2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2,
18 * as published by the Free Software Foundation.
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
50 #include <net/ip.h> /* for sysctl_local_port_range[] */
51 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h> /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h> /* for Unix socket types */
63 #include <net/af_unix.h> /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
78 #define XATTR_SELINUX_SUFFIX "selinux"
79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
81 extern unsigned int policydb_loaded_version;
82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
84 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
85 int selinux_enforcing = 0;
87 static int __init enforcing_setup(char *str)
89 selinux_enforcing = simple_strtol(str,NULL,0);
92 __setup("enforcing=", enforcing_setup);
95 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
96 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
98 static int __init selinux_enabled_setup(char *str)
100 selinux_enabled = simple_strtol(str, NULL, 0);
103 __setup("selinux=", selinux_enabled_setup);
106 /* Original (dummy) security module. */
107 static struct security_operations *original_ops = NULL;
109 /* Minimal support for a secondary security module,
110 just to allow the use of the dummy or capability modules.
111 The owlsm module can alternatively be used as a secondary
112 module as long as CONFIG_OWLSM_FD is not enabled. */
113 static struct security_operations *secondary_ops = NULL;
115 /* Lists of inode and superblock security structures initialized
116 before the policy was loaded. */
117 static LIST_HEAD(superblock_security_head);
118 static DEFINE_SPINLOCK(sb_security_lock);
120 static kmem_cache_t *sel_inode_cache;
122 /* Allocate and free functions for each kind of security blob. */
124 static int task_alloc_security(struct task_struct *task)
126 struct task_security_struct *tsec;
128 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
133 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
134 task->security = tsec;
139 static void task_free_security(struct task_struct *task)
141 struct task_security_struct *tsec = task->security;
142 task->security = NULL;
146 static int inode_alloc_security(struct inode *inode)
148 struct task_security_struct *tsec = current->security;
149 struct inode_security_struct *isec;
151 isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
155 memset(isec, 0, sizeof(*isec));
156 init_MUTEX(&isec->sem);
157 INIT_LIST_HEAD(&isec->list);
159 isec->sid = SECINITSID_UNLABELED;
160 isec->sclass = SECCLASS_FILE;
161 isec->task_sid = tsec->sid;
162 inode->i_security = isec;
167 static void inode_free_security(struct inode *inode)
169 struct inode_security_struct *isec = inode->i_security;
170 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
172 spin_lock(&sbsec->isec_lock);
173 if (!list_empty(&isec->list))
174 list_del_init(&isec->list);
175 spin_unlock(&sbsec->isec_lock);
177 inode->i_security = NULL;
178 kmem_cache_free(sel_inode_cache, isec);
181 static int file_alloc_security(struct file *file)
183 struct task_security_struct *tsec = current->security;
184 struct file_security_struct *fsec;
186 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
191 fsec->sid = tsec->sid;
192 fsec->fown_sid = tsec->sid;
193 file->f_security = fsec;
198 static void file_free_security(struct file *file)
200 struct file_security_struct *fsec = file->f_security;
201 file->f_security = NULL;
205 static int superblock_alloc_security(struct super_block *sb)
207 struct superblock_security_struct *sbsec;
209 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
213 init_MUTEX(&sbsec->sem);
214 INIT_LIST_HEAD(&sbsec->list);
215 INIT_LIST_HEAD(&sbsec->isec_head);
216 spin_lock_init(&sbsec->isec_lock);
218 sbsec->sid = SECINITSID_UNLABELED;
219 sbsec->def_sid = SECINITSID_FILE;
220 sb->s_security = sbsec;
225 static void superblock_free_security(struct super_block *sb)
227 struct superblock_security_struct *sbsec = sb->s_security;
229 spin_lock(&sb_security_lock);
230 if (!list_empty(&sbsec->list))
231 list_del_init(&sbsec->list);
232 spin_unlock(&sb_security_lock);
234 sb->s_security = NULL;
238 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
240 struct sk_security_struct *ssec;
242 if (family != PF_UNIX)
245 ssec = kzalloc(sizeof(*ssec), priority);
250 ssec->peer_sid = SECINITSID_UNLABELED;
251 sk->sk_security = ssec;
256 static void sk_free_security(struct sock *sk)
258 struct sk_security_struct *ssec = sk->sk_security;
260 if (sk->sk_family != PF_UNIX)
263 sk->sk_security = NULL;
267 /* The security server must be initialized before
268 any labeling or access decisions can be provided. */
269 extern int ss_initialized;
271 /* The file system's label must be initialized prior to use. */
273 static char *labeling_behaviors[6] = {
275 "uses transition SIDs",
277 "uses genfs_contexts",
278 "not configured for labeling",
279 "uses mountpoint labeling",
282 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
284 static inline int inode_doinit(struct inode *inode)
286 return inode_doinit_with_dentry(inode, NULL);
295 static match_table_t tokens = {
296 {Opt_context, "context=%s"},
297 {Opt_fscontext, "fscontext=%s"},
298 {Opt_defcontext, "defcontext=%s"},
301 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
303 static int try_context_mount(struct super_block *sb, void *data)
305 char *context = NULL, *defcontext = NULL;
308 int alloc = 0, rc = 0, seen = 0;
309 struct task_security_struct *tsec = current->security;
310 struct superblock_security_struct *sbsec = sb->s_security;
315 name = sb->s_type->name;
317 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
319 /* NFS we understand. */
320 if (!strcmp(name, "nfs")) {
321 struct nfs_mount_data *d = data;
323 if (d->version < NFS_MOUNT_VERSION)
327 context = d->context;
334 /* Standard string-based options. */
335 char *p, *options = data;
337 while ((p = strsep(&options, ",")) != NULL) {
339 substring_t args[MAX_OPT_ARGS];
344 token = match_token(p, tokens, args);
350 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
353 context = match_strdup(&args[0]);
364 if (seen & (Opt_context|Opt_fscontext)) {
366 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
369 context = match_strdup(&args[0]);
376 seen |= Opt_fscontext;
380 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
382 printk(KERN_WARNING "SELinux: "
383 "defcontext option is invalid "
384 "for this filesystem type\n");
387 if (seen & (Opt_context|Opt_defcontext)) {
389 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
392 defcontext = match_strdup(&args[0]);
399 seen |= Opt_defcontext;
404 printk(KERN_WARNING "SELinux: unknown mount "
416 rc = security_context_to_sid(context, strlen(context), &sid);
418 printk(KERN_WARNING "SELinux: security_context_to_sid"
419 "(%s) failed for (dev %s, type %s) errno=%d\n",
420 context, sb->s_id, name, rc);
424 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
425 FILESYSTEM__RELABELFROM, NULL);
429 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
430 FILESYSTEM__RELABELTO, NULL);
436 if (seen & Opt_context)
437 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
441 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
443 printk(KERN_WARNING "SELinux: security_context_to_sid"
444 "(%s) failed for (dev %s, type %s) errno=%d\n",
445 defcontext, sb->s_id, name, rc);
449 if (sid == sbsec->def_sid)
452 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
453 FILESYSTEM__RELABELFROM, NULL);
457 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
458 FILESYSTEM__ASSOCIATE, NULL);
462 sbsec->def_sid = sid;
474 static int superblock_doinit(struct super_block *sb, void *data)
476 struct superblock_security_struct *sbsec = sb->s_security;
477 struct dentry *root = sb->s_root;
478 struct inode *inode = root->d_inode;
482 if (sbsec->initialized)
485 if (!ss_initialized) {
486 /* Defer initialization until selinux_complete_init,
487 after the initial policy is loaded and the security
488 server is ready to handle calls. */
489 spin_lock(&sb_security_lock);
490 if (list_empty(&sbsec->list))
491 list_add(&sbsec->list, &superblock_security_head);
492 spin_unlock(&sb_security_lock);
496 /* Determine the labeling behavior to use for this filesystem type. */
497 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
499 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
500 __FUNCTION__, sb->s_type->name, rc);
504 rc = try_context_mount(sb, data);
508 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
509 /* Make sure that the xattr handler exists and that no
510 error other than -ENODATA is returned by getxattr on
511 the root directory. -ENODATA is ok, as this may be
512 the first boot of the SELinux kernel before we have
513 assigned xattr values to the filesystem. */
514 if (!inode->i_op->getxattr) {
515 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
516 "xattr support\n", sb->s_id, sb->s_type->name);
520 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
521 if (rc < 0 && rc != -ENODATA) {
522 if (rc == -EOPNOTSUPP)
523 printk(KERN_WARNING "SELinux: (dev %s, type "
524 "%s) has no security xattr handler\n",
525 sb->s_id, sb->s_type->name);
527 printk(KERN_WARNING "SELinux: (dev %s, type "
528 "%s) getxattr errno %d\n", sb->s_id,
529 sb->s_type->name, -rc);
534 if (strcmp(sb->s_type->name, "proc") == 0)
537 sbsec->initialized = 1;
539 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
540 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
541 sb->s_id, sb->s_type->name);
544 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
545 sb->s_id, sb->s_type->name,
546 labeling_behaviors[sbsec->behavior-1]);
549 /* Initialize the root inode. */
550 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
552 /* Initialize any other inodes associated with the superblock, e.g.
