2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
16 * Paul Moore, <paul.moore@hp.com>
18 * This program is free software; you can redistribute it and/or modify
19 * it under the terms of the GNU General Public License version 2,
20 * as published by the Free Software Foundation.
23 #include <linux/module.h>
24 #include <linux/init.h>
25 #include <linux/kernel.h>
26 #include <linux/ptrace.h>
27 #include <linux/errno.h>
28 #include <linux/sched.h>
29 #include <linux/security.h>
30 #include <linux/xattr.h>
31 #include <linux/capability.h>
32 #include <linux/unistd.h>
34 #include <linux/mman.h>
35 #include <linux/slab.h>
36 #include <linux/pagemap.h>
37 #include <linux/swap.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
50 #include <net/ip.h> /* for sysctl_local_port_range[] */
51 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/ioctls.h>
54 #include <linux/bitops.h>
55 #include <linux/interrupt.h>
56 #include <linux/netdevice.h> /* for network interface checks */
57 #include <linux/netlink.h>
58 #include <linux/tcp.h>
59 #include <linux/udp.h>
60 #include <linux/dccp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h> /* for Unix socket types */
63 #include <net/af_unix.h> /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72 #include <linux/selinux.h>
73 #include <linux/mutex.h>
81 #define XATTR_SELINUX_SUFFIX "selinux"
82 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
84 extern unsigned int policydb_loaded_version;
85 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
86 extern int selinux_compat_net;
88 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
89 int selinux_enforcing = 0;
91 static int __init enforcing_setup(char *str)
93 selinux_enforcing = simple_strtol(str,NULL,0);
96 __setup("enforcing=", enforcing_setup);
99 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
100 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
102 static int __init selinux_enabled_setup(char *str)
104 selinux_enabled = simple_strtol(str, NULL, 0);
107 __setup("selinux=", selinux_enabled_setup);
109 int selinux_enabled = 1;
112 /* Original (dummy) security module. */
113 static struct security_operations *original_ops = NULL;
115 /* Minimal support for a secondary security module,
116 just to allow the use of the dummy or capability modules.
117 The owlsm module can alternatively be used as a secondary
118 module as long as CONFIG_OWLSM_FD is not enabled. */
119 static struct security_operations *secondary_ops = NULL;
121 /* Lists of inode and superblock security structures initialized
122 before the policy was loaded. */
123 static LIST_HEAD(superblock_security_head);
124 static DEFINE_SPINLOCK(sb_security_lock);
126 static struct kmem_cache *sel_inode_cache;
128 /* Return security context for a given sid or just the context
129 length if the buffer is null or length is 0 */
130 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
136 rc = security_sid_to_context(sid, &context, &len);
140 if (!buffer || !size)
141 goto getsecurity_exit;
145 goto getsecurity_exit;
147 memcpy(buffer, context, len);
154 /* Allocate and free functions for each kind of security blob. */
156 static int task_alloc_security(struct task_struct *task)
158 struct task_security_struct *tsec;
160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
165 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166 task->security = tsec;
171 static void task_free_security(struct task_struct *task)
173 struct task_security_struct *tsec = task->security;
174 task->security = NULL;
178 static int inode_alloc_security(struct inode *inode)
180 struct task_security_struct *tsec = current->security;
181 struct inode_security_struct *isec;
183 isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
187 mutex_init(&isec->lock);
188 INIT_LIST_HEAD(&isec->list);
190 isec->sid = SECINITSID_UNLABELED;
191 isec->sclass = SECCLASS_FILE;
192 isec->task_sid = tsec->sid;
193 inode->i_security = isec;
198 static void inode_free_security(struct inode *inode)
200 struct inode_security_struct *isec = inode->i_security;
201 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
203 spin_lock(&sbsec->isec_lock);
204 if (!list_empty(&isec->list))
205 list_del_init(&isec->list);
206 spin_unlock(&sbsec->isec_lock);
208 inode->i_security = NULL;
209 kmem_cache_free(sel_inode_cache, isec);
212 static int file_alloc_security(struct file *file)
214 struct task_security_struct *tsec = current->security;
215 struct file_security_struct *fsec;
217 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
222 fsec->sid = tsec->sid;
223 fsec->fown_sid = tsec->sid;
224 file->f_security = fsec;
229 static void file_free_security(struct file *file)
231 struct file_security_struct *fsec = file->f_security;
232 file->f_security = NULL;
236 static int superblock_alloc_security(struct super_block *sb)
238 struct superblock_security_struct *sbsec;
240 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
244 mutex_init(&sbsec->lock);
245 INIT_LIST_HEAD(&sbsec->list);
246 INIT_LIST_HEAD(&sbsec->isec_head);
247 spin_lock_init(&sbsec->isec_lock);
249 sbsec->sid = SECINITSID_UNLABELED;
250 sbsec->def_sid = SECINITSID_FILE;
251 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
252 sb->s_security = sbsec;
257 static void superblock_free_security(struct super_block *sb)
259 struct superblock_security_struct *sbsec = sb->s_security;
261 spin_lock(&sb_security_lock);
262 if (!list_empty(&sbsec->list))
263 list_del_init(&sbsec->list);
264 spin_unlock(&sb_security_lock);
266 sb->s_security = NULL;
270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
272 struct sk_security_struct *ssec;
274 ssec = kzalloc(sizeof(*ssec), priority);
279 ssec->peer_sid = SECINITSID_UNLABELED;
280 ssec->sid = SECINITSID_UNLABELED;
281 sk->sk_security = ssec;
283 selinux_netlbl_sk_security_init(ssec, family);
288 static void sk_free_security(struct sock *sk)
290 struct sk_security_struct *ssec = sk->sk_security;
292 sk->sk_security = NULL;
296 /* The security server must be initialized before
297 any labeling or access decisions can be provided. */
298 extern int ss_initialized;
300 /* The file system's label must be initialized prior to use. */
302 static char *labeling_behaviors[6] = {
304 "uses transition SIDs",
306 "uses genfs_contexts",
307 "not configured for labeling",
308 "uses mountpoint labeling",
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313 static inline int inode_doinit(struct inode *inode)
315 return inode_doinit_with_dentry(inode, NULL);
325 static match_table_t tokens = {
326 {Opt_context, "context=%s"},
327 {Opt_fscontext, "fscontext=%s"},
328 {Opt_defcontext, "defcontext=%s"},
329 {Opt_rootcontext, "rootcontext=%s"},
332 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
334 static int may_context_mount_sb_relabel(u32 sid,
335 struct superblock_security_struct *sbsec,
336 struct task_security_struct *tsec)
340 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
341 FILESYSTEM__RELABELFROM, NULL);
345 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
346 FILESYSTEM__RELABELTO, NULL);
350 static int may_context_mount_inode_relabel(u32 sid,
351 struct superblock_security_struct *sbsec,
352 struct task_security_struct *tsec)
355 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
356 FILESYSTEM__RELABELFROM, NULL);
360 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
361 FILESYSTEM__ASSOCIATE, NULL);
365 static int try_context_mount(struct super_block *sb, void *data)
367 char *context = NULL, *defcontext = NULL;
368 char *fscontext = NULL, *rootcontext = NULL;
371 int alloc = 0, rc = 0, seen = 0;
372 struct task_security_struct *tsec = current->security;
373 struct superblock_security_struct *sbsec = sb->s_security;
378 name = sb->s_type->name;
380 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
382 /* NFS we understand. */
383 if (!strcmp(name, "nfs")) {
384 struct nfs_mount_data *d = data;
386 if (d->version < NFS_MOUNT_VERSION)
390 context = d->context;
397 /* Standard string-based options. */
398 char *p, *options = data;
400 while ((p = strsep(&options, "|")) != NULL) {
402 substring_t args[MAX_OPT_ARGS];
407 token = match_token(p, tokens, args);
411 if (seen & (Opt_context|Opt_defcontext)) {
413 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
416 context = match_strdup(&args[0]);
427 if (seen & Opt_fscontext) {
429 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
432 fscontext = match_strdup(&args[0]);
439 seen |= Opt_fscontext;
442 case Opt_rootcontext:
443 if (seen & Opt_rootcontext) {
445 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
448 rootcontext = match_strdup(&args[0]);
455 seen |= Opt_rootcontext;
459 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
461 printk(KERN_WARNING "SELinux: "
462 "defcontext option is invalid "
463 "for this filesystem type\n");
466 if (seen & (Opt_context|Opt_defcontext)) {
468 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
471 defcontext = match_strdup(&args[0]);
478 seen |= Opt_defcontext;
483 printk(KERN_WARNING "SELinux: unknown mount "
494 /* sets the context of the superblock for the fs being mounted. */
496 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
498 printk(KERN_WARNING "SELinux: security_context_to_sid"
499 "(%s) failed for (dev %s, type %s) errno=%d\n",
500 fscontext, sb->s_id, name, rc);
504 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
512 * Switch to using mount point labeling behavior.
513 * sets the label used on all file below the mountpoint, and will set
514 * the superblock context if not already set.
517 rc = security_context_to_sid(context, strlen(context), &sid);
519 printk(KERN_WARNING "SELinux: security_context_to_sid"
520 "(%s) failed for (dev %s, type %s) errno=%d\n",
521 context, sb->s_id, name, rc);
526 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
531 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
535 sbsec->mntpoint_sid = sid;
537 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
541 struct inode *inode = sb->s_root->d_inode;
542 struct inode_security_struct *isec = inode->i_security;
543 rc = security_context_to_sid(rootcontext, strlen(rootcontext), &sid);
545 printk(KERN_WARNING "SELinux: security_context_to_sid"
546 "(%s) failed for (dev %s, type %s) errno=%d\n",
547 rootcontext, sb->s_id, name, rc);
551 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
556 isec->initialized = 1;
560 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
562 printk(KERN_WARNING "SELinux: security_context_to_sid"
563 "(%s) failed for (dev %s, type %s) errno=%d\n",
564 defcontext, sb->s_id, name, rc);
568 if (sid == sbsec->def_sid)
571 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
575 sbsec->def_sid = sid;
589 static int superblock_doinit(struct super_block *sb, void *data)
591 struct superblock_security_struct *sbsec = sb->s_security;
592 struct dentry *root = sb->s_root;
593 struct inode *inode = root->d_inode;
596 mutex_lock(&sbsec->lock);
597 if (sbsec->initialized)
600 if (!ss_initialized) {
601 /* Defer initialization until selinux_complete_init,
602 after the initial policy is loaded and the security
603 server is ready to handle calls. */
604 spin_lock(&sb_security_lock);
605 if (list_empty(&sbsec->list))
606 list_add(&sbsec->list, &superblock_security_head);
607 spin_unlock(&sb_security_lock);
611 /* Determine the labeling behavior to use for this filesystem type. */
612 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
614 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
615 __FUNCTION__, sb->s_type->name, rc);
619 rc = try_context_mount(sb, data);
623 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
624 /* Make sure that the xattr handler exists and that no
625 error other than -ENODATA is returned by getxattr on
626 the root directory. -ENODATA is ok, as this may be
627 the first boot of the SELinux kernel before we have
628 assigned xattr values to the filesystem. */
629 if (!inode->i_op->getxattr) {
630 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
631 "xattr support\n", sb->s_id, sb->s_type->name);
635 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
636 if (rc < 0 && rc != -ENODATA) {
637 if (rc == -EOPNOTSUPP)
638 printk(KERN_WARNING "SELinux: (dev %s, type "
639 "%s) has no security xattr handler\n",
640 sb->s_id, sb->s_type->name);
642 printk(KERN_WARNING "SELinux: (dev %s, type "
643 "%s) getxattr errno %d\n", sb->s_id,
644 sb->s_type->name, -rc);
649 if (strcmp(sb->s_type->name, "proc") == 0)
652 sbsec->initialized = 1;
654 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
655 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
656 sb->s_id, sb->s_type->name);
659 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
660 sb->s_id, sb->s_type->name,
661 labeling_behaviors[sbsec->behavior-1]);
664 /* Initialize the root inode. */
665 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
667 /* Initialize any other inodes associated with the superblock, e.g.
