2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul.moore@hp.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/file.h>
43 #include <linux/fdtable.h>
44 #include <linux/namei.h>
45 #include <linux/mount.h>
46 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78 #include <linux/posix-timers.h>
89 #define XATTR_SELINUX_SUFFIX "selinux"
90 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
92 #define NUM_SEL_MNT_OPTS 4
94 extern unsigned int policydb_loaded_version;
95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96 extern int selinux_compat_net;
97 extern struct security_operations *security_ops;
99 /* SECMARK reference count */
100 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing;
105 static int __init enforcing_setup(char *str)
107 unsigned long enforcing;
108 if (!strict_strtoul(str, 0, &enforcing))
109 selinux_enforcing = enforcing ? 1 : 0;
112 __setup("enforcing=", enforcing_setup);
115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118 static int __init selinux_enabled_setup(char *str)
120 unsigned long enabled;
121 if (!strict_strtoul(str, 0, &enabled))
122 selinux_enabled = enabled ? 1 : 0;
125 __setup("selinux=", selinux_enabled_setup);
127 int selinux_enabled = 1;
132 * Minimal support for a secondary security module,
133 * just to allow the use of the capability module.
135 static struct security_operations *secondary_ops;
137 /* Lists of inode and superblock security structures initialized
138 before the policy was loaded. */
139 static LIST_HEAD(superblock_security_head);
140 static DEFINE_SPINLOCK(sb_security_lock);
142 static struct kmem_cache *sel_inode_cache;
145 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
148 * This function checks the SECMARK reference counter to see if any SECMARK
149 * targets are currently configured, if the reference counter is greater than
150 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
151 * enabled, false (0) if SECMARK is disabled.
154 static int selinux_secmark_enabled(void)
156 return (atomic_read(&selinux_secmark_refcount) > 0);
160 * initialise the security for the init task
162 static void cred_init_security(void)
164 struct cred *cred = (struct cred *) current->real_cred;
165 struct task_security_struct *tsec;
167 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
169 panic("SELinux: Failed to initialize initial task.\n");
171 tsec->osid = tsec->sid = SECINITSID_KERNEL;
172 cred->security = tsec;
176 * get the security ID of a set of credentials
178 static inline u32 cred_sid(const struct cred *cred)
180 const struct task_security_struct *tsec;
182 tsec = cred->security;
187 * get the objective security ID of a task
189 static inline u32 task_sid(const struct task_struct *task)
194 sid = cred_sid(__task_cred(task));
200 * get the subjective security ID of the current task
202 static inline u32 current_sid(void)
204 const struct task_security_struct *tsec = current_cred()->security;
209 /* Allocate and free functions for each kind of security blob. */
211 static int inode_alloc_security(struct inode *inode)
213 struct inode_security_struct *isec;
214 u32 sid = current_sid();
216 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
220 mutex_init(&isec->lock);
221 INIT_LIST_HEAD(&isec->list);
223 isec->sid = SECINITSID_UNLABELED;
224 isec->sclass = SECCLASS_FILE;
225 isec->task_sid = sid;
226 inode->i_security = isec;
231 static void inode_free_security(struct inode *inode)
233 struct inode_security_struct *isec = inode->i_security;
234 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
236 spin_lock(&sbsec->isec_lock);
237 if (!list_empty(&isec->list))
238 list_del_init(&isec->list);
239 spin_unlock(&sbsec->isec_lock);
241 inode->i_security = NULL;
242 kmem_cache_free(sel_inode_cache, isec);
245 static int file_alloc_security(struct file *file)
247 struct file_security_struct *fsec;
248 u32 sid = current_sid();
250 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
255 fsec->fown_sid = sid;
256 file->f_security = fsec;
261 static void file_free_security(struct file *file)
263 struct file_security_struct *fsec = file->f_security;
264 file->f_security = NULL;
268 static int superblock_alloc_security(struct super_block *sb)
270 struct superblock_security_struct *sbsec;
272 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
276 mutex_init(&sbsec->lock);
277 INIT_LIST_HEAD(&sbsec->list);
278 INIT_LIST_HEAD(&sbsec->isec_head);
279 spin_lock_init(&sbsec->isec_lock);
281 sbsec->sid = SECINITSID_UNLABELED;
282 sbsec->def_sid = SECINITSID_FILE;
283 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
284 sb->s_security = sbsec;
289 static void superblock_free_security(struct super_block *sb)
291 struct superblock_security_struct *sbsec = sb->s_security;
293 spin_lock(&sb_security_lock);
294 if (!list_empty(&sbsec->list))
295 list_del_init(&sbsec->list);
296 spin_unlock(&sb_security_lock);
298 sb->s_security = NULL;
302 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
304 struct sk_security_struct *ssec;
306 ssec = kzalloc(sizeof(*ssec), priority);
310 ssec->peer_sid = SECINITSID_UNLABELED;
311 ssec->sid = SECINITSID_UNLABELED;
312 sk->sk_security = ssec;
314 selinux_netlbl_sk_security_reset(ssec, family);
319 static void sk_free_security(struct sock *sk)
321 struct sk_security_struct *ssec = sk->sk_security;
323 sk->sk_security = NULL;
324 selinux_netlbl_sk_security_free(ssec);
328 /* The security server must be initialized before
329 any labeling or access decisions can be provided. */
330 extern int ss_initialized;
332 /* The file system's label must be initialized prior to use. */
334 static char *labeling_behaviors[6] = {
336 "uses transition SIDs",
338 "uses genfs_contexts",
339 "not configured for labeling",
340 "uses mountpoint labeling",
343 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
345 static inline int inode_doinit(struct inode *inode)
347 return inode_doinit_with_dentry(inode, NULL);
358 static const match_table_t tokens = {
359 {Opt_context, CONTEXT_STR "%s"},
360 {Opt_fscontext, FSCONTEXT_STR "%s"},
361 {Opt_defcontext, DEFCONTEXT_STR "%s"},
362 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
366 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
368 static int may_context_mount_sb_relabel(u32 sid,
369 struct superblock_security_struct *sbsec,
370 const struct cred *cred)
372 const struct task_security_struct *tsec = cred->security;
375 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
376 FILESYSTEM__RELABELFROM, NULL);
380 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
381 FILESYSTEM__RELABELTO, NULL);
385 static int may_context_mount_inode_relabel(u32 sid,
386 struct superblock_security_struct *sbsec,
387 const struct cred *cred)
389 const struct task_security_struct *tsec = cred->security;
391 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
392 FILESYSTEM__RELABELFROM, NULL);
396 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
397 FILESYSTEM__ASSOCIATE, NULL);
401 static int sb_finish_set_opts(struct super_block *sb)
403 struct superblock_security_struct *sbsec = sb->s_security;
404 struct dentry *root = sb->s_root;
405 struct inode *root_inode = root->d_inode;
408 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
409 /* Make sure that the xattr handler exists and that no
410 error other than -ENODATA is returned by getxattr on
411 the root directory. -ENODATA is ok, as this may be
412 the first boot of the SELinux kernel before we have
413 assigned xattr values to the filesystem. */
414 if (!root_inode->i_op->getxattr) {
415 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
416 "xattr support\n", sb->s_id, sb->s_type->name);
420 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
421 if (rc < 0 && rc != -ENODATA) {
422 if (rc == -EOPNOTSUPP)
423 printk(KERN_WARNING "SELinux: (dev %s, type "
424 "%s) has no security xattr handler\n",
425 sb->s_id, sb->s_type->name);
427 printk(KERN_WARNING "SELinux: (dev %s, type "
428 "%s) getxattr errno %d\n", sb->s_id,
429 sb->s_type->name, -rc);
434 sbsec->initialized = 1;
436 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
437 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
438 sb->s_id, sb->s_type->name);
440 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
441 sb->s_id, sb->s_type->name,
442 labeling_behaviors[sbsec->behavior-1]);
444 /* Initialize the root inode. */
445 rc = inode_doinit_with_dentry(root_inode, root);
447 /* Initialize any other inodes associated with the superblock, e.g.
448 inodes created prior to initial policy load or inodes created
449 during get_sb by a pseudo filesystem that directly
451 spin_lock(&sbsec->isec_lock);
453 if (!list_empty(&sbsec->isec_head)) {
454 struct inode_security_struct *isec =
455 list_entry(sbsec->isec_head.next,
456 struct inode_security_struct, list);
457 struct inode *inode = isec->inode;
458 spin_unlock(&sbsec->isec_lock);
459 inode = igrab(inode);
461 if (!IS_PRIVATE(inode))
465 spin_lock(&sbsec->isec_lock);
466 list_del_init(&isec->list);
469 spin_unlock(&sbsec->isec_lock);
475 * This function should allow an FS to ask what it's mount security
476 * options were so it can use those later for submounts, displaying
477 * mount options, or whatever.
479 static int selinux_get_mnt_opts(const struct super_block *sb,
480 struct security_mnt_opts *opts)
483 struct superblock_security_struct *sbsec = sb->s_security;
484 char *context = NULL;
488 security_init_mnt_opts(opts);
490 if (!sbsec->initialized)
497 * if we ever use sbsec flags for anything other than tracking mount
498 * settings this is going to need a mask
501 /* count the number of mount options for this sb */
502 for (i = 0; i < 8; i++) {
504 opts->num_mnt_opts++;
508 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
509 if (!opts->mnt_opts) {
514 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
515 if (!opts->mnt_opts_flags) {
521 if (sbsec->flags & FSCONTEXT_MNT) {
522 rc = security_sid_to_context(sbsec->sid, &context, &len);
525 opts->mnt_opts[i] = context;
526 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
528 if (sbsec->flags & CONTEXT_MNT) {
529 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
532 opts->mnt_opts[i] = context;
533 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
535 if (sbsec->flags & DEFCONTEXT_MNT) {
536 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
539 opts->mnt_opts[i] = context;
540 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
542 if (sbsec->flags & ROOTCONTEXT_MNT) {
543 struct inode *root = sbsec->sb->s_root->d_inode;
544 struct inode_security_struct *isec = root->i_security;
546 rc = security_sid_to_context(isec->sid, &context, &len);
549 opts->mnt_opts[i] = context;
550 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
553 BUG_ON(i != opts->num_mnt_opts);
558 security_free_mnt_opts(opts);
562 static int bad_option(struct superblock_security_struct *sbsec, char flag,
563 u32 old_sid, u32 new_sid)
565 /* check if the old mount command had the same options */
566 if (sbsec->initialized)
567 if (!(sbsec->flags & flag) ||
568 (old_sid != new_sid))
571 /* check if we were passed the same options twice,
572 * aka someone passed context=a,context=b
574 if (!sbsec->initialized)
575 if (sbsec->flags & flag)
581 * Allow filesystems with binary mount data to explicitly set mount point
582 * labeling information.
584 static int selinux_set_mnt_opts(struct super_block *sb,
585 struct security_mnt_opts *opts)
587 const struct cred *cred = current_cred();
589 struct superblock_security_struct *sbsec = sb->s_security;
590 const char *name = sb->s_type->name;
591 struct inode *inode = sbsec->sb->s_root->d_inode;
592 struct inode_security_struct *root_isec = inode->i_security;
593 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
594 u32 defcontext_sid = 0;
595 char **mount_options = opts->mnt_opts;
596 int *flags = opts->mnt_opts_flags;
597 int num_opts = opts->num_mnt_opts;
599 mutex_lock(&sbsec->lock);
601 if (!ss_initialized) {
603 /* Defer initialization until selinux_complete_init,
604 after the initial policy is loaded and the security
605 server is ready to handle calls. */
606 spin_lock(&sb_security_lock);
607 if (list_empty(&sbsec->list))
608 list_add(&sbsec->list, &superblock_security_head);
609 spin_unlock(&sb_security_lock);
613 printk(KERN_WARNING "SELinux: Unable to set superblock options "
614 "before the security server is initialized\n");
619 * Binary mount data FS will come through this function twice. Once
620 * from an explicit call and once from the generic calls from the vfs.
621 * Since the generic VFS calls will not contain any security mount data
622 * we need to skip the double mount verification.
624 * This does open a hole in which we will not notice if the first
625 * mount using this sb set explict options and a second mount using
626 * this sb does not set any security options. (The first options
627 * will be used for both mounts)
629 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
634 * parse the mount options, check if they are valid sids.
635 * also check if someone is trying to mount the same sb more
636 * than once with different security options.
638 for (i = 0; i < num_opts; i++) {
640 rc = security_context_to_sid(mount_options[i],
641 strlen(mount_options[i]), &sid);
643 printk(KERN_WARNING "SELinux: security_context_to_sid"
644 "(%s) failed for (dev %s, type %s) errno=%d\n",
645 mount_options[i], sb->s_id, name, rc);
652 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
654 goto out_double_mount;
656 sbsec->flags |= FSCONTEXT_MNT;
661 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
663 goto out_double_mount;
665 sbsec->flags |= CONTEXT_MNT;
667 case ROOTCONTEXT_MNT:
668 rootcontext_sid = sid;
670 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
672 goto out_double_mount;
674 sbsec->flags |= ROOTCONTEXT_MNT;
678 defcontext_sid = sid;
680 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
682 goto out_double_mount;
684 sbsec->flags |= DEFCONTEXT_MNT;
693 if (sbsec->initialized) {
694 /* previously mounted with options, but not on this attempt? */
695 if (sbsec->flags && !num_opts)
696 goto out_double_mount;
701 if (strcmp(sb->s_type->name, "proc") == 0)
704 /* Determine the labeling behavior to use for this filesystem type. */
705 rc = security_fs_use(sbsec->proc ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
707 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
708 __func__, sb->s_type->name, rc);
712 /* sets the context of the superblock for the fs being mounted. */
714 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
718 sbsec->sid = fscontext_sid;
722 * Switch to using mount point labeling behavior.
723 * sets the label used on all file below the mountpoint, and will set
724 * the superblock context if not already set.
