2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
89 #define NUM_SEL_MNT_OPTS 4
91 extern unsigned int policydb_loaded_version;
92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
93 extern int selinux_compat_net;
94 extern struct security_operations *security_ops;
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing = 0;
102 static int __init enforcing_setup(char *str)
104 selinux_enforcing = simple_strtol(str,NULL,0);
107 __setup("enforcing=", enforcing_setup);
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
113 static int __init selinux_enabled_setup(char *str)
115 selinux_enabled = simple_strtol(str, NULL, 0);
118 __setup("selinux=", selinux_enabled_setup);
120 int selinux_enabled = 1;
123 /* Original (dummy) security module. */
124 static struct security_operations *original_ops = NULL;
126 /* Minimal support for a secondary security module,
127 just to allow the use of the dummy or capability modules.
128 The owlsm module can alternatively be used as a secondary
129 module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations *secondary_ops = NULL;
132 /* Lists of inode and superblock security structures initialized
133 before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head);
135 static DEFINE_SPINLOCK(sb_security_lock);
137 static struct kmem_cache *sel_inode_cache;
140 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
143 * This function checks the SECMARK reference counter to see if any SECMARK
144 * targets are currently configured, if the reference counter is greater than
145 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
146 * enabled, false (0) if SECMARK is disabled.
149 static int selinux_secmark_enabled(void)
151 return (atomic_read(&selinux_secmark_refcount) > 0);
154 /* Allocate and free functions for each kind of security blob. */
156 static int task_alloc_security(struct task_struct *task)
158 struct task_security_struct *tsec;
160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
165 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166 task->security = tsec;
171 static void task_free_security(struct task_struct *task)
173 struct task_security_struct *tsec = task->security;
174 task->security = NULL;
178 static int inode_alloc_security(struct inode *inode)
180 struct task_security_struct *tsec = current->security;
181 struct inode_security_struct *isec;
183 isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
187 mutex_init(&isec->lock);
188 INIT_LIST_HEAD(&isec->list);
190 isec->sid = SECINITSID_UNLABELED;
191 isec->sclass = SECCLASS_FILE;
192 isec->task_sid = tsec->sid;
193 inode->i_security = isec;
198 static void inode_free_security(struct inode *inode)
200 struct inode_security_struct *isec = inode->i_security;
201 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
203 spin_lock(&sbsec->isec_lock);
204 if (!list_empty(&isec->list))
205 list_del_init(&isec->list);
206 spin_unlock(&sbsec->isec_lock);
208 inode->i_security = NULL;
209 kmem_cache_free(sel_inode_cache, isec);
212 static int file_alloc_security(struct file *file)
214 struct task_security_struct *tsec = current->security;
215 struct file_security_struct *fsec;
217 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
222 fsec->sid = tsec->sid;
223 fsec->fown_sid = tsec->sid;
224 file->f_security = fsec;
229 static void file_free_security(struct file *file)
231 struct file_security_struct *fsec = file->f_security;
232 file->f_security = NULL;
236 static int superblock_alloc_security(struct super_block *sb)
238 struct superblock_security_struct *sbsec;
240 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
244 mutex_init(&sbsec->lock);
245 INIT_LIST_HEAD(&sbsec->list);
246 INIT_LIST_HEAD(&sbsec->isec_head);
247 spin_lock_init(&sbsec->isec_lock);
249 sbsec->sid = SECINITSID_UNLABELED;
250 sbsec->def_sid = SECINITSID_FILE;
251 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
252 sb->s_security = sbsec;
257 static void superblock_free_security(struct super_block *sb)
259 struct superblock_security_struct *sbsec = sb->s_security;
261 spin_lock(&sb_security_lock);
262 if (!list_empty(&sbsec->list))
263 list_del_init(&sbsec->list);
264 spin_unlock(&sb_security_lock);
266 sb->s_security = NULL;
270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
272 struct sk_security_struct *ssec;
274 ssec = kzalloc(sizeof(*ssec), priority);
279 ssec->peer_sid = SECINITSID_UNLABELED;
280 ssec->sid = SECINITSID_UNLABELED;
281 sk->sk_security = ssec;
283 selinux_netlbl_sk_security_init(ssec, family);
288 static void sk_free_security(struct sock *sk)
290 struct sk_security_struct *ssec = sk->sk_security;
292 sk->sk_security = NULL;
296 /* The security server must be initialized before
297 any labeling or access decisions can be provided. */
298 extern int ss_initialized;
300 /* The file system's label must be initialized prior to use. */
302 static char *labeling_behaviors[6] = {
304 "uses transition SIDs",
306 "uses genfs_contexts",
307 "not configured for labeling",
308 "uses mountpoint labeling",
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313 static inline int inode_doinit(struct inode *inode)
315 return inode_doinit_with_dentry(inode, NULL);
326 static match_table_t tokens = {
327 {Opt_context, "context=%s"},
328 {Opt_fscontext, "fscontext=%s"},
329 {Opt_defcontext, "defcontext=%s"},
330 {Opt_rootcontext, "rootcontext=%s"},
334 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
336 static int may_context_mount_sb_relabel(u32 sid,
337 struct superblock_security_struct *sbsec,
338 struct task_security_struct *tsec)
342 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343 FILESYSTEM__RELABELFROM, NULL);
347 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELTO, NULL);
352 static int may_context_mount_inode_relabel(u32 sid,
353 struct superblock_security_struct *sbsec,
354 struct task_security_struct *tsec)
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
362 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__ASSOCIATE, NULL);
367 static int sb_finish_set_opts(struct super_block *sb)
369 struct superblock_security_struct *sbsec = sb->s_security;
370 struct dentry *root = sb->s_root;
371 struct inode *root_inode = root->d_inode;
374 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
375 /* Make sure that the xattr handler exists and that no
376 error other than -ENODATA is returned by getxattr on
377 the root directory. -ENODATA is ok, as this may be
378 the first boot of the SELinux kernel before we have
379 assigned xattr values to the filesystem. */
380 if (!root_inode->i_op->getxattr) {
381 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
382 "xattr support\n", sb->s_id, sb->s_type->name);
386 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
387 if (rc < 0 && rc != -ENODATA) {
388 if (rc == -EOPNOTSUPP)
389 printk(KERN_WARNING "SELinux: (dev %s, type "
390 "%s) has no security xattr handler\n",
391 sb->s_id, sb->s_type->name);
393 printk(KERN_WARNING "SELinux: (dev %s, type "
394 "%s) getxattr errno %d\n", sb->s_id,
395 sb->s_type->name, -rc);
400 sbsec->initialized = 1;
402 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
404 sb->s_id, sb->s_type->name);
406 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
407 sb->s_id, sb->s_type->name,
408 labeling_behaviors[sbsec->behavior-1]);
410 /* Initialize the root inode. */
411 rc = inode_doinit_with_dentry(root_inode, root);
413 /* Initialize any other inodes associated with the superblock, e.g.
414 inodes created prior to initial policy load or inodes created
415 during get_sb by a pseudo filesystem that directly
417 spin_lock(&sbsec->isec_lock);
419 if (!list_empty(&sbsec->isec_head)) {
420 struct inode_security_struct *isec =
421 list_entry(sbsec->isec_head.next,
422 struct inode_security_struct, list);
423 struct inode *inode = isec->inode;
424 spin_unlock(&sbsec->isec_lock);
425 inode = igrab(inode);
427 if (!IS_PRIVATE(inode))
431 spin_lock(&sbsec->isec_lock);
432 list_del_init(&isec->list);
435 spin_unlock(&sbsec->isec_lock);
441 * This function should allow an FS to ask what it's mount security
442 * options were so it can use those later for submounts, displaying
443 * mount options, or whatever.
445 static int selinux_get_mnt_opts(const struct super_block *sb,
446 char ***mount_options, int **mnt_opts_flags,
450 struct superblock_security_struct *sbsec = sb->s_security;
451 char *context = NULL;
456 *mount_options = NULL;
457 *mnt_opts_flags = NULL;
459 if (!sbsec->initialized)
466 * if we ever use sbsec flags for anything other than tracking mount
467 * settings this is going to need a mask
470 /* count the number of mount options for this sb */
471 for (i = 0; i < 8; i++) {
477 *mount_options = kcalloc(*num_opts, sizeof(char *), GFP_ATOMIC);
478 if (!*mount_options) {
483 *mnt_opts_flags = kcalloc(*num_opts, sizeof(int), GFP_ATOMIC);
484 if (!*mnt_opts_flags) {
490 if (sbsec->flags & FSCONTEXT_MNT) {
491 rc = security_sid_to_context(sbsec->sid, &context, &len);
494 (*mount_options)[i] = context;
495 (*mnt_opts_flags)[i++] = FSCONTEXT_MNT;
497 if (sbsec->flags & CONTEXT_MNT) {
498 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
501 (*mount_options)[i] = context;
502 (*mnt_opts_flags)[i++] = CONTEXT_MNT;
504 if (sbsec->flags & DEFCONTEXT_MNT) {
505 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
508 (*mount_options)[i] = context;
509 (*mnt_opts_flags)[i++] = DEFCONTEXT_MNT;
511 if (sbsec->flags & ROOTCONTEXT_MNT) {
512 struct inode *root = sbsec->sb->s_root->d_inode;
513 struct inode_security_struct *isec = root->i_security;
515 rc = security_sid_to_context(isec->sid, &context, &len);
518 (*mount_options)[i] = context;
519 (*mnt_opts_flags)[i++] = ROOTCONTEXT_MNT;
522 BUG_ON(i != *num_opts);
527 /* don't leak context string if security_sid_to_context had an error */
528 if (*mount_options && i)
530 kfree((*mount_options)[i-1]);
531 kfree(*mount_options);
532 *mount_options = NULL;
533 kfree(*mnt_opts_flags);
534 *mnt_opts_flags = NULL;
539 static int bad_option(struct superblock_security_struct *sbsec, char flag,
540 u32 old_sid, u32 new_sid)
542 /* check if the old mount command had the same options */
543 if (sbsec->initialized)
544 if (!(sbsec->flags & flag) ||
545 (old_sid != new_sid))
548 /* check if we were passed the same options twice,
549 * aka someone passed context=a,context=b
551 if (!sbsec->initialized)
552 if (sbsec->flags & flag)
557 * Allow filesystems with binary mount data to explicitly set mount point
558 * labeling information.
560 static int selinux_set_mnt_opts(struct super_block *sb, char **mount_options,
561 int *flags, int num_opts)
564 struct task_security_struct *tsec = current->security;
565 struct superblock_security_struct *sbsec = sb->s_security;
566 const char *name = sb->s_type->name;
567 struct inode *inode = sbsec->sb->s_root->d_inode;
568 struct inode_security_struct *root_isec = inode->i_security;
569 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
570 u32 defcontext_sid = 0;
572 mutex_lock(&sbsec->lock);
574 if (!ss_initialized) {
576 /* Defer initialization until selinux_complete_init,
577 after the initial policy is loaded and the security
578 server is ready to handle calls. */
579 spin_lock(&sb_security_lock);
580 if (list_empty(&sbsec->list))
581 list_add(&sbsec->list, &superblock_security_head);
582 spin_unlock(&sb_security_lock);
586 printk(KERN_WARNING "Unable to set superblock options before "
587 "the security server is initialized\n");
592 * parse the mount options, check if they are valid sids.
593 * also check if someone is trying to mount the same sb more
594 * than once with different security options.
596 for (i = 0; i < num_opts; i++) {
598 rc = security_context_to_sid(mount_options[i],
599 strlen(mount_options[i]), &sid);
601 printk(KERN_WARNING "SELinux: security_context_to_sid"
602 "(%s) failed for (dev %s, type %s) errno=%d\n",
603 mount_options[i], sb->s_id, name, rc);
610 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
612 goto out_double_mount;
614 sbsec->flags |= FSCONTEXT_MNT;
619 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
621 goto out_double_mount;
623 sbsec->flags |= CONTEXT_MNT;
625 case ROOTCONTEXT_MNT:
626 rootcontext_sid = sid;
628 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
630 goto out_double_mount;
632 sbsec->flags |= ROOTCONTEXT_MNT;
636 defcontext_sid = sid;
638 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
640 goto out_double_mount;
642 sbsec->flags |= DEFCONTEXT_MNT;
651 if (sbsec->initialized) {
652 /* previously mounted with options, but not on this attempt? */
653 if (sbsec->flags && !num_opts)
654 goto out_double_mount;
659 if (strcmp(sb->s_type->name, "proc") == 0)
662 /* Determine the labeling behavior to use for this filesystem type. */
663 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
665 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
666 __FUNCTION__, sb->s_type->name, rc);
670 /* sets the context of the superblock for the fs being mounted. */
673 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
677 sbsec->sid = fscontext_sid;
681 * Switch to using mount point labeling behavior.
682 * sets the label used on all file below the mountpoint, and will set
683 * the superblock context if not already set.
