Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
hooks.c
Go to the documentation of this file.
1 /*
2  * NSA Security-Enhanced Linux (SELinux) security module
3  *
4  * This file contains the SELinux hook function implementations.
5  *
6  * Authors: Stephen Smalley, <[email protected]>
7  * Chris Vance, <[email protected]>
8  * Wayne Salamon, <[email protected]>
9  * James Morris <[email protected]>
10  *
11  * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <[email protected]>
13  * Eric Paris <[email protected]>
14  * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16  * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  * Paul Moore <[email protected]>
18  * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  * Yuichi Nakamura <[email protected]>
20  *
21  * This program is free software; you can redistribute it and/or modify
22  * it under the terms of the GNU General Public License version 2,
23  * as published by the Free Software Foundation.
24  */
25 
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
55 #include <net/net_namespace.h>
56 #include <net/netlabel.h>
57 #include <linux/uaccess.h>
58 #include <asm/ioctls.h>
59 #include <linux/atomic.h>
60 #include <linux/bitops.h>
61 #include <linux/interrupt.h>
62 #include <linux/netdevice.h> /* for network interface checks */
63 #include <linux/netlink.h>
64 #include <linux/tcp.h>
65 #include <linux/udp.h>
66 #include <linux/dccp.h>
67 #include <linux/quota.h>
68 #include <linux/un.h> /* for Unix socket types */
69 #include <net/af_unix.h> /* for Unix socket types */
70 #include <linux/parser.h>
71 #include <linux/nfs_mount.h>
72 #include <net/ipv6.h>
73 #include <linux/hugetlb.h>
74 #include <linux/personality.h>
75 #include <linux/audit.h>
76 #include <linux/string.h>
77 #include <linux/selinux.h>
78 #include <linux/mutex.h>
79 #include <linux/posix-timers.h>
80 #include <linux/syslog.h>
81 #include <linux/user_namespace.h>
82 #include <linux/export.h>
83 #include <linux/msg.h>
84 #include <linux/shm.h>
85 
86 #include "avc.h"
87 #include "objsec.h"
88 #include "netif.h"
89 #include "netnode.h"
90 #include "netport.h"
91 #include "xfrm.h"
92 #include "netlabel.h"
93 #include "audit.h"
94 #include "avc_ss.h"
95 
96 #define NUM_SEL_MNT_OPTS 5
97 
98 extern struct security_operations *security_ops;
99 
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102 
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105 
106 static int __init enforcing_setup(char *str)
107 {
108  unsigned long enforcing;
109  if (!strict_strtoul(str, 0, &enforcing))
110  selinux_enforcing = enforcing ? 1 : 0;
111  return 1;
112 }
113 __setup("enforcing=", enforcing_setup);
114 #endif
115 
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118 
119 static int __init selinux_enabled_setup(char *str)
120 {
121  unsigned long enabled;
122  if (!strict_strtoul(str, 0, &enabled))
123  selinux_enabled = enabled ? 1 : 0;
124  return 1;
125 }
126 __setup("selinux=", selinux_enabled_setup);
127 #else
128 int selinux_enabled = 1;
129 #endif
130 
131 static struct kmem_cache *sel_inode_cache;
132 
143 static int selinux_secmark_enabled(void)
144 {
145  return (atomic_read(&selinux_secmark_refcount) > 0);
146 }
147 
148 /*
149  * initialise the security for the init task
150  */
151 static void cred_init_security(void)
152 {
153  struct cred *cred = (struct cred *) current->real_cred;
154  struct task_security_struct *tsec;
155 
156  tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
157  if (!tsec)
158  panic("SELinux: Failed to initialize initial task.\n");
159 
160  tsec->osid = tsec->sid = SECINITSID_KERNEL;
161  cred->security = tsec;
162 }
163 
164 /*
165  * get the security ID of a set of credentials
166  */
167 static inline u32 cred_sid(const struct cred *cred)
168 {
169  const struct task_security_struct *tsec;
170 
171  tsec = cred->security;
172  return tsec->sid;
173 }
174 
175 /*
176  * get the objective security ID of a task
177  */
178 static inline u32 task_sid(const struct task_struct *task)
179 {
180  u32 sid;
181 
182  rcu_read_lock();
183  sid = cred_sid(__task_cred(task));
184  rcu_read_unlock();
185  return sid;
186 }
187 
188 /*
189  * get the subjective security ID of the current task
190  */
191 static inline u32 current_sid(void)
192 {
193  const struct task_security_struct *tsec = current_security();
194 
195  return tsec->sid;
196 }
197 
198 /* Allocate and free functions for each kind of security blob. */
199 
200 static int inode_alloc_security(struct inode *inode)
201 {
202  struct inode_security_struct *isec;
203  u32 sid = current_sid();
204 
205  isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
206  if (!isec)
207  return -ENOMEM;
208 
209  mutex_init(&isec->lock);
210  INIT_LIST_HEAD(&isec->list);
211  isec->inode = inode;
212  isec->sid = SECINITSID_UNLABELED;
213  isec->sclass = SECCLASS_FILE;
214  isec->task_sid = sid;
215  inode->i_security = isec;
216 
217  return 0;
218 }
219 
220 static void inode_free_security(struct inode *inode)
221 {
222  struct inode_security_struct *isec = inode->i_security;
223  struct superblock_security_struct *sbsec = inode->i_sb->s_security;
224 
225  spin_lock(&sbsec->isec_lock);
226  if (!list_empty(&isec->list))
227  list_del_init(&isec->list);
228  spin_unlock(&sbsec->isec_lock);
229 
230  inode->i_security = NULL;
231  kmem_cache_free(sel_inode_cache, isec);
232 }
233 
234 static int file_alloc_security(struct file *file)
235 {
236  struct file_security_struct *fsec;
237  u32 sid = current_sid();
238 
239  fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
240  if (!fsec)
241  return -ENOMEM;
242 
243  fsec->sid = sid;
244  fsec->fown_sid = sid;
245  file->f_security = fsec;
246 
247  return 0;
248 }
249 
250 static void file_free_security(struct file *file)
251 {
252  struct file_security_struct *fsec = file->f_security;
253  file->f_security = NULL;
254  kfree(fsec);
255 }
256 
257 static int superblock_alloc_security(struct super_block *sb)
258 {
259  struct superblock_security_struct *sbsec;
260 
261  sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
262  if (!sbsec)
263  return -ENOMEM;
264 
265  mutex_init(&sbsec->lock);
266  INIT_LIST_HEAD(&sbsec->isec_head);
267  spin_lock_init(&sbsec->isec_lock);
268  sbsec->sb = sb;
269  sbsec->sid = SECINITSID_UNLABELED;
270  sbsec->def_sid = SECINITSID_FILE;
271  sbsec->mntpoint_sid = SECINITSID_UNLABELED;
272  sb->s_security = sbsec;
273 
274  return 0;
275 }
276 
277 static void superblock_free_security(struct super_block *sb)
278 {
279  struct superblock_security_struct *sbsec = sb->s_security;
280  sb->s_security = NULL;
281  kfree(sbsec);
282 }
283 
284 /* The file system's label must be initialized prior to use. */
285 
286 static const char *labeling_behaviors[6] = {
287  "uses xattr",
288  "uses transition SIDs",
289  "uses task SIDs",
290  "uses genfs_contexts",
291  "not configured for labeling",
292  "uses mountpoint labeling",
293 };
294 
295 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
296 
297 static inline int inode_doinit(struct inode *inode)
298 {
299  return inode_doinit_with_dentry(inode, NULL);
300 }
301 
302 enum {
303  Opt_error = -1,
309 };
310 
311 static const match_table_t tokens = {
312  {Opt_context, CONTEXT_STR "%s"},
317  {Opt_error, NULL},
318 };
319 
320 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
321 
322 static int may_context_mount_sb_relabel(u32 sid,
323  struct superblock_security_struct *sbsec,
324  const struct cred *cred)
325 {
326  const struct task_security_struct *tsec = cred->security;
327  int rc;
328 
329  rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
330  FILESYSTEM__RELABELFROM, NULL);
331  if (rc)
332  return rc;
333 
334  rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
335  FILESYSTEM__RELABELTO, NULL);
336  return rc;
337 }
338 
339 static int may_context_mount_inode_relabel(u32 sid,
340  struct superblock_security_struct *sbsec,
341  const struct cred *cred)
342 {
343  const struct task_security_struct *tsec = cred->security;
344  int rc;
345  rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
346  FILESYSTEM__RELABELFROM, NULL);
347  if (rc)
348  return rc;
349 
350  rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
351  FILESYSTEM__ASSOCIATE, NULL);
352  return rc;
353 }
354 
355 static int sb_finish_set_opts(struct super_block *sb)
356 {
357  struct superblock_security_struct *sbsec = sb->s_security;
358  struct dentry *root = sb->s_root;
359  struct inode *root_inode = root->d_inode;
360  int rc = 0;
361 
362  if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
363  /* Make sure that the xattr handler exists and that no
364  error other than -ENODATA is returned by getxattr on
365  the root directory. -ENODATA is ok, as this may be
366  the first boot of the SELinux kernel before we have
367  assigned xattr values to the filesystem. */
368  if (!root_inode->i_op->getxattr) {
369  printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
370  "xattr support\n", sb->s_id, sb->s_type->name);
371  rc = -EOPNOTSUPP;
372  goto out;
373  }
374  rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
375  if (rc < 0 && rc != -ENODATA) {
376  if (rc == -EOPNOTSUPP)
377  printk(KERN_WARNING "SELinux: (dev %s, type "
378  "%s) has no security xattr handler\n",
379  sb->s_id, sb->s_type->name);
380  else
381  printk(KERN_WARNING "SELinux: (dev %s, type "
382  "%s) getxattr errno %d\n", sb->s_id,
383  sb->s_type->name, -rc);
384  goto out;
385  }
386  }
387 
388  sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
389 
390  if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
391  printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
392  sb->s_id, sb->s_type->name);
393  else
394  printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
395  sb->s_id, sb->s_type->name,
396  labeling_behaviors[sbsec->behavior-1]);
397 
398  if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
400  sbsec->behavior == SECURITY_FS_USE_NONE ||
401  sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
402  sbsec->flags &= ~SE_SBLABELSUPP;
403 
404  /* Special handling for sysfs. Is genfs but also has setxattr handler*/
405  if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
406  sbsec->flags |= SE_SBLABELSUPP;
407 
408  /* Initialize the root inode. */
409  rc = inode_doinit_with_dentry(root_inode, root);
410 
411  /* Initialize any other inodes associated with the superblock, e.g.
412  inodes created prior to initial policy load or inodes created
413  during get_sb by a pseudo filesystem that directly
414  populates itself. */
415  spin_lock(&sbsec->isec_lock);
416 next_inode:
417  if (!list_empty(&sbsec->isec_head)) {
418  struct inode_security_struct *isec =
419  list_entry(sbsec->isec_head.next,
420  struct inode_security_struct, list);
421  struct inode *inode = isec->inode;
422  spin_unlock(&sbsec->isec_lock);
423  inode = igrab(inode);
424  if (inode) {
425  if (!IS_PRIVATE(inode))
426  inode_doinit(inode);
427  iput(inode);
428  }
429  spin_lock(&sbsec->isec_lock);
430  list_del_init(&isec->list);
431  goto next_inode;
432  }
433  spin_unlock(&sbsec->isec_lock);
434 out:
435  return rc;
436 }
437 
438 /*
439  * This function should allow an FS to ask what it's mount security
440  * options were so it can use those later for submounts, displaying
441  * mount options, or whatever.
442  */
443 static int selinux_get_mnt_opts(const struct super_block *sb,
444  struct security_mnt_opts *opts)
445 {
446  int rc = 0, i;
447  struct superblock_security_struct *sbsec = sb->s_security;
448  char *context = NULL;
449  u32 len;
450  char tmp;
451 
452  security_init_mnt_opts(opts);
453 
454  if (!(sbsec->flags & SE_SBINITIALIZED))
455  return -EINVAL;
456 
457  if (!ss_initialized)
458  return -EINVAL;
459 
460  tmp = sbsec->flags & SE_MNTMASK;
461  /* count the number of mount options for this sb */
462  for (i = 0; i < 8; i++) {
463  if (tmp & 0x01)
464  opts->num_mnt_opts++;
465  tmp >>= 1;
466  }
467  /* Check if the Label support flag is set */
468  if (sbsec->flags & SE_SBLABELSUPP)
469  opts->num_mnt_opts++;
470 
471  opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
472  if (!opts->mnt_opts) {
473  rc = -ENOMEM;
474  goto out_free;
475  }
476 
477  opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
478  if (!opts->mnt_opts_flags) {
479  rc = -ENOMEM;
480  goto out_free;
481  }
482 
483  i = 0;
484  if (sbsec->flags & FSCONTEXT_MNT) {
485  rc = security_sid_to_context(sbsec->sid, &context, &len);
486  if (rc)
487  goto out_free;
488  opts->mnt_opts[i] = context;
489  opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
490  }
491  if (sbsec->flags & CONTEXT_MNT) {
492  rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
493  if (rc)
494  goto out_free;
495  opts->mnt_opts[i] = context;
496  opts->mnt_opts_flags[i++] = CONTEXT_MNT;
497  }
498  if (sbsec->flags & DEFCONTEXT_MNT) {
499  rc = security_sid_to_context(sbsec->def_sid, &context, &len);
500  if (rc)
501  goto out_free;
502  opts->mnt_opts[i] = context;
503  opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
504  }
505  if (sbsec->flags & ROOTCONTEXT_MNT) {
506  struct inode *root = sbsec->sb->s_root->d_inode;
507  struct inode_security_struct *isec = root->i_security;
508 
509  rc = security_sid_to_context(isec->sid, &context, &len);
510  if (rc)
511  goto out_free;
512  opts->mnt_opts[i] = context;
513  opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
514  }
515  if (sbsec->flags & SE_SBLABELSUPP) {
516  opts->mnt_opts[i] = NULL;
517  opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
518  }
519 
520  BUG_ON(i != opts->num_mnt_opts);
521 
522  return 0;
523 
524 out_free:
525  security_free_mnt_opts(opts);
526  return rc;
527 }
528 
529 static int bad_option(struct superblock_security_struct *sbsec, char flag,
530  u32 old_sid, u32 new_sid)
531 {
532  char mnt_flags = sbsec->flags & SE_MNTMASK;
533 
534  /* check if the old mount command had the same options */
535  if (sbsec->flags & SE_SBINITIALIZED)
536  if (!(sbsec->flags & flag) ||
537  (old_sid != new_sid))
538  return 1;
539 
540  /* check if we were passed the same options twice,
541  * aka someone passed context=a,context=b
542  */
543  if (!(sbsec->flags & SE_SBINITIALIZED))
544  if (mnt_flags & flag)
545  return 1;
546  return 0;
547 }
548 
549 /*
550  * Allow filesystems with binary mount data to explicitly set mount point
551  * labeling information.
552  */
553 static int selinux_set_mnt_opts(struct super_block *sb,
554  struct security_mnt_opts *opts)
555 {
556  const struct cred *cred = current_cred();
557  int rc = 0, i;
558  struct superblock_security_struct *sbsec = sb->s_security;
559  const char *name = sb->s_type->name;
560  struct inode *inode = sbsec->sb->s_root->d_inode;
561  struct inode_security_struct *root_isec = inode->i_security;
562  u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
563  u32 defcontext_sid = 0;
564  char **mount_options = opts->mnt_opts;
565  int *flags = opts->mnt_opts_flags;
566  int num_opts = opts->num_mnt_opts;
567 
568  mutex_lock(&sbsec->lock);
569 
570  if (!ss_initialized) {
571  if (!num_opts) {
572  /* Defer initialization until selinux_complete_init,
573  after the initial policy is loaded and the security
574  server is ready to handle calls. */
575  goto out;
576  }
577  rc = -EINVAL;
578  printk(KERN_WARNING "SELinux: Unable to set superblock options "
579  "before the security server is initialized\n");
580  goto out;
581  }
582 
583  /*
584  * Binary mount data FS will come through this function twice. Once
585  * from an explicit call and once from the generic calls from the vfs.
586  * Since the generic VFS calls will not contain any security mount data
587  * we need to skip the double mount verification.
588  *
589  * This does open a hole in which we will not notice if the first
590  * mount using this sb set explict options and a second mount using
591  * this sb does not set any security options. (The first options
592  * will be used for both mounts)
593  */
594  if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
595  && (num_opts == 0))
596  goto out;
597 
598  /*
599  * parse the mount options, check if they are valid sids.
600  * also check if someone is trying to mount the same sb more
601  * than once with different security options.
602  */
603  for (i = 0; i < num_opts; i++) {
604  u32 sid;
605 
606  if (flags[i] == SE_SBLABELSUPP)
607  continue;
608  rc = security_context_to_sid(mount_options[i],
609  strlen(mount_options[i]), &sid);
610  if (rc) {
611  printk(KERN_WARNING "SELinux: security_context_to_sid"
612  "(%s) failed for (dev %s, type %s) errno=%d\n",
613  mount_options[i], sb->s_id, name, rc);
614  goto out;
615  }
616  switch (flags[i]) {
617  case FSCONTEXT_MNT:
618  fscontext_sid = sid;
619 
620  if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
621  fscontext_sid))
622  goto out_double_mount;
623 
624  sbsec->flags |= FSCONTEXT_MNT;
625  break;
626  case CONTEXT_MNT:
627  context_sid = sid;
628 
629  if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
630  context_sid))
631  goto out_double_mount;
632 
633  sbsec->flags |= CONTEXT_MNT;
634  break;
635  case ROOTCONTEXT_MNT:
636  rootcontext_sid = sid;
637 
638  if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
639  rootcontext_sid))
640  goto out_double_mount;
641 
642  sbsec->flags |= ROOTCONTEXT_MNT;
643 
644  break;
645  case DEFCONTEXT_MNT:
646  defcontext_sid = sid;
647 
648  if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
649  defcontext_sid))
650  goto out_double_mount;
651 
652  sbsec->flags |= DEFCONTEXT_MNT;
653 
654  break;
655  default:
656  rc = -EINVAL;
657  goto out;
658  }
659  }
660 
661  if (sbsec->flags & SE_SBINITIALIZED) {
662  /* previously mounted with options, but not on this attempt? */
663  if ((sbsec->flags & SE_MNTMASK) && !num_opts)
664  goto out_double_mount;
665  rc = 0;
666  goto out;
667  }
668 
669  if (strcmp(sb->s_type->name, "proc") == 0)
670  sbsec->flags |= SE_SBPROC;
671 
672  /* Determine the labeling behavior to use for this filesystem type. */
673  rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
674  if (rc) {
675  printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
676  __func__, sb->s_type->name, rc);
677  goto out;
678  }
679 
680  /* sets the context of the superblock for the fs being mounted. */
681  if (fscontext_sid) {
682  rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
683  if (rc)
684  goto out;
685 
686  sbsec->sid = fscontext_sid;
687  }
688 
689  /*
690  * Switch to using mount point labeling behavior.
691  * sets the label used on all file below the mountpoint, and will set
692  * the superblock context if not already set.