727 if (!fscontext_sid) {
728 rc = may_context_mount_sb_relabel(context_sid, sbsec,
732 sbsec->sid = context_sid;
734 rc = may_context_mount_inode_relabel(context_sid, sbsec,
739 if (!rootcontext_sid)
740 rootcontext_sid = context_sid;
742 sbsec->mntpoint_sid = context_sid;
743 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
746 if (rootcontext_sid) {
747 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
752 root_isec->sid = rootcontext_sid;
753 root_isec->initialized = 1;
756 if (defcontext_sid) {
757 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
759 printk(KERN_WARNING "SELinux: defcontext option is "
760 "invalid for this filesystem type\n");
764 if (defcontext_sid != sbsec->def_sid) {
765 rc = may_context_mount_inode_relabel(defcontext_sid,
771 sbsec->def_sid = defcontext_sid;
774 rc = sb_finish_set_opts(sb);
776 mutex_unlock(&sbsec->lock);
780 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
781 "security settings for (dev %s, type %s)\n", sb->s_id, name);
785 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
786 struct super_block *newsb)
788 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
789 struct superblock_security_struct *newsbsec = newsb->s_security;
791 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
792 int set_context = (oldsbsec->flags & CONTEXT_MNT);
793 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
796 * if the parent was able to be mounted it clearly had no special lsm
797 * mount options. thus we can safely put this sb on the list and deal
800 if (!ss_initialized) {
801 spin_lock(&sb_security_lock);
802 if (list_empty(&newsbsec->list))
803 list_add(&newsbsec->list, &superblock_security_head);
804 spin_unlock(&sb_security_lock);
808 /* how can we clone if the old one wasn't set up?? */
809 BUG_ON(!oldsbsec->initialized);
811 /* if fs is reusing a sb, just let its options stand... */
812 if (newsbsec->initialized)
815 mutex_lock(&newsbsec->lock);
817 newsbsec->flags = oldsbsec->flags;
819 newsbsec->sid = oldsbsec->sid;
820 newsbsec->def_sid = oldsbsec->def_sid;
821 newsbsec->behavior = oldsbsec->behavior;
824 u32 sid = oldsbsec->mntpoint_sid;
828 if (!set_rootcontext) {
829 struct inode *newinode = newsb->s_root->d_inode;
830 struct inode_security_struct *newisec = newinode->i_security;
833 newsbsec->mntpoint_sid = sid;
835 if (set_rootcontext) {
836 const struct inode *oldinode = oldsb->s_root->d_inode;
837 const struct inode_security_struct *oldisec = oldinode->i_security;
838 struct inode *newinode = newsb->s_root->d_inode;
839 struct inode_security_struct *newisec = newinode->i_security;
841 newisec->sid = oldisec->sid;
844 sb_finish_set_opts(newsb);
845 mutex_unlock(&newsbsec->lock);
848 static int selinux_parse_opts_str(char *options,
849 struct security_mnt_opts *opts)
852 char *context = NULL, *defcontext = NULL;
853 char *fscontext = NULL, *rootcontext = NULL;
854 int rc, num_mnt_opts = 0;
856 opts->num_mnt_opts = 0;
858 /* Standard string-based options. */
859 while ((p = strsep(&options, "|")) != NULL) {
861 substring_t args[MAX_OPT_ARGS];
866 token = match_token(p, tokens, args);
870 if (context || defcontext) {
872 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
875 context = match_strdup(&args[0]);
885 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
888 fscontext = match_strdup(&args[0]);
895 case Opt_rootcontext:
898 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
901 rootcontext = match_strdup(&args[0]);
909 if (context || defcontext) {
911 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
914 defcontext = match_strdup(&args[0]);
923 printk(KERN_WARNING "SELinux: unknown mount option\n");
930 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
934 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
935 if (!opts->mnt_opts_flags) {
936 kfree(opts->mnt_opts);
941 opts->mnt_opts[num_mnt_opts] = fscontext;
942 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
945 opts->mnt_opts[num_mnt_opts] = context;
946 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
949 opts->mnt_opts[num_mnt_opts] = rootcontext;
950 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
953 opts->mnt_opts[num_mnt_opts] = defcontext;
954 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
957 opts->num_mnt_opts = num_mnt_opts;
968 * string mount options parsing and call set the sbsec
970 static int superblock_doinit(struct super_block *sb, void *data)
973 char *options = data;
974 struct security_mnt_opts opts;
976 security_init_mnt_opts(&opts);
981 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
983 rc = selinux_parse_opts_str(options, &opts);
988 rc = selinux_set_mnt_opts(sb, &opts);
991 security_free_mnt_opts(&opts);
995 static void selinux_write_opts(struct seq_file *m,
996 struct security_mnt_opts *opts)
1001 for (i = 0; i < opts->num_mnt_opts; i++) {
1002 char *has_comma = strchr(opts->mnt_opts[i], ',');
1004 switch (opts->mnt_opts_flags[i]) {
1006 prefix = CONTEXT_STR;
1009 prefix = FSCONTEXT_STR;
1011 case ROOTCONTEXT_MNT:
1012 prefix = ROOTCONTEXT_STR;
1014 case DEFCONTEXT_MNT:
1015 prefix = DEFCONTEXT_STR;
1020 /* we need a comma before each option */
1022 seq_puts(m, prefix);
1025 seq_puts(m, opts->mnt_opts[i]);
1031 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1033 struct security_mnt_opts opts;
1036 rc = selinux_get_mnt_opts(sb, &opts);
1038 /* before policy load we may get EINVAL, don't show anything */
1044 selinux_write_opts(m, &opts);
1046 security_free_mnt_opts(&opts);
1051 static inline u16 inode_mode_to_security_class(umode_t mode)
1053 switch (mode & S_IFMT) {
1055 return SECCLASS_SOCK_FILE;
1057 return SECCLASS_LNK_FILE;
1059 return SECCLASS_FILE;
1061 return SECCLASS_BLK_FILE;
1063 return SECCLASS_DIR;
1065 return SECCLASS_CHR_FILE;
1067 return SECCLASS_FIFO_FILE;
1071 return SECCLASS_FILE;
1074 static inline int default_protocol_stream(int protocol)
1076 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1079 static inline int default_protocol_dgram(int protocol)
1081 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1084 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1090 case SOCK_SEQPACKET:
1091 return SECCLASS_UNIX_STREAM_SOCKET;
1093 return SECCLASS_UNIX_DGRAM_SOCKET;
1100 if (default_protocol_stream(protocol))
1101 return SECCLASS_TCP_SOCKET;
1103 return SECCLASS_RAWIP_SOCKET;
1105 if (default_protocol_dgram(protocol))
1106 return SECCLASS_UDP_SOCKET;
1108 return SECCLASS_RAWIP_SOCKET;
1110 return SECCLASS_DCCP_SOCKET;
1112 return SECCLASS_RAWIP_SOCKET;
1118 return SECCLASS_NETLINK_ROUTE_SOCKET;
1119 case NETLINK_FIREWALL:
1120 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1121 case NETLINK_INET_DIAG:
1122 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1124 return SECCLASS_NETLINK_NFLOG_SOCKET;
1126 return SECCLASS_NETLINK_XFRM_SOCKET;
1127 case NETLINK_SELINUX:
1128 return SECCLASS_NETLINK_SELINUX_SOCKET;
1130 return SECCLASS_NETLINK_AUDIT_SOCKET;
1131 case NETLINK_IP6_FW:
1132 return SECCLASS_NETLINK_IP6FW_SOCKET;
1133 case NETLINK_DNRTMSG:
1134 return SECCLASS_NETLINK_DNRT_SOCKET;
1135 case NETLINK_KOBJECT_UEVENT:
1136 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1138 return SECCLASS_NETLINK_SOCKET;
1141 return SECCLASS_PACKET_SOCKET;
1143 return SECCLASS_KEY_SOCKET;
1145 return SECCLASS_APPLETALK_SOCKET;
1148 return SECCLASS_SOCKET;
1151 #ifdef CONFIG_PROC_FS
1152 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1157 char *buffer, *path, *end;
1159 buffer = (char *)__get_free_page(GFP_KERNEL);
1164 end = buffer+buflen;
1169 while (de && de != de->parent) {
1170 buflen -= de->namelen + 1;
1174 memcpy(end, de->name, de->namelen);
1179 rc = security_genfs_sid("proc", path, tclass, sid);
1180 free_page((unsigned long)buffer);
1184 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1192 /* The inode's security attributes must be initialized before first use. */
1193 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1195 struct superblock_security_struct *sbsec = NULL;
1196 struct inode_security_struct *isec = inode->i_security;
1198 struct dentry *dentry;
1199 #define INITCONTEXTLEN 255
1200 char *context = NULL;
1204 if (isec->initialized)
1207 mutex_lock(&isec->lock);
1208 if (isec->initialized)
1211 sbsec = inode->i_sb->s_security;
1212 if (!sbsec->initialized) {
1213 /* Defer initialization until selinux_complete_init,
1214 after the initial policy is loaded and the security
1215 server is ready to handle calls. */
1216 spin_lock(&sbsec->isec_lock);
1217 if (list_empty(&isec->list))
1218 list_add(&isec->list, &sbsec->isec_head);
1219 spin_unlock(&sbsec->isec_lock);
1223 switch (sbsec->behavior) {
1224 case SECURITY_FS_USE_XATTR:
1225 if (!inode->i_op->getxattr) {
1226 isec->sid = sbsec->def_sid;
1230 /* Need a dentry, since the xattr API requires one.
1231 Life would be simpler if we could just pass the inode. */
1233 /* Called from d_instantiate or d_splice_alias. */
1234 dentry = dget(opt_dentry);
1236 /* Called from selinux_complete_init, try to find a dentry. */
1237 dentry = d_find_alias(inode);
1240 printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
1241 "ino=%ld\n", __func__, inode->i_sb->s_id,
1246 len = INITCONTEXTLEN;
1247 context = kmalloc(len, GFP_NOFS);
1253 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1255 if (rc == -ERANGE) {
1256 /* Need a larger buffer. Query for the right size. */
1257 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1265 context = kmalloc(len, GFP_NOFS);
1271 rc = inode->i_op->getxattr(dentry,
1277 if (rc != -ENODATA) {
1278 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1279 "%d for dev=%s ino=%ld\n", __func__,
1280 -rc, inode->i_sb->s_id, inode->i_ino);
1284 /* Map ENODATA to the default file SID */
1285 sid = sbsec->def_sid;
1288 rc = security_context_to_sid_default(context, rc, &sid,
1292 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1293 "returned %d for dev=%s ino=%ld\n",
1294 __func__, context, -rc,
1295 inode->i_sb->s_id, inode->i_ino);
1297 /* Leave with the unlabeled SID */
1305 case SECURITY_FS_USE_TASK:
1306 isec->sid = isec->task_sid;
1308 case SECURITY_FS_USE_TRANS:
1309 /* Default to the fs SID. */
1310 isec->sid = sbsec->sid;
1312 /* Try to obtain a transition SID. */
1313 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1314 rc = security_transition_sid(isec->task_sid,
1322 case SECURITY_FS_USE_MNTPOINT:
1323 isec->sid = sbsec->mntpoint_sid;
1326 /* Default to the fs superblock SID. */
1327 isec->sid = sbsec->sid;
1329 if (sbsec->proc && !S_ISLNK(inode->i_mode)) {
1330 struct proc_inode *proci = PROC_I(inode);
1332 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1333 rc = selinux_proc_get_sid(proci->pde,
1344 isec->initialized = 1;
1347 mutex_unlock(&isec->lock);
1349 if (isec->sclass == SECCLASS_FILE)
1350 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1354 /* Convert a Linux signal to an access vector. */
1355 static inline u32 signal_to_av(int sig)
1361 /* Commonly granted from child to parent. */
1362 perm = PROCESS__SIGCHLD;
1365 /* Cannot be caught or ignored */
1366 perm = PROCESS__SIGKILL;
1369 /* Cannot be caught or ignored */
1370 perm = PROCESS__SIGSTOP;
1373 /* All other signals. */
1374 perm = PROCESS__SIGNAL;
1382 * Check permission between a pair of credentials
1383 * fork check, ptrace check, etc.
1385 static int cred_has_perm(const struct cred *actor,
1386 const struct cred *target,
1389 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1391 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1395 * Check permission between a pair of tasks, e.g. signal checks,
1396 * fork check, ptrace check, etc.
1397 * tsk1 is the actor and tsk2 is the target
1398 * - this uses the default subjective creds of tsk1
1400 static int task_has_perm(const struct task_struct *tsk1,
1401 const struct task_struct *tsk2,
1404 const struct task_security_struct *__tsec1, *__tsec2;
1408 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1409 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1411 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1415 * Check permission between current and another task, e.g. signal checks,
1416 * fork check, ptrace check, etc.
1417 * current is the actor and tsk2 is the target
1418 * - this uses current's subjective creds
1420 static int current_has_perm(const struct task_struct *tsk,
1425 sid = current_sid();
1426 tsid = task_sid(tsk);
1427 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1430 #if CAP_LAST_CAP > 63
1431 #error Fix SELinux to handle capabilities > 63.
1434 /* Check whether a task is allowed to use a capability. */
1435 static int task_has_capability(struct task_struct *tsk,
1436 const struct cred *cred,
1439 struct avc_audit_data ad;
1440 struct av_decision avd;
1442 u32 sid = cred_sid(cred);
1443 u32 av = CAP_TO_MASK(cap);
1446 AVC_AUDIT_DATA_INIT(&ad, CAP);
1450 switch (CAP_TO_INDEX(cap)) {
1452 sclass = SECCLASS_CAPABILITY;
1455 sclass = SECCLASS_CAPABILITY2;
1459 "SELinux: out of range capability %d\n", cap);
1463 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1464 if (audit == SECURITY_CAP_AUDIT)
1465 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1469 /* Check whether a task is allowed to use a system operation. */
1470 static int task_has_system(struct task_struct *tsk,
1473 u32 sid = task_sid(tsk);
1475 return avc_has_perm(sid, SECINITSID_KERNEL,
1476 SECCLASS_SYSTEM, perms, NULL);
1479 /* Check whether a task has a particular permission to an inode.
1480 The 'adp' parameter is optional and allows other audit
1481 data to be passed (e.g. the dentry). */
1482 static int inode_has_perm(const struct cred *cred,
1483 struct inode *inode,
1485 struct avc_audit_data *adp)
1487 struct inode_security_struct *isec;
1488 struct avc_audit_data ad;
1491 if (unlikely(IS_PRIVATE(inode)))
1494 sid = cred_sid(cred);
1495 isec = inode->i_security;
1499 AVC_AUDIT_DATA_INIT(&ad, FS);
1500 ad.u.fs.inode = inode;
1503 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1506 /* Same as inode_has_perm, but pass explicit audit data containing
1507 the dentry to help the auditing code to more easily generate the
1508 pathname if needed. */
1509 static inline int dentry_has_perm(const struct cred *cred,
1510 struct vfsmount *mnt,
1511 struct dentry *dentry,
1514 struct inode *inode = dentry->d_inode;
1515 struct avc_audit_data ad;
1517 AVC_AUDIT_DATA_INIT(&ad, FS);
1518 ad.u.fs.path.mnt = mnt;
1519 ad.u.fs.path.dentry = dentry;
1520 return inode_has_perm(cred, inode, av, &ad);
1523 /* Check whether a task can use an open file descriptor to
1524 access an inode in a given way. Check access to the
1525 descriptor itself, and then use dentry_has_perm to
1526 check a particular permission to the file.
