2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
87 #define XATTR_SELINUX_SUFFIX "selinux"
88 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
90 #define NUM_SEL_MNT_OPTS 4
92 extern unsigned int policydb_loaded_version;
93 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
94 extern int selinux_compat_net;
95 extern struct security_operations *security_ops;
97 /* SECMARK reference count */
98 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing = 0;
103 static int __init enforcing_setup(char *str)
105 selinux_enforcing = simple_strtol(str,NULL,0);
108 __setup("enforcing=", enforcing_setup);
111 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
112 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
114 static int __init selinux_enabled_setup(char *str)
116 selinux_enabled = simple_strtol(str, NULL, 0);
119 __setup("selinux=", selinux_enabled_setup);
121 int selinux_enabled = 1;
124 /* Original (dummy) security module. */
125 static struct security_operations *original_ops = NULL;
127 /* Minimal support for a secondary security module,
128 just to allow the use of the dummy or capability modules.
129 The owlsm module can alternatively be used as a secondary
130 module as long as CONFIG_OWLSM_FD is not enabled. */
131 static struct security_operations *secondary_ops = NULL;
133 /* Lists of inode and superblock security structures initialized
134 before the policy was loaded. */
135 static LIST_HEAD(superblock_security_head);
136 static DEFINE_SPINLOCK(sb_security_lock);
138 static struct kmem_cache *sel_inode_cache;
141 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
144 * This function checks the SECMARK reference counter to see if any SECMARK
145 * targets are currently configured, if the reference counter is greater than
146 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
147 * enabled, false (0) if SECMARK is disabled.
150 static int selinux_secmark_enabled(void)
152 return (atomic_read(&selinux_secmark_refcount) > 0);
155 /* Allocate and free functions for each kind of security blob. */
157 static int task_alloc_security(struct task_struct *task)
159 struct task_security_struct *tsec;
161 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
165 tsec->osid = tsec->sid = SECINITSID_UNLABELED;
166 task->security = tsec;
171 static void task_free_security(struct task_struct *task)
173 struct task_security_struct *tsec = task->security;
174 task->security = NULL;
178 static int inode_alloc_security(struct inode *inode)
180 struct task_security_struct *tsec = current->security;
181 struct inode_security_struct *isec;
183 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
187 mutex_init(&isec->lock);
188 INIT_LIST_HEAD(&isec->list);
190 isec->sid = SECINITSID_UNLABELED;
191 isec->sclass = SECCLASS_FILE;
192 isec->task_sid = tsec->sid;
193 inode->i_security = isec;
198 static void inode_free_security(struct inode *inode)
200 struct inode_security_struct *isec = inode->i_security;
201 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
203 spin_lock(&sbsec->isec_lock);
204 if (!list_empty(&isec->list))
205 list_del_init(&isec->list);
206 spin_unlock(&sbsec->isec_lock);
208 inode->i_security = NULL;
209 kmem_cache_free(sel_inode_cache, isec);
212 static int file_alloc_security(struct file *file)
214 struct task_security_struct *tsec = current->security;
215 struct file_security_struct *fsec;
217 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
221 fsec->sid = tsec->sid;
222 fsec->fown_sid = tsec->sid;
223 file->f_security = fsec;
228 static void file_free_security(struct file *file)
230 struct file_security_struct *fsec = file->f_security;
231 file->f_security = NULL;
235 static int superblock_alloc_security(struct super_block *sb)
237 struct superblock_security_struct *sbsec;
239 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
243 mutex_init(&sbsec->lock);
244 INIT_LIST_HEAD(&sbsec->list);
245 INIT_LIST_HEAD(&sbsec->isec_head);
246 spin_lock_init(&sbsec->isec_lock);
248 sbsec->sid = SECINITSID_UNLABELED;
249 sbsec->def_sid = SECINITSID_FILE;
250 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
251 sb->s_security = sbsec;
256 static void superblock_free_security(struct super_block *sb)
258 struct superblock_security_struct *sbsec = sb->s_security;
260 spin_lock(&sb_security_lock);
261 if (!list_empty(&sbsec->list))
262 list_del_init(&sbsec->list);
263 spin_unlock(&sb_security_lock);
265 sb->s_security = NULL;
269 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
271 struct sk_security_struct *ssec;
273 ssec = kzalloc(sizeof(*ssec), priority);
277 ssec->peer_sid = SECINITSID_UNLABELED;
278 ssec->sid = SECINITSID_UNLABELED;
279 sk->sk_security = ssec;
281 selinux_netlbl_sk_security_reset(ssec, family);
286 static void sk_free_security(struct sock *sk)
288 struct sk_security_struct *ssec = sk->sk_security;
290 sk->sk_security = NULL;
294 /* The security server must be initialized before
295 any labeling or access decisions can be provided. */
296 extern int ss_initialized;
298 /* The file system's label must be initialized prior to use. */
300 static char *labeling_behaviors[6] = {
302 "uses transition SIDs",
304 "uses genfs_contexts",
305 "not configured for labeling",
306 "uses mountpoint labeling",
309 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
311 static inline int inode_doinit(struct inode *inode)
313 return inode_doinit_with_dentry(inode, NULL);
324 static match_table_t tokens = {
325 {Opt_context, CONTEXT_STR "%s"},
326 {Opt_fscontext, FSCONTEXT_STR "%s"},
327 {Opt_defcontext, DEFCONTEXT_STR "%s"},
328 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
332 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
334 static int may_context_mount_sb_relabel(u32 sid,
335 struct superblock_security_struct *sbsec,
336 struct task_security_struct *tsec)
340 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
341 FILESYSTEM__RELABELFROM, NULL);
345 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
346 FILESYSTEM__RELABELTO, NULL);
350 static int may_context_mount_inode_relabel(u32 sid,
351 struct superblock_security_struct *sbsec,
352 struct task_security_struct *tsec)
355 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
356 FILESYSTEM__RELABELFROM, NULL);
360 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
361 FILESYSTEM__ASSOCIATE, NULL);
365 static int sb_finish_set_opts(struct super_block *sb)
367 struct superblock_security_struct *sbsec = sb->s_security;
368 struct dentry *root = sb->s_root;
369 struct inode *root_inode = root->d_inode;
372 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
373 /* Make sure that the xattr handler exists and that no
374 error other than -ENODATA is returned by getxattr on
375 the root directory. -ENODATA is ok, as this may be
376 the first boot of the SELinux kernel before we have
377 assigned xattr values to the filesystem. */
378 if (!root_inode->i_op->getxattr) {
379 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
380 "xattr support\n", sb->s_id, sb->s_type->name);
384 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
385 if (rc < 0 && rc != -ENODATA) {
386 if (rc == -EOPNOTSUPP)
387 printk(KERN_WARNING "SELinux: (dev %s, type "
388 "%s) has no security xattr handler\n",
389 sb->s_id, sb->s_type->name);
391 printk(KERN_WARNING "SELinux: (dev %s, type "
392 "%s) getxattr errno %d\n", sb->s_id,
393 sb->s_type->name, -rc);
398 sbsec->initialized = 1;
400 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
401 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
402 sb->s_id, sb->s_type->name);
404 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
405 sb->s_id, sb->s_type->name,
406 labeling_behaviors[sbsec->behavior-1]);
408 /* Initialize the root inode. */
409 rc = inode_doinit_with_dentry(root_inode, root);
411 /* Initialize any other inodes associated with the superblock, e.g.
412 inodes created prior to initial policy load or inodes created
413 during get_sb by a pseudo filesystem that directly
415 spin_lock(&sbsec->isec_lock);
417 if (!list_empty(&sbsec->isec_head)) {
418 struct inode_security_struct *isec =
419 list_entry(sbsec->isec_head.next,
420 struct inode_security_struct, list);
421 struct inode *inode = isec->inode;
422 spin_unlock(&sbsec->isec_lock);
423 inode = igrab(inode);
425 if (!IS_PRIVATE(inode))
429 spin_lock(&sbsec->isec_lock);
430 list_del_init(&isec->list);
433 spin_unlock(&sbsec->isec_lock);
439 * This function should allow an FS to ask what it's mount security
440 * options were so it can use those later for submounts, displaying
441 * mount options, or whatever.
443 static int selinux_get_mnt_opts(const struct super_block *sb,
444 struct security_mnt_opts *opts)
447 struct superblock_security_struct *sbsec = sb->s_security;
448 char *context = NULL;
452 security_init_mnt_opts(opts);
454 if (!sbsec->initialized)
461 * if we ever use sbsec flags for anything other than tracking mount
462 * settings this is going to need a mask
465 /* count the number of mount options for this sb */
466 for (i = 0; i < 8; i++) {
468 opts->num_mnt_opts++;
472 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
473 if (!opts->mnt_opts) {
478 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
479 if (!opts->mnt_opts_flags) {
485 if (sbsec->flags & FSCONTEXT_MNT) {
486 rc = security_sid_to_context(sbsec->sid, &context, &len);
489 opts->mnt_opts[i] = context;
490 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
492 if (sbsec->flags & CONTEXT_MNT) {
493 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
496 opts->mnt_opts[i] = context;
497 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
499 if (sbsec->flags & DEFCONTEXT_MNT) {
500 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
503 opts->mnt_opts[i] = context;
504 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
506 if (sbsec->flags & ROOTCONTEXT_MNT) {
507 struct inode *root = sbsec->sb->s_root->d_inode;
508 struct inode_security_struct *isec = root->i_security;
510 rc = security_sid_to_context(isec->sid, &context, &len);
513 opts->mnt_opts[i] = context;
514 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
517 BUG_ON(i != opts->num_mnt_opts);
522 security_free_mnt_opts(opts);
526 static int bad_option(struct superblock_security_struct *sbsec, char flag,
527 u32 old_sid, u32 new_sid)
529 /* check if the old mount command had the same options */
530 if (sbsec->initialized)
531 if (!(sbsec->flags & flag) ||
532 (old_sid != new_sid))
535 /* check if we were passed the same options twice,
536 * aka someone passed context=a,context=b
538 if (!sbsec->initialized)
539 if (sbsec->flags & flag)
545 * Allow filesystems with binary mount data to explicitly set mount point
546 * labeling information.
548 static int selinux_set_mnt_opts(struct super_block *sb,
549 struct security_mnt_opts *opts)
552 struct task_security_struct *tsec = current->security;
553 struct superblock_security_struct *sbsec = sb->s_security;
554 const char *name = sb->s_type->name;
555 struct inode *inode = sbsec->sb->s_root->d_inode;
556 struct inode_security_struct *root_isec = inode->i_security;
557 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
558 u32 defcontext_sid = 0;
559 char **mount_options = opts->mnt_opts;
560 int *flags = opts->mnt_opts_flags;
561 int num_opts = opts->num_mnt_opts;
563 mutex_lock(&sbsec->lock);
565 if (!ss_initialized) {
567 /* Defer initialization until selinux_complete_init,
568 after the initial policy is loaded and the security
569 server is ready to handle calls. */
570 spin_lock(&sb_security_lock);
571 if (list_empty(&sbsec->list))
572 list_add(&sbsec->list, &superblock_security_head);
573 spin_unlock(&sb_security_lock);
577 printk(KERN_WARNING "Unable to set superblock options before "
578 "the security server is initialized\n");
583 * Binary mount data FS will come through this function twice. Once
584 * from an explicit call and once from the generic calls from the vfs.
585 * Since the generic VFS calls will not contain any security mount data
586 * we need to skip the double mount verification.
588 * This does open a hole in which we will not notice if the first
589 * mount using this sb set explict options and a second mount using
590 * this sb does not set any security options. (The first options
591 * will be used for both mounts)
593 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
598 * parse the mount options, check if they are valid sids.
599 * also check if someone is trying to mount the same sb more
600 * than once with different security options.
602 for (i = 0; i < num_opts; i++) {
604 rc = security_context_to_sid(mount_options[i],
605 strlen(mount_options[i]), &sid);
607 printk(KERN_WARNING "SELinux: security_context_to_sid"
608 "(%s) failed for (dev %s, type %s) errno=%d\n",
609 mount_options[i], sb->s_id, name, rc);
616 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
618 goto out_double_mount;
620 sbsec->flags |= FSCONTEXT_MNT;
625 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
627 goto out_double_mount;
629 sbsec->flags |= CONTEXT_MNT;
631 case ROOTCONTEXT_MNT:
632 rootcontext_sid = sid;
634 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
636 goto out_double_mount;
638 sbsec->flags |= ROOTCONTEXT_MNT;
642 defcontext_sid = sid;
644 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
646 goto out_double_mount;
648 sbsec->flags |= DEFCONTEXT_MNT;
657 if (sbsec->initialized) {
658 /* previously mounted with options, but not on this attempt? */
659 if (sbsec->flags && !num_opts)
660 goto out_double_mount;
665 if (strcmp(sb->s_type->name, "proc") == 0)
668 /* Determine the labeling behavior to use for this filesystem type. */
669 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
671 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
672 __func__, sb->s_type->name, rc);
676 /* sets the context of the superblock for the fs being mounted. */
679 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
683 sbsec->sid = fscontext_sid;
687 * Switch to using mount point labeling behavior.
688 * sets the label used on all file below the mountpoint, and will set
689 * the superblock context if not already set.
