1905 rc = secondary_ops->sb_umount(mnt, flags);
1906 if (rc)
1907 return rc;
1908
1909 return superblock_has_perm(current,mnt->mnt_sb,
1910 FILESYSTEM__UNMOUNT,NULL);
1911}
1912
1913/* inode security operations */
1914
1915static int selinux_inode_alloc_security(struct inode *inode)
1916{
1917 return inode_alloc_security(inode);
1918}
1919
1920static void selinux_inode_free_security(struct inode *inode)
1921{
1922 inode_free_security(inode);
1923}
1924
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]1925static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1926 char **name, void **value,
1927 size_t *len)
1928{
1929 struct task_security_struct *tsec;
1930 struct inode_security_struct *dsec;
1931 struct superblock_security_struct *sbsec;
Stephen Smalley570bc1c2005-09-09 13:01:43 -0700[diff] [blame]1932 u32 newsid, clen;
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]1933 int rc;
Stephen Smalley570bc1c2005-09-09 13:01:43 -0700[diff] [blame]1934 char *namep = NULL, *context;
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]1935
1936 tsec = current->security;
1937 dsec = dir->i_security;
1938 sbsec = dir->i_sb->s_security;
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]1939
1940 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1941 newsid = tsec->create_sid;
1942 } else {
1943 rc = security_transition_sid(tsec->sid, dsec->sid,
1944 inode_mode_to_security_class(inode->i_mode),
1945 &newsid);
1946 if (rc) {
1947 printk(KERN_WARNING "%s: "
1948 "security_transition_sid failed, rc=%d (dev=%s "
1949 "ino=%ld)\n",
1950 __FUNCTION__,
1951 -rc, inode->i_sb->s_id, inode->i_ino);
1952 return rc;
1953 }
1954 }
1955
1956 inode_security_set_sid(inode, newsid);
1957
Stephen Smalley8aad3872006-03-22 00:09:13 -0800[diff] [blame]1958 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
Stephen Smalley25a74f32005-11-08 21:34:33 -0800[diff] [blame]1959 return -EOPNOTSUPP;
1960
Stephen Smalley570bc1c2005-09-09 13:01:43 -0700[diff] [blame]1961 if (name) {
1962 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1963 if (!namep)
1964 return -ENOMEM;
1965 *name = namep;
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]1966 }
Stephen Smalley570bc1c2005-09-09 13:01:43 -0700[diff] [blame]1967
1968 if (value && len) {
1969 rc = security_sid_to_context(newsid, &context, &clen);
1970 if (rc) {
1971 kfree(namep);
1972 return rc;
1973 }
1974 *value = context;
1975 *len = clen;
1976 }
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]1977
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]1978 return 0;
1979}
1980
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1981static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
1982{
1983 return may_create(dir, dentry, SECCLASS_FILE);
1984}
1985
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1986static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
1987{
1988 int rc;
1989
1990 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
1991 if (rc)
1992 return rc;
1993 return may_link(dir, old_dentry, MAY_LINK);
1994}
1995
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1996static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
1997{
1998 int rc;
1999
2000 rc = secondary_ops->inode_unlink(dir, dentry);
2001 if (rc)
2002 return rc;
2003 return may_link(dir, dentry, MAY_UNLINK);
2004}
2005
2006static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2007{
2008 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2009}
2010
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2011static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2012{
2013 return may_create(dir, dentry, SECCLASS_DIR);
2014}
2015
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2016static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2017{
2018 return may_link(dir, dentry, MAY_RMDIR);
2019}
2020
2021static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2022{
2023 int rc;
2024
2025 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2026 if (rc)
2027 return rc;
2028
2029 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2030}
2031
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2032static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2033 struct inode *new_inode, struct dentry *new_dentry)
2034{
2035 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2036}
2037
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2038static int selinux_inode_readlink(struct dentry *dentry)
2039{
2040 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2041}
2042
2043static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2044{
2045 int rc;
2046
2047 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2048 if (rc)
2049 return rc;
2050 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2051}
2052
2053static int selinux_inode_permission(struct inode *inode, int mask,
2054 struct nameidata *nd)
2055{
2056 int rc;
2057
2058 rc = secondary_ops->inode_permission(inode, mask, nd);
2059 if (rc)
2060 return rc;
2061
2062 if (!mask) {
2063 /* No permission to check. Existence test. */
2064 return 0;
2065 }
2066
2067 return inode_has_perm(current, inode,
2068 file_mask_to_av(inode->i_mode, mask), NULL);
2069}
2070
2071static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2072{
2073 int rc;
2074
2075 rc = secondary_ops->inode_setattr(dentry, iattr);
2076 if (rc)
2077 return rc;
2078
2079 if (iattr->ia_valid & ATTR_FORCE)
2080 return 0;
2081
2082 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2083 ATTR_ATIME_SET | ATTR_MTIME_SET))
2084 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2085
2086 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2087}
2088
2089static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2090{
2091 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2092}
2093
2094static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2095{
2096 struct task_security_struct *tsec = current->security;
2097 struct inode *inode = dentry->d_inode;
2098 struct inode_security_struct *isec = inode->i_security;
2099 struct superblock_security_struct *sbsec;
2100 struct avc_audit_data ad;
2101 u32 newsid;
2102 int rc = 0;
2103
2104 if (strcmp(name, XATTR_NAME_SELINUX)) {
2105 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2106 sizeof XATTR_SECURITY_PREFIX - 1) &&
2107 !capable(CAP_SYS_ADMIN)) {
2108 /* A different attribute in the security namespace.
2109 Restrict to administrator. */
2110 return -EPERM;
2111 }
2112
2113 /* Not an attribute we recognize, so just check the
2114 ordinary setattr permission. */
2115 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2116 }
2117
2118 sbsec = inode->i_sb->s_security;
2119 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2120 return -EOPNOTSUPP;
2121
2122 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2123 return -EPERM;
2124
2125 AVC_AUDIT_DATA_INIT(&ad,FS);
2126 ad.u.fs.dentry = dentry;
2127
2128 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2129 FILE__RELABELFROM, &ad);
2130 if (rc)
2131 return rc;
2132
2133 rc = security_context_to_sid(value, size, &newsid);
2134 if (rc)
2135 return rc;
2136
2137 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2138 FILE__RELABELTO, &ad);
2139 if (rc)
2140 return rc;
2141
2142 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2143 isec->sclass);
2144 if (rc)
2145 return rc;
2146
2147 return avc_has_perm(newsid,
2148 sbsec->sid,
2149 SECCLASS_FILESYSTEM,
2150 FILESYSTEM__ASSOCIATE,
2151 &ad);
2152}
2153
2154static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2155 void *value, size_t size, int flags)
2156{
2157 struct inode *inode = dentry->d_inode;
2158 struct inode_security_struct *isec = inode->i_security;
2159 u32 newsid;
2160 int rc;
2161
2162 if (strcmp(name, XATTR_NAME_SELINUX)) {
2163 /* Not an attribute we recognize, so nothing to do. */
2164 return;
2165 }
2166
2167 rc = security_context_to_sid(value, size, &newsid);
2168 if (rc) {
2169 printk(KERN_WARNING "%s: unable to obtain SID for context "
2170 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2171 return;
2172 }
2173
2174 isec->sid = newsid;
2175 return;
2176}
2177
2178static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2179{
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2180 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2181}
2182
2183static int selinux_inode_listxattr (struct dentry *dentry)
2184{
2185 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2186}
2187
2188static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2189{
2190 if (strcmp(name, XATTR_NAME_SELINUX)) {
2191 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2192 sizeof XATTR_SECURITY_PREFIX - 1) &&
2193 !capable(CAP_SYS_ADMIN)) {
2194 /* A different attribute in the security namespace.
2195 Restrict to administrator. */
2196 return -EPERM;
2197 }
2198
2199 /* Not an attribute we recognize, so just check the
2200 ordinary setattr permission. Might want a separate
2201 permission for removexattr. */
2202 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2203 }
2204
2205 /* No one is allowed to remove a SELinux security label.
2206 You can change the label, but all data must be labeled. */
2207 return -EACCES;
2208}
2209
James Morrisd381d8a2005-10-30 14:59:22 -0800[diff] [blame]2210/*
2211 * Copy the in-core inode security context value to the user. If the
2212 * getxattr() prior to this succeeded, check to see if we need to
2213 * canonicalize the value to be finally returned to the user.
2214 *
2215 * Permission check is handled by selinux_inode_getxattr hook.