1527 Access to the descriptor is implicitly granted if it
1528 has the same SID as the process. If av is zero, then
1529 access to the file is not checked, e.g. for cases
1530 where only the descriptor is affected like seek. */
1531 static int file_has_perm(const struct cred *cred,
1535 struct file_security_struct *fsec = file->f_security;
1536 struct inode *inode = file->f_path.dentry->d_inode;
1537 struct avc_audit_data ad;
1538 u32 sid = cred_sid(cred);
1541 AVC_AUDIT_DATA_INIT(&ad, FS);
1542 ad.u.fs.path = file->f_path;
1544 if (sid != fsec->sid) {
1545 rc = avc_has_perm(sid, fsec->sid,
1553 /* av is zero if only checking access to the descriptor. */
1556 rc = inode_has_perm(cred, inode, av, &ad);
1562 /* Check whether a task can create a file. */
1563 static int may_create(struct inode *dir,
1564 struct dentry *dentry,
1567 const struct cred *cred = current_cred();
1568 const struct task_security_struct *tsec = cred->security;
1569 struct inode_security_struct *dsec;
1570 struct superblock_security_struct *sbsec;
1572 struct avc_audit_data ad;
1575 dsec = dir->i_security;
1576 sbsec = dir->i_sb->s_security;
1579 newsid = tsec->create_sid;
1581 AVC_AUDIT_DATA_INIT(&ad, FS);
1582 ad.u.fs.path.dentry = dentry;
1584 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1585 DIR__ADD_NAME | DIR__SEARCH,
1590 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
1591 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1596 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1600 return avc_has_perm(newsid, sbsec->sid,
1601 SECCLASS_FILESYSTEM,
1602 FILESYSTEM__ASSOCIATE, &ad);
1605 /* Check whether a task can create a key. */
1606 static int may_create_key(u32 ksid,
1607 struct task_struct *ctx)
1609 u32 sid = task_sid(ctx);
1611 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1615 #define MAY_UNLINK 1
1618 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1619 static int may_link(struct inode *dir,
1620 struct dentry *dentry,
1624 struct inode_security_struct *dsec, *isec;
1625 struct avc_audit_data ad;
1626 u32 sid = current_sid();
1630 dsec = dir->i_security;
1631 isec = dentry->d_inode->i_security;
1633 AVC_AUDIT_DATA_INIT(&ad, FS);
1634 ad.u.fs.path.dentry = dentry;
1637 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1638 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1653 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1658 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1662 static inline int may_rename(struct inode *old_dir,
1663 struct dentry *old_dentry,
1664 struct inode *new_dir,
1665 struct dentry *new_dentry)
1667 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1668 struct avc_audit_data ad;
1669 u32 sid = current_sid();
1671 int old_is_dir, new_is_dir;
1674 old_dsec = old_dir->i_security;
1675 old_isec = old_dentry->d_inode->i_security;
1676 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1677 new_dsec = new_dir->i_security;
1679 AVC_AUDIT_DATA_INIT(&ad, FS);
1681 ad.u.fs.path.dentry = old_dentry;
1682 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1683 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1686 rc = avc_has_perm(sid, old_isec->sid,
1687 old_isec->sclass, FILE__RENAME, &ad);
1690 if (old_is_dir && new_dir != old_dir) {
1691 rc = avc_has_perm(sid, old_isec->sid,
1692 old_isec->sclass, DIR__REPARENT, &ad);
1697 ad.u.fs.path.dentry = new_dentry;
1698 av = DIR__ADD_NAME | DIR__SEARCH;
1699 if (new_dentry->d_inode)
1700 av |= DIR__REMOVE_NAME;
1701 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1704 if (new_dentry->d_inode) {
1705 new_isec = new_dentry->d_inode->i_security;
1706 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1707 rc = avc_has_perm(sid, new_isec->sid,
1709 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1717 /* Check whether a task can perform a filesystem operation. */
1718 static int superblock_has_perm(const struct cred *cred,
1719 struct super_block *sb,
1721 struct avc_audit_data *ad)
1723 struct superblock_security_struct *sbsec;
1724 u32 sid = cred_sid(cred);
1726 sbsec = sb->s_security;
1727 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1730 /* Convert a Linux mode and permission mask to an access vector. */
1731 static inline u32 file_mask_to_av(int mode, int mask)
1735 if ((mode & S_IFMT) != S_IFDIR) {
1736 if (mask & MAY_EXEC)
1737 av |= FILE__EXECUTE;
1738 if (mask & MAY_READ)
1741 if (mask & MAY_APPEND)
1743 else if (mask & MAY_WRITE)
1747 if (mask & MAY_EXEC)
1749 if (mask & MAY_WRITE)
1751 if (mask & MAY_READ)
1758 /* Convert a Linux file to an access vector. */
1759 static inline u32 file_to_av(struct file *file)
1763 if (file->f_mode & FMODE_READ)
1765 if (file->f_mode & FMODE_WRITE) {
1766 if (file->f_flags & O_APPEND)
1773 * Special file opened with flags 3 for ioctl-only use.
1782 * Convert a file to an access vector and include the correct open
1785 static inline u32 open_file_to_av(struct file *file)
1787 u32 av = file_to_av(file);
1789 if (selinux_policycap_openperm) {
1790 mode_t mode = file->f_path.dentry->d_inode->i_mode;
1792 * lnk files and socks do not really have an 'open'
1796 else if (S_ISCHR(mode))
1797 av |= CHR_FILE__OPEN;
1798 else if (S_ISBLK(mode))
1799 av |= BLK_FILE__OPEN;
1800 else if (S_ISFIFO(mode))
1801 av |= FIFO_FILE__OPEN;
1802 else if (S_ISDIR(mode))
1805 printk(KERN_ERR "SELinux: WARNING: inside %s with "
1806 "unknown mode:%o\n", __func__, mode);
1811 /* Hook functions begin here. */
1813 static int selinux_ptrace_may_access(struct task_struct *child,
1818 rc = secondary_ops->ptrace_may_access(child, mode);
1822 if (mode == PTRACE_MODE_READ) {
1823 u32 sid = current_sid();
1824 u32 csid = task_sid(child);
1825 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1828 return current_has_perm(child, PROCESS__PTRACE);
1831 static int selinux_ptrace_traceme(struct task_struct *parent)
1835 rc = secondary_ops->ptrace_traceme(parent);
1839 return task_has_perm(parent, current, PROCESS__PTRACE);
1842 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1843 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1847 error = current_has_perm(target, PROCESS__GETCAP);
1851 return secondary_ops->capget(target, effective, inheritable, permitted);
1854 static int selinux_capset(struct cred *new, const struct cred *old,
1855 const kernel_cap_t *effective,
1856 const kernel_cap_t *inheritable,
1857 const kernel_cap_t *permitted)
1861 error = secondary_ops->capset(new, old,
1862 effective, inheritable, permitted);
1866 return cred_has_perm(old, new, PROCESS__SETCAP);
1869 static int selinux_capable(int cap, int audit)
1873 rc = secondary_ops->capable(cap, audit);
1877 return task_has_capability(current, current_cred(), cap, audit);
1880 static int selinux_task_capable(struct task_struct *tsk,
1881 const struct cred *cred, int cap, int audit)
1885 rc = secondary_ops->task_capable(tsk, cred, cap, audit);
1889 return task_has_capability(tsk, cred, cap, audit);
1892 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1895 char *buffer, *path, *end;
1898 buffer = (char *)__get_free_page(GFP_KERNEL);
1903 end = buffer+buflen;
1909 const char *name = table->procname;
1910 size_t namelen = strlen(name);
1911 buflen -= namelen + 1;
1915 memcpy(end, name, namelen);
1918 table = table->parent;
1924 memcpy(end, "/sys", 4);
1926 rc = security_genfs_sid("proc", path, tclass, sid);
1928 free_page((unsigned long)buffer);
1933 static int selinux_sysctl(ctl_table *table, int op)
1940 rc = secondary_ops->sysctl(table, op);
1944 sid = current_sid();
1946 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1947 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1949 /* Default to the well-defined sysctl SID. */
1950 tsid = SECINITSID_SYSCTL;
1953 /* The op values are "defined" in sysctl.c, thereby creating
1954 * a bad coupling between this module and sysctl.c */
1956 error = avc_has_perm(sid, tsid,
1957 SECCLASS_DIR, DIR__SEARCH, NULL);
1965 error = avc_has_perm(sid, tsid,
1966 SECCLASS_FILE, av, NULL);
1972 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1974 const struct cred *cred = current_cred();
1986 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1991 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1994 rc = 0; /* let the kernel handle invalid cmds */
2000 static int selinux_quota_on(struct dentry *dentry)
2002 const struct cred *cred = current_cred();
2004 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
2007 static int selinux_syslog(int type)
2011 rc = secondary_ops->syslog(type);
2016 case 3: /* Read last kernel messages */
2017 case 10: /* Return size of the log buffer */
2018 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2020 case 6: /* Disable logging to console */
2021 case 7: /* Enable logging to console */
2022 case 8: /* Set level of messages printed to console */
2023 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2025 case 0: /* Close log */
2026 case 1: /* Open log */
2027 case 2: /* Read from log */
2028 case 4: /* Read/clear last kernel messages */
2029 case 5: /* Clear ring buffer */
2031 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2038 * Check that a process has enough memory to allocate a new virtual
2039 * mapping. 0 means there is enough memory for the allocation to
2040 * succeed and -ENOMEM implies there is not.
2042 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
2043 * if the capability is granted, but __vm_enough_memory requires 1 if
2044 * the capability is granted.
2046 * Do not audit the selinux permission check, as this is applied to all
2047 * processes that allocate mappings.
2049 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2051 int rc, cap_sys_admin = 0;
2053 rc = selinux_capable(CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
2057 return __vm_enough_memory(mm, pages, cap_sys_admin);
2060 /* binprm security operations */
2062 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2064 const struct task_security_struct *old_tsec;
2065 struct task_security_struct *new_tsec;
2066 struct inode_security_struct *isec;
2067 struct avc_audit_data ad;
2068 struct inode *inode = bprm->file->f_path.dentry->d_inode;
2071 rc = secondary_ops->bprm_set_creds(bprm);
2075 /* SELinux context only depends on initial program or script and not
2076 * the script interpreter */
2077 if (bprm->cred_prepared)
2080 old_tsec = current_security();
2081 new_tsec = bprm->cred->security;
2082 isec = inode->i_security;
2084 /* Default to the current task SID. */
2085 new_tsec->sid = old_tsec->sid;
2086 new_tsec->osid = old_tsec->sid;
2088 /* Reset fs, key, and sock SIDs on execve. */
2089 new_tsec->create_sid = 0;
2090 new_tsec->keycreate_sid = 0;
2091 new_tsec->sockcreate_sid = 0;
2093 if (old_tsec->exec_sid) {
2094 new_tsec->sid = old_tsec->exec_sid;
2095 /* Reset exec SID on execve. */
2096 new_tsec->exec_sid = 0;
2098 /* Check for a default transition on this program. */
2099 rc = security_transition_sid(old_tsec->sid, isec->sid,
2100 SECCLASS_PROCESS, &new_tsec->sid);
2105 AVC_AUDIT_DATA_INIT(&ad, FS);
2106 ad.u.fs.path = bprm->file->f_path;
2108 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2109 new_tsec->sid = old_tsec->sid;
2111 if (new_tsec->sid == old_tsec->sid) {
2112 rc = avc_has_perm(old_tsec->sid, isec->sid,
2113 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2117 /* Check permissions for the transition. */
2118 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2119 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2123 rc = avc_has_perm(new_tsec->sid, isec->sid,
2124 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2128 /* Check for shared state */
2129 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2130 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2131 SECCLASS_PROCESS, PROCESS__SHARE,
2137 /* Make sure that anyone attempting to ptrace over a task that
2138 * changes its SID has the appropriate permit */
2140 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2141 struct task_struct *tracer;
2142 struct task_security_struct *sec;
2146 tracer = tracehook_tracer_task(current);
2147 if (likely(tracer != NULL)) {
2148 sec = __task_cred(tracer)->security;
2154 rc = avc_has_perm(ptsid, new_tsec->sid,
2156 PROCESS__PTRACE, NULL);
2162 /* Clear any possibly unsafe personality bits on exec: */
2163 bprm->per_clear |= PER_CLEAR_ON_SETID;
2169 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2171 return secondary_ops->bprm_check_security(bprm);
2174 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2176 const struct cred *cred = current_cred();
2177 const struct task_security_struct *tsec = cred->security;
2185 /* Enable secure mode for SIDs transitions unless
2186 the noatsecure permission is granted between
2187 the two SIDs, i.e. ahp returns 0. */
2188 atsecure = avc_has_perm(osid, sid,
2190 PROCESS__NOATSECURE, NULL);
2193 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2196 extern struct vfsmount *selinuxfs_mount;
2197 extern struct dentry *selinux_null;
2199 /* Derived from fs/exec.c:flush_old_files. */
2200 static inline void flush_unauthorized_files(const struct cred *cred,
2201 struct files_struct *files)
2203 struct avc_audit_data ad;
2204 struct file *file, *devnull = NULL;
2205 struct tty_struct *tty;
2206 struct fdtable *fdt;
2210 tty = get_current_tty();
2213 if (!list_empty(&tty->tty_files)) {
2214 struct inode *inode;
2216 /* Revalidate access to controlling tty.
2217 Use inode_has_perm on the tty inode directly rather
2218 than using file_has_perm, as this particular open
2219 file may belong to another process and we are only
2220 interested in the inode-based check here. */
2221 file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2222 inode = file->f_path.dentry->d_inode;
2223 if (inode_has_perm(cred, inode,
2224 FILE__READ | FILE__WRITE, NULL)) {
2231 /* Reset controlling tty. */
2235 /* Revalidate access to inherited open files. */
2237 AVC_AUDIT_DATA_INIT(&ad, FS);
2239 spin_lock(&files->file_lock);
2241 unsigned long set, i;
2246 fdt = files_fdtable(files);
2247 if (i >= fdt->max_fds)
2249 set = fdt->open_fds->fds_bits[j];
2252 spin_unlock(&files->file_lock);
2253 for ( ; set ; i++, set >>= 1) {
2258 if (file_has_perm(cred,
2260 file_to_av(file))) {
2262 fd = get_unused_fd();
2272 devnull = dentry_open(
2274 mntget(selinuxfs_mount),
2276 if (IS_ERR(devnull)) {
2283 fd_install(fd, devnull);
2288 spin_lock(&files->file_lock);
2291 spin_unlock(&files->file_lock);
2295 * Prepare a process for imminent new credential changes due to exec
2297 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2299 struct task_security_struct *new_tsec;
2300 struct rlimit *rlim, *initrlim;
2303 secondary_ops->bprm_committing_creds(bprm);
2305 new_tsec = bprm->cred->security;
2306 if (new_tsec->sid == new_tsec->osid)
2309 /* Close files for which the new task SID is not authorized. */
2310 flush_unauthorized_files(bprm->cred, current->files);
2312 /* Always clear parent death signal on SID transitions. */
2313 current->pdeath_signal = 0;
2315 /* Check whether the new SID can inherit resource limits from the old
2316 * SID. If not, reset all soft limits to the lower of the current
2317 * task's hard limit and the init task's soft limit.
