2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2,
18 * as published by the Free Software Foundation.
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
50 #include <net/ip.h> /* for sysctl_local_port_range[] */
51 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h> /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h> /* for Unix socket types */
63 #include <net/af_unix.h> /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
78 #define XATTR_SELINUX_SUFFIX "selinux"
79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
81 extern unsigned int policydb_loaded_version;
82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
84 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
85 int selinux_enforcing = 0;
87 static int __init enforcing_setup(char *str)
89 selinux_enforcing = simple_strtol(str,NULL,0);
92 __setup("enforcing=", enforcing_setup);
95 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
96 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
98 static int __init selinux_enabled_setup(char *str)
100 selinux_enabled = simple_strtol(str, NULL, 0);
103 __setup("selinux=", selinux_enabled_setup);
106 /* Original (dummy) security module. */
107 static struct security_operations *original_ops = NULL;
109 /* Minimal support for a secondary security module,
110 just to allow the use of the dummy or capability modules.
111 The owlsm module can alternatively be used as a secondary
112 module as long as CONFIG_OWLSM_FD is not enabled. */
113 static struct security_operations *secondary_ops = NULL;
115 /* Lists of inode and superblock security structures initialized
116 before the policy was loaded. */
117 static LIST_HEAD(superblock_security_head);
118 static DEFINE_SPINLOCK(sb_security_lock);
120 /* Allocate and free functions for each kind of security blob. */
122 static int task_alloc_security(struct task_struct *task)
124 struct task_security_struct *tsec;
126 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
131 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
132 task->security = tsec;
137 static void task_free_security(struct task_struct *task)
139 struct task_security_struct *tsec = task->security;
140 task->security = NULL;
144 static int inode_alloc_security(struct inode *inode)
146 struct task_security_struct *tsec = current->security;
147 struct inode_security_struct *isec;
149 isec = kzalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
153 init_MUTEX(&isec->sem);
154 INIT_LIST_HEAD(&isec->list);
156 isec->sid = SECINITSID_UNLABELED;
157 isec->sclass = SECCLASS_FILE;
158 isec->task_sid = tsec->sid;
159 inode->i_security = isec;
164 static void inode_free_security(struct inode *inode)
166 struct inode_security_struct *isec = inode->i_security;
167 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
169 spin_lock(&sbsec->isec_lock);
170 if (!list_empty(&isec->list))
171 list_del_init(&isec->list);
172 spin_unlock(&sbsec->isec_lock);
174 inode->i_security = NULL;
178 static int file_alloc_security(struct file *file)
180 struct task_security_struct *tsec = current->security;
181 struct file_security_struct *fsec;
183 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
188 fsec->sid = tsec->sid;
189 fsec->fown_sid = tsec->sid;
190 file->f_security = fsec;
195 static void file_free_security(struct file *file)
197 struct file_security_struct *fsec = file->f_security;
198 file->f_security = NULL;
202 static int superblock_alloc_security(struct super_block *sb)
204 struct superblock_security_struct *sbsec;
206 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
210 init_MUTEX(&sbsec->sem);
211 INIT_LIST_HEAD(&sbsec->list);
212 INIT_LIST_HEAD(&sbsec->isec_head);
213 spin_lock_init(&sbsec->isec_lock);
215 sbsec->sid = SECINITSID_UNLABELED;
216 sbsec->def_sid = SECINITSID_FILE;
217 sb->s_security = sbsec;
222 static void superblock_free_security(struct super_block *sb)
224 struct superblock_security_struct *sbsec = sb->s_security;
226 spin_lock(&sb_security_lock);
227 if (!list_empty(&sbsec->list))
228 list_del_init(&sbsec->list);
229 spin_unlock(&sb_security_lock);
231 sb->s_security = NULL;
235 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
237 struct sk_security_struct *ssec;
239 if (family != PF_UNIX)
242 ssec = kzalloc(sizeof(*ssec), priority);
247 ssec->peer_sid = SECINITSID_UNLABELED;
248 sk->sk_security = ssec;
253 static void sk_free_security(struct sock *sk)
255 struct sk_security_struct *ssec = sk->sk_security;
257 if (sk->sk_family != PF_UNIX)
260 sk->sk_security = NULL;
264 /* The security server must be initialized before
265 any labeling or access decisions can be provided. */
266 extern int ss_initialized;
268 /* The file system's label must be initialized prior to use. */
270 static char *labeling_behaviors[6] = {
272 "uses transition SIDs",
274 "uses genfs_contexts",
275 "not configured for labeling",
276 "uses mountpoint labeling",
279 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
281 static inline int inode_doinit(struct inode *inode)
283 return inode_doinit_with_dentry(inode, NULL);
292 static match_table_t tokens = {
293 {Opt_context, "context=%s"},
294 {Opt_fscontext, "fscontext=%s"},
295 {Opt_defcontext, "defcontext=%s"},
298 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
300 static int try_context_mount(struct super_block *sb, void *data)
302 char *context = NULL, *defcontext = NULL;
305 int alloc = 0, rc = 0, seen = 0;
306 struct task_security_struct *tsec = current->security;
307 struct superblock_security_struct *sbsec = sb->s_security;
312 name = sb->s_type->name;
314 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
316 /* NFS we understand. */
317 if (!strcmp(name, "nfs")) {
318 struct nfs_mount_data *d = data;
320 if (d->version < NFS_MOUNT_VERSION)
324 context = d->context;
331 /* Standard string-based options. */
332 char *p, *options = data;
334 while ((p = strsep(&options, ",")) != NULL) {
336 substring_t args[MAX_OPT_ARGS];
341 token = match_token(p, tokens, args);
347 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
350 context = match_strdup(&args[0]);
361 if (seen & (Opt_context|Opt_fscontext)) {
363 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
366 context = match_strdup(&args[0]);
373 seen |= Opt_fscontext;
377 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
379 printk(KERN_WARNING "SELinux: "
380 "defcontext option is invalid "
381 "for this filesystem type\n");
384 if (seen & (Opt_context|Opt_defcontext)) {
386 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
389 defcontext = match_strdup(&args[0]);
396 seen |= Opt_defcontext;
401 printk(KERN_WARNING "SELinux: unknown mount "
413 rc = security_context_to_sid(context, strlen(context), &sid);
415 printk(KERN_WARNING "SELinux: security_context_to_sid"
416 "(%s) failed for (dev %s, type %s) errno=%d\n",
417 context, sb->s_id, name, rc);
421 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
422 FILESYSTEM__RELABELFROM, NULL);
426 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
427 FILESYSTEM__RELABELTO, NULL);
433 if (seen & Opt_context)
434 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
438 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
440 printk(KERN_WARNING "SELinux: security_context_to_sid"
441 "(%s) failed for (dev %s, type %s) errno=%d\n",
442 defcontext, sb->s_id, name, rc);
446 if (sid == sbsec->def_sid)
449 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450 FILESYSTEM__RELABELFROM, NULL);
454 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
455 FILESYSTEM__ASSOCIATE, NULL);
459 sbsec->def_sid = sid;
471 static int superblock_doinit(struct super_block *sb, void *data)
473 struct superblock_security_struct *sbsec = sb->s_security;
474 struct dentry *root = sb->s_root;
475 struct inode *inode = root->d_inode;
479 if (sbsec->initialized)
482 if (!ss_initialized) {
483 /* Defer initialization until selinux_complete_init,
484 after the initial policy is loaded and the security
485 server is ready to handle calls. */
486 spin_lock(&sb_security_lock);
487 if (list_empty(&sbsec->list))
488 list_add(&sbsec->list, &superblock_security_head);
489 spin_unlock(&sb_security_lock);
493 /* Determine the labeling behavior to use for this filesystem type. */
494 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
496 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
497 __FUNCTION__, sb->s_type->name, rc);
501 rc = try_context_mount(sb, data);
505 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
506 /* Make sure that the xattr handler exists and that no
507 error other than -ENODATA is returned by getxattr on
508 the root directory. -ENODATA is ok, as this may be
509 the first boot of the SELinux kernel before we have
510 assigned xattr values to the filesystem. */
511 if (!inode->i_op->getxattr) {
512 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
513 "xattr support\n", sb->s_id, sb->s_type->name);
517 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
518 if (rc < 0 && rc != -ENODATA) {
519 if (rc == -EOPNOTSUPP)
520 printk(KERN_WARNING "SELinux: (dev %s, type "
521 "%s) has no security xattr handler\n",
522 sb->s_id, sb->s_type->name);
524 printk(KERN_WARNING "SELinux: (dev %s, type "
525 "%s) getxattr errno %d\n", sb->s_id,
526 sb->s_type->name, -rc);
531 if (strcmp(sb->s_type->name, "proc") == 0)
534 sbsec->initialized = 1;
536 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
537 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
538 sb->s_id, sb->s_type->name);
541 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
542 sb->s_id, sb->s_type->name,
543 labeling_behaviors[sbsec->behavior-1]);
546 /* Initialize the root inode. */
547 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
549 /* Initialize any other inodes associated with the superblock, e.g.
550 inodes created prior to initial policy load or inodes created
551 during get_sb by a pseudo filesystem that directly
553 spin_lock(&sbsec->isec_lock);
555 if (!list_empty(&sbsec->isec_head)) {
556 struct inode_security_struct *isec =
557 list_entry(sbsec->isec_head.next,
558 struct inode_security_struct, list);
559 struct inode *inode = isec->inode;
560 spin_unlock(&sbsec->isec_lock);
561 inode = igrab(inode);
563 if (!IS_PRIVATE (inode))
567 spin_lock(&sbsec->isec_lock);
568 list_del_init(&isec->list);
571 spin_unlock(&sbsec->isec_lock);
577 static inline u16 inode_mode_to_security_class(umode_t mode)
579 switch (mode & S_IFMT) {
581 return SECCLASS_SOCK_FILE;
583 return SECCLASS_LNK_FILE;
585 return SECCLASS_FILE;
587 return SECCLASS_BLK_FILE;
591 return SECCLASS_CHR_FILE;
593 return SECCLASS_FIFO_FILE;
597 return SECCLASS_FILE;
600 static inline int default_protocol_stream(int protocol)
602 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
605 static inline int default_protocol_dgram(int protocol)
607 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
610 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
617 return SECCLASS_UNIX_STREAM_SOCKET;
619 return SECCLASS_UNIX_DGRAM_SOCKET;
626 if (default_protocol_stream(protocol))
627 return SECCLASS_TCP_SOCKET;
629 return SECCLASS_RAWIP_SOCKET;
631 if (default_protocol_dgram(protocol))
632 return SECCLASS_UDP_SOCKET;
634 return SECCLASS_RAWIP_SOCKET;
636 return SECCLASS_RAWIP_SOCKET;
642 return SECCLASS_NETLINK_ROUTE_SOCKET;
643 case NETLINK_FIREWALL:
644 return SECCLASS_NETLINK_FIREWALL_SOCKET;
645 case NETLINK_INET_DIAG:
646 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
648 return SECCLASS_NETLINK_NFLOG_SOCKET;
650 return SECCLASS_NETLINK_XFRM_SOCKET;
651 case NETLINK_SELINUX:
652 return SECCLASS_NETLINK_SELINUX_SOCKET;
654 return SECCLASS_NETLINK_AUDIT_SOCKET;
656 return SECCLASS_NETLINK_IP6FW_SOCKET;
657 case NETLINK_DNRTMSG:
658 return SECCLASS_NETLINK_DNRT_SOCKET;
659 case NETLINK_KOBJECT_UEVENT:
660 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
662 return SECCLASS_NETLINK_SOCKET;
665 return SECCLASS_PACKET_SOCKET;
667 return SECCLASS_KEY_SOCKET;
670 return SECCLASS_SOCKET;
673 #ifdef CONFIG_PROC_FS
674 static int selinux_proc_get_sid(struct proc_dir_entry *de,
679 char *buffer, *path, *end;
681 buffer = (char*)__get_free_page(GFP_KERNEL);
691 while (de && de != de->parent) {
692 buflen -= de->namelen + 1;
696 memcpy(end, de->name, de->namelen);
701 rc = security_genfs_sid("proc", path, tclass, sid);
702 free_page((unsigned long)buffer);
706 static int selinux_proc_get_sid(struct proc_dir_entry *de,
714 /* The inode's security attributes must be initialized before first use. */
715 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
717 struct superblock_security_struct *sbsec = NULL;
718 struct inode_security_struct *isec = inode->i_security;
720 struct dentry *dentry;
721 #define INITCONTEXTLEN 255
722 char *context = NULL;
727 if (isec->initialized)
732 if (isec->initialized)
735 sbsec = inode->i_sb->s_security;
736 if (!sbsec->initialized) {
737 /* Defer initialization until selinux_complete_init,
738 after the initial policy is loaded and the security
739 server is ready to handle calls. */
740 spin_lock(&sbsec->isec_lock);
741 if (list_empty(&isec->list))
742 list_add(&isec->list, &sbsec->isec_head);
743 spin_unlock(&sbsec->isec_lock);
747 switch (sbsec->behavior) {
748 case SECURITY_FS_USE_XATTR:
749 if (!inode->i_op->getxattr) {
750 isec->sid = sbsec->def_sid;
754 /* Need a dentry, since the xattr API requires one.
