2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul.moore@hp.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/file.h>
43 #include <linux/fdtable.h>
44 #include <linux/namei.h>
45 #include <linux/mount.h>
46 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78 #include <linux/posix-timers.h>
89 #define XATTR_SELINUX_SUFFIX "selinux"
90 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
92 #define NUM_SEL_MNT_OPTS 4
94 extern unsigned int policydb_loaded_version;
95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96 extern int selinux_compat_net;
97 extern struct security_operations *security_ops;
99 /* SECMARK reference count */
100 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing;
105 static int __init enforcing_setup(char *str)
107 unsigned long enforcing;
108 if (!strict_strtoul(str, 0, &enforcing))
109 selinux_enforcing = enforcing ? 1 : 0;
112 __setup("enforcing=", enforcing_setup);
115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118 static int __init selinux_enabled_setup(char *str)
120 unsigned long enabled;
121 if (!strict_strtoul(str, 0, &enabled))
122 selinux_enabled = enabled ? 1 : 0;
125 __setup("selinux=", selinux_enabled_setup);
127 int selinux_enabled = 1;
132 * Minimal support for a secondary security module,
133 * just to allow the use of the capability module.
135 static struct security_operations *secondary_ops;
137 /* Lists of inode and superblock security structures initialized
138 before the policy was loaded. */
139 static LIST_HEAD(superblock_security_head);
140 static DEFINE_SPINLOCK(sb_security_lock);
142 static struct kmem_cache *sel_inode_cache;
145 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
148 * This function checks the SECMARK reference counter to see if any SECMARK
149 * targets are currently configured, if the reference counter is greater than
150 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
151 * enabled, false (0) if SECMARK is disabled.
154 static int selinux_secmark_enabled(void)
156 return (atomic_read(&selinux_secmark_refcount) > 0);
159 /* Allocate and free functions for each kind of security blob. */
161 static int cred_alloc_security(struct cred *cred)
163 struct task_security_struct *tsec;
165 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
169 tsec->osid = tsec->sid = SECINITSID_UNLABELED;
170 cred->security = tsec;
176 * get the security ID of a set of credentials
178 static inline u32 cred_sid(const struct cred *cred)
180 const struct task_security_struct *tsec;
182 tsec = cred->security;
187 * get the security ID of a task
189 static inline u32 task_sid(const struct task_struct *task)
194 sid = cred_sid(__task_cred(task));
200 * get the security ID of the current task
202 static inline u32 current_sid(void)
204 const struct task_security_struct *tsec = current_cred()->security;
209 /* Allocate and free functions for each kind of security blob. */
211 static int inode_alloc_security(struct inode *inode)
213 struct inode_security_struct *isec;
214 u32 sid = current_sid();
216 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
220 mutex_init(&isec->lock);
221 INIT_LIST_HEAD(&isec->list);
223 isec->sid = SECINITSID_UNLABELED;
224 isec->sclass = SECCLASS_FILE;
225 isec->task_sid = sid;
226 inode->i_security = isec;
231 static void inode_free_security(struct inode *inode)
233 struct inode_security_struct *isec = inode->i_security;
234 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
236 spin_lock(&sbsec->isec_lock);
237 if (!list_empty(&isec->list))
238 list_del_init(&isec->list);
239 spin_unlock(&sbsec->isec_lock);
241 inode->i_security = NULL;
242 kmem_cache_free(sel_inode_cache, isec);
245 static int file_alloc_security(struct file *file)
247 struct file_security_struct *fsec;
248 u32 sid = current_sid();
250 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
255 fsec->fown_sid = sid;
256 file->f_security = fsec;
261 static void file_free_security(struct file *file)
263 struct file_security_struct *fsec = file->f_security;
264 file->f_security = NULL;
268 static int superblock_alloc_security(struct super_block *sb)
270 struct superblock_security_struct *sbsec;
272 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
276 mutex_init(&sbsec->lock);
277 INIT_LIST_HEAD(&sbsec->list);
278 INIT_LIST_HEAD(&sbsec->isec_head);
279 spin_lock_init(&sbsec->isec_lock);
281 sbsec->sid = SECINITSID_UNLABELED;
282 sbsec->def_sid = SECINITSID_FILE;
283 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
284 sb->s_security = sbsec;
289 static void superblock_free_security(struct super_block *sb)
291 struct superblock_security_struct *sbsec = sb->s_security;
293 spin_lock(&sb_security_lock);
294 if (!list_empty(&sbsec->list))
295 list_del_init(&sbsec->list);
296 spin_unlock(&sb_security_lock);
298 sb->s_security = NULL;
302 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
304 struct sk_security_struct *ssec;
306 ssec = kzalloc(sizeof(*ssec), priority);
310 ssec->peer_sid = SECINITSID_UNLABELED;
311 ssec->sid = SECINITSID_UNLABELED;
312 sk->sk_security = ssec;
314 selinux_netlbl_sk_security_reset(ssec, family);
319 static void sk_free_security(struct sock *sk)
321 struct sk_security_struct *ssec = sk->sk_security;
323 sk->sk_security = NULL;
324 selinux_netlbl_sk_security_free(ssec);
328 /* The security server must be initialized before
329 any labeling or access decisions can be provided. */
330 extern int ss_initialized;
332 /* The file system's label must be initialized prior to use. */
334 static char *labeling_behaviors[6] = {
336 "uses transition SIDs",
338 "uses genfs_contexts",
339 "not configured for labeling",
340 "uses mountpoint labeling",
343 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
345 static inline int inode_doinit(struct inode *inode)
347 return inode_doinit_with_dentry(inode, NULL);
358 static const match_table_t tokens = {
359 {Opt_context, CONTEXT_STR "%s"},
360 {Opt_fscontext, FSCONTEXT_STR "%s"},
361 {Opt_defcontext, DEFCONTEXT_STR "%s"},
362 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
366 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
368 static int may_context_mount_sb_relabel(u32 sid,
369 struct superblock_security_struct *sbsec,
370 const struct cred *cred)
372 const struct task_security_struct *tsec = cred->security;
375 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
376 FILESYSTEM__RELABELFROM, NULL);
380 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
381 FILESYSTEM__RELABELTO, NULL);
385 static int may_context_mount_inode_relabel(u32 sid,
386 struct superblock_security_struct *sbsec,
387 const struct cred *cred)
389 const struct task_security_struct *tsec = cred->security;
391 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
392 FILESYSTEM__RELABELFROM, NULL);
396 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
397 FILESYSTEM__ASSOCIATE, NULL);
401 static int sb_finish_set_opts(struct super_block *sb)
403 struct superblock_security_struct *sbsec = sb->s_security;
404 struct dentry *root = sb->s_root;
405 struct inode *root_inode = root->d_inode;
408 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
409 /* Make sure that the xattr handler exists and that no
410 error other than -ENODATA is returned by getxattr on
411 the root directory. -ENODATA is ok, as this may be
412 the first boot of the SELinux kernel before we have
413 assigned xattr values to the filesystem. */
414 if (!root_inode->i_op->getxattr) {
415 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
416 "xattr support\n", sb->s_id, sb->s_type->name);
420 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
421 if (rc < 0 && rc != -ENODATA) {
422 if (rc == -EOPNOTSUPP)
423 printk(KERN_WARNING "SELinux: (dev %s, type "
424 "%s) has no security xattr handler\n",
425 sb->s_id, sb->s_type->name);
427 printk(KERN_WARNING "SELinux: (dev %s, type "
428 "%s) getxattr errno %d\n", sb->s_id,
429 sb->s_type->name, -rc);
434 sbsec->initialized = 1;
436 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
437 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
438 sb->s_id, sb->s_type->name);
440 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
441 sb->s_id, sb->s_type->name,
442 labeling_behaviors[sbsec->behavior-1]);
444 /* Initialize the root inode. */
445 rc = inode_doinit_with_dentry(root_inode, root);
447 /* Initialize any other inodes associated with the superblock, e.g.
448 inodes created prior to initial policy load or inodes created
449 during get_sb by a pseudo filesystem that directly
451 spin_lock(&sbsec->isec_lock);
453 if (!list_empty(&sbsec->isec_head)) {
454 struct inode_security_struct *isec =
455 list_entry(sbsec->isec_head.next,
456 struct inode_security_struct, list);
457 struct inode *inode = isec->inode;
458 spin_unlock(&sbsec->isec_lock);
459 inode = igrab(inode);
461 if (!IS_PRIVATE(inode))
465 spin_lock(&sbsec->isec_lock);
466 list_del_init(&isec->list);
469 spin_unlock(&sbsec->isec_lock);
475 * This function should allow an FS to ask what it's mount security
476 * options were so it can use those later for submounts, displaying
477 * mount options, or whatever.
479 static int selinux_get_mnt_opts(const struct super_block *sb,
480 struct security_mnt_opts *opts)
483 struct superblock_security_struct *sbsec = sb->s_security;
484 char *context = NULL;
488 security_init_mnt_opts(opts);
490 if (!sbsec->initialized)
497 * if we ever use sbsec flags for anything other than tracking mount
498 * settings this is going to need a mask
501 /* count the number of mount options for this sb */
502 for (i = 0; i < 8; i++) {
504 opts->num_mnt_opts++;
508 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
509 if (!opts->mnt_opts) {
514 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
515 if (!opts->mnt_opts_flags) {
521 if (sbsec->flags & FSCONTEXT_MNT) {
522 rc = security_sid_to_context(sbsec->sid, &context, &len);
525 opts->mnt_opts[i] = context;
526 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
528 if (sbsec->flags & CONTEXT_MNT) {
529 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
532 opts->mnt_opts[i] = context;
533 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
535 if (sbsec->flags & DEFCONTEXT_MNT) {
536 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
539 opts->mnt_opts[i] = context;
540 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
542 if (sbsec->flags & ROOTCONTEXT_MNT) {
543 struct inode *root = sbsec->sb->s_root->d_inode;
544 struct inode_security_struct *isec = root->i_security;
546 rc = security_sid_to_context(isec->sid, &context, &len);
549 opts->mnt_opts[i] = context;
550 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
553 BUG_ON(i != opts->num_mnt_opts);
558 security_free_mnt_opts(opts);
562 static int bad_option(struct superblock_security_struct *sbsec, char flag,
563 u32 old_sid, u32 new_sid)
565 /* check if the old mount command had the same options */
566 if (sbsec->initialized)
567 if (!(sbsec->flags & flag) ||
568 (old_sid != new_sid))
571 /* check if we were passed the same options twice,
572 * aka someone passed context=a,context=b
574 if (!sbsec->initialized)
575 if (sbsec->flags & flag)
581 * Allow filesystems with binary mount data to explicitly set mount point
582 * labeling information.
584 static int selinux_set_mnt_opts(struct super_block *sb,
585 struct security_mnt_opts *opts)
587 const struct cred *cred = current_cred();
589 struct superblock_security_struct *sbsec = sb->s_security;
590 const char *name = sb->s_type->name;
591 struct inode *inode = sbsec->sb->s_root->d_inode;
592 struct inode_security_struct *root_isec = inode->i_security;
593 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
594 u32 defcontext_sid = 0;
595 char **mount_options = opts->mnt_opts;
596 int *flags = opts->mnt_opts_flags;
597 int num_opts = opts->num_mnt_opts;
599 mutex_lock(&sbsec->lock);
601 if (!ss_initialized) {
603 /* Defer initialization until selinux_complete_init,
604 after the initial policy is loaded and the security
605 server is ready to handle calls. */
606 spin_lock(&sb_security_lock);
607 if (list_empty(&sbsec->list))
608 list_add(&sbsec->list, &superblock_security_head);
609 spin_unlock(&sb_security_lock);
613 printk(KERN_WARNING "SELinux: Unable to set superblock options "
614 "before the security server is initialized\n");
619 * Binary mount data FS will come through this function twice. Once
620 * from an explicit call and once from the generic calls from the vfs.
621 * Since the generic VFS calls will not contain any security mount data
622 * we need to skip the double mount verification.
624 * This does open a hole in which we will not notice if the first
625 * mount using this sb set explict options and a second mount using
626 * this sb does not set any security options. (The first options
627 * will be used for both mounts)
629 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
634 * parse the mount options, check if they are valid sids.
635 * also check if someone is trying to mount the same sb more
636 * than once with different security options.
638 for (i = 0; i < num_opts; i++) {
640 rc = security_context_to_sid(mount_options[i],
641 strlen(mount_options[i]), &sid);
643 printk(KERN_WARNING "SELinux: security_context_to_sid"
644 "(%s) failed for (dev %s, type %s) errno=%d\n",
645 mount_options[i], sb->s_id, name, rc);
652 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
654 goto out_double_mount;
656 sbsec->flags |= FSCONTEXT_MNT;
661 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
663 goto out_double_mount;
665 sbsec->flags |= CONTEXT_MNT;
667 case ROOTCONTEXT_MNT:
668 rootcontext_sid = sid;
670 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
672 goto out_double_mount;
674 sbsec->flags |= ROOTCONTEXT_MNT;
678 defcontext_sid = sid;
680 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
682 goto out_double_mount;
684 sbsec->flags |= DEFCONTEXT_MNT;
693 if (sbsec->initialized) {
694 /* previously mounted with options, but not on this attempt? */
695 if (sbsec->flags && !num_opts)
696 goto out_double_mount;
701 if (strcmp(sb->s_type->name, "proc") == 0)
704 /* Determine the labeling behavior to use for this filesystem type. */
705 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
707 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
708 __func__, sb->s_type->name, rc);
712 /* sets the context of the superblock for the fs being mounted. */
714 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
718 sbsec->sid = fscontext_sid;
722 * Switch to using mount point labeling behavior.
723 * sets the label used on all file below the mountpoint, and will set
724 * the superblock context if not already set.
