summaryrefslogtreecommitdiffstats
path: root/kernel/security/selinux/hooks.c
diff options
context:
space:
mode:
Diffstat (limited to 'kernel/security/selinux/hooks.c')
-rw-r--r--kernel/security/selinux/hooks.c6219
1 files changed, 6219 insertions, 0 deletions
diff --git a/kernel/security/selinux/hooks.c b/kernel/security/selinux/hooks.c
new file mode 100644
index 000000000..212070e1d
--- /dev/null
+++ b/kernel/security/selinux/hooks.c
@@ -0,0 +1,6219 @@
+/*
+ * NSA Security-Enhanced Linux (SELinux) security module
+ *
+ * This file contains the SELinux hook function implementations.
+ *
+ * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
+ * Chris Vance, <cvance@nai.com>
+ * Wayne Salamon, <wsalamon@nai.com>
+ * James Morris <jmorris@redhat.com>
+ *
+ * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
+ * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ * Eric Paris <eparis@redhat.com>
+ * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
+ * <dgoeddel@trustedcs.com>
+ * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
+ * Paul Moore <paul@paul-moore.com>
+ * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
+ * Yuichi Nakamura <ynakam@hitachisoft.jp>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include <linux/init.h>
+#include <linux/kd.h>
+#include <linux/kernel.h>
+#include <linux/tracehook.h>
+#include <linux/errno.h>
+#include <linux/sched.h>
+#include <linux/security.h>
+#include <linux/xattr.h>
+#include <linux/capability.h>
+#include <linux/unistd.h>
+#include <linux/mm.h>
+#include <linux/mman.h>
+#include <linux/slab.h>
+#include <linux/pagemap.h>
+#include <linux/proc_fs.h>
+#include <linux/swap.h>
+#include <linux/spinlock.h>
+#include <linux/syscalls.h>
+#include <linux/dcache.h>
+#include <linux/file.h>
+#include <linux/fdtable.h>
+#include <linux/namei.h>
+#include <linux/mount.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_ipv6.h>
+#include <linux/tty.h>
+#include <net/icmp.h>
+#include <net/ip.h> /* for local_port_range[] */
+#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
+#include <net/inet_connection_sock.h>
+#include <net/net_namespace.h>
+#include <net/netlabel.h>
+#include <linux/uaccess.h>
+#include <asm/ioctls.h>
+#include <linux/atomic.h>
+#include <linux/bitops.h>
+#include <linux/interrupt.h>
+#include <linux/netdevice.h> /* for network interface checks */
+#include <net/netlink.h>
+#include <linux/tcp.h>
+#include <linux/udp.h>
+#include <linux/dccp.h>
+#include <linux/quota.h>
+#include <linux/un.h> /* for Unix socket types */
+#include <net/af_unix.h> /* for Unix socket types */
+#include <linux/parser.h>
+#include <linux/nfs_mount.h>
+#include <net/ipv6.h>
+#include <linux/hugetlb.h>
+#include <linux/personality.h>
+#include <linux/audit.h>
+#include <linux/string.h>
+#include <linux/selinux.h>
+#include <linux/mutex.h>
+#include <linux/posix-timers.h>
+#include <linux/syslog.h>
+#include <linux/user_namespace.h>
+#include <linux/export.h>
+#include <linux/msg.h>
+#include <linux/shm.h>
+
+#include "avc.h"
+#include "objsec.h"
+#include "netif.h"
+#include "netnode.h"
+#include "netport.h"
+#include "xfrm.h"
+#include "netlabel.h"
+#include "audit.h"
+#include "avc_ss.h"
+
+/* SECMARK reference count */
+static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
+
+#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
+int selinux_enforcing;
+
+static int __init enforcing_setup(char *str)
+{
+ unsigned long enforcing;
+ if (!kstrtoul(str, 0, &enforcing))
+ selinux_enforcing = enforcing ? 1 : 0;
+ return 1;
+}
+__setup("enforcing=", enforcing_setup);
+#endif
+
+#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
+int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
+
+static int __init selinux_enabled_setup(char *str)
+{
+ unsigned long enabled;
+ if (!kstrtoul(str, 0, &enabled))
+ selinux_enabled = enabled ? 1 : 0;
+ return 1;
+}
+__setup("selinux=", selinux_enabled_setup);
+#else
+int selinux_enabled = 1;
+#endif
+
+static struct kmem_cache *sel_inode_cache;
+
+/**
+ * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
+ *
+ * Description:
+ * This function checks the SECMARK reference counter to see if any SECMARK
+ * targets are currently configured, if the reference counter is greater than
+ * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
+ * enabled, false (0) if SECMARK is disabled. If the always_check_network
+ * policy capability is enabled, SECMARK is always considered enabled.
+ *
+ */
+static int selinux_secmark_enabled(void)
+{
+ return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
+}
+
+/**
+ * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
+ *
+ * Description:
+ * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
+ * (1) if any are enabled or false (0) if neither are enabled. If the
+ * always_check_network policy capability is enabled, peer labeling
+ * is always considered enabled.
+ *
+ */
+static int selinux_peerlbl_enabled(void)
+{
+ return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
+}
+
+static int selinux_netcache_avc_callback(u32 event)
+{
+ if (event == AVC_CALLBACK_RESET) {
+ sel_netif_flush();
+ sel_netnode_flush();
+ sel_netport_flush();
+ synchronize_net();
+ }
+ return 0;
+}
+
+/*
+ * initialise the security for the init task
+ */
+static void cred_init_security(void)
+{
+ struct cred *cred = (struct cred *) current->real_cred;
+ struct task_security_struct *tsec;
+
+ tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
+ if (!tsec)
+ panic("SELinux: Failed to initialize initial task.\n");
+
+ tsec->osid = tsec->sid = SECINITSID_KERNEL;
+ cred->security = tsec;
+}
+
+/*
+ * get the security ID of a set of credentials
+ */
+static inline u32 cred_sid(const struct cred *cred)
+{
+ const struct task_security_struct *tsec;
+
+ tsec = cred->security;
+ return tsec->sid;
+}
+
+/*
+ * get the objective security ID of a task
+ */
+static inline u32 task_sid(const struct task_struct *task)
+{
+ u32 sid;
+
+ rcu_read_lock();
+ sid = cred_sid(__task_cred(task));
+ rcu_read_unlock();
+ return sid;
+}
+
+/*
+ * get the subjective security ID of the current task
+ */
+static inline u32 current_sid(void)
+{
+ const struct task_security_struct *tsec = current_security();
+
+ return tsec->sid;
+}
+
+/* Allocate and free functions for each kind of security blob. */
+
+static int inode_alloc_security(struct inode *inode)
+{
+ struct inode_security_struct *isec;
+ u32 sid = current_sid();
+
+ isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
+ if (!isec)
+ return -ENOMEM;
+
+ mutex_init(&isec->lock);
+ INIT_LIST_HEAD(&isec->list);
+ isec->inode = inode;
+ isec->sid = SECINITSID_UNLABELED;
+ isec->sclass = SECCLASS_FILE;
+ isec->task_sid = sid;
+ inode->i_security = isec;
+
+ return 0;
+}
+
+static void inode_free_rcu(struct rcu_head *head)
+{
+ struct inode_security_struct *isec;
+
+ isec = container_of(head, struct inode_security_struct, rcu);
+ kmem_cache_free(sel_inode_cache, isec);
+}
+
+static void inode_free_security(struct inode *inode)
+{
+ struct inode_security_struct *isec = inode->i_security;
+ struct superblock_security_struct *sbsec = inode->i_sb->s_security;
+
+ spin_lock(&sbsec->isec_lock);
+ if (!list_empty(&isec->list))
+ list_del_init(&isec->list);
+ spin_unlock(&sbsec->isec_lock);
+
+ /*
+ * The inode may still be referenced in a path walk and
+ * a call to selinux_inode_permission() can be made
+ * after inode_free_security() is called. Ideally, the VFS
+ * wouldn't do this, but fixing that is a much harder
+ * job. For now, simply free the i_security via RCU, and
+ * leave the current inode->i_security pointer intact.
+ * The inode will be freed after the RCU grace period too.
+ */
+ call_rcu(&isec->rcu, inode_free_rcu);
+}
+
+static int file_alloc_security(struct file *file)
+{
+ struct file_security_struct *fsec;
+ u32 sid = current_sid();
+
+ fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
+ if (!fsec)
+ return -ENOMEM;
+
+ fsec->sid = sid;
+ fsec->fown_sid = sid;
+ file->f_security = fsec;
+
+ return 0;
+}
+
+static void file_free_security(struct file *file)
+{
+ struct file_security_struct *fsec = file->f_security;
+ file->f_security = NULL;
+ kfree(fsec);
+}
+
+static int superblock_alloc_security(struct super_block *sb)
+{
+ struct superblock_security_struct *sbsec;
+
+ sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
+ if (!sbsec)
+ return -ENOMEM;
+
+ mutex_init(&sbsec->lock);
+ INIT_LIST_HEAD(&sbsec->isec_head);
+ spin_lock_init(&sbsec->isec_lock);
+ sbsec->sb = sb;
+ sbsec->sid = SECINITSID_UNLABELED;
+ sbsec->def_sid = SECINITSID_FILE;
+ sbsec->mntpoint_sid = SECINITSID_UNLABELED;
+ sb->s_security = sbsec;
+
+ return 0;
+}
+
+static void superblock_free_security(struct super_block *sb)
+{
+ struct superblock_security_struct *sbsec = sb->s_security;
+ sb->s_security = NULL;
+ kfree(sbsec);
+}
+
+/* The file system's label must be initialized prior to use. */
+
+static const char *labeling_behaviors[7] = {
+ "uses xattr",
+ "uses transition SIDs",
+ "uses task SIDs",
+ "uses genfs_contexts",
+ "not configured for labeling",
+ "uses mountpoint labeling",
+ "uses native labeling",
+};
+
+static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
+
+static inline int inode_doinit(struct inode *inode)
+{
+ return inode_doinit_with_dentry(inode, NULL);
+}
+
+enum {
+ Opt_error = -1,
+ Opt_context = 1,
+ Opt_fscontext = 2,
+ Opt_defcontext = 3,
+ Opt_rootcontext = 4,
+ Opt_labelsupport = 5,
+ Opt_nextmntopt = 6,
+};
+
+#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
+
+static const match_table_t tokens = {
+ {Opt_context, CONTEXT_STR "%s"},
+ {Opt_fscontext, FSCONTEXT_STR "%s"},
+ {Opt_defcontext, DEFCONTEXT_STR "%s"},
+ {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
+ {Opt_labelsupport, LABELSUPP_STR},
+ {Opt_error, NULL},
+};
+
+#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
+
+static int may_context_mount_sb_relabel(u32 sid,
+ struct superblock_security_struct *sbsec,
+ const struct cred *cred)
+{
+ const struct task_security_struct *tsec = cred->security;
+ int rc;
+
+ rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
+ FILESYSTEM__RELABELFROM, NULL);
+ if (rc)
+ return rc;
+
+ rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
+ FILESYSTEM__RELABELTO, NULL);
+ return rc;
+}
+
+static int may_context_mount_inode_relabel(u32 sid,
+ struct superblock_security_struct *sbsec,
+ const struct cred *cred)
+{
+ const struct task_security_struct *tsec = cred->security;
+ int rc;
+ rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
+ FILESYSTEM__RELABELFROM, NULL);
+ if (rc)
+ return rc;
+
+ rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
+ FILESYSTEM__ASSOCIATE, NULL);
+ return rc;
+}
+
+static int selinux_is_sblabel_mnt(struct super_block *sb)
+{
+ struct superblock_security_struct *sbsec = sb->s_security;
+
+ return sbsec->behavior == SECURITY_FS_USE_XATTR ||
+ sbsec->behavior == SECURITY_FS_USE_TRANS ||
+ sbsec->behavior == SECURITY_FS_USE_TASK ||
+ sbsec->behavior == SECURITY_FS_USE_NATIVE ||
+ /* Special handling. Genfs but also in-core setxattr handler */
+ !strcmp(sb->s_type->name, "sysfs") ||
+ !strcmp(sb->s_type->name, "pstore") ||
+ !strcmp(sb->s_type->name, "debugfs") ||
+ !strcmp(sb->s_type->name, "rootfs");
+}
+
+static int sb_finish_set_opts(struct super_block *sb)
+{
+ struct superblock_security_struct *sbsec = sb->s_security;
+ struct dentry *root = sb->s_root;
+ struct inode *root_inode = d_backing_inode(root);
+ int rc = 0;
+
+ if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
+ /* Make sure that the xattr handler exists and that no
+ error other than -ENODATA is returned by getxattr on
+ the root directory. -ENODATA is ok, as this may be
+ the first boot of the SELinux kernel before we have
+ assigned xattr values to the filesystem. */
+ if (!root_inode->i_op->getxattr) {
+ printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
+ "xattr support\n", sb->s_id, sb->s_type->name);
+ rc = -EOPNOTSUPP;
+ goto out;
+ }
+ rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
+ if (rc < 0 && rc != -ENODATA) {
+ if (rc == -EOPNOTSUPP)
+ printk(KERN_WARNING "SELinux: (dev %s, type "
+ "%s) has no security xattr handler\n",
+ sb->s_id, sb->s_type->name);
+ else
+ printk(KERN_WARNING "SELinux: (dev %s, type "
+ "%s) getxattr errno %d\n", sb->s_id,
+ sb->s_type->name, -rc);
+ goto out;
+ }
+ }
+
+ if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
+ printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
+ sb->s_id, sb->s_type->name);
+
+ sbsec->flags |= SE_SBINITIALIZED;
+ if (selinux_is_sblabel_mnt(sb))
+ sbsec->flags |= SBLABEL_MNT;
+
+ /* Initialize the root inode. */
+ rc = inode_doinit_with_dentry(root_inode, root);
+
+ /* Initialize any other inodes associated with the superblock, e.g.
+ inodes created prior to initial policy load or inodes created
+ during get_sb by a pseudo filesystem that directly
+ populates itself. */
+ spin_lock(&sbsec->isec_lock);
+next_inode:
+ if (!list_empty(&sbsec->isec_head)) {
+ struct inode_security_struct *isec =
+ list_entry(sbsec->isec_head.next,
+ struct inode_security_struct, list);
+ struct inode *inode = isec->inode;
+ list_del_init(&isec->list);
+ spin_unlock(&sbsec->isec_lock);
+ inode = igrab(inode);
+ if (inode) {
+ if (!IS_PRIVATE(inode))
+ inode_doinit(inode);
+ iput(inode);
+ }
+ spin_lock(&sbsec->isec_lock);
+ goto next_inode;
+ }
+ spin_unlock(&sbsec->isec_lock);
+out:
+ return rc;
+}
+
+/*
+ * This function should allow an FS to ask what it's mount security
+ * options were so it can use those later for submounts, displaying
+ * mount options, or whatever.
+ */
+static int selinux_get_mnt_opts(const struct super_block *sb,
+ struct security_mnt_opts *opts)
+{
+ int rc = 0, i;
+ struct superblock_security_struct *sbsec = sb->s_security;
+ char *context = NULL;
+ u32 len;
+ char tmp;
+
+ security_init_mnt_opts(opts);
+
+ if (!(sbsec->flags & SE_SBINITIALIZED))
+ return -EINVAL;
+
+ if (!ss_initialized)
+ return -EINVAL;
+
+ /* make sure we always check enough bits to cover the mask */
+ BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
+
+ tmp = sbsec->flags & SE_MNTMASK;
+ /* count the number of mount options for this sb */
+ for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
+ if (tmp & 0x01)
+ opts->num_mnt_opts++;
+ tmp >>= 1;
+ }
+ /* Check if the Label support flag is set */
+ if (sbsec->flags & SBLABEL_MNT)
+ opts->num_mnt_opts++;
+
+ opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
+ if (!opts->mnt_opts) {
+ rc = -ENOMEM;
+ goto out_free;
+ }
+
+ opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
+ if (!opts->mnt_opts_flags) {
+ rc = -ENOMEM;
+ goto out_free;
+ }
+
+ i = 0;
+ if (sbsec->flags & FSCONTEXT_MNT) {
+ rc = security_sid_to_context(sbsec->sid, &context, &len);
+ if (rc)
+ goto out_free;
+ opts->mnt_opts[i] = context;
+ opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
+ }
+ if (sbsec->flags & CONTEXT_MNT) {
+ rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
+ if (rc)
+ goto out_free;
+ opts->mnt_opts[i] = context;
+ opts->mnt_opts_flags[i++] = CONTEXT_MNT;
+ }
+ if (sbsec->flags & DEFCONTEXT_MNT) {
+ rc = security_sid_to_context(sbsec->def_sid, &context, &len);
+ if (rc)
+ goto out_free;
+ opts->mnt_opts[i] = context;
+ opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
+ }
+ if (sbsec->flags & ROOTCONTEXT_MNT) {
+ struct inode *root = d_backing_inode(sbsec->sb->s_root);
+ struct inode_security_struct *isec = root->i_security;
+
+ rc = security_sid_to_context(isec->sid, &context, &len);
+ if (rc)
+ goto out_free;
+ opts->mnt_opts[i] = context;
+ opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
+ }
+ if (sbsec->flags & SBLABEL_MNT) {
+ opts->mnt_opts[i] = NULL;
+ opts->mnt_opts_flags[i++] = SBLABEL_MNT;
+ }
+
+ BUG_ON(i != opts->num_mnt_opts);
+
+ return 0;
+
+out_free:
+ security_free_mnt_opts(opts);
+ return rc;
+}
+
+static int bad_option(struct superblock_security_struct *sbsec, char flag,
+ u32 old_sid, u32 new_sid)
+{
+ char mnt_flags = sbsec->flags & SE_MNTMASK;
+
+ /* check if the old mount command had the same options */
+ if (sbsec->flags & SE_SBINITIALIZED)
+ if (!(sbsec->flags & flag) ||
+ (old_sid != new_sid))
+ return 1;
+
+ /* check if we were passed the same options twice,
+ * aka someone passed context=a,context=b
+ */
+ if (!(sbsec->flags & SE_SBINITIALIZED))
+ if (mnt_flags & flag)
+ return 1;
+ return 0;
+}
+
+/*
+ * Allow filesystems with binary mount data to explicitly set mount point
+ * labeling information.
+ */
+static int selinux_set_mnt_opts(struct super_block *sb,
+ struct security_mnt_opts *opts,
+ unsigned long kern_flags,
+ unsigned long *set_kern_flags)
+{
+ const struct cred *cred = current_cred();
+ int rc = 0, i;
+ struct superblock_security_struct *sbsec = sb->s_security;
+ const char *name = sb->s_type->name;
+ struct inode *inode = d_backing_inode(sbsec->sb->s_root);
+ struct inode_security_struct *root_isec = inode->i_security;
+ u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
+ u32 defcontext_sid = 0;
+ char **mount_options = opts->mnt_opts;
+ int *flags = opts->mnt_opts_flags;
+ int num_opts = opts->num_mnt_opts;
+
+ mutex_lock(&sbsec->lock);
+
+ if (!ss_initialized) {
+ if (!num_opts) {
+ /* Defer initialization until selinux_complete_init,
+ after the initial policy is loaded and the security
+ server is ready to handle calls. */
+ goto out;
+ }
+ rc = -EINVAL;
+ printk(KERN_WARNING "SELinux: Unable to set superblock options "
+ "before the security server is initialized\n");
+ goto out;
+ }
+ if (kern_flags && !set_kern_flags) {
+ /* Specifying internal flags without providing a place to
+ * place the results is not allowed */
+ rc = -EINVAL;
+ goto out;
+ }
+
+ /*
+ * Binary mount data FS will come through this function twice. Once
+ * from an explicit call and once from the generic calls from the vfs.
+ * Since the generic VFS calls will not contain any security mount data
+ * we need to skip the double mount verification.
+ *
+ * This does open a hole in which we will not notice if the first
+ * mount using this sb set explict options and a second mount using
+ * this sb does not set any security options. (The first options
+ * will be used for both mounts)
+ */
+ if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
+ && (num_opts == 0))
+ goto out;
+
+ /*
+ * parse the mount options, check if they are valid sids.
+ * also check if someone is trying to mount the same sb more
+ * than once with different security options.
+ */
+ for (i = 0; i < num_opts; i++) {
+ u32 sid;
+
+ if (flags[i] == SBLABEL_MNT)
+ continue;
+ rc = security_context_to_sid(mount_options[i],
+ strlen(mount_options[i]), &sid, GFP_KERNEL);
+ if (rc) {
+ printk(KERN_WARNING "SELinux: security_context_to_sid"
+ "(%s) failed for (dev %s, type %s) errno=%d\n",
+ mount_options[i], sb->s_id, name, rc);
+ goto out;
+ }
+ switch (flags[i]) {
+ case FSCONTEXT_MNT:
+ fscontext_sid = sid;
+
+ if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
+ fscontext_sid))
+ goto out_double_mount;
+
+ sbsec->flags |= FSCONTEXT_MNT;
+ break;
+ case CONTEXT_MNT:
+ context_sid = sid;
+
+ if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
+ context_sid))
+ goto out_double_mount;
+
+ sbsec->flags |= CONTEXT_MNT;
+ break;
+ case ROOTCONTEXT_MNT:
+ rootcontext_sid = sid;
+
+ if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
+ rootcontext_sid))
+ goto out_double_mount;
+
+ sbsec->flags |= ROOTCONTEXT_MNT;
+
+ break;
+ case DEFCONTEXT_MNT:
+ defcontext_sid = sid;
+
+ if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
+ defcontext_sid))
+ goto out_double_mount;
+
+ sbsec->flags |= DEFCONTEXT_MNT;
+
+ break;
+ default:
+ rc = -EINVAL;
+ goto out;
+ }
+ }
+
+ if (sbsec->flags & SE_SBINITIALIZED) {
+ /* previously mounted with options, but not on this attempt? */
+ if ((sbsec->flags & SE_MNTMASK) && !num_opts)
+ goto out_double_mount;
+ rc = 0;
+ goto out;
+ }
+
+ if (strcmp(sb->s_type->name, "proc") == 0)
+ sbsec->flags |= SE_SBPROC;
+
+ if (!sbsec->behavior) {
+ /*
+ * Determine the labeling behavior to use for this
+ * filesystem type.
