2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
89 #define NUM_SEL_MNT_OPTS 4
91 extern unsigned int policydb_loaded_version;
92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
93 extern int selinux_compat_net;
94 extern struct security_operations *security_ops;
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing = 0;
102 static int __init enforcing_setup(char *str)
104 selinux_enforcing = simple_strtol(str,NULL,0);
107 __setup("enforcing=", enforcing_setup);
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
113 static int __init selinux_enabled_setup(char *str)
115 selinux_enabled = simple_strtol(str, NULL, 0);
118 __setup("selinux=", selinux_enabled_setup);
120 int selinux_enabled = 1;
123 /* Original (dummy) security module. */
124 static struct security_operations *original_ops = NULL;
126 /* Minimal support for a secondary security module,
127 just to allow the use of the dummy or capability modules.
128 The owlsm module can alternatively be used as a secondary
129 module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations *secondary_ops = NULL;
132 /* Lists of inode and superblock security structures initialized
133 before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head);
135 static DEFINE_SPINLOCK(sb_security_lock);
137 static struct kmem_cache *sel_inode_cache;
140 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
143 * This function checks the SECMARK reference counter to see if any SECMARK
144 * targets are currently configured, if the reference counter is greater than
145 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
146 * enabled, false (0) if SECMARK is disabled.
149 static int selinux_secmark_enabled(void)
151 return (atomic_read(&selinux_secmark_refcount) > 0);
154 /* Allocate and free functions for each kind of security blob. */
156 static int task_alloc_security(struct task_struct *task)
158 struct task_security_struct *tsec;
160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
165 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166 task->security = tsec;
171 static void task_free_security(struct task_struct *task)
173 struct task_security_struct *tsec = task->security;
174 task->security = NULL;
178 static int inode_alloc_security(struct inode *inode)
180 struct task_security_struct *tsec = current->security;
181 struct inode_security_struct *isec;
183 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
187 mutex_init(&isec->lock);
188 INIT_LIST_HEAD(&isec->list);
190 isec->sid = SECINITSID_UNLABELED;
191 isec->sclass = SECCLASS_FILE;
192 isec->task_sid = tsec->sid;
193 inode->i_security = isec;
198 static void inode_free_security(struct inode *inode)
200 struct inode_security_struct *isec = inode->i_security;
201 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
203 spin_lock(&sbsec->isec_lock);
204 if (!list_empty(&isec->list))
205 list_del_init(&isec->list);
206 spin_unlock(&sbsec->isec_lock);
208 inode->i_security = NULL;
209 kmem_cache_free(sel_inode_cache, isec);
212 static int file_alloc_security(struct file *file)
214 struct task_security_struct *tsec = current->security;
215 struct file_security_struct *fsec;
217 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
222 fsec->sid = tsec->sid;
223 fsec->fown_sid = tsec->sid;
224 file->f_security = fsec;
229 static void file_free_security(struct file *file)
231 struct file_security_struct *fsec = file->f_security;
232 file->f_security = NULL;
236 static int superblock_alloc_security(struct super_block *sb)
238 struct superblock_security_struct *sbsec;
240 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
244 mutex_init(&sbsec->lock);
245 INIT_LIST_HEAD(&sbsec->list);
246 INIT_LIST_HEAD(&sbsec->isec_head);
247 spin_lock_init(&sbsec->isec_lock);
249 sbsec->sid = SECINITSID_UNLABELED;
250 sbsec->def_sid = SECINITSID_FILE;
251 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
252 sb->s_security = sbsec;
257 static void superblock_free_security(struct super_block *sb)
259 struct superblock_security_struct *sbsec = sb->s_security;
261 spin_lock(&sb_security_lock);
262 if (!list_empty(&sbsec->list))
263 list_del_init(&sbsec->list);
264 spin_unlock(&sb_security_lock);
266 sb->s_security = NULL;
270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
272 struct sk_security_struct *ssec;
274 ssec = kzalloc(sizeof(*ssec), priority);
279 ssec->peer_sid = SECINITSID_UNLABELED;
280 ssec->sid = SECINITSID_UNLABELED;
281 sk->sk_security = ssec;
283 selinux_netlbl_sk_security_init(ssec, family);
288 static void sk_free_security(struct sock *sk)
290 struct sk_security_struct *ssec = sk->sk_security;
292 sk->sk_security = NULL;
296 /* The security server must be initialized before
297 any labeling or access decisions can be provided. */
298 extern int ss_initialized;
300 /* The file system's label must be initialized prior to use. */
302 static char *labeling_behaviors[6] = {
304 "uses transition SIDs",
306 "uses genfs_contexts",
307 "not configured for labeling",
308 "uses mountpoint labeling",
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313 static inline int inode_doinit(struct inode *inode)
315 return inode_doinit_with_dentry(inode, NULL);
326 static match_table_t tokens = {
327 {Opt_context, "context=%s"},
328 {Opt_fscontext, "fscontext=%s"},
329 {Opt_defcontext, "defcontext=%s"},
330 {Opt_rootcontext, "rootcontext=%s"},
334 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
336 static int may_context_mount_sb_relabel(u32 sid,
337 struct superblock_security_struct *sbsec,
338 struct task_security_struct *tsec)
342 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343 FILESYSTEM__RELABELFROM, NULL);
347 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELTO, NULL);
352 static int may_context_mount_inode_relabel(u32 sid,
353 struct superblock_security_struct *sbsec,
354 struct task_security_struct *tsec)
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
362 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__ASSOCIATE, NULL);
367 static int sb_finish_set_opts(struct super_block *sb)
369 struct superblock_security_struct *sbsec = sb->s_security;
370 struct dentry *root = sb->s_root;
371 struct inode *root_inode = root->d_inode;
374 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
375 /* Make sure that the xattr handler exists and that no
376 error other than -ENODATA is returned by getxattr on
377 the root directory. -ENODATA is ok, as this may be
378 the first boot of the SELinux kernel before we have
379 assigned xattr values to the filesystem. */
380 if (!root_inode->i_op->getxattr) {
381 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
382 "xattr support\n", sb->s_id, sb->s_type->name);
386 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
387 if (rc < 0 && rc != -ENODATA) {
388 if (rc == -EOPNOTSUPP)
389 printk(KERN_WARNING "SELinux: (dev %s, type "
390 "%s) has no security xattr handler\n",
391 sb->s_id, sb->s_type->name);
393 printk(KERN_WARNING "SELinux: (dev %s, type "
394 "%s) getxattr errno %d\n", sb->s_id,
395 sb->s_type->name, -rc);
400 sbsec->initialized = 1;
402 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
404 sb->s_id, sb->s_type->name);
406 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
407 sb->s_id, sb->s_type->name,
408 labeling_behaviors[sbsec->behavior-1]);
410 /* Initialize the root inode. */
411 rc = inode_doinit_with_dentry(root_inode, root);
413 /* Initialize any other inodes associated with the superblock, e.g.
414 inodes created prior to initial policy load or inodes created
415 during get_sb by a pseudo filesystem that directly
417 spin_lock(&sbsec->isec_lock);
419 if (!list_empty(&sbsec->isec_head)) {
420 struct inode_security_struct *isec =
421 list_entry(sbsec->isec_head.next,
422 struct inode_security_struct, list);
423 struct inode *inode = isec->inode;
424 spin_unlock(&sbsec->isec_lock);
425 inode = igrab(inode);
427 if (!IS_PRIVATE(inode))
431 spin_lock(&sbsec->isec_lock);
432 list_del_init(&isec->list);
435 spin_unlock(&sbsec->isec_lock);
441 * This function should allow an FS to ask what it's mount security
442 * options were so it can use those later for submounts, displaying
443 * mount options, or whatever.
445 static int selinux_get_mnt_opts(const struct super_block *sb,
446 struct security_mnt_opts *opts)
449 struct superblock_security_struct *sbsec = sb->s_security;
450 char *context = NULL;
454 security_init_mnt_opts(opts);
456 if (!sbsec->initialized)
463 * if we ever use sbsec flags for anything other than tracking mount
464 * settings this is going to need a mask
467 /* count the number of mount options for this sb */
468 for (i = 0; i < 8; i++) {
470 opts->num_mnt_opts++;
474 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
475 if (!opts->mnt_opts) {
480 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
481 if (!opts->mnt_opts_flags) {
487 if (sbsec->flags & FSCONTEXT_MNT) {
488 rc = security_sid_to_context(sbsec->sid, &context, &len);
491 opts->mnt_opts[i] = context;
492 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
494 if (sbsec->flags & CONTEXT_MNT) {
495 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
498 opts->mnt_opts[i] = context;
499 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
501 if (sbsec->flags & DEFCONTEXT_MNT) {
502 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
505 opts->mnt_opts[i] = context;
506 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
508 if (sbsec->flags & ROOTCONTEXT_MNT) {
509 struct inode *root = sbsec->sb->s_root->d_inode;
510 struct inode_security_struct *isec = root->i_security;
512 rc = security_sid_to_context(isec->sid, &context, &len);
515 opts->mnt_opts[i] = context;
516 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
519 BUG_ON(i != opts->num_mnt_opts);
524 security_free_mnt_opts(opts);
528 static int bad_option(struct superblock_security_struct *sbsec, char flag,
529 u32 old_sid, u32 new_sid)
531 /* check if the old mount command had the same options */
532 if (sbsec->initialized)
533 if (!(sbsec->flags & flag) ||
534 (old_sid != new_sid))
537 /* check if we were passed the same options twice,
538 * aka someone passed context=a,context=b
540 if (!sbsec->initialized)
541 if (sbsec->flags & flag)
547 * Allow filesystems with binary mount data to explicitly set mount point
548 * labeling information.
550 static int selinux_set_mnt_opts(struct super_block *sb,
551 struct security_mnt_opts *opts)
554 struct task_security_struct *tsec = current->security;
555 struct superblock_security_struct *sbsec = sb->s_security;
556 const char *name = sb->s_type->name;
557 struct inode *inode = sbsec->sb->s_root->d_inode;
558 struct inode_security_struct *root_isec = inode->i_security;
559 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
560 u32 defcontext_sid = 0;
561 char **mount_options = opts->mnt_opts;
562 int *flags = opts->mnt_opts_flags;
563 int num_opts = opts->num_mnt_opts;
565 mutex_lock(&sbsec->lock);
567 if (!ss_initialized) {
569 /* Defer initialization until selinux_complete_init,
570 after the initial policy is loaded and the security
571 server is ready to handle calls. */
572 spin_lock(&sb_security_lock);
573 if (list_empty(&sbsec->list))
574 list_add(&sbsec->list, &superblock_security_head);
575 spin_unlock(&sb_security_lock);
579 printk(KERN_WARNING "Unable to set superblock options before "
580 "the security server is initialized\n");
585 * Binary mount data FS will come through this function twice. Once
586 * from an explicit call and once from the generic calls from the vfs.
587 * Since the generic VFS calls will not contain any security mount data
588 * we need to skip the double mount verification.
590 * This does open a hole in which we will not notice if the first
591 * mount using this sb set explict options and a second mount using
592 * this sb does not set any security options. (The first options
593 * will be used for both mounts)
595 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
600 * parse the mount options, check if they are valid sids.
601 * also check if someone is trying to mount the same sb more
602 * than once with different security options.
604 for (i = 0; i < num_opts; i++) {
606 rc = security_context_to_sid(mount_options[i],
607 strlen(mount_options[i]), &sid);
609 printk(KERN_WARNING "SELinux: security_context_to_sid"
610 "(%s) failed for (dev %s, type %s) errno=%d\n",
611 mount_options[i], sb->s_id, name, rc);
618 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
620 goto out_double_mount;
622 sbsec->flags |= FSCONTEXT_MNT;
627 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
629 goto out_double_mount;
631 sbsec->flags |= CONTEXT_MNT;
633 case ROOTCONTEXT_MNT:
634 rootcontext_sid = sid;
636 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
638 goto out_double_mount;
640 sbsec->flags |= ROOTCONTEXT_MNT;
644 defcontext_sid = sid;
646 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
648 goto out_double_mount;
650 sbsec->flags |= DEFCONTEXT_MNT;
659 if (sbsec->initialized) {
660 /* previously mounted with options, but not on this attempt? */
661 if (sbsec->flags && !num_opts)
662 goto out_double_mount;
667 if (strcmp(sb->s_type->name, "proc") == 0)
670 /* Determine the labeling behavior to use for this filesystem type. */
671 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
673 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
674 __FUNCTION__, sb->s_type->name, rc);
678 /* sets the context of the superblock for the fs being mounted. */
681 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
685 sbsec->sid = fscontext_sid;
689 * Switch to using mount point labeling behavior.
690 * sets the label used on all file below the mountpoint, and will set
691 * the superblock context if not already set.