686 if (!fscontext_sid) {
687 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
690 sbsec->sid = context_sid;
692 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
696 if (!rootcontext_sid)
697 rootcontext_sid = context_sid;
699 sbsec->mntpoint_sid = context_sid;
700 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
703 if (rootcontext_sid) {
704 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
708 root_isec->sid = rootcontext_sid;
709 root_isec->initialized = 1;
712 if (defcontext_sid) {
713 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
715 printk(KERN_WARNING "SELinux: defcontext option is "
716 "invalid for this filesystem type\n");
720 if (defcontext_sid != sbsec->def_sid) {
721 rc = may_context_mount_inode_relabel(defcontext_sid,
727 sbsec->def_sid = defcontext_sid;
730 rc = sb_finish_set_opts(sb);
732 mutex_unlock(&sbsec->lock);
736 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
737 "security settings for (dev %s, type %s)\n", sb->s_id, name);
741 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
742 struct super_block *newsb)
744 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
745 struct superblock_security_struct *newsbsec = newsb->s_security;
747 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
748 int set_context = (oldsbsec->flags & CONTEXT_MNT);
749 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
751 /* we can't error, we can't save the info, this shouldn't get called
752 * this early in the boot process. */
753 BUG_ON(!ss_initialized);
755 /* this might go away sometime down the line if there is a new user
756 * of clone, but for now, nfs better not get here... */
757 BUG_ON(newsbsec->initialized);
759 /* how can we clone if the old one wasn't set up?? */
760 BUG_ON(!oldsbsec->initialized);
762 mutex_lock(&newsbsec->lock);
764 newsbsec->flags = oldsbsec->flags;
766 newsbsec->sid = oldsbsec->sid;
767 newsbsec->def_sid = oldsbsec->def_sid;
768 newsbsec->behavior = oldsbsec->behavior;
771 u32 sid = oldsbsec->mntpoint_sid;
775 if (!set_rootcontext) {
776 struct inode *newinode = newsb->s_root->d_inode;
777 struct inode_security_struct *newisec = newinode->i_security;
780 newsbsec->mntpoint_sid = sid;
782 if (set_rootcontext) {
783 const struct inode *oldinode = oldsb->s_root->d_inode;
784 const struct inode_security_struct *oldisec = oldinode->i_security;
785 struct inode *newinode = newsb->s_root->d_inode;
786 struct inode_security_struct *newisec = newinode->i_security;
788 newisec->sid = oldisec->sid;
791 sb_finish_set_opts(newsb);
792 mutex_unlock(&newsbsec->lock);
796 * string mount options parsing and call set the sbsec
798 static int superblock_doinit(struct super_block *sb, void *data)
800 char *context = NULL, *defcontext = NULL;
801 char *fscontext = NULL, *rootcontext = NULL;
803 char *p, *options = data;
804 /* selinux only know about a fixed number of mount options */
805 char *mnt_opts[NUM_SEL_MNT_OPTS];
806 int mnt_opts_flags[NUM_SEL_MNT_OPTS], num_mnt_opts = 0;
811 /* with the nfs patch this will become a goto out; */
812 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
813 const char *name = sb->s_type->name;
814 /* NFS we understand. */
815 if (!strcmp(name, "nfs")) {
816 struct nfs_mount_data *d = data;
818 if (d->version != NFS_MOUNT_VERSION)
822 context = kstrdup(d->context, GFP_KERNEL);
833 /* Standard string-based options. */
834 while ((p = strsep(&options, "|")) != NULL) {
836 substring_t args[MAX_OPT_ARGS];
841 token = match_token(p, tokens, args);
845 if (context || defcontext) {
847 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
850 context = match_strdup(&args[0]);
860 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
863 fscontext = match_strdup(&args[0]);
870 case Opt_rootcontext:
873 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
876 rootcontext = match_strdup(&args[0]);
884 if (context || defcontext) {
886 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
889 defcontext = match_strdup(&args[0]);
898 printk(KERN_WARNING "SELinux: unknown mount option\n");
906 mnt_opts[num_mnt_opts] = fscontext;
907 mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
910 mnt_opts[num_mnt_opts] = context;
911 mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
914 mnt_opts[num_mnt_opts] = rootcontext;
915 mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
918 mnt_opts[num_mnt_opts] = defcontext;
919 mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
923 rc = selinux_set_mnt_opts(sb, mnt_opts, mnt_opts_flags, num_mnt_opts);
932 static inline u16 inode_mode_to_security_class(umode_t mode)
934 switch (mode & S_IFMT) {
936 return SECCLASS_SOCK_FILE;
938 return SECCLASS_LNK_FILE;
940 return SECCLASS_FILE;
942 return SECCLASS_BLK_FILE;
946 return SECCLASS_CHR_FILE;
948 return SECCLASS_FIFO_FILE;
952 return SECCLASS_FILE;
955 static inline int default_protocol_stream(int protocol)
957 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
960 static inline int default_protocol_dgram(int protocol)
962 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
965 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
972 return SECCLASS_UNIX_STREAM_SOCKET;
974 return SECCLASS_UNIX_DGRAM_SOCKET;
981 if (default_protocol_stream(protocol))
982 return SECCLASS_TCP_SOCKET;
984 return SECCLASS_RAWIP_SOCKET;
986 if (default_protocol_dgram(protocol))
987 return SECCLASS_UDP_SOCKET;
989 return SECCLASS_RAWIP_SOCKET;
991 return SECCLASS_DCCP_SOCKET;
993 return SECCLASS_RAWIP_SOCKET;
999 return SECCLASS_NETLINK_ROUTE_SOCKET;
1000 case NETLINK_FIREWALL:
1001 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1002 case NETLINK_INET_DIAG:
1003 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1005 return SECCLASS_NETLINK_NFLOG_SOCKET;
1007 return SECCLASS_NETLINK_XFRM_SOCKET;
1008 case NETLINK_SELINUX:
1009 return SECCLASS_NETLINK_SELINUX_SOCKET;
1011 return SECCLASS_NETLINK_AUDIT_SOCKET;
1012 case NETLINK_IP6_FW:
1013 return SECCLASS_NETLINK_IP6FW_SOCKET;
1014 case NETLINK_DNRTMSG:
1015 return SECCLASS_NETLINK_DNRT_SOCKET;
1016 case NETLINK_KOBJECT_UEVENT:
1017 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1019 return SECCLASS_NETLINK_SOCKET;
1022 return SECCLASS_PACKET_SOCKET;
1024 return SECCLASS_KEY_SOCKET;
1026 return SECCLASS_APPLETALK_SOCKET;
1029 return SECCLASS_SOCKET;
1032 #ifdef CONFIG_PROC_FS
1033 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1038 char *buffer, *path, *end;
1040 buffer = (char*)__get_free_page(GFP_KERNEL);
1045 end = buffer+buflen;
1050 while (de && de != de->parent) {
1051 buflen -= de->namelen + 1;
1055 memcpy(end, de->name, de->namelen);
1060 rc = security_genfs_sid("proc", path, tclass, sid);
1061 free_page((unsigned long)buffer);
1065 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1073 /* The inode's security attributes must be initialized before first use. */
1074 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1076 struct superblock_security_struct *sbsec = NULL;
1077 struct inode_security_struct *isec = inode->i_security;
1079 struct dentry *dentry;
1080 #define INITCONTEXTLEN 255
1081 char *context = NULL;
1085 if (isec->initialized)
1088 mutex_lock(&isec->lock);
1089 if (isec->initialized)
1092 sbsec = inode->i_sb->s_security;
1093 if (!sbsec->initialized) {
1094 /* Defer initialization until selinux_complete_init,
1095 after the initial policy is loaded and the security
1096 server is ready to handle calls. */
1097 spin_lock(&sbsec->isec_lock);
1098 if (list_empty(&isec->list))
1099 list_add(&isec->list, &sbsec->isec_head);
1100 spin_unlock(&sbsec->isec_lock);
1104 switch (sbsec->behavior) {
1105 case SECURITY_FS_USE_XATTR:
1106 if (!inode->i_op->getxattr) {
1107 isec->sid = sbsec->def_sid;
1111 /* Need a dentry, since the xattr API requires one.
1112 Life would be simpler if we could just pass the inode. */
1114 /* Called from d_instantiate or d_splice_alias. */
1115 dentry = dget(opt_dentry);
1117 /* Called from selinux_complete_init, try to find a dentry. */
1118 dentry = d_find_alias(inode);
1121 printk(KERN_WARNING "%s: no dentry for dev=%s "
1122 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1127 len = INITCONTEXTLEN;
1128 context = kmalloc(len, GFP_KERNEL);
1134 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1136 if (rc == -ERANGE) {
1137 /* Need a larger buffer. Query for the right size. */
1138 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1146 context = kmalloc(len, GFP_KERNEL);
1152 rc = inode->i_op->getxattr(dentry,
1158 if (rc != -ENODATA) {
1159 printk(KERN_WARNING "%s: getxattr returned "
1160 "%d for dev=%s ino=%ld\n", __FUNCTION__,
1161 -rc, inode->i_sb->s_id, inode->i_ino);
1165 /* Map ENODATA to the default file SID */
1166 sid = sbsec->def_sid;
1169 rc = security_context_to_sid_default(context, rc, &sid,
1172 printk(KERN_WARNING "%s: context_to_sid(%s) "
1173 "returned %d for dev=%s ino=%ld\n",
1174 __FUNCTION__, context, -rc,
1175 inode->i_sb->s_id, inode->i_ino);
1177 /* Leave with the unlabeled SID */
1185 case SECURITY_FS_USE_TASK:
1186 isec->sid = isec->task_sid;
1188 case SECURITY_FS_USE_TRANS:
1189 /* Default to the fs SID. */
1190 isec->sid = sbsec->sid;
1192 /* Try to obtain a transition SID. */
1193 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1194 rc = security_transition_sid(isec->task_sid,
1202 case SECURITY_FS_USE_MNTPOINT:
1203 isec->sid = sbsec->mntpoint_sid;
1206 /* Default to the fs superblock SID. */
1207 isec->sid = sbsec->sid;
1210 struct proc_inode *proci = PROC_I(inode);
1212 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1213 rc = selinux_proc_get_sid(proci->pde,
1224 isec->initialized = 1;
1227 mutex_unlock(&isec->lock);
1229 if (isec->sclass == SECCLASS_FILE)
1230 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1234 /* Convert a Linux signal to an access vector. */
1235 static inline u32 signal_to_av(int sig)
1241 /* Commonly granted from child to parent. */
1242 perm = PROCESS__SIGCHLD;
1245 /* Cannot be caught or ignored */
1246 perm = PROCESS__SIGKILL;
1249 /* Cannot be caught or ignored */
1250 perm = PROCESS__SIGSTOP;
1253 /* All other signals. */
1254 perm = PROCESS__SIGNAL;
1261 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1262 fork check, ptrace check, etc. */
1263 static int task_has_perm(struct task_struct *tsk1,
1264 struct task_struct *tsk2,
1267 struct task_security_struct *tsec1, *tsec2;
1269 tsec1 = tsk1->security;
1270 tsec2 = tsk2->security;
1271 return avc_has_perm(tsec1->sid, tsec2->sid,
1272 SECCLASS_PROCESS, perms, NULL);
1275 #if CAP_LAST_CAP > 63
1276 #error Fix SELinux to handle capabilities > 63.
1279 /* Check whether a task is allowed to use a capability. */
1280 static int task_has_capability(struct task_struct *tsk,
1283 struct task_security_struct *tsec;
1284 struct avc_audit_data ad;
1286 u32 av = CAP_TO_MASK(cap);
1288 tsec = tsk->security;
1290 AVC_AUDIT_DATA_INIT(&ad,CAP);
1294 switch (CAP_TO_INDEX(cap)) {
1296 sclass = SECCLASS_CAPABILITY;
1299 sclass = SECCLASS_CAPABILITY2;
1303 "SELinux: out of range capability %d\n", cap);
1306 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1309 /* Check whether a task is allowed to use a system operation. */
1310 static int task_has_system(struct task_struct *tsk,
1313 struct task_security_struct *tsec;
1315 tsec = tsk->security;
1317 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1318 SECCLASS_SYSTEM, perms, NULL);
1321 /* Check whether a task has a particular permission to an inode.
1322 The 'adp' parameter is optional and allows other audit
1323 data to be passed (e.g. the dentry). */
1324 static int inode_has_perm(struct task_struct *tsk,
1325 struct inode *inode,
1327 struct avc_audit_data *adp)
1329 struct task_security_struct *tsec;
1330 struct inode_security_struct *isec;
1331 struct avc_audit_data ad;
1333 if (unlikely (IS_PRIVATE (inode)))
1336 tsec = tsk->security;
1337 isec = inode->i_security;
1341 AVC_AUDIT_DATA_INIT(&ad, FS);
1342 ad.u.fs.inode = inode;
1345 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1348 /* Same as inode_has_perm, but pass explicit audit data containing
1349 the dentry to help the auditing code to more easily generate the
1350 pathname if needed. */
1351 static inline int dentry_has_perm(struct task_struct *tsk,
1352 struct vfsmount *mnt,
1353 struct dentry *dentry,
1356 struct inode *inode = dentry->d_inode;
1357 struct avc_audit_data ad;
1358 AVC_AUDIT_DATA_INIT(&ad,FS);
1360 ad.u.fs.dentry = dentry;
1361 return inode_has_perm(tsk, inode, av, &ad);
1364 /* Check whether a task can use an open file descriptor to
1365 access an inode in a given way. Check access to the
1366 descriptor itself, and then use dentry_has_perm to
1367 check a particular permission to the file.