727 if (!fscontext_sid) {
728 rc = may_context_mount_sb_relabel(context_sid, sbsec,
732 sbsec->sid = context_sid;
734 rc = may_context_mount_inode_relabel(context_sid, sbsec,
739 if (!rootcontext_sid)
740 rootcontext_sid = context_sid;
742 sbsec->mntpoint_sid = context_sid;
743 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
746 if (rootcontext_sid) {
747 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
752 root_isec->sid = rootcontext_sid;
753 root_isec->initialized = 1;
756 if (defcontext_sid) {
757 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
759 printk(KERN_WARNING "SELinux: defcontext option is "
760 "invalid for this filesystem type\n");
764 if (defcontext_sid != sbsec->def_sid) {
765 rc = may_context_mount_inode_relabel(defcontext_sid,
771 sbsec->def_sid = defcontext_sid;
774 rc = sb_finish_set_opts(sb);
776 mutex_unlock(&sbsec->lock);
780 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
781 "security settings for (dev %s, type %s)\n", sb->s_id, name);
785 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
786 struct super_block *newsb)
788 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
789 struct superblock_security_struct *newsbsec = newsb->s_security;
791 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
792 int set_context = (oldsbsec->flags & CONTEXT_MNT);
793 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
796 * if the parent was able to be mounted it clearly had no special lsm
797 * mount options. thus we can safely put this sb on the list and deal
800 if (!ss_initialized) {
801 spin_lock(&sb_security_lock);
802 if (list_empty(&newsbsec->list))
803 list_add(&newsbsec->list, &superblock_security_head);
804 spin_unlock(&sb_security_lock);
808 /* how can we clone if the old one wasn't set up?? */
809 BUG_ON(!oldsbsec->initialized);
811 /* if fs is reusing a sb, just let its options stand... */
812 if (newsbsec->initialized)
815 mutex_lock(&newsbsec->lock);
817 newsbsec->flags = oldsbsec->flags;
819 newsbsec->sid = oldsbsec->sid;
820 newsbsec->def_sid = oldsbsec->def_sid;
821 newsbsec->behavior = oldsbsec->behavior;
824 u32 sid = oldsbsec->mntpoint_sid;
828 if (!set_rootcontext) {
829 struct inode *newinode = newsb->s_root->d_inode;
830 struct inode_security_struct *newisec = newinode->i_security;
833 newsbsec->mntpoint_sid = sid;
835 if (set_rootcontext) {
836 const struct inode *oldinode = oldsb->s_root->d_inode;
837 const struct inode_security_struct *oldisec = oldinode->i_security;
838 struct inode *newinode = newsb->s_root->d_inode;
839 struct inode_security_struct *newisec = newinode->i_security;
841 newisec->sid = oldisec->sid;
844 sb_finish_set_opts(newsb);
845 mutex_unlock(&newsbsec->lock);
848 static int selinux_parse_opts_str(char *options,
849 struct security_mnt_opts *opts)
852 char *context = NULL, *defcontext = NULL;
853 char *fscontext = NULL, *rootcontext = NULL;
854 int rc, num_mnt_opts = 0;
856 opts->num_mnt_opts = 0;
858 /* Standard string-based options. */
859 while ((p = strsep(&options, "|")) != NULL) {
861 substring_t args[MAX_OPT_ARGS];
866 token = match_token(p, tokens, args);
870 if (context || defcontext) {
872 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
875 context = match_strdup(&args[0]);
885 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
888 fscontext = match_strdup(&args[0]);
895 case Opt_rootcontext:
898 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
901 rootcontext = match_strdup(&args[0]);
909 if (context || defcontext) {
911 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
914 defcontext = match_strdup(&args[0]);
923 printk(KERN_WARNING "SELinux: unknown mount option\n");
930 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
934 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
935 if (!opts->mnt_opts_flags) {
936 kfree(opts->mnt_opts);
941 opts->mnt_opts[num_mnt_opts] = fscontext;
942 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
945 opts->mnt_opts[num_mnt_opts] = context;
946 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
949 opts->mnt_opts[num_mnt_opts] = rootcontext;
950 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
953 opts->mnt_opts[num_mnt_opts] = defcontext;
954 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
957 opts->num_mnt_opts = num_mnt_opts;
968 * string mount options parsing and call set the sbsec
970 static int superblock_doinit(struct super_block *sb, void *data)
973 char *options = data;
974 struct security_mnt_opts opts;
976 security_init_mnt_opts(&opts);
981 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
983 rc = selinux_parse_opts_str(options, &opts);
988 rc = selinux_set_mnt_opts(sb, &opts);
991 security_free_mnt_opts(&opts);
995 static void selinux_write_opts(struct seq_file *m,
996 struct security_mnt_opts *opts)
1001 for (i = 0; i < opts->num_mnt_opts; i++) {
1002 char *has_comma = strchr(opts->mnt_opts[i], ',');
1004 switch (opts->mnt_opts_flags[i]) {
1006 prefix = CONTEXT_STR;
1009 prefix = FSCONTEXT_STR;
1011 case ROOTCONTEXT_MNT:
1012 prefix = ROOTCONTEXT_STR;
1014 case DEFCONTEXT_MNT:
1015 prefix = DEFCONTEXT_STR;
1020 /* we need a comma before each option */
1022 seq_puts(m, prefix);
1025 seq_puts(m, opts->mnt_opts[i]);
1031 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1033 struct security_mnt_opts opts;
1036 rc = selinux_get_mnt_opts(sb, &opts);
1038 /* before policy load we may get EINVAL, don't show anything */
1044 selinux_write_opts(m, &opts);
1046 security_free_mnt_opts(&opts);
1051 static inline u16 inode_mode_to_security_class(umode_t mode)
1053 switch (mode & S_IFMT) {
1055 return SECCLASS_SOCK_FILE;
1057 return SECCLASS_LNK_FILE;
1059 return SECCLASS_FILE;
1061 return SECCLASS_BLK_FILE;
1063 return SECCLASS_DIR;
1065 return SECCLASS_CHR_FILE;
1067 return SECCLASS_FIFO_FILE;
1071 return SECCLASS_FILE;
1074 static inline int default_protocol_stream(int protocol)
1076 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1079 static inline int default_protocol_dgram(int protocol)
1081 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1084 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1090 case SOCK_SEQPACKET:
1091 return SECCLASS_UNIX_STREAM_SOCKET;
1093 return SECCLASS_UNIX_DGRAM_SOCKET;
1100 if (default_protocol_stream(protocol))
1101 return SECCLASS_TCP_SOCKET;
1103 return SECCLASS_RAWIP_SOCKET;
1105 if (default_protocol_dgram(protocol))
1106 return SECCLASS_UDP_SOCKET;
1108 return SECCLASS_RAWIP_SOCKET;
1110 return SECCLASS_DCCP_SOCKET;
1112 return SECCLASS_RAWIP_SOCKET;
1118 return SECCLASS_NETLINK_ROUTE_SOCKET;
1119 case NETLINK_FIREWALL:
1120 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1121 case NETLINK_INET_DIAG:
1122 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1124 return SECCLASS_NETLINK_NFLOG_SOCKET;
1126 return SECCLASS_NETLINK_XFRM_SOCKET;
1127 case NETLINK_SELINUX:
1128 return SECCLASS_NETLINK_SELINUX_SOCKET;
1130 return SECCLASS_NETLINK_AUDIT_SOCKET;
1131 case NETLINK_IP6_FW:
1132 return SECCLASS_NETLINK_IP6FW_SOCKET;
1133 case NETLINK_DNRTMSG:
1134 return SECCLASS_NETLINK_DNRT_SOCKET;
1135 case NETLINK_KOBJECT_UEVENT:
1136 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1138 return SECCLASS_NETLINK_SOCKET;
1141 return SECCLASS_PACKET_SOCKET;
1143 return SECCLASS_KEY_SOCKET;
1145 return SECCLASS_APPLETALK_SOCKET;
1148 return SECCLASS_SOCKET;
1151 #ifdef CONFIG_PROC_FS
1152 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1157 char *buffer, *path, *end;
1159 buffer = (char *)__get_free_page(GFP_KERNEL);
1164 end = buffer+buflen;
1169 while (de && de != de->parent) {
1170 buflen -= de->namelen + 1;
1174 memcpy(end, de->name, de->namelen);
1179 rc = security_genfs_sid("proc", path, tclass, sid);
1180 free_page((unsigned long)buffer);
1184 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1192 /* The inode's security attributes must be initialized before first use. */
1193 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1195 struct superblock_security_struct *sbsec = NULL;
1196 struct inode_security_struct *isec = inode->i_security;
1198 struct dentry *dentry;
1199 #define INITCONTEXTLEN 255
1200 char *context = NULL;
1204 if (isec->initialized)
1207 mutex_lock(&isec->lock);
1208 if (isec->initialized)
1211 sbsec = inode->i_sb->s_security;
1212 if (!sbsec->initialized) {
1213 /* Defer initialization until selinux_complete_init,
1214 after the initial policy is loaded and the security
1215 server is ready to handle calls. */
1216 spin_lock(&sbsec->isec_lock);
1217 if (list_empty(&isec->list))
1218 list_add(&isec->list, &sbsec->isec_head);
1219 spin_unlock(&sbsec->isec_lock);
1223 switch (sbsec->behavior) {
1224 case SECURITY_FS_USE_XATTR:
1225 if (!inode->i_op->getxattr) {
1226 isec->sid = sbsec->def_sid;
1230 /* Need a dentry, since the xattr API requires one.
1231 Life would be simpler if we could just pass the inode. */
1233 /* Called from d_instantiate or d_splice_alias. */
1234 dentry = dget(opt_dentry);
1236 /* Called from selinux_complete_init, try to find a dentry. */
1237 dentry = d_find_alias(inode);
1240 printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
1241 "ino=%ld\n", __func__, inode->i_sb->s_id,
1246 len = INITCONTEXTLEN;
1247 context = kmalloc(len, GFP_NOFS);
1253 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1255 if (rc == -ERANGE) {
1256 /* Need a larger buffer. Query for the right size. */
1257 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1265 context = kmalloc(len, GFP_NOFS);
1271 rc = inode->i_op->getxattr(dentry,
1277 if (rc != -ENODATA) {
1278 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1279 "%d for dev=%s ino=%ld\n", __func__,
1280 -rc, inode->i_sb->s_id, inode->i_ino);
1284 /* Map ENODATA to the default file SID */
1285 sid = sbsec->def_sid;
1288 rc = security_context_to_sid_default(context, rc, &sid,
1292 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1293 "returned %d for dev=%s ino=%ld\n",
1294 __func__, context, -rc,
1295 inode->i_sb->s_id, inode->i_ino);
1297 /* Leave with the unlabeled SID */
1305 case SECURITY_FS_USE_TASK:
1306 isec->sid = isec->task_sid;
1308 case SECURITY_FS_USE_TRANS:
1309 /* Default to the fs SID. */
1310 isec->sid = sbsec->sid;
1312 /* Try to obtain a transition SID. */
1313 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1314 rc = security_transition_sid(isec->task_sid,
1322 case SECURITY_FS_USE_MNTPOINT:
1323 isec->sid = sbsec->mntpoint_sid;
1326 /* Default to the fs superblock SID. */
1327 isec->sid = sbsec->sid;
1329 if (sbsec->proc && !S_ISLNK(inode->i_mode)) {
1330 struct proc_inode *proci = PROC_I(inode);
1332 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1333 rc = selinux_proc_get_sid(proci->pde,
1344 isec->initialized = 1;
1347 mutex_unlock(&isec->lock);
1349 if (isec->sclass == SECCLASS_FILE)
1350 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1354 /* Convert a Linux signal to an access vector. */
1355 static inline u32 signal_to_av(int sig)
1361 /* Commonly granted from child to parent. */
1362 perm = PROCESS__SIGCHLD;
1365 /* Cannot be caught or ignored */
1366 perm = PROCESS__SIGKILL;
1369 /* Cannot be caught or ignored */
1370 perm = PROCESS__SIGSTOP;
1373 /* All other signals. */
1374 perm = PROCESS__SIGNAL;
1382 * Check permission between a pair of tasks, e.g. signal checks,
1383 * fork check, ptrace check, etc.
1384 * tsk1 is the actor and tsk2 is the target
1386 static int task_has_perm(const struct task_struct *tsk1,
1387 const struct task_struct *tsk2,
1390 const struct task_security_struct *__tsec1, *__tsec2;
1394 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1395 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1397 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1400 #if CAP_LAST_CAP > 63
1401 #error Fix SELinux to handle capabilities > 63.
1404 /* Check whether a task is allowed to use a capability. */
1405 static int task_has_capability(struct task_struct *tsk,
1408 struct avc_audit_data ad;
1409 struct av_decision avd;
1411 u32 sid = task_sid(tsk);
1412 u32 av = CAP_TO_MASK(cap);
1415 AVC_AUDIT_DATA_INIT(&ad, CAP);
1419 switch (CAP_TO_INDEX(cap)) {
1421 sclass = SECCLASS_CAPABILITY;
1424 sclass = SECCLASS_CAPABILITY2;
1428 "SELinux: out of range capability %d\n", cap);
1432 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1433 if (audit == SECURITY_CAP_AUDIT)
1434 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1438 /* Check whether a task is allowed to use a system operation. */
1439 static int task_has_system(struct task_struct *tsk,
1442 u32 sid = task_sid(tsk);
1444 return avc_has_perm(sid, SECINITSID_KERNEL,
1445 SECCLASS_SYSTEM, perms, NULL);
1448 /* Check whether a task has a particular permission to an inode.
1449 The 'adp' parameter is optional and allows other audit
1450 data to be passed (e.g. the dentry). */
1451 static int inode_has_perm(const struct cred *cred,
1452 struct inode *inode,
1454 struct avc_audit_data *adp)
1456 struct inode_security_struct *isec;
1457 struct avc_audit_data ad;
1460 if (unlikely(IS_PRIVATE(inode)))
1463 sid = cred_sid(cred);
1464 isec = inode->i_security;
1468 AVC_AUDIT_DATA_INIT(&ad, FS);
1469 ad.u.fs.inode = inode;
1472 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1475 /* Same as inode_has_perm, but pass explicit audit data containing
1476 the dentry to help the auditing code to more easily generate the
1477 pathname if needed. */
1478 static inline int dentry_has_perm(const struct cred *cred,
1479 struct vfsmount *mnt,
1480 struct dentry *dentry,
1483 struct inode *inode = dentry->d_inode;
1484 struct avc_audit_data ad;
1486 AVC_AUDIT_DATA_INIT(&ad, FS);
1487 ad.u.fs.path.mnt = mnt;
1488 ad.u.fs.path.dentry = dentry;
1489 return inode_has_perm(cred, inode, av, &ad);
1492 /* Check whether a task can use an open file descriptor to
1493 access an inode in a given way. Check access to the
1494 descriptor itself, and then use dentry_has_perm to
1495 check a particular permission to the file.
