X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=security%2Fselinux%2Fhooks.c;h=9fcb30dab94f3fb13b490db2c0822aef22b5321f;hb=43bc926fffd92024b46cafaf7350d669ba9ca884;hp=f844e402b53c2f76f64a90fb7831cb7bb96b03a3;hpb=c7b5ebbddf7bcd3651947760f423e3783bbe6573;p=linux-2.6.git diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f844e402b..9fcb30dab 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -10,6 +10,8 @@ * * Copyright (C) 2001,2002 Networks Associates Technology, Inc. * Copyright (C) 2003 Red Hat, Inc., James Morris + * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. + * * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2, @@ -64,15 +66,19 @@ #include #include #include +#include +#include +#include #include "avc.h" #include "objsec.h" #include "netif.h" +#include "xfrm.h" #define XATTR_SELINUX_SUFFIX "selinux" #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX -extern int policydb_loaded_version; +extern unsigned int policydb_loaded_version; extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); #ifdef CONFIG_SECURITY_SELINUX_DEVELOP @@ -95,6 +101,8 @@ static int __init selinux_enabled_setup(char *str) return 1; } __setup("selinux=", selinux_enabled_setup); +#else +int selinux_enabled = 1; #endif /* Original (dummy) security module. */ @@ -109,7 +117,35 @@ static struct security_operations *secondary_ops = NULL; /* Lists of inode and superblock security structures initialized before the policy was loaded. */ static LIST_HEAD(superblock_security_head); -static spinlock_t sb_security_lock = SPIN_LOCK_UNLOCKED; +static DEFINE_SPINLOCK(sb_security_lock); + +static kmem_cache_t *sel_inode_cache; + +/* Return security context for a given sid or just the context + length if the buffer is null or length is 0 */ +static int selinux_getsecurity(u32 sid, void *buffer, size_t size) +{ + char *context; + unsigned len; + int rc; + + rc = security_sid_to_context(sid, &context, &len); + if (rc) + return rc; + + if (!buffer || !size) + goto getsecurity_exit; + + if (size < len) { + len = -ERANGE; + goto getsecurity_exit; + } + memcpy(buffer, context, len); + +getsecurity_exit: + kfree(context); + return len; +} /* Allocate and free functions for each kind of security blob. */ @@ -117,12 +153,10 @@ static int task_alloc_security(struct task_struct *task) { struct task_security_struct *tsec; - tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL); + tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); if (!tsec) return -ENOMEM; - memset(tsec, 0, sizeof(struct task_security_struct)); - tsec->magic = SELINUX_MAGIC; tsec->task = task; tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED; task->security = tsec; @@ -133,10 +167,6 @@ static int task_alloc_security(struct task_struct *task) static void task_free_security(struct task_struct *task) { struct task_security_struct *tsec = task->security; - - if (!tsec || tsec->magic != SELINUX_MAGIC) - return; - task->security = NULL; kfree(tsec); } @@ -146,21 +176,17 @@ static int inode_alloc_security(struct inode *inode) struct task_security_struct *tsec = current->security; struct inode_security_struct *isec; - isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL); + isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL); if (!isec) return -ENOMEM; - memset(isec, 0, sizeof(struct inode_security_struct)); + memset(isec, 0, sizeof(*isec)); init_MUTEX(&isec->sem); INIT_LIST_HEAD(&isec->list); - isec->magic = SELINUX_MAGIC; isec->inode = inode; isec->sid = SECINITSID_UNLABELED; isec->sclass = SECCLASS_FILE; - if (tsec && tsec->magic == SELINUX_MAGIC) - isec->task_sid = tsec->sid; - else - isec->task_sid = SECINITSID_UNLABELED; + isec->task_sid = tsec->sid; inode->i_security = isec; return 0; @@ -171,16 +197,13 @@ static void inode_free_security(struct inode *inode) struct inode_security_struct *isec = inode->i_security; struct superblock_security_struct *sbsec = inode->i_sb->s_security; - if (!isec || isec->magic != SELINUX_MAGIC) - return; - spin_lock(&sbsec->isec_lock); if (!list_empty(&isec->list)) list_del_init(&isec->list); spin_unlock(&sbsec->isec_lock); inode->i_security = NULL; - kfree(isec); + kmem_cache_free(sel_inode_cache, isec); } static int file_alloc_security(struct file *file) @@ -188,20 +211,13 @@ static int file_alloc_security(struct file *file) struct task_security_struct *tsec = current->security; struct file_security_struct *fsec; - fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC); + fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); if (!fsec) return -ENOMEM; - memset(fsec, 0, sizeof(struct file_security_struct)); - fsec->magic = SELINUX_MAGIC; fsec->file = file; - if (tsec && tsec->magic == SELINUX_MAGIC) { - fsec->sid = tsec->sid; - fsec->fown_sid = tsec->sid; - } else { - fsec->sid = SECINITSID_UNLABELED; - fsec->fown_sid = SECINITSID_UNLABELED; - } + fsec->sid = tsec->sid; + fsec->fown_sid = tsec->sid; file->f_security = fsec; return 0; @@ -210,10 +226,6 @@ static int file_alloc_security(struct file *file) static void file_free_security(struct file *file) { struct file_security_struct *fsec = file->f_security; - - if (!fsec || fsec->magic != SELINUX_MAGIC) - return; - file->f_security = NULL; kfree(fsec); } @@ -222,16 +234,14 @@ static int superblock_alloc_security(struct super_block *sb) { struct superblock_security_struct *sbsec; - sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); + sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); if (!sbsec) return -ENOMEM; - memset(sbsec, 0, sizeof(struct superblock_security_struct)); init_MUTEX(&sbsec->sem); INIT_LIST_HEAD(&sbsec->list); INIT_LIST_HEAD(&sbsec->isec_head); spin_lock_init(&sbsec->isec_lock); - sbsec->magic = SELINUX_MAGIC; sbsec->sb = sb; sbsec->sid = SECINITSID_UNLABELED; sbsec->def_sid = SECINITSID_FILE; @@ -244,9 +254,6 @@ static void superblock_free_security(struct super_block *sb) { struct superblock_security_struct *sbsec = sb->s_security; - if (!sbsec || sbsec->magic != SELINUX_MAGIC) - return; - spin_lock(&sb_security_lock); if (!list_empty(&sbsec->list)) list_del_init(&sbsec->list); @@ -256,20 +263,17 @@ static void superblock_free_security(struct super_block *sb) kfree(sbsec); } -#ifdef CONFIG_SECURITY_NETWORK -static int sk_alloc_security(struct sock *sk, int family, int priority) +static int sk_alloc_security(struct sock *sk, int family, gfp_t priority) { struct sk_security_struct *ssec; if (family != PF_UNIX) return 0; - ssec = kmalloc(sizeof(*ssec), priority); + ssec = kzalloc(sizeof(*ssec), priority); if (!ssec) return -ENOMEM; - memset(ssec, 0, sizeof(*ssec)); - ssec->magic = SELINUX_MAGIC; ssec->sk = sk; ssec->peer_sid = SECINITSID_UNLABELED; sk->sk_security = ssec; @@ -281,13 +285,12 @@ static void sk_free_security(struct sock *sk) { struct sk_security_struct *ssec = sk->sk_security; - if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC) + if (sk->sk_family != PF_UNIX) return; sk->sk_security = NULL; kfree(ssec); } -#endif /* CONFIG_SECURITY_NETWORK */ /* The security server must be initialized before any labeling or access decisions can be provided. */ @@ -386,13 +389,6 @@ static int try_context_mount(struct super_block *sb, void *data) break; case Opt_fscontext: - if (sbsec->behavior != SECURITY_FS_USE_XATTR) { - rc = -EINVAL; - printk(KERN_WARNING "SELinux: " - "fscontext option is invalid for" - " this filesystem type\n"); - goto out_free; - } if (seen & (Opt_context|Opt_fscontext)) { rc = -EINVAL; printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); @@ -454,12 +450,12 @@ static int try_context_mount(struct super_block *sb, void *data) } rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, - FILESYSTEM__RELABELFROM, NULL, NULL); + FILESYSTEM__RELABELFROM, NULL); if (rc) goto out_free; rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, - FILESYSTEM__RELABELTO, NULL, NULL); + FILESYSTEM__RELABELTO, NULL); if (rc) goto out_free; @@ -482,12 +478,12 @@ static int try_context_mount(struct super_block *sb, void *data) goto out_free; rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, - FILESYSTEM__RELABELFROM, NULL, NULL); + FILESYSTEM__RELABELFROM, NULL); if (rc) goto out_free; rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, - FILESYSTEM__ASSOCIATE, NULL, NULL); + FILESYSTEM__ASSOCIATE, NULL); if (rc) goto out_free; @@ -595,7 +591,8 @@ next_inode: spin_unlock(&sbsec->isec_lock); inode = igrab(inode); if (inode) { - inode_doinit(inode); + if (!IS_PRIVATE (inode)) + inode_doinit(inode); iput(inode); } spin_lock(&sbsec->isec_lock); @@ -631,33 +628,52 @@ static inline u16 inode_mode_to_security_class(umode_t mode) return SECCLASS_FILE; } +static inline int default_protocol_stream(int protocol) +{ + return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); +} + +static inline int default_protocol_dgram(int protocol) +{ + return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); +} + static inline u16 socket_type_to_security_class(int family, int type, int protocol) { switch (family) { case PF_UNIX: switch (type) { case SOCK_STREAM: + case SOCK_SEQPACKET: return SECCLASS_UNIX_STREAM_SOCKET; case SOCK_DGRAM: return SECCLASS_UNIX_DGRAM_SOCKET; } + break; case