2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
89 #define NUM_SEL_MNT_OPTS 4
91 extern unsigned int policydb_loaded_version;
92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
93 extern int selinux_compat_net;
94 extern struct security_operations *security_ops;
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing = 0;
102 static int __init enforcing_setup(char *str)
104 selinux_enforcing = simple_strtol(str,NULL,0);
107 __setup("enforcing=", enforcing_setup);
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
113 static int __init selinux_enabled_setup(char *str)
115 selinux_enabled = simple_strtol(str, NULL, 0);
118 __setup("selinux=", selinux_enabled_setup);
120 int selinux_enabled = 1;
123 /* Original (dummy) security module. */
124 static struct security_operations *original_ops = NULL;
126 /* Minimal support for a secondary security module,
127 just to allow the use of the dummy or capability modules.
128 The owlsm module can alternatively be used as a secondary
129 module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations *secondary_ops = NULL;
132 /* Lists of inode and superblock security structures initialized
133 before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head);
135 static DEFINE_SPINLOCK(sb_security_lock);
137 static struct kmem_cache *sel_inode_cache;
140 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
143 * This function checks the SECMARK reference counter to see if any SECMARK
144 * targets are currently configured, if the reference counter is greater than
145 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
146 * enabled, false (0) if SECMARK is disabled.
149 static int selinux_secmark_enabled(void)
151 return (atomic_read(&selinux_secmark_refcount) > 0);
154 /* Allocate and free functions for each kind of security blob. */
156 static int task_alloc_security(struct task_struct *task)
158 struct task_security_struct *tsec;
160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
164 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
165 task->security = tsec;
170 static void task_free_security(struct task_struct *task)
172 struct task_security_struct *tsec = task->security;
173 task->security = NULL;
177 static int inode_alloc_security(struct inode *inode)
179 struct task_security_struct *tsec = current->security;
180 struct inode_security_struct *isec;
182 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
186 mutex_init(&isec->lock);
187 INIT_LIST_HEAD(&isec->list);
189 isec->sid = SECINITSID_UNLABELED;
190 isec->sclass = SECCLASS_FILE;
191 isec->task_sid = tsec->sid;
192 inode->i_security = isec;
197 static void inode_free_security(struct inode *inode)
199 struct inode_security_struct *isec = inode->i_security;
200 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
202 spin_lock(&sbsec->isec_lock);
203 if (!list_empty(&isec->list))
204 list_del_init(&isec->list);
205 spin_unlock(&sbsec->isec_lock);
207 inode->i_security = NULL;
208 kmem_cache_free(sel_inode_cache, isec);
211 static int file_alloc_security(struct file *file)
213 struct task_security_struct *tsec = current->security;
214 struct file_security_struct *fsec;
216 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
220 fsec->sid = tsec->sid;
221 fsec->fown_sid = tsec->sid;
222 file->f_security = fsec;
227 static void file_free_security(struct file *file)
229 struct file_security_struct *fsec = file->f_security;
230 file->f_security = NULL;
234 static int superblock_alloc_security(struct super_block *sb)
236 struct superblock_security_struct *sbsec;
238 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
242 mutex_init(&sbsec->lock);
243 INIT_LIST_HEAD(&sbsec->list);
244 INIT_LIST_HEAD(&sbsec->isec_head);
245 spin_lock_init(&sbsec->isec_lock);
247 sbsec->sid = SECINITSID_UNLABELED;
248 sbsec->def_sid = SECINITSID_FILE;
249 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
250 sb->s_security = sbsec;
255 static void superblock_free_security(struct super_block *sb)
257 struct superblock_security_struct *sbsec = sb->s_security;
259 spin_lock(&sb_security_lock);
260 if (!list_empty(&sbsec->list))
261 list_del_init(&sbsec->list);
262 spin_unlock(&sb_security_lock);
264 sb->s_security = NULL;
268 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
270 struct sk_security_struct *ssec;
272 ssec = kzalloc(sizeof(*ssec), priority);
276 ssec->peer_sid = SECINITSID_UNLABELED;
277 ssec->sid = SECINITSID_UNLABELED;
278 sk->sk_security = ssec;
280 selinux_netlbl_sk_security_reset(ssec, family);
285 static void sk_free_security(struct sock *sk)
287 struct sk_security_struct *ssec = sk->sk_security;
289 sk->sk_security = NULL;
293 /* The security server must be initialized before
294 any labeling or access decisions can be provided. */
295 extern int ss_initialized;
297 /* The file system's label must be initialized prior to use. */
299 static char *labeling_behaviors[6] = {
301 "uses transition SIDs",
303 "uses genfs_contexts",
304 "not configured for labeling",
305 "uses mountpoint labeling",
308 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
310 static inline int inode_doinit(struct inode *inode)
312 return inode_doinit_with_dentry(inode, NULL);
323 static match_table_t tokens = {
324 {Opt_context, "context=%s"},
325 {Opt_fscontext, "fscontext=%s"},
326 {Opt_defcontext, "defcontext=%s"},
327 {Opt_rootcontext, "rootcontext=%s"},
331 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
333 static int may_context_mount_sb_relabel(u32 sid,
334 struct superblock_security_struct *sbsec,
335 struct task_security_struct *tsec)
339 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
340 FILESYSTEM__RELABELFROM, NULL);
344 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
345 FILESYSTEM__RELABELTO, NULL);
349 static int may_context_mount_inode_relabel(u32 sid,
350 struct superblock_security_struct *sbsec,
351 struct task_security_struct *tsec)
354 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
355 FILESYSTEM__RELABELFROM, NULL);
359 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
360 FILESYSTEM__ASSOCIATE, NULL);
364 static int sb_finish_set_opts(struct super_block *sb)
366 struct superblock_security_struct *sbsec = sb->s_security;
367 struct dentry *root = sb->s_root;
368 struct inode *root_inode = root->d_inode;
371 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
372 /* Make sure that the xattr handler exists and that no
373 error other than -ENODATA is returned by getxattr on
374 the root directory. -ENODATA is ok, as this may be
375 the first boot of the SELinux kernel before we have
376 assigned xattr values to the filesystem. */
377 if (!root_inode->i_op->getxattr) {
378 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
379 "xattr support\n", sb->s_id, sb->s_type->name);
383 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
384 if (rc < 0 && rc != -ENODATA) {
385 if (rc == -EOPNOTSUPP)
386 printk(KERN_WARNING "SELinux: (dev %s, type "
387 "%s) has no security xattr handler\n",
388 sb->s_id, sb->s_type->name);
390 printk(KERN_WARNING "SELinux: (dev %s, type "
391 "%s) getxattr errno %d\n", sb->s_id,
392 sb->s_type->name, -rc);
397 sbsec->initialized = 1;
399 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
400 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
401 sb->s_id, sb->s_type->name);
403 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
404 sb->s_id, sb->s_type->name,
405 labeling_behaviors[sbsec->behavior-1]);
407 /* Initialize the root inode. */
408 rc = inode_doinit_with_dentry(root_inode, root);
410 /* Initialize any other inodes associated with the superblock, e.g.
411 inodes created prior to initial policy load or inodes created
412 during get_sb by a pseudo filesystem that directly
414 spin_lock(&sbsec->isec_lock);
416 if (!list_empty(&sbsec->isec_head)) {
417 struct inode_security_struct *isec =
418 list_entry(sbsec->isec_head.next,
419 struct inode_security_struct, list);
420 struct inode *inode = isec->inode;
421 spin_unlock(&sbsec->isec_lock);
422 inode = igrab(inode);
424 if (!IS_PRIVATE(inode))
428 spin_lock(&sbsec->isec_lock);
429 list_del_init(&isec->list);
432 spin_unlock(&sbsec->isec_lock);
438 * This function should allow an FS to ask what it's mount security
439 * options were so it can use those later for submounts, displaying
440 * mount options, or whatever.
442 static int selinux_get_mnt_opts(const struct super_block *sb,
443 struct security_mnt_opts *opts)
446 struct superblock_security_struct *sbsec = sb->s_security;
447 char *context = NULL;
451 security_init_mnt_opts(opts);
453 if (!sbsec->initialized)
460 * if we ever use sbsec flags for anything other than tracking mount
461 * settings this is going to need a mask
464 /* count the number of mount options for this sb */
465 for (i = 0; i < 8; i++) {
467 opts->num_mnt_opts++;
471 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
472 if (!opts->mnt_opts) {
477 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
478 if (!opts->mnt_opts_flags) {
484 if (sbsec->flags & FSCONTEXT_MNT) {
485 rc = security_sid_to_context(sbsec->sid, &context, &len);
488 opts->mnt_opts[i] = context;
489 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
491 if (sbsec->flags & CONTEXT_MNT) {
492 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
495 opts->mnt_opts[i] = context;
496 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
498 if (sbsec->flags & DEFCONTEXT_MNT) {
499 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
502 opts->mnt_opts[i] = context;
503 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
505 if (sbsec->flags & ROOTCONTEXT_MNT) {
506 struct inode *root = sbsec->sb->s_root->d_inode;
507 struct inode_security_struct *isec = root->i_security;
509 rc = security_sid_to_context(isec->sid, &context, &len);
512 opts->mnt_opts[i] = context;
513 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
516 BUG_ON(i != opts->num_mnt_opts);
521 security_free_mnt_opts(opts);
525 static int bad_option(struct superblock_security_struct *sbsec, char flag,
526 u32 old_sid, u32 new_sid)
528 /* check if the old mount command had the same options */
529 if (sbsec->initialized)
530 if (!(sbsec->flags & flag) ||
531 (old_sid != new_sid))
534 /* check if we were passed the same options twice,
535 * aka someone passed context=a,context=b
537 if (!sbsec->initialized)
538 if (sbsec->flags & flag)
544 * Allow filesystems with binary mount data to explicitly set mount point
545 * labeling information.
547 static int selinux_set_mnt_opts(struct super_block *sb,
548 struct security_mnt_opts *opts)
551 struct task_security_struct *tsec = current->security;
552 struct superblock_security_struct *sbsec = sb->s_security;
553 const char *name = sb->s_type->name;
554 struct inode *inode = sbsec->sb->s_root->d_inode;
555 struct inode_security_struct *root_isec = inode->i_security;
556 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
557 u32 defcontext_sid = 0;
558 char **mount_options = opts->mnt_opts;
559 int *flags = opts->mnt_opts_flags;
560 int num_opts = opts->num_mnt_opts;
562 mutex_lock(&sbsec->lock);
564 if (!ss_initialized) {
566 /* Defer initialization until selinux_complete_init,
567 after the initial policy is loaded and the security
568 server is ready to handle calls. */
569 spin_lock(&sb_security_lock);
570 if (list_empty(&sbsec->list))
571 list_add(&sbsec->list, &superblock_security_head);
572 spin_unlock(&sb_security_lock);
576 printk(KERN_WARNING "Unable to set superblock options before "
577 "the security server is initialized\n");
582 * Binary mount data FS will come through this function twice. Once
583 * from an explicit call and once from the generic calls from the vfs.
584 * Since the generic VFS calls will not contain any security mount data
585 * we need to skip the double mount verification.
587 * This does open a hole in which we will not notice if the first
588 * mount using this sb set explict options and a second mount using
589 * this sb does not set any security options. (The first options
590 * will be used for both mounts)
592 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
597 * parse the mount options, check if they are valid sids.
598 * also check if someone is trying to mount the same sb more
599 * than once with different security options.
601 for (i = 0; i < num_opts; i++) {
603 rc = security_context_to_sid(mount_options[i],
604 strlen(mount_options[i]), &sid);
606 printk(KERN_WARNING "SELinux: security_context_to_sid"
607 "(%s) failed for (dev %s, type %s) errno=%d\n",
608 mount_options[i], sb->s_id, name, rc);
615 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
617 goto out_double_mount;
619 sbsec->flags |= FSCONTEXT_MNT;
624 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
626 goto out_double_mount;
628 sbsec->flags |= CONTEXT_MNT;
630 case ROOTCONTEXT_MNT:
631 rootcontext_sid = sid;
633 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
635 goto out_double_mount;
637 sbsec->flags |= ROOTCONTEXT_MNT;
641 defcontext_sid = sid;
643 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
645 goto out_double_mount;
647 sbsec->flags |= DEFCONTEXT_MNT;
656 if (sbsec->initialized) {
657 /* previously mounted with options, but not on this attempt? */
658 if (sbsec->flags && !num_opts)
659 goto out_double_mount;
664 if (strcmp(sb->s_type->name, "proc") == 0)
667 /* Determine the labeling behavior to use for this filesystem type. */
668 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
670 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
671 __FUNCTION__, sb->s_type->name, rc);
675 /* sets the context of the superblock for the fs being mounted. */
678 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
682 sbsec->sid = fscontext_sid;
686 * Switch to using mount point labeling behavior.
687 * sets the label used on all file below the mountpoint, and will set
688 * the superblock context if not already set.
