2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul.moore@hp.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/file.h>
43 #include <linux/fdtable.h>
44 #include <linux/namei.h>
45 #include <linux/mount.h>
46 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78 #include <linux/posix-timers.h>
89 #define XATTR_SELINUX_SUFFIX "selinux"
90 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
92 #define NUM_SEL_MNT_OPTS 4
94 extern unsigned int policydb_loaded_version;
95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96 extern int selinux_compat_net;
97 extern struct security_operations *security_ops;
99 /* SECMARK reference count */
100 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing;
105 static int __init enforcing_setup(char *str)
107 unsigned long enforcing;
108 if (!strict_strtoul(str, 0, &enforcing))
109 selinux_enforcing = enforcing ? 1 : 0;
112 __setup("enforcing=", enforcing_setup);
115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118 static int __init selinux_enabled_setup(char *str)
120 unsigned long enabled;
121 if (!strict_strtoul(str, 0, &enabled))
122 selinux_enabled = enabled ? 1 : 0;
125 __setup("selinux=", selinux_enabled_setup);
127 int selinux_enabled = 1;
132 * Minimal support for a secondary security module,
133 * just to allow the use of the capability module.
135 static struct security_operations *secondary_ops;
137 /* Lists of inode and superblock security structures initialized
138 before the policy was loaded. */
139 static LIST_HEAD(superblock_security_head);
140 static DEFINE_SPINLOCK(sb_security_lock);
142 static struct kmem_cache *sel_inode_cache;
145 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
148 * This function checks the SECMARK reference counter to see if any SECMARK
149 * targets are currently configured, if the reference counter is greater than
150 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
151 * enabled, false (0) if SECMARK is disabled.
154 static int selinux_secmark_enabled(void)
156 return (atomic_read(&selinux_secmark_refcount) > 0);
160 * initialise the security for the init task
162 static void cred_init_security(void)
164 struct cred *cred = (struct cred *) current->real_cred;
165 struct task_security_struct *tsec;
167 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
169 panic("SELinux: Failed to initialize initial task.\n");
171 tsec->osid = tsec->sid = SECINITSID_KERNEL;
172 cred->security = tsec;
176 * get the security ID of a set of credentials
178 static inline u32 cred_sid(const struct cred *cred)
180 const struct task_security_struct *tsec;
182 tsec = cred->security;
187 * get the objective security ID of a task
189 static inline u32 task_sid(const struct task_struct *task)
194 sid = cred_sid(__task_cred(task));
200 * get the subjective security ID of the current task
202 static inline u32 current_sid(void)
204 const struct task_security_struct *tsec = current_cred()->security;
209 /* Allocate and free functions for each kind of security blob. */
211 static int inode_alloc_security(struct inode *inode)
213 struct inode_security_struct *isec;
214 u32 sid = current_sid();
216 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
220 mutex_init(&isec->lock);
221 INIT_LIST_HEAD(&isec->list);
223 isec->sid = SECINITSID_UNLABELED;
224 isec->sclass = SECCLASS_FILE;
225 isec->task_sid = sid;
226 inode->i_security = isec;
231 static void inode_free_security(struct inode *inode)
233 struct inode_security_struct *isec = inode->i_security;
234 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
236 spin_lock(&sbsec->isec_lock);
237 if (!list_empty(&isec->list))
238 list_del_init(&isec->list);
239 spin_unlock(&sbsec->isec_lock);
241 inode->i_security = NULL;
242 kmem_cache_free(sel_inode_cache, isec);
245 static int file_alloc_security(struct file *file)
247 struct file_security_struct *fsec;
248 u32 sid = current_sid();
250 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
255 fsec->fown_sid = sid;
256 file->f_security = fsec;
261 static void file_free_security(struct file *file)
263 struct file_security_struct *fsec = file->f_security;
264 file->f_security = NULL;
268 static int superblock_alloc_security(struct super_block *sb)
270 struct superblock_security_struct *sbsec;
272 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
276 mutex_init(&sbsec->lock);
277 INIT_LIST_HEAD(&sbsec->list);
278 INIT_LIST_HEAD(&sbsec->isec_head);
279 spin_lock_init(&sbsec->isec_lock);
281 sbsec->sid = SECINITSID_UNLABELED;
282 sbsec->def_sid = SECINITSID_FILE;
283 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
284 sb->s_security = sbsec;
289 static void superblock_free_security(struct super_block *sb)
291 struct superblock_security_struct *sbsec = sb->s_security;
293 spin_lock(&sb_security_lock);
294 if (!list_empty(&sbsec->list))
295 list_del_init(&sbsec->list);
296 spin_unlock(&sb_security_lock);
298 sb->s_security = NULL;
302 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
304 struct sk_security_struct *ssec;
306 ssec = kzalloc(sizeof(*ssec), priority);
310 ssec->peer_sid = SECINITSID_UNLABELED;
311 ssec->sid = SECINITSID_UNLABELED;
312 sk->sk_security = ssec;
314 selinux_netlbl_sk_security_reset(ssec, family);
319 static void sk_free_security(struct sock *sk)
321 struct sk_security_struct *ssec = sk->sk_security;
323 sk->sk_security = NULL;
324 selinux_netlbl_sk_security_free(ssec);
328 /* The security server must be initialized before
329 any labeling or access decisions can be provided. */
330 extern int ss_initialized;
332 /* The file system's label must be initialized prior to use. */
334 static char *labeling_behaviors[6] = {
336 "uses transition SIDs",
338 "uses genfs_contexts",
339 "not configured for labeling",
340 "uses mountpoint labeling",
343 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
345 static inline int inode_doinit(struct inode *inode)
347 return inode_doinit_with_dentry(inode, NULL);
358 static const match_table_t tokens = {
359 {Opt_context, CONTEXT_STR "%s"},
360 {Opt_fscontext, FSCONTEXT_STR "%s"},
361 {Opt_defcontext, DEFCONTEXT_STR "%s"},
362 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
366 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
368 static int may_context_mount_sb_relabel(u32 sid,
369 struct superblock_security_struct *sbsec,
370 const struct cred *cred)
372 const struct task_security_struct *tsec = cred->security;
375 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
376 FILESYSTEM__RELABELFROM, NULL);
380 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
381 FILESYSTEM__RELABELTO, NULL);
385 static int may_context_mount_inode_relabel(u32 sid,
386 struct superblock_security_struct *sbsec,
387 const struct cred *cred)
389 const struct task_security_struct *tsec = cred->security;
391 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
392 FILESYSTEM__RELABELFROM, NULL);
396 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
397 FILESYSTEM__ASSOCIATE, NULL);
401 static int sb_finish_set_opts(struct super_block *sb)
403 struct superblock_security_struct *sbsec = sb->s_security;
404 struct dentry *root = sb->s_root;
405 struct inode *root_inode = root->d_inode;
408 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
409 /* Make sure that the xattr handler exists and that no
410 error other than -ENODATA is returned by getxattr on
411 the root directory. -ENODATA is ok, as this may be
412 the first boot of the SELinux kernel before we have
413 assigned xattr values to the filesystem. */
414 if (!root_inode->i_op->getxattr) {
415 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
416 "xattr support\n", sb->s_id, sb->s_type->name);
420 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
421 if (rc < 0 && rc != -ENODATA) {
422 if (rc == -EOPNOTSUPP)
423 printk(KERN_WARNING "SELinux: (dev %s, type "
424 "%s) has no security xattr handler\n",
425 sb->s_id, sb->s_type->name);
427 printk(KERN_WARNING "SELinux: (dev %s, type "
428 "%s) getxattr errno %d\n", sb->s_id,
429 sb->s_type->name, -rc);
434 sbsec->initialized = 1;
436 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
437 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
438 sb->s_id, sb->s_type->name);
440 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
441 sb->s_id, sb->s_type->name,
442 labeling_behaviors[sbsec->behavior-1]);
444 /* Initialize the root inode. */
445 rc = inode_doinit_with_dentry(root_inode, root);
447 /* Initialize any other inodes associated with the superblock, e.g.
448 inodes created prior to initial policy load or inodes created
449 during get_sb by a pseudo filesystem that directly
451 spin_lock(&sbsec->isec_lock);
453 if (!list_empty(&sbsec->isec_head)) {
454 struct inode_security_struct *isec =
455 list_entry(sbsec->isec_head.next,
456 struct inode_security_struct, list);
457 struct inode *inode = isec->inode;
458 spin_unlock(&sbsec->isec_lock);
459 inode = igrab(inode);
461 if (!IS_PRIVATE(inode))
465 spin_lock(&sbsec->isec_lock);
466 list_del_init(&isec->list);
469 spin_unlock(&sbsec->isec_lock);
475 * This function should allow an FS to ask what it's mount security
476 * options were so it can use those later for submounts, displaying
477 * mount options, or whatever.
479 static int selinux_get_mnt_opts(const struct super_block *sb,
480 struct security_mnt_opts *opts)
483 struct superblock_security_struct *sbsec = sb->s_security;
484 char *context = NULL;
488 security_init_mnt_opts(opts);
490 if (!sbsec->initialized)
497 * if we ever use sbsec flags for anything other than tracking mount
498 * settings this is going to need a mask
501 /* count the number of mount options for this sb */
502 for (i = 0; i < 8; i++) {
504 opts->num_mnt_opts++;
508 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
509 if (!opts->mnt_opts) {
514 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
515 if (!opts->mnt_opts_flags) {
521 if (sbsec->flags & FSCONTEXT_MNT) {
522 rc = security_sid_to_context(sbsec->sid, &context, &len);
525 opts->mnt_opts[i] = context;
526 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
528 if (sbsec->flags & CONTEXT_MNT) {
529 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
532 opts->mnt_opts[i] = context;
533 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
535 if (sbsec->flags & DEFCONTEXT_MNT) {
536 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
539 opts->mnt_opts[i] = context;
540 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
542 if (sbsec->flags & ROOTCONTEXT_MNT) {
543 struct inode *root = sbsec->sb->s_root->d_inode;
544 struct inode_security_struct *isec = root->i_security;
546 rc = security_sid_to_context(isec->sid, &context, &len);
549 opts->mnt_opts[i] = context;
550 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
553 BUG_ON(i != opts->num_mnt_opts);
558 security_free_mnt_opts(opts);
562 static int bad_option(struct superblock_security_struct *sbsec, char flag,
563 u32 old_sid, u32 new_sid)
565 /* check if the old mount command had the same options */
566 if (sbsec->initialized)
567 if (!(sbsec->flags & flag) ||
568 (old_sid != new_sid))
571 /* check if we were passed the same options twice,
572 * aka someone passed context=a,context=b
574 if (!sbsec->initialized)
575 if (sbsec->flags & flag)
581 * Allow filesystems with binary mount data to explicitly set mount point
582 * labeling information.
584 static int selinux_set_mnt_opts(struct super_block *sb,
585 struct security_mnt_opts *opts)
587 const struct cred *cred = current_cred();
589 struct superblock_security_struct *sbsec = sb->s_security;
590 const char *name = sb->s_type->name;
591 struct inode *inode = sbsec->sb->s_root->d_inode;
592 struct inode_security_struct *root_isec = inode->i_security;
593 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
594 u32 defcontext_sid = 0;
595 char **mount_options = opts->mnt_opts;
596 int *flags = opts->mnt_opts_flags;
597 int num_opts = opts->num_mnt_opts;
599 mutex_lock(&sbsec->lock);
601 if (!ss_initialized) {
603 /* Defer initialization until selinux_complete_init,
604 after the initial policy is loaded and the security
605 server is ready to handle calls. */
606 spin_lock(&sb_security_lock);
607 if (list_empty(&sbsec->list))
608 list_add(&sbsec->list, &superblock_security_head);
609 spin_unlock(&sb_security_lock);
613 printk(KERN_WARNING "SELinux: Unable to set superblock options "
614 "before the security server is initialized\n");
619 * Binary mount data FS will come through this function twice. Once
620 * from an explicit call and once from the generic calls from the vfs.
621 * Since the generic VFS calls will not contain any security mount data
622 * we need to skip the double mount verification.
624 * This does open a hole in which we will not notice if the first
625 * mount using this sb set explict options and a second mount using
626 * this sb does not set any security options. (The first options
627 * will be used for both mounts)
629 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
634 * parse the mount options, check if they are valid sids.
635 * also check if someone is trying to mount the same sb more
636 * than once with different security options.
638 for (i = 0; i < num_opts; i++) {
640 rc = security_context_to_sid(mount_options[i],
641 strlen(mount_options[i]), &sid);
643 printk(KERN_WARNING "SELinux: security_context_to_sid"
644 "(%s) failed for (dev %s, type %s) errno=%d\n",
645 mount_options[i], sb->s_id, name, rc);
652 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
654 goto out_double_mount;
656 sbsec->flags |= FSCONTEXT_MNT;
661 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
663 goto out_double_mount;
665 sbsec->flags |= CONTEXT_MNT;
667 case ROOTCONTEXT_MNT:
668 rootcontext_sid = sid;
670 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
672 goto out_double_mount;
674 sbsec->flags |= ROOTCONTEXT_MNT;
678 defcontext_sid = sid;
680 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
682 goto out_double_mount;
684 sbsec->flags |= DEFCONTEXT_MNT;
693 if (sbsec->initialized) {
694 /* previously mounted with options, but not on this attempt? */
695 if (sbsec->flags && !num_opts)
696 goto out_double_mount;
701 if (strcmp(sb->s_type->name, "proc") == 0)
704 /* Determine the labeling behavior to use for this filesystem type. */
705 rc = security_fs_use(sbsec->proc ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
707 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
708 __func__, sb->s_type->name, rc);
712 /* sets the context of the superblock for the fs being mounted. */
714 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
718 sbsec->sid = fscontext_sid;
722 * Switch to using mount point labeling behavior.
723 * sets the label used on all file below the mountpoint, and will set
724 * the superblock context if not already set.