2216 */
2217static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2218{
2219 struct inode_security_struct *isec = inode->i_security;
2220 char *context;
2221 unsigned len;
2222 int rc;
2223
James Morrisd381d8a2005-10-30 14:59:22 -0800[diff] [blame]2224 if (strcmp(name, XATTR_SELINUX_SUFFIX)) {
2225 rc = -EOPNOTSUPP;
2226 goto out;
2227 }
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2228
2229 rc = security_sid_to_context(isec->sid, &context, &len);
2230 if (rc)
James Morrisd381d8a2005-10-30 14:59:22 -0800[diff] [blame]2231 goto out;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2232
James Morrisd381d8a2005-10-30 14:59:22 -0800[diff] [blame]2233 /* Probe for required buffer size */
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2234 if (!buffer || !size) {
James Morrisd381d8a2005-10-30 14:59:22 -0800[diff] [blame]2235 rc = len;
2236 goto out_free;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2237 }
James Morrisd381d8a2005-10-30 14:59:22 -0800[diff] [blame]2238
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2239 if (size < len) {
James Morrisd381d8a2005-10-30 14:59:22 -0800[diff] [blame]2240 rc = -ERANGE;
2241 goto out_free;
2242 }
2243
2244 if (err > 0) {
2245 if ((len == err) && !(memcmp(context, buffer, len))) {
2246 /* Don't need to canonicalize value */
2247 rc = err;
2248 goto out_free;
2249 }
2250 memset(buffer, 0, size);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2251 }
2252 memcpy(buffer, context, len);
James Morrisd381d8a2005-10-30 14:59:22 -0800[diff] [blame]2253 rc = len;
2254out_free:
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2255 kfree(context);
James Morrisd381d8a2005-10-30 14:59:22 -0800[diff] [blame]2256out:
2257 return rc;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2258}
2259
2260static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2261 const void *value, size_t size, int flags)
2262{
2263 struct inode_security_struct *isec = inode->i_security;
2264 u32 newsid;
2265 int rc;
2266
2267 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2268 return -EOPNOTSUPP;
2269
2270 if (!value || !size)
2271 return -EACCES;
2272
2273 rc = security_context_to_sid((void*)value, size, &newsid);
2274 if (rc)
2275 return rc;
2276
2277 isec->sid = newsid;
2278 return 0;
2279}
2280
2281static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2282{
2283 const int len = sizeof(XATTR_NAME_SELINUX);
2284 if (buffer && len <= buffer_size)
2285 memcpy(buffer, XATTR_NAME_SELINUX, len);
2286 return len;
2287}
2288
2289/* file security operations */
2290
2291static int selinux_file_permission(struct file *file, int mask)
2292{
2293 struct inode *inode = file->f_dentry->d_inode;
2294
2295 if (!mask) {
2296 /* No permission to check. Existence test. */
2297 return 0;
2298 }
2299
2300 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2301 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2302 mask |= MAY_APPEND;
2303
2304 return file_has_perm(current, file,
2305 file_mask_to_av(inode->i_mode, mask));
2306}
2307
2308static int selinux_file_alloc_security(struct file *file)
2309{
2310 return file_alloc_security(file);
2311}
2312
2313static void selinux_file_free_security(struct file *file)
2314{
2315 file_free_security(file);
2316}
2317
2318static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2319 unsigned long arg)
2320{
2321 int error = 0;
2322
2323 switch (cmd) {
2324 case FIONREAD:
2325 /* fall through */
2326 case FIBMAP:
2327 /* fall through */
2328 case FIGETBSZ:
2329 /* fall through */
2330 case EXT2_IOC_GETFLAGS:
2331 /* fall through */
2332 case EXT2_IOC_GETVERSION:
2333 error = file_has_perm(current, file, FILE__GETATTR);
2334 break;
2335
2336 case EXT2_IOC_SETFLAGS:
2337 /* fall through */
2338 case EXT2_IOC_SETVERSION:
2339 error = file_has_perm(current, file, FILE__SETATTR);
2340 break;
2341
2342 /* sys_ioctl() checks */
2343 case FIONBIO:
2344 /* fall through */
2345 case FIOASYNC:
2346 error = file_has_perm(current, file, 0);
2347 break;
2348
2349 case KDSKBENT:
2350 case KDSKBSENT:
2351 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2352 break;
2353
2354 /* default case assumes that the command will go
2355 * to the file's ioctl() function.
2356 */
2357 default:
2358 error = file_has_perm(current, file, FILE__IOCTL);
2359
2360 }
2361 return error;
2362}
2363
2364static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2365{
2366#ifndef CONFIG_PPC32
2367 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2368 /*
2369 * We are making executable an anonymous mapping or a
2370 * private file mapping that will also be writable.
2371 * This has an additional check.
2372 */
2373 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2374 if (rc)
2375 return rc;
2376 }
2377#endif
2378
2379 if (file) {
2380 /* read access is always possible with a mapping */
2381 u32 av = FILE__READ;
2382
2383 /* write access only matters if the mapping is shared */
2384 if (shared && (prot & PROT_WRITE))
2385 av |= FILE__WRITE;
2386
2387 if (prot & PROT_EXEC)
2388 av |= FILE__EXECUTE;
2389
2390 return file_has_perm(current, file, av);
2391 }
2392 return 0;
2393}
2394
2395static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2396 unsigned long prot, unsigned long flags)
2397{
2398 int rc;
2399
2400 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2401 if (rc)
2402 return rc;
2403
2404 if (selinux_checkreqprot)
2405 prot = reqprot;
2406
2407 return file_map_prot_check(file, prot,
2408 (flags & MAP_TYPE) == MAP_SHARED);
2409}
2410
2411static int selinux_file_mprotect(struct vm_area_struct *vma,
2412 unsigned long reqprot,
2413 unsigned long prot)
2414{
2415 int rc;
2416
2417 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2418 if (rc)
2419 return rc;
2420
2421 if (selinux_checkreqprot)
2422 prot = reqprot;
2423
2424#ifndef CONFIG_PPC32
Stephen Smalleydb4c9642006-02-01 03:05:54 -0800[diff] [blame]2425 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2426 rc = 0;
2427 if (vma->vm_start >= vma->vm_mm->start_brk &&
2428 vma->vm_end <= vma->vm_mm->brk) {
2429 rc = task_has_perm(current, current,
2430 PROCESS__EXECHEAP);
2431 } else if (!vma->vm_file &&
2432 vma->vm_start <= vma->vm_mm->start_stack &&
2433 vma->vm_end >= vma->vm_mm->start_stack) {
2434 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2435 } else if (vma->vm_file && vma->anon_vma) {
2436 /*
2437 * We are making executable a file mapping that has
2438 * had some COW done. Since pages might have been
2439 * written, check ability to execute the possibly
2440 * modified content. This typically should only
2441 * occur for text relocations.
2442 */
2443 rc = file_has_perm(current, vma->vm_file,
2444 FILE__EXECMOD);
2445 }
Lorenzo Hernandez García-Hierro6b992192005-06-25 14:54:34 -0700[diff] [blame]2446 if (rc)
2447 return rc;
2448 }
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2449#endif
2450
2451 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2452}
2453
2454static int selinux_file_lock(struct file *file, unsigned int cmd)
2455{
2456 return file_has_perm(current, file, FILE__LOCK);
2457}
2458
2459static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2460 unsigned long arg)
2461{
2462 int err = 0;
2463
2464 switch (cmd) {
2465 case F_SETFL:
2466 if (!file->f_dentry || !file->f_dentry->d_inode) {
2467 err = -EINVAL;
2468 break;
2469 }
2470
2471 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2472 err = file_has_perm(current, file,FILE__WRITE);
2473 break;
2474 }
2475 /* fall through */
2476 case F_SETOWN:
2477 case F_SETSIG:
2478 case F_GETFL:
2479 case F_GETOWN:
2480 case F_GETSIG:
2481 /* Just check FD__USE permission */
2482 err = file_has_perm(current, file, 0);
2483 break;
2484 case F_GETLK:
2485 case F_SETLK:
2486 case F_SETLKW:
2487#if BITS_PER_LONG == 32
2488 case F_GETLK64:
2489 case F_SETLK64:
2490 case F_SETLKW64:
2491#endif
2492 if (!file->f_dentry || !file->f_dentry->d_inode) {
2493 err = -EINVAL;
2494 break;
2495 }
2496 err = file_has_perm(current, file, FILE__LOCK);
2497 break;
2498 }
2499
2500 return err;
2501}
2502
2503static int selinux_file_set_fowner(struct file *file)
2504{
2505 struct task_security_struct *tsec;
2506 struct file_security_struct *fsec;
2507
2508 tsec = current->security;
2509 fsec = file->f_security;
2510 fsec->fown_sid = tsec->sid;
2511
2512 return 0;
2513}
2514
2515static int selinux_file_send_sigiotask(struct task_struct *tsk,
2516 struct fown_struct *fown, int signum)
2517{
2518 struct file *file;
2519 u32 perm;
2520 struct task_security_struct *tsec;
2521 struct file_security_struct *fsec;
2522
2523 /* struct fown_struct is never outside the context of a struct file */
2524 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2525
2526 tsec = tsk->security;
2527 fsec = file->f_security;
2528
2529 if (!signum)
2530 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2531 else
2532 perm = signal_to_av(signum);
2533
2534 return avc_has_perm(fsec->fown_sid, tsec->sid,
2535 SECCLASS_PROCESS, perm, NULL);
2536}
2537
2538static int selinux_file_receive(struct file *file)
2539{
2540 return file_has_perm(current, file, file_to_av(file));
2541}
2542
2543/* task security operations */
2544
2545static int selinux_task_create(unsigned long clone_flags)
2546{
2547 int rc;
2548
2549 rc = secondary_ops->task_create(clone_flags);
2550 if (rc)
2551 return rc;
2552
2553 return task_has_perm(current, current, PROCESS__FORK);
2554}
2555
2556static int selinux_task_alloc_security(struct task_struct *tsk)
2557{
2558 struct task_security_struct *tsec1, *tsec2;
2559 int rc;
2560
2561 tsec1 = current->security;
2562
2563 rc = task_alloc_security(tsk);
2564 if (rc)
2565 return rc;
2566 tsec2 = tsk->security;
2567
2568 tsec2->osid = tsec1->osid;
2569 tsec2->sid = tsec1->sid;
2570
2571 /* Retain the exec and create SIDs across fork */
2572 tsec2->exec_sid = tsec1->exec_sid;
2573 tsec2->create_sid = tsec1->create_sid;
2574
2575 /* Retain ptracer SID across fork, if any.
