/security/selinux/hooks.c
C | 5851 lines | 4414 code | 917 blank | 520 comment | 718 complexity | 05bd0c3c54ade157ab32a2607188216d MD5 | raw file
Possible License(s): GPL-2.0
Large files files are truncated, but you can click here to view the full file
- /*
- * NSA Security-Enhanced Linux (SELinux) security module
- *
- * This file contains the SELinux hook function implementations.
- *
- * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
- * Chris Vance, <cvance@nai.com>
- * Wayne Salamon, <wsalamon@nai.com>
- * James Morris <jmorris@redhat.com>
- *
- * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
- * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
- * Eric Paris <eparis@redhat.com>
- * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
- * <dgoeddel@trustedcs.com>
- * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
- * Paul Moore <paul.moore@hp.com>
- * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
- * Yuichi Nakamura <ynakam@hitachisoft.jp>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2,
- * as published by the Free Software Foundation.
- */
- #include <linux/init.h>
- #include <linux/kd.h>
- #include <linux/kernel.h>
- #include <linux/tracehook.h>
- #include <linux/errno.h>
- #include <linux/ext2_fs.h>
- #include <linux/sched.h>
- #include <linux/security.h>
- #include <linux/xattr.h>
- #include <linux/capability.h>
- #include <linux/unistd.h>
- #include <linux/mm.h>
- #include <linux/mman.h>
- #include <linux/slab.h>
- #include <linux/pagemap.h>
- #include <linux/proc_fs.h>
- #include <linux/swap.h>
- #include <linux/spinlock.h>
- #include <linux/syscalls.h>
- #include <linux/dcache.h>
- #include <linux/file.h>
- #include <linux/fdtable.h>
- #include <linux/namei.h>
- #include <linux/mount.h>
- #include <linux/netfilter_ipv4.h>
- #include <linux/netfilter_ipv6.h>
- #include <linux/tty.h>
- #include <net/icmp.h>
- #include <net/ip.h> /* for local_port_range[] */
- #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
- #include <net/net_namespace.h>
- #include <net/netlabel.h>
- #include <linux/uaccess.h>
- #include <asm/ioctls.h>
- #include <asm/atomic.h>
- #include <linux/bitops.h>
- #include <linux/interrupt.h>
- #include <linux/netdevice.h> /* for network interface checks */
- #include <linux/netlink.h>
- #include <linux/tcp.h>
- #include <linux/udp.h>
- #include <linux/dccp.h>
- #include <linux/quota.h>
- #include <linux/un.h> /* for Unix socket types */
- #include <net/af_unix.h> /* for Unix socket types */
- #include <linux/parser.h>
- #include <linux/nfs_mount.h>
- #include <net/ipv6.h>
- #include <linux/hugetlb.h>
- #include <linux/personality.h>
- #include <linux/audit.h>
- #include <linux/string.h>
- #include <linux/selinux.h>
- #include <linux/mutex.h>
- #include <linux/posix-timers.h>
- #include <linux/syslog.h>
- #include <linux/user_namespace.h>
- #include "avc.h"
- #include "objsec.h"
- #include "netif.h"
- #include "netnode.h"
- #include "netport.h"
- #include "xfrm.h"
- #include "netlabel.h"
- #include "audit.h"
- #define NUM_SEL_MNT_OPTS 5
- extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
- extern struct security_operations *security_ops;
- /* SECMARK reference count */
- atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
- #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
- int selinux_enforcing;
- static int __init enforcing_setup(char *str)
- {
- unsigned long enforcing;
- if (!strict_strtoul(str, 0, &enforcing))
- selinux_enforcing = enforcing ? 1 : 0;
- return 1;
- }
- __setup("enforcing=", enforcing_setup);
- #endif
- #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
- int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
- static int __init selinux_enabled_setup(char *str)
- {
- unsigned long enabled;
- if (!strict_strtoul(str, 0, &enabled))
- selinux_enabled = enabled ? 1 : 0;
- return 1;
- }
- __setup("selinux=", selinux_enabled_setup);
- #else
- int selinux_enabled = 1;
- #endif
- static struct kmem_cache *sel_inode_cache;
- /**
- * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
- *
- * Description:
- * This function checks the SECMARK reference counter to see if any SECMARK
- * targets are currently configured, if the reference counter is greater than
- * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
- * enabled, false (0) if SECMARK is disabled.
- *
- */
- static int selinux_secmark_enabled(void)
- {
- return (atomic_read(&selinux_secmark_refcount) > 0);
- }
- /*
- * initialise the security for the init task
- */
- static void cred_init_security(void)
- {
- struct cred *cred = (struct cred *) current->real_cred;
- struct task_security_struct *tsec;
- tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
- if (!tsec)
- panic("SELinux: Failed to initialize initial task.\n");
- tsec->osid = tsec->sid = SECINITSID_KERNEL;
- cred->security = tsec;
- }
- /*
- * get the security ID of a set of credentials
- */
- static inline u32 cred_sid(const struct cred *cred)
- {
- const struct task_security_struct *tsec;
- tsec = cred->security;
- return tsec->sid;
- }
- /*
- * get the objective security ID of a task
- */
- static inline u32 task_sid(const struct task_struct *task)
- {
- u32 sid;
- rcu_read_lock();
- sid = cred_sid(__task_cred(task));
- rcu_read_unlock();
- return sid;
- }
- /*
- * get the subjective security ID of the current task
- */
- static inline u32 current_sid(void)
- {
- const struct task_security_struct *tsec = current_security();
- return tsec->sid;
- }
- /* Allocate and free functions for each kind of security blob. */
- static int inode_alloc_security(struct inode *inode)
- {
- struct inode_security_struct *isec;
- u32 sid = current_sid();
- isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
- if (!isec)
- return -ENOMEM;
- mutex_init(&isec->lock);
- INIT_LIST_HEAD(&isec->list);
- isec->inode = inode;
- isec->sid = SECINITSID_UNLABELED;
- isec->sclass = SECCLASS_FILE;
- isec->task_sid = sid;
- inode->i_security = isec;
- return 0;
- }
- static void inode_free_rcu(struct rcu_head *head)
- {
- struct inode_security_struct *isec;
- isec = container_of(head, struct inode_security_struct, rcu);
- kmem_cache_free(sel_inode_cache, isec);
- }
- static void inode_free_security(struct inode *inode)
- {
- struct inode_security_struct *isec = inode->i_security;
- struct superblock_security_struct *sbsec = inode->i_sb->s_security;
- spin_lock(&sbsec->isec_lock);
- if (!list_empty(&isec->list))
- list_del_init(&isec->list);
- spin_unlock(&sbsec->isec_lock);
- /*
- * The inode may still be referenced in a path walk and
- * a call to selinux_inode_permission() can be made
- * after inode_free_security() is called. Ideally, the VFS
- * wouldn't do this, but fixing that is a much harder
- * job. For now, simply free the i_security via RCU, and
- * leave the current inode->i_security pointer intact.