553 inodes created prior to initial policy load or inodes created
554 during get_sb by a pseudo filesystem that directly
556 spin_lock(&sbsec->isec_lock);
558 if (!list_empty(&sbsec->isec_head)) {
559 struct inode_security_struct *isec =
560 list_entry(sbsec->isec_head.next,
561 struct inode_security_struct, list);
562 struct inode *inode = isec->inode;
563 spin_unlock(&sbsec->isec_lock);
564 inode = igrab(inode);
566 if (!IS_PRIVATE (inode))
570 spin_lock(&sbsec->isec_lock);
571 list_del_init(&isec->list);
574 spin_unlock(&sbsec->isec_lock);
580 static inline u16 inode_mode_to_security_class(umode_t mode)
582 switch (mode & S_IFMT) {
584 return SECCLASS_SOCK_FILE;
586 return SECCLASS_LNK_FILE;
588 return SECCLASS_FILE;
590 return SECCLASS_BLK_FILE;
594 return SECCLASS_CHR_FILE;
596 return SECCLASS_FIFO_FILE;
600 return SECCLASS_FILE;
603 static inline int default_protocol_stream(int protocol)
605 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
608 static inline int default_protocol_dgram(int protocol)
610 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
613 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
620 return SECCLASS_UNIX_STREAM_SOCKET;
622 return SECCLASS_UNIX_DGRAM_SOCKET;
629 if (default_protocol_stream(protocol))
630 return SECCLASS_TCP_SOCKET;
632 return SECCLASS_RAWIP_SOCKET;
634 if (default_protocol_dgram(protocol))
635 return SECCLASS_UDP_SOCKET;
637 return SECCLASS_RAWIP_SOCKET;
639 return SECCLASS_RAWIP_SOCKET;
645 return SECCLASS_NETLINK_ROUTE_SOCKET;
646 case NETLINK_FIREWALL:
647 return SECCLASS_NETLINK_FIREWALL_SOCKET;
648 case NETLINK_INET_DIAG:
649 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
651 return SECCLASS_NETLINK_NFLOG_SOCKET;
653 return SECCLASS_NETLINK_XFRM_SOCKET;
654 case NETLINK_SELINUX:
655 return SECCLASS_NETLINK_SELINUX_SOCKET;
657 return SECCLASS_NETLINK_AUDIT_SOCKET;
659 return SECCLASS_NETLINK_IP6FW_SOCKET;
660 case NETLINK_DNRTMSG:
661 return SECCLASS_NETLINK_DNRT_SOCKET;
662 case NETLINK_KOBJECT_UEVENT:
663 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
665 return SECCLASS_NETLINK_SOCKET;
668 return SECCLASS_PACKET_SOCKET;
670 return SECCLASS_KEY_SOCKET;
673 return SECCLASS_SOCKET;
676 #ifdef CONFIG_PROC_FS
677 static int selinux_proc_get_sid(struct proc_dir_entry *de,
682 char *buffer, *path, *end;
684 buffer = (char*)__get_free_page(GFP_KERNEL);
694 while (de && de != de->parent) {
695 buflen -= de->namelen + 1;
699 memcpy(end, de->name, de->namelen);
704 rc = security_genfs_sid("proc", path, tclass, sid);
705 free_page((unsigned long)buffer);
709 static int selinux_proc_get_sid(struct proc_dir_entry *de,
717 /* The inode's security attributes must be initialized before first use. */
718 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
720 struct superblock_security_struct *sbsec = NULL;
721 struct inode_security_struct *isec = inode->i_security;
723 struct dentry *dentry;
724 #define INITCONTEXTLEN 255
725 char *context = NULL;
730 if (isec->initialized)
735 if (isec->initialized)
738 sbsec = inode->i_sb->s_security;
739 if (!sbsec->initialized) {
740 /* Defer initialization until selinux_complete_init,
741 after the initial policy is loaded and the security
742 server is ready to handle calls. */
743 spin_lock(&sbsec->isec_lock);
744 if (list_empty(&isec->list))
745 list_add(&isec->list, &sbsec->isec_head);
746 spin_unlock(&sbsec->isec_lock);
750 switch (sbsec->behavior) {
751 case SECURITY_FS_USE_XATTR:
752 if (!inode->i_op->getxattr) {
753 isec->sid = sbsec->def_sid;
757 /* Need a dentry, since the xattr API requires one.
758 Life would be simpler if we could just pass the inode. */
760 /* Called from d_instantiate or d_splice_alias. */
761 dentry = dget(opt_dentry);
763 /* Called from selinux_complete_init, try to find a dentry. */
764 dentry = d_find_alias(inode);
767 printk(KERN_WARNING "%s: no dentry for dev=%s "
768 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
773 len = INITCONTEXTLEN;
774 context = kmalloc(len, GFP_KERNEL);
780 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
783 /* Need a larger buffer. Query for the right size. */
784 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
792 context = kmalloc(len, GFP_KERNEL);
798 rc = inode->i_op->getxattr(dentry,
804 if (rc != -ENODATA) {
805 printk(KERN_WARNING "%s: getxattr returned "
806 "%d for dev=%s ino=%ld\n", __FUNCTION__,
807 -rc, inode->i_sb->s_id, inode->i_ino);
811 /* Map ENODATA to the default file SID */
812 sid = sbsec->def_sid;
815 rc = security_context_to_sid_default(context, rc, &sid,
818 printk(KERN_WARNING "%s: context_to_sid(%s) "
819 "returned %d for dev=%s ino=%ld\n",
820 __FUNCTION__, context, -rc,
821 inode->i_sb->s_id, inode->i_ino);
823 /* Leave with the unlabeled SID */
831 case SECURITY_FS_USE_TASK:
832 isec->sid = isec->task_sid;
834 case SECURITY_FS_USE_TRANS:
835 /* Default to the fs SID. */
836 isec->sid = sbsec->sid;
838 /* Try to obtain a transition SID. */
839 isec->sclass = inode_mode_to_security_class(inode->i_mode);
840 rc = security_transition_sid(isec->task_sid,
849 /* Default to the fs SID. */
850 isec->sid = sbsec->sid;
853 struct proc_inode *proci = PROC_I(inode);
855 isec->sclass = inode_mode_to_security_class(inode->i_mode);
856 rc = selinux_proc_get_sid(proci->pde,
867 isec->initialized = 1;
870 if (isec->sclass == SECCLASS_FILE)
871 isec->sclass = inode_mode_to_security_class(inode->i_mode);
878 /* Convert a Linux signal to an access vector. */
879 static inline u32 signal_to_av(int sig)
885 /* Commonly granted from child to parent. */
886 perm = PROCESS__SIGCHLD;
889 /* Cannot be caught or ignored */
890 perm = PROCESS__SIGKILL;
893 /* Cannot be caught or ignored */
894 perm = PROCESS__SIGSTOP;
897 /* All other signals. */
898 perm = PROCESS__SIGNAL;
905 /* Check permission betweeen a pair of tasks, e.g. signal checks,
906 fork check, ptrace check, etc. */
907 static int task_has_perm(struct task_struct *tsk1,
908 struct task_struct *tsk2,
911 struct task_security_struct *tsec1, *tsec2;
913 tsec1 = tsk1->security;
914 tsec2 = tsk2->security;
915 return avc_has_perm(tsec1->sid, tsec2->sid,
916 SECCLASS_PROCESS, perms, NULL);
919 /* Check whether a task is allowed to use a capability. */
920 static int task_has_capability(struct task_struct *tsk,
923 struct task_security_struct *tsec;
924 struct avc_audit_data ad;
926 tsec = tsk->security;
928 AVC_AUDIT_DATA_INIT(&ad,CAP);
932 return avc_has_perm(tsec->sid, tsec->sid,
933 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
936 /* Check whether a task is allowed to use a system operation. */
937 static int task_has_system(struct task_struct *tsk,
940 struct task_security_struct *tsec;
942 tsec = tsk->security;
944 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
945 SECCLASS_SYSTEM, perms, NULL);
948 /* Check whether a task has a particular permission to an inode.
949 The 'adp' parameter is optional and allows other audit
950 data to be passed (e.g. the dentry). */
951 static int inode_has_perm(struct task_struct *tsk,
954 struct avc_audit_data *adp)
956 struct task_security_struct *tsec;
957 struct inode_security_struct *isec;
958 struct avc_audit_data ad;
960 tsec = tsk->security;
961 isec = inode->i_security;
965 AVC_AUDIT_DATA_INIT(&ad, FS);
966 ad.u.fs.inode = inode;
969 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
972 /* Same as inode_has_perm, but pass explicit audit data containing
973 the dentry to help the auditing code to more easily generate the
974 pathname if needed. */
975 static inline int dentry_has_perm(struct task_struct *tsk,
976 struct vfsmount *mnt,
977 struct dentry *dentry,
980 struct inode *inode = dentry->d_inode;
981 struct avc_audit_data ad;
982 AVC_AUDIT_DATA_INIT(&ad,FS);
984 ad.u.fs.dentry = dentry;
985 return inode_has_perm(tsk, inode, av, &ad);
988 /* Check whether a task can use an open file descriptor to
989 access an inode in a given way. Check access to the
990 descriptor itself, and then use dentry_has_perm to
991 check a particular permission to the file.
992 Access to the descriptor is implicitly granted if it
993 has the same SID as the process. If av is zero, then
994 access to the file is not checked, e.g. for cases
995 where only the descriptor is affected like seek. */
996 static int file_has_perm(struct task_struct *tsk,
1000 struct task_security_struct *tsec = tsk->security;
1001 struct file_security_struct *fsec = file->f_security;
1002 struct vfsmount *mnt = file->f_vfsmnt;
1003 struct dentry *dentry = file->f_dentry;
1004 struct inode *inode = dentry->d_inode;
1005 struct avc_audit_data ad;
1008 AVC_AUDIT_DATA_INIT(&ad, FS);
1010 ad.u.fs.dentry = dentry;
1012 if (tsec->sid != fsec->sid) {
1013 rc = avc_has_perm(tsec->sid, fsec->sid,
1021 /* av is zero if only checking access to the descriptor. */
1023 return inode_has_perm(tsk, inode, av, &ad);
1028 /* Check whether a task can create a file. */
1029 static int may_create(struct inode *dir,
1030 struct dentry *dentry,
1033 struct task_security_struct *tsec;
1034 struct inode_security_struct *dsec;
1035 struct superblock_security_struct *sbsec;
1037 struct avc_audit_data ad;
1040 tsec = current->security;
1041 dsec = dir->i_security;
1042 sbsec = dir->i_sb->s_security;
1044 AVC_AUDIT_DATA_INIT(&ad, FS);
1045 ad.u.fs.dentry = dentry;
1047 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1048 DIR__ADD_NAME | DIR__SEARCH,
1053 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1054 newsid = tsec->create_sid;
1056 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1062 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1066 return avc_has_perm(newsid, sbsec->sid,
1067 SECCLASS_FILESYSTEM,
1068 FILESYSTEM__ASSOCIATE, &ad);
1072 #define MAY_UNLINK 1
1075 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1076 static int may_link(struct inode *dir,
1077 struct dentry *dentry,
1081 struct task_security_struct *tsec;
1082 struct inode_security_struct *dsec, *isec;
1083 struct avc_audit_data ad;
1087 tsec = current->security;
1088 dsec = dir->i_security;
1089 isec = dentry->d_inode->i_security;
1091 AVC_AUDIT_DATA_INIT(&ad, FS);
1092 ad.u.fs.dentry = dentry;
1095 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1096 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1111 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1115 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1119 static inline int may_rename(struct inode *old_dir,
1120 struct dentry *old_dentry,
1121 struct inode *new_dir,
1122 struct dentry *new_dentry)
1124 struct task_security_struct *tsec;
1125 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1126 struct avc_audit_data ad;
1128 int old_is_dir, new_is_dir;
1131 tsec = current->security;
1132 old_dsec = old_dir->i_security;
1133 old_isec = old_dentry->d_inode->i_security;
