* This file contains the SELinux hook function implementations.
*
* Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
- * Chris Vance, <cvance@nai.com>
- * Wayne Salamon, <wsalamon@nai.com>
- * James Morris <jmorris@redhat.com>
+ * Chris Vance, <cvance@nai.com>
+ * Wayne Salamon, <wsalamon@nai.com>
+ * James Morris <jmorris@redhat.com>
*
* Copyright (C) 2001,2002 Networks Associates Technology, Inc.
- * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ * Eric Paris <eparis@redhat.com>
* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
- * <dgoeddel@trustedcs.com>
- * Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
- * Paul Moore, <paul.moore@hp.com>
+ * <dgoeddel@trustedcs.com>
+ * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
+ * Paul Moore <paul.moore@hp.com>
* Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
- * Yuichi Nakamura <ynakam@hitachisoft.jp>
+ * Yuichi Nakamura <ynakam@hitachisoft.jp>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2,
- * as published by the Free Software Foundation.
+ * as published by the Free Software Foundation.
*/
#include <linux/init.h>
#include <linux/kernel.h>
-#include <linux/ptrace.h>
+#include <linux/tracehook.h>
#include <linux/errno.h>
#include <linux/sched.h>
#include <linux/security.h>
#include <linux/spinlock.h>
#include <linux/syscalls.h>
#include <linux/file.h>
+#include <linux/fdtable.h>
#include <linux/namei.h>
#include <linux/mount.h>
-#include <linux/ext2_fs.h>
#include <linux/proc_fs.h>
-#include <linux/kd.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
#include <linux/tty.h>
#include <net/icmp.h>
#include <net/ip.h> /* for local_port_range[] */
#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
-#include <asm/uaccess.h>
+#include <net/net_namespace.h>
+#include <net/netlabel.h>
+#include <linux/uaccess.h>
#include <asm/ioctls.h>
+#include <asm/atomic.h>
#include <linux/bitops.h>
#include <linux/interrupt.h>
#include <linux/netdevice.h> /* for network interface checks */
#include <linux/string.h>
#include <linux/selinux.h>
#include <linux/mutex.h>
+#include <linux/posix-timers.h>
#include "avc.h"
#include "objsec.h"
#include "netif.h"
+#include "netnode.h"
+#include "netport.h"
#include "xfrm.h"
#include "netlabel.h"
+#include "audit.h"
#define XATTR_SELINUX_SUFFIX "selinux"
#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
extern int selinux_compat_net;
extern struct security_operations *security_ops;
+/* SECMARK reference count */
+atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
+
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
-int selinux_enforcing = 0;
+int selinux_enforcing;
static int __init enforcing_setup(char *str)
{
- selinux_enforcing = simple_strtol(str,NULL,0);
+ unsigned long enforcing;
+ if (!strict_strtoul(str, 0, &enforcing))
+ selinux_enforcing = enforcing ? 1 : 0;
return 1;
}
__setup("enforcing=", enforcing_setup);
static int __init selinux_enabled_setup(char *str)
{
- selinux_enabled = simple_strtol(str, NULL, 0);
+ unsigned long enabled;
+ if (!strict_strtoul(str, 0, &enabled))
+ selinux_enabled = enabled ? 1 : 0;
return 1;
}
__setup("selinux=", selinux_enabled_setup);
int selinux_enabled = 1;
#endif
-/* Original (dummy) security module. */
-static struct security_operations *original_ops = NULL;
-/* Minimal support for a secondary security module,
- just to allow the use of the dummy or capability modules.
- The owlsm module can alternatively be used as a secondary
- module as long as CONFIG_OWLSM_FD is not enabled. */
-static struct security_operations *secondary_ops = NULL;
+/*
+ * Minimal support for a secondary security module,
+ * just to allow the use of the capability module.
+ */
+static struct security_operations *secondary_ops;
/* Lists of inode and superblock security structures initialized
before the policy was loaded. */
static struct kmem_cache *sel_inode_cache;
-/* Return security context for a given sid or just the context
- length if the buffer is null or length is 0 */
-static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
+/**
+ * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
+ *
+ * Description:
+ * This function checks the SECMARK reference counter to see if any SECMARK
+ * targets are currently configured, if the reference counter is greater than
+ * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
+ * enabled, false (0) if SECMARK is disabled.
+ *
+ */
+static int selinux_secmark_enabled(void)
{
- char *context;
- unsigned len;
- int rc;
-
- rc = security_sid_to_context(sid, &context, &len);
- if (rc)
- return rc;
-
- if (!buffer || !size)
- goto getsecurity_exit;
-
- if (size < len) {
- len = -ERANGE;
- goto getsecurity_exit;
- }
- memcpy(buffer, context, len);
-
-getsecurity_exit:
- kfree(context);
- return len;
+ return (atomic_read(&selinux_secmark_refcount) > 0);
}
/* Allocate and free functions for each kind of security blob. */
if (!tsec)
return -ENOMEM;
- tsec->task = task;
- tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
+ tsec->osid = tsec->sid = SECINITSID_UNLABELED;
task->security = tsec;
return 0;
struct task_security_struct *tsec = current->security;
struct inode_security_struct *isec;
- isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
+ isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
if (!isec)
return -ENOMEM;
if (!fsec)
return -ENOMEM;
- fsec->file = file;
fsec->sid = tsec->sid;
fsec->fown_sid = tsec->sid;
file->f_security = fsec;
if (!ssec)
return -ENOMEM;
- ssec->sk = sk;
ssec->peer_sid = SECINITSID_UNLABELED;
ssec->sid = SECINITSID_UNLABELED;
sk->sk_security = ssec;
- selinux_netlbl_sk_security_init(ssec, family);
+ selinux_netlbl_sk_security_reset(ssec, family);
return 0;
}
struct sk_security_struct *ssec = sk->sk_security;
sk->sk_security = NULL;
+ selinux_netlbl_sk_security_free(ssec);
kfree(ssec);
}
Opt_rootcontext = 4,
};
-static match_table_t tokens = {
- {Opt_context, "context=%s"},
- {Opt_fscontext, "fscontext=%s"},
- {Opt_defcontext, "defcontext=%s"},
- {Opt_rootcontext, "rootcontext=%s"},
+static const match_table_t tokens = {
+ {Opt_context, CONTEXT_STR "%s"},
+ {Opt_fscontext, FSCONTEXT_STR "%s"},
+ {Opt_defcontext, DEFCONTEXT_STR "%s"},
+ {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
{Opt_error, NULL},
};
* mount options, or whatever.
*/
static int selinux_get_mnt_opts(const struct super_block *sb,
- char ***mount_options, int **mnt_opts_flags,
- int *num_opts)
+ struct security_mnt_opts *opts)
{
int rc = 0, i;
struct superblock_security_struct *sbsec = sb->s_security;
u32 len;
char tmp;
- *num_opts = 0;
- *mount_options = NULL;
- *mnt_opts_flags = NULL;
+ security_init_mnt_opts(opts);
if (!sbsec->initialized)
return -EINVAL;
/* count the number of mount options for this sb */
for (i = 0; i < 8; i++) {
if (tmp & 0x01)
- (*num_opts)++;
+ opts->num_mnt_opts++;
tmp >>= 1;
}
- *mount_options = kcalloc(*num_opts, sizeof(char *), GFP_ATOMIC);
- if (!*mount_options) {
+ opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
+ if (!opts->mnt_opts) {
rc = -ENOMEM;
goto out_free;
}
- *mnt_opts_flags = kcalloc(*num_opts, sizeof(int), GFP_ATOMIC);
- if (!*mnt_opts_flags) {
+ opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
+ if (!opts->mnt_opts_flags) {
rc = -ENOMEM;
goto out_free;
}
rc = security_sid_to_context(sbsec->sid, &context, &len);
if (rc)
goto out_free;
- (*mount_options)[i] = context;
- (*mnt_opts_flags)[i++] = FSCONTEXT_MNT;
+ opts->mnt_opts[i] = context;
+ opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
}
if (sbsec->flags & CONTEXT_MNT) {
rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
if (rc)
goto out_free;
- (*mount_options)[i] = context;
- (*mnt_opts_flags)[i++] = CONTEXT_MNT;
+ opts->mnt_opts[i] = context;
+ opts->mnt_opts_flags[i++] = CONTEXT_MNT;
}
if (sbsec->flags & DEFCONTEXT_MNT) {
rc = security_sid_to_context(sbsec->def_sid, &context, &len);
if (rc)
goto out_free;
- (*mount_options)[i] = context;
- (*mnt_opts_flags)[i++] = DEFCONTEXT_MNT;
+ opts->mnt_opts[i] = context;
+ opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
}
if (sbsec->flags & ROOTCONTEXT_MNT) {
struct inode *root = sbsec->sb->s_root->d_inode;
rc = security_sid_to_context(isec->sid, &context, &len);
if (rc)
goto out_free;
- (*mount_options)[i] = context;
- (*mnt_opts_flags)[i++] = ROOTCONTEXT_MNT;
+ opts->mnt_opts[i] = context;
+ opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
}
- BUG_ON(i != *num_opts);
+ BUG_ON(i != opts->num_mnt_opts);
return 0;
out_free:
- /* don't leak context string if security_sid_to_context had an error */
- if (*mount_options && i)
- for (; i > 0; i--)
- kfree((*mount_options)[i-1]);
- kfree(*mount_options);
- *mount_options = NULL;
- kfree(*mnt_opts_flags);
- *mnt_opts_flags = NULL;
- *num_opts = 0;
+ security_free_mnt_opts(opts);
return rc;
}
return 1;
return 0;
}
+
/*
* Allow filesystems with binary mount data to explicitly set mount point
* labeling information.
*/
-int selinux_set_mnt_opts(struct super_block *sb, char **mount_options,
- int *flags, int num_opts)
+static int selinux_set_mnt_opts(struct super_block *sb,
+ struct security_mnt_opts *opts)
{
int rc = 0, i;
struct task_security_struct *tsec = current->security;
struct inode_security_struct *root_isec = inode->i_security;
u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
u32 defcontext_sid = 0;
+ char **mount_options = opts->mnt_opts;
+ int *flags = opts->mnt_opts_flags;
+ int num_opts = opts->num_mnt_opts;
mutex_lock(&sbsec->lock);
goto out;
}
rc = -EINVAL;
- printk(KERN_WARNING "Unable to set superblock options before "
- "the security server is initialized\n");
+ printk(KERN_WARNING "SELinux: Unable to set superblock options "
+ "before the security server is initialized\n");
goto out;
}
/*
+ * Binary mount data FS will come through this function twice. Once
+ * from an explicit call and once from the generic calls from the vfs.
+ * Since the generic VFS calls will not contain any security mount data
+ * we need to skip the double mount verification.
+ *
+ * This does open a hole in which we will not notice if the first
+ * mount using this sb set explict options and a second mount using
+ * this sb does not set any security options. (The first options
+ * will be used for both mounts)
+ */
+ if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
+ && (num_opts == 0))
+ goto out;
+
+ /*
* parse the mount options, check if they are valid sids.