- * The inode will be freed after the RCU grace period too.
- */
- call_rcu(&isec->rcu, inode_free_rcu);
- }
- static int file_alloc_security(struct file *file)
- {
- struct file_security_struct *fsec;
- u32 sid = current_sid();
- fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
- if (!fsec)
- return -ENOMEM;
- fsec->sid = sid;
- fsec->fown_sid = sid;
- file->f_security = fsec;
- return 0;
- }
- static void file_free_security(struct file *file)
- {
- struct file_security_struct *fsec = file->f_security;
- file->f_security = NULL;
- kfree(fsec);
- }
- static int superblock_alloc_security(struct super_block *sb)
- {
- struct superblock_security_struct *sbsec;
- sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
- if (!sbsec)
- return -ENOMEM;
- mutex_init(&sbsec->lock);
- INIT_LIST_HEAD(&sbsec->isec_head);
- spin_lock_init(&sbsec->isec_lock);
- sbsec->sb = sb;
- sbsec->sid = SECINITSID_UNLABELED;
- sbsec->def_sid = SECINITSID_FILE;
- sbsec->mntpoint_sid = SECINITSID_UNLABELED;
- sb->s_security = sbsec;
- return 0;
- }
- static void superblock_free_security(struct super_block *sb)
- {
- struct superblock_security_struct *sbsec = sb->s_security;
- sb->s_security = NULL;
- kfree(sbsec);
- }
- /* The security server must be initialized before
- any labeling or access decisions can be provided. */
- extern int ss_initialized;
- /* The file system's label must be initialized prior to use. */
- static const char *labeling_behaviors[6] = {
- "uses xattr",
- "uses transition SIDs",
- "uses task SIDs",
- "uses genfs_contexts",
- "not configured for labeling",
- "uses mountpoint labeling",
- };
- static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
- static inline int inode_doinit(struct inode *inode)
- {
- return inode_doinit_with_dentry(inode, NULL);
- }
- enum {
- Opt_error = -1,
- Opt_context = 1,
- Opt_fscontext = 2,
- Opt_defcontext = 3,
- Opt_rootcontext = 4,
- Opt_labelsupport = 5,
- };
- static const match_table_t tokens = {
- {Opt_context, CONTEXT_STR "%s"},
- {Opt_fscontext, FSCONTEXT_STR "%s"},
- {Opt_defcontext, DEFCONTEXT_STR "%s"},
- {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
- {Opt_labelsupport, LABELSUPP_STR},
- {Opt_error, NULL},
- };
- #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
- static int may_context_mount_sb_relabel(u32 sid,
- struct superblock_security_struct *sbsec,
- const struct cred *cred)
- {
- const struct task_security_struct *tsec = cred->security;
- int rc;
- rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
- FILESYSTEM__RELABELFROM, NULL);
- if (rc)
- return rc;
- rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
- FILESYSTEM__RELABELTO, NULL);
- return rc;
- }
- static int may_context_mount_inode_relabel(u32 sid,
- struct superblock_security_struct *sbsec,
- const struct cred *cred)
- {
- const struct task_security_struct *tsec = cred->security;
- int rc;
- rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
- FILESYSTEM__RELABELFROM, NULL);
- if (rc)
- return rc;
- rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
- FILESYSTEM__ASSOCIATE, NULL);
- return rc;
- }
- static int sb_finish_set_opts(struct super_block *sb)
- {
- struct superblock_security_struct *sbsec = sb->s_security;
- struct dentry *root = sb->s_root;
- struct inode *root_inode = root->d_inode;
- int rc = 0;
- if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
- /* Make sure that the xattr handler exists and that no
- error other than -ENODATA is returned by getxattr on
- the root directory. -ENODATA is ok, as this may be
- the first boot of the SELinux kernel before we have
- assigned xattr values to the filesystem. */
- if (!root_inode->i_op->getxattr) {
- printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
- "xattr support\n", sb->s_id, sb->s_type->name);
- rc = -EOPNOTSUPP;
- goto out;
- }
- rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
- if (rc < 0 && rc != -ENODATA) {
- if (rc == -EOPNOTSUPP)
- printk(KERN_WARNING "SELinux: (dev %s, type "
- "%s) has no security xattr handler\n",
- sb->s_id, sb->s_type->name);
- else
- printk(KERN_WARNING "SELinux: (dev %s, type "
- "%s) getxattr errno %d\n", sb->s_id,
- sb->s_type->name, -rc);
- goto out;
- }
- }
- sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
- if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
- printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
- sb->s_id, sb->s_type->name);
- else
- printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
- sb->s_id, sb->s_type->name,
- labeling_behaviors[sbsec->behavior-1]);
- if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
- sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
- sbsec->behavior == SECURITY_FS_USE_NONE ||
- sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
- sbsec->flags &= ~SE_SBLABELSUPP;
- /* Special handling for sysfs. Is genfs but also has setxattr handler*/
- if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
- sbsec->flags |= SE_SBLABELSUPP;
- /* Initialize the root inode. */
- rc = inode_doinit_with_dentry(root_inode, root);
- /* Initialize any other inodes associated with the superblock, e.g.
- inodes created prior to initial policy load or inodes created
- during get_sb by a pseudo filesystem that directly
- populates itself. */
- spin_lock(&sbsec->isec_lock);
- next_inode:
- if (!list_empty(&sbsec->isec_head)) {
- struct inode_security_struct *isec =
- list_entry(sbsec->isec_head.next,
- struct inode_security_struct, list);
- struct inode *inode = isec->inode;
- spin_unlock(&sbsec->isec_lock);
- inode = igrab(inode);
- if (inode) {
- if (!IS_PRIVATE(inode))
- inode_doinit(inode);
- iput(inode);
- }
- spin_lock(&sbsec->isec_lock);
- list_del_init(&isec->list);
- goto next_inode;
- }
- spin_unlock(&sbsec->isec_lock);
- out:
- return rc;
- }
- /*
- * This function should allow an FS to ask what it's mount security
- * options were so it can use those later for submounts, displaying
- * mount options, or whatever.