694 if (!fscontext_sid) {
695 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
698 sbsec->sid = context_sid;
700 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
704 if (!rootcontext_sid)
705 rootcontext_sid = context_sid;
707 sbsec->mntpoint_sid = context_sid;
708 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
711 if (rootcontext_sid) {
712 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
716 root_isec->sid = rootcontext_sid;
717 root_isec->initialized = 1;
720 if (defcontext_sid) {
721 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
723 printk(KERN_WARNING "SELinux: defcontext option is "
724 "invalid for this filesystem type\n");
728 if (defcontext_sid != sbsec->def_sid) {
729 rc = may_context_mount_inode_relabel(defcontext_sid,
735 sbsec->def_sid = defcontext_sid;
738 rc = sb_finish_set_opts(sb);
740 mutex_unlock(&sbsec->lock);
744 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
745 "security settings for (dev %s, type %s)\n", sb->s_id, name);
749 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
750 struct super_block *newsb)
752 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
753 struct superblock_security_struct *newsbsec = newsb->s_security;
755 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
756 int set_context = (oldsbsec->flags & CONTEXT_MNT);
757 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
759 /* we can't error, we can't save the info, this shouldn't get called
760 * this early in the boot process. */
761 BUG_ON(!ss_initialized);
763 /* this might go away sometime down the line if there is a new user
764 * of clone, but for now, nfs better not get here... */
765 BUG_ON(newsbsec->initialized);
767 /* how can we clone if the old one wasn't set up?? */
768 BUG_ON(!oldsbsec->initialized);
770 mutex_lock(&newsbsec->lock);
772 newsbsec->flags = oldsbsec->flags;
774 newsbsec->sid = oldsbsec->sid;
775 newsbsec->def_sid = oldsbsec->def_sid;
776 newsbsec->behavior = oldsbsec->behavior;
779 u32 sid = oldsbsec->mntpoint_sid;
783 if (!set_rootcontext) {
784 struct inode *newinode = newsb->s_root->d_inode;
785 struct inode_security_struct *newisec = newinode->i_security;
788 newsbsec->mntpoint_sid = sid;
790 if (set_rootcontext) {
791 const struct inode *oldinode = oldsb->s_root->d_inode;
792 const struct inode_security_struct *oldisec = oldinode->i_security;
793 struct inode *newinode = newsb->s_root->d_inode;
794 struct inode_security_struct *newisec = newinode->i_security;
796 newisec->sid = oldisec->sid;
799 sb_finish_set_opts(newsb);
800 mutex_unlock(&newsbsec->lock);
803 static int selinux_parse_opts_str(char *options,
804 struct security_mnt_opts *opts)
807 char *context = NULL, *defcontext = NULL;
808 char *fscontext = NULL, *rootcontext = NULL;
809 int rc, num_mnt_opts = 0;
811 opts->num_mnt_opts = 0;
813 /* Standard string-based options. */
814 while ((p = strsep(&options, "|")) != NULL) {
816 substring_t args[MAX_OPT_ARGS];
821 token = match_token(p, tokens, args);
825 if (context || defcontext) {
827 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
830 context = match_strdup(&args[0]);
840 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
843 fscontext = match_strdup(&args[0]);
850 case Opt_rootcontext:
853 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
856 rootcontext = match_strdup(&args[0]);
864 if (context || defcontext) {
866 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
869 defcontext = match_strdup(&args[0]);
878 printk(KERN_WARNING "SELinux: unknown mount option\n");
885 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
889 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
890 if (!opts->mnt_opts_flags) {
891 kfree(opts->mnt_opts);
896 opts->mnt_opts[num_mnt_opts] = fscontext;
897 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
900 opts->mnt_opts[num_mnt_opts] = context;
901 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
904 opts->mnt_opts[num_mnt_opts] = rootcontext;
905 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
908 opts->mnt_opts[num_mnt_opts] = defcontext;
909 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
912 opts->num_mnt_opts = num_mnt_opts;
923 * string mount options parsing and call set the sbsec
925 static int superblock_doinit(struct super_block *sb, void *data)
928 char *options = data;
929 struct security_mnt_opts opts;
931 security_init_mnt_opts(&opts);
936 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
938 rc = selinux_parse_opts_str(options, &opts);
943 rc = selinux_set_mnt_opts(sb, &opts);
946 security_free_mnt_opts(&opts);
950 static inline u16 inode_mode_to_security_class(umode_t mode)
952 switch (mode & S_IFMT) {
954 return SECCLASS_SOCK_FILE;
956 return SECCLASS_LNK_FILE;
958 return SECCLASS_FILE;
960 return SECCLASS_BLK_FILE;
964 return SECCLASS_CHR_FILE;
966 return SECCLASS_FIFO_FILE;
970 return SECCLASS_FILE;
973 static inline int default_protocol_stream(int protocol)
975 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
978 static inline int default_protocol_dgram(int protocol)
980 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
983 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
990 return SECCLASS_UNIX_STREAM_SOCKET;
992 return SECCLASS_UNIX_DGRAM_SOCKET;
999 if (default_protocol_stream(protocol))
1000 return SECCLASS_TCP_SOCKET;
1002 return SECCLASS_RAWIP_SOCKET;
1004 if (default_protocol_dgram(protocol))
1005 return SECCLASS_UDP_SOCKET;
1007 return SECCLASS_RAWIP_SOCKET;
1009 return SECCLASS_DCCP_SOCKET;
1011 return SECCLASS_RAWIP_SOCKET;
1017 return SECCLASS_NETLINK_ROUTE_SOCKET;
1018 case NETLINK_FIREWALL:
1019 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1020 case NETLINK_INET_DIAG:
1021 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1023 return SECCLASS_NETLINK_NFLOG_SOCKET;
1025 return SECCLASS_NETLINK_XFRM_SOCKET;
1026 case NETLINK_SELINUX:
1027 return SECCLASS_NETLINK_SELINUX_SOCKET;
1029 return SECCLASS_NETLINK_AUDIT_SOCKET;
1030 case NETLINK_IP6_FW:
1031 return SECCLASS_NETLINK_IP6FW_SOCKET;
1032 case NETLINK_DNRTMSG:
1033 return SECCLASS_NETLINK_DNRT_SOCKET;
1034 case NETLINK_KOBJECT_UEVENT:
1035 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1037 return SECCLASS_NETLINK_SOCKET;
1040 return SECCLASS_PACKET_SOCKET;
1042 return SECCLASS_KEY_SOCKET;
1044 return SECCLASS_APPLETALK_SOCKET;
1047 return SECCLASS_SOCKET;
1050 #ifdef CONFIG_PROC_FS
1051 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1056 char *buffer, *path, *end;
1058 buffer = (char*)__get_free_page(GFP_KERNEL);
1063 end = buffer+buflen;
1068 while (de && de != de->parent) {
1069 buflen -= de->namelen + 1;
1073 memcpy(end, de->name, de->namelen);
1078 rc = security_genfs_sid("proc", path, tclass, sid);
1079 free_page((unsigned long)buffer);
1083 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1091 /* The inode's security attributes must be initialized before first use. */
1092 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1094 struct superblock_security_struct *sbsec = NULL;
1095 struct inode_security_struct *isec = inode->i_security;
1097 struct dentry *dentry;
1098 #define INITCONTEXTLEN 255
1099 char *context = NULL;
1103 if (isec->initialized)
1106 mutex_lock(&isec->lock);
1107 if (isec->initialized)
1110 sbsec = inode->i_sb->s_security;
1111 if (!sbsec->initialized) {
1112 /* Defer initialization until selinux_complete_init,
1113 after the initial policy is loaded and the security
1114 server is ready to handle calls. */
1115 spin_lock(&sbsec->isec_lock);
1116 if (list_empty(&isec->list))
1117 list_add(&isec->list, &sbsec->isec_head);
1118 spin_unlock(&sbsec->isec_lock);
1122 switch (sbsec->behavior) {
1123 case SECURITY_FS_USE_XATTR:
1124 if (!inode->i_op->getxattr) {
1125 isec->sid = sbsec->def_sid;
1129 /* Need a dentry, since the xattr API requires one.
1130 Life would be simpler if we could just pass the inode. */
1132 /* Called from d_instantiate or d_splice_alias. */
1133 dentry = dget(opt_dentry);
1135 /* Called from selinux_complete_init, try to find a dentry. */
1136 dentry = d_find_alias(inode);
1139 printk(KERN_WARNING "%s: no dentry for dev=%s "
1140 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1145 len = INITCONTEXTLEN;
1146 context = kmalloc(len, GFP_NOFS);
1152 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1154 if (rc == -ERANGE) {
1155 /* Need a larger buffer. Query for the right size. */
1156 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1164 context = kmalloc(len, GFP_NOFS);
1170 rc = inode->i_op->getxattr(dentry,
1176 if (rc != -ENODATA) {
1177 printk(KERN_WARNING "%s: getxattr returned "
1178 "%d for dev=%s ino=%ld\n", __FUNCTION__,
1179 -rc, inode->i_sb->s_id, inode->i_ino);
1183 /* Map ENODATA to the default file SID */
1184 sid = sbsec->def_sid;
1187 rc = security_context_to_sid_default(context, rc, &sid,
1191 printk(KERN_WARNING "%s: context_to_sid(%s) "
1192 "returned %d for dev=%s ino=%ld\n",
1193 __FUNCTION__, context, -rc,
1194 inode->i_sb->s_id, inode->i_ino);
1196 /* Leave with the unlabeled SID */
1204 case SECURITY_FS_USE_TASK:
1205 isec->sid = isec->task_sid;
1207 case SECURITY_FS_USE_TRANS:
1208 /* Default to the fs SID. */
1209 isec->sid = sbsec->sid;
1211 /* Try to obtain a transition SID. */
1212 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1213 rc = security_transition_sid(isec->task_sid,
1221 case SECURITY_FS_USE_MNTPOINT:
1222 isec->sid = sbsec->mntpoint_sid;
1225 /* Default to the fs superblock SID. */
1226 isec->sid = sbsec->sid;
1229 struct proc_inode *proci = PROC_I(inode);
1231 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1232 rc = selinux_proc_get_sid(proci->pde,
1243 isec->initialized = 1;
1246 mutex_unlock(&isec->lock);
1248 if (isec->sclass == SECCLASS_FILE)
1249 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1253 /* Convert a Linux signal to an access vector. */
1254 static inline u32 signal_to_av(int sig)
1260 /* Commonly granted from child to parent. */
1261 perm = PROCESS__SIGCHLD;
1264 /* Cannot be caught or ignored */
1265 perm = PROCESS__SIGKILL;
1268 /* Cannot be caught or ignored */
1269 perm = PROCESS__SIGSTOP;
1272 /* All other signals. */
1273 perm = PROCESS__SIGNAL;
1280 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1281 fork check, ptrace check, etc. */
1282 static int task_has_perm(struct task_struct *tsk1,
1283 struct task_struct *tsk2,
1286 struct task_security_struct *tsec1, *tsec2;
1288 tsec1 = tsk1->security;
1289 tsec2 = tsk2->security;
1290 return avc_has_perm(tsec1->sid, tsec2->sid,
1291 SECCLASS_PROCESS, perms, NULL);
1294 #if CAP_LAST_CAP > 63
1295 #error Fix SELinux to handle capabilities > 63.
1298 /* Check whether a task is allowed to use a capability. */
1299 static int task_has_capability(struct task_struct *tsk,
1302 struct task_security_struct *tsec;
1303 struct avc_audit_data ad;
1305 u32 av = CAP_TO_MASK(cap);
1307 tsec = tsk->security;
1309 AVC_AUDIT_DATA_INIT(&ad,CAP);
1313 switch (CAP_TO_INDEX(cap)) {
1315 sclass = SECCLASS_CAPABILITY;
1318 sclass = SECCLASS_CAPABILITY2;
1322 "SELinux: out of range capability %d\n", cap);
1325 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1328 /* Check whether a task is allowed to use a system operation. */
1329 static int task_has_system(struct task_struct *tsk,
1332 struct task_security_struct *tsec;
1334 tsec = tsk->security;
1336 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1337 SECCLASS_SYSTEM, perms, NULL);
1340 /* Check whether a task has a particular permission to an inode.
1341 The 'adp' parameter is optional and allows other audit
1342 data to be passed (e.g. the dentry). */
1343 static int inode_has_perm(struct task_struct *tsk,
1344 struct inode *inode,
1346 struct avc_audit_data *adp)
1348 struct task_security_struct *tsec;
1349 struct inode_security_struct *isec;
1350 struct avc_audit_data ad;
1352 if (unlikely (IS_PRIVATE (inode)))
1355 tsec = tsk->security;
1356 isec = inode->i_security;
1360 AVC_AUDIT_DATA_INIT(&ad, FS);
1361 ad.u.fs.inode = inode;
1364 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1367 /* Same as inode_has_perm, but pass explicit audit data containing
1368 the dentry to help the auditing code to more easily generate the
1369 pathname if needed. */
1370 static inline int dentry_has_perm(struct task_struct *tsk,
1371 struct vfsmount *mnt,
1372 struct dentry *dentry,
1375 struct inode *inode = dentry->d_inode;
1376 struct avc_audit_data ad;
1377 AVC_AUDIT_DATA_INIT(&ad,FS);
1378 ad.u.fs.path.mnt = mnt;
1379 ad.u.fs.path.dentry = dentry;
1380 return inode_has_perm(tsk, inode, av, &ad);
1383 /* Check whether a task can use an open file descriptor to
1384 access an inode in a given way. Check access to the
1385 descriptor itself, and then use dentry_has_perm to
1386 check a particular permission to the file.