1368 Access to the descriptor is implicitly granted if it
1369 has the same SID as the process. If av is zero, then
1370 access to the file is not checked, e.g. for cases
1371 where only the descriptor is affected like seek. */
1372 static int file_has_perm(struct task_struct *tsk,
1376 struct task_security_struct *tsec = tsk->security;
1377 struct file_security_struct *fsec = file->f_security;
1378 struct vfsmount *mnt = file->f_path.mnt;
1379 struct dentry *dentry = file->f_path.dentry;
1380 struct inode *inode = dentry->d_inode;
1381 struct avc_audit_data ad;
1384 AVC_AUDIT_DATA_INIT(&ad, FS);
1386 ad.u.fs.dentry = dentry;
1388 if (tsec->sid != fsec->sid) {
1389 rc = avc_has_perm(tsec->sid, fsec->sid,
1397 /* av is zero if only checking access to the descriptor. */
1399 return inode_has_perm(tsk, inode, av, &ad);
1404 /* Check whether a task can create a file. */
1405 static int may_create(struct inode *dir,
1406 struct dentry *dentry,
1409 struct task_security_struct *tsec;
1410 struct inode_security_struct *dsec;
1411 struct superblock_security_struct *sbsec;
1413 struct avc_audit_data ad;
1416 tsec = current->security;
1417 dsec = dir->i_security;
1418 sbsec = dir->i_sb->s_security;
1420 AVC_AUDIT_DATA_INIT(&ad, FS);
1421 ad.u.fs.dentry = dentry;
1423 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1424 DIR__ADD_NAME | DIR__SEARCH,
1429 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1430 newsid = tsec->create_sid;
1432 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1438 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1442 return avc_has_perm(newsid, sbsec->sid,
1443 SECCLASS_FILESYSTEM,
1444 FILESYSTEM__ASSOCIATE, &ad);
1447 /* Check whether a task can create a key. */
1448 static int may_create_key(u32 ksid,
1449 struct task_struct *ctx)
1451 struct task_security_struct *tsec;
1453 tsec = ctx->security;
1455 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1459 #define MAY_UNLINK 1
1462 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1463 static int may_link(struct inode *dir,
1464 struct dentry *dentry,
1468 struct task_security_struct *tsec;
1469 struct inode_security_struct *dsec, *isec;
1470 struct avc_audit_data ad;
1474 tsec = current->security;
1475 dsec = dir->i_security;
1476 isec = dentry->d_inode->i_security;
1478 AVC_AUDIT_DATA_INIT(&ad, FS);
1479 ad.u.fs.dentry = dentry;
1482 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1483 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1498 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1502 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1506 static inline int may_rename(struct inode *old_dir,
1507 struct dentry *old_dentry,
1508 struct inode *new_dir,
1509 struct dentry *new_dentry)
1511 struct task_security_struct *tsec;
1512 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1513 struct avc_audit_data ad;
1515 int old_is_dir, new_is_dir;
1518 tsec = current->security;
1519 old_dsec = old_dir->i_security;
1520 old_isec = old_dentry->d_inode->i_security;
1521 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1522 new_dsec = new_dir->i_security;
1524 AVC_AUDIT_DATA_INIT(&ad, FS);
1526 ad.u.fs.dentry = old_dentry;
1527 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1528 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1531 rc = avc_has_perm(tsec->sid, old_isec->sid,
1532 old_isec->sclass, FILE__RENAME, &ad);
1535 if (old_is_dir && new_dir != old_dir) {
1536 rc = avc_has_perm(tsec->sid, old_isec->sid,
1537 old_isec->sclass, DIR__REPARENT, &ad);
1542 ad.u.fs.dentry = new_dentry;
1543 av = DIR__ADD_NAME | DIR__SEARCH;
1544 if (new_dentry->d_inode)
1545 av |= DIR__REMOVE_NAME;
1546 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1549 if (new_dentry->d_inode) {
1550 new_isec = new_dentry->d_inode->i_security;
1551 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1552 rc = avc_has_perm(tsec->sid, new_isec->sid,
1554 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1562 /* Check whether a task can perform a filesystem operation. */
1563 static int superblock_has_perm(struct task_struct *tsk,
1564 struct super_block *sb,
1566 struct avc_audit_data *ad)
1568 struct task_security_struct *tsec;
1569 struct superblock_security_struct *sbsec;
1571 tsec = tsk->security;
1572 sbsec = sb->s_security;
1573 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1577 /* Convert a Linux mode and permission mask to an access vector. */
1578 static inline u32 file_mask_to_av(int mode, int mask)
1582 if ((mode & S_IFMT) != S_IFDIR) {
1583 if (mask & MAY_EXEC)
1584 av |= FILE__EXECUTE;
1585 if (mask & MAY_READ)
1588 if (mask & MAY_APPEND)
1590 else if (mask & MAY_WRITE)
1594 if (mask & MAY_EXEC)
1596 if (mask & MAY_WRITE)
1598 if (mask & MAY_READ)
1605 /* Convert a Linux file to an access vector. */
1606 static inline u32 file_to_av(struct file *file)
1610 if (file->f_mode & FMODE_READ)
1612 if (file->f_mode & FMODE_WRITE) {
1613 if (file->f_flags & O_APPEND)
1622 /* Hook functions begin here. */
1624 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1626 struct task_security_struct *psec = parent->security;
1627 struct task_security_struct *csec = child->security;
1630 rc = secondary_ops->ptrace(parent,child);
1634 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1635 /* Save the SID of the tracing process for later use in apply_creds. */
1636 if (!(child->ptrace & PT_PTRACED) && !rc)
1637 csec->ptrace_sid = psec->sid;
1641 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1642 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1646 error = task_has_perm(current, target, PROCESS__GETCAP);
1650 return secondary_ops->capget(target, effective, inheritable, permitted);
1653 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1654 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1658 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1662 return task_has_perm(current, target, PROCESS__SETCAP);
1665 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1666 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1668 secondary_ops->capset_set(target, effective, inheritable, permitted);
1671 static int selinux_capable(struct task_struct *tsk, int cap)
1675 rc = secondary_ops->capable(tsk, cap);
1679 return task_has_capability(tsk,cap);
1682 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1685 char *buffer, *path, *end;
1688 buffer = (char*)__get_free_page(GFP_KERNEL);
1693 end = buffer+buflen;
1699 const char *name = table->procname;
1700 size_t namelen = strlen(name);
1701 buflen -= namelen + 1;
1705 memcpy(end, name, namelen);
1708 table = table->parent;
1714 memcpy(end, "/sys", 4);
1716 rc = security_genfs_sid("proc", path, tclass, sid);
1718 free_page((unsigned long)buffer);
1723 static int selinux_sysctl(ctl_table *table, int op)
1727 struct task_security_struct *tsec;
1731 rc = secondary_ops->sysctl(table, op);
1735 tsec = current->security;
1737 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1738 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1740 /* Default to the well-defined sysctl SID. */
1741 tsid = SECINITSID_SYSCTL;
1744 /* The op values are "defined" in sysctl.c, thereby creating
1745 * a bad coupling between this module and sysctl.c */
1747 error = avc_has_perm(tsec->sid, tsid,
1748 SECCLASS_DIR, DIR__SEARCH, NULL);
1756 error = avc_has_perm(tsec->sid, tsid,
1757 SECCLASS_FILE, av, NULL);
1763 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1776 rc = superblock_has_perm(current,
1778 FILESYSTEM__QUOTAMOD, NULL);
1783 rc = superblock_has_perm(current,
1785 FILESYSTEM__QUOTAGET, NULL);
1788 rc = 0; /* let the kernel handle invalid cmds */
1794 static int selinux_quota_on(struct dentry *dentry)
1796 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1799 static int selinux_syslog(int type)
1803 rc = secondary_ops->syslog(type);
1808 case 3: /* Read last kernel messages */
1809 case 10: /* Return size of the log buffer */
1810 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1812 case 6: /* Disable logging to console */
1813 case 7: /* Enable logging to console */
1814 case 8: /* Set level of messages printed to console */
1815 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1817 case 0: /* Close log */
1818 case 1: /* Open log */
1819 case 2: /* Read from log */
1820 case 4: /* Read/clear last kernel messages */
1821 case 5: /* Clear ring buffer */
1823 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1830 * Check that a process has enough memory to allocate a new virtual
1831 * mapping. 0 means there is enough memory for the allocation to
1832 * succeed and -ENOMEM implies there is not.
1834 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1835 * if the capability is granted, but __vm_enough_memory requires 1 if
1836 * the capability is granted.
1838 * Do not audit the selinux permission check, as this is applied to all
1839 * processes that allocate mappings.
1841 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1843 int rc, cap_sys_admin = 0;
1844 struct task_security_struct *tsec = current->security;
1846 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1848 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1849 SECCLASS_CAPABILITY,
1850 CAP_TO_MASK(CAP_SYS_ADMIN),
1857 return __vm_enough_memory(mm, pages, cap_sys_admin);
1860 /* binprm security operations */
1862 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1864 struct bprm_security_struct *bsec;
1866 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1871 bsec->sid = SECINITSID_UNLABELED;
1874 bprm->security = bsec;
1878 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1880 struct task_security_struct *tsec;
1881 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1882 struct inode_security_struct *isec;
1883 struct bprm_security_struct *bsec;
1885 struct avc_audit_data ad;
1888 rc = secondary_ops->bprm_set_security(bprm);
1892 bsec = bprm->security;
1897 tsec = current->security;
1898 isec = inode->i_security;
1900 /* Default to the current task SID. */
1901 bsec->sid = tsec->sid;
1903 /* Reset fs, key, and sock SIDs on execve. */
1904 tsec->create_sid = 0;
1905 tsec->keycreate_sid = 0;
1906 tsec->sockcreate_sid = 0;
1908 if (tsec->exec_sid) {
1909 newsid = tsec->exec_sid;
1910 /* Reset exec SID on execve. */
1913 /* Check for a default transition on this program. */
1914 rc = security_transition_sid(tsec->sid, isec->sid,
1915 SECCLASS_PROCESS, &newsid);
1920 AVC_AUDIT_DATA_INIT(&ad, FS);
1921 ad.u.fs.mnt = bprm->file->f_path.mnt;
1922 ad.u.fs.dentry = bprm->file->f_path.dentry;
1924 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1927 if (tsec->sid == newsid) {
1928 rc = avc_has_perm(tsec->sid, isec->sid,
1929 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1933 /* Check permissions for the transition. */
1934 rc = avc_has_perm(tsec->sid, newsid,
1935 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1939 rc = avc_has_perm(newsid, isec->sid,
1940 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1944 /* Clear any possibly unsafe personality bits on exec: */
1945 current->personality &= ~PER_CLEAR_ON_SETID;
1947 /* Set the security field to the new SID. */
1955 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1957 return secondary_ops->bprm_check_security(bprm);
1961 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1963 struct task_security_struct *tsec = current->security;
1966 if (tsec->osid != tsec->sid) {
1967 /* Enable secure mode for SIDs transitions unless
1968 the noatsecure permission is granted between
1969 the two SIDs, i.e. ahp returns 0. */
1970 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1972 PROCESS__NOATSECURE, NULL);
1975 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1978 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1980 kfree(bprm->security);
1981 bprm->security = NULL;
1984 extern struct vfsmount *selinuxfs_mount;
1985 extern struct dentry *selinux_null;
1987 /* Derived from fs/exec.c:flush_old_files. */
1988 static inline void flush_unauthorized_files(struct files_struct * files)
1990 struct avc_audit_data ad;
1991 struct file *file, *devnull = NULL;
1992 struct tty_struct *tty;
1993 struct fdtable *fdt;
1997 mutex_lock(&tty_mutex);
1998 tty = get_current_tty();
2001 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2003 /* Revalidate access to controlling tty.
2004 Use inode_has_perm on the tty inode directly rather
2005 than using file_has_perm, as this particular open
2006 file may belong to another process and we are only
2007 interested in the inode-based check here. */
2008 struct inode *inode = file->f_path.dentry->d_inode;
2009 if (inode_has_perm(current, inode,
2010 FILE__READ | FILE__WRITE, NULL)) {
2016 mutex_unlock(&tty_mutex);
2017 /* Reset controlling tty. */
2021 /* Revalidate access to inherited open files. */
2023 AVC_AUDIT_DATA_INIT(&ad,FS);
2025 spin_lock(&files->file_lock);
2027 unsigned long set, i;
2032 fdt = files_fdtable(files);
2033 if (i >= fdt->max_fds)
2035 set = fdt->open_fds->fds_bits[j];
2038 spin_unlock(&files->file_lock);
2039 for ( ; set ; i++,set >>= 1) {
2044 if (file_has_perm(current,
2046 file_to_av(file))) {
2048 fd = get_unused_fd();
2058 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2059 if (IS_ERR(devnull)) {
2066 fd_install(fd, devnull);
2071 spin_lock(&files->file_lock);
2074 spin_unlock(&files->file_lock);
2077 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2079 struct task_security_struct *tsec;
2080 struct bprm_security_struct *bsec;
2084 secondary_ops->bprm_apply_creds(bprm, unsafe);
2086 tsec = current->security;
2088 bsec = bprm->security;
2091 tsec->osid = tsec->sid;
2093 if (tsec->sid != sid) {
2094 /* Check for shared state. If not ok, leave SID
2095 unchanged and kill. */
2096 if (unsafe & LSM_UNSAFE_SHARE) {
2097 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2098 PROCESS__SHARE, NULL);
2105 /* Check for ptracing, and update the task SID if ok.