755 Life would be simpler if we could just pass the inode. */
757 /* Called from d_instantiate or d_splice_alias. */
758 dentry = dget(opt_dentry);
760 /* Called from selinux_complete_init, try to find a dentry. */
761 dentry = d_find_alias(inode);
764 printk(KERN_WARNING "%s: no dentry for dev=%s "
765 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
770 len = INITCONTEXTLEN;
771 context = kmalloc(len, GFP_KERNEL);
777 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
780 /* Need a larger buffer. Query for the right size. */
781 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
789 context = kmalloc(len, GFP_KERNEL);
795 rc = inode->i_op->getxattr(dentry,
801 if (rc != -ENODATA) {
802 printk(KERN_WARNING "%s: getxattr returned "
803 "%d for dev=%s ino=%ld\n", __FUNCTION__,
804 -rc, inode->i_sb->s_id, inode->i_ino);
808 /* Map ENODATA to the default file SID */
809 sid = sbsec->def_sid;
812 rc = security_context_to_sid_default(context, rc, &sid,
815 printk(KERN_WARNING "%s: context_to_sid(%s) "
816 "returned %d for dev=%s ino=%ld\n",
817 __FUNCTION__, context, -rc,
818 inode->i_sb->s_id, inode->i_ino);
820 /* Leave with the unlabeled SID */
828 case SECURITY_FS_USE_TASK:
829 isec->sid = isec->task_sid;
831 case SECURITY_FS_USE_TRANS:
832 /* Default to the fs SID. */
833 isec->sid = sbsec->sid;
835 /* Try to obtain a transition SID. */
836 isec->sclass = inode_mode_to_security_class(inode->i_mode);
837 rc = security_transition_sid(isec->task_sid,
846 /* Default to the fs SID. */
847 isec->sid = sbsec->sid;
850 struct proc_inode *proci = PROC_I(inode);
852 isec->sclass = inode_mode_to_security_class(inode->i_mode);
853 rc = selinux_proc_get_sid(proci->pde,
864 isec->initialized = 1;
867 if (isec->sclass == SECCLASS_FILE)
868 isec->sclass = inode_mode_to_security_class(inode->i_mode);
875 /* Convert a Linux signal to an access vector. */
876 static inline u32 signal_to_av(int sig)
882 /* Commonly granted from child to parent. */
883 perm = PROCESS__SIGCHLD;
886 /* Cannot be caught or ignored */
887 perm = PROCESS__SIGKILL;
890 /* Cannot be caught or ignored */
891 perm = PROCESS__SIGSTOP;
894 /* All other signals. */
895 perm = PROCESS__SIGNAL;
902 /* Check permission betweeen a pair of tasks, e.g. signal checks,
903 fork check, ptrace check, etc. */
904 static int task_has_perm(struct task_struct *tsk1,
905 struct task_struct *tsk2,
908 struct task_security_struct *tsec1, *tsec2;
910 tsec1 = tsk1->security;
911 tsec2 = tsk2->security;
912 return avc_has_perm(tsec1->sid, tsec2->sid,
913 SECCLASS_PROCESS, perms, NULL);
916 /* Check whether a task is allowed to use a capability. */
917 static int task_has_capability(struct task_struct *tsk,
920 struct task_security_struct *tsec;
921 struct avc_audit_data ad;
923 tsec = tsk->security;
925 AVC_AUDIT_DATA_INIT(&ad,CAP);
929 return avc_has_perm(tsec->sid, tsec->sid,
930 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
933 /* Check whether a task is allowed to use a system operation. */
934 static int task_has_system(struct task_struct *tsk,
937 struct task_security_struct *tsec;
939 tsec = tsk->security;
941 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
942 SECCLASS_SYSTEM, perms, NULL);
945 /* Check whether a task has a particular permission to an inode.
946 The 'adp' parameter is optional and allows other audit
947 data to be passed (e.g. the dentry). */
948 static int inode_has_perm(struct task_struct *tsk,
951 struct avc_audit_data *adp)
953 struct task_security_struct *tsec;
954 struct inode_security_struct *isec;
955 struct avc_audit_data ad;
957 tsec = tsk->security;
958 isec = inode->i_security;
962 AVC_AUDIT_DATA_INIT(&ad, FS);
963 ad.u.fs.inode = inode;
966 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
969 /* Same as inode_has_perm, but pass explicit audit data containing
970 the dentry to help the auditing code to more easily generate the
971 pathname if needed. */
972 static inline int dentry_has_perm(struct task_struct *tsk,
973 struct vfsmount *mnt,
974 struct dentry *dentry,
977 struct inode *inode = dentry->d_inode;
978 struct avc_audit_data ad;
979 AVC_AUDIT_DATA_INIT(&ad,FS);
981 ad.u.fs.dentry = dentry;
982 return inode_has_perm(tsk, inode, av, &ad);
985 /* Check whether a task can use an open file descriptor to
986 access an inode in a given way. Check access to the
987 descriptor itself, and then use dentry_has_perm to
988 check a particular permission to the file.
989 Access to the descriptor is implicitly granted if it
990 has the same SID as the process. If av is zero, then
991 access to the file is not checked, e.g. for cases
992 where only the descriptor is affected like seek. */
993 static int file_has_perm(struct task_struct *tsk,
997 struct task_security_struct *tsec = tsk->security;
998 struct file_security_struct *fsec = file->f_security;
999 struct vfsmount *mnt = file->f_vfsmnt;
1000 struct dentry *dentry = file->f_dentry;
1001 struct inode *inode = dentry->d_inode;
1002 struct avc_audit_data ad;
1005 AVC_AUDIT_DATA_INIT(&ad, FS);
1007 ad.u.fs.dentry = dentry;
1009 if (tsec->sid != fsec->sid) {
1010 rc = avc_has_perm(tsec->sid, fsec->sid,
1018 /* av is zero if only checking access to the descriptor. */
1020 return inode_has_perm(tsk, inode, av, &ad);
1025 /* Check whether a task can create a file. */
1026 static int may_create(struct inode *dir,
1027 struct dentry *dentry,
1030 struct task_security_struct *tsec;
1031 struct inode_security_struct *dsec;
1032 struct superblock_security_struct *sbsec;
1034 struct avc_audit_data ad;
1037 tsec = current->security;
1038 dsec = dir->i_security;
1039 sbsec = dir->i_sb->s_security;
1041 AVC_AUDIT_DATA_INIT(&ad, FS);
1042 ad.u.fs.dentry = dentry;
1044 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1045 DIR__ADD_NAME | DIR__SEARCH,
1050 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1051 newsid = tsec->create_sid;
1053 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1059 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1063 return avc_has_perm(newsid, sbsec->sid,
1064 SECCLASS_FILESYSTEM,
1065 FILESYSTEM__ASSOCIATE, &ad);
1069 #define MAY_UNLINK 1
1072 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1073 static int may_link(struct inode *dir,
1074 struct dentry *dentry,
1078 struct task_security_struct *tsec;
1079 struct inode_security_struct *dsec, *isec;
1080 struct avc_audit_data ad;
1084 tsec = current->security;
1085 dsec = dir->i_security;
1086 isec = dentry->d_inode->i_security;
1088 AVC_AUDIT_DATA_INIT(&ad, FS);
1089 ad.u.fs.dentry = dentry;
1092 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1093 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1108 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1112 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1116 static inline int may_rename(struct inode *old_dir,
1117 struct dentry *old_dentry,
1118 struct inode *new_dir,
1119 struct dentry *new_dentry)
1121 struct task_security_struct *tsec;
1122 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1123 struct avc_audit_data ad;
1125 int old_is_dir, new_is_dir;
1128 tsec = current->security;
1129 old_dsec = old_dir->i_security;
1130 old_isec = old_dentry->d_inode->i_security;
1131 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1132 new_dsec = new_dir->i_security;
1134 AVC_AUDIT_DATA_INIT(&ad, FS);
1136 ad.u.fs.dentry = old_dentry;
1137 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1138 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1141 rc = avc_has_perm(tsec->sid, old_isec->sid,
1142 old_isec->sclass, FILE__RENAME, &ad);
1145 if (old_is_dir && new_dir != old_dir) {
1146 rc = avc_has_perm(tsec->sid, old_isec->sid,
1147 old_isec->sclass, DIR__REPARENT, &ad);
1152 ad.u.fs.dentry = new_dentry;
1153 av = DIR__ADD_NAME | DIR__SEARCH;
1154 if (new_dentry->d_inode)
1155 av |= DIR__REMOVE_NAME;
1156 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1159 if (new_dentry->d_inode) {
1160 new_isec = new_dentry->d_inode->i_security;
1161 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1162 rc = avc_has_perm(tsec->sid, new_isec->sid,
1164 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1172 /* Check whether a task can perform a filesystem operation. */
1173 static int superblock_has_perm(struct task_struct *tsk,
1174 struct super_block *sb,
1176 struct avc_audit_data *ad)
1178 struct task_security_struct *tsec;
1179 struct superblock_security_struct *sbsec;
1181 tsec = tsk->security;
1182 sbsec = sb->s_security;
1183 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1187 /* Convert a Linux mode and permission mask to an access vector. */
1188 static inline u32 file_mask_to_av(int mode, int mask)
1192 if ((mode & S_IFMT) != S_IFDIR) {
1193 if (mask & MAY_EXEC)
1194 av |= FILE__EXECUTE;
1195 if (mask & MAY_READ)
1198 if (mask & MAY_APPEND)
1200 else if (mask & MAY_WRITE)
1204 if (mask & MAY_EXEC)
1206 if (mask & MAY_WRITE)
1208 if (mask & MAY_READ)
1215 /* Convert a Linux file to an access vector. */
