2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
89 #define NUM_SEL_MNT_OPTS 4
91 extern unsigned int policydb_loaded_version;
92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
93 extern int selinux_compat_net;
94 extern struct security_operations *security_ops;
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing = 0;
102 static int __init enforcing_setup(char *str)
104 selinux_enforcing = simple_strtol(str,NULL,0);
107 __setup("enforcing=", enforcing_setup);
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
113 static int __init selinux_enabled_setup(char *str)
115 selinux_enabled = simple_strtol(str, NULL, 0);
118 __setup("selinux=", selinux_enabled_setup);
120 int selinux_enabled = 1;
123 /* Original (dummy) security module. */
124 static struct security_operations *original_ops = NULL;
126 /* Minimal support for a secondary security module,
127 just to allow the use of the dummy or capability modules.
128 The owlsm module can alternatively be used as a secondary
129 module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations *secondary_ops = NULL;
132 /* Lists of inode and superblock security structures initialized
133 before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head);
135 static DEFINE_SPINLOCK(sb_security_lock);
137 static struct kmem_cache *sel_inode_cache;
140 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
143 * This function checks the SECMARK reference counter to see if any SECMARK
144 * targets are currently configured, if the reference counter is greater than
145 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
146 * enabled, false (0) if SECMARK is disabled.
149 static int selinux_secmark_enabled(void)
151 return (atomic_read(&selinux_secmark_refcount) > 0);
154 /* Allocate and free functions for each kind of security blob. */
156 static int task_alloc_security(struct task_struct *task)
158 struct task_security_struct *tsec;
160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
165 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166 task->security = tsec;
171 static void task_free_security(struct task_struct *task)
173 struct task_security_struct *tsec = task->security;
174 task->security = NULL;
178 static int inode_alloc_security(struct inode *inode)
180 struct task_security_struct *tsec = current->security;
181 struct inode_security_struct *isec;
183 isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
187 mutex_init(&isec->lock);
188 INIT_LIST_HEAD(&isec->list);
190 isec->sid = SECINITSID_UNLABELED;
191 isec->sclass = SECCLASS_FILE;
192 isec->task_sid = tsec->sid;
193 inode->i_security = isec;
198 static void inode_free_security(struct inode *inode)
200 struct inode_security_struct *isec = inode->i_security;
201 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
203 spin_lock(&sbsec->isec_lock);
204 if (!list_empty(&isec->list))
205 list_del_init(&isec->list);
206 spin_unlock(&sbsec->isec_lock);
208 inode->i_security = NULL;
209 kmem_cache_free(sel_inode_cache, isec);
212 static int file_alloc_security(struct file *file)
214 struct task_security_struct *tsec = current->security;
215 struct file_security_struct *fsec;
217 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
222 fsec->sid = tsec->sid;
223 fsec->fown_sid = tsec->sid;
224 file->f_security = fsec;
229 static void file_free_security(struct file *file)
231 struct file_security_struct *fsec = file->f_security;
232 file->f_security = NULL;
236 static int superblock_alloc_security(struct super_block *sb)
238 struct superblock_security_struct *sbsec;
240 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
244 mutex_init(&sbsec->lock);
245 INIT_LIST_HEAD(&sbsec->list);
246 INIT_LIST_HEAD(&sbsec->isec_head);
247 spin_lock_init(&sbsec->isec_lock);
249 sbsec->sid = SECINITSID_UNLABELED;
250 sbsec->def_sid = SECINITSID_FILE;
251 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
252 sb->s_security = sbsec;
257 static void superblock_free_security(struct super_block *sb)
259 struct superblock_security_struct *sbsec = sb->s_security;
261 spin_lock(&sb_security_lock);
262 if (!list_empty(&sbsec->list))
263 list_del_init(&sbsec->list);
264 spin_unlock(&sb_security_lock);
266 sb->s_security = NULL;
270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
272 struct sk_security_struct *ssec;
274 ssec = kzalloc(sizeof(*ssec), priority);
279 ssec->peer_sid = SECINITSID_UNLABELED;
280 ssec->sid = SECINITSID_UNLABELED;
281 sk->sk_security = ssec;
283 selinux_netlbl_sk_security_init(ssec, family);
288 static void sk_free_security(struct sock *sk)
290 struct sk_security_struct *ssec = sk->sk_security;
292 sk->sk_security = NULL;
296 /* The security server must be initialized before
297 any labeling or access decisions can be provided. */
298 extern int ss_initialized;
300 /* The file system's label must be initialized prior to use. */
302 static char *labeling_behaviors[6] = {
304 "uses transition SIDs",
306 "uses genfs_contexts",
307 "not configured for labeling",
308 "uses mountpoint labeling",
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313 static inline int inode_doinit(struct inode *inode)
315 return inode_doinit_with_dentry(inode, NULL);
326 static match_table_t tokens = {
327 {Opt_context, "context=%s"},
328 {Opt_fscontext, "fscontext=%s"},
329 {Opt_defcontext, "defcontext=%s"},
330 {Opt_rootcontext, "rootcontext=%s"},
334 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
336 static int may_context_mount_sb_relabel(u32 sid,
337 struct superblock_security_struct *sbsec,
338 struct task_security_struct *tsec)
342 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343 FILESYSTEM__RELABELFROM, NULL);
347 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELTO, NULL);
352 static int may_context_mount_inode_relabel(u32 sid,
353 struct superblock_security_struct *sbsec,
354 struct task_security_struct *tsec)
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
362 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__ASSOCIATE, NULL);
367 static int sb_finish_set_opts(struct super_block *sb)
369 struct superblock_security_struct *sbsec = sb->s_security;
370 struct dentry *root = sb->s_root;
371 struct inode *root_inode = root->d_inode;
374 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
375 /* Make sure that the xattr handler exists and that no
376 error other than -ENODATA is returned by getxattr on
377 the root directory. -ENODATA is ok, as this may be
378 the first boot of the SELinux kernel before we have
379 assigned xattr values to the filesystem. */
380 if (!root_inode->i_op->getxattr) {
381 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
382 "xattr support\n", sb->s_id, sb->s_type->name);
386 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
387 if (rc < 0 && rc != -ENODATA) {
388 if (rc == -EOPNOTSUPP)
389 printk(KERN_WARNING "SELinux: (dev %s, type "
390 "%s) has no security xattr handler\n",
391 sb->s_id, sb->s_type->name);
393 printk(KERN_WARNING "SELinux: (dev %s, type "
394 "%s) getxattr errno %d\n", sb->s_id,
395 sb->s_type->name, -rc);
400 sbsec->initialized = 1;
402 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
404 sb->s_id, sb->s_type->name);
406 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
407 sb->s_id, sb->s_type->name,
408 labeling_behaviors[sbsec->behavior-1]);
410 /* Initialize the root inode. */
411 rc = inode_doinit_with_dentry(root_inode, root);
413 /* Initialize any other inodes associated with the superblock, e.g.
414 inodes created prior to initial policy load or inodes created
415 during get_sb by a pseudo filesystem that directly
417 spin_lock(&sbsec->isec_lock);
419 if (!list_empty(&sbsec->isec_head)) {
420 struct inode_security_struct *isec =
421 list_entry(sbsec->isec_head.next,
422 struct inode_security_struct, list);
423 struct inode *inode = isec->inode;
424 spin_unlock(&sbsec->isec_lock);
425 inode = igrab(inode);
427 if (!IS_PRIVATE(inode))
431 spin_lock(&sbsec->isec_lock);
432 list_del_init(&isec->list);
435 spin_unlock(&sbsec->isec_lock);
441 * This function should allow an FS to ask what it's mount security
442 * options were so it can use those later for submounts, displaying
443 * mount options, or whatever.
445 static int selinux_get_mnt_opts(const struct super_block *sb,
446 char ***mount_options, int **mnt_opts_flags,
450 struct superblock_security_struct *sbsec = sb->s_security;
451 char *context = NULL;
456 *mount_options = NULL;
457 *mnt_opts_flags = NULL;
459 if (!sbsec->initialized)
466 * if we ever use sbsec flags for anything other than tracking mount
467 * settings this is going to need a mask
470 /* count the number of mount options for this sb */
471 for (i = 0; i < 8; i++) {
477 *mount_options = kcalloc(*num_opts, sizeof(char *), GFP_ATOMIC);
478 if (!*mount_options) {
483 *mnt_opts_flags = kcalloc(*num_opts, sizeof(int), GFP_ATOMIC);
484 if (!*mnt_opts_flags) {
490 if (sbsec->flags & FSCONTEXT_MNT) {
491 rc = security_sid_to_context(sbsec->sid, &context, &len);
494 (*mount_options)[i] = context;
495 (*mnt_opts_flags)[i++] = FSCONTEXT_MNT;
497 if (sbsec->flags & CONTEXT_MNT) {
498 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
501 (*mount_options)[i] = context;
502 (*mnt_opts_flags)[i++] = CONTEXT_MNT;
504 if (sbsec->flags & DEFCONTEXT_MNT) {
505 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
508 (*mount_options)[i] = context;
509 (*mnt_opts_flags)[i++] = DEFCONTEXT_MNT;
511 if (sbsec->flags & ROOTCONTEXT_MNT) {
512 struct inode *root = sbsec->sb->s_root->d_inode;
513 struct inode_security_struct *isec = root->i_security;
515 rc = security_sid_to_context(isec->sid, &context, &len);
518 (*mount_options)[i] = context;
519 (*mnt_opts_flags)[i++] = ROOTCONTEXT_MNT;
522 BUG_ON(i != *num_opts);
527 /* don't leak context string if security_sid_to_context had an error */
528 if (*mount_options && i)
530 kfree((*mount_options)[i-1]);
531 kfree(*mount_options);
532 *mount_options = NULL;
533 kfree(*mnt_opts_flags);
534 *mnt_opts_flags = NULL;
539 static int bad_option(struct superblock_security_struct *sbsec, char flag,
540 u32 old_sid, u32 new_sid)
542 /* check if the old mount command had the same options */
543 if (sbsec->initialized)
544 if (!(sbsec->flags & flag) ||
545 (old_sid != new_sid))
548 /* check if we were passed the same options twice,
549 * aka someone passed context=a,context=b
551 if (!sbsec->initialized)
552 if (sbsec->flags & flag)
557 * Allow filesystems with binary mount data to explicitly set mount point
558 * labeling information.
560 static int selinux_set_mnt_opts(struct super_block *sb, char **mount_options,
561 int *flags, int num_opts)
564 struct task_security_struct *tsec = current->security;
565 struct superblock_security_struct *sbsec = sb->s_security;
566 const char *name = sb->s_type->name;
567 struct inode *inode = sbsec->sb->s_root->d_inode;
568 struct inode_security_struct *root_isec = inode->i_security;
569 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
570 u32 defcontext_sid = 0;
572 mutex_lock(&sbsec->lock);
574 if (!ss_initialized) {
576 /* Defer initialization until selinux_complete_init,
577 after the initial policy is loaded and the security
578 server is ready to handle calls. */
579 spin_lock(&sb_security_lock);
580 if (list_empty(&sbsec->list))
581 list_add(&sbsec->list, &superblock_security_head);
582 spin_unlock(&sb_security_lock);
586 printk(KERN_WARNING "Unable to set superblock options before "
587 "the security server is initialized\n");
592 * parse the mount options, check if they are valid sids.
593 * also check if someone is trying to mount the same sb more
594 * than once with different security options.
596 for (i = 0; i < num_opts; i++) {
598 rc = security_context_to_sid(mount_options[i],
599 strlen(mount_options[i]), &sid);
601 printk(KERN_WARNING "SELinux: security_context_to_sid"
602 "(%s) failed for (dev %s, type %s) errno=%d\n",
603 mount_options[i], sb->s_id, name, rc);
610 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
612 goto out_double_mount;
614 sbsec->flags |= FSCONTEXT_MNT;
619 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
621 goto out_double_mount;
623 sbsec->flags |= CONTEXT_MNT;
625 case ROOTCONTEXT_MNT:
626 rootcontext_sid = sid;
628 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
630 goto out_double_mount;
632 sbsec->flags |= ROOTCONTEXT_MNT;
636 defcontext_sid = sid;
638 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
640 goto out_double_mount;
642 sbsec->flags |= DEFCONTEXT_MNT;
651 if (sbsec->initialized) {
652 /* previously mounted with options, but not on this attempt? */
653 if (sbsec->flags && !num_opts)
654 goto out_double_mount;
659 if (strcmp(sb->s_type->name, "proc") == 0)
662 /* Determine the labeling behavior to use for this filesystem type. */
663 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
665 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
666 __FUNCTION__, sb->s_type->name, rc);
670 /* sets the context of the superblock for the fs being mounted. */
673 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
677 sbsec->sid = fscontext_sid;
681 * Switch to using mount point labeling behavior.
682 * sets the label used on all file below the mountpoint, and will set
683 * the superblock context if not already set.