693  */
694  if (context_sid) {
695  if (!fscontext_sid) {
696  rc = may_context_mount_sb_relabel(context_sid, sbsec,
697  cred);
698  if (rc)
699  goto out;
700  sbsec->sid = context_sid;
701  } else {
702  rc = may_context_mount_inode_relabel(context_sid, sbsec,
703  cred);
704  if (rc)
705  goto out;
706  }
707  if (!rootcontext_sid)
708  rootcontext_sid = context_sid;
709 
710  sbsec->mntpoint_sid = context_sid;
712  }
713 
714  if (rootcontext_sid) {
715  rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
716  cred);
717  if (rc)
718  goto out;
719 
720  root_isec->sid = rootcontext_sid;
721  root_isec->initialized = 1;
722  }
723 
724  if (defcontext_sid) {
725  if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
726  rc = -EINVAL;
727  printk(KERN_WARNING "SELinux: defcontext option is "
728  "invalid for this filesystem type\n");
729  goto out;
730  }
731 
732  if (defcontext_sid != sbsec->def_sid) {
733  rc = may_context_mount_inode_relabel(defcontext_sid,
734  sbsec, cred);
735  if (rc)
736  goto out;
737  }
738 
739  sbsec->def_sid = defcontext_sid;
740  }
741 
742  rc = sb_finish_set_opts(sb);
743 out:
744  mutex_unlock(&sbsec->lock);
745  return rc;
746 out_double_mount:
747  rc = -EINVAL;
748  printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
749  "security settings for (dev %s, type %s)\n", sb->s_id, name);
750  goto out;
751 }
752 
753 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
754  struct super_block *newsb)
755 {
756  const struct superblock_security_struct *oldsbsec = oldsb->s_security;
757  struct superblock_security_struct *newsbsec = newsb->s_security;
758 
759  int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
760  int set_context = (oldsbsec->flags & CONTEXT_MNT);
761  int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
762 
763  /*
764  * if the parent was able to be mounted it clearly had no special lsm
765  * mount options. thus we can safely deal with this superblock later
766  */
767  if (!ss_initialized)
768  return;
769 
770  /* how can we clone if the old one wasn't set up?? */
771  BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
772 
773  /* if fs is reusing a sb, just let its options stand... */
774  if (newsbsec->flags & SE_SBINITIALIZED)
775  return;
776 
777  mutex_lock(&newsbsec->lock);
778 
779  newsbsec->flags = oldsbsec->flags;
780 
781  newsbsec->sid = oldsbsec->sid;
782  newsbsec->def_sid = oldsbsec->def_sid;
783  newsbsec->behavior = oldsbsec->behavior;
784 
785  if (set_context) {
786  u32 sid = oldsbsec->mntpoint_sid;
787 
788  if (!set_fscontext)
789  newsbsec->sid = sid;
790  if (!set_rootcontext) {
791  struct inode *newinode = newsb->s_root->d_inode;
792  struct inode_security_struct *newisec = newinode->i_security;
793  newisec->sid = sid;
794  }
795  newsbsec->mntpoint_sid = sid;
796  }
797  if (set_rootcontext) {
798  const struct inode *oldinode = oldsb->s_root->d_inode;
799  const struct inode_security_struct *oldisec = oldinode->i_security;
800  struct inode *newinode = newsb->s_root->d_inode;
801  struct inode_security_struct *newisec = newinode->i_security;
802 
803  newisec->sid = oldisec->sid;
804  }
805 
806  sb_finish_set_opts(newsb);
807  mutex_unlock(&newsbsec->lock);
808 }
809 
810 static int selinux_parse_opts_str(char *options,
811  struct security_mnt_opts *opts)
812 {
813  char *p;
814  char *context = NULL, *defcontext = NULL;
815  char *fscontext = NULL, *rootcontext = NULL;
816  int rc, num_mnt_opts = 0;
817 
818  opts->num_mnt_opts = 0;
819 
820  /* Standard string-based options. */
821  while ((p = strsep(&options, "|")) != NULL) {
822  int token;
824 
825  if (!*p)
826  continue;
827 
828  token = match_token(p, tokens, args);
829 
830  switch (token) {
831  case Opt_context:
832  if (context || defcontext) {
833  rc = -EINVAL;
835  goto out_err;
836  }
837  context = match_strdup(&args[0]);
838  if (!context) {
839  rc = -ENOMEM;
840  goto out_err;
841  }
842  break;
843 
844  case Opt_fscontext:
845  if (fscontext) {
846  rc = -EINVAL;
848  goto out_err;
849  }
850  fscontext = match_strdup(&args[0]);
851  if (!fscontext) {
852  rc = -ENOMEM;
853  goto out_err;
854  }
855  break;
856 
857  case Opt_rootcontext:
858  if (rootcontext) {
859  rc = -EINVAL;
861  goto out_err;
862  }
863  rootcontext = match_strdup(&args[0]);
864  if (!rootcontext) {
865  rc = -ENOMEM;
866  goto out_err;
867  }
868  break;
869 
870  case Opt_defcontext:
871  if (context || defcontext) {
872  rc = -EINVAL;
874  goto out_err;
875  }
876  defcontext = match_strdup(&args[0]);
877  if (!defcontext) {
878  rc = -ENOMEM;
879  goto out_err;
880  }
881  break;
882  case Opt_labelsupport:
883  break;
884  default:
885  rc = -EINVAL;
886  printk(KERN_WARNING "SELinux: unknown mount option\n");
887  goto out_err;
888 
889  }
890  }
891 
892  rc = -ENOMEM;
893  opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
894  if (!opts->mnt_opts)
895  goto out_err;
896 
897  opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
898  if (!opts->mnt_opts_flags) {
899  kfree(opts->mnt_opts);
900  goto out_err;
901  }
902 
903  if (fscontext) {
904  opts->mnt_opts[num_mnt_opts] = fscontext;
905  opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
906  }
907  if (context) {
908  opts->mnt_opts[num_mnt_opts] = context;
909  opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
910  }
911  if (rootcontext) {
912  opts->mnt_opts[num_mnt_opts] = rootcontext;
913  opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
914  }
915  if (defcontext) {
916  opts->mnt_opts[num_mnt_opts] = defcontext;
917  opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
918  }
919 
920  opts->num_mnt_opts = num_mnt_opts;
921  return 0;
922 
923 out_err:
924  kfree(context);
925  kfree(defcontext);
926  kfree(fscontext);
927  kfree(rootcontext);
928  return rc;
929 }
930 /*
931  * string mount options parsing and call set the sbsec
932  */
933 static int superblock_doinit(struct super_block *sb, void *data)
934 {
935  int rc = 0;
936  char *options = data;
937  struct security_mnt_opts opts;
938 
939  security_init_mnt_opts(&opts);
940 
941  if (!data)
942  goto out;
943 
944  BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
945 
946  rc = selinux_parse_opts_str(options, &opts);
947  if (rc)
948  goto out_err;
949 
950 out:
951  rc = selinux_set_mnt_opts(sb, &opts);
952 
953 out_err:
954  security_free_mnt_opts(&opts);
955  return rc;
956 }
957 
958 static void selinux_write_opts(struct seq_file *m,
959  struct security_mnt_opts *opts)
960 {
961  int i;
962  char *prefix;
963 
964  for (i = 0; i < opts->num_mnt_opts; i++) {
965  char *has_comma;
966 
967  if (opts->mnt_opts[i])
968  has_comma = strchr(opts->mnt_opts[i], ',');
969  else
970  has_comma = NULL;
971 
972  switch (opts->mnt_opts_flags[i]) {
973  case CONTEXT_MNT:
974  prefix = CONTEXT_STR;
975  break;
976  case FSCONTEXT_MNT:
977  prefix = FSCONTEXT_STR;
978  break;
979  case ROOTCONTEXT_MNT:
980  prefix = ROOTCONTEXT_STR;
981  break;
982  case DEFCONTEXT_MNT:
983  prefix = DEFCONTEXT_STR;
984  break;
985  case SE_SBLABELSUPP:
986  seq_putc(m, ',');
988  continue;
989  default:
990  BUG();
991  return;
992  };
993  /* we need a comma before each option */
994  seq_putc(m, ',');
995  seq_puts(m, prefix);
996  if (has_comma)
997  seq_putc(m, '\"');
998  seq_puts(m, opts->mnt_opts[i]);
999  if (has_comma)
1000  seq_putc(m, '\"');
1001  }
1002 }
1003 
1004 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1005 {
1006  struct security_mnt_opts opts;
1007  int rc;
1008 
1009  rc = selinux_get_mnt_opts(sb, &opts);
1010  if (rc) {
1011  /* before policy load we may get EINVAL, don't show anything */
1012  if (rc == -EINVAL)
1013  rc = 0;
1014  return rc;
1015  }
1016 
1017  selinux_write_opts(m, &opts);
1018 
1019  security_free_mnt_opts(&opts);
1020 
1021  return rc;
1022 }
1023 
1024 static inline u16 inode_mode_to_security_class(umode_t mode)
1025 {
1026  switch (mode & S_IFMT) {
1027  case S_IFSOCK:
1028  return SECCLASS_SOCK_FILE;
1029  case S_IFLNK:
1030  return SECCLASS_LNK_FILE;
1031  case S_IFREG:
1032  return SECCLASS_FILE;
1033  case S_IFBLK:
1034  return SECCLASS_BLK_FILE;
1035  case S_IFDIR:
1036  return SECCLASS_DIR;
1037  case S_IFCHR:
1038  return SECCLASS_CHR_FILE;
1039  case S_IFIFO:
1040  return SECCLASS_FIFO_FILE;
1041 
1042  }
1043 
1044  return SECCLASS_FILE;
1045 }
1046 
1047 static inline int default_protocol_stream(int protocol)
1048 {
1049  return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1050 }
1051 
1052 static inline int default_protocol_dgram(int protocol)
1053 {
1054  return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1055 }
1056 
1057 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1058 {
1059  switch (family) {
1060  case PF_UNIX:
1061  switch (type) {
1062  case SOCK_STREAM:
1063  case SOCK_SEQPACKET:
1064  return SECCLASS_UNIX_STREAM_SOCKET;
1065  case SOCK_DGRAM:
1066  return SECCLASS_UNIX_DGRAM_SOCKET;
1067  }
1068  break;
1069  case PF_INET:
1070  case PF_INET6:
1071  switch (type) {
1072  case SOCK_STREAM:
1073  if (default_protocol_stream(protocol))
1074  return SECCLASS_TCP_SOCKET;
1075  else
1076  return SECCLASS_RAWIP_SOCKET;
1077  case SOCK_DGRAM:
1078  if (default_protocol_dgram(protocol))
1079  return SECCLASS_UDP_SOCKET;
1080  else
1081  return SECCLASS_RAWIP_SOCKET;
1082  case SOCK_DCCP:
1083  return SECCLASS_DCCP_SOCKET;
1084  default:
1085  return SECCLASS_RAWIP_SOCKET;
1086  }
1087  break;
1088  case PF_NETLINK:
1089  switch (protocol) {
1090  case NETLINK_ROUTE:
1091  return SECCLASS_NETLINK_ROUTE_SOCKET;
1092  case NETLINK_FIREWALL:
1093  return SECCLASS_NETLINK_FIREWALL_SOCKET;
1094  case NETLINK_SOCK_DIAG:
1095  return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1096  case NETLINK_NFLOG:
1097  return SECCLASS_NETLINK_NFLOG_SOCKET;
1098  case NETLINK_XFRM:
1099  return SECCLASS_NETLINK_XFRM_SOCKET;
1100  case NETLINK_SELINUX:
1101  return SECCLASS_NETLINK_SELINUX_SOCKET;
1102  case NETLINK_AUDIT:
1103  return SECCLASS_NETLINK_AUDIT_SOCKET;
1104  case NETLINK_IP6_FW:
1105  return SECCLASS_NETLINK_IP6FW_SOCKET;
1106  case NETLINK_DNRTMSG:
1107  return SECCLASS_NETLINK_DNRT_SOCKET;
1109  return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1110  default:
1111  return SECCLASS_NETLINK_SOCKET;
1112  }
1113  case PF_PACKET:
1114  return SECCLASS_PACKET_SOCKET;
1115  case PF_KEY:
1116  return SECCLASS_KEY_SOCKET;
1117  case PF_APPLETALK:
1118  return SECCLASS_APPLETALK_SOCKET;
1119  }
1120 
1121  return SECCLASS_SOCKET;
1122 }
1123 
1124 #ifdef CONFIG_PROC_FS
1125 static int selinux_proc_get_sid(struct dentry *dentry,
1126  u16 tclass,
1127  u32 *sid)
1128 {
1129  int rc;
1130  char *buffer, *path;
1131 
1132  buffer = (char *)__get_free_page(GFP_KERNEL);
1133  if (!buffer)
1134  return -ENOMEM;
1135 
1136  path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1137  if (IS_ERR(path))
1138  rc = PTR_ERR(path);
1139  else {
1140  /* each process gets a /proc/PID/ entry. Strip off the
1141  * PID part to get a valid selinux labeling.
1142  * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1143  while (path[1] >= '0' && path[1] <= '9') {
1144  path[1] = '/';
1145  path++;
1146  }
1147  rc = security_genfs_sid("proc", path, tclass, sid);
1148  }
1149  free_page((unsigned long)buffer);
1150  return rc;
1151 }
1152 #else
1153 static int selinux_proc_get_sid(struct dentry *dentry,
1154  u16 tclass,
1155  u32 *sid)
1156 {
1157  return -EINVAL;
1158 }
1159 #endif
1160 
1161 /* The inode's security attributes must be initialized before first use. */
1162 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1163 {
1164  struct superblock_security_struct *sbsec = NULL;
1165  struct inode_security_struct *isec = inode->i_security;
1166  u32 sid;
1167  struct dentry *dentry;
1168 #define INITCONTEXTLEN 255
1169  char *context = NULL;
1170  unsigned len = 0;
1171  int rc = 0;
1172 
1173  if (isec->initialized)
1174  goto out;
1175 
1176  mutex_lock(&isec->lock);
1177  if (isec->initialized)
1178  goto out_unlock;
1179 
1180  sbsec = inode->i_sb->s_security;
1181  if (!(sbsec->flags & SE_SBINITIALIZED)) {
1182  /* Defer initialization until selinux_complete_init,
1183  after the initial policy is loaded and the security
1184  server is ready to handle calls. */
1185  spin_lock(&sbsec->isec_lock);
1186  if (list_empty(&isec->list))
1187  list_add(&isec->list, &sbsec->isec_head);
1188  spin_unlock(&sbsec->isec_lock);
1189  goto out_unlock;
1190  }
1191 
1192  switch (sbsec->behavior) {
1193  case SECURITY_FS_USE_XATTR:
1194  if (!inode->i_op->getxattr) {
1195  isec->sid = sbsec->def_sid;
1196  break;
1197  }
1198 
1199  /* Need a dentry, since the xattr API requires one.
1200  Life would be simpler if we could just pass the inode. */
1201  if (opt_dentry) {
1202  /* Called from d_instantiate or d_splice_alias. */
1203  dentry = dget(opt_dentry);
1204  } else {
1205  /* Called from selinux_complete_init, try to find a dentry. */
1206  dentry = d_find_alias(inode);
1207  }
1208  if (!dentry) {
1209  /*
1210  * this is can be hit on boot when a file is accessed
1211  * before the policy is loaded. When we load policy we
1212  * may find inodes that have no dentry on the
1213  * sbsec->isec_head list. No reason to complain as these
1214  * will get fixed up the next time we go through
1215  * inode_doinit with a dentry, before these inodes could
1216  * be used again by userspace.
1217  */
1218  goto out_unlock;
1219  }
1220 
1221  len = INITCONTEXTLEN;
1222  context = kmalloc(len+1, GFP_NOFS);
1223  if (!context) {
1224  rc = -ENOMEM;
1225  dput(dentry);
1226  goto out_unlock;
1227  }
1228  context[len] = '\0';
1229  rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1230  context, len);
1231  if (rc == -ERANGE) {
1232  kfree(context);
1233 
1234  /* Need a larger buffer. Query for the right size. */
1235  rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1236  NULL, 0);
1237  if (rc < 0) {
1238  dput(dentry);
1239  goto out_unlock;
1240  }
1241  len = rc;
1242  context = kmalloc(len+1, GFP_NOFS);
1243  if (!context) {
1244  rc = -ENOMEM;
1245  dput(dentry);
1246  goto out_unlock;
1247  }
1248  context[len] = '\0';
1249  rc = inode->i_op->getxattr(dentry,
1251  context, len);
1252  }
1253  dput(dentry);
1254  if (rc < 0) {
1255  if (rc != -ENODATA) {
1256  printk(KERN_WARNING "SELinux: %s: getxattr returned "
1257  "%d for dev=%s ino=%ld\n", __func__,
1258  -rc, inode->i_sb->s_id, inode->i_ino);
1259  kfree(context);
1260  goto out_unlock;
1261  }
1262  /* Map ENODATA to the default file SID */
1263  sid = sbsec->def_sid;
1264  rc = 0;
1265  } else {
1266  rc = security_context_to_sid_default(context, rc, &sid,
1267  sbsec->def_sid,
1268  GFP_NOFS);
1269  if (rc) {
1270  char *dev = inode->i_sb->s_id;
1271  unsigned long ino = inode->i_ino;
1272 
1273  if (rc == -EINVAL) {
1274  if (printk_ratelimit())
1275  printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1276  "context=%s. This indicates you may need to relabel the inode or the "
1277  "filesystem in question.\n", ino, dev, context);
1278  } else {
1279  printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1280  "returned %d for dev=%s ino=%ld\n",
1281  __func__, context, -rc, dev, ino);
1282  }
1283  kfree(context);
1284  /* Leave with the unlabeled SID */
1285  rc = 0;
1286  break;
1287  }
1288  }
1289  kfree(context);
1290  isec->sid = sid;
1291  break;
1292  case SECURITY_FS_USE_TASK:
1293  isec->sid = isec->task_sid;
1294  break;
1295  case SECURITY_FS_USE_TRANS:
1296  /* Default to the fs SID. */
1297  isec->sid = sbsec->sid;
1298 
1299  /* Try to obtain a transition SID. */
1300  isec->sclass = inode_mode_to_security_class(inode->i_mode);
1301  rc = security_transition_sid(isec->task_sid, sbsec->sid,
1302  isec->sclass, NULL, &sid);
1303  if (rc)
1304  goto out_unlock;
1305  isec->sid = sid;
1306  break;
1308  isec->sid = sbsec->mntpoint_sid;
1309  break;
1310  default:
1311  /* Default to the fs superblock SID. */
1312  isec->sid = sbsec->sid;
1313 
1314  if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1315  if (opt_dentry) {
1316  isec->sclass = inode_mode_to_security_class(inode->i_mode);
1317  rc = selinux_proc_get_sid(opt_dentry,
1318  isec->sclass,
1319  &sid);
1320  if (rc)
1321  goto out_unlock;
1322  isec->sid = sid;
1323  }
1324  }
1325  break;
1326  }
1327 
1328  isec->initialized = 1;
1329 
1330 out_unlock:
1331  mutex_unlock(&isec->lock);
1332 out:
1333  if (isec->sclass == SECCLASS_FILE)
1334  isec->sclass = inode_mode_to_security_class(inode->i_mode);
1335  return rc;
1336 }
1337 
1338 /* Convert a Linux signal to an access vector. */
1339 static inline u32 signal_to_av(int sig)
1340 {
1341  u32 perm = 0;
1342 
1343  switch (sig) {
1344  case SIGCHLD:
1345  /* Commonly granted from child to parent. */
1346  perm = PROCESS__SIGCHLD;
1347  break;
1348  case SIGKILL:
1349  /* Cannot be caught or ignored */
1350  perm = PROCESS__SIGKILL;
1351  break;
1352  case SIGSTOP:
1353  /* Cannot be caught or ignored */
1354  perm = PROCESS__SIGSTOP;
1355  break;
1356  default:
1357  /* All other signals. */
1358  perm = PROCESS__SIGNAL;
1359  break;
1360  }
1361 
1362  return perm;
1363 }
1364 
1365 /*
1366  * Check permission between a pair of credentials
1367  * fork check, ptrace check, etc.
1368  */
1369 static int cred_has_perm(const struct cred *actor,
1370  const struct cred *target,
1371  u32 perms)
1372 {
1373  u32 asid = cred_sid(actor), tsid = cred_sid(target);
1374 
1375  return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1376 }
1377 
1378 /*
1379  * Check permission between a pair of tasks, e.g. signal checks,
1380  * fork check, ptrace check, etc.
1381  * tsk1 is the actor and tsk2 is the target
1382  * - this uses the default subjective creds of tsk1
1383  */
1384 static int task_has_perm(const struct task_struct *tsk1,
1385  const struct task_struct *tsk2,
1386  u32 perms)
1387 {
1388  const struct task_security_struct *__tsec1, *__tsec2;
1389  u32 sid1, sid2;
1390 
1391  rcu_read_lock();
1392  __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1393  __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1394  rcu_read_unlock();
1395  return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1396 }
1397 
1398 /*
1399  * Check permission between current and another task, e.g. signal checks,
1400  * fork check, ptrace check, etc.
1401  * current is the actor and tsk2 is the target
1402  * - this uses current's subjective creds
1403  */
1404 static int current_has_perm(const struct task_struct *tsk,
1405  u32 perms)
1406 {
1407  u32 sid, tsid;
1408 
1409  sid = current_sid();
1410  tsid = task_sid(tsk);
1411  return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1412 }
1413 
1414 #if CAP_LAST_CAP > 63
1415 #error Fix SELinux to handle capabilities > 63.
1416 #endif
1417 
1418 /* Check whether a task is allowed to use a capability. */
1419 static int cred_has_capability(const struct cred *cred,
1420  int cap, int audit)
1421 {
1422  struct common_audit_data ad;
1423  struct av_decision avd;
1424  u16 sclass;
1425  u32 sid = cred_sid(cred);
1426  u32 av = CAP_TO_MASK(cap);
1427  int rc;
1428 
1429  ad.type = LSM_AUDIT_DATA_CAP;
1430  ad.u.cap = cap;
1431 
1432  switch (CAP_TO_INDEX(cap)) {
1433  case 0:
1434  sclass = SECCLASS_CAPABILITY;
1435  break;
1436  case 1:
1437  sclass = SECCLASS_CAPABILITY2;
1438  break;
1439  default:
1441  "SELinux: out of range capability %d\n", cap);
1442  BUG();
1443  return -EINVAL;
1444  }
1445 
1446  rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1447  if (audit == SECURITY_CAP_AUDIT) {
1448  int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1449  if (rc2)
1450  return rc2;
1451  }
1452  return rc;
1453 }
1454 
1455 /* Check whether a task is allowed to use a system operation. */
1456 static int task_has_system(struct task_struct *tsk,
1457  u32 perms)
1458 {
1459  u32 sid = task_sid(tsk);
1460 
1461  return avc_has_perm(sid, SECINITSID_KERNEL,
1462  SECCLASS_SYSTEM, perms, NULL);
1463 }
1464 
1465 /* Check whether a task has a particular permission to an inode.