* also check if someone is trying to mount the same sb more
* than once with different security options.
rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
if (rc) {
printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
- __FUNCTION__, sb->s_type->name, rc);
+ __func__, sb->s_type->name, rc);
goto out;
}
int set_context = (oldsbsec->flags & CONTEXT_MNT);
int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
- /* we can't error, we can't save the info, this shouldn't get called
- * this early in the boot process. */
- BUG_ON(!ss_initialized);
-
- /* this might go away sometime down the line if there is a new user
- * of clone, but for now, nfs better not get here... */
- BUG_ON(newsbsec->initialized);
+ /*
+ * if the parent was able to be mounted it clearly had no special lsm
+ * mount options. thus we can safely put this sb on the list and deal
+ * with it later
+ */
+ if (!ss_initialized) {
+ spin_lock(&sb_security_lock);
+ if (list_empty(&newsbsec->list))
+ list_add(&newsbsec->list, &superblock_security_head);
+ spin_unlock(&sb_security_lock);
+ return;
+ }
/* how can we clone if the old one wasn't set up?? */
BUG_ON(!oldsbsec->initialized);
+ /* if fs is reusing a sb, just let its options stand... */
+ if (newsbsec->initialized)
+ return;
+
mutex_lock(&newsbsec->lock);
newsbsec->flags = oldsbsec->flags;
mutex_unlock(&newsbsec->lock);
}
-/*
- * string mount options parsing and call set the sbsec
- */
-static int superblock_doinit(struct super_block *sb, void *data)
+static int selinux_parse_opts_str(char *options,
+ struct security_mnt_opts *opts)
{
+ char *p;
char *context = NULL, *defcontext = NULL;
char *fscontext = NULL, *rootcontext = NULL;
- int rc = 0;
- char *p, *options = data;
- /* selinux only know about a fixed number of mount options */
- char *mnt_opts[NUM_SEL_MNT_OPTS];
- int mnt_opts_flags[NUM_SEL_MNT_OPTS], num_mnt_opts = 0;
-
- if (!data)
- goto out;
-
- /* with the nfs patch this will become a goto out; */
- if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
- const char *name = sb->s_type->name;
- /* NFS we understand. */
- if (!strcmp(name, "nfs")) {
- struct nfs_mount_data *d = data;
-
- if (d->version != NFS_MOUNT_VERSION)
- goto out;
+ int rc, num_mnt_opts = 0;
- if (d->context[0]) {
- context = kstrdup(d->context, GFP_KERNEL);
- if (!context) {
- rc = -ENOMEM;
- goto out;
- }
- }
- goto build_flags;
- } else
- goto out;
- }
+ opts->num_mnt_opts = 0;
/* Standard string-based options. */
while ((p = strsep(&options, "|")) != NULL) {
}
}
-build_flags:
+ rc = -ENOMEM;
+ opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
+ if (!opts->mnt_opts)
+ goto out_err;
+
+ opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
+ if (!opts->mnt_opts_flags) {
+ kfree(opts->mnt_opts);
+ goto out_err;
+ }
+
if (fscontext) {
- mnt_opts[num_mnt_opts] = fscontext;
- mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
+ opts->mnt_opts[num_mnt_opts] = fscontext;
+ opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
}
if (context) {
- mnt_opts[num_mnt_opts] = context;
- mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
+ opts->mnt_opts[num_mnt_opts] = context;
+ opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
}
if (rootcontext) {
- mnt_opts[num_mnt_opts] = rootcontext;
- mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
+ opts->mnt_opts[num_mnt_opts] = rootcontext;
+ opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
}
if (defcontext) {
- mnt_opts[num_mnt_opts] = defcontext;
- mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
+ opts->mnt_opts[num_mnt_opts] = defcontext;
+ opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
}
-out:
- rc = selinux_set_mnt_opts(sb, mnt_opts, mnt_opts_flags, num_mnt_opts);
+ opts->num_mnt_opts = num_mnt_opts;
+ return 0;
+
out_err:
kfree(context);
kfree(defcontext);
kfree(rootcontext);
return rc;
}
+/*
+ * string mount options parsing and call set the sbsec
+ */
+static int superblock_doinit(struct super_block *sb, void *data)
+{
+ int rc = 0;
+ char *options = data;
+ struct security_mnt_opts opts;
+
+ security_init_mnt_opts(&opts);
+
+ if (!data)
+ goto out;
+
+ BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
+
+ rc = selinux_parse_opts_str(options, &opts);
+ if (rc)
+ goto out_err;
+
+out:
+ rc = selinux_set_mnt_opts(sb, &opts);
+
+out_err:
+ security_free_mnt_opts(&opts);
+ return rc;
+}
+
+static void selinux_write_opts(struct seq_file *m,
+ struct security_mnt_opts *opts)
+{
+ int i;
+ char *prefix;
+
+ for (i = 0; i < opts->num_mnt_opts; i++) {
+ char *has_comma = strchr(opts->mnt_opts[i], ',');
+
+ switch (opts->mnt_opts_flags[i]) {
+ case CONTEXT_MNT:
+ prefix = CONTEXT_STR;
+ break;
+ case FSCONTEXT_MNT:
+ prefix = FSCONTEXT_STR;
+ break;
+ case ROOTCONTEXT_MNT:
+ prefix = ROOTCONTEXT_STR;
+ break;
+ case DEFCONTEXT_MNT:
+ prefix = DEFCONTEXT_STR;
+ break;
+ default:
+ BUG();
+ };
+ /* we need a comma before each option */
+ seq_putc(m, ',');
+ seq_puts(m, prefix);
+ if (has_comma)
+ seq_putc(m, '\"');
+ seq_puts(m, opts->mnt_opts[i]);
+ if (has_comma)
+ seq_putc(m, '\"');
+ }
+}
+
+static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
+{
+ struct security_mnt_opts opts;
+ int rc;
+
+ rc = selinux_get_mnt_opts(sb, &opts);
+ if (rc) {
+ /* before policy load we may get EINVAL, don't show anything */
+ if (rc == -EINVAL)
+ rc = 0;
+ return rc;
+ }
+
+ selinux_write_opts(m, &opts);
+
+ security_free_mnt_opts(&opts);
+
+ return rc;
+}
static inline u16 inode_mode_to_security_class(umode_t mode)
{
int buflen, rc;
char *buffer, *path, *end;
- buffer = (char*)__get_free_page(GFP_KERNEL);
+ buffer = (char *)__get_free_page(GFP_KERNEL);
if (!buffer)
return -ENOMEM;
dentry = d_find_alias(inode);
}
if (!dentry) {
- printk(KERN_WARNING "%s: no dentry for dev=%s "
- "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
+ printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
+ "ino=%ld\n", __func__, inode->i_sb->s_id,
inode->i_ino);
goto out_unlock;
}
len = INITCONTEXTLEN;
- context = kmalloc(len, GFP_KERNEL);
+ context = kmalloc(len, GFP_NOFS);
if (!context) {
rc = -ENOMEM;
dput(dentry);
}
kfree(context);
len = rc;
- context = kmalloc(len, GFP_KERNEL);
+ context = kmalloc(len, GFP_NOFS);
if (!context) {
rc = -ENOMEM;
dput(dentry);
dput(dentry);
if (rc < 0) {
if (rc != -ENODATA) {
- printk(KERN_WARNING "%s: getxattr returned "
- "%d for dev=%s ino=%ld\n", __FUNCTION__,
+ printk(KERN_WARNING "SELinux: %s: getxattr returned "
+ "%d for dev=%s ino=%ld\n", __func__,
-rc, inode->i_sb->s_id, inode->i_ino);
kfree(context);
goto out_unlock;
rc = 0;
} else {
rc = security_context_to_sid_default(context, rc, &sid,
- sbsec->def_sid);
+ sbsec->def_sid,
+ GFP_NOFS);
if (rc) {
- printk(KERN_WARNING "%s: context_to_sid(%s) "
+ printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
"returned %d for dev=%s ino=%ld\n",
- __FUNCTION__, context, -rc,
+ __func__, context, -rc,
inode->i_sb->s_id, inode->i_ino);
kfree(context);
/* Leave with the unlabeled SID */
/* Default to the fs superblock SID. */
isec->sid = sbsec->sid;
- if (sbsec->proc) {
+ if (sbsec->proc && !S_ISLNK(inode->i_mode)) {
struct proc_inode *proci = PROC_I(inode);
if (proci->pde) {
isec->sclass = inode_mode_to_security_class(inode->i_mode);
SECCLASS_PROCESS, perms, NULL);
}
+#if CAP_LAST_CAP > 63
+#error Fix SELinux to handle capabilities > 63.
+#endif
+
/* Check whether a task is allowed to use a capability. */
static int task_has_capability(struct task_struct *tsk,
int cap)
{
struct task_security_struct *tsec;
struct avc_audit_data ad;
+ u16 sclass;
+ u32 av = CAP_TO_MASK(cap);
tsec = tsk->security;
- AVC_AUDIT_DATA_INIT(&ad,CAP);
+ AVC_AUDIT_DATA_INIT(&ad, CAP);
ad.tsk = tsk;
ad.u.cap = cap;
- return avc_has_perm(tsec->sid, tsec->sid,
- SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
+ switch (CAP_TO_INDEX(cap)) {
+ case 0:
+ sclass = SECCLASS_CAPABILITY;
+ break;
+ case 1:
+ sclass = SECCLASS_CAPABILITY2;
+ break;
+ default:
+ printk(KERN_ERR
+ "SELinux: out of range capability %d\n", cap);
+ BUG();
+ }
+ return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
}
/* Check whether a task is allowed to use a system operation. */
struct inode_security_struct *isec;
struct avc_audit_data ad;
- if (unlikely (IS_PRIVATE (inode)))
+ if (unlikely(IS_PRIVATE(inode)))
return 0;
tsec = tsk->security;
{
struct inode *inode = dentry->d_inode;
struct avc_audit_data ad;
- AVC_AUDIT_DATA_INIT(&ad,FS);
- ad.u.fs.mnt = mnt;
- ad.u.fs.dentry = dentry;
+ AVC_AUDIT_DATA_INIT(&ad, FS);
+ ad.u.fs.path.mnt = mnt;
+ ad.u.fs.path.dentry = dentry;
return inode_has_perm(tsk, inode, av, &ad);
}
{
struct task_security_struct *tsec = tsk->security;
struct file_security_struct *fsec = file->f_security;
- struct vfsmount *mnt = file->f_path.mnt;
- struct dentry *dentry = file->f_path.dentry;
- struct inode *inode = dentry->d_inode;
+ struct inode *inode = file->f_path.dentry->d_inode;
struct avc_audit_data ad;
int rc;
AVC_AUDIT_DATA_INIT(&ad, FS);
- ad.u.fs.mnt = mnt;
- ad.u.fs.dentry = dentry;
+ ad.u.fs.path = file->f_path;
if (tsec->sid != fsec->sid) {
rc = avc_has_perm(tsec->sid, fsec->sid,
sbsec = dir->i_sb->s_security;
AVC_AUDIT_DATA_INIT(&ad, FS);
- ad.u.fs.dentry = dentry;
+ ad.u.fs.path.dentry = dentry;
rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
DIR__ADD_NAME | DIR__SEARCH,
return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
}
-#define MAY_LINK 0
-#define MAY_UNLINK 1
-#define MAY_RMDIR 2
+#define MAY_LINK 0
+#define MAY_UNLINK 1
+#define MAY_RMDIR 2
/* Check whether a task can link, unlink, or rmdir a file/directory. */
static int may_link(struct inode *dir,
isec = dentry->d_inode->i_security;
AVC_AUDIT_DATA_INIT(&ad, FS);
- ad.u.fs.dentry = dentry;
+ ad.u.fs.path.dentry = dentry;
av = DIR__SEARCH;
av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
av = DIR__RMDIR;
break;
default:
- printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
+ printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
+ __func__, kind);
return 0;
}
AVC_AUDIT_DATA_INIT(&ad, FS);
- ad.u.fs.dentry = old_dentry;
+ ad.u.fs.path.dentry = old_dentry;
rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
DIR__REMOVE_NAME | DIR__SEARCH, &ad);
if (rc)
return rc;
}
- ad.u.fs.dentry = new_dentry;
+ ad.u.fs.path.dentry = new_dentry;
av = DIR__ADD_NAME | DIR__SEARCH;
if (new_dentry->d_inode)
av |= DIR__REMOVE_NAME;
return av;
}
+/*
+ * Convert a file mask to an access vector and include the correct open
+ * open permission.