1387 Access to the descriptor is implicitly granted if it
1388 has the same SID as the process. If av is zero, then
1389 access to the file is not checked, e.g. for cases
1390 where only the descriptor is affected like seek. */
1391 static int file_has_perm(struct task_struct *tsk,
1395 struct task_security_struct *tsec = tsk->security;
1396 struct file_security_struct *fsec = file->f_security;
1397 struct inode *inode = file->f_path.dentry->d_inode;
1398 struct avc_audit_data ad;
1401 AVC_AUDIT_DATA_INIT(&ad, FS);
1402 ad.u.fs.path = file->f_path;
1404 if (tsec->sid != fsec->sid) {
1405 rc = avc_has_perm(tsec->sid, fsec->sid,
1413 /* av is zero if only checking access to the descriptor. */
1415 return inode_has_perm(tsk, inode, av, &ad);
1420 /* Check whether a task can create a file. */
1421 static int may_create(struct inode *dir,
1422 struct dentry *dentry,
1425 struct task_security_struct *tsec;
1426 struct inode_security_struct *dsec;
1427 struct superblock_security_struct *sbsec;
1429 struct avc_audit_data ad;
1432 tsec = current->security;
1433 dsec = dir->i_security;
1434 sbsec = dir->i_sb->s_security;
1436 AVC_AUDIT_DATA_INIT(&ad, FS);
1437 ad.u.fs.path.dentry = dentry;
1439 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1440 DIR__ADD_NAME | DIR__SEARCH,
1445 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1446 newsid = tsec->create_sid;
1448 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1454 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1458 return avc_has_perm(newsid, sbsec->sid,
1459 SECCLASS_FILESYSTEM,
1460 FILESYSTEM__ASSOCIATE, &ad);
1463 /* Check whether a task can create a key. */
1464 static int may_create_key(u32 ksid,
1465 struct task_struct *ctx)
1467 struct task_security_struct *tsec;
1469 tsec = ctx->security;
1471 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1475 #define MAY_UNLINK 1
1478 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1479 static int may_link(struct inode *dir,
1480 struct dentry *dentry,
1484 struct task_security_struct *tsec;
1485 struct inode_security_struct *dsec, *isec;
1486 struct avc_audit_data ad;
1490 tsec = current->security;
1491 dsec = dir->i_security;
1492 isec = dentry->d_inode->i_security;
1494 AVC_AUDIT_DATA_INIT(&ad, FS);
1495 ad.u.fs.path.dentry = dentry;
1498 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1499 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1514 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1518 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1522 static inline int may_rename(struct inode *old_dir,
1523 struct dentry *old_dentry,
1524 struct inode *new_dir,
1525 struct dentry *new_dentry)
1527 struct task_security_struct *tsec;
1528 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1529 struct avc_audit_data ad;
1531 int old_is_dir, new_is_dir;
1534 tsec = current->security;
1535 old_dsec = old_dir->i_security;
1536 old_isec = old_dentry->d_inode->i_security;
1537 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1538 new_dsec = new_dir->i_security;
1540 AVC_AUDIT_DATA_INIT(&ad, FS);
1542 ad.u.fs.path.dentry = old_dentry;
1543 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1544 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1547 rc = avc_has_perm(tsec->sid, old_isec->sid,
1548 old_isec->sclass, FILE__RENAME, &ad);
1551 if (old_is_dir && new_dir != old_dir) {
1552 rc = avc_has_perm(tsec->sid, old_isec->sid,
1553 old_isec->sclass, DIR__REPARENT, &ad);
1558 ad.u.fs.path.dentry = new_dentry;
1559 av = DIR__ADD_NAME | DIR__SEARCH;
1560 if (new_dentry->d_inode)
1561 av |= DIR__REMOVE_NAME;
1562 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1565 if (new_dentry->d_inode) {
1566 new_isec = new_dentry->d_inode->i_security;
1567 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1568 rc = avc_has_perm(tsec->sid, new_isec->sid,
1570 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1578 /* Check whether a task can perform a filesystem operation. */
1579 static int superblock_has_perm(struct task_struct *tsk,
1580 struct super_block *sb,
1582 struct avc_audit_data *ad)
1584 struct task_security_struct *tsec;
1585 struct superblock_security_struct *sbsec;
1587 tsec = tsk->security;
1588 sbsec = sb->s_security;
1589 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1593 /* Convert a Linux mode and permission mask to an access vector. */
1594 static inline u32 file_mask_to_av(int mode, int mask)
1598 if ((mode & S_IFMT) != S_IFDIR) {
1599 if (mask & MAY_EXEC)
1600 av |= FILE__EXECUTE;
1601 if (mask & MAY_READ)
1604 if (mask & MAY_APPEND)
1606 else if (mask & MAY_WRITE)
1610 if (mask & MAY_EXEC)
1612 if (mask & MAY_WRITE)
1614 if (mask & MAY_READ)
1621 /* Convert a Linux file to an access vector. */
1622 static inline u32 file_to_av(struct file *file)
1626 if (file->f_mode & FMODE_READ)
1628 if (file->f_mode & FMODE_WRITE) {
1629 if (file->f_flags & O_APPEND)
1636 * Special file opened with flags 3 for ioctl-only use.
1644 /* Hook functions begin here. */
1646 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1648 struct task_security_struct *psec = parent->security;
1649 struct task_security_struct *csec = child->security;
1652 rc = secondary_ops->ptrace(parent,child);
1656 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1657 /* Save the SID of the tracing process for later use in apply_creds. */
1658 if (!(child->ptrace & PT_PTRACED) && !rc)
1659 csec->ptrace_sid = psec->sid;
1663 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1664 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1668 error = task_has_perm(current, target, PROCESS__GETCAP);
1672 return secondary_ops->capget(target, effective, inheritable, permitted);
1675 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1676 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1680 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1684 return task_has_perm(current, target, PROCESS__SETCAP);
1687 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1688 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1690 secondary_ops->capset_set(target, effective, inheritable, permitted);
1693 static int selinux_capable(struct task_struct *tsk, int cap)
1697 rc = secondary_ops->capable(tsk, cap);
1701 return task_has_capability(tsk,cap);
1704 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1707 char *buffer, *path, *end;
1710 buffer = (char*)__get_free_page(GFP_KERNEL);
1715 end = buffer+buflen;
1721 const char *name = table->procname;
1722 size_t namelen = strlen(name);
1723 buflen -= namelen + 1;
1727 memcpy(end, name, namelen);
1730 table = table->parent;
1736 memcpy(end, "/sys", 4);
1738 rc = security_genfs_sid("proc", path, tclass, sid);
1740 free_page((unsigned long)buffer);
1745 static int selinux_sysctl(ctl_table *table, int op)
1749 struct task_security_struct *tsec;
1753 rc = secondary_ops->sysctl(table, op);
1757 tsec = current->security;
1759 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1760 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1762 /* Default to the well-defined sysctl SID. */
1763 tsid = SECINITSID_SYSCTL;
1766 /* The op values are "defined" in sysctl.c, thereby creating
1767 * a bad coupling between this module and sysctl.c */
1769 error = avc_has_perm(tsec->sid, tsid,
1770 SECCLASS_DIR, DIR__SEARCH, NULL);
1778 error = avc_has_perm(tsec->sid, tsid,
1779 SECCLASS_FILE, av, NULL);
1785 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1798 rc = superblock_has_perm(current,
1800 FILESYSTEM__QUOTAMOD, NULL);
1805 rc = superblock_has_perm(current,
1807 FILESYSTEM__QUOTAGET, NULL);
1810 rc = 0; /* let the kernel handle invalid cmds */
1816 static int selinux_quota_on(struct dentry *dentry)
1818 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1821 static int selinux_syslog(int type)
1825 rc = secondary_ops->syslog(type);
1830 case 3: /* Read last kernel messages */
1831 case 10: /* Return size of the log buffer */
1832 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1834 case 6: /* Disable logging to console */
1835 case 7: /* Enable logging to console */
1836 case 8: /* Set level of messages printed to console */
1837 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1839 case 0: /* Close log */
1840 case 1: /* Open log */
1841 case 2: /* Read from log */
1842 case 4: /* Read/clear last kernel messages */
1843 case 5: /* Clear ring buffer */
1845 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1852 * Check that a process has enough memory to allocate a new virtual
1853 * mapping. 0 means there is enough memory for the allocation to
1854 * succeed and -ENOMEM implies there is not.
1856 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1857 * if the capability is granted, but __vm_enough_memory requires 1 if
1858 * the capability is granted.
1860 * Do not audit the selinux permission check, as this is applied to all
1861 * processes that allocate mappings.
1863 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1865 int rc, cap_sys_admin = 0;
1866 struct task_security_struct *tsec = current->security;
1868 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1870 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1871 SECCLASS_CAPABILITY,
1872 CAP_TO_MASK(CAP_SYS_ADMIN),
1879 return __vm_enough_memory(mm, pages, cap_sys_admin);
1882 /* binprm security operations */
1884 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1886 struct bprm_security_struct *bsec;
1888 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1893 bsec->sid = SECINITSID_UNLABELED;
1896 bprm->security = bsec;
1900 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1902 struct task_security_struct *tsec;
1903 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1904 struct inode_security_struct *isec;
1905 struct bprm_security_struct *bsec;
1907 struct avc_audit_data ad;
1910 rc = secondary_ops->bprm_set_security(bprm);
1914 bsec = bprm->security;
1919 tsec = current->security;
1920 isec = inode->i_security;
1922 /* Default to the current task SID. */
1923 bsec->sid = tsec->sid;
1925 /* Reset fs, key, and sock SIDs on execve. */
1926 tsec->create_sid = 0;
1927 tsec->keycreate_sid = 0;
1928 tsec->sockcreate_sid = 0;
1930 if (tsec->exec_sid) {
1931 newsid = tsec->exec_sid;
1932 /* Reset exec SID on execve. */
1935 /* Check for a default transition on this program. */
1936 rc = security_transition_sid(tsec->sid, isec->sid,
1937 SECCLASS_PROCESS, &newsid);
1942 AVC_AUDIT_DATA_INIT(&ad, FS);
1943 ad.u.fs.path = bprm->file->f_path;
1945 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1948 if (tsec->sid == newsid) {
1949 rc = avc_has_perm(tsec->sid, isec->sid,
1950 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1954 /* Check permissions for the transition. */
1955 rc = avc_has_perm(tsec->sid, newsid,
1956 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1960 rc = avc_has_perm(newsid, isec->sid,
1961 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1965 /* Clear any possibly unsafe personality bits on exec: */
1966 current->personality &= ~PER_CLEAR_ON_SETID;
1968 /* Set the security field to the new SID. */
1976 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1978 return secondary_ops->bprm_check_security(bprm);
1982 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1984 struct task_security_struct *tsec = current->security;
1987 if (tsec->osid != tsec->sid) {
1988 /* Enable secure mode for SIDs transitions unless
1989 the noatsecure permission is granted between
1990 the two SIDs, i.e. ahp returns 0. */
1991 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1993 PROCESS__NOATSECURE, NULL);
1996 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1999 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2001 kfree(bprm->security);
2002 bprm->security = NULL;
2005 extern struct vfsmount *selinuxfs_mount;
2006 extern struct dentry *selinux_null;
2008 /* Derived from fs/exec.c:flush_old_files. */
2009 static inline void flush_unauthorized_files(struct files_struct * files)
2011 struct avc_audit_data ad;
2012 struct file *file, *devnull = NULL;
2013 struct tty_struct *tty;
2014 struct fdtable *fdt;
2018 mutex_lock(&tty_mutex);
2019 tty = get_current_tty();
2022 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2024 /* Revalidate access to controlling tty.
2025 Use inode_has_perm on the tty inode directly rather
2026 than using file_has_perm, as this particular open
2027 file may belong to another process and we are only
2028 interested in the inode-based check here. */
2029 struct inode *inode = file->f_path.dentry->d_inode;
2030 if (inode_has_perm(current, inode,
2031 FILE__READ | FILE__WRITE, NULL)) {
2037 mutex_unlock(&tty_mutex);
2038 /* Reset controlling tty. */
2042 /* Revalidate access to inherited open files. */
2044 AVC_AUDIT_DATA_INIT(&ad,FS);
2046 spin_lock(&files->file_lock);
2048 unsigned long set, i;
2053 fdt = files_fdtable(files);
2054 if (i >= fdt->max_fds)
2056 set = fdt->open_fds->fds_bits[j];
2059 spin_unlock(&files->file_lock);
2060 for ( ; set ; i++,set >>= 1) {
2065 if (file_has_perm(current,
2067 file_to_av(file))) {
2069 fd = get_unused_fd();
2079 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2080 if (IS_ERR(devnull)) {
2087 fd_install(fd, devnull);
2092 spin_lock(&files->file_lock);
2095 spin_unlock(&files->file_lock);
2098 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2100 struct task_security_struct *tsec;
2101 struct bprm_security_struct *bsec;
2105 secondary_ops->bprm_apply_creds(bprm, unsafe);
2107 tsec = current->security;
2109 bsec = bprm->security;
2112 tsec->osid = tsec->sid;
2114 if (tsec->sid != sid) {
2115 /* Check for shared state. If not ok, leave SID
2116 unchanged and kill. */
2117 if (unsafe & LSM_UNSAFE_SHARE) {
2118 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2119 PROCESS__SHARE, NULL);
2126 /* Check for ptracing, and update the task SID if ok.
