2  *  NSA Security-Enhanced Linux (SELinux) security module
 
   4  *  This file contains the SELinux hook function implementations.
 
   6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
 
   7  *            Chris Vance, <cvance@nai.com>
 
   8  *            Wayne Salamon, <wsalamon@nai.com>
 
   9  *            James Morris <jmorris@redhat.com>
 
  11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
 
  12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
 
  13  *                                         Eric Paris <eparis@redhat.com>
 
  14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
 
  15  *                          <dgoeddel@trustedcs.com>
 
  16  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
 
  17  *              Paul Moore <paul.moore@hp.com>
 
  18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
 
  19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
 
  21  *      This program is free software; you can redistribute it and/or modify
 
  22  *      it under the terms of the GNU General Public License version 2,
 
  23  *      as published by the Free Software Foundation.
 
  26 #include <linux/init.h>
 
  27 #include <linux/kernel.h>
 
  28 #include <linux/tracehook.h>
 
  29 #include <linux/errno.h>
 
  30 #include <linux/sched.h>
 
  31 #include <linux/security.h>
 
  32 #include <linux/xattr.h>
 
  33 #include <linux/capability.h>
 
  34 #include <linux/unistd.h>
 
  36 #include <linux/mman.h>
 
  37 #include <linux/slab.h>
 
  38 #include <linux/pagemap.h>
 
  39 #include <linux/swap.h>
 
  40 #include <linux/spinlock.h>
 
  41 #include <linux/syscalls.h>
 
  42 #include <linux/file.h>
 
  43 #include <linux/fdtable.h>
 
  44 #include <linux/namei.h>
 
  45 #include <linux/mount.h>
 
  46 #include <linux/proc_fs.h>
 
  47 #include <linux/netfilter_ipv4.h>
 
  48 #include <linux/netfilter_ipv6.h>
 
  49 #include <linux/tty.h>
 
  51 #include <net/ip.h>             /* for local_port_range[] */
 
  52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
 
  53 #include <net/net_namespace.h>
 
  54 #include <net/netlabel.h>
 
  55 #include <linux/uaccess.h>
 
  56 #include <asm/ioctls.h>
 
  57 #include <asm/atomic.h>
 
  58 #include <linux/bitops.h>
 
  59 #include <linux/interrupt.h>
 
  60 #include <linux/netdevice.h>    /* for network interface checks */
 
  61 #include <linux/netlink.h>
 
  62 #include <linux/tcp.h>
 
  63 #include <linux/udp.h>
 
  64 #include <linux/dccp.h>
 
  65 #include <linux/quota.h>
 
  66 #include <linux/un.h>           /* for Unix socket types */
 
  67 #include <net/af_unix.h>        /* for Unix socket types */
 
  68 #include <linux/parser.h>
 
  69 #include <linux/nfs_mount.h>
 
  71 #include <linux/hugetlb.h>
 
  72 #include <linux/personality.h>
 
  73 #include <linux/sysctl.h>
 
  74 #include <linux/audit.h>
 
  75 #include <linux/string.h>
 
  76 #include <linux/selinux.h>
 
  77 #include <linux/mutex.h>
 
  88 #define XATTR_SELINUX_SUFFIX "selinux"
 
  89 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
 
  91 #define NUM_SEL_MNT_OPTS 4
 
  93 extern unsigned int policydb_loaded_version;
 
  94 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
 
  95 extern int selinux_compat_net;
 
  96 extern struct security_operations *security_ops;
 
  98 /* SECMARK reference count */
 
  99 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
 
 101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
 
 102 int selinux_enforcing;
 
 104 static int __init enforcing_setup(char *str)
 
 106         unsigned long enforcing;
 
 107         if (!strict_strtoul(str, 0, &enforcing))
 
 108                 selinux_enforcing = enforcing ? 1 : 0;
 
 111 __setup("enforcing=", enforcing_setup);
 
 114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
 
 115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
 
 117 static int __init selinux_enabled_setup(char *str)
 
 119         unsigned long enabled;
 
 120         if (!strict_strtoul(str, 0, &enabled))
 
 121                 selinux_enabled = enabled ? 1 : 0;
 
 124 __setup("selinux=", selinux_enabled_setup);
 
 126 int selinux_enabled = 1;
 
 131  * Minimal support for a secondary security module,
 
 132  * just to allow the use of the capability module.
 
 134 static struct security_operations *secondary_ops;
 
 136 /* Lists of inode and superblock security structures initialized
 
 137    before the policy was loaded. */
 
 138 static LIST_HEAD(superblock_security_head);
 
 139 static DEFINE_SPINLOCK(sb_security_lock);
 
 141 static struct kmem_cache *sel_inode_cache;
 
 144  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
 
 147  * This function checks the SECMARK reference counter to see if any SECMARK
 
 148  * targets are currently configured, if the reference counter is greater than
 
 149  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
 
 150  * enabled, false (0) if SECMARK is disabled.
 
 153 static int selinux_secmark_enabled(void)
 
 155         return (atomic_read(&selinux_secmark_refcount) > 0);
 
 158 /* Allocate and free functions for each kind of security blob. */
 
 160 static int task_alloc_security(struct task_struct *task)
 
 162         struct task_security_struct *tsec;
 
 164         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
 
 168         tsec->osid = tsec->sid = SECINITSID_UNLABELED;
 
 169         task->security = tsec;
 
 174 static void task_free_security(struct task_struct *task)
 
 176         struct task_security_struct *tsec = task->security;
 
 177         task->security = NULL;
 
 181 static int inode_alloc_security(struct inode *inode)
 
 183         struct task_security_struct *tsec = current->security;
 
 184         struct inode_security_struct *isec;
 
 186         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
 
 190         mutex_init(&isec->lock);
 
 191         INIT_LIST_HEAD(&isec->list);
 
 193         isec->sid = SECINITSID_UNLABELED;
 
 194         isec->sclass = SECCLASS_FILE;
 
 195         isec->task_sid = tsec->sid;
 
 196         inode->i_security = isec;
 
 201 static void inode_free_security(struct inode *inode)
 
 203         struct inode_security_struct *isec = inode->i_security;
 
 204         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
 
 206         spin_lock(&sbsec->isec_lock);
 
 207         if (!list_empty(&isec->list))
 
 208                 list_del_init(&isec->list);
 
 209         spin_unlock(&sbsec->isec_lock);
 
 211         inode->i_security = NULL;
 
 212         kmem_cache_free(sel_inode_cache, isec);
 
 215 static int file_alloc_security(struct file *file)
 
 217         struct task_security_struct *tsec = current->security;
 
 218         struct file_security_struct *fsec;
 
 220         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
 
 224         fsec->sid = tsec->sid;
 
 225         fsec->fown_sid = tsec->sid;
 
 226         file->f_security = fsec;
 
 231 static void file_free_security(struct file *file)
 
 233         struct file_security_struct *fsec = file->f_security;
 
 234         file->f_security = NULL;
 
 238 static int superblock_alloc_security(struct super_block *sb)
 
 240         struct superblock_security_struct *sbsec;
 
 242         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
 
 246         mutex_init(&sbsec->lock);
 
 247         INIT_LIST_HEAD(&sbsec->list);
 
 248         INIT_LIST_HEAD(&sbsec->isec_head);
 
 249         spin_lock_init(&sbsec->isec_lock);
 
 251         sbsec->sid = SECINITSID_UNLABELED;
 
 252         sbsec->def_sid = SECINITSID_FILE;
 
 253         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
 
 254         sb->s_security = sbsec;
 
 259 static void superblock_free_security(struct super_block *sb)
 
 261         struct superblock_security_struct *sbsec = sb->s_security;
 
 263         spin_lock(&sb_security_lock);
 
 264         if (!list_empty(&sbsec->list))
 
 265                 list_del_init(&sbsec->list);
 
 266         spin_unlock(&sb_security_lock);
 
 268         sb->s_security = NULL;
 
 272 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
 
 274         struct sk_security_struct *ssec;
 
 276         ssec = kzalloc(sizeof(*ssec), priority);
 
 280         ssec->peer_sid = SECINITSID_UNLABELED;
 
 281         ssec->sid = SECINITSID_UNLABELED;
 
 282         sk->sk_security = ssec;
 
 284         selinux_netlbl_sk_security_reset(ssec, family);
 
 289 static void sk_free_security(struct sock *sk)
 
 291         struct sk_security_struct *ssec = sk->sk_security;
 
 293         sk->sk_security = NULL;
 
 297 /* The security server must be initialized before
 
 298    any labeling or access decisions can be provided. */
 
 299 extern int ss_initialized;
 
 301 /* The file system's label must be initialized prior to use. */
 
 303 static char *labeling_behaviors[6] = {
 
 305         "uses transition SIDs",
 
 307         "uses genfs_contexts",
 
 308         "not configured for labeling",
 
 309         "uses mountpoint labeling",
 
 312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
 
 314 static inline int inode_doinit(struct inode *inode)
 
 316         return inode_doinit_with_dentry(inode, NULL);
 
 327 static match_table_t tokens = {
 
 328         {Opt_context, CONTEXT_STR "%s"},
 
 329         {Opt_fscontext, FSCONTEXT_STR "%s"},
 
 330         {Opt_defcontext, DEFCONTEXT_STR "%s"},
 
 331         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
 
 335 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
 
 337 static int may_context_mount_sb_relabel(u32 sid,
 
 338                         struct superblock_security_struct *sbsec,
 
 339                         struct task_security_struct *tsec)
 
 343         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
 
 344                           FILESYSTEM__RELABELFROM, NULL);
 
 348         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
 
 349                           FILESYSTEM__RELABELTO, NULL);
 
 353 static int may_context_mount_inode_relabel(u32 sid,
 
 354                         struct superblock_security_struct *sbsec,
 
 355                         struct task_security_struct *tsec)
 
 358         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
 
 359                           FILESYSTEM__RELABELFROM, NULL);
 
 363         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
 
 364                           FILESYSTEM__ASSOCIATE, NULL);
 
 368 static int sb_finish_set_opts(struct super_block *sb)
 
 370         struct superblock_security_struct *sbsec = sb->s_security;
 
 371         struct dentry *root = sb->s_root;
 
 372         struct inode *root_inode = root->d_inode;
 
 375         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
 
 376                 /* Make sure that the xattr handler exists and that no
 
 377                    error other than -ENODATA is returned by getxattr on
 
 378                    the root directory.  -ENODATA is ok, as this may be
 
 379                    the first boot of the SELinux kernel before we have
 
 380                    assigned xattr values to the filesystem. */
 
 381                 if (!root_inode->i_op->getxattr) {
 
 382                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
 
 383                                "xattr support\n", sb->s_id, sb->s_type->name);
 
 387                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
 
 388                 if (rc < 0 && rc != -ENODATA) {
 
 389                         if (rc == -EOPNOTSUPP)
 
 390                                 printk(KERN_WARNING "SELinux: (dev %s, type "
 
 391                                        "%s) has no security xattr handler\n",
 
 392                                        sb->s_id, sb->s_type->name);
 
 394                                 printk(KERN_WARNING "SELinux: (dev %s, type "
 
 395                                        "%s) getxattr errno %d\n", sb->s_id,
 
 396                                        sb->s_type->name, -rc);
 
 401         sbsec->initialized = 1;
 
 403         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
 
 404                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
 
 405                        sb->s_id, sb->s_type->name);
 
 407                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
 
 408                        sb->s_id, sb->s_type->name,
 
 409                        labeling_behaviors[sbsec->behavior-1]);
 
 411         /* Initialize the root inode. */
 
 412         rc = inode_doinit_with_dentry(root_inode, root);
 
 414         /* Initialize any other inodes associated with the superblock, e.g.
 
 415            inodes created prior to initial policy load or inodes created
 
 416            during get_sb by a pseudo filesystem that directly
 
 418         spin_lock(&sbsec->isec_lock);
 
 420         if (!list_empty(&sbsec->isec_head)) {
 
 421                 struct inode_security_struct *isec =
 
 422                                 list_entry(sbsec->isec_head.next,
 
 423                                            struct inode_security_struct, list);
 
 424                 struct inode *inode = isec->inode;
 
 425                 spin_unlock(&sbsec->isec_lock);
 
 426                 inode = igrab(inode);
 
 428                         if (!IS_PRIVATE(inode))
 
 432                 spin_lock(&sbsec->isec_lock);
 
 433                 list_del_init(&isec->list);
 
 436         spin_unlock(&sbsec->isec_lock);
 
 442  * This function should allow an FS to ask what it's mount security
 
 443  * options were so it can use those later for submounts, displaying
 
 444  * mount options, or whatever.
 
 446 static int selinux_get_mnt_opts(const struct super_block *sb,
 
 447                                 struct security_mnt_opts *opts)
 
 450         struct superblock_security_struct *sbsec = sb->s_security;
 
 451         char *context = NULL;
 
 455         security_init_mnt_opts(opts);
 
 457         if (!sbsec->initialized)
 
 464          * if we ever use sbsec flags for anything other than tracking mount
 
 465          * settings this is going to need a mask
 
 468         /* count the number of mount options for this sb */
 
 469         for (i = 0; i < 8; i++) {
 
 471                         opts->num_mnt_opts++;
 
 475         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
 
 476         if (!opts->mnt_opts) {
 
 481         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
 
 482         if (!opts->mnt_opts_flags) {
 
 488         if (sbsec->flags & FSCONTEXT_MNT) {
 
 489                 rc = security_sid_to_context(sbsec->sid, &context, &len);
 
 492                 opts->mnt_opts[i] = context;
 
 493                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
 
 495         if (sbsec->flags & CONTEXT_MNT) {
 
 496                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
 
 499                 opts->mnt_opts[i] = context;
 
 500                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
 
 502         if (sbsec->flags & DEFCONTEXT_MNT) {
 
 503                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
 
 506                 opts->mnt_opts[i] = context;
 
 507                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
 
 509         if (sbsec->flags & ROOTCONTEXT_MNT) {
 
 510                 struct inode *root = sbsec->sb->s_root->d_inode;
 
 511                 struct inode_security_struct *isec = root->i_security;
 
 513                 rc = security_sid_to_context(isec->sid, &context, &len);
 
 516                 opts->mnt_opts[i] = context;
 
 517                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
 
 520         BUG_ON(i != opts->num_mnt_opts);
 
 525         security_free_mnt_opts(opts);
 
 529 static int bad_option(struct superblock_security_struct *sbsec, char flag,
 
 530                       u32 old_sid, u32 new_sid)
 
 532         /* check if the old mount command had the same options */
 
 533         if (sbsec->initialized)
 
 534                 if (!(sbsec->flags & flag) ||
 
 535                     (old_sid != new_sid))
 
 538         /* check if we were passed the same options twice,
 
 539          * aka someone passed context=a,context=b
 
 541         if (!sbsec->initialized)
 
 542                 if (sbsec->flags & flag)
 
 548  * Allow filesystems with binary mount data to explicitly set mount point
 
 549  * labeling information.
 
 551 static int selinux_set_mnt_opts(struct super_block *sb,
 
 552                                 struct security_mnt_opts *opts)
 
 555         struct task_security_struct *tsec = current->security;
 
 556         struct superblock_security_struct *sbsec = sb->s_security;
 
 557         const char *name = sb->s_type->name;
 
 558         struct inode *inode = sbsec->sb->s_root->d_inode;
 
 559         struct inode_security_struct *root_isec = inode->i_security;
 
 560         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
 
 561         u32 defcontext_sid = 0;
 
 562         char **mount_options = opts->mnt_opts;
 
 563         int *flags = opts->mnt_opts_flags;
 
 564         int num_opts = opts->num_mnt_opts;
 
 566         mutex_lock(&sbsec->lock);
 
 568         if (!ss_initialized) {
 
 570                         /* Defer initialization until selinux_complete_init,
 
 571                            after the initial policy is loaded and the security
 
 572                            server is ready to handle calls. */
 
 573                         spin_lock(&sb_security_lock);
 
 574                         if (list_empty(&sbsec->list))
 
 575                                 list_add(&sbsec->list, &superblock_security_head);
 
 576                         spin_unlock(&sb_security_lock);
 
 580                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
 
 581                         "before the security server is initialized\n");
 
 586          * Binary mount data FS will come through this function twice.  Once
 
 587          * from an explicit call and once from the generic calls from the vfs.
 
 588          * Since the generic VFS calls will not contain any security mount data
 
 589          * we need to skip the double mount verification.
 
 591          * This does open a hole in which we will not notice if the first
 
 592          * mount using this sb set explict options and a second mount using
 
 593          * this sb does not set any security options.  (The first options
 
 594          * will be used for both mounts)
 
 596         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
 
 601          * parse the mount options, check if they are valid sids.
 
 602          * also check if someone is trying to mount the same sb more
 
 603          * than once with different security options.
 