668 inodes created prior to initial policy load or inodes created
669 during get_sb by a pseudo filesystem that directly
671 spin_lock(&sbsec->isec_lock);
673 if (!list_empty(&sbsec->isec_head)) {
674 struct inode_security_struct *isec =
675 list_entry(sbsec->isec_head.next,
676 struct inode_security_struct, list);
677 struct inode *inode = isec->inode;
678 spin_unlock(&sbsec->isec_lock);
679 inode = igrab(inode);
681 if (!IS_PRIVATE (inode))
685 spin_lock(&sbsec->isec_lock);
686 list_del_init(&isec->list);
689 spin_unlock(&sbsec->isec_lock);
691 mutex_unlock(&sbsec->lock);
695 static inline u16 inode_mode_to_security_class(umode_t mode)
697 switch (mode & S_IFMT) {
699 return SECCLASS_SOCK_FILE;
701 return SECCLASS_LNK_FILE;
703 return SECCLASS_FILE;
705 return SECCLASS_BLK_FILE;
709 return SECCLASS_CHR_FILE;
711 return SECCLASS_FIFO_FILE;
715 return SECCLASS_FILE;
718 static inline int default_protocol_stream(int protocol)
720 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
723 static inline int default_protocol_dgram(int protocol)
725 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
728 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
735 return SECCLASS_UNIX_STREAM_SOCKET;
737 return SECCLASS_UNIX_DGRAM_SOCKET;
744 if (default_protocol_stream(protocol))
745 return SECCLASS_TCP_SOCKET;
747 return SECCLASS_RAWIP_SOCKET;
749 if (default_protocol_dgram(protocol))
750 return SECCLASS_UDP_SOCKET;
752 return SECCLASS_RAWIP_SOCKET;
754 return SECCLASS_DCCP_SOCKET;
756 return SECCLASS_RAWIP_SOCKET;
762 return SECCLASS_NETLINK_ROUTE_SOCKET;
763 case NETLINK_FIREWALL:
764 return SECCLASS_NETLINK_FIREWALL_SOCKET;
765 case NETLINK_INET_DIAG:
766 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
768 return SECCLASS_NETLINK_NFLOG_SOCKET;
770 return SECCLASS_NETLINK_XFRM_SOCKET;
771 case NETLINK_SELINUX:
772 return SECCLASS_NETLINK_SELINUX_SOCKET;
774 return SECCLASS_NETLINK_AUDIT_SOCKET;
776 return SECCLASS_NETLINK_IP6FW_SOCKET;
777 case NETLINK_DNRTMSG:
778 return SECCLASS_NETLINK_DNRT_SOCKET;
779 case NETLINK_KOBJECT_UEVENT:
780 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
782 return SECCLASS_NETLINK_SOCKET;
785 return SECCLASS_PACKET_SOCKET;
787 return SECCLASS_KEY_SOCKET;
789 return SECCLASS_APPLETALK_SOCKET;
792 return SECCLASS_SOCKET;
795 #ifdef CONFIG_PROC_FS
796 static int selinux_proc_get_sid(struct proc_dir_entry *de,
801 char *buffer, *path, *end;
803 buffer = (char*)__get_free_page(GFP_KERNEL);
813 while (de && de != de->parent) {
814 buflen -= de->namelen + 1;
818 memcpy(end, de->name, de->namelen);
823 rc = security_genfs_sid("proc", path, tclass, sid);
824 free_page((unsigned long)buffer);
828 static int selinux_proc_get_sid(struct proc_dir_entry *de,
836 /* The inode's security attributes must be initialized before first use. */
837 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
839 struct superblock_security_struct *sbsec = NULL;
840 struct inode_security_struct *isec = inode->i_security;
842 struct dentry *dentry;
843 #define INITCONTEXTLEN 255
844 char *context = NULL;
848 if (isec->initialized)
851 mutex_lock(&isec->lock);
852 if (isec->initialized)
855 sbsec = inode->i_sb->s_security;
856 if (!sbsec->initialized) {
857 /* Defer initialization until selinux_complete_init,
858 after the initial policy is loaded and the security
859 server is ready to handle calls. */
860 spin_lock(&sbsec->isec_lock);
861 if (list_empty(&isec->list))
862 list_add(&isec->list, &sbsec->isec_head);
863 spin_unlock(&sbsec->isec_lock);
867 switch (sbsec->behavior) {
868 case SECURITY_FS_USE_XATTR:
869 if (!inode->i_op->getxattr) {
870 isec->sid = sbsec->def_sid;
874 /* Need a dentry, since the xattr API requires one.
875 Life would be simpler if we could just pass the inode. */
877 /* Called from d_instantiate or d_splice_alias. */
878 dentry = dget(opt_dentry);
880 /* Called from selinux_complete_init, try to find a dentry. */
881 dentry = d_find_alias(inode);
884 printk(KERN_WARNING "%s: no dentry for dev=%s "
885 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
890 len = INITCONTEXTLEN;
891 context = kmalloc(len, GFP_KERNEL);
897 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
900 /* Need a larger buffer. Query for the right size. */
901 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
909 context = kmalloc(len, GFP_KERNEL);
915 rc = inode->i_op->getxattr(dentry,
921 if (rc != -ENODATA) {
922 printk(KERN_WARNING "%s: getxattr returned "
923 "%d for dev=%s ino=%ld\n", __FUNCTION__,
924 -rc, inode->i_sb->s_id, inode->i_ino);
928 /* Map ENODATA to the default file SID */
929 sid = sbsec->def_sid;
932 rc = security_context_to_sid_default(context, rc, &sid,
935 printk(KERN_WARNING "%s: context_to_sid(%s) "
936 "returned %d for dev=%s ino=%ld\n",
937 __FUNCTION__, context, -rc,
938 inode->i_sb->s_id, inode->i_ino);
940 /* Leave with the unlabeled SID */
948 case SECURITY_FS_USE_TASK:
949 isec->sid = isec->task_sid;
951 case SECURITY_FS_USE_TRANS:
952 /* Default to the fs SID. */
953 isec->sid = sbsec->sid;
955 /* Try to obtain a transition SID. */
956 isec->sclass = inode_mode_to_security_class(inode->i_mode);
957 rc = security_transition_sid(isec->task_sid,
965 case SECURITY_FS_USE_MNTPOINT:
966 isec->sid = sbsec->mntpoint_sid;
969 /* Default to the fs superblock SID. */
970 isec->sid = sbsec->sid;
973 struct proc_inode *proci = PROC_I(inode);
975 isec->sclass = inode_mode_to_security_class(inode->i_mode);
976 rc = selinux_proc_get_sid(proci->pde,
987 isec->initialized = 1;
990 mutex_unlock(&isec->lock);
992 if (isec->sclass == SECCLASS_FILE)
993 isec->sclass = inode_mode_to_security_class(inode->i_mode);
997 /* Convert a Linux signal to an access vector. */
998 static inline u32 signal_to_av(int sig)
1004 /* Commonly granted from child to parent. */
1005 perm = PROCESS__SIGCHLD;
1008 /* Cannot be caught or ignored */
1009 perm = PROCESS__SIGKILL;
1012 /* Cannot be caught or ignored */
1013 perm = PROCESS__SIGSTOP;
1016 /* All other signals. */
1017 perm = PROCESS__SIGNAL;
1024 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1025 fork check, ptrace check, etc. */
1026 static int task_has_perm(struct task_struct *tsk1,
1027 struct task_struct *tsk2,
1030 struct task_security_struct *tsec1, *tsec2;
1032 tsec1 = tsk1->security;
1033 tsec2 = tsk2->security;
1034 return avc_has_perm(tsec1->sid, tsec2->sid,
1035 SECCLASS_PROCESS, perms, NULL);
1038 /* Check whether a task is allowed to use a capability. */
1039 static int task_has_capability(struct task_struct *tsk,
1042 struct task_security_struct *tsec;
1043 struct avc_audit_data ad;
1045 tsec = tsk->security;
1047 AVC_AUDIT_DATA_INIT(&ad,CAP);
1051 return avc_has_perm(tsec->sid, tsec->sid,
1052 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1055 /* Check whether a task is allowed to use a system operation. */
1056 static int task_has_system(struct task_struct *tsk,
1059 struct task_security_struct *tsec;
1061 tsec = tsk->security;
1063 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1064 SECCLASS_SYSTEM, perms, NULL);
1067 /* Check whether a task has a particular permission to an inode.
1068 The 'adp' parameter is optional and allows other audit
1069 data to be passed (e.g. the dentry). */
1070 static int inode_has_perm(struct task_struct *tsk,
1071 struct inode *inode,
1073 struct avc_audit_data *adp)
1075 struct task_security_struct *tsec;
1076 struct inode_security_struct *isec;
1077 struct avc_audit_data ad;
1079 if (unlikely (IS_PRIVATE (inode)))
1082 tsec = tsk->security;
1083 isec = inode->i_security;
1087 AVC_AUDIT_DATA_INIT(&ad, FS);
1088 ad.u.fs.inode = inode;
1091 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1094 /* Same as inode_has_perm, but pass explicit audit data containing
1095 the dentry to help the auditing code to more easily generate the
1096 pathname if needed. */
1097 static inline int dentry_has_perm(struct task_struct *tsk,
1098 struct vfsmount *mnt,
1099 struct dentry *dentry,
1102 struct inode *inode = dentry->d_inode;
1103 struct avc_audit_data ad;
1104 AVC_AUDIT_DATA_INIT(&ad,FS);
1106 ad.u.fs.dentry = dentry;
1107 return inode_has_perm(tsk, inode, av, &ad);
1110 /* Check whether a task can use an open file descriptor to
1111 access an inode in a given way. Check access to the
1112 descriptor itself, and then use dentry_has_perm to
1113 check a particular permission to the file.