1466  The 'adp' parameter is optional and allows other audit
1467  data to be passed (e.g. the dentry). */
1468 static int inode_has_perm(const struct cred *cred,
1469  struct inode *inode,
1470  u32 perms,
1471  struct common_audit_data *adp,
1472  unsigned flags)
1473 {
1474  struct inode_security_struct *isec;
1475  u32 sid;
1476 
1477  validate_creds(cred);
1478 
1479  if (unlikely(IS_PRIVATE(inode)))
1480  return 0;
1481 
1482  sid = cred_sid(cred);
1483  isec = inode->i_security;
1484 
1485  return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1486 }
1487 
1488 /* Same as inode_has_perm, but pass explicit audit data containing
1489  the dentry to help the auditing code to more easily generate the
1490  pathname if needed. */
1491 static inline int dentry_has_perm(const struct cred *cred,
1492  struct dentry *dentry,
1493  u32 av)
1494 {
1495  struct inode *inode = dentry->d_inode;
1496  struct common_audit_data ad;
1497 
1499  ad.u.dentry = dentry;
1500  return inode_has_perm(cred, inode, av, &ad, 0);
1501 }
1502 
1503 /* Same as inode_has_perm, but pass explicit audit data containing
1504  the path to help the auditing code to more easily generate the
1505  pathname if needed. */
1506 static inline int path_has_perm(const struct cred *cred,
1507  struct path *path,
1508  u32 av)
1509 {
1510  struct inode *inode = path->dentry->d_inode;
1511  struct common_audit_data ad;
1512 
1514  ad.u.path = *path;
1515  return inode_has_perm(cred, inode, av, &ad, 0);
1516 }
1517 
1518 /* Check whether a task can use an open file descriptor to
1519  access an inode in a given way. Check access to the
1520  descriptor itself, and then use dentry_has_perm to
1521  check a particular permission to the file.
1522  Access to the descriptor is implicitly granted if it
1523  has the same SID as the process. If av is zero, then
1524  access to the file is not checked, e.g. for cases
1525  where only the descriptor is affected like seek. */
1526 static int file_has_perm(const struct cred *cred,
1527  struct file *file,
1528  u32 av)
1529 {
1530  struct file_security_struct *fsec = file->f_security;
1531  struct inode *inode = file->f_path.dentry->d_inode;
1532  struct common_audit_data ad;
1533  u32 sid = cred_sid(cred);
1534  int rc;
1535 
1536  ad.type = LSM_AUDIT_DATA_PATH;
1537  ad.u.path = file->f_path;
1538 
1539  if (sid != fsec->sid) {
1540  rc = avc_has_perm(sid, fsec->sid,
1541  SECCLASS_FD,
1542  FD__USE,
1543  &ad);
1544  if (rc)
1545  goto out;
1546  }
1547 
1548  /* av is zero if only checking access to the descriptor. */
1549  rc = 0;
1550  if (av)
1551  rc = inode_has_perm(cred, inode, av, &ad, 0);
1552 
1553 out:
1554  return rc;
1555 }
1556 
1557 /* Check whether a task can create a file. */
1558 static int may_create(struct inode *dir,
1559  struct dentry *dentry,
1560  u16 tclass)
1561 {
1562  const struct task_security_struct *tsec = current_security();
1563  struct inode_security_struct *dsec;
1564  struct superblock_security_struct *sbsec;
1565  u32 sid, newsid;
1566  struct common_audit_data ad;
1567  int rc;
1568 
1569  dsec = dir->i_security;
1570  sbsec = dir->i_sb->s_security;
1571 
1572  sid = tsec->sid;
1573  newsid = tsec->create_sid;
1574 
1575  ad.type = LSM_AUDIT_DATA_DENTRY;
1576  ad.u.dentry = dentry;
1577 
1578  rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1579  DIR__ADD_NAME | DIR__SEARCH,
1580  &ad);
1581  if (rc)
1582  return rc;
1583 
1584  if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1585  rc = security_transition_sid(sid, dsec->sid, tclass,
1586  &dentry->d_name, &newsid);
1587  if (rc)
1588  return rc;
1589  }
1590 
1591  rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1592  if (rc)
1593  return rc;
1594 
1595  return avc_has_perm(newsid, sbsec->sid,
1596  SECCLASS_FILESYSTEM,
1597  FILESYSTEM__ASSOCIATE, &ad);
1598 }
1599 
1600 /* Check whether a task can create a key. */
1601 static int may_create_key(u32 ksid,
1602  struct task_struct *ctx)
1603 {
1604  u32 sid = task_sid(ctx);
1605 
1606  return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1607 }
1608 
1609 #define MAY_LINK 0
1610 #define MAY_UNLINK 1
1611 #define MAY_RMDIR 2
1612 
1613 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1614 static int may_link(struct inode *dir,
1615  struct dentry *dentry,
1616  int kind)
1617 
1618 {
1619  struct inode_security_struct *dsec, *isec;
1620  struct common_audit_data ad;
1621  u32 sid = current_sid();
1622  u32 av;
1623  int rc;
1624 
1625  dsec = dir->i_security;
1626  isec = dentry->d_inode->i_security;
1627 
1629  ad.u.dentry = dentry;
1630 
1631  av = DIR__SEARCH;
1632  av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1633  rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1634  if (rc)
1635  return rc;
1636 
1637  switch (kind) {
1638  case MAY_LINK:
1639  av = FILE__LINK;
1640  break;
1641  case MAY_UNLINK:
1642  av = FILE__UNLINK;
1643  break;
1644  case MAY_RMDIR:
1645  av = DIR__RMDIR;
1646  break;
1647  default:
1648  printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1649  __func__, kind);
1650  return 0;
1651  }
1652 
1653  rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1654  return rc;
1655 }
1656 
1657 static inline int may_rename(struct inode *old_dir,
1658  struct dentry *old_dentry,
1659  struct inode *new_dir,
1660  struct dentry *new_dentry)
1661 {
1662  struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1663  struct common_audit_data ad;
1664  u32 sid = current_sid();
1665  u32 av;
1666  int old_is_dir, new_is_dir;
1667  int rc;
1668 
1669  old_dsec = old_dir->i_security;
1670  old_isec = old_dentry->d_inode->i_security;
1671  old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1672  new_dsec = new_dir->i_security;
1673 
1674  ad.type = LSM_AUDIT_DATA_DENTRY;
1675 
1676  ad.u.dentry = old_dentry;
1677  rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1678  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1679  if (rc)
1680  return rc;
1681  rc = avc_has_perm(sid, old_isec->sid,
1682  old_isec->sclass, FILE__RENAME, &ad);
1683  if (rc)
1684  return rc;
1685  if (old_is_dir && new_dir != old_dir) {
1686  rc = avc_has_perm(sid, old_isec->sid,
1687  old_isec->sclass, DIR__REPARENT, &ad);
1688  if (rc)
1689  return rc;
1690  }
1691 
1692  ad.u.dentry = new_dentry;
1693  av = DIR__ADD_NAME | DIR__SEARCH;
1694  if (new_dentry->d_inode)
1695  av |= DIR__REMOVE_NAME;
1696  rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1697  if (rc)
1698  return rc;
1699  if (new_dentry->d_inode) {
1700  new_isec = new_dentry->d_inode->i_security;
1701  new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1702  rc = avc_has_perm(sid, new_isec->sid,
1703  new_isec->sclass,
1704  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1705  if (rc)
1706  return rc;
1707  }
1708 
1709  return 0;
1710 }
1711 
1712 /* Check whether a task can perform a filesystem operation. */
1713 static int superblock_has_perm(const struct cred *cred,
1714  struct super_block *sb,
1715  u32 perms,
1716  struct common_audit_data *ad)
1717 {
1718  struct superblock_security_struct *sbsec;
1719  u32 sid = cred_sid(cred);
1720 
1721  sbsec = sb->s_security;
1722  return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1723 }
1724 
1725 /* Convert a Linux mode and permission mask to an access vector. */
1726 static inline u32 file_mask_to_av(int mode, int mask)
1727 {
1728  u32 av = 0;
1729 
1730  if (!S_ISDIR(mode)) {
1731  if (mask & MAY_EXEC)
1732  av |= FILE__EXECUTE;
1733  if (mask & MAY_READ)
1734  av |= FILE__READ;
1735 
1736  if (mask & MAY_APPEND)
1737  av |= FILE__APPEND;
1738  else if (mask & MAY_WRITE)
1739  av |= FILE__WRITE;
1740 
1741  } else {
1742  if (mask & MAY_EXEC)
1743  av |= DIR__SEARCH;
1744  if (mask & MAY_WRITE)
1745  av |= DIR__WRITE;
1746  if (mask & MAY_READ)
1747  av |= DIR__READ;
1748  }
1749 
1750  return av;
1751 }
1752 
1753 /* Convert a Linux file to an access vector. */
1754 static inline u32 file_to_av(struct file *file)
1755 {
1756  u32 av = 0;
1757 
1758  if (file->f_mode & FMODE_READ)
1759  av |= FILE__READ;
1760  if (file->f_mode & FMODE_WRITE) {
1761  if (file->f_flags & O_APPEND)
1762  av |= FILE__APPEND;
1763  else
1764  av |= FILE__WRITE;
1765  }
1766  if (!av) {
1767  /*
1768  * Special file opened with flags 3 for ioctl-only use.
1769  */
1770  av = FILE__IOCTL;
1771  }
1772 
1773  return av;
1774 }
1775 
1776 /*
1777  * Convert a file to an access vector and include the correct open
1778  * open permission.
1779  */
1780 static inline u32 open_file_to_av(struct file *file)
1781 {
1782  u32 av = file_to_av(file);
1783 
1785  av |= FILE__OPEN;
1786 
1787  return av;
1788 }
1789 
1790 /* Hook functions begin here. */
1791 
1792 static int selinux_ptrace_access_check(struct task_struct *child,
1793  unsigned int mode)
1794 {
1795  int rc;
1796 
1797  rc = cap_ptrace_access_check(child, mode);
1798  if (rc)
1799  return rc;
1800 
1801  if (mode & PTRACE_MODE_READ) {
1802  u32 sid = current_sid();
1803  u32 csid = task_sid(child);
1804  return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1805  }
1806 
1807  return current_has_perm(child, PROCESS__PTRACE);
1808 }
1809 
1810 static int selinux_ptrace_traceme(struct task_struct *parent)
1811 {
1812  int rc;
1813 
1814  rc = cap_ptrace_traceme(parent);
1815  if (rc)
1816  return rc;
1817 
1818  return task_has_perm(parent, current, PROCESS__PTRACE);
1819 }
1820 
1821 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1822  kernel_cap_t *inheritable, kernel_cap_t *permitted)
1823 {
1824  int error;
1825 
1826  error = current_has_perm(target, PROCESS__GETCAP);
1827  if (error)
1828  return error;
1829 
1830  return cap_capget(target, effective, inheritable, permitted);
1831 }
1832 
1833 static int selinux_capset(struct cred *new, const struct cred *old,
1834  const kernel_cap_t *effective,
1835  const kernel_cap_t *inheritable,
1836  const kernel_cap_t *permitted)
1837 {
1838  int error;
1839 
1840  error = cap_capset(new, old,
1841  effective, inheritable, permitted);
1842  if (error)
1843  return error;
1844 
1845  return cred_has_perm(old, new, PROCESS__SETCAP);
1846 }
1847 
1848 /*
1849  * (This comment used to live with the selinux_task_setuid hook,
1850  * which was removed).
1851  *
1852  * Since setuid only affects the current process, and since the SELinux
1853  * controls are not based on the Linux identity attributes, SELinux does not
1854  * need to control this operation. However, SELinux does control the use of
1855  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1856  */
1857 
1858 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1859  int cap, int audit)
1860 {
1861  int rc;
1862 
1863  rc = cap_capable(cred, ns, cap, audit);
1864  if (rc)
1865  return rc;
1866 
1867  return cred_has_capability(cred, cap, audit);
1868 }
1869 
1870 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1871 {
1872  const struct cred *cred = current_cred();
1873  int rc = 0;
1874 
1875  if (!sb)
1876  return 0;
1877 
1878  switch (cmds) {
1879  case Q_SYNC:
1880  case Q_QUOTAON:
1881  case Q_QUOTAOFF:
1882  case Q_SETINFO:
1883  case Q_SETQUOTA:
1884  rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1885  break;
1886  case Q_GETFMT:
1887  case Q_GETINFO:
1888  case Q_GETQUOTA:
1889  rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1890  break;
1891  default:
1892  rc = 0; /* let the kernel handle invalid cmds */
1893  break;
1894  }
1895  return rc;
1896 }
1897 
1898 static int selinux_quota_on(struct dentry *dentry)
1899 {
1900  const struct cred *cred = current_cred();
1901 
1902  return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1903 }
1904 
1905 static int selinux_syslog(int type)
1906 {
1907  int rc;
1908 
1909  switch (type) {
1910  case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1911  case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1912  rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1913  break;
1914  case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1915  case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
1916  /* Set level of messages printed to console */
1918  rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1919  break;
1920  case SYSLOG_ACTION_CLOSE: /* Close log */
1921  case SYSLOG_ACTION_OPEN: /* Open log */
1922  case SYSLOG_ACTION_READ: /* Read from log */
1923  case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
1924  case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
1925  default:
1926  rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1927  break;
1928  }
1929  return rc;
1930 }
1931 
1932 /*
1933  * Check that a process has enough memory to allocate a new virtual
1934  * mapping. 0 means there is enough memory for the allocation to
1935  * succeed and -ENOMEM implies there is not.
1936  *
1937  * Do not audit the selinux permission check, as this is applied to all
1938  * processes that allocate mappings.
1939  */
1940 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1941 {
1942  int rc, cap_sys_admin = 0;
1943 
1944  rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
1946  if (rc == 0)
1947  cap_sys_admin = 1;
1948 
1949  return __vm_enough_memory(mm, pages, cap_sys_admin);
1950 }
1951 
1952 /* binprm security operations */
1953 
1954 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1955 {
1956  const struct task_security_struct *old_tsec;
1957  struct task_security_struct *new_tsec;
1958  struct inode_security_struct *isec;
1959  struct common_audit_data ad;
1960  struct inode *inode = bprm->file->f_path.dentry->d_inode;
1961  int rc;
1962 
1963  rc = cap_bprm_set_creds(bprm);
1964  if (rc)
1965  return rc;
1966 
1967  /* SELinux context only depends on initial program or script and not
1968  * the script interpreter */
1969  if (bprm->cred_prepared)
1970  return 0;
1971 
1972  old_tsec = current_security();
1973  new_tsec = bprm->cred->security;
1974  isec = inode->i_security;
1975 
1976  /* Default to the current task SID. */
1977  new_tsec->sid = old_tsec->sid;
1978  new_tsec->osid = old_tsec->sid;
1979 
1980  /* Reset fs, key, and sock SIDs on execve. */
1981  new_tsec->create_sid = 0;
1982  new_tsec->keycreate_sid = 0;
1983  new_tsec->sockcreate_sid = 0;
1984 
1985  if (old_tsec->exec_sid) {
1986  new_tsec->sid = old_tsec->exec_sid;
1987  /* Reset exec SID on execve. */
1988  new_tsec->exec_sid = 0;
1989 
1990  /*
1991  * Minimize confusion: if no_new_privs and a transition is
1992  * explicitly requested, then fail the exec.
1993  */
1994  if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
1995  return -EPERM;
1996  } else {
1997  /* Check for a default transition on this program. */
1998  rc = security_transition_sid(old_tsec->sid, isec->sid,
1999  SECCLASS_PROCESS, NULL,
2000  &new_tsec->sid);
2001  if (rc)
2002  return rc;
2003  }
2004 
2005  ad.type = LSM_AUDIT_DATA_PATH;
2006  ad.u.path = bprm->file->f_path;
2007 
2008  if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2009  (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2010  new_tsec->sid = old_tsec->sid;
2011 
2012  if (new_tsec->sid == old_tsec->sid) {
2013  rc = avc_has_perm(old_tsec->sid, isec->sid,
2014  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2015  if (rc)
2016  return rc;
2017  } else {
2018  /* Check permissions for the transition. */
2019  rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2020  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2021  if (rc)
2022  return rc;
2023 
2024  rc = avc_has_perm(new_tsec->sid, isec->sid,
2025  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2026  if (rc)
2027  return rc;
2028 
2029  /* Check for shared state */
2030  if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2031  rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2032  SECCLASS_PROCESS, PROCESS__SHARE,
2033  NULL);
2034  if (rc)
2035  return -EPERM;
2036  }
2037 
2038  /* Make sure that anyone attempting to ptrace over a task that
2039  * changes its SID has the appropriate permit */
2040  if (bprm->unsafe &
2042  struct task_struct *tracer;
2043  struct task_security_struct *sec;
2044  u32 ptsid = 0;
2045 
2046  rcu_read_lock();
2047  tracer = ptrace_parent(current);
2048  if (likely(tracer != NULL)) {
2049  sec = __task_cred(tracer)->security;
2050  ptsid = sec->sid;
2051  }
2052  rcu_read_unlock();
2053 
2054  if (ptsid != 0) {
2055  rc = avc_has_perm(ptsid, new_tsec->sid,
2056  SECCLASS_PROCESS,
2057  PROCESS__PTRACE, NULL);
2058  if (rc)
2059  return -EPERM;
2060  }
2061  }
2062 
2063  /* Clear any possibly unsafe personality bits on exec: */
2064  bprm->per_clear |= PER_CLEAR_ON_SETID;
2065  }
2066 
2067  return 0;
2068 }
2069 
2070 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2071 {
2072  const struct task_security_struct *tsec = current_security();
2073  u32 sid, osid;
2074  int atsecure = 0;
2075 
2076  sid = tsec->sid;
2077  osid = tsec->osid;
2078 
2079  if (osid != sid) {
2080  /* Enable secure mode for SIDs transitions unless
2081  the noatsecure permission is granted between
2082  the two SIDs, i.e. ahp returns 0. */
2083  atsecure = avc_has_perm(osid, sid,
2084  SECCLASS_PROCESS,
2085  PROCESS__NOATSECURE, NULL);
2086  }
2087 
2088  return (atsecure || cap_bprm_secureexec(bprm));
2089 }
2090 
2091 static int match_file(const void *p, struct file *file, unsigned fd)
2092 {
2093  return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2094 }
2095 
2096 /* Derived from fs/exec.c:flush_old_files. */
2097 static inline void flush_unauthorized_files(const struct cred *cred,
2098  struct files_struct *files)
2099 {
2100  struct file *file, *devnull = NULL;
2101  struct tty_struct *tty;
2102  int drop_tty = 0;
2103  unsigned n;
2104 
2105  tty = get_current_tty();
2106  if (tty) {
2107  spin_lock(&tty_files_lock);
2108  if (!list_empty(&tty->tty_files)) {
2109  struct tty_file_private *file_priv;
2110 
2111  /* Revalidate access to controlling tty.
2112  Use path_has_perm on the tty path directly rather
2113  than using file_has_perm, as this particular open
2114  file may belong to another process and we are only
2115  interested in the inode-based check here. */
2116  file_priv = list_first_entry(&tty->tty_files,
2117  struct tty_file_private, list);
2118  file = file_priv->file;
2119  if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
2120  drop_tty = 1;
2121  }
2122  spin_unlock(&tty_files_lock);
2123  tty_kref_put(tty);
2124  }
2125  /* Reset controlling tty. */
2126  if (drop_tty)
2127  no_tty();
2128 
2129  /* Revalidate access to inherited open files. */
2130  n = iterate_fd(files, 0, match_file, cred);
2131  if (!n) /* none found? */
2132  return;
2133 
2134  devnull = dentry_open(&selinux_null, O_RDWR, cred);
2135  if (IS_ERR(devnull))
2136  devnull = NULL;
2137  /* replace all the matching ones with this */
2138  do {
2139  replace_fd(n - 1, devnull, 0);
2140  } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2141  if (devnull)
2142  fput(devnull);
2143 }
2144 
2145 /*
2146  * Prepare a process for imminent new credential changes due to exec
2147  */
2148 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2149 {
2150  struct task_security_struct *new_tsec;
2151  struct rlimit *rlim, *initrlim;
2152  int rc, i;
2153 
2154  new_tsec = bprm->cred->security;
2155  if (new_tsec->sid == new_tsec->osid)
2156  return;
2157 
2158  /* Close files for which the new task SID is not authorized. */
2159  flush_unauthorized_files(bprm->cred, current->files);
2160 
2161  /* Always clear parent death signal on SID transitions. */
2162  current->pdeath_signal = 0;
2163 
2164  /* Check whether the new SID can inherit resource limits from the old
2165  * SID. If not, reset all soft limits to the lower of the current
2166  * task's hard limit and the init task's soft limit.
2167  *
2168  * Note that the setting of hard limits (even to lower them) can be
2169  * controlled by the setrlimit check. The inclusion of the init task's
2170  * soft limit into the computation is to avoid resetting soft limits
2171  * higher than the default soft limit for cases where the default is
2172  * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2173  */
2174  rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2175  PROCESS__RLIMITINH, NULL);
2176  if (rc) {
2177  /* protect against do_prlimit() */
2178  task_lock(current);
2179  for (i = 0; i < RLIM_NLIMITS; i++) {
2180  rlim = current->signal->rlim + i;
2181  initrlim = init_task.signal->rlim + i;
2182  rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2183  }
2184  task_unlock(current);
2186  }
2187 }
2188 
2189 /*
2190  * Clean up the process immediately after the installation of new credentials
2191  * due to exec
2192  */
2193 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2194 {
2195  const struct task_security_struct *tsec = current_security();
2196  struct itimerval itimer;
2197  u32 osid, sid;
2198  int rc, i;
2199 
2200  osid = tsec->osid;
2201  sid = tsec->sid;
2202 
2203  if (sid == osid)
2204  return;
2205 
2206  /* Check whether the new SID can inherit signal state from the old SID.
2207  * If not, clear itimers to avoid subsequent signal generation and
2208  * flush and unblock signals.
2209  *
2210  * This must occur _after_ the task SID has been updated so that any
2211  * kill done after the flush will be checked against the new SID.