- */
- static int selinux_get_mnt_opts(const struct super_block *sb,
- struct security_mnt_opts *opts)
- {
- int rc = 0, i;
- struct superblock_security_struct *sbsec = sb->s_security;
- char *context = NULL;
- u32 len;
- char tmp;
- security_init_mnt_opts(opts);
- if (!(sbsec->flags & SE_SBINITIALIZED))
- return -EINVAL;
- if (!ss_initialized)
- return -EINVAL;
- tmp = sbsec->flags & SE_MNTMASK;
- /* count the number of mount options for this sb */
- for (i = 0; i < 8; i++) {
- if (tmp & 0x01)
- opts->num_mnt_opts++;
- tmp >>= 1;
- }
- /* Check if the Label support flag is set */
- if (sbsec->flags & SE_SBLABELSUPP)
- opts->num_mnt_opts++;
- opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
- if (!opts->mnt_opts) {
- rc = -ENOMEM;
- goto out_free;
- }
- opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
- if (!opts->mnt_opts_flags) {
- rc = -ENOMEM;
- goto out_free;
- }
- i = 0;
- if (sbsec->flags & FSCONTEXT_MNT) {
- rc = security_sid_to_context(sbsec->sid, &context, &len);
- if (rc)
- goto out_free;
- opts->mnt_opts[i] = context;
- opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
- }
- if (sbsec->flags & CONTEXT_MNT) {
- rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
- if (rc)
- goto out_free;
- opts->mnt_opts[i] = context;
- opts->mnt_opts_flags[i++] = CONTEXT_MNT;
- }
- if (sbsec->flags & DEFCONTEXT_MNT) {
- rc = security_sid_to_context(sbsec->def_sid, &context, &len);
- if (rc)
- goto out_free;
- opts->mnt_opts[i] = context;
- opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
- }
- if (sbsec->flags & ROOTCONTEXT_MNT) {
- struct inode *root = sbsec->sb->s_root->d_inode;
- struct inode_security_struct *isec = root->i_security;
- rc = security_sid_to_context(isec->sid, &context, &len);
- if (rc)
- goto out_free;
- opts->mnt_opts[i] = context;
- opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
- }
- if (sbsec->flags & SE_SBLABELSUPP) {
- opts->mnt_opts[i] = NULL;
- opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
- }
- BUG_ON(i != opts->num_mnt_opts);
- return 0;
- out_free:
- security_free_mnt_opts(opts);
- return rc;
- }
- static int bad_option(struct superblock_security_struct *sbsec, char flag,
- u32 old_sid, u32 new_sid)
- {
- char mnt_flags = sbsec->flags & SE_MNTMASK;
- /* check if the old mount command had the same options */
- if (sbsec->flags & SE_SBINITIALIZED)
- if (!(sbsec->flags & flag) ||
- (old_sid != new_sid))
- return 1;
- /* check if we were passed the same options twice,
- * aka someone passed context=a,context=b
- */
- if (!(sbsec->flags & SE_SBINITIALIZED))
- if (mnt_flags & flag)
- return 1;
- return 0;
- }
- /*
- * Allow filesystems with binary mount data to explicitly set mount point
- * labeling information.
- */
- static int selinux_set_mnt_opts(struct super_block *sb,
- struct security_mnt_opts *opts)
- {
- const struct cred *cred = current_cred();
- int rc = 0, i;
- struct superblock_security_struct *sbsec = sb->s_security;
- const char *name = sb->s_type->name;
- struct inode *inode = sbsec->sb->s_root->d_inode;
- struct inode_security_struct *root_isec = inode->i_security;
- u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
- u32 defcontext_sid = 0;
- char **mount_options = opts->mnt_opts;
- int *flags = opts->mnt_opts_flags;
- int num_opts = opts->num_mnt_opts;
- mutex_lock(&sbsec->lock);
- if (!ss_initialized) {
- if (!num_opts) {
- /* Defer initialization until selinux_complete_init,
- after the initial policy is loaded and the security
- server is ready to handle calls. */
- goto out;
- }
- rc = -EINVAL;
- printk(KERN_WARNING "SELinux: Unable to set superblock options "
- "before the security server is initialized\n");
- goto out;
- }
- /*
- * Binary mount data FS will come through this function twice. Once
- * from an explicit call and once from the generic calls from the vfs.
- * Since the generic VFS calls will not contain any security mount data
- * we need to skip the double mount verification.
- *
- * This does open a hole in which we will not notice if the first
- * mount using this sb set explict options and a second mount using
- * this sb does not set any security options. (The first options
- * will be used for both mounts)
- */
- if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
- && (num_opts == 0))
- goto out;
- /*
- * parse the mount options, check if they are valid sids.
- * also check if someone is trying to mount the same sb more
- * than once with different security options.
- */
- for (i = 0; i < num_opts; i++) {
- u32 sid;
- if (flags[i] == SE_SBLABELSUPP)
- continue;
- rc = security_context_to_sid(mount_options[i],
- strlen(mount_options[i]), &sid);
- if (rc) {
- printk(KERN_WARNING "SELinux: security_context_to_sid"
- "(%s) failed for (dev %s, type %s) errno=%d\n",
- mount_options[i], sb->s_id, name, rc);
- goto out;
- }
- switch (flags[i]) {
- case FSCONTEXT_MNT:
- fscontext_sid = sid;
- if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
- fscontext_sid))
- goto out_double_mount;
- sbsec->flags |= FSCONTEXT_MNT;
- break;
- case CONTEXT_MNT:
- context_sid = sid;
- if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
- context_sid))
- goto out_double_mount;
- sbsec->flags |= CONTEXT_MNT;
- break;
- case ROOTCONTEXT_MNT:
- rootcontext_sid = sid;
- if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
- rootcontext_sid))
- goto out_double_mount;
- sbsec->flags |= ROOTCONTEXT_MNT;
- break;
- case DEFCONTEXT_MNT:
- defcontext_sid = sid;
- if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
- defcontext_sid))
- goto out_double_mount;
- sbsec->flags |= DEFCONTEXT_MNT;
- break;
- default:
- rc = -EINVAL;
- goto out;
- }
- }
- if (sbsec->flags & SE_SBINITIALIZED) {
- /* previously mounted with options, but not on this attempt? */
- if ((sbsec->flags & SE_MNTMASK) && !num_opts)
- goto out_double_mount;
- rc = 0;
- goto out;
- }
- if (strcmp(sb->s_type->name, "proc") == 0)
- sbsec->flags |= SE_SBPROC;
- /* Determine the labeling behavior to use for this filesystem type. */
- rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
- if (rc) {
- printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
- __func__, sb->s_type->name, rc);
- goto out;
- }
- /* sets the context of the superblock for the fs being mounted. */
- if (fscontext_sid) {
- rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
- if (rc)
- goto out;
- sbsec->sid = fscontext_sid;
- }
- /*
- * Switch to using mount point labeling behavior.
- * sets the label used on all file below the mountpoint, and will set
- * the superblock context if not already set.