727 if (!fscontext_sid) {
728 rc = may_context_mount_sb_relabel(context_sid, sbsec,
732 sbsec->sid = context_sid;
734 rc = may_context_mount_inode_relabel(context_sid, sbsec,
739 if (!rootcontext_sid)
740 rootcontext_sid = context_sid;
742 sbsec->mntpoint_sid = context_sid;
743 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
746 if (rootcontext_sid) {
747 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
752 root_isec->sid = rootcontext_sid;
753 root_isec->initialized = 1;
756 if (defcontext_sid) {
757 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
759 printk(KERN_WARNING "SELinux: defcontext option is "
760 "invalid for this filesystem type\n");
764 if (defcontext_sid != sbsec->def_sid) {
765 rc = may_context_mount_inode_relabel(defcontext_sid,
771 sbsec->def_sid = defcontext_sid;
774 rc = sb_finish_set_opts(sb);
776 mutex_unlock(&sbsec->lock);
780 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
781 "security settings for (dev %s, type %s)\n", sb->s_id, name);
785 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
786 struct super_block *newsb)
788 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
789 struct superblock_security_struct *newsbsec = newsb->s_security;
791 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
792 int set_context = (oldsbsec->flags & CONTEXT_MNT);
793 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
796 * if the parent was able to be mounted it clearly had no special lsm
797 * mount options. thus we can safely put this sb on the list and deal
800 if (!ss_initialized) {
801 spin_lock(&sb_security_lock);
802 if (list_empty(&newsbsec->list))
803 list_add(&newsbsec->list, &superblock_security_head);
804 spin_unlock(&sb_security_lock);
808 /* how can we clone if the old one wasn't set up?? */
809 BUG_ON(!oldsbsec->initialized);
811 /* if fs is reusing a sb, just let its options stand... */
812 if (newsbsec->initialized)
815 mutex_lock(&newsbsec->lock);
817 newsbsec->flags = oldsbsec->flags;
819 newsbsec->sid = oldsbsec->sid;
820 newsbsec->def_sid = oldsbsec->def_sid;
821 newsbsec->behavior = oldsbsec->behavior;
824 u32 sid = oldsbsec->mntpoint_sid;
828 if (!set_rootcontext) {
829 struct inode *newinode = newsb->s_root->d_inode;
830 struct inode_security_struct *newisec = newinode->i_security;
833 newsbsec->mntpoint_sid = sid;
835 if (set_rootcontext) {
836 const struct inode *oldinode = oldsb->s_root->d_inode;
837 const struct inode_security_struct *oldisec = oldinode->i_security;
838 struct inode *newinode = newsb->s_root->d_inode;
839 struct inode_security_struct *newisec = newinode->i_security;
841 newisec->sid = oldisec->sid;
844 sb_finish_set_opts(newsb);
845 mutex_unlock(&newsbsec->lock);
848 static int selinux_parse_opts_str(char *options,
849 struct security_mnt_opts *opts)
852 char *context = NULL, *defcontext = NULL;
853 char *fscontext = NULL, *rootcontext = NULL;
854 int rc, num_mnt_opts = 0;
856 opts->num_mnt_opts = 0;
858 /* Standard string-based options. */
859 while ((p = strsep(&options, "|")) != NULL) {
861 substring_t args[MAX_OPT_ARGS];
866 token = match_token(p, tokens, args);
870 if (context || defcontext) {
872 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
875 context = match_strdup(&args[0]);
885 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
888 fscontext = match_strdup(&args[0]);
895 case Opt_rootcontext:
898 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
901 rootcontext = match_strdup(&args[0]);
909 if (context || defcontext) {
911 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
914 defcontext = match_strdup(&args[0]);
923 printk(KERN_WARNING "SELinux: unknown mount option\n");
930 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
934 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
935 if (!opts->mnt_opts_flags) {
936 kfree(opts->mnt_opts);
941 opts->mnt_opts[num_mnt_opts] = fscontext;
942 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
945 opts->mnt_opts[num_mnt_opts] = context;
946 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
949 opts->mnt_opts[num_mnt_opts] = rootcontext;
950 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
953 opts->mnt_opts[num_mnt_opts] = defcontext;
954 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
957 opts->num_mnt_opts = num_mnt_opts;
968 * string mount options parsing and call set the sbsec
970 static int superblock_doinit(struct super_block *sb, void *data)
973 char *options = data;
974 struct security_mnt_opts opts;
976 security_init_mnt_opts(&opts);
981 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
983 rc = selinux_parse_opts_str(options, &opts);
988 rc = selinux_set_mnt_opts(sb, &opts);
991 security_free_mnt_opts(&opts);
995 static void selinux_write_opts(struct seq_file *m,
996 struct security_mnt_opts *opts)
1001 for (i = 0; i < opts->num_mnt_opts; i++) {
1002 char *has_comma = strchr(opts->mnt_opts[i], ',');
1004 switch (opts->mnt_opts_flags[i]) {
1006 prefix = CONTEXT_STR;
1009 prefix = FSCONTEXT_STR;
1011 case ROOTCONTEXT_MNT:
1012 prefix = ROOTCONTEXT_STR;
1014 case DEFCONTEXT_MNT:
1015 prefix = DEFCONTEXT_STR;
1020 /* we need a comma before each option */
1022 seq_puts(m, prefix);
1025 seq_puts(m, opts->mnt_opts[i]);
1031 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1033 struct security_mnt_opts opts;
1036 rc = selinux_get_mnt_opts(sb, &opts);
1038 /* before policy load we may get EINVAL, don't show anything */
1044 selinux_write_opts(m, &opts);
1046 security_free_mnt_opts(&opts);
1051 static inline u16 inode_mode_to_security_class(umode_t mode)
1053 switch (mode & S_IFMT) {
1055 return SECCLASS_SOCK_FILE;
1057 return SECCLASS_LNK_FILE;
1059 return SECCLASS_FILE;
1061 return SECCLASS_BLK_FILE;
1063 return SECCLASS_DIR;
1065 return SECCLASS_CHR_FILE;
1067 return SECCLASS_FIFO_FILE;
1071 return SECCLASS_FILE;
1074 static inline int default_protocol_stream(int protocol)
1076 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1079 static inline int default_protocol_dgram(int protocol)
1081 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1084 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1090 case SOCK_SEQPACKET:
1091 return SECCLASS_UNIX_STREAM_SOCKET;
1093 return SECCLASS_UNIX_DGRAM_SOCKET;
1100 if (default_protocol_stream(protocol))
1101 return SECCLASS_TCP_SOCKET;
1103 return SECCLASS_RAWIP_SOCKET;
1105 if (default_protocol_dgram(protocol))
1106 return SECCLASS_UDP_SOCKET;
1108 return SECCLASS_RAWIP_SOCKET;
1110 return SECCLASS_DCCP_SOCKET;
1112 return SECCLASS_RAWIP_SOCKET;
1118 return SECCLASS_NETLINK_ROUTE_SOCKET;
1119 case NETLINK_FIREWALL:
1120 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1121 case NETLINK_INET_DIAG:
1122 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1124 return SECCLASS_NETLINK_NFLOG_SOCKET;
1126 return SECCLASS_NETLINK_XFRM_SOCKET;
1127 case NETLINK_SELINUX:
1128 return SECCLASS_NETLINK_SELINUX_SOCKET;
1130 return SECCLASS_NETLINK_AUDIT_SOCKET;
1131 case NETLINK_IP6_FW:
1132 return SECCLASS_NETLINK_IP6FW_SOCKET;
1133 case NETLINK_DNRTMSG:
1134 return SECCLASS_NETLINK_DNRT_SOCKET;
1135 case NETLINK_KOBJECT_UEVENT:
1136 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1138 return SECCLASS_NETLINK_SOCKET;
1141 return SECCLASS_PACKET_SOCKET;
1143 return SECCLASS_KEY_SOCKET;
1145 return SECCLASS_APPLETALK_SOCKET;
1148 return SECCLASS_SOCKET;
1151 #ifdef CONFIG_PROC_FS
1152 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1157 char *buffer, *path, *end;
1159 buffer = (char *)__get_free_page(GFP_KERNEL);
1164 end = buffer+buflen;
1169 while (de && de != de->parent) {
1170 buflen -= de->namelen + 1;
1174 memcpy(end, de->name, de->namelen);
1179 rc = security_genfs_sid("proc", path, tclass, sid);
1180 free_page((unsigned long)buffer);
1184 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1192 /* The inode's security attributes must be initialized before first use. */
1193 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1195 struct superblock_security_struct *sbsec = NULL;
1196 struct inode_security_struct *isec = inode->i_security;
1198 struct dentry *dentry;
1199 #define INITCONTEXTLEN 255
1200 char *context = NULL;
1204 if (isec->initialized)
1207 mutex_lock(&isec->lock);
1208 if (isec->initialized)
1211 sbsec = inode->i_sb->s_security;
1212 if (!sbsec->initialized) {
1213 /* Defer initialization until selinux_complete_init,
1214 after the initial policy is loaded and the security
1215 server is ready to handle calls. */
1216 spin_lock(&sbsec->isec_lock);
1217 if (list_empty(&isec->list))
1218 list_add(&isec->list, &sbsec->isec_head);
1219 spin_unlock(&sbsec->isec_lock);
1223 switch (sbsec->behavior) {
1224 case SECURITY_FS_USE_XATTR:
1225 if (!inode->i_op->getxattr) {
1226 isec->sid = sbsec->def_sid;
1230 /* Need a dentry, since the xattr API requires one.
1231 Life would be simpler if we could just pass the inode. */
1233 /* Called from d_instantiate or d_splice_alias. */
1234 dentry = dget(opt_dentry);
1236 /* Called from selinux_complete_init, try to find a dentry. */
1237 dentry = d_find_alias(inode);
1240 printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
1241 "ino=%ld\n", __func__, inode->i_sb->s_id,
1246 len = INITCONTEXTLEN;
1247 context = kmalloc(len, GFP_NOFS);
1253 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1255 if (rc == -ERANGE) {
1256 /* Need a larger buffer. Query for the right size. */
1257 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1265 context = kmalloc(len, GFP_NOFS);
1271 rc = inode->i_op->getxattr(dentry,
1277 if (rc != -ENODATA) {
1278 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1279 "%d for dev=%s ino=%ld\n", __func__,
1280 -rc, inode->i_sb->s_id, inode->i_ino);
1284 /* Map ENODATA to the default file SID */
1285 sid = sbsec->def_sid;
1288 rc = security_context_to_sid_default(context, rc, &sid,
1292 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1293 "returned %d for dev=%s ino=%ld\n",
1294 __func__, context, -rc,
1295 inode->i_sb->s_id, inode->i_ino);
1297 /* Leave with the unlabeled SID */
1305 case SECURITY_FS_USE_TASK:
1306 isec->sid = isec->task_sid;
1308 case SECURITY_FS_USE_TRANS:
1309 /* Default to the fs SID. */
1310 isec->sid = sbsec->sid;
1312 /* Try to obtain a transition SID. */
1313 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1314 rc = security_transition_sid(isec->task_sid,
1322 case SECURITY_FS_USE_MNTPOINT:
1323 isec->sid = sbsec->mntpoint_sid;
1326 /* Default to the fs superblock SID. */
1327 isec->sid = sbsec->sid;
1329 if (sbsec->proc && !S_ISLNK(inode->i_mode)) {
1330 struct proc_inode *proci = PROC_I(inode);
1332 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1333 rc = selinux_proc_get_sid(proci->pde,
1344 isec->initialized = 1;
1347 mutex_unlock(&isec->lock);
1349 if (isec->sclass == SECCLASS_FILE)
1350 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1354 /* Convert a Linux signal to an access vector. */
1355 static inline u32 signal_to_av(int sig)
1361 /* Commonly granted from child to parent. */
1362 perm = PROCESS__SIGCHLD;
1365 /* Cannot be caught or ignored */
1366 perm = PROCESS__SIGKILL;
1369 /* Cannot be caught or ignored */
1370 perm = PROCESS__SIGSTOP;
1373 /* All other signals. */
1374 perm = PROCESS__SIGNAL;
1382 * Check permission between a pair of credentials
1383 * fork check, ptrace check, etc.
1385 static int cred_has_perm(const struct cred *actor,
1386 const struct cred *target,
1389 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1391 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1395 * Check permission between a pair of tasks, e.g. signal checks,
1396 * fork check, ptrace check, etc.
1397 * tsk1 is the actor and tsk2 is the target
1398 * - this uses the default subjective creds of tsk1
1400 static int task_has_perm(const struct task_struct *tsk1,
1401 const struct task_struct *tsk2,
1404 const struct task_security_struct *__tsec1, *__tsec2;
1408 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1409 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1411 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1415 * Check permission between current and another task, e.g. signal checks,
1416 * fork check, ptrace check, etc.
1417 * current is the actor and tsk2 is the target
1418 * - this uses current's subjective creds
1420 static int current_has_perm(const struct task_struct *tsk,
1425 sid = current_sid();
1426 tsid = task_sid(tsk);
1427 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1430 #if CAP_LAST_CAP > 63
1431 #error Fix SELinux to handle capabilities > 63.
1434 /* Check whether a task is allowed to use a capability. */
1435 static int task_has_capability(struct task_struct *tsk,
1436 const struct cred *cred,
1439 struct avc_audit_data ad;
1440 struct av_decision avd;
1442 u32 sid = cred_sid(cred);
1443 u32 av = CAP_TO_MASK(cap);
1446 AVC_AUDIT_DATA_INIT(&ad, CAP);
1450 switch (CAP_TO_INDEX(cap)) {
1452 sclass = SECCLASS_CAPABILITY;
1455 sclass = SECCLASS_CAPABILITY2;
1459 "SELinux: out of range capability %d\n", cap);
1463 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1464 if (audit == SECURITY_CAP_AUDIT)
1465 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1469 /* Check whether a task is allowed to use a system operation. */
1470 static int task_has_system(struct task_struct *tsk,
1473 u32 sid = task_sid(tsk);
1475 return avc_has_perm(sid, SECINITSID_KERNEL,
1476 SECCLASS_SYSTEM, perms, NULL);
1479 /* Check whether a task has a particular permission to an inode.
1480 The 'adp' parameter is optional and allows other audit
1481 data to be passed (e.g. the dentry). */
1482 static int inode_has_perm(const struct cred *cred,
1483 struct inode *inode,
1485 struct avc_audit_data *adp)
1487 struct inode_security_struct *isec;
1488 struct avc_audit_data ad;
1491 if (unlikely(IS_PRIVATE(inode)))
1494 sid = cred_sid(cred);
1495 isec = inode->i_security;
1499 AVC_AUDIT_DATA_INIT(&ad, FS);
1500 ad.u.fs.inode = inode;
1503 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1506 /* Same as inode_has_perm, but pass explicit audit data containing
1507 the dentry to help the auditing code to more easily generate the
1508 pathname if needed. */
1509 static inline int dentry_has_perm(const struct cred *cred,
1510 struct vfsmount *mnt,
1511 struct dentry *dentry,
1514 struct inode *inode = dentry->d_inode;
1515 struct avc_audit_data ad;
1517 AVC_AUDIT_DATA_INIT(&ad, FS);
1518 ad.u.fs.path.mnt = mnt;
1519 ad.u.fs.path.dentry = dentry;
1520 return inode_has_perm(cred, inode, av, &ad);
1523 /* Check whether a task can use an open file descriptor to
1524 access an inode in a given way. Check access to the
1525 descriptor itself, and then use dentry_has_perm to
1526 check a particular permission to the file.