+ */
+static inline u32 open_file_mask_to_av(int mode, int mask)
+{
+ u32 av = file_mask_to_av(mode, mask);
+
+ if (selinux_policycap_openperm) {
+ /*
+ * lnk files and socks do not really have an 'open'
+ */
+ if (S_ISREG(mode))
+ av |= FILE__OPEN;
+ else if (S_ISCHR(mode))
+ av |= CHR_FILE__OPEN;
+ else if (S_ISBLK(mode))
+ av |= BLK_FILE__OPEN;
+ else if (S_ISFIFO(mode))
+ av |= FIFO_FILE__OPEN;
+ else if (S_ISDIR(mode))
+ av |= DIR__OPEN;
+ else
+ printk(KERN_ERR "SELinux: WARNING: inside %s with "
+ "unknown mode:%x\n", __func__, mode);
+ }
+ return av;
+}
+
/* Convert a Linux file to an access vector. */
static inline u32 file_to_av(struct file *file)
{
else
av |= FILE__WRITE;
}
+ if (!av) {
+ /*
+ * Special file opened with flags 3 for ioctl-only use.
+ */
+ av = FILE__IOCTL;
+ }
return av;
}
/* Hook functions begin here. */
-static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
+static int selinux_ptrace_may_access(struct task_struct *child,
+ unsigned int mode)
{
- struct task_security_struct *psec = parent->security;
- struct task_security_struct *csec = child->security;
int rc;
- rc = secondary_ops->ptrace(parent,child);
+ rc = secondary_ops->ptrace_may_access(child, mode);
if (rc)
return rc;
- rc = task_has_perm(parent, child, PROCESS__PTRACE);
- /* Save the SID of the tracing process for later use in apply_creds. */
- if (!(child->ptrace & PT_PTRACED) && !rc)
- csec->ptrace_sid = psec->sid;
- return rc;
+ if (mode == PTRACE_MODE_READ) {
+ struct task_security_struct *tsec = current->security;
+ struct task_security_struct *csec = child->security;
+ return avc_has_perm(tsec->sid, csec->sid,
+ SECCLASS_FILE, FILE__READ, NULL);
+ }
+
+ return task_has_perm(current, child, PROCESS__PTRACE);
+}
+
+static int selinux_ptrace_traceme(struct task_struct *parent)
+{
+ int rc;
+
+ rc = secondary_ops->ptrace_traceme(parent);
+ if (rc)
+ return rc;
+
+ return task_has_perm(parent, current, PROCESS__PTRACE);
}
static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
- kernel_cap_t *inheritable, kernel_cap_t *permitted)
+ kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
int error;
}
static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
- kernel_cap_t *inheritable, kernel_cap_t *permitted)
+ kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
int error;
}
static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
- kernel_cap_t *inheritable, kernel_cap_t *permitted)
+ kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
secondary_ops->capset_set(target, effective, inheritable, permitted);
}
if (rc)
return rc;
- return task_has_capability(tsk,cap);
+ return task_has_capability(tsk, cap);
}
static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
char *buffer, *path, *end;
rc = -ENOMEM;
- buffer = (char*)__get_free_page(GFP_KERNEL);
+ buffer = (char *)__get_free_page(GFP_KERNEL);
if (!buffer)
goto out;
/* The op values are "defined" in sysctl.c, thereby creating
* a bad coupling between this module and sysctl.c */
- if(op == 001) {
+ if (op == 001) {
error = avc_has_perm(tsec->sid, tsid,
SECCLASS_DIR, DIR__SEARCH, NULL);
} else {
if (av)
error = avc_has_perm(tsec->sid, tsid,
SECCLASS_FILE, av, NULL);
- }
+ }
return error;
}
return 0;
switch (cmds) {
- case Q_SYNC:
- case Q_QUOTAON:
- case Q_QUOTAOFF:
- case Q_SETINFO:
- case Q_SETQUOTA:
- rc = superblock_has_perm(current,
- sb,
- FILESYSTEM__QUOTAMOD, NULL);
- break;
- case Q_GETFMT:
- case Q_GETINFO:
- case Q_GETQUOTA:
- rc = superblock_has_perm(current,
- sb,
- FILESYSTEM__QUOTAGET, NULL);
- break;
- default:
- rc = 0; /* let the kernel handle invalid cmds */
- break;
+ case Q_SYNC:
+ case Q_QUOTAON:
+ case Q_QUOTAOFF:
+ case Q_SETINFO:
+ case Q_SETQUOTA:
+ rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
+ NULL);
+ break;
+ case Q_GETFMT:
+ case Q_GETINFO:
+ case Q_GETQUOTA:
+ rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
+ NULL);
+ break;
+ default:
+ rc = 0; /* let the kernel handle invalid cmds */
+ break;
}
return rc;
}
return rc;
switch (type) {
- case 3: /* Read last kernel messages */
- case 10: /* Return size of the log buffer */
- rc = task_has_system(current, SYSTEM__SYSLOG_READ);
- break;
- case 6: /* Disable logging to console */
- case 7: /* Enable logging to console */
- case 8: /* Set level of messages printed to console */
- rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
- break;
- case 0: /* Close log */
- case 1: /* Open log */
- case 2: /* Read from log */
- case 4: /* Read/clear last kernel messages */
- case 5: /* Clear ring buffer */
- default:
- rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
- break;
+ case 3: /* Read last kernel messages */
+ case 10: /* Return size of the log buffer */
+ rc = task_has_system(current, SYSTEM__SYSLOG_READ);
+ break;
+ case 6: /* Disable logging to console */
+ case 7: /* Enable logging to console */
+ case 8: /* Set level of messages printed to console */
+ rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
+ break;
+ case 0: /* Close log */
+ case 1: /* Open log */
+ case 2: /* Read from log */
+ case 4: /* Read/clear last kernel messages */
+ case 5: /* Clear ring buffer */
+ default:
+ rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
+ break;
}
return rc;
}
if (!bsec)
return -ENOMEM;
- bsec->bprm = bprm;
bsec->sid = SECINITSID_UNLABELED;
bsec->set = 0;
} else {
/* Check for a default transition on this program. */
rc = security_transition_sid(tsec->sid, isec->sid,
- SECCLASS_PROCESS, &newsid);
+ SECCLASS_PROCESS, &newsid);
if (rc)
return rc;
}
AVC_AUDIT_DATA_INIT(&ad, FS);
- ad.u.fs.mnt = bprm->file->f_path.mnt;
- ad.u.fs.dentry = bprm->file->f_path.dentry;
+ ad.u.fs.path = bprm->file->f_path;
if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
newsid = tsec->sid;
- if (tsec->sid == newsid) {
+ if (tsec->sid == newsid) {
rc = avc_has_perm(tsec->sid, isec->sid,
SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
if (rc)
return 0;
}
-static int selinux_bprm_check_security (struct linux_binprm *bprm)
+static int selinux_bprm_check_security(struct linux_binprm *bprm)
{
return secondary_ops->bprm_check_security(bprm);
}
-static int selinux_bprm_secureexec (struct linux_binprm *bprm)
+static int selinux_bprm_secureexec(struct linux_binprm *bprm)
{
struct task_security_struct *tsec = current->security;
int atsecure = 0;
extern struct dentry *selinux_null;
/* Derived from fs/exec.c:flush_old_files. */
-static inline void flush_unauthorized_files(struct files_struct * files)
+static inline void flush_unauthorized_files(struct files_struct *files)
{
struct avc_audit_data ad;
struct file *file, *devnull = NULL;
long j = -1;
int drop_tty = 0;
- mutex_lock(&tty_mutex);
tty = get_current_tty();
if (tty) {
file_list_lock();
- file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
- if (file) {
+ if (!list_empty(&tty->tty_files)) {
+ struct inode *inode;
+
/* Revalidate access to controlling tty.
Use inode_has_perm on the tty inode directly rather
than using file_has_perm, as this particular open
file may belong to another process and we are only
interested in the inode-based check here. */
- struct inode *inode = file->f_path.dentry->d_inode;
+ file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
+ inode = file->f_path.dentry->d_inode;
if (inode_has_perm(current, inode,
FILE__READ | FILE__WRITE, NULL)) {
drop_tty = 1;
}
}
file_list_unlock();
+ tty_kref_put(tty);
}
- mutex_unlock(&tty_mutex);
/* Reset controlling tty. */
if (drop_tty)
no_tty();
/* Revalidate access to inherited open files. */
- AVC_AUDIT_DATA_INIT(&ad,FS);
+ AVC_AUDIT_DATA_INIT(&ad, FS);
spin_lock(&files->file_lock);
for (;;) {
if (!set)
continue;
spin_unlock(&files->file_lock);
- for ( ; set ; i++,set >>= 1) {
+ for ( ; set ; i++, set >>= 1) {
if (set & 1) {
file = fget(i);
if (!file)
/* Check for ptracing, and update the task SID if ok.
Otherwise, leave SID unchanged and kill. */
if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
- rc = avc_has_perm(tsec->ptrace_sid, sid,
- SECCLASS_PROCESS, PROCESS__PTRACE,
- NULL);
- if (rc) {
- bsec->unsafe = 1;
- return;
+ struct task_struct *tracer;
+ struct task_security_struct *sec;
+ u32 ptsid = 0;
+
+ rcu_read_lock();
+ tracer = tracehook_tracer_task(current);
+ if (likely(tracer != NULL)) {
+ sec = tracer->security;
+ ptsid = sec->sid;
+ }
+ rcu_read_unlock();
+
+ if (ptsid != 0) {
+ rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
+ PROCESS__PTRACE, NULL);
+ if (rc) {
+ bsec->unsafe = 1;
+ return;
+ }
}
}
tsec->sid = sid;
for (i = 0; i < RLIM_NLIMITS; i++) {
rlim = current->signal->rlim + i;
initrlim = init_task.signal->rlim+i;
- rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
- }
- if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
- /*
- * This will cause RLIMIT_CPU calculations
- * to be refigured.
