2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
89 #define NUM_SEL_MNT_OPTS 4
91 extern unsigned int policydb_loaded_version;
92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
93 extern int selinux_compat_net;
94 extern struct security_operations *security_ops;
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing = 0;
102 static int __init enforcing_setup(char *str)
104 selinux_enforcing = simple_strtol(str,NULL,0);
107 __setup("enforcing=", enforcing_setup);
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
113 static int __init selinux_enabled_setup(char *str)
115 selinux_enabled = simple_strtol(str, NULL, 0);
118 __setup("selinux=", selinux_enabled_setup);
120 int selinux_enabled = 1;
123 /* Original (dummy) security module. */
124 static struct security_operations *original_ops = NULL;
126 /* Minimal support for a secondary security module,
127 just to allow the use of the dummy or capability modules.
128 The owlsm module can alternatively be used as a secondary
129 module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations *secondary_ops = NULL;
132 /* Lists of inode and superblock security structures initialized
133 before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head);
135 static DEFINE_SPINLOCK(sb_security_lock);
137 static struct kmem_cache *sel_inode_cache;
140 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
143 * This function checks the SECMARK reference counter to see if any SECMARK
144 * targets are currently configured, if the reference counter is greater than
145 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
146 * enabled, false (0) if SECMARK is disabled.
149 static int selinux_secmark_enabled(void)
151 return (atomic_read(&selinux_secmark_refcount) > 0);
154 /* Allocate and free functions for each kind of security blob. */
156 static int task_alloc_security(struct task_struct *task)
158 struct task_security_struct *tsec;
160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
165 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166 task->security = tsec;
171 static void task_free_security(struct task_struct *task)
173 struct task_security_struct *tsec = task->security;
174 task->security = NULL;
178 static int inode_alloc_security(struct inode *inode)
180 struct task_security_struct *tsec = current->security;
181 struct inode_security_struct *isec;
183 isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
187 mutex_init(&isec->lock);
188 INIT_LIST_HEAD(&isec->list);
190 isec->sid = SECINITSID_UNLABELED;
191 isec->sclass = SECCLASS_FILE;
192 isec->task_sid = tsec->sid;
193 inode->i_security = isec;
198 static void inode_free_security(struct inode *inode)
200 struct inode_security_struct *isec = inode->i_security;
201 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
203 spin_lock(&sbsec->isec_lock);
204 if (!list_empty(&isec->list))
205 list_del_init(&isec->list);
206 spin_unlock(&sbsec->isec_lock);
208 inode->i_security = NULL;
209 kmem_cache_free(sel_inode_cache, isec);
212 static int file_alloc_security(struct file *file)
214 struct task_security_struct *tsec = current->security;
215 struct file_security_struct *fsec;
217 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
222 fsec->sid = tsec->sid;
223 fsec->fown_sid = tsec->sid;
224 file->f_security = fsec;
229 static void file_free_security(struct file *file)
231 struct file_security_struct *fsec = file->f_security;
232 file->f_security = NULL;
236 static int superblock_alloc_security(struct super_block *sb)
238 struct superblock_security_struct *sbsec;
240 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
244 mutex_init(&sbsec->lock);
245 INIT_LIST_HEAD(&sbsec->list);
246 INIT_LIST_HEAD(&sbsec->isec_head);
247 spin_lock_init(&sbsec->isec_lock);
249 sbsec->sid = SECINITSID_UNLABELED;
250 sbsec->def_sid = SECINITSID_FILE;
251 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
252 sb->s_security = sbsec;
257 static void superblock_free_security(struct super_block *sb)
259 struct superblock_security_struct *sbsec = sb->s_security;
261 spin_lock(&sb_security_lock);
262 if (!list_empty(&sbsec->list))
263 list_del_init(&sbsec->list);
264 spin_unlock(&sb_security_lock);
266 sb->s_security = NULL;
270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
272 struct sk_security_struct *ssec;
274 ssec = kzalloc(sizeof(*ssec), priority);
279 ssec->peer_sid = SECINITSID_UNLABELED;
280 ssec->sid = SECINITSID_UNLABELED;
281 sk->sk_security = ssec;
283 selinux_netlbl_sk_security_init(ssec, family);
288 static void sk_free_security(struct sock *sk)
290 struct sk_security_struct *ssec = sk->sk_security;
292 sk->sk_security = NULL;
296 /* The security server must be initialized before
297 any labeling or access decisions can be provided. */
298 extern int ss_initialized;
300 /* The file system's label must be initialized prior to use. */
302 static char *labeling_behaviors[6] = {
304 "uses transition SIDs",
306 "uses genfs_contexts",
307 "not configured for labeling",
308 "uses mountpoint labeling",
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313 static inline int inode_doinit(struct inode *inode)
315 return inode_doinit_with_dentry(inode, NULL);
326 static match_table_t tokens = {
327 {Opt_context, "context=%s"},
328 {Opt_fscontext, "fscontext=%s"},
329 {Opt_defcontext, "defcontext=%s"},
330 {Opt_rootcontext, "rootcontext=%s"},
334 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
336 static int may_context_mount_sb_relabel(u32 sid,
337 struct superblock_security_struct *sbsec,
338 struct task_security_struct *tsec)
342 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343 FILESYSTEM__RELABELFROM, NULL);
347 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELTO, NULL);
352 static int may_context_mount_inode_relabel(u32 sid,
353 struct superblock_security_struct *sbsec,
354 struct task_security_struct *tsec)
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
362 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__ASSOCIATE, NULL);
367 static int sb_finish_set_opts(struct super_block *sb)
369 struct superblock_security_struct *sbsec = sb->s_security;
370 struct dentry *root = sb->s_root;
371 struct inode *root_inode = root->d_inode;
374 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
375 /* Make sure that the xattr handler exists and that no
376 error other than -ENODATA is returned by getxattr on
377 the root directory. -ENODATA is ok, as this may be
378 the first boot of the SELinux kernel before we have
379 assigned xattr values to the filesystem. */
380 if (!root_inode->i_op->getxattr) {
381 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
382 "xattr support\n", sb->s_id, sb->s_type->name);
386 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
387 if (rc < 0 && rc != -ENODATA) {
388 if (rc == -EOPNOTSUPP)
389 printk(KERN_WARNING "SELinux: (dev %s, type "
390 "%s) has no security xattr handler\n",
391 sb->s_id, sb->s_type->name);
393 printk(KERN_WARNING "SELinux: (dev %s, type "
394 "%s) getxattr errno %d\n", sb->s_id,
395 sb->s_type->name, -rc);
400 sbsec->initialized = 1;
402 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
404 sb->s_id, sb->s_type->name);
406 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
407 sb->s_id, sb->s_type->name,
408 labeling_behaviors[sbsec->behavior-1]);
410 /* Initialize the root inode. */
411 rc = inode_doinit_with_dentry(root_inode, root);
413 /* Initialize any other inodes associated with the superblock, e.g.
414 inodes created prior to initial policy load or inodes created
415 during get_sb by a pseudo filesystem that directly
417 spin_lock(&sbsec->isec_lock);
419 if (!list_empty(&sbsec->isec_head)) {
420 struct inode_security_struct *isec =
421 list_entry(sbsec->isec_head.next,
422 struct inode_security_struct, list);
423 struct inode *inode = isec->inode;
424 spin_unlock(&sbsec->isec_lock);
425 inode = igrab(inode);
427 if (!IS_PRIVATE(inode))
431 spin_lock(&sbsec->isec_lock);
432 list_del_init(&isec->list);
435 spin_unlock(&sbsec->isec_lock);
441 * This function should allow an FS to ask what it's mount security
442 * options were so it can use those later for submounts, displaying
443 * mount options, or whatever.
445 static int selinux_get_mnt_opts(const struct super_block *sb,
446 struct security_mnt_opts *opts)
449 struct superblock_security_struct *sbsec = sb->s_security;
450 char *context = NULL;
454 security_init_mnt_opts(opts);
456 if (!sbsec->initialized)
463 * if we ever use sbsec flags for anything other than tracking mount
464 * settings this is going to need a mask
467 /* count the number of mount options for this sb */
468 for (i = 0; i < 8; i++) {
470 opts->num_mnt_opts++;
474 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
475 if (!opts->mnt_opts) {
480 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
481 if (!opts->mnt_opts_flags) {
487 if (sbsec->flags & FSCONTEXT_MNT) {
488 rc = security_sid_to_context(sbsec->sid, &context, &len);
491 opts->mnt_opts[i] = context;
492 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
494 if (sbsec->flags & CONTEXT_MNT) {
495 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
498 opts->mnt_opts[i] = context;
499 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
501 if (sbsec->flags & DEFCONTEXT_MNT) {
502 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
505 opts->mnt_opts[i] = context;
506 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
508 if (sbsec->flags & ROOTCONTEXT_MNT) {
509 struct inode *root = sbsec->sb->s_root->d_inode;
510 struct inode_security_struct *isec = root->i_security;
512 rc = security_sid_to_context(isec->sid, &context, &len);
515 opts->mnt_opts[i] = context;
516 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
519 BUG_ON(i != opts->num_mnt_opts);
524 security_free_mnt_opts(opts);
528 static int bad_option(struct superblock_security_struct *sbsec, char flag,
529 u32 old_sid, u32 new_sid)
531 /* check if the old mount command had the same options */
532 if (sbsec->initialized)
533 if (!(sbsec->flags & flag) ||
534 (old_sid != new_sid))
537 /* check if we were passed the same options twice,
538 * aka someone passed context=a,context=b
540 if (!sbsec->initialized)
541 if (sbsec->flags & flag)
547 * Allow filesystems with binary mount data to explicitly set mount point
548 * labeling information.
550 static int selinux_set_mnt_opts(struct super_block *sb,
551 struct security_mnt_opts *opts)
554 struct task_security_struct *tsec = current->security;
555 struct superblock_security_struct *sbsec = sb->s_security;
556 const char *name = sb->s_type->name;
557 struct inode *inode = sbsec->sb->s_root->d_inode;
558 struct inode_security_struct *root_isec = inode->i_security;
559 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
560 u32 defcontext_sid = 0;
561 char **mount_options = opts->mnt_opts;
562 int *flags = opts->mnt_opts_flags;
563 int num_opts = opts->num_mnt_opts;
565 mutex_lock(&sbsec->lock);
567 if (!ss_initialized) {
569 /* Defer initialization until selinux_complete_init,
570 after the initial policy is loaded and the security
571 server is ready to handle calls. */
572 spin_lock(&sb_security_lock);
573 if (list_empty(&sbsec->list))
574 list_add(&sbsec->list, &superblock_security_head);
575 spin_unlock(&sb_security_lock);
579 printk(KERN_WARNING "Unable to set superblock options before "
580 "the security server is initialized\n");
585 * Binary mount data FS will come through this function twice. Once
586 * from an explicit call and once from the generic calls from the vfs.
587 * Since the generic VFS calls will not contain any security mount data
588 * we need to skip the double mount verification.
590 * This does open a hole in which we will not notice if the first
591 * mount using this sb set explict options and a second mount using
592 * this sb does not set any security options. (The first options
593 * will be used for both mounts)
595 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
600 * parse the mount options, check if they are valid sids.
601 * also check if someone is trying to mount the same sb more
602 * than once with different security options.
604 for (i = 0; i < num_opts; i++) {
606 rc = security_context_to_sid(mount_options[i],
607 strlen(mount_options[i]), &sid);
609 printk(KERN_WARNING "SELinux: security_context_to_sid"
610 "(%s) failed for (dev %s, type %s) errno=%d\n",
611 mount_options[i], sb->s_id, name, rc);
618 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
620 goto out_double_mount;
622 sbsec->flags |= FSCONTEXT_MNT;
627 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
629 goto out_double_mount;
631 sbsec->flags |= CONTEXT_MNT;
633 case ROOTCONTEXT_MNT:
634 rootcontext_sid = sid;
636 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
638 goto out_double_mount;
640 sbsec->flags |= ROOTCONTEXT_MNT;
644 defcontext_sid = sid;
646 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
648 goto out_double_mount;
650 sbsec->flags |= DEFCONTEXT_MNT;
659 if (sbsec->initialized) {
660 /* previously mounted with options, but not on this attempt? */
661 if (sbsec->flags && !num_opts)
662 goto out_double_mount;
667 if (strcmp(sb->s_type->name, "proc") == 0)
670 /* Determine the labeling behavior to use for this filesystem type. */
671 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
673 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
674 __FUNCTION__, sb->s_type->name, rc);
678 /* sets the context of the superblock for the fs being mounted. */
681 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
685 sbsec->sid = fscontext_sid;
689 * Switch to using mount point labeling behavior.
690 * sets the label used on all file below the mountpoint, and will set
691 * the superblock context if not already set.