1114 Access to the descriptor is implicitly granted if it
1115 has the same SID as the process. If av is zero, then
1116 access to the file is not checked, e.g. for cases
1117 where only the descriptor is affected like seek. */
1118 static int file_has_perm(struct task_struct *tsk,
1122 struct task_security_struct *tsec = tsk->security;
1123 struct file_security_struct *fsec = file->f_security;
1124 struct vfsmount *mnt = file->f_path.mnt;
1125 struct dentry *dentry = file->f_path.dentry;
1126 struct inode *inode = dentry->d_inode;
1127 struct avc_audit_data ad;
1130 AVC_AUDIT_DATA_INIT(&ad, FS);
1132 ad.u.fs.dentry = dentry;
1134 if (tsec->sid != fsec->sid) {
1135 rc = avc_has_perm(tsec->sid, fsec->sid,
1143 /* av is zero if only checking access to the descriptor. */
1145 return inode_has_perm(tsk, inode, av, &ad);
1150 /* Check whether a task can create a file. */
1151 static int may_create(struct inode *dir,
1152 struct dentry *dentry,
1155 struct task_security_struct *tsec;
1156 struct inode_security_struct *dsec;
1157 struct superblock_security_struct *sbsec;
1159 struct avc_audit_data ad;
1162 tsec = current->security;
1163 dsec = dir->i_security;
1164 sbsec = dir->i_sb->s_security;
1166 AVC_AUDIT_DATA_INIT(&ad, FS);
1167 ad.u.fs.dentry = dentry;
1169 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1170 DIR__ADD_NAME | DIR__SEARCH,
1175 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1176 newsid = tsec->create_sid;
1178 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1184 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1188 return avc_has_perm(newsid, sbsec->sid,
1189 SECCLASS_FILESYSTEM,
1190 FILESYSTEM__ASSOCIATE, &ad);
1193 /* Check whether a task can create a key. */
1194 static int may_create_key(u32 ksid,
1195 struct task_struct *ctx)
1197 struct task_security_struct *tsec;
1199 tsec = ctx->security;
1201 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1205 #define MAY_UNLINK 1
1208 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1209 static int may_link(struct inode *dir,
1210 struct dentry *dentry,
1214 struct task_security_struct *tsec;
1215 struct inode_security_struct *dsec, *isec;
1216 struct avc_audit_data ad;
1220 tsec = current->security;
1221 dsec = dir->i_security;
1222 isec = dentry->d_inode->i_security;
1224 AVC_AUDIT_DATA_INIT(&ad, FS);
1225 ad.u.fs.dentry = dentry;
1228 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1229 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1244 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1248 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1252 static inline int may_rename(struct inode *old_dir,
1253 struct dentry *old_dentry,
1254 struct inode *new_dir,
1255 struct dentry *new_dentry)
1257 struct task_security_struct *tsec;
1258 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1259 struct avc_audit_data ad;
1261 int old_is_dir, new_is_dir;
1264 tsec = current->security;
1265 old_dsec = old_dir->i_security;
1266 old_isec = old_dentry->d_inode->i_security;
1267 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1268 new_dsec = new_dir->i_security;
1270 AVC_AUDIT_DATA_INIT(&ad, FS);
1272 ad.u.fs.dentry = old_dentry;
1273 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1274 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1277 rc = avc_has_perm(tsec->sid, old_isec->sid,
1278 old_isec->sclass, FILE__RENAME, &ad);
1281 if (old_is_dir && new_dir != old_dir) {
1282 rc = avc_has_perm(tsec->sid, old_isec->sid,
1283 old_isec->sclass, DIR__REPARENT, &ad);
1288 ad.u.fs.dentry = new_dentry;
1289 av = DIR__ADD_NAME | DIR__SEARCH;
1290 if (new_dentry->d_inode)
1291 av |= DIR__REMOVE_NAME;
1292 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1295 if (new_dentry->d_inode) {
1296 new_isec = new_dentry->d_inode->i_security;
1297 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1298 rc = avc_has_perm(tsec->sid, new_isec->sid,
1300 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1308 /* Check whether a task can perform a filesystem operation. */
1309 static int superblock_has_perm(struct task_struct *tsk,
1310 struct super_block *sb,
1312 struct avc_audit_data *ad)
1314 struct task_security_struct *tsec;
1315 struct superblock_security_struct *sbsec;
1317 tsec = tsk->security;
1318 sbsec = sb->s_security;
1319 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1323 /* Convert a Linux mode and permission mask to an access vector. */
1324 static inline u32 file_mask_to_av(int mode, int mask)
1328 if ((mode & S_IFMT) != S_IFDIR) {
1329 if (mask & MAY_EXEC)
1330 av |= FILE__EXECUTE;
1331 if (mask & MAY_READ)
1334 if (mask & MAY_APPEND)
1336 else if (mask & MAY_WRITE)
1340 if (mask & MAY_EXEC)
1342 if (mask & MAY_WRITE)
1344 if (mask & MAY_READ)
1351 /* Convert a Linux file to an access vector. */
1352 static inline u32 file_to_av(struct file *file)
1356 if (file->f_mode & FMODE_READ)
1358 if (file->f_mode & FMODE_WRITE) {
1359 if (file->f_flags & O_APPEND)
1368 /* Hook functions begin here. */
1370 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1372 struct task_security_struct *psec = parent->security;
1373 struct task_security_struct *csec = child->security;
1376 rc = secondary_ops->ptrace(parent,child);
1380 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1381 /* Save the SID of the tracing process for later use in apply_creds. */
1382 if (!(child->ptrace & PT_PTRACED) && !rc)
1383 csec->ptrace_sid = psec->sid;
1387 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1388 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1392 error = task_has_perm(current, target, PROCESS__GETCAP);
1396 return secondary_ops->capget(target, effective, inheritable, permitted);
1399 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1400 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1404 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1408 return task_has_perm(current, target, PROCESS__SETCAP);
1411 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1412 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1414 secondary_ops->capset_set(target, effective, inheritable, permitted);
1417 static int selinux_capable(struct task_struct *tsk, int cap)
1421 rc = secondary_ops->capable(tsk, cap);
1425 return task_has_capability(tsk,cap);
1428 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1431 char *buffer, *path, *end;
1434 buffer = (char*)__get_free_page(GFP_KERNEL);
1439 end = buffer+buflen;
1445 const char *name = table->procname;
1446 size_t namelen = strlen(name);
1447 buflen -= namelen + 1;
1451 memcpy(end, name, namelen);
1454 table = table->parent;
1460 memcpy(end, "/sys", 4);
1462 rc = security_genfs_sid("proc", path, tclass, sid);
1464 free_page((unsigned long)buffer);
1469 static int selinux_sysctl(ctl_table *table, int op)
1473 struct task_security_struct *tsec;
1477 rc = secondary_ops->sysctl(table, op);
1481 tsec = current->security;
1483 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1484 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1486 /* Default to the well-defined sysctl SID. */
1487 tsid = SECINITSID_SYSCTL;
1490 /* The op values are "defined" in sysctl.c, thereby creating
1491 * a bad coupling between this module and sysctl.c */
1493 error = avc_has_perm(tsec->sid, tsid,
1494 SECCLASS_DIR, DIR__SEARCH, NULL);
1502 error = avc_has_perm(tsec->sid, tsid,
1503 SECCLASS_FILE, av, NULL);
1509 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1522 rc = superblock_has_perm(current,
1524 FILESYSTEM__QUOTAMOD, NULL);
1529 rc = superblock_has_perm(current,
1531 FILESYSTEM__QUOTAGET, NULL);
1534 rc = 0; /* let the kernel handle invalid cmds */
1540 static int selinux_quota_on(struct dentry *dentry)
1542 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1545 static int selinux_syslog(int type)
1549 rc = secondary_ops->syslog(type);
1554 case 3: /* Read last kernel messages */
1555 case 10: /* Return size of the log buffer */
1556 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1558 case 6: /* Disable logging to console */
1559 case 7: /* Enable logging to console */
1560 case 8: /* Set level of messages printed to console */
1561 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1563 case 0: /* Close log */
1564 case 1: /* Open log */
1565 case 2: /* Read from log */
1566 case 4: /* Read/clear last kernel messages */
1567 case 5: /* Clear ring buffer */
1569 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1576 * Check that a process has enough memory to allocate a new virtual
1577 * mapping. 0 means there is enough memory for the allocation to
1578 * succeed and -ENOMEM implies there is not.
1580 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1581 * if the capability is granted, but __vm_enough_memory requires 1 if
1582 * the capability is granted.
1584 * Do not audit the selinux permission check, as this is applied to all
1585 * processes that allocate mappings.
1587 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1589 int rc, cap_sys_admin = 0;
1590 struct task_security_struct *tsec = current->security;
1592 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1594 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1595 SECCLASS_CAPABILITY,
1596 CAP_TO_MASK(CAP_SYS_ADMIN),
1603 return __vm_enough_memory(mm, pages, cap_sys_admin);
1606 /* binprm security operations */
1608 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1610 struct bprm_security_struct *bsec;
1612 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1617 bsec->sid = SECINITSID_UNLABELED;
1620 bprm->security = bsec;
1624 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1626 struct task_security_struct *tsec;
1627 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1628 struct inode_security_struct *isec;
1629 struct bprm_security_struct *bsec;
1631 struct avc_audit_data ad;
1634 rc = secondary_ops->bprm_set_security(bprm);
1638 bsec = bprm->security;
1643 tsec = current->security;
1644 isec = inode->i_security;
1646 /* Default to the current task SID. */
1647 bsec->sid = tsec->sid;
1649 /* Reset fs, key, and sock SIDs on execve. */
1650 tsec->create_sid = 0;
1651 tsec->keycreate_sid = 0;
1652 tsec->sockcreate_sid = 0;
1654 if (tsec->exec_sid) {
1655 newsid = tsec->exec_sid;
1656 /* Reset exec SID on execve. */
1659 /* Check for a default transition on this program. */
1660 rc = security_transition_sid(tsec->sid, isec->sid,
1661 SECCLASS_PROCESS, &newsid);
1666 AVC_AUDIT_DATA_INIT(&ad, FS);
1667 ad.u.fs.mnt = bprm->file->f_path.mnt;
1668 ad.u.fs.dentry = bprm->file->f_path.dentry;
1670 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1673 if (tsec->sid == newsid) {
1674 rc = avc_has_perm(tsec->sid, isec->sid,
1675 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1679 /* Check permissions for the transition. */
1680 rc = avc_has_perm(tsec->sid, newsid,
1681 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1685 rc = avc_has_perm(newsid, isec->sid,
1686 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1690 /* Clear any possibly unsafe personality bits on exec: */
1691 current->personality &= ~PER_CLEAR_ON_SETID;
1693 /* Set the security field to the new SID. */
1701 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1703 return secondary_ops->bprm_check_security(bprm);
1707 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1709 struct task_security_struct *tsec = current->security;
1712 if (tsec->osid != tsec->sid) {
1713 /* Enable secure mode for SIDs transitions unless
1714 the noatsecure permission is granted between
1715 the two SIDs, i.e. ahp returns 0. */
1716 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1718 PROCESS__NOATSECURE, NULL);
1721 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1724 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1726 kfree(bprm->security);
1727 bprm->security = NULL;
1730 extern struct vfsmount *selinuxfs_mount;
1731 extern struct dentry *selinux_null;
1733 /* Derived from fs/exec.c:flush_old_files. */
1734 static inline void flush_unauthorized_files(struct files_struct * files)
1736 struct avc_audit_data ad;
1737 struct file *file, *devnull = NULL;
1738 struct tty_struct *tty;
1739 struct fdtable *fdt;
1743 mutex_lock(&tty_mutex);
1744 tty = get_current_tty();
1747 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1749 /* Revalidate access to controlling tty.
1750 Use inode_has_perm on the tty inode directly rather
1751 than using file_has_perm, as this particular open
1752 file may belong to another process and we are only
1753 interested in the inode-based check here. */
1754 struct inode *inode = file->f_path.dentry->d_inode;
1755 if (inode_has_perm(current, inode,
1756 FILE__READ | FILE__WRITE, NULL)) {
1762 mutex_unlock(&tty_mutex);
1763 /* Reset controlling tty. */
1767 /* Revalidate access to inherited open files. */
1769 AVC_AUDIT_DATA_INIT(&ad,FS);
1771 spin_lock(&files->file_lock);
1773 unsigned long set, i;
1778 fdt = files_fdtable(files);
1779 if (i >= fdt->max_fds)
1781 set = fdt->open_fds->fds_bits[j];
1784 spin_unlock(&files->file_lock);
1785 for ( ; set ; i++,set >>= 1) {
1790 if (file_has_perm(current,
1792 file_to_av(file))) {
1794 fd = get_unused_fd();
1804 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1805 if (IS_ERR(devnull)) {
1812 fd_install(fd, devnull);
1817 spin_lock(&files->file_lock);
1820 spin_unlock(&files->file_lock);
1823 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1825 struct task_security_struct *tsec;
1826 struct bprm_security_struct *bsec;
1830 secondary_ops->bprm_apply_creds(bprm, unsafe);
1832 tsec = current->security;
1834 bsec = bprm->security;
1837 tsec->osid = tsec->sid;
1839 if (tsec->sid != sid) {
1840 /* Check for shared state. If not ok, leave SID
1841 unchanged and kill. */
1842 if (unsafe & LSM_UNSAFE_SHARE) {
1843 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1844 PROCESS__SHARE, NULL);
1851 /* Check for ptracing, and update the task SID if ok.