- */
- current->it_prof_expires = jiffies_to_cputime(1);
+ rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
}
+ update_rlimit_cpu(rlim->rlim_cur);
}
/* Wake up the parent if it is waiting so that it can
static inline int selinux_option(char *option, int len)
{
- return (match_prefix("context=", sizeof("context=")-1, option, len) ||
- match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
- match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
- match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
+ return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
+ match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
+ match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
+ match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
}
static inline void take_option(char **to, char *from, int *first, int len)
*to += len;
}
-static inline void take_selinux_option(char **to, char *from, int *first,
- int len)
+static inline void take_selinux_option(char **to, char *from, int *first,
+ int len)
{
int current_size = 0;
if (!*first) {
**to = '|';
*to += 1;
- }
- else
+ } else
*first = 0;
while (current_size < len) {
}
}
-static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
+static int selinux_sb_copy_data(char *orig, char *copy)
{
int fnosec, fsec, rc = 0;
char *in_save, *in_curr, *in_end;
in_curr = orig;
sec_curr = copy;
- /* Binary mount data: just copy */
- if (type->fs_flags & FS_BINARY_MOUNTDATA) {
- copy_page(sec_curr, in_curr);
- goto out;
- }
-
nosec = (char *)get_zeroed_page(GFP_KERNEL);
if (!nosec) {
rc = -ENOMEM;
if (rc)
return rc;
- AVC_AUDIT_DATA_INIT(&ad,FS);
- ad.u.fs.dentry = sb->s_root;
+ AVC_AUDIT_DATA_INIT(&ad, FS);
+ ad.u.fs.path.dentry = sb->s_root;
return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
}
{
struct avc_audit_data ad;
- AVC_AUDIT_DATA_INIT(&ad,FS);
- ad.u.fs.dentry = dentry->d_sb->s_root;
+ AVC_AUDIT_DATA_INIT(&ad, FS);
+ ad.u.fs.path.dentry = dentry->d_sb->s_root;
return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
}
-static int selinux_mount(char * dev_name,
- struct nameidata *nd,
- char * type,
- unsigned long flags,
- void * data)
+static int selinux_mount(char *dev_name,
+ struct path *path,
+ char *type,
+ unsigned long flags,
+ void *data)
{
int rc;
- rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
+ rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
if (rc)
return rc;
if (flags & MS_REMOUNT)
- return superblock_has_perm(current, nd->mnt->mnt_sb,
- FILESYSTEM__REMOUNT, NULL);
+ return superblock_has_perm(current, path->mnt->mnt_sb,
+ FILESYSTEM__REMOUNT, NULL);
else
- return dentry_has_perm(current, nd->mnt, nd->dentry,
- FILE__MOUNTON);
+ return dentry_has_perm(current, path->mnt, path->dentry,
+ FILE__MOUNTON);
}
static int selinux_umount(struct vfsmount *mnt, int flags)
if (rc)
return rc;
- return superblock_has_perm(current,mnt->mnt_sb,
- FILESYSTEM__UNMOUNT,NULL);
+ return superblock_has_perm(current, mnt->mnt_sb,
+ FILESYSTEM__UNMOUNT, NULL);
}
/* inode security operations */
printk(KERN_WARNING "%s: "
"security_transition_sid failed, rc=%d (dev=%s "
"ino=%ld)\n",
- __FUNCTION__,
+ __func__,
-rc, inode->i_sb->s_id, inode->i_ino);
return rc;
}
return -EOPNOTSUPP;
if (name) {
- namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
+ namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
if (!namep)
return -ENOMEM;
*name = namep;
}
if (value && len) {
- rc = security_sid_to_context(newsid, &context, &clen);
+ rc = security_sid_to_context_force(newsid, &context, &clen);
if (rc) {
kfree(namep);
return rc;
{
int rc;
- rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
+ rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
if (rc)
return rc;
return may_link(dir, old_dentry, MAY_LINK);
}
static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
- struct inode *new_inode, struct dentry *new_dentry)
+ struct inode *new_inode, struct dentry *new_dentry)
{
return may_rename(old_inode, old_dentry, new_inode, new_dentry);
}
{
int rc;
- rc = secondary_ops->inode_follow_link(dentry,nameidata);
+ rc = secondary_ops->inode_follow_link(dentry, nameidata);
if (rc)
return rc;
return dentry_has_perm(current, NULL, dentry, FILE__READ);
}
-static int selinux_inode_permission(struct inode *inode, int mask,
- struct nameidata *nd)
+static int selinux_inode_permission(struct inode *inode, int mask)
{
int rc;
- rc = secondary_ops->inode_permission(inode, mask, nd);
+ rc = secondary_ops->inode_permission(inode, mask);
if (rc)
return rc;
}
return inode_has_perm(current, inode,
- file_mask_to_av(inode->i_mode, mask), NULL);
+ open_file_mask_to_av(inode->i_mode, mask), NULL);
}
static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
}
-static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
+static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
{
if (!strncmp(name, XATTR_SECURITY_PREFIX,
sizeof XATTR_SECURITY_PREFIX - 1)) {
return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
}
-static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
+static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
+ const void *value, size_t size, int flags)
{
struct task_security_struct *tsec = current->security;
struct inode *inode = dentry->d_inode;
if (!is_owner_or_cap(inode))
return -EPERM;
- AVC_AUDIT_DATA_INIT(&ad,FS);
- ad.u.fs.dentry = dentry;
+ AVC_AUDIT_DATA_INIT(&ad, FS);
+ ad.u.fs.path.dentry = dentry;
rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
FILE__RELABELFROM, &ad);
return rc;
rc = security_context_to_sid(value, size, &newsid);
+ if (rc == -EINVAL) {
+ if (!capable(CAP_MAC_ADMIN))
+ return rc;
+ rc = security_context_to_sid_force(value, size, &newsid);
+ }
if (rc)
return rc;
return rc;
rc = security_validate_transition(isec->sid, newsid, tsec->sid,
- isec->sclass);
+ isec->sclass);
if (rc)
return rc;
&ad);
}
-static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
- void *value, size_t size, int flags)
+static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
+ const void *value, size_t size,
+ int flags)
{
struct inode *inode = dentry->d_inode;
struct inode_security_struct *isec = inode->i_security;
return;
}
- rc = security_context_to_sid(value, size, &newsid);
+ rc = security_context_to_sid_force(value, size, &newsid);
if (rc) {
- printk(KERN_WARNING "%s: unable to obtain SID for context "
- "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
+ printk(KERN_ERR "SELinux: unable to map context to SID"
+ "for (%s, %lu), rc=%d\n",
+ inode->i_sb->s_id, inode->i_ino, -rc);
return;
}
return;
}
-static int selinux_inode_getxattr (struct dentry *dentry, char *name)
+static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
{
return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
}
-static int selinux_inode_listxattr (struct dentry *dentry)
+static int selinux_inode_listxattr(struct dentry *dentry)
{
return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
}
-static int selinux_inode_removexattr (struct dentry *dentry, char *name)
+static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
{
if (strcmp(name, XATTR_NAME_SELINUX))
return selinux_inode_setotherxattr(dentry, name);
}
/*
- * Copy the in-core inode security context value to the user. If the
- * getxattr() prior to this succeeded, check to see if we need to
- * canonicalize the value to be finally returned to the user.
+ * Copy the inode security context value to the user.
*
* Permission check is handled by selinux_inode_getxattr hook.
*/
-static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
+static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
{
+ u32 size;
+ int error;
+ char *context = NULL;
+ struct task_security_struct *tsec = current->security;
struct inode_security_struct *isec = inode->i_security;
if (strcmp(name, XATTR_SELINUX_SUFFIX))
return -EOPNOTSUPP;
- return selinux_getsecurity(isec->sid, buffer, size);
+ /*
+ * If the caller has CAP_MAC_ADMIN, then get the raw context
+ * value even if it is not defined by current policy; otherwise,
+ * use the in-core value under current policy.
+ * Use the non-auditing forms of the permission checks since
+ * getxattr may be called by unprivileged processes commonly
+ * and lack of permission just means that we fall back to the
+ * in-core context value, not a denial.
+ */
+ error = secondary_ops->capable(current, CAP_MAC_ADMIN);
+ if (!error)
+ error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
+ SECCLASS_CAPABILITY2,
+ CAPABILITY2__MAC_ADMIN,
+ 0,
+ NULL);
+ if (!error)
+ error = security_sid_to_context_force(isec->sid, &context,
+ &size);
+ else
+ error = security_sid_to_context(isec->sid, &context, &size);
+ if (error)
+ return error;
+ error = size;
+ if (alloc) {
+ *buffer = context;
+ goto out_nofree;
+ }
+ kfree(context);
+out_nofree:
+ return error;
}
static int selinux_inode_setsecurity(struct inode *inode, const char *name,
- const void *value, size_t size, int flags)
+ const void *value, size_t size, int flags)
{
struct inode_security_struct *isec = inode->i_security;
u32 newsid;
if (!value || !size)
return -EACCES;
- rc = security_context_to_sid((void*)value, size, &newsid);
+ rc = security_context_to_sid((void *)value, size, &newsid);
if (rc)
return rc;
return secondary_ops->inode_killpriv(dentry);
}
+static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
+{
+ struct inode_security_struct *isec = inode->i_security;
+ *secid = isec->sid;
+}
+
/* file security operations */
static int selinux_revalidate_file_permission(struct file *file, int mask)
static int selinux_file_ioctl(struct file *file, unsigned int cmd,
unsigned long arg)
{
- int error = 0;
-
- switch (cmd) {
- case FIONREAD:
- /* fall through */
- case FIBMAP:
- /* fall through */
- case FIGETBSZ:
- /* fall through */
- case EXT2_IOC_GETFLAGS:
- /* fall through */
- case EXT2_IOC_GETVERSION:
- error = file_has_perm(current, file, FILE__GETATTR);
- break;
-
- case EXT2_IOC_SETFLAGS:
- /* fall through */
- case EXT2_IOC_SETVERSION:
- error = file_has_perm(current, file, FILE__SETATTR);
- break;
-
- /* sys_ioctl() checks */
- case FIONBIO:
- /* fall through */
- case FIOASYNC:
- error = file_has_perm(current, file, 0);
- break;
-
- case KDSKBENT:
- case KDSKBSENT:
- error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
- break;
+ u32 av = 0;
- /* default case assumes that the command will go
- * to the file's ioctl() function.
- */
- default:
- error = file_has_perm(current, file, FILE__IOCTL);
+ if (_IOC_DIR(cmd) & _IOC_WRITE)
+ av |= FILE__WRITE;
+ if (_IOC_DIR(cmd) & _IOC_READ)
+ av |= FILE__READ;
+ if (!av)
+ av = FILE__IOCTL;
- }
- return error;
+ return file_has_perm(current, file, av);
}
static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
unsigned long addr, unsigned long addr_only)
{
int rc = 0;
- u32 sid = ((struct task_security_struct*)(current->security))->sid;
+ u32 sid = ((struct task_security_struct *)(current->security))->sid;
if (addr < mmap_min_addr)
rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
int err = 0;
switch (cmd) {
- case F_SETFL:
- if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
- err = -EINVAL;
- break;
- }
+ case F_SETFL:
+ if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
+ err = -EINVAL;
+ break;
+ }
- if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
- err = file_has_perm(current, file,FILE__WRITE);
- break;
- }
- /* fall through */
- case F_SETOWN:
- case F_SETSIG:
- case F_GETFL:
- case F_GETOWN:
- case F_GETSIG:
- /* Just check FD__USE permission */
- err = file_has_perm(current, file, 0);
+ if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
+ err = file_has_perm(current, file, FILE__WRITE);
break;
- case F_GETLK:
- case F_SETLK:
- case F_SETLKW:
+ }
+ /* fall through */
+ case F_SETOWN:
+ case F_SETSIG:
+ case F_GETFL:
+ case F_GETOWN:
+ case F_GETSIG:
+ /* Just check FD__USE permission */
+ err = file_has_perm(current, file, 0);
+ break;
+ case F_GETLK:
+ case F_SETLK:
+ case F_SETLKW:
#if BITS_PER_LONG == 32
- case F_GETLK64:
- case F_SETLK64:
- case F_SETLKW64:
+ case F_GETLK64:
+ case F_SETLK64:
+ case F_SETLKW64:
#endif
- if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
- err = -EINVAL;
- break;
- }
- err = file_has_perm(current, file, FILE__LOCK);
+ if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
+ err = -EINVAL;
break;
+ }
+ err = file_has_perm(current, file, FILE__LOCK);
+ break;
}
return err;
static int selinux_file_send_sigiotask(struct task_struct *tsk,
struct fown_struct *fown, int signum)
{
- struct file *file;
+ struct file *file;
u32 perm;
struct task_security_struct *tsec;
struct file_security_struct *fsec;
/* struct fown_struct is never outside the context of a struct file */
- file = container_of(fown, struct file, f_owner);
+ file = container_of(fown, struct file, f_owner);
tsec = tsk->security;
fsec = file->f_security;
tsec2->keycreate_sid = tsec1->keycreate_sid;
tsec2->sockcreate_sid = tsec1->sockcreate_sid;
- /* Retain ptracer SID across fork, if any.