2212  */
2213  rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2214  if (rc) {
2215  memset(&itimer, 0, sizeof itimer);
2216  for (i = 0; i < 3; i++)
2217  do_setitimer(i, &itimer, NULL);
2218  spin_lock_irq(&current->sighand->siglock);
2219  if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2222  sigemptyset(&current->blocked);
2223  }
2224  spin_unlock_irq(&current->sighand->siglock);
2225  }
2226 
2227  /* Wake up the parent if it is waiting so that it can recheck
2228  * wait permission to the new task SID. */
2229  read_lock(&tasklist_lock);
2230  __wake_up_parent(current, current->real_parent);
2231  read_unlock(&tasklist_lock);
2232 }
2233 
2234 /* superblock security operations */
2235 
2236 static int selinux_sb_alloc_security(struct super_block *sb)
2237 {
2238  return superblock_alloc_security(sb);
2239 }
2240 
2241 static void selinux_sb_free_security(struct super_block *sb)
2242 {
2243  superblock_free_security(sb);
2244 }
2245 
2246 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2247 {
2248  if (plen > olen)
2249  return 0;
2250 
2251  return !memcmp(prefix, option, plen);
2252 }
2253 
2254 static inline int selinux_option(char *option, int len)
2255 {
2256  return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2257  match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2258  match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2259  match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2260  match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2261 }
2262 
2263 static inline void take_option(char **to, char *from, int *first, int len)
2264 {
2265  if (!*first) {
2266  **to = ',';
2267  *to += 1;
2268  } else
2269  *first = 0;
2270  memcpy(*to, from, len);
2271  *to += len;
2272 }
2273 
2274 static inline void take_selinux_option(char **to, char *from, int *first,
2275  int len)
2276 {
2277  int current_size = 0;
2278 
2279  if (!*first) {
2280  **to = '|';
2281  *to += 1;
2282  } else
2283  *first = 0;
2284 
2285  while (current_size < len) {
2286  if (*from != '"') {
2287  **to = *from;
2288  *to += 1;
2289  }
2290  from += 1;
2291  current_size += 1;
2292  }
2293 }
2294 
2295 static int selinux_sb_copy_data(char *orig, char *copy)
2296 {
2297  int fnosec, fsec, rc = 0;
2298  char *in_save, *in_curr, *in_end;
2299  char *sec_curr, *nosec_save, *nosec;
2300  int open_quote = 0;
2301 
2302  in_curr = orig;
2303  sec_curr = copy;
2304 
2305  nosec = (char *)get_zeroed_page(GFP_KERNEL);
2306  if (!nosec) {
2307  rc = -ENOMEM;
2308  goto out;
2309  }
2310 
2311  nosec_save = nosec;
2312  fnosec = fsec = 1;
2313  in_save = in_end = orig;
2314 
2315  do {
2316  if (*in_end == '"')
2317  open_quote = !open_quote;
2318  if ((*in_end == ',' && open_quote == 0) ||
2319  *in_end == '\0') {
2320  int len = in_end - in_curr;
2321 
2322  if (selinux_option(in_curr, len))
2323  take_selinux_option(&sec_curr, in_curr, &fsec, len);
2324  else
2325  take_option(&nosec, in_curr, &fnosec, len);
2326 
2327  in_curr = in_end + 1;
2328  }
2329  } while (*in_end++);
2330 
2331  strcpy(in_save, nosec_save);
2332  free_page((unsigned long)nosec_save);
2333 out:
2334  return rc;
2335 }
2336 
2337 static int selinux_sb_remount(struct super_block *sb, void *data)
2338 {
2339  int rc, i, *flags;
2340  struct security_mnt_opts opts;
2341  char *secdata, **mount_options;
2342  struct superblock_security_struct *sbsec = sb->s_security;
2343 
2344  if (!(sbsec->flags & SE_SBINITIALIZED))
2345  return 0;
2346 
2347  if (!data)
2348  return 0;
2349 
2350  if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2351  return 0;
2352 
2353  security_init_mnt_opts(&opts);
2354  secdata = alloc_secdata();
2355  if (!secdata)
2356  return -ENOMEM;
2357  rc = selinux_sb_copy_data(data, secdata);
2358  if (rc)
2359  goto out_free_secdata;
2360 
2361  rc = selinux_parse_opts_str(secdata, &opts);
2362  if (rc)
2363  goto out_free_secdata;
2364 
2365  mount_options = opts.mnt_opts;
2366  flags = opts.mnt_opts_flags;
2367 
2368  for (i = 0; i < opts.num_mnt_opts; i++) {
2369  u32 sid;
2370  size_t len;
2371 
2372  if (flags[i] == SE_SBLABELSUPP)
2373  continue;
2374  len = strlen(mount_options[i]);
2375  rc = security_context_to_sid(mount_options[i], len, &sid);
2376  if (rc) {
2377  printk(KERN_WARNING "SELinux: security_context_to_sid"
2378  "(%s) failed for (dev %s, type %s) errno=%d\n",
2379  mount_options[i], sb->s_id, sb->s_type->name, rc);
2380  goto out_free_opts;
2381  }
2382  rc = -EINVAL;
2383  switch (flags[i]) {
2384  case FSCONTEXT_MNT:
2385  if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2386  goto out_bad_option;
2387  break;
2388  case CONTEXT_MNT:
2389  if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2390  goto out_bad_option;
2391  break;
2392  case ROOTCONTEXT_MNT: {
2393  struct inode_security_struct *root_isec;
2394  root_isec = sb->s_root->d_inode->i_security;
2395 
2396  if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2397  goto out_bad_option;
2398  break;
2399  }
2400  case DEFCONTEXT_MNT:
2401  if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2402  goto out_bad_option;
2403  break;
2404  default:
2405  goto out_free_opts;
2406  }
2407  }
2408 
2409  rc = 0;
2410 out_free_opts:
2411  security_free_mnt_opts(&opts);
2412 out_free_secdata:
2413  free_secdata(secdata);
2414  return rc;
2415 out_bad_option:
2416  printk(KERN_WARNING "SELinux: unable to change security options "
2417  "during remount (dev %s, type=%s)\n", sb->s_id,
2418  sb->s_type->name);
2419  goto out_free_opts;
2420 }
2421 
2422 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2423 {
2424  const struct cred *cred = current_cred();
2425  struct common_audit_data ad;
2426  int rc;
2427 
2428  rc = superblock_doinit(sb, data);
2429  if (rc)
2430  return rc;
2431 
2432  /* Allow all mounts performed by the kernel */
2433  if (flags & MS_KERNMOUNT)
2434  return 0;
2435 
2436  ad.type = LSM_AUDIT_DATA_DENTRY;
2437  ad.u.dentry = sb->s_root;
2438  return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2439 }
2440 
2441 static int selinux_sb_statfs(struct dentry *dentry)
2442 {
2443  const struct cred *cred = current_cred();
2444  struct common_audit_data ad;
2445 
2447  ad.u.dentry = dentry->d_sb->s_root;
2448  return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2449 }
2450 
2451 static int selinux_mount(const char *dev_name,
2452  struct path *path,
2453  const char *type,
2454  unsigned long flags,
2455  void *data)
2456 {
2457  const struct cred *cred = current_cred();
2458 
2459  if (flags & MS_REMOUNT)
2460  return superblock_has_perm(cred, path->dentry->d_sb,
2461  FILESYSTEM__REMOUNT, NULL);
2462  else
2463  return path_has_perm(cred, path, FILE__MOUNTON);
2464 }
2465 
2466 static int selinux_umount(struct vfsmount *mnt, int flags)
2467 {
2468  const struct cred *cred = current_cred();
2469 
2470  return superblock_has_perm(cred, mnt->mnt_sb,
2471  FILESYSTEM__UNMOUNT, NULL);
2472 }
2473 
2474 /* inode security operations */
2475 
2476 static int selinux_inode_alloc_security(struct inode *inode)
2477 {
2478  return inode_alloc_security(inode);
2479 }
2480 
2481 static void selinux_inode_free_security(struct inode *inode)
2482 {
2483  inode_free_security(inode);
2484 }
2485 
2486 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2487  const struct qstr *qstr, char **name,
2488  void **value, size_t *len)
2489 {
2490  const struct task_security_struct *tsec = current_security();
2491  struct inode_security_struct *dsec;
2492  struct superblock_security_struct *sbsec;
2493  u32 sid, newsid, clen;
2494  int rc;
2495  char *namep = NULL, *context;
2496 
2497  dsec = dir->i_security;
2498  sbsec = dir->i_sb->s_security;
2499 
2500  sid = tsec->sid;
2501  newsid = tsec->create_sid;
2502 
2503  if ((sbsec->flags & SE_SBINITIALIZED) &&
2504  (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2505  newsid = sbsec->mntpoint_sid;
2506  else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2507  rc = security_transition_sid(sid, dsec->sid,
2508  inode_mode_to_security_class(inode->i_mode),
2509  qstr, &newsid);
2510  if (rc) {
2511  printk(KERN_WARNING "%s: "
2512  "security_transition_sid failed, rc=%d (dev=%s "
2513  "ino=%ld)\n",
2514  __func__,
2515  -rc, inode->i_sb->s_id, inode->i_ino);
2516  return rc;
2517  }
2518  }
2519 
2520  /* Possibly defer initialization to selinux_complete_init. */
2521  if (sbsec->flags & SE_SBINITIALIZED) {
2522  struct inode_security_struct *isec = inode->i_security;
2523  isec->sclass = inode_mode_to_security_class(inode->i_mode);
2524  isec->sid = newsid;
2525  isec->initialized = 1;
2526  }
2527 
2528  if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2529  return -EOPNOTSUPP;
2530 
2531  if (name) {
2533  if (!namep)
2534  return -ENOMEM;
2535  *name = namep;
2536  }
2537 
2538  if (value && len) {
2539  rc = security_sid_to_context_force(newsid, &context, &clen);
2540  if (rc) {
2541  kfree(namep);
2542  return rc;
2543  }
2544  *value = context;
2545  *len = clen;
2546  }
2547 
2548  return 0;
2549 }
2550 
2551 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2552 {
2553  return may_create(dir, dentry, SECCLASS_FILE);
2554 }
2555 
2556 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2557 {
2558  return may_link(dir, old_dentry, MAY_LINK);
2559 }
2560 
2561 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2562 {
2563  return may_link(dir, dentry, MAY_UNLINK);
2564 }
2565 
2566 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2567 {
2568  return may_create(dir, dentry, SECCLASS_LNK_FILE);
2569 }
2570 
2571 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2572 {
2573  return may_create(dir, dentry, SECCLASS_DIR);
2574 }
2575 
2576 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2577 {
2578  return may_link(dir, dentry, MAY_RMDIR);
2579 }
2580 
2581 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2582 {
2583  return may_create(dir, dentry, inode_mode_to_security_class(mode));
2584 }
2585 
2586 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2587  struct inode *new_inode, struct dentry *new_dentry)
2588 {
2589  return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2590 }
2591 
2592 static int selinux_inode_readlink(struct dentry *dentry)
2593 {
2594  const struct cred *cred = current_cred();
2595 
2596  return dentry_has_perm(cred, dentry, FILE__READ);
2597 }
2598 
2599 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2600 {
2601  const struct cred *cred = current_cred();
2602 
2603  return dentry_has_perm(cred, dentry, FILE__READ);
2604 }
2605 
2606 static noinline int audit_inode_permission(struct inode *inode,
2607  u32 perms, u32 audited, u32 denied,
2608  unsigned flags)
2609 {
2610  struct common_audit_data ad;
2611  struct inode_security_struct *isec = inode->i_security;
2612  int rc;
2613 
2614  ad.type = LSM_AUDIT_DATA_INODE;
2615  ad.u.inode = inode;
2616 
2617  rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2618  audited, denied, &ad, flags);
2619  if (rc)
2620  return rc;
2621  return 0;
2622 }
2623 
2624 static int selinux_inode_permission(struct inode *inode, int mask)
2625 {
2626  const struct cred *cred = current_cred();
2627  u32 perms;
2628  bool from_access;
2629  unsigned flags = mask & MAY_NOT_BLOCK;
2630  struct inode_security_struct *isec;
2631  u32 sid;
2632  struct av_decision avd;
2633  int rc, rc2;
2634  u32 audited, denied;
2635 
2636  from_access = mask & MAY_ACCESS;
2637  mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2638 
2639  /* No permission to check. Existence test. */
2640  if (!mask)
2641  return 0;
2642 
2643  validate_creds(cred);
2644 
2645  if (unlikely(IS_PRIVATE(inode)))
2646  return 0;
2647 
2648  perms = file_mask_to_av(inode->i_mode, mask);
2649 
2650  sid = cred_sid(cred);
2651  isec = inode->i_security;
2652 
2653  rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2654  audited = avc_audit_required(perms, &avd, rc,
2655  from_access ? FILE__AUDIT_ACCESS : 0,
2656  &denied);
2657  if (likely(!audited))
2658  return rc;
2659 
2660  rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
2661  if (rc2)
2662  return rc2;
2663  return rc;
2664 }
2665 
2666 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2667 {
2668  const struct cred *cred = current_cred();
2669  unsigned int ia_valid = iattr->ia_valid;
2670  __u32 av = FILE__WRITE;
2671 
2672  /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2673  if (ia_valid & ATTR_FORCE) {
2674  ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2675  ATTR_FORCE);
2676  if (!ia_valid)
2677  return 0;
2678  }
2679 
2680  if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2682  return dentry_has_perm(cred, dentry, FILE__SETATTR);
2683 
2684  if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2685  av |= FILE__OPEN;
2686 
2687  return dentry_has_perm(cred, dentry, av);
2688 }
2689 
2690 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2691 {
2692  const struct cred *cred = current_cred();
2693  struct path path;
2694 
2695  path.dentry = dentry;
2696  path.mnt = mnt;
2697 
2698  return path_has_perm(cred, &path, FILE__GETATTR);
2699 }
2700 
2701 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2702 {
2703  const struct cred *cred = current_cred();
2704 
2705  if (!strncmp(name, XATTR_SECURITY_PREFIX,
2706  sizeof XATTR_SECURITY_PREFIX - 1)) {
2707  if (!strcmp(name, XATTR_NAME_CAPS)) {
2708  if (!capable(CAP_SETFCAP))
2709  return -EPERM;
2710  } else if (!capable(CAP_SYS_ADMIN)) {
2711  /* A different attribute in the security namespace.
2712  Restrict to administrator. */
2713  return -EPERM;
2714  }
2715  }
2716 
2717  /* Not an attribute we recognize, so just check the
2718  ordinary setattr permission. */
2719  return dentry_has_perm(cred, dentry, FILE__SETATTR);
2720 }
2721 
2722 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2723  const void *value, size_t size, int flags)
2724 {
2725  struct inode *inode = dentry->d_inode;
2726  struct inode_security_struct *isec = inode->i_security;
2727  struct superblock_security_struct *sbsec;
2728  struct common_audit_data ad;
2729  u32 newsid, sid = current_sid();
2730  int rc = 0;
2731 
2732  if (strcmp(name, XATTR_NAME_SELINUX))
2733  return selinux_inode_setotherxattr(dentry, name);
2734 
2735  sbsec = inode->i_sb->s_security;
2736  if (!(sbsec->flags & SE_SBLABELSUPP))
2737  return -EOPNOTSUPP;
2738 
2739  if (!inode_owner_or_capable(inode))
2740  return -EPERM;
2741 
2742  ad.type = LSM_AUDIT_DATA_DENTRY;
2743  ad.u.dentry = dentry;
2744 
2745  rc = avc_has_perm(sid, isec->sid, isec->sclass,
2746  FILE__RELABELFROM, &ad);
2747  if (rc)
2748  return rc;
2749 
2750  rc = security_context_to_sid(value, size, &newsid);
2751  if (rc == -EINVAL) {
2752  if (!capable(CAP_MAC_ADMIN)) {
2753  struct audit_buffer *ab;
2754  size_t audit_size;
2755  const char *str;
2756 
2757  /* We strip a nul only if it is at the end, otherwise the
2758  * context contains a nul and we should audit that */
2759  if (value) {
2760  str = value;
2761  if (str[size - 1] == '\0')
2762  audit_size = size - 1;
2763  else
2764  audit_size = size;
2765  } else {
2766  str = "";
2767  audit_size = 0;
2768  }
2769  ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2770  audit_log_format(ab, "op=setxattr invalid_context=");
2771  audit_log_n_untrustedstring(ab, value, audit_size);
2772  audit_log_end(ab);
2773 
2774  return rc;
2775  }
2776  rc = security_context_to_sid_force(value, size, &newsid);
2777  }
2778  if (rc)
2779  return rc;
2780 
2781  rc = avc_has_perm(sid, newsid, isec->sclass,
2782  FILE__RELABELTO, &ad);
2783  if (rc)
2784  return rc;
2785 
2786  rc = security_validate_transition(isec->sid, newsid, sid,
2787  isec->sclass);
2788  if (rc)
2789  return rc;
2790 
2791  return avc_has_perm(newsid,
2792  sbsec->sid,
2793  SECCLASS_FILESYSTEM,
2794  FILESYSTEM__ASSOCIATE,
2795  &ad);
2796 }
2797 
2798 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2799  const void *value, size_t size,
2800  int flags)
2801 {
2802  struct inode *inode = dentry->d_inode;
2803  struct inode_security_struct *isec = inode->i_security;
2804  u32 newsid;
2805  int rc;
2806 
2807  if (strcmp(name, XATTR_NAME_SELINUX)) {
2808  /* Not an attribute we recognize, so nothing to do. */
2809  return;
2810  }
2811 
2812  rc = security_context_to_sid_force(value, size, &newsid);
2813  if (rc) {
2814  printk(KERN_ERR "SELinux: unable to map context to SID"
2815  "for (%s, %lu), rc=%d\n",
2816  inode->i_sb->s_id, inode->i_ino, -rc);
2817  return;
2818  }
2819 
2820  isec->sid = newsid;
2821  return;
2822 }
2823 
2824 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2825 {
2826  const struct cred *cred = current_cred();
2827 
2828  return dentry_has_perm(cred, dentry, FILE__GETATTR);
2829 }
2830 
2831 static int selinux_inode_listxattr(struct dentry *dentry)
2832 {
2833  const struct cred *cred = current_cred();
2834 
2835  return dentry_has_perm(cred, dentry, FILE__GETATTR);
2836 }
2837 
2838 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2839 {
2840  if (strcmp(name, XATTR_NAME_SELINUX))
2841  return selinux_inode_setotherxattr(dentry, name);
2842 
2843  /* No one is allowed to remove a SELinux security label.
2844  You can change the label, but all data must be labeled. */
2845  return -EACCES;
2846 }
2847 
2848 /*
2849  * Copy the inode security context value to the user.
2850  *
2851  * Permission check is handled by selinux_inode_getxattr hook.
2852  */
2853 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2854 {
2855  u32 size;
2856  int error;
2857  char *context = NULL;
2858  struct inode_security_struct *isec = inode->i_security;
2859 
2860  if (strcmp(name, XATTR_SELINUX_SUFFIX))
2861  return -EOPNOTSUPP;
2862 
2863  /*
2864  * If the caller has CAP_MAC_ADMIN, then get the raw context
2865  * value even if it is not defined by current policy; otherwise,
2866  * use the in-core value under current policy.
2867  * Use the non-auditing forms of the permission checks since
2868  * getxattr may be called by unprivileged processes commonly
2869  * and lack of permission just means that we fall back to the
2870  * in-core context value, not a denial.
2871  */
2872  error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
2874  if (!error)
2875  error = security_sid_to_context_force(isec->sid, &context,
2876  &size);
2877  else
2878  error = security_sid_to_context(isec->sid, &context, &size);
2879  if (error)
2880  return error;
2881  error = size;
2882  if (alloc) {
2883  *buffer = context;
2884  goto out_nofree;
2885  }
2886  kfree(context);
2887 out_nofree:
2888  return error;
2889 }
2890 
2891 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2892  const void *value, size_t size, int flags)
2893 {
2894  struct inode_security_struct *isec = inode->i_security;
2895  u32 newsid;
2896  int rc;
2897 
2898  if (strcmp(name, XATTR_SELINUX_SUFFIX))
2899  return -EOPNOTSUPP;
2900 
2901  if (!value || !size)
2902  return -EACCES;
2903 
2904  rc = security_context_to_sid((void *)value, size, &newsid);
2905  if (rc)
2906  return rc;
2907 
2908  isec->sid = newsid;
2909  isec->initialized = 1;
2910  return 0;
2911 }
2912 
2913 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2914 {
2915  const int len = sizeof(XATTR_NAME_SELINUX);
2916  if (buffer && len <= buffer_size)
2917  memcpy(buffer, XATTR_NAME_SELINUX, len);
2918  return len;
2919 }
2920 
2921 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2922 {
2923  struct inode_security_struct *isec = inode->i_security;
2924  *secid = isec->sid;
2925 }
2926 
2927 /* file security operations */
2928 
2929 static int selinux_revalidate_file_permission(struct file *file, int mask)
2930 {
2931  const struct cred *cred = current_cred();
2932  struct inode *inode = file->f_path.dentry->d_inode;
2933 
2934  /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2935  if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2936  mask |= MAY_APPEND;
2937 
2938  return file_has_perm(cred, file,
2939  file_mask_to_av(inode->i_mode, mask));
2940 }
2941 
2942 static int selinux_file_permission(struct file *file, int mask)
2943 {
2944  struct inode *inode = file->f_path.dentry->d_inode;
2945  struct file_security_struct *fsec = file->f_security;
2946  struct inode_security_struct *isec = inode->i_security;
2947  u32 sid = current_sid();
2948 
2949  if (!mask)
2950  /* No permission to check. Existence test. */
2951  return 0;
2952 
2953  if (sid == fsec->sid && fsec->isid == isec->sid &&
2954  fsec->pseqno == avc_policy_seqno())
2955  /* No change since file_open check. */
2956  return 0;
2957 
2958  return selinux_revalidate_file_permission(file, mask);
2959 }
2960 
2961 static int selinux_file_alloc_security(struct file *file)
2962 {
2963  return file_alloc_security(file);
2964 }
2965 
2966 static void selinux_file_free_security(struct file *file)
2967 {
2968  file_free_security(file);
2969 }
2970 
2971 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2972  unsigned long arg)
2973 {
2974  const struct cred *cred = current_cred();
2975  int error = 0;
2976 
2977  switch (cmd) {
2978  case FIONREAD:
2979  /* fall through */
2980  case FIBMAP:
2981  /* fall through */
2982  case FIGETBSZ:
2983  /* fall through */
2984  case FS_IOC_GETFLAGS:
2985  /* fall through */
2986  case FS_IOC_GETVERSION:
2987  error = file_has_perm(cred, file, FILE__GETATTR);
2988  break;
2989 
2990  case FS_IOC_SETFLAGS:
2991  /* fall through */
2992  case FS_IOC_SETVERSION:
2993  error = file_has_perm(cred, file, FILE__SETATTR);
2994  break;
2995 
2996  /* sys_ioctl() checks */
2997  case FIONBIO:
2998  /* fall through */
2999  case FIOASYNC:
3000  error = file_has_perm(cred, file, 0);
3001  break;
3002 
3003  case KDSKBENT:
3004  case KDSKBSENT:
3005  error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3007  break;
3008 
3009  /* default case assumes that the command will go
3010  * to the file's ioctl() function.