694 if (!fscontext_sid) {
695 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
698 sbsec->sid = context_sid;
700 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
704 if (!rootcontext_sid)
705 rootcontext_sid = context_sid;
707 sbsec->mntpoint_sid = context_sid;
708 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
711 if (rootcontext_sid) {
712 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
716 root_isec->sid = rootcontext_sid;
717 root_isec->initialized = 1;
720 if (defcontext_sid) {
721 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
723 printk(KERN_WARNING "SELinux: defcontext option is "
724 "invalid for this filesystem type\n");
728 if (defcontext_sid != sbsec->def_sid) {
729 rc = may_context_mount_inode_relabel(defcontext_sid,
735 sbsec->def_sid = defcontext_sid;
738 rc = sb_finish_set_opts(sb);
740 mutex_unlock(&sbsec->lock);
744 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
745 "security settings for (dev %s, type %s)\n", sb->s_id, name);
749 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
750 struct super_block *newsb)
752 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
753 struct superblock_security_struct *newsbsec = newsb->s_security;
755 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
756 int set_context = (oldsbsec->flags & CONTEXT_MNT);
757 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
759 /* we can't error, we can't save the info, this shouldn't get called
760 * this early in the boot process. */
761 BUG_ON(!ss_initialized);
763 /* this might go away sometime down the line if there is a new user
764 * of clone, but for now, nfs better not get here... */
765 BUG_ON(newsbsec->initialized);
767 /* how can we clone if the old one wasn't set up?? */
768 BUG_ON(!oldsbsec->initialized);
770 mutex_lock(&newsbsec->lock);
772 newsbsec->flags = oldsbsec->flags;
774 newsbsec->sid = oldsbsec->sid;
775 newsbsec->def_sid = oldsbsec->def_sid;
776 newsbsec->behavior = oldsbsec->behavior;
779 u32 sid = oldsbsec->mntpoint_sid;
783 if (!set_rootcontext) {
784 struct inode *newinode = newsb->s_root->d_inode;
785 struct inode_security_struct *newisec = newinode->i_security;
788 newsbsec->mntpoint_sid = sid;
790 if (set_rootcontext) {
791 const struct inode *oldinode = oldsb->s_root->d_inode;
792 const struct inode_security_struct *oldisec = oldinode->i_security;
793 struct inode *newinode = newsb->s_root->d_inode;
794 struct inode_security_struct *newisec = newinode->i_security;
796 newisec->sid = oldisec->sid;
799 sb_finish_set_opts(newsb);
800 mutex_unlock(&newsbsec->lock);
803 static int selinux_parse_opts_str(char *options,
804 struct security_mnt_opts *opts)
807 char *context = NULL, *defcontext = NULL;
808 char *fscontext = NULL, *rootcontext = NULL;
809 int rc, num_mnt_opts = 0;
811 opts->num_mnt_opts = 0;
813 /* Standard string-based options. */
814 while ((p = strsep(&options, "|")) != NULL) {
816 substring_t args[MAX_OPT_ARGS];
821 token = match_token(p, tokens, args);
825 if (context || defcontext) {
827 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
830 context = match_strdup(&args[0]);
840 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
843 fscontext = match_strdup(&args[0]);
850 case Opt_rootcontext:
853 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
856 rootcontext = match_strdup(&args[0]);
864 if (context || defcontext) {
866 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
869 defcontext = match_strdup(&args[0]);
878 printk(KERN_WARNING "SELinux: unknown mount option\n");
885 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
889 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
890 if (!opts->mnt_opts_flags) {
891 kfree(opts->mnt_opts);
896 opts->mnt_opts[num_mnt_opts] = fscontext;
897 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
900 opts->mnt_opts[num_mnt_opts] = context;
901 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
904 opts->mnt_opts[num_mnt_opts] = rootcontext;
905 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
908 opts->mnt_opts[num_mnt_opts] = defcontext;
909 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
912 opts->num_mnt_opts = num_mnt_opts;
923 * string mount options parsing and call set the sbsec
925 static int superblock_doinit(struct super_block *sb, void *data)
928 char *options = data;
929 struct security_mnt_opts opts;
931 security_init_mnt_opts(&opts);
936 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
938 rc = selinux_parse_opts_str(options, &opts);
943 rc = selinux_set_mnt_opts(sb, &opts);
946 security_free_mnt_opts(&opts);
950 static inline u16 inode_mode_to_security_class(umode_t mode)
952 switch (mode & S_IFMT) {
954 return SECCLASS_SOCK_FILE;
956 return SECCLASS_LNK_FILE;
958 return SECCLASS_FILE;
960 return SECCLASS_BLK_FILE;
964 return SECCLASS_CHR_FILE;
966 return SECCLASS_FIFO_FILE;
970 return SECCLASS_FILE;
973 static inline int default_protocol_stream(int protocol)
975 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
978 static inline int default_protocol_dgram(int protocol)
980 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
983 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
990 return SECCLASS_UNIX_STREAM_SOCKET;
992 return SECCLASS_UNIX_DGRAM_SOCKET;
999 if (default_protocol_stream(protocol))
1000 return SECCLASS_TCP_SOCKET;
1002 return SECCLASS_RAWIP_SOCKET;
1004 if (default_protocol_dgram(protocol))
1005 return SECCLASS_UDP_SOCKET;
1007 return SECCLASS_RAWIP_SOCKET;
1009 return SECCLASS_DCCP_SOCKET;
1011 return SECCLASS_RAWIP_SOCKET;
1017 return SECCLASS_NETLINK_ROUTE_SOCKET;
1018 case NETLINK_FIREWALL:
1019 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1020 case NETLINK_INET_DIAG:
1021 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1023 return SECCLASS_NETLINK_NFLOG_SOCKET;
1025 return SECCLASS_NETLINK_XFRM_SOCKET;
1026 case NETLINK_SELINUX:
1027 return SECCLASS_NETLINK_SELINUX_SOCKET;
1029 return SECCLASS_NETLINK_AUDIT_SOCKET;
1030 case NETLINK_IP6_FW:
1031 return SECCLASS_NETLINK_IP6FW_SOCKET;
1032 case NETLINK_DNRTMSG:
1033 return SECCLASS_NETLINK_DNRT_SOCKET;
1034 case NETLINK_KOBJECT_UEVENT:
1035 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1037 return SECCLASS_NETLINK_SOCKET;
1040 return SECCLASS_PACKET_SOCKET;
1042 return SECCLASS_KEY_SOCKET;
1044 return SECCLASS_APPLETALK_SOCKET;
1047 return SECCLASS_SOCKET;
1050 #ifdef CONFIG_PROC_FS
1051 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1056 char *buffer, *path, *end;
1058 buffer = (char*)__get_free_page(GFP_KERNEL);
1063 end = buffer+buflen;
1068 while (de && de != de->parent) {
1069 buflen -= de->namelen + 1;
1073 memcpy(end, de->name, de->namelen);
1078 rc = security_genfs_sid("proc", path, tclass, sid);
1079 free_page((unsigned long)buffer);
1083 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1091 /* The inode's security attributes must be initialized before first use. */
1092 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1094 struct superblock_security_struct *sbsec = NULL;
1095 struct inode_security_struct *isec = inode->i_security;
1097 struct dentry *dentry;
1098 #define INITCONTEXTLEN 255
1099 char *context = NULL;
1103 if (isec->initialized)
1106 mutex_lock(&isec->lock);
1107 if (isec->initialized)
1110 sbsec = inode->i_sb->s_security;
1111 if (!sbsec->initialized) {
1112 /* Defer initialization until selinux_complete_init,
1113 after the initial policy is loaded and the security
1114 server is ready to handle calls. */
1115 spin_lock(&sbsec->isec_lock);
1116 if (list_empty(&isec->list))
1117 list_add(&isec->list, &sbsec->isec_head);
1118 spin_unlock(&sbsec->isec_lock);
1122 switch (sbsec->behavior) {
1123 case SECURITY_FS_USE_XATTR:
1124 if (!inode->i_op->getxattr) {
1125 isec->sid = sbsec->def_sid;
1129 /* Need a dentry, since the xattr API requires one.
1130 Life would be simpler if we could just pass the inode. */
1132 /* Called from d_instantiate or d_splice_alias. */
1133 dentry = dget(opt_dentry);
1135 /* Called from selinux_complete_init, try to find a dentry. */
1136 dentry = d_find_alias(inode);
1139 printk(KERN_WARNING "%s: no dentry for dev=%s "
1140 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1145 len = INITCONTEXTLEN;
1146 context = kmalloc(len, GFP_KERNEL);
1152 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1154 if (rc == -ERANGE) {
1155 /* Need a larger buffer. Query for the right size. */
1156 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1164 context = kmalloc(len, GFP_KERNEL);
1170 rc = inode->i_op->getxattr(dentry,
1176 if (rc != -ENODATA) {
1177 printk(KERN_WARNING "%s: getxattr returned "
1178 "%d for dev=%s ino=%ld\n", __FUNCTION__,
1179 -rc, inode->i_sb->s_id, inode->i_ino);
1183 /* Map ENODATA to the default file SID */
1184 sid = sbsec->def_sid;
1187 rc = security_context_to_sid_default(context, rc, &sid,
1190 printk(KERN_WARNING "%s: context_to_sid(%s) "
1191 "returned %d for dev=%s ino=%ld\n",
1192 __FUNCTION__, context, -rc,
1193 inode->i_sb->s_id, inode->i_ino);
1195 /* Leave with the unlabeled SID */
1203 case SECURITY_FS_USE_TASK:
1204 isec->sid = isec->task_sid;
1206 case SECURITY_FS_USE_TRANS:
1207 /* Default to the fs SID. */
1208 isec->sid = sbsec->sid;
1210 /* Try to obtain a transition SID. */
1211 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1212 rc = security_transition_sid(isec->task_sid,
1220 case SECURITY_FS_USE_MNTPOINT:
1221 isec->sid = sbsec->mntpoint_sid;
1224 /* Default to the fs superblock SID. */
1225 isec->sid = sbsec->sid;
1228 struct proc_inode *proci = PROC_I(inode);
1230 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1231 rc = selinux_proc_get_sid(proci->pde,
1242 isec->initialized = 1;
1245 mutex_unlock(&isec->lock);
1247 if (isec->sclass == SECCLASS_FILE)
1248 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1252 /* Convert a Linux signal to an access vector. */
1253 static inline u32 signal_to_av(int sig)
1259 /* Commonly granted from child to parent. */
1260 perm = PROCESS__SIGCHLD;
1263 /* Cannot be caught or ignored */
1264 perm = PROCESS__SIGKILL;
1267 /* Cannot be caught or ignored */
1268 perm = PROCESS__SIGSTOP;
1271 /* All other signals. */
1272 perm = PROCESS__SIGNAL;
1279 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1280 fork check, ptrace check, etc. */
1281 static int task_has_perm(struct task_struct *tsk1,
1282 struct task_struct *tsk2,
1285 struct task_security_struct *tsec1, *tsec2;
1287 tsec1 = tsk1->security;
1288 tsec2 = tsk2->security;
1289 return avc_has_perm(tsec1->sid, tsec2->sid,
1290 SECCLASS_PROCESS, perms, NULL);
1293 #if CAP_LAST_CAP > 63
1294 #error Fix SELinux to handle capabilities > 63.
1297 /* Check whether a task is allowed to use a capability. */
1298 static int task_has_capability(struct task_struct *tsk,
1301 struct task_security_struct *tsec;
1302 struct avc_audit_data ad;
1304 u32 av = CAP_TO_MASK(cap);
1306 tsec = tsk->security;
1308 AVC_AUDIT_DATA_INIT(&ad,CAP);
1312 switch (CAP_TO_INDEX(cap)) {
1314 sclass = SECCLASS_CAPABILITY;
1317 sclass = SECCLASS_CAPABILITY2;
1321 "SELinux: out of range capability %d\n", cap);
1324 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1327 /* Check whether a task is allowed to use a system operation. */
1328 static int task_has_system(struct task_struct *tsk,
1331 struct task_security_struct *tsec;
1333 tsec = tsk->security;
1335 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1336 SECCLASS_SYSTEM, perms, NULL);
1339 /* Check whether a task has a particular permission to an inode.
1340 The 'adp' parameter is optional and allows other audit
1341 data to be passed (e.g. the dentry). */
1342 static int inode_has_perm(struct task_struct *tsk,
1343 struct inode *inode,
1345 struct avc_audit_data *adp)
1347 struct task_security_struct *tsec;
1348 struct inode_security_struct *isec;
1349 struct avc_audit_data ad;
1351 if (unlikely (IS_PRIVATE (inode)))
1354 tsec = tsk->security;
1355 isec = inode->i_security;
1359 AVC_AUDIT_DATA_INIT(&ad, FS);
1360 ad.u.fs.inode = inode;
1363 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1366 /* Same as inode_has_perm, but pass explicit audit data containing
1367 the dentry to help the auditing code to more easily generate the
1368 pathname if needed. */
1369 static inline int dentry_has_perm(struct task_struct *tsk,
1370 struct vfsmount *mnt,
1371 struct dentry *dentry,
1374 struct inode *inode = dentry->d_inode;
1375 struct avc_audit_data ad;
1376 AVC_AUDIT_DATA_INIT(&ad,FS);
1377 ad.u.fs.path.mnt = mnt;
1378 ad.u.fs.path.dentry = dentry;
1379 return inode_has_perm(tsk, inode, av, &ad);
1382 /* Check whether a task can use an open file descriptor to
1383 access an inode in a given way. Check access to the
1384 descriptor itself, and then use dentry_has_perm to
1385 check a particular permission to the file.