1527 Access to the descriptor is implicitly granted if it
1528 has the same SID as the process. If av is zero, then
1529 access to the file is not checked, e.g. for cases
1530 where only the descriptor is affected like seek. */
1531 static int file_has_perm(const struct cred *cred,
1535 struct file_security_struct *fsec = file->f_security;
1536 struct inode *inode = file->f_path.dentry->d_inode;
1537 struct avc_audit_data ad;
1538 u32 sid = cred_sid(cred);
1541 AVC_AUDIT_DATA_INIT(&ad, FS);
1542 ad.u.fs.path = file->f_path;
1544 if (sid != fsec->sid) {
1545 rc = avc_has_perm(sid, fsec->sid,
1553 /* av is zero if only checking access to the descriptor. */
1556 rc = inode_has_perm(cred, inode, av, &ad);
1562 /* Check whether a task can create a file. */
1563 static int may_create(struct inode *dir,
1564 struct dentry *dentry,
1567 const struct cred *cred = current_cred();
1568 const struct task_security_struct *tsec = cred->security;
1569 struct inode_security_struct *dsec;
1570 struct superblock_security_struct *sbsec;
1572 struct avc_audit_data ad;
1575 dsec = dir->i_security;
1576 sbsec = dir->i_sb->s_security;
1579 newsid = tsec->create_sid;
1581 AVC_AUDIT_DATA_INIT(&ad, FS);
1582 ad.u.fs.path.dentry = dentry;
1584 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1585 DIR__ADD_NAME | DIR__SEARCH,
1590 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
1591 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1596 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1600 return avc_has_perm(newsid, sbsec->sid,
1601 SECCLASS_FILESYSTEM,
1602 FILESYSTEM__ASSOCIATE, &ad);
1605 /* Check whether a task can create a key. */
1606 static int may_create_key(u32 ksid,
1607 struct task_struct *ctx)
1609 u32 sid = task_sid(ctx);
1611 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1615 #define MAY_UNLINK 1
1618 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1619 static int may_link(struct inode *dir,
1620 struct dentry *dentry,
1624 struct inode_security_struct *dsec, *isec;
1625 struct avc_audit_data ad;
1626 u32 sid = current_sid();
1630 dsec = dir->i_security;
1631 isec = dentry->d_inode->i_security;
1633 AVC_AUDIT_DATA_INIT(&ad, FS);
1634 ad.u.fs.path.dentry = dentry;
1637 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1638 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1653 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1658 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1662 static inline int may_rename(struct inode *old_dir,
1663 struct dentry *old_dentry,
1664 struct inode *new_dir,
1665 struct dentry *new_dentry)
1667 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1668 struct avc_audit_data ad;
1669 u32 sid = current_sid();
1671 int old_is_dir, new_is_dir;
1674 old_dsec = old_dir->i_security;
1675 old_isec = old_dentry->d_inode->i_security;
1676 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1677 new_dsec = new_dir->i_security;
1679 AVC_AUDIT_DATA_INIT(&ad, FS);
1681 ad.u.fs.path.dentry = old_dentry;
1682 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1683 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1686 rc = avc_has_perm(sid, old_isec->sid,
1687 old_isec->sclass, FILE__RENAME, &ad);
1690 if (old_is_dir && new_dir != old_dir) {
1691 rc = avc_has_perm(sid, old_isec->sid,
1692 old_isec->sclass, DIR__REPARENT, &ad);
1697 ad.u.fs.path.dentry = new_dentry;
1698 av = DIR__ADD_NAME | DIR__SEARCH;
1699 if (new_dentry->d_inode)
1700 av |= DIR__REMOVE_NAME;
1701 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1704 if (new_dentry->d_inode) {
1705 new_isec = new_dentry->d_inode->i_security;
1706 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1707 rc = avc_has_perm(sid, new_isec->sid,
1709 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1717 /* Check whether a task can perform a filesystem operation. */
1718 static int superblock_has_perm(const struct cred *cred,
1719 struct super_block *sb,
1721 struct avc_audit_data *ad)
1723 struct superblock_security_struct *sbsec;
1724 u32 sid = cred_sid(cred);
1726 sbsec = sb->s_security;
1727 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1730 /* Convert a Linux mode and permission mask to an access vector. */
1731 static inline u32 file_mask_to_av(int mode, int mask)
1735 if ((mode & S_IFMT) != S_IFDIR) {
1736 if (mask & MAY_EXEC)
1737 av |= FILE__EXECUTE;
1738 if (mask & MAY_READ)
1741 if (mask & MAY_APPEND)
1743 else if (mask & MAY_WRITE)
1747 if (mask & MAY_EXEC)
1749 if (mask & MAY_WRITE)
1751 if (mask & MAY_READ)
1758 /* Convert a Linux file to an access vector. */
1759 static inline u32 file_to_av(struct file *file)
1763 if (file->f_mode & FMODE_READ)
1765 if (file->f_mode & FMODE_WRITE) {
1766 if (file->f_flags & O_APPEND)
1773 * Special file opened with flags 3 for ioctl-only use.
1782 * Convert a file to an access vector and include the correct open
1785 static inline u32 open_file_to_av(struct file *file)
1787 u32 av = file_to_av(file);
1789 if (selinux_policycap_openperm) {
1790 mode_t mode = file->f_path.dentry->d_inode->i_mode;
1792 * lnk files and socks do not really have an 'open'
1796 else if (S_ISCHR(mode))
1797 av |= CHR_FILE__OPEN;
1798 else if (S_ISBLK(mode))
1799 av |= BLK_FILE__OPEN;
1800 else if (S_ISFIFO(mode))
1801 av |= FIFO_FILE__OPEN;
1802 else if (S_ISDIR(mode))
1805 printk(KERN_ERR "SELinux: WARNING: inside %s with "
1806 "unknown mode:%o\n", __func__, mode);
1811 /* Hook functions begin here. */
1813 static int selinux_ptrace_may_access(struct task_struct *child,
1818 rc = secondary_ops->ptrace_may_access(child, mode);
1822 if (mode == PTRACE_MODE_READ) {
1823 u32 sid = current_sid();
1824 u32 csid = task_sid(child);
1825 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1828 return current_has_perm(child, PROCESS__PTRACE);
1831 static int selinux_ptrace_traceme(struct task_struct *parent)
1835 rc = secondary_ops->ptrace_traceme(parent);
1839 return task_has_perm(parent, current, PROCESS__PTRACE);
1842 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1843 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1847 error = current_has_perm(target, PROCESS__GETCAP);
1851 return secondary_ops->capget(target, effective, inheritable, permitted);
1854 static int selinux_capset(struct cred *new, const struct cred *old,
1855 const kernel_cap_t *effective,
1856 const kernel_cap_t *inheritable,
1857 const kernel_cap_t *permitted)
1861 error = secondary_ops->capset(new, old,
1862 effective, inheritable, permitted);
1866 return cred_has_perm(old, new, PROCESS__SETCAP);
1869 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1874 rc = secondary_ops->capable(tsk, cred, cap, audit);
1878 return task_has_capability(tsk, cred, cap, audit);
1881 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1884 char *buffer, *path, *end;
1887 buffer = (char *)__get_free_page(GFP_KERNEL);
1892 end = buffer+buflen;
1898 const char *name = table->procname;
1899 size_t namelen = strlen(name);
1900 buflen -= namelen + 1;
1904 memcpy(end, name, namelen);
1907 table = table->parent;
1913 memcpy(end, "/sys", 4);
1915 rc = security_genfs_sid("proc", path, tclass, sid);
1917 free_page((unsigned long)buffer);
1922 static int selinux_sysctl(ctl_table *table, int op)
1929 rc = secondary_ops->sysctl(table, op);
1933 sid = current_sid();
1935 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1936 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1938 /* Default to the well-defined sysctl SID. */
1939 tsid = SECINITSID_SYSCTL;
1942 /* The op values are "defined" in sysctl.c, thereby creating
1943 * a bad coupling between this module and sysctl.c */
1945 error = avc_has_perm(sid, tsid,
1946 SECCLASS_DIR, DIR__SEARCH, NULL);
1954 error = avc_has_perm(sid, tsid,
1955 SECCLASS_FILE, av, NULL);
1961 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1963 const struct cred *cred = current_cred();
1975 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1980 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1983 rc = 0; /* let the kernel handle invalid cmds */
1989 static int selinux_quota_on(struct dentry *dentry)
1991 const struct cred *cred = current_cred();
1993 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1996 static int selinux_syslog(int type)
2000 rc = secondary_ops->syslog(type);
2005 case 3: /* Read last kernel messages */
2006 case 10: /* Return size of the log buffer */
2007 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2009 case 6: /* Disable logging to console */
2010 case 7: /* Enable logging to console */
2011 case 8: /* Set level of messages printed to console */
2012 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2014 case 0: /* Close log */
2015 case 1: /* Open log */
2016 case 2: /* Read from log */
2017 case 4: /* Read/clear last kernel messages */
2018 case 5: /* Clear ring buffer */
2020 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2027 * Check that a process has enough memory to allocate a new virtual
2028 * mapping. 0 means there is enough memory for the allocation to
2029 * succeed and -ENOMEM implies there is not.
2031 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
2032 * if the capability is granted, but __vm_enough_memory requires 1 if
2033 * the capability is granted.
2035 * Do not audit the selinux permission check, as this is applied to all
2036 * processes that allocate mappings.
2038 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2040 int rc, cap_sys_admin = 0;
2042 rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
2043 SECURITY_CAP_NOAUDIT);
2047 return __vm_enough_memory(mm, pages, cap_sys_admin);
2050 /* binprm security operations */
2052 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2054 const struct task_security_struct *old_tsec;
2055 struct task_security_struct *new_tsec;
2056 struct inode_security_struct *isec;
2057 struct avc_audit_data ad;
2058 struct inode *inode = bprm->file->f_path.dentry->d_inode;
2061 rc = secondary_ops->bprm_set_creds(bprm);
2065 /* SELinux context only depends on initial program or script and not
2066 * the script interpreter */
2067 if (bprm->cred_prepared)
2070 old_tsec = current_security();
2071 new_tsec = bprm->cred->security;
2072 isec = inode->i_security;
2074 /* Default to the current task SID. */
2075 new_tsec->sid = old_tsec->sid;
2076 new_tsec->osid = old_tsec->sid;
2078 /* Reset fs, key, and sock SIDs on execve. */
2079 new_tsec->create_sid = 0;
2080 new_tsec->keycreate_sid = 0;
2081 new_tsec->sockcreate_sid = 0;
2083 if (old_tsec->exec_sid) {
2084 new_tsec->sid = old_tsec->exec_sid;
2085 /* Reset exec SID on execve. */
2086 new_tsec->exec_sid = 0;
2088 /* Check for a default transition on this program. */
2089 rc = security_transition_sid(old_tsec->sid, isec->sid,
2090 SECCLASS_PROCESS, &new_tsec->sid);
2095 AVC_AUDIT_DATA_INIT(&ad, FS);
2096 ad.u.fs.path = bprm->file->f_path;
2098 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2099 new_tsec->sid = old_tsec->sid;
2101 if (new_tsec->sid == old_tsec->sid) {
2102 rc = avc_has_perm(old_tsec->sid, isec->sid,
2103 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2107 /* Check permissions for the transition. */
2108 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2109 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2113 rc = avc_has_perm(new_tsec->sid, isec->sid,
2114 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2118 /* Check for shared state */
2119 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2120 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2121 SECCLASS_PROCESS, PROCESS__SHARE,
2127 /* Make sure that anyone attempting to ptrace over a task that
2128 * changes its SID has the appropriate permit */
2130 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2131 struct task_struct *tracer;
2132 struct task_security_struct *sec;
2136 tracer = tracehook_tracer_task(current);
2137 if (likely(tracer != NULL)) {
2138 sec = __task_cred(tracer)->security;
2144 rc = avc_has_perm(ptsid, new_tsec->sid,
2146 PROCESS__PTRACE, NULL);
2152 /* Clear any possibly unsafe personality bits on exec: */
2153 bprm->per_clear |= PER_CLEAR_ON_SETID;
2159 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2161 return secondary_ops->bprm_check_security(bprm);
2164 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2166 const struct cred *cred = current_cred();
2167 const struct task_security_struct *tsec = cred->security;
2175 /* Enable secure mode for SIDs transitions unless
2176 the noatsecure permission is granted between
2177 the two SIDs, i.e. ahp returns 0. */
2178 atsecure = avc_has_perm(osid, sid,
2180 PROCESS__NOATSECURE, NULL);
2183 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2186 extern struct vfsmount *selinuxfs_mount;
2187 extern struct dentry *selinux_null;
2189 /* Derived from fs/exec.c:flush_old_files. */
2190 static inline void flush_unauthorized_files(const struct cred *cred,
2191 struct files_struct *files)
2193 struct avc_audit_data ad;
2194 struct file *file, *devnull = NULL;
2195 struct tty_struct *tty;
2196 struct fdtable *fdt;
2200 tty = get_current_tty();
2203 if (!list_empty(&tty->tty_files)) {
2204 struct inode *inode;
2206 /* Revalidate access to controlling tty.
2207 Use inode_has_perm on the tty inode directly rather
2208 than using file_has_perm, as this particular open
2209 file may belong to another process and we are only
2210 interested in the inode-based check here. */
2211 file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2212 inode = file->f_path.dentry->d_inode;
2213 if (inode_has_perm(cred, inode,
2214 FILE__READ | FILE__WRITE, NULL)) {
2221 /* Reset controlling tty. */
2225 /* Revalidate access to inherited open files. */
2227 AVC_AUDIT_DATA_INIT(&ad, FS);
2229 spin_lock(&files->file_lock);
2231 unsigned long set, i;
2236 fdt = files_fdtable(files);
2237 if (i >= fdt->max_fds)
2239 set = fdt->open_fds->fds_bits[j];
2242 spin_unlock(&files->file_lock);
2243 for ( ; set ; i++, set >>= 1) {
2248 if (file_has_perm(cred,
2250 file_to_av(file))) {
2252 fd = get_unused_fd();
2262 devnull = dentry_open(
2264 mntget(selinuxfs_mount),
2266 if (IS_ERR(devnull)) {
2273 fd_install(fd, devnull);
2278 spin_lock(&files->file_lock);
2281 spin_unlock(&files->file_lock);
2285 * Prepare a process for imminent new credential changes due to exec
2287 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2289 struct task_security_struct *new_tsec;
2290 struct rlimit *rlim, *initrlim;
2293 secondary_ops->bprm_committing_creds(bprm);
2295 new_tsec = bprm->cred->security;
2296 if (new_tsec->sid == new_tsec->osid)
2299 /* Close files for which the new task SID is not authorized. */
2300 flush_unauthorized_files(bprm->cred, current->files);
2302 /* Always clear parent death signal on SID transitions. */
2303 current->pdeath_signal = 0;
2305 /* Check whether the new SID can inherit resource limits from the old
2306 * SID. If not, reset all soft limits to the lower of the current
2307 * task's hard limit and the init task's soft limit.