1496 Access to the descriptor is implicitly granted if it
1497 has the same SID as the process. If av is zero, then
1498 access to the file is not checked, e.g. for cases
1499 where only the descriptor is affected like seek. */
1500 static int file_has_perm(const struct cred *cred,
1504 struct file_security_struct *fsec = file->f_security;
1505 struct inode *inode = file->f_path.dentry->d_inode;
1506 struct avc_audit_data ad;
1507 u32 sid = cred_sid(cred);
1510 AVC_AUDIT_DATA_INIT(&ad, FS);
1511 ad.u.fs.path = file->f_path;
1513 if (sid != fsec->sid) {
1514 rc = avc_has_perm(sid, fsec->sid,
1522 /* av is zero if only checking access to the descriptor. */
1525 rc = inode_has_perm(cred, inode, av, &ad);
1531 /* Check whether a task can create a file. */
1532 static int may_create(struct inode *dir,
1533 struct dentry *dentry,
1536 const struct cred *cred = current_cred();
1537 const struct task_security_struct *tsec = cred->security;
1538 struct inode_security_struct *dsec;
1539 struct superblock_security_struct *sbsec;
1541 struct avc_audit_data ad;
1544 dsec = dir->i_security;
1545 sbsec = dir->i_sb->s_security;
1548 newsid = tsec->create_sid;
1550 AVC_AUDIT_DATA_INIT(&ad, FS);
1551 ad.u.fs.path.dentry = dentry;
1553 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1554 DIR__ADD_NAME | DIR__SEARCH,
1559 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
1560 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1565 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1569 return avc_has_perm(newsid, sbsec->sid,
1570 SECCLASS_FILESYSTEM,
1571 FILESYSTEM__ASSOCIATE, &ad);
1574 /* Check whether a task can create a key. */
1575 static int may_create_key(u32 ksid,
1576 struct task_struct *ctx)
1578 u32 sid = task_sid(ctx);
1580 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1584 #define MAY_UNLINK 1
1587 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1588 static int may_link(struct inode *dir,
1589 struct dentry *dentry,
1593 struct inode_security_struct *dsec, *isec;
1594 struct avc_audit_data ad;
1595 u32 sid = current_sid();
1599 dsec = dir->i_security;
1600 isec = dentry->d_inode->i_security;
1602 AVC_AUDIT_DATA_INIT(&ad, FS);
1603 ad.u.fs.path.dentry = dentry;
1606 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1607 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1622 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1627 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1631 static inline int may_rename(struct inode *old_dir,
1632 struct dentry *old_dentry,
1633 struct inode *new_dir,
1634 struct dentry *new_dentry)
1636 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1637 struct avc_audit_data ad;
1638 u32 sid = current_sid();
1640 int old_is_dir, new_is_dir;
1643 old_dsec = old_dir->i_security;
1644 old_isec = old_dentry->d_inode->i_security;
1645 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1646 new_dsec = new_dir->i_security;
1648 AVC_AUDIT_DATA_INIT(&ad, FS);
1650 ad.u.fs.path.dentry = old_dentry;
1651 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1652 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1655 rc = avc_has_perm(sid, old_isec->sid,
1656 old_isec->sclass, FILE__RENAME, &ad);
1659 if (old_is_dir && new_dir != old_dir) {
1660 rc = avc_has_perm(sid, old_isec->sid,
1661 old_isec->sclass, DIR__REPARENT, &ad);
1666 ad.u.fs.path.dentry = new_dentry;
1667 av = DIR__ADD_NAME | DIR__SEARCH;
1668 if (new_dentry->d_inode)
1669 av |= DIR__REMOVE_NAME;
1670 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1673 if (new_dentry->d_inode) {
1674 new_isec = new_dentry->d_inode->i_security;
1675 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1676 rc = avc_has_perm(sid, new_isec->sid,
1678 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1686 /* Check whether a task can perform a filesystem operation. */
1687 static int superblock_has_perm(const struct cred *cred,
1688 struct super_block *sb,
1690 struct avc_audit_data *ad)
1692 struct superblock_security_struct *sbsec;
1693 u32 sid = cred_sid(cred);
1695 sbsec = sb->s_security;
1696 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1699 /* Convert a Linux mode and permission mask to an access vector. */
1700 static inline u32 file_mask_to_av(int mode, int mask)
1704 if ((mode & S_IFMT) != S_IFDIR) {
1705 if (mask & MAY_EXEC)
1706 av |= FILE__EXECUTE;
1707 if (mask & MAY_READ)
1710 if (mask & MAY_APPEND)
1712 else if (mask & MAY_WRITE)
1716 if (mask & MAY_EXEC)
1718 if (mask & MAY_WRITE)
1720 if (mask & MAY_READ)
1727 /* Convert a Linux file to an access vector. */
1728 static inline u32 file_to_av(struct file *file)
1732 if (file->f_mode & FMODE_READ)
1734 if (file->f_mode & FMODE_WRITE) {
1735 if (file->f_flags & O_APPEND)
1742 * Special file opened with flags 3 for ioctl-only use.
1751 * Convert a file to an access vector and include the correct open
1754 static inline u32 open_file_to_av(struct file *file)
1756 u32 av = file_to_av(file);
1758 if (selinux_policycap_openperm) {
1759 mode_t mode = file->f_path.dentry->d_inode->i_mode;
1761 * lnk files and socks do not really have an 'open'
1765 else if (S_ISCHR(mode))
1766 av |= CHR_FILE__OPEN;
1767 else if (S_ISBLK(mode))
1768 av |= BLK_FILE__OPEN;
1769 else if (S_ISFIFO(mode))
1770 av |= FIFO_FILE__OPEN;
1771 else if (S_ISDIR(mode))
1774 printk(KERN_ERR "SELinux: WARNING: inside %s with "
1775 "unknown mode:%o\n", __func__, mode);
1780 /* Hook functions begin here. */
1782 static int selinux_ptrace_may_access(struct task_struct *child,
1787 rc = secondary_ops->ptrace_may_access(child, mode);
1791 if (mode == PTRACE_MODE_READ) {
1792 u32 sid = current_sid();
1793 u32 csid = task_sid(child);
1794 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1797 return task_has_perm(current, child, PROCESS__PTRACE);
1800 static int selinux_ptrace_traceme(struct task_struct *parent)
1804 rc = secondary_ops->ptrace_traceme(parent);
1808 return task_has_perm(parent, current, PROCESS__PTRACE);
1811 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1812 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1816 error = task_has_perm(current, target, PROCESS__GETCAP);
1820 return secondary_ops->capget(target, effective, inheritable, permitted);
1823 static int selinux_capset_check(const kernel_cap_t *effective,
1824 const kernel_cap_t *inheritable,
1825 const kernel_cap_t *permitted)
1829 error = secondary_ops->capset_check(effective, inheritable, permitted);
1833 return task_has_perm(current, current, PROCESS__SETCAP);
1836 static void selinux_capset_set(const kernel_cap_t *effective,
1837 const kernel_cap_t *inheritable,
1838 const kernel_cap_t *permitted)
1840 secondary_ops->capset_set(effective, inheritable, permitted);
1843 static int selinux_capable(struct task_struct *tsk, int cap, int audit)
1847 rc = secondary_ops->capable(tsk, cap, audit);
1851 return task_has_capability(tsk, cap, audit);
1854 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1857 char *buffer, *path, *end;
1860 buffer = (char *)__get_free_page(GFP_KERNEL);
1865 end = buffer+buflen;
1871 const char *name = table->procname;
1872 size_t namelen = strlen(name);
1873 buflen -= namelen + 1;
1877 memcpy(end, name, namelen);
1880 table = table->parent;
1886 memcpy(end, "/sys", 4);
1888 rc = security_genfs_sid("proc", path, tclass, sid);
1890 free_page((unsigned long)buffer);
1895 static int selinux_sysctl(ctl_table *table, int op)
1902 rc = secondary_ops->sysctl(table, op);
1906 sid = current_sid();
1908 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1909 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1911 /* Default to the well-defined sysctl SID. */
1912 tsid = SECINITSID_SYSCTL;
1915 /* The op values are "defined" in sysctl.c, thereby creating
1916 * a bad coupling between this module and sysctl.c */
1918 error = avc_has_perm(sid, tsid,
1919 SECCLASS_DIR, DIR__SEARCH, NULL);
1927 error = avc_has_perm(sid, tsid,
1928 SECCLASS_FILE, av, NULL);
1934 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1936 const struct cred *cred = current_cred();
1948 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1953 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1956 rc = 0; /* let the kernel handle invalid cmds */
1962 static int selinux_quota_on(struct dentry *dentry)
1964 const struct cred *cred = current_cred();
1966 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1969 static int selinux_syslog(int type)
1973 rc = secondary_ops->syslog(type);
1978 case 3: /* Read last kernel messages */
1979 case 10: /* Return size of the log buffer */
1980 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1982 case 6: /* Disable logging to console */
1983 case 7: /* Enable logging to console */
1984 case 8: /* Set level of messages printed to console */
1985 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1987 case 0: /* Close log */
1988 case 1: /* Open log */
1989 case 2: /* Read from log */
1990 case 4: /* Read/clear last kernel messages */
1991 case 5: /* Clear ring buffer */
1993 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2000 * Check that a process has enough memory to allocate a new virtual
2001 * mapping. 0 means there is enough memory for the allocation to
2002 * succeed and -ENOMEM implies there is not.
2004 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
2005 * if the capability is granted, but __vm_enough_memory requires 1 if
2006 * the capability is granted.
2008 * Do not audit the selinux permission check, as this is applied to all
2009 * processes that allocate mappings.
2011 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2013 int rc, cap_sys_admin = 0;
2015 rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
2019 return __vm_enough_memory(mm, pages, cap_sys_admin);
2022 /* binprm security operations */
2024 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
2026 struct bprm_security_struct *bsec;
2028 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
2032 bsec->sid = SECINITSID_UNLABELED;
2035 bprm->security = bsec;
2039 static int selinux_bprm_set_security(struct linux_binprm *bprm)
2041 struct task_security_struct *tsec;
2042 struct inode *inode = bprm->file->f_path.dentry->d_inode;
2043 struct inode_security_struct *isec;
2044 struct bprm_security_struct *bsec;
2046 struct avc_audit_data ad;
2049 rc = secondary_ops->bprm_set_security(bprm);
2053 bsec = bprm->security;
2058 tsec = current_security();
2059 isec = inode->i_security;
2061 /* Default to the current task SID. */
2062 bsec->sid = tsec->sid;
2064 /* Reset fs, key, and sock SIDs on execve. */
2065 tsec->create_sid = 0;
2066 tsec->keycreate_sid = 0;
2067 tsec->sockcreate_sid = 0;
2069 if (tsec->exec_sid) {
2070 newsid = tsec->exec_sid;
2071 /* Reset exec SID on execve. */
2074 /* Check for a default transition on this program. */
2075 rc = security_transition_sid(tsec->sid, isec->sid,
2076 SECCLASS_PROCESS, &newsid);
2081 AVC_AUDIT_DATA_INIT(&ad, FS);
2082 ad.u.fs.path = bprm->file->f_path;
2084 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2087 if (tsec->sid == newsid) {
2088 rc = avc_has_perm(tsec->sid, isec->sid,
2089 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2093 /* Check permissions for the transition. */
2094 rc = avc_has_perm(tsec->sid, newsid,
2095 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2099 rc = avc_has_perm(newsid, isec->sid,
2100 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2104 /* Clear any possibly unsafe personality bits on exec: */
2105 current->personality &= ~PER_CLEAR_ON_SETID;
2107 /* Set the security field to the new SID. */
2115 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2117 return secondary_ops->bprm_check_security(bprm);
2121 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2123 const struct cred *cred = current_cred();
2124 const struct task_security_struct *tsec = cred->security;
2132 /* Enable secure mode for SIDs transitions unless
2133 the noatsecure permission is granted between
2134 the two SIDs, i.e. ahp returns 0. */
2135 atsecure = avc_has_perm(osid, sid,
2137 PROCESS__NOATSECURE, NULL);
2140 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2143 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2145 kfree(bprm->security);
2146 bprm->security = NULL;
2149 extern struct vfsmount *selinuxfs_mount;
2150 extern struct dentry *selinux_null;
2152 /* Derived from fs/exec.c:flush_old_files. */
2153 static inline void flush_unauthorized_files(struct files_struct *files)
2155 const struct cred *cred = current_cred();
2156 struct avc_audit_data ad;
2157 struct file *file, *devnull = NULL;
2158 struct tty_struct *tty;
2159 struct fdtable *fdt;
2163 tty = get_current_tty();
2166 if (!list_empty(&tty->tty_files)) {
2167 struct inode *inode;
2169 /* Revalidate access to controlling tty.
2170 Use inode_has_perm on the tty inode directly rather
2171 than using file_has_perm, as this particular open
2172 file may belong to another process and we are only
2173 interested in the inode-based check here. */
2174 file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2175 inode = file->f_path.dentry->d_inode;
2176 if (inode_has_perm(cred, inode,
2177 FILE__READ | FILE__WRITE, NULL)) {
2184 /* Reset controlling tty. */
2188 /* Revalidate access to inherited open files. */
2190 AVC_AUDIT_DATA_INIT(&ad, FS);
2192 spin_lock(&files->file_lock);
2194 unsigned long set, i;
2199 fdt = files_fdtable(files);
2200 if (i >= fdt->max_fds)
2202 set = fdt->open_fds->fds_bits[j];
2205 spin_unlock(&files->file_lock);
2206 for ( ; set ; i++, set >>= 1) {
2211 if (file_has_perm(cred,
2213 file_to_av(file))) {
2215 fd = get_unused_fd();
2225 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2226 if (IS_ERR(devnull)) {
2233 fd_install(fd, devnull);
2238 spin_lock(&files->file_lock);
2241 spin_unlock(&files->file_lock);
2244 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2246 struct task_security_struct *tsec;
2247 struct bprm_security_struct *bsec;
2251 secondary_ops->bprm_apply_creds(bprm, unsafe);
2253 tsec = current_security();
2255 bsec = bprm->security;
2258 tsec->osid = tsec->sid;
2260 if (tsec->sid != sid) {
2261 /* Check for shared state. If not ok, leave SID
2262 unchanged and kill. */
2263 if (unsafe & LSM_UNSAFE_SHARE) {
2264 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2265 PROCESS__SHARE, NULL);
2272 /* Check for ptracing, and update the task SID if ok.