692 if (!fscontext_sid) {
693 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
696 sbsec->sid = context_sid;
698 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
702 if (!rootcontext_sid)
703 rootcontext_sid = context_sid;
705 sbsec->mntpoint_sid = context_sid;
706 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
709 if (rootcontext_sid) {
710 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
714 root_isec->sid = rootcontext_sid;
715 root_isec->initialized = 1;
718 if (defcontext_sid) {
719 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
721 printk(KERN_WARNING "SELinux: defcontext option is "
722 "invalid for this filesystem type\n");
726 if (defcontext_sid != sbsec->def_sid) {
727 rc = may_context_mount_inode_relabel(defcontext_sid,
733 sbsec->def_sid = defcontext_sid;
736 rc = sb_finish_set_opts(sb);
738 mutex_unlock(&sbsec->lock);
742 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
743 "security settings for (dev %s, type %s)\n", sb->s_id, name);
747 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
748 struct super_block *newsb)
750 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
751 struct superblock_security_struct *newsbsec = newsb->s_security;
753 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
754 int set_context = (oldsbsec->flags & CONTEXT_MNT);
755 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
757 /* we can't error, we can't save the info, this shouldn't get called
758 * this early in the boot process. */
759 BUG_ON(!ss_initialized);
761 /* how can we clone if the old one wasn't set up?? */
762 BUG_ON(!oldsbsec->initialized);
764 /* if fs is reusing a sb, just let its options stand... */
765 if (newsbsec->initialized)
768 mutex_lock(&newsbsec->lock);
770 newsbsec->flags = oldsbsec->flags;
772 newsbsec->sid = oldsbsec->sid;
773 newsbsec->def_sid = oldsbsec->def_sid;
774 newsbsec->behavior = oldsbsec->behavior;
777 u32 sid = oldsbsec->mntpoint_sid;
781 if (!set_rootcontext) {
782 struct inode *newinode = newsb->s_root->d_inode;
783 struct inode_security_struct *newisec = newinode->i_security;
786 newsbsec->mntpoint_sid = sid;
788 if (set_rootcontext) {
789 const struct inode *oldinode = oldsb->s_root->d_inode;
790 const struct inode_security_struct *oldisec = oldinode->i_security;
791 struct inode *newinode = newsb->s_root->d_inode;
792 struct inode_security_struct *newisec = newinode->i_security;
794 newisec->sid = oldisec->sid;
797 sb_finish_set_opts(newsb);
798 mutex_unlock(&newsbsec->lock);
801 static int selinux_parse_opts_str(char *options,
802 struct security_mnt_opts *opts)
805 char *context = NULL, *defcontext = NULL;
806 char *fscontext = NULL, *rootcontext = NULL;
807 int rc, num_mnt_opts = 0;
809 opts->num_mnt_opts = 0;
811 /* Standard string-based options. */
812 while ((p = strsep(&options, "|")) != NULL) {
814 substring_t args[MAX_OPT_ARGS];
819 token = match_token(p, tokens, args);
823 if (context || defcontext) {
825 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
828 context = match_strdup(&args[0]);
838 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
841 fscontext = match_strdup(&args[0]);
848 case Opt_rootcontext:
851 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
854 rootcontext = match_strdup(&args[0]);
862 if (context || defcontext) {
864 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
867 defcontext = match_strdup(&args[0]);
876 printk(KERN_WARNING "SELinux: unknown mount option\n");
883 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
887 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
888 if (!opts->mnt_opts_flags) {
889 kfree(opts->mnt_opts);
894 opts->mnt_opts[num_mnt_opts] = fscontext;
895 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
898 opts->mnt_opts[num_mnt_opts] = context;
899 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
902 opts->mnt_opts[num_mnt_opts] = rootcontext;
903 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
906 opts->mnt_opts[num_mnt_opts] = defcontext;
907 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
910 opts->num_mnt_opts = num_mnt_opts;
921 * string mount options parsing and call set the sbsec
923 static int superblock_doinit(struct super_block *sb, void *data)
926 char *options = data;
927 struct security_mnt_opts opts;
929 security_init_mnt_opts(&opts);
934 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
936 rc = selinux_parse_opts_str(options, &opts);
941 rc = selinux_set_mnt_opts(sb, &opts);
944 security_free_mnt_opts(&opts);
948 static inline u16 inode_mode_to_security_class(umode_t mode)
950 switch (mode & S_IFMT) {
952 return SECCLASS_SOCK_FILE;
954 return SECCLASS_LNK_FILE;
956 return SECCLASS_FILE;
958 return SECCLASS_BLK_FILE;
962 return SECCLASS_CHR_FILE;
964 return SECCLASS_FIFO_FILE;
968 return SECCLASS_FILE;
971 static inline int default_protocol_stream(int protocol)
973 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
976 static inline int default_protocol_dgram(int protocol)
978 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
981 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
988 return SECCLASS_UNIX_STREAM_SOCKET;
990 return SECCLASS_UNIX_DGRAM_SOCKET;
997 if (default_protocol_stream(protocol))
998 return SECCLASS_TCP_SOCKET;
1000 return SECCLASS_RAWIP_SOCKET;
1002 if (default_protocol_dgram(protocol))
1003 return SECCLASS_UDP_SOCKET;
1005 return SECCLASS_RAWIP_SOCKET;
1007 return SECCLASS_DCCP_SOCKET;
1009 return SECCLASS_RAWIP_SOCKET;
1015 return SECCLASS_NETLINK_ROUTE_SOCKET;
1016 case NETLINK_FIREWALL:
1017 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1018 case NETLINK_INET_DIAG:
1019 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1021 return SECCLASS_NETLINK_NFLOG_SOCKET;
1023 return SECCLASS_NETLINK_XFRM_SOCKET;
1024 case NETLINK_SELINUX:
1025 return SECCLASS_NETLINK_SELINUX_SOCKET;
1027 return SECCLASS_NETLINK_AUDIT_SOCKET;
1028 case NETLINK_IP6_FW:
1029 return SECCLASS_NETLINK_IP6FW_SOCKET;
1030 case NETLINK_DNRTMSG:
1031 return SECCLASS_NETLINK_DNRT_SOCKET;
1032 case NETLINK_KOBJECT_UEVENT:
1033 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1035 return SECCLASS_NETLINK_SOCKET;
1038 return SECCLASS_PACKET_SOCKET;
1040 return SECCLASS_KEY_SOCKET;
1042 return SECCLASS_APPLETALK_SOCKET;
1045 return SECCLASS_SOCKET;
1048 #ifdef CONFIG_PROC_FS
1049 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1054 char *buffer, *path, *end;
1056 buffer = (char*)__get_free_page(GFP_KERNEL);
1061 end = buffer+buflen;
1066 while (de && de != de->parent) {
1067 buflen -= de->namelen + 1;
1071 memcpy(end, de->name, de->namelen);
1076 rc = security_genfs_sid("proc", path, tclass, sid);
1077 free_page((unsigned long)buffer);
1081 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1089 /* The inode's security attributes must be initialized before first use. */
1090 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1092 struct superblock_security_struct *sbsec = NULL;
1093 struct inode_security_struct *isec = inode->i_security;
1095 struct dentry *dentry;
1096 #define INITCONTEXTLEN 255
1097 char *context = NULL;
1101 if (isec->initialized)
1104 mutex_lock(&isec->lock);
1105 if (isec->initialized)
1108 sbsec = inode->i_sb->s_security;
1109 if (!sbsec->initialized) {
1110 /* Defer initialization until selinux_complete_init,
1111 after the initial policy is loaded and the security
1112 server is ready to handle calls. */
1113 spin_lock(&sbsec->isec_lock);
1114 if (list_empty(&isec->list))
1115 list_add(&isec->list, &sbsec->isec_head);
1116 spin_unlock(&sbsec->isec_lock);
1120 switch (sbsec->behavior) {
1121 case SECURITY_FS_USE_XATTR:
1122 if (!inode->i_op->getxattr) {
1123 isec->sid = sbsec->def_sid;
1127 /* Need a dentry, since the xattr API requires one.
1128 Life would be simpler if we could just pass the inode. */
1130 /* Called from d_instantiate or d_splice_alias. */
1131 dentry = dget(opt_dentry);
1133 /* Called from selinux_complete_init, try to find a dentry. */
1134 dentry = d_find_alias(inode);
1137 printk(KERN_WARNING "%s: no dentry for dev=%s "
1138 "ino=%ld\n", __func__, inode->i_sb->s_id,
1143 len = INITCONTEXTLEN;
1144 context = kmalloc(len, GFP_NOFS);
1150 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1152 if (rc == -ERANGE) {
1153 /* Need a larger buffer. Query for the right size. */
1154 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1162 context = kmalloc(len, GFP_NOFS);
1168 rc = inode->i_op->getxattr(dentry,
1174 if (rc != -ENODATA) {
1175 printk(KERN_WARNING "%s: getxattr returned "
1176 "%d for dev=%s ino=%ld\n", __func__,
1177 -rc, inode->i_sb->s_id, inode->i_ino);
1181 /* Map ENODATA to the default file SID */
1182 sid = sbsec->def_sid;
1185 rc = security_context_to_sid_default(context, rc, &sid,
1189 printk(KERN_WARNING "%s: context_to_sid(%s) "
1190 "returned %d for dev=%s ino=%ld\n",
1191 __func__, context, -rc,
1192 inode->i_sb->s_id, inode->i_ino);
1194 /* Leave with the unlabeled SID */
1202 case SECURITY_FS_USE_TASK:
1203 isec->sid = isec->task_sid;
1205 case SECURITY_FS_USE_TRANS:
1206 /* Default to the fs SID. */
1207 isec->sid = sbsec->sid;
1209 /* Try to obtain a transition SID. */
1210 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1211 rc = security_transition_sid(isec->task_sid,
1219 case SECURITY_FS_USE_MNTPOINT:
1220 isec->sid = sbsec->mntpoint_sid;
1223 /* Default to the fs superblock SID. */
1224 isec->sid = sbsec->sid;
1227 struct proc_inode *proci = PROC_I(inode);
1229 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1230 rc = selinux_proc_get_sid(proci->pde,
1241 isec->initialized = 1;
1244 mutex_unlock(&isec->lock);
1246 if (isec->sclass == SECCLASS_FILE)
1247 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1251 /* Convert a Linux signal to an access vector. */
1252 static inline u32 signal_to_av(int sig)
1258 /* Commonly granted from child to parent. */
1259 perm = PROCESS__SIGCHLD;
1262 /* Cannot be caught or ignored */
1263 perm = PROCESS__SIGKILL;
1266 /* Cannot be caught or ignored */
1267 perm = PROCESS__SIGSTOP;
1270 /* All other signals. */
1271 perm = PROCESS__SIGNAL;
1278 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1279 fork check, ptrace check, etc. */
1280 static int task_has_perm(struct task_struct *tsk1,
1281 struct task_struct *tsk2,
1284 struct task_security_struct *tsec1, *tsec2;
1286 tsec1 = tsk1->security;
1287 tsec2 = tsk2->security;
1288 return avc_has_perm(tsec1->sid, tsec2->sid,
1289 SECCLASS_PROCESS, perms, NULL);
1292 #if CAP_LAST_CAP > 63
1293 #error Fix SELinux to handle capabilities > 63.
1296 /* Check whether a task is allowed to use a capability. */
1297 static int task_has_capability(struct task_struct *tsk,
1300 struct task_security_struct *tsec;
1301 struct avc_audit_data ad;
1303 u32 av = CAP_TO_MASK(cap);
1305 tsec = tsk->security;
1307 AVC_AUDIT_DATA_INIT(&ad,CAP);
1311 switch (CAP_TO_INDEX(cap)) {
1313 sclass = SECCLASS_CAPABILITY;
1316 sclass = SECCLASS_CAPABILITY2;
1320 "SELinux: out of range capability %d\n", cap);
1323 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1326 /* Check whether a task is allowed to use a system operation. */
1327 static int task_has_system(struct task_struct *tsk,
1330 struct task_security_struct *tsec;
1332 tsec = tsk->security;
1334 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1335 SECCLASS_SYSTEM, perms, NULL);
1338 /* Check whether a task has a particular permission to an inode.
1339 The 'adp' parameter is optional and allows other audit
1340 data to be passed (e.g. the dentry). */
1341 static int inode_has_perm(struct task_struct *tsk,
1342 struct inode *inode,
1344 struct avc_audit_data *adp)
1346 struct task_security_struct *tsec;
1347 struct inode_security_struct *isec;
1348 struct avc_audit_data ad;
1350 if (unlikely (IS_PRIVATE (inode)))
1353 tsec = tsk->security;
1354 isec = inode->i_security;
1358 AVC_AUDIT_DATA_INIT(&ad, FS);
1359 ad.u.fs.inode = inode;
1362 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1365 /* Same as inode_has_perm, but pass explicit audit data containing
1366 the dentry to help the auditing code to more easily generate the
1367 pathname if needed. */
1368 static inline int dentry_has_perm(struct task_struct *tsk,
1369 struct vfsmount *mnt,
1370 struct dentry *dentry,
1373 struct inode *inode = dentry->d_inode;
1374 struct avc_audit_data ad;
1375 AVC_AUDIT_DATA_INIT(&ad,FS);
1376 ad.u.fs.path.mnt = mnt;
1377 ad.u.fs.path.dentry = dentry;
1378 return inode_has_perm(tsk, inode, av, &ad);
1381 /* Check whether a task can use an open file descriptor to
1382 access an inode in a given way. Check access to the
1383 descriptor itself, and then use dentry_has_perm to
1384 check a particular permission to the file.