686 if (!fscontext_sid) {
687 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
690 sbsec->sid = context_sid;
692 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
696 if (!rootcontext_sid)
697 rootcontext_sid = context_sid;
699 sbsec->mntpoint_sid = context_sid;
700 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
703 if (rootcontext_sid) {
704 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
708 root_isec->sid = rootcontext_sid;
709 root_isec->initialized = 1;
712 if (defcontext_sid) {
713 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
715 printk(KERN_WARNING "SELinux: defcontext option is "
716 "invalid for this filesystem type\n");
720 if (defcontext_sid != sbsec->def_sid) {
721 rc = may_context_mount_inode_relabel(defcontext_sid,
727 sbsec->def_sid = defcontext_sid;
730 rc = sb_finish_set_opts(sb);
732 mutex_unlock(&sbsec->lock);
736 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
737 "security settings for (dev %s, type %s)\n", sb->s_id, name);
741 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
742 struct super_block *newsb)
744 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
745 struct superblock_security_struct *newsbsec = newsb->s_security;
747 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
748 int set_context = (oldsbsec->flags & CONTEXT_MNT);
749 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
751 /* we can't error, we can't save the info, this shouldn't get called
752 * this early in the boot process. */
753 BUG_ON(!ss_initialized);
755 /* this might go away sometime down the line if there is a new user
756 * of clone, but for now, nfs better not get here... */
757 BUG_ON(newsbsec->initialized);
759 /* how can we clone if the old one wasn't set up?? */
760 BUG_ON(!oldsbsec->initialized);
762 mutex_lock(&newsbsec->lock);
764 newsbsec->flags = oldsbsec->flags;
766 newsbsec->sid = oldsbsec->sid;
767 newsbsec->def_sid = oldsbsec->def_sid;
768 newsbsec->behavior = oldsbsec->behavior;
771 u32 sid = oldsbsec->mntpoint_sid;
775 if (!set_rootcontext) {
776 struct inode *newinode = newsb->s_root->d_inode;
777 struct inode_security_struct *newisec = newinode->i_security;
780 newsbsec->mntpoint_sid = sid;
782 if (set_rootcontext) {
783 const struct inode *oldinode = oldsb->s_root->d_inode;
784 const struct inode_security_struct *oldisec = oldinode->i_security;
785 struct inode *newinode = newsb->s_root->d_inode;
786 struct inode_security_struct *newisec = newinode->i_security;
788 newisec->sid = oldisec->sid;
791 sb_finish_set_opts(newsb);
792 mutex_unlock(&newsbsec->lock);
796 * string mount options parsing and call set the sbsec
798 static int superblock_doinit(struct super_block *sb, void *data)
800 char *context = NULL, *defcontext = NULL;
801 char *fscontext = NULL, *rootcontext = NULL;
803 char *p, *options = data;
804 /* selinux only know about a fixed number of mount options */
805 char *mnt_opts[NUM_SEL_MNT_OPTS];
806 int mnt_opts_flags[NUM_SEL_MNT_OPTS], num_mnt_opts = 0;
811 /* with the nfs patch this will become a goto out; */
812 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
813 const char *name = sb->s_type->name;
814 /* NFS we understand. */
815 if (!strcmp(name, "nfs")) {
816 struct nfs_mount_data *d = data;
818 if (d->version != NFS_MOUNT_VERSION)
822 context = kstrdup(d->context, GFP_KERNEL);
833 /* Standard string-based options. */
834 while ((p = strsep(&options, "|")) != NULL) {
836 substring_t args[MAX_OPT_ARGS];
841 token = match_token(p, tokens, args);
845 if (context || defcontext) {
847 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
850 context = match_strdup(&args[0]);
860 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
863 fscontext = match_strdup(&args[0]);
870 case Opt_rootcontext:
873 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
876 rootcontext = match_strdup(&args[0]);
884 if (context || defcontext) {
886 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
889 defcontext = match_strdup(&args[0]);
898 printk(KERN_WARNING "SELinux: unknown mount option\n");
906 mnt_opts[num_mnt_opts] = fscontext;
907 mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
910 mnt_opts[num_mnt_opts] = context;
911 mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
914 mnt_opts[num_mnt_opts] = rootcontext;
915 mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
918 mnt_opts[num_mnt_opts] = defcontext;
919 mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
923 rc = selinux_set_mnt_opts(sb, mnt_opts, mnt_opts_flags, num_mnt_opts);
932 static inline u16 inode_mode_to_security_class(umode_t mode)
934 switch (mode & S_IFMT) {
936 return SECCLASS_SOCK_FILE;
938 return SECCLASS_LNK_FILE;
940 return SECCLASS_FILE;
942 return SECCLASS_BLK_FILE;
946 return SECCLASS_CHR_FILE;
948 return SECCLASS_FIFO_FILE;
952 return SECCLASS_FILE;
955 static inline int default_protocol_stream(int protocol)
957 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
960 static inline int default_protocol_dgram(int protocol)
962 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
965 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
972 return SECCLASS_UNIX_STREAM_SOCKET;
974 return SECCLASS_UNIX_DGRAM_SOCKET;
981 if (default_protocol_stream(protocol))
982 return SECCLASS_TCP_SOCKET;
984 return SECCLASS_RAWIP_SOCKET;
986 if (default_protocol_dgram(protocol))
987 return SECCLASS_UDP_SOCKET;
989 return SECCLASS_RAWIP_SOCKET;
991 return SECCLASS_DCCP_SOCKET;
993 return SECCLASS_RAWIP_SOCKET;
999 return SECCLASS_NETLINK_ROUTE_SOCKET;
1000 case NETLINK_FIREWALL:
1001 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1002 case NETLINK_INET_DIAG:
1003 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1005 return SECCLASS_NETLINK_NFLOG_SOCKET;
1007 return SECCLASS_NETLINK_XFRM_SOCKET;
1008 case NETLINK_SELINUX:
1009 return SECCLASS_NETLINK_SELINUX_SOCKET;
1011 return SECCLASS_NETLINK_AUDIT_SOCKET;
1012 case NETLINK_IP6_FW:
1013 return SECCLASS_NETLINK_IP6FW_SOCKET;
1014 case NETLINK_DNRTMSG:
1015 return SECCLASS_NETLINK_DNRT_SOCKET;
1016 case NETLINK_KOBJECT_UEVENT:
1017 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1019 return SECCLASS_NETLINK_SOCKET;
1022 return SECCLASS_PACKET_SOCKET;
1024 return SECCLASS_KEY_SOCKET;
1026 return SECCLASS_APPLETALK_SOCKET;
1029 return SECCLASS_SOCKET;
1032 #ifdef CONFIG_PROC_FS
1033 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1038 char *buffer, *path, *end;
1040 buffer = (char*)__get_free_page(GFP_KERNEL);
1045 end = buffer+buflen;
1050 while (de && de != de->parent) {
1051 buflen -= de->namelen + 1;
1055 memcpy(end, de->name, de->namelen);
1060 rc = security_genfs_sid("proc", path, tclass, sid);
1061 free_page((unsigned long)buffer);
1065 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1073 /* The inode's security attributes must be initialized before first use. */
1074 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1076 struct superblock_security_struct *sbsec = NULL;
1077 struct inode_security_struct *isec = inode->i_security;
1079 struct dentry *dentry;
1080 #define INITCONTEXTLEN 255
1081 char *context = NULL;
1085 if (isec->initialized)
1088 mutex_lock(&isec->lock);
1089 if (isec->initialized)
1092 sbsec = inode->i_sb->s_security;
1093 if (!sbsec->initialized) {
1094 /* Defer initialization until selinux_complete_init,
1095 after the initial policy is loaded and the security
1096 server is ready to handle calls. */
1097 spin_lock(&sbsec->isec_lock);
1098 if (list_empty(&isec->list))
1099 list_add(&isec->list, &sbsec->isec_head);
1100 spin_unlock(&sbsec->isec_lock);
1104 switch (sbsec->behavior) {
1105 case SECURITY_FS_USE_XATTR:
1106 if (!inode->i_op->getxattr) {
1107 isec->sid = sbsec->def_sid;
1111 /* Need a dentry, since the xattr API requires one.
1112 Life would be simpler if we could just pass the inode. */
1114 /* Called from d_instantiate or d_splice_alias. */
1115 dentry = dget(opt_dentry);
1117 /* Called from selinux_complete_init, try to find a dentry. */
1118 dentry = d_find_alias(inode);
1121 printk(KERN_WARNING "%s: no dentry for dev=%s "
1122 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1127 len = INITCONTEXTLEN;
1128 context = kmalloc(len, GFP_KERNEL);
1134 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1136 if (rc == -ERANGE) {
1137 /* Need a larger buffer. Query for the right size. */
1138 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1146 context = kmalloc(len, GFP_KERNEL);
1152 rc = inode->i_op->getxattr(dentry,
1158 if (rc != -ENODATA) {
1159 printk(KERN_WARNING "%s: getxattr returned "
1160 "%d for dev=%s ino=%ld\n", __FUNCTION__,
1161 -rc, inode->i_sb->s_id, inode->i_ino);
1165 /* Map ENODATA to the default file SID */
1166 sid = sbsec->def_sid;
1169 rc = security_context_to_sid_default(context, rc, &sid,
1172 printk(KERN_WARNING "%s: context_to_sid(%s) "
1173 "returned %d for dev=%s ino=%ld\n",
1174 __FUNCTION__, context, -rc,
1175 inode->i_sb->s_id, inode->i_ino);
1177 /* Leave with the unlabeled SID */
1185 case SECURITY_FS_USE_TASK:
1186 isec->sid = isec->task_sid;
1188 case SECURITY_FS_USE_TRANS:
1189 /* Default to the fs SID. */
1190 isec->sid = sbsec->sid;
1192 /* Try to obtain a transition SID. */
1193 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1194 rc = security_transition_sid(isec->task_sid,
1202 case SECURITY_FS_USE_MNTPOINT:
1203 isec->sid = sbsec->mntpoint_sid;
1206 /* Default to the fs superblock SID. */
1207 isec->sid = sbsec->sid;
1210 struct proc_inode *proci = PROC_I(inode);
1212 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1213 rc = selinux_proc_get_sid(proci->pde,
1224 isec->initialized = 1;
1227 mutex_unlock(&isec->lock);
1229 if (isec->sclass == SECCLASS_FILE)
1230 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1234 /* Convert a Linux signal to an access vector. */
1235 static inline u32 signal_to_av(int sig)
1241 /* Commonly granted from child to parent. */
1242 perm = PROCESS__SIGCHLD;
1245 /* Cannot be caught or ignored */
1246 perm = PROCESS__SIGKILL;
1249 /* Cannot be caught or ignored */
1250 perm = PROCESS__SIGSTOP;
1253 /* All other signals. */
1254 perm = PROCESS__SIGNAL;
1261 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1262 fork check, ptrace check, etc. */
1263 static int task_has_perm(struct task_struct *tsk1,
1264 struct task_struct *tsk2,
1267 struct task_security_struct *tsec1, *tsec2;
1269 tsec1 = tsk1->security;
1270 tsec2 = tsk2->security;
1271 return avc_has_perm(tsec1->sid, tsec2->sid,
1272 SECCLASS_PROCESS, perms, NULL);
1275 /* Check whether a task is allowed to use a capability. */
1276 static int task_has_capability(struct task_struct *tsk,
1279 struct task_security_struct *tsec;
1280 struct avc_audit_data ad;
1282 tsec = tsk->security;
1284 AVC_AUDIT_DATA_INIT(&ad,CAP);
1288 return avc_has_perm(tsec->sid, tsec->sid,
1289 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1292 /* Check whether a task is allowed to use a system operation. */
1293 static int task_has_system(struct task_struct *tsk,
1296 struct task_security_struct *tsec;
1298 tsec = tsk->security;
1300 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1301 SECCLASS_SYSTEM, perms, NULL);
1304 /* Check whether a task has a particular permission to an inode.
1305 The 'adp' parameter is optional and allows other audit
1306 data to be passed (e.g. the dentry). */
1307 static int inode_has_perm(struct task_struct *tsk,
1308 struct inode *inode,
1310 struct avc_audit_data *adp)
1312 struct task_security_struct *tsec;
1313 struct inode_security_struct *isec;
1314 struct avc_audit_data ad;
1316 if (unlikely (IS_PRIVATE (inode)))
1319 tsec = tsk->security;
1320 isec = inode->i_security;
1324 AVC_AUDIT_DATA_INIT(&ad, FS);
1325 ad.u.fs.inode = inode;
1328 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1331 /* Same as inode_has_perm, but pass explicit audit data containing
1332 the dentry to help the auditing code to more easily generate the
1333 pathname if needed. */
1334 static inline int dentry_has_perm(struct task_struct *tsk,
1335 struct vfsmount *mnt,
1336 struct dentry *dentry,
1339 struct inode *inode = dentry->d_inode;
1340 struct avc_audit_data ad;
1341 AVC_AUDIT_DATA_INIT(&ad,FS);
1343 ad.u.fs.dentry = dentry;
1344 return inode_has_perm(tsk, inode, av, &ad);
1347 /* Check whether a task can use an open file descriptor to
1348 access an inode in a given way. Check access to the
1349 descriptor itself, and then use dentry_has_perm to
1350 check a particular permission to the file.
