2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul.moore@hp.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/file.h>
43 #include <linux/fdtable.h>
44 #include <linux/namei.h>
45 #include <linux/mount.h>
46 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78 #include <linux/posix-timers.h>
89 #define XATTR_SELINUX_SUFFIX "selinux"
90 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
92 #define NUM_SEL_MNT_OPTS 4
94 extern unsigned int policydb_loaded_version;
95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96 extern int selinux_compat_net;
97 extern struct security_operations *security_ops;
99 /* SECMARK reference count */
100 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing;
105 static int __init enforcing_setup(char *str)
107 unsigned long enforcing;
108 if (!strict_strtoul(str, 0, &enforcing))
109 selinux_enforcing = enforcing ? 1 : 0;
112 __setup("enforcing=", enforcing_setup);
115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118 static int __init selinux_enabled_setup(char *str)
120 unsigned long enabled;
121 if (!strict_strtoul(str, 0, &enabled))
122 selinux_enabled = enabled ? 1 : 0;
125 __setup("selinux=", selinux_enabled_setup);
127 int selinux_enabled = 1;
132 * Minimal support for a secondary security module,
133 * just to allow the use of the capability module.
135 static struct security_operations *secondary_ops;
137 /* Lists of inode and superblock security structures initialized
138 before the policy was loaded. */
139 static LIST_HEAD(superblock_security_head);
140 static DEFINE_SPINLOCK(sb_security_lock);
142 static struct kmem_cache *sel_inode_cache;
145 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
148 * This function checks the SECMARK reference counter to see if any SECMARK
149 * targets are currently configured, if the reference counter is greater than
150 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
151 * enabled, false (0) if SECMARK is disabled.
154 static int selinux_secmark_enabled(void)
156 return (atomic_read(&selinux_secmark_refcount) > 0);
160 * initialise the security for the init task
162 static void cred_init_security(void)
164 struct cred *cred = (struct cred *) current->real_cred;
165 struct task_security_struct *tsec;
167 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
169 panic("SELinux: Failed to initialize initial task.\n");
171 tsec->osid = tsec->sid = SECINITSID_KERNEL;
172 cred->security = tsec;
176 * get the security ID of a set of credentials
178 static inline u32 cred_sid(const struct cred *cred)
180 const struct task_security_struct *tsec;
182 tsec = cred->security;
187 * get the objective security ID of a task
189 static inline u32 task_sid(const struct task_struct *task)
194 sid = cred_sid(__task_cred(task));
200 * get the subjective security ID of the current task
202 static inline u32 current_sid(void)
204 const struct task_security_struct *tsec = current_cred()->security;
209 /* Allocate and free functions for each kind of security blob. */
211 static int inode_alloc_security(struct inode *inode)
213 struct inode_security_struct *isec;
214 u32 sid = current_sid();
216 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
220 mutex_init(&isec->lock);
221 INIT_LIST_HEAD(&isec->list);
223 isec->sid = SECINITSID_UNLABELED;
224 isec->sclass = SECCLASS_FILE;
225 isec->task_sid = sid;
226 inode->i_security = isec;
231 static void inode_free_security(struct inode *inode)
233 struct inode_security_struct *isec = inode->i_security;
234 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
236 spin_lock(&sbsec->isec_lock);
237 if (!list_empty(&isec->list))
238 list_del_init(&isec->list);
239 spin_unlock(&sbsec->isec_lock);
241 inode->i_security = NULL;
242 kmem_cache_free(sel_inode_cache, isec);
245 static int file_alloc_security(struct file *file)
247 struct file_security_struct *fsec;
248 u32 sid = current_sid();
250 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
255 fsec->fown_sid = sid;
256 file->f_security = fsec;
261 static void file_free_security(struct file *file)
263 struct file_security_struct *fsec = file->f_security;
264 file->f_security = NULL;
268 static int superblock_alloc_security(struct super_block *sb)
270 struct superblock_security_struct *sbsec;
272 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
276 mutex_init(&sbsec->lock);
277 INIT_LIST_HEAD(&sbsec->list);
278 INIT_LIST_HEAD(&sbsec->isec_head);
279 spin_lock_init(&sbsec->isec_lock);
281 sbsec->sid = SECINITSID_UNLABELED;
282 sbsec->def_sid = SECINITSID_FILE;
283 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
284 sb->s_security = sbsec;
289 static void superblock_free_security(struct super_block *sb)
291 struct superblock_security_struct *sbsec = sb->s_security;
293 spin_lock(&sb_security_lock);
294 if (!list_empty(&sbsec->list))
295 list_del_init(&sbsec->list);
296 spin_unlock(&sb_security_lock);
298 sb->s_security = NULL;
302 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
304 struct sk_security_struct *ssec;
306 ssec = kzalloc(sizeof(*ssec), priority);
310 ssec->peer_sid = SECINITSID_UNLABELED;
311 ssec->sid = SECINITSID_UNLABELED;
312 sk->sk_security = ssec;
314 selinux_netlbl_sk_security_reset(ssec, family);
319 static void sk_free_security(struct sock *sk)
321 struct sk_security_struct *ssec = sk->sk_security;
323 sk->sk_security = NULL;
324 selinux_netlbl_sk_security_free(ssec);
328 /* The security server must be initialized before
329 any labeling or access decisions can be provided. */
330 extern int ss_initialized;
332 /* The file system's label must be initialized prior to use. */
334 static char *labeling_behaviors[6] = {
336 "uses transition SIDs",
338 "uses genfs_contexts",
339 "not configured for labeling",
340 "uses mountpoint labeling",
343 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
345 static inline int inode_doinit(struct inode *inode)
347 return inode_doinit_with_dentry(inode, NULL);
358 static const match_table_t tokens = {
359 {Opt_context, CONTEXT_STR "%s"},
360 {Opt_fscontext, FSCONTEXT_STR "%s"},
361 {Opt_defcontext, DEFCONTEXT_STR "%s"},
362 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
366 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
368 static int may_context_mount_sb_relabel(u32 sid,
369 struct superblock_security_struct *sbsec,
370 const struct cred *cred)
372 const struct task_security_struct *tsec = cred->security;
375 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
376 FILESYSTEM__RELABELFROM, NULL);
380 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
381 FILESYSTEM__RELABELTO, NULL);
385 static int may_context_mount_inode_relabel(u32 sid,
386 struct superblock_security_struct *sbsec,
387 const struct cred *cred)
389 const struct task_security_struct *tsec = cred->security;
391 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
392 FILESYSTEM__RELABELFROM, NULL);
396 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
397 FILESYSTEM__ASSOCIATE, NULL);
401 static int sb_finish_set_opts(struct super_block *sb)
403 struct superblock_security_struct *sbsec = sb->s_security;
404 struct dentry *root = sb->s_root;
405 struct inode *root_inode = root->d_inode;
408 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
409 /* Make sure that the xattr handler exists and that no
410 error other than -ENODATA is returned by getxattr on
411 the root directory. -ENODATA is ok, as this may be
412 the first boot of the SELinux kernel before we have
413 assigned xattr values to the filesystem. */
414 if (!root_inode->i_op->getxattr) {
415 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
416 "xattr support\n", sb->s_id, sb->s_type->name);
420 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
421 if (rc < 0 && rc != -ENODATA) {
422 if (rc == -EOPNOTSUPP)
423 printk(KERN_WARNING "SELinux: (dev %s, type "
424 "%s) has no security xattr handler\n",
425 sb->s_id, sb->s_type->name);
427 printk(KERN_WARNING "SELinux: (dev %s, type "
428 "%s) getxattr errno %d\n", sb->s_id,
429 sb->s_type->name, -rc);
434 sbsec->flags |= SE_SBINITIALIZED;
436 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
437 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
438 sb->s_id, sb->s_type->name);
440 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
441 sb->s_id, sb->s_type->name,
442 labeling_behaviors[sbsec->behavior-1]);
444 /* Initialize the root inode. */
445 rc = inode_doinit_with_dentry(root_inode, root);
447 /* Initialize any other inodes associated with the superblock, e.g.
448 inodes created prior to initial policy load or inodes created
449 during get_sb by a pseudo filesystem that directly
451 spin_lock(&sbsec->isec_lock);
453 if (!list_empty(&sbsec->isec_head)) {
454 struct inode_security_struct *isec =
455 list_entry(sbsec->isec_head.next,
456 struct inode_security_struct, list);
457 struct inode *inode = isec->inode;
458 spin_unlock(&sbsec->isec_lock);
459 inode = igrab(inode);
461 if (!IS_PRIVATE(inode))
465 spin_lock(&sbsec->isec_lock);
466 list_del_init(&isec->list);
469 spin_unlock(&sbsec->isec_lock);
475 * This function should allow an FS to ask what it's mount security
476 * options were so it can use those later for submounts, displaying
477 * mount options, or whatever.
479 static int selinux_get_mnt_opts(const struct super_block *sb,
480 struct security_mnt_opts *opts)
483 struct superblock_security_struct *sbsec = sb->s_security;
484 char *context = NULL;
488 security_init_mnt_opts(opts);
490 if (!(sbsec->flags & SE_SBINITIALIZED))
496 tmp = sbsec->flags & SE_MNTMASK;
497 /* count the number of mount options for this sb */
498 for (i = 0; i < 8; i++) {
500 opts->num_mnt_opts++;
504 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
505 if (!opts->mnt_opts) {
510 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
511 if (!opts->mnt_opts_flags) {
517 if (sbsec->flags & FSCONTEXT_MNT) {
518 rc = security_sid_to_context(sbsec->sid, &context, &len);
521 opts->mnt_opts[i] = context;
522 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
524 if (sbsec->flags & CONTEXT_MNT) {
525 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
528 opts->mnt_opts[i] = context;
529 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
531 if (sbsec->flags & DEFCONTEXT_MNT) {
532 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
535 opts->mnt_opts[i] = context;
536 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
538 if (sbsec->flags & ROOTCONTEXT_MNT) {
539 struct inode *root = sbsec->sb->s_root->d_inode;
540 struct inode_security_struct *isec = root->i_security;
542 rc = security_sid_to_context(isec->sid, &context, &len);
545 opts->mnt_opts[i] = context;
546 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
549 BUG_ON(i != opts->num_mnt_opts);
554 security_free_mnt_opts(opts);
558 static int bad_option(struct superblock_security_struct *sbsec, char flag,
559 u32 old_sid, u32 new_sid)
561 char mnt_flags = sbsec->flags & SE_MNTMASK;
563 /* check if the old mount command had the same options */
564 if (sbsec->flags & SE_SBINITIALIZED)
565 if (!(sbsec->flags & flag) ||
566 (old_sid != new_sid))
569 /* check if we were passed the same options twice,
570 * aka someone passed context=a,context=b
572 if (!(sbsec->flags & SE_SBINITIALIZED))
573 if (mnt_flags & flag)
579 * Allow filesystems with binary mount data to explicitly set mount point
580 * labeling information.
582 static int selinux_set_mnt_opts(struct super_block *sb,
583 struct security_mnt_opts *opts)
585 const struct cred *cred = current_cred();
587 struct superblock_security_struct *sbsec = sb->s_security;
588 const char *name = sb->s_type->name;
589 struct inode *inode = sbsec->sb->s_root->d_inode;
590 struct inode_security_struct *root_isec = inode->i_security;
591 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
592 u32 defcontext_sid = 0;
593 char **mount_options = opts->mnt_opts;
594 int *flags = opts->mnt_opts_flags;
595 int num_opts = opts->num_mnt_opts;
597 mutex_lock(&sbsec->lock);
599 if (!ss_initialized) {
601 /* Defer initialization until selinux_complete_init,
602 after the initial policy is loaded and the security
603 server is ready to handle calls. */
604 spin_lock(&sb_security_lock);
605 if (list_empty(&sbsec->list))
606 list_add(&sbsec->list, &superblock_security_head);
607 spin_unlock(&sb_security_lock);
611 printk(KERN_WARNING "SELinux: Unable to set superblock options "
612 "before the security server is initialized\n");
617 * Binary mount data FS will come through this function twice. Once
618 * from an explicit call and once from the generic calls from the vfs.
619 * Since the generic VFS calls will not contain any security mount data
620 * we need to skip the double mount verification.
622 * This does open a hole in which we will not notice if the first
623 * mount using this sb set explict options and a second mount using
624 * this sb does not set any security options. (The first options
625 * will be used for both mounts)
627 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
632 * parse the mount options, check if they are valid sids.
633 * also check if someone is trying to mount the same sb more
634 * than once with different security options.
636 for (i = 0; i < num_opts; i++) {
638 rc = security_context_to_sid(mount_options[i],
639 strlen(mount_options[i]), &sid);
641 printk(KERN_WARNING "SELinux: security_context_to_sid"
642 "(%s) failed for (dev %s, type %s) errno=%d\n",
643 mount_options[i], sb->s_id, name, rc);
650 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
652 goto out_double_mount;
654 sbsec->flags |= FSCONTEXT_MNT;
659 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
661 goto out_double_mount;
663 sbsec->flags |= CONTEXT_MNT;
665 case ROOTCONTEXT_MNT:
666 rootcontext_sid = sid;
668 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
670 goto out_double_mount;
672 sbsec->flags |= ROOTCONTEXT_MNT;
676 defcontext_sid = sid;
678 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
680 goto out_double_mount;
682 sbsec->flags |= DEFCONTEXT_MNT;
691 if (sbsec->flags & SE_SBINITIALIZED) {
692 /* previously mounted with options, but not on this attempt? */
693 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
694 goto out_double_mount;
699 if (strcmp(sb->s_type->name, "proc") == 0)
700 sbsec->flags |= SE_SBPROC;
702 /* Determine the labeling behavior to use for this filesystem type. */
703 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
705 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
706 __func__, sb->s_type->name, rc);
710 /* sets the context of the superblock for the fs being mounted. */
712 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
716 sbsec->sid = fscontext_sid;
720 * Switch to using mount point labeling behavior.
721 * sets the label used on all file below the mountpoint, and will set
722 * the superblock context if not already set.