- */
- if (context_sid) {
- if (!fscontext_sid) {
- rc = may_context_mount_sb_relabel(context_sid, sbsec,
- cred);
- if (rc)
- goto out;
- sbsec->sid = context_sid;
- } else {
- rc = may_context_mount_inode_relabel(context_sid, sbsec,
- cred);
- if (rc)
- goto out;
- }
- if (!rootcontext_sid)
- rootcontext_sid = context_sid;
- sbsec->mntpoint_sid = context_sid;
- sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
- }
- if (rootcontext_sid) {
- rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
- cred);
- if (rc)
- goto out;
- root_isec->sid = rootcontext_sid;
- root_isec->initialized = 1;
- }
- if (defcontext_sid) {
- if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
- rc = -EINVAL;
- printk(KERN_WARNING "SELinux: defcontext option is "
- "invalid for this filesystem type\n");
- goto out;
- }
- if (defcontext_sid != sbsec->def_sid) {
- rc = may_context_mount_inode_relabel(defcontext_sid,
- sbsec, cred);
- if (rc)
- goto out;
- }
- sbsec->def_sid = defcontext_sid;
- }
- rc = sb_finish_set_opts(sb);
- out:
- mutex_unlock(&sbsec->lock);
- return rc;
- out_double_mount:
- rc = -EINVAL;
- printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
- "security settings for (dev %s, type %s)\n", sb->s_id, name);
- goto out;
- }
- static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
- struct super_block *newsb)
- {
- const struct superblock_security_struct *oldsbsec = oldsb->s_security;
- struct superblock_security_struct *newsbsec = newsb->s_security;
- int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
- int set_context = (oldsbsec->flags & CONTEXT_MNT);
- int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
- /*
- * if the parent was able to be mounted it clearly had no special lsm
- * mount options. thus we can safely deal with this superblock later
- */
- if (!ss_initialized)
- return;
- /* how can we clone if the old one wasn't set up?? */
- BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
- /* if fs is reusing a sb, just let its options stand... */
- if (newsbsec->flags & SE_SBINITIALIZED)
- return;
- mutex_lock(&newsbsec->lock);
- newsbsec->flags = oldsbsec->flags;
- newsbsec->sid = oldsbsec->sid;
- newsbsec->def_sid = oldsbsec->def_sid;
- newsbsec->behavior = oldsbsec->behavior;
- if (set_context) {
- u32 sid = oldsbsec->mntpoint_sid;
- if (!set_fscontext)
- newsbsec->sid = sid;
- if (!set_rootcontext) {
- struct inode *newinode = newsb->s_root->d_inode;
- struct inode_security_struct *newisec = newinode->i_security;
- newisec->sid = sid;
- }
- newsbsec->mntpoint_sid = sid;
- }
- if (set_rootcontext) {
- const struct inode *oldinode = oldsb->s_root->d_inode;
- const struct inode_security_struct *oldisec = oldinode->i_security;
- struct inode *newinode = newsb->s_root->d_inode;
- struct inode_security_struct *newisec = newinode->i_security;
- newisec->sid = oldisec->sid;
- }
- sb_finish_set_opts(newsb);
- mutex_unlock(&newsbsec->lock);
- }
- static int selinux_parse_opts_str(char *options,
- struct security_mnt_opts *opts)
- {
- char *p;
- char *context = NULL, *defcontext = NULL;
- char *fscontext = NULL, *rootcontext = NULL;
- int rc, num_mnt_opts = 0;
- opts->num_mnt_opts = 0;
- /* Standard string-based options. */
- while ((p = strsep(&options, "|")) != NULL) {
- int token;
- substring_t args[MAX_OPT_ARGS];
- if (!*p)
- continue;
- token = match_token(p, tokens, args);
- switch (token) {
- case Opt_context:
- if (context || defcontext) {
- rc = -EINVAL;
- printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
- goto out_err;
- }
- context = match_strdup(&args[0]);
- if (!context) {
- rc = -ENOMEM;
- goto out_err;
- }
- break;
- case Opt_fscontext:
- if (fscontext) {
- rc = -EINVAL;
- printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
- goto out_err;
- }
- fscontext = match_strdup(&args[0]);
- if (!fscontext) {
- rc = -ENOMEM;
- goto out_err;
- }
- break;
- case Opt_rootcontext:
- if (rootcontext) {
- rc = -EINVAL;
- printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
- goto out_err;
- }
- rootcontext = match_strdup(&args[0]);
- if (!rootcontext) {
- rc = -ENOMEM;
- goto out_err;
- }
- break;
- case Opt_defcontext:
- if (context || defcontext) {
- rc = -EINVAL;
- printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
- goto out_err;
- }
- defcontext = match_strdup(&args[0]);
- if (!defcontext) {
- rc = -ENOMEM;
- goto out_err;
- }
- break;
- case Opt_labelsupport:
- break;
- default:
- rc = -EINVAL;
- printk(KERN_WARNING "SELinux: unknown mount option\n");
- goto out_err;
- }
- }
- rc = -ENOMEM;
- opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
- if (!opts->mnt_opts)
- goto out_err;
- opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
- if (!opts->mnt_opts_flags) {
- kfree(opts->mnt_opts);
- goto out_err;
- }
- if (fscontext) {
- opts->mnt_opts[num_mnt_opts] = fscontext;
- opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
- }
- if (context) {
- opts->mnt_opts[num_mnt_opts] = context;
- opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
- }
- if (rootcontext) {
- opts->mnt_opts[num_mnt_opts] = rootcontext;
- opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
- }
- if (defcontext) {
- opts->mnt_opts[num_mnt_opts] = defcontext;
- opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
- }
- opts->num_mnt_opts = num_mnt_opts;
- return 0;
- out_err:
- kfree(context);
- kfree(defcontext);
- kfree(fscontext);
- kfree(rootcontext);
- return rc;
- }
- /*
- * string mount options parsing and call set the sbsec
- */
- static int superblock_doinit(struct super_block *sb, void *data)
- {
- int rc = 0;
- char *options = data;
- struct security_mnt_opts opts;
- security_init_mnt_opts(&opts);
- if (!data)