2319 * Note that the setting of hard limits (even to lower them) can be
2320 * controlled by the setrlimit check. The inclusion of the init task's
2321 * soft limit into the computation is to avoid resetting soft limits
2322 * higher than the default soft limit for cases where the default is
2323 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2325 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2326 PROCESS__RLIMITINH, NULL);
2328 for (i = 0; i < RLIM_NLIMITS; i++) {
2329 rlim = current->signal->rlim + i;
2330 initrlim = init_task.signal->rlim + i;
2331 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2333 update_rlimit_cpu(rlim->rlim_cur);
2338 * Clean up the process immediately after the installation of new credentials
2341 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2343 const struct task_security_struct *tsec = current_security();
2344 struct itimerval itimer;
2345 struct sighand_struct *psig;
2348 unsigned long flags;
2350 secondary_ops->bprm_committed_creds(bprm);
2358 /* Check whether the new SID can inherit signal state from the old SID.
2359 * If not, clear itimers to avoid subsequent signal generation and
2360 * flush and unblock signals.
2362 * This must occur _after_ the task SID has been updated so that any
2363 * kill done after the flush will be checked against the new SID.
2365 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2367 memset(&itimer, 0, sizeof itimer);
2368 for (i = 0; i < 3; i++)
2369 do_setitimer(i, &itimer, NULL);
2370 flush_signals(current);
2371 spin_lock_irq(¤t->sighand->siglock);
2372 flush_signal_handlers(current, 1);
2373 sigemptyset(¤t->blocked);
2374 recalc_sigpending();
2375 spin_unlock_irq(¤t->sighand->siglock);
2378 /* Wake up the parent if it is waiting so that it can recheck
2379 * wait permission to the new task SID. */
2380 read_lock_irq(&tasklist_lock);
2381 psig = current->parent->sighand;
2382 spin_lock_irqsave(&psig->siglock, flags);
2383 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
2384 spin_unlock_irqrestore(&psig->siglock, flags);
2385 read_unlock_irq(&tasklist_lock);
2388 /* superblock security operations */
2390 static int selinux_sb_alloc_security(struct super_block *sb)
2392 return superblock_alloc_security(sb);
2395 static void selinux_sb_free_security(struct super_block *sb)
2397 superblock_free_security(sb);
2400 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2405 return !memcmp(prefix, option, plen);
2408 static inline int selinux_option(char *option, int len)
2410 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2411 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2412 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2413 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2416 static inline void take_option(char **to, char *from, int *first, int len)
2423 memcpy(*to, from, len);
2427 static inline void take_selinux_option(char **to, char *from, int *first,
2430 int current_size = 0;
2438 while (current_size < len) {
2448 static int selinux_sb_copy_data(char *orig, char *copy)
2450 int fnosec, fsec, rc = 0;
2451 char *in_save, *in_curr, *in_end;
2452 char *sec_curr, *nosec_save, *nosec;
2458 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2466 in_save = in_end = orig;
2470 open_quote = !open_quote;
2471 if ((*in_end == ',' && open_quote == 0) ||
2473 int len = in_end - in_curr;
2475 if (selinux_option(in_curr, len))
2476 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2478 take_option(&nosec, in_curr, &fnosec, len);
2480 in_curr = in_end + 1;
2482 } while (*in_end++);
2484 strcpy(in_save, nosec_save);
2485 free_page((unsigned long)nosec_save);
2490 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2492 const struct cred *cred = current_cred();
2493 struct avc_audit_data ad;
2496 rc = superblock_doinit(sb, data);
2500 /* Allow all mounts performed by the kernel */
2501 if (flags & MS_KERNMOUNT)
2504 AVC_AUDIT_DATA_INIT(&ad, FS);
2505 ad.u.fs.path.dentry = sb->s_root;
2506 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2509 static int selinux_sb_statfs(struct dentry *dentry)
2511 const struct cred *cred = current_cred();
2512 struct avc_audit_data ad;
2514 AVC_AUDIT_DATA_INIT(&ad, FS);
2515 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2516 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2519 static int selinux_mount(char *dev_name,
2522 unsigned long flags,
2525 const struct cred *cred = current_cred();
2528 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2532 if (flags & MS_REMOUNT)
2533 return superblock_has_perm(cred, path->mnt->mnt_sb,
2534 FILESYSTEM__REMOUNT, NULL);
2536 return dentry_has_perm(cred, path->mnt, path->dentry,
2540 static int selinux_umount(struct vfsmount *mnt, int flags)
2542 const struct cred *cred = current_cred();
2545 rc = secondary_ops->sb_umount(mnt, flags);
2549 return superblock_has_perm(cred, mnt->mnt_sb,
2550 FILESYSTEM__UNMOUNT, NULL);
2553 /* inode security operations */
2555 static int selinux_inode_alloc_security(struct inode *inode)
2557 return inode_alloc_security(inode);
2560 static void selinux_inode_free_security(struct inode *inode)
2562 inode_free_security(inode);
2565 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2566 char **name, void **value,
2569 const struct cred *cred = current_cred();
2570 const struct task_security_struct *tsec = cred->security;
2571 struct inode_security_struct *dsec;
2572 struct superblock_security_struct *sbsec;
2573 u32 sid, newsid, clen;
2575 char *namep = NULL, *context;
2577 dsec = dir->i_security;
2578 sbsec = dir->i_sb->s_security;
2581 newsid = tsec->create_sid;
2583 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
2584 rc = security_transition_sid(sid, dsec->sid,
2585 inode_mode_to_security_class(inode->i_mode),
2588 printk(KERN_WARNING "%s: "
2589 "security_transition_sid failed, rc=%d (dev=%s "
2592 -rc, inode->i_sb->s_id, inode->i_ino);
2597 /* Possibly defer initialization to selinux_complete_init. */
2598 if (sbsec->initialized) {
2599 struct inode_security_struct *isec = inode->i_security;
2600 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2602 isec->initialized = 1;
2605 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2609 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2616 rc = security_sid_to_context_force(newsid, &context, &clen);
2628 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2630 return may_create(dir, dentry, SECCLASS_FILE);
2633 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2637 rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2640 return may_link(dir, old_dentry, MAY_LINK);
2643 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2647 rc = secondary_ops->inode_unlink(dir, dentry);
2650 return may_link(dir, dentry, MAY_UNLINK);
2653 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2655 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2658 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2660 return may_create(dir, dentry, SECCLASS_DIR);
2663 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2665 return may_link(dir, dentry, MAY_RMDIR);
2668 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2672 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2676 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2679 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2680 struct inode *new_inode, struct dentry *new_dentry)
2682 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2685 static int selinux_inode_readlink(struct dentry *dentry)
2687 const struct cred *cred = current_cred();
2689 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2692 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2694 const struct cred *cred = current_cred();
2697 rc = secondary_ops->inode_follow_link(dentry, nameidata);
2700 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2703 static int selinux_inode_permission(struct inode *inode, int mask)
2705 const struct cred *cred = current_cred();
2708 rc = secondary_ops->inode_permission(inode, mask);
2713 /* No permission to check. Existence test. */
2717 return inode_has_perm(cred, inode,
2718 file_mask_to_av(inode->i_mode, mask), NULL);
2721 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2723 const struct cred *cred = current_cred();
2726 rc = secondary_ops->inode_setattr(dentry, iattr);
2730 if (iattr->ia_valid & ATTR_FORCE)
2733 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2734 ATTR_ATIME_SET | ATTR_MTIME_SET))
2735 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2737 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2740 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2742 const struct cred *cred = current_cred();
2744 return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2747 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2749 const struct cred *cred = current_cred();
2751 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2752 sizeof XATTR_SECURITY_PREFIX - 1)) {
2753 if (!strcmp(name, XATTR_NAME_CAPS)) {
2754 if (!capable(CAP_SETFCAP))
2756 } else if (!capable(CAP_SYS_ADMIN)) {
2757 /* A different attribute in the security namespace.
2758 Restrict to administrator. */
2763 /* Not an attribute we recognize, so just check the
2764 ordinary setattr permission. */
2765 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2768 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2769 const void *value, size_t size, int flags)
2771 struct inode *inode = dentry->d_inode;
2772 struct inode_security_struct *isec = inode->i_security;
2773 struct superblock_security_struct *sbsec;
2774 struct avc_audit_data ad;
2775 u32 newsid, sid = current_sid();
2778 if (strcmp(name, XATTR_NAME_SELINUX))
2779 return selinux_inode_setotherxattr(dentry, name);
2781 sbsec = inode->i_sb->s_security;
2782 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2785 if (!is_owner_or_cap(inode))
2788 AVC_AUDIT_DATA_INIT(&ad, FS);
2789 ad.u.fs.path.dentry = dentry;
2791 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2792 FILE__RELABELFROM, &ad);
2796 rc = security_context_to_sid(value, size, &newsid);
2797 if (rc == -EINVAL) {
2798 if (!capable(CAP_MAC_ADMIN))
2800 rc = security_context_to_sid_force(value, size, &newsid);
2805 rc = avc_has_perm(sid, newsid, isec->sclass,
2806 FILE__RELABELTO, &ad);
2810 rc = security_validate_transition(isec->sid, newsid, sid,
2815 return avc_has_perm(newsid,
2817 SECCLASS_FILESYSTEM,
2818 FILESYSTEM__ASSOCIATE,
2822 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2823 const void *value, size_t size,
2826 struct inode *inode = dentry->d_inode;
2827 struct inode_security_struct *isec = inode->i_security;
2831 if (strcmp(name, XATTR_NAME_SELINUX)) {
2832 /* Not an attribute we recognize, so nothing to do. */
2836 rc = security_context_to_sid_force(value, size, &newsid);
2838 printk(KERN_ERR "SELinux: unable to map context to SID"
2839 "for (%s, %lu), rc=%d\n",
2840 inode->i_sb->s_id, inode->i_ino, -rc);
2848 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2850 const struct cred *cred = current_cred();
2852 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2855 static int selinux_inode_listxattr(struct dentry *dentry)
2857 const struct cred *cred = current_cred();
2859 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2862 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2864 if (strcmp(name, XATTR_NAME_SELINUX))
2865 return selinux_inode_setotherxattr(dentry, name);
2867 /* No one is allowed to remove a SELinux security label.
2868 You can change the label, but all data must be labeled. */
2873 * Copy the inode security context value to the user.
2875 * Permission check is handled by selinux_inode_getxattr hook.
2877 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2881 char *context = NULL;
2882 struct inode_security_struct *isec = inode->i_security;
2884 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2888 * If the caller has CAP_MAC_ADMIN, then get the raw context
2889 * value even if it is not defined by current policy; otherwise,
2890 * use the in-core value under current policy.
2891 * Use the non-auditing forms of the permission checks since
2892 * getxattr may be called by unprivileged processes commonly
2893 * and lack of permission just means that we fall back to the
2894 * in-core context value, not a denial.
2896 error = selinux_capable(CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
2898 error = security_sid_to_context_force(isec->sid, &context,
2901 error = security_sid_to_context(isec->sid, &context, &size);
2914 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2915 const void *value, size_t size, int flags)
2917 struct inode_security_struct *isec = inode->i_security;
2921 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2924 if (!value || !size)
2927 rc = security_context_to_sid((void *)value, size, &newsid);
2935 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2937 const int len = sizeof(XATTR_NAME_SELINUX);
2938 if (buffer && len <= buffer_size)
2939 memcpy(buffer, XATTR_NAME_SELINUX, len);
2943 static int selinux_inode_need_killpriv(struct dentry *dentry)
2945 return secondary_ops->inode_need_killpriv(dentry);
2948 static int selinux_inode_killpriv(struct dentry *dentry)
2950 return secondary_ops->inode_killpriv(dentry);
2953 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2955 struct inode_security_struct *isec = inode->i_security;
2959 /* file security operations */
2961 static int selinux_revalidate_file_permission(struct file *file, int mask)
2963 const struct cred *cred = current_cred();
2965 struct inode *inode = file->f_path.dentry->d_inode;
2968 /* No permission to check. Existence test. */
2972 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2973 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2976 rc = file_has_perm(cred, file,
2977 file_mask_to_av(inode->i_mode, mask));
2981 return selinux_netlbl_inode_permission(inode, mask);
2984 static int selinux_file_permission(struct file *file, int mask)
2986 struct inode *inode = file->f_path.dentry->d_inode;
2987 struct file_security_struct *fsec = file->f_security;
2988 struct inode_security_struct *isec = inode->i_security;
2989 u32 sid = current_sid();
2992 /* No permission to check. Existence test. */
2996 if (sid == fsec->sid && fsec->isid == isec->sid
2997 && fsec->pseqno == avc_policy_seqno())
2998 return selinux_netlbl_inode_permission(inode, mask);
3000 return selinux_revalidate_file_permission(file, mask);
3003 static int selinux_file_alloc_security(struct file *file)
3005 return file_alloc_security(file);
3008 static void selinux_file_free_security(struct file *file)
3010 file_free_security(file);
3013 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3016 const struct cred *cred = current_cred();
3019 if (_IOC_DIR(cmd) & _IOC_WRITE)
3021 if (_IOC_DIR(cmd) & _IOC_READ)
3026 return file_has_perm(cred, file, av);
3029 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3031 const struct cred *cred = current_cred();
3034 #ifndef CONFIG_PPC32
3035 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3037 * We are making executable an anonymous mapping or a
3038 * private file mapping that will also be writable.
3039 * This has an additional check.