691 if (!fscontext_sid) {
692 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
695 sbsec->sid = context_sid;
697 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
701 if (!rootcontext_sid)
702 rootcontext_sid = context_sid;
704 sbsec->mntpoint_sid = context_sid;
705 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
708 if (rootcontext_sid) {
709 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
713 root_isec->sid = rootcontext_sid;
714 root_isec->initialized = 1;
717 if (defcontext_sid) {
718 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
720 printk(KERN_WARNING "SELinux: defcontext option is "
721 "invalid for this filesystem type\n");
725 if (defcontext_sid != sbsec->def_sid) {
726 rc = may_context_mount_inode_relabel(defcontext_sid,
732 sbsec->def_sid = defcontext_sid;
735 rc = sb_finish_set_opts(sb);
737 mutex_unlock(&sbsec->lock);
741 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
742 "security settings for (dev %s, type %s)\n", sb->s_id, name);
746 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
747 struct super_block *newsb)
749 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
750 struct superblock_security_struct *newsbsec = newsb->s_security;
752 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
753 int set_context = (oldsbsec->flags & CONTEXT_MNT);
754 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
756 /* we can't error, we can't save the info, this shouldn't get called
757 * this early in the boot process. */
758 BUG_ON(!ss_initialized);
760 /* how can we clone if the old one wasn't set up?? */
761 BUG_ON(!oldsbsec->initialized);
763 /* if fs is reusing a sb, just let its options stand... */
764 if (newsbsec->initialized)
767 mutex_lock(&newsbsec->lock);
769 newsbsec->flags = oldsbsec->flags;
771 newsbsec->sid = oldsbsec->sid;
772 newsbsec->def_sid = oldsbsec->def_sid;
773 newsbsec->behavior = oldsbsec->behavior;
776 u32 sid = oldsbsec->mntpoint_sid;
780 if (!set_rootcontext) {
781 struct inode *newinode = newsb->s_root->d_inode;
782 struct inode_security_struct *newisec = newinode->i_security;
785 newsbsec->mntpoint_sid = sid;
787 if (set_rootcontext) {
788 const struct inode *oldinode = oldsb->s_root->d_inode;
789 const struct inode_security_struct *oldisec = oldinode->i_security;
790 struct inode *newinode = newsb->s_root->d_inode;
791 struct inode_security_struct *newisec = newinode->i_security;
793 newisec->sid = oldisec->sid;
796 sb_finish_set_opts(newsb);
797 mutex_unlock(&newsbsec->lock);
800 static int selinux_parse_opts_str(char *options,
801 struct security_mnt_opts *opts)
804 char *context = NULL, *defcontext = NULL;
805 char *fscontext = NULL, *rootcontext = NULL;
806 int rc, num_mnt_opts = 0;
808 opts->num_mnt_opts = 0;
810 /* Standard string-based options. */
811 while ((p = strsep(&options, "|")) != NULL) {
813 substring_t args[MAX_OPT_ARGS];
818 token = match_token(p, tokens, args);
822 if (context || defcontext) {
824 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
827 context = match_strdup(&args[0]);
837 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
840 fscontext = match_strdup(&args[0]);
847 case Opt_rootcontext:
850 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
853 rootcontext = match_strdup(&args[0]);
861 if (context || defcontext) {
863 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
866 defcontext = match_strdup(&args[0]);
875 printk(KERN_WARNING "SELinux: unknown mount option\n");
882 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
886 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
887 if (!opts->mnt_opts_flags) {
888 kfree(opts->mnt_opts);
893 opts->mnt_opts[num_mnt_opts] = fscontext;
894 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
897 opts->mnt_opts[num_mnt_opts] = context;
898 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
901 opts->mnt_opts[num_mnt_opts] = rootcontext;
902 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
905 opts->mnt_opts[num_mnt_opts] = defcontext;
906 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
909 opts->num_mnt_opts = num_mnt_opts;
920 * string mount options parsing and call set the sbsec
922 static int superblock_doinit(struct super_block *sb, void *data)
925 char *options = data;
926 struct security_mnt_opts opts;
928 security_init_mnt_opts(&opts);
933 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
935 rc = selinux_parse_opts_str(options, &opts);
940 rc = selinux_set_mnt_opts(sb, &opts);
943 security_free_mnt_opts(&opts);
947 static inline u16 inode_mode_to_security_class(umode_t mode)
949 switch (mode & S_IFMT) {
951 return SECCLASS_SOCK_FILE;
953 return SECCLASS_LNK_FILE;
955 return SECCLASS_FILE;
957 return SECCLASS_BLK_FILE;
961 return SECCLASS_CHR_FILE;
963 return SECCLASS_FIFO_FILE;
967 return SECCLASS_FILE;
970 static inline int default_protocol_stream(int protocol)
972 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
975 static inline int default_protocol_dgram(int protocol)
977 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
980 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
987 return SECCLASS_UNIX_STREAM_SOCKET;
989 return SECCLASS_UNIX_DGRAM_SOCKET;
996 if (default_protocol_stream(protocol))
997 return SECCLASS_TCP_SOCKET;
999 return SECCLASS_RAWIP_SOCKET;
1001 if (default_protocol_dgram(protocol))
1002 return SECCLASS_UDP_SOCKET;
1004 return SECCLASS_RAWIP_SOCKET;
1006 return SECCLASS_DCCP_SOCKET;
1008 return SECCLASS_RAWIP_SOCKET;
1014 return SECCLASS_NETLINK_ROUTE_SOCKET;
1015 case NETLINK_FIREWALL:
1016 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1017 case NETLINK_INET_DIAG:
1018 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1020 return SECCLASS_NETLINK_NFLOG_SOCKET;
1022 return SECCLASS_NETLINK_XFRM_SOCKET;
1023 case NETLINK_SELINUX:
1024 return SECCLASS_NETLINK_SELINUX_SOCKET;
1026 return SECCLASS_NETLINK_AUDIT_SOCKET;
1027 case NETLINK_IP6_FW:
1028 return SECCLASS_NETLINK_IP6FW_SOCKET;
1029 case NETLINK_DNRTMSG:
1030 return SECCLASS_NETLINK_DNRT_SOCKET;
1031 case NETLINK_KOBJECT_UEVENT:
1032 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1034 return SECCLASS_NETLINK_SOCKET;
1037 return SECCLASS_PACKET_SOCKET;
1039 return SECCLASS_KEY_SOCKET;
1041 return SECCLASS_APPLETALK_SOCKET;
1044 return SECCLASS_SOCKET;
1047 #ifdef CONFIG_PROC_FS
1048 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1053 char *buffer, *path, *end;
1055 buffer = (char*)__get_free_page(GFP_KERNEL);
1060 end = buffer+buflen;
1065 while (de && de != de->parent) {
1066 buflen -= de->namelen + 1;
1070 memcpy(end, de->name, de->namelen);
1075 rc = security_genfs_sid("proc", path, tclass, sid);
1076 free_page((unsigned long)buffer);
1080 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1088 /* The inode's security attributes must be initialized before first use. */
1089 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1091 struct superblock_security_struct *sbsec = NULL;
1092 struct inode_security_struct *isec = inode->i_security;
1094 struct dentry *dentry;
1095 #define INITCONTEXTLEN 255
1096 char *context = NULL;
1100 if (isec->initialized)
1103 mutex_lock(&isec->lock);
1104 if (isec->initialized)
1107 sbsec = inode->i_sb->s_security;
1108 if (!sbsec->initialized) {
1109 /* Defer initialization until selinux_complete_init,
1110 after the initial policy is loaded and the security
1111 server is ready to handle calls. */
1112 spin_lock(&sbsec->isec_lock);
1113 if (list_empty(&isec->list))
1114 list_add(&isec->list, &sbsec->isec_head);
1115 spin_unlock(&sbsec->isec_lock);
1119 switch (sbsec->behavior) {
1120 case SECURITY_FS_USE_XATTR:
1121 if (!inode->i_op->getxattr) {
1122 isec->sid = sbsec->def_sid;
1126 /* Need a dentry, since the xattr API requires one.
1127 Life would be simpler if we could just pass the inode. */
1129 /* Called from d_instantiate or d_splice_alias. */
1130 dentry = dget(opt_dentry);
1132 /* Called from selinux_complete_init, try to find a dentry. */
1133 dentry = d_find_alias(inode);
1136 printk(KERN_WARNING "%s: no dentry for dev=%s "
1137 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1142 len = INITCONTEXTLEN;
1143 context = kmalloc(len, GFP_NOFS);
1149 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1151 if (rc == -ERANGE) {
1152 /* Need a larger buffer. Query for the right size. */
1153 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1161 context = kmalloc(len, GFP_NOFS);
1167 rc = inode->i_op->getxattr(dentry,
1173 if (rc != -ENODATA) {
1174 printk(KERN_WARNING "%s: getxattr returned "
1175 "%d for dev=%s ino=%ld\n", __FUNCTION__,
1176 -rc, inode->i_sb->s_id, inode->i_ino);
1180 /* Map ENODATA to the default file SID */
1181 sid = sbsec->def_sid;
1184 rc = security_context_to_sid_default(context, rc, &sid,
1188 printk(KERN_WARNING "%s: context_to_sid(%s) "
1189 "returned %d for dev=%s ino=%ld\n",
1190 __FUNCTION__, context, -rc,
1191 inode->i_sb->s_id, inode->i_ino);
1193 /* Leave with the unlabeled SID */
1201 case SECURITY_FS_USE_TASK:
1202 isec->sid = isec->task_sid;
1204 case SECURITY_FS_USE_TRANS:
1205 /* Default to the fs SID. */
1206 isec->sid = sbsec->sid;
1208 /* Try to obtain a transition SID. */
1209 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1210 rc = security_transition_sid(isec->task_sid,
1218 case SECURITY_FS_USE_MNTPOINT:
1219 isec->sid = sbsec->mntpoint_sid;
1222 /* Default to the fs superblock SID. */
1223 isec->sid = sbsec->sid;
1226 struct proc_inode *proci = PROC_I(inode);
1228 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1229 rc = selinux_proc_get_sid(proci->pde,
1240 isec->initialized = 1;
1243 mutex_unlock(&isec->lock);
1245 if (isec->sclass == SECCLASS_FILE)
1246 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1250 /* Convert a Linux signal to an access vector. */
1251 static inline u32 signal_to_av(int sig)
1257 /* Commonly granted from child to parent. */
1258 perm = PROCESS__SIGCHLD;
1261 /* Cannot be caught or ignored */
1262 perm = PROCESS__SIGKILL;
1265 /* Cannot be caught or ignored */
1266 perm = PROCESS__SIGSTOP;
1269 /* All other signals. */
1270 perm = PROCESS__SIGNAL;
1277 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1278 fork check, ptrace check, etc. */
1279 static int task_has_perm(struct task_struct *tsk1,
1280 struct task_struct *tsk2,
1283 struct task_security_struct *tsec1, *tsec2;
1285 tsec1 = tsk1->security;
1286 tsec2 = tsk2->security;
1287 return avc_has_perm(tsec1->sid, tsec2->sid,
1288 SECCLASS_PROCESS, perms, NULL);
1291 #if CAP_LAST_CAP > 63
1292 #error Fix SELinux to handle capabilities > 63.
1295 /* Check whether a task is allowed to use a capability. */
1296 static int task_has_capability(struct task_struct *tsk,
1299 struct task_security_struct *tsec;
1300 struct avc_audit_data ad;
1302 u32 av = CAP_TO_MASK(cap);
1304 tsec = tsk->security;
1306 AVC_AUDIT_DATA_INIT(&ad,CAP);
1310 switch (CAP_TO_INDEX(cap)) {
1312 sclass = SECCLASS_CAPABILITY;
1315 sclass = SECCLASS_CAPABILITY2;
1319 "SELinux: out of range capability %d\n", cap);
1322 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1325 /* Check whether a task is allowed to use a system operation. */
1326 static int task_has_system(struct task_struct *tsk,
1329 struct task_security_struct *tsec;
1331 tsec = tsk->security;
1333 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1334 SECCLASS_SYSTEM, perms, NULL);
1337 /* Check whether a task has a particular permission to an inode.
1338 The 'adp' parameter is optional and allows other audit
1339 data to be passed (e.g. the dentry). */
1340 static int inode_has_perm(struct task_struct *tsk,
1341 struct inode *inode,
1343 struct avc_audit_data *adp)
1345 struct task_security_struct *tsec;
1346 struct inode_security_struct *isec;
1347 struct avc_audit_data ad;
1349 if (unlikely (IS_PRIVATE (inode)))
1352 tsec = tsk->security;
1353 isec = inode->i_security;
1357 AVC_AUDIT_DATA_INIT(&ad, FS);
1358 ad.u.fs.inode = inode;
1361 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1364 /* Same as inode_has_perm, but pass explicit audit data containing
1365 the dentry to help the auditing code to more easily generate the
1366 pathname if needed. */
1367 static inline int dentry_has_perm(struct task_struct *tsk,
1368 struct vfsmount *mnt,
1369 struct dentry *dentry,
1372 struct inode *inode = dentry->d_inode;
1373 struct avc_audit_data ad;
1374 AVC_AUDIT_DATA_INIT(&ad,FS);
1375 ad.u.fs.path.mnt = mnt;
1376 ad.u.fs.path.dentry = dentry;
1377 return inode_has_perm(tsk, inode, av, &ad);
1380 /* Check whether a task can use an open file descriptor to
1381 access an inode in a given way. Check access to the
1382 descriptor itself, and then use dentry_has_perm to
1383 check a particular permission to the file.