2273 Otherwise, leave SID unchanged and kill. */
2274 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2275 struct task_struct *tracer;
2276 struct task_security_struct *sec;
2280 tracer = tracehook_tracer_task(current);
2281 if (likely(tracer != NULL)) {
2282 sec = __task_cred(tracer)->security;
2288 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2289 PROCESS__PTRACE, NULL);
2301 * called after apply_creds without the task lock held
2303 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2305 struct task_security_struct *tsec;
2306 struct rlimit *rlim, *initrlim;
2307 struct itimerval itimer;
2308 struct bprm_security_struct *bsec;
2309 struct sighand_struct *psig;
2311 unsigned long flags;
2313 tsec = current_security();
2314 bsec = bprm->security;
2317 force_sig_specific(SIGKILL, current);
2320 if (tsec->osid == tsec->sid)
2323 /* Close files for which the new task SID is not authorized. */
2324 flush_unauthorized_files(current->files);
2326 /* Check whether the new SID can inherit signal state
2327 from the old SID. If not, clear itimers to avoid
2328 subsequent signal generation and flush and unblock
2329 signals. This must occur _after_ the task SID has
2330 been updated so that any kill done after the flush
2331 will be checked against the new SID. */
2332 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2333 PROCESS__SIGINH, NULL);
2335 memset(&itimer, 0, sizeof itimer);
2336 for (i = 0; i < 3; i++)
2337 do_setitimer(i, &itimer, NULL);
2338 flush_signals(current);
2339 spin_lock_irq(¤t->sighand->siglock);
2340 flush_signal_handlers(current, 1);
2341 sigemptyset(¤t->blocked);
2342 recalc_sigpending();
2343 spin_unlock_irq(¤t->sighand->siglock);
2346 /* Always clear parent death signal on SID transitions. */
2347 current->pdeath_signal = 0;
2349 /* Check whether the new SID can inherit resource limits
2350 from the old SID. If not, reset all soft limits to
2351 the lower of the current task's hard limit and the init
2352 task's soft limit. Note that the setting of hard limits
2353 (even to lower them) can be controlled by the setrlimit
2354 check. The inclusion of the init task's soft limit into
2355 the computation is to avoid resetting soft limits higher
2356 than the default soft limit for cases where the default
2357 is lower than the hard limit, e.g. RLIMIT_CORE or
2359 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2360 PROCESS__RLIMITINH, NULL);
2362 for (i = 0; i < RLIM_NLIMITS; i++) {
2363 rlim = current->signal->rlim + i;
2364 initrlim = init_task.signal->rlim+i;
2365 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2367 update_rlimit_cpu(rlim->rlim_cur);
2370 /* Wake up the parent if it is waiting so that it can
2371 recheck wait permission to the new task SID. */
2372 read_lock_irq(&tasklist_lock);
2373 psig = current->parent->sighand;
2374 spin_lock_irqsave(&psig->siglock, flags);
2375 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
2376 spin_unlock_irqrestore(&psig->siglock, flags);
2377 read_unlock_irq(&tasklist_lock);
2380 /* superblock security operations */
2382 static int selinux_sb_alloc_security(struct super_block *sb)
2384 return superblock_alloc_security(sb);
2387 static void selinux_sb_free_security(struct super_block *sb)
2389 superblock_free_security(sb);
2392 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2397 return !memcmp(prefix, option, plen);
2400 static inline int selinux_option(char *option, int len)
2402 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2403 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2404 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2405 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2408 static inline void take_option(char **to, char *from, int *first, int len)
2415 memcpy(*to, from, len);
2419 static inline void take_selinux_option(char **to, char *from, int *first,
2422 int current_size = 0;
2430 while (current_size < len) {
2440 static int selinux_sb_copy_data(char *orig, char *copy)
2442 int fnosec, fsec, rc = 0;
2443 char *in_save, *in_curr, *in_end;
2444 char *sec_curr, *nosec_save, *nosec;
2450 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2458 in_save = in_end = orig;
2462 open_quote = !open_quote;
2463 if ((*in_end == ',' && open_quote == 0) ||
2465 int len = in_end - in_curr;
2467 if (selinux_option(in_curr, len))
2468 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2470 take_option(&nosec, in_curr, &fnosec, len);
2472 in_curr = in_end + 1;
2474 } while (*in_end++);
2476 strcpy(in_save, nosec_save);
2477 free_page((unsigned long)nosec_save);
2482 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2484 const struct cred *cred = current_cred();
2485 struct avc_audit_data ad;
2488 rc = superblock_doinit(sb, data);
2492 AVC_AUDIT_DATA_INIT(&ad, FS);
2493 ad.u.fs.path.dentry = sb->s_root;
2494 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2497 static int selinux_sb_statfs(struct dentry *dentry)
2499 const struct cred *cred = current_cred();
2500 struct avc_audit_data ad;
2502 AVC_AUDIT_DATA_INIT(&ad, FS);
2503 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2504 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2507 static int selinux_mount(char *dev_name,
2510 unsigned long flags,
2513 const struct cred *cred = current_cred();
2516 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2520 if (flags & MS_REMOUNT)
2521 return superblock_has_perm(cred, path->mnt->mnt_sb,
2522 FILESYSTEM__REMOUNT, NULL);
2524 return dentry_has_perm(cred, path->mnt, path->dentry,
2528 static int selinux_umount(struct vfsmount *mnt, int flags)
2530 const struct cred *cred = current_cred();
2533 rc = secondary_ops->sb_umount(mnt, flags);
2537 return superblock_has_perm(cred, mnt->mnt_sb,
2538 FILESYSTEM__UNMOUNT, NULL);
2541 /* inode security operations */
2543 static int selinux_inode_alloc_security(struct inode *inode)
2545 return inode_alloc_security(inode);
2548 static void selinux_inode_free_security(struct inode *inode)
2550 inode_free_security(inode);
2553 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2554 char **name, void **value,
2557 const struct cred *cred = current_cred();
2558 const struct task_security_struct *tsec = cred->security;
2559 struct inode_security_struct *dsec;
2560 struct superblock_security_struct *sbsec;
2561 u32 sid, newsid, clen;
2563 char *namep = NULL, *context;
2565 dsec = dir->i_security;
2566 sbsec = dir->i_sb->s_security;
2569 newsid = tsec->create_sid;
2571 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
2572 rc = security_transition_sid(sid, dsec->sid,
2573 inode_mode_to_security_class(inode->i_mode),
2576 printk(KERN_WARNING "%s: "
2577 "security_transition_sid failed, rc=%d (dev=%s "
2580 -rc, inode->i_sb->s_id, inode->i_ino);
2585 /* Possibly defer initialization to selinux_complete_init. */
2586 if (sbsec->initialized) {
2587 struct inode_security_struct *isec = inode->i_security;
2588 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2590 isec->initialized = 1;
2593 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2597 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2604 rc = security_sid_to_context_force(newsid, &context, &clen);
2616 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2618 return may_create(dir, dentry, SECCLASS_FILE);
2621 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2625 rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2628 return may_link(dir, old_dentry, MAY_LINK);
2631 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2635 rc = secondary_ops->inode_unlink(dir, dentry);
2638 return may_link(dir, dentry, MAY_UNLINK);
2641 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2643 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2646 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2648 return may_create(dir, dentry, SECCLASS_DIR);
2651 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2653 return may_link(dir, dentry, MAY_RMDIR);
2656 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2660 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2664 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2667 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2668 struct inode *new_inode, struct dentry *new_dentry)
2670 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2673 static int selinux_inode_readlink(struct dentry *dentry)
2675 const struct cred *cred = current_cred();
2677 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2680 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2682 const struct cred *cred = current_cred();
2685 rc = secondary_ops->inode_follow_link(dentry, nameidata);
2688 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2691 static int selinux_inode_permission(struct inode *inode, int mask)
2693 const struct cred *cred = current_cred();
2696 rc = secondary_ops->inode_permission(inode, mask);
2701 /* No permission to check. Existence test. */
2705 return inode_has_perm(cred, inode,
2706 file_mask_to_av(inode->i_mode, mask), NULL);
2709 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2711 const struct cred *cred = current_cred();
2714 rc = secondary_ops->inode_setattr(dentry, iattr);
2718 if (iattr->ia_valid & ATTR_FORCE)
2721 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2722 ATTR_ATIME_SET | ATTR_MTIME_SET))
2723 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2725 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2728 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2730 const struct cred *cred = current_cred();
2732 return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2735 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2737 const struct cred *cred = current_cred();
2739 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2740 sizeof XATTR_SECURITY_PREFIX - 1)) {
2741 if (!strcmp(name, XATTR_NAME_CAPS)) {
2742 if (!capable(CAP_SETFCAP))
2744 } else if (!capable(CAP_SYS_ADMIN)) {
2745 /* A different attribute in the security namespace.
2746 Restrict to administrator. */
2751 /* Not an attribute we recognize, so just check the
2752 ordinary setattr permission. */
2753 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2756 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2757 const void *value, size_t size, int flags)
2759 struct inode *inode = dentry->d_inode;
2760 struct inode_security_struct *isec = inode->i_security;
2761 struct superblock_security_struct *sbsec;
2762 struct avc_audit_data ad;
2763 u32 newsid, sid = current_sid();
2766 if (strcmp(name, XATTR_NAME_SELINUX))
2767 return selinux_inode_setotherxattr(dentry, name);
2769 sbsec = inode->i_sb->s_security;
2770 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2773 if (!is_owner_or_cap(inode))
2776 AVC_AUDIT_DATA_INIT(&ad, FS);
2777 ad.u.fs.path.dentry = dentry;
2779 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2780 FILE__RELABELFROM, &ad);
2784 rc = security_context_to_sid(value, size, &newsid);
2785 if (rc == -EINVAL) {
2786 if (!capable(CAP_MAC_ADMIN))
2788 rc = security_context_to_sid_force(value, size, &newsid);
2793 rc = avc_has_perm(sid, newsid, isec->sclass,
2794 FILE__RELABELTO, &ad);
2798 rc = security_validate_transition(isec->sid, newsid, sid,
2803 return avc_has_perm(newsid,
2805 SECCLASS_FILESYSTEM,
2806 FILESYSTEM__ASSOCIATE,
2810 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2811 const void *value, size_t size,
2814 struct inode *inode = dentry->d_inode;
2815 struct inode_security_struct *isec = inode->i_security;
2819 if (strcmp(name, XATTR_NAME_SELINUX)) {
2820 /* Not an attribute we recognize, so nothing to do. */
2824 rc = security_context_to_sid_force(value, size, &newsid);
2826 printk(KERN_ERR "SELinux: unable to map context to SID"
2827 "for (%s, %lu), rc=%d\n",
2828 inode->i_sb->s_id, inode->i_ino, -rc);
2836 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2838 const struct cred *cred = current_cred();
2840 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2843 static int selinux_inode_listxattr(struct dentry *dentry)
2845 const struct cred *cred = current_cred();
2847 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2850 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2852 if (strcmp(name, XATTR_NAME_SELINUX))
2853 return selinux_inode_setotherxattr(dentry, name);
2855 /* No one is allowed to remove a SELinux security label.
2856 You can change the label, but all data must be labeled. */
2861 * Copy the inode security context value to the user.
2863 * Permission check is handled by selinux_inode_getxattr hook.
2865 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2869 char *context = NULL;
2870 struct inode_security_struct *isec = inode->i_security;
2872 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2876 * If the caller has CAP_MAC_ADMIN, then get the raw context
2877 * value even if it is not defined by current policy; otherwise,
2878 * use the in-core value under current policy.
2879 * Use the non-auditing forms of the permission checks since
2880 * getxattr may be called by unprivileged processes commonly
2881 * and lack of permission just means that we fall back to the
2882 * in-core context value, not a denial.
2884 error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
2886 error = security_sid_to_context_force(isec->sid, &context,
2889 error = security_sid_to_context(isec->sid, &context, &size);
2902 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2903 const void *value, size_t size, int flags)
2905 struct inode_security_struct *isec = inode->i_security;
2909 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2912 if (!value || !size)
2915 rc = security_context_to_sid((void *)value, size, &newsid);
2923 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2925 const int len = sizeof(XATTR_NAME_SELINUX);
2926 if (buffer && len <= buffer_size)
2927 memcpy(buffer, XATTR_NAME_SELINUX, len);
2931 static int selinux_inode_need_killpriv(struct dentry *dentry)
2933 return secondary_ops->inode_need_killpriv(dentry);
2936 static int selinux_inode_killpriv(struct dentry *dentry)
2938 return secondary_ops->inode_killpriv(dentry);
2941 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2943 struct inode_security_struct *isec = inode->i_security;
2947 /* file security operations */
2949 static int selinux_revalidate_file_permission(struct file *file, int mask)
2951 const struct cred *cred = current_cred();
2953 struct inode *inode = file->f_path.dentry->d_inode;
2956 /* No permission to check. Existence test. */
2960 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2961 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2964 rc = file_has_perm(cred, file,
2965 file_mask_to_av(inode->i_mode, mask));
2969 return selinux_netlbl_inode_permission(inode, mask);
2972 static int selinux_file_permission(struct file *file, int mask)
2974 struct inode *inode = file->f_path.dentry->d_inode;
2975 struct file_security_struct *fsec = file->f_security;
2976 struct inode_security_struct *isec = inode->i_security;
2977 u32 sid = current_sid();
2980 /* No permission to check. Existence test. */
2984 if (sid == fsec->sid && fsec->isid == isec->sid
2985 && fsec->pseqno == avc_policy_seqno())
2986 return selinux_netlbl_inode_permission(inode, mask);
2988 return selinux_revalidate_file_permission(file, mask);
2991 static int selinux_file_alloc_security(struct file *file)
2993 return file_alloc_security(file);
2996 static void selinux_file_free_security(struct file *file)
2998 file_free_security(file);
3001 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3004 const struct cred *cred = current_cred();
3007 if (_IOC_DIR(cmd) & _IOC_WRITE)
3009 if (_IOC_DIR(cmd) & _IOC_READ)
3014 return file_has_perm(cred, file, av);
3017 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3019 const struct cred *cred = current_cred();
3021 #ifndef CONFIG_PPC32
3022 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3024 * We are making executable an anonymous mapping or a
3025 * private file mapping that will also be writable.
3026 * This has an additional check.
3028 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
3035 /* read access is always possible with a mapping */
3036 u32 av = FILE__READ;
3038 /* write access only matters if the mapping is shared */
3039 if (shared && (prot & PROT_WRITE))
3042 if (prot & PROT_EXEC)
3043 av |= FILE__EXECUTE;
3045 return file_has_perm(cred, file, av);
3050 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3051 unsigned long prot, unsigned long flags,
3052 unsigned long addr, unsigned long addr_only)
3055 u32 sid = current_sid();
3057 if (addr < mmap_min_addr)
3058 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3059 MEMPROTECT__MMAP_ZERO, NULL);
3060 if (rc || addr_only)
3063 if (selinux_checkreqprot)
3066 return file_map_prot_check(file, prot,
3067 (flags & MAP_TYPE) == MAP_SHARED);
3070 static int selinux_file_mprotect(struct vm_area_struct *vma,
3071 unsigned long reqprot,
3074 const struct cred *cred = current_cred();
3077 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3081 if (selinux_checkreqprot)
3084 #ifndef CONFIG_PPC32
3085 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3087 if (vma->vm_start >= vma->vm_mm->start_brk &&
3088 vma->vm_end <= vma->vm_mm->brk) {
3089 rc = task_has_perm(current, current,
3091 } else if (!vma->vm_file &&
3092 vma->vm_start <= vma->vm_mm->start_stack &&
3093 vma->vm_end >= vma->vm_mm->start_stack) {
3094 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3095 } else if (vma->vm_file && vma->anon_vma) {
3097 * We are making executable a file mapping that has
3098 * had some COW done. Since pages might have been
3099 * written, check ability to execute the possibly
3100 * modified content. This typically should only
3101 * occur for text relocations.