3041 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3048 /* read access is always possible with a mapping */
3049 u32 av = FILE__READ;
3051 /* write access only matters if the mapping is shared */
3052 if (shared && (prot & PROT_WRITE))
3055 if (prot & PROT_EXEC)
3056 av |= FILE__EXECUTE;
3058 return file_has_perm(cred, file, av);
3065 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3066 unsigned long prot, unsigned long flags,
3067 unsigned long addr, unsigned long addr_only)
3070 u32 sid = current_sid();
3072 if (addr < mmap_min_addr)
3073 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3074 MEMPROTECT__MMAP_ZERO, NULL);
3075 if (rc || addr_only)
3078 if (selinux_checkreqprot)
3081 return file_map_prot_check(file, prot,
3082 (flags & MAP_TYPE) == MAP_SHARED);
3085 static int selinux_file_mprotect(struct vm_area_struct *vma,
3086 unsigned long reqprot,
3089 const struct cred *cred = current_cred();
3092 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3096 if (selinux_checkreqprot)
3099 #ifndef CONFIG_PPC32
3100 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3102 if (vma->vm_start >= vma->vm_mm->start_brk &&
3103 vma->vm_end <= vma->vm_mm->brk) {
3104 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3105 } else if (!vma->vm_file &&
3106 vma->vm_start <= vma->vm_mm->start_stack &&
3107 vma->vm_end >= vma->vm_mm->start_stack) {
3108 rc = current_has_perm(current, PROCESS__EXECSTACK);
3109 } else if (vma->vm_file && vma->anon_vma) {
3111 * We are making executable a file mapping that has
3112 * had some COW done. Since pages might have been
3113 * written, check ability to execute the possibly
3114 * modified content. This typically should only
3115 * occur for text relocations.
3117 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3124 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3127 static int selinux_file_lock(struct file *file, unsigned int cmd)
3129 const struct cred *cred = current_cred();
3131 return file_has_perm(cred, file, FILE__LOCK);
3134 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3137 const struct cred *cred = current_cred();
3142 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3147 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3148 err = file_has_perm(cred, file, FILE__WRITE);
3157 /* Just check FD__USE permission */
3158 err = file_has_perm(cred, file, 0);
3163 #if BITS_PER_LONG == 32
3168 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3172 err = file_has_perm(cred, file, FILE__LOCK);
3179 static int selinux_file_set_fowner(struct file *file)
3181 struct file_security_struct *fsec;
3183 fsec = file->f_security;
3184 fsec->fown_sid = current_sid();
3189 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3190 struct fown_struct *fown, int signum)
3193 u32 sid = current_sid();
3195 struct file_security_struct *fsec;
3197 /* struct fown_struct is never outside the context of a struct file */
3198 file = container_of(fown, struct file, f_owner);
3200 fsec = file->f_security;
3203 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3205 perm = signal_to_av(signum);
3207 return avc_has_perm(fsec->fown_sid, sid,
3208 SECCLASS_PROCESS, perm, NULL);
3211 static int selinux_file_receive(struct file *file)
3213 const struct cred *cred = current_cred();
3215 return file_has_perm(cred, file, file_to_av(file));
3218 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3220 struct file_security_struct *fsec;
3221 struct inode *inode;
3222 struct inode_security_struct *isec;
3224 inode = file->f_path.dentry->d_inode;
3225 fsec = file->f_security;
3226 isec = inode->i_security;
3228 * Save inode label and policy sequence number
3229 * at open-time so that selinux_file_permission
3230 * can determine whether revalidation is necessary.
3231 * Task label is already saved in the file security
3232 * struct as its SID.
3234 fsec->isid = isec->sid;
3235 fsec->pseqno = avc_policy_seqno();
3237 * Since the inode label or policy seqno may have changed
3238 * between the selinux_inode_permission check and the saving
3239 * of state above, recheck that access is still permitted.
3240 * Otherwise, access might never be revalidated against the
3241 * new inode label or new policy.
3242 * This check is not redundant - do not remove.
3244 return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3247 /* task security operations */
3249 static int selinux_task_create(unsigned long clone_flags)
3253 rc = secondary_ops->task_create(clone_flags);
3257 return current_has_perm(current, PROCESS__FORK);
3261 * detach and free the LSM part of a set of credentials
3263 static void selinux_cred_free(struct cred *cred)
3265 struct task_security_struct *tsec = cred->security;
3266 cred->security = NULL;
3271 * prepare a new set of credentials for modification
3273 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3276 const struct task_security_struct *old_tsec;
3277 struct task_security_struct *tsec;
3279 old_tsec = old->security;
3281 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3285 new->security = tsec;
3290 * commit new credentials
3292 static void selinux_cred_commit(struct cred *new, const struct cred *old)
3294 secondary_ops->cred_commit(new, old);
3298 * set the security data for a kernel service
3299 * - all the creation contexts are set to unlabelled
3301 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3303 struct task_security_struct *tsec = new->security;
3304 u32 sid = current_sid();
3307 ret = avc_has_perm(sid, secid,
3308 SECCLASS_KERNEL_SERVICE,
3309 KERNEL_SERVICE__USE_AS_OVERRIDE,
3313 tsec->create_sid = 0;
3314 tsec->keycreate_sid = 0;
3315 tsec->sockcreate_sid = 0;
3321 * set the file creation context in a security record to the same as the
3322 * objective context of the specified inode
3324 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3326 struct inode_security_struct *isec = inode->i_security;
3327 struct task_security_struct *tsec = new->security;
3328 u32 sid = current_sid();
3331 ret = avc_has_perm(sid, isec->sid,
3332 SECCLASS_KERNEL_SERVICE,
3333 KERNEL_SERVICE__CREATE_FILES_AS,
3337 tsec->create_sid = isec->sid;
3341 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3343 /* Since setuid only affects the current process, and
3344 since the SELinux controls are not based on the Linux
3345 identity attributes, SELinux does not need to control
3346 this operation. However, SELinux does control the use
3347 of the CAP_SETUID and CAP_SETGID capabilities using the
3352 static int selinux_task_fix_setuid(struct cred *new, const struct cred *old,
3355 return secondary_ops->task_fix_setuid(new, old, flags);
3358 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3360 /* See the comment for setuid above. */
3364 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3366 return current_has_perm(p, PROCESS__SETPGID);
3369 static int selinux_task_getpgid(struct task_struct *p)
3371 return current_has_perm(p, PROCESS__GETPGID);
3374 static int selinux_task_getsid(struct task_struct *p)
3376 return current_has_perm(p, PROCESS__GETSESSION);
3379 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3381 *secid = task_sid(p);
3384 static int selinux_task_setgroups(struct group_info *group_info)
3386 /* See the comment for setuid above. */
3390 static int selinux_task_setnice(struct task_struct *p, int nice)
3394 rc = secondary_ops->task_setnice(p, nice);
3398 return current_has_perm(p, PROCESS__SETSCHED);
3401 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3405 rc = secondary_ops->task_setioprio(p, ioprio);
3409 return current_has_perm(p, PROCESS__SETSCHED);
3412 static int selinux_task_getioprio(struct task_struct *p)
3414 return current_has_perm(p, PROCESS__GETSCHED);
3417 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3419 struct rlimit *old_rlim = current->signal->rlim + resource;
3422 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3426 /* Control the ability to change the hard limit (whether
3427 lowering or raising it), so that the hard limit can
3428 later be used as a safe reset point for the soft limit
3429 upon context transitions. See selinux_bprm_committing_creds. */
3430 if (old_rlim->rlim_max != new_rlim->rlim_max)
3431 return current_has_perm(current, PROCESS__SETRLIMIT);
3436 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3440 rc = secondary_ops->task_setscheduler(p, policy, lp);
3444 return current_has_perm(p, PROCESS__SETSCHED);
3447 static int selinux_task_getscheduler(struct task_struct *p)
3449 return current_has_perm(p, PROCESS__GETSCHED);
3452 static int selinux_task_movememory(struct task_struct *p)
3454 return current_has_perm(p, PROCESS__SETSCHED);
3457 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3463 rc = secondary_ops->task_kill(p, info, sig, secid);
3468 perm = PROCESS__SIGNULL; /* null signal; existence test */
3470 perm = signal_to_av(sig);
3472 rc = avc_has_perm(secid, task_sid(p),
3473 SECCLASS_PROCESS, perm, NULL);
3475 rc = current_has_perm(p, perm);
3479 static int selinux_task_prctl(int option,
3485 /* The current prctl operations do not appear to require
3486 any SELinux controls since they merely observe or modify
3487 the state of the current process. */
3488 return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5);
3491 static int selinux_task_wait(struct task_struct *p)
3493 return task_has_perm(p, current, PROCESS__SIGCHLD);
3496 static void selinux_task_to_inode(struct task_struct *p,
3497 struct inode *inode)
3499 struct inode_security_struct *isec = inode->i_security;
3500 u32 sid = task_sid(p);
3503 isec->initialized = 1;
3506 /* Returns error only if unable to parse addresses */
3507 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3508 struct avc_audit_data *ad, u8 *proto)
3510 int offset, ihlen, ret = -EINVAL;
3511 struct iphdr _iph, *ih;
3513 offset = skb_network_offset(skb);
3514 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3518 ihlen = ih->ihl * 4;
3519 if (ihlen < sizeof(_iph))
3522 ad->u.net.v4info.saddr = ih->saddr;
3523 ad->u.net.v4info.daddr = ih->daddr;
3527 *proto = ih->protocol;
3529 switch (ih->protocol) {
3531 struct tcphdr _tcph, *th;
3533 if (ntohs(ih->frag_off) & IP_OFFSET)
3537 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3541 ad->u.net.sport = th->source;
3542 ad->u.net.dport = th->dest;
3547 struct udphdr _udph, *uh;
3549 if (ntohs(ih->frag_off) & IP_OFFSET)
3553 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3557 ad->u.net.sport = uh->source;
3558 ad->u.net.dport = uh->dest;
3562 case IPPROTO_DCCP: {
3563 struct dccp_hdr _dccph, *dh;
3565 if (ntohs(ih->frag_off) & IP_OFFSET)
3569 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3573 ad->u.net.sport = dh->dccph_sport;
3574 ad->u.net.dport = dh->dccph_dport;
3585 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3587 /* Returns error only if unable to parse addresses */
3588 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3589 struct avc_audit_data *ad, u8 *proto)
3592 int ret = -EINVAL, offset;
3593 struct ipv6hdr _ipv6h, *ip6;
3595 offset = skb_network_offset(skb);
3596 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3600 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3601 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3604 nexthdr = ip6->nexthdr;
3605 offset += sizeof(_ipv6h);
3606 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3615 struct tcphdr _tcph, *th;
3617 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3621 ad->u.net.sport = th->source;
3622 ad->u.net.dport = th->dest;
3627 struct udphdr _udph, *uh;
3629 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3633 ad->u.net.sport = uh->source;
3634 ad->u.net.dport = uh->dest;
3638 case IPPROTO_DCCP: {
3639 struct dccp_hdr _dccph, *dh;
3641 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3645 ad->u.net.sport = dh->dccph_sport;
3646 ad->u.net.dport = dh->dccph_dport;
3650 /* includes fragments */
3660 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3661 char **_addrp, int src, u8 *proto)
3666 switch (ad->u.net.family) {
3668 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3671 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3672 &ad->u.net.v4info.daddr);
3675 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3677 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3680 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3681 &ad->u.net.v6info.daddr);
3691 "SELinux: failure in selinux_parse_skb(),"
3692 " unable to parse packet\n");
3702 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3704 * @family: protocol family
3705 * @sid: the packet's peer label SID
3708 * Check the various different forms of network peer labeling and determine
3709 * the peer label/SID for the packet; most of the magic actually occurs in
3710 * the security server function security_net_peersid_cmp(). The function
3711 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3712 * or -EACCES if @sid is invalid due to inconsistencies with the different
3716 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3723 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3724 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3726 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3727 if (unlikely(err)) {
3729 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3730 " unable to determine packet's peer label\n");
3737 /* socket security operations */
3738 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3741 struct inode_security_struct *isec;
3742 struct avc_audit_data ad;
3746 isec = SOCK_INODE(sock)->i_security;
3748 if (isec->sid == SECINITSID_KERNEL)
3750 sid = task_sid(task);
3752 AVC_AUDIT_DATA_INIT(&ad, NET);
3753 ad.u.net.sk = sock->sk;
3754 err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
3760 static int selinux_socket_create(int family, int type,
3761 int protocol, int kern)
3763 const struct cred *cred = current_cred();
3764 const struct task_security_struct *tsec = cred->security;
3773 newsid = tsec->sockcreate_sid ?: sid;
3775 secclass = socket_type_to_security_class(family, type, protocol);
3776 err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL);
3782 static int selinux_socket_post_create(struct socket *sock, int family,
3783 int type, int protocol, int kern)
3785 const struct cred *cred = current_cred();
3786 const struct task_security_struct *tsec = cred->security;
3787 struct inode_security_struct *isec;
3788 struct sk_security_struct *sksec;
3793 newsid = tsec->sockcreate_sid;
3795 isec = SOCK_INODE(sock)->i_security;
3798 isec->sid = SECINITSID_KERNEL;
3804 isec->sclass = socket_type_to_security_class(family, type, protocol);
3805 isec->initialized = 1;
3808 sksec = sock->sk->sk_security;
3809 sksec->sid = isec->sid;
3810 sksec->sclass = isec->sclass;
3811 err = selinux_netlbl_socket_post_create(sock);
3817 /* Range of port numbers used to automatically bind.
3818 Need to determine whether we should perform a name_bind
3819 permission check between the socket and the port number. */
3821 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3826 err = socket_has_perm(current, sock, SOCKET__BIND);
3831 * If PF_INET or PF_INET6, check name_bind permission for the port.
3832 * Multiple address binding for SCTP is not supported yet: we just
3833 * check the first address now.
3835 family = sock->sk->sk_family;
3836 if (family == PF_INET || family == PF_INET6) {
3838 struct inode_security_struct *isec;
3839 struct avc_audit_data ad;
3840 struct sockaddr_in *addr4 = NULL;
3841 struct sockaddr_in6 *addr6 = NULL;
3842 unsigned short snum;
3843 struct sock *sk = sock->sk;
3846 isec = SOCK_INODE(sock)->i_security;
3848 if (family == PF_INET) {
3849 addr4 = (struct sockaddr_in *)address;
3850 snum = ntohs(addr4->sin_port);
3851 addrp = (char *)&addr4->sin_addr.s_addr;
3853 addr6 = (struct sockaddr_in6 *)address;
3854 snum = ntohs(addr6->sin6_port);
3855 addrp = (char *)&addr6->sin6_addr.s6_addr;
3861 inet_get_local_port_range(&low, &high);
3863 if (snum < max(PROT_SOCK, low) || snum > high) {
3864 err = sel_netport_sid(sk->sk_protocol,
3868 AVC_AUDIT_DATA_INIT(&ad, NET);
3869 ad.u.net.sport = htons(snum);
3870 ad.u.net.family = family;
3871 err = avc_has_perm(isec->sid, sid,
3873 SOCKET__NAME_BIND, &ad);
3879 switch (isec->sclass) {
3880 case SECCLASS_TCP_SOCKET:
3881 node_perm = TCP_SOCKET__NODE_BIND;
3884 case SECCLASS_UDP_SOCKET:
3885 node_perm = UDP_SOCKET__NODE_BIND;
3888 case SECCLASS_DCCP_SOCKET:
3889 node_perm = DCCP_SOCKET__NODE_BIND;
3893 node_perm = RAWIP_SOCKET__NODE_BIND;
3897 err = sel_netnode_sid(addrp, family, &sid);
3901 AVC_AUDIT_DATA_INIT(&ad, NET);
3902 ad.u.net.sport = htons(snum);
3903 ad.u.net.family = family;
3905 if (family == PF_INET)
3906 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3908 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3910 err = avc_has_perm(isec->sid, sid,
3911 isec->sclass, node_perm, &ad);
3919 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3921 struct sock *sk = sock->sk;
3922 struct inode_security_struct *isec;
3925 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3930 * If a TCP or DCCP socket, check name_connect permission for the port.