1386 Access to the descriptor is implicitly granted if it
1387 has the same SID as the process. If av is zero, then
1388 access to the file is not checked, e.g. for cases
1389 where only the descriptor is affected like seek. */
1390 static int file_has_perm(struct task_struct *tsk,
1394 struct task_security_struct *tsec = tsk->security;
1395 struct file_security_struct *fsec = file->f_security;
1396 struct inode *inode = file->f_path.dentry->d_inode;
1397 struct avc_audit_data ad;
1400 AVC_AUDIT_DATA_INIT(&ad, FS);
1401 ad.u.fs.path = file->f_path;
1403 if (tsec->sid != fsec->sid) {
1404 rc = avc_has_perm(tsec->sid, fsec->sid,
1412 /* av is zero if only checking access to the descriptor. */
1414 return inode_has_perm(tsk, inode, av, &ad);
1419 /* Check whether a task can create a file. */
1420 static int may_create(struct inode *dir,
1421 struct dentry *dentry,
1424 struct task_security_struct *tsec;
1425 struct inode_security_struct *dsec;
1426 struct superblock_security_struct *sbsec;
1428 struct avc_audit_data ad;
1431 tsec = current->security;
1432 dsec = dir->i_security;
1433 sbsec = dir->i_sb->s_security;
1435 AVC_AUDIT_DATA_INIT(&ad, FS);
1436 ad.u.fs.path.dentry = dentry;
1438 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1439 DIR__ADD_NAME | DIR__SEARCH,
1444 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1445 newsid = tsec->create_sid;
1447 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1453 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1457 return avc_has_perm(newsid, sbsec->sid,
1458 SECCLASS_FILESYSTEM,
1459 FILESYSTEM__ASSOCIATE, &ad);
1462 /* Check whether a task can create a key. */
1463 static int may_create_key(u32 ksid,
1464 struct task_struct *ctx)
1466 struct task_security_struct *tsec;
1468 tsec = ctx->security;
1470 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1474 #define MAY_UNLINK 1
1477 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1478 static int may_link(struct inode *dir,
1479 struct dentry *dentry,
1483 struct task_security_struct *tsec;
1484 struct inode_security_struct *dsec, *isec;
1485 struct avc_audit_data ad;
1489 tsec = current->security;
1490 dsec = dir->i_security;
1491 isec = dentry->d_inode->i_security;
1493 AVC_AUDIT_DATA_INIT(&ad, FS);
1494 ad.u.fs.path.dentry = dentry;
1497 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1498 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1513 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1517 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1521 static inline int may_rename(struct inode *old_dir,
1522 struct dentry *old_dentry,
1523 struct inode *new_dir,
1524 struct dentry *new_dentry)
1526 struct task_security_struct *tsec;
1527 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1528 struct avc_audit_data ad;
1530 int old_is_dir, new_is_dir;
1533 tsec = current->security;
1534 old_dsec = old_dir->i_security;
1535 old_isec = old_dentry->d_inode->i_security;
1536 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1537 new_dsec = new_dir->i_security;
1539 AVC_AUDIT_DATA_INIT(&ad, FS);
1541 ad.u.fs.path.dentry = old_dentry;
1542 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1543 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1546 rc = avc_has_perm(tsec->sid, old_isec->sid,
1547 old_isec->sclass, FILE__RENAME, &ad);
1550 if (old_is_dir && new_dir != old_dir) {
1551 rc = avc_has_perm(tsec->sid, old_isec->sid,
1552 old_isec->sclass, DIR__REPARENT, &ad);
1557 ad.u.fs.path.dentry = new_dentry;
1558 av = DIR__ADD_NAME | DIR__SEARCH;
1559 if (new_dentry->d_inode)
1560 av |= DIR__REMOVE_NAME;
1561 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1564 if (new_dentry->d_inode) {
1565 new_isec = new_dentry->d_inode->i_security;
1566 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1567 rc = avc_has_perm(tsec->sid, new_isec->sid,
1569 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1577 /* Check whether a task can perform a filesystem operation. */
1578 static int superblock_has_perm(struct task_struct *tsk,
1579 struct super_block *sb,
1581 struct avc_audit_data *ad)
1583 struct task_security_struct *tsec;
1584 struct superblock_security_struct *sbsec;
1586 tsec = tsk->security;
1587 sbsec = sb->s_security;
1588 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1592 /* Convert a Linux mode and permission mask to an access vector. */
1593 static inline u32 file_mask_to_av(int mode, int mask)
1597 if ((mode & S_IFMT) != S_IFDIR) {
1598 if (mask & MAY_EXEC)
1599 av |= FILE__EXECUTE;
1600 if (mask & MAY_READ)
1603 if (mask & MAY_APPEND)
1605 else if (mask & MAY_WRITE)
1609 if (mask & MAY_EXEC)
1611 if (mask & MAY_WRITE)
1613 if (mask & MAY_READ)
1620 /* Convert a Linux file to an access vector. */
1621 static inline u32 file_to_av(struct file *file)
1625 if (file->f_mode & FMODE_READ)
1627 if (file->f_mode & FMODE_WRITE) {
1628 if (file->f_flags & O_APPEND)
1637 /* Hook functions begin here. */
1639 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1641 struct task_security_struct *psec = parent->security;
1642 struct task_security_struct *csec = child->security;
1645 rc = secondary_ops->ptrace(parent,child);
1649 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1650 /* Save the SID of the tracing process for later use in apply_creds. */
1651 if (!(child->ptrace & PT_PTRACED) && !rc)
1652 csec->ptrace_sid = psec->sid;
1656 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1657 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1661 error = task_has_perm(current, target, PROCESS__GETCAP);
1665 return secondary_ops->capget(target, effective, inheritable, permitted);
1668 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1669 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1673 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1677 return task_has_perm(current, target, PROCESS__SETCAP);
1680 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1681 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1683 secondary_ops->capset_set(target, effective, inheritable, permitted);
1686 static int selinux_capable(struct task_struct *tsk, int cap)
1690 rc = secondary_ops->capable(tsk, cap);
1694 return task_has_capability(tsk,cap);
1697 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1700 char *buffer, *path, *end;
1703 buffer = (char*)__get_free_page(GFP_KERNEL);
1708 end = buffer+buflen;
1714 const char *name = table->procname;
1715 size_t namelen = strlen(name);
1716 buflen -= namelen + 1;
1720 memcpy(end, name, namelen);
1723 table = table->parent;
1729 memcpy(end, "/sys", 4);
1731 rc = security_genfs_sid("proc", path, tclass, sid);
1733 free_page((unsigned long)buffer);
1738 static int selinux_sysctl(ctl_table *table, int op)
1742 struct task_security_struct *tsec;
1746 rc = secondary_ops->sysctl(table, op);
1750 tsec = current->security;
1752 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1753 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1755 /* Default to the well-defined sysctl SID. */
1756 tsid = SECINITSID_SYSCTL;
1759 /* The op values are "defined" in sysctl.c, thereby creating
1760 * a bad coupling between this module and sysctl.c */
1762 error = avc_has_perm(tsec->sid, tsid,
1763 SECCLASS_DIR, DIR__SEARCH, NULL);
1771 error = avc_has_perm(tsec->sid, tsid,
1772 SECCLASS_FILE, av, NULL);
1778 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1791 rc = superblock_has_perm(current,
1793 FILESYSTEM__QUOTAMOD, NULL);
1798 rc = superblock_has_perm(current,
1800 FILESYSTEM__QUOTAGET, NULL);
1803 rc = 0; /* let the kernel handle invalid cmds */
1809 static int selinux_quota_on(struct dentry *dentry)
1811 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1814 static int selinux_syslog(int type)
1818 rc = secondary_ops->syslog(type);
1823 case 3: /* Read last kernel messages */
1824 case 10: /* Return size of the log buffer */
1825 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1827 case 6: /* Disable logging to console */
1828 case 7: /* Enable logging to console */
1829 case 8: /* Set level of messages printed to console */
1830 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1832 case 0: /* Close log */
1833 case 1: /* Open log */
1834 case 2: /* Read from log */
1835 case 4: /* Read/clear last kernel messages */
1836 case 5: /* Clear ring buffer */
1838 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1845 * Check that a process has enough memory to allocate a new virtual
1846 * mapping. 0 means there is enough memory for the allocation to
1847 * succeed and -ENOMEM implies there is not.
1849 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1850 * if the capability is granted, but __vm_enough_memory requires 1 if
1851 * the capability is granted.
1853 * Do not audit the selinux permission check, as this is applied to all
1854 * processes that allocate mappings.
1856 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1858 int rc, cap_sys_admin = 0;
1859 struct task_security_struct *tsec = current->security;
1861 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1863 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1864 SECCLASS_CAPABILITY,
1865 CAP_TO_MASK(CAP_SYS_ADMIN),
1872 return __vm_enough_memory(mm, pages, cap_sys_admin);
1875 /* binprm security operations */
1877 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1879 struct bprm_security_struct *bsec;
1881 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1886 bsec->sid = SECINITSID_UNLABELED;
1889 bprm->security = bsec;
1893 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1895 struct task_security_struct *tsec;
1896 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1897 struct inode_security_struct *isec;
1898 struct bprm_security_struct *bsec;
1900 struct avc_audit_data ad;
1903 rc = secondary_ops->bprm_set_security(bprm);
1907 bsec = bprm->security;
1912 tsec = current->security;
1913 isec = inode->i_security;
1915 /* Default to the current task SID. */
1916 bsec->sid = tsec->sid;
1918 /* Reset fs, key, and sock SIDs on execve. */
1919 tsec->create_sid = 0;
1920 tsec->keycreate_sid = 0;
1921 tsec->sockcreate_sid = 0;
1923 if (tsec->exec_sid) {
1924 newsid = tsec->exec_sid;
1925 /* Reset exec SID on execve. */
1928 /* Check for a default transition on this program. */
1929 rc = security_transition_sid(tsec->sid, isec->sid,
1930 SECCLASS_PROCESS, &newsid);
1935 AVC_AUDIT_DATA_INIT(&ad, FS);
1936 ad.u.fs.path = bprm->file->f_path;
1938 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1941 if (tsec->sid == newsid) {
1942 rc = avc_has_perm(tsec->sid, isec->sid,
1943 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1947 /* Check permissions for the transition. */
1948 rc = avc_has_perm(tsec->sid, newsid,
1949 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1953 rc = avc_has_perm(newsid, isec->sid,
1954 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1958 /* Clear any possibly unsafe personality bits on exec: */
1959 current->personality &= ~PER_CLEAR_ON_SETID;
1961 /* Set the security field to the new SID. */
1969 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1971 return secondary_ops->bprm_check_security(bprm);
1975 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1977 struct task_security_struct *tsec = current->security;
1980 if (tsec->osid != tsec->sid) {
1981 /* Enable secure mode for SIDs transitions unless
1982 the noatsecure permission is granted between
1983 the two SIDs, i.e. ahp returns 0. */
1984 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1986 PROCESS__NOATSECURE, NULL);
1989 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1992 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1994 kfree(bprm->security);
1995 bprm->security = NULL;
1998 extern struct vfsmount *selinuxfs_mount;
1999 extern struct dentry *selinux_null;
2001 /* Derived from fs/exec.c:flush_old_files. */
2002 static inline void flush_unauthorized_files(struct files_struct * files)
2004 struct avc_audit_data ad;
2005 struct file *file, *devnull = NULL;
2006 struct tty_struct *tty;
2007 struct fdtable *fdt;
2011 mutex_lock(&tty_mutex);
2012 tty = get_current_tty();
2015 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2017 /* Revalidate access to controlling tty.
2018 Use inode_has_perm on the tty inode directly rather
2019 than using file_has_perm, as this particular open
2020 file may belong to another process and we are only
2021 interested in the inode-based check here. */
2022 struct inode *inode = file->f_path.dentry->d_inode;
2023 if (inode_has_perm(current, inode,
2024 FILE__READ | FILE__WRITE, NULL)) {
2030 mutex_unlock(&tty_mutex);
2031 /* Reset controlling tty. */
2035 /* Revalidate access to inherited open files. */
2037 AVC_AUDIT_DATA_INIT(&ad,FS);
2039 spin_lock(&files->file_lock);
2041 unsigned long set, i;
2046 fdt = files_fdtable(files);
2047 if (i >= fdt->max_fds)
2049 set = fdt->open_fds->fds_bits[j];
2052 spin_unlock(&files->file_lock);
2053 for ( ; set ; i++,set >>= 1) {
2058 if (file_has_perm(current,
2060 file_to_av(file))) {
2062 fd = get_unused_fd();
2072 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2073 if (IS_ERR(devnull)) {
2080 fd_install(fd, devnull);
2085 spin_lock(&files->file_lock);
2088 spin_unlock(&files->file_lock);
2091 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2093 struct task_security_struct *tsec;
2094 struct bprm_security_struct *bsec;
2098 secondary_ops->bprm_apply_creds(bprm, unsafe);
2100 tsec = current->security;
2102 bsec = bprm->security;
2105 tsec->osid = tsec->sid;
2107 if (tsec->sid != sid) {
2108 /* Check for shared state. If not ok, leave SID
2109 unchanged and kill. */
2110 if (unsafe & LSM_UNSAFE_SHARE) {
2111 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2112 PROCESS__SHARE, NULL);
2119 /* Check for ptracing, and update the task SID if ok.