- This will be reset by the ptrace hook upon any
- subsequent ptrace_attach operations. */
- tsec2->ptrace_sid = tsec1->ptrace_sid;
-
return 0;
}
static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
{
- return secondary_ops->task_post_setuid(id0,id1,id2,flags);
+ return secondary_ops->task_post_setuid(id0, id1, id2, flags);
}
static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
{
- selinux_get_task_sid(p, secid);
+ struct task_security_struct *tsec = p->security;
+ *secid = tsec->sid;
}
static int selinux_task_setgroups(struct group_info *group_info)
if (rc)
return rc;
- return task_has_perm(current,p, PROCESS__SETSCHED);
+ return task_has_perm(current, p, PROCESS__SETSCHED);
}
static int selinux_task_setioprio(struct task_struct *p, int ioprio)
if (rc)
return rc;
- if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
- return 0;
-
if (!sig)
perm = PROCESS__SIGNULL; /* null signal; existence test */
else
unsigned long arg2,
unsigned long arg3,
unsigned long arg4,
- unsigned long arg5)
+ unsigned long arg5,
+ long *rc_p)
{
/* The current prctl operations do not appear to require
any SELinux controls since they merely observe or modify
the state of the current process. */
- return 0;
+ return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
}
static int selinux_task_wait(struct task_struct *p)
static void selinux_task_reparent_to_init(struct task_struct *p)
{
- struct task_security_struct *tsec;
+ struct task_security_struct *tsec;
secondary_ops->task_reparent_to_init(p);
*proto = ih->protocol;
switch (ih->protocol) {
- case IPPROTO_TCP: {
- struct tcphdr _tcph, *th;
+ case IPPROTO_TCP: {
+ struct tcphdr _tcph, *th;
- if (ntohs(ih->frag_off) & IP_OFFSET)
- break;
+ if (ntohs(ih->frag_off) & IP_OFFSET)
+ break;
offset += ihlen;
th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
ad->u.net.sport = th->source;
ad->u.net.dport = th->dest;
break;
- }
-
- case IPPROTO_UDP: {
- struct udphdr _udph, *uh;
-
- if (ntohs(ih->frag_off) & IP_OFFSET)
- break;
-
+ }
+
+ case IPPROTO_UDP: {
+ struct udphdr _udph, *uh;
+
+ if (ntohs(ih->frag_off) & IP_OFFSET)
+ break;
+
offset += ihlen;
- uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
+ uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
if (uh == NULL)
- break;
+ break;
- ad->u.net.sport = uh->source;
- ad->u.net.dport = uh->dest;
- break;
- }
+ ad->u.net.sport = uh->source;
+ ad->u.net.dport = uh->dest;
+ break;
+ }
case IPPROTO_DCCP: {
struct dccp_hdr _dccph, *dh;
ad->u.net.sport = dh->dccph_sport;
ad->u.net.dport = dh->dccph_dport;
break;
- }
+ }
- default:
- break;
- }
-out:
- return ret;
+ default:
+ break;
+ }
+out:
+ return ret;
}
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
switch (nexthdr) {
case IPPROTO_TCP: {
- struct tcphdr _tcph, *th;
+ struct tcphdr _tcph, *th;
th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
if (th == NULL)
ad->u.net.sport = dh->dccph_sport;
ad->u.net.dport = dh->dccph_dport;
break;
- }
+ }
/* includes fragments */
default:
#endif /* IPV6 */
static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
- char **addrp, int *len, int src, u8 *proto)
+ char **_addrp, int src, u8 *proto)
{
- int ret = 0;
+ char *addrp;
+ int ret;
switch (ad->u.net.family) {
case PF_INET:
ret = selinux_parse_skb_ipv4(skb, ad, proto);
- if (ret || !addrp)
- break;
- *len = 4;
- *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
- &ad->u.net.v4info.daddr);
- break;
+ if (ret)
+ goto parse_error;
+ addrp = (char *)(src ? &ad->u.net.v4info.saddr :
+ &ad->u.net.v4info.daddr);
+ goto okay;
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
case PF_INET6:
ret = selinux_parse_skb_ipv6(skb, ad, proto);
- if (ret || !addrp)
- break;
- *len = 16;
- *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
- &ad->u.net.v6info.daddr);
- break;
+ if (ret)
+ goto parse_error;
+ addrp = (char *)(src ? &ad->u.net.v6info.saddr :
+ &ad->u.net.v6info.daddr);
+ goto okay;
#endif /* IPV6 */
default:
- break;
+ addrp = NULL;
+ goto okay;
}
+parse_error:
+ printk(KERN_WARNING
+ "SELinux: failure in selinux_parse_skb(),"
+ " unable to parse packet\n");
return ret;
+
+okay:
+ if (_addrp)
+ *_addrp = addrp;
+ return 0;
}
/**
- * selinux_skb_extlbl_sid - Determine the external label of a packet
+ * selinux_skb_peerlbl_sid - Determine the peer label of a packet
* @skb: the packet
- * @sid: the packet's SID
+ * @family: protocol family
+ * @sid: the packet's peer label SID
*
* Description:
- * Check the various different forms of external packet labeling and determine
- * the external SID for the packet. If only one form of external labeling is
- * present then it is used, if both labeled IPsec and NetLabel labels are
- * present then the SELinux type information is taken from the labeled IPsec
- * SA and the MLS sensitivity label information is taken from the NetLabel
- * security attributes. This bit of "magic" is done in the call to
- * selinux_netlbl_skbuff_getsid().
+ * Check the various different forms of network peer labeling and determine
+ * the peer label/SID for the packet; most of the magic actually occurs in
+ * the security server function security_net_peersid_cmp(). The function
+ * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
+ * or -EACCES if @sid is invalid due to inconsistencies with the different
+ * peer labels.
*
*/
-static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
+static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
{
+ int err;
u32 xfrm_sid;
u32 nlbl_sid;
+ u32 nlbl_type;
selinux_skb_xfrm_sid(skb, &xfrm_sid);
- if (selinux_netlbl_skbuff_getsid(skb,
- (xfrm_sid == SECSID_NULL ?
- SECINITSID_NETMSG : xfrm_sid),
- &nlbl_sid) != 0)
- nlbl_sid = SECSID_NULL;
- *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
+ selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
+
+ err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
+ if (unlikely(err)) {
+ printk(KERN_WARNING
+ "SELinux: failure in selinux_skb_peerlbl_sid(),"
+ " unable to determine packet's peer label\n");
+ return -EACCES;
+ }
+
+ return 0;
}
/* socket security operations */
if (isec->sid == SECINITSID_KERNEL)
goto out;
- AVC_AUDIT_DATA_INIT(&ad,NET);
+ AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.sk = sock->sk;
err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
if (sock->sk) {
sksec = sock->sk->sk_security;
sksec->sid = isec->sid;
+ sksec->sclass = isec->sclass;
err = selinux_netlbl_socket_post_create(sock);
}
struct sockaddr_in6 *addr6 = NULL;
unsigned short snum;
struct sock *sk = sock->sk;
- u32 sid, node_perm, addrlen;
+ u32 sid, node_perm;
tsec = current->security;
isec = SOCK_INODE(sock)->i_security;
if (family == PF_INET) {
addr4 = (struct sockaddr_in *)address;
snum = ntohs(addr4->sin_port);
- addrlen = sizeof(addr4->sin_addr.s_addr);
addrp = (char *)&addr4->sin_addr.s_addr;
} else {
addr6 = (struct sockaddr_in6 *)address;
snum = ntohs(addr6->sin6_port);
- addrlen = sizeof(addr6->sin6_addr.s6_addr);
addrp = (char *)&addr6->sin6_addr.s6_addr;
}
inet_get_local_port_range(&low, &high);
if (snum < max(PROT_SOCK, low) || snum > high) {
- err = security_port_sid(sk->sk_family,
- sk->sk_type,
- sk->sk_protocol, snum,
- &sid);
+ err = sel_netport_sid(sk->sk_protocol,
+ snum, &sid);
if (err)
goto out;
- AVC_AUDIT_DATA_INIT(&ad,NET);
+ AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.sport = htons(snum);
ad.u.net.family = family;
err = avc_has_perm(isec->sid, sid,
goto out;
}
}
-
- switch(isec->sclass) {
+
+ switch (isec->sclass) {
case SECCLASS_TCP_SOCKET:
node_perm = TCP_SOCKET__NODE_BIND;
break;
-
+
case SECCLASS_UDP_SOCKET:
node_perm = UDP_SOCKET__NODE_BIND;
break;
node_perm = RAWIP_SOCKET__NODE_BIND;
break;
}
-
- err = security_node_sid(family, addrp, addrlen, &sid);
+
+ err = sel_netnode_sid(addrp, family, &sid);
if (err)
goto out;
-
- AVC_AUDIT_DATA_INIT(&ad,NET);
+
+ AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.sport = htons(snum);
ad.u.net.family = family;
ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
err = avc_has_perm(isec->sid, sid,
- isec->sclass, node_perm, &ad);
+ isec->sclass, node_perm, &ad);
if (err)
goto out;
}
static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
{
+ struct sock *sk = sock->sk;
struct inode_security_struct *isec;
int err;
isec = SOCK_INODE(sock)->i_security;
if (isec->sclass == SECCLASS_TCP_SOCKET ||
isec->sclass == SECCLASS_DCCP_SOCKET) {
- struct sock *sk = sock->sk;
struct avc_audit_data ad;
struct sockaddr_in *addr4 = NULL;
struct sockaddr_in6 *addr6 = NULL;
snum = ntohs(addr6->sin6_port);
}
- err = security_port_sid(sk->sk_family, sk->sk_type,
- sk->sk_protocol, snum, &sid);
+ err = sel_netport_sid(sk->sk_protocol, snum, &sid);
if (err)
goto out;
perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
- AVC_AUDIT_DATA_INIT(&ad,NET);
+ AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.dport = htons(snum);
ad.u.net.family = sk->sk_family;
err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
goto out;
}
+ err = selinux_netlbl_socket_connect(sk, address);
+
out:
return err;
}
}
static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
- int size)
+ int size)
{
int rc;
return socket_has_perm(current, sock, SOCKET__GETATTR);
}
-static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
+static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
{
int err;
isec = SOCK_INODE(sock)->i_security;
other_isec = SOCK_INODE(other)->i_security;
- AVC_AUDIT_DATA_INIT(&ad,NET);
+ AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.sk = other->sk;
err = avc_has_perm(isec->sid, other_isec->sid,
/* connecting socket */
ssec = sock->sk->sk_security;
ssec->peer_sid = other_isec->sid;
-
+
/* server child socket */
ssec = newsk->sk_security;
ssec->peer_sid = isec->sid;
isec = SOCK_INODE(sock)->i_security;
other_isec = SOCK_INODE(other)->i_security;
- AVC_AUDIT_DATA_INIT(&ad,NET);
+ AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.sk = other->sk;
err = avc_has_perm(isec->sid, other_isec->sid,
return 0;
}
-static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
- struct avc_audit_data *ad, u16 family, char *addrp, int len)
+static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
+ u32 peer_sid,
+ struct avc_audit_data *ad)
{
- int err = 0;
- u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
- struct socket *sock;
- u16 sock_class = 0;
- u32 sock_sid = 0;
-
- read_lock_bh(&sk->sk_callback_lock);
- sock = sk->sk_socket;
- if (sock) {
- struct inode *inode;
- inode = SOCK_INODE(sock);
- if (inode) {
- struct inode_security_struct *isec;
- isec = inode->i_security;
- sock_sid = isec->sid;
- sock_class = isec->sclass;
- }
- }
- read_unlock_bh(&sk->sk_callback_lock);
- if (!sock_sid)
- goto out;
-
- if (!skb->dev)
- goto out;
+ int err;
+ u32 if_sid;
+ u32 node_sid;
- err = sel_netif_sids(skb->dev, &if_sid, NULL);
+ err = sel_netif_sid(ifindex, &if_sid);
if (err)
- goto out;
+ return err;
+ err = avc_has_perm(peer_sid, if_sid,
+ SECCLASS_NETIF, NETIF__INGRESS, ad);
+ if (err)
+ return err;
- switch (sock_class) {
+ err = sel_netnode_sid(addrp, family, &node_sid);
+ if (err)
+ return err;
+ return avc_has_perm(peer_sid, node_sid,
+ SECCLASS_NODE, NODE__RECVFROM, ad);
+}
+
+static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