3932 isec = SOCK_INODE(sock)->i_security;
3933 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3934 isec->sclass == SECCLASS_DCCP_SOCKET) {
3935 struct avc_audit_data ad;
3936 struct sockaddr_in *addr4 = NULL;
3937 struct sockaddr_in6 *addr6 = NULL;
3938 unsigned short snum;
3941 if (sk->sk_family == PF_INET) {
3942 addr4 = (struct sockaddr_in *)address;
3943 if (addrlen < sizeof(struct sockaddr_in))
3945 snum = ntohs(addr4->sin_port);
3947 addr6 = (struct sockaddr_in6 *)address;
3948 if (addrlen < SIN6_LEN_RFC2133)
3950 snum = ntohs(addr6->sin6_port);
3953 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3957 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3958 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3960 AVC_AUDIT_DATA_INIT(&ad, NET);
3961 ad.u.net.dport = htons(snum);
3962 ad.u.net.family = sk->sk_family;
3963 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3968 err = selinux_netlbl_socket_connect(sk, address);
3974 static int selinux_socket_listen(struct socket *sock, int backlog)
3976 return socket_has_perm(current, sock, SOCKET__LISTEN);
3979 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3982 struct inode_security_struct *isec;
3983 struct inode_security_struct *newisec;
3985 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3989 newisec = SOCK_INODE(newsock)->i_security;
3991 isec = SOCK_INODE(sock)->i_security;
3992 newisec->sclass = isec->sclass;
3993 newisec->sid = isec->sid;
3994 newisec->initialized = 1;
3999 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4004 rc = socket_has_perm(current, sock, SOCKET__WRITE);
4008 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
4011 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4012 int size, int flags)
4014 return socket_has_perm(current, sock, SOCKET__READ);
4017 static int selinux_socket_getsockname(struct socket *sock)
4019 return socket_has_perm(current, sock, SOCKET__GETATTR);
4022 static int selinux_socket_getpeername(struct socket *sock)
4024 return socket_has_perm(current, sock, SOCKET__GETATTR);
4027 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4031 err = socket_has_perm(current, sock, SOCKET__SETOPT);
4035 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4038 static int selinux_socket_getsockopt(struct socket *sock, int level,
4041 return socket_has_perm(current, sock, SOCKET__GETOPT);
4044 static int selinux_socket_shutdown(struct socket *sock, int how)
4046 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
4049 static int selinux_socket_unix_stream_connect(struct socket *sock,
4050 struct socket *other,
4053 struct sk_security_struct *ssec;
4054 struct inode_security_struct *isec;
4055 struct inode_security_struct *other_isec;
4056 struct avc_audit_data ad;
4059 err = secondary_ops->unix_stream_connect(sock, other, newsk);
4063 isec = SOCK_INODE(sock)->i_security;
4064 other_isec = SOCK_INODE(other)->i_security;
4066 AVC_AUDIT_DATA_INIT(&ad, NET);
4067 ad.u.net.sk = other->sk;
4069 err = avc_has_perm(isec->sid, other_isec->sid,
4071 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4075 /* connecting socket */
4076 ssec = sock->sk->sk_security;
4077 ssec->peer_sid = other_isec->sid;
4079 /* server child socket */
4080 ssec = newsk->sk_security;
4081 ssec->peer_sid = isec->sid;
4082 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
4087 static int selinux_socket_unix_may_send(struct socket *sock,
4088 struct socket *other)
4090 struct inode_security_struct *isec;
4091 struct inode_security_struct *other_isec;
4092 struct avc_audit_data ad;
4095 isec = SOCK_INODE(sock)->i_security;
4096 other_isec = SOCK_INODE(other)->i_security;
4098 AVC_AUDIT_DATA_INIT(&ad, NET);
4099 ad.u.net.sk = other->sk;
4101 err = avc_has_perm(isec->sid, other_isec->sid,
4102 isec->sclass, SOCKET__SENDTO, &ad);
4109 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4111 struct avc_audit_data *ad)
4117 err = sel_netif_sid(ifindex, &if_sid);
4120 err = avc_has_perm(peer_sid, if_sid,
4121 SECCLASS_NETIF, NETIF__INGRESS, ad);
4125 err = sel_netnode_sid(addrp, family, &node_sid);
4128 return avc_has_perm(peer_sid, node_sid,
4129 SECCLASS_NODE, NODE__RECVFROM, ad);
4132 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4133 struct sk_buff *skb,
4134 struct avc_audit_data *ad,
4139 struct sk_security_struct *sksec = sk->sk_security;
4141 u32 netif_perm, node_perm, recv_perm;
4142 u32 port_sid, node_sid, if_sid, sk_sid;
4144 sk_sid = sksec->sid;
4145 sk_class = sksec->sclass;
4148 case SECCLASS_UDP_SOCKET:
4149 netif_perm = NETIF__UDP_RECV;
4150 node_perm = NODE__UDP_RECV;
4151 recv_perm = UDP_SOCKET__RECV_MSG;
4153 case SECCLASS_TCP_SOCKET:
4154 netif_perm = NETIF__TCP_RECV;
4155 node_perm = NODE__TCP_RECV;
4156 recv_perm = TCP_SOCKET__RECV_MSG;
4158 case SECCLASS_DCCP_SOCKET:
4159 netif_perm = NETIF__DCCP_RECV;
4160 node_perm = NODE__DCCP_RECV;
4161 recv_perm = DCCP_SOCKET__RECV_MSG;
4164 netif_perm = NETIF__RAWIP_RECV;
4165 node_perm = NODE__RAWIP_RECV;
4170 err = sel_netif_sid(skb->iif, &if_sid);
4173 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4177 err = sel_netnode_sid(addrp, family, &node_sid);
4180 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4186 err = sel_netport_sid(sk->sk_protocol,
4187 ntohs(ad->u.net.sport), &port_sid);
4188 if (unlikely(err)) {
4190 "SELinux: failure in"
4191 " selinux_sock_rcv_skb_iptables_compat(),"
4192 " network port label not found\n");
4195 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4198 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4202 struct sk_security_struct *sksec = sk->sk_security;
4204 u32 sk_sid = sksec->sid;
4205 struct avc_audit_data ad;
4208 AVC_AUDIT_DATA_INIT(&ad, NET);
4209 ad.u.net.netif = skb->iif;
4210 ad.u.net.family = family;
4211 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4215 if (selinux_compat_net)
4216 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
4218 else if (selinux_secmark_enabled())
4219 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4224 if (selinux_policycap_netpeer) {
4225 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4228 err = avc_has_perm(sk_sid, peer_sid,
4229 SECCLASS_PEER, PEER__RECV, &ad);
4231 selinux_netlbl_err(skb, err, 0);
4233 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4236 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4242 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4245 struct sk_security_struct *sksec = sk->sk_security;
4246 u16 family = sk->sk_family;
4247 u32 sk_sid = sksec->sid;
4248 struct avc_audit_data ad;
4253 if (family != PF_INET && family != PF_INET6)
4256 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4257 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4260 /* If any sort of compatibility mode is enabled then handoff processing
4261 * to the selinux_sock_rcv_skb_compat() function to deal with the
4262 * special handling. We do this in an attempt to keep this function
4263 * as fast and as clean as possible. */
4264 if (selinux_compat_net || !selinux_policycap_netpeer)
4265 return selinux_sock_rcv_skb_compat(sk, skb, family);
4267 secmark_active = selinux_secmark_enabled();
4268 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4269 if (!secmark_active && !peerlbl_active)
4272 AVC_AUDIT_DATA_INIT(&ad, NET);
4273 ad.u.net.netif = skb->iif;
4274 ad.u.net.family = family;
4275 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4279 if (peerlbl_active) {
4282 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4285 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4288 selinux_netlbl_err(skb, err, 0);
4291 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4294 selinux_netlbl_err(skb, err, 0);
4297 if (secmark_active) {
4298 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4307 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4308 int __user *optlen, unsigned len)
4313 struct sk_security_struct *ssec;
4314 struct inode_security_struct *isec;
4315 u32 peer_sid = SECSID_NULL;
4317 isec = SOCK_INODE(sock)->i_security;
4319 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4320 isec->sclass == SECCLASS_TCP_SOCKET) {
4321 ssec = sock->sk->sk_security;
4322 peer_sid = ssec->peer_sid;
4324 if (peer_sid == SECSID_NULL) {
4329 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4334 if (scontext_len > len) {
4339 if (copy_to_user(optval, scontext, scontext_len))
4343 if (put_user(scontext_len, optlen))
4351 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4353 u32 peer_secid = SECSID_NULL;
4356 if (skb && skb->protocol == htons(ETH_P_IP))
4358 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4361 family = sock->sk->sk_family;
4365 if (sock && family == PF_UNIX)
4366 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4368 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4371 *secid = peer_secid;
4372 if (peer_secid == SECSID_NULL)
4377 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4379 return sk_alloc_security(sk, family, priority);
4382 static void selinux_sk_free_security(struct sock *sk)
4384 sk_free_security(sk);
4387 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4389 struct sk_security_struct *ssec = sk->sk_security;
4390 struct sk_security_struct *newssec = newsk->sk_security;
4392 newssec->sid = ssec->sid;
4393 newssec->peer_sid = ssec->peer_sid;
4394 newssec->sclass = ssec->sclass;
4396 selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4399 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4402 *secid = SECINITSID_ANY_SOCKET;
4404 struct sk_security_struct *sksec = sk->sk_security;
4406 *secid = sksec->sid;
4410 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4412 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4413 struct sk_security_struct *sksec = sk->sk_security;
4415 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4416 sk->sk_family == PF_UNIX)
4417 isec->sid = sksec->sid;
4418 sksec->sclass = isec->sclass;
4421 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4422 struct request_sock *req)
4424 struct sk_security_struct *sksec = sk->sk_security;
4426 u16 family = sk->sk_family;
4430 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4431 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4434 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4437 if (peersid == SECSID_NULL) {
4438 req->secid = sksec->sid;
4439 req->peer_secid = SECSID_NULL;
4443 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4447 req->secid = newsid;
4448 req->peer_secid = peersid;
4452 static void selinux_inet_csk_clone(struct sock *newsk,
4453 const struct request_sock *req)
4455 struct sk_security_struct *newsksec = newsk->sk_security;
4457 newsksec->sid = req->secid;
4458 newsksec->peer_sid = req->peer_secid;
4459 /* NOTE: Ideally, we should also get the isec->sid for the
4460 new socket in sync, but we don't have the isec available yet.
4461 So we will wait until sock_graft to do it, by which
4462 time it will have been created and available. */
4464 /* We don't need to take any sort of lock here as we are the only
4465 * thread with access to newsksec */
4466 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4469 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4471 u16 family = sk->sk_family;
4472 struct sk_security_struct *sksec = sk->sk_security;
4474 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4475 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4478 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4480 selinux_netlbl_inet_conn_established(sk, family);
4483 static void selinux_req_classify_flow(const struct request_sock *req,
4486 fl->secid = req->secid;
4489 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4493 struct nlmsghdr *nlh;
4494 struct socket *sock = sk->sk_socket;
4495 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4497 if (skb->len < NLMSG_SPACE(0)) {
4501 nlh = nlmsg_hdr(skb);
4503 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4505 if (err == -EINVAL) {
4506 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4507 "SELinux: unrecognized netlink message"
4508 " type=%hu for sclass=%hu\n",
4509 nlh->nlmsg_type, isec->sclass);
4510 if (!selinux_enforcing || security_get_allow_unknown())
4520 err = socket_has_perm(current, sock, perm);
4525 #ifdef CONFIG_NETFILTER
4527 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4533 struct avc_audit_data ad;
4538 if (!selinux_policycap_netpeer)
4541 secmark_active = selinux_secmark_enabled();
4542 netlbl_active = netlbl_enabled();
4543 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4544 if (!secmark_active && !peerlbl_active)
4547 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4550 AVC_AUDIT_DATA_INIT(&ad, NET);
4551 ad.u.net.netif = ifindex;
4552 ad.u.net.family = family;
4553 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4556 if (peerlbl_active) {
4557 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4560 selinux_netlbl_err(skb, err, 1);
4566 if (avc_has_perm(peer_sid, skb->secmark,
4567 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4571 /* we do this in the FORWARD path and not the POST_ROUTING
4572 * path because we want to make sure we apply the necessary
4573 * labeling before IPsec is applied so we can leverage AH
4575 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4581 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4582 struct sk_buff *skb,
4583 const struct net_device *in,
4584 const struct net_device *out,
4585 int (*okfn)(struct sk_buff *))
4587 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4590 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4591 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4592 struct sk_buff *skb,
4593 const struct net_device *in,
4594 const struct net_device *out,
4595 int (*okfn)(struct sk_buff *))
4597 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4601 static unsigned int selinux_ip_output(struct sk_buff *skb,
4606 if (!netlbl_enabled())
4609 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4610 * because we want to make sure we apply the necessary labeling
4611 * before IPsec is applied so we can leverage AH protection */
4613 struct sk_security_struct *sksec = skb->sk->sk_security;
4616 sid = SECINITSID_KERNEL;
4617 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4623 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4624 struct sk_buff *skb,
4625 const struct net_device *in,
4626 const struct net_device *out,
4627 int (*okfn)(struct sk_buff *))
4629 return selinux_ip_output(skb, PF_INET);
4632 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4634 struct avc_audit_data *ad,
4635 u16 family, char *addrp)
4638 struct sk_security_struct *sksec = sk->sk_security;
4640 u32 netif_perm, node_perm, send_perm;
4641 u32 port_sid, node_sid, if_sid, sk_sid;
4643 sk_sid = sksec->sid;
4644 sk_class = sksec->sclass;
4647 case SECCLASS_UDP_SOCKET:
4648 netif_perm = NETIF__UDP_SEND;
4649 node_perm = NODE__UDP_SEND;
4650 send_perm = UDP_SOCKET__SEND_MSG;
4652 case SECCLASS_TCP_SOCKET:
4653 netif_perm = NETIF__TCP_SEND;
4654 node_perm = NODE__TCP_SEND;
4655 send_perm = TCP_SOCKET__SEND_MSG;
4657 case SECCLASS_DCCP_SOCKET:
4658 netif_perm = NETIF__DCCP_SEND;
4659 node_perm = NODE__DCCP_SEND;
4660 send_perm = DCCP_SOCKET__SEND_MSG;
4663 netif_perm = NETIF__RAWIP_SEND;
4664 node_perm = NODE__RAWIP_SEND;
4669 err = sel_netif_sid(ifindex, &if_sid);
4672 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4675 err = sel_netnode_sid(addrp, family, &node_sid);
4678 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4685 err = sel_netport_sid(sk->sk_protocol,
4686 ntohs(ad->u.net.dport), &port_sid);
4687 if (unlikely(err)) {
4689 "SELinux: failure in"
4690 " selinux_ip_postroute_iptables_compat(),"
4691 " network port label not found\n");
4694 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4697 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4701 struct sock *sk = skb->sk;
4702 struct sk_security_struct *sksec;
4703 struct avc_audit_data ad;
4709 sksec = sk->sk_security;
4711 AVC_AUDIT_DATA_INIT(&ad, NET);
4712 ad.u.net.netif = ifindex;
4713 ad.u.net.family = family;
4714 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4717 if (selinux_compat_net) {
4718 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4719 &ad, family, addrp))
4721 } else if (selinux_secmark_enabled()) {
4722 if (avc_has_perm(sksec->sid, skb->secmark,
4723 SECCLASS_PACKET, PACKET__SEND, &ad))
4727 if (selinux_policycap_netpeer)
4728 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4734 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4740 struct avc_audit_data ad;
4745 /* If any sort of compatibility mode is enabled then handoff processing
4746 * to the selinux_ip_postroute_compat() function to deal with the
4747 * special handling. We do this in an attempt to keep this function
4748 * as fast and as clean as possible. */
4749 if (selinux_compat_net || !selinux_policycap_netpeer)
4750 return selinux_ip_postroute_compat(skb, ifindex, family);
4752 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4753 * packet transformation so allow the packet to pass without any checks
4754 * since we'll have another chance to perform access control checks
4755 * when the packet is on it's final way out.