2106 Otherwise, leave SID unchanged and kill. */
2107 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2108 rc = avc_has_perm(tsec->ptrace_sid, sid,
2109 SECCLASS_PROCESS, PROCESS__PTRACE,
2121 * called after apply_creds without the task lock held
2123 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2125 struct task_security_struct *tsec;
2126 struct rlimit *rlim, *initrlim;
2127 struct itimerval itimer;
2128 struct bprm_security_struct *bsec;
2131 tsec = current->security;
2132 bsec = bprm->security;
2135 force_sig_specific(SIGKILL, current);
2138 if (tsec->osid == tsec->sid)
2141 /* Close files for which the new task SID is not authorized. */
2142 flush_unauthorized_files(current->files);
2144 /* Check whether the new SID can inherit signal state
2145 from the old SID. If not, clear itimers to avoid
2146 subsequent signal generation and flush and unblock
2147 signals. This must occur _after_ the task SID has
2148 been updated so that any kill done after the flush
2149 will be checked against the new SID. */
2150 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2151 PROCESS__SIGINH, NULL);
2153 memset(&itimer, 0, sizeof itimer);
2154 for (i = 0; i < 3; i++)
2155 do_setitimer(i, &itimer, NULL);
2156 flush_signals(current);
2157 spin_lock_irq(¤t->sighand->siglock);
2158 flush_signal_handlers(current, 1);
2159 sigemptyset(¤t->blocked);
2160 recalc_sigpending();
2161 spin_unlock_irq(¤t->sighand->siglock);
2164 /* Always clear parent death signal on SID transitions. */
2165 current->pdeath_signal = 0;
2167 /* Check whether the new SID can inherit resource limits
2168 from the old SID. If not, reset all soft limits to
2169 the lower of the current task's hard limit and the init
2170 task's soft limit. Note that the setting of hard limits
2171 (even to lower them) can be controlled by the setrlimit
2172 check. The inclusion of the init task's soft limit into
2173 the computation is to avoid resetting soft limits higher
2174 than the default soft limit for cases where the default
2175 is lower than the hard limit, e.g. RLIMIT_CORE or
2177 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2178 PROCESS__RLIMITINH, NULL);
2180 for (i = 0; i < RLIM_NLIMITS; i++) {
2181 rlim = current->signal->rlim + i;
2182 initrlim = init_task.signal->rlim+i;
2183 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2185 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2187 * This will cause RLIMIT_CPU calculations
2190 current->it_prof_expires = jiffies_to_cputime(1);
2194 /* Wake up the parent if it is waiting so that it can
2195 recheck wait permission to the new task SID. */
2196 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
2199 /* superblock security operations */
2201 static int selinux_sb_alloc_security(struct super_block *sb)
2203 return superblock_alloc_security(sb);
2206 static void selinux_sb_free_security(struct super_block *sb)
2208 superblock_free_security(sb);
2211 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2216 return !memcmp(prefix, option, plen);
2219 static inline int selinux_option(char *option, int len)
2221 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2222 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
2223 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2224 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
2227 static inline void take_option(char **to, char *from, int *first, int len)
2234 memcpy(*to, from, len);
2238 static inline void take_selinux_option(char **to, char *from, int *first,
2241 int current_size = 0;
2250 while (current_size < len) {
2260 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
2262 int fnosec, fsec, rc = 0;
2263 char *in_save, *in_curr, *in_end;
2264 char *sec_curr, *nosec_save, *nosec;
2270 /* Binary mount data: just copy */
2271 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2272 copy_page(sec_curr, in_curr);
2276 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2284 in_save = in_end = orig;
2288 open_quote = !open_quote;
2289 if ((*in_end == ',' && open_quote == 0) ||
2291 int len = in_end - in_curr;
2293 if (selinux_option(in_curr, len))
2294 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2296 take_option(&nosec, in_curr, &fnosec, len);
2298 in_curr = in_end + 1;
2300 } while (*in_end++);
2302 strcpy(in_save, nosec_save);
2303 free_page((unsigned long)nosec_save);
2308 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2310 struct avc_audit_data ad;
2313 rc = superblock_doinit(sb, data);
2317 AVC_AUDIT_DATA_INIT(&ad,FS);
2318 ad.u.fs.dentry = sb->s_root;
2319 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2322 static int selinux_sb_statfs(struct dentry *dentry)
2324 struct avc_audit_data ad;
2326 AVC_AUDIT_DATA_INIT(&ad,FS);
2327 ad.u.fs.dentry = dentry->d_sb->s_root;
2328 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2331 static int selinux_mount(char * dev_name,
2332 struct nameidata *nd,
2334 unsigned long flags,
2339 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2343 if (flags & MS_REMOUNT)
2344 return superblock_has_perm(current, nd->mnt->mnt_sb,
2345 FILESYSTEM__REMOUNT, NULL);
2347 return dentry_has_perm(current, nd->mnt, nd->dentry,
2351 static int selinux_umount(struct vfsmount *mnt, int flags)
2355 rc = secondary_ops->sb_umount(mnt, flags);
2359 return superblock_has_perm(current,mnt->mnt_sb,
2360 FILESYSTEM__UNMOUNT,NULL);
2363 /* inode security operations */
2365 static int selinux_inode_alloc_security(struct inode *inode)
2367 return inode_alloc_security(inode);
2370 static void selinux_inode_free_security(struct inode *inode)
2372 inode_free_security(inode);
2375 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2376 char **name, void **value,
2379 struct task_security_struct *tsec;
2380 struct inode_security_struct *dsec;
2381 struct superblock_security_struct *sbsec;
2384 char *namep = NULL, *context;
2386 tsec = current->security;
2387 dsec = dir->i_security;
2388 sbsec = dir->i_sb->s_security;
2390 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2391 newsid = tsec->create_sid;
2393 rc = security_transition_sid(tsec->sid, dsec->sid,
2394 inode_mode_to_security_class(inode->i_mode),
2397 printk(KERN_WARNING "%s: "
2398 "security_transition_sid failed, rc=%d (dev=%s "
2401 -rc, inode->i_sb->s_id, inode->i_ino);
2406 /* Possibly defer initialization to selinux_complete_init. */
2407 if (sbsec->initialized) {
2408 struct inode_security_struct *isec = inode->i_security;
2409 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2411 isec->initialized = 1;
2414 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2418 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2425 rc = security_sid_to_context(newsid, &context, &clen);
2437 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2439 return may_create(dir, dentry, SECCLASS_FILE);
2442 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2446 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2449 return may_link(dir, old_dentry, MAY_LINK);
2452 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2456 rc = secondary_ops->inode_unlink(dir, dentry);
2459 return may_link(dir, dentry, MAY_UNLINK);
2462 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2464 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2467 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2469 return may_create(dir, dentry, SECCLASS_DIR);
2472 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2474 return may_link(dir, dentry, MAY_RMDIR);
2477 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2481 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2485 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2488 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2489 struct inode *new_inode, struct dentry *new_dentry)
2491 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2494 static int selinux_inode_readlink(struct dentry *dentry)
2496 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2499 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2503 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2506 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2509 static int selinux_inode_permission(struct inode *inode, int mask,
2510 struct nameidata *nd)
2514 rc = secondary_ops->inode_permission(inode, mask, nd);
2519 /* No permission to check. Existence test. */
2523 return inode_has_perm(current, inode,
2524 file_mask_to_av(inode->i_mode, mask), NULL);
2527 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2531 rc = secondary_ops->inode_setattr(dentry, iattr);
2535 if (iattr->ia_valid & ATTR_FORCE)
2538 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2539 ATTR_ATIME_SET | ATTR_MTIME_SET))
2540 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2542 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2545 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2547 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2550 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2552 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2553 sizeof XATTR_SECURITY_PREFIX - 1)) {
2554 if (!strcmp(name, XATTR_NAME_CAPS)) {
2555 if (!capable(CAP_SETFCAP))
2557 } else if (!capable(CAP_SYS_ADMIN)) {
2558 /* A different attribute in the security namespace.
2559 Restrict to administrator. */
2564 /* Not an attribute we recognize, so just check the
2565 ordinary setattr permission. */
2566 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2569 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2571 struct task_security_struct *tsec = current->security;
2572 struct inode *inode = dentry->d_inode;
2573 struct inode_security_struct *isec = inode->i_security;
2574 struct superblock_security_struct *sbsec;
2575 struct avc_audit_data ad;
2579 if (strcmp(name, XATTR_NAME_SELINUX))
2580 return selinux_inode_setotherxattr(dentry, name);
2582 sbsec = inode->i_sb->s_security;
2583 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2586 if (!is_owner_or_cap(inode))
2589 AVC_AUDIT_DATA_INIT(&ad,FS);
2590 ad.u.fs.dentry = dentry;
2592 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2593 FILE__RELABELFROM, &ad);
2597 rc = security_context_to_sid(value, size, &newsid);
2601 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2602 FILE__RELABELTO, &ad);
2606 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2611 return avc_has_perm(newsid,
2613 SECCLASS_FILESYSTEM,
2614 FILESYSTEM__ASSOCIATE,
2618 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2619 void *value, size_t size, int flags)
2621 struct inode *inode = dentry->d_inode;
2622 struct inode_security_struct *isec = inode->i_security;
2626 if (strcmp(name, XATTR_NAME_SELINUX)) {
2627 /* Not an attribute we recognize, so nothing to do. */
2631 rc = security_context_to_sid(value, size, &newsid);
2633 printk(KERN_WARNING "%s: unable to obtain SID for context "
2634 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2642 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2644 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2647 static int selinux_inode_listxattr (struct dentry *dentry)
2649 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2652 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2654 if (strcmp(name, XATTR_NAME_SELINUX))
2655 return selinux_inode_setotherxattr(dentry, name);
2657 /* No one is allowed to remove a SELinux security label.
2658 You can change the label, but all data must be labeled. */
2663 * Copy the in-core inode security context value to the user. If the
2664 * getxattr() prior to this succeeded, check to see if we need to
2665 * canonicalize the value to be finally returned to the user.
2667 * Permission check is handled by selinux_inode_getxattr hook.
2669 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2673 char *context = NULL;
2674 struct inode_security_struct *isec = inode->i_security;
2676 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2679 error = security_sid_to_context(isec->sid, &context, &size);
2692 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2693 const void *value, size_t size, int flags)
2695 struct inode_security_struct *isec = inode->i_security;
2699 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2702 if (!value || !size)
2705 rc = security_context_to_sid((void*)value, size, &newsid);
2713 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2715 const int len = sizeof(XATTR_NAME_SELINUX);
2716 if (buffer && len <= buffer_size)
2717 memcpy(buffer, XATTR_NAME_SELINUX, len);
2721 static int selinux_inode_need_killpriv(struct dentry *dentry)
2723 return secondary_ops->inode_need_killpriv(dentry);
2726 static int selinux_inode_killpriv(struct dentry *dentry)
2728 return secondary_ops->inode_killpriv(dentry);
2731 /* file security operations */
2733 static int selinux_revalidate_file_permission(struct file *file, int mask)
2736 struct inode *inode = file->f_path.dentry->d_inode;
2739 /* No permission to check. Existence test. */
2743 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2744 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2747 rc = file_has_perm(current, file,
2748 file_mask_to_av(inode->i_mode, mask));
2752 return selinux_netlbl_inode_permission(inode, mask);
2755 static int selinux_file_permission(struct file *file, int mask)
2757 struct inode *inode = file->f_path.dentry->d_inode;
2758 struct task_security_struct *tsec = current->security;
2759 struct file_security_struct *fsec = file->f_security;
2760 struct inode_security_struct *isec = inode->i_security;
2763 /* No permission to check. Existence test. */
2767 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2768 && fsec->pseqno == avc_policy_seqno())
2769 return selinux_netlbl_inode_permission(inode, mask);
2771 return selinux_revalidate_file_permission(file, mask);
2774 static int selinux_file_alloc_security(struct file *file)
2776 return file_alloc_security(file);
2779 static void selinux_file_free_security(struct file *file)
2781 file_free_security(file);
2784 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2796 case EXT2_IOC_GETFLAGS:
2798 case EXT2_IOC_GETVERSION:
2799 error = file_has_perm(current, file, FILE__GETATTR);
2802 case EXT2_IOC_SETFLAGS:
2804 case EXT2_IOC_SETVERSION:
2805 error = file_has_perm(current, file, FILE__SETATTR);
2808 /* sys_ioctl() checks */
2812 error = file_has_perm(current, file, 0);
2817 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2820 /* default case assumes that the command will go
2821 * to the file's ioctl() function.
2824 error = file_has_perm(current, file, FILE__IOCTL);
2830 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2832 #ifndef CONFIG_PPC32
2833 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2835 * We are making executable an anonymous mapping or a
2836 * private file mapping that will also be writable.
2837 * This has an additional check.
2839 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2846 /* read access is always possible with a mapping */
2847 u32 av = FILE__READ;
2849 /* write access only matters if the mapping is shared */
2850 if (shared && (prot & PROT_WRITE))
2853 if (prot & PROT_EXEC)
2854 av |= FILE__EXECUTE;
2856 return file_has_perm(current, file, av);
2861 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2862 unsigned long prot, unsigned long flags,
2863 unsigned long addr, unsigned long addr_only)
2866 u32 sid = ((struct task_security_struct*)(current->security))->sid;
2868 if (addr < mmap_min_addr)
2869 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2870 MEMPROTECT__MMAP_ZERO, NULL);
2871 if (rc || addr_only)
2874 if (selinux_checkreqprot)
2877 return file_map_prot_check(file, prot,
2878 (flags & MAP_TYPE) == MAP_SHARED);
2881 static int selinux_file_mprotect(struct vm_area_struct *vma,
2882 unsigned long reqprot,
2887 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2891 if (selinux_checkreqprot)
2894 #ifndef CONFIG_PPC32
2895 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2897 if (vma->vm_start >= vma->vm_mm->start_brk &&
2898 vma->vm_end <= vma->vm_mm->brk) {
2899 rc = task_has_perm(current, current,
2901 } else if (!vma->vm_file &&
2902 vma->vm_start <= vma->vm_mm->start_stack &&
2903 vma->vm_end >= vma->vm_mm->start_stack) {
2904 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2905 } else if (vma->vm_file && vma->anon_vma) {
2907 * We are making executable a file mapping that has
2908 * had some COW done. Since pages might have been
2909 * written, check ability to execute the possibly
2910 * modified content. This typically should only
2911 * occur for text relocations.