2120 Otherwise, leave SID unchanged and kill. */
2121 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2122 rc = avc_has_perm(tsec->ptrace_sid, sid,
2123 SECCLASS_PROCESS, PROCESS__PTRACE,
2135 * called after apply_creds without the task lock held
2137 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2139 struct task_security_struct *tsec;
2140 struct rlimit *rlim, *initrlim;
2141 struct itimerval itimer;
2142 struct bprm_security_struct *bsec;
2145 tsec = current->security;
2146 bsec = bprm->security;
2149 force_sig_specific(SIGKILL, current);
2152 if (tsec->osid == tsec->sid)
2155 /* Close files for which the new task SID is not authorized. */
2156 flush_unauthorized_files(current->files);
2158 /* Check whether the new SID can inherit signal state
2159 from the old SID. If not, clear itimers to avoid
2160 subsequent signal generation and flush and unblock
2161 signals. This must occur _after_ the task SID has
2162 been updated so that any kill done after the flush
2163 will be checked against the new SID. */
2164 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2165 PROCESS__SIGINH, NULL);
2167 memset(&itimer, 0, sizeof itimer);
2168 for (i = 0; i < 3; i++)
2169 do_setitimer(i, &itimer, NULL);
2170 flush_signals(current);
2171 spin_lock_irq(¤t->sighand->siglock);
2172 flush_signal_handlers(current, 1);
2173 sigemptyset(¤t->blocked);
2174 recalc_sigpending();
2175 spin_unlock_irq(¤t->sighand->siglock);
2178 /* Always clear parent death signal on SID transitions. */
2179 current->pdeath_signal = 0;
2181 /* Check whether the new SID can inherit resource limits
2182 from the old SID. If not, reset all soft limits to
2183 the lower of the current task's hard limit and the init
2184 task's soft limit. Note that the setting of hard limits
2185 (even to lower them) can be controlled by the setrlimit
2186 check. The inclusion of the init task's soft limit into
2187 the computation is to avoid resetting soft limits higher
2188 than the default soft limit for cases where the default
2189 is lower than the hard limit, e.g. RLIMIT_CORE or
2191 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2192 PROCESS__RLIMITINH, NULL);
2194 for (i = 0; i < RLIM_NLIMITS; i++) {
2195 rlim = current->signal->rlim + i;
2196 initrlim = init_task.signal->rlim+i;
2197 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2199 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2201 * This will cause RLIMIT_CPU calculations
2204 current->it_prof_expires = jiffies_to_cputime(1);
2208 /* Wake up the parent if it is waiting so that it can
2209 recheck wait permission to the new task SID. */
2210 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
2213 /* superblock security operations */
2215 static int selinux_sb_alloc_security(struct super_block *sb)
2217 return superblock_alloc_security(sb);
2220 static void selinux_sb_free_security(struct super_block *sb)
2222 superblock_free_security(sb);
2225 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2230 return !memcmp(prefix, option, plen);
2233 static inline int selinux_option(char *option, int len)
2235 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2236 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
2237 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2238 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
2241 static inline void take_option(char **to, char *from, int *first, int len)
2248 memcpy(*to, from, len);
2252 static inline void take_selinux_option(char **to, char *from, int *first,
2255 int current_size = 0;
2264 while (current_size < len) {
2274 static int selinux_sb_copy_data(char *orig, char *copy)
2276 int fnosec, fsec, rc = 0;
2277 char *in_save, *in_curr, *in_end;
2278 char *sec_curr, *nosec_save, *nosec;
2284 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2292 in_save = in_end = orig;
2296 open_quote = !open_quote;
2297 if ((*in_end == ',' && open_quote == 0) ||
2299 int len = in_end - in_curr;
2301 if (selinux_option(in_curr, len))
2302 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2304 take_option(&nosec, in_curr, &fnosec, len);
2306 in_curr = in_end + 1;
2308 } while (*in_end++);
2310 strcpy(in_save, nosec_save);
2311 free_page((unsigned long)nosec_save);
2316 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2318 struct avc_audit_data ad;
2321 rc = superblock_doinit(sb, data);
2325 AVC_AUDIT_DATA_INIT(&ad,FS);
2326 ad.u.fs.path.dentry = sb->s_root;
2327 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2330 static int selinux_sb_statfs(struct dentry *dentry)
2332 struct avc_audit_data ad;
2334 AVC_AUDIT_DATA_INIT(&ad,FS);
2335 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2336 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2339 static int selinux_mount(char * dev_name,
2340 struct nameidata *nd,
2342 unsigned long flags,
2347 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2351 if (flags & MS_REMOUNT)
2352 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2353 FILESYSTEM__REMOUNT, NULL);
2355 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2359 static int selinux_umount(struct vfsmount *mnt, int flags)
2363 rc = secondary_ops->sb_umount(mnt, flags);
2367 return superblock_has_perm(current,mnt->mnt_sb,
2368 FILESYSTEM__UNMOUNT,NULL);
2371 /* inode security operations */
2373 static int selinux_inode_alloc_security(struct inode *inode)
2375 return inode_alloc_security(inode);
2378 static void selinux_inode_free_security(struct inode *inode)
2380 inode_free_security(inode);
2383 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2384 char **name, void **value,
2387 struct task_security_struct *tsec;
2388 struct inode_security_struct *dsec;
2389 struct superblock_security_struct *sbsec;
2392 char *namep = NULL, *context;
2394 tsec = current->security;
2395 dsec = dir->i_security;
2396 sbsec = dir->i_sb->s_security;
2398 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2399 newsid = tsec->create_sid;
2401 rc = security_transition_sid(tsec->sid, dsec->sid,
2402 inode_mode_to_security_class(inode->i_mode),
2405 printk(KERN_WARNING "%s: "
2406 "security_transition_sid failed, rc=%d (dev=%s "
2409 -rc, inode->i_sb->s_id, inode->i_ino);
2414 /* Possibly defer initialization to selinux_complete_init. */
2415 if (sbsec->initialized) {
2416 struct inode_security_struct *isec = inode->i_security;
2417 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2419 isec->initialized = 1;
2422 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2426 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2433 rc = security_sid_to_context(newsid, &context, &clen);
2445 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2447 return may_create(dir, dentry, SECCLASS_FILE);
2450 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2454 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2457 return may_link(dir, old_dentry, MAY_LINK);
2460 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2464 rc = secondary_ops->inode_unlink(dir, dentry);
2467 return may_link(dir, dentry, MAY_UNLINK);
2470 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2472 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2475 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2477 return may_create(dir, dentry, SECCLASS_DIR);
2480 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2482 return may_link(dir, dentry, MAY_RMDIR);
2485 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2489 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2493 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2496 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2497 struct inode *new_inode, struct dentry *new_dentry)
2499 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2502 static int selinux_inode_readlink(struct dentry *dentry)
2504 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2507 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2511 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2514 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2517 static int selinux_inode_permission(struct inode *inode, int mask,
2518 struct nameidata *nd)
2522 rc = secondary_ops->inode_permission(inode, mask, nd);
2527 /* No permission to check. Existence test. */
2531 return inode_has_perm(current, inode,
2532 file_mask_to_av(inode->i_mode, mask), NULL);
2535 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2539 rc = secondary_ops->inode_setattr(dentry, iattr);
2543 if (iattr->ia_valid & ATTR_FORCE)
2546 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2547 ATTR_ATIME_SET | ATTR_MTIME_SET))
2548 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2550 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2553 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2555 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2558 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2560 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2561 sizeof XATTR_SECURITY_PREFIX - 1)) {
2562 if (!strcmp(name, XATTR_NAME_CAPS)) {
2563 if (!capable(CAP_SETFCAP))
2565 } else if (!capable(CAP_SYS_ADMIN)) {
2566 /* A different attribute in the security namespace.
2567 Restrict to administrator. */
2572 /* Not an attribute we recognize, so just check the
2573 ordinary setattr permission. */
2574 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2577 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2579 struct task_security_struct *tsec = current->security;
2580 struct inode *inode = dentry->d_inode;
2581 struct inode_security_struct *isec = inode->i_security;
2582 struct superblock_security_struct *sbsec;
2583 struct avc_audit_data ad;
2587 if (strcmp(name, XATTR_NAME_SELINUX))
2588 return selinux_inode_setotherxattr(dentry, name);
2590 sbsec = inode->i_sb->s_security;
2591 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2594 if (!is_owner_or_cap(inode))
2597 AVC_AUDIT_DATA_INIT(&ad,FS);
2598 ad.u.fs.path.dentry = dentry;
2600 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2601 FILE__RELABELFROM, &ad);
2605 rc = security_context_to_sid(value, size, &newsid);
2609 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2610 FILE__RELABELTO, &ad);
2614 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2619 return avc_has_perm(newsid,
2621 SECCLASS_FILESYSTEM,
2622 FILESYSTEM__ASSOCIATE,
2626 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2627 void *value, size_t size, int flags)
2629 struct inode *inode = dentry->d_inode;
2630 struct inode_security_struct *isec = inode->i_security;
2634 if (strcmp(name, XATTR_NAME_SELINUX)) {
2635 /* Not an attribute we recognize, so nothing to do. */
2639 rc = security_context_to_sid(value, size, &newsid);
2641 printk(KERN_WARNING "%s: unable to obtain SID for context "
2642 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2650 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2652 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2655 static int selinux_inode_listxattr (struct dentry *dentry)
2657 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2660 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2662 if (strcmp(name, XATTR_NAME_SELINUX))
2663 return selinux_inode_setotherxattr(dentry, name);
2665 /* No one is allowed to remove a SELinux security label.
2666 You can change the label, but all data must be labeled. */
2671 * Copy the in-core inode security context value to the user. If the
2672 * getxattr() prior to this succeeded, check to see if we need to
2673 * canonicalize the value to be finally returned to the user.
2675 * Permission check is handled by selinux_inode_getxattr hook.
2677 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2681 char *context = NULL;
2682 struct inode_security_struct *isec = inode->i_security;
2684 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2687 error = security_sid_to_context(isec->sid, &context, &size);
2700 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2701 const void *value, size_t size, int flags)
2703 struct inode_security_struct *isec = inode->i_security;
2707 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2710 if (!value || !size)
2713 rc = security_context_to_sid((void*)value, size, &newsid);
2721 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2723 const int len = sizeof(XATTR_NAME_SELINUX);
2724 if (buffer && len <= buffer_size)
2725 memcpy(buffer, XATTR_NAME_SELINUX, len);
2729 static int selinux_inode_need_killpriv(struct dentry *dentry)
2731 return secondary_ops->inode_need_killpriv(dentry);
2734 static int selinux_inode_killpriv(struct dentry *dentry)
2736 return secondary_ops->inode_killpriv(dentry);
2739 /* file security operations */
2741 static int selinux_revalidate_file_permission(struct file *file, int mask)
2744 struct inode *inode = file->f_path.dentry->d_inode;
2747 /* No permission to check. Existence test. */
2751 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2752 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2755 rc = file_has_perm(current, file,
2756 file_mask_to_av(inode->i_mode, mask));
2760 return selinux_netlbl_inode_permission(inode, mask);
2763 static int selinux_file_permission(struct file *file, int mask)
2765 struct inode *inode = file->f_path.dentry->d_inode;
2766 struct task_security_struct *tsec = current->security;
2767 struct file_security_struct *fsec = file->f_security;
2768 struct inode_security_struct *isec = inode->i_security;
2771 /* No permission to check. Existence test. */
2775 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2776 && fsec->pseqno == avc_policy_seqno())
2777 return selinux_netlbl_inode_permission(inode, mask);
2779 return selinux_revalidate_file_permission(file, mask);
2782 static int selinux_file_alloc_security(struct file *file)
2784 return file_alloc_security(file);
2787 static void selinux_file_free_security(struct file *file)
2789 file_free_security(file);
2792 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2804 case EXT2_IOC_GETFLAGS:
2806 case EXT2_IOC_GETVERSION:
2807 error = file_has_perm(current, file, FILE__GETATTR);
2810 case EXT2_IOC_SETFLAGS:
2812 case EXT2_IOC_SETVERSION:
2813 error = file_has_perm(current, file, FILE__SETATTR);
2816 /* sys_ioctl() checks */
2820 error = file_has_perm(current, file, 0);
2825 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2828 /* default case assumes that the command will go
2829 * to the file's ioctl() function.
2832 error = file_has_perm(current, file, FILE__IOCTL);
2838 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2840 #ifndef CONFIG_PPC32
2841 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2843 * We are making executable an anonymous mapping or a
2844 * private file mapping that will also be writable.
2845 * This has an additional check.
2847 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2854 /* read access is always possible with a mapping */
2855 u32 av = FILE__READ;
2857 /* write access only matters if the mapping is shared */
2858 if (shared && (prot & PROT_WRITE))
2861 if (prot & PROT_EXEC)
2862 av |= FILE__EXECUTE;
2864 return file_has_perm(current, file, av);
2869 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2870 unsigned long prot, unsigned long flags,
2871 unsigned long addr, unsigned long addr_only)
2874 u32 sid = ((struct task_security_struct*)(current->security))->sid;
2876 if (addr < mmap_min_addr)
2877 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2878 MEMPROTECT__MMAP_ZERO, NULL);
2879 if (rc || addr_only)
2882 if (selinux_checkreqprot)
2885 return file_map_prot_check(file, prot,
2886 (flags & MAP_TYPE) == MAP_SHARED);
2889 static int selinux_file_mprotect(struct vm_area_struct *vma,
2890 unsigned long reqprot,
2895 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2899 if (selinux_checkreqprot)
2902 #ifndef CONFIG_PPC32
2903 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2905 if (vma->vm_start >= vma->vm_mm->start_brk &&
2906 vma->vm_end <= vma->vm_mm->brk) {
2907 rc = task_has_perm(current, current,
2909 } else if (!vma->vm_file &&
2910 vma->vm_start <= vma->vm_mm->start_stack &&
2911 vma->vm_end >= vma->vm_mm->start_stack) {
2912 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2913 } else if (vma->vm_file && vma->anon_vma) {
2915 * We are making executable a file mapping that has
2916 * had some COW done. Since pages might have been
2917 * written, check ability to execute the possibly
2918 * modified content. This typically should only
2919 * occur for text relocations.
2921 rc = file_has_perm(current, vma->vm_file,
2929 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2932 static int selinux_file_lock(struct file *file, unsigned int cmd)
2934 return file_has_perm(current, file, FILE__LOCK);
2937 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2944 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2949 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2950 err = file_has_perm(current, file,FILE__WRITE);
2959 /* Just check FD__USE permission */
2960 err = file_has_perm(current, file, 0);
2965 #if BITS_PER_LONG == 32
2970 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2974 err = file_has_perm(current, file, FILE__LOCK);
2981 static int selinux_file_set_fowner(struct file *file)
2983 struct task_security_struct *tsec;
2984 struct file_security_struct *fsec;
2986 tsec = current->security;
2987 fsec = file->f_security;
2988 fsec->fown_sid = tsec->sid;
2993 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2994 struct fown_struct *fown, int signum)
2998 struct task_security_struct *tsec;
2999 struct file_security_struct *fsec;
3001 /* struct fown_struct is never outside the context of a struct file */
3002 file = container_of(fown, struct file, f_owner);
3004 tsec = tsk->security;
3005 fsec = file->f_security;
3008 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3010 perm = signal_to_av(signum);
3012 return avc_has_perm(fsec->fown_sid, tsec->sid,
3013 SECCLASS_PROCESS, perm, NULL);
3016 static int selinux_file_receive(struct file *file)
3018 return file_has_perm(current, file, file_to_av(file));
3021 static int selinux_dentry_open(struct file *file)
3023 struct file_security_struct *fsec;
3024 struct inode *inode;
3025 struct inode_security_struct *isec;
3026 inode = file->f_path.dentry->d_inode;
3027 fsec = file->f_security;
3028 isec = inode->i_security;
3030 * Save inode label and policy sequence number
3031 * at open-time so that selinux_file_permission
3032 * can determine whether revalidation is necessary.