- goto out;
- BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
- rc = selinux_parse_opts_str(options, &opts);
- if (rc)
- goto out_err;
- out:
- rc = selinux_set_mnt_opts(sb, &opts);
- out_err:
- security_free_mnt_opts(&opts);
- return rc;
- }
- static void selinux_write_opts(struct seq_file *m,
- struct security_mnt_opts *opts)
- {
- int i;
- char *prefix;
- for (i = 0; i < opts->num_mnt_opts; i++) {
- char *has_comma;
- if (opts->mnt_opts[i])
- has_comma = strchr(opts->mnt_opts[i], ',');
- else
- has_comma = NULL;
- switch (opts->mnt_opts_flags[i]) {
- case CONTEXT_MNT:
- prefix = CONTEXT_STR;
- break;
- case FSCONTEXT_MNT:
- prefix = FSCONTEXT_STR;
- break;
- case ROOTCONTEXT_MNT:
- prefix = ROOTCONTEXT_STR;
- break;
- case DEFCONTEXT_MNT:
- prefix = DEFCONTEXT_STR;
- break;
- case SE_SBLABELSUPP:
- seq_putc(m, ',');
- seq_puts(m, LABELSUPP_STR);
- continue;
- default:
- BUG();
- return;
- };
- /* we need a comma before each option */
- seq_putc(m, ',');
- seq_puts(m, prefix);
- if (has_comma)
- seq_putc(m, '\"');
- seq_puts(m, opts->mnt_opts[i]);
- if (has_comma)
- seq_putc(m, '\"');
- }
- }
- static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
- {
- struct security_mnt_opts opts;
- int rc;
- rc = selinux_get_mnt_opts(sb, &opts);
- if (rc) {
- /* before policy load we may get EINVAL, don't show anything */
- if (rc == -EINVAL)
- rc = 0;
- return rc;
- }
- selinux_write_opts(m, &opts);
- security_free_mnt_opts(&opts);
- return rc;
- }
- static inline u16 inode_mode_to_security_class(umode_t mode)
- {
- switch (mode & S_IFMT) {
- case S_IFSOCK:
- return SECCLASS_SOCK_FILE;
- case S_IFLNK:
- return SECCLASS_LNK_FILE;
- case S_IFREG:
- return SECCLASS_FILE;
- case S_IFBLK:
- return SECCLASS_BLK_FILE;
- case S_IFDIR:
- return SECCLASS_DIR;
- case S_IFCHR:
- return SECCLASS_CHR_FILE;
- case S_IFIFO:
- return SECCLASS_FIFO_FILE;
- }
- return SECCLASS_FILE;
- }
- static inline int default_protocol_stream(int protocol)
- {
- return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
- }
- static inline int default_protocol_dgram(int protocol)
- {
- return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
- }
- static inline u16 socket_type_to_security_class(int family, int type, int protocol)
- {
- switch (family) {
- case PF_UNIX:
- switch (type) {
- case SOCK_STREAM:
- case SOCK_SEQPACKET:
- return SECCLASS_UNIX_STREAM_SOCKET;
- case SOCK_DGRAM:
- return SECCLASS_UNIX_DGRAM_SOCKET;
- }
- break;
- case PF_INET:
- case PF_INET6:
- switch (type) {
- case SOCK_STREAM:
- if (default_protocol_stream(protocol))
- return SECCLASS_TCP_SOCKET;
- else
- return SECCLASS_RAWIP_SOCKET;
- case SOCK_DGRAM:
- if (default_protocol_dgram(protocol))
- return SECCLASS_UDP_SOCKET;
- else
- return SECCLASS_RAWIP_SOCKET;
- case SOCK_DCCP:
- return SECCLASS_DCCP_SOCKET;
- default:
- return SECCLASS_RAWIP_SOCKET;
- }
- break;
- case PF_NETLINK:
- switch (protocol) {
- case NETLINK_ROUTE:
- return SECCLASS_NETLINK_ROUTE_SOCKET;
- case NETLINK_FIREWALL:
- return SECCLASS_NETLINK_FIREWALL_SOCKET;
- case NETLINK_INET_DIAG:
- return SECCLASS_NETLINK_TCPDIAG_SOCKET;
- case NETLINK_NFLOG:
- return SECCLASS_NETLINK_NFLOG_SOCKET;
- case NETLINK_XFRM:
- return SECCLASS_NETLINK_XFRM_SOCKET;
- case NETLINK_SELINUX:
- return SECCLASS_NETLINK_SELINUX_SOCKET;
- case NETLINK_AUDIT:
- return SECCLASS_NETLINK_AUDIT_SOCKET;
- case NETLINK_IP6_FW:
- return SECCLASS_NETLINK_IP6FW_SOCKET;
- case NETLINK_DNRTMSG:
- return SECCLASS_NETLINK_DNRT_SOCKET;
- case NETLINK_KOBJECT_UEVENT:
- return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
- default:
- return SECCLASS_NETLINK_SOCKET;
- }
- case PF_PACKET:
- return SECCLASS_PACKET_SOCKET;
- case PF_KEY:
- return SECCLASS_KEY_SOCKET;
- case PF_APPLETALK:
- return SECCLASS_APPLETALK_SOCKET;
- }
- return SECCLASS_SOCKET;
- }
- #ifdef CONFIG_PROC_FS
- static int selinux_proc_get_sid(struct dentry *dentry,
- u16 tclass,
- u32 *sid)
- {
- int rc;
- char *buffer, *path;
- buffer = (char *)__get_free_page(GFP_KERNEL);
- if (!buffer)
- return -ENOMEM;
- path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
- if (IS_ERR(path))
- rc = PTR_ERR(path);
- else {
- /* each process gets a /proc/PID/ entry. Strip off the
- * PID part to get a valid selinux labeling.
- * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
- while (path[1] >= '0' && path[1] <= '9') {
- path[1] = '/';
- path++;
- }
- rc = security_genfs_sid("proc", path, tclass, sid);
- }
- free_page((unsigned long)buffer);
- return rc;
- }
- #else
- static int selinux_proc_get_sid(struct dentry *dentry,
- u16 tclass,
- u32 *sid)
- {
- return -EINVAL;
- }
- #endif
- /* The inode's security attributes must be initialized before first use. */
- static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
- {
- struct superblock_security_struct *sbsec = NULL;
- struct inode_security_struct *isec = inode->i_security;
- u32 sid;
- struct dentry *dentry;
- #define INITCONTEXTLEN 255
- char *context = NULL;
- unsigned len = 0;
- int rc = 0;
- if (isec->initialized)
- goto out;
- mutex_lock(&isec->lock);
- if (isec->initialized)
- goto out_unlock;
- sbsec = inode->i_sb->s_security;
- if (!(sbsec->flags & SE_SBINITIALIZED)) {
- /* Defer initialization until selinux_complete_init,
- after the initial policy is loaded and the security
- server is ready to handle calls. */
- spin_lock(&sbsec->isec_lock);
- if (list_empty(&isec->list))
- list_add(&isec->list, &sbsec->isec_head);
- spin_unlock(&sbsec->isec_lock);
- goto out_unlock;
- }
- switch (sbsec->behavior) {
- case SECURITY_FS_USE_XATTR:
- if (!inode->i_op->getxattr) {
- isec->sid = sbsec->def_sid;
- break;
- }
- /* Need a dentry, since the xattr API requires one.