1351 Access to the descriptor is implicitly granted if it
1352 has the same SID as the process. If av is zero, then
1353 access to the file is not checked, e.g. for cases
1354 where only the descriptor is affected like seek. */
1355 static int file_has_perm(struct task_struct *tsk,
1359 struct task_security_struct *tsec = tsk->security;
1360 struct file_security_struct *fsec = file->f_security;
1361 struct vfsmount *mnt = file->f_path.mnt;
1362 struct dentry *dentry = file->f_path.dentry;
1363 struct inode *inode = dentry->d_inode;
1364 struct avc_audit_data ad;
1367 AVC_AUDIT_DATA_INIT(&ad, FS);
1369 ad.u.fs.dentry = dentry;
1371 if (tsec->sid != fsec->sid) {
1372 rc = avc_has_perm(tsec->sid, fsec->sid,
1380 /* av is zero if only checking access to the descriptor. */
1382 return inode_has_perm(tsk, inode, av, &ad);
1387 /* Check whether a task can create a file. */
1388 static int may_create(struct inode *dir,
1389 struct dentry *dentry,
1392 struct task_security_struct *tsec;
1393 struct inode_security_struct *dsec;
1394 struct superblock_security_struct *sbsec;
1396 struct avc_audit_data ad;
1399 tsec = current->security;
1400 dsec = dir->i_security;
1401 sbsec = dir->i_sb->s_security;
1403 AVC_AUDIT_DATA_INIT(&ad, FS);
1404 ad.u.fs.dentry = dentry;
1406 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1407 DIR__ADD_NAME | DIR__SEARCH,
1412 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1413 newsid = tsec->create_sid;
1415 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1421 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1425 return avc_has_perm(newsid, sbsec->sid,
1426 SECCLASS_FILESYSTEM,
1427 FILESYSTEM__ASSOCIATE, &ad);
1430 /* Check whether a task can create a key. */
1431 static int may_create_key(u32 ksid,
1432 struct task_struct *ctx)
1434 struct task_security_struct *tsec;
1436 tsec = ctx->security;
1438 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1442 #define MAY_UNLINK 1
1445 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1446 static int may_link(struct inode *dir,
1447 struct dentry *dentry,
1451 struct task_security_struct *tsec;
1452 struct inode_security_struct *dsec, *isec;
1453 struct avc_audit_data ad;
1457 tsec = current->security;
1458 dsec = dir->i_security;
1459 isec = dentry->d_inode->i_security;
1461 AVC_AUDIT_DATA_INIT(&ad, FS);
1462 ad.u.fs.dentry = dentry;
1465 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1466 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1481 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1485 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1489 static inline int may_rename(struct inode *old_dir,
1490 struct dentry *old_dentry,
1491 struct inode *new_dir,
1492 struct dentry *new_dentry)
1494 struct task_security_struct *tsec;
1495 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1496 struct avc_audit_data ad;
1498 int old_is_dir, new_is_dir;
1501 tsec = current->security;
1502 old_dsec = old_dir->i_security;
1503 old_isec = old_dentry->d_inode->i_security;
1504 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1505 new_dsec = new_dir->i_security;
1507 AVC_AUDIT_DATA_INIT(&ad, FS);
1509 ad.u.fs.dentry = old_dentry;
1510 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1511 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1514 rc = avc_has_perm(tsec->sid, old_isec->sid,
1515 old_isec->sclass, FILE__RENAME, &ad);
1518 if (old_is_dir && new_dir != old_dir) {
1519 rc = avc_has_perm(tsec->sid, old_isec->sid,
1520 old_isec->sclass, DIR__REPARENT, &ad);
1525 ad.u.fs.dentry = new_dentry;
1526 av = DIR__ADD_NAME | DIR__SEARCH;
1527 if (new_dentry->d_inode)
1528 av |= DIR__REMOVE_NAME;
1529 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1532 if (new_dentry->d_inode) {
1533 new_isec = new_dentry->d_inode->i_security;
1534 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1535 rc = avc_has_perm(tsec->sid, new_isec->sid,
1537 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1545 /* Check whether a task can perform a filesystem operation. */
1546 static int superblock_has_perm(struct task_struct *tsk,
1547 struct super_block *sb,
1549 struct avc_audit_data *ad)
1551 struct task_security_struct *tsec;
1552 struct superblock_security_struct *sbsec;
1554 tsec = tsk->security;
1555 sbsec = sb->s_security;
1556 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1560 /* Convert a Linux mode and permission mask to an access vector. */
1561 static inline u32 file_mask_to_av(int mode, int mask)
1565 if ((mode & S_IFMT) != S_IFDIR) {
1566 if (mask & MAY_EXEC)
1567 av |= FILE__EXECUTE;
1568 if (mask & MAY_READ)
1571 if (mask & MAY_APPEND)
1573 else if (mask & MAY_WRITE)
1577 if (mask & MAY_EXEC)
1579 if (mask & MAY_WRITE)
1581 if (mask & MAY_READ)
1588 /* Convert a Linux file to an access vector. */
1589 static inline u32 file_to_av(struct file *file)
1593 if (file->f_mode & FMODE_READ)
1595 if (file->f_mode & FMODE_WRITE) {
1596 if (file->f_flags & O_APPEND)
1605 /* Hook functions begin here. */
1607 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1609 struct task_security_struct *psec = parent->security;
1610 struct task_security_struct *csec = child->security;
1613 rc = secondary_ops->ptrace(parent,child);
1617 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1618 /* Save the SID of the tracing process for later use in apply_creds. */
1619 if (!(child->ptrace & PT_PTRACED) && !rc)
1620 csec->ptrace_sid = psec->sid;
1624 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1625 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1629 error = task_has_perm(current, target, PROCESS__GETCAP);
1633 return secondary_ops->capget(target, effective, inheritable, permitted);
1636 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1637 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1641 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1645 return task_has_perm(current, target, PROCESS__SETCAP);
1648 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1649 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1651 secondary_ops->capset_set(target, effective, inheritable, permitted);
1654 static int selinux_capable(struct task_struct *tsk, int cap)
1658 rc = secondary_ops->capable(tsk, cap);
1662 return task_has_capability(tsk,cap);
1665 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1668 char *buffer, *path, *end;
1671 buffer = (char*)__get_free_page(GFP_KERNEL);
1676 end = buffer+buflen;
1682 const char *name = table->procname;
1683 size_t namelen = strlen(name);
1684 buflen -= namelen + 1;
1688 memcpy(end, name, namelen);
1691 table = table->parent;
1697 memcpy(end, "/sys", 4);
1699 rc = security_genfs_sid("proc", path, tclass, sid);
1701 free_page((unsigned long)buffer);
1706 static int selinux_sysctl(ctl_table *table, int op)
1710 struct task_security_struct *tsec;
1714 rc = secondary_ops->sysctl(table, op);
1718 tsec = current->security;
1720 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1721 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1723 /* Default to the well-defined sysctl SID. */
1724 tsid = SECINITSID_SYSCTL;
1727 /* The op values are "defined" in sysctl.c, thereby creating
1728 * a bad coupling between this module and sysctl.c */
1730 error = avc_has_perm(tsec->sid, tsid,
1731 SECCLASS_DIR, DIR__SEARCH, NULL);
1739 error = avc_has_perm(tsec->sid, tsid,
1740 SECCLASS_FILE, av, NULL);
1746 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1759 rc = superblock_has_perm(current,
1761 FILESYSTEM__QUOTAMOD, NULL);
1766 rc = superblock_has_perm(current,
1768 FILESYSTEM__QUOTAGET, NULL);
1771 rc = 0; /* let the kernel handle invalid cmds */
1777 static int selinux_quota_on(struct dentry *dentry)
1779 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1782 static int selinux_syslog(int type)
1786 rc = secondary_ops->syslog(type);
1791 case 3: /* Read last kernel messages */
1792 case 10: /* Return size of the log buffer */
1793 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1795 case 6: /* Disable logging to console */
1796 case 7: /* Enable logging to console */
1797 case 8: /* Set level of messages printed to console */
1798 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1800 case 0: /* Close log */
1801 case 1: /* Open log */
1802 case 2: /* Read from log */
1803 case 4: /* Read/clear last kernel messages */
1804 case 5: /* Clear ring buffer */
1806 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1813 * Check that a process has enough memory to allocate a new virtual
1814 * mapping. 0 means there is enough memory for the allocation to
1815 * succeed and -ENOMEM implies there is not.
1817 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1818 * if the capability is granted, but __vm_enough_memory requires 1 if
1819 * the capability is granted.
1821 * Do not audit the selinux permission check, as this is applied to all
1822 * processes that allocate mappings.
1824 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1826 int rc, cap_sys_admin = 0;
1827 struct task_security_struct *tsec = current->security;
1829 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1831 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1832 SECCLASS_CAPABILITY,
1833 CAP_TO_MASK(CAP_SYS_ADMIN),
1840 return __vm_enough_memory(mm, pages, cap_sys_admin);
1843 /* binprm security operations */
1845 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1847 struct bprm_security_struct *bsec;
1849 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1854 bsec->sid = SECINITSID_UNLABELED;
1857 bprm->security = bsec;
1861 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1863 struct task_security_struct *tsec;
1864 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1865 struct inode_security_struct *isec;
1866 struct bprm_security_struct *bsec;
1868 struct avc_audit_data ad;
1871 rc = secondary_ops->bprm_set_security(bprm);
1875 bsec = bprm->security;
1880 tsec = current->security;
1881 isec = inode->i_security;
1883 /* Default to the current task SID. */
1884 bsec->sid = tsec->sid;
1886 /* Reset fs, key, and sock SIDs on execve. */
1887 tsec->create_sid = 0;
1888 tsec->keycreate_sid = 0;
1889 tsec->sockcreate_sid = 0;
1891 if (tsec->exec_sid) {
1892 newsid = tsec->exec_sid;
1893 /* Reset exec SID on execve. */
1896 /* Check for a default transition on this program. */
1897 rc = security_transition_sid(tsec->sid, isec->sid,
1898 SECCLASS_PROCESS, &newsid);
1903 AVC_AUDIT_DATA_INIT(&ad, FS);
1904 ad.u.fs.mnt = bprm->file->f_path.mnt;
1905 ad.u.fs.dentry = bprm->file->f_path.dentry;
1907 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1910 if (tsec->sid == newsid) {
1911 rc = avc_has_perm(tsec->sid, isec->sid,
1912 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1916 /* Check permissions for the transition. */
1917 rc = avc_has_perm(tsec->sid, newsid,
1918 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1922 rc = avc_has_perm(newsid, isec->sid,
1923 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1927 /* Clear any possibly unsafe personality bits on exec: */
1928 current->personality &= ~PER_CLEAR_ON_SETID;
1930 /* Set the security field to the new SID. */
1938 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1940 return secondary_ops->bprm_check_security(bprm);
1944 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1946 struct task_security_struct *tsec = current->security;
1949 if (tsec->osid != tsec->sid) {
1950 /* Enable secure mode for SIDs transitions unless
1951 the noatsecure permission is granted between
1952 the two SIDs, i.e. ahp returns 0. */
1953 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1955 PROCESS__NOATSECURE, NULL);
1958 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1961 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1963 kfree(bprm->security);
1964 bprm->security = NULL;
1967 extern struct vfsmount *selinuxfs_mount;
1968 extern struct dentry *selinux_null;
1970 /* Derived from fs/exec.c:flush_old_files. */
1971 static inline void flush_unauthorized_files(struct files_struct * files)
1973 struct avc_audit_data ad;
1974 struct file *file, *devnull = NULL;
1975 struct tty_struct *tty;
1976 struct fdtable *fdt;
1980 mutex_lock(&tty_mutex);
1981 tty = get_current_tty();
1984 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1986 /* Revalidate access to controlling tty.
1987 Use inode_has_perm on the tty inode directly rather
1988 than using file_has_perm, as this particular open
1989 file may belong to another process and we are only
1990 interested in the inode-based check here. */
1991 struct inode *inode = file->f_path.dentry->d_inode;
1992 if (inode_has_perm(current, inode,
1993 FILE__READ | FILE__WRITE, NULL)) {
1999 mutex_unlock(&tty_mutex);
2000 /* Reset controlling tty. */
2004 /* Revalidate access to inherited open files. */
2006 AVC_AUDIT_DATA_INIT(&ad,FS);
2008 spin_lock(&files->file_lock);
2010 unsigned long set, i;
2015 fdt = files_fdtable(files);
2016 if (i >= fdt->max_fds)
2018 set = fdt->open_fds->fds_bits[j];
2021 spin_unlock(&files->file_lock);
2022 for ( ; set ; i++,set >>= 1) {
2027 if (file_has_perm(current,
2029 file_to_av(file))) {
2031 fd = get_unused_fd();
2041 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2042 if (IS_ERR(devnull)) {
2049 fd_install(fd, devnull);
2054 spin_lock(&files->file_lock);
2057 spin_unlock(&files->file_lock);
2060 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2062 struct task_security_struct *tsec;
2063 struct bprm_security_struct *bsec;
2067 secondary_ops->bprm_apply_creds(bprm, unsafe);
2069 tsec = current->security;
2071 bsec = bprm->security;
2074 tsec->osid = tsec->sid;
2076 if (tsec->sid != sid) {
2077 /* Check for shared state. If not ok, leave SID
2078 unchanged and kill. */
2079 if (unsafe & LSM_UNSAFE_SHARE) {
2080 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2081 PROCESS__SHARE, NULL);
2088 /* Check for ptracing, and update the task SID if ok.