1134 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1135 new_dsec = new_dir->i_security;
1137 AVC_AUDIT_DATA_INIT(&ad, FS);
1139 ad.u.fs.dentry = old_dentry;
1140 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1141 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1144 rc = avc_has_perm(tsec->sid, old_isec->sid,
1145 old_isec->sclass, FILE__RENAME, &ad);
1148 if (old_is_dir && new_dir != old_dir) {
1149 rc = avc_has_perm(tsec->sid, old_isec->sid,
1150 old_isec->sclass, DIR__REPARENT, &ad);
1155 ad.u.fs.dentry = new_dentry;
1156 av = DIR__ADD_NAME | DIR__SEARCH;
1157 if (new_dentry->d_inode)
1158 av |= DIR__REMOVE_NAME;
1159 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1162 if (new_dentry->d_inode) {
1163 new_isec = new_dentry->d_inode->i_security;
1164 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1165 rc = avc_has_perm(tsec->sid, new_isec->sid,
1167 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1175 /* Check whether a task can perform a filesystem operation. */
1176 static int superblock_has_perm(struct task_struct *tsk,
1177 struct super_block *sb,
1179 struct avc_audit_data *ad)
1181 struct task_security_struct *tsec;
1182 struct superblock_security_struct *sbsec;
1184 tsec = tsk->security;
1185 sbsec = sb->s_security;
1186 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1190 /* Convert a Linux mode and permission mask to an access vector. */
1191 static inline u32 file_mask_to_av(int mode, int mask)
1195 if ((mode & S_IFMT) != S_IFDIR) {
1196 if (mask & MAY_EXEC)
1197 av |= FILE__EXECUTE;
1198 if (mask & MAY_READ)
1201 if (mask & MAY_APPEND)
1203 else if (mask & MAY_WRITE)
1207 if (mask & MAY_EXEC)
1209 if (mask & MAY_WRITE)
1211 if (mask & MAY_READ)
1218 /* Convert a Linux file to an access vector. */
1219 static inline u32 file_to_av(struct file *file)
1223 if (file->f_mode & FMODE_READ)
1225 if (file->f_mode & FMODE_WRITE) {
1226 if (file->f_flags & O_APPEND)
1235 /* Set an inode's SID to a specified value. */
1236 static int inode_security_set_sid(struct inode *inode, u32 sid)
1238 struct inode_security_struct *isec = inode->i_security;
1239 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1241 if (!sbsec->initialized) {
1242 /* Defer initialization to selinux_complete_init. */
1247 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1249 isec->initialized = 1;
1254 /* Hook functions begin here. */
1256 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1258 struct task_security_struct *psec = parent->security;
1259 struct task_security_struct *csec = child->security;
1262 rc = secondary_ops->ptrace(parent,child);
1266 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1267 /* Save the SID of the tracing process for later use in apply_creds. */
1268 if (!(child->ptrace & PT_PTRACED) && !rc)
1269 csec->ptrace_sid = psec->sid;
1273 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1274 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1278 error = task_has_perm(current, target, PROCESS__GETCAP);
1282 return secondary_ops->capget(target, effective, inheritable, permitted);
1285 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1286 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1290 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1294 return task_has_perm(current, target, PROCESS__SETCAP);
1297 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1298 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1300 secondary_ops->capset_set(target, effective, inheritable, permitted);
1303 static int selinux_capable(struct task_struct *tsk, int cap)
1307 rc = secondary_ops->capable(tsk, cap);
1311 return task_has_capability(tsk,cap);
1314 static int selinux_sysctl(ctl_table *table, int op)
1318 struct task_security_struct *tsec;
1322 rc = secondary_ops->sysctl(table, op);
1326 tsec = current->security;
1328 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1329 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1331 /* Default to the well-defined sysctl SID. */
1332 tsid = SECINITSID_SYSCTL;
1335 /* The op values are "defined" in sysctl.c, thereby creating
1336 * a bad coupling between this module and sysctl.c */
1338 error = avc_has_perm(tsec->sid, tsid,
1339 SECCLASS_DIR, DIR__SEARCH, NULL);
1347 error = avc_has_perm(tsec->sid, tsid,
1348 SECCLASS_FILE, av, NULL);
1354 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1367 rc = superblock_has_perm(current,
1369 FILESYSTEM__QUOTAMOD, NULL);
1374 rc = superblock_has_perm(current,
1376 FILESYSTEM__QUOTAGET, NULL);
1379 rc = 0; /* let the kernel handle invalid cmds */
1385 static int selinux_quota_on(struct dentry *dentry)
1387 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1390 static int selinux_syslog(int type)
1394 rc = secondary_ops->syslog(type);
1399 case 3: /* Read last kernel messages */
1400 case 10: /* Return size of the log buffer */
1401 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1403 case 6: /* Disable logging to console */
1404 case 7: /* Enable logging to console */
1405 case 8: /* Set level of messages printed to console */
1406 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1408 case 0: /* Close log */
1409 case 1: /* Open log */
1410 case 2: /* Read from log */
1411 case 4: /* Read/clear last kernel messages */
1412 case 5: /* Clear ring buffer */
1414 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1421 * Check that a process has enough memory to allocate a new virtual
1422 * mapping. 0 means there is enough memory for the allocation to
1423 * succeed and -ENOMEM implies there is not.
1425 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1426 * if the capability is granted, but __vm_enough_memory requires 1 if
1427 * the capability is granted.
1429 * Do not audit the selinux permission check, as this is applied to all
1430 * processes that allocate mappings.
1432 static int selinux_vm_enough_memory(long pages)
1434 int rc, cap_sys_admin = 0;
1435 struct task_security_struct *tsec = current->security;
1437 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1439 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1440 SECCLASS_CAPABILITY,
1441 CAP_TO_MASK(CAP_SYS_ADMIN),
1447 return __vm_enough_memory(pages, cap_sys_admin);
1450 /* binprm security operations */
1452 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1454 struct bprm_security_struct *bsec;
1456 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1461 bsec->sid = SECINITSID_UNLABELED;
1464 bprm->security = bsec;
1468 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1470 struct task_security_struct *tsec;
1471 struct inode *inode = bprm->file->f_dentry->d_inode;
1472 struct inode_security_struct *isec;
1473 struct bprm_security_struct *bsec;
1475 struct avc_audit_data ad;
1478 rc = secondary_ops->bprm_set_security(bprm);
1482 bsec = bprm->security;
1487 tsec = current->security;
1488 isec = inode->i_security;
1490 /* Default to the current task SID. */
1491 bsec->sid = tsec->sid;
1493 /* Reset create SID on execve. */
1494 tsec->create_sid = 0;
1496 if (tsec->exec_sid) {
1497 newsid = tsec->exec_sid;
1498 /* Reset exec SID on execve. */
1501 /* Check for a default transition on this program. */
1502 rc = security_transition_sid(tsec->sid, isec->sid,
1503 SECCLASS_PROCESS, &newsid);
1508 AVC_AUDIT_DATA_INIT(&ad, FS);
1509 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1510 ad.u.fs.dentry = bprm->file->f_dentry;
1512 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1515 if (tsec->sid == newsid) {
1516 rc = avc_has_perm(tsec->sid, isec->sid,
1517 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1521 /* Check permissions for the transition. */
1522 rc = avc_has_perm(tsec->sid, newsid,
1523 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1527 rc = avc_has_perm(newsid, isec->sid,
1528 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1532 /* Clear any possibly unsafe personality bits on exec: */
1533 current->personality &= ~PER_CLEAR_ON_SETID;
1535 /* Set the security field to the new SID. */
1543 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1545 return secondary_ops->bprm_check_security(bprm);
1549 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1551 struct task_security_struct *tsec = current->security;
1554 if (tsec->osid != tsec->sid) {
1555 /* Enable secure mode for SIDs transitions unless
1556 the noatsecure permission is granted between
1557 the two SIDs, i.e. ahp returns 0. */
1558 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1560 PROCESS__NOATSECURE, NULL);
1563 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1566 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1568 kfree(bprm->security);
1569 bprm->security = NULL;
1572 extern struct vfsmount *selinuxfs_mount;
1573 extern struct dentry *selinux_null;
1575 /* Derived from fs/exec.c:flush_old_files. */
1576 static inline void flush_unauthorized_files(struct files_struct * files)
1578 struct avc_audit_data ad;
1579 struct file *file, *devnull = NULL;
1580 struct tty_struct *tty = current->signal->tty;
1581 struct fdtable *fdt;
1586 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1588 /* Revalidate access to controlling tty.
1589 Use inode_has_perm on the tty inode directly rather
1590 than using file_has_perm, as this particular open
1591 file may belong to another process and we are only
1592 interested in the inode-based check here. */
1593 struct inode *inode = file->f_dentry->d_inode;
1594 if (inode_has_perm(current, inode,
1595 FILE__READ | FILE__WRITE, NULL)) {
1596 /* Reset controlling tty. */
1597 current->signal->tty = NULL;
1598 current->signal->tty_old_pgrp = 0;
1604 /* Revalidate access to inherited open files. */
1606 AVC_AUDIT_DATA_INIT(&ad,FS);
1608 spin_lock(&files->file_lock);
1610 unsigned long set, i;
1615 fdt = files_fdtable(files);
1616 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1618 set = fdt->open_fds->fds_bits[j];
1621 spin_unlock(&files->file_lock);
1622 for ( ; set ; i++,set >>= 1) {
1627 if (file_has_perm(current,
1629 file_to_av(file))) {
1631 fd = get_unused_fd();
1641 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1648 fd_install(fd, devnull);
1653 spin_lock(&files->file_lock);
1656 spin_unlock(&files->file_lock);
1659 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1661 struct task_security_struct *tsec;
1662 struct bprm_security_struct *bsec;
1666 secondary_ops->bprm_apply_creds(bprm, unsafe);
1668 tsec = current->security;
1670 bsec = bprm->security;
1673 tsec->osid = tsec->sid;
1675 if (tsec->sid != sid) {
1676 /* Check for shared state. If not ok, leave SID
1677 unchanged and kill. */
1678 if (unsafe & LSM_UNSAFE_SHARE) {
1679 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1680 PROCESS__SHARE, NULL);
1687 /* Check for ptracing, and update the task SID if ok.
