2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/fdtable.h>
43 #include <linux/namei.h>
44 #include <linux/mount.h>
45 #include <linux/ext2_fs.h>
46 #include <linux/proc_fs.h>
48 #include <linux/netfilter_ipv4.h>
49 #include <linux/netfilter_ipv6.h>
50 #include <linux/tty.h>
52 #include <net/ip.h> /* for local_port_range[] */
53 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
54 #include <net/net_namespace.h>
55 #include <net/netlabel.h>
56 #include <linux/uaccess.h>
57 #include <asm/ioctls.h>
58 #include <asm/atomic.h>
59 #include <linux/bitops.h>
60 #include <linux/interrupt.h>
61 #include <linux/netdevice.h> /* for network interface checks */
62 #include <linux/netlink.h>
63 #include <linux/tcp.h>
64 #include <linux/udp.h>
65 #include <linux/dccp.h>
66 #include <linux/quota.h>
67 #include <linux/un.h> /* for Unix socket types */
68 #include <net/af_unix.h> /* for Unix socket types */
69 #include <linux/parser.h>
70 #include <linux/nfs_mount.h>
72 #include <linux/hugetlb.h>
73 #include <linux/personality.h>
74 #include <linux/sysctl.h>
75 #include <linux/audit.h>
76 #include <linux/string.h>
77 #include <linux/selinux.h>
78 #include <linux/mutex.h>
89 #define XATTR_SELINUX_SUFFIX "selinux"
90 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
92 #define NUM_SEL_MNT_OPTS 4
94 extern unsigned int policydb_loaded_version;
95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96 extern int selinux_compat_net;
97 extern struct security_operations *security_ops;
99 /* SECMARK reference count */
100 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing;
105 static int __init enforcing_setup(char *str)
107 unsigned long enforcing;
108 if (!strict_strtoul(str, 0, &enforcing))
109 selinux_enforcing = enforcing ? 1 : 0;
112 __setup("enforcing=", enforcing_setup);
115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118 static int __init selinux_enabled_setup(char *str)
120 unsigned long enabled;
121 if (!strict_strtoul(str, 0, &enabled))
122 selinux_enabled = enabled ? 1 : 0;
125 __setup("selinux=", selinux_enabled_setup);
127 int selinux_enabled = 1;
130 /* Original (dummy) security module. */
131 static struct security_operations *original_ops;
133 /* Minimal support for a secondary security module,
134 just to allow the use of the dummy or capability modules.
135 The owlsm module can alternatively be used as a secondary
136 module as long as CONFIG_OWLSM_FD is not enabled. */
137 static struct security_operations *secondary_ops;
139 /* Lists of inode and superblock security structures initialized
140 before the policy was loaded. */
141 static LIST_HEAD(superblock_security_head);
142 static DEFINE_SPINLOCK(sb_security_lock);
144 static struct kmem_cache *sel_inode_cache;
147 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
150 * This function checks the SECMARK reference counter to see if any SECMARK
151 * targets are currently configured, if the reference counter is greater than
152 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
153 * enabled, false (0) if SECMARK is disabled.
156 static int selinux_secmark_enabled(void)
158 return (atomic_read(&selinux_secmark_refcount) > 0);
161 /* Allocate and free functions for each kind of security blob. */
163 static int task_alloc_security(struct task_struct *task)
165 struct task_security_struct *tsec;
167 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
171 tsec->osid = tsec->sid = SECINITSID_UNLABELED;
172 task->security = tsec;
177 static void task_free_security(struct task_struct *task)
179 struct task_security_struct *tsec = task->security;
180 task->security = NULL;
184 static int inode_alloc_security(struct inode *inode)
186 struct task_security_struct *tsec = current->security;
187 struct inode_security_struct *isec;
189 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
193 mutex_init(&isec->lock);
194 INIT_LIST_HEAD(&isec->list);
196 isec->sid = SECINITSID_UNLABELED;
197 isec->sclass = SECCLASS_FILE;
198 isec->task_sid = tsec->sid;
199 inode->i_security = isec;
204 static void inode_free_security(struct inode *inode)
206 struct inode_security_struct *isec = inode->i_security;
207 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
209 spin_lock(&sbsec->isec_lock);
210 if (!list_empty(&isec->list))
211 list_del_init(&isec->list);
212 spin_unlock(&sbsec->isec_lock);
214 inode->i_security = NULL;
215 kmem_cache_free(sel_inode_cache, isec);
218 static int file_alloc_security(struct file *file)
220 struct task_security_struct *tsec = current->security;
221 struct file_security_struct *fsec;
223 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
227 fsec->sid = tsec->sid;
228 fsec->fown_sid = tsec->sid;
229 file->f_security = fsec;
234 static void file_free_security(struct file *file)
236 struct file_security_struct *fsec = file->f_security;
237 file->f_security = NULL;
241 static int superblock_alloc_security(struct super_block *sb)
243 struct superblock_security_struct *sbsec;
245 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
249 mutex_init(&sbsec->lock);
250 INIT_LIST_HEAD(&sbsec->list);
251 INIT_LIST_HEAD(&sbsec->isec_head);
252 spin_lock_init(&sbsec->isec_lock);
254 sbsec->sid = SECINITSID_UNLABELED;
255 sbsec->def_sid = SECINITSID_FILE;
256 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
257 sb->s_security = sbsec;
262 static void superblock_free_security(struct super_block *sb)
264 struct superblock_security_struct *sbsec = sb->s_security;
266 spin_lock(&sb_security_lock);
267 if (!list_empty(&sbsec->list))
268 list_del_init(&sbsec->list);
269 spin_unlock(&sb_security_lock);
271 sb->s_security = NULL;
275 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
277 struct sk_security_struct *ssec;
279 ssec = kzalloc(sizeof(*ssec), priority);
283 ssec->peer_sid = SECINITSID_UNLABELED;
284 ssec->sid = SECINITSID_UNLABELED;
285 sk->sk_security = ssec;
287 selinux_netlbl_sk_security_reset(ssec, family);
292 static void sk_free_security(struct sock *sk)
294 struct sk_security_struct *ssec = sk->sk_security;
296 sk->sk_security = NULL;
300 /* The security server must be initialized before
301 any labeling or access decisions can be provided. */
302 extern int ss_initialized;
304 /* The file system's label must be initialized prior to use. */
306 static char *labeling_behaviors[6] = {
308 "uses transition SIDs",
310 "uses genfs_contexts",
311 "not configured for labeling",
312 "uses mountpoint labeling",
315 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
317 static inline int inode_doinit(struct inode *inode)
319 return inode_doinit_with_dentry(inode, NULL);
330 static match_table_t tokens = {
331 {Opt_context, CONTEXT_STR "%s"},
332 {Opt_fscontext, FSCONTEXT_STR "%s"},
333 {Opt_defcontext, DEFCONTEXT_STR "%s"},
334 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
338 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
340 static int may_context_mount_sb_relabel(u32 sid,
341 struct superblock_security_struct *sbsec,
342 struct task_security_struct *tsec)
346 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
347 FILESYSTEM__RELABELFROM, NULL);
351 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
352 FILESYSTEM__RELABELTO, NULL);
356 static int may_context_mount_inode_relabel(u32 sid,
357 struct superblock_security_struct *sbsec,
358 struct task_security_struct *tsec)
361 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
362 FILESYSTEM__RELABELFROM, NULL);
366 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
367 FILESYSTEM__ASSOCIATE, NULL);
371 static int sb_finish_set_opts(struct super_block *sb)
373 struct superblock_security_struct *sbsec = sb->s_security;
374 struct dentry *root = sb->s_root;
375 struct inode *root_inode = root->d_inode;
378 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
379 /* Make sure that the xattr handler exists and that no
380 error other than -ENODATA is returned by getxattr on
381 the root directory. -ENODATA is ok, as this may be
382 the first boot of the SELinux kernel before we have
383 assigned xattr values to the filesystem. */
384 if (!root_inode->i_op->getxattr) {
385 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
386 "xattr support\n", sb->s_id, sb->s_type->name);
390 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
391 if (rc < 0 && rc != -ENODATA) {
392 if (rc == -EOPNOTSUPP)
393 printk(KERN_WARNING "SELinux: (dev %s, type "
394 "%s) has no security xattr handler\n",
395 sb->s_id, sb->s_type->name);
397 printk(KERN_WARNING "SELinux: (dev %s, type "
398 "%s) getxattr errno %d\n", sb->s_id,
399 sb->s_type->name, -rc);
404 sbsec->initialized = 1;
406 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
407 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
408 sb->s_id, sb->s_type->name);
410 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
411 sb->s_id, sb->s_type->name,
412 labeling_behaviors[sbsec->behavior-1]);
414 /* Initialize the root inode. */
415 rc = inode_doinit_with_dentry(root_inode, root);
417 /* Initialize any other inodes associated with the superblock, e.g.
418 inodes created prior to initial policy load or inodes created
419 during get_sb by a pseudo filesystem that directly
421 spin_lock(&sbsec->isec_lock);
423 if (!list_empty(&sbsec->isec_head)) {
424 struct inode_security_struct *isec =
425 list_entry(sbsec->isec_head.next,
426 struct inode_security_struct, list);
427 struct inode *inode = isec->inode;
428 spin_unlock(&sbsec->isec_lock);
429 inode = igrab(inode);
431 if (!IS_PRIVATE(inode))
435 spin_lock(&sbsec->isec_lock);
436 list_del_init(&isec->list);
439 spin_unlock(&sbsec->isec_lock);
445 * This function should allow an FS to ask what it's mount security
446 * options were so it can use those later for submounts, displaying
447 * mount options, or whatever.
449 static int selinux_get_mnt_opts(const struct super_block *sb,
450 struct security_mnt_opts *opts)
453 struct superblock_security_struct *sbsec = sb->s_security;
454 char *context = NULL;
458 security_init_mnt_opts(opts);
460 if (!sbsec->initialized)
467 * if we ever use sbsec flags for anything other than tracking mount
468 * settings this is going to need a mask
471 /* count the number of mount options for this sb */
472 for (i = 0; i < 8; i++) {
474 opts->num_mnt_opts++;
478 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
479 if (!opts->mnt_opts) {
484 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
485 if (!opts->mnt_opts_flags) {
491 if (sbsec->flags & FSCONTEXT_MNT) {
492 rc = security_sid_to_context(sbsec->sid, &context, &len);
495 opts->mnt_opts[i] = context;
496 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
498 if (sbsec->flags & CONTEXT_MNT) {
499 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
502 opts->mnt_opts[i] = context;
503 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
505 if (sbsec->flags & DEFCONTEXT_MNT) {
506 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
509 opts->mnt_opts[i] = context;
510 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
512 if (sbsec->flags & ROOTCONTEXT_MNT) {
513 struct inode *root = sbsec->sb->s_root->d_inode;
514 struct inode_security_struct *isec = root->i_security;
516 rc = security_sid_to_context(isec->sid, &context, &len);
519 opts->mnt_opts[i] = context;
520 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
523 BUG_ON(i != opts->num_mnt_opts);
528 security_free_mnt_opts(opts);
532 static int bad_option(struct superblock_security_struct *sbsec, char flag,
533 u32 old_sid, u32 new_sid)
535 /* check if the old mount command had the same options */
536 if (sbsec->initialized)
537 if (!(sbsec->flags & flag) ||
538 (old_sid != new_sid))
541 /* check if we were passed the same options twice,
542 * aka someone passed context=a,context=b
544 if (!sbsec->initialized)
545 if (sbsec->flags & flag)
551 * Allow filesystems with binary mount data to explicitly set mount point
552 * labeling information.
554 static int selinux_set_mnt_opts(struct super_block *sb,
555 struct security_mnt_opts *opts)
558 struct task_security_struct *tsec = current->security;
559 struct superblock_security_struct *sbsec = sb->s_security;
560 const char *name = sb->s_type->name;
561 struct inode *inode = sbsec->sb->s_root->d_inode;
562 struct inode_security_struct *root_isec = inode->i_security;
563 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
564 u32 defcontext_sid = 0;
565 char **mount_options = opts->mnt_opts;
566 int *flags = opts->mnt_opts_flags;
567 int num_opts = opts->num_mnt_opts;
569 mutex_lock(&sbsec->lock);
571 if (!ss_initialized) {
573 /* Defer initialization until selinux_complete_init,
574 after the initial policy is loaded and the security
575 server is ready to handle calls. */
576 spin_lock(&sb_security_lock);
577 if (list_empty(&sbsec->list))
578 list_add(&sbsec->list, &superblock_security_head);
579 spin_unlock(&sb_security_lock);
583 printk(KERN_WARNING "SELinux: Unable to set superblock options "
584 "before the security server is initialized\n");
589 * Binary mount data FS will come through this function twice. Once
590 * from an explicit call and once from the generic calls from the vfs.
591 * Since the generic VFS calls will not contain any security mount data
592 * we need to skip the double mount verification.
594 * This does open a hole in which we will not notice if the first
595 * mount using this sb set explict options and a second mount using
596 * this sb does not set any security options. (The first options
597 * will be used for both mounts)
599 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
604 * parse the mount options, check if they are valid sids.
605 * also check if someone is trying to mount the same sb more
606 * than once with different security options.
608 for (i = 0; i < num_opts; i++) {
610 rc = security_context_to_sid(mount_options[i],
611 strlen(mount_options[i]), &sid);
613 printk(KERN_WARNING "SELinux: security_context_to_sid"
614 "(%s) failed for (dev %s, type %s) errno=%d\n",
615 mount_options[i], sb->s_id, name, rc);
622 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
624 goto out_double_mount;
626 sbsec->flags |= FSCONTEXT_MNT;
631 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
633 goto out_double_mount;
635 sbsec->flags |= CONTEXT_MNT;
637 case ROOTCONTEXT_MNT:
638 rootcontext_sid = sid;
640 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
642 goto out_double_mount;
644 sbsec->flags |= ROOTCONTEXT_MNT;
648 defcontext_sid = sid;
650 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
652 goto out_double_mount;
654 sbsec->flags |= DEFCONTEXT_MNT;
663 if (sbsec->initialized) {
664 /* previously mounted with options, but not on this attempt? */
665 if (sbsec->flags && !num_opts)
666 goto out_double_mount;
671 if (strcmp(sb->s_type->name, "proc") == 0)
674 /* Determine the labeling behavior to use for this filesystem type. */
675 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
677 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
678 __func__, sb->s_type->name, rc);
682 /* sets the context of the superblock for the fs being mounted. */
685 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
689 sbsec->sid = fscontext_sid;
693 * Switch to using mount point labeling behavior.