2089 Otherwise, leave SID unchanged and kill. */
2090 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2091 rc = avc_has_perm(tsec->ptrace_sid, sid,
2092 SECCLASS_PROCESS, PROCESS__PTRACE,
2104 * called after apply_creds without the task lock held
2106 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2108 struct task_security_struct *tsec;
2109 struct rlimit *rlim, *initrlim;
2110 struct itimerval itimer;
2111 struct bprm_security_struct *bsec;
2114 tsec = current->security;
2115 bsec = bprm->security;
2118 force_sig_specific(SIGKILL, current);
2121 if (tsec->osid == tsec->sid)
2124 /* Close files for which the new task SID is not authorized. */
2125 flush_unauthorized_files(current->files);
2127 /* Check whether the new SID can inherit signal state
2128 from the old SID. If not, clear itimers to avoid
2129 subsequent signal generation and flush and unblock
2130 signals. This must occur _after_ the task SID has
2131 been updated so that any kill done after the flush
2132 will be checked against the new SID. */
2133 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2134 PROCESS__SIGINH, NULL);
2136 memset(&itimer, 0, sizeof itimer);
2137 for (i = 0; i < 3; i++)
2138 do_setitimer(i, &itimer, NULL);
2139 flush_signals(current);
2140 spin_lock_irq(¤t->sighand->siglock);
2141 flush_signal_handlers(current, 1);
2142 sigemptyset(¤t->blocked);
2143 recalc_sigpending();
2144 spin_unlock_irq(¤t->sighand->siglock);
2147 /* Always clear parent death signal on SID transitions. */
2148 current->pdeath_signal = 0;
2150 /* Check whether the new SID can inherit resource limits
2151 from the old SID. If not, reset all soft limits to
2152 the lower of the current task's hard limit and the init
2153 task's soft limit. Note that the setting of hard limits
2154 (even to lower them) can be controlled by the setrlimit
2155 check. The inclusion of the init task's soft limit into
2156 the computation is to avoid resetting soft limits higher
2157 than the default soft limit for cases where the default
2158 is lower than the hard limit, e.g. RLIMIT_CORE or
2160 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2161 PROCESS__RLIMITINH, NULL);
2163 for (i = 0; i < RLIM_NLIMITS; i++) {
2164 rlim = current->signal->rlim + i;
2165 initrlim = init_task.signal->rlim+i;
2166 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2168 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2170 * This will cause RLIMIT_CPU calculations
2173 current->it_prof_expires = jiffies_to_cputime(1);
2177 /* Wake up the parent if it is waiting so that it can
2178 recheck wait permission to the new task SID. */
2179 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
2182 /* superblock security operations */
2184 static int selinux_sb_alloc_security(struct super_block *sb)
2186 return superblock_alloc_security(sb);
2189 static void selinux_sb_free_security(struct super_block *sb)
2191 superblock_free_security(sb);
2194 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2199 return !memcmp(prefix, option, plen);
2202 static inline int selinux_option(char *option, int len)
2204 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2205 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
2206 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2207 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
2210 static inline void take_option(char **to, char *from, int *first, int len)
2217 memcpy(*to, from, len);
2221 static inline void take_selinux_option(char **to, char *from, int *first,
2224 int current_size = 0;
2233 while (current_size < len) {
2243 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
2245 int fnosec, fsec, rc = 0;
2246 char *in_save, *in_curr, *in_end;
2247 char *sec_curr, *nosec_save, *nosec;
2253 /* Binary mount data: just copy */
2254 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2255 copy_page(sec_curr, in_curr);
2259 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2267 in_save = in_end = orig;
2271 open_quote = !open_quote;
2272 if ((*in_end == ',' && open_quote == 0) ||
2274 int len = in_end - in_curr;
2276 if (selinux_option(in_curr, len))
2277 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2279 take_option(&nosec, in_curr, &fnosec, len);
2281 in_curr = in_end + 1;
2283 } while (*in_end++);
2285 strcpy(in_save, nosec_save);
2286 free_page((unsigned long)nosec_save);
2291 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2293 struct avc_audit_data ad;
2296 rc = superblock_doinit(sb, data);
2300 AVC_AUDIT_DATA_INIT(&ad,FS);
2301 ad.u.fs.dentry = sb->s_root;
2302 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2305 static int selinux_sb_statfs(struct dentry *dentry)
2307 struct avc_audit_data ad;
2309 AVC_AUDIT_DATA_INIT(&ad,FS);
2310 ad.u.fs.dentry = dentry->d_sb->s_root;
2311 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2314 static int selinux_mount(char * dev_name,
2315 struct nameidata *nd,
2317 unsigned long flags,
2322 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2326 if (flags & MS_REMOUNT)
2327 return superblock_has_perm(current, nd->mnt->mnt_sb,
2328 FILESYSTEM__REMOUNT, NULL);
2330 return dentry_has_perm(current, nd->mnt, nd->dentry,
2334 static int selinux_umount(struct vfsmount *mnt, int flags)
2338 rc = secondary_ops->sb_umount(mnt, flags);
2342 return superblock_has_perm(current,mnt->mnt_sb,
2343 FILESYSTEM__UNMOUNT,NULL);
2346 /* inode security operations */
2348 static int selinux_inode_alloc_security(struct inode *inode)
2350 return inode_alloc_security(inode);
2353 static void selinux_inode_free_security(struct inode *inode)
2355 inode_free_security(inode);
2358 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2359 char **name, void **value,
2362 struct task_security_struct *tsec;
2363 struct inode_security_struct *dsec;
2364 struct superblock_security_struct *sbsec;
2367 char *namep = NULL, *context;
2369 tsec = current->security;
2370 dsec = dir->i_security;
2371 sbsec = dir->i_sb->s_security;
2373 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2374 newsid = tsec->create_sid;
2376 rc = security_transition_sid(tsec->sid, dsec->sid,
2377 inode_mode_to_security_class(inode->i_mode),
2380 printk(KERN_WARNING "%s: "
2381 "security_transition_sid failed, rc=%d (dev=%s "
2384 -rc, inode->i_sb->s_id, inode->i_ino);
2389 /* Possibly defer initialization to selinux_complete_init. */
2390 if (sbsec->initialized) {
2391 struct inode_security_struct *isec = inode->i_security;
2392 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2394 isec->initialized = 1;
2397 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2401 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2408 rc = security_sid_to_context(newsid, &context, &clen);
2420 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2422 return may_create(dir, dentry, SECCLASS_FILE);
2425 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2429 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2432 return may_link(dir, old_dentry, MAY_LINK);
2435 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2439 rc = secondary_ops->inode_unlink(dir, dentry);
2442 return may_link(dir, dentry, MAY_UNLINK);
2445 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2447 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2450 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2452 return may_create(dir, dentry, SECCLASS_DIR);
2455 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2457 return may_link(dir, dentry, MAY_RMDIR);
2460 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2464 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2468 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2471 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2472 struct inode *new_inode, struct dentry *new_dentry)
2474 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2477 static int selinux_inode_readlink(struct dentry *dentry)
2479 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2482 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2486 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2489 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2492 static int selinux_inode_permission(struct inode *inode, int mask,
2493 struct nameidata *nd)
2497 rc = secondary_ops->inode_permission(inode, mask, nd);
2502 /* No permission to check. Existence test. */
2506 return inode_has_perm(current, inode,
2507 file_mask_to_av(inode->i_mode, mask), NULL);
2510 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2514 rc = secondary_ops->inode_setattr(dentry, iattr);
2518 if (iattr->ia_valid & ATTR_FORCE)
2521 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2522 ATTR_ATIME_SET | ATTR_MTIME_SET))
2523 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2525 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2528 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2530 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2533 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2535 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2536 sizeof XATTR_SECURITY_PREFIX - 1)) {
2537 if (!strcmp(name, XATTR_NAME_CAPS)) {
2538 if (!capable(CAP_SETFCAP))
2540 } else if (!capable(CAP_SYS_ADMIN)) {
2541 /* A different attribute in the security namespace.
2542 Restrict to administrator. */
2547 /* Not an attribute we recognize, so just check the
2548 ordinary setattr permission. */
2549 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2552 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2554 struct task_security_struct *tsec = current->security;
2555 struct inode *inode = dentry->d_inode;
2556 struct inode_security_struct *isec = inode->i_security;
2557 struct superblock_security_struct *sbsec;
2558 struct avc_audit_data ad;
2562 if (strcmp(name, XATTR_NAME_SELINUX))
2563 return selinux_inode_setotherxattr(dentry, name);
2565 sbsec = inode->i_sb->s_security;
2566 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2569 if (!is_owner_or_cap(inode))
2572 AVC_AUDIT_DATA_INIT(&ad,FS);
2573 ad.u.fs.dentry = dentry;
2575 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2576 FILE__RELABELFROM, &ad);
2580 rc = security_context_to_sid(value, size, &newsid);
2584 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2585 FILE__RELABELTO, &ad);
2589 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2594 return avc_has_perm(newsid,
2596 SECCLASS_FILESYSTEM,
2597 FILESYSTEM__ASSOCIATE,
2601 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2602 void *value, size_t size, int flags)
2604 struct inode *inode = dentry->d_inode;
2605 struct inode_security_struct *isec = inode->i_security;
2609 if (strcmp(name, XATTR_NAME_SELINUX)) {
2610 /* Not an attribute we recognize, so nothing to do. */
2614 rc = security_context_to_sid(value, size, &newsid);
2616 printk(KERN_WARNING "%s: unable to obtain SID for context "
2617 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2625 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2627 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2630 static int selinux_inode_listxattr (struct dentry *dentry)
2632 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2635 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2637 if (strcmp(name, XATTR_NAME_SELINUX))
2638 return selinux_inode_setotherxattr(dentry, name);
2640 /* No one is allowed to remove a SELinux security label.
2641 You can change the label, but all data must be labeled. */
2646 * Copy the in-core inode security context value to the user. If the
2647 * getxattr() prior to this succeeded, check to see if we need to
2648 * canonicalize the value to be finally returned to the user.
2650 * Permission check is handled by selinux_inode_getxattr hook.
2652 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2656 char *context = NULL;
2657 struct inode_security_struct *isec = inode->i_security;
2659 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2662 error = security_sid_to_context(isec->sid, &context, &size);
2675 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2676 const void *value, size_t size, int flags)
2678 struct inode_security_struct *isec = inode->i_security;
2682 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2685 if (!value || !size)
2688 rc = security_context_to_sid((void*)value, size, &newsid);
2696 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2698 const int len = sizeof(XATTR_NAME_SELINUX);
2699 if (buffer && len <= buffer_size)
2700 memcpy(buffer, XATTR_NAME_SELINUX, len);
2704 static int selinux_inode_need_killpriv(struct dentry *dentry)
2706 return secondary_ops->inode_need_killpriv(dentry);
2709 static int selinux_inode_killpriv(struct dentry *dentry)
2711 return secondary_ops->inode_killpriv(dentry);
2714 /* file security operations */
2716 static int selinux_revalidate_file_permission(struct file *file, int mask)
2719 struct inode *inode = file->f_path.dentry->d_inode;
2722 /* No permission to check. Existence test. */
2726 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2727 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2730 rc = file_has_perm(current, file,
2731 file_mask_to_av(inode->i_mode, mask));
2735 return selinux_netlbl_inode_permission(inode, mask);
2738 static int selinux_file_permission(struct file *file, int mask)
2740 struct inode *inode = file->f_path.dentry->d_inode;
2741 struct task_security_struct *tsec = current->security;
2742 struct file_security_struct *fsec = file->f_security;
2743 struct inode_security_struct *isec = inode->i_security;
2746 /* No permission to check. Existence test. */
2750 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2751 && fsec->pseqno == avc_policy_seqno())
2752 return selinux_netlbl_inode_permission(inode, mask);
2754 return selinux_revalidate_file_permission(file, mask);
2757 static int selinux_file_alloc_security(struct file *file)
2759 return file_alloc_security(file);
2762 static void selinux_file_free_security(struct file *file)
2764 file_free_security(file);
2767 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2779 case EXT2_IOC_GETFLAGS:
2781 case EXT2_IOC_GETVERSION:
2782 error = file_has_perm(current, file, FILE__GETATTR);
2785 case EXT2_IOC_SETFLAGS:
2787 case EXT2_IOC_SETVERSION:
2788 error = file_has_perm(current, file, FILE__SETATTR);
2791 /* sys_ioctl() checks */
2795 error = file_has_perm(current, file, 0);
2800 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2803 /* default case assumes that the command will go
2804 * to the file's ioctl() function.
2807 error = file_has_perm(current, file, FILE__IOCTL);
2813 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2815 #ifndef CONFIG_PPC32
2816 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2818 * We are making executable an anonymous mapping or a
2819 * private file mapping that will also be writable.
2820 * This has an additional check.
2822 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2829 /* read access is always possible with a mapping */
2830 u32 av = FILE__READ;
2832 /* write access only matters if the mapping is shared */
2833 if (shared && (prot & PROT_WRITE))
2836 if (prot & PROT_EXEC)
2837 av |= FILE__EXECUTE;
2839 return file_has_perm(current, file, av);
2844 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2845 unsigned long prot, unsigned long flags,
2846 unsigned long addr, unsigned long addr_only)
2849 u32 sid = ((struct task_security_struct*)(current->security))->sid;
2851 if (addr < mmap_min_addr)
2852 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2853 MEMPROTECT__MMAP_ZERO, NULL);
2854 if (rc || addr_only)
2857 if (selinux_checkreqprot)
2860 return file_map_prot_check(file, prot,
2861 (flags & MAP_TYPE) == MAP_SHARED);
2864 static int selinux_file_mprotect(struct vm_area_struct *vma,
2865 unsigned long reqprot,
2870 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2874 if (selinux_checkreqprot)
2877 #ifndef CONFIG_PPC32
2878 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2880 if (vma->vm_start >= vma->vm_mm->start_brk &&
2881 vma->vm_end <= vma->vm_mm->brk) {
2882 rc = task_has_perm(current, current,
2884 } else if (!vma->vm_file &&
2885 vma->vm_start <= vma->vm_mm->start_stack &&
2886 vma->vm_end >= vma->vm_mm->start_stack) {
2887 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2888 } else if (vma->vm_file && vma->anon_vma) {
2890 * We are making executable a file mapping that has
2891 * had some COW done. Since pages might have been
2892 * written, check ability to execute the possibly
2893 * modified content. This typically should only
2894 * occur for text relocations.
2896 rc = file_has_perm(current, vma->vm_file,
2904 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2907 static int selinux_file_lock(struct file *file, unsigned int cmd)
2909 return file_has_perm(current, file, FILE__LOCK);
2912 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2919 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2924 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2925 err = file_has_perm(current, file,FILE__WRITE);
2934 /* Just check FD__USE permission */
2935 err = file_has_perm(current, file, 0);
2940 #if BITS_PER_LONG == 32
2945 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2949 err = file_has_perm(current, file, FILE__LOCK);
2956 static int selinux_file_set_fowner(struct file *file)
2958 struct task_security_struct *tsec;
2959 struct file_security_struct *fsec;
2961 tsec = current->security;
2962 fsec = file->f_security;
2963 fsec->fown_sid = tsec->sid;
2968 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2969 struct fown_struct *fown, int signum)
2973 struct task_security_struct *tsec;
2974 struct file_security_struct *fsec;
2976 /* struct fown_struct is never outside the context of a struct file */
2977 file = container_of(fown, struct file, f_owner);
2979 tsec = tsk->security;
2980 fsec = file->f_security;
2983 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2985 perm = signal_to_av(signum);
2987 return avc_has_perm(fsec->fown_sid, tsec->sid,
2988 SECCLASS_PROCESS, perm, NULL);
2991 static int selinux_file_receive(struct file *file)
2993 return file_has_perm(current, file, file_to_av(file));
2996 static int selinux_dentry_open(struct file *file)
2998 struct file_security_struct *fsec;
2999 struct inode *inode;
3000 struct inode_security_struct *isec;
3001 inode = file->f_path.dentry->d_inode;
3002 fsec = file->f_security;
3003 isec = inode->i_security;
3005 * Save inode label and policy sequence number
3006 * at open-time so that selinux_file_permission
3007 * can determine whether revalidation is necessary.