1384 Access to the descriptor is implicitly granted if it
1385 has the same SID as the process. If av is zero, then
1386 access to the file is not checked, e.g. for cases
1387 where only the descriptor is affected like seek. */
1388 static int file_has_perm(struct task_struct *tsk,
1392 struct task_security_struct *tsec = tsk->security;
1393 struct file_security_struct *fsec = file->f_security;
1394 struct inode *inode = file->f_path.dentry->d_inode;
1395 struct avc_audit_data ad;
1398 AVC_AUDIT_DATA_INIT(&ad, FS);
1399 ad.u.fs.path = file->f_path;
1401 if (tsec->sid != fsec->sid) {
1402 rc = avc_has_perm(tsec->sid, fsec->sid,
1410 /* av is zero if only checking access to the descriptor. */
1412 return inode_has_perm(tsk, inode, av, &ad);
1417 /* Check whether a task can create a file. */
1418 static int may_create(struct inode *dir,
1419 struct dentry *dentry,
1422 struct task_security_struct *tsec;
1423 struct inode_security_struct *dsec;
1424 struct superblock_security_struct *sbsec;
1426 struct avc_audit_data ad;
1429 tsec = current->security;
1430 dsec = dir->i_security;
1431 sbsec = dir->i_sb->s_security;
1433 AVC_AUDIT_DATA_INIT(&ad, FS);
1434 ad.u.fs.path.dentry = dentry;
1436 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1437 DIR__ADD_NAME | DIR__SEARCH,
1442 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1443 newsid = tsec->create_sid;
1445 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1451 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1455 return avc_has_perm(newsid, sbsec->sid,
1456 SECCLASS_FILESYSTEM,
1457 FILESYSTEM__ASSOCIATE, &ad);
1460 /* Check whether a task can create a key. */
1461 static int may_create_key(u32 ksid,
1462 struct task_struct *ctx)
1464 struct task_security_struct *tsec;
1466 tsec = ctx->security;
1468 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1472 #define MAY_UNLINK 1
1475 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1476 static int may_link(struct inode *dir,
1477 struct dentry *dentry,
1481 struct task_security_struct *tsec;
1482 struct inode_security_struct *dsec, *isec;
1483 struct avc_audit_data ad;
1487 tsec = current->security;
1488 dsec = dir->i_security;
1489 isec = dentry->d_inode->i_security;
1491 AVC_AUDIT_DATA_INIT(&ad, FS);
1492 ad.u.fs.path.dentry = dentry;
1495 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1496 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1511 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1515 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1519 static inline int may_rename(struct inode *old_dir,
1520 struct dentry *old_dentry,
1521 struct inode *new_dir,
1522 struct dentry *new_dentry)
1524 struct task_security_struct *tsec;
1525 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1526 struct avc_audit_data ad;
1528 int old_is_dir, new_is_dir;
1531 tsec = current->security;
1532 old_dsec = old_dir->i_security;
1533 old_isec = old_dentry->d_inode->i_security;
1534 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1535 new_dsec = new_dir->i_security;
1537 AVC_AUDIT_DATA_INIT(&ad, FS);
1539 ad.u.fs.path.dentry = old_dentry;
1540 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1541 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1544 rc = avc_has_perm(tsec->sid, old_isec->sid,
1545 old_isec->sclass, FILE__RENAME, &ad);
1548 if (old_is_dir && new_dir != old_dir) {
1549 rc = avc_has_perm(tsec->sid, old_isec->sid,
1550 old_isec->sclass, DIR__REPARENT, &ad);
1555 ad.u.fs.path.dentry = new_dentry;
1556 av = DIR__ADD_NAME | DIR__SEARCH;
1557 if (new_dentry->d_inode)
1558 av |= DIR__REMOVE_NAME;
1559 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1562 if (new_dentry->d_inode) {
1563 new_isec = new_dentry->d_inode->i_security;
1564 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1565 rc = avc_has_perm(tsec->sid, new_isec->sid,
1567 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1575 /* Check whether a task can perform a filesystem operation. */
1576 static int superblock_has_perm(struct task_struct *tsk,
1577 struct super_block *sb,
1579 struct avc_audit_data *ad)
1581 struct task_security_struct *tsec;
1582 struct superblock_security_struct *sbsec;
1584 tsec = tsk->security;
1585 sbsec = sb->s_security;
1586 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1590 /* Convert a Linux mode and permission mask to an access vector. */
1591 static inline u32 file_mask_to_av(int mode, int mask)
1595 if ((mode & S_IFMT) != S_IFDIR) {
1596 if (mask & MAY_EXEC)
1597 av |= FILE__EXECUTE;
1598 if (mask & MAY_READ)
1601 if (mask & MAY_APPEND)
1603 else if (mask & MAY_WRITE)
1607 if (mask & MAY_EXEC)
1609 if (mask & MAY_WRITE)
1611 if (mask & MAY_READ)
1618 /* Convert a Linux file to an access vector. */
1619 static inline u32 file_to_av(struct file *file)
1623 if (file->f_mode & FMODE_READ)
1625 if (file->f_mode & FMODE_WRITE) {
1626 if (file->f_flags & O_APPEND)
1633 * Special file opened with flags 3 for ioctl-only use.
1641 /* Hook functions begin here. */
1643 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1645 struct task_security_struct *psec = parent->security;
1646 struct task_security_struct *csec = child->security;
1649 rc = secondary_ops->ptrace(parent,child);
1653 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1654 /* Save the SID of the tracing process for later use in apply_creds. */
1655 if (!(child->ptrace & PT_PTRACED) && !rc)
1656 csec->ptrace_sid = psec->sid;
1660 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1661 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1665 error = task_has_perm(current, target, PROCESS__GETCAP);
1669 return secondary_ops->capget(target, effective, inheritable, permitted);
1672 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1673 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1677 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1681 return task_has_perm(current, target, PROCESS__SETCAP);
1684 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1685 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1687 secondary_ops->capset_set(target, effective, inheritable, permitted);
1690 static int selinux_capable(struct task_struct *tsk, int cap)
1694 rc = secondary_ops->capable(tsk, cap);
1698 return task_has_capability(tsk,cap);
1701 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1704 char *buffer, *path, *end;
1707 buffer = (char*)__get_free_page(GFP_KERNEL);
1712 end = buffer+buflen;
1718 const char *name = table->procname;
1719 size_t namelen = strlen(name);
1720 buflen -= namelen + 1;
1724 memcpy(end, name, namelen);
1727 table = table->parent;
1733 memcpy(end, "/sys", 4);
1735 rc = security_genfs_sid("proc", path, tclass, sid);
1737 free_page((unsigned long)buffer);
1742 static int selinux_sysctl(ctl_table *table, int op)
1746 struct task_security_struct *tsec;
1750 rc = secondary_ops->sysctl(table, op);
1754 tsec = current->security;
1756 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1757 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1759 /* Default to the well-defined sysctl SID. */
1760 tsid = SECINITSID_SYSCTL;
1763 /* The op values are "defined" in sysctl.c, thereby creating
1764 * a bad coupling between this module and sysctl.c */
1766 error = avc_has_perm(tsec->sid, tsid,
1767 SECCLASS_DIR, DIR__SEARCH, NULL);
1775 error = avc_has_perm(tsec->sid, tsid,
1776 SECCLASS_FILE, av, NULL);
1782 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1795 rc = superblock_has_perm(current,
1797 FILESYSTEM__QUOTAMOD, NULL);
1802 rc = superblock_has_perm(current,
1804 FILESYSTEM__QUOTAGET, NULL);
1807 rc = 0; /* let the kernel handle invalid cmds */
1813 static int selinux_quota_on(struct dentry *dentry)
1815 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1818 static int selinux_syslog(int type)
1822 rc = secondary_ops->syslog(type);
1827 case 3: /* Read last kernel messages */
1828 case 10: /* Return size of the log buffer */
1829 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1831 case 6: /* Disable logging to console */
1832 case 7: /* Enable logging to console */
1833 case 8: /* Set level of messages printed to console */
1834 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1836 case 0: /* Close log */
1837 case 1: /* Open log */
1838 case 2: /* Read from log */
1839 case 4: /* Read/clear last kernel messages */
1840 case 5: /* Clear ring buffer */
1842 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1849 * Check that a process has enough memory to allocate a new virtual
1850 * mapping. 0 means there is enough memory for the allocation to
1851 * succeed and -ENOMEM implies there is not.
1853 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1854 * if the capability is granted, but __vm_enough_memory requires 1 if
1855 * the capability is granted.
1857 * Do not audit the selinux permission check, as this is applied to all
1858 * processes that allocate mappings.
1860 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1862 int rc, cap_sys_admin = 0;
1863 struct task_security_struct *tsec = current->security;
1865 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1867 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1868 SECCLASS_CAPABILITY,
1869 CAP_TO_MASK(CAP_SYS_ADMIN),
1876 return __vm_enough_memory(mm, pages, cap_sys_admin);
1879 /* binprm security operations */
1881 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1883 struct bprm_security_struct *bsec;
1885 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1889 bsec->sid = SECINITSID_UNLABELED;
1892 bprm->security = bsec;
1896 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1898 struct task_security_struct *tsec;
1899 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1900 struct inode_security_struct *isec;
1901 struct bprm_security_struct *bsec;
1903 struct avc_audit_data ad;
1906 rc = secondary_ops->bprm_set_security(bprm);
1910 bsec = bprm->security;
1915 tsec = current->security;
1916 isec = inode->i_security;
1918 /* Default to the current task SID. */
1919 bsec->sid = tsec->sid;
1921 /* Reset fs, key, and sock SIDs on execve. */
1922 tsec->create_sid = 0;
1923 tsec->keycreate_sid = 0;
1924 tsec->sockcreate_sid = 0;
1926 if (tsec->exec_sid) {
1927 newsid = tsec->exec_sid;
1928 /* Reset exec SID on execve. */
1931 /* Check for a default transition on this program. */
1932 rc = security_transition_sid(tsec->sid, isec->sid,
1933 SECCLASS_PROCESS, &newsid);
1938 AVC_AUDIT_DATA_INIT(&ad, FS);
1939 ad.u.fs.path = bprm->file->f_path;
1941 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1944 if (tsec->sid == newsid) {
1945 rc = avc_has_perm(tsec->sid, isec->sid,
1946 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1950 /* Check permissions for the transition. */
1951 rc = avc_has_perm(tsec->sid, newsid,
1952 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1956 rc = avc_has_perm(newsid, isec->sid,
1957 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1961 /* Clear any possibly unsafe personality bits on exec: */
1962 current->personality &= ~PER_CLEAR_ON_SETID;
1964 /* Set the security field to the new SID. */
1972 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1974 return secondary_ops->bprm_check_security(bprm);
1978 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1980 struct task_security_struct *tsec = current->security;
1983 if (tsec->osid != tsec->sid) {
1984 /* Enable secure mode for SIDs transitions unless
1985 the noatsecure permission is granted between
1986 the two SIDs, i.e. ahp returns 0. */
1987 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1989 PROCESS__NOATSECURE, NULL);
1992 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1995 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1997 kfree(bprm->security);
1998 bprm->security = NULL;
2001 extern struct vfsmount *selinuxfs_mount;
2002 extern struct dentry *selinux_null;
2004 /* Derived from fs/exec.c:flush_old_files. */
2005 static inline void flush_unauthorized_files(struct files_struct * files)
2007 struct avc_audit_data ad;
2008 struct file *file, *devnull = NULL;
2009 struct tty_struct *tty;
2010 struct fdtable *fdt;
2014 mutex_lock(&tty_mutex);
2015 tty = get_current_tty();
2018 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2020 /* Revalidate access to controlling tty.
2021 Use inode_has_perm on the tty inode directly rather
2022 than using file_has_perm, as this particular open
2023 file may belong to another process and we are only
2024 interested in the inode-based check here. */
2025 struct inode *inode = file->f_path.dentry->d_inode;
2026 if (inode_has_perm(current, inode,
2027 FILE__READ | FILE__WRITE, NULL)) {
2033 mutex_unlock(&tty_mutex);
2034 /* Reset controlling tty. */
2038 /* Revalidate access to inherited open files. */
2040 AVC_AUDIT_DATA_INIT(&ad,FS);
2042 spin_lock(&files->file_lock);
2044 unsigned long set, i;
2049 fdt = files_fdtable(files);
2050 if (i >= fdt->max_fds)
2052 set = fdt->open_fds->fds_bits[j];
2055 spin_unlock(&files->file_lock);
2056 for ( ; set ; i++,set >>= 1) {
2061 if (file_has_perm(current,
2063 file_to_av(file))) {
2065 fd = get_unused_fd();
2075 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2076 if (IS_ERR(devnull)) {
2083 fd_install(fd, devnull);
2088 spin_lock(&files->file_lock);
2091 spin_unlock(&files->file_lock);
2094 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2096 struct task_security_struct *tsec;
2097 struct bprm_security_struct *bsec;
2101 secondary_ops->bprm_apply_creds(bprm, unsafe);
2103 tsec = current->security;
2105 bsec = bprm->security;
2108 tsec->osid = tsec->sid;
2110 if (tsec->sid != sid) {
2111 /* Check for shared state. If not ok, leave SID
2112 unchanged and kill. */
2113 if (unsafe & LSM_UNSAFE_SHARE) {
2114 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2115 PROCESS__SHARE, NULL);
2122 /* Check for ptracing, and update the task SID if ok.
