diff options
Diffstat (limited to 'ANDROID_3.4.5/security/selinux/hooks.c')
| -rw-r--r-- | ANDROID_3.4.5/security/selinux/hooks.c | 5923 |
1 files changed, 0 insertions, 5923 deletions
diff --git a/ANDROID_3.4.5/security/selinux/hooks.c b/ANDROID_3.4.5/security/selinux/hooks.c deleted file mode 100644 index 581b8c71..00000000 --- a/ANDROID_3.4.5/security/selinux/hooks.c +++ /dev/null @@ -1,5923 +0,0 @@ -/* - * NSA Security-Enhanced Linux (SELinux) security module - * - * This file contains the SELinux hook function implementations. - * - * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> - * Chris Vance, <cvance@nai.com> - * Wayne Salamon, <wsalamon@nai.com> - * James Morris <jmorris@redhat.com> - * - * Copyright (C) 2001,2002 Networks Associates Technology, Inc. - * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> - * Eric Paris <eparis@redhat.com> - * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. - * <dgoeddel@trustedcs.com> - * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. - * Paul Moore <paul@paul-moore.com> - * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. - * Yuichi Nakamura <ynakam@hitachisoft.jp> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2, - * as published by the Free Software Foundation. - */ - -#include <linux/init.h> -#include <linux/kd.h> -#include <linux/kernel.h> -#include <linux/tracehook.h> -#include <linux/errno.h> -#include <linux/sched.h> -#include <linux/security.h> -#include <linux/xattr.h> -#include <linux/capability.h> -#include <linux/unistd.h> -#include <linux/mm.h> -#include <linux/mman.h> -#include <linux/slab.h> -#include <linux/pagemap.h> -#include <linux/proc_fs.h> -#include <linux/swap.h> -#include <linux/spinlock.h> -#include <linux/syscalls.h> -#include <linux/dcache.h> -#include <linux/file.h> -#include <linux/fdtable.h> -#include <linux/namei.h> -#include <linux/mount.h> -#include <linux/netfilter_ipv4.h> -#include <linux/netfilter_ipv6.h> -#include <linux/tty.h> -#include <net/icmp.h> -#include <net/ip.h> /* for local_port_range[] */ -#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ -#include <net/net_namespace.h> -#include <net/netlabel.h> -#include <linux/uaccess.h> -#include <asm/ioctls.h> -#include <linux/atomic.h> -#include <linux/bitops.h> -#include <linux/interrupt.h> -#include <linux/netdevice.h> /* for network interface checks */ -#include <linux/netlink.h> -#include <linux/tcp.h> -#include <linux/udp.h> -#include <linux/dccp.h> -#include <linux/quota.h> -#include <linux/un.h> /* for Unix socket types */ -#include <net/af_unix.h> /* for Unix socket types */ -#include <linux/parser.h> -#include <linux/nfs_mount.h> -#include <net/ipv6.h> -#include <linux/hugetlb.h> -#include <linux/personality.h> -#include <linux/audit.h> -#include <linux/string.h> -#include <linux/selinux.h> -#include <linux/mutex.h> -#include <linux/posix-timers.h> -#include <linux/syslog.h> -#include <linux/user_namespace.h> -#include <linux/export.h> -#include <linux/msg.h> -#include <linux/shm.h> - -#include "avc.h" -#include "objsec.h" -#include "netif.h" -#include "netnode.h" -#include "netport.h" -#include "xfrm.h" -#include "netlabel.h" -#include "audit.h" -#include "avc_ss.h" - -#define NUM_SEL_MNT_OPTS 5 - -extern struct security_operations *security_ops; - -/* SECMARK reference count */ -static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); - -#ifdef CONFIG_SECURITY_SELINUX_DEVELOP -int selinux_enforcing; - -static int __init enforcing_setup(char *str) -{ - unsigned long enforcing; - if (!strict_strtoul(str, 0, &enforcing)) - selinux_enforcing = enforcing ? 1 : 0; - return 1; -} -__setup("enforcing=", enforcing_setup); -#endif - -#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM -int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; - -static int __init selinux_enabled_setup(char *str) -{ - unsigned long enabled; - if (!strict_strtoul(str, 0, &enabled)) - selinux_enabled = enabled ? 1 : 0; - return 1; -} -__setup("selinux=", selinux_enabled_setup); -#else -int selinux_enabled = 1; -#endif - -static struct kmem_cache *sel_inode_cache; - -/** - * selinux_secmark_enabled - Check to see if SECMARK is currently enabled - * - * Description: - * This function checks the SECMARK reference counter to see if any SECMARK - * targets are currently configured, if the reference counter is greater than - * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is - * enabled, false (0) if SECMARK is disabled. - * - */ -static int selinux_secmark_enabled(void) -{ - return (atomic_read(&selinux_secmark_refcount) > 0); -} - -/* - * initialise the security for the init task - */ -static void cred_init_security(void) -{ - struct cred *cred = (struct cred *) current->real_cred; - struct task_security_struct *tsec; - - tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); - if (!tsec) - panic("SELinux: Failed to initialize initial task.\n"); - - tsec->osid = tsec->sid = SECINITSID_KERNEL; - cred->security = tsec; -} - -/* - * get the security ID of a set of credentials - */ -static inline u32 cred_sid(const struct cred *cred) -{ - const struct task_security_struct *tsec; - - tsec = cred->security; - return tsec->sid; -} - -/* - * get the objective security ID of a task - */ -static inline u32 task_sid(const struct task_struct *task) -{ - u32 sid; - - rcu_read_lock(); - sid = cred_sid(__task_cred(task)); - rcu_read_unlock(); - return sid; -} - -/* - * get the subjective security ID of the current task - */ -static inline u32 current_sid(void) -{ - const struct task_security_struct *tsec = current_security(); - - return tsec->sid; -} - -/* Allocate and free functions for each kind of security blob. */ - -static int inode_alloc_security(struct inode *inode) -{ - struct inode_security_struct *isec; - u32 sid = current_sid(); - - isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); - if (!isec) - return -ENOMEM; - - mutex_init(&isec->lock); - INIT_LIST_HEAD(&isec->list); - isec->inode = inode; - isec->sid = SECINITSID_UNLABELED; - isec->sclass = SECCLASS_FILE; - isec->task_sid = sid; - inode->i_security = isec; - - return 0; -} - -static void inode_free_security(struct inode *inode) -{ - struct inode_security_struct *isec = inode->i_security; - struct superblock_security_struct *sbsec = inode->i_sb->s_security; - - spin_lock(&sbsec->isec_lock); - if (!list_empty(&isec->list)) - list_del_init(&isec->list); - spin_unlock(&sbsec->isec_lock); - - inode->i_security = NULL; - kmem_cache_free(sel_inode_cache, isec); -} - -static int file_alloc_security(struct file *file) -{ - struct file_security_struct *fsec; - u32 sid = current_sid(); - - fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); - if (!fsec) - return -ENOMEM; - - fsec->sid = sid; - fsec->fown_sid = sid; - file->f_security = fsec; - - return 0; -} - -static void file_free_security(struct file *file) -{ - struct file_security_struct *fsec = file->f_security; - file->f_security = NULL; - kfree(fsec); -} - -static int superblock_alloc_security(struct super_block *sb) -{ - struct superblock_security_struct *sbsec; - - sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); - if (!sbsec) - return -ENOMEM; - - mutex_init(&sbsec->lock); - INIT_LIST_HEAD(&sbsec->isec_head); - spin_lock_init(&sbsec->isec_lock); - sbsec->sb = sb; - sbsec->sid = SECINITSID_UNLABELED; - sbsec->def_sid = SECINITSID_FILE; - sbsec->mntpoint_sid = SECINITSID_UNLABELED; - sb->s_security = sbsec; - - return 0; -} - -static void superblock_free_security(struct super_block *sb) -{ - struct superblock_security_struct *sbsec = sb->s_security; - sb->s_security = NULL; - kfree(sbsec); -} - -/* The file system's label must be initialized prior to use. */ - -static const char *labeling_behaviors[6] = { - "uses xattr", - "uses transition SIDs", - "uses task SIDs", - "uses genfs_contexts", - "not configured for labeling", - "uses mountpoint labeling", -}; - -static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); - -static inline int inode_doinit(struct inode *inode) -{ - return inode_doinit_with_dentry(inode, NULL); -} - -enum { - Opt_error = -1, - Opt_context = 1, - Opt_fscontext = 2, - Opt_defcontext = 3, - Opt_rootcontext = 4, - Opt_labelsupport = 5, -}; - -static const match_table_t tokens = { - {Opt_context, CONTEXT_STR "%s"}, - {Opt_fscontext, FSCONTEXT_STR "%s"}, - {Opt_defcontext, DEFCONTEXT_STR "%s"}, - {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, - {Opt_labelsupport, LABELSUPP_STR}, - {Opt_error, NULL}, -}; - -#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" - -static int may_context_mount_sb_relabel(u32 sid, - struct superblock_security_struct *sbsec, - const struct cred *cred) -{ - const struct task_security_struct *tsec = cred->security; - int rc; - - rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, - FILESYSTEM__RELABELFROM, NULL); - if (rc) - return rc; - - rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, - FILESYSTEM__RELABELTO, NULL); - return rc; -} - -static int may_context_mount_inode_relabel(u32 sid, - struct superblock_security_struct *sbsec, - const struct cred *cred) -{ - const struct task_security_struct *tsec = cred->security; - int rc; - rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, - FILESYSTEM__RELABELFROM, NULL); - if (rc) - return rc; - - rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, - FILESYSTEM__ASSOCIATE, NULL); - return rc; -} - -static int sb_finish_set_opts(struct super_block *sb) -{ - struct superblock_security_struct *sbsec = sb->s_security; - struct dentry *root = sb->s_root; - struct inode *root_inode = root->d_inode; - int rc = 0; - - if (sbsec->behavior == SECURITY_FS_USE_XATTR) { - /* Make sure that the xattr handler exists and that no - error other than -ENODATA is returned by getxattr on - the root directory. -ENODATA is ok, as this may be - the first boot of the SELinux kernel before we have - assigned xattr values to the filesystem. */ - if (!root_inode->i_op->getxattr) { - printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " - "xattr support\n", sb->s_id, sb->s_type->name); - rc = -EOPNOTSUPP; - goto out; - } - rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0); - if (rc < 0 && rc != -ENODATA) { - if (rc == -EOPNOTSUPP) - printk(KERN_WARNING "SELinux: (dev %s, type " - "%s) has no security xattr handler\n", - sb->s_id, sb->s_type->name); - else - printk(KERN_WARNING "SELinux: (dev %s, type " - "%s) getxattr errno %d\n", sb->s_id, - sb->s_type->name, -rc); - goto out; - } - } - - sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP); - - if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) - printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", - sb->s_id, sb->s_type->name); - else - printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n", - sb->s_id, sb->s_type->name, - labeling_behaviors[sbsec->behavior-1]); - - if (sbsec->behavior == SECURITY_FS_USE_GENFS || - sbsec->behavior == SECURITY_FS_USE_MNTPOINT || - sbsec->behavior == SECURITY_FS_USE_NONE || - sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) - sbsec->flags &= ~SE_SBLABELSUPP; - - /* Special handling for sysfs. Is genfs but also has setxattr handler*/ - if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0) - sbsec->flags |= SE_SBLABELSUPP; - - /* Initialize the root inode. */ - rc = inode_doinit_with_dentry(root_inode, root); - - /* Initialize any other inodes associated with the superblock, e.g. - inodes created prior to initial policy load or inodes created - during get_sb by a pseudo filesystem that directly - populates itself. */ - spin_lock(&sbsec->isec_lock); -next_inode: - if (!list_empty(&sbsec->isec_head)) { - struct inode_security_struct *isec = - list_entry(sbsec->isec_head.next, - struct inode_security_struct, list); - struct inode *inode = isec->inode; - spin_unlock(&sbsec->isec_lock); - inode = igrab(inode); - if (inode) { - if (!IS_PRIVATE(inode)) - inode_doinit(inode); - iput(inode); - } - spin_lock(&sbsec->isec_lock); - list_del_init(&isec->list); - goto next_inode; - } - spin_unlock(&sbsec->isec_lock); -out: - return rc; -} - -/* - * This function should allow an FS to ask what it's mount security - * options were so it can use those later for submounts, displaying - * mount options, or whatever. - */ -static int selinux_get_mnt_opts(const struct super_block *sb, - struct security_mnt_opts *opts) -{ - int rc = 0, i; - struct superblock_security_struct *sbsec = sb->s_security; - char *context = NULL; - u32 len; - char tmp; - - security_init_mnt_opts(opts); - - if (!(sbsec->flags & SE_SBINITIALIZED)) - return -EINVAL; - - if (!ss_initialized) - return -EINVAL; - - tmp = sbsec->flags & SE_MNTMASK; - /* count the number of mount options for this sb */ - for (i = 0; i < 8; i++) { - if (tmp & 0x01) - opts->num_mnt_opts++; - tmp >>= 1; - } - /* Check if the Label support flag is set */ - if (sbsec->flags & SE_SBLABELSUPP) - opts->num_mnt_opts++; - - opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); - if (!opts->mnt_opts) { - rc = -ENOMEM; - goto out_free; - } - - opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); - if (!opts->mnt_opts_flags) { - rc = -ENOMEM; - goto out_free; - } - - i = 0; - if (sbsec->flags & FSCONTEXT_MNT) { - rc = security_sid_to_context(sbsec->sid, &context, &len); - if (rc) - goto out_free; - opts->mnt_opts[i] = context; - opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; - } - if (sbsec->flags & CONTEXT_MNT) { - rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); - if (rc) - goto out_free; - opts->mnt_opts[i] = context; - opts->mnt_opts_flags[i++] = CONTEXT_MNT; - } - if (sbsec->flags & DEFCONTEXT_MNT) { - rc = security_sid_to_context(sbsec->def_sid, &context, &len); - if (rc) - goto out_free; - opts->mnt_opts[i] = context; - opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; - } - if (sbsec->flags & ROOTCONTEXT_MNT) { - struct inode *root = sbsec->sb->s_root->d_inode; - struct inode_security_struct *isec = root->i_security; - - rc = security_sid_to_context(isec->sid, &context, &len); - if (rc) - goto out_free; - opts->mnt_opts[i] = context; - opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; - } - if (sbsec->flags & SE_SBLABELSUPP) { - opts->mnt_opts[i] = NULL; - opts->mnt_opts_flags[i++] = SE_SBLABELSUPP; - } - - BUG_ON(i != opts->num_mnt_opts); - - return 0; - -out_free: - security_free_mnt_opts(opts); - return rc; -} - -static int bad_option(struct superblock_security_struct *sbsec, char flag, - u32 old_sid, u32 new_sid) -{ - char mnt_flags = sbsec->flags & SE_MNTMASK; - - /* check if the old mount command had the same options */ - if (sbsec->flags & SE_SBINITIALIZED) - if (!(sbsec->flags & flag) || - (old_sid != new_sid)) - return 1; - - /* check if we were passed the same options twice, - * aka someone passed context=a,context=b - */ - if (!(sbsec->flags & SE_SBINITIALIZED)) - if (mnt_flags & flag) - return 1; - return 0; -} - -/* - * Allow filesystems with binary mount data to explicitly set mount point - * labeling information. - */ -static int selinux_set_mnt_opts(struct super_block *sb, - struct security_mnt_opts *opts) -{ - const struct cred *cred = current_cred(); - int rc = 0, i; - struct superblock_security_struct *sbsec = sb->s_security; - const char *name = sb->s_type->name; - struct inode *inode = sbsec->sb->s_root->d_inode; - struct inode_security_struct *root_isec = inode->i_security; - u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; - u32 defcontext_sid = 0; - char **mount_options = opts->mnt_opts; - int *flags = opts->mnt_opts_flags; - int num_opts = opts->num_mnt_opts; - - mutex_lock(&sbsec->lock); - - if (!ss_initialized) { - if (!num_opts) { - /* Defer initialization until selinux_complete_init, - after the initial policy is loaded and the security - server is ready to handle calls. */ - goto out; - } - rc = -EINVAL; - printk(KERN_WARNING "SELinux: Unable to set superblock options " - "before the security server is initialized\n"); - goto out; - } - - /* - * Binary mount data FS will come through this function twice. Once - * from an explicit call and once from the generic calls from the vfs. - * Since the generic VFS calls will not contain any security mount data - * we need to skip the double mount verification. - * - * This does open a hole in which we will not notice if the first - * mount using this sb set explict options and a second mount using - * this sb does not set any security options. (The first options - * will be used for both mounts) - */ - if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) - && (num_opts == 0)) - goto out; - - /* - * parse the mount options, check if they are valid sids. - * also check if someone is trying to mount the same sb more - * than once with different security options. - */ - for (i = 0; i < num_opts; i++) { - u32 sid; - - if (flags[i] == SE_SBLABELSUPP) - continue; - rc = security_context_to_sid(mount_options[i], - strlen(mount_options[i]), &sid); - if (rc) { - printk(KERN_WARNING "SELinux: security_context_to_sid" - "(%s) failed for (dev %s, type %s) errno=%d\n", - mount_options[i], sb->s_id, name, rc); - goto out; - } - switch (flags[i]) { - case FSCONTEXT_MNT: - fscontext_sid = sid; - - if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, - fscontext_sid)) - goto out_double_mount; - - sbsec->flags |= FSCONTEXT_MNT; - break; - case CONTEXT_MNT: - context_sid = sid; - - if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, - context_sid)) - goto out_double_mount; - - sbsec->flags |= CONTEXT_MNT; - break; - case ROOTCONTEXT_MNT: - rootcontext_sid = sid; - - if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, - rootcontext_sid)) - goto out_double_mount; - - sbsec->flags |= ROOTCONTEXT_MNT; - - break; - case DEFCONTEXT_MNT: - defcontext_sid = sid; - - if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, - defcontext_sid)) - goto out_double_mount; - - sbsec->flags |= DEFCONTEXT_MNT; - - break; - default: - rc = -EINVAL; - goto out; - } - } - - if (sbsec->flags & SE_SBINITIALIZED) { - /* previously mounted with options, but not on this attempt? */ - if ((sbsec->flags & SE_MNTMASK) && !num_opts) - goto out_double_mount; - rc = 0; - goto out; - } - - if (strcmp(sb->s_type->name, "proc") == 0) - sbsec->flags |= SE_SBPROC; - - /* Determine the labeling behavior to use for this filesystem type. */ - rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid); - if (rc) { - printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", - __func__, sb->s_type->name, rc); - goto out; - } - - /* sets the context of the superblock for the fs being mounted. */ - if (fscontext_sid) { - rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); - if (rc) - goto out; - - sbsec->sid = fscontext_sid; - } - - /* - * Switch to using mount point labeling behavior. - * sets the label used on all file below the mountpoint, and will set - * the superblock context if not already set. - */ - if (context_sid) { - if (!fscontext_sid) { - rc = may_context_mount_sb_relabel(context_sid, sbsec, - cred); - if (rc) - goto out; - sbsec->sid = context_sid; - } else { - rc = may_context_mount_inode_relabel(context_sid, sbsec, - cred); - if (rc) - goto out; - } - if (!rootcontext_sid) - rootcontext_sid = context_sid; - - sbsec->mntpoint_sid = context_sid; - sbsec->behavior = SECURITY_FS_USE_MNTPOINT; - } - - if (rootcontext_sid) { - rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, - cred); - if (rc) - goto out; - - root_isec->sid = rootcontext_sid; - root_isec->initialized = 1; - } - - if (defcontext_sid) { - if (sbsec->behavior != SECURITY_FS_USE_XATTR) { - rc = -EINVAL; - printk(KERN_WARNING "SELinux: defcontext option is " - "invalid for this filesystem type\n"); - goto out; - } - - if (defcontext_sid != sbsec->def_sid) { - rc = may_context_mount_inode_relabel(defcontext_sid, - sbsec, cred); - if (rc) - goto out; - } - - sbsec->def_sid = defcontext_sid; - } - - rc = sb_finish_set_opts(sb); -out: - mutex_unlock(&sbsec->lock); - return rc; -out_double_mount: - rc = -EINVAL; - printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " - "security settings for (dev %s, type %s)\n", sb->s_id, name); - goto out; -} - -static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb, - struct super_block *newsb) -{ - const struct superblock_security_struct *oldsbsec = oldsb->s_security; - struct superblock_security_struct *newsbsec = newsb->s_security; - - int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); - int set_context = (oldsbsec->flags & CONTEXT_MNT); - int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); - - /* - * if the parent was able to be mounted it clearly had no special lsm - * mount options. thus we can safely deal with this superblock later - */ - if (!ss_initialized) - return; - - /* how can we clone if the old one wasn't set up?? */ - BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); - - /* if fs is reusing a sb, just let its options stand... */ - if (newsbsec->flags & SE_SBINITIALIZED) - return; - - mutex_lock(&newsbsec->lock); - - newsbsec->flags = oldsbsec->flags; - - newsbsec->sid = oldsbsec->sid; - newsbsec->def_sid = oldsbsec->def_sid; - newsbsec->behavior = oldsbsec->behavior; - - if (set_context) { - u32 sid = oldsbsec->mntpoint_sid; - - if (!set_fscontext) - newsbsec->sid = sid; - if (!set_rootcontext) { - struct inode *newinode = newsb->s_root->d_inode; - struct inode_security_struct *newisec = newinode->i_security; - newisec->sid = sid; - } - newsbsec->mntpoint_sid = sid; - } - if (set_rootcontext) { - const struct inode *oldinode = oldsb->s_root->d_inode; - const struct inode_security_struct *oldisec = oldinode->i_security; - struct inode *newinode = newsb->s_root->d_inode; - struct inode_security_struct *newisec = newinode->i_security; - - newisec->sid = oldisec->sid; - } - - sb_finish_set_opts(newsb); - mutex_unlock(&newsbsec->lock); -} - -static int selinux_parse_opts_str(char *options, - struct security_mnt_opts *opts) -{ - char *p; - char *context = NULL, *defcontext = NULL; - char *fscontext = NULL, *rootcontext = NULL; - int rc, num_mnt_opts = 0; - - opts->num_mnt_opts = 0; - - /* Standard string-based options. */ - while ((p = strsep(&options, "|")) != NULL) { - int token; - substring_t args[MAX_OPT_ARGS]; - - if (!*p) - continue; - - token = match_token(p, tokens, args); - - switch (token) { - case Opt_context: - if (context || defcontext) { - rc = -EINVAL; - printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); - goto out_err; - } - context = match_strdup(&args[0]); - if (!context) { - rc = -ENOMEM; - goto out_err; - } - break; - - case Opt_fscontext: - if (fscontext) { - rc = -EINVAL; - printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); - goto out_err; - } - fscontext = match_strdup(&args[0]); - if (!fscontext) { - rc = -ENOMEM; - goto out_err; - } - break; - - case Opt_rootcontext: - if (rootcontext) { - rc = -EINVAL; - printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); - goto out_err; - } - rootcontext = match_strdup(&args[0]); - if (!rootcontext) { - rc = -ENOMEM; - goto out_err; - } - break; - - case Opt_defcontext: - if (context || defcontext) { - rc = -EINVAL; - printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); - goto out_err; - } - defcontext = match_strdup(&args[0]); - if (!defcontext) { - rc = -ENOMEM; - goto out_err; - } - break; - case Opt_labelsupport: - break; - default: - rc = -EINVAL; - printk(KERN_WARNING "SELinux: unknown mount option\n"); - goto out_err; - - } - } - - rc = -ENOMEM; - opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC); - if (!opts->mnt_opts) - goto out_err; - - opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC); - if (!opts->mnt_opts_flags) { - kfree(opts->mnt_opts); - goto out_err; - } - - if (fscontext) { - opts->mnt_opts[num_mnt_opts] = fscontext; - opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; - } - if (context) { - opts->mnt_opts[num_mnt_opts] = context; - opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; - } - if (rootcontext) { - opts->mnt_opts[num_mnt_opts] = rootcontext; - opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; - } - if (defcontext) { - opts->mnt_opts[num_mnt_opts] = defcontext; - opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; - } - - opts->num_mnt_opts = num_mnt_opts; - return 0; - -out_err: - kfree(context); - kfree(defcontext); - kfree(fscontext); - kfree(rootcontext); - return rc; -} -/* - * string mount options parsing and call set the sbsec - */ -static int superblock_doinit(struct super_block *sb, void *data) -{ - int rc = 0; - char *options = data; - struct security_mnt_opts opts; - - security_init_mnt_opts(&opts); - - if (!data) - goto out; - - BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); - - rc = selinux_parse_opts_str(options, &opts); - if (rc) - goto out_err; - -out: - rc = selinux_set_mnt_opts(sb, &opts); - -out_err: - security_free_mnt_opts(&opts); - return rc; -} - -static void selinux_write_opts(struct seq_file *m, - struct security_mnt_opts *opts) -{ - int i; - char *prefix; - - for (i = 0; i < opts->num_mnt_opts; i++) { - char *has_comma; - - if (opts->mnt_opts[i]) - has_comma = strchr(opts->mnt_opts[i], ','); - else - has_comma = NULL; - - switch (opts->mnt_opts_flags[i]) { - case CONTEXT_MNT: - prefix = CONTEXT_STR; - break; - case FSCONTEXT_MNT: - prefix = FSCONTEXT_STR; - break; - case ROOTCONTEXT_MNT: - prefix = ROOTCONTEXT_STR; - break; - case DEFCONTEXT_MNT: - prefix = DEFCONTEXT_STR; - break; - case SE_SBLABELSUPP: - seq_putc(m, ','); - seq_puts(m, LABELSUPP_STR); - continue; - default: - BUG(); - return; - }; - /* we need a comma before each option */ - seq_putc(m, ','); - seq_puts(m, prefix); - if (has_comma) - seq_putc(m, '\"'); - seq_puts(m, opts->mnt_opts[i]); - if (has_comma) - seq_putc(m, '\"'); - } -} - -static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) -{ - struct security_mnt_opts opts; - int rc; - - rc = selinux_get_mnt_opts(sb, &opts); - if (rc) { - /* before policy load we may get EINVAL, don't show anything */ - if (rc == -EINVAL) - rc = 0; - return rc; - } - - selinux_write_opts(m, &opts); - - security_free_mnt_opts(&opts); - - return rc; -} - -static inline u16 inode_mode_to_security_class(umode_t mode) -{ - switch (mode & S_IFMT) { - case S_IFSOCK: - return SECCLASS_SOCK_FILE; - case S_IFLNK: - return SECCLASS_LNK_FILE; - case S_IFREG: - return SECCLASS_FILE; - case S_IFBLK: - return SECCLASS_BLK_FILE; - case S_IFDIR: - return SECCLASS_DIR; - case S_IFCHR: - return SECCLASS_CHR_FILE; - case S_IFIFO: - return SECCLASS_FIFO_FILE; - - } - - return SECCLASS_FILE; -} - -static inline int default_protocol_stream(int protocol) -{ - return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); -} - -static inline int default_protocol_dgram(int protocol) -{ - return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); -} - -static inline u16 socket_type_to_security_class(int family, int type, int protocol) -{ - switch (family) { - case PF_UNIX: - switch (type) { - case SOCK_STREAM: - case SOCK_SEQPACKET: - return SECCLASS_UNIX_STREAM_SOCKET; - case SOCK_DGRAM: - return SECCLASS_UNIX_DGRAM_SOCKET; - } - break; - case PF_INET: - case PF_INET6: - switch (type) { - case SOCK_STREAM: - if (default_protocol_stream(protocol)) - return SECCLASS_TCP_SOCKET; - else - return SECCLASS_RAWIP_SOCKET; - case SOCK_DGRAM: - if (default_protocol_dgram(protocol)) - return SECCLASS_UDP_SOCKET; - else - return SECCLASS_RAWIP_SOCKET; - case SOCK_DCCP: - return SECCLASS_DCCP_SOCKET; - default: - return SECCLASS_RAWIP_SOCKET; - } - break; - case PF_NETLINK: - switch (protocol) { - case NETLINK_ROUTE: - return SECCLASS_NETLINK_ROUTE_SOCKET; - case NETLINK_FIREWALL: - return SECCLASS_NETLINK_FIREWALL_SOCKET; - case NETLINK_SOCK_DIAG: - return SECCLASS_NETLINK_TCPDIAG_SOCKET; - case NETLINK_NFLOG: - return SECCLASS_NETLINK_NFLOG_SOCKET; - case NETLINK_XFRM: - return SECCLASS_NETLINK_XFRM_SOCKET; - case NETLINK_SELINUX: - return SECCLASS_NETLINK_SELINUX_SOCKET; - case NETLINK_AUDIT: - return SECCLASS_NETLINK_AUDIT_SOCKET; - case NETLINK_IP6_FW: - return SECCLASS_NETLINK_IP6FW_SOCKET; - case NETLINK_DNRTMSG: - return SECCLASS_NETLINK_DNRT_SOCKET; - case NETLINK_KOBJECT_UEVENT: - return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; - default: - return SECCLASS_NETLINK_SOCKET; - } - case PF_PACKET: - return SECCLASS_PACKET_SOCKET; - case PF_KEY: - return SECCLASS_KEY_SOCKET; - case PF_APPLETALK: - return SECCLASS_APPLETALK_SOCKET; - } - - return SECCLASS_SOCKET; -} - -#ifdef CONFIG_PROC_FS -static int selinux_proc_get_sid(struct dentry *dentry, - u16 tclass, - u32 *sid) -{ - int rc; - char *buffer, *path; - - buffer = (char *)__get_free_page(GFP_KERNEL); - if (!buffer) - return -ENOMEM; - - path = dentry_path_raw(dentry, buffer, PAGE_SIZE); - if (IS_ERR(path)) - rc = PTR_ERR(path); - else { - /* each process gets a /proc/PID/ entry. Strip off the - * PID part to get a valid selinux labeling. - * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ - while (path[1] >= '0' && path[1] <= '9') { - path[1] = '/'; - path++; - } - rc = security_genfs_sid("proc", path, tclass, sid); - } - free_page((unsigned long)buffer); - return rc; -} -#else -static int selinux_proc_get_sid(struct dentry *dentry, - u16 tclass, - u32 *sid) -{ - return -EINVAL; -} -#endif - -/* The inode's security attributes must be initialized before first use. */ -static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) -{ - struct superblock_security_struct *sbsec = NULL; - struct inode_security_struct *isec = inode->i_security; - u32 sid; - struct dentry *dentry; -#define INITCONTEXTLEN 255 - char *context = NULL; - unsigned len = 0; - int rc = 0; - - if (isec->initialized) - goto out; - - mutex_lock(&isec->lock); - if (isec->initialized) - goto out_unlock; - - sbsec = inode->i_sb->s_security; - if (!(sbsec->flags & SE_SBINITIALIZED)) { - /* Defer initialization until selinux_complete_init, - after the initial policy is loaded and the security - server is ready to handle calls. */ - spin_lock(&sbsec->isec_lock); - if (list_empty(&isec->list)) - list_add(&isec->list, &sbsec->isec_head); - spin_unlock(&sbsec->isec_lock); - goto out_unlock; - } - - switch (sbsec->behavior) { - case SECURITY_FS_USE_XATTR: - if (!inode->i_op->getxattr) { - isec->sid = sbsec->def_sid; - break; - } - - /* Need a dentry, since the xattr API requires one. - Life would be simpler if we could just pass the inode. */ - if (opt_dentry) { - /* Called from d_instantiate or d_splice_alias. */ - dentry = dget(opt_dentry); - } else { - /* Called from selinux_complete_init, try to find a dentry. */ - dentry = d_find_alias(inode); - } - if (!dentry) { - /* - * this is can be hit on boot when a file is accessed - * before the policy is loaded. When we load policy we - * may find inodes that have no dentry on the - * sbsec->isec_head list. No reason to complain as these - * will get fixed up the next time we go through - * inode_doinit with a dentry, before these inodes could - * be used again by userspace. - */ - goto out_unlock; - } - - len = INITCONTEXTLEN; - context = kmalloc(len+1, GFP_NOFS); - if (!context) { - rc = -ENOMEM; - dput(dentry); - goto out_unlock; - } - context[len] = '\0'; - rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, - context, len); - if (rc == -ERANGE) { - kfree(context); - - /* Need a larger buffer. Query for the right size. */ - rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, - NULL, 0); - if (rc < 0) { - dput(dentry); - goto out_unlock; - } - len = rc; - context = kmalloc(len+1, GFP_NOFS); - if (!context) { - rc = -ENOMEM; - dput(dentry); - goto out_unlock; - } - context[len] = '\0'; - rc = inode->i_op->getxattr(dentry, - XATTR_NAME_SELINUX, - context, len); - } - dput(dentry); - if (rc < 0) { - if (rc != -ENODATA) { - printk(KERN_WARNING "SELinux: %s: getxattr returned " - "%d for dev=%s ino=%ld\n", __func__, - -rc, inode->i_sb->s_id, inode->i_ino); - kfree(context); - goto out_unlock; - } - /* Map ENODATA to the default file SID */ - sid = sbsec->def_sid; - rc = 0; - } else { - rc = security_context_to_sid_default(context, rc, &sid, - sbsec->def_sid, - GFP_NOFS); - if (rc) { - char *dev = inode->i_sb->s_id; - unsigned long ino = inode->i_ino; - - if (rc == -EINVAL) { - if (printk_ratelimit()) - printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " - "context=%s. This indicates you may need to relabel the inode or the " - "filesystem in question.\n", ino, dev, context); - } else { - printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " - "returned %d for dev=%s ino=%ld\n", - __func__, context, -rc, dev, ino); - } - kfree(context); - /* Leave with the unlabeled SID */ - rc = 0; - break; - } - } - kfree(context); - isec->sid = sid; - break; - case SECURITY_FS_USE_TASK: - isec->sid = isec->task_sid; - break; - case SECURITY_FS_USE_TRANS: - /* Default to the fs SID. */ - isec->sid = sbsec->sid; - - /* Try to obtain a transition SID. */ - isec->sclass = inode_mode_to_security_class(inode->i_mode); - rc = security_transition_sid(isec->task_sid, sbsec->sid, - isec->sclass, NULL, &sid); - if (rc) - goto out_unlock; - isec->sid = sid; - break; - case SECURITY_FS_USE_MNTPOINT: - isec->sid = sbsec->mntpoint_sid; - break; - default: - /* Default to the fs superblock SID. */ - isec->sid = sbsec->sid; - - if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) { - if (opt_dentry) { - isec->sclass = inode_mode_to_security_class(inode->i_mode); - rc = selinux_proc_get_sid(opt_dentry, - isec->sclass, - &sid); - if (rc) - goto out_unlock; - isec->sid = sid; - } - } - break; - } - - isec->initialized = 1; - -out_unlock: - mutex_unlock(&isec->lock); -out: - if (isec->sclass == SECCLASS_FILE) - isec->sclass = inode_mode_to_security_class(inode->i_mode); - return rc; -} - -/* Convert a Linux signal to an access vector. */ -static inline u32 signal_to_av(int sig) -{ - u32 perm = 0; - - switch (sig) { - case SIGCHLD: - /* Commonly granted from child to parent. */ - perm = PROCESS__SIGCHLD; - break; - case SIGKILL: - /* Cannot be caught or ignored */ - perm = PROCESS__SIGKILL; - break; - case SIGSTOP: - /* Cannot be caught or ignored */ - perm = PROCESS__SIGSTOP; - break; - default: - /* All other signals. */ - perm = PROCESS__SIGNAL; - break; - } - - return perm; -} - -/* - * Check permission between a pair of credentials - * fork check, ptrace check, etc. - */ -static int cred_has_perm(const struct cred *actor, - const struct cred *target, - u32 perms) -{ - u32 asid = cred_sid(actor), tsid = cred_sid(target); - - return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL); -} - -/* - * Check permission between a pair of tasks, e.g. signal checks, - * fork check, ptrace check, etc. - * tsk1 is the actor and tsk2 is the target - * - this uses the default subjective creds of tsk1 - */ -static int task_has_perm(const struct task_struct *tsk1, - const struct task_struct *tsk2, - u32 perms) -{ - const struct task_security_struct *__tsec1, *__tsec2; - u32 sid1, sid2; - - rcu_read_lock(); - __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid; - __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid; - rcu_read_unlock(); - return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL); -} - -/* - * Check permission between current and another task, e.g. signal checks, - * fork check, ptrace check, etc. - * current is the actor and tsk2 is the target - * - this uses current's subjective creds - */ -static int current_has_perm(const struct task_struct *tsk, - u32 perms) -{ - u32 sid, tsid; - - sid = current_sid(); - tsid = task_sid(tsk); - return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL); -} - -#if CAP_LAST_CAP > 63 -#error Fix SELinux to handle capabilities > 63. -#endif - -/* Check whether a task is allowed to use a capability. */ -static int cred_has_capability(const struct cred *cred, - int cap, int audit) -{ - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct av_decision avd; - u16 sclass; - u32 sid = cred_sid(cred); - u32 av = CAP_TO_MASK(cap); - int rc; - - COMMON_AUDIT_DATA_INIT(&ad, CAP); - ad.selinux_audit_data = &sad; - ad.tsk = current; - ad.u.cap = cap; - - switch (CAP_TO_INDEX(cap)) { - case 0: - sclass = SECCLASS_CAPABILITY; - break; - case 1: - sclass = SECCLASS_CAPABILITY2; - break; - default: - printk(KERN_ERR - "SELinux: out of range capability %d\n", cap); - BUG(); - return -EINVAL; - } - - rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); - if (audit == SECURITY_CAP_AUDIT) { - int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); - if (rc2) - return rc2; - } - return rc; -} - -/* Check whether a task is allowed to use a system operation. */ -static int task_has_system(struct task_struct *tsk, - u32 perms) -{ - u32 sid = task_sid(tsk); - - return avc_has_perm(sid, SECINITSID_KERNEL, - SECCLASS_SYSTEM, perms, NULL); -} - -/* Check whether a task has a particular permission to an inode. - The 'adp' parameter is optional and allows other audit - data to be passed (e.g. the dentry). */ -static int inode_has_perm(const struct cred *cred, - struct inode *inode, - u32 perms, - struct common_audit_data *adp, - unsigned flags) -{ - struct inode_security_struct *isec; - u32 sid; - - validate_creds(cred); - - if (unlikely(IS_PRIVATE(inode))) - return 0; - - sid = cred_sid(cred); - isec = inode->i_security; - - return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags); -} - -static int inode_has_perm_noadp(const struct cred *cred, - struct inode *inode, - u32 perms, - unsigned flags) -{ - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - - COMMON_AUDIT_DATA_INIT(&ad, INODE); - ad.u.inode = inode; - ad.selinux_audit_data = &sad; - return inode_has_perm(cred, inode, perms, &ad, flags); -} - -/* Same as inode_has_perm, but pass explicit audit data containing - the dentry to help the auditing code to more easily generate the - pathname if needed. */ -static inline int dentry_has_perm(const struct cred *cred, - struct dentry *dentry, - u32 av) -{ - struct inode *inode = dentry->d_inode; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - - COMMON_AUDIT_DATA_INIT(&ad, DENTRY); - ad.u.dentry = dentry; - ad.selinux_audit_data = &sad; - return inode_has_perm(cred, inode, av, &ad, 0); -} - -/* Same as inode_has_perm, but pass explicit audit data containing - the path to help the auditing code to more easily generate the - pathname if needed. */ -static inline int path_has_perm(const struct cred *cred, - struct path *path, - u32 av) -{ - struct inode *inode = path->dentry->d_inode; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - - COMMON_AUDIT_DATA_INIT(&ad, PATH); - ad.u.path = *path; - ad.selinux_audit_data = &sad; - return inode_has_perm(cred, inode, av, &ad, 0); -} - -/* Check whether a task can use an open file descriptor to - access an inode in a given way. Check access to the - descriptor itself, and then use dentry_has_perm to - check a particular permission to the file. - Access to the descriptor is implicitly granted if it - has the same SID as the process. If av is zero, then - access to the file is not checked, e.g. for cases - where only the descriptor is affected like seek. */ -static int file_has_perm(const struct cred *cred, - struct file *file, - u32 av) -{ - struct file_security_struct *fsec = file->f_security; - struct inode *inode = file->f_path.dentry->d_inode; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = cred_sid(cred); - int rc; - - COMMON_AUDIT_DATA_INIT(&ad, PATH); - ad.u.path = file->f_path; - ad.selinux_audit_data = &sad; - - if (sid != fsec->sid) { - rc = avc_has_perm(sid, fsec->sid, - SECCLASS_FD, - FD__USE, - &ad); - if (rc) - goto out; - } - - /* av is zero if only checking access to the descriptor. */ - rc = 0; - if (av) - rc = inode_has_perm(cred, inode, av, &ad, 0); - -out: - return rc; -} - -/* Check whether a task can create a file. */ -static int may_create(struct inode *dir, - struct dentry *dentry, - u16 tclass) -{ - const struct task_security_struct *tsec = current_security(); - struct inode_security_struct *dsec; - struct superblock_security_struct *sbsec; - u32 sid, newsid; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - int rc; - - dsec = dir->i_security; - sbsec = dir->i_sb->s_security; - - sid = tsec->sid; - newsid = tsec->create_sid; - - COMMON_AUDIT_DATA_INIT(&ad, DENTRY); - ad.u.dentry = dentry; - ad.selinux_audit_data = &sad; - - rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, - DIR__ADD_NAME | DIR__SEARCH, - &ad); - if (rc) - return rc; - - if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { - rc = security_transition_sid(sid, dsec->sid, tclass, - &dentry->d_name, &newsid); - if (rc) - return rc; - } - - rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); - if (rc) - return rc; - - return avc_has_perm(newsid, sbsec->sid, - SECCLASS_FILESYSTEM, - FILESYSTEM__ASSOCIATE, &ad); -} - -/* Check whether a task can create a key. */ -static int may_create_key(u32 ksid, - struct task_struct *ctx) -{ - u32 sid = task_sid(ctx); - - return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); -} - -#define MAY_LINK 0 -#define MAY_UNLINK 1 -#define MAY_RMDIR 2 - -/* Check whether a task can link, unlink, or rmdir a file/directory. */ -static int may_link(struct inode *dir, - struct dentry *dentry, - int kind) - -{ - struct inode_security_struct *dsec, *isec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = current_sid(); - u32 av; - int rc; - - dsec = dir->i_security; - isec = dentry->d_inode->i_security; - - COMMON_AUDIT_DATA_INIT(&ad, DENTRY); - ad.u.dentry = dentry; - ad.selinux_audit_data = &sad; - - av = DIR__SEARCH; - av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); - rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); - if (rc) - return rc; - - switch (kind) { - case MAY_LINK: - av = FILE__LINK; - break; - case MAY_UNLINK: - av = FILE__UNLINK; - break; - case MAY_RMDIR: - av = DIR__RMDIR; - break; - default: - printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", - __func__, kind); - return 0; - } - - rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); - return rc; -} - -static inline int may_rename(struct inode *old_dir, - struct dentry *old_dentry, - struct inode *new_dir, - struct dentry *new_dentry) -{ - struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = current_sid(); - u32 av; - int old_is_dir, new_is_dir; - int rc; - - old_dsec = old_dir->i_security; - old_isec = old_dentry->d_inode->i_security; - old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); - new_dsec = new_dir->i_security; - - COMMON_AUDIT_DATA_INIT(&ad, DENTRY); - ad.selinux_audit_data = &sad; - - ad.u.dentry = old_dentry; - rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, - DIR__REMOVE_NAME | DIR__SEARCH, &ad); - if (rc) - return rc; - rc = avc_has_perm(sid, old_isec->sid, - old_isec->sclass, FILE__RENAME, &ad); - if (rc) - return rc; - if (old_is_dir && new_dir != old_dir) { - rc = avc_has_perm(sid, old_isec->sid, - old_isec->sclass, DIR__REPARENT, &ad); - if (rc) - return rc; - } - - ad.u.dentry = new_dentry; - av = DIR__ADD_NAME | DIR__SEARCH; - if (new_dentry->d_inode) - av |= DIR__REMOVE_NAME; - rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); - if (rc) - return rc; - if (new_dentry->d_inode) { - new_isec = new_dentry->d_inode->i_security; - new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode); - rc = avc_has_perm(sid, new_isec->sid, - new_isec->sclass, - (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); - if (rc) - return rc; - } - - return 0; -} - -/* Check whether a task can perform a filesystem operation. */ -static int superblock_has_perm(const struct cred *cred, - struct super_block *sb, - u32 perms, - struct common_audit_data *ad) -{ - struct superblock_security_struct *sbsec; - u32 sid = cred_sid(cred); - - sbsec = sb->s_security; - return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); -} - -/* Convert a Linux mode and permission mask to an access vector. */ -static inline u32 file_mask_to_av(int mode, int mask) -{ - u32 av = 0; - - if (!S_ISDIR(mode)) { - if (mask & MAY_EXEC) - av |= FILE__EXECUTE; - if (mask & MAY_READ) - av |= FILE__READ; - - if (mask & MAY_APPEND) - av |= FILE__APPEND; - else if (mask & MAY_WRITE) - av |= FILE__WRITE; - - } else { - if (mask & MAY_EXEC) - av |= DIR__SEARCH; - if (mask & MAY_WRITE) - av |= DIR__WRITE; - if (mask & MAY_READ) - av |= DIR__READ; - } - - return av; -} - -/* Convert a Linux file to an access vector. */ -static inline u32 file_to_av(struct file *file) -{ - u32 av = 0; - - if (file->f_mode & FMODE_READ) - av |= FILE__READ; - if (file->f_mode & FMODE_WRITE) { - if (file->f_flags & O_APPEND) - av |= FILE__APPEND; - else - av |= FILE__WRITE; - } - if (!av) { - /* - * Special file opened with flags 3 for ioctl-only use. - */ - av = FILE__IOCTL; - } - - return av; -} - -/* - * Convert a file to an access vector and include the correct open - * open permission. - */ -static inline u32 open_file_to_av(struct file *file) -{ - u32 av = file_to_av(file); - - if (selinux_policycap_openperm) - av |= FILE__OPEN; - - return av; -} - -/* Hook functions begin here. */ - -static int selinux_ptrace_access_check(struct task_struct *child, - unsigned int mode) -{ - int rc; - - rc = cap_ptrace_access_check(child, mode); - if (rc) - return rc; - - if (mode & PTRACE_MODE_READ) { - u32 sid = current_sid(); - u32 csid = task_sid(child); - return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); - } - - return current_has_perm(child, PROCESS__PTRACE); -} - -static int selinux_ptrace_traceme(struct task_struct *parent) -{ - int rc; - - rc = cap_ptrace_traceme(parent); - if (rc) - return rc; - - return task_has_perm(parent, current, PROCESS__PTRACE); -} - -static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, - kernel_cap_t *inheritable, kernel_cap_t *permitted) -{ - int error; - - error = current_has_perm(target, PROCESS__GETCAP); - if (error) - return error; - - return cap_capget(target, effective, inheritable, permitted); -} - -static int selinux_capset(struct cred *new, const struct cred *old, - const kernel_cap_t *effective, - const kernel_cap_t *inheritable, - const kernel_cap_t *permitted) -{ - int error; - - error = cap_capset(new, old, - effective, inheritable, permitted); - if (error) - return error; - - return cred_has_perm(old, new, PROCESS__SETCAP); -} - -/* - * (This comment used to live with the selinux_task_setuid hook, - * which was removed). - * - * Since setuid only affects the current process, and since the SELinux - * controls are not based on the Linux identity attributes, SELinux does not - * need to control this operation. However, SELinux does control the use of - * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. - */ - -static int selinux_capable(const struct cred *cred, struct user_namespace *ns, - int cap, int audit) -{ - int rc; - - rc = cap_capable(cred, ns, cap, audit); - if (rc) - return rc; - - return cred_has_capability(cred, cap, audit); -} - -static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) -{ - const struct cred *cred = current_cred(); - int rc = 0; - - if (!sb) - return 0; - - switch (cmds) { - case Q_SYNC: - case Q_QUOTAON: - case Q_QUOTAOFF: - case Q_SETINFO: - case Q_SETQUOTA: - rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); - break; - case Q_GETFMT: - case Q_GETINFO: - case Q_GETQUOTA: - rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); - break; - default: - rc = 0; /* let the kernel handle invalid cmds */ - break; - } - return rc; -} - -static int selinux_quota_on(struct dentry *dentry) -{ - const struct cred *cred = current_cred(); - - return dentry_has_perm(cred, dentry, FILE__QUOTAON); -} - -static int selinux_syslog(int type) -{ - int rc; - - switch (type) { - case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ - case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ - rc = task_has_system(current, SYSTEM__SYSLOG_READ); - break; - case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ - case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ - /* Set level of messages printed to console */ - case SYSLOG_ACTION_CONSOLE_LEVEL: - rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); - break; - case SYSLOG_ACTION_CLOSE: /* Close log */ - case SYSLOG_ACTION_OPEN: /* Open log */ - case SYSLOG_ACTION_READ: /* Read from log */ - case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */ - case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */ - default: - rc = task_has_system(current, SYSTEM__SYSLOG_MOD); - break; - } - return rc; -} - -/* - * Check that a process has enough memory to allocate a new virtual - * mapping. 0 means there is enough memory for the allocation to - * succeed and -ENOMEM implies there is not. - * - * Do not audit the selinux permission check, as this is applied to all - * processes that allocate mappings. - */ -static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) -{ - int rc, cap_sys_admin = 0; - - rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN, - SECURITY_CAP_NOAUDIT); - if (rc == 0) - cap_sys_admin = 1; - - return __vm_enough_memory(mm, pages, cap_sys_admin); -} - -/* binprm security operations */ - -static int selinux_bprm_set_creds(struct linux_binprm *bprm) -{ - const struct task_security_struct *old_tsec; - struct task_security_struct *new_tsec; - struct inode_security_struct *isec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct inode *inode = bprm->file->f_path.dentry->d_inode; - int rc; - - rc = cap_bprm_set_creds(bprm); - if (rc) - return rc; - - /* SELinux context only depends on initial program or script and not - * the script interpreter */ - if (bprm->cred_prepared) - return 0; - - old_tsec = current_security(); - new_tsec = bprm->cred->security; - isec = inode->i_security; - - /* Default to the current task SID. */ - new_tsec->sid = old_tsec->sid; - new_tsec->osid = old_tsec->sid; - - /* Reset fs, key, and sock SIDs on execve. */ - new_tsec->create_sid = 0; - new_tsec->keycreate_sid = 0; - new_tsec->sockcreate_sid = 0; - - if (old_tsec->exec_sid) { - new_tsec->sid = old_tsec->exec_sid; - /* Reset exec SID on execve. */ - new_tsec->exec_sid = 0; - } else { - /* Check for a default transition on this program. */ - rc = security_transition_sid(old_tsec->sid, isec->sid, - SECCLASS_PROCESS, NULL, - &new_tsec->sid); - if (rc) - return rc; - } - - COMMON_AUDIT_DATA_INIT(&ad, PATH); - ad.selinux_audit_data = &sad; - ad.u.path = bprm->file->f_path; - - if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) - new_tsec->sid = old_tsec->sid; - - if (new_tsec->sid == old_tsec->sid) { - rc = avc_has_perm(old_tsec->sid, isec->sid, - SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); - if (rc) - return rc; - } else { - /* Check permissions for the transition. */ - rc = avc_has_perm(old_tsec->sid, new_tsec->sid, - SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); - if (rc) - return rc; - - rc = avc_has_perm(new_tsec->sid, isec->sid, - SECCLASS_FILE, FILE__ENTRYPOINT, &ad); - if (rc) - return rc; - - /* Check for shared state */ - if (bprm->unsafe & LSM_UNSAFE_SHARE) { - rc = avc_has_perm(old_tsec->sid, new_tsec->sid, - SECCLASS_PROCESS, PROCESS__SHARE, - NULL); - if (rc) - return -EPERM; - } - - /* Make sure that anyone attempting to ptrace over a task that - * changes its SID has the appropriate permit */ - if (bprm->unsafe & - (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { - struct task_struct *tracer; - struct task_security_struct *sec; - u32 ptsid = 0; - - rcu_read_lock(); - tracer = ptrace_parent(current); - if (likely(tracer != NULL)) { - sec = __task_cred(tracer)->security; - ptsid = sec->sid; - } - rcu_read_unlock(); - - if (ptsid != 0) { - rc = avc_has_perm(ptsid, new_tsec->sid, - SECCLASS_PROCESS, - PROCESS__PTRACE, NULL); - if (rc) - return -EPERM; - } - } - - /* Clear any possibly unsafe personality bits on exec: */ - bprm->per_clear |= PER_CLEAR_ON_SETID; - } - - return 0; -} - -static int selinux_bprm_secureexec(struct linux_binprm *bprm) -{ - const struct task_security_struct *tsec = current_security(); - u32 sid, osid; - int atsecure = 0; - - sid = tsec->sid; - osid = tsec->osid; - - if (osid != sid) { - /* Enable secure mode for SIDs transitions unless - the noatsecure permission is granted between - the two SIDs, i.e. ahp returns 0. */ - atsecure = avc_has_perm(osid, sid, - SECCLASS_PROCESS, - PROCESS__NOATSECURE, NULL); - } - - return (atsecure || cap_bprm_secureexec(bprm)); -} - -/* Derived from fs/exec.c:flush_old_files. */ -static inline void flush_unauthorized_files(const struct cred *cred, - struct files_struct *files) -{ - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct file *file, *devnull = NULL; - struct tty_struct *tty; - struct fdtable *fdt; - long j = -1; - int drop_tty = 0; - - tty = get_current_tty(); - if (tty) { - spin_lock(&tty_files_lock); - if (!list_empty(&tty->tty_files)) { - struct tty_file_private *file_priv; - struct inode *inode; - - /* Revalidate access to controlling tty. - Use inode_has_perm on the tty inode directly rather - than using file_has_perm, as this particular open - file may belong to another process and we are only - interested in the inode-based check here. */ - file_priv = list_first_entry(&tty->tty_files, - struct tty_file_private, list); - file = file_priv->file; - inode = file->f_path.dentry->d_inode; - if (inode_has_perm_noadp(cred, inode, - FILE__READ | FILE__WRITE, 0)) { - drop_tty = 1; - } - } - spin_unlock(&tty_files_lock); - tty_kref_put(tty); - } - /* Reset controlling tty. */ - if (drop_tty) - no_tty(); - - /* Revalidate access to inherited open files. */ - - COMMON_AUDIT_DATA_INIT(&ad, INODE); - ad.selinux_audit_data = &sad; - - spin_lock(&files->file_lock); - for (;;) { - unsigned long set, i; - int fd; - - j++; - i = j * __NFDBITS; - fdt = files_fdtable(files); - if (i >= fdt->max_fds) - break; - set = fdt->open_fds[j]; - if (!set) - continue; - spin_unlock(&files->file_lock); - for ( ; set ; i++, set >>= 1) { - if (set & 1) { - file = fget(i); - if (!file) - continue; - if (file_has_perm(cred, - file, - file_to_av(file))) { - sys_close(i); - fd = get_unused_fd(); - if (fd != i) { - if (fd >= 0) - put_unused_fd(fd); - fput(file); - continue; - } - if (devnull) { - get_file(devnull); - } else { - devnull = dentry_open( - dget(selinux_null), - mntget(selinuxfs_mount), - O_RDWR, cred); - if (IS_ERR(devnull)) { - devnull = NULL; - put_unused_fd(fd); - fput(file); - continue; - } - } - fd_install(fd, devnull); - } - fput(file); - } - } - spin_lock(&files->file_lock); - - } - spin_unlock(&files->file_lock); -} - -/* - * Prepare a process for imminent new credential changes due to exec - */ -static void selinux_bprm_committing_creds(struct linux_binprm *bprm) -{ - struct task_security_struct *new_tsec; - struct rlimit *rlim, *initrlim; - int rc, i; - - new_tsec = bprm->cred->security; - if (new_tsec->sid == new_tsec->osid) - return; - - /* Close files for which the new task SID is not authorized. */ - flush_unauthorized_files(bprm->cred, current->files); - - /* Always clear parent death signal on