2309 * Note that the setting of hard limits (even to lower them) can be
2310 * controlled by the setrlimit check. The inclusion of the init task's
2311 * soft limit into the computation is to avoid resetting soft limits
2312 * higher than the default soft limit for cases where the default is
2313 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2315 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2316 PROCESS__RLIMITINH, NULL);
2318 for (i = 0; i < RLIM_NLIMITS; i++) {
2319 rlim = current->signal->rlim + i;
2320 initrlim = init_task.signal->rlim + i;
2321 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2323 update_rlimit_cpu(rlim->rlim_cur);
2328 * Clean up the process immediately after the installation of new credentials
2331 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2333 const struct task_security_struct *tsec = current_security();
2334 struct itimerval itimer;
2335 struct sighand_struct *psig;
2338 unsigned long flags;
2340 secondary_ops->bprm_committed_creds(bprm);
2348 /* Check whether the new SID can inherit signal state from the old SID.
2349 * If not, clear itimers to avoid subsequent signal generation and
2350 * flush and unblock signals.
2352 * This must occur _after_ the task SID has been updated so that any
2353 * kill done after the flush will be checked against the new SID.
2355 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2357 memset(&itimer, 0, sizeof itimer);
2358 for (i = 0; i < 3; i++)
2359 do_setitimer(i, &itimer, NULL);
2360 flush_signals(current);
2361 spin_lock_irq(¤t->sighand->siglock);
2362 flush_signal_handlers(current, 1);
2363 sigemptyset(¤t->blocked);
2364 recalc_sigpending();
2365 spin_unlock_irq(¤t->sighand->siglock);
2368 /* Wake up the parent if it is waiting so that it can recheck
2369 * wait permission to the new task SID. */
2370 read_lock_irq(&tasklist_lock);
2371 psig = current->parent->sighand;
2372 spin_lock_irqsave(&psig->siglock, flags);
2373 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
2374 spin_unlock_irqrestore(&psig->siglock, flags);
2375 read_unlock_irq(&tasklist_lock);
2378 /* superblock security operations */
2380 static int selinux_sb_alloc_security(struct super_block *sb)
2382 return superblock_alloc_security(sb);
2385 static void selinux_sb_free_security(struct super_block *sb)
2387 superblock_free_security(sb);
2390 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2395 return !memcmp(prefix, option, plen);
2398 static inline int selinux_option(char *option, int len)
2400 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2401 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2402 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2403 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2406 static inline void take_option(char **to, char *from, int *first, int len)
2413 memcpy(*to, from, len);
2417 static inline void take_selinux_option(char **to, char *from, int *first,
2420 int current_size = 0;
2428 while (current_size < len) {
2438 static int selinux_sb_copy_data(char *orig, char *copy)
2440 int fnosec, fsec, rc = 0;
2441 char *in_save, *in_curr, *in_end;
2442 char *sec_curr, *nosec_save, *nosec;
2448 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2456 in_save = in_end = orig;
2460 open_quote = !open_quote;
2461 if ((*in_end == ',' && open_quote == 0) ||
2463 int len = in_end - in_curr;
2465 if (selinux_option(in_curr, len))
2466 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2468 take_option(&nosec, in_curr, &fnosec, len);
2470 in_curr = in_end + 1;
2472 } while (*in_end++);
2474 strcpy(in_save, nosec_save);
2475 free_page((unsigned long)nosec_save);
2480 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2482 const struct cred *cred = current_cred();
2483 struct avc_audit_data ad;
2486 rc = superblock_doinit(sb, data);
2490 /* Allow all mounts performed by the kernel */
2491 if (flags & MS_KERNMOUNT)
2494 AVC_AUDIT_DATA_INIT(&ad, FS);
2495 ad.u.fs.path.dentry = sb->s_root;
2496 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2499 static int selinux_sb_statfs(struct dentry *dentry)
2501 const struct cred *cred = current_cred();
2502 struct avc_audit_data ad;
2504 AVC_AUDIT_DATA_INIT(&ad, FS);
2505 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2506 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2509 static int selinux_mount(char *dev_name,
2512 unsigned long flags,
2515 const struct cred *cred = current_cred();
2518 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2522 if (flags & MS_REMOUNT)
2523 return superblock_has_perm(cred, path->mnt->mnt_sb,
2524 FILESYSTEM__REMOUNT, NULL);
2526 return dentry_has_perm(cred, path->mnt, path->dentry,
2530 static int selinux_umount(struct vfsmount *mnt, int flags)
2532 const struct cred *cred = current_cred();
2535 rc = secondary_ops->sb_umount(mnt, flags);
2539 return superblock_has_perm(cred, mnt->mnt_sb,
2540 FILESYSTEM__UNMOUNT, NULL);
2543 /* inode security operations */
2545 static int selinux_inode_alloc_security(struct inode *inode)
2547 return inode_alloc_security(inode);
2550 static void selinux_inode_free_security(struct inode *inode)
2552 inode_free_security(inode);
2555 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2556 char **name, void **value,
2559 const struct cred *cred = current_cred();
2560 const struct task_security_struct *tsec = cred->security;
2561 struct inode_security_struct *dsec;
2562 struct superblock_security_struct *sbsec;
2563 u32 sid, newsid, clen;
2565 char *namep = NULL, *context;
2567 dsec = dir->i_security;
2568 sbsec = dir->i_sb->s_security;
2571 newsid = tsec->create_sid;
2573 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
2574 rc = security_transition_sid(sid, dsec->sid,
2575 inode_mode_to_security_class(inode->i_mode),
2578 printk(KERN_WARNING "%s: "
2579 "security_transition_sid failed, rc=%d (dev=%s "
2582 -rc, inode->i_sb->s_id, inode->i_ino);
2587 /* Possibly defer initialization to selinux_complete_init. */
2588 if (sbsec->initialized) {
2589 struct inode_security_struct *isec = inode->i_security;
2590 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2592 isec->initialized = 1;
2595 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2599 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2606 rc = security_sid_to_context_force(newsid, &context, &clen);
2618 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2620 return may_create(dir, dentry, SECCLASS_FILE);
2623 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2627 rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2630 return may_link(dir, old_dentry, MAY_LINK);
2633 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2637 rc = secondary_ops->inode_unlink(dir, dentry);
2640 return may_link(dir, dentry, MAY_UNLINK);
2643 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2645 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2648 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2650 return may_create(dir, dentry, SECCLASS_DIR);
2653 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2655 return may_link(dir, dentry, MAY_RMDIR);
2658 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2662 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2666 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2669 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2670 struct inode *new_inode, struct dentry *new_dentry)
2672 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2675 static int selinux_inode_readlink(struct dentry *dentry)
2677 const struct cred *cred = current_cred();
2679 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2682 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2684 const struct cred *cred = current_cred();
2687 rc = secondary_ops->inode_follow_link(dentry, nameidata);
2690 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2693 static int selinux_inode_permission(struct inode *inode, int mask)
2695 const struct cred *cred = current_cred();
2698 rc = secondary_ops->inode_permission(inode, mask);
2703 /* No permission to check. Existence test. */
2707 return inode_has_perm(cred, inode,
2708 file_mask_to_av(inode->i_mode, mask), NULL);
2711 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2713 const struct cred *cred = current_cred();
2716 rc = secondary_ops->inode_setattr(dentry, iattr);
2720 if (iattr->ia_valid & ATTR_FORCE)
2723 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2724 ATTR_ATIME_SET | ATTR_MTIME_SET))
2725 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2727 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2730 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2732 const struct cred *cred = current_cred();
2734 return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2737 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2739 const struct cred *cred = current_cred();
2741 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2742 sizeof XATTR_SECURITY_PREFIX - 1)) {
2743 if (!strcmp(name, XATTR_NAME_CAPS)) {
2744 if (!capable(CAP_SETFCAP))
2746 } else if (!capable(CAP_SYS_ADMIN)) {
2747 /* A different attribute in the security namespace.
2748 Restrict to administrator. */
2753 /* Not an attribute we recognize, so just check the
2754 ordinary setattr permission. */
2755 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2758 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2759 const void *value, size_t size, int flags)
2761 struct inode *inode = dentry->d_inode;
2762 struct inode_security_struct *isec = inode->i_security;
2763 struct superblock_security_struct *sbsec;
2764 struct avc_audit_data ad;
2765 u32 newsid, sid = current_sid();
2768 if (strcmp(name, XATTR_NAME_SELINUX))
2769 return selinux_inode_setotherxattr(dentry, name);
2771 sbsec = inode->i_sb->s_security;
2772 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2775 if (!is_owner_or_cap(inode))
2778 AVC_AUDIT_DATA_INIT(&ad, FS);
2779 ad.u.fs.path.dentry = dentry;
2781 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2782 FILE__RELABELFROM, &ad);
2786 rc = security_context_to_sid(value, size, &newsid);
2787 if (rc == -EINVAL) {
2788 if (!capable(CAP_MAC_ADMIN))
2790 rc = security_context_to_sid_force(value, size, &newsid);
2795 rc = avc_has_perm(sid, newsid, isec->sclass,
2796 FILE__RELABELTO, &ad);
2800 rc = security_validate_transition(isec->sid, newsid, sid,
2805 return avc_has_perm(newsid,
2807 SECCLASS_FILESYSTEM,
2808 FILESYSTEM__ASSOCIATE,
2812 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2813 const void *value, size_t size,
2816 struct inode *inode = dentry->d_inode;
2817 struct inode_security_struct *isec = inode->i_security;
2821 if (strcmp(name, XATTR_NAME_SELINUX)) {
2822 /* Not an attribute we recognize, so nothing to do. */
2826 rc = security_context_to_sid_force(value, size, &newsid);
2828 printk(KERN_ERR "SELinux: unable to map context to SID"
2829 "for (%s, %lu), rc=%d\n",
2830 inode->i_sb->s_id, inode->i_ino, -rc);
2838 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2840 const struct cred *cred = current_cred();
2842 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2845 static int selinux_inode_listxattr(struct dentry *dentry)
2847 const struct cred *cred = current_cred();
2849 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2852 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2854 if (strcmp(name, XATTR_NAME_SELINUX))
2855 return selinux_inode_setotherxattr(dentry, name);
2857 /* No one is allowed to remove a SELinux security label.
2858 You can change the label, but all data must be labeled. */
2863 * Copy the inode security context value to the user.
2865 * Permission check is handled by selinux_inode_getxattr hook.
2867 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2871 char *context = NULL;
2872 struct inode_security_struct *isec = inode->i_security;
2874 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2878 * If the caller has CAP_MAC_ADMIN, then get the raw context
2879 * value even if it is not defined by current policy; otherwise,
2880 * use the in-core value under current policy.
2881 * Use the non-auditing forms of the permission checks since
2882 * getxattr may be called by unprivileged processes commonly
2883 * and lack of permission just means that we fall back to the
2884 * in-core context value, not a denial.
2886 error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2887 SECURITY_CAP_NOAUDIT);
2889 error = security_sid_to_context_force(isec->sid, &context,
2892 error = security_sid_to_context(isec->sid, &context, &size);
2905 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2906 const void *value, size_t size, int flags)
2908 struct inode_security_struct *isec = inode->i_security;
2912 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2915 if (!value || !size)
2918 rc = security_context_to_sid((void *)value, size, &newsid);
2926 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2928 const int len = sizeof(XATTR_NAME_SELINUX);
2929 if (buffer && len <= buffer_size)
2930 memcpy(buffer, XATTR_NAME_SELINUX, len);
2934 static int selinux_inode_need_killpriv(struct dentry *dentry)
2936 return secondary_ops->inode_need_killpriv(dentry);
2939 static int selinux_inode_killpriv(struct dentry *dentry)
2941 return secondary_ops->inode_killpriv(dentry);
2944 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2946 struct inode_security_struct *isec = inode->i_security;
2950 /* file security operations */
2952 static int selinux_revalidate_file_permission(struct file *file, int mask)
2954 const struct cred *cred = current_cred();
2956 struct inode *inode = file->f_path.dentry->d_inode;
2959 /* No permission to check. Existence test. */
2963 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2964 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2967 rc = file_has_perm(cred, file,
2968 file_mask_to_av(inode->i_mode, mask));
2972 return selinux_netlbl_inode_permission(inode, mask);
2975 static int selinux_file_permission(struct file *file, int mask)
2977 struct inode *inode = file->f_path.dentry->d_inode;
2978 struct file_security_struct *fsec = file->f_security;
2979 struct inode_security_struct *isec = inode->i_security;
2980 u32 sid = current_sid();
2983 /* No permission to check. Existence test. */
2987 if (sid == fsec->sid && fsec->isid == isec->sid
2988 && fsec->pseqno == avc_policy_seqno())
2989 return selinux_netlbl_inode_permission(inode, mask);
2991 return selinux_revalidate_file_permission(file, mask);
2994 static int selinux_file_alloc_security(struct file *file)
2996 return file_alloc_security(file);
2999 static void selinux_file_free_security(struct file *file)
3001 file_free_security(file);
3004 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3007 const struct cred *cred = current_cred();
3010 if (_IOC_DIR(cmd) & _IOC_WRITE)
3012 if (_IOC_DIR(cmd) & _IOC_READ)
3017 return file_has_perm(cred, file, av);
3020 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3022 const struct cred *cred = current_cred();
3025 #ifndef CONFIG_PPC32
3026 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3028 * We are making executable an anonymous mapping or a
3029 * private file mapping that will also be writable.
3030 * This has an additional check.