3011  */
3012  default:
3013  error = file_has_perm(cred, file, FILE__IOCTL);
3014  }
3015  return error;
3016 }
3017 
3018 static int default_noexec;
3019 
3020 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3021 {
3022  const struct cred *cred = current_cred();
3023  int rc = 0;
3024 
3025  if (default_noexec &&
3026  (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3027  /*
3028  * We are making executable an anonymous mapping or a
3029  * private file mapping that will also be writable.
3030  * This has an additional check.
3031  */
3032  rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3033  if (rc)
3034  goto error;
3035  }
3036 
3037  if (file) {
3038  /* read access is always possible with a mapping */
3039  u32 av = FILE__READ;
3040 
3041  /* write access only matters if the mapping is shared */
3042  if (shared && (prot & PROT_WRITE))
3043  av |= FILE__WRITE;
3044 
3045  if (prot & PROT_EXEC)
3046  av |= FILE__EXECUTE;
3047 
3048  return file_has_perm(cred, file, av);
3049  }
3050 
3051 error:
3052  return rc;
3053 }
3054 
3055 static int selinux_mmap_addr(unsigned long addr)
3056 {
3057  int rc = 0;
3058  u32 sid = current_sid();
3059 
3060  /*
3061  * notice that we are intentionally putting the SELinux check before
3062  * the secondary cap_file_mmap check. This is such a likely attempt
3063  * at bad behaviour/exploit that we always want to get the AVC, even
3064  * if DAC would have also denied the operation.
3065  */
3066  if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3067  rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3068  MEMPROTECT__MMAP_ZERO, NULL);
3069  if (rc)
3070  return rc;
3071  }
3072 
3073  /* do DAC check on address space usage */
3074  return cap_mmap_addr(addr);
3075 }
3076 
3077 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3078  unsigned long prot, unsigned long flags)
3079 {
3081  prot = reqprot;
3082 
3083  return file_map_prot_check(file, prot,
3084  (flags & MAP_TYPE) == MAP_SHARED);
3085 }
3086 
3087 static int selinux_file_mprotect(struct vm_area_struct *vma,
3088  unsigned long reqprot,
3089  unsigned long prot)
3090 {
3091  const struct cred *cred = current_cred();
3092 
3094  prot = reqprot;
3095 
3096  if (default_noexec &&
3097  (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3098  int rc = 0;
3099  if (vma->vm_start >= vma->vm_mm->start_brk &&
3100  vma->vm_end <= vma->vm_mm->brk) {
3101  rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3102  } else if (!vma->vm_file &&
3103  vma->vm_start <= vma->vm_mm->start_stack &&
3104  vma->vm_end >= vma->vm_mm->start_stack) {
3105  rc = current_has_perm(current, PROCESS__EXECSTACK);
3106  } else if (vma->vm_file && vma->anon_vma) {
3107  /*
3108  * We are making executable a file mapping that has
3109  * had some COW done. Since pages might have been
3110  * written, check ability to execute the possibly
3111  * modified content. This typically should only
3112  * occur for text relocations.
3113  */
3114  rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3115  }
3116  if (rc)
3117  return rc;
3118  }
3119 
3120  return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3121 }
3122 
3123 static int selinux_file_lock(struct file *file, unsigned int cmd)
3124 {
3125  const struct cred *cred = current_cred();
3126 
3127  return file_has_perm(cred, file, FILE__LOCK);
3128 }
3129 
3130 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3131  unsigned long arg)
3132 {
3133  const struct cred *cred = current_cred();
3134  int err = 0;
3135 
3136  switch (cmd) {
3137  case F_SETFL:
3138  if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3139  err = -EINVAL;
3140  break;
3141  }
3142 
3143  if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3144  err = file_has_perm(cred, file, FILE__WRITE);
3145  break;
3146  }
3147  /* fall through */
3148  case F_SETOWN:
3149  case F_SETSIG:
3150  case F_GETFL:
3151  case F_GETOWN:
3152  case F_GETSIG:
3153  case F_GETOWNER_UIDS:
3154  /* Just check FD__USE permission */
3155  err = file_has_perm(cred, file, 0);
3156  break;
3157  case F_GETLK:
3158  case F_SETLK:
3159  case F_SETLKW:
3160 #if BITS_PER_LONG == 32
3161  case F_GETLK64:
3162  case F_SETLK64:
3163  case F_SETLKW64:
3164 #endif
3165  if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3166  err = -EINVAL;
3167  break;
3168  }
3169  err = file_has_perm(cred, file, FILE__LOCK);
3170  break;
3171  }
3172 
3173  return err;
3174 }
3175 
3176 static int selinux_file_set_fowner(struct file *file)
3177 {
3178  struct file_security_struct *fsec;
3179 
3180  fsec = file->f_security;
3181  fsec->fown_sid = current_sid();
3182 
3183  return 0;
3184 }
3185 
3186 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3187  struct fown_struct *fown, int signum)
3188 {
3189  struct file *file;
3190  u32 sid = task_sid(tsk);
3191  u32 perm;
3192  struct file_security_struct *fsec;
3193 
3194  /* struct fown_struct is never outside the context of a struct file */
3195  file = container_of(fown, struct file, f_owner);
3196 
3197  fsec = file->f_security;
3198 
3199  if (!signum)
3200  perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3201  else
3202  perm = signal_to_av(signum);
3203 
3204  return avc_has_perm(fsec->fown_sid, sid,
3205  SECCLASS_PROCESS, perm, NULL);
3206 }
3207 
3208 static int selinux_file_receive(struct file *file)
3209 {
3210  const struct cred *cred = current_cred();
3211 
3212  return file_has_perm(cred, file, file_to_av(file));
3213 }
3214 
3215 static int selinux_file_open(struct file *file, const struct cred *cred)
3216 {
3217  struct file_security_struct *fsec;
3218  struct inode_security_struct *isec;
3219 
3220  fsec = file->f_security;
3221  isec = file->f_path.dentry->d_inode->i_security;
3222  /*
3223  * Save inode label and policy sequence number
3224  * at open-time so that selinux_file_permission
3225  * can determine whether revalidation is necessary.
3226  * Task label is already saved in the file security
3227  * struct as its SID.
3228  */
3229  fsec->isid = isec->sid;
3230  fsec->pseqno = avc_policy_seqno();
3231  /*
3232  * Since the inode label or policy seqno may have changed
3233  * between the selinux_inode_permission check and the saving
3234  * of state above, recheck that access is still permitted.
3235  * Otherwise, access might never be revalidated against the
3236  * new inode label or new policy.
3237  * This check is not redundant - do not remove.
3238  */
3239  return path_has_perm(cred, &file->f_path, open_file_to_av(file));
3240 }
3241 
3242 /* task security operations */
3243 
3244 static int selinux_task_create(unsigned long clone_flags)
3245 {
3246  return current_has_perm(current, PROCESS__FORK);
3247 }
3248 
3249 /*
3250  * allocate the SELinux part of blank credentials
3251  */
3252 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3253 {
3254  struct task_security_struct *tsec;
3255 
3256  tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3257  if (!tsec)
3258  return -ENOMEM;
3259 
3260  cred->security = tsec;
3261  return 0;
3262 }
3263 
3264 /*
3265  * detach and free the LSM part of a set of credentials
3266  */
3267 static void selinux_cred_free(struct cred *cred)
3268 {
3269  struct task_security_struct *tsec = cred->security;
3270 
3271  /*
3272  * cred->security == NULL if security_cred_alloc_blank() or
3273  * security_prepare_creds() returned an error.
3274  */
3275  BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3276  cred->security = (void *) 0x7UL;
3277  kfree(tsec);
3278 }
3279 
3280 /*
3281  * prepare a new set of credentials for modification
3282  */
3283 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3284  gfp_t gfp)
3285 {
3286  const struct task_security_struct *old_tsec;
3287  struct task_security_struct *tsec;
3288 
3289  old_tsec = old->security;
3290 
3291  tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3292  if (!tsec)
3293  return -ENOMEM;
3294 
3295  new->security = tsec;
3296  return 0;
3297 }
3298 
3299 /*
3300  * transfer the SELinux data to a blank set of creds
3301  */
3302 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3303 {
3304  const struct task_security_struct *old_tsec = old->security;
3305  struct task_security_struct *tsec = new->security;
3306 
3307  *tsec = *old_tsec;
3308 }
3309 
3310 /*
3311  * set the security data for a kernel service
3312  * - all the creation contexts are set to unlabelled
3313  */
3314 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3315 {
3316  struct task_security_struct *tsec = new->security;
3317  u32 sid = current_sid();
3318  int ret;
3319 
3320  ret = avc_has_perm(sid, secid,
3321  SECCLASS_KERNEL_SERVICE,
3322  KERNEL_SERVICE__USE_AS_OVERRIDE,
3323  NULL);
3324  if (ret == 0) {
3325  tsec->sid = secid;
3326  tsec->create_sid = 0;
3327  tsec->keycreate_sid = 0;
3328  tsec->sockcreate_sid = 0;
3329  }
3330  return ret;
3331 }
3332 
3333 /*
3334  * set the file creation context in a security record to the same as the
3335  * objective context of the specified inode
3336  */
3337 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3338 {
3339  struct inode_security_struct *isec = inode->i_security;
3340  struct task_security_struct *tsec = new->security;
3341  u32 sid = current_sid();
3342  int ret;
3343 
3344  ret = avc_has_perm(sid, isec->sid,
3345  SECCLASS_KERNEL_SERVICE,
3346  KERNEL_SERVICE__CREATE_FILES_AS,
3347  NULL);
3348 
3349  if (ret == 0)
3350  tsec->create_sid = isec->sid;
3351  return ret;
3352 }
3353 
3354 static int selinux_kernel_module_request(char *kmod_name)
3355 {
3356  u32 sid;
3357  struct common_audit_data ad;
3358 
3359  sid = task_sid(current);
3360 
3361  ad.type = LSM_AUDIT_DATA_KMOD;
3362  ad.u.kmod_name = kmod_name;
3363 
3364  return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3365  SYSTEM__MODULE_REQUEST, &ad);
3366 }
3367 
3368 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3369 {
3370  return current_has_perm(p, PROCESS__SETPGID);
3371 }
3372 
3373 static int selinux_task_getpgid(struct task_struct *p)
3374 {
3375  return current_has_perm(p, PROCESS__GETPGID);
3376 }
3377 
3378 static int selinux_task_getsid(struct task_struct *p)
3379 {
3380  return current_has_perm(p, PROCESS__GETSESSION);
3381 }
3382 
3383 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3384 {
3385  *secid = task_sid(p);
3386 }
3387 
3388 static int selinux_task_setnice(struct task_struct *p, int nice)
3389 {
3390  int rc;
3391 
3392  rc = cap_task_setnice(p, nice);
3393  if (rc)
3394  return rc;
3395 
3396  return current_has_perm(p, PROCESS__SETSCHED);
3397 }
3398 
3399 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3400 {
3401  int rc;
3402 
3403  rc = cap_task_setioprio(p, ioprio);
3404  if (rc)
3405  return rc;
3406 
3407  return current_has_perm(p, PROCESS__SETSCHED);
3408 }
3409 
3410 static int selinux_task_getioprio(struct task_struct *p)
3411 {
3412  return current_has_perm(p, PROCESS__GETSCHED);
3413 }
3414 
3415 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3416  struct rlimit *new_rlim)
3417 {
3418  struct rlimit *old_rlim = p->signal->rlim + resource;
3419 
3420  /* Control the ability to change the hard limit (whether
3421  lowering or raising it), so that the hard limit can
3422  later be used as a safe reset point for the soft limit
3423  upon context transitions. See selinux_bprm_committing_creds. */
3424  if (old_rlim->rlim_max != new_rlim->rlim_max)
3425  return current_has_perm(p, PROCESS__SETRLIMIT);
3426 
3427  return 0;
3428 }
3429 
3430 static int selinux_task_setscheduler(struct task_struct *p)
3431 {
3432  int rc;
3433 
3434  rc = cap_task_setscheduler(p);
3435  if (rc)
3436  return rc;
3437 
3438  return current_has_perm(p, PROCESS__SETSCHED);
3439 }
3440 
3441 static int selinux_task_getscheduler(struct task_struct *p)
3442 {
3443  return current_has_perm(p, PROCESS__GETSCHED);
3444 }
3445 
3446 static int selinux_task_movememory(struct task_struct *p)
3447 {
3448  return current_has_perm(p, PROCESS__SETSCHED);
3449 }
3450 
3451 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3452  int sig, u32 secid)
3453 {
3454  u32 perm;
3455  int rc;
3456 
3457  if (!sig)
3458  perm = PROCESS__SIGNULL; /* null signal; existence test */
3459  else
3460  perm = signal_to_av(sig);
3461  if (secid)
3462  rc = avc_has_perm(secid, task_sid(p),
3463  SECCLASS_PROCESS, perm, NULL);
3464  else
3465  rc = current_has_perm(p, perm);
3466  return rc;
3467 }
3468 
3469 static int selinux_task_wait(struct task_struct *p)
3470 {
3471  return task_has_perm(p, current, PROCESS__SIGCHLD);
3472 }
3473 
3474 static void selinux_task_to_inode(struct task_struct *p,
3475  struct inode *inode)
3476 {
3477  struct inode_security_struct *isec = inode->i_security;
3478  u32 sid = task_sid(p);
3479 
3480  isec->sid = sid;
3481  isec->initialized = 1;
3482 }
3483 
3484 /* Returns error only if unable to parse addresses */
3485 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3486  struct common_audit_data *ad, u8 *proto)
3487 {
3488  int offset, ihlen, ret = -EINVAL;
3489  struct iphdr _iph, *ih;
3490 
3491  offset = skb_network_offset(skb);
3492  ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3493  if (ih == NULL)
3494  goto out;
3495 
3496  ihlen = ih->ihl * 4;
3497  if (ihlen < sizeof(_iph))
3498  goto out;
3499 
3500  ad->u.net->v4info.saddr = ih->saddr;
3501  ad->u.net->v4info.daddr = ih->daddr;
3502  ret = 0;
3503 
3504  if (proto)
3505  *proto = ih->protocol;
3506 
3507  switch (ih->protocol) {
3508  case IPPROTO_TCP: {
3509  struct tcphdr _tcph, *th;
3510 
3511  if (ntohs(ih->frag_off) & IP_OFFSET)
3512  break;
3513 
3514  offset += ihlen;
3515  th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3516  if (th == NULL)
3517  break;
3518 
3519  ad->u.net->sport = th->source;
3520  ad->u.net->dport = th->dest;
3521  break;
3522  }
3523 
3524  case IPPROTO_UDP: {
3525  struct udphdr _udph, *uh;
3526 
3527  if (ntohs(ih->frag_off) & IP_OFFSET)
3528  break;
3529 
3530  offset += ihlen;
3531  uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3532  if (uh == NULL)
3533  break;
3534 
3535  ad->u.net->sport = uh->source;
3536  ad->u.net->dport = uh->dest;
3537  break;
3538  }
3539 
3540  case IPPROTO_DCCP: {
3541  struct dccp_hdr _dccph, *dh;
3542 
3543  if (ntohs(ih->frag_off) & IP_OFFSET)
3544  break;
3545 
3546  offset += ihlen;
3547  dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3548  if (dh == NULL)
3549  break;
3550 
3551  ad->u.net->sport = dh->dccph_sport;
3552  ad->u.net->dport = dh->dccph_dport;
3553  break;
3554  }
3555 
3556  default:
3557  break;
3558  }
3559 out:
3560  return ret;
3561 }
3562 
3563 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3564 
3565 /* Returns error only if unable to parse addresses */
3566 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3567  struct common_audit_data *ad, u8 *proto)
3568 {
3569  u8 nexthdr;
3570  int ret = -EINVAL, offset;
3571  struct ipv6hdr _ipv6h, *ip6;
3572  __be16 frag_off;
3573 
3574  offset = skb_network_offset(skb);
3575  ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3576  if (ip6 == NULL)
3577  goto out;
3578 
3579  ad->u.net->v6info.saddr = ip6->saddr;
3580  ad->u.net->v6info.daddr = ip6->daddr;
3581  ret = 0;
3582 
3583  nexthdr = ip6->nexthdr;
3584  offset += sizeof(_ipv6h);
3585  offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3586  if (offset < 0)
3587  goto out;
3588 
3589  if (proto)
3590  *proto = nexthdr;
3591 
3592  switch (nexthdr) {
3593  case IPPROTO_TCP: {
3594  struct tcphdr _tcph, *th;
3595 
3596  th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3597  if (th == NULL)
3598  break;
3599 
3600  ad->u.net->sport = th->source;
3601  ad->u.net->dport = th->dest;
3602  break;
3603  }
3604 
3605  case IPPROTO_UDP: {
3606  struct udphdr _udph, *uh;
3607 
3608  uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3609  if (uh == NULL)
3610  break;
3611 
3612  ad->u.net->sport = uh->source;
3613  ad->u.net->dport = uh->dest;
3614  break;
3615  }
3616 
3617  case IPPROTO_DCCP: {
3618  struct dccp_hdr _dccph, *dh;
3619 
3620  dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3621  if (dh == NULL)
3622  break;
3623 
3624  ad->u.net->sport = dh->dccph_sport;
3625  ad->u.net->dport = dh->dccph_dport;
3626  break;
3627  }
3628 
3629  /* includes fragments */
3630  default:
3631  break;
3632  }
3633 out:
3634  return ret;
3635 }
3636 
3637 #endif /* IPV6 */
3638 
3639 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3640  char **_addrp, int src, u8 *proto)
3641 {
3642  char *addrp;
3643  int ret;
3644 
3645  switch (ad->u.net->family) {
3646  case PF_INET:
3647  ret = selinux_parse_skb_ipv4(skb, ad, proto);
3648  if (ret)
3649  goto parse_error;
3650  addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3651  &ad->u.net->v4info.daddr);
3652  goto okay;
3653 
3654 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3655  case PF_INET6:
3656  ret = selinux_parse_skb_ipv6(skb, ad, proto);
3657  if (ret)
3658  goto parse_error;
3659  addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3660  &ad->u.net->v6info.daddr);
3661  goto okay;
3662 #endif /* IPV6 */
3663  default:
3664  addrp = NULL;
3665  goto okay;
3666  }
3667 
3668 parse_error:
3670  "SELinux: failure in selinux_parse_skb(),"
3671  " unable to parse packet\n");
3672  return ret;
3673 
3674 okay:
3675  if (_addrp)
3676  *_addrp = addrp;
3677  return 0;
3678 }
3679 
3695 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3696 {
3697  int err;
3698  u32 xfrm_sid;
3699  u32 nlbl_sid;
3700  u32 nlbl_type;
3701 
3702  selinux_skb_xfrm_sid(skb, &xfrm_sid);
3703  selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3704 
3705  err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3706  if (unlikely(err)) {
3708  "SELinux: failure in selinux_skb_peerlbl_sid(),"
3709  " unable to determine packet's peer label\n");
3710  return -EACCES;
3711  }
3712 
3713  return 0;
3714 }
3715 
3716 /* socket security operations */
3717 
3718 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3719  u16 secclass, u32 *socksid)
3720 {
3721  if (tsec->sockcreate_sid > SECSID_NULL) {
3722  *socksid = tsec->sockcreate_sid;
3723  return 0;
3724  }
3725 
3726  return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3727  socksid);
3728 }
3729 
3730 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3731 {
3732  struct sk_security_struct *sksec = sk->sk_security;
3733  struct common_audit_data ad;
3734  struct lsm_network_audit net = {0,};
3735  u32 tsid = task_sid(task);
3736 
3737  if (sksec->sid == SECINITSID_KERNEL)
3738  return 0;
3739 
3740  ad.type = LSM_AUDIT_DATA_NET;
3741  ad.u.net = &net;
3742  ad.u.net->sk = sk;
3743 
3744  return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3745 }
3746 
3747 static int selinux_socket_create(int family, int type,
3748  int protocol, int kern)
3749 {
3750  const struct task_security_struct *tsec = current_security();
3751  u32 newsid;
3752  u16 secclass;
3753  int rc;
3754 
3755  if (kern)
3756  return 0;
3757 
3758  secclass = socket_type_to_security_class(family, type, protocol);
3759  rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3760  if (rc)
3761  return rc;
3762 
3763  return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3764 }
3765 
3766 static int selinux_socket_post_create(struct socket *sock, int family,
3767  int type, int protocol, int kern)
3768 {
3769  const struct task_security_struct *tsec = current_security();
3770  struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3771  struct sk_security_struct *sksec;
3772  int err = 0;
3773 
3774  isec->sclass = socket_type_to_security_class(family, type, protocol);
3775 
3776  if (kern)
3777  isec->sid = SECINITSID_KERNEL;
3778  else {
3779  err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3780  if (err)
3781  return err;
3782  }
3783 
3784  isec->initialized = 1;
3785 
3786  if (sock->sk) {
3787  sksec = sock->sk->sk_security;
3788  sksec->sid = isec->sid;
3789  sksec->sclass = isec->sclass;
3790  err = selinux_netlbl_socket_post_create(sock->sk, family);
3791  }
3792 
3793  return err;
3794 }
3795 
3796 /* Range of port numbers used to automatically bind.
