2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/ext2_fs.h>
32 #include <linux/sched.h>
33 #include <linux/security.h>
34 #include <linux/xattr.h>
35 #include <linux/capability.h>
36 #include <linux/unistd.h>
38 #include <linux/mman.h>
39 #include <linux/slab.h>
40 #include <linux/pagemap.h>
41 #include <linux/proc_fs.h>
42 #include <linux/swap.h>
43 #include <linux/spinlock.h>
44 #include <linux/syscalls.h>
45 #include <linux/dcache.h>
46 #include <linux/file.h>
47 #include <linux/fdtable.h>
48 #include <linux/namei.h>
49 #include <linux/mount.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
54 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h> /* for network interface checks */
65 #include <linux/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/quota.h>
70 #include <linux/un.h> /* for Unix socket types */
71 #include <net/af_unix.h> /* for Unix socket types */
72 #include <linux/parser.h>
73 #include <linux/nfs_mount.h>
75 #include <linux/hugetlb.h>
76 #include <linux/personality.h>
77 #include <linux/audit.h>
78 #include <linux/string.h>
79 #include <linux/selinux.h>
80 #include <linux/mutex.h>
81 #include <linux/posix-timers.h>
82 #include <linux/syslog.h>
83 #include <linux/user_namespace.h>
84 #include <linux/export.h>
96 #define NUM_SEL_MNT_OPTS 5
98 extern struct security_operations *security_ops;
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
106 static int __init enforcing_setup(char *str)
108 unsigned long enforcing;
109 if (!strict_strtoul(str, 0, &enforcing))
110 selinux_enforcing = enforcing ? 1 : 0;
113 __setup("enforcing=", enforcing_setup);
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
119 static int __init selinux_enabled_setup(char *str)
121 unsigned long enabled;
122 if (!strict_strtoul(str, 0, &enabled))
123 selinux_enabled = enabled ? 1 : 0;
126 __setup("selinux=", selinux_enabled_setup);
128 int selinux_enabled = 1;
131 static struct kmem_cache *sel_inode_cache;
134 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
137 * This function checks the SECMARK reference counter to see if any SECMARK
138 * targets are currently configured, if the reference counter is greater than
139 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
140 * enabled, false (0) if SECMARK is disabled.
143 static int selinux_secmark_enabled(void)
145 return (atomic_read(&selinux_secmark_refcount) > 0);
149 * initialise the security for the init task
151 static void cred_init_security(void)
153 struct cred *cred = (struct cred *) current->real_cred;
154 struct task_security_struct *tsec;
156 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
158 panic("SELinux: Failed to initialize initial task.\n");
160 tsec->osid = tsec->sid = SECINITSID_KERNEL;
161 cred->security = tsec;
165 * get the security ID of a set of credentials
167 static inline u32 cred_sid(const struct cred *cred)
169 const struct task_security_struct *tsec;
171 tsec = cred->security;
176 * get the objective security ID of a task
178 static inline u32 task_sid(const struct task_struct *task)
183 sid = cred_sid(__task_cred(task));
189 * get the subjective security ID of the current task
191 static inline u32 current_sid(void)
193 const struct task_security_struct *tsec = current_security();
198 /* Allocate and free functions for each kind of security blob. */
200 static int inode_alloc_security(struct inode *inode)
202 struct inode_security_struct *isec;
203 u32 sid = current_sid();
205 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
209 mutex_init(&isec->lock);
210 INIT_LIST_HEAD(&isec->list);
212 isec->sid = SECINITSID_UNLABELED;
213 isec->sclass = SECCLASS_FILE;
214 isec->task_sid = sid;
215 inode->i_security = isec;
220 static void inode_free_rcu(struct rcu_head *head)
222 struct inode_security_struct *isec;
224 isec = container_of(head, struct inode_security_struct, rcu);
225 kmem_cache_free(sel_inode_cache, isec);
228 static void inode_free_security(struct inode *inode)
230 struct inode_security_struct *isec = inode->i_security;
231 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
233 spin_lock(&sbsec->isec_lock);
234 if (!list_empty(&isec->list))
235 list_del_init(&isec->list);
236 spin_unlock(&sbsec->isec_lock);
239 * The inode may still be referenced in a path walk and
240 * a call to selinux_inode_permission() can be made
241 * after inode_free_security() is called. Ideally, the VFS
242 * wouldn't do this, but fixing that is a much harder
243 * job. For now, simply free the i_security via RCU, and
244 * leave the current inode->i_security pointer intact.
245 * The inode will be freed after the RCU grace period too.
247 call_rcu(&isec->rcu, inode_free_rcu);
250 static int file_alloc_security(struct file *file)
252 struct file_security_struct *fsec;
253 u32 sid = current_sid();
255 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
260 fsec->fown_sid = sid;
261 file->f_security = fsec;
266 static void file_free_security(struct file *file)
268 struct file_security_struct *fsec = file->f_security;
269 file->f_security = NULL;
273 static int superblock_alloc_security(struct super_block *sb)
275 struct superblock_security_struct *sbsec;
277 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
281 mutex_init(&sbsec->lock);
282 INIT_LIST_HEAD(&sbsec->isec_head);
283 spin_lock_init(&sbsec->isec_lock);
285 sbsec->sid = SECINITSID_UNLABELED;
286 sbsec->def_sid = SECINITSID_FILE;
287 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
288 sb->s_security = sbsec;
293 static void superblock_free_security(struct super_block *sb)
295 struct superblock_security_struct *sbsec = sb->s_security;
296 sb->s_security = NULL;
300 /* The file system's label must be initialized prior to use. */
302 static const char *labeling_behaviors[6] = {
304 "uses transition SIDs",
306 "uses genfs_contexts",
307 "not configured for labeling",
308 "uses mountpoint labeling",
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313 static inline int inode_doinit(struct inode *inode)
315 return inode_doinit_with_dentry(inode, NULL);
324 Opt_labelsupport = 5,
327 static const match_table_t tokens = {
328 {Opt_context, CONTEXT_STR "%s"},
329 {Opt_fscontext, FSCONTEXT_STR "%s"},
330 {Opt_defcontext, DEFCONTEXT_STR "%s"},
331 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
332 {Opt_labelsupport, LABELSUPP_STR},
336 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
338 static int may_context_mount_sb_relabel(u32 sid,
339 struct superblock_security_struct *sbsec,
340 const struct cred *cred)
342 const struct task_security_struct *tsec = cred->security;
345 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
346 FILESYSTEM__RELABELFROM, NULL);
350 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
351 FILESYSTEM__RELABELTO, NULL);
355 static int may_context_mount_inode_relabel(u32 sid,
356 struct superblock_security_struct *sbsec,
357 const struct cred *cred)
359 const struct task_security_struct *tsec = cred->security;
361 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
362 FILESYSTEM__RELABELFROM, NULL);
366 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
367 FILESYSTEM__ASSOCIATE, NULL);
371 static int sb_finish_set_opts(struct super_block *sb)
373 struct superblock_security_struct *sbsec = sb->s_security;
374 struct dentry *root = sb->s_root;
375 struct inode *root_inode = root->d_inode;
378 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
379 /* Make sure that the xattr handler exists and that no
380 error other than -ENODATA is returned by getxattr on
381 the root directory. -ENODATA is ok, as this may be
382 the first boot of the SELinux kernel before we have
383 assigned xattr values to the filesystem. */
384 if (!root_inode->i_op->getxattr) {
385 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
386 "xattr support\n", sb->s_id, sb->s_type->name);
390 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
391 if (rc < 0 && rc != -ENODATA) {
392 if (rc == -EOPNOTSUPP)
393 printk(KERN_WARNING "SELinux: (dev %s, type "
394 "%s) has no security xattr handler\n",
395 sb->s_id, sb->s_type->name);
397 printk(KERN_WARNING "SELinux: (dev %s, type "
398 "%s) getxattr errno %d\n", sb->s_id,
399 sb->s_type->name, -rc);
404 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
406 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
407 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
408 sb->s_id, sb->s_type->name);
410 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
411 sb->s_id, sb->s_type->name,
412 labeling_behaviors[sbsec->behavior-1]);
414 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
415 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
416 sbsec->behavior == SECURITY_FS_USE_NONE ||
417 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
418 sbsec->flags &= ~SE_SBLABELSUPP;
420 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
421 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
422 sbsec->flags |= SE_SBLABELSUPP;
424 /* Initialize the root inode. */
425 rc = inode_doinit_with_dentry(root_inode, root);
427 /* Initialize any other inodes associated with the superblock, e.g.
428 inodes created prior to initial policy load or inodes created
429 during get_sb by a pseudo filesystem that directly
431 spin_lock(&sbsec->isec_lock);
433 if (!list_empty(&sbsec->isec_head)) {
434 struct inode_security_struct *isec =
435 list_entry(sbsec->isec_head.next,
436 struct inode_security_struct, list);
437 struct inode *inode = isec->inode;
438 spin_unlock(&sbsec->isec_lock);
439 inode = igrab(inode);
441 if (!IS_PRIVATE(inode))
445 spin_lock(&sbsec->isec_lock);
446 list_del_init(&isec->list);
449 spin_unlock(&sbsec->isec_lock);
455 * This function should allow an FS to ask what it's mount security
456 * options were so it can use those later for submounts, displaying
457 * mount options, or whatever.