PF_INET: case PF_INET6: switch (type) { case SOCK_STREAM: - return SECCLASS_TCP_SOCKET; + if (default_protocol_stream(protocol)) + return SECCLASS_TCP_SOCKET; + else + return SECCLASS_RAWIP_SOCKET; case SOCK_DGRAM: - return SECCLASS_UDP_SOCKET; - case SOCK_RAW: + if (default_protocol_dgram(protocol)) + return SECCLASS_UDP_SOCKET; + else + return SECCLASS_RAWIP_SOCKET; + default: return SECCLASS_RAWIP_SOCKET; } + break; case PF_NETLINK: switch (protocol) { case NETLINK_ROUTE: return SECCLASS_NETLINK_ROUTE_SOCKET; case NETLINK_FIREWALL: return SECCLASS_NETLINK_FIREWALL_SOCKET; - case NETLINK_TCPDIAG: + case NETLINK_INET_DIAG: return SECCLASS_NETLINK_TCPDIAG_SOCKET; case NETLINK_NFLOG: return SECCLASS_NETLINK_NFLOG_SOCKET; @@ -671,6 +687,8 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc return SECCLASS_NETLINK_IP6FW_SOCKET; case NETLINK_DNRTMSG: return SECCLASS_NETLINK_DNRT_SOCKET; + case NETLINK_KOBJECT_UEVENT: + return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; default: return SECCLASS_NETLINK_SOCKET; } @@ -822,14 +840,17 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent sid = sbsec->def_sid; rc = 0; } else { - rc = security_context_to_sid(context, rc, &sid); + rc = security_context_to_sid_default(context, rc, &sid, + sbsec->def_sid); if (rc) { printk(KERN_WARNING "%s: context_to_sid(%s) " "returned %d for dev=%s ino=%ld\n", __FUNCTION__, context, -rc, inode->i_sb->s_id, inode->i_ino); kfree(context); - goto out; + /* Leave with the unlabeled SID */ + rc = 0; + break; } } kfree(context); @@ -874,18 +895,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent isec->initialized = 1; out: - if (inode->i_sock) { - struct socket *sock = SOCKET_I(inode); - if (sock->sk) { - isec->sclass = socket_type_to_security_class(sock->sk->sk_family, - sock->sk->sk_type, - sock->sk->sk_protocol); - } else { - isec->sclass = SECCLASS_SOCKET; - } - } else { + if (isec->sclass == SECCLASS_FILE) isec->sclass = inode_mode_to_security_class(inode->i_mode); - } if (hold_sem) up(&isec->sem); @@ -921,21 +932,21 @@ static inline u32 signal_to_av(int sig) /* Check permission betweeen a pair of tasks, e.g. signal checks, fork check, ptrace check, etc. */ -int task_has_perm(struct task_struct *tsk1, - struct task_struct *tsk2, - u32 perms) +static int task_has_perm(struct task_struct *tsk1, + struct task_struct *tsk2, + u32 perms) { struct task_security_struct *tsec1, *tsec2; tsec1 = tsk1->security; tsec2 = tsk2->security; return avc_has_perm(tsec1->sid, tsec2->sid, - SECCLASS_PROCESS, perms, &tsec2->avcr, NULL); + SECCLASS_PROCESS, perms, NULL); } /* Check whether a task is allowed to use a capability. */ -int task_has_capability(struct task_struct *tsk, - int cap) +static int task_has_capability(struct task_struct *tsk, + int cap) { struct task_security_struct *tsec; struct avc_audit_data ad; @@ -947,31 +958,28 @@ int task_has_capability(struct task_struct *tsk, ad.u.cap = cap; return avc_has_perm(tsec->sid, tsec->sid, - SECCLASS_CAPABILITY, CAP_TO_MASK(cap), NULL, &ad); + SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad); } /* Check whether a task is allowed to use a system operation. */ -int task_has_system(struct task_struct *tsk, - u32 perms) +static int task_has_system(struct task_struct *tsk, + u32 perms) { struct task_security_struct *tsec; tsec = tsk->security; return avc_has_perm(tsec->sid, SECINITSID_KERNEL, - SECCLASS_SYSTEM, perms, NULL, NULL); + SECCLASS_SYSTEM, perms, NULL); } /* Check whether a task has a particular permission to an inode. - The 'aeref' parameter is optional and allows other AVC - entry references to be passed (e.g. the one in the struct file). The 'adp' parameter is optional and allows other audit data to be passed (e.g. the dentry). */ -int inode_has_perm(struct task_struct *tsk, - struct inode *inode, - u32 perms, - struct avc_entry_ref *aeref, - struct avc_audit_data *adp) +static int inode_has_perm(struct task_struct *tsk, + struct inode *inode, + u32 perms, + struct avc_audit_data *adp) { struct task_security_struct *tsec; struct inode_security_struct *isec; @@ -986,8 +994,7 @@ int inode_has_perm(struct task_struct *tsk, ad.u.fs.inode = inode; } - return avc_has_perm(tsec->sid, isec->sid, isec->sclass, - perms, aeref ? aeref : &isec->avcr, adp); + return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp); } /* Same as inode_has_perm, but pass explicit audit data containing @@ -1003,7 +1010,7 @@ static inline int dentry_has_perm(struct task_struct *tsk, AVC_AUDIT_DATA_INIT(&ad,FS); ad.u.fs.mnt = mnt; ad.u.fs.dentry = dentry; - return inode_has_perm(tsk, inode, av, NULL, &ad); + return inode_has_perm(tsk, inode, av, &ad); } /* Check whether a task can use an open file descriptor to @@ -1014,7 +1021,7 @@ static inline int dentry_has_perm(struct task_struct *tsk, has the same SID as the process. If av is zero, then access to the file is not checked, e.g. for cases where only the descriptor is affected like seek. */ -static inline int file_has_perm(struct task_struct *tsk, +static int file_has_perm(struct task_struct *tsk, struct file *file, u32 av) { @@ -1034,14 +1041,14 @@ static inline int file_has_perm(struct task_struct *tsk, rc = avc_has_perm(tsec->sid, fsec->sid, SECCLASS_FD, FD__USE, - &fsec->avcr, &ad); + &ad); if (rc) return rc; } /* av is zero if only checking access to the descriptor. */ if (av) - return inode_has_perm(tsk, inode, av, &fsec->inode_avcr, &ad); + return inode_has_perm(tsk, inode, av, &ad); return 0; } @@ -1067,7 +1074,7 @@ static int may_create(struct inode *dir, rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, DIR__ADD_NAME | DIR__SEARCH, - &dsec->avcr, &ad); + &ad); if (rc) return rc; @@ -1080,13 +1087,13 @@ static int may_create(struct inode *dir, return rc; } - rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, NULL, &ad); + rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad); if (rc) return rc; return avc_has_perm(newsid, sbsec->sid, SECCLASS_FILESYSTEM, - FILESYSTEM__ASSOCIATE, NULL, &ad); + FILESYSTEM__ASSOCIATE, &ad); } #define MAY_LINK 0 @@ -1114,8 +1121,7 @@ static int may_link(struct inode *dir, av = DIR__SEARCH; av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); - rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, - av, &dsec->avcr, &ad); + rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad); if (rc) return rc; @@ -1134,8 +1140,7 @@ static int may_link(struct inode *dir, return 0; } - rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, - av, &isec->avcr, &ad); + rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad); return rc; } @@ -1161,21 +1166,16 @@ static inline int may_rename(struct inode *old_dir, ad.u.fs.dentry = old_dentry; rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR, - DIR__REMOVE_NAME | DIR__SEARCH, - &old_dsec->avcr, &ad); + DIR__REMOVE_NAME | DIR__SEARCH, &ad); if (rc) return rc; rc = avc_has_perm(tsec->sid, old_isec->sid, - old_isec->sclass, - FILE__RENAME, - &old_isec->avcr, &ad); + old_isec->sclass, FILE__RENAME, &ad); if (rc) return rc; if (old_is_dir && new_dir != old_dir) { rc = avc_has_perm(tsec->sid, old_isec->sid, - old_isec->sclass, - DIR__REPARENT, - &old_isec->avcr, &ad); + old_isec->sclass, DIR__REPARENT, &ad); if (rc) return rc; } @@ -1184,8 +1184,7 @@ static inline int may_rename(struct inode *old_dir, av = DIR__ADD_NAME | DIR__SEARCH; if (new_dentry->d_inode) av |= DIR__REMOVE_NAME; - rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, - av,&new_dsec->avcr, &ad); + rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad); if (rc) return rc; if (new_dentry->d_inode) { @@ -1193,8 +1192,7 @@ static inline int may_rename(struct inode *old_dir, new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode); rc = avc_has_perm(tsec->sid, new_isec->sid, new_isec->sclass, - (new_is_dir ? DIR__RMDIR : FILE__UNLINK), - &new_isec->avcr, &ad); + (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); if (rc) return rc; } @@ -1203,10 +1201,10 @@ static inline int may_rename(struct inode *old_dir, } /* Check whether a task can perform a filesystem operation. */ -int superblock_has_perm(struct task_struct *tsk, - struct super_block *sb, - u32 perms, - struct avc_audit_data *ad) +static int superblock_has_perm(struct task_struct *tsk, + struct super_block *sb, + u32 perms, + struct avc_audit_data *ad) { struct task_security_struct *tsec; struct superblock_security_struct *sbsec; @@ -1214,7 +1212,7 @@ int superblock_has_perm(struct task_struct *tsk, tsec = tsk->security; sbsec = sb->s_security; return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, - perms, NULL, ad); + perms, ad); } /* Convert a Linux mode and permission mask to an access vector. */ @@ -1263,7 +1261,7 @@ static inline u32 file_to_av(struct file *file) } /* Set an inode's SID to a specified value. */ -int inode_security_set_sid(struct inode *inode, u32 sid) +static int inode_security_set_sid(struct inode *inode, u32 sid) { struct inode_security_struct *isec = inode->i_security; struct superblock_security_struct *sbsec = inode->i_sb->s_security; @@ -1281,85 +1279,6 @@ int inode_security_set_sid(struct inode *inode, u32 sid) return 