2123 Otherwise, leave SID unchanged and kill. */
2124 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2125 rc = avc_has_perm(tsec->ptrace_sid, sid,
2126 SECCLASS_PROCESS, PROCESS__PTRACE,
2138 * called after apply_creds without the task lock held
2140 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2142 struct task_security_struct *tsec;
2143 struct rlimit *rlim, *initrlim;
2144 struct itimerval itimer;
2145 struct bprm_security_struct *bsec;
2148 tsec = current->security;
2149 bsec = bprm->security;
2152 force_sig_specific(SIGKILL, current);
2155 if (tsec->osid == tsec->sid)
2158 /* Close files for which the new task SID is not authorized. */
2159 flush_unauthorized_files(current->files);
2161 /* Check whether the new SID can inherit signal state
2162 from the old SID. If not, clear itimers to avoid
2163 subsequent signal generation and flush and unblock
2164 signals. This must occur _after_ the task SID has
2165 been updated so that any kill done after the flush
2166 will be checked against the new SID. */
2167 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2168 PROCESS__SIGINH, NULL);
2170 memset(&itimer, 0, sizeof itimer);
2171 for (i = 0; i < 3; i++)
2172 do_setitimer(i, &itimer, NULL);
2173 flush_signals(current);
2174 spin_lock_irq(¤t->sighand->siglock);
2175 flush_signal_handlers(current, 1);
2176 sigemptyset(¤t->blocked);
2177 recalc_sigpending();
2178 spin_unlock_irq(¤t->sighand->siglock);
2181 /* Always clear parent death signal on SID transitions. */
2182 current->pdeath_signal = 0;
2184 /* Check whether the new SID can inherit resource limits
2185 from the old SID. If not, reset all soft limits to
2186 the lower of the current task's hard limit and the init
2187 task's soft limit. Note that the setting of hard limits
2188 (even to lower them) can be controlled by the setrlimit
2189 check. The inclusion of the init task's soft limit into
2190 the computation is to avoid resetting soft limits higher
2191 than the default soft limit for cases where the default
2192 is lower than the hard limit, e.g. RLIMIT_CORE or
2194 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2195 PROCESS__RLIMITINH, NULL);
2197 for (i = 0; i < RLIM_NLIMITS; i++) {
2198 rlim = current->signal->rlim + i;
2199 initrlim = init_task.signal->rlim+i;
2200 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2202 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2204 * This will cause RLIMIT_CPU calculations
2207 current->it_prof_expires = jiffies_to_cputime(1);
2211 /* Wake up the parent if it is waiting so that it can
2212 recheck wait permission to the new task SID. */
2213 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
2216 /* superblock security operations */
2218 static int selinux_sb_alloc_security(struct super_block *sb)
2220 return superblock_alloc_security(sb);
2223 static void selinux_sb_free_security(struct super_block *sb)
2225 superblock_free_security(sb);
2228 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2233 return !memcmp(prefix, option, plen);
2236 static inline int selinux_option(char *option, int len)
2238 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2239 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
2240 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2241 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
2244 static inline void take_option(char **to, char *from, int *first, int len)
2251 memcpy(*to, from, len);
2255 static inline void take_selinux_option(char **to, char *from, int *first,
2258 int current_size = 0;
2267 while (current_size < len) {
2277 static int selinux_sb_copy_data(char *orig, char *copy)
2279 int fnosec, fsec, rc = 0;
2280 char *in_save, *in_curr, *in_end;
2281 char *sec_curr, *nosec_save, *nosec;
2287 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2295 in_save = in_end = orig;
2299 open_quote = !open_quote;
2300 if ((*in_end == ',' && open_quote == 0) ||
2302 int len = in_end - in_curr;
2304 if (selinux_option(in_curr, len))
2305 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2307 take_option(&nosec, in_curr, &fnosec, len);
2309 in_curr = in_end + 1;
2311 } while (*in_end++);
2313 strcpy(in_save, nosec_save);
2314 free_page((unsigned long)nosec_save);
2319 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2321 struct avc_audit_data ad;
2324 rc = superblock_doinit(sb, data);
2328 AVC_AUDIT_DATA_INIT(&ad,FS);
2329 ad.u.fs.path.dentry = sb->s_root;
2330 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2333 static int selinux_sb_statfs(struct dentry *dentry)
2335 struct avc_audit_data ad;
2337 AVC_AUDIT_DATA_INIT(&ad,FS);
2338 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2339 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2342 static int selinux_mount(char * dev_name,
2343 struct nameidata *nd,
2345 unsigned long flags,
2350 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2354 if (flags & MS_REMOUNT)
2355 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2356 FILESYSTEM__REMOUNT, NULL);
2358 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2362 static int selinux_umount(struct vfsmount *mnt, int flags)
2366 rc = secondary_ops->sb_umount(mnt, flags);
2370 return superblock_has_perm(current,mnt->mnt_sb,
2371 FILESYSTEM__UNMOUNT,NULL);
2374 /* inode security operations */
2376 static int selinux_inode_alloc_security(struct inode *inode)
2378 return inode_alloc_security(inode);
2381 static void selinux_inode_free_security(struct inode *inode)
2383 inode_free_security(inode);
2386 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2387 char **name, void **value,
2390 struct task_security_struct *tsec;
2391 struct inode_security_struct *dsec;
2392 struct superblock_security_struct *sbsec;
2395 char *namep = NULL, *context;
2397 tsec = current->security;
2398 dsec = dir->i_security;
2399 sbsec = dir->i_sb->s_security;
2401 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2402 newsid = tsec->create_sid;
2404 rc = security_transition_sid(tsec->sid, dsec->sid,
2405 inode_mode_to_security_class(inode->i_mode),
2408 printk(KERN_WARNING "%s: "
2409 "security_transition_sid failed, rc=%d (dev=%s "
2412 -rc, inode->i_sb->s_id, inode->i_ino);
2417 /* Possibly defer initialization to selinux_complete_init. */
2418 if (sbsec->initialized) {
2419 struct inode_security_struct *isec = inode->i_security;
2420 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2422 isec->initialized = 1;
2425 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2429 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2436 rc = security_sid_to_context(newsid, &context, &clen);
2448 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2450 return may_create(dir, dentry, SECCLASS_FILE);
2453 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2457 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2460 return may_link(dir, old_dentry, MAY_LINK);
2463 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2467 rc = secondary_ops->inode_unlink(dir, dentry);
2470 return may_link(dir, dentry, MAY_UNLINK);
2473 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2475 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2478 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2480 return may_create(dir, dentry, SECCLASS_DIR);
2483 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2485 return may_link(dir, dentry, MAY_RMDIR);
2488 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2492 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2496 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2499 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2500 struct inode *new_inode, struct dentry *new_dentry)
2502 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2505 static int selinux_inode_readlink(struct dentry *dentry)
2507 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2510 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2514 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2517 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2520 static int selinux_inode_permission(struct inode *inode, int mask,
2521 struct nameidata *nd)
2525 rc = secondary_ops->inode_permission(inode, mask, nd);
2530 /* No permission to check. Existence test. */
2534 return inode_has_perm(current, inode,
2535 file_mask_to_av(inode->i_mode, mask), NULL);
2538 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2542 rc = secondary_ops->inode_setattr(dentry, iattr);
2546 if (iattr->ia_valid & ATTR_FORCE)
2549 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2550 ATTR_ATIME_SET | ATTR_MTIME_SET))
2551 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2553 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2556 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2558 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2561 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2563 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2564 sizeof XATTR_SECURITY_PREFIX - 1)) {
2565 if (!strcmp(name, XATTR_NAME_CAPS)) {
2566 if (!capable(CAP_SETFCAP))
2568 } else if (!capable(CAP_SYS_ADMIN)) {
2569 /* A different attribute in the security namespace.
2570 Restrict to administrator. */
2575 /* Not an attribute we recognize, so just check the
2576 ordinary setattr permission. */
2577 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2580 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2582 struct task_security_struct *tsec = current->security;
2583 struct inode *inode = dentry->d_inode;
2584 struct inode_security_struct *isec = inode->i_security;
2585 struct superblock_security_struct *sbsec;
2586 struct avc_audit_data ad;
2590 if (strcmp(name, XATTR_NAME_SELINUX))
2591 return selinux_inode_setotherxattr(dentry, name);
2593 sbsec = inode->i_sb->s_security;
2594 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2597 if (!is_owner_or_cap(inode))
2600 AVC_AUDIT_DATA_INIT(&ad,FS);
2601 ad.u.fs.path.dentry = dentry;
2603 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2604 FILE__RELABELFROM, &ad);
2608 rc = security_context_to_sid(value, size, &newsid);
2612 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2613 FILE__RELABELTO, &ad);
2617 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2622 return avc_has_perm(newsid,
2624 SECCLASS_FILESYSTEM,
2625 FILESYSTEM__ASSOCIATE,
2629 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2630 void *value, size_t size, int flags)
2632 struct inode *inode = dentry->d_inode;
2633 struct inode_security_struct *isec = inode->i_security;
2637 if (strcmp(name, XATTR_NAME_SELINUX)) {
2638 /* Not an attribute we recognize, so nothing to do. */
2642 rc = security_context_to_sid(value, size, &newsid);
2644 printk(KERN_WARNING "%s: unable to obtain SID for context "
2645 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2653 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2655 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2658 static int selinux_inode_listxattr (struct dentry *dentry)
2660 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2663 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2665 if (strcmp(name, XATTR_NAME_SELINUX))
2666 return selinux_inode_setotherxattr(dentry, name);
2668 /* No one is allowed to remove a SELinux security label.
2669 You can change the label, but all data must be labeled. */
2674 * Copy the in-core inode security context value to the user. If the
2675 * getxattr() prior to this succeeded, check to see if we need to
2676 * canonicalize the value to be finally returned to the user.
2678 * Permission check is handled by selinux_inode_getxattr hook.
2680 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2684 char *context = NULL;
2685 struct inode_security_struct *isec = inode->i_security;
2687 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2690 error = security_sid_to_context(isec->sid, &context, &size);
2703 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2704 const void *value, size_t size, int flags)
2706 struct inode_security_struct *isec = inode->i_security;
2710 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2713 if (!value || !size)
2716 rc = security_context_to_sid((void*)value, size, &newsid);
2724 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2726 const int len = sizeof(XATTR_NAME_SELINUX);
2727 if (buffer && len <= buffer_size)
2728 memcpy(buffer, XATTR_NAME_SELINUX, len);
2732 static int selinux_inode_need_killpriv(struct dentry *dentry)
2734 return secondary_ops->inode_need_killpriv(dentry);
2737 static int selinux_inode_killpriv(struct dentry *dentry)
2739 return secondary_ops->inode_killpriv(dentry);
2742 /* file security operations */
2744 static int selinux_revalidate_file_permission(struct file *file, int mask)
2747 struct inode *inode = file->f_path.dentry->d_inode;
2750 /* No permission to check. Existence test. */
2754 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2755 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2758 rc = file_has_perm(current, file,
2759 file_mask_to_av(inode->i_mode, mask));
2763 return selinux_netlbl_inode_permission(inode, mask);
2766 static int selinux_file_permission(struct file *file, int mask)
2768 struct inode *inode = file->f_path.dentry->d_inode;
2769 struct task_security_struct *tsec = current->security;
2770 struct file_security_struct *fsec = file->f_security;
2771 struct inode_security_struct *isec = inode->i_security;
2774 /* No permission to check. Existence test. */
2778 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2779 && fsec->pseqno == avc_policy_seqno())
2780 return selinux_netlbl_inode_permission(inode, mask);
2782 return selinux_revalidate_file_permission(file, mask);
2785 static int selinux_file_alloc_security(struct file *file)
2787 return file_alloc_security(file);
2790 static void selinux_file_free_security(struct file *file)
2792 file_free_security(file);
2795 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2807 case EXT2_IOC_GETFLAGS:
2809 case EXT2_IOC_GETVERSION:
2810 error = file_has_perm(current, file, FILE__GETATTR);
2813 case EXT2_IOC_SETFLAGS:
2815 case EXT2_IOC_SETVERSION:
2816 error = file_has_perm(current, file, FILE__SETATTR);
2819 /* sys_ioctl() checks */
2823 error = file_has_perm(current, file, 0);
2828 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2831 /* default case assumes that the command will go
2832 * to the file's ioctl() function.
2835 error = file_has_perm(current, file, FILE__IOCTL);
2841 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2843 #ifndef CONFIG_PPC32
2844 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2846 * We are making executable an anonymous mapping or a
2847 * private file mapping that will also be writable.
2848 * This has an additional check.
2850 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2857 /* read access is always possible with a mapping */
2858 u32 av = FILE__READ;
2860 /* write access only matters if the mapping is shared */
2861 if (shared && (prot & PROT_WRITE))
2864 if (prot & PROT_EXEC)
2865 av |= FILE__EXECUTE;
2867 return file_has_perm(current, file, av);
2872 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2873 unsigned long prot, unsigned long flags,
2874 unsigned long addr, unsigned long addr_only)
2877 u32 sid = ((struct task_security_struct*)(current->security))->sid;
2879 if (addr < mmap_min_addr)
2880 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2881 MEMPROTECT__MMAP_ZERO, NULL);
2882 if (rc || addr_only)
2885 if (selinux_checkreqprot)
2888 return file_map_prot_check(file, prot,
2889 (flags & MAP_TYPE) == MAP_SHARED);
2892 static int selinux_file_mprotect(struct vm_area_struct *vma,
2893 unsigned long reqprot,
2898 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2902 if (selinux_checkreqprot)
2905 #ifndef CONFIG_PPC32
2906 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2908 if (vma->vm_start >= vma->vm_mm->start_brk &&
2909 vma->vm_end <= vma->vm_mm->brk) {
2910 rc = task_has_perm(current, current,
2912 } else if (!vma->vm_file &&
2913 vma->vm_start <= vma->vm_mm->start_stack &&
2914 vma->vm_end >= vma->vm_mm->start_stack) {
2915 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2916 } else if (vma->vm_file && vma->anon_vma) {
2918 * We are making executable a file mapping that has
2919 * had some COW done. Since pages might have been
2920 * written, check ability to execute the possibly
2921 * modified content. This typically should only
2922 * occur for text relocations.
2924 rc = file_has_perm(current, vma->vm_file,
2932 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2935 static int selinux_file_lock(struct file *file, unsigned int cmd)
2937 return file_has_perm(current, file, FILE__LOCK);
2940 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2947 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2952 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2953 err = file_has_perm(current, file,FILE__WRITE);
2962 /* Just check FD__USE permission */
2963 err = file_has_perm(current, file, 0);
2968 #if BITS_PER_LONG == 32
2973 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2977 err = file_has_perm(current, file, FILE__LOCK);
2984 static int selinux_file_set_fowner(struct file *file)
2986 struct task_security_struct *tsec;
2987 struct file_security_struct *fsec;
2989 tsec = current->security;
2990 fsec = file->f_security;
2991 fsec->fown_sid = tsec->sid;
2996 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2997 struct fown_struct *fown, int signum)
3001 struct task_security_struct *tsec;
3002 struct file_security_struct *fsec;
3004 /* struct fown_struct is never outside the context of a struct file */
3005 file = container_of(fown, struct file, f_owner);
3007 tsec = tsk->security;
3008 fsec = file->f_security;
3011 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3013 perm = signal_to_av(signum);
3015 return avc_has_perm(fsec->fown_sid, tsec->sid,
3016 SECCLASS_PROCESS, perm, NULL);
3019 static int selinux_file_receive(struct file *file)
3021 return file_has_perm(current, file, file_to_av(file));
3024 static int selinux_dentry_open(struct file *file)
3026 struct file_security_struct *fsec;
3027 struct inode *inode;
3028 struct inode_security_struct *isec;
3029 inode = file->f_path.dentry->d_inode;
3030 fsec = file->f_security;
3031 isec = inode->i_security;
3033 * Save inode label and policy sequence number
3034 * at open-time so that selinux_file_permission
3035 * can determine whether revalidation is necessary.