459 static int selinux_get_mnt_opts(const struct super_block *sb,
460 struct security_mnt_opts *opts)
463 struct superblock_security_struct *sbsec = sb->s_security;
464 char *context = NULL;
468 security_init_mnt_opts(opts);
470 if (!(sbsec->flags & SE_SBINITIALIZED))
476 tmp = sbsec->flags & SE_MNTMASK;
477 /* count the number of mount options for this sb */
478 for (i = 0; i < 8; i++) {
480 opts->num_mnt_opts++;
483 /* Check if the Label support flag is set */
484 if (sbsec->flags & SE_SBLABELSUPP)
485 opts->num_mnt_opts++;
487 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
488 if (!opts->mnt_opts) {
493 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
494 if (!opts->mnt_opts_flags) {
500 if (sbsec->flags & FSCONTEXT_MNT) {
501 rc = security_sid_to_context(sbsec->sid, &context, &len);
504 opts->mnt_opts[i] = context;
505 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
507 if (sbsec->flags & CONTEXT_MNT) {
508 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
511 opts->mnt_opts[i] = context;
512 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
514 if (sbsec->flags & DEFCONTEXT_MNT) {
515 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
518 opts->mnt_opts[i] = context;
519 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
521 if (sbsec->flags & ROOTCONTEXT_MNT) {
522 struct inode *root = sbsec->sb->s_root->d_inode;
523 struct inode_security_struct *isec = root->i_security;
525 rc = security_sid_to_context(isec->sid, &context, &len);
528 opts->mnt_opts[i] = context;
529 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
531 if (sbsec->flags & SE_SBLABELSUPP) {
532 opts->mnt_opts[i] = NULL;
533 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
536 BUG_ON(i != opts->num_mnt_opts);
541 security_free_mnt_opts(opts);
545 static int bad_option(struct superblock_security_struct *sbsec, char flag,
546 u32 old_sid, u32 new_sid)
548 char mnt_flags = sbsec->flags & SE_MNTMASK;
550 /* check if the old mount command had the same options */
551 if (sbsec->flags & SE_SBINITIALIZED)
552 if (!(sbsec->flags & flag) ||
553 (old_sid != new_sid))
556 /* check if we were passed the same options twice,
557 * aka someone passed context=a,context=b
559 if (!(sbsec->flags & SE_SBINITIALIZED))
560 if (mnt_flags & flag)
566 * Allow filesystems with binary mount data to explicitly set mount point
567 * labeling information.
569 static int selinux_set_mnt_opts(struct super_block *sb,
570 struct security_mnt_opts *opts)
572 const struct cred *cred = current_cred();
574 struct superblock_security_struct *sbsec = sb->s_security;
575 const char *name = sb->s_type->name;
576 struct inode *inode = sbsec->sb->s_root->d_inode;
577 struct inode_security_struct *root_isec = inode->i_security;
578 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
579 u32 defcontext_sid = 0;
580 char **mount_options = opts->mnt_opts;
581 int *flags = opts->mnt_opts_flags;
582 int num_opts = opts->num_mnt_opts;
584 mutex_lock(&sbsec->lock);
586 if (!ss_initialized) {
588 /* Defer initialization until selinux_complete_init,
589 after the initial policy is loaded and the security
590 server is ready to handle calls. */
594 printk(KERN_WARNING "SELinux: Unable to set superblock options "
595 "before the security server is initialized\n");
600 * Binary mount data FS will come through this function twice. Once
601 * from an explicit call and once from the generic calls from the vfs.
602 * Since the generic VFS calls will not contain any security mount data
603 * we need to skip the double mount verification.
605 * This does open a hole in which we will not notice if the first
606 * mount using this sb set explict options and a second mount using
607 * this sb does not set any security options. (The first options
608 * will be used for both mounts)
610 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
615 * parse the mount options, check if they are valid sids.
616 * also check if someone is trying to mount the same sb more
617 * than once with different security options.
619 for (i = 0; i < num_opts; i++) {
622 if (flags[i] == SE_SBLABELSUPP)
624 rc = security_context_to_sid(mount_options[i],
625 strlen(mount_options[i]), &sid);
627 printk(KERN_WARNING "SELinux: security_context_to_sid"
628 "(%s) failed for (dev %s, type %s) errno=%d\n",
629 mount_options[i], sb->s_id, name, rc);
636 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
638 goto out_double_mount;
640 sbsec->flags |= FSCONTEXT_MNT;
645 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
647 goto out_double_mount;
649 sbsec->flags |= CONTEXT_MNT;
651 case ROOTCONTEXT_MNT:
652 rootcontext_sid = sid;
654 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
656 goto out_double_mount;
658 sbsec->flags |= ROOTCONTEXT_MNT;
662 defcontext_sid = sid;
664 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
666 goto out_double_mount;
668 sbsec->flags |= DEFCONTEXT_MNT;
677 if (sbsec->flags & SE_SBINITIALIZED) {
678 /* previously mounted with options, but not on this attempt? */
679 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
680 goto out_double_mount;
685 if (strcmp(sb->s_type->name, "proc") == 0)
686 sbsec->flags |= SE_SBPROC;
688 /* Determine the labeling behavior to use for this filesystem type. */
689 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
691 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
692 __func__, sb->s_type->name, rc);
696 /* sets the context of the superblock for the fs being mounted. */
698 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
702 sbsec->sid = fscontext_sid;
706 * Switch to using mount point labeling behavior.
707 * sets the label used on all file below the mountpoint, and will set
708 * the superblock context if not already set.
711 if (!fscontext_sid) {
712 rc = may_context_mount_sb_relabel(context_sid, sbsec,
716 sbsec->sid = context_sid;
718 rc = may_context_mount_inode_relabel(context_sid, sbsec,
723 if (!rootcontext_sid)
724 rootcontext_sid = context_sid;
726 sbsec->mntpoint_sid = context_sid;
727 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
730 if (rootcontext_sid) {
731 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
736 root_isec->sid = rootcontext_sid;
737 root_isec->initialized = 1;
740 if (defcontext_sid) {
741 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
743 printk(KERN_WARNING "SELinux: defcontext option is "
744 "invalid for this filesystem type\n");
748 if (defcontext_sid != sbsec->def_sid) {
749 rc = may_context_mount_inode_relabel(defcontext_sid,
755 sbsec->def_sid = defcontext_sid;
758 rc = sb_finish_set_opts(sb);
760 mutex_unlock(&sbsec->lock);
764 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
765 "security settings for (dev %s, type %s)\n", sb->s_id, name);
769 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
770 struct super_block *newsb)
772 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
773 struct superblock_security_struct *newsbsec = newsb->s_security;
775 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
776 int set_context = (oldsbsec->flags & CONTEXT_MNT);
777 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
780 * if the parent was able to be mounted it clearly had no special lsm
781 * mount options. thus we can safely deal with this superblock later
786 /* how can we clone if the old one wasn't set up?? */
787 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
789 /* if fs is reusing a sb, just let its options stand... */
790 if (newsbsec->flags & SE_SBINITIALIZED)
793 mutex_lock(&newsbsec->lock);
795 newsbsec->flags = oldsbsec->flags;
797 newsbsec->sid = oldsbsec->sid;
798 newsbsec->def_sid = oldsbsec->def_sid;
799 newsbsec->behavior = oldsbsec->behavior;
802 u32 sid = oldsbsec->mntpoint_sid;
806 if (!set_rootcontext) {
807 struct inode *newinode = newsb->s_root->d_inode;
808 struct inode_security_struct *newisec = newinode->i_security;
811 newsbsec->mntpoint_sid = sid;
813 if (set_rootcontext) {
814 const struct inode *oldinode = oldsb->s_root->d_inode;
815 const struct inode_security_struct *oldisec = oldinode->i_security;
816 struct inode *newinode = newsb->s_root->d_inode;
817 struct inode_security_struct *newisec = newinode->i_security;
819 newisec->sid = oldisec->sid;
822 sb_finish_set_opts(newsb);
823 mutex_unlock(&newsbsec->lock);
826 static int selinux_parse_opts_str(char *options,
827 struct security_mnt_opts *opts)
830 char *context = NULL, *defcontext = NULL;
831 char *fscontext = NULL, *rootcontext = NULL;
832 int rc, num_mnt_opts = 0;
834 opts->num_mnt_opts = 0;
836 /* Standard string-based options. */
837 while ((p = strsep(&options, "|")) != NULL) {
839 substring_t args[MAX_OPT_ARGS];
844 token = match_token(p, tokens, args);
848 if (context || defcontext) {
850 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
853 context = match_strdup(&args[0]);
863 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
866 fscontext = match_strdup(&args[0]);
873 case Opt_rootcontext:
876 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
879 rootcontext = match_strdup(&args[0]);
887 if (context || defcontext) {
889 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
892 defcontext = match_strdup(&args[0]);
898 case Opt_labelsupport:
902 printk(KERN_WARNING "SELinux: unknown mount option\n");
909 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
913 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
914 if (!opts->mnt_opts_flags) {
915 kfree(opts->mnt_opts);
920 opts->mnt_opts[num_mnt_opts] = fscontext;
921 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
924 opts->mnt_opts[num_mnt_opts] = context;
925 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
928 opts->mnt_opts[num_mnt_opts] = rootcontext;
929 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
932 opts->mnt_opts[num_mnt_opts] = defcontext;
933 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
936 opts->num_mnt_opts = num_mnt_opts;
947 * string mount options parsing and call set the sbsec
949 static int superblock_doinit(struct super_block *sb, void *data)
952 char *options = data;
953 struct security_mnt_opts opts;
955 security_init_mnt_opts(&opts);
960 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
962 rc = selinux_parse_opts_str(options, &opts);
967 rc = selinux_set_mnt_opts(sb, &opts);
970 security_free_mnt_opts(&opts);
974 static void selinux_write_opts(struct seq_file *m,
975 struct security_mnt_opts *opts)
980 for (i = 0; i < opts->num_mnt_opts; i++) {
983 if (opts->mnt_opts[i])
984 has_comma = strchr(opts->mnt_opts[i], ',');
988 switch (opts->mnt_opts_flags[i]) {
990 prefix = CONTEXT_STR;
993 prefix = FSCONTEXT_STR;
995 case ROOTCONTEXT_MNT:
996 prefix = ROOTCONTEXT_STR;
999 prefix = DEFCONTEXT_STR;
1001 case SE_SBLABELSUPP:
1003 seq_puts(m, LABELSUPP_STR);
1009 /* we need a comma before each option */
1011 seq_puts(m, prefix);
1014 seq_puts(m, opts->mnt_opts[i]);
1020 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1022 struct security_mnt_opts opts;
1025 rc = selinux_get_mnt_opts(sb, &opts);
1027 /* before policy load we may get EINVAL, don't show anything */
1033 selinux_write_opts(m, &opts);
1035 security_free_mnt_opts(&opts);
1040 static inline u16 inode_mode_to_security_class(umode_t mode)
1042 switch (mode & S_IFMT) {
1044 return SECCLASS_SOCK_FILE;
1046 return SECCLASS_LNK_FILE;
1048 return SECCLASS_FILE;
1050 return SECCLASS_BLK_FILE;
1052 return SECCLASS_DIR;
1054 return SECCLASS_CHR_FILE;
1056 return SECCLASS_FIFO_FILE;
1060 return SECCLASS_FILE;
1063 static inline int default_protocol_stream(int protocol)
1065 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1068 static inline int default_protocol_dgram(int protocol)
1070 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1073 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1079 case SOCK_SEQPACKET:
1080 return SECCLASS_UNIX_STREAM_SOCKET;
1082 return SECCLASS_UNIX_DGRAM_SOCKET;
1089 if (default_protocol_stream(protocol))
1090 return SECCLASS_TCP_SOCKET;
1092 return SECCLASS_RAWIP_SOCKET;
1094 if (default_protocol_dgram(protocol))
1095 return SECCLASS_UDP_SOCKET;
1097 return SECCLASS_RAWIP_SOCKET;
1099 return SECCLASS_DCCP_SOCKET;
1101 return SECCLASS_RAWIP_SOCKET;
1107 return SECCLASS_NETLINK_ROUTE_SOCKET;
1108 case NETLINK_FIREWALL:
1109 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1110 case NETLINK_INET_DIAG:
1111 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1113 return SECCLASS_NETLINK_NFLOG_SOCKET;
1115 return SECCLASS_NETLINK_XFRM_SOCKET;
1116 case NETLINK_SELINUX:
1117 return SECCLASS_NETLINK_SELINUX_SOCKET;
1119 return SECCLASS_NETLINK_AUDIT_SOCKET;
1120 case NETLINK_IP6_FW:
1121 return SECCLASS_NETLINK_IP6FW_SOCKET;
1122 case NETLINK_DNRTMSG:
1123 return SECCLASS_NETLINK_DNRT_SOCKET;
1124 case NETLINK_KOBJECT_UEVENT:
1125 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1127 return SECCLASS_NETLINK_SOCKET;
1130 return SECCLASS_PACKET_SOCKET;
1132 return SECCLASS_KEY_SOCKET;
1134 return SECCLASS_APPLETALK_SOCKET;
1137 return SECCLASS_SOCKET;
1140 #ifdef CONFIG_PROC_FS
1141 static int selinux_proc_get_sid(struct dentry *dentry,
1146 char *buffer, *path;
1148 buffer = (char *)__get_free_page(GFP_KERNEL);
1152 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1156 /* each process gets a /proc/PID/ entry. Strip off the
1157 * PID part to get a valid selinux labeling.