+ */
+ rc = security_fs_use(sb);
+ if (rc) {
+ printk(KERN_WARNING
+ "%s: security_fs_use(%s) returned %d\n",
+ __func__, sb->s_type->name, rc);
+ goto out;
+ }
+ }
+ /* sets the context of the superblock for the fs being mounted. */
+ if (fscontext_sid) {
+ rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
+ if (rc)
+ goto out;
+
+ sbsec->sid = fscontext_sid;
+ }
+
+ /*
+ * Switch to using mount point labeling behavior.
+ * sets the label used on all file below the mountpoint, and will set
+ * the superblock context if not already set.
+ */
+ if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
+ sbsec->behavior = SECURITY_FS_USE_NATIVE;
+ *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
+ }
+
+ if (context_sid) {
+ if (!fscontext_sid) {
+ rc = may_context_mount_sb_relabel(context_sid, sbsec,
+ cred);
+ if (rc)
+ goto out;
+ sbsec->sid = context_sid;
+ } else {
+ rc = may_context_mount_inode_relabel(context_sid, sbsec,
+ cred);
+ if (rc)
+ goto out;
+ }
+ if (!rootcontext_sid)
+ rootcontext_sid = context_sid;
+
+ sbsec->mntpoint_sid = context_sid;
+ sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
+ }
+
+ if (rootcontext_sid) {
+ rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
+ cred);
+ if (rc)
+ goto out;
+
+ root_isec->sid = rootcontext_sid;
+ root_isec->initialized = 1;
+ }
+
+ if (defcontext_sid) {
+ if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
+ sbsec->behavior != SECURITY_FS_USE_NATIVE) {
+ rc = -EINVAL;
+ printk(KERN_WARNING "SELinux: defcontext option is "
+ "invalid for this filesystem type\n");
+ goto out;
+ }
+
+ if (defcontext_sid != sbsec->def_sid) {
+ rc = may_context_mount_inode_relabel(defcontext_sid,
+ sbsec, cred);
+ if (rc)
+ goto out;
+ }
+
+ sbsec->def_sid = defcontext_sid;
+ }
+
+ rc = sb_finish_set_opts(sb);
+out:
+ mutex_unlock(&sbsec->lock);
+ return rc;
+out_double_mount:
+ rc = -EINVAL;
+ printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
+ "security settings for (dev %s, type %s)\n", sb->s_id, name);
+ goto out;
+}
+
+static int selinux_cmp_sb_context(const struct super_block *oldsb,
+ const struct super_block *newsb)
+{
+ struct superblock_security_struct *old = oldsb->s_security;
+ struct superblock_security_struct *new = newsb->s_security;
+ char oldflags = old->flags & SE_MNTMASK;
+ char newflags = new->flags & SE_MNTMASK;
+
+ if (oldflags != newflags)
+ goto mismatch;
+ if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
+ goto mismatch;
+ if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
+ goto mismatch;
+ if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
+ goto mismatch;
+ if (oldflags & ROOTCONTEXT_MNT) {
+ struct inode_security_struct *oldroot = d_backing_inode(oldsb->s_root)->i_security;
+ struct inode_security_struct *newroot = d_backing_inode(newsb->s_root)->i_security;
+ if (oldroot->sid != newroot->sid)
+ goto mismatch;
+ }
+ return 0;
+mismatch:
+ printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
+ "different security settings for (dev %s, "
+ "type %s)\n", newsb->s_id, newsb->s_type->name);
+ return -EBUSY;
+}
+
+static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
+ struct super_block *newsb)
+{
+ const struct superblock_security_struct *oldsbsec = oldsb->s_security;
+ struct superblock_security_struct *newsbsec = newsb->s_security;
+
+ int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
+ int set_context = (oldsbsec->flags & CONTEXT_MNT);
+ int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
+
+ /*
+ * if the parent was able to be mounted it clearly had no special lsm
+ * mount options. thus we can safely deal with this superblock later
+ */
+ if (!ss_initialized)
+ return 0;
+
+ /* how can we clone if the old one wasn't set up?? */
+ BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
+
+ /* if fs is reusing a sb, make sure that the contexts match */
+ if (newsbsec->flags & SE_SBINITIALIZED)
+ return selinux_cmp_sb_context(oldsb, newsb);
+
+ mutex_lock(&newsbsec->lock);
+
+ newsbsec->flags = oldsbsec->flags;
+
+ newsbsec->sid = oldsbsec->sid;
+ newsbsec->def_sid = oldsbsec->def_sid;
+ newsbsec->behavior = oldsbsec->behavior;
+
+ if (set_context) {
+ u32 sid = oldsbsec->mntpoint_sid;
+
+ if (!set_fscontext)
+ newsbsec->sid = sid;
+ if (!set_rootcontext) {
+ struct inode *newinode = d_backing_inode(newsb->s_root);
+ struct inode_security_struct *newisec = newinode->i_security;
+ newisec->sid = sid;
+ }
+ newsbsec->mntpoint_sid = sid;
+ }
+ if (set_rootcontext) {
+ const struct inode *oldinode = d_backing_inode(oldsb->s_root);
+ const struct inode_security_struct *oldisec = oldinode->i_security;
+ struct inode *newinode = d_backing_inode(newsb->s_root);
+ struct inode_security_struct *newisec = newinode->i_security;
+
+ newisec->sid = oldisec->sid;
+ }
+
+ sb_finish_set_opts(newsb);
+ mutex_unlock(&newsbsec->lock);
+ return 0;
+}
+
+static int selinux_parse_opts_str(char *options,
+ struct security_mnt_opts *opts)
+{
+ char *p;
+ char *context = NULL, *defcontext = NULL;
+ char *fscontext = NULL, *rootcontext = NULL;
+ int rc, num_mnt_opts = 0;
+
+ opts->num_mnt_opts = 0;
+
+ /* Standard string-based options. */
+ while ((p = strsep(&options, "|")) != NULL) {
+ int token;
+ substring_t args[MAX_OPT_ARGS];
+
+ if (!*p)
+ continue;
+
+ token = match_token(p, tokens, args);
+
+ switch (token) {
+ case Opt_context:
+ if (context || defcontext) {
+ rc = -EINVAL;
+ printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
+ goto out_err;
+ }
+ context = match_strdup(&args[0]);
+ if (!context) {
+ rc = -ENOMEM;
+ goto out_err;
+ }
+ break;
+
+ case Opt_fscontext:
+ if (fscontext) {
+ rc = -EINVAL;
+ printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
+ goto out_err;
+ }
+ fscontext = match_strdup(&args[0]);
+ if (!fscontext) {
+ rc = -ENOMEM;
+ goto out_err;
+ }
+ break;
+
+ case Opt_rootcontext:
+ if (rootcontext) {
+ rc = -EINVAL;
+ printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
+ goto out_err;
+ }
+ rootcontext = match_strdup(&args[0]);
+ if (!rootcontext) {
+ rc = -ENOMEM;
+ goto out_err;
+ }
+ break;
+
+ case Opt_defcontext:
+ if (context || defcontext) {
+ rc = -EINVAL;
+ printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
+ goto out_err;
+ }
+ defcontext = match_strdup(&args[0]);
+ if (!defcontext) {
+ rc = -ENOMEM;
+ goto out_err;
+ }
+ break;
+ case Opt_labelsupport:
+ break;
+ default:
+ rc = -EINVAL;
+ printk(KERN_WARNING "SELinux: unknown mount option\n");
+ goto out_err;
+
+ }
+ }
+
+ rc = -ENOMEM;
+ opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
+ if (!opts->mnt_opts)
+ goto out_err;
+
+ opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
+ if (!opts->mnt_opts_flags) {
+ kfree(opts->mnt_opts);
+ goto out_err;
+ }
+
+ if (fscontext) {
+ opts->mnt_opts[num_mnt_opts] = fscontext;
+ opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
+ }
+ if (context) {
+ opts->mnt_opts[num_mnt_opts] = context;
+ opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
+ }
+ if (rootcontext) {
+ opts->mnt_opts[num_mnt_opts] = rootcontext;
+ opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
+ }
+ if (defcontext) {
+ opts->mnt_opts[num_mnt_opts] = defcontext;
+ opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
+ }
+
+ opts->num_mnt_opts = num_mnt_opts;
+ return 0;
+
+out_err:
+ kfree(context);
+ kfree(defcontext);
+ kfree(fscontext);
+ kfree(rootcontext);
+ return rc;
+}
+/*
+ * string mount options parsing and call set the sbsec
+ */
+static int superblock_doinit(struct super_block *sb, void *data)
+{
+ int rc = 0;
+ char *options = data;
+ struct security_mnt_opts opts;
+
+ security_init_mnt_opts(&opts);
+
+ if (!data)
+ goto out;
+
+ BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
+
+ rc = selinux_parse_opts_str(options, &opts);
+ if (rc)
+ goto out_err;
+
+out:
+ rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
+
+out_err:
+ security_free_mnt_opts(&opts);
+ return rc;
+}
+
+static void selinux_write_opts(struct seq_file *m,
+ struct security_mnt_opts *opts)
+{
+ int i;
+ char *prefix;
+
+ for (i = 0; i < opts->num_mnt_opts; i++) {
+ char *has_comma;
+
+ if (opts->mnt_opts[i])
+ has_comma = strchr(opts->mnt_opts[i], ',');
+ else
+ has_comma = NULL;
+
+ switch (opts->mnt_opts_flags[i]) {
+ case CONTEXT_MNT:
+ prefix = CONTEXT_STR;
+ break;
+ case FSCONTEXT_MNT:
+ prefix = FSCONTEXT_STR;
+ break;
+ case ROOTCONTEXT_MNT:
+ prefix = ROOTCONTEXT_STR;
+ break;
+ case DEFCONTEXT_MNT:
+ prefix = DEFCONTEXT_STR;
+ break;
+ case SBLABEL_MNT:
+ seq_putc(m, ',');
+ seq_puts(m, LABELSUPP_STR);
+ continue;
+ default:
+ BUG();
+ return;
+ };
+ /* we need a comma before each option */
+ seq_putc(m, ',');
+ seq_puts(m, prefix);
+ if (has_comma)
+ seq_putc(m, '\"');
+ seq_puts(m, opts->mnt_opts[i]);
+ if (has_comma)
+ seq_putc(m, '\"');
+ }
+}
+
+static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
+{
+ struct security_mnt_opts opts;
+ int rc;
+
+ rc = selinux_get_mnt_opts(sb, &opts);
+ if (rc) {
+ /* before policy load we may get EINVAL, don't show anything */
+ if (rc == -EINVAL)
+ rc = 0;
+ return rc;
+ }
+
+ selinux_write_opts(m, &opts);
+
+ security_free_mnt_opts(&opts);
+
+ return rc;
+}
+
+static inline u16 inode_mode_to_security_class(umode_t mode)
+{
+ switch (mode & S_IFMT) {
+ case S_IFSOCK:
+ return SECCLASS_SOCK_FILE;
+ case S_IFLNK:
+ return SECCLASS_LNK_FILE;
+ case S_IFREG:
+ return SECCLASS_FILE;
+ case S_IFBLK:
+ return SECCLASS_BLK_FILE;
+ case S_IFDIR:
+ return SECCLASS_DIR;
+ case S_IFCHR:
+ return SECCLASS_CHR_FILE;
+ case S_IFIFO:
+ return SECCLASS_FIFO_FILE;
+
+ }
+
+ return SECCLASS_FILE;
+}
+
+static inline int default_protocol_stream(int protocol)
+{
+ return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
+}
+
+static inline int default_protocol_dgram(int protocol)
+{
+ return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
+}
+
+static inline u16 socket_type_to_security_class(int family, int type, int protocol)
+{
+ switch (family) {
+ case PF_UNIX:
+ switch (type) {
+ case SOCK_STREAM:
+ case SOCK_SEQPACKET:
+ return SECCLASS_UNIX_STREAM_SOCKET;
+ case SOCK_DGRAM:
+ return SECCLASS_UNIX_DGRAM_SOCKET;
+ }
+ break;
+ case PF_INET:
+ case PF_INET6:
+ switch (type) {
+ case SOCK_STREAM:
+ if (default_protocol_stream(protocol))
+ return SECCLASS_TCP_SOCKET;
+ else
+ return SECCLASS_RAWIP_SOCKET;
+ case SOCK_DGRAM:
+ if (default_protocol_dgram(protocol))
+ return SECCLASS_UDP_SOCKET;
+ else
+ return SECCLASS_RAWIP_SOCKET;
+ case SOCK_DCCP:
+ return SECCLASS_DCCP_SOCKET;
+ default:
+ return SECCLASS_RAWIP_SOCKET;
+ }
+ break;
+ case PF_NETLINK:
+ switch (protocol) {
+ case NETLINK_ROUTE:
+ return SECCLASS_NETLINK_ROUTE_SOCKET;
+ case NETLINK_FIREWALL:
+ return SECCLASS_NETLINK_FIREWALL_SOCKET;
+ case NETLINK_SOCK_DIAG:
+ return SECCLASS_NETLINK_TCPDIAG_SOCKET;
+ case NETLINK_NFLOG:
+ return SECCLASS_NETLINK_NFLOG_SOCKET;
+ case NETLINK_XFRM:
+ return SECCLASS_NETLINK_XFRM_SOCKET;
+ case NETLINK_SELINUX:
+ return SECCLASS_NETLINK_SELINUX_SOCKET;
+ case NETLINK_AUDIT:
+ return SECCLASS_NETLINK_AUDIT_SOCKET;
+ case NETLINK_IP6_FW:
+ return SECCLASS_NETLINK_IP6FW_SOCKET;
+ case NETLINK_DNRTMSG:
+ return SECCLASS_NETLINK_DNRT_SOCKET;
+ case NETLINK_KOBJECT_UEVENT:
+ return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
+ default:
+ return SECCLASS_NETLINK_SOCKET;
+ }
+ case PF_PACKET:
+ return SECCLASS_PACKET_SOCKET;
+ case PF_KEY:
+ return SECCLASS_KEY_SOCKET;
+ case PF_APPLETALK:
+ return SECCLASS_APPLETALK_SOCKET;
+ }
+
+ return SECCLASS_SOCKET;
+}
+
+#ifdef CONFIG_PROC_FS
+static int selinux_proc_get_sid(struct dentry *dentry,
+ u16 tclass,
+ u32 *sid)
+{
+ int rc;
+ char *buffer, *path;
+
+ buffer = (char *)__get_free_page(GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
+
+ path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
+ if (IS_ERR(path))
+ rc = PTR_ERR(path);
+ else {
+ /* each process gets a /proc/PID/ entry. Strip off the
+ * PID part to get a valid selinux labeling.
+ * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
+ while (path[1] >= '0' && path[1] <= '9') {
+ path[1] = '/';
+ path++;
+ }
+ rc = security_genfs_sid("proc", path, tclass, sid);
+ }
+ free_page((unsigned long)buffer);
+ return rc;
+}
+#else
+static int selinux_proc_get_sid(struct dentry *dentry,
+ u16 tclass,
+ u32 *sid)
+{
+ return -EINVAL;
+}
+#endif
+
+/* The inode's security attributes must be initialized before first use. */
+static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
+{
+ struct superblock_security_struct *sbsec = NULL;
+ struct inode_security_struct *isec = inode->i_security;
+ u32 sid;
+ struct dentry *dentry;
+#define INITCONTEXTLEN 255
+ char *context = NULL;
+ unsigned len = 0;
+ int rc = 0;
+
+ if (isec->initialized)
+ goto out;
+
+ mutex_lock(&isec->lock);
+ if (isec->initialized)
+ goto out_unlock;
+
+ sbsec = inode->i_sb->s_security;
+ if (!(sbsec->flags & SE_SBINITIALIZED)) {
+ /* Defer initialization until selinux_complete_init,
+ after the initial policy is loaded and the security
+ server is ready to handle calls. */
+ spin_lock(&sbsec->isec_lock);
+ if (list_empty(&isec->list))
+ list_add(&isec->list, &sbsec->isec_head);
+ spin_unlock(&sbsec->isec_lock);
+ goto out_unlock;
+ }
+
+ switch (sbsec->behavior) {
+ case SECURITY_FS_USE_NATIVE:
+ break;
+ case SECURITY_FS_USE_XATTR:
+ if (!inode->i_op->getxattr) {
+ isec->sid = sbsec->def_sid;
+ break;
+ }
+
+ /* Need a dentry, since the xattr API requires one.
+ Life would be simpler if we could just pass the inode. */
+ if (opt_dentry) {
+ /* Called from d_instantiate or d_splice_alias. */
+ dentry = dget(opt_dentry);
+ } else {
+ /* Called from selinux_complete_init, try to find a dentry. */
+ dentry = d_find_alias(inode);
+ }
+ if (!dentry) {
+ /*
+ * this is can be hit on boot when a file is accessed
+ * before the policy is loaded. When we load policy we
+ * may find inodes that have no dentry on the
+ * sbsec->isec_head list. No reason to complain as these
+ * will get fixed up the next time we go through
+ * inode_doinit with a dentry, before these inodes could
+ * be used again by userspace.
+ */
+ goto out_unlock;
+ }
+
+ len = INITCONTEXTLEN;
+ context = kmalloc(len+1, GFP_NOFS);
+ if (!context) {
+ rc = -ENOMEM;
+ dput(dentry);
+ goto out_unlock;
+ }
+ context[len] = '\0';
+ rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
+ context, len);
+ if (rc == -ERANGE) {
+ kfree(context);
+
+ /* Need a larger buffer. Query for the right size. */
+ rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
+ NULL, 0);
+ if (rc < 0) {
+ dput(dentry);
+ goto out_unlock;
+ }
+ len = rc;
+ context = kmalloc(len+1, GFP_NOFS);
+ if (!context) {
+ rc = -ENOMEM;
+ dput(dentry);
+ goto out_unlock;
+ }
+ context[len] = '\0';
+ rc = inode->i_op->getxattr(dentry,
+ XATTR_NAME_SELINUX,
+ context, len);
+ }
+ dput(dentry);
+ if (rc < 0) {
+ if (rc != -ENODATA) {
+ printk(KERN_WARNING "SELinux: %s: getxattr returned "
+ "%d for dev=%s ino=%ld\n", __func__,
+ -rc, inode->i_sb->s_id, inode->i_ino);
+ kfree(context);
+ goto out_unlock;
+ }
+ /* Map ENODATA to the default file SID */
+ sid = sbsec->def_sid;
+ rc = 0;
+ } else {
+ rc = security_context_to_sid_default(context, rc, &sid,
+ sbsec->def_sid,
+ GFP_NOFS);
+ if (rc) {
+ char *dev = inode->i_sb->s_id;
+ unsigned long ino = inode->i_ino;
+
+ if (rc == -EINVAL) {
+ if (printk_ratelimit())
+ printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
+ "context=%s. This indicates you may need to relabel the inode or the "
+ "filesystem in question.\n", ino, dev, context);
+ } else {
+ printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
+ "returned %d for dev=%s ino=%ld\n",
+ __func__, context, -rc, dev, ino);
+ }
+ kfree(context);
+ /* Leave with the unlabeled SID */
+ rc = 0;
+ break;
+ }
+ }
+ kfree(context);
+ isec->sid = sid;
+ break;
+ case SECURITY_FS_USE_TASK:
+ isec->sid = isec->task_sid;
+ break;
+ case SECURITY_FS_USE_TRANS:
+ /* Default to the fs SID. */
+ isec->sid = sbsec->sid;
+
+ /* Try to obtain a transition SID. */
+ isec->sclass = inode_mode_to_security_class(inode->i_mode);
+ rc = security_transition_sid(isec->task_sid, sbsec->sid,
+ isec->sclass, NULL, &sid);
+ if (rc)
+ goto out_unlock;
+ isec->sid = sid;
+ break;
+ case SECURITY_FS_USE_MNTPOINT:
+ isec->sid = sbsec->mntpoint_sid;
+ break;
+ default:
+ /* Default to the fs superblock SID. */
+ isec->sid = sbsec->sid;
+
+ if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
+ /* We must have a dentry to determine the label on
+ * procfs inodes */
+ if (opt_dentry)
+ /* Called from d_instantiate or
+ * d_splice_alias. */
+ dentry = dget(opt_dentry);
+ else
+ /* Called from selinux_complete_init, try to
+ * find a dentry. */
+ dentry = d_find_alias(inode);
+ /*
+ * This can be hit on boot when a file is accessed
+ * before the policy is loaded. When we load policy we
+ * may find inodes that have no dentry on the
+ * sbsec->isec_head list. No reason to complain as
+ * these will get fixed up the next time we go through
+ * inode_doinit() with a dentry, before these inodes
+ * could be used again by userspace.
+ */
+ if (!dentry)
+ goto out_unlock;
+ isec->sclass = inode_mode_to_security_class(inode->i_mode);
+ rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
+ dput(dentry);
+ if (rc)
+ goto out_unlock;
+ isec->sid = sid;
+ }
+ break;
+ }
+
+ isec->initialized = 1;
+
+out_unlock:
+ mutex_unlock(&isec->lock);
+out:
+ if (isec->sclass == SECCLASS_FILE)
+ isec->sclass = inode_mode_to_security_class(inode->i_mode);
+ return rc;
+}
+
+/* Convert a Linux signal to an access vector. */
+static inline u32 signal_to_av(int sig)
+{
+ u32 perm = 0;
+
+ switch (sig) {
+ case SIGCHLD:
+ /* Commonly granted from child to parent. */
+ perm = PROCESS__SIGCHLD;
+ break;
+ case SIGKILL:
+ /* Cannot be caught or ignored */
+ perm = PROCESS__SIGKILL;
+ break;
+ case SIGSTOP:
+ /* Cannot be caught or ignored */
+ perm = PROCESS__SIGSTOP;
+ break;
+ default:
+ /* All other signals. */
+ perm = PROCESS__SIGNAL;
+ break;
+ }
+
+ return perm;
+}
+
+/*
+ * Check permission between a pair of credentials
+ * fork check, ptrace check, etc.