3033 * Task label is already saved in the file security
3034 * struct as its SID.
3036 fsec->isid = isec->sid;
3037 fsec->pseqno = avc_policy_seqno();
3039 * Since the inode label or policy seqno may have changed
3040 * between the selinux_inode_permission check and the saving
3041 * of state above, recheck that access is still permitted.
3042 * Otherwise, access might never be revalidated against the
3043 * new inode label or new policy.
3044 * This check is not redundant - do not remove.
3046 return inode_has_perm(current, inode, file_to_av(file), NULL);
3049 /* task security operations */
3051 static int selinux_task_create(unsigned long clone_flags)
3055 rc = secondary_ops->task_create(clone_flags);
3059 return task_has_perm(current, current, PROCESS__FORK);
3062 static int selinux_task_alloc_security(struct task_struct *tsk)
3064 struct task_security_struct *tsec1, *tsec2;
3067 tsec1 = current->security;
3069 rc = task_alloc_security(tsk);
3072 tsec2 = tsk->security;
3074 tsec2->osid = tsec1->osid;
3075 tsec2->sid = tsec1->sid;
3077 /* Retain the exec, fs, key, and sock SIDs across fork */
3078 tsec2->exec_sid = tsec1->exec_sid;
3079 tsec2->create_sid = tsec1->create_sid;
3080 tsec2->keycreate_sid = tsec1->keycreate_sid;
3081 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3083 /* Retain ptracer SID across fork, if any.
3084 This will be reset by the ptrace hook upon any
3085 subsequent ptrace_attach operations. */
3086 tsec2->ptrace_sid = tsec1->ptrace_sid;
3091 static void selinux_task_free_security(struct task_struct *tsk)
3093 task_free_security(tsk);
3096 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3098 /* Since setuid only affects the current process, and
3099 since the SELinux controls are not based on the Linux
3100 identity attributes, SELinux does not need to control
3101 this operation. However, SELinux does control the use
3102 of the CAP_SETUID and CAP_SETGID capabilities using the
3107 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3109 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3112 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3114 /* See the comment for setuid above. */
3118 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3120 return task_has_perm(current, p, PROCESS__SETPGID);
3123 static int selinux_task_getpgid(struct task_struct *p)
3125 return task_has_perm(current, p, PROCESS__GETPGID);
3128 static int selinux_task_getsid(struct task_struct *p)
3130 return task_has_perm(current, p, PROCESS__GETSESSION);
3133 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3135 selinux_get_task_sid(p, secid);
3138 static int selinux_task_setgroups(struct group_info *group_info)
3140 /* See the comment for setuid above. */
3144 static int selinux_task_setnice(struct task_struct *p, int nice)
3148 rc = secondary_ops->task_setnice(p, nice);
3152 return task_has_perm(current,p, PROCESS__SETSCHED);
3155 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3159 rc = secondary_ops->task_setioprio(p, ioprio);
3163 return task_has_perm(current, p, PROCESS__SETSCHED);
3166 static int selinux_task_getioprio(struct task_struct *p)
3168 return task_has_perm(current, p, PROCESS__GETSCHED);
3171 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3173 struct rlimit *old_rlim = current->signal->rlim + resource;
3176 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3180 /* Control the ability to change the hard limit (whether
3181 lowering or raising it), so that the hard limit can
3182 later be used as a safe reset point for the soft limit
3183 upon context transitions. See selinux_bprm_apply_creds. */
3184 if (old_rlim->rlim_max != new_rlim->rlim_max)
3185 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3190 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3194 rc = secondary_ops->task_setscheduler(p, policy, lp);
3198 return task_has_perm(current, p, PROCESS__SETSCHED);
3201 static int selinux_task_getscheduler(struct task_struct *p)
3203 return task_has_perm(current, p, PROCESS__GETSCHED);
3206 static int selinux_task_movememory(struct task_struct *p)
3208 return task_has_perm(current, p, PROCESS__SETSCHED);
3211 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3216 struct task_security_struct *tsec;
3218 rc = secondary_ops->task_kill(p, info, sig, secid);
3222 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3226 perm = PROCESS__SIGNULL; /* null signal; existence test */
3228 perm = signal_to_av(sig);
3231 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3233 rc = task_has_perm(current, p, perm);
3237 static int selinux_task_prctl(int option,
3243 /* The current prctl operations do not appear to require
3244 any SELinux controls since they merely observe or modify
3245 the state of the current process. */
3249 static int selinux_task_wait(struct task_struct *p)
3251 return task_has_perm(p, current, PROCESS__SIGCHLD);
3254 static void selinux_task_reparent_to_init(struct task_struct *p)
3256 struct task_security_struct *tsec;
3258 secondary_ops->task_reparent_to_init(p);
3261 tsec->osid = tsec->sid;
3262 tsec->sid = SECINITSID_KERNEL;
3266 static void selinux_task_to_inode(struct task_struct *p,
3267 struct inode *inode)
3269 struct task_security_struct *tsec = p->security;
3270 struct inode_security_struct *isec = inode->i_security;
3272 isec->sid = tsec->sid;
3273 isec->initialized = 1;
3277 /* Returns error only if unable to parse addresses */
3278 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3279 struct avc_audit_data *ad, u8 *proto)
3281 int offset, ihlen, ret = -EINVAL;
3282 struct iphdr _iph, *ih;
3284 offset = skb_network_offset(skb);
3285 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3289 ihlen = ih->ihl * 4;
3290 if (ihlen < sizeof(_iph))
3293 ad->u.net.v4info.saddr = ih->saddr;
3294 ad->u.net.v4info.daddr = ih->daddr;
3298 *proto = ih->protocol;
3300 switch (ih->protocol) {
3302 struct tcphdr _tcph, *th;
3304 if (ntohs(ih->frag_off) & IP_OFFSET)
3308 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3312 ad->u.net.sport = th->source;
3313 ad->u.net.dport = th->dest;
3318 struct udphdr _udph, *uh;
3320 if (ntohs(ih->frag_off) & IP_OFFSET)
3324 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3328 ad->u.net.sport = uh->source;
3329 ad->u.net.dport = uh->dest;
3333 case IPPROTO_DCCP: {
3334 struct dccp_hdr _dccph, *dh;
3336 if (ntohs(ih->frag_off) & IP_OFFSET)
3340 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3344 ad->u.net.sport = dh->dccph_sport;
3345 ad->u.net.dport = dh->dccph_dport;
3356 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3358 /* Returns error only if unable to parse addresses */
3359 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3360 struct avc_audit_data *ad, u8 *proto)
3363 int ret = -EINVAL, offset;
3364 struct ipv6hdr _ipv6h, *ip6;
3366 offset = skb_network_offset(skb);
3367 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3371 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3372 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3375 nexthdr = ip6->nexthdr;
3376 offset += sizeof(_ipv6h);
3377 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3386 struct tcphdr _tcph, *th;
3388 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3392 ad->u.net.sport = th->source;
3393 ad->u.net.dport = th->dest;
3398 struct udphdr _udph, *uh;
3400 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3404 ad->u.net.sport = uh->source;
3405 ad->u.net.dport = uh->dest;
3409 case IPPROTO_DCCP: {
3410 struct dccp_hdr _dccph, *dh;
3412 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3416 ad->u.net.sport = dh->dccph_sport;
3417 ad->u.net.dport = dh->dccph_dport;
3421 /* includes fragments */
3431 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3432 char **addrp, int src, u8 *proto)
3436 switch (ad->u.net.family) {
3438 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3441 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3442 &ad->u.net.v4info.daddr);
3445 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3447 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3450 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3451 &ad->u.net.v6info.daddr);
3460 "SELinux: failure in selinux_parse_skb(),"
3461 " unable to parse packet\n");
3467 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3469 * @family: protocol family
3470 * @sid: the packet's peer label SID
3473 * Check the various different forms of network peer labeling and determine
3474 * the peer label/SID for the packet; most of the magic actually occurs in
3475 * the security server function security_net_peersid_cmp(). The function
3476 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3477 * or -EACCES if @sid is invalid due to inconsistencies with the different
3481 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3488 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3489 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3491 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3492 if (unlikely(err)) {
3494 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3495 " unable to determine packet's peer label\n");
3502 /* socket security operations */
3503 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3506 struct inode_security_struct *isec;
3507 struct task_security_struct *tsec;
3508 struct avc_audit_data ad;
3511 tsec = task->security;
3512 isec = SOCK_INODE(sock)->i_security;
3514 if (isec->sid == SECINITSID_KERNEL)
3517 AVC_AUDIT_DATA_INIT(&ad,NET);
3518 ad.u.net.sk = sock->sk;
3519 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3525 static int selinux_socket_create(int family, int type,
3526 int protocol, int kern)
3529 struct task_security_struct *tsec;
3535 tsec = current->security;
3536 newsid = tsec->sockcreate_sid ? : tsec->sid;
3537 err = avc_has_perm(tsec->sid, newsid,
3538 socket_type_to_security_class(family, type,
3539 protocol), SOCKET__CREATE, NULL);
3545 static int selinux_socket_post_create(struct socket *sock, int family,
3546 int type, int protocol, int kern)
3549 struct inode_security_struct *isec;
3550 struct task_security_struct *tsec;
3551 struct sk_security_struct *sksec;
3554 isec = SOCK_INODE(sock)->i_security;
3556 tsec = current->security;
3557 newsid = tsec->sockcreate_sid ? : tsec->sid;
3558 isec->sclass = socket_type_to_security_class(family, type, protocol);
3559 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3560 isec->initialized = 1;
3563 sksec = sock->sk->sk_security;
3564 sksec->sid = isec->sid;
3565 sksec->sclass = isec->sclass;
3566 err = selinux_netlbl_socket_post_create(sock);
3572 /* Range of port numbers used to automatically bind.
3573 Need to determine whether we should perform a name_bind
3574 permission check between the socket and the port number. */
3576 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3581 err = socket_has_perm(current, sock, SOCKET__BIND);
3586 * If PF_INET or PF_INET6, check name_bind permission for the port.
3587 * Multiple address binding for SCTP is not supported yet: we just
3588 * check the first address now.
3590 family = sock->sk->sk_family;
3591 if (family == PF_INET || family == PF_INET6) {
3593 struct inode_security_struct *isec;
3594 struct task_security_struct *tsec;
3595 struct avc_audit_data ad;
3596 struct sockaddr_in *addr4 = NULL;
3597 struct sockaddr_in6 *addr6 = NULL;
3598 unsigned short snum;
3599 struct sock *sk = sock->sk;
3600 u32 sid, node_perm, addrlen;
3602 tsec = current->security;
3603 isec = SOCK_INODE(sock)->i_security;
3605 if (family == PF_INET) {
3606 addr4 = (struct sockaddr_in *)address;
3607 snum = ntohs(addr4->sin_port);
3608 addrlen = sizeof(addr4->sin_addr.s_addr);
3609 addrp = (char *)&addr4->sin_addr.s_addr;
3611 addr6 = (struct sockaddr_in6 *)address;
3612 snum = ntohs(addr6->sin6_port);
3613 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3614 addrp = (char *)&addr6->sin6_addr.s6_addr;
3620 inet_get_local_port_range(&low, &high);
3622 if (snum < max(PROT_SOCK, low) || snum > high) {
3623 err = security_port_sid(sk->sk_family,
3625 sk->sk_protocol, snum,
3629 AVC_AUDIT_DATA_INIT(&ad,NET);
3630 ad.u.net.sport = htons(snum);
3631 ad.u.net.family = family;
3632 err = avc_has_perm(isec->sid, sid,
3634 SOCKET__NAME_BIND, &ad);
3640 switch(isec->sclass) {
3641 case SECCLASS_TCP_SOCKET:
3642 node_perm = TCP_SOCKET__NODE_BIND;
3645 case SECCLASS_UDP_SOCKET:
3646 node_perm = UDP_SOCKET__NODE_BIND;
3649 case SECCLASS_DCCP_SOCKET:
3650 node_perm = DCCP_SOCKET__NODE_BIND;
3654 node_perm = RAWIP_SOCKET__NODE_BIND;
3658 err = sel_netnode_sid(addrp, family, &sid);
3662 AVC_AUDIT_DATA_INIT(&ad,NET);
3663 ad.u.net.sport = htons(snum);
3664 ad.u.net.family = family;
3666 if (family == PF_INET)
3667 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3669 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3671 err = avc_has_perm(isec->sid, sid,
3672 isec->sclass, node_perm, &ad);
3680 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3682 struct inode_security_struct *isec;
3685 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3690 * If a TCP or DCCP socket, check name_connect permission for the port.