3008 * Task label is already saved in the file security
3009 * struct as its SID.
3011 fsec->isid = isec->sid;
3012 fsec->pseqno = avc_policy_seqno();
3014 * Since the inode label or policy seqno may have changed
3015 * between the selinux_inode_permission check and the saving
3016 * of state above, recheck that access is still permitted.
3017 * Otherwise, access might never be revalidated against the
3018 * new inode label or new policy.
3019 * This check is not redundant - do not remove.
3021 return inode_has_perm(current, inode, file_to_av(file), NULL);
3024 /* task security operations */
3026 static int selinux_task_create(unsigned long clone_flags)
3030 rc = secondary_ops->task_create(clone_flags);
3034 return task_has_perm(current, current, PROCESS__FORK);
3037 static int selinux_task_alloc_security(struct task_struct *tsk)
3039 struct task_security_struct *tsec1, *tsec2;
3042 tsec1 = current->security;
3044 rc = task_alloc_security(tsk);
3047 tsec2 = tsk->security;
3049 tsec2->osid = tsec1->osid;
3050 tsec2->sid = tsec1->sid;
3052 /* Retain the exec, fs, key, and sock SIDs across fork */
3053 tsec2->exec_sid = tsec1->exec_sid;
3054 tsec2->create_sid = tsec1->create_sid;
3055 tsec2->keycreate_sid = tsec1->keycreate_sid;
3056 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3058 /* Retain ptracer SID across fork, if any.
3059 This will be reset by the ptrace hook upon any
3060 subsequent ptrace_attach operations. */
3061 tsec2->ptrace_sid = tsec1->ptrace_sid;
3066 static void selinux_task_free_security(struct task_struct *tsk)
3068 task_free_security(tsk);
3071 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3073 /* Since setuid only affects the current process, and
3074 since the SELinux controls are not based on the Linux
3075 identity attributes, SELinux does not need to control
3076 this operation. However, SELinux does control the use
3077 of the CAP_SETUID and CAP_SETGID capabilities using the
3082 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3084 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3087 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3089 /* See the comment for setuid above. */
3093 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3095 return task_has_perm(current, p, PROCESS__SETPGID);
3098 static int selinux_task_getpgid(struct task_struct *p)
3100 return task_has_perm(current, p, PROCESS__GETPGID);
3103 static int selinux_task_getsid(struct task_struct *p)
3105 return task_has_perm(current, p, PROCESS__GETSESSION);
3108 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3110 selinux_get_task_sid(p, secid);
3113 static int selinux_task_setgroups(struct group_info *group_info)
3115 /* See the comment for setuid above. */
3119 static int selinux_task_setnice(struct task_struct *p, int nice)
3123 rc = secondary_ops->task_setnice(p, nice);
3127 return task_has_perm(current,p, PROCESS__SETSCHED);
3130 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3134 rc = secondary_ops->task_setioprio(p, ioprio);
3138 return task_has_perm(current, p, PROCESS__SETSCHED);
3141 static int selinux_task_getioprio(struct task_struct *p)
3143 return task_has_perm(current, p, PROCESS__GETSCHED);
3146 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3148 struct rlimit *old_rlim = current->signal->rlim + resource;
3151 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3155 /* Control the ability to change the hard limit (whether
3156 lowering or raising it), so that the hard limit can
3157 later be used as a safe reset point for the soft limit
3158 upon context transitions. See selinux_bprm_apply_creds. */
3159 if (old_rlim->rlim_max != new_rlim->rlim_max)
3160 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3165 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3169 rc = secondary_ops->task_setscheduler(p, policy, lp);
3173 return task_has_perm(current, p, PROCESS__SETSCHED);
3176 static int selinux_task_getscheduler(struct task_struct *p)
3178 return task_has_perm(current, p, PROCESS__GETSCHED);
3181 static int selinux_task_movememory(struct task_struct *p)
3183 return task_has_perm(current, p, PROCESS__SETSCHED);
3186 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3191 struct task_security_struct *tsec;
3193 rc = secondary_ops->task_kill(p, info, sig, secid);
3197 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3201 perm = PROCESS__SIGNULL; /* null signal; existence test */
3203 perm = signal_to_av(sig);
3206 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3208 rc = task_has_perm(current, p, perm);
3212 static int selinux_task_prctl(int option,
3218 /* The current prctl operations do not appear to require
3219 any SELinux controls since they merely observe or modify
3220 the state of the current process. */
3224 static int selinux_task_wait(struct task_struct *p)
3226 return task_has_perm(p, current, PROCESS__SIGCHLD);
3229 static void selinux_task_reparent_to_init(struct task_struct *p)
3231 struct task_security_struct *tsec;
3233 secondary_ops->task_reparent_to_init(p);
3236 tsec->osid = tsec->sid;
3237 tsec->sid = SECINITSID_KERNEL;
3241 static void selinux_task_to_inode(struct task_struct *p,
3242 struct inode *inode)
3244 struct task_security_struct *tsec = p->security;
3245 struct inode_security_struct *isec = inode->i_security;
3247 isec->sid = tsec->sid;
3248 isec->initialized = 1;
3252 /* Returns error only if unable to parse addresses */
3253 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3254 struct avc_audit_data *ad, u8 *proto)
3256 int offset, ihlen, ret = -EINVAL;
3257 struct iphdr _iph, *ih;
3259 offset = skb_network_offset(skb);
3260 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3264 ihlen = ih->ihl * 4;
3265 if (ihlen < sizeof(_iph))
3268 ad->u.net.v4info.saddr = ih->saddr;
3269 ad->u.net.v4info.daddr = ih->daddr;
3273 *proto = ih->protocol;
3275 switch (ih->protocol) {
3277 struct tcphdr _tcph, *th;
3279 if (ntohs(ih->frag_off) & IP_OFFSET)
3283 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3287 ad->u.net.sport = th->source;
3288 ad->u.net.dport = th->dest;
3293 struct udphdr _udph, *uh;
3295 if (ntohs(ih->frag_off) & IP_OFFSET)
3299 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3303 ad->u.net.sport = uh->source;
3304 ad->u.net.dport = uh->dest;
3308 case IPPROTO_DCCP: {
3309 struct dccp_hdr _dccph, *dh;
3311 if (ntohs(ih->frag_off) & IP_OFFSET)
3315 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3319 ad->u.net.sport = dh->dccph_sport;
3320 ad->u.net.dport = dh->dccph_dport;
3331 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3333 /* Returns error only if unable to parse addresses */
3334 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3335 struct avc_audit_data *ad, u8 *proto)
3338 int ret = -EINVAL, offset;
3339 struct ipv6hdr _ipv6h, *ip6;
3341 offset = skb_network_offset(skb);
3342 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3346 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3347 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3350 nexthdr = ip6->nexthdr;
3351 offset += sizeof(_ipv6h);
3352 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3361 struct tcphdr _tcph, *th;
3363 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3367 ad->u.net.sport = th->source;
3368 ad->u.net.dport = th->dest;
3373 struct udphdr _udph, *uh;
3375 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3379 ad->u.net.sport = uh->source;
3380 ad->u.net.dport = uh->dest;
3384 case IPPROTO_DCCP: {
3385 struct dccp_hdr _dccph, *dh;
3387 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3391 ad->u.net.sport = dh->dccph_sport;
3392 ad->u.net.dport = dh->dccph_dport;
3396 /* includes fragments */
3406 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3407 char **addrp, int src, u8 *proto)
3411 switch (ad->u.net.family) {
3413 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3416 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3417 &ad->u.net.v4info.daddr);
3420 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3422 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3425 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3426 &ad->u.net.v6info.daddr);
3435 "SELinux: failure in selinux_parse_skb(),"
3436 " unable to parse packet\n");
3442 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3444 * @family: protocol family
3445 * @sid: the packet's peer label SID
3448 * Check the various different forms of network peer labeling and determine
3449 * the peer label/SID for the packet; most of the magic actually occurs in
3450 * the security server function security_net_peersid_cmp(). The function
3451 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3452 * or -EACCES if @sid is invalid due to inconsistencies with the different
3456 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3463 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3464 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3466 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3467 if (unlikely(err)) {
3469 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3470 " unable to determine packet's peer label\n");
3477 /* socket security operations */
3478 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3481 struct inode_security_struct *isec;
3482 struct task_security_struct *tsec;
3483 struct avc_audit_data ad;
3486 tsec = task->security;
3487 isec = SOCK_INODE(sock)->i_security;
3489 if (isec->sid == SECINITSID_KERNEL)
3492 AVC_AUDIT_DATA_INIT(&ad,NET);
3493 ad.u.net.sk = sock->sk;
3494 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3500 static int selinux_socket_create(int family, int type,
3501 int protocol, int kern)
3504 struct task_security_struct *tsec;
3510 tsec = current->security;
3511 newsid = tsec->sockcreate_sid ? : tsec->sid;
3512 err = avc_has_perm(tsec->sid, newsid,
3513 socket_type_to_security_class(family, type,
3514 protocol), SOCKET__CREATE, NULL);
3520 static int selinux_socket_post_create(struct socket *sock, int family,
3521 int type, int protocol, int kern)
3524 struct inode_security_struct *isec;
3525 struct task_security_struct *tsec;
3526 struct sk_security_struct *sksec;
3529 isec = SOCK_INODE(sock)->i_security;
3531 tsec = current->security;
3532 newsid = tsec->sockcreate_sid ? : tsec->sid;
3533 isec->sclass = socket_type_to_security_class(family, type, protocol);
3534 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3535 isec->initialized = 1;
3538 sksec = sock->sk->sk_security;
3539 sksec->sid = isec->sid;
3540 sksec->sclass = isec->sclass;
3541 err = selinux_netlbl_socket_post_create(sock);
3547 /* Range of port numbers used to automatically bind.
3548 Need to determine whether we should perform a name_bind
3549 permission check between the socket and the port number. */
3551 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3556 err = socket_has_perm(current, sock, SOCKET__BIND);
3561 * If PF_INET or PF_INET6, check name_bind permission for the port.
3562 * Multiple address binding for SCTP is not supported yet: we just
3563 * check the first address now.
3565 family = sock->sk->sk_family;
3566 if (family == PF_INET || family == PF_INET6) {
3568 struct inode_security_struct *isec;
3569 struct task_security_struct *tsec;
3570 struct avc_audit_data ad;
3571 struct sockaddr_in *addr4 = NULL;
3572 struct sockaddr_in6 *addr6 = NULL;
3573 unsigned short snum;
3574 struct sock *sk = sock->sk;
3575 u32 sid, node_perm, addrlen;
3577 tsec = current->security;
3578 isec = SOCK_INODE(sock)->i_security;
3580 if (family == PF_INET) {
3581 addr4 = (struct sockaddr_in *)address;
3582 snum = ntohs(addr4->sin_port);
3583 addrlen = sizeof(addr4->sin_addr.s_addr);
3584 addrp = (char *)&addr4->sin_addr.s_addr;
3586 addr6 = (struct sockaddr_in6 *)address;
3587 snum = ntohs(addr6->sin6_port);
3588 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3589 addrp = (char *)&addr6->sin6_addr.s6_addr;
3595 inet_get_local_port_range(&low, &high);
3597 if (snum < max(PROT_SOCK, low) || snum > high) {
3598 err = security_port_sid(sk->sk_family,
3600 sk->sk_protocol, snum,
3604 AVC_AUDIT_DATA_INIT(&ad,NET);
3605 ad.u.net.sport = htons(snum);
3606 ad.u.net.family = family;
3607 err = avc_has_perm(isec->sid, sid,
3609 SOCKET__NAME_BIND, &ad);
3615 switch(isec->sclass) {
3616 case SECCLASS_TCP_SOCKET:
3617 node_perm = TCP_SOCKET__NODE_BIND;
3620 case SECCLASS_UDP_SOCKET:
3621 node_perm = UDP_SOCKET__NODE_BIND;
3624 case SECCLASS_DCCP_SOCKET:
3625 node_perm = DCCP_SOCKET__NODE_BIND;
3629 node_perm = RAWIP_SOCKET__NODE_BIND;
3633 err = sel_netnode_sid(addrp, family, &sid);
3637 AVC_AUDIT_DATA_INIT(&ad,NET);
3638 ad.u.net.sport = htons(snum);
3639 ad.u.net.family = family;
3641 if (family == PF_INET)
3642 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3644 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3646 err = avc_has_perm(isec->sid, sid,
3647 isec->sclass, node_perm, &ad);
3655 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3657 struct inode_security_struct *isec;
3660 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3665 * If a TCP or DCCP socket, check name_connect permission for the port.