1158 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1159 while (path[1] >= '0' && path[1] <= '9') {
1163 rc = security_genfs_sid("proc", path, tclass, sid);
1165 free_page((unsigned long)buffer);
1169 static int selinux_proc_get_sid(struct dentry *dentry,
1177 /* The inode's security attributes must be initialized before first use. */
1178 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1180 struct superblock_security_struct *sbsec = NULL;
1181 struct inode_security_struct *isec = inode->i_security;
1183 struct dentry *dentry;
1184 #define INITCONTEXTLEN 255
1185 char *context = NULL;
1189 if (isec->initialized)
1192 mutex_lock(&isec->lock);
1193 if (isec->initialized)
1196 sbsec = inode->i_sb->s_security;
1197 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1198 /* Defer initialization until selinux_complete_init,
1199 after the initial policy is loaded and the security
1200 server is ready to handle calls. */
1201 spin_lock(&sbsec->isec_lock);
1202 if (list_empty(&isec->list))
1203 list_add(&isec->list, &sbsec->isec_head);
1204 spin_unlock(&sbsec->isec_lock);
1208 switch (sbsec->behavior) {
1209 case SECURITY_FS_USE_XATTR:
1210 if (!inode->i_op->getxattr) {
1211 isec->sid = sbsec->def_sid;
1215 /* Need a dentry, since the xattr API requires one.
1216 Life would be simpler if we could just pass the inode. */
1218 /* Called from d_instantiate or d_splice_alias. */
1219 dentry = dget(opt_dentry);
1221 /* Called from selinux_complete_init, try to find a dentry. */
1222 dentry = d_find_alias(inode);
1226 * this is can be hit on boot when a file is accessed
1227 * before the policy is loaded. When we load policy we
1228 * may find inodes that have no dentry on the
1229 * sbsec->isec_head list. No reason to complain as these
1230 * will get fixed up the next time we go through
1231 * inode_doinit with a dentry, before these inodes could
1232 * be used again by userspace.
1237 len = INITCONTEXTLEN;
1238 context = kmalloc(len+1, GFP_NOFS);
1244 context[len] = '\0';
1245 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1247 if (rc == -ERANGE) {
1250 /* Need a larger buffer. Query for the right size. */
1251 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1258 context = kmalloc(len+1, GFP_NOFS);
1264 context[len] = '\0';
1265 rc = inode->i_op->getxattr(dentry,
1271 if (rc != -ENODATA) {
1272 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1273 "%d for dev=%s ino=%ld\n", __func__,
1274 -rc, inode->i_sb->s_id, inode->i_ino);
1278 /* Map ENODATA to the default file SID */
1279 sid = sbsec->def_sid;
1282 rc = security_context_to_sid_default(context, rc, &sid,
1286 char *dev = inode->i_sb->s_id;
1287 unsigned long ino = inode->i_ino;
1289 if (rc == -EINVAL) {
1290 if (printk_ratelimit())
1291 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1292 "context=%s. This indicates you may need to relabel the inode or the "
1293 "filesystem in question.\n", ino, dev, context);
1295 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1296 "returned %d for dev=%s ino=%ld\n",
1297 __func__, context, -rc, dev, ino);
1300 /* Leave with the unlabeled SID */
1308 case SECURITY_FS_USE_TASK:
1309 isec->sid = isec->task_sid;
1311 case SECURITY_FS_USE_TRANS:
1312 /* Default to the fs SID. */
1313 isec->sid = sbsec->sid;
1315 /* Try to obtain a transition SID. */
1316 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1317 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1318 isec->sclass, NULL, &sid);
1323 case SECURITY_FS_USE_MNTPOINT:
1324 isec->sid = sbsec->mntpoint_sid;
1327 /* Default to the fs superblock SID. */
1328 isec->sid = sbsec->sid;
1330 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1332 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1333 rc = selinux_proc_get_sid(opt_dentry,
1344 isec->initialized = 1;
1347 mutex_unlock(&isec->lock);
1349 if (isec->sclass == SECCLASS_FILE)
1350 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1354 /* Convert a Linux signal to an access vector. */
1355 static inline u32 signal_to_av(int sig)
1361 /* Commonly granted from child to parent. */
1362 perm = PROCESS__SIGCHLD;
1365 /* Cannot be caught or ignored */
1366 perm = PROCESS__SIGKILL;
1369 /* Cannot be caught or ignored */
1370 perm = PROCESS__SIGSTOP;
1373 /* All other signals. */
1374 perm = PROCESS__SIGNAL;
1382 * Check permission between a pair of credentials
1383 * fork check, ptrace check, etc.
1385 static int cred_has_perm(const struct cred *actor,
1386 const struct cred *target,
1389 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1391 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1395 * Check permission between a pair of tasks, e.g. signal checks,
1396 * fork check, ptrace check, etc.
1397 * tsk1 is the actor and tsk2 is the target
1398 * - this uses the default subjective creds of tsk1
1400 static int task_has_perm(const struct task_struct *tsk1,
1401 const struct task_struct *tsk2,
1404 const struct task_security_struct *__tsec1, *__tsec2;
1408 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1409 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1411 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1415 * Check permission between current and another task, e.g. signal checks,
1416 * fork check, ptrace check, etc.
1417 * current is the actor and tsk2 is the target
1418 * - this uses current's subjective creds
1420 static int current_has_perm(const struct task_struct *tsk,
1425 sid = current_sid();
1426 tsid = task_sid(tsk);
1427 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1430 #if CAP_LAST_CAP > 63
1431 #error Fix SELinux to handle capabilities > 63.
1434 /* Check whether a task is allowed to use a capability. */
1435 static int task_has_capability(struct task_struct *tsk,
1436 const struct cred *cred,
1439 struct common_audit_data ad;
1440 struct av_decision avd;
1442 u32 sid = cred_sid(cred);
1443 u32 av = CAP_TO_MASK(cap);
1446 COMMON_AUDIT_DATA_INIT(&ad, CAP);
1450 switch (CAP_TO_INDEX(cap)) {
1452 sclass = SECCLASS_CAPABILITY;
1455 sclass = SECCLASS_CAPABILITY2;
1459 "SELinux: out of range capability %d\n", cap);
1464 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1465 if (audit == SECURITY_CAP_AUDIT) {
1466 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1473 /* Check whether a task is allowed to use a system operation. */
1474 static int task_has_system(struct task_struct *tsk,
1477 u32 sid = task_sid(tsk);
1479 return avc_has_perm(sid, SECINITSID_KERNEL,
1480 SECCLASS_SYSTEM, perms, NULL);
1483 /* Check whether a task has a particular permission to an inode.