1385 Access to the descriptor is implicitly granted if it
1386 has the same SID as the process. If av is zero, then
1387 access to the file is not checked, e.g. for cases
1388 where only the descriptor is affected like seek. */
1389 static int file_has_perm(struct task_struct *tsk,
1393 struct task_security_struct *tsec = tsk->security;
1394 struct file_security_struct *fsec = file->f_security;
1395 struct inode *inode = file->f_path.dentry->d_inode;
1396 struct avc_audit_data ad;
1399 AVC_AUDIT_DATA_INIT(&ad, FS);
1400 ad.u.fs.path = file->f_path;
1402 if (tsec->sid != fsec->sid) {
1403 rc = avc_has_perm(tsec->sid, fsec->sid,
1411 /* av is zero if only checking access to the descriptor. */
1413 return inode_has_perm(tsk, inode, av, &ad);
1418 /* Check whether a task can create a file. */
1419 static int may_create(struct inode *dir,
1420 struct dentry *dentry,
1423 struct task_security_struct *tsec;
1424 struct inode_security_struct *dsec;
1425 struct superblock_security_struct *sbsec;
1427 struct avc_audit_data ad;
1430 tsec = current->security;
1431 dsec = dir->i_security;
1432 sbsec = dir->i_sb->s_security;
1434 AVC_AUDIT_DATA_INIT(&ad, FS);
1435 ad.u.fs.path.dentry = dentry;
1437 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1438 DIR__ADD_NAME | DIR__SEARCH,
1443 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1444 newsid = tsec->create_sid;
1446 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1452 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1456 return avc_has_perm(newsid, sbsec->sid,
1457 SECCLASS_FILESYSTEM,
1458 FILESYSTEM__ASSOCIATE, &ad);
1461 /* Check whether a task can create a key. */
1462 static int may_create_key(u32 ksid,
1463 struct task_struct *ctx)
1465 struct task_security_struct *tsec;
1467 tsec = ctx->security;
1469 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1473 #define MAY_UNLINK 1
1476 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1477 static int may_link(struct inode *dir,
1478 struct dentry *dentry,
1482 struct task_security_struct *tsec;
1483 struct inode_security_struct *dsec, *isec;
1484 struct avc_audit_data ad;
1488 tsec = current->security;
1489 dsec = dir->i_security;
1490 isec = dentry->d_inode->i_security;
1492 AVC_AUDIT_DATA_INIT(&ad, FS);
1493 ad.u.fs.path.dentry = dentry;
1496 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1497 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1512 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1516 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1520 static inline int may_rename(struct inode *old_dir,
1521 struct dentry *old_dentry,
1522 struct inode *new_dir,
1523 struct dentry *new_dentry)
1525 struct task_security_struct *tsec;
1526 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1527 struct avc_audit_data ad;
1529 int old_is_dir, new_is_dir;
1532 tsec = current->security;
1533 old_dsec = old_dir->i_security;
1534 old_isec = old_dentry->d_inode->i_security;
1535 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1536 new_dsec = new_dir->i_security;
1538 AVC_AUDIT_DATA_INIT(&ad, FS);
1540 ad.u.fs.path.dentry = old_dentry;
1541 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1542 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1545 rc = avc_has_perm(tsec->sid, old_isec->sid,
1546 old_isec->sclass, FILE__RENAME, &ad);
1549 if (old_is_dir && new_dir != old_dir) {
1550 rc = avc_has_perm(tsec->sid, old_isec->sid,
1551 old_isec->sclass, DIR__REPARENT, &ad);
1556 ad.u.fs.path.dentry = new_dentry;
1557 av = DIR__ADD_NAME | DIR__SEARCH;
1558 if (new_dentry->d_inode)
1559 av |= DIR__REMOVE_NAME;
1560 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1563 if (new_dentry->d_inode) {
1564 new_isec = new_dentry->d_inode->i_security;
1565 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1566 rc = avc_has_perm(tsec->sid, new_isec->sid,
1568 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1576 /* Check whether a task can perform a filesystem operation. */
1577 static int superblock_has_perm(struct task_struct *tsk,
1578 struct super_block *sb,
1580 struct avc_audit_data *ad)
1582 struct task_security_struct *tsec;
1583 struct superblock_security_struct *sbsec;
1585 tsec = tsk->security;
1586 sbsec = sb->s_security;
1587 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1591 /* Convert a Linux mode and permission mask to an access vector. */
1592 static inline u32 file_mask_to_av(int mode, int mask)
1596 if ((mode & S_IFMT) != S_IFDIR) {
1597 if (mask & MAY_EXEC)
1598 av |= FILE__EXECUTE;
1599 if (mask & MAY_READ)
1602 if (mask & MAY_APPEND)
1604 else if (mask & MAY_WRITE)
1608 if (mask & MAY_EXEC)
1610 if (mask & MAY_WRITE)
1612 if (mask & MAY_READ)
1620 * Convert a file mask to an access vector and include the correct open
1623 static inline u32 open_file_mask_to_av(int mode, int mask)
1625 u32 av = file_mask_to_av(mode, mask);
1627 if (selinux_policycap_openperm) {
1629 * lnk files and socks do not really have an 'open'
1633 else if (S_ISCHR(mode))
1634 av |= CHR_FILE__OPEN;
1635 else if (S_ISBLK(mode))
1636 av |= BLK_FILE__OPEN;
1637 else if (S_ISFIFO(mode))
1638 av |= FIFO_FILE__OPEN;
1639 else if (S_ISDIR(mode))
1642 printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
1643 "with unknown mode:%x\n", mode);
1648 /* Convert a Linux file to an access vector. */
1649 static inline u32 file_to_av(struct file *file)
1653 if (file->f_mode & FMODE_READ)
1655 if (file->f_mode & FMODE_WRITE) {
1656 if (file->f_flags & O_APPEND)
1663 * Special file opened with flags 3 for ioctl-only use.
1671 /* Hook functions begin here. */
1673 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1677 rc = secondary_ops->ptrace(parent,child);
1681 return task_has_perm(parent, child, PROCESS__PTRACE);
1684 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1685 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1689 error = task_has_perm(current, target, PROCESS__GETCAP);
1693 return secondary_ops->capget(target, effective, inheritable, permitted);
1696 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1697 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1701 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1705 return task_has_perm(current, target, PROCESS__SETCAP);
1708 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1709 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1711 secondary_ops->capset_set(target, effective, inheritable, permitted);
1714 static int selinux_capable(struct task_struct *tsk, int cap)
1718 rc = secondary_ops->capable(tsk, cap);
1722 return task_has_capability(tsk,cap);
1725 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1728 char *buffer, *path, *end;
1731 buffer = (char*)__get_free_page(GFP_KERNEL);
1736 end = buffer+buflen;
1742 const char *name = table->procname;
1743 size_t namelen = strlen(name);
1744 buflen -= namelen + 1;
1748 memcpy(end, name, namelen);
1751 table = table->parent;
1757 memcpy(end, "/sys", 4);
1759 rc = security_genfs_sid("proc", path, tclass, sid);
1761 free_page((unsigned long)buffer);
1766 static int selinux_sysctl(ctl_table *table, int op)
1770 struct task_security_struct *tsec;
1774 rc = secondary_ops->sysctl(table, op);
1778 tsec = current->security;
1780 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1781 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1783 /* Default to the well-defined sysctl SID. */
1784 tsid = SECINITSID_SYSCTL;
1787 /* The op values are "defined" in sysctl.c, thereby creating
1788 * a bad coupling between this module and sysctl.c */
1790 error = avc_has_perm(tsec->sid, tsid,
1791 SECCLASS_DIR, DIR__SEARCH, NULL);
1799 error = avc_has_perm(tsec->sid, tsid,
1800 SECCLASS_FILE, av, NULL);
1806 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1819 rc = superblock_has_perm(current,
1821 FILESYSTEM__QUOTAMOD, NULL);
1826 rc = superblock_has_perm(current,
1828 FILESYSTEM__QUOTAGET, NULL);
1831 rc = 0; /* let the kernel handle invalid cmds */
1837 static int selinux_quota_on(struct dentry *dentry)
1839 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1842 static int selinux_syslog(int type)
1846 rc = secondary_ops->syslog(type);
1851 case 3: /* Read last kernel messages */
1852 case 10: /* Return size of the log buffer */
1853 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1855 case 6: /* Disable logging to console */
1856 case 7: /* Enable logging to console */
1857 case 8: /* Set level of messages printed to console */
1858 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1860 case 0: /* Close log */
1861 case 1: /* Open log */
1862 case 2: /* Read from log */
1863 case 4: /* Read/clear last kernel messages */
1864 case 5: /* Clear ring buffer */
1866 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1873 * Check that a process has enough memory to allocate a new virtual
1874 * mapping. 0 means there is enough memory for the allocation to
1875 * succeed and -ENOMEM implies there is not.
1877 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1878 * if the capability is granted, but __vm_enough_memory requires 1 if
1879 * the capability is granted.
1881 * Do not audit the selinux permission check, as this is applied to all
1882 * processes that allocate mappings.
1884 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1886 int rc, cap_sys_admin = 0;
1887 struct task_security_struct *tsec = current->security;
1889 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1891 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1892 SECCLASS_CAPABILITY,
1893 CAP_TO_MASK(CAP_SYS_ADMIN),
1900 return __vm_enough_memory(mm, pages, cap_sys_admin);
1904 * task_tracer_task - return the task that is tracing the given task
1905 * @task: task to consider
1907 * Returns NULL if noone is tracing @task, or the &struct task_struct
1908 * pointer to its tracer.
1910 * Must be called under rcu_read_lock().
1912 static struct task_struct *task_tracer_task(struct task_struct *task)
1914 if (task->ptrace & PT_PTRACED)
1915 return rcu_dereference(task->parent);
1919 /* binprm security operations */
1921 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1923 struct bprm_security_struct *bsec;
1925 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1929 bsec->sid = SECINITSID_UNLABELED;
1932 bprm->security = bsec;
1936 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1938 struct task_security_struct *tsec;
1939 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1940 struct inode_security_struct *isec;
1941 struct bprm_security_struct *bsec;
1943 struct avc_audit_data ad;
1946 rc = secondary_ops->bprm_set_security(bprm);
1950 bsec = bprm->security;
1955 tsec = current->security;
1956 isec = inode->i_security;
1958 /* Default to the current task SID. */
1959 bsec->sid = tsec->sid;
1961 /* Reset fs, key, and sock SIDs on execve. */
1962 tsec->create_sid = 0;
1963 tsec->keycreate_sid = 0;
1964 tsec->sockcreate_sid = 0;
1966 if (tsec->exec_sid) {
1967 newsid = tsec->exec_sid;
1968 /* Reset exec SID on execve. */
1971 /* Check for a default transition on this program. */
1972 rc = security_transition_sid(tsec->sid, isec->sid,
1973 SECCLASS_PROCESS, &newsid);
1978 AVC_AUDIT_DATA_INIT(&ad, FS);
1979 ad.u.fs.path = bprm->file->f_path;
1981 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1984 if (tsec->sid == newsid) {
1985 rc = avc_has_perm(tsec->sid, isec->sid,
1986 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1990 /* Check permissions for the transition. */
1991 rc = avc_has_perm(tsec->sid, newsid,
1992 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1996 rc = avc_has_perm(newsid, isec->sid,
1997 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2001 /* Clear any possibly unsafe personality bits on exec: */
2002 current->personality &= ~PER_CLEAR_ON_SETID;
2004 /* Set the security field to the new SID. */
2012 static int selinux_bprm_check_security (struct linux_binprm *bprm)
2014 return secondary_ops->bprm_check_security(bprm);
2018 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
2020 struct task_security_struct *tsec = current->security;
2023 if (tsec->osid != tsec->sid) {
2024 /* Enable secure mode for SIDs transitions unless
2025 the noatsecure permission is granted between
2026 the two SIDs, i.e. ahp returns 0. */
2027 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2029 PROCESS__NOATSECURE, NULL);
2032 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2035 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2037 kfree(bprm->security);
2038 bprm->security = NULL;
2041 extern struct vfsmount *selinuxfs_mount;
2042 extern struct dentry *selinux_null;
2044 /* Derived from fs/exec.c:flush_old_files. */
2045 static inline void flush_unauthorized_files(struct files_struct * files)
2047 struct avc_audit_data ad;
2048 struct file *file, *devnull = NULL;
2049 struct tty_struct *tty;
2050 struct fdtable *fdt;
2054 mutex_lock(&tty_mutex);
2055 tty = get_current_tty();
2058 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2060 /* Revalidate access to controlling tty.
2061 Use inode_has_perm on the tty inode directly rather
2062 than using file_has_perm, as this particular open
2063 file may belong to another process and we are only
2064 interested in the inode-based check here. */
2065 struct inode *inode = file->f_path.dentry->d_inode;
2066 if (inode_has_perm(current, inode,
2067 FILE__READ | FILE__WRITE, NULL)) {
2073 mutex_unlock(&tty_mutex);
2074 /* Reset controlling tty. */
2078 /* Revalidate access to inherited open files. */
2080 AVC_AUDIT_DATA_INIT(&ad,FS);
2082 spin_lock(&files->file_lock);
2084 unsigned long set, i;
2089 fdt = files_fdtable(files);
2090 if (i >= fdt->max_fds)
2092 set = fdt->open_fds->fds_bits[j];
2095 spin_unlock(&files->file_lock);
2096 for ( ; set ; i++,set >>= 1) {
2101 if (file_has_perm(current,
2103 file_to_av(file))) {
2105 fd = get_unused_fd();
2115 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2116 if (IS_ERR(devnull)) {
2123 fd_install(fd, devnull);
2128 spin_lock(&files->file_lock);
2131 spin_unlock(&files->file_lock);
2134 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2136 struct task_security_struct *tsec;
2137 struct bprm_security_struct *bsec;
2141 secondary_ops->bprm_apply_creds(bprm, unsafe);
2143 tsec = current->security;
2145 bsec = bprm->security;
2148 tsec->osid = tsec->sid;
2150 if (tsec->sid != sid) {
2151 /* Check for shared state. If not ok, leave SID
2152 unchanged and kill. */
2153 if (unsafe & LSM_UNSAFE_SHARE) {
2154 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2155 PROCESS__SHARE, NULL);
2162 /* Check for ptracing, and update the task SID if ok.