- Life would be simpler if we could just pass the inode. */
- if (opt_dentry) {
- /* Called from d_instantiate or d_splice_alias. */
- dentry = dget(opt_dentry);
- } else {
- /* Called from selinux_complete_init, try to find a dentry. */
- dentry = d_find_alias(inode);
- }
- if (!dentry) {
- /*
- * this is can be hit on boot when a file is accessed
- * before the policy is loaded. When we load policy we
- * may find inodes that have no dentry on the
- * sbsec->isec_head list. No reason to complain as these
- * will get fixed up the next time we go through
- * inode_doinit with a dentry, before these inodes could
- * be used again by userspace.
- */
- goto out_unlock;
- }
- len = INITCONTEXTLEN;
- context = kmalloc(len+1, GFP_NOFS);
- if (!context) {
- rc = -ENOMEM;
- dput(dentry);
- goto out_unlock;
- }
- context[len] = '\0';
- rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
- context, len);
- if (rc == -ERANGE) {
- kfree(context);
- /* Need a larger buffer. Query for the right size. */
- rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
- NULL, 0);
- if (rc < 0) {
- dput(dentry);
- goto out_unlock;
- }
- len = rc;
- context = kmalloc(len+1, GFP_NOFS);
- if (!context) {
- rc = -ENOMEM;
- dput(dentry);
- goto out_unlock;
- }
- context[len] = '\0';
- rc = inode->i_op->getxattr(dentry,
- XATTR_NAME_SELINUX,
- context, len);
- }
- dput(dentry);
- if (rc < 0) {
- if (rc != -ENODATA) {
- printk(KERN_WARNING "SELinux: %s: getxattr returned "
- "%d for dev=%s ino=%ld\n", __func__,
- -rc, inode->i_sb->s_id, inode->i_ino);
- kfree(context);
- goto out_unlock;
- }
- /* Map ENODATA to the default file SID */
- sid = sbsec->def_sid;
- rc = 0;
- } else {
- rc = security_context_to_sid_default(context, rc, &sid,
- sbsec->def_sid,
- GFP_NOFS);
- if (rc) {
- char *dev = inode->i_sb->s_id;
- unsigned long ino = inode->i_ino;
- if (rc == -EINVAL) {
- if (printk_ratelimit())
- printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
- "context=%s. This indicates you may need to relabel the inode or the "
- "filesystem in question.\n", ino, dev, context);
- } else {
- printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
- "returned %d for dev=%s ino=%ld\n",
- __func__, context, -rc, dev, ino);
- }
- kfree(context);
- /* Leave with the unlabeled SID */
- rc = 0;
- break;
- }
- }
- kfree(context);
- isec->sid = sid;
- break;
- case SECURITY_FS_USE_TASK:
- isec->sid = isec->task_sid;
- break;
- case SECURITY_FS_USE_TRANS:
- /* Default to the fs SID. */
- isec->sid = sbsec->sid;
- /* Try to obtain a transition SID. */
- isec->sclass = inode_mode_to_security_class(inode->i_mode);
- rc = security_transition_sid(isec->task_sid, sbsec->sid,
- isec->sclass, NULL, &sid);
- if (rc)
- goto out_unlock;
- isec->sid = sid;
- break;
- case SECURITY_FS_USE_MNTPOINT:
- isec->sid = sbsec->mntpoint_sid;
- break;
- default:
- /* Default to the fs superblock SID. */
- isec->sid = sbsec->sid;
- if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
- if (opt_dentry) {
- isec->sclass = inode_mode_to_security_class(inode->i_mode);
- rc = selinux_proc_get_sid(opt_dentry,
- isec->sclass,
- &sid);
- if (rc)
- goto out_unlock;
- isec->sid = sid;
- }
- }
- break;
- }
- isec->initialized = 1;
- out_unlock:
- mutex_unlock(&isec->lock);
- out:
- if (isec->sclass == SECCLASS_FILE)
- isec->sclass = inode_mode_to_security_class(inode->i_mode);
- return rc;
- }
- /* Convert a Linux signal to an access vector. */
- static inline u32 signal_to_av(int sig)
- {
- u32 perm = 0;
- switch (sig) {
- case SIGCHLD:
- /* Commonly granted from child to parent. */
- perm = PROCESS__SIGCHLD;
- break;
- case SIGKILL:
- /* Cannot be caught or ignored */
- perm = PROCESS__SIGKILL;
- break;
- case SIGSTOP:
- /* Cannot be caught or ignored */
- perm = PROCESS__SIGSTOP;
- break;
- default:
- /* All other signals. */
- perm = PROCESS__SIGNAL;
- break;
- }
- return perm;
- }
- /*
- * Check permission between a pair of credentials
- * fork check, ptrace check, etc.
- */
- static int cred_has_perm(const struct cred *actor,
- const struct cred *target,
- u32 perms)
- {
- u32 asid = cred_sid(actor), tsid = cred_sid(target);
- return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
- }
- /*
- * Check permission between a pair of tasks, e.g. signal checks,
- * fork check, ptrace check, etc.
- * tsk1 is the actor and tsk2 is the target
- * - this uses the default subjective creds of tsk1
- */
- static int task_has_perm(const struct task_struct *tsk1,
- const struct task_struct *tsk2,
- u32 perms)
- {
- const struct task_security_struct *__tsec1, *__tsec2;
- u32 sid1, sid2;
- rcu_read_lock();
- __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
- __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
- rcu_read_unlock();
- return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
- }
- /*
- * Check permission between current and another task, e.g. signal checks,
- * fork check, ptrace check, etc.
- * current is the actor and tsk2 is the target
- * - this uses current's subjective creds
- */
- static int current_has_perm(const struct task_struct *tsk,
- u32 perms)
- {
- u32 sid, tsid;
- sid = current_sid();
- tsid = task_sid(tsk);
- return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
- }
- #if CAP_LAST_CAP > 63
- #error Fix SELinux to handle capabilities > 63.
- #endif
- /* Check whether a task is allowed to use a capability. */
- static int task_has_capability(struct task_struct *tsk,
- const struct cred *cred,
- int cap, int audit)
- {
- struct common_audit_data ad;
- struct av_decision avd;
- u16 sclass;
- u32 sid = cred_sid(cred);
- u32 av = CAP_TO_MASK(cap);
- int rc;
- COMMON_AUDIT_DATA_INIT(&ad, CAP);
- ad.tsk = tsk;
- ad.u.cap = cap;
- switch (CAP_TO_INDEX(cap)) {
- case 0:
- sclass = SECCLASS_CAPABILITY;
- break;
- case 1:
- sclass = SECCLASS_CAPABILITY2;
- break;
- default:
- printk(KERN_ERR
- "SELinux: out of range capability %d\n", cap);
- BUG();
- return -EINVAL;
- }
- rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
- if (audit == SECURITY_CAP_AUDIT) {
- int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
- if (rc2)
- return rc2;
- }
- return rc;
- }
- /* Check whether a task is allowed to use a system operation. */
- static int task_has_system(struct task_struct *tsk,
- u32 perms)
- {
- u32 sid = task_sid(tsk);
- return avc_has_perm(sid, SECINITSID_KERNEL,
- SECCLASS_SYSTEM, perms, NULL);
- }
- /* Check whether a task has a particular permission to an inode.