+ */
+static int cred_has_perm(const struct cred *actor,
+ const struct cred *target,
+ u32 perms)
+{
+ u32 asid = cred_sid(actor), tsid = cred_sid(target);
+
+ return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
+}
+
+/*
+ * Check permission between a pair of tasks, e.g. signal checks,
+ * fork check, ptrace check, etc.
+ * tsk1 is the actor and tsk2 is the target
+ * - this uses the default subjective creds of tsk1
+ */
+static int task_has_perm(const struct task_struct *tsk1,
+ const struct task_struct *tsk2,
+ u32 perms)
+{
+ const struct task_security_struct *__tsec1, *__tsec2;
+ u32 sid1, sid2;
+
+ rcu_read_lock();
+ __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
+ __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
+ rcu_read_unlock();
+ return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
+}
+
+/*
+ * Check permission between current and another task, e.g. signal checks,
+ * fork check, ptrace check, etc.
+ * current is the actor and tsk2 is the target
+ * - this uses current's subjective creds
+ */
+static int current_has_perm(const struct task_struct *tsk,
+ u32 perms)
+{
+ u32 sid, tsid;
+
+ sid = current_sid();
+ tsid = task_sid(tsk);
+ return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
+}
+
+#if CAP_LAST_CAP > 63
+#error Fix SELinux to handle capabilities > 63.
+#endif
+
+/* Check whether a task is allowed to use a capability. */
+static int cred_has_capability(const struct cred *cred,
+ int cap, int audit)
+{
+ struct common_audit_data ad;
+ struct av_decision avd;
+ u16 sclass;
+ u32 sid = cred_sid(cred);
+ u32 av = CAP_TO_MASK(cap);
+ int rc;
+
+ ad.type = LSM_AUDIT_DATA_CAP;
+ ad.u.cap = cap;
+
+ switch (CAP_TO_INDEX(cap)) {
+ case 0:
+ sclass = SECCLASS_CAPABILITY;
+ break;
+ case 1:
+ sclass = SECCLASS_CAPABILITY2;
+ break;
+ default:
+ printk(KERN_ERR
+ "SELinux: out of range capability %d\n", cap);
+ BUG();
+ return -EINVAL;
+ }
+
+ rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
+ if (audit == SECURITY_CAP_AUDIT) {
+ int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
+ if (rc2)
+ return rc2;
+ }
+ return rc;
+}
+
+/* Check whether a task is allowed to use a system operation. */
+static int task_has_system(struct task_struct *tsk,
+ u32 perms)
+{
+ u32 sid = task_sid(tsk);
+
+ return avc_has_perm(sid, SECINITSID_KERNEL,
+ SECCLASS_SYSTEM, perms, NULL);
+}
+
+/* Check whether a task has a particular permission to an inode.
+ The 'adp' parameter is optional and allows other audit
+ data to be passed (e.g. the dentry). */
+static int inode_has_perm(const struct cred *cred,
+ struct inode *inode,
+ u32 perms,
+ struct common_audit_data *adp)
+{
+ struct inode_security_struct *isec;
+ u32 sid;
+
+ validate_creds(cred);
+
+ if (unlikely(IS_PRIVATE(inode)))
+ return 0;
+
+ sid = cred_sid(cred);
+ isec = inode->i_security;
+
+ return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
+}
+
+/* Same as inode_has_perm, but pass explicit audit data containing
+ the dentry to help the auditing code to more easily generate the
+ pathname if needed. */
+static inline int dentry_has_perm(const struct cred *cred,
+ struct dentry *dentry,
+ u32 av)
+{
+ struct inode *inode = d_backing_inode(dentry);
+ struct common_audit_data ad;
+
+ ad.type = LSM_AUDIT_DATA_DENTRY;
+ ad.u.dentry = dentry;
+ return inode_has_perm(cred, inode, av, &ad);
+}
+
+/* Same as inode_has_perm, but pass explicit audit data containing
+ the path to help the auditing code to more easily generate the
+ pathname if needed. */
+static inline int path_has_perm(const struct cred *cred,
+ const struct path *path,
+ u32 av)
+{
+ struct inode *inode = d_backing_inode(path->dentry);
+ struct common_audit_data ad;
+
+ ad.type = LSM_AUDIT_DATA_PATH;
+ ad.u.path = *path;
+ return inode_has_perm(cred, inode, av, &ad);
+}
+
+/* Same as path_has_perm, but uses the inode from the file struct. */
+static inline int file_path_has_perm(const struct cred *cred,
+ struct file *file,
+ u32 av)
+{
+ struct common_audit_data ad;
+
+ ad.type = LSM_AUDIT_DATA_PATH;
+ ad.u.path = file->f_path;
+ return inode_has_perm(cred, file_inode(file), av, &ad);
+}
+
+/* Check whether a task can use an open file descriptor to
+ access an inode in a given way. Check access to the
+ descriptor itself, and then use dentry_has_perm to
+ check a particular permission to the file.
+ Access to the descriptor is implicitly granted if it
+ has the same SID as the process. If av is zero, then
+ access to the file is not checked, e.g. for cases
+ where only the descriptor is affected like seek. */
+static int file_has_perm(const struct cred *cred,
+ struct file *file,
+ u32 av)
+{
+ struct file_security_struct *fsec = file->f_security;
+ struct inode *inode = file_inode(file);
+ struct common_audit_data ad;
+ u32 sid = cred_sid(cred);
+ int rc;
+
+ ad.type = LSM_AUDIT_DATA_PATH;
+ ad.u.path = file->f_path;
+
+ if (sid != fsec->sid) {
+ rc = avc_has_perm(sid, fsec->sid,
+ SECCLASS_FD,
+ FD__USE,
+ &ad);
+ if (rc)
+ goto out;
+ }
+
+ /* av is zero if only checking access to the descriptor. */
+ rc = 0;
+ if (av)
+ rc = inode_has_perm(cred, inode, av, &ad);
+
+out:
+ return rc;
+}
+
+/* Check whether a task can create a file. */
+static int may_create(struct inode *dir,
+ struct dentry *dentry,
+ u16 tclass)
+{
+ const struct task_security_struct *tsec = current_security();
+ struct inode_security_struct *dsec;
+ struct superblock_security_struct *sbsec;
+ u32 sid, newsid;
+ struct common_audit_data ad;
+ int rc;
+
+ dsec = dir->i_security;
+ sbsec = dir->i_sb->s_security;
+
+ sid = tsec->sid;
+ newsid = tsec->create_sid;
+
+ ad.type = LSM_AUDIT_DATA_DENTRY;
+ ad.u.dentry = dentry;
+
+ rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
+ DIR__ADD_NAME | DIR__SEARCH,
+ &ad);
+ if (rc)
+ return rc;
+
+ if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
+ rc = security_transition_sid(sid, dsec->sid, tclass,
+ &dentry->d_name, &newsid);
+ if (rc)
+ return rc;
+ }
+
+ rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
+ if (rc)
+ return rc;
+
+ return avc_has_perm(newsid, sbsec->sid,
+ SECCLASS_FILESYSTEM,
+ FILESYSTEM__ASSOCIATE, &ad);
+}
+
+/* Check whether a task can create a key. */
+static int may_create_key(u32 ksid,
+ struct task_struct *ctx)
+{
+ u32 sid = task_sid(ctx);
+
+ return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
+}
+
+#define MAY_LINK 0
+#define MAY_UNLINK 1
+#define MAY_RMDIR 2
+
+/* Check whether a task can link, unlink, or rmdir a file/directory. */
+static int may_link(struct inode *dir,
+ struct dentry *dentry,
+ int kind)
+
+{
+ struct inode_security_struct *dsec, *isec;
+ struct common_audit_data ad;
+ u32 sid = current_sid();
+ u32 av;
+ int rc;
+
+ dsec = dir->i_security;
+ isec = d_backing_inode(dentry)->i_security;
+
+ ad.type = LSM_AUDIT_DATA_DENTRY;
+ ad.u.dentry = dentry;
+
+ av = DIR__SEARCH;
+ av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
+ rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
+ if (rc)
+ return rc;
+
+ switch (kind) {
+ case MAY_LINK:
+ av = FILE__LINK;
+ break;
+ case MAY_UNLINK:
+ av = FILE__UNLINK;
+ break;
+ case MAY_RMDIR:
+ av = DIR__RMDIR;
+ break;
+ default:
+ printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
+ __func__, kind);
+ return 0;
+ }
+
+ rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
+ return rc;
+}
+
+static inline int may_rename(struct inode *old_dir,
+ struct dentry *old_dentry,
+ struct inode *new_dir,
+ struct dentry *new_dentry)
+{
+ struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
+ struct common_audit_data ad;
+ u32 sid = current_sid();
+ u32 av;
+ int old_is_dir, new_is_dir;
+ int rc;
+
+ old_dsec = old_dir->i_security;
+ old_isec = d_backing_inode(old_dentry)->i_security;
+ old_is_dir = d_is_dir(old_dentry);
+ new_dsec = new_dir->i_security;
+
+ ad.type = LSM_AUDIT_DATA_DENTRY;
+
+ ad.u.dentry = old_dentry;
+ rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
+ DIR__REMOVE_NAME | DIR__SEARCH, &ad);
+ if (rc)
+ return rc;
+ rc = avc_has_perm(sid, old_isec->sid,
+ old_isec->sclass, FILE__RENAME, &ad);
+ if (rc)
+ return rc;
+ if (old_is_dir && new_dir != old_dir) {
+ rc = avc_has_perm(sid, old_isec->sid,
+ old_isec->sclass, DIR__REPARENT, &ad);
+ if (rc)
+ return rc;
+ }
+
+ ad.u.dentry = new_dentry;
+ av = DIR__ADD_NAME | DIR__SEARCH;
+ if (d_is_positive(new_dentry))
+ av |= DIR__REMOVE_NAME;
+ rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
+ if (rc)
+ return rc;
+ if (d_is_positive(new_dentry)) {
+ new_isec = d_backing_inode(new_dentry)->i_security;
+ new_is_dir = d_is_dir(new_dentry);
+ rc = avc_has_perm(sid, new_isec->sid,
+ new_isec->sclass,
+ (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
+ if (rc)
+ return rc;
+ }
+
+ return 0;
+}
+
+/* Check whether a task can perform a filesystem operation. */
+static int superblock_has_perm(const struct cred *cred,
+ struct super_block *sb,
+ u32 perms,
+ struct common_audit_data *ad)
+{
+ struct superblock_security_struct *sbsec;
+ u32 sid = cred_sid(cred);
+
+ sbsec = sb->s_security;
+ return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
+}
+
+/* Convert a Linux mode and permission mask to an access vector. */
+static inline u32 file_mask_to_av(int mode, int mask)
+{
+ u32 av = 0;
+
+ if (!S_ISDIR(mode)) {
+ if (mask & MAY_EXEC)
+ av |= FILE__EXECUTE;
+ if (mask & MAY_READ)
+ av |= FILE__READ;
+
+ if (mask & MAY_APPEND)
+ av |= FILE__APPEND;
+ else if (mask & MAY_WRITE)
+ av |= FILE__WRITE;
+
+ } else {
+ if (mask & MAY_EXEC)
+ av |= DIR__SEARCH;
+ if (mask & MAY_WRITE)
+ av |= DIR__WRITE;
+ if (mask & MAY_READ)
+ av |= DIR__READ;
+ }
+
+ return av;
+}
+
+/* Convert a Linux file to an access vector. */
+static inline u32 file_to_av(struct file *file)
+{
+ u32 av = 0;
+
+ if (file->f_mode & FMODE_READ)
+ av |= FILE__READ;
+ if (file->f_mode & FMODE_WRITE) {
+ if (file->f_flags & O_APPEND)
+ av |= FILE__APPEND;
+ else
+ av |= FILE__WRITE;
+ }
+ if (!av) {
+ /*
+ * Special file opened with flags 3 for ioctl-only use.
+ */
+ av = FILE__IOCTL;
+ }
+
+ return av;
+}
+
+/*
+ * Convert a file to an access vector and include the correct open
+ * open permission.
+ */
+static inline u32 open_file_to_av(struct file *file)
+{
+ u32 av = file_to_av(file);
+
+ if (selinux_policycap_openperm)
+ av |= FILE__OPEN;
+
+ return av;
+}
+
+/* Hook functions begin here. */
+
+static int selinux_binder_set_context_mgr(struct task_struct *mgr)
+{
+ u32 mysid = current_sid();
+ u32 mgrsid = task_sid(mgr);
+
+ return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
+ BINDER__SET_CONTEXT_MGR, NULL);
+}
+
+static int selinux_binder_transaction(struct task_struct *from,
+ struct task_struct *to)
+{
+ u32 mysid = current_sid();
+ u32 fromsid = task_sid(from);
+ u32 tosid = task_sid(to);
+ int rc;
+
+ if (mysid != fromsid) {
+ rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
+ BINDER__IMPERSONATE, NULL);
+ if (rc)
+ return rc;
+ }
+
+ return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
+ NULL);
+}
+
+static int selinux_binder_transfer_binder(struct task_struct *from,
+ struct task_struct *to)
+{
+ u32 fromsid = task_sid(from);
+ u32 tosid = task_sid(to);
+
+ return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
+ NULL);
+}
+
+static int selinux_binder_transfer_file(struct task_struct *from,
+ struct task_struct *to,
+ struct file *file)
+{
+ u32 sid = task_sid(to);
+ struct file_security_struct *fsec = file->f_security;
+ struct inode *inode = d_backing_inode(file->f_path.dentry);
+ struct inode_security_struct *isec = inode->i_security;
+ struct common_audit_data ad;
+ int rc;
+
+ ad.type = LSM_AUDIT_DATA_PATH;
+ ad.u.path = file->f_path;
+
+ if (sid != fsec->sid) {
+ rc = avc_has_perm(sid, fsec->sid,
+ SECCLASS_FD,
+ FD__USE,
+ &ad);
+ if (rc)
+ return rc;
+ }
+
+ if (unlikely(IS_PRIVATE(inode)))
+ return 0;
+
+ return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
+ &ad);
+}
+
+static int selinux_ptrace_access_check(struct task_struct *child,
+ unsigned int mode)
+{
+ int rc;
+
+ rc = cap_ptrace_access_check(child, mode);
+ if (rc)
+ return rc;
+
+ if (mode & PTRACE_MODE_READ) {
+ u32 sid = current_sid();
+ u32 csid = task_sid(child);
+ return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
+ }
+
+ return current_has_perm(child, PROCESS__PTRACE);
+}
+
+static int selinux_ptrace_traceme(struct task_struct *parent)
+{
+ int rc;
+
+ rc = cap_ptrace_traceme(parent);
+ if (rc)
+ return rc;
+
+ return task_has_perm(parent, current, PROCESS__PTRACE);
+}
+
+static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
+ kernel_cap_t *inheritable, kernel_cap_t *permitted)
+{
+ int error;
+
+ error = current_has_perm(target, PROCESS__GETCAP);
+ if (error)
+ return error;
+
+ return cap_capget(target, effective, inheritable, permitted);
+}
+
+static int selinux_capset(struct cred *new, const struct cred *old,
+ const kernel_cap_t *effective,
+ const kernel_cap_t *inheritable,
+ const kernel_cap_t *permitted)
+{
+ int error;
+
+ error = cap_capset(new, old,
+ effective, inheritable, permitted);
+ if (error)
+ return error;
+
+ return cred_has_perm(old, new, PROCESS__SETCAP);
+}
+
+/*
+ * (This comment used to live with the selinux_task_setuid hook,
+ * which was removed).
+ *
+ * Since setuid only affects the current process, and since the SELinux
+ * controls are not based on the Linux identity attributes, SELinux does not
+ * need to control this operation. However, SELinux does control the use of
+ * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
+ */
+
+static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
+ int cap, int audit)
+{
+ int rc;
+
+ rc = cap_capable(cred, ns, cap, audit);
+ if (rc)
+ return rc;
+
+ return cred_has_capability(cred, cap, audit);
+}
+
+static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
+{
+ const struct cred *cred = current_cred();
+ int rc = 0;
+
+ if (!sb)
+ return 0;
+
+ switch (cmds) {
+ case Q_SYNC:
+ case Q_QUOTAON:
+ case Q_QUOTAOFF:
+ case Q_SETINFO:
+ case Q_SETQUOTA:
+ rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
+ break;
+ case Q_GETFMT:
+ case Q_GETINFO:
+ case Q_GETQUOTA:
+ rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
+ break;
+ default:
+ rc = 0; /* let the kernel handle invalid cmds */
+ break;
+ }
+ return rc;
+}
+
+static int selinux_quota_on(struct dentry *dentry)
+{
+ const struct cred *cred = current_cred();
+
+ return dentry_has_perm(cred, dentry, FILE__QUOTAON);
+}
+
+static int selinux_syslog(int type)
+{
+ int rc;
+
+ switch (type) {
+ case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
+ case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
+ rc = task_has_system(current, SYSTEM__SYSLOG_READ);
+ break;
+ case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
+ case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
+ /* Set level of messages printed to console */
+ case SYSLOG_ACTION_CONSOLE_LEVEL:
+ rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
+ break;
+ case SYSLOG_ACTION_CLOSE: /* Close log */
+ case SYSLOG_ACTION_OPEN: /* Open log */
+ case SYSLOG_ACTION_READ: /* Read from log */
+ case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
+ case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
+ default:
+ rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
+ break;
+ }
+ return rc;
+}
+
+/*
+ * Check that a process has enough memory to allocate a new virtual
+ * mapping. 0 means there is enough memory for the allocation to
+ * succeed and -ENOMEM implies there is not.
+ *
+ * Do not audit the selinux permission check, as this is applied to all
+ * processes that allocate mappings.
+ */
+static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
+{
+ int rc, cap_sys_admin = 0;
+
+ rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
+ SECURITY_CAP_NOAUDIT);
+ if (rc == 0)
+ cap_sys_admin = 1;
+
+ return __vm_enough_memory(mm, pages, cap_sys_admin);
+}
+
+/* binprm security operations */
+
+static int check_nnp_nosuid(const struct linux_binprm *bprm,
+ const struct task_security_struct *old_tsec,
+ const struct task_security_struct *new_tsec)
+{
+ int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
+ int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
+ int rc;
+
+ if (!nnp && !nosuid)
+ return 0; /* neither NNP nor nosuid */
+
+ if (new_tsec->sid == old_tsec->sid)
+ return 0; /* No change in credentials */
+
+ /*
+ * The only transitions we permit under NNP or nosuid
+ * are transitions to bounded SIDs, i.e. SIDs that are
+ * guaranteed to only be allowed a subset of the permissions
+ * of the current SID.
+ */
+ rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
+ if (rc) {
+ /*
+ * On failure, preserve the errno values for NNP vs nosuid.
+ * NNP: Operation not permitted for caller.
+ * nosuid: Permission denied to file.
+ */
+ if (nnp)
+ return -EPERM;
+ else
+ return -EACCES;
+ }
+ return 0;
+}
+
+static int selinux_bprm_set_creds(struct linux_binprm *bprm)
+{
+ const struct task_security_struct *old_tsec;
+ struct task_security_struct *new_tsec;
+ struct inode_security_struct *isec;
+ struct common_audit_data ad;
+ struct inode *inode = file_inode(bprm->file);
+ int rc;
+
+ rc = cap_bprm_set_creds(bprm);
+ if (rc)
+ return rc;
+
+ /* SELinux context only depends on initial program or script and not
+ * the script interpreter */
+ if (bprm->cred_prepared)
+ return 0;
+
+ old_tsec = current_security();
+ new_tsec = bprm->cred->security;
+ isec = inode->i_security;
+
+ /* Default to the current task SID. */
+ new_tsec->sid = old_tsec->sid;
+ new_tsec->osid = old_tsec->sid;
+
+ /* Reset fs, key, and sock SIDs on execve. */
+ new_tsec->create_sid = 0;
+ new_tsec->keycreate_sid = 0;
+ new_tsec->sockcreate_sid = 0;
+
+ if (old_tsec->exec_sid) {
+ new_tsec->sid = old_tsec->exec_sid;
+ /* Reset exec SID on execve. */
+ new_tsec->exec_sid = 0;
+
+ /* Fail on NNP or nosuid if not an allowed transition. */
+ rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
+ if (rc)
+ return rc;
+ } else {
+ /* Check for a default transition on this program. */
+ rc = security_transition_sid(old_tsec->sid, isec->sid,
+ SECCLASS_PROCESS, NULL,
+ &new_tsec->sid);
+ if (rc)
+ return rc;
+
+ /*
+ * Fallback to old SID on NNP or nosuid if not an allowed
+ * transition.