1688 Otherwise, leave SID unchanged and kill. */
1689 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1690 rc = avc_has_perm(tsec->ptrace_sid, sid,
1691 SECCLASS_PROCESS, PROCESS__PTRACE,
1703 * called after apply_creds without the task lock held
1705 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1707 struct task_security_struct *tsec;
1708 struct rlimit *rlim, *initrlim;
1709 struct itimerval itimer;
1710 struct bprm_security_struct *bsec;
1713 tsec = current->security;
1714 bsec = bprm->security;
1717 force_sig_specific(SIGKILL, current);
1720 if (tsec->osid == tsec->sid)
1723 /* Close files for which the new task SID is not authorized. */
1724 flush_unauthorized_files(current->files);
1726 /* Check whether the new SID can inherit signal state
1727 from the old SID. If not, clear itimers to avoid
1728 subsequent signal generation and flush and unblock
1729 signals. This must occur _after_ the task SID has
1730 been updated so that any kill done after the flush
1731 will be checked against the new SID. */
1732 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1733 PROCESS__SIGINH, NULL);
1735 memset(&itimer, 0, sizeof itimer);
1736 for (i = 0; i < 3; i++)
1737 do_setitimer(i, &itimer, NULL);
1738 flush_signals(current);
1739 spin_lock_irq(¤t->sighand->siglock);
1740 flush_signal_handlers(current, 1);
1741 sigemptyset(¤t->blocked);
1742 recalc_sigpending();
1743 spin_unlock_irq(¤t->sighand->siglock);
1746 /* Check whether the new SID can inherit resource limits
1747 from the old SID. If not, reset all soft limits to
1748 the lower of the current task's hard limit and the init
1749 task's soft limit. Note that the setting of hard limits
1750 (even to lower them) can be controlled by the setrlimit
1751 check. The inclusion of the init task's soft limit into
1752 the computation is to avoid resetting soft limits higher
1753 than the default soft limit for cases where the default
1754 is lower than the hard limit, e.g. RLIMIT_CORE or
1756 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1757 PROCESS__RLIMITINH, NULL);
1759 for (i = 0; i < RLIM_NLIMITS; i++) {
1760 rlim = current->signal->rlim + i;
1761 initrlim = init_task.signal->rlim+i;
1762 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1764 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1766 * This will cause RLIMIT_CPU calculations
1769 current->it_prof_expires = jiffies_to_cputime(1);
1773 /* Wake up the parent if it is waiting so that it can
1774 recheck wait permission to the new task SID. */
1775 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
1778 /* superblock security operations */
1780 static int selinux_sb_alloc_security(struct super_block *sb)
1782 return superblock_alloc_security(sb);
1785 static void selinux_sb_free_security(struct super_block *sb)
1787 superblock_free_security(sb);
1790 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1795 return !memcmp(prefix, option, plen);
1798 static inline int selinux_option(char *option, int len)
1800 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1801 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1802 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1805 static inline void take_option(char **to, char *from, int *first, int len)
1813 memcpy(*to, from, len);
1817 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1819 int fnosec, fsec, rc = 0;
1820 char *in_save, *in_curr, *in_end;
1821 char *sec_curr, *nosec_save, *nosec;
1826 /* Binary mount data: just copy */
1827 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1828 copy_page(sec_curr, in_curr);
1832 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1840 in_save = in_end = orig;
1843 if (*in_end == ',' || *in_end == '\0') {
1844 int len = in_end - in_curr;
1846 if (selinux_option(in_curr, len))
1847 take_option(&sec_curr, in_curr, &fsec, len);
1849 take_option(&nosec, in_curr, &fnosec, len);
1851 in_curr = in_end + 1;
1853 } while (*in_end++);
1855 strcpy(in_save, nosec_save);
1856 free_page((unsigned long)nosec_save);
1861 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1863 struct avc_audit_data ad;
1866 rc = superblock_doinit(sb, data);
1870 AVC_AUDIT_DATA_INIT(&ad,FS);
1871 ad.u.fs.dentry = sb->s_root;
1872 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1875 static int selinux_sb_statfs(struct super_block *sb)
1877 struct avc_audit_data ad;
1879 AVC_AUDIT_DATA_INIT(&ad,FS);
1880 ad.u.fs.dentry = sb->s_root;
1881 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1884 static int selinux_mount(char * dev_name,
1885 struct nameidata *nd,
1887 unsigned long flags,
1892 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1896 if (flags & MS_REMOUNT)
1897 return superblock_has_perm(current, nd->mnt->mnt_sb,
1898 FILESYSTEM__REMOUNT, NULL);
1900 return dentry_has_perm(current, nd->mnt, nd->dentry,
1904 static int selinux_umount(struct vfsmount *mnt, int flags)
1908 rc = secondary_ops->sb_umount(mnt, flags);
1912 return superblock_has_perm(current,mnt->mnt_sb,
1913 FILESYSTEM__UNMOUNT,NULL);
1916 /* inode security operations */
1918 static int selinux_inode_alloc_security(struct inode *inode)
1920 return inode_alloc_security(inode);
1923 static void selinux_inode_free_security(struct inode *inode)
1925 inode_free_security(inode);
1928 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1929 char **name, void **value,
1932 struct task_security_struct *tsec;
1933 struct inode_security_struct *dsec;
1934 struct superblock_security_struct *sbsec;
1937 char *namep = NULL, *context;
1939 tsec = current->security;
1940 dsec = dir->i_security;
1941 sbsec = dir->i_sb->s_security;
1943 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1944 newsid = tsec->create_sid;
1946 rc = security_transition_sid(tsec->sid, dsec->sid,
1947 inode_mode_to_security_class(inode->i_mode),
1950 printk(KERN_WARNING "%s: "
1951 "security_transition_sid failed, rc=%d (dev=%s "
1954 -rc, inode->i_sb->s_id, inode->i_ino);
1959 inode_security_set_sid(inode, newsid);
1961 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
1965 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1972 rc = security_sid_to_context(newsid, &context, &clen);
1984 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
1986 return may_create(dir, dentry, SECCLASS_FILE);
1989 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
1993 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
1996 return may_link(dir, old_dentry, MAY_LINK);
1999 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2003 rc = secondary_ops->inode_unlink(dir, dentry);
2006 return may_link(dir, dentry, MAY_UNLINK);
2009 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2011 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2014 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2016 return may_create(dir, dentry, SECCLASS_DIR);
2019 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2021 return may_link(dir, dentry, MAY_RMDIR);
2024 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2028 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2032 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2035 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2036 struct inode *new_inode, struct dentry *new_dentry)
2038 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2041 static int selinux_inode_readlink(struct dentry *dentry)
2043 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2046 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2050 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2053 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2056 static int selinux_inode_permission(struct inode *inode, int mask,
2057 struct nameidata *nd)
2061 rc = secondary_ops->inode_permission(inode, mask, nd);
2066 /* No permission to check. Existence test. */
2070 return inode_has_perm(current, inode,
2071 file_mask_to_av(inode->i_mode, mask), NULL);
2074 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2078 rc = secondary_ops->inode_setattr(dentry, iattr);
2082 if (iattr->ia_valid & ATTR_FORCE)
2085 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2086 ATTR_ATIME_SET | ATTR_MTIME_SET))
2087 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2089 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2092 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2094 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2097 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2099 struct task_security_struct *tsec = current->security;
2100 struct inode *inode = dentry->d_inode;
2101 struct inode_security_struct *isec = inode->i_security;
2102 struct superblock_security_struct *sbsec;
2103 struct avc_audit_data ad;
2107 if (strcmp(name, XATTR_NAME_SELINUX)) {
2108 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2109 sizeof XATTR_SECURITY_PREFIX - 1) &&
2110 !capable(CAP_SYS_ADMIN)) {
2111 /* A different attribute in the security namespace.
2112 Restrict to administrator. */
2116 /* Not an attribute we recognize, so just check the
2117 ordinary setattr permission. */
2118 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2121 sbsec = inode->i_sb->s_security;
2122 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2125 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2128 AVC_AUDIT_DATA_INIT(&ad,FS);
2129 ad.u.fs.dentry = dentry;
2131 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2132 FILE__RELABELFROM, &ad);
2136 rc = security_context_to_sid(value, size, &newsid);
2140 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2141 FILE__RELABELTO, &ad);
2145 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2150 return avc_has_perm(newsid,
2152 SECCLASS_FILESYSTEM,
2153 FILESYSTEM__ASSOCIATE,
2157 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2158 void *value, size_t size, int flags)
2160 struct inode *inode = dentry->d_inode;
2161 struct inode_security_struct *isec = inode->i_security;
2165 if (strcmp(name, XATTR_NAME_SELINUX)) {
2166 /* Not an attribute we recognize, so nothing to do. */
2170 rc = security_context_to_sid(value, size, &newsid);
2172 printk(KERN_WARNING "%s: unable to obtain SID for context "
2173 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2181 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2183 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2186 static int selinux_inode_listxattr (struct dentry *dentry)
2188 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2191 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2193 if (strcmp(name, XATTR_NAME_SELINUX)) {
2194 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2195 sizeof XATTR_SECURITY_PREFIX - 1) &&
2196 !capable(CAP_SYS_ADMIN)) {
2197 /* A different attribute in the security namespace.
2198 Restrict to administrator. */
2202 /* Not an attribute we recognize, so just check the
2203 ordinary setattr permission. Might want a separate
2204 permission for removexattr. */
2205 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2208 /* No one is allowed to remove a SELinux security label.
2209 You can change the label, but all data must be labeled. */
2214 * Copy the in-core inode security context value to the user. If the
2215 * getxattr() prior to this succeeded, check to see if we need to
2216 * canonicalize the value to be finally returned to the user.
2218 * Permission check is handled by selinux_inode_getxattr hook.
2220 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
2222 struct inode_security_struct *isec = inode->i_security;
2227 if (strcmp(name, XATTR_SELINUX_SUFFIX)) {
2232 rc = security_sid_to_context(isec->sid, &context, &len);
2236 /* Probe for required buffer size */
2237 if (!buffer || !size) {
2248 if ((len == err) && !(memcmp(context, buffer, len))) {
2249 /* Don't need to canonicalize value */
2253 memset(buffer, 0, size);
2255 memcpy(buffer, context, len);
2263 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2264 const void *value, size_t size, int flags)
2266 struct inode_security_struct *isec = inode->i_security;
2270 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2273 if (!value || !size)
2276 rc = security_context_to_sid((void*)value, size, &newsid);
2284 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2286 const int len = sizeof(XATTR_NAME_SELINUX);
2287 if (buffer && len <= buffer_size)
2288 memcpy(buffer, XATTR_NAME_SELINUX, len);
2292 /* file security operations */
2294 static int selinux_file_permission(struct file *file, int mask)
2296 struct inode *inode = file->f_dentry->d_inode;
2299 /* No permission to check. Existence test. */
2303 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2304 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2307 return file_has_perm(current, file,
2308 file_mask_to_av(inode->i_mode, mask));
2311 static int selinux_file_alloc_security(struct file *file)
2313 return file_alloc_security(file);
2316 static void selinux_file_free_security(struct file *file)
2318 file_free_security(file);
2321 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2333 case EXT2_IOC_GETFLAGS:
2335 case EXT2_IOC_GETVERSION:
2336 error = file_has_perm(current, file, FILE__GETATTR);
2339 case EXT2_IOC_SETFLAGS:
2341 case EXT2_IOC_SETVERSION:
2342 error = file_has_perm(current, file, FILE__SETATTR);
2345 /* sys_ioctl() checks */
2349 error = file_has_perm(current, file, 0);
2354 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2357 /* default case assumes that the command will go
2358 * to the file's ioctl() function.
2361 error = file_has_perm(current, file, FILE__IOCTL);
2367 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2369 #ifndef CONFIG_PPC32
2370 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2372 * We are making executable an anonymous mapping or a
2373 * private file mapping that will also be writable.
2374 * This has an additional check.
2376 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2383 /* read access is always possible with a mapping */
2384 u32 av = FILE__READ;
2386 /* write access only matters if the mapping is shared */
2387 if (shared && (prot & PROT_WRITE))
2390 if (prot & PROT_EXEC)
2391 av |= FILE__EXECUTE;
2393 return file_has_perm(current, file, av);
2398 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2399 unsigned long prot, unsigned long flags)
2403 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2407 if (selinux_checkreqprot)
2410 return file_map_prot_check(file, prot,
2411 (flags & MAP_TYPE) == MAP_SHARED);
2414 static int selinux_file_mprotect(struct vm_area_struct *vma,
2415 unsigned long reqprot,
2420 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2424 if (selinux_checkreqprot)
2427 #ifndef CONFIG_PPC32
2428 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2430 if (vma->vm_start >= vma->vm_mm->start_brk &&
2431 vma->vm_end <= vma->vm_mm->brk) {
2432 rc = task_has_perm(current, current,
2434 } else if (!vma->vm_file &&
2435 vma->vm_start <= vma->vm_mm->start_stack &&
2436 vma->vm_end >= vma->vm_mm->start_stack) {
2437 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2438 } else if (vma->vm_file && vma->anon_vma) {
2440 * We are making executable a file mapping that has
2441 * had some COW done. Since pages might have been
2442 * written, check ability to execute the possibly
2443 * modified content. This typically should only
2444 * occur for text relocations.