2576 This will be reset by the ptrace hook upon any
2577 subsequent ptrace_attach operations. */
2578 tsec2->ptrace_sid = tsec1->ptrace_sid;
2579
2580 return 0;
2581}
2582
2583static void selinux_task_free_security(struct task_struct *tsk)
2584{
2585 task_free_security(tsk);
2586}
2587
2588static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2589{
2590 /* Since setuid only affects the current process, and
2591 since the SELinux controls are not based on the Linux
2592 identity attributes, SELinux does not need to control
2593 this operation. However, SELinux does control the use
2594 of the CAP_SETUID and CAP_SETGID capabilities using the
2595 capable hook. */
2596 return 0;
2597}
2598
2599static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2600{
2601 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2602}
2603
2604static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2605{
2606 /* See the comment for setuid above. */
2607 return 0;
2608}
2609
2610static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2611{
2612 return task_has_perm(current, p, PROCESS__SETPGID);
2613}
2614
2615static int selinux_task_getpgid(struct task_struct *p)
2616{
2617 return task_has_perm(current, p, PROCESS__GETPGID);
2618}
2619
2620static int selinux_task_getsid(struct task_struct *p)
2621{
2622 return task_has_perm(current, p, PROCESS__GETSESSION);
2623}
2624
2625static int selinux_task_setgroups(struct group_info *group_info)
2626{
2627 /* See the comment for setuid above. */
2628 return 0;
2629}
2630
2631static int selinux_task_setnice(struct task_struct *p, int nice)
2632{
2633 int rc;
2634
2635 rc = secondary_ops->task_setnice(p, nice);
2636 if (rc)
2637 return rc;
2638
2639 return task_has_perm(current,p, PROCESS__SETSCHED);
2640}
2641
2642static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2643{
2644 struct rlimit *old_rlim = current->signal->rlim + resource;
2645 int rc;
2646
2647 rc = secondary_ops->task_setrlimit(resource, new_rlim);
2648 if (rc)
2649 return rc;
2650
2651 /* Control the ability to change the hard limit (whether
2652 lowering or raising it), so that the hard limit can
2653 later be used as a safe reset point for the soft limit
2654 upon context transitions. See selinux_bprm_apply_creds. */
2655 if (old_rlim->rlim_max != new_rlim->rlim_max)
2656 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2657
2658 return 0;
2659}
2660
2661static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2662{
2663 return task_has_perm(current, p, PROCESS__SETSCHED);
2664}
2665
2666static int selinux_task_getscheduler(struct task_struct *p)
2667{
2668 return task_has_perm(current, p, PROCESS__GETSCHED);
2669}
2670
2671static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2672{
2673 u32 perm;
2674 int rc;
2675
2676 rc = secondary_ops->task_kill(p, info, sig);
2677 if (rc)
2678 return rc;
2679
Oleg Nesterov621d3122005-10-30 15:03:45 -0800[diff] [blame]2680 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2681 return 0;
2682
2683 if (!sig)
2684 perm = PROCESS__SIGNULL; /* null signal; existence test */
2685 else
2686 perm = signal_to_av(sig);
2687
2688 return task_has_perm(current, p, perm);
2689}
2690
2691static int selinux_task_prctl(int option,
2692 unsigned long arg2,
2693 unsigned long arg3,
2694 unsigned long arg4,
2695 unsigned long arg5)
2696{
2697 /* The current prctl operations do not appear to require
2698 any SELinux controls since they merely observe or modify
2699 the state of the current process. */
2700 return 0;
2701}
2702
2703static int selinux_task_wait(struct task_struct *p)
2704{
2705 u32 perm;
2706
2707 perm = signal_to_av(p->exit_signal);
2708
2709 return task_has_perm(p, current, perm);
2710}
2711
2712static void selinux_task_reparent_to_init(struct task_struct *p)
2713{
2714 struct task_security_struct *tsec;
2715
2716 secondary_ops->task_reparent_to_init(p);
2717
2718 tsec = p->security;
2719 tsec->osid = tsec->sid;
2720 tsec->sid = SECINITSID_KERNEL;
2721 return;
2722}
2723
2724static void selinux_task_to_inode(struct task_struct *p,
2725 struct inode *inode)
2726{
2727 struct task_security_struct *tsec = p->security;
2728 struct inode_security_struct *isec = inode->i_security;
2729
2730 isec->sid = tsec->sid;
2731 isec->initialized = 1;
2732 return;
2733}
2734
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2735/* Returns error only if unable to parse addresses */
2736static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2737{
2738 int offset, ihlen, ret = -EINVAL;
2739 struct iphdr _iph, *ih;
2740
2741 offset = skb->nh.raw - skb->data;
2742 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2743 if (ih == NULL)
2744 goto out;
2745
2746 ihlen = ih->ihl * 4;
2747 if (ihlen < sizeof(_iph))
2748 goto out;
2749
2750 ad->u.net.v4info.saddr = ih->saddr;
2751 ad->u.net.v4info.daddr = ih->daddr;
2752 ret = 0;
2753
2754 switch (ih->protocol) {
2755 case IPPROTO_TCP: {
2756 struct tcphdr _tcph, *th;
2757
2758 if (ntohs(ih->frag_off) & IP_OFFSET)
2759 break;
2760
2761 offset += ihlen;
2762 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2763 if (th == NULL)
2764 break;
2765
2766 ad->u.net.sport = th->source;
2767 ad->u.net.dport = th->dest;
2768 break;
2769 }
2770
2771 case IPPROTO_UDP: {
2772 struct udphdr _udph, *uh;
2773
2774 if (ntohs(ih->frag_off) & IP_OFFSET)
2775 break;
2776
2777 offset += ihlen;
2778 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2779 if (uh == NULL)
2780 break;
2781
2782 ad->u.net.sport = uh->source;
2783 ad->u.net.dport = uh->dest;
2784 break;
2785 }
2786
2787 default:
2788 break;
2789 }
2790out:
2791 return ret;
2792}
2793
2794#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2795
2796/* Returns error only if unable to parse addresses */
2797static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2798{
2799 u8 nexthdr;
2800 int ret = -EINVAL, offset;
2801 struct ipv6hdr _ipv6h, *ip6;
2802
2803 offset = skb->nh.raw - skb->data;
2804 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2805 if (ip6 == NULL)
2806 goto out;
2807
2808 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2809 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2810 ret = 0;
2811
2812 nexthdr = ip6->nexthdr;
2813 offset += sizeof(_ipv6h);
Herbert Xu0d3d0772005-04-24 20:16:19 -0700[diff] [blame]2814 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2815 if (offset < 0)
2816 goto out;
2817
2818 switch (nexthdr) {
2819 case IPPROTO_TCP: {
2820 struct tcphdr _tcph, *th;
2821
2822 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2823 if (th == NULL)
2824 break;
2825
2826 ad->u.net.sport = th->source;
2827 ad->u.net.dport = th->dest;
2828 break;
2829 }
2830
2831 case IPPROTO_UDP: {
2832 struct udphdr _udph, *uh;
2833
2834 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2835 if (uh == NULL)
2836 break;
2837
2838 ad->u.net.sport = uh->source;
2839 ad->u.net.dport = uh->dest;
2840 break;
2841 }
2842
2843 /* includes fragments */
2844 default:
2845 break;
2846 }
2847out:
2848 return ret;
2849}
2850
2851#endif /* IPV6 */
2852
2853static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2854 char **addrp, int *len, int src)
2855{
2856 int ret = 0;
2857
2858 switch (ad->u.net.family) {
2859 case PF_INET:
2860 ret = selinux_parse_skb_ipv4(skb, ad);
2861 if (ret || !addrp)
2862 break;
2863 *len = 4;
2864 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2865 &ad->u.net.v4info.daddr);
2866 break;
2867
2868#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2869 case PF_INET6:
2870 ret = selinux_parse_skb_ipv6(skb, ad);
2871 if (ret || !addrp)
2872 break;
2873 *len = 16;
2874 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2875 &ad->u.net.v6info.daddr);
2876 break;
2877#endif /* IPV6 */
2878 default:
2879 break;
2880 }
2881
2882 return ret;
2883}
2884
2885/* socket security operations */
2886static int socket_has_perm(struct task_struct *task, struct socket *sock,
2887 u32 perms)
2888{
2889 struct inode_security_struct *isec;
2890 struct task_security_struct *tsec;
2891 struct avc_audit_data ad;
2892 int err = 0;
2893
2894 tsec = task->security;
2895 isec = SOCK_INODE(sock)->i_security;
2896
2897 if (isec->sid == SECINITSID_KERNEL)
2898 goto out;
2899
2900 AVC_AUDIT_DATA_INIT(&ad,NET);
2901 ad.u.net.sk = sock->sk;
2902 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2903
2904out:
2905 return err;
2906}
2907
2908static int selinux_socket_create(int family, int type,
2909 int protocol, int kern)
2910{
2911 int err = 0;
2912 struct task_security_struct *tsec;
2913
2914 if (kern)
2915 goto out;
2916
2917 tsec = current->security;
2918 err = avc_has_perm(tsec->sid, tsec->sid,
2919 socket_type_to_security_class(family, type,
2920 protocol), SOCKET__CREATE, NULL);
2921
2922out:
2923 return err;
2924}
2925
2926static void selinux_socket_post_create(struct socket *sock, int family,
2927 int type, int protocol, int kern)
2928{
2929 struct inode_security_struct *isec;
2930 struct task_security_struct *tsec;
2931
2932 isec = SOCK_INODE(sock)->i_security;
2933
2934 tsec = current->security;
2935 isec->sclass = socket_type_to_security_class(family, type, protocol);
2936 isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2937 isec->initialized = 1;
2938
2939 return;
2940}
2941
2942/* Range of port numbers used to automatically bind.
2943 Need to determine whether we should perform a name_bind
2944 permission check between the socket and the port number. */
2945#define ip_local_port_range_0 sysctl_local_port_range[0]
2946#define ip_local_port_range_1 sysctl_local_port_range[1]
2947
2948static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2949{
2950 u16 family;
2951 int err;
2952
2953 err = socket_has_perm(current, sock, SOCKET__BIND);
2954 if (err)
2955 goto out;
2956
2957 /*
2958 * If PF_INET or PF_INET6, check name_bind permission for the port.
James Morris13402582005-09-30 14:24:34 -0400[diff] [blame]2959 * Multiple address binding for SCTP is not supported yet: we just
2960 * check the first address now.