+ */
+ rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
+ if (rc)
+ new_tsec->sid = old_tsec->sid;
+ }
+
+ ad.type = LSM_AUDIT_DATA_PATH;
+ ad.u.path = bprm->file->f_path;
+
+ if (new_tsec->sid == old_tsec->sid) {
+ rc = avc_has_perm(old_tsec->sid, isec->sid,
+ SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
+ if (rc)
+ return rc;
+ } else {
+ /* Check permissions for the transition. */
+ rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
+ SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
+ if (rc)
+ return rc;
+
+ rc = avc_has_perm(new_tsec->sid, isec->sid,
+ SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
+ if (rc)
+ return rc;
+
+ /* Check for shared state */
+ if (bprm->unsafe & LSM_UNSAFE_SHARE) {
+ rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
+ SECCLASS_PROCESS, PROCESS__SHARE,
+ NULL);
+ if (rc)
+ return -EPERM;
+ }
+
+ /* Make sure that anyone attempting to ptrace over a task that
+ * changes its SID has the appropriate permit */
+ if (bprm->unsafe &
+ (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
+ struct task_struct *tracer;
+ struct task_security_struct *sec;
+ u32 ptsid = 0;
+
+ rcu_read_lock();
+ tracer = ptrace_parent(current);
+ if (likely(tracer != NULL)) {
+ sec = __task_cred(tracer)->security;
+ ptsid = sec->sid;
+ }
+ rcu_read_unlock();
+
+ if (ptsid != 0) {
+ rc = avc_has_perm(ptsid, new_tsec->sid,
+ SECCLASS_PROCESS,
+ PROCESS__PTRACE, NULL);
+ if (rc)
+ return -EPERM;
+ }
+ }
+
+ /* Clear any possibly unsafe personality bits on exec: */
+ bprm->per_clear |= PER_CLEAR_ON_SETID;
+ }
+
+ return 0;
+}
+
+static int selinux_bprm_secureexec(struct linux_binprm *bprm)
+{
+ const struct task_security_struct *tsec = current_security();
+ u32 sid, osid;
+ int atsecure = 0;
+
+ sid = tsec->sid;
+ osid = tsec->osid;
+
+ if (osid != sid) {
+ /* Enable secure mode for SIDs transitions unless
+ the noatsecure permission is granted between
+ the two SIDs, i.e. ahp returns 0. */
+ atsecure = avc_has_perm(osid, sid,
+ SECCLASS_PROCESS,
+ PROCESS__NOATSECURE, NULL);
+ }
+
+ return (atsecure || cap_bprm_secureexec(bprm));
+}
+
+static int match_file(const void *p, struct file *file, unsigned fd)
+{
+ return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
+}
+
+/* Derived from fs/exec.c:flush_old_files. */
+static inline void flush_unauthorized_files(const struct cred *cred,
+ struct files_struct *files)
+{
+ struct file *file, *devnull = NULL;
+ struct tty_struct *tty;
+ int drop_tty = 0;
+ unsigned n;
+
+ tty = get_current_tty();
+ if (tty) {
+ spin_lock(&tty_files_lock);
+ if (!list_empty(&tty->tty_files)) {
+ struct tty_file_private *file_priv;
+
+ /* Revalidate access to controlling tty.
+ Use file_path_has_perm on the tty path directly
+ rather than using file_has_perm, as this particular
+ open file may belong to another process and we are
+ only interested in the inode-based check here. */
+ file_priv = list_first_entry(&tty->tty_files,
+ struct tty_file_private, list);
+ file = file_priv->file;
+ if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
+ drop_tty = 1;
+ }
+ spin_unlock(&tty_files_lock);
+ tty_kref_put(tty);
+ }
+ /* Reset controlling tty. */
+ if (drop_tty)
+ no_tty();
+
+ /* Revalidate access to inherited open files. */
+ n = iterate_fd(files, 0, match_file, cred);
+ if (!n) /* none found? */
+ return;
+
+ devnull = dentry_open(&selinux_null, O_RDWR, cred);
+ if (IS_ERR(devnull))
+ devnull = NULL;
+ /* replace all the matching ones with this */
+ do {
+ replace_fd(n - 1, devnull, 0);
+ } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
+ if (devnull)
+ fput(devnull);
+}
+
+/*
+ * Prepare a process for imminent new credential changes due to exec
+ */
+static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
+{
+ struct task_security_struct *new_tsec;
+ struct rlimit *rlim, *initrlim;
+ int rc, i;
+
+ new_tsec = bprm->cred->security;
+ if (new_tsec->sid == new_tsec->osid)
+ return;
+
+ /* Close files for which the new task SID is not authorized. */
+ flush_unauthorized_files(bprm->cred, current->files);
+
+ /* Always clear parent death signal on SID transitions. */
+ current->pdeath_signal = 0;
+
+ /* Check whether the new SID can inherit resource limits from the old
+ * SID. If not, reset all soft limits to the lower of the current
+ * task's hard limit and the init task's soft limit.
+ *
+ * Note that the setting of hard limits (even to lower them) can be
+ * controlled by the setrlimit check. The inclusion of the init task's
+ * soft limit into the computation is to avoid resetting soft limits
+ * higher than the default soft limit for cases where the default is
+ * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
+ */
+ rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
+ PROCESS__RLIMITINH, NULL);
+ if (rc) {
+ /* protect against do_prlimit() */
+ task_lock(current);
+ for (i = 0; i < RLIM_NLIMITS; i++) {
+ rlim = current->signal->rlim + i;
+ initrlim = init_task.signal->rlim + i;
+ rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
+ }
+ task_unlock(current);
+ update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
+ }
+}
+
+/*
+ * Clean up the process immediately after the installation of new credentials
+ * due to exec
+ */
+static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
+{
+ const struct task_security_struct *tsec = current_security();
+ struct itimerval itimer;
+ u32 osid, sid;
+ int rc, i;
+
+ osid = tsec->osid;
+ sid = tsec->sid;
+
+ if (sid == osid)
+ return;
+
+ /* Check whether the new SID can inherit signal state from the old SID.
+ * If not, clear itimers to avoid subsequent signal generation and
+ * flush and unblock signals.
+ *
+ * This must occur _after_ the task SID has been updated so that any
+ * kill done after the flush will be checked against the new SID.
+ */
+ rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
+ if (rc) {
+ memset(&itimer, 0, sizeof itimer);
+ for (i = 0; i < 3; i++)
+ do_setitimer(i, &itimer, NULL);
+ spin_lock_irq(&current->sighand->siglock);
+ if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
+ __flush_signals(current);
+ flush_signal_handlers(current, 1);
+ sigemptyset(&current->blocked);
+ }
+ spin_unlock_irq(&current->sighand->siglock);
+ }
+
+ /* Wake up the parent if it is waiting so that it can recheck
+ * wait permission to the new task SID. */
+ read_lock(&tasklist_lock);
+ __wake_up_parent(current, current->real_parent);
+ read_unlock(&tasklist_lock);
+}
+
+/* superblock security operations */
+
+static int selinux_sb_alloc_security(struct super_block *sb)
+{
+ return superblock_alloc_security(sb);
+}
+
+static void selinux_sb_free_security(struct super_block *sb)
+{
+ superblock_free_security(sb);
+}
+
+static inline int match_prefix(char *prefix, int plen, char *option, int olen)
+{
+ if (plen > olen)
+ return 0;
+
+ return !memcmp(prefix, option, plen);
+}
+
+static inline int selinux_option(char *option, int len)
+{
+ return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
+ match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
+ match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
+ match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
+ match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
+}
+
+static inline void take_option(char **to, char *from, int *first, int len)
+{
+ if (!*first) {
+ **to = ',';
+ *to += 1;
+ } else
+ *first = 0;
+ memcpy(*to, from, len);
+ *to += len;
+}
+
+static inline void take_selinux_option(char **to, char *from, int *first,
+ int len)
+{
+ int current_size = 0;
+
+ if (!*first) {
+ **to = '|';
+ *to += 1;
+ } else
+ *first = 0;
+
+ while (current_size < len) {
+ if (*from != '"') {
+ **to = *from;
+ *to += 1;
+ }
+ from += 1;
+ current_size += 1;
+ }
+}
+
+static int selinux_sb_copy_data(char *orig, char *copy)
+{
+ int fnosec, fsec, rc = 0;
+ char *in_save, *in_curr, *in_end;
+ char *sec_curr, *nosec_save, *nosec;
+ int open_quote = 0;
+
+ in_curr = orig;
+ sec_curr = copy;
+
+ nosec = (char *)get_zeroed_page(GFP_KERNEL);
+ if (!nosec) {
+ rc = -ENOMEM;
+ goto out;
+ }
+
+ nosec_save = nosec;
+ fnosec = fsec = 1;
+ in_save = in_end = orig;
+
+ do {
+ if (*in_end == '"')
+ open_quote = !open_quote;
+ if ((*in_end == ',' && open_quote == 0) ||
+ *in_end == '\0') {
+ int len = in_end - in_curr;
+
+ if (selinux_option(in_curr, len))
+ take_selinux_option(&sec_curr, in_curr, &fsec, len);
+ else
+ take_option(&nosec, in_curr, &fnosec, len);
+
+ in_curr = in_end + 1;
+ }
+ } while (*in_end++);
+
+ strcpy(in_save, nosec_save);
+ free_page((unsigned long)nosec_save);
+out:
+ return rc;
+}
+
+static int selinux_sb_remount(struct super_block *sb, void *data)
+{
+ int rc, i, *flags;
+ struct security_mnt_opts opts;
+ char *secdata, **mount_options;
+ struct superblock_security_struct *sbsec = sb->s_security;
+
+ if (!(sbsec->flags & SE_SBINITIALIZED))
+ return 0;
+
+ if (!data)
+ return 0;
+
+ if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
+ return 0;
+
+ security_init_mnt_opts(&opts);
+ secdata = alloc_secdata();
+ if (!secdata)
+ return -ENOMEM;
+ rc = selinux_sb_copy_data(data, secdata);
+ if (rc)
+ goto out_free_secdata;
+
+ rc = selinux_parse_opts_str(secdata, &opts);
+ if (rc)
+ goto out_free_secdata;
+
+ mount_options = opts.mnt_opts;
+ flags = opts.mnt_opts_flags;
+
+ for (i = 0; i < opts.num_mnt_opts; i++) {
+ u32 sid;
+ size_t len;
+
+ if (flags[i] == SBLABEL_MNT)
+ continue;
+ len = strlen(mount_options[i]);
+ rc = security_context_to_sid(mount_options[i], len, &sid,
+ GFP_KERNEL);
+ if (rc) {
+ printk(KERN_WARNING "SELinux: security_context_to_sid"
+ "(%s) failed for (dev %s, type %s) errno=%d\n",
+ mount_options[i], sb->s_id, sb->s_type->name, rc);
+ goto out_free_opts;
+ }
+ rc = -EINVAL;
+ switch (flags[i]) {
+ case FSCONTEXT_MNT:
+ if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
+ goto out_bad_option;
+ break;
+ case CONTEXT_MNT:
+ if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
+ goto out_bad_option;
+ break;
+ case ROOTCONTEXT_MNT: {
+ struct inode_security_struct *root_isec;
+ root_isec = d_backing_inode(sb->s_root)->i_security;
+
+ if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
+ goto out_bad_option;
+ break;
+ }
+ case DEFCONTEXT_MNT:
+ if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
+ goto out_bad_option;
+ break;
+ default:
+ goto out_free_opts;
+ }
+ }
+
+ rc = 0;
+out_free_opts:
+ security_free_mnt_opts(&opts);
+out_free_secdata:
+ free_secdata(secdata);
+ return rc;
+out_bad_option:
+ printk(KERN_WARNING "SELinux: unable to change security options "
+ "during remount (dev %s, type=%s)\n", sb->s_id,
+ sb->s_type->name);
+ goto out_free_opts;
+}
+
+static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
+{
+ const struct cred *cred = current_cred();
+ struct common_audit_data ad;
+ int rc;
+
+ rc = superblock_doinit(sb, data);
+ if (rc)
+ return rc;
+
+ /* Allow all mounts performed by the kernel */
+ if (flags & MS_KERNMOUNT)
+ return 0;
+
+ ad.type = LSM_AUDIT_DATA_DENTRY;
+ ad.u.dentry = sb->s_root;
+ return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
+}
+
+static int selinux_sb_statfs(struct dentry *dentry)
+{
+ const struct cred *cred = current_cred();
+ struct common_audit_data ad;
+
+ ad.type = LSM_AUDIT_DATA_DENTRY;
+ ad.u.dentry = dentry->d_sb->s_root;
+ return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
+}
+
+static int selinux_mount(const char *dev_name,
+ struct path *path,
+ const char *type,
+ unsigned long flags,
+ void *data)
+{
+ const struct cred *cred = current_cred();
+
+ if (flags & MS_REMOUNT)
+ return superblock_has_perm(cred, path->dentry->d_sb,
+ FILESYSTEM__REMOUNT, NULL);
+ else
+ return path_has_perm(cred, path, FILE__MOUNTON);
+}
+
+static int selinux_umount(struct vfsmount *mnt, int flags)
+{
+ const struct cred *cred = current_cred();
+
+ return superblock_has_perm(cred, mnt->mnt_sb,
+ FILESYSTEM__UNMOUNT, NULL);
+}
+
+/* inode security operations */
+
+static int selinux_inode_alloc_security(struct inode *inode)
+{
+ return inode_alloc_security(inode);
+}
+
+static void selinux_inode_free_security(struct inode *inode)
+{
+ inode_free_security(inode);
+}
+
+static int selinux_dentry_init_security(struct dentry *dentry, int mode,
+ struct qstr *name, void **ctx,
+ u32 *ctxlen)
+{
+ const struct cred *cred = current_cred();
+ struct task_security_struct *tsec;
+ struct inode_security_struct *dsec;
+ struct superblock_security_struct *sbsec;
+ struct inode *dir = d_backing_inode(dentry->d_parent);
+ u32 newsid;
+ int rc;
+
+ tsec = cred->security;
+ dsec = dir->i_security;
+ sbsec = dir->i_sb->s_security;
+
+ if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
+ newsid = tsec->create_sid;
+ } else {
+ rc = security_transition_sid(tsec->sid, dsec->sid,
+ inode_mode_to_security_class(mode),
+ name,
+ &newsid);
+ if (rc) {
+ printk(KERN_WARNING
+ "%s: security_transition_sid failed, rc=%d\n",
+ __func__, -rc);
+ return rc;
+ }
+ }
+
+ return security_sid_to_context(newsid, (char **)ctx, ctxlen);
+}
+
+static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
+ const struct qstr *qstr,
+ const char **name,
+ void **value, size_t *len)
+{
+ const struct task_security_struct *tsec = current_security();
+ struct inode_security_struct *dsec;
+ struct superblock_security_struct *sbsec;
+ u32 sid, newsid, clen;
+ int rc;
+ char *context;
+
+ dsec = dir->i_security;
+ sbsec = dir->i_sb->s_security;
+
+ sid = tsec->sid;
+ newsid = tsec->create_sid;
+
+ if ((sbsec->flags & SE_SBINITIALIZED) &&
+ (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
+ newsid = sbsec->mntpoint_sid;
+ else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
+ rc = security_transition_sid(sid, dsec->sid,
+ inode_mode_to_security_class(inode->i_mode),
+ qstr, &newsid);
+ if (rc) {
+ printk(KERN_WARNING "%s: "
+ "security_transition_sid failed, rc=%d (dev=%s "
+ "ino=%ld)\n",
+ __func__,
+ -rc, inode->i_sb->s_id, inode->i_ino);
+ return rc;
+ }
+ }
+
+ /* Possibly defer initialization to selinux_complete_init. */
+ if (sbsec->flags & SE_SBINITIALIZED) {
+ struct inode_security_struct *isec = inode->i_security;
+ isec->sclass = inode_mode_to_security_class(inode->i_mode);
+ isec->sid = newsid;
+ isec->initialized = 1;
+ }
+
+ if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
+ return -EOPNOTSUPP;
+
+ if (name)
+ *name = XATTR_SELINUX_SUFFIX;
+
+ if (value && len) {
+ rc = security_sid_to_context_force(newsid, &context, &clen);
+ if (rc)
+ return rc;
+ *value = context;
+ *len = clen;
+ }
+
+ return 0;
+}
+
+static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
+{
+ return may_create(dir, dentry, SECCLASS_FILE);
+}
+
+static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
+{
+ return may_link(dir, old_dentry, MAY_LINK);
+}
+
+static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
+{
+ return may_link(dir, dentry, MAY_UNLINK);
+}
+
+static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
+{
+ return may_create(dir, dentry, SECCLASS_LNK_FILE);
+}
+
+static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
+{
+ return may_create(dir, dentry, SECCLASS_DIR);
+}
+
+static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
+{
+ return may_link(dir, dentry, MAY_RMDIR);
+}
+
+static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
+{
+ return may_create(dir, dentry, inode_mode_to_security_class(mode));
+}
+
+static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
+ struct inode *new_inode, struct dentry *new_dentry)
+{
+ return may_rename(old_inode, old_dentry, new_inode, new_dentry);
+}
+
+static int selinux_inode_readlink(struct dentry *dentry)
+{
+ const struct cred *cred = current_cred();
+
+ return dentry_has_perm(cred, dentry, FILE__READ);
+}
+
+static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
+{
+ const struct cred *cred = current_cred();
+
+ return dentry_has_perm(cred, dentry, FILE__READ);
+}
+
+static noinline int audit_inode_permission(struct inode *inode,
+ u32 perms, u32 audited, u32 denied,
+ int result,
+ unsigned flags)
+{
+ struct common_audit_data ad;
+ struct inode_security_struct *isec = inode->i_security;
+ int rc;
+
+ ad.type = LSM_AUDIT_DATA_INODE;
+ ad.u.inode = inode;
+
+ rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
+ audited, denied, result, &ad, flags);
+ if (rc)
+ return rc;
+ return 0;
+}
+
+static int selinux_inode_permission(struct inode *inode, int mask)
+{
+ const struct cred *cred = current_cred();
+ u32 perms;
+ bool from_access;
+ unsigned flags = mask & MAY_NOT_BLOCK;
+ struct inode_security_struct *isec;
+ u32 sid;
+ struct av_decision avd;
+ int rc, rc2;
+ u32 audited, denied;
+
+ from_access = mask & MAY_ACCESS;
+ mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
+
+ /* No permission to check. Existence test. */
+ if (!mask)
+ return 0;
+
+ validate_creds(cred);
+
+ if (unlikely(IS_PRIVATE(inode)))
+ return 0;
+
+ perms = file_mask_to_av(inode->i_mode, mask);
+
+ sid = cred_sid(cred);
+ isec = inode->i_security;
+
+ rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
+ audited = avc_audit_required(perms, &avd, rc,
+ from_access ? FILE__AUDIT_ACCESS : 0,
+ &denied);
+ if (likely(!audited))
+ return rc;
+
+ rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
+ if (rc2)
+ return rc2;
+ return rc;
+}
+
+static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
+{
+ const struct cred *cred = current_cred();
+ unsigned int ia_valid = iattr->ia_valid;
+ __u32 av = FILE__WRITE;
+
+ /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
+ if (ia_valid & ATTR_FORCE) {
+ ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
+ ATTR_FORCE);
+ if (!ia_valid)
+ return 0;
+ }
+
+ if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
+ ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
+ return dentry_has_perm(cred, dentry, FILE__SETATTR);
+
+ if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
+ av |= FILE__OPEN;
+
+ return dentry_has_perm(cred, dentry, av);
+}
+
+static int selinux_inode_getattr(const struct path *path)
+{
+ return path_has_perm(current_cred(), path, FILE__GETATTR);
+}
+
+static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
+{
+ const struct cred *cred = current_cred();
+
+ if (!strncmp(name, XATTR_SECURITY_PREFIX,
+ sizeof XATTR_SECURITY_PREFIX - 1)) {
+ if (!strcmp(name, XATTR_NAME_CAPS)) {
+ if (!capable(CAP_SETFCAP))
+ return -EPERM;
+ } else if (!capable(CAP_SYS_ADMIN)) {
+ /* A different attribute in the security namespace.
+ Restrict to administrator. */
+ return -EPERM;
+ }
+ }
+
+ /* Not an attribute we recognize, so just check the
+ ordinary setattr permission. */
+ return dentry_has_perm(cred, dentry, FILE__SETATTR);
+}
+
+static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
+ const void *value, size_t size, int flags)
+{
+ struct inode *inode = d_backing_inode(dentry);
+ struct inode_security_struct *isec = inode->i_security;
+ struct superblock_security_struct *sbsec;
+ struct common_audit_data ad;
+ u32 newsid, sid = current_sid();
+ int rc = 0;
+
+ if (strcmp(name, XATTR_NAME_SELINUX))
+ return selinux_inode_setotherxattr(dentry, name);
+
+ sbsec = inode->i_sb->s_security;
+ if (!(sbsec->flags & SBLABEL_MNT))
+ return -EOPNOTSUPP;
+
+ if (!inode_owner_or_capable(inode))
+ return -EPERM;
+
+ ad.type = LSM_AUDIT_DATA_DENTRY;
+ ad.u.dentry = dentry;
+
+ rc = avc_has_perm(sid, isec->sid, isec->sclass,
+ FILE__RELABELFROM, &ad);
+ if (rc)
+ return rc;
+
+ rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
+ if (rc == -EINVAL) {
+ if (!capable(CAP_MAC_ADMIN)) {
+ struct audit_buffer *ab;
+ size_t audit_size;
+ const char *str;
+
+ /* We strip a nul only if it is at the end, otherwise the
+ * context contains a nul and we should audit that */
+ if (value) {
+ str = value;
+ if (str[size - 1] == '\0')
+ audit_size = size - 1;
+ else
+ audit_size = size;
+ } else {
+ str = "";
+ audit_size = 0;
+ }
+ ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
+ audit_log_format(ab, "op=setxattr invalid_context=");
+ audit_log_n_untrustedstring(ab, value, audit_size);
+ audit_log_end(ab);
+
+ return rc;
+ }
+ rc = security_context_to_sid_force(value, size, &newsid);
+ }
+ if (rc)
+ return rc;
+
+ rc = avc_has_perm(sid, newsid, isec->sclass,
+ FILE__RELABELTO, &ad);
+ if (rc)
+ return rc;
+
+ rc = security_validate_transition(isec->sid, newsid, sid,
+ isec->sclass);
+ if (rc)
+ return rc;
+
+ return avc_has_perm(newsid,
+ sbsec->sid,
+ SECCLASS_FILESYSTEM,
+ FILESYSTEM__ASSOCIATE,
+ &ad);
+}
+
+static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
+ const void *value, size_t size,
+ int flags)
+{
+ struct inode *inode = d_backing_inode(dentry);
+ struct inode_security_struct *isec = inode->i_security;
+ u32 newsid;
+ int rc;
+
+ if (strcmp(name, XATTR_NAME_SELINUX)) {
+ /* Not an attribute we recognize, so nothing to do. */
+ return;
+ }
+
+ rc = security_context_to_sid_force(value, size, &newsid);
+ if (rc) {
+ printk(KERN_ERR "SELinux: unable to map context to SID"
+ "for (%s, %lu), rc=%d\n",
+ inode->i_sb->s_id, inode->i_ino, -rc);
+ return;
+ }
+
+ isec->sclass = inode_mode_to_security_class(inode->i_mode);
+ isec->sid = newsid;
+ isec->initialized = 1;
+
+ return;
+}
+
+static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
+{
+ const struct cred *cred = current_cred();
+
+ return dentry_has_perm(cred, dentry, FILE__GETATTR);
+}
+
+static int selinux_inode_listxattr(struct dentry *dentry)
+{
+ const struct cred *cred = current_cred();
+
+ return dentry_has_perm(cred, dentry, FILE__GETATTR);
+}
+
+static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
+{
+ if (strcmp(name, XATTR_NAME_SELINUX))
+ return selinux_inode_setotherxattr(dentry, name);
+
+ /* No one is allowed to remove a SELinux security label.