2446 rc = file_has_perm(current, vma->vm_file,
2454 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2457 static int selinux_file_lock(struct file *file, unsigned int cmd)
2459 return file_has_perm(current, file, FILE__LOCK);
2462 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2469 if (!file->f_dentry || !file->f_dentry->d_inode) {
2474 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2475 err = file_has_perm(current, file,FILE__WRITE);
2484 /* Just check FD__USE permission */
2485 err = file_has_perm(current, file, 0);
2490 #if BITS_PER_LONG == 32
2495 if (!file->f_dentry || !file->f_dentry->d_inode) {
2499 err = file_has_perm(current, file, FILE__LOCK);
2506 static int selinux_file_set_fowner(struct file *file)
2508 struct task_security_struct *tsec;
2509 struct file_security_struct *fsec;
2511 tsec = current->security;
2512 fsec = file->f_security;
2513 fsec->fown_sid = tsec->sid;
2518 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2519 struct fown_struct *fown, int signum)
2523 struct task_security_struct *tsec;
2524 struct file_security_struct *fsec;
2526 /* struct fown_struct is never outside the context of a struct file */
2527 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2529 tsec = tsk->security;
2530 fsec = file->f_security;
2533 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2535 perm = signal_to_av(signum);
2537 return avc_has_perm(fsec->fown_sid, tsec->sid,
2538 SECCLASS_PROCESS, perm, NULL);
2541 static int selinux_file_receive(struct file *file)
2543 return file_has_perm(current, file, file_to_av(file));
2546 /* task security operations */
2548 static int selinux_task_create(unsigned long clone_flags)
2552 rc = secondary_ops->task_create(clone_flags);
2556 return task_has_perm(current, current, PROCESS__FORK);
2559 static int selinux_task_alloc_security(struct task_struct *tsk)
2561 struct task_security_struct *tsec1, *tsec2;
2564 tsec1 = current->security;
2566 rc = task_alloc_security(tsk);
2569 tsec2 = tsk->security;
2571 tsec2->osid = tsec1->osid;
2572 tsec2->sid = tsec1->sid;
2574 /* Retain the exec and create SIDs across fork */
2575 tsec2->exec_sid = tsec1->exec_sid;
2576 tsec2->create_sid = tsec1->create_sid;
2578 /* Retain ptracer SID across fork, if any.
2579 This will be reset by the ptrace hook upon any
2580 subsequent ptrace_attach operations. */
2581 tsec2->ptrace_sid = tsec1->ptrace_sid;
2586 static void selinux_task_free_security(struct task_struct *tsk)
2588 task_free_security(tsk);
2591 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2593 /* Since setuid only affects the current process, and
2594 since the SELinux controls are not based on the Linux
2595 identity attributes, SELinux does not need to control
2596 this operation. However, SELinux does control the use
2597 of the CAP_SETUID and CAP_SETGID capabilities using the
2602 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2604 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2607 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2609 /* See the comment for setuid above. */
2613 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2615 return task_has_perm(current, p, PROCESS__SETPGID);
2618 static int selinux_task_getpgid(struct task_struct *p)
2620 return task_has_perm(current, p, PROCESS__GETPGID);
2623 static int selinux_task_getsid(struct task_struct *p)
2625 return task_has_perm(current, p, PROCESS__GETSESSION);
2628 static int selinux_task_setgroups(struct group_info *group_info)
2630 /* See the comment for setuid above. */
2634 static int selinux_task_setnice(struct task_struct *p, int nice)
2638 rc = secondary_ops->task_setnice(p, nice);
2642 return task_has_perm(current,p, PROCESS__SETSCHED);
2645 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2647 struct rlimit *old_rlim = current->signal->rlim + resource;
2650 rc = secondary_ops->task_setrlimit(resource, new_rlim);
2654 /* Control the ability to change the hard limit (whether
2655 lowering or raising it), so that the hard limit can
2656 later be used as a safe reset point for the soft limit
2657 upon context transitions. See selinux_bprm_apply_creds. */
2658 if (old_rlim->rlim_max != new_rlim->rlim_max)
2659 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2664 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2666 return task_has_perm(current, p, PROCESS__SETSCHED);
2669 static int selinux_task_getscheduler(struct task_struct *p)
2671 return task_has_perm(current, p, PROCESS__GETSCHED);
2674 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2679 rc = secondary_ops->task_kill(p, info, sig);
2683 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2687 perm = PROCESS__SIGNULL; /* null signal; existence test */
2689 perm = signal_to_av(sig);
2691 return task_has_perm(current, p, perm);
2694 static int selinux_task_prctl(int option,
2700 /* The current prctl operations do not appear to require
2701 any SELinux controls since they merely observe or modify
2702 the state of the current process. */
2706 static int selinux_task_wait(struct task_struct *p)
2710 perm = signal_to_av(p->exit_signal);
2712 return task_has_perm(p, current, perm);
2715 static void selinux_task_reparent_to_init(struct task_struct *p)
2717 struct task_security_struct *tsec;
2719 secondary_ops->task_reparent_to_init(p);
2722 tsec->osid = tsec->sid;
2723 tsec->sid = SECINITSID_KERNEL;
2727 static void selinux_task_to_inode(struct task_struct *p,
2728 struct inode *inode)
2730 struct task_security_struct *tsec = p->security;
2731 struct inode_security_struct *isec = inode->i_security;
2733 isec->sid = tsec->sid;
2734 isec->initialized = 1;
2738 /* Returns error only if unable to parse addresses */
2739 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2741 int offset, ihlen, ret = -EINVAL;
2742 struct iphdr _iph, *ih;
2744 offset = skb->nh.raw - skb->data;
2745 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2749 ihlen = ih->ihl * 4;
2750 if (ihlen < sizeof(_iph))
2753 ad->u.net.v4info.saddr = ih->saddr;
2754 ad->u.net.v4info.daddr = ih->daddr;
2757 switch (ih->protocol) {
2759 struct tcphdr _tcph, *th;
2761 if (ntohs(ih->frag_off) & IP_OFFSET)
2765 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2769 ad->u.net.sport = th->source;
2770 ad->u.net.dport = th->dest;
2775 struct udphdr _udph, *uh;
2777 if (ntohs(ih->frag_off) & IP_OFFSET)
2781 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2785 ad->u.net.sport = uh->source;
2786 ad->u.net.dport = uh->dest;
2797 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2799 /* Returns error only if unable to parse addresses */
2800 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2803 int ret = -EINVAL, offset;
2804 struct ipv6hdr _ipv6h, *ip6;
2806 offset = skb->nh.raw - skb->data;
2807 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2811 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2812 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2815 nexthdr = ip6->nexthdr;
2816 offset += sizeof(_ipv6h);
2817 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2823 struct tcphdr _tcph, *th;
2825 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2829 ad->u.net.sport = th->source;
2830 ad->u.net.dport = th->dest;
2835 struct udphdr _udph, *uh;
2837 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2841 ad->u.net.sport = uh->source;
2842 ad->u.net.dport = uh->dest;
2846 /* includes fragments */
2856 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2857 char **addrp, int *len, int src)
2861 switch (ad->u.net.family) {
2863 ret = selinux_parse_skb_ipv4(skb, ad);
2867 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2868 &ad->u.net.v4info.daddr);
2871 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2873 ret = selinux_parse_skb_ipv6(skb, ad);
2877 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2878 &ad->u.net.v6info.daddr);
2888 /* socket security operations */
2889 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2892 struct inode_security_struct *isec;
2893 struct task_security_struct *tsec;
2894 struct avc_audit_data ad;
2897 tsec = task->security;
2898 isec = SOCK_INODE(sock)->i_security;
2900 if (isec->sid == SECINITSID_KERNEL)
2903 AVC_AUDIT_DATA_INIT(&ad,NET);
2904 ad.u.net.sk = sock->sk;
2905 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2911 static int selinux_socket_create(int family, int type,
2912 int protocol, int kern)
2915 struct task_security_struct *tsec;
2920 tsec = current->security;
2921 err = avc_has_perm(tsec->sid, tsec->sid,
2922 socket_type_to_security_class(family, type,
2923 protocol), SOCKET__CREATE, NULL);
2929 static void selinux_socket_post_create(struct socket *sock, int family,
2930 int type, int protocol, int kern)
2932 struct inode_security_struct *isec;
2933 struct task_security_struct *tsec;
2935 isec = SOCK_INODE(sock)->i_security;
2937 tsec = current->security;
2938 isec->sclass = socket_type_to_security_class(family, type, protocol);
2939 isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2940 isec->initialized = 1;
2945 /* Range of port numbers used to automatically bind.
2946 Need to determine whether we should perform a name_bind
2947 permission check between the socket and the port number. */
2948 #define ip_local_port_range_0 sysctl_local_port_range[0]
2949 #define ip_local_port_range_1 sysctl_local_port_range[1]
2951 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2956 err = socket_has_perm(current, sock, SOCKET__BIND);
2961 * If PF_INET or PF_INET6, check name_bind permission for the port.
2962 * Multiple address binding for SCTP is not supported yet: we just
2963 * check the first address now.
2965 family = sock->sk->sk_family;
2966 if (family == PF_INET || family == PF_INET6) {
2968 struct inode_security_struct *isec;
2969 struct task_security_struct *tsec;
2970 struct avc_audit_data ad;
2971 struct sockaddr_in *addr4 = NULL;
2972 struct sockaddr_in6 *addr6 = NULL;
2973 unsigned short snum;
2974 struct sock *sk = sock->sk;
2975 u32 sid, node_perm, addrlen;
2977 tsec = current->security;
2978 isec = SOCK_INODE(sock)->i_security;
2980 if (family == PF_INET) {
2981 addr4 = (struct sockaddr_in *)address;
2982 snum = ntohs(addr4->sin_port);
2983 addrlen = sizeof(addr4->sin_addr.s_addr);
2984 addrp = (char *)&addr4->sin_addr.s_addr;
2986 addr6 = (struct sockaddr_in6 *)address;
2987 snum = ntohs(addr6->sin6_port);
2988 addrlen = sizeof(addr6->sin6_addr.s6_addr);
2989 addrp = (char *)&addr6->sin6_addr.s6_addr;
2992 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
2993 snum > ip_local_port_range_1)) {
2994 err = security_port_sid(sk->sk_family, sk->sk_type,
2995 sk->sk_protocol, snum, &sid);
2998 AVC_AUDIT_DATA_INIT(&ad,NET);
2999 ad.u.net.sport = htons(snum);
3000 ad.u.net.family = family;
3001 err = avc_has_perm(isec->sid, sid,
3003 SOCKET__NAME_BIND, &ad);
3008 switch(isec->sclass) {
3009 case SECCLASS_TCP_SOCKET:
3010 node_perm = TCP_SOCKET__NODE_BIND;
3013 case SECCLASS_UDP_SOCKET:
3014 node_perm = UDP_SOCKET__NODE_BIND;
3018 node_perm = RAWIP_SOCKET__NODE_BIND;
3022 err = security_node_sid(family, addrp, addrlen, &sid);
3026 AVC_AUDIT_DATA_INIT(&ad,NET);
3027 ad.u.net.sport = htons(snum);
3028 ad.u.net.family = family;
3030 if (family == PF_INET)
3031 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3033 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3035 err = avc_has_perm(isec->sid, sid,
3036 isec->sclass, node_perm, &ad);
3044 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3046 struct inode_security_struct *isec;
3049 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3054 * If a TCP socket, check name_connect permission for the port.