694 * sets the label used on all file below the mountpoint, and will set
695 * the superblock context if not already set.
698 if (!fscontext_sid) {
699 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
702 sbsec->sid = context_sid;
704 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
708 if (!rootcontext_sid)
709 rootcontext_sid = context_sid;
711 sbsec->mntpoint_sid = context_sid;
712 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
715 if (rootcontext_sid) {
716 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
720 root_isec->sid = rootcontext_sid;
721 root_isec->initialized = 1;
724 if (defcontext_sid) {
725 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
727 printk(KERN_WARNING "SELinux: defcontext option is "
728 "invalid for this filesystem type\n");
732 if (defcontext_sid != sbsec->def_sid) {
733 rc = may_context_mount_inode_relabel(defcontext_sid,
739 sbsec->def_sid = defcontext_sid;
742 rc = sb_finish_set_opts(sb);
744 mutex_unlock(&sbsec->lock);
748 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
749 "security settings for (dev %s, type %s)\n", sb->s_id, name);
753 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
754 struct super_block *newsb)
756 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
757 struct superblock_security_struct *newsbsec = newsb->s_security;
759 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
760 int set_context = (oldsbsec->flags & CONTEXT_MNT);
761 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
764 * if the parent was able to be mounted it clearly had no special lsm
765 * mount options. thus we can safely put this sb on the list and deal
768 if (!ss_initialized) {
769 spin_lock(&sb_security_lock);
770 if (list_empty(&newsbsec->list))
771 list_add(&newsbsec->list, &superblock_security_head);
772 spin_unlock(&sb_security_lock);
776 /* how can we clone if the old one wasn't set up?? */
777 BUG_ON(!oldsbsec->initialized);
779 /* if fs is reusing a sb, just let its options stand... */
780 if (newsbsec->initialized)
783 mutex_lock(&newsbsec->lock);
785 newsbsec->flags = oldsbsec->flags;
787 newsbsec->sid = oldsbsec->sid;
788 newsbsec->def_sid = oldsbsec->def_sid;
789 newsbsec->behavior = oldsbsec->behavior;
792 u32 sid = oldsbsec->mntpoint_sid;
796 if (!set_rootcontext) {
797 struct inode *newinode = newsb->s_root->d_inode;
798 struct inode_security_struct *newisec = newinode->i_security;
801 newsbsec->mntpoint_sid = sid;
803 if (set_rootcontext) {
804 const struct inode *oldinode = oldsb->s_root->d_inode;
805 const struct inode_security_struct *oldisec = oldinode->i_security;
806 struct inode *newinode = newsb->s_root->d_inode;
807 struct inode_security_struct *newisec = newinode->i_security;
809 newisec->sid = oldisec->sid;
812 sb_finish_set_opts(newsb);
813 mutex_unlock(&newsbsec->lock);
816 static int selinux_parse_opts_str(char *options,
817 struct security_mnt_opts *opts)
820 char *context = NULL, *defcontext = NULL;
821 char *fscontext = NULL, *rootcontext = NULL;
822 int rc, num_mnt_opts = 0;
824 opts->num_mnt_opts = 0;
826 /* Standard string-based options. */
827 while ((p = strsep(&options, "|")) != NULL) {
829 substring_t args[MAX_OPT_ARGS];
834 token = match_token(p, tokens, args);
838 if (context || defcontext) {
840 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
843 context = match_strdup(&args[0]);
853 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
856 fscontext = match_strdup(&args[0]);
863 case Opt_rootcontext:
866 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
869 rootcontext = match_strdup(&args[0]);
877 if (context || defcontext) {
879 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
882 defcontext = match_strdup(&args[0]);
891 printk(KERN_WARNING "SELinux: unknown mount option\n");
898 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
902 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
903 if (!opts->mnt_opts_flags) {
904 kfree(opts->mnt_opts);
909 opts->mnt_opts[num_mnt_opts] = fscontext;
910 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
913 opts->mnt_opts[num_mnt_opts] = context;
914 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
917 opts->mnt_opts[num_mnt_opts] = rootcontext;
918 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
921 opts->mnt_opts[num_mnt_opts] = defcontext;
922 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
925 opts->num_mnt_opts = num_mnt_opts;
936 * string mount options parsing and call set the sbsec
938 static int superblock_doinit(struct super_block *sb, void *data)
941 char *options = data;
942 struct security_mnt_opts opts;
944 security_init_mnt_opts(&opts);
949 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
951 rc = selinux_parse_opts_str(options, &opts);
956 rc = selinux_set_mnt_opts(sb, &opts);
959 security_free_mnt_opts(&opts);
963 static inline u16 inode_mode_to_security_class(umode_t mode)
965 switch (mode & S_IFMT) {
967 return SECCLASS_SOCK_FILE;
969 return SECCLASS_LNK_FILE;
971 return SECCLASS_FILE;
973 return SECCLASS_BLK_FILE;
977 return SECCLASS_CHR_FILE;
979 return SECCLASS_FIFO_FILE;
983 return SECCLASS_FILE;
986 static inline int default_protocol_stream(int protocol)
988 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
991 static inline int default_protocol_dgram(int protocol)
993 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
996 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1002 case SOCK_SEQPACKET:
1003 return SECCLASS_UNIX_STREAM_SOCKET;
1005 return SECCLASS_UNIX_DGRAM_SOCKET;
1012 if (default_protocol_stream(protocol))
1013 return SECCLASS_TCP_SOCKET;
1015 return SECCLASS_RAWIP_SOCKET;
1017 if (default_protocol_dgram(protocol))
1018 return SECCLASS_UDP_SOCKET;
1020 return SECCLASS_RAWIP_SOCKET;
1022 return SECCLASS_DCCP_SOCKET;
1024 return SECCLASS_RAWIP_SOCKET;
1030 return SECCLASS_NETLINK_ROUTE_SOCKET;
1031 case NETLINK_FIREWALL:
1032 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1033 case NETLINK_INET_DIAG:
1034 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1036 return SECCLASS_NETLINK_NFLOG_SOCKET;
1038 return SECCLASS_NETLINK_XFRM_SOCKET;
1039 case NETLINK_SELINUX:
1040 return SECCLASS_NETLINK_SELINUX_SOCKET;
1042 return SECCLASS_NETLINK_AUDIT_SOCKET;
1043 case NETLINK_IP6_FW:
1044 return SECCLASS_NETLINK_IP6FW_SOCKET;
1045 case NETLINK_DNRTMSG:
1046 return SECCLASS_NETLINK_DNRT_SOCKET;
1047 case NETLINK_KOBJECT_UEVENT:
1048 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1050 return SECCLASS_NETLINK_SOCKET;
1053 return SECCLASS_PACKET_SOCKET;
1055 return SECCLASS_KEY_SOCKET;
1057 return SECCLASS_APPLETALK_SOCKET;
1060 return SECCLASS_SOCKET;
1063 #ifdef CONFIG_PROC_FS
1064 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1069 char *buffer, *path, *end;
1071 buffer = (char *)__get_free_page(GFP_KERNEL);
1076 end = buffer+buflen;
1081 while (de && de != de->parent) {
1082 buflen -= de->namelen + 1;
1086 memcpy(end, de->name, de->namelen);
1091 rc = security_genfs_sid("proc", path, tclass, sid);
1092 free_page((unsigned long)buffer);
1096 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1104 /* The inode's security attributes must be initialized before first use. */
1105 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1107 struct superblock_security_struct *sbsec = NULL;
1108 struct inode_security_struct *isec = inode->i_security;
1110 struct dentry *dentry;
1111 #define INITCONTEXTLEN 255
1112 char *context = NULL;
1116 if (isec->initialized)
1119 mutex_lock(&isec->lock);
1120 if (isec->initialized)
1123 sbsec = inode->i_sb->s_security;
1124 if (!sbsec->initialized) {
1125 /* Defer initialization until selinux_complete_init,
1126 after the initial policy is loaded and the security
1127 server is ready to handle calls. */
1128 spin_lock(&sbsec->isec_lock);
1129 if (list_empty(&isec->list))
1130 list_add(&isec->list, &sbsec->isec_head);
1131 spin_unlock(&sbsec->isec_lock);
1135 switch (sbsec->behavior) {
1136 case SECURITY_FS_USE_XATTR:
1137 if (!inode->i_op->getxattr) {
1138 isec->sid = sbsec->def_sid;
1142 /* Need a dentry, since the xattr API requires one.
1143 Life would be simpler if we could just pass the inode. */
1145 /* Called from d_instantiate or d_splice_alias. */
1146 dentry = dget(opt_dentry);
1148 /* Called from selinux_complete_init, try to find a dentry. */
1149 dentry = d_find_alias(inode);
1152 printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
1153 "ino=%ld\n", __func__, inode->i_sb->s_id,
1158 len = INITCONTEXTLEN;
1159 context = kmalloc(len, GFP_NOFS);
1165 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1167 if (rc == -ERANGE) {
1168 /* Need a larger buffer. Query for the right size. */
1169 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1177 context = kmalloc(len, GFP_NOFS);
1183 rc = inode->i_op->getxattr(dentry,
1189 if (rc != -ENODATA) {
1190 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1191 "%d for dev=%s ino=%ld\n", __func__,
1192 -rc, inode->i_sb->s_id, inode->i_ino);
1196 /* Map ENODATA to the default file SID */
1197 sid = sbsec->def_sid;
1200 rc = security_context_to_sid_default(context, rc, &sid,
1204 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1205 "returned %d for dev=%s ino=%ld\n",
1206 __func__, context, -rc,
1207 inode->i_sb->s_id, inode->i_ino);
1209 /* Leave with the unlabeled SID */
1217 case SECURITY_FS_USE_TASK:
1218 isec->sid = isec->task_sid;
1220 case SECURITY_FS_USE_TRANS:
1221 /* Default to the fs SID. */
1222 isec->sid = sbsec->sid;
1224 /* Try to obtain a transition SID. */
1225 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1226 rc = security_transition_sid(isec->task_sid,
1234 case SECURITY_FS_USE_MNTPOINT:
1235 isec->sid = sbsec->mntpoint_sid;
1238 /* Default to the fs superblock SID. */
1239 isec->sid = sbsec->sid;
1242 struct proc_inode *proci = PROC_I(inode);
1244 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1245 rc = selinux_proc_get_sid(proci->pde,
1256 isec->initialized = 1;
1259 mutex_unlock(&isec->lock);
1261 if (isec->sclass == SECCLASS_FILE)
1262 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1266 /* Convert a Linux signal to an access vector. */
1267 static inline u32 signal_to_av(int sig)
1273 /* Commonly granted from child to parent. */
1274 perm = PROCESS__SIGCHLD;
1277 /* Cannot be caught or ignored */
1278 perm = PROCESS__SIGKILL;
1281 /* Cannot be caught or ignored */
1282 perm = PROCESS__SIGSTOP;
1285 /* All other signals. */
1286 perm = PROCESS__SIGNAL;
1293 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1294 fork check, ptrace check, etc. */
1295 static int task_has_perm(struct task_struct *tsk1,
1296 struct task_struct *tsk2,
1299 struct task_security_struct *tsec1, *tsec2;
1301 tsec1 = tsk1->security;
1302 tsec2 = tsk2->security;
1303 return avc_has_perm(tsec1->sid, tsec2->sid,
1304 SECCLASS_PROCESS, perms, NULL);
1307 #if CAP_LAST_CAP > 63
1308 #error Fix SELinux to handle capabilities > 63.
1311 /* Check whether a task is allowed to use a capability. */
1312 static int task_has_capability(struct task_struct *tsk,
1315 struct task_security_struct *tsec;
1316 struct avc_audit_data ad;
1318 u32 av = CAP_TO_MASK(cap);
1320 tsec = tsk->security;
1322 AVC_AUDIT_DATA_INIT(&ad, CAP);
1326 switch (CAP_TO_INDEX(cap)) {
1328 sclass = SECCLASS_CAPABILITY;
1331 sclass = SECCLASS_CAPABILITY2;
1335 "SELinux: out of range capability %d\n", cap);
1338 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1341 /* Check whether a task is allowed to use a system operation. */
1342 static int task_has_system(struct task_struct *tsk,
1345 struct task_security_struct *tsec;
1347 tsec = tsk->security;
1349 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1350 SECCLASS_SYSTEM, perms, NULL);
1353 /* Check whether a task has a particular permission to an inode.
1354 The 'adp' parameter is optional and allows other audit
1355 data to be passed (e.g. the dentry). */
1356 static int inode_has_perm(struct task_struct *tsk,
1357 struct inode *inode,
1359 struct avc_audit_data *adp)
1361 struct task_security_struct *tsec;
1362 struct inode_security_struct *isec;
1363 struct avc_audit_data ad;
1365 if (unlikely(IS_PRIVATE(inode)))
1368 tsec = tsk->security;
1369 isec = inode->i_security;
1373 AVC_AUDIT_DATA_INIT(&ad, FS);
1374 ad.u.fs.inode = inode;
1377 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1380 /* Same as inode_has_perm, but pass explicit audit data containing
1381 the dentry to help the auditing code to more easily generate the
1382 pathname if needed. */
1383 static inline int dentry_has_perm(struct task_struct *tsk,
1384 struct vfsmount *mnt,
1385 struct dentry *dentry,
1388 struct inode *inode = dentry->d_inode;
1389 struct avc_audit_data ad;
1390 AVC_AUDIT_DATA_INIT(&ad, FS);
1391 ad.u.fs.path.mnt = mnt;
1392 ad.u.fs.path.dentry = dentry;
1393 return inode_has_perm(tsk, inode, av, &ad);
1396 /* Check whether a task can use an open file descriptor to
1397 access an inode in a given way. Check access to the
1398 descriptor itself, and then use dentry_has_perm to
1399 check a particular permission to the file.