1216 static inline u32 file_to_av(struct file *file)
1220 if (file->f_mode & FMODE_READ)
1222 if (file->f_mode & FMODE_WRITE) {
1223 if (file->f_flags & O_APPEND)
1232 /* Set an inode's SID to a specified value. */
1233 static int inode_security_set_sid(struct inode *inode, u32 sid)
1235 struct inode_security_struct *isec = inode->i_security;
1236 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1238 if (!sbsec->initialized) {
1239 /* Defer initialization to selinux_complete_init. */
1244 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1246 isec->initialized = 1;
1251 /* Hook functions begin here. */
1253 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1255 struct task_security_struct *psec = parent->security;
1256 struct task_security_struct *csec = child->security;
1259 rc = secondary_ops->ptrace(parent,child);
1263 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1264 /* Save the SID of the tracing process for later use in apply_creds. */
1265 if (!(child->ptrace & PT_PTRACED) && !rc)
1266 csec->ptrace_sid = psec->sid;
1270 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1271 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1275 error = task_has_perm(current, target, PROCESS__GETCAP);
1279 return secondary_ops->capget(target, effective, inheritable, permitted);
1282 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1283 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1287 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1291 return task_has_perm(current, target, PROCESS__SETCAP);
1294 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1295 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1297 secondary_ops->capset_set(target, effective, inheritable, permitted);
1300 static int selinux_capable(struct task_struct *tsk, int cap)
1304 rc = secondary_ops->capable(tsk, cap);
1308 return task_has_capability(tsk,cap);
1311 static int selinux_sysctl(ctl_table *table, int op)
1315 struct task_security_struct *tsec;
1319 rc = secondary_ops->sysctl(table, op);
1323 tsec = current->security;
1325 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1326 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1328 /* Default to the well-defined sysctl SID. */
1329 tsid = SECINITSID_SYSCTL;
1332 /* The op values are "defined" in sysctl.c, thereby creating
1333 * a bad coupling between this module and sysctl.c */
1335 error = avc_has_perm(tsec->sid, tsid,
1336 SECCLASS_DIR, DIR__SEARCH, NULL);
1344 error = avc_has_perm(tsec->sid, tsid,
1345 SECCLASS_FILE, av, NULL);
1351 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1364 rc = superblock_has_perm(current,
1366 FILESYSTEM__QUOTAMOD, NULL);
1371 rc = superblock_has_perm(current,
1373 FILESYSTEM__QUOTAGET, NULL);
1376 rc = 0; /* let the kernel handle invalid cmds */
1382 static int selinux_quota_on(struct dentry *dentry)
1384 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1387 static int selinux_syslog(int type)
1391 rc = secondary_ops->syslog(type);
1396 case 3: /* Read last kernel messages */
1397 case 10: /* Return size of the log buffer */
1398 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1400 case 6: /* Disable logging to console */
1401 case 7: /* Enable logging to console */
1402 case 8: /* Set level of messages printed to console */
1403 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1405 case 0: /* Close log */
1406 case 1: /* Open log */
1407 case 2: /* Read from log */
1408 case 4: /* Read/clear last kernel messages */
1409 case 5: /* Clear ring buffer */
1411 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1418 * Check that a process has enough memory to allocate a new virtual
1419 * mapping. 0 means there is enough memory for the allocation to
1420 * succeed and -ENOMEM implies there is not.
1422 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1423 * if the capability is granted, but __vm_enough_memory requires 1 if
1424 * the capability is granted.
1426 * Do not audit the selinux permission check, as this is applied to all
1427 * processes that allocate mappings.
1429 static int selinux_vm_enough_memory(long pages)
1431 int rc, cap_sys_admin = 0;
1432 struct task_security_struct *tsec = current->security;
1434 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1436 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1437 SECCLASS_CAPABILITY,
1438 CAP_TO_MASK(CAP_SYS_ADMIN),
1444 return __vm_enough_memory(pages, cap_sys_admin);
1447 /* binprm security operations */
1449 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1451 struct bprm_security_struct *bsec;
1453 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1458 bsec->sid = SECINITSID_UNLABELED;
1461 bprm->security = bsec;
1465 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1467 struct task_security_struct *tsec;
1468 struct inode *inode = bprm->file->f_dentry->d_inode;
1469 struct inode_security_struct *isec;
1470 struct bprm_security_struct *bsec;
1472 struct avc_audit_data ad;
1475 rc = secondary_ops->bprm_set_security(bprm);
1479 bsec = bprm->security;
1484 tsec = current->security;
1485 isec = inode->i_security;
1487 /* Default to the current task SID. */
1488 bsec->sid = tsec->sid;
1490 /* Reset create SID on execve. */
1491 tsec->create_sid = 0;
1493 if (tsec->exec_sid) {
1494 newsid = tsec->exec_sid;
1495 /* Reset exec SID on execve. */
1498 /* Check for a default transition on this program. */
1499 rc = security_transition_sid(tsec->sid, isec->sid,
1500 SECCLASS_PROCESS, &newsid);
1505 AVC_AUDIT_DATA_INIT(&ad, FS);
1506 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1507 ad.u.fs.dentry = bprm->file->f_dentry;
1509 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1512 if (tsec->sid == newsid) {
1513 rc = avc_has_perm(tsec->sid, isec->sid,
1514 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1518 /* Check permissions for the transition. */
1519 rc = avc_has_perm(tsec->sid, newsid,
1520 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1524 rc = avc_has_perm(newsid, isec->sid,
1525 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1529 /* Clear any possibly unsafe personality bits on exec: */
1530 current->personality &= ~PER_CLEAR_ON_SETID;
1532 /* Set the security field to the new SID. */
1540 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1542 return secondary_ops->bprm_check_security(bprm);
1546 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1548 struct task_security_struct *tsec = current->security;
1551 if (tsec->osid != tsec->sid) {
1552 /* Enable secure mode for SIDs transitions unless
1553 the noatsecure permission is granted between
1554 the two SIDs, i.e. ahp returns 0. */
1555 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1557 PROCESS__NOATSECURE, NULL);
1560 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1563 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1565 kfree(bprm->security);
1566 bprm->security = NULL;
1569 extern struct vfsmount *selinuxfs_mount;
1570 extern struct dentry *selinux_null;
1572 /* Derived from fs/exec.c:flush_old_files. */
1573 static inline void flush_unauthorized_files(struct files_struct * files)
1575 struct avc_audit_data ad;
1576 struct file *file, *devnull = NULL;
1577 struct tty_struct *tty = current->signal->tty;
1578 struct fdtable *fdt;
1583 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1585 /* Revalidate access to controlling tty.
1586 Use inode_has_perm on the tty inode directly rather
1587 than using file_has_perm, as this particular open
1588 file may belong to another process and we are only
1589 interested in the inode-based check here. */
1590 struct inode *inode = file->f_dentry->d_inode;
1591 if (inode_has_perm(current, inode,
1592 FILE__READ | FILE__WRITE, NULL)) {
1593 /* Reset controlling tty. */
1594 current->signal->tty = NULL;
1595 current->signal->tty_old_pgrp = 0;
1601 /* Revalidate access to inherited open files. */
1603 AVC_AUDIT_DATA_INIT(&ad,FS);
1605 spin_lock(&files->file_lock);
1607 unsigned long set, i;
1612 fdt = files_fdtable(files);
1613 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1615 set = fdt->open_fds->fds_bits[j];
1618 spin_unlock(&files->file_lock);
1619 for ( ; set ; i++,set >>= 1) {
1624 if (file_has_perm(current,
1626 file_to_av(file))) {
1628 fd = get_unused_fd();
1638 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1645 fd_install(fd, devnull);
1650 spin_lock(&files->file_lock);
1653 spin_unlock(&files->file_lock);
1656 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1658 struct task_security_struct *tsec;
1659 struct bprm_security_struct *bsec;
1663 secondary_ops->bprm_apply_creds(bprm, unsafe);
1665 tsec = current->security;
1667 bsec = bprm->security;
1670 tsec->osid = tsec->sid;
1672 if (tsec->sid != sid) {
1673 /* Check for shared state. If not ok, leave SID
1674 unchanged and kill. */
1675 if (unsafe & LSM_UNSAFE_SHARE) {
1676 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1677 PROCESS__SHARE, NULL);
1684 /* Check for ptracing, and update the task SID if ok.