1484 The 'adp' parameter is optional and allows other audit
1485 data to be passed (e.g. the dentry). */
1486 static int inode_has_perm(const struct cred *cred,
1487 struct inode *inode,
1489 struct common_audit_data *adp,
1492 struct inode_security_struct *isec;
1495 validate_creds(cred);
1497 if (unlikely(IS_PRIVATE(inode)))
1500 sid = cred_sid(cred);
1501 isec = inode->i_security;
1503 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1506 static int inode_has_perm_noadp(const struct cred *cred,
1507 struct inode *inode,
1511 struct common_audit_data ad;
1513 COMMON_AUDIT_DATA_INIT(&ad, INODE);
1515 return inode_has_perm(cred, inode, perms, &ad, flags);
1518 /* Same as inode_has_perm, but pass explicit audit data containing
1519 the dentry to help the auditing code to more easily generate the
1520 pathname if needed. */
1521 static inline int dentry_has_perm(const struct cred *cred,
1522 struct dentry *dentry,
1525 struct inode *inode = dentry->d_inode;
1526 struct common_audit_data ad;
1528 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1529 ad.u.dentry = dentry;
1530 return inode_has_perm(cred, inode, av, &ad, 0);
1533 /* Same as inode_has_perm, but pass explicit audit data containing
1534 the path to help the auditing code to more easily generate the
1535 pathname if needed. */
1536 static inline int path_has_perm(const struct cred *cred,
1540 struct inode *inode = path->dentry->d_inode;
1541 struct common_audit_data ad;
1543 COMMON_AUDIT_DATA_INIT(&ad, PATH);
1545 return inode_has_perm(cred, inode, av, &ad, 0);
1548 /* Check whether a task can use an open file descriptor to
1549 access an inode in a given way. Check access to the
1550 descriptor itself, and then use dentry_has_perm to
1551 check a particular permission to the file.
1552 Access to the descriptor is implicitly granted if it
1553 has the same SID as the process. If av is zero, then
1554 access to the file is not checked, e.g. for cases
1555 where only the descriptor is affected like seek. */
1556 static int file_has_perm(const struct cred *cred,
1560 struct file_security_struct *fsec = file->f_security;
1561 struct inode *inode = file->f_path.dentry->d_inode;
1562 struct common_audit_data ad;
1563 u32 sid = cred_sid(cred);
1566 COMMON_AUDIT_DATA_INIT(&ad, PATH);
1567 ad.u.path = file->f_path;
1569 if (sid != fsec->sid) {
1570 rc = avc_has_perm(sid, fsec->sid,
1578 /* av is zero if only checking access to the descriptor. */
1581 rc = inode_has_perm(cred, inode, av, &ad, 0);
1587 /* Check whether a task can create a file. */
1588 static int may_create(struct inode *dir,
1589 struct dentry *dentry,
1592 const struct task_security_struct *tsec = current_security();
1593 struct inode_security_struct *dsec;
1594 struct superblock_security_struct *sbsec;
1596 struct common_audit_data ad;
1599 dsec = dir->i_security;
1600 sbsec = dir->i_sb->s_security;
1603 newsid = tsec->create_sid;
1605 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1606 ad.u.dentry = dentry;
1608 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1609 DIR__ADD_NAME | DIR__SEARCH,
1614 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1615 rc = security_transition_sid(sid, dsec->sid, tclass,
1616 &dentry->d_name, &newsid);
1621 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1625 return avc_has_perm(newsid, sbsec->sid,
1626 SECCLASS_FILESYSTEM,
1627 FILESYSTEM__ASSOCIATE, &ad);
1630 /* Check whether a task can create a key. */
1631 static int may_create_key(u32 ksid,
1632 struct task_struct *ctx)
1634 u32 sid = task_sid(ctx);
1636 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1640 #define MAY_UNLINK 1
1643 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1644 static int may_link(struct inode *dir,
1645 struct dentry *dentry,
1649 struct inode_security_struct *dsec, *isec;
1650 struct common_audit_data ad;
1651 u32 sid = current_sid();
1655 dsec = dir->i_security;
1656 isec = dentry->d_inode->i_security;
1658 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1659 ad.u.dentry = dentry;
1662 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1663 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1678 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1683 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1687 static inline int may_rename(struct inode *old_dir,
1688 struct dentry *old_dentry,
1689 struct inode *new_dir,
1690 struct dentry *new_dentry)
1692 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1693 struct common_audit_data ad;
1694 u32 sid = current_sid();
1696 int old_is_dir, new_is_dir;
1699 old_dsec = old_dir->i_security;
1700 old_isec = old_dentry->d_inode->i_security;
1701 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1702 new_dsec = new_dir->i_security;
1704 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1706 ad.u.dentry = old_dentry;
1707 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1708 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1711 rc = avc_has_perm(sid, old_isec->sid,
1712 old_isec->sclass, FILE__RENAME, &ad);
1715 if (old_is_dir && new_dir != old_dir) {
1716 rc = avc_has_perm(sid, old_isec->sid,
1717 old_isec->sclass, DIR__REPARENT, &ad);
1722 ad.u.dentry = new_dentry;
1723 av = DIR__ADD_NAME | DIR__SEARCH;
1724 if (new_dentry->d_inode)
1725 av |= DIR__REMOVE_NAME;
1726 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1729 if (new_dentry->d_inode) {
1730 new_isec = new_dentry->d_inode->i_security;
1731 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1732 rc = avc_has_perm(sid, new_isec->sid,
1734 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1742 /* Check whether a task can perform a filesystem operation. */
1743 static int superblock_has_perm(const struct cred *cred,
1744 struct super_block *sb,
1746 struct common_audit_data *ad)
1748 struct superblock_security_struct *sbsec;
1749 u32 sid = cred_sid(cred);
1751 sbsec = sb->s_security;
1752 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1755 /* Convert a Linux mode and permission mask to an access vector. */
1756 static inline u32 file_mask_to_av(int mode, int mask)
1760 if ((mode & S_IFMT) != S_IFDIR) {
1761 if (mask & MAY_EXEC)
1762 av |= FILE__EXECUTE;
1763 if (mask & MAY_READ)
1766 if (mask & MAY_APPEND)
1768 else if (mask & MAY_WRITE)
1772 if (mask & MAY_EXEC)
1774 if (mask & MAY_WRITE)
1776 if (mask & MAY_READ)
1783 /* Convert a Linux file to an access vector. */
1784 static inline u32 file_to_av(struct file *file)
1788 if (file->f_mode & FMODE_READ)
1790 if (file->f_mode & FMODE_WRITE) {
1791 if (file->f_flags & O_APPEND)
1798 * Special file opened with flags 3 for ioctl-only use.
1807 * Convert a file to an access vector and include the correct open
1810 static inline u32 open_file_to_av(struct file *file)
1812 u32 av = file_to_av(file);
1814 if (selinux_policycap_openperm)
1820 /* Hook functions begin here. */
1822 static int selinux_ptrace_access_check(struct task_struct *child,
1827 rc = cap_ptrace_access_check(child, mode);
1831 if (mode == PTRACE_MODE_READ) {
1832 u32 sid = current_sid();
1833 u32 csid = task_sid(child);
1834 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1837 return current_has_perm(child, PROCESS__PTRACE);
1840 static int selinux_ptrace_traceme(struct task_struct *parent)
1844 rc = cap_ptrace_traceme(parent);
1848 return task_has_perm(parent, current, PROCESS__PTRACE);
1851 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1852 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1856 error = current_has_perm(target, PROCESS__GETCAP);
1860 return cap_capget(target, effective, inheritable, permitted);
1863 static int selinux_capset(struct cred *new, const struct cred *old,
1864 const kernel_cap_t *effective,
1865 const kernel_cap_t *inheritable,
1866 const kernel_cap_t *permitted)
1870 error = cap_capset(new, old,
1871 effective, inheritable, permitted);
1875 return cred_has_perm(old, new, PROCESS__SETCAP);
1879 * (This comment used to live with the selinux_task_setuid hook,
1880 * which was removed).
1882 * Since setuid only affects the current process, and since the SELinux
1883 * controls are not based on the Linux identity attributes, SELinux does not
1884 * need to control this operation. However, SELinux does control the use of
1885 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1888 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1889 struct user_namespace *ns, int cap, int audit)
1893 rc = cap_capable(tsk, cred, ns, cap, audit);
1897 return task_has_capability(tsk, cred, cap, audit);
1900 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1902 const struct cred *cred = current_cred();
1914 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1919 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1922 rc = 0; /* let the kernel handle invalid cmds */
1928 static int selinux_quota_on(struct dentry *dentry)
1930 const struct cred *cred = current_cred();
1932 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1935 static int selinux_syslog(int type)
1940 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1941 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1942 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1944 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1945 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
1946 /* Set level of messages printed to console */
1947 case SYSLOG_ACTION_CONSOLE_LEVEL:
1948 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1950 case SYSLOG_ACTION_CLOSE: /* Close log */
1951 case SYSLOG_ACTION_OPEN: /* Open log */
1952 case SYSLOG_ACTION_READ: /* Read from log */
1953 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
1954 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
1956 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1963 * Check that a process has enough memory to allocate a new virtual
1964 * mapping. 0 means there is enough memory for the allocation to
1965 * succeed and -ENOMEM implies there is not.
1967 * Do not audit the selinux permission check, as this is applied to all
1968 * processes that allocate mappings.