1852 Otherwise, leave SID unchanged and kill. */
1853 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1854 rc = avc_has_perm(tsec->ptrace_sid, sid,
1855 SECCLASS_PROCESS, PROCESS__PTRACE,
1867 * called after apply_creds without the task lock held
1869 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1871 struct task_security_struct *tsec;
1872 struct rlimit *rlim, *initrlim;
1873 struct itimerval itimer;
1874 struct bprm_security_struct *bsec;
1877 tsec = current->security;
1878 bsec = bprm->security;
1881 force_sig_specific(SIGKILL, current);
1884 if (tsec->osid == tsec->sid)
1887 /* Close files for which the new task SID is not authorized. */
1888 flush_unauthorized_files(current->files);
1890 /* Check whether the new SID can inherit signal state
1891 from the old SID. If not, clear itimers to avoid
1892 subsequent signal generation and flush and unblock
1893 signals. This must occur _after_ the task SID has
1894 been updated so that any kill done after the flush
1895 will be checked against the new SID. */
1896 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1897 PROCESS__SIGINH, NULL);
1899 memset(&itimer, 0, sizeof itimer);
1900 for (i = 0; i < 3; i++)
1901 do_setitimer(i, &itimer, NULL);
1902 flush_signals(current);
1903 spin_lock_irq(¤t->sighand->siglock);
1904 flush_signal_handlers(current, 1);
1905 sigemptyset(¤t->blocked);
1906 recalc_sigpending();
1907 spin_unlock_irq(¤t->sighand->siglock);
1910 /* Always clear parent death signal on SID transitions. */
1911 current->pdeath_signal = 0;
1913 /* Check whether the new SID can inherit resource limits
1914 from the old SID. If not, reset all soft limits to
1915 the lower of the current task's hard limit and the init
1916 task's soft limit. Note that the setting of hard limits
1917 (even to lower them) can be controlled by the setrlimit
1918 check. The inclusion of the init task's soft limit into
1919 the computation is to avoid resetting soft limits higher
1920 than the default soft limit for cases where the default
1921 is lower than the hard limit, e.g. RLIMIT_CORE or
1923 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1924 PROCESS__RLIMITINH, NULL);
1926 for (i = 0; i < RLIM_NLIMITS; i++) {
1927 rlim = current->signal->rlim + i;
1928 initrlim = init_task.signal->rlim+i;
1929 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1931 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1933 * This will cause RLIMIT_CPU calculations
1936 current->it_prof_expires = jiffies_to_cputime(1);
1940 /* Wake up the parent if it is waiting so that it can
1941 recheck wait permission to the new task SID. */
1942 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
1945 /* superblock security operations */
1947 static int selinux_sb_alloc_security(struct super_block *sb)
1949 return superblock_alloc_security(sb);
1952 static void selinux_sb_free_security(struct super_block *sb)
1954 superblock_free_security(sb);
1957 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1962 return !memcmp(prefix, option, plen);
1965 static inline int selinux_option(char *option, int len)
1967 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1968 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1969 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
1970 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1973 static inline void take_option(char **to, char *from, int *first, int len)
1980 memcpy(*to, from, len);
1984 static inline void take_selinux_option(char **to, char *from, int *first,
1987 int current_size = 0;
1996 while (current_size < len) {
2006 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
2008 int fnosec, fsec, rc = 0;
2009 char *in_save, *in_curr, *in_end;
2010 char *sec_curr, *nosec_save, *nosec;
2016 /* Binary mount data: just copy */
2017 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2018 copy_page(sec_curr, in_curr);
2022 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2030 in_save = in_end = orig;
2034 open_quote = !open_quote;
2035 if ((*in_end == ',' && open_quote == 0) ||
2037 int len = in_end - in_curr;
2039 if (selinux_option(in_curr, len))
2040 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2042 take_option(&nosec, in_curr, &fnosec, len);
2044 in_curr = in_end + 1;
2046 } while (*in_end++);
2048 strcpy(in_save, nosec_save);
2049 free_page((unsigned long)nosec_save);
2054 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2056 struct avc_audit_data ad;
2059 rc = superblock_doinit(sb, data);
2063 AVC_AUDIT_DATA_INIT(&ad,FS);
2064 ad.u.fs.dentry = sb->s_root;
2065 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2068 static int selinux_sb_statfs(struct dentry *dentry)
2070 struct avc_audit_data ad;
2072 AVC_AUDIT_DATA_INIT(&ad,FS);
2073 ad.u.fs.dentry = dentry->d_sb->s_root;
2074 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2077 static int selinux_mount(char * dev_name,
2078 struct nameidata *nd,
2080 unsigned long flags,
2085 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2089 if (flags & MS_REMOUNT)
2090 return superblock_has_perm(current, nd->mnt->mnt_sb,
2091 FILESYSTEM__REMOUNT, NULL);
2093 return dentry_has_perm(current, nd->mnt, nd->dentry,
2097 static int selinux_umount(struct vfsmount *mnt, int flags)
2101 rc = secondary_ops->sb_umount(mnt, flags);
2105 return superblock_has_perm(current,mnt->mnt_sb,
2106 FILESYSTEM__UNMOUNT,NULL);
2109 /* inode security operations */
2111 static int selinux_inode_alloc_security(struct inode *inode)
2113 return inode_alloc_security(inode);
2116 static void selinux_inode_free_security(struct inode *inode)
2118 inode_free_security(inode);
2121 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2122 char **name, void **value,
2125 struct task_security_struct *tsec;
2126 struct inode_security_struct *dsec;
2127 struct superblock_security_struct *sbsec;
2130 char *namep = NULL, *context;
2132 tsec = current->security;
2133 dsec = dir->i_security;
2134 sbsec = dir->i_sb->s_security;
2136 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2137 newsid = tsec->create_sid;
2139 rc = security_transition_sid(tsec->sid, dsec->sid,
2140 inode_mode_to_security_class(inode->i_mode),
2143 printk(KERN_WARNING "%s: "
2144 "security_transition_sid failed, rc=%d (dev=%s "
2147 -rc, inode->i_sb->s_id, inode->i_ino);
2152 /* Possibly defer initialization to selinux_complete_init. */
2153 if (sbsec->initialized) {
2154 struct inode_security_struct *isec = inode->i_security;
2155 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2157 isec->initialized = 1;
2160 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2164 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2171 rc = security_sid_to_context(newsid, &context, &clen);
2183 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2185 return may_create(dir, dentry, SECCLASS_FILE);
2188 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2192 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2195 return may_link(dir, old_dentry, MAY_LINK);
2198 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2202 rc = secondary_ops->inode_unlink(dir, dentry);
2205 return may_link(dir, dentry, MAY_UNLINK);
2208 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2210 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2213 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2215 return may_create(dir, dentry, SECCLASS_DIR);
2218 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2220 return may_link(dir, dentry, MAY_RMDIR);
2223 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2227 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2231 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2234 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2235 struct inode *new_inode, struct dentry *new_dentry)
2237 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2240 static int selinux_inode_readlink(struct dentry *dentry)
2242 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2245 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2249 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2252 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2255 static int selinux_inode_permission(struct inode *inode, int mask,
2256 struct nameidata *nd)
2260 rc = secondary_ops->inode_permission(inode, mask, nd);
2265 /* No permission to check. Existence test. */
2269 return inode_has_perm(current, inode,
2270 file_mask_to_av(inode->i_mode, mask), NULL);
2273 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2277 rc = secondary_ops->inode_setattr(dentry, iattr);
2281 if (iattr->ia_valid & ATTR_FORCE)
2284 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2285 ATTR_ATIME_SET | ATTR_MTIME_SET))
2286 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2288 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2291 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2293 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2296 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2298 struct task_security_struct *tsec = current->security;
2299 struct inode *inode = dentry->d_inode;
2300 struct inode_security_struct *isec = inode->i_security;
2301 struct superblock_security_struct *sbsec;
2302 struct avc_audit_data ad;
2306 if (strcmp(name, XATTR_NAME_SELINUX)) {
2307 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2308 sizeof XATTR_SECURITY_PREFIX - 1) &&
2309 !capable(CAP_SYS_ADMIN)) {
2310 /* A different attribute in the security namespace.
2311 Restrict to administrator. */
2315 /* Not an attribute we recognize, so just check the
2316 ordinary setattr permission. */
2317 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2320 sbsec = inode->i_sb->s_security;
2321 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2324 if (!is_owner_or_cap(inode))
2327 AVC_AUDIT_DATA_INIT(&ad,FS);
2328 ad.u.fs.dentry = dentry;
2330 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2331 FILE__RELABELFROM, &ad);
2335 rc = security_context_to_sid(value, size, &newsid);
2339 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2340 FILE__RELABELTO, &ad);
2344 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2349 return avc_has_perm(newsid,
2351 SECCLASS_FILESYSTEM,
2352 FILESYSTEM__ASSOCIATE,
2356 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2357 void *value, size_t size, int flags)
2359 struct inode *inode = dentry->d_inode;
2360 struct inode_security_struct *isec = inode->i_security;
2364 if (strcmp(name, XATTR_NAME_SELINUX)) {
2365 /* Not an attribute we recognize, so nothing to do. */
2369 rc = security_context_to_sid(value, size, &newsid);
2371 printk(KERN_WARNING "%s: unable to obtain SID for context "
2372 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2380 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2382 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2385 static int selinux_inode_listxattr (struct dentry *dentry)
2387 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2390 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2392 if (strcmp(name, XATTR_NAME_SELINUX)) {
2393 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2394 sizeof XATTR_SECURITY_PREFIX - 1) &&
2395 !capable(CAP_SYS_ADMIN)) {
2396 /* A different attribute in the security namespace.
2397 Restrict to administrator. */
2401 /* Not an attribute we recognize, so just check the
2402 ordinary setattr permission. Might want a separate
2403 permission for removexattr. */
2404 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2407 /* No one is allowed to remove a SELinux security label.
2408 You can change the label, but all data must be labeled. */
2412 static const char *selinux_inode_xattr_getsuffix(void)
2414 return XATTR_SELINUX_SUFFIX;
2418 * Copy the in-core inode security context value to the user. If the
2419 * getxattr() prior to this succeeded, check to see if we need to
2420 * canonicalize the value to be finally returned to the user.
2422 * Permission check is handled by selinux_inode_getxattr hook.
2424 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2426 struct inode_security_struct *isec = inode->i_security;
2428 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2431 return selinux_getsecurity(isec->sid, buffer, size);
2434 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2435 const void *value, size_t size, int flags)
2437 struct inode_security_struct *isec = inode->i_security;
2441 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2444 if (!value || !size)
2447 rc = security_context_to_sid((void*)value, size, &newsid);
2455 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2457 const int len = sizeof(XATTR_NAME_SELINUX);
2458 if (buffer && len <= buffer_size)
2459 memcpy(buffer, XATTR_NAME_SELINUX, len);
2463 /* file security operations */
2465 static int selinux_file_permission(struct file *file, int mask)
2468 struct inode *inode = file->f_path.dentry->d_inode;
2471 /* No permission to check. Existence test. */
2475 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2476 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2479 rc = file_has_perm(current, file,
2480 file_mask_to_av(inode->i_mode, mask));
2484 return selinux_netlbl_inode_permission(inode, mask);
2487 static int selinux_file_alloc_security(struct file *file)
2489 return file_alloc_security(file);
2492 static void selinux_file_free_security(struct file *file)
2494 file_free_security(file);
2497 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2509 case EXT2_IOC_GETFLAGS:
2511 case EXT2_IOC_GETVERSION:
2512 error = file_has_perm(current, file, FILE__GETATTR);
2515 case EXT2_IOC_SETFLAGS:
2517 case EXT2_IOC_SETVERSION:
2518 error = file_has_perm(current, file, FILE__SETATTR);
2521 /* sys_ioctl() checks */
2525 error = file_has_perm(current, file, 0);
2530 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2533 /* default case assumes that the command will go
2534 * to the file's ioctl() function.
2537 error = file_has_perm(current, file, FILE__IOCTL);
2543 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2545 #ifndef CONFIG_PPC32
2546 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2548 * We are making executable an anonymous mapping or a
2549 * private file mapping that will also be writable.
2550 * This has an additional check.
2552 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2559 /* read access is always possible with a mapping */
2560 u32 av = FILE__READ;
2562 /* write access only matters if the mapping is shared */
2563 if (shared && (prot & PROT_WRITE))
2566 if (prot & PROT_EXEC)
2567 av |= FILE__EXECUTE;
2569 return file_has_perm(current, file, av);
2574 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2575 unsigned long prot, unsigned long flags,
2576 unsigned long addr, unsigned long addr_only)
2579 u32 sid = ((struct task_security_struct*)(current->security))->sid;
2581 if (addr < mmap_min_addr)
2582 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2583 MEMPROTECT__MMAP_ZERO, NULL);
2584 if (rc || addr_only)
2587 if (selinux_checkreqprot)
2590 return file_map_prot_check(file, prot,
2591 (flags & MAP_TYPE) == MAP_SHARED);
2594 static int selinux_file_mprotect(struct vm_area_struct *vma,
2595 unsigned long reqprot,
2600 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2604 if (selinux_checkreqprot)
2607 #ifndef CONFIG_PPC32
2608 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2610 if (vma->vm_start >= vma->vm_mm->start_brk &&
2611 vma->vm_end <= vma->vm_mm->brk) {
2612 rc = task_has_perm(current, current,
2614 } else if (!vma->vm_file &&
2615 vma->vm_start <= vma->vm_mm->start_stack &&
2616 vma->vm_end >= vma->vm_mm->start_stack) {
2617 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2618 } else if (vma->vm_file && vma->anon_vma) {
2620 * We are making executable a file mapping that has
2621 * had some COW done. Since pages might have been
2622 * written, check ability to execute the possibly
2623 * modified content. This typically should only
2624 * occur for text relocations.
2626 rc = file_has_perm(current, vma->vm_file,
2634 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2637 static int selinux_file_lock(struct file *file, unsigned int cmd)
2639 return file_has_perm(current, file, FILE__LOCK);
2642 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2649 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2654 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2655 err = file_has_perm(current, file,FILE__WRITE);
2664 /* Just check FD__USE permission */
2665 err = file_has_perm(current, file, 0);
2670 #if BITS_PER_LONG == 32
2675 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2679 err = file_has_perm(current, file, FILE__LOCK);
2686 static int selinux_file_set_fowner(struct file *file)
2688 struct task_security_struct *tsec;
2689 struct file_security_struct *fsec;
2691 tsec = current->security;
2692 fsec = file->f_security;
2693 fsec->fown_sid = tsec->sid;
2698 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2699 struct fown_struct *fown, int signum)
2703 struct task_security_struct *tsec;
2704 struct file_security_struct *fsec;
2706 /* struct fown_struct is never outside the context of a struct file */
2707 file = container_of(fown, struct file, f_owner);
2709 tsec = tsk->security;
2710 fsec = file->f_security;
2713 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2715 perm = signal_to_av(signum);
2717 return avc_has_perm(fsec->fown_sid, tsec->sid,
2718 SECCLASS_PROCESS, perm, NULL);
2721 static int selinux_file_receive(struct file *file)
2723 return file_has_perm(current, file, file_to_av(file));
2726 /* task security operations */
2728 static int selinux_task_create(unsigned long clone_flags)
2732 rc = secondary_ops->task_create(clone_flags);
2736 return task_has_perm(current, current, PROCESS__FORK);
2739 static int selinux_task_alloc_security(struct task_struct *tsk)
2741 struct task_security_struct *tsec1, *tsec2;
2744 tsec1 = current->security;
2746 rc = task_alloc_security(tsk);
2749 tsec2 = tsk->security;
2751 tsec2->osid = tsec1->osid;
2752 tsec2->sid = tsec1->sid;
2754 /* Retain the exec, fs, key, and sock SIDs across fork */
2755 tsec2->exec_sid = tsec1->exec_sid;
2756 tsec2->create_sid = tsec1->create_sid;
2757 tsec2->keycreate_sid = tsec1->keycreate_sid;
2758 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
2760 /* Retain ptracer SID across fork, if any.