 605         for (i = 0; i < num_opts; i++) {
 
 607                 rc = security_context_to_sid(mount_options[i],
 
 608                                              strlen(mount_options[i]), &sid);
 
 610                         printk(KERN_WARNING "SELinux: security_context_to_sid"
 
 611                                "(%s) failed for (dev %s, type %s) errno=%d\n",
 
 612                                mount_options[i], sb->s_id, name, rc);
 
 619                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
 
 621                                 goto out_double_mount;
 
 623                         sbsec->flags |= FSCONTEXT_MNT;
 
 628                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
 
 630                                 goto out_double_mount;
 
 632                         sbsec->flags |= CONTEXT_MNT;
 
 634                 case ROOTCONTEXT_MNT:
 
 635                         rootcontext_sid = sid;
 
 637                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
 
 639                                 goto out_double_mount;
 
 641                         sbsec->flags |= ROOTCONTEXT_MNT;
 
 645                         defcontext_sid = sid;
 
 647                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
 
 649                                 goto out_double_mount;
 
 651                         sbsec->flags |= DEFCONTEXT_MNT;
 
 660         if (sbsec->initialized) {
 
 661                 /* previously mounted with options, but not on this attempt? */
 
 662                 if (sbsec->flags && !num_opts)
 
 663                         goto out_double_mount;
 
 668         if (strcmp(sb->s_type->name, "proc") == 0)
 
 671         /* Determine the labeling behavior to use for this filesystem type. */
 
 672         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
 
 674                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
 
 675                        __func__, sb->s_type->name, rc);
 
 679         /* sets the context of the superblock for the fs being mounted. */
 
 682                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
 
 686                 sbsec->sid = fscontext_sid;
 
 690          * Switch to using mount point labeling behavior.
 
 691          * sets the label used on all file below the mountpoint, and will set
 
 692          * the superblock context if not already set.
 
 695                 if (!fscontext_sid) {
 
 696                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
 
 699                         sbsec->sid = context_sid;
 
 701                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
 
 705                 if (!rootcontext_sid)
 
 706                         rootcontext_sid = context_sid;
 
 708                 sbsec->mntpoint_sid = context_sid;
 
 709                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
 
 712         if (rootcontext_sid) {
 
 713                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
 
 717                 root_isec->sid = rootcontext_sid;
 
 718                 root_isec->initialized = 1;
 
 721         if (defcontext_sid) {
 
 722                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
 
 724                         printk(KERN_WARNING "SELinux: defcontext option is "
 
 725                                "invalid for this filesystem type\n");
 
 729                 if (defcontext_sid != sbsec->def_sid) {
 
 730                         rc = may_context_mount_inode_relabel(defcontext_sid,
 
 736                 sbsec->def_sid = defcontext_sid;
 
 739         rc = sb_finish_set_opts(sb);
 
 741         mutex_unlock(&sbsec->lock);
 
 745         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
 
 746                "security settings for (dev %s, type %s)\n", sb->s_id, name);
 
 750 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
 
 751                                         struct super_block *newsb)
 
 753         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
 
 754         struct superblock_security_struct *newsbsec = newsb->s_security;
 
 756         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
 
 757         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
 
 758         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
 
 761          * if the parent was able to be mounted it clearly had no special lsm
 
 762          * mount options.  thus we can safely put this sb on the list and deal
 
 765         if (!ss_initialized) {
 
 766                 spin_lock(&sb_security_lock);
 
 767                 if (list_empty(&newsbsec->list))
 
 768                         list_add(&newsbsec->list, &superblock_security_head);
 
 769                 spin_unlock(&sb_security_lock);
 
 773         /* how can we clone if the old one wasn't set up?? */
 
 774         BUG_ON(!oldsbsec->initialized);
 
 776         /* if fs is reusing a sb, just let its options stand... */
 
 777         if (newsbsec->initialized)
 
 780         mutex_lock(&newsbsec->lock);
 
 782         newsbsec->flags = oldsbsec->flags;
 
 784         newsbsec->sid = oldsbsec->sid;
 
 785         newsbsec->def_sid = oldsbsec->def_sid;
 
 786         newsbsec->behavior = oldsbsec->behavior;
 
 789                 u32 sid = oldsbsec->mntpoint_sid;
 
 793                 if (!set_rootcontext) {
 
 794                         struct inode *newinode = newsb->s_root->d_inode;
 
 795                         struct inode_security_struct *newisec = newinode->i_security;
 
 798                 newsbsec->mntpoint_sid = sid;
 
 800         if (set_rootcontext) {
 
 801                 const struct inode *oldinode = oldsb->s_root->d_inode;
 
 802                 const struct inode_security_struct *oldisec = oldinode->i_security;
 
 803                 struct inode *newinode = newsb->s_root->d_inode;
 
 804                 struct inode_security_struct *newisec = newinode->i_security;
 
 806                 newisec->sid = oldisec->sid;
 
 809         sb_finish_set_opts(newsb);
 
 810         mutex_unlock(&newsbsec->lock);
 
 813 static int selinux_parse_opts_str(char *options,
 
 814                                   struct security_mnt_opts *opts)
 
 817         char *context = NULL, *defcontext = NULL;
 
 818         char *fscontext = NULL, *rootcontext = NULL;
 
 819         int rc, num_mnt_opts = 0;
 
 821         opts->num_mnt_opts = 0;
 
 823         /* Standard string-based options. */
 
 824         while ((p = strsep(&options, "|")) != NULL) {
 
 826                 substring_t args[MAX_OPT_ARGS];
 
 831                 token = match_token(p, tokens, args);
 
 835                         if (context || defcontext) {
 
 837                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 
 840                         context = match_strdup(&args[0]);
 
 850                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 
 853                         fscontext = match_strdup(&args[0]);
 
 860                 case Opt_rootcontext:
 
 863                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 
 866                         rootcontext = match_strdup(&args[0]);
 
 874                         if (context || defcontext) {
 
 876                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
 
 879                         defcontext = match_strdup(&args[0]);
 
 888                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
 
 895         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
 
 899         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
 
 900         if (!opts->mnt_opts_flags) {
 
 901                 kfree(opts->mnt_opts);
 
 906                 opts->mnt_opts[num_mnt_opts] = fscontext;
 
 907                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
 
 910                 opts->mnt_opts[num_mnt_opts] = context;
 
 911                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
 
 914                 opts->mnt_opts[num_mnt_opts] = rootcontext;
 
 915                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
 
 918                 opts->mnt_opts[num_mnt_opts] = defcontext;
 
 919                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
 
 922         opts->num_mnt_opts = num_mnt_opts;
 
 933  * string mount options parsing and call set the sbsec
 
 935 static int superblock_doinit(struct super_block *sb, void *data)
 
 938         char *options = data;
 
 939         struct security_mnt_opts opts;
 
 941         security_init_mnt_opts(&opts);
 
 946         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
 
 948         rc = selinux_parse_opts_str(options, &opts);
 
 953         rc = selinux_set_mnt_opts(sb, &opts);
 
 956         security_free_mnt_opts(&opts);
 
 960 void selinux_write_opts(struct seq_file *m, struct security_mnt_opts *opts)
 
 965         for (i = 0; i < opts->num_mnt_opts; i++) {
 
 966                 char *has_comma = strchr(opts->mnt_opts[i], ',');
 
 968                 switch (opts->mnt_opts_flags[i]) {
 
 970                         prefix = CONTEXT_STR;
 
 973                         prefix = FSCONTEXT_STR;
 
 975                 case ROOTCONTEXT_MNT:
 
 976                         prefix = ROOTCONTEXT_STR;
 
 979                         prefix = DEFCONTEXT_STR;
 
 984                 /* we need a comma before each option */
 
 989                 seq_puts(m, opts->mnt_opts[i]);
 
 995 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
 
 997         struct security_mnt_opts opts;
 
1000         rc = selinux_get_mnt_opts(sb, &opts);
 
1004         selinux_write_opts(m, &opts);
 
1006         security_free_mnt_opts(&opts);
 
1011 static inline u16 inode_mode_to_security_class(umode_t mode)
 
1013         switch (mode & S_IFMT) {
 
1015                 return SECCLASS_SOCK_FILE;
 
1017                 return SECCLASS_LNK_FILE;
 
1019                 return SECCLASS_FILE;
 
1021                 return SECCLASS_BLK_FILE;
 
1023                 return SECCLASS_DIR;
 
1025                 return SECCLASS_CHR_FILE;
 
1027                 return SECCLASS_FIFO_FILE;
 
1031         return SECCLASS_FILE;
 
1034 static inline int default_protocol_stream(int protocol)
 
1036         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
 
1039 static inline int default_protocol_dgram(int protocol)
 
1041         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
 
1044 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
 
1050                 case SOCK_SEQPACKET:
 
1051                         return SECCLASS_UNIX_STREAM_SOCKET;
 
1053                         return SECCLASS_UNIX_DGRAM_SOCKET;
 
1060                         if (default_protocol_stream(protocol))
 
1061                                 return SECCLASS_TCP_SOCKET;
 
1063                                 return SECCLASS_RAWIP_SOCKET;
 
1065                         if (default_protocol_dgram(protocol))
 
1066                                 return SECCLASS_UDP_SOCKET;
 
1068                                 return SECCLASS_RAWIP_SOCKET;
 
1070                         return SECCLASS_DCCP_SOCKET;
 
1072                         return SECCLASS_RAWIP_SOCKET;
 
1078                         return SECCLASS_NETLINK_ROUTE_SOCKET;
 
1079                 case NETLINK_FIREWALL:
 
1080                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
 
1081                 case NETLINK_INET_DIAG:
 
1082                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
 
1084                         return SECCLASS_NETLINK_NFLOG_SOCKET;
 
1086                         return SECCLASS_NETLINK_XFRM_SOCKET;
 
1087                 case NETLINK_SELINUX:
 
1088                         return SECCLASS_NETLINK_SELINUX_SOCKET;
 
1090                         return SECCLASS_NETLINK_AUDIT_SOCKET;
 
1091                 case NETLINK_IP6_FW:
 
1092                         return SECCLASS_NETLINK_IP6FW_SOCKET;
 
1093                 case NETLINK_DNRTMSG:
 
1094                         return SECCLASS_NETLINK_DNRT_SOCKET;
 
1095                 case NETLINK_KOBJECT_UEVENT:
 
1096                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
 
1098                         return SECCLASS_NETLINK_SOCKET;
 
1101                 return SECCLASS_PACKET_SOCKET;
 
1103                 return SECCLASS_KEY_SOCKET;
 
1105                 return SECCLASS_APPLETALK_SOCKET;
 
1108         return SECCLASS_SOCKET;
 
1111 #ifdef CONFIG_PROC_FS
 
1112 static int selinux_proc_get_sid(struct proc_dir_entry *de,
 
1117         char *buffer, *path, *end;
 
1119         buffer = (char *)__get_free_page(GFP_KERNEL);
 
1124         end = buffer+buflen;
 
1129         while (de && de != de->parent) {
 
1130                 buflen -= de->namelen + 1;
 
1134                 memcpy(end, de->name, de->namelen);
 
1139         rc = security_genfs_sid("proc", path, tclass, sid);
 
1140         free_page((unsigned long)buffer);
 
1144 static int selinux_proc_get_sid(struct proc_dir_entry *de,
 
1152 /* The inode's security attributes must be initialized before first use. */
 
1153 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
 
1155         struct superblock_security_struct *sbsec = NULL;
 
1156         struct inode_security_struct *isec = inode->i_security;
 
1158         struct dentry *dentry;
 
1159 #define INITCONTEXTLEN 255
 
1160         char *context = NULL;
 
1164         if (isec->initialized)
 
1167         mutex_lock(&isec->lock);
 
1168         if (isec->initialized)
 
1171         sbsec = inode->i_sb->s_security;
 
1172         if (!sbsec->initialized) {
 
1173                 /* Defer initialization until selinux_complete_init,
 
1174                    after the initial policy is loaded and the security
 
1175                    server is ready to handle calls. */
 
1176                 spin_lock(&sbsec->isec_lock);
 
1177                 if (list_empty(&isec->list))
 
1178                         list_add(&isec->list, &sbsec->isec_head);
 
1179                 spin_unlock(&sbsec->isec_lock);
 
1183         switch (sbsec->behavior) {
 
1184         case SECURITY_FS_USE_XATTR:
 
1185                 if (!inode->i_op->getxattr) {
 
1186                         isec->sid = sbsec->def_sid;
 
1190                 /* Need a dentry, since the xattr API requires one.
 
1191                    Life would be simpler if we could just pass the inode. */
 
1193                         /* Called from d_instantiate or d_splice_alias. */
 
1194                         dentry = dget(opt_dentry);
 
1196                         /* Called from selinux_complete_init, try to find a dentry. */
 
1197                         dentry = d_find_alias(inode);
 
1200                         printk(KERN_WARNING "SELinux: %s:  no dentry for dev=%s "
 
1201                                "ino=%ld\n", __func__, inode->i_sb->s_id,
 
1206                 len = INITCONTEXTLEN;
 
1207                 context = kmalloc(len, GFP_NOFS);
 
1213                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
 
1215                 if (rc == -ERANGE) {
 
1216                         /* Need a larger buffer.  Query for the right size. */
 
1217                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
 
1225                         context = kmalloc(len, GFP_NOFS);
 
1231                         rc = inode->i_op->getxattr(dentry,
 
1237                         if (rc != -ENODATA) {
 
1238                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
 
1239                                        "%d for dev=%s ino=%ld\n", __func__,
 
1240                                        -rc, inode->i_sb->s_id, inode->i_ino);
 
1244                         /* Map ENODATA to the default file SID */
 
1245                         sid = sbsec->def_sid;
 
1248                         rc = security_context_to_sid_default(context, rc, &sid,
 
1252                                 printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
 
1253                                        "returned %d for dev=%s ino=%ld\n",
 
1254                                        __func__, context, -rc,
 
1255                                        inode->i_sb->s_id, inode->i_ino);
 
1257                                 /* Leave with the unlabeled SID */
 
1265         case SECURITY_FS_USE_TASK:
 
1266                 isec->sid = isec->task_sid;
 
1268         case SECURITY_FS_USE_TRANS:
 
1269                 /* Default to the fs SID. */
 
1270                 isec->sid = sbsec->sid;
 
1272                 /* Try to obtain a transition SID. */
 
1273                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
 
1274                 rc = security_transition_sid(isec->task_sid,
 
1282         case SECURITY_FS_USE_MNTPOINT:
 
1283                 isec->sid = sbsec->mntpoint_sid;
 
1286                 /* Default to the fs superblock SID. */
 
1287                 isec->sid = sbsec->sid;
 
1290                         struct proc_inode *proci = PROC_I(inode);
 
1292                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
 
1293                                 rc = selinux_proc_get_sid(proci->pde,
 
1304         isec->initialized = 1;
 
1307         mutex_unlock(&isec->lock);
 
1309         if (isec->sclass == SECCLASS_FILE)
 
1310                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
 
1314 /* Convert a Linux signal to an access vector. */
 
1315 static inline u32 signal_to_av(int sig)
 
1321                 /* Commonly granted from child to parent. */
 
1322                 perm = PROCESS__SIGCHLD;
 
1325                 /* Cannot be caught or ignored */
 
1326                 perm = PROCESS__SIGKILL;
 
1329                 /* Cannot be caught or ignored */
 
1330                 perm = PROCESS__SIGSTOP;
 
1333                 /* All other signals. */
 
1334                 perm = PROCESS__SIGNAL;
 
1341 /* Check permission betweeen a pair of tasks, e.g. signal checks,
 
1342    fork check, ptrace check, etc. */
 
1343 static int task_has_perm(struct task_struct *tsk1,
 
1344                          struct task_struct *tsk2,
 
1347         struct task_security_struct *tsec1, *tsec2;
 
1349         tsec1 = tsk1->security;
 
1350         tsec2 = tsk2->security;
 
1351         return avc_has_perm(tsec1->sid, tsec2->sid,
 
1352                             SECCLASS_PROCESS, perms, NULL);
 
1355 #if CAP_LAST_CAP > 63
 
1356 #error Fix SELinux to handle capabilities > 63.
 
1359 /* Check whether a task is allowed to use a capability. */
 
1360 static int task_has_capability(struct task_struct *tsk,
 
1363         struct task_security_struct *tsec;
 
1364         struct avc_audit_data ad;
 
1366         u32 av = CAP_TO_MASK(cap);
 
1368         tsec = tsk->security;
 
1370         AVC_AUDIT_DATA_INIT(&ad, CAP);
 
1374         switch (CAP_TO_INDEX(cap)) {
 
1376                 sclass = SECCLASS_CAPABILITY;
 
1379                 sclass = SECCLASS_CAPABILITY2;
 
1383                        "SELinux:  out of range capability %d\n", cap);
 
1386         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
 
1389 /* Check whether a task is allowed to use a system operation. */
 
1390 static int task_has_system(struct task_struct *tsk,
 
1393         struct task_security_struct *tsec;
 
1395         tsec = tsk->security;
 
1397         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
 
1398                             SECCLASS_SYSTEM, perms, NULL);
 
1401 /* Check whether a task has a particular permission to an inode.
 