3032 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3039 /* read access is always possible with a mapping */
3040 u32 av = FILE__READ;
3042 /* write access only matters if the mapping is shared */
3043 if (shared && (prot & PROT_WRITE))
3046 if (prot & PROT_EXEC)
3047 av |= FILE__EXECUTE;
3049 return file_has_perm(cred, file, av);
3056 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3057 unsigned long prot, unsigned long flags,
3058 unsigned long addr, unsigned long addr_only)
3061 u32 sid = current_sid();
3063 if (addr < mmap_min_addr)
3064 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3065 MEMPROTECT__MMAP_ZERO, NULL);
3066 if (rc || addr_only)
3069 if (selinux_checkreqprot)
3072 return file_map_prot_check(file, prot,
3073 (flags & MAP_TYPE) == MAP_SHARED);
3076 static int selinux_file_mprotect(struct vm_area_struct *vma,
3077 unsigned long reqprot,
3080 const struct cred *cred = current_cred();
3083 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3087 if (selinux_checkreqprot)
3090 #ifndef CONFIG_PPC32
3091 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3093 if (vma->vm_start >= vma->vm_mm->start_brk &&
3094 vma->vm_end <= vma->vm_mm->brk) {
3095 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3096 } else if (!vma->vm_file &&
3097 vma->vm_start <= vma->vm_mm->start_stack &&
3098 vma->vm_end >= vma->vm_mm->start_stack) {
3099 rc = current_has_perm(current, PROCESS__EXECSTACK);
3100 } else if (vma->vm_file && vma->anon_vma) {
3102 * We are making executable a file mapping that has
3103 * had some COW done. Since pages might have been
3104 * written, check ability to execute the possibly
3105 * modified content. This typically should only
3106 * occur for text relocations.
3108 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3115 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3118 static int selinux_file_lock(struct file *file, unsigned int cmd)
3120 const struct cred *cred = current_cred();
3122 return file_has_perm(cred, file, FILE__LOCK);
3125 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3128 const struct cred *cred = current_cred();
3133 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3138 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3139 err = file_has_perm(cred, file, FILE__WRITE);
3148 /* Just check FD__USE permission */
3149 err = file_has_perm(cred, file, 0);
3154 #if BITS_PER_LONG == 32
3159 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3163 err = file_has_perm(cred, file, FILE__LOCK);
3170 static int selinux_file_set_fowner(struct file *file)
3172 struct file_security_struct *fsec;
3174 fsec = file->f_security;
3175 fsec->fown_sid = current_sid();
3180 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3181 struct fown_struct *fown, int signum)
3184 u32 sid = current_sid();
3186 struct file_security_struct *fsec;
3188 /* struct fown_struct is never outside the context of a struct file */
3189 file = container_of(fown, struct file, f_owner);
3191 fsec = file->f_security;
3194 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3196 perm = signal_to_av(signum);
3198 return avc_has_perm(fsec->fown_sid, sid,
3199 SECCLASS_PROCESS, perm, NULL);
3202 static int selinux_file_receive(struct file *file)
3204 const struct cred *cred = current_cred();
3206 return file_has_perm(cred, file, file_to_av(file));
3209 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3211 struct file_security_struct *fsec;
3212 struct inode *inode;
3213 struct inode_security_struct *isec;
3215 inode = file->f_path.dentry->d_inode;
3216 fsec = file->f_security;
3217 isec = inode->i_security;
3219 * Save inode label and policy sequence number
3220 * at open-time so that selinux_file_permission
3221 * can determine whether revalidation is necessary.
3222 * Task label is already saved in the file security
3223 * struct as its SID.
3225 fsec->isid = isec->sid;
3226 fsec->pseqno = avc_policy_seqno();
3228 * Since the inode label or policy seqno may have changed
3229 * between the selinux_inode_permission check and the saving
3230 * of state above, recheck that access is still permitted.
3231 * Otherwise, access might never be revalidated against the
3232 * new inode label or new policy.
3233 * This check is not redundant - do not remove.
3235 return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3238 /* task security operations */
3240 static int selinux_task_create(unsigned long clone_flags)
3244 rc = secondary_ops->task_create(clone_flags);
3248 return current_has_perm(current, PROCESS__FORK);
3252 * detach and free the LSM part of a set of credentials
3254 static void selinux_cred_free(struct cred *cred)
3256 struct task_security_struct *tsec = cred->security;
3257 cred->security = NULL;
3262 * prepare a new set of credentials for modification
3264 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3267 const struct task_security_struct *old_tsec;
3268 struct task_security_struct *tsec;
3270 old_tsec = old->security;
3272 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3276 new->security = tsec;
3281 * commit new credentials
3283 static void selinux_cred_commit(struct cred *new, const struct cred *old)
3285 secondary_ops->cred_commit(new, old);
3289 * set the security data for a kernel service
3290 * - all the creation contexts are set to unlabelled
3292 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3294 struct task_security_struct *tsec = new->security;
3295 u32 sid = current_sid();
3298 ret = avc_has_perm(sid, secid,
3299 SECCLASS_KERNEL_SERVICE,
3300 KERNEL_SERVICE__USE_AS_OVERRIDE,
3304 tsec->create_sid = 0;
3305 tsec->keycreate_sid = 0;
3306 tsec->sockcreate_sid = 0;
3312 * set the file creation context in a security record to the same as the
3313 * objective context of the specified inode
3315 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3317 struct inode_security_struct *isec = inode->i_security;
3318 struct task_security_struct *tsec = new->security;
3319 u32 sid = current_sid();
3322 ret = avc_has_perm(sid, isec->sid,
3323 SECCLASS_KERNEL_SERVICE,
3324 KERNEL_SERVICE__CREATE_FILES_AS,
3328 tsec->create_sid = isec->sid;
3332 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3334 /* Since setuid only affects the current process, and
3335 since the SELinux controls are not based on the Linux
3336 identity attributes, SELinux does not need to control
3337 this operation. However, SELinux does control the use
3338 of the CAP_SETUID and CAP_SETGID capabilities using the
3343 static int selinux_task_fix_setuid(struct cred *new, const struct cred *old,
3346 return secondary_ops->task_fix_setuid(new, old, flags);
3349 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3351 /* See the comment for setuid above. */
3355 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3357 return current_has_perm(p, PROCESS__SETPGID);
3360 static int selinux_task_getpgid(struct task_struct *p)
3362 return current_has_perm(p, PROCESS__GETPGID);
3365 static int selinux_task_getsid(struct task_struct *p)
3367 return current_has_perm(p, PROCESS__GETSESSION);
3370 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3372 *secid = task_sid(p);
3375 static int selinux_task_setgroups(struct group_info *group_info)
3377 /* See the comment for setuid above. */
3381 static int selinux_task_setnice(struct task_struct *p, int nice)
3385 rc = secondary_ops->task_setnice(p, nice);
3389 return current_has_perm(p, PROCESS__SETSCHED);
3392 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3396 rc = secondary_ops->task_setioprio(p, ioprio);
3400 return current_has_perm(p, PROCESS__SETSCHED);
3403 static int selinux_task_getioprio(struct task_struct *p)
3405 return current_has_perm(p, PROCESS__GETSCHED);
3408 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3410 struct rlimit *old_rlim = current->signal->rlim + resource;
3413 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3417 /* Control the ability to change the hard limit (whether
3418 lowering or raising it), so that the hard limit can
3419 later be used as a safe reset point for the soft limit
3420 upon context transitions. See selinux_bprm_committing_creds. */
3421 if (old_rlim->rlim_max != new_rlim->rlim_max)
3422 return current_has_perm(current, PROCESS__SETRLIMIT);
3427 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3431 rc = secondary_ops->task_setscheduler(p, policy, lp);
3435 return current_has_perm(p, PROCESS__SETSCHED);
3438 static int selinux_task_getscheduler(struct task_struct *p)
3440 return current_has_perm(p, PROCESS__GETSCHED);
3443 static int selinux_task_movememory(struct task_struct *p)
3445 return current_has_perm(p, PROCESS__SETSCHED);
3448 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3454 rc = secondary_ops->task_kill(p, info, sig, secid);
3459 perm = PROCESS__SIGNULL; /* null signal; existence test */
3461 perm = signal_to_av(sig);
3463 rc = avc_has_perm(secid, task_sid(p),
3464 SECCLASS_PROCESS, perm, NULL);
3466 rc = current_has_perm(p, perm);
3470 static int selinux_task_prctl(int option,
3476 /* The current prctl operations do not appear to require
3477 any SELinux controls since they merely observe or modify
3478 the state of the current process. */
3479 return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5);
3482 static int selinux_task_wait(struct task_struct *p)
3484 return task_has_perm(p, current, PROCESS__SIGCHLD);
3487 static void selinux_task_to_inode(struct task_struct *p,
3488 struct inode *inode)
3490 struct inode_security_struct *isec = inode->i_security;
3491 u32 sid = task_sid(p);
3494 isec->initialized = 1;
3497 /* Returns error only if unable to parse addresses */
3498 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3499 struct avc_audit_data *ad, u8 *proto)
3501 int offset, ihlen, ret = -EINVAL;
3502 struct iphdr _iph, *ih;
3504 offset = skb_network_offset(skb);
3505 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3509 ihlen = ih->ihl * 4;
3510 if (ihlen < sizeof(_iph))
3513 ad->u.net.v4info.saddr = ih->saddr;
3514 ad->u.net.v4info.daddr = ih->daddr;
3518 *proto = ih->protocol;
3520 switch (ih->protocol) {
3522 struct tcphdr _tcph, *th;
3524 if (ntohs(ih->frag_off) & IP_OFFSET)
3528 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3532 ad->u.net.sport = th->source;
3533 ad->u.net.dport = th->dest;
3538 struct udphdr _udph, *uh;
3540 if (ntohs(ih->frag_off) & IP_OFFSET)
3544 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3548 ad->u.net.sport = uh->source;
3549 ad->u.net.dport = uh->dest;
3553 case IPPROTO_DCCP: {
3554 struct dccp_hdr _dccph, *dh;
3556 if (ntohs(ih->frag_off) & IP_OFFSET)
3560 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3564 ad->u.net.sport = dh->dccph_sport;
3565 ad->u.net.dport = dh->dccph_dport;
3576 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3578 /* Returns error only if unable to parse addresses */
3579 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3580 struct avc_audit_data *ad, u8 *proto)
3583 int ret = -EINVAL, offset;
3584 struct ipv6hdr _ipv6h, *ip6;
3586 offset = skb_network_offset(skb);
3587 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3591 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3592 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3595 nexthdr = ip6->nexthdr;
3596 offset += sizeof(_ipv6h);
3597 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3606 struct tcphdr _tcph, *th;
3608 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3612 ad->u.net.sport = th->source;
3613 ad->u.net.dport = th->dest;
3618 struct udphdr _udph, *uh;
3620 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3624 ad->u.net.sport = uh->source;
3625 ad->u.net.dport = uh->dest;
3629 case IPPROTO_DCCP: {
3630 struct dccp_hdr _dccph, *dh;
3632 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3636 ad->u.net.sport = dh->dccph_sport;
3637 ad->u.net.dport = dh->dccph_dport;
3641 /* includes fragments */
3651 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3652 char **_addrp, int src, u8 *proto)
3657 switch (ad->u.net.family) {
3659 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3662 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3663 &ad->u.net.v4info.daddr);
3666 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3668 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3671 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3672 &ad->u.net.v6info.daddr);
3682 "SELinux: failure in selinux_parse_skb(),"
3683 " unable to parse packet\n");
3693 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3695 * @family: protocol family
3696 * @sid: the packet's peer label SID
3699 * Check the various different forms of network peer labeling and determine
3700 * the peer label/SID for the packet; most of the magic actually occurs in
3701 * the security server function security_net_peersid_cmp(). The function
3702 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3703 * or -EACCES if @sid is invalid due to inconsistencies with the different
3707 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3714 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3715 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3717 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3718 if (unlikely(err)) {
3720 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3721 " unable to determine packet's peer label\n");
3728 /* socket security operations */
3729 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3732 struct inode_security_struct *isec;
3733 struct avc_audit_data ad;
3737 isec = SOCK_INODE(sock)->i_security;
3739 if (isec->sid == SECINITSID_KERNEL)
3741 sid = task_sid(task);
3743 AVC_AUDIT_DATA_INIT(&ad, NET);
3744 ad.u.net.sk = sock->sk;
3745 err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
3751 static int selinux_socket_create(int family, int type,
3752 int protocol, int kern)
3754 const struct cred *cred = current_cred();
3755 const struct task_security_struct *tsec = cred->security;
3764 newsid = tsec->sockcreate_sid ?: sid;
3766 secclass = socket_type_to_security_class(family, type, protocol);
3767 err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL);
3773 static int selinux_socket_post_create(struct socket *sock, int family,
3774 int type, int protocol, int kern)
3776 const struct cred *cred = current_cred();
3777 const struct task_security_struct *tsec = cred->security;
3778 struct inode_security_struct *isec;
3779 struct sk_security_struct *sksec;
3784 newsid = tsec->sockcreate_sid;
3786 isec = SOCK_INODE(sock)->i_security;
3789 isec->sid = SECINITSID_KERNEL;
3795 isec->sclass = socket_type_to_security_class(family, type, protocol);
3796 isec->initialized = 1;
3799 sksec = sock->sk->sk_security;
3800 sksec->sid = isec->sid;
3801 sksec->sclass = isec->sclass;
3802 err = selinux_netlbl_socket_post_create(sock);
3808 /* Range of port numbers used to automatically bind.
3809 Need to determine whether we should perform a name_bind
3810 permission check between the socket and the port number. */
3812 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3817 err = socket_has_perm(current, sock, SOCKET__BIND);
3822 * If PF_INET or PF_INET6, check name_bind permission for the port.
3823 * Multiple address binding for SCTP is not supported yet: we just
3824 * check the first address now.
3826 family = sock->sk->sk_family;
3827 if (family == PF_INET || family == PF_INET6) {
3829 struct inode_security_struct *isec;
3830 struct avc_audit_data ad;
3831 struct sockaddr_in *addr4 = NULL;
3832 struct sockaddr_in6 *addr6 = NULL;
3833 unsigned short snum;
3834 struct sock *sk = sock->sk;
3837 isec = SOCK_INODE(sock)->i_security;
3839 if (family == PF_INET) {
3840 addr4 = (struct sockaddr_in *)address;
3841 snum = ntohs(addr4->sin_port);
3842 addrp = (char *)&addr4->sin_addr.s_addr;
3844 addr6 = (struct sockaddr_in6 *)address;
3845 snum = ntohs(addr6->sin6_port);
3846 addrp = (char *)&addr6->sin6_addr.s6_addr;
3852 inet_get_local_port_range(&low, &high);
3854 if (snum < max(PROT_SOCK, low) || snum > high) {
3855 err = sel_netport_sid(sk->sk_protocol,
3859 AVC_AUDIT_DATA_INIT(&ad, NET);
3860 ad.u.net.sport = htons(snum);
3861 ad.u.net.family = family;
3862 err = avc_has_perm(isec->sid, sid,
3864 SOCKET__NAME_BIND, &ad);
3870 switch (isec->sclass) {
3871 case SECCLASS_TCP_SOCKET:
3872 node_perm = TCP_SOCKET__NODE_BIND;
3875 case SECCLASS_UDP_SOCKET:
3876 node_perm = UDP_SOCKET__NODE_BIND;
3879 case SECCLASS_DCCP_SOCKET:
3880 node_perm = DCCP_SOCKET__NODE_BIND;
3884 node_perm = RAWIP_SOCKET__NODE_BIND;
3888 err = sel_netnode_sid(addrp, family, &sid);
3892 AVC_AUDIT_DATA_INIT(&ad, NET);
3893 ad.u.net.sport = htons(snum);
3894 ad.u.net.family = family;
3896 if (family == PF_INET)
3897 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3899 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3901 err = avc_has_perm(isec->sid, sid,
3902 isec->sclass, node_perm, &ad);
3910 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3912 struct sock *sk = sock->sk;
3913 struct inode_security_struct *isec;
3916 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3921 * If a TCP or DCCP socket, check name_connect permission for the port.