3036 * Task label is already saved in the file security
3037 * struct as its SID.
3039 fsec->isid = isec->sid;
3040 fsec->pseqno = avc_policy_seqno();
3042 * Since the inode label or policy seqno may have changed
3043 * between the selinux_inode_permission check and the saving
3044 * of state above, recheck that access is still permitted.
3045 * Otherwise, access might never be revalidated against the
3046 * new inode label or new policy.
3047 * This check is not redundant - do not remove.
3049 return inode_has_perm(current, inode, file_to_av(file), NULL);
3052 /* task security operations */
3054 static int selinux_task_create(unsigned long clone_flags)
3058 rc = secondary_ops->task_create(clone_flags);
3062 return task_has_perm(current, current, PROCESS__FORK);
3065 static int selinux_task_alloc_security(struct task_struct *tsk)
3067 struct task_security_struct *tsec1, *tsec2;
3070 tsec1 = current->security;
3072 rc = task_alloc_security(tsk);
3075 tsec2 = tsk->security;
3077 tsec2->osid = tsec1->osid;
3078 tsec2->sid = tsec1->sid;
3080 /* Retain the exec, fs, key, and sock SIDs across fork */
3081 tsec2->exec_sid = tsec1->exec_sid;
3082 tsec2->create_sid = tsec1->create_sid;
3083 tsec2->keycreate_sid = tsec1->keycreate_sid;
3084 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3086 /* Retain ptracer SID across fork, if any.
3087 This will be reset by the ptrace hook upon any
3088 subsequent ptrace_attach operations. */
3089 tsec2->ptrace_sid = tsec1->ptrace_sid;
3094 static void selinux_task_free_security(struct task_struct *tsk)
3096 task_free_security(tsk);
3099 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3101 /* Since setuid only affects the current process, and
3102 since the SELinux controls are not based on the Linux
3103 identity attributes, SELinux does not need to control
3104 this operation. However, SELinux does control the use
3105 of the CAP_SETUID and CAP_SETGID capabilities using the
3110 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3112 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3115 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3117 /* See the comment for setuid above. */
3121 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3123 return task_has_perm(current, p, PROCESS__SETPGID);
3126 static int selinux_task_getpgid(struct task_struct *p)
3128 return task_has_perm(current, p, PROCESS__GETPGID);
3131 static int selinux_task_getsid(struct task_struct *p)
3133 return task_has_perm(current, p, PROCESS__GETSESSION);
3136 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3138 selinux_get_task_sid(p, secid);
3141 static int selinux_task_setgroups(struct group_info *group_info)
3143 /* See the comment for setuid above. */
3147 static int selinux_task_setnice(struct task_struct *p, int nice)
3151 rc = secondary_ops->task_setnice(p, nice);
3155 return task_has_perm(current,p, PROCESS__SETSCHED);
3158 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3162 rc = secondary_ops->task_setioprio(p, ioprio);
3166 return task_has_perm(current, p, PROCESS__SETSCHED);
3169 static int selinux_task_getioprio(struct task_struct *p)
3171 return task_has_perm(current, p, PROCESS__GETSCHED);
3174 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3176 struct rlimit *old_rlim = current->signal->rlim + resource;
3179 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3183 /* Control the ability to change the hard limit (whether
3184 lowering or raising it), so that the hard limit can
3185 later be used as a safe reset point for the soft limit
3186 upon context transitions. See selinux_bprm_apply_creds. */
3187 if (old_rlim->rlim_max != new_rlim->rlim_max)
3188 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3193 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3197 rc = secondary_ops->task_setscheduler(p, policy, lp);
3201 return task_has_perm(current, p, PROCESS__SETSCHED);
3204 static int selinux_task_getscheduler(struct task_struct *p)
3206 return task_has_perm(current, p, PROCESS__GETSCHED);
3209 static int selinux_task_movememory(struct task_struct *p)
3211 return task_has_perm(current, p, PROCESS__SETSCHED);
3214 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3219 struct task_security_struct *tsec;
3221 rc = secondary_ops->task_kill(p, info, sig, secid);
3225 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3229 perm = PROCESS__SIGNULL; /* null signal; existence test */
3231 perm = signal_to_av(sig);
3234 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3236 rc = task_has_perm(current, p, perm);
3240 static int selinux_task_prctl(int option,
3246 /* The current prctl operations do not appear to require
3247 any SELinux controls since they merely observe or modify
3248 the state of the current process. */
3252 static int selinux_task_wait(struct task_struct *p)
3254 return task_has_perm(p, current, PROCESS__SIGCHLD);
3257 static void selinux_task_reparent_to_init(struct task_struct *p)
3259 struct task_security_struct *tsec;
3261 secondary_ops->task_reparent_to_init(p);
3264 tsec->osid = tsec->sid;
3265 tsec->sid = SECINITSID_KERNEL;
3269 static void selinux_task_to_inode(struct task_struct *p,
3270 struct inode *inode)
3272 struct task_security_struct *tsec = p->security;
3273 struct inode_security_struct *isec = inode->i_security;
3275 isec->sid = tsec->sid;
3276 isec->initialized = 1;
3280 /* Returns error only if unable to parse addresses */
3281 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3282 struct avc_audit_data *ad, u8 *proto)
3284 int offset, ihlen, ret = -EINVAL;
3285 struct iphdr _iph, *ih;
3287 offset = skb_network_offset(skb);
3288 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3292 ihlen = ih->ihl * 4;
3293 if (ihlen < sizeof(_iph))
3296 ad->u.net.v4info.saddr = ih->saddr;
3297 ad->u.net.v4info.daddr = ih->daddr;
3301 *proto = ih->protocol;
3303 switch (ih->protocol) {
3305 struct tcphdr _tcph, *th;
3307 if (ntohs(ih->frag_off) & IP_OFFSET)
3311 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3315 ad->u.net.sport = th->source;
3316 ad->u.net.dport = th->dest;
3321 struct udphdr _udph, *uh;
3323 if (ntohs(ih->frag_off) & IP_OFFSET)
3327 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3331 ad->u.net.sport = uh->source;
3332 ad->u.net.dport = uh->dest;
3336 case IPPROTO_DCCP: {
3337 struct dccp_hdr _dccph, *dh;
3339 if (ntohs(ih->frag_off) & IP_OFFSET)
3343 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3347 ad->u.net.sport = dh->dccph_sport;
3348 ad->u.net.dport = dh->dccph_dport;
3359 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3361 /* Returns error only if unable to parse addresses */
3362 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3363 struct avc_audit_data *ad, u8 *proto)
3366 int ret = -EINVAL, offset;
3367 struct ipv6hdr _ipv6h, *ip6;
3369 offset = skb_network_offset(skb);
3370 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3374 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3375 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3378 nexthdr = ip6->nexthdr;
3379 offset += sizeof(_ipv6h);
3380 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3389 struct tcphdr _tcph, *th;
3391 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3395 ad->u.net.sport = th->source;
3396 ad->u.net.dport = th->dest;
3401 struct udphdr _udph, *uh;
3403 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3407 ad->u.net.sport = uh->source;
3408 ad->u.net.dport = uh->dest;
3412 case IPPROTO_DCCP: {
3413 struct dccp_hdr _dccph, *dh;
3415 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3419 ad->u.net.sport = dh->dccph_sport;
3420 ad->u.net.dport = dh->dccph_dport;
3424 /* includes fragments */
3434 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3435 char **addrp, int src, u8 *proto)
3439 switch (ad->u.net.family) {
3441 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3444 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3445 &ad->u.net.v4info.daddr);
3448 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3450 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3453 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3454 &ad->u.net.v6info.daddr);
3463 "SELinux: failure in selinux_parse_skb(),"
3464 " unable to parse packet\n");
3470 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3472 * @family: protocol family
3473 * @sid: the packet's peer label SID
3476 * Check the various different forms of network peer labeling and determine
3477 * the peer label/SID for the packet; most of the magic actually occurs in
3478 * the security server function security_net_peersid_cmp(). The function
3479 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3480 * or -EACCES if @sid is invalid due to inconsistencies with the different
3484 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3491 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3492 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3494 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3495 if (unlikely(err)) {
3497 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3498 " unable to determine packet's peer label\n");
3505 /* socket security operations */
3506 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3509 struct inode_security_struct *isec;
3510 struct task_security_struct *tsec;
3511 struct avc_audit_data ad;
3514 tsec = task->security;
3515 isec = SOCK_INODE(sock)->i_security;
3517 if (isec->sid == SECINITSID_KERNEL)
3520 AVC_AUDIT_DATA_INIT(&ad,NET);
3521 ad.u.net.sk = sock->sk;
3522 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3528 static int selinux_socket_create(int family, int type,
3529 int protocol, int kern)
3532 struct task_security_struct *tsec;
3538 tsec = current->security;
3539 newsid = tsec->sockcreate_sid ? : tsec->sid;
3540 err = avc_has_perm(tsec->sid, newsid,
3541 socket_type_to_security_class(family, type,
3542 protocol), SOCKET__CREATE, NULL);
3548 static int selinux_socket_post_create(struct socket *sock, int family,
3549 int type, int protocol, int kern)
3552 struct inode_security_struct *isec;
3553 struct task_security_struct *tsec;
3554 struct sk_security_struct *sksec;
3557 isec = SOCK_INODE(sock)->i_security;
3559 tsec = current->security;
3560 newsid = tsec->sockcreate_sid ? : tsec->sid;
3561 isec->sclass = socket_type_to_security_class(family, type, protocol);
3562 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3563 isec->initialized = 1;
3566 sksec = sock->sk->sk_security;
3567 sksec->sid = isec->sid;
3568 sksec->sclass = isec->sclass;
3569 err = selinux_netlbl_socket_post_create(sock);
3575 /* Range of port numbers used to automatically bind.
3576 Need to determine whether we should perform a name_bind
3577 permission check between the socket and the port number. */
3579 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3584 err = socket_has_perm(current, sock, SOCKET__BIND);
3589 * If PF_INET or PF_INET6, check name_bind permission for the port.
3590 * Multiple address binding for SCTP is not supported yet: we just
3591 * check the first address now.
3593 family = sock->sk->sk_family;
3594 if (family == PF_INET || family == PF_INET6) {
3596 struct inode_security_struct *isec;
3597 struct task_security_struct *tsec;
3598 struct avc_audit_data ad;
3599 struct sockaddr_in *addr4 = NULL;
3600 struct sockaddr_in6 *addr6 = NULL;
3601 unsigned short snum;
3602 struct sock *sk = sock->sk;
3603 u32 sid, node_perm, addrlen;
3605 tsec = current->security;
3606 isec = SOCK_INODE(sock)->i_security;
3608 if (family == PF_INET) {
3609 addr4 = (struct sockaddr_in *)address;
3610 snum = ntohs(addr4->sin_port);
3611 addrlen = sizeof(addr4->sin_addr.s_addr);
3612 addrp = (char *)&addr4->sin_addr.s_addr;
3614 addr6 = (struct sockaddr_in6 *)address;
3615 snum = ntohs(addr6->sin6_port);
3616 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3617 addrp = (char *)&addr6->sin6_addr.s6_addr;
3623 inet_get_local_port_range(&low, &high);
3625 if (snum < max(PROT_SOCK, low) || snum > high) {
3626 err = security_port_sid(sk->sk_family,
3628 sk->sk_protocol, snum,
3632 AVC_AUDIT_DATA_INIT(&ad,NET);
3633 ad.u.net.sport = htons(snum);
3634 ad.u.net.family = family;
3635 err = avc_has_perm(isec->sid, sid,
3637 SOCKET__NAME_BIND, &ad);
3643 switch(isec->sclass) {
3644 case SECCLASS_TCP_SOCKET:
3645 node_perm = TCP_SOCKET__NODE_BIND;
3648 case SECCLASS_UDP_SOCKET:
3649 node_perm = UDP_SOCKET__NODE_BIND;
3652 case SECCLASS_DCCP_SOCKET:
3653 node_perm = DCCP_SOCKET__NODE_BIND;
3657 node_perm = RAWIP_SOCKET__NODE_BIND;
3661 err = sel_netnode_sid(addrp, family, &sid);
3665 AVC_AUDIT_DATA_INIT(&ad,NET);
3666 ad.u.net.sport = htons(snum);
3667 ad.u.net.family = family;
3669 if (family == PF_INET)
3670 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3672 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3674 err = avc_has_perm(isec->sid, sid,
3675 isec->sclass, node_perm, &ad);
3683 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3685 struct inode_security_struct *isec;
3688 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3693 * If a TCP or DCCP socket, check name_connect permission for the port.