1970 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1972 int rc, cap_sys_admin = 0;
1974 rc = selinux_capable(current, current_cred(),
1975 &init_user_ns, CAP_SYS_ADMIN,
1976 SECURITY_CAP_NOAUDIT);
1980 return __vm_enough_memory(mm, pages, cap_sys_admin);
1983 /* binprm security operations */
1985 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1987 const struct task_security_struct *old_tsec;
1988 struct task_security_struct *new_tsec;
1989 struct inode_security_struct *isec;
1990 struct common_audit_data ad;
1991 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1994 rc = cap_bprm_set_creds(bprm);
1998 /* SELinux context only depends on initial program or script and not
1999 * the script interpreter */
2000 if (bprm->cred_prepared)
2003 old_tsec = current_security();
2004 new_tsec = bprm->cred->security;
2005 isec = inode->i_security;
2007 /* Default to the current task SID. */
2008 new_tsec->sid = old_tsec->sid;
2009 new_tsec->osid = old_tsec->sid;
2011 /* Reset fs, key, and sock SIDs on execve. */
2012 new_tsec->create_sid = 0;
2013 new_tsec->keycreate_sid = 0;
2014 new_tsec->sockcreate_sid = 0;
2016 if (old_tsec->exec_sid) {
2017 new_tsec->sid = old_tsec->exec_sid;
2018 /* Reset exec SID on execve. */
2019 new_tsec->exec_sid = 0;
2021 /* Check for a default transition on this program. */
2022 rc = security_transition_sid(old_tsec->sid, isec->sid,
2023 SECCLASS_PROCESS, NULL,
2029 COMMON_AUDIT_DATA_INIT(&ad, PATH);
2030 ad.u.path = bprm->file->f_path;
2032 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2033 new_tsec->sid = old_tsec->sid;
2035 if (new_tsec->sid == old_tsec->sid) {
2036 rc = avc_has_perm(old_tsec->sid, isec->sid,
2037 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2041 /* Check permissions for the transition. */
2042 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2043 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2047 rc = avc_has_perm(new_tsec->sid, isec->sid,
2048 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2052 /* Check for shared state */
2053 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2054 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2055 SECCLASS_PROCESS, PROCESS__SHARE,
2061 /* Make sure that anyone attempting to ptrace over a task that
2062 * changes its SID has the appropriate permit */
2064 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2065 struct task_struct *tracer;
2066 struct task_security_struct *sec;
2070 tracer = ptrace_parent(current);
2071 if (likely(tracer != NULL)) {
2072 sec = __task_cred(tracer)->security;
2078 rc = avc_has_perm(ptsid, new_tsec->sid,
2080 PROCESS__PTRACE, NULL);
2086 /* Clear any possibly unsafe personality bits on exec: */
2087 bprm->per_clear |= PER_CLEAR_ON_SETID;
2093 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2095 const struct task_security_struct *tsec = current_security();
2103 /* Enable secure mode for SIDs transitions unless
2104 the noatsecure permission is granted between
2105 the two SIDs, i.e. ahp returns 0. */
2106 atsecure = avc_has_perm(osid, sid,
2108 PROCESS__NOATSECURE, NULL);
2111 return (atsecure || cap_bprm_secureexec(bprm));
2114 /* Derived from fs/exec.c:flush_old_files. */
2115 static inline void flush_unauthorized_files(const struct cred *cred,
2116 struct files_struct *files)
2118 struct common_audit_data ad;
2119 struct file *file, *devnull = NULL;
2120 struct tty_struct *tty;
2121 struct fdtable *fdt;
2125 tty = get_current_tty();
2127 spin_lock(&tty_files_lock);
2128 if (!list_empty(&tty->tty_files)) {
2129 struct tty_file_private *file_priv;
2130 struct inode *inode;
2132 /* Revalidate access to controlling tty.
2133 Use inode_has_perm on the tty inode directly rather
2134 than using file_has_perm, as this particular open
2135 file may belong to another process and we are only
2136 interested in the inode-based check here. */
2137 file_priv = list_first_entry(&tty->tty_files,
2138 struct tty_file_private, list);
2139 file = file_priv->file;
2140 inode = file->f_path.dentry->d_inode;
2141 if (inode_has_perm_noadp(cred, inode,
2142 FILE__READ | FILE__WRITE, 0)) {
2146 spin_unlock(&tty_files_lock);
2149 /* Reset controlling tty. */
2153 /* Revalidate access to inherited open files. */
2155 COMMON_AUDIT_DATA_INIT(&ad, INODE);
2157 spin_lock(&files->file_lock);
2159 unsigned long set, i;
2164 fdt = files_fdtable(files);
2165 if (i >= fdt->max_fds)
2167 set = fdt->open_fds->fds_bits[j];
2170 spin_unlock(&files->file_lock);
2171 for ( ; set ; i++, set >>= 1) {
2176 if (file_has_perm(cred,
2178 file_to_av(file))) {
2180 fd = get_unused_fd();
2190 devnull = dentry_open(
2192 mntget(selinuxfs_mount),
2194 if (IS_ERR(devnull)) {
2201 fd_install(fd, devnull);
2206 spin_lock(&files->file_lock);
2209 spin_unlock(&files->file_lock);
2213 * Prepare a process for imminent new credential changes due to exec
2215 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2217 struct task_security_struct *new_tsec;
2218 struct rlimit *rlim, *initrlim;
2221 new_tsec = bprm->cred->security;
2222 if (new_tsec->sid == new_tsec->osid)
2225 /* Close files for which the new task SID is not authorized. */
2226 flush_unauthorized_files(bprm->cred, current->files);
2228 /* Always clear parent death signal on SID transitions. */
2229 current->pdeath_signal = 0;
2231 /* Check whether the new SID can inherit resource limits from the old
2232 * SID. If not, reset all soft limits to the lower of the current
2233 * task's hard limit and the init task's soft limit.
2235 * Note that the setting of hard limits (even to lower them) can be
2236 * controlled by the setrlimit check. The inclusion of the init task's
2237 * soft limit into the computation is to avoid resetting soft limits
2238 * higher than the default soft limit for cases where the default is
2239 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2241 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2242 PROCESS__RLIMITINH, NULL);
2244 /* protect against do_prlimit() */
2246 for (i = 0; i < RLIM_NLIMITS; i++) {
2247 rlim = current->signal->rlim + i;
2248 initrlim = init_task.signal->rlim + i;
2249 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2251 task_unlock(current);
2252 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2257 * Clean up the process immediately after the installation of new credentials
2260 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2262 const struct task_security_struct *tsec = current_security();
2263 struct itimerval itimer;
2273 /* Check whether the new SID can inherit signal state from the old SID.
2274 * If not, clear itimers to avoid subsequent signal generation and
2275 * flush and unblock signals.
2277 * This must occur _after_ the task SID has been updated so that any
2278 * kill done after the flush will be checked against the new SID.
2280 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2282 memset(&itimer, 0, sizeof itimer);
2283 for (i = 0; i < 3; i++)
2284 do_setitimer(i, &itimer, NULL);
2285 spin_lock_irq(¤t->sighand->siglock);
2286 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2287 __flush_signals(current);
2288 flush_signal_handlers(current, 1);
2289 sigemptyset(¤t->blocked);
2291 spin_unlock_irq(¤t->sighand->siglock);
2294 /* Wake up the parent if it is waiting so that it can recheck
2295 * wait permission to the new task SID. */
2296 read_lock(&tasklist_lock);
2297 __wake_up_parent(current, current->real_parent);
2298 read_unlock(&tasklist_lock);
2301 /* superblock security operations */
2303 static int selinux_sb_alloc_security(struct super_block *sb)
2305 return superblock_alloc_security(sb);
2308 static void selinux_sb_free_security(struct super_block *sb)
2310 superblock_free_security(sb);
2313 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2318 return !memcmp(prefix, option, plen);
2321 static inline int selinux_option(char *option, int len)
2323 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2324 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2325 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2326 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2327 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2330 static inline void take_option(char **to, char *from, int *first, int len)
2337 memcpy(*to, from, len);
2341 static inline void take_selinux_option(char **to, char *from, int *first,
2344 int current_size = 0;
2352 while (current_size < len) {
2362 static int selinux_sb_copy_data(char *orig, char *copy)
2364 int fnosec, fsec, rc = 0;
2365 char *in_save, *in_curr, *in_end;
2366 char *sec_curr, *nosec_save, *nosec;
2372 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2380 in_save = in_end = orig;
2384 open_quote = !open_quote;
2385 if ((*in_end == ',' && open_quote == 0) ||
2387 int len = in_end - in_curr;
2389 if (selinux_option(in_curr, len))
2390 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2392 take_option(&nosec, in_curr, &fnosec, len);
2394 in_curr = in_end + 1;
2396 } while (*in_end++);
2398 strcpy(in_save, nosec_save);
2399 free_page((unsigned long)nosec_save);
2404 static int selinux_sb_remount(struct super_block *sb, void *data)
2407 struct security_mnt_opts opts;
2408 char *secdata, **mount_options;
2409 struct superblock_security_struct *sbsec = sb->s_security;
2411 if (!(sbsec->flags & SE_SBINITIALIZED))
2417 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2420 security_init_mnt_opts(&opts);
2421 secdata = alloc_secdata();
2424 rc = selinux_sb_copy_data(data, secdata);
2426 goto out_free_secdata;
2428 rc = selinux_parse_opts_str(secdata, &opts);
2430 goto out_free_secdata;
2432 mount_options = opts.mnt_opts;
2433 flags = opts.mnt_opts_flags;
2435 for (i = 0; i < opts.num_mnt_opts; i++) {
2439 if (flags[i] == SE_SBLABELSUPP)
2441 len = strlen(mount_options[i]);
2442 rc = security_context_to_sid(mount_options[i], len, &sid);
2444 printk(KERN_WARNING "SELinux: security_context_to_sid"
2445 "(%s) failed for (dev %s, type %s) errno=%d\n",
2446 mount_options[i], sb->s_id, sb->s_type->name, rc);
2452 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2453 goto out_bad_option;
2456 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2457 goto out_bad_option;
2459 case ROOTCONTEXT_MNT: {
2460 struct inode_security_struct *root_isec;
2461 root_isec = sb->s_root->d_inode->i_security;
2463 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2464 goto out_bad_option;
2467 case DEFCONTEXT_MNT:
2468 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2469 goto out_bad_option;
2478 security_free_mnt_opts(&opts);
2480 free_secdata(secdata);
2483 printk(KERN_WARNING "SELinux: unable to change security options "
2484 "during remount (dev %s, type=%s)\n", sb->s_id,
2489 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2491 const struct cred *cred = current_cred();
2492 struct common_audit_data ad;
2495 rc = superblock_doinit(sb, data);
2499 /* Allow all mounts performed by the kernel */
2500 if (flags & MS_KERNMOUNT)
2503 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2504 ad.u.dentry = sb->s_root;
2505 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2508 static int selinux_sb_statfs(struct dentry *dentry)
2510 const struct cred *cred = current_cred();
2511 struct common_audit_data ad;
2513 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2514 ad.u.dentry = dentry->d_sb->s_root;