725 if (!fscontext_sid) {
726 rc = may_context_mount_sb_relabel(context_sid, sbsec,
730 sbsec->sid = context_sid;
732 rc = may_context_mount_inode_relabel(context_sid, sbsec,
737 if (!rootcontext_sid)
738 rootcontext_sid = context_sid;
740 sbsec->mntpoint_sid = context_sid;
741 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
744 if (rootcontext_sid) {
745 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
750 root_isec->sid = rootcontext_sid;
751 root_isec->initialized = 1;
754 if (defcontext_sid) {
755 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
757 printk(KERN_WARNING "SELinux: defcontext option is "
758 "invalid for this filesystem type\n");
762 if (defcontext_sid != sbsec->def_sid) {
763 rc = may_context_mount_inode_relabel(defcontext_sid,
769 sbsec->def_sid = defcontext_sid;
772 rc = sb_finish_set_opts(sb);
774 mutex_unlock(&sbsec->lock);
778 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
779 "security settings for (dev %s, type %s)\n", sb->s_id, name);
783 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
784 struct super_block *newsb)
786 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
787 struct superblock_security_struct *newsbsec = newsb->s_security;
789 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
790 int set_context = (oldsbsec->flags & CONTEXT_MNT);
791 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
794 * if the parent was able to be mounted it clearly had no special lsm
795 * mount options. thus we can safely put this sb on the list and deal
798 if (!ss_initialized) {
799 spin_lock(&sb_security_lock);
800 if (list_empty(&newsbsec->list))
801 list_add(&newsbsec->list, &superblock_security_head);
802 spin_unlock(&sb_security_lock);
806 /* how can we clone if the old one wasn't set up?? */
807 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
809 /* if fs is reusing a sb, just let its options stand... */
810 if (newsbsec->flags & SE_SBINITIALIZED)
813 mutex_lock(&newsbsec->lock);
815 newsbsec->flags = oldsbsec->flags;
817 newsbsec->sid = oldsbsec->sid;
818 newsbsec->def_sid = oldsbsec->def_sid;
819 newsbsec->behavior = oldsbsec->behavior;
822 u32 sid = oldsbsec->mntpoint_sid;
826 if (!set_rootcontext) {
827 struct inode *newinode = newsb->s_root->d_inode;
828 struct inode_security_struct *newisec = newinode->i_security;
831 newsbsec->mntpoint_sid = sid;
833 if (set_rootcontext) {
834 const struct inode *oldinode = oldsb->s_root->d_inode;
835 const struct inode_security_struct *oldisec = oldinode->i_security;
836 struct inode *newinode = newsb->s_root->d_inode;
837 struct inode_security_struct *newisec = newinode->i_security;
839 newisec->sid = oldisec->sid;
842 sb_finish_set_opts(newsb);
843 mutex_unlock(&newsbsec->lock);
846 static int selinux_parse_opts_str(char *options,
847 struct security_mnt_opts *opts)
850 char *context = NULL, *defcontext = NULL;
851 char *fscontext = NULL, *rootcontext = NULL;
852 int rc, num_mnt_opts = 0;
854 opts->num_mnt_opts = 0;
856 /* Standard string-based options. */
857 while ((p = strsep(&options, "|")) != NULL) {
859 substring_t args[MAX_OPT_ARGS];
864 token = match_token(p, tokens, args);
868 if (context || defcontext) {
870 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
873 context = match_strdup(&args[0]);
883 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
886 fscontext = match_strdup(&args[0]);
893 case Opt_rootcontext:
896 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
899 rootcontext = match_strdup(&args[0]);
907 if (context || defcontext) {
909 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
912 defcontext = match_strdup(&args[0]);
921 printk(KERN_WARNING "SELinux: unknown mount option\n");
928 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
932 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
933 if (!opts->mnt_opts_flags) {
934 kfree(opts->mnt_opts);
939 opts->mnt_opts[num_mnt_opts] = fscontext;
940 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
943 opts->mnt_opts[num_mnt_opts] = context;
944 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
947 opts->mnt_opts[num_mnt_opts] = rootcontext;
948 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
951 opts->mnt_opts[num_mnt_opts] = defcontext;
952 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
955 opts->num_mnt_opts = num_mnt_opts;
966 * string mount options parsing and call set the sbsec
968 static int superblock_doinit(struct super_block *sb, void *data)
971 char *options = data;
972 struct security_mnt_opts opts;
974 security_init_mnt_opts(&opts);
979 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
981 rc = selinux_parse_opts_str(options, &opts);
986 rc = selinux_set_mnt_opts(sb, &opts);
989 security_free_mnt_opts(&opts);
993 static void selinux_write_opts(struct seq_file *m,
994 struct security_mnt_opts *opts)
999 for (i = 0; i < opts->num_mnt_opts; i++) {
1000 char *has_comma = strchr(opts->mnt_opts[i], ',');
1002 switch (opts->mnt_opts_flags[i]) {
1004 prefix = CONTEXT_STR;
1007 prefix = FSCONTEXT_STR;
1009 case ROOTCONTEXT_MNT:
1010 prefix = ROOTCONTEXT_STR;
1012 case DEFCONTEXT_MNT:
1013 prefix = DEFCONTEXT_STR;
1018 /* we need a comma before each option */
1020 seq_puts(m, prefix);
1023 seq_puts(m, opts->mnt_opts[i]);
1029 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1031 struct security_mnt_opts opts;
1034 rc = selinux_get_mnt_opts(sb, &opts);
1036 /* before policy load we may get EINVAL, don't show anything */
1042 selinux_write_opts(m, &opts);
1044 security_free_mnt_opts(&opts);
1049 static inline u16 inode_mode_to_security_class(umode_t mode)
1051 switch (mode & S_IFMT) {
1053 return SECCLASS_SOCK_FILE;
1055 return SECCLASS_LNK_FILE;
1057 return SECCLASS_FILE;
1059 return SECCLASS_BLK_FILE;
1061 return SECCLASS_DIR;
1063 return SECCLASS_CHR_FILE;
1065 return SECCLASS_FIFO_FILE;
1069 return SECCLASS_FILE;
1072 static inline int default_protocol_stream(int protocol)
1074 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1077 static inline int default_protocol_dgram(int protocol)
1079 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1082 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1088 case SOCK_SEQPACKET:
1089 return SECCLASS_UNIX_STREAM_SOCKET;
1091 return SECCLASS_UNIX_DGRAM_SOCKET;
1098 if (default_protocol_stream(protocol))
1099 return SECCLASS_TCP_SOCKET;
1101 return SECCLASS_RAWIP_SOCKET;
1103 if (default_protocol_dgram(protocol))
1104 return SECCLASS_UDP_SOCKET;
1106 return SECCLASS_RAWIP_SOCKET;
1108 return SECCLASS_DCCP_SOCKET;
1110 return SECCLASS_RAWIP_SOCKET;
1116 return SECCLASS_NETLINK_ROUTE_SOCKET;
1117 case NETLINK_FIREWALL:
1118 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1119 case NETLINK_INET_DIAG:
1120 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1122 return SECCLASS_NETLINK_NFLOG_SOCKET;
1124 return SECCLASS_NETLINK_XFRM_SOCKET;
1125 case NETLINK_SELINUX:
1126 return SECCLASS_NETLINK_SELINUX_SOCKET;
1128 return SECCLASS_NETLINK_AUDIT_SOCKET;
1129 case NETLINK_IP6_FW:
1130 return SECCLASS_NETLINK_IP6FW_SOCKET;
1131 case NETLINK_DNRTMSG:
1132 return SECCLASS_NETLINK_DNRT_SOCKET;
1133 case NETLINK_KOBJECT_UEVENT:
1134 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1136 return SECCLASS_NETLINK_SOCKET;
1139 return SECCLASS_PACKET_SOCKET;
1141 return SECCLASS_KEY_SOCKET;
1143 return SECCLASS_APPLETALK_SOCKET;
1146 return SECCLASS_SOCKET;
1149 #ifdef CONFIG_PROC_FS
1150 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1155 char *buffer, *path, *end;
1157 buffer = (char *)__get_free_page(GFP_KERNEL);
1162 end = buffer+buflen;
1167 while (de && de != de->parent) {
1168 buflen -= de->namelen + 1;
1172 memcpy(end, de->name, de->namelen);
1177 rc = security_genfs_sid("proc", path, tclass, sid);
1178 free_page((unsigned long)buffer);
1182 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1190 /* The inode's security attributes must be initialized before first use. */
1191 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1193 struct superblock_security_struct *sbsec = NULL;
1194 struct inode_security_struct *isec = inode->i_security;
1196 struct dentry *dentry;
1197 #define INITCONTEXTLEN 255
1198 char *context = NULL;
1202 if (isec->initialized)
1205 mutex_lock(&isec->lock);
1206 if (isec->initialized)
1209 sbsec = inode->i_sb->s_security;
1210 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1211 /* Defer initialization until selinux_complete_init,
1212 after the initial policy is loaded and the security
1213 server is ready to handle calls. */
1214 spin_lock(&sbsec->isec_lock);
1215 if (list_empty(&isec->list))
1216 list_add(&isec->list, &sbsec->isec_head);
1217 spin_unlock(&sbsec->isec_lock);
1221 switch (sbsec->behavior) {
1222 case SECURITY_FS_USE_XATTR:
1223 if (!inode->i_op->getxattr) {
1224 isec->sid = sbsec->def_sid;
1228 /* Need a dentry, since the xattr API requires one.
1229 Life would be simpler if we could just pass the inode. */
1231 /* Called from d_instantiate or d_splice_alias. */
1232 dentry = dget(opt_dentry);
1234 /* Called from selinux_complete_init, try to find a dentry. */
1235 dentry = d_find_alias(inode);
1238 printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
1239 "ino=%ld\n", __func__, inode->i_sb->s_id,
1244 len = INITCONTEXTLEN;
1245 context = kmalloc(len, GFP_NOFS);
1251 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1253 if (rc == -ERANGE) {
1254 /* Need a larger buffer. Query for the right size. */
1255 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1263 context = kmalloc(len, GFP_NOFS);
1269 rc = inode->i_op->getxattr(dentry,
1275 if (rc != -ENODATA) {
1276 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1277 "%d for dev=%s ino=%ld\n", __func__,
1278 -rc, inode->i_sb->s_id, inode->i_ino);
1282 /* Map ENODATA to the default file SID */
1283 sid = sbsec->def_sid;
1286 rc = security_context_to_sid_default(context, rc, &sid,
1290 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1291 "returned %d for dev=%s ino=%ld\n",
1292 __func__, context, -rc,
1293 inode->i_sb->s_id, inode->i_ino);
1295 /* Leave with the unlabeled SID */
1303 case SECURITY_FS_USE_TASK:
1304 isec->sid = isec->task_sid;
1306 case SECURITY_FS_USE_TRANS:
1307 /* Default to the fs SID. */
1308 isec->sid = sbsec->sid;
1310 /* Try to obtain a transition SID. */
1311 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1312 rc = security_transition_sid(isec->task_sid,
1320 case SECURITY_FS_USE_MNTPOINT:
1321 isec->sid = sbsec->mntpoint_sid;
1324 /* Default to the fs superblock SID. */
1325 isec->sid = sbsec->sid;
1327 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1328 struct proc_inode *proci = PROC_I(inode);
1330 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1331 rc = selinux_proc_get_sid(proci->pde,
1342 isec->initialized = 1;
1345 mutex_unlock(&isec->lock);
1347 if (isec->sclass == SECCLASS_FILE)
1348 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1352 /* Convert a Linux signal to an access vector. */
1353 static inline u32 signal_to_av(int sig)
1359 /* Commonly granted from child to parent. */
1360 perm = PROCESS__SIGCHLD;
1363 /* Cannot be caught or ignored */
1364 perm = PROCESS__SIGKILL;
1367 /* Cannot be caught or ignored */
1368 perm = PROCESS__SIGSTOP;
1371 /* All other signals. */
1372 perm = PROCESS__SIGNAL;
1380 * Check permission between a pair of credentials
1381 * fork check, ptrace check, etc.
1383 static int cred_has_perm(const struct cred *actor,
1384 const struct cred *target,
1387 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1389 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1393 * Check permission between a pair of tasks, e.g. signal checks,
1394 * fork check, ptrace check, etc.
1395 * tsk1 is the actor and tsk2 is the target
1396 * - this uses the default subjective creds of tsk1
1398 static int task_has_perm(const struct task_struct *tsk1,
1399 const struct task_struct *tsk2,
1402 const struct task_security_struct *__tsec1, *__tsec2;
1406 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1407 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1409 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1413 * Check permission between current and another task, e.g. signal checks,
1414 * fork check, ptrace check, etc.
1415 * current is the actor and tsk2 is the target
1416 * - this uses current's subjective creds
1418 static int current_has_perm(const struct task_struct *tsk,
1423 sid = current_sid();
1424 tsid = task_sid(tsk);
1425 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1428 #if CAP_LAST_CAP > 63
1429 #error Fix SELinux to handle capabilities > 63.
1432 /* Check whether a task is allowed to use a capability. */
1433 static int task_has_capability(struct task_struct *tsk,
1434 const struct cred *cred,
1437 struct avc_audit_data ad;
1438 struct av_decision avd;
1440 u32 sid = cred_sid(cred);
1441 u32 av = CAP_TO_MASK(cap);
1444 AVC_AUDIT_DATA_INIT(&ad, CAP);
1448 switch (CAP_TO_INDEX(cap)) {
1450 sclass = SECCLASS_CAPABILITY;
1453 sclass = SECCLASS_CAPABILITY2;
1457 "SELinux: out of range capability %d\n", cap);
1461 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1462 if (audit == SECURITY_CAP_AUDIT)
1463 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1467 /* Check whether a task is allowed to use a system operation. */
1468 static int task_has_system(struct task_struct *tsk,
1471 u32 sid = task_sid(tsk);
1473 return avc_has_perm(sid, SECINITSID_KERNEL,
1474 SECCLASS_SYSTEM, perms, NULL);
1477 /* Check whether a task has a particular permission to an inode.
1478 The 'adp' parameter is optional and allows other audit
1479 data to be passed (e.g. the dentry). */
1480 static int inode_has_perm(const struct cred *cred,
1481 struct inode *inode,
1483 struct avc_audit_data *adp)
1485 struct inode_security_struct *isec;
1486 struct avc_audit_data ad;
1489 if (unlikely(IS_PRIVATE(inode)))
1492 sid = cred_sid(cred);
1493 isec = inode->i_security;
1497 AVC_AUDIT_DATA_INIT(&ad, FS);
1498 ad.u.fs.inode = inode;
1501 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1504 /* Same as inode_has_perm, but pass explicit audit data containing
1505 the dentry to help the auditing code to more easily generate the
1506 pathname if needed. */
1507 static inline int dentry_has_perm(const struct cred *cred,
1508 struct vfsmount *mnt,
1509 struct dentry *dentry,
1512 struct inode *inode = dentry->d_inode;
1513 struct avc_audit_data ad;
1515 AVC_AUDIT_DATA_INIT(&ad, FS);
1516 ad.u.fs.path.mnt = mnt;
1517 ad.u.fs.path.dentry = dentry;
1518 return inode_has_perm(cred, inode, av, &ad);
1521 /* Check whether a task can use an open file descriptor to
1522 access an inode in a given way. Check access to the
1523 descriptor itself, and then use dentry_has_perm to
1524 check a particular permission to the file.