3695 isec = SOCK_INODE(sock)->i_security;
3696 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3697 isec->sclass == SECCLASS_DCCP_SOCKET) {
3698 struct sock *sk = sock->sk;
3699 struct avc_audit_data ad;
3700 struct sockaddr_in *addr4 = NULL;
3701 struct sockaddr_in6 *addr6 = NULL;
3702 unsigned short snum;
3705 if (sk->sk_family == PF_INET) {
3706 addr4 = (struct sockaddr_in *)address;
3707 if (addrlen < sizeof(struct sockaddr_in))
3709 snum = ntohs(addr4->sin_port);
3711 addr6 = (struct sockaddr_in6 *)address;
3712 if (addrlen < SIN6_LEN_RFC2133)
3714 snum = ntohs(addr6->sin6_port);
3717 err = security_port_sid(sk->sk_family, sk->sk_type,
3718 sk->sk_protocol, snum, &sid);
3722 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3723 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3725 AVC_AUDIT_DATA_INIT(&ad,NET);
3726 ad.u.net.dport = htons(snum);
3727 ad.u.net.family = sk->sk_family;
3728 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3737 static int selinux_socket_listen(struct socket *sock, int backlog)
3739 return socket_has_perm(current, sock, SOCKET__LISTEN);
3742 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3745 struct inode_security_struct *isec;
3746 struct inode_security_struct *newisec;
3748 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3752 newisec = SOCK_INODE(newsock)->i_security;
3754 isec = SOCK_INODE(sock)->i_security;
3755 newisec->sclass = isec->sclass;
3756 newisec->sid = isec->sid;
3757 newisec->initialized = 1;
3762 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3767 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3771 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3774 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3775 int size, int flags)
3777 return socket_has_perm(current, sock, SOCKET__READ);
3780 static int selinux_socket_getsockname(struct socket *sock)
3782 return socket_has_perm(current, sock, SOCKET__GETATTR);
3785 static int selinux_socket_getpeername(struct socket *sock)
3787 return socket_has_perm(current, sock, SOCKET__GETATTR);
3790 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3794 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3798 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3801 static int selinux_socket_getsockopt(struct socket *sock, int level,
3804 return socket_has_perm(current, sock, SOCKET__GETOPT);
3807 static int selinux_socket_shutdown(struct socket *sock, int how)
3809 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3812 static int selinux_socket_unix_stream_connect(struct socket *sock,
3813 struct socket *other,
3816 struct sk_security_struct *ssec;
3817 struct inode_security_struct *isec;
3818 struct inode_security_struct *other_isec;
3819 struct avc_audit_data ad;
3822 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3826 isec = SOCK_INODE(sock)->i_security;
3827 other_isec = SOCK_INODE(other)->i_security;
3829 AVC_AUDIT_DATA_INIT(&ad,NET);
3830 ad.u.net.sk = other->sk;
3832 err = avc_has_perm(isec->sid, other_isec->sid,
3834 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3838 /* connecting socket */
3839 ssec = sock->sk->sk_security;
3840 ssec->peer_sid = other_isec->sid;
3842 /* server child socket */
3843 ssec = newsk->sk_security;
3844 ssec->peer_sid = isec->sid;
3845 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3850 static int selinux_socket_unix_may_send(struct socket *sock,
3851 struct socket *other)
3853 struct inode_security_struct *isec;
3854 struct inode_security_struct *other_isec;
3855 struct avc_audit_data ad;
3858 isec = SOCK_INODE(sock)->i_security;
3859 other_isec = SOCK_INODE(other)->i_security;
3861 AVC_AUDIT_DATA_INIT(&ad,NET);
3862 ad.u.net.sk = other->sk;
3864 err = avc_has_perm(isec->sid, other_isec->sid,
3865 isec->sclass, SOCKET__SENDTO, &ad);
3872 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3874 struct avc_audit_data *ad)
3880 err = sel_netif_sid(ifindex, &if_sid);
3883 err = avc_has_perm(peer_sid, if_sid,
3884 SECCLASS_NETIF, NETIF__INGRESS, ad);
3888 err = sel_netnode_sid(addrp, family, &node_sid);
3891 return avc_has_perm(peer_sid, node_sid,
3892 SECCLASS_NODE, NODE__RECVFROM, ad);
3895 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3896 struct sk_buff *skb,
3897 struct avc_audit_data *ad,
3902 struct sk_security_struct *sksec = sk->sk_security;
3904 u32 netif_perm, node_perm, recv_perm;
3905 u32 port_sid, node_sid, if_sid, sk_sid;
3907 sk_sid = sksec->sid;
3908 sk_class = sksec->sclass;
3911 case SECCLASS_UDP_SOCKET:
3912 netif_perm = NETIF__UDP_RECV;
3913 node_perm = NODE__UDP_RECV;
3914 recv_perm = UDP_SOCKET__RECV_MSG;
3916 case SECCLASS_TCP_SOCKET:
3917 netif_perm = NETIF__TCP_RECV;
3918 node_perm = NODE__TCP_RECV;
3919 recv_perm = TCP_SOCKET__RECV_MSG;
3921 case SECCLASS_DCCP_SOCKET:
3922 netif_perm = NETIF__DCCP_RECV;
3923 node_perm = NODE__DCCP_RECV;
3924 recv_perm = DCCP_SOCKET__RECV_MSG;
3927 netif_perm = NETIF__RAWIP_RECV;
3928 node_perm = NODE__RAWIP_RECV;
3933 err = sel_netif_sid(skb->iif, &if_sid);
3936 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3940 err = sel_netnode_sid(addrp, family, &node_sid);
3943 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3949 err = security_port_sid(sk->sk_family, sk->sk_type,
3950 sk->sk_protocol, ntohs(ad->u.net.sport),
3952 if (unlikely(err)) {
3954 "SELinux: failure in"
3955 " selinux_sock_rcv_skb_iptables_compat(),"
3956 " network port label not found\n");
3959 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
3962 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3963 struct avc_audit_data *ad,
3964 u16 family, char *addrp)
3967 struct sk_security_struct *sksec = sk->sk_security;
3969 u32 sk_sid = sksec->sid;
3971 if (selinux_compat_net)
3972 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
3975 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
3980 if (selinux_policycap_netpeer) {
3981 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
3984 err = avc_has_perm(sk_sid, peer_sid,
3985 SECCLASS_PEER, PEER__RECV, ad);
3987 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
3990 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
3996 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3999 struct sk_security_struct *sksec = sk->sk_security;
4000 u16 family = sk->sk_family;
4001 u32 sk_sid = sksec->sid;
4002 struct avc_audit_data ad;
4005 if (family != PF_INET && family != PF_INET6)
4008 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4009 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4012 AVC_AUDIT_DATA_INIT(&ad, NET);
4013 ad.u.net.netif = skb->iif;
4014 ad.u.net.family = family;
4015 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4019 /* If any sort of compatibility mode is enabled then handoff processing
4020 * to the selinux_sock_rcv_skb_compat() function to deal with the
4021 * special handling. We do this in an attempt to keep this function
4022 * as fast and as clean as possible. */
4023 if (selinux_compat_net || !selinux_policycap_netpeer)
4024 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4027 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4030 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4033 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4037 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4041 if (selinux_secmark_enabled()) {
4042 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4051 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4052 int __user *optlen, unsigned len)
4057 struct sk_security_struct *ssec;
4058 struct inode_security_struct *isec;
4059 u32 peer_sid = SECSID_NULL;
4061 isec = SOCK_INODE(sock)->i_security;
4063 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4064 isec->sclass == SECCLASS_TCP_SOCKET) {
4065 ssec = sock->sk->sk_security;
4066 peer_sid = ssec->peer_sid;
4068 if (peer_sid == SECSID_NULL) {
4073 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4078 if (scontext_len > len) {
4083 if (copy_to_user(optval, scontext, scontext_len))
4087 if (put_user(scontext_len, optlen))
4095 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4097 u32 peer_secid = SECSID_NULL;
4101 family = sock->sk->sk_family;
4102 else if (skb && skb->sk)
4103 family = skb->sk->sk_family;
4107 if (sock && family == PF_UNIX)
4108 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4110 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4113 *secid = peer_secid;
4114 if (peer_secid == SECSID_NULL)
4119 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4121 return sk_alloc_security(sk, family, priority);
4124 static void selinux_sk_free_security(struct sock *sk)
4126 sk_free_security(sk);
4129 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4131 struct sk_security_struct *ssec = sk->sk_security;
4132 struct sk_security_struct *newssec = newsk->sk_security;
4134 newssec->sid = ssec->sid;
4135 newssec->peer_sid = ssec->peer_sid;
4136 newssec->sclass = ssec->sclass;
4138 selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4141 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4144 *secid = SECINITSID_ANY_SOCKET;
4146 struct sk_security_struct *sksec = sk->sk_security;
4148 *secid = sksec->sid;
4152 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4154 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4155 struct sk_security_struct *sksec = sk->sk_security;
4157 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4158 sk->sk_family == PF_UNIX)
4159 isec->sid = sksec->sid;
4160 sksec->sclass = isec->sclass;
4162 selinux_netlbl_sock_graft(sk, parent);
4165 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4166 struct request_sock *req)
4168 struct sk_security_struct *sksec = sk->sk_security;
4173 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4176 if (peersid == SECSID_NULL) {
4177 req->secid = sksec->sid;
4178 req->peer_secid = SECSID_NULL;
4182 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4186 req->secid = newsid;
4187 req->peer_secid = peersid;
4191 static void selinux_inet_csk_clone(struct sock *newsk,
4192 const struct request_sock *req)
4194 struct sk_security_struct *newsksec = newsk->sk_security;
4196 newsksec->sid = req->secid;
4197 newsksec->peer_sid = req->peer_secid;
4198 /* NOTE: Ideally, we should also get the isec->sid for the
4199 new socket in sync, but we don't have the isec available yet.
4200 So we will wait until sock_graft to do it, by which
4201 time it will have been created and available. */
4203 /* We don't need to take any sort of lock here as we are the only
4204 * thread with access to newsksec */
4205 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4208 static void selinux_inet_conn_established(struct sock *sk,
4209 struct sk_buff *skb)
4211 struct sk_security_struct *sksec = sk->sk_security;
4213 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4216 static void selinux_req_classify_flow(const struct request_sock *req,
4219 fl->secid = req->secid;
4222 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4226 struct nlmsghdr *nlh;
4227 struct socket *sock = sk->sk_socket;
4228 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4230 if (skb->len < NLMSG_SPACE(0)) {
4234 nlh = nlmsg_hdr(skb);
4236 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4238 if (err == -EINVAL) {
4239 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4240 "SELinux: unrecognized netlink message"
4241 " type=%hu for sclass=%hu\n",
4242 nlh->nlmsg_type, isec->sclass);
4243 if (!selinux_enforcing)
4253 err = socket_has_perm(current, sock, perm);
4258 #ifdef CONFIG_NETFILTER
4260 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4265 struct avc_audit_data ad;
4269 if (!selinux_policycap_netpeer)
4272 secmark_active = selinux_secmark_enabled();
4273 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4274 if (!secmark_active && !peerlbl_active)
4277 AVC_AUDIT_DATA_INIT(&ad, NET);
4278 ad.u.net.netif = ifindex;
4279 ad.u.net.family = family;
4280 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4283 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4287 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4288 peer_sid, &ad) != 0)
4292 if (avc_has_perm(peer_sid, skb->secmark,
4293 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4299 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4300 struct sk_buff *skb,
4301 const struct net_device *in,
4302 const struct net_device *out,
4303 int (*okfn)(struct sk_buff *))
4305 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4308 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4309 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4310 struct sk_buff *skb,
4311 const struct net_device *in,
4312 const struct net_device *out,
4313 int (*okfn)(struct sk_buff *))
4315 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4319 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4321 struct avc_audit_data *ad,
4322 u16 family, char *addrp)
4325 struct sk_security_struct *sksec = sk->sk_security;
4327 u32 netif_perm, node_perm, send_perm;
4328 u32 port_sid, node_sid, if_sid, sk_sid;
4330 sk_sid = sksec->sid;
4331 sk_class = sksec->sclass;
4334 case SECCLASS_UDP_SOCKET:
4335 netif_perm = NETIF__UDP_SEND;
4336 node_perm = NODE__UDP_SEND;
4337 send_perm = UDP_SOCKET__SEND_MSG;
4339 case SECCLASS_TCP_SOCKET:
4340 netif_perm = NETIF__TCP_SEND;
4341 node_perm = NODE__TCP_SEND;
4342 send_perm = TCP_SOCKET__SEND_MSG;
4344 case SECCLASS_DCCP_SOCKET:
4345 netif_perm = NETIF__DCCP_SEND;
4346 node_perm = NODE__DCCP_SEND;
4347 send_perm = DCCP_SOCKET__SEND_MSG;
4350 netif_perm = NETIF__RAWIP_SEND;
4351 node_perm = NODE__RAWIP_SEND;
4356 err = sel_netif_sid(ifindex, &if_sid);
4359 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4362 err = sel_netnode_sid(addrp, family, &node_sid);
4365 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4372 err = security_port_sid(sk->sk_family, sk->sk_type,
4373 sk->sk_protocol, ntohs(ad->u.net.dport),
4375 if (unlikely(err)) {
4377 "SELinux: failure in"
4378 " selinux_ip_postroute_iptables_compat(),"
4379 " network port label not found\n");
4382 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4385 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4387 struct avc_audit_data *ad,
4392 struct sock *sk = skb->sk;
4393 struct sk_security_struct *sksec;
4397 sksec = sk->sk_security;
4399 if (selinux_compat_net) {
4400 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4404 if (avc_has_perm(sksec->sid, skb->secmark,
4405 SECCLASS_PACKET, PACKET__SEND, ad))
4409 if (selinux_policycap_netpeer)
4410 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4416 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4422 struct avc_audit_data ad;
4428 AVC_AUDIT_DATA_INIT(&ad, NET);
4429 ad.u.net.netif = ifindex;
4430 ad.u.net.family = family;
4431 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4434 /* If any sort of compatibility mode is enabled then handoff processing
4435 * to the selinux_ip_postroute_compat() function to deal with the
4436 * special handling. We do this in an attempt to keep this function
4437 * as fast and as clean as possible. */
4438 if (selinux_compat_net || !selinux_policycap_netpeer)
4439 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4440 family, addrp, proto);
4442 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4443 * packet transformation so allow the packet to pass without any checks
4444 * since we'll have another chance to perform access control checks
4445 * when the packet is on it's final way out.
