tty: Make get_current_tty use a kref
index 85a2204..089d61a 100644 (file)
@@ -9,7 +9,8 @@
  *           James Morris <jmorris@redhat.com>
  *
  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
- *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ *                                        Eric Paris <eparis@redhat.com>
  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
  *                         <dgoeddel@trustedcs.com>
  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
@@ -24,7 +25,7 @@
 
 #include <linux/init.h>
 #include <linux/kernel.h>
-#include <linux/ptrace.h>
+#include <linux/tracehook.h>
 #include <linux/errno.h>
 #include <linux/sched.h>
 #include <linux/security.h>
 #include <linux/spinlock.h>
 #include <linux/syscalls.h>
 #include <linux/file.h>
+#include <linux/fdtable.h>
 #include <linux/namei.h>
 #include <linux/mount.h>
-#include <linux/ext2_fs.h>
 #include <linux/proc_fs.h>
-#include <linux/kd.h>
 #include <linux/netfilter_ipv4.h>
 #include <linux/netfilter_ipv6.h>
 #include <linux/tty.h>
@@ -52,7 +52,7 @@
 #include <net/tcp.h>           /* struct or_callable used in sock_rcv_skb */
 #include <net/net_namespace.h>
 #include <net/netlabel.h>
-#include <asm/uaccess.h>
+#include <linux/uaccess.h>
 #include <asm/ioctls.h>
 #include <asm/atomic.h>
 #include <linux/bitops.h>
@@ -103,7 +103,9 @@ int selinux_enforcing;
 
 static int __init enforcing_setup(char *str)
 {
-       selinux_enforcing = simple_strtol(str, NULL, 0);
+       unsigned long enforcing;
+       if (!strict_strtoul(str, 0, &enforcing))
+               selinux_enforcing = enforcing ? 1 : 0;
        return 1;
 }
 __setup("enforcing=", enforcing_setup);
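Review bot: A malformed `enforcing=` value is now dropped silently at L50–L51 — when strict_strtoul() fails, selinux_enforcing keeps its compiled-in default and nothing reaches the log, which for a security-mode boot parameter is worth surfacing; add `else printk(KERN_WARNING "SELinux: ignoring invalid enforcing= value\n");` after the if. The same applies to `selinux=` in the hunk at L55–L65. Returning 1 either way is fine, since the parameter is consumed regardless of its validity.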
@@ -114,7 +116,9 @@ int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
 
 static int __init selinux_enabled_setup(char *str)
 {
-       selinux_enabled = simple_strtol(str, NULL, 0);
+       unsigned long enabled;
+       if (!strict_strtoul(str, 0, &enabled))
+               selinux_enabled = enabled ? 1 : 0;
        return 1;
 }
 __setup("selinux=", selinux_enabled_setup);
@@ -122,13 +126,11 @@ __setup("selinux=", selinux_enabled_setup);
 int selinux_enabled = 1;
 #endif
 
-/* Original (dummy) security module. */
-static struct security_operations *original_ops;
 
-/* Minimal support for a secondary security module,
-   just to allow the use of the dummy or capability modules.
-   The owlsm module can alternatively be used as a secondary
  module as long as CONFIG_OWLSM_FD is not enabled. */
+/*
+ * Minimal support for a secondary security module,
+ * just to allow the use of the capability module.
+ */
 static struct security_operations *secondary_ops;
 
 /* Lists of inode and superblock security structures initialized
@@ -593,7 +595,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
         */
        if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
            && (num_opts == 0))
-               goto out;
+               goto out;
 
        /*
         * parse the mount options, check if they are valid sids.
@@ -955,6 +957,62 @@ out_err:
        return rc;
 }
 
+static void selinux_write_opts(struct seq_file *m,
+                              struct security_mnt_opts *opts)
+{
+       int i;
+       char *prefix;
+
+       for (i = 0; i < opts->num_mnt_opts; i++) {
+               char *has_comma = strchr(opts->mnt_opts[i], ',');
+
+               switch (opts->mnt_opts_flags[i]) {
+               case CONTEXT_MNT:
+                       prefix = CONTEXT_STR;
+                       break;
+               case FSCONTEXT_MNT:
+                       prefix = FSCONTEXT_STR;
+                       break;
+               case ROOTCONTEXT_MNT:
+                       prefix = ROOTCONTEXT_STR;
+                       break;
+               case DEFCONTEXT_MNT:
+                       prefix = DEFCONTEXT_STR;
+                       break;
+               default:
+                       BUG();
+               };
+               /* we need a comma before each option */
+               seq_putc(m, ',');
+               seq_puts(m, prefix);
+               if (has_comma)
+                       seq_putc(m, '\"');
+               seq_puts(m, opts->mnt_opts[i]);
+               if (has_comma)
+                       seq_putc(m, '\"');
+       }
+}
+
+static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
+{
+       struct security_mnt_opts opts;
+       int rc;
+
+       rc = selinux_get_mnt_opts(sb, &opts);
+       if (rc) {
+               /* before policy load we may get EINVAL, don't show anything */
+               if (rc == -EINVAL)
+                       rc = 0;
+               return rc;
+       }
+
+       selinux_write_opts(m, &opts);
+
+       security_free_mnt_opts(&opts);
+
+       return rc;
+}
+
 static inline u16 inode_mode_to_security_class(umode_t mode)
 {
        switch (mode & S_IFMT) {
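Review bot: selinux_write_opts() quotes a value only when it contains a comma (L104, L125–L129) and never escapes a double quote inside the value, so an option value holding `"` would be printed ambiguously; whether such contexts can occur is a policy question, so at least state the contract in a comment above the loop, e.g. `/* values containing ',' are wrapped in double quotes; an embedded '"' is not escaped */`. Stylistically, `};` at L121 carries a stray semicolon after the switch block, and `prefix` is only "initialized" because BUG() does not return — `char *prefix = NULL;` keeps that robust if BUG() is compiled out. In selinux_sb_show_options() the comment at L140 explains the -EINVAL swallow well; it could also note that `opts` is deliberately not freed on the error path because selinux_get_mnt_opts() is assumed to leave nothing allocated — verify that against its cleanup.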
@@ -1233,7 +1291,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
                /* Default to the fs superblock SID. */
                isec->sid = sbsec->sid;
 
-               if (sbsec->proc) {
+               if (sbsec->proc && !S_ISLNK(inode->i_mode)) {
                        struct proc_inode *proci = PROC_I(inode);
                        if (proci->pde) {
                                isec->sclass = inode_mode_to_security_class(inode->i_mode);
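Review bot: The new `!S_ISLNK(inode->i_mode)` condition at L161 has no comment saying why proc symlinks are now left at the superblock SID instead of being labeled from their pde; the motivation is not recoverable from the hunk, so a one-line note such as `/* proc symlinks keep the superblock SID rather than the pde-derived label */`, with the reason filled in by the author, would keep the next reader from reverting it. inode_doinit_with_dentry() begins and ends outside this hunk.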
@@ -1681,15 +1739,34 @@ static inline u32 file_to_av(struct file *file)
 
 /* Hook functions begin here. */
 
-static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
+static int selinux_ptrace_may_access(struct task_struct *child,
+                                    unsigned int mode)
 {
        int rc;
 
-       rc = secondary_ops->ptrace(parent, child);
+       rc = secondary_ops->ptrace_may_access(child, mode);
        if (rc)
                return rc;
 
-       return task_has_perm(parent, child, PROCESS__PTRACE);
+       if (mode == PTRACE_MODE_READ) {
+               struct task_security_struct *tsec = current->security;
+               struct task_security_struct *csec = child->security;
+               return avc_has_perm(tsec->sid, csec->sid,
+                                   SECCLASS_FILE, FILE__READ, NULL);
+       }
+
+       return task_has_perm(current, child, PROCESS__PTRACE);
+}
+
+static int selinux_ptrace_traceme(struct task_struct *parent)
+{
+       int rc;
+
+       rc = secondary_ops->ptrace_traceme(parent);
+       if (rc)
+               return rc;
+
+       return task_has_perm(parent, current, PROCESS__PTRACE);
 }
 
 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
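Review bot: The PTRACE_MODE_READ branch at L181–L186 checks `file:read` between the two task SIDs instead of `process:ptrace`, and nothing in the hunk says why; a comment such as `/* read-only access needs only file read permission on the target, not full ptrace */` would document the intent — if the motivation is /proc/<pid> reads, say so, but confirm that before writing it. Note also that `mode == PTRACE_MODE_READ` is an equality test, so any other mode value falls through to the stricter PROCESS__PTRACE check, which fails closed; that is worth stating in the same comment. The new selinux_ptrace_traceme() at L191–L200 could carry a one-line header noting that `current` is the task asking to be traced by `parent`.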
@@ -1909,22 +1986,6 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
        return __vm_enough_memory(mm, pages, cap_sys_admin);
 }
 
-/**
- * task_tracer_task - return the task that is tracing the given task
- * @task:              task to consider
- *
- * Returns NULL if noone is tracing @task, or the &struct task_struct
- * pointer to its tracer.
- *
- * Must be called under rcu_read_lock().
- */
-static struct task_struct *task_tracer_task(struct task_struct *task)
-{
-       if (task->ptrace & PT_PTRACED)
-               return rcu_dereference(task->parent);
-       return NULL;
-}
-
 /* binprm security operations */
 
 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
@@ -2062,6 +2123,7 @@ static inline void flush_unauthorized_files(struct files_struct *files)
 
        mutex_lock(&tty_mutex);
        tty = get_current_tty();
+       mutex_unlock(&tty_mutex);
        if (tty) {
                file_list_lock();
                file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
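Review bot: With tty_mutex now released at L230 before the tty is used, the tty is kept alive only by the reference get_current_tty() returns, and the matching tty_kref_put() is in the next hunk (L238); every exit from the `if (tty)` block must reach that put, and the lines between the two hunks are not visible here (L234–L237 show only the block's tail), so that should be checked. A comment at the unlock, `/* tty_mutex no longer needed: tty is pinned by the kref from get_current_tty() */`, would record the new locking rule. Whether tty->tty_files may be walked without tty_mutex, relying on file_list_lock() alone, is not established by the hunk — confirm with the tty layer. flush_unauthorized_files() starts and ends outside both hunks.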
@@ -2078,8 +2140,8 @@ static inline void flush_unauthorized_files(struct files_struct *files)
                        }
                }
                file_list_unlock();
+               tty_kref_put(tty);
        }
-       mutex_unlock(&tty_mutex);
        /* Reset controlling tty. */
        if (drop_tty)
                no_tty();
@@ -2176,7 +2238,7 @@ static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
                        u32 ptsid = 0;
 
                        rcu_read_lock();
-                       tracer = task_tracer_task(current);
+                       tracer = tracehook_tracer_task(current);
                        if (likely(tracer != NULL)) {
                                sec = tracer->security;
                                ptsid = sec->sid;
@@ -2494,7 +2556,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
        }
 
        if (value && len) {
-               rc = security_sid_to_context(newsid, &context, &clen);
+               rc = security_sid_to_context_force(newsid, &context, &clen);
                if (rc) {
                        kfree(namep);
                        return rc;
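Review bot: Switching to security_sid_to_context_force() at L258 changes what gets written into the new inode's xattr when newsid is not representable under the loaded policy, and nothing here records why that is wanted; a comment such as `/* _force: emit the raw context even if current policy cannot map newsid */` would help, with the exact semantics confirmed against security_sid_to_context_force(). selinux_inode_init_security() starts and ends outside the hunk.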
@@ -2578,12 +2640,11 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na
        return dentry_has_perm(current, NULL, dentry, FILE__READ);
 }
 
-static int selinux_inode_permission(struct inode *inode, int mask,
-                                   struct nameidata *nd)
+static int selinux_inode_permission(struct inode *inode, int mask)
 {
        int rc;
 
-       rc = secondary_ops->inode_permission(inode, mask, nd);
+       rc = secondary_ops->inode_permission(inode, mask);
        if (rc)
                return rc;
 
@@ -2668,6 +2729,11 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
                return rc;
 
        rc = security_context_to_sid(value, size, &newsid);
+       if (rc == -EINVAL) {
+               if (!capable(CAP_MAC_ADMIN))
+                       return rc;
+               rc = security_context_to_sid_force(value, size, &newsid);
+       }
        if (rc)
                return rc;
 
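Review bot: The `-EINVAL` → CAP_MAC_ADMIN → `_force` fallback added at L281–L285 is duplicated almost verbatim in selinux_setprocattr() (hunk at L534–L546), and the reason an admin may store a context the current policy does not define is stated at neither site; a small static helper carrying that comment would keep both paths identical and make any later change (for instance auditing the override) a one-place edit. The sketch below would replace L280–L285 with `rc = selinux_context_to_sid_admin(value, size, &newsid);`; in setprocattr the `fscreate` condition stays at the call site. selinux_inode_setxattr() begins and ends outside the hunk, and the parameter type of `value` should be made to match what security_context_to_sid() actually takes.

```c
/*
 * Map a security context string to a SID.  A context the current policy
 * does not define (-EINVAL, e.g. before policy load) is accepted only for
 * callers with CAP_MAC_ADMIN, via the non-validating *_force mapping.
 */
static int selinux_context_to_sid_admin(const void *value, size_t size, u32 *sid)
{
	int rc = security_context_to_sid(value, size, sid);

	if (rc == -EINVAL && capable(CAP_MAC_ADMIN))
		rc = security_context_to_sid_force(value, size, sid);
	return rc;
}
```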
@@ -2689,7 +2755,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
 }
 
 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
-                                        const void *value, size_t size,
+                                       const void *value, size_t size,
                                        int flags)
 {
        struct inode *inode = dentry->d_inode;
@@ -2702,10 +2768,11 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
                return;
        }
 
-       rc = security_context_to_sid(value, size, &newsid);
+       rc = security_context_to_sid_force(value, size, &newsid);
        if (rc) {
-               printk(KERN_WARNING "%s:  unable to obtain SID for context "
-                      "%s, rc=%d\n", __func__, (char *)value, -rc);
+               printk(KERN_ERR "SELinux:  unable to map context to SID"
+                      "for (%s, %lu), rc=%d\n",
+                      inode->i_sb->s_id, inode->i_ino, -rc);
                return;
        }
 
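Review bot: The new message at L307–L308 is split across two string literals with no separating space, so it logs as `...map context to SIDfor (...)`; change the first literal to `"SELinux:  unable to map context to SID "`. Dropping the caller-supplied xattr value from the log in favour of (s_id, i_ino) is a sensible change, since that value is user-controlled. `%lu` matches the `unsigned long` type of `i_ino`, so the rest of the format is fine.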
@@ -2734,9 +2801,7 @@ static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
 }
 
 /*
- * Copy the in-core inode security context value to the user.  If the
- * getxattr() prior to this succeeded, check to see if we need to
- * canonicalize the value to be finally returned to the user.
+ * Copy the inode security context value to the user.
  *
  * Permission check is handled by selinux_inode_getxattr hook.
  */
@@ -2745,12 +2810,33 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
        u32 size;
        int error;
        char *context = NULL;
+       struct task_security_struct *tsec = current->security;
        struct inode_security_struct *isec = inode->i_security;
 
        if (strcmp(name, XATTR_SELINUX_SUFFIX))
                return -EOPNOTSUPP;
 
-       error = security_sid_to_context(isec->sid, &context, &size);
+       /*
+        * If the caller has CAP_MAC_ADMIN, then get the raw context
+        * value even if it is not defined by current policy; otherwise,
+        * use the in-core value under current policy.
+        * Use the non-auditing forms of the permission checks since
+        * getxattr may be called by unprivileged processes commonly
+        * and lack of permission just means that we fall back to the
+        * in-core context value, not a denial.
+        */
+       error = secondary_ops->capable(current, CAP_MAC_ADMIN);
+       if (!error)
+               error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
+                                            SECCLASS_CAPABILITY2,
+                                            CAPABILITY2__MAC_ADMIN,
+                                            0,
+                                            NULL);
+       if (!error)
+               error = security_sid_to_context_force(isec->sid, &context,
+                                                     &size);
+       else
+               error = security_sid_to_context(isec->sid, &context, &size);
        if (error)
                return error;
        error = size;
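Review bot: `error` is used at L344–L355 for two different things — first as the privilege decision (non-zero meaning "not admin"), then as the real result of the context lookup — which makes `if (!error)` at L351 read as an error check when it is actually a privilege test. Splitting it, e.g. `int admin = !secondary_ops->capable(current, CAP_MAC_ADMIN) && !avc_has_perm_noaudit(tsec->sid, tsec->sid, SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, 0, NULL);` followed by `error = admin ? security_sid_to_context_force(isec->sid, &context, &size) : security_sid_to_context(isec->sid, &context, &size);`, keeps the behavior and reads unambiguously. The explanatory comment at L335–L343 is good and should stay with whichever form is chosen.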
@@ -2864,46 +2950,16 @@ static void selinux_file_free_security(struct file *file)
 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
                              unsigned long arg)
 {
-       int error = 0;
-
-       switch (cmd) {
-       case FIONREAD:
-       /* fall through */
-       case FIBMAP:
-       /* fall through */
-       case FIGETBSZ:
-       /* fall through */
-       case EXT2_IOC_GETFLAGS:
-       /* fall through */
-       case EXT2_IOC_GETVERSION:
-               error = file_has_perm(current, file, FILE__GETATTR);
-               break;
-
-       case EXT2_IOC_SETFLAGS:
-       /* fall through */
-       case EXT2_IOC_SETVERSION:
-               error = file_has_perm(current, file, FILE__SETATTR);
-               break;
-
-       /* sys_ioctl() checks */
-       case FIONBIO:
-       /* fall through */
-       case FIOASYNC:
-               error = file_has_perm(current, file, 0);
-               break;
+       u32 av = 0;
 
-       case KDSKBENT:
-       case KDSKBSENT:
-               error = task_has_capability(current, CAP_SYS_TTY_CONFIG);
-               break;
+       if (_IOC_DIR(cmd) & _IOC_WRITE)
+               av |= FILE__WRITE;
+       if (_IOC_DIR(cmd) & _IOC_READ)
+               av |= FILE__READ;
+       if (!av)
+               av = FILE__IOCTL;
 
-       /* default case assumes that the command will go
-        * to the file's ioctl() function.
-        */
-       default:
-               error = file_has_perm(current, file, FILE__IOCTL);
-       }
-       return error;
+       return file_has_perm(current, file, av);
 }
 
 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
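Review bot: The rewritten selinux_file_ioctl() at L390–L410 derives the permission purely from the command's `_IOC_DIR` bits, and the explicit CAP_SYS_TTY_CONFIG requirement for KDSKBENT/KDSKBSENT that the old switch enforced is gone with nothing in this file replacing it; unless that check now lives in the console driver (plausible, given `<linux/kd.h>` is dropped from the includes, but not verifiable here), this is a privilege regression and should be confirmed. Legacy ioctl numbers that encode no direction (FIONBIO, FIOASYNC and the like) now fall to FILE__IOCTL, which is stricter than the old `file_has_perm(current, file, 0)`, while a driver that mis-encodes its direction bits gets a weaker check than the old explicit cases gave; a header comment stating the rule, e.g. `/* Derive the permission from the ioctl's encoded direction: write -> file:write, read -> file:read, neither -> file:ioctl. */`, should accompany the rewrite.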
@@ -3286,9 +3342,6 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
        if (rc)
                return rc;
 
-       if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
-               return 0;
-
        if (!sig)
                perm = PROCESS__SIGNULL; /* null signal; existence test */
        else
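Review bot: Removing the early return at L418–L419 means special and kernel-originated siginfo values now reach the avc permission check in selinux_task_kill() too; that is only correct if the core no longer invokes this hook for kernel-generated signals, which the hunk does not show — confirm against the caller, otherwise kernel-sent signals could now be denied by policy. If the assumption holds, pin it with a comment near the check, `/* only user-originated signals reach this hook; kernel-generated ones are not policy-checked */`. selinux_task_kill() starts and ends outside the hunk.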
@@ -3497,38 +3550,44 @@ out:
 #endif /* IPV6 */
 
 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
-                            char **addrp, int src, u8 *proto)
+                            char **_addrp, int src, u8 *proto)
 {
-       int ret = 0;
+       char *addrp;
+       int ret;
 
        switch (ad->u.net.family) {
        case PF_INET:
                ret = selinux_parse_skb_ipv4(skb, ad, proto);
-               if (ret || !addrp)
-                       break;
-               *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
-                                       &ad->u.net.v4info.daddr);
-               break;
+               if (ret)
+                       goto parse_error;
+               addrp = (char *)(src ? &ad->u.net.v4info.saddr :
+                                      &ad->u.net.v4info.daddr);
+               goto okay;
 
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
        case PF_INET6:
                ret = selinux_parse_skb_ipv6(skb, ad, proto);
-               if (ret || !addrp)
-                       break;
-               *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
-                                       &ad->u.net.v6info.daddr);
-               break;
+               if (ret)
+                       goto parse_error;
+               addrp = (char *)(src ? &ad->u.net.v6info.saddr :
+                                      &ad->u.net.v6info.daddr);
+               goto okay;
 #endif /* IPV6 */
        default:
-               break;
+               addrp = NULL;
+               goto okay;
        }
 
-       if (unlikely(ret))
-               printk(KERN_WARNING
-                      "SELinux: failure in selinux_parse_skb(),"
-                      " unable to parse packet\n");
-
+parse_error:
+       printk(KERN_WARNING
+              "SELinux: failure in selinux_parse_skb(),"
+              " unable to parse packet\n");
        return ret;
+
+okay:
+       if (_addrp)
+               *_addrp = addrp;
+       return 0;
 }
 
 /**
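Review bot: `ret` at L433 is now declared without an initializer and every switch arm ends in a goto, so the `parse_error:` printk at L474–L478 is reached only by jump; a future case that ends with `break` would fall into it and return an uninitialized `ret`. Keep `int ret = 0;` and either put `return 0;` ahead of the label or place the okay path first so the fall-through is explicit. Also a behavioral change worth a comment: the `default:` arm now stores `*_addrp = NULL` (L465, L481–L482) where the old code left the caller's pointer untouched — fine if every caller pre-initializes its addrp, which cannot be confirmed from here.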
@@ -3665,7 +3724,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
                struct sockaddr_in6 *addr6 = NULL;
                unsigned short snum;
                struct sock *sk = sock->sk;
-               u32 sid, node_perm, addrlen;
+               u32 sid, node_perm;
 
                tsec = current->security;
                isec = SOCK_INODE(sock)->i_security;
@@ -3673,12 +3732,10 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
                if (family == PF_INET) {
                        addr4 = (struct sockaddr_in *)address;
                        snum = ntohs(addr4->sin_port);
-                       addrlen = sizeof(addr4->sin_addr.s_addr);
                        addrp = (char *)&addr4->sin_addr.s_addr;
                } else {
                        addr6 = (struct sockaddr_in6 *)address;
                        snum = ntohs(addr6->sin6_port);
-                       addrlen = sizeof(addr6->sin6_addr.s6_addr);
                        addrp = (char *)&addr6->sin6_addr.s6_addr;
                }
 
@@ -5049,24 +5106,6 @@ static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
        *secid = isec->sid;
 }
 
-/* module stacking operations */
-static int selinux_register_security(const char *name, struct security_operations *ops)
-{
-       if (secondary_ops != original_ops) {
-               printk(KERN_ERR "%s:  There is already a secondary security "
-                      "module registered.\n", __func__);
-               return -EINVAL;
-       }
-
-       secondary_ops = ops;
-
-       printk(KERN_INFO "%s:  Registering secondary module %s\n",
-              __func__,
-              name);
-
-       return 0;
-}
-
 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
 {
        if (inode)
@@ -5155,6 +5194,12 @@ static int selinux_setprocattr(struct task_struct *p,
                        size--;
                }
                error = security_context_to_sid(value, size, &sid);
+               if (error == -EINVAL && !strcmp(name, "fscreate")) {
+                       if (!capable(CAP_MAC_ADMIN))
+                               return error;
+                       error = security_context_to_sid_force(value, size,
+                                                             &sid);
+               }
                if (error)
                        return error;
        }
@@ -5182,20 +5227,29 @@ static int selinux_setprocattr(struct task_struct *p,
 
                if (sid == 0)
                        return -EINVAL;
-
-               /* Only allow single threaded processes to change context */
+               /*
+                * SELinux allows to change context in the following case only.
+                *  - Single threaded processes.
+                *  - Multi threaded processes intend to change its context into
+                *    more restricted domain (defined by TYPEBOUNDS statement).
+                */
                if (atomic_read(&p->mm->mm_users) != 1) {
                        struct task_struct *g, *t;
                        struct mm_struct *mm = p->mm;
                        read_lock(&tasklist_lock);
-                       do_each_thread(g, t)
+                       do_each_thread(g, t) {
                                if (t->mm == mm && t != p) {
                                        read_unlock(&tasklist_lock);
-                                       return -EPERM;
+                                       error = security_bounded_transition(tsec->sid, sid);
+                                       if (!error)
+                                               goto boundary_ok;
+
+                                       return error;
                                }
-                       while_each_thread(g, t);
+                       while_each_thread(g, t);
                        read_unlock(&tasklist_lock);
                }
+boundary_ok:
 
                /* Check permissions for the transition. */
                error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
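Review bot: The `boundary_ok:` label at L578 sits before a blank line and a comment rather than the statement it guards, and the new comment at L553–L558 has grammar slips ("allows to change context in the following case only", "intend to change its context"); suggest `/* A context change is allowed only for single-threaded processes, or for multi-threaded ones moving to a more restricted domain (a bounded transition per the TYPEBOUNDS statement). */` and moving the label directly above the avc_has_perm() call. The braces added around the do_each_thread/while_each_thread body (L564, L575) are the right shape for that macro pair. selinux_setprocattr() starts and ends outside the hunk.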
@@ -5207,7 +5261,7 @@ static int selinux_setprocattr(struct task_struct *p,
                   Otherwise, leave SID unchanged and fail. */
                task_lock(p);
                rcu_read_lock();
-               tracer = task_tracer_task(p);
+               tracer = tracehook_tracer_task(p);
                if (tracer != NULL) {
                        struct task_security_struct *ptsec = tracer->security;
                        u32 ptsid = ptsec->sid;
@@ -5319,7 +5373,8 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
 static struct security_operations selinux_ops = {
        .name =                         "selinux",
 
-       .ptrace =                       selinux_ptrace,
+       .ptrace_may_access =            selinux_ptrace_may_access,
+       .ptrace_traceme =               selinux_ptrace_traceme,
        .capget =                       selinux_capget,
        .capset_check =                 selinux_capset_check,
        .capset_set =                   selinux_capset_set,
@@ -5345,10 +5400,10 @@ static struct security_operations selinux_ops = {
        .sb_free_security =             selinux_sb_free_security,
        .sb_copy_data =                 selinux_sb_copy_data,
        .sb_kern_mount =                selinux_sb_kern_mount,
+       .sb_show_options =              selinux_sb_show_options,
        .sb_statfs =                    selinux_sb_statfs,
        .sb_mount =                     selinux_mount,
        .sb_umount =                    selinux_umount,
-       .sb_get_mnt_opts =              selinux_get_mnt_opts,
        .sb_set_mnt_opts =              selinux_set_mnt_opts,
        .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
        .sb_parse_opts_str =            selinux_parse_opts_str,
@@ -5380,7 +5435,7 @@ static struct security_operations selinux_ops = {
        .inode_listsecurity =           selinux_inode_listsecurity,
        .inode_need_killpriv =          selinux_inode_need_killpriv,
        .inode_killpriv =               selinux_inode_killpriv,
-       .inode_getsecid =               selinux_inode_getsecid,
+       .inode_getsecid =               selinux_inode_getsecid,
 
        .file_permission =              selinux_file_permission,
        .file_alloc_security =          selinux_file_alloc_security,
@@ -5421,7 +5476,7 @@ static struct security_operations selinux_ops = {
        .task_to_inode =                selinux_task_to_inode,
 
        .ipc_permission =               selinux_ipc_permission,
-       .ipc_getsecid =                 selinux_ipc_getsecid,
+       .ipc_getsecid =                 selinux_ipc_getsecid,
 
        .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
        .msg_msg_free_security =        selinux_msg_msg_free_security,
@@ -5445,8 +5500,6 @@ static struct security_operations selinux_ops = {
        .sem_semctl =                   selinux_sem_semctl,
        .sem_semop =                    selinux_sem_semop,
 
-       .register_security =            selinux_register_security,
-
        .d_instantiate =                selinux_d_instantiate,
 
        .getprocattr =                  selinux_getprocattr,
@@ -5540,7 +5593,7 @@ static __init int selinux_init(void)
                                            0, SLAB_PANIC, NULL);
        avc_init();
 
-       original_ops = secondary_ops = security_ops;
+       secondary_ops = security_ops;
        if (!secondary_ops)
                panic("SELinux: No initial security operations\n");
        if (register_security(&selinux_ops))
@@ -5632,27 +5685,20 @@ static struct nf_hook_ops selinux_ipv6_ops[] = {
 static int __init selinux_nf_ip_init(void)
 {
        int err = 0;
-       u32 iter;
 
        if (!selinux_enabled)
                goto out;
 
        printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
 
-       for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
-               err = nf_register_hook(&selinux_ipv4_ops[iter]);
-               if (err)
-                       panic("SELinux: nf_register_hook for IPv4: error %d\n",
-                             err);
-       }
+       err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
+       if (err)
+               panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
 
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-       for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
-               err = nf_register_hook(&selinux_ipv6_ops[iter]);
-               if (err)
-                       panic("SELinux: nf_register_hook for IPv6: error %d\n",
-                             err);
-       }
+       err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
+       if (err)
+               panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
 #endif /* IPV6 */
 
 out:
@@ -5664,15 +5710,11 @@ __initcall(selinux_nf_ip_init);
 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
 static void selinux_nf_ip_exit(void)
 {
-       u32 iter;
-
        printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
 
-       for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
-               nf_unregister_hook(&selinux_ipv4_ops[iter]);
+       nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-       for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
-               nf_unregister_hook(&selinux_ipv6_ops[iter]);
+       nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
 #endif /* IPV6 */
 }
 #endif