SID transitions. */ - current->pdeath_signal = 0; - - /* Check whether the new SID can inherit resource limits from the old - * SID. If not, reset all soft limits to the lower of the current - * task's hard limit and the init task's soft limit. - * - * Note that the setting of hard limits (even to lower them) can be - * controlled by the setrlimit check. The inclusion of the init task's - * soft limit into the computation is to avoid resetting soft limits - * higher than the default soft limit for cases where the default is - * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. - */ - rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, - PROCESS__RLIMITINH, NULL); - if (rc) { - /* protect against do_prlimit() */ - task_lock(current); - for (i = 0; i < RLIM_NLIMITS; i++) { - rlim = current->signal->rlim + i; - initrlim = init_task.signal->rlim + i; - rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); - } - task_unlock(current); - update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); - } -} - -/* - * Clean up the process immediately after the installation of new credentials - * due to exec - */ -static void selinux_bprm_committed_creds(struct linux_binprm *bprm) -{ - const struct task_security_struct *tsec = current_security(); - struct itimerval itimer; - u32 osid, sid; - int rc, i; - - osid = tsec->osid; - sid = tsec->sid; - - if (sid == osid) - return; - - /* Check whether the new SID can inherit signal state from the old SID. - * If not, clear itimers to avoid subsequent signal generation and - * flush and unblock signals. - * - * This must occur _after_ the task SID has been updated so that any - * kill done after the flush will be checked against the new SID. - */ - rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); - if (rc) { - memset(&itimer, 0, sizeof itimer); - for (i = 0; i < 3; i++) - do_setitimer(i, &itimer, NULL); - spin_lock_irq(¤t->sighand->siglock); - if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) { - __flush_signals(current); - flush_signal_handlers(current, 1); - sigemptyset(¤t->blocked); - } - spin_unlock_irq(¤t->sighand->siglock); - } - - /* Wake up the parent if it is waiting so that it can recheck - * wait permission to the new task SID. */ - read_lock(&tasklist_lock); - __wake_up_parent(current, current->real_parent); - read_unlock(&tasklist_lock); -} - -/* superblock security operations */ - -static int selinux_sb_alloc_security(struct super_block *sb) -{ - return superblock_alloc_security(sb); -} - -static void selinux_sb_free_security(struct super_block *sb) -{ - superblock_free_security(sb); -} - -static inline int match_prefix(char *prefix, int plen, char *option, int olen) -{ - if (plen > olen) - return 0; - - return !memcmp(prefix, option, plen); -} - -static inline int selinux_option(char *option, int len) -{ - return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || - match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || - match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || - match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || - match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); -} - -static inline void take_option(char **to, char *from, int *first, int len) -{ - if (!*first) { - **to = ','; - *to += 1; - } else - *first = 0; - memcpy(*to, from, len); - *to += len; -} - -static inline void take_selinux_option(char **to, char *from, int *first, - int len) -{ - int current_size = 0; - - if (!*first) { - **to = '|'; - *to += 1; - } else - *first = 0; - - while (current_size < len) { - if (*from != '"') { - **to = *from; - *to += 1; - } - from += 1; - current_size += 1; - } -} - -static int selinux_sb_copy_data(char *orig, char *copy) -{ - int fnosec, fsec, rc = 0; - char *in_save, *in_curr, *in_end; - char *sec_curr, *nosec_save, *nosec; - int open_quote = 0; - - in_curr = orig; - sec_curr = copy; - - nosec = (char *)get_zeroed_page(GFP_KERNEL); - if (!nosec) { - rc = -ENOMEM; - goto out; - } - - nosec_save = nosec; - fnosec = fsec = 1; - in_save = in_end = orig; - - do { - if (*in_end == '"') - open_quote = !open_quote; - if ((*in_end == ',' && open_quote == 0) || - *in_end == '\0') { - int len = in_end - in_curr; - - if (selinux_option(in_curr, len)) - take_selinux_option(&sec_curr, in_curr, &fsec, len); - else - take_option(&nosec, in_curr, &fnosec, len); - - in_curr = in_end + 1; - } - } while (*in_end++); - - strcpy(in_save, nosec_save); - free_page((unsigned long)nosec_save); -out: - return rc; -} - -static int selinux_sb_remount(struct super_block *sb, void *data) -{ - int rc, i, *flags; - struct security_mnt_opts opts; - char *secdata, **mount_options; - struct superblock_security_struct *sbsec = sb->s_security; - - if (!(sbsec->flags & SE_SBINITIALIZED)) - return 0; - - if (!data) - return 0; - - if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) - return 0; - - security_init_mnt_opts(&opts); - secdata = alloc_secdata(); - if (!secdata) - return -ENOMEM; - rc = selinux_sb_copy_data(data, secdata); - if (rc) - goto out_free_secdata; - - rc = selinux_parse_opts_str(secdata, &opts); - if (rc) - goto out_free_secdata; - - mount_options = opts.mnt_opts; - flags = opts.mnt_opts_flags; - - for (i = 0; i < opts.num_mnt_opts; i++) { - u32 sid; - size_t len; - - if (flags[i] == SE_SBLABELSUPP) - continue; - len = strlen(mount_options[i]); - rc = security_context_to_sid(mount_options[i], len, &sid); - if (rc) { - printk(KERN_WARNING "SELinux: security_context_to_sid" - "(%s) failed for (dev %s, type %s) errno=%d\n", - mount_options[i], sb->s_id, sb->s_type->name, rc); - goto out_free_opts; - } - rc = -EINVAL; - switch (flags[i]) { - case FSCONTEXT_MNT: - if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) - goto out_bad_option; - break; - case CONTEXT_MNT: - if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) - goto out_bad_option; - break; - case ROOTCONTEXT_MNT: { - struct inode_security_struct *root_isec; - root_isec = sb->s_root->d_inode->i_security; - - if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) - goto out_bad_option; - break; - } - case DEFCONTEXT_MNT: - if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) - goto out_bad_option; - break; - default: - goto out_free_opts; - } - } - - rc = 0; -out_free_opts: - security_free_mnt_opts(&opts); -out_free_secdata: - free_secdata(secdata); - return rc; -out_bad_option: - printk(KERN_WARNING "SELinux: unable to change security options " - "during remount (dev %s, type=%s)\n", sb->s_id, - sb->s_type->name); - goto out_free_opts; -} - -static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) -{ - const struct cred *cred = current_cred(); - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - int rc; - - rc = superblock_doinit(sb, data); - if (rc) - return rc; - - /* Allow all mounts performed by the kernel */ - if (flags & MS_KERNMOUNT) - return 0; - - COMMON_AUDIT_DATA_INIT(&ad, DENTRY); - ad.selinux_audit_data = &sad; - ad.u.dentry = sb->s_root; - return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); -} - -static int selinux_sb_statfs(struct dentry *dentry) -{ - const struct cred *cred = current_cred(); - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - - COMMON_AUDIT_DATA_INIT(&ad, DENTRY); - ad.selinux_audit_data = &sad; - ad.u.dentry = dentry->d_sb->s_root; - return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); -} - -static int selinux_mount(char *dev_name, - struct path *path, - char *type, - unsigned long flags, - void *data) -{ - const struct cred *cred = current_cred(); - - if (flags & MS_REMOUNT) - return superblock_has_perm(cred, path->dentry->d_sb, - FILESYSTEM__REMOUNT, NULL); - else - return path_has_perm(cred, path, FILE__MOUNTON); -} - -static int selinux_umount(struct vfsmount *mnt, int flags) -{ - const struct cred *cred = current_cred(); - - return superblock_has_perm(cred, mnt->mnt_sb, - FILESYSTEM__UNMOUNT, NULL); -} - -/* inode security operations */ - -static int selinux_inode_alloc_security(struct inode *inode) -{ - return inode_alloc_security(inode); -} - -static void selinux_inode_free_security(struct inode *inode) -{ - inode_free_security(inode); -} - -static int selinux_inode_init_security(struct inode *inode, struct inode *dir, - const struct qstr *qstr, char **name, - void **value, size_t *len) -{ - const struct task_security_struct *tsec = current_security(); - struct inode_security_struct *dsec; - struct superblock_security_struct *sbsec; - u32 sid, newsid, clen; - int rc; - char *namep = NULL, *context; - - dsec = dir->i_security; - sbsec = dir->i_sb->s_security; - - sid = tsec->sid; - newsid = tsec->create_sid; - - if ((sbsec->flags & SE_SBINITIALIZED) && - (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) - newsid = sbsec->mntpoint_sid; - else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { - rc = security_transition_sid(sid, dsec->sid, - inode_mode_to_security_class(inode->i_mode), - qstr, &newsid); - if (rc) { - printk(KERN_WARNING "%s: " - "security_transition_sid failed, rc=%d (dev=%s " - "ino=%ld)\n", - __func__, - -rc, inode->i_sb->s_id, inode->i_ino); - return rc; - } - } - - /* Possibly defer initialization to selinux_complete_init. */ - if (sbsec->flags & SE_SBINITIALIZED) { - struct inode_security_struct *isec = inode->i_security; - isec->sclass = inode_mode_to_security_class(inode->i_mode); - isec->sid = newsid; - isec->initialized = 1; - } - - if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP)) - return -EOPNOTSUPP; - - if (name) { - namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS); - if (!namep) - return -ENOMEM; - *name = namep; - } - - if (value && len) { - rc = security_sid_to_context_force(newsid, &context, &clen); - if (rc) { - kfree(namep); - return rc; - } - *value = context; - *len = clen; - } - - return 0; -} - -static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) -{ - return may_create(dir, dentry, SECCLASS_FILE); -} - -static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) -{ - return may_link(dir, old_dentry, MAY_LINK); -} - -static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) -{ - return may_link(dir, dentry, MAY_UNLINK); -} - -static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) -{ - return may_create(dir, dentry, SECCLASS_LNK_FILE); -} - -static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) -{ - return may_create(dir, dentry, SECCLASS_DIR); -} - -static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) -{ - return may_link(dir, dentry, MAY_RMDIR); -} - -static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) -{ - return may_create(dir, dentry, inode_mode_to_security_class(mode)); -} - -static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, - struct inode *new_inode, struct dentry *new_dentry) -{ - return may_rename(old_inode, old_dentry, new_inode, new_dentry); -} - -static int selinux_inode_readlink(struct dentry *dentry) -{ - const struct cred *cred = current_cred(); - - return dentry_has_perm(cred, dentry, FILE__READ); -} - -static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) -{ - const struct cred *cred = current_cred(); - - return dentry_has_perm(cred, dentry, FILE__READ); -} - -static int selinux_inode_permission(struct inode *inode, int mask) -{ - const struct cred *cred = current_cred(); - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 perms; - bool from_access; - unsigned flags = mask & MAY_NOT_BLOCK; - - from_access = mask & MAY_ACCESS; - mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); - - /* No permission to check. Existence test. */ - if (!mask) - return 0; - - COMMON_AUDIT_DATA_INIT(&ad, INODE); - ad.selinux_audit_data = &sad; - ad.u.inode = inode; - - if (from_access) - ad.selinux_audit_data->auditdeny |= FILE__AUDIT_ACCESS; - - perms = file_mask_to_av(inode->i_mode, mask); - - return inode_has_perm(cred, inode, perms, &ad, flags); -} - -static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) -{ - const struct cred *cred = current_cred(); - unsigned int ia_valid = iattr->ia_valid; - - /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ - if (ia_valid & ATTR_FORCE) { - ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | - ATTR_FORCE); - if (!ia_valid) - return 0; - } - - if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | - ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) - return dentry_has_perm(cred, dentry, FILE__SETATTR); - - return dentry_has_perm(cred, dentry, FILE__WRITE); -} - -static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) -{ - const struct cred *cred = current_cred(); - struct path path; - - path.dentry = dentry; - path.mnt = mnt; - - return path_has_perm(cred, &path, FILE__GETATTR); -} - -static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name) -{ - const struct cred *cred = current_cred(); - - if (!strncmp(name, XATTR_SECURITY_PREFIX, - sizeof XATTR_SECURITY_PREFIX - 1)) { - if (!strcmp(name, XATTR_NAME_CAPS)) { - if (!capable(CAP_SETFCAP)) - return -EPERM; - } else if (!capable(CAP_SYS_ADMIN)) { - /* A different attribute in the security namespace. - Restrict to administrator. */ - return -EPERM; - } - } - - /* Not an attribute we recognize, so just check the - ordinary setattr permission. */ - return dentry_has_perm(cred, dentry, FILE__SETATTR); -} - -static int selinux_inode_setxattr(struct dentry *dentry, const char *name, - const void *value, size_t size, int flags) -{ - struct inode *inode = dentry->d_inode; - struct inode_security_struct *isec = inode->i_security; - struct superblock_security_struct *sbsec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 newsid, sid = current_sid(); - int rc = 0; - - if (strcmp(name, XATTR_NAME_SELINUX)) - return selinux_inode_setotherxattr(dentry, name); - - sbsec = inode->i_sb->s_security; - if (!(sbsec->flags & SE_SBLABELSUPP)) - return -EOPNOTSUPP; - - if (!inode_owner_or_capable(inode)) - return -EPERM; - - COMMON_AUDIT_DATA_INIT(&ad, DENTRY); - ad.selinux_audit_data = &sad; - ad.u.dentry = dentry; - - rc = avc_has_perm(sid, isec->sid, isec->sclass, - FILE__RELABELFROM, &ad); - if (rc) - return rc; - - rc = security_context_to_sid(value, size, &newsid); - if (rc == -EINVAL) { - if (!capable(CAP_MAC_ADMIN)) - return rc; - rc = security_context_to_sid_force(value, size, &newsid); - } - if (rc) - return rc; - - rc = avc_has_perm(sid, newsid, isec->sclass, - FILE__RELABELTO, &ad); - if (rc) - return rc; - - rc = security_validate_transition(isec->sid, newsid, sid, - isec->sclass); - if (rc) - return rc; - - return avc_has_perm(newsid, - sbsec->sid, - SECCLASS_FILESYSTEM, - FILESYSTEM__ASSOCIATE, - &ad); -} - -static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, - const void *value, size_t size, - int flags) -{ - struct inode *inode = dentry->d_inode; - struct inode_security_struct *isec = inode->i_security; - u32 newsid; - int rc; - - if (strcmp(name, XATTR_NAME_SELINUX)) { - /* Not an attribute we recognize, so nothing to do. */ - return; - } - - rc = security_context_to_sid_force(value, size, &newsid); - if (rc) { - printk(KERN_ERR "SELinux: unable to map context to SID" - "for (%s, %lu), rc=%d\n", - inode->i_sb->s_id, inode->i_ino, -rc); - return; - } - - isec->sid = newsid; - return; -} - -static int selinux_inode_getxattr(struct dentry *dentry, const char *name) -{ - const struct cred *cred = current_cred(); - - return dentry_has_perm(cred, dentry, FILE__GETATTR); -} - -static int selinux_inode_listxattr(struct dentry *dentry) -{ - const struct cred *cred = current_cred(); - - return dentry_has_perm(cred, dentry, FILE__GETATTR); -} - -static int selinux_inode_removexattr(struct dentry *dentry, const char *name) -{ - if (strcmp(name, XATTR_NAME_SELINUX)) - return selinux_inode_setotherxattr(dentry, name); - - /* No one is allowed to remove a SELinux security label. - You can change the label, but all data must be labeled. */ - return -EACCES; -} - -/* - * Copy the inode security context value to the user. - * - * Permission check is handled by selinux_inode_getxattr hook. - */ -static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc) -{ - u32 size; - int error; - char *context = NULL; - struct inode_security_struct *isec = inode->i_security; - - if (strcmp(name, XATTR_SELINUX_SUFFIX)) - return -EOPNOTSUPP; - - /* - * If the caller has CAP_MAC_ADMIN, then get the raw context - * value even if it is not defined by current policy; otherwise, - * use the in-core value under current policy. - * Use the non-auditing forms of the permission checks since - * getxattr may be called by unprivileged processes commonly - * and lack of permission just means that we fall back to the - * in-core context value, not a denial. - */ - error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN, - SECURITY_CAP_NOAUDIT); - if (!error) - error = security_sid_to_context_force(isec->sid, &context, - &size); - else - error = security_sid_to_context(isec->sid, &context, &size); - if (error) - return error; - error = size; - if (alloc) { - *buffer = context; - goto out_nofree; - } - kfree(context); -out_nofree: - return error; -} - -static int selinux_inode_setsecurity(struct inode *inode, const char *name, - const void *value, size_t size, int flags) -{ - struct inode_security_struct *isec = inode->i_security; - u32 newsid; - int rc; - - if (strcmp(name, XATTR_SELINUX_SUFFIX)) - return -EOPNOTSUPP; - - if (!value || !size) - return -EACCES; - - rc = security_context_to_sid((void *)value, size, &newsid); - if (rc) - return rc; - - isec->sid = newsid; - isec->initialized = 1; - return 0; -} - -static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) -{ - const int len = sizeof(XATTR_NAME_SELINUX); - if (buffer && len <= buffer_size) - memcpy(buffer, XATTR_NAME_SELINUX, len); - return len; -} - -static void selinux_inode_getsecid(const struct inode *inode, u32 *secid) -{ - struct inode_security_struct *isec = inode->i_security; - *secid = isec->sid; -} - -/* file security operations */ - -static int selinux_revalidate_file_permission(struct file *file, int mask) -{ - const struct cred *cred = current_cred(); - struct inode *inode = file->f_path.dentry->d_inode; - - /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ - if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) - mask |= MAY_APPEND; - - return file_has_perm(cred, file, - file_mask_to_av(inode->i_mode, mask)); -} - -static int selinux_file_permission(struct