1402    The 'adp' parameter is optional and allows other audit
 
1403    data to be passed (e.g. the dentry). */
 
1404 static int inode_has_perm(struct task_struct *tsk,
 
1405                           struct inode *inode,
 
1407                           struct avc_audit_data *adp)
 
1409         struct task_security_struct *tsec;
 
1410         struct inode_security_struct *isec;
 
1411         struct avc_audit_data ad;
 
1413         if (unlikely(IS_PRIVATE(inode)))
 
1416         tsec = tsk->security;
 
1417         isec = inode->i_security;
 
1421                 AVC_AUDIT_DATA_INIT(&ad, FS);
 
1422                 ad.u.fs.inode = inode;
 
1425         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
 
1428 /* Same as inode_has_perm, but pass explicit audit data containing
 
1429    the dentry to help the auditing code to more easily generate the
 
1430    pathname if needed. */
 
1431 static inline int dentry_has_perm(struct task_struct *tsk,
 
1432                                   struct vfsmount *mnt,
 
1433                                   struct dentry *dentry,
 
1436         struct inode *inode = dentry->d_inode;
 
1437         struct avc_audit_data ad;
 
1438         AVC_AUDIT_DATA_INIT(&ad, FS);
 
1439         ad.u.fs.path.mnt = mnt;
 
1440         ad.u.fs.path.dentry = dentry;
 
1441         return inode_has_perm(tsk, inode, av, &ad);
 
1444 /* Check whether a task can use an open file descriptor to
 
1445    access an inode in a given way.  Check access to the
 
1446    descriptor itself, and then use dentry_has_perm to
 
1447    check a particular permission to the file.
 
1448    Access to the descriptor is implicitly granted if it
 
1449    has the same SID as the process.  If av is zero, then
 
1450    access to the file is not checked, e.g. for cases
 
1451    where only the descriptor is affected like seek. */
 
1452 static int file_has_perm(struct task_struct *tsk,
 
1456         struct task_security_struct *tsec = tsk->security;
 
1457         struct file_security_struct *fsec = file->f_security;
 
1458         struct inode *inode = file->f_path.dentry->d_inode;
 
1459         struct avc_audit_data ad;
 
1462         AVC_AUDIT_DATA_INIT(&ad, FS);
 
1463         ad.u.fs.path = file->f_path;
 
1465         if (tsec->sid != fsec->sid) {
 
1466                 rc = avc_has_perm(tsec->sid, fsec->sid,
 
1474         /* av is zero if only checking access to the descriptor. */
 
1476                 return inode_has_perm(tsk, inode, av, &ad);
 
1481 /* Check whether a task can create a file. */
 
1482 static int may_create(struct inode *dir,
 
1483                       struct dentry *dentry,
 
1486         struct task_security_struct *tsec;
 
1487         struct inode_security_struct *dsec;
 
1488         struct superblock_security_struct *sbsec;
 
1490         struct avc_audit_data ad;
 
1493         tsec = current->security;
 
1494         dsec = dir->i_security;
 
1495         sbsec = dir->i_sb->s_security;
 
1497         AVC_AUDIT_DATA_INIT(&ad, FS);
 
1498         ad.u.fs.path.dentry = dentry;
 
1500         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
 
1501                           DIR__ADD_NAME | DIR__SEARCH,
 
1506         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
 
1507                 newsid = tsec->create_sid;
 
1509                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
 
1515         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
 
1519         return avc_has_perm(newsid, sbsec->sid,
 
1520                             SECCLASS_FILESYSTEM,
 
1521                             FILESYSTEM__ASSOCIATE, &ad);
 
1524 /* Check whether a task can create a key. */
 
1525 static int may_create_key(u32 ksid,
 
1526                           struct task_struct *ctx)
 
1528         struct task_security_struct *tsec;
 
1530         tsec = ctx->security;
 
1532         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
 
1536 #define MAY_UNLINK      1
 
1539 /* Check whether a task can link, unlink, or rmdir a file/directory. */
 
1540 static int may_link(struct inode *dir,
 
1541                     struct dentry *dentry,
 
1545         struct task_security_struct *tsec;
 
1546         struct inode_security_struct *dsec, *isec;
 
1547         struct avc_audit_data ad;
 
1551         tsec = current->security;
 
1552         dsec = dir->i_security;
 
1553         isec = dentry->d_inode->i_security;
 
1555         AVC_AUDIT_DATA_INIT(&ad, FS);
 
1556         ad.u.fs.path.dentry = dentry;
 
1559         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
 
1560         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
 
1575                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
 
1580         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
 
1584 static inline int may_rename(struct inode *old_dir,
 
1585                              struct dentry *old_dentry,
 
1586                              struct inode *new_dir,
 
1587                              struct dentry *new_dentry)
 
1589         struct task_security_struct *tsec;
 
1590         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
 
1591         struct avc_audit_data ad;
 
1593         int old_is_dir, new_is_dir;
 
1596         tsec = current->security;
 
1597         old_dsec = old_dir->i_security;
 
1598         old_isec = old_dentry->d_inode->i_security;
 
1599         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
 
1600         new_dsec = new_dir->i_security;
 
1602         AVC_AUDIT_DATA_INIT(&ad, FS);
 
1604         ad.u.fs.path.dentry = old_dentry;
 
1605         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
 
1606                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
 
1609         rc = avc_has_perm(tsec->sid, old_isec->sid,
 
1610                           old_isec->sclass, FILE__RENAME, &ad);
 
1613         if (old_is_dir && new_dir != old_dir) {
 
1614                 rc = avc_has_perm(tsec->sid, old_isec->sid,
 
1615                                   old_isec->sclass, DIR__REPARENT, &ad);
 
1620         ad.u.fs.path.dentry = new_dentry;
 
1621         av = DIR__ADD_NAME | DIR__SEARCH;
 
1622         if (new_dentry->d_inode)
 
1623                 av |= DIR__REMOVE_NAME;
 
1624         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
 
1627         if (new_dentry->d_inode) {
 
1628                 new_isec = new_dentry->d_inode->i_security;
 
1629                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
 
1630                 rc = avc_has_perm(tsec->sid, new_isec->sid,
 
1632                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
 
1640 /* Check whether a task can perform a filesystem operation. */
 
1641 static int superblock_has_perm(struct task_struct *tsk,
 
1642                                struct super_block *sb,
 
1644                                struct avc_audit_data *ad)
 
1646         struct task_security_struct *tsec;
 
1647         struct superblock_security_struct *sbsec;
 
1649         tsec = tsk->security;
 
1650         sbsec = sb->s_security;
 
1651         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
 
1655 /* Convert a Linux mode and permission mask to an access vector. */
 
1656 static inline u32 file_mask_to_av(int mode, int mask)
 
1660         if ((mode & S_IFMT) != S_IFDIR) {
 
1661                 if (mask & MAY_EXEC)
 
1662                         av |= FILE__EXECUTE;
 
1663                 if (mask & MAY_READ)
 
1666                 if (mask & MAY_APPEND)
 
1668                 else if (mask & MAY_WRITE)
 
1672                 if (mask & MAY_EXEC)
 
1674                 if (mask & MAY_WRITE)
 
1676                 if (mask & MAY_READ)
 
1684  * Convert a file mask to an access vector and include the correct open
 
1687 static inline u32 open_file_mask_to_av(int mode, int mask)
 
1689         u32 av = file_mask_to_av(mode, mask);
 
1691         if (selinux_policycap_openperm) {
 
1693                  * lnk files and socks do not really have an 'open'
 
1697                 else if (S_ISCHR(mode))
 
1698                         av |= CHR_FILE__OPEN;
 
1699                 else if (S_ISBLK(mode))
 
1700                         av |= BLK_FILE__OPEN;
 
1701                 else if (S_ISFIFO(mode))
 
1702                         av |= FIFO_FILE__OPEN;
 
1703                 else if (S_ISDIR(mode))
 
1706                         printk(KERN_ERR "SELinux: WARNING: inside %s with "
 
1707                                 "unknown mode:%x\n", __func__, mode);
 
1712 /* Convert a Linux file to an access vector. */
 
1713 static inline u32 file_to_av(struct file *file)
 
1717         if (file->f_mode & FMODE_READ)
 
1719         if (file->f_mode & FMODE_WRITE) {
 
1720                 if (file->f_flags & O_APPEND)
 
1727                  * Special file opened with flags 3 for ioctl-only use.
 
1735 /* Hook functions begin here. */
 
1737 static int selinux_ptrace(struct task_struct *parent,
 
1738                           struct task_struct *child,
 
1743         rc = secondary_ops->ptrace(parent, child, mode);
 
1747         if (mode == PTRACE_MODE_READ) {
 
1748                 struct task_security_struct *tsec = parent->security;
 
1749                 struct task_security_struct *csec = child->security;
 
1750                 return avc_has_perm(tsec->sid, csec->sid,
 
1751                                     SECCLASS_FILE, FILE__READ, NULL);
 
1754         return task_has_perm(parent, child, PROCESS__PTRACE);
 
1757 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
 
1758                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
 
1762         error = task_has_perm(current, target, PROCESS__GETCAP);
 
1766         return secondary_ops->capget(target, effective, inheritable, permitted);
 
1769 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
 
1770                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
 
1774         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
 
1778         return task_has_perm(current, target, PROCESS__SETCAP);
 
1781 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
 
1782                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
 
1784         secondary_ops->capset_set(target, effective, inheritable, permitted);
 
1787 static int selinux_capable(struct task_struct *tsk, int cap)
 
1791         rc = secondary_ops->capable(tsk, cap);
 
1795         return task_has_capability(tsk, cap);
 
1798 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
 
1801         char *buffer, *path, *end;
 
1804         buffer = (char *)__get_free_page(GFP_KERNEL);
 
1809         end = buffer+buflen;
 
1815                 const char *name = table->procname;
 
1816                 size_t namelen = strlen(name);
 
1817                 buflen -= namelen + 1;
 
1821                 memcpy(end, name, namelen);
 
1824                 table = table->parent;
 
1830         memcpy(end, "/sys", 4);
 
1832         rc = security_genfs_sid("proc", path, tclass, sid);
 
1834         free_page((unsigned long)buffer);
 
1839 static int selinux_sysctl(ctl_table *table, int op)
 
1843         struct task_security_struct *tsec;
 
1847         rc = secondary_ops->sysctl(table, op);
 
1851         tsec = current->security;
 
1853         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
 
1854                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
 
1856                 /* Default to the well-defined sysctl SID. */
 
1857                 tsid = SECINITSID_SYSCTL;
 
1860         /* The op values are "defined" in sysctl.c, thereby creating
 
1861          * a bad coupling between this module and sysctl.c */
 
1863                 error = avc_has_perm(tsec->sid, tsid,
 
1864                                      SECCLASS_DIR, DIR__SEARCH, NULL);
 
1872                         error = avc_has_perm(tsec->sid, tsid,
 
1873                                              SECCLASS_FILE, av, NULL);
 
1879 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
 
1892                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
 
1898                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
 
1902                 rc = 0;  /* let the kernel handle invalid cmds */
 
1908 static int selinux_quota_on(struct dentry *dentry)
 
1910         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
 
1913 static int selinux_syslog(int type)
 
1917         rc = secondary_ops->syslog(type);
 
1922         case 3:         /* Read last kernel messages */
 
1923         case 10:        /* Return size of the log buffer */
 
1924                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
 
1926         case 6:         /* Disable logging to console */
 
1927         case 7:         /* Enable logging to console */
 
1928         case 8:         /* Set level of messages printed to console */
 
1929                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
 
1931         case 0:         /* Close log */
 
1932         case 1:         /* Open log */
 
1933         case 2:         /* Read from log */
 
1934         case 4:         /* Read/clear last kernel messages */
 
1935         case 5:         /* Clear ring buffer */
 
1937                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
 
1944  * Check that a process has enough memory to allocate a new virtual
 
1945  * mapping. 0 means there is enough memory for the allocation to
 
1946  * succeed and -ENOMEM implies there is not.
 
1948  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
 
1949  * if the capability is granted, but __vm_enough_memory requires 1 if
 
1950  * the capability is granted.
 
1952  * Do not audit the selinux permission check, as this is applied to all
 
1953  * processes that allocate mappings.
 
1955 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
 
1957         int rc, cap_sys_admin = 0;
 
1958         struct task_security_struct *tsec = current->security;
 
1960         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
 
1962                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
 
1963                                           SECCLASS_CAPABILITY,
 
1964                                           CAP_TO_MASK(CAP_SYS_ADMIN),
 
1971         return __vm_enough_memory(mm, pages, cap_sys_admin);
 
1974 /* binprm security operations */
 
1976 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
 
1978         struct bprm_security_struct *bsec;
 
1980         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
 
1984         bsec->sid = SECINITSID_UNLABELED;
 
1987         bprm->security = bsec;
 
1991 static int selinux_bprm_set_security(struct linux_binprm *bprm)
 
1993         struct task_security_struct *tsec;
 
1994         struct inode *inode = bprm->file->f_path.dentry->d_inode;
 
1995         struct inode_security_struct *isec;
 
1996         struct bprm_security_struct *bsec;
 
1998         struct avc_audit_data ad;
 
2001         rc = secondary_ops->bprm_set_security(bprm);
 
2005         bsec = bprm->security;
 
2010         tsec = current->security;
 
2011         isec = inode->i_security;
 
2013         /* Default to the current task SID. */
 
2014         bsec->sid = tsec->sid;
 
2016         /* Reset fs, key, and sock SIDs on execve. */
 
2017         tsec->create_sid = 0;
 
2018         tsec->keycreate_sid = 0;
 
2019         tsec->sockcreate_sid = 0;
 
2021         if (tsec->exec_sid) {
 
2022                 newsid = tsec->exec_sid;
 
2023                 /* Reset exec SID on execve. */
 
2026                 /* Check for a default transition on this program. */
 
2027                 rc = security_transition_sid(tsec->sid, isec->sid,
 
2028                                              SECCLASS_PROCESS, &newsid);
 
2033         AVC_AUDIT_DATA_INIT(&ad, FS);
 
2034         ad.u.fs.path = bprm->file->f_path;
 
2036         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
 
2039         if (tsec->sid == newsid) {
 
2040                 rc = avc_has_perm(tsec->sid, isec->sid,
 
2041                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
 
2045                 /* Check permissions for the transition. */
 
2046                 rc = avc_has_perm(tsec->sid, newsid,
 
2047                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
 
2051                 rc = avc_has_perm(newsid, isec->sid,
 
2052                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
 
2056                 /* Clear any possibly unsafe personality bits on exec: */
 
2057                 current->personality &= ~PER_CLEAR_ON_SETID;
 
2059                 /* Set the security field to the new SID. */
 
2067 static int selinux_bprm_check_security(struct linux_binprm *bprm)
 
2069         return secondary_ops->bprm_check_security(bprm);
 
2073 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
 
2075         struct task_security_struct *tsec = current->security;
 
2078         if (tsec->osid != tsec->sid) {
 
2079                 /* Enable secure mode for SIDs transitions unless
 
2080                    the noatsecure permission is granted between
 
2081                    the two SIDs, i.e. ahp returns 0. */
 
2082                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
 
2084                                          PROCESS__NOATSECURE, NULL);
 
2087         return (atsecure || secondary_ops->bprm_secureexec(bprm));
 
2090 static void selinux_bprm_free_security(struct linux_binprm *bprm)
 
2092         kfree(bprm->security);
 
2093         bprm->security = NULL;
 
2096 extern struct vfsmount *selinuxfs_mount;
 
2097 extern struct dentry *selinux_null;
 
2099 /* Derived from fs/exec.c:flush_old_files. */
 
2100 static inline void flush_unauthorized_files(struct files_struct *files)
 
2102         struct avc_audit_data ad;
 
2103         struct file *file, *devnull = NULL;
 
2104         struct tty_struct *tty;
 
2105         struct fdtable *fdt;
 
2109         mutex_lock(&tty_mutex);
 
2110         tty = get_current_tty();
 
2113                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
 
2115                         /* Revalidate access to controlling tty.
 