3667 isec = SOCK_INODE(sock)->i_security;
3668 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3669 isec->sclass == SECCLASS_DCCP_SOCKET) {
3670 struct sock *sk = sock->sk;
3671 struct avc_audit_data ad;
3672 struct sockaddr_in *addr4 = NULL;
3673 struct sockaddr_in6 *addr6 = NULL;
3674 unsigned short snum;
3677 if (sk->sk_family == PF_INET) {
3678 addr4 = (struct sockaddr_in *)address;
3679 if (addrlen < sizeof(struct sockaddr_in))
3681 snum = ntohs(addr4->sin_port);
3683 addr6 = (struct sockaddr_in6 *)address;
3684 if (addrlen < SIN6_LEN_RFC2133)
3686 snum = ntohs(addr6->sin6_port);
3689 err = security_port_sid(sk->sk_family, sk->sk_type,
3690 sk->sk_protocol, snum, &sid);
3694 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3695 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3697 AVC_AUDIT_DATA_INIT(&ad,NET);
3698 ad.u.net.dport = htons(snum);
3699 ad.u.net.family = sk->sk_family;
3700 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3709 static int selinux_socket_listen(struct socket *sock, int backlog)
3711 return socket_has_perm(current, sock, SOCKET__LISTEN);
3714 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3717 struct inode_security_struct *isec;
3718 struct inode_security_struct *newisec;
3720 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3724 newisec = SOCK_INODE(newsock)->i_security;
3726 isec = SOCK_INODE(sock)->i_security;
3727 newisec->sclass = isec->sclass;
3728 newisec->sid = isec->sid;
3729 newisec->initialized = 1;
3734 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3739 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3743 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3746 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3747 int size, int flags)
3749 return socket_has_perm(current, sock, SOCKET__READ);
3752 static int selinux_socket_getsockname(struct socket *sock)
3754 return socket_has_perm(current, sock, SOCKET__GETATTR);
3757 static int selinux_socket_getpeername(struct socket *sock)
3759 return socket_has_perm(current, sock, SOCKET__GETATTR);
3762 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3766 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3770 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3773 static int selinux_socket_getsockopt(struct socket *sock, int level,
3776 return socket_has_perm(current, sock, SOCKET__GETOPT);
3779 static int selinux_socket_shutdown(struct socket *sock, int how)
3781 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3784 static int selinux_socket_unix_stream_connect(struct socket *sock,
3785 struct socket *other,
3788 struct sk_security_struct *ssec;
3789 struct inode_security_struct *isec;
3790 struct inode_security_struct *other_isec;
3791 struct avc_audit_data ad;
3794 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3798 isec = SOCK_INODE(sock)->i_security;
3799 other_isec = SOCK_INODE(other)->i_security;
3801 AVC_AUDIT_DATA_INIT(&ad,NET);
3802 ad.u.net.sk = other->sk;
3804 err = avc_has_perm(isec->sid, other_isec->sid,
3806 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3810 /* connecting socket */
3811 ssec = sock->sk->sk_security;
3812 ssec->peer_sid = other_isec->sid;
3814 /* server child socket */
3815 ssec = newsk->sk_security;
3816 ssec->peer_sid = isec->sid;
3817 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3822 static int selinux_socket_unix_may_send(struct socket *sock,
3823 struct socket *other)
3825 struct inode_security_struct *isec;
3826 struct inode_security_struct *other_isec;
3827 struct avc_audit_data ad;
3830 isec = SOCK_INODE(sock)->i_security;
3831 other_isec = SOCK_INODE(other)->i_security;
3833 AVC_AUDIT_DATA_INIT(&ad,NET);
3834 ad.u.net.sk = other->sk;
3836 err = avc_has_perm(isec->sid, other_isec->sid,
3837 isec->sclass, SOCKET__SENDTO, &ad);
3844 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3846 struct avc_audit_data *ad)
3852 err = sel_netif_sid(ifindex, &if_sid);
3855 err = avc_has_perm(peer_sid, if_sid,
3856 SECCLASS_NETIF, NETIF__INGRESS, ad);
3860 err = sel_netnode_sid(addrp, family, &node_sid);
3863 return avc_has_perm(peer_sid, node_sid,
3864 SECCLASS_NODE, NODE__RECVFROM, ad);
3867 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3868 struct sk_buff *skb,
3869 struct avc_audit_data *ad,
3874 struct sk_security_struct *sksec = sk->sk_security;
3876 u32 netif_perm, node_perm, recv_perm;
3877 u32 port_sid, node_sid, if_sid, sk_sid;
3879 sk_sid = sksec->sid;
3880 sk_class = sksec->sclass;
3883 case SECCLASS_UDP_SOCKET:
3884 netif_perm = NETIF__UDP_RECV;
3885 node_perm = NODE__UDP_RECV;
3886 recv_perm = UDP_SOCKET__RECV_MSG;
3888 case SECCLASS_TCP_SOCKET:
3889 netif_perm = NETIF__TCP_RECV;
3890 node_perm = NODE__TCP_RECV;
3891 recv_perm = TCP_SOCKET__RECV_MSG;
3893 case SECCLASS_DCCP_SOCKET:
3894 netif_perm = NETIF__DCCP_RECV;
3895 node_perm = NODE__DCCP_RECV;
3896 recv_perm = DCCP_SOCKET__RECV_MSG;
3899 netif_perm = NETIF__RAWIP_RECV;
3900 node_perm = NODE__RAWIP_RECV;
3905 err = sel_netif_sid(skb->iif, &if_sid);
3908 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3912 err = sel_netnode_sid(addrp, family, &node_sid);
3915 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3921 err = security_port_sid(sk->sk_family, sk->sk_type,
3922 sk->sk_protocol, ntohs(ad->u.net.sport),
3924 if (unlikely(err)) {
3926 "SELinux: failure in"
3927 " selinux_sock_rcv_skb_iptables_compat(),"
3928 " network port label not found\n");
3931 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
3934 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3935 struct avc_audit_data *ad,
3936 u16 family, char *addrp)
3939 struct sk_security_struct *sksec = sk->sk_security;
3941 u32 sk_sid = sksec->sid;
3943 if (selinux_compat_net)
3944 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
3947 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
3952 if (selinux_policycap_netpeer) {
3953 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
3956 err = avc_has_perm(sk_sid, peer_sid,
3957 SECCLASS_PEER, PEER__RECV, ad);
3959 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
3962 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
3968 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3971 struct sk_security_struct *sksec = sk->sk_security;
3972 u16 family = sk->sk_family;
3973 u32 sk_sid = sksec->sid;
3974 struct avc_audit_data ad;
3977 if (family != PF_INET && family != PF_INET6)
3980 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3981 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
3984 AVC_AUDIT_DATA_INIT(&ad, NET);
3985 ad.u.net.netif = skb->iif;
3986 ad.u.net.family = family;
3987 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
3991 /* If any sort of compatibility mode is enabled then handoff processing
3992 * to the selinux_sock_rcv_skb_compat() function to deal with the
3993 * special handling. We do this in an attempt to keep this function
3994 * as fast and as clean as possible. */
3995 if (selinux_compat_net || !selinux_policycap_netpeer)
3996 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
3999 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4002 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4005 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4009 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4013 if (selinux_secmark_enabled()) {
4014 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4023 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4024 int __user *optlen, unsigned len)
4029 struct sk_security_struct *ssec;
4030 struct inode_security_struct *isec;
4031 u32 peer_sid = SECSID_NULL;
4033 isec = SOCK_INODE(sock)->i_security;
4035 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4036 isec->sclass == SECCLASS_TCP_SOCKET) {
4037 ssec = sock->sk->sk_security;
4038 peer_sid = ssec->peer_sid;
4040 if (peer_sid == SECSID_NULL) {
4045 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4050 if (scontext_len > len) {
4055 if (copy_to_user(optval, scontext, scontext_len))
4059 if (put_user(scontext_len, optlen))
4067 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4069 u32 peer_secid = SECSID_NULL;
4073 family = sock->sk->sk_family;
4074 else if (skb && skb->sk)
4075 family = skb->sk->sk_family;
4079 if (sock && family == PF_UNIX)
4080 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4082 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4085 *secid = peer_secid;
4086 if (peer_secid == SECSID_NULL)
4091 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4093 return sk_alloc_security(sk, family, priority);
4096 static void selinux_sk_free_security(struct sock *sk)
4098 sk_free_security(sk);
4101 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4103 struct sk_security_struct *ssec = sk->sk_security;
4104 struct sk_security_struct *newssec = newsk->sk_security;
4106 newssec->sid = ssec->sid;
4107 newssec->peer_sid = ssec->peer_sid;
4108 newssec->sclass = ssec->sclass;
4110 selinux_netlbl_sk_security_clone(ssec, newssec);
4113 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4116 *secid = SECINITSID_ANY_SOCKET;
4118 struct sk_security_struct *sksec = sk->sk_security;
4120 *secid = sksec->sid;
4124 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4126 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4127 struct sk_security_struct *sksec = sk->sk_security;
4129 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4130 sk->sk_family == PF_UNIX)
4131 isec->sid = sksec->sid;
4132 sksec->sclass = isec->sclass;
4134 selinux_netlbl_sock_graft(sk, parent);
4137 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4138 struct request_sock *req)
4140 struct sk_security_struct *sksec = sk->sk_security;
4145 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4148 if (peersid == SECSID_NULL) {
4149 req->secid = sksec->sid;
4150 req->peer_secid = SECSID_NULL;
4154 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4158 req->secid = newsid;
4159 req->peer_secid = peersid;
4163 static void selinux_inet_csk_clone(struct sock *newsk,
4164 const struct request_sock *req)
4166 struct sk_security_struct *newsksec = newsk->sk_security;
4168 newsksec->sid = req->secid;
4169 newsksec->peer_sid = req->peer_secid;
4170 /* NOTE: Ideally, we should also get the isec->sid for the
4171 new socket in sync, but we don't have the isec available yet.
4172 So we will wait until sock_graft to do it, by which
4173 time it will have been created and available. */
4175 /* We don't need to take any sort of lock here as we are the only
4176 * thread with access to newsksec */
4177 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4180 static void selinux_inet_conn_established(struct sock *sk,
4181 struct sk_buff *skb)
4183 struct sk_security_struct *sksec = sk->sk_security;
4185 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4188 static void selinux_req_classify_flow(const struct request_sock *req,
4191 fl->secid = req->secid;
4194 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4198 struct nlmsghdr *nlh;
4199 struct socket *sock = sk->sk_socket;
4200 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4202 if (skb->len < NLMSG_SPACE(0)) {
4206 nlh = nlmsg_hdr(skb);
4208 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4210 if (err == -EINVAL) {
4211 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4212 "SELinux: unrecognized netlink message"
4213 " type=%hu for sclass=%hu\n",
4214 nlh->nlmsg_type, isec->sclass);
4215 if (!selinux_enforcing)
4225 err = socket_has_perm(current, sock, perm);
4230 #ifdef CONFIG_NETFILTER
4232 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4237 struct avc_audit_data ad;
4241 if (!selinux_policycap_netpeer)
4244 secmark_active = selinux_secmark_enabled();
4245 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4246 if (!secmark_active && !peerlbl_active)
4249 AVC_AUDIT_DATA_INIT(&ad, NET);
4250 ad.u.net.netif = ifindex;
4251 ad.u.net.family = family;
4252 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4255 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4259 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4260 peer_sid, &ad) != 0)
4264 if (avc_has_perm(peer_sid, skb->secmark,
4265 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4271 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4272 struct sk_buff *skb,
4273 const struct net_device *in,
4274 const struct net_device *out,
4275 int (*okfn)(struct sk_buff *))
4277 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4280 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4281 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4282 struct sk_buff *skb,
4283 const struct net_device *in,
4284 const struct net_device *out,
4285 int (*okfn)(struct sk_buff *))
4287 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4291 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4293 struct avc_audit_data *ad,
4294 u16 family, char *addrp)
4297 struct sk_security_struct *sksec = sk->sk_security;
4299 u32 netif_perm, node_perm, send_perm;
4300 u32 port_sid, node_sid, if_sid, sk_sid;
4302 sk_sid = sksec->sid;
4303 sk_class = sksec->sclass;
4306 case SECCLASS_UDP_SOCKET:
4307 netif_perm = NETIF__UDP_SEND;
4308 node_perm = NODE__UDP_SEND;
4309 send_perm = UDP_SOCKET__SEND_MSG;
4311 case SECCLASS_TCP_SOCKET:
4312 netif_perm = NETIF__TCP_SEND;
4313 node_perm = NODE__TCP_SEND;
4314 send_perm = TCP_SOCKET__SEND_MSG;
4316 case SECCLASS_DCCP_SOCKET:
4317 netif_perm = NETIF__DCCP_SEND;
4318 node_perm = NODE__DCCP_SEND;
4319 send_perm = DCCP_SOCKET__SEND_MSG;
4322 netif_perm = NETIF__RAWIP_SEND;
4323 node_perm = NODE__RAWIP_SEND;
4328 err = sel_netif_sid(ifindex, &if_sid);
4331 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4334 err = sel_netnode_sid(addrp, family, &node_sid);
4337 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4344 err = security_port_sid(sk->sk_family, sk->sk_type,
4345 sk->sk_protocol, ntohs(ad->u.net.dport),
4347 if (unlikely(err)) {
4349 "SELinux: failure in"
4350 " selinux_ip_postroute_iptables_compat(),"
4351 " network port label not found\n");
4354 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4357 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4359 struct avc_audit_data *ad,
4364 struct sock *sk = skb->sk;
4365 struct sk_security_struct *sksec;
4369 sksec = sk->sk_security;
4371 if (selinux_compat_net) {
4372 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4376 if (avc_has_perm(sksec->sid, skb->secmark,
4377 SECCLASS_PACKET, PACKET__SEND, ad))
4381 if (selinux_policycap_netpeer)
4382 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4388 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4394 struct avc_audit_data ad;
4400 AVC_AUDIT_DATA_INIT(&ad, NET);
4401 ad.u.net.netif = ifindex;
4402 ad.u.net.family = family;
4403 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4406 /* If any sort of compatibility mode is enabled then handoff processing
4407 * to the selinux_ip_postroute_compat() function to deal with the
4408 * special handling. We do this in an attempt to keep this function
4409 * as fast and as clean as possible. */
4410 if (selinux_compat_net || !selinux_policycap_netpeer)
4411 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4412 family, addrp, proto);
4414 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4415 * packet transformation so allow the packet to pass without any checks
4416 * since we'll have another chance to perform access control checks
4417 * when the packet is on it's final way out.