4446 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4447 * is NULL, in this case go ahead and apply access control. */
4448 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4451 secmark_active = selinux_secmark_enabled();
4452 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4453 if (!secmark_active && !peerlbl_active)
4456 /* if the packet is locally generated (skb->sk != NULL) then use the
4457 * socket's label as the peer label, otherwise the packet is being
4458 * forwarded through this system and we need to fetch the peer label
4459 * directly from the packet */
4462 struct sk_security_struct *sksec = sk->sk_security;
4463 peer_sid = sksec->sid;
4464 secmark_perm = PACKET__SEND;
4466 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4468 secmark_perm = PACKET__FORWARD_OUT;
4472 if (avc_has_perm(peer_sid, skb->secmark,
4473 SECCLASS_PACKET, secmark_perm, &ad))
4476 if (peerlbl_active) {
4480 if (sel_netif_sid(ifindex, &if_sid))
4482 if (avc_has_perm(peer_sid, if_sid,
4483 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4486 if (sel_netnode_sid(addrp, family, &node_sid))
4488 if (avc_has_perm(peer_sid, node_sid,
4489 SECCLASS_NODE, NODE__SENDTO, &ad))
4496 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4497 struct sk_buff *skb,
4498 const struct net_device *in,
4499 const struct net_device *out,
4500 int (*okfn)(struct sk_buff *))
4502 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4505 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4506 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4507 struct sk_buff *skb,
4508 const struct net_device *in,
4509 const struct net_device *out,
4510 int (*okfn)(struct sk_buff *))
4512 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4516 #endif /* CONFIG_NETFILTER */
4518 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4522 err = secondary_ops->netlink_send(sk, skb);
4526 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4527 err = selinux_nlmsg_perm(sk, skb);
4532 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4535 struct avc_audit_data ad;
4537 err = secondary_ops->netlink_recv(skb, capability);
4541 AVC_AUDIT_DATA_INIT(&ad, CAP);
4542 ad.u.cap = capability;
4544 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4545 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4548 static int ipc_alloc_security(struct task_struct *task,
4549 struct kern_ipc_perm *perm,
4552 struct task_security_struct *tsec = task->security;
4553 struct ipc_security_struct *isec;
4555 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4559 isec->sclass = sclass;
4560 isec->sid = tsec->sid;
4561 perm->security = isec;
4566 static void ipc_free_security(struct kern_ipc_perm *perm)
4568 struct ipc_security_struct *isec = perm->security;
4569 perm->security = NULL;
4573 static int msg_msg_alloc_security(struct msg_msg *msg)
4575 struct msg_security_struct *msec;
4577 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4581 msec->sid = SECINITSID_UNLABELED;
4582 msg->security = msec;
4587 static void msg_msg_free_security(struct msg_msg *msg)
4589 struct msg_security_struct *msec = msg->security;
4591 msg->security = NULL;
4595 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4598 struct task_security_struct *tsec;
4599 struct ipc_security_struct *isec;
4600 struct avc_audit_data ad;
4602 tsec = current->security;
4603 isec = ipc_perms->security;
4605 AVC_AUDIT_DATA_INIT(&ad, IPC);
4606 ad.u.ipc_id = ipc_perms->key;
4608 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4611 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4613 return msg_msg_alloc_security(msg);
4616 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4618 msg_msg_free_security(msg);
4621 /* message queue security operations */
4622 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4624 struct task_security_struct *tsec;
4625 struct ipc_security_struct *isec;
4626 struct avc_audit_data ad;
4629 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4633 tsec = current->security;
4634 isec = msq->q_perm.security;
4636 AVC_AUDIT_DATA_INIT(&ad, IPC);
4637 ad.u.ipc_id = msq->q_perm.key;
4639 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4642 ipc_free_security(&msq->q_perm);
4648 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4650 ipc_free_security(&msq->q_perm);
4653 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4655 struct task_security_struct *tsec;
4656 struct ipc_security_struct *isec;
4657 struct avc_audit_data ad;
4659 tsec = current->security;
4660 isec = msq->q_perm.security;
4662 AVC_AUDIT_DATA_INIT(&ad, IPC);
4663 ad.u.ipc_id = msq->q_perm.key;
4665 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4666 MSGQ__ASSOCIATE, &ad);
4669 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4677 /* No specific object, just general system-wide information. */
4678 return task_has_system(current, SYSTEM__IPC_INFO);
4681 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4684 perms = MSGQ__SETATTR;
4687 perms = MSGQ__DESTROY;
4693 err = ipc_has_perm(&msq->q_perm, perms);
4697 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4699 struct task_security_struct *tsec;
4700 struct ipc_security_struct *isec;
4701 struct msg_security_struct *msec;
4702 struct avc_audit_data ad;
4705 tsec = current->security;
4706 isec = msq->q_perm.security;
4707 msec = msg->security;
4710 * First time through, need to assign label to the message
4712 if (msec->sid == SECINITSID_UNLABELED) {
4714 * Compute new sid based on current process and
4715 * message queue this message will be stored in
4717 rc = security_transition_sid(tsec->sid,
4725 AVC_AUDIT_DATA_INIT(&ad, IPC);
4726 ad.u.ipc_id = msq->q_perm.key;
4728 /* Can this process write to the queue? */
4729 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4732 /* Can this process send the message */
4733 rc = avc_has_perm(tsec->sid, msec->sid,
4734 SECCLASS_MSG, MSG__SEND, &ad);
4736 /* Can the message be put in the queue? */
4737 rc = avc_has_perm(msec->sid, isec->sid,
4738 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4743 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4744 struct task_struct *target,
4745 long type, int mode)
4747 struct task_security_struct *tsec;
4748 struct ipc_security_struct *isec;
4749 struct msg_security_struct *msec;
4750 struct avc_audit_data ad;
4753 tsec = target->security;
4754 isec = msq->q_perm.security;
4755 msec = msg->security;
4757 AVC_AUDIT_DATA_INIT(&ad, IPC);
4758 ad.u.ipc_id = msq->q_perm.key;
4760 rc = avc_has_perm(tsec->sid, isec->sid,
4761 SECCLASS_MSGQ, MSGQ__READ, &ad);
4763 rc = avc_has_perm(tsec->sid, msec->sid,
4764 SECCLASS_MSG, MSG__RECEIVE, &ad);
4768 /* Shared Memory security operations */
4769 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4771 struct task_security_struct *tsec;
4772 struct ipc_security_struct *isec;
4773 struct avc_audit_data ad;
4776 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4780 tsec = current->security;
4781 isec = shp->shm_perm.security;
4783 AVC_AUDIT_DATA_INIT(&ad, IPC);
4784 ad.u.ipc_id = shp->shm_perm.key;
4786 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4789 ipc_free_security(&shp->shm_perm);
4795 static void selinux_shm_free_security(struct shmid_kernel *shp)
4797 ipc_free_security(&shp->shm_perm);
4800 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4802 struct task_security_struct *tsec;
4803 struct ipc_security_struct *isec;
4804 struct avc_audit_data ad;
4806 tsec = current->security;
4807 isec = shp->shm_perm.security;
4809 AVC_AUDIT_DATA_INIT(&ad, IPC);
4810 ad.u.ipc_id = shp->shm_perm.key;
4812 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4813 SHM__ASSOCIATE, &ad);
4816 /* Note, at this point, shp is locked down */
4817 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4825 /* No specific object, just general system-wide information. */
4826 return task_has_system(current, SYSTEM__IPC_INFO);
4829 perms = SHM__GETATTR | SHM__ASSOCIATE;
4832 perms = SHM__SETATTR;
4839 perms = SHM__DESTROY;
4845 err = ipc_has_perm(&shp->shm_perm, perms);
4849 static int selinux_shm_shmat(struct shmid_kernel *shp,
4850 char __user *shmaddr, int shmflg)
4855 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4859 if (shmflg & SHM_RDONLY)
4862 perms = SHM__READ | SHM__WRITE;
4864 return ipc_has_perm(&shp->shm_perm, perms);
4867 /* Semaphore security operations */
4868 static int selinux_sem_alloc_security(struct sem_array *sma)
4870 struct task_security_struct *tsec;
4871 struct ipc_security_struct *isec;
4872 struct avc_audit_data ad;
4875 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4879 tsec = current->security;
4880 isec = sma->sem_perm.security;
4882 AVC_AUDIT_DATA_INIT(&ad, IPC);
4883 ad.u.ipc_id = sma->sem_perm.key;
4885 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4888 ipc_free_security(&sma->sem_perm);
4894 static void selinux_sem_free_security(struct sem_array *sma)
4896 ipc_free_security(&sma->sem_perm);
4899 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4901 struct task_security_struct *tsec;
4902 struct ipc_security_struct *isec;
4903 struct avc_audit_data ad;
4905 tsec = current->security;
4906 isec = sma->sem_perm.security;
4908 AVC_AUDIT_DATA_INIT(&ad, IPC);
4909 ad.u.ipc_id = sma->sem_perm.key;
4911 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4912 SEM__ASSOCIATE, &ad);
4915 /* Note, at this point, sma is locked down */
4916 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4924 /* No specific object, just general system-wide information. */
4925 return task_has_system(current, SYSTEM__IPC_INFO);
4929 perms = SEM__GETATTR;
4940 perms = SEM__DESTROY;
4943 perms = SEM__SETATTR;
4947 perms = SEM__GETATTR | SEM__ASSOCIATE;
4953 err = ipc_has_perm(&sma->sem_perm, perms);
4957 static int selinux_sem_semop(struct sem_array *sma,
4958 struct sembuf *sops, unsigned nsops, int alter)
4963 perms = SEM__READ | SEM__WRITE;
4967 return ipc_has_perm(&sma->sem_perm, perms);
4970 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4976 av |= IPC__UNIX_READ;
4978 av |= IPC__UNIX_WRITE;
4983 return ipc_has_perm(ipcp, av);
4986 /* module stacking operations */
4987 static int selinux_register_security (const char *name, struct security_operations *ops)
4989 if (secondary_ops != original_ops) {
4990 printk(KERN_ERR "%s: There is already a secondary security "
4991 "module registered.\n", __FUNCTION__);
4995 secondary_ops = ops;
4997 printk(KERN_INFO "%s: Registering secondary module %s\n",
5004 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
5007 inode_doinit_with_dentry(inode, dentry);
5010 static int selinux_getprocattr(struct task_struct *p,
5011 char *name, char **value)
5013 struct task_security_struct *tsec;
5019 error = task_has_perm(current, p, PROCESS__GETATTR);
5026 if (!strcmp(name, "current"))
5028 else if (!strcmp(name, "prev"))
5030 else if (!strcmp(name, "exec"))
5031 sid = tsec->exec_sid;
5032 else if (!strcmp(name, "fscreate"))
5033 sid = tsec->create_sid;
5034 else if (!strcmp(name, "keycreate"))
5035 sid = tsec->keycreate_sid;
5036 else if (!strcmp(name, "sockcreate"))
5037 sid = tsec->sockcreate_sid;
5044 error = security_sid_to_context(sid, value, &len);
5050 static int selinux_setprocattr(struct task_struct *p,
5051 char *name, void *value, size_t size)
5053 struct task_security_struct *tsec;
5059 /* SELinux only allows a process to change its own
5060 security attributes. */
5065 * Basic control over ability to set these attributes at all.
5066 * current == p, but we'll pass them separately in case the
5067 * above restriction is ever removed.
5069 if (!strcmp(name, "exec"))
5070 error = task_has_perm(current, p, PROCESS__SETEXEC);
5071 else if (!strcmp(name, "fscreate"))
5072 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5073 else if (!strcmp(name, "keycreate"))
5074 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5075 else if (!strcmp(name, "sockcreate"))
5076 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5077 else if (!strcmp(name, "current"))
5078 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5084 /* Obtain a SID for the context, if one was specified. */
5085 if (size && str[1] && str[1] != '\n') {
5086 if (str[size-1] == '\n') {
5090 error = security_context_to_sid(value, size, &sid);
5095 /* Permission checking based on the specified context is
5096 performed during the actual operation (execve,
5097 open/mkdir/...), when we know the full context of the
5098 operation. See selinux_bprm_set_security for the execve
5099 checks and may_create for the file creation checks. The
5100 operation will then fail if the context is not permitted. */
5102 if (!strcmp(name, "exec"))
5103 tsec->exec_sid = sid;
5104 else if (!strcmp(name, "fscreate"))
5105 tsec->create_sid = sid;
5106 else if (!strcmp(name, "keycreate")) {
5107 error = may_create_key(sid, p);
5110 tsec->keycreate_sid = sid;
5111 } else if (!strcmp(name, "sockcreate"))
5112 tsec->sockcreate_sid = sid;
5113 else if (!strcmp(name, "current")) {
5114 struct av_decision avd;
5119 /* Only allow single threaded processes to change context */
5120 if (atomic_read(&p->mm->mm_users) != 1) {
5121 struct task_struct *g, *t;
5122 struct mm_struct *mm = p->mm;
5123 read_lock(&tasklist_lock);
5124 do_each_thread(g, t)
5125 if (t->mm == mm && t != p) {
5126 read_unlock(&tasklist_lock);
5129 while_each_thread(g, t);
5130 read_unlock(&tasklist_lock);
5133 /* Check permissions for the transition. */
5134 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5135 PROCESS__DYNTRANSITION, NULL);
5139 /* Check for ptracing, and update the task SID if ok.