+ struct sk_buff *skb,
+ struct avc_audit_data *ad,
+ u16 family,
+ char *addrp)
+{
+ int err;
+ struct sk_security_struct *sksec = sk->sk_security;
+ u16 sk_class;
+ u32 netif_perm, node_perm, recv_perm;
+ u32 port_sid, node_sid, if_sid, sk_sid;
+
+ sk_sid = sksec->sid;
+ sk_class = sksec->sclass;
+
+ switch (sk_class) {
case SECCLASS_UDP_SOCKET:
netif_perm = NETIF__UDP_RECV;
node_perm = NODE__UDP_RECV;
recv_perm = UDP_SOCKET__RECV_MSG;
break;
-
case SECCLASS_TCP_SOCKET:
netif_perm = NETIF__TCP_RECV;
node_perm = NODE__TCP_RECV;
recv_perm = TCP_SOCKET__RECV_MSG;
break;
-
case SECCLASS_DCCP_SOCKET:
netif_perm = NETIF__DCCP_RECV;
node_perm = NODE__DCCP_RECV;
recv_perm = DCCP_SOCKET__RECV_MSG;
break;
-
default:
netif_perm = NETIF__RAWIP_RECV;
node_perm = NODE__RAWIP_RECV;
+ recv_perm = 0;
break;
}
- err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
+ err = sel_netif_sid(skb->iif, &if_sid);
if (err)
- goto out;
-
- err = security_node_sid(family, addrp, len, &node_sid);
+ return err;
+ err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
if (err)
- goto out;
-
- err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
+ return err;
+
+ err = sel_netnode_sid(addrp, family, &node_sid);
if (err)
- goto out;
+ return err;
+ err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
+ if (err)
+ return err;
- if (recv_perm) {
- u32 port_sid;
+ if (!recv_perm)
+ return 0;
+ err = sel_netport_sid(sk->sk_protocol,
+ ntohs(ad->u.net.sport), &port_sid);
+ if (unlikely(err)) {
+ printk(KERN_WARNING
+ "SELinux: failure in"
+ " selinux_sock_rcv_skb_iptables_compat(),"
+ " network port label not found\n");
+ return err;
+ }
+ return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
+}
- err = security_port_sid(sk->sk_family, sk->sk_type,
- sk->sk_protocol, ntohs(ad->u.net.sport),
- &port_sid);
- if (err)
- goto out;
+static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
+ u16 family)
+{
+ int err;
+ struct sk_security_struct *sksec = sk->sk_security;
+ u32 peer_sid;
+ u32 sk_sid = sksec->sid;
+ struct avc_audit_data ad;
+ char *addrp;
+
+ AVC_AUDIT_DATA_INIT(&ad, NET);
+ ad.u.net.netif = skb->iif;
+ ad.u.net.family = family;
+ err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
+ if (err)
+ return err;
- err = avc_has_perm(sock_sid, port_sid,
- sock_class, recv_perm, ad);
+ if (selinux_compat_net)
+ err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
+ family, addrp);
+ else
+ err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
+ PACKET__RECV, &ad);
+ if (err)
+ return err;
+
+ if (selinux_policycap_netpeer) {
+ err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
+ if (err)
+ return err;
+ err = avc_has_perm(sk_sid, peer_sid,
+ SECCLASS_PEER, PEER__RECV, &ad);
+ if (err)
+ selinux_netlbl_err(skb, err, 0);
+ } else {
+ err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
+ if (err)
+ return err;
+ err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
}
-out:
return err;
}
static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
- u16 family;
- char *addrp;
- int len, err = 0;
- struct avc_audit_data ad;
+ int err;
struct sk_security_struct *sksec = sk->sk_security;
+ u16 family = sk->sk_family;
+ u32 sk_sid = sksec->sid;
+ struct avc_audit_data ad;
+ char *addrp;
+ u8 secmark_active;
+ u8 peerlbl_active;
- family = sk->sk_family;
if (family != PF_INET && family != PF_INET6)
- goto out;
+ return 0;
/* Handle mapped IPv4 packets arriving via IPv6 sockets */
if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
family = PF_INET;
+ /* If any sort of compatibility mode is enabled then handoff processing
+ * to the selinux_sock_rcv_skb_compat() function to deal with the
+ * special handling. We do this in an attempt to keep this function
+ * as fast and as clean as possible. */
+ if (selinux_compat_net || !selinux_policycap_netpeer)
+ return selinux_sock_rcv_skb_compat(sk, skb, family);
+
+ secmark_active = selinux_secmark_enabled();
+ peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
+ if (!secmark_active && !peerlbl_active)
+ return 0;
+
AVC_AUDIT_DATA_INIT(&ad, NET);
- ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
+ ad.u.net.netif = skb->iif;
ad.u.net.family = family;
-
- err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL);
+ err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
if (err)
- goto out;
+ return err;
- if (selinux_compat_net)
- err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family,
- addrp, len);
- else
- err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
- PACKET__RECV, &ad);
- if (err)
- goto out;
+ if (peerlbl_active) {
+ u32 peer_sid;
- err = selinux_netlbl_sock_rcv_skb(sksec, skb, &ad);
- if (err)
- goto out;
+ err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
+ if (err)
+ return err;
+ err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
+ peer_sid, &ad);
+ if (err) {
+ selinux_netlbl_err(skb, err, 0);
+ return err;
+ }
+ err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
+ PEER__RECV, &ad);
+ if (err)
+ selinux_netlbl_err(skb, err, 0);
+ }
+
+ if (secmark_active) {
+ err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
+ PACKET__RECV, &ad);
+ if (err)
+ return err;
+ }
- err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
-out:
return err;
}
err = -EFAULT;
kfree(scontext);
-out:
+out:
return err;
}
static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
{
u32 peer_secid = SECSID_NULL;
- int err = 0;
+ u16 family;
- if (sock && sock->sk->sk_family == PF_UNIX)
- selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
+ if (skb && skb->protocol == htons(ETH_P_IP))
+ family = PF_INET;
+ else if (skb && skb->protocol == htons(ETH_P_IPV6))
+ family = PF_INET6;
+ else if (sock)
+ family = sock->sk->sk_family;
+ else
+ goto out;
+
+ if (sock && family == PF_UNIX)
+ selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
else if (skb)
- selinux_skb_extlbl_sid(skb, &peer_secid);
+ selinux_skb_peerlbl_sid(skb, family, &peer_secid);
- if (peer_secid == SECSID_NULL)
- err = -EINVAL;
+out:
*secid = peer_secid;
-
- return err;
+ if (peer_secid == SECSID_NULL)
+ return -EINVAL;
+ return 0;
}
static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
newssec->sid = ssec->sid;
newssec->peer_sid = ssec->peer_sid;
+ newssec->sclass = ssec->sclass;
- selinux_netlbl_sk_security_clone(ssec, newssec);
+ selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
}
static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
}
}
-static void selinux_sock_graft(struct sock* sk, struct socket *parent)
+static void selinux_sock_graft(struct sock *sk, struct socket *parent)
{
struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
struct sk_security_struct *sksec = sk->sk_security;
if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
sk->sk_family == PF_UNIX)
isec->sid = sksec->sid;
-
- selinux_netlbl_sock_graft(sk, parent);
+ sksec->sclass = isec->sclass;
}
static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
{
struct sk_security_struct *sksec = sk->sk_security;
int err;
+ u16 family = sk->sk_family;
u32 newsid;
u32 peersid;
- selinux_skb_extlbl_sid(skb, &peersid);
+ /* handle mapped IPv4 packets arriving via IPv6 sockets */
+ if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
+ family = PF_INET;
+
+ err = selinux_skb_peerlbl_sid(skb, family, &peersid);
+ if (err)
+ return err;
if (peersid == SECSID_NULL) {
req->secid = sksec->sid;
req->peer_secid = SECSID_NULL;
selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
}
-static void selinux_inet_conn_established(struct sock *sk,
- struct sk_buff *skb)
+static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
{
+ u16 family = sk->sk_family;
struct sk_security_struct *sksec = sk->sk_security;
- selinux_skb_extlbl_sid(skb, &sksec->peer_sid);
+ /* handle mapped IPv4 packets arriving via IPv6 sockets */
+ if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
+ family = PF_INET;
+
+ selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
+
+ selinux_netlbl_inet_conn_established(sk, family);
}
static void selinux_req_classify_flow(const struct request_sock *req,
struct nlmsghdr *nlh;
struct socket *sock = sk->sk_socket;
struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
-
+
if (skb->len < NLMSG_SPACE(0)) {
err = -EINVAL;
goto out;
}
nlh = nlmsg_hdr(skb);
-
+
err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
if (err) {
if (err == -EINVAL) {
#ifdef CONFIG_NETFILTER
-static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
- struct avc_audit_data *ad,
- u16 family, char *addrp, int len)
+static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
+ u16 family)
{
- int err = 0;
- u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
- struct socket *sock;
- struct inode *inode;
- struct inode_security_struct *isec;
+ int err;
+ char *addrp;
+ u32 peer_sid;
+ struct avc_audit_data ad;
+ u8 secmark_active;
+ u8 netlbl_active;
+ u8 peerlbl_active;
- sock = sk->sk_socket;
- if (!sock)
- goto out;
+ if (!selinux_policycap_netpeer)
+ return NF_ACCEPT;
- inode = SOCK_INODE(sock);
- if (!inode)
- goto out;
+ secmark_active = selinux_secmark_enabled();
+ netlbl_active = netlbl_enabled();
+ peerlbl_active = netlbl_active || selinux_xfrm_enabled();
+ if (!secmark_active && !peerlbl_active)
+ return NF_ACCEPT;
- isec = inode->i_security;
-
- err = sel_netif_sids(dev, &if_sid, NULL);
- if (err)
- goto out;
+ if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
+ return NF_DROP;
+
+ AVC_AUDIT_DATA_INIT(&ad, NET);
+ ad.u.net.netif = ifindex;
+ ad.u.net.family = family;
+ if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
+ return NF_DROP;
+
+ if (peerlbl_active) {
+ err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
+ peer_sid, &ad);
+ if (err) {
+ selinux_netlbl_err(skb, err, 1);
+ return NF_DROP;
+ }
+ }
+
+ if (secmark_active)
+ if (avc_has_perm(peer_sid, skb->secmark,
+ SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
+ return NF_DROP;
+
+ if (netlbl_active)
+ /* we do this in the FORWARD path and not the POST_ROUTING
+ * path because we want to make sure we apply the necessary
+ * labeling before IPsec is applied so we can leverage AH
+ * protection */
+ if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
+ return NF_DROP;
+
+ return NF_ACCEPT;
+}
+
+static unsigned int selinux_ipv4_forward(unsigned int hooknum,
+ struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ return selinux_ip_forward(skb, in->ifindex, PF_INET);
+}
+
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+static unsigned int selinux_ipv6_forward(unsigned int hooknum,
+ struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ return selinux_ip_forward(skb, in->ifindex, PF_INET6);
+}
+#endif /* IPV6 */
+
+static unsigned int selinux_ip_output(struct sk_buff *skb,
+ u16 family)
+{
+ u32 sid;
+
+ if (!netlbl_enabled())
+ return NF_ACCEPT;
- switch (isec->sclass) {
+ /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
+ * because we want to make sure we apply the necessary labeling
+ * before IPsec is applied so we can leverage AH protection */
+ if (skb->sk) {
+ struct sk_security_struct *sksec = skb->sk->sk_security;
+ sid = sksec->sid;
+ } else
+ sid = SECINITSID_KERNEL;
+ if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
+ return NF_DROP;