+ You can change the label, but all data must be labeled. */
+ return -EACCES;
+}
+
+/*
+ * Copy the inode security context value to the user.
+ *
+ * Permission check is handled by selinux_inode_getxattr hook.
+ */
+static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
+{
+ u32 size;
+ int error;
+ char *context = NULL;
+ struct inode_security_struct *isec = inode->i_security;
+
+ if (strcmp(name, XATTR_SELINUX_SUFFIX))
+ return -EOPNOTSUPP;
+
+ /*
+ * If the caller has CAP_MAC_ADMIN, then get the raw context
+ * value even if it is not defined by current policy; otherwise,
+ * use the in-core value under current policy.
+ * Use the non-auditing forms of the permission checks since
+ * getxattr may be called by unprivileged processes commonly
+ * and lack of permission just means that we fall back to the
+ * in-core context value, not a denial.
+ */
+ error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
+ SECURITY_CAP_NOAUDIT);
+ if (!error)
+ error = security_sid_to_context_force(isec->sid, &context,
+ &size);
+ else
+ error = security_sid_to_context(isec->sid, &context, &size);
+ if (error)
+ return error;
+ error = size;
+ if (alloc) {
+ *buffer = context;
+ goto out_nofree;
+ }
+ kfree(context);
+out_nofree:
+ return error;
+}
+
+static int selinux_inode_setsecurity(struct inode *inode, const char *name,
+ const void *value, size_t size, int flags)
+{
+ struct inode_security_struct *isec = inode->i_security;
+ u32 newsid;
+ int rc;
+
+ if (strcmp(name, XATTR_SELINUX_SUFFIX))
+ return -EOPNOTSUPP;
+
+ if (!value || !size)
+ return -EACCES;
+
+ rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL);
+ if (rc)
+ return rc;
+
+ isec->sclass = inode_mode_to_security_class(inode->i_mode);
+ isec->sid = newsid;
+ isec->initialized = 1;
+ return 0;
+}
+
+static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
+{
+ const int len = sizeof(XATTR_NAME_SELINUX);
+ if (buffer && len <= buffer_size)
+ memcpy(buffer, XATTR_NAME_SELINUX, len);
+ return len;
+}
+
+static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
+{
+ struct inode_security_struct *isec = inode->i_security;
+ *secid = isec->sid;
+}
+
+/* file security operations */
+
+static int selinux_revalidate_file_permission(struct file *file, int mask)
+{
+ const struct cred *cred = current_cred();
+ struct inode *inode = file_inode(file);
+
+ /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
+ if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
+ mask |= MAY_APPEND;
+
+ return file_has_perm(cred, file,
+ file_mask_to_av(inode->i_mode, mask));
+}
+
+static int selinux_file_permission(struct file *file, int mask)
+{
+ struct inode *inode = file_inode(file);
+ struct file_security_struct *fsec = file->f_security;
+ struct inode_security_struct *isec = inode->i_security;
+ u32 sid = current_sid();
+
+ if (!mask)
+ /* No permission to check. Existence test. */
+ return 0;
+
+ if (sid == fsec->sid && fsec->isid == isec->sid &&
+ fsec->pseqno == avc_policy_seqno())
+ /* No change since file_open check. */
+ return 0;
+
+ return selinux_revalidate_file_permission(file, mask);
+}
+
+static int selinux_file_alloc_security(struct file *file)
+{
+ return file_alloc_security(file);
+}
+
+static void selinux_file_free_security(struct file *file)
+{
+ file_free_security(file);
+}
+
+static int selinux_file_ioctl(struct file *file, unsigned int cmd,
+ unsigned long arg)
+{
+ const struct cred *cred = current_cred();
+ int error = 0;
+
+ switch (cmd) {
+ case FIONREAD:
+ /* fall through */
+ case FIBMAP:
+ /* fall through */
+ case FIGETBSZ:
+ /* fall through */
+ case FS_IOC_GETFLAGS:
+ /* fall through */
+ case FS_IOC_GETVERSION:
+ error = file_has_perm(cred, file, FILE__GETATTR);
+ break;
+
+ case FS_IOC_SETFLAGS:
+ /* fall through */
+ case FS_IOC_SETVERSION:
+ error = file_has_perm(cred, file, FILE__SETATTR);
+ break;
+
+ /* sys_ioctl() checks */
+ case FIONBIO:
+ /* fall through */
+ case FIOASYNC:
+ error = file_has_perm(cred, file, 0);
+ break;
+
+ case KDSKBENT:
+ case KDSKBSENT:
+ error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
+ SECURITY_CAP_AUDIT);
+ break;
+
+ /* default case assumes that the command will go
+ * to the file's ioctl() function.
+ */
+ default:
+ error = file_has_perm(cred, file, FILE__IOCTL);
+ }
+ return error;
+}
+
+static int default_noexec;
+
+static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
+{
+ const struct cred *cred = current_cred();
+ int rc = 0;
+
+ if (default_noexec &&
+ (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
+ /*
+ * We are making executable an anonymous mapping or a
+ * private file mapping that will also be writable.
+ * This has an additional check.
+ */
+ rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
+ if (rc)
+ goto error;
+ }
+
+ if (file) {
+ /* read access is always possible with a mapping */
+ u32 av = FILE__READ;
+
+ /* write access only matters if the mapping is shared */
+ if (shared && (prot & PROT_WRITE))
+ av |= FILE__WRITE;
+
+ if (prot & PROT_EXEC)
+ av |= FILE__EXECUTE;
+
+ return file_has_perm(cred, file, av);
+ }
+
+error:
+ return rc;
+}
+
+static int selinux_mmap_addr(unsigned long addr)
+{
+ int rc;
+
+ /* do DAC check on address space usage */
+ rc = cap_mmap_addr(addr);
+ if (rc)
+ return rc;
+
+ if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
+ u32 sid = current_sid();
+ rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
+ MEMPROTECT__MMAP_ZERO, NULL);
+ }
+
+ return rc;
+}
+
+static int selinux_mmap_file(struct file *file, unsigned long reqprot,
+ unsigned long prot, unsigned long flags)
+{
+ if (selinux_checkreqprot)
+ prot = reqprot;
+
+ return file_map_prot_check(file, prot,
+ (flags & MAP_TYPE) == MAP_SHARED);
+}
+
+static int selinux_file_mprotect(struct vm_area_struct *vma,
+ unsigned long reqprot,
+ unsigned long prot)
+{
+ const struct cred *cred = current_cred();
+
+ if (selinux_checkreqprot)
+ prot = reqprot;
+
+ if (default_noexec &&
+ (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
+ int rc = 0;
+ if (vma->vm_start >= vma->vm_mm->start_brk &&
+ vma->vm_end <= vma->vm_mm->brk) {
+ rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
+ } else if (!vma->vm_file &&
+ vma->vm_start <= vma->vm_mm->start_stack &&
+ vma->vm_end >= vma->vm_mm->start_stack) {
+ rc = current_has_perm(current, PROCESS__EXECSTACK);
+ } else if (vma->vm_file && vma->anon_vma) {
+ /*
+ * We are making executable a file mapping that has
+ * had some COW done. Since pages might have been
+ * written, check ability to execute the possibly
+ * modified content. This typically should only
+ * occur for text relocations.
+ */
+ rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
+ }
+ if (rc)
+ return rc;
+ }
+
+ return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
+}
+
+static int selinux_file_lock(struct file *file, unsigned int cmd)
+{
+ const struct cred *cred = current_cred();
+
+ return file_has_perm(cred, file, FILE__LOCK);
+}
+
+static int selinux_file_fcntl(struct file *file, unsigned int cmd,
+ unsigned long arg)
+{
+ const struct cred *cred = current_cred();
+ int err = 0;
+
+ switch (cmd) {
+ case F_SETFL:
+ if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
+ err = file_has_perm(cred, file, FILE__WRITE);
+ break;
+ }
+ /* fall through */
+ case F_SETOWN:
+ case F_SETSIG:
+ case F_GETFL:
+ case F_GETOWN:
+ case F_GETSIG:
+ case F_GETOWNER_UIDS:
+ /* Just check FD__USE permission */
+ err = file_has_perm(cred, file, 0);
+ break;
+ case F_GETLK:
+ case F_SETLK:
+ case F_SETLKW:
+ case F_OFD_GETLK:
+ case F_OFD_SETLK:
+ case F_OFD_SETLKW:
+#if BITS_PER_LONG == 32
+ case F_GETLK64:
+ case F_SETLK64:
+ case F_SETLKW64:
+#endif
+ err = file_has_perm(cred, file, FILE__LOCK);
+ break;
+ }
+
+ return err;
+}
+
+static void selinux_file_set_fowner(struct file *file)
+{
+ struct file_security_struct *fsec;
+
+ fsec = file->f_security;
+ fsec->fown_sid = current_sid();
+}
+
+static int selinux_file_send_sigiotask(struct task_struct *tsk,
+ struct fown_struct *fown, int signum)
+{
+ struct file *file;
+ u32 sid = task_sid(tsk);
+ u32 perm;
+ struct file_security_struct *fsec;
+
+ /* struct fown_struct is never outside the context of a struct file */
+ file = container_of(fown, struct file, f_owner);
+
+ fsec = file->f_security;
+
+ if (!signum)
+ perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
+ else
+ perm = signal_to_av(signum);
+
+ return avc_has_perm(fsec->fown_sid, sid,
+ SECCLASS_PROCESS, perm, NULL);
+}
+
+static int selinux_file_receive(struct file *file)
+{
+ const struct cred *cred = current_cred();
+
+ return file_has_perm(cred, file, file_to_av(file));
+}
+
+static int selinux_file_open(struct file *file, const struct cred *cred)
+{
+ struct file_security_struct *fsec;
+ struct inode_security_struct *isec;
+
+ fsec = file->f_security;
+ isec = file_inode(file)->i_security;
+ /*
+ * Save inode label and policy sequence number
+ * at open-time so that selinux_file_permission
+ * can determine whether revalidation is necessary.
+ * Task label is already saved in the file security
+ * struct as its SID.
+ */
+ fsec->isid = isec->sid;
+ fsec->pseqno = avc_policy_seqno();
+ /*
+ * Since the inode label or policy seqno may have changed
+ * between the selinux_inode_permission check and the saving
+ * of state above, recheck that access is still permitted.
+ * Otherwise, access might never be revalidated against the
+ * new inode label or new policy.
+ * This check is not redundant - do not remove.
+ */
+ return file_path_has_perm(cred, file, open_file_to_av(file));
+}
+
+/* task security operations */
+
+static int selinux_task_create(unsigned long clone_flags)
+{
+ return current_has_perm(current, PROCESS__FORK);
+}
+
+/*
+ * allocate the SELinux part of blank credentials
+ */
+static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
+{
+ struct task_security_struct *tsec;
+
+ tsec = kzalloc(sizeof(struct task_security_struct), gfp);
+ if (!tsec)
+ return -ENOMEM;
+
+ cred->security = tsec;
+ return 0;
+}
+
+/*
+ * detach and free the LSM part of a set of credentials
+ */
+static void selinux_cred_free(struct cred *cred)
+{
+ struct task_security_struct *tsec = cred->security;
+
+ /*
+ * cred->security == NULL if security_cred_alloc_blank() or
+ * security_prepare_creds() returned an error.
+ */
+ BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
+ cred->security = (void *) 0x7UL;
+ kfree(tsec);
+}
+
+/*
+ * prepare a new set of credentials for modification
+ */
+static int selinux_cred_prepare(struct cred *new, const struct cred *old,
+ gfp_t gfp)
+{
+ const struct task_security_struct *old_tsec;
+ struct task_security_struct *tsec;
+
+ old_tsec = old->security;
+
+ tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
+ if (!tsec)
+ return -ENOMEM;
+
+ new->security = tsec;
+ return 0;
+}
+
+/*
+ * transfer the SELinux data to a blank set of creds
+ */
+static void selinux_cred_transfer(struct cred *new, const struct cred *old)
+{
+ const struct task_security_struct *old_tsec = old->security;
+ struct task_security_struct *tsec = new->security;
+
+ *tsec = *old_tsec;
+}
+
+/*
+ * set the security data for a kernel service
+ * - all the creation contexts are set to unlabelled
+ */
+static int selinux_kernel_act_as(struct cred *new, u32 secid)
+{
+ struct task_security_struct *tsec = new->security;
+ u32 sid = current_sid();
+ int ret;
+
+ ret = avc_has_perm(sid, secid,
+ SECCLASS_KERNEL_SERVICE,
+ KERNEL_SERVICE__USE_AS_OVERRIDE,
+ NULL);
+ if (ret == 0) {
+ tsec->sid = secid;
+ tsec->create_sid = 0;
+ tsec->keycreate_sid = 0;
+ tsec->sockcreate_sid = 0;
+ }
+ return ret;
+}
+
+/*
+ * set the file creation context in a security record to the same as the
+ * objective context of the specified inode
+ */
+static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
+{
+ struct inode_security_struct *isec = inode->i_security;
+ struct task_security_struct *tsec = new->security;
+ u32 sid = current_sid();
+ int ret;
+
+ ret = avc_has_perm(sid, isec->sid,
+ SECCLASS_KERNEL_SERVICE,
+ KERNEL_SERVICE__CREATE_FILES_AS,
+ NULL);
+
+ if (ret == 0)
+ tsec->create_sid = isec->sid;
+ return ret;
+}
+
+static int selinux_kernel_module_request(char *kmod_name)
+{
+ u32 sid;
+ struct common_audit_data ad;
+
+ sid = task_sid(current);
+
+ ad.type = LSM_AUDIT_DATA_KMOD;
+ ad.u.kmod_name = kmod_name;
+
+ return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
+ SYSTEM__MODULE_REQUEST, &ad);
+}
+
+static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
+{
+ return current_has_perm(p, PROCESS__SETPGID);
+}
+
+static int selinux_task_getpgid(struct task_struct *p)
+{
+ return current_has_perm(p, PROCESS__GETPGID);
+}
+
+static int selinux_task_getsid(struct task_struct *p)
+{
+ return current_has_perm(p, PROCESS__GETSESSION);
+}
+
+static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
+{
+ *secid = task_sid(p);
+}
+
+static int selinux_task_setnice(struct task_struct *p, int nice)
+{
+ int rc;
+
+ rc = cap_task_setnice(p, nice);
+ if (rc)
+ return rc;
+
+ return current_has_perm(p, PROCESS__SETSCHED);
+}
+
+static int selinux_task_setioprio(struct task_struct *p, int ioprio)
+{
+ int rc;
+
+ rc = cap_task_setioprio(p, ioprio);
+ if (rc)
+ return rc;
+
+ return current_has_perm(p, PROCESS__SETSCHED);
+}
+
+static int selinux_task_getioprio(struct task_struct *p)
+{
+ return current_has_perm(p, PROCESS__GETSCHED);
+}
+
+static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
+ struct rlimit *new_rlim)
+{
+ struct rlimit *old_rlim = p->signal->rlim + resource;
+
+ /* Control the ability to change the hard limit (whether
+ lowering or raising it), so that the hard limit can
+ later be used as a safe reset point for the soft limit
+ upon context transitions. See selinux_bprm_committing_creds. */
+ if (old_rlim->rlim_max != new_rlim->rlim_max)
+ return current_has_perm(p, PROCESS__SETRLIMIT);
+
+ return 0;
+}
+
+static int selinux_task_setscheduler(struct task_struct *p)
+{
+ int rc;
+
+ rc = cap_task_setscheduler(p);
+ if (rc)
+ return rc;
+
+ return current_has_perm(p, PROCESS__SETSCHED);
+}
+
+static int selinux_task_getscheduler(struct task_struct *p)
+{
+ return current_has_perm(p, PROCESS__GETSCHED);
+}
+
+static int selinux_task_movememory(struct task_struct *p)
+{
+ return current_has_perm(p, PROCESS__SETSCHED);
+}
+
+static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
+ int sig, u32 secid)
+{
+ u32 perm;
+ int rc;
+
+ if (!sig)
+ perm = PROCESS__SIGNULL; /* null signal; existence test */
+ else
+ perm = signal_to_av(sig);
+ if (secid)
+ rc = avc_has_perm(secid, task_sid(p),
+ SECCLASS_PROCESS, perm, NULL);
+ else
+ rc = current_has_perm(p, perm);
+ return rc;
+}
+
+static int selinux_task_wait(struct task_struct *p)
+{
+ return task_has_perm(p, current, PROCESS__SIGCHLD);
+}
+
+static void selinux_task_to_inode(struct task_struct *p,
+ struct inode *inode)
+{
+ struct inode_security_struct *isec = inode->i_security;
+ u32 sid = task_sid(p);
+
+ isec->sid = sid;
+ isec->initialized = 1;
+}
+
+/* Returns error only if unable to parse addresses */
+static int selinux_parse_skb_ipv4(struct sk_buff *skb,
+ struct common_audit_data *ad, u8 *proto)
+{
+ int offset, ihlen, ret = -EINVAL;
+ struct iphdr _iph, *ih;
+
+ offset = skb_network_offset(skb);
+ ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
+ if (ih == NULL)
+ goto out;
+
+ ihlen = ih->ihl * 4;
+ if (ihlen < sizeof(_iph))
+ goto out;
+
+ ad->u.net->v4info.saddr = ih->saddr;
+ ad->u.net->v4info.daddr = ih->daddr;
+ ret = 0;
+
+ if (proto)
+ *proto = ih->protocol;
+
+ switch (ih->protocol) {
+ case IPPROTO_TCP: {
+ struct tcphdr _tcph, *th;
+
+ if (ntohs(ih->frag_off) & IP_OFFSET)
+ break;
+
+ offset += ihlen;
+ th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
+ if (th == NULL)
+ break;
+
+ ad->u.net->sport = th->source;
+ ad->u.net->dport = th->dest;
+ break;
+ }
+
+ case IPPROTO_UDP: {
+ struct udphdr _udph, *uh;
+
+ if (ntohs(ih->frag_off) & IP_OFFSET)
+ break;
+
+ offset += ihlen;
+ uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
+ if (uh == NULL)
+ break;
+
+ ad->u.net->sport = uh->source;
+ ad->u.net->dport = uh->dest;
+ break;
+ }
+
+ case IPPROTO_DCCP: {
+ struct dccp_hdr _dccph, *dh;
+
+ if (ntohs(ih->frag_off) & IP_OFFSET)
+ break;
+
+ offset += ihlen;
+ dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
+ if (dh == NULL)
+ break;
+
+ ad->u.net->sport = dh->dccph_sport;
+ ad->u.net->dport = dh->dccph_dport;
+ break;
+ }
+
+ default:
+ break;
+ }
+out:
+ return ret;
+}
+
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+
+/* Returns error only if unable to parse addresses */
+static int selinux_parse_skb_ipv6(struct sk_buff *skb,
+ struct common_audit_data *ad, u8 *proto)
+{
+ u8 nexthdr;
+ int ret = -EINVAL, offset;
+ struct ipv6hdr _ipv6h, *ip6;
+ __be16 frag_off;
+
+ offset = skb_network_offset(skb);
+ ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
+ if (ip6 == NULL)
+ goto out;
+
+ ad->u.net->v6info.saddr = ip6->saddr;
+ ad->u.net->v6info.daddr = ip6->daddr;
+ ret = 0;
+
+ nexthdr = ip6->nexthdr;
+ offset += sizeof(_ipv6h);
+ offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
+ if (offset < 0)
+ goto out;
+
+ if (proto)
+ *proto = nexthdr;
+
+ switch (nexthdr) {
+ case IPPROTO_TCP: {
+ struct tcphdr _tcph, *th;
+
+ th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
+ if (th == NULL)
+ break;
+
+ ad->u.net->sport = th->source;
+ ad->u.net->dport = th->dest;
+ break;
+ }
+
+ case IPPROTO_UDP: {
+ struct udphdr _udph, *uh;
+
+ uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
+ if (uh == NULL)
+ break;
+
+ ad->u.net->sport = uh->source;
+ ad->u.net->dport = uh->dest;
+ break;
+ }
+
+ case IPPROTO_DCCP: {
+ struct dccp_hdr _dccph, *dh;
+
+ dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
+ if (dh == NULL)
+ break;
+
+ ad->u.net->sport = dh->dccph_sport;
+ ad->u.net->dport = dh->dccph_dport;
+ break;
+ }
+
+ /* includes fragments */
+ default:
+ break;
+ }
+out:
+ return ret;
+}
+
+#endif /* IPV6 */
+
+static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
+ char **_addrp, int src, u8 *proto)
+{
+ char *addrp;
+ int ret;
+
+ switch (ad->u.net->family) {
+ case PF_INET:
+ ret = selinux_parse_skb_ipv4(skb, ad, proto);
+ if (ret)
+ goto parse_error;
+ addrp = (char *)(src ? &ad->u.net->v4info.saddr :
+ &ad->u.net->v4info.daddr);
+ goto okay;
+
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+ case PF_INET6:
+ ret = selinux_parse_skb_ipv6(skb, ad, proto);
+ if (ret)
+ goto parse_error;
+ addrp = (char *)(src ? &ad->u.net->v6info.saddr :
+ &ad->u.net->v6info.daddr);
+ goto okay;
+#endif /* IPV6 */
+ default:
+ addrp = NULL;
+ goto okay;
+ }
+
+parse_error:
+ printk(KERN_WARNING
+ "SELinux: failure in selinux_parse_skb(),"
+ " unable to parse packet\n");
+ return ret;
+
+okay:
+ if (_addrp)
+ *_addrp = addrp;
+ return 0;
+}
+
+/**
+ * selinux_skb_peerlbl_sid - Determine the peer label of a packet
+ * @skb: the packet
+ * @family: protocol family
+ * @sid: the packet's peer label SID
+ *
+ * Description:
+ * Check the various different forms of network peer labeling and determine
+ * the peer label/SID for the packet; most of the magic actually occurs in
+ * the security server function security_net_peersid_cmp(). The function
+ * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
+ * or -EACCES if @sid is invalid due to inconsistencies with the different
+ * peer labels.