2761 This will be reset by the ptrace hook upon any
2762 subsequent ptrace_attach operations. */
2763 tsec2->ptrace_sid = tsec1->ptrace_sid;
2768 static void selinux_task_free_security(struct task_struct *tsk)
2770 task_free_security(tsk);
2773 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2775 /* Since setuid only affects the current process, and
2776 since the SELinux controls are not based on the Linux
2777 identity attributes, SELinux does not need to control
2778 this operation. However, SELinux does control the use
2779 of the CAP_SETUID and CAP_SETGID capabilities using the
2784 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2786 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2789 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2791 /* See the comment for setuid above. */
2795 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2797 return task_has_perm(current, p, PROCESS__SETPGID);
2800 static int selinux_task_getpgid(struct task_struct *p)
2802 return task_has_perm(current, p, PROCESS__GETPGID);
2805 static int selinux_task_getsid(struct task_struct *p)
2807 return task_has_perm(current, p, PROCESS__GETSESSION);
2810 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
2812 selinux_get_task_sid(p, secid);
2815 static int selinux_task_setgroups(struct group_info *group_info)
2817 /* See the comment for setuid above. */
2821 static int selinux_task_setnice(struct task_struct *p, int nice)
2825 rc = secondary_ops->task_setnice(p, nice);
2829 return task_has_perm(current,p, PROCESS__SETSCHED);
2832 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
2834 return task_has_perm(current, p, PROCESS__SETSCHED);
2837 static int selinux_task_getioprio(struct task_struct *p)
2839 return task_has_perm(current, p, PROCESS__GETSCHED);
2842 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2844 struct rlimit *old_rlim = current->signal->rlim + resource;
2847 rc = secondary_ops->task_setrlimit(resource, new_rlim);
2851 /* Control the ability to change the hard limit (whether
2852 lowering or raising it), so that the hard limit can
2853 later be used as a safe reset point for the soft limit
2854 upon context transitions. See selinux_bprm_apply_creds. */
2855 if (old_rlim->rlim_max != new_rlim->rlim_max)
2856 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2861 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2863 return task_has_perm(current, p, PROCESS__SETSCHED);
2866 static int selinux_task_getscheduler(struct task_struct *p)
2868 return task_has_perm(current, p, PROCESS__GETSCHED);
2871 static int selinux_task_movememory(struct task_struct *p)
2873 return task_has_perm(current, p, PROCESS__SETSCHED);
2876 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
2881 struct task_security_struct *tsec;
2883 rc = secondary_ops->task_kill(p, info, sig, secid);
2887 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2891 perm = PROCESS__SIGNULL; /* null signal; existence test */
2893 perm = signal_to_av(sig);
2896 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
2898 rc = task_has_perm(current, p, perm);
2902 static int selinux_task_prctl(int option,
2908 /* The current prctl operations do not appear to require
2909 any SELinux controls since they merely observe or modify
2910 the state of the current process. */
2914 static int selinux_task_wait(struct task_struct *p)
2918 perm = signal_to_av(p->exit_signal);
2920 return task_has_perm(p, current, perm);
2923 static void selinux_task_reparent_to_init(struct task_struct *p)
2925 struct task_security_struct *tsec;
2927 secondary_ops->task_reparent_to_init(p);
2930 tsec->osid = tsec->sid;
2931 tsec->sid = SECINITSID_KERNEL;
2935 static void selinux_task_to_inode(struct task_struct *p,
2936 struct inode *inode)
2938 struct task_security_struct *tsec = p->security;
2939 struct inode_security_struct *isec = inode->i_security;
2941 isec->sid = tsec->sid;
2942 isec->initialized = 1;
2946 /* Returns error only if unable to parse addresses */
2947 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
2948 struct avc_audit_data *ad, u8 *proto)
2950 int offset, ihlen, ret = -EINVAL;
2951 struct iphdr _iph, *ih;
2953 offset = skb_network_offset(skb);
2954 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2958 ihlen = ih->ihl * 4;
2959 if (ihlen < sizeof(_iph))
2962 ad->u.net.v4info.saddr = ih->saddr;
2963 ad->u.net.v4info.daddr = ih->daddr;
2967 *proto = ih->protocol;
2969 switch (ih->protocol) {
2971 struct tcphdr _tcph, *th;
2973 if (ntohs(ih->frag_off) & IP_OFFSET)
2977 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2981 ad->u.net.sport = th->source;
2982 ad->u.net.dport = th->dest;
2987 struct udphdr _udph, *uh;
2989 if (ntohs(ih->frag_off) & IP_OFFSET)
2993 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2997 ad->u.net.sport = uh->source;
2998 ad->u.net.dport = uh->dest;
3002 case IPPROTO_DCCP: {
3003 struct dccp_hdr _dccph, *dh;
3005 if (ntohs(ih->frag_off) & IP_OFFSET)
3009 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3013 ad->u.net.sport = dh->dccph_sport;
3014 ad->u.net.dport = dh->dccph_dport;
3025 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3027 /* Returns error only if unable to parse addresses */
3028 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3029 struct avc_audit_data *ad, u8 *proto)
3032 int ret = -EINVAL, offset;
3033 struct ipv6hdr _ipv6h, *ip6;
3035 offset = skb_network_offset(skb);
3036 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3040 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3041 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3044 nexthdr = ip6->nexthdr;
3045 offset += sizeof(_ipv6h);
3046 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3055 struct tcphdr _tcph, *th;
3057 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3061 ad->u.net.sport = th->source;
3062 ad->u.net.dport = th->dest;
3067 struct udphdr _udph, *uh;
3069 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3073 ad->u.net.sport = uh->source;
3074 ad->u.net.dport = uh->dest;
3078 case IPPROTO_DCCP: {
3079 struct dccp_hdr _dccph, *dh;
3081 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3085 ad->u.net.sport = dh->dccph_sport;
3086 ad->u.net.dport = dh->dccph_dport;
3090 /* includes fragments */
3100 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3101 char **addrp, int *len, int src, u8 *proto)
3105 switch (ad->u.net.family) {
3107 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3111 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3112 &ad->u.net.v4info.daddr);
3115 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3117 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3121 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3122 &ad->u.net.v6info.daddr);
3133 * selinux_skb_extlbl_sid - Determine the external label of a packet
3135 * @sid: the packet's SID
3138 * Check the various different forms of external packet labeling and determine
3139 * the external SID for the packet. If only one form of external labeling is
3140 * present then it is used, if both labeled IPsec and NetLabel labels are
3141 * present then the SELinux type information is taken from the labeled IPsec
3142 * SA and the MLS sensitivity label information is taken from the NetLabel
3143 * security attributes. This bit of "magic" is done in the call to
3144 * selinux_netlbl_skbuff_getsid().
3147 static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
3152 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3153 if (selinux_netlbl_skbuff_getsid(skb,
3154 (xfrm_sid == SECSID_NULL ?
3155 SECINITSID_NETMSG : xfrm_sid),
3157 nlbl_sid = SECSID_NULL;
3158 *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
3161 /* socket security operations */
3162 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3165 struct inode_security_struct *isec;
3166 struct task_security_struct *tsec;
3167 struct avc_audit_data ad;
3170 tsec = task->security;
3171 isec = SOCK_INODE(sock)->i_security;
3173 if (isec->sid == SECINITSID_KERNEL)
3176 AVC_AUDIT_DATA_INIT(&ad,NET);
3177 ad.u.net.sk = sock->sk;
3178 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3184 static int selinux_socket_create(int family, int type,
3185 int protocol, int kern)
3188 struct task_security_struct *tsec;
3194 tsec = current->security;
3195 newsid = tsec->sockcreate_sid ? : tsec->sid;
3196 err = avc_has_perm(tsec->sid, newsid,
3197 socket_type_to_security_class(family, type,
3198 protocol), SOCKET__CREATE, NULL);
3204 static int selinux_socket_post_create(struct socket *sock, int family,
3205 int type, int protocol, int kern)
3208 struct inode_security_struct *isec;
3209 struct task_security_struct *tsec;
3210 struct sk_security_struct *sksec;
3213 isec = SOCK_INODE(sock)->i_security;
3215 tsec = current->security;
3216 newsid = tsec->sockcreate_sid ? : tsec->sid;
3217 isec->sclass = socket_type_to_security_class(family, type, protocol);
3218 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3219 isec->initialized = 1;
3222 sksec = sock->sk->sk_security;
3223 sksec->sid = isec->sid;
3224 err = selinux_netlbl_socket_post_create(sock);
3230 /* Range of port numbers used to automatically bind.
3231 Need to determine whether we should perform a name_bind
3232 permission check between the socket and the port number. */
3233 #define ip_local_port_range_0 sysctl_local_port_range[0]
3234 #define ip_local_port_range_1 sysctl_local_port_range[1]
3236 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3241 err = socket_has_perm(current, sock, SOCKET__BIND);
3246 * If PF_INET or PF_INET6, check name_bind permission for the port.
3247 * Multiple address binding for SCTP is not supported yet: we just
3248 * check the first address now.
3250 family = sock->sk->sk_family;
3251 if (family == PF_INET || family == PF_INET6) {
3253 struct inode_security_struct *isec;
3254 struct task_security_struct *tsec;
3255 struct avc_audit_data ad;
3256 struct sockaddr_in *addr4 = NULL;
3257 struct sockaddr_in6 *addr6 = NULL;
3258 unsigned short snum;
3259 struct sock *sk = sock->sk;
3260 u32 sid, node_perm, addrlen;
3262 tsec = current->security;
3263 isec = SOCK_INODE(sock)->i_security;
3265 if (family == PF_INET) {
3266 addr4 = (struct sockaddr_in *)address;
3267 snum = ntohs(addr4->sin_port);
3268 addrlen = sizeof(addr4->sin_addr.s_addr);
3269 addrp = (char *)&addr4->sin_addr.s_addr;
3271 addr6 = (struct sockaddr_in6 *)address;
3272 snum = ntohs(addr6->sin6_port);
3273 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3274 addrp = (char *)&addr6->sin6_addr.s6_addr;
3277 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3278 snum > ip_local_port_range_1)) {
3279 err = security_port_sid(sk->sk_family, sk->sk_type,
3280 sk->sk_protocol, snum, &sid);
3283 AVC_AUDIT_DATA_INIT(&ad,NET);
3284 ad.u.net.sport = htons(snum);
3285 ad.u.net.family = family;
3286 err = avc_has_perm(isec->sid, sid,
3288 SOCKET__NAME_BIND, &ad);
3293 switch(isec->sclass) {
3294 case SECCLASS_TCP_SOCKET:
3295 node_perm = TCP_SOCKET__NODE_BIND;
3298 case SECCLASS_UDP_SOCKET:
3299 node_perm = UDP_SOCKET__NODE_BIND;
3302 case SECCLASS_DCCP_SOCKET:
3303 node_perm = DCCP_SOCKET__NODE_BIND;
3307 node_perm = RAWIP_SOCKET__NODE_BIND;
3311 err = security_node_sid(family, addrp, addrlen, &sid);
3315 AVC_AUDIT_DATA_INIT(&ad,NET);
3316 ad.u.net.sport = htons(snum);
3317 ad.u.net.family = family;
3319 if (family == PF_INET)
3320 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3322 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3324 err = avc_has_perm(isec->sid, sid,
3325 isec->sclass, node_perm, &ad);
3333 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3335 struct inode_security_struct *isec;
3338 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3343 * If a TCP or DCCP socket, check name_connect permission for the port.