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]2961 */
2962 family = sock->sk->sk_family;
2963 if (family == PF_INET || family == PF_INET6) {
2964 char *addrp;
2965 struct inode_security_struct *isec;
2966 struct task_security_struct *tsec;
2967 struct avc_audit_data ad;
2968 struct sockaddr_in *addr4 = NULL;
2969 struct sockaddr_in6 *addr6 = NULL;
2970 unsigned short snum;
2971 struct sock *sk = sock->sk;
2972 u32 sid, node_perm, addrlen;
2973
2974 tsec = current->security;
2975 isec = SOCK_INODE(sock)->i_security;
2976
2977 if (family == PF_INET) {
2978 addr4 = (struct sockaddr_in *)address;
2979 snum = ntohs(addr4->sin_port);
2980 addrlen = sizeof(addr4->sin_addr.s_addr);
2981 addrp = (char *)&addr4->sin_addr.s_addr;
2982 } else {
2983 addr6 = (struct sockaddr_in6 *)address;
2984 snum = ntohs(addr6->sin6_port);
2985 addrlen = sizeof(addr6->sin6_addr.s6_addr);
2986 addrp = (char *)&addr6->sin6_addr.s6_addr;
2987 }
2988
2989 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
2990 snum > ip_local_port_range_1)) {
2991 err = security_port_sid(sk->sk_family, sk->sk_type,
2992 sk->sk_protocol, snum, &sid);
2993 if (err)
2994 goto out;
2995 AVC_AUDIT_DATA_INIT(&ad,NET);
2996 ad.u.net.sport = htons(snum);
2997 ad.u.net.family = family;
2998 err = avc_has_perm(isec->sid, sid,
2999 isec->sclass,
3000 SOCKET__NAME_BIND, &ad);
3001 if (err)
3002 goto out;
3003 }
3004
James Morris13402582005-09-30 14:24:34 -0400[diff] [blame]3005 switch(isec->sclass) {
3006 case SECCLASS_TCP_SOCKET:
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3007 node_perm = TCP_SOCKET__NODE_BIND;
3008 break;
3009
James Morris13402582005-09-30 14:24:34 -0400[diff] [blame]3010 case SECCLASS_UDP_SOCKET:
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3011 node_perm = UDP_SOCKET__NODE_BIND;
3012 break;
3013
3014 default:
3015 node_perm = RAWIP_SOCKET__NODE_BIND;
3016 break;
3017 }
3018
3019 err = security_node_sid(family, addrp, addrlen, &sid);
3020 if (err)
3021 goto out;
3022
3023 AVC_AUDIT_DATA_INIT(&ad,NET);
3024 ad.u.net.sport = htons(snum);
3025 ad.u.net.family = family;
3026
3027 if (family == PF_INET)
3028 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3029 else
3030 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3031
3032 err = avc_has_perm(isec->sid, sid,
3033 isec->sclass, node_perm, &ad);
3034 if (err)
3035 goto out;
3036 }
3037out:
3038 return err;
3039}
3040
3041static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3042{
3043 struct inode_security_struct *isec;
3044 int err;
3045
3046 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3047 if (err)
3048 return err;
3049
3050 /*
3051 * If a TCP socket, check name_connect permission for the port.
3052 */
3053 isec = SOCK_INODE(sock)->i_security;
3054 if (isec->sclass == SECCLASS_TCP_SOCKET) {
3055 struct sock *sk = sock->sk;
3056 struct avc_audit_data ad;
3057 struct sockaddr_in *addr4 = NULL;
3058 struct sockaddr_in6 *addr6 = NULL;
3059 unsigned short snum;
3060 u32 sid;
3061
3062 if (sk->sk_family == PF_INET) {
3063 addr4 = (struct sockaddr_in *)address;
Stephen Smalley911656f2005-07-28 21:16:21 -0700[diff] [blame]3064 if (addrlen < sizeof(struct sockaddr_in))
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3065 return -EINVAL;
3066 snum = ntohs(addr4->sin_port);
3067 } else {
3068 addr6 = (struct sockaddr_in6 *)address;
Stephen Smalley911656f2005-07-28 21:16:21 -0700[diff] [blame]3069 if (addrlen < SIN6_LEN_RFC2133)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3070 return -EINVAL;
3071 snum = ntohs(addr6->sin6_port);
3072 }
3073
3074 err = security_port_sid(sk->sk_family, sk->sk_type,
3075 sk->sk_protocol, snum, &sid);
3076 if (err)
3077 goto out;
3078
3079 AVC_AUDIT_DATA_INIT(&ad,NET);
3080 ad.u.net.dport = htons(snum);
3081 ad.u.net.family = sk->sk_family;
3082 err = avc_has_perm(isec->sid, sid, isec->sclass,
3083 TCP_SOCKET__NAME_CONNECT, &ad);
3084 if (err)
3085 goto out;
3086 }
3087
3088out:
3089 return err;
3090}
3091
3092static int selinux_socket_listen(struct socket *sock, int backlog)
3093{
3094 return socket_has_perm(current, sock, SOCKET__LISTEN);
3095}
3096
3097static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3098{
3099 int err;
3100 struct inode_security_struct *isec;
3101 struct inode_security_struct *newisec;
3102
3103 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3104 if (err)
3105 return err;
3106
3107 newisec = SOCK_INODE(newsock)->i_security;
3108
3109 isec = SOCK_INODE(sock)->i_security;
3110 newisec->sclass = isec->sclass;
3111 newisec->sid = isec->sid;
3112 newisec->initialized = 1;
3113
3114 return 0;
3115}
3116
3117static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3118 int size)
3119{
3120 return socket_has_perm(current, sock, SOCKET__WRITE);
3121}
3122
3123static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3124 int size, int flags)
3125{
3126 return socket_has_perm(current, sock, SOCKET__READ);
3127}
3128
3129static int selinux_socket_getsockname(struct socket *sock)
3130{
3131 return socket_has_perm(current, sock, SOCKET__GETATTR);
3132}
3133
3134static int selinux_socket_getpeername(struct socket *sock)
3135{
3136 return socket_has_perm(current, sock, SOCKET__GETATTR);
3137}
3138
3139static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3140{
3141 return socket_has_perm(current, sock, SOCKET__SETOPT);
3142}
3143
3144static int selinux_socket_getsockopt(struct socket *sock, int level,
3145 int optname)
3146{
3147 return socket_has_perm(current, sock, SOCKET__GETOPT);
3148}
3149
3150static int selinux_socket_shutdown(struct socket *sock, int how)
3151{
3152 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3153}
3154
3155static int selinux_socket_unix_stream_connect(struct socket *sock,
3156 struct socket *other,
3157 struct sock *newsk)
3158{
3159 struct sk_security_struct *ssec;
3160 struct inode_security_struct *isec;
3161 struct inode_security_struct *other_isec;
3162 struct avc_audit_data ad;
3163 int err;
3164
3165 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3166 if (err)
3167 return err;
3168
3169 isec = SOCK_INODE(sock)->i_security;
3170 other_isec = SOCK_INODE(other)->i_security;
3171
3172 AVC_AUDIT_DATA_INIT(&ad,NET);
3173 ad.u.net.sk = other->sk;
3174
3175 err = avc_has_perm(isec->sid, other_isec->sid,
3176 isec->sclass,
3177 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3178 if (err)
3179 return err;
3180
3181 /* connecting socket */
3182 ssec = sock->sk->sk_security;
3183 ssec->peer_sid = other_isec->sid;
3184
3185 /* server child socket */
3186 ssec = newsk->sk_security;
3187 ssec->peer_sid = isec->sid;
3188
3189 return 0;
3190}
3191
3192static int selinux_socket_unix_may_send(struct socket *sock,
3193 struct socket *other)
3194{
3195 struct inode_security_struct *isec;
3196 struct inode_security_struct *other_isec;
3197 struct avc_audit_data ad;
3198 int err;
3199
3200 isec = SOCK_INODE(sock)->i_security;
3201 other_isec = SOCK_INODE(other)->i_security;
3202
3203 AVC_AUDIT_DATA_INIT(&ad,NET);
3204 ad.u.net.sk = other->sk;
3205
3206 err = avc_has_perm(isec->sid, other_isec->sid,
3207 isec->sclass, SOCKET__SENDTO, &ad);
3208 if (err)
3209 return err;
3210
3211 return 0;
3212}
3213
3214static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3215{
3216 u16 family;
3217 char *addrp;
3218 int len, err = 0;
3219 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3220 u32 sock_sid = 0;
3221 u16 sock_class = 0;
3222 struct socket *sock;
3223 struct net_device *dev;
3224 struct avc_audit_data ad;
3225
3226 family = sk->sk_family;
3227 if (family != PF_INET && family != PF_INET6)
3228 goto out;
3229
3230 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3231 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3232 family = PF_INET;
3233
3234 read_lock_bh(&sk->sk_callback_lock);
3235 sock = sk->sk_socket;
3236 if (sock) {
3237 struct inode *inode;
3238 inode = SOCK_INODE(sock);
3239 if (inode) {
3240 struct inode_security_struct *isec;
3241 isec = inode->i_security;
3242 sock_sid = isec->sid;
3243 sock_class = isec->sclass;
3244 }
3245 }
3246 read_unlock_bh(&sk->sk_callback_lock);
3247 if (!sock_sid)
3248 goto out;
3249
3250 dev = skb->dev;
3251 if (!dev)
3252 goto out;
3253
3254 err = sel_netif_sids(dev, &if_sid, NULL);
3255 if (err)
3256 goto out;
3257
3258 switch (sock_class) {
3259 case SECCLASS_UDP_SOCKET:
3260 netif_perm = NETIF__UDP_RECV;
3261 node_perm = NODE__UDP_RECV;
3262 recv_perm = UDP_SOCKET__RECV_MSG;
3263 break;
3264
3265 case SECCLASS_TCP_SOCKET:
3266 netif_perm = NETIF__TCP_RECV;
3267 node_perm = NODE__TCP_RECV;
3268 recv_perm = TCP_SOCKET__RECV_MSG;
3269 break;
3270
3271 default:
3272 netif_perm = NETIF__RAWIP_RECV;
3273 node_perm = NODE__RAWIP_RECV;
3274 break;
3275 }
3276
3277 AVC_AUDIT_DATA_INIT(&ad, NET);
3278 ad.u.net.netif = dev->name;
3279 ad.u.net.family = family;
3280
3281 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3282 if (err)
3283 goto out;
3284
3285 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3286 if (err)
3287 goto out;
3288
3289 /* Fixme: this lookup is inefficient */
3290 err = security_node_sid(family, addrp, len, &node_sid);
3291 if (err)
3292 goto out;
3293
3294 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3295 if (err)
3296 goto out;
3297
3298 if (recv_perm) {
3299 u32 port_sid;
3300
3301 /* Fixme: make this more efficient */
3302 err = security_port_sid(sk->sk_family, sk->sk_type,