+ *
+ */
+static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
+{
+ int err;
+ u32 xfrm_sid;
+ u32 nlbl_sid;
+ u32 nlbl_type;
+
+ err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
+ if (unlikely(err))
+ return -EACCES;
+ err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
+ if (unlikely(err))
+ return -EACCES;
+
+ err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
+ if (unlikely(err)) {
+ printk(KERN_WARNING
+ "SELinux: failure in selinux_skb_peerlbl_sid(),"
+ " unable to determine packet's peer label\n");
+ return -EACCES;
+ }
+
+ return 0;
+}
+
+/**
+ * selinux_conn_sid - Determine the child socket label for a connection
+ * @sk_sid: the parent socket's SID
+ * @skb_sid: the packet's SID
+ * @conn_sid: the resulting connection SID
+ *
+ * If @skb_sid is valid then the user:role:type information from @sk_sid is
+ * combined with the MLS information from @skb_sid in order to create
+ * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
+ * of @sk_sid. Returns zero on success, negative values on failure.
+ *
+ */
+static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
+{
+ int err = 0;
+
+ if (skb_sid != SECSID_NULL)
+ err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
+ else
+ *conn_sid = sk_sid;
+
+ return err;
+}
+
+/* socket security operations */
+
+static int socket_sockcreate_sid(const struct task_security_struct *tsec,
+ u16 secclass, u32 *socksid)
+{
+ if (tsec->sockcreate_sid > SECSID_NULL) {
+ *socksid = tsec->sockcreate_sid;
+ return 0;
+ }
+
+ return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
+ socksid);
+}
+
+static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
+{
+ struct sk_security_struct *sksec = sk->sk_security;
+ struct common_audit_data ad;
+ struct lsm_network_audit net = {0,};
+ u32 tsid = task_sid(task);
+
+ if (sksec->sid == SECINITSID_KERNEL)
+ return 0;
+
+ ad.type = LSM_AUDIT_DATA_NET;
+ ad.u.net = &net;
+ ad.u.net->sk = sk;
+
+ return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
+}
+
+static int selinux_socket_create(int family, int type,
+ int protocol, int kern)
+{
+ const struct task_security_struct *tsec = current_security();
+ u32 newsid;
+ u16 secclass;
+ int rc;
+
+ if (kern)
+ return 0;
+
+ secclass = socket_type_to_security_class(family, type, protocol);
+ rc = socket_sockcreate_sid(tsec, secclass, &newsid);
+ if (rc)
+ return rc;
+
+ return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
+}
+
+static int selinux_socket_post_create(struct socket *sock, int family,
+ int type, int protocol, int kern)
+{
+ const struct task_security_struct *tsec = current_security();
+ struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
+ struct sk_security_struct *sksec;
+ int err = 0;
+
+ isec->sclass = socket_type_to_security_class(family, type, protocol);
+
+ if (kern)
+ isec->sid = SECINITSID_KERNEL;
+ else {
+ err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
+ if (err)
+ return err;
+ }
+
+ isec->initialized = 1;
+
+ if (sock->sk) {
+ sksec = sock->sk->sk_security;
+ sksec->sid = isec->sid;
+ sksec->sclass = isec->sclass;
+ err = selinux_netlbl_socket_post_create(sock->sk, family);
+ }
+
+ return err;
+}
+
+/* Range of port numbers used to automatically bind.
+ Need to determine whether we should perform a name_bind
+ permission check between the socket and the port number. */
+
+static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
+{
+ struct sock *sk = sock->sk;
+ u16 family;
+ int err;
+
+ err = sock_has_perm(current, sk, SOCKET__BIND);
+ if (err)
+ goto out;
+
+ /*
+ * If PF_INET or PF_INET6, check name_bind permission for the port.
+ * Multiple address binding for SCTP is not supported yet: we just
+ * check the first address now.
+ */
+ family = sk->sk_family;
+ if (family == PF_INET || family == PF_INET6) {
+ char *addrp;
+ struct sk_security_struct *sksec = sk->sk_security;
+ struct common_audit_data ad;
+ struct lsm_network_audit net = {0,};
+ struct sockaddr_in *addr4 = NULL;
+ struct sockaddr_in6 *addr6 = NULL;
+ unsigned short snum;
+ u32 sid, node_perm;
+
+ if (family == PF_INET) {
+ addr4 = (struct sockaddr_in *)address;
+ snum = ntohs(addr4->sin_port);
+ addrp = (char *)&addr4->sin_addr.s_addr;
+ } else {
+ addr6 = (struct sockaddr_in6 *)address;
+ snum = ntohs(addr6->sin6_port);
+ addrp = (char *)&addr6->sin6_addr.s6_addr;
+ }
+
+ if (snum) {
+ int low, high;
+
+ inet_get_local_port_range(sock_net(sk), &low, &high);
+
+ if (snum < max(PROT_SOCK, low) || snum > high) {
+ err = sel_netport_sid(sk->sk_protocol,
+ snum, &sid);
+ if (err)
+ goto out;
+ ad.type = LSM_AUDIT_DATA_NET;
+ ad.u.net = &net;
+ ad.u.net->sport = htons(snum);
+ ad.u.net->family = family;
+ err = avc_has_perm(sksec->sid, sid,
+ sksec->sclass,
+ SOCKET__NAME_BIND, &ad);
+ if (err)
+ goto out;
+ }
+ }
+
+ switch (sksec->sclass) {
+ case SECCLASS_TCP_SOCKET:
+ node_perm = TCP_SOCKET__NODE_BIND;
+ break;
+
+ case SECCLASS_UDP_SOCKET:
+ node_perm = UDP_SOCKET__NODE_BIND;
+ break;
+
+ case SECCLASS_DCCP_SOCKET:
+ node_perm = DCCP_SOCKET__NODE_BIND;
+ break;
+
+ default:
+ node_perm = RAWIP_SOCKET__NODE_BIND;
+ break;
+ }
+
+ err = sel_netnode_sid(addrp, family, &sid);
+ if (err)
+ goto out;
+
+ ad.type = LSM_AUDIT_DATA_NET;
+ ad.u.net = &net;
+ ad.u.net->sport = htons(snum);
+ ad.u.net->family = family;
+
+ if (family == PF_INET)
+ ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
+ else
+ ad.u.net->v6info.saddr = addr6->sin6_addr;
+
+ err = avc_has_perm(sksec->sid, sid,
+ sksec->sclass, node_perm, &ad);
+ if (err)
+ goto out;
+ }
+out:
+ return err;
+}
+
+static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
+{
+ struct sock *sk = sock->sk;
+ struct sk_security_struct *sksec = sk->sk_security;
+ int err;
+
+ err = sock_has_perm(current, sk, SOCKET__CONNECT);
+ if (err)
+ return err;
+
+ /*
+ * If a TCP or DCCP socket, check name_connect permission for the port.
+ */
+ if (sksec->sclass == SECCLASS_TCP_SOCKET ||
+ sksec->sclass == SECCLASS_DCCP_SOCKET) {
+ struct common_audit_data ad;
+ struct lsm_network_audit net = {0,};
+ struct sockaddr_in *addr4 = NULL;
+ struct sockaddr_in6 *addr6 = NULL;
+ unsigned short snum;
+ u32 sid, perm;
+
+ if (sk->sk_family == PF_INET) {
+ addr4 = (struct sockaddr_in *)address;
+ if (addrlen < sizeof(struct sockaddr_in))
+ return -EINVAL;
+ snum = ntohs(addr4->sin_port);
+ } else {
+ addr6 = (struct sockaddr_in6 *)address;
+ if (addrlen < SIN6_LEN_RFC2133)
+ return -EINVAL;
+ snum = ntohs(addr6->sin6_port);
+ }
+
+ err = sel_netport_sid(sk->sk_protocol, snum, &sid);
+ if (err)
+ goto out;
+
+ perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
+ TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
+
+ ad.type = LSM_AUDIT_DATA_NET;
+ ad.u.net = &net;
+ ad.u.net->dport = htons(snum);
+ ad.u.net->family = sk->sk_family;
+ err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
+ if (err)
+ goto out;
+ }
+
+ err = selinux_netlbl_socket_connect(sk, address);
+
+out:
+ return err;
+}
+
+static int selinux_socket_listen(struct socket *sock, int backlog)
+{
+ return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
+}
+
+static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
+{
+ int err;
+ struct inode_security_struct *isec;
+ struct inode_security_struct *newisec;
+
+ err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
+ if (err)
+ return err;
+
+ newisec = SOCK_INODE(newsock)->i_security;
+
+ isec = SOCK_INODE(sock)->i_security;
+ newisec->sclass = isec->sclass;
+ newisec->sid = isec->sid;
+ newisec->initialized = 1;
+
+ return 0;
+}
+
+static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
+ int size)
+{
+ return sock_has_perm(current, sock->sk, SOCKET__WRITE);
+}
+
+static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
+ int size, int flags)
+{
+ return sock_has_perm(current, sock->sk, SOCKET__READ);
+}
+
+static int selinux_socket_getsockname(struct socket *sock)
+{
+ return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
+}
+
+static int selinux_socket_getpeername(struct socket *sock)
+{
+ return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
+}
+
+static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
+{
+ int err;
+
+ err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
+ if (err)
+ return err;
+
+ return selinux_netlbl_socket_setsockopt(sock, level, optname);
+}
+
+static int selinux_socket_getsockopt(struct socket *sock, int level,
+ int optname)
+{
+ return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
+}
+
+static int selinux_socket_shutdown(struct socket *sock, int how)
+{
+ return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
+}
+
+static int selinux_socket_unix_stream_connect(struct sock *sock,
+ struct sock *other,
+ struct sock *newsk)
+{
+ struct sk_security_struct *sksec_sock = sock->sk_security;
+ struct sk_security_struct *sksec_other = other->sk_security;
+ struct sk_security_struct *sksec_new = newsk->sk_security;
+ struct common_audit_data ad;
+ struct lsm_network_audit net = {0,};
+ int err;
+
+ ad.type = LSM_AUDIT_DATA_NET;
+ ad.u.net = &net;
+ ad.u.net->sk = other;
+
+ err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
+ sksec_other->sclass,
+ UNIX_STREAM_SOCKET__CONNECTTO, &ad);
+ if (err)
+ return err;
+
+ /* server child socket */
+ sksec_new->peer_sid = sksec_sock->sid;
+ err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
+ &sksec_new->sid);
+ if (err)
+ return err;
+
+ /* connecting socket */
+ sksec_sock->peer_sid = sksec_new->sid;
+
+ return 0;
+}
+
+static int selinux_socket_unix_may_send(struct socket *sock,
+ struct socket *other)
+{
+ struct sk_security_struct *ssec = sock->sk->sk_security;
+ struct sk_security_struct *osec = other->sk->sk_security;
+ struct common_audit_data ad;
+ struct lsm_network_audit net = {0,};
+
+ ad.type = LSM_AUDIT_DATA_NET;
+ ad.u.net = &net;
+ ad.u.net->sk = other->sk;
+
+ return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
+ &ad);
+}
+
+static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
+ char *addrp, u16 family, u32 peer_sid,
+ struct common_audit_data *ad)
+{
+ int err;
+ u32 if_sid;
+ u32 node_sid;
+
+ err = sel_netif_sid(ns, ifindex, &if_sid);
+ if (err)
+ return err;
+ err = avc_has_perm(peer_sid, if_sid,
+ SECCLASS_NETIF, NETIF__INGRESS, ad);
+ if (err)
+ return err;
+
+ err = sel_netnode_sid(addrp, family, &node_sid);
+ if (err)
+ return err;
+ return avc_has_perm(peer_sid, node_sid,
+ SECCLASS_NODE, NODE__RECVFROM, ad);
+}
+
+static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
+ u16 family)
+{
+ int err = 0;
+ struct sk_security_struct *sksec = sk->sk_security;
+ u32 sk_sid = sksec->sid;
+ struct common_audit_data ad;
+ struct lsm_network_audit net = {0,};
+ char *addrp;
+
+ ad.type = LSM_AUDIT_DATA_NET;
+ ad.u.net = &net;
+ ad.u.net->netif = skb->skb_iif;
+ ad.u.net->family = family;
+ err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
+ if (err)
+ return err;
+
+ if (selinux_secmark_enabled()) {
+ err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
+ PACKET__RECV, &ad);
+ if (err)
+ return err;
+ }
+
+ err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
+ if (err)
+ return err;
+ err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
+
+ return err;
+}
+
+static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
+{
+ int err;
+ struct sk_security_struct *sksec = sk->sk_security;
+ u16 family = sk->sk_family;
+ u32 sk_sid = sksec->sid;
+ struct common_audit_data ad;
+ struct lsm_network_audit net = {0,};
+ char *addrp;
+ u8 secmark_active;
+ u8 peerlbl_active;
+
+ if (family != PF_INET && family != PF_INET6)
+ return 0;
+
+ /* Handle mapped IPv4 packets arriving via IPv6 sockets */
+ if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
+ family = PF_INET;
+
+ /* If any sort of compatibility mode is enabled then handoff processing
+ * to the selinux_sock_rcv_skb_compat() function to deal with the
+ * special handling. We do this in an attempt to keep this function
+ * as fast and as clean as possible. */
+ if (!selinux_policycap_netpeer)
+ return selinux_sock_rcv_skb_compat(sk, skb, family);
+
+ secmark_active = selinux_secmark_enabled();
+ peerlbl_active = selinux_peerlbl_enabled();
+ if (!secmark_active && !peerlbl_active)
+ return 0;
+
+ ad.type = LSM_AUDIT_DATA_NET;
+ ad.u.net = &net;
+ ad.u.net->netif = skb->skb_iif;
+ ad.u.net->family = family;
+ err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
+ if (err)
+ return err;
+
+ if (peerlbl_active) {
+ u32 peer_sid;
+
+ err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
+ if (err)
+ return err;
+ err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
+ addrp, family, peer_sid, &ad);
+ if (err) {
+ selinux_netlbl_err(skb, err, 0);
+ return err;
+ }
+ err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
+ PEER__RECV, &ad);
+ if (err) {
+ selinux_netlbl_err(skb, err, 0);
+ return err;
+ }
+ }
+
+ if (secmark_active) {
+ err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
+ PACKET__RECV, &ad);
+ if (err)
+ return err;
+ }
+
+ return err;
+}
+
+static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
+ int __user *optlen, unsigned len)
+{
+ int err = 0;
+ char *scontext;
+ u32 scontext_len;
+ struct sk_security_struct *sksec = sock->sk->sk_security;
+ u32 peer_sid = SECSID_NULL;
+
+ if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
+ sksec->sclass == SECCLASS_TCP_SOCKET)
+ peer_sid = sksec->peer_sid;
+ if (peer_sid == SECSID_NULL)
+ return -ENOPROTOOPT;
+
+ err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
+ if (err)
+ return err;
+
+ if (scontext_len > len) {
+ err = -ERANGE;
+ goto out_len;
+ }
+
+ if (copy_to_user(optval, scontext, scontext_len))
+ err = -EFAULT;
+
+out_len:
+ if (put_user(scontext_len, optlen))
+ err = -EFAULT;
+ kfree(scontext);
+ return err;
+}
+
+static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
+{
+ u32 peer_secid = SECSID_NULL;
+ u16 family;
+
+ if (skb && skb->protocol == htons(ETH_P_IP))
+ family = PF_INET;
+ else if (skb && skb->protocol == htons(ETH_P_IPV6))
+ family = PF_INET6;
+ else if (sock)
+ family = sock->sk->sk_family;
+ else
+ goto out;
+
+ if (sock && family == PF_UNIX)
+ selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
+ else if (skb)
+ selinux_skb_peerlbl_sid(skb, family, &peer_secid);
+
+out:
+ *secid = peer_secid;
+ if (peer_secid == SECSID_NULL)
+ return -EINVAL;
+ return 0;
+}
+
+static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
+{
+ struct sk_security_struct *sksec;
+
+ sksec = kzalloc(sizeof(*sksec), priority);
+ if (!sksec)
+ return -ENOMEM;
+
+ sksec->peer_sid = SECINITSID_UNLABELED;
+ sksec->sid = SECINITSID_UNLABELED;
+ selinux_netlbl_sk_security_reset(sksec);
+ sk->sk_security = sksec;
+
+ return 0;
+}
+
+static void selinux_sk_free_security(struct sock *sk)
+{
+ struct sk_security_struct *sksec = sk->sk_security;
+
+ sk->sk_security = NULL;
+ selinux_netlbl_sk_security_free(sksec);
+ kfree(sksec);
+}
+
+static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
+{
+ struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *newsksec = newsk->sk_security;
+
+ newsksec->sid = sksec->sid;
+ newsksec->peer_sid = sksec->peer_sid;
+ newsksec->sclass = sksec->sclass;
+
+ selinux_netlbl_sk_security_reset(newsksec);
+}
+
+static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
+{
+ if (!sk)
+ *secid = SECINITSID_ANY_SOCKET;
+ else {
+ struct sk_security_struct *sksec = sk->sk_security;
+
+ *secid = sksec->sid;
+ }
+}
+
+static void selinux_sock_graft(struct sock *sk, struct socket *parent)
+{
+ struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
+ struct sk_security_struct *sksec = sk->sk_security;
+
+ if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
+ sk->sk_family == PF_UNIX)
+ isec->sid = sksec->sid;
+ sksec->sclass = isec->sclass;
+}
+
+static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
+ struct request_sock *req)
+{
+ struct sk_security_struct *sksec = sk->sk_security;
+ int err;
+ u16 family = req->rsk_ops->family;
+ u32 connsid;
+ u32 peersid;
+
+ err = selinux_skb_peerlbl_sid(skb, family, &peersid);
+ if (err)
+ return err;
+ err = selinux_conn_sid(sksec->sid, peersid, &connsid);
+ if (err)
+ return err;
+ req->secid = connsid;
+ req->peer_secid = peersid;
+
+ return selinux_netlbl_inet_conn_request(req, family);
+}
+
+static void selinux_inet_csk_clone(struct sock *newsk,
+ const struct request_sock *req)
+{
+ struct sk_security_struct *newsksec = newsk->sk_security;
+
+ newsksec->sid = req->secid;
+ newsksec->peer_sid = req->peer_secid;
+ /* NOTE: Ideally, we should also get the isec->sid for the
+ new socket in sync, but we don't have the isec available yet.