4418 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4419 * is NULL, in this case go ahead and apply access control. */
4420 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4423 secmark_active = selinux_secmark_enabled();
4424 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4425 if (!secmark_active && !peerlbl_active)
4428 /* if the packet is locally generated (skb->sk != NULL) then use the
4429 * socket's label as the peer label, otherwise the packet is being
4430 * forwarded through this system and we need to fetch the peer label
4431 * directly from the packet */
4434 struct sk_security_struct *sksec = sk->sk_security;
4435 peer_sid = sksec->sid;
4436 secmark_perm = PACKET__SEND;
4438 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4440 secmark_perm = PACKET__FORWARD_OUT;
4444 if (avc_has_perm(peer_sid, skb->secmark,
4445 SECCLASS_PACKET, secmark_perm, &ad))
4448 if (peerlbl_active) {
4452 if (sel_netif_sid(ifindex, &if_sid))
4454 if (avc_has_perm(peer_sid, if_sid,
4455 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4458 if (sel_netnode_sid(addrp, family, &node_sid))
4460 if (avc_has_perm(peer_sid, node_sid,
4461 SECCLASS_NODE, NODE__SENDTO, &ad))
4468 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4469 struct sk_buff *skb,
4470 const struct net_device *in,
4471 const struct net_device *out,
4472 int (*okfn)(struct sk_buff *))
4474 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4477 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4478 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4479 struct sk_buff *skb,
4480 const struct net_device *in,
4481 const struct net_device *out,
4482 int (*okfn)(struct sk_buff *))
4484 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4488 #endif /* CONFIG_NETFILTER */
4490 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4494 err = secondary_ops->netlink_send(sk, skb);
4498 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4499 err = selinux_nlmsg_perm(sk, skb);
4504 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4507 struct avc_audit_data ad;
4509 err = secondary_ops->netlink_recv(skb, capability);
4513 AVC_AUDIT_DATA_INIT(&ad, CAP);
4514 ad.u.cap = capability;
4516 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4517 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4520 static int ipc_alloc_security(struct task_struct *task,
4521 struct kern_ipc_perm *perm,
4524 struct task_security_struct *tsec = task->security;
4525 struct ipc_security_struct *isec;
4527 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4531 isec->sclass = sclass;
4532 isec->ipc_perm = perm;
4533 isec->sid = tsec->sid;
4534 perm->security = isec;
4539 static void ipc_free_security(struct kern_ipc_perm *perm)
4541 struct ipc_security_struct *isec = perm->security;
4542 perm->security = NULL;
4546 static int msg_msg_alloc_security(struct msg_msg *msg)
4548 struct msg_security_struct *msec;
4550 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4555 msec->sid = SECINITSID_UNLABELED;
4556 msg->security = msec;
4561 static void msg_msg_free_security(struct msg_msg *msg)
4563 struct msg_security_struct *msec = msg->security;
4565 msg->security = NULL;
4569 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4572 struct task_security_struct *tsec;
4573 struct ipc_security_struct *isec;
4574 struct avc_audit_data ad;
4576 tsec = current->security;
4577 isec = ipc_perms->security;
4579 AVC_AUDIT_DATA_INIT(&ad, IPC);
4580 ad.u.ipc_id = ipc_perms->key;
4582 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4585 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4587 return msg_msg_alloc_security(msg);
4590 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4592 msg_msg_free_security(msg);
4595 /* message queue security operations */
4596 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4598 struct task_security_struct *tsec;
4599 struct ipc_security_struct *isec;
4600 struct avc_audit_data ad;
4603 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4607 tsec = current->security;
4608 isec = msq->q_perm.security;
4610 AVC_AUDIT_DATA_INIT(&ad, IPC);
4611 ad.u.ipc_id = msq->q_perm.key;
4613 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4616 ipc_free_security(&msq->q_perm);
4622 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4624 ipc_free_security(&msq->q_perm);
4627 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4629 struct task_security_struct *tsec;
4630 struct ipc_security_struct *isec;
4631 struct avc_audit_data ad;
4633 tsec = current->security;
4634 isec = msq->q_perm.security;
4636 AVC_AUDIT_DATA_INIT(&ad, IPC);
4637 ad.u.ipc_id = msq->q_perm.key;
4639 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4640 MSGQ__ASSOCIATE, &ad);
4643 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4651 /* No specific object, just general system-wide information. */
4652 return task_has_system(current, SYSTEM__IPC_INFO);
4655 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4658 perms = MSGQ__SETATTR;
4661 perms = MSGQ__DESTROY;
4667 err = ipc_has_perm(&msq->q_perm, perms);
4671 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4673 struct task_security_struct *tsec;
4674 struct ipc_security_struct *isec;
4675 struct msg_security_struct *msec;
4676 struct avc_audit_data ad;
4679 tsec = current->security;
4680 isec = msq->q_perm.security;
4681 msec = msg->security;
4684 * First time through, need to assign label to the message
4686 if (msec->sid == SECINITSID_UNLABELED) {
4688 * Compute new sid based on current process and
4689 * message queue this message will be stored in
4691 rc = security_transition_sid(tsec->sid,
4699 AVC_AUDIT_DATA_INIT(&ad, IPC);
4700 ad.u.ipc_id = msq->q_perm.key;
4702 /* Can this process write to the queue? */
4703 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4706 /* Can this process send the message */
4707 rc = avc_has_perm(tsec->sid, msec->sid,
4708 SECCLASS_MSG, MSG__SEND, &ad);
4710 /* Can the message be put in the queue? */
4711 rc = avc_has_perm(msec->sid, isec->sid,
4712 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4717 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4718 struct task_struct *target,
4719 long type, int mode)
4721 struct task_security_struct *tsec;
4722 struct ipc_security_struct *isec;
4723 struct msg_security_struct *msec;
4724 struct avc_audit_data ad;
4727 tsec = target->security;
4728 isec = msq->q_perm.security;
4729 msec = msg->security;
4731 AVC_AUDIT_DATA_INIT(&ad, IPC);
4732 ad.u.ipc_id = msq->q_perm.key;
4734 rc = avc_has_perm(tsec->sid, isec->sid,
4735 SECCLASS_MSGQ, MSGQ__READ, &ad);
4737 rc = avc_has_perm(tsec->sid, msec->sid,
4738 SECCLASS_MSG, MSG__RECEIVE, &ad);
4742 /* Shared Memory security operations */
4743 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4745 struct task_security_struct *tsec;
4746 struct ipc_security_struct *isec;
4747 struct avc_audit_data ad;
4750 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4754 tsec = current->security;
4755 isec = shp->shm_perm.security;
4757 AVC_AUDIT_DATA_INIT(&ad, IPC);
4758 ad.u.ipc_id = shp->shm_perm.key;
4760 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4763 ipc_free_security(&shp->shm_perm);
4769 static void selinux_shm_free_security(struct shmid_kernel *shp)
4771 ipc_free_security(&shp->shm_perm);
4774 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4776 struct task_security_struct *tsec;
4777 struct ipc_security_struct *isec;
4778 struct avc_audit_data ad;
4780 tsec = current->security;
4781 isec = shp->shm_perm.security;
4783 AVC_AUDIT_DATA_INIT(&ad, IPC);
4784 ad.u.ipc_id = shp->shm_perm.key;
4786 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4787 SHM__ASSOCIATE, &ad);
4790 /* Note, at this point, shp is locked down */
4791 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4799 /* No specific object, just general system-wide information. */
4800 return task_has_system(current, SYSTEM__IPC_INFO);
4803 perms = SHM__GETATTR | SHM__ASSOCIATE;
4806 perms = SHM__SETATTR;
4813 perms = SHM__DESTROY;
4819 err = ipc_has_perm(&shp->shm_perm, perms);
4823 static int selinux_shm_shmat(struct shmid_kernel *shp,
4824 char __user *shmaddr, int shmflg)
4829 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4833 if (shmflg & SHM_RDONLY)
4836 perms = SHM__READ | SHM__WRITE;
4838 return ipc_has_perm(&shp->shm_perm, perms);
4841 /* Semaphore security operations */
4842 static int selinux_sem_alloc_security(struct sem_array *sma)
4844 struct task_security_struct *tsec;
4845 struct ipc_security_struct *isec;
4846 struct avc_audit_data ad;
4849 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4853 tsec = current->security;
4854 isec = sma->sem_perm.security;
4856 AVC_AUDIT_DATA_INIT(&ad, IPC);
4857 ad.u.ipc_id = sma->sem_perm.key;
4859 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4862 ipc_free_security(&sma->sem_perm);
4868 static void selinux_sem_free_security(struct sem_array *sma)
4870 ipc_free_security(&sma->sem_perm);
4873 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4875 struct task_security_struct *tsec;
4876 struct ipc_security_struct *isec;
4877 struct avc_audit_data ad;
4879 tsec = current->security;
4880 isec = sma->sem_perm.security;
4882 AVC_AUDIT_DATA_INIT(&ad, IPC);
4883 ad.u.ipc_id = sma->sem_perm.key;
4885 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4886 SEM__ASSOCIATE, &ad);
4889 /* Note, at this point, sma is locked down */
4890 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4898 /* No specific object, just general system-wide information. */
4899 return task_has_system(current, SYSTEM__IPC_INFO);
4903 perms = SEM__GETATTR;
4914 perms = SEM__DESTROY;
4917 perms = SEM__SETATTR;
4921 perms = SEM__GETATTR | SEM__ASSOCIATE;
4927 err = ipc_has_perm(&sma->sem_perm, perms);
4931 static int selinux_sem_semop(struct sem_array *sma,
4932 struct sembuf *sops, unsigned nsops, int alter)
4937 perms = SEM__READ | SEM__WRITE;
4941 return ipc_has_perm(&sma->sem_perm, perms);
4944 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4950 av |= IPC__UNIX_READ;
4952 av |= IPC__UNIX_WRITE;
4957 return ipc_has_perm(ipcp, av);
4960 /* module stacking operations */
4961 static int selinux_register_security (const char *name, struct security_operations *ops)
4963 if (secondary_ops != original_ops) {
4964 printk(KERN_ERR "%s: There is already a secondary security "
4965 "module registered.\n", __FUNCTION__);
4969 secondary_ops = ops;
4971 printk(KERN_INFO "%s: Registering secondary module %s\n",
4978 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4981 inode_doinit_with_dentry(inode, dentry);
4984 static int selinux_getprocattr(struct task_struct *p,
4985 char *name, char **value)
4987 struct task_security_struct *tsec;
4993 error = task_has_perm(current, p, PROCESS__GETATTR);
5000 if (!strcmp(name, "current"))
5002 else if (!strcmp(name, "prev"))
5004 else if (!strcmp(name, "exec"))
5005 sid = tsec->exec_sid;
5006 else if (!strcmp(name, "fscreate"))
5007 sid = tsec->create_sid;
5008 else if (!strcmp(name, "keycreate"))
5009 sid = tsec->keycreate_sid;
5010 else if (!strcmp(name, "sockcreate"))
5011 sid = tsec->sockcreate_sid;
5018 error = security_sid_to_context(sid, value, &len);
5024 static int selinux_setprocattr(struct task_struct *p,
5025 char *name, void *value, size_t size)
5027 struct task_security_struct *tsec;
5033 /* SELinux only allows a process to change its own
5034 security attributes. */
5039 * Basic control over ability to set these attributes at all.
5040 * current == p, but we'll pass them separately in case the
5041 * above restriction is ever removed.
5043 if (!strcmp(name, "exec"))
5044 error = task_has_perm(current, p, PROCESS__SETEXEC);
5045 else if (!strcmp(name, "fscreate"))
5046 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5047 else if (!strcmp(name, "keycreate"))
5048 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5049 else if (!strcmp(name, "sockcreate"))
5050 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5051 else if (!strcmp(name, "current"))
5052 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5058 /* Obtain a SID for the context, if one was specified. */
5059 if (size && str[1] && str[1] != '\n') {
5060 if (str[size-1] == '\n') {
5064 error = security_context_to_sid(value, size, &sid);
5069 /* Permission checking based on the specified context is
5070 performed during the actual operation (execve,
5071 open/mkdir/...), when we know the full context of the
5072 operation. See selinux_bprm_set_security for the execve
5073 checks and may_create for the file creation checks. The
5074 operation will then fail if the context is not permitted. */
5076 if (!strcmp(name, "exec"))
5077 tsec->exec_sid = sid;
5078 else if (!strcmp(name, "fscreate"))
5079 tsec->create_sid = sid;
5080 else if (!strcmp(name, "keycreate")) {
5081 error = may_create_key(sid, p);
5084 tsec->keycreate_sid = sid;
5085 } else if (!strcmp(name, "sockcreate"))
5086 tsec->sockcreate_sid = sid;
5087 else if (!strcmp(name, "current")) {
5088 struct av_decision avd;
5093 /* Only allow single threaded processes to change context */
5094 if (atomic_read(&p->mm->mm_users) != 1) {
5095 struct task_struct *g, *t;
5096 struct mm_struct *mm = p->mm;
5097 read_lock(&tasklist_lock);
5098 do_each_thread(g, t)
5099 if (t->mm == mm && t != p) {
5100 read_unlock(&tasklist_lock);
5103 while_each_thread(g, t);
5104 read_unlock(&tasklist_lock);
5107 /* Check permissions for the transition. */
5108 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5109 PROCESS__DYNTRANSITION, NULL);
5113 /* Check for ptracing, and update the task SID if ok.