1400 Access to the descriptor is implicitly granted if it
1401 has the same SID as the process. If av is zero, then
1402 access to the file is not checked, e.g. for cases
1403 where only the descriptor is affected like seek. */
1404 static int file_has_perm(struct task_struct *tsk,
1408 struct task_security_struct *tsec = tsk->security;
1409 struct file_security_struct *fsec = file->f_security;
1410 struct inode *inode = file->f_path.dentry->d_inode;
1411 struct avc_audit_data ad;
1414 AVC_AUDIT_DATA_INIT(&ad, FS);
1415 ad.u.fs.path = file->f_path;
1417 if (tsec->sid != fsec->sid) {
1418 rc = avc_has_perm(tsec->sid, fsec->sid,
1426 /* av is zero if only checking access to the descriptor. */
1428 return inode_has_perm(tsk, inode, av, &ad);
1433 /* Check whether a task can create a file. */
1434 static int may_create(struct inode *dir,
1435 struct dentry *dentry,
1438 struct task_security_struct *tsec;
1439 struct inode_security_struct *dsec;
1440 struct superblock_security_struct *sbsec;
1442 struct avc_audit_data ad;
1445 tsec = current->security;
1446 dsec = dir->i_security;
1447 sbsec = dir->i_sb->s_security;
1449 AVC_AUDIT_DATA_INIT(&ad, FS);
1450 ad.u.fs.path.dentry = dentry;
1452 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1453 DIR__ADD_NAME | DIR__SEARCH,
1458 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1459 newsid = tsec->create_sid;
1461 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1467 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1471 return avc_has_perm(newsid, sbsec->sid,
1472 SECCLASS_FILESYSTEM,
1473 FILESYSTEM__ASSOCIATE, &ad);
1476 /* Check whether a task can create a key. */
1477 static int may_create_key(u32 ksid,
1478 struct task_struct *ctx)
1480 struct task_security_struct *tsec;
1482 tsec = ctx->security;
1484 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1488 #define MAY_UNLINK 1
1491 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1492 static int may_link(struct inode *dir,
1493 struct dentry *dentry,
1497 struct task_security_struct *tsec;
1498 struct inode_security_struct *dsec, *isec;
1499 struct avc_audit_data ad;
1503 tsec = current->security;
1504 dsec = dir->i_security;
1505 isec = dentry->d_inode->i_security;
1507 AVC_AUDIT_DATA_INIT(&ad, FS);
1508 ad.u.fs.path.dentry = dentry;
1511 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1512 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1527 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1532 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1536 static inline int may_rename(struct inode *old_dir,
1537 struct dentry *old_dentry,
1538 struct inode *new_dir,
1539 struct dentry *new_dentry)
1541 struct task_security_struct *tsec;
1542 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1543 struct avc_audit_data ad;
1545 int old_is_dir, new_is_dir;
1548 tsec = current->security;
1549 old_dsec = old_dir->i_security;
1550 old_isec = old_dentry->d_inode->i_security;
1551 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1552 new_dsec = new_dir->i_security;
1554 AVC_AUDIT_DATA_INIT(&ad, FS);
1556 ad.u.fs.path.dentry = old_dentry;
1557 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1558 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1561 rc = avc_has_perm(tsec->sid, old_isec->sid,
1562 old_isec->sclass, FILE__RENAME, &ad);
1565 if (old_is_dir && new_dir != old_dir) {
1566 rc = avc_has_perm(tsec->sid, old_isec->sid,
1567 old_isec->sclass, DIR__REPARENT, &ad);
1572 ad.u.fs.path.dentry = new_dentry;
1573 av = DIR__ADD_NAME | DIR__SEARCH;
1574 if (new_dentry->d_inode)
1575 av |= DIR__REMOVE_NAME;
1576 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1579 if (new_dentry->d_inode) {
1580 new_isec = new_dentry->d_inode->i_security;
1581 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1582 rc = avc_has_perm(tsec->sid, new_isec->sid,
1584 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1592 /* Check whether a task can perform a filesystem operation. */
1593 static int superblock_has_perm(struct task_struct *tsk,
1594 struct super_block *sb,
1596 struct avc_audit_data *ad)
1598 struct task_security_struct *tsec;
1599 struct superblock_security_struct *sbsec;
1601 tsec = tsk->security;
1602 sbsec = sb->s_security;
1603 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1607 /* Convert a Linux mode and permission mask to an access vector. */
1608 static inline u32 file_mask_to_av(int mode, int mask)
1612 if ((mode & S_IFMT) != S_IFDIR) {
1613 if (mask & MAY_EXEC)
1614 av |= FILE__EXECUTE;
1615 if (mask & MAY_READ)
1618 if (mask & MAY_APPEND)
1620 else if (mask & MAY_WRITE)
1624 if (mask & MAY_EXEC)
1626 if (mask & MAY_WRITE)
1628 if (mask & MAY_READ)
1636 * Convert a file mask to an access vector and include the correct open
1639 static inline u32 open_file_mask_to_av(int mode, int mask)
1641 u32 av = file_mask_to_av(mode, mask);
1643 if (selinux_policycap_openperm) {
1645 * lnk files and socks do not really have an 'open'
1649 else if (S_ISCHR(mode))
1650 av |= CHR_FILE__OPEN;
1651 else if (S_ISBLK(mode))
1652 av |= BLK_FILE__OPEN;
1653 else if (S_ISFIFO(mode))
1654 av |= FIFO_FILE__OPEN;
1655 else if (S_ISDIR(mode))
1658 printk(KERN_ERR "SELinux: WARNING: inside %s with "
1659 "unknown mode:%x\n", __func__, mode);
1664 /* Convert a Linux file to an access vector. */
1665 static inline u32 file_to_av(struct file *file)
1669 if (file->f_mode & FMODE_READ)
1671 if (file->f_mode & FMODE_WRITE) {
1672 if (file->f_flags & O_APPEND)
1679 * Special file opened with flags 3 for ioctl-only use.
1687 /* Hook functions begin here. */
1689 static int selinux_ptrace(struct task_struct *parent,
1690 struct task_struct *child,
1695 rc = secondary_ops->ptrace(parent, child, mode);
1699 if (mode == PTRACE_MODE_READ) {
1700 struct task_security_struct *tsec = parent->security;
1701 struct task_security_struct *csec = child->security;
1702 return avc_has_perm(tsec->sid, csec->sid,
1703 SECCLASS_FILE, FILE__READ, NULL);
1706 return task_has_perm(parent, child, PROCESS__PTRACE);
1709 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1710 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1714 error = task_has_perm(current, target, PROCESS__GETCAP);
1718 return secondary_ops->capget(target, effective, inheritable, permitted);
1721 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1722 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1726 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1730 return task_has_perm(current, target, PROCESS__SETCAP);
1733 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1734 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1736 secondary_ops->capset_set(target, effective, inheritable, permitted);
1739 static int selinux_capable(struct task_struct *tsk, int cap)
1743 rc = secondary_ops->capable(tsk, cap);
1747 return task_has_capability(tsk, cap);
1750 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1753 char *buffer, *path, *end;
1756 buffer = (char *)__get_free_page(GFP_KERNEL);
1761 end = buffer+buflen;
1767 const char *name = table->procname;
1768 size_t namelen = strlen(name);
1769 buflen -= namelen + 1;
1773 memcpy(end, name, namelen);
1776 table = table->parent;
1782 memcpy(end, "/sys", 4);
1784 rc = security_genfs_sid("proc", path, tclass, sid);
1786 free_page((unsigned long)buffer);
1791 static int selinux_sysctl(ctl_table *table, int op)
1795 struct task_security_struct *tsec;
1799 rc = secondary_ops->sysctl(table, op);
1803 tsec = current->security;
1805 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1806 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1808 /* Default to the well-defined sysctl SID. */
1809 tsid = SECINITSID_SYSCTL;
1812 /* The op values are "defined" in sysctl.c, thereby creating
1813 * a bad coupling between this module and sysctl.c */
1815 error = avc_has_perm(tsec->sid, tsid,
1816 SECCLASS_DIR, DIR__SEARCH, NULL);
1824 error = avc_has_perm(tsec->sid, tsid,
1825 SECCLASS_FILE, av, NULL);
1831 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1844 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1850 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1854 rc = 0; /* let the kernel handle invalid cmds */
1860 static int selinux_quota_on(struct dentry *dentry)
1862 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1865 static int selinux_syslog(int type)
1869 rc = secondary_ops->syslog(type);
1874 case 3: /* Read last kernel messages */
1875 case 10: /* Return size of the log buffer */
1876 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1878 case 6: /* Disable logging to console */
1879 case 7: /* Enable logging to console */
1880 case 8: /* Set level of messages printed to console */
1881 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1883 case 0: /* Close log */
1884 case 1: /* Open log */
1885 case 2: /* Read from log */
1886 case 4: /* Read/clear last kernel messages */
1887 case 5: /* Clear ring buffer */
1889 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1896 * Check that a process has enough memory to allocate a new virtual
1897 * mapping. 0 means there is enough memory for the allocation to
1898 * succeed and -ENOMEM implies there is not.
1900 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1901 * if the capability is granted, but __vm_enough_memory requires 1 if
1902 * the capability is granted.
1904 * Do not audit the selinux permission check, as this is applied to all
1905 * processes that allocate mappings.
1907 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1909 int rc, cap_sys_admin = 0;
1910 struct task_security_struct *tsec = current->security;
1912 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1914 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1915 SECCLASS_CAPABILITY,
1916 CAP_TO_MASK(CAP_SYS_ADMIN),
1923 return __vm_enough_memory(mm, pages, cap_sys_admin);
1927 * task_tracer_task - return the task that is tracing the given task
1928 * @task: task to consider
1930 * Returns NULL if noone is tracing @task, or the &struct task_struct
1931 * pointer to its tracer.
1933 * Must be called under rcu_read_lock().
1935 static struct task_struct *task_tracer_task(struct task_struct *task)
1937 if (task->ptrace & PT_PTRACED)
1938 return rcu_dereference(task->parent);
1942 /* binprm security operations */
1944 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1946 struct bprm_security_struct *bsec;
1948 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1952 bsec->sid = SECINITSID_UNLABELED;
1955 bprm->security = bsec;
1959 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1961 struct task_security_struct *tsec;
1962 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1963 struct inode_security_struct *isec;
1964 struct bprm_security_struct *bsec;
1966 struct avc_audit_data ad;
1969 rc = secondary_ops->bprm_set_security(bprm);
1973 bsec = bprm->security;
1978 tsec = current->security;
1979 isec = inode->i_security;
1981 /* Default to the current task SID. */
1982 bsec->sid = tsec->sid;
1984 /* Reset fs, key, and sock SIDs on execve. */
1985 tsec->create_sid = 0;
1986 tsec->keycreate_sid = 0;
1987 tsec->sockcreate_sid = 0;
1989 if (tsec->exec_sid) {
1990 newsid = tsec->exec_sid;
1991 /* Reset exec SID on execve. */
1994 /* Check for a default transition on this program. */
1995 rc = security_transition_sid(tsec->sid, isec->sid,
1996 SECCLASS_PROCESS, &newsid);
2001 AVC_AUDIT_DATA_INIT(&ad, FS);
2002 ad.u.fs.path = bprm->file->f_path;
2004 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2007 if (tsec->sid == newsid) {
2008 rc = avc_has_perm(tsec->sid, isec->sid,
2009 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2013 /* Check permissions for the transition. */
2014 rc = avc_has_perm(tsec->sid, newsid,
2015 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2019 rc = avc_has_perm(newsid, isec->sid,
2020 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2024 /* Clear any possibly unsafe personality bits on exec: */
2025 current->personality &= ~PER_CLEAR_ON_SETID;
2027 /* Set the security field to the new SID. */
2035 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2037 return secondary_ops->bprm_check_security(bprm);
2041 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2043 struct task_security_struct *tsec = current->security;
2046 if (tsec->osid != tsec->sid) {
2047 /* Enable secure mode for SIDs transitions unless
2048 the noatsecure permission is granted between
2049 the two SIDs, i.e. ahp returns 0. */
2050 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2052 PROCESS__NOATSECURE, NULL);
2055 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2058 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2060 kfree(bprm->security);
2061 bprm->security = NULL;
2064 extern struct vfsmount *selinuxfs_mount;
2065 extern struct dentry *selinux_null;
2067 /* Derived from fs/exec.c:flush_old_files. */
2068 static inline void flush_unauthorized_files(struct files_struct *files)
2070 struct avc_audit_data ad;
2071 struct file *file, *devnull = NULL;
2072 struct tty_struct *tty;
2073 struct fdtable *fdt;
2077 mutex_lock(&tty_mutex);
2078 tty = get_current_tty();
2081 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2083 /* Revalidate access to controlling tty.
2084 Use inode_has_perm on the tty inode directly rather
2085 than using file_has_perm, as this particular open
2086 file may belong to another process and we are only
2087 interested in the inode-based check here. */
2088 struct inode *inode = file->f_path.dentry->d_inode;
2089 if (inode_has_perm(current, inode,
2090 FILE__READ | FILE__WRITE, NULL)) {
2096 mutex_unlock(&tty_mutex);
2097 /* Reset controlling tty. */
2101 /* Revalidate access to inherited open files. */
2103 AVC_AUDIT_DATA_INIT(&ad, FS);
2105 spin_lock(&files->file_lock);
2107 unsigned long set, i;
2112 fdt = files_fdtable(files);
2113 if (i >= fdt->max_fds)
2115 set = fdt->open_fds->fds_bits[j];
2118 spin_unlock(&files->file_lock);
2119 for ( ; set ; i++, set >>= 1) {
2124 if (file_has_perm(current,
2126 file_to_av(file))) {
2128 fd = get_unused_fd();
2138 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2139 if (IS_ERR(devnull)) {
2146 fd_install(fd, devnull);
2151 spin_lock(&files->file_lock);
2154 spin_unlock(&files->file_lock);
2157 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2159 struct task_security_struct *tsec;
2160 struct bprm_security_struct *bsec;
2164 secondary_ops->bprm_apply_creds(bprm, unsafe);
2166 tsec = current->security;
2168 bsec = bprm->security;
2171 tsec->osid = tsec->sid;
2173 if (tsec->sid != sid) {
2174 /* Check for shared state. If not ok, leave SID
2175 unchanged and kill. */
2176 if (unsafe & LSM_UNSAFE_SHARE) {
2177 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2178 PROCESS__SHARE, NULL);
2185 /* Check for ptracing, and update the task SID if ok.