+ So we will wait until sock_graft to do it, by which
+ time it will have been created and available. */
+
+ /* We don't need to take any sort of lock here as we are the only
+ * thread with access to newsksec */
+ selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
+}
+
+static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
+{
+ u16 family = sk->sk_family;
+ struct sk_security_struct *sksec = sk->sk_security;
+
+ /* handle mapped IPv4 packets arriving via IPv6 sockets */
+ if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
+ family = PF_INET;
+
+ selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
+}
+
+static int selinux_secmark_relabel_packet(u32 sid)
+{
+ const struct task_security_struct *__tsec;
+ u32 tsid;
+
+ __tsec = current_security();
+ tsid = __tsec->sid;
+
+ return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
+}
+
+static void selinux_secmark_refcount_inc(void)
+{
+ atomic_inc(&selinux_secmark_refcount);
+}
+
+static void selinux_secmark_refcount_dec(void)
+{
+ atomic_dec(&selinux_secmark_refcount);
+}
+
+static void selinux_req_classify_flow(const struct request_sock *req,
+ struct flowi *fl)
+{
+ fl->flowi_secid = req->secid;
+}
+
+static int selinux_tun_dev_alloc_security(void **security)
+{
+ struct tun_security_struct *tunsec;
+
+ tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
+ if (!tunsec)
+ return -ENOMEM;
+ tunsec->sid = current_sid();
+
+ *security = tunsec;
+ return 0;
+}
+
+static void selinux_tun_dev_free_security(void *security)
+{
+ kfree(security);
+}
+
+static int selinux_tun_dev_create(void)
+{
+ u32 sid = current_sid();
+
+ /* we aren't taking into account the "sockcreate" SID since the socket
+ * that is being created here is not a socket in the traditional sense,
+ * instead it is a private sock, accessible only to the kernel, and
+ * representing a wide range of network traffic spanning multiple
+ * connections unlike traditional sockets - check the TUN driver to
+ * get a better understanding of why this socket is special */
+
+ return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
+ NULL);
+}
+
+static int selinux_tun_dev_attach_queue(void *security)
+{
+ struct tun_security_struct *tunsec = security;
+
+ return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
+ TUN_SOCKET__ATTACH_QUEUE, NULL);
+}
+
+static int selinux_tun_dev_attach(struct sock *sk, void *security)
+{
+ struct tun_security_struct *tunsec = security;
+ struct sk_security_struct *sksec = sk->sk_security;
+
+ /* we don't currently perform any NetLabel based labeling here and it
+ * isn't clear that we would want to do so anyway; while we could apply
+ * labeling without the support of the TUN user the resulting labeled
+ * traffic from the other end of the connection would almost certainly
+ * cause confusion to the TUN user that had no idea network labeling
+ * protocols were being used */
+
+ sksec->sid = tunsec->sid;
+ sksec->sclass = SECCLASS_TUN_SOCKET;
+
+ return 0;
+}
+
+static int selinux_tun_dev_open(void *security)
+{
+ struct tun_security_struct *tunsec = security;
+ u32 sid = current_sid();
+ int err;
+
+ err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
+ TUN_SOCKET__RELABELFROM, NULL);
+ if (err)
+ return err;
+ err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
+ TUN_SOCKET__RELABELTO, NULL);
+ if (err)
+ return err;
+ tunsec->sid = sid;
+
+ return 0;
+}
+
+static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
+{
+ int err = 0;
+ u32 perm;
+ struct nlmsghdr *nlh;
+ struct sk_security_struct *sksec = sk->sk_security;
+
+ if (skb->len < NLMSG_HDRLEN) {
+ err = -EINVAL;
+ goto out;
+ }
+ nlh = nlmsg_hdr(skb);
+
+ err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
+ if (err) {
+ if (err == -EINVAL) {
+ printk(KERN_WARNING
+ "SELinux: unrecognized netlink message:"
+ " protocol=%hu nlmsg_type=%hu sclass=%hu\n",
+ sk->sk_protocol, nlh->nlmsg_type, sksec->sclass);
+ if (!selinux_enforcing || security_get_allow_unknown())
+ err = 0;
+ }
+
+ /* Ignore */
+ if (err == -ENOENT)
+ err = 0;
+ goto out;
+ }
+
+ err = sock_has_perm(current, sk, perm);
+out:
+ return err;
+}
+
+#ifdef CONFIG_NETFILTER
+
+static unsigned int selinux_ip_forward(struct sk_buff *skb,
+ const struct net_device *indev,
+ u16 family)
+{
+ int err;
+ char *addrp;
+ u32 peer_sid;
+ struct common_audit_data ad;
+ struct lsm_network_audit net = {0,};
+ u8 secmark_active;
+ u8 netlbl_active;
+ u8 peerlbl_active;
+
+ if (!selinux_policycap_netpeer)
+ return NF_ACCEPT;
+
+ secmark_active = selinux_secmark_enabled();
+ netlbl_active = netlbl_enabled();
+ peerlbl_active = selinux_peerlbl_enabled();
+ if (!secmark_active && !peerlbl_active)
+ return NF_ACCEPT;
+
+ if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
+ return NF_DROP;
+
+ ad.type = LSM_AUDIT_DATA_NET;
+ ad.u.net = &net;
+ ad.u.net->netif = indev->ifindex;
+ ad.u.net->family = family;
+ if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
+ return NF_DROP;
+
+ if (peerlbl_active) {
+ err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
+ addrp, family, peer_sid, &ad);
+ if (err) {
+ selinux_netlbl_err(skb, err, 1);
+ return NF_DROP;
+ }
+ }
+
+ if (secmark_active)
+ if (avc_has_perm(peer_sid, skb->secmark,
+ SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
+ return NF_DROP;
+
+ if (netlbl_active)
+ /* we do this in the FORWARD path and not the POST_ROUTING
+ * path because we want to make sure we apply the necessary
+ * labeling before IPsec is applied so we can leverage AH
+ * protection */
+ if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
+ return NF_DROP;
+
+ return NF_ACCEPT;
+}
+
+static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
+ struct sk_buff *skb,
+ const struct nf_hook_state *state)
+{
+ return selinux_ip_forward(skb, state->in, PF_INET);
+}
+
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
+ struct sk_buff *skb,
+ const struct nf_hook_state *state)
+{
+ return selinux_ip_forward(skb, state->in, PF_INET6);
+}
+#endif /* IPV6 */
+
+static unsigned int selinux_ip_output(struct sk_buff *skb,
+ u16 family)
+{
+ struct sock *sk;
+ u32 sid;
+
+ if (!netlbl_enabled())
+ return NF_ACCEPT;
+
+ /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
+ * because we want to make sure we apply the necessary labeling
+ * before IPsec is applied so we can leverage AH protection */
+ sk = skb->sk;
+ if (sk) {
+ struct sk_security_struct *sksec;
+
+ if (sk->sk_state == TCP_LISTEN)
+ /* if the socket is the listening state then this
+ * packet is a SYN-ACK packet which means it needs to
+ * be labeled based on the connection/request_sock and
+ * not the parent socket. unfortunately, we can't
+ * lookup the request_sock yet as it isn't queued on
+ * the parent socket until after the SYN-ACK is sent.
+ * the "solution" is to simply pass the packet as-is
+ * as any IP option based labeling should be copied
+ * from the initial connection request (in the IP
+ * layer). it is far from ideal, but until we get a
+ * security label in the packet itself this is the
+ * best we can do. */
+ return NF_ACCEPT;
+
+ /* standard practice, label using the parent socket */
+ sksec = sk->sk_security;
+ sid = sksec->sid;
+ } else
+ sid = SECINITSID_KERNEL;
+ if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
+ return NF_DROP;
+
+ return NF_ACCEPT;
+}
+
+static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops,
+ struct sk_buff *skb,
+ const struct nf_hook_state *state)
+{
+ return selinux_ip_output(skb, PF_INET);
+}
+
+static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
+ int ifindex,
+ u16 family)
+{
+ struct sock *sk = skb->sk;
+ struct sk_security_struct *sksec;
+ struct common_audit_data ad;
+ struct lsm_network_audit net = {0,};
+ char *addrp;
+ u8 proto;
+
+ if (sk == NULL)
+ return NF_ACCEPT;
+ sksec = sk->sk_security;
+
+ ad.type = LSM_AUDIT_DATA_NET;
+ ad.u.net = &net;
+ ad.u.net->netif = ifindex;
+ ad.u.net->family = family;
+ if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
+ return NF_DROP;
+
+ if (selinux_secmark_enabled())
+ if (avc_has_perm(sksec->sid, skb->secmark,
+ SECCLASS_PACKET, PACKET__SEND, &ad))
+ return NF_DROP_ERR(-ECONNREFUSED);
+
+ if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
+ return NF_DROP_ERR(-ECONNREFUSED);
+
+ return NF_ACCEPT;
+}
+
+static unsigned int selinux_ip_postroute(struct sk_buff *skb,
+ const struct net_device *outdev,
+ u16 family)
+{
+ u32 secmark_perm;
+ u32 peer_sid;
+ int ifindex = outdev->ifindex;
+ struct sock *sk;
+ struct common_audit_data ad;
+ struct lsm_network_audit net = {0,};
+ char *addrp;
+ u8 secmark_active;
+ u8 peerlbl_active;
+
+ /* If any sort of compatibility mode is enabled then handoff processing
+ * to the selinux_ip_postroute_compat() function to deal with the
+ * special handling. We do this in an attempt to keep this function
+ * as fast and as clean as possible. */
+ if (!selinux_policycap_netpeer)
+ return selinux_ip_postroute_compat(skb, ifindex, family);
+
+ secmark_active = selinux_secmark_enabled();
+ peerlbl_active = selinux_peerlbl_enabled();
+ if (!secmark_active && !peerlbl_active)
+ return NF_ACCEPT;
+
+ sk = skb->sk;
+
+#ifdef CONFIG_XFRM
+ /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
+ * packet transformation so allow the packet to pass without any checks
+ * since we'll have another chance to perform access control checks
+ * when the packet is on it's final way out.
+ * NOTE: there appear to be some IPv6 multicast cases where skb->dst
+ * is NULL, in this case go ahead and apply access control.
+ * NOTE: if this is a local socket (skb->sk != NULL) that is in the
+ * TCP listening state we cannot wait until the XFRM processing
+ * is done as we will miss out on the SA label if we do;
+ * unfortunately, this means more work, but it is only once per
+ * connection. */
+ if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
+ !(sk != NULL && sk->sk_state == TCP_LISTEN))
+ return NF_ACCEPT;
+#endif
+
+ if (sk == NULL) {
+ /* Without an associated socket the packet is either coming
+ * from the kernel or it is being forwarded; check the packet
+ * to determine which and if the packet is being forwarded
+ * query the packet directly to determine the security label. */
+ if (skb->skb_iif) {
+ secmark_perm = PACKET__FORWARD_OUT;
+ if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
+ return NF_DROP;
+ } else {
+ secmark_perm = PACKET__SEND;
+ peer_sid = SECINITSID_KERNEL;
+ }
+ } else if (sk->sk_state == TCP_LISTEN) {
+ /* Locally generated packet but the associated socket is in the
+ * listening state which means this is a SYN-ACK packet. In
+ * this particular case the correct security label is assigned
+ * to the connection/request_sock but unfortunately we can't
+ * query the request_sock as it isn't queued on the parent
+ * socket until after the SYN-ACK packet is sent; the only
+ * viable choice is to regenerate the label like we do in
+ * selinux_inet_conn_request(). See also selinux_ip_output()
+ * for similar problems. */
+ u32 skb_sid;
+ struct sk_security_struct *sksec = sk->sk_security;
+ if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
+ return NF_DROP;
+ /* At this point, if the returned skb peerlbl is SECSID_NULL
+ * and the packet has been through at least one XFRM
+ * transformation then we must be dealing with the "final"
+ * form of labeled IPsec packet; since we've already applied
+ * all of our access controls on this packet we can safely
+ * pass the packet. */
+ if (skb_sid == SECSID_NULL) {
+ switch (family) {
+ case PF_INET:
+ if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
+ return NF_ACCEPT;
+ break;
+ case PF_INET6:
+ if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
+ return NF_ACCEPT;
+ break;
+ default:
+ return NF_DROP_ERR(-ECONNREFUSED);
+ }
+ }
+ if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
+ return NF_DROP;
+ secmark_perm = PACKET__SEND;
+ } else {
+ /* Locally generated packet, fetch the security label from the
+ * associated socket. */
+ struct sk_security_struct *sksec = sk->sk_security;
+ peer_sid = sksec->sid;
+ secmark_perm = PACKET__SEND;
+ }
+
+ ad.type = LSM_AUDIT_DATA_NET;
+ ad.u.net = &net;
+ ad.u.net->netif = ifindex;
+ ad.u.net->family = family;
+ if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
+ return NF_DROP;
+
+ if (secmark_active)
+ if (avc_has_perm(peer_sid, skb->secmark,
+ SECCLASS_PACKET, secmark_perm, &ad))
+ return NF_DROP_ERR(-ECONNREFUSED);
+
+ if (peerlbl_active) {
+ u32 if_sid;
+ u32 node_sid;
+
+ if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
+ return NF_DROP;
+ if (avc_has_perm(peer_sid, if_sid,
+ SECCLASS_NETIF, NETIF__EGRESS, &ad))
+ return NF_DROP_ERR(-ECONNREFUSED);
+
+ if (sel_netnode_sid(addrp, family, &node_sid))
+ return NF_DROP;
+ if (avc_has_perm(peer_sid, node_sid,
+ SECCLASS_NODE, NODE__SENDTO, &ad))
+ return NF_DROP_ERR(-ECONNREFUSED);
+ }
+
+ return NF_ACCEPT;
+}
+
+static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
+ struct sk_buff *skb,
+ const struct nf_hook_state *state)
+{
+ return selinux_ip_postroute(skb, state->out, PF_INET);
+}
+
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
+ struct sk_buff *skb,
+ const struct nf_hook_state *state)
+{
+ return selinux_ip_postroute(skb, state->out, PF_INET6);
+}
+#endif /* IPV6 */
+
+#endif /* CONFIG_NETFILTER */
+
+static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
+{
+ int err;
+
+ err = cap_netlink_send(sk, skb);
+ if (err)
+ return err;
+
+ return selinux_nlmsg_perm(sk, skb);
+}
+
+static int ipc_alloc_security(struct task_struct *task,
+ struct kern_ipc_perm *perm,
+ u16 sclass)
+{
+ struct ipc_security_struct *isec;
+ u32 sid;
+
+ isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
+ if (!isec)
+ return -ENOMEM;
+
+ sid = task_sid(task);
+ isec->sclass = sclass;
+ isec->sid = sid;
+ perm->security = isec;
+
+ return 0;
+}
+
+static void ipc_free_security(struct kern_ipc_perm *perm)
+{
+ struct ipc_security_struct *isec = perm->security;
+ perm->security = NULL;
+ kfree(isec);
+}
+
+static int msg_msg_alloc_security(struct msg_msg *msg)
+{
+ struct msg_security_struct *msec;
+
+ msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
+ if (!msec)
+ return -ENOMEM;
+
+ msec->sid = SECINITSID_UNLABELED;
+ msg->security = msec;
+
+ return 0;
+}
+
+static void msg_msg_free_security(struct msg_msg *msg)
+{
+ struct msg_security_struct *msec = msg->security;
+
+ msg->security = NULL;
+ kfree(msec);
+}
+
+static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
+ u32 perms)
+{
+ struct ipc_security_struct *isec;
+ struct common_audit_data ad;
+ u32 sid = current_sid();
+
+ isec = ipc_perms->security;
+
+ ad.type = LSM_AUDIT_DATA_IPC;
+ ad.u.ipc_id = ipc_perms->key;
+
+ return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
+}
+
+static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
+{
+ return msg_msg_alloc_security(msg);
+}
+
+static void selinux_msg_msg_free_security(struct msg_msg *msg)
+{
+ msg_msg_free_security(msg);
+}
+
+/* message queue security operations */
+static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
+{
+ struct ipc_security_struct *isec;
+ struct common_audit_data ad;
+ u32 sid = current_sid();
+ int rc;
+
+ rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
+ if (rc)
+ return rc;
+
+ isec = msq->q_perm.security;
+
+ ad.type = LSM_AUDIT_DATA_IPC;
+ ad.u.ipc_id = msq->q_perm.key;
+
+ rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
+ MSGQ__CREATE, &ad);
+ if (rc) {
+ ipc_free_security(&msq->q_perm);
+ return rc;
+ }
+ return 0;
+}
+
+static void selinux_msg_queue_free_security(struct msg_queue *msq)
+{
+ ipc_free_security(&msq->q_perm);
+}
+
+static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
+{
+ struct ipc_security_struct *isec;
+ struct common_audit_data ad;
+ u32 sid = current_sid();
+
+ isec = msq->q_perm.security;
+
+ ad.type = LSM_AUDIT_DATA_IPC;
+ ad.u.ipc_id = msq->q_perm.key;
+
+ return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
+ MSGQ__ASSOCIATE, &ad);
+}
+
+static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
+{
+ int err;
+ int perms;
+
+ switch (cmd) {
+ case IPC_INFO:
+ case MSG_INFO:
+ /* No specific object, just general system-wide information. */
+ return task_has_system(current, SYSTEM__IPC_INFO);
+ case IPC_STAT:
+ case MSG_STAT:
+ perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
+ break;
+ case IPC_SET:
+ perms = MSGQ__SETATTR;
+ break;
+ case IPC_RMID:
+ perms = MSGQ__DESTROY;
+ break;
+ default:
+ return 0;
+ }
+
+ err = ipc_has_perm(&msq->q_perm, perms);
+ return err;
+}
+
+static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
+{
+ struct ipc_security_struct *isec;
+ struct msg_security_struct *msec;
+ struct common_audit_data ad;
+ u32 sid = current_sid();
+ int rc;
+
+ isec = msq->q_perm.security;
+ msec = msg->security;
+
+ /*
+ * First time through, need to assign label to the message
+ */
+ if (msec->sid == SECINITSID_UNLABELED) {
+ /*
+ * Compute new sid based on current process and
+ * message queue this message will be stored in
+ */
+ rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
+ NULL, &msec->sid);
+ if (rc)
+ return rc;
+ }
+
+ ad.type = LSM_AUDIT_DATA_IPC;
+ ad.u.ipc_id = msq->q_perm.key;
+
+ /* Can this process write to the queue? */
+ rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
+ MSGQ__WRITE, &ad);
+ if (!rc)
+ /* Can this process send the message */
+ rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
+ MSG__SEND, &ad);
+ if (!rc)
+ /* Can the message be put in the queue? */
+ rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
+ MSGQ__ENQUEUE, &ad);
+
+ return rc;
+}
+
+static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
+ struct task_struct *target,
+ long type, int mode)
+{
+ struct ipc_security_struct *isec;
+ struct msg_security_struct *msec;
+ struct common_audit_data ad;
+ u32 sid = task_sid(target);
+ int rc;
+
+ isec = msq->q_perm.security;
+ msec = msg->security;
+
+ ad.type = LSM_AUDIT_DATA_IPC;
+ ad.u.ipc_id = msq->q_perm.key;
+
+ rc = avc_has_perm(sid, isec->sid,
+ SECCLASS_MSGQ, MSGQ__READ, &ad);
+ if (!rc)
+ rc = avc_has_perm(sid, msec->sid,
+ SECCLASS_MSG, MSG__RECEIVE, &ad);
+ return rc;
+}
+
+/* Shared Memory security operations */
+static int selinux_shm_alloc_security(struct shmid_kernel *shp)
+{
+ struct ipc_security_struct *isec;
+ struct common_audit_data ad;
+ u32 sid = current_sid();
+ int rc;
+
+ rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
+ if (rc)
+ return rc;
+
+ isec = shp->shm_perm.security;
+
+ ad.type = LSM_AUDIT_DATA_IPC;
+ ad.u.ipc_id = shp->shm_perm.key;
+
+ rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
+ SHM__CREATE, &ad);
+ if (rc) {
+ ipc_free_security(&shp->shm_perm);
+ return rc;
+ }
+ return 0;
+}
+
+static void selinux_shm_free_security(struct shmid_kernel *shp)
+{
+ ipc_free_security(&shp->shm_perm);
+}
+
+static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
+{
+ struct ipc_security_struct *isec;
+ struct common_audit_data ad;
+ u32 sid = current_sid();
+
+ isec = shp->shm_perm.security;
+
+ ad.type = LSM_AUDIT_DATA_IPC;
+ ad.u.ipc_id = shp->shm_perm.key;
+
+ return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
+ SHM__ASSOCIATE, &ad);
+}
+
+/* Note, at this point, shp is locked down */
+static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
+{
+ int perms;
+ int err;
+
+ switch (cmd) {
+ case IPC_INFO:
+ case SHM_INFO:
+ /* No specific object, just general system-wide information. */
+ return task_has_system(current, SYSTEM__IPC_INFO);
+ case IPC_STAT:
+ case SHM_STAT:
+ perms = SHM__GETATTR | SHM__ASSOCIATE;
+ break;
+ case IPC_SET:
+ perms = SHM__SETATTR;
+ break;
+ case SHM_LOCK:
+ case SHM_UNLOCK:
+ perms = SHM__LOCK;
+ break;
+ case IPC_RMID:
+ perms = SHM__DESTROY;
+ break;
+ default:
+ return 0;
+ }
+
+ err = ipc_has_perm(&shp->shm_perm, perms);
+ return err;
+}
+
+static int selinux_shm_shmat(struct shmid_kernel *shp,
+ char __user *shmaddr, int shmflg)
+{
+ u32 perms;
+
+ if (shmflg & SHM_RDONLY)
+ perms = SHM__READ;
+ else
+ perms = SHM__READ | SHM__WRITE;
+
+ return ipc_has_perm(&shp->shm_perm, perms);
+}
+
+/* Semaphore security operations */
+static int selinux_sem_alloc_security(struct sem_array *sma)
+{
+ struct ipc_security_struct *isec;
+ struct common_audit_data ad;
+ u32 sid = current_sid();
+ int rc;
+
+ rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
+ if (rc)
+ return rc;
+
+ isec = sma->sem_perm.security;
+
+ ad.type = LSM_AUDIT_DATA_IPC;
+ ad.u.ipc_id = sma->sem_perm.key;
+
+ rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
+ SEM__CREATE, &ad);
+ if (rc) {
+ ipc_free_security(&sma->sem_perm);
+ return rc;
+ }
+ return 0;
+}
+
+static void selinux_sem_free_security(struct sem_array *sma)
+{
+ ipc_free_security(&sma->sem_perm);
+}
+
+static int selinux_sem_associate(struct sem_array *sma, int semflg)
+{
+ struct ipc_security_struct *isec;
+ struct common_audit_data ad;
+ u32 sid = current_sid();
+
+ isec = sma->sem_perm.security;
+
+ ad.type = LSM_AUDIT_DATA_IPC;
+ ad.u.ipc_id = sma->sem_perm.key;
+
+ return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
+ SEM__ASSOCIATE, &ad);
+}
+
+/* Note, at this point, sma is locked down */
+static int selinux_sem_semctl(struct sem_array *sma, int cmd)
+{
+ int err;
+ u32 perms;
+
+ switch (cmd) {
+ case IPC_INFO:
+ case SEM_INFO:
+ /* No specific object, just general system-wide information. */
+ return task_has_system(current, SYSTEM__IPC_INFO);
+ case GETPID:
+ case GETNCNT:
+ case GETZCNT:
+ perms = SEM__GETATTR;
+ break;
+ case GETVAL:
+ case GETALL:
+ perms = SEM__READ;
+ break;
+ case SETVAL:
+ case SETALL:
+ perms = SEM__WRITE;
+ break;
+ case IPC_RMID:
+ perms = SEM__DESTROY;
+ break;
+ case IPC_SET:
+ perms = SEM__SETATTR;
+ break;
+ case IPC_STAT:
+ case SEM_STAT:
+ perms = SEM__GETATTR | SEM__ASSOCIATE;
+ break;
+ default:
+ return 0;
+ }
+
+ err = ipc_has_perm(&sma->sem_perm, perms);
+ return err;
+}
+
+static int selinux_sem_semop(struct sem_array *sma,
+ struct sembuf *sops, unsigned nsops, int alter)
+{
+ u32 perms;
+
+ if (alter)
+ perms = SEM__READ | SEM__WRITE;
+ else
+ perms = SEM__READ;
+
+ return ipc_has_perm(&sma->sem_perm, perms);
+}
+
+static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
+{
+ u32 av = 0;
+
+ av = 0;
+ if (flag & S_IRUGO)
+ av |= IPC__UNIX_READ;
+ if (flag & S_IWUGO)
+ av |= IPC__UNIX_WRITE;
+
+ if (av == 0)
+ return 0;
+
+ return ipc_has_perm(ipcp, av);
+}
+
+static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
+{
+ struct ipc_security_struct *isec = ipcp->security;
+ *secid = isec->sid;
+}
+
+static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
+{
+ if (inode)
+ inode_doinit_with_dentry(inode, dentry);
+}
+
+static int selinux_getprocattr(struct task_struct *p,
+ char *name, char **value)
+{
+ const struct task_security_struct *__tsec;
+ u32 sid;
+ int error;
+ unsigned len;
+
+ if (current != p) {
+ error = current_has_perm(p, PROCESS__GETATTR);
+ if (error)
+ return error;
+ }
+
+ rcu_read_lock();
+ __tsec = __task_cred(p)->security;
+
+ if (!strcmp(name, "current"))
+ sid = __tsec->sid;
+ else if (!strcmp(name, "prev"))
+ sid = __tsec->osid;
+ else if (!strcmp(name, "exec"))
+ sid = __tsec->exec_sid;
+ else if (!strcmp(name, "fscreate"))
+ sid = __tsec->create_sid;
+ else if (!strcmp(name, "keycreate"))
+ sid = __tsec->keycreate_sid;
+ else if (!strcmp(name, "sockcreate"))
+ sid = __tsec->sockcreate_sid;
+ else
+ goto invalid;
+ rcu_read_unlock();
+
+ if (!sid)
+ return 0;
+
+ error = security_sid_to_context(sid, value, &len);
+ if (error)
+ return error;
+ return len;
+
+invalid:
+ rcu_read_unlock();
+ return -EINVAL;
+}
+
+static int selinux_setprocattr(struct task_struct *p,
+ char *name, void *value, size_t size)
+{
+ struct task_security_struct *tsec;
+ struct task_struct *tracer;
+ struct cred *new;
+ u32 sid = 0, ptsid;
+ int error;
+ char *str = value;
+
+ if (current != p) {
+ /* SELinux only allows a process to change its own
+ security attributes. */
+ return -EACCES;
+ }
+
+ /*
+ * Basic control over ability to set these attributes at all.