2163 Otherwise, leave SID unchanged and kill. */
2164 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2165 struct task_struct *tracer;
2166 struct task_security_struct *sec;
2170 tracer = task_tracer_task(current);
2171 if (likely(tracer != NULL)) {
2172 sec = tracer->security;
2178 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2179 PROCESS__PTRACE, NULL);
2191 * called after apply_creds without the task lock held
2193 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2195 struct task_security_struct *tsec;
2196 struct rlimit *rlim, *initrlim;
2197 struct itimerval itimer;
2198 struct bprm_security_struct *bsec;
2201 tsec = current->security;
2202 bsec = bprm->security;
2205 force_sig_specific(SIGKILL, current);
2208 if (tsec->osid == tsec->sid)
2211 /* Close files for which the new task SID is not authorized. */
2212 flush_unauthorized_files(current->files);
2214 /* Check whether the new SID can inherit signal state
2215 from the old SID. If not, clear itimers to avoid
2216 subsequent signal generation and flush and unblock
2217 signals. This must occur _after_ the task SID has
2218 been updated so that any kill done after the flush
2219 will be checked against the new SID. */
2220 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2221 PROCESS__SIGINH, NULL);
2223 memset(&itimer, 0, sizeof itimer);
2224 for (i = 0; i < 3; i++)
2225 do_setitimer(i, &itimer, NULL);
2226 flush_signals(current);
2227 spin_lock_irq(¤t->sighand->siglock);
2228 flush_signal_handlers(current, 1);
2229 sigemptyset(¤t->blocked);
2230 recalc_sigpending();
2231 spin_unlock_irq(¤t->sighand->siglock);
2234 /* Always clear parent death signal on SID transitions. */
2235 current->pdeath_signal = 0;
2237 /* Check whether the new SID can inherit resource limits
2238 from the old SID. If not, reset all soft limits to
2239 the lower of the current task's hard limit and the init
2240 task's soft limit. Note that the setting of hard limits
2241 (even to lower them) can be controlled by the setrlimit
2242 check. The inclusion of the init task's soft limit into
2243 the computation is to avoid resetting soft limits higher
2244 than the default soft limit for cases where the default
2245 is lower than the hard limit, e.g. RLIMIT_CORE or
2247 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2248 PROCESS__RLIMITINH, NULL);
2250 for (i = 0; i < RLIM_NLIMITS; i++) {
2251 rlim = current->signal->rlim + i;
2252 initrlim = init_task.signal->rlim+i;
2253 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2255 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2257 * This will cause RLIMIT_CPU calculations
2260 current->it_prof_expires = jiffies_to_cputime(1);
2264 /* Wake up the parent if it is waiting so that it can
2265 recheck wait permission to the new task SID. */
2266 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
2269 /* superblock security operations */
2271 static int selinux_sb_alloc_security(struct super_block *sb)
2273 return superblock_alloc_security(sb);
2276 static void selinux_sb_free_security(struct super_block *sb)
2278 superblock_free_security(sb);
2281 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2286 return !memcmp(prefix, option, plen);
2289 static inline int selinux_option(char *option, int len)
2291 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2292 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2293 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2294 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2297 static inline void take_option(char **to, char *from, int *first, int len)
2304 memcpy(*to, from, len);
2308 static inline void take_selinux_option(char **to, char *from, int *first,
2311 int current_size = 0;
2320 while (current_size < len) {
2330 static int selinux_sb_copy_data(char *orig, char *copy)
2332 int fnosec, fsec, rc = 0;
2333 char *in_save, *in_curr, *in_end;
2334 char *sec_curr, *nosec_save, *nosec;
2340 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2348 in_save = in_end = orig;
2352 open_quote = !open_quote;
2353 if ((*in_end == ',' && open_quote == 0) ||
2355 int len = in_end - in_curr;
2357 if (selinux_option(in_curr, len))
2358 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2360 take_option(&nosec, in_curr, &fnosec, len);
2362 in_curr = in_end + 1;
2364 } while (*in_end++);
2366 strcpy(in_save, nosec_save);
2367 free_page((unsigned long)nosec_save);
2372 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2374 struct avc_audit_data ad;
2377 rc = superblock_doinit(sb, data);
2381 AVC_AUDIT_DATA_INIT(&ad,FS);
2382 ad.u.fs.path.dentry = sb->s_root;
2383 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2386 static int selinux_sb_statfs(struct dentry *dentry)
2388 struct avc_audit_data ad;
2390 AVC_AUDIT_DATA_INIT(&ad,FS);
2391 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2392 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2395 static int selinux_mount(char * dev_name,
2396 struct nameidata *nd,
2398 unsigned long flags,
2403 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2407 if (flags & MS_REMOUNT)
2408 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2409 FILESYSTEM__REMOUNT, NULL);
2411 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2415 static int selinux_umount(struct vfsmount *mnt, int flags)
2419 rc = secondary_ops->sb_umount(mnt, flags);
2423 return superblock_has_perm(current,mnt->mnt_sb,
2424 FILESYSTEM__UNMOUNT,NULL);
2427 /* inode security operations */
2429 static int selinux_inode_alloc_security(struct inode *inode)
2431 return inode_alloc_security(inode);
2434 static void selinux_inode_free_security(struct inode *inode)
2436 inode_free_security(inode);
2439 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2440 char **name, void **value,
2443 struct task_security_struct *tsec;
2444 struct inode_security_struct *dsec;
2445 struct superblock_security_struct *sbsec;
2448 char *namep = NULL, *context;
2450 tsec = current->security;
2451 dsec = dir->i_security;
2452 sbsec = dir->i_sb->s_security;
2454 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2455 newsid = tsec->create_sid;
2457 rc = security_transition_sid(tsec->sid, dsec->sid,
2458 inode_mode_to_security_class(inode->i_mode),
2461 printk(KERN_WARNING "%s: "
2462 "security_transition_sid failed, rc=%d (dev=%s "
2465 -rc, inode->i_sb->s_id, inode->i_ino);
2470 /* Possibly defer initialization to selinux_complete_init. */
2471 if (sbsec->initialized) {
2472 struct inode_security_struct *isec = inode->i_security;
2473 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2475 isec->initialized = 1;
2478 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2482 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2489 rc = security_sid_to_context(newsid, &context, &clen);
2501 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2503 return may_create(dir, dentry, SECCLASS_FILE);
2506 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2510 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2513 return may_link(dir, old_dentry, MAY_LINK);
2516 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2520 rc = secondary_ops->inode_unlink(dir, dentry);
2523 return may_link(dir, dentry, MAY_UNLINK);
2526 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2528 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2531 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2533 return may_create(dir, dentry, SECCLASS_DIR);
2536 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2538 return may_link(dir, dentry, MAY_RMDIR);
2541 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2545 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2549 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2552 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2553 struct inode *new_inode, struct dentry *new_dentry)
2555 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2558 static int selinux_inode_readlink(struct dentry *dentry)
2560 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2563 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2567 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2570 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2573 static int selinux_inode_permission(struct inode *inode, int mask,
2574 struct nameidata *nd)
2578 rc = secondary_ops->inode_permission(inode, mask, nd);
2583 /* No permission to check. Existence test. */
2587 return inode_has_perm(current, inode,
2588 open_file_mask_to_av(inode->i_mode, mask), NULL);
2591 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2595 rc = secondary_ops->inode_setattr(dentry, iattr);
2599 if (iattr->ia_valid & ATTR_FORCE)
2602 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2603 ATTR_ATIME_SET | ATTR_MTIME_SET))
2604 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2606 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2609 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2611 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2614 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2616 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2617 sizeof XATTR_SECURITY_PREFIX - 1)) {
2618 if (!strcmp(name, XATTR_NAME_CAPS)) {
2619 if (!capable(CAP_SETFCAP))
2621 } else if (!capable(CAP_SYS_ADMIN)) {
2622 /* A different attribute in the security namespace.
2623 Restrict to administrator. */
2628 /* Not an attribute we recognize, so just check the
2629 ordinary setattr permission. */
2630 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2633 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2635 struct task_security_struct *tsec = current->security;
2636 struct inode *inode = dentry->d_inode;
2637 struct inode_security_struct *isec = inode->i_security;
2638 struct superblock_security_struct *sbsec;
2639 struct avc_audit_data ad;
2643 if (strcmp(name, XATTR_NAME_SELINUX))
2644 return selinux_inode_setotherxattr(dentry, name);
2646 sbsec = inode->i_sb->s_security;
2647 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2650 if (!is_owner_or_cap(inode))
2653 AVC_AUDIT_DATA_INIT(&ad,FS);
2654 ad.u.fs.path.dentry = dentry;
2656 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2657 FILE__RELABELFROM, &ad);
2661 rc = security_context_to_sid(value, size, &newsid);
2665 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2666 FILE__RELABELTO, &ad);
2670 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2675 return avc_has_perm(newsid,
2677 SECCLASS_FILESYSTEM,
2678 FILESYSTEM__ASSOCIATE,
2682 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2683 void *value, size_t size, int flags)
2685 struct inode *inode = dentry->d_inode;
2686 struct inode_security_struct *isec = inode->i_security;
2690 if (strcmp(name, XATTR_NAME_SELINUX)) {
2691 /* Not an attribute we recognize, so nothing to do. */
2695 rc = security_context_to_sid(value, size, &newsid);
2697 printk(KERN_WARNING "%s: unable to obtain SID for context "
2698 "%s, rc=%d\n", __func__, (char *)value, -rc);
2706 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2708 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2711 static int selinux_inode_listxattr (struct dentry *dentry)
2713 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2716 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2718 if (strcmp(name, XATTR_NAME_SELINUX))
2719 return selinux_inode_setotherxattr(dentry, name);
2721 /* No one is allowed to remove a SELinux security label.
2722 You can change the label, but all data must be labeled. */
2727 * Copy the in-core inode security context value to the user. If the
2728 * getxattr() prior to this succeeded, check to see if we need to
2729 * canonicalize the value to be finally returned to the user.
2731 * Permission check is handled by selinux_inode_getxattr hook.
2733 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2737 char *context = NULL;
2738 struct inode_security_struct *isec = inode->i_security;
2740 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2743 error = security_sid_to_context(isec->sid, &context, &size);
2756 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2757 const void *value, size_t size, int flags)
2759 struct inode_security_struct *isec = inode->i_security;
2763 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2766 if (!value || !size)
2769 rc = security_context_to_sid((void*)value, size, &newsid);
2777 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2779 const int len = sizeof(XATTR_NAME_SELINUX);
2780 if (buffer && len <= buffer_size)
2781 memcpy(buffer, XATTR_NAME_SELINUX, len);
2785 static int selinux_inode_need_killpriv(struct dentry *dentry)
2787 return secondary_ops->inode_need_killpriv(dentry);
2790 static int selinux_inode_killpriv(struct dentry *dentry)
2792 return secondary_ops->inode_killpriv(dentry);
2795 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2797 struct inode_security_struct *isec = inode->i_security;
2801 /* file security operations */
2803 static int selinux_revalidate_file_permission(struct file *file, int mask)
2806 struct inode *inode = file->f_path.dentry->d_inode;
2809 /* No permission to check. Existence test. */
2813 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2814 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2817 rc = file_has_perm(current, file,
2818 file_mask_to_av(inode->i_mode, mask));
2822 return selinux_netlbl_inode_permission(inode, mask);
2825 static int selinux_file_permission(struct file *file, int mask)
2827 struct inode *inode = file->f_path.dentry->d_inode;
2828 struct task_security_struct *tsec = current->security;
2829 struct file_security_struct *fsec = file->f_security;
2830 struct inode_security_struct *isec = inode->i_security;
2833 /* No permission to check. Existence test. */
2837 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2838 && fsec->pseqno == avc_policy_seqno())
2839 return selinux_netlbl_inode_permission(inode, mask);
2841 return selinux_revalidate_file_permission(file, mask);
2844 static int selinux_file_alloc_security(struct file *file)
2846 return file_alloc_security(file);
2849 static void selinux_file_free_security(struct file *file)
2851 file_free_security(file);
2854 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2866 case EXT2_IOC_GETFLAGS:
2868 case EXT2_IOC_GETVERSION:
2869 error = file_has_perm(current, file, FILE__GETATTR);
2872 case EXT2_IOC_SETFLAGS:
2874 case EXT2_IOC_SETVERSION:
2875 error = file_has_perm(current, file, FILE__SETATTR);
2878 /* sys_ioctl() checks */
2882 error = file_has_perm(current, file, 0);
2887 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2890 /* default case assumes that the command will go
2891 * to the file's ioctl() function.
2894 error = file_has_perm(current, file, FILE__IOCTL);
2900 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2902 #ifndef CONFIG_PPC32
2903 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2905 * We are making executable an anonymous mapping or a
2906 * private file mapping that will also be writable.
2907 * This has an additional check.
2909 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2916 /* read access is always possible with a mapping */
2917 u32 av = FILE__READ;
2919 /* write access only matters if the mapping is shared */
2920 if (shared && (prot & PROT_WRITE))
2923 if (prot & PROT_EXEC)
2924 av |= FILE__EXECUTE;
2926 return file_has_perm(current, file, av);
2931 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2932 unsigned long prot, unsigned long flags,
2933 unsigned long addr, unsigned long addr_only)
2936 u32 sid = ((struct task_security_struct*)(current->security))->sid;
2938 if (addr < mmap_min_addr)
2939 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2940 MEMPROTECT__MMAP_ZERO, NULL);
2941 if (rc || addr_only)
2944 if (selinux_checkreqprot)
2947 return file_map_prot_check(file, prot,
2948 (flags & MAP_TYPE) == MAP_SHARED);
2951 static int selinux_file_mprotect(struct vm_area_struct *vma,
2952 unsigned long reqprot,
2957 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2961 if (selinux_checkreqprot)
2964 #ifndef CONFIG_PPC32
2965 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2967 if (vma->vm_start >= vma->vm_mm->start_brk &&
2968 vma->vm_end <= vma->vm_mm->brk) {
2969 rc = task_has_perm(current, current,
2971 } else if (!vma->vm_file &&
2972 vma->vm_start <= vma->vm_mm->start_stack &&
2973 vma->vm_end >= vma->vm_mm->start_stack) {
2974 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2975 } else if (vma->vm_file && vma->anon_vma) {
2977 * We are making executable a file mapping that has
2978 * had some COW done. Since pages might have been
2979 * written, check ability to execute the possibly
2980 * modified content. This typically should only
2981 * occur for text relocations.