3923 isec = SOCK_INODE(sock)->i_security;
3924 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3925 isec->sclass == SECCLASS_DCCP_SOCKET) {
3926 struct avc_audit_data ad;
3927 struct sockaddr_in *addr4 = NULL;
3928 struct sockaddr_in6 *addr6 = NULL;
3929 unsigned short snum;
3932 if (sk->sk_family == PF_INET) {
3933 addr4 = (struct sockaddr_in *)address;
3934 if (addrlen < sizeof(struct sockaddr_in))
3936 snum = ntohs(addr4->sin_port);
3938 addr6 = (struct sockaddr_in6 *)address;
3939 if (addrlen < SIN6_LEN_RFC2133)
3941 snum = ntohs(addr6->sin6_port);
3944 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3948 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3949 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3951 AVC_AUDIT_DATA_INIT(&ad, NET);
3952 ad.u.net.dport = htons(snum);
3953 ad.u.net.family = sk->sk_family;
3954 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3959 err = selinux_netlbl_socket_connect(sk, address);
3965 static int selinux_socket_listen(struct socket *sock, int backlog)
3967 return socket_has_perm(current, sock, SOCKET__LISTEN);
3970 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3973 struct inode_security_struct *isec;
3974 struct inode_security_struct *newisec;
3976 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3980 newisec = SOCK_INODE(newsock)->i_security;
3982 isec = SOCK_INODE(sock)->i_security;
3983 newisec->sclass = isec->sclass;
3984 newisec->sid = isec->sid;
3985 newisec->initialized = 1;
3990 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3995 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3999 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
4002 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4003 int size, int flags)
4005 return socket_has_perm(current, sock, SOCKET__READ);
4008 static int selinux_socket_getsockname(struct socket *sock)
4010 return socket_has_perm(current, sock, SOCKET__GETATTR);
4013 static int selinux_socket_getpeername(struct socket *sock)
4015 return socket_has_perm(current, sock, SOCKET__GETATTR);
4018 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4022 err = socket_has_perm(current, sock, SOCKET__SETOPT);
4026 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4029 static int selinux_socket_getsockopt(struct socket *sock, int level,
4032 return socket_has_perm(current, sock, SOCKET__GETOPT);
4035 static int selinux_socket_shutdown(struct socket *sock, int how)
4037 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
4040 static int selinux_socket_unix_stream_connect(struct socket *sock,
4041 struct socket *other,
4044 struct sk_security_struct *ssec;
4045 struct inode_security_struct *isec;
4046 struct inode_security_struct *other_isec;
4047 struct avc_audit_data ad;
4050 err = secondary_ops->unix_stream_connect(sock, other, newsk);
4054 isec = SOCK_INODE(sock)->i_security;
4055 other_isec = SOCK_INODE(other)->i_security;
4057 AVC_AUDIT_DATA_INIT(&ad, NET);
4058 ad.u.net.sk = other->sk;
4060 err = avc_has_perm(isec->sid, other_isec->sid,
4062 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4066 /* connecting socket */
4067 ssec = sock->sk->sk_security;
4068 ssec->peer_sid = other_isec->sid;
4070 /* server child socket */
4071 ssec = newsk->sk_security;
4072 ssec->peer_sid = isec->sid;
4073 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
4078 static int selinux_socket_unix_may_send(struct socket *sock,
4079 struct socket *other)
4081 struct inode_security_struct *isec;
4082 struct inode_security_struct *other_isec;
4083 struct avc_audit_data ad;
4086 isec = SOCK_INODE(sock)->i_security;
4087 other_isec = SOCK_INODE(other)->i_security;
4089 AVC_AUDIT_DATA_INIT(&ad, NET);
4090 ad.u.net.sk = other->sk;
4092 err = avc_has_perm(isec->sid, other_isec->sid,
4093 isec->sclass, SOCKET__SENDTO, &ad);
4100 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4102 struct avc_audit_data *ad)
4108 err = sel_netif_sid(ifindex, &if_sid);
4111 err = avc_has_perm(peer_sid, if_sid,
4112 SECCLASS_NETIF, NETIF__INGRESS, ad);
4116 err = sel_netnode_sid(addrp, family, &node_sid);
4119 return avc_has_perm(peer_sid, node_sid,
4120 SECCLASS_NODE, NODE__RECVFROM, ad);
4123 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4124 struct sk_buff *skb,
4125 struct avc_audit_data *ad,
4130 struct sk_security_struct *sksec = sk->sk_security;
4132 u32 netif_perm, node_perm, recv_perm;
4133 u32 port_sid, node_sid, if_sid, sk_sid;
4135 sk_sid = sksec->sid;
4136 sk_class = sksec->sclass;
4139 case SECCLASS_UDP_SOCKET:
4140 netif_perm = NETIF__UDP_RECV;
4141 node_perm = NODE__UDP_RECV;
4142 recv_perm = UDP_SOCKET__RECV_MSG;
4144 case SECCLASS_TCP_SOCKET:
4145 netif_perm = NETIF__TCP_RECV;
4146 node_perm = NODE__TCP_RECV;
4147 recv_perm = TCP_SOCKET__RECV_MSG;
4149 case SECCLASS_DCCP_SOCKET:
4150 netif_perm = NETIF__DCCP_RECV;
4151 node_perm = NODE__DCCP_RECV;
4152 recv_perm = DCCP_SOCKET__RECV_MSG;
4155 netif_perm = NETIF__RAWIP_RECV;
4156 node_perm = NODE__RAWIP_RECV;
4161 err = sel_netif_sid(skb->iif, &if_sid);
4164 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4168 err = sel_netnode_sid(addrp, family, &node_sid);
4171 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4177 err = sel_netport_sid(sk->sk_protocol,
4178 ntohs(ad->u.net.sport), &port_sid);
4179 if (unlikely(err)) {
4181 "SELinux: failure in"
4182 " selinux_sock_rcv_skb_iptables_compat(),"
4183 " network port label not found\n");
4186 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4189 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4193 struct sk_security_struct *sksec = sk->sk_security;
4195 u32 sk_sid = sksec->sid;
4196 struct avc_audit_data ad;
4199 AVC_AUDIT_DATA_INIT(&ad, NET);
4200 ad.u.net.netif = skb->iif;
4201 ad.u.net.family = family;
4202 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4206 if (selinux_compat_net)
4207 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
4209 else if (selinux_secmark_enabled())
4210 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4215 if (selinux_policycap_netpeer) {
4216 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4219 err = avc_has_perm(sk_sid, peer_sid,
4220 SECCLASS_PEER, PEER__RECV, &ad);
4222 selinux_netlbl_err(skb, err, 0);
4224 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4227 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4233 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4236 struct sk_security_struct *sksec = sk->sk_security;
4237 u16 family = sk->sk_family;
4238 u32 sk_sid = sksec->sid;
4239 struct avc_audit_data ad;
4244 if (family != PF_INET && family != PF_INET6)
4247 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4248 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4251 /* If any sort of compatibility mode is enabled then handoff processing
4252 * to the selinux_sock_rcv_skb_compat() function to deal with the
4253 * special handling. We do this in an attempt to keep this function
4254 * as fast and as clean as possible. */
4255 if (selinux_compat_net || !selinux_policycap_netpeer)
4256 return selinux_sock_rcv_skb_compat(sk, skb, family);
4258 secmark_active = selinux_secmark_enabled();
4259 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4260 if (!secmark_active && !peerlbl_active)
4263 AVC_AUDIT_DATA_INIT(&ad, NET);
4264 ad.u.net.netif = skb->iif;
4265 ad.u.net.family = family;
4266 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4270 if (peerlbl_active) {
4273 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4276 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4279 selinux_netlbl_err(skb, err, 0);
4282 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4285 selinux_netlbl_err(skb, err, 0);
4288 if (secmark_active) {
4289 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4298 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4299 int __user *optlen, unsigned len)
4304 struct sk_security_struct *ssec;
4305 struct inode_security_struct *isec;
4306 u32 peer_sid = SECSID_NULL;
4308 isec = SOCK_INODE(sock)->i_security;
4310 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4311 isec->sclass == SECCLASS_TCP_SOCKET) {
4312 ssec = sock->sk->sk_security;
4313 peer_sid = ssec->peer_sid;
4315 if (peer_sid == SECSID_NULL) {
4320 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4325 if (scontext_len > len) {
4330 if (copy_to_user(optval, scontext, scontext_len))
4334 if (put_user(scontext_len, optlen))
4342 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4344 u32 peer_secid = SECSID_NULL;
4347 if (skb && skb->protocol == htons(ETH_P_IP))
4349 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4352 family = sock->sk->sk_family;
4356 if (sock && family == PF_UNIX)
4357 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4359 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4362 *secid = peer_secid;
4363 if (peer_secid == SECSID_NULL)
4368 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4370 return sk_alloc_security(sk, family, priority);
4373 static void selinux_sk_free_security(struct sock *sk)
4375 sk_free_security(sk);
4378 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4380 struct sk_security_struct *ssec = sk->sk_security;
4381 struct sk_security_struct *newssec = newsk->sk_security;
4383 newssec->sid = ssec->sid;
4384 newssec->peer_sid = ssec->peer_sid;
4385 newssec->sclass = ssec->sclass;
4387 selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4390 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4393 *secid = SECINITSID_ANY_SOCKET;
4395 struct sk_security_struct *sksec = sk->sk_security;
4397 *secid = sksec->sid;
4401 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4403 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4404 struct sk_security_struct *sksec = sk->sk_security;
4406 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4407 sk->sk_family == PF_UNIX)
4408 isec->sid = sksec->sid;
4409 sksec->sclass = isec->sclass;
4412 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4413 struct request_sock *req)
4415 struct sk_security_struct *sksec = sk->sk_security;
4417 u16 family = sk->sk_family;
4421 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4422 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4425 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4428 if (peersid == SECSID_NULL) {
4429 req->secid = sksec->sid;
4430 req->peer_secid = SECSID_NULL;
4434 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4438 req->secid = newsid;
4439 req->peer_secid = peersid;
4443 static void selinux_inet_csk_clone(struct sock *newsk,
4444 const struct request_sock *req)
4446 struct sk_security_struct *newsksec = newsk->sk_security;
4448 newsksec->sid = req->secid;
4449 newsksec->peer_sid = req->peer_secid;
4450 /* NOTE: Ideally, we should also get the isec->sid for the
4451 new socket in sync, but we don't have the isec available yet.
4452 So we will wait until sock_graft to do it, by which
4453 time it will have been created and available. */
4455 /* We don't need to take any sort of lock here as we are the only
4456 * thread with access to newsksec */
4457 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4460 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4462 u16 family = sk->sk_family;
4463 struct sk_security_struct *sksec = sk->sk_security;
4465 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4466 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4469 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4471 selinux_netlbl_inet_conn_established(sk, family);
4474 static void selinux_req_classify_flow(const struct request_sock *req,
4477 fl->secid = req->secid;
4480 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4484 struct nlmsghdr *nlh;
4485 struct socket *sock = sk->sk_socket;
4486 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4488 if (skb->len < NLMSG_SPACE(0)) {
4492 nlh = nlmsg_hdr(skb);
4494 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4496 if (err == -EINVAL) {
4497 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4498 "SELinux: unrecognized netlink message"
4499 " type=%hu for sclass=%hu\n",
4500 nlh->nlmsg_type, isec->sclass);
4501 if (!selinux_enforcing || security_get_allow_unknown())
4511 err = socket_has_perm(current, sock, perm);
4516 #ifdef CONFIG_NETFILTER
4518 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4524 struct avc_audit_data ad;
4529 if (!selinux_policycap_netpeer)
4532 secmark_active = selinux_secmark_enabled();
4533 netlbl_active = netlbl_enabled();
4534 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4535 if (!secmark_active && !peerlbl_active)
4538 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4541 AVC_AUDIT_DATA_INIT(&ad, NET);
4542 ad.u.net.netif = ifindex;
4543 ad.u.net.family = family;
4544 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4547 if (peerlbl_active) {
4548 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4551 selinux_netlbl_err(skb, err, 1);
4557 if (avc_has_perm(peer_sid, skb->secmark,
4558 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4562 /* we do this in the FORWARD path and not the POST_ROUTING
4563 * path because we want to make sure we apply the necessary
4564 * labeling before IPsec is applied so we can leverage AH
4566 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4572 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4573 struct sk_buff *skb,
4574 const struct net_device *in,
4575 const struct net_device *out,
4576 int (*okfn)(struct sk_buff *))
4578 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4581 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4582 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4583 struct sk_buff *skb,
4584 const struct net_device *in,
4585 const struct net_device *out,
4586 int (*okfn)(struct sk_buff *))
4588 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4592 static unsigned int selinux_ip_output(struct sk_buff *skb,
4597 if (!netlbl_enabled())
4600 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4601 * because we want to make sure we apply the necessary labeling
4602 * before IPsec is applied so we can leverage AH protection */
4604 struct sk_security_struct *sksec = skb->sk->sk_security;
4607 sid = SECINITSID_KERNEL;
4608 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4614 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4615 struct sk_buff *skb,
4616 const struct net_device *in,
4617 const struct net_device *out,
4618 int (*okfn)(struct sk_buff *))
4620 return selinux_ip_output(skb, PF_INET);
4623 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4625 struct avc_audit_data *ad,
4626 u16 family, char *addrp)
4629 struct sk_security_struct *sksec = sk->sk_security;
4631 u32 netif_perm, node_perm, send_perm;
4632 u32 port_sid, node_sid, if_sid, sk_sid;
4634 sk_sid = sksec->sid;
4635 sk_class = sksec->sclass;
4638 case SECCLASS_UDP_SOCKET:
4639 netif_perm = NETIF__UDP_SEND;
4640 node_perm = NODE__UDP_SEND;
4641 send_perm = UDP_SOCKET__SEND_MSG;
4643 case SECCLASS_TCP_SOCKET:
4644 netif_perm = NETIF__TCP_SEND;
4645 node_perm = NODE__TCP_SEND;
4646 send_perm = TCP_SOCKET__SEND_MSG;
4648 case SECCLASS_DCCP_SOCKET:
4649 netif_perm = NETIF__DCCP_SEND;
4650 node_perm = NODE__DCCP_SEND;
4651 send_perm = DCCP_SOCKET__SEND_MSG;
4654 netif_perm = NETIF__RAWIP_SEND;
4655 node_perm = NODE__RAWIP_SEND;
4660 err = sel_netif_sid(ifindex, &if_sid);
4663 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4666 err = sel_netnode_sid(addrp, family, &node_sid);
4669 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4676 err = sel_netport_sid(sk->sk_protocol,
4677 ntohs(ad->u.net.dport), &port_sid);
4678 if (unlikely(err)) {
4680 "SELinux: failure in"
4681 " selinux_ip_postroute_iptables_compat(),"
4682 " network port label not found\n");
4685 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4688 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4692 struct sock *sk = skb->sk;
4693 struct sk_security_struct *sksec;
4694 struct avc_audit_data ad;
4700 sksec = sk->sk_security;
4702 AVC_AUDIT_DATA_INIT(&ad, NET);
4703 ad.u.net.netif = ifindex;
4704 ad.u.net.family = family;
4705 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4708 if (selinux_compat_net) {
4709 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4710 &ad, family, addrp))
4712 } else if (selinux_secmark_enabled()) {
4713 if (avc_has_perm(sksec->sid, skb->secmark,
4714 SECCLASS_PACKET, PACKET__SEND, &ad))
4718 if (selinux_policycap_netpeer)
4719 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4725 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4731 struct avc_audit_data ad;
4736 /* If any sort of compatibility mode is enabled then handoff processing
4737 * to the selinux_ip_postroute_compat() function to deal with the
4738 * special handling. We do this in an attempt to keep this function
4739 * as fast and as clean as possible. */
4740 if (selinux_compat_net || !selinux_policycap_netpeer)
4741 return selinux_ip_postroute_compat(skb, ifindex, family);
4743 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4744 * packet transformation so allow the packet to pass without any checks
4745 * since we'll have another chance to perform access control checks
4746 * when the packet is on it's final way out.