1525 Access to the descriptor is implicitly granted if it
1526 has the same SID as the process. If av is zero, then
1527 access to the file is not checked, e.g. for cases
1528 where only the descriptor is affected like seek. */
1529 static int file_has_perm(const struct cred *cred,
1533 struct file_security_struct *fsec = file->f_security;
1534 struct inode *inode = file->f_path.dentry->d_inode;
1535 struct avc_audit_data ad;
1536 u32 sid = cred_sid(cred);
1539 AVC_AUDIT_DATA_INIT(&ad, FS);
1540 ad.u.fs.path = file->f_path;
1542 if (sid != fsec->sid) {
1543 rc = avc_has_perm(sid, fsec->sid,
1551 /* av is zero if only checking access to the descriptor. */
1554 rc = inode_has_perm(cred, inode, av, &ad);
1560 /* Check whether a task can create a file. */
1561 static int may_create(struct inode *dir,
1562 struct dentry *dentry,
1565 const struct cred *cred = current_cred();
1566 const struct task_security_struct *tsec = cred->security;
1567 struct inode_security_struct *dsec;
1568 struct superblock_security_struct *sbsec;
1570 struct avc_audit_data ad;
1573 dsec = dir->i_security;
1574 sbsec = dir->i_sb->s_security;
1577 newsid = tsec->create_sid;
1579 AVC_AUDIT_DATA_INIT(&ad, FS);
1580 ad.u.fs.path.dentry = dentry;
1582 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1583 DIR__ADD_NAME | DIR__SEARCH,
1588 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
1589 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1594 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1598 return avc_has_perm(newsid, sbsec->sid,
1599 SECCLASS_FILESYSTEM,
1600 FILESYSTEM__ASSOCIATE, &ad);
1603 /* Check whether a task can create a key. */
1604 static int may_create_key(u32 ksid,
1605 struct task_struct *ctx)
1607 u32 sid = task_sid(ctx);
1609 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1613 #define MAY_UNLINK 1
1616 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1617 static int may_link(struct inode *dir,
1618 struct dentry *dentry,
1622 struct inode_security_struct *dsec, *isec;
1623 struct avc_audit_data ad;
1624 u32 sid = current_sid();
1628 dsec = dir->i_security;
1629 isec = dentry->d_inode->i_security;
1631 AVC_AUDIT_DATA_INIT(&ad, FS);
1632 ad.u.fs.path.dentry = dentry;
1635 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1636 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1651 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1656 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1660 static inline int may_rename(struct inode *old_dir,
1661 struct dentry *old_dentry,
1662 struct inode *new_dir,
1663 struct dentry *new_dentry)
1665 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1666 struct avc_audit_data ad;
1667 u32 sid = current_sid();
1669 int old_is_dir, new_is_dir;
1672 old_dsec = old_dir->i_security;
1673 old_isec = old_dentry->d_inode->i_security;
1674 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1675 new_dsec = new_dir->i_security;
1677 AVC_AUDIT_DATA_INIT(&ad, FS);
1679 ad.u.fs.path.dentry = old_dentry;
1680 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1681 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1684 rc = avc_has_perm(sid, old_isec->sid,
1685 old_isec->sclass, FILE__RENAME, &ad);
1688 if (old_is_dir && new_dir != old_dir) {
1689 rc = avc_has_perm(sid, old_isec->sid,
1690 old_isec->sclass, DIR__REPARENT, &ad);
1695 ad.u.fs.path.dentry = new_dentry;
1696 av = DIR__ADD_NAME | DIR__SEARCH;
1697 if (new_dentry->d_inode)
1698 av |= DIR__REMOVE_NAME;
1699 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1702 if (new_dentry->d_inode) {
1703 new_isec = new_dentry->d_inode->i_security;
1704 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1705 rc = avc_has_perm(sid, new_isec->sid,
1707 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1715 /* Check whether a task can perform a filesystem operation. */
1716 static int superblock_has_perm(const struct cred *cred,
1717 struct super_block *sb,
1719 struct avc_audit_data *ad)
1721 struct superblock_security_struct *sbsec;
1722 u32 sid = cred_sid(cred);
1724 sbsec = sb->s_security;
1725 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1728 /* Convert a Linux mode and permission mask to an access vector. */
1729 static inline u32 file_mask_to_av(int mode, int mask)
1733 if ((mode & S_IFMT) != S_IFDIR) {
1734 if (mask & MAY_EXEC)
1735 av |= FILE__EXECUTE;
1736 if (mask & MAY_READ)
1739 if (mask & MAY_APPEND)
1741 else if (mask & MAY_WRITE)
1745 if (mask & MAY_EXEC)
1747 if (mask & MAY_WRITE)
1749 if (mask & MAY_READ)
1756 /* Convert a Linux file to an access vector. */
1757 static inline u32 file_to_av(struct file *file)
1761 if (file->f_mode & FMODE_READ)
1763 if (file->f_mode & FMODE_WRITE) {
1764 if (file->f_flags & O_APPEND)
1771 * Special file opened with flags 3 for ioctl-only use.
1780 * Convert a file to an access vector and include the correct open
1783 static inline u32 open_file_to_av(struct file *file)
1785 u32 av = file_to_av(file);
1787 if (selinux_policycap_openperm) {
1788 mode_t mode = file->f_path.dentry->d_inode->i_mode;
1790 * lnk files and socks do not really have an 'open'
1794 else if (S_ISCHR(mode))
1795 av |= CHR_FILE__OPEN;
1796 else if (S_ISBLK(mode))
1797 av |= BLK_FILE__OPEN;
1798 else if (S_ISFIFO(mode))
1799 av |= FIFO_FILE__OPEN;
1800 else if (S_ISDIR(mode))
1803 printk(KERN_ERR "SELinux: WARNING: inside %s with "
1804 "unknown mode:%o\n", __func__, mode);
1809 /* Hook functions begin here. */
1811 static int selinux_ptrace_may_access(struct task_struct *child,
1816 rc = secondary_ops->ptrace_may_access(child, mode);
1820 if (mode == PTRACE_MODE_READ) {
1821 u32 sid = current_sid();
1822 u32 csid = task_sid(child);
1823 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1826 return current_has_perm(child, PROCESS__PTRACE);
1829 static int selinux_ptrace_traceme(struct task_struct *parent)
1833 rc = secondary_ops->ptrace_traceme(parent);
1837 return task_has_perm(parent, current, PROCESS__PTRACE);
1840 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1841 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1845 error = current_has_perm(target, PROCESS__GETCAP);
1849 return secondary_ops->capget(target, effective, inheritable, permitted);
1852 static int selinux_capset(struct cred *new, const struct cred *old,
1853 const kernel_cap_t *effective,
1854 const kernel_cap_t *inheritable,
1855 const kernel_cap_t *permitted)
1859 error = secondary_ops->capset(new, old,
1860 effective, inheritable, permitted);
1864 return cred_has_perm(old, new, PROCESS__SETCAP);
1867 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1872 rc = secondary_ops->capable(tsk, cred, cap, audit);
1876 return task_has_capability(tsk, cred, cap, audit);
1879 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1882 char *buffer, *path, *end;
1885 buffer = (char *)__get_free_page(GFP_KERNEL);
1890 end = buffer+buflen;
1896 const char *name = table->procname;
1897 size_t namelen = strlen(name);
1898 buflen -= namelen + 1;
1902 memcpy(end, name, namelen);
1905 table = table->parent;
1911 memcpy(end, "/sys", 4);
1913 rc = security_genfs_sid("proc", path, tclass, sid);
1915 free_page((unsigned long)buffer);
1920 static int selinux_sysctl(ctl_table *table, int op)
1927 rc = secondary_ops->sysctl(table, op);
1931 sid = current_sid();
1933 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1934 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1936 /* Default to the well-defined sysctl SID. */
1937 tsid = SECINITSID_SYSCTL;
1940 /* The op values are "defined" in sysctl.c, thereby creating
1941 * a bad coupling between this module and sysctl.c */
1943 error = avc_has_perm(sid, tsid,
1944 SECCLASS_DIR, DIR__SEARCH, NULL);
1952 error = avc_has_perm(sid, tsid,
1953 SECCLASS_FILE, av, NULL);
1959 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1961 const struct cred *cred = current_cred();
1973 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1978 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1981 rc = 0; /* let the kernel handle invalid cmds */
1987 static int selinux_quota_on(struct dentry *dentry)
1989 const struct cred *cred = current_cred();
1991 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1994 static int selinux_syslog(int type)
1998 rc = secondary_ops->syslog(type);
2003 case 3: /* Read last kernel messages */
2004 case 10: /* Return size of the log buffer */
2005 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2007 case 6: /* Disable logging to console */
2008 case 7: /* Enable logging to console */
2009 case 8: /* Set level of messages printed to console */
2010 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2012 case 0: /* Close log */
2013 case 1: /* Open log */
2014 case 2: /* Read from log */
2015 case 4: /* Read/clear last kernel messages */
2016 case 5: /* Clear ring buffer */
2018 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2025 * Check that a process has enough memory to allocate a new virtual
2026 * mapping. 0 means there is enough memory for the allocation to
2027 * succeed and -ENOMEM implies there is not.
2029 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
2030 * if the capability is granted, but __vm_enough_memory requires 1 if
2031 * the capability is granted.
2033 * Do not audit the selinux permission check, as this is applied to all
2034 * processes that allocate mappings.
2036 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2038 int rc, cap_sys_admin = 0;
2040 rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
2041 SECURITY_CAP_NOAUDIT);
2045 return __vm_enough_memory(mm, pages, cap_sys_admin);
2048 /* binprm security operations */
2050 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2052 const struct task_security_struct *old_tsec;
2053 struct task_security_struct *new_tsec;
2054 struct inode_security_struct *isec;
2055 struct avc_audit_data ad;
2056 struct inode *inode = bprm->file->f_path.dentry->d_inode;
2059 rc = secondary_ops->bprm_set_creds(bprm);
2063 /* SELinux context only depends on initial program or script and not
2064 * the script interpreter */
2065 if (bprm->cred_prepared)
2068 old_tsec = current_security();
2069 new_tsec = bprm->cred->security;
2070 isec = inode->i_security;
2072 /* Default to the current task SID. */
2073 new_tsec->sid = old_tsec->sid;
2074 new_tsec->osid = old_tsec->sid;
2076 /* Reset fs, key, and sock SIDs on execve. */
2077 new_tsec->create_sid = 0;
2078 new_tsec->keycreate_sid = 0;
2079 new_tsec->sockcreate_sid = 0;
2081 if (old_tsec->exec_sid) {
2082 new_tsec->sid = old_tsec->exec_sid;
2083 /* Reset exec SID on execve. */
2084 new_tsec->exec_sid = 0;
2086 /* Check for a default transition on this program. */
2087 rc = security_transition_sid(old_tsec->sid, isec->sid,
2088 SECCLASS_PROCESS, &new_tsec->sid);
2093 AVC_AUDIT_DATA_INIT(&ad, FS);
2094 ad.u.fs.path = bprm->file->f_path;
2096 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2097 new_tsec->sid = old_tsec->sid;
2099 if (new_tsec->sid == old_tsec->sid) {
2100 rc = avc_has_perm(old_tsec->sid, isec->sid,
2101 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2105 /* Check permissions for the transition. */
2106 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2107 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2111 rc = avc_has_perm(new_tsec->sid, isec->sid,
2112 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2116 /* Check for shared state */
2117 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2118 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2119 SECCLASS_PROCESS, PROCESS__SHARE,
2125 /* Make sure that anyone attempting to ptrace over a task that
2126 * changes its SID has the appropriate permit */
2128 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2129 struct task_struct *tracer;
2130 struct task_security_struct *sec;
2134 tracer = tracehook_tracer_task(current);
2135 if (likely(tracer != NULL)) {
2136 sec = __task_cred(tracer)->security;
2142 rc = avc_has_perm(ptsid, new_tsec->sid,
2144 PROCESS__PTRACE, NULL);
2150 /* Clear any possibly unsafe personality bits on exec: */
2151 bprm->per_clear |= PER_CLEAR_ON_SETID;
2157 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2159 return secondary_ops->bprm_check_security(bprm);
2162 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2164 const struct cred *cred = current_cred();
2165 const struct task_security_struct *tsec = cred->security;
2173 /* Enable secure mode for SIDs transitions unless
2174 the noatsecure permission is granted between
2175 the two SIDs, i.e. ahp returns 0. */
2176 atsecure = avc_has_perm(osid, sid,
2178 PROCESS__NOATSECURE, NULL);
2181 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2184 extern struct vfsmount *selinuxfs_mount;
2185 extern struct dentry *selinux_null;
2187 /* Derived from fs/exec.c:flush_old_files. */
2188 static inline void flush_unauthorized_files(const struct cred *cred,
2189 struct files_struct *files)
2191 struct avc_audit_data ad;
2192 struct file *file, *devnull = NULL;
2193 struct tty_struct *tty;
2194 struct fdtable *fdt;
2198 tty = get_current_tty();
2201 if (!list_empty(&tty->tty_files)) {
2202 struct inode *inode;
2204 /* Revalidate access to controlling tty.
2205 Use inode_has_perm on the tty inode directly rather
2206 than using file_has_perm, as this particular open
2207 file may belong to another process and we are only
2208 interested in the inode-based check here. */
2209 file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2210 inode = file->f_path.dentry->d_inode;
2211 if (inode_has_perm(cred, inode,
2212 FILE__READ | FILE__WRITE, NULL)) {
2219 /* Reset controlling tty. */
2223 /* Revalidate access to inherited open files. */
2225 AVC_AUDIT_DATA_INIT(&ad, FS);
2227 spin_lock(&files->file_lock);
2229 unsigned long set, i;
2234 fdt = files_fdtable(files);
2235 if (i >= fdt->max_fds)
2237 set = fdt->open_fds->fds_bits[j];
2240 spin_unlock(&files->file_lock);
2241 for ( ; set ; i++, set >>= 1) {
2246 if (file_has_perm(cred,
2248 file_to_av(file))) {
2250 fd = get_unused_fd();
2260 devnull = dentry_open(
2262 mntget(selinuxfs_mount),
2264 if (IS_ERR(devnull)) {
2271 fd_install(fd, devnull);
2276 spin_lock(&files->file_lock);
2279 spin_unlock(&files->file_lock);
2283 * Prepare a process for imminent new credential changes due to exec
2285 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2287 struct task_security_struct *new_tsec;
2288 struct rlimit *rlim, *initrlim;
2291 secondary_ops->bprm_committing_creds(bprm);
2293 new_tsec = bprm->cred->security;
2294 if (new_tsec->sid == new_tsec->osid)
2297 /* Close files for which the new task SID is not authorized. */
2298 flush_unauthorized_files(bprm->cred, current->files);
2300 /* Always clear parent death signal on SID transitions. */
2301 current->pdeath_signal = 0;
2303 /* Check whether the new SID can inherit resource limits from the old
2304 * SID. If not, reset all soft limits to the lower of the current
2305 * task's hard limit and the init task's soft limit.