3345 isec = SOCK_INODE(sock)->i_security;
3346 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3347 isec->sclass == SECCLASS_DCCP_SOCKET) {
3348 struct sock *sk = sock->sk;
3349 struct avc_audit_data ad;
3350 struct sockaddr_in *addr4 = NULL;
3351 struct sockaddr_in6 *addr6 = NULL;
3352 unsigned short snum;
3355 if (sk->sk_family == PF_INET) {
3356 addr4 = (struct sockaddr_in *)address;
3357 if (addrlen < sizeof(struct sockaddr_in))
3359 snum = ntohs(addr4->sin_port);
3361 addr6 = (struct sockaddr_in6 *)address;
3362 if (addrlen < SIN6_LEN_RFC2133)
3364 snum = ntohs(addr6->sin6_port);
3367 err = security_port_sid(sk->sk_family, sk->sk_type,
3368 sk->sk_protocol, snum, &sid);
3372 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3373 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3375 AVC_AUDIT_DATA_INIT(&ad,NET);
3376 ad.u.net.dport = htons(snum);
3377 ad.u.net.family = sk->sk_family;
3378 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3387 static int selinux_socket_listen(struct socket *sock, int backlog)
3389 return socket_has_perm(current, sock, SOCKET__LISTEN);
3392 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3395 struct inode_security_struct *isec;
3396 struct inode_security_struct *newisec;
3398 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3402 newisec = SOCK_INODE(newsock)->i_security;
3404 isec = SOCK_INODE(sock)->i_security;
3405 newisec->sclass = isec->sclass;
3406 newisec->sid = isec->sid;
3407 newisec->initialized = 1;
3412 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3417 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3421 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3424 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3425 int size, int flags)
3427 return socket_has_perm(current, sock, SOCKET__READ);
3430 static int selinux_socket_getsockname(struct socket *sock)
3432 return socket_has_perm(current, sock, SOCKET__GETATTR);
3435 static int selinux_socket_getpeername(struct socket *sock)
3437 return socket_has_perm(current, sock, SOCKET__GETATTR);
3440 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3444 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3448 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3451 static int selinux_socket_getsockopt(struct socket *sock, int level,
3454 return socket_has_perm(current, sock, SOCKET__GETOPT);
3457 static int selinux_socket_shutdown(struct socket *sock, int how)
3459 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3462 static int selinux_socket_unix_stream_connect(struct socket *sock,
3463 struct socket *other,
3466 struct sk_security_struct *ssec;
3467 struct inode_security_struct *isec;
3468 struct inode_security_struct *other_isec;
3469 struct avc_audit_data ad;
3472 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3476 isec = SOCK_INODE(sock)->i_security;
3477 other_isec = SOCK_INODE(other)->i_security;
3479 AVC_AUDIT_DATA_INIT(&ad,NET);
3480 ad.u.net.sk = other->sk;
3482 err = avc_has_perm(isec->sid, other_isec->sid,
3484 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3488 /* connecting socket */
3489 ssec = sock->sk->sk_security;
3490 ssec->peer_sid = other_isec->sid;
3492 /* server child socket */
3493 ssec = newsk->sk_security;
3494 ssec->peer_sid = isec->sid;
3495 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3500 static int selinux_socket_unix_may_send(struct socket *sock,
3501 struct socket *other)
3503 struct inode_security_struct *isec;
3504 struct inode_security_struct *other_isec;
3505 struct avc_audit_data ad;
3508 isec = SOCK_INODE(sock)->i_security;
3509 other_isec = SOCK_INODE(other)->i_security;
3511 AVC_AUDIT_DATA_INIT(&ad,NET);
3512 ad.u.net.sk = other->sk;
3514 err = avc_has_perm(isec->sid, other_isec->sid,
3515 isec->sclass, SOCKET__SENDTO, &ad);
3522 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3523 struct avc_audit_data *ad, u16 family, char *addrp, int len)
3526 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3527 struct socket *sock;
3531 read_lock_bh(&sk->sk_callback_lock);
3532 sock = sk->sk_socket;
3534 struct inode *inode;
3535 inode = SOCK_INODE(sock);
3537 struct inode_security_struct *isec;
3538 isec = inode->i_security;
3539 sock_sid = isec->sid;
3540 sock_class = isec->sclass;
3543 read_unlock_bh(&sk->sk_callback_lock);
3550 err = sel_netif_sids(skb->dev, &if_sid, NULL);
3554 switch (sock_class) {
3555 case SECCLASS_UDP_SOCKET:
3556 netif_perm = NETIF__UDP_RECV;
3557 node_perm = NODE__UDP_RECV;
3558 recv_perm = UDP_SOCKET__RECV_MSG;
3561 case SECCLASS_TCP_SOCKET:
3562 netif_perm = NETIF__TCP_RECV;
3563 node_perm = NODE__TCP_RECV;
3564 recv_perm = TCP_SOCKET__RECV_MSG;
3567 case SECCLASS_DCCP_SOCKET:
3568 netif_perm = NETIF__DCCP_RECV;
3569 node_perm = NODE__DCCP_RECV;
3570 recv_perm = DCCP_SOCKET__RECV_MSG;
3574 netif_perm = NETIF__RAWIP_RECV;
3575 node_perm = NODE__RAWIP_RECV;
3579 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3583 err = security_node_sid(family, addrp, len, &node_sid);
3587 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3594 err = security_port_sid(sk->sk_family, sk->sk_type,
3595 sk->sk_protocol, ntohs(ad->u.net.sport),
3600 err = avc_has_perm(sock_sid, port_sid,
3601 sock_class, recv_perm, ad);
3608 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3613 struct avc_audit_data ad;
3614 struct sk_security_struct *sksec = sk->sk_security;
3616 family = sk->sk_family;
3617 if (family != PF_INET && family != PF_INET6)
3620 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3621 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
3624 AVC_AUDIT_DATA_INIT(&ad, NET);
3625 ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
3626 ad.u.net.family = family;
3628 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL);
3632 if (selinux_compat_net)
3633 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family,
3636 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
3641 err = selinux_netlbl_sock_rcv_skb(sksec, skb, &ad);
3645 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
3650 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3651 int __user *optlen, unsigned len)
3656 struct sk_security_struct *ssec;
3657 struct inode_security_struct *isec;
3658 u32 peer_sid = SECSID_NULL;
3660 isec = SOCK_INODE(sock)->i_security;
3662 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
3663 isec->sclass == SECCLASS_TCP_SOCKET) {
3664 ssec = sock->sk->sk_security;
3665 peer_sid = ssec->peer_sid;
3667 if (peer_sid == SECSID_NULL) {
3672 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3677 if (scontext_len > len) {
3682 if (copy_to_user(optval, scontext, scontext_len))
3686 if (put_user(scontext_len, optlen))
3694 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
3696 u32 peer_secid = SECSID_NULL;
3699 if (sock && sock->sk->sk_family == PF_UNIX)
3700 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
3702 selinux_skb_extlbl_sid(skb, &peer_secid);
3704 if (peer_secid == SECSID_NULL)
3706 *secid = peer_secid;
3711 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3713 return sk_alloc_security(sk, family, priority);
3716 static void selinux_sk_free_security(struct sock *sk)
3718 sk_free_security(sk);
3721 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
3723 struct sk_security_struct *ssec = sk->sk_security;
3724 struct sk_security_struct *newssec = newsk->sk_security;
3726 newssec->sid = ssec->sid;
3727 newssec->peer_sid = ssec->peer_sid;
3729 selinux_netlbl_sk_security_clone(ssec, newssec);
3732 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
3735 *secid = SECINITSID_ANY_SOCKET;
3737 struct sk_security_struct *sksec = sk->sk_security;
3739 *secid = sksec->sid;
3743 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
3745 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
3746 struct sk_security_struct *sksec = sk->sk_security;
3748 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
3749 sk->sk_family == PF_UNIX)
3750 isec->sid = sksec->sid;
3752 selinux_netlbl_sock_graft(sk, parent);
3755 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
3756 struct request_sock *req)
3758 struct sk_security_struct *sksec = sk->sk_security;
3763 selinux_skb_extlbl_sid(skb, &peersid);
3764 if (peersid == SECSID_NULL) {
3765 req->secid = sksec->sid;
3766 req->peer_secid = SECSID_NULL;
3770 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
3774 req->secid = newsid;
3775 req->peer_secid = peersid;
3779 static void selinux_inet_csk_clone(struct sock *newsk,
3780 const struct request_sock *req)
3782 struct sk_security_struct *newsksec = newsk->sk_security;
3784 newsksec->sid = req->secid;
3785 newsksec->peer_sid = req->peer_secid;
3786 /* NOTE: Ideally, we should also get the isec->sid for the
3787 new socket in sync, but we don't have the isec available yet.
3788 So we will wait until sock_graft to do it, by which
3789 time it will have been created and available. */
3791 /* We don't need to take any sort of lock here as we are the only
3792 * thread with access to newsksec */
3793 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
3796 static void selinux_inet_conn_established(struct sock *sk,
3797 struct sk_buff *skb)
3799 struct sk_security_struct *sksec = sk->sk_security;
3801 selinux_skb_extlbl_sid(skb, &sksec->peer_sid);
3804 static void selinux_req_classify_flow(const struct request_sock *req,
3807 fl->secid = req->secid;
3810 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3814 struct nlmsghdr *nlh;
3815 struct socket *sock = sk->sk_socket;
3816 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3818 if (skb->len < NLMSG_SPACE(0)) {
3822 nlh = nlmsg_hdr(skb);
3824 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3826 if (err == -EINVAL) {
3827 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3828 "SELinux: unrecognized netlink message"
3829 " type=%hu for sclass=%hu\n",
3830 nlh->nlmsg_type, isec->sclass);
3831 if (!selinux_enforcing)
3841 err = socket_has_perm(current, sock, perm);
3846 #ifdef CONFIG_NETFILTER
3848 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
3849 struct avc_audit_data *ad,
3850 u16 family, char *addrp, int len)
3853 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3854 struct socket *sock;
3855 struct inode *inode;
3856 struct inode_security_struct *isec;
3858 sock = sk->sk_socket;
3862 inode = SOCK_INODE(sock);
3866 isec = inode->i_security;
3868 err = sel_netif_sids(dev, &if_sid, NULL);
3872 switch (isec->sclass) {
3873 case SECCLASS_UDP_SOCKET:
3874 netif_perm = NETIF__UDP_SEND;
3875 node_perm = NODE__UDP_SEND;
3876 send_perm = UDP_SOCKET__SEND_MSG;
3879 case SECCLASS_TCP_SOCKET:
3880 netif_perm = NETIF__TCP_SEND;
3881 node_perm = NODE__TCP_SEND;
3882 send_perm = TCP_SOCKET__SEND_MSG;
3885 case SECCLASS_DCCP_SOCKET:
3886 netif_perm = NETIF__DCCP_SEND;
3887 node_perm = NODE__DCCP_SEND;
3888 send_perm = DCCP_SOCKET__SEND_MSG;
3892 netif_perm = NETIF__RAWIP_SEND;
3893 node_perm = NODE__RAWIP_SEND;
3897 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3901 err = security_node_sid(family, addrp, len, &node_sid);
3905 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
3912 err = security_port_sid(sk->sk_family,
3915 ntohs(ad->u.net.dport),
3920 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3927 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3928 struct sk_buff **pskb,
3929 const struct net_device *in,
3930 const struct net_device *out,
3931 int (*okfn)(struct sk_buff *),
3937 struct sk_buff *skb = *pskb;
3938 struct avc_audit_data ad;
3939 struct net_device *dev = (struct net_device *)out;
3940 struct sk_security_struct *sksec;
3947 sksec = sk->sk_security;
3949 AVC_AUDIT_DATA_INIT(&ad, NET);
3950 ad.u.net.netif = dev->name;
3951 ad.u.net.family = family;
3953 err = selinux_parse_skb(skb, &ad, &addrp, &len, 0, &proto);
3957 if (selinux_compat_net)
3958 err = selinux_ip_postroute_last_compat(sk, dev, &ad,
3959 family, addrp, len);
3961 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
3967 err = selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto);
3969 return err ? NF_DROP : NF_ACCEPT;
3972 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3973 struct sk_buff **pskb,
3974 const struct net_device *in,
3975 const struct net_device *out,
3976 int (*okfn)(struct sk_buff *))
3978 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3981 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3983 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3984 struct sk_buff **pskb,