2983 rc = file_has_perm(current, vma->vm_file,
2991 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2994 static int selinux_file_lock(struct file *file, unsigned int cmd)
2996 return file_has_perm(current, file, FILE__LOCK);
2999 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3006 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3011 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3012 err = file_has_perm(current, file,FILE__WRITE);
3021 /* Just check FD__USE permission */
3022 err = file_has_perm(current, file, 0);
3027 #if BITS_PER_LONG == 32
3032 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3036 err = file_has_perm(current, file, FILE__LOCK);
3043 static int selinux_file_set_fowner(struct file *file)
3045 struct task_security_struct *tsec;
3046 struct file_security_struct *fsec;
3048 tsec = current->security;
3049 fsec = file->f_security;
3050 fsec->fown_sid = tsec->sid;
3055 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3056 struct fown_struct *fown, int signum)
3060 struct task_security_struct *tsec;
3061 struct file_security_struct *fsec;
3063 /* struct fown_struct is never outside the context of a struct file */
3064 file = container_of(fown, struct file, f_owner);
3066 tsec = tsk->security;
3067 fsec = file->f_security;
3070 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3072 perm = signal_to_av(signum);
3074 return avc_has_perm(fsec->fown_sid, tsec->sid,
3075 SECCLASS_PROCESS, perm, NULL);
3078 static int selinux_file_receive(struct file *file)
3080 return file_has_perm(current, file, file_to_av(file));
3083 static int selinux_dentry_open(struct file *file)
3085 struct file_security_struct *fsec;
3086 struct inode *inode;
3087 struct inode_security_struct *isec;
3088 inode = file->f_path.dentry->d_inode;
3089 fsec = file->f_security;
3090 isec = inode->i_security;
3092 * Save inode label and policy sequence number
3093 * at open-time so that selinux_file_permission
3094 * can determine whether revalidation is necessary.
3095 * Task label is already saved in the file security
3096 * struct as its SID.
3098 fsec->isid = isec->sid;
3099 fsec->pseqno = avc_policy_seqno();
3101 * Since the inode label or policy seqno may have changed
3102 * between the selinux_inode_permission check and the saving
3103 * of state above, recheck that access is still permitted.
3104 * Otherwise, access might never be revalidated against the
3105 * new inode label or new policy.
3106 * This check is not redundant - do not remove.
3108 return inode_has_perm(current, inode, file_to_av(file), NULL);
3111 /* task security operations */
3113 static int selinux_task_create(unsigned long clone_flags)
3117 rc = secondary_ops->task_create(clone_flags);
3121 return task_has_perm(current, current, PROCESS__FORK);
3124 static int selinux_task_alloc_security(struct task_struct *tsk)
3126 struct task_security_struct *tsec1, *tsec2;
3129 tsec1 = current->security;
3131 rc = task_alloc_security(tsk);
3134 tsec2 = tsk->security;
3136 tsec2->osid = tsec1->osid;
3137 tsec2->sid = tsec1->sid;
3139 /* Retain the exec, fs, key, and sock SIDs across fork */
3140 tsec2->exec_sid = tsec1->exec_sid;
3141 tsec2->create_sid = tsec1->create_sid;
3142 tsec2->keycreate_sid = tsec1->keycreate_sid;
3143 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3148 static void selinux_task_free_security(struct task_struct *tsk)
3150 task_free_security(tsk);
3153 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3155 /* Since setuid only affects the current process, and
3156 since the SELinux controls are not based on the Linux
3157 identity attributes, SELinux does not need to control
3158 this operation. However, SELinux does control the use
3159 of the CAP_SETUID and CAP_SETGID capabilities using the
3164 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3166 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3169 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3171 /* See the comment for setuid above. */
3175 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3177 return task_has_perm(current, p, PROCESS__SETPGID);
3180 static int selinux_task_getpgid(struct task_struct *p)
3182 return task_has_perm(current, p, PROCESS__GETPGID);
3185 static int selinux_task_getsid(struct task_struct *p)
3187 return task_has_perm(current, p, PROCESS__GETSESSION);
3190 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3192 struct task_security_struct *tsec = p->security;
3196 static int selinux_task_setgroups(struct group_info *group_info)
3198 /* See the comment for setuid above. */
3202 static int selinux_task_setnice(struct task_struct *p, int nice)
3206 rc = secondary_ops->task_setnice(p, nice);
3210 return task_has_perm(current,p, PROCESS__SETSCHED);
3213 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3217 rc = secondary_ops->task_setioprio(p, ioprio);
3221 return task_has_perm(current, p, PROCESS__SETSCHED);
3224 static int selinux_task_getioprio(struct task_struct *p)
3226 return task_has_perm(current, p, PROCESS__GETSCHED);
3229 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3231 struct rlimit *old_rlim = current->signal->rlim + resource;
3234 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3238 /* Control the ability to change the hard limit (whether
3239 lowering or raising it), so that the hard limit can
3240 later be used as a safe reset point for the soft limit
3241 upon context transitions. See selinux_bprm_apply_creds. */
3242 if (old_rlim->rlim_max != new_rlim->rlim_max)
3243 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3248 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3252 rc = secondary_ops->task_setscheduler(p, policy, lp);
3256 return task_has_perm(current, p, PROCESS__SETSCHED);
3259 static int selinux_task_getscheduler(struct task_struct *p)
3261 return task_has_perm(current, p, PROCESS__GETSCHED);
3264 static int selinux_task_movememory(struct task_struct *p)
3266 return task_has_perm(current, p, PROCESS__SETSCHED);
3269 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3274 struct task_security_struct *tsec;
3276 rc = secondary_ops->task_kill(p, info, sig, secid);
3280 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3284 perm = PROCESS__SIGNULL; /* null signal; existence test */
3286 perm = signal_to_av(sig);
3289 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3291 rc = task_has_perm(current, p, perm);
3295 static int selinux_task_prctl(int option,
3301 /* The current prctl operations do not appear to require
3302 any SELinux controls since they merely observe or modify
3303 the state of the current process. */
3307 static int selinux_task_wait(struct task_struct *p)
3309 return task_has_perm(p, current, PROCESS__SIGCHLD);
3312 static void selinux_task_reparent_to_init(struct task_struct *p)
3314 struct task_security_struct *tsec;
3316 secondary_ops->task_reparent_to_init(p);
3319 tsec->osid = tsec->sid;
3320 tsec->sid = SECINITSID_KERNEL;
3324 static void selinux_task_to_inode(struct task_struct *p,
3325 struct inode *inode)
3327 struct task_security_struct *tsec = p->security;
3328 struct inode_security_struct *isec = inode->i_security;
3330 isec->sid = tsec->sid;
3331 isec->initialized = 1;
3335 /* Returns error only if unable to parse addresses */
3336 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3337 struct avc_audit_data *ad, u8 *proto)
3339 int offset, ihlen, ret = -EINVAL;
3340 struct iphdr _iph, *ih;
3342 offset = skb_network_offset(skb);
3343 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3347 ihlen = ih->ihl * 4;
3348 if (ihlen < sizeof(_iph))
3351 ad->u.net.v4info.saddr = ih->saddr;
3352 ad->u.net.v4info.daddr = ih->daddr;
3356 *proto = ih->protocol;
3358 switch (ih->protocol) {
3360 struct tcphdr _tcph, *th;
3362 if (ntohs(ih->frag_off) & IP_OFFSET)
3366 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3370 ad->u.net.sport = th->source;
3371 ad->u.net.dport = th->dest;
3376 struct udphdr _udph, *uh;
3378 if (ntohs(ih->frag_off) & IP_OFFSET)
3382 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3386 ad->u.net.sport = uh->source;
3387 ad->u.net.dport = uh->dest;
3391 case IPPROTO_DCCP: {
3392 struct dccp_hdr _dccph, *dh;
3394 if (ntohs(ih->frag_off) & IP_OFFSET)
3398 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3402 ad->u.net.sport = dh->dccph_sport;
3403 ad->u.net.dport = dh->dccph_dport;
3414 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3416 /* Returns error only if unable to parse addresses */
3417 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3418 struct avc_audit_data *ad, u8 *proto)
3421 int ret = -EINVAL, offset;
3422 struct ipv6hdr _ipv6h, *ip6;
3424 offset = skb_network_offset(skb);
3425 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3429 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3430 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3433 nexthdr = ip6->nexthdr;
3434 offset += sizeof(_ipv6h);
3435 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3444 struct tcphdr _tcph, *th;
3446 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3450 ad->u.net.sport = th->source;
3451 ad->u.net.dport = th->dest;
3456 struct udphdr _udph, *uh;
3458 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3462 ad->u.net.sport = uh->source;
3463 ad->u.net.dport = uh->dest;
3467 case IPPROTO_DCCP: {
3468 struct dccp_hdr _dccph, *dh;
3470 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3474 ad->u.net.sport = dh->dccph_sport;
3475 ad->u.net.dport = dh->dccph_dport;
3479 /* includes fragments */
3489 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3490 char **addrp, int src, u8 *proto)
3494 switch (ad->u.net.family) {
3496 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3499 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3500 &ad->u.net.v4info.daddr);
3503 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3505 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3508 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3509 &ad->u.net.v6info.daddr);
3518 "SELinux: failure in selinux_parse_skb(),"
3519 " unable to parse packet\n");
3525 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3527 * @family: protocol family
3528 * @sid: the packet's peer label SID
3531 * Check the various different forms of network peer labeling and determine
3532 * the peer label/SID for the packet; most of the magic actually occurs in
3533 * the security server function security_net_peersid_cmp(). The function
3534 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3535 * or -EACCES if @sid is invalid due to inconsistencies with the different
3539 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3546 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3547 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3549 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3550 if (unlikely(err)) {
3552 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3553 " unable to determine packet's peer label\n");
3560 /* socket security operations */
3561 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3564 struct inode_security_struct *isec;
3565 struct task_security_struct *tsec;
3566 struct avc_audit_data ad;
3569 tsec = task->security;
3570 isec = SOCK_INODE(sock)->i_security;
3572 if (isec->sid == SECINITSID_KERNEL)
3575 AVC_AUDIT_DATA_INIT(&ad,NET);
3576 ad.u.net.sk = sock->sk;
3577 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3583 static int selinux_socket_create(int family, int type,
3584 int protocol, int kern)
3587 struct task_security_struct *tsec;
3593 tsec = current->security;
3594 newsid = tsec->sockcreate_sid ? : tsec->sid;
3595 err = avc_has_perm(tsec->sid, newsid,
3596 socket_type_to_security_class(family, type,
3597 protocol), SOCKET__CREATE, NULL);
3603 static int selinux_socket_post_create(struct socket *sock, int family,
3604 int type, int protocol, int kern)
3607 struct inode_security_struct *isec;
3608 struct task_security_struct *tsec;
3609 struct sk_security_struct *sksec;
3612 isec = SOCK_INODE(sock)->i_security;
3614 tsec = current->security;
3615 newsid = tsec->sockcreate_sid ? : tsec->sid;
3616 isec->sclass = socket_type_to_security_class(family, type, protocol);
3617 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3618 isec->initialized = 1;
3621 sksec = sock->sk->sk_security;
3622 sksec->sid = isec->sid;
3623 sksec->sclass = isec->sclass;
3624 err = selinux_netlbl_socket_post_create(sock);
3630 /* Range of port numbers used to automatically bind.
3631 Need to determine whether we should perform a name_bind
3632 permission check between the socket and the port number. */
3634 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3639 err = socket_has_perm(current, sock, SOCKET__BIND);
3644 * If PF_INET or PF_INET6, check name_bind permission for the port.
3645 * Multiple address binding for SCTP is not supported yet: we just
3646 * check the first address now.
3648 family = sock->sk->sk_family;
3649 if (family == PF_INET || family == PF_INET6) {
3651 struct inode_security_struct *isec;
3652 struct task_security_struct *tsec;
3653 struct avc_audit_data ad;
3654 struct sockaddr_in *addr4 = NULL;
3655 struct sockaddr_in6 *addr6 = NULL;
3656 unsigned short snum;
3657 struct sock *sk = sock->sk;
3658 u32 sid, node_perm, addrlen;
3660 tsec = current->security;
3661 isec = SOCK_INODE(sock)->i_security;
3663 if (family == PF_INET) {
3664 addr4 = (struct sockaddr_in *)address;
3665 snum = ntohs(addr4->sin_port);
3666 addrlen = sizeof(addr4->sin_addr.s_addr);
3667 addrp = (char *)&addr4->sin_addr.s_addr;
3669 addr6 = (struct sockaddr_in6 *)address;
3670 snum = ntohs(addr6->sin6_port);
3671 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3672 addrp = (char *)&addr6->sin6_addr.s6_addr;
3678 inet_get_local_port_range(&low, &high);
3680 if (snum < max(PROT_SOCK, low) || snum > high) {
3681 err = sel_netport_sid(sk->sk_protocol,
3685 AVC_AUDIT_DATA_INIT(&ad,NET);
3686 ad.u.net.sport = htons(snum);
3687 ad.u.net.family = family;
3688 err = avc_has_perm(isec->sid, sid,
3690 SOCKET__NAME_BIND, &ad);
3696 switch(isec->sclass) {
3697 case SECCLASS_TCP_SOCKET:
3698 node_perm = TCP_SOCKET__NODE_BIND;
3701 case SECCLASS_UDP_SOCKET:
3702 node_perm = UDP_SOCKET__NODE_BIND;
3705 case SECCLASS_DCCP_SOCKET:
3706 node_perm = DCCP_SOCKET__NODE_BIND;
3710 node_perm = RAWIP_SOCKET__NODE_BIND;
3714 err = sel_netnode_sid(addrp, family, &sid);
3718 AVC_AUDIT_DATA_INIT(&ad,NET);
3719 ad.u.net.sport = htons(snum);
3720 ad.u.net.family = family;
3722 if (family == PF_INET)
3723 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3725 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3727 err = avc_has_perm(isec->sid, sid,
3728 isec->sclass, node_perm, &ad);
3736 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3738 struct inode_security_struct *isec;
3741 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3746 * If a TCP or DCCP socket, check name_connect permission for the port.