3797  Need to determine whether we should perform a name_bind
3798  permission check between the socket and the port number. */
3799 
3800 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3801 {
3802  struct sock *sk = sock->sk;
3803  u16 family;
3804  int err;
3805 
3806  err = sock_has_perm(current, sk, SOCKET__BIND);
3807  if (err)
3808  goto out;
3809 
3810  /*
3811  * If PF_INET or PF_INET6, check name_bind permission for the port.
3812  * Multiple address binding for SCTP is not supported yet: we just
3813  * check the first address now.
3814  */
3815  family = sk->sk_family;
3816  if (family == PF_INET || family == PF_INET6) {
3817  char *addrp;
3818  struct sk_security_struct *sksec = sk->sk_security;
3819  struct common_audit_data ad;
3820  struct lsm_network_audit net = {0,};
3821  struct sockaddr_in *addr4 = NULL;
3822  struct sockaddr_in6 *addr6 = NULL;
3823  unsigned short snum;
3824  u32 sid, node_perm;
3825 
3826  if (family == PF_INET) {
3827  addr4 = (struct sockaddr_in *)address;
3828  snum = ntohs(addr4->sin_port);
3829  addrp = (char *)&addr4->sin_addr.s_addr;
3830  } else {
3831  addr6 = (struct sockaddr_in6 *)address;
3832  snum = ntohs(addr6->sin6_port);
3833  addrp = (char *)&addr6->sin6_addr.s6_addr;
3834  }
3835 
3836  if (snum) {
3837  int low, high;
3838 
3839  inet_get_local_port_range(&low, &high);
3840 
3841  if (snum < max(PROT_SOCK, low) || snum > high) {
3842  err = sel_netport_sid(sk->sk_protocol,
3843  snum, &sid);
3844  if (err)
3845  goto out;
3846  ad.type = LSM_AUDIT_DATA_NET;
3847  ad.u.net = &net;
3848  ad.u.net->sport = htons(snum);
3849  ad.u.net->family = family;
3850  err = avc_has_perm(sksec->sid, sid,
3851  sksec->sclass,
3852  SOCKET__NAME_BIND, &ad);
3853  if (err)
3854  goto out;
3855  }
3856  }
3857 
3858  switch (sksec->sclass) {
3859  case SECCLASS_TCP_SOCKET:
3860  node_perm = TCP_SOCKET__NODE_BIND;
3861  break;
3862 
3863  case SECCLASS_UDP_SOCKET:
3864  node_perm = UDP_SOCKET__NODE_BIND;
3865  break;
3866 
3867  case SECCLASS_DCCP_SOCKET:
3868  node_perm = DCCP_SOCKET__NODE_BIND;
3869  break;
3870 
3871  default:
3872  node_perm = RAWIP_SOCKET__NODE_BIND;
3873  break;
3874  }
3875 
3876  err = sel_netnode_sid(addrp, family, &sid);
3877  if (err)
3878  goto out;
3879 
3880  ad.type = LSM_AUDIT_DATA_NET;
3881  ad.u.net = &net;
3882  ad.u.net->sport = htons(snum);
3883  ad.u.net->family = family;
3884 
3885  if (family == PF_INET)
3886  ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
3887  else
3888  ad.u.net->v6info.saddr = addr6->sin6_addr;
3889 
3890  err = avc_has_perm(sksec->sid, sid,
3891  sksec->sclass, node_perm, &ad);
3892  if (err)
3893  goto out;
3894  }
3895 out:
3896  return err;
3897 }
3898 
3899 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3900 {
3901  struct sock *sk = sock->sk;
3902  struct sk_security_struct *sksec = sk->sk_security;
3903  int err;
3904 
3905  err = sock_has_perm(current, sk, SOCKET__CONNECT);
3906  if (err)
3907  return err;
3908 
3909  /*
3910  * If a TCP or DCCP socket, check name_connect permission for the port.
3911  */
3912  if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3913  sksec->sclass == SECCLASS_DCCP_SOCKET) {
3914  struct common_audit_data ad;
3915  struct lsm_network_audit net = {0,};
3916  struct sockaddr_in *addr4 = NULL;
3917  struct sockaddr_in6 *addr6 = NULL;
3918  unsigned short snum;
3919  u32 sid, perm;
3920 
3921  if (sk->sk_family == PF_INET) {
3922  addr4 = (struct sockaddr_in *)address;
3923  if (addrlen < sizeof(struct sockaddr_in))
3924  return -EINVAL;
3925  snum = ntohs(addr4->sin_port);
3926  } else {
3927  addr6 = (struct sockaddr_in6 *)address;
3928  if (addrlen < SIN6_LEN_RFC2133)
3929  return -EINVAL;
3930  snum = ntohs(addr6->sin6_port);
3931  }
3932 
3933  err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3934  if (err)
3935  goto out;
3936 
3937  perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3938  TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3939 
3940  ad.type = LSM_AUDIT_DATA_NET;
3941  ad.u.net = &net;
3942  ad.u.net->dport = htons(snum);
3943  ad.u.net->family = sk->sk_family;
3944  err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3945  if (err)
3946  goto out;
3947  }
3948 
3949  err = selinux_netlbl_socket_connect(sk, address);
3950 
3951 out:
3952  return err;
3953 }
3954 
3955 static int selinux_socket_listen(struct socket *sock, int backlog)
3956 {
3957  return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3958 }
3959 
3960 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3961 {
3962  int err;
3963  struct inode_security_struct *isec;
3964  struct inode_security_struct *newisec;
3965 
3966  err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3967  if (err)
3968  return err;
3969 
3970  newisec = SOCK_INODE(newsock)->i_security;
3971 
3972  isec = SOCK_INODE(sock)->i_security;
3973  newisec->sclass = isec->sclass;
3974  newisec->sid = isec->sid;
3975  newisec->initialized = 1;
3976 
3977  return 0;
3978 }
3979 
3980 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3981  int size)
3982 {
3983  return sock_has_perm(current, sock->sk, SOCKET__WRITE);
3984 }
3985 
3986 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3987  int size, int flags)
3988 {
3989  return sock_has_perm(current, sock->sk, SOCKET__READ);
3990 }
3991 
3992 static int selinux_socket_getsockname(struct socket *sock)
3993 {
3994  return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3995 }
3996 
3997 static int selinux_socket_getpeername(struct socket *sock)
3998 {
3999  return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4000 }
4001 
4002 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4003 {
4004  int err;
4005 
4006  err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4007  if (err)
4008  return err;
4009 
4010  return selinux_netlbl_socket_setsockopt(sock, level, optname);
4011 }
4012 
4013 static int selinux_socket_getsockopt(struct socket *sock, int level,
4014  int optname)
4015 {
4016  return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4017 }
4018 
4019 static int selinux_socket_shutdown(struct socket *sock, int how)
4020 {
4021  return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4022 }
4023 
4024 static int selinux_socket_unix_stream_connect(struct sock *sock,
4025  struct sock *other,
4026  struct sock *newsk)
4027 {
4028  struct sk_security_struct *sksec_sock = sock->sk_security;
4029  struct sk_security_struct *sksec_other = other->sk_security;
4030  struct sk_security_struct *sksec_new = newsk->sk_security;
4031  struct common_audit_data ad;
4032  struct lsm_network_audit net = {0,};
4033  int err;
4034 
4035  ad.type = LSM_AUDIT_DATA_NET;
4036  ad.u.net = &net;
4037  ad.u.net->sk = other;
4038 
4039  err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4040  sksec_other->sclass,
4041  UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4042  if (err)
4043  return err;
4044 
4045  /* server child socket */
4046  sksec_new->peer_sid = sksec_sock->sid;
4047  err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4048  &sksec_new->sid);
4049  if (err)
4050  return err;
4051 
4052  /* connecting socket */
4053  sksec_sock->peer_sid = sksec_new->sid;
4054 
4055  return 0;
4056 }
4057 
4058 static int selinux_socket_unix_may_send(struct socket *sock,
4059  struct socket *other)
4060 {
4061  struct sk_security_struct *ssec = sock->sk->sk_security;
4062  struct sk_security_struct *osec = other->sk->sk_security;
4063  struct common_audit_data ad;
4064  struct lsm_network_audit net = {0,};
4065 
4066  ad.type = LSM_AUDIT_DATA_NET;
4067  ad.u.net = &net;
4068  ad.u.net->sk = other->sk;
4069 
4070  return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4071  &ad);
4072 }
4073 
4074 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4075  u32 peer_sid,
4076  struct common_audit_data *ad)
4077 {
4078  int err;
4079  u32 if_sid;
4080  u32 node_sid;
4081 
4082  err = sel_netif_sid(ifindex, &if_sid);
4083  if (err)
4084  return err;
4085  err = avc_has_perm(peer_sid, if_sid,
4086  SECCLASS_NETIF, NETIF__INGRESS, ad);
4087  if (err)
4088  return err;
4089 
4090  err = sel_netnode_sid(addrp, family, &node_sid);
4091  if (err)
4092  return err;
4093  return avc_has_perm(peer_sid, node_sid,
4094  SECCLASS_NODE, NODE__RECVFROM, ad);
4095 }
4096 
4097 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4098  u16 family)
4099 {
4100  int err = 0;
4101  struct sk_security_struct *sksec = sk->sk_security;
4102  u32 sk_sid = sksec->sid;
4103  struct common_audit_data ad;
4104  struct lsm_network_audit net = {0,};
4105  char *addrp;
4106 
4107  ad.type = LSM_AUDIT_DATA_NET;
4108  ad.u.net = &net;
4109  ad.u.net->netif = skb->skb_iif;
4110  ad.u.net->family = family;
4111  err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4112  if (err)
4113  return err;
4114 
4115  if (selinux_secmark_enabled()) {
4116  err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4117  PACKET__RECV, &ad);
4118  if (err)
4119  return err;
4120  }
4121 
4122  err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4123  if (err)
4124  return err;
4125  err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4126 
4127  return err;
4128 }
4129 
4130 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4131 {
4132  int err;
4133  struct sk_security_struct *sksec = sk->sk_security;
4134  u16 family = sk->sk_family;
4135  u32 sk_sid = sksec->sid;
4136  struct common_audit_data ad;
4137  struct lsm_network_audit net = {0,};
4138  char *addrp;
4139  u8 secmark_active;
4140  u8 peerlbl_active;
4141 
4142  if (family != PF_INET && family != PF_INET6)
4143  return 0;
4144 
4145  /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4146  if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4147  family = PF_INET;
4148 
4149  /* If any sort of compatibility mode is enabled then handoff processing
4150  * to the selinux_sock_rcv_skb_compat() function to deal with the
4151  * special handling. We do this in an attempt to keep this function
4152  * as fast and as clean as possible. */
4154  return selinux_sock_rcv_skb_compat(sk, skb, family);
4155 
4156  secmark_active = selinux_secmark_enabled();
4157  peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4158  if (!secmark_active && !peerlbl_active)
4159  return 0;
4160 
4161  ad.type = LSM_AUDIT_DATA_NET;
4162  ad.u.net = &net;
4163  ad.u.net->netif = skb->skb_iif;
4164  ad.u.net->family = family;
4165  err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4166  if (err)
4167  return err;
4168 
4169  if (peerlbl_active) {
4170  u32 peer_sid;
4171 
4172  err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4173  if (err)
4174  return err;
4175  err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4176  peer_sid, &ad);
4177  if (err) {
4178  selinux_netlbl_err(skb, err, 0);
4179  return err;
4180  }
4181  err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4182  PEER__RECV, &ad);
4183  if (err)
4184  selinux_netlbl_err(skb, err, 0);
4185  }
4186 
4187  if (secmark_active) {
4188  err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4189  PACKET__RECV, &ad);
4190  if (err)
4191  return err;
4192  }
4193 
4194  return err;
4195 }
4196 
4197 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4198  int __user *optlen, unsigned len)
4199 {
4200  int err = 0;
4201  char *scontext;
4202  u32 scontext_len;
4203  struct sk_security_struct *sksec = sock->sk->sk_security;
4204  u32 peer_sid = SECSID_NULL;
4205 
4206  if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4207  sksec->sclass == SECCLASS_TCP_SOCKET)
4208  peer_sid = sksec->peer_sid;
4209  if (peer_sid == SECSID_NULL)
4210  return -ENOPROTOOPT;
4211 
4212  err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4213  if (err)
4214  return err;
4215 
4216  if (scontext_len > len) {
4217  err = -ERANGE;
4218  goto out_len;
4219  }
4220 
4221  if (copy_to_user(optval, scontext, scontext_len))
4222  err = -EFAULT;
4223 
4224 out_len:
4225  if (put_user(scontext_len, optlen))
4226  err = -EFAULT;
4227  kfree(scontext);
4228  return err;
4229 }
4230 
4231 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4232 {
4233  u32 peer_secid = SECSID_NULL;
4234  u16 family;
4235 
4236  if (skb && skb->protocol == htons(ETH_P_IP))
4237  family = PF_INET;
4238  else if (skb && skb->protocol == htons(ETH_P_IPV6))
4239  family = PF_INET6;
4240  else if (sock)
4241  family = sock->sk->sk_family;
4242  else
4243  goto out;
4244 
4245  if (sock && family == PF_UNIX)
4246  selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4247  else if (skb)
4248  selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4249 
4250 out:
4251  *secid = peer_secid;
4252  if (peer_secid == SECSID_NULL)
4253  return -EINVAL;
4254  return 0;
4255 }
4256 
4257 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4258 {
4259  struct sk_security_struct *sksec;
4260 
4261  sksec = kzalloc(sizeof(*sksec), priority);
4262  if (!sksec)
4263  return -ENOMEM;
4264 
4265  sksec->peer_sid = SECINITSID_UNLABELED;
4266  sksec->sid = SECINITSID_UNLABELED;
4268  sk->sk_security = sksec;
4269 
4270  return 0;
4271 }
4272 
4273 static void selinux_sk_free_security(struct sock *sk)
4274 {
4275  struct sk_security_struct *sksec = sk->sk_security;
4276 
4277  sk->sk_security = NULL;
4279  kfree(sksec);
4280 }
4281 
4282 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4283 {
4284  struct sk_security_struct *sksec = sk->sk_security;
4285  struct sk_security_struct *newsksec = newsk->sk_security;
4286 
4287  newsksec->sid = sksec->sid;
4288  newsksec->peer_sid = sksec->peer_sid;
4289  newsksec->sclass = sksec->sclass;
4290 
4292 }
4293 
4294 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4295 {
4296  if (!sk)
4297  *secid = SECINITSID_ANY_SOCKET;
4298  else {
4299  struct sk_security_struct *sksec = sk->sk_security;
4300 
4301  *secid = sksec->sid;
4302  }
4303 }
4304 
4305 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4306 {
4307  struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4308  struct sk_security_struct *sksec = sk->sk_security;
4309 
4310  if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4311  sk->sk_family == PF_UNIX)
4312  isec->sid = sksec->sid;
4313  sksec->sclass = isec->sclass;
4314 }
4315 
4316 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4317  struct request_sock *req)
4318 {
4319  struct sk_security_struct *sksec = sk->sk_security;
4320  int err;
4321  u16 family = sk->sk_family;
4322  u32 newsid;
4323  u32 peersid;
4324 
4325  /* handle mapped IPv4 packets arriving via IPv6 sockets */
4326  if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4327  family = PF_INET;
4328 
4329  err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4330  if (err)
4331  return err;
4332  if (peersid == SECSID_NULL) {
4333  req->secid = sksec->sid;
4334  req->peer_secid = SECSID_NULL;
4335  } else {
4336  err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4337  if (err)
4338  return err;
4339  req->secid = newsid;
4340  req->peer_secid = peersid;
4341  }
4342 
4343  return selinux_netlbl_inet_conn_request(req, family);
4344 }
4345 
4346 static void selinux_inet_csk_clone(struct sock *newsk,
4347  const struct request_sock *req)
4348 {
4349  struct sk_security_struct *newsksec = newsk->sk_security;
4350 
4351  newsksec->sid = req->secid;
4352  newsksec->peer_sid = req->peer_secid;
4353  /* NOTE: Ideally, we should also get the isec->sid for the
4354  new socket in sync, but we don't have the isec available yet.