1685 Otherwise, leave SID unchanged and kill. */
1686 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1687 rc = avc_has_perm(tsec->ptrace_sid, sid,
1688 SECCLASS_PROCESS, PROCESS__PTRACE,
1700 * called after apply_creds without the task lock held
1702 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1704 struct task_security_struct *tsec;
1705 struct rlimit *rlim, *initrlim;
1706 struct itimerval itimer;
1707 struct bprm_security_struct *bsec;
1710 tsec = current->security;
1711 bsec = bprm->security;
1714 force_sig_specific(SIGKILL, current);
1717 if (tsec->osid == tsec->sid)
1720 /* Close files for which the new task SID is not authorized. */
1721 flush_unauthorized_files(current->files);
1723 /* Check whether the new SID can inherit signal state
1724 from the old SID. If not, clear itimers to avoid
1725 subsequent signal generation and flush and unblock
1726 signals. This must occur _after_ the task SID has
1727 been updated so that any kill done after the flush
1728 will be checked against the new SID. */
1729 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1730 PROCESS__SIGINH, NULL);
1732 memset(&itimer, 0, sizeof itimer);
1733 for (i = 0; i < 3; i++)
1734 do_setitimer(i, &itimer, NULL);
1735 flush_signals(current);
1736 spin_lock_irq(¤t->sighand->siglock);
1737 flush_signal_handlers(current, 1);
1738 sigemptyset(¤t->blocked);
1739 recalc_sigpending();
1740 spin_unlock_irq(¤t->sighand->siglock);
1743 /* Check whether the new SID can inherit resource limits
1744 from the old SID. If not, reset all soft limits to
1745 the lower of the current task's hard limit and the init
1746 task's soft limit. Note that the setting of hard limits
1747 (even to lower them) can be controlled by the setrlimit
1748 check. The inclusion of the init task's soft limit into
1749 the computation is to avoid resetting soft limits higher
1750 than the default soft limit for cases where the default
1751 is lower than the hard limit, e.g. RLIMIT_CORE or
1753 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1754 PROCESS__RLIMITINH, NULL);
1756 for (i = 0; i < RLIM_NLIMITS; i++) {
1757 rlim = current->signal->rlim + i;
1758 initrlim = init_task.signal->rlim+i;
1759 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1761 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1763 * This will cause RLIMIT_CPU calculations
1766 current->it_prof_expires = jiffies_to_cputime(1);
1770 /* Wake up the parent if it is waiting so that it can
1771 recheck wait permission to the new task SID. */
1772 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
1775 /* superblock security operations */
1777 static int selinux_sb_alloc_security(struct super_block *sb)
1779 return superblock_alloc_security(sb);
1782 static void selinux_sb_free_security(struct super_block *sb)
1784 superblock_free_security(sb);
1787 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1792 return !memcmp(prefix, option, plen);
1795 static inline int selinux_option(char *option, int len)
1797 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1798 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1799 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1802 static inline void take_option(char **to, char *from, int *first, int len)
1810 memcpy(*to, from, len);
1814 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1816 int fnosec, fsec, rc = 0;
1817 char *in_save, *in_curr, *in_end;
1818 char *sec_curr, *nosec_save, *nosec;
1823 /* Binary mount data: just copy */
1824 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1825 copy_page(sec_curr, in_curr);
1829 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1837 in_save = in_end = orig;
1840 if (*in_end == ',' || *in_end == '\0') {
1841 int len = in_end - in_curr;
1843 if (selinux_option(in_curr, len))
1844 take_option(&sec_curr, in_curr, &fsec, len);
1846 take_option(&nosec, in_curr, &fnosec, len);
1848 in_curr = in_end + 1;
1850 } while (*in_end++);
1852 strcpy(in_save, nosec_save);
1853 free_page((unsigned long)nosec_save);
1858 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1860 struct avc_audit_data ad;
1863 rc = superblock_doinit(sb, data);
1867 AVC_AUDIT_DATA_INIT(&ad,FS);
1868 ad.u.fs.dentry = sb->s_root;
1869 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1872 static int selinux_sb_statfs(struct super_block *sb)
1874 struct avc_audit_data ad;
1876 AVC_AUDIT_DATA_INIT(&ad,FS);
1877 ad.u.fs.dentry = sb->s_root;
1878 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1881 static int selinux_mount(char * dev_name,
1882 struct nameidata *nd,
1884 unsigned long flags,
1889 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1893 if (flags & MS_REMOUNT)
1894 return superblock_has_perm(current, nd->mnt->mnt_sb,
1895 FILESYSTEM__REMOUNT, NULL);
1897 return dentry_has_perm(current, nd->mnt, nd->dentry,
1901 static int selinux_umount(struct vfsmount *mnt, int flags)
1905 rc = secondary_ops->sb_umount(mnt, flags);
1909 return superblock_has_perm(current,mnt->mnt_sb,
1910 FILESYSTEM__UNMOUNT,NULL);
1913 /* inode security operations */
1915 static int selinux_inode_alloc_security(struct inode *inode)
1917 return inode_alloc_security(inode);
1920 static void selinux_inode_free_security(struct inode *inode)
1922 inode_free_security(inode);
1925 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1926 char **name, void **value,
1929 struct task_security_struct *tsec;
1930 struct inode_security_struct *dsec;
1931 struct superblock_security_struct *sbsec;
1932 struct inode_security_struct *isec;
1935 char *namep = NULL, *context;
1937 tsec = current->security;
1938 dsec = dir->i_security;
1939 sbsec = dir->i_sb->s_security;
1940 isec = inode->i_security;
1942 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1943 newsid = tsec->create_sid;
1945 rc = security_transition_sid(tsec->sid, dsec->sid,
1946 inode_mode_to_security_class(inode->i_mode),
1949 printk(KERN_WARNING "%s: "
1950 "security_transition_sid failed, rc=%d (dev=%s "
1953 -rc, inode->i_sb->s_id, inode->i_ino);
1958 inode_security_set_sid(inode, newsid);
1960 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
1964 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1971 rc = security_sid_to_context(newsid, &context, &clen);
1983 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
1985 return may_create(dir, dentry, SECCLASS_FILE);
1988 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
1992 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
1995 return may_link(dir, old_dentry, MAY_LINK);
1998 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2002 rc = secondary_ops->inode_unlink(dir, dentry);
2005 return may_link(dir, dentry, MAY_UNLINK);
2008 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2010 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2013 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2015 return may_create(dir, dentry, SECCLASS_DIR);
2018 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2020 return may_link(dir, dentry, MAY_RMDIR);
2023 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2027 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2031 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2034 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2035 struct inode *new_inode, struct dentry *new_dentry)
2037 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2040 static int selinux_inode_readlink(struct dentry *dentry)
2042 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2045 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2049 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2052 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2055 static int selinux_inode_permission(struct inode *inode, int mask,
2056 struct nameidata *nd)
2060 rc = secondary_ops->inode_permission(inode, mask, nd);
2065 /* No permission to check. Existence test. */
2069 return inode_has_perm(current, inode,
2070 file_mask_to_av(inode->i_mode, mask), NULL);
2073 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2077 rc = secondary_ops->inode_setattr(dentry, iattr);
2081 if (iattr->ia_valid & ATTR_FORCE)
2084 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2085 ATTR_ATIME_SET | ATTR_MTIME_SET))
2086 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2088 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2091 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2093 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2096 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2098 struct task_security_struct *tsec = current->security;
2099 struct inode *inode = dentry->d_inode;
2100 struct inode_security_struct *isec = inode->i_security;
2101 struct superblock_security_struct *sbsec;
2102 struct avc_audit_data ad;
2106 if (strcmp(name, XATTR_NAME_SELINUX)) {
2107 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2108 sizeof XATTR_SECURITY_PREFIX - 1) &&
2109 !capable(CAP_SYS_ADMIN)) {
2110 /* A different attribute in the security namespace.
2111 Restrict to administrator. */
2115 /* Not an attribute we recognize, so just check the
2116 ordinary setattr permission. */
2117 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2120 sbsec = inode->i_sb->s_security;
2121 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2124 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2127 AVC_AUDIT_DATA_INIT(&ad,FS);
2128 ad.u.fs.dentry = dentry;
2130 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2131 FILE__RELABELFROM, &ad);
2135 rc = security_context_to_sid(value, size, &newsid);
2139 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2140 FILE__RELABELTO, &ad);
2144 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2149 return avc_has_perm(newsid,
2151 SECCLASS_FILESYSTEM,
2152 FILESYSTEM__ASSOCIATE,
2156 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2157 void *value, size_t size, int flags)
2159 struct inode *inode = dentry->d_inode;
2160 struct inode_security_struct *isec = inode->i_security;
2164 if (strcmp(name, XATTR_NAME_SELINUX)) {
2165 /* Not an attribute we recognize, so nothing to do. */
2169 rc = security_context_to_sid(value, size, &newsid);
2171 printk(KERN_WARNING "%s: unable to obtain SID for context "
2172 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2180 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2182 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2185 static int selinux_inode_listxattr (struct dentry *dentry)
2187 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2190 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2192 if (strcmp(name, XATTR_NAME_SELINUX)) {
2193 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2194 sizeof XATTR_SECURITY_PREFIX - 1) &&
2195 !capable(CAP_SYS_ADMIN)) {
2196 /* A different attribute in the security namespace.
2197 Restrict to administrator. */
2201 /* Not an attribute we recognize, so just check the
2202 ordinary setattr permission. Might want a separate
2203 permission for removexattr. */
2204 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2207 /* No one is allowed to remove a SELinux security label.
2208 You can change the label, but all data must be labeled. */
2213 * Copy the in-core inode security context value to the user. If the
2214 * getxattr() prior to this succeeded, check to see if we need to
2215 * canonicalize the value to be finally returned to the user.
2217 * Permission check is handled by selinux_inode_getxattr hook.
2219 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
2221 struct inode_security_struct *isec = inode->i_security;
2226 if (strcmp(name, XATTR_SELINUX_SUFFIX)) {
2231 rc = security_sid_to_context(isec->sid, &context, &len);
2235 /* Probe for required buffer size */
2236 if (!buffer || !size) {
2247 if ((len == err) && !(memcmp(context, buffer, len))) {
2248 /* Don't need to canonicalize value */
2252 memset(buffer, 0, size);
2254 memcpy(buffer, context, len);
2262 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2263 const void *value, size_t size, int flags)
2265 struct inode_security_struct *isec = inode->i_security;
2269 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2272 if (!value || !size)
2275 rc = security_context_to_sid((void*)value, size, &newsid);
2283 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2285 const int len = sizeof(XATTR_NAME_SELINUX);
2286 if (buffer && len <= buffer_size)
2287 memcpy(buffer, XATTR_NAME_SELINUX, len);
2291 /* file security operations */
2293 static int selinux_file_permission(struct file *file, int mask)
2295 struct inode *inode = file->f_dentry->d_inode;
2298 /* No permission to check. Existence test. */
2302 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2303 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2306 return file_has_perm(current, file,
2307 file_mask_to_av(inode->i_mode, mask));
2310 static int selinux_file_alloc_security(struct file *file)
2312 return file_alloc_security(file);
2315 static void selinux_file_free_security(struct file *file)
2317 file_free_security(file);
2320 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2332 case EXT2_IOC_GETFLAGS:
2334 case EXT2_IOC_GETVERSION:
2335 error = file_has_perm(current, file, FILE__GETATTR);
2338 case EXT2_IOC_SETFLAGS:
2340 case EXT2_IOC_SETVERSION:
2341 error = file_has_perm(current, file, FILE__SETATTR);
2344 /* sys_ioctl() checks */
2348 error = file_has_perm(current, file, 0);
2353 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2356 /* default case assumes that the command will go
2357 * to the file's ioctl() function.
2360 error = file_has_perm(current, file, FILE__IOCTL);
2366 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2368 #ifndef CONFIG_PPC32
2369 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2371 * We are making executable an anonymous mapping or a
2372 * private file mapping that will also be writable.
2373 * This has an additional check.
2375 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2382 /* read access is always possible with a mapping */
2383 u32 av = FILE__READ;
2385 /* write access only matters if the mapping is shared */
2386 if (shared && (prot & PROT_WRITE))
2389 if (prot & PROT_EXEC)
2390 av |= FILE__EXECUTE;
2392 return file_has_perm(current, file, av);
2397 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2398 unsigned long prot, unsigned long flags)
2402 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2406 if (selinux_checkreqprot)
2409 return file_map_prot_check(file, prot,
2410 (flags & MAP_TYPE) == MAP_SHARED);
2413 static int selinux_file_mprotect(struct vm_area_struct *vma,
2414 unsigned long reqprot,
2419 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2423 if (selinux_checkreqprot)
2426 #ifndef CONFIG_PPC32
2427 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2429 if (vma->vm_start >= vma->vm_mm->start_brk &&
2430 vma->vm_end <= vma->vm_mm->brk) {
2431 rc = task_has_perm(current, current,
2433 } else if (!vma->vm_file &&
2434 vma->vm_start <= vma->vm_mm->start_stack &&
2435 vma->vm_end >= vma->vm_mm->start_stack) {
2436 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2437 } else if (vma->vm_file && vma->anon_vma) {
2439 * We are making executable a file mapping that has
2440 * had some COW done. Since pages might have been
2441 * written, check ability to execute the possibly
2442 * modified content. This typically should only
2443 * occur for text relocations.