3056 isec = SOCK_INODE(sock)->i_security;
3057 if (isec->sclass == SECCLASS_TCP_SOCKET) {
3058 struct sock *sk = sock->sk;
3059 struct avc_audit_data ad;
3060 struct sockaddr_in *addr4 = NULL;
3061 struct sockaddr_in6 *addr6 = NULL;
3062 unsigned short snum;
3065 if (sk->sk_family == PF_INET) {
3066 addr4 = (struct sockaddr_in *)address;
3067 if (addrlen < sizeof(struct sockaddr_in))
3069 snum = ntohs(addr4->sin_port);
3071 addr6 = (struct sockaddr_in6 *)address;
3072 if (addrlen < SIN6_LEN_RFC2133)
3074 snum = ntohs(addr6->sin6_port);
3077 err = security_port_sid(sk->sk_family, sk->sk_type,
3078 sk->sk_protocol, snum, &sid);
3082 AVC_AUDIT_DATA_INIT(&ad,NET);
3083 ad.u.net.dport = htons(snum);
3084 ad.u.net.family = sk->sk_family;
3085 err = avc_has_perm(isec->sid, sid, isec->sclass,
3086 TCP_SOCKET__NAME_CONNECT, &ad);
3095 static int selinux_socket_listen(struct socket *sock, int backlog)
3097 return socket_has_perm(current, sock, SOCKET__LISTEN);
3100 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3103 struct inode_security_struct *isec;
3104 struct inode_security_struct *newisec;
3106 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3110 newisec = SOCK_INODE(newsock)->i_security;
3112 isec = SOCK_INODE(sock)->i_security;
3113 newisec->sclass = isec->sclass;
3114 newisec->sid = isec->sid;
3115 newisec->initialized = 1;
3120 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3123 return socket_has_perm(current, sock, SOCKET__WRITE);
3126 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3127 int size, int flags)
3129 return socket_has_perm(current, sock, SOCKET__READ);
3132 static int selinux_socket_getsockname(struct socket *sock)
3134 return socket_has_perm(current, sock, SOCKET__GETATTR);
3137 static int selinux_socket_getpeername(struct socket *sock)
3139 return socket_has_perm(current, sock, SOCKET__GETATTR);
3142 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3144 return socket_has_perm(current, sock, SOCKET__SETOPT);
3147 static int selinux_socket_getsockopt(struct socket *sock, int level,
3150 return socket_has_perm(current, sock, SOCKET__GETOPT);
3153 static int selinux_socket_shutdown(struct socket *sock, int how)
3155 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3158 static int selinux_socket_unix_stream_connect(struct socket *sock,
3159 struct socket *other,
3162 struct sk_security_struct *ssec;
3163 struct inode_security_struct *isec;
3164 struct inode_security_struct *other_isec;
3165 struct avc_audit_data ad;
3168 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3172 isec = SOCK_INODE(sock)->i_security;
3173 other_isec = SOCK_INODE(other)->i_security;
3175 AVC_AUDIT_DATA_INIT(&ad,NET);
3176 ad.u.net.sk = other->sk;
3178 err = avc_has_perm(isec->sid, other_isec->sid,
3180 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3184 /* connecting socket */
3185 ssec = sock->sk->sk_security;
3186 ssec->peer_sid = other_isec->sid;
3188 /* server child socket */
3189 ssec = newsk->sk_security;
3190 ssec->peer_sid = isec->sid;
3195 static int selinux_socket_unix_may_send(struct socket *sock,
3196 struct socket *other)
3198 struct inode_security_struct *isec;
3199 struct inode_security_struct *other_isec;
3200 struct avc_audit_data ad;
3203 isec = SOCK_INODE(sock)->i_security;
3204 other_isec = SOCK_INODE(other)->i_security;
3206 AVC_AUDIT_DATA_INIT(&ad,NET);
3207 ad.u.net.sk = other->sk;
3209 err = avc_has_perm(isec->sid, other_isec->sid,
3210 isec->sclass, SOCKET__SENDTO, &ad);
3217 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3222 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3225 struct socket *sock;
3226 struct net_device *dev;
3227 struct avc_audit_data ad;
3229 family = sk->sk_family;
3230 if (family != PF_INET && family != PF_INET6)
3233 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3234 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3237 read_lock_bh(&sk->sk_callback_lock);
3238 sock = sk->sk_socket;
3240 struct inode *inode;
3241 inode = SOCK_INODE(sock);
3243 struct inode_security_struct *isec;
3244 isec = inode->i_security;
3245 sock_sid = isec->sid;
3246 sock_class = isec->sclass;
3249 read_unlock_bh(&sk->sk_callback_lock);
3257 err = sel_netif_sids(dev, &if_sid, NULL);
3261 switch (sock_class) {
3262 case SECCLASS_UDP_SOCKET:
3263 netif_perm = NETIF__UDP_RECV;
3264 node_perm = NODE__UDP_RECV;
3265 recv_perm = UDP_SOCKET__RECV_MSG;
3268 case SECCLASS_TCP_SOCKET:
3269 netif_perm = NETIF__TCP_RECV;
3270 node_perm = NODE__TCP_RECV;
3271 recv_perm = TCP_SOCKET__RECV_MSG;
3275 netif_perm = NETIF__RAWIP_RECV;
3276 node_perm = NODE__RAWIP_RECV;
3280 AVC_AUDIT_DATA_INIT(&ad, NET);
3281 ad.u.net.netif = dev->name;
3282 ad.u.net.family = family;
3284 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3288 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3292 /* Fixme: this lookup is inefficient */
3293 err = security_node_sid(family, addrp, len, &node_sid);
3297 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3304 /* Fixme: make this more efficient */
3305 err = security_port_sid(sk->sk_family, sk->sk_type,
3306 sk->sk_protocol, ntohs(ad.u.net.sport),
3311 err = avc_has_perm(sock_sid, port_sid,
3312 sock_class, recv_perm, &ad);
3316 err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3322 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3323 int __user *optlen, unsigned len)
3328 struct sk_security_struct *ssec;
3329 struct inode_security_struct *isec;
3332 isec = SOCK_INODE(sock)->i_security;
3334 /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3335 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3336 ssec = sock->sk->sk_security;
3337 peer_sid = ssec->peer_sid;
3339 else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3340 peer_sid = selinux_socket_getpeer_stream(sock->sk);
3342 if (peer_sid == SECSID_NULL) {
3352 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3357 if (scontext_len > len) {
3362 if (copy_to_user(optval, scontext, scontext_len))
3366 if (put_user(scontext_len, optlen))
3374 static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen)
3377 u32 peer_sid = selinux_socket_getpeer_dgram(skb);
3379 if (peer_sid == SECSID_NULL)
3382 err = security_sid_to_context(peer_sid, secdata, seclen);
3391 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3393 return sk_alloc_security(sk, family, priority);
3396 static void selinux_sk_free_security(struct sock *sk)
3398 sk_free_security(sk);
3401 static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3403 struct inode_security_struct *isec;
3404 u32 sock_sid = SECINITSID_ANY_SOCKET;
3407 return selinux_no_sk_sid(fl);
3409 read_lock_bh(&sk->sk_callback_lock);
3410 isec = get_sock_isec(sk);
3413 sock_sid = isec->sid;
3415 read_unlock_bh(&sk->sk_callback_lock);
3419 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3423 struct nlmsghdr *nlh;
3424 struct socket *sock = sk->sk_socket;
3425 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3427 if (skb->len < NLMSG_SPACE(0)) {
3431 nlh = (struct nlmsghdr *)skb->data;
3433 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3435 if (err == -EINVAL) {
3436 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3437 "SELinux: unrecognized netlink message"
3438 " type=%hu for sclass=%hu\n",
3439 nlh->nlmsg_type, isec->sclass);
3440 if (!selinux_enforcing)
3450 err = socket_has_perm(current, sock, perm);
3455 #ifdef CONFIG_NETFILTER
3457 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3458 struct sk_buff **pskb,
3459 const struct net_device *in,
3460 const struct net_device *out,
3461 int (*okfn)(struct sk_buff *),
3465 int len, err = NF_ACCEPT;
3466 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3468 struct socket *sock;
3469 struct inode *inode;
3470 struct sk_buff *skb = *pskb;
3471 struct inode_security_struct *isec;
3472 struct avc_audit_data ad;
3473 struct net_device *dev = (struct net_device *)out;
3479 sock = sk->sk_socket;
3483 inode = SOCK_INODE(sock);
3487 err = sel_netif_sids(dev, &if_sid, NULL);
3491 isec = inode->i_security;
3493 switch (isec->sclass) {
3494 case SECCLASS_UDP_SOCKET:
3495 netif_perm = NETIF__UDP_SEND;
3496 node_perm = NODE__UDP_SEND;
3497 send_perm = UDP_SOCKET__SEND_MSG;
3500 case SECCLASS_TCP_SOCKET:
3501 netif_perm = NETIF__TCP_SEND;
3502 node_perm = NODE__TCP_SEND;
3503 send_perm = TCP_SOCKET__SEND_MSG;
3507 netif_perm = NETIF__RAWIP_SEND;
3508 node_perm = NODE__RAWIP_SEND;
3513 AVC_AUDIT_DATA_INIT(&ad, NET);
3514 ad.u.net.netif = dev->name;
3515 ad.u.net.family = family;
3517 err = selinux_parse_skb(skb, &ad, &addrp,
3518 &len, 0) ? NF_DROP : NF_ACCEPT;
3519 if (err != NF_ACCEPT)
3522 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3523 netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3524 if (err != NF_ACCEPT)
3527 /* Fixme: this lookup is inefficient */
3528 err = security_node_sid(family, addrp, len,
3529 &node_sid) ? NF_DROP : NF_ACCEPT;
3530 if (err != NF_ACCEPT)
3533 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3534 node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3535 if (err != NF_ACCEPT)
3541 /* Fixme: make this more efficient */
3542 err = security_port_sid(sk->sk_family,
3545 ntohs(ad.u.net.dport),
3546 &port_sid) ? NF_DROP : NF_ACCEPT;
3547 if (err != NF_ACCEPT)
3550 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3551 send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3554 if (err != NF_ACCEPT)
3557 err = selinux_xfrm_postroute_last(isec->sid, skb);
3563 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3564 struct sk_buff **pskb,
3565 const struct net_device *in,
3566 const struct net_device *out,
3567 int (*okfn)(struct sk_buff *))
3569 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3572 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3574 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3575 struct sk_buff **pskb,
3576 const struct net_device *in,
3577 const struct net_device *out,
3578 int (*okfn)(struct sk_buff *))
3580 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3585 #endif /* CONFIG_NETFILTER */
3587 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3589 struct task_security_struct *tsec;
3590 struct av_decision avd;
3593 err = secondary_ops->netlink_send(sk, skb);
3597 tsec = current->security;
3600 avc_has_perm_noaudit(tsec->sid, tsec->sid,
3601 SECCLASS_CAPABILITY, ~0, &avd);
3602 cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3604 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3605 err = selinux_nlmsg_perm(sk, skb);
3610 static int selinux_netlink_recv(struct sk_buff *skb)
3612 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3617 static int ipc_alloc_security(struct task_struct *task,
3618 struct kern_ipc_perm *perm,
3621 struct task_security_struct *tsec = task->security;
3622 struct ipc_security_struct *isec;