0; } -/* Set the security attributes on a newly created file. */ -static int post_create(struct inode *dir, - struct dentry *dentry) -{ - - struct task_security_struct *tsec; - struct inode *inode; - struct inode_security_struct *dsec; - struct superblock_security_struct *sbsec; - u32 newsid; - char *context; - unsigned int len; - int rc; - - tsec = current->security; - dsec = dir->i_security; - sbsec = dir->i_sb->s_security; - - inode = dentry->d_inode; - if (!inode) { - /* Some file system types (e.g. NFS) may not instantiate - a dentry for all create operations (e.g. symlink), - so we have to check to see if the inode is non-NULL. */ - printk(KERN_WARNING "post_create: no inode, dir (dev=%s, " - "ino=%ld)\n", dir->i_sb->s_id, dir->i_ino); - return 0; - } - - if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { - newsid = tsec->create_sid; - } else { - rc = security_transition_sid(tsec->sid, dsec->sid, - inode_mode_to_security_class(inode->i_mode), - &newsid); - if (rc) { - printk(KERN_WARNING "post_create: " - "security_transition_sid failed, rc=%d (dev=%s " - "ino=%ld)\n", - -rc, inode->i_sb->s_id, inode->i_ino); - return rc; - } - } - - rc = inode_security_set_sid(inode, newsid); - if (rc) { - printk(KERN_WARNING "post_create: inode_security_set_sid " - "failed, rc=%d (dev=%s ino=%ld)\n", - -rc, inode->i_sb->s_id, inode->i_ino); - return rc; - } - - if (sbsec->behavior == SECURITY_FS_USE_XATTR && - inode->i_op->setxattr) { - /* Use extended attributes. */ - rc = security_sid_to_context(newsid, &context, &len); - if (rc) { - printk(KERN_WARNING "post_create: sid_to_context " - "failed, rc=%d (dev=%s ino=%ld)\n", - -rc, inode->i_sb->s_id, inode->i_ino); - return rc; - } - down(&inode->i_sem); - rc = inode->i_op->setxattr(dentry, - XATTR_NAME_SELINUX, - context, len, 0); - up(&inode->i_sem); - kfree(context); - if (rc < 0) { - printk(KERN_WARNING "post_create: setxattr failed, " - "rc=%d (dev=%s ino=%ld)\n", - -rc, inode->i_sb->s_id, inode->i_ino); - return rc; - } - } - - return 0; -} - - /* Hook functions begin here. */ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) @@ -1374,7 +1293,7 @@ static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) rc = task_has_perm(parent, child, PROCESS__PTRACE); /* Save the SID of the tracing process for later use in apply_creds. */ - if (!rc) + if (!(child->ptrace & PT_PTRACED) && !rc) csec->ptrace_sid = psec->sid; return rc; } @@ -1406,12 +1325,6 @@ static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effect static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted) { - int error; - - error = task_has_perm(current, target, PROCESS__SETCAP); - if (error) - return; - secondary_ops->capset_set(target, effective, inheritable, permitted); } @@ -1451,7 +1364,7 @@ static int selinux_sysctl(ctl_table *table, int op) * a bad coupling between this module and sysctl.c */ if(op == 001) { error = avc_has_perm(tsec->sid, tsid, - SECCLASS_DIR, DIR__SEARCH, NULL, NULL); + SECCLASS_DIR, DIR__SEARCH, NULL); } else { av = 0; if (op & 004) @@ -1460,7 +1373,7 @@ static int selinux_sysctl(ctl_table *table, int op) av |= FILE__WRITE; if (av) error = avc_has_perm(tsec->sid, tsid, - SECCLASS_FILE, av, NULL, NULL); + SECCLASS_FILE, av, NULL); } return error; @@ -1497,9 +1410,9 @@ static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) return rc; } -static int selinux_quota_on(struct file *f) +static int selinux_quota_on(struct dentry *dentry) { - return file_has_perm(current, f, FILE__QUOTAON); + return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON); } static int selinux_syslog(int type) @@ -1537,70 +1450,29 @@ static int selinux_syslog(int type) * mapping. 0 means there is enough memory for the allocation to * succeed and -ENOMEM implies there is not. * - * We currently support three overcommit policies, which are set via the - * vm.overcommit_memory sysctl. See Documentation/vm/overcommit-accounting + * Note that secondary_ops->capable and task_has_perm_noaudit return 0 + * if the capability is granted, but __vm_enough_memory requires 1 if + * the capability is granted. * - * Strict overcommit modes added 2002 Feb 26 by Alan Cox. - * Additional code 2002 Jul 20 by Robert Love. + * Do not audit the selinux permission check, as this is applied to all + * processes that allocate mappings. */ static int selinux_vm_enough_memory(long pages) { - unsigned long free, allowed; - int rc; + int rc, cap_sys_admin = 0; struct task_security_struct *tsec = current->security; - vm_acct_memory(pages); - - /* - * Sometimes we want to use more memory than we have - */ - if (sysctl_overcommit_memory == OVERCOMMIT_ALWAYS) - return 0; + rc = secondary_ops->capable(current, CAP_SYS_ADMIN); + if (rc == 0) + rc = avc_has_perm_noaudit(tsec->sid, tsec->sid, + SECCLASS_CAPABILITY, + CAP_TO_MASK(CAP_SYS_ADMIN), + NULL); - if (sysctl_overcommit_memory == OVERCOMMIT_GUESS) { - free = get_page_cache_size(); - free += nr_free_pages(); - free += nr_swap_pages; + if (rc == 0) + cap_sys_admin = 1; - /* - * Any slabs which are created with the - * SLAB_RECLAIM_ACCOUNT flag claim to have contents - * which are reclaimable, under pressure. The dentry - * cache and most inode caches should fall into this - */ - free += atomic_read(&slab_reclaim_pages); - - /* - * Leave the last 3% for privileged processes. - * Don't audit the check, as it is applied to all processes - * that allocate mappings. - */ - rc = secondary_ops->capable(current, CAP_SYS_ADMIN); - if (!rc) { - rc = avc_has_perm_noaudit(tsec->sid, tsec->sid, - SECCLASS_CAPABILITY, - CAP_TO_MASK(CAP_SYS_ADMIN), - NULL, NULL); - } - if (rc) - free -= free / 32; - - if (free > pages) - return 0; - vm_unacct_memory(pages); - return -ENOMEM; - } - - allowed = (totalram_pages - hugetlb_total_pages()) - * sysctl_overcommit_ratio / 100; - allowed += total_swap_pages; - - if (atomic_read(&vm_committed_space) < allowed) - return 0; - - vm_unacct_memory(pages); - - return -ENOMEM; + return __vm_enough_memory(pages, cap_sys_admin); } /* binprm security operations */ @@ -1609,12 +1481,10 @@ static int selinux_bprm_alloc_security(struct linux_binprm *bprm) { struct bprm_security_struct *bsec; - bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL); + bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL); if (!bsec) return -ENOMEM; - memset(bsec, 0, sizeof *bsec); - bsec->magic = SELINUX_MAGIC; bsec->bprm = bprm; bsec->sid = SECINITSID_UNLABELED; bsec->set = 0; @@ -1672,22 +1542,18 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) if (tsec->sid == newsid) { rc = avc_has_perm(tsec->sid, isec->sid, - SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, - &isec->avcr, &ad); + SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); if (rc) return rc; } else { /* Check permissions for the transition. */ rc = avc_has_perm(tsec->sid, newsid, - SECCLASS_PROCESS, PROCESS__TRANSITION, - NULL, - &ad); + SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); if (rc) return rc; rc = avc_has_perm(newsid, isec->sid, - SECCLASS_FILE, FILE__ENTRYPOINT, - &isec->avcr, &ad); + SECCLASS_FILE, FILE__ENTRYPOINT, &ad); if (rc) return rc; @@ -1719,7 +1585,7 @@ static int selinux_bprm_secureexec (struct linux_binprm *bprm) the two SIDs, i.e. ahp returns 0. */ atsecure = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, - PROCESS__NOATSECURE, NULL, NULL); + PROCESS__NOATSECURE, NULL); } return (atsecure || secondary_ops->bprm_secureexec(bprm)); @@ -1727,9 +1593,8 @@ static int selinux_bprm_secureexec (struct linux_binprm *bprm) static void selinux_bprm_free_security(struct linux_binprm *bprm) { - struct bprm_security_struct *bsec = bprm->security; + kfree(bprm->security); bprm->security = NULL; - kfree(bsec); } extern struct vfsmount *selinuxfs_mount; @@ -1741,11 +1606,12 @@ static inline void flush_unauthorized_files(struct files_struct * files) struct avc_audit_data ad; struct file *file, *devnull = NULL; struct tty_struct *tty = current->signal->tty; + struct fdtable *fdt; long j = -1; if (tty) { file_list_lock(); - file = list_entry(tty->tty_files.next, typeof(*file), f_list); + file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list); if (file) { /* Revalidate access to controlling tty. Use inode_has_perm on the tty inode directly rather @@ -1754,8 +1620,7 @@ static inline void flush_unauthorized_files(struct files_struct * files) interested in the inode-based check here. */ struct inode *inode = file->f_dentry->d_inode; if (inode_has_perm(current, inode, - FILE__READ | FILE__WRITE, - NULL, NULL)) { + FILE__READ | FILE__WRITE, NULL)) { /* Reset controlling tty. */ current->signal->tty = NULL; current->signal->tty_old_pgrp = 0; @@ -1775,9 +1640,10 @@ static inline void flush_unauthorized_files(struct files_struct * files) j++; i = j * __NFDBITS; - if (i >= files->max_fds || i >= files->max_fdset) + fdt = files_fdtable(files); + if (i >= fdt->max_fds || i >= fdt->max_fdset) break; - set = files->open_fds->fds_bits[j]; + set = fdt->open_fds->fds_bits[j]; if (!set) continue; spin_unlock(&files->file_lock); @@ -1798,7 +1664,7 @@ static inline void flush_unauthorized_files(struct files_struct * files) continue; } if (devnull) { - atomic_inc(&devnull->f_count); + get_file(devnull); } else { devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR); if (!devnull) { @@ -1823,10 +1689,7 @@ static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) struct task_security_struct *tsec; struct bprm_security_struct *bsec; u32 sid; - struct av_decision avd; - struct itimerval itimer; - struct rlimit *rlim, *initrlim; - int rc, i; + int rc; secondary_ops->bprm_apply_creds(bprm, unsafe); @@ -1836,93 +1699,108 @@ static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) sid = bsec->sid; tsec->osid = tsec->sid; + bsec->unsafe = 0; if (tsec->sid != sid) { /* Check for shared state. If not ok, leave SID unchanged and kill. */ if (unsafe & LSM_UNSAFE_SHARE) { - rc = avc_has_perm_noaudit(tsec->sid, sid, - SECCLASS_PROCESS, PROCESS__SHARE, - NULL, &avd); + rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, + PROCESS__SHARE, NULL); if (rc) { - task_unlock(current); - avc_audit(tsec->sid, sid, SECCLASS_PROCESS, - PROCESS__SHARE, &avd, rc, NULL); - force_sig_specific(SIGKILL, current); - goto lock_out; + bsec->unsafe = 1; + return; } } /* Check for ptracing, and update the task SID if ok. Otherwise, leave SID unchanged and kill. */ if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { - rc = avc_has_perm_noaudit(tsec->ptrace_sid, sid, + rc = avc_has_perm(tsec->ptrace_sid, sid, SECCLASS_PROCESS, PROCESS__PTRACE, - NULL, &avd); - if (!rc) - tsec->sid = sid; - task_unlock(current); - avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS, - PROCESS__PTRACE, &avd, rc, NULL); + NULL); if (rc) { - force_sig_specific(SIGKILL, current); - goto lock_out; + bsec->unsafe = 1; + return; } - } else { - tsec->sid = sid; - task_unlock(current); - } - - /* Close files for which the new task SID is not authorized. */ - flush_unauthorized_files(current->files); - - /* Check whether the new SID can inherit signal state - from the old SID. If not, clear itimers to avoid - subsequent signal generation and flush and unblock - signals. This must occur _after_ the task SID has - been updated so that any kill done after the flush - will be checked against the new SID. */ - rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, - PROCESS__SIGINH, NULL, NULL); - if (rc) { - memset(&itimer, 0, sizeof itimer); - for (i = 0; i < 3; i++) - do_setitimer(i, &itimer, NULL); - flush_signals(current); - spin_lock_irq(¤t->sighand->siglock); - flush_signal_handlers(current, 1); - sigemptyset(¤t->blocked); - recalc_sigpending(); - spin_unlock_irq(¤t->sighand->siglock); } + tsec->sid = sid; + } +} - /* Check whether the new SID can inherit resource limits - from the old SID. If not, reset all soft limits to - the lower of the current task's hard limit and the init - task's soft limit. Note that the setting of hard limits - (even to lower them) can be controlled by the setrlimit - check. The inclusion of the init task's soft limit into - the computation is to avoid resetting soft limits higher - than the default soft limit for cases where the default - is lower than the hard limit, e.g. RLIMIT_CORE or - RLIMIT_STACK.*/ - rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, - PROCESS__RLIMITINH, NULL, NULL); - if (rc) { - for (i = 0; i < RLIM_NLIMITS; i++) { - rlim = current->rlim + i; - initrlim = init_task.rlim+i; - rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur); - } - } +/* + * called after apply_creds without the task lock held + */ +static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm) +{ + struct task_security_struct *tsec; + struct rlimit *rlim, *initrlim; + struct itimerval itimer; + struct bprm_security_struct *bsec; + int rc, i; - /* Wake up the parent if it is waiting so that it can - recheck wait permission to the new task SID. */ - wake_up_interruptible(¤t->parent->wait_chldexit); + tsec = current->security; + bsec = bprm->security; -lock_out: - task_lock(current); + if (bsec->unsafe) { + force_sig_specific(SIGKILL, current); return; } + if (tsec->osid == tsec->sid) + return; + + /* Close files for which the new task SID is not authorized. */ + flush_unauthorized_files(current->files); + + /* Check whether the new SID can inherit signal state + from the old SID. If not, clear itimers to avoid + subsequent signal generation and flush and unblock + signals. This must occur _after_ the task SID has + been updated so that any kill done after the flush + will be checked against the new SID. */ + rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, + PROCESS__SIGINH, NULL); + if (rc) { + memset(&itimer, 0, sizeof itimer); + for (i = 0; i < 3; i++) + do_setitimer(i, &itimer, NULL); + flush_signals(current); + spin_lock_irq(¤t->sighand->siglock); + flush_signal_handlers(current, 1); + sigemptyset(¤t->blocked); + recalc_sigpending(); + spin_unlock_irq(¤t->sighand->siglock); + } + + /* Check whether the new SID can inherit resource limits + from the old SID. If not, reset all soft limits to + the lower of the current task's hard limit and the init + task's soft limit. Note that the setting of hard limits + (even to lower them) can be controlled by the setrlimit + check. The inclusion of the init task's soft limit into + the computation is to avoid resetting soft limits higher + than the default soft limit for cases where the default + is lower than the hard limit, e.g. RLIMIT_CORE or + RLIMIT_STACK.*/ + rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, + PROCESS__RLIMITINH, NULL); + if (rc) { + for (i = 0; i < RLIM_NLIMITS; i++) { + rlim = current->signal->rlim + i; + initrlim = init_task.signal->rlim+i; + rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur); + } + if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) { + /* + * This will cause RLIMIT_CPU calculations + * to be refigured. + */ + current->it_prof_expires = jiffies_to_cputime(1); + } + } + + /* Wake up the parent if it is waiting so that it can + recheck wait permission to the new task SID. */ + wake_up_interruptible(¤t->parent->signal->wait_chldexit); } /* superblock security operations */ @@ -2002,7 +1880,8 @@ static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void } } while (*in_end++); - copy_page(in_save, nosec_save); + strcpy(in_save, nosec_save); + free_page((unsigned long)nosec_save); out: return rc; } @@ -2074,14 +1953,65 @@ static void selinux_inode_free_security(struct inode *inode) inode_free_security(inode); } -static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask) +static int selinux_inode_init_security(struct inode *inode, struct inode *dir, + char **name, void **value, + size_t *len) { - return may_create(dir, dentry, SECCLASS_FILE); + struct task_security_struct *tsec; + struct inode_security_struct *dsec; + struct superblock_security_struct *sbsec; + u32 newsid, clen; + int rc; + char *namep = NULL, *context; + + tsec = current->security; + dsec = dir->i_security; + sbsec = dir->i_sb->s_security; + + if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) { + newsid = tsec->create_sid; + } else { + rc = security_transition_sid(tsec->sid, dsec->sid, + inode_mode_to_security_class(inode->i_mode), + &newsid); + if (rc) { + printk(KERN_WARNING "%s: " + "security_transition_sid failed, rc=%d (dev=%s " + "ino=%ld)\n", + __FUNCTION__, + -rc, inode->i_sb->s_id, inode->i_ino); + return rc; + } + } + + inode_security_set_sid(inode, newsid); + + if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) + return -EOPNOTSUPP; + + if (name) { + namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL); + if (!namep) + return -ENOMEM; + *name = namep; + } + + if (value && len) { + rc = security_sid_to_context(newsid, &context, &clen); + if (rc) { + kfree(namep); + return rc; + } + *value = context; + *len = clen; + } + + return 0; } -static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask) +static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask) { - post_create(dir, dentry); + return may_create(dir, dentry, SECCLASS_FILE); } static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) @@ -2094,11 +2024,6 @@ static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, stru return may_link(dir, old_dentry, MAY_LINK); } -static void selinux_inode_post_link(struct dentry *old_dentry, struct inode *inode, struct dentry *new_dentry) -{ - return; -} - static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) { int rc; @@ -2114,21 +2039,11 @@ static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const return may_create(dir, dentry, SECCLASS_LNK_FILE); } -static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name) -{ - post_create(dir, dentry); -} - static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask) { return may_create(dir, dentry, SECCLASS_DIR); } -static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask) -{ - post_create(dir, dentry); -} - static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) { return may_link(dir, dentry, MAY_RMDIR); @@ -2145,23 +2060,12 @@ static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mod return may_create(dir, dentry, inode_mode_to_security_class(mode)); } -static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) -{ - post_create(dir, dentry); -} - static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, struct inode *new_inode, struct dentry *new_dentry) { return may_rename(old_inode, old_dentry, new_inode, new_dentry); } -static void selinux_inode_post_rename(struct inode *old_inode, struct dentry *old_dentry, - struct inode *new_inode, struct dentry *new_dentry) -{ - return; -} - static int selinux_inode_readlink(struct dentry *dentry) { return dentry_has_perm(current, NULL, dentry, FILE__READ); @@ -2192,7 +2096,7 @@ static int selinux_inode_permission(struct inode *inode, int mask, } return inode_has_perm(current, inode, - file_mask_to_av(inode->i_mode, mask), NULL, NULL); + file_mask_to_av(inode->i_mode, mask), NULL); } static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) @@ -2203,6 +2107,9 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) if (rc) return rc; + if (iattr->ia_valid & ATTR_FORCE) + return 0; + if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | ATTR_ATIME_SET | ATTR_MTIME_SET)) return dentry_has_perm(current, NULL, dentry, FILE__SETATTR); @@ -2243,12 +2150,14 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) return -EOPNOTSUPP; + if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER)) + return -EPERM; + AVC_AUDIT_DATA_INIT(&ad,FS); ad.u.fs.dentry = dentry; rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, - FILE__RELABELFROM, - &isec->avcr, &ad); + FILE__RELABELFROM, &ad); if (rc) return rc; @@ -2257,7 +2166,12 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value return rc; rc = avc_has_perm(tsec->sid, newsid, isec->sclass, - FILE__RELABELTO, NULL, &ad); + FILE__RELABELTO, &ad); + if (rc) + return rc; + + rc = security_validate_transition(isec->sid, newsid, tsec->sid, + isec->sclass); if (rc) return rc; @@ -2265,7 +2179,6 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value sbsec->sid, SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, - NULL, &ad); } @@ -2295,12 +2208,6 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, char *name, static int selinux_inode_getxattr (struct dentry *dentry, char *name) { - struct inode *inode = dentry->d_inode; - struct superblock_security_struct *sbsec = inode->i_sb->s_security; - - if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) - return -EOPNOTSUPP; - return dentry_has_perm(current, NULL, dentry, FILE__GETATTR); } @@ -2331,40 +2238,31 @@ static int selinux_inode_removexattr (struct dentry *dentry, char *name) return -EACCES; } -static int selinux_inode_getsecurity(struct dentry *dentry, const char *name, void *buffer, size_t size) +static const char *selinux_inode_xattr_getsuffix(void) { - struct inode *inode = dentry->d_inode; - struct inode_security_struct *isec = inode->i_security; - char *context; - unsigned len; - int rc; + return XATTR_SELINUX_SUFFIX; +} - /* Permission check handled by selinux_inode_getxattr hook.*/ +/* + * Copy the in-core inode security context value to the user. If the + * getxattr() prior to this succeeded, check to see if we need to + * canonicalize the value to be finally returned to the user. + * + * Permission check is handled by selinux_inode_getxattr hook. + */ +static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err) +{ + struct inode_security_struct *isec = inode->i_security; if (strcmp(name, XATTR_SELINUX_SUFFIX)) return -EOPNOTSUPP; - rc = security_sid_to_context(isec->sid, &context, &len); - if (rc) - return rc; - - if (!buffer || !size) { - kfree(context); - return len; - } - if (size < len) { - kfree(context); - return -ERANGE; - } - memcpy(buffer, context, len); - kfree(context); - return len; + return selinux_getsecurity(isec->sid, buffer, size); } -static int selinux_inode_setsecurity(struct dentry *dentry, const char *name, +static int selinux_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) { - struct inode *inode = dentry->d_inode; struct inode_security_struct *isec = inode->i_security; u32 newsid; int rc; @@ -2383,10 +2281,10 @@ static int selinux_inode_setsecurity(struct dentry *dentry, const char *name, return 0; } -static int selinux_inode_listsecurity(struct dentry *dentry, char *buffer) +static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) { const int len = sizeof(XATTR_NAME_SELINUX); - if (buffer) + if (buffer && len <= buffer_size) memcpy(buffer, XATTR_NAME_SELINUX, len); return len; } @@ -2468,6 +2366,17 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd, static int file_map_prot_check(struct file *file, unsigned long prot, int shared) { + if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { + /* + * We are making executable an anonymous mapping or a + * private file mapping that will also be writable. + * This has an additional check. + */ + int rc = task_has_perm(current, current, PROCESS__EXECMEM); + if (rc) + return rc; + } + if (file) { /* read access is always possible with a mapping */ u32 av = FILE__READ; @@ -2484,27 +2393,60 @@ static int file_map_prot_check(struct file *file, unsigned long prot, int shared return 0; } -static int selinux_file_mmap(struct file *file, unsigned long prot, unsigned long flags) +static int selinux_file_mmap(struct file *file, unsigned long reqprot, + unsigned long prot, unsigned long flags) { int rc; - rc = secondary_ops->file_mmap(file, prot, flags); + rc = secondary_ops->file_mmap(file, reqprot, prot, flags); if (rc) return rc; + if (selinux_checkreqprot) + prot = reqprot; + return file_map_prot_check(file, prot, (flags & MAP_TYPE) == MAP_SHARED); } static int selinux_file_mprotect(struct vm_area_struct *vma, + unsigned long reqprot, unsigned long prot) { int rc; - rc = secondary_ops->file_mprotect(vma, prot); + rc = secondary_ops->file_mprotect(vma, reqprot, prot); if (rc) return rc; + if (selinux_checkreqprot) + prot = reqprot; + + if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { + rc = 0; + if (vma->vm_start >= vma->vm_mm->start_brk && + vma->vm_end <= vma->vm_mm->brk) { + rc = task_has_perm(current, current, + PROCESS__EXECHEAP); + } else if (!vma->vm_file && + vma->vm_start <= vma->vm_mm->start_stack && + vma->vm_end >= vma->vm_mm->start_stack) { + rc = task_has_perm(current, current, PROCESS__EXECSTACK); + } else if (vma->vm_file && vma->anon_vma) { + /* + * We are making executable a file mapping that has + * had some COW done. Since pages might have been + * written, check ability to execute the possibly + * modified content. This typically should only + * occur for text relocations. + */ + rc = file_has_perm(current, vma->vm_file, + FILE__EXECMOD); + } + if (rc) + return rc; + } + return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); } @@ -2570,8 +2512,7 @@ static int selinux_file_set_fowner(struct file *file) } static int selinux_file_send_sigiotask(struct task_struct *tsk, - struct fown_struct *fown, - int fd, int reason) + struct fown_struct *fown, int signum) { struct file *file; u32 perm; @@ -2584,13 +2525,13 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk, tsec = tsk->security; fsec = file->f_security; - if (!fown->signum) + if (!signum) perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ else - perm = signal_to_av(fown->signum); + perm = signal_to_av(signum); return avc_has_perm(fsec->fown_sid, tsec->sid, - SECCLASS_PROCESS, perm, NULL, NULL); + SECCLASS_PROCESS, perm, NULL); } static int selinux_file_receive(struct file *file) @@ -2699,7 +2640,7 @@ static int selinux_task_setnice(struct task_struct *p, int nice) static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) { - struct rlimit *old_rlim = current->rlim + resource; + struct rlimit *old_rlim = current->signal->rlim + resource; int rc; rc = secondary_ops->task_setrlimit(resource, new_rlim); @@ -2718,17 +2659,7 @@ static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp) { - struct task_security_struct *tsec1, *tsec2; - - tsec1 = current->security; - tsec2 = p->security; - - /* No auditing from the setscheduler hook, since the runqueue lock - is held and the system will deadlock if we try to log an audit - message. */ - return avc_has_perm_noaudit(tsec1->sid, tsec2->sid, - SECCLASS_PROCESS, PROCESS__SETSCHED, - &tsec2->avcr, NULL); + return task_has_perm(current, p, PROCESS__SETSCHED); } static int selinux_task_getscheduler(struct task_struct *p) @@ -2745,8 +2676,7 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int si if (rc) return rc; - if (info && ((unsigned long)info == 1 || - (unsigned long)info == 2 || SI_FROMKERNEL(info))) + if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info))) return 0; if (!sig) @@ -2801,8 +2731,6 @@ static void selinux_task_to_inode(struct task_struct *p, return; } -#ifdef CONFIG_SECURITY_NETWORK - /* Returns error only if unable to parse addresses */ static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad) { @@ -2882,8 +2810,7 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad nexthdr = ip6->nexthdr; offset += sizeof(_ipv6h); - offset = ipv6_skip_exthdr(skb, offset, &nexthdr, - skb->tail - skb->head - offset); + offset = ipv6_skip_exthdr(skb, offset, &nexthdr); if (offset < 0) goto out; @@ -2971,8 +2898,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock, AVC_AUDIT_DATA_INIT(&ad,NET); ad.u.net.sk = sock->sk; - err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, - perms, &isec->avcr, &ad); + err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); out: return err; @@ -2990,7 +2916,7 @@ static int selinux_socket_create(int family, int type, tsec = current->security; err = avc_has_perm(tsec->sid, tsec->sid, socket_type_to_security_class(family, type, - protocol), SOCKET__CREATE, NULL, NULL); + protocol), SOCKET__CREATE, NULL); out: return err; @@ -2999,18 +2925,15 @@ out: static void selinux_socket_post_create(struct socket *sock, int family, int type, int protocol, int kern) { - int err; struct inode_security_struct *isec; struct task_security_struct *tsec; - err = inode_doinit(SOCK_INODE(sock)); - if (err < 0) - return; isec = SOCK_INODE(sock)->i_security; tsec = current->security; isec->sclass = socket_type_to_security_class(family, type, protocol); isec->sid = kern ? SECINITSID_KERNEL : tsec->sid; + isec->initialized = 1; return; } @@ -3032,6 +2955,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in /* * If PF_INET or PF_INET6, check name_bind permission for the port. + * Multiple address binding for SCTP is not supported yet: we just + * check the first address now. */ family = sock->sk->sk_family; if (family == PF_INET || family == PF_INET6) { @@ -3071,17 +2996,17 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in ad.u.net.family = family; err = avc_has_perm(isec->sid, sid, isec->sclass, - SOCKET__NAME_BIND, NULL, &ad); + SOCKET__NAME_BIND, &ad); if (err) goto out; } - switch(sk->sk_protocol) { - case IPPROTO_TCP: + switch(isec->sclass) { + case SECCLASS_TCP_SOCKET: node_perm = TCP_SOCKET__NODE_BIND; break; - case IPPROTO_UDP: + case SECCLASS_UDP_SOCKET: node_perm = UDP_SOCKET__NODE_BIND; break; @@ -3104,7 +3029,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr); err = avc_has_perm(isec->sid, sid, - isec->sclass, node_perm, NULL, &ad); + isec->sclass, node_perm, &ad); if (err) goto out; } @@ -3114,7 +3039,53 @@ out: static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) { - return socket_has_perm(current, sock, SOCKET__CONNECT); + struct inode_security_struct *isec; + int err; + + err = socket_has_perm(current, sock, SOCKET__CONNECT); + if (err) + return err; + + /* + * If a TCP socket, check name_connect permission for the port. + */ + isec = SOCK_INODE(sock)->i_security; + if (isec->sclass == SECCLASS_TCP_SOCKET) { + struct sock *sk = sock->sk; + struct avc_audit_data ad; + struct sockaddr_in *addr4 = NULL; + struct sockaddr_in6 *addr6 = NULL; + unsigned short snum; + u32 sid; + + if (sk->sk_family == PF_INET) { + addr4 = (struct sockaddr_in *)address; + if (addrlen < sizeof(struct sockaddr_in)) + return -EINVAL; + snum = ntohs(addr4->sin_port); + } else { + addr6 = (struct sockaddr_in6 *)address; + if (addrlen < SIN6_LEN_RFC2133) + return -EINVAL; + snum = ntohs(addr6->sin6_port); + } + + err = security_port_sid(sk->sk_family, sk->sk_type, + sk->sk_protocol, snum, &sid); + if (err) + goto out; + + AVC_AUDIT_DATA_INIT(&ad,NET); + ad.u.net.dport = htons(snum); + ad.u.net.family = sk->sk_family; + err = avc_has_perm(isec->sid, sid, isec->sclass, + TCP_SOCKET__NAME_CONNECT, &ad); + if (err) + goto out; + } + +out: + return err; } static int selinux_socket_listen(struct socket *sock, int backlog) @@ -3132,14 +3103,12 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock) if (err) return err; - err = inode_doinit(SOCK_INODE(newsock)); - if (err < 0) - return err; newisec = SOCK_INODE(newsock)->i_security; isec = SOCK_INODE(sock)->i_security; newisec->sclass = isec->sclass; newisec->sid = isec->sid; + newisec->initialized = 1; return 0; } @@ -3204,8 +3173,7 @@ static int selinux_socket_unix_stream_connect(struct socket *sock, err = avc_has_perm(isec->sid, other_isec->sid, isec->sclass, - UNIX_STREAM_SOCKET__CONNECTTO, - &other_isec->avcr, &ad); + UNIX_STREAM_SOCKET__CONNECTTO, &ad); if (err) return err; @@ -3235,9 +3203,7 @@ static int selinux_socket_unix_may_send(struct socket *sock, ad.u.net.sk = other->sk; err = avc_has_perm(isec->sid, other_isec->sid, - isec->sclass, - SOCKET__SENDTO, - &other_isec->avcr, &ad); + isec->sclass, SOCKET__SENDTO, &ad); if (err) return err; @@ -3249,13 +3215,11 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) u16 family; char *addrp; int len, err = 0; - u32 netif_perm, node_perm, node_sid, recv_perm = 0; + u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0; u32 sock_sid = 0; u16 sock_class = 0; struct socket *sock; struct net_device *dev; - struct sel_netif *netif; - struct netif_security_struct *nsec; struct avc_audit_data ad; family = sk->sk_family; @@ -3263,7 +3227,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) goto out; /* Handle mapped IPv4 packets arriving via IPv6 sockets */ - if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP)) + if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) family = PF_INET; read_lock_bh(&sk->sk_callback_lock); @@ -3286,13 +3250,9 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) if (!dev) goto out; - netif = sel_netif_lookup(dev); - if (IS_ERR(netif)) { - err = PTR_ERR(netif); + err = sel_netif_sids(dev, &if_sid, NULL); + if (err) goto out; - } - - nsec = &netif->nsec; switch (sock_class) { case SECCLASS_UDP_SOCKET: @@ -3318,14 +3278,10 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) ad.u.net.family = family; err = selinux_parse_skb(skb, &ad, &addrp, &len, 1); - if (err) { - sel_netif_put(netif); + if (err) goto out; - } - err = avc_has_perm(sock_sid, nsec->if_sid, SECCLASS_NETIF, - netif_perm, &nsec->avcr, &ad); - sel_netif_put(netif); + err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad); if (err) goto out; @@ -3334,7 +3290,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) if (err) goto out; - err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, NULL, &ad); + err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad); if (err) goto out; @@ -3348,31 +3304,49 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) if (err) goto out; - err = avc_has_perm(sock_sid, port_sid, sock_class, - recv_perm, NULL, &ad); + err = avc_has_perm(sock_sid, port_sid, + sock_class, recv_perm, &ad); } + + if (!err) + err = selinux_xfrm_sock_rcv_skb(sock_sid, skb); + out: return err; } -static int selinux_socket_getpeersec(struct socket *sock, char __user *optval, - int __user *optlen, unsigned len) +static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, + int __user *optlen, unsigned len) { int err = 0; char *scontext; u32 scontext_len; struct sk_security_struct *ssec; struct inode_security_struct *isec; + u32 peer_sid = 0; isec = SOCK_INODE(sock)->i_security; - if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) { + + /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */ + if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) { + ssec = sock->sk->sk_security; + peer_sid = ssec->peer_sid; + } + else if (isec->sclass == SECCLASS_TCP_SOCKET) { + peer_sid = selinux_socket_getpeer_stream(sock->sk); + + if (peer_sid == SECSID_NULL) { + err = -ENOPROTOOPT; + goto out; + } + } + else { err = -ENOPROTOOPT; goto out; } - ssec = sock->sk->sk_security; - - err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len); + err = security_sid_to_context(peer_sid, &scontext, &scontext_len); + if (err) goto out; @@ -3393,7 +3367,24 @@ out: return err; } -static int selinux_sk_alloc_security(struct sock *sk, int family, int priority) +static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen) +{ + int err = 0; + u32 peer_sid = selinux_socket_getpeer_dgram(skb); + + if (peer_sid == SECSID_NULL) + return -EINVAL; + + err = security_sid_to_context(peer_sid, secdata, seclen); + if (err) + return err; + + return 0; +} + + + +static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) { return sk_alloc_security(sk, family, priority); } @@ -3403,6 +3394,24 @@ static void selinux_sk_free_security(struct sock *sk) sk_free_security(sk); } +static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir) +{ + struct inode_security_struct *isec; + u32 sock_sid = SECINITSID_ANY_SOCKET; + + if (!sk) + return selinux_no_sk_sid(fl); + + read_lock_bh(&sk->sk_callback_lock); + isec = get_sock_isec(sk); + + if (isec) + sock_sid = isec->sid; + + read_unlock_bh(&sk->sk_callback_lock); + return sock_sid; +} + static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) { int err = 0; @@ -3419,6 +3428,15 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); if (err) { + if (err == -EINVAL) { + audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR, + "SELinux: unrecognized netlink message" + " type=%hu for sclass=%hu\n", + nlh->nlmsg_type, isec->sclass); + if (!selinux_enforcing) + err = 0; + } + /* Ignore */ if (err == -ENOENT) err = 0; @@ -3441,13 +3459,11 @@ static unsigned int selinux_ip_postroute_last(unsigned int hooknum, { char *addrp; int len, err = NF_ACCEPT; - u32 netif_perm, node_perm, node_sid, send_perm = 0; + u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0; struct sock *sk; struct socket *sock; struct inode *inode; - struct sel_netif *netif; struct sk_buff *skb = *pskb; - struct