+
+ return NF_ACCEPT;
+}
+
+static unsigned int selinux_ipv4_output(unsigned int hooknum,
+ struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ return selinux_ip_output(skb, PF_INET);
+}
+
+static int selinux_ip_postroute_iptables_compat(struct sock *sk,
+ int ifindex,
+ struct avc_audit_data *ad,
+ u16 family, char *addrp)
+{
+ int err;
+ struct sk_security_struct *sksec = sk->sk_security;
+ u16 sk_class;
+ u32 netif_perm, node_perm, send_perm;
+ u32 port_sid, node_sid, if_sid, sk_sid;
+
+ sk_sid = sksec->sid;
+ sk_class = sksec->sclass;
+
+ switch (sk_class) {
case SECCLASS_UDP_SOCKET:
netif_perm = NETIF__UDP_SEND;
node_perm = NODE__UDP_SEND;
send_perm = UDP_SOCKET__SEND_MSG;
break;
-
case SECCLASS_TCP_SOCKET:
netif_perm = NETIF__TCP_SEND;
node_perm = NODE__TCP_SEND;
send_perm = TCP_SOCKET__SEND_MSG;
break;
-
case SECCLASS_DCCP_SOCKET:
netif_perm = NETIF__DCCP_SEND;
node_perm = NODE__DCCP_SEND;
send_perm = DCCP_SOCKET__SEND_MSG;
break;
-
default:
netif_perm = NETIF__RAWIP_SEND;
node_perm = NODE__RAWIP_SEND;
+ send_perm = 0;
break;
}
- err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
+ err = sel_netif_sid(ifindex, &if_sid);
if (err)
- goto out;
-
- err = security_node_sid(family, addrp, len, &node_sid);
+ return err;
+ err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
+ return err;
+
+ err = sel_netnode_sid(addrp, family, &node_sid);
if (err)
- goto out;
-
- err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
+ return err;
+ err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
if (err)
- goto out;
+ return err;
- if (send_perm) {
- u32 port_sid;
-
- err = security_port_sid(sk->sk_family,
- sk->sk_type,
- sk->sk_protocol,
- ntohs(ad->u.net.dport),
- &port_sid);
- if (err)
- goto out;
+ if (send_perm != 0)
+ return 0;
- err = avc_has_perm(isec->sid, port_sid, isec->sclass,
- send_perm, ad);
+ err = sel_netport_sid(sk->sk_protocol,
+ ntohs(ad->u.net.dport), &port_sid);
+ if (unlikely(err)) {
+ printk(KERN_WARNING
+ "SELinux: failure in"
+ " selinux_ip_postroute_iptables_compat(),"
+ " network port label not found\n");
+ return err;
}
-out:
- return err;
+ return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
}
-static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *),
- u16 family)
+static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
+ int ifindex,
+ u16 family)
{
- char *addrp;
- int len, err = 0;
- struct sock *sk;
- struct avc_audit_data ad;
- struct net_device *dev = (struct net_device *)out;
+ struct sock *sk = skb->sk;
struct sk_security_struct *sksec;
+ struct avc_audit_data ad;
+ char *addrp;
u8 proto;
- sk = skb->sk;
- if (!sk)
- goto out;
-
+ if (sk == NULL)
+ return NF_ACCEPT;
sksec = sk->sk_security;
AVC_AUDIT_DATA_INIT(&ad, NET);
- ad.u.net.netif = dev->name;
+ ad.u.net.netif = ifindex;
ad.u.net.family = family;
+ if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
+ return NF_DROP;
- err = selinux_parse_skb(skb, &ad, &addrp, &len, 0, &proto);
- if (err)
- goto out;
+ if (selinux_compat_net) {
+ if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
+ &ad, family, addrp))
+ return NF_DROP;
+ } else {
+ if (avc_has_perm(sksec->sid, skb->secmark,
+ SECCLASS_PACKET, PACKET__SEND, &ad))
+ return NF_DROP;
+ }
- if (selinux_compat_net)
- err = selinux_ip_postroute_last_compat(sk, dev, &ad,
- family, addrp, len);
- else
- err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
- PACKET__SEND, &ad);
+ if (selinux_policycap_netpeer)
+ if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
+ return NF_DROP;
- if (err)
- goto out;
+ return NF_ACCEPT;
+}
- err = selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto);
-out:
- return err ? NF_DROP : NF_ACCEPT;
+static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
+ u16 family)
+{
+ u32 secmark_perm;
+ u32 peer_sid;
+ struct sock *sk;
+ struct avc_audit_data ad;
+ char *addrp;
+ u8 secmark_active;
+ u8 peerlbl_active;
+
+ /* If any sort of compatibility mode is enabled then handoff processing
+ * to the selinux_ip_postroute_compat() function to deal with the
+ * special handling. We do this in an attempt to keep this function
+ * as fast and as clean as possible. */
+ if (selinux_compat_net || !selinux_policycap_netpeer)
+ return selinux_ip_postroute_compat(skb, ifindex, family);
+
+ /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
+ * packet transformation so allow the packet to pass without any checks
+ * since we'll have another chance to perform access control checks
+ * when the packet is on it's final way out.
+ * NOTE: there appear to be some IPv6 multicast cases where skb->dst
+ * is NULL, in this case go ahead and apply access control. */
+ if (skb->dst != NULL && skb->dst->xfrm != NULL)
+ return NF_ACCEPT;
+
+ secmark_active = selinux_secmark_enabled();
+ peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
+ if (!secmark_active && !peerlbl_active)
+ return NF_ACCEPT;
+
+ /* if the packet is being forwarded then get the peer label from the
+ * packet itself; otherwise check to see if it is from a local
+ * application or the kernel, if from an application get the peer label
+ * from the sending socket, otherwise use the kernel's sid */
+ sk = skb->sk;
+ if (sk == NULL) {
+ switch (family) {
+ case PF_INET:
+ if (IPCB(skb)->flags & IPSKB_FORWARDED)
+ secmark_perm = PACKET__FORWARD_OUT;
+ else
+ secmark_perm = PACKET__SEND;
+ break;
+ case PF_INET6:
+ if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
+ secmark_perm = PACKET__FORWARD_OUT;
+ else
+ secmark_perm = PACKET__SEND;
+ break;
+ default:
+ return NF_DROP;
+ }
+ if (secmark_perm == PACKET__FORWARD_OUT) {
+ if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
+ return NF_DROP;
+ } else
+ peer_sid = SECINITSID_KERNEL;
+ } else {
+ struct sk_security_struct *sksec = sk->sk_security;
+ peer_sid = sksec->sid;
+ secmark_perm = PACKET__SEND;
+ }
+
+ AVC_AUDIT_DATA_INIT(&ad, NET);
+ ad.u.net.netif = ifindex;
+ ad.u.net.family = family;
+ if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
+ return NF_DROP;
+
+ if (secmark_active)
+ if (avc_has_perm(peer_sid, skb->secmark,
+ SECCLASS_PACKET, secmark_perm, &ad))
+ return NF_DROP;
+
+ if (peerlbl_active) {
+ u32 if_sid;
+ u32 node_sid;
+
+ if (sel_netif_sid(ifindex, &if_sid))
+ return NF_DROP;
+ if (avc_has_perm(peer_sid, if_sid,
+ SECCLASS_NETIF, NETIF__EGRESS, &ad))
+ return NF_DROP;
+
+ if (sel_netnode_sid(addrp, family, &node_sid))
+ return NF_DROP;
+ if (avc_has_perm(peer_sid, node_sid,
+ SECCLASS_NODE, NODE__SENDTO, &ad))
+ return NF_DROP;
+ }
+
+ return NF_ACCEPT;
}
-static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
+static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
+ struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
{
- return selinux_ip_postroute_last(hooknum, skb, in, out, okfn, PF_INET);
+ return selinux_ip_postroute(skb, out->ifindex, PF_INET);
}
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-
-static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
+static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
+ struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
{
- return selinux_ip_postroute_last(hooknum, skb, in, out, okfn, PF_INET6);
+ return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
}
-
#endif /* IPV6 */
#endif /* CONFIG_NETFILTER */
ad.u.cap = capability;
return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
- SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
+ SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
}
static int ipc_alloc_security(struct task_struct *task,
return -ENOMEM;
isec->sclass = sclass;
- isec->ipc_perm = perm;
isec->sid = tsec->sid;
perm->security = isec;
if (!msec)
return -ENOMEM;
- msec->msg = msg;
msec->sid = SECINITSID_UNLABELED;
msg->security = msec;
isec = msq->q_perm.security;
AVC_AUDIT_DATA_INIT(&ad, IPC);
- ad.u.ipc_id = msq->q_perm.key;
+ ad.u.ipc_id = msq->q_perm.key;
rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
MSGQ__CREATE, &ad);
int err;
int perms;
- switch(cmd) {
+ switch (cmd) {
case IPC_INFO:
case MSG_INFO:
/* No specific object, just general system-wide information. */
msec = msg->security;
AVC_AUDIT_DATA_INIT(&ad, IPC);
- ad.u.ipc_id = msq->q_perm.key;
+ ad.u.ipc_id = msq->q_perm.key;
rc = avc_has_perm(tsec->sid, isec->sid,
SECCLASS_MSGQ, MSGQ__READ, &ad);
isec = shp->shm_perm.security;
AVC_AUDIT_DATA_INIT(&ad, IPC);
- ad.u.ipc_id = shp->shm_perm.key;
+ ad.u.ipc_id = shp->shm_perm.key;
rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
SHM__CREATE, &ad);
int perms;
int err;
- switch(cmd) {
+ switch (cmd) {
case IPC_INFO:
case SHM_INFO:
/* No specific object, just general system-wide information. */
isec = sma->sem_perm.security;
AVC_AUDIT_DATA_INIT(&ad, IPC);
- ad.u.ipc_id = sma->sem_perm.key;
+ ad.u.ipc_id = sma->sem_perm.key;
rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
SEM__CREATE, &ad);
int err;
u32 perms;
- switch(cmd) {
+ switch (cmd) {
case IPC_INFO:
case SEM_INFO:
/* No specific object, just general system-wide information. */
return ipc_has_perm(ipcp, av);
}
-/* module stacking operations */
-static int selinux_register_security (const char *name, struct security_operations *ops)
+static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
{
- if (secondary_ops != original_ops) {
- printk(KERN_ERR "%s: There is already a secondary security "
- "module registered.\n", __FUNCTION__);
- return -EINVAL;
- }
-
- secondary_ops = ops;
-
- printk(KERN_INFO "%s: Registering secondary module %s\n",
- __FUNCTION__,
- name);
-
- return 0;
+ struct ipc_security_struct *isec = ipcp->security;
+ *secid = isec->sid;
}
-static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
+static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
{
if (inode)
inode_doinit_with_dentry(inode, dentry);
char *name, void *value, size_t size)
{
struct task_security_struct *tsec;
+ struct task_struct *tracer;
u32 sid = 0;
int error;
char *str = value;
size--;
}
error = security_context_to_sid(value, size, &sid);
+ if (error == -EINVAL && !strcmp(name, "fscreate")) {
+ if (!capable(CAP_MAC_ADMIN))
+ return error;
+ error = security_context_to_sid_force(value, size,
+ &sid);
+ }
if (error)
return error;
}
if (sid == 0)
return -EINVAL;
-
- /* Only allow single threaded processes to change context */
+ /*
+ * SELinux allows to change context in the following case only.
+ * - Single threaded processes.
+ * - Multi threaded processes intend to change its context into
+ * more restricted domain (defined by TYPEBOUNDS statement).
+ */
if (atomic_read(&p->mm->mm_users) != 1) {
struct task_struct *g, *t;
struct mm_struct *mm = p->mm;
read_lock(&tasklist_lock);
- do_each_thread(g, t)
+ do_each_thread(g, t) {
if (t->mm == mm && t != p) {
read_unlock(&tasklist_lock);
- return -EPERM;
+ error = security_bounded_transition(tsec->sid, sid);
+ if (!error)
+ goto boundary_ok;
+
+ return error;
}
- while_each_thread(g, t);
+ } while_each_thread(g, t);
read_unlock(&tasklist_lock);
- }
+ }
+boundary_ok:
/* Check permissions for the transition. */
error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
- PROCESS__DYNTRANSITION, NULL);
+ PROCESS__DYNTRANSITION, NULL);
if (error)
return error;
/* Check for ptracing, and update the task SID if ok.