2307 * Note that the setting of hard limits (even to lower them) can be
2308 * controlled by the setrlimit check. The inclusion of the init task's
2309 * soft limit into the computation is to avoid resetting soft limits
2310 * higher than the default soft limit for cases where the default is
2311 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2313 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2314 PROCESS__RLIMITINH, NULL);
2316 for (i = 0; i < RLIM_NLIMITS; i++) {
2317 rlim = current->signal->rlim + i;
2318 initrlim = init_task.signal->rlim + i;
2319 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2321 update_rlimit_cpu(rlim->rlim_cur);
2326 * Clean up the process immediately after the installation of new credentials
2329 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2331 const struct task_security_struct *tsec = current_security();
2332 struct itimerval itimer;
2333 struct sighand_struct *psig;
2336 unsigned long flags;
2338 secondary_ops->bprm_committed_creds(bprm);
2346 /* Check whether the new SID can inherit signal state from the old SID.
2347 * If not, clear itimers to avoid subsequent signal generation and
2348 * flush and unblock signals.
2350 * This must occur _after_ the task SID has been updated so that any
2351 * kill done after the flush will be checked against the new SID.
2353 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2355 memset(&itimer, 0, sizeof itimer);
2356 for (i = 0; i < 3; i++)
2357 do_setitimer(i, &itimer, NULL);
2358 flush_signals(current);
2359 spin_lock_irq(¤t->sighand->siglock);
2360 flush_signal_handlers(current, 1);
2361 sigemptyset(¤t->blocked);
2362 recalc_sigpending();
2363 spin_unlock_irq(¤t->sighand->siglock);
2366 /* Wake up the parent if it is waiting so that it can recheck
2367 * wait permission to the new task SID. */
2368 read_lock_irq(&tasklist_lock);
2369 psig = current->parent->sighand;
2370 spin_lock_irqsave(&psig->siglock, flags);
2371 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
2372 spin_unlock_irqrestore(&psig->siglock, flags);
2373 read_unlock_irq(&tasklist_lock);
2376 /* superblock security operations */
2378 static int selinux_sb_alloc_security(struct super_block *sb)
2380 return superblock_alloc_security(sb);
2383 static void selinux_sb_free_security(struct super_block *sb)
2385 superblock_free_security(sb);
2388 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2393 return !memcmp(prefix, option, plen);
2396 static inline int selinux_option(char *option, int len)
2398 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2399 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2400 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2401 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2404 static inline void take_option(char **to, char *from, int *first, int len)
2411 memcpy(*to, from, len);
2415 static inline void take_selinux_option(char **to, char *from, int *first,
2418 int current_size = 0;
2426 while (current_size < len) {
2436 static int selinux_sb_copy_data(char *orig, char *copy)
2438 int fnosec, fsec, rc = 0;
2439 char *in_save, *in_curr, *in_end;
2440 char *sec_curr, *nosec_save, *nosec;
2446 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2454 in_save = in_end = orig;
2458 open_quote = !open_quote;
2459 if ((*in_end == ',' && open_quote == 0) ||
2461 int len = in_end - in_curr;
2463 if (selinux_option(in_curr, len))
2464 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2466 take_option(&nosec, in_curr, &fnosec, len);
2468 in_curr = in_end + 1;
2470 } while (*in_end++);
2472 strcpy(in_save, nosec_save);
2473 free_page((unsigned long)nosec_save);
2478 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2480 const struct cred *cred = current_cred();
2481 struct avc_audit_data ad;
2484 rc = superblock_doinit(sb, data);
2488 /* Allow all mounts performed by the kernel */
2489 if (flags & MS_KERNMOUNT)
2492 AVC_AUDIT_DATA_INIT(&ad, FS);
2493 ad.u.fs.path.dentry = sb->s_root;
2494 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2497 static int selinux_sb_statfs(struct dentry *dentry)
2499 const struct cred *cred = current_cred();
2500 struct avc_audit_data ad;
2502 AVC_AUDIT_DATA_INIT(&ad, FS);
2503 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2504 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2507 static int selinux_mount(char *dev_name,
2510 unsigned long flags,
2513 const struct cred *cred = current_cred();
2516 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2520 if (flags & MS_REMOUNT)
2521 return superblock_has_perm(cred, path->mnt->mnt_sb,
2522 FILESYSTEM__REMOUNT, NULL);
2524 return dentry_has_perm(cred, path->mnt, path->dentry,
2528 static int selinux_umount(struct vfsmount *mnt, int flags)
2530 const struct cred *cred = current_cred();
2533 rc = secondary_ops->sb_umount(mnt, flags);
2537 return superblock_has_perm(cred, mnt->mnt_sb,
2538 FILESYSTEM__UNMOUNT, NULL);
2541 /* inode security operations */
2543 static int selinux_inode_alloc_security(struct inode *inode)
2545 return inode_alloc_security(inode);
2548 static void selinux_inode_free_security(struct inode *inode)
2550 inode_free_security(inode);
2553 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2554 char **name, void **value,
2557 const struct cred *cred = current_cred();
2558 const struct task_security_struct *tsec = cred->security;
2559 struct inode_security_struct *dsec;
2560 struct superblock_security_struct *sbsec;
2561 u32 sid, newsid, clen;
2563 char *namep = NULL, *context;
2565 dsec = dir->i_security;
2566 sbsec = dir->i_sb->s_security;
2569 newsid = tsec->create_sid;
2571 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
2572 rc = security_transition_sid(sid, dsec->sid,
2573 inode_mode_to_security_class(inode->i_mode),
2576 printk(KERN_WARNING "%s: "
2577 "security_transition_sid failed, rc=%d (dev=%s "
2580 -rc, inode->i_sb->s_id, inode->i_ino);
2585 /* Possibly defer initialization to selinux_complete_init. */
2586 if (sbsec->flags & SE_SBINITIALIZED) {
2587 struct inode_security_struct *isec = inode->i_security;
2588 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2590 isec->initialized = 1;
2593 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2597 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2604 rc = security_sid_to_context_force(newsid, &context, &clen);
2616 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2618 return may_create(dir, dentry, SECCLASS_FILE);
2621 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2625 rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2628 return may_link(dir, old_dentry, MAY_LINK);
2631 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2635 rc = secondary_ops->inode_unlink(dir, dentry);
2638 return may_link(dir, dentry, MAY_UNLINK);
2641 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2643 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2646 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2648 return may_create(dir, dentry, SECCLASS_DIR);
2651 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2653 return may_link(dir, dentry, MAY_RMDIR);
2656 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2660 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2664 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2667 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2668 struct inode *new_inode, struct dentry *new_dentry)
2670 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2673 static int selinux_inode_readlink(struct dentry *dentry)
2675 const struct cred *cred = current_cred();
2677 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2680 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2682 const struct cred *cred = current_cred();
2685 rc = secondary_ops->inode_follow_link(dentry, nameidata);
2688 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2691 static int selinux_inode_permission(struct inode *inode, int mask)
2693 const struct cred *cred = current_cred();
2696 rc = secondary_ops->inode_permission(inode, mask);
2701 /* No permission to check. Existence test. */
2705 return inode_has_perm(cred, inode,
2706 file_mask_to_av(inode->i_mode, mask), NULL);
2709 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2711 const struct cred *cred = current_cred();
2714 rc = secondary_ops->inode_setattr(dentry, iattr);
2718 if (iattr->ia_valid & ATTR_FORCE)
2721 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2722 ATTR_ATIME_SET | ATTR_MTIME_SET))
2723 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2725 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2728 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2730 const struct cred *cred = current_cred();
2732 return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2735 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2737 const struct cred *cred = current_cred();
2739 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2740 sizeof XATTR_SECURITY_PREFIX - 1)) {
2741 if (!strcmp(name, XATTR_NAME_CAPS)) {
2742 if (!capable(CAP_SETFCAP))
2744 } else if (!capable(CAP_SYS_ADMIN)) {
2745 /* A different attribute in the security namespace.
2746 Restrict to administrator. */
2751 /* Not an attribute we recognize, so just check the
2752 ordinary setattr permission. */
2753 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2756 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2757 const void *value, size_t size, int flags)
2759 struct inode *inode = dentry->d_inode;
2760 struct inode_security_struct *isec = inode->i_security;
2761 struct superblock_security_struct *sbsec;
2762 struct avc_audit_data ad;
2763 u32 newsid, sid = current_sid();
2766 if (strcmp(name, XATTR_NAME_SELINUX))
2767 return selinux_inode_setotherxattr(dentry, name);
2769 sbsec = inode->i_sb->s_security;
2770 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2773 if (!is_owner_or_cap(inode))
2776 AVC_AUDIT_DATA_INIT(&ad, FS);
2777 ad.u.fs.path.dentry = dentry;
2779 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2780 FILE__RELABELFROM, &ad);
2784 rc = security_context_to_sid(value, size, &newsid);
2785 if (rc == -EINVAL) {
2786 if (!capable(CAP_MAC_ADMIN))
2788 rc = security_context_to_sid_force(value, size, &newsid);
2793 rc = avc_has_perm(sid, newsid, isec->sclass,
2794 FILE__RELABELTO, &ad);
2798 rc = security_validate_transition(isec->sid, newsid, sid,
2803 return avc_has_perm(newsid,
2805 SECCLASS_FILESYSTEM,
2806 FILESYSTEM__ASSOCIATE,
2810 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2811 const void *value, size_t size,
2814 struct inode *inode = dentry->d_inode;
2815 struct inode_security_struct *isec = inode->i_security;
2819 if (strcmp(name, XATTR_NAME_SELINUX)) {
2820 /* Not an attribute we recognize, so nothing to do. */
2824 rc = security_context_to_sid_force(value, size, &newsid);
2826 printk(KERN_ERR "SELinux: unable to map context to SID"
2827 "for (%s, %lu), rc=%d\n",
2828 inode->i_sb->s_id, inode->i_ino, -rc);
2836 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2838 const struct cred *cred = current_cred();
2840 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2843 static int selinux_inode_listxattr(struct dentry *dentry)
2845 const struct cred *cred = current_cred();
2847 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2850 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2852 if (strcmp(name, XATTR_NAME_SELINUX))
2853 return selinux_inode_setotherxattr(dentry, name);
2855 /* No one is allowed to remove a SELinux security label.
2856 You can change the label, but all data must be labeled. */
2861 * Copy the inode security context value to the user.
2863 * Permission check is handled by selinux_inode_getxattr hook.
2865 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2869 char *context = NULL;
2870 struct inode_security_struct *isec = inode->i_security;
2872 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2876 * If the caller has CAP_MAC_ADMIN, then get the raw context
2877 * value even if it is not defined by current policy; otherwise,
2878 * use the in-core value under current policy.
2879 * Use the non-auditing forms of the permission checks since
2880 * getxattr may be called by unprivileged processes commonly
2881 * and lack of permission just means that we fall back to the
2882 * in-core context value, not a denial.
2884 error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2885 SECURITY_CAP_NOAUDIT);
2887 error = security_sid_to_context_force(isec->sid, &context,
2890 error = security_sid_to_context(isec->sid, &context, &size);
2903 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2904 const void *value, size_t size, int flags)
2906 struct inode_security_struct *isec = inode->i_security;
2910 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2913 if (!value || !size)
2916 rc = security_context_to_sid((void *)value, size, &newsid);
2924 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2926 const int len = sizeof(XATTR_NAME_SELINUX);
2927 if (buffer && len <= buffer_size)
2928 memcpy(buffer, XATTR_NAME_SELINUX, len);
2932 static int selinux_inode_need_killpriv(struct dentry *dentry)
2934 return secondary_ops->inode_need_killpriv(dentry);
2937 static int selinux_inode_killpriv(struct dentry *dentry)
2939 return secondary_ops->inode_killpriv(dentry);
2942 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2944 struct inode_security_struct *isec = inode->i_security;
2948 /* file security operations */
2950 static int selinux_revalidate_file_permission(struct file *file, int mask)
2952 const struct cred *cred = current_cred();
2954 struct inode *inode = file->f_path.dentry->d_inode;
2957 /* No permission to check. Existence test. */
2961 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2962 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2965 rc = file_has_perm(cred, file,
2966 file_mask_to_av(inode->i_mode, mask));
2970 return selinux_netlbl_inode_permission(inode, mask);
2973 static int selinux_file_permission(struct file *file, int mask)
2975 struct inode *inode = file->f_path.dentry->d_inode;
2976 struct file_security_struct *fsec = file->f_security;
2977 struct inode_security_struct *isec = inode->i_security;
2978 u32 sid = current_sid();
2981 /* No permission to check. Existence test. */
2985 if (sid == fsec->sid && fsec->isid == isec->sid
2986 && fsec->pseqno == avc_policy_seqno())
2987 return selinux_netlbl_inode_permission(inode, mask);
2989 return selinux_revalidate_file_permission(file, mask);
2992 static int selinux_file_alloc_security(struct file *file)
2994 return file_alloc_security(file);
2997 static void selinux_file_free_security(struct file *file)
2999 file_free_security(file);
3002 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3005 const struct cred *cred = current_cred();
3008 if (_IOC_DIR(cmd) & _IOC_WRITE)
3010 if (_IOC_DIR(cmd) & _IOC_READ)
3015 return file_has_perm(cred, file, av);
3018 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3020 const struct cred *cred = current_cred();
3023 #ifndef CONFIG_PPC32
3024 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3026 * We are making executable an anonymous mapping or a
3027 * private file mapping that will also be writable.
3028 * This has an additional check.