3624 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3628 isec->sclass = sclass;
3629 isec->ipc_perm = perm;
3630 isec->sid = tsec->sid;
3631 perm->security = isec;
3636 static void ipc_free_security(struct kern_ipc_perm *perm)
3638 struct ipc_security_struct *isec = perm->security;
3639 perm->security = NULL;
3643 static int msg_msg_alloc_security(struct msg_msg *msg)
3645 struct msg_security_struct *msec;
3647 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3652 msec->sid = SECINITSID_UNLABELED;
3653 msg->security = msec;
3658 static void msg_msg_free_security(struct msg_msg *msg)
3660 struct msg_security_struct *msec = msg->security;
3662 msg->security = NULL;
3666 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3669 struct task_security_struct *tsec;
3670 struct ipc_security_struct *isec;
3671 struct avc_audit_data ad;
3673 tsec = current->security;
3674 isec = ipc_perms->security;
3676 AVC_AUDIT_DATA_INIT(&ad, IPC);
3677 ad.u.ipc_id = ipc_perms->key;
3679 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3682 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3684 return msg_msg_alloc_security(msg);
3687 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3689 msg_msg_free_security(msg);
3692 /* message queue security operations */
3693 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3695 struct task_security_struct *tsec;
3696 struct ipc_security_struct *isec;
3697 struct avc_audit_data ad;
3700 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3704 tsec = current->security;
3705 isec = msq->q_perm.security;
3707 AVC_AUDIT_DATA_INIT(&ad, IPC);
3708 ad.u.ipc_id = msq->q_perm.key;
3710 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3713 ipc_free_security(&msq->q_perm);
3719 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3721 ipc_free_security(&msq->q_perm);
3724 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3726 struct task_security_struct *tsec;
3727 struct ipc_security_struct *isec;
3728 struct avc_audit_data ad;
3730 tsec = current->security;
3731 isec = msq->q_perm.security;
3733 AVC_AUDIT_DATA_INIT(&ad, IPC);
3734 ad.u.ipc_id = msq->q_perm.key;
3736 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3737 MSGQ__ASSOCIATE, &ad);
3740 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3748 /* No specific object, just general system-wide information. */
3749 return task_has_system(current, SYSTEM__IPC_INFO);
3752 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3755 perms = MSGQ__SETATTR;
3758 perms = MSGQ__DESTROY;
3764 err = ipc_has_perm(&msq->q_perm, perms);
3768 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3770 struct task_security_struct *tsec;
3771 struct ipc_security_struct *isec;
3772 struct msg_security_struct *msec;
3773 struct avc_audit_data ad;
3776 tsec = current->security;
3777 isec = msq->q_perm.security;
3778 msec = msg->security;
3781 * First time through, need to assign label to the message
3783 if (msec->sid == SECINITSID_UNLABELED) {
3785 * Compute new sid based on current process and
3786 * message queue this message will be stored in
3788 rc = security_transition_sid(tsec->sid,
3796 AVC_AUDIT_DATA_INIT(&ad, IPC);
3797 ad.u.ipc_id = msq->q_perm.key;
3799 /* Can this process write to the queue? */
3800 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3803 /* Can this process send the message */
3804 rc = avc_has_perm(tsec->sid, msec->sid,
3805 SECCLASS_MSG, MSG__SEND, &ad);
3807 /* Can the message be put in the queue? */
3808 rc = avc_has_perm(msec->sid, isec->sid,
3809 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3814 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3815 struct task_struct *target,
3816 long type, int mode)
3818 struct task_security_struct *tsec;
3819 struct ipc_security_struct *isec;
3820 struct msg_security_struct *msec;
3821 struct avc_audit_data ad;
3824 tsec = target->security;
3825 isec = msq->q_perm.security;
3826 msec = msg->security;
3828 AVC_AUDIT_DATA_INIT(&ad, IPC);
3829 ad.u.ipc_id = msq->q_perm.key;
3831 rc = avc_has_perm(tsec->sid, isec->sid,
3832 SECCLASS_MSGQ, MSGQ__READ, &ad);
3834 rc = avc_has_perm(tsec->sid, msec->sid,
3835 SECCLASS_MSG, MSG__RECEIVE, &ad);
3839 /* Shared Memory security operations */
3840 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3842 struct task_security_struct *tsec;
3843 struct ipc_security_struct *isec;
3844 struct avc_audit_data ad;
3847 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3851 tsec = current->security;
3852 isec = shp->shm_perm.security;
3854 AVC_AUDIT_DATA_INIT(&ad, IPC);
3855 ad.u.ipc_id = shp->shm_perm.key;
3857 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3860 ipc_free_security(&shp->shm_perm);
3866 static void selinux_shm_free_security(struct shmid_kernel *shp)
3868 ipc_free_security(&shp->shm_perm);
3871 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3873 struct task_security_struct *tsec;
3874 struct ipc_security_struct *isec;
3875 struct avc_audit_data ad;
3877 tsec = current->security;
3878 isec = shp->shm_perm.security;
3880 AVC_AUDIT_DATA_INIT(&ad, IPC);
3881 ad.u.ipc_id = shp->shm_perm.key;
3883 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3884 SHM__ASSOCIATE, &ad);
3887 /* Note, at this point, shp is locked down */
3888 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3896 /* No specific object, just general system-wide information. */
3897 return task_has_system(current, SYSTEM__IPC_INFO);
3900 perms = SHM__GETATTR | SHM__ASSOCIATE;
3903 perms = SHM__SETATTR;
3910 perms = SHM__DESTROY;
3916 err = ipc_has_perm(&shp->shm_perm, perms);
3920 static int selinux_shm_shmat(struct shmid_kernel *shp,
3921 char __user *shmaddr, int shmflg)
3926 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3930 if (shmflg & SHM_RDONLY)
3933 perms = SHM__READ | SHM__WRITE;
3935 return ipc_has_perm(&shp->shm_perm, perms);
3938 /* Semaphore security operations */
3939 static int selinux_sem_alloc_security(struct sem_array *sma)
3941 struct task_security_struct *tsec;
3942 struct ipc_security_struct *isec;
3943 struct avc_audit_data ad;
3946 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3950 tsec = current->security;
3951 isec = sma->sem_perm.security;
3953 AVC_AUDIT_DATA_INIT(&ad, IPC);
3954 ad.u.ipc_id = sma->sem_perm.key;
3956 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3959 ipc_free_security(&sma->sem_perm);
3965 static void selinux_sem_free_security(struct sem_array *sma)
3967 ipc_free_security(&sma->sem_perm);
3970 static int selinux_sem_associate(struct sem_array *sma, int semflg)
3972 struct task_security_struct *tsec;
3973 struct ipc_security_struct *isec;
3974 struct avc_audit_data ad;
3976 tsec = current->security;
3977 isec = sma->sem_perm.security;
3979 AVC_AUDIT_DATA_INIT(&ad, IPC);
3980 ad.u.ipc_id = sma->sem_perm.key;
3982 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3983 SEM__ASSOCIATE, &ad);
3986 /* Note, at this point, sma is locked down */
3987 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
3995 /* No specific object, just general system-wide information. */
3996 return task_has_system(current, SYSTEM__IPC_INFO);
4000 perms = SEM__GETATTR;
4011 perms = SEM__DESTROY;
4014 perms = SEM__SETATTR;
4018 perms = SEM__GETATTR | SEM__ASSOCIATE;
4024 err = ipc_has_perm(&sma->sem_perm, perms);
4028 static int selinux_sem_semop(struct sem_array *sma,
4029 struct sembuf *sops, unsigned nsops, int alter)
4034 perms = SEM__READ | SEM__WRITE;
4038 return ipc_has_perm(&sma->sem_perm, perms);
4041 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4047 av |= IPC__UNIX_READ;
4049 av |= IPC__UNIX_WRITE;
4054 return ipc_has_perm(ipcp, av);
4057 /* module stacking operations */
4058 static int selinux_register_security (const char *name, struct security_operations *ops)
4060 if (secondary_ops != original_ops) {
4061 printk(KERN_INFO "%s: There is already a secondary security "
4062 "module registered.\n", __FUNCTION__);
4066 secondary_ops = ops;
4068 printk(KERN_INFO "%s: Registering secondary module %s\n",
4075 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4077 if (ops != secondary_ops) {
4078 printk (KERN_INFO "%s: trying to unregister a security module "
4079 "that is not registered.\n", __FUNCTION__);
4083 secondary_ops = original_ops;
4088 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4091 inode_doinit_with_dentry(inode, dentry);
4094 static int selinux_getprocattr(struct task_struct *p,
4095 char *name, void *value, size_t size)
4097 struct task_security_struct *tsec;
4103 error = task_has_perm(current, p, PROCESS__GETATTR);
4113 if (!strcmp(name, "current"))
4115 else if (!strcmp(name, "prev"))
4117 else if (!strcmp(name, "exec"))
4118 sid = tsec->exec_sid;
4119 else if (!strcmp(name, "fscreate"))
4120 sid = tsec->create_sid;
4127 error = security_sid_to_context(sid, &context, &len);
4134 memcpy(value, context, len);
4139 static int selinux_setprocattr(struct task_struct *p,
4140 char *name, void *value, size_t size)
4142 struct task_security_struct *tsec;
4148 /* SELinux only allows a process to change its own
4149 security attributes. */
4154 * Basic control over ability to set these attributes at all.
4155 * current == p, but we'll pass them separately in case the
4156 * above restriction is ever removed.
4158 if (!strcmp(name, "exec"))
4159 error = task_has_perm(current, p, PROCESS__SETEXEC);
4160 else if (!strcmp(name, "fscreate"))
4161 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4162 else if (!strcmp(name, "current"))
4163 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4169 /* Obtain a SID for the context, if one was specified. */
4170 if (size && str[1] && str[1] != '\n') {
4171 if (str[size-1] == '\n') {
4175 error = security_context_to_sid(value, size, &sid);
4180 /* Permission checking based on the specified context is
4181 performed during the actual operation (execve,
4182 open/mkdir/...), when we know the full context of the
4183 operation. See selinux_bprm_set_security for the execve
4184 checks and may_create for the file creation checks. The
4185 operation will then fail if the context is not permitted. */
4187 if (!strcmp(name, "exec"))
4188 tsec->exec_sid = sid;
4189 else if (!strcmp(name, "fscreate"))
4190 tsec->create_sid = sid;
4191 else if (!strcmp(name, "current")) {
4192 struct av_decision avd;
4197 /* Only allow single threaded processes to change context */
4198 if (atomic_read(&p->mm->mm_users) != 1) {
4199 struct task_struct *g, *t;
4200 struct mm_struct *mm = p->mm;
4201 read_lock(&tasklist_lock);
4202 do_each_thread(g, t)
4203 if (t->mm == mm && t != p) {
4204 read_unlock(&tasklist_lock);
4207 while_each_thread(g, t);
4208 read_unlock(&tasklist_lock);
4211 /* Check permissions for the transition. */
4212 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4213 PROCESS__DYNTRANSITION, NULL);
4217 /* Check for ptracing, and update the task SID if ok.