file *file, int mask) -{ - struct inode *inode = file->f_path.dentry->d_inode; - struct file_security_struct *fsec = file->f_security; - struct inode_security_struct *isec = inode->i_security; - u32 sid = current_sid(); - - if (!mask) - /* No permission to check. Existence test. */ - return 0; - - if (sid == fsec->sid && fsec->isid == isec->sid && - fsec->pseqno == avc_policy_seqno()) - /* No change since dentry_open check. */ - return 0; - - return selinux_revalidate_file_permission(file, mask); -} - -static int selinux_file_alloc_security(struct file *file) -{ - return file_alloc_security(file); -} - -static void selinux_file_free_security(struct file *file) -{ - file_free_security(file); -} - -static int selinux_file_ioctl(struct file *file, unsigned int cmd, - unsigned long arg) -{ - const struct cred *cred = current_cred(); - int error = 0; - - switch (cmd) { - case FIONREAD: - /* fall through */ - case FIBMAP: - /* fall through */ - case FIGETBSZ: - /* fall through */ - case FS_IOC_GETFLAGS: - /* fall through */ - case FS_IOC_GETVERSION: - error = file_has_perm(cred, file, FILE__GETATTR); - break; - - case FS_IOC_SETFLAGS: - /* fall through */ - case FS_IOC_SETVERSION: - error = file_has_perm(cred, file, FILE__SETATTR); - break; - - /* sys_ioctl() checks */ - case FIONBIO: - /* fall through */ - case FIOASYNC: - error = file_has_perm(cred, file, 0); - break; - - case KDSKBENT: - case KDSKBSENT: - error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, - SECURITY_CAP_AUDIT); - break; - - /* default case assumes that the command will go - * to the file's ioctl() function. - */ - default: - error = file_has_perm(cred, file, FILE__IOCTL); - } - return error; -} - -static int default_noexec; - -static int file_map_prot_check(struct file *file, unsigned long prot, int shared) -{ - const struct cred *cred = current_cred(); - int rc = 0; - - if (default_noexec && - (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { - /* - * We are making executable an anonymous mapping or a - * private file mapping that will also be writable. - * This has an additional check. - */ - rc = cred_has_perm(cred, cred, PROCESS__EXECMEM); - if (rc) - goto error; - } - - if (file) { - /* read access is always possible with a mapping */ - u32 av = FILE__READ; - - /* write access only matters if the mapping is shared */ - if (shared && (prot & PROT_WRITE)) - av |= FILE__WRITE; - - if (prot & PROT_EXEC) - av |= FILE__EXECUTE; - - return file_has_perm(cred, file, av); - } - -error: - return rc; -} - -static int selinux_file_mmap(struct file *file, unsigned long reqprot, - unsigned long prot, unsigned long flags, - unsigned long addr, unsigned long addr_only) -{ - int rc = 0; - u32 sid = current_sid(); - - /* - * notice that we are intentionally putting the SELinux check before - * the secondary cap_file_mmap check. This is such a likely attempt - * at bad behaviour/exploit that we always want to get the AVC, even - * if DAC would have also denied the operation. - */ - if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { - rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, - MEMPROTECT__MMAP_ZERO, NULL); - if (rc) - return rc; - } - - /* do DAC check on address space usage */ - rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only); - if (rc || addr_only) - return rc; - - if (selinux_checkreqprot) - prot = reqprot; - - return file_map_prot_check(file, prot, - (flags & MAP_TYPE) == MAP_SHARED); -} - -static int selinux_file_mprotect(struct vm_area_struct *vma, - unsigned long reqprot, - unsigned long prot) -{ - const struct cred *cred = current_cred(); - - if (selinux_checkreqprot) - prot = reqprot; - - if (default_noexec && - (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { - int rc = 0; - if (vma->vm_start >= vma->vm_mm->start_brk && - vma->vm_end <= vma->vm_mm->brk) { - rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP); - } else if (!vma->vm_file && - vma->vm_start <= vma->vm_mm->start_stack && - vma->vm_end >= vma->vm_mm->start_stack) { - rc = current_has_perm(current, PROCESS__EXECSTACK); - } else if (vma->vm_file && vma->anon_vma) { - /* - * We are making executable a file mapping that has - * had some COW done. Since pages might have been - * written, check ability to execute the possibly - * modified content. This typically should only - * occur for text relocations. - */ - rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); - } - if (rc) - return rc; - } - - return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); -} - -static int selinux_file_lock(struct file *file, unsigned int cmd) -{ - const struct cred *cred = current_cred(); - - return file_has_perm(cred, file, FILE__LOCK); -} - -static int selinux_file_fcntl(struct file *file, unsigned int cmd, - unsigned long arg) -{ - const struct cred *cred = current_cred(); - int err = 0; - - switch (cmd) { - case F_SETFL: - if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { - err = -EINVAL; - break; - } - - if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { - err = file_has_perm(cred, file, FILE__WRITE); - break; - } - /* fall through */ - case F_SETOWN: - case F_SETSIG: - case F_GETFL: - case F_GETOWN: - case F_GETSIG: - /* Just check FD__USE permission */ - err = file_has_perm(cred, file, 0); - break; - case F_GETLK: - case F_SETLK: - case F_SETLKW: -#if BITS_PER_LONG == 32 - case F_GETLK64: - case F_SETLK64: - case F_SETLKW64: -#endif - if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { - err = -EINVAL; - break; - } - err = file_has_perm(cred, file, FILE__LOCK); - break; - } - - return err; -} - -static int selinux_file_set_fowner(struct file *file) -{ - struct file_security_struct *fsec; - - fsec = file->f_security; - fsec->fown_sid = current_sid(); - - return 0; -} - -static int selinux_file_send_sigiotask(struct task_struct *tsk, - struct fown_struct *fown, int signum) -{ - struct file *file; - u32 sid = task_sid(tsk); - u32 perm; - struct file_security_struct *fsec; - - /* struct fown_struct is never outside the context of a struct file */ - file = container_of(fown, struct file, f_owner); - - fsec = file->f_security; - - if (!signum) - perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ - else - perm = signal_to_av(signum); - - return avc_has_perm(fsec->fown_sid, sid, - SECCLASS_PROCESS, perm, NULL); -} - -static int selinux_file_receive(struct file *file) -{ - const struct cred *cred = current_cred(); - - return file_has_perm(cred, file, file_to_av(file)); -} - -static int selinux_dentry_open(struct file *file, const struct cred *cred) -{ - struct file_security_struct *fsec; - struct inode *inode; - struct inode_security_struct *isec; - - inode = file->f_path.dentry->d_inode; - fsec = file->f_security; - isec = inode->i_security; - /* - * Save inode label and policy sequence number - * at open-time so that selinux_file_permission - * can determine whether revalidation is necessary. - * Task label is already saved in the file security - * struct as its SID. - */ - fsec->isid = isec->sid; - fsec->pseqno = avc_policy_seqno(); - /* - * Since the inode label or policy seqno may have changed - * between the selinux_inode_permission check and the saving - * of state above, recheck that access is still permitted. - * Otherwise, access might never be revalidated against the - * new inode label or new policy. - * This check is not redundant - do not remove. - */ - return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0); -} - -/* task security operations */ - -static int selinux_task_create(unsigned long clone_flags) -{ - return current_has_perm(current, PROCESS__FORK); -} - -/* - * allocate the SELinux part of blank credentials - */ -static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) -{ - struct task_security_struct *tsec; - - tsec = kzalloc(sizeof(struct task_security_struct), gfp); - if (!tsec) - return -ENOMEM; - - cred->security = tsec; - return 0; -} - -/* - * detach and free the LSM part of a set of credentials - */ -static void selinux_cred_free(struct cred *cred) -{ - struct task_security_struct *tsec = cred->security; - - /* - * cred->security == NULL if security_cred_alloc_blank() or - * security_prepare_creds() returned an error. - */ - BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); - cred->security = (void *) 0x7UL; - kfree(tsec); -} - -/* - * prepare a new set of credentials for modification - */ -static int selinux_cred_prepare(struct cred *new, const struct cred *old, - gfp_t gfp) -{ - const struct task_security_struct *old_tsec; - struct task_security_struct *tsec; - - old_tsec = old->security; - - tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); - if (!tsec) - return -ENOMEM; - - new->security = tsec; - return 0; -} - -/* - * transfer the SELinux data to a blank set of creds - */ -static void selinux_cred_transfer(struct cred *new, const struct cred *old) -{ - const struct task_security_struct *old_tsec = old->security; - struct task_security_struct *tsec = new->security; - - *tsec = *old_tsec; -} - -/* - * set the security data for a kernel service - * - all the creation contexts are set to unlabelled - */ -static int selinux_kernel_act_as(struct cred *new, u32 secid) -{ - struct task_security_struct *tsec = new->security; - u32 sid = current_sid(); - int ret; - - ret = avc_has_perm(sid, secid, - SECCLASS_KERNEL_SERVICE, - KERNEL_SERVICE__USE_AS_OVERRIDE, - NULL); - if (ret == 0) { - tsec->sid = secid; - tsec->create_sid = 0; - tsec->keycreate_sid = 0; - tsec->sockcreate_sid = 0; - } - return ret; -} - -/* - * set the file creation context in a security record to the same as the - * objective context of the specified inode - */ -static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) -{ - struct inode_security_struct *isec = inode->i_security; - struct task_security_struct *tsec = new->security; - u32 sid = current_sid(); - int ret; - - ret = avc_has_perm(sid, isec->sid, - SECCLASS_KERNEL_SERVICE, - KERNEL_SERVICE__CREATE_FILES_AS, - NULL); - - if (ret == 0) - tsec->create_sid = isec->sid; - return ret; -} - -static int selinux_kernel_module_request(char *kmod_name) -{ - u32 sid; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - - sid = task_sid(current); - - COMMON_AUDIT_DATA_INIT(&ad, KMOD); - ad.selinux_audit_data = &sad; - ad.u.kmod_name = kmod_name; - - return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM, - SYSTEM__MODULE_REQUEST, &ad); -} - -static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) -{ - return current_has_perm(p, PROCESS__SETPGID); -} - -static int selinux_task_getpgid(struct task_struct *p) -{ - return current_has_perm(p, PROCESS__GETPGID); -} - -static int selinux_task_getsid(struct task_struct *p) -{ - return current_has_perm(p, PROCESS__GETSESSION); -} - -static void selinux_task_getsecid(struct task_struct *p, u32 *secid) -{ - *secid = task_sid(p); -} - -static int selinux_task_setnice(struct task_struct *p, int nice) -{ - int rc; - - rc = cap_task_setnice(p, nice); - if (rc) - return rc; - - return current_has_perm(p, PROCESS__SETSCHED); -} - -static int selinux_task_setioprio(struct task_struct *p, int ioprio) -{ - int rc; - - rc = cap_task_setioprio(p, ioprio); - if (rc) - return rc; - - return current_has_perm(p, PROCESS__SETSCHED); -} - -static int selinux_task_getioprio(struct task_struct *p) -{ - return current_has_perm(p, PROCESS__GETSCHED); -} - -static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, - struct rlimit *new_rlim) -{ - struct rlimit *old_rlim = p->signal->rlim + resource; - - /* Control the ability to change the hard limit (whether - lowering or raising it), so that the hard limit can - later be used as a safe reset point for the soft limit - upon context transitions. See selinux_bprm_committing_creds. */ - if (old_rlim->rlim_max != new_rlim->rlim_max) - return current_has_perm(p, PROCESS__SETRLIMIT); - - return 0; -} - -static int selinux_task_setscheduler(struct task_struct *p) -{ - int rc; - - rc = cap_task_setscheduler(p); - if (rc) - return rc; - - return current_has_perm(p, PROCESS__SETSCHED); -} - -static int selinux_task_getscheduler(struct task_struct *p) -{ - return current_has_perm(p, PROCESS__GETSCHED); -} - -static int selinux_task_movememory(struct task_struct *p) -{ - return current_has_perm(p, PROCESS__SETSCHED); -} - -static int selinux_task_kill(struct task_struct *p, struct siginfo *info, - int sig, u32 secid) -{ - u32 perm; - int rc; - - if (!sig) - perm = PROCESS__SIGNULL; /* null signal; existence test */ - else - perm = signal_to_av(sig); - if (secid) - rc = avc_has_perm(secid, task_sid(p), - SECCLASS_PROCESS, perm, NULL); - else - rc = current_has_perm(p, perm); - return rc; -} - -static int selinux_task_wait(struct task_struct *p) -{ - return task_has_perm(p, current, PROCESS__SIGCHLD); -} - -static void selinux_task_to_inode(struct task_struct *p, - struct inode *inode) -{ - struct inode_security_struct *isec = inode->i_security; - u32 sid = task_sid(p); - - isec->sid = sid; - isec->initialized = 1; -} - -/* Returns error only if unable to parse addresses */ -static int selinux_parse_skb_ipv4(struct sk_buff *skb, - struct common_audit_data *ad, u8 *proto) -{ - int offset, ihlen, ret = -EINVAL; - struct iphdr _iph, *ih; - - offset = skb_network_offset(skb); - ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); - if (ih == NULL) - goto out; - - ihlen = ih->ihl * 4; - if (ihlen < sizeof(_iph)) - goto out; - - ad->u.net->v4info.saddr = ih->saddr; - ad->u.net->v4info.daddr = ih->daddr; - ret = 0; - - if (proto) - *proto = ih->protocol; - - switch (ih->protocol) { - case IPPROTO_TCP: { - struct tcphdr _tcph, *th; - - if (ntohs(ih->frag_off) & IP_OFFSET) - break; - - offset += ihlen; - th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); - if (th == NULL) - break; - - ad->u.net->sport = th->source; - ad->u.net->dport = th->dest; - break; - } - - case IPPROTO_UDP: { - struct udphdr _udph, *uh; - - if (ntohs(ih->frag_off) & IP_OFFSET) - break; - - offset += ihlen; - uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); - if (uh == NULL) - break; - - ad->u.net->sport = uh->source; - ad->u.net->dport = uh->dest; - break; - } - - case IPPROTO_DCCP: { - struct dccp_hdr _dccph, *dh; - - if (ntohs(ih->frag_off) & IP_OFFSET) - break; - - offset += ihlen; - dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); - if (dh == NULL) - break; - - ad->u.net->sport = dh->dccph_sport; - ad->u.net->dport = dh->dccph_dport; - break; - } - - default: - break; - } -out: - return ret; -} - -#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) - -/* Returns error only if unable to parse addresses */ -static int selinux_parse_skb_ipv6(struct sk_buff *skb, - struct common_audit_data *ad, u8 *proto) -{ - u8 nexthdr; - int ret = -EINVAL, offset; - struct ipv6hdr _ipv6h, *ip6; - __be16 frag_off; - - offset = skb_network_offset(skb); - ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); - if (ip6 == NULL) - goto out; - - ad->u.net->v6info.saddr = ip6->saddr; - ad->u.net->v6info.daddr = ip6->daddr; - ret = 0; - - nexthdr = ip6->nexthdr; - offset += sizeof(_ipv6h); - offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); - if (offset < 0) - goto out; - - if (proto) - *proto = nexthdr; - - switch (nexthdr) { - case IPPROTO_TCP: { - struct tcphdr _tcph, *th; - - th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); - if (th == NULL) - break; - - ad->u.net->sport = th->source; - ad->u.net->dport = th->dest; - break; - } - - case IPPROTO_UDP: { - struct udphdr _udph, *uh; - - uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); - if (uh == NULL) - break; - - ad->u.net->sport = uh->source; - ad->u.net->dport = uh->dest; - break; - } - - case IPPROTO_DCCP: { - struct dccp_hdr _dccph, *dh; - - dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); - if (dh == NULL) - break; - - ad->u.net->sport = dh->dccph_sport; - ad->u.net->dport = dh->dccph_dport; - break; - } - - /* includes fragments */ - default: - break; - } -out: - return ret; -} - -#endif /* IPV6 */ - -static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, - char **_addrp, int src, u8 *proto) -{ - char *addrp; - int ret; - - switch (ad->u.net->family) { - case PF_INET: - ret = selinux_parse_skb_ipv4(skb, ad, proto); - if (ret) - goto parse_error; - addrp = (char *)(src ? &ad->u.net->v4info.saddr : - &ad->u.net->v4info.daddr); - goto okay; - -#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) - case PF_INET6: - ret = selinux_parse_skb_ipv6(skb, ad, proto); - if (ret) - goto parse_error; - addrp = (char *)(src ? &ad->u.net->v6info.saddr : - &ad->u.net->v6info.daddr); - goto okay; -#endif /* IPV6 */ - default: - addrp = NULL; - goto okay; - } - -parse_error: - printk(KERN_WARNING - "SELinux: failure in selinux_parse_skb()," - " unable to parse packet\n"); - return ret; - -okay: - if (_addrp) - *_addrp = addrp; - return 0; -} - -/** - * selinux_skb_peerlbl_sid - Determine the peer label of a packet - * @skb: the packet - * @family: protocol family - * @sid: the packet's peer label SID - * - * Description: - * Check the various different forms of network peer labeling and determine - * the peer label/SID for the packet; most of the magic actually occurs in - * the security server function security_net_peersid_cmp(). The function - * returns zero if the value in @sid is valid (although it may be SECSID_NULL) - * or -EACCES if @sid is invalid due to inconsistencies with the different - * peer labels. - * - */ -static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) -{ - int err; - u32 xfrm_sid; - u32 nlbl_sid; - u32 nlbl_type; - - selinux_skb_xfrm_sid(skb, &xfrm_sid); - selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); - - err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); - if (unlikely(err)) { - printk(KERN_WARNING - "SELinux: failure in selinux_skb_peerlbl_sid()," - " unable to determine packet's peer label\n"); - return -EACCES; - } - - return 0; -} - -/* socket security operations */ - -static int socket_sockcreate_sid(const struct task_security_struct *tsec, - u16 secclass, u32 *socksid) -{ - if (tsec->sockcreate_sid > SECSID_NULL) { - *socksid = tsec->sockcreate_sid; - return 0; - } - - return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL, - socksid); -} - -static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms) -{ - struct sk_security_struct *sksec = sk->sk_security; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct lsm_network_audit net = {0,}; - u32 tsid = task_sid(task); - - if (sksec->sid == SECINITSID_KERNEL) - return 0; - - COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.selinux_audit_data = &sad; - ad.u.net = &net; - ad.u.net->sk = sk; - - return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad); -} - -static int selinux_socket_create(int family, int type, - int protocol, int kern) -{ - const struct task_security_struct *tsec = current_security(); - u32 newsid; - u16 secclass; - int rc; - - if (kern) - return 0; - - secclass = socket_type_to_security_class(family, type, protocol); - rc = socket_sockcreate_sid(tsec, secclass, &newsid); - if (rc) - return rc; - - return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); -} - -static int selinux_socket_post_create(struct socket *sock, int family, - int type, int protocol, int kern) -{ - const struct task_security_struct *tsec = current_security(); - struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; - struct sk_security_struct *sksec; - int err = 0; - - isec->sclass = socket_type_to_security_class(family, type, protocol); - - if (kern) - isec->sid = SECINITSID_KERNEL; - else { - err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid)); - if (err) - return err; - } - - isec->initialized = 1; - - if (sock->sk) { - sksec = sock->sk->sk_security; - sksec->sid = isec->sid; - sksec->sclass = isec->sclass; - err = selinux_netlbl_socket_post_create(sock->sk, family); - } - - return err; -} - -/* Range of port numbers used to automatically bind. - Need to determine whether we should perform a name_bind - permission check between the socket and the port number. */ - -static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) -{ - struct sock *sk = sock->sk; - u16 family; - int err; - - err = sock_has_perm(current, sk, SOCKET__BIND); - if (err) - goto out; - - /* - * If PF_INET or PF_INET6, check name_bind permission for the port. - * Multiple address binding for SCTP is not supported yet: we just - * check the first address now. - */ - family = sk->sk_family; - if (family == PF_INET || family == PF_INET6) { - char *addrp; - struct sk_security_struct *sksec = sk->sk_security; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct lsm_network_audit net = {0,}; - struct sockaddr_in *addr4 = NULL; - struct sockaddr_in6 *addr6 = NULL; - unsigned short snum; - u32 sid, node_perm; - - if (family == PF_INET) { - addr4 = (struct sockaddr_in *)address; - snum = ntohs(addr4->sin_port); - addrp = (char *)&addr4->sin_addr.s_addr; - } else { - addr6 = (struct sockaddr_in6 *)address; - snum = ntohs(addr6->sin6_port); - addrp = (char *)&addr6->sin6_addr.s6_addr; - } - - if (snum) { - int low, high; - - inet_get_local_port_range(&low, &high); - - if (snum < max(PROT_SOCK, low) || snum > high) { - err = sel_netport_sid(sk->sk_protocol, - snum, &sid); - if (err) - goto out; - COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.selinux_audit_data = &sad; - ad.u.net = &net; - ad.u.net->sport = htons(snum); - ad.u.net->family = family; - err = avc_has_perm(sksec->sid, sid, - sksec->sclass, - SOCKET__NAME_BIND, &ad); - if (err) - goto out; - } - } - - switch (sksec->sclass) { - case SECCLASS_TCP_SOCKET: - node_perm = TCP_SOCKET__NODE_BIND; - break; - - case SECCLASS_UDP_SOCKET: - node_perm = UDP_SOCKET__NODE_BIND; - break; - - case SECCLASS_DCCP_SOCKET: - node_perm = DCCP_SOCKET__NODE_BIND; - break; - - default: - node_perm = RAWIP_SOCKET__NODE_BIND; - break; - } - - err = sel_netnode_sid(addrp, family, &sid); - if (err) - goto out; - - COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.selinux_audit_data = &sad; - ad.u.net = &net; - ad.u.net->sport = htons(snum); - ad.u.net->family = family; - - if (family == PF_INET) - ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; - else - ad.u.net->v6info.saddr = addr6->sin6_addr; - - err = avc_has_perm(sksec->sid, sid, - sksec->sclass, node_perm, &ad); - if (err) - goto out; - } -out: - return err; -} - -static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) -{ - struct sock *sk = sock->sk; - struct sk_security_struct *sksec = sk->sk_security; - int err; - - err = sock_has_perm(current, sk, SOCKET__CONNECT); - if (err) - return err; - - /* - * If a TCP or DCCP socket, check name_connect permission for the port. - */ - if (sksec->sclass == SECCLASS_TCP_SOCKET || - sksec->sclass == SECCLASS_DCCP_SOCKET) { - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct lsm_network_audit net = {0,}; - struct sockaddr_in *addr4 = NULL; - struct sockaddr_in6 *addr6 = NULL; - unsigned short snum; - u32 sid, perm; - - if (sk->sk_family == PF_INET) { - addr4 = (struct sockaddr_in *)address; - if (addrlen < sizeof(struct sockaddr_in)) - return -EINVAL; - snum = ntohs(addr4->sin_port); - } else { - addr6 = (struct sockaddr_in6 *)address; - if (addrlen < SIN6_LEN_RFC2133) - return -EINVAL; - snum = ntohs(addr6->sin6_port); - } - - err = sel_netport_sid(sk->sk_protocol, snum, &sid); - if (err) - goto out; - - perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ? - TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; - - COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.selinux_audit_data = &sad; - ad.u.net = &net; - ad.u.net->dport = htons(snum); - ad.u.net->family = sk->sk_family; - err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); - if (err) - goto out; - } - - err = selinux_netlbl_socket_connect(sk, address); - -out: - return err; -} - -static int selinux_socket_listen(struct socket *sock, int backlog) -{ - return sock_has_perm(current, sock->sk, SOCKET__LISTEN); -} - -static int selinux_socket_accept(struct socket *sock, struct socket *newsock) -{ - int err; - struct inode_security_struct *isec; - struct inode_security_struct *newisec; - - err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT); - if (err) - return err; - - newisec = SOCK_INODE(newsock)->i_security; - - isec = SOCK_INODE(sock)->i_security; - newisec->sclass = isec->sclass; - newisec->sid = isec->sid; - newisec->initialized = 1; - - return 0; -} - -static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, - int size) -{ - return sock_has_perm(current, sock->sk, SOCKET__WRITE); -} - -static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, - int size, int flags) -{ - return sock_has_perm(current, sock->sk, SOCKET__READ); -} - -static int selinux_socket_getsockname(struct socket *sock) -{ - return sock_has_perm(current, sock->sk, SOCKET__GETATTR); -} - -static int selinux_socket_getpeername(struct socket *sock) -{ - return sock_has_perm(current, sock->sk, SOCKET__GETATTR); -} - -static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) -{ - int err; - - err = sock_has_perm(current, sock->sk, SOCKET__SETOPT); - if (err) - return err; - - return selinux_netlbl_socket_setsockopt(sock, level, optname); -} - -static int selinux_socket_getsockopt(struct socket *sock, int level, - int optname) -{ - return sock_has_perm(current, sock->sk, SOCKET__GETOPT); -} - -static int selinux_socket_shutdown(struct socket *sock, int how) -{ - return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN); -} - -static int selinux_socket_unix_stream_connect(struct sock *sock, - struct sock *other, - struct sock *newsk) -{ - struct sk_security_struct *sksec_sock = sock->sk_security; - struct sk_security_struct *sksec_other = other->sk_security; - struct sk_security_struct *sksec_new = newsk->sk_security; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct lsm_network_audit net = {0,}; - int err; - - COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.selinux_audit_data = &sad; - ad.u.net = &net; - ad.u.net->sk = other; - - err = avc_has_perm(sksec_sock->sid, sksec_other->sid, - sksec_other->sclass, - UNIX_STREAM_SOCKET__CONNECTTO, &ad); - if (err) - return err; - - /* server child socket */ - sksec_new->peer_sid = sksec_sock->sid; - err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid, - &sksec_new->sid); - if (err) - return err; - - /* connecting socket */ - sksec_sock->peer_sid = sksec_new->sid; - - return 0; -} - -static int selinux_socket_unix_may_send(struct socket *sock, - struct socket *other) -{ - struct sk_security_struct *ssec = sock->sk->sk_security; - struct sk_security_struct *osec = other->sk->sk_security; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct lsm_network_audit net = {0,}; - - COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.selinux_audit_data = &sad; - ad.u.net = &net; - ad.u.net->sk = other->sk; - - return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, - &ad); -} - -static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, - u32 peer_sid, - struct common_audit_data *ad) -{ - int err; - u32 if_sid; - u32 node_sid; - - err = sel_netif_sid(ifindex, &if_sid); - if (err) - return err; - err = avc_has_perm(peer_sid, if_sid, - SECCLASS_NETIF, NETIF__INGRESS, ad); - if (err) - return err; - - err = sel_netnode_sid(addrp, family, &node_sid); - if (err) - return err; - return avc_has_perm(peer_sid, node_sid, - SECCLASS_NODE, NODE__RECVFROM, ad); -} - -static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, - u16 family) -{ - int err = 0; - struct sk_security_struct *sksec = sk->sk_security; - u32 sk_sid = sksec->sid; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct lsm_network_audit net = {0,}; - char *addrp; - - COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.selinux_audit_data = &sad; - ad.u.net = &net; - ad.u.net->netif = skb->skb_iif; - ad.u.net->family = family; - err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); - if (err) - return err; - - if (selinux_secmark_enabled()) { - err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, - PACKET__RECV, &ad); - if (err) - return err; - } - - err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); - if (err) - return err; - err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); - - return err; -} - -static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) -{ - int err; - struct sk_security_struct *sksec = sk->sk_security; - u16 family = sk->sk_family; - u32 sk_sid = sksec->sid; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct lsm_network_audit net = {0,}; - char *addrp; - u8 secmark_active; - u8 peerlbl_active; - - if (family != PF_INET && family != PF_INET6) - return 0; - - /* Handle mapped IPv4 packets arriving via IPv6 sockets */ - if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) - family = PF_INET; - - /* If any sort of compatibility mode is enabled then handoff processing - * to the selinux_sock_rcv_skb_compat() function to deal with the - * special handling. We do this in an attempt to keep this function - * as fast and as clean as possible. */ - if (!selinux_policycap_netpeer) - return selinux_sock_rcv_skb_compat(sk, skb, family); - - secmark_active = selinux_secmark_enabled(); - peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); - if (!secmark_active && !peerlbl_active) - return 0; - - COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.selinux_audit_data = &sad; - ad.u.net = &net; - ad.u.net->netif = skb->skb_iif; - ad.u.net->family = family; - err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); - if (err) - return err; - - if (peerlbl_active) { - u32 peer_sid; - - err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); - if (err) - return err; - err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family, - peer_sid, &ad); - if (err) { - selinux_netlbl_err(skb, err, 0); - return err; - } - err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, - PEER__RECV, &ad); - if (err) - selinux_netlbl_err(skb, err, 0); - } - - if (secmark_active) { - err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, - PACKET__RECV, &ad); - if (err) - return err; - } - - return err; -} - -static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, - int __user *optlen, unsigned len) -{ - int err = 0; - char *scontext; - u32 scontext_len; - struct sk_security_struct *sksec = sock->sk->sk_security; - u32 peer_sid = SECSID_NULL; - - if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || - sksec->sclass == SECCLASS_TCP_SOCKET) - peer_sid = sksec->peer_sid; - if (peer_sid == SECSID_NULL) - return -ENOPROTOOPT; - - err = security_sid_to_context(peer_sid, &scontext, &scontext_len); - if (err) - return err; - - if (scontext_len > len) { - err = -ERANGE; - goto out_len; - } - - if (copy_to_user(optval, scontext, scontext_len)) - err = -EFAULT; - -out_len: - if (put_user(scontext_len, optlen)) - err = -EFAULT; - kfree(scontext); - return err; -} - -static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) -{ - u32 peer_secid = SECSID_NULL; - u16 family; - - if (skb && skb->protocol == htons(ETH_P_IP)) - family = PF_INET; - else if (skb && skb->protocol == htons(ETH_P_IPV6)) - family = PF_INET6; - else if (sock) - family = sock->sk->sk_family; - else - goto out; - - if (sock && family == PF_UNIX) - selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid); - else if (skb) - selinux_skb_peerlbl_sid(skb, family, &peer_secid); - -out: - *secid = peer_secid; - if (peer_secid == SECSID_NULL) - return -EINVAL; - return 0; -} - -static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) -{ - struct sk_security_struct *sksec; - - sksec = kzalloc(sizeof(*sksec), priority); - if (!sksec) - return -ENOMEM; - - sksec->peer_sid = SECINITSID_UNLABELED; - sksec->sid = SECINITSID_UNLABELED; - selinux_netlbl_sk_security_reset(sksec); - sk->sk_security = sksec; - - return 0; -} - -static void selinux_sk_free_security(struct sock *sk) -{ - struct sk_security_struct *sksec = sk->sk_security; - - sk->sk_security = NULL; - selinux_netlbl_sk_security_free(sksec); - kfree(sksec); -} - -static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) -{ - struct sk_security_struct *sksec = sk->sk_security; - struct sk_security_struct *newsksec = newsk->sk_security; - - newsksec->sid = sksec->sid; - newsksec->peer_sid = sksec->peer_sid; - newsksec->sclass = sksec->sclass; - - selinux_netlbl_sk_security_reset(newsksec); -} - -static void selinux_sk_getsecid(struct sock *sk, u32 *secid) -{ - if (!sk) - *secid = SECINITSID_ANY_SOCKET; - else { - struct sk_security_struct *sksec = sk->sk_security; - - *secid = sksec->sid; - } -} - -static void selinux_sock_graft(struct sock *sk, struct socket *parent) -{ - struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; - struct sk_security_struct *sksec = sk->sk_security; - - if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || - sk->sk_family == PF_UNIX) - isec->sid = sksec->sid; - sksec->sclass = isec->sclass; -} - -static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, - struct request_sock *req) -{ - struct sk_security_struct *sksec = sk->sk_security; - int err; - u16 family = sk->sk_family; - u32 newsid; - u32 peersid; - - /* handle mapped IPv4 packets arriving via IPv6 sockets */ - if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) - family = PF_INET; - - err = selinux_skb_peerlbl_sid(skb, family, &peersid); - if (err) - return err; - if (peersid == SECSID_NULL) { - req->secid = sksec->sid; - req->peer_secid = SECSID_NULL; - } else { - err = security_sid_mls_copy(sksec->sid, peersid, &newsid); - if (err) - return err; - req->secid = newsid; - req->peer_secid = peersid; - } - - return selinux_netlbl_inet_conn_request(req, family); -} - -static void selinux_inet_csk_clone(struct sock *newsk, - const struct request_sock *req) -{ - struct sk_security_struct *newsksec = newsk->sk_security; - - newsksec->sid = req->secid; - newsksec->peer_sid = req->peer_secid; - /* NOTE: Ideally, we should also get the isec->sid for the - new socket in sync, but we don't have the isec available yet. - So we will wait until sock_graft to do it, by which - time it will have been created and available. */ - - /* We don't need to take any sort of lock here as we are the only - * thread with access to newsksec */ - selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); -} - -static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) -{ - u16 family = sk->sk_family; - struct sk_security_struct *sksec = sk->sk_security; - - /* handle mapped IPv4 packets arriving via IPv6 sockets */ - if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) - family = PF_INET; - - selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); -} - -static int selinux_secmark_relabel_packet(u32 sid) -{ - const struct task_security_struct *__tsec; - u32 tsid; - - __tsec = current_security(); - tsid = __tsec->sid; - - return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL); -} - -static void selinux_secmark_refcount_inc(void) -{ - atomic_inc(&selinux_secmark_refcount); -} - -static void selinux_secmark_refcount_dec(void) -{ - atomic_dec(&selinux_secmark_refcount); -} - -static void selinux_req_classify_flow(const struct request_sock *req, - struct flowi *fl) -{ - fl->flowi_secid = req->secid; -} - -static int selinux_tun_dev_create(void) -{ - u32 sid = current_sid(); - - /* we aren't taking into account the "sockcreate" SID since the socket - * that is being created here is not a socket in the traditional sense, - * instead it is a private sock, accessible only to the kernel, and - * representing a wide range of network traffic spanning multiple - * connections unlike traditional sockets - check the TUN driver to - * get a better understanding of why this socket is special */ - - return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, - NULL); -} - -static void selinux_tun_dev_post_create(struct sock *sk) -{ - struct sk_security_struct *sksec = sk->sk_security; - - /* we don't currently perform any NetLabel based labeling here and it - * isn't clear that we would want to do so anyway; while we could apply - * labeling without the support of the TUN user the resulting labeled - * traffic from the other end of the connection would almost certainly - * cause confusion to the TUN user that had no idea network labeling - * protocols were being used */ - - /* see the comments in selinux_tun_dev_create() about why we don't use - * the sockcreate SID here */ - - sksec->sid = current_sid(); - sksec->sclass = SECCLASS_TUN_SOCKET; -} - -static int selinux_tun_dev_attach(struct sock *sk) -{ - struct sk_security_struct *sksec = sk->sk_security; - u32 sid = current_sid(); - int