3030 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3037 /* read access is always possible with a mapping */
3038 u32 av = FILE__READ;
3040 /* write access only matters if the mapping is shared */
3041 if (shared && (prot & PROT_WRITE))
3044 if (prot & PROT_EXEC)
3045 av |= FILE__EXECUTE;
3047 return file_has_perm(cred, file, av);
3054 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3055 unsigned long prot, unsigned long flags,
3056 unsigned long addr, unsigned long addr_only)
3059 u32 sid = current_sid();
3061 if (addr < mmap_min_addr)
3062 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3063 MEMPROTECT__MMAP_ZERO, NULL);
3064 if (rc || addr_only)
3067 if (selinux_checkreqprot)
3070 return file_map_prot_check(file, prot,
3071 (flags & MAP_TYPE) == MAP_SHARED);
3074 static int selinux_file_mprotect(struct vm_area_struct *vma,
3075 unsigned long reqprot,
3078 const struct cred *cred = current_cred();
3081 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3085 if (selinux_checkreqprot)
3088 #ifndef CONFIG_PPC32
3089 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3091 if (vma->vm_start >= vma->vm_mm->start_brk &&
3092 vma->vm_end <= vma->vm_mm->brk) {
3093 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3094 } else if (!vma->vm_file &&
3095 vma->vm_start <= vma->vm_mm->start_stack &&
3096 vma->vm_end >= vma->vm_mm->start_stack) {
3097 rc = current_has_perm(current, PROCESS__EXECSTACK);
3098 } else if (vma->vm_file && vma->anon_vma) {
3100 * We are making executable a file mapping that has
3101 * had some COW done. Since pages might have been
3102 * written, check ability to execute the possibly
3103 * modified content. This typically should only
3104 * occur for text relocations.
3106 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3113 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3116 static int selinux_file_lock(struct file *file, unsigned int cmd)
3118 const struct cred *cred = current_cred();
3120 return file_has_perm(cred, file, FILE__LOCK);
3123 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3126 const struct cred *cred = current_cred();
3131 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3136 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3137 err = file_has_perm(cred, file, FILE__WRITE);
3146 /* Just check FD__USE permission */
3147 err = file_has_perm(cred, file, 0);
3152 #if BITS_PER_LONG == 32
3157 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3161 err = file_has_perm(cred, file, FILE__LOCK);
3168 static int selinux_file_set_fowner(struct file *file)
3170 struct file_security_struct *fsec;
3172 fsec = file->f_security;
3173 fsec->fown_sid = current_sid();
3178 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3179 struct fown_struct *fown, int signum)
3182 u32 sid = current_sid();
3184 struct file_security_struct *fsec;
3186 /* struct fown_struct is never outside the context of a struct file */
3187 file = container_of(fown, struct file, f_owner);
3189 fsec = file->f_security;
3192 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3194 perm = signal_to_av(signum);
3196 return avc_has_perm(fsec->fown_sid, sid,
3197 SECCLASS_PROCESS, perm, NULL);
3200 static int selinux_file_receive(struct file *file)
3202 const struct cred *cred = current_cred();
3204 return file_has_perm(cred, file, file_to_av(file));
3207 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3209 struct file_security_struct *fsec;
3210 struct inode *inode;
3211 struct inode_security_struct *isec;
3213 inode = file->f_path.dentry->d_inode;
3214 fsec = file->f_security;
3215 isec = inode->i_security;
3217 * Save inode label and policy sequence number
3218 * at open-time so that selinux_file_permission
3219 * can determine whether revalidation is necessary.
3220 * Task label is already saved in the file security
3221 * struct as its SID.
3223 fsec->isid = isec->sid;
3224 fsec->pseqno = avc_policy_seqno();
3226 * Since the inode label or policy seqno may have changed
3227 * between the selinux_inode_permission check and the saving
3228 * of state above, recheck that access is still permitted.
3229 * Otherwise, access might never be revalidated against the
3230 * new inode label or new policy.
3231 * This check is not redundant - do not remove.
3233 return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3236 /* task security operations */
3238 static int selinux_task_create(unsigned long clone_flags)
3242 rc = secondary_ops->task_create(clone_flags);
3246 return current_has_perm(current, PROCESS__FORK);
3250 * detach and free the LSM part of a set of credentials
3252 static void selinux_cred_free(struct cred *cred)
3254 struct task_security_struct *tsec = cred->security;
3255 cred->security = NULL;
3260 * prepare a new set of credentials for modification
3262 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3265 const struct task_security_struct *old_tsec;
3266 struct task_security_struct *tsec;
3268 old_tsec = old->security;
3270 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3274 new->security = tsec;
3279 * commit new credentials
3281 static void selinux_cred_commit(struct cred *new, const struct cred *old)
3283 secondary_ops->cred_commit(new, old);
3287 * set the security data for a kernel service
3288 * - all the creation contexts are set to unlabelled
3290 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3292 struct task_security_struct *tsec = new->security;
3293 u32 sid = current_sid();
3296 ret = avc_has_perm(sid, secid,
3297 SECCLASS_KERNEL_SERVICE,
3298 KERNEL_SERVICE__USE_AS_OVERRIDE,
3302 tsec->create_sid = 0;
3303 tsec->keycreate_sid = 0;
3304 tsec->sockcreate_sid = 0;
3310 * set the file creation context in a security record to the same as the
3311 * objective context of the specified inode
3313 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3315 struct inode_security_struct *isec = inode->i_security;
3316 struct task_security_struct *tsec = new->security;
3317 u32 sid = current_sid();
3320 ret = avc_has_perm(sid, isec->sid,
3321 SECCLASS_KERNEL_SERVICE,
3322 KERNEL_SERVICE__CREATE_FILES_AS,
3326 tsec->create_sid = isec->sid;
3330 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3332 /* Since setuid only affects the current process, and
3333 since the SELinux controls are not based on the Linux
3334 identity attributes, SELinux does not need to control
3335 this operation. However, SELinux does control the use
3336 of the CAP_SETUID and CAP_SETGID capabilities using the
3341 static int selinux_task_fix_setuid(struct cred *new, const struct cred *old,
3344 return secondary_ops->task_fix_setuid(new, old, flags);
3347 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3349 /* See the comment for setuid above. */
3353 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3355 return current_has_perm(p, PROCESS__SETPGID);
3358 static int selinux_task_getpgid(struct task_struct *p)
3360 return current_has_perm(p, PROCESS__GETPGID);
3363 static int selinux_task_getsid(struct task_struct *p)
3365 return current_has_perm(p, PROCESS__GETSESSION);
3368 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3370 *secid = task_sid(p);
3373 static int selinux_task_setgroups(struct group_info *group_info)
3375 /* See the comment for setuid above. */
3379 static int selinux_task_setnice(struct task_struct *p, int nice)
3383 rc = secondary_ops->task_setnice(p, nice);
3387 return current_has_perm(p, PROCESS__SETSCHED);
3390 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3394 rc = secondary_ops->task_setioprio(p, ioprio);
3398 return current_has_perm(p, PROCESS__SETSCHED);
3401 static int selinux_task_getioprio(struct task_struct *p)
3403 return current_has_perm(p, PROCESS__GETSCHED);
3406 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3408 struct rlimit *old_rlim = current->signal->rlim + resource;
3411 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3415 /* Control the ability to change the hard limit (whether
3416 lowering or raising it), so that the hard limit can
3417 later be used as a safe reset point for the soft limit
3418 upon context transitions. See selinux_bprm_committing_creds. */
3419 if (old_rlim->rlim_max != new_rlim->rlim_max)
3420 return current_has_perm(current, PROCESS__SETRLIMIT);
3425 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3429 rc = secondary_ops->task_setscheduler(p, policy, lp);
3433 return current_has_perm(p, PROCESS__SETSCHED);
3436 static int selinux_task_getscheduler(struct task_struct *p)
3438 return current_has_perm(p, PROCESS__GETSCHED);
3441 static int selinux_task_movememory(struct task_struct *p)
3443 return current_has_perm(p, PROCESS__SETSCHED);
3446 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3452 rc = secondary_ops->task_kill(p, info, sig, secid);
3457 perm = PROCESS__SIGNULL; /* null signal; existence test */
3459 perm = signal_to_av(sig);
3461 rc = avc_has_perm(secid, task_sid(p),
3462 SECCLASS_PROCESS, perm, NULL);
3464 rc = current_has_perm(p, perm);
3468 static int selinux_task_prctl(int option,
3474 /* The current prctl operations do not appear to require
3475 any SELinux controls since they merely observe or modify
3476 the state of the current process. */
3477 return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5);
3480 static int selinux_task_wait(struct task_struct *p)
3482 return task_has_perm(p, current, PROCESS__SIGCHLD);
3485 static void selinux_task_to_inode(struct task_struct *p,
3486 struct inode *inode)
3488 struct inode_security_struct *isec = inode->i_security;
3489 u32 sid = task_sid(p);
3492 isec->initialized = 1;
3495 /* Returns error only if unable to parse addresses */
3496 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3497 struct avc_audit_data *ad, u8 *proto)
3499 int offset, ihlen, ret = -EINVAL;
3500 struct iphdr _iph, *ih;
3502 offset = skb_network_offset(skb);
3503 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3507 ihlen = ih->ihl * 4;
3508 if (ihlen < sizeof(_iph))
3511 ad->u.net.v4info.saddr = ih->saddr;
3512 ad->u.net.v4info.daddr = ih->daddr;
3516 *proto = ih->protocol;
3518 switch (ih->protocol) {
3520 struct tcphdr _tcph, *th;
3522 if (ntohs(ih->frag_off) & IP_OFFSET)
3526 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3530 ad->u.net.sport = th->source;
3531 ad->u.net.dport = th->dest;
3536 struct udphdr _udph, *uh;
3538 if (ntohs(ih->frag_off) & IP_OFFSET)
3542 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3546 ad->u.net.sport = uh->source;
3547 ad->u.net.dport = uh->dest;
3551 case IPPROTO_DCCP: {
3552 struct dccp_hdr _dccph, *dh;
3554 if (ntohs(ih->frag_off) & IP_OFFSET)
3558 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3562 ad->u.net.sport = dh->dccph_sport;
3563 ad->u.net.dport = dh->dccph_dport;
3574 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3576 /* Returns error only if unable to parse addresses */
3577 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3578 struct avc_audit_data *ad, u8 *proto)
3581 int ret = -EINVAL, offset;
3582 struct ipv6hdr _ipv6h, *ip6;
3584 offset = skb_network_offset(skb);
3585 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3589 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3590 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3593 nexthdr = ip6->nexthdr;
3594 offset += sizeof(_ipv6h);
3595 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3604 struct tcphdr _tcph, *th;
3606 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3610 ad->u.net.sport = th->source;
3611 ad->u.net.dport = th->dest;
3616 struct udphdr _udph, *uh;
3618 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3622 ad->u.net.sport = uh->source;
3623 ad->u.net.dport = uh->dest;
3627 case IPPROTO_DCCP: {
3628 struct dccp_hdr _dccph, *dh;
3630 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3634 ad->u.net.sport = dh->dccph_sport;
3635 ad->u.net.dport = dh->dccph_dport;
3639 /* includes fragments */
3649 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3650 char **_addrp, int src, u8 *proto)
3655 switch (ad->u.net.family) {
3657 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3660 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3661 &ad->u.net.v4info.daddr);
3664 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3666 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3669 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3670 &ad->u.net.v6info.daddr);
3680 "SELinux: failure in selinux_parse_skb(),"
3681 " unable to parse packet\n");
3691 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3693 * @family: protocol family
3694 * @sid: the packet's peer label SID
3697 * Check the various different forms of network peer labeling and determine
3698 * the peer label/SID for the packet; most of the magic actually occurs in
3699 * the security server function security_net_peersid_cmp(). The function
3700 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3701 * or -EACCES if @sid is invalid due to inconsistencies with the different
3705 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3712 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3713 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3715 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3716 if (unlikely(err)) {
3718 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3719 " unable to determine packet's peer label\n");
3726 /* socket security operations */
3727 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3730 struct inode_security_struct *isec;
3731 struct avc_audit_data ad;
3735 isec = SOCK_INODE(sock)->i_security;
3737 if (isec->sid == SECINITSID_KERNEL)
3739 sid = task_sid(task);
3741 AVC_AUDIT_DATA_INIT(&ad, NET);
3742 ad.u.net.sk = sock->sk;
3743 err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
3749 static int selinux_socket_create(int family, int type,
3750 int protocol, int kern)
3752 const struct cred *cred = current_cred();
3753 const struct task_security_struct *tsec = cred->security;
3762 newsid = tsec->sockcreate_sid ?: sid;
3764 secclass = socket_type_to_security_class(family, type, protocol);
3765 err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL);
3771 static int selinux_socket_post_create(struct socket *sock, int family,
3772 int type, int protocol, int kern)
3774 const struct cred *cred = current_cred();
3775 const struct task_security_struct *tsec = cred->security;
3776 struct inode_security_struct *isec;
3777 struct sk_security_struct *sksec;
3782 newsid = tsec->sockcreate_sid;
3784 isec = SOCK_INODE(sock)->i_security;
3787 isec->sid = SECINITSID_KERNEL;
3793 isec->sclass = socket_type_to_security_class(family, type, protocol);
3794 isec->initialized = 1;
3797 sksec = sock->sk->sk_security;
3798 sksec->sid = isec->sid;
3799 sksec->sclass = isec->sclass;
3800 err = selinux_netlbl_socket_post_create(sock);
3806 /* Range of port numbers used to automatically bind.
3807 Need to determine whether we should perform a name_bind
3808 permission check between the socket and the port number. */
3810 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3815 err = socket_has_perm(current, sock, SOCKET__BIND);
3820 * If PF_INET or PF_INET6, check name_bind permission for the port.
3821 * Multiple address binding for SCTP is not supported yet: we just
3822 * check the first address now.
3824 family = sock->sk->sk_family;
3825 if (family == PF_INET || family == PF_INET6) {
3827 struct inode_security_struct *isec;
3828 struct avc_audit_data ad;
3829 struct sockaddr_in *addr4 = NULL;
3830 struct sockaddr_in6 *addr6 = NULL;
3831 unsigned short snum;
3832 struct sock *sk = sock->sk;
3835 isec = SOCK_INODE(sock)->i_security;
3837 if (family == PF_INET) {
3838 addr4 = (struct sockaddr_in *)address;
3839 snum = ntohs(addr4->sin_port);
3840 addrp = (char *)&addr4->sin_addr.s_addr;
3842 addr6 = (struct sockaddr_in6 *)address;
3843 snum = ntohs(addr6->sin6_port);
3844 addrp = (char *)&addr6->sin6_addr.s6_addr;
3850 inet_get_local_port_range(&low, &high);
3852 if (snum < max(PROT_SOCK, low) || snum > high) {
3853 err = sel_netport_sid(sk->sk_protocol,
3857 AVC_AUDIT_DATA_INIT(&ad, NET);
3858 ad.u.net.sport = htons(snum);
3859 ad.u.net.family = family;
3860 err = avc_has_perm(isec->sid, sid,
3862 SOCKET__NAME_BIND, &ad);
3868 switch (isec->sclass) {
3869 case SECCLASS_TCP_SOCKET:
3870 node_perm = TCP_SOCKET__NODE_BIND;
3873 case SECCLASS_UDP_SOCKET:
3874 node_perm = UDP_SOCKET__NODE_BIND;
3877 case SECCLASS_DCCP_SOCKET:
3878 node_perm = DCCP_SOCKET__NODE_BIND;
3882 node_perm = RAWIP_SOCKET__NODE_BIND;
3886 err = sel_netnode_sid(addrp, family, &sid);
3890 AVC_AUDIT_DATA_INIT(&ad, NET);
3891 ad.u.net.sport = htons(snum);
3892 ad.u.net.family = family;
3894 if (family == PF_INET)
3895 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3897 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3899 err = avc_has_perm(isec->sid, sid,
3900 isec->sclass, node_perm, &ad);
3908 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3910 struct sock *sk = sock->sk;
3911 struct inode_security_struct *isec;
3914 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3919 * If a TCP or DCCP socket, check name_connect permission for the port.