2186 Otherwise, leave SID unchanged and kill. */
2187 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2188 struct task_struct *tracer;
2189 struct task_security_struct *sec;
2193 tracer = task_tracer_task(current);
2194 if (likely(tracer != NULL)) {
2195 sec = tracer->security;
2201 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2202 PROCESS__PTRACE, NULL);
2214 * called after apply_creds without the task lock held
2216 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2218 struct task_security_struct *tsec;
2219 struct rlimit *rlim, *initrlim;
2220 struct itimerval itimer;
2221 struct bprm_security_struct *bsec;
2224 tsec = current->security;
2225 bsec = bprm->security;
2228 force_sig_specific(SIGKILL, current);
2231 if (tsec->osid == tsec->sid)
2234 /* Close files for which the new task SID is not authorized. */
2235 flush_unauthorized_files(current->files);
2237 /* Check whether the new SID can inherit signal state
2238 from the old SID. If not, clear itimers to avoid
2239 subsequent signal generation and flush and unblock
2240 signals. This must occur _after_ the task SID has
2241 been updated so that any kill done after the flush
2242 will be checked against the new SID. */
2243 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2244 PROCESS__SIGINH, NULL);
2246 memset(&itimer, 0, sizeof itimer);
2247 for (i = 0; i < 3; i++)
2248 do_setitimer(i, &itimer, NULL);
2249 flush_signals(current);
2250 spin_lock_irq(¤t->sighand->siglock);
2251 flush_signal_handlers(current, 1);
2252 sigemptyset(¤t->blocked);
2253 recalc_sigpending();
2254 spin_unlock_irq(¤t->sighand->siglock);
2257 /* Always clear parent death signal on SID transitions. */
2258 current->pdeath_signal = 0;
2260 /* Check whether the new SID can inherit resource limits
2261 from the old SID. If not, reset all soft limits to
2262 the lower of the current task's hard limit and the init
2263 task's soft limit. Note that the setting of hard limits
2264 (even to lower them) can be controlled by the setrlimit
2265 check. The inclusion of the init task's soft limit into
2266 the computation is to avoid resetting soft limits higher
2267 than the default soft limit for cases where the default
2268 is lower than the hard limit, e.g. RLIMIT_CORE or
2270 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2271 PROCESS__RLIMITINH, NULL);
2273 for (i = 0; i < RLIM_NLIMITS; i++) {
2274 rlim = current->signal->rlim + i;
2275 initrlim = init_task.signal->rlim+i;
2276 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2278 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2280 * This will cause RLIMIT_CPU calculations
2283 current->it_prof_expires = jiffies_to_cputime(1);
2287 /* Wake up the parent if it is waiting so that it can
2288 recheck wait permission to the new task SID. */
2289 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
2292 /* superblock security operations */
2294 static int selinux_sb_alloc_security(struct super_block *sb)
2296 return superblock_alloc_security(sb);
2299 static void selinux_sb_free_security(struct super_block *sb)
2301 superblock_free_security(sb);
2304 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2309 return !memcmp(prefix, option, plen);
2312 static inline int selinux_option(char *option, int len)
2314 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2315 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2316 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2317 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2320 static inline void take_option(char **to, char *from, int *first, int len)
2327 memcpy(*to, from, len);
2331 static inline void take_selinux_option(char **to, char *from, int *first,
2334 int current_size = 0;
2342 while (current_size < len) {
2352 static int selinux_sb_copy_data(char *orig, char *copy)
2354 int fnosec, fsec, rc = 0;
2355 char *in_save, *in_curr, *in_end;
2356 char *sec_curr, *nosec_save, *nosec;
2362 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2370 in_save = in_end = orig;
2374 open_quote = !open_quote;
2375 if ((*in_end == ',' && open_quote == 0) ||
2377 int len = in_end - in_curr;
2379 if (selinux_option(in_curr, len))
2380 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2382 take_option(&nosec, in_curr, &fnosec, len);
2384 in_curr = in_end + 1;
2386 } while (*in_end++);
2388 strcpy(in_save, nosec_save);
2389 free_page((unsigned long)nosec_save);
2394 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2396 struct avc_audit_data ad;
2399 rc = superblock_doinit(sb, data);
2403 AVC_AUDIT_DATA_INIT(&ad, FS);
2404 ad.u.fs.path.dentry = sb->s_root;
2405 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2408 static int selinux_sb_statfs(struct dentry *dentry)
2410 struct avc_audit_data ad;
2412 AVC_AUDIT_DATA_INIT(&ad, FS);
2413 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2414 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2417 static int selinux_mount(char *dev_name,
2420 unsigned long flags,
2425 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2429 if (flags & MS_REMOUNT)
2430 return superblock_has_perm(current, path->mnt->mnt_sb,
2431 FILESYSTEM__REMOUNT, NULL);
2433 return dentry_has_perm(current, path->mnt, path->dentry,
2437 static int selinux_umount(struct vfsmount *mnt, int flags)
2441 rc = secondary_ops->sb_umount(mnt, flags);
2445 return superblock_has_perm(current, mnt->mnt_sb,
2446 FILESYSTEM__UNMOUNT, NULL);
2449 /* inode security operations */
2451 static int selinux_inode_alloc_security(struct inode *inode)
2453 return inode_alloc_security(inode);
2456 static void selinux_inode_free_security(struct inode *inode)
2458 inode_free_security(inode);
2461 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2462 char **name, void **value,
2465 struct task_security_struct *tsec;
2466 struct inode_security_struct *dsec;
2467 struct superblock_security_struct *sbsec;
2470 char *namep = NULL, *context;
2472 tsec = current->security;
2473 dsec = dir->i_security;
2474 sbsec = dir->i_sb->s_security;
2476 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2477 newsid = tsec->create_sid;
2479 rc = security_transition_sid(tsec->sid, dsec->sid,
2480 inode_mode_to_security_class(inode->i_mode),
2483 printk(KERN_WARNING "%s: "
2484 "security_transition_sid failed, rc=%d (dev=%s "
2487 -rc, inode->i_sb->s_id, inode->i_ino);
2492 /* Possibly defer initialization to selinux_complete_init. */
2493 if (sbsec->initialized) {
2494 struct inode_security_struct *isec = inode->i_security;
2495 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2497 isec->initialized = 1;
2500 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2504 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2511 rc = security_sid_to_context_force(newsid, &context, &clen);
2523 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2525 return may_create(dir, dentry, SECCLASS_FILE);
2528 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2532 rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2535 return may_link(dir, old_dentry, MAY_LINK);
2538 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2542 rc = secondary_ops->inode_unlink(dir, dentry);
2545 return may_link(dir, dentry, MAY_UNLINK);
2548 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2550 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2553 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2555 return may_create(dir, dentry, SECCLASS_DIR);
2558 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2560 return may_link(dir, dentry, MAY_RMDIR);
2563 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2567 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2571 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2574 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2575 struct inode *new_inode, struct dentry *new_dentry)
2577 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2580 static int selinux_inode_readlink(struct dentry *dentry)
2582 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2585 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2589 rc = secondary_ops->inode_follow_link(dentry, nameidata);
2592 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2595 static int selinux_inode_permission(struct inode *inode, int mask,
2596 struct nameidata *nd)
2600 rc = secondary_ops->inode_permission(inode, mask, nd);
2605 /* No permission to check. Existence test. */
2609 return inode_has_perm(current, inode,
2610 open_file_mask_to_av(inode->i_mode, mask), NULL);
2613 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2617 rc = secondary_ops->inode_setattr(dentry, iattr);
2621 if (iattr->ia_valid & ATTR_FORCE)
2624 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2625 ATTR_ATIME_SET | ATTR_MTIME_SET))
2626 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2628 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2631 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2633 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2636 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2638 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2639 sizeof XATTR_SECURITY_PREFIX - 1)) {
2640 if (!strcmp(name, XATTR_NAME_CAPS)) {
2641 if (!capable(CAP_SETFCAP))
2643 } else if (!capable(CAP_SYS_ADMIN)) {
2644 /* A different attribute in the security namespace.
2645 Restrict to administrator. */
2650 /* Not an attribute we recognize, so just check the
2651 ordinary setattr permission. */
2652 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2655 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2656 const void *value, size_t size, int flags)
2658 struct task_security_struct *tsec = current->security;
2659 struct inode *inode = dentry->d_inode;
2660 struct inode_security_struct *isec = inode->i_security;
2661 struct superblock_security_struct *sbsec;
2662 struct avc_audit_data ad;
2666 if (strcmp(name, XATTR_NAME_SELINUX))
2667 return selinux_inode_setotherxattr(dentry, name);
2669 sbsec = inode->i_sb->s_security;
2670 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2673 if (!is_owner_or_cap(inode))
2676 AVC_AUDIT_DATA_INIT(&ad, FS);
2677 ad.u.fs.path.dentry = dentry;
2679 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2680 FILE__RELABELFROM, &ad);
2684 rc = security_context_to_sid(value, size, &newsid);
2685 if (rc == -EINVAL) {
2686 if (!capable(CAP_MAC_ADMIN))
2688 rc = security_context_to_sid_force(value, size, &newsid);
2693 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2694 FILE__RELABELTO, &ad);
2698 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2703 return avc_has_perm(newsid,
2705 SECCLASS_FILESYSTEM,
2706 FILESYSTEM__ASSOCIATE,
2710 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2711 const void *value, size_t size,
2714 struct inode *inode = dentry->d_inode;
2715 struct inode_security_struct *isec = inode->i_security;
2719 if (strcmp(name, XATTR_NAME_SELINUX)) {
2720 /* Not an attribute we recognize, so nothing to do. */
2724 rc = security_context_to_sid_force(value, size, &newsid);
2726 printk(KERN_ERR "SELinux: unable to map context to SID"
2727 "for (%s, %lu), rc=%d\n",
2728 inode->i_sb->s_id, inode->i_ino, -rc);
2736 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2738 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2741 static int selinux_inode_listxattr(struct dentry *dentry)
2743 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2746 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2748 if (strcmp(name, XATTR_NAME_SELINUX))
2749 return selinux_inode_setotherxattr(dentry, name);
2751 /* No one is allowed to remove a SELinux security label.
2752 You can change the label, but all data must be labeled. */
2757 * Copy the in-core inode security context value to the user. If the
2758 * getxattr() prior to this succeeded, check to see if we need to
2759 * canonicalize the value to be finally returned to the user.
2761 * Permission check is handled by selinux_inode_getxattr hook.
2763 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2767 char *context = NULL;
2768 struct inode_security_struct *isec = inode->i_security;
2770 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2773 error = security_sid_to_context(isec->sid, &context, &size);
2786 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2787 const void *value, size_t size, int flags)
2789 struct inode_security_struct *isec = inode->i_security;
2793 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2796 if (!value || !size)
2799 rc = security_context_to_sid((void *)value, size, &newsid);
2807 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2809 const int len = sizeof(XATTR_NAME_SELINUX);
2810 if (buffer && len <= buffer_size)
2811 memcpy(buffer, XATTR_NAME_SELINUX, len);
2815 static int selinux_inode_need_killpriv(struct dentry *dentry)
2817 return secondary_ops->inode_need_killpriv(dentry);
2820 static int selinux_inode_killpriv(struct dentry *dentry)
2822 return secondary_ops->inode_killpriv(dentry);
2825 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2827 struct inode_security_struct *isec = inode->i_security;
2831 /* file security operations */
2833 static int selinux_revalidate_file_permission(struct file *file, int mask)
2836 struct inode *inode = file->f_path.dentry->d_inode;
2839 /* No permission to check. Existence test. */
2843 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2844 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2847 rc = file_has_perm(current, file,
2848 file_mask_to_av(inode->i_mode, mask));
2852 return selinux_netlbl_inode_permission(inode, mask);
2855 static int selinux_file_permission(struct file *file, int mask)
2857 struct inode *inode = file->f_path.dentry->d_inode;
2858 struct task_security_struct *tsec = current->security;
2859 struct file_security_struct *fsec = file->f_security;
2860 struct inode_security_struct *isec = inode->i_security;
2863 /* No permission to check. Existence test. */
2867 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2868 && fsec->pseqno == avc_policy_seqno())
2869 return selinux_netlbl_inode_permission(inode, mask);
2871 return selinux_revalidate_file_permission(file, mask);
2874 static int selinux_file_alloc_security(struct file *file)
2876 return file_alloc_security(file);
2879 static void selinux_file_free_security(struct file *file)
2881 file_free_security(file);
2884 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2896 case EXT2_IOC_GETFLAGS:
2898 case EXT2_IOC_GETVERSION:
2899 error = file_has_perm(current, file, FILE__GETATTR);
2902 case EXT2_IOC_SETFLAGS:
2904 case EXT2_IOC_SETVERSION:
2905 error = file_has_perm(current, file, FILE__SETATTR);
2908 /* sys_ioctl() checks */
2912 error = file_has_perm(current, file, 0);
2917 error = task_has_capability(current, CAP_SYS_TTY_CONFIG);
2920 /* default case assumes that the command will go
2921 * to the file's ioctl() function.
2924 error = file_has_perm(current, file, FILE__IOCTL);
2929 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2931 #ifndef CONFIG_PPC32
2932 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2934 * We are making executable an anonymous mapping or a
2935 * private file mapping that will also be writable.
2936 * This has an additional check.
2938 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2945 /* read access is always possible with a mapping */
2946 u32 av = FILE__READ;
2948 /* write access only matters if the mapping is shared */
2949 if (shared && (prot & PROT_WRITE))
2952 if (prot & PROT_EXEC)
2953 av |= FILE__EXECUTE;
2955 return file_has_perm(current, file, av);
2960 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2961 unsigned long prot, unsigned long flags,
2962 unsigned long addr, unsigned long addr_only)
2965 u32 sid = ((struct task_security_struct *)(current->security))->sid;
2967 if (addr < mmap_min_addr)
2968 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2969 MEMPROTECT__MMAP_ZERO, NULL);
2970 if (rc || addr_only)
2973 if (selinux_checkreqprot)
2976 return file_map_prot_check(file, prot,
2977 (flags & MAP_TYPE) == MAP_SHARED);
2980 static int selinux_file_mprotect(struct vm_area_struct *vma,
2981 unsigned long reqprot,
2986 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2990 if (selinux_checkreqprot)
2993 #ifndef CONFIG_PPC32
2994 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2996 if (vma->vm_start >= vma->vm_mm->start_brk &&
2997 vma->vm_end <= vma->vm_mm->brk) {
2998 rc = task_has_perm(current, current,
3000 } else if (!vma->vm_file &&
3001 vma->vm_start <= vma->vm_mm->start_stack &&
3002 vma->vm_end >= vma->vm_mm->start_stack) {
3003 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3004 } else if (vma->vm_file && vma->anon_vma) {
3006 * We are making executable a file mapping that has
3007 * had some COW done. Since pages might have been
3008 * written, check ability to execute the possibly
3009 * modified content. This typically should only
3010 * occur for text relocations.