5114 Otherwise, leave SID unchanged and fail. */
5116 if (p->ptrace & PT_PTRACED) {
5117 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
5119 PROCESS__PTRACE, 0, &avd);
5123 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
5124 PROCESS__PTRACE, &avd, error, NULL);
5138 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5140 return security_sid_to_context(secid, secdata, seclen);
5143 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5145 return security_context_to_sid(secdata, seclen, secid);
5148 static void selinux_release_secctx(char *secdata, u32 seclen)
5155 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5156 unsigned long flags)
5158 struct task_security_struct *tsec = tsk->security;
5159 struct key_security_struct *ksec;
5161 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5166 if (tsec->keycreate_sid)
5167 ksec->sid = tsec->keycreate_sid;
5169 ksec->sid = tsec->sid;
5175 static void selinux_key_free(struct key *k)
5177 struct key_security_struct *ksec = k->security;
5183 static int selinux_key_permission(key_ref_t key_ref,
5184 struct task_struct *ctx,
5188 struct task_security_struct *tsec;
5189 struct key_security_struct *ksec;
5191 key = key_ref_to_ptr(key_ref);
5193 tsec = ctx->security;
5194 ksec = key->security;
5196 /* if no specific permissions are requested, we skip the
5197 permission check. No serious, additional covert channels
5198 appear to be created. */
5202 return avc_has_perm(tsec->sid, ksec->sid,
5203 SECCLASS_KEY, perm, NULL);
5208 static struct security_operations selinux_ops = {
5209 .ptrace = selinux_ptrace,
5210 .capget = selinux_capget,
5211 .capset_check = selinux_capset_check,
5212 .capset_set = selinux_capset_set,
5213 .sysctl = selinux_sysctl,
5214 .capable = selinux_capable,
5215 .quotactl = selinux_quotactl,
5216 .quota_on = selinux_quota_on,
5217 .syslog = selinux_syslog,
5218 .vm_enough_memory = selinux_vm_enough_memory,
5220 .netlink_send = selinux_netlink_send,
5221 .netlink_recv = selinux_netlink_recv,
5223 .bprm_alloc_security = selinux_bprm_alloc_security,
5224 .bprm_free_security = selinux_bprm_free_security,
5225 .bprm_apply_creds = selinux_bprm_apply_creds,
5226 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5227 .bprm_set_security = selinux_bprm_set_security,
5228 .bprm_check_security = selinux_bprm_check_security,
5229 .bprm_secureexec = selinux_bprm_secureexec,
5231 .sb_alloc_security = selinux_sb_alloc_security,
5232 .sb_free_security = selinux_sb_free_security,
5233 .sb_copy_data = selinux_sb_copy_data,
5234 .sb_kern_mount = selinux_sb_kern_mount,
5235 .sb_statfs = selinux_sb_statfs,
5236 .sb_mount = selinux_mount,
5237 .sb_umount = selinux_umount,
5238 .sb_get_mnt_opts = selinux_get_mnt_opts,
5239 .sb_set_mnt_opts = selinux_set_mnt_opts,
5240 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5242 .inode_alloc_security = selinux_inode_alloc_security,
5243 .inode_free_security = selinux_inode_free_security,
5244 .inode_init_security = selinux_inode_init_security,
5245 .inode_create = selinux_inode_create,
5246 .inode_link = selinux_inode_link,
5247 .inode_unlink = selinux_inode_unlink,
5248 .inode_symlink = selinux_inode_symlink,
5249 .inode_mkdir = selinux_inode_mkdir,
5250 .inode_rmdir = selinux_inode_rmdir,
5251 .inode_mknod = selinux_inode_mknod,
5252 .inode_rename = selinux_inode_rename,
5253 .inode_readlink = selinux_inode_readlink,
5254 .inode_follow_link = selinux_inode_follow_link,
5255 .inode_permission = selinux_inode_permission,
5256 .inode_setattr = selinux_inode_setattr,
5257 .inode_getattr = selinux_inode_getattr,
5258 .inode_setxattr = selinux_inode_setxattr,
5259 .inode_post_setxattr = selinux_inode_post_setxattr,
5260 .inode_getxattr = selinux_inode_getxattr,
5261 .inode_listxattr = selinux_inode_listxattr,
5262 .inode_removexattr = selinux_inode_removexattr,
5263 .inode_getsecurity = selinux_inode_getsecurity,
5264 .inode_setsecurity = selinux_inode_setsecurity,
5265 .inode_listsecurity = selinux_inode_listsecurity,
5266 .inode_need_killpriv = selinux_inode_need_killpriv,
5267 .inode_killpriv = selinux_inode_killpriv,
5269 .file_permission = selinux_file_permission,
5270 .file_alloc_security = selinux_file_alloc_security,
5271 .file_free_security = selinux_file_free_security,
5272 .file_ioctl = selinux_file_ioctl,
5273 .file_mmap = selinux_file_mmap,
5274 .file_mprotect = selinux_file_mprotect,
5275 .file_lock = selinux_file_lock,
5276 .file_fcntl = selinux_file_fcntl,
5277 .file_set_fowner = selinux_file_set_fowner,
5278 .file_send_sigiotask = selinux_file_send_sigiotask,
5279 .file_receive = selinux_file_receive,
5281 .dentry_open = selinux_dentry_open,
5283 .task_create = selinux_task_create,
5284 .task_alloc_security = selinux_task_alloc_security,
5285 .task_free_security = selinux_task_free_security,
5286 .task_setuid = selinux_task_setuid,
5287 .task_post_setuid = selinux_task_post_setuid,
5288 .task_setgid = selinux_task_setgid,
5289 .task_setpgid = selinux_task_setpgid,
5290 .task_getpgid = selinux_task_getpgid,
5291 .task_getsid = selinux_task_getsid,
5292 .task_getsecid = selinux_task_getsecid,
5293 .task_setgroups = selinux_task_setgroups,
5294 .task_setnice = selinux_task_setnice,
5295 .task_setioprio = selinux_task_setioprio,
5296 .task_getioprio = selinux_task_getioprio,
5297 .task_setrlimit = selinux_task_setrlimit,
5298 .task_setscheduler = selinux_task_setscheduler,
5299 .task_getscheduler = selinux_task_getscheduler,
5300 .task_movememory = selinux_task_movememory,
5301 .task_kill = selinux_task_kill,
5302 .task_wait = selinux_task_wait,
5303 .task_prctl = selinux_task_prctl,
5304 .task_reparent_to_init = selinux_task_reparent_to_init,
5305 .task_to_inode = selinux_task_to_inode,
5307 .ipc_permission = selinux_ipc_permission,
5309 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5310 .msg_msg_free_security = selinux_msg_msg_free_security,
5312 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5313 .msg_queue_free_security = selinux_msg_queue_free_security,
5314 .msg_queue_associate = selinux_msg_queue_associate,
5315 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5316 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5317 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5319 .shm_alloc_security = selinux_shm_alloc_security,
5320 .shm_free_security = selinux_shm_free_security,
5321 .shm_associate = selinux_shm_associate,
5322 .shm_shmctl = selinux_shm_shmctl,
5323 .shm_shmat = selinux_shm_shmat,
5325 .sem_alloc_security = selinux_sem_alloc_security,
5326 .sem_free_security = selinux_sem_free_security,
5327 .sem_associate = selinux_sem_associate,
5328 .sem_semctl = selinux_sem_semctl,
5329 .sem_semop = selinux_sem_semop,
5331 .register_security = selinux_register_security,
5333 .d_instantiate = selinux_d_instantiate,
5335 .getprocattr = selinux_getprocattr,
5336 .setprocattr = selinux_setprocattr,
5338 .secid_to_secctx = selinux_secid_to_secctx,
5339 .secctx_to_secid = selinux_secctx_to_secid,
5340 .release_secctx = selinux_release_secctx,
5342 .unix_stream_connect = selinux_socket_unix_stream_connect,
5343 .unix_may_send = selinux_socket_unix_may_send,
5345 .socket_create = selinux_socket_create,
5346 .socket_post_create = selinux_socket_post_create,
5347 .socket_bind = selinux_socket_bind,
5348 .socket_connect = selinux_socket_connect,
5349 .socket_listen = selinux_socket_listen,
5350 .socket_accept = selinux_socket_accept,
5351 .socket_sendmsg = selinux_socket_sendmsg,
5352 .socket_recvmsg = selinux_socket_recvmsg,
5353 .socket_getsockname = selinux_socket_getsockname,
5354 .socket_getpeername = selinux_socket_getpeername,
5355 .socket_getsockopt = selinux_socket_getsockopt,
5356 .socket_setsockopt = selinux_socket_setsockopt,
5357 .socket_shutdown = selinux_socket_shutdown,
5358 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5359 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5360 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5361 .sk_alloc_security = selinux_sk_alloc_security,
5362 .sk_free_security = selinux_sk_free_security,
5363 .sk_clone_security = selinux_sk_clone_security,
5364 .sk_getsecid = selinux_sk_getsecid,
5365 .sock_graft = selinux_sock_graft,
5366 .inet_conn_request = selinux_inet_conn_request,
5367 .inet_csk_clone = selinux_inet_csk_clone,
5368 .inet_conn_established = selinux_inet_conn_established,
5369 .req_classify_flow = selinux_req_classify_flow,
5371 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5372 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5373 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5374 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5375 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5376 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5377 .xfrm_state_free_security = selinux_xfrm_state_free,
5378 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5379 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5380 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5381 .xfrm_decode_session = selinux_xfrm_decode_session,
5385 .key_alloc = selinux_key_alloc,
5386 .key_free = selinux_key_free,
5387 .key_permission = selinux_key_permission,
5391 static __init int selinux_init(void)
5393 struct task_security_struct *tsec;
5395 if (!selinux_enabled) {
5396 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5400 printk(KERN_INFO "SELinux: Initializing.\n");
5402 /* Set the security state for the initial task. */
5403 if (task_alloc_security(current))
5404 panic("SELinux: Failed to initialize initial task.\n");
5405 tsec = current->security;
5406 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5408 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5409 sizeof(struct inode_security_struct),
5410 0, SLAB_PANIC, NULL);
5413 original_ops = secondary_ops = security_ops;
5415 panic ("SELinux: No initial security operations\n");
5416 if (register_security (&selinux_ops))
5417 panic("SELinux: Unable to register with kernel.\n");
5419 if (selinux_enforcing) {
5420 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5422 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5426 /* Add security information to initial keyrings */
5427 selinux_key_alloc(&root_user_keyring, current,
5428 KEY_ALLOC_NOT_IN_QUOTA);
5429 selinux_key_alloc(&root_session_keyring, current,
5430 KEY_ALLOC_NOT_IN_QUOTA);
5436 void selinux_complete_init(void)
5438 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5440 /* Set up any superblocks initialized prior to the policy load. */
5441 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5442 spin_lock(&sb_lock);
5443 spin_lock(&sb_security_lock);
5445 if (!list_empty(&superblock_security_head)) {
5446 struct superblock_security_struct *sbsec =
5447 list_entry(superblock_security_head.next,
5448 struct superblock_security_struct,
5450 struct super_block *sb = sbsec->sb;
5452 spin_unlock(&sb_security_lock);
5453 spin_unlock(&sb_lock);
5454 down_read(&sb->s_umount);
5456 superblock_doinit(sb, NULL);
5458 spin_lock(&sb_lock);
5459 spin_lock(&sb_security_lock);
5460 list_del_init(&sbsec->list);
5463 spin_unlock(&sb_security_lock);
5464 spin_unlock(&sb_lock);
5467 /* SELinux requires early initialization in order to label
5468 all processes and objects when they are created. */
5469 security_initcall(selinux_init);
5471 #if defined(CONFIG_NETFILTER)
5473 static struct nf_hook_ops selinux_ipv4_ops[] = {
5475 .hook = selinux_ipv4_postroute,
5476 .owner = THIS_MODULE,
5478 .hooknum = NF_INET_POST_ROUTING,
5479 .priority = NF_IP_PRI_SELINUX_LAST,
5482 .hook = selinux_ipv4_forward,
5483 .owner = THIS_MODULE,
5485 .hooknum = NF_INET_FORWARD,
5486 .priority = NF_IP_PRI_SELINUX_FIRST,
5490 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5492 static struct nf_hook_ops selinux_ipv6_ops[] = {
5494 .hook = selinux_ipv6_postroute,
5495 .owner = THIS_MODULE,
5497 .hooknum = NF_INET_POST_ROUTING,
5498 .priority = NF_IP6_PRI_SELINUX_LAST,
5501 .hook = selinux_ipv6_forward,
5502 .owner = THIS_MODULE,
5504 .hooknum = NF_INET_FORWARD,
5505 .priority = NF_IP6_PRI_SELINUX_FIRST,
5511 static int __init selinux_nf_ip_init(void)
5516 if (!selinux_enabled)
5519 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5521 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5522 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5524 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5528 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5529 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5530 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5532 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5541 __initcall(selinux_nf_ip_init);
5543 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5544 static void selinux_nf_ip_exit(void)
5548 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5550 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5551 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5552 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5553 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5554 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5559 #else /* CONFIG_NETFILTER */
5561 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5562 #define selinux_nf_ip_exit()
5565 #endif /* CONFIG_NETFILTER */
5567 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5568 int selinux_disable(void)
5570 extern void exit_sel_fs(void);
5571 static int selinux_disabled = 0;
5573 if (ss_initialized) {
5574 /* Not permitted after initial policy load. */
5578 if (selinux_disabled) {
5579 /* Only do this once. */
5583 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5585 selinux_disabled = 1;
5586 selinux_enabled = 0;
5588 /* Reset security_ops to the secondary module, dummy or capability. */
5589 security_ops = secondary_ops;
5591 /* Unregister netfilter hooks. */
5592 selinux_nf_ip_exit();
5594 /* Unregister selinuxfs. */