2127 Otherwise, leave SID unchanged and kill. */
2128 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2129 rc = avc_has_perm(tsec->ptrace_sid, sid,
2130 SECCLASS_PROCESS, PROCESS__PTRACE,
2142 * called after apply_creds without the task lock held
2144 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2146 struct task_security_struct *tsec;
2147 struct rlimit *rlim, *initrlim;
2148 struct itimerval itimer;
2149 struct bprm_security_struct *bsec;
2152 tsec = current->security;
2153 bsec = bprm->security;
2156 force_sig_specific(SIGKILL, current);
2159 if (tsec->osid == tsec->sid)
2162 /* Close files for which the new task SID is not authorized. */
2163 flush_unauthorized_files(current->files);
2165 /* Check whether the new SID can inherit signal state
2166 from the old SID. If not, clear itimers to avoid
2167 subsequent signal generation and flush and unblock
2168 signals. This must occur _after_ the task SID has
2169 been updated so that any kill done after the flush
2170 will be checked against the new SID. */
2171 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2172 PROCESS__SIGINH, NULL);
2174 memset(&itimer, 0, sizeof itimer);
2175 for (i = 0; i < 3; i++)
2176 do_setitimer(i, &itimer, NULL);
2177 flush_signals(current);
2178 spin_lock_irq(¤t->sighand->siglock);
2179 flush_signal_handlers(current, 1);
2180 sigemptyset(¤t->blocked);
2181 recalc_sigpending();
2182 spin_unlock_irq(¤t->sighand->siglock);
2185 /* Always clear parent death signal on SID transitions. */
2186 current->pdeath_signal = 0;
2188 /* Check whether the new SID can inherit resource limits
2189 from the old SID. If not, reset all soft limits to
2190 the lower of the current task's hard limit and the init
2191 task's soft limit. Note that the setting of hard limits
2192 (even to lower them) can be controlled by the setrlimit
2193 check. The inclusion of the init task's soft limit into
2194 the computation is to avoid resetting soft limits higher
2195 than the default soft limit for cases where the default
2196 is lower than the hard limit, e.g. RLIMIT_CORE or
2198 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2199 PROCESS__RLIMITINH, NULL);
2201 for (i = 0; i < RLIM_NLIMITS; i++) {
2202 rlim = current->signal->rlim + i;
2203 initrlim = init_task.signal->rlim+i;
2204 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2206 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2208 * This will cause RLIMIT_CPU calculations
2211 current->it_prof_expires = jiffies_to_cputime(1);
2215 /* Wake up the parent if it is waiting so that it can
2216 recheck wait permission to the new task SID. */
2217 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
2220 /* superblock security operations */
2222 static int selinux_sb_alloc_security(struct super_block *sb)
2224 return superblock_alloc_security(sb);
2227 static void selinux_sb_free_security(struct super_block *sb)
2229 superblock_free_security(sb);
2232 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2237 return !memcmp(prefix, option, plen);
2240 static inline int selinux_option(char *option, int len)
2242 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2243 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
2244 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2245 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
2248 static inline void take_option(char **to, char *from, int *first, int len)
2255 memcpy(*to, from, len);
2259 static inline void take_selinux_option(char **to, char *from, int *first,
2262 int current_size = 0;
2271 while (current_size < len) {
2281 static int selinux_sb_copy_data(char *orig, char *copy)
2283 int fnosec, fsec, rc = 0;
2284 char *in_save, *in_curr, *in_end;
2285 char *sec_curr, *nosec_save, *nosec;
2291 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2299 in_save = in_end = orig;
2303 open_quote = !open_quote;
2304 if ((*in_end == ',' && open_quote == 0) ||
2306 int len = in_end - in_curr;
2308 if (selinux_option(in_curr, len))
2309 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2311 take_option(&nosec, in_curr, &fnosec, len);
2313 in_curr = in_end + 1;
2315 } while (*in_end++);
2317 strcpy(in_save, nosec_save);
2318 free_page((unsigned long)nosec_save);
2323 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2325 struct avc_audit_data ad;
2328 rc = superblock_doinit(sb, data);
2332 AVC_AUDIT_DATA_INIT(&ad,FS);
2333 ad.u.fs.path.dentry = sb->s_root;
2334 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2337 static int selinux_sb_statfs(struct dentry *dentry)
2339 struct avc_audit_data ad;
2341 AVC_AUDIT_DATA_INIT(&ad,FS);
2342 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2343 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2346 static int selinux_mount(char * dev_name,
2347 struct nameidata *nd,
2349 unsigned long flags,
2354 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2358 if (flags & MS_REMOUNT)
2359 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2360 FILESYSTEM__REMOUNT, NULL);
2362 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2366 static int selinux_umount(struct vfsmount *mnt, int flags)
2370 rc = secondary_ops->sb_umount(mnt, flags);
2374 return superblock_has_perm(current,mnt->mnt_sb,
2375 FILESYSTEM__UNMOUNT,NULL);
2378 /* inode security operations */
2380 static int selinux_inode_alloc_security(struct inode *inode)
2382 return inode_alloc_security(inode);
2385 static void selinux_inode_free_security(struct inode *inode)
2387 inode_free_security(inode);
2390 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2391 char **name, void **value,
2394 struct task_security_struct *tsec;
2395 struct inode_security_struct *dsec;
2396 struct superblock_security_struct *sbsec;
2399 char *namep = NULL, *context;
2401 tsec = current->security;
2402 dsec = dir->i_security;
2403 sbsec = dir->i_sb->s_security;
2405 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2406 newsid = tsec->create_sid;
2408 rc = security_transition_sid(tsec->sid, dsec->sid,
2409 inode_mode_to_security_class(inode->i_mode),
2412 printk(KERN_WARNING "%s: "
2413 "security_transition_sid failed, rc=%d (dev=%s "
2416 -rc, inode->i_sb->s_id, inode->i_ino);
2421 /* Possibly defer initialization to selinux_complete_init. */
2422 if (sbsec->initialized) {
2423 struct inode_security_struct *isec = inode->i_security;
2424 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2426 isec->initialized = 1;
2429 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2433 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2440 rc = security_sid_to_context(newsid, &context, &clen);
2452 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2454 return may_create(dir, dentry, SECCLASS_FILE);
2457 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2461 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2464 return may_link(dir, old_dentry, MAY_LINK);
2467 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2471 rc = secondary_ops->inode_unlink(dir, dentry);
2474 return may_link(dir, dentry, MAY_UNLINK);
2477 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2479 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2482 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2484 return may_create(dir, dentry, SECCLASS_DIR);
2487 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2489 return may_link(dir, dentry, MAY_RMDIR);
2492 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2496 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2500 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2503 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2504 struct inode *new_inode, struct dentry *new_dentry)
2506 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2509 static int selinux_inode_readlink(struct dentry *dentry)
2511 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2514 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2518 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2521 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2524 static int selinux_inode_permission(struct inode *inode, int mask,
2525 struct nameidata *nd)
2529 rc = secondary_ops->inode_permission(inode, mask, nd);
2534 /* No permission to check. Existence test. */
2538 return inode_has_perm(current, inode,
2539 file_mask_to_av(inode->i_mode, mask), NULL);
2542 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2546 rc = secondary_ops->inode_setattr(dentry, iattr);
2550 if (iattr->ia_valid & ATTR_FORCE)
2553 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2554 ATTR_ATIME_SET | ATTR_MTIME_SET))
2555 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2557 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2560 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2562 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2565 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2567 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2568 sizeof XATTR_SECURITY_PREFIX - 1)) {
2569 if (!strcmp(name, XATTR_NAME_CAPS)) {
2570 if (!capable(CAP_SETFCAP))
2572 } else if (!capable(CAP_SYS_ADMIN)) {
2573 /* A different attribute in the security namespace.
2574 Restrict to administrator. */
2579 /* Not an attribute we recognize, so just check the
2580 ordinary setattr permission. */
2581 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2584 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2586 struct task_security_struct *tsec = current->security;
2587 struct inode *inode = dentry->d_inode;
2588 struct inode_security_struct *isec = inode->i_security;
2589 struct superblock_security_struct *sbsec;
2590 struct avc_audit_data ad;
2594 if (strcmp(name, XATTR_NAME_SELINUX))
2595 return selinux_inode_setotherxattr(dentry, name);
2597 sbsec = inode->i_sb->s_security;
2598 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2601 if (!is_owner_or_cap(inode))
2604 AVC_AUDIT_DATA_INIT(&ad,FS);
2605 ad.u.fs.path.dentry = dentry;
2607 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2608 FILE__RELABELFROM, &ad);
2612 rc = security_context_to_sid(value, size, &newsid);
2616 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2617 FILE__RELABELTO, &ad);
2621 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2626 return avc_has_perm(newsid,
2628 SECCLASS_FILESYSTEM,
2629 FILESYSTEM__ASSOCIATE,
2633 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2634 void *value, size_t size, int flags)
2636 struct inode *inode = dentry->d_inode;
2637 struct inode_security_struct *isec = inode->i_security;
2641 if (strcmp(name, XATTR_NAME_SELINUX)) {
2642 /* Not an attribute we recognize, so nothing to do. */
2646 rc = security_context_to_sid(value, size, &newsid);
2648 printk(KERN_WARNING "%s: unable to obtain SID for context "
2649 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2657 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2659 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2662 static int selinux_inode_listxattr (struct dentry *dentry)
2664 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2667 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2669 if (strcmp(name, XATTR_NAME_SELINUX))
2670 return selinux_inode_setotherxattr(dentry, name);
2672 /* No one is allowed to remove a SELinux security label.
2673 You can change the label, but all data must be labeled. */
2678 * Copy the in-core inode security context value to the user. If the
2679 * getxattr() prior to this succeeded, check to see if we need to
2680 * canonicalize the value to be finally returned to the user.
2682 * Permission check is handled by selinux_inode_getxattr hook.
2684 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2688 char *context = NULL;
2689 struct inode_security_struct *isec = inode->i_security;
2691 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2694 error = security_sid_to_context(isec->sid, &context, &size);
2707 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2708 const void *value, size_t size, int flags)
2710 struct inode_security_struct *isec = inode->i_security;
2714 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2717 if (!value || !size)
2720 rc = security_context_to_sid((void*)value, size, &newsid);
2728 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2730 const int len = sizeof(XATTR_NAME_SELINUX);
2731 if (buffer && len <= buffer_size)
2732 memcpy(buffer, XATTR_NAME_SELINUX, len);
2736 static int selinux_inode_need_killpriv(struct dentry *dentry)
2738 return secondary_ops->inode_need_killpriv(dentry);
2741 static int selinux_inode_killpriv(struct dentry *dentry)
2743 return secondary_ops->inode_killpriv(dentry);
2746 /* file security operations */
2748 static int selinux_revalidate_file_permission(struct file *file, int mask)
2751 struct inode *inode = file->f_path.dentry->d_inode;
2754 /* No permission to check. Existence test. */
2758 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2759 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2762 rc = file_has_perm(current, file,
2763 file_mask_to_av(inode->i_mode, mask));
2767 return selinux_netlbl_inode_permission(inode, mask);
2770 static int selinux_file_permission(struct file *file, int mask)
2772 struct inode *inode = file->f_path.dentry->d_inode;
2773 struct task_security_struct *tsec = current->security;
2774 struct file_security_struct *fsec = file->f_security;
2775 struct inode_security_struct *isec = inode->i_security;
2778 /* No permission to check. Existence test. */
2782 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2783 && fsec->pseqno == avc_policy_seqno())
2784 return selinux_netlbl_inode_permission(inode, mask);
2786 return selinux_revalidate_file_permission(file, mask);
2789 static int selinux_file_alloc_security(struct file *file)
2791 return file_alloc_security(file);
2794 static void selinux_file_free_security(struct file *file)
2796 file_free_security(file);
2799 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2811 case EXT2_IOC_GETFLAGS:
2813 case EXT2_IOC_GETVERSION:
2814 error = file_has_perm(current, file, FILE__GETATTR);
2817 case EXT2_IOC_SETFLAGS:
2819 case EXT2_IOC_SETVERSION:
2820 error = file_has_perm(current, file, FILE__SETATTR);
2823 /* sys_ioctl() checks */
2827 error = file_has_perm(current, file, 0);
2832 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2835 /* default case assumes that the command will go
2836 * to the file's ioctl() function.
2839 error = file_has_perm(current, file, FILE__IOCTL);
2845 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2847 #ifndef CONFIG_PPC32
2848 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2850 * We are making executable an anonymous mapping or a
2851 * private file mapping that will also be writable.
2852 * This has an additional check.
2854 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2861 /* read access is always possible with a mapping */
2862 u32 av = FILE__READ;
2864 /* write access only matters if the mapping is shared */
2865 if (shared && (prot & PROT_WRITE))
2868 if (prot & PROT_EXEC)
2869 av |= FILE__EXECUTE;
2871 return file_has_perm(current, file, av);
2876 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2877 unsigned long prot, unsigned long flags,
2878 unsigned long addr, unsigned long addr_only)
2881 u32 sid = ((struct task_security_struct*)(current->security))->sid;
2883 if (addr < mmap_min_addr)
2884 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2885 MEMPROTECT__MMAP_ZERO, NULL);
2886 if (rc || addr_only)
2889 if (selinux_checkreqprot)
2892 return file_map_prot_check(file, prot,
2893 (flags & MAP_TYPE) == MAP_SHARED);
2896 static int selinux_file_mprotect(struct vm_area_struct *vma,
2897 unsigned long reqprot,
2902 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2906 if (selinux_checkreqprot)
2909 #ifndef CONFIG_PPC32
2910 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2912 if (vma->vm_start >= vma->vm_mm->start_brk &&
2913 vma->vm_end <= vma->vm_mm->brk) {
2914 rc = task_has_perm(current, current,
2916 } else if (!vma->vm_file &&
2917 vma->vm_start <= vma->vm_mm->start_stack &&
2918 vma->vm_end >= vma->vm_mm->start_stack) {
2919 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2920 } else if (vma->vm_file && vma->anon_vma) {
2922 * We are making executable a file mapping that has
2923 * had some COW done. Since pages might have been
2924 * written, check ability to execute the possibly
2925 * modified content. This typically should only
2926 * occur for text relocations.
2928 rc = file_has_perm(current, vma->vm_file,
2936 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2939 static int selinux_file_lock(struct file *file, unsigned int cmd)
2941 return file_has_perm(current, file, FILE__LOCK);
2944 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2951 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2956 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2957 err = file_has_perm(current, file,FILE__WRITE);
2966 /* Just check FD__USE permission */
2967 err = file_has_perm(current, file, 0);
2972 #if BITS_PER_LONG == 32
2977 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2981 err = file_has_perm(current, file, FILE__LOCK);
2988 static int selinux_file_set_fowner(struct file *file)
2990 struct task_security_struct *tsec;
2991 struct file_security_struct *fsec;
2993 tsec = current->security;
2994 fsec = file->f_security;
2995 fsec->fown_sid = tsec->sid;
3000 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3001 struct fown_struct *fown, int signum)
3005 struct task_security_struct *tsec;
3006 struct file_security_struct *fsec;
3008 /* struct fown_struct is never outside the context of a struct file */
3009 file = container_of(fown, struct file, f_owner);
3011 tsec = tsk->security;
3012 fsec = file->f_security;
3015 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3017 perm = signal_to_av(signum);
3019 return avc_has_perm(fsec->fown_sid, tsec->sid,
3020 SECCLASS_PROCESS, perm, NULL);
3023 static int selinux_file_receive(struct file *file)
3025 return file_has_perm(current, file, file_to_av(file));
3028 static int selinux_dentry_open(struct file *file)
3030 struct file_security_struct *fsec;
3031 struct inode *inode;
3032 struct inode_security_struct *isec;
3033 inode = file->f_path.dentry->d_inode;
3034 fsec = file->f_security;
3035 isec = inode->i_security;
3037 * Save inode label and policy sequence number
3038 * at open-time so that selinux_file_permission
3039 * can determine whether revalidation is necessary.