4756 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4757 * is NULL, in this case go ahead and apply access control. */
4758 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4761 secmark_active = selinux_secmark_enabled();
4762 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4763 if (!secmark_active && !peerlbl_active)
4766 /* if the packet is being forwarded then get the peer label from the
4767 * packet itself; otherwise check to see if it is from a local
4768 * application or the kernel, if from an application get the peer label
4769 * from the sending socket, otherwise use the kernel's sid */
4774 if (IPCB(skb)->flags & IPSKB_FORWARDED)
4775 secmark_perm = PACKET__FORWARD_OUT;
4777 secmark_perm = PACKET__SEND;
4780 if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
4781 secmark_perm = PACKET__FORWARD_OUT;
4783 secmark_perm = PACKET__SEND;
4788 if (secmark_perm == PACKET__FORWARD_OUT) {
4789 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4792 peer_sid = SECINITSID_KERNEL;
4794 struct sk_security_struct *sksec = sk->sk_security;
4795 peer_sid = sksec->sid;
4796 secmark_perm = PACKET__SEND;
4799 AVC_AUDIT_DATA_INIT(&ad, NET);
4800 ad.u.net.netif = ifindex;
4801 ad.u.net.family = family;
4802 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4806 if (avc_has_perm(peer_sid, skb->secmark,
4807 SECCLASS_PACKET, secmark_perm, &ad))
4810 if (peerlbl_active) {
4814 if (sel_netif_sid(ifindex, &if_sid))
4816 if (avc_has_perm(peer_sid, if_sid,
4817 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4820 if (sel_netnode_sid(addrp, family, &node_sid))
4822 if (avc_has_perm(peer_sid, node_sid,
4823 SECCLASS_NODE, NODE__SENDTO, &ad))
4830 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4831 struct sk_buff *skb,
4832 const struct net_device *in,
4833 const struct net_device *out,
4834 int (*okfn)(struct sk_buff *))
4836 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4839 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4840 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4841 struct sk_buff *skb,
4842 const struct net_device *in,
4843 const struct net_device *out,
4844 int (*okfn)(struct sk_buff *))
4846 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4850 #endif /* CONFIG_NETFILTER */
4852 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4856 err = secondary_ops->netlink_send(sk, skb);
4860 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4861 err = selinux_nlmsg_perm(sk, skb);
4866 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4869 struct avc_audit_data ad;
4871 err = secondary_ops->netlink_recv(skb, capability);
4875 AVC_AUDIT_DATA_INIT(&ad, CAP);
4876 ad.u.cap = capability;
4878 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4879 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4882 static int ipc_alloc_security(struct task_struct *task,
4883 struct kern_ipc_perm *perm,
4886 struct ipc_security_struct *isec;
4889 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4893 sid = task_sid(task);
4894 isec->sclass = sclass;
4896 perm->security = isec;
4901 static void ipc_free_security(struct kern_ipc_perm *perm)
4903 struct ipc_security_struct *isec = perm->security;
4904 perm->security = NULL;
4908 static int msg_msg_alloc_security(struct msg_msg *msg)
4910 struct msg_security_struct *msec;
4912 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4916 msec->sid = SECINITSID_UNLABELED;
4917 msg->security = msec;
4922 static void msg_msg_free_security(struct msg_msg *msg)
4924 struct msg_security_struct *msec = msg->security;
4926 msg->security = NULL;
4930 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4933 struct ipc_security_struct *isec;
4934 struct avc_audit_data ad;
4935 u32 sid = current_sid();
4937 isec = ipc_perms->security;
4939 AVC_AUDIT_DATA_INIT(&ad, IPC);
4940 ad.u.ipc_id = ipc_perms->key;
4942 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4945 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4947 return msg_msg_alloc_security(msg);
4950 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4952 msg_msg_free_security(msg);
4955 /* message queue security operations */
4956 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4958 struct ipc_security_struct *isec;
4959 struct avc_audit_data ad;
4960 u32 sid = current_sid();
4963 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4967 isec = msq->q_perm.security;
4969 AVC_AUDIT_DATA_INIT(&ad, IPC);
4970 ad.u.ipc_id = msq->q_perm.key;
4972 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4975 ipc_free_security(&msq->q_perm);
4981 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4983 ipc_free_security(&msq->q_perm);
4986 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4988 struct ipc_security_struct *isec;
4989 struct avc_audit_data ad;
4990 u32 sid = current_sid();
4992 isec = msq->q_perm.security;
4994 AVC_AUDIT_DATA_INIT(&ad, IPC);
4995 ad.u.ipc_id = msq->q_perm.key;
4997 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4998 MSGQ__ASSOCIATE, &ad);
5001 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5009 /* No specific object, just general system-wide information. */
5010 return task_has_system(current, SYSTEM__IPC_INFO);
5013 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5016 perms = MSGQ__SETATTR;
5019 perms = MSGQ__DESTROY;
5025 err = ipc_has_perm(&msq->q_perm, perms);
5029 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5031 struct ipc_security_struct *isec;
5032 struct msg_security_struct *msec;
5033 struct avc_audit_data ad;
5034 u32 sid = current_sid();
5037 isec = msq->q_perm.security;
5038 msec = msg->security;
5041 * First time through, need to assign label to the message
5043 if (msec->sid == SECINITSID_UNLABELED) {
5045 * Compute new sid based on current process and
5046 * message queue this message will be stored in
5048 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5054 AVC_AUDIT_DATA_INIT(&ad, IPC);
5055 ad.u.ipc_id = msq->q_perm.key;
5057 /* Can this process write to the queue? */
5058 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5061 /* Can this process send the message */
5062 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5065 /* Can the message be put in the queue? */
5066 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5067 MSGQ__ENQUEUE, &ad);
5072 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5073 struct task_struct *target,
5074 long type, int mode)
5076 struct ipc_security_struct *isec;
5077 struct msg_security_struct *msec;
5078 struct avc_audit_data ad;
5079 u32 sid = task_sid(target);
5082 isec = msq->q_perm.security;
5083 msec = msg->security;
5085 AVC_AUDIT_DATA_INIT(&ad, IPC);
5086 ad.u.ipc_id = msq->q_perm.key;
5088 rc = avc_has_perm(sid, isec->sid,
5089 SECCLASS_MSGQ, MSGQ__READ, &ad);
5091 rc = avc_has_perm(sid, msec->sid,
5092 SECCLASS_MSG, MSG__RECEIVE, &ad);
5096 /* Shared Memory security operations */
5097 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5099 struct ipc_security_struct *isec;
5100 struct avc_audit_data ad;
5101 u32 sid = current_sid();
5104 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5108 isec = shp->shm_perm.security;
5110 AVC_AUDIT_DATA_INIT(&ad, IPC);
5111 ad.u.ipc_id = shp->shm_perm.key;
5113 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5116 ipc_free_security(&shp->shm_perm);
5122 static void selinux_shm_free_security(struct shmid_kernel *shp)
5124 ipc_free_security(&shp->shm_perm);
5127 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5129 struct ipc_security_struct *isec;
5130 struct avc_audit_data ad;
5131 u32 sid = current_sid();
5133 isec = shp->shm_perm.security;
5135 AVC_AUDIT_DATA_INIT(&ad, IPC);
5136 ad.u.ipc_id = shp->shm_perm.key;
5138 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5139 SHM__ASSOCIATE, &ad);
5142 /* Note, at this point, shp is locked down */
5143 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5151 /* No specific object, just general system-wide information. */
5152 return task_has_system(current, SYSTEM__IPC_INFO);
5155 perms = SHM__GETATTR | SHM__ASSOCIATE;
5158 perms = SHM__SETATTR;
5165 perms = SHM__DESTROY;
5171 err = ipc_has_perm(&shp->shm_perm, perms);
5175 static int selinux_shm_shmat(struct shmid_kernel *shp,
5176 char __user *shmaddr, int shmflg)
5181 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
5185 if (shmflg & SHM_RDONLY)
5188 perms = SHM__READ | SHM__WRITE;
5190 return ipc_has_perm(&shp->shm_perm, perms);
5193 /* Semaphore security operations */
5194 static int selinux_sem_alloc_security(struct sem_array *sma)
5196 struct ipc_security_struct *isec;
5197 struct avc_audit_data ad;
5198 u32 sid = current_sid();
5201 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5205 isec = sma->sem_perm.security;
5207 AVC_AUDIT_DATA_INIT(&ad, IPC);
5208 ad.u.ipc_id = sma->sem_perm.key;
5210 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5213 ipc_free_security(&sma->sem_perm);
5219 static void selinux_sem_free_security(struct sem_array *sma)
5221 ipc_free_security(&sma->sem_perm);
5224 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5226 struct ipc_security_struct *isec;
5227 struct avc_audit_data ad;
5228 u32 sid = current_sid();
5230 isec = sma->sem_perm.security;
5232 AVC_AUDIT_DATA_INIT(&ad, IPC);
5233 ad.u.ipc_id = sma->sem_perm.key;
5235 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5236 SEM__ASSOCIATE, &ad);
5239 /* Note, at this point, sma is locked down */
5240 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5248 /* No specific object, just general system-wide information. */
5249 return task_has_system(current, SYSTEM__IPC_INFO);
5253 perms = SEM__GETATTR;
5264 perms = SEM__DESTROY;
5267 perms = SEM__SETATTR;
5271 perms = SEM__GETATTR | SEM__ASSOCIATE;
5277 err = ipc_has_perm(&sma->sem_perm, perms);
5281 static int selinux_sem_semop(struct sem_array *sma,
5282 struct sembuf *sops, unsigned nsops, int alter)
5287 perms = SEM__READ | SEM__WRITE;
5291 return ipc_has_perm(&sma->sem_perm, perms);
5294 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5300 av |= IPC__UNIX_READ;
5302 av |= IPC__UNIX_WRITE;
5307 return ipc_has_perm(ipcp, av);
5310 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5312 struct ipc_security_struct *isec = ipcp->security;
5316 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5319 inode_doinit_with_dentry(inode, dentry);
5322 static int selinux_getprocattr(struct task_struct *p,
5323 char *name, char **value)
5325 const struct task_security_struct *__tsec;
5331 error = current_has_perm(p, PROCESS__GETATTR);
5337 __tsec = __task_cred(p)->security;
5339 if (!strcmp(name, "current"))
5341 else if (!strcmp(name, "prev"))
5343 else if (!strcmp(name, "exec"))
5344 sid = __tsec->exec_sid;
5345 else if (!strcmp(name, "fscreate"))
5346 sid = __tsec->create_sid;
5347 else if (!strcmp(name, "keycreate"))
5348 sid = __tsec->keycreate_sid;
5349 else if (!strcmp(name, "sockcreate"))
5350 sid = __tsec->sockcreate_sid;
5358 error = security_sid_to_context(sid, value, &len);
5368 static int selinux_setprocattr(struct task_struct *p,
5369 char *name, void *value, size_t size)
5371 struct task_security_struct *tsec;
5372 struct task_struct *tracer;
5379 /* SELinux only allows a process to change its own
5380 security attributes. */
5385 * Basic control over ability to set these attributes at all.
5386 * current == p, but we'll pass them separately in case the
5387 * above restriction is ever removed.
5389 if (!strcmp(name, "exec"))
5390 error = current_has_perm(p, PROCESS__SETEXEC);
5391 else if (!strcmp(name, "fscreate"))
5392 error = current_has_perm(p, PROCESS__SETFSCREATE);
5393 else if (!strcmp(name, "keycreate"))
5394 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5395 else if (!strcmp(name, "sockcreate"))
5396 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5397 else if (!strcmp(name, "current"))
5398 error = current_has_perm(p, PROCESS__SETCURRENT);
5404 /* Obtain a SID for the context, if one was specified. */
5405 if (size && str[1] && str[1] != '\n') {
5406 if (str[size-1] == '\n') {
5410 error = security_context_to_sid(value, size, &sid);
5411 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5412 if (!capable(CAP_MAC_ADMIN))
5414 error = security_context_to_sid_force(value, size,
5421 new = prepare_creds();
5425 /* Permission checking based on the specified context is
5426 performed during the actual operation (execve,
5427 open/mkdir/...), when we know the full context of the
5428 operation. See selinux_bprm_set_creds for the execve
5429 checks and may_create for the file creation checks. The
5430 operation will then fail if the context is not permitted. */
5431 tsec = new->security;
5432 if (!strcmp(name, "exec")) {
5433 tsec->exec_sid = sid;
5434 } else if (!strcmp(name, "fscreate")) {
5435 tsec->create_sid = sid;
5436 } else if (!strcmp(name, "keycreate")) {
5437 error = may_create_key(sid, p);
5440 tsec->keycreate_sid = sid;
5441 } else if (!strcmp(name, "sockcreate")) {
5442 tsec->sockcreate_sid = sid;
5443 } else if (!strcmp(name, "current")) {
5448 /* Only allow single threaded processes to change context */
5450 if (!is_single_threaded(p)) {
5451 error = security_bounded_transition(tsec->sid, sid);
5456 /* Check permissions for the transition. */
5457 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5458 PROCESS__DYNTRANSITION, NULL);
5462 /* Check for ptracing, and update the task SID if ok.