5140 Otherwise, leave SID unchanged and fail. */
5142 if (p->ptrace & PT_PTRACED) {
5143 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
5145 PROCESS__PTRACE, 0, &avd);
5149 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
5150 PROCESS__PTRACE, &avd, error, NULL);
5164 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5166 return security_sid_to_context(secid, secdata, seclen);
5169 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5171 return security_context_to_sid(secdata, seclen, secid);
5174 static void selinux_release_secctx(char *secdata, u32 seclen)
5181 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5182 unsigned long flags)
5184 struct task_security_struct *tsec = tsk->security;
5185 struct key_security_struct *ksec;
5187 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5191 if (tsec->keycreate_sid)
5192 ksec->sid = tsec->keycreate_sid;
5194 ksec->sid = tsec->sid;
5200 static void selinux_key_free(struct key *k)
5202 struct key_security_struct *ksec = k->security;
5208 static int selinux_key_permission(key_ref_t key_ref,
5209 struct task_struct *ctx,
5213 struct task_security_struct *tsec;
5214 struct key_security_struct *ksec;
5216 key = key_ref_to_ptr(key_ref);
5218 tsec = ctx->security;
5219 ksec = key->security;
5221 /* if no specific permissions are requested, we skip the
5222 permission check. No serious, additional covert channels
5223 appear to be created. */
5227 return avc_has_perm(tsec->sid, ksec->sid,
5228 SECCLASS_KEY, perm, NULL);
5233 static struct security_operations selinux_ops = {
5234 .ptrace = selinux_ptrace,
5235 .capget = selinux_capget,
5236 .capset_check = selinux_capset_check,
5237 .capset_set = selinux_capset_set,
5238 .sysctl = selinux_sysctl,
5239 .capable = selinux_capable,
5240 .quotactl = selinux_quotactl,
5241 .quota_on = selinux_quota_on,
5242 .syslog = selinux_syslog,
5243 .vm_enough_memory = selinux_vm_enough_memory,
5245 .netlink_send = selinux_netlink_send,
5246 .netlink_recv = selinux_netlink_recv,
5248 .bprm_alloc_security = selinux_bprm_alloc_security,
5249 .bprm_free_security = selinux_bprm_free_security,
5250 .bprm_apply_creds = selinux_bprm_apply_creds,
5251 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5252 .bprm_set_security = selinux_bprm_set_security,
5253 .bprm_check_security = selinux_bprm_check_security,
5254 .bprm_secureexec = selinux_bprm_secureexec,
5256 .sb_alloc_security = selinux_sb_alloc_security,
5257 .sb_free_security = selinux_sb_free_security,
5258 .sb_copy_data = selinux_sb_copy_data,
5259 .sb_kern_mount = selinux_sb_kern_mount,
5260 .sb_statfs = selinux_sb_statfs,
5261 .sb_mount = selinux_mount,
5262 .sb_umount = selinux_umount,
5263 .sb_get_mnt_opts = selinux_get_mnt_opts,
5264 .sb_set_mnt_opts = selinux_set_mnt_opts,
5265 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5266 .sb_parse_opts_str = selinux_parse_opts_str,
5269 .inode_alloc_security = selinux_inode_alloc_security,
5270 .inode_free_security = selinux_inode_free_security,
5271 .inode_init_security = selinux_inode_init_security,
5272 .inode_create = selinux_inode_create,
5273 .inode_link = selinux_inode_link,
5274 .inode_unlink = selinux_inode_unlink,
5275 .inode_symlink = selinux_inode_symlink,
5276 .inode_mkdir = selinux_inode_mkdir,
5277 .inode_rmdir = selinux_inode_rmdir,
5278 .inode_mknod = selinux_inode_mknod,
5279 .inode_rename = selinux_inode_rename,
5280 .inode_readlink = selinux_inode_readlink,
5281 .inode_follow_link = selinux_inode_follow_link,
5282 .inode_permission = selinux_inode_permission,
5283 .inode_setattr = selinux_inode_setattr,
5284 .inode_getattr = selinux_inode_getattr,
5285 .inode_setxattr = selinux_inode_setxattr,
5286 .inode_post_setxattr = selinux_inode_post_setxattr,
5287 .inode_getxattr = selinux_inode_getxattr,
5288 .inode_listxattr = selinux_inode_listxattr,
5289 .inode_removexattr = selinux_inode_removexattr,
5290 .inode_getsecurity = selinux_inode_getsecurity,
5291 .inode_setsecurity = selinux_inode_setsecurity,
5292 .inode_listsecurity = selinux_inode_listsecurity,
5293 .inode_need_killpriv = selinux_inode_need_killpriv,
5294 .inode_killpriv = selinux_inode_killpriv,
5296 .file_permission = selinux_file_permission,
5297 .file_alloc_security = selinux_file_alloc_security,
5298 .file_free_security = selinux_file_free_security,
5299 .file_ioctl = selinux_file_ioctl,
5300 .file_mmap = selinux_file_mmap,
5301 .file_mprotect = selinux_file_mprotect,
5302 .file_lock = selinux_file_lock,
5303 .file_fcntl = selinux_file_fcntl,
5304 .file_set_fowner = selinux_file_set_fowner,
5305 .file_send_sigiotask = selinux_file_send_sigiotask,
5306 .file_receive = selinux_file_receive,
5308 .dentry_open = selinux_dentry_open,
5310 .task_create = selinux_task_create,
5311 .task_alloc_security = selinux_task_alloc_security,
5312 .task_free_security = selinux_task_free_security,
5313 .task_setuid = selinux_task_setuid,
5314 .task_post_setuid = selinux_task_post_setuid,
5315 .task_setgid = selinux_task_setgid,
5316 .task_setpgid = selinux_task_setpgid,
5317 .task_getpgid = selinux_task_getpgid,
5318 .task_getsid = selinux_task_getsid,
5319 .task_getsecid = selinux_task_getsecid,
5320 .task_setgroups = selinux_task_setgroups,
5321 .task_setnice = selinux_task_setnice,
5322 .task_setioprio = selinux_task_setioprio,
5323 .task_getioprio = selinux_task_getioprio,
5324 .task_setrlimit = selinux_task_setrlimit,
5325 .task_setscheduler = selinux_task_setscheduler,
5326 .task_getscheduler = selinux_task_getscheduler,
5327 .task_movememory = selinux_task_movememory,
5328 .task_kill = selinux_task_kill,
5329 .task_wait = selinux_task_wait,
5330 .task_prctl = selinux_task_prctl,
5331 .task_reparent_to_init = selinux_task_reparent_to_init,
5332 .task_to_inode = selinux_task_to_inode,
5334 .ipc_permission = selinux_ipc_permission,
5336 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5337 .msg_msg_free_security = selinux_msg_msg_free_security,
5339 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5340 .msg_queue_free_security = selinux_msg_queue_free_security,
5341 .msg_queue_associate = selinux_msg_queue_associate,
5342 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5343 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5344 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5346 .shm_alloc_security = selinux_shm_alloc_security,
5347 .shm_free_security = selinux_shm_free_security,
5348 .shm_associate = selinux_shm_associate,
5349 .shm_shmctl = selinux_shm_shmctl,
5350 .shm_shmat = selinux_shm_shmat,
5352 .sem_alloc_security = selinux_sem_alloc_security,
5353 .sem_free_security = selinux_sem_free_security,
5354 .sem_associate = selinux_sem_associate,
5355 .sem_semctl = selinux_sem_semctl,
5356 .sem_semop = selinux_sem_semop,
5358 .register_security = selinux_register_security,
5360 .d_instantiate = selinux_d_instantiate,
5362 .getprocattr = selinux_getprocattr,
5363 .setprocattr = selinux_setprocattr,
5365 .secid_to_secctx = selinux_secid_to_secctx,
5366 .secctx_to_secid = selinux_secctx_to_secid,
5367 .release_secctx = selinux_release_secctx,
5369 .unix_stream_connect = selinux_socket_unix_stream_connect,
5370 .unix_may_send = selinux_socket_unix_may_send,
5372 .socket_create = selinux_socket_create,
5373 .socket_post_create = selinux_socket_post_create,
5374 .socket_bind = selinux_socket_bind,
5375 .socket_connect = selinux_socket_connect,
5376 .socket_listen = selinux_socket_listen,
5377 .socket_accept = selinux_socket_accept,
5378 .socket_sendmsg = selinux_socket_sendmsg,
5379 .socket_recvmsg = selinux_socket_recvmsg,
5380 .socket_getsockname = selinux_socket_getsockname,
5381 .socket_getpeername = selinux_socket_getpeername,
5382 .socket_getsockopt = selinux_socket_getsockopt,
5383 .socket_setsockopt = selinux_socket_setsockopt,
5384 .socket_shutdown = selinux_socket_shutdown,
5385 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5386 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5387 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5388 .sk_alloc_security = selinux_sk_alloc_security,
5389 .sk_free_security = selinux_sk_free_security,
5390 .sk_clone_security = selinux_sk_clone_security,
5391 .sk_getsecid = selinux_sk_getsecid,
5392 .sock_graft = selinux_sock_graft,
5393 .inet_conn_request = selinux_inet_conn_request,
5394 .inet_csk_clone = selinux_inet_csk_clone,
5395 .inet_conn_established = selinux_inet_conn_established,
5396 .req_classify_flow = selinux_req_classify_flow,
5398 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5399 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5400 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5401 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5402 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5403 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5404 .xfrm_state_free_security = selinux_xfrm_state_free,
5405 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5406 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5407 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5408 .xfrm_decode_session = selinux_xfrm_decode_session,
5412 .key_alloc = selinux_key_alloc,
5413 .key_free = selinux_key_free,
5414 .key_permission = selinux_key_permission,
5418 static __init int selinux_init(void)
5420 struct task_security_struct *tsec;
5422 if (!selinux_enabled) {
5423 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5427 printk(KERN_INFO "SELinux: Initializing.\n");
5429 /* Set the security state for the initial task. */
5430 if (task_alloc_security(current))
5431 panic("SELinux: Failed to initialize initial task.\n");
5432 tsec = current->security;
5433 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5435 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5436 sizeof(struct inode_security_struct),
5437 0, SLAB_PANIC, NULL);
5440 original_ops = secondary_ops = security_ops;
5442 panic ("SELinux: No initial security operations\n");
5443 if (register_security (&selinux_ops))
5444 panic("SELinux: Unable to register with kernel.\n");
5446 if (selinux_enforcing) {
5447 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5449 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5453 /* Add security information to initial keyrings */
5454 selinux_key_alloc(&root_user_keyring, current,
5455 KEY_ALLOC_NOT_IN_QUOTA);
5456 selinux_key_alloc(&root_session_keyring, current,
5457 KEY_ALLOC_NOT_IN_QUOTA);
5463 void selinux_complete_init(void)
5465 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5467 /* Set up any superblocks initialized prior to the policy load. */
5468 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5469 spin_lock(&sb_lock);
5470 spin_lock(&sb_security_lock);
5472 if (!list_empty(&superblock_security_head)) {
5473 struct superblock_security_struct *sbsec =
5474 list_entry(superblock_security_head.next,
5475 struct superblock_security_struct,
5477 struct super_block *sb = sbsec->sb;
5479 spin_unlock(&sb_security_lock);
5480 spin_unlock(&sb_lock);
5481 down_read(&sb->s_umount);
5483 superblock_doinit(sb, NULL);
5485 spin_lock(&sb_lock);
5486 spin_lock(&sb_security_lock);
5487 list_del_init(&sbsec->list);
5490 spin_unlock(&sb_security_lock);
5491 spin_unlock(&sb_lock);
5494 /* SELinux requires early initialization in order to label
5495 all processes and objects when they are created. */
5496 security_initcall(selinux_init);
5498 #if defined(CONFIG_NETFILTER)
5500 static struct nf_hook_ops selinux_ipv4_ops[] = {
5502 .hook = selinux_ipv4_postroute,
5503 .owner = THIS_MODULE,
5505 .hooknum = NF_INET_POST_ROUTING,
5506 .priority = NF_IP_PRI_SELINUX_LAST,
5509 .hook = selinux_ipv4_forward,
5510 .owner = THIS_MODULE,
5512 .hooknum = NF_INET_FORWARD,
5513 .priority = NF_IP_PRI_SELINUX_FIRST,
5517 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5519 static struct nf_hook_ops selinux_ipv6_ops[] = {
5521 .hook = selinux_ipv6_postroute,
5522 .owner = THIS_MODULE,
5524 .hooknum = NF_INET_POST_ROUTING,
5525 .priority = NF_IP6_PRI_SELINUX_LAST,
5528 .hook = selinux_ipv6_forward,
5529 .owner = THIS_MODULE,
5531 .hooknum = NF_INET_FORWARD,
5532 .priority = NF_IP6_PRI_SELINUX_FIRST,
5538 static int __init selinux_nf_ip_init(void)
5543 if (!selinux_enabled)
5546 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5548 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5549 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5551 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5555 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5556 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5557 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5559 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5568 __initcall(selinux_nf_ip_init);
5570 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5571 static void selinux_nf_ip_exit(void)
5575 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5577 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5578 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5579 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5580 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5581 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5586 #else /* CONFIG_NETFILTER */
5588 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5589 #define selinux_nf_ip_exit()
5592 #endif /* CONFIG_NETFILTER */
5594 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5595 int selinux_disable(void)
5597 extern void exit_sel_fs(void);
5598 static int selinux_disabled = 0;
5600 if (ss_initialized) {
5601 /* Not permitted after initial policy load. */
5605 if (selinux_disabled) {
5606 /* Only do this once. */
5610 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5612 selinux_disabled = 1;
5613 selinux_enabled = 0;
5615 /* Reset security_ops to the secondary module, dummy or capability. */
5616 security_ops = secondary_ops;
5618 /* Unregister netfilter hooks. */
5619 selinux_nf_ip_exit();
5621 /* Unregister selinuxfs. */