3103 rc = file_has_perm(cred, vma->vm_file,
3111 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3114 static int selinux_file_lock(struct file *file, unsigned int cmd)
3116 const struct cred *cred = current_cred();
3118 return file_has_perm(cred, file, FILE__LOCK);
3121 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3124 const struct cred *cred = current_cred();
3129 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3134 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3135 err = file_has_perm(cred, file, FILE__WRITE);
3144 /* Just check FD__USE permission */
3145 err = file_has_perm(cred, file, 0);
3150 #if BITS_PER_LONG == 32
3155 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3159 err = file_has_perm(cred, file, FILE__LOCK);
3166 static int selinux_file_set_fowner(struct file *file)
3168 struct file_security_struct *fsec;
3170 fsec = file->f_security;
3171 fsec->fown_sid = current_sid();
3176 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3177 struct fown_struct *fown, int signum)
3180 u32 sid = current_sid();
3182 struct file_security_struct *fsec;
3184 /* struct fown_struct is never outside the context of a struct file */
3185 file = container_of(fown, struct file, f_owner);
3187 fsec = file->f_security;
3190 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3192 perm = signal_to_av(signum);
3194 return avc_has_perm(fsec->fown_sid, sid,
3195 SECCLASS_PROCESS, perm, NULL);
3198 static int selinux_file_receive(struct file *file)
3200 const struct cred *cred = current_cred();
3202 return file_has_perm(cred, file, file_to_av(file));
3205 static int selinux_dentry_open(struct file *file)
3207 const struct cred *cred = current_cred();
3208 struct file_security_struct *fsec;
3209 struct inode *inode;
3210 struct inode_security_struct *isec;
3211 inode = file->f_path.dentry->d_inode;
3212 fsec = file->f_security;
3213 isec = inode->i_security;
3215 * Save inode label and policy sequence number
3216 * at open-time so that selinux_file_permission
3217 * can determine whether revalidation is necessary.
3218 * Task label is already saved in the file security
3219 * struct as its SID.
3221 fsec->isid = isec->sid;
3222 fsec->pseqno = avc_policy_seqno();
3224 * Since the inode label or policy seqno may have changed
3225 * between the selinux_inode_permission check and the saving
3226 * of state above, recheck that access is still permitted.
3227 * Otherwise, access might never be revalidated against the
3228 * new inode label or new policy.
3229 * This check is not redundant - do not remove.
3231 return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3234 /* task security operations */
3236 static int selinux_task_create(unsigned long clone_flags)
3240 rc = secondary_ops->task_create(clone_flags);
3244 return task_has_perm(current, current, PROCESS__FORK);
3247 static int selinux_cred_alloc_security(struct cred *cred)
3249 struct task_security_struct *tsec1, *tsec2;
3252 tsec1 = current_security();
3254 rc = cred_alloc_security(cred);
3257 tsec2 = cred->security;
3259 tsec2->osid = tsec1->osid;
3260 tsec2->sid = tsec1->sid;
3262 /* Retain the exec, fs, key, and sock SIDs across fork */
3263 tsec2->exec_sid = tsec1->exec_sid;
3264 tsec2->create_sid = tsec1->create_sid;
3265 tsec2->keycreate_sid = tsec1->keycreate_sid;
3266 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3272 * detach and free the LSM part of a set of credentials
3274 static void selinux_cred_free(struct cred *cred)
3276 struct task_security_struct *tsec = cred->security;
3277 cred->security = NULL;
3281 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3283 /* Since setuid only affects the current process, and
3284 since the SELinux controls are not based on the Linux
3285 identity attributes, SELinux does not need to control
3286 this operation. However, SELinux does control the use
3287 of the CAP_SETUID and CAP_SETGID capabilities using the
3292 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3294 return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3297 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3299 /* See the comment for setuid above. */
3303 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3305 return task_has_perm(current, p, PROCESS__SETPGID);
3308 static int selinux_task_getpgid(struct task_struct *p)
3310 return task_has_perm(current, p, PROCESS__GETPGID);
3313 static int selinux_task_getsid(struct task_struct *p)
3315 return task_has_perm(current, p, PROCESS__GETSESSION);
3318 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3320 *secid = task_sid(p);
3323 static int selinux_task_setgroups(struct group_info *group_info)
3325 /* See the comment for setuid above. */
3329 static int selinux_task_setnice(struct task_struct *p, int nice)
3333 rc = secondary_ops->task_setnice(p, nice);
3337 return task_has_perm(current, p, PROCESS__SETSCHED);
3340 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3344 rc = secondary_ops->task_setioprio(p, ioprio);
3348 return task_has_perm(current, p, PROCESS__SETSCHED);
3351 static int selinux_task_getioprio(struct task_struct *p)
3353 return task_has_perm(current, p, PROCESS__GETSCHED);
3356 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3358 struct rlimit *old_rlim = current->signal->rlim + resource;
3361 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3365 /* Control the ability to change the hard limit (whether
3366 lowering or raising it), so that the hard limit can
3367 later be used as a safe reset point for the soft limit
3368 upon context transitions. See selinux_bprm_apply_creds. */
3369 if (old_rlim->rlim_max != new_rlim->rlim_max)
3370 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3375 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3379 rc = secondary_ops->task_setscheduler(p, policy, lp);
3383 return task_has_perm(current, p, PROCESS__SETSCHED);
3386 static int selinux_task_getscheduler(struct task_struct *p)
3388 return task_has_perm(current, p, PROCESS__GETSCHED);
3391 static int selinux_task_movememory(struct task_struct *p)
3393 return task_has_perm(current, p, PROCESS__SETSCHED);
3396 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3402 rc = secondary_ops->task_kill(p, info, sig, secid);
3407 perm = PROCESS__SIGNULL; /* null signal; existence test */
3409 perm = signal_to_av(sig);
3411 rc = avc_has_perm(secid, task_sid(p),
3412 SECCLASS_PROCESS, perm, NULL);
3414 rc = task_has_perm(current, p, perm);
3418 static int selinux_task_prctl(int option,
3425 /* The current prctl operations do not appear to require
3426 any SELinux controls since they merely observe or modify
3427 the state of the current process. */
3428 return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
3431 static int selinux_task_wait(struct task_struct *p)
3433 return task_has_perm(p, current, PROCESS__SIGCHLD);
3436 static void selinux_task_reparent_to_init(struct task_struct *p)
3438 struct task_security_struct *tsec;
3440 secondary_ops->task_reparent_to_init(p);
3442 tsec = p->cred->security;
3443 tsec->osid = tsec->sid;
3444 tsec->sid = SECINITSID_KERNEL;
3448 static void selinux_task_to_inode(struct task_struct *p,
3449 struct inode *inode)
3451 struct inode_security_struct *isec = inode->i_security;
3452 u32 sid = task_sid(p);
3455 isec->initialized = 1;
3458 /* Returns error only if unable to parse addresses */
3459 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3460 struct avc_audit_data *ad, u8 *proto)
3462 int offset, ihlen, ret = -EINVAL;
3463 struct iphdr _iph, *ih;
3465 offset = skb_network_offset(skb);
3466 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3470 ihlen = ih->ihl * 4;
3471 if (ihlen < sizeof(_iph))
3474 ad->u.net.v4info.saddr = ih->saddr;
3475 ad->u.net.v4info.daddr = ih->daddr;
3479 *proto = ih->protocol;
3481 switch (ih->protocol) {
3483 struct tcphdr _tcph, *th;
3485 if (ntohs(ih->frag_off) & IP_OFFSET)
3489 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3493 ad->u.net.sport = th->source;
3494 ad->u.net.dport = th->dest;
3499 struct udphdr _udph, *uh;
3501 if (ntohs(ih->frag_off) & IP_OFFSET)
3505 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3509 ad->u.net.sport = uh->source;
3510 ad->u.net.dport = uh->dest;
3514 case IPPROTO_DCCP: {
3515 struct dccp_hdr _dccph, *dh;
3517 if (ntohs(ih->frag_off) & IP_OFFSET)
3521 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3525 ad->u.net.sport = dh->dccph_sport;
3526 ad->u.net.dport = dh->dccph_dport;
3537 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3539 /* Returns error only if unable to parse addresses */
3540 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3541 struct avc_audit_data *ad, u8 *proto)
3544 int ret = -EINVAL, offset;
3545 struct ipv6hdr _ipv6h, *ip6;
3547 offset = skb_network_offset(skb);
3548 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3552 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3553 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3556 nexthdr = ip6->nexthdr;
3557 offset += sizeof(_ipv6h);
3558 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3567 struct tcphdr _tcph, *th;
3569 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3573 ad->u.net.sport = th->source;
3574 ad->u.net.dport = th->dest;
3579 struct udphdr _udph, *uh;
3581 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3585 ad->u.net.sport = uh->source;
3586 ad->u.net.dport = uh->dest;
3590 case IPPROTO_DCCP: {
3591 struct dccp_hdr _dccph, *dh;
3593 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3597 ad->u.net.sport = dh->dccph_sport;
3598 ad->u.net.dport = dh->dccph_dport;
3602 /* includes fragments */
3612 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3613 char **_addrp, int src, u8 *proto)
3618 switch (ad->u.net.family) {
3620 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3623 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3624 &ad->u.net.v4info.daddr);
3627 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3629 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3632 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3633 &ad->u.net.v6info.daddr);
3643 "SELinux: failure in selinux_parse_skb(),"
3644 " unable to parse packet\n");
3654 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3656 * @family: protocol family
3657 * @sid: the packet's peer label SID
3660 * Check the various different forms of network peer labeling and determine
3661 * the peer label/SID for the packet; most of the magic actually occurs in
3662 * the security server function security_net_peersid_cmp(). The function
3663 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3664 * or -EACCES if @sid is invalid due to inconsistencies with the different
3668 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3675 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3676 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3678 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3679 if (unlikely(err)) {
3681 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3682 " unable to determine packet's peer label\n");
3689 /* socket security operations */
3690 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3693 struct inode_security_struct *isec;
3694 struct avc_audit_data ad;
3698 isec = SOCK_INODE(sock)->i_security;
3700 if (isec->sid == SECINITSID_KERNEL)
3702 sid = task_sid(task);
3704 AVC_AUDIT_DATA_INIT(&ad, NET);
3705 ad.u.net.sk = sock->sk;
3706 err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
3712 static int selinux_socket_create(int family, int type,
3713 int protocol, int kern)
3715 const struct cred *cred = current_cred();
3716 const struct task_security_struct *tsec = cred->security;
3725 newsid = tsec->sockcreate_sid ?: sid;
3727 secclass = socket_type_to_security_class(family, type, protocol);
3728 err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL);
3734 static int selinux_socket_post_create(struct socket *sock, int family,
3735 int type, int protocol, int kern)
3737 const struct cred *cred = current_cred();
3738 const struct task_security_struct *tsec = cred->security;
3739 struct inode_security_struct *isec;
3740 struct sk_security_struct *sksec;
3745 newsid = tsec->sockcreate_sid;
3747 isec = SOCK_INODE(sock)->i_security;
3750 isec->sid = SECINITSID_KERNEL;
3756 isec->sclass = socket_type_to_security_class(family, type, protocol);
3757 isec->initialized = 1;
3760 sksec = sock->sk->sk_security;
3761 sksec->sid = isec->sid;
3762 sksec->sclass = isec->sclass;
3763 err = selinux_netlbl_socket_post_create(sock);
3769 /* Range of port numbers used to automatically bind.
3770 Need to determine whether we should perform a name_bind
3771 permission check between the socket and the port number. */
3773 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3778 err = socket_has_perm(current, sock, SOCKET__BIND);
3783 * If PF_INET or PF_INET6, check name_bind permission for the port.
3784 * Multiple address binding for SCTP is not supported yet: we just
3785 * check the first address now.
3787 family = sock->sk->sk_family;
3788 if (family == PF_INET || family == PF_INET6) {
3790 struct inode_security_struct *isec;
3791 struct avc_audit_data ad;
3792 struct sockaddr_in *addr4 = NULL;
3793 struct sockaddr_in6 *addr6 = NULL;
3794 unsigned short snum;
3795 struct sock *sk = sock->sk;
3798 isec = SOCK_INODE(sock)->i_security;
3800 if (family == PF_INET) {
3801 addr4 = (struct sockaddr_in *)address;
3802 snum = ntohs(addr4->sin_port);
3803 addrp = (char *)&addr4->sin_addr.s_addr;
3805 addr6 = (struct sockaddr_in6 *)address;
3806 snum = ntohs(addr6->sin6_port);
3807 addrp = (char *)&addr6->sin6_addr.s6_addr;
3813 inet_get_local_port_range(&low, &high);
3815 if (snum < max(PROT_SOCK, low) || snum > high) {
3816 err = sel_netport_sid(sk->sk_protocol,
3820 AVC_AUDIT_DATA_INIT(&ad, NET);
3821 ad.u.net.sport = htons(snum);
3822 ad.u.net.family = family;
3823 err = avc_has_perm(isec->sid, sid,
3825 SOCKET__NAME_BIND, &ad);
3831 switch (isec->sclass) {
3832 case SECCLASS_TCP_SOCKET:
3833 node_perm = TCP_SOCKET__NODE_BIND;
3836 case SECCLASS_UDP_SOCKET:
3837 node_perm = UDP_SOCKET__NODE_BIND;
3840 case SECCLASS_DCCP_SOCKET:
3841 node_perm = DCCP_SOCKET__NODE_BIND;
3845 node_perm = RAWIP_SOCKET__NODE_BIND;
3849 err = sel_netnode_sid(addrp, family, &sid);
3853 AVC_AUDIT_DATA_INIT(&ad, NET);
3854 ad.u.net.sport = htons(snum);
3855 ad.u.net.family = family;
3857 if (family == PF_INET)
3858 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3860 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3862 err = avc_has_perm(isec->sid, sid,
3863 isec->sclass, node_perm, &ad);
3871 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3873 struct sock *sk = sock->sk;
3874 struct inode_security_struct *isec;
3877 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3882 * If a TCP or DCCP socket, check name_connect permission for the port.