2515 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2518 static int selinux_mount(char *dev_name,
2521 unsigned long flags,
2524 const struct cred *cred = current_cred();
2526 if (flags & MS_REMOUNT)
2527 return superblock_has_perm(cred, path->mnt->mnt_sb,
2528 FILESYSTEM__REMOUNT, NULL);
2530 return path_has_perm(cred, path, FILE__MOUNTON);
2533 static int selinux_umount(struct vfsmount *mnt, int flags)
2535 const struct cred *cred = current_cred();
2537 return superblock_has_perm(cred, mnt->mnt_sb,
2538 FILESYSTEM__UNMOUNT, NULL);
2541 /* inode security operations */
2543 static int selinux_inode_alloc_security(struct inode *inode)
2545 return inode_alloc_security(inode);
2548 static void selinux_inode_free_security(struct inode *inode)
2550 inode_free_security(inode);
2553 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2554 const struct qstr *qstr, char **name,
2555 void **value, size_t *len)
2557 const struct task_security_struct *tsec = current_security();
2558 struct inode_security_struct *dsec;
2559 struct superblock_security_struct *sbsec;
2560 u32 sid, newsid, clen;
2562 char *namep = NULL, *context;
2564 dsec = dir->i_security;
2565 sbsec = dir->i_sb->s_security;
2568 newsid = tsec->create_sid;
2570 if ((sbsec->flags & SE_SBINITIALIZED) &&
2571 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2572 newsid = sbsec->mntpoint_sid;
2573 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2574 rc = security_transition_sid(sid, dsec->sid,
2575 inode_mode_to_security_class(inode->i_mode),
2578 printk(KERN_WARNING "%s: "
2579 "security_transition_sid failed, rc=%d (dev=%s "
2582 -rc, inode->i_sb->s_id, inode->i_ino);
2587 /* Possibly defer initialization to selinux_complete_init. */
2588 if (sbsec->flags & SE_SBINITIALIZED) {
2589 struct inode_security_struct *isec = inode->i_security;
2590 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2592 isec->initialized = 1;
2595 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2599 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2606 rc = security_sid_to_context_force(newsid, &context, &clen);
2618 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2620 return may_create(dir, dentry, SECCLASS_FILE);
2623 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2625 return may_link(dir, old_dentry, MAY_LINK);
2628 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2630 return may_link(dir, dentry, MAY_UNLINK);
2633 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2635 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2638 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2640 return may_create(dir, dentry, SECCLASS_DIR);
2643 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2645 return may_link(dir, dentry, MAY_RMDIR);
2648 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2650 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2653 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2654 struct inode *new_inode, struct dentry *new_dentry)
2656 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2659 static int selinux_inode_readlink(struct dentry *dentry)
2661 const struct cred *cred = current_cred();
2663 return dentry_has_perm(cred, dentry, FILE__READ);
2666 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2668 const struct cred *cred = current_cred();
2670 return dentry_has_perm(cred, dentry, FILE__READ);
2673 static int selinux_inode_permission(struct inode *inode, int mask)
2675 const struct cred *cred = current_cred();
2676 struct common_audit_data ad;
2679 unsigned flags = mask & MAY_NOT_BLOCK;
2681 from_access = mask & MAY_ACCESS;
2682 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2684 /* No permission to check. Existence test. */
2688 COMMON_AUDIT_DATA_INIT(&ad, INODE);
2692 ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2694 perms = file_mask_to_av(inode->i_mode, mask);
2696 return inode_has_perm(cred, inode, perms, &ad, flags);
2699 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2701 const struct cred *cred = current_cred();
2702 unsigned int ia_valid = iattr->ia_valid;
2704 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2705 if (ia_valid & ATTR_FORCE) {
2706 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2712 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2713 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2714 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2716 return dentry_has_perm(cred, dentry, FILE__WRITE);
2719 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2721 const struct cred *cred = current_cred();
2724 path.dentry = dentry;
2727 return path_has_perm(cred, &path, FILE__GETATTR);
2730 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2732 const struct cred *cred = current_cred();
2734 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2735 sizeof XATTR_SECURITY_PREFIX - 1)) {
2736 if (!strcmp(name, XATTR_NAME_CAPS)) {
2737 if (!capable(CAP_SETFCAP))
2739 } else if (!capable(CAP_SYS_ADMIN)) {
2740 /* A different attribute in the security namespace.
2741 Restrict to administrator. */
2746 /* Not an attribute we recognize, so just check the
2747 ordinary setattr permission. */
2748 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2751 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2752 const void *value, size_t size, int flags)
2754 struct inode *inode = dentry->d_inode;
2755 struct inode_security_struct *isec = inode->i_security;
2756 struct superblock_security_struct *sbsec;
2757 struct common_audit_data ad;
2758 u32 newsid, sid = current_sid();
2761 if (strcmp(name, XATTR_NAME_SELINUX))
2762 return selinux_inode_setotherxattr(dentry, name);
2764 sbsec = inode->i_sb->s_security;
2765 if (!(sbsec->flags & SE_SBLABELSUPP))
2768 if (!inode_owner_or_capable(inode))
2771 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2772 ad.u.dentry = dentry;
2774 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2775 FILE__RELABELFROM, &ad);
2779 rc = security_context_to_sid(value, size, &newsid);
2780 if (rc == -EINVAL) {
2781 if (!capable(CAP_MAC_ADMIN))
2783 rc = security_context_to_sid_force(value, size, &newsid);
2788 rc = avc_has_perm(sid, newsid, isec->sclass,
2789 FILE__RELABELTO, &ad);
2793 rc = security_validate_transition(isec->sid, newsid, sid,
2798 return avc_has_perm(newsid,
2800 SECCLASS_FILESYSTEM,
2801 FILESYSTEM__ASSOCIATE,
2805 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2806 const void *value, size_t size,
2809 struct inode *inode = dentry->d_inode;
2810 struct inode_security_struct *isec = inode->i_security;
2814 if (strcmp(name, XATTR_NAME_SELINUX)) {
2815 /* Not an attribute we recognize, so nothing to do. */
2819 rc = security_context_to_sid_force(value, size, &newsid);
2821 printk(KERN_ERR "SELinux: unable to map context to SID"
2822 "for (%s, %lu), rc=%d\n",
2823 inode->i_sb->s_id, inode->i_ino, -rc);
2831 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2833 const struct cred *cred = current_cred();
2835 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2838 static int selinux_inode_listxattr(struct dentry *dentry)
2840 const struct cred *cred = current_cred();
2842 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2845 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2847 if (strcmp(name, XATTR_NAME_SELINUX))
2848 return selinux_inode_setotherxattr(dentry, name);
2850 /* No one is allowed to remove a SELinux security label.
2851 You can change the label, but all data must be labeled. */
2856 * Copy the inode security context value to the user.
2858 * Permission check is handled by selinux_inode_getxattr hook.
2860 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2864 char *context = NULL;
2865 struct inode_security_struct *isec = inode->i_security;
2867 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2871 * If the caller has CAP_MAC_ADMIN, then get the raw context
2872 * value even if it is not defined by current policy; otherwise,
2873 * use the in-core value under current policy.
2874 * Use the non-auditing forms of the permission checks since
2875 * getxattr may be called by unprivileged processes commonly
2876 * and lack of permission just means that we fall back to the
2877 * in-core context value, not a denial.
2879 error = selinux_capable(current, current_cred(),
2880 &init_user_ns, CAP_MAC_ADMIN,
2881 SECURITY_CAP_NOAUDIT);
2883 error = security_sid_to_context_force(isec->sid, &context,
2886 error = security_sid_to_context(isec->sid, &context, &size);
2899 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2900 const void *value, size_t size, int flags)
2902 struct inode_security_struct *isec = inode->i_security;
2906 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2909 if (!value || !size)
2912 rc = security_context_to_sid((void *)value, size, &newsid);
2917 isec->initialized = 1;
2921 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2923 const int len = sizeof(XATTR_NAME_SELINUX);
2924 if (buffer && len <= buffer_size)
2925 memcpy(buffer, XATTR_NAME_SELINUX, len);
2929 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2931 struct inode_security_struct *isec = inode->i_security;
2935 /* file security operations */
2937 static int selinux_revalidate_file_permission(struct file *file, int mask)
2939 const struct cred *cred = current_cred();
2940 struct inode *inode = file->f_path.dentry->d_inode;
2942 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2943 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2946 return file_has_perm(cred, file,
2947 file_mask_to_av(inode->i_mode, mask));
2950 static int selinux_file_permission(struct file *file, int mask)
2952 struct inode *inode = file->f_path.dentry->d_inode;
2953 struct file_security_struct *fsec = file->f_security;
2954 struct inode_security_struct *isec = inode->i_security;
2955 u32 sid = current_sid();
2958 /* No permission to check. Existence test. */
2961 if (sid == fsec->sid && fsec->isid == isec->sid &&
2962 fsec->pseqno == avc_policy_seqno())
2963 /* No change since dentry_open check. */
2966 return selinux_revalidate_file_permission(file, mask);
2969 static int selinux_file_alloc_security(struct file *file)
2971 return file_alloc_security(file);
2974 static void selinux_file_free_security(struct file *file)
2976 file_free_security(file);
2979 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2982 const struct cred *cred = current_cred();
2992 case EXT2_IOC_GETFLAGS:
2994 case EXT2_IOC_GETVERSION:
2995 error = file_has_perm(cred, file, FILE__GETATTR);
2998 case EXT2_IOC_SETFLAGS:
3000 case EXT2_IOC_SETVERSION:
3001 error = file_has_perm(cred, file, FILE__SETATTR);
3004 /* sys_ioctl() checks */
3008 error = file_has_perm(cred, file, 0);
3013 error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
3014 SECURITY_CAP_AUDIT);
3017 /* default case assumes that the command will go
3018 * to the file's ioctl() function.
3021 error = file_has_perm(cred, file, FILE__IOCTL);
3026 static int default_noexec;
3028 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3030 const struct cred *cred = current_cred();
3033 if (default_noexec &&
3034 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3036 * We are making executable an anonymous mapping or a
3037 * private file mapping that will also be writable.
3038 * This has an additional check.