3040 * Task label is already saved in the file security
3041 * struct as its SID.
3043 fsec->isid = isec->sid;
3044 fsec->pseqno = avc_policy_seqno();
3046 * Since the inode label or policy seqno may have changed
3047 * between the selinux_inode_permission check and the saving
3048 * of state above, recheck that access is still permitted.
3049 * Otherwise, access might never be revalidated against the
3050 * new inode label or new policy.
3051 * This check is not redundant - do not remove.
3053 return inode_has_perm(current, inode, file_to_av(file), NULL);
3056 /* task security operations */
3058 static int selinux_task_create(unsigned long clone_flags)
3062 rc = secondary_ops->task_create(clone_flags);
3066 return task_has_perm(current, current, PROCESS__FORK);
3069 static int selinux_task_alloc_security(struct task_struct *tsk)
3071 struct task_security_struct *tsec1, *tsec2;
3074 tsec1 = current->security;
3076 rc = task_alloc_security(tsk);
3079 tsec2 = tsk->security;
3081 tsec2->osid = tsec1->osid;
3082 tsec2->sid = tsec1->sid;
3084 /* Retain the exec, fs, key, and sock SIDs across fork */
3085 tsec2->exec_sid = tsec1->exec_sid;
3086 tsec2->create_sid = tsec1->create_sid;
3087 tsec2->keycreate_sid = tsec1->keycreate_sid;
3088 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3090 /* Retain ptracer SID across fork, if any.
3091 This will be reset by the ptrace hook upon any
3092 subsequent ptrace_attach operations. */
3093 tsec2->ptrace_sid = tsec1->ptrace_sid;
3098 static void selinux_task_free_security(struct task_struct *tsk)
3100 task_free_security(tsk);
3103 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3105 /* Since setuid only affects the current process, and
3106 since the SELinux controls are not based on the Linux
3107 identity attributes, SELinux does not need to control
3108 this operation. However, SELinux does control the use
3109 of the CAP_SETUID and CAP_SETGID capabilities using the
3114 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3116 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3119 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3121 /* See the comment for setuid above. */
3125 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3127 return task_has_perm(current, p, PROCESS__SETPGID);
3130 static int selinux_task_getpgid(struct task_struct *p)
3132 return task_has_perm(current, p, PROCESS__GETPGID);
3135 static int selinux_task_getsid(struct task_struct *p)
3137 return task_has_perm(current, p, PROCESS__GETSESSION);
3140 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3142 selinux_get_task_sid(p, secid);
3145 static int selinux_task_setgroups(struct group_info *group_info)
3147 /* See the comment for setuid above. */
3151 static int selinux_task_setnice(struct task_struct *p, int nice)
3155 rc = secondary_ops->task_setnice(p, nice);
3159 return task_has_perm(current,p, PROCESS__SETSCHED);
3162 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3166 rc = secondary_ops->task_setioprio(p, ioprio);
3170 return task_has_perm(current, p, PROCESS__SETSCHED);
3173 static int selinux_task_getioprio(struct task_struct *p)
3175 return task_has_perm(current, p, PROCESS__GETSCHED);
3178 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3180 struct rlimit *old_rlim = current->signal->rlim + resource;
3183 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3187 /* Control the ability to change the hard limit (whether
3188 lowering or raising it), so that the hard limit can
3189 later be used as a safe reset point for the soft limit
3190 upon context transitions. See selinux_bprm_apply_creds. */
3191 if (old_rlim->rlim_max != new_rlim->rlim_max)
3192 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3197 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3201 rc = secondary_ops->task_setscheduler(p, policy, lp);
3205 return task_has_perm(current, p, PROCESS__SETSCHED);
3208 static int selinux_task_getscheduler(struct task_struct *p)
3210 return task_has_perm(current, p, PROCESS__GETSCHED);
3213 static int selinux_task_movememory(struct task_struct *p)
3215 return task_has_perm(current, p, PROCESS__SETSCHED);
3218 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3223 struct task_security_struct *tsec;
3225 rc = secondary_ops->task_kill(p, info, sig, secid);
3229 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3233 perm = PROCESS__SIGNULL; /* null signal; existence test */
3235 perm = signal_to_av(sig);
3238 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3240 rc = task_has_perm(current, p, perm);
3244 static int selinux_task_prctl(int option,
3250 /* The current prctl operations do not appear to require
3251 any SELinux controls since they merely observe or modify
3252 the state of the current process. */
3256 static int selinux_task_wait(struct task_struct *p)
3258 return task_has_perm(p, current, PROCESS__SIGCHLD);
3261 static void selinux_task_reparent_to_init(struct task_struct *p)
3263 struct task_security_struct *tsec;
3265 secondary_ops->task_reparent_to_init(p);
3268 tsec->osid = tsec->sid;
3269 tsec->sid = SECINITSID_KERNEL;
3273 static void selinux_task_to_inode(struct task_struct *p,
3274 struct inode *inode)
3276 struct task_security_struct *tsec = p->security;
3277 struct inode_security_struct *isec = inode->i_security;
3279 isec->sid = tsec->sid;
3280 isec->initialized = 1;
3284 /* Returns error only if unable to parse addresses */
3285 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3286 struct avc_audit_data *ad, u8 *proto)
3288 int offset, ihlen, ret = -EINVAL;
3289 struct iphdr _iph, *ih;
3291 offset = skb_network_offset(skb);
3292 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3296 ihlen = ih->ihl * 4;
3297 if (ihlen < sizeof(_iph))
3300 ad->u.net.v4info.saddr = ih->saddr;
3301 ad->u.net.v4info.daddr = ih->daddr;
3305 *proto = ih->protocol;
3307 switch (ih->protocol) {
3309 struct tcphdr _tcph, *th;
3311 if (ntohs(ih->frag_off) & IP_OFFSET)
3315 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3319 ad->u.net.sport = th->source;
3320 ad->u.net.dport = th->dest;
3325 struct udphdr _udph, *uh;
3327 if (ntohs(ih->frag_off) & IP_OFFSET)
3331 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3335 ad->u.net.sport = uh->source;
3336 ad->u.net.dport = uh->dest;
3340 case IPPROTO_DCCP: {
3341 struct dccp_hdr _dccph, *dh;
3343 if (ntohs(ih->frag_off) & IP_OFFSET)
3347 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3351 ad->u.net.sport = dh->dccph_sport;
3352 ad->u.net.dport = dh->dccph_dport;
3363 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3365 /* Returns error only if unable to parse addresses */
3366 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3367 struct avc_audit_data *ad, u8 *proto)
3370 int ret = -EINVAL, offset;
3371 struct ipv6hdr _ipv6h, *ip6;
3373 offset = skb_network_offset(skb);
3374 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3378 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3379 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3382 nexthdr = ip6->nexthdr;
3383 offset += sizeof(_ipv6h);
3384 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3393 struct tcphdr _tcph, *th;
3395 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3399 ad->u.net.sport = th->source;
3400 ad->u.net.dport = th->dest;
3405 struct udphdr _udph, *uh;
3407 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3411 ad->u.net.sport = uh->source;
3412 ad->u.net.dport = uh->dest;
3416 case IPPROTO_DCCP: {
3417 struct dccp_hdr _dccph, *dh;
3419 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3423 ad->u.net.sport = dh->dccph_sport;
3424 ad->u.net.dport = dh->dccph_dport;
3428 /* includes fragments */
3438 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3439 char **addrp, int src, u8 *proto)
3443 switch (ad->u.net.family) {
3445 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3448 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3449 &ad->u.net.v4info.daddr);
3452 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3454 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3457 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3458 &ad->u.net.v6info.daddr);
3467 "SELinux: failure in selinux_parse_skb(),"
3468 " unable to parse packet\n");
3474 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3476 * @family: protocol family
3477 * @sid: the packet's peer label SID
3480 * Check the various different forms of network peer labeling and determine
3481 * the peer label/SID for the packet; most of the magic actually occurs in
3482 * the security server function security_net_peersid_cmp(). The function
3483 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3484 * or -EACCES if @sid is invalid due to inconsistencies with the different
3488 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3495 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3496 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3498 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3499 if (unlikely(err)) {
3501 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3502 " unable to determine packet's peer label\n");
3509 /* socket security operations */
3510 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3513 struct inode_security_struct *isec;
3514 struct task_security_struct *tsec;
3515 struct avc_audit_data ad;
3518 tsec = task->security;
3519 isec = SOCK_INODE(sock)->i_security;
3521 if (isec->sid == SECINITSID_KERNEL)
3524 AVC_AUDIT_DATA_INIT(&ad,NET);
3525 ad.u.net.sk = sock->sk;
3526 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3532 static int selinux_socket_create(int family, int type,
3533 int protocol, int kern)
3536 struct task_security_struct *tsec;
3542 tsec = current->security;
3543 newsid = tsec->sockcreate_sid ? : tsec->sid;
3544 err = avc_has_perm(tsec->sid, newsid,
3545 socket_type_to_security_class(family, type,
3546 protocol), SOCKET__CREATE, NULL);
3552 static int selinux_socket_post_create(struct socket *sock, int family,
3553 int type, int protocol, int kern)
3556 struct inode_security_struct *isec;
3557 struct task_security_struct *tsec;
3558 struct sk_security_struct *sksec;
3561 isec = SOCK_INODE(sock)->i_security;
3563 tsec = current->security;
3564 newsid = tsec->sockcreate_sid ? : tsec->sid;
3565 isec->sclass = socket_type_to_security_class(family, type, protocol);
3566 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3567 isec->initialized = 1;
3570 sksec = sock->sk->sk_security;
3571 sksec->sid = isec->sid;
3572 sksec->sclass = isec->sclass;
3573 err = selinux_netlbl_socket_post_create(sock);
3579 /* Range of port numbers used to automatically bind.
3580 Need to determine whether we should perform a name_bind
3581 permission check between the socket and the port number. */
3583 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3588 err = socket_has_perm(current, sock, SOCKET__BIND);
3593 * If PF_INET or PF_INET6, check name_bind permission for the port.
3594 * Multiple address binding for SCTP is not supported yet: we just
3595 * check the first address now.
3597 family = sock->sk->sk_family;
3598 if (family == PF_INET || family == PF_INET6) {
3600 struct inode_security_struct *isec;
3601 struct task_security_struct *tsec;
3602 struct avc_audit_data ad;
3603 struct sockaddr_in *addr4 = NULL;
3604 struct sockaddr_in6 *addr6 = NULL;
3605 unsigned short snum;
3606 struct sock *sk = sock->sk;
3607 u32 sid, node_perm, addrlen;
3609 tsec = current->security;
3610 isec = SOCK_INODE(sock)->i_security;
3612 if (family == PF_INET) {
3613 addr4 = (struct sockaddr_in *)address;
3614 snum = ntohs(addr4->sin_port);
3615 addrlen = sizeof(addr4->sin_addr.s_addr);
3616 addrp = (char *)&addr4->sin_addr.s_addr;
3618 addr6 = (struct sockaddr_in6 *)address;
3619 snum = ntohs(addr6->sin6_port);
3620 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3621 addrp = (char *)&addr6->sin6_addr.s6_addr;
3627 inet_get_local_port_range(&low, &high);
3629 if (snum < max(PROT_SOCK, low) || snum > high) {
3630 err = security_port_sid(sk->sk_family,
3632 sk->sk_protocol, snum,
3636 AVC_AUDIT_DATA_INIT(&ad,NET);
3637 ad.u.net.sport = htons(snum);
3638 ad.u.net.family = family;
3639 err = avc_has_perm(isec->sid, sid,
3641 SOCKET__NAME_BIND, &ad);
3647 switch(isec->sclass) {
3648 case SECCLASS_TCP_SOCKET:
3649 node_perm = TCP_SOCKET__NODE_BIND;
3652 case SECCLASS_UDP_SOCKET:
3653 node_perm = UDP_SOCKET__NODE_BIND;
3656 case SECCLASS_DCCP_SOCKET:
3657 node_perm = DCCP_SOCKET__NODE_BIND;
3661 node_perm = RAWIP_SOCKET__NODE_BIND;
3665 err = sel_netnode_sid(addrp, family, &sid);
3669 AVC_AUDIT_DATA_INIT(&ad,NET);
3670 ad.u.net.sport = htons(snum);
3671 ad.u.net.family = family;
3673 if (family == PF_INET)
3674 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3676 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3678 err = avc_has_perm(isec->sid, sid,
3679 isec->sclass, node_perm, &ad);
3687 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3689 struct inode_security_struct *isec;
3692 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3697 * If a TCP or DCCP socket, check name_connect permission for the port.