2913 rc = file_has_perm(current, vma->vm_file,
2921 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2924 static int selinux_file_lock(struct file *file, unsigned int cmd)
2926 return file_has_perm(current, file, FILE__LOCK);
2929 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2936 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2941 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2942 err = file_has_perm(current, file,FILE__WRITE);
2951 /* Just check FD__USE permission */
2952 err = file_has_perm(current, file, 0);
2957 #if BITS_PER_LONG == 32
2962 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2966 err = file_has_perm(current, file, FILE__LOCK);
2973 static int selinux_file_set_fowner(struct file *file)
2975 struct task_security_struct *tsec;
2976 struct file_security_struct *fsec;
2978 tsec = current->security;
2979 fsec = file->f_security;
2980 fsec->fown_sid = tsec->sid;
2985 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2986 struct fown_struct *fown, int signum)
2990 struct task_security_struct *tsec;
2991 struct file_security_struct *fsec;
2993 /* struct fown_struct is never outside the context of a struct file */
2994 file = container_of(fown, struct file, f_owner);
2996 tsec = tsk->security;
2997 fsec = file->f_security;
3000 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3002 perm = signal_to_av(signum);
3004 return avc_has_perm(fsec->fown_sid, tsec->sid,
3005 SECCLASS_PROCESS, perm, NULL);
3008 static int selinux_file_receive(struct file *file)
3010 return file_has_perm(current, file, file_to_av(file));
3013 static int selinux_dentry_open(struct file *file)
3015 struct file_security_struct *fsec;
3016 struct inode *inode;
3017 struct inode_security_struct *isec;
3018 inode = file->f_path.dentry->d_inode;
3019 fsec = file->f_security;
3020 isec = inode->i_security;
3022 * Save inode label and policy sequence number
3023 * at open-time so that selinux_file_permission
3024 * can determine whether revalidation is necessary.
3025 * Task label is already saved in the file security
3026 * struct as its SID.
3028 fsec->isid = isec->sid;
3029 fsec->pseqno = avc_policy_seqno();
3031 * Since the inode label or policy seqno may have changed
3032 * between the selinux_inode_permission check and the saving
3033 * of state above, recheck that access is still permitted.
3034 * Otherwise, access might never be revalidated against the
3035 * new inode label or new policy.
3036 * This check is not redundant - do not remove.
3038 return inode_has_perm(current, inode, file_to_av(file), NULL);
3041 /* task security operations */
3043 static int selinux_task_create(unsigned long clone_flags)
3047 rc = secondary_ops->task_create(clone_flags);
3051 return task_has_perm(current, current, PROCESS__FORK);
3054 static int selinux_task_alloc_security(struct task_struct *tsk)
3056 struct task_security_struct *tsec1, *tsec2;
3059 tsec1 = current->security;
3061 rc = task_alloc_security(tsk);
3064 tsec2 = tsk->security;
3066 tsec2->osid = tsec1->osid;
3067 tsec2->sid = tsec1->sid;
3069 /* Retain the exec, fs, key, and sock SIDs across fork */
3070 tsec2->exec_sid = tsec1->exec_sid;
3071 tsec2->create_sid = tsec1->create_sid;
3072 tsec2->keycreate_sid = tsec1->keycreate_sid;
3073 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3075 /* Retain ptracer SID across fork, if any.
3076 This will be reset by the ptrace hook upon any
3077 subsequent ptrace_attach operations. */
3078 tsec2->ptrace_sid = tsec1->ptrace_sid;
3083 static void selinux_task_free_security(struct task_struct *tsk)
3085 task_free_security(tsk);
3088 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3090 /* Since setuid only affects the current process, and
3091 since the SELinux controls are not based on the Linux
3092 identity attributes, SELinux does not need to control
3093 this operation. However, SELinux does control the use
3094 of the CAP_SETUID and CAP_SETGID capabilities using the
3099 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3101 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3104 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3106 /* See the comment for setuid above. */
3110 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3112 return task_has_perm(current, p, PROCESS__SETPGID);
3115 static int selinux_task_getpgid(struct task_struct *p)
3117 return task_has_perm(current, p, PROCESS__GETPGID);
3120 static int selinux_task_getsid(struct task_struct *p)
3122 return task_has_perm(current, p, PROCESS__GETSESSION);
3125 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3127 selinux_get_task_sid(p, secid);
3130 static int selinux_task_setgroups(struct group_info *group_info)
3132 /* See the comment for setuid above. */
3136 static int selinux_task_setnice(struct task_struct *p, int nice)
3140 rc = secondary_ops->task_setnice(p, nice);
3144 return task_has_perm(current,p, PROCESS__SETSCHED);
3147 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3151 rc = secondary_ops->task_setioprio(p, ioprio);
3155 return task_has_perm(current, p, PROCESS__SETSCHED);
3158 static int selinux_task_getioprio(struct task_struct *p)
3160 return task_has_perm(current, p, PROCESS__GETSCHED);
3163 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3165 struct rlimit *old_rlim = current->signal->rlim + resource;
3168 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3172 /* Control the ability to change the hard limit (whether
3173 lowering or raising it), so that the hard limit can
3174 later be used as a safe reset point for the soft limit
3175 upon context transitions. See selinux_bprm_apply_creds. */
3176 if (old_rlim->rlim_max != new_rlim->rlim_max)
3177 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3182 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3186 rc = secondary_ops->task_setscheduler(p, policy, lp);
3190 return task_has_perm(current, p, PROCESS__SETSCHED);
3193 static int selinux_task_getscheduler(struct task_struct *p)
3195 return task_has_perm(current, p, PROCESS__GETSCHED);
3198 static int selinux_task_movememory(struct task_struct *p)
3200 return task_has_perm(current, p, PROCESS__SETSCHED);
3203 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3208 struct task_security_struct *tsec;
3210 rc = secondary_ops->task_kill(p, info, sig, secid);
3214 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3218 perm = PROCESS__SIGNULL; /* null signal; existence test */
3220 perm = signal_to_av(sig);
3223 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3225 rc = task_has_perm(current, p, perm);
3229 static int selinux_task_prctl(int option,
3235 /* The current prctl operations do not appear to require
3236 any SELinux controls since they merely observe or modify
3237 the state of the current process. */
3241 static int selinux_task_wait(struct task_struct *p)
3243 return task_has_perm(p, current, PROCESS__SIGCHLD);
3246 static void selinux_task_reparent_to_init(struct task_struct *p)
3248 struct task_security_struct *tsec;
3250 secondary_ops->task_reparent_to_init(p);
3253 tsec->osid = tsec->sid;
3254 tsec->sid = SECINITSID_KERNEL;
3258 static void selinux_task_to_inode(struct task_struct *p,
3259 struct inode *inode)
3261 struct task_security_struct *tsec = p->security;
3262 struct inode_security_struct *isec = inode->i_security;
3264 isec->sid = tsec->sid;
3265 isec->initialized = 1;
3269 /* Returns error only if unable to parse addresses */
3270 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3271 struct avc_audit_data *ad, u8 *proto)
3273 int offset, ihlen, ret = -EINVAL;
3274 struct iphdr _iph, *ih;
3276 offset = skb_network_offset(skb);
3277 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3281 ihlen = ih->ihl * 4;
3282 if (ihlen < sizeof(_iph))
3285 ad->u.net.v4info.saddr = ih->saddr;
3286 ad->u.net.v4info.daddr = ih->daddr;
3290 *proto = ih->protocol;
3292 switch (ih->protocol) {
3294 struct tcphdr _tcph, *th;
3296 if (ntohs(ih->frag_off) & IP_OFFSET)
3300 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3304 ad->u.net.sport = th->source;
3305 ad->u.net.dport = th->dest;
3310 struct udphdr _udph, *uh;
3312 if (ntohs(ih->frag_off) & IP_OFFSET)
3316 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3320 ad->u.net.sport = uh->source;
3321 ad->u.net.dport = uh->dest;
3325 case IPPROTO_DCCP: {
3326 struct dccp_hdr _dccph, *dh;
3328 if (ntohs(ih->frag_off) & IP_OFFSET)
3332 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3336 ad->u.net.sport = dh->dccph_sport;
3337 ad->u.net.dport = dh->dccph_dport;
3348 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3350 /* Returns error only if unable to parse addresses */
3351 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3352 struct avc_audit_data *ad, u8 *proto)
3355 int ret = -EINVAL, offset;
3356 struct ipv6hdr _ipv6h, *ip6;
3358 offset = skb_network_offset(skb);
3359 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3363 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3364 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3367 nexthdr = ip6->nexthdr;
3368 offset += sizeof(_ipv6h);
3369 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3378 struct tcphdr _tcph, *th;
3380 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3384 ad->u.net.sport = th->source;
3385 ad->u.net.dport = th->dest;
3390 struct udphdr _udph, *uh;
3392 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3396 ad->u.net.sport = uh->source;
3397 ad->u.net.dport = uh->dest;
3401 case IPPROTO_DCCP: {
3402 struct dccp_hdr _dccph, *dh;
3404 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3408 ad->u.net.sport = dh->dccph_sport;
3409 ad->u.net.dport = dh->dccph_dport;
3413 /* includes fragments */
3423 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3424 char **addrp, int src, u8 *proto)
3428 switch (ad->u.net.family) {
3430 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3433 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3434 &ad->u.net.v4info.daddr);
3437 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3439 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3442 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3443 &ad->u.net.v6info.daddr);
3452 "SELinux: failure in selinux_parse_skb(),"
3453 " unable to parse packet\n");
3459 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3461 * @family: protocol family
3462 * @sid: the packet's peer label SID
3465 * Check the various different forms of network peer labeling and determine
3466 * the peer label/SID for the packet; most of the magic actually occurs in
3467 * the security server function security_net_peersid_cmp(). The function
3468 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3469 * or -EACCES if @sid is invalid due to inconsistencies with the different
3473 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3480 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3481 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3483 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3484 if (unlikely(err)) {
3486 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3487 " unable to determine packet's peer label\n");
3494 /* socket security operations */
3495 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3498 struct inode_security_struct *isec;
3499 struct task_security_struct *tsec;
3500 struct avc_audit_data ad;
3503 tsec = task->security;
3504 isec = SOCK_INODE(sock)->i_security;
3506 if (isec->sid == SECINITSID_KERNEL)
3509 AVC_AUDIT_DATA_INIT(&ad,NET);
3510 ad.u.net.sk = sock->sk;
3511 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3517 static int selinux_socket_create(int family, int type,
3518 int protocol, int kern)
3521 struct task_security_struct *tsec;
3527 tsec = current->security;
3528 newsid = tsec->sockcreate_sid ? : tsec->sid;
3529 err = avc_has_perm(tsec->sid, newsid,
3530 socket_type_to_security_class(family, type,
3531 protocol), SOCKET__CREATE, NULL);
3537 static int selinux_socket_post_create(struct socket *sock, int family,
3538 int type, int protocol, int kern)
3541 struct inode_security_struct *isec;
3542 struct task_security_struct *tsec;
3543 struct sk_security_struct *sksec;
3546 isec = SOCK_INODE(sock)->i_security;
3548 tsec = current->security;
3549 newsid = tsec->sockcreate_sid ? : tsec->sid;
3550 isec->sclass = socket_type_to_security_class(family, type, protocol);
3551 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3552 isec->initialized = 1;
3555 sksec = sock->sk->sk_security;
3556 sksec->sid = isec->sid;
3557 sksec->sclass = isec->sclass;
3558 err = selinux_netlbl_socket_post_create(sock);
3564 /* Range of port numbers used to automatically bind.
3565 Need to determine whether we should perform a name_bind
3566 permission check between the socket and the port number. */
3568 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3573 err = socket_has_perm(current, sock, SOCKET__BIND);
3578 * If PF_INET or PF_INET6, check name_bind permission for the port.
3579 * Multiple address binding for SCTP is not supported yet: we just
3580 * check the first address now.
3582 family = sock->sk->sk_family;
3583 if (family == PF_INET || family == PF_INET6) {
3585 struct inode_security_struct *isec;
3586 struct task_security_struct *tsec;
3587 struct avc_audit_data ad;
3588 struct sockaddr_in *addr4 = NULL;
3589 struct sockaddr_in6 *addr6 = NULL;
3590 unsigned short snum;
3591 struct sock *sk = sock->sk;
3592 u32 sid, node_perm, addrlen;
3594 tsec = current->security;
3595 isec = SOCK_INODE(sock)->i_security;
3597 if (family == PF_INET) {
3598 addr4 = (struct sockaddr_in *)address;
3599 snum = ntohs(addr4->sin_port);
3600 addrlen = sizeof(addr4->sin_addr.s_addr);
3601 addrp = (char *)&addr4->sin_addr.s_addr;
3603 addr6 = (struct sockaddr_in6 *)address;
3604 snum = ntohs(addr6->sin6_port);
3605 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3606 addrp = (char *)&addr6->sin6_addr.s6_addr;
3612 inet_get_local_port_range(&low, &high);
3614 if (snum < max(PROT_SOCK, low) || snum > high) {
3615 err = security_port_sid(sk->sk_family,
3617 sk->sk_protocol, snum,
3621 AVC_AUDIT_DATA_INIT(&ad,NET);
3622 ad.u.net.sport = htons(snum);
3623 ad.u.net.family = family;
3624 err = avc_has_perm(isec->sid, sid,
3626 SOCKET__NAME_BIND, &ad);
3632 switch(isec->sclass) {
3633 case SECCLASS_TCP_SOCKET:
3634 node_perm = TCP_SOCKET__NODE_BIND;
3637 case SECCLASS_UDP_SOCKET:
3638 node_perm = UDP_SOCKET__NODE_BIND;
3641 case SECCLASS_DCCP_SOCKET:
3642 node_perm = DCCP_SOCKET__NODE_BIND;
3646 node_perm = RAWIP_SOCKET__NODE_BIND;
3650 err = sel_netnode_sid(addrp, family, &sid);
3654 AVC_AUDIT_DATA_INIT(&ad,NET);
3655 ad.u.net.sport = htons(snum);
3656 ad.u.net.family = family;
3658 if (family == PF_INET)
3659 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3661 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3663 err = avc_has_perm(isec->sid, sid,
3664 isec->sclass, node_perm, &ad);
3672 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3674 struct inode_security_struct *isec;
3677 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3682 * If a TCP or DCCP socket, check name_connect permission for the port.