netif_security_struct *nsec; struct inode_security_struct *isec; struct avc_audit_data ad; struct net_device *dev = (struct net_device *)out; @@ -3464,13 +3480,10 @@ static unsigned int selinux_ip_postroute_last(unsigned int hooknum, if (!inode) goto out; - netif = sel_netif_lookup(dev); - if (IS_ERR(netif)) { - err = NF_DROP; + err = sel_netif_sids(dev, &if_sid, NULL); + if (err) goto out; - } - - nsec = &netif->nsec; + isec = inode->i_security; switch (isec->sclass) { @@ -3499,14 +3512,11 @@ static unsigned int selinux_ip_postroute_last(unsigned int hooknum, err = selinux_parse_skb(skb, &ad, &addrp, &len, 0) ? NF_DROP : NF_ACCEPT; - if (err != NF_ACCEPT) { - sel_netif_put(netif); + if (err != NF_ACCEPT) goto out; - } - err = avc_has_perm(isec->sid, nsec->if_sid, SECCLASS_NETIF, - netif_perm, &nsec->avcr, &ad) ? NF_DROP : NF_ACCEPT; - sel_netif_put(netif); + err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, + netif_perm, &ad) ? NF_DROP : NF_ACCEPT; if (err != NF_ACCEPT) goto out; @@ -3517,7 +3527,7 @@ static unsigned int selinux_ip_postroute_last(unsigned int hooknum, goto out; err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, - node_perm, NULL, &ad) ? NF_DROP : NF_ACCEPT; + node_perm, &ad) ? NF_DROP : NF_ACCEPT; if (err != NF_ACCEPT) goto out; @@ -3534,9 +3544,14 @@ static unsigned int selinux_ip_postroute_last(unsigned int hooknum, goto out; err = avc_has_perm(isec->sid, port_sid, isec->sclass, - send_perm, NULL, &ad) ? NF_DROP : NF_ACCEPT; + send_perm, &ad) ? NF_DROP : NF_ACCEPT; } + if (err != NF_ACCEPT) + goto out; + + err = selinux_xfrm_postroute_last(isec->sid, skb); + out: return err; } @@ -3565,23 +3580,22 @@ static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum, #endif /* CONFIG_NETFILTER */ -#else - -static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) +static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) { - return 0; -} + struct task_security_struct *tsec; + struct av_decision avd; + int err; -#endif /* CONFIG_SECURITY_NETWORK */ + err = secondary_ops->netlink_send(sk, skb); + if (err) + return err; -static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) -{ - int err = 0; + tsec = current->security; - if (capable(CAP_NET_ADMIN)) - cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN); - else - NETLINK_CB(skb).eff_cap = 0; + avd.allowed = 0; + avc_has_perm_noaudit(tsec->sid, tsec->sid, + SECCLASS_CAPABILITY, ~0, &avd); + cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed); if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS) err = selinux_nlmsg_perm(sk, skb); @@ -3603,19 +3617,13 @@ static int ipc_alloc_security(struct task_struct *task, struct task_security_struct *tsec = task->security; struct ipc_security_struct *isec; - isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); + isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); if (!isec) return -ENOMEM; - memset(isec, 0, sizeof(struct ipc_security_struct)); - isec->magic = SELINUX_MAGIC; isec->sclass = sclass; isec->ipc_perm = perm; - if (tsec) { - isec->sid = tsec->sid; - } else { - isec->sid = SECINITSID_UNLABELED; - } + isec->sid = tsec->sid; perm->security = isec; return 0; @@ -3624,9 +3632,6 @@ static int ipc_alloc_security(struct task_struct *task, static void ipc_free_security(struct kern_ipc_perm *perm) { struct ipc_security_struct *isec = perm->security; - if (!isec || isec->magic != SELINUX_MAGIC) - return; - perm->security = NULL; kfree(isec); } @@ -3635,12 +3640,10 @@ static int msg_msg_alloc_security(struct msg_msg *msg) { struct msg_security_struct *msec; - msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL); + msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); if (!msec) return -ENOMEM; - memset(msec, 0, sizeof(struct msg_security_struct)); - msec->magic = SELINUX_MAGIC; msec->msg = msg; msec->sid = SECINITSID_UNLABELED; msg->security = msec; @@ -3651,15 +3654,13 @@ static int msg_msg_alloc_security(struct msg_msg *msg) static void msg_msg_free_security(struct msg_msg *msg) { struct msg_security_struct *msec = msg->security; - if (!msec || msec->magic != SELINUX_MAGIC) - return; msg->security = NULL; kfree(msec); } static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, - u16 sclass, u32 perms) + u32 perms) { struct task_security_struct *tsec; struct ipc_security_struct *isec; @@ -3671,8 +3672,7 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, AVC_AUDIT_DATA_INIT(&ad, IPC); ad.u.ipc_id = ipc_perms->key; - return avc_has_perm(tsec->sid, isec->sid, sclass, - perms, &isec->avcr, &ad); + return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad); } static int selinux_msg_msg_alloc_security(struct msg_msg *msg) @@ -3704,7 +3704,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq) ad.u.ipc_id = msq->q_perm.key; rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, - MSGQ__CREATE, &isec->avcr, &ad); + MSGQ__CREATE, &ad); if (rc) { ipc_free_security(&msq->q_perm); return rc; @@ -3730,7 +3730,7 @@ static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) ad.u.ipc_id = msq->q_perm.key; return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, - MSGQ__ASSOCIATE, &isec->avcr, &ad); + MSGQ__ASSOCIATE, &ad); } static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) @@ -3757,7 +3757,7 @@ static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) return 0; } - err = ipc_has_perm(&msq->q_perm, SECCLASS_MSGQ, perms); + err = ipc_has_perm(&msq->q_perm, perms); return err; } @@ -3794,17 +3794,15 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, /* Can this process write to the queue? */ rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ, - MSGQ__WRITE, &isec->avcr, &ad); + MSGQ__WRITE, &ad); if (!rc) /* Can this process send the message */ rc = avc_has_perm(tsec->sid, msec->sid, - SECCLASS_MSG, MSG__SEND, - &msec->avcr, &ad); + SECCLASS_MSG, MSG__SEND, &ad); if (!rc) /* Can the message be put in the queue? */ rc = avc_has_perm(msec->sid, isec->sid, - SECCLASS_MSGQ, MSGQ__ENQUEUE, - &isec->avcr, &ad); + SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad); return rc; } @@ -3827,12 +3825,10 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, ad.u.ipc_id = msq->q_perm.key; rc = avc_has_perm(tsec->sid, isec->sid, - SECCLASS_MSGQ, MSGQ__READ, - &isec->avcr, &ad); + SECCLASS_MSGQ, MSGQ__READ, &ad); if (!rc) rc = avc_has_perm(tsec->sid, msec->sid, - SECCLASS_MSG, MSG__RECEIVE, - &msec->avcr, &ad); + SECCLASS_MSG, MSG__RECEIVE, &ad); return rc; } @@ -3855,7 +3851,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp) ad.u.ipc_id = shp->shm_perm.key; rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, - SHM__CREATE, &isec->avcr, &ad); + SHM__CREATE, &ad); if (rc) { ipc_free_security(&shp->shm_perm); return rc; @@ -3881,7 +3877,7 @@ static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) ad.u.ipc_id = shp->shm_perm.key; return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM, - SHM__ASSOCIATE, &isec->avcr, &ad); + SHM__ASSOCIATE, &ad); } /* Note, at this point, shp is locked down */ @@ -3913,7 +3909,7 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) return 0; } - err = ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms); + err = ipc_has_perm(&shp->shm_perm, perms); return err; } @@ -3932,7 +3928,7 @@ static int selinux_shm_shmat(struct shmid_kernel *shp, else perms = SHM__READ | SHM__WRITE; - return ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms); + return ipc_has_perm(&shp->shm_perm, perms); } /* Semaphore security operations */ @@ -3954,7 +3950,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma) ad.u.ipc_id = sma->sem_perm.key; rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, - SEM__CREATE, &isec->avcr, &ad); + SEM__CREATE, &ad); if (rc) { ipc_free_security(&sma->sem_perm); return rc; @@ -3980,7 +3976,7 @@ static int selinux_sem_associate(struct sem_array *sma, int semflg) ad.u.ipc_id = sma->sem_perm.key; return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM, - SEM__ASSOCIATE, &isec->avcr, &ad); + SEM__ASSOCIATE, &ad); } /* Note, at this point, sma is locked down */ @@ -4021,7 +4017,7 @@ static int selinux_sem_semctl(struct sem_array *sma, int cmd) return 0; } - err = ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms); + err = ipc_has_perm(&sma->sem_perm, perms); return err; } @@ -4035,18 +4031,13 @@ static int selinux_sem_semop(struct sem_array *sma, else perms = SEM__READ; - return ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms); + return ipc_has_perm(&sma->sem_perm, perms); } static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) { - struct ipc_security_struct *isec = ipcp->security; - u16 sclass = SECCLASS_IPC; u32 av = 0; - if (isec && isec->magic == SELINUX_MAGIC) - sclass = isec->sclass; - av = 0; if (flag & S_IRUGO) av |= IPC__UNIX_READ; @@ -4056,11 +4047,11 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) if (av == 0) return 0; - return ipc_has_perm(ipcp, sclass, av); + return ipc_has_perm(ipcp, av); } /* module stacking operations */ -int selinux_register_security (const char *name, struct security_operations *ops) +static int selinux_register_security (const char *name, struct security_operations *ops) { if (secondary_ops != original_ops) { printk(KERN_INFO "%s: There is already a secondary security " @@ -4077,7 +4068,7 @@ int selinux_register_security (const char *name, struct security_operations *ops return 0; } -int selinux_unregister_security (const char *name, struct security_operations *ops) +static int selinux_unregister_security (const char *name, struct security_operations *ops) { if (ops != secondary_ops) { printk (KERN_INFO "%s: trying to unregister a security module " @@ -4100,8 +4091,7 @@ static int selinux_getprocattr(struct task_struct *p, char *name, void *value, size_t size) { struct task_security_struct *tsec; - u32 sid, len; - char *context; + u32 sid; int error; if (current != p) { @@ -4110,9 +4100,6 @@ static int selinux_getprocattr(struct task_struct *p, return error; } - if (!size) - return -ERANGE; - tsec = p->security; if (!strcmp(name, "current")) @@ -4129,16 +4116,7 @@ static int selinux_getprocattr(struct task_struct *p, if (!sid) return 0; - error = security_sid_to_context(sid, &context, &len); - if (error) - return error; - if (len > size) { - kfree(context); - return -ERANGE; - } - memcpy(value, context, len); - kfree(context); - return len; + return selinux_getsecurity(sid, value, size); } static int selinux_setprocattr(struct task_struct *p, @@ -4147,11 +4125,11 @@ static int selinux_setprocattr(struct task_struct *p, struct task_security_struct *tsec; u32 sid = 0; int error; + char *str = value; - if (current != p || !strcmp(name, "current")) { + if (current != p) { /* SELinux only allows a process to change its own - security attributes, and it only allows the process - current SID to change via exec. */ + security attributes. */ return -EACCES; } @@ -4164,14 +4142,19 @@ static int selinux_setprocattr(struct task_struct *p, error = task_has_perm(current, p, PROCESS__SETEXEC); else if (!strcmp(name, "fscreate")) error = task_has_perm(current, p, PROCESS__SETFSCREATE); + else if (!strcmp(name, "current")) + error = task_has_perm(current, p, PROCESS__SETCURRENT); else error = -EINVAL; if (error) return error; /* Obtain a SID for the context, if one was specified. */ - if (size) { - int error; + if (size && str[1] && str[1] != '\n') { + if (str[size-1] == '\n') { + str[size-1] = 0; + size--; + } error = security_context_to_sid(value, size, &sid); if (error) return error; @@ -4188,13 +4171,58 @@ static int selinux_setprocattr(struct task_struct *p, tsec->exec_sid = sid; else if (!strcmp(name, "fscreate")) tsec->create_sid = sid; + else if (!strcmp(name, "current")) { + struct av_decision avd; + + if (sid == 0) + return -EINVAL; + + /* Only allow single threaded processes to change context */ + if (atomic_read(&p->mm->mm_users) != 1) { + struct task_struct *g, *t; + struct mm_struct *mm = p->mm; + read_lock(&tasklist_lock); + do_each_thread(g, t) + if (t->mm == mm && t != p) { + read_unlock(&tasklist_lock); + return -EPERM; + } + while_each_thread(g, t); + read_unlock(&tasklist_lock); + } + + /* Check permissions for the transition. */ + error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, + PROCESS__DYNTRANSITION, NULL); + if (error) + return error; + + /* Check for ptracing, and update the task SID if ok. + Otherwise, leave SID unchanged and fail. */ + task_lock(p); + if (p->ptrace & PT_PTRACED) { + error = avc_has_perm_noaudit(tsec->ptrace_sid, sid, + SECCLASS_PROCESS, + PROCESS__PTRACE, &avd); + if (!error) + tsec->sid = sid; + task_unlock(p); + avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS, + PROCESS__PTRACE, &avd, error, NULL); + if (error) + return error; + } else { + tsec->sid = sid; + task_unlock(p); + } + } else return -EINVAL; return size; } -struct security_operations selinux_ops = { +static struct security_operations selinux_ops = { .ptrace = selinux_ptrace, .capget = selinux_capget, .capset_check = selinux_capset_check, @@ -4212,6 +4240,7 @@ struct security_operations selinux_ops = { .bprm_alloc_security = selinux_bprm_alloc_security, .bprm_free_security = selinux_bprm_free_security, .bprm_apply_creds = selinux_bprm_apply_creds, + .bprm_post_apply_creds = selinux_bprm_post_apply_creds, .bprm_set_security = selinux_bprm_set_security, .bprm_check_security = selinux_bprm_check_security, .bprm_secureexec = selinux_bprm_secureexec, @@ -4226,20 +4255,15 @@ struct security_operations selinux_ops = { .inode_alloc_security = selinux_inode_alloc_security, .inode_free_security = selinux_inode_free_security, + .inode_init_security = selinux_inode_init_security, .inode_create = selinux_inode_create, - .inode_post_create = selinux_inode_post_create, .inode_link = selinux_inode_link, - .inode_post_link = selinux_inode_post_link, .inode_unlink = selinux_inode_unlink, .inode_symlink = selinux_inode_symlink, - .inode_post_symlink = selinux_inode_post_symlink, .inode_mkdir = selinux_inode_mkdir, - .inode_post_mkdir = selinux_inode_post_mkdir, .inode_rmdir = selinux_inode_rmdir, .inode_mknod = selinux_inode_mknod, - .inode_post_mknod = selinux_inode_post_mknod, .inode_rename = selinux_inode_rename, - .inode_post_rename = selinux_inode_post_rename, .inode_readlink = selinux_inode_readlink, .inode_follow_link = selinux_inode_follow_link, .inode_permission = selinux_inode_permission, @@ -4250,6 +4274,7 @@ struct security_operations selinux_ops = { .inode_getxattr = selinux_inode_getxattr, .inode_listxattr = selinux_inode_listxattr, .inode_removexattr = selinux_inode_removexattr, + .inode_xattr_getsuffix = selinux_inode_xattr_getsuffix, .inode_getsecurity = selinux_inode_getsecurity, .inode_setsecurity = selinux_inode_setsecurity, .inode_listsecurity = selinux_inode_listsecurity, @@ -4318,7 +4343,6 @@ struct security_operations selinux_ops = { .getprocattr = selinux_getprocattr, .setprocattr = selinux_setprocattr, -#ifdef CONFIG_SECURITY_NETWORK .unix_stream_connect = selinux_socket_unix_stream_connect, .unix_may_send = selinux_socket_unix_may_send, @@ -4336,13 +4360,23 @@ struct security_operations selinux_ops = { .socket_setsockopt = selinux_socket_setsockopt, .socket_shutdown = selinux_socket_shutdown, .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb, - .socket_getpeersec = selinux_socket_getpeersec, + .socket_getpeersec_stream = selinux_socket_getpeersec_stream, + .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram, .sk_alloc_security = selinux_sk_alloc_security, .sk_free_security = selinux_sk_free_security, + .sk_getsid = selinux_sk_getsid_security, + +#ifdef CONFIG_SECURITY_NETWORK_XFRM + .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, + .xfrm_policy_clone_security = selinux_xfrm_policy_clone, + .xfrm_policy_free_security = selinux_xfrm_policy_free, + .xfrm_state_alloc_security = selinux_xfrm_state_alloc, + .xfrm_state_free_security = selinux_xfrm_state_free, + .xfrm_policy_lookup = selinux_xfrm_policy_lookup, #endif }; -__init int selinux_init(void) +static __init int selinux_init(void) { struct task_security_struct *tsec; @@ -4359,6 +4393,9 @@ __init int selinux_init(void) tsec = current->security; tsec->osid = tsec->sid = SECINITSID_KERNEL; + sel_inode_cache = kmem_cache_create("selinux_inode_security", + sizeof(struct inode_security_struct), + 0, SLAB_PANIC, NULL, NULL); avc_init(); original_ops = secondary_ops = security_ops; @@ -4381,6 +4418,7 @@ void selinux_complete_init(void) /* Set up any superblocks initialized prior to the policy load. */ printk(KERN_INFO "SELinux: Setting up existing superblocks.\n"); + spin_lock(&sb_lock); spin_lock(&sb_security_lock); next_sb: if (!list_empty(&superblock_security_head)) { @@ -4389,26 +4427,27 @@ next_sb: struct superblock_security_struct, list); struct super_block *sb = sbsec->sb; - spin_lock(&sb_lock); sb->s_count++; - spin_unlock(&sb_lock); spin_unlock(&sb_security_lock); + spin_unlock(&sb_lock); down_read(&sb->s_umount); if (sb->s_root) superblock_doinit(sb, NULL); drop_super(sb); + spin_lock(&sb_lock); spin_lock(&sb_security_lock); list_del_init(&sbsec->list); goto next_sb; } spin_unlock(&sb_security_lock); + spin_unlock(&sb_lock); } /* SELinux requires early initialization in order to label all processes and objects when they are created. */ security_initcall(selinux_init); -#if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER) +#if defined(CONFIG_NETFILTER) static struct nf_hook_ops selinux_ipv4_op = { .hook = selinux_ipv4_postroute_last, @@ -4450,6 +4489,7 @@ static int __init selinux_nf_ip_init(void) panic("SELinux: nf_register_hook for IPv6: error %d\n", err); #endif /* IPV6 */ + out: return err; } @@ -4468,13 +4508,13 @@ static void selinux_nf_ip_exit(void) } #endif -#else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */ +#else /* CONFIG_NETFILTER */ #ifdef CONFIG_SECURITY_SELINUX_DISABLE #define selinux_nf_ip_exit() #endif -#endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */ +#endif /* CONFIG_NETFILTER */ #ifdef CONFIG_SECURITY_SELINUX_DISABLE int selinux_disable(void) @@ -4495,6 +4535,7 @@ int selinux_disable(void) printk(KERN_INFO "SELinux: Disabled at runtime.\n"); selinux_disabled = 1; + selinux_enabled = 0; /* Reset security_ops to the secondary module, dummy or capability. */ security_ops = secondary_ops;