2445 rc = file_has_perm(current, vma->vm_file,
2453 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2456 static int selinux_file_lock(struct file *file, unsigned int cmd)
2458 return file_has_perm(current, file, FILE__LOCK);
2461 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2468 if (!file->f_dentry || !file->f_dentry->d_inode) {
2473 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2474 err = file_has_perm(current, file,FILE__WRITE);
2483 /* Just check FD__USE permission */
2484 err = file_has_perm(current, file, 0);
2489 #if BITS_PER_LONG == 32
2494 if (!file->f_dentry || !file->f_dentry->d_inode) {
2498 err = file_has_perm(current, file, FILE__LOCK);
2505 static int selinux_file_set_fowner(struct file *file)
2507 struct task_security_struct *tsec;
2508 struct file_security_struct *fsec;
2510 tsec = current->security;
2511 fsec = file->f_security;
2512 fsec->fown_sid = tsec->sid;
2517 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2518 struct fown_struct *fown, int signum)
2522 struct task_security_struct *tsec;
2523 struct file_security_struct *fsec;
2525 /* struct fown_struct is never outside the context of a struct file */
2526 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2528 tsec = tsk->security;
2529 fsec = file->f_security;
2532 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2534 perm = signal_to_av(signum);
2536 return avc_has_perm(fsec->fown_sid, tsec->sid,
2537 SECCLASS_PROCESS, perm, NULL);
2540 static int selinux_file_receive(struct file *file)
2542 return file_has_perm(current, file, file_to_av(file));
2545 /* task security operations */
2547 static int selinux_task_create(unsigned long clone_flags)
2551 rc = secondary_ops->task_create(clone_flags);
2555 return task_has_perm(current, current, PROCESS__FORK);
2558 static int selinux_task_alloc_security(struct task_struct *tsk)
2560 struct task_security_struct *tsec1, *tsec2;
2563 tsec1 = current->security;
2565 rc = task_alloc_security(tsk);
2568 tsec2 = tsk->security;
2570 tsec2->osid = tsec1->osid;
2571 tsec2->sid = tsec1->sid;
2573 /* Retain the exec and create SIDs across fork */
2574 tsec2->exec_sid = tsec1->exec_sid;
2575 tsec2->create_sid = tsec1->create_sid;
2577 /* Retain ptracer SID across fork, if any.
2578 This will be reset by the ptrace hook upon any
2579 subsequent ptrace_attach operations. */
2580 tsec2->ptrace_sid = tsec1->ptrace_sid;
2585 static void selinux_task_free_security(struct task_struct *tsk)
2587 task_free_security(tsk);
2590 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2592 /* Since setuid only affects the current process, and
2593 since the SELinux controls are not based on the Linux
2594 identity attributes, SELinux does not need to control
2595 this operation. However, SELinux does control the use
2596 of the CAP_SETUID and CAP_SETGID capabilities using the
2601 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2603 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2606 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2608 /* See the comment for setuid above. */
2612 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2614 return task_has_perm(current, p, PROCESS__SETPGID);
2617 static int selinux_task_getpgid(struct task_struct *p)
2619 return task_has_perm(current, p, PROCESS__GETPGID);
2622 static int selinux_task_getsid(struct task_struct *p)
2624 return task_has_perm(current, p, PROCESS__GETSESSION);
2627 static int selinux_task_setgroups(struct group_info *group_info)
2629 /* See the comment for setuid above. */
2633 static int selinux_task_setnice(struct task_struct *p, int nice)
2637 rc = secondary_ops->task_setnice(p, nice);
2641 return task_has_perm(current,p, PROCESS__SETSCHED);
2644 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2646 struct rlimit *old_rlim = current->signal->rlim + resource;
2649 rc = secondary_ops->task_setrlimit(resource, new_rlim);
2653 /* Control the ability to change the hard limit (whether
2654 lowering or raising it), so that the hard limit can
2655 later be used as a safe reset point for the soft limit
2656 upon context transitions. See selinux_bprm_apply_creds. */
2657 if (old_rlim->rlim_max != new_rlim->rlim_max)
2658 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2663 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2665 return task_has_perm(current, p, PROCESS__SETSCHED);
2668 static int selinux_task_getscheduler(struct task_struct *p)
2670 return task_has_perm(current, p, PROCESS__GETSCHED);
2673 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2678 rc = secondary_ops->task_kill(p, info, sig);
2682 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2686 perm = PROCESS__SIGNULL; /* null signal; existence test */
2688 perm = signal_to_av(sig);
2690 return task_has_perm(current, p, perm);
2693 static int selinux_task_prctl(int option,
2699 /* The current prctl operations do not appear to require
2700 any SELinux controls since they merely observe or modify
2701 the state of the current process. */
2705 static int selinux_task_wait(struct task_struct *p)
2709 perm = signal_to_av(p->exit_signal);
2711 return task_has_perm(p, current, perm);
2714 static void selinux_task_reparent_to_init(struct task_struct *p)
2716 struct task_security_struct *tsec;
2718 secondary_ops->task_reparent_to_init(p);
2721 tsec->osid = tsec->sid;
2722 tsec->sid = SECINITSID_KERNEL;
2726 static void selinux_task_to_inode(struct task_struct *p,
2727 struct inode *inode)
2729 struct task_security_struct *tsec = p->security;
2730 struct inode_security_struct *isec = inode->i_security;
2732 isec->sid = tsec->sid;
2733 isec->initialized = 1;
2737 /* Returns error only if unable to parse addresses */
2738 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2740 int offset, ihlen, ret = -EINVAL;
2741 struct iphdr _iph, *ih;
2743 offset = skb->nh.raw - skb->data;
2744 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2748 ihlen = ih->ihl * 4;
2749 if (ihlen < sizeof(_iph))
2752 ad->u.net.v4info.saddr = ih->saddr;
2753 ad->u.net.v4info.daddr = ih->daddr;
2756 switch (ih->protocol) {
2758 struct tcphdr _tcph, *th;
2760 if (ntohs(ih->frag_off) & IP_OFFSET)
2764 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2768 ad->u.net.sport = th->source;
2769 ad->u.net.dport = th->dest;
2774 struct udphdr _udph, *uh;
2776 if (ntohs(ih->frag_off) & IP_OFFSET)
2780 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2784 ad->u.net.sport = uh->source;
2785 ad->u.net.dport = uh->dest;
2796 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2798 /* Returns error only if unable to parse addresses */
2799 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2802 int ret = -EINVAL, offset;
2803 struct ipv6hdr _ipv6h, *ip6;
2805 offset = skb->nh.raw - skb->data;
2806 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2810 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2811 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2814 nexthdr = ip6->nexthdr;
2815 offset += sizeof(_ipv6h);
2816 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2822 struct tcphdr _tcph, *th;
2824 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2828 ad->u.net.sport = th->source;
2829 ad->u.net.dport = th->dest;
2834 struct udphdr _udph, *uh;
2836 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2840 ad->u.net.sport = uh->source;
2841 ad->u.net.dport = uh->dest;
2845 /* includes fragments */
2855 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2856 char **addrp, int *len, int src)
2860 switch (ad->u.net.family) {
2862 ret = selinux_parse_skb_ipv4(skb, ad);
2866 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2867 &ad->u.net.v4info.daddr);
2870 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2872 ret = selinux_parse_skb_ipv6(skb, ad);
2876 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2877 &ad->u.net.v6info.daddr);
2887 /* socket security operations */
2888 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2891 struct inode_security_struct *isec;
2892 struct task_security_struct *tsec;
2893 struct avc_audit_data ad;
2896 tsec = task->security;
2897 isec = SOCK_INODE(sock)->i_security;
2899 if (isec->sid == SECINITSID_KERNEL)
2902 AVC_AUDIT_DATA_INIT(&ad,NET);
2903 ad.u.net.sk = sock->sk;
2904 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2910 static int selinux_socket_create(int family, int type,
2911 int protocol, int kern)
2914 struct task_security_struct *tsec;
2919 tsec = current->security;
2920 err = avc_has_perm(tsec->sid, tsec->sid,
2921 socket_type_to_security_class(family, type,
2922 protocol), SOCKET__CREATE, NULL);
2928 static void selinux_socket_post_create(struct socket *sock, int family,
2929 int type, int protocol, int kern)
2931 struct inode_security_struct *isec;
2932 struct task_security_struct *tsec;
2934 isec = SOCK_INODE(sock)->i_security;
2936 tsec = current->security;
2937 isec->sclass = socket_type_to_security_class(family, type, protocol);
2938 isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2939 isec->initialized = 1;
2944 /* Range of port numbers used to automatically bind.
2945 Need to determine whether we should perform a name_bind
2946 permission check between the socket and the port number. */
2947 #define ip_local_port_range_0 sysctl_local_port_range[0]
2948 #define ip_local_port_range_1 sysctl_local_port_range[1]
2950 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2955 err = socket_has_perm(current, sock, SOCKET__BIND);
2960 * If PF_INET or PF_INET6, check name_bind permission for the port.
2961 * Multiple address binding for SCTP is not supported yet: we just
2962 * check the first address now.
2964 family = sock->sk->sk_family;
2965 if (family == PF_INET || family == PF_INET6) {
2967 struct inode_security_struct *isec;
2968 struct task_security_struct *tsec;
2969 struct avc_audit_data ad;
2970 struct sockaddr_in *addr4 = NULL;
2971 struct sockaddr_in6 *addr6 = NULL;
2972 unsigned short snum;
2973 struct sock *sk = sock->sk;
2974 u32 sid, node_perm, addrlen;
2976 tsec = current->security;
2977 isec = SOCK_INODE(sock)->i_security;
2979 if (family == PF_INET) {
2980 addr4 = (struct sockaddr_in *)address;
2981 snum = ntohs(addr4->sin_port);
2982 addrlen = sizeof(addr4->sin_addr.s_addr);
2983 addrp = (char *)&addr4->sin_addr.s_addr;
2985 addr6 = (struct sockaddr_in6 *)address;
2986 snum = ntohs(addr6->sin6_port);
2987 addrlen = sizeof(addr6->sin6_addr.s6_addr);
2988 addrp = (char *)&addr6->sin6_addr.s6_addr;
2991 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
2992 snum > ip_local_port_range_1)) {
2993 err = security_port_sid(sk->sk_family, sk->sk_type,
2994 sk->sk_protocol, snum, &sid);
2997 AVC_AUDIT_DATA_INIT(&ad,NET);
2998 ad.u.net.sport = htons(snum);
2999 ad.u.net.family = family;
3000 err = avc_has_perm(isec->sid, sid,
3002 SOCKET__NAME_BIND, &ad);
3007 switch(isec->sclass) {
3008 case SECCLASS_TCP_SOCKET:
3009 node_perm = TCP_SOCKET__NODE_BIND;
3012 case SECCLASS_UDP_SOCKET:
3013 node_perm = UDP_SOCKET__NODE_BIND;
3017 node_perm = RAWIP_SOCKET__NODE_BIND;
3021 err = security_node_sid(family, addrp, addrlen, &sid);
3025 AVC_AUDIT_DATA_INIT(&ad,NET);
3026 ad.u.net.sport = htons(snum);
3027 ad.u.net.family = family;
3029 if (family == PF_INET)
3030 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3032 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3034 err = avc_has_perm(isec->sid, sid,
3035 isec->sclass, node_perm, &ad);
3043 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3045 struct inode_security_struct *isec;
3048 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3053 * If a TCP socket, check name_connect permission for the port.