3684 isec = SOCK_INODE(sock)->i_security;
3685 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3686 isec->sclass == SECCLASS_DCCP_SOCKET) {
3687 struct sock *sk = sock->sk;
3688 struct avc_audit_data ad;
3689 struct sockaddr_in *addr4 = NULL;
3690 struct sockaddr_in6 *addr6 = NULL;
3691 unsigned short snum;
3694 if (sk->sk_family == PF_INET) {
3695 addr4 = (struct sockaddr_in *)address;
3696 if (addrlen < sizeof(struct sockaddr_in))
3698 snum = ntohs(addr4->sin_port);
3700 addr6 = (struct sockaddr_in6 *)address;
3701 if (addrlen < SIN6_LEN_RFC2133)
3703 snum = ntohs(addr6->sin6_port);
3706 err = security_port_sid(sk->sk_family, sk->sk_type,
3707 sk->sk_protocol, snum, &sid);
3711 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3712 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3714 AVC_AUDIT_DATA_INIT(&ad,NET);
3715 ad.u.net.dport = htons(snum);
3716 ad.u.net.family = sk->sk_family;
3717 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3726 static int selinux_socket_listen(struct socket *sock, int backlog)
3728 return socket_has_perm(current, sock, SOCKET__LISTEN);
3731 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3734 struct inode_security_struct *isec;
3735 struct inode_security_struct *newisec;
3737 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3741 newisec = SOCK_INODE(newsock)->i_security;
3743 isec = SOCK_INODE(sock)->i_security;
3744 newisec->sclass = isec->sclass;
3745 newisec->sid = isec->sid;
3746 newisec->initialized = 1;
3751 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3756 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3760 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3763 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3764 int size, int flags)
3766 return socket_has_perm(current, sock, SOCKET__READ);
3769 static int selinux_socket_getsockname(struct socket *sock)
3771 return socket_has_perm(current, sock, SOCKET__GETATTR);
3774 static int selinux_socket_getpeername(struct socket *sock)
3776 return socket_has_perm(current, sock, SOCKET__GETATTR);
3779 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3783 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3787 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3790 static int selinux_socket_getsockopt(struct socket *sock, int level,
3793 return socket_has_perm(current, sock, SOCKET__GETOPT);
3796 static int selinux_socket_shutdown(struct socket *sock, int how)
3798 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3801 static int selinux_socket_unix_stream_connect(struct socket *sock,
3802 struct socket *other,
3805 struct sk_security_struct *ssec;
3806 struct inode_security_struct *isec;
3807 struct inode_security_struct *other_isec;
3808 struct avc_audit_data ad;
3811 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3815 isec = SOCK_INODE(sock)->i_security;
3816 other_isec = SOCK_INODE(other)->i_security;
3818 AVC_AUDIT_DATA_INIT(&ad,NET);
3819 ad.u.net.sk = other->sk;
3821 err = avc_has_perm(isec->sid, other_isec->sid,
3823 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3827 /* connecting socket */
3828 ssec = sock->sk->sk_security;
3829 ssec->peer_sid = other_isec->sid;
3831 /* server child socket */
3832 ssec = newsk->sk_security;
3833 ssec->peer_sid = isec->sid;
3834 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3839 static int selinux_socket_unix_may_send(struct socket *sock,
3840 struct socket *other)
3842 struct inode_security_struct *isec;
3843 struct inode_security_struct *other_isec;
3844 struct avc_audit_data ad;
3847 isec = SOCK_INODE(sock)->i_security;
3848 other_isec = SOCK_INODE(other)->i_security;
3850 AVC_AUDIT_DATA_INIT(&ad,NET);
3851 ad.u.net.sk = other->sk;
3853 err = avc_has_perm(isec->sid, other_isec->sid,
3854 isec->sclass, SOCKET__SENDTO, &ad);
3861 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3863 struct avc_audit_data *ad)
3869 err = sel_netif_sid(ifindex, &if_sid);
3872 err = avc_has_perm(peer_sid, if_sid,
3873 SECCLASS_NETIF, NETIF__INGRESS, ad);
3877 err = sel_netnode_sid(addrp, family, &node_sid);
3880 return avc_has_perm(peer_sid, node_sid,
3881 SECCLASS_NODE, NODE__RECVFROM, ad);
3884 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3885 struct sk_buff *skb,
3886 struct avc_audit_data *ad,
3891 struct sk_security_struct *sksec = sk->sk_security;
3893 u32 netif_perm, node_perm, recv_perm;
3894 u32 port_sid, node_sid, if_sid, sk_sid;
3896 sk_sid = sksec->sid;
3897 sk_class = sksec->sclass;
3900 case SECCLASS_UDP_SOCKET:
3901 netif_perm = NETIF__UDP_RECV;
3902 node_perm = NODE__UDP_RECV;
3903 recv_perm = UDP_SOCKET__RECV_MSG;
3905 case SECCLASS_TCP_SOCKET:
3906 netif_perm = NETIF__TCP_RECV;
3907 node_perm = NODE__TCP_RECV;
3908 recv_perm = TCP_SOCKET__RECV_MSG;
3910 case SECCLASS_DCCP_SOCKET:
3911 netif_perm = NETIF__DCCP_RECV;
3912 node_perm = NODE__DCCP_RECV;
3913 recv_perm = DCCP_SOCKET__RECV_MSG;
3916 netif_perm = NETIF__RAWIP_RECV;
3917 node_perm = NODE__RAWIP_RECV;
3922 err = sel_netif_sid(skb->iif, &if_sid);
3925 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3929 err = sel_netnode_sid(addrp, family, &node_sid);
3932 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3938 err = security_port_sid(sk->sk_family, sk->sk_type,
3939 sk->sk_protocol, ntohs(ad->u.net.sport),
3941 if (unlikely(err)) {
3943 "SELinux: failure in"
3944 " selinux_sock_rcv_skb_iptables_compat(),"
3945 " network port label not found\n");
3948 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
3951 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3952 struct avc_audit_data *ad,
3953 u16 family, char *addrp)
3956 struct sk_security_struct *sksec = sk->sk_security;
3958 u32 sk_sid = sksec->sid;
3960 if (selinux_compat_net)
3961 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
3964 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
3969 if (selinux_policycap_netpeer) {
3970 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
3973 err = avc_has_perm(sk_sid, peer_sid,
3974 SECCLASS_PEER, PEER__RECV, ad);
3976 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
3979 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
3985 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3988 struct sk_security_struct *sksec = sk->sk_security;
3989 u16 family = sk->sk_family;
3990 u32 sk_sid = sksec->sid;
3991 struct avc_audit_data ad;
3994 if (family != PF_INET && family != PF_INET6)
3997 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3998 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4001 AVC_AUDIT_DATA_INIT(&ad, NET);
4002 ad.u.net.netif = skb->iif;
4003 ad.u.net.family = family;
4004 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4008 /* If any sort of compatibility mode is enabled then handoff processing
4009 * to the selinux_sock_rcv_skb_compat() function to deal with the
4010 * special handling. We do this in an attempt to keep this function
4011 * as fast and as clean as possible. */
4012 if (selinux_compat_net || !selinux_policycap_netpeer)
4013 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4016 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4019 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4022 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4026 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4030 if (selinux_secmark_enabled()) {
4031 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4040 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4041 int __user *optlen, unsigned len)
4046 struct sk_security_struct *ssec;
4047 struct inode_security_struct *isec;
4048 u32 peer_sid = SECSID_NULL;
4050 isec = SOCK_INODE(sock)->i_security;
4052 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4053 isec->sclass == SECCLASS_TCP_SOCKET) {
4054 ssec = sock->sk->sk_security;
4055 peer_sid = ssec->peer_sid;
4057 if (peer_sid == SECSID_NULL) {
4062 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4067 if (scontext_len > len) {
4072 if (copy_to_user(optval, scontext, scontext_len))
4076 if (put_user(scontext_len, optlen))
4084 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4086 u32 peer_secid = SECSID_NULL;
4090 family = sock->sk->sk_family;
4091 else if (skb && skb->sk)
4092 family = skb->sk->sk_family;
4096 if (sock && family == PF_UNIX)
4097 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4099 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4102 *secid = peer_secid;
4103 if (peer_secid == SECSID_NULL)
4108 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4110 return sk_alloc_security(sk, family, priority);
4113 static void selinux_sk_free_security(struct sock *sk)
4115 sk_free_security(sk);
4118 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4120 struct sk_security_struct *ssec = sk->sk_security;
4121 struct sk_security_struct *newssec = newsk->sk_security;
4123 newssec->sid = ssec->sid;
4124 newssec->peer_sid = ssec->peer_sid;
4125 newssec->sclass = ssec->sclass;
4127 selinux_netlbl_sk_security_clone(ssec, newssec);
4130 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4133 *secid = SECINITSID_ANY_SOCKET;
4135 struct sk_security_struct *sksec = sk->sk_security;
4137 *secid = sksec->sid;
4141 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4143 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4144 struct sk_security_struct *sksec = sk->sk_security;
4146 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4147 sk->sk_family == PF_UNIX)
4148 isec->sid = sksec->sid;
4149 sksec->sclass = isec->sclass;
4151 selinux_netlbl_sock_graft(sk, parent);
4154 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4155 struct request_sock *req)
4157 struct sk_security_struct *sksec = sk->sk_security;
4162 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4165 if (peersid == SECSID_NULL) {
4166 req->secid = sksec->sid;
4167 req->peer_secid = SECSID_NULL;
4171 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4175 req->secid = newsid;
4176 req->peer_secid = peersid;
4180 static void selinux_inet_csk_clone(struct sock *newsk,
4181 const struct request_sock *req)
4183 struct sk_security_struct *newsksec = newsk->sk_security;
4185 newsksec->sid = req->secid;
4186 newsksec->peer_sid = req->peer_secid;
4187 /* NOTE: Ideally, we should also get the isec->sid for the
4188 new socket in sync, but we don't have the isec available yet.
4189 So we will wait until sock_graft to do it, by which
4190 time it will have been created and available. */
4192 /* We don't need to take any sort of lock here as we are the only
4193 * thread with access to newsksec */
4194 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4197 static void selinux_inet_conn_established(struct sock *sk,
4198 struct sk_buff *skb)
4200 struct sk_security_struct *sksec = sk->sk_security;
4202 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4205 static void selinux_req_classify_flow(const struct request_sock *req,
4208 fl->secid = req->secid;
4211 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4215 struct nlmsghdr *nlh;
4216 struct socket *sock = sk->sk_socket;
4217 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4219 if (skb->len < NLMSG_SPACE(0)) {
4223 nlh = nlmsg_hdr(skb);
4225 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4227 if (err == -EINVAL) {
4228 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4229 "SELinux: unrecognized netlink message"
4230 " type=%hu for sclass=%hu\n",
4231 nlh->nlmsg_type, isec->sclass);
4232 if (!selinux_enforcing)
4242 err = socket_has_perm(current, sock, perm);
4247 #ifdef CONFIG_NETFILTER
4249 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4254 struct avc_audit_data ad;
4258 if (!selinux_policycap_netpeer)
4261 secmark_active = selinux_secmark_enabled();
4262 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4263 if (!secmark_active && !peerlbl_active)
4266 AVC_AUDIT_DATA_INIT(&ad, NET);
4267 ad.u.net.netif = ifindex;
4268 ad.u.net.family = family;
4269 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4272 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4276 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4277 peer_sid, &ad) != 0)
4281 if (avc_has_perm(peer_sid, skb->secmark,
4282 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4288 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4289 struct sk_buff *skb,
4290 const struct net_device *in,
4291 const struct net_device *out,
4292 int (*okfn)(struct sk_buff *))
4294 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4297 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4298 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4299 struct sk_buff *skb,
4300 const struct net_device *in,
4301 const struct net_device *out,
4302 int (*okfn)(struct sk_buff *))
4304 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4308 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4310 struct avc_audit_data *ad,
4311 u16 family, char *addrp)
4314 struct sk_security_struct *sksec = sk->sk_security;
4316 u32 netif_perm, node_perm, send_perm;
4317 u32 port_sid, node_sid, if_sid, sk_sid;
4319 sk_sid = sksec->sid;
4320 sk_class = sksec->sclass;
4323 case SECCLASS_UDP_SOCKET:
4324 netif_perm = NETIF__UDP_SEND;
4325 node_perm = NODE__UDP_SEND;
4326 send_perm = UDP_SOCKET__SEND_MSG;
4328 case SECCLASS_TCP_SOCKET:
4329 netif_perm = NETIF__TCP_SEND;
4330 node_perm = NODE__TCP_SEND;
4331 send_perm = TCP_SOCKET__SEND_MSG;
4333 case SECCLASS_DCCP_SOCKET:
4334 netif_perm = NETIF__DCCP_SEND;
4335 node_perm = NODE__DCCP_SEND;
4336 send_perm = DCCP_SOCKET__SEND_MSG;
4339 netif_perm = NETIF__RAWIP_SEND;
4340 node_perm = NODE__RAWIP_SEND;
4345 err = sel_netif_sid(ifindex, &if_sid);
4348 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4351 err = sel_netnode_sid(addrp, family, &node_sid);
4354 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4361 err = security_port_sid(sk->sk_family, sk->sk_type,
4362 sk->sk_protocol, ntohs(ad->u.net.dport),
4364 if (unlikely(err)) {
4366 "SELinux: failure in"
4367 " selinux_ip_postroute_iptables_compat(),"
4368 " network port label not found\n");
4371 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4374 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4376 struct avc_audit_data *ad,
4381 struct sock *sk = skb->sk;
4382 struct sk_security_struct *sksec;
4386 sksec = sk->sk_security;
4388 if (selinux_compat_net) {
4389 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4393 if (avc_has_perm(sksec->sid, skb->secmark,
4394 SECCLASS_PACKET, PACKET__SEND, ad))
4398 if (selinux_policycap_netpeer)
4399 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4405 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4411 struct avc_audit_data ad;
4417 AVC_AUDIT_DATA_INIT(&ad, NET);
4418 ad.u.net.netif = ifindex;
4419 ad.u.net.family = family;
4420 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4423 /* If any sort of compatibility mode is enabled then handoff processing
4424 * to the selinux_ip_postroute_compat() function to deal with the
4425 * special handling. We do this in an attempt to keep this function
4426 * as fast and as clean as possible. */
4427 if (selinux_compat_net || !selinux_policycap_netpeer)
4428 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4429 family, addrp, proto);
4431 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4432 * packet transformation so allow the packet to pass without any checks
4433 * since we'll have another chance to perform access control checks
4434 * when the packet is on it's final way out.