4218 Otherwise, leave SID unchanged and fail. */
4220 if (p->ptrace & PT_PTRACED) {
4221 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4223 PROCESS__PTRACE, &avd);
4227 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4228 PROCESS__PTRACE, &avd, error, NULL);
4242 static struct security_operations selinux_ops = {
4243 .ptrace = selinux_ptrace,
4244 .capget = selinux_capget,
4245 .capset_check = selinux_capset_check,
4246 .capset_set = selinux_capset_set,
4247 .sysctl = selinux_sysctl,
4248 .capable = selinux_capable,
4249 .quotactl = selinux_quotactl,
4250 .quota_on = selinux_quota_on,
4251 .syslog = selinux_syslog,
4252 .vm_enough_memory = selinux_vm_enough_memory,
4254 .netlink_send = selinux_netlink_send,
4255 .netlink_recv = selinux_netlink_recv,
4257 .bprm_alloc_security = selinux_bprm_alloc_security,
4258 .bprm_free_security = selinux_bprm_free_security,
4259 .bprm_apply_creds = selinux_bprm_apply_creds,
4260 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
4261 .bprm_set_security = selinux_bprm_set_security,
4262 .bprm_check_security = selinux_bprm_check_security,
4263 .bprm_secureexec = selinux_bprm_secureexec,
4265 .sb_alloc_security = selinux_sb_alloc_security,
4266 .sb_free_security = selinux_sb_free_security,
4267 .sb_copy_data = selinux_sb_copy_data,
4268 .sb_kern_mount = selinux_sb_kern_mount,
4269 .sb_statfs = selinux_sb_statfs,
4270 .sb_mount = selinux_mount,
4271 .sb_umount = selinux_umount,
4273 .inode_alloc_security = selinux_inode_alloc_security,
4274 .inode_free_security = selinux_inode_free_security,
4275 .inode_init_security = selinux_inode_init_security,
4276 .inode_create = selinux_inode_create,
4277 .inode_link = selinux_inode_link,
4278 .inode_unlink = selinux_inode_unlink,
4279 .inode_symlink = selinux_inode_symlink,
4280 .inode_mkdir = selinux_inode_mkdir,
4281 .inode_rmdir = selinux_inode_rmdir,
4282 .inode_mknod = selinux_inode_mknod,
4283 .inode_rename = selinux_inode_rename,
4284 .inode_readlink = selinux_inode_readlink,
4285 .inode_follow_link = selinux_inode_follow_link,
4286 .inode_permission = selinux_inode_permission,
4287 .inode_setattr = selinux_inode_setattr,
4288 .inode_getattr = selinux_inode_getattr,
4289 .inode_setxattr = selinux_inode_setxattr,
4290 .inode_post_setxattr = selinux_inode_post_setxattr,
4291 .inode_getxattr = selinux_inode_getxattr,
4292 .inode_listxattr = selinux_inode_listxattr,
4293 .inode_removexattr = selinux_inode_removexattr,
4294 .inode_getsecurity = selinux_inode_getsecurity,
4295 .inode_setsecurity = selinux_inode_setsecurity,
4296 .inode_listsecurity = selinux_inode_listsecurity,
4298 .file_permission = selinux_file_permission,
4299 .file_alloc_security = selinux_file_alloc_security,
4300 .file_free_security = selinux_file_free_security,
4301 .file_ioctl = selinux_file_ioctl,
4302 .file_mmap = selinux_file_mmap,
4303 .file_mprotect = selinux_file_mprotect,
4304 .file_lock = selinux_file_lock,
4305 .file_fcntl = selinux_file_fcntl,
4306 .file_set_fowner = selinux_file_set_fowner,
4307 .file_send_sigiotask = selinux_file_send_sigiotask,
4308 .file_receive = selinux_file_receive,
4310 .task_create = selinux_task_create,
4311 .task_alloc_security = selinux_task_alloc_security,
4312 .task_free_security = selinux_task_free_security,
4313 .task_setuid = selinux_task_setuid,
4314 .task_post_setuid = selinux_task_post_setuid,
4315 .task_setgid = selinux_task_setgid,
4316 .task_setpgid = selinux_task_setpgid,
4317 .task_getpgid = selinux_task_getpgid,
4318 .task_getsid = selinux_task_getsid,
4319 .task_setgroups = selinux_task_setgroups,
4320 .task_setnice = selinux_task_setnice,
4321 .task_setrlimit = selinux_task_setrlimit,
4322 .task_setscheduler = selinux_task_setscheduler,
4323 .task_getscheduler = selinux_task_getscheduler,
4324 .task_kill = selinux_task_kill,
4325 .task_wait = selinux_task_wait,
4326 .task_prctl = selinux_task_prctl,
4327 .task_reparent_to_init = selinux_task_reparent_to_init,
4328 .task_to_inode = selinux_task_to_inode,
4330 .ipc_permission = selinux_ipc_permission,
4332 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4333 .msg_msg_free_security = selinux_msg_msg_free_security,
4335 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4336 .msg_queue_free_security = selinux_msg_queue_free_security,
4337 .msg_queue_associate = selinux_msg_queue_associate,
4338 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4339 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4340 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4342 .shm_alloc_security = selinux_shm_alloc_security,
4343 .shm_free_security = selinux_shm_free_security,
4344 .shm_associate = selinux_shm_associate,
4345 .shm_shmctl = selinux_shm_shmctl,
4346 .shm_shmat = selinux_shm_shmat,
4348 .sem_alloc_security = selinux_sem_alloc_security,
4349 .sem_free_security = selinux_sem_free_security,
4350 .sem_associate = selinux_sem_associate,
4351 .sem_semctl = selinux_sem_semctl,
4352 .sem_semop = selinux_sem_semop,
4354 .register_security = selinux_register_security,
4355 .unregister_security = selinux_unregister_security,
4357 .d_instantiate = selinux_d_instantiate,
4359 .getprocattr = selinux_getprocattr,
4360 .setprocattr = selinux_setprocattr,
4362 .unix_stream_connect = selinux_socket_unix_stream_connect,
4363 .unix_may_send = selinux_socket_unix_may_send,
4365 .socket_create = selinux_socket_create,
4366 .socket_post_create = selinux_socket_post_create,
4367 .socket_bind = selinux_socket_bind,
4368 .socket_connect = selinux_socket_connect,
4369 .socket_listen = selinux_socket_listen,
4370 .socket_accept = selinux_socket_accept,
4371 .socket_sendmsg = selinux_socket_sendmsg,
4372 .socket_recvmsg = selinux_socket_recvmsg,
4373 .socket_getsockname = selinux_socket_getsockname,
4374 .socket_getpeername = selinux_socket_getpeername,
4375 .socket_getsockopt = selinux_socket_getsockopt,
4376 .socket_setsockopt = selinux_socket_setsockopt,
4377 .socket_shutdown = selinux_socket_shutdown,
4378 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
4379 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
4380 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
4381 .sk_alloc_security = selinux_sk_alloc_security,
4382 .sk_free_security = selinux_sk_free_security,
4383 .sk_getsid = selinux_sk_getsid_security,
4385 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4386 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
4387 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
4388 .xfrm_policy_free_security = selinux_xfrm_policy_free,
4389 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
4390 .xfrm_state_free_security = selinux_xfrm_state_free,
4391 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
4395 static __init int selinux_init(void)
4397 struct task_security_struct *tsec;
4399 if (!selinux_enabled) {
4400 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4404 printk(KERN_INFO "SELinux: Initializing.\n");
4406 /* Set the security state for the initial task. */
4407 if (task_alloc_security(current))
4408 panic("SELinux: Failed to initialize initial task.\n");
4409 tsec = current->security;
4410 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4412 sel_inode_cache = kmem_cache_create("selinux_inode_security",
4413 sizeof(struct inode_security_struct),
4414 0, SLAB_PANIC, NULL, NULL);
4417 original_ops = secondary_ops = security_ops;
4419 panic ("SELinux: No initial security operations\n");
4420 if (register_security (&selinux_ops))
4421 panic("SELinux: Unable to register with kernel.\n");
4423 if (selinux_enforcing) {
4424 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
4426 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
4431 void selinux_complete_init(void)
4433 printk(KERN_INFO "SELinux: Completing initialization.\n");
4435 /* Set up any superblocks initialized prior to the policy load. */
4436 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
4437 spin_lock(&sb_security_lock);
4439 if (!list_empty(&superblock_security_head)) {
4440 struct superblock_security_struct *sbsec =
4441 list_entry(superblock_security_head.next,
4442 struct superblock_security_struct,
4444 struct super_block *sb = sbsec->sb;
4445 spin_lock(&sb_lock);
4447 spin_unlock(&sb_lock);
4448 spin_unlock(&sb_security_lock);
4449 down_read(&sb->s_umount);
4451 superblock_doinit(sb, NULL);
4453 spin_lock(&sb_security_lock);
4454 list_del_init(&sbsec->list);
4457 spin_unlock(&sb_security_lock);
4460 /* SELinux requires early initialization in order to label
4461 all processes and objects when they are created. */
4462 security_initcall(selinux_init);
4464 #if defined(CONFIG_NETFILTER)
4466 static struct nf_hook_ops selinux_ipv4_op = {
4467 .hook = selinux_ipv4_postroute_last,
4468 .owner = THIS_MODULE,
4470 .hooknum = NF_IP_POST_ROUTING,
4471 .priority = NF_IP_PRI_SELINUX_LAST,
4474 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4476 static struct nf_hook_ops selinux_ipv6_op = {
4477 .hook = selinux_ipv6_postroute_last,
4478 .owner = THIS_MODULE,
4480 .hooknum = NF_IP6_POST_ROUTING,
4481 .priority = NF_IP6_PRI_SELINUX_LAST,
4486 static int __init selinux_nf_ip_init(void)
4490 if (!selinux_enabled)
4493 printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
4495 err = nf_register_hook(&selinux_ipv4_op);
4497 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4499 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4501 err = nf_register_hook(&selinux_ipv6_op);
4503 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4511 __initcall(selinux_nf_ip_init);
4513 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4514 static void selinux_nf_ip_exit(void)
4516 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
4518 nf_unregister_hook(&selinux_ipv4_op);
4519 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4520 nf_unregister_hook(&selinux_ipv6_op);
4525 #else /* CONFIG_NETFILTER */
4527 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4528 #define selinux_nf_ip_exit()
4531 #endif /* CONFIG_NETFILTER */
4533 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4534 int selinux_disable(void)
4536 extern void exit_sel_fs(void);
4537 static int selinux_disabled = 0;
4539 if (ss_initialized) {
4540 /* Not permitted after initial policy load. */
4544 if (selinux_disabled) {
4545 /* Only do this once. */
4549 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
4551 selinux_disabled = 1;
4553 /* Reset security_ops to the secondary module, dummy or capability. */
4554 security_ops = secondary_ops;
4556 /* Unregister netfilter hooks. */
4557 selinux_nf_ip_exit();
4559 /* Unregister selinuxfs. */
projects / linux-2.6 / blob