3055 isec = SOCK_INODE(sock)->i_security;
3056 if (isec->sclass == SECCLASS_TCP_SOCKET) {
3057 struct sock *sk = sock->sk;
3058 struct avc_audit_data ad;
3059 struct sockaddr_in *addr4 = NULL;
3060 struct sockaddr_in6 *addr6 = NULL;
3061 unsigned short snum;
3064 if (sk->sk_family == PF_INET) {
3065 addr4 = (struct sockaddr_in *)address;
3066 if (addrlen < sizeof(struct sockaddr_in))
3068 snum = ntohs(addr4->sin_port);
3070 addr6 = (struct sockaddr_in6 *)address;
3071 if (addrlen < SIN6_LEN_RFC2133)
3073 snum = ntohs(addr6->sin6_port);
3076 err = security_port_sid(sk->sk_family, sk->sk_type,
3077 sk->sk_protocol, snum, &sid);
3081 AVC_AUDIT_DATA_INIT(&ad,NET);
3082 ad.u.net.dport = htons(snum);
3083 ad.u.net.family = sk->sk_family;
3084 err = avc_has_perm(isec->sid, sid, isec->sclass,
3085 TCP_SOCKET__NAME_CONNECT, &ad);
3094 static int selinux_socket_listen(struct socket *sock, int backlog)
3096 return socket_has_perm(current, sock, SOCKET__LISTEN);
3099 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3102 struct inode_security_struct *isec;
3103 struct inode_security_struct *newisec;
3105 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3109 newisec = SOCK_INODE(newsock)->i_security;
3111 isec = SOCK_INODE(sock)->i_security;
3112 newisec->sclass = isec->sclass;
3113 newisec->sid = isec->sid;
3114 newisec->initialized = 1;
3119 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3122 return socket_has_perm(current, sock, SOCKET__WRITE);
3125 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3126 int size, int flags)
3128 return socket_has_perm(current, sock, SOCKET__READ);
3131 static int selinux_socket_getsockname(struct socket *sock)
3133 return socket_has_perm(current, sock, SOCKET__GETATTR);
3136 static int selinux_socket_getpeername(struct socket *sock)
3138 return socket_has_perm(current, sock, SOCKET__GETATTR);
3141 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3143 return socket_has_perm(current, sock, SOCKET__SETOPT);
3146 static int selinux_socket_getsockopt(struct socket *sock, int level,
3149 return socket_has_perm(current, sock, SOCKET__GETOPT);
3152 static int selinux_socket_shutdown(struct socket *sock, int how)
3154 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3157 static int selinux_socket_unix_stream_connect(struct socket *sock,
3158 struct socket *other,
3161 struct sk_security_struct *ssec;
3162 struct inode_security_struct *isec;
3163 struct inode_security_struct *other_isec;
3164 struct avc_audit_data ad;
3167 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3171 isec = SOCK_INODE(sock)->i_security;
3172 other_isec = SOCK_INODE(other)->i_security;
3174 AVC_AUDIT_DATA_INIT(&ad,NET);
3175 ad.u.net.sk = other->sk;
3177 err = avc_has_perm(isec->sid, other_isec->sid,
3179 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3183 /* connecting socket */
3184 ssec = sock->sk->sk_security;
3185 ssec->peer_sid = other_isec->sid;
3187 /* server child socket */
3188 ssec = newsk->sk_security;
3189 ssec->peer_sid = isec->sid;
3194 static int selinux_socket_unix_may_send(struct socket *sock,
3195 struct socket *other)
3197 struct inode_security_struct *isec;
3198 struct inode_security_struct *other_isec;
3199 struct avc_audit_data ad;
3202 isec = SOCK_INODE(sock)->i_security;
3203 other_isec = SOCK_INODE(other)->i_security;
3205 AVC_AUDIT_DATA_INIT(&ad,NET);
3206 ad.u.net.sk = other->sk;
3208 err = avc_has_perm(isec->sid, other_isec->sid,
3209 isec->sclass, SOCKET__SENDTO, &ad);
3216 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3221 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3224 struct socket *sock;
3225 struct net_device *dev;
3226 struct avc_audit_data ad;
3228 family = sk->sk_family;
3229 if (family != PF_INET && family != PF_INET6)
3232 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3233 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3236 read_lock_bh(&sk->sk_callback_lock);
3237 sock = sk->sk_socket;
3239 struct inode *inode;
3240 inode = SOCK_INODE(sock);
3242 struct inode_security_struct *isec;
3243 isec = inode->i_security;
3244 sock_sid = isec->sid;
3245 sock_class = isec->sclass;
3248 read_unlock_bh(&sk->sk_callback_lock);
3256 err = sel_netif_sids(dev, &if_sid, NULL);
3260 switch (sock_class) {
3261 case SECCLASS_UDP_SOCKET:
3262 netif_perm = NETIF__UDP_RECV;
3263 node_perm = NODE__UDP_RECV;
3264 recv_perm = UDP_SOCKET__RECV_MSG;
3267 case SECCLASS_TCP_SOCKET:
3268 netif_perm = NETIF__TCP_RECV;
3269 node_perm = NODE__TCP_RECV;
3270 recv_perm = TCP_SOCKET__RECV_MSG;
3274 netif_perm = NETIF__RAWIP_RECV;
3275 node_perm = NODE__RAWIP_RECV;
3279 AVC_AUDIT_DATA_INIT(&ad, NET);
3280 ad.u.net.netif = dev->name;
3281 ad.u.net.family = family;
3283 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3287 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3291 /* Fixme: this lookup is inefficient */
3292 err = security_node_sid(family, addrp, len, &node_sid);
3296 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3303 /* Fixme: make this more efficient */
3304 err = security_port_sid(sk->sk_family, sk->sk_type,
3305 sk->sk_protocol, ntohs(ad.u.net.sport),
3310 err = avc_has_perm(sock_sid, port_sid,
3311 sock_class, recv_perm, &ad);
3315 err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3321 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3322 int __user *optlen, unsigned len)
3327 struct sk_security_struct *ssec;
3328 struct inode_security_struct *isec;
3331 isec = SOCK_INODE(sock)->i_security;
3333 /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3334 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3335 ssec = sock->sk->sk_security;
3336 peer_sid = ssec->peer_sid;
3338 else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3339 peer_sid = selinux_socket_getpeer_stream(sock->sk);
3341 if (peer_sid == SECSID_NULL) {
3351 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3356 if (scontext_len > len) {
3361 if (copy_to_user(optval, scontext, scontext_len))
3365 if (put_user(scontext_len, optlen))
3373 static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen)
3376 u32 peer_sid = selinux_socket_getpeer_dgram(skb);
3378 if (peer_sid == SECSID_NULL)
3381 err = security_sid_to_context(peer_sid, secdata, seclen);
3390 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3392 return sk_alloc_security(sk, family, priority);
3395 static void selinux_sk_free_security(struct sock *sk)
3397 sk_free_security(sk);
3400 static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3402 struct inode_security_struct *isec;
3403 u32 sock_sid = SECINITSID_ANY_SOCKET;
3406 return selinux_no_sk_sid(fl);
3408 read_lock_bh(&sk->sk_callback_lock);
3409 isec = get_sock_isec(sk);
3412 sock_sid = isec->sid;
3414 read_unlock_bh(&sk->sk_callback_lock);
3418 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3422 struct nlmsghdr *nlh;
3423 struct socket *sock = sk->sk_socket;
3424 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3426 if (skb->len < NLMSG_SPACE(0)) {
3430 nlh = (struct nlmsghdr *)skb->data;
3432 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3434 if (err == -EINVAL) {
3435 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3436 "SELinux: unrecognized netlink message"
3437 " type=%hu for sclass=%hu\n",
3438 nlh->nlmsg_type, isec->sclass);
3439 if (!selinux_enforcing)
3449 err = socket_has_perm(current, sock, perm);
3454 #ifdef CONFIG_NETFILTER
3456 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3457 struct sk_buff **pskb,
3458 const struct net_device *in,
3459 const struct net_device *out,
3460 int (*okfn)(struct sk_buff *),
3464 int len, err = NF_ACCEPT;
3465 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3467 struct socket *sock;
3468 struct inode *inode;
3469 struct sk_buff *skb = *pskb;
3470 struct inode_security_struct *isec;
3471 struct avc_audit_data ad;
3472 struct net_device *dev = (struct net_device *)out;
3478 sock = sk->sk_socket;
3482 inode = SOCK_INODE(sock);
3486 err = sel_netif_sids(dev, &if_sid, NULL);
3490 isec = inode->i_security;
3492 switch (isec->sclass) {
3493 case SECCLASS_UDP_SOCKET:
3494 netif_perm = NETIF__UDP_SEND;
3495 node_perm = NODE__UDP_SEND;
3496 send_perm = UDP_SOCKET__SEND_MSG;
3499 case SECCLASS_TCP_SOCKET:
3500 netif_perm = NETIF__TCP_SEND;
3501 node_perm = NODE__TCP_SEND;
3502 send_perm = TCP_SOCKET__SEND_MSG;
3506 netif_perm = NETIF__RAWIP_SEND;
3507 node_perm = NODE__RAWIP_SEND;
3512 AVC_AUDIT_DATA_INIT(&ad, NET);
3513 ad.u.net.netif = dev->name;
3514 ad.u.net.family = family;
3516 err = selinux_parse_skb(skb, &ad, &addrp,
3517 &len, 0) ? NF_DROP : NF_ACCEPT;
3518 if (err != NF_ACCEPT)
3521 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3522 netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3523 if (err != NF_ACCEPT)
3526 /* Fixme: this lookup is inefficient */
3527 err = security_node_sid(family, addrp, len,
3528 &node_sid) ? NF_DROP : NF_ACCEPT;
3529 if (err != NF_ACCEPT)
3532 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3533 node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3534 if (err != NF_ACCEPT)
3540 /* Fixme: make this more efficient */
3541 err = security_port_sid(sk->sk_family,
3544 ntohs(ad.u.net.dport),
3545 &port_sid) ? NF_DROP : NF_ACCEPT;
3546 if (err != NF_ACCEPT)
3549 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3550 send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3553 if (err != NF_ACCEPT)
3556 err = selinux_xfrm_postroute_last(isec->sid, skb);
3562 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3563 struct sk_buff **pskb,
3564 const struct net_device *in,
3565 const struct net_device *out,
3566 int (*okfn)(struct sk_buff *))
3568 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3571 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3573 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3574 struct sk_buff **pskb,
3575 const struct net_device *in,
3576 const struct net_device *out,
3577 int (*okfn)(struct sk_buff *))
3579 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3584 #endif /* CONFIG_NETFILTER */
3586 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3588 struct task_security_struct *tsec;
3589 struct av_decision avd;
3592 err = secondary_ops->netlink_send(sk, skb);
3596 tsec = current->security;
3599 avc_has_perm_noaudit(tsec->sid, tsec->sid,
3600 SECCLASS_CAPABILITY, ~0, &avd);
3601 cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3603 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3604 err = selinux_nlmsg_perm(sk, skb);
3609 static int selinux_netlink_recv(struct sk_buff *skb)
3611 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3616 static int ipc_alloc_security(struct task_struct *task,
3617 struct kern_ipc_perm *perm,
3620 struct task_security_struct *tsec = task->security;
3621 struct ipc_security_struct *isec;