4355  So we will wait until sock_graft to do it, by which
4356  time it will have been created and available. */
4357 
4358  /* We don't need to take any sort of lock here as we are the only
4359  * thread with access to newsksec */
4360  selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4361 }
4362 
4363 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4364 {
4365  u16 family = sk->sk_family;
4366  struct sk_security_struct *sksec = sk->sk_security;
4367 
4368  /* handle mapped IPv4 packets arriving via IPv6 sockets */
4369  if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4370  family = PF_INET;
4371 
4372  selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4373 }
4374 
4375 static int selinux_secmark_relabel_packet(u32 sid)
4376 {
4377  const struct task_security_struct *__tsec;
4378  u32 tsid;
4379 
4380  __tsec = current_security();
4381  tsid = __tsec->sid;
4382 
4383  return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4384 }
4385 
4386 static void selinux_secmark_refcount_inc(void)
4387 {
4388  atomic_inc(&selinux_secmark_refcount);
4389 }
4390 
4391 static void selinux_secmark_refcount_dec(void)
4392 {
4393  atomic_dec(&selinux_secmark_refcount);
4394 }
4395 
4396 static void selinux_req_classify_flow(const struct request_sock *req,
4397  struct flowi *fl)
4398 {
4399  fl->flowi_secid = req->secid;
4400 }
4401 
4402 static int selinux_tun_dev_create(void)
4403 {
4404  u32 sid = current_sid();
4405 
4406  /* we aren't taking into account the "sockcreate" SID since the socket
4407  * that is being created here is not a socket in the traditional sense,
4408  * instead it is a private sock, accessible only to the kernel, and
4409  * representing a wide range of network traffic spanning multiple
4410  * connections unlike traditional sockets - check the TUN driver to
4411  * get a better understanding of why this socket is special */
4412 
4413  return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4414  NULL);
4415 }
4416 
4417 static void selinux_tun_dev_post_create(struct sock *sk)
4418 {
4419  struct sk_security_struct *sksec = sk->sk_security;
4420 
4421  /* we don't currently perform any NetLabel based labeling here and it
4422  * isn't clear that we would want to do so anyway; while we could apply
4423  * labeling without the support of the TUN user the resulting labeled
4424  * traffic from the other end of the connection would almost certainly
4425  * cause confusion to the TUN user that had no idea network labeling
4426  * protocols were being used */
4427 
4428  /* see the comments in selinux_tun_dev_create() about why we don't use
4429  * the sockcreate SID here */
4430 
4431  sksec->sid = current_sid();
4432  sksec->sclass = SECCLASS_TUN_SOCKET;
4433 }
4434 
4435 static int selinux_tun_dev_attach(struct sock *sk)
4436 {
4437  struct sk_security_struct *sksec = sk->sk_security;
4438  u32 sid = current_sid();
4439  int err;
4440 
4441  err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4442  TUN_SOCKET__RELABELFROM, NULL);
4443  if (err)
4444  return err;
4445  err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4446  TUN_SOCKET__RELABELTO, NULL);
4447  if (err)
4448  return err;
4449 
4450  sksec->sid = sid;
4451 
4452  return 0;
4453 }
4454 
4455 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4456 {
4457  int err = 0;
4458  u32 perm;
4459  struct nlmsghdr *nlh;
4460  struct sk_security_struct *sksec = sk->sk_security;
4461 
4462  if (skb->len < NLMSG_SPACE(0)) {
4463  err = -EINVAL;
4464  goto out;
4465  }
4466  nlh = nlmsg_hdr(skb);
4467 
4468  err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4469  if (err) {
4470  if (err == -EINVAL) {
4471  audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4472  "SELinux: unrecognized netlink message"
4473  " type=%hu for sclass=%hu\n",
4474  nlh->nlmsg_type, sksec->sclass);
4476  err = 0;
4477  }
4478 
4479  /* Ignore */
4480  if (err == -ENOENT)
4481  err = 0;
4482  goto out;
4483  }
4484 
4485  err = sock_has_perm(current, sk, perm);
4486 out:
4487  return err;
4488 }
4489 
4490 #ifdef CONFIG_NETFILTER
4491 
4492 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4493  u16 family)
4494 {
4495  int err;
4496  char *addrp;
4497  u32 peer_sid;
4498  struct common_audit_data ad;
4499  struct lsm_network_audit net = {0,};
4500  u8 secmark_active;
4501  u8 netlbl_active;
4502  u8 peerlbl_active;
4503 
4505  return NF_ACCEPT;
4506 
4507  secmark_active = selinux_secmark_enabled();
4508  netlbl_active = netlbl_enabled();
4509  peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4510  if (!secmark_active && !peerlbl_active)
4511  return NF_ACCEPT;
4512 
4513  if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4514  return NF_DROP;
4515 
4516  ad.type = LSM_AUDIT_DATA_NET;
4517  ad.u.net = &net;
4518  ad.u.net->netif = ifindex;
4519  ad.u.net->family = family;
4520  if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4521  return NF_DROP;
4522 
4523  if (peerlbl_active) {
4524  err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4525  peer_sid, &ad);
4526  if (err) {
4527  selinux_netlbl_err(skb, err, 1);
4528  return NF_DROP;
4529  }
4530  }
4531 
4532  if (secmark_active)
4533  if (avc_has_perm(peer_sid, skb->secmark,
4534  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4535  return NF_DROP;
4536 
4537  if (netlbl_active)
4538  /* we do this in the FORWARD path and not the POST_ROUTING
4539  * path because we want to make sure we apply the necessary
4540  * labeling before IPsec is applied so we can leverage AH
4541  * protection */
4542  if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4543  return NF_DROP;
4544 
4545  return NF_ACCEPT;
4546 }
4547 
4548 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4549  struct sk_buff *skb,
4550  const struct net_device *in,
4551  const struct net_device *out,
4552  int (*okfn)(struct sk_buff *))
4553 {
4554  return selinux_ip_forward(skb, in->ifindex, PF_INET);
4555 }
4556 
4557 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4558 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4559  struct sk_buff *skb,
4560  const struct net_device *in,
4561  const struct net_device *out,
4562  int (*okfn)(struct sk_buff *))
4563 {
4564  return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4565 }
4566 #endif /* IPV6 */
4567 
4568 static unsigned int selinux_ip_output(struct sk_buff *skb,
4569  u16 family)
4570 {
4571  u32 sid;
4572 
4573  if (!netlbl_enabled())
4574  return NF_ACCEPT;
4575 
4576  /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4577  * because we want to make sure we apply the necessary labeling
4578  * before IPsec is applied so we can leverage AH protection */
4579  if (skb->sk) {
4580  struct sk_security_struct *sksec = skb->sk->sk_security;
4581  sid = sksec->sid;
4582  } else
4583  sid = SECINITSID_KERNEL;
4584  if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4585  return NF_DROP;
4586 
4587  return NF_ACCEPT;
4588 }
4589 
4590 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4591  struct sk_buff *skb,
4592  const struct net_device *in,
4593  const struct net_device *out,
4594  int (*okfn)(struct sk_buff *))
4595 {
4596  return selinux_ip_output(skb, PF_INET);
4597 }
4598 
4599 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4600  int ifindex,
4601  u16 family)
4602 {
4603  struct sock *sk = skb->sk;
4604  struct sk_security_struct *sksec;
4605  struct common_audit_data ad;
4606  struct lsm_network_audit net = {0,};
4607  char *addrp;
4608  u8 proto;
4609 
4610  if (sk == NULL)
4611  return NF_ACCEPT;
4612  sksec = sk->sk_security;
4613 
4614  ad.type = LSM_AUDIT_DATA_NET;
4615  ad.u.net = &net;
4616  ad.u.net->netif = ifindex;
4617  ad.u.net->family = family;
4618  if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4619  return NF_DROP;
4620 
4621  if (selinux_secmark_enabled())
4622  if (avc_has_perm(sksec->sid, skb->secmark,
4623  SECCLASS_PACKET, PACKET__SEND, &ad))
4624  return NF_DROP_ERR(-ECONNREFUSED);
4625 
4626  if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4627  return NF_DROP_ERR(-ECONNREFUSED);
4628 
4629  return NF_ACCEPT;
4630 }
4631 
4632 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4633  u16 family)
4634 {
4635  u32 secmark_perm;
4636  u32 peer_sid;
4637  struct sock *sk;
4638  struct common_audit_data ad;
4639  struct lsm_network_audit net = {0,};
4640  char *addrp;
4641  u8 secmark_active;
4642  u8 peerlbl_active;
4643 
4644  /* If any sort of compatibility mode is enabled then handoff processing
4645  * to the selinux_ip_postroute_compat() function to deal with the
4646  * special handling. We do this in an attempt to keep this function
4647  * as fast and as clean as possible. */
4649  return selinux_ip_postroute_compat(skb, ifindex, family);
4650 #ifdef CONFIG_XFRM
4651  /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4652  * packet transformation so allow the packet to pass without any checks
4653  * since we'll have another chance to perform access control checks
4654  * when the packet is on it's final way out.
4655  * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4656  * is NULL, in this case go ahead and apply access control. */
4657  if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4658  return NF_ACCEPT;
4659 #endif
4660  secmark_active = selinux_secmark_enabled();
4661  peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4662  if (!secmark_active && !peerlbl_active)
4663  return NF_ACCEPT;
4664 
4665  /* if the packet is being forwarded then get the peer label from the
4666  * packet itself; otherwise check to see if it is from a local
4667  * application or the kernel, if from an application get the peer label
4668  * from the sending socket, otherwise use the kernel's sid */
4669  sk = skb->sk;
4670  if (sk == NULL) {
4671  if (skb->skb_iif) {
4672  secmark_perm = PACKET__FORWARD_OUT;
4673  if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4674  return NF_DROP;
4675  } else {
4676  secmark_perm = PACKET__SEND;
4677  peer_sid = SECINITSID_KERNEL;
4678  }
4679  } else {
4680  struct sk_security_struct *sksec = sk->sk_security;
4681  peer_sid = sksec->sid;
4682  secmark_perm = PACKET__SEND;
4683  }
4684 
4685  ad.type = LSM_AUDIT_DATA_NET;
4686  ad.u.net = &net;
4687  ad.u.net->netif = ifindex;
4688  ad.u.net->family = family;
4689  if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4690  return NF_DROP;
4691 
4692  if (secmark_active)
4693  if (avc_has_perm(peer_sid, skb->secmark,
4694  SECCLASS_PACKET, secmark_perm, &ad))
4695  return NF_DROP_ERR(-ECONNREFUSED);
4696 
4697  if (peerlbl_active) {
4698  u32 if_sid;
4699  u32 node_sid;
4700 
4701  if (sel_netif_sid(ifindex, &if_sid))
4702  return NF_DROP;
4703  if (avc_has_perm(peer_sid, if_sid,
4704  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4705  return NF_DROP_ERR(-ECONNREFUSED);
4706 
4707  if (sel_netnode_sid(addrp, family, &node_sid))
4708  return NF_DROP;
4709  if (avc_has_perm(peer_sid, node_sid,
4710  SECCLASS_NODE, NODE__SENDTO, &ad))
4711  return NF_DROP_ERR(-ECONNREFUSED);
4712  }
4713 
4714  return NF_ACCEPT;
4715 }
4716 
4717 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4718  struct sk_buff *skb,
4719  const struct net_device *in,
4720  const struct net_device *out,
4721  int (*okfn)(struct sk_buff *))
4722 {
4723  return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4724 }
4725 
4726 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4727 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4728  struct sk_buff *skb,
4729  const struct net_device *in,
4730  const struct net_device *out,
4731  int (*okfn)(struct sk_buff *))
4732 {
4733  return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4734 }
4735 #endif /* IPV6 */
4736 
4737 #endif /* CONFIG_NETFILTER */
4738 
4739 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4740 {
4741  int err;
4742 
4743  err = cap_netlink_send(sk, skb);
4744  if (err)
4745  return err;
4746 
4747  return selinux_nlmsg_perm(sk, skb);
4748 }
4749 
4750 static int ipc_alloc_security(struct task_struct *task,
4751  struct kern_ipc_perm *perm,
4752  u16 sclass)
4753 {
4754  struct ipc_security_struct *isec;
4755  u32 sid;
4756 
4757  isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4758  if (!isec)
4759  return -ENOMEM;
4760 
4761  sid = task_sid(task);
4762  isec->sclass = sclass;
4763  isec->sid = sid;
4764  perm->security = isec;
4765 
4766  return 0;
4767 }
4768 
4769 static void ipc_free_security(struct kern_ipc_perm *perm)
4770 {
4771  struct ipc_security_struct *isec = perm->security;
4772  perm->security = NULL;
4773  kfree(isec);
4774 }
4775 
4776 static int msg_msg_alloc_security(struct msg_msg *msg)
4777 {
4778  struct msg_security_struct *msec;
4779 
4780  msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4781  if (!msec)
4782  return -ENOMEM;
4783 
4784  msec->sid = SECINITSID_UNLABELED;
4785  msg->security = msec;
4786 
4787  return 0;
4788 }
4789 
4790 static void msg_msg_free_security(struct msg_msg *msg)
4791 {
4792  struct msg_security_struct *msec = msg->security;
4793 
4794  msg->security = NULL;
4795  kfree(msec);
4796 }
4797 
4798 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4799  u32 perms)
4800 {
4801  struct ipc_security_struct *isec;
4802  struct common_audit_data ad;
4803  u32 sid = current_sid();
4804 
4805  isec = ipc_perms->security;
4806 
4807  ad.type = LSM_AUDIT_DATA_IPC;
4808  ad.u.ipc_id = ipc_perms->key;
4809 
4810  return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4811 }
4812 
4813 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4814 {
4815  return msg_msg_alloc_security(msg);
4816 }
4817 
4818 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4819 {
4820  msg_msg_free_security(msg);
4821 }
4822 
4823 /* message queue security operations */
4824 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4825 {
4826  struct ipc_security_struct *isec;
4827  struct common_audit_data ad;
4828  u32 sid = current_sid();
4829  int rc;
4830 
4831  rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4832  if (rc)
4833  return rc;
4834 
4835  isec = msq->q_perm.security;
4836 
4837  ad.type = LSM_AUDIT_DATA_IPC;
4838  ad.u.ipc_id = msq->q_perm.key;
4839 
4840  rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4841  MSGQ__CREATE, &ad);
4842  if (rc) {
4843  ipc_free_security(&msq->q_perm);
4844  return rc;
4845  }
4846  return 0;
4847 }
4848 
4849 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4850 {
4851  ipc_free_security(&msq->q_perm);
4852 }
4853 
4854 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4855 {
4856  struct ipc_security_struct *isec;
4857  struct common_audit_data ad;
4858  u32 sid = current_sid();
4859 
4860  isec = msq->q_perm.security;
4861 
4862  ad.type = LSM_AUDIT_DATA_IPC;
4863  ad.u.ipc_id = msq->q_perm.key;
4864 
4865  return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4866  MSGQ__ASSOCIATE, &ad);
4867 }
4868 
4869 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4870 {
4871  int err;
4872  int perms;
4873 
4874  switch (cmd) {
4875  case IPC_INFO:
4876  case MSG_INFO:
4877  /* No specific object, just general system-wide information. */
4878  return task_has_system(current, SYSTEM__IPC_INFO);
4879  case IPC_STAT:
4880  case MSG_STAT:
4881  perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4882  break;
4883  case IPC_SET:
4884  perms = MSGQ__SETATTR;
4885  break;
4886  case IPC_RMID:
4887  perms = MSGQ__DESTROY;
4888  break;
4889  default:
4890  return 0;
4891  }
4892 
4893  err = ipc_has_perm(&msq->q_perm, perms);
4894  return err;
4895 }
4896 
4897 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4898 {
4899  struct ipc_security_struct *isec;
4900  struct msg_security_struct *msec;
4901  struct common_audit_data ad;
4902  u32 sid = current_sid();
4903  int rc;
4904 
4905  isec = msq->q_perm.security;
4906  msec = msg->security;
4907 
4908  /*
4909  * First time through, need to assign label to the message
4910  */
4911  if (msec->sid == SECINITSID_UNLABELED) {
4912  /*
4913  * Compute new sid based on current process and
4914  * message queue this message will be stored in
4915  */
4916  rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4917  NULL, &msec->sid);
4918  if (rc)
4919  return rc;
4920  }
4921 
4922  ad.type = LSM_AUDIT_DATA_IPC;
4923  ad.u.ipc_id = msq->q_perm.key;
4924 
4925  /* Can this process write to the queue? */
4926  rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4927  MSGQ__WRITE, &ad);
4928  if (!rc)
4929  /* Can this process send the message */
4930  rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4931  MSG__SEND, &ad);
4932  if (!rc)
4933  /* Can the message be put in the queue? */
4934  rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4935  MSGQ__ENQUEUE, &ad);
4936 
4937  return rc;
4938 }
4939 
4940 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4941  struct task_struct *target,
4942  long type, int mode)
4943 {
4944  struct ipc_security_struct *isec;
4945  struct msg_security_struct *msec;
4946  struct common_audit_data ad;
4947  u32 sid = task_sid(target);
4948  int rc;
4949 
4950  isec = msq->q_perm.security;
4951  msec = msg->security;
4952 
4953  ad.type = LSM_AUDIT_DATA_IPC;
4954  ad.u.ipc_id = msq->q_perm.key;
4955 
4956  rc = avc_has_perm(sid, isec->sid,
4957  SECCLASS_MSGQ, MSGQ__READ, &ad);
4958  if (!rc)
4959  rc = avc_has_perm(sid, msec->sid,
4960  SECCLASS_MSG, MSG__RECEIVE, &ad);
4961  return rc;
4962 }
4963 
4964 /* Shared Memory security operations */
4965 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4966 {
4967  struct ipc_security_struct *isec;
4968  struct common_audit_data ad;
4969  u32 sid = current_sid();
4970  int rc;
4971 
4972  rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4973  if (rc)
4974  return rc;
4975 
4976  isec = shp->shm_perm.security;
4977 
4978  ad.type = LSM_AUDIT_DATA_IPC;
4979  ad.u.ipc_id = shp->shm_perm.key;
4980 
4981  rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4982  SHM__CREATE, &ad);
4983  if (rc) {
4984  ipc_free_security(&shp->shm_perm);
4985  return rc;
4986  }
4987  return 0;
4988 }
4989 
4990 static void selinux_shm_free_security(struct shmid_kernel *shp)
4991 {
4992  ipc_free_security(&shp->shm_perm);
4993 }
4994 
4995 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4996 {
4997  struct ipc_security_struct *isec;
4998  struct common_audit_data ad;
4999  u32 sid = current_sid();
5000 
5001  isec = shp->shm_perm.security;
5002 
5003  ad.type = LSM_AUDIT_DATA_IPC;
5004  ad.u.ipc_id = shp->shm_perm.key;
5005 
5006  return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5007  SHM__ASSOCIATE, &ad);
5008 }
5009 
5010 /* Note, at this point, shp is locked down */
5011 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5012 {
5013  int perms;
5014  int err;
5015 
5016  switch (cmd) {
5017  case IPC_INFO:
5018  case SHM_INFO:
5019  /* No specific object, just general system-wide information. */
5020  return task_has_system(current, SYSTEM__IPC_INFO);
5021  case IPC_STAT:
5022  case SHM_STAT:
5023  perms = SHM__GETATTR | SHM__ASSOCIATE;
5024  break;
5025  case IPC_SET:
5026  perms = SHM__SETATTR;
5027  break;
5028  case SHM_LOCK:
5029  case SHM_UNLOCK:
5030  perms = SHM__LOCK;
5031  break;
5032  case IPC_RMID:
5033  perms = SHM__DESTROY;
5034  break;
5035  default:
5036  return 0;
5037  }
5038 
5039  err = ipc_has_perm(&shp->shm_perm, perms);
5040  return err;
5041 }
5042 
5043 static int selinux_shm_shmat(struct shmid_kernel *shp,
5044  char __user *shmaddr, int shmflg)
5045 {
5046  u32 perms;
5047 
5048  if (shmflg & SHM_RDONLY)
5049  perms = SHM__READ;
5050  else
5051  perms = SHM__READ | SHM__WRITE;
5052 
5053  return ipc_has_perm(&shp->shm_perm, perms);
5054 }
5055 
5056 /* Semaphore security operations */
5057 static int selinux_sem_alloc_security(struct sem_array *sma)
5058 {
5059  struct ipc_security_struct *isec;
5060  struct common_audit_data ad;
5061  u32 sid = current_sid();
5062  int rc;
5063 
5064  rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5065  if (rc)
5066  return rc;
5067 
5068  isec = sma->sem_perm.security;
5069 
5070  ad.type = LSM_AUDIT_DATA_IPC;
5071  ad.u.ipc_id = sma->sem_perm.key;
5072 
5073  rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5074  SEM__CREATE, &ad);
5075  if (rc) {
5076  ipc_free_security(&sma->sem_perm);
5077  return rc;
5078  }
5079  return 0;
5080 }
5081 
5082 static void selinux_sem_free_security(struct sem_array *sma)
5083 {
5084  ipc_free_security(&sma->sem_perm);
5085 }
5086 
5087 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5088 {
5089  struct ipc_security_struct *isec;
5090  struct common_audit_data ad;
5091  u32 sid = current_sid();
5092 
5093  isec = sma->sem_perm.security;
5094 
5095  ad.type = LSM_AUDIT_DATA_IPC;
5096  ad.u.ipc_id = sma->sem_perm.key;
5097 
5098  return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5099  SEM__ASSOCIATE, &ad);
5100 }
5101 
5102 /* Note, at this point, sma is locked down */
5103 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5104 {
5105  int err;
5106  u32 perms;
5107 
5108  switch (cmd) {
5109  case IPC_INFO:
5110  case SEM_INFO:
5111  /* No specific object, just general system-wide information. */
5112  return task_has_system(current, SYSTEM__IPC_INFO);
5113  case GETPID:
5114  case GETNCNT:
5115  case GETZCNT:
5116  perms = SEM__GETATTR;
5117  break;
5118  case GETVAL:
5119  case GETALL:
5120  perms = SEM__READ;
5121  break;
5122  case SETVAL:
5123  case SETALL:
5124  perms = SEM__WRITE;
5125  break;
5126  case IPC_RMID:
5127  perms = SEM__DESTROY;
5128  break;
5129  case IPC_SET:
5130  perms = SEM__SETATTR;
5131  break;
5132  case IPC_STAT:
5133  case SEM_STAT:
5134  perms = SEM__GETATTR | SEM__ASSOCIATE;
5135  break;
5136  default:
5137  return 0;
5138  }
5139 
5140  err = ipc_has_perm(&sma->sem_perm, perms);
5141  return err;
5142 }
5143 
5144 static int selinux_sem_semop(struct sem_array *sma,
5145  struct sembuf *sops, unsigned nsops, int alter)
5146 {
5147  u32 perms;
5148 
5149  if (alter)
5150  perms = SEM__READ | SEM__WRITE;
5151  else
5152  perms = SEM__READ;
5153 
5154  return ipc_has_perm(&sma->sem_perm, perms);
5155 }
5156 
5157 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5158 {
5159  u32 av = 0;
5160 
5161  av = 0;
5162  if (flag & S_IRUGO)
5163  av |= IPC__UNIX_READ;
5164  if (flag & S_IWUGO)
5165  av |= IPC__UNIX_WRITE;
5166 
5167  if (av == 0)
5168  return 0;
5169 
5170  return ipc_has_perm(ipcp, av);
5171 }
5172 
5173 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5174 {
5175  struct ipc_security_struct *isec = ipcp->security;
5176  *secid = isec->sid;
5177 }
5178 
5179 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5180 {
5181  if (inode)
5182  inode_doinit_with_dentry(inode, dentry);
5183 }
5184 
5185 static int selinux_getprocattr(struct task_struct *p,
5186  char *name, char **value)
5187 {
5188  const struct task_security_struct *__tsec;
5189  u32 sid;
5190  int error;
5191  unsigned len;
5192 
5193  if (current != p) {
5194  error = current_has_perm(p, PROCESS__GETATTR);
5195  if (error)
5196  return error;
5197  }
5198 
5199  rcu_read_lock();
5200  __tsec = __task_cred(p)->security;
5201 
5202  if (!strcmp(name, "current"))
5203  sid = __tsec->sid;
5204  else if (!strcmp(name, "prev"))
5205  sid = __tsec->osid;
5206  else if (!strcmp(name, "exec"))
5207  sid = __tsec->exec_sid;
5208  else if (!strcmp(name, "fscreate"))
5209  sid = __tsec->create_sid;
5210  else if (!strcmp(name, "keycreate"))
5211  sid = __tsec->keycreate_sid;
5212  else if (!strcmp(name, "sockcreate"))
5213  sid = __tsec->sockcreate_sid;
5214  else
5215  goto invalid;
5216  rcu_read_unlock();
5217 
5218  if (!sid)
5219  return 0;
5220 
5221  error = security_sid_to_context(sid, value, &len);
5222  if (error)
5223  return error;
5224  return len;
5225 
5226 invalid:
5227  rcu_read_unlock();
5228  return -EINVAL;
5229 }
5230 
5231 static int selinux_setprocattr(struct task_struct *p,
5232  char *name, void *value, size_t size)
5233 {
5234  struct task_security_struct *tsec;
5235  struct task_struct *tracer;
5236  struct cred *new;
5237  u32 sid = 0, ptsid;
5238  int error;
5239  char *str = value;
5240 
5241  if (current != p) {
5242  /* SELinux only allows a process to change its own
5243  security attributes. */
5244  return -EACCES;
5245  }
5246 
5247  /*
5248  * Basic control over ability to set these attributes at all.