3303 sk->sk_protocol, ntohs(ad.u.net.sport),
3304 &port_sid);
3305 if (err)
3306 goto out;
3307
3308 err = avc_has_perm(sock_sid, port_sid,
3309 sock_class, recv_perm, &ad);
3310 }
Trent Jaegerd28d1e02005-12-13 23:12:40 -0800[diff] [blame]3311
3312 if (!err)
3313 err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3314
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3315out:
3316 return err;
3317}
3318
Catherine Zhang2c7946a2006-03-20 22:41:23 -0800[diff] [blame]3319static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3320 int __user *optlen, unsigned len)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3321{
3322 int err = 0;
3323 char *scontext;
3324 u32 scontext_len;
3325 struct sk_security_struct *ssec;
3326 struct inode_security_struct *isec;
Catherine Zhang2c7946a2006-03-20 22:41:23 -0800[diff] [blame]3327 u32 peer_sid = 0;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3328
3329 isec = SOCK_INODE(sock)->i_security;
Catherine Zhang2c7946a2006-03-20 22:41:23 -0800[diff] [blame]3330
3331 /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3332 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3333 ssec = sock->sk->sk_security;
3334 peer_sid = ssec->peer_sid;
3335 }
3336 else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3337 peer_sid = selinux_socket_getpeer_stream(sock->sk);
3338
3339 if (peer_sid == SECSID_NULL) {
3340 err = -ENOPROTOOPT;
3341 goto out;
3342 }
3343 }
3344 else {
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3345 err = -ENOPROTOOPT;
3346 goto out;
3347 }
3348
Catherine Zhang2c7946a2006-03-20 22:41:23 -0800[diff] [blame]3349 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3350
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3351 if (err)
3352 goto out;
3353
3354 if (scontext_len > len) {
3355 err = -ERANGE;
3356 goto out_len;
3357 }
3358
3359 if (copy_to_user(optval, scontext, scontext_len))
3360 err = -EFAULT;
3361
3362out_len:
3363 if (put_user(scontext_len, optlen))
3364 err = -EFAULT;
3365
3366 kfree(scontext);
3367out:
3368 return err;
3369}
3370
Catherine Zhang2c7946a2006-03-20 22:41:23 -0800[diff] [blame]3371static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen)
3372{
3373 int err = 0;
3374 u32 peer_sid = selinux_socket_getpeer_dgram(skb);
3375
3376 if (peer_sid == SECSID_NULL)
3377 return -EINVAL;
3378
3379 err = security_sid_to_context(peer_sid, secdata, seclen);
3380 if (err)
3381 return err;
3382
3383 return 0;
3384}
3385
3386
3387
Al Viro7d877f32005-10-21 03:20:43 -0400[diff] [blame]3388static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3389{
3390 return sk_alloc_security(sk, family, priority);
3391}
3392
3393static void selinux_sk_free_security(struct sock *sk)
3394{
3395 sk_free_security(sk);
3396}
3397
Trent Jaegerd28d1e02005-12-13 23:12:40 -0800[diff] [blame]3398static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3399{
3400 struct inode_security_struct *isec;
3401 u32 sock_sid = SECINITSID_ANY_SOCKET;
3402
3403 if (!sk)
3404 return selinux_no_sk_sid(fl);
3405
3406 read_lock_bh(&sk->sk_callback_lock);
3407 isec = get_sock_isec(sk);
3408
3409 if (isec)
3410 sock_sid = isec->sid;
3411
3412 read_unlock_bh(&sk->sk_callback_lock);
3413 return sock_sid;
3414}
3415
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3416static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3417{
3418 int err = 0;
3419 u32 perm;
3420 struct nlmsghdr *nlh;
3421 struct socket *sock = sk->sk_socket;
3422 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3423
3424 if (skb->len < NLMSG_SPACE(0)) {
3425 err = -EINVAL;
3426 goto out;
3427 }
3428 nlh = (struct nlmsghdr *)skb->data;
3429
3430 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3431 if (err) {
3432 if (err == -EINVAL) {
David Woodhouse9ad9ad32005-06-22 15:04:33 +0100[diff] [blame]3433 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3434 "SELinux: unrecognized netlink message"
3435 " type=%hu for sclass=%hu\n",
3436 nlh->nlmsg_type, isec->sclass);
3437 if (!selinux_enforcing)
3438 err = 0;
3439 }
3440
3441 /* Ignore */
3442 if (err == -ENOENT)
3443 err = 0;
3444 goto out;
3445 }
3446
3447 err = socket_has_perm(current, sock, perm);
3448out:
3449 return err;
3450}
3451
3452#ifdef CONFIG_NETFILTER
3453
3454static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3455 struct sk_buff **pskb,
3456 const struct net_device *in,
3457 const struct net_device *out,
3458 int (*okfn)(struct sk_buff *),
3459 u16 family)
3460{
3461 char *addrp;
3462 int len, err = NF_ACCEPT;
3463 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3464 struct sock *sk;
3465 struct socket *sock;
3466 struct inode *inode;
3467 struct sk_buff *skb = *pskb;
3468 struct inode_security_struct *isec;
3469 struct avc_audit_data ad;
3470 struct net_device *dev = (struct net_device *)out;
3471
3472 sk = skb->sk;
3473 if (!sk)
3474 goto out;
3475
3476 sock = sk->sk_socket;
3477 if (!sock)
3478 goto out;
3479
3480 inode = SOCK_INODE(sock);
3481 if (!inode)
3482 goto out;
3483
3484 err = sel_netif_sids(dev, &if_sid, NULL);
3485 if (err)
3486 goto out;
3487
3488 isec = inode->i_security;
3489
3490 switch (isec->sclass) {
3491 case SECCLASS_UDP_SOCKET:
3492 netif_perm = NETIF__UDP_SEND;
3493 node_perm = NODE__UDP_SEND;
3494 send_perm = UDP_SOCKET__SEND_MSG;
3495 break;
3496
3497 case SECCLASS_TCP_SOCKET:
3498 netif_perm = NETIF__TCP_SEND;
3499 node_perm = NODE__TCP_SEND;
3500 send_perm = TCP_SOCKET__SEND_MSG;
3501 break;
3502
3503 default:
3504 netif_perm = NETIF__RAWIP_SEND;
3505 node_perm = NODE__RAWIP_SEND;
3506 break;
3507 }
3508
3509
3510 AVC_AUDIT_DATA_INIT(&ad, NET);
3511 ad.u.net.netif = dev->name;
3512 ad.u.net.family = family;
3513
3514 err = selinux_parse_skb(skb, &ad, &addrp,
3515 &len, 0) ? NF_DROP : NF_ACCEPT;
3516 if (err != NF_ACCEPT)
3517 goto out;
3518
3519 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3520 netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3521 if (err != NF_ACCEPT)
3522 goto out;
3523
3524 /* Fixme: this lookup is inefficient */
3525 err = security_node_sid(family, addrp, len,
3526 &node_sid) ? NF_DROP : NF_ACCEPT;
3527 if (err != NF_ACCEPT)
3528 goto out;
3529
3530 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3531 node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3532 if (err != NF_ACCEPT)
3533 goto out;
3534
3535 if (send_perm) {
3536 u32 port_sid;
3537
3538 /* Fixme: make this more efficient */
3539 err = security_port_sid(sk->sk_family,
3540 sk->sk_type,
3541 sk->sk_protocol,
3542 ntohs(ad.u.net.dport),
3543 &port_sid) ? NF_DROP : NF_ACCEPT;
3544 if (err != NF_ACCEPT)
3545 goto out;
3546
3547 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3548 send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3549 }
3550
Trent Jaegerd28d1e02005-12-13 23:12:40 -0800[diff] [blame]3551 if (err != NF_ACCEPT)
3552 goto out;
3553
3554 err = selinux_xfrm_postroute_last(isec->sid, skb);
3555
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3556out:
3557 return err;
3558}
3559
3560static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3561 struct sk_buff **pskb,
3562 const struct net_device *in,
3563 const struct net_device *out,
3564 int (*okfn)(struct sk_buff *))
3565{
3566 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3567}
3568
3569#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3570
3571static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3572 struct sk_buff **pskb,
3573 const struct net_device *in,
3574 const struct net_device *out,
3575 int (*okfn)(struct sk_buff *))
3576{
3577 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3578}
3579
3580#endif /* IPV6 */
3581
3582#endif /* CONFIG_NETFILTER */
3583
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3584static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3585{
3586 struct task_security_struct *tsec;
3587 struct av_decision avd;
3588 int err;
3589
3590 err = secondary_ops->netlink_send(sk, skb);
3591 if (err)
3592 return err;
3593
3594 tsec = current->security;
3595
3596 avd.allowed = 0;
3597 avc_has_perm_noaudit(tsec->sid, tsec->sid,
3598 SECCLASS_CAPABILITY, ~0, &avd);
3599 cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3600
3601 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3602 err = selinux_nlmsg_perm(sk, skb);
3603
3604 return err;
3605}
3606
3607static int selinux_netlink_recv(struct sk_buff *skb)
3608{
3609 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3610 return -EPERM;
3611 return 0;
3612}
3613
3614static int ipc_alloc_security(struct task_struct *task,
3615 struct kern_ipc_perm *perm,
3616 u16 sclass)
3617{
3618 struct task_security_struct *tsec = task->security;
3619 struct ipc_security_struct *isec;
3620
James Morris89d155e2005-10-30 14:59:21 -0800[diff] [blame]3621 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3622 if (!isec)
3623 return -ENOMEM;
3624
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3625 isec->sclass = sclass;
3626 isec->ipc_perm = perm;
Stephen Smalley9ac49d22006-02-01 03:05:56 -0800[diff] [blame]3627 isec->sid = tsec->sid;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3628 perm->security = isec;
3629
3630 return 0;
3631}
3632
3633static void ipc_free_security(struct kern_ipc_perm *perm)
3634{
3635 struct ipc_security_struct *isec = perm->security;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3636 perm->security = NULL;