3623 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3627 isec->sclass = sclass;
3628 isec->ipc_perm = perm;
3629 isec->sid = tsec->sid;
3630 perm->security = isec;
3635 static void ipc_free_security(struct kern_ipc_perm *perm)
3637 struct ipc_security_struct *isec = perm->security;
3638 perm->security = NULL;
3642 static int msg_msg_alloc_security(struct msg_msg *msg)
3644 struct msg_security_struct *msec;
3646 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3651 msec->sid = SECINITSID_UNLABELED;
3652 msg->security = msec;
3657 static void msg_msg_free_security(struct msg_msg *msg)
3659 struct msg_security_struct *msec = msg->security;
3661 msg->security = NULL;
3665 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3668 struct task_security_struct *tsec;
3669 struct ipc_security_struct *isec;
3670 struct avc_audit_data ad;
3672 tsec = current->security;
3673 isec = ipc_perms->security;
3675 AVC_AUDIT_DATA_INIT(&ad, IPC);
3676 ad.u.ipc_id = ipc_perms->key;
3678 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3681 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3683 return msg_msg_alloc_security(msg);
3686 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3688 msg_msg_free_security(msg);
3691 /* message queue security operations */
3692 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3694 struct task_security_struct *tsec;
3695 struct ipc_security_struct *isec;
3696 struct avc_audit_data ad;
3699 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3703 tsec = current->security;
3704 isec = msq->q_perm.security;
3706 AVC_AUDIT_DATA_INIT(&ad, IPC);
3707 ad.u.ipc_id = msq->q_perm.key;
3709 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3712 ipc_free_security(&msq->q_perm);
3718 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3720 ipc_free_security(&msq->q_perm);
3723 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3725 struct task_security_struct *tsec;
3726 struct ipc_security_struct *isec;
3727 struct avc_audit_data ad;
3729 tsec = current->security;
3730 isec = msq->q_perm.security;
3732 AVC_AUDIT_DATA_INIT(&ad, IPC);
3733 ad.u.ipc_id = msq->q_perm.key;
3735 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3736 MSGQ__ASSOCIATE, &ad);
3739 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3747 /* No specific object, just general system-wide information. */
3748 return task_has_system(current, SYSTEM__IPC_INFO);
3751 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3754 perms = MSGQ__SETATTR;
3757 perms = MSGQ__DESTROY;
3763 err = ipc_has_perm(&msq->q_perm, perms);
3767 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3769 struct task_security_struct *tsec;
3770 struct ipc_security_struct *isec;
3771 struct msg_security_struct *msec;
3772 struct avc_audit_data ad;
3775 tsec = current->security;
3776 isec = msq->q_perm.security;
3777 msec = msg->security;
3780 * First time through, need to assign label to the message
3782 if (msec->sid == SECINITSID_UNLABELED) {
3784 * Compute new sid based on current process and
3785 * message queue this message will be stored in
3787 rc = security_transition_sid(tsec->sid,
3795 AVC_AUDIT_DATA_INIT(&ad, IPC);
3796 ad.u.ipc_id = msq->q_perm.key;
3798 /* Can this process write to the queue? */
3799 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3802 /* Can this process send the message */
3803 rc = avc_has_perm(tsec->sid, msec->sid,
3804 SECCLASS_MSG, MSG__SEND, &ad);
3806 /* Can the message be put in the queue? */
3807 rc = avc_has_perm(msec->sid, isec->sid,
3808 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3813 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3814 struct task_struct *target,
3815 long type, int mode)
3817 struct task_security_struct *tsec;
3818 struct ipc_security_struct *isec;
3819 struct msg_security_struct *msec;
3820 struct avc_audit_data ad;
3823 tsec = target->security;
3824 isec = msq->q_perm.security;
3825 msec = msg->security;
3827 AVC_AUDIT_DATA_INIT(&ad, IPC);
3828 ad.u.ipc_id = msq->q_perm.key;
3830 rc = avc_has_perm(tsec->sid, isec->sid,
3831 SECCLASS_MSGQ, MSGQ__READ, &ad);
3833 rc = avc_has_perm(tsec->sid, msec->sid,
3834 SECCLASS_MSG, MSG__RECEIVE, &ad);
3838 /* Shared Memory security operations */
3839 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3841 struct task_security_struct *tsec;
3842 struct ipc_security_struct *isec;
3843 struct avc_audit_data ad;
3846 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3850 tsec = current->security;
3851 isec = shp->shm_perm.security;
3853 AVC_AUDIT_DATA_INIT(&ad, IPC);
3854 ad.u.ipc_id = shp->shm_perm.key;
3856 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3859 ipc_free_security(&shp->shm_perm);
3865 static void selinux_shm_free_security(struct shmid_kernel *shp)
3867 ipc_free_security(&shp->shm_perm);
3870 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3872 struct task_security_struct *tsec;
3873 struct ipc_security_struct *isec;
3874 struct avc_audit_data ad;
3876 tsec = current->security;
3877 isec = shp->shm_perm.security;
3879 AVC_AUDIT_DATA_INIT(&ad, IPC);
3880 ad.u.ipc_id = shp->shm_perm.key;
3882 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3883 SHM__ASSOCIATE, &ad);
3886 /* Note, at this point, shp is locked down */
3887 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3895 /* No specific object, just general system-wide information. */
3896 return task_has_system(current, SYSTEM__IPC_INFO);
3899 perms = SHM__GETATTR | SHM__ASSOCIATE;
3902 perms = SHM__SETATTR;
3909 perms = SHM__DESTROY;
3915 err = ipc_has_perm(&shp->shm_perm, perms);
3919 static int selinux_shm_shmat(struct shmid_kernel *shp,
3920 char __user *shmaddr, int shmflg)
3925 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3929 if (shmflg & SHM_RDONLY)
3932 perms = SHM__READ | SHM__WRITE;
3934 return ipc_has_perm(&shp->shm_perm, perms);
3937 /* Semaphore security operations */
3938 static int selinux_sem_alloc_security(struct sem_array *sma)
3940 struct task_security_struct *tsec;
3941 struct ipc_security_struct *isec;
3942 struct avc_audit_data ad;
3945 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3949 tsec = current->security;
3950 isec = sma->sem_perm.security;
3952 AVC_AUDIT_DATA_INIT(&ad, IPC);
3953 ad.u.ipc_id = sma->sem_perm.key;
3955 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3958 ipc_free_security(&sma->sem_perm);
3964 static void selinux_sem_free_security(struct sem_array *sma)
3966 ipc_free_security(&sma->sem_perm);
3969 static int selinux_sem_associate(struct sem_array *sma, int semflg)
3971 struct task_security_struct *tsec;
3972 struct ipc_security_struct *isec;
3973 struct avc_audit_data ad;
3975 tsec = current->security;
3976 isec = sma->sem_perm.security;
3978 AVC_AUDIT_DATA_INIT(&ad, IPC);
3979 ad.u.ipc_id = sma->sem_perm.key;
3981 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3982 SEM__ASSOCIATE, &ad);
3985 /* Note, at this point, sma is locked down */
3986 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
3994 /* No specific object, just general system-wide information. */
3995 return task_has_system(current, SYSTEM__IPC_INFO);
3999 perms = SEM__GETATTR;
4010 perms = SEM__DESTROY;
4013 perms = SEM__SETATTR;
4017 perms = SEM__GETATTR | SEM__ASSOCIATE;
4023 err = ipc_has_perm(&sma->sem_perm, perms);
4027 static int selinux_sem_semop(struct sem_array *sma,
4028 struct sembuf *sops, unsigned nsops, int alter)
4033 perms = SEM__READ | SEM__WRITE;
4037 return ipc_has_perm(&sma->sem_perm, perms);
4040 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4046 av |= IPC__UNIX_READ;
4048 av |= IPC__UNIX_WRITE;
4053 return ipc_has_perm(ipcp, av);
4056 /* module stacking operations */
4057 static int selinux_register_security (const char *name, struct security_operations *ops)
4059 if (secondary_ops != original_ops) {
4060 printk(KERN_INFO "%s: There is already a secondary security "
4061 "module registered.\n", __FUNCTION__);
4065 secondary_ops = ops;
4067 printk(KERN_INFO "%s: Registering secondary module %s\n",
4074 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4076 if (ops != secondary_ops) {
4077 printk (KERN_INFO "%s: trying to unregister a security module "
4078 "that is not registered.\n", __FUNCTION__);
4082 secondary_ops = original_ops;
4087 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4090 inode_doinit_with_dentry(inode, dentry);
4093 static int selinux_getprocattr(struct task_struct *p,
4094 char *name, void *value, size_t size)
4096 struct task_security_struct *tsec;
4102 error = task_has_perm(current, p, PROCESS__GETATTR);
4112 if (!strcmp(name, "current"))
4114 else if (!strcmp(name, "prev"))
4116 else if (!strcmp(name, "exec"))
4117 sid = tsec->exec_sid;
4118 else if (!strcmp(name, "fscreate"))
4119 sid = tsec->create_sid;
4126 error = security_sid_to_context(sid, &context, &len);
4133 memcpy(value, context, len);
4138 static int selinux_setprocattr(struct task_struct *p,
4139 char *name, void *value, size_t size)
4141 struct task_security_struct *tsec;
4147 /* SELinux only allows a process to change its own
4148 security attributes. */
4153 * Basic control over ability to set these attributes at all.
4154 * current == p, but we'll pass them separately in case the
4155 * above restriction is ever removed.
4157 if (!strcmp(name, "exec"))
4158 error = task_has_perm(current, p, PROCESS__SETEXEC);
4159 else if (!strcmp(name, "fscreate"))
4160 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4161 else if (!strcmp(name, "current"))
4162 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4168 /* Obtain a SID for the context, if one was specified. */
4169 if (size && str[1] && str[1] != '\n') {
4170 if (str[size-1] == '\n') {
4174 error = security_context_to_sid(value, size, &sid);
4179 /* Permission checking based on the specified context is
4180 performed during the actual operation (execve,
4181 open/mkdir/...), when we know the full context of the
4182 operation. See selinux_bprm_set_security for the execve
4183 checks and may_create for the file creation checks. The
4184 operation will then fail if the context is not permitted. */
4186 if (!strcmp(name, "exec"))
4187 tsec->exec_sid = sid;
4188 else if (!strcmp(name, "fscreate"))
4189 tsec->create_sid = sid;
4190 else if (!strcmp(name, "current")) {
4191 struct av_decision avd;
4196 /* Only allow single threaded processes to change context */
4197 if (atomic_read(&p->mm->mm_users) != 1) {
4198 struct task_struct *g, *t;
4199 struct mm_struct *mm = p->mm;
4200 read_lock(&tasklist_lock);
4201 do_each_thread(g, t)
4202 if (t->mm == mm && t != p) {
4203 read_unlock(&tasklist_lock);
4206 while_each_thread(g, t);
4207 read_unlock(&tasklist_lock);
4210 /* Check permissions for the transition. */
4211 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4212 PROCESS__DYNTRANSITION, NULL);
4216 /* Check for ptracing, and update the task SID if ok.