4435 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4436 * is NULL, in this case go ahead and apply access control. */
4437 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4440 secmark_active = selinux_secmark_enabled();
4441 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4442 if (!secmark_active && !peerlbl_active)
4445 /* if the packet is locally generated (skb->sk != NULL) then use the
4446 * socket's label as the peer label, otherwise the packet is being
4447 * forwarded through this system and we need to fetch the peer label
4448 * directly from the packet */
4451 struct sk_security_struct *sksec = sk->sk_security;
4452 peer_sid = sksec->sid;
4453 secmark_perm = PACKET__SEND;
4455 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4457 secmark_perm = PACKET__FORWARD_OUT;
4461 if (avc_has_perm(peer_sid, skb->secmark,
4462 SECCLASS_PACKET, secmark_perm, &ad))
4465 if (peerlbl_active) {
4469 if (sel_netif_sid(ifindex, &if_sid))
4471 if (avc_has_perm(peer_sid, if_sid,
4472 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4475 if (sel_netnode_sid(addrp, family, &node_sid))
4477 if (avc_has_perm(peer_sid, node_sid,
4478 SECCLASS_NODE, NODE__SENDTO, &ad))
4485 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4486 struct sk_buff *skb,
4487 const struct net_device *in,
4488 const struct net_device *out,
4489 int (*okfn)(struct sk_buff *))
4491 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4494 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4495 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4496 struct sk_buff *skb,
4497 const struct net_device *in,
4498 const struct net_device *out,
4499 int (*okfn)(struct sk_buff *))
4501 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4505 #endif /* CONFIG_NETFILTER */
4507 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4511 err = secondary_ops->netlink_send(sk, skb);
4515 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4516 err = selinux_nlmsg_perm(sk, skb);
4521 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4524 struct avc_audit_data ad;
4526 err = secondary_ops->netlink_recv(skb, capability);
4530 AVC_AUDIT_DATA_INIT(&ad, CAP);
4531 ad.u.cap = capability;
4533 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4534 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4537 static int ipc_alloc_security(struct task_struct *task,
4538 struct kern_ipc_perm *perm,
4541 struct task_security_struct *tsec = task->security;
4542 struct ipc_security_struct *isec;
4544 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4548 isec->sclass = sclass;
4549 isec->ipc_perm = perm;
4550 isec->sid = tsec->sid;
4551 perm->security = isec;
4556 static void ipc_free_security(struct kern_ipc_perm *perm)
4558 struct ipc_security_struct *isec = perm->security;
4559 perm->security = NULL;
4563 static int msg_msg_alloc_security(struct msg_msg *msg)
4565 struct msg_security_struct *msec;
4567 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4572 msec->sid = SECINITSID_UNLABELED;
4573 msg->security = msec;
4578 static void msg_msg_free_security(struct msg_msg *msg)
4580 struct msg_security_struct *msec = msg->security;
4582 msg->security = NULL;
4586 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4589 struct task_security_struct *tsec;
4590 struct ipc_security_struct *isec;
4591 struct avc_audit_data ad;
4593 tsec = current->security;
4594 isec = ipc_perms->security;
4596 AVC_AUDIT_DATA_INIT(&ad, IPC);
4597 ad.u.ipc_id = ipc_perms->key;
4599 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4602 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4604 return msg_msg_alloc_security(msg);
4607 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4609 msg_msg_free_security(msg);
4612 /* message queue security operations */
4613 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4615 struct task_security_struct *tsec;
4616 struct ipc_security_struct *isec;
4617 struct avc_audit_data ad;
4620 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4624 tsec = current->security;
4625 isec = msq->q_perm.security;
4627 AVC_AUDIT_DATA_INIT(&ad, IPC);
4628 ad.u.ipc_id = msq->q_perm.key;
4630 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4633 ipc_free_security(&msq->q_perm);
4639 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4641 ipc_free_security(&msq->q_perm);
4644 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4646 struct task_security_struct *tsec;
4647 struct ipc_security_struct *isec;
4648 struct avc_audit_data ad;
4650 tsec = current->security;
4651 isec = msq->q_perm.security;
4653 AVC_AUDIT_DATA_INIT(&ad, IPC);
4654 ad.u.ipc_id = msq->q_perm.key;
4656 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4657 MSGQ__ASSOCIATE, &ad);
4660 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4668 /* No specific object, just general system-wide information. */
4669 return task_has_system(current, SYSTEM__IPC_INFO);
4672 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4675 perms = MSGQ__SETATTR;
4678 perms = MSGQ__DESTROY;
4684 err = ipc_has_perm(&msq->q_perm, perms);
4688 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4690 struct task_security_struct *tsec;
4691 struct ipc_security_struct *isec;
4692 struct msg_security_struct *msec;
4693 struct avc_audit_data ad;
4696 tsec = current->security;
4697 isec = msq->q_perm.security;
4698 msec = msg->security;
4701 * First time through, need to assign label to the message
4703 if (msec->sid == SECINITSID_UNLABELED) {
4705 * Compute new sid based on current process and
4706 * message queue this message will be stored in
4708 rc = security_transition_sid(tsec->sid,
4716 AVC_AUDIT_DATA_INIT(&ad, IPC);
4717 ad.u.ipc_id = msq->q_perm.key;
4719 /* Can this process write to the queue? */
4720 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4723 /* Can this process send the message */
4724 rc = avc_has_perm(tsec->sid, msec->sid,
4725 SECCLASS_MSG, MSG__SEND, &ad);
4727 /* Can the message be put in the queue? */
4728 rc = avc_has_perm(msec->sid, isec->sid,
4729 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4734 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4735 struct task_struct *target,
4736 long type, int mode)
4738 struct task_security_struct *tsec;
4739 struct ipc_security_struct *isec;
4740 struct msg_security_struct *msec;
4741 struct avc_audit_data ad;
4744 tsec = target->security;
4745 isec = msq->q_perm.security;
4746 msec = msg->security;
4748 AVC_AUDIT_DATA_INIT(&ad, IPC);
4749 ad.u.ipc_id = msq->q_perm.key;
4751 rc = avc_has_perm(tsec->sid, isec->sid,
4752 SECCLASS_MSGQ, MSGQ__READ, &ad);
4754 rc = avc_has_perm(tsec->sid, msec->sid,
4755 SECCLASS_MSG, MSG__RECEIVE, &ad);
4759 /* Shared Memory security operations */
4760 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4762 struct task_security_struct *tsec;
4763 struct ipc_security_struct *isec;
4764 struct avc_audit_data ad;
4767 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4771 tsec = current->security;
4772 isec = shp->shm_perm.security;
4774 AVC_AUDIT_DATA_INIT(&ad, IPC);
4775 ad.u.ipc_id = shp->shm_perm.key;
4777 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4780 ipc_free_security(&shp->shm_perm);
4786 static void selinux_shm_free_security(struct shmid_kernel *shp)
4788 ipc_free_security(&shp->shm_perm);
4791 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4793 struct task_security_struct *tsec;
4794 struct ipc_security_struct *isec;
4795 struct avc_audit_data ad;
4797 tsec = current->security;
4798 isec = shp->shm_perm.security;
4800 AVC_AUDIT_DATA_INIT(&ad, IPC);
4801 ad.u.ipc_id = shp->shm_perm.key;
4803 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4804 SHM__ASSOCIATE, &ad);
4807 /* Note, at this point, shp is locked down */
4808 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4816 /* No specific object, just general system-wide information. */
4817 return task_has_system(current, SYSTEM__IPC_INFO);
4820 perms = SHM__GETATTR | SHM__ASSOCIATE;
4823 perms = SHM__SETATTR;
4830 perms = SHM__DESTROY;
4836 err = ipc_has_perm(&shp->shm_perm, perms);
4840 static int selinux_shm_shmat(struct shmid_kernel *shp,
4841 char __user *shmaddr, int shmflg)
4846 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4850 if (shmflg & SHM_RDONLY)
4853 perms = SHM__READ | SHM__WRITE;
4855 return ipc_has_perm(&shp->shm_perm, perms);
4858 /* Semaphore security operations */
4859 static int selinux_sem_alloc_security(struct sem_array *sma)
4861 struct task_security_struct *tsec;
4862 struct ipc_security_struct *isec;
4863 struct avc_audit_data ad;
4866 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4870 tsec = current->security;
4871 isec = sma->sem_perm.security;
4873 AVC_AUDIT_DATA_INIT(&ad, IPC);
4874 ad.u.ipc_id = sma->sem_perm.key;
4876 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4879 ipc_free_security(&sma->sem_perm);
4885 static void selinux_sem_free_security(struct sem_array *sma)
4887 ipc_free_security(&sma->sem_perm);
4890 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4892 struct task_security_struct *tsec;
4893 struct ipc_security_struct *isec;
4894 struct avc_audit_data ad;
4896 tsec = current->security;
4897 isec = sma->sem_perm.security;
4899 AVC_AUDIT_DATA_INIT(&ad, IPC);
4900 ad.u.ipc_id = sma->sem_perm.key;
4902 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4903 SEM__ASSOCIATE, &ad);
4906 /* Note, at this point, sma is locked down */
4907 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4915 /* No specific object, just general system-wide information. */
4916 return task_has_system(current, SYSTEM__IPC_INFO);
4920 perms = SEM__GETATTR;
4931 perms = SEM__DESTROY;
4934 perms = SEM__SETATTR;
4938 perms = SEM__GETATTR | SEM__ASSOCIATE;
4944 err = ipc_has_perm(&sma->sem_perm, perms);
4948 static int selinux_sem_semop(struct sem_array *sma,
4949 struct sembuf *sops, unsigned nsops, int alter)
4954 perms = SEM__READ | SEM__WRITE;
4958 return ipc_has_perm(&sma->sem_perm, perms);
4961 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4967 av |= IPC__UNIX_READ;
4969 av |= IPC__UNIX_WRITE;
4974 return ipc_has_perm(ipcp, av);
4977 /* module stacking operations */
4978 static int selinux_register_security (const char *name, struct security_operations *ops)
4980 if (secondary_ops != original_ops) {
4981 printk(KERN_ERR "%s: There is already a secondary security "
4982 "module registered.\n", __FUNCTION__);
4986 secondary_ops = ops;
4988 printk(KERN_INFO "%s: Registering secondary module %s\n",
4995 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4998 inode_doinit_with_dentry(inode, dentry);
5001 static int selinux_getprocattr(struct task_struct *p,
5002 char *name, char **value)
5004 struct task_security_struct *tsec;
5010 error = task_has_perm(current, p, PROCESS__GETATTR);
5017 if (!strcmp(name, "current"))
5019 else if (!strcmp(name, "prev"))
5021 else if (!strcmp(name, "exec"))
5022 sid = tsec->exec_sid;
5023 else if (!strcmp(name, "fscreate"))
5024 sid = tsec->create_sid;
5025 else if (!strcmp(name, "keycreate"))
5026 sid = tsec->keycreate_sid;
5027 else if (!strcmp(name, "sockcreate"))
5028 sid = tsec->sockcreate_sid;
5035 error = security_sid_to_context(sid, value, &len);
5041 static int selinux_setprocattr(struct task_struct *p,
5042 char *name, void *value, size_t size)
5044 struct task_security_struct *tsec;
5050 /* SELinux only allows a process to change its own
5051 security attributes. */
5056 * Basic control over ability to set these attributes at all.
5057 * current == p, but we'll pass them separately in case the
5058 * above restriction is ever removed.
5060 if (!strcmp(name, "exec"))
5061 error = task_has_perm(current, p, PROCESS__SETEXEC);
5062 else if (!strcmp(name, "fscreate"))
5063 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5064 else if (!strcmp(name, "keycreate"))
5065 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5066 else if (!strcmp(name, "sockcreate"))
5067 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5068 else if (!strcmp(name, "current"))
5069 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5075 /* Obtain a SID for the context, if one was specified. */
5076 if (size && str[1] && str[1] != '\n') {
5077 if (str[size-1] == '\n') {
5081 error = security_context_to_sid(value, size, &sid);
5086 /* Permission checking based on the specified context is
5087 performed during the actual operation (execve,
5088 open/mkdir/...), when we know the full context of the
5089 operation. See selinux_bprm_set_security for the execve
5090 checks and may_create for the file creation checks. The
5091 operation will then fail if the context is not permitted. */
5093 if (!strcmp(name, "exec"))
5094 tsec->exec_sid = sid;
5095 else if (!strcmp(name, "fscreate"))
5096 tsec->create_sid = sid;
5097 else if (!strcmp(name, "keycreate")) {
5098 error = may_create_key(sid, p);
5101 tsec->keycreate_sid = sid;
5102 } else if (!strcmp(name, "sockcreate"))
5103 tsec->sockcreate_sid = sid;
5104 else if (!strcmp(name, "current")) {
5105 struct av_decision avd;
5110 /* Only allow single threaded processes to change context */
5111 if (atomic_read(&p->mm->mm_users) != 1) {
5112 struct task_struct *g, *t;
5113 struct mm_struct *mm = p->mm;
5114 read_lock(&tasklist_lock);
5115 do_each_thread(g, t)
5116 if (t->mm == mm && t != p) {
5117 read_unlock(&tasklist_lock);
5120 while_each_thread(g, t);
5121 read_unlock(&tasklist_lock);
5124 /* Check permissions for the transition. */
5125 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5126 PROCESS__DYNTRANSITION, NULL);
5130 /* Check for ptracing, and update the task SID if ok.