3012 rc = file_has_perm(current, vma->vm_file,
3020 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3023 static int selinux_file_lock(struct file *file, unsigned int cmd)
3025 return file_has_perm(current, file, FILE__LOCK);
3028 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3035 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3040 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3041 err = file_has_perm(current, file, FILE__WRITE);
3050 /* Just check FD__USE permission */
3051 err = file_has_perm(current, file, 0);
3056 #if BITS_PER_LONG == 32
3061 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3065 err = file_has_perm(current, file, FILE__LOCK);
3072 static int selinux_file_set_fowner(struct file *file)
3074 struct task_security_struct *tsec;
3075 struct file_security_struct *fsec;
3077 tsec = current->security;
3078 fsec = file->f_security;
3079 fsec->fown_sid = tsec->sid;
3084 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3085 struct fown_struct *fown, int signum)
3089 struct task_security_struct *tsec;
3090 struct file_security_struct *fsec;
3092 /* struct fown_struct is never outside the context of a struct file */
3093 file = container_of(fown, struct file, f_owner);
3095 tsec = tsk->security;
3096 fsec = file->f_security;
3099 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3101 perm = signal_to_av(signum);
3103 return avc_has_perm(fsec->fown_sid, tsec->sid,
3104 SECCLASS_PROCESS, perm, NULL);
3107 static int selinux_file_receive(struct file *file)
3109 return file_has_perm(current, file, file_to_av(file));
3112 static int selinux_dentry_open(struct file *file)
3114 struct file_security_struct *fsec;
3115 struct inode *inode;
3116 struct inode_security_struct *isec;
3117 inode = file->f_path.dentry->d_inode;
3118 fsec = file->f_security;
3119 isec = inode->i_security;
3121 * Save inode label and policy sequence number
3122 * at open-time so that selinux_file_permission
3123 * can determine whether revalidation is necessary.
3124 * Task label is already saved in the file security
3125 * struct as its SID.
3127 fsec->isid = isec->sid;
3128 fsec->pseqno = avc_policy_seqno();
3130 * Since the inode label or policy seqno may have changed
3131 * between the selinux_inode_permission check and the saving
3132 * of state above, recheck that access is still permitted.
3133 * Otherwise, access might never be revalidated against the
3134 * new inode label or new policy.
3135 * This check is not redundant - do not remove.
3137 return inode_has_perm(current, inode, file_to_av(file), NULL);
3140 /* task security operations */
3142 static int selinux_task_create(unsigned long clone_flags)
3146 rc = secondary_ops->task_create(clone_flags);
3150 return task_has_perm(current, current, PROCESS__FORK);
3153 static int selinux_task_alloc_security(struct task_struct *tsk)
3155 struct task_security_struct *tsec1, *tsec2;
3158 tsec1 = current->security;
3160 rc = task_alloc_security(tsk);
3163 tsec2 = tsk->security;
3165 tsec2->osid = tsec1->osid;
3166 tsec2->sid = tsec1->sid;
3168 /* Retain the exec, fs, key, and sock SIDs across fork */
3169 tsec2->exec_sid = tsec1->exec_sid;
3170 tsec2->create_sid = tsec1->create_sid;
3171 tsec2->keycreate_sid = tsec1->keycreate_sid;
3172 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3177 static void selinux_task_free_security(struct task_struct *tsk)
3179 task_free_security(tsk);
3182 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3184 /* Since setuid only affects the current process, and
3185 since the SELinux controls are not based on the Linux
3186 identity attributes, SELinux does not need to control
3187 this operation. However, SELinux does control the use
3188 of the CAP_SETUID and CAP_SETGID capabilities using the
3193 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3195 return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3198 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3200 /* See the comment for setuid above. */
3204 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3206 return task_has_perm(current, p, PROCESS__SETPGID);
3209 static int selinux_task_getpgid(struct task_struct *p)
3211 return task_has_perm(current, p, PROCESS__GETPGID);
3214 static int selinux_task_getsid(struct task_struct *p)
3216 return task_has_perm(current, p, PROCESS__GETSESSION);
3219 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3221 struct task_security_struct *tsec = p->security;
3225 static int selinux_task_setgroups(struct group_info *group_info)
3227 /* See the comment for setuid above. */
3231 static int selinux_task_setnice(struct task_struct *p, int nice)
3235 rc = secondary_ops->task_setnice(p, nice);
3239 return task_has_perm(current, p, PROCESS__SETSCHED);
3242 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3246 rc = secondary_ops->task_setioprio(p, ioprio);
3250 return task_has_perm(current, p, PROCESS__SETSCHED);
3253 static int selinux_task_getioprio(struct task_struct *p)
3255 return task_has_perm(current, p, PROCESS__GETSCHED);
3258 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3260 struct rlimit *old_rlim = current->signal->rlim + resource;
3263 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3267 /* Control the ability to change the hard limit (whether
3268 lowering or raising it), so that the hard limit can
3269 later be used as a safe reset point for the soft limit
3270 upon context transitions. See selinux_bprm_apply_creds. */
3271 if (old_rlim->rlim_max != new_rlim->rlim_max)
3272 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3277 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3281 rc = secondary_ops->task_setscheduler(p, policy, lp);
3285 return task_has_perm(current, p, PROCESS__SETSCHED);
3288 static int selinux_task_getscheduler(struct task_struct *p)
3290 return task_has_perm(current, p, PROCESS__GETSCHED);
3293 static int selinux_task_movememory(struct task_struct *p)
3295 return task_has_perm(current, p, PROCESS__SETSCHED);
3298 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3303 struct task_security_struct *tsec;
3305 rc = secondary_ops->task_kill(p, info, sig, secid);
3310 perm = PROCESS__SIGNULL; /* null signal; existence test */
3312 perm = signal_to_av(sig);
3315 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3317 rc = task_has_perm(current, p, perm);
3321 static int selinux_task_prctl(int option,
3328 /* The current prctl operations do not appear to require
3329 any SELinux controls since they merely observe or modify
3330 the state of the current process. */
3331 return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
3334 static int selinux_task_wait(struct task_struct *p)
3336 return task_has_perm(p, current, PROCESS__SIGCHLD);
3339 static void selinux_task_reparent_to_init(struct task_struct *p)
3341 struct task_security_struct *tsec;
3343 secondary_ops->task_reparent_to_init(p);
3346 tsec->osid = tsec->sid;
3347 tsec->sid = SECINITSID_KERNEL;
3351 static void selinux_task_to_inode(struct task_struct *p,
3352 struct inode *inode)
3354 struct task_security_struct *tsec = p->security;
3355 struct inode_security_struct *isec = inode->i_security;
3357 isec->sid = tsec->sid;
3358 isec->initialized = 1;
3362 /* Returns error only if unable to parse addresses */
3363 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3364 struct avc_audit_data *ad, u8 *proto)
3366 int offset, ihlen, ret = -EINVAL;
3367 struct iphdr _iph, *ih;
3369 offset = skb_network_offset(skb);
3370 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3374 ihlen = ih->ihl * 4;
3375 if (ihlen < sizeof(_iph))
3378 ad->u.net.v4info.saddr = ih->saddr;
3379 ad->u.net.v4info.daddr = ih->daddr;
3383 *proto = ih->protocol;
3385 switch (ih->protocol) {
3387 struct tcphdr _tcph, *th;
3389 if (ntohs(ih->frag_off) & IP_OFFSET)
3393 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3397 ad->u.net.sport = th->source;
3398 ad->u.net.dport = th->dest;
3403 struct udphdr _udph, *uh;
3405 if (ntohs(ih->frag_off) & IP_OFFSET)
3409 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3413 ad->u.net.sport = uh->source;
3414 ad->u.net.dport = uh->dest;
3418 case IPPROTO_DCCP: {
3419 struct dccp_hdr _dccph, *dh;
3421 if (ntohs(ih->frag_off) & IP_OFFSET)
3425 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3429 ad->u.net.sport = dh->dccph_sport;
3430 ad->u.net.dport = dh->dccph_dport;
3441 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3443 /* Returns error only if unable to parse addresses */
3444 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3445 struct avc_audit_data *ad, u8 *proto)
3448 int ret = -EINVAL, offset;
3449 struct ipv6hdr _ipv6h, *ip6;
3451 offset = skb_network_offset(skb);
3452 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3456 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3457 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3460 nexthdr = ip6->nexthdr;
3461 offset += sizeof(_ipv6h);
3462 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3471 struct tcphdr _tcph, *th;
3473 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3477 ad->u.net.sport = th->source;
3478 ad->u.net.dport = th->dest;
3483 struct udphdr _udph, *uh;
3485 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3489 ad->u.net.sport = uh->source;
3490 ad->u.net.dport = uh->dest;
3494 case IPPROTO_DCCP: {
3495 struct dccp_hdr _dccph, *dh;
3497 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3501 ad->u.net.sport = dh->dccph_sport;
3502 ad->u.net.dport = dh->dccph_dport;
3506 /* includes fragments */
3516 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3517 char **addrp, int src, u8 *proto)
3521 switch (ad->u.net.family) {
3523 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3526 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3527 &ad->u.net.v4info.daddr);
3530 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3532 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3535 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3536 &ad->u.net.v6info.daddr);
3545 "SELinux: failure in selinux_parse_skb(),"
3546 " unable to parse packet\n");
3552 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3554 * @family: protocol family
3555 * @sid: the packet's peer label SID
3558 * Check the various different forms of network peer labeling and determine
3559 * the peer label/SID for the packet; most of the magic actually occurs in
3560 * the security server function security_net_peersid_cmp(). The function
3561 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3562 * or -EACCES if @sid is invalid due to inconsistencies with the different
3566 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3573 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3574 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3576 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3577 if (unlikely(err)) {
3579 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3580 " unable to determine packet's peer label\n");
3587 /* socket security operations */
3588 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3591 struct inode_security_struct *isec;
3592 struct task_security_struct *tsec;
3593 struct avc_audit_data ad;
3596 tsec = task->security;
3597 isec = SOCK_INODE(sock)->i_security;
3599 if (isec->sid == SECINITSID_KERNEL)
3602 AVC_AUDIT_DATA_INIT(&ad, NET);
3603 ad.u.net.sk = sock->sk;
3604 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3610 static int selinux_socket_create(int family, int type,
3611 int protocol, int kern)
3614 struct task_security_struct *tsec;
3620 tsec = current->security;
3621 newsid = tsec->sockcreate_sid ? : tsec->sid;
3622 err = avc_has_perm(tsec->sid, newsid,
3623 socket_type_to_security_class(family, type,
3624 protocol), SOCKET__CREATE, NULL);
3630 static int selinux_socket_post_create(struct socket *sock, int family,
3631 int type, int protocol, int kern)
3634 struct inode_security_struct *isec;
3635 struct task_security_struct *tsec;
3636 struct sk_security_struct *sksec;
3639 isec = SOCK_INODE(sock)->i_security;
3641 tsec = current->security;
3642 newsid = tsec->sockcreate_sid ? : tsec->sid;
3643 isec->sclass = socket_type_to_security_class(family, type, protocol);
3644 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3645 isec->initialized = 1;
3648 sksec = sock->sk->sk_security;
3649 sksec->sid = isec->sid;
3650 sksec->sclass = isec->sclass;
3651 err = selinux_netlbl_socket_post_create(sock);
3657 /* Range of port numbers used to automatically bind.
3658 Need to determine whether we should perform a name_bind
3659 permission check between the socket and the port number. */
3661 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3666 err = socket_has_perm(current, sock, SOCKET__BIND);
3671 * If PF_INET or PF_INET6, check name_bind permission for the port.
3672 * Multiple address binding for SCTP is not supported yet: we just
3673 * check the first address now.
3675 family = sock->sk->sk_family;
3676 if (family == PF_INET || family == PF_INET6) {
3678 struct inode_security_struct *isec;
3679 struct task_security_struct *tsec;
3680 struct avc_audit_data ad;
3681 struct sockaddr_in *addr4 = NULL;
3682 struct sockaddr_in6 *addr6 = NULL;
3683 unsigned short snum;
3684 struct sock *sk = sock->sk;
3685 u32 sid, node_perm, addrlen;
3687 tsec = current->security;
3688 isec = SOCK_INODE(sock)->i_security;
3690 if (family == PF_INET) {
3691 addr4 = (struct sockaddr_in *)address;
3692 snum = ntohs(addr4->sin_port);
3693 addrlen = sizeof(addr4->sin_addr.s_addr);
3694 addrp = (char *)&addr4->sin_addr.s_addr;
3696 addr6 = (struct sockaddr_in6 *)address;
3697 snum = ntohs(addr6->sin6_port);
3698 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3699 addrp = (char *)&addr6->sin6_addr.s6_addr;
3705 inet_get_local_port_range(&low, &high);
3707 if (snum < max(PROT_SOCK, low) || snum > high) {
3708 err = sel_netport_sid(sk->sk_protocol,
3712 AVC_AUDIT_DATA_INIT(&ad, NET);
3713 ad.u.net.sport = htons(snum);
3714 ad.u.net.family = family;
3715 err = avc_has_perm(isec->sid, sid,
3717 SOCKET__NAME_BIND, &ad);
3723 switch (isec->sclass) {
3724 case SECCLASS_TCP_SOCKET:
3725 node_perm = TCP_SOCKET__NODE_BIND;
3728 case SECCLASS_UDP_SOCKET:
3729 node_perm = UDP_SOCKET__NODE_BIND;
3732 case SECCLASS_DCCP_SOCKET:
3733 node_perm = DCCP_SOCKET__NODE_BIND;
3737 node_perm = RAWIP_SOCKET__NODE_BIND;
3741 err = sel_netnode_sid(addrp, family, &sid);
3745 AVC_AUDIT_DATA_INIT(&ad, NET);
3746 ad.u.net.sport = htons(snum);
3747 ad.u.net.family = family;
3749 if (family == PF_INET)
3750 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3752 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3754 err = avc_has_perm(isec->sid, sid,
3755 isec->sclass, node_perm, &ad);
3763 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3765 struct inode_security_struct *isec;
3768 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3773 * If a TCP or DCCP socket, check name_connect permission for the port.