4217 Otherwise, leave SID unchanged and fail. */
4219 if (p->ptrace & PT_PTRACED) {
4220 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4222 PROCESS__PTRACE, &avd);
4226 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4227 PROCESS__PTRACE, &avd, error, NULL);
4241 static struct security_operations selinux_ops = {
4242 .ptrace = selinux_ptrace,
4243 .capget = selinux_capget,
4244 .capset_check = selinux_capset_check,
4245 .capset_set = selinux_capset_set,
4246 .sysctl = selinux_sysctl,
4247 .capable = selinux_capable,
4248 .quotactl = selinux_quotactl,
4249 .quota_on = selinux_quota_on,
4250 .syslog = selinux_syslog,
4251 .vm_enough_memory = selinux_vm_enough_memory,
4253 .netlink_send = selinux_netlink_send,
4254 .netlink_recv = selinux_netlink_recv,
4256 .bprm_alloc_security = selinux_bprm_alloc_security,
4257 .bprm_free_security = selinux_bprm_free_security,
4258 .bprm_apply_creds = selinux_bprm_apply_creds,
4259 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
4260 .bprm_set_security = selinux_bprm_set_security,
4261 .bprm_check_security = selinux_bprm_check_security,
4262 .bprm_secureexec = selinux_bprm_secureexec,
4264 .sb_alloc_security = selinux_sb_alloc_security,
4265 .sb_free_security = selinux_sb_free_security,
4266 .sb_copy_data = selinux_sb_copy_data,
4267 .sb_kern_mount = selinux_sb_kern_mount,
4268 .sb_statfs = selinux_sb_statfs,
4269 .sb_mount = selinux_mount,
4270 .sb_umount = selinux_umount,
4272 .inode_alloc_security = selinux_inode_alloc_security,
4273 .inode_free_security = selinux_inode_free_security,
4274 .inode_init_security = selinux_inode_init_security,
4275 .inode_create = selinux_inode_create,
4276 .inode_link = selinux_inode_link,
4277 .inode_unlink = selinux_inode_unlink,
4278 .inode_symlink = selinux_inode_symlink,
4279 .inode_mkdir = selinux_inode_mkdir,
4280 .inode_rmdir = selinux_inode_rmdir,
4281 .inode_mknod = selinux_inode_mknod,
4282 .inode_rename = selinux_inode_rename,
4283 .inode_readlink = selinux_inode_readlink,
4284 .inode_follow_link = selinux_inode_follow_link,
4285 .inode_permission = selinux_inode_permission,
4286 .inode_setattr = selinux_inode_setattr,
4287 .inode_getattr = selinux_inode_getattr,
4288 .inode_setxattr = selinux_inode_setxattr,
4289 .inode_post_setxattr = selinux_inode_post_setxattr,
4290 .inode_getxattr = selinux_inode_getxattr,
4291 .inode_listxattr = selinux_inode_listxattr,
4292 .inode_removexattr = selinux_inode_removexattr,
4293 .inode_getsecurity = selinux_inode_getsecurity,
4294 .inode_setsecurity = selinux_inode_setsecurity,
4295 .inode_listsecurity = selinux_inode_listsecurity,
4297 .file_permission = selinux_file_permission,
4298 .file_alloc_security = selinux_file_alloc_security,
4299 .file_free_security = selinux_file_free_security,
4300 .file_ioctl = selinux_file_ioctl,
4301 .file_mmap = selinux_file_mmap,
4302 .file_mprotect = selinux_file_mprotect,
4303 .file_lock = selinux_file_lock,
4304 .file_fcntl = selinux_file_fcntl,
4305 .file_set_fowner = selinux_file_set_fowner,
4306 .file_send_sigiotask = selinux_file_send_sigiotask,
4307 .file_receive = selinux_file_receive,
4309 .task_create = selinux_task_create,
4310 .task_alloc_security = selinux_task_alloc_security,
4311 .task_free_security = selinux_task_free_security,
4312 .task_setuid = selinux_task_setuid,
4313 .task_post_setuid = selinux_task_post_setuid,
4314 .task_setgid = selinux_task_setgid,
4315 .task_setpgid = selinux_task_setpgid,
4316 .task_getpgid = selinux_task_getpgid,
4317 .task_getsid = selinux_task_getsid,
4318 .task_setgroups = selinux_task_setgroups,
4319 .task_setnice = selinux_task_setnice,
4320 .task_setrlimit = selinux_task_setrlimit,
4321 .task_setscheduler = selinux_task_setscheduler,
4322 .task_getscheduler = selinux_task_getscheduler,
4323 .task_kill = selinux_task_kill,
4324 .task_wait = selinux_task_wait,
4325 .task_prctl = selinux_task_prctl,
4326 .task_reparent_to_init = selinux_task_reparent_to_init,
4327 .task_to_inode = selinux_task_to_inode,
4329 .ipc_permission = selinux_ipc_permission,
4331 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4332 .msg_msg_free_security = selinux_msg_msg_free_security,
4334 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4335 .msg_queue_free_security = selinux_msg_queue_free_security,
4336 .msg_queue_associate = selinux_msg_queue_associate,
4337 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4338 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4339 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4341 .shm_alloc_security = selinux_shm_alloc_security,
4342 .shm_free_security = selinux_shm_free_security,
4343 .shm_associate = selinux_shm_associate,
4344 .shm_shmctl = selinux_shm_shmctl,
4345 .shm_shmat = selinux_shm_shmat,
4347 .sem_alloc_security = selinux_sem_alloc_security,
4348 .sem_free_security = selinux_sem_free_security,
4349 .sem_associate = selinux_sem_associate,
4350 .sem_semctl = selinux_sem_semctl,
4351 .sem_semop = selinux_sem_semop,
4353 .register_security = selinux_register_security,
4354 .unregister_security = selinux_unregister_security,
4356 .d_instantiate = selinux_d_instantiate,
4358 .getprocattr = selinux_getprocattr,
4359 .setprocattr = selinux_setprocattr,
4361 .unix_stream_connect = selinux_socket_unix_stream_connect,
4362 .unix_may_send = selinux_socket_unix_may_send,
4364 .socket_create = selinux_socket_create,
4365 .socket_post_create = selinux_socket_post_create,
4366 .socket_bind = selinux_socket_bind,
4367 .socket_connect = selinux_socket_connect,
4368 .socket_listen = selinux_socket_listen,
4369 .socket_accept = selinux_socket_accept,
4370 .socket_sendmsg = selinux_socket_sendmsg,
4371 .socket_recvmsg = selinux_socket_recvmsg,
4372 .socket_getsockname = selinux_socket_getsockname,
4373 .socket_getpeername = selinux_socket_getpeername,
4374 .socket_getsockopt = selinux_socket_getsockopt,
4375 .socket_setsockopt = selinux_socket_setsockopt,
4376 .socket_shutdown = selinux_socket_shutdown,
4377 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
4378 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
4379 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
4380 .sk_alloc_security = selinux_sk_alloc_security,
4381 .sk_free_security = selinux_sk_free_security,
4382 .sk_getsid = selinux_sk_getsid_security,
4384 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4385 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
4386 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
4387 .xfrm_policy_free_security = selinux_xfrm_policy_free,
4388 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
4389 .xfrm_state_free_security = selinux_xfrm_state_free,
4390 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
4394 static __init int selinux_init(void)
4396 struct task_security_struct *tsec;
4398 if (!selinux_enabled) {
4399 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4403 printk(KERN_INFO "SELinux: Initializing.\n");
4405 /* Set the security state for the initial task. */
4406 if (task_alloc_security(current))
4407 panic("SELinux: Failed to initialize initial task.\n");
4408 tsec = current->security;
4409 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4413 original_ops = secondary_ops = security_ops;
4415 panic ("SELinux: No initial security operations\n");
4416 if (register_security (&selinux_ops))
4417 panic("SELinux: Unable to register with kernel.\n");
4419 if (selinux_enforcing) {
4420 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
4422 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
4427 void selinux_complete_init(void)
4429 printk(KERN_INFO "SELinux: Completing initialization.\n");
4431 /* Set up any superblocks initialized prior to the policy load. */
4432 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
4433 spin_lock(&sb_security_lock);
4435 if (!list_empty(&superblock_security_head)) {
4436 struct superblock_security_struct *sbsec =
4437 list_entry(superblock_security_head.next,
4438 struct superblock_security_struct,
4440 struct super_block *sb = sbsec->sb;
4441 spin_lock(&sb_lock);
4443 spin_unlock(&sb_lock);
4444 spin_unlock(&sb_security_lock);
4445 down_read(&sb->s_umount);
4447 superblock_doinit(sb, NULL);
4449 spin_lock(&sb_security_lock);
4450 list_del_init(&sbsec->list);
4453 spin_unlock(&sb_security_lock);
4456 /* SELinux requires early initialization in order to label
4457 all processes and objects when they are created. */
4458 security_initcall(selinux_init);
4460 #if defined(CONFIG_NETFILTER)
4462 static struct nf_hook_ops selinux_ipv4_op = {
4463 .hook = selinux_ipv4_postroute_last,
4464 .owner = THIS_MODULE,
4466 .hooknum = NF_IP_POST_ROUTING,
4467 .priority = NF_IP_PRI_SELINUX_LAST,
4470 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4472 static struct nf_hook_ops selinux_ipv6_op = {
4473 .hook = selinux_ipv6_postroute_last,
4474 .owner = THIS_MODULE,
4476 .hooknum = NF_IP6_POST_ROUTING,
4477 .priority = NF_IP6_PRI_SELINUX_LAST,
4482 static int __init selinux_nf_ip_init(void)
4486 if (!selinux_enabled)
4489 printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
4491 err = nf_register_hook(&selinux_ipv4_op);
4493 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4495 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4497 err = nf_register_hook(&selinux_ipv6_op);
4499 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4507 __initcall(selinux_nf_ip_init);
4509 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4510 static void selinux_nf_ip_exit(void)
4512 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
4514 nf_unregister_hook(&selinux_ipv4_op);
4515 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4516 nf_unregister_hook(&selinux_ipv6_op);
4521 #else /* CONFIG_NETFILTER */
4523 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4524 #define selinux_nf_ip_exit()
4527 #endif /* CONFIG_NETFILTER */
4529 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4530 int selinux_disable(void)
4532 extern void exit_sel_fs(void);
4533 static int selinux_disabled = 0;
4535 if (ss_initialized) {
4536 /* Not permitted after initial policy load. */
4540 if (selinux_disabled) {
4541 /* Only do this once. */
4545 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
4547 selinux_disabled = 1;
4549 /* Reset security_ops to the secondary module, dummy or capability. */
4550 security_ops = secondary_ops;
4552 /* Unregister netfilter hooks. */
4553 selinux_nf_ip_exit();
4555 /* Unregister selinuxfs. */
projects / linux-2.6 / blob