- The 'adp' parameter is optional and allows other audit
- data to be passed (e.g. the dentry). */
- static int inode_has_perm(const struct cred *cred,
- struct inode *inode,
- u32 perms,
- struct common_audit_data *adp,
- unsigned flags)
- {
- struct inode_security_struct *isec;
- u32 sid;
- validate_creds(cred);
- if (unlikely(IS_PRIVATE(inode)))
- return 0;
- sid = cred_sid(cred);
- isec = inode->i_security;
- return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
- }
- static int inode_has_perm_noadp(const struct cred *cred,
- struct inode *inode,
- u32 perms,
- unsigned flags)
- {
- struct common_audit_data ad;
- COMMON_AUDIT_DATA_INIT(&ad, INODE);
- ad.u.inode = inode;
- return inode_has_perm(cred, inode, perms, &ad, flags);
- }
- /* Same as inode_has_perm, but pass explicit audit data containing
- the dentry to help the auditing code to more easily generate the
- pathname if needed. */
- static inline int dentry_has_perm(const struct cred *cred,
- struct dentry *dentry,
- u32 av)
- {
- struct inode *inode = dentry->d_inode;
- struct common_audit_data ad;
- COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
- ad.u.dentry = dentry;
- return inode_has_perm(cred, inode, av, &ad, 0);
- }
- /* Same as inode_has_perm, but pass explicit audit data containing
- the path to help the auditing code to more easily generate the
- pathname if needed. */
- static inline int path_has_perm(const struct cred *cred,
- struct path *path,
- u32 av)
- {
- struct inode *inode = path->dentry->d_inode;
- struct common_audit_data ad;
- COMMON_AUDIT_DATA_INIT(&ad, PATH);
- ad.u.path = *path;
- return inode_has_perm(cred, inode, av, &ad, 0);
- }
- /* Check whether a task can use an open file descriptor to
- access an inode in a given way. Check access to the
- descriptor itself, and then use dentry_has_perm to
- check a particular permission to the file.
- Access to the descriptor is implicitly granted if it
- has the same SID as the process. If av is zero, then
- access to the file is not checked, e.g. for cases
- where only the descriptor is affected like seek. */
- static int file_has_perm(const struct cred *cred,
- struct file *file,
- u32 av)
- {
- struct file_security_struct *fsec = file->f_security;
- struct inode *inode = file->f_path.dentry->d_inode;
- struct common_audit_data ad;
- u32 sid = cred_sid(cred);
- int rc;
- COMMON_AUDIT_DATA_INIT(&ad, PATH);
- ad.u.path = file->f_path;
- if (sid != fsec->sid) {
- rc = avc_has_perm(sid, fsec->sid,
- SECCLASS_FD,
- FD__USE,
- &ad);
- if (rc)
- goto out;
- }
- /* av is zero if only checking access to the descriptor. */
- rc = 0;
- if (av)
- rc = inode_has_perm(cred, inode, av, &ad, 0);
- out:
- return rc;
- }
- /* Check whether a task can create a file. */
- static int may_create(struct inode *dir,
- struct dentry *dentry,
- u16 tclass)
- {
- const struct task_security_struct *tsec = current_security();
- struct inode_security_struct *dsec;
- struct superblock_security_struct *sbsec;
- u32 sid, newsid;
- struct common_audit_data ad;
- int rc;
- dsec = dir->i_security;
- sbsec = dir->i_sb->s_security;
- sid = tsec->sid;
- newsid = tsec->create_sid;
- COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
- ad.u.dentry = dentry;
- rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
- DIR__ADD_NAME | DIR__SEARCH,
- &ad);
- if (rc)
- return rc;
- if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
- rc = security_transition_sid(sid, dsec->sid, tclass,
- &dentry->d_name, &newsid);
- if (rc)
- return rc;
- }
- rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
- if (rc)
- return rc;
- return avc_has_perm(newsid, sbsec->sid,
- SECCLASS_FILESYSTEM,
- FILESYSTEM__ASSOCIATE, &ad);
- }
- /* Check whether a task can create a key. */
- static int may_create_key(u32 ksid,
- struct task_struct *ctx)
- {
- u32 sid = task_sid(ctx);
- return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
- }
- #define MAY_LINK 0
- #define MAY_UNLINK 1
- #define MAY_RMDIR 2
- /* Check whether a task can link, unlink, or rmdir a file/directory. */
- static int may_link(struct inode *dir,
- struct dentry *dentry,
- int kind)
- {
- struct inode_security_struct *dsec, *isec;
- struct common_audit_data ad;
- u32 sid = current_sid();
- u32 av;
- int rc;
- dsec = dir->i_security;
- isec = dentry->d_inode->i_security;
- COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
- ad.u.dentry = dentry;
- av = DIR__SEARCH;
- av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
- rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
- if (rc)
- return rc;
- switch (kind) {
- case MAY_LINK:
- av = FILE__LINK;
- break;
- case MAY_UNLINK:
- av = FILE__UNLINK;
- break;
- case MAY_RMDIR:
- av = DIR__RMDIR;
- break;
- default:
- printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
- __func__, kind);
- return 0;
- }
- rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
- return rc;
- }
- static inline int may_rename(struct inode *old_dir,
- struct dentry *old_dentry,
- struct inode *new_dir,
- struct dentry *new_dentry)
- {
- struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
- struct common_audit_data ad;
- u32 sid = current_sid();
- u32 av;
- int old_is_dir, new_is_dir;
- int rc;
- old_dsec = old_dir->i_security;
- old_isec = old_dentry->d_inode->i_security;
- old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
- new_dsec = new_dir->i_security;
- COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
- ad.u.dentry = old_dentry;
- rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
- DIR__REMOVE_NAME | DIR__SEARCH, &ad);
- if (rc)
- return rc;
- rc = avc_has_perm(sid, old_isec->sid,
- old_isec->sclass, FILE__RENAME, &ad);
- if (rc)
- return rc;
- if (old_is_dir && new_dir != old_dir) {
- rc = avc_has_perm(sid, old_isec->sid,
- old_isec->sclass, DIR__REPARENT, &ad);
- if (rc)
- return rc;
- }
- ad.u.dentry = new_dentry;
- av = DIR__ADD_NAME | DIR__SEARCH;
- if (new_dentry->d_inode)
- av |= DIR__REMOVE_NAME;
- rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
- if (rc)
- return rc;
- if (new_dentry->d_inode) {
- new_isec = new_dentry->d_inode->i_security;
- new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
- rc = avc_has_perm(sid, new_isec->sid,
- new_isec->sclass,
- (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
- if (rc)
- return rc;
- }
- return 0;
- }
- /* Check whether a task can perform a filesystem operation. */
- static int superblock_has_perm(const struct cred *cred,
- struct super_block *sb,
- u32 perms,
- struct common_audit_data *ad)
- {
- struct superblock_security_struct *sbsec;
- u32 sid = cred_sid(cred);
- sbsec = sb->s_security;
- return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
- }
- /* Convert a Linux mode and permission mask to an access vector. */
- static inline u32 file_mask_to_av(int mode, int mask)
- {
- u32 av = 0;
- if ((mode & S_IFMT) != S_IFDIR) {
- if (mask & MAY_EXEC)
- av |= FILE__EXECUTE;
- if (mask & MAY_READ)
- av |= FILE__READ;
- if (mask & MAY_APPEND)
- av |= FILE__APPEND;
- else if (mask & MAY_WRITE)
- av |= FILE__WRITE;
- } else {
- if (mask & MAY_EXEC)
- av |= DIR__SEARCH;
- if (mask & MAY_WRITE)
- av |= DIR__WRITE;
- if (mask & MAY_READ)
- av |= DIR__READ;
- }
- return av;
- }
- /* Convert a Linux file to an access vector. */
- static inline u32 file_to_av(struct file *file)
- {
- u32 av = 0;
- if (file->f_mode & FMODE_READ)
- av |= FILE__READ;
- if (file->f_mode & FMODE_WRITE) {
- if (file->f_flags & O_APPEND)
- av |= FILE__APPEND;
- else
- av |= FILE__WRITE;
- }
- if (!av) {
- /*
- * Special file opened with flags 3 for ioctl-only use.