3921 isec = SOCK_INODE(sock)->i_security;
3922 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3923 isec->sclass == SECCLASS_DCCP_SOCKET) {
3924 struct avc_audit_data ad;
3925 struct sockaddr_in *addr4 = NULL;
3926 struct sockaddr_in6 *addr6 = NULL;
3927 unsigned short snum;
3930 if (sk->sk_family == PF_INET) {
3931 addr4 = (struct sockaddr_in *)address;
3932 if (addrlen < sizeof(struct sockaddr_in))
3934 snum = ntohs(addr4->sin_port);
3936 addr6 = (struct sockaddr_in6 *)address;
3937 if (addrlen < SIN6_LEN_RFC2133)
3939 snum = ntohs(addr6->sin6_port);
3942 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3946 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3947 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3949 AVC_AUDIT_DATA_INIT(&ad, NET);
3950 ad.u.net.dport = htons(snum);
3951 ad.u.net.family = sk->sk_family;
3952 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3957 err = selinux_netlbl_socket_connect(sk, address);
3963 static int selinux_socket_listen(struct socket *sock, int backlog)
3965 return socket_has_perm(current, sock, SOCKET__LISTEN);
3968 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3971 struct inode_security_struct *isec;
3972 struct inode_security_struct *newisec;
3974 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3978 newisec = SOCK_INODE(newsock)->i_security;
3980 isec = SOCK_INODE(sock)->i_security;
3981 newisec->sclass = isec->sclass;
3982 newisec->sid = isec->sid;
3983 newisec->initialized = 1;
3988 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3993 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3997 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
4000 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4001 int size, int flags)
4003 return socket_has_perm(current, sock, SOCKET__READ);
4006 static int selinux_socket_getsockname(struct socket *sock)
4008 return socket_has_perm(current, sock, SOCKET__GETATTR);
4011 static int selinux_socket_getpeername(struct socket *sock)
4013 return socket_has_perm(current, sock, SOCKET__GETATTR);
4016 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4020 err = socket_has_perm(current, sock, SOCKET__SETOPT);
4024 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4027 static int selinux_socket_getsockopt(struct socket *sock, int level,
4030 return socket_has_perm(current, sock, SOCKET__GETOPT);
4033 static int selinux_socket_shutdown(struct socket *sock, int how)
4035 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
4038 static int selinux_socket_unix_stream_connect(struct socket *sock,
4039 struct socket *other,
4042 struct sk_security_struct *ssec;
4043 struct inode_security_struct *isec;
4044 struct inode_security_struct *other_isec;
4045 struct avc_audit_data ad;
4048 err = secondary_ops->unix_stream_connect(sock, other, newsk);
4052 isec = SOCK_INODE(sock)->i_security;
4053 other_isec = SOCK_INODE(other)->i_security;
4055 AVC_AUDIT_DATA_INIT(&ad, NET);
4056 ad.u.net.sk = other->sk;
4058 err = avc_has_perm(isec->sid, other_isec->sid,
4060 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4064 /* connecting socket */
4065 ssec = sock->sk->sk_security;
4066 ssec->peer_sid = other_isec->sid;
4068 /* server child socket */
4069 ssec = newsk->sk_security;
4070 ssec->peer_sid = isec->sid;
4071 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
4076 static int selinux_socket_unix_may_send(struct socket *sock,
4077 struct socket *other)
4079 struct inode_security_struct *isec;
4080 struct inode_security_struct *other_isec;
4081 struct avc_audit_data ad;
4084 isec = SOCK_INODE(sock)->i_security;
4085 other_isec = SOCK_INODE(other)->i_security;
4087 AVC_AUDIT_DATA_INIT(&ad, NET);
4088 ad.u.net.sk = other->sk;
4090 err = avc_has_perm(isec->sid, other_isec->sid,
4091 isec->sclass, SOCKET__SENDTO, &ad);
4098 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4100 struct avc_audit_data *ad)
4106 err = sel_netif_sid(ifindex, &if_sid);
4109 err = avc_has_perm(peer_sid, if_sid,
4110 SECCLASS_NETIF, NETIF__INGRESS, ad);
4114 err = sel_netnode_sid(addrp, family, &node_sid);
4117 return avc_has_perm(peer_sid, node_sid,
4118 SECCLASS_NODE, NODE__RECVFROM, ad);
4121 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4122 struct sk_buff *skb,
4123 struct avc_audit_data *ad,
4128 struct sk_security_struct *sksec = sk->sk_security;
4130 u32 netif_perm, node_perm, recv_perm;
4131 u32 port_sid, node_sid, if_sid, sk_sid;
4133 sk_sid = sksec->sid;
4134 sk_class = sksec->sclass;
4137 case SECCLASS_UDP_SOCKET:
4138 netif_perm = NETIF__UDP_RECV;
4139 node_perm = NODE__UDP_RECV;
4140 recv_perm = UDP_SOCKET__RECV_MSG;
4142 case SECCLASS_TCP_SOCKET:
4143 netif_perm = NETIF__TCP_RECV;
4144 node_perm = NODE__TCP_RECV;
4145 recv_perm = TCP_SOCKET__RECV_MSG;
4147 case SECCLASS_DCCP_SOCKET:
4148 netif_perm = NETIF__DCCP_RECV;
4149 node_perm = NODE__DCCP_RECV;
4150 recv_perm = DCCP_SOCKET__RECV_MSG;
4153 netif_perm = NETIF__RAWIP_RECV;
4154 node_perm = NODE__RAWIP_RECV;
4159 err = sel_netif_sid(skb->iif, &if_sid);
4162 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4166 err = sel_netnode_sid(addrp, family, &node_sid);
4169 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4175 err = sel_netport_sid(sk->sk_protocol,
4176 ntohs(ad->u.net.sport), &port_sid);
4177 if (unlikely(err)) {
4179 "SELinux: failure in"
4180 " selinux_sock_rcv_skb_iptables_compat(),"
4181 " network port label not found\n");
4184 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4187 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4191 struct sk_security_struct *sksec = sk->sk_security;
4193 u32 sk_sid = sksec->sid;
4194 struct avc_audit_data ad;
4197 AVC_AUDIT_DATA_INIT(&ad, NET);
4198 ad.u.net.netif = skb->iif;
4199 ad.u.net.family = family;
4200 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4204 if (selinux_compat_net)
4205 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
4207 else if (selinux_secmark_enabled())
4208 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4213 if (selinux_policycap_netpeer) {
4214 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4217 err = avc_has_perm(sk_sid, peer_sid,
4218 SECCLASS_PEER, PEER__RECV, &ad);
4220 selinux_netlbl_err(skb, err, 0);
4222 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4225 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4231 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4234 struct sk_security_struct *sksec = sk->sk_security;
4235 u16 family = sk->sk_family;
4236 u32 sk_sid = sksec->sid;
4237 struct avc_audit_data ad;
4242 if (family != PF_INET && family != PF_INET6)
4245 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4246 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4249 /* If any sort of compatibility mode is enabled then handoff processing
4250 * to the selinux_sock_rcv_skb_compat() function to deal with the
4251 * special handling. We do this in an attempt to keep this function
4252 * as fast and as clean as possible. */
4253 if (selinux_compat_net || !selinux_policycap_netpeer)
4254 return selinux_sock_rcv_skb_compat(sk, skb, family);
4256 secmark_active = selinux_secmark_enabled();
4257 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4258 if (!secmark_active && !peerlbl_active)
4261 AVC_AUDIT_DATA_INIT(&ad, NET);
4262 ad.u.net.netif = skb->iif;
4263 ad.u.net.family = family;
4264 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4268 if (peerlbl_active) {
4271 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4274 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4277 selinux_netlbl_err(skb, err, 0);
4280 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4283 selinux_netlbl_err(skb, err, 0);
4286 if (secmark_active) {
4287 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4296 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4297 int __user *optlen, unsigned len)
4302 struct sk_security_struct *ssec;
4303 struct inode_security_struct *isec;
4304 u32 peer_sid = SECSID_NULL;
4306 isec = SOCK_INODE(sock)->i_security;
4308 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4309 isec->sclass == SECCLASS_TCP_SOCKET) {
4310 ssec = sock->sk->sk_security;
4311 peer_sid = ssec->peer_sid;
4313 if (peer_sid == SECSID_NULL) {
4318 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4323 if (scontext_len > len) {
4328 if (copy_to_user(optval, scontext, scontext_len))
4332 if (put_user(scontext_len, optlen))
4340 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4342 u32 peer_secid = SECSID_NULL;
4345 if (skb && skb->protocol == htons(ETH_P_IP))
4347 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4350 family = sock->sk->sk_family;
4354 if (sock && family == PF_UNIX)
4355 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4357 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4360 *secid = peer_secid;
4361 if (peer_secid == SECSID_NULL)
4366 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4368 return sk_alloc_security(sk, family, priority);
4371 static void selinux_sk_free_security(struct sock *sk)
4373 sk_free_security(sk);
4376 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4378 struct sk_security_struct *ssec = sk->sk_security;
4379 struct sk_security_struct *newssec = newsk->sk_security;
4381 newssec->sid = ssec->sid;
4382 newssec->peer_sid = ssec->peer_sid;
4383 newssec->sclass = ssec->sclass;
4385 selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4388 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4391 *secid = SECINITSID_ANY_SOCKET;
4393 struct sk_security_struct *sksec = sk->sk_security;
4395 *secid = sksec->sid;
4399 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4401 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4402 struct sk_security_struct *sksec = sk->sk_security;
4404 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4405 sk->sk_family == PF_UNIX)
4406 isec->sid = sksec->sid;
4407 sksec->sclass = isec->sclass;
4410 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4411 struct request_sock *req)
4413 struct sk_security_struct *sksec = sk->sk_security;
4415 u16 family = sk->sk_family;
4419 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4420 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4423 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4426 if (peersid == SECSID_NULL) {
4427 req->secid = sksec->sid;
4428 req->peer_secid = SECSID_NULL;
4432 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4436 req->secid = newsid;
4437 req->peer_secid = peersid;
4441 static void selinux_inet_csk_clone(struct sock *newsk,
4442 const struct request_sock *req)
4444 struct sk_security_struct *newsksec = newsk->sk_security;
4446 newsksec->sid = req->secid;
4447 newsksec->peer_sid = req->peer_secid;
4448 /* NOTE: Ideally, we should also get the isec->sid for the
4449 new socket in sync, but we don't have the isec available yet.
4450 So we will wait until sock_graft to do it, by which
4451 time it will have been created and available. */
4453 /* We don't need to take any sort of lock here as we are the only
4454 * thread with access to newsksec */
4455 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4458 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4460 u16 family = sk->sk_family;
4461 struct sk_security_struct *sksec = sk->sk_security;
4463 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4464 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4467 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4469 selinux_netlbl_inet_conn_established(sk, family);
4472 static void selinux_req_classify_flow(const struct request_sock *req,
4475 fl->secid = req->secid;
4478 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4482 struct nlmsghdr *nlh;
4483 struct socket *sock = sk->sk_socket;
4484 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4486 if (skb->len < NLMSG_SPACE(0)) {
4490 nlh = nlmsg_hdr(skb);
4492 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4494 if (err == -EINVAL) {
4495 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4496 "SELinux: unrecognized netlink message"
4497 " type=%hu for sclass=%hu\n",
4498 nlh->nlmsg_type, isec->sclass);
4499 if (!selinux_enforcing || security_get_allow_unknown())
4509 err = socket_has_perm(current, sock, perm);
4514 #ifdef CONFIG_NETFILTER
4516 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4522 struct avc_audit_data ad;
4527 if (!selinux_policycap_netpeer)
4530 secmark_active = selinux_secmark_enabled();
4531 netlbl_active = netlbl_enabled();
4532 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4533 if (!secmark_active && !peerlbl_active)
4536 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4539 AVC_AUDIT_DATA_INIT(&ad, NET);
4540 ad.u.net.netif = ifindex;
4541 ad.u.net.family = family;
4542 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4545 if (peerlbl_active) {
4546 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4549 selinux_netlbl_err(skb, err, 1);
4555 if (avc_has_perm(peer_sid, skb->secmark,
4556 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4560 /* we do this in the FORWARD path and not the POST_ROUTING
4561 * path because we want to make sure we apply the necessary
4562 * labeling before IPsec is applied so we can leverage AH
4564 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4570 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4571 struct sk_buff *skb,
4572 const struct net_device *in,
4573 const struct net_device *out,
4574 int (*okfn)(struct sk_buff *))
4576 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4579 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4580 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4581 struct sk_buff *skb,
4582 const struct net_device *in,
4583 const struct net_device *out,
4584 int (*okfn)(struct sk_buff *))
4586 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4590 static unsigned int selinux_ip_output(struct sk_buff *skb,
4595 if (!netlbl_enabled())
4598 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4599 * because we want to make sure we apply the necessary labeling
4600 * before IPsec is applied so we can leverage AH protection */
4602 struct sk_security_struct *sksec = skb->sk->sk_security;
4605 sid = SECINITSID_KERNEL;
4606 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4612 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4613 struct sk_buff *skb,
4614 const struct net_device *in,
4615 const struct net_device *out,
4616 int (*okfn)(struct sk_buff *))
4618 return selinux_ip_output(skb, PF_INET);
4621 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4623 struct avc_audit_data *ad,
4624 u16 family, char *addrp)
4627 struct sk_security_struct *sksec = sk->sk_security;
4629 u32 netif_perm, node_perm, send_perm;
4630 u32 port_sid, node_sid, if_sid, sk_sid;
4632 sk_sid = sksec->sid;
4633 sk_class = sksec->sclass;
4636 case SECCLASS_UDP_SOCKET:
4637 netif_perm = NETIF__UDP_SEND;
4638 node_perm = NODE__UDP_SEND;
4639 send_perm = UDP_SOCKET__SEND_MSG;
4641 case SECCLASS_TCP_SOCKET:
4642 netif_perm = NETIF__TCP_SEND;
4643 node_perm = NODE__TCP_SEND;
4644 send_perm = TCP_SOCKET__SEND_MSG;
4646 case SECCLASS_DCCP_SOCKET:
4647 netif_perm = NETIF__DCCP_SEND;
4648 node_perm = NODE__DCCP_SEND;
4649 send_perm = DCCP_SOCKET__SEND_MSG;
4652 netif_perm = NETIF__RAWIP_SEND;
4653 node_perm = NODE__RAWIP_SEND;
4658 err = sel_netif_sid(ifindex, &if_sid);
4661 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4664 err = sel_netnode_sid(addrp, family, &node_sid);
4667 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4674 err = sel_netport_sid(sk->sk_protocol,
4675 ntohs(ad->u.net.dport), &port_sid);
4676 if (unlikely(err)) {
4678 "SELinux: failure in"
4679 " selinux_ip_postroute_iptables_compat(),"
4680 " network port label not found\n");
4683 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4686 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4690 struct sock *sk = skb->sk;
4691 struct sk_security_struct *sksec;
4692 struct avc_audit_data ad;
4698 sksec = sk->sk_security;
4700 AVC_AUDIT_DATA_INIT(&ad, NET);
4701 ad.u.net.netif = ifindex;
4702 ad.u.net.family = family;
4703 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4706 if (selinux_compat_net) {
4707 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4708 &ad, family, addrp))
4710 } else if (selinux_secmark_enabled()) {
4711 if (avc_has_perm(sksec->sid, skb->secmark,
4712 SECCLASS_PACKET, PACKET__SEND, &ad))
4716 if (selinux_policycap_netpeer)
4717 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4723 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4729 struct avc_audit_data ad;
4734 /* If any sort of compatibility mode is enabled then handoff processing
4735 * to the selinux_ip_postroute_compat() function to deal with the
4736 * special handling. We do this in an attempt to keep this function
4737 * as fast and as clean as possible. */
4738 if (selinux_compat_net || !selinux_policycap_netpeer)
4739 return selinux_ip_postroute_compat(skb, ifindex, family);
4741 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4742 * packet transformation so allow the packet to pass without any checks
4743 * since we'll have another chance to perform access control checks
4744 * when the packet is on it's final way out.