3748 isec = SOCK_INODE(sock)->i_security;
3749 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3750 isec->sclass == SECCLASS_DCCP_SOCKET) {
3751 struct sock *sk = sock->sk;
3752 struct avc_audit_data ad;
3753 struct sockaddr_in *addr4 = NULL;
3754 struct sockaddr_in6 *addr6 = NULL;
3755 unsigned short snum;
3758 if (sk->sk_family == PF_INET) {
3759 addr4 = (struct sockaddr_in *)address;
3760 if (addrlen < sizeof(struct sockaddr_in))
3762 snum = ntohs(addr4->sin_port);
3764 addr6 = (struct sockaddr_in6 *)address;
3765 if (addrlen < SIN6_LEN_RFC2133)
3767 snum = ntohs(addr6->sin6_port);
3770 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3774 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3775 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3777 AVC_AUDIT_DATA_INIT(&ad,NET);
3778 ad.u.net.dport = htons(snum);
3779 ad.u.net.family = sk->sk_family;
3780 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3789 static int selinux_socket_listen(struct socket *sock, int backlog)
3791 return socket_has_perm(current, sock, SOCKET__LISTEN);
3794 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3797 struct inode_security_struct *isec;
3798 struct inode_security_struct *newisec;
3800 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3804 newisec = SOCK_INODE(newsock)->i_security;
3806 isec = SOCK_INODE(sock)->i_security;
3807 newisec->sclass = isec->sclass;
3808 newisec->sid = isec->sid;
3809 newisec->initialized = 1;
3814 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3819 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3823 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3826 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3827 int size, int flags)
3829 return socket_has_perm(current, sock, SOCKET__READ);
3832 static int selinux_socket_getsockname(struct socket *sock)
3834 return socket_has_perm(current, sock, SOCKET__GETATTR);
3837 static int selinux_socket_getpeername(struct socket *sock)
3839 return socket_has_perm(current, sock, SOCKET__GETATTR);
3842 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3846 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3850 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3853 static int selinux_socket_getsockopt(struct socket *sock, int level,
3856 return socket_has_perm(current, sock, SOCKET__GETOPT);
3859 static int selinux_socket_shutdown(struct socket *sock, int how)
3861 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3864 static int selinux_socket_unix_stream_connect(struct socket *sock,
3865 struct socket *other,
3868 struct sk_security_struct *ssec;
3869 struct inode_security_struct *isec;
3870 struct inode_security_struct *other_isec;
3871 struct avc_audit_data ad;
3874 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3878 isec = SOCK_INODE(sock)->i_security;
3879 other_isec = SOCK_INODE(other)->i_security;
3881 AVC_AUDIT_DATA_INIT(&ad,NET);
3882 ad.u.net.sk = other->sk;
3884 err = avc_has_perm(isec->sid, other_isec->sid,
3886 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3890 /* connecting socket */
3891 ssec = sock->sk->sk_security;
3892 ssec->peer_sid = other_isec->sid;
3894 /* server child socket */
3895 ssec = newsk->sk_security;
3896 ssec->peer_sid = isec->sid;
3897 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3902 static int selinux_socket_unix_may_send(struct socket *sock,
3903 struct socket *other)
3905 struct inode_security_struct *isec;
3906 struct inode_security_struct *other_isec;
3907 struct avc_audit_data ad;
3910 isec = SOCK_INODE(sock)->i_security;
3911 other_isec = SOCK_INODE(other)->i_security;
3913 AVC_AUDIT_DATA_INIT(&ad,NET);
3914 ad.u.net.sk = other->sk;
3916 err = avc_has_perm(isec->sid, other_isec->sid,
3917 isec->sclass, SOCKET__SENDTO, &ad);
3924 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3926 struct avc_audit_data *ad)
3932 err = sel_netif_sid(ifindex, &if_sid);
3935 err = avc_has_perm(peer_sid, if_sid,
3936 SECCLASS_NETIF, NETIF__INGRESS, ad);
3940 err = sel_netnode_sid(addrp, family, &node_sid);
3943 return avc_has_perm(peer_sid, node_sid,
3944 SECCLASS_NODE, NODE__RECVFROM, ad);
3947 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3948 struct sk_buff *skb,
3949 struct avc_audit_data *ad,
3954 struct sk_security_struct *sksec = sk->sk_security;
3956 u32 netif_perm, node_perm, recv_perm;
3957 u32 port_sid, node_sid, if_sid, sk_sid;
3959 sk_sid = sksec->sid;
3960 sk_class = sksec->sclass;
3963 case SECCLASS_UDP_SOCKET:
3964 netif_perm = NETIF__UDP_RECV;
3965 node_perm = NODE__UDP_RECV;
3966 recv_perm = UDP_SOCKET__RECV_MSG;
3968 case SECCLASS_TCP_SOCKET:
3969 netif_perm = NETIF__TCP_RECV;
3970 node_perm = NODE__TCP_RECV;
3971 recv_perm = TCP_SOCKET__RECV_MSG;
3973 case SECCLASS_DCCP_SOCKET:
3974 netif_perm = NETIF__DCCP_RECV;
3975 node_perm = NODE__DCCP_RECV;
3976 recv_perm = DCCP_SOCKET__RECV_MSG;
3979 netif_perm = NETIF__RAWIP_RECV;
3980 node_perm = NODE__RAWIP_RECV;
3985 err = sel_netif_sid(skb->iif, &if_sid);
3988 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3992 err = sel_netnode_sid(addrp, family, &node_sid);
3995 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4001 err = sel_netport_sid(sk->sk_protocol,
4002 ntohs(ad->u.net.sport), &port_sid);
4003 if (unlikely(err)) {
4005 "SELinux: failure in"
4006 " selinux_sock_rcv_skb_iptables_compat(),"
4007 " network port label not found\n");
4010 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4013 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4014 struct avc_audit_data *ad,
4015 u16 family, char *addrp)
4018 struct sk_security_struct *sksec = sk->sk_security;
4020 u32 sk_sid = sksec->sid;
4022 if (selinux_compat_net)
4023 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4026 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4031 if (selinux_policycap_netpeer) {
4032 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4035 err = avc_has_perm(sk_sid, peer_sid,
4036 SECCLASS_PEER, PEER__RECV, ad);
4038 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4041 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4047 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4050 struct sk_security_struct *sksec = sk->sk_security;
4051 u16 family = sk->sk_family;
4052 u32 sk_sid = sksec->sid;
4053 struct avc_audit_data ad;
4056 if (family != PF_INET && family != PF_INET6)
4059 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4060 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4063 AVC_AUDIT_DATA_INIT(&ad, NET);
4064 ad.u.net.netif = skb->iif;
4065 ad.u.net.family = family;
4066 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4070 /* If any sort of compatibility mode is enabled then handoff processing
4071 * to the selinux_sock_rcv_skb_compat() function to deal with the
4072 * special handling. We do this in an attempt to keep this function
4073 * as fast and as clean as possible. */
4074 if (selinux_compat_net || !selinux_policycap_netpeer)
4075 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4078 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4081 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4084 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4088 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4092 if (selinux_secmark_enabled()) {
4093 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4102 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4103 int __user *optlen, unsigned len)
4108 struct sk_security_struct *ssec;
4109 struct inode_security_struct *isec;
4110 u32 peer_sid = SECSID_NULL;
4112 isec = SOCK_INODE(sock)->i_security;
4114 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4115 isec->sclass == SECCLASS_TCP_SOCKET) {
4116 ssec = sock->sk->sk_security;
4117 peer_sid = ssec->peer_sid;
4119 if (peer_sid == SECSID_NULL) {
4124 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4129 if (scontext_len > len) {
4134 if (copy_to_user(optval, scontext, scontext_len))
4138 if (put_user(scontext_len, optlen))
4146 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4148 u32 peer_secid = SECSID_NULL;
4152 family = sock->sk->sk_family;
4153 else if (skb && skb->sk)
4154 family = skb->sk->sk_family;
4158 if (sock && family == PF_UNIX)
4159 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4161 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4164 *secid = peer_secid;
4165 if (peer_secid == SECSID_NULL)
4170 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4172 return sk_alloc_security(sk, family, priority);
4175 static void selinux_sk_free_security(struct sock *sk)
4177 sk_free_security(sk);
4180 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4182 struct sk_security_struct *ssec = sk->sk_security;
4183 struct sk_security_struct *newssec = newsk->sk_security;
4185 newssec->sid = ssec->sid;
4186 newssec->peer_sid = ssec->peer_sid;
4187 newssec->sclass = ssec->sclass;
4189 selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4192 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4195 *secid = SECINITSID_ANY_SOCKET;
4197 struct sk_security_struct *sksec = sk->sk_security;
4199 *secid = sksec->sid;
4203 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4205 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4206 struct sk_security_struct *sksec = sk->sk_security;
4208 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4209 sk->sk_family == PF_UNIX)
4210 isec->sid = sksec->sid;
4211 sksec->sclass = isec->sclass;
4213 selinux_netlbl_sock_graft(sk, parent);
4216 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4217 struct request_sock *req)
4219 struct sk_security_struct *sksec = sk->sk_security;
4224 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4227 if (peersid == SECSID_NULL) {
4228 req->secid = sksec->sid;
4229 req->peer_secid = SECSID_NULL;
4233 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4237 req->secid = newsid;
4238 req->peer_secid = peersid;
4242 static void selinux_inet_csk_clone(struct sock *newsk,
4243 const struct request_sock *req)
4245 struct sk_security_struct *newsksec = newsk->sk_security;
4247 newsksec->sid = req->secid;
4248 newsksec->peer_sid = req->peer_secid;
4249 /* NOTE: Ideally, we should also get the isec->sid for the
4250 new socket in sync, but we don't have the isec available yet.
4251 So we will wait until sock_graft to do it, by which
4252 time it will have been created and available. */
4254 /* We don't need to take any sort of lock here as we are the only
4255 * thread with access to newsksec */
4256 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4259 static void selinux_inet_conn_established(struct sock *sk,
4260 struct sk_buff *skb)
4262 struct sk_security_struct *sksec = sk->sk_security;
4264 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4267 static void selinux_req_classify_flow(const struct request_sock *req,
4270 fl->secid = req->secid;
4273 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4277 struct nlmsghdr *nlh;
4278 struct socket *sock = sk->sk_socket;
4279 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4281 if (skb->len < NLMSG_SPACE(0)) {
4285 nlh = nlmsg_hdr(skb);
4287 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4289 if (err == -EINVAL) {
4290 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4291 "SELinux: unrecognized netlink message"
4292 " type=%hu for sclass=%hu\n",
4293 nlh->nlmsg_type, isec->sclass);
4294 if (!selinux_enforcing)
4304 err = socket_has_perm(current, sock, perm);
4309 #ifdef CONFIG_NETFILTER
4311 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4316 struct avc_audit_data ad;
4320 if (!selinux_policycap_netpeer)
4323 secmark_active = selinux_secmark_enabled();
4324 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4325 if (!secmark_active && !peerlbl_active)
4328 AVC_AUDIT_DATA_INIT(&ad, NET);
4329 ad.u.net.netif = ifindex;
4330 ad.u.net.family = family;
4331 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4334 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4338 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4339 peer_sid, &ad) != 0)
4343 if (avc_has_perm(peer_sid, skb->secmark,
4344 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4350 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4351 struct sk_buff *skb,
4352 const struct net_device *in,
4353 const struct net_device *out,
4354 int (*okfn)(struct sk_buff *))
4356 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4359 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4360 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4361 struct sk_buff *skb,
4362 const struct net_device *in,
4363 const struct net_device *out,
4364 int (*okfn)(struct sk_buff *))
4366 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4370 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4372 struct avc_audit_data *ad,
4373 u16 family, char *addrp)
4376 struct sk_security_struct *sksec = sk->sk_security;
4378 u32 netif_perm, node_perm, send_perm;
4379 u32 port_sid, node_sid, if_sid, sk_sid;
4381 sk_sid = sksec->sid;
4382 sk_class = sksec->sclass;
4385 case SECCLASS_UDP_SOCKET:
4386 netif_perm = NETIF__UDP_SEND;
4387 node_perm = NODE__UDP_SEND;
4388 send_perm = UDP_SOCKET__SEND_MSG;
4390 case SECCLASS_TCP_SOCKET:
4391 netif_perm = NETIF__TCP_SEND;
4392 node_perm = NODE__TCP_SEND;
4393 send_perm = TCP_SOCKET__SEND_MSG;
4395 case SECCLASS_DCCP_SOCKET:
4396 netif_perm = NETIF__DCCP_SEND;
4397 node_perm = NODE__DCCP_SEND;
4398 send_perm = DCCP_SOCKET__SEND_MSG;
4401 netif_perm = NETIF__RAWIP_SEND;
4402 node_perm = NODE__RAWIP_SEND;
4407 err = sel_netif_sid(ifindex, &if_sid);
4410 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4413 err = sel_netnode_sid(addrp, family, &node_sid);
4416 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4423 err = sel_netport_sid(sk->sk_protocol,
4424 ntohs(ad->u.net.dport), &port_sid);
4425 if (unlikely(err)) {
4427 "SELinux: failure in"
4428 " selinux_ip_postroute_iptables_compat(),"
4429 " network port label not found\n");
4432 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4435 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4437 struct avc_audit_data *ad,
4442 struct sock *sk = skb->sk;
4443 struct sk_security_struct *sksec;
4447 sksec = sk->sk_security;
4449 if (selinux_compat_net) {
4450 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4454 if (avc_has_perm(sksec->sid, skb->secmark,
4455 SECCLASS_PACKET, PACKET__SEND, ad))
4459 if (selinux_policycap_netpeer)
4460 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4466 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4472 struct avc_audit_data ad;
4478 AVC_AUDIT_DATA_INIT(&ad, NET);
4479 ad.u.net.netif = ifindex;
4480 ad.u.net.family = family;
4481 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4484 /* If any sort of compatibility mode is enabled then handoff processing
4485 * to the selinux_ip_postroute_compat() function to deal with the
4486 * special handling. We do this in an attempt to keep this function
4487 * as fast and as clean as possible. */
4488 if (selinux_compat_net || !selinux_policycap_netpeer)
4489 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4490 family, addrp, proto);
4492 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4493 * packet transformation so allow the packet to pass without any checks
4494 * since we'll have another chance to perform access control checks
4495 * when the packet is on it's final way out.