3884 isec = SOCK_INODE(sock)->i_security;
3885 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3886 isec->sclass == SECCLASS_DCCP_SOCKET) {
3887 struct avc_audit_data ad;
3888 struct sockaddr_in *addr4 = NULL;
3889 struct sockaddr_in6 *addr6 = NULL;
3890 unsigned short snum;
3893 if (sk->sk_family == PF_INET) {
3894 addr4 = (struct sockaddr_in *)address;
3895 if (addrlen < sizeof(struct sockaddr_in))
3897 snum = ntohs(addr4->sin_port);
3899 addr6 = (struct sockaddr_in6 *)address;
3900 if (addrlen < SIN6_LEN_RFC2133)
3902 snum = ntohs(addr6->sin6_port);
3905 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3909 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3910 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3912 AVC_AUDIT_DATA_INIT(&ad, NET);
3913 ad.u.net.dport = htons(snum);
3914 ad.u.net.family = sk->sk_family;
3915 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3920 err = selinux_netlbl_socket_connect(sk, address);
3926 static int selinux_socket_listen(struct socket *sock, int backlog)
3928 return socket_has_perm(current, sock, SOCKET__LISTEN);
3931 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3934 struct inode_security_struct *isec;
3935 struct inode_security_struct *newisec;
3937 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3941 newisec = SOCK_INODE(newsock)->i_security;
3943 isec = SOCK_INODE(sock)->i_security;
3944 newisec->sclass = isec->sclass;
3945 newisec->sid = isec->sid;
3946 newisec->initialized = 1;
3951 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3956 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3960 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3963 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3964 int size, int flags)
3966 return socket_has_perm(current, sock, SOCKET__READ);
3969 static int selinux_socket_getsockname(struct socket *sock)
3971 return socket_has_perm(current, sock, SOCKET__GETATTR);
3974 static int selinux_socket_getpeername(struct socket *sock)
3976 return socket_has_perm(current, sock, SOCKET__GETATTR);
3979 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3983 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3987 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3990 static int selinux_socket_getsockopt(struct socket *sock, int level,
3993 return socket_has_perm(current, sock, SOCKET__GETOPT);
3996 static int selinux_socket_shutdown(struct socket *sock, int how)
3998 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
4001 static int selinux_socket_unix_stream_connect(struct socket *sock,
4002 struct socket *other,
4005 struct sk_security_struct *ssec;
4006 struct inode_security_struct *isec;
4007 struct inode_security_struct *other_isec;
4008 struct avc_audit_data ad;
4011 err = secondary_ops->unix_stream_connect(sock, other, newsk);
4015 isec = SOCK_INODE(sock)->i_security;
4016 other_isec = SOCK_INODE(other)->i_security;
4018 AVC_AUDIT_DATA_INIT(&ad, NET);
4019 ad.u.net.sk = other->sk;
4021 err = avc_has_perm(isec->sid, other_isec->sid,
4023 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4027 /* connecting socket */
4028 ssec = sock->sk->sk_security;
4029 ssec->peer_sid = other_isec->sid;
4031 /* server child socket */
4032 ssec = newsk->sk_security;
4033 ssec->peer_sid = isec->sid;
4034 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
4039 static int selinux_socket_unix_may_send(struct socket *sock,
4040 struct socket *other)
4042 struct inode_security_struct *isec;
4043 struct inode_security_struct *other_isec;
4044 struct avc_audit_data ad;
4047 isec = SOCK_INODE(sock)->i_security;
4048 other_isec = SOCK_INODE(other)->i_security;
4050 AVC_AUDIT_DATA_INIT(&ad, NET);
4051 ad.u.net.sk = other->sk;
4053 err = avc_has_perm(isec->sid, other_isec->sid,
4054 isec->sclass, SOCKET__SENDTO, &ad);
4061 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4063 struct avc_audit_data *ad)
4069 err = sel_netif_sid(ifindex, &if_sid);
4072 err = avc_has_perm(peer_sid, if_sid,
4073 SECCLASS_NETIF, NETIF__INGRESS, ad);
4077 err = sel_netnode_sid(addrp, family, &node_sid);
4080 return avc_has_perm(peer_sid, node_sid,
4081 SECCLASS_NODE, NODE__RECVFROM, ad);
4084 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4085 struct sk_buff *skb,
4086 struct avc_audit_data *ad,
4091 struct sk_security_struct *sksec = sk->sk_security;
4093 u32 netif_perm, node_perm, recv_perm;
4094 u32 port_sid, node_sid, if_sid, sk_sid;
4096 sk_sid = sksec->sid;
4097 sk_class = sksec->sclass;
4100 case SECCLASS_UDP_SOCKET:
4101 netif_perm = NETIF__UDP_RECV;
4102 node_perm = NODE__UDP_RECV;
4103 recv_perm = UDP_SOCKET__RECV_MSG;
4105 case SECCLASS_TCP_SOCKET:
4106 netif_perm = NETIF__TCP_RECV;
4107 node_perm = NODE__TCP_RECV;
4108 recv_perm = TCP_SOCKET__RECV_MSG;
4110 case SECCLASS_DCCP_SOCKET:
4111 netif_perm = NETIF__DCCP_RECV;
4112 node_perm = NODE__DCCP_RECV;
4113 recv_perm = DCCP_SOCKET__RECV_MSG;
4116 netif_perm = NETIF__RAWIP_RECV;
4117 node_perm = NODE__RAWIP_RECV;
4122 err = sel_netif_sid(skb->iif, &if_sid);
4125 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4129 err = sel_netnode_sid(addrp, family, &node_sid);
4132 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4138 err = sel_netport_sid(sk->sk_protocol,
4139 ntohs(ad->u.net.sport), &port_sid);
4140 if (unlikely(err)) {
4142 "SELinux: failure in"
4143 " selinux_sock_rcv_skb_iptables_compat(),"
4144 " network port label not found\n");
4147 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4150 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4154 struct sk_security_struct *sksec = sk->sk_security;
4156 u32 sk_sid = sksec->sid;
4157 struct avc_audit_data ad;
4160 AVC_AUDIT_DATA_INIT(&ad, NET);
4161 ad.u.net.netif = skb->iif;
4162 ad.u.net.family = family;
4163 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4167 if (selinux_compat_net)
4168 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
4171 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4176 if (selinux_policycap_netpeer) {
4177 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4180 err = avc_has_perm(sk_sid, peer_sid,
4181 SECCLASS_PEER, PEER__RECV, &ad);
4183 selinux_netlbl_err(skb, err, 0);
4185 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4188 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4194 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4197 struct sk_security_struct *sksec = sk->sk_security;
4198 u16 family = sk->sk_family;
4199 u32 sk_sid = sksec->sid;
4200 struct avc_audit_data ad;
4205 if (family != PF_INET && family != PF_INET6)
4208 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4209 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4212 /* If any sort of compatibility mode is enabled then handoff processing
4213 * to the selinux_sock_rcv_skb_compat() function to deal with the
4214 * special handling. We do this in an attempt to keep this function
4215 * as fast and as clean as possible. */
4216 if (selinux_compat_net || !selinux_policycap_netpeer)
4217 return selinux_sock_rcv_skb_compat(sk, skb, family);
4219 secmark_active = selinux_secmark_enabled();
4220 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4221 if (!secmark_active && !peerlbl_active)
4224 AVC_AUDIT_DATA_INIT(&ad, NET);
4225 ad.u.net.netif = skb->iif;
4226 ad.u.net.family = family;
4227 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4231 if (peerlbl_active) {
4234 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4237 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4240 selinux_netlbl_err(skb, err, 0);
4243 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4246 selinux_netlbl_err(skb, err, 0);
4249 if (secmark_active) {
4250 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4259 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4260 int __user *optlen, unsigned len)
4265 struct sk_security_struct *ssec;
4266 struct inode_security_struct *isec;
4267 u32 peer_sid = SECSID_NULL;
4269 isec = SOCK_INODE(sock)->i_security;
4271 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4272 isec->sclass == SECCLASS_TCP_SOCKET) {
4273 ssec = sock->sk->sk_security;
4274 peer_sid = ssec->peer_sid;
4276 if (peer_sid == SECSID_NULL) {
4281 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4286 if (scontext_len > len) {
4291 if (copy_to_user(optval, scontext, scontext_len))
4295 if (put_user(scontext_len, optlen))
4303 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4305 u32 peer_secid = SECSID_NULL;
4308 if (skb && skb->protocol == htons(ETH_P_IP))
4310 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4313 family = sock->sk->sk_family;
4317 if (sock && family == PF_UNIX)
4318 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4320 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4323 *secid = peer_secid;
4324 if (peer_secid == SECSID_NULL)
4329 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4331 return sk_alloc_security(sk, family, priority);
4334 static void selinux_sk_free_security(struct sock *sk)
4336 sk_free_security(sk);
4339 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4341 struct sk_security_struct *ssec = sk->sk_security;
4342 struct sk_security_struct *newssec = newsk->sk_security;
4344 newssec->sid = ssec->sid;
4345 newssec->peer_sid = ssec->peer_sid;
4346 newssec->sclass = ssec->sclass;
4348 selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4351 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4354 *secid = SECINITSID_ANY_SOCKET;
4356 struct sk_security_struct *sksec = sk->sk_security;
4358 *secid = sksec->sid;
4362 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4364 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4365 struct sk_security_struct *sksec = sk->sk_security;
4367 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4368 sk->sk_family == PF_UNIX)
4369 isec->sid = sksec->sid;
4370 sksec->sclass = isec->sclass;
4373 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4374 struct request_sock *req)
4376 struct sk_security_struct *sksec = sk->sk_security;
4378 u16 family = sk->sk_family;
4382 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4383 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4386 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4389 if (peersid == SECSID_NULL) {
4390 req->secid = sksec->sid;
4391 req->peer_secid = SECSID_NULL;
4395 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4399 req->secid = newsid;
4400 req->peer_secid = peersid;
4404 static void selinux_inet_csk_clone(struct sock *newsk,
4405 const struct request_sock *req)
4407 struct sk_security_struct *newsksec = newsk->sk_security;
4409 newsksec->sid = req->secid;
4410 newsksec->peer_sid = req->peer_secid;
4411 /* NOTE: Ideally, we should also get the isec->sid for the
4412 new socket in sync, but we don't have the isec available yet.
4413 So we will wait until sock_graft to do it, by which
4414 time it will have been created and available. */
4416 /* We don't need to take any sort of lock here as we are the only
4417 * thread with access to newsksec */
4418 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4421 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4423 u16 family = sk->sk_family;
4424 struct sk_security_struct *sksec = sk->sk_security;
4426 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4427 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4430 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4432 selinux_netlbl_inet_conn_established(sk, family);
4435 static void selinux_req_classify_flow(const struct request_sock *req,
4438 fl->secid = req->secid;
4441 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4445 struct nlmsghdr *nlh;
4446 struct socket *sock = sk->sk_socket;
4447 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4449 if (skb->len < NLMSG_SPACE(0)) {
4453 nlh = nlmsg_hdr(skb);
4455 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4457 if (err == -EINVAL) {
4458 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4459 "SELinux: unrecognized netlink message"
4460 " type=%hu for sclass=%hu\n",
4461 nlh->nlmsg_type, isec->sclass);
4462 if (!selinux_enforcing || security_get_allow_unknown())
4472 err = socket_has_perm(current, sock, perm);
4477 #ifdef CONFIG_NETFILTER
4479 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4485 struct avc_audit_data ad;
4490 if (!selinux_policycap_netpeer)
4493 secmark_active = selinux_secmark_enabled();
4494 netlbl_active = netlbl_enabled();
4495 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4496 if (!secmark_active && !peerlbl_active)
4499 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4502 AVC_AUDIT_DATA_INIT(&ad, NET);
4503 ad.u.net.netif = ifindex;
4504 ad.u.net.family = family;
4505 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4508 if (peerlbl_active) {
4509 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4512 selinux_netlbl_err(skb, err, 1);
4518 if (avc_has_perm(peer_sid, skb->secmark,
4519 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4523 /* we do this in the FORWARD path and not the POST_ROUTING
4524 * path because we want to make sure we apply the necessary
4525 * labeling before IPsec is applied so we can leverage AH
4527 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4533 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4534 struct sk_buff *skb,
4535 const struct net_device *in,
4536 const struct net_device *out,
4537 int (*okfn)(struct sk_buff *))
4539 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4542 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4543 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4544 struct sk_buff *skb,
4545 const struct net_device *in,
4546 const struct net_device *out,
4547 int (*okfn)(struct sk_buff *))
4549 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4553 static unsigned int selinux_ip_output(struct sk_buff *skb,
4558 if (!netlbl_enabled())
4561 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4562 * because we want to make sure we apply the necessary labeling
4563 * before IPsec is applied so we can leverage AH protection */
4565 struct sk_security_struct *sksec = skb->sk->sk_security;
4568 sid = SECINITSID_KERNEL;
4569 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4575 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4576 struct sk_buff *skb,
4577 const struct net_device *in,
4578 const struct net_device *out,
4579 int (*okfn)(struct sk_buff *))
4581 return selinux_ip_output(skb, PF_INET);
4584 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4586 struct avc_audit_data *ad,
4587 u16 family, char *addrp)
4590 struct sk_security_struct *sksec = sk->sk_security;
4592 u32 netif_perm, node_perm, send_perm;
4593 u32 port_sid, node_sid, if_sid, sk_sid;
4595 sk_sid = sksec->sid;
4596 sk_class = sksec->sclass;
4599 case SECCLASS_UDP_SOCKET:
4600 netif_perm = NETIF__UDP_SEND;
4601 node_perm = NODE__UDP_SEND;
4602 send_perm = UDP_SOCKET__SEND_MSG;
4604 case SECCLASS_TCP_SOCKET:
4605 netif_perm = NETIF__TCP_SEND;
4606 node_perm = NODE__TCP_SEND;
4607 send_perm = TCP_SOCKET__SEND_MSG;
4609 case SECCLASS_DCCP_SOCKET:
4610 netif_perm = NETIF__DCCP_SEND;
4611 node_perm = NODE__DCCP_SEND;
4612 send_perm = DCCP_SOCKET__SEND_MSG;
4615 netif_perm = NETIF__RAWIP_SEND;
4616 node_perm = NODE__RAWIP_SEND;
4621 err = sel_netif_sid(ifindex, &if_sid);
4624 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4627 err = sel_netnode_sid(addrp, family, &node_sid);
4630 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4637 err = sel_netport_sid(sk->sk_protocol,
4638 ntohs(ad->u.net.dport), &port_sid);
4639 if (unlikely(err)) {
4641 "SELinux: failure in"
4642 " selinux_ip_postroute_iptables_compat(),"
4643 " network port label not found\n");
4646 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4649 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4653 struct sock *sk = skb->sk;
4654 struct sk_security_struct *sksec;
4655 struct avc_audit_data ad;
4661 sksec = sk->sk_security;
4663 AVC_AUDIT_DATA_INIT(&ad, NET);
4664 ad.u.net.netif = ifindex;
4665 ad.u.net.family = family;
4666 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4669 if (selinux_compat_net) {
4670 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4671 &ad, family, addrp))
4674 if (avc_has_perm(sksec->sid, skb->secmark,
4675 SECCLASS_PACKET, PACKET__SEND, &ad))
4679 if (selinux_policycap_netpeer)
4680 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4686 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4692 struct avc_audit_data ad;
4697 /* If any sort of compatibility mode is enabled then handoff processing
4698 * to the selinux_ip_postroute_compat() function to deal with the
4699 * special handling. We do this in an attempt to keep this function
4700 * as fast and as clean as possible. */
4701 if (selinux_compat_net || !selinux_policycap_netpeer)
4702 return selinux_ip_postroute_compat(skb, ifindex, family);
4704 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4705 * packet transformation so allow the packet to pass without any checks
4706 * since we'll have another chance to perform access control checks
4707 * when the packet is on it's final way out.