4745 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4746 * is NULL, in this case go ahead and apply access control. */
4747 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4750 secmark_active = selinux_secmark_enabled();
4751 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4752 if (!secmark_active && !peerlbl_active)
4755 /* if the packet is being forwarded then get the peer label from the
4756 * packet itself; otherwise check to see if it is from a local
4757 * application or the kernel, if from an application get the peer label
4758 * from the sending socket, otherwise use the kernel's sid */
4763 if (IPCB(skb)->flags & IPSKB_FORWARDED)
4764 secmark_perm = PACKET__FORWARD_OUT;
4766 secmark_perm = PACKET__SEND;
4769 if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
4770 secmark_perm = PACKET__FORWARD_OUT;
4772 secmark_perm = PACKET__SEND;
4777 if (secmark_perm == PACKET__FORWARD_OUT) {
4778 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4781 peer_sid = SECINITSID_KERNEL;
4783 struct sk_security_struct *sksec = sk->sk_security;
4784 peer_sid = sksec->sid;
4785 secmark_perm = PACKET__SEND;
4788 AVC_AUDIT_DATA_INIT(&ad, NET);
4789 ad.u.net.netif = ifindex;
4790 ad.u.net.family = family;
4791 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4795 if (avc_has_perm(peer_sid, skb->secmark,
4796 SECCLASS_PACKET, secmark_perm, &ad))
4799 if (peerlbl_active) {
4803 if (sel_netif_sid(ifindex, &if_sid))
4805 if (avc_has_perm(peer_sid, if_sid,
4806 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4809 if (sel_netnode_sid(addrp, family, &node_sid))
4811 if (avc_has_perm(peer_sid, node_sid,
4812 SECCLASS_NODE, NODE__SENDTO, &ad))
4819 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4820 struct sk_buff *skb,
4821 const struct net_device *in,
4822 const struct net_device *out,
4823 int (*okfn)(struct sk_buff *))
4825 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4828 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4829 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4830 struct sk_buff *skb,
4831 const struct net_device *in,
4832 const struct net_device *out,
4833 int (*okfn)(struct sk_buff *))
4835 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4839 #endif /* CONFIG_NETFILTER */
4841 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4845 err = secondary_ops->netlink_send(sk, skb);
4849 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4850 err = selinux_nlmsg_perm(sk, skb);
4855 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4858 struct avc_audit_data ad;
4860 err = secondary_ops->netlink_recv(skb, capability);
4864 AVC_AUDIT_DATA_INIT(&ad, CAP);
4865 ad.u.cap = capability;
4867 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4868 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4871 static int ipc_alloc_security(struct task_struct *task,
4872 struct kern_ipc_perm *perm,
4875 struct ipc_security_struct *isec;
4878 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4882 sid = task_sid(task);
4883 isec->sclass = sclass;
4885 perm->security = isec;
4890 static void ipc_free_security(struct kern_ipc_perm *perm)
4892 struct ipc_security_struct *isec = perm->security;
4893 perm->security = NULL;
4897 static int msg_msg_alloc_security(struct msg_msg *msg)
4899 struct msg_security_struct *msec;
4901 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4905 msec->sid = SECINITSID_UNLABELED;
4906 msg->security = msec;
4911 static void msg_msg_free_security(struct msg_msg *msg)
4913 struct msg_security_struct *msec = msg->security;
4915 msg->security = NULL;
4919 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4922 struct ipc_security_struct *isec;
4923 struct avc_audit_data ad;
4924 u32 sid = current_sid();
4926 isec = ipc_perms->security;
4928 AVC_AUDIT_DATA_INIT(&ad, IPC);
4929 ad.u.ipc_id = ipc_perms->key;
4931 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4934 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4936 return msg_msg_alloc_security(msg);
4939 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4941 msg_msg_free_security(msg);
4944 /* message queue security operations */
4945 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4947 struct ipc_security_struct *isec;
4948 struct avc_audit_data ad;
4949 u32 sid = current_sid();
4952 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4956 isec = msq->q_perm.security;
4958 AVC_AUDIT_DATA_INIT(&ad, IPC);
4959 ad.u.ipc_id = msq->q_perm.key;
4961 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4964 ipc_free_security(&msq->q_perm);
4970 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4972 ipc_free_security(&msq->q_perm);
4975 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4977 struct ipc_security_struct *isec;
4978 struct avc_audit_data ad;
4979 u32 sid = current_sid();
4981 isec = msq->q_perm.security;
4983 AVC_AUDIT_DATA_INIT(&ad, IPC);
4984 ad.u.ipc_id = msq->q_perm.key;
4986 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4987 MSGQ__ASSOCIATE, &ad);
4990 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4998 /* No specific object, just general system-wide information. */
4999 return task_has_system(current, SYSTEM__IPC_INFO);
5002 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5005 perms = MSGQ__SETATTR;
5008 perms = MSGQ__DESTROY;
5014 err = ipc_has_perm(&msq->q_perm, perms);
5018 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5020 struct ipc_security_struct *isec;
5021 struct msg_security_struct *msec;
5022 struct avc_audit_data ad;
5023 u32 sid = current_sid();
5026 isec = msq->q_perm.security;
5027 msec = msg->security;
5030 * First time through, need to assign label to the message
5032 if (msec->sid == SECINITSID_UNLABELED) {
5034 * Compute new sid based on current process and
5035 * message queue this message will be stored in
5037 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5043 AVC_AUDIT_DATA_INIT(&ad, IPC);
5044 ad.u.ipc_id = msq->q_perm.key;
5046 /* Can this process write to the queue? */
5047 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5050 /* Can this process send the message */
5051 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5054 /* Can the message be put in the queue? */
5055 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5056 MSGQ__ENQUEUE, &ad);
5061 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5062 struct task_struct *target,
5063 long type, int mode)
5065 struct ipc_security_struct *isec;
5066 struct msg_security_struct *msec;
5067 struct avc_audit_data ad;
5068 u32 sid = task_sid(target);
5071 isec = msq->q_perm.security;
5072 msec = msg->security;
5074 AVC_AUDIT_DATA_INIT(&ad, IPC);
5075 ad.u.ipc_id = msq->q_perm.key;
5077 rc = avc_has_perm(sid, isec->sid,
5078 SECCLASS_MSGQ, MSGQ__READ, &ad);
5080 rc = avc_has_perm(sid, msec->sid,
5081 SECCLASS_MSG, MSG__RECEIVE, &ad);
5085 /* Shared Memory security operations */
5086 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5088 struct ipc_security_struct *isec;
5089 struct avc_audit_data ad;
5090 u32 sid = current_sid();
5093 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5097 isec = shp->shm_perm.security;
5099 AVC_AUDIT_DATA_INIT(&ad, IPC);
5100 ad.u.ipc_id = shp->shm_perm.key;
5102 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5105 ipc_free_security(&shp->shm_perm);
5111 static void selinux_shm_free_security(struct shmid_kernel *shp)
5113 ipc_free_security(&shp->shm_perm);
5116 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5118 struct ipc_security_struct *isec;
5119 struct avc_audit_data ad;
5120 u32 sid = current_sid();
5122 isec = shp->shm_perm.security;
5124 AVC_AUDIT_DATA_INIT(&ad, IPC);
5125 ad.u.ipc_id = shp->shm_perm.key;
5127 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5128 SHM__ASSOCIATE, &ad);
5131 /* Note, at this point, shp is locked down */
5132 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5140 /* No specific object, just general system-wide information. */
5141 return task_has_system(current, SYSTEM__IPC_INFO);
5144 perms = SHM__GETATTR | SHM__ASSOCIATE;
5147 perms = SHM__SETATTR;
5154 perms = SHM__DESTROY;
5160 err = ipc_has_perm(&shp->shm_perm, perms);
5164 static int selinux_shm_shmat(struct shmid_kernel *shp,
5165 char __user *shmaddr, int shmflg)
5170 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
5174 if (shmflg & SHM_RDONLY)
5177 perms = SHM__READ | SHM__WRITE;
5179 return ipc_has_perm(&shp->shm_perm, perms);
5182 /* Semaphore security operations */
5183 static int selinux_sem_alloc_security(struct sem_array *sma)
5185 struct ipc_security_struct *isec;
5186 struct avc_audit_data ad;
5187 u32 sid = current_sid();
5190 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5194 isec = sma->sem_perm.security;
5196 AVC_AUDIT_DATA_INIT(&ad, IPC);
5197 ad.u.ipc_id = sma->sem_perm.key;
5199 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5202 ipc_free_security(&sma->sem_perm);
5208 static void selinux_sem_free_security(struct sem_array *sma)
5210 ipc_free_security(&sma->sem_perm);
5213 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5215 struct ipc_security_struct *isec;
5216 struct avc_audit_data ad;
5217 u32 sid = current_sid();
5219 isec = sma->sem_perm.security;
5221 AVC_AUDIT_DATA_INIT(&ad, IPC);
5222 ad.u.ipc_id = sma->sem_perm.key;
5224 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5225 SEM__ASSOCIATE, &ad);
5228 /* Note, at this point, sma is locked down */
5229 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5237 /* No specific object, just general system-wide information. */
5238 return task_has_system(current, SYSTEM__IPC_INFO);
5242 perms = SEM__GETATTR;
5253 perms = SEM__DESTROY;
5256 perms = SEM__SETATTR;
5260 perms = SEM__GETATTR | SEM__ASSOCIATE;
5266 err = ipc_has_perm(&sma->sem_perm, perms);
5270 static int selinux_sem_semop(struct sem_array *sma,
5271 struct sembuf *sops, unsigned nsops, int alter)
5276 perms = SEM__READ | SEM__WRITE;
5280 return ipc_has_perm(&sma->sem_perm, perms);
5283 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5289 av |= IPC__UNIX_READ;
5291 av |= IPC__UNIX_WRITE;
5296 return ipc_has_perm(ipcp, av);
5299 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5301 struct ipc_security_struct *isec = ipcp->security;
5305 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5308 inode_doinit_with_dentry(inode, dentry);
5311 static int selinux_getprocattr(struct task_struct *p,
5312 char *name, char **value)
5314 const struct task_security_struct *__tsec;
5320 error = current_has_perm(p, PROCESS__GETATTR);
5326 __tsec = __task_cred(p)->security;
5328 if (!strcmp(name, "current"))
5330 else if (!strcmp(name, "prev"))
5332 else if (!strcmp(name, "exec"))
5333 sid = __tsec->exec_sid;
5334 else if (!strcmp(name, "fscreate"))
5335 sid = __tsec->create_sid;
5336 else if (!strcmp(name, "keycreate"))
5337 sid = __tsec->keycreate_sid;
5338 else if (!strcmp(name, "sockcreate"))
5339 sid = __tsec->sockcreate_sid;
5347 error = security_sid_to_context(sid, value, &len);
5357 static int selinux_setprocattr(struct task_struct *p,
5358 char *name, void *value, size_t size)
5360 struct task_security_struct *tsec;
5361 struct task_struct *tracer;
5368 /* SELinux only allows a process to change its own
5369 security attributes. */
5374 * Basic control over ability to set these attributes at all.
5375 * current == p, but we'll pass them separately in case the
5376 * above restriction is ever removed.
5378 if (!strcmp(name, "exec"))
5379 error = current_has_perm(p, PROCESS__SETEXEC);
5380 else if (!strcmp(name, "fscreate"))
5381 error = current_has_perm(p, PROCESS__SETFSCREATE);
5382 else if (!strcmp(name, "keycreate"))
5383 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5384 else if (!strcmp(name, "sockcreate"))
5385 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5386 else if (!strcmp(name, "current"))
5387 error = current_has_perm(p, PROCESS__SETCURRENT);
5393 /* Obtain a SID for the context, if one was specified. */
5394 if (size && str[1] && str[1] != '\n') {
5395 if (str[size-1] == '\n') {
5399 error = security_context_to_sid(value, size, &sid);
5400 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5401 if (!capable(CAP_MAC_ADMIN))
5403 error = security_context_to_sid_force(value, size,
5410 new = prepare_creds();
5414 /* Permission checking based on the specified context is
5415 performed during the actual operation (execve,
5416 open/mkdir/...), when we know the full context of the
5417 operation. See selinux_bprm_set_creds for the execve
5418 checks and may_create for the file creation checks. The
5419 operation will then fail if the context is not permitted. */
5420 tsec = new->security;
5421 if (!strcmp(name, "exec")) {
5422 tsec->exec_sid = sid;
5423 } else if (!strcmp(name, "fscreate")) {
5424 tsec->create_sid = sid;
5425 } else if (!strcmp(name, "keycreate")) {
5426 error = may_create_key(sid, p);
5429 tsec->keycreate_sid = sid;
5430 } else if (!strcmp(name, "sockcreate")) {
5431 tsec->sockcreate_sid = sid;
5432 } else if (!strcmp(name, "current")) {
5437 /* Only allow single threaded processes to change context */
5439 if (!is_single_threaded(p)) {
5440 error = security_bounded_transition(tsec->sid, sid);
5445 /* Check permissions for the transition. */
5446 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5447 PROCESS__DYNTRANSITION, NULL);
5451 /* Check for ptracing, and update the task SID if ok.