3985 const struct net_device *in,
3986 const struct net_device *out,
3987 int (*okfn)(struct sk_buff *))
3989 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3994 #endif /* CONFIG_NETFILTER */
3996 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4000 err = secondary_ops->netlink_send(sk, skb);
4004 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4005 err = selinux_nlmsg_perm(sk, skb);
4010 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4013 struct avc_audit_data ad;
4015 err = secondary_ops->netlink_recv(skb, capability);
4019 AVC_AUDIT_DATA_INIT(&ad, CAP);
4020 ad.u.cap = capability;
4022 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4023 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4026 static int ipc_alloc_security(struct task_struct *task,
4027 struct kern_ipc_perm *perm,
4030 struct task_security_struct *tsec = task->security;
4031 struct ipc_security_struct *isec;
4033 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4037 isec->sclass = sclass;
4038 isec->ipc_perm = perm;
4039 isec->sid = tsec->sid;
4040 perm->security = isec;
4045 static void ipc_free_security(struct kern_ipc_perm *perm)
4047 struct ipc_security_struct *isec = perm->security;
4048 perm->security = NULL;
4052 static int msg_msg_alloc_security(struct msg_msg *msg)
4054 struct msg_security_struct *msec;
4056 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4061 msec->sid = SECINITSID_UNLABELED;
4062 msg->security = msec;
4067 static void msg_msg_free_security(struct msg_msg *msg)
4069 struct msg_security_struct *msec = msg->security;
4071 msg->security = NULL;
4075 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4078 struct task_security_struct *tsec;
4079 struct ipc_security_struct *isec;
4080 struct avc_audit_data ad;
4082 tsec = current->security;
4083 isec = ipc_perms->security;
4085 AVC_AUDIT_DATA_INIT(&ad, IPC);
4086 ad.u.ipc_id = ipc_perms->key;
4088 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4091 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4093 return msg_msg_alloc_security(msg);
4096 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4098 msg_msg_free_security(msg);
4101 /* message queue security operations */
4102 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4104 struct task_security_struct *tsec;
4105 struct ipc_security_struct *isec;
4106 struct avc_audit_data ad;
4109 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4113 tsec = current->security;
4114 isec = msq->q_perm.security;
4116 AVC_AUDIT_DATA_INIT(&ad, IPC);
4117 ad.u.ipc_id = msq->q_perm.key;
4119 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4122 ipc_free_security(&msq->q_perm);
4128 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4130 ipc_free_security(&msq->q_perm);
4133 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4135 struct task_security_struct *tsec;
4136 struct ipc_security_struct *isec;
4137 struct avc_audit_data ad;
4139 tsec = current->security;
4140 isec = msq->q_perm.security;
4142 AVC_AUDIT_DATA_INIT(&ad, IPC);
4143 ad.u.ipc_id = msq->q_perm.key;
4145 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4146 MSGQ__ASSOCIATE, &ad);
4149 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4157 /* No specific object, just general system-wide information. */
4158 return task_has_system(current, SYSTEM__IPC_INFO);
4161 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4164 perms = MSGQ__SETATTR;
4167 perms = MSGQ__DESTROY;
4173 err = ipc_has_perm(&msq->q_perm, perms);
4177 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4179 struct task_security_struct *tsec;
4180 struct ipc_security_struct *isec;
4181 struct msg_security_struct *msec;
4182 struct avc_audit_data ad;
4185 tsec = current->security;
4186 isec = msq->q_perm.security;
4187 msec = msg->security;
4190 * First time through, need to assign label to the message
4192 if (msec->sid == SECINITSID_UNLABELED) {
4194 * Compute new sid based on current process and
4195 * message queue this message will be stored in
4197 rc = security_transition_sid(tsec->sid,
4205 AVC_AUDIT_DATA_INIT(&ad, IPC);
4206 ad.u.ipc_id = msq->q_perm.key;
4208 /* Can this process write to the queue? */
4209 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4212 /* Can this process send the message */
4213 rc = avc_has_perm(tsec->sid, msec->sid,
4214 SECCLASS_MSG, MSG__SEND, &ad);
4216 /* Can the message be put in the queue? */
4217 rc = avc_has_perm(msec->sid, isec->sid,
4218 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4223 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4224 struct task_struct *target,
4225 long type, int mode)
4227 struct task_security_struct *tsec;
4228 struct ipc_security_struct *isec;
4229 struct msg_security_struct *msec;
4230 struct avc_audit_data ad;
4233 tsec = target->security;
4234 isec = msq->q_perm.security;
4235 msec = msg->security;
4237 AVC_AUDIT_DATA_INIT(&ad, IPC);
4238 ad.u.ipc_id = msq->q_perm.key;
4240 rc = avc_has_perm(tsec->sid, isec->sid,
4241 SECCLASS_MSGQ, MSGQ__READ, &ad);
4243 rc = avc_has_perm(tsec->sid, msec->sid,
4244 SECCLASS_MSG, MSG__RECEIVE, &ad);
4248 /* Shared Memory security operations */
4249 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4251 struct task_security_struct *tsec;
4252 struct ipc_security_struct *isec;
4253 struct avc_audit_data ad;
4256 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4260 tsec = current->security;
4261 isec = shp->shm_perm.security;
4263 AVC_AUDIT_DATA_INIT(&ad, IPC);
4264 ad.u.ipc_id = shp->shm_perm.key;
4266 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4269 ipc_free_security(&shp->shm_perm);
4275 static void selinux_shm_free_security(struct shmid_kernel *shp)
4277 ipc_free_security(&shp->shm_perm);
4280 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4282 struct task_security_struct *tsec;
4283 struct ipc_security_struct *isec;
4284 struct avc_audit_data ad;
4286 tsec = current->security;
4287 isec = shp->shm_perm.security;
4289 AVC_AUDIT_DATA_INIT(&ad, IPC);
4290 ad.u.ipc_id = shp->shm_perm.key;
4292 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4293 SHM__ASSOCIATE, &ad);
4296 /* Note, at this point, shp is locked down */
4297 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4305 /* No specific object, just general system-wide information. */
4306 return task_has_system(current, SYSTEM__IPC_INFO);
4309 perms = SHM__GETATTR | SHM__ASSOCIATE;
4312 perms = SHM__SETATTR;
4319 perms = SHM__DESTROY;
4325 err = ipc_has_perm(&shp->shm_perm, perms);
4329 static int selinux_shm_shmat(struct shmid_kernel *shp,
4330 char __user *shmaddr, int shmflg)
4335 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4339 if (shmflg & SHM_RDONLY)
4342 perms = SHM__READ | SHM__WRITE;
4344 return ipc_has_perm(&shp->shm_perm, perms);
4347 /* Semaphore security operations */
4348 static int selinux_sem_alloc_security(struct sem_array *sma)
4350 struct task_security_struct *tsec;
4351 struct ipc_security_struct *isec;
4352 struct avc_audit_data ad;
4355 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4359 tsec = current->security;
4360 isec = sma->sem_perm.security;
4362 AVC_AUDIT_DATA_INIT(&ad, IPC);
4363 ad.u.ipc_id = sma->sem_perm.key;
4365 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4368 ipc_free_security(&sma->sem_perm);
4374 static void selinux_sem_free_security(struct sem_array *sma)
4376 ipc_free_security(&sma->sem_perm);
4379 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4381 struct task_security_struct *tsec;
4382 struct ipc_security_struct *isec;
4383 struct avc_audit_data ad;
4385 tsec = current->security;
4386 isec = sma->sem_perm.security;
4388 AVC_AUDIT_DATA_INIT(&ad, IPC);
4389 ad.u.ipc_id = sma->sem_perm.key;
4391 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4392 SEM__ASSOCIATE, &ad);
4395 /* Note, at this point, sma is locked down */
4396 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4404 /* No specific object, just general system-wide information. */
4405 return task_has_system(current, SYSTEM__IPC_INFO);
4409 perms = SEM__GETATTR;
4420 perms = SEM__DESTROY;
4423 perms = SEM__SETATTR;
4427 perms = SEM__GETATTR | SEM__ASSOCIATE;
4433 err = ipc_has_perm(&sma->sem_perm, perms);
4437 static int selinux_sem_semop(struct sem_array *sma,
4438 struct sembuf *sops, unsigned nsops, int alter)
4443 perms = SEM__READ | SEM__WRITE;
4447 return ipc_has_perm(&sma->sem_perm, perms);
4450 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4456 av |= IPC__UNIX_READ;
4458 av |= IPC__UNIX_WRITE;
4463 return ipc_has_perm(ipcp, av);
4466 /* module stacking operations */
4467 static int selinux_register_security (const char *name, struct security_operations *ops)
4469 if (secondary_ops != original_ops) {
4470 printk(KERN_ERR "%s: There is already a secondary security "
4471 "module registered.\n", __FUNCTION__);
4475 secondary_ops = ops;
4477 printk(KERN_INFO "%s: Registering secondary module %s\n",
4484 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4486 if (ops != secondary_ops) {
4487 printk(KERN_ERR "%s: trying to unregister a security module "
4488 "that is not registered.\n", __FUNCTION__);
4492 secondary_ops = original_ops;
4497 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4500 inode_doinit_with_dentry(inode, dentry);
4503 static int selinux_getprocattr(struct task_struct *p,
4504 char *name, char **value)
4506 struct task_security_struct *tsec;
4512 error = task_has_perm(current, p, PROCESS__GETATTR);
4519 if (!strcmp(name, "current"))
4521 else if (!strcmp(name, "prev"))
4523 else if (!strcmp(name, "exec"))
4524 sid = tsec->exec_sid;
4525 else if (!strcmp(name, "fscreate"))
4526 sid = tsec->create_sid;
4527 else if (!strcmp(name, "keycreate"))
4528 sid = tsec->keycreate_sid;
4529 else if (!strcmp(name, "sockcreate"))
4530 sid = tsec->sockcreate_sid;
4537 error = security_sid_to_context(sid, value, &len);
4543 static int selinux_setprocattr(struct task_struct *p,
4544 char *name, void *value, size_t size)
4546 struct task_security_struct *tsec;
4552 /* SELinux only allows a process to change its own
4553 security attributes. */
4558 * Basic control over ability to set these attributes at all.
4559 * current == p, but we'll pass them separately in case the
4560 * above restriction is ever removed.
4562 if (!strcmp(name, "exec"))
4563 error = task_has_perm(current, p, PROCESS__SETEXEC);
4564 else if (!strcmp(name, "fscreate"))
4565 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4566 else if (!strcmp(name, "keycreate"))
4567 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
4568 else if (!strcmp(name, "sockcreate"))
4569 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
4570 else if (!strcmp(name, "current"))
4571 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4577 /* Obtain a SID for the context, if one was specified. */
4578 if (size && str[1] && str[1] != '\n') {
4579 if (str[size-1] == '\n') {
4583 error = security_context_to_sid(value, size, &sid);
4588 /* Permission checking based on the specified context is
4589 performed during the actual operation (execve,
4590 open/mkdir/...), when we know the full context of the
4591 operation. See selinux_bprm_set_security for the execve
4592 checks and may_create for the file creation checks. The
4593 operation will then fail if the context is not permitted. */
4595 if (!strcmp(name, "exec"))
4596 tsec->exec_sid = sid;
4597 else if (!strcmp(name, "fscreate"))
4598 tsec->create_sid = sid;
4599 else if (!strcmp(name, "keycreate")) {
4600 error = may_create_key(sid, p);
4603 tsec->keycreate_sid = sid;
4604 } else if (!strcmp(name, "sockcreate"))
4605 tsec->sockcreate_sid = sid;
4606 else if (!strcmp(name, "current")) {
4607 struct av_decision avd;
4612 /* Only allow single threaded processes to change context */
4613 if (atomic_read(&p->mm->mm_users) != 1) {
4614 struct task_struct *g, *t;
4615 struct mm_struct *mm = p->mm;
4616 read_lock(&tasklist_lock);
4617 do_each_thread(g, t)
4618 if (t->mm == mm && t != p) {
4619 read_unlock(&tasklist_lock);
4622 while_each_thread(g, t);
4623 read_unlock(&tasklist_lock);
4626 /* Check permissions for the transition. */
4627 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4628 PROCESS__DYNTRANSITION, NULL);
4632 /* Check for ptracing, and update the task SID if ok.