5463 Otherwise, leave SID unchanged and fail. */
5466 tracer = tracehook_tracer_task(p);
5468 ptsid = task_sid(tracer);
5472 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5473 PROCESS__PTRACE, NULL);
5492 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5494 return security_sid_to_context(secid, secdata, seclen);
5497 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5499 return security_context_to_sid(secdata, seclen, secid);
5502 static void selinux_release_secctx(char *secdata, u32 seclen)
5509 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5510 unsigned long flags)
5512 const struct task_security_struct *tsec;
5513 struct key_security_struct *ksec;
5515 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5519 tsec = cred->security;
5520 if (tsec->keycreate_sid)
5521 ksec->sid = tsec->keycreate_sid;
5523 ksec->sid = tsec->sid;
5529 static void selinux_key_free(struct key *k)
5531 struct key_security_struct *ksec = k->security;
5537 static int selinux_key_permission(key_ref_t key_ref,
5538 const struct cred *cred,
5542 struct key_security_struct *ksec;
5545 /* if no specific permissions are requested, we skip the
5546 permission check. No serious, additional covert channels
5547 appear to be created. */
5551 sid = cred_sid(cred);
5553 key = key_ref_to_ptr(key_ref);
5554 ksec = key->security;
5556 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5559 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5561 struct key_security_struct *ksec = key->security;
5562 char *context = NULL;
5566 rc = security_sid_to_context(ksec->sid, &context, &len);
5575 static struct security_operations selinux_ops = {
5578 .ptrace_may_access = selinux_ptrace_may_access,
5579 .ptrace_traceme = selinux_ptrace_traceme,
5580 .capget = selinux_capget,
5581 .capset = selinux_capset,
5582 .sysctl = selinux_sysctl,
5583 .capable = selinux_capable,
5584 .task_capable = selinux_task_capable,
5585 .quotactl = selinux_quotactl,
5586 .quota_on = selinux_quota_on,
5587 .syslog = selinux_syslog,
5588 .vm_enough_memory = selinux_vm_enough_memory,
5590 .netlink_send = selinux_netlink_send,
5591 .netlink_recv = selinux_netlink_recv,
5593 .bprm_set_creds = selinux_bprm_set_creds,
5594 .bprm_check_security = selinux_bprm_check_security,
5595 .bprm_committing_creds = selinux_bprm_committing_creds,
5596 .bprm_committed_creds = selinux_bprm_committed_creds,
5597 .bprm_secureexec = selinux_bprm_secureexec,
5599 .sb_alloc_security = selinux_sb_alloc_security,
5600 .sb_free_security = selinux_sb_free_security,
5601 .sb_copy_data = selinux_sb_copy_data,
5602 .sb_kern_mount = selinux_sb_kern_mount,
5603 .sb_show_options = selinux_sb_show_options,
5604 .sb_statfs = selinux_sb_statfs,
5605 .sb_mount = selinux_mount,
5606 .sb_umount = selinux_umount,
5607 .sb_set_mnt_opts = selinux_set_mnt_opts,
5608 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5609 .sb_parse_opts_str = selinux_parse_opts_str,
5612 .inode_alloc_security = selinux_inode_alloc_security,
5613 .inode_free_security = selinux_inode_free_security,
5614 .inode_init_security = selinux_inode_init_security,
5615 .inode_create = selinux_inode_create,
5616 .inode_link = selinux_inode_link,
5617 .inode_unlink = selinux_inode_unlink,
5618 .inode_symlink = selinux_inode_symlink,
5619 .inode_mkdir = selinux_inode_mkdir,
5620 .inode_rmdir = selinux_inode_rmdir,
5621 .inode_mknod = selinux_inode_mknod,
5622 .inode_rename = selinux_inode_rename,
5623 .inode_readlink = selinux_inode_readlink,
5624 .inode_follow_link = selinux_inode_follow_link,
5625 .inode_permission = selinux_inode_permission,
5626 .inode_setattr = selinux_inode_setattr,
5627 .inode_getattr = selinux_inode_getattr,
5628 .inode_setxattr = selinux_inode_setxattr,
5629 .inode_post_setxattr = selinux_inode_post_setxattr,
5630 .inode_getxattr = selinux_inode_getxattr,
5631 .inode_listxattr = selinux_inode_listxattr,
5632 .inode_removexattr = selinux_inode_removexattr,
5633 .inode_getsecurity = selinux_inode_getsecurity,
5634 .inode_setsecurity = selinux_inode_setsecurity,
5635 .inode_listsecurity = selinux_inode_listsecurity,
5636 .inode_need_killpriv = selinux_inode_need_killpriv,
5637 .inode_killpriv = selinux_inode_killpriv,
5638 .inode_getsecid = selinux_inode_getsecid,
5640 .file_permission = selinux_file_permission,
5641 .file_alloc_security = selinux_file_alloc_security,
5642 .file_free_security = selinux_file_free_security,
5643 .file_ioctl = selinux_file_ioctl,
5644 .file_mmap = selinux_file_mmap,
5645 .file_mprotect = selinux_file_mprotect,
5646 .file_lock = selinux_file_lock,
5647 .file_fcntl = selinux_file_fcntl,
5648 .file_set_fowner = selinux_file_set_fowner,
5649 .file_send_sigiotask = selinux_file_send_sigiotask,
5650 .file_receive = selinux_file_receive,
5652 .dentry_open = selinux_dentry_open,
5654 .task_create = selinux_task_create,
5655 .cred_free = selinux_cred_free,
5656 .cred_prepare = selinux_cred_prepare,
5657 .cred_commit = selinux_cred_commit,
5658 .kernel_act_as = selinux_kernel_act_as,
5659 .kernel_create_files_as = selinux_kernel_create_files_as,
5660 .task_setuid = selinux_task_setuid,
5661 .task_fix_setuid = selinux_task_fix_setuid,
5662 .task_setgid = selinux_task_setgid,
5663 .task_setpgid = selinux_task_setpgid,
5664 .task_getpgid = selinux_task_getpgid,
5665 .task_getsid = selinux_task_getsid,
5666 .task_getsecid = selinux_task_getsecid,
5667 .task_setgroups = selinux_task_setgroups,
5668 .task_setnice = selinux_task_setnice,
5669 .task_setioprio = selinux_task_setioprio,
5670 .task_getioprio = selinux_task_getioprio,
5671 .task_setrlimit = selinux_task_setrlimit,
5672 .task_setscheduler = selinux_task_setscheduler,
5673 .task_getscheduler = selinux_task_getscheduler,
5674 .task_movememory = selinux_task_movememory,
5675 .task_kill = selinux_task_kill,
5676 .task_wait = selinux_task_wait,
5677 .task_prctl = selinux_task_prctl,
5678 .task_to_inode = selinux_task_to_inode,
5680 .ipc_permission = selinux_ipc_permission,
5681 .ipc_getsecid = selinux_ipc_getsecid,
5683 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5684 .msg_msg_free_security = selinux_msg_msg_free_security,
5686 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5687 .msg_queue_free_security = selinux_msg_queue_free_security,
5688 .msg_queue_associate = selinux_msg_queue_associate,
5689 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5690 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5691 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5693 .shm_alloc_security = selinux_shm_alloc_security,
5694 .shm_free_security = selinux_shm_free_security,
5695 .shm_associate = selinux_shm_associate,
5696 .shm_shmctl = selinux_shm_shmctl,
5697 .shm_shmat = selinux_shm_shmat,
5699 .sem_alloc_security = selinux_sem_alloc_security,
5700 .sem_free_security = selinux_sem_free_security,
5701 .sem_associate = selinux_sem_associate,
5702 .sem_semctl = selinux_sem_semctl,
5703 .sem_semop = selinux_sem_semop,
5705 .d_instantiate = selinux_d_instantiate,
5707 .getprocattr = selinux_getprocattr,
5708 .setprocattr = selinux_setprocattr,
5710 .secid_to_secctx = selinux_secid_to_secctx,
5711 .secctx_to_secid = selinux_secctx_to_secid,
5712 .release_secctx = selinux_release_secctx,
5714 .unix_stream_connect = selinux_socket_unix_stream_connect,
5715 .unix_may_send = selinux_socket_unix_may_send,
5717 .socket_create = selinux_socket_create,
5718 .socket_post_create = selinux_socket_post_create,
5719 .socket_bind = selinux_socket_bind,
5720 .socket_connect = selinux_socket_connect,
5721 .socket_listen = selinux_socket_listen,
5722 .socket_accept = selinux_socket_accept,
5723 .socket_sendmsg = selinux_socket_sendmsg,
5724 .socket_recvmsg = selinux_socket_recvmsg,
5725 .socket_getsockname = selinux_socket_getsockname,
5726 .socket_getpeername = selinux_socket_getpeername,
5727 .socket_getsockopt = selinux_socket_getsockopt,
5728 .socket_setsockopt = selinux_socket_setsockopt,
5729 .socket_shutdown = selinux_socket_shutdown,
5730 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5731 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5732 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5733 .sk_alloc_security = selinux_sk_alloc_security,
5734 .sk_free_security = selinux_sk_free_security,
5735 .sk_clone_security = selinux_sk_clone_security,
5736 .sk_getsecid = selinux_sk_getsecid,
5737 .sock_graft = selinux_sock_graft,
5738 .inet_conn_request = selinux_inet_conn_request,
5739 .inet_csk_clone = selinux_inet_csk_clone,
5740 .inet_conn_established = selinux_inet_conn_established,
5741 .req_classify_flow = selinux_req_classify_flow,
5743 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5744 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5745 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5746 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5747 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5748 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5749 .xfrm_state_free_security = selinux_xfrm_state_free,
5750 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5751 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5752 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5753 .xfrm_decode_session = selinux_xfrm_decode_session,
5757 .key_alloc = selinux_key_alloc,
5758 .key_free = selinux_key_free,
5759 .key_permission = selinux_key_permission,
5760 .key_getsecurity = selinux_key_getsecurity,
5764 .audit_rule_init = selinux_audit_rule_init,
5765 .audit_rule_known = selinux_audit_rule_known,
5766 .audit_rule_match = selinux_audit_rule_match,
5767 .audit_rule_free = selinux_audit_rule_free,
5771 static __init int selinux_init(void)
5773 if (!security_module_enable(&selinux_ops)) {
5774 selinux_enabled = 0;
5778 if (!selinux_enabled) {
5779 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5783 printk(KERN_INFO "SELinux: Initializing.\n");
5785 /* Set the security state for the initial task. */
5786 cred_init_security();
5788 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5789 sizeof(struct inode_security_struct),
5790 0, SLAB_PANIC, NULL);
5793 secondary_ops = security_ops;
5795 panic("SELinux: No initial security operations\n");
5796 if (register_security(&selinux_ops))
5797 panic("SELinux: Unable to register with kernel.\n");
5799 if (selinux_enforcing)
5800 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5802 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5807 void selinux_complete_init(void)
5809 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5811 /* Set up any superblocks initialized prior to the policy load. */
5812 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5813 spin_lock(&sb_lock);
5814 spin_lock(&sb_security_lock);
5816 if (!list_empty(&superblock_security_head)) {
5817 struct superblock_security_struct *sbsec =
5818 list_entry(superblock_security_head.next,
5819 struct superblock_security_struct,
5821 struct super_block *sb = sbsec->sb;
5823 spin_unlock(&sb_security_lock);
5824 spin_unlock(&sb_lock);
5825 down_read(&sb->s_umount);
5827 superblock_doinit(sb, NULL);
5829 spin_lock(&sb_lock);
5830 spin_lock(&sb_security_lock);
5831 list_del_init(&sbsec->list);
5834 spin_unlock(&sb_security_lock);
5835 spin_unlock(&sb_lock);
5838 /* SELinux requires early initialization in order to label
5839 all processes and objects when they are created. */
5840 security_initcall(selinux_init);
5842 #if defined(CONFIG_NETFILTER)
5844 static struct nf_hook_ops selinux_ipv4_ops[] = {
5846 .hook = selinux_ipv4_postroute,
5847 .owner = THIS_MODULE,
5849 .hooknum = NF_INET_POST_ROUTING,
5850 .priority = NF_IP_PRI_SELINUX_LAST,
5853 .hook = selinux_ipv4_forward,
5854 .owner = THIS_MODULE,
5856 .hooknum = NF_INET_FORWARD,
5857 .priority = NF_IP_PRI_SELINUX_FIRST,
5860 .hook = selinux_ipv4_output,
5861 .owner = THIS_MODULE,
5863 .hooknum = NF_INET_LOCAL_OUT,
5864 .priority = NF_IP_PRI_SELINUX_FIRST,
5868 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5870 static struct nf_hook_ops selinux_ipv6_ops[] = {
5872 .hook = selinux_ipv6_postroute,
5873 .owner = THIS_MODULE,
5875 .hooknum = NF_INET_POST_ROUTING,
5876 .priority = NF_IP6_PRI_SELINUX_LAST,
5879 .hook = selinux_ipv6_forward,
5880 .owner = THIS_MODULE,
5882 .hooknum = NF_INET_FORWARD,
5883 .priority = NF_IP6_PRI_SELINUX_FIRST,
5889 static int __init selinux_nf_ip_init(void)
5893 if (!selinux_enabled)
5896 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5898 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5900 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5902 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5903 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5905 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5912 __initcall(selinux_nf_ip_init);
5914 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5915 static void selinux_nf_ip_exit(void)
5917 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5919 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5920 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5921 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5926 #else /* CONFIG_NETFILTER */
5928 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5929 #define selinux_nf_ip_exit()
5932 #endif /* CONFIG_NETFILTER */
5934 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5935 static int selinux_disabled;
5937 int selinux_disable(void)
5939 extern void exit_sel_fs(void);
5941 if (ss_initialized) {
5942 /* Not permitted after initial policy load. */
5946 if (selinux_disabled) {
5947 /* Only do this once. */
5951 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5953 selinux_disabled = 1;
5954 selinux_enabled = 0;
5956 /* Reset security_ops to the secondary module, dummy or capability. */
5957 security_ops = secondary_ops;
5959 /* Unregister netfilter hooks. */
5960 selinux_nf_ip_exit();
5962 /* Unregister selinuxfs. */