4496 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4497 * is NULL, in this case go ahead and apply access control. */
4498 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4501 secmark_active = selinux_secmark_enabled();
4502 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4503 if (!secmark_active && !peerlbl_active)
4506 /* if the packet is locally generated (skb->sk != NULL) then use the
4507 * socket's label as the peer label, otherwise the packet is being
4508 * forwarded through this system and we need to fetch the peer label
4509 * directly from the packet */
4512 struct sk_security_struct *sksec = sk->sk_security;
4513 peer_sid = sksec->sid;
4514 secmark_perm = PACKET__SEND;
4516 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4518 secmark_perm = PACKET__FORWARD_OUT;
4522 if (avc_has_perm(peer_sid, skb->secmark,
4523 SECCLASS_PACKET, secmark_perm, &ad))
4526 if (peerlbl_active) {
4530 if (sel_netif_sid(ifindex, &if_sid))
4532 if (avc_has_perm(peer_sid, if_sid,
4533 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4536 if (sel_netnode_sid(addrp, family, &node_sid))
4538 if (avc_has_perm(peer_sid, node_sid,
4539 SECCLASS_NODE, NODE__SENDTO, &ad))
4546 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4547 struct sk_buff *skb,
4548 const struct net_device *in,
4549 const struct net_device *out,
4550 int (*okfn)(struct sk_buff *))
4552 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4555 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4556 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4557 struct sk_buff *skb,
4558 const struct net_device *in,
4559 const struct net_device *out,
4560 int (*okfn)(struct sk_buff *))
4562 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4566 #endif /* CONFIG_NETFILTER */
4568 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4572 err = secondary_ops->netlink_send(sk, skb);
4576 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4577 err = selinux_nlmsg_perm(sk, skb);
4582 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4585 struct avc_audit_data ad;
4587 err = secondary_ops->netlink_recv(skb, capability);
4591 AVC_AUDIT_DATA_INIT(&ad, CAP);
4592 ad.u.cap = capability;
4594 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4595 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4598 static int ipc_alloc_security(struct task_struct *task,
4599 struct kern_ipc_perm *perm,
4602 struct task_security_struct *tsec = task->security;
4603 struct ipc_security_struct *isec;
4605 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4609 isec->sclass = sclass;
4610 isec->sid = tsec->sid;
4611 perm->security = isec;
4616 static void ipc_free_security(struct kern_ipc_perm *perm)
4618 struct ipc_security_struct *isec = perm->security;
4619 perm->security = NULL;
4623 static int msg_msg_alloc_security(struct msg_msg *msg)
4625 struct msg_security_struct *msec;
4627 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4631 msec->sid = SECINITSID_UNLABELED;
4632 msg->security = msec;
4637 static void msg_msg_free_security(struct msg_msg *msg)
4639 struct msg_security_struct *msec = msg->security;
4641 msg->security = NULL;
4645 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4648 struct task_security_struct *tsec;
4649 struct ipc_security_struct *isec;
4650 struct avc_audit_data ad;
4652 tsec = current->security;
4653 isec = ipc_perms->security;
4655 AVC_AUDIT_DATA_INIT(&ad, IPC);
4656 ad.u.ipc_id = ipc_perms->key;
4658 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4661 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4663 return msg_msg_alloc_security(msg);
4666 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4668 msg_msg_free_security(msg);
4671 /* message queue security operations */
4672 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4674 struct task_security_struct *tsec;
4675 struct ipc_security_struct *isec;
4676 struct avc_audit_data ad;
4679 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4683 tsec = current->security;
4684 isec = msq->q_perm.security;
4686 AVC_AUDIT_DATA_INIT(&ad, IPC);
4687 ad.u.ipc_id = msq->q_perm.key;
4689 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4692 ipc_free_security(&msq->q_perm);
4698 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4700 ipc_free_security(&msq->q_perm);
4703 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4705 struct task_security_struct *tsec;
4706 struct ipc_security_struct *isec;
4707 struct avc_audit_data ad;
4709 tsec = current->security;
4710 isec = msq->q_perm.security;
4712 AVC_AUDIT_DATA_INIT(&ad, IPC);
4713 ad.u.ipc_id = msq->q_perm.key;
4715 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4716 MSGQ__ASSOCIATE, &ad);
4719 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4727 /* No specific object, just general system-wide information. */
4728 return task_has_system(current, SYSTEM__IPC_INFO);
4731 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4734 perms = MSGQ__SETATTR;
4737 perms = MSGQ__DESTROY;
4743 err = ipc_has_perm(&msq->q_perm, perms);
4747 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4749 struct task_security_struct *tsec;
4750 struct ipc_security_struct *isec;
4751 struct msg_security_struct *msec;
4752 struct avc_audit_data ad;
4755 tsec = current->security;
4756 isec = msq->q_perm.security;
4757 msec = msg->security;
4760 * First time through, need to assign label to the message
4762 if (msec->sid == SECINITSID_UNLABELED) {
4764 * Compute new sid based on current process and
4765 * message queue this message will be stored in
4767 rc = security_transition_sid(tsec->sid,
4775 AVC_AUDIT_DATA_INIT(&ad, IPC);
4776 ad.u.ipc_id = msq->q_perm.key;
4778 /* Can this process write to the queue? */
4779 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4782 /* Can this process send the message */
4783 rc = avc_has_perm(tsec->sid, msec->sid,
4784 SECCLASS_MSG, MSG__SEND, &ad);
4786 /* Can the message be put in the queue? */
4787 rc = avc_has_perm(msec->sid, isec->sid,
4788 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4793 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4794 struct task_struct *target,
4795 long type, int mode)
4797 struct task_security_struct *tsec;
4798 struct ipc_security_struct *isec;
4799 struct msg_security_struct *msec;
4800 struct avc_audit_data ad;
4803 tsec = target->security;
4804 isec = msq->q_perm.security;
4805 msec = msg->security;
4807 AVC_AUDIT_DATA_INIT(&ad, IPC);
4808 ad.u.ipc_id = msq->q_perm.key;
4810 rc = avc_has_perm(tsec->sid, isec->sid,
4811 SECCLASS_MSGQ, MSGQ__READ, &ad);
4813 rc = avc_has_perm(tsec->sid, msec->sid,
4814 SECCLASS_MSG, MSG__RECEIVE, &ad);
4818 /* Shared Memory security operations */
4819 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4821 struct task_security_struct *tsec;
4822 struct ipc_security_struct *isec;
4823 struct avc_audit_data ad;
4826 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4830 tsec = current->security;
4831 isec = shp->shm_perm.security;
4833 AVC_AUDIT_DATA_INIT(&ad, IPC);
4834 ad.u.ipc_id = shp->shm_perm.key;
4836 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4839 ipc_free_security(&shp->shm_perm);
4845 static void selinux_shm_free_security(struct shmid_kernel *shp)
4847 ipc_free_security(&shp->shm_perm);
4850 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4852 struct task_security_struct *tsec;
4853 struct ipc_security_struct *isec;
4854 struct avc_audit_data ad;
4856 tsec = current->security;
4857 isec = shp->shm_perm.security;
4859 AVC_AUDIT_DATA_INIT(&ad, IPC);
4860 ad.u.ipc_id = shp->shm_perm.key;
4862 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4863 SHM__ASSOCIATE, &ad);
4866 /* Note, at this point, shp is locked down */
4867 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4875 /* No specific object, just general system-wide information. */
4876 return task_has_system(current, SYSTEM__IPC_INFO);
4879 perms = SHM__GETATTR | SHM__ASSOCIATE;
4882 perms = SHM__SETATTR;
4889 perms = SHM__DESTROY;
4895 err = ipc_has_perm(&shp->shm_perm, perms);
4899 static int selinux_shm_shmat(struct shmid_kernel *shp,
4900 char __user *shmaddr, int shmflg)
4905 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4909 if (shmflg & SHM_RDONLY)
4912 perms = SHM__READ | SHM__WRITE;
4914 return ipc_has_perm(&shp->shm_perm, perms);
4917 /* Semaphore security operations */
4918 static int selinux_sem_alloc_security(struct sem_array *sma)
4920 struct task_security_struct *tsec;
4921 struct ipc_security_struct *isec;
4922 struct avc_audit_data ad;
4925 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4929 tsec = current->security;
4930 isec = sma->sem_perm.security;
4932 AVC_AUDIT_DATA_INIT(&ad, IPC);
4933 ad.u.ipc_id = sma->sem_perm.key;
4935 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4938 ipc_free_security(&sma->sem_perm);
4944 static void selinux_sem_free_security(struct sem_array *sma)
4946 ipc_free_security(&sma->sem_perm);
4949 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4951 struct task_security_struct *tsec;
4952 struct ipc_security_struct *isec;
4953 struct avc_audit_data ad;
4955 tsec = current->security;
4956 isec = sma->sem_perm.security;
4958 AVC_AUDIT_DATA_INIT(&ad, IPC);
4959 ad.u.ipc_id = sma->sem_perm.key;
4961 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4962 SEM__ASSOCIATE, &ad);
4965 /* Note, at this point, sma is locked down */
4966 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4974 /* No specific object, just general system-wide information. */
4975 return task_has_system(current, SYSTEM__IPC_INFO);
4979 perms = SEM__GETATTR;
4990 perms = SEM__DESTROY;
4993 perms = SEM__SETATTR;
4997 perms = SEM__GETATTR | SEM__ASSOCIATE;
5003 err = ipc_has_perm(&sma->sem_perm, perms);
5007 static int selinux_sem_semop(struct sem_array *sma,
5008 struct sembuf *sops, unsigned nsops, int alter)
5013 perms = SEM__READ | SEM__WRITE;
5017 return ipc_has_perm(&sma->sem_perm, perms);
5020 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5026 av |= IPC__UNIX_READ;
5028 av |= IPC__UNIX_WRITE;
5033 return ipc_has_perm(ipcp, av);
5036 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5038 struct ipc_security_struct *isec = ipcp->security;
5042 /* module stacking operations */
5043 static int selinux_register_security (const char *name, struct security_operations *ops)
5045 if (secondary_ops != original_ops) {
5046 printk(KERN_ERR "%s: There is already a secondary security "
5047 "module registered.\n", __func__);
5051 secondary_ops = ops;
5053 printk(KERN_INFO "%s: Registering secondary module %s\n",
5060 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
5063 inode_doinit_with_dentry(inode, dentry);
5066 static int selinux_getprocattr(struct task_struct *p,
5067 char *name, char **value)
5069 struct task_security_struct *tsec;
5075 error = task_has_perm(current, p, PROCESS__GETATTR);
5082 if (!strcmp(name, "current"))
5084 else if (!strcmp(name, "prev"))
5086 else if (!strcmp(name, "exec"))
5087 sid = tsec->exec_sid;
5088 else if (!strcmp(name, "fscreate"))
5089 sid = tsec->create_sid;
5090 else if (!strcmp(name, "keycreate"))
5091 sid = tsec->keycreate_sid;
5092 else if (!strcmp(name, "sockcreate"))
5093 sid = tsec->sockcreate_sid;
5100 error = security_sid_to_context(sid, value, &len);
5106 static int selinux_setprocattr(struct task_struct *p,
5107 char *name, void *value, size_t size)
5109 struct task_security_struct *tsec;
5110 struct task_struct *tracer;
5116 /* SELinux only allows a process to change its own
5117 security attributes. */
5122 * Basic control over ability to set these attributes at all.
5123 * current == p, but we'll pass them separately in case the
5124 * above restriction is ever removed.
5126 if (!strcmp(name, "exec"))
5127 error = task_has_perm(current, p, PROCESS__SETEXEC);
5128 else if (!strcmp(name, "fscreate"))
5129 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5130 else if (!strcmp(name, "keycreate"))
5131 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5132 else if (!strcmp(name, "sockcreate"))
5133 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5134 else if (!strcmp(name, "current"))
5135 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5141 /* Obtain a SID for the context, if one was specified. */
5142 if (size && str[1] && str[1] != '\n') {
5143 if (str[size-1] == '\n') {
5147 error = security_context_to_sid(value, size, &sid);
5152 /* Permission checking based on the specified context is
5153 performed during the actual operation (execve,
5154 open/mkdir/...), when we know the full context of the
5155 operation. See selinux_bprm_set_security for the execve
5156 checks and may_create for the file creation checks. The
5157 operation will then fail if the context is not permitted. */
5159 if (!strcmp(name, "exec"))
5160 tsec->exec_sid = sid;
5161 else if (!strcmp(name, "fscreate"))
5162 tsec->create_sid = sid;
5163 else if (!strcmp(name, "keycreate")) {
5164 error = may_create_key(sid, p);
5167 tsec->keycreate_sid = sid;
5168 } else if (!strcmp(name, "sockcreate"))
5169 tsec->sockcreate_sid = sid;
5170 else if (!strcmp(name, "current")) {
5171 struct av_decision avd;
5176 /* Only allow single threaded processes to change context */
5177 if (atomic_read(&p->mm->mm_users) != 1) {
5178 struct task_struct *g, *t;
5179 struct mm_struct *mm = p->mm;
5180 read_lock(&tasklist_lock);
5181 do_each_thread(g, t)
5182 if (t->mm == mm && t != p) {
5183 read_unlock(&tasklist_lock);
5186 while_each_thread(g, t);
5187 read_unlock(&tasklist_lock);
5190 /* Check permissions for the transition. */
5191 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5192 PROCESS__DYNTRANSITION, NULL);
5196 /* Check for ptracing, and update the task SID if ok.