3040 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3046 /* read access is always possible with a mapping */
3047 u32 av = FILE__READ;
3049 /* write access only matters if the mapping is shared */
3050 if (shared && (prot & PROT_WRITE))
3053 if (prot & PROT_EXEC)
3054 av |= FILE__EXECUTE;
3056 return file_has_perm(cred, file, av);
3063 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3064 unsigned long prot, unsigned long flags,
3065 unsigned long addr, unsigned long addr_only)
3068 u32 sid = current_sid();
3071 * notice that we are intentionally putting the SELinux check before
3072 * the secondary cap_file_mmap check. This is such a likely attempt
3073 * at bad behaviour/exploit that we always want to get the AVC, even
3074 * if DAC would have also denied the operation.
3076 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3077 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3078 MEMPROTECT__MMAP_ZERO, NULL);
3083 /* do DAC check on address space usage */
3084 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3085 if (rc || addr_only)
3088 if (selinux_checkreqprot)
3091 return file_map_prot_check(file, prot,
3092 (flags & MAP_TYPE) == MAP_SHARED);
3095 static int selinux_file_mprotect(struct vm_area_struct *vma,
3096 unsigned long reqprot,
3099 const struct cred *cred = current_cred();
3101 if (selinux_checkreqprot)
3104 if (default_noexec &&
3105 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3107 if (vma->vm_start >= vma->vm_mm->start_brk &&
3108 vma->vm_end <= vma->vm_mm->brk) {
3109 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3110 } else if (!vma->vm_file &&
3111 vma->vm_start <= vma->vm_mm->start_stack &&
3112 vma->vm_end >= vma->vm_mm->start_stack) {
3113 rc = current_has_perm(current, PROCESS__EXECSTACK);
3114 } else if (vma->vm_file && vma->anon_vma) {
3116 * We are making executable a file mapping that has
3117 * had some COW done. Since pages might have been
3118 * written, check ability to execute the possibly
3119 * modified content. This typically should only
3120 * occur for text relocations.
3122 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3128 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3131 static int selinux_file_lock(struct file *file, unsigned int cmd)
3133 const struct cred *cred = current_cred();
3135 return file_has_perm(cred, file, FILE__LOCK);
3138 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3141 const struct cred *cred = current_cred();
3146 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3151 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3152 err = file_has_perm(cred, file, FILE__WRITE);
3161 /* Just check FD__USE permission */
3162 err = file_has_perm(cred, file, 0);
3167 #if BITS_PER_LONG == 32
3172 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3176 err = file_has_perm(cred, file, FILE__LOCK);
3183 static int selinux_file_set_fowner(struct file *file)
3185 struct file_security_struct *fsec;
3187 fsec = file->f_security;
3188 fsec->fown_sid = current_sid();
3193 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3194 struct fown_struct *fown, int signum)
3197 u32 sid = task_sid(tsk);
3199 struct file_security_struct *fsec;
3201 /* struct fown_struct is never outside the context of a struct file */
3202 file = container_of(fown, struct file, f_owner);
3204 fsec = file->f_security;
3207 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3209 perm = signal_to_av(signum);
3211 return avc_has_perm(fsec->fown_sid, sid,
3212 SECCLASS_PROCESS, perm, NULL);
3215 static int selinux_file_receive(struct file *file)
3217 const struct cred *cred = current_cred();
3219 return file_has_perm(cred, file, file_to_av(file));
3222 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3224 struct file_security_struct *fsec;
3225 struct inode *inode;
3226 struct inode_security_struct *isec;
3228 inode = file->f_path.dentry->d_inode;
3229 fsec = file->f_security;
3230 isec = inode->i_security;
3232 * Save inode label and policy sequence number
3233 * at open-time so that selinux_file_permission
3234 * can determine whether revalidation is necessary.
3235 * Task label is already saved in the file security
3236 * struct as its SID.
3238 fsec->isid = isec->sid;
3239 fsec->pseqno = avc_policy_seqno();
3241 * Since the inode label or policy seqno may have changed
3242 * between the selinux_inode_permission check and the saving
3243 * of state above, recheck that access is still permitted.
3244 * Otherwise, access might never be revalidated against the
3245 * new inode label or new policy.
3246 * This check is not redundant - do not remove.
3248 return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0);
3251 /* task security operations */
3253 static int selinux_task_create(unsigned long clone_flags)
3255 return current_has_perm(current, PROCESS__FORK);
3259 * allocate the SELinux part of blank credentials
3261 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3263 struct task_security_struct *tsec;
3265 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3269 cred->security = tsec;
3274 * detach and free the LSM part of a set of credentials
3276 static void selinux_cred_free(struct cred *cred)
3278 struct task_security_struct *tsec = cred->security;
3281 * cred->security == NULL if security_cred_alloc_blank() or
3282 * security_prepare_creds() returned an error.
3284 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3285 cred->security = (void *) 0x7UL;
3290 * prepare a new set of credentials for modification
3292 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3295 const struct task_security_struct *old_tsec;
3296 struct task_security_struct *tsec;
3298 old_tsec = old->security;
3300 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3304 new->security = tsec;
3309 * transfer the SELinux data to a blank set of creds
3311 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3313 const struct task_security_struct *old_tsec = old->security;
3314 struct task_security_struct *tsec = new->security;
3320 * set the security data for a kernel service
3321 * - all the creation contexts are set to unlabelled
3323 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3325 struct task_security_struct *tsec = new->security;
3326 u32 sid = current_sid();
3329 ret = avc_has_perm(sid, secid,
3330 SECCLASS_KERNEL_SERVICE,
3331 KERNEL_SERVICE__USE_AS_OVERRIDE,
3335 tsec->create_sid = 0;
3336 tsec->keycreate_sid = 0;
3337 tsec->sockcreate_sid = 0;
3343 * set the file creation context in a security record to the same as the
3344 * objective context of the specified inode
3346 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3348 struct inode_security_struct *isec = inode->i_security;
3349 struct task_security_struct *tsec = new->security;
3350 u32 sid = current_sid();
3353 ret = avc_has_perm(sid, isec->sid,
3354 SECCLASS_KERNEL_SERVICE,
3355 KERNEL_SERVICE__CREATE_FILES_AS,
3359 tsec->create_sid = isec->sid;
3363 static int selinux_kernel_module_request(char *kmod_name)
3366 struct common_audit_data ad;
3368 sid = task_sid(current);
3370 COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3371 ad.u.kmod_name = kmod_name;
3373 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3374 SYSTEM__MODULE_REQUEST, &ad);
3377 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3379 return current_has_perm(p, PROCESS__SETPGID);
3382 static int selinux_task_getpgid(struct task_struct *p)
3384 return current_has_perm(p, PROCESS__GETPGID);
3387 static int selinux_task_getsid(struct task_struct *p)
3389 return current_has_perm(p, PROCESS__GETSESSION);
3392 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3394 *secid = task_sid(p);
3397 static int selinux_task_setnice(struct task_struct *p, int nice)
3401 rc = cap_task_setnice(p, nice);
3405 return current_has_perm(p, PROCESS__SETSCHED);
3408 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3412 rc = cap_task_setioprio(p, ioprio);
3416 return current_has_perm(p, PROCESS__SETSCHED);
3419 static int selinux_task_getioprio(struct task_struct *p)
3421 return current_has_perm(p, PROCESS__GETSCHED);
3424 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3425 struct rlimit *new_rlim)
3427 struct rlimit *old_rlim = p->signal->rlim + resource;
3429 /* Control the ability to change the hard limit (whether
3430 lowering or raising it), so that the hard limit can
3431 later be used as a safe reset point for the soft limit
3432 upon context transitions. See selinux_bprm_committing_creds. */
3433 if (old_rlim->rlim_max != new_rlim->rlim_max)
3434 return current_has_perm(p, PROCESS__SETRLIMIT);
3439 static int selinux_task_setscheduler(struct task_struct *p)
3443 rc = cap_task_setscheduler(p);
3447 return current_has_perm(p, PROCESS__SETSCHED);
3450 static int selinux_task_getscheduler(struct task_struct *p)
3452 return current_has_perm(p, PROCESS__GETSCHED);
3455 static int selinux_task_movememory(struct task_struct *p)
3457 return current_has_perm(p, PROCESS__SETSCHED);
3460 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3467 perm = PROCESS__SIGNULL; /* null signal; existence test */
3469 perm = signal_to_av(sig);
3471 rc = avc_has_perm(secid, task_sid(p),
3472 SECCLASS_PROCESS, perm, NULL);
3474 rc = current_has_perm(p, perm);
3478 static int selinux_task_wait(struct task_struct *p)
3480 return task_has_perm(p, current, PROCESS__SIGCHLD);
3483 static void selinux_task_to_inode(struct task_struct *p,
3484 struct inode *inode)
3486 struct inode_security_struct *isec = inode->i_security;
3487 u32 sid = task_sid(p);
3490 isec->initialized = 1;
3493 /* Returns error only if unable to parse addresses */
3494 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3495 struct common_audit_data *ad, u8 *proto)
3497 int offset, ihlen, ret = -EINVAL;
3498 struct iphdr _iph, *ih;
3500 offset = skb_network_offset(skb);
3501 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3505 ihlen = ih->ihl * 4;
3506 if (ihlen < sizeof(_iph))
3509 ad->u.net.v4info.saddr = ih->saddr;
3510 ad->u.net.v4info.daddr = ih->daddr;
3514 *proto = ih->protocol;
3516 switch (ih->protocol) {
3518 struct tcphdr _tcph, *th;
3520 if (ntohs(ih->frag_off) & IP_OFFSET)
3524 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3528 ad->u.net.sport = th->source;
3529 ad->u.net.dport = th->dest;
3534 struct udphdr _udph, *uh;
3536 if (ntohs(ih->frag_off) & IP_OFFSET)
3540 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3544 ad->u.net.sport = uh->source;
3545 ad->u.net.dport = uh->dest;
3549 case IPPROTO_DCCP: {
3550 struct dccp_hdr _dccph, *dh;
3552 if (ntohs(ih->frag_off) & IP_OFFSET)
3556 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3560 ad->u.net.sport = dh->dccph_sport;
3561 ad->u.net.dport = dh->dccph_dport;
3572 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3574 /* Returns error only if unable to parse addresses */
3575 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3576 struct common_audit_data *ad, u8 *proto)
3579 int ret = -EINVAL, offset;
3580 struct ipv6hdr _ipv6h, *ip6;
3582 offset = skb_network_offset(skb);
3583 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3587 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3588 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3591 nexthdr = ip6->nexthdr;
3592 offset += sizeof(_ipv6h);
3593 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3602 struct tcphdr _tcph, *th;
3604 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3608 ad->u.net.sport = th->source;
3609 ad->u.net.dport = th->dest;
3614 struct udphdr _udph, *uh;
3616 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3620 ad->u.net.sport = uh->source;
3621 ad->u.net.dport = uh->dest;
3625 case IPPROTO_DCCP: {
3626 struct dccp_hdr _dccph, *dh;
3628 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3632 ad->u.net.sport = dh->dccph_sport;
3633 ad->u.net.dport = dh->dccph_dport;
3637 /* includes fragments */
3647 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3648 char **_addrp, int src, u8 *proto)
3653 switch (ad->u.net.family) {
3655 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3658 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3659 &ad->u.net.v4info.daddr);
3662 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3664 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3667 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3668 &ad->u.net.v6info.daddr);
3678 "SELinux: failure in selinux_parse_skb(),"
3679 " unable to parse packet\n");
3689 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3691 * @family: protocol family
3692 * @sid: the packet's peer label SID
3695 * Check the various different forms of network peer labeling and determine
3696 * the peer label/SID for the packet; most of the magic actually occurs in
3697 * the security server function security_net_peersid_cmp(). The function
3698 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3699 * or -EACCES if @sid is invalid due to inconsistencies with the different
3703 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3710 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3711 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3713 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3714 if (unlikely(err)) {
3716 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3717 " unable to determine packet's peer label\n");
3725 * selinux_conn_sid - Determine the child socket label for a connection
3726 * @sk_sid: the parent socket's SID
3727 * @skb_sid: the packet's SID
3728 * @conn_sid: the resulting connection SID
3730 * If @skb_sid is valid then the user:role:type information from @sk_sid is
3731 * combined with the MLS information from @skb_sid in order to create
3732 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
3733 * of @sk_sid. Returns zero on success, negative values on failure.