3775 isec = SOCK_INODE(sock)->i_security;
3776 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3777 isec->sclass == SECCLASS_DCCP_SOCKET) {
3778 struct sock *sk = sock->sk;
3779 struct avc_audit_data ad;
3780 struct sockaddr_in *addr4 = NULL;
3781 struct sockaddr_in6 *addr6 = NULL;
3782 unsigned short snum;
3785 if (sk->sk_family == PF_INET) {
3786 addr4 = (struct sockaddr_in *)address;
3787 if (addrlen < sizeof(struct sockaddr_in))
3789 snum = ntohs(addr4->sin_port);
3791 addr6 = (struct sockaddr_in6 *)address;
3792 if (addrlen < SIN6_LEN_RFC2133)
3794 snum = ntohs(addr6->sin6_port);
3797 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3801 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3802 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3804 AVC_AUDIT_DATA_INIT(&ad, NET);
3805 ad.u.net.dport = htons(snum);
3806 ad.u.net.family = sk->sk_family;
3807 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3816 static int selinux_socket_listen(struct socket *sock, int backlog)
3818 return socket_has_perm(current, sock, SOCKET__LISTEN);
3821 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3824 struct inode_security_struct *isec;
3825 struct inode_security_struct *newisec;
3827 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3831 newisec = SOCK_INODE(newsock)->i_security;
3833 isec = SOCK_INODE(sock)->i_security;
3834 newisec->sclass = isec->sclass;
3835 newisec->sid = isec->sid;
3836 newisec->initialized = 1;
3841 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3846 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3850 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3853 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3854 int size, int flags)
3856 return socket_has_perm(current, sock, SOCKET__READ);
3859 static int selinux_socket_getsockname(struct socket *sock)
3861 return socket_has_perm(current, sock, SOCKET__GETATTR);
3864 static int selinux_socket_getpeername(struct socket *sock)
3866 return socket_has_perm(current, sock, SOCKET__GETATTR);
3869 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3873 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3877 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3880 static int selinux_socket_getsockopt(struct socket *sock, int level,
3883 return socket_has_perm(current, sock, SOCKET__GETOPT);
3886 static int selinux_socket_shutdown(struct socket *sock, int how)
3888 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3891 static int selinux_socket_unix_stream_connect(struct socket *sock,
3892 struct socket *other,
3895 struct sk_security_struct *ssec;
3896 struct inode_security_struct *isec;
3897 struct inode_security_struct *other_isec;
3898 struct avc_audit_data ad;
3901 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3905 isec = SOCK_INODE(sock)->i_security;
3906 other_isec = SOCK_INODE(other)->i_security;
3908 AVC_AUDIT_DATA_INIT(&ad, NET);
3909 ad.u.net.sk = other->sk;
3911 err = avc_has_perm(isec->sid, other_isec->sid,
3913 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3917 /* connecting socket */
3918 ssec = sock->sk->sk_security;
3919 ssec->peer_sid = other_isec->sid;
3921 /* server child socket */
3922 ssec = newsk->sk_security;
3923 ssec->peer_sid = isec->sid;
3924 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3929 static int selinux_socket_unix_may_send(struct socket *sock,
3930 struct socket *other)
3932 struct inode_security_struct *isec;
3933 struct inode_security_struct *other_isec;
3934 struct avc_audit_data ad;
3937 isec = SOCK_INODE(sock)->i_security;
3938 other_isec = SOCK_INODE(other)->i_security;
3940 AVC_AUDIT_DATA_INIT(&ad, NET);
3941 ad.u.net.sk = other->sk;
3943 err = avc_has_perm(isec->sid, other_isec->sid,
3944 isec->sclass, SOCKET__SENDTO, &ad);
3951 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3953 struct avc_audit_data *ad)
3959 err = sel_netif_sid(ifindex, &if_sid);
3962 err = avc_has_perm(peer_sid, if_sid,
3963 SECCLASS_NETIF, NETIF__INGRESS, ad);
3967 err = sel_netnode_sid(addrp, family, &node_sid);
3970 return avc_has_perm(peer_sid, node_sid,
3971 SECCLASS_NODE, NODE__RECVFROM, ad);
3974 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3975 struct sk_buff *skb,
3976 struct avc_audit_data *ad,
3981 struct sk_security_struct *sksec = sk->sk_security;
3983 u32 netif_perm, node_perm, recv_perm;
3984 u32 port_sid, node_sid, if_sid, sk_sid;
3986 sk_sid = sksec->sid;
3987 sk_class = sksec->sclass;
3990 case SECCLASS_UDP_SOCKET:
3991 netif_perm = NETIF__UDP_RECV;
3992 node_perm = NODE__UDP_RECV;
3993 recv_perm = UDP_SOCKET__RECV_MSG;
3995 case SECCLASS_TCP_SOCKET:
3996 netif_perm = NETIF__TCP_RECV;
3997 node_perm = NODE__TCP_RECV;
3998 recv_perm = TCP_SOCKET__RECV_MSG;
4000 case SECCLASS_DCCP_SOCKET:
4001 netif_perm = NETIF__DCCP_RECV;
4002 node_perm = NODE__DCCP_RECV;
4003 recv_perm = DCCP_SOCKET__RECV_MSG;
4006 netif_perm = NETIF__RAWIP_RECV;
4007 node_perm = NODE__RAWIP_RECV;
4012 err = sel_netif_sid(skb->iif, &if_sid);
4015 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4019 err = sel_netnode_sid(addrp, family, &node_sid);
4022 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4028 err = sel_netport_sid(sk->sk_protocol,
4029 ntohs(ad->u.net.sport), &port_sid);
4030 if (unlikely(err)) {
4032 "SELinux: failure in"
4033 " selinux_sock_rcv_skb_iptables_compat(),"
4034 " network port label not found\n");
4037 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4040 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4041 struct avc_audit_data *ad,
4042 u16 family, char *addrp)
4045 struct sk_security_struct *sksec = sk->sk_security;
4047 u32 sk_sid = sksec->sid;
4049 if (selinux_compat_net)
4050 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4053 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4058 if (selinux_policycap_netpeer) {
4059 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4062 err = avc_has_perm(sk_sid, peer_sid,
4063 SECCLASS_PEER, PEER__RECV, ad);
4065 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4068 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4074 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4077 struct sk_security_struct *sksec = sk->sk_security;
4078 u16 family = sk->sk_family;
4079 u32 sk_sid = sksec->sid;
4080 struct avc_audit_data ad;
4083 if (family != PF_INET && family != PF_INET6)
4086 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4087 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4090 AVC_AUDIT_DATA_INIT(&ad, NET);
4091 ad.u.net.netif = skb->iif;
4092 ad.u.net.family = family;
4093 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4097 /* If any sort of compatibility mode is enabled then handoff processing
4098 * to the selinux_sock_rcv_skb_compat() function to deal with the
4099 * special handling. We do this in an attempt to keep this function
4100 * as fast and as clean as possible. */
4101 if (selinux_compat_net || !selinux_policycap_netpeer)
4102 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4105 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4108 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4111 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4115 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4119 if (selinux_secmark_enabled()) {
4120 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4129 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4130 int __user *optlen, unsigned len)
4135 struct sk_security_struct *ssec;
4136 struct inode_security_struct *isec;
4137 u32 peer_sid = SECSID_NULL;
4139 isec = SOCK_INODE(sock)->i_security;
4141 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4142 isec->sclass == SECCLASS_TCP_SOCKET) {
4143 ssec = sock->sk->sk_security;
4144 peer_sid = ssec->peer_sid;
4146 if (peer_sid == SECSID_NULL) {
4151 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4156 if (scontext_len > len) {
4161 if (copy_to_user(optval, scontext, scontext_len))
4165 if (put_user(scontext_len, optlen))
4173 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4175 u32 peer_secid = SECSID_NULL;
4179 family = sock->sk->sk_family;
4180 else if (skb && skb->sk)
4181 family = skb->sk->sk_family;
4185 if (sock && family == PF_UNIX)
4186 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4188 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4191 *secid = peer_secid;
4192 if (peer_secid == SECSID_NULL)
4197 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4199 return sk_alloc_security(sk, family, priority);
4202 static void selinux_sk_free_security(struct sock *sk)
4204 sk_free_security(sk);
4207 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4209 struct sk_security_struct *ssec = sk->sk_security;
4210 struct sk_security_struct *newssec = newsk->sk_security;
4212 newssec->sid = ssec->sid;
4213 newssec->peer_sid = ssec->peer_sid;
4214 newssec->sclass = ssec->sclass;
4216 selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4219 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4222 *secid = SECINITSID_ANY_SOCKET;
4224 struct sk_security_struct *sksec = sk->sk_security;
4226 *secid = sksec->sid;
4230 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4232 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4233 struct sk_security_struct *sksec = sk->sk_security;
4235 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4236 sk->sk_family == PF_UNIX)
4237 isec->sid = sksec->sid;
4238 sksec->sclass = isec->sclass;
4240 selinux_netlbl_sock_graft(sk, parent);
4243 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4244 struct request_sock *req)
4246 struct sk_security_struct *sksec = sk->sk_security;
4251 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4254 if (peersid == SECSID_NULL) {
4255 req->secid = sksec->sid;
4256 req->peer_secid = SECSID_NULL;
4260 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4264 req->secid = newsid;
4265 req->peer_secid = peersid;
4269 static void selinux_inet_csk_clone(struct sock *newsk,
4270 const struct request_sock *req)
4272 struct sk_security_struct *newsksec = newsk->sk_security;
4274 newsksec->sid = req->secid;
4275 newsksec->peer_sid = req->peer_secid;
4276 /* NOTE: Ideally, we should also get the isec->sid for the
4277 new socket in sync, but we don't have the isec available yet.
4278 So we will wait until sock_graft to do it, by which
4279 time it will have been created and available. */
4281 /* We don't need to take any sort of lock here as we are the only
4282 * thread with access to newsksec */
4283 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4286 static void selinux_inet_conn_established(struct sock *sk,
4287 struct sk_buff *skb)
4289 struct sk_security_struct *sksec = sk->sk_security;
4291 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4294 static void selinux_req_classify_flow(const struct request_sock *req,
4297 fl->secid = req->secid;
4300 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4304 struct nlmsghdr *nlh;
4305 struct socket *sock = sk->sk_socket;
4306 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4308 if (skb->len < NLMSG_SPACE(0)) {
4312 nlh = nlmsg_hdr(skb);
4314 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4316 if (err == -EINVAL) {
4317 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4318 "SELinux: unrecognized netlink message"
4319 " type=%hu for sclass=%hu\n",
4320 nlh->nlmsg_type, isec->sclass);
4321 if (!selinux_enforcing)
4331 err = socket_has_perm(current, sock, perm);
4336 #ifdef CONFIG_NETFILTER
4338 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4343 struct avc_audit_data ad;
4347 if (!selinux_policycap_netpeer)
4350 secmark_active = selinux_secmark_enabled();
4351 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4352 if (!secmark_active && !peerlbl_active)
4355 AVC_AUDIT_DATA_INIT(&ad, NET);
4356 ad.u.net.netif = ifindex;
4357 ad.u.net.family = family;
4358 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4361 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4365 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4366 peer_sid, &ad) != 0)
4370 if (avc_has_perm(peer_sid, skb->secmark,
4371 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4377 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4378 struct sk_buff *skb,
4379 const struct net_device *in,
4380 const struct net_device *out,
4381 int (*okfn)(struct sk_buff *))
4383 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4386 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4387 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4388 struct sk_buff *skb,
4389 const struct net_device *in,
4390 const struct net_device *out,
4391 int (*okfn)(struct sk_buff *))
4393 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4397 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4399 struct avc_audit_data *ad,
4400 u16 family, char *addrp)
4403 struct sk_security_struct *sksec = sk->sk_security;
4405 u32 netif_perm, node_perm, send_perm;
4406 u32 port_sid, node_sid, if_sid, sk_sid;
4408 sk_sid = sksec->sid;
4409 sk_class = sksec->sclass;
4412 case SECCLASS_UDP_SOCKET:
4413 netif_perm = NETIF__UDP_SEND;
4414 node_perm = NODE__UDP_SEND;
4415 send_perm = UDP_SOCKET__SEND_MSG;
4417 case SECCLASS_TCP_SOCKET:
4418 netif_perm = NETIF__TCP_SEND;
4419 node_perm = NODE__TCP_SEND;
4420 send_perm = TCP_SOCKET__SEND_MSG;
4422 case SECCLASS_DCCP_SOCKET:
4423 netif_perm = NETIF__DCCP_SEND;
4424 node_perm = NODE__DCCP_SEND;
4425 send_perm = DCCP_SOCKET__SEND_MSG;
4428 netif_perm = NETIF__RAWIP_SEND;
4429 node_perm = NODE__RAWIP_SEND;
4434 err = sel_netif_sid(ifindex, &if_sid);
4437 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4440 err = sel_netnode_sid(addrp, family, &node_sid);
4443 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4450 err = sel_netport_sid(sk->sk_protocol,
4451 ntohs(ad->u.net.dport), &port_sid);
4452 if (unlikely(err)) {
4454 "SELinux: failure in"
4455 " selinux_ip_postroute_iptables_compat(),"
4456 " network port label not found\n");
4459 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4462 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4464 struct avc_audit_data *ad,
4469 struct sock *sk = skb->sk;
4470 struct sk_security_struct *sksec;
4474 sksec = sk->sk_security;
4476 if (selinux_compat_net) {
4477 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4481 if (avc_has_perm(sksec->sid, skb->secmark,
4482 SECCLASS_PACKET, PACKET__SEND, ad))
4486 if (selinux_policycap_netpeer)
4487 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4493 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4499 struct avc_audit_data ad;
4505 AVC_AUDIT_DATA_INIT(&ad, NET);
4506 ad.u.net.netif = ifindex;
4507 ad.u.net.family = family;
4508 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4511 /* If any sort of compatibility mode is enabled then handoff processing
4512 * to the selinux_ip_postroute_compat() function to deal with the
4513 * special handling. We do this in an attempt to keep this function
4514 * as fast and as clean as possible. */
4515 if (selinux_compat_net || !selinux_policycap_netpeer)
4516 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4517 family, addrp, proto);
4519 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4520 * packet transformation so allow the packet to pass without any checks
4521 * since we'll have another chance to perform access control checks
4522 * when the packet is on it's final way out.