5197 Otherwise, leave SID unchanged and fail. */
5200 tracer = task_tracer_task(p);
5201 if (tracer != NULL) {
5202 struct task_security_struct *ptsec = tracer->security;
5203 u32 ptsid = ptsec->sid;
5205 error = avc_has_perm_noaudit(ptsid, sid,
5207 PROCESS__PTRACE, 0, &avd);
5211 avc_audit(ptsid, sid, SECCLASS_PROCESS,
5212 PROCESS__PTRACE, &avd, error, NULL);
5227 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5229 return security_sid_to_context(secid, secdata, seclen);
5232 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5234 return security_context_to_sid(secdata, seclen, secid);
5237 static void selinux_release_secctx(char *secdata, u32 seclen)
5244 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5245 unsigned long flags)
5247 struct task_security_struct *tsec = tsk->security;
5248 struct key_security_struct *ksec;
5250 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5254 if (tsec->keycreate_sid)
5255 ksec->sid = tsec->keycreate_sid;
5257 ksec->sid = tsec->sid;
5263 static void selinux_key_free(struct key *k)
5265 struct key_security_struct *ksec = k->security;
5271 static int selinux_key_permission(key_ref_t key_ref,
5272 struct task_struct *ctx,
5276 struct task_security_struct *tsec;
5277 struct key_security_struct *ksec;
5279 key = key_ref_to_ptr(key_ref);
5281 tsec = ctx->security;
5282 ksec = key->security;
5284 /* if no specific permissions are requested, we skip the
5285 permission check. No serious, additional covert channels
5286 appear to be created. */
5290 return avc_has_perm(tsec->sid, ksec->sid,
5291 SECCLASS_KEY, perm, NULL);
5296 static struct security_operations selinux_ops = {
5297 .ptrace = selinux_ptrace,
5298 .capget = selinux_capget,
5299 .capset_check = selinux_capset_check,
5300 .capset_set = selinux_capset_set,
5301 .sysctl = selinux_sysctl,
5302 .capable = selinux_capable,
5303 .quotactl = selinux_quotactl,
5304 .quota_on = selinux_quota_on,
5305 .syslog = selinux_syslog,
5306 .vm_enough_memory = selinux_vm_enough_memory,
5308 .netlink_send = selinux_netlink_send,
5309 .netlink_recv = selinux_netlink_recv,
5311 .bprm_alloc_security = selinux_bprm_alloc_security,
5312 .bprm_free_security = selinux_bprm_free_security,
5313 .bprm_apply_creds = selinux_bprm_apply_creds,
5314 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5315 .bprm_set_security = selinux_bprm_set_security,
5316 .bprm_check_security = selinux_bprm_check_security,
5317 .bprm_secureexec = selinux_bprm_secureexec,
5319 .sb_alloc_security = selinux_sb_alloc_security,
5320 .sb_free_security = selinux_sb_free_security,
5321 .sb_copy_data = selinux_sb_copy_data,
5322 .sb_kern_mount = selinux_sb_kern_mount,
5323 .sb_statfs = selinux_sb_statfs,
5324 .sb_mount = selinux_mount,
5325 .sb_umount = selinux_umount,
5326 .sb_get_mnt_opts = selinux_get_mnt_opts,
5327 .sb_set_mnt_opts = selinux_set_mnt_opts,
5328 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5329 .sb_parse_opts_str = selinux_parse_opts_str,
5332 .inode_alloc_security = selinux_inode_alloc_security,
5333 .inode_free_security = selinux_inode_free_security,
5334 .inode_init_security = selinux_inode_init_security,
5335 .inode_create = selinux_inode_create,
5336 .inode_link = selinux_inode_link,
5337 .inode_unlink = selinux_inode_unlink,
5338 .inode_symlink = selinux_inode_symlink,
5339 .inode_mkdir = selinux_inode_mkdir,
5340 .inode_rmdir = selinux_inode_rmdir,
5341 .inode_mknod = selinux_inode_mknod,
5342 .inode_rename = selinux_inode_rename,
5343 .inode_readlink = selinux_inode_readlink,
5344 .inode_follow_link = selinux_inode_follow_link,
5345 .inode_permission = selinux_inode_permission,
5346 .inode_setattr = selinux_inode_setattr,
5347 .inode_getattr = selinux_inode_getattr,
5348 .inode_setxattr = selinux_inode_setxattr,
5349 .inode_post_setxattr = selinux_inode_post_setxattr,
5350 .inode_getxattr = selinux_inode_getxattr,
5351 .inode_listxattr = selinux_inode_listxattr,
5352 .inode_removexattr = selinux_inode_removexattr,
5353 .inode_getsecurity = selinux_inode_getsecurity,
5354 .inode_setsecurity = selinux_inode_setsecurity,
5355 .inode_listsecurity = selinux_inode_listsecurity,
5356 .inode_need_killpriv = selinux_inode_need_killpriv,
5357 .inode_killpriv = selinux_inode_killpriv,
5358 .inode_getsecid = selinux_inode_getsecid,
5360 .file_permission = selinux_file_permission,
5361 .file_alloc_security = selinux_file_alloc_security,
5362 .file_free_security = selinux_file_free_security,
5363 .file_ioctl = selinux_file_ioctl,
5364 .file_mmap = selinux_file_mmap,
5365 .file_mprotect = selinux_file_mprotect,
5366 .file_lock = selinux_file_lock,
5367 .file_fcntl = selinux_file_fcntl,
5368 .file_set_fowner = selinux_file_set_fowner,
5369 .file_send_sigiotask = selinux_file_send_sigiotask,
5370 .file_receive = selinux_file_receive,
5372 .dentry_open = selinux_dentry_open,
5374 .task_create = selinux_task_create,
5375 .task_alloc_security = selinux_task_alloc_security,
5376 .task_free_security = selinux_task_free_security,
5377 .task_setuid = selinux_task_setuid,
5378 .task_post_setuid = selinux_task_post_setuid,
5379 .task_setgid = selinux_task_setgid,
5380 .task_setpgid = selinux_task_setpgid,
5381 .task_getpgid = selinux_task_getpgid,
5382 .task_getsid = selinux_task_getsid,
5383 .task_getsecid = selinux_task_getsecid,
5384 .task_setgroups = selinux_task_setgroups,
5385 .task_setnice = selinux_task_setnice,
5386 .task_setioprio = selinux_task_setioprio,
5387 .task_getioprio = selinux_task_getioprio,
5388 .task_setrlimit = selinux_task_setrlimit,
5389 .task_setscheduler = selinux_task_setscheduler,
5390 .task_getscheduler = selinux_task_getscheduler,
5391 .task_movememory = selinux_task_movememory,
5392 .task_kill = selinux_task_kill,
5393 .task_wait = selinux_task_wait,
5394 .task_prctl = selinux_task_prctl,
5395 .task_reparent_to_init = selinux_task_reparent_to_init,
5396 .task_to_inode = selinux_task_to_inode,
5398 .ipc_permission = selinux_ipc_permission,
5399 .ipc_getsecid = selinux_ipc_getsecid,
5401 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5402 .msg_msg_free_security = selinux_msg_msg_free_security,
5404 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5405 .msg_queue_free_security = selinux_msg_queue_free_security,
5406 .msg_queue_associate = selinux_msg_queue_associate,
5407 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5408 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5409 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5411 .shm_alloc_security = selinux_shm_alloc_security,
5412 .shm_free_security = selinux_shm_free_security,
5413 .shm_associate = selinux_shm_associate,
5414 .shm_shmctl = selinux_shm_shmctl,
5415 .shm_shmat = selinux_shm_shmat,
5417 .sem_alloc_security = selinux_sem_alloc_security,
5418 .sem_free_security = selinux_sem_free_security,
5419 .sem_associate = selinux_sem_associate,
5420 .sem_semctl = selinux_sem_semctl,
5421 .sem_semop = selinux_sem_semop,
5423 .register_security = selinux_register_security,
5425 .d_instantiate = selinux_d_instantiate,
5427 .getprocattr = selinux_getprocattr,
5428 .setprocattr = selinux_setprocattr,
5430 .secid_to_secctx = selinux_secid_to_secctx,
5431 .secctx_to_secid = selinux_secctx_to_secid,
5432 .release_secctx = selinux_release_secctx,
5434 .unix_stream_connect = selinux_socket_unix_stream_connect,
5435 .unix_may_send = selinux_socket_unix_may_send,
5437 .socket_create = selinux_socket_create,
5438 .socket_post_create = selinux_socket_post_create,
5439 .socket_bind = selinux_socket_bind,
5440 .socket_connect = selinux_socket_connect,
5441 .socket_listen = selinux_socket_listen,
5442 .socket_accept = selinux_socket_accept,
5443 .socket_sendmsg = selinux_socket_sendmsg,
5444 .socket_recvmsg = selinux_socket_recvmsg,
5445 .socket_getsockname = selinux_socket_getsockname,
5446 .socket_getpeername = selinux_socket_getpeername,
5447 .socket_getsockopt = selinux_socket_getsockopt,
5448 .socket_setsockopt = selinux_socket_setsockopt,
5449 .socket_shutdown = selinux_socket_shutdown,
5450 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5451 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5452 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5453 .sk_alloc_security = selinux_sk_alloc_security,
5454 .sk_free_security = selinux_sk_free_security,
5455 .sk_clone_security = selinux_sk_clone_security,
5456 .sk_getsecid = selinux_sk_getsecid,
5457 .sock_graft = selinux_sock_graft,
5458 .inet_conn_request = selinux_inet_conn_request,
5459 .inet_csk_clone = selinux_inet_csk_clone,
5460 .inet_conn_established = selinux_inet_conn_established,
5461 .req_classify_flow = selinux_req_classify_flow,
5463 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5464 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5465 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5466 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5467 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5468 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5469 .xfrm_state_free_security = selinux_xfrm_state_free,
5470 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5471 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5472 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5473 .xfrm_decode_session = selinux_xfrm_decode_session,
5477 .key_alloc = selinux_key_alloc,
5478 .key_free = selinux_key_free,
5479 .key_permission = selinux_key_permission,
5483 static __init int selinux_init(void)
5485 struct task_security_struct *tsec;
5487 if (!selinux_enabled) {
5488 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5492 printk(KERN_INFO "SELinux: Initializing.\n");
5494 /* Set the security state for the initial task. */
5495 if (task_alloc_security(current))
5496 panic("SELinux: Failed to initialize initial task.\n");
5497 tsec = current->security;
5498 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5500 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5501 sizeof(struct inode_security_struct),
5502 0, SLAB_PANIC, NULL);
5505 original_ops = secondary_ops = security_ops;
5507 panic ("SELinux: No initial security operations\n");
5508 if (register_security (&selinux_ops))
5509 panic("SELinux: Unable to register with kernel.\n");
5511 if (selinux_enforcing) {
5512 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5514 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5518 /* Add security information to initial keyrings */
5519 selinux_key_alloc(&root_user_keyring, current,
5520 KEY_ALLOC_NOT_IN_QUOTA);
5521 selinux_key_alloc(&root_session_keyring, current,
5522 KEY_ALLOC_NOT_IN_QUOTA);
5528 void selinux_complete_init(void)
5530 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5532 /* Set up any superblocks initialized prior to the policy load. */
5533 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5534 spin_lock(&sb_lock);
5535 spin_lock(&sb_security_lock);
5537 if (!list_empty(&superblock_security_head)) {
5538 struct superblock_security_struct *sbsec =
5539 list_entry(superblock_security_head.next,
5540 struct superblock_security_struct,
5542 struct super_block *sb = sbsec->sb;
5544 spin_unlock(&sb_security_lock);
5545 spin_unlock(&sb_lock);
5546 down_read(&sb->s_umount);
5548 superblock_doinit(sb, NULL);
5550 spin_lock(&sb_lock);
5551 spin_lock(&sb_security_lock);
5552 list_del_init(&sbsec->list);
5555 spin_unlock(&sb_security_lock);
5556 spin_unlock(&sb_lock);
5559 /* SELinux requires early initialization in order to label
5560 all processes and objects when they are created. */
5561 security_initcall(selinux_init);
5563 #if defined(CONFIG_NETFILTER)
5565 static struct nf_hook_ops selinux_ipv4_ops[] = {
5567 .hook = selinux_ipv4_postroute,
5568 .owner = THIS_MODULE,
5570 .hooknum = NF_INET_POST_ROUTING,
5571 .priority = NF_IP_PRI_SELINUX_LAST,
5574 .hook = selinux_ipv4_forward,
5575 .owner = THIS_MODULE,
5577 .hooknum = NF_INET_FORWARD,
5578 .priority = NF_IP_PRI_SELINUX_FIRST,
5582 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5584 static struct nf_hook_ops selinux_ipv6_ops[] = {
5586 .hook = selinux_ipv6_postroute,
5587 .owner = THIS_MODULE,
5589 .hooknum = NF_INET_POST_ROUTING,
5590 .priority = NF_IP6_PRI_SELINUX_LAST,
5593 .hook = selinux_ipv6_forward,
5594 .owner = THIS_MODULE,
5596 .hooknum = NF_INET_FORWARD,
5597 .priority = NF_IP6_PRI_SELINUX_FIRST,
5603 static int __init selinux_nf_ip_init(void)
5608 if (!selinux_enabled)
5611 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5613 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5614 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5616 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5620 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5621 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5622 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5624 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5633 __initcall(selinux_nf_ip_init);
5635 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5636 static void selinux_nf_ip_exit(void)
5640 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5642 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5643 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5644 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5645 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5646 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5651 #else /* CONFIG_NETFILTER */
5653 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5654 #define selinux_nf_ip_exit()
5657 #endif /* CONFIG_NETFILTER */
5659 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5660 int selinux_disable(void)
5662 extern void exit_sel_fs(void);
5663 static int selinux_disabled = 0;
5665 if (ss_initialized) {
5666 /* Not permitted after initial policy load. */
5670 if (selinux_disabled) {
5671 /* Only do this once. */
5675 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5677 selinux_disabled = 1;
5678 selinux_enabled = 0;
5680 /* Reset security_ops to the secondary module, dummy or capability. */
5681 security_ops = secondary_ops;
5683 /* Unregister netfilter hooks. */
5684 selinux_nf_ip_exit();
5686 /* Unregister selinuxfs. */