5452 Otherwise, leave SID unchanged and fail. */
5455 tracer = tracehook_tracer_task(p);
5457 ptsid = task_sid(tracer);
5461 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5462 PROCESS__PTRACE, NULL);
5481 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5483 return security_sid_to_context(secid, secdata, seclen);
5486 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5488 return security_context_to_sid(secdata, seclen, secid);
5491 static void selinux_release_secctx(char *secdata, u32 seclen)
5498 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5499 unsigned long flags)
5501 const struct task_security_struct *tsec;
5502 struct key_security_struct *ksec;
5504 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5508 tsec = cred->security;
5509 if (tsec->keycreate_sid)
5510 ksec->sid = tsec->keycreate_sid;
5512 ksec->sid = tsec->sid;
5518 static void selinux_key_free(struct key *k)
5520 struct key_security_struct *ksec = k->security;
5526 static int selinux_key_permission(key_ref_t key_ref,
5527 const struct cred *cred,
5531 struct key_security_struct *ksec;
5534 /* if no specific permissions are requested, we skip the
5535 permission check. No serious, additional covert channels
5536 appear to be created. */
5540 sid = cred_sid(cred);
5542 key = key_ref_to_ptr(key_ref);
5543 ksec = key->security;
5545 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5548 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5550 struct key_security_struct *ksec = key->security;
5551 char *context = NULL;
5555 rc = security_sid_to_context(ksec->sid, &context, &len);
5564 static struct security_operations selinux_ops = {
5567 .ptrace_may_access = selinux_ptrace_may_access,
5568 .ptrace_traceme = selinux_ptrace_traceme,
5569 .capget = selinux_capget,
5570 .capset = selinux_capset,
5571 .sysctl = selinux_sysctl,
5572 .capable = selinux_capable,
5573 .quotactl = selinux_quotactl,
5574 .quota_on = selinux_quota_on,
5575 .syslog = selinux_syslog,
5576 .vm_enough_memory = selinux_vm_enough_memory,
5578 .netlink_send = selinux_netlink_send,
5579 .netlink_recv = selinux_netlink_recv,
5581 .bprm_set_creds = selinux_bprm_set_creds,
5582 .bprm_check_security = selinux_bprm_check_security,
5583 .bprm_committing_creds = selinux_bprm_committing_creds,
5584 .bprm_committed_creds = selinux_bprm_committed_creds,
5585 .bprm_secureexec = selinux_bprm_secureexec,
5587 .sb_alloc_security = selinux_sb_alloc_security,
5588 .sb_free_security = selinux_sb_free_security,
5589 .sb_copy_data = selinux_sb_copy_data,
5590 .sb_kern_mount = selinux_sb_kern_mount,
5591 .sb_show_options = selinux_sb_show_options,
5592 .sb_statfs = selinux_sb_statfs,
5593 .sb_mount = selinux_mount,
5594 .sb_umount = selinux_umount,
5595 .sb_set_mnt_opts = selinux_set_mnt_opts,
5596 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5597 .sb_parse_opts_str = selinux_parse_opts_str,
5600 .inode_alloc_security = selinux_inode_alloc_security,
5601 .inode_free_security = selinux_inode_free_security,
5602 .inode_init_security = selinux_inode_init_security,
5603 .inode_create = selinux_inode_create,
5604 .inode_link = selinux_inode_link,
5605 .inode_unlink = selinux_inode_unlink,
5606 .inode_symlink = selinux_inode_symlink,
5607 .inode_mkdir = selinux_inode_mkdir,
5608 .inode_rmdir = selinux_inode_rmdir,
5609 .inode_mknod = selinux_inode_mknod,
5610 .inode_rename = selinux_inode_rename,
5611 .inode_readlink = selinux_inode_readlink,
5612 .inode_follow_link = selinux_inode_follow_link,
5613 .inode_permission = selinux_inode_permission,
5614 .inode_setattr = selinux_inode_setattr,
5615 .inode_getattr = selinux_inode_getattr,
5616 .inode_setxattr = selinux_inode_setxattr,
5617 .inode_post_setxattr = selinux_inode_post_setxattr,
5618 .inode_getxattr = selinux_inode_getxattr,
5619 .inode_listxattr = selinux_inode_listxattr,
5620 .inode_removexattr = selinux_inode_removexattr,
5621 .inode_getsecurity = selinux_inode_getsecurity,
5622 .inode_setsecurity = selinux_inode_setsecurity,
5623 .inode_listsecurity = selinux_inode_listsecurity,
5624 .inode_need_killpriv = selinux_inode_need_killpriv,
5625 .inode_killpriv = selinux_inode_killpriv,
5626 .inode_getsecid = selinux_inode_getsecid,
5628 .file_permission = selinux_file_permission,
5629 .file_alloc_security = selinux_file_alloc_security,
5630 .file_free_security = selinux_file_free_security,
5631 .file_ioctl = selinux_file_ioctl,
5632 .file_mmap = selinux_file_mmap,
5633 .file_mprotect = selinux_file_mprotect,
5634 .file_lock = selinux_file_lock,
5635 .file_fcntl = selinux_file_fcntl,
5636 .file_set_fowner = selinux_file_set_fowner,
5637 .file_send_sigiotask = selinux_file_send_sigiotask,
5638 .file_receive = selinux_file_receive,
5640 .dentry_open = selinux_dentry_open,
5642 .task_create = selinux_task_create,
5643 .cred_free = selinux_cred_free,
5644 .cred_prepare = selinux_cred_prepare,
5645 .cred_commit = selinux_cred_commit,
5646 .kernel_act_as = selinux_kernel_act_as,
5647 .kernel_create_files_as = selinux_kernel_create_files_as,
5648 .task_setuid = selinux_task_setuid,
5649 .task_fix_setuid = selinux_task_fix_setuid,
5650 .task_setgid = selinux_task_setgid,
5651 .task_setpgid = selinux_task_setpgid,
5652 .task_getpgid = selinux_task_getpgid,
5653 .task_getsid = selinux_task_getsid,
5654 .task_getsecid = selinux_task_getsecid,
5655 .task_setgroups = selinux_task_setgroups,
5656 .task_setnice = selinux_task_setnice,
5657 .task_setioprio = selinux_task_setioprio,
5658 .task_getioprio = selinux_task_getioprio,
5659 .task_setrlimit = selinux_task_setrlimit,
5660 .task_setscheduler = selinux_task_setscheduler,
5661 .task_getscheduler = selinux_task_getscheduler,
5662 .task_movememory = selinux_task_movememory,
5663 .task_kill = selinux_task_kill,
5664 .task_wait = selinux_task_wait,
5665 .task_prctl = selinux_task_prctl,
5666 .task_to_inode = selinux_task_to_inode,
5668 .ipc_permission = selinux_ipc_permission,
5669 .ipc_getsecid = selinux_ipc_getsecid,
5671 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5672 .msg_msg_free_security = selinux_msg_msg_free_security,
5674 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5675 .msg_queue_free_security = selinux_msg_queue_free_security,
5676 .msg_queue_associate = selinux_msg_queue_associate,
5677 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5678 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5679 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5681 .shm_alloc_security = selinux_shm_alloc_security,
5682 .shm_free_security = selinux_shm_free_security,
5683 .shm_associate = selinux_shm_associate,
5684 .shm_shmctl = selinux_shm_shmctl,
5685 .shm_shmat = selinux_shm_shmat,
5687 .sem_alloc_security = selinux_sem_alloc_security,
5688 .sem_free_security = selinux_sem_free_security,
5689 .sem_associate = selinux_sem_associate,
5690 .sem_semctl = selinux_sem_semctl,
5691 .sem_semop = selinux_sem_semop,
5693 .d_instantiate = selinux_d_instantiate,
5695 .getprocattr = selinux_getprocattr,
5696 .setprocattr = selinux_setprocattr,
5698 .secid_to_secctx = selinux_secid_to_secctx,
5699 .secctx_to_secid = selinux_secctx_to_secid,
5700 .release_secctx = selinux_release_secctx,
5702 .unix_stream_connect = selinux_socket_unix_stream_connect,
5703 .unix_may_send = selinux_socket_unix_may_send,
5705 .socket_create = selinux_socket_create,
5706 .socket_post_create = selinux_socket_post_create,
5707 .socket_bind = selinux_socket_bind,
5708 .socket_connect = selinux_socket_connect,
5709 .socket_listen = selinux_socket_listen,
5710 .socket_accept = selinux_socket_accept,
5711 .socket_sendmsg = selinux_socket_sendmsg,
5712 .socket_recvmsg = selinux_socket_recvmsg,
5713 .socket_getsockname = selinux_socket_getsockname,
5714 .socket_getpeername = selinux_socket_getpeername,
5715 .socket_getsockopt = selinux_socket_getsockopt,
5716 .socket_setsockopt = selinux_socket_setsockopt,
5717 .socket_shutdown = selinux_socket_shutdown,
5718 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5719 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5720 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5721 .sk_alloc_security = selinux_sk_alloc_security,
5722 .sk_free_security = selinux_sk_free_security,
5723 .sk_clone_security = selinux_sk_clone_security,
5724 .sk_getsecid = selinux_sk_getsecid,
5725 .sock_graft = selinux_sock_graft,
5726 .inet_conn_request = selinux_inet_conn_request,
5727 .inet_csk_clone = selinux_inet_csk_clone,
5728 .inet_conn_established = selinux_inet_conn_established,
5729 .req_classify_flow = selinux_req_classify_flow,
5731 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5732 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5733 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5734 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5735 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5736 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5737 .xfrm_state_free_security = selinux_xfrm_state_free,
5738 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5739 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5740 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5741 .xfrm_decode_session = selinux_xfrm_decode_session,
5745 .key_alloc = selinux_key_alloc,
5746 .key_free = selinux_key_free,
5747 .key_permission = selinux_key_permission,
5748 .key_getsecurity = selinux_key_getsecurity,
5752 .audit_rule_init = selinux_audit_rule_init,
5753 .audit_rule_known = selinux_audit_rule_known,
5754 .audit_rule_match = selinux_audit_rule_match,
5755 .audit_rule_free = selinux_audit_rule_free,
5759 static __init int selinux_init(void)
5761 if (!security_module_enable(&selinux_ops)) {
5762 selinux_enabled = 0;
5766 if (!selinux_enabled) {
5767 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5771 printk(KERN_INFO "SELinux: Initializing.\n");
5773 /* Set the security state for the initial task. */
5774 cred_init_security();
5776 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5777 sizeof(struct inode_security_struct),
5778 0, SLAB_PANIC, NULL);
5781 secondary_ops = security_ops;
5783 panic("SELinux: No initial security operations\n");
5784 if (register_security(&selinux_ops))
5785 panic("SELinux: Unable to register with kernel.\n");
5787 if (selinux_enforcing)
5788 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5790 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5795 void selinux_complete_init(void)
5797 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5799 /* Set up any superblocks initialized prior to the policy load. */
5800 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5801 spin_lock(&sb_lock);
5802 spin_lock(&sb_security_lock);
5804 if (!list_empty(&superblock_security_head)) {
5805 struct superblock_security_struct *sbsec =
5806 list_entry(superblock_security_head.next,
5807 struct superblock_security_struct,
5809 struct super_block *sb = sbsec->sb;
5811 spin_unlock(&sb_security_lock);
5812 spin_unlock(&sb_lock);
5813 down_read(&sb->s_umount);
5815 superblock_doinit(sb, NULL);
5817 spin_lock(&sb_lock);
5818 spin_lock(&sb_security_lock);
5819 list_del_init(&sbsec->list);
5822 spin_unlock(&sb_security_lock);
5823 spin_unlock(&sb_lock);
5826 /* SELinux requires early initialization in order to label
5827 all processes and objects when they are created. */
5828 security_initcall(selinux_init);
5830 #if defined(CONFIG_NETFILTER)
5832 static struct nf_hook_ops selinux_ipv4_ops[] = {
5834 .hook = selinux_ipv4_postroute,
5835 .owner = THIS_MODULE,
5837 .hooknum = NF_INET_POST_ROUTING,
5838 .priority = NF_IP_PRI_SELINUX_LAST,
5841 .hook = selinux_ipv4_forward,
5842 .owner = THIS_MODULE,
5844 .hooknum = NF_INET_FORWARD,
5845 .priority = NF_IP_PRI_SELINUX_FIRST,
5848 .hook = selinux_ipv4_output,
5849 .owner = THIS_MODULE,
5851 .hooknum = NF_INET_LOCAL_OUT,
5852 .priority = NF_IP_PRI_SELINUX_FIRST,
5856 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5858 static struct nf_hook_ops selinux_ipv6_ops[] = {
5860 .hook = selinux_ipv6_postroute,
5861 .owner = THIS_MODULE,
5863 .hooknum = NF_INET_POST_ROUTING,
5864 .priority = NF_IP6_PRI_SELINUX_LAST,
5867 .hook = selinux_ipv6_forward,
5868 .owner = THIS_MODULE,
5870 .hooknum = NF_INET_FORWARD,
5871 .priority = NF_IP6_PRI_SELINUX_FIRST,
5877 static int __init selinux_nf_ip_init(void)
5881 if (!selinux_enabled)
5884 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5886 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5888 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5890 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5891 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5893 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5900 __initcall(selinux_nf_ip_init);
5902 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5903 static void selinux_nf_ip_exit(void)
5905 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5907 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5908 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5909 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5914 #else /* CONFIG_NETFILTER */
5916 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5917 #define selinux_nf_ip_exit()
5920 #endif /* CONFIG_NETFILTER */
5922 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5923 static int selinux_disabled;
5925 int selinux_disable(void)
5927 extern void exit_sel_fs(void);
5929 if (ss_initialized) {
5930 /* Not permitted after initial policy load. */
5934 if (selinux_disabled) {
5935 /* Only do this once. */
5939 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5941 selinux_disabled = 1;
5942 selinux_enabled = 0;
5944 /* Reset security_ops to the secondary module, dummy or capability. */
5945 security_ops = secondary_ops;
5947 /* Unregister netfilter hooks. */
5948 selinux_nf_ip_exit();
5950 /* Unregister selinuxfs. */