4708 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4709 * is NULL, in this case go ahead and apply access control. */
4710 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4713 secmark_active = selinux_secmark_enabled();
4714 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4715 if (!secmark_active && !peerlbl_active)
4718 /* if the packet is being forwarded then get the peer label from the
4719 * packet itself; otherwise check to see if it is from a local
4720 * application or the kernel, if from an application get the peer label
4721 * from the sending socket, otherwise use the kernel's sid */
4726 if (IPCB(skb)->flags & IPSKB_FORWARDED)
4727 secmark_perm = PACKET__FORWARD_OUT;
4729 secmark_perm = PACKET__SEND;
4732 if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
4733 secmark_perm = PACKET__FORWARD_OUT;
4735 secmark_perm = PACKET__SEND;
4740 if (secmark_perm == PACKET__FORWARD_OUT) {
4741 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4744 peer_sid = SECINITSID_KERNEL;
4746 struct sk_security_struct *sksec = sk->sk_security;
4747 peer_sid = sksec->sid;
4748 secmark_perm = PACKET__SEND;
4751 AVC_AUDIT_DATA_INIT(&ad, NET);
4752 ad.u.net.netif = ifindex;
4753 ad.u.net.family = family;
4754 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4758 if (avc_has_perm(peer_sid, skb->secmark,
4759 SECCLASS_PACKET, secmark_perm, &ad))
4762 if (peerlbl_active) {
4766 if (sel_netif_sid(ifindex, &if_sid))
4768 if (avc_has_perm(peer_sid, if_sid,
4769 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4772 if (sel_netnode_sid(addrp, family, &node_sid))
4774 if (avc_has_perm(peer_sid, node_sid,
4775 SECCLASS_NODE, NODE__SENDTO, &ad))
4782 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4783 struct sk_buff *skb,
4784 const struct net_device *in,
4785 const struct net_device *out,
4786 int (*okfn)(struct sk_buff *))
4788 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4791 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4792 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4793 struct sk_buff *skb,
4794 const struct net_device *in,
4795 const struct net_device *out,
4796 int (*okfn)(struct sk_buff *))
4798 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4802 #endif /* CONFIG_NETFILTER */
4804 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4808 err = secondary_ops->netlink_send(sk, skb);
4812 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4813 err = selinux_nlmsg_perm(sk, skb);
4818 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4821 struct avc_audit_data ad;
4823 err = secondary_ops->netlink_recv(skb, capability);
4827 AVC_AUDIT_DATA_INIT(&ad, CAP);
4828 ad.u.cap = capability;
4830 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4831 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4834 static int ipc_alloc_security(struct task_struct *task,
4835 struct kern_ipc_perm *perm,
4838 struct ipc_security_struct *isec;
4841 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4845 sid = task_sid(task);
4846 isec->sclass = sclass;
4848 perm->security = isec;
4853 static void ipc_free_security(struct kern_ipc_perm *perm)
4855 struct ipc_security_struct *isec = perm->security;
4856 perm->security = NULL;
4860 static int msg_msg_alloc_security(struct msg_msg *msg)
4862 struct msg_security_struct *msec;
4864 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4868 msec->sid = SECINITSID_UNLABELED;
4869 msg->security = msec;
4874 static void msg_msg_free_security(struct msg_msg *msg)
4876 struct msg_security_struct *msec = msg->security;
4878 msg->security = NULL;
4882 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4885 struct ipc_security_struct *isec;
4886 struct avc_audit_data ad;
4887 u32 sid = current_sid();
4889 isec = ipc_perms->security;
4891 AVC_AUDIT_DATA_INIT(&ad, IPC);
4892 ad.u.ipc_id = ipc_perms->key;
4894 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4897 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4899 return msg_msg_alloc_security(msg);
4902 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4904 msg_msg_free_security(msg);
4907 /* message queue security operations */
4908 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4910 struct ipc_security_struct *isec;
4911 struct avc_audit_data ad;
4912 u32 sid = current_sid();
4915 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4919 isec = msq->q_perm.security;
4921 AVC_AUDIT_DATA_INIT(&ad, IPC);
4922 ad.u.ipc_id = msq->q_perm.key;
4924 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4927 ipc_free_security(&msq->q_perm);
4933 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4935 ipc_free_security(&msq->q_perm);
4938 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4940 struct ipc_security_struct *isec;
4941 struct avc_audit_data ad;
4942 u32 sid = current_sid();
4944 isec = msq->q_perm.security;
4946 AVC_AUDIT_DATA_INIT(&ad, IPC);
4947 ad.u.ipc_id = msq->q_perm.key;
4949 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4950 MSGQ__ASSOCIATE, &ad);
4953 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4961 /* No specific object, just general system-wide information. */
4962 return task_has_system(current, SYSTEM__IPC_INFO);
4965 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4968 perms = MSGQ__SETATTR;
4971 perms = MSGQ__DESTROY;
4977 err = ipc_has_perm(&msq->q_perm, perms);
4981 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4983 struct ipc_security_struct *isec;
4984 struct msg_security_struct *msec;
4985 struct avc_audit_data ad;
4986 u32 sid = current_sid();
4989 isec = msq->q_perm.security;
4990 msec = msg->security;
4993 * First time through, need to assign label to the message
4995 if (msec->sid == SECINITSID_UNLABELED) {
4997 * Compute new sid based on current process and
4998 * message queue this message will be stored in
5000 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5006 AVC_AUDIT_DATA_INIT(&ad, IPC);
5007 ad.u.ipc_id = msq->q_perm.key;
5009 /* Can this process write to the queue? */
5010 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5013 /* Can this process send the message */
5014 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5017 /* Can the message be put in the queue? */
5018 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5019 MSGQ__ENQUEUE, &ad);
5024 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5025 struct task_struct *target,
5026 long type, int mode)
5028 struct ipc_security_struct *isec;
5029 struct msg_security_struct *msec;
5030 struct avc_audit_data ad;
5031 u32 sid = task_sid(target);
5034 isec = msq->q_perm.security;
5035 msec = msg->security;
5037 AVC_AUDIT_DATA_INIT(&ad, IPC);
5038 ad.u.ipc_id = msq->q_perm.key;
5040 rc = avc_has_perm(sid, isec->sid,
5041 SECCLASS_MSGQ, MSGQ__READ, &ad);
5043 rc = avc_has_perm(sid, msec->sid,
5044 SECCLASS_MSG, MSG__RECEIVE, &ad);
5048 /* Shared Memory security operations */
5049 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5051 struct ipc_security_struct *isec;
5052 struct avc_audit_data ad;
5053 u32 sid = current_sid();
5056 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5060 isec = shp->shm_perm.security;
5062 AVC_AUDIT_DATA_INIT(&ad, IPC);
5063 ad.u.ipc_id = shp->shm_perm.key;
5065 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5068 ipc_free_security(&shp->shm_perm);
5074 static void selinux_shm_free_security(struct shmid_kernel *shp)
5076 ipc_free_security(&shp->shm_perm);
5079 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5081 struct ipc_security_struct *isec;
5082 struct avc_audit_data ad;
5083 u32 sid = current_sid();
5085 isec = shp->shm_perm.security;
5087 AVC_AUDIT_DATA_INIT(&ad, IPC);
5088 ad.u.ipc_id = shp->shm_perm.key;
5090 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5091 SHM__ASSOCIATE, &ad);
5094 /* Note, at this point, shp is locked down */
5095 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5103 /* No specific object, just general system-wide information. */
5104 return task_has_system(current, SYSTEM__IPC_INFO);
5107 perms = SHM__GETATTR | SHM__ASSOCIATE;
5110 perms = SHM__SETATTR;
5117 perms = SHM__DESTROY;
5123 err = ipc_has_perm(&shp->shm_perm, perms);
5127 static int selinux_shm_shmat(struct shmid_kernel *shp,
5128 char __user *shmaddr, int shmflg)
5133 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
5137 if (shmflg & SHM_RDONLY)
5140 perms = SHM__READ | SHM__WRITE;
5142 return ipc_has_perm(&shp->shm_perm, perms);
5145 /* Semaphore security operations */
5146 static int selinux_sem_alloc_security(struct sem_array *sma)
5148 struct ipc_security_struct *isec;
5149 struct avc_audit_data ad;
5150 u32 sid = current_sid();
5153 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5157 isec = sma->sem_perm.security;
5159 AVC_AUDIT_DATA_INIT(&ad, IPC);
5160 ad.u.ipc_id = sma->sem_perm.key;
5162 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5165 ipc_free_security(&sma->sem_perm);
5171 static void selinux_sem_free_security(struct sem_array *sma)
5173 ipc_free_security(&sma->sem_perm);
5176 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5178 struct ipc_security_struct *isec;
5179 struct avc_audit_data ad;
5180 u32 sid = current_sid();
5182 isec = sma->sem_perm.security;
5184 AVC_AUDIT_DATA_INIT(&ad, IPC);
5185 ad.u.ipc_id = sma->sem_perm.key;
5187 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5188 SEM__ASSOCIATE, &ad);
5191 /* Note, at this point, sma is locked down */
5192 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5200 /* No specific object, just general system-wide information. */
5201 return task_has_system(current, SYSTEM__IPC_INFO);
5205 perms = SEM__GETATTR;
5216 perms = SEM__DESTROY;
5219 perms = SEM__SETATTR;
5223 perms = SEM__GETATTR | SEM__ASSOCIATE;
5229 err = ipc_has_perm(&sma->sem_perm, perms);
5233 static int selinux_sem_semop(struct sem_array *sma,
5234 struct sembuf *sops, unsigned nsops, int alter)
5239 perms = SEM__READ | SEM__WRITE;
5243 return ipc_has_perm(&sma->sem_perm, perms);
5246 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5252 av |= IPC__UNIX_READ;
5254 av |= IPC__UNIX_WRITE;
5259 return ipc_has_perm(ipcp, av);
5262 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5264 struct ipc_security_struct *isec = ipcp->security;
5268 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5271 inode_doinit_with_dentry(inode, dentry);
5274 static int selinux_getprocattr(struct task_struct *p,
5275 char *name, char **value)
5277 const struct task_security_struct *__tsec;
5283 error = task_has_perm(current, p, PROCESS__GETATTR);
5289 __tsec = __task_cred(p)->security;
5291 if (!strcmp(name, "current"))
5293 else if (!strcmp(name, "prev"))
5295 else if (!strcmp(name, "exec"))
5296 sid = __tsec->exec_sid;
5297 else if (!strcmp(name, "fscreate"))
5298 sid = __tsec->create_sid;
5299 else if (!strcmp(name, "keycreate"))
5300 sid = __tsec->keycreate_sid;
5301 else if (!strcmp(name, "sockcreate"))
5302 sid = __tsec->sockcreate_sid;
5310 error = security_sid_to_context(sid, value, &len);
5320 static int selinux_setprocattr(struct task_struct *p,
5321 char *name, void *value, size_t size)
5323 struct task_security_struct *tsec;
5324 struct task_struct *tracer;
5330 /* SELinux only allows a process to change its own
5331 security attributes. */
5336 * Basic control over ability to set these attributes at all.
5337 * current == p, but we'll pass them separately in case the
5338 * above restriction is ever removed.
5340 if (!strcmp(name, "exec"))
5341 error = task_has_perm(current, p, PROCESS__SETEXEC);
5342 else if (!strcmp(name, "fscreate"))
5343 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5344 else if (!strcmp(name, "keycreate"))
5345 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5346 else if (!strcmp(name, "sockcreate"))
5347 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5348 else if (!strcmp(name, "current"))
5349 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5355 /* Obtain a SID for the context, if one was specified. */
5356 if (size && str[1] && str[1] != '\n') {
5357 if (str[size-1] == '\n') {
5361 error = security_context_to_sid(value, size, &sid);
5362 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5363 if (!capable(CAP_MAC_ADMIN))
5365 error = security_context_to_sid_force(value, size,
5372 /* Permission checking based on the specified context is
5373 performed during the actual operation (execve,
5374 open/mkdir/...), when we know the full context of the
5375 operation. See selinux_bprm_set_security for the execve
5376 checks and may_create for the file creation checks. The
5377 operation will then fail if the context is not permitted. */
5378 tsec = p->cred->security;
5379 if (!strcmp(name, "exec"))
5380 tsec->exec_sid = sid;
5381 else if (!strcmp(name, "fscreate"))
5382 tsec->create_sid = sid;
5383 else if (!strcmp(name, "keycreate")) {
5384 error = may_create_key(sid, p);
5387 tsec->keycreate_sid = sid;
5388 } else if (!strcmp(name, "sockcreate"))
5389 tsec->sockcreate_sid = sid;
5390 else if (!strcmp(name, "current")) {
5391 struct av_decision avd;
5396 * SELinux allows to change context in the following case only.
5397 * - Single threaded processes.
5398 * - Multi threaded processes intend to change its context into
5399 * more restricted domain (defined by TYPEBOUNDS statement).
5401 if (atomic_read(&p->mm->mm_users) != 1) {
5402 struct task_struct *g, *t;
5403 struct mm_struct *mm = p->mm;
5404 read_lock(&tasklist_lock);
5405 do_each_thread(g, t) {
5406 if (t->mm == mm && t != p) {
5407 read_unlock(&tasklist_lock);
5408 error = security_bounded_transition(tsec->sid, sid);
5414 } while_each_thread(g, t);
5415 read_unlock(&tasklist_lock);
5419 /* Check permissions for the transition. */
5420 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5421 PROCESS__DYNTRANSITION, NULL);
5425 /* Check for ptracing, and update the task SID if ok.