- */
- av = FILE__IOCTL;
- }
- return av;
- }
- /*
- * Convert a file to an access vector and include the correct open
- * open permission.
- */
- static inline u32 open_file_to_av(struct file *file)
- {
- u32 av = file_to_av(file);
- if (selinux_policycap_openperm)
- av |= FILE__OPEN;
- return av;
- }
- /* Hook functions begin here. */
- static int selinux_ptrace_access_check(struct task_struct *child,
- unsigned int mode)
- {
- int rc;
- rc = cap_ptrace_access_check(child, mode);
- if (rc)
- return rc;
- if (mode == PTRACE_MODE_READ) {
- u32 sid = current_sid();
- u32 csid = task_sid(child);
- return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
- }
- return current_has_perm(child, PROCESS__PTRACE);
- }
- static int selinux_ptrace_traceme(struct task_struct *parent)
- {
- int rc;
- rc = cap_ptrace_traceme(parent);
- if (rc)
- return rc;
- return task_has_perm(parent, current, PROCESS__PTRACE);
- }
- static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
- kernel_cap_t *inheritable, kernel_cap_t *permitted)
- {
- int error;
- error = current_has_perm(target, PROCESS__GETCAP);
- if (error)
- return error;
- return cap_capget(target, effective, inheritable, permitted);
- }
- static int selinux_capset(struct cred *new, const struct cred *old,
- const kernel_cap_t *effective,
- const kernel_cap_t *inheritable,
- const kernel_cap_t *permitted)
- {
- int error;
- error = cap_capset(new, old,
- effective, inheritable, permitted);
- if (error)
- return error;
- return cred_has_perm(old, new, PROCESS__SETCAP);
- }
- /*
- * (This comment used to live with the selinux_task_setuid hook,
- * which was removed).
- *
- * Since setuid only affects the current process, and since the SELinux
- * controls are not based on the Linux identity attributes, SELinux does not
- * need to control this operation. However, SELinux does control the use of
- * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
- */
- static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
- struct user_namespace *ns, int cap, int audit)
- {
- int rc;
- rc = cap_capable(tsk, cred, ns, cap, audit);
- if (rc)
- return rc;
- return task_has_capability(tsk, cred, cap, audit);
- }
- static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
- {
- const struct cred *cred = current_cred();
- int rc = 0;
- if (!sb)
- return 0;
- switch (cmds) {
- case Q_SYNC:
- case Q_QUOTAON:
- case Q_QUOTAOFF:
- case Q_SETINFO:
- case Q_SETQUOTA:
- rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
- break;
- case Q_GETFMT:
- case Q_GETINFO:
- case Q_GETQUOTA:
- rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
- break;
- default:
- rc = 0; /* let the kernel handle invalid cmds */
- break;
- }
- return rc;
- }
- static int selinux_quota_on(struct dentry *dentry)
- {
- const struct cred *cred = current_cred();
- return dentry_has_perm(cred, dentry, FILE__QUOTAON);
- }
- static int selinux_syslog(int type)
- {
- int rc;
- switch (type) {
- case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
- case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
- rc = task_has_system(current, SYSTEM__SYSLOG_READ);
- break;
- case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
- case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
- /* Set level of messages printed to console */
- case SYSLOG_ACTION_CONSOLE_LEVEL:
- rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
- break;
- case SYSLOG_ACTION_CLOSE: /* Close log */
- case SYSLOG_ACTION_OPEN: /* Open log */
- case SYSLOG_ACTION_READ: /* Read from log */
- case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
- case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
- default:
- rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
- break;
- }
- return rc;
- }
- /*
- * Check that a process has enough memory to allocate a new virtual
- * mapping. 0 means there is enough memory for the allocation to
- * succeed and -ENOMEM implies there is not.
- *
- * Do not audit the selinux permission check, as this is applied to all
- * processes that allocate mappings.
- */
- static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
- {
- int rc, cap_sys_admin = 0;
- rc = selinux_capable(current, current_cred(),
- &init_user_ns, CAP_SYS_ADMIN,
- SECURITY_CAP_NOAUDIT);
- if (rc == 0)
- cap_sys_admin = 1;
- return __vm_enough_memory(mm, pages, cap_sys_admin);
- }
- /* binprm security operations */
- static int selinux_bprm_set_creds(struct linux_binprm *bprm)
- {
- const struct task_security_struct *old_tsec;
- struct task_security_struct *new_tsec;
- struct inode_security_struct *isec;
- struct common_audit_data ad;
- struct inode *inode = bprm->file->f_path.dentry->d_inode;
- int rc;
- rc = cap_bprm_set_creds(bprm);
- if (rc)
- return rc;
- /* SELinux context only depends on initial program or script and not
- * the script interpreter */
- if (bprm->cred_prepared)
- return 0;
- old_tsec = current_security();
- new_tsec = bprm->cred->security;
- isec = inode->i_security;
- /* Default to the current task SID. */
- new_tsec->sid = old_tse…
Large files files are truncated, but you can click here to view the full file