4523 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4524 * is NULL, in this case go ahead and apply access control. */
4525 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4528 secmark_active = selinux_secmark_enabled();
4529 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4530 if (!secmark_active && !peerlbl_active)
4533 /* if the packet is locally generated (skb->sk != NULL) then use the
4534 * socket's label as the peer label, otherwise the packet is being
4535 * forwarded through this system and we need to fetch the peer label
4536 * directly from the packet */
4539 struct sk_security_struct *sksec = sk->sk_security;
4540 peer_sid = sksec->sid;
4541 secmark_perm = PACKET__SEND;
4543 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4545 secmark_perm = PACKET__FORWARD_OUT;
4549 if (avc_has_perm(peer_sid, skb->secmark,
4550 SECCLASS_PACKET, secmark_perm, &ad))
4553 if (peerlbl_active) {
4557 if (sel_netif_sid(ifindex, &if_sid))
4559 if (avc_has_perm(peer_sid, if_sid,
4560 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4563 if (sel_netnode_sid(addrp, family, &node_sid))
4565 if (avc_has_perm(peer_sid, node_sid,
4566 SECCLASS_NODE, NODE__SENDTO, &ad))
4573 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4574 struct sk_buff *skb,
4575 const struct net_device *in,
4576 const struct net_device *out,
4577 int (*okfn)(struct sk_buff *))
4579 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4582 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4583 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4584 struct sk_buff *skb,
4585 const struct net_device *in,
4586 const struct net_device *out,
4587 int (*okfn)(struct sk_buff *))
4589 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4593 #endif /* CONFIG_NETFILTER */
4595 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4599 err = secondary_ops->netlink_send(sk, skb);
4603 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4604 err = selinux_nlmsg_perm(sk, skb);
4609 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4612 struct avc_audit_data ad;
4614 err = secondary_ops->netlink_recv(skb, capability);
4618 AVC_AUDIT_DATA_INIT(&ad, CAP);
4619 ad.u.cap = capability;
4621 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4622 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4625 static int ipc_alloc_security(struct task_struct *task,
4626 struct kern_ipc_perm *perm,
4629 struct task_security_struct *tsec = task->security;
4630 struct ipc_security_struct *isec;
4632 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4636 isec->sclass = sclass;
4637 isec->sid = tsec->sid;
4638 perm->security = isec;
4643 static void ipc_free_security(struct kern_ipc_perm *perm)
4645 struct ipc_security_struct *isec = perm->security;
4646 perm->security = NULL;
4650 static int msg_msg_alloc_security(struct msg_msg *msg)
4652 struct msg_security_struct *msec;
4654 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4658 msec->sid = SECINITSID_UNLABELED;
4659 msg->security = msec;
4664 static void msg_msg_free_security(struct msg_msg *msg)
4666 struct msg_security_struct *msec = msg->security;
4668 msg->security = NULL;
4672 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4675 struct task_security_struct *tsec;
4676 struct ipc_security_struct *isec;
4677 struct avc_audit_data ad;
4679 tsec = current->security;
4680 isec = ipc_perms->security;
4682 AVC_AUDIT_DATA_INIT(&ad, IPC);
4683 ad.u.ipc_id = ipc_perms->key;
4685 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4688 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4690 return msg_msg_alloc_security(msg);
4693 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4695 msg_msg_free_security(msg);
4698 /* message queue security operations */
4699 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4701 struct task_security_struct *tsec;
4702 struct ipc_security_struct *isec;
4703 struct avc_audit_data ad;
4706 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4710 tsec = current->security;
4711 isec = msq->q_perm.security;
4713 AVC_AUDIT_DATA_INIT(&ad, IPC);
4714 ad.u.ipc_id = msq->q_perm.key;
4716 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4719 ipc_free_security(&msq->q_perm);
4725 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4727 ipc_free_security(&msq->q_perm);
4730 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4732 struct task_security_struct *tsec;
4733 struct ipc_security_struct *isec;
4734 struct avc_audit_data ad;
4736 tsec = current->security;
4737 isec = msq->q_perm.security;
4739 AVC_AUDIT_DATA_INIT(&ad, IPC);
4740 ad.u.ipc_id = msq->q_perm.key;
4742 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4743 MSGQ__ASSOCIATE, &ad);
4746 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4754 /* No specific object, just general system-wide information. */
4755 return task_has_system(current, SYSTEM__IPC_INFO);
4758 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4761 perms = MSGQ__SETATTR;
4764 perms = MSGQ__DESTROY;
4770 err = ipc_has_perm(&msq->q_perm, perms);
4774 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4776 struct task_security_struct *tsec;
4777 struct ipc_security_struct *isec;
4778 struct msg_security_struct *msec;
4779 struct avc_audit_data ad;
4782 tsec = current->security;
4783 isec = msq->q_perm.security;
4784 msec = msg->security;
4787 * First time through, need to assign label to the message
4789 if (msec->sid == SECINITSID_UNLABELED) {
4791 * Compute new sid based on current process and
4792 * message queue this message will be stored in
4794 rc = security_transition_sid(tsec->sid,
4802 AVC_AUDIT_DATA_INIT(&ad, IPC);
4803 ad.u.ipc_id = msq->q_perm.key;
4805 /* Can this process write to the queue? */
4806 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4809 /* Can this process send the message */
4810 rc = avc_has_perm(tsec->sid, msec->sid,
4811 SECCLASS_MSG, MSG__SEND, &ad);
4813 /* Can the message be put in the queue? */
4814 rc = avc_has_perm(msec->sid, isec->sid,
4815 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4820 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4821 struct task_struct *target,
4822 long type, int mode)
4824 struct task_security_struct *tsec;
4825 struct ipc_security_struct *isec;
4826 struct msg_security_struct *msec;
4827 struct avc_audit_data ad;
4830 tsec = target->security;
4831 isec = msq->q_perm.security;
4832 msec = msg->security;
4834 AVC_AUDIT_DATA_INIT(&ad, IPC);
4835 ad.u.ipc_id = msq->q_perm.key;
4837 rc = avc_has_perm(tsec->sid, isec->sid,
4838 SECCLASS_MSGQ, MSGQ__READ, &ad);
4840 rc = avc_has_perm(tsec->sid, msec->sid,
4841 SECCLASS_MSG, MSG__RECEIVE, &ad);
4845 /* Shared Memory security operations */
4846 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4848 struct task_security_struct *tsec;
4849 struct ipc_security_struct *isec;
4850 struct avc_audit_data ad;
4853 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4857 tsec = current->security;
4858 isec = shp->shm_perm.security;
4860 AVC_AUDIT_DATA_INIT(&ad, IPC);
4861 ad.u.ipc_id = shp->shm_perm.key;
4863 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4866 ipc_free_security(&shp->shm_perm);
4872 static void selinux_shm_free_security(struct shmid_kernel *shp)
4874 ipc_free_security(&shp->shm_perm);
4877 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4879 struct task_security_struct *tsec;
4880 struct ipc_security_struct *isec;
4881 struct avc_audit_data ad;
4883 tsec = current->security;
4884 isec = shp->shm_perm.security;
4886 AVC_AUDIT_DATA_INIT(&ad, IPC);
4887 ad.u.ipc_id = shp->shm_perm.key;
4889 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4890 SHM__ASSOCIATE, &ad);
4893 /* Note, at this point, shp is locked down */
4894 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4902 /* No specific object, just general system-wide information. */
4903 return task_has_system(current, SYSTEM__IPC_INFO);
4906 perms = SHM__GETATTR | SHM__ASSOCIATE;
4909 perms = SHM__SETATTR;
4916 perms = SHM__DESTROY;
4922 err = ipc_has_perm(&shp->shm_perm, perms);
4926 static int selinux_shm_shmat(struct shmid_kernel *shp,
4927 char __user *shmaddr, int shmflg)
4932 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4936 if (shmflg & SHM_RDONLY)
4939 perms = SHM__READ | SHM__WRITE;
4941 return ipc_has_perm(&shp->shm_perm, perms);
4944 /* Semaphore security operations */
4945 static int selinux_sem_alloc_security(struct sem_array *sma)
4947 struct task_security_struct *tsec;
4948 struct ipc_security_struct *isec;
4949 struct avc_audit_data ad;
4952 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4956 tsec = current->security;
4957 isec = sma->sem_perm.security;
4959 AVC_AUDIT_DATA_INIT(&ad, IPC);
4960 ad.u.ipc_id = sma->sem_perm.key;
4962 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4965 ipc_free_security(&sma->sem_perm);
4971 static void selinux_sem_free_security(struct sem_array *sma)
4973 ipc_free_security(&sma->sem_perm);
4976 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4978 struct task_security_struct *tsec;
4979 struct ipc_security_struct *isec;
4980 struct avc_audit_data ad;
4982 tsec = current->security;
4983 isec = sma->sem_perm.security;
4985 AVC_AUDIT_DATA_INIT(&ad, IPC);
4986 ad.u.ipc_id = sma->sem_perm.key;
4988 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4989 SEM__ASSOCIATE, &ad);
4992 /* Note, at this point, sma is locked down */
4993 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5001 /* No specific object, just general system-wide information. */
5002 return task_has_system(current, SYSTEM__IPC_INFO);
5006 perms = SEM__GETATTR;
5017 perms = SEM__DESTROY;
5020 perms = SEM__SETATTR;
5024 perms = SEM__GETATTR | SEM__ASSOCIATE;
5030 err = ipc_has_perm(&sma->sem_perm, perms);
5034 static int selinux_sem_semop(struct sem_array *sma,
5035 struct sembuf *sops, unsigned nsops, int alter)
5040 perms = SEM__READ | SEM__WRITE;
5044 return ipc_has_perm(&sma->sem_perm, perms);
5047 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5053 av |= IPC__UNIX_READ;
5055 av |= IPC__UNIX_WRITE;
5060 return ipc_has_perm(ipcp, av);
5063 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5065 struct ipc_security_struct *isec = ipcp->security;
5069 /* module stacking operations */
5070 static int selinux_register_security(const char *name, struct security_operations *ops)
5072 if (secondary_ops != original_ops) {
5073 printk(KERN_ERR "%s: There is already a secondary security "
5074 "module registered.\n", __func__);
5078 secondary_ops = ops;
5080 printk(KERN_INFO "%s: Registering secondary module %s\n",
5087 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5090 inode_doinit_with_dentry(inode, dentry);
5093 static int selinux_getprocattr(struct task_struct *p,
5094 char *name, char **value)
5096 struct task_security_struct *tsec;
5102 error = task_has_perm(current, p, PROCESS__GETATTR);
5109 if (!strcmp(name, "current"))
5111 else if (!strcmp(name, "prev"))
5113 else if (!strcmp(name, "exec"))
5114 sid = tsec->exec_sid;
5115 else if (!strcmp(name, "fscreate"))
5116 sid = tsec->create_sid;
5117 else if (!strcmp(name, "keycreate"))
5118 sid = tsec->keycreate_sid;
5119 else if (!strcmp(name, "sockcreate"))
5120 sid = tsec->sockcreate_sid;
5127 error = security_sid_to_context(sid, value, &len);
5133 static int selinux_setprocattr(struct task_struct *p,
5134 char *name, void *value, size_t size)
5136 struct task_security_struct *tsec;
5137 struct task_struct *tracer;
5143 /* SELinux only allows a process to change its own
5144 security attributes. */
5149 * Basic control over ability to set these attributes at all.
5150 * current == p, but we'll pass them separately in case the
5151 * above restriction is ever removed.
5153 if (!strcmp(name, "exec"))
5154 error = task_has_perm(current, p, PROCESS__SETEXEC);
5155 else if (!strcmp(name, "fscreate"))
5156 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5157 else if (!strcmp(name, "keycreate"))
5158 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5159 else if (!strcmp(name, "sockcreate"))
5160 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5161 else if (!strcmp(name, "current"))
5162 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5168 /* Obtain a SID for the context, if one was specified. */
5169 if (size && str[1] && str[1] != '\n') {
5170 if (str[size-1] == '\n') {
5174 error = security_context_to_sid(value, size, &sid);
5175 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5176 if (!capable(CAP_MAC_ADMIN))
5178 error = security_context_to_sid_force(value, size,
5185 /* Permission checking based on the specified context is
5186 performed during the actual operation (execve,
5187 open/mkdir/...), when we know the full context of the
5188 operation. See selinux_bprm_set_security for the execve
5189 checks and may_create for the file creation checks. The
5190 operation will then fail if the context is not permitted. */
5192 if (!strcmp(name, "exec"))
5193 tsec->exec_sid = sid;
5194 else if (!strcmp(name, "fscreate"))
5195 tsec->create_sid = sid;
5196 else if (!strcmp(name, "keycreate")) {
5197 error = may_create_key(sid, p);
5200 tsec->keycreate_sid = sid;
5201 } else if (!strcmp(name, "sockcreate"))
5202 tsec->sockcreate_sid = sid;
5203 else if (!strcmp(name, "current")) {
5204 struct av_decision avd;
5209 /* Only allow single threaded processes to change context */
5210 if (atomic_read(&p->mm->mm_users) != 1) {
5211 struct task_struct *g, *t;
5212 struct mm_struct *mm = p->mm;
5213 read_lock(&tasklist_lock);
5214 do_each_thread(g, t)
5215 if (t->mm == mm && t != p) {
5216 read_unlock(&tasklist_lock);
5219 while_each_thread(g, t);
5220 read_unlock(&tasklist_lock);
5223 /* Check permissions for the transition. */
5224 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5225 PROCESS__DYNTRANSITION, NULL);
5229 /* Check for ptracing, and update the task SID if ok.