2116                            Use inode_has_perm on the tty inode directly rather
 
2117                            than using file_has_perm, as this particular open
 
2118                            file may belong to another process and we are only
 
2119                            interested in the inode-based check here. */
 
2120                         struct inode *inode = file->f_path.dentry->d_inode;
 
2121                         if (inode_has_perm(current, inode,
 
2122                                            FILE__READ | FILE__WRITE, NULL)) {
 
2128         mutex_unlock(&tty_mutex);
 
2129         /* Reset controlling tty. */
 
2133         /* Revalidate access to inherited open files. */
 
2135         AVC_AUDIT_DATA_INIT(&ad, FS);
 
2137         spin_lock(&files->file_lock);
 
2139                 unsigned long set, i;
 
2144                 fdt = files_fdtable(files);
 
2145                 if (i >= fdt->max_fds)
 
2147                 set = fdt->open_fds->fds_bits[j];
 
2150                 spin_unlock(&files->file_lock);
 
2151                 for ( ; set ; i++, set >>= 1) {
 
2156                                 if (file_has_perm(current,
 
2158                                                   file_to_av(file))) {
 
2160                                         fd = get_unused_fd();
 
2170                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
 
2171                                                 if (IS_ERR(devnull)) {
 
2178                                         fd_install(fd, devnull);
 
2183                 spin_lock(&files->file_lock);
 
2186         spin_unlock(&files->file_lock);
 
2189 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
 
2191         struct task_security_struct *tsec;
 
2192         struct bprm_security_struct *bsec;
 
2196         secondary_ops->bprm_apply_creds(bprm, unsafe);
 
2198         tsec = current->security;
 
2200         bsec = bprm->security;
 
2203         tsec->osid = tsec->sid;
 
2205         if (tsec->sid != sid) {
 
2206                 /* Check for shared state.  If not ok, leave SID
 
2207                    unchanged and kill. */
 
2208                 if (unsafe & LSM_UNSAFE_SHARE) {
 
2209                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
 
2210                                         PROCESS__SHARE, NULL);
 
2217                 /* Check for ptracing, and update the task SID if ok.
 
2218                    Otherwise, leave SID unchanged and kill. */
 
2219                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
 
2220                         struct task_struct *tracer;
 
2221                         struct task_security_struct *sec;
 
2225                         tracer = tracehook_tracer_task(current);
 
2226                         if (likely(tracer != NULL)) {
 
2227                                 sec = tracer->security;
 
2233                                 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
 
2234                                                   PROCESS__PTRACE, NULL);
 
2246  * called after apply_creds without the task lock held
 
2248 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
 
2250         struct task_security_struct *tsec;
 
2251         struct rlimit *rlim, *initrlim;
 
2252         struct itimerval itimer;
 
2253         struct bprm_security_struct *bsec;
 
2256         tsec = current->security;
 
2257         bsec = bprm->security;
 
2260                 force_sig_specific(SIGKILL, current);
 
2263         if (tsec->osid == tsec->sid)
 
2266         /* Close files for which the new task SID is not authorized. */
 
2267         flush_unauthorized_files(current->files);
 
2269         /* Check whether the new SID can inherit signal state
 
2270            from the old SID.  If not, clear itimers to avoid
 
2271            subsequent signal generation and flush and unblock
 
2272            signals. This must occur _after_ the task SID has
 
2273           been updated so that any kill done after the flush
 
2274           will be checked against the new SID. */
 
2275         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
 
2276                           PROCESS__SIGINH, NULL);
 
2278                 memset(&itimer, 0, sizeof itimer);
 
2279                 for (i = 0; i < 3; i++)
 
2280                         do_setitimer(i, &itimer, NULL);
 
2281                 flush_signals(current);
 
2282                 spin_lock_irq(¤t->sighand->siglock);
 
2283                 flush_signal_handlers(current, 1);
 
2284                 sigemptyset(¤t->blocked);
 
2285                 recalc_sigpending();
 
2286                 spin_unlock_irq(¤t->sighand->siglock);
 
2289         /* Always clear parent death signal on SID transitions. */
 
2290         current->pdeath_signal = 0;
 
2292         /* Check whether the new SID can inherit resource limits
 
2293            from the old SID.  If not, reset all soft limits to
 
2294            the lower of the current task's hard limit and the init
 
2295            task's soft limit.  Note that the setting of hard limits
 
2296            (even to lower them) can be controlled by the setrlimit
 
2297            check. The inclusion of the init task's soft limit into
 
2298            the computation is to avoid resetting soft limits higher
 
2299            than the default soft limit for cases where the default
 
2300            is lower than the hard limit, e.g. RLIMIT_CORE or
 
2302         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
 
2303                           PROCESS__RLIMITINH, NULL);
 
2305                 for (i = 0; i < RLIM_NLIMITS; i++) {
 
2306                         rlim = current->signal->rlim + i;
 
2307                         initrlim = init_task.signal->rlim+i;
 
2308                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
 
2310                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
 
2312                          * This will cause RLIMIT_CPU calculations
 
2315                         current->it_prof_expires = jiffies_to_cputime(1);
 
2319         /* Wake up the parent if it is waiting so that it can
 
2320            recheck wait permission to the new task SID. */
 
2321         wake_up_interruptible(¤t->parent->signal->wait_chldexit);
 
2324 /* superblock security operations */
 
2326 static int selinux_sb_alloc_security(struct super_block *sb)
 
2328         return superblock_alloc_security(sb);
 
2331 static void selinux_sb_free_security(struct super_block *sb)
 
2333         superblock_free_security(sb);
 
2336 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
 
2341         return !memcmp(prefix, option, plen);
 
2344 static inline int selinux_option(char *option, int len)
 
2346         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
 
2347                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
 
2348                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
 
2349                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
 
2352 static inline void take_option(char **to, char *from, int *first, int len)
 
2359         memcpy(*to, from, len);
 
2363 static inline void take_selinux_option(char **to, char *from, int *first,
 
2366         int current_size = 0;
 
2374         while (current_size < len) {
 
2384 static int selinux_sb_copy_data(char *orig, char *copy)
 
2386         int fnosec, fsec, rc = 0;
 
2387         char *in_save, *in_curr, *in_end;
 
2388         char *sec_curr, *nosec_save, *nosec;
 
2394         nosec = (char *)get_zeroed_page(GFP_KERNEL);
 
2402         in_save = in_end = orig;
 
2406                         open_quote = !open_quote;
 
2407                 if ((*in_end == ',' && open_quote == 0) ||
 
2409                         int len = in_end - in_curr;
 
2411                         if (selinux_option(in_curr, len))
 
2412                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
 
2414                                 take_option(&nosec, in_curr, &fnosec, len);
 
2416                         in_curr = in_end + 1;
 
2418         } while (*in_end++);
 
2420         strcpy(in_save, nosec_save);
 
2421         free_page((unsigned long)nosec_save);
 
2426 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
 
2428         struct avc_audit_data ad;
 
2431         rc = superblock_doinit(sb, data);
 
2435         AVC_AUDIT_DATA_INIT(&ad, FS);
 
2436         ad.u.fs.path.dentry = sb->s_root;
 
2437         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
 
2440 static int selinux_sb_statfs(struct dentry *dentry)
 
2442         struct avc_audit_data ad;
 
2444         AVC_AUDIT_DATA_INIT(&ad, FS);
 
2445         ad.u.fs.path.dentry = dentry->d_sb->s_root;
 
2446         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
 
2449 static int selinux_mount(char *dev_name,
 
2452                          unsigned long flags,
 
2457         rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
 
2461         if (flags & MS_REMOUNT)
 
2462                 return superblock_has_perm(current, path->mnt->mnt_sb,
 
2463                                            FILESYSTEM__REMOUNT, NULL);
 
2465                 return dentry_has_perm(current, path->mnt, path->dentry,
 
2469 static int selinux_umount(struct vfsmount *mnt, int flags)
 
2473         rc = secondary_ops->sb_umount(mnt, flags);
 
2477         return superblock_has_perm(current, mnt->mnt_sb,
 
2478                                    FILESYSTEM__UNMOUNT, NULL);
 
2481 /* inode security operations */
 
2483 static int selinux_inode_alloc_security(struct inode *inode)
 
2485         return inode_alloc_security(inode);
 
2488 static void selinux_inode_free_security(struct inode *inode)
 
2490         inode_free_security(inode);
 
2493 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
 
2494                                        char **name, void **value,
 
2497         struct task_security_struct *tsec;
 
2498         struct inode_security_struct *dsec;
 
2499         struct superblock_security_struct *sbsec;
 
2502         char *namep = NULL, *context;
 
2504         tsec = current->security;
 
2505         dsec = dir->i_security;
 
2506         sbsec = dir->i_sb->s_security;
 
2508         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
 
2509                 newsid = tsec->create_sid;
 
2511                 rc = security_transition_sid(tsec->sid, dsec->sid,
 
2512                                              inode_mode_to_security_class(inode->i_mode),
 
2515                         printk(KERN_WARNING "%s:  "
 
2516                                "security_transition_sid failed, rc=%d (dev=%s "
 
2519                                -rc, inode->i_sb->s_id, inode->i_ino);
 
2524         /* Possibly defer initialization to selinux_complete_init. */
 
2525         if (sbsec->initialized) {
 
2526                 struct inode_security_struct *isec = inode->i_security;
 
2527                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
 
2529                 isec->initialized = 1;
 
2532         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
 
2536                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
 
2543                 rc = security_sid_to_context_force(newsid, &context, &clen);
 
2555 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
 
2557         return may_create(dir, dentry, SECCLASS_FILE);
 
2560 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
 
2564         rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
 
2567         return may_link(dir, old_dentry, MAY_LINK);
 
2570 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
 
2574         rc = secondary_ops->inode_unlink(dir, dentry);
 
2577         return may_link(dir, dentry, MAY_UNLINK);
 
2580 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
 
2582         return may_create(dir, dentry, SECCLASS_LNK_FILE);
 
2585 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
 
2587         return may_create(dir, dentry, SECCLASS_DIR);
 
2590 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
 
2592         return may_link(dir, dentry, MAY_RMDIR);
 
2595 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
 
2599         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
 
2603         return may_create(dir, dentry, inode_mode_to_security_class(mode));
 
2606 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
 
2607                                 struct inode *new_inode, struct dentry *new_dentry)
 
2609         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
 
2612 static int selinux_inode_readlink(struct dentry *dentry)
 
2614         return dentry_has_perm(current, NULL, dentry, FILE__READ);
 
2617 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
 
2621         rc = secondary_ops->inode_follow_link(dentry, nameidata);
 
2624         return dentry_has_perm(current, NULL, dentry, FILE__READ);
 
2627 static int selinux_inode_permission(struct inode *inode, int mask)
 
2631         rc = secondary_ops->inode_permission(inode, mask);
 
2636                 /* No permission to check.  Existence test. */
 
2640         return inode_has_perm(current, inode,
 
2641                                open_file_mask_to_av(inode->i_mode, mask), NULL);
 
2644 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
 
2648         rc = secondary_ops->inode_setattr(dentry, iattr);
 
2652         if (iattr->ia_valid & ATTR_FORCE)
 
2655         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
 
2656                                ATTR_ATIME_SET | ATTR_MTIME_SET))
 
2657                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
 
2659         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
 
2662 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
 
2664         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
 
2667 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
 
2669         if (!strncmp(name, XATTR_SECURITY_PREFIX,
 
2670                      sizeof XATTR_SECURITY_PREFIX - 1)) {
 
2671                 if (!strcmp(name, XATTR_NAME_CAPS)) {
 
2672                         if (!capable(CAP_SETFCAP))
 
2674                 } else if (!capable(CAP_SYS_ADMIN)) {
 
2675                         /* A different attribute in the security namespace.
 
2676                            Restrict to administrator. */
 
2681         /* Not an attribute we recognize, so just check the
 
2682            ordinary setattr permission. */
 
2683         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
 
2686 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
 
2687                                   const void *value, size_t size, int flags)
 
2689         struct task_security_struct *tsec = current->security;
 
2690         struct inode *inode = dentry->d_inode;
 
2691         struct inode_security_struct *isec = inode->i_security;
 
2692         struct superblock_security_struct *sbsec;
 
2693         struct avc_audit_data ad;
 
2697         if (strcmp(name, XATTR_NAME_SELINUX))
 
2698                 return selinux_inode_setotherxattr(dentry, name);
 
2700         sbsec = inode->i_sb->s_security;
 
2701         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
 
2704         if (!is_owner_or_cap(inode))
 
2707         AVC_AUDIT_DATA_INIT(&ad, FS);
 
2708         ad.u.fs.path.dentry = dentry;
 
2710         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
 
2711                           FILE__RELABELFROM, &ad);
 
2715         rc = security_context_to_sid(value, size, &newsid);
 
2716         if (rc == -EINVAL) {
 
2717                 if (!capable(CAP_MAC_ADMIN))
 
2719                 rc = security_context_to_sid_force(value, size, &newsid);
 
2724         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
 
2725                           FILE__RELABELTO, &ad);
 
2729         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
 
2734         return avc_has_perm(newsid,
 
2736                             SECCLASS_FILESYSTEM,
 
2737                             FILESYSTEM__ASSOCIATE,
 
2741 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
 
2742                                         const void *value, size_t size,
 
2745         struct inode *inode = dentry->d_inode;
 
2746         struct inode_security_struct *isec = inode->i_security;
 
2750         if (strcmp(name, XATTR_NAME_SELINUX)) {
 
2751                 /* Not an attribute we recognize, so nothing to do. */
 
2755         rc = security_context_to_sid_force(value, size, &newsid);
 
2757                 printk(KERN_ERR "SELinux:  unable to map context to SID"
 
2758                        "for (%s, %lu), rc=%d\n",
 
2759                        inode->i_sb->s_id, inode->i_ino, -rc);
 
2767 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
 
2769         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
 
2772 static int selinux_inode_listxattr(struct dentry *dentry)
 
2774         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
 
2777 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
 
2779         if (strcmp(name, XATTR_NAME_SELINUX))
 
2780                 return selinux_inode_setotherxattr(dentry, name);
 
2782         /* No one is allowed to remove a SELinux security label.
 
2783            You can change the label, but all data must be labeled. */
 
2788  * Copy the inode security context value to the user.
 
2790  * Permission check is handled by selinux_inode_getxattr hook.
 
2792 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
 
2796         char *context = NULL;
 
2797         struct task_security_struct *tsec = current->security;
 
2798         struct inode_security_struct *isec = inode->i_security;
 
2800         if (strcmp(name, XATTR_SELINUX_SUFFIX))
 
2804          * If the caller has CAP_MAC_ADMIN, then get the raw context
 
2805          * value even if it is not defined by current policy; otherwise,
 
2806          * use the in-core value under current policy.
 
2807          * Use the non-auditing forms of the permission checks since
 
2808          * getxattr may be called by unprivileged processes commonly
 
2809          * and lack of permission just means that we fall back to the
 
2810          * in-core context value, not a denial.
 
2812         error = secondary_ops->capable(current, CAP_MAC_ADMIN);
 
2814                 error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
 
2815                                              SECCLASS_CAPABILITY2,
 
2816                                              CAPABILITY2__MAC_ADMIN,
 
2820                 error = security_sid_to_context_force(isec->sid, &context,
 
2823                 error = security_sid_to_context(isec->sid, &context, &size);
 
2836 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
 
2837                                      const void *value, size_t size, int flags)
 
2839         struct inode_security_struct *isec = inode->i_security;
 
2843         if (strcmp(name, XATTR_SELINUX_SUFFIX))
 
2846         if (!value || !size)
 
2849         rc = security_context_to_sid((void *)value, size, &newsid);
 
2857 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
 
2859         const int len = sizeof(XATTR_NAME_SELINUX);
 
2860         if (buffer && len <= buffer_size)
 
2861                 memcpy(buffer, XATTR_NAME_SELINUX, len);
 
2865 static int selinux_inode_need_killpriv(struct dentry *dentry)
 
2867         return secondary_ops->inode_need_killpriv(dentry);
 
2870 static int selinux_inode_killpriv(struct dentry *dentry)
 
2872         return secondary_ops->inode_killpriv(dentry);
 
2875 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
 
2877         struct inode_security_struct *isec = inode->i_security;
 
2881 /* file security operations */
 
2883 static int selinux_revalidate_file_permission(struct file *file, int mask)
 
2886         struct inode *inode = file->f_path.dentry->d_inode;
 
2889                 /* No permission to check.  Existence test. */
 
2893         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
 
2894         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
 
2897         rc = file_has_perm(current, file,
 
2898                            file_mask_to_av(inode->i_mode, mask));
 
2902         return selinux_netlbl_inode_permission(inode, mask);
 
2905 static int selinux_file_permission(struct file *file, int mask)
 
2907         struct inode *inode = file->f_path.dentry->d_inode;
 
2908         struct task_security_struct *tsec = current->security;
 
2909         struct file_security_struct *fsec = file->f_security;
 
2910         struct inode_security_struct *isec = inode->i_security;
 
2913                 /* No permission to check.  Existence test. */
 
2917         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
 
2918             && fsec->pseqno == avc_policy_seqno())
 
2919                 return selinux_netlbl_inode_permission(inode, mask);
 
2921         return selinux_revalidate_file_permission(file, mask);
 
2924 static int selinux_file_alloc_security(struct file *file)
 
2926         return file_alloc_security(file);
 
2929 static void selinux_file_free_security(struct file *file)
 
2931         file_free_security(file);
 
2934 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
 
2939         if (_IOC_DIR(cmd) & _IOC_WRITE)
 
2941         if (_IOC_DIR(cmd) & _IOC_READ)
 
2946         return file_has_perm(current, file, av);
 
2949 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
 
2951 #ifndef CONFIG_PPC32
 
2952         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
 
2954                  * We are making executable an anonymous mapping or a
 
2955                  * private file mapping that will also be writable.
 