3692 isec = SOCK_INODE(sock)->i_security;
3693 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3694 isec->sclass == SECCLASS_DCCP_SOCKET) {
3695 struct sock *sk = sock->sk;
3696 struct avc_audit_data ad;
3697 struct sockaddr_in *addr4 = NULL;
3698 struct sockaddr_in6 *addr6 = NULL;
3699 unsigned short snum;
3702 if (sk->sk_family == PF_INET) {
3703 addr4 = (struct sockaddr_in *)address;
3704 if (addrlen < sizeof(struct sockaddr_in))
3706 snum = ntohs(addr4->sin_port);
3708 addr6 = (struct sockaddr_in6 *)address;
3709 if (addrlen < SIN6_LEN_RFC2133)
3711 snum = ntohs(addr6->sin6_port);
3714 err = security_port_sid(sk->sk_family, sk->sk_type,
3715 sk->sk_protocol, snum, &sid);
3719 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3720 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3722 AVC_AUDIT_DATA_INIT(&ad,NET);
3723 ad.u.net.dport = htons(snum);
3724 ad.u.net.family = sk->sk_family;
3725 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3734 static int selinux_socket_listen(struct socket *sock, int backlog)
3736 return socket_has_perm(current, sock, SOCKET__LISTEN);
3739 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3742 struct inode_security_struct *isec;
3743 struct inode_security_struct *newisec;
3745 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3749 newisec = SOCK_INODE(newsock)->i_security;
3751 isec = SOCK_INODE(sock)->i_security;
3752 newisec->sclass = isec->sclass;
3753 newisec->sid = isec->sid;
3754 newisec->initialized = 1;
3759 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3764 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3768 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3771 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3772 int size, int flags)
3774 return socket_has_perm(current, sock, SOCKET__READ);
3777 static int selinux_socket_getsockname(struct socket *sock)
3779 return socket_has_perm(current, sock, SOCKET__GETATTR);
3782 static int selinux_socket_getpeername(struct socket *sock)
3784 return socket_has_perm(current, sock, SOCKET__GETATTR);
3787 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3791 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3795 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3798 static int selinux_socket_getsockopt(struct socket *sock, int level,
3801 return socket_has_perm(current, sock, SOCKET__GETOPT);
3804 static int selinux_socket_shutdown(struct socket *sock, int how)
3806 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3809 static int selinux_socket_unix_stream_connect(struct socket *sock,
3810 struct socket *other,
3813 struct sk_security_struct *ssec;
3814 struct inode_security_struct *isec;
3815 struct inode_security_struct *other_isec;
3816 struct avc_audit_data ad;
3819 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3823 isec = SOCK_INODE(sock)->i_security;
3824 other_isec = SOCK_INODE(other)->i_security;
3826 AVC_AUDIT_DATA_INIT(&ad,NET);
3827 ad.u.net.sk = other->sk;
3829 err = avc_has_perm(isec->sid, other_isec->sid,
3831 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3835 /* connecting socket */
3836 ssec = sock->sk->sk_security;
3837 ssec->peer_sid = other_isec->sid;
3839 /* server child socket */
3840 ssec = newsk->sk_security;
3841 ssec->peer_sid = isec->sid;
3842 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3847 static int selinux_socket_unix_may_send(struct socket *sock,
3848 struct socket *other)
3850 struct inode_security_struct *isec;
3851 struct inode_security_struct *other_isec;
3852 struct avc_audit_data ad;
3855 isec = SOCK_INODE(sock)->i_security;
3856 other_isec = SOCK_INODE(other)->i_security;
3858 AVC_AUDIT_DATA_INIT(&ad,NET);
3859 ad.u.net.sk = other->sk;
3861 err = avc_has_perm(isec->sid, other_isec->sid,
3862 isec->sclass, SOCKET__SENDTO, &ad);
3869 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3871 struct avc_audit_data *ad)
3877 err = sel_netif_sid(ifindex, &if_sid);
3880 err = avc_has_perm(peer_sid, if_sid,
3881 SECCLASS_NETIF, NETIF__INGRESS, ad);
3885 err = sel_netnode_sid(addrp, family, &node_sid);
3888 return avc_has_perm(peer_sid, node_sid,
3889 SECCLASS_NODE, NODE__RECVFROM, ad);
3892 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3893 struct sk_buff *skb,
3894 struct avc_audit_data *ad,
3899 struct sk_security_struct *sksec = sk->sk_security;
3901 u32 netif_perm, node_perm, recv_perm;
3902 u32 port_sid, node_sid, if_sid, sk_sid;
3904 sk_sid = sksec->sid;
3905 sk_class = sksec->sclass;
3908 case SECCLASS_UDP_SOCKET:
3909 netif_perm = NETIF__UDP_RECV;
3910 node_perm = NODE__UDP_RECV;
3911 recv_perm = UDP_SOCKET__RECV_MSG;
3913 case SECCLASS_TCP_SOCKET:
3914 netif_perm = NETIF__TCP_RECV;
3915 node_perm = NODE__TCP_RECV;
3916 recv_perm = TCP_SOCKET__RECV_MSG;
3918 case SECCLASS_DCCP_SOCKET:
3919 netif_perm = NETIF__DCCP_RECV;
3920 node_perm = NODE__DCCP_RECV;
3921 recv_perm = DCCP_SOCKET__RECV_MSG;
3924 netif_perm = NETIF__RAWIP_RECV;
3925 node_perm = NODE__RAWIP_RECV;
3930 err = sel_netif_sid(skb->iif, &if_sid);
3933 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3937 err = sel_netnode_sid(addrp, family, &node_sid);
3940 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3946 err = security_port_sid(sk->sk_family, sk->sk_type,
3947 sk->sk_protocol, ntohs(ad->u.net.sport),
3949 if (unlikely(err)) {
3951 "SELinux: failure in"
3952 " selinux_sock_rcv_skb_iptables_compat(),"
3953 " network port label not found\n");
3956 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
3959 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3960 struct avc_audit_data *ad,
3961 u16 family, char *addrp)
3964 struct sk_security_struct *sksec = sk->sk_security;
3966 u32 sk_sid = sksec->sid;
3968 if (selinux_compat_net)
3969 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
3972 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
3977 if (selinux_policycap_netpeer) {
3978 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
3981 err = avc_has_perm(sk_sid, peer_sid,
3982 SECCLASS_PEER, PEER__RECV, ad);
3984 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
3987 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
3993 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3996 struct sk_security_struct *sksec = sk->sk_security;
3997 u16 family = sk->sk_family;
3998 u32 sk_sid = sksec->sid;
3999 struct avc_audit_data ad;
4002 if (family != PF_INET && family != PF_INET6)
4005 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4006 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4009 AVC_AUDIT_DATA_INIT(&ad, NET);
4010 ad.u.net.netif = skb->iif;
4011 ad.u.net.family = family;
4012 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4016 /* If any sort of compatibility mode is enabled then handoff processing
4017 * to the selinux_sock_rcv_skb_compat() function to deal with the
4018 * special handling. We do this in an attempt to keep this function
4019 * as fast and as clean as possible. */
4020 if (selinux_compat_net || !selinux_policycap_netpeer)
4021 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4024 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4027 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4030 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4034 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4038 if (selinux_secmark_enabled()) {
4039 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4048 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4049 int __user *optlen, unsigned len)
4054 struct sk_security_struct *ssec;
4055 struct inode_security_struct *isec;
4056 u32 peer_sid = SECSID_NULL;
4058 isec = SOCK_INODE(sock)->i_security;
4060 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4061 isec->sclass == SECCLASS_TCP_SOCKET) {
4062 ssec = sock->sk->sk_security;
4063 peer_sid = ssec->peer_sid;
4065 if (peer_sid == SECSID_NULL) {
4070 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4075 if (scontext_len > len) {
4080 if (copy_to_user(optval, scontext, scontext_len))
4084 if (put_user(scontext_len, optlen))
4092 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4094 u32 peer_secid = SECSID_NULL;
4098 family = sock->sk->sk_family;
4099 else if (skb && skb->sk)
4100 family = skb->sk->sk_family;
4104 if (sock && family == PF_UNIX)
4105 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4107 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4110 *secid = peer_secid;
4111 if (peer_secid == SECSID_NULL)
4116 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4118 return sk_alloc_security(sk, family, priority);
4121 static void selinux_sk_free_security(struct sock *sk)
4123 sk_free_security(sk);
4126 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4128 struct sk_security_struct *ssec = sk->sk_security;
4129 struct sk_security_struct *newssec = newsk->sk_security;
4131 newssec->sid = ssec->sid;
4132 newssec->peer_sid = ssec->peer_sid;
4133 newssec->sclass = ssec->sclass;
4135 selinux_netlbl_sk_security_clone(ssec, newssec);
4138 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4141 *secid = SECINITSID_ANY_SOCKET;
4143 struct sk_security_struct *sksec = sk->sk_security;
4145 *secid = sksec->sid;
4149 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4151 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4152 struct sk_security_struct *sksec = sk->sk_security;
4154 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4155 sk->sk_family == PF_UNIX)
4156 isec->sid = sksec->sid;
4157 sksec->sclass = isec->sclass;
4159 selinux_netlbl_sock_graft(sk, parent);
4162 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4163 struct request_sock *req)
4165 struct sk_security_struct *sksec = sk->sk_security;
4170 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4173 if (peersid == SECSID_NULL) {
4174 req->secid = sksec->sid;
4175 req->peer_secid = SECSID_NULL;
4179 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4183 req->secid = newsid;
4184 req->peer_secid = peersid;
4188 static void selinux_inet_csk_clone(struct sock *newsk,
4189 const struct request_sock *req)
4191 struct sk_security_struct *newsksec = newsk->sk_security;
4193 newsksec->sid = req->secid;
4194 newsksec->peer_sid = req->peer_secid;
4195 /* NOTE: Ideally, we should also get the isec->sid for the
4196 new socket in sync, but we don't have the isec available yet.
4197 So we will wait until sock_graft to do it, by which
4198 time it will have been created and available. */
4200 /* We don't need to take any sort of lock here as we are the only
4201 * thread with access to newsksec */
4202 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4205 static void selinux_inet_conn_established(struct sock *sk,
4206 struct sk_buff *skb)
4208 struct sk_security_struct *sksec = sk->sk_security;
4210 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4213 static void selinux_req_classify_flow(const struct request_sock *req,
4216 fl->secid = req->secid;
4219 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4223 struct nlmsghdr *nlh;
4224 struct socket *sock = sk->sk_socket;
4225 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4227 if (skb->len < NLMSG_SPACE(0)) {
4231 nlh = nlmsg_hdr(skb);
4233 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4235 if (err == -EINVAL) {
4236 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4237 "SELinux: unrecognized netlink message"
4238 " type=%hu for sclass=%hu\n",
4239 nlh->nlmsg_type, isec->sclass);
4240 if (!selinux_enforcing)
4250 err = socket_has_perm(current, sock, perm);
4255 #ifdef CONFIG_NETFILTER
4257 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4262 struct avc_audit_data ad;
4266 if (!selinux_policycap_netpeer)
4269 secmark_active = selinux_secmark_enabled();
4270 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4271 if (!secmark_active && !peerlbl_active)
4274 AVC_AUDIT_DATA_INIT(&ad, NET);
4275 ad.u.net.netif = ifindex;
4276 ad.u.net.family = family;
4277 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4280 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4284 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4285 peer_sid, &ad) != 0)
4289 if (avc_has_perm(peer_sid, skb->secmark,
4290 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4296 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4297 struct sk_buff *skb,
4298 const struct net_device *in,
4299 const struct net_device *out,
4300 int (*okfn)(struct sk_buff *))
4302 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4305 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4306 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4307 struct sk_buff *skb,
4308 const struct net_device *in,
4309 const struct net_device *out,
4310 int (*okfn)(struct sk_buff *))
4312 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4316 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4318 struct avc_audit_data *ad,
4319 u16 family, char *addrp)
4322 struct sk_security_struct *sksec = sk->sk_security;
4324 u32 netif_perm, node_perm, send_perm;
4325 u32 port_sid, node_sid, if_sid, sk_sid;
4327 sk_sid = sksec->sid;
4328 sk_class = sksec->sclass;
4331 case SECCLASS_UDP_SOCKET:
4332 netif_perm = NETIF__UDP_SEND;
4333 node_perm = NODE__UDP_SEND;
4334 send_perm = UDP_SOCKET__SEND_MSG;
4336 case SECCLASS_TCP_SOCKET:
4337 netif_perm = NETIF__TCP_SEND;
4338 node_perm = NODE__TCP_SEND;
4339 send_perm = TCP_SOCKET__SEND_MSG;
4341 case SECCLASS_DCCP_SOCKET:
4342 netif_perm = NETIF__DCCP_SEND;
4343 node_perm = NODE__DCCP_SEND;
4344 send_perm = DCCP_SOCKET__SEND_MSG;
4347 netif_perm = NETIF__RAWIP_SEND;
4348 node_perm = NODE__RAWIP_SEND;
4353 err = sel_netif_sid(ifindex, &if_sid);
4356 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4359 err = sel_netnode_sid(addrp, family, &node_sid);
4362 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4369 err = security_port_sid(sk->sk_family, sk->sk_type,
4370 sk->sk_protocol, ntohs(ad->u.net.dport),
4372 if (unlikely(err)) {
4374 "SELinux: failure in"
4375 " selinux_ip_postroute_iptables_compat(),"
4376 " network port label not found\n");
4379 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4382 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4384 struct avc_audit_data *ad,
4389 struct sock *sk = skb->sk;
4390 struct sk_security_struct *sksec;
4394 sksec = sk->sk_security;
4396 if (selinux_compat_net) {
4397 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4401 if (avc_has_perm(sksec->sid, skb->secmark,
4402 SECCLASS_PACKET, PACKET__SEND, ad))
4406 if (selinux_policycap_netpeer)
4407 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4413 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4419 struct avc_audit_data ad;
4425 AVC_AUDIT_DATA_INIT(&ad, NET);
4426 ad.u.net.netif = ifindex;
4427 ad.u.net.family = family;
4428 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4431 /* If any sort of compatibility mode is enabled then handoff processing
4432 * to the selinux_ip_postroute_compat() function to deal with the
4433 * special handling. We do this in an attempt to keep this function
4434 * as fast and as clean as possible. */
4435 if (selinux_compat_net || !selinux_policycap_netpeer)
4436 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4437 family, addrp, proto);
4439 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4440 * packet transformation so allow the packet to pass without any checks
4441 * since we'll have another chance to perform access control checks
4442 * when the packet is on it's final way out.