err; - - err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET, - TUN_SOCKET__RELABELFROM, NULL); - if (err) - return err; - err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, - TUN_SOCKET__RELABELTO, NULL); - if (err) - return err; - - sksec->sid = sid; - - return 0; -} - -static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) -{ - int err = 0; - u32 perm; - struct nlmsghdr *nlh; - struct sk_security_struct *sksec = sk->sk_security; - - if (skb->len < NLMSG_SPACE(0)) { - err = -EINVAL; - goto out; - } - nlh = nlmsg_hdr(skb); - - err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); - if (err) { - if (err == -EINVAL) { - audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR, - "SELinux: unrecognized netlink message" - " type=%hu for sclass=%hu\n", - nlh->nlmsg_type, sksec->sclass); - if (!selinux_enforcing || security_get_allow_unknown()) - err = 0; - } - - /* Ignore */ - if (err == -ENOENT) - err = 0; - goto out; - } - - err = sock_has_perm(current, sk, perm); -out: - return err; -} - -#ifdef CONFIG_NETFILTER - -static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, - u16 family) -{ - int err; - char *addrp; - u32 peer_sid; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct lsm_network_audit net = {0,}; - u8 secmark_active; - u8 netlbl_active; - u8 peerlbl_active; - - if (!selinux_policycap_netpeer) - return NF_ACCEPT; - - secmark_active = selinux_secmark_enabled(); - netlbl_active = netlbl_enabled(); - peerlbl_active = netlbl_active || selinux_xfrm_enabled(); - if (!secmark_active && !peerlbl_active) - return NF_ACCEPT; - - if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) - return NF_DROP; - - COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.selinux_audit_data = &sad; - ad.u.net = &net; - ad.u.net->netif = ifindex; - ad.u.net->family = family; - if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) - return NF_DROP; - - if (peerlbl_active) { - err = selinux_inet_sys_rcv_skb(ifindex, addrp, family, - peer_sid, &ad); - if (err) { - selinux_netlbl_err(skb, err, 1); - return NF_DROP; - } - } - - if (secmark_active) - if (avc_has_perm(peer_sid, skb->secmark, - SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) - return NF_DROP; - - if (netlbl_active) - /* we do this in the FORWARD path and not the POST_ROUTING - * path because we want to make sure we apply the necessary - * labeling before IPsec is applied so we can leverage AH - * protection */ - if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) - return NF_DROP; - - return NF_ACCEPT; -} - -static unsigned int selinux_ipv4_forward(unsigned int hooknum, - struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return selinux_ip_forward(skb, in->ifindex, PF_INET); -} - -#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) -static unsigned int selinux_ipv6_forward(unsigned int hooknum, - struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return selinux_ip_forward(skb, in->ifindex, PF_INET6); -} -#endif /* IPV6 */ - -static unsigned int selinux_ip_output(struct sk_buff *skb, - u16 family) -{ - u32 sid; - - if (!netlbl_enabled()) - return NF_ACCEPT; - - /* we do this in the LOCAL_OUT path and not the POST_ROUTING path - * because we want to make sure we apply the necessary labeling - * before IPsec is applied so we can leverage AH protection */ - if (skb->sk) { - struct sk_security_struct *sksec = skb->sk->sk_security; - sid = sksec->sid; - } else - sid = SECINITSID_KERNEL; - if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) - return NF_DROP; - - return NF_ACCEPT; -} - -static unsigned int selinux_ipv4_output(unsigned int hooknum, - struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return selinux_ip_output(skb, PF_INET); -} - -static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, - int ifindex, - u16 family) -{ - struct sock *sk = skb->sk; - struct sk_security_struct *sksec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct lsm_network_audit net = {0,}; - char *addrp; - u8 proto; - - if (sk == NULL) - return NF_ACCEPT; - sksec = sk->sk_security; - - COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.selinux_audit_data = &sad; - ad.u.net = &net; - ad.u.net->netif = ifindex; - ad.u.net->family = family; - if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) - return NF_DROP; - - if (selinux_secmark_enabled()) - if (avc_has_perm(sksec->sid, skb->secmark, - SECCLASS_PACKET, PACKET__SEND, &ad)) - return NF_DROP_ERR(-ECONNREFUSED); - - if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) - return NF_DROP_ERR(-ECONNREFUSED); - - return NF_ACCEPT; -} - -static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, - u16 family) -{ - u32 secmark_perm; - u32 peer_sid; - struct sock *sk; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct lsm_network_audit net = {0,}; - char *addrp; - u8 secmark_active; - u8 peerlbl_active; - - /* If any sort of compatibility mode is enabled then handoff processing - * to the selinux_ip_postroute_compat() function to deal with the - * special handling. We do this in an attempt to keep this function - * as fast and as clean as possible. */ - if (!selinux_policycap_netpeer) - return selinux_ip_postroute_compat(skb, ifindex, family); -#ifdef CONFIG_XFRM - /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec - * packet transformation so allow the packet to pass without any checks - * since we'll have another chance to perform access control checks - * when the packet is on it's final way out. - * NOTE: there appear to be some IPv6 multicast cases where skb->dst - * is NULL, in this case go ahead and apply access control. */ - if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL) - return NF_ACCEPT; -#endif - secmark_active = selinux_secmark_enabled(); - peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); - if (!secmark_active && !peerlbl_active) - return NF_ACCEPT; - - /* if the packet is being forwarded then get the peer label from the - * packet itself; otherwise check to see if it is from a local - * application or the kernel, if from an application get the peer label - * from the sending socket, otherwise use the kernel's sid */ - sk = skb->sk; - if (sk == NULL) { - if (skb->skb_iif) { - secmark_perm = PACKET__FORWARD_OUT; - if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) - return NF_DROP; - } else { - secmark_perm = PACKET__SEND; - peer_sid = SECINITSID_KERNEL; - } - } else { - struct sk_security_struct *sksec = sk->sk_security; - peer_sid = sksec->sid; - secmark_perm = PACKET__SEND; - } - - COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.selinux_audit_data = &sad; - ad.u.net = &net; - ad.u.net->netif = ifindex; - ad.u.net->family = family; - if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) - return NF_DROP; - - if (secmark_active) - if (avc_has_perm(peer_sid, skb->secmark, - SECCLASS_PACKET, secmark_perm, &ad)) - return NF_DROP_ERR(-ECONNREFUSED); - - if (peerlbl_active) { - u32 if_sid; - u32 node_sid; - - if (sel_netif_sid(ifindex, &if_sid)) - return NF_DROP; - if (avc_has_perm(peer_sid, if_sid, - SECCLASS_NETIF, NETIF__EGRESS, &ad)) - return NF_DROP_ERR(-ECONNREFUSED); - - if (sel_netnode_sid(addrp, family, &node_sid)) - return NF_DROP; - if (avc_has_perm(peer_sid, node_sid, - SECCLASS_NODE, NODE__SENDTO, &ad)) - return NF_DROP_ERR(-ECONNREFUSED); - } - - return NF_ACCEPT; -} - -static unsigned int selinux_ipv4_postroute(unsigned int hooknum, - struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return selinux_ip_postroute(skb, out->ifindex, PF_INET); -} - -#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) -static unsigned int selinux_ipv6_postroute(unsigned int hooknum, - struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return selinux_ip_postroute(skb, out->ifindex, PF_INET6); -} -#endif /* IPV6 */ - -#endif /* CONFIG_NETFILTER */ - -static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) -{ - int err; - - err = cap_netlink_send(sk, skb); - if (err) - return err; - - return selinux_nlmsg_perm(sk, skb); -} - -static int ipc_alloc_security(struct task_struct *task, - struct kern_ipc_perm *perm, - u16 sclass) -{ - struct ipc_security_struct *isec; - u32 sid; - - isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); - if (!isec) - return -ENOMEM; - - sid = task_sid(task); - isec->sclass = sclass; - isec->sid = sid; - perm->security = isec; - - return 0; -} - -static void ipc_free_security(struct kern_ipc_perm *perm) -{ - struct ipc_security_struct *isec = perm->security; - perm->security = NULL; - kfree(isec); -} - -static int msg_msg_alloc_security(struct msg_msg *msg) -{ - struct msg_security_struct *msec; - - msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); - if (!msec) - return -ENOMEM; - - msec->sid = SECINITSID_UNLABELED; - msg->security = msec; - - return 0; -} - -static void msg_msg_free_security(struct msg_msg *msg) -{ - struct msg_security_struct *msec = msg->security; - - msg->security = NULL; - kfree(msec); -} - -static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, - u32 perms) -{ - struct ipc_security_struct *isec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = current_sid(); - - isec = ipc_perms->security; - - COMMON_AUDIT_DATA_INIT(&ad, IPC); - ad.selinux_audit_data = &sad; - ad.u.ipc_id = ipc_perms->key; - - return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); -} - -static int selinux_msg_msg_alloc_security(struct msg_msg *msg) -{ - return msg_msg_alloc_security(msg); -} - -static void selinux_msg_msg_free_security(struct msg_msg *msg) -{ - msg_msg_free_security(msg); -} - -/* message queue security operations */ -static int selinux_msg_queue_alloc_security(struct msg_queue *msq) -{ - struct ipc_security_struct *isec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = current_sid(); - int rc; - - rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ); - if (rc) - return rc; - - isec = msq->q_perm.security; - - COMMON_AUDIT_DATA_INIT(&ad, IPC); - ad.selinux_audit_data = &sad; - ad.u.ipc_id = msq->q_perm.key; - - rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, - MSGQ__CREATE, &ad); - if (rc) { - ipc_free_security(&msq->q_perm); - return rc; - } - return 0; -} - -static void selinux_msg_queue_free_security(struct msg_queue *msq) -{ - ipc_free_security(&msq->q_perm); -} - -static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) -{ - struct ipc_security_struct *isec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = current_sid(); - - isec = msq->q_perm.security; - - COMMON_AUDIT_DATA_INIT(&ad, IPC); - ad.selinux_audit_data = &sad; - ad.u.ipc_id = msq->q_perm.key; - - return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, - MSGQ__ASSOCIATE, &ad); -} - -static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) -{ - int err; - int perms; - - switch (cmd) { - case IPC_INFO: - case MSG_INFO: - /* No specific object, just general system-wide information. */ - return task_has_system(current, SYSTEM__IPC_INFO); - case IPC_STAT: - case MSG_STAT: - perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; - break; - case IPC_SET: - perms = MSGQ__SETATTR; - break; - case IPC_RMID: - perms = MSGQ__DESTROY; - break; - default: - return 0; - } - - err = ipc_has_perm(&msq->q_perm, perms); - return err; -} - -static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) -{ - struct ipc_security_struct *isec; - struct msg_security_struct *msec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = current_sid(); - int rc; - - isec = msq->q_perm.security; - msec = msg->security; - - /* - * First time through, need to assign label to the message - */ - if (msec->sid == SECINITSID_UNLABELED) { - /* - * Compute new sid based on current process and - * message queue this message will be stored in - */ - rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG, - NULL, &msec->sid); - if (rc) - return rc; - } - - COMMON_AUDIT_DATA_INIT(&ad, IPC); - ad.selinux_audit_data = &sad; - ad.u.ipc_id = msq->q_perm.key; - - /* Can this process write to the queue? */ - rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, - MSGQ__WRITE, &ad); - if (!rc) - /* Can this process send the message */ - rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, - MSG__SEND, &ad); - if (!rc) - /* Can the message be put in the queue? */ - rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, - MSGQ__ENQUEUE, &ad); - - return rc; -} - -static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, - struct task_struct *target, - long type, int mode) -{ - struct ipc_security_struct *isec; - struct msg_security_struct *msec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = task_sid(target); - int rc; - - isec = msq->q_perm.security; - msec = msg->security; - - COMMON_AUDIT_DATA_INIT(&ad, IPC); - ad.selinux_audit_data = &sad; - ad.u.ipc_id = msq->q_perm.key; - - rc = avc_has_perm(sid, isec->sid, - SECCLASS_MSGQ, MSGQ__READ, &ad); - if (!rc) - rc = avc_has_perm(sid, msec->sid, - SECCLASS_MSG, MSG__RECEIVE, &ad); - return rc; -} - -/* Shared Memory security operations */ -static int selinux_shm_alloc_security(struct shmid_kernel *shp) -{ - struct ipc_security_struct *isec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = current_sid(); - int rc; - - rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM); - if (rc) - return rc; - - isec = shp->shm_perm.security; - - COMMON_AUDIT_DATA_INIT(&ad, IPC); - ad.selinux_audit_data = &sad; - ad.u.ipc_id = shp->shm_perm.key; - - rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, - SHM__CREATE, &ad); - if (rc) { - ipc_free_security(&shp->shm_perm); - return rc; - } - return 0; -} - -static void selinux_shm_free_security(struct shmid_kernel *shp) -{ - ipc_free_security(&shp->shm_perm); -} - -static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) -{ - struct ipc_security_struct *isec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = current_sid(); - - isec = shp->shm_perm.security; - - COMMON_AUDIT_DATA_INIT(&ad, IPC); - ad.selinux_audit_data = &sad; - ad.u.ipc_id = shp->shm_perm.key; - - return avc_has_perm(sid, isec->sid, SECCLASS_SHM, - SHM__ASSOCIATE, &ad); -} - -/* Note, at this point, shp is locked down */ -static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) -{ - int perms; - int err; - - switch (cmd) { - case IPC_INFO: - case SHM_INFO: - /* No specific object, just general system-wide information. */ - return task_has_system(current, SYSTEM__IPC_INFO); - case IPC_STAT: - case SHM_STAT: - perms = SHM__GETATTR | SHM__ASSOCIATE; - break; - case IPC_SET: - perms = SHM__SETATTR; - break; - case SHM_LOCK: - case SHM_UNLOCK: - perms = SHM__LOCK; - break; - case IPC_RMID: - perms = SHM__DESTROY; - break; - default: - return 0; - } - - err = ipc_has_perm(&shp->shm_perm, perms); - return err; -} - -static int selinux_shm_shmat(struct shmid_kernel *shp, - char __user *shmaddr, int shmflg) -{ - u32 perms; - - if (shmflg & SHM_RDONLY) - perms = SHM__READ; - else - perms = SHM__READ | SHM__WRITE; - - return ipc_has_perm(&shp->shm_perm, perms); -} - -/* Semaphore security operations */ -static int selinux_sem_alloc_security(struct sem_array *sma) -{ - struct ipc_security_struct *isec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = current_sid(); - int rc; - - rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM); - if (rc) - return rc; - - isec = sma->sem_perm.security; - - COMMON_AUDIT_DATA_INIT(&ad, IPC); - ad.selinux_audit_data = &sad; - ad.u.ipc_id = sma->sem_perm.key; - - rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, - SEM__CREATE, &ad); - if (rc) { - ipc_free_security(&sma->sem_perm); - return rc; - } - return 0; -} - -static void selinux_sem_free_security(struct sem_array *sma) -{ - ipc_free_security(&sma->sem_perm); -} - -static int selinux_sem_associate(struct sem_array *sma, int semflg) -{ - struct ipc_security_struct *isec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = current_sid(); - - isec = sma->sem_perm.security; - - COMMON_AUDIT_DATA_INIT(&ad, IPC); - ad.selinux_audit_data = &sad; - ad.u.ipc_id = sma->sem_perm.key; - - return avc_has_perm(sid, isec->sid, SECCLASS_SEM, - SEM__ASSOCIATE, &ad); -} - -/* Note, at this point, sma is locked down */ -static int selinux_sem_semctl(struct sem_array *sma, int cmd) -{ - int err; - u32 perms; - - switch (cmd) { - case IPC_INFO: - case SEM_INFO: - /* No specific object, just general system-wide information. */ - return task_has_system(current, SYSTEM__IPC_INFO); - case GETPID: - case GETNCNT: - case GETZCNT: - perms = SEM__GETATTR; - break; - case GETVAL: - case GETALL: - perms = SEM__READ; - break; - case SETVAL: - case SETALL: - perms = SEM__WRITE; - break; - case IPC_RMID: - perms = SEM__DESTROY; - break; - case IPC_SET: - perms = SEM__SETATTR; - break; - case IPC_STAT: - case SEM_STAT: - perms = SEM__GETATTR | SEM__ASSOCIATE; - break; - default: - return 0; - } - - err = ipc_has_perm(&sma->sem_perm, perms); - return err; -} - -static int selinux_sem_semop(struct sem_array *sma, - struct sembuf *sops, unsigned nsops, int alter) -{ - u32 perms; - - if (alter) - perms = SEM__READ | SEM__WRITE; - else - perms = SEM__READ; - - return ipc_has_perm(&sma->sem_perm, perms); -} - -static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) -{ - u32 av = 0; - - av = 0; - if (flag & S_IRUGO) - av |= IPC__UNIX_READ; - if (flag & S_IWUGO) - av |= IPC__UNIX_WRITE; - - if (av == 0) - return 0; - - return ipc_has_perm(ipcp, av); -} - -static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) -{ - struct ipc_security_struct *isec = ipcp->security; - *secid = isec->sid; -} - -static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) -{ - if (inode) - inode_doinit_with_dentry(inode, dentry); -} - -static int selinux_getprocattr(struct task_struct *p, - char *name, char **value) -{ - const struct task_security_struct *__tsec; - u32 sid; - int error; - unsigned len; - - if (current != p) { - error = current_has_perm(p, PROCESS__GETATTR); - if (error) - return error; - } - - rcu_read_lock(); - __tsec = __task_cred(p)->security; - - if (!strcmp(name, "current")) - sid = __tsec->sid; - else if (!strcmp(name, "prev")) - sid = __tsec->osid; - else if (!strcmp(name, "exec")) - sid = __tsec->exec_sid; - else if (!strcmp(name, "fscreate")) - sid = __tsec->create_sid; - else if (!strcmp(name, "keycreate")) - sid = __tsec->keycreate_sid; - else if (!strcmp(name, "sockcreate")) - sid = __tsec->sockcreate_sid; - else - goto