3699 isec = SOCK_INODE(sock)->i_security;
3700 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3701 isec->sclass == SECCLASS_DCCP_SOCKET) {
3702 struct sock *sk = sock->sk;
3703 struct avc_audit_data ad;
3704 struct sockaddr_in *addr4 = NULL;
3705 struct sockaddr_in6 *addr6 = NULL;
3706 unsigned short snum;
3709 if (sk->sk_family == PF_INET) {
3710 addr4 = (struct sockaddr_in *)address;
3711 if (addrlen < sizeof(struct sockaddr_in))
3713 snum = ntohs(addr4->sin_port);
3715 addr6 = (struct sockaddr_in6 *)address;
3716 if (addrlen < SIN6_LEN_RFC2133)
3718 snum = ntohs(addr6->sin6_port);
3721 err = security_port_sid(sk->sk_family, sk->sk_type,
3722 sk->sk_protocol, snum, &sid);
3726 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3727 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3729 AVC_AUDIT_DATA_INIT(&ad,NET);
3730 ad.u.net.dport = htons(snum);
3731 ad.u.net.family = sk->sk_family;
3732 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3741 static int selinux_socket_listen(struct socket *sock, int backlog)
3743 return socket_has_perm(current, sock, SOCKET__LISTEN);
3746 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3749 struct inode_security_struct *isec;
3750 struct inode_security_struct *newisec;
3752 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3756 newisec = SOCK_INODE(newsock)->i_security;
3758 isec = SOCK_INODE(sock)->i_security;
3759 newisec->sclass = isec->sclass;
3760 newisec->sid = isec->sid;
3761 newisec->initialized = 1;
3766 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3771 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3775 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3778 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3779 int size, int flags)
3781 return socket_has_perm(current, sock, SOCKET__READ);
3784 static int selinux_socket_getsockname(struct socket *sock)
3786 return socket_has_perm(current, sock, SOCKET__GETATTR);
3789 static int selinux_socket_getpeername(struct socket *sock)
3791 return socket_has_perm(current, sock, SOCKET__GETATTR);
3794 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3798 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3802 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3805 static int selinux_socket_getsockopt(struct socket *sock, int level,
3808 return socket_has_perm(current, sock, SOCKET__GETOPT);
3811 static int selinux_socket_shutdown(struct socket *sock, int how)
3813 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3816 static int selinux_socket_unix_stream_connect(struct socket *sock,
3817 struct socket *other,
3820 struct sk_security_struct *ssec;
3821 struct inode_security_struct *isec;
3822 struct inode_security_struct *other_isec;
3823 struct avc_audit_data ad;
3826 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3830 isec = SOCK_INODE(sock)->i_security;
3831 other_isec = SOCK_INODE(other)->i_security;
3833 AVC_AUDIT_DATA_INIT(&ad,NET);
3834 ad.u.net.sk = other->sk;
3836 err = avc_has_perm(isec->sid, other_isec->sid,
3838 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3842 /* connecting socket */
3843 ssec = sock->sk->sk_security;
3844 ssec->peer_sid = other_isec->sid;
3846 /* server child socket */
3847 ssec = newsk->sk_security;
3848 ssec->peer_sid = isec->sid;
3849 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3854 static int selinux_socket_unix_may_send(struct socket *sock,
3855 struct socket *other)
3857 struct inode_security_struct *isec;
3858 struct inode_security_struct *other_isec;
3859 struct avc_audit_data ad;
3862 isec = SOCK_INODE(sock)->i_security;
3863 other_isec = SOCK_INODE(other)->i_security;
3865 AVC_AUDIT_DATA_INIT(&ad,NET);
3866 ad.u.net.sk = other->sk;
3868 err = avc_has_perm(isec->sid, other_isec->sid,
3869 isec->sclass, SOCKET__SENDTO, &ad);
3876 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3878 struct avc_audit_data *ad)
3884 err = sel_netif_sid(ifindex, &if_sid);
3887 err = avc_has_perm(peer_sid, if_sid,
3888 SECCLASS_NETIF, NETIF__INGRESS, ad);
3892 err = sel_netnode_sid(addrp, family, &node_sid);
3895 return avc_has_perm(peer_sid, node_sid,
3896 SECCLASS_NODE, NODE__RECVFROM, ad);
3899 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3900 struct sk_buff *skb,
3901 struct avc_audit_data *ad,
3906 struct sk_security_struct *sksec = sk->sk_security;
3908 u32 netif_perm, node_perm, recv_perm;
3909 u32 port_sid, node_sid, if_sid, sk_sid;
3911 sk_sid = sksec->sid;
3912 sk_class = sksec->sclass;
3915 case SECCLASS_UDP_SOCKET:
3916 netif_perm = NETIF__UDP_RECV;
3917 node_perm = NODE__UDP_RECV;
3918 recv_perm = UDP_SOCKET__RECV_MSG;
3920 case SECCLASS_TCP_SOCKET:
3921 netif_perm = NETIF__TCP_RECV;
3922 node_perm = NODE__TCP_RECV;
3923 recv_perm = TCP_SOCKET__RECV_MSG;
3925 case SECCLASS_DCCP_SOCKET:
3926 netif_perm = NETIF__DCCP_RECV;
3927 node_perm = NODE__DCCP_RECV;
3928 recv_perm = DCCP_SOCKET__RECV_MSG;
3931 netif_perm = NETIF__RAWIP_RECV;
3932 node_perm = NODE__RAWIP_RECV;
3937 err = sel_netif_sid(skb->iif, &if_sid);
3940 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3944 err = sel_netnode_sid(addrp, family, &node_sid);
3947 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3953 err = security_port_sid(sk->sk_family, sk->sk_type,
3954 sk->sk_protocol, ntohs(ad->u.net.sport),
3956 if (unlikely(err)) {
3958 "SELinux: failure in"
3959 " selinux_sock_rcv_skb_iptables_compat(),"
3960 " network port label not found\n");
3963 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
3966 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3967 struct avc_audit_data *ad,
3968 u16 family, char *addrp)
3971 struct sk_security_struct *sksec = sk->sk_security;
3973 u32 sk_sid = sksec->sid;
3975 if (selinux_compat_net)
3976 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
3979 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
3984 if (selinux_policycap_netpeer) {
3985 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
3988 err = avc_has_perm(sk_sid, peer_sid,
3989 SECCLASS_PEER, PEER__RECV, ad);
3991 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
3994 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4000 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4003 struct sk_security_struct *sksec = sk->sk_security;
4004 u16 family = sk->sk_family;
4005 u32 sk_sid = sksec->sid;
4006 struct avc_audit_data ad;
4009 if (family != PF_INET && family != PF_INET6)
4012 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4013 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4016 AVC_AUDIT_DATA_INIT(&ad, NET);
4017 ad.u.net.netif = skb->iif;
4018 ad.u.net.family = family;
4019 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4023 /* If any sort of compatibility mode is enabled then handoff processing
4024 * to the selinux_sock_rcv_skb_compat() function to deal with the
4025 * special handling. We do this in an attempt to keep this function
4026 * as fast and as clean as possible. */
4027 if (selinux_compat_net || !selinux_policycap_netpeer)
4028 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4031 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4034 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4037 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4041 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4045 if (selinux_secmark_enabled()) {
4046 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4055 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4056 int __user *optlen, unsigned len)
4061 struct sk_security_struct *ssec;
4062 struct inode_security_struct *isec;
4063 u32 peer_sid = SECSID_NULL;
4065 isec = SOCK_INODE(sock)->i_security;
4067 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4068 isec->sclass == SECCLASS_TCP_SOCKET) {
4069 ssec = sock->sk->sk_security;
4070 peer_sid = ssec->peer_sid;
4072 if (peer_sid == SECSID_NULL) {
4077 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4082 if (scontext_len > len) {
4087 if (copy_to_user(optval, scontext, scontext_len))
4091 if (put_user(scontext_len, optlen))
4099 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4101 u32 peer_secid = SECSID_NULL;
4105 family = sock->sk->sk_family;
4106 else if (skb && skb->sk)
4107 family = skb->sk->sk_family;
4111 if (sock && family == PF_UNIX)
4112 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4114 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4117 *secid = peer_secid;
4118 if (peer_secid == SECSID_NULL)
4123 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4125 return sk_alloc_security(sk, family, priority);
4128 static void selinux_sk_free_security(struct sock *sk)
4130 sk_free_security(sk);
4133 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4135 struct sk_security_struct *ssec = sk->sk_security;
4136 struct sk_security_struct *newssec = newsk->sk_security;
4138 newssec->sid = ssec->sid;
4139 newssec->peer_sid = ssec->peer_sid;
4140 newssec->sclass = ssec->sclass;
4142 selinux_netlbl_sk_security_clone(ssec, newssec);
4145 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4148 *secid = SECINITSID_ANY_SOCKET;
4150 struct sk_security_struct *sksec = sk->sk_security;
4152 *secid = sksec->sid;
4156 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4158 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4159 struct sk_security_struct *sksec = sk->sk_security;
4161 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4162 sk->sk_family == PF_UNIX)
4163 isec->sid = sksec->sid;
4164 sksec->sclass = isec->sclass;
4166 selinux_netlbl_sock_graft(sk, parent);
4169 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4170 struct request_sock *req)
4172 struct sk_security_struct *sksec = sk->sk_security;
4177 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4180 if (peersid == SECSID_NULL) {
4181 req->secid = sksec->sid;
4182 req->peer_secid = SECSID_NULL;
4186 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4190 req->secid = newsid;
4191 req->peer_secid = peersid;
4195 static void selinux_inet_csk_clone(struct sock *newsk,
4196 const struct request_sock *req)
4198 struct sk_security_struct *newsksec = newsk->sk_security;
4200 newsksec->sid = req->secid;
4201 newsksec->peer_sid = req->peer_secid;
4202 /* NOTE: Ideally, we should also get the isec->sid for the
4203 new socket in sync, but we don't have the isec available yet.
4204 So we will wait until sock_graft to do it, by which
4205 time it will have been created and available. */
4207 /* We don't need to take any sort of lock here as we are the only
4208 * thread with access to newsksec */
4209 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4212 static void selinux_inet_conn_established(struct sock *sk,
4213 struct sk_buff *skb)
4215 struct sk_security_struct *sksec = sk->sk_security;
4217 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4220 static void selinux_req_classify_flow(const struct request_sock *req,
4223 fl->secid = req->secid;
4226 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4230 struct nlmsghdr *nlh;
4231 struct socket *sock = sk->sk_socket;
4232 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4234 if (skb->len < NLMSG_SPACE(0)) {
4238 nlh = nlmsg_hdr(skb);
4240 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4242 if (err == -EINVAL) {
4243 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4244 "SELinux: unrecognized netlink message"
4245 " type=%hu for sclass=%hu\n",
4246 nlh->nlmsg_type, isec->sclass);
4247 if (!selinux_enforcing)
4257 err = socket_has_perm(current, sock, perm);
4262 #ifdef CONFIG_NETFILTER
4264 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4269 struct avc_audit_data ad;
4273 if (!selinux_policycap_netpeer)
4276 secmark_active = selinux_secmark_enabled();
4277 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4278 if (!secmark_active && !peerlbl_active)
4281 AVC_AUDIT_DATA_INIT(&ad, NET);
4282 ad.u.net.netif = ifindex;
4283 ad.u.net.family = family;
4284 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4287 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4291 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4292 peer_sid, &ad) != 0)
4296 if (avc_has_perm(peer_sid, skb->secmark,
4297 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4303 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4304 struct sk_buff *skb,
4305 const struct net_device *in,
4306 const struct net_device *out,
4307 int (*okfn)(struct sk_buff *))
4309 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4312 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4313 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4314 struct sk_buff *skb,
4315 const struct net_device *in,
4316 const struct net_device *out,
4317 int (*okfn)(struct sk_buff *))
4319 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4323 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4325 struct avc_audit_data *ad,
4326 u16 family, char *addrp)
4329 struct sk_security_struct *sksec = sk->sk_security;
4331 u32 netif_perm, node_perm, send_perm;
4332 u32 port_sid, node_sid, if_sid, sk_sid;
4334 sk_sid = sksec->sid;
4335 sk_class = sksec->sclass;
4338 case SECCLASS_UDP_SOCKET:
4339 netif_perm = NETIF__UDP_SEND;
4340 node_perm = NODE__UDP_SEND;
4341 send_perm = UDP_SOCKET__SEND_MSG;
4343 case SECCLASS_TCP_SOCKET:
4344 netif_perm = NETIF__TCP_SEND;
4345 node_perm = NODE__TCP_SEND;
4346 send_perm = TCP_SOCKET__SEND_MSG;
4348 case SECCLASS_DCCP_SOCKET:
4349 netif_perm = NETIF__DCCP_SEND;
4350 node_perm = NODE__DCCP_SEND;
4351 send_perm = DCCP_SOCKET__SEND_MSG;
4354 netif_perm = NETIF__RAWIP_SEND;
4355 node_perm = NODE__RAWIP_SEND;
4360 err = sel_netif_sid(ifindex, &if_sid);
4363 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4366 err = sel_netnode_sid(addrp, family, &node_sid);
4369 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4376 err = security_port_sid(sk->sk_family, sk->sk_type,
4377 sk->sk_protocol, ntohs(ad->u.net.dport),
4379 if (unlikely(err)) {
4381 "SELinux: failure in"
4382 " selinux_ip_postroute_iptables_compat(),"
4383 " network port label not found\n");
4386 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4389 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4391 struct avc_audit_data *ad,
4396 struct sock *sk = skb->sk;
4397 struct sk_security_struct *sksec;
4401 sksec = sk->sk_security;
4403 if (selinux_compat_net) {
4404 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4408 if (avc_has_perm(sksec->sid, skb->secmark,
4409 SECCLASS_PACKET, PACKET__SEND, ad))
4413 if (selinux_policycap_netpeer)
4414 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4420 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4426 struct avc_audit_data ad;
4432 AVC_AUDIT_DATA_INIT(&ad, NET);
4433 ad.u.net.netif = ifindex;
4434 ad.u.net.family = family;
4435 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4438 /* If any sort of compatibility mode is enabled then handoff processing
4439 * to the selinux_ip_postroute_compat() function to deal with the
4440 * special handling. We do this in an attempt to keep this function
4441 * as fast and as clean as possible. */
4442 if (selinux_compat_net || !selinux_policycap_netpeer)
4443 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4444 family, addrp, proto);
4446 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4447 * packet transformation so allow the packet to pass without any checks
4448 * since we'll have another chance to perform access control checks
4449 * when the packet is on it's final way out.