+ * current == p, but we'll pass them separately in case the
+ * above restriction is ever removed.
+ */
+ if (!strcmp(name, "exec"))
+ error = current_has_perm(p, PROCESS__SETEXEC);
+ else if (!strcmp(name, "fscreate"))
+ error = current_has_perm(p, PROCESS__SETFSCREATE);
+ else if (!strcmp(name, "keycreate"))
+ error = current_has_perm(p, PROCESS__SETKEYCREATE);
+ else if (!strcmp(name, "sockcreate"))
+ error = current_has_perm(p, PROCESS__SETSOCKCREATE);
+ else if (!strcmp(name, "current"))
+ error = current_has_perm(p, PROCESS__SETCURRENT);
+ else
+ error = -EINVAL;
+ if (error)
+ return error;
+
+ /* Obtain a SID for the context, if one was specified. */
+ if (size && str[1] && str[1] != '\n') {
+ if (str[size-1] == '\n') {
+ str[size-1] = 0;
+ size--;
+ }
+ error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
+ if (error == -EINVAL && !strcmp(name, "fscreate")) {
+ if (!capable(CAP_MAC_ADMIN)) {
+ struct audit_buffer *ab;
+ size_t audit_size;
+
+ /* We strip a nul only if it is at the end, otherwise the
+ * context contains a nul and we should audit that */
+ if (str[size - 1] == '\0')
+ audit_size = size - 1;
+ else
+ audit_size = size;
+ ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
+ audit_log_format(ab, "op=fscreate invalid_context=");
+ audit_log_n_untrustedstring(ab, value, audit_size);
+ audit_log_end(ab);
+
+ return error;
+ }
+ error = security_context_to_sid_force(value, size,
+ &sid);
+ }
+ if (error)
+ return error;
+ }
+
+ new = prepare_creds();
+ if (!new)
+ return -ENOMEM;
+
+ /* Permission checking based on the specified context is
+ performed during the actual operation (execve,
+ open/mkdir/...), when we know the full context of the
+ operation. See selinux_bprm_set_creds for the execve
+ checks and may_create for the file creation checks. The
+ operation will then fail if the context is not permitted. */
+ tsec = new->security;
+ if (!strcmp(name, "exec")) {
+ tsec->exec_sid = sid;
+ } else if (!strcmp(name, "fscreate")) {
+ tsec->create_sid = sid;
+ } else if (!strcmp(name, "keycreate")) {
+ error = may_create_key(sid, p);
+ if (error)
+ goto abort_change;
+ tsec->keycreate_sid = sid;
+ } else if (!strcmp(name, "sockcreate")) {
+ tsec->sockcreate_sid = sid;
+ } else if (!strcmp(name, "current")) {
+ error = -EINVAL;
+ if (sid == 0)
+ goto abort_change;
+
+ /* Only allow single threaded processes to change context */
+ error = -EPERM;
+ if (!current_is_single_threaded()) {
+ error = security_bounded_transition(tsec->sid, sid);
+ if (error)
+ goto abort_change;
+ }
+
+ /* Check permissions for the transition. */
+ error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
+ PROCESS__DYNTRANSITION, NULL);
+ if (error)
+ goto abort_change;
+
+ /* Check for ptracing, and update the task SID if ok.
+ Otherwise, leave SID unchanged and fail. */
+ ptsid = 0;
+ rcu_read_lock();
+ tracer = ptrace_parent(p);
+ if (tracer)
+ ptsid = task_sid(tracer);
+ rcu_read_unlock();
+
+ if (tracer) {
+ error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
+ PROCESS__PTRACE, NULL);
+ if (error)
+ goto abort_change;
+ }
+
+ tsec->sid = sid;
+ } else {
+ error = -EINVAL;
+ goto abort_change;
+ }
+
+ commit_creds(new);
+ return size;
+
+abort_change:
+ abort_creds(new);
+ return error;
+}
+
+static int selinux_ismaclabel(const char *name)
+{
+ return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
+}
+
+static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+{
+ return security_sid_to_context(secid, secdata, seclen);
+}
+
+static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
+{
+ return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
+}
+
+static void selinux_release_secctx(char *secdata, u32 seclen)
+{
+ kfree(secdata);
+}
+
+/*
+ * called with inode->i_mutex locked
+ */
+static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
+{
+ return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
+}
+
+/*
+ * called with inode->i_mutex locked
+ */
+static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
+{
+ return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
+}
+
+static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
+{
+ int len = 0;
+ len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
+ ctx, true);
+ if (len < 0)
+ return len;
+ *ctxlen = len;
+ return 0;
+}
+#ifdef CONFIG_KEYS
+
+static int selinux_key_alloc(struct key *k, const struct cred *cred,
+ unsigned long flags)
+{
+ const struct task_security_struct *tsec;
+ struct key_security_struct *ksec;
+
+ ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
+ if (!ksec)
+ return -ENOMEM;
+
+ tsec = cred->security;
+ if (tsec->keycreate_sid)
+ ksec->sid = tsec->keycreate_sid;
+ else
+ ksec->sid = tsec->sid;
+
+ k->security = ksec;
+ return 0;
+}
+
+static void selinux_key_free(struct key *k)
+{
+ struct key_security_struct *ksec = k->security;
+
+ k->security = NULL;
+ kfree(ksec);
+}
+
+static int selinux_key_permission(key_ref_t key_ref,
+ const struct cred *cred,
+ unsigned perm)
+{
+ struct key *key;
+ struct key_security_struct *ksec;
+ u32 sid;
+
+ /* if no specific permissions are requested, we skip the
+ permission check. No serious, additional covert channels
+ appear to be created. */
+ if (perm == 0)
+ return 0;
+
+ sid = cred_sid(cred);
+
+ key = key_ref_to_ptr(key_ref);
+ ksec = key->security;
+
+ return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
+}
+
+static int selinux_key_getsecurity(struct key *key, char **_buffer)
+{
+ struct key_security_struct *ksec = key->security;
+ char *context = NULL;
+ unsigned len;
+ int rc;
+
+ rc = security_sid_to_context(ksec->sid, &context, &len);
+ if (!rc)
+ rc = len;
+ *_buffer = context;
+ return rc;
+}
+
+#endif
+
+static struct security_operations selinux_ops = {
+ .name = "selinux",
+
+ .binder_set_context_mgr = selinux_binder_set_context_mgr,
+ .binder_transaction = selinux_binder_transaction,
+ .binder_transfer_binder = selinux_binder_transfer_binder,
+ .binder_transfer_file = selinux_binder_transfer_file,
+
+ .ptrace_access_check = selinux_ptrace_access_check,
+ .ptrace_traceme = selinux_ptrace_traceme,
+ .capget = selinux_capget,
+ .capset = selinux_capset,
+ .capable = selinux_capable,
+ .quotactl = selinux_quotactl,
+ .quota_on = selinux_quota_on,
+ .syslog = selinux_syslog,
+ .vm_enough_memory = selinux_vm_enough_memory,
+
+ .netlink_send = selinux_netlink_send,
+
+ .bprm_set_creds = selinux_bprm_set_creds,
+ .bprm_committing_creds = selinux_bprm_committing_creds,
+ .bprm_committed_creds = selinux_bprm_committed_creds,
+ .bprm_secureexec = selinux_bprm_secureexec,
+
+ .sb_alloc_security = selinux_sb_alloc_security,
+ .sb_free_security = selinux_sb_free_security,
+ .sb_copy_data = selinux_sb_copy_data,
+ .sb_remount = selinux_sb_remount,
+ .sb_kern_mount = selinux_sb_kern_mount,
+ .sb_show_options = selinux_sb_show_options,
+ .sb_statfs = selinux_sb_statfs,
+ .sb_mount = selinux_mount,
+ .sb_umount = selinux_umount,
+ .sb_set_mnt_opts = selinux_set_mnt_opts,
+ .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
+ .sb_parse_opts_str = selinux_parse_opts_str,
+
+ .dentry_init_security = selinux_dentry_init_security,
+
+ .inode_alloc_security = selinux_inode_alloc_security,
+ .inode_free_security = selinux_inode_free_security,
+ .inode_init_security = selinux_inode_init_security,
+ .inode_create = selinux_inode_create,
+ .inode_link = selinux_inode_link,
+ .inode_unlink = selinux_inode_unlink,
+ .inode_symlink = selinux_inode_symlink,
+ .inode_mkdir = selinux_inode_mkdir,
+ .inode_rmdir = selinux_inode_rmdir,
+ .inode_mknod = selinux_inode_mknod,
+ .inode_rename = selinux_inode_rename,
+ .inode_readlink = selinux_inode_readlink,
+ .inode_follow_link = selinux_inode_follow_link,
+ .inode_permission = selinux_inode_permission,
+ .inode_setattr = selinux_inode_setattr,
+ .inode_getattr = selinux_inode_getattr,
+ .inode_setxattr = selinux_inode_setxattr,
+ .inode_post_setxattr = selinux_inode_post_setxattr,
+ .inode_getxattr = selinux_inode_getxattr,
+ .inode_listxattr = selinux_inode_listxattr,
+ .inode_removexattr = selinux_inode_removexattr,
+ .inode_getsecurity = selinux_inode_getsecurity,
+ .inode_setsecurity = selinux_inode_setsecurity,
+ .inode_listsecurity = selinux_inode_listsecurity,
+ .inode_getsecid = selinux_inode_getsecid,
+
+ .file_permission = selinux_file_permission,
+ .file_alloc_security = selinux_file_alloc_security,
+ .file_free_security = selinux_file_free_security,
+ .file_ioctl = selinux_file_ioctl,
+ .mmap_file = selinux_mmap_file,
+ .mmap_addr = selinux_mmap_addr,
+ .file_mprotect = selinux_file_mprotect,
+ .file_lock = selinux_file_lock,
+ .file_fcntl = selinux_file_fcntl,
+ .file_set_fowner = selinux_file_set_fowner,
+ .file_send_sigiotask = selinux_file_send_sigiotask,
+ .file_receive = selinux_file_receive,
+
+ .file_open = selinux_file_open,
+
+ .task_create = selinux_task_create,
+ .cred_alloc_blank = selinux_cred_alloc_blank,
+ .cred_free = selinux_cred_free,
+ .cred_prepare = selinux_cred_prepare,
+ .cred_transfer = selinux_cred_transfer,
+ .kernel_act_as = selinux_kernel_act_as,
+ .kernel_create_files_as = selinux_kernel_create_files_as,
+ .kernel_module_request = selinux_kernel_module_request,
+ .task_setpgid = selinux_task_setpgid,
+ .task_getpgid = selinux_task_getpgid,
+ .task_getsid = selinux_task_getsid,
+ .task_getsecid = selinux_task_getsecid,
+ .task_setnice = selinux_task_setnice,
+ .task_setioprio = selinux_task_setioprio,
+ .task_getioprio = selinux_task_getioprio,
+ .task_setrlimit = selinux_task_setrlimit,
+ .task_setscheduler = selinux_task_setscheduler,
+ .task_getscheduler = selinux_task_getscheduler,
+ .task_movememory = selinux_task_movememory,
+ .task_kill = selinux_task_kill,
+ .task_wait = selinux_task_wait,
+ .task_to_inode = selinux_task_to_inode,
+
+ .ipc_permission = selinux_ipc_permission,
+ .ipc_getsecid = selinux_ipc_getsecid,
+
+ .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
+ .msg_msg_free_security = selinux_msg_msg_free_security,
+
+ .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
+ .msg_queue_free_security = selinux_msg_queue_free_security,
+ .msg_queue_associate = selinux_msg_queue_associate,
+ .msg_queue_msgctl = selinux_msg_queue_msgctl,
+ .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
+ .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
+
+ .shm_alloc_security = selinux_shm_alloc_security,
+ .shm_free_security = selinux_shm_free_security,
+ .shm_associate = selinux_shm_associate,
+ .shm_shmctl = selinux_shm_shmctl,
+ .shm_shmat = selinux_shm_shmat,
+
+ .sem_alloc_security = selinux_sem_alloc_security,
+ .sem_free_security = selinux_sem_free_security,
+ .sem_associate = selinux_sem_associate,
+ .sem_semctl = selinux_sem_semctl,
+ .sem_semop = selinux_sem_semop,
+
+ .d_instantiate = selinux_d_instantiate,
+
+ .getprocattr = selinux_getprocattr,
+ .setprocattr = selinux_setprocattr,
+
+ .ismaclabel = selinux_ismaclabel,
+ .secid_to_secctx = selinux_secid_to_secctx,
+ .secctx_to_secid = selinux_secctx_to_secid,
+ .release_secctx = selinux_release_secctx,
+ .inode_notifysecctx = selinux_inode_notifysecctx,
+ .inode_setsecctx = selinux_inode_setsecctx,
+ .inode_getsecctx = selinux_inode_getsecctx,
+
+ .unix_stream_connect = selinux_socket_unix_stream_connect,
+ .unix_may_send = selinux_socket_unix_may_send,
+
+ .socket_create = selinux_socket_create,
+ .socket_post_create = selinux_socket_post_create,
+ .socket_bind = selinux_socket_bind,
+ .socket_connect = selinux_socket_connect,
+ .socket_listen = selinux_socket_listen,
+ .socket_accept = selinux_socket_accept,
+ .socket_sendmsg = selinux_socket_sendmsg,
+ .socket_recvmsg = selinux_socket_recvmsg,
+ .socket_getsockname = selinux_socket_getsockname,
+ .socket_getpeername = selinux_socket_getpeername,
+ .socket_getsockopt = selinux_socket_getsockopt,
+ .socket_setsockopt = selinux_socket_setsockopt,
+ .socket_shutdown = selinux_socket_shutdown,
+ .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
+ .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
+ .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
+ .sk_alloc_security = selinux_sk_alloc_security,
+ .sk_free_security = selinux_sk_free_security,
+ .sk_clone_security = selinux_sk_clone_security,
+ .sk_getsecid = selinux_sk_getsecid,
+ .sock_graft = selinux_sock_graft,
+ .inet_conn_request = selinux_inet_conn_request,
+ .inet_csk_clone = selinux_inet_csk_clone,
+ .inet_conn_established = selinux_inet_conn_established,
+ .secmark_relabel_packet = selinux_secmark_relabel_packet,
+ .secmark_refcount_inc = selinux_secmark_refcount_inc,
+ .secmark_refcount_dec = selinux_secmark_refcount_dec,
+ .req_classify_flow = selinux_req_classify_flow,
+ .tun_dev_alloc_security = selinux_tun_dev_alloc_security,
+ .tun_dev_free_security = selinux_tun_dev_free_security,
+ .tun_dev_create = selinux_tun_dev_create,
+ .tun_dev_attach_queue = selinux_tun_dev_attach_queue,
+ .tun_dev_attach = selinux_tun_dev_attach,
+ .tun_dev_open = selinux_tun_dev_open,
+
+#ifdef CONFIG_SECURITY_NETWORK_XFRM
+ .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
+ .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
+ .xfrm_policy_free_security = selinux_xfrm_policy_free,
+ .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
+ .xfrm_state_alloc = selinux_xfrm_state_alloc,
+ .xfrm_state_alloc_acquire = selinux_xfrm_state_alloc_acquire,
+ .xfrm_state_free_security = selinux_xfrm_state_free,
+ .xfrm_state_delete_security = selinux_xfrm_state_delete,
+ .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
+ .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
+ .xfrm_decode_session = selinux_xfrm_decode_session,
+#endif
+
+#ifdef CONFIG_KEYS
+ .key_alloc = selinux_key_alloc,
+ .key_free = selinux_key_free,
+ .key_permission = selinux_key_permission,
+ .key_getsecurity = selinux_key_getsecurity,
+#endif
+
+#ifdef CONFIG_AUDIT
+ .audit_rule_init = selinux_audit_rule_init,
+ .audit_rule_known = selinux_audit_rule_known,
+ .audit_rule_match = selinux_audit_rule_match,
+ .audit_rule_free = selinux_audit_rule_free,
+#endif
+};
+
+static __init int selinux_init(void)
+{
+ if (!security_module_enable(&selinux_ops)) {
+ selinux_enabled = 0;
+ return 0;
+ }
+
+ if (!selinux_enabled) {
+ printk(KERN_INFO "SELinux: Disabled at boot.\n");
+ return 0;
+ }
+
+ printk(KERN_INFO "SELinux: Initializing.\n");
+
+ /* Set the security state for the initial task. */
+ cred_init_security();
+
+ default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
+
+ sel_inode_cache = kmem_cache_create("selinux_inode_security",
+ sizeof(struct inode_security_struct),
+ 0, SLAB_PANIC, NULL);
+ avc_init();
+
+ if (register_security(&selinux_ops))
+ panic("SELinux: Unable to register with kernel.\n");
+
+ if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
+ panic("SELinux: Unable to register AVC netcache callback\n");
+
+ if (selinux_enforcing)
+ printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
+ else
+ printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
+
+ return 0;
+}
+
+static void delayed_superblock_init(struct super_block *sb, void *unused)
+{
+ superblock_doinit(sb, NULL);
+}
+
+void selinux_complete_init(void)
+{
+ printk(KERN_DEBUG "SELinux: Completing initialization.\n");
+
+ /* Set up any superblocks initialized prior to the policy load. */
+ printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
+ iterate_supers(delayed_superblock_init, NULL);
+}
+
+/* SELinux requires early initialization in order to label
+ all processes and objects when they are created. */
+security_initcall(selinux_init);
+
+#if defined(CONFIG_NETFILTER)
+
+static struct nf_hook_ops selinux_nf_ops[] = {
+ {
+ .hook = selinux_ipv4_postroute,
+ .owner = THIS_MODULE,
+ .pf = NFPROTO_IPV4,
+ .hooknum = NF_INET_POST_ROUTING,
+ .priority = NF_IP_PRI_SELINUX_LAST,
+ },
+ {
+ .hook = selinux_ipv4_forward,
+ .owner = THIS_MODULE,
+ .pf = NFPROTO_IPV4,
+ .hooknum = NF_INET_FORWARD,
+ .priority = NF_IP_PRI_SELINUX_FIRST,
+ },
+ {
+ .hook = selinux_ipv4_output,
+ .owner = THIS_MODULE,
+ .pf = NFPROTO_IPV4,
+ .hooknum = NF_INET_LOCAL_OUT,
+ .priority = NF_IP_PRI_SELINUX_FIRST,
+ },
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+ {
+ .hook = selinux_ipv6_postroute,
+ .owner = THIS_MODULE,
+ .pf = NFPROTO_IPV6,
+ .hooknum = NF_INET_POST_ROUTING,
+ .priority = NF_IP6_PRI_SELINUX_LAST,
+ },
+ {
+ .hook = selinux_ipv6_forward,
+ .owner = THIS_MODULE,
+ .pf = NFPROTO_IPV6,
+ .hooknum = NF_INET_FORWARD,
+ .priority = NF_IP6_PRI_SELINUX_FIRST,
+ },
+#endif /* IPV6 */
+};
+
+static int __init selinux_nf_ip_init(void)
+{
+ int err;
+
+ if (!selinux_enabled)
+ return 0;
+
+ printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
+
+ err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
+ if (err)
+ panic("SELinux: nf_register_hooks: error %d\n", err);
+
+ return 0;
+}
+
+__initcall(selinux_nf_ip_init);
+
+#ifdef CONFIG_SECURITY_SELINUX_DISABLE
+static void selinux_nf_ip_exit(void)
+{
+ printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
+
+ nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
+}
+#endif
+
+#else /* CONFIG_NETFILTER */
+
+#ifdef CONFIG_SECURITY_SELINUX_DISABLE
+#define selinux_nf_ip_exit()
+#endif
+
+#endif /* CONFIG_NETFILTER */
+
+#ifdef CONFIG_SECURITY_SELINUX_DISABLE
+static int selinux_disabled;
+
+int selinux_disable(void)
+{
+ if (ss_initialized) {
+ /* Not permitted after initial policy load. */
+ return -EINVAL;
+ }
+
+ if (selinux_disabled) {
+ /* Only do this once. */
+ return -EINVAL;
+ }
+
+ printk(KERN_INFO "SELinux: Disabled at runtime.\n");
+
+ selinux_disabled = 1;
+ selinux_enabled = 0;
+
+ reset_security_ops();
+
+ /* Try to destroy the avc node cache */
+ avc_disable();
+
+ /* Unregister netfilter hooks. */
+ selinux_nf_ip_exit();
+
+ /* Unregister selinuxfs. */
+ exit_sel_fs();
+
+ return 0;
+}
+#endif