5249  * current == p, but we'll pass them separately in case the
5250  * above restriction is ever removed.
5251  */
5252  if (!strcmp(name, "exec"))
5253  error = current_has_perm(p, PROCESS__SETEXEC);
5254  else if (!strcmp(name, "fscreate"))
5255  error = current_has_perm(p, PROCESS__SETFSCREATE);
5256  else if (!strcmp(name, "keycreate"))
5257  error = current_has_perm(p, PROCESS__SETKEYCREATE);
5258  else if (!strcmp(name, "sockcreate"))
5259  error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5260  else if (!strcmp(name, "current"))
5261  error = current_has_perm(p, PROCESS__SETCURRENT);
5262  else
5263  error = -EINVAL;
5264  if (error)
5265  return error;
5266 
5267  /* Obtain a SID for the context, if one was specified. */
5268  if (size && str[1] && str[1] != '\n') {
5269  if (str[size-1] == '\n') {
5270  str[size-1] = 0;
5271  size--;
5272  }
5273  error = security_context_to_sid(value, size, &sid);
5274  if (error == -EINVAL && !strcmp(name, "fscreate")) {
5275  if (!capable(CAP_MAC_ADMIN)) {
5276  struct audit_buffer *ab;
5277  size_t audit_size;
5278 
5279  /* We strip a nul only if it is at the end, otherwise the
5280  * context contains a nul and we should audit that */
5281  if (str[size - 1] == '\0')
5282  audit_size = size - 1;
5283  else
5284  audit_size = size;
5285  ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5286  audit_log_format(ab, "op=fscreate invalid_context=");
5287  audit_log_n_untrustedstring(ab, value, audit_size);
5288  audit_log_end(ab);
5289 
5290  return error;
5291  }
5292  error = security_context_to_sid_force(value, size,
5293  &sid);
5294  }
5295  if (error)
5296  return error;
5297  }
5298 
5299  new = prepare_creds();
5300  if (!new)
5301  return -ENOMEM;
5302 
5303  /* Permission checking based on the specified context is
5304  performed during the actual operation (execve,
5305  open/mkdir/...), when we know the full context of the
5306  operation. See selinux_bprm_set_creds for the execve
5307  checks and may_create for the file creation checks. The
5308  operation will then fail if the context is not permitted. */
5309  tsec = new->security;
5310  if (!strcmp(name, "exec")) {
5311  tsec->exec_sid = sid;
5312  } else if (!strcmp(name, "fscreate")) {
5313  tsec->create_sid = sid;
5314  } else if (!strcmp(name, "keycreate")) {
5315  error = may_create_key(sid, p);
5316  if (error)
5317  goto abort_change;
5318  tsec->keycreate_sid = sid;
5319  } else if (!strcmp(name, "sockcreate")) {
5320  tsec->sockcreate_sid = sid;
5321  } else if (!strcmp(name, "current")) {
5322  error = -EINVAL;
5323  if (sid == 0)
5324  goto abort_change;
5325 
5326  /* Only allow single threaded processes to change context */
5327  error = -EPERM;
5328  if (!current_is_single_threaded()) {
5329  error = security_bounded_transition(tsec->sid, sid);
5330  if (error)
5331  goto abort_change;
5332  }
5333 
5334  /* Check permissions for the transition. */
5335  error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5336  PROCESS__DYNTRANSITION, NULL);
5337  if (error)
5338  goto abort_change;
5339 
5340  /* Check for ptracing, and update the task SID if ok.
5341  Otherwise, leave SID unchanged and fail. */
5342  ptsid = 0;
5343  task_lock(p);
5344  tracer = ptrace_parent(p);
5345  if (tracer)
5346  ptsid = task_sid(tracer);
5347  task_unlock(p);
5348 
5349  if (tracer) {
5350  error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5351  PROCESS__PTRACE, NULL);
5352  if (error)
5353  goto abort_change;
5354  }
5355 
5356  tsec->sid = sid;
5357  } else {
5358  error = -EINVAL;
5359  goto abort_change;
5360  }
5361 
5362  commit_creds(new);
5363  return size;
5364 
5365 abort_change:
5366  abort_creds(new);
5367  return error;
5368 }
5369 
5370 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5371 {
5372  return security_sid_to_context(secid, secdata, seclen);
5373 }
5374 
5375 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5376 {
5377  return security_context_to_sid(secdata, seclen, secid);
5378 }
5379 
5380 static void selinux_release_secctx(char *secdata, u32 seclen)
5381 {
5382  kfree(secdata);
5383 }
5384 
5385 /*
5386  * called with inode->i_mutex locked
5387  */
5388 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5389 {
5390  return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5391 }
5392 
5393 /*
5394  * called with inode->i_mutex locked
5395  */
5396 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5397 {
5398  return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5399 }
5400 
5401 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5402 {
5403  int len = 0;
5404  len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5405  ctx, true);
5406  if (len < 0)
5407  return len;
5408  *ctxlen = len;
5409  return 0;
5410 }
5411 #ifdef CONFIG_KEYS
5412 
5413 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5414  unsigned long flags)
5415 {
5416  const struct task_security_struct *tsec;
5417  struct key_security_struct *ksec;
5418 
5419  ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5420  if (!ksec)
5421  return -ENOMEM;
5422 
5423  tsec = cred->security;
5424  if (tsec->keycreate_sid)
5425  ksec->sid = tsec->keycreate_sid;
5426  else
5427  ksec->sid = tsec->sid;
5428 
5429  k->security = ksec;
5430  return 0;
5431 }
5432 
5433 static void selinux_key_free(struct key *k)
5434 {
5435  struct key_security_struct *ksec = k->security;
5436 
5437  k->security = NULL;
5438  kfree(ksec);
5439 }
5440 
5441 static int selinux_key_permission(key_ref_t key_ref,
5442  const struct cred *cred,
5443  key_perm_t perm)
5444 {
5445  struct key *key;
5446  struct key_security_struct *ksec;
5447  u32 sid;
5448 
5449  /* if no specific permissions are requested, we skip the
5450  permission check. No serious, additional covert channels
5451  appear to be created. */
5452  if (perm == 0)
5453  return 0;
5454 
5455  sid = cred_sid(cred);
5456 
5457  key = key_ref_to_ptr(key_ref);
5458  ksec = key->security;
5459 
5460  return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5461 }
5462 
5463 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5464 {
5465  struct key_security_struct *ksec = key->security;
5466  char *context = NULL;
5467  unsigned len;
5468  int rc;
5469 
5470  rc = security_sid_to_context(ksec->sid, &context, &len);
5471  if (!rc)
5472  rc = len;
5473  *_buffer = context;
5474  return rc;
5475 }
5476 
5477 #endif
5478 
5479 static struct security_operations selinux_ops = {
5480  .name = "selinux",
5481 
5482  .ptrace_access_check = selinux_ptrace_access_check,
5483  .ptrace_traceme = selinux_ptrace_traceme,
5484  .capget = selinux_capget,
5485  .capset = selinux_capset,
5486  .capable = selinux_capable,
5487  .quotactl = selinux_quotactl,
5488  .quota_on = selinux_quota_on,
5489  .syslog = selinux_syslog,
5490  .vm_enough_memory = selinux_vm_enough_memory,
5491 
5492  .netlink_send = selinux_netlink_send,
5493 
5494  .bprm_set_creds = selinux_bprm_set_creds,
5495  .bprm_committing_creds = selinux_bprm_committing_creds,
5496  .bprm_committed_creds = selinux_bprm_committed_creds,
5497  .bprm_secureexec = selinux_bprm_secureexec,
5498 
5499  .sb_alloc_security = selinux_sb_alloc_security,
5500  .sb_free_security = selinux_sb_free_security,
5501  .sb_copy_data = selinux_sb_copy_data,
5502  .sb_remount = selinux_sb_remount,
5503  .sb_kern_mount = selinux_sb_kern_mount,
5504  .sb_show_options = selinux_sb_show_options,
5505  .sb_statfs = selinux_sb_statfs,
5506  .sb_mount = selinux_mount,
5507  .sb_umount = selinux_umount,
5508  .sb_set_mnt_opts = selinux_set_mnt_opts,
5509  .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5510  .sb_parse_opts_str = selinux_parse_opts_str,
5511 
5512 
5513  .inode_alloc_security = selinux_inode_alloc_security,
5514  .inode_free_security = selinux_inode_free_security,
5515  .inode_init_security = selinux_inode_init_security,
5516  .inode_create = selinux_inode_create,
5517  .inode_link = selinux_inode_link,
5518  .inode_unlink = selinux_inode_unlink,
5519  .inode_symlink = selinux_inode_symlink,
5520  .inode_mkdir = selinux_inode_mkdir,
5521  .inode_rmdir = selinux_inode_rmdir,
5522  .inode_mknod = selinux_inode_mknod,
5523  .inode_rename = selinux_inode_rename,
5524  .inode_readlink = selinux_inode_readlink,
5525  .inode_follow_link = selinux_inode_follow_link,
5526  .inode_permission = selinux_inode_permission,
5527  .inode_setattr = selinux_inode_setattr,
5528  .inode_getattr = selinux_inode_getattr,
5529  .inode_setxattr = selinux_inode_setxattr,
5530  .inode_post_setxattr = selinux_inode_post_setxattr,
5531  .inode_getxattr = selinux_inode_getxattr,
5532  .inode_listxattr = selinux_inode_listxattr,
5533  .inode_removexattr = selinux_inode_removexattr,
5534  .inode_getsecurity = selinux_inode_getsecurity,
5535  .inode_setsecurity = selinux_inode_setsecurity,
5536  .inode_listsecurity = selinux_inode_listsecurity,
5537  .inode_getsecid = selinux_inode_getsecid,
5538 
5539  .file_permission = selinux_file_permission,
5540  .file_alloc_security = selinux_file_alloc_security,
5541  .file_free_security = selinux_file_free_security,
5542  .file_ioctl = selinux_file_ioctl,
5543  .mmap_file = selinux_mmap_file,
5544  .mmap_addr = selinux_mmap_addr,
5545  .file_mprotect = selinux_file_mprotect,
5546  .file_lock = selinux_file_lock,
5547  .file_fcntl = selinux_file_fcntl,
5548  .file_set_fowner = selinux_file_set_fowner,
5549  .file_send_sigiotask = selinux_file_send_sigiotask,
5550  .file_receive = selinux_file_receive,
5551 
5552  .file_open = selinux_file_open,
5553 
5554  .task_create = selinux_task_create,
5555  .cred_alloc_blank = selinux_cred_alloc_blank,
5556  .cred_free = selinux_cred_free,
5557  .cred_prepare = selinux_cred_prepare,
5558  .cred_transfer = selinux_cred_transfer,
5559  .kernel_act_as = selinux_kernel_act_as,
5560  .kernel_create_files_as = selinux_kernel_create_files_as,
5561  .kernel_module_request = selinux_kernel_module_request,
5562  .task_setpgid = selinux_task_setpgid,
5563  .task_getpgid = selinux_task_getpgid,
5564  .task_getsid = selinux_task_getsid,
5565  .task_getsecid = selinux_task_getsecid,
5566  .task_setnice = selinux_task_setnice,
5567  .task_setioprio = selinux_task_setioprio,
5568  .task_getioprio = selinux_task_getioprio,
5569  .task_setrlimit = selinux_task_setrlimit,
5570  .task_setscheduler = selinux_task_setscheduler,
5571  .task_getscheduler = selinux_task_getscheduler,
5572  .task_movememory = selinux_task_movememory,
5573  .task_kill = selinux_task_kill,
5574  .task_wait = selinux_task_wait,
5575  .task_to_inode = selinux_task_to_inode,
5576 
5577  .ipc_permission = selinux_ipc_permission,
5578  .ipc_getsecid = selinux_ipc_getsecid,
5579 
5580  .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5581  .msg_msg_free_security = selinux_msg_msg_free_security,
5582 
5583  .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5584  .msg_queue_free_security = selinux_msg_queue_free_security,
5585  .msg_queue_associate = selinux_msg_queue_associate,
5586  .msg_queue_msgctl = selinux_msg_queue_msgctl,
5587  .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5588  .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5589 
5590  .shm_alloc_security = selinux_shm_alloc_security,
5591  .shm_free_security = selinux_shm_free_security,
5592  .shm_associate = selinux_shm_associate,
5593  .shm_shmctl = selinux_shm_shmctl,
5594  .shm_shmat = selinux_shm_shmat,
5595 
5596  .sem_alloc_security = selinux_sem_alloc_security,
5597  .sem_free_security = selinux_sem_free_security,
5598  .sem_associate = selinux_sem_associate,
5599  .sem_semctl = selinux_sem_semctl,
5600  .sem_semop = selinux_sem_semop,
5601 
5602  .d_instantiate = selinux_d_instantiate,
5603 
5604  .getprocattr = selinux_getprocattr,
5605  .setprocattr = selinux_setprocattr,
5606 
5607  .secid_to_secctx = selinux_secid_to_secctx,
5608  .secctx_to_secid = selinux_secctx_to_secid,
5609  .release_secctx = selinux_release_secctx,
5610  .inode_notifysecctx = selinux_inode_notifysecctx,
5611  .inode_setsecctx = selinux_inode_setsecctx,
5612  .inode_getsecctx = selinux_inode_getsecctx,
5613 
5614  .unix_stream_connect = selinux_socket_unix_stream_connect,
5615  .unix_may_send = selinux_socket_unix_may_send,
5616 
5617  .socket_create = selinux_socket_create,
5618  .socket_post_create = selinux_socket_post_create,
5619  .socket_bind = selinux_socket_bind,
5620  .socket_connect = selinux_socket_connect,
5621  .socket_listen = selinux_socket_listen,
5622  .socket_accept = selinux_socket_accept,
5623  .socket_sendmsg = selinux_socket_sendmsg,
5624  .socket_recvmsg = selinux_socket_recvmsg,
5625  .socket_getsockname = selinux_socket_getsockname,
5626  .socket_getpeername = selinux_socket_getpeername,
5627  .socket_getsockopt = selinux_socket_getsockopt,
5628  .socket_setsockopt = selinux_socket_setsockopt,
5629  .socket_shutdown = selinux_socket_shutdown,
5630  .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5631  .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5632  .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5633  .sk_alloc_security = selinux_sk_alloc_security,
5634  .sk_free_security = selinux_sk_free_security,
5635  .sk_clone_security = selinux_sk_clone_security,
5636  .sk_getsecid = selinux_sk_getsecid,
5637  .sock_graft = selinux_sock_graft,
5638  .inet_conn_request = selinux_inet_conn_request,
5639  .inet_csk_clone = selinux_inet_csk_clone,
5640  .inet_conn_established = selinux_inet_conn_established,
5641  .secmark_relabel_packet = selinux_secmark_relabel_packet,
5642  .secmark_refcount_inc = selinux_secmark_refcount_inc,
5643  .secmark_refcount_dec = selinux_secmark_refcount_dec,
5644  .req_classify_flow = selinux_req_classify_flow,
5645  .tun_dev_create = selinux_tun_dev_create,
5646  .tun_dev_post_create = selinux_tun_dev_post_create,
5647  .tun_dev_attach = selinux_tun_dev_attach,
5648 
5649 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5650  .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5651  .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5652  .xfrm_policy_free_security = selinux_xfrm_policy_free,
5653  .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5654  .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5655  .xfrm_state_free_security = selinux_xfrm_state_free,
5656  .xfrm_state_delete_security = selinux_xfrm_state_delete,
5657  .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5658  .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5659  .xfrm_decode_session = selinux_xfrm_decode_session,
5660 #endif
5661 
5662 #ifdef CONFIG_KEYS
5663  .key_alloc = selinux_key_alloc,
5664  .key_free = selinux_key_free,
5665  .key_permission = selinux_key_permission,
5666  .key_getsecurity = selinux_key_getsecurity,
5667 #endif
5668 
5669 #ifdef CONFIG_AUDIT
5670  .audit_rule_init = selinux_audit_rule_init,
5671  .audit_rule_known = selinux_audit_rule_known,
5672  .audit_rule_match = selinux_audit_rule_match,
5673  .audit_rule_free = selinux_audit_rule_free,
5674 #endif
5675 };
5676 
5677 static __init int selinux_init(void)
5678 {
5679  if (!security_module_enable(&selinux_ops)) {
5680  selinux_enabled = 0;
5681  return 0;
5682  }
5683 
5684  if (!selinux_enabled) {
5685  printk(KERN_INFO "SELinux: Disabled at boot.\n");
5686  return 0;
5687  }
5688 
5689  printk(KERN_INFO "SELinux: Initializing.\n");
5690 
5691  /* Set the security state for the initial task. */
5692  cred_init_security();
5693 
5694  default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5695 
5696  sel_inode_cache = kmem_cache_create("selinux_inode_security",
5697  sizeof(struct inode_security_struct),
5698  0, SLAB_PANIC, NULL);
5699  avc_init();
5700 
5701  if (register_security(&selinux_ops))
5702  panic("SELinux: Unable to register with kernel.\n");
5703 
5704  if (selinux_enforcing)
5705  printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5706  else
5707  printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5708 
5709  return 0;
5710 }
5711 
5712 static void delayed_superblock_init(struct super_block *sb, void *unused)
5713 {
5714  superblock_doinit(sb, NULL);
5715 }
5716 
5718 {
5719  printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5720 
5721  /* Set up any superblocks initialized prior to the policy load. */
5722  printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5723  iterate_supers(delayed_superblock_init, NULL);
5724 }
5725 
5726 /* SELinux requires early initialization in order to label
5727  all processes and objects when they are created. */
5728 security_initcall(selinux_init);
5729 
5730 #if defined(CONFIG_NETFILTER)
5731 
5732 static struct nf_hook_ops selinux_ipv4_ops[] = {
5733  {
5734  .hook = selinux_ipv4_postroute,
5735  .owner = THIS_MODULE,
5736  .pf = NFPROTO_IPV4,
5737  .hooknum = NF_INET_POST_ROUTING,
5738  .priority = NF_IP_PRI_SELINUX_LAST,
5739  },
5740  {
5741  .hook = selinux_ipv4_forward,
5742  .owner = THIS_MODULE,
5743  .pf = NFPROTO_IPV4,
5744  .hooknum = NF_INET_FORWARD,
5745  .priority = NF_IP_PRI_SELINUX_FIRST,
5746  },
5747  {
5748  .hook = selinux_ipv4_output,
5749  .owner = THIS_MODULE,
5750  .pf = NFPROTO_IPV4,
5751  .hooknum = NF_INET_LOCAL_OUT,
5752  .priority = NF_IP_PRI_SELINUX_FIRST,
5753  }
5754 };
5755 
5756 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5757 
5758 static struct nf_hook_ops selinux_ipv6_ops[] = {
5759  {
5760  .hook = selinux_ipv6_postroute,
5761  .owner = THIS_MODULE,
5762  .pf = NFPROTO_IPV6,
5763  .hooknum = NF_INET_POST_ROUTING,
5764  .priority = NF_IP6_PRI_SELINUX_LAST,
5765  },
5766  {
5767  .hook = selinux_ipv6_forward,
5768  .owner = THIS_MODULE,
5769  .pf = NFPROTO_IPV6,
5770  .hooknum = NF_INET_FORWARD,
5771  .priority = NF_IP6_PRI_SELINUX_FIRST,
5772  }
5773 };
5774 
5775 #endif /* IPV6 */
5776 
5777 static int __init selinux_nf_ip_init(void)
5778 {
5779  int err = 0;
5780 
5781  if (!selinux_enabled)
5782  goto out;
5783 
5784  printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5785 
5786  err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5787  if (err)
5788  panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5789 
5790 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5791  err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5792  if (err)
5793  panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5794 #endif /* IPV6 */
5795 
5796 out:
5797  return err;
5798 }
5799 
5800 __initcall(selinux_nf_ip_init);
5801 
5802 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5803 static void selinux_nf_ip_exit(void)
5804 {
5805  printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5806 
5807  nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5808 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5809  nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5810 #endif /* IPV6 */
5811 }
5812 #endif
5813 
5814 #else /* CONFIG_NETFILTER */
5815 
5816 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5817 #define selinux_nf_ip_exit()
5818 #endif
5819 
5820 #endif /* CONFIG_NETFILTER */
5821 
5822 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5823 static int selinux_disabled;
5824 
5825 int selinux_disable(void)
5826 {
5827  if (ss_initialized) {
5828  /* Not permitted after initial policy load. */
5829  return -EINVAL;
5830  }
5831 
5832  if (selinux_disabled) {
5833  /* Only do this once. */
5834  return -EINVAL;
5835  }
5836 
5837  printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5838 
5839  selinux_disabled = 1;
5840  selinux_enabled = 0;
5841 
5843 
5844  /* Try to destroy the avc node cache */
5845  avc_disable();
5846 
5847  /* Unregister netfilter hooks. */
5848  selinux_nf_ip_exit();
5849 
5850  /* Unregister selinuxfs. */
5851  exit_sel_fs();
5852 
5853  return 0;
5854 }
5855 #endif