4450 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4451 * is NULL, in this case go ahead and apply access control. */
4452 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4455 secmark_active = selinux_secmark_enabled();
4456 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4457 if (!secmark_active && !peerlbl_active)
4460 /* if the packet is locally generated (skb->sk != NULL) then use the
4461 * socket's label as the peer label, otherwise the packet is being
4462 * forwarded through this system and we need to fetch the peer label
4463 * directly from the packet */
4466 struct sk_security_struct *sksec = sk->sk_security;
4467 peer_sid = sksec->sid;
4468 secmark_perm = PACKET__SEND;
4470 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4472 secmark_perm = PACKET__FORWARD_OUT;
4476 if (avc_has_perm(peer_sid, skb->secmark,
4477 SECCLASS_PACKET, secmark_perm, &ad))
4480 if (peerlbl_active) {
4484 if (sel_netif_sid(ifindex, &if_sid))
4486 if (avc_has_perm(peer_sid, if_sid,
4487 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4490 if (sel_netnode_sid(addrp, family, &node_sid))
4492 if (avc_has_perm(peer_sid, node_sid,
4493 SECCLASS_NODE, NODE__SENDTO, &ad))
4500 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4501 struct sk_buff *skb,
4502 const struct net_device *in,
4503 const struct net_device *out,
4504 int (*okfn)(struct sk_buff *))
4506 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4509 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4510 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4511 struct sk_buff *skb,
4512 const struct net_device *in,
4513 const struct net_device *out,
4514 int (*okfn)(struct sk_buff *))
4516 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4520 #endif /* CONFIG_NETFILTER */
4522 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4526 err = secondary_ops->netlink_send(sk, skb);
4530 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4531 err = selinux_nlmsg_perm(sk, skb);
4536 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4539 struct avc_audit_data ad;
4541 err = secondary_ops->netlink_recv(skb, capability);
4545 AVC_AUDIT_DATA_INIT(&ad, CAP);
4546 ad.u.cap = capability;
4548 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4549 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4552 static int ipc_alloc_security(struct task_struct *task,
4553 struct kern_ipc_perm *perm,
4556 struct task_security_struct *tsec = task->security;
4557 struct ipc_security_struct *isec;
4559 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4563 isec->sclass = sclass;
4564 isec->ipc_perm = perm;
4565 isec->sid = tsec->sid;
4566 perm->security = isec;
4571 static void ipc_free_security(struct kern_ipc_perm *perm)
4573 struct ipc_security_struct *isec = perm->security;
4574 perm->security = NULL;
4578 static int msg_msg_alloc_security(struct msg_msg *msg)
4580 struct msg_security_struct *msec;
4582 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4587 msec->sid = SECINITSID_UNLABELED;
4588 msg->security = msec;
4593 static void msg_msg_free_security(struct msg_msg *msg)
4595 struct msg_security_struct *msec = msg->security;
4597 msg->security = NULL;
4601 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4604 struct task_security_struct *tsec;
4605 struct ipc_security_struct *isec;
4606 struct avc_audit_data ad;
4608 tsec = current->security;
4609 isec = ipc_perms->security;
4611 AVC_AUDIT_DATA_INIT(&ad, IPC);
4612 ad.u.ipc_id = ipc_perms->key;
4614 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4617 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4619 return msg_msg_alloc_security(msg);
4622 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4624 msg_msg_free_security(msg);
4627 /* message queue security operations */
4628 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4630 struct task_security_struct *tsec;
4631 struct ipc_security_struct *isec;
4632 struct avc_audit_data ad;
4635 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4639 tsec = current->security;
4640 isec = msq->q_perm.security;
4642 AVC_AUDIT_DATA_INIT(&ad, IPC);
4643 ad.u.ipc_id = msq->q_perm.key;
4645 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4648 ipc_free_security(&msq->q_perm);
4654 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4656 ipc_free_security(&msq->q_perm);
4659 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4661 struct task_security_struct *tsec;
4662 struct ipc_security_struct *isec;
4663 struct avc_audit_data ad;
4665 tsec = current->security;
4666 isec = msq->q_perm.security;
4668 AVC_AUDIT_DATA_INIT(&ad, IPC);
4669 ad.u.ipc_id = msq->q_perm.key;
4671 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4672 MSGQ__ASSOCIATE, &ad);
4675 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4683 /* No specific object, just general system-wide information. */
4684 return task_has_system(current, SYSTEM__IPC_INFO);
4687 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4690 perms = MSGQ__SETATTR;
4693 perms = MSGQ__DESTROY;
4699 err = ipc_has_perm(&msq->q_perm, perms);
4703 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4705 struct task_security_struct *tsec;
4706 struct ipc_security_struct *isec;
4707 struct msg_security_struct *msec;
4708 struct avc_audit_data ad;
4711 tsec = current->security;
4712 isec = msq->q_perm.security;
4713 msec = msg->security;
4716 * First time through, need to assign label to the message
4718 if (msec->sid == SECINITSID_UNLABELED) {
4720 * Compute new sid based on current process and
4721 * message queue this message will be stored in
4723 rc = security_transition_sid(tsec->sid,
4731 AVC_AUDIT_DATA_INIT(&ad, IPC);
4732 ad.u.ipc_id = msq->q_perm.key;
4734 /* Can this process write to the queue? */
4735 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4738 /* Can this process send the message */
4739 rc = avc_has_perm(tsec->sid, msec->sid,
4740 SECCLASS_MSG, MSG__SEND, &ad);
4742 /* Can the message be put in the queue? */
4743 rc = avc_has_perm(msec->sid, isec->sid,
4744 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4749 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4750 struct task_struct *target,
4751 long type, int mode)
4753 struct task_security_struct *tsec;
4754 struct ipc_security_struct *isec;
4755 struct msg_security_struct *msec;
4756 struct avc_audit_data ad;
4759 tsec = target->security;
4760 isec = msq->q_perm.security;
4761 msec = msg->security;
4763 AVC_AUDIT_DATA_INIT(&ad, IPC);
4764 ad.u.ipc_id = msq->q_perm.key;
4766 rc = avc_has_perm(tsec->sid, isec->sid,
4767 SECCLASS_MSGQ, MSGQ__READ, &ad);
4769 rc = avc_has_perm(tsec->sid, msec->sid,
4770 SECCLASS_MSG, MSG__RECEIVE, &ad);
4774 /* Shared Memory security operations */
4775 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4777 struct task_security_struct *tsec;
4778 struct ipc_security_struct *isec;
4779 struct avc_audit_data ad;
4782 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4786 tsec = current->security;
4787 isec = shp->shm_perm.security;
4789 AVC_AUDIT_DATA_INIT(&ad, IPC);
4790 ad.u.ipc_id = shp->shm_perm.key;
4792 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4795 ipc_free_security(&shp->shm_perm);
4801 static void selinux_shm_free_security(struct shmid_kernel *shp)
4803 ipc_free_security(&shp->shm_perm);
4806 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4808 struct task_security_struct *tsec;
4809 struct ipc_security_struct *isec;
4810 struct avc_audit_data ad;
4812 tsec = current->security;
4813 isec = shp->shm_perm.security;
4815 AVC_AUDIT_DATA_INIT(&ad, IPC);
4816 ad.u.ipc_id = shp->shm_perm.key;
4818 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4819 SHM__ASSOCIATE, &ad);
4822 /* Note, at this point, shp is locked down */
4823 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4831 /* No specific object, just general system-wide information. */
4832 return task_has_system(current, SYSTEM__IPC_INFO);
4835 perms = SHM__GETATTR | SHM__ASSOCIATE;
4838 perms = SHM__SETATTR;
4845 perms = SHM__DESTROY;
4851 err = ipc_has_perm(&shp->shm_perm, perms);
4855 static int selinux_shm_shmat(struct shmid_kernel *shp,
4856 char __user *shmaddr, int shmflg)
4861 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4865 if (shmflg & SHM_RDONLY)
4868 perms = SHM__READ | SHM__WRITE;
4870 return ipc_has_perm(&shp->shm_perm, perms);
4873 /* Semaphore security operations */
4874 static int selinux_sem_alloc_security(struct sem_array *sma)
4876 struct task_security_struct *tsec;
4877 struct ipc_security_struct *isec;
4878 struct avc_audit_data ad;
4881 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4885 tsec = current->security;
4886 isec = sma->sem_perm.security;
4888 AVC_AUDIT_DATA_INIT(&ad, IPC);
4889 ad.u.ipc_id = sma->sem_perm.key;
4891 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4894 ipc_free_security(&sma->sem_perm);
4900 static void selinux_sem_free_security(struct sem_array *sma)
4902 ipc_free_security(&sma->sem_perm);
4905 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4907 struct task_security_struct *tsec;
4908 struct ipc_security_struct *isec;
4909 struct avc_audit_data ad;
4911 tsec = current->security;
4912 isec = sma->sem_perm.security;
4914 AVC_AUDIT_DATA_INIT(&ad, IPC);
4915 ad.u.ipc_id = sma->sem_perm.key;
4917 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4918 SEM__ASSOCIATE, &ad);
4921 /* Note, at this point, sma is locked down */
4922 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4930 /* No specific object, just general system-wide information. */
4931 return task_has_system(current, SYSTEM__IPC_INFO);
4935 perms = SEM__GETATTR;
4946 perms = SEM__DESTROY;
4949 perms = SEM__SETATTR;
4953 perms = SEM__GETATTR | SEM__ASSOCIATE;
4959 err = ipc_has_perm(&sma->sem_perm, perms);
4963 static int selinux_sem_semop(struct sem_array *sma,
4964 struct sembuf *sops, unsigned nsops, int alter)
4969 perms = SEM__READ | SEM__WRITE;
4973 return ipc_has_perm(&sma->sem_perm, perms);
4976 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4982 av |= IPC__UNIX_READ;
4984 av |= IPC__UNIX_WRITE;
4989 return ipc_has_perm(ipcp, av);
4992 /* module stacking operations */
4993 static int selinux_register_security (const char *name, struct security_operations *ops)
4995 if (secondary_ops != original_ops) {
4996 printk(KERN_ERR "%s: There is already a secondary security "
4997 "module registered.\n", __FUNCTION__);
5001 secondary_ops = ops;
5003 printk(KERN_INFO "%s: Registering secondary module %s\n",
5010 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
5013 inode_doinit_with_dentry(inode, dentry);
5016 static int selinux_getprocattr(struct task_struct *p,
5017 char *name, char **value)
5019 struct task_security_struct *tsec;
5025 error = task_has_perm(current, p, PROCESS__GETATTR);
5032 if (!strcmp(name, "current"))
5034 else if (!strcmp(name, "prev"))
5036 else if (!strcmp(name, "exec"))
5037 sid = tsec->exec_sid;
5038 else if (!strcmp(name, "fscreate"))
5039 sid = tsec->create_sid;
5040 else if (!strcmp(name, "keycreate"))
5041 sid = tsec->keycreate_sid;
5042 else if (!strcmp(name, "sockcreate"))
5043 sid = tsec->sockcreate_sid;
5050 error = security_sid_to_context(sid, value, &len);
5056 static int selinux_setprocattr(struct task_struct *p,
5057 char *name, void *value, size_t size)
5059 struct task_security_struct *tsec;
5065 /* SELinux only allows a process to change its own
5066 security attributes. */
5071 * Basic control over ability to set these attributes at all.
5072 * current == p, but we'll pass them separately in case the
5073 * above restriction is ever removed.
5075 if (!strcmp(name, "exec"))
5076 error = task_has_perm(current, p, PROCESS__SETEXEC);
5077 else if (!strcmp(name, "fscreate"))
5078 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5079 else if (!strcmp(name, "keycreate"))
5080 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5081 else if (!strcmp(name, "sockcreate"))
5082 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5083 else if (!strcmp(name, "current"))
5084 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5090 /* Obtain a SID for the context, if one was specified. */
5091 if (size && str[1] && str[1] != '\n') {
5092 if (str[size-1] == '\n') {
5096 error = security_context_to_sid(value, size, &sid);
5101 /* Permission checking based on the specified context is
5102 performed during the actual operation (execve,
5103 open/mkdir/...), when we know the full context of the
5104 operation. See selinux_bprm_set_security for the execve
5105 checks and may_create for the file creation checks. The
5106 operation will then fail if the context is not permitted. */
5108 if (!strcmp(name, "exec"))
5109 tsec->exec_sid = sid;
5110 else if (!strcmp(name, "fscreate"))
5111 tsec->create_sid = sid;
5112 else if (!strcmp(name, "keycreate")) {
5113 error = may_create_key(sid, p);
5116 tsec->keycreate_sid = sid;
5117 } else if (!strcmp(name, "sockcreate"))
5118 tsec->sockcreate_sid = sid;
5119 else if (!strcmp(name, "current")) {
5120 struct av_decision avd;
5125 /* Only allow single threaded processes to change context */
5126 if (atomic_read(&p->mm->mm_users) != 1) {
5127 struct task_struct *g, *t;
5128 struct mm_struct *mm = p->mm;
5129 read_lock(&tasklist_lock);
5130 do_each_thread(g, t)
5131 if (t->mm == mm && t != p) {
5132 read_unlock(&tasklist_lock);
5135 while_each_thread(g, t);
5136 read_unlock(&tasklist_lock);
5139 /* Check permissions for the transition. */
5140 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5141 PROCESS__DYNTRANSITION, NULL);
5145 /* Check for ptracing, and update the task SID if ok.