4747 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4748 * is NULL, in this case go ahead and apply access control. */
4749 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4752 secmark_active = selinux_secmark_enabled();
4753 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4754 if (!secmark_active && !peerlbl_active)
4757 /* if the packet is being forwarded then get the peer label from the
4758 * packet itself; otherwise check to see if it is from a local
4759 * application or the kernel, if from an application get the peer label
4760 * from the sending socket, otherwise use the kernel's sid */
4765 if (IPCB(skb)->flags & IPSKB_FORWARDED)
4766 secmark_perm = PACKET__FORWARD_OUT;
4768 secmark_perm = PACKET__SEND;
4771 if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
4772 secmark_perm = PACKET__FORWARD_OUT;
4774 secmark_perm = PACKET__SEND;
4779 if (secmark_perm == PACKET__FORWARD_OUT) {
4780 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4783 peer_sid = SECINITSID_KERNEL;
4785 struct sk_security_struct *sksec = sk->sk_security;
4786 peer_sid = sksec->sid;
4787 secmark_perm = PACKET__SEND;
4790 AVC_AUDIT_DATA_INIT(&ad, NET);
4791 ad.u.net.netif = ifindex;
4792 ad.u.net.family = family;
4793 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4797 if (avc_has_perm(peer_sid, skb->secmark,
4798 SECCLASS_PACKET, secmark_perm, &ad))
4801 if (peerlbl_active) {
4805 if (sel_netif_sid(ifindex, &if_sid))
4807 if (avc_has_perm(peer_sid, if_sid,
4808 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4811 if (sel_netnode_sid(addrp, family, &node_sid))
4813 if (avc_has_perm(peer_sid, node_sid,
4814 SECCLASS_NODE, NODE__SENDTO, &ad))
4821 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4822 struct sk_buff *skb,
4823 const struct net_device *in,
4824 const struct net_device *out,
4825 int (*okfn)(struct sk_buff *))
4827 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4830 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4831 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4832 struct sk_buff *skb,
4833 const struct net_device *in,
4834 const struct net_device *out,
4835 int (*okfn)(struct sk_buff *))
4837 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4841 #endif /* CONFIG_NETFILTER */
4843 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4847 err = secondary_ops->netlink_send(sk, skb);
4851 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4852 err = selinux_nlmsg_perm(sk, skb);
4857 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4860 struct avc_audit_data ad;
4862 err = secondary_ops->netlink_recv(skb, capability);
4866 AVC_AUDIT_DATA_INIT(&ad, CAP);
4867 ad.u.cap = capability;
4869 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4870 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4873 static int ipc_alloc_security(struct task_struct *task,
4874 struct kern_ipc_perm *perm,
4877 struct ipc_security_struct *isec;
4880 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4884 sid = task_sid(task);
4885 isec->sclass = sclass;
4887 perm->security = isec;
4892 static void ipc_free_security(struct kern_ipc_perm *perm)
4894 struct ipc_security_struct *isec = perm->security;
4895 perm->security = NULL;
4899 static int msg_msg_alloc_security(struct msg_msg *msg)
4901 struct msg_security_struct *msec;
4903 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4907 msec->sid = SECINITSID_UNLABELED;
4908 msg->security = msec;
4913 static void msg_msg_free_security(struct msg_msg *msg)
4915 struct msg_security_struct *msec = msg->security;
4917 msg->security = NULL;
4921 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4924 struct ipc_security_struct *isec;
4925 struct avc_audit_data ad;
4926 u32 sid = current_sid();
4928 isec = ipc_perms->security;
4930 AVC_AUDIT_DATA_INIT(&ad, IPC);
4931 ad.u.ipc_id = ipc_perms->key;
4933 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4936 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4938 return msg_msg_alloc_security(msg);
4941 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4943 msg_msg_free_security(msg);
4946 /* message queue security operations */
4947 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4949 struct ipc_security_struct *isec;
4950 struct avc_audit_data ad;
4951 u32 sid = current_sid();
4954 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4958 isec = msq->q_perm.security;
4960 AVC_AUDIT_DATA_INIT(&ad, IPC);
4961 ad.u.ipc_id = msq->q_perm.key;
4963 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4966 ipc_free_security(&msq->q_perm);
4972 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4974 ipc_free_security(&msq->q_perm);
4977 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4979 struct ipc_security_struct *isec;
4980 struct avc_audit_data ad;
4981 u32 sid = current_sid();
4983 isec = msq->q_perm.security;
4985 AVC_AUDIT_DATA_INIT(&ad, IPC);
4986 ad.u.ipc_id = msq->q_perm.key;
4988 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4989 MSGQ__ASSOCIATE, &ad);
4992 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5000 /* No specific object, just general system-wide information. */
5001 return task_has_system(current, SYSTEM__IPC_INFO);
5004 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5007 perms = MSGQ__SETATTR;
5010 perms = MSGQ__DESTROY;
5016 err = ipc_has_perm(&msq->q_perm, perms);
5020 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5022 struct ipc_security_struct *isec;
5023 struct msg_security_struct *msec;
5024 struct avc_audit_data ad;
5025 u32 sid = current_sid();
5028 isec = msq->q_perm.security;
5029 msec = msg->security;
5032 * First time through, need to assign label to the message
5034 if (msec->sid == SECINITSID_UNLABELED) {
5036 * Compute new sid based on current process and
5037 * message queue this message will be stored in
5039 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5045 AVC_AUDIT_DATA_INIT(&ad, IPC);
5046 ad.u.ipc_id = msq->q_perm.key;
5048 /* Can this process write to the queue? */
5049 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5052 /* Can this process send the message */
5053 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5056 /* Can the message be put in the queue? */
5057 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5058 MSGQ__ENQUEUE, &ad);
5063 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5064 struct task_struct *target,
5065 long type, int mode)
5067 struct ipc_security_struct *isec;
5068 struct msg_security_struct *msec;
5069 struct avc_audit_data ad;
5070 u32 sid = task_sid(target);
5073 isec = msq->q_perm.security;
5074 msec = msg->security;
5076 AVC_AUDIT_DATA_INIT(&ad, IPC);
5077 ad.u.ipc_id = msq->q_perm.key;
5079 rc = avc_has_perm(sid, isec->sid,
5080 SECCLASS_MSGQ, MSGQ__READ, &ad);
5082 rc = avc_has_perm(sid, msec->sid,
5083 SECCLASS_MSG, MSG__RECEIVE, &ad);
5087 /* Shared Memory security operations */
5088 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5090 struct ipc_security_struct *isec;
5091 struct avc_audit_data ad;
5092 u32 sid = current_sid();
5095 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5099 isec = shp->shm_perm.security;
5101 AVC_AUDIT_DATA_INIT(&ad, IPC);
5102 ad.u.ipc_id = shp->shm_perm.key;
5104 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5107 ipc_free_security(&shp->shm_perm);
5113 static void selinux_shm_free_security(struct shmid_kernel *shp)
5115 ipc_free_security(&shp->shm_perm);
5118 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5120 struct ipc_security_struct *isec;
5121 struct avc_audit_data ad;
5122 u32 sid = current_sid();
5124 isec = shp->shm_perm.security;
5126 AVC_AUDIT_DATA_INIT(&ad, IPC);
5127 ad.u.ipc_id = shp->shm_perm.key;
5129 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5130 SHM__ASSOCIATE, &ad);
5133 /* Note, at this point, shp is locked down */
5134 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5142 /* No specific object, just general system-wide information. */
5143 return task_has_system(current, SYSTEM__IPC_INFO);
5146 perms = SHM__GETATTR | SHM__ASSOCIATE;
5149 perms = SHM__SETATTR;
5156 perms = SHM__DESTROY;
5162 err = ipc_has_perm(&shp->shm_perm, perms);
5166 static int selinux_shm_shmat(struct shmid_kernel *shp,
5167 char __user *shmaddr, int shmflg)
5172 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
5176 if (shmflg & SHM_RDONLY)
5179 perms = SHM__READ | SHM__WRITE;
5181 return ipc_has_perm(&shp->shm_perm, perms);
5184 /* Semaphore security operations */
5185 static int selinux_sem_alloc_security(struct sem_array *sma)
5187 struct ipc_security_struct *isec;
5188 struct avc_audit_data ad;
5189 u32 sid = current_sid();
5192 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5196 isec = sma->sem_perm.security;
5198 AVC_AUDIT_DATA_INIT(&ad, IPC);
5199 ad.u.ipc_id = sma->sem_perm.key;
5201 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5204 ipc_free_security(&sma->sem_perm);
5210 static void selinux_sem_free_security(struct sem_array *sma)
5212 ipc_free_security(&sma->sem_perm);
5215 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5217 struct ipc_security_struct *isec;
5218 struct avc_audit_data ad;
5219 u32 sid = current_sid();
5221 isec = sma->sem_perm.security;
5223 AVC_AUDIT_DATA_INIT(&ad, IPC);
5224 ad.u.ipc_id = sma->sem_perm.key;
5226 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5227 SEM__ASSOCIATE, &ad);
5230 /* Note, at this point, sma is locked down */
5231 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5239 /* No specific object, just general system-wide information. */
5240 return task_has_system(current, SYSTEM__IPC_INFO);
5244 perms = SEM__GETATTR;
5255 perms = SEM__DESTROY;
5258 perms = SEM__SETATTR;
5262 perms = SEM__GETATTR | SEM__ASSOCIATE;
5268 err = ipc_has_perm(&sma->sem_perm, perms);
5272 static int selinux_sem_semop(struct sem_array *sma,
5273 struct sembuf *sops, unsigned nsops, int alter)
5278 perms = SEM__READ | SEM__WRITE;
5282 return ipc_has_perm(&sma->sem_perm, perms);
5285 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5291 av |= IPC__UNIX_READ;
5293 av |= IPC__UNIX_WRITE;
5298 return ipc_has_perm(ipcp, av);
5301 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5303 struct ipc_security_struct *isec = ipcp->security;
5307 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5310 inode_doinit_with_dentry(inode, dentry);
5313 static int selinux_getprocattr(struct task_struct *p,
5314 char *name, char **value)
5316 const struct task_security_struct *__tsec;
5322 error = current_has_perm(p, PROCESS__GETATTR);
5328 __tsec = __task_cred(p)->security;
5330 if (!strcmp(name, "current"))
5332 else if (!strcmp(name, "prev"))
5334 else if (!strcmp(name, "exec"))
5335 sid = __tsec->exec_sid;
5336 else if (!strcmp(name, "fscreate"))
5337 sid = __tsec->create_sid;
5338 else if (!strcmp(name, "keycreate"))
5339 sid = __tsec->keycreate_sid;
5340 else if (!strcmp(name, "sockcreate"))
5341 sid = __tsec->sockcreate_sid;
5349 error = security_sid_to_context(sid, value, &len);
5359 static int selinux_setprocattr(struct task_struct *p,
5360 char *name, void *value, size_t size)
5362 struct task_security_struct *tsec;
5363 struct task_struct *tracer;
5370 /* SELinux only allows a process to change its own
5371 security attributes. */
5376 * Basic control over ability to set these attributes at all.
5377 * current == p, but we'll pass them separately in case the
5378 * above restriction is ever removed.
5380 if (!strcmp(name, "exec"))
5381 error = current_has_perm(p, PROCESS__SETEXEC);
5382 else if (!strcmp(name, "fscreate"))
5383 error = current_has_perm(p, PROCESS__SETFSCREATE);
5384 else if (!strcmp(name, "keycreate"))
5385 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5386 else if (!strcmp(name, "sockcreate"))
5387 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5388 else if (!strcmp(name, "current"))
5389 error = current_has_perm(p, PROCESS__SETCURRENT);
5395 /* Obtain a SID for the context, if one was specified. */
5396 if (size && str[1] && str[1] != '\n') {
5397 if (str[size-1] == '\n') {
5401 error = security_context_to_sid(value, size, &sid);
5402 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5403 if (!capable(CAP_MAC_ADMIN))
5405 error = security_context_to_sid_force(value, size,
5412 new = prepare_creds();
5416 /* Permission checking based on the specified context is
5417 performed during the actual operation (execve,
5418 open/mkdir/...), when we know the full context of the
5419 operation. See selinux_bprm_set_creds for the execve
5420 checks and may_create for the file creation checks. The
5421 operation will then fail if the context is not permitted. */
5422 tsec = new->security;
5423 if (!strcmp(name, "exec")) {
5424 tsec->exec_sid = sid;
5425 } else if (!strcmp(name, "fscreate")) {
5426 tsec->create_sid = sid;
5427 } else if (!strcmp(name, "keycreate")) {
5428 error = may_create_key(sid, p);
5431 tsec->keycreate_sid = sid;
5432 } else if (!strcmp(name, "sockcreate")) {
5433 tsec->sockcreate_sid = sid;
5434 } else if (!strcmp(name, "current")) {
5439 /* Only allow single threaded processes to change context */
5441 if (!is_single_threaded(p)) {
5442 error = security_bounded_transition(tsec->sid, sid);
5447 /* Check permissions for the transition. */
5448 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5449 PROCESS__DYNTRANSITION, NULL);
5453 /* Check for ptracing, and update the task SID if ok.