3637 kfree(isec);
3638}
3639
3640static int msg_msg_alloc_security(struct msg_msg *msg)
3641{
3642 struct msg_security_struct *msec;
3643
James Morris89d155e2005-10-30 14:59:21 -0800[diff] [blame]3644 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3645 if (!msec)
3646 return -ENOMEM;
3647
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3648 msec->msg = msg;
3649 msec->sid = SECINITSID_UNLABELED;
3650 msg->security = msec;
3651
3652 return 0;
3653}
3654
3655static void msg_msg_free_security(struct msg_msg *msg)
3656{
3657 struct msg_security_struct *msec = msg->security;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3658
3659 msg->security = NULL;
3660 kfree(msec);
3661}
3662
3663static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]3664 u32 perms)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3665{
3666 struct task_security_struct *tsec;
3667 struct ipc_security_struct *isec;
3668 struct avc_audit_data ad;
3669
3670 tsec = current->security;
3671 isec = ipc_perms->security;
3672
3673 AVC_AUDIT_DATA_INIT(&ad, IPC);
3674 ad.u.ipc_id = ipc_perms->key;
3675
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]3676 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3677}
3678
3679static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3680{
3681 return msg_msg_alloc_security(msg);
3682}
3683
3684static void selinux_msg_msg_free_security(struct msg_msg *msg)
3685{
3686 msg_msg_free_security(msg);
3687}
3688
3689/* message queue security operations */
3690static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3691{
3692 struct task_security_struct *tsec;
3693 struct ipc_security_struct *isec;
3694 struct avc_audit_data ad;
3695 int rc;
3696
3697 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3698 if (rc)
3699 return rc;
3700
3701 tsec = current->security;
3702 isec = msq->q_perm.security;
3703
3704 AVC_AUDIT_DATA_INIT(&ad, IPC);
3705 ad.u.ipc_id = msq->q_perm.key;
3706
3707 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3708 MSGQ__CREATE, &ad);
3709 if (rc) {
3710 ipc_free_security(&msq->q_perm);
3711 return rc;
3712 }
3713 return 0;
3714}
3715
3716static void selinux_msg_queue_free_security(struct msg_queue *msq)
3717{
3718 ipc_free_security(&msq->q_perm);
3719}
3720
3721static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3722{
3723 struct task_security_struct *tsec;
3724 struct ipc_security_struct *isec;
3725 struct avc_audit_data ad;
3726
3727 tsec = current->security;
3728 isec = msq->q_perm.security;
3729
3730 AVC_AUDIT_DATA_INIT(&ad, IPC);
3731 ad.u.ipc_id = msq->q_perm.key;
3732
3733 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3734 MSGQ__ASSOCIATE, &ad);
3735}
3736
3737static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3738{
3739 int err;
3740 int perms;
3741
3742 switch(cmd) {
3743 case IPC_INFO:
3744 case MSG_INFO:
3745 /* No specific object, just general system-wide information. */
3746 return task_has_system(current, SYSTEM__IPC_INFO);
3747 case IPC_STAT:
3748 case MSG_STAT:
3749 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3750 break;
3751 case IPC_SET:
3752 perms = MSGQ__SETATTR;
3753 break;
3754 case IPC_RMID:
3755 perms = MSGQ__DESTROY;
3756 break;
3757 default:
3758 return 0;
3759 }
3760
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]3761 err = ipc_has_perm(&msq->q_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3762 return err;
3763}
3764
3765static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3766{
3767 struct task_security_struct *tsec;
3768 struct ipc_security_struct *isec;
3769 struct msg_security_struct *msec;
3770 struct avc_audit_data ad;
3771 int rc;
3772
3773 tsec = current->security;
3774 isec = msq->q_perm.security;
3775 msec = msg->security;
3776
3777 /*
3778 * First time through, need to assign label to the message
3779 */
3780 if (msec->sid == SECINITSID_UNLABELED) {
3781 /*
3782 * Compute new sid based on current process and
3783 * message queue this message will be stored in
3784 */
3785 rc = security_transition_sid(tsec->sid,
3786 isec->sid,
3787 SECCLASS_MSG,
3788 &msec->sid);
3789 if (rc)
3790 return rc;
3791 }
3792
3793 AVC_AUDIT_DATA_INIT(&ad, IPC);
3794 ad.u.ipc_id = msq->q_perm.key;
3795
3796 /* Can this process write to the queue? */
3797 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3798 MSGQ__WRITE, &ad);
3799 if (!rc)
3800 /* Can this process send the message */
3801 rc = avc_has_perm(tsec->sid, msec->sid,
3802 SECCLASS_MSG, MSG__SEND, &ad);
3803 if (!rc)
3804 /* Can the message be put in the queue? */
3805 rc = avc_has_perm(msec->sid, isec->sid,
3806 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3807
3808 return rc;
3809}
3810
3811static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3812 struct task_struct *target,
3813 long type, int mode)
3814{
3815 struct task_security_struct *tsec;
3816 struct ipc_security_struct *isec;
3817 struct msg_security_struct *msec;
3818 struct avc_audit_data ad;
3819 int rc;
3820
3821 tsec = target->security;
3822 isec = msq->q_perm.security;
3823 msec = msg->security;
3824
3825 AVC_AUDIT_DATA_INIT(&ad, IPC);
3826 ad.u.ipc_id = msq->q_perm.key;
3827
3828 rc = avc_has_perm(tsec->sid, isec->sid,
3829 SECCLASS_MSGQ, MSGQ__READ, &ad);
3830 if (!rc)
3831 rc = avc_has_perm(tsec->sid, msec->sid,
3832 SECCLASS_MSG, MSG__RECEIVE, &ad);
3833 return rc;
3834}
3835
3836/* Shared Memory security operations */
3837static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3838{
3839 struct task_security_struct *tsec;
3840 struct ipc_security_struct *isec;
3841 struct avc_audit_data ad;
3842 int rc;
3843
3844 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3845 if (rc)
3846 return rc;
3847
3848 tsec = current->security;
3849 isec = shp->shm_perm.security;
3850
3851 AVC_AUDIT_DATA_INIT(&ad, IPC);
3852 ad.u.ipc_id = shp->shm_perm.key;
3853
3854 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3855 SHM__CREATE, &ad);
3856 if (rc) {
3857 ipc_free_security(&shp->shm_perm);
3858 return rc;
3859 }
3860 return 0;
3861}
3862
3863static void selinux_shm_free_security(struct shmid_kernel *shp)
3864{
3865 ipc_free_security(&shp->shm_perm);
3866}
3867
3868static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3869{
3870 struct task_security_struct *tsec;
3871 struct ipc_security_struct *isec;
3872 struct avc_audit_data ad;
3873
3874 tsec = current->security;
3875 isec = shp->shm_perm.security;
3876
3877 AVC_AUDIT_DATA_INIT(&ad, IPC);
3878 ad.u.ipc_id = shp->shm_perm.key;
3879
3880 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3881 SHM__ASSOCIATE, &ad);
3882}
3883
3884/* Note, at this point, shp is locked down */
3885static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3886{
3887 int perms;
3888 int err;
3889
3890 switch(cmd) {
3891 case IPC_INFO:
3892 case SHM_INFO:
3893 /* No specific object, just general system-wide information. */
3894 return task_has_system(current, SYSTEM__IPC_INFO);
3895 case IPC_STAT:
3896 case SHM_STAT:
3897 perms = SHM__GETATTR | SHM__ASSOCIATE;
3898 break;
3899 case IPC_SET:
3900 perms = SHM__SETATTR;
3901 break;
3902 case SHM_LOCK:
3903 case SHM_UNLOCK:
3904 perms = SHM__LOCK;
3905 break;
3906 case IPC_RMID:
3907 perms = SHM__DESTROY;
3908 break;
3909 default:
3910 return 0;
3911 }
3912
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]3913 err = ipc_has_perm(&shp->shm_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3914 return err;
3915}
3916
3917static int selinux_shm_shmat(struct shmid_kernel *shp,
3918 char __user *shmaddr, int shmflg)
3919{
3920 u32 perms;
3921 int rc;
3922
3923 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3924 if (rc)
3925 return rc;
3926
3927 if (shmflg & SHM_RDONLY)
3928 perms = SHM__READ;
3929 else
3930 perms = SHM__READ | SHM__WRITE;
3931
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]3932 return ipc_has_perm(&shp->shm_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3933}
3934
3935/* Semaphore security operations */
3936static int selinux_sem_alloc_security(struct sem_array *sma)
3937{
3938 struct task_security_struct *tsec;
3939 struct ipc_security_struct *isec;
3940 struct avc_audit_data ad;
3941 int rc;
3942
3943 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3944 if (rc)
3945 return rc;
3946
3947 tsec = current->security;
3948 isec = sma->sem_perm.security;
3949
3950 AVC_AUDIT_DATA_INIT(&ad, IPC);
3951 ad.u.ipc_id = sma->sem_perm.key;
3952
3953 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3954 SEM__CREATE, &ad);
3955 if (rc) {
3956 ipc_free_security(&sma->sem_perm);
3957 return rc;
3958 }
3959 return 0;
3960}
3961
3962static void selinux_sem_free_security(struct sem_array *sma)
3963{
3964 ipc_free_security(&sma->sem_perm);
3965}
3966
3967static int selinux_sem_associate(struct sem_array *sma, int semflg)
3968{
3969 struct task_security_struct *tsec;
3970 struct ipc_security_struct *isec;
3971 struct avc_audit_data ad;
3972
3973 tsec = current->security;
3974 isec = sma->sem_perm.security;
3975
3976 AVC_AUDIT_DATA_INIT(&ad, IPC);
3977 ad.u.ipc_id = sma->sem_perm.key;
3978
3979 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3980 SEM__ASSOCIATE, &ad);
3981}
3982
3983/* Note, at this point, sma is locked down */
3984static int selinux_sem_semctl(struct sem_array *sma, int cmd)
3985{
3986 int err;
3987 u32 perms;
3988
3989 switch(cmd) {
3990 case IPC_INFO:
3991 case SEM_INFO:
3992 /* No specific object, just general system-wide information. */
3993 return task_has_system(current, SYSTEM__IPC_INFO);
3994 case GETPID:
3995 case GETNCNT:
3996 case GETZCNT:
3997 perms = SEM__GETATTR;
3998 break;
3999 case GETVAL:
4000 case GETALL:
4001 perms = SEM__READ;
4002 break;
4003 case SETVAL:
4004 case SETALL:
4005 perms = SEM__WRITE;
4006 break;
4007 case IPC_RMID:
4008 perms = SEM__DESTROY;
4009 break;
4010 case IPC_SET:
4011 perms = SEM__SETATTR;
4012 break;
4013 case IPC_STAT:
4014 case SEM_STAT:
4015 perms = SEM__GETATTR | SEM__ASSOCIATE;
4016 break;
4017 default:
4018 return 0;
4019 }
4020
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]4021 err = ipc_has_perm(&sma->sem_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4022 return err;
4023}
4024
4025static int selinux_sem_semop(struct sem_array *sma,
4026 struct sembuf *sops, unsigned nsops, int alter)
4027{
4028 u32 perms;
4029
4030 if (alter)
4031 perms = SEM__READ | SEM__WRITE;
4032 else
4033 perms = SEM__READ;
4034
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]4035 return ipc_has_perm(&sma->sem_perm, perms);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4036}
4037
4038static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4039{
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4040 u32 av = 0;
4041
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4042 av = 0;
4043 if (flag & S_IRUGO)
4044 av |= IPC__UNIX_READ;
4045 if (flag & S_IWUGO)
4046 av |= IPC__UNIX_WRITE;
4047
4048 if (av == 0)
4049 return 0;
4050
Stephen Smalley6af963f2005-05-01 08:58:39 -0700[diff] [blame]4051 return ipc_has_perm(ipcp, av);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4052}
4053
4054/* module stacking operations */
4055static int selinux_register_security (const char *name, struct security_operations *ops)
4056{
4057 if (secondary_ops != original_ops) {
4058 printk(KERN_INFO "%s: There is already a secondary security "
4059 "module registered.\n", __FUNCTION__);
4060 return -EINVAL;
4061 }
4062
4063 secondary_ops = ops;
4064
4065 printk(KERN_INFO "%s: Registering secondary module %s\n",
4066 __FUNCTION__,
4067 name);
4068
4069 return 0;
4070}
4071
4072static int selinux_unregister_security (const char *name, struct security_operations *ops)
4073{
4074 if (ops != secondary_ops) {
4075 printk (KERN_INFO "%s: trying to unregister a security module "
4076 "that is not registered.\n", __FUNCTION__);
4077 return -EINVAL;
4078 }
4079
4080 secondary_ops = original_ops;
4081
4082 return 0;
4083}
4084
4085static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4086{
4087 if (inode)
4088 inode_doinit_with_dentry(inode, dentry);
4089}
4090
4091static int selinux_getprocattr(struct task_struct *p,
4092 char *name, void *value, size_t size)
4093{
4094 struct task_security_struct *tsec;
4095 u32 sid, len;
4096 char *context;
4097 int error;
4098
4099 if (current != p) {
4100 error = task_has_perm(current, p, PROCESS__GETATTR);
4101 if (error)
4102 return error;
4103 }
4104
4105 if (!size)
4106 return -ERANGE;
4107
4108 tsec = p->security;
4109
4110 if (!strcmp(name, "current"))
4111 sid = tsec->sid;
4112 else if (!strcmp(name, "prev"))
4113 sid = tsec->osid;
4114 else if (!strcmp(name, "exec"))
4115 sid = tsec->exec_sid;
4116 else if (!strcmp(name, "fscreate"))
4117 sid = tsec->create_sid;
4118 else
4119 return -EINVAL;
4120
4121 if (!sid)
4122 return 0;
4123
4124 error = security_sid_to_context(sid, &context, &len);
4125 if (error)
4126 return error;
4127 if (len > size) {
4128 kfree(context);
4129 return -ERANGE;
4130 }
4131 memcpy(value, context, len);
4132 kfree(context);
4133 return len;
4134}
4135
4136static int selinux_setprocattr(struct task_struct *p,
4137 char *name, void *value, size_t size)
4138{
4139 struct task_security_struct *tsec;
4140 u32 sid = 0;
4141 int error;
4142 char *str = value;
4143
4144 if (current != p) {
4145 /* SELinux only allows a process to change its own
4146 security attributes. */
4147 return -EACCES;
4148 }
4149
4150 /*
4151 * Basic control over ability to set these attributes at all.
4152 * current == p, but we'll pass them separately in case the
4153 * above restriction is ever removed.
4154 */
4155 if (!strcmp(name, "exec"))
4156 error = task_has_perm(current, p, PROCESS__SETEXEC);
4157 else if (!strcmp(name, "fscreate"))
4158 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4159 else if (!strcmp(name, "current"))
4160 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4161 else
4162 error = -EINVAL;
4163 if (error)
4164 return error;
4165
4166 /* Obtain a SID for the context, if one was specified. */
4167 if (size && str[1] && str[1] != '\n') {
4168 if (str[size-1] == '\n') {
4169 str[size-1] = 0;
4170 size--;
4171 }
4172 error = security_context_to_sid(value, size, &sid);
4173 if (error)
4174 return error;
4175 }
4176
4177 /* Permission checking based on the specified context is
4178 performed during the actual operation (execve,
4179 open/mkdir/...), when we know the full context of the
4180 operation. See selinux_bprm_set_security for the execve
4181 checks and may_create for the file creation checks. The
4182 operation will then fail if the context is not permitted. */
4183 tsec = p->security;
4184 if (!strcmp(name, "exec"))
4185 tsec->exec_sid = sid;
4186 else if (!strcmp(name, "fscreate"))
4187 tsec->create_sid = sid;
4188 else if (!strcmp(name, "current")) {
4189 struct av_decision avd;
4190
4191 if (sid == 0)
4192 return -EINVAL;
4193
4194 /* Only allow single threaded processes to change context */
4195 if (atomic_read(&p->mm->mm_users) != 1) {
4196 struct task_struct *g, *t;
4197 struct mm_struct *mm = p->mm;
4198 read_lock(&tasklist_lock);
4199 do_each_thread(g, t)
4200 if (t->mm == mm && t != p) {
4201 read_unlock(&tasklist_lock);
4202 return -EPERM;
4203 }
4204 while_each_thread(g, t);
4205 read_unlock(&tasklist_lock);
4206 }
4207
4208 /* Check permissions for the transition. */
4209 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4210 PROCESS__DYNTRANSITION, NULL);
4211 if (error)
4212 return error;
4213
4214 /* Check for ptracing, and update the task SID if ok.
4215 Otherwise, leave SID unchanged and fail. */
4216 task_lock(p);
4217 if (p->ptrace & PT_PTRACED) {
4218 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4219 SECCLASS_PROCESS,
4220 PROCESS__PTRACE, &avd);
4221 if (!error)
4222 tsec->sid = sid;
4223 task_unlock(p);
4224 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4225 PROCESS__PTRACE, &avd, error, NULL);
4226 if (error)
4227 return error;
4228 } else {
4229 tsec->sid = sid;
4230 task_unlock(p);
4231 }
4232 }
4233 else
4234 return -EINVAL;
4235
4236 return size;
4237}
4238
4239static struct security_operations selinux_ops = {
4240 .ptrace = selinux_ptrace,
4241 .capget = selinux_capget,
4242 .capset_check = selinux_capset_check,
4243 .capset_set = selinux_capset_set,
4244 .sysctl = selinux_sysctl,
4245 .capable = selinux_capable,
4246 .quotactl = selinux_quotactl,
4247 .quota_on = selinux_quota_on,
4248 .syslog = selinux_syslog,
4249 .vm_enough_memory = selinux_vm_enough_memory,
4250
4251 .netlink_send = selinux_netlink_send,
4252 .netlink_recv = selinux_netlink_recv,
4253
4254 .bprm_alloc_security = selinux_bprm_alloc_security,
4255 .bprm_free_security = selinux_bprm_free_security,
4256 .bprm_apply_creds = selinux_bprm_apply_creds,
4257 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
4258 .bprm_set_security = selinux_bprm_set_security,
4259 .bprm_check_security = selinux_bprm_check_security,
4260 .bprm_secureexec = selinux_bprm_secureexec,
4261
4262 .sb_alloc_security = selinux_sb_alloc_security,
4263 .sb_free_security = selinux_sb_free_security,
4264 .sb_copy_data = selinux_sb_copy_data,
4265 .sb_kern_mount = selinux_sb_kern_mount,
4266 .sb_statfs = selinux_sb_statfs,
4267 .sb_mount = selinux_mount,
4268 .sb_umount = selinux_umount,
4269
4270 .inode_alloc_security = selinux_inode_alloc_security,
4271 .inode_free_security = selinux_inode_free_security,
Stephen Smalley5e41ff92005-09-09 13:01:35 -0700[diff] [blame]4272 .inode_init_security = selinux_inode_init_security,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4273 .inode_create = selinux_inode_create,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4274 .inode_link = selinux_inode_link,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4275 .inode_unlink = selinux_inode_unlink,
4276 .inode_symlink = selinux_inode_symlink,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4277 .inode_mkdir = selinux_inode_mkdir,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4278 .inode_rmdir = selinux_inode_rmdir,
4279 .inode_mknod = selinux_inode_mknod,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4280 .inode_rename = selinux_inode_rename,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4281 .inode_readlink = selinux_inode_readlink,
4282 .inode_follow_link = selinux_inode_follow_link,
4283 .inode_permission = selinux_inode_permission,
4284 .inode_setattr = selinux_inode_setattr,
4285 .inode_getattr = selinux_inode_getattr,
4286 .inode_setxattr = selinux_inode_setxattr,
4287 .inode_post_setxattr = selinux_inode_post_setxattr,
4288 .inode_getxattr = selinux_inode_getxattr,
4289 .inode_listxattr = selinux_inode_listxattr,
4290 .inode_removexattr = selinux_inode_removexattr,
4291 .inode_getsecurity = selinux_inode_getsecurity,
4292 .inode_setsecurity = selinux_inode_setsecurity,