invalid; - rcu_read_unlock(); - - if (!sid) - return 0; - - error = security_sid_to_context(sid, value, &len); - if (error) - return error; - return len; - -invalid: - rcu_read_unlock(); - return -EINVAL; -} - -static int selinux_setprocattr(struct task_struct *p, - char *name, void *value, size_t size) -{ - struct task_security_struct *tsec; - struct task_struct *tracer; - struct cred *new; - u32 sid = 0, ptsid; - int error; - char *str = value; - - if (current != p) { - /* SELinux only allows a process to change its own - security attributes. */ - return -EACCES; - } - - /* - * Basic control over ability to set these attributes at all. - * current == p, but we'll pass them separately in case the - * above restriction is ever removed. - */ - if (!strcmp(name, "exec")) - error = current_has_perm(p, PROCESS__SETEXEC); - else if (!strcmp(name, "fscreate")) - error = current_has_perm(p, PROCESS__SETFSCREATE); - else if (!strcmp(name, "keycreate")) - error = current_has_perm(p, PROCESS__SETKEYCREATE); - else if (!strcmp(name, "sockcreate")) - error = current_has_perm(p, PROCESS__SETSOCKCREATE); - else if (!strcmp(name, "current")) - error = current_has_perm(p, PROCESS__SETCURRENT); - else - error = -EINVAL; - if (error) - return error; - - /* Obtain a SID for the context, if one was specified. */ - if (size && str[1] && str[1] != '\n') { - if (str[size-1] == '\n') { - str[size-1] = 0; - size--; - } - error = security_context_to_sid(value, size, &sid); - if (error == -EINVAL && !strcmp(name, "fscreate")) { - if (!capable(CAP_MAC_ADMIN)) - return error; - error = security_context_to_sid_force(value, size, - &sid); - } - if (error) - return error; - } - - new = prepare_creds(); - if (!new) - return -ENOMEM; - - /* Permission checking based on the specified context is - performed during the actual operation (execve, - open/mkdir/...), when we know the full context of the - operation. See selinux_bprm_set_creds for the execve - checks and may_create for the file creation checks. The - operation will then fail if the context is not permitted. */ - tsec = new->security; - if (!strcmp(name, "exec")) { - tsec->exec_sid = sid; - } else if (!strcmp(name, "fscreate")) { - tsec->create_sid = sid; - } else if (!strcmp(name, "keycreate")) { - error = may_create_key(sid, p); - if (error) - goto abort_change; - tsec->keycreate_sid = sid; - } else if (!strcmp(name, "sockcreate")) { - tsec->sockcreate_sid = sid; - } else if (!strcmp(name, "current")) { - error = -EINVAL; - if (sid == 0) - goto abort_change; - - /* Only allow single threaded processes to change context */ - error = -EPERM; - if (!current_is_single_threaded()) { - error = security_bounded_transition(tsec->sid, sid); - if (error) - goto abort_change; - } - - /* Check permissions for the transition. */ - error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, - PROCESS__DYNTRANSITION, NULL); - if (error) - goto abort_change; - - /* Check for ptracing, and update the task SID if ok. - Otherwise, leave SID unchanged and fail. */ - ptsid = 0; - task_lock(p); - tracer = ptrace_parent(p); - if (tracer) - ptsid = task_sid(tracer); - task_unlock(p); - - if (tracer) { - error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, - PROCESS__PTRACE, NULL); - if (error) - goto abort_change; - } - - tsec->sid = sid; - } else { - error = -EINVAL; - goto abort_change; - } - - commit_creds(new); - return size; - -abort_change: - abort_creds(new); - return error; -} - -static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) -{ - return security_sid_to_context(secid, secdata, seclen); -} - -static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) -{ - return security_context_to_sid(secdata, seclen, secid); -} - -static void selinux_release_secctx(char *secdata, u32 seclen) -{ - kfree(secdata); -} - -/* - * called with inode->i_mutex locked - */ -static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) -{ - return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); -} - -/* - * called with inode->i_mutex locked - */ -static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) -{ - return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); -} - -static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) -{ - int len = 0; - len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, - ctx, true); - if (len < 0) - return len; - *ctxlen = len; - return 0; -} -#ifdef CONFIG_KEYS - -static int selinux_key_alloc(struct key *k, const struct cred *cred, - unsigned long flags) -{ - const struct task_security_struct *tsec; - struct key_security_struct *ksec; - - ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); - if (!ksec) - return -ENOMEM; - - tsec = cred->security; - if (tsec->keycreate_sid) - ksec->sid = tsec->keycreate_sid; - else - ksec->sid = tsec->sid; - - k->security = ksec; - return 0; -} - -static void selinux_key_free(struct key *k) -{ - struct key_security_struct *ksec = k->security; - - k->security = NULL; - kfree(ksec); -} - -static int selinux_key_permission(key_ref_t key_ref, - const struct cred *cred, - key_perm_t perm) -{ - struct key *key; - struct key_security_struct *ksec; - u32 sid; - - /* if no specific permissions are requested, we skip the - permission check. No serious, additional covert channels - appear to be created. */ - if (perm == 0) - return 0; - - sid = cred_sid(cred); - - key = key_ref_to_ptr(key_ref); - ksec = key->security; - - return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); -} - -static int selinux_key_getsecurity(struct key *key, char **_buffer) -{ - struct key_security_struct *ksec = key->security; - char *context = NULL; - unsigned len; - int rc; - - rc = security_sid_to_context(ksec->sid, &context, &len); - if (!rc) - rc = len; - *_buffer = context; - return rc; -} - -#endif - -static struct security_operations selinux_ops = { - .name = "selinux", - - .ptrace_access_check = selinux_ptrace_access_check, - .ptrace_traceme = selinux_ptrace_traceme, - .capget = selinux_capget, - .capset = selinux_capset, - .capable = selinux_capable, - .quotactl = selinux_quotactl, - .quota_on = selinux_quota_on, - .syslog = selinux_syslog, - .vm_enough_memory = selinux_vm_enough_memory, - - .netlink_send = selinux_netlink_send, - - .bprm_set_creds = selinux_bprm_set_creds, - .bprm_committing_creds = selinux_bprm_committing_creds, - .bprm_committed_creds = selinux_bprm_committed_creds, - .bprm_secureexec = selinux_bprm_secureexec, - - .sb_alloc_security = selinux_sb_alloc_security, - .sb_free_security = selinux_sb_free_security, - .sb_copy_data = selinux_sb_copy_data, - .sb_remount = selinux_sb_remount, - .sb_kern_mount = selinux_sb_kern_mount, - .sb_show_options = selinux_sb_show_options, - .sb_statfs = selinux_sb_statfs, - .sb_mount = selinux_mount, - .sb_umount = selinux_umount, - .sb_set_mnt_opts = selinux_set_mnt_opts, - .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts, - .sb_parse_opts_str = selinux_parse_opts_str, - - - .inode_alloc_security = selinux_inode_alloc_security, - .inode_free_security = selinux_inode_free_security, - .inode_init_security = selinux_inode_init_security, - .inode_create = selinux_inode_create, - .inode_link = selinux_inode_link, - .inode_unlink = selinux_inode_unlink, - .inode_symlink = selinux_inode_symlink, - .inode_mkdir = selinux_inode_mkdir, - .inode_rmdir = selinux_inode_rmdir, - .inode_mknod = selinux_inode_mknod, - .inode_rename = selinux_inode_rename, - .inode_readlink = selinux_inode_readlink, - .inode_follow_link = selinux_inode_follow_link, - .inode_permission = selinux_inode_permission, - .inode_setattr = selinux_inode_setattr, - .inode_getattr = selinux_inode_getattr, - .inode_setxattr = selinux_inode_setxattr, - .inode_post_setxattr = selinux_inode_post_setxattr, - .inode_getxattr = selinux_inode_getxattr, - .inode_listxattr = selinux_inode_listxattr, - .inode_removexattr = selinux_inode_removexattr, - .inode_getsecurity = selinux_inode_getsecurity, - .inode_setsecurity = selinux_inode_setsecurity, - .inode_listsecurity = selinux_inode_listsecurity, - .inode_getsecid = selinux_inode_getsecid, - - .file_permission = selinux_file_permission, - .file_alloc_security = selinux_file_alloc_security, - .file_free_security = selinux_file_free_security, - .file_ioctl = selinux_file_ioctl, - .file_mmap = selinux_file_mmap, - .file_mprotect = selinux_file_mprotect, - .file_lock = selinux_file_lock, - .file_fcntl = selinux_file_fcntl, - .file_set_fowner = selinux_file_set_fowner, - .file_send_sigiotask = selinux_file_send_sigiotask, - .file_receive = selinux_file_receive, - - .dentry_open = selinux_dentry_open, - - .task_create = selinux_task_create, - .cred_alloc_blank = selinux_cred_alloc_blank, - .cred_free = selinux_cred_free, - .cred_prepare = selinux_cred_prepare, - .cred_transfer = selinux_cred_transfer, - .kernel_act_as = selinux_kernel_act_as, - .kernel_create_files_as = selinux_kernel_create_files_as, - .kernel_module_request = selinux_kernel_module_request, - .task_setpgid = selinux_task_setpgid, - .task_getpgid = selinux_task_getpgid, - .task_getsid = selinux_task_getsid, - .task_getsecid = selinux_task_getsecid, - .task_setnice = selinux_task_setnice, - .task_setioprio = selinux_task_setioprio, - .task_getioprio = selinux_task_getioprio, - .task_setrlimit = selinux_task_setrlimit, - .task_setscheduler = selinux_task_setscheduler, - .task_getscheduler = selinux_task_getscheduler, - .task_movememory = selinux_task_movememory, - .task_kill = selinux_task_kill, - .task_wait = selinux_task_wait, - .task_to_inode = selinux_task_to_inode, - - .ipc_permission = selinux_ipc_permission, - .ipc_getsecid = selinux_ipc_getsecid, - - .msg_msg_alloc_security = selinux_msg_msg_alloc_security, - .msg_msg_free_security = selinux_msg_msg_free_security, - - .msg_queue_alloc_security = selinux_msg_queue_alloc_security, - .msg_queue_free_security = selinux_msg_queue_free_security, - .msg_queue_associate = selinux_msg_queue_associate, - .msg_queue_msgctl = selinux_msg_queue_msgctl, - .msg_queue_msgsnd = selinux_msg_queue_msgsnd, - .msg_queue_msgrcv = selinux_msg_queue_msgrcv, - - .shm_alloc_security = selinux_shm_alloc_security, - .shm_free_security = selinux_shm_free_security, - .shm_associate = selinux_shm_associate, - .shm_shmctl = selinux_shm_shmctl, - .shm_shmat = selinux_shm_shmat, - - .sem_alloc_security = selinux_sem_alloc_security, - .sem_free_security = selinux_sem_free_security, - .sem_associate = selinux_sem_associate, - .sem_semctl = selinux_sem_semctl, - .sem_semop = selinux_sem_semop, - - .d_instantiate = selinux_d_instantiate, - - .getprocattr = selinux_getprocattr, - .setprocattr = selinux_setprocattr, - - .secid_to_secctx = selinux_secid_to_secctx, - .secctx_to_secid = selinux_secctx_to_secid, - .release_secctx = selinux_release_secctx, - .inode_notifysecctx = selinux_inode_notifysecctx, - .inode_setsecctx = selinux_inode_setsecctx, - .inode_getsecctx = selinux_inode_getsecctx, - - .unix_stream_connect = selinux_socket_unix_stream_connect, - .unix_may_send = selinux_socket_unix_may_send, - - .socket_create = selinux_socket_create, - .socket_post_create = selinux_socket_post_create, - .socket_bind = selinux_socket_bind, - .socket_connect = selinux_socket_connect, - .socket_listen = selinux_socket_listen, - .socket_accept = selinux_socket_accept, - .socket_sendmsg = selinux_socket_sendmsg, - .socket_recvmsg = selinux_socket_recvmsg, - .socket_getsockname = selinux_socket_getsockname, - .socket_getpeername = selinux_socket_getpeername, - .socket_getsockopt = selinux_socket_getsockopt, - .socket_setsockopt = selinux_socket_setsockopt, - .socket_shutdown = selinux_socket_shutdown, - .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb, - .socket_getpeersec_stream = selinux_socket_getpeersec_stream, - .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram, - .sk_alloc_security = selinux_sk_alloc_security, - .sk_free_security = selinux_sk_free_security, - .sk_clone_security = selinux_sk_clone_security, - .sk_getsecid = selinux_sk_getsecid, - .sock_graft = selinux_sock_graft, - .inet_conn_request = selinux_inet_conn_request, - .inet_csk_clone = selinux_inet_csk_clone, - .inet_conn_established = selinux_inet_conn_established, - .secmark_relabel_packet = selinux_secmark_relabel_packet, - .secmark_refcount_inc = selinux_secmark_refcount_inc, - .secmark_refcount_dec = selinux_secmark_refcount_dec, - .req_classify_flow = selinux_req_classify_flow, - .tun_dev_create = selinux_tun_dev_create, - .tun_dev_post_create = selinux_tun_dev_post_create, - .tun_dev_attach = selinux_tun_dev_attach, - -#ifdef CONFIG_SECURITY_NETWORK_XFRM - .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, - .xfrm_policy_clone_security = selinux_xfrm_policy_clone, - .xfrm_policy_free_security = selinux_xfrm_policy_free, - .xfrm_policy_delete_security = selinux_xfrm_policy_delete, - .xfrm_state_alloc_security = selinux_xfrm_state_alloc, - .xfrm_state_free_security = selinux_xfrm_state_free, - .xfrm_state_delete_security = selinux_xfrm_state_delete, - .xfrm_policy_lookup = selinux_xfrm_policy_lookup, - .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match, - .xfrm_decode_session = selinux_xfrm_decode_session, -#endif - -#ifdef CONFIG_KEYS - .key_alloc = selinux_key_alloc, - .key_free = selinux_key_free, - .key_permission = selinux_key_permission, - .key_getsecurity = selinux_key_getsecurity, -#endif - -#ifdef CONFIG_AUDIT - .audit_rule_init = selinux_audit_rule_init, - .audit_rule_known = selinux_audit_rule_known, - .audit_rule_match = selinux_audit_rule_match, - .audit_rule_free = selinux_audit_rule_free, -#endif -}; - -extern int wmt_getsyspara(char *varname, unsigned char *varval, int *varlen); - -static __init int selinux_init(void) -{ - // 2013-12-10 YJChen: Add Begin - char selinux_env_name[] = "wmt.selinux.param"; - char selinux_env_buf[32] = "0"; - int varlen = 32; - unsigned int nEnable = 0; - - if (wmt_getsyspara(selinux_env_name, selinux_env_buf, &varlen) == 0) { - sscanf(selinux_env_buf, "%x", &nEnable); - printk("wmt.selinux.param = %x\n", nEnable); - if (nEnable != 0x1) { - printk("setting disable selinux\n"); - selinux_enabled = 0; - return 0; - } - } - else { - // not define wmt.selinux.param, default disable - printk("default disable selinux\n"); - selinux_enabled = 0; - return 0; - } - // 2013-12-10 YJChen: Add End - - if (!security_module_enable(&selinux_ops)) { - selinux_enabled = 0; - return 0; - } - - if (!selinux_enabled) { - printk(KERN_INFO "SELinux: Disabled at boot.\n"); - return 0; - } - - printk(KERN_INFO "SELinux: Initializing.\n"); - - /* Set the security state for the initial task. */ - cred_init_security(); - - default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); - - sel_inode_cache = kmem_cache_create("selinux_inode_security", - sizeof(struct inode_security_struct), - 0, SLAB_PANIC, NULL); - avc_init(); - - if (register_security(&selinux_ops)) - panic("SELinux: Unable to register with kernel.\n"); - - if (selinux_enforcing) - printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); - else - printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); - - return 0; -} - -static void delayed_superblock_init(struct super_block *sb, void *unused) -{ - superblock_doinit(sb, NULL); -} - -void selinux_complete_init(void) -{ - printk(KERN_DEBUG "SELinux: Completing initialization.\n"); - - /* Set up any superblocks initialized prior to the policy load. */ - printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); - iterate_supers(delayed_superblock_init, NULL); -} - -/* SELinux requires early initialization in order to label - all processes and objects when they are created. */ -security_initcall(selinux_init); - -#if defined(CONFIG_NETFILTER) - -static struct nf_hook_ops selinux_ipv4_ops[] = { - { - .hook = selinux_ipv4_postroute, - .owner = THIS_MODULE, - .pf = PF_INET, - .hooknum = NF_INET_POST_ROUTING, - .priority = NF_IP_PRI_SELINUX_LAST, - }, - { - .hook = selinux_ipv4_forward, - .owner = THIS_MODULE, - .pf = PF_INET, - .hooknum = NF_INET_FORWARD, - .priority = NF_IP_PRI_SELINUX_FIRST, - }, - { - .hook = selinux_ipv4_output, - .owner = THIS_MODULE, - .pf = PF_INET, - .hooknum = NF_INET_LOCAL_OUT, - .priority = NF_IP_PRI_SELINUX_FIRST, - } -}; - -#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) - -static struct nf_hook_ops selinux_ipv6_ops[] = { - { - .hook = selinux_ipv6_postroute, - .owner = THIS_MODULE, - .pf = PF_INET6, - .hooknum = NF_INET_POST_ROUTING, - .priority = NF_IP6_PRI_SELINUX_LAST, - }, - { - .hook = selinux_ipv6_forward, - .owner = THIS_MODULE, - .pf = PF_INET6, - .hooknum = NF_INET_FORWARD, - .priority = NF_IP6_PRI_SELINUX_FIRST, - } -}; - -#endif /* IPV6 */ - -static int __init selinux_nf_ip_init(void) -{ - int err = 0; - - if (!selinux_enabled) - goto out; - - printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); - - err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops)); - if (err) - panic("SELinux: nf_register_hooks for IPv4: error %d\n", err); - -#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) - err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops)); - if (err) - panic("SELinux: nf_register_hooks for IPv6: error %d\n", err); -#endif /* IPV6 */ - -out: - return err; -} - -__initcall(selinux_nf_ip_init); - -#ifdef CONFIG_SECURITY_SELINUX_DISABLE -static void selinux_nf_ip_exit(void) -{ - printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); - - nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops)); -#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) - nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops)); -#endif /* IPV6 */ -} -#endif - -#else /* CONFIG_NETFILTER */ - -#ifdef CONFIG_SECURITY_SELINUX_DISABLE -#define selinux_nf_ip_exit() -#endif - -#endif /* CONFIG_NETFILTER */ - -#ifdef CONFIG_SECURITY_SELINUX_DISABLE -static int selinux_disabled; - -int selinux_disable(void) -{ - if (ss_initialized) { - /* Not permitted after initial policy load. */ - return -EINVAL; - } - - if (selinux_disabled) { - /* Only do this once. */ - return -EINVAL; - } - - printk(KERN_INFO "SELinux: Disabled at runtime.\n"); - - selinux_disabled = 1; - selinux_enabled = 0; - - reset_security_ops(); - - /* Try to destroy the avc node cache */ - avc_disable(); - - /* Unregister netfilter hooks. */ - selinux_nf_ip_exit(); - - /* Unregister selinuxfs. */ - exit_sel_fs(); - - return 0; -} -#endif |