5454 Otherwise, leave SID unchanged and fail. */
5457 tracer = tracehook_tracer_task(p);
5459 ptsid = task_sid(tracer);
5463 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5464 PROCESS__PTRACE, NULL);
5483 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5485 return security_sid_to_context(secid, secdata, seclen);
5488 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5490 return security_context_to_sid(secdata, seclen, secid);
5493 static void selinux_release_secctx(char *secdata, u32 seclen)
5500 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5501 unsigned long flags)
5503 const struct task_security_struct *tsec;
5504 struct key_security_struct *ksec;
5506 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5510 tsec = cred->security;
5511 if (tsec->keycreate_sid)
5512 ksec->sid = tsec->keycreate_sid;
5514 ksec->sid = tsec->sid;
5520 static void selinux_key_free(struct key *k)
5522 struct key_security_struct *ksec = k->security;
5528 static int selinux_key_permission(key_ref_t key_ref,
5529 const struct cred *cred,
5533 struct key_security_struct *ksec;
5536 /* if no specific permissions are requested, we skip the
5537 permission check. No serious, additional covert channels
5538 appear to be created. */
5542 sid = cred_sid(cred);
5544 key = key_ref_to_ptr(key_ref);
5545 ksec = key->security;
5547 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5550 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5552 struct key_security_struct *ksec = key->security;
5553 char *context = NULL;
5557 rc = security_sid_to_context(ksec->sid, &context, &len);
5566 static struct security_operations selinux_ops = {
5569 .ptrace_may_access = selinux_ptrace_may_access,
5570 .ptrace_traceme = selinux_ptrace_traceme,
5571 .capget = selinux_capget,
5572 .capset = selinux_capset,
5573 .sysctl = selinux_sysctl,
5574 .capable = selinux_capable,
5575 .quotactl = selinux_quotactl,
5576 .quota_on = selinux_quota_on,
5577 .syslog = selinux_syslog,
5578 .vm_enough_memory = selinux_vm_enough_memory,
5580 .netlink_send = selinux_netlink_send,
5581 .netlink_recv = selinux_netlink_recv,
5583 .bprm_set_creds = selinux_bprm_set_creds,
5584 .bprm_check_security = selinux_bprm_check_security,
5585 .bprm_committing_creds = selinux_bprm_committing_creds,
5586 .bprm_committed_creds = selinux_bprm_committed_creds,
5587 .bprm_secureexec = selinux_bprm_secureexec,
5589 .sb_alloc_security = selinux_sb_alloc_security,
5590 .sb_free_security = selinux_sb_free_security,
5591 .sb_copy_data = selinux_sb_copy_data,
5592 .sb_kern_mount = selinux_sb_kern_mount,
5593 .sb_show_options = selinux_sb_show_options,
5594 .sb_statfs = selinux_sb_statfs,
5595 .sb_mount = selinux_mount,
5596 .sb_umount = selinux_umount,
5597 .sb_set_mnt_opts = selinux_set_mnt_opts,
5598 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5599 .sb_parse_opts_str = selinux_parse_opts_str,
5602 .inode_alloc_security = selinux_inode_alloc_security,
5603 .inode_free_security = selinux_inode_free_security,
5604 .inode_init_security = selinux_inode_init_security,
5605 .inode_create = selinux_inode_create,
5606 .inode_link = selinux_inode_link,
5607 .inode_unlink = selinux_inode_unlink,
5608 .inode_symlink = selinux_inode_symlink,
5609 .inode_mkdir = selinux_inode_mkdir,
5610 .inode_rmdir = selinux_inode_rmdir,
5611 .inode_mknod = selinux_inode_mknod,
5612 .inode_rename = selinux_inode_rename,
5613 .inode_readlink = selinux_inode_readlink,
5614 .inode_follow_link = selinux_inode_follow_link,
5615 .inode_permission = selinux_inode_permission,
5616 .inode_setattr = selinux_inode_setattr,
5617 .inode_getattr = selinux_inode_getattr,
5618 .inode_setxattr = selinux_inode_setxattr,
5619 .inode_post_setxattr = selinux_inode_post_setxattr,
5620 .inode_getxattr = selinux_inode_getxattr,
5621 .inode_listxattr = selinux_inode_listxattr,
5622 .inode_removexattr = selinux_inode_removexattr,
5623 .inode_getsecurity = selinux_inode_getsecurity,
5624 .inode_setsecurity = selinux_inode_setsecurity,
5625 .inode_listsecurity = selinux_inode_listsecurity,
5626 .inode_need_killpriv = selinux_inode_need_killpriv,
5627 .inode_killpriv = selinux_inode_killpriv,
5628 .inode_getsecid = selinux_inode_getsecid,
5630 .file_permission = selinux_file_permission,
5631 .file_alloc_security = selinux_file_alloc_security,
5632 .file_free_security = selinux_file_free_security,
5633 .file_ioctl = selinux_file_ioctl,
5634 .file_mmap = selinux_file_mmap,
5635 .file_mprotect = selinux_file_mprotect,
5636 .file_lock = selinux_file_lock,
5637 .file_fcntl = selinux_file_fcntl,
5638 .file_set_fowner = selinux_file_set_fowner,
5639 .file_send_sigiotask = selinux_file_send_sigiotask,
5640 .file_receive = selinux_file_receive,
5642 .dentry_open = selinux_dentry_open,
5644 .task_create = selinux_task_create,
5645 .cred_free = selinux_cred_free,
5646 .cred_prepare = selinux_cred_prepare,
5647 .cred_commit = selinux_cred_commit,
5648 .kernel_act_as = selinux_kernel_act_as,
5649 .kernel_create_files_as = selinux_kernel_create_files_as,
5650 .task_setuid = selinux_task_setuid,
5651 .task_fix_setuid = selinux_task_fix_setuid,
5652 .task_setgid = selinux_task_setgid,
5653 .task_setpgid = selinux_task_setpgid,
5654 .task_getpgid = selinux_task_getpgid,
5655 .task_getsid = selinux_task_getsid,
5656 .task_getsecid = selinux_task_getsecid,
5657 .task_setgroups = selinux_task_setgroups,
5658 .task_setnice = selinux_task_setnice,
5659 .task_setioprio = selinux_task_setioprio,
5660 .task_getioprio = selinux_task_getioprio,
5661 .task_setrlimit = selinux_task_setrlimit,
5662 .task_setscheduler = selinux_task_setscheduler,
5663 .task_getscheduler = selinux_task_getscheduler,
5664 .task_movememory = selinux_task_movememory,
5665 .task_kill = selinux_task_kill,
5666 .task_wait = selinux_task_wait,
5667 .task_prctl = selinux_task_prctl,
5668 .task_to_inode = selinux_task_to_inode,
5670 .ipc_permission = selinux_ipc_permission,
5671 .ipc_getsecid = selinux_ipc_getsecid,
5673 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5674 .msg_msg_free_security = selinux_msg_msg_free_security,
5676 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5677 .msg_queue_free_security = selinux_msg_queue_free_security,
5678 .msg_queue_associate = selinux_msg_queue_associate,
5679 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5680 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5681 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5683 .shm_alloc_security = selinux_shm_alloc_security,
5684 .shm_free_security = selinux_shm_free_security,
5685 .shm_associate = selinux_shm_associate,
5686 .shm_shmctl = selinux_shm_shmctl,
5687 .shm_shmat = selinux_shm_shmat,
5689 .sem_alloc_security = selinux_sem_alloc_security,
5690 .sem_free_security = selinux_sem_free_security,
5691 .sem_associate = selinux_sem_associate,
5692 .sem_semctl = selinux_sem_semctl,
5693 .sem_semop = selinux_sem_semop,
5695 .d_instantiate = selinux_d_instantiate,
5697 .getprocattr = selinux_getprocattr,
5698 .setprocattr = selinux_setprocattr,
5700 .secid_to_secctx = selinux_secid_to_secctx,
5701 .secctx_to_secid = selinux_secctx_to_secid,
5702 .release_secctx = selinux_release_secctx,
5704 .unix_stream_connect = selinux_socket_unix_stream_connect,
5705 .unix_may_send = selinux_socket_unix_may_send,
5707 .socket_create = selinux_socket_create,
5708 .socket_post_create = selinux_socket_post_create,
5709 .socket_bind = selinux_socket_bind,
5710 .socket_connect = selinux_socket_connect,
5711 .socket_listen = selinux_socket_listen,
5712 .socket_accept = selinux_socket_accept,
5713 .socket_sendmsg = selinux_socket_sendmsg,
5714 .socket_recvmsg = selinux_socket_recvmsg,
5715 .socket_getsockname = selinux_socket_getsockname,
5716 .socket_getpeername = selinux_socket_getpeername,
5717 .socket_getsockopt = selinux_socket_getsockopt,
5718 .socket_setsockopt = selinux_socket_setsockopt,
5719 .socket_shutdown = selinux_socket_shutdown,
5720 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5721 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5722 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5723 .sk_alloc_security = selinux_sk_alloc_security,
5724 .sk_free_security = selinux_sk_free_security,
5725 .sk_clone_security = selinux_sk_clone_security,
5726 .sk_getsecid = selinux_sk_getsecid,
5727 .sock_graft = selinux_sock_graft,
5728 .inet_conn_request = selinux_inet_conn_request,
5729 .inet_csk_clone = selinux_inet_csk_clone,
5730 .inet_conn_established = selinux_inet_conn_established,
5731 .req_classify_flow = selinux_req_classify_flow,
5733 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5734 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5735 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5736 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5737 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5738 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5739 .xfrm_state_free_security = selinux_xfrm_state_free,
5740 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5741 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5742 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5743 .xfrm_decode_session = selinux_xfrm_decode_session,
5747 .key_alloc = selinux_key_alloc,
5748 .key_free = selinux_key_free,
5749 .key_permission = selinux_key_permission,
5750 .key_getsecurity = selinux_key_getsecurity,
5754 .audit_rule_init = selinux_audit_rule_init,
5755 .audit_rule_known = selinux_audit_rule_known,
5756 .audit_rule_match = selinux_audit_rule_match,
5757 .audit_rule_free = selinux_audit_rule_free,
5761 static __init int selinux_init(void)
5763 if (!security_module_enable(&selinux_ops)) {
5764 selinux_enabled = 0;
5768 if (!selinux_enabled) {
5769 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5773 printk(KERN_INFO "SELinux: Initializing.\n");
5775 /* Set the security state for the initial task. */
5776 cred_init_security();
5778 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5779 sizeof(struct inode_security_struct),
5780 0, SLAB_PANIC, NULL);
5783 secondary_ops = security_ops;
5785 panic("SELinux: No initial security operations\n");
5786 if (register_security(&selinux_ops))
5787 panic("SELinux: Unable to register with kernel.\n");
5789 if (selinux_enforcing)
5790 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5792 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5797 void selinux_complete_init(void)
5799 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5801 /* Set up any superblocks initialized prior to the policy load. */
5802 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5803 spin_lock(&sb_lock);
5804 spin_lock(&sb_security_lock);
5806 if (!list_empty(&superblock_security_head)) {
5807 struct superblock_security_struct *sbsec =
5808 list_entry(superblock_security_head.next,
5809 struct superblock_security_struct,
5811 struct super_block *sb = sbsec->sb;
5813 spin_unlock(&sb_security_lock);
5814 spin_unlock(&sb_lock);
5815 down_read(&sb->s_umount);
5817 superblock_doinit(sb, NULL);
5819 spin_lock(&sb_lock);
5820 spin_lock(&sb_security_lock);
5821 list_del_init(&sbsec->list);
5824 spin_unlock(&sb_security_lock);
5825 spin_unlock(&sb_lock);
5828 /* SELinux requires early initialization in order to label
5829 all processes and objects when they are created. */
5830 security_initcall(selinux_init);
5832 #if defined(CONFIG_NETFILTER)
5834 static struct nf_hook_ops selinux_ipv4_ops[] = {
5836 .hook = selinux_ipv4_postroute,
5837 .owner = THIS_MODULE,
5839 .hooknum = NF_INET_POST_ROUTING,
5840 .priority = NF_IP_PRI_SELINUX_LAST,
5843 .hook = selinux_ipv4_forward,
5844 .owner = THIS_MODULE,
5846 .hooknum = NF_INET_FORWARD,
5847 .priority = NF_IP_PRI_SELINUX_FIRST,
5850 .hook = selinux_ipv4_output,
5851 .owner = THIS_MODULE,
5853 .hooknum = NF_INET_LOCAL_OUT,
5854 .priority = NF_IP_PRI_SELINUX_FIRST,
5858 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5860 static struct nf_hook_ops selinux_ipv6_ops[] = {
5862 .hook = selinux_ipv6_postroute,
5863 .owner = THIS_MODULE,
5865 .hooknum = NF_INET_POST_ROUTING,
5866 .priority = NF_IP6_PRI_SELINUX_LAST,
5869 .hook = selinux_ipv6_forward,
5870 .owner = THIS_MODULE,
5872 .hooknum = NF_INET_FORWARD,
5873 .priority = NF_IP6_PRI_SELINUX_FIRST,
5879 static int __init selinux_nf_ip_init(void)
5883 if (!selinux_enabled)
5886 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5888 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5890 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5892 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5893 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5895 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5902 __initcall(selinux_nf_ip_init);
5904 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5905 static void selinux_nf_ip_exit(void)
5907 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5909 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5910 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5911 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5916 #else /* CONFIG_NETFILTER */
5918 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5919 #define selinux_nf_ip_exit()
5922 #endif /* CONFIG_NETFILTER */
5924 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5925 static int selinux_disabled;
5927 int selinux_disable(void)
5929 extern void exit_sel_fs(void);
5931 if (ss_initialized) {
5932 /* Not permitted after initial policy load. */
5936 if (selinux_disabled) {
5937 /* Only do this once. */
5941 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5943 selinux_disabled = 1;
5944 selinux_enabled = 0;
5946 /* Reset security_ops to the secondary module, dummy or capability. */
5947 security_ops = secondary_ops;
5949 /* Unregister netfilter hooks. */
5950 selinux_nf_ip_exit();
5952 /* Unregister selinuxfs. */
git.samba.org / sfrench / cifs-2.6.git / blob