4293 .inode_listsecurity = selinux_inode_listsecurity,
4294
4295 .file_permission = selinux_file_permission,
4296 .file_alloc_security = selinux_file_alloc_security,
4297 .file_free_security = selinux_file_free_security,
4298 .file_ioctl = selinux_file_ioctl,
4299 .file_mmap = selinux_file_mmap,
4300 .file_mprotect = selinux_file_mprotect,
4301 .file_lock = selinux_file_lock,
4302 .file_fcntl = selinux_file_fcntl,
4303 .file_set_fowner = selinux_file_set_fowner,
4304 .file_send_sigiotask = selinux_file_send_sigiotask,
4305 .file_receive = selinux_file_receive,
4306
4307 .task_create = selinux_task_create,
4308 .task_alloc_security = selinux_task_alloc_security,
4309 .task_free_security = selinux_task_free_security,
4310 .task_setuid = selinux_task_setuid,
4311 .task_post_setuid = selinux_task_post_setuid,
4312 .task_setgid = selinux_task_setgid,
4313 .task_setpgid = selinux_task_setpgid,
4314 .task_getpgid = selinux_task_getpgid,
4315 .task_getsid = selinux_task_getsid,
4316 .task_setgroups = selinux_task_setgroups,
4317 .task_setnice = selinux_task_setnice,
4318 .task_setrlimit = selinux_task_setrlimit,
4319 .task_setscheduler = selinux_task_setscheduler,
4320 .task_getscheduler = selinux_task_getscheduler,
4321 .task_kill = selinux_task_kill,
4322 .task_wait = selinux_task_wait,
4323 .task_prctl = selinux_task_prctl,
4324 .task_reparent_to_init = selinux_task_reparent_to_init,
4325 .task_to_inode = selinux_task_to_inode,
4326
4327 .ipc_permission = selinux_ipc_permission,
4328
4329 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4330 .msg_msg_free_security = selinux_msg_msg_free_security,
4331
4332 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4333 .msg_queue_free_security = selinux_msg_queue_free_security,
4334 .msg_queue_associate = selinux_msg_queue_associate,
4335 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4336 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4337 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4338
4339 .shm_alloc_security = selinux_shm_alloc_security,
4340 .shm_free_security = selinux_shm_free_security,
4341 .shm_associate = selinux_shm_associate,
4342 .shm_shmctl = selinux_shm_shmctl,
4343 .shm_shmat = selinux_shm_shmat,
4344
4345 .sem_alloc_security = selinux_sem_alloc_security,
4346 .sem_free_security = selinux_sem_free_security,
4347 .sem_associate = selinux_sem_associate,
4348 .sem_semctl = selinux_sem_semctl,
4349 .sem_semop = selinux_sem_semop,
4350
4351 .register_security = selinux_register_security,
4352 .unregister_security = selinux_unregister_security,
4353
4354 .d_instantiate = selinux_d_instantiate,
4355
4356 .getprocattr = selinux_getprocattr,
4357 .setprocattr = selinux_setprocattr,
4358
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4359 .unix_stream_connect = selinux_socket_unix_stream_connect,
4360 .unix_may_send = selinux_socket_unix_may_send,
4361
4362 .socket_create = selinux_socket_create,
4363 .socket_post_create = selinux_socket_post_create,
4364 .socket_bind = selinux_socket_bind,
4365 .socket_connect = selinux_socket_connect,
4366 .socket_listen = selinux_socket_listen,
4367 .socket_accept = selinux_socket_accept,
4368 .socket_sendmsg = selinux_socket_sendmsg,
4369 .socket_recvmsg = selinux_socket_recvmsg,
4370 .socket_getsockname = selinux_socket_getsockname,
4371 .socket_getpeername = selinux_socket_getpeername,
4372 .socket_getsockopt = selinux_socket_getsockopt,
4373 .socket_setsockopt = selinux_socket_setsockopt,
4374 .socket_shutdown = selinux_socket_shutdown,
4375 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
Catherine Zhang2c7946a2006-03-20 22:41:23 -0800[diff] [blame]4376 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
4377 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4378 .sk_alloc_security = selinux_sk_alloc_security,
4379 .sk_free_security = selinux_sk_free_security,
Trent Jaegerd28d1e02005-12-13 23:12:40 -0800[diff] [blame]4380 .sk_getsid = selinux_sk_getsid_security,
Trent Jaegerd28d1e02005-12-13 23:12:40 -0800[diff] [blame]4381
4382#ifdef CONFIG_SECURITY_NETWORK_XFRM
4383 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
4384 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
4385 .xfrm_policy_free_security = selinux_xfrm_policy_free,
4386 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
4387 .xfrm_state_free_security = selinux_xfrm_state_free,
4388 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4389#endif
4390};
4391
4392static __init int selinux_init(void)
4393{
4394 struct task_security_struct *tsec;
4395
4396 if (!selinux_enabled) {
4397 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4398 return 0;
4399 }
4400
4401 printk(KERN_INFO "SELinux: Initializing.\n");
4402
4403 /* Set the security state for the initial task. */
4404 if (task_alloc_security(current))
4405 panic("SELinux: Failed to initialize initial task.\n");
4406 tsec = current->security;
4407 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4408
4409 avc_init();
4410
4411 original_ops = secondary_ops = security_ops;
4412 if (!secondary_ops)
4413 panic ("SELinux: No initial security operations\n");
4414 if (register_security (&selinux_ops))
4415 panic("SELinux: Unable to register with kernel.\n");
4416
4417 if (selinux_enforcing) {
4418 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
4419 } else {
4420 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
4421 }
4422 return 0;
4423}
4424
4425void selinux_complete_init(void)
4426{
4427 printk(KERN_INFO "SELinux: Completing initialization.\n");
4428
4429 /* Set up any superblocks initialized prior to the policy load. */
4430 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
4431 spin_lock(&sb_security_lock);
4432next_sb:
4433 if (!list_empty(&superblock_security_head)) {
4434 struct superblock_security_struct *sbsec =
4435 list_entry(superblock_security_head.next,
4436 struct superblock_security_struct,
4437 list);
4438 struct super_block *sb = sbsec->sb;
4439 spin_lock(&sb_lock);
4440 sb->s_count++;
4441 spin_unlock(&sb_lock);
4442 spin_unlock(&sb_security_lock);
4443 down_read(&sb->s_umount);
4444 if (sb->s_root)
4445 superblock_doinit(sb, NULL);
4446 drop_super(sb);
4447 spin_lock(&sb_security_lock);
4448 list_del_init(&sbsec->list);
4449 goto next_sb;
4450 }
4451 spin_unlock(&sb_security_lock);
4452}
4453
4454/* SELinux requires early initialization in order to label
4455 all processes and objects when they are created. */
4456security_initcall(selinux_init);
4457
Stephen Smalleyc2b507f2006-02-04 23:27:50 -0800[diff] [blame]4458#if defined(CONFIG_NETFILTER)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4459
4460static struct nf_hook_ops selinux_ipv4_op = {
4461 .hook = selinux_ipv4_postroute_last,
4462 .owner = THIS_MODULE,
4463 .pf = PF_INET,
4464 .hooknum = NF_IP_POST_ROUTING,
4465 .priority = NF_IP_PRI_SELINUX_LAST,
4466};
4467
4468#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4469
4470static struct nf_hook_ops selinux_ipv6_op = {
4471 .hook = selinux_ipv6_postroute_last,
4472 .owner = THIS_MODULE,
4473 .pf = PF_INET6,
4474 .hooknum = NF_IP6_POST_ROUTING,
4475 .priority = NF_IP6_PRI_SELINUX_LAST,
4476};
4477
4478#endif /* IPV6 */
4479
4480static int __init selinux_nf_ip_init(void)
4481{
4482 int err = 0;
4483
4484 if (!selinux_enabled)
4485 goto out;
4486
4487 printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
4488
4489 err = nf_register_hook(&selinux_ipv4_op);
4490 if (err)
4491 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4492
4493#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4494
4495 err = nf_register_hook(&selinux_ipv6_op);
4496 if (err)
4497 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4498
4499#endif /* IPV6 */
Trent Jaegerd28d1e02005-12-13 23:12:40 -0800[diff] [blame]4500
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4501out:
4502 return err;
4503}
4504
4505__initcall(selinux_nf_ip_init);
4506
4507#ifdef CONFIG_SECURITY_SELINUX_DISABLE
4508static void selinux_nf_ip_exit(void)
4509{
4510 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
4511
4512 nf_unregister_hook(&selinux_ipv4_op);
4513#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4514 nf_unregister_hook(&selinux_ipv6_op);
4515#endif /* IPV6 */
4516}
4517#endif
4518
Stephen Smalleyc2b507f2006-02-04 23:27:50 -0800[diff] [blame]4519#else /* CONFIG_NETFILTER */
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4520
4521#ifdef CONFIG_SECURITY_SELINUX_DISABLE
4522#define selinux_nf_ip_exit()
4523#endif
4524
Stephen Smalleyc2b507f2006-02-04 23:27:50 -0800[diff] [blame]4525#endif /* CONFIG_NETFILTER */
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]4526
4527#ifdef CONFIG_SECURITY_SELINUX_DISABLE
4528int selinux_disable(void)
4529{
4530 extern void exit_sel_fs(void);
4531 static int selinux_disabled = 0;
4532
4533 if (ss_initialized) {
4534 /* Not permitted after initial policy load. */
4535 return -EINVAL;
4536 }
4537
4538 if (selinux_disabled) {
4539 /* Only do this once. */
4540 return -EINVAL;
4541 }
4542
4543 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
4544
4545 selinux_disabled = 1;
4546
4547 /* Reset security_ops to the secondary module, dummy or capability. */
4548 security_ops = secondary_ops;
4549
4550 /* Unregister netfilter hooks. */
4551 selinux_nf_ip_exit();
4552
4553 /* Unregister selinuxfs. */
4554 exit_sel_fs();
4555
4556 return 0;
4557}
4558#endif
4559
4560