3736 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
3740 if (skb_sid != SECSID_NULL)
3741 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
3748 /* socket security operations */
3750 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3751 u16 secclass, u32 *socksid)
3753 if (tsec->sockcreate_sid > SECSID_NULL) {
3754 *socksid = tsec->sockcreate_sid;
3758 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3762 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3764 struct sk_security_struct *sksec = sk->sk_security;
3765 struct common_audit_data ad;
3766 u32 tsid = task_sid(task);
3768 if (sksec->sid == SECINITSID_KERNEL)
3771 COMMON_AUDIT_DATA_INIT(&ad, NET);
3774 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3777 static int selinux_socket_create(int family, int type,
3778 int protocol, int kern)
3780 const struct task_security_struct *tsec = current_security();
3788 secclass = socket_type_to_security_class(family, type, protocol);
3789 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3793 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3796 static int selinux_socket_post_create(struct socket *sock, int family,
3797 int type, int protocol, int kern)
3799 const struct task_security_struct *tsec = current_security();
3800 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3801 struct sk_security_struct *sksec;
3804 isec->sclass = socket_type_to_security_class(family, type, protocol);
3807 isec->sid = SECINITSID_KERNEL;
3809 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3814 isec->initialized = 1;
3817 sksec = sock->sk->sk_security;
3818 sksec->sid = isec->sid;
3819 sksec->sclass = isec->sclass;
3820 err = selinux_netlbl_socket_post_create(sock->sk, family);
3826 /* Range of port numbers used to automatically bind.
3827 Need to determine whether we should perform a name_bind
3828 permission check between the socket and the port number. */
3830 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3832 struct sock *sk = sock->sk;
3836 err = sock_has_perm(current, sk, SOCKET__BIND);
3841 * If PF_INET or PF_INET6, check name_bind permission for the port.
3842 * Multiple address binding for SCTP is not supported yet: we just
3843 * check the first address now.
3845 family = sk->sk_family;
3846 if (family == PF_INET || family == PF_INET6) {
3848 struct sk_security_struct *sksec = sk->sk_security;
3849 struct common_audit_data ad;
3850 struct sockaddr_in *addr4 = NULL;
3851 struct sockaddr_in6 *addr6 = NULL;
3852 unsigned short snum;
3855 if (family == PF_INET) {
3856 addr4 = (struct sockaddr_in *)address;
3857 snum = ntohs(addr4->sin_port);
3858 addrp = (char *)&addr4->sin_addr.s_addr;
3860 addr6 = (struct sockaddr_in6 *)address;
3861 snum = ntohs(addr6->sin6_port);
3862 addrp = (char *)&addr6->sin6_addr.s6_addr;
3868 inet_get_local_port_range(&low, &high);
3870 if (snum < max(PROT_SOCK, low) || snum > high) {
3871 err = sel_netport_sid(sk->sk_protocol,
3875 COMMON_AUDIT_DATA_INIT(&ad, NET);
3876 ad.u.net.sport = htons(snum);
3877 ad.u.net.family = family;
3878 err = avc_has_perm(sksec->sid, sid,
3880 SOCKET__NAME_BIND, &ad);
3886 switch (sksec->sclass) {
3887 case SECCLASS_TCP_SOCKET:
3888 node_perm = TCP_SOCKET__NODE_BIND;
3891 case SECCLASS_UDP_SOCKET:
3892 node_perm = UDP_SOCKET__NODE_BIND;
3895 case SECCLASS_DCCP_SOCKET:
3896 node_perm = DCCP_SOCKET__NODE_BIND;
3900 node_perm = RAWIP_SOCKET__NODE_BIND;
3904 err = sel_netnode_sid(addrp, family, &sid);
3908 COMMON_AUDIT_DATA_INIT(&ad, NET);
3909 ad.u.net.sport = htons(snum);
3910 ad.u.net.family = family;
3912 if (family == PF_INET)
3913 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3915 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3917 err = avc_has_perm(sksec->sid, sid,
3918 sksec->sclass, node_perm, &ad);
3926 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3928 struct sock *sk = sock->sk;
3929 struct sk_security_struct *sksec = sk->sk_security;
3932 err = sock_has_perm(current, sk, SOCKET__CONNECT);
3937 * If a TCP or DCCP socket, check name_connect permission for the port.
3939 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3940 sksec->sclass == SECCLASS_DCCP_SOCKET) {
3941 struct common_audit_data ad;
3942 struct sockaddr_in *addr4 = NULL;
3943 struct sockaddr_in6 *addr6 = NULL;
3944 unsigned short snum;
3947 if (sk->sk_family == PF_INET) {
3948 addr4 = (struct sockaddr_in *)address;
3949 if (addrlen < sizeof(struct sockaddr_in))
3951 snum = ntohs(addr4->sin_port);
3953 addr6 = (struct sockaddr_in6 *)address;
3954 if (addrlen < SIN6_LEN_RFC2133)
3956 snum = ntohs(addr6->sin6_port);
3959 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3963 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3964 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3966 COMMON_AUDIT_DATA_INIT(&ad, NET);
3967 ad.u.net.dport = htons(snum);
3968 ad.u.net.family = sk->sk_family;
3969 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3974 err = selinux_netlbl_socket_connect(sk, address);
3980 static int selinux_socket_listen(struct socket *sock, int backlog)
3982 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3985 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3988 struct inode_security_struct *isec;
3989 struct inode_security_struct *newisec;
3991 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3995 newisec = SOCK_INODE(newsock)->i_security;
3997 isec = SOCK_INODE(sock)->i_security;
3998 newisec->sclass = isec->sclass;
3999 newisec->sid = isec->sid;
4000 newisec->initialized = 1;
4005 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4008 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4011 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4012 int size, int flags)
4014 return sock_has_perm(current, sock->sk, SOCKET__READ);
4017 static int selinux_socket_getsockname(struct socket *sock)
4019 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4022 static int selinux_socket_getpeername(struct socket *sock)
4024 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4027 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4031 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4035 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4038 static int selinux_socket_getsockopt(struct socket *sock, int level,
4041 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4044 static int selinux_socket_shutdown(struct socket *sock, int how)
4046 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4049 static int selinux_socket_unix_stream_connect(struct sock *sock,
4053 struct sk_security_struct *sksec_sock = sock->sk_security;
4054 struct sk_security_struct *sksec_other = other->sk_security;
4055 struct sk_security_struct *sksec_new = newsk->sk_security;
4056 struct common_audit_data ad;
4059 COMMON_AUDIT_DATA_INIT(&ad, NET);
4060 ad.u.net.sk = other;
4062 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4063 sksec_other->sclass,
4064 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4068 /* server child socket */
4069 sksec_new->peer_sid = sksec_sock->sid;
4070 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4075 /* connecting socket */
4076 sksec_sock->peer_sid = sksec_new->sid;
4081 static int selinux_socket_unix_may_send(struct socket *sock,
4082 struct socket *other)
4084 struct sk_security_struct *ssec = sock->sk->sk_security;
4085 struct sk_security_struct *osec = other->sk->sk_security;
4086 struct common_audit_data ad;
4088 COMMON_AUDIT_DATA_INIT(&ad, NET);
4089 ad.u.net.sk = other->sk;
4091 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4095 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4097 struct common_audit_data *ad)
4103 err = sel_netif_sid(ifindex, &if_sid);
4106 err = avc_has_perm(peer_sid, if_sid,
4107 SECCLASS_NETIF, NETIF__INGRESS, ad);
4111 err = sel_netnode_sid(addrp, family, &node_sid);
4114 return avc_has_perm(peer_sid, node_sid,
4115 SECCLASS_NODE, NODE__RECVFROM, ad);
4118 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4122 struct sk_security_struct *sksec = sk->sk