5230 Otherwise, leave SID unchanged and fail. */
5233 tracer = task_tracer_task(p);
5234 if (tracer != NULL) {
5235 struct task_security_struct *ptsec = tracer->security;
5236 u32 ptsid = ptsec->sid;
5238 error = avc_has_perm_noaudit(ptsid, sid,
5240 PROCESS__PTRACE, 0, &avd);
5244 avc_audit(ptsid, sid, SECCLASS_PROCESS,
5245 PROCESS__PTRACE, &avd, error, NULL);
5259 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5261 return security_sid_to_context(secid, secdata, seclen);
5264 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5266 return security_context_to_sid(secdata, seclen, secid);
5269 static void selinux_release_secctx(char *secdata, u32 seclen)
5276 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5277 unsigned long flags)
5279 struct task_security_struct *tsec = tsk->security;
5280 struct key_security_struct *ksec;
5282 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5286 if (tsec->keycreate_sid)
5287 ksec->sid = tsec->keycreate_sid;
5289 ksec->sid = tsec->sid;
5295 static void selinux_key_free(struct key *k)
5297 struct key_security_struct *ksec = k->security;
5303 static int selinux_key_permission(key_ref_t key_ref,
5304 struct task_struct *ctx,
5308 struct task_security_struct *tsec;
5309 struct key_security_struct *ksec;
5311 key = key_ref_to_ptr(key_ref);
5313 tsec = ctx->security;
5314 ksec = key->security;
5316 /* if no specific permissions are requested, we skip the
5317 permission check. No serious, additional covert channels
5318 appear to be created. */
5322 return avc_has_perm(tsec->sid, ksec->sid,
5323 SECCLASS_KEY, perm, NULL);
5326 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5328 struct key_security_struct *ksec = key->security;
5329 char *context = NULL;
5333 rc = security_sid_to_context(ksec->sid, &context, &len);
5342 static struct security_operations selinux_ops = {
5345 .ptrace = selinux_ptrace,
5346 .capget = selinux_capget,
5347 .capset_check = selinux_capset_check,
5348 .capset_set = selinux_capset_set,
5349 .sysctl = selinux_sysctl,
5350 .capable = selinux_capable,
5351 .quotactl = selinux_quotactl,
5352 .quota_on = selinux_quota_on,
5353 .syslog = selinux_syslog,
5354 .vm_enough_memory = selinux_vm_enough_memory,
5356 .netlink_send = selinux_netlink_send,
5357 .netlink_recv = selinux_netlink_recv,
5359 .bprm_alloc_security = selinux_bprm_alloc_security,
5360 .bprm_free_security = selinux_bprm_free_security,
5361 .bprm_apply_creds = selinux_bprm_apply_creds,
5362 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5363 .bprm_set_security = selinux_bprm_set_security,
5364 .bprm_check_security = selinux_bprm_check_security,
5365 .bprm_secureexec = selinux_bprm_secureexec,
5367 .sb_alloc_security = selinux_sb_alloc_security,
5368 .sb_free_security = selinux_sb_free_security,
5369 .sb_copy_data = selinux_sb_copy_data,
5370 .sb_kern_mount = selinux_sb_kern_mount,
5371 .sb_statfs = selinux_sb_statfs,
5372 .sb_mount = selinux_mount,
5373 .sb_umount = selinux_umount,
5374 .sb_get_mnt_opts = selinux_get_mnt_opts,
5375 .sb_set_mnt_opts = selinux_set_mnt_opts,
5376 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5377 .sb_parse_opts_str = selinux_parse_opts_str,
5380 .inode_alloc_security = selinux_inode_alloc_security,
5381 .inode_free_security = selinux_inode_free_security,
5382 .inode_init_security = selinux_inode_init_security,
5383 .inode_create = selinux_inode_create,
5384 .inode_link = selinux_inode_link,
5385 .inode_unlink = selinux_inode_unlink,
5386 .inode_symlink = selinux_inode_symlink,
5387 .inode_mkdir = selinux_inode_mkdir,
5388 .inode_rmdir = selinux_inode_rmdir,
5389 .inode_mknod = selinux_inode_mknod,
5390 .inode_rename = selinux_inode_rename,
5391 .inode_readlink = selinux_inode_readlink,
5392 .inode_follow_link = selinux_inode_follow_link,
5393 .inode_permission = selinux_inode_permission,
5394 .inode_setattr = selinux_inode_setattr,
5395 .inode_getattr = selinux_inode_getattr,
5396 .inode_setxattr = selinux_inode_setxattr,
5397 .inode_post_setxattr = selinux_inode_post_setxattr,
5398 .inode_getxattr = selinux_inode_getxattr,
5399 .inode_listxattr = selinux_inode_listxattr,
5400 .inode_removexattr = selinux_inode_removexattr,
5401 .inode_getsecurity = selinux_inode_getsecurity,
5402 .inode_setsecurity = selinux_inode_setsecurity,
5403 .inode_listsecurity = selinux_inode_listsecurity,
5404 .inode_need_killpriv = selinux_inode_need_killpriv,
5405 .inode_killpriv = selinux_inode_killpriv,
5406 .inode_getsecid = selinux_inode_getsecid,
5408 .file_permission = selinux_file_permission,
5409 .file_alloc_security = selinux_file_alloc_security,
5410 .file_free_security = selinux_file_free_security,
5411 .file_ioctl = selinux_file_ioctl,
5412 .file_mmap = selinux_file_mmap,
5413 .file_mprotect = selinux_file_mprotect,
5414 .file_lock = selinux_file_lock,
5415 .file_fcntl = selinux_file_fcntl,
5416 .file_set_fowner = selinux_file_set_fowner,
5417 .file_send_sigiotask = selinux_file_send_sigiotask,
5418 .file_receive = selinux_file_receive,
5420 .dentry_open = selinux_dentry_open,
5422 .task_create = selinux_task_create,
5423 .task_alloc_security = selinux_task_alloc_security,
5424 .task_free_security = selinux_task_free_security,
5425 .task_setuid = selinux_task_setuid,
5426 .task_post_setuid = selinux_task_post_setuid,
5427 .task_setgid = selinux_task_setgid,
5428 .task_setpgid = selinux_task_setpgid,
5429 .task_getpgid = selinux_task_getpgid,
5430 .task_getsid = selinux_task_getsid,
5431 .task_getsecid = selinux_task_getsecid,
5432 .task_setgroups = selinux_task_setgroups,
5433 .task_setnice = selinux_task_setnice,
5434 .task_setioprio = selinux_task_setioprio,
5435 .task_getioprio = selinux_task_getioprio,
5436 .task_setrlimit = selinux_task_setrlimit,
5437 .task_setscheduler = selinux_task_setscheduler,
5438 .task_getscheduler = selinux_task_getscheduler,
5439 .task_movememory = selinux_task_movememory,
5440 .task_kill = selinux_task_kill,
5441 .task_wait = selinux_task_wait,
5442 .task_prctl = selinux_task_prctl,
5443 .task_reparent_to_init = selinux_task_reparent_to_init,
5444 .task_to_inode = selinux_task_to_inode,
5446 .ipc_permission = selinux_ipc_permission,
5447 .ipc_getsecid = selinux_ipc_getsecid,
5449 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5450 .msg_msg_free_security = selinux_msg_msg_free_security,
5452 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5453 .msg_queue_free_security = selinux_msg_queue_free_security,
5454 .msg_queue_associate = selinux_msg_queue_associate,
5455 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5456 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5457 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5459 .shm_alloc_security = selinux_shm_alloc_security,
5460 .shm_free_security = selinux_shm_free_security,
5461 .shm_associate = selinux_shm_associate,
5462 .shm_shmctl = selinux_shm_shmctl,
5463 .shm_shmat = selinux_shm_shmat,
5465 .sem_alloc_security = selinux_sem_alloc_security,
5466 .sem_free_security = selinux_sem_free_security,
5467 .sem_associate = selinux_sem_associate,
5468 .sem_semctl = selinux_sem_semctl,
5469 .sem_semop = selinux_sem_semop,
5471 .register_security = selinux_register_security,
5473 .d_instantiate = selinux_d_instantiate,
5475 .getprocattr = selinux_getprocattr,
5476 .setprocattr = selinux_setprocattr,
5478 .secid_to_secctx = selinux_secid_to_secctx,
5479 .secctx_to_secid = selinux_secctx_to_secid,
5480 .release_secctx = selinux_release_secctx,
5482 .unix_stream_connect = selinux_socket_unix_stream_connect,
5483 .unix_may_send = selinux_socket_unix_may_send,
5485 .socket_create = selinux_socket_create,
5486 .socket_post_create = selinux_socket_post_create,
5487 .socket_bind = selinux_socket_bind,
5488 .socket_connect = selinux_socket_connect,
5489 .socket_listen = selinux_socket_listen,
5490 .socket_accept = selinux_socket_accept,
5491 .socket_sendmsg = selinux_socket_sendmsg,
5492 .socket_recvmsg = selinux_socket_recvmsg,
5493 .socket_getsockname = selinux_socket_getsockname,
5494 .socket_getpeername = selinux_socket_getpeername,
5495 .socket_getsockopt = selinux_socket_getsockopt,
5496 .socket_setsockopt = selinux_socket_setsockopt,
5497 .socket_shutdown = selinux_socket_shutdown,
5498 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5499 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5500 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5501 .sk_alloc_security = selinux_sk_alloc_security,
5502 .sk_free_security = selinux_sk_free_security,
5503 .sk_clone_security = selinux_sk_clone_security,
5504 .sk_getsecid = selinux_sk_getsecid,
5505 .sock_graft = selinux_sock_graft,
5506 .inet_conn_request = selinux_inet_conn_request,
5507 .inet_csk_clone = selinux_inet_csk_clone,
5508 .inet_conn_established = selinux_inet_conn_established,
5509 .req_classify_flow = selinux_req_classify_flow,
5511 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5512 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5513 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5514 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5515 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5516 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5517 .xfrm_state_free_security = selinux_xfrm_state_free,
5518 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5519 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5520 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5521 .xfrm_decode_session = selinux_xfrm_decode_session,
5525 .key_alloc = selinux_key_alloc,
5526 .key_free = selinux_key_free,
5527 .key_permission = selinux_key_permission,
5528 .key_getsecurity = selinux_key_getsecurity,
5532 .audit_rule_init = selinux_audit_rule_init,
5533 .audit_rule_known = selinux_audit_rule_known,
5534 .audit_rule_match = selinux_audit_rule_match,
5535 .audit_rule_free = selinux_audit_rule_free,
5539 static __init int selinux_init(void)
5541 struct task_security_struct *tsec;
5543 if (!security_module_enable(&selinux_ops)) {
5544 selinux_enabled = 0;
5548 if (!selinux_enabled) {
5549 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5553 printk(KERN_INFO "SELinux: Initializing.\n");
5555 /* Set the security state for the initial task. */
5556 if (task_alloc_security(current))
5557 panic("SELinux: Failed to initialize initial task.\n");
5558 tsec = current->security;
5559 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5561 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5562 sizeof(struct inode_security_struct),
5563 0, SLAB_PANIC, NULL);
5566 original_ops = secondary_ops = security_ops;
5568 panic("SELinux: No initial security operations\n");
5569 if (register_security(&selinux_ops))
5570 panic("SELinux: Unable to register with kernel.\n");
5572 if (selinux_enforcing)
5573 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5575 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5580 void selinux_complete_init(void)
5582 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5584 /* Set up any superblocks initialized prior to the policy load. */
5585 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5586 spin_lock(&sb_lock);
5587 spin_lock(&sb_security_lock);
5589 if (!list_empty(&superblock_security_head)) {
5590 struct superblock_security_struct *sbsec =
5591 list_entry(superblock_security_head.next,
5592 struct superblock_security_struct,
5594 struct super_block *sb = sbsec->sb;
5596 spin_unlock(&sb_security_lock);
5597 spin_unlock(&sb_lock);
5598 down_read(&sb->s_umount);
5600 superblock_doinit(sb, NULL);
5602 spin_lock(&sb_lock);
5603 spin_lock(&sb_security_lock);
5604 list_del_init(&sbsec->list);
5607 spin_unlock(&sb_security_lock);
5608 spin_unlock(&sb_lock);
5611 /* SELinux requires early initialization in order to label
5612 all processes and objects when they are created. */
5613 security_initcall(selinux_init);
5615 #if defined(CONFIG_NETFILTER)
5617 static struct nf_hook_ops selinux_ipv4_ops[] = {
5619 .hook = selinux_ipv4_postroute,
5620 .owner = THIS_MODULE,
5622 .hooknum = NF_INET_POST_ROUTING,
5623 .priority = NF_IP_PRI_SELINUX_LAST,
5626 .hook = selinux_ipv4_forward,
5627 .owner = THIS_MODULE,
5629 .hooknum = NF_INET_FORWARD,
5630 .priority = NF_IP_PRI_SELINUX_FIRST,
5634 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5636 static struct nf_hook_ops selinux_ipv6_ops[] = {
5638 .hook = selinux_ipv6_postroute,
5639 .owner = THIS_MODULE,
5641 .hooknum = NF_INET_POST_ROUTING,
5642 .priority = NF_IP6_PRI_SELINUX_LAST,
5645 .hook = selinux_ipv6_forward,
5646 .owner = THIS_MODULE,
5648 .hooknum = NF_INET_FORWARD,
5649 .priority = NF_IP6_PRI_SELINUX_FIRST,
5655 static int __init selinux_nf_ip_init(void)
5660 if (!selinux_enabled)
5663 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5665 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5666 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5668 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5672 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5673 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5674 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5676 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5685 __initcall(selinux_nf_ip_init);
5687 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5688 static void selinux_nf_ip_exit(void)
5692 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5694 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5695 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5696 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5697 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5698 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5703 #else /* CONFIG_NETFILTER */
5705 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5706 #define selinux_nf_ip_exit()
5709 #endif /* CONFIG_NETFILTER */
5711 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5712 static int selinux_disabled;
5714 int selinux_disable(void)
5716 extern void exit_sel_fs(void);
5718 if (ss_initialized) {
5719 /* Not permitted after initial policy load. */
5723 if (selinux_disabled) {
5724 /* Only do this once. */
5728 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5730 selinux_disabled = 1;
5731 selinux_enabled = 0;
5733 /* Reset security_ops to the secondary module, dummy or capability. */
5734 security_ops = secondary_ops;
5736 /* Unregister netfilter hooks. */
5737 selinux_nf_ip_exit();
5739 /* Unregister selinuxfs. */