4443 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4444 * is NULL, in this case go ahead and apply access control. */
4445 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4448 secmark_active = selinux_secmark_enabled();
4449 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4450 if (!secmark_active && !peerlbl_active)
4453 /* if the packet is locally generated (skb->sk != NULL) then use the
4454 * socket's label as the peer label, otherwise the packet is being
4455 * forwarded through this system and we need to fetch the peer label
4456 * directly from the packet */
4459 struct sk_security_struct *sksec = sk->sk_security;
4460 peer_sid = sksec->sid;
4461 secmark_perm = PACKET__SEND;
4463 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4465 secmark_perm = PACKET__FORWARD_OUT;
4469 if (avc_has_perm(peer_sid, skb->secmark,
4470 SECCLASS_PACKET, secmark_perm, &ad))
4473 if (peerlbl_active) {
4477 if (sel_netif_sid(ifindex, &if_sid))
4479 if (avc_has_perm(peer_sid, if_sid,
4480 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4483 if (sel_netnode_sid(addrp, family, &node_sid))
4485 if (avc_has_perm(peer_sid, node_sid,
4486 SECCLASS_NODE, NODE__SENDTO, &ad))
4493 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4494 struct sk_buff *skb,
4495 const struct net_device *in,
4496 const struct net_device *out,
4497 int (*okfn)(struct sk_buff *))
4499 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4502 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4503 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4504 struct sk_buff *skb,
4505 const struct net_device *in,
4506 const struct net_device *out,
4507 int (*okfn)(struct sk_buff *))
4509 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4513 #endif /* CONFIG_NETFILTER */
4515 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4519 err = secondary_ops->netlink_send(sk, skb);
4523 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4524 err = selinux_nlmsg_perm(sk, skb);
4529 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4532 struct avc_audit_data ad;
4534 err = secondary_ops->netlink_recv(skb, capability);
4538 AVC_AUDIT_DATA_INIT(&ad, CAP);
4539 ad.u.cap = capability;
4541 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4542 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4545 static int ipc_alloc_security(struct task_struct *task,
4546 struct kern_ipc_perm *perm,
4549 struct task_security_struct *tsec = task->security;
4550 struct ipc_security_struct *isec;
4552 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4556 isec->sclass = sclass;
4557 isec->ipc_perm = perm;
4558 isec->sid = tsec->sid;
4559 perm->security = isec;
4564 static void ipc_free_security(struct kern_ipc_perm *perm)
4566 struct ipc_security_struct *isec = perm->security;
4567 perm->security = NULL;
4571 static int msg_msg_alloc_security(struct msg_msg *msg)
4573 struct msg_security_struct *msec;
4575 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4580 msec->sid = SECINITSID_UNLABELED;
4581 msg->security = msec;
4586 static void msg_msg_free_security(struct msg_msg *msg)
4588 struct msg_security_struct *msec = msg->security;
4590 msg->security = NULL;
4594 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4597 struct task_security_struct *tsec;
4598 struct ipc_security_struct *isec;
4599 struct avc_audit_data ad;
4601 tsec = current->security;
4602 isec = ipc_perms->security;
4604 AVC_AUDIT_DATA_INIT(&ad, IPC);
4605 ad.u.ipc_id = ipc_perms->key;
4607 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4610 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4612 return msg_msg_alloc_security(msg);
4615 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4617 msg_msg_free_security(msg);
4620 /* message queue security operations */
4621 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4623 struct task_security_struct *tsec;
4624 struct ipc_security_struct *isec;
4625 struct avc_audit_data ad;
4628 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4632 tsec = current->security;
4633 isec = msq->q_perm.security;
4635 AVC_AUDIT_DATA_INIT(&ad, IPC);
4636 ad.u.ipc_id = msq->q_perm.key;
4638 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4641 ipc_free_security(&msq->q_perm);
4647 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4649 ipc_free_security(&msq->q_perm);
4652 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4654 struct task_security_struct *tsec;
4655 struct ipc_security_struct *isec;
4656 struct avc_audit_data ad;
4658 tsec = current->security;
4659 isec = msq->q_perm.security;
4661 AVC_AUDIT_DATA_INIT(&ad, IPC);
4662 ad.u.ipc_id = msq->q_perm.key;
4664 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4665 MSGQ__ASSOCIATE, &ad);
4668 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4676 /* No specific object, just general system-wide information. */
4677 return task_has_system(current, SYSTEM__IPC_INFO);
4680 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4683 perms = MSGQ__SETATTR;
4686 perms = MSGQ__DESTROY;
4692 err = ipc_has_perm(&msq->q_perm, perms);
4696 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4698 struct task_security_struct *tsec;
4699 struct ipc_security_struct *isec;
4700 struct msg_security_struct *msec;
4701 struct avc_audit_data ad;
4704 tsec = current->security;
4705 isec = msq->q_perm.security;
4706 msec = msg->security;
4709 * First time through, need to assign label to the message
4711 if (msec->sid == SECINITSID_UNLABELED) {
4713 * Compute new sid based on current process and
4714 * message queue this message will be stored in
4716 rc = security_transition_sid(tsec->sid,
4724 AVC_AUDIT_DATA_INIT(&ad, IPC);
4725 ad.u.ipc_id = msq->q_perm.key;
4727 /* Can this process write to the queue? */
4728 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4731 /* Can this process send the message */
4732 rc = avc_has_perm(tsec->sid, msec->sid,
4733 SECCLASS_MSG, MSG__SEND, &ad);
4735 /* Can the message be put in the queue? */
4736 rc = avc_has_perm(msec->sid, isec->sid,
4737 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4742 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4743 struct task_struct *target,
4744 long type, int mode)
4746 struct task_security_struct *tsec;
4747 struct ipc_security_struct *isec;
4748 struct msg_security_struct *msec;
4749 struct avc_audit_data ad;
4752 tsec = target->security;
4753 isec = msq->q_perm.security;
4754 msec = msg->security;
4756 AVC_AUDIT_DATA_INIT(&ad, IPC);
4757 ad.u.ipc_id = msq->q_perm.key;
4759 rc = avc_has_perm(tsec->sid, isec->sid,
4760 SECCLASS_MSGQ, MSGQ__READ, &ad);
4762 rc = avc_has_perm(tsec->sid, msec->sid,
4763 SECCLASS_MSG, MSG__RECEIVE, &ad);
4767 /* Shared Memory security operations */
4768 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4770 struct task_security_struct *tsec;
4771 struct ipc_security_struct *isec;
4772 struct avc_audit_data ad;
4775 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4779 tsec = current->security;
4780 isec = shp->shm_perm.security;
4782 AVC_AUDIT_DATA_INIT(&ad, IPC);
4783 ad.u.ipc_id = shp->shm_perm.key;
4785 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4788 ipc_free_security(&shp->shm_perm);
4794 static void selinux_shm_free_security(struct shmid_kernel *shp)
4796 ipc_free_security(&shp->shm_perm);
4799 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4801 struct task_security_struct *tsec;
4802 struct ipc_security_struct *isec;
4803 struct avc_audit_data ad;
4805 tsec = current->security;
4806 isec = shp->shm_perm.security;
4808 AVC_AUDIT_DATA_INIT(&ad, IPC);
4809 ad.u.ipc_id = shp->shm_perm.key;
4811 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4812 SHM__ASSOCIATE, &ad);
4815 /* Note, at this point, shp is locked down */
4816 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4824 /* No specific object, just general system-wide information. */
4825 return task_has_system(current, SYSTEM__IPC_INFO);
4828 perms = SHM__GETATTR | SHM__ASSOCIATE;
4831 perms = SHM__SETATTR;
4838 perms = SHM__DESTROY;
4844 err = ipc_has_perm(&shp->shm_perm, perms);
4848 static int selinux_shm_shmat(struct shmid_kernel *shp,
4849 char __user *shmaddr, int shmflg)
4854 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4858 if (shmflg & SHM_RDONLY)
4861 perms = SHM__READ | SHM__WRITE;
4863 return ipc_has_perm(&shp->shm_perm, perms);
4866 /* Semaphore security operations */
4867 static int selinux_sem_alloc_security(struct sem_array *sma)
4869 struct task_security_struct *tsec;
4870 struct ipc_security_struct *isec;
4871 struct avc_audit_data ad;
4874 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4878 tsec = current->security;
4879 isec = sma->sem_perm.security;
4881 AVC_AUDIT_DATA_INIT(&ad, IPC);
4882 ad.u.ipc_id = sma->sem_perm.key;
4884 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4887 ipc_free_security(&sma->sem_perm);
4893 static void selinux_sem_free_security(struct sem_array *sma)
4895 ipc_free_security(&sma->sem_perm);
4898 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4900 struct task_security_struct *tsec;
4901 struct ipc_security_struct *isec;
4902 struct avc_audit_data ad;
4904 tsec = current->security;
4905 isec = sma->sem_perm.security;
4907 AVC_AUDIT_DATA_INIT(&ad, IPC);
4908 ad.u.ipc_id = sma->sem_perm.key;
4910 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4911 SEM__ASSOCIATE, &ad);
4914 /* Note, at this point, sma is locked down */
4915 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4923 /* No specific object, just general system-wide information. */
4924 return task_has_system(current, SYSTEM__IPC_INFO);
4928 perms = SEM__GETATTR;
4939 perms = SEM__DESTROY;
4942 perms = SEM__SETATTR;
4946 perms = SEM__GETATTR | SEM__ASSOCIATE;
4952 err = ipc_has_perm(&sma->sem_perm, perms);
4956 static int selinux_sem_semop(struct sem_array *sma,
4957 struct sembuf *sops, unsigned nsops, int alter)
4962 perms = SEM__READ | SEM__WRITE;
4966 return ipc_has_perm(&sma->sem_perm, perms);
4969 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4975 av |= IPC__UNIX_READ;
4977 av |= IPC__UNIX_WRITE;
4982 return ipc_has_perm(ipcp, av);
4985 /* module stacking operations */
4986 static int selinux_register_security (const char *name, struct security_operations *ops)
4988 if (secondary_ops != original_ops) {
4989 printk(KERN_ERR "%s: There is already a secondary security "
4990 "module registered.\n", __FUNCTION__);
4994 secondary_ops = ops;
4996 printk(KERN_INFO "%s: Registering secondary module %s\n",
5003 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
5006 inode_doinit_with_dentry(inode, dentry);
5009 static int selinux_getprocattr(struct task_struct *p,
5010 char *name, char **value)
5012 struct task_security_struct *tsec;
5018 error = task_has_perm(current, p, PROCESS__GETATTR);
5025 if (!strcmp(name, "current"))
5027 else if (!strcmp(name, "prev"))
5029 else if (!strcmp(name, "exec"))
5030 sid = tsec->exec_sid;
5031 else if (!strcmp(name, "fscreate"))
5032 sid = tsec->create_sid;
5033 else if (!strcmp(name, "keycreate"))
5034 sid = tsec->keycreate_sid;
5035 else if (!strcmp(name, "sockcreate"))
5036 sid = tsec->sockcreate_sid;
5043 error = security_sid_to_context(sid, value, &len);
5049 static int selinux_setprocattr(struct task_struct *p,
5050 char *name, void *value, size_t size)
5052 struct task_security_struct *tsec;
5058 /* SELinux only allows a process to change its own
5059 security attributes. */
5064 * Basic control over ability to set these attributes at all.
5065 * current == p, but we'll pass them separately in case the
5066 * above restriction is ever removed.
5068 if (!strcmp(name, "exec"))
5069 error = task_has_perm(current, p, PROCESS__SETEXEC);
5070 else if (!strcmp(name, "fscreate"))
5071 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5072 else if (!strcmp(name, "keycreate"))
5073 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5074 else if (!strcmp(name, "sockcreate"))
5075 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5076 else if (!strcmp(name, "current"))
5077 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5083 /* Obtain a SID for the context, if one was specified. */
5084 if (size && str[1] && str[1] != '\n') {
5085 if (str[size-1] == '\n') {
5089 error = security_context_to_sid(value, size, &sid);
5094 /* Permission checking based on the specified context is
5095 performed during the actual operation (execve,
5096 open/mkdir/...), when we know the full context of the
5097 operation. See selinux_bprm_set_security for the execve
5098 checks and may_create for the file creation checks. The
5099 operation will then fail if the context is not permitted. */
5101 if (!strcmp(name, "exec"))
5102 tsec->exec_sid = sid;
5103 else if (!strcmp(name, "fscreate"))
5104 tsec->create_sid = sid;
5105 else if (!strcmp(name, "keycreate")) {
5106 error = may_create_key(sid, p);
5109 tsec->keycreate_sid = sid;
5110 } else if (!strcmp(name, "sockcreate"))
5111 tsec->sockcreate_sid = sid;
5112 else if (!strcmp(name, "current")) {
5113 struct av_decision avd;
5118 /* Only allow single threaded processes to change context */
5119 if (atomic_read(&p->mm->mm_users) != 1) {
5120 struct task_struct *g, *t;
5121 struct mm_struct *mm = p->mm;
5122 read_lock(&tasklist_lock);
5123 do_each_thread(g, t)
5124 if (t->mm == mm && t != p) {
5125 read_unlock(&tasklist_lock);
5128 while_each_thread(g, t);
5129 read_unlock(&tasklist_lock);
5132 /* Check permissions for the transition. */
5133 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5134 PROCESS__DYNTRANSITION, NULL);
5138 /* Check for ptracing, and update the task SID if ok.