5426 Otherwise, leave SID unchanged and fail. */
5429 tracer = tracehook_tracer_task(p);
5430 if (tracer != NULL) {
5431 u32 ptsid = task_sid(tracer);
5433 error = avc_has_perm_noaudit(ptsid, sid,
5435 PROCESS__PTRACE, 0, &avd);
5439 avc_audit(ptsid, sid, SECCLASS_PROCESS,
5440 PROCESS__PTRACE, &avd, error, NULL);
5454 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5456 return security_sid_to_context(secid, secdata, seclen);
5459 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5461 return security_context_to_sid(secdata, seclen, secid);
5464 static void selinux_release_secctx(char *secdata, u32 seclen)
5471 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5472 unsigned long flags)
5474 const struct task_security_struct *__tsec;
5475 struct key_security_struct *ksec;
5477 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5482 __tsec = __task_cred(tsk)->security;
5483 if (__tsec->keycreate_sid)
5484 ksec->sid = __tsec->keycreate_sid;
5486 ksec->sid = __tsec->sid;
5493 static void selinux_key_free(struct key *k)
5495 struct key_security_struct *ksec = k->security;
5501 static int selinux_key_permission(key_ref_t key_ref,
5502 struct task_struct *ctx,
5506 struct key_security_struct *ksec;
5509 /* if no specific permissions are requested, we skip the
5510 permission check. No serious, additional covert channels
5511 appear to be created. */
5515 sid = task_sid(ctx);
5517 key = key_ref_to_ptr(key_ref);
5518 ksec = key->security;
5520 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5523 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5525 struct key_security_struct *ksec = key->security;
5526 char *context = NULL;
5530 rc = security_sid_to_context(ksec->sid, &context, &len);
5539 static struct security_operations selinux_ops = {
5542 .ptrace_may_access = selinux_ptrace_may_access,
5543 .ptrace_traceme = selinux_ptrace_traceme,
5544 .capget = selinux_capget,
5545 .capset_check = selinux_capset_check,
5546 .capset_set = selinux_capset_set,
5547 .sysctl = selinux_sysctl,
5548 .capable = selinux_capable,
5549 .quotactl = selinux_quotactl,
5550 .quota_on = selinux_quota_on,
5551 .syslog = selinux_syslog,
5552 .vm_enough_memory = selinux_vm_enough_memory,
5554 .netlink_send = selinux_netlink_send,
5555 .netlink_recv = selinux_netlink_recv,
5557 .bprm_alloc_security = selinux_bprm_alloc_security,
5558 .bprm_free_security = selinux_bprm_free_security,
5559 .bprm_apply_creds = selinux_bprm_apply_creds,
5560 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5561 .bprm_set_security = selinux_bprm_set_security,
5562 .bprm_check_security = selinux_bprm_check_security,
5563 .bprm_secureexec = selinux_bprm_secureexec,
5565 .sb_alloc_security = selinux_sb_alloc_security,
5566 .sb_free_security = selinux_sb_free_security,
5567 .sb_copy_data = selinux_sb_copy_data,
5568 .sb_kern_mount = selinux_sb_kern_mount,
5569 .sb_show_options = selinux_sb_show_options,
5570 .sb_statfs = selinux_sb_statfs,
5571 .sb_mount = selinux_mount,
5572 .sb_umount = selinux_umount,
5573 .sb_set_mnt_opts = selinux_set_mnt_opts,
5574 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5575 .sb_parse_opts_str = selinux_parse_opts_str,
5578 .inode_alloc_security = selinux_inode_alloc_security,
5579 .inode_free_security = selinux_inode_free_security,
5580 .inode_init_security = selinux_inode_init_security,
5581 .inode_create = selinux_inode_create,
5582 .inode_link = selinux_inode_link,
5583 .inode_unlink = selinux_inode_unlink,
5584 .inode_symlink = selinux_inode_symlink,
5585 .inode_mkdir = selinux_inode_mkdir,
5586 .inode_rmdir = selinux_inode_rmdir,
5587 .inode_mknod = selinux_inode_mknod,
5588 .inode_rename = selinux_inode_rename,
5589 .inode_readlink = selinux_inode_readlink,
5590 .inode_follow_link = selinux_inode_follow_link,
5591 .inode_permission = selinux_inode_permission,
5592 .inode_setattr = selinux_inode_setattr,
5593 .inode_getattr = selinux_inode_getattr,
5594 .inode_setxattr = selinux_inode_setxattr,
5595 .inode_post_setxattr = selinux_inode_post_setxattr,
5596 .inode_getxattr = selinux_inode_getxattr,
5597 .inode_listxattr = selinux_inode_listxattr,
5598 .inode_removexattr = selinux_inode_removexattr,
5599 .inode_getsecurity = selinux_inode_getsecurity,
5600 .inode_setsecurity = selinux_inode_setsecurity,
5601 .inode_listsecurity = selinux_inode_listsecurity,
5602 .inode_need_killpriv = selinux_inode_need_killpriv,
5603 .inode_killpriv = selinux_inode_killpriv,
5604 .inode_getsecid = selinux_inode_getsecid,
5606 .file_permission = selinux_file_permission,
5607 .file_alloc_security = selinux_file_alloc_security,
5608 .file_free_security = selinux_file_free_security,
5609 .file_ioctl = selinux_file_ioctl,
5610 .file_mmap = selinux_file_mmap,
5611 .file_mprotect = selinux_file_mprotect,
5612 .file_lock = selinux_file_lock,
5613 .file_fcntl = selinux_file_fcntl,
5614 .file_set_fowner = selinux_file_set_fowner,
5615 .file_send_sigiotask = selinux_file_send_sigiotask,
5616 .file_receive = selinux_file_receive,
5618 .dentry_open = selinux_dentry_open,
5620 .task_create = selinux_task_create,
5621 .cred_alloc_security = selinux_cred_alloc_security,
5622 .cred_free = selinux_cred_free,
5623 .task_setuid = selinux_task_setuid,
5624 .task_post_setuid = selinux_task_post_setuid,
5625 .task_setgid = selinux_task_setgid,
5626 .task_setpgid = selinux_task_setpgid,
5627 .task_getpgid = selinux_task_getpgid,
5628 .task_getsid = selinux_task_getsid,
5629 .task_getsecid = selinux_task_getsecid,
5630 .task_setgroups = selinux_task_setgroups,
5631 .task_setnice = selinux_task_setnice,
5632 .task_setioprio = selinux_task_setioprio,
5633 .task_getioprio = selinux_task_getioprio,
5634 .task_setrlimit = selinux_task_setrlimit,
5635 .task_setscheduler = selinux_task_setscheduler,
5636 .task_getscheduler = selinux_task_getscheduler,
5637 .task_movememory = selinux_task_movememory,
5638 .task_kill = selinux_task_kill,
5639 .task_wait = selinux_task_wait,
5640 .task_prctl = selinux_task_prctl,
5641 .task_reparent_to_init = selinux_task_reparent_to_init,
5642 .task_to_inode = selinux_task_to_inode,
5644 .ipc_permission = selinux_ipc_permission,
5645 .ipc_getsecid = selinux_ipc_getsecid,
5647 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5648 .msg_msg_free_security = selinux_msg_msg_free_security,
5650 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5651 .msg_queue_free_security = selinux_msg_queue_free_security,
5652 .msg_queue_associate = selinux_msg_queue_associate,
5653 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5654 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5655 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5657 .shm_alloc_security = selinux_shm_alloc_security,
5658 .shm_free_security = selinux_shm_free_security,
5659 .shm_associate = selinux_shm_associate,
5660 .shm_shmctl = selinux_shm_shmctl,
5661 .shm_shmat = selinux_shm_shmat,
5663 .sem_alloc_security = selinux_sem_alloc_security,
5664 .sem_free_security = selinux_sem_free_security,
5665 .sem_associate = selinux_sem_associate,
5666 .sem_semctl = selinux_sem_semctl,
5667 .sem_semop = selinux_sem_semop,
5669 .d_instantiate = selinux_d_instantiate,
5671 .getprocattr = selinux_getprocattr,
5672 .setprocattr = selinux_setprocattr,
5674 .secid_to_secctx = selinux_secid_to_secctx,
5675 .secctx_to_secid = selinux_secctx_to_secid,
5676 .release_secctx = selinux_release_secctx,
5678 .unix_stream_connect = selinux_socket_unix_stream_connect,
5679 .unix_may_send = selinux_socket_unix_may_send,
5681 .socket_create = selinux_socket_create,
5682 .socket_post_create = selinux_socket_post_create,
5683 .socket_bind = selinux_socket_bind,
5684 .socket_connect = selinux_socket_connect,
5685 .socket_listen = selinux_socket_listen,
5686 .socket_accept = selinux_socket_accept,
5687 .socket_sendmsg = selinux_socket_sendmsg,
5688 .socket_recvmsg = selinux_socket_recvmsg,
5689 .socket_getsockname = selinux_socket_getsockname,
5690 .socket_getpeername = selinux_socket_getpeername,
5691 .socket_getsockopt = selinux_socket_getsockopt,
5692 .socket_setsockopt = selinux_socket_setsockopt,
5693 .socket_shutdown = selinux_socket_shutdown,
5694 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5695 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5696 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5697 .sk_alloc_security = selinux_sk_alloc_security,
5698 .sk_free_security = selinux_sk_free_security,
5699 .sk_clone_security = selinux_sk_clone_security,
5700 .sk_getsecid = selinux_sk_getsecid,
5701 .sock_graft = selinux_sock_graft,
5702 .inet_conn_request = selinux_inet_conn_request,
5703 .inet_csk_clone = selinux_inet_csk_clone,
5704 .inet_conn_established = selinux_inet_conn_established,
5705 .req_classify_flow = selinux_req_classify_flow,
5707 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5708 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5709 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5710 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5711 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5712 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5713 .xfrm_state_free_security = selinux_xfrm_state_free,
5714 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5715 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5716 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5717 .xfrm_decode_session = selinux_xfrm_decode_session,
5721 .key_alloc = selinux_key_alloc,
5722 .key_free = selinux_key_free,
5723 .key_permission = selinux_key_permission,
5724 .key_getsecurity = selinux_key_getsecurity,
5728 .audit_rule_init = selinux_audit_rule_init,
5729 .audit_rule_known = selinux_audit_rule_known,
5730 .audit_rule_match = selinux_audit_rule_match,
5731 .audit_rule_free = selinux_audit_rule_free,
5735 static __init int selinux_init(void)
5737 struct task_security_struct *tsec;
5739 if (!security_module_enable(&selinux_ops)) {
5740 selinux_enabled = 0;
5744 if (!selinux_enabled) {
5745 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5749 printk(KERN_INFO "SELinux: Initializing.\n");
5751 /* Set the security state for the initial task. */
5752 if (cred_alloc_security(current->cred))
5753 panic("SELinux: Failed to initialize initial task.\n");
5754 tsec = current->cred->security;
5755 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5757 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5758 sizeof(struct inode_security_struct),
5759 0, SLAB_PANIC, NULL);
5762 secondary_ops = security_ops;
5764 panic("SELinux: No initial security operations\n");
5765 if (register_security(&selinux_ops))
5766 panic("SELinux: Unable to register with kernel.\n");
5768 if (selinux_enforcing)
5769 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5771 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5776 void selinux_complete_init(void)
5778 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5780 /* Set up any superblocks initialized prior to the policy load. */
5781 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5782 spin_lock(&sb_lock);
5783 spin_lock(&sb_security_lock);
5785 if (!list_empty(&superblock_security_head)) {
5786 struct superblock_security_struct *sbsec =
5787 list_entry(superblock_security_head.next,
5788 struct superblock_security_struct,
5790 struct super_block *sb = sbsec->sb;
5792 spin_unlock(&sb_security_lock);
5793 spin_unlock(&sb_lock);
5794 down_read(&sb->s_umount);
5796 superblock_doinit(sb, NULL);
5798 spin_lock(&sb_lock);
5799 spin_lock(&sb_security_lock);
5800 list_del_init(&sbsec->list);
5803 spin_unlock(&sb_security_lock);
5804 spin_unlock(&sb_lock);
5807 /* SELinux requires early initialization in order to label
5808 all processes and objects when they are created. */
5809 security_initcall(selinux_init);
5811 #if defined(CONFIG_NETFILTER)
5813 static struct nf_hook_ops selinux_ipv4_ops[] = {
5815 .hook = selinux_ipv4_postroute,
5816 .owner = THIS_MODULE,
5818 .hooknum = NF_INET_POST_ROUTING,
5819 .priority = NF_IP_PRI_SELINUX_LAST,
5822 .hook = selinux_ipv4_forward,
5823 .owner = THIS_MODULE,
5825 .hooknum = NF_INET_FORWARD,
5826 .priority = NF_IP_PRI_SELINUX_FIRST,
5829 .hook = selinux_ipv4_output,
5830 .owner = THIS_MODULE,
5832 .hooknum = NF_INET_LOCAL_OUT,
5833 .priority = NF_IP_PRI_SELINUX_FIRST,
5837 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5839 static struct nf_hook_ops selinux_ipv6_ops[] = {
5841 .hook = selinux_ipv6_postroute,
5842 .owner = THIS_MODULE,
5844 .hooknum = NF_INET_POST_ROUTING,
5845 .priority = NF_IP6_PRI_SELINUX_LAST,
5848 .hook = selinux_ipv6_forward,
5849 .owner = THIS_MODULE,
5851 .hooknum = NF_INET_FORWARD,
5852 .priority = NF_IP6_PRI_SELINUX_FIRST,
5858 static int __init selinux_nf_ip_init(void)
5862 if (!selinux_enabled)
5865 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5867 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5869 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5871 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5872 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5874 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5881 __initcall(selinux_nf_ip_init);
5883 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5884 static void selinux_nf_ip_exit(void)
5886 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5888 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5889 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5890 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5895 #else /* CONFIG_NETFILTER */
5897 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5898 #define selinux_nf_ip_exit()
5901 #endif /* CONFIG_NETFILTER */
5903 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5904 static int selinux_disabled;
5906 int selinux_disable(void)
5908 extern void exit_sel_fs(void);
5910 if (ss_initialized) {
5911 /* Not permitted after initial policy load. */
5915 if (selinux_disabled) {
5916 /* Only do this once. */
5920 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5922 selinux_disabled = 1;
5923 selinux_enabled = 0;
5925 /* Reset security_ops to the secondary module, dummy or capability. */
5926 security_ops = secondary_ops;
5928 /* Unregister netfilter hooks. */
5929 selinux_nf_ip_exit();
5931 /* Unregister selinuxfs. */