5146 Otherwise, leave SID unchanged and fail. */
5148 if (p->ptrace & PT_PTRACED) {
5149 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
5151 PROCESS__PTRACE, 0, &avd);
5155 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
5156 PROCESS__PTRACE, &avd, error, NULL);
5170 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5172 return security_sid_to_context(secid, secdata, seclen);
5175 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5177 return security_context_to_sid(secdata, seclen, secid);
5180 static void selinux_release_secctx(char *secdata, u32 seclen)
5187 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5188 unsigned long flags)
5190 struct task_security_struct *tsec = tsk->security;
5191 struct key_security_struct *ksec;
5193 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5198 if (tsec->keycreate_sid)
5199 ksec->sid = tsec->keycreate_sid;
5201 ksec->sid = tsec->sid;
5207 static void selinux_key_free(struct key *k)
5209 struct key_security_struct *ksec = k->security;
5215 static int selinux_key_permission(key_ref_t key_ref,
5216 struct task_struct *ctx,
5220 struct task_security_struct *tsec;
5221 struct key_security_struct *ksec;
5223 key = key_ref_to_ptr(key_ref);
5225 tsec = ctx->security;
5226 ksec = key->security;
5228 /* if no specific permissions are requested, we skip the
5229 permission check. No serious, additional covert channels
5230 appear to be created. */
5234 return avc_has_perm(tsec->sid, ksec->sid,
5235 SECCLASS_KEY, perm, NULL);
5240 static struct security_operations selinux_ops = {
5241 .ptrace = selinux_ptrace,
5242 .capget = selinux_capget,
5243 .capset_check = selinux_capset_check,
5244 .capset_set = selinux_capset_set,
5245 .sysctl = selinux_sysctl,
5246 .capable = selinux_capable,
5247 .quotactl = selinux_quotactl,
5248 .quota_on = selinux_quota_on,
5249 .syslog = selinux_syslog,
5250 .vm_enough_memory = selinux_vm_enough_memory,
5252 .netlink_send = selinux_netlink_send,
5253 .netlink_recv = selinux_netlink_recv,
5255 .bprm_alloc_security = selinux_bprm_alloc_security,
5256 .bprm_free_security = selinux_bprm_free_security,
5257 .bprm_apply_creds = selinux_bprm_apply_creds,
5258 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5259 .bprm_set_security = selinux_bprm_set_security,
5260 .bprm_check_security = selinux_bprm_check_security,
5261 .bprm_secureexec = selinux_bprm_secureexec,
5263 .sb_alloc_security = selinux_sb_alloc_security,
5264 .sb_free_security = selinux_sb_free_security,
5265 .sb_copy_data = selinux_sb_copy_data,
5266 .sb_kern_mount = selinux_sb_kern_mount,
5267 .sb_statfs = selinux_sb_statfs,
5268 .sb_mount = selinux_mount,
5269 .sb_umount = selinux_umount,
5270 .sb_get_mnt_opts = selinux_get_mnt_opts,
5271 .sb_set_mnt_opts = selinux_set_mnt_opts,
5272 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5273 .sb_parse_opts_str = selinux_parse_opts_str,
5276 .inode_alloc_security = selinux_inode_alloc_security,
5277 .inode_free_security = selinux_inode_free_security,
5278 .inode_init_security = selinux_inode_init_security,
5279 .inode_create = selinux_inode_create,
5280 .inode_link = selinux_inode_link,
5281 .inode_unlink = selinux_inode_unlink,
5282 .inode_symlink = selinux_inode_symlink,
5283 .inode_mkdir = selinux_inode_mkdir,
5284 .inode_rmdir = selinux_inode_rmdir,
5285 .inode_mknod = selinux_inode_mknod,
5286 .inode_rename = selinux_inode_rename,
5287 .inode_readlink = selinux_inode_readlink,
5288 .inode_follow_link = selinux_inode_follow_link,
5289 .inode_permission = selinux_inode_permission,
5290 .inode_setattr = selinux_inode_setattr,
5291 .inode_getattr = selinux_inode_getattr,
5292 .inode_setxattr = selinux_inode_setxattr,
5293 .inode_post_setxattr = selinux_inode_post_setxattr,
5294 .inode_getxattr = selinux_inode_getxattr,
5295 .inode_listxattr = selinux_inode_listxattr,
5296 .inode_removexattr = selinux_inode_removexattr,
5297 .inode_getsecurity = selinux_inode_getsecurity,
5298 .inode_setsecurity = selinux_inode_setsecurity,
5299 .inode_listsecurity = selinux_inode_listsecurity,
5300 .inode_need_killpriv = selinux_inode_need_killpriv,
5301 .inode_killpriv = selinux_inode_killpriv,
5303 .file_permission = selinux_file_permission,
5304 .file_alloc_security = selinux_file_alloc_security,
5305 .file_free_security = selinux_file_free_security,
5306 .file_ioctl = selinux_file_ioctl,
5307 .file_mmap = selinux_file_mmap,
5308 .file_mprotect = selinux_file_mprotect,
5309 .file_lock = selinux_file_lock,
5310 .file_fcntl = selinux_file_fcntl,
5311 .file_set_fowner = selinux_file_set_fowner,
5312 .file_send_sigiotask = selinux_file_send_sigiotask,
5313 .file_receive = selinux_file_receive,
5315 .dentry_open = selinux_dentry_open,
5317 .task_create = selinux_task_create,
5318 .task_alloc_security = selinux_task_alloc_security,
5319 .task_free_security = selinux_task_free_security,
5320 .task_setuid = selinux_task_setuid,
5321 .task_post_setuid = selinux_task_post_setuid,
5322 .task_setgid = selinux_task_setgid,
5323 .task_setpgid = selinux_task_setpgid,
5324 .task_getpgid = selinux_task_getpgid,
5325 .task_getsid = selinux_task_getsid,
5326 .task_getsecid = selinux_task_getsecid,
5327 .task_setgroups = selinux_task_setgroups,
5328 .task_setnice = selinux_task_setnice,
5329 .task_setioprio = selinux_task_setioprio,
5330 .task_getioprio = selinux_task_getioprio,
5331 .task_setrlimit = selinux_task_setrlimit,
5332 .task_setscheduler = selinux_task_setscheduler,
5333 .task_getscheduler = selinux_task_getscheduler,
5334 .task_movememory = selinux_task_movememory,
5335 .task_kill = selinux_task_kill,
5336 .task_wait = selinux_task_wait,
5337 .task_prctl = selinux_task_prctl,
5338 .task_reparent_to_init = selinux_task_reparent_to_init,
5339 .task_to_inode = selinux_task_to_inode,
5341 .ipc_permission = selinux_ipc_permission,
5343 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5344 .msg_msg_free_security = selinux_msg_msg_free_security,
5346 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5347 .msg_queue_free_security = selinux_msg_queue_free_security,
5348 .msg_queue_associate = selinux_msg_queue_associate,
5349 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5350 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5351 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5353 .shm_alloc_security = selinux_shm_alloc_security,
5354 .shm_free_security = selinux_shm_free_security,
5355 .shm_associate = selinux_shm_associate,
5356 .shm_shmctl = selinux_shm_shmctl,
5357 .shm_shmat = selinux_shm_shmat,
5359 .sem_alloc_security = selinux_sem_alloc_security,
5360 .sem_free_security = selinux_sem_free_security,
5361 .sem_associate = selinux_sem_associate,
5362 .sem_semctl = selinux_sem_semctl,
5363 .sem_semop = selinux_sem_semop,
5365 .register_security = selinux_register_security,
5367 .d_instantiate = selinux_d_instantiate,
5369 .getprocattr = selinux_getprocattr,
5370 .setprocattr = selinux_setprocattr,
5372 .secid_to_secctx = selinux_secid_to_secctx,
5373 .secctx_to_secid = selinux_secctx_to_secid,
5374 .release_secctx = selinux_release_secctx,
5376 .unix_stream_connect = selinux_socket_unix_stream_connect,
5377 .unix_may_send = selinux_socket_unix_may_send,
5379 .socket_create = selinux_socket_create,
5380 .socket_post_create = selinux_socket_post_create,
5381 .socket_bind = selinux_socket_bind,
5382 .socket_connect = selinux_socket_connect,
5383 .socket_listen = selinux_socket_listen,
5384 .socket_accept = selinux_socket_accept,
5385 .socket_sendmsg = selinux_socket_sendmsg,
5386 .socket_recvmsg = selinux_socket_recvmsg,
5387 .socket_getsockname = selinux_socket_getsockname,
5388 .socket_getpeername = selinux_socket_getpeername,
5389 .socket_getsockopt = selinux_socket_getsockopt,
5390 .socket_setsockopt = selinux_socket_setsockopt,
5391 .socket_shutdown = selinux_socket_shutdown,
5392 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5393 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5394 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5395 .sk_alloc_security = selinux_sk_alloc_security,
5396 .sk_free_security = selinux_sk_free_security,
5397 .sk_clone_security = selinux_sk_clone_security,
5398 .sk_getsecid = selinux_sk_getsecid,
5399 .sock_graft = selinux_sock_graft,
5400 .inet_conn_request = selinux_inet_conn_request,
5401 .inet_csk_clone = selinux_inet_csk_clone,
5402 .inet_conn_established = selinux_inet_conn_established,
5403 .req_classify_flow = selinux_req_classify_flow,
5405 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5406 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5407 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5408 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5409 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5410 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5411 .xfrm_state_free_security = selinux_xfrm_state_free,
5412 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5413 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5414 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5415 .xfrm_decode_session = selinux_xfrm_decode_session,
5419 .key_alloc = selinux_key_alloc,
5420 .key_free = selinux_key_free,
5421 .key_permission = selinux_key_permission,
5425 static __init int selinux_init(void)
5427 struct task_security_struct *tsec;
5429 if (!selinux_enabled) {
5430 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5434 printk(KERN_INFO "SELinux: Initializing.\n");
5436 /* Set the security state for the initial task. */
5437 if (task_alloc_security(current))
5438 panic("SELinux: Failed to initialize initial task.\n");
5439 tsec = current->security;
5440 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5442 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5443 sizeof(struct inode_security_struct),
5444 0, SLAB_PANIC, NULL);
5447 original_ops = secondary_ops = security_ops;
5449 panic ("SELinux: No initial security operations\n");
5450 if (register_security (&selinux_ops))
5451 panic("SELinux: Unable to register with kernel.\n");
5453 if (selinux_enforcing) {
5454 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5456 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5460 /* Add security information to initial keyrings */
5461 selinux_key_alloc(&root_user_keyring, current,
5462 KEY_ALLOC_NOT_IN_QUOTA);
5463 selinux_key_alloc(&root_session_keyring, current,
5464 KEY_ALLOC_NOT_IN_QUOTA);
5470 void selinux_complete_init(void)
5472 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5474 /* Set up any superblocks initialized prior to the policy load. */
5475 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5476 spin_lock(&sb_lock);
5477 spin_lock(&sb_security_lock);
5479 if (!list_empty(&superblock_security_head)) {
5480 struct superblock_security_struct *sbsec =
5481 list_entry(superblock_security_head.next,
5482 struct superblock_security_struct,
5484 struct super_block *sb = sbsec->sb;
5486 spin_unlock(&sb_security_lock);
5487 spin_unlock(&sb_lock);
5488 down_read(&sb->s_umount);
5490 superblock_doinit(sb, NULL);
5492 spin_lock(&sb_lock);
5493 spin_lock(&sb_security_lock);
5494 list_del_init(&sbsec->list);
5497 spin_unlock(&sb_security_lock);
5498 spin_unlock(&sb_lock);
5501 /* SELinux requires early initialization in order to label
5502 all processes and objects when they are created. */
5503 security_initcall(selinux_init);
5505 #if defined(CONFIG_NETFILTER)
5507 static struct nf_hook_ops selinux_ipv4_ops[] = {
5509 .hook = selinux_ipv4_postroute,
5510 .owner = THIS_MODULE,
5512 .hooknum = NF_INET_POST_ROUTING,
5513 .priority = NF_IP_PRI_SELINUX_LAST,
5516 .hook = selinux_ipv4_forward,
5517 .owner = THIS_MODULE,
5519 .hooknum = NF_INET_FORWARD,
5520 .priority = NF_IP_PRI_SELINUX_FIRST,
5524 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5526 static struct nf_hook_ops selinux_ipv6_ops[] = {
5528 .hook = selinux_ipv6_postroute,
5529 .owner = THIS_MODULE,
5531 .hooknum = NF_INET_POST_ROUTING,
5532 .priority = NF_IP6_PRI_SELINUX_LAST,
5535 .hook = selinux_ipv6_forward,
5536 .owner = THIS_MODULE,
5538 .hooknum = NF_INET_FORWARD,
5539 .priority = NF_IP6_PRI_SELINUX_FIRST,
5545 static int __init selinux_nf_ip_init(void)
5550 if (!selinux_enabled)
5553 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5555 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5556 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5558 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5562 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5563 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5564 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5566 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5575 __initcall(selinux_nf_ip_init);
5577 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5578 static void selinux_nf_ip_exit(void)
5582 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5584 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5585 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5586 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5587 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5588 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5593 #else /* CONFIG_NETFILTER */
5595 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5596 #define selinux_nf_ip_exit()
5599 #endif /* CONFIG_NETFILTER */
5601 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5602 int selinux_disable(void)
5604 extern void exit_sel_fs(void);
5605 static int selinux_disabled = 0;
5607 if (ss_initialized) {
5608 /* Not permitted after initial policy load. */
5612 if (selinux_disabled) {
5613 /* Only do this once. */
5617 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5619 selinux_disabled = 1;
5620 selinux_enabled = 0;
5622 /* Reset security_ops to the secondary module, dummy or capability. */
5623 security_ops = secondary_ops;
5625 /* Unregister netfilter hooks. */
5626 selinux_nf_ip_exit();
5628 /* Unregister selinuxfs. */
git.samba.org / sfrench / cifs-2.6.git / blob