2956                  * This has an additional check.
 
2958                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
 
2965                 /* read access is always possible with a mapping */
 
2966                 u32 av = FILE__READ;
 
2968                 /* write access only matters if the mapping is shared */
 
2969                 if (shared && (prot & PROT_WRITE))
 
2972                 if (prot & PROT_EXEC)
 
2973                         av |= FILE__EXECUTE;
 
2975                 return file_has_perm(current, file, av);
 
2980 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
 
2981                              unsigned long prot, unsigned long flags,
 
2982                              unsigned long addr, unsigned long addr_only)
 
2985         u32 sid = ((struct task_security_struct *)(current->security))->sid;
 
2987         if (addr < mmap_min_addr)
 
2988                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
 
2989                                   MEMPROTECT__MMAP_ZERO, NULL);
 
2990         if (rc || addr_only)
 
2993         if (selinux_checkreqprot)
 
2996         return file_map_prot_check(file, prot,
 
2997                                    (flags & MAP_TYPE) == MAP_SHARED);
 
3000 static int selinux_file_mprotect(struct vm_area_struct *vma,
 
3001                                  unsigned long reqprot,
 
3006         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
 
3010         if (selinux_checkreqprot)
 
3013 #ifndef CONFIG_PPC32
 
3014         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
 
3016                 if (vma->vm_start >= vma->vm_mm->start_brk &&
 
3017                     vma->vm_end <= vma->vm_mm->brk) {
 
3018                         rc = task_has_perm(current, current,
 
3020                 } else if (!vma->vm_file &&
 
3021                            vma->vm_start <= vma->vm_mm->start_stack &&
 
3022                            vma->vm_end >= vma->vm_mm->start_stack) {
 
3023                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
 
3024                 } else if (vma->vm_file && vma->anon_vma) {
 
3026                          * We are making executable a file mapping that has
 
3027                          * had some COW done. Since pages might have been
 
3028                          * written, check ability to execute the possibly
 
3029                          * modified content.  This typically should only
 
3030                          * occur for text relocations.
 
3032                         rc = file_has_perm(current, vma->vm_file,
 
3040         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
 
3043 static int selinux_file_lock(struct file *file, unsigned int cmd)
 
3045         return file_has_perm(current, file, FILE__LOCK);
 
3048 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
 
3055                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
 
3060                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
 
3061                         err = file_has_perm(current, file, FILE__WRITE);
 
3070                 /* Just check FD__USE permission */
 
3071                 err = file_has_perm(current, file, 0);
 
3076 #if BITS_PER_LONG == 32
 
3081                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
 
3085                 err = file_has_perm(current, file, FILE__LOCK);
 
3092 static int selinux_file_set_fowner(struct file *file)
 
3094         struct task_security_struct *tsec;
 
3095         struct file_security_struct *fsec;
 
3097         tsec = current->security;
 
3098         fsec = file->f_security;
 
3099         fsec->fown_sid = tsec->sid;
 
3104 static int selinux_file_send_sigiotask(struct task_struct *tsk,
 
3105                                        struct fown_struct *fown, int signum)
 
3109         struct task_security_struct *tsec;
 
3110         struct file_security_struct *fsec;
 
3112         /* struct fown_struct is never outside the context of a struct file */
 
3113         file = container_of(fown, struct file, f_owner);
 
3115         tsec = tsk->security;
 
3116         fsec = file->f_security;
 
3119                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
 
3121                 perm = signal_to_av(signum);
 
3123         return avc_has_perm(fsec->fown_sid, tsec->sid,
 
3124                             SECCLASS_PROCESS, perm, NULL);
 
3127 static int selinux_file_receive(struct file *file)
 
3129         return file_has_perm(current, file, file_to_av(file));
 
3132 static int selinux_dentry_open(struct file *file)
 
3134         struct file_security_struct *fsec;
 
3135         struct inode *inode;
 
3136         struct inode_security_struct *isec;
 
3137         inode = file->f_path.dentry->d_inode;
 
3138         fsec = file->f_security;
 
3139         isec = inode->i_security;
 
3141          * Save inode label and policy sequence number
 
3142          * at open-time so that selinux_file_permission
 
3143          * can determine whether revalidation is necessary.
 
3144          * Task label is already saved in the file security
 
3145          * struct as its SID.
 
3147         fsec->isid = isec->sid;
 
3148         fsec->pseqno = avc_policy_seqno();
 
3150          * Since the inode label or policy seqno may have changed
 
3151          * between the selinux_inode_permission check and the saving
 
3152          * of state above, recheck that access is still permitted.
 
3153          * Otherwise, access might never be revalidated against the
 
3154          * new inode label or new policy.
 
3155          * This check is not redundant - do not remove.
 
3157         return inode_has_perm(current, inode, file_to_av(file), NULL);
 
3160 /* task security operations */
 
3162 static int selinux_task_create(unsigned long clone_flags)
 
3166         rc = secondary_ops->task_create(clone_flags);
 
3170         return task_has_perm(current, current, PROCESS__FORK);
 
3173 static int selinux_task_alloc_security(struct task_struct *tsk)
 
3175         struct task_security_struct *tsec1, *tsec2;
 
3178         tsec1 = current->security;
 
3180         rc = task_alloc_security(tsk);
 
3183         tsec2 = tsk->security;
 
3185         tsec2->osid = tsec1->osid;
 
3186         tsec2->sid = tsec1->sid;
 
3188         /* Retain the exec, fs, key, and sock SIDs across fork */
 
3189         tsec2->exec_sid = tsec1->exec_sid;
 
3190         tsec2->create_sid = tsec1->create_sid;
 
3191         tsec2->keycreate_sid = tsec1->keycreate_sid;
 
3192         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
 
3197 static void selinux_task_free_security(struct task_struct *tsk)
 
3199         task_free_security(tsk);
 
3202 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
 
3204         /* Since setuid only affects the current process, and
 
3205            since the SELinux controls are not based on the Linux
 
3206            identity attributes, SELinux does not need to control
 
3207            this operation.  However, SELinux does control the use
 
3208            of the CAP_SETUID and CAP_SETGID capabilities using the
 
3213 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
 
3215         return secondary_ops->task_post_setuid(id0, id1, id2, flags);
 
3218 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
 
3220         /* See the comment for setuid above. */
 
3224 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
 
3226         return task_has_perm(current, p, PROCESS__SETPGID);
 
3229 static int selinux_task_getpgid(struct task_struct *p)
 
3231         return task_has_perm(current, p, PROCESS__GETPGID);
 
3234 static int selinux_task_getsid(struct task_struct *p)
 
3236         return task_has_perm(current, p, PROCESS__GETSESSION);
 
3239 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
 
3241         struct task_security_struct *tsec = p->security;
 
3245 static int selinux_task_setgroups(struct group_info *group_info)
 
3247         /* See the comment for setuid above. */
 
3251 static int selinux_task_setnice(struct task_struct *p, int nice)
 
3255         rc = secondary_ops->task_setnice(p, nice);
 
3259         return task_has_perm(current, p, PROCESS__SETSCHED);
 
3262 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
 
3266         rc = secondary_ops->task_setioprio(p, ioprio);
 
3270         return task_has_perm(current, p, PROCESS__SETSCHED);
 
3273 static int selinux_task_getioprio(struct task_struct *p)
 
3275         return task_has_perm(current, p, PROCESS__GETSCHED);
 
3278 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
 
3280         struct rlimit *old_rlim = current->signal->rlim + resource;
 
3283         rc = secondary_ops->task_setrlimit(resource, new_rlim);
 
3287         /* Control the ability to change the hard limit (whether
 
3288            lowering or raising it), so that the hard limit can
 
3289            later be used as a safe reset point for the soft limit
 
3290            upon context transitions. See selinux_bprm_apply_creds. */
 
3291         if (old_rlim->rlim_max != new_rlim->rlim_max)
 
3292                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
 
3297 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
 
3301         rc = secondary_ops->task_setscheduler(p, policy, lp);
 
3305         return task_has_perm(current, p, PROCESS__SETSCHED);
 
3308 static int selinux_task_getscheduler(struct task_struct *p)
 
3310         return task_has_perm(current, p, PROCESS__GETSCHED);
 
3313 static int selinux_task_movememory(struct task_struct *p)
 
3315         return task_has_perm(current, p, PROCESS__SETSCHED);
 
3318 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
 
3323         struct task_security_struct *tsec;
 
3325         rc = secondary_ops->task_kill(p, info, sig, secid);
 
3330                 perm = PROCESS__SIGNULL; /* null signal; existence test */
 
3332                 perm = signal_to_av(sig);
 
3335                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
 
3337                 rc = task_has_perm(current, p, perm);
 
3341 static int selinux_task_prctl(int option,
 
3348         /* The current prctl operations do not appear to require
 
3349            any SELinux controls since they merely observe or modify
 
3350            the state of the current process. */
 
3351         return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
 
3354 static int selinux_task_wait(struct task_struct *p)
 
3356         return task_has_perm(p, current, PROCESS__SIGCHLD);
 
3359 static void selinux_task_reparent_to_init(struct task_struct *p)
 
3361         struct task_security_struct *tsec;
 
3363         secondary_ops->task_reparent_to_init(p);
 
3366         tsec->osid = tsec->sid;
 
3367         tsec->sid = SECINITSID_KERNEL;
 
3371 static void selinux_task_to_inode(struct task_struct *p,
 
3372                                   struct inode *inode)
 
3374         struct task_security_struct *tsec = p->security;
 
3375         struct inode_security_struct *isec = inode->i_security;
 
3377         isec->sid = tsec->sid;
 
3378         isec->initialized = 1;
 
3382 /* Returns error only if unable to parse addresses */
 
3383 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
 
3384                         struct avc_audit_data *ad, u8 *proto)
 
3386         int offset, ihlen, ret = -EINVAL;
 
3387         struct iphdr _iph, *ih;
 
3389         offset = skb_network_offset(skb);
 
3390         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
 
3394         ihlen = ih->ihl * 4;
 
3395         if (ihlen < sizeof(_iph))
 
3398         ad->u.net.v4info.saddr = ih->saddr;
 
3399         ad->u.net.v4info.daddr = ih->daddr;
 
3403                 *proto = ih->protocol;
 
3405         switch (ih->protocol) {
 
3407                 struct tcphdr _tcph, *th;
 
3409                 if (ntohs(ih->frag_off) & IP_OFFSET)
 
3413                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
 
3417                 ad->u.net.sport = th->source;
 
3418                 ad->u.net.dport = th->dest;
 
3423                 struct udphdr _udph, *uh;
 
3425                 if (ntohs(ih->frag_off) & IP_OFFSET)
 
3429                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
 
3433                 ad->u.net.sport = uh->source;
 
3434                 ad->u.net.dport = uh->dest;
 
3438         case IPPROTO_DCCP: {
 
3439                 struct dccp_hdr _dccph, *dh;
 
3441                 if (ntohs(ih->frag_off) & IP_OFFSET)
 
3445                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
 
3449                 ad->u.net.sport = dh->dccph_sport;
 
3450                 ad->u.net.dport = dh->dccph_dport;
 
3461 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 
3463 /* Returns error only if unable to parse addresses */
 
3464 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
 
3465                         struct avc_audit_data *ad, u8 *proto)
 
3468         int ret = -EINVAL, offset;
 
3469         struct ipv6hdr _ipv6h, *ip6;
 
3471         offset = skb_network_offset(skb);
 
3472         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
 
3476         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
 
3477         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
 
3480         nexthdr = ip6->nexthdr;
 
3481         offset += sizeof(_ipv6h);
 
3482         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
 
3491                 struct tcphdr _tcph, *th;
 
3493                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
 
3497                 ad->u.net.sport = th->source;
 
3498                 ad->u.net.dport = th->dest;
 
3503                 struct udphdr _udph, *uh;
 
3505                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
 
3509                 ad->u.net.sport = uh->source;
 
3510                 ad->u.net.dport = uh->dest;
 
3514         case IPPROTO_DCCP: {
 
3515                 struct dccp_hdr _dccph, *dh;
 
3517                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
 
3521                 ad->u.net.sport = dh->dccph_sport;
 
3522                 ad->u.net.dport = dh->dccph_dport;
 
3526         /* includes fragments */
 
3536 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
 
3537                              char **addrp, int src, u8 *proto)
 
3541         switch (ad->u.net.family) {
 
3543                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
 
3546                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
 
3547                                         &ad->u.net.v4info.daddr);
 
3550 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 
3552                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
 
3555                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
 
3556                                         &ad->u.net.v6info.daddr);
 
3565                        "SELinux: failure in selinux_parse_skb(),"
 
3566                        " unable to parse packet\n");
 
3572  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
 
3574  * @family: protocol family
 
3575  * @sid: the packet's peer label SID
 
3578  * Check the various different forms of network peer labeling and determine
 
3579  * the peer label/SID for the packet; most of the magic actually occurs in
 
3580  * the security server function security_net_peersid_cmp().  The function
 
3581  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
 
3582  * or -EACCES if @sid is invalid due to inconsistencies with the different
 
3586 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
 
3593         selinux_skb_xfrm_sid(skb, &xfrm_sid);
 
3594         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
 
3596         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
 
3597         if (unlikely(err)) {
 
3599                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
 
3600                        " unable to determine packet's peer label\n");
 
3607 /* socket security operations */
 
3608 static int socket_has_perm(struct task_struct *task, struct socket *sock,
 
3611         struct inode_security_struct *isec;
 
3612         struct task_security_struct *tsec;
 
3613         struct avc_audit_data ad;
 
3616         tsec = task->security;
 
3617         isec = SOCK_INODE(sock)->i_security;
 
3619         if (isec->sid == SECINITSID_KERNEL)
 
3622         AVC_AUDIT_DATA_INIT(&ad, NET);
 
3623         ad.u.net.sk = sock->sk;
 
3624         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
 
3630 static int selinux_socket_create(int family, int type,
 
3631                                  int protocol, int kern)
 
3634         struct task_security_struct *tsec;
 
3640         tsec = current->security;
 
3641         newsid = tsec->sockcreate_sid ? : tsec->sid;
 
3642         err = avc_has_perm(tsec->sid, newsid,
 
3643                            socket_type_to_security_class(family, type,
 
3644                            protocol), SOCKET__CREATE, NULL);
 
3650 static int selinux_socket_post_create(struct socket *sock, int family,
 
3651                                       int type, int protocol, int kern)
 
3654         struct inode_security_struct *isec;
 
3655         struct task_security_struct *tsec;
 
3656         struct sk_security_struct *sksec;
 
3659         isec = SOCK_INODE(sock)->i_security;
 
3661         tsec = current->security;
 
3662         newsid = tsec->sockcreate_sid ? : tsec->sid;
 
3663         isec->sclass = socket_type_to_security_class(family, type, protocol);
 
3664         isec->sid = kern ? SECINITSID_KERNEL : newsid;
 
3665         isec->initialized = 1;
 
3668                 sksec = sock->sk->sk_security;
 
3669                 sksec->sid = isec->sid;
 
3670                 sksec->sclass = isec->sclass;
 
3671                 err = selinux_netlbl_socket_post_create(sock);
 
3677 /* Range of port numbers used to automatically bind.
 
3678    Need to determine whether we should perform a name_bind
 
3679    permission check between the socket and the port number. */
 
3681 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
 
3686         err = socket_has_perm(current, sock, SOCKET__BIND);
 
3691          * If PF_INET or PF_INET6, check name_bind permission for the port.
 
3692          * Multiple address binding for SCTP is not supported yet: we just
 
3693          * check the first address now.
 
3695         family = sock->sk->sk_family;
 
3696         if (family == PF_INET || family == PF_INET6) {
 
3698                 struct inode_security_struct *isec;
 
3699                 struct task_security_struct *tsec;
 
3700                 struct avc_audit_data ad;
 
3701                 struct sockaddr_in *addr4 = NULL;
 
3702                 struct sockaddr_in6 *addr6 = NULL;
 
3703                 unsigned short snum;
 
3704                 struct sock *sk = sock->sk;
 
3707                 tsec = current->security;
 
3708                 isec = SOCK_INODE(sock)->i_security;
 
3710                 if (family == PF_INET) {
 
3711                         addr4 = (struct sockaddr_in *)address;
 
3712                         snum = ntohs(addr4->sin_port);
 
3713                         addrp = (char *)&addr4->sin_addr.s_addr;
 
3715                         addr6 = (struct sockaddr_in6 *)address;
 
3716                         snum = ntohs(addr6->sin6_port);
 
3717                         addrp = (char *)&addr6->sin6_addr.s6_addr;
 
3723                         inet_get_local_port_range(&low, &high);
 
3725                         if (snum < max(PROT_SOCK, low) || snum > high) {
 
3726                                 err = sel_netport_sid(sk->sk_protocol,
 
3730                                 AVC_AUDIT_DATA_INIT(&ad, NET);
 
3731                                 ad.u.net.sport = htons(snum);
 
3732                                 ad.u.net.family = family;
 
3733                                 err = avc_has_perm(isec->sid, sid,
 
3735                                                    SOCKET__NAME_BIND, &ad);
 
3741                 switch (isec->sclass) {
 
3742                 case SECCLASS_TCP_SOCKET:
 
3743                         node_perm = TCP_SOCKET__NODE_BIND;
 
3746                 case SECCLASS_UDP_SOCKET:
 
3747                         node_perm = UDP_SOCKET__NODE_BIND;
 
3750                 case SECCLASS_DCCP_SOCKET:
 
3751                         node_perm = DCCP_SOCKET__NODE_BIND;
 
3755                         node_perm = RAWIP_SOCKET__NODE_BIND;
 
3759                 err = sel_netnode_sid(addrp, family, &sid);
 
3763                 AVC_AUDIT_DATA_INIT(&ad, NET);
 
3764                 ad.u.net.sport = htons(snum);
 
3765                 ad.u.net.family = family;
 
3767                 if (family == PF_INET)
 
3768                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
 
3770                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
 
3772                 err = avc_has_perm(isec->sid, sid,
 
3773                                    isec->sclass, node_perm, &ad);
 
3781 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
 
3783         struct inode_security_struct *isec;
 
3786         err = socket_has_perm(current, sock, SOCKET__CONNECT);
 
3791          * If a TCP or DCCP socket, check name_connect permission for the port.
 