4633 Otherwise, leave SID unchanged and fail. */
4635 if (p->ptrace & PT_PTRACED) {
4636 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4638 PROCESS__PTRACE, 0, &avd);
4642 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4643 PROCESS__PTRACE, &avd, error, NULL);
4657 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
4659 return security_sid_to_context(secid, secdata, seclen);
4662 static void selinux_release_secctx(char *secdata, u32 seclen)
4669 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
4670 unsigned long flags)
4672 struct task_security_struct *tsec = tsk->security;
4673 struct key_security_struct *ksec;
4675 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
4680 if (tsec->keycreate_sid)
4681 ksec->sid = tsec->keycreate_sid;
4683 ksec->sid = tsec->sid;
4689 static void selinux_key_free(struct key *k)
4691 struct key_security_struct *ksec = k->security;
4697 static int selinux_key_permission(key_ref_t key_ref,
4698 struct task_struct *ctx,
4702 struct task_security_struct *tsec;
4703 struct key_security_struct *ksec;
4705 key = key_ref_to_ptr(key_ref);
4707 tsec = ctx->security;
4708 ksec = key->security;
4710 /* if no specific permissions are requested, we skip the
4711 permission check. No serious, additional covert channels
4712 appear to be created. */
4716 return avc_has_perm(tsec->sid, ksec->sid,
4717 SECCLASS_KEY, perm, NULL);
4722 static struct security_operations selinux_ops = {
4723 .ptrace = selinux_ptrace,
4724 .capget = selinux_capget,
4725 .capset_check = selinux_capset_check,
4726 .capset_set = selinux_capset_set,
4727 .sysctl = selinux_sysctl,
4728 .capable = selinux_capable,
4729 .quotactl = selinux_quotactl,
4730 .quota_on = selinux_quota_on,
4731 .syslog = selinux_syslog,
4732 .vm_enough_memory = selinux_vm_enough_memory,
4734 .netlink_send = selinux_netlink_send,
4735 .netlink_recv = selinux_netlink_recv,
4737 .bprm_alloc_security = selinux_bprm_alloc_security,
4738 .bprm_free_security = selinux_bprm_free_security,
4739 .bprm_apply_creds = selinux_bprm_apply_creds,
4740 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
4741 .bprm_set_security = selinux_bprm_set_security,
4742 .bprm_check_security = selinux_bprm_check_security,
4743 .bprm_secureexec = selinux_bprm_secureexec,
4745 .sb_alloc_security = selinux_sb_alloc_security,
4746 .sb_free_security = selinux_sb_free_security,
4747 .sb_copy_data = selinux_sb_copy_data,
4748 .sb_kern_mount = selinux_sb_kern_mount,
4749 .sb_statfs = selinux_sb_statfs,
4750 .sb_mount = selinux_mount,
4751 .sb_umount = selinux_umount,
4753 .inode_alloc_security = selinux_inode_alloc_security,
4754 .inode_free_security = selinux_inode_free_security,
4755 .inode_init_security = selinux_inode_init_security,
4756 .inode_create = selinux_inode_create,
4757 .inode_link = selinux_inode_link,
4758 .inode_unlink = selinux_inode_unlink,
4759 .inode_symlink = selinux_inode_symlink,
4760 .inode_mkdir = selinux_inode_mkdir,
4761 .inode_rmdir = selinux_inode_rmdir,
4762 .inode_mknod = selinux_inode_mknod,
4763 .inode_rename = selinux_inode_rename,
4764 .inode_readlink = selinux_inode_readlink,
4765 .inode_follow_link = selinux_inode_follow_link,
4766 .inode_permission = selinux_inode_permission,
4767 .inode_setattr = selinux_inode_setattr,
4768 .inode_getattr = selinux_inode_getattr,
4769 .inode_setxattr = selinux_inode_setxattr,
4770 .inode_post_setxattr = selinux_inode_post_setxattr,
4771 .inode_getxattr = selinux_inode_getxattr,
4772 .inode_listxattr = selinux_inode_listxattr,
4773 .inode_removexattr = selinux_inode_removexattr,
4774 .inode_xattr_getsuffix = selinux_inode_xattr_getsuffix,
4775 .inode_getsecurity = selinux_inode_getsecurity,
4776 .inode_setsecurity = selinux_inode_setsecurity,
4777 .inode_listsecurity = selinux_inode_listsecurity,
4779 .file_permission = selinux_file_permission,
4780 .file_alloc_security = selinux_file_alloc_security,
4781 .file_free_security = selinux_file_free_security,
4782 .file_ioctl = selinux_file_ioctl,
4783 .file_mmap = selinux_file_mmap,
4784 .file_mprotect = selinux_file_mprotect,
4785 .file_lock = selinux_file_lock,
4786 .file_fcntl = selinux_file_fcntl,
4787 .file_set_fowner = selinux_file_set_fowner,
4788 .file_send_sigiotask = selinux_file_send_sigiotask,
4789 .file_receive = selinux_file_receive,
4791 .task_create = selinux_task_create,
4792 .task_alloc_security = selinux_task_alloc_security,
4793 .task_free_security = selinux_task_free_security,
4794 .task_setuid = selinux_task_setuid,
4795 .task_post_setuid = selinux_task_post_setuid,
4796 .task_setgid = selinux_task_setgid,
4797 .task_setpgid = selinux_task_setpgid,
4798 .task_getpgid = selinux_task_getpgid,
4799 .task_getsid = selinux_task_getsid,
4800 .task_getsecid = selinux_task_getsecid,
4801 .task_setgroups = selinux_task_setgroups,
4802 .task_setnice = selinux_task_setnice,
4803 .task_setioprio = selinux_task_setioprio,
4804 .task_getioprio = selinux_task_getioprio,
4805 .task_setrlimit = selinux_task_setrlimit,
4806 .task_setscheduler = selinux_task_setscheduler,
4807 .task_getscheduler = selinux_task_getscheduler,
4808 .task_movememory = selinux_task_movememory,
4809 .task_kill = selinux_task_kill,
4810 .task_wait = selinux_task_wait,
4811 .task_prctl = selinux_task_prctl,
4812 .task_reparent_to_init = selinux_task_reparent_to_init,
4813 .task_to_inode = selinux_task_to_inode,
4815 .ipc_permission = selinux_ipc_permission,
4817 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4818 .msg_msg_free_security = selinux_msg_msg_free_security,
4820 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4821 .msg_queue_free_security = selinux_msg_queue_free_security,
4822 .msg_queue_associate = selinux_msg_queue_associate,
4823 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4824 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4825 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4827 .shm_alloc_security = selinux_shm_alloc_security,
4828 .shm_free_security = selinux_shm_free_security,
4829 .shm_associate = selinux_shm_associate,
4830 .shm_shmctl = selinux_shm_shmctl,
4831 .shm_shmat = selinux_shm_shmat,
4833 .sem_alloc_security = selinux_sem_alloc_security,
4834 .sem_free_security = selinux_sem_free_security,
4835 .sem_associate = selinux_sem_associate,
4836 .sem_semctl = selinux_sem_semctl,
4837 .sem_semop = selinux_sem_semop,
4839 .register_security = selinux_register_security,
4840 .unregister_security = selinux_unregister_security,
4842 .d_instantiate = selinux_d_instantiate,
4844 .getprocattr = selinux_getprocattr,
4845 .setprocattr = selinux_setprocattr,
4847 .secid_to_secctx = selinux_secid_to_secctx,
4848 .release_secctx = selinux_release_secctx,
4850 .unix_stream_connect = selinux_socket_unix_stream_connect,
4851 .unix_may_send = selinux_socket_unix_may_send,
4853 .socket_create = selinux_socket_create,
4854 .socket_post_create = selinux_socket_post_create,
4855 .socket_bind = selinux_socket_bind,
4856 .socket_connect = selinux_socket_connect,
4857 .socket_listen = selinux_socket_listen,
4858 .socket_accept = selinux_socket_accept,
4859 .socket_sendmsg = selinux_socket_sendmsg,
4860 .socket_recvmsg = selinux_socket_recvmsg,
4861 .socket_getsockname = selinux_socket_getsockname,
4862 .socket_getpeername = selinux_socket_getpeername,
4863 .socket_getsockopt = selinux_socket_getsockopt,
4864 .socket_setsockopt = selinux_socket_setsockopt,
4865 .socket_shutdown = selinux_socket_shutdown,
4866 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
4867 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
4868 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
4869 .sk_alloc_security = selinux_sk_alloc_security,
4870 .sk_free_security = selinux_sk_free_security,
4871 .sk_clone_security = selinux_sk_clone_security,
4872 .sk_getsecid = selinux_sk_getsecid,
4873 .sock_graft = selinux_sock_graft,
4874 .inet_conn_request = selinux_inet_conn_request,
4875 .inet_csk_clone = selinux_inet_csk_clone,
4876 .inet_conn_established = selinux_inet_conn_established,
4877 .req_classify_flow = selinux_req_classify_flow,
4879 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4880 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
4881 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
4882 .xfrm_policy_free_security = selinux_xfrm_policy_free,
4883 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
4884 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
4885 .xfrm_state_free_security = selinux_xfrm_state_free,
4886 .xfrm_state_delete_security = selinux_xfrm_state_delete,
4887 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
4888 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
4889 .xfrm_decode_session = selinux_xfrm_decode_session,
4893 .key_alloc = selinux_key_alloc,
4894 .key_free = selinux_key_free,
4895 .key_permission = selinux_key_permission,
4899 static __init int selinux_init(void)
4901 struct task_security_struct *tsec;
4903 if (!selinux_enabled) {
4904 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4908 printk(KERN_INFO "SELinux: Initializing.\n");
4910 /* Set the security state for the initial task. */
4911 if (task_alloc_security(current))
4912 panic("SELinux: Failed to initialize initial task.\n");
4913 tsec = current->security;
4914 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4916 sel_inode_cache = kmem_cache_create("selinux_inode_security",
4917 sizeof(struct inode_security_struct),
4918 0, SLAB_PANIC, NULL);
4921 original_ops = secondary_ops = security_ops;
4923 panic ("SELinux: No initial security operations\n");
4924 if (register_security (&selinux_ops))
4925 panic("SELinux: Unable to register with kernel.\n");
4927 if (selinux_enforcing) {
4928 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
4930 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
4934 /* Add security information to initial keyrings */
4935 selinux_key_alloc(&root_user_keyring, current,
4936 KEY_ALLOC_NOT_IN_QUOTA);
4937 selinux_key_alloc(&root_session_keyring, current,
4938 KEY_ALLOC_NOT_IN_QUOTA);
4944 void selinux_complete_init(void)
4946 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
4948 /* Set up any superblocks initialized prior to the policy load. */
4949 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
4950 spin_lock(&sb_lock);
4951 spin_lock(&sb_security_lock);
4953 if (!list_empty(&superblock_security_head)) {
4954 struct superblock_security_struct *sbsec =
4955 list_entry(superblock_security_head.next,
4956 struct superblock_security_struct,
4958 struct super_block *sb = sbsec->sb;
4960 spin_unlock(&sb_security_lock);
4961 spin_unlock(&sb_lock);
4962 down_read(&sb->s_umount);
4964 superblock_doinit(sb, NULL);
4966 spin_lock(&sb_lock);
4967 spin_lock(&sb_security_lock);
4968 list_del_init(&sbsec->list);
4971 spin_unlock(&sb_security_lock);
4972 spin_unlock(&sb_lock);
4975 /* SELinux requires early initialization in order to label
4976 all processes and objects when they are created. */
4977 security_initcall(selinux_init);
4979 #if defined(CONFIG_NETFILTER)
4981 static struct nf_hook_ops selinux_ipv4_op = {
4982 .hook = selinux_ipv4_postroute_last,
4983 .owner = THIS_MODULE,
4985 .hooknum = NF_IP_POST_ROUTING,
4986 .priority = NF_IP_PRI_SELINUX_LAST,
4989 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4991 static struct nf_hook_ops selinux_ipv6_op = {
4992 .hook = selinux_ipv6_postroute_last,
4993 .owner = THIS_MODULE,
4995 .hooknum = NF_IP6_POST_ROUTING,
4996 .priority = NF_IP6_PRI_SELINUX_LAST,
5001 static int __init selinux_nf_ip_init(void)
5005 if (!selinux_enabled)
5008 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5010 err = nf_register_hook(&selinux_ipv4_op);
5012 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
5014 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5016 err = nf_register_hook(&selinux_ipv6_op);
5018 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
5026 __initcall(selinux_nf_ip_init);
5028 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5029 static void selinux_nf_ip_exit(void)
5031 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5033 nf_unregister_hook(&selinux_ipv4_op);
5034 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5035 nf_unregister_hook(&selinux_ipv6_op);
5040 #else /* CONFIG_NETFILTER */
5042 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5043 #define selinux_nf_ip_exit()
5046 #endif /* CONFIG_NETFILTER */
5048 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5049 int selinux_disable(void)
5051 extern void exit_sel_fs(void);
5052 static int selinux_disabled = 0;
5054 if (ss_initialized) {
5055 /* Not permitted after initial policy load. */
5059 if (selinux_disabled) {
5060 /* Only do this once. */
5064 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5066 selinux_disabled = 1;
5067 selinux_enabled = 0;
5069 /* Reset security_ops to the secondary module, dummy or capability. */
5070 security_ops = secondary_ops;
5072 /* Unregister netfilter hooks. */
5073 selinux_nf_ip_exit();
5075 /* Unregister selinuxfs. */
projects / linux-2.6 / blob