5139 Otherwise, leave SID unchanged and fail. */
5141 if (p->ptrace & PT_PTRACED) {
5142 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
5144 PROCESS__PTRACE, 0, &avd);
5148 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
5149 PROCESS__PTRACE, &avd, error, NULL);
5163 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5165 return security_sid_to_context(secid, secdata, seclen);
5168 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5170 return security_context_to_sid(secdata, seclen, secid);
5173 static void selinux_release_secctx(char *secdata, u32 seclen)
5180 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5181 unsigned long flags)
5183 struct task_security_struct *tsec = tsk->security;
5184 struct key_security_struct *ksec;
5186 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5191 if (tsec->keycreate_sid)
5192 ksec->sid = tsec->keycreate_sid;
5194 ksec->sid = tsec->sid;
5200 static void selinux_key_free(struct key *k)
5202 struct key_security_struct *ksec = k->security;
5208 static int selinux_key_permission(key_ref_t key_ref,
5209 struct task_struct *ctx,
5213 struct task_security_struct *tsec;
5214 struct key_security_struct *ksec;
5216 key = key_ref_to_ptr(key_ref);
5218 tsec = ctx->security;
5219 ksec = key->security;
5221 /* if no specific permissions are requested, we skip the
5222 permission check. No serious, additional covert channels
5223 appear to be created. */
5227 return avc_has_perm(tsec->sid, ksec->sid,
5228 SECCLASS_KEY, perm, NULL);
5233 static struct security_operations selinux_ops = {
5234 .ptrace = selinux_ptrace,
5235 .capget = selinux_capget,
5236 .capset_check = selinux_capset_check,
5237 .capset_set = selinux_capset_set,
5238 .sysctl = selinux_sysctl,
5239 .capable = selinux_capable,
5240 .quotactl = selinux_quotactl,
5241 .quota_on = selinux_quota_on,
5242 .syslog = selinux_syslog,
5243 .vm_enough_memory = selinux_vm_enough_memory,
5245 .netlink_send = selinux_netlink_send,
5246 .netlink_recv = selinux_netlink_recv,
5248 .bprm_alloc_security = selinux_bprm_alloc_security,
5249 .bprm_free_security = selinux_bprm_free_security,
5250 .bprm_apply_creds = selinux_bprm_apply_creds,
5251 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5252 .bprm_set_security = selinux_bprm_set_security,
5253 .bprm_check_security = selinux_bprm_check_security,
5254 .bprm_secureexec = selinux_bprm_secureexec,
5256 .sb_alloc_security = selinux_sb_alloc_security,
5257 .sb_free_security = selinux_sb_free_security,
5258 .sb_copy_data = selinux_sb_copy_data,
5259 .sb_kern_mount = selinux_sb_kern_mount,
5260 .sb_statfs = selinux_sb_statfs,
5261 .sb_mount = selinux_mount,
5262 .sb_umount = selinux_umount,
5263 .sb_get_mnt_opts = selinux_get_mnt_opts,
5264 .sb_set_mnt_opts = selinux_set_mnt_opts,
5265 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5266 .sb_parse_opts_str = selinux_parse_opts_str,
5269 .inode_alloc_security = selinux_inode_alloc_security,
5270 .inode_free_security = selinux_inode_free_security,
5271 .inode_init_security = selinux_inode_init_security,
5272 .inode_create = selinux_inode_create,
5273 .inode_link = selinux_inode_link,
5274 .inode_unlink = selinux_inode_unlink,
5275 .inode_symlink = selinux_inode_symlink,
5276 .inode_mkdir = selinux_inode_mkdir,
5277 .inode_rmdir = selinux_inode_rmdir,
5278 .inode_mknod = selinux_inode_mknod,
5279 .inode_rename = selinux_inode_rename,
5280 .inode_readlink = selinux_inode_readlink,
5281 .inode_follow_link = selinux_inode_follow_link,
5282 .inode_permission = selinux_inode_permission,
5283 .inode_setattr = selinux_inode_setattr,
5284 .inode_getattr = selinux_inode_getattr,
5285 .inode_setxattr = selinux_inode_setxattr,
5286 .inode_post_setxattr = selinux_inode_post_setxattr,
5287 .inode_getxattr = selinux_inode_getxattr,
5288 .inode_listxattr = selinux_inode_listxattr,
5289 .inode_removexattr = selinux_inode_removexattr,
5290 .inode_getsecurity = selinux_inode_getsecurity,
5291 .inode_setsecurity = selinux_inode_setsecurity,
5292 .inode_listsecurity = selinux_inode_listsecurity,
5293 .inode_need_killpriv = selinux_inode_need_killpriv,
5294 .inode_killpriv = selinux_inode_killpriv,
5296 .file_permission = selinux_file_permission,
5297 .file_alloc_security = selinux_file_alloc_security,
5298 .file_free_security = selinux_file_free_security,
5299 .file_ioctl = selinux_file_ioctl,
5300 .file_mmap = selinux_file_mmap,
5301 .file_mprotect = selinux_file_mprotect,
5302 .file_lock = selinux_file_lock,
5303 .file_fcntl = selinux_file_fcntl,
5304 .file_set_fowner = selinux_file_set_fowner,
5305 .file_send_sigiotask = selinux_file_send_sigiotask,
5306 .file_receive = selinux_file_receive,
5308 .dentry_open = selinux_dentry_open,
5310 .task_create = selinux_task_create,
5311 .task_alloc_security = selinux_task_alloc_security,
5312 .task_free_security = selinux_task_free_security,
5313 .task_setuid = selinux_task_setuid,
5314 .task_post_setuid = selinux_task_post_setuid,
5315 .task_setgid = selinux_task_setgid,
5316 .task_setpgid = selinux_task_setpgid,
5317 .task_getpgid = selinux_task_getpgid,
5318 .task_getsid = selinux_task_getsid,
5319 .task_getsecid = selinux_task_getsecid,
5320 .task_setgroups = selinux_task_setgroups,
5321 .task_setnice = selinux_task_setnice,
5322 .task_setioprio = selinux_task_setioprio,
5323 .task_getioprio = selinux_task_getioprio,
5324 .task_setrlimit = selinux_task_setrlimit,
5325 .task_setscheduler = selinux_task_setscheduler,
5326 .task_getscheduler = selinux_task_getscheduler,
5327 .task_movememory = selinux_task_movememory,
5328 .task_kill = selinux_task_kill,
5329 .task_wait = selinux_task_wait,
5330 .task_prctl = selinux_task_prctl,
5331 .task_reparent_to_init = selinux_task_reparent_to_init,
5332 .task_to_inode = selinux_task_to_inode,
5334 .ipc_permission = selinux_ipc_permission,
5336 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5337 .msg_msg_free_security = selinux_msg_msg_free_security,
5339 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5340 .msg_queue_free_security = selinux_msg_queue_free_security,
5341 .msg_queue_associate = selinux_msg_queue_associate,
5342 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5343 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5344 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5346 .shm_alloc_security = selinux_shm_alloc_security,
5347 .shm_free_security = selinux_shm_free_security,
5348 .shm_associate = selinux_shm_associate,
5349 .shm_shmctl = selinux_shm_shmctl,
5350 .shm_shmat = selinux_shm_shmat,
5352 .sem_alloc_security = selinux_sem_alloc_security,
5353 .sem_free_security = selinux_sem_free_security,
5354 .sem_associate = selinux_sem_associate,
5355 .sem_semctl = selinux_sem_semctl,
5356 .sem_semop = selinux_sem_semop,
5358 .register_security = selinux_register_security,
5360 .d_instantiate = selinux_d_instantiate,
5362 .getprocattr = selinux_getprocattr,
5363 .setprocattr = selinux_setprocattr,
5365 .secid_to_secctx = selinux_secid_to_secctx,
5366 .secctx_to_secid = selinux_secctx_to_secid,
5367 .release_secctx = selinux_release_secctx,
5369 .unix_stream_connect = selinux_socket_unix_stream_connect,
5370 .unix_may_send = selinux_socket_unix_may_send,
5372 .socket_create = selinux_socket_create,
5373 .socket_post_create = selinux_socket_post_create,
5374 .socket_bind = selinux_socket_bind,
5375 .socket_connect = selinux_socket_connect,
5376 .socket_listen = selinux_socket_listen,
5377 .socket_accept = selinux_socket_accept,
5378 .socket_sendmsg = selinux_socket_sendmsg,
5379 .socket_recvmsg = selinux_socket_recvmsg,
5380 .socket_getsockname = selinux_socket_getsockname,
5381 .socket_getpeername = selinux_socket_getpeername,
5382 .socket_getsockopt = selinux_socket_getsockopt,
5383 .socket_setsockopt = selinux_socket_setsockopt,
5384 .socket_shutdown = selinux_socket_shutdown,
5385 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5386 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5387 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5388 .sk_alloc_security = selinux_sk_alloc_security,
5389 .sk_free_security = selinux_sk_free_security,
5390 .sk_clone_security = selinux_sk_clone_security,
5391 .sk_getsecid = selinux_sk_getsecid,
5392 .sock_graft = selinux_sock_graft,
5393 .inet_conn_request = selinux_inet_conn_request,
5394 .inet_csk_clone = selinux_inet_csk_clone,
5395 .inet_conn_established = selinux_inet_conn_established,
5396 .req_classify_flow = selinux_req_classify_flow,
5398 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5399 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5400 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5401 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5402 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5403 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5404 .xfrm_state_free_security = selinux_xfrm_state_free,
5405 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5406 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5407 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5408 .xfrm_decode_session = selinux_xfrm_decode_session,
5412 .key_alloc = selinux_key_alloc,
5413 .key_free = selinux_key_free,
5414 .key_permission = selinux_key_permission,
5418 static __init int selinux_init(void)
5420 struct task_security_struct *tsec;
5422 if (!selinux_enabled) {
5423 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5427 printk(KERN_INFO "SELinux: Initializing.\n");
5429 /* Set the security state for the initial task. */
5430 if (task_alloc_security(current))
5431 panic("SELinux: Failed to initialize initial task.\n");
5432 tsec = current->security;
5433 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5435 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5436 sizeof(struct inode_security_struct),
5437 0, SLAB_PANIC, NULL);
5440 original_ops = secondary_ops = security_ops;
5442 panic ("SELinux: No initial security operations\n");
5443 if (register_security (&selinux_ops))
5444 panic("SELinux: Unable to register with kernel.\n");
5446 if (selinux_enforcing) {
5447 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5449 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5453 /* Add security information to initial keyrings */
5454 selinux_key_alloc(&root_user_keyring, current,
5455 KEY_ALLOC_NOT_IN_QUOTA);
5456 selinux_key_alloc(&root_session_keyring, current,
5457 KEY_ALLOC_NOT_IN_QUOTA);
5463 void selinux_complete_init(void)
5465 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5467 /* Set up any superblocks initialized prior to the policy load. */
5468 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5469 spin_lock(&sb_lock);
5470 spin_lock(&sb_security_lock);
5472 if (!list_empty(&superblock_security_head)) {
5473 struct superblock_security_struct *sbsec =
5474 list_entry(superblock_security_head.next,
5475 struct superblock_security_struct,
5477 struct super_block *sb = sbsec->sb;
5479 spin_unlock(&sb_security_lock);
5480 spin_unlock(&sb_lock);
5481 down_read(&sb->s_umount);
5483 superblock_doinit(sb, NULL);
5485 spin_lock(&sb_lock);
5486 spin_lock(&sb_security_lock);
5487 list_del_init(&sbsec->list);
5490 spin_unlock(&sb_security_lock);
5491 spin_unlock(&sb_lock);
5494 /* SELinux requires early initialization in order to label
5495 all processes and objects when they are created. */
5496 security_initcall(selinux_init);
5498 #if defined(CONFIG_NETFILTER)
5500 static struct nf_hook_ops selinux_ipv4_ops[] = {
5502 .hook = selinux_ipv4_postroute,
5503 .owner = THIS_MODULE,
5505 .hooknum = NF_INET_POST_ROUTING,
5506 .priority = NF_IP_PRI_SELINUX_LAST,
5509 .hook = selinux_ipv4_forward,
5510 .owner = THIS_MODULE,
5512 .hooknum = NF_INET_FORWARD,
5513 .priority = NF_IP_PRI_SELINUX_FIRST,
5517 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5519 static struct nf_hook_ops selinux_ipv6_ops[] = {
5521 .hook = selinux_ipv6_postroute,
5522 .owner = THIS_MODULE,
5524 .hooknum = NF_INET_POST_ROUTING,
5525 .priority = NF_IP6_PRI_SELINUX_LAST,
5528 .hook = selinux_ipv6_forward,
5529 .owner = THIS_MODULE,
5531 .hooknum = NF_INET_FORWARD,
5532 .priority = NF_IP6_PRI_SELINUX_FIRST,
5538 static int __init selinux_nf_ip_init(void)
5543 if (!selinux_enabled)
5546 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5548 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5549 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5551 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5555 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5556 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5557 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5559 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5568 __initcall(selinux_nf_ip_init);
5570 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5571 static void selinux_nf_ip_exit(void)
5575 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5577 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5578 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5579 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5580 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5581 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5586 #else /* CONFIG_NETFILTER */
5588 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5589 #define selinux_nf_ip_exit()
5592 #endif /* CONFIG_NETFILTER */
5594 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5595 int selinux_disable(void)
5597 extern void exit_sel_fs(void);
5598 static int selinux_disabled = 0;
5600 if (ss_initialized) {
5601 /* Not permitted after initial policy load. */
5605 if (selinux_disabled) {
5606 /* Only do this once. */
5610 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5612 selinux_disabled = 1;
5613 selinux_enabled = 0;
5615 /* Reset security_ops to the secondary module, dummy or capability. */
5616 security_ops = secondary_ops;
5618 /* Unregister netfilter hooks. */
5619 selinux_nf_ip_exit();
5621 /* Unregister selinuxfs. */
projects / linux-2.6 / blob