3793         isec = SOCK_INODE(sock)->i_security;
 
3794         if (isec->sclass == SECCLASS_TCP_SOCKET ||
 
3795             isec->sclass == SECCLASS_DCCP_SOCKET) {
 
3796                 struct sock *sk = sock->sk;
 
3797                 struct avc_audit_data ad;
 
3798                 struct sockaddr_in *addr4 = NULL;
 
3799                 struct sockaddr_in6 *addr6 = NULL;
 
3800                 unsigned short snum;
 
3803                 if (sk->sk_family == PF_INET) {
 
3804                         addr4 = (struct sockaddr_in *)address;
 
3805                         if (addrlen < sizeof(struct sockaddr_in))
 
3807                         snum = ntohs(addr4->sin_port);
 
3809                         addr6 = (struct sockaddr_in6 *)address;
 
3810                         if (addrlen < SIN6_LEN_RFC2133)
 
3812                         snum = ntohs(addr6->sin6_port);
 
3815                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
 
3819                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
 
3820                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
 
3822                 AVC_AUDIT_DATA_INIT(&ad, NET);
 
3823                 ad.u.net.dport = htons(snum);
 
3824                 ad.u.net.family = sk->sk_family;
 
3825                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
 
3834 static int selinux_socket_listen(struct socket *sock, int backlog)
 
3836         return socket_has_perm(current, sock, SOCKET__LISTEN);
 
3839 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
 
3842         struct inode_security_struct *isec;
 
3843         struct inode_security_struct *newisec;
 
3845         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
 
3849         newisec = SOCK_INODE(newsock)->i_security;
 
3851         isec = SOCK_INODE(sock)->i_security;
 
3852         newisec->sclass = isec->sclass;
 
3853         newisec->sid = isec->sid;
 
3854         newisec->initialized = 1;
 
3859 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
 
3864         rc = socket_has_perm(current, sock, SOCKET__WRITE);
 
3868         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
 
3871 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
 
3872                                   int size, int flags)
 
3874         return socket_has_perm(current, sock, SOCKET__READ);
 
3877 static int selinux_socket_getsockname(struct socket *sock)
 
3879         return socket_has_perm(current, sock, SOCKET__GETATTR);
 
3882 static int selinux_socket_getpeername(struct socket *sock)
 
3884         return socket_has_perm(current, sock, SOCKET__GETATTR);
 
3887 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
 
3891         err = socket_has_perm(current, sock, SOCKET__SETOPT);
 
3895         return selinux_netlbl_socket_setsockopt(sock, level, optname);
 
3898 static int selinux_socket_getsockopt(struct socket *sock, int level,
 
3901         return socket_has_perm(current, sock, SOCKET__GETOPT);
 
3904 static int selinux_socket_shutdown(struct socket *sock, int how)
 
3906         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
 
3909 static int selinux_socket_unix_stream_connect(struct socket *sock,
 
3910                                               struct socket *other,
 
3913         struct sk_security_struct *ssec;
 
3914         struct inode_security_struct *isec;
 
3915         struct inode_security_struct *other_isec;
 
3916         struct avc_audit_data ad;
 
3919         err = secondary_ops->unix_stream_connect(sock, other, newsk);
 
3923         isec = SOCK_INODE(sock)->i_security;
 
3924         other_isec = SOCK_INODE(other)->i_security;
 
3926         AVC_AUDIT_DATA_INIT(&ad, NET);
 
3927         ad.u.net.sk = other->sk;
 
3929         err = avc_has_perm(isec->sid, other_isec->sid,
 
3931                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
 
3935         /* connecting socket */
 
3936         ssec = sock->sk->sk_security;
 
3937         ssec->peer_sid = other_isec->sid;
 
3939         /* server child socket */
 
3940         ssec = newsk->sk_security;
 
3941         ssec->peer_sid = isec->sid;
 
3942         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
 
3947 static int selinux_socket_unix_may_send(struct socket *sock,
 
3948                                         struct socket *other)
 
3950         struct inode_security_struct *isec;
 
3951         struct inode_security_struct *other_isec;
 
3952         struct avc_audit_data ad;
 
3955         isec = SOCK_INODE(sock)->i_security;
 
3956         other_isec = SOCK_INODE(other)->i_security;
 
3958         AVC_AUDIT_DATA_INIT(&ad, NET);
 
3959         ad.u.net.sk = other->sk;
 
3961         err = avc_has_perm(isec->sid, other_isec->sid,
 
3962                            isec->sclass, SOCKET__SENDTO, &ad);
 
3969 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
 
3971                                     struct avc_audit_data *ad)
 
3977         err = sel_netif_sid(ifindex, &if_sid);
 
3980         err = avc_has_perm(peer_sid, if_sid,
 
3981                            SECCLASS_NETIF, NETIF__INGRESS, ad);
 
3985         err = sel_netnode_sid(addrp, family, &node_sid);
 
3988         return avc_has_perm(peer_sid, node_sid,
 
3989                             SECCLASS_NODE, NODE__RECVFROM, ad);
 
3992 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
 
3993                                                 struct sk_buff *skb,
 
3994                                                 struct avc_audit_data *ad,
 
3999         struct sk_security_struct *sksec = sk->sk_security;
 
4001         u32 netif_perm, node_perm, recv_perm;
 
4002         u32 port_sid, node_sid, if_sid, sk_sid;
 
4004         sk_sid = sksec->sid;
 
4005         sk_class = sksec->sclass;
 
4008         case SECCLASS_UDP_SOCKET:
 
4009                 netif_perm = NETIF__UDP_RECV;
 
4010                 node_perm = NODE__UDP_RECV;
 
4011                 recv_perm = UDP_SOCKET__RECV_MSG;
 
4013         case SECCLASS_TCP_SOCKET:
 
4014                 netif_perm = NETIF__TCP_RECV;
 
4015                 node_perm = NODE__TCP_RECV;
 
4016                 recv_perm = TCP_SOCKET__RECV_MSG;
 
4018         case SECCLASS_DCCP_SOCKET:
 
4019                 netif_perm = NETIF__DCCP_RECV;
 
4020                 node_perm = NODE__DCCP_RECV;
 
4021                 recv_perm = DCCP_SOCKET__RECV_MSG;
 
4024                 netif_perm = NETIF__RAWIP_RECV;
 
4025                 node_perm = NODE__RAWIP_RECV;
 
4030         err = sel_netif_sid(skb->iif, &if_sid);
 
4033         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
 
4037         err = sel_netnode_sid(addrp, family, &node_sid);
 
4040         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
 
4046         err = sel_netport_sid(sk->sk_protocol,
 
4047                               ntohs(ad->u.net.sport), &port_sid);
 
4048         if (unlikely(err)) {
 
4050                        "SELinux: failure in"
 
4051                        " selinux_sock_rcv_skb_iptables_compat(),"
 
4052                        " network port label not found\n");
 
4055         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
 
4058 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
 
4059                                        struct avc_audit_data *ad,
 
4060                                        u16 family, char *addrp)
 
4063         struct sk_security_struct *sksec = sk->sk_security;
 
4065         u32 sk_sid = sksec->sid;
 
4067         if (selinux_compat_net)
 
4068                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
 
4071                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
 
4076         if (selinux_policycap_netpeer) {
 
4077                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
 
4080                 err = avc_has_perm(sk_sid, peer_sid,
 
4081                                    SECCLASS_PEER, PEER__RECV, ad);
 
4083                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
 
4086                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
 
4092 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 
4095         struct sk_security_struct *sksec = sk->sk_security;
 
4096         u16 family = sk->sk_family;
 
4097         u32 sk_sid = sksec->sid;
 
4098         struct avc_audit_data ad;
 
4101         if (family != PF_INET && family != PF_INET6)
 
4104         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
 
4105         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
 
4108         AVC_AUDIT_DATA_INIT(&ad, NET);
 
4109         ad.u.net.netif = skb->iif;
 
4110         ad.u.net.family = family;
 
4111         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
 
4115         /* If any sort of compatibility mode is enabled then handoff processing
 
4116          * to the selinux_sock_rcv_skb_compat() function to deal with the
 
4117          * special handling.  We do this in an attempt to keep this function
 
4118          * as fast and as clean as possible. */
 
4119         if (selinux_compat_net || !selinux_policycap_netpeer)
 
4120                 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
 
4123         if (netlbl_enabled() || selinux_xfrm_enabled()) {
 
4126                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
 
4129                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
 
4133                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
 
4137         if (selinux_secmark_enabled()) {
 
4138                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
 
4147 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
 
4148                                             int __user *optlen, unsigned len)
 
4153         struct sk_security_struct *ssec;
 
4154         struct inode_security_struct *isec;
 
4155         u32 peer_sid = SECSID_NULL;
 
4157         isec = SOCK_INODE(sock)->i_security;
 
4159         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
 
4160             isec->sclass == SECCLASS_TCP_SOCKET) {
 
4161                 ssec = sock->sk->sk_security;
 
4162                 peer_sid = ssec->peer_sid;
 
4164         if (peer_sid == SECSID_NULL) {
 
4169         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
 
4174         if (scontext_len > len) {
 
4179         if (copy_to_user(optval, scontext, scontext_len))
 
4183         if (put_user(scontext_len, optlen))
 
4191 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
 
4193         u32 peer_secid = SECSID_NULL;
 
4197                 family = sock->sk->sk_family;
 
4198         else if (skb && skb->sk)
 
4199                 family = skb->sk->sk_family;
 
4203         if (sock && family == PF_UNIX)
 
4204                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
 
4206                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
 
4209         *secid = peer_secid;
 
4210         if (peer_secid == SECSID_NULL)
 
4215 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
 
4217         return sk_alloc_security(sk, family, priority);
 
4220 static void selinux_sk_free_security(struct sock *sk)
 
4222         sk_free_security(sk);
 
4225 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
 
4227         struct sk_security_struct *ssec = sk->sk_security;
 
4228         struct sk_security_struct *newssec = newsk->sk_security;
 
4230         newssec->sid = ssec->sid;
 
4231         newssec->peer_sid = ssec->peer_sid;
 
4232         newssec->sclass = ssec->sclass;
 
4234         selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
 
4237 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
 
4240                 *secid = SECINITSID_ANY_SOCKET;
 
4242                 struct sk_security_struct *sksec = sk->sk_security;
 
4244                 *secid = sksec->sid;
 
4248 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
 
4250         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
 
4251         struct sk_security_struct *sksec = sk->sk_security;
 
4253         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
 
4254             sk->sk_family == PF_UNIX)
 
4255                 isec->sid = sksec->sid;
 
4256         sksec->sclass = isec->sclass;
 
4258         selinux_netlbl_sock_graft(sk, parent);
 
4261 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
 
4262                                      struct request_sock *req)
 
4264         struct sk_security_struct *sksec = sk->sk_security;
 
4269         err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
 
4272         if (peersid == SECSID_NULL) {
 
4273                 req->secid = sksec->sid;
 
4274                 req->peer_secid = SECSID_NULL;
 
4278         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
 
4282         req->secid = newsid;
 
4283         req->peer_secid = peersid;
 
4287 static void selinux_inet_csk_clone(struct sock *newsk,
 
4288                                    const struct request_sock *req)
 
4290         struct sk_security_struct *newsksec = newsk->sk_security;
 
4292         newsksec->sid = req->secid;
 
4293         newsksec->peer_sid = req->peer_secid;
 
4294         /* NOTE: Ideally, we should also get the isec->sid for the
 
4295            new socket in sync, but we don't have the isec available yet.
 
4296            So we will wait until sock_graft to do it, by which
 
4297            time it will have been created and available. */
 
4299         /* We don't need to take any sort of lock here as we are the only
 
4300          * thread with access to newsksec */
 
4301         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
 
4304 static void selinux_inet_conn_established(struct sock *sk,
 
4305                                 struct sk_buff *skb)
 
4307         struct sk_security_struct *sksec = sk->sk_security;
 
4309         selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
 
4312 static void selinux_req_classify_flow(const struct request_sock *req,
 
4315         fl->secid = req->secid;
 
4318 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
 
4322         struct nlmsghdr *nlh;
 
4323         struct socket *sock = sk->sk_socket;
 
4324         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
 
4326         if (skb->len < NLMSG_SPACE(0)) {
 
4330         nlh = nlmsg_hdr(skb);
 
4332         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
 
4334                 if (err == -EINVAL) {
 
4335                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
 
4336                                   "SELinux:  unrecognized netlink message"
 
4337                                   " type=%hu for sclass=%hu\n",
 
4338                                   nlh->nlmsg_type, isec->sclass);
 
4339                         if (!selinux_enforcing)
 
4349         err = socket_has_perm(current, sock, perm);
 
4354 #ifdef CONFIG_NETFILTER
 
4356 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
 
4361         struct avc_audit_data ad;
 
4365         if (!selinux_policycap_netpeer)
 
4368         secmark_active = selinux_secmark_enabled();
 
4369         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
 
4370         if (!secmark_active && !peerlbl_active)
 
4373         AVC_AUDIT_DATA_INIT(&ad, NET);
 
4374         ad.u.net.netif = ifindex;
 
4375         ad.u.net.family = family;
 
4376         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
 
4379         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
 
4383                 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
 
4384                                              peer_sid, &ad) != 0)
 
4388                 if (avc_has_perm(peer_sid, skb->secmark,
 
4389                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
 
4395 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
 
4396                                          struct sk_buff *skb,
 
4397                                          const struct net_device *in,
 
4398                                          const struct net_device *out,
 
4399                                          int (*okfn)(struct sk_buff *))
 
4401         return selinux_ip_forward(skb, in->ifindex, PF_INET);
 
4404 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 
4405 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
 
4406                                          struct sk_buff *skb,
 
4407                                          const struct net_device *in,
 
4408                                          const struct net_device *out,
 
4409                                          int (*okfn)(struct sk_buff *))
 
4411         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
 
4415 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
 
4417                                                 struct avc_audit_data *ad,
 
4418                                                 u16 family, char *addrp)
 
4421         struct sk_security_struct *sksec = sk->sk_security;
 
4423         u32 netif_perm, node_perm, send_perm;
 
4424         u32 port_sid, node_sid, if_sid, sk_sid;
 
4426         sk_sid = sksec->sid;
 
4427         sk_class = sksec->sclass;
 
4430         case SECCLASS_UDP_SOCKET:
 
4431                 netif_perm = NETIF__UDP_SEND;
 
4432                 node_perm = NODE__UDP_SEND;
 
4433                 send_perm = UDP_SOCKET__SEND_MSG;
 
4435         case SECCLASS_TCP_SOCKET:
 
4436                 netif_perm = NETIF__TCP_SEND;
 
4437                 node_perm = NODE__TCP_SEND;
 
4438                 send_perm = TCP_SOCKET__SEND_MSG;
 
4440         case SECCLASS_DCCP_SOCKET:
 
4441                 netif_perm = NETIF__DCCP_SEND;
 
4442                 node_perm = NODE__DCCP_SEND;
 
4443                 send_perm = DCCP_SOCKET__SEND_MSG;
 
4446                 netif_perm = NETIF__RAWIP_SEND;
 
4447                 node_perm = NODE__RAWIP_SEND;
 
4452         err = sel_netif_sid(ifindex, &if_sid);
 
4455         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
 
4458         err = sel_netnode_sid(addrp, family, &node_sid);
 
4461         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
 
4468         err = sel_netport_sid(sk->sk_protocol,
 
4469                               ntohs(ad->u.net.dport), &port_sid);
 
4470         if (unlikely(err)) {
 
4472                        "SELinux: failure in"
 
4473                        " selinux_ip_postroute_iptables_compat(),"
 
4474                        " network port label not found\n");
 
4477         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
 
4480 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
 
4482                                                 struct avc_audit_data *ad,
 
4487         struct sock *sk = skb->sk;
 
4488         struct sk_security_struct *sksec;
 
4492         sksec = sk->sk_security;
 
4494         if (selinux_compat_net) {
 
4495                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
 
4499                 if (avc_has_perm(sksec->sid, skb->secmark,
 
4500                                  SECCLASS_PACKET, PACKET__SEND, ad))
 
4504         if (selinux_policycap_netpeer)
 
4505                 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
 
4511 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
 
4517         struct avc_audit_data ad;
 
4523         AVC_AUDIT_DATA_INIT(&ad, NET);
 
4524         ad.u.net.netif = ifindex;
 
4525         ad.u.net.family = family;
 
4526         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
 
4529         /* If any sort of compatibility mode is enabled then handoff processing
 
4530          * to the selinux_ip_postroute_compat() function to deal with the
 
4531          * special handling.  We do this in an attempt to keep this function
 
4532          * as fast and as clean as possible. */
 
4533         if (selinux_compat_net || !selinux_policycap_netpeer)
 
4534                 return selinux_ip_postroute_compat(skb, ifindex, &ad,
 
4535                                                    family, addrp, proto);
 
4537         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
 
4538          * packet transformation so allow the packet to pass without any checks
 
4539          * since we'll have another chance to perform access control checks
 
4540          * when the packet is on it's final way out.
 