5131 Otherwise, leave SID unchanged and fail. */
5133 if (p->ptrace & PT_PTRACED) {
5134 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
5136 PROCESS__PTRACE, 0, &avd);
5140 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
5141 PROCESS__PTRACE, &avd, error, NULL);
5155 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5157 return security_sid_to_context(secid, secdata, seclen);
5160 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5162 return security_context_to_sid(secdata, seclen, secid);
5165 static void selinux_release_secctx(char *secdata, u32 seclen)
5172 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5173 unsigned long flags)
5175 struct task_security_struct *tsec = tsk->security;
5176 struct key_security_struct *ksec;
5178 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5183 if (tsec->keycreate_sid)
5184 ksec->sid = tsec->keycreate_sid;
5186 ksec->sid = tsec->sid;
5192 static void selinux_key_free(struct key *k)
5194 struct key_security_struct *ksec = k->security;
5200 static int selinux_key_permission(key_ref_t key_ref,
5201 struct task_struct *ctx,
5205 struct task_security_struct *tsec;
5206 struct key_security_struct *ksec;
5208 key = key_ref_to_ptr(key_ref);
5210 tsec = ctx->security;
5211 ksec = key->security;
5213 /* if no specific permissions are requested, we skip the
5214 permission check. No serious, additional covert channels
5215 appear to be created. */
5219 return avc_has_perm(tsec->sid, ksec->sid,
5220 SECCLASS_KEY, perm, NULL);
5225 static struct security_operations selinux_ops = {
5226 .ptrace = selinux_ptrace,
5227 .capget = selinux_capget,
5228 .capset_check = selinux_capset_check,
5229 .capset_set = selinux_capset_set,
5230 .sysctl = selinux_sysctl,
5231 .capable = selinux_capable,
5232 .quotactl = selinux_quotactl,
5233 .quota_on = selinux_quota_on,
5234 .syslog = selinux_syslog,
5235 .vm_enough_memory = selinux_vm_enough_memory,
5237 .netlink_send = selinux_netlink_send,
5238 .netlink_recv = selinux_netlink_recv,
5240 .bprm_alloc_security = selinux_bprm_alloc_security,
5241 .bprm_free_security = selinux_bprm_free_security,
5242 .bprm_apply_creds = selinux_bprm_apply_creds,
5243 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5244 .bprm_set_security = selinux_bprm_set_security,
5245 .bprm_check_security = selinux_bprm_check_security,
5246 .bprm_secureexec = selinux_bprm_secureexec,
5248 .sb_alloc_security = selinux_sb_alloc_security,
5249 .sb_free_security = selinux_sb_free_security,
5250 .sb_copy_data = selinux_sb_copy_data,
5251 .sb_kern_mount = selinux_sb_kern_mount,
5252 .sb_statfs = selinux_sb_statfs,
5253 .sb_mount = selinux_mount,
5254 .sb_umount = selinux_umount,
5255 .sb_get_mnt_opts = selinux_get_mnt_opts,
5256 .sb_set_mnt_opts = selinux_set_mnt_opts,
5257 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5259 .inode_alloc_security = selinux_inode_alloc_security,
5260 .inode_free_security = selinux_inode_free_security,
5261 .inode_init_security = selinux_inode_init_security,
5262 .inode_create = selinux_inode_create,
5263 .inode_link = selinux_inode_link,
5264 .inode_unlink = selinux_inode_unlink,
5265 .inode_symlink = selinux_inode_symlink,
5266 .inode_mkdir = selinux_inode_mkdir,
5267 .inode_rmdir = selinux_inode_rmdir,
5268 .inode_mknod = selinux_inode_mknod,
5269 .inode_rename = selinux_inode_rename,
5270 .inode_readlink = selinux_inode_readlink,
5271 .inode_follow_link = selinux_inode_follow_link,
5272 .inode_permission = selinux_inode_permission,
5273 .inode_setattr = selinux_inode_setattr,
5274 .inode_getattr = selinux_inode_getattr,
5275 .inode_setxattr = selinux_inode_setxattr,
5276 .inode_post_setxattr = selinux_inode_post_setxattr,
5277 .inode_getxattr = selinux_inode_getxattr,
5278 .inode_listxattr = selinux_inode_listxattr,
5279 .inode_removexattr = selinux_inode_removexattr,
5280 .inode_getsecurity = selinux_inode_getsecurity,
5281 .inode_setsecurity = selinux_inode_setsecurity,
5282 .inode_listsecurity = selinux_inode_listsecurity,
5283 .inode_need_killpriv = selinux_inode_need_killpriv,
5284 .inode_killpriv = selinux_inode_killpriv,
5286 .file_permission = selinux_file_permission,
5287 .file_alloc_security = selinux_file_alloc_security,
5288 .file_free_security = selinux_file_free_security,
5289 .file_ioctl = selinux_file_ioctl,
5290 .file_mmap = selinux_file_mmap,
5291 .file_mprotect = selinux_file_mprotect,
5292 .file_lock = selinux_file_lock,
5293 .file_fcntl = selinux_file_fcntl,
5294 .file_set_fowner = selinux_file_set_fowner,
5295 .file_send_sigiotask = selinux_file_send_sigiotask,
5296 .file_receive = selinux_file_receive,
5298 .dentry_open = selinux_dentry_open,
5300 .task_create = selinux_task_create,
5301 .task_alloc_security = selinux_task_alloc_security,
5302 .task_free_security = selinux_task_free_security,
5303 .task_setuid = selinux_task_setuid,
5304 .task_post_setuid = selinux_task_post_setuid,
5305 .task_setgid = selinux_task_setgid,
5306 .task_setpgid = selinux_task_setpgid,
5307 .task_getpgid = selinux_task_getpgid,
5308 .task_getsid = selinux_task_getsid,
5309 .task_getsecid = selinux_task_getsecid,
5310 .task_setgroups = selinux_task_setgroups,
5311 .task_setnice = selinux_task_setnice,
5312 .task_setioprio = selinux_task_setioprio,
5313 .task_getioprio = selinux_task_getioprio,
5314 .task_setrlimit = selinux_task_setrlimit,
5315 .task_setscheduler = selinux_task_setscheduler,
5316 .task_getscheduler = selinux_task_getscheduler,
5317 .task_movememory = selinux_task_movememory,
5318 .task_kill = selinux_task_kill,
5319 .task_wait = selinux_task_wait,
5320 .task_prctl = selinux_task_prctl,
5321 .task_reparent_to_init = selinux_task_reparent_to_init,
5322 .task_to_inode = selinux_task_to_inode,
5324 .ipc_permission = selinux_ipc_permission,
5326 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5327 .msg_msg_free_security = selinux_msg_msg_free_security,
5329 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5330 .msg_queue_free_security = selinux_msg_queue_free_security,
5331 .msg_queue_associate = selinux_msg_queue_associate,
5332 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5333 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5334 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5336 .shm_alloc_security = selinux_shm_alloc_security,
5337 .shm_free_security = selinux_shm_free_security,
5338 .shm_associate = selinux_shm_associate,
5339 .shm_shmctl = selinux_shm_shmctl,
5340 .shm_shmat = selinux_shm_shmat,
5342 .sem_alloc_security = selinux_sem_alloc_security,
5343 .sem_free_security = selinux_sem_free_security,
5344 .sem_associate = selinux_sem_associate,
5345 .sem_semctl = selinux_sem_semctl,
5346 .sem_semop = selinux_sem_semop,
5348 .register_security = selinux_register_security,
5350 .d_instantiate = selinux_d_instantiate,
5352 .getprocattr = selinux_getprocattr,
5353 .setprocattr = selinux_setprocattr,
5355 .secid_to_secctx = selinux_secid_to_secctx,
5356 .secctx_to_secid = selinux_secctx_to_secid,
5357 .release_secctx = selinux_release_secctx,
5359 .unix_stream_connect = selinux_socket_unix_stream_connect,
5360 .unix_may_send = selinux_socket_unix_may_send,
5362 .socket_create = selinux_socket_create,
5363 .socket_post_create = selinux_socket_post_create,
5364 .socket_bind = selinux_socket_bind,
5365 .socket_connect = selinux_socket_connect,
5366 .socket_listen = selinux_socket_listen,
5367 .socket_accept = selinux_socket_accept,
5368 .socket_sendmsg = selinux_socket_sendmsg,
5369 .socket_recvmsg = selinux_socket_recvmsg,
5370 .socket_getsockname = selinux_socket_getsockname,
5371 .socket_getpeername = selinux_socket_getpeername,
5372 .socket_getsockopt = selinux_socket_getsockopt,
5373 .socket_setsockopt = selinux_socket_setsockopt,
5374 .socket_shutdown = selinux_socket_shutdown,
5375 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5376 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5377 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5378 .sk_alloc_security = selinux_sk_alloc_security,
5379 .sk_free_security = selinux_sk_free_security,
5380 .sk_clone_security = selinux_sk_clone_security,
5381 .sk_getsecid = selinux_sk_getsecid,
5382 .sock_graft = selinux_sock_graft,
5383 .inet_conn_request = selinux_inet_conn_request,
5384 .inet_csk_clone = selinux_inet_csk_clone,
5385 .inet_conn_established = selinux_inet_conn_established,
5386 .req_classify_flow = selinux_req_classify_flow,
5388 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5389 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5390 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5391 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5392 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5393 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5394 .xfrm_state_free_security = selinux_xfrm_state_free,
5395 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5396 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5397 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5398 .xfrm_decode_session = selinux_xfrm_decode_session,
5402 .key_alloc = selinux_key_alloc,
5403 .key_free = selinux_key_free,
5404 .key_permission = selinux_key_permission,
5408 static __init int selinux_init(void)
5410 struct task_security_struct *tsec;
5412 if (!selinux_enabled) {
5413 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5417 printk(KERN_INFO "SELinux: Initializing.\n");
5419 /* Set the security state for the initial task. */
5420 if (task_alloc_security(current))
5421 panic("SELinux: Failed to initialize initial task.\n");
5422 tsec = current->security;
5423 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5425 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5426 sizeof(struct inode_security_struct),
5427 0, SLAB_PANIC, NULL);
5430 original_ops = secondary_ops = security_ops;
5432 panic ("SELinux: No initial security operations\n");
5433 if (register_security (&selinux_ops))
5434 panic("SELinux: Unable to register with kernel.\n");
5436 if (selinux_enforcing) {
5437 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5439 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5443 /* Add security information to initial keyrings */
5444 selinux_key_alloc(&root_user_keyring, current,
5445 KEY_ALLOC_NOT_IN_QUOTA);
5446 selinux_key_alloc(&root_session_keyring, current,
5447 KEY_ALLOC_NOT_IN_QUOTA);
5453 void selinux_complete_init(void)
5455 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5457 /* Set up any superblocks initialized prior to the policy load. */
5458 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5459 spin_lock(&sb_lock);
5460 spin_lock(&sb_security_lock);
5462 if (!list_empty(&superblock_security_head)) {
5463 struct superblock_security_struct *sbsec =
5464 list_entry(superblock_security_head.next,
5465 struct superblock_security_struct,
5467 struct super_block *sb = sbsec->sb;
5469 spin_unlock(&sb_security_lock);
5470 spin_unlock(&sb_lock);
5471 down_read(&sb->s_umount);
5473 superblock_doinit(sb, NULL);
5475 spin_lock(&sb_lock);
5476 spin_lock(&sb_security_lock);
5477 list_del_init(&sbsec->list);
5480 spin_unlock(&sb_security_lock);
5481 spin_unlock(&sb_lock);
5484 /* SELinux requires early initialization in order to label
5485 all processes and objects when they are created. */
5486 security_initcall(selinux_init);
5488 #if defined(CONFIG_NETFILTER)
5490 static struct nf_hook_ops selinux_ipv4_ops[] = {
5492 .hook = selinux_ipv4_postroute,
5493 .owner = THIS_MODULE,
5495 .hooknum = NF_INET_POST_ROUTING,
5496 .priority = NF_IP_PRI_SELINUX_LAST,
5499 .hook = selinux_ipv4_forward,
5500 .owner = THIS_MODULE,
5502 .hooknum = NF_INET_FORWARD,
5503 .priority = NF_IP_PRI_SELINUX_FIRST,
5507 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5509 static struct nf_hook_ops selinux_ipv6_ops[] = {
5511 .hook = selinux_ipv6_postroute,
5512 .owner = THIS_MODULE,
5514 .hooknum = NF_INET_POST_ROUTING,
5515 .priority = NF_IP6_PRI_SELINUX_LAST,
5518 .hook = selinux_ipv6_forward,
5519 .owner = THIS_MODULE,
5521 .hooknum = NF_INET_FORWARD,
5522 .priority = NF_IP6_PRI_SELINUX_FIRST,
5528 static int __init selinux_nf_ip_init(void)
5533 if (!selinux_enabled)
5536 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5538 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5539 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5541 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5545 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5546 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5547 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5549 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5558 __initcall(selinux_nf_ip_init);
5560 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5561 static void selinux_nf_ip_exit(void)
5565 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5567 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5568 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5569 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5570 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5571 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5576 #else /* CONFIG_NETFILTER */
5578 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5579 #define selinux_nf_ip_exit()
5582 #endif /* CONFIG_NETFILTER */
5584 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5585 int selinux_disable(void)
5587 extern void exit_sel_fs(void);
5588 static int selinux_disabled = 0;
5590 if (ss_initialized) {
5591 /* Not permitted after initial policy load. */
5595 if (selinux_disabled) {
5596 /* Only do this once. */
5600 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5602 selinux_disabled = 1;
5603 selinux_enabled = 0;
5605 /* Reset security_ops to the secondary module, dummy or capability. */
5606 security_ops = secondary_ops;
5608 /* Unregister netfilter hooks. */
5609 selinux_nf_ip_exit();
5611 /* Unregister selinuxfs. */
git.samba.org / sfrench / cifs-2.6.git / blob