Otherwise, leave SID unchanged and fail. */
task_lock(p);
- if (p->ptrace & PT_PTRACED) {
- error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
+ rcu_read_lock();
+ tracer = tracehook_tracer_task(p);
+ if (tracer != NULL) {
+ struct task_security_struct *ptsec = tracer->security;
+ u32 ptsid = ptsec->sid;
+ rcu_read_unlock();
+ error = avc_has_perm_noaudit(ptsid, sid,
SECCLASS_PROCESS,
PROCESS__PTRACE, 0, &avd);
if (!error)
tsec->sid = sid;
task_unlock(p);
- avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
+ avc_audit(ptsid, sid, SECCLASS_PROCESS,
PROCESS__PTRACE, &avd, error, NULL);
if (error)
return error;
} else {
+ rcu_read_unlock();
tsec->sid = sid;
task_unlock(p);
}
- }
- else
+ } else
return -EINVAL;
return size;
return security_sid_to_context(secid, secdata, seclen);
}
+static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
+{
+ return security_context_to_sid(secdata, seclen, secid);
+}
+
static void selinux_release_secctx(char *secdata, u32 seclen)
{
kfree(secdata);
if (!ksec)
return -ENOMEM;
- ksec->obj = k;
if (tsec->keycreate_sid)
ksec->sid = tsec->keycreate_sid;
else
SECCLASS_KEY, perm, NULL);
}
+static int selinux_key_getsecurity(struct key *key, char **_buffer)
+{
+ struct key_security_struct *ksec = key->security;
+ char *context = NULL;
+ unsigned len;
+ int rc;
+
+ rc = security_sid_to_context(ksec->sid, &context, &len);
+ if (!rc)
+ rc = len;
+ *_buffer = context;
+ return rc;
+}
+
#endif
static struct security_operations selinux_ops = {
- .ptrace = selinux_ptrace,
+ .name = "selinux",
+
+ .ptrace_may_access = selinux_ptrace_may_access,
+ .ptrace_traceme = selinux_ptrace_traceme,
.capget = selinux_capget,
.capset_check = selinux_capset_check,
.capset_set = selinux_capset_set,
.vm_enough_memory = selinux_vm_enough_memory,
.netlink_send = selinux_netlink_send,
- .netlink_recv = selinux_netlink_recv,
+ .netlink_recv = selinux_netlink_recv,
.bprm_alloc_security = selinux_bprm_alloc_security,
.bprm_free_security = selinux_bprm_free_security,
.sb_alloc_security = selinux_sb_alloc_security,
.sb_free_security = selinux_sb_free_security,
.sb_copy_data = selinux_sb_copy_data,
- .sb_kern_mount = selinux_sb_kern_mount,
+ .sb_kern_mount = selinux_sb_kern_mount,
+ .sb_show_options = selinux_sb_show_options,
.sb_statfs = selinux_sb_statfs,
.sb_mount = selinux_mount,
.sb_umount = selinux_umount,
- .sb_get_mnt_opts = selinux_get_mnt_opts,
.sb_set_mnt_opts = selinux_set_mnt_opts,
- .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
+ .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
+ .sb_parse_opts_str = selinux_parse_opts_str,
+
.inode_alloc_security = selinux_inode_alloc_security,
.inode_free_security = selinux_inode_free_security,
.inode_getxattr = selinux_inode_getxattr,
.inode_listxattr = selinux_inode_listxattr,
.inode_removexattr = selinux_inode_removexattr,
- .inode_getsecurity = selinux_inode_getsecurity,
- .inode_setsecurity = selinux_inode_setsecurity,
- .inode_listsecurity = selinux_inode_listsecurity,
+ .inode_getsecurity = selinux_inode_getsecurity,
+ .inode_setsecurity = selinux_inode_setsecurity,
+ .inode_listsecurity = selinux_inode_listsecurity,
.inode_need_killpriv = selinux_inode_need_killpriv,
.inode_killpriv = selinux_inode_killpriv,
+ .inode_getsecid = selinux_inode_getsecid,
.file_permission = selinux_file_permission,
.file_alloc_security = selinux_file_alloc_security,
.file_send_sigiotask = selinux_file_send_sigiotask,
.file_receive = selinux_file_receive,
- .dentry_open = selinux_dentry_open,
+ .dentry_open = selinux_dentry_open,
.task_create = selinux_task_create,
.task_alloc_security = selinux_task_alloc_security,
.task_setgid = selinux_task_setgid,
.task_setpgid = selinux_task_setpgid,
.task_getpgid = selinux_task_getpgid,
- .task_getsid = selinux_task_getsid,
+ .task_getsid = selinux_task_getsid,
.task_getsecid = selinux_task_getsecid,
.task_setgroups = selinux_task_setgroups,
.task_setnice = selinux_task_setnice,
.task_wait = selinux_task_wait,
.task_prctl = selinux_task_prctl,
.task_reparent_to_init = selinux_task_reparent_to_init,
- .task_to_inode = selinux_task_to_inode,
+ .task_to_inode = selinux_task_to_inode,
.ipc_permission = selinux_ipc_permission,
+ .ipc_getsecid = selinux_ipc_getsecid,
.msg_msg_alloc_security = selinux_msg_msg_alloc_security,
.msg_msg_free_security = selinux_msg_msg_free_security,
.shm_shmctl = selinux_shm_shmctl,
.shm_shmat = selinux_shm_shmat,
- .sem_alloc_security = selinux_sem_alloc_security,
- .sem_free_security = selinux_sem_free_security,
+ .sem_alloc_security = selinux_sem_alloc_security,
+ .sem_free_security = selinux_sem_free_security,
.sem_associate = selinux_sem_associate,
.sem_semctl = selinux_sem_semctl,
.sem_semop = selinux_sem_semop,
- .register_security = selinux_register_security,
-
- .d_instantiate = selinux_d_instantiate,
+ .d_instantiate = selinux_d_instantiate,
- .getprocattr = selinux_getprocattr,
- .setprocattr = selinux_setprocattr,
+ .getprocattr = selinux_getprocattr,
+ .setprocattr = selinux_setprocattr,
.secid_to_secctx = selinux_secid_to_secctx,
+ .secctx_to_secid = selinux_secctx_to_secid,
.release_secctx = selinux_release_secctx,
- .unix_stream_connect = selinux_socket_unix_stream_connect,
+ .unix_stream_connect = selinux_socket_unix_stream_connect,
.unix_may_send = selinux_socket_unix_may_send,
.socket_create = selinux_socket_create,
.sk_alloc_security = selinux_sk_alloc_security,
.sk_free_security = selinux_sk_free_security,
.sk_clone_security = selinux_sk_clone_security,
- .sk_getsecid = selinux_sk_getsecid,
+ .sk_getsecid = selinux_sk_getsecid,
.sock_graft = selinux_sock_graft,
.inet_conn_request = selinux_inet_conn_request,
.inet_csk_clone = selinux_inet_csk_clone,
.xfrm_state_alloc_security = selinux_xfrm_state_alloc,
.xfrm_state_free_security = selinux_xfrm_state_free,
.xfrm_state_delete_security = selinux_xfrm_state_delete,
- .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
+ .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
.xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
.xfrm_decode_session = selinux_xfrm_decode_session,
#endif
#ifdef CONFIG_KEYS
- .key_alloc = selinux_key_alloc,
- .key_free = selinux_key_free,
- .key_permission = selinux_key_permission,
+ .key_alloc = selinux_key_alloc,
+ .key_free = selinux_key_free,
+ .key_permission = selinux_key_permission,
+ .key_getsecurity = selinux_key_getsecurity,
+#endif
+
+#ifdef CONFIG_AUDIT
+ .audit_rule_init = selinux_audit_rule_init,
+ .audit_rule_known = selinux_audit_rule_known,
+ .audit_rule_match = selinux_audit_rule_match,
+ .audit_rule_free = selinux_audit_rule_free,
#endif
};
{
struct task_security_struct *tsec;
+ if (!security_module_enable(&selinux_ops)) {
+ selinux_enabled = 0;
+ return 0;
+ }
+
if (!selinux_enabled) {
printk(KERN_INFO "SELinux: Disabled at boot.\n");
return 0;
0, SLAB_PANIC, NULL);
avc_init();
- original_ops = secondary_ops = security_ops;
+ secondary_ops = security_ops;
if (!secondary_ops)
- panic ("SELinux: No initial security operations\n");
- if (register_security (&selinux_ops))
+ panic("SELinux: No initial security operations\n");
+ if (register_security(&selinux_ops))
panic("SELinux: Unable to register with kernel.\n");
- if (selinux_enforcing) {
+ if (selinux_enforcing)
printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
- } else {
+ else
printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
- }
-
-#ifdef CONFIG_KEYS
- /* Add security information to initial keyrings */
- selinux_key_alloc(&root_user_keyring, current,
- KEY_ALLOC_NOT_IN_QUOTA);
- selinux_key_alloc(&root_session_keyring, current,
- KEY_ALLOC_NOT_IN_QUOTA);
-#endif
return 0;
}
if (!list_empty(&superblock_security_head)) {
struct superblock_security_struct *sbsec =
list_entry(superblock_security_head.next,
- struct superblock_security_struct,
- list);
+ struct superblock_security_struct,
+ list);
struct super_block *sb = sbsec->sb;
sb->s_count++;
spin_unlock(&sb_security_lock);
#if defined(CONFIG_NETFILTER)
-static struct nf_hook_ops selinux_ipv4_op = {
- .hook = selinux_ipv4_postroute_last,
- .owner = THIS_MODULE,
- .pf = PF_INET,
- .hooknum = NF_IP_POST_ROUTING,
- .priority = NF_IP_PRI_SELINUX_LAST,
+static struct nf_hook_ops selinux_ipv4_ops[] = {
+ {
+ .hook = selinux_ipv4_postroute,
+ .owner = THIS_MODULE,
+ .pf = PF_INET,
+ .hooknum = NF_INET_POST_ROUTING,
+ .priority = NF_IP_PRI_SELINUX_LAST,
+ },
+ {
+ .hook = selinux_ipv4_forward,
+ .owner = THIS_MODULE,
+ .pf = PF_INET,
+ .hooknum = NF_INET_FORWARD,
+ .priority = NF_IP_PRI_SELINUX_FIRST,
+ },
+ {
+ .hook = selinux_ipv4_output,
+ .owner = THIS_MODULE,
+ .pf = PF_INET,
+ .hooknum = NF_INET_LOCAL_OUT,
+ .priority = NF_IP_PRI_SELINUX_FIRST,
+ }
};
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-static struct nf_hook_ops selinux_ipv6_op = {
- .hook = selinux_ipv6_postroute_last,
- .owner = THIS_MODULE,
- .pf = PF_INET6,
- .hooknum = NF_IP6_POST_ROUTING,
- .priority = NF_IP6_PRI_SELINUX_LAST,
+static struct nf_hook_ops selinux_ipv6_ops[] = {
+ {
+ .hook = selinux_ipv6_postroute,
+ .owner = THIS_MODULE,
+ .pf = PF_INET6,
+ .hooknum = NF_INET_POST_ROUTING,
+ .priority = NF_IP6_PRI_SELINUX_LAST,
+ },
+ {
+ .hook = selinux_ipv6_forward,
+ .owner = THIS_MODULE,
+ .pf = PF_INET6,
+ .hooknum = NF_INET_FORWARD,
+ .priority = NF_IP6_PRI_SELINUX_FIRST,
+ }
};
#endif /* IPV6 */
printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
- err = nf_register_hook(&selinux_ipv4_op);
+ err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
if (err)
- panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
+ panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-
- err = nf_register_hook(&selinux_ipv6_op);
+ err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
if (err)
- panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
-
+ panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
#endif /* IPV6 */
out:
{
printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
- nf_unregister_hook(&selinux_ipv4_op);
+ nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
- nf_unregister_hook(&selinux_ipv6_op);
+ nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
#endif /* IPV6 */
}
#endif
#endif /* CONFIG_NETFILTER */
#ifdef CONFIG_SECURITY_SELINUX_DISABLE
+static int selinux_disabled;
+
int selinux_disable(void)
{
extern void exit_sel_fs(void);
- static int selinux_disabled = 0;
if (ss_initialized) {
/* Not permitted after initial policy load. */
return 0;
}
#endif
-
-