4541          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
 
4542          *       is NULL, in this case go ahead and apply access control. */
 
4543         if (skb->dst != NULL && skb->dst->xfrm != NULL)
 
4546         secmark_active = selinux_secmark_enabled();
 
4547         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
 
4548         if (!secmark_active && !peerlbl_active)
 
4551         /* if the packet is locally generated (skb->sk != NULL) then use the
 
4552          * socket's label as the peer label, otherwise the packet is being
 
4553          * forwarded through this system and we need to fetch the peer label
 
4554          * directly from the packet */
 
4557                 struct sk_security_struct *sksec = sk->sk_security;
 
4558                 peer_sid = sksec->sid;
 
4559                 secmark_perm = PACKET__SEND;
 
4561                 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
 
4563                 secmark_perm = PACKET__FORWARD_OUT;
 
4567                 if (avc_has_perm(peer_sid, skb->secmark,
 
4568                                  SECCLASS_PACKET, secmark_perm, &ad))
 
4571         if (peerlbl_active) {
 
4575                 if (sel_netif_sid(ifindex, &if_sid))
 
4577                 if (avc_has_perm(peer_sid, if_sid,
 
4578                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
 
4581                 if (sel_netnode_sid(addrp, family, &node_sid))
 
4583                 if (avc_has_perm(peer_sid, node_sid,
 
4584                                  SECCLASS_NODE, NODE__SENDTO, &ad))
 
4591 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
 
4592                                            struct sk_buff *skb,
 
4593                                            const struct net_device *in,
 
4594                                            const struct net_device *out,
 
4595                                            int (*okfn)(struct sk_buff *))
 
4597         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
 
4600 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 
4601 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
 
4602                                            struct sk_buff *skb,
 
4603                                            const struct net_device *in,
 
4604                                            const struct net_device *out,
 
4605                                            int (*okfn)(struct sk_buff *))
 
4607         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
 
4611 #endif  /* CONFIG_NETFILTER */
 
4613 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
 
4617         err = secondary_ops->netlink_send(sk, skb);
 
4621         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
 
4622                 err = selinux_nlmsg_perm(sk, skb);
 
4627 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
 
4630         struct avc_audit_data ad;
 
4632         err = secondary_ops->netlink_recv(skb, capability);
 
4636         AVC_AUDIT_DATA_INIT(&ad, CAP);
 
4637         ad.u.cap = capability;
 
4639         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
 
4640                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
 
4643 static int ipc_alloc_security(struct task_struct *task,
 
4644                               struct kern_ipc_perm *perm,
 
4647         struct task_security_struct *tsec = task->security;
 
4648         struct ipc_security_struct *isec;
 
4650         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
 
4654         isec->sclass = sclass;
 
4655         isec->sid = tsec->sid;
 
4656         perm->security = isec;
 
4661 static void ipc_free_security(struct kern_ipc_perm *perm)
 
4663         struct ipc_security_struct *isec = perm->security;
 
4664         perm->security = NULL;
 
4668 static int msg_msg_alloc_security(struct msg_msg *msg)
 
4670         struct msg_security_struct *msec;
 
4672         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
 
4676         msec->sid = SECINITSID_UNLABELED;
 
4677         msg->security = msec;
 
4682 static void msg_msg_free_security(struct msg_msg *msg)
 
4684         struct msg_security_struct *msec = msg->security;
 
4686         msg->security = NULL;
 
4690 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
 
4693         struct task_security_struct *tsec;
 
4694         struct ipc_security_struct *isec;
 
4695         struct avc_audit_data ad;
 
4697         tsec = current->security;
 
4698         isec = ipc_perms->security;
 
4700         AVC_AUDIT_DATA_INIT(&ad, IPC);
 
4701         ad.u.ipc_id = ipc_perms->key;
 
4703         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
 
4706 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
 
4708         return msg_msg_alloc_security(msg);
 
4711 static void selinux_msg_msg_free_security(struct msg_msg *msg)
 
4713         msg_msg_free_security(msg);
 
4716 /* message queue security operations */
 
4717 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
 
4719         struct task_security_struct *tsec;
 
4720         struct ipc_security_struct *isec;
 
4721         struct avc_audit_data ad;
 
4724         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
 
4728         tsec = current->security;
 
4729         isec = msq->q_perm.security;
 
4731         AVC_AUDIT_DATA_INIT(&ad, IPC);
 
4732         ad.u.ipc_id = msq->q_perm.key;
 
4734         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
 
4737                 ipc_free_security(&msq->q_perm);
 
4743 static void selinux_msg_queue_free_security(struct msg_queue *msq)
 
4745         ipc_free_security(&msq->q_perm);
 
4748 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
 
4750         struct task_security_struct *tsec;
 
4751         struct ipc_security_struct *isec;
 
4752         struct avc_audit_data ad;
 
4754         tsec = current->security;
 
4755         isec = msq->q_perm.security;
 
4757         AVC_AUDIT_DATA_INIT(&ad, IPC);
 
4758         ad.u.ipc_id = msq->q_perm.key;
 
4760         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
 
4761                             MSGQ__ASSOCIATE, &ad);
 
4764 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
 
4772                 /* No specific object, just general system-wide information. */
 
4773                 return task_has_system(current, SYSTEM__IPC_INFO);
 
4776                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
 
4779                 perms = MSGQ__SETATTR;
 
4782                 perms = MSGQ__DESTROY;
 
4788         err = ipc_has_perm(&msq->q_perm, perms);
 
4792 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
 
4794         struct task_security_struct *tsec;
 
4795         struct ipc_security_struct *isec;
 
4796         struct msg_security_struct *msec;
 
4797         struct avc_audit_data ad;
 
4800         tsec = current->security;
 
4801         isec = msq->q_perm.security;
 
4802         msec = msg->security;
 
4805          * First time through, need to assign label to the message
 
4807         if (msec->sid == SECINITSID_UNLABELED) {
 
4809                  * Compute new sid based on current process and
 
4810                  * message queue this message will be stored in
 
4812                 rc = security_transition_sid(tsec->sid,
 
4820         AVC_AUDIT_DATA_INIT(&ad, IPC);
 
4821         ad.u.ipc_id = msq->q_perm.key;
 
4823         /* Can this process write to the queue? */
 
4824         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
 
4827                 /* Can this process send the message */
 
4828                 rc = avc_has_perm(tsec->sid, msec->sid,
 
4829                                   SECCLASS_MSG, MSG__SEND, &ad);
 
4831                 /* Can the message be put in the queue? */
 
4832                 rc = avc_has_perm(msec->sid, isec->sid,
 
4833                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
 
4838 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
 
4839                                     struct task_struct *target,
 
4840                                     long type, int mode)
 
4842         struct task_security_struct *tsec;
 
4843         struct ipc_security_struct *isec;
 
4844         struct msg_security_struct *msec;
 
4845         struct avc_audit_data ad;
 
4848         tsec = target->security;
 
4849         isec = msq->q_perm.security;
 
4850         msec = msg->security;
 
4852         AVC_AUDIT_DATA_INIT(&ad, IPC);
 
4853         ad.u.ipc_id = msq->q_perm.key;
 
4855         rc = avc_has_perm(tsec->sid, isec->sid,
 
4856                           SECCLASS_MSGQ, MSGQ__READ, &ad);
 
4858                 rc = avc_has_perm(tsec->sid, msec->sid,
 
4859                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
 
4863 /* Shared Memory security operations */
 
4864 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
 
4866         struct task_security_struct *tsec;
 
4867         struct ipc_security_struct *isec;
 
4868         struct avc_audit_data ad;
 
4871         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
 
4875         tsec = current->security;
 
4876         isec = shp->shm_perm.security;
 
4878         AVC_AUDIT_DATA_INIT(&ad, IPC);
 
4879         ad.u.ipc_id = shp->shm_perm.key;
 
4881         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
 
4884                 ipc_free_security(&shp->shm_perm);
 
4890 static void selinux_shm_free_security(struct shmid_kernel *shp)
 
4892         ipc_free_security(&shp->shm_perm);
 
4895 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
 
4897         struct task_security_struct *tsec;
 
4898         struct ipc_security_struct *isec;
 
4899         struct avc_audit_data ad;
 
4901         tsec = current->security;
 
4902         isec = shp->shm_perm.security;
 
4904         AVC_AUDIT_DATA_INIT(&ad, IPC);
 
4905         ad.u.ipc_id = shp->shm_perm.key;
 
4907         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
 
4908                             SHM__ASSOCIATE, &ad);
 
4911 /* Note, at this point, shp is locked down */
 
4912 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
 
4920                 /* No specific object, just general system-wide information. */
 
4921                 return task_has_system(current, SYSTEM__IPC_INFO);
 
4924                 perms = SHM__GETATTR | SHM__ASSOCIATE;
 
4927                 perms = SHM__SETATTR;
 
4934                 perms = SHM__DESTROY;
 
4940         err = ipc_has_perm(&shp->shm_perm, perms);
 
4944 static int selinux_shm_shmat(struct shmid_kernel *shp,
 
4945                              char __user *shmaddr, int shmflg)
 
4950         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
 
4954         if (shmflg & SHM_RDONLY)
 
4957                 perms = SHM__READ | SHM__WRITE;
 
4959         return ipc_has_perm(&shp->shm_perm, perms);
 
4962 /* Semaphore security operations */
 
4963 static int selinux_sem_alloc_security(struct sem_array *sma)
 
4965         struct task_security_struct *tsec;
 
4966         struct ipc_security_struct *isec;
 
4967         struct avc_audit_data ad;
 
4970         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
 
4974         tsec = current->security;
 
4975         isec = sma->sem_perm.security;
 
4977         AVC_AUDIT_DATA_INIT(&ad, IPC);
 
4978         ad.u.ipc_id = sma->sem_perm.key;
 
4980         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
 
4983                 ipc_free_security(&sma->sem_perm);
 
4989 static void selinux_sem_free_security(struct sem_array *sma)
 
4991         ipc_free_security(&sma->sem_perm);
 
4994 static int selinux_sem_associate(struct sem_array *sma, int semflg)
 
4996         struct task_security_struct *tsec;
 
4997         struct ipc_security_struct *isec;
 
4998         struct avc_audit_data ad;
 
5000         tsec = current->security;
 
5001         isec = sma->sem_perm.security;
 
5003         AVC_AUDIT_DATA_INIT(&ad, IPC);
 
5004         ad.u.ipc_id = sma->sem_perm.key;
 
5006         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
 
5007                             SEM__ASSOCIATE, &ad);
 
5010 /* Note, at this point, sma is locked down */
 
5011 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
 
5019                 /* No specific object, just general system-wide information. */
 
5020                 return task_has_system(current, SYSTEM__IPC_INFO);
 
5024                 perms = SEM__GETATTR;
 
5035                 perms = SEM__DESTROY;
 
5038                 perms = SEM__SETATTR;
 
5042                 perms = SEM__GETATTR | SEM__ASSOCIATE;
 
5048         err = ipc_has_perm(&sma->sem_perm, perms);
 
5052 static int selinux_sem_semop(struct sem_array *sma,
 
5053                              struct sembuf *sops, unsigned nsops, int alter)
 
5058                 perms = SEM__READ | SEM__WRITE;
 
5062         return ipc_has_perm(&sma->sem_perm, perms);
 
5065 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
 
5071                 av |= IPC__UNIX_READ;
 
5073                 av |= IPC__UNIX_WRITE;
 
5078         return ipc_has_perm(ipcp, av);
 
5081 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
 
5083         struct ipc_security_struct *isec = ipcp->security;
 
5087 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
 
5090                 inode_doinit_with_dentry(inode, dentry);
 
5093 static int selinux_getprocattr(struct task_struct *p,
 
5094                                char *name, char **value)
 
5096         struct task_security_struct *tsec;
 
5102                 error = task_has_perm(current, p, PROCESS__GETATTR);
 
5109         if (!strcmp(name, "current"))
 
5111         else if (!strcmp(name, "prev"))
 
5113         else if (!strcmp(name, "exec"))
 
5114                 sid = tsec->exec_sid;
 
5115         else if (!strcmp(name, "fscreate"))
 
5116                 sid = tsec->create_sid;
 
5117         else if (!strcmp(name, "keycreate"))
 
5118                 sid = tsec->keycreate_sid;
 
5119         else if (!strcmp(name, "sockcreate"))
 
5120                 sid = tsec->sockcreate_sid;
 
5127         error = security_sid_to_context(sid, value, &len);
 
5133 static int selinux_setprocattr(struct task_struct *p,
 
5134                                char *name, void *value, size_t size)
 
5136         struct task_security_struct *tsec;
 
5137         struct task_struct *tracer;
 
5143                 /* SELinux only allows a process to change its own
 
5144                    security attributes. */
 
5149          * Basic control over ability to set these attributes at all.
 
5150          * current == p, but we'll pass them separately in case the
 
5151          * above restriction is ever removed.
 
5153         if (!strcmp(name, "exec"))
 
5154                 error = task_has_perm(current, p, PROCESS__SETEXEC);
 
5155         else if (!strcmp(name, "fscreate"))
 
5156                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
 
5157         else if (!strcmp(name, "keycreate"))
 
5158                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
 
5159         else if (!strcmp(name, "sockcreate"))
 
5160                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
 
5161         else if (!strcmp(name, "current"))
 
5162                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
 
5168         /* Obtain a SID for the context, if one was specified. */
 
5169         if (size && str[1] && str[1] != '\n') {
 
5170                 if (str[size-1] == '\n') {
 
5174                 error = security_context_to_sid(value, size, &sid);
 
5175                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
 
5176                         if (!capable(CAP_MAC_ADMIN))
 
5178                         error = security_context_to_sid_force(value, size,
 
5185         /* Permission checking based on the specified context is
 
5186            performed during the actual operation (execve,
 
5187            open/mkdir/...), when we know the full context of the
 
5188            operation.  See selinux_bprm_set_security for the execve
 
5189            checks and may_create for the file creation checks. The
 
5190            operation will then fail if the context is not permitted. */
 
5192         if (!strcmp(name, "exec"))
 
5193                 tsec->exec_sid = sid;
 
5194         else if (!strcmp(name, "fscreate"))
 
5195                 tsec->create_sid = sid;
 
5196         else if (!strcmp(name, "keycreate")) {
 
5197                 error = may_create_key(sid, p);
 
5200                 tsec->keycreate_sid = sid;
 
5201         } else if (!strcmp(name, "sockcreate"))
 
5202                 tsec->sockcreate_sid = sid;
 
5203         else if (!strcmp(name, "current")) {
 
5204                 struct av_decision avd;
 
5209                 /* Only allow single threaded processes to change context */
 
5210                 if (atomic_read(&p->mm->mm_users) != 1) {
 
5211                         struct task_struct *g, *t;
 
5212                         struct mm_struct *mm = p->mm;
 
5213                         read_lock(&tasklist_lock);
 
5214                         do_each_thread(g, t) {
 
5215                                 if (t->mm == mm && t != p) {
 
5216                                         read_unlock(&tasklist_lock);
 
5219                         } while_each_thread(g, t);
 
5220                         read_unlock(&tasklist_lock);
 
5223                 /* Check permissions for the transition. */
 
5224                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
 
5225                                      PROCESS__DYNTRANSITION, NULL);
 
5229                 /* Check for ptracing, and update the task SID if ok.
 
5230                    Otherwise, leave SID unchanged and fail. */
 
5233                 tracer = tracehook_tracer_task(p);
 
5234                 if (tracer != NULL) {
 
5235                         struct task_security_struct *ptsec = tracer->security;
 
5236                         u32 ptsid = ptsec->sid;
 
5238                         error = avc_has_perm_noaudit(ptsid, sid,
 
5240                                                      PROCESS__PTRACE, 0, &avd);
 
5244                         avc_audit(ptsid, sid, SECCLASS_PROCESS,
 
5245                                   PROCESS__PTRACE, &avd, error, NULL);
 
5259 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
 
5261         return security_sid_to_context(secid, secdata, seclen);
 
5264 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
 
5266         return security_context_to_sid(secdata, seclen, secid);
 
5269 static void selinux_release_secctx(char *secdata, u32 seclen)
 
5276 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
 
5277                              unsigned long flags)
 
5279         struct task_security_struct *tsec = tsk->security;
 
5280         struct key_security_struct *ksec;
 
5282         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
 
5286         if (tsec->keycreate_sid)
 
5287                 ksec->sid = tsec->keycreate_sid;
 
5289                 ksec->sid = tsec->sid;
 
5295 static void selinux_key_free(struct key *k)
 
5297         struct key_security_struct *ksec = k->security;
 
5303 static int selinux_key_permission(key_ref_t key_ref,
 
5304                             struct task_struct *ctx,
 
5308         struct task_security_struct *tsec;
 
5309         struct key_security_struct *ksec;
 
5311         key = key_ref_to_ptr(key_ref);
 
5313         tsec = ctx->security;
 
5314         ksec = key->security;
 
5316         /* if no specific permissions are requested, we skip the
 
5317            permission check. No serious, additional covert channels
 
5318            appear to be created. */
 
5322         return avc_has_perm(tsec->sid, ksec->sid,
 
5323                             SECCLASS_KEY, perm, NULL);
 
5326 static int selinux_key_getsecurity(struct key *key, char **_buffer)
 
5328         struct key_security_struct *ksec = key->security;
 
5329         char *context = NULL;
 
5333         rc = security_sid_to_context(ksec->sid, &context, &len);
 
5342 static struct security_operations selinux_ops = {
 
5345         .ptrace =                       selinux_ptrace,
 
5346         .capget =                       selinux_capget,
 
5347         .capset_check =                 selinux_capset_check,
 
5348         .capset_set =                   selinux_capset_set,
 
5349         .sysctl =                       selinux_sysctl,
 
5350         .capable =                      selinux_capable,
 
5351         .quotactl =                     selinux_quotactl,
 
5352         .quota_on =                     selinux_quota_on,
 
5353         .syslog =                       selinux_syslog,
 
5354         .vm_enough_memory =             selinux_vm_enough_memory,
 
5356         .netlink_send =                 selinux_netlink_send,
 
5357         .netlink_recv =                 selinux_netlink_recv,
 
5359         .bprm_alloc_security =          selinux_bprm_alloc_security,
 
5360         .bprm_free_security =           selinux_bprm_free_security,
 
5361         .bprm_apply_creds =             selinux_bprm_apply_creds,
 
5362         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
 
5363         .bprm_set_security =            selinux_bprm_set_security,
 
5364         .bprm_check_security =          selinux_bprm_check_security,
 
5365         .bprm_secureexec =              selinux_bprm_secureexec,
 
5367         .sb_alloc_security =            selinux_sb_alloc_security,
 
5368         .sb_free_security =             selinux_sb_free_security,
 
5369         .sb_copy_data =                 selinux_sb_copy_data,
 
5370         .sb_kern_mount =                selinux_sb_kern_mount,
 
5371         .sb_show_options =              selinux_sb_show_options,
 
5372         .sb_statfs =                    selinux_sb_statfs,
 
5373         .sb_mount =                     selinux_mount,
 
5374         .sb_umount =                    selinux_umount,
 
5375         .sb_set_mnt_opts =              selinux_set_mnt_opts,
 
5376         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
 
5377         .sb_parse_opts_str =            selinux_parse_opts_str,
 
5380         .inode_alloc_security =         selinux_inode_alloc_security,
 
5381         .inode_free_security =          selinux_inode_free_security,
 
5382         .inode_init_security =          selinux_inode_init_security,
 
5383         .inode_create =                 selinux_inode_create,
 
5384         .inode_link =                   selinux_inode_link,
 
5385         .inode_unlink =                 selinux_inode_unlink,
 
5386         .inode_symlink =                selinux_inode_symlink,
 
5387         .inode_mkdir =                  selinux_inode_mkdir,
 
5388         .inode_rmdir =                  selinux_inode_rmdir,
 
5389         .inode_mknod =                  selinux_inode_mknod,
 
5390         .inode_rename =                 selinux_inode_rename,
 
5391         .inode_readlink =               selinux_inode_readlink,
 
5392         .inode_follow_link =            selinux_inode_follow_link,
 
5393         .inode_permission =             selinux_inode_permission,
 
5394         .inode_setattr =                selinux_inode_setattr,
 
5395         .inode_getattr =                selinux_inode_getattr,
 
5396         .inode_setxattr =               selinux_inode_setxattr,
 
5397         .inode_post_setxattr =          selinux_inode_post_setxattr,
 
5398         .inode_getxattr =               selinux_inode_getxattr,
 
5399         .inode_listxattr =              selinux_inode_listxattr,
 
5400         .inode_removexattr =            selinux_inode_removexattr,
 
5401         .inode_getsecurity =            selinux_inode_getsecurity,
 
5402         .inode_setsecurity =            selinux_inode_setsecurity,
 
5403         .inode_listsecurity =           selinux_inode_listsecurity,
 
5404         .inode_need_killpriv =          selinux_inode_need_killpriv,
 
5405         .inode_killpriv =               selinux_inode_killpriv,
 
5406         .inode_getsecid =               selinux_inode_getsecid,
 
5408         .file_permission =              selinux_file_permission,
 
5409         .file_alloc_security =          selinux_file_alloc_security,
 
5410         .file_free_security =           selinux_file_free_security,
 
5411         .file_ioctl =                   selinux_file_ioctl,
 
5412         .file_mmap =                    selinux_file_mmap,
 
5413         .file_mprotect =                selinux_file_mprotect,
 
5414         .file_lock =                    selinux_file_lock,
 
5415         .file_fcntl =                   selinux_file_fcntl,
 
5416         .file_set_fowner =              selinux_file_set_fowner,
 
5417         .file_send_sigiotask =          selinux_file_send_sigiotask,
 
5418         .file_receive =                 selinux_file_receive,
 
5420         .dentry_open =                  selinux_dentry_open,
 
5422         .task_create =                  selinux_task_create,
 
5423         .task_alloc_security =          selinux_task_alloc_security,
 
5424         .task_free_security =           selinux_task_free_security,
 
5425         .task_setuid =                  selinux_task_setuid,
 
5426         .task_post_setuid =             selinux_task_post_setuid,
 
5427         .task_setgid =                  selinux_task_setgid,
 
5428         .task_setpgid =                 selinux_task_setpgid,
 
5429         .task_getpgid =                 selinux_task_getpgid,
 
5430         .task_getsid =                  selinux_task_getsid,
 
5431         .task_getsecid =                selinux_task_getsecid,
 
5432         .task_setgroups =               selinux_task_setgroups,
 
5433         .task_setnice =                 selinux_task_setnice,
 
5434         .task_setioprio =               selinux_task_setioprio,
 
5435         .task_getioprio =               selinux_task_getioprio,
 
5436         .task_setrlimit =               selinux_task_setrlimit,
 
5437         .task_setscheduler =            selinux_task_setscheduler,
 
5438         .task_getscheduler =            selinux_task_getscheduler,
 
5439         .task_movememory =              selinux_task_movememory,
 
5440         .task_kill =                    selinux_task_kill,
 
5441         .task_wait =                    selinux_task_wait,
 
5442         .task_prctl =                   selinux_task_prctl,
 
5443         .task_reparent_to_init =        selinux_task_reparent_to_init,
 
5444         .task_to_inode =                selinux_task_to_inode,
 
5446         .ipc_permission =               selinux_ipc_permission,
 
5447         .ipc_getsecid =                 selinux_ipc_getsecid,
 
5449         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
 
5450         .msg_msg_free_security =        selinux_msg_msg_free_security,
 
5452         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
 
5453         .msg_queue_free_security =      selinux_msg_queue_free_security,
 
5454         .msg_queue_associate =          selinux_msg_queue_associate,
 
5455         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
 
5456         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
 
5457         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
 
5459         .shm_alloc_security =           selinux_shm_alloc_security,
 
5460         .shm_free_security =            selinux_shm_free_security,
 
5461         .shm_associate =                selinux_shm_associate,
 
5462         .shm_shmctl =                   selinux_shm_shmctl,
 
5463         .shm_shmat =                    selinux_shm_shmat,
 
5465         .sem_alloc_security =           selinux_sem_alloc_security,
 
5466         .sem_free_security =            selinux_sem_free_security,
 
5467         .sem_associate =                selinux_sem_associate,
 
5468         .sem_semctl =                   selinux_sem_semctl,
 
5469         .sem_semop =                    selinux_sem_semop,
 
5471         .d_instantiate =                selinux_d_instantiate,
 
5473         .getprocattr =                  selinux_getprocattr,
 
5474         .setprocattr =                  selinux_setprocattr,
 
5476         .secid_to_secctx =              selinux_secid_to_secctx,
 
5477         .secctx_to_secid =              selinux_secctx_to_secid,
 
5478         .release_secctx =               selinux_release_secctx,
 
5480         .unix_stream_connect =          selinux_socket_unix_stream_connect,
 
5481         .unix_may_send =                selinux_socket_unix_may_send,
 
5483         .socket_create =                selinux_socket_create,
 
5484         .socket_post_create =           selinux_socket_post_create,
 
5485         .socket_bind =                  selinux_socket_bind,
 
5486         .socket_connect =               selinux_socket_connect,
 
5487         .socket_listen =                selinux_socket_listen,
 
5488         .socket_accept =                selinux_socket_accept,
 
5489         .socket_sendmsg =               selinux_socket_sendmsg,
 
5490         .socket_recvmsg =               selinux_socket_recvmsg,
 
5491         .socket_getsockname =           selinux_socket_getsockname,
 
5492         .socket_getpeername =           selinux_socket_getpeername,
 
5493         .socket_getsockopt =            selinux_socket_getsockopt,
 
5494         .socket_setsockopt =            selinux_socket_setsockopt,
 
5495         .socket_shutdown =              selinux_socket_shutdown,
 
5496         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
 
5497         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
 
5498         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
 
5499         .sk_alloc_security =            selinux_sk_alloc_security,
 
5500         .sk_free_security =             selinux_sk_free_security,
 
5501         .sk_clone_security =            selinux_sk_clone_security,
 
5502         .sk_getsecid =                  selinux_sk_getsecid,
 
5503         .sock_graft =                   selinux_sock_graft,
 
5504         .inet_conn_request =            selinux_inet_conn_request,
 
5505         .inet_csk_clone =               selinux_inet_csk_clone,
 
5506         .inet_conn_established =        selinux_inet_conn_established,
 
5507         .req_classify_flow =            selinux_req_classify_flow,
 
5509 #ifdef CONFIG_SECURITY_NETWORK_XFRM
 
5510         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
 
5511         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
 
5512         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
 
5513         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
 
5514         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
 
5515         .xfrm_state_free_security =     selinux_xfrm_state_free,
 
5516         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
 
5517         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
 
5518         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
 
5519         .xfrm_decode_session =          selinux_xfrm_decode_session,
 
5523         .key_alloc =                    selinux_key_alloc,
 
5524         .key_free =                     selinux_key_free,
 
5525         .key_permission =               selinux_key_permission,
 
5526         .key_getsecurity =              selinux_key_getsecurity,
 
5530         .audit_rule_init =              selinux_audit_rule_init,
 
5531         .audit_rule_known =             selinux_audit_rule_known,
 
5532         .audit_rule_match =             selinux_audit_rule_match,
 
5533         .audit_rule_free =              selinux_audit_rule_free,
 
5537 static __init int selinux_init(void)
 
5539         struct task_security_struct *tsec;
 
5541         if (!security_module_enable(&selinux_ops)) {
 
5542                 selinux_enabled = 0;
 
5546         if (!selinux_enabled) {
 
5547                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
 
5551         printk(KERN_INFO "SELinux:  Initializing.\n");
 
5553         /* Set the security state for the initial task. */
 
5554         if (task_alloc_security(current))
 
5555                 panic("SELinux:  Failed to initialize initial task.\n");
 
5556         tsec = current->security;
 
5557         tsec->osid = tsec->sid = SECINITSID_KERNEL;
 
5559         sel_inode_cache = kmem_cache_create("selinux_inode_security",
 
5560                                             sizeof(struct inode_security_struct),
 
5561                                             0, SLAB_PANIC, NULL);
 
5564         secondary_ops = security_ops;
 
5566                 panic("SELinux: No initial security operations\n");
 
5567         if (register_security(&selinux_ops))
 
5568                 panic("SELinux: Unable to register with kernel.\n");
 
5570         if (selinux_enforcing)
 
5571                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
 
5573                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
 
5578 void selinux_complete_init(void)
 
5580         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
 
5582         /* Set up any superblocks initialized prior to the policy load. */
 
5583         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
 
5584         spin_lock(&sb_lock);
 
5585         spin_lock(&sb_security_lock);
 
5587         if (!list_empty(&superblock_security_head)) {
 
5588                 struct superblock_security_struct *sbsec =
 
5589                                 list_entry(superblock_security_head.next,
 
5590                                            struct superblock_security_struct,
 
5592                 struct super_block *sb = sbsec->sb;
 
5594                 spin_unlock(&sb_security_lock);
 
5595                 spin_unlock(&sb_lock);
 
5596                 down_read(&sb->s_umount);
 
5598                         superblock_doinit(sb, NULL);
 
5600                 spin_lock(&sb_lock);
 
5601                 spin_lock(&sb_security_lock);
 
5602                 list_del_init(&sbsec->list);
 
5605         spin_unlock(&sb_security_lock);
 
5606         spin_unlock(&sb_lock);
 
5609 /* SELinux requires early initialization in order to label
 
5610    all processes and objects when they are created. */
 
5611 security_initcall(selinux_init);
 
5613 #if defined(CONFIG_NETFILTER)
 
5615 static struct nf_hook_ops selinux_ipv4_ops[] = {
 
5617                 .hook =         selinux_ipv4_postroute,
 
5618                 .owner =        THIS_MODULE,
 
5620                 .hooknum =      NF_INET_POST_ROUTING,
 
5621                 .priority =     NF_IP_PRI_SELINUX_LAST,
 
5624                 .hook =         selinux_ipv4_forward,
 
5625                 .owner =        THIS_MODULE,
 
5627                 .hooknum =      NF_INET_FORWARD,
 
5628                 .priority =     NF_IP_PRI_SELINUX_FIRST,
 
5632 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 
5634 static struct nf_hook_ops selinux_ipv6_ops[] = {
 
5636                 .hook =         selinux_ipv6_postroute,
 
5637                 .owner =        THIS_MODULE,
 
5639                 .hooknum =      NF_INET_POST_ROUTING,
 
5640                 .priority =     NF_IP6_PRI_SELINUX_LAST,
 
5643                 .hook =         selinux_ipv6_forward,
 
5644                 .owner =        THIS_MODULE,
 
5646                 .hooknum =      NF_INET_FORWARD,
 
5647                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
 
5653 static int __init selinux_nf_ip_init(void)
 
5658         if (!selinux_enabled)
 
5661         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
 
5663         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
 
5664                 err = nf_register_hook(&selinux_ipv4_ops[iter]);
 
5666                         panic("SELinux: nf_register_hook for IPv4: error %d\n",
 
5670 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 
5671         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
 
5672                 err = nf_register_hook(&selinux_ipv6_ops[iter]);
 
5674                         panic("SELinux: nf_register_hook for IPv6: error %d\n",
 
5683 __initcall(selinux_nf_ip_init);
 
5685 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
 
5686 static void selinux_nf_ip_exit(void)
 
5690         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
 
5692         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
 
5693                 nf_unregister_hook(&selinux_ipv4_ops[iter]);
 
5694 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 
5695         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
 
5696                 nf_unregister_hook(&selinux_ipv6_ops[iter]);
 
5701 #else /* CONFIG_NETFILTER */
 
5703 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
 
5704 #define selinux_nf_ip_exit()
 
5707 #endif /* CONFIG_NETFILTER */
 
5709 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
 
5710 static int selinux_disabled;
 
5712 int selinux_disable(void)
 
5714         extern void exit_sel_fs(void);
 
5716         if (ss_initialized) {
 
5717                 /* Not permitted after initial policy load. */
 
5721         if (selinux_disabled) {
 
5722                 /* Only do this once. */
 
5726         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
 
5728         selinux_disabled = 1;
 
5729         selinux_enabled = 0;
 
5731         /* Reset security_ops to the secondary module, dummy or capability. */
 
5732         security_ops = secondary_ops;
 
5734         /* Unregister netfilter hooks. */
 
5735         selinux_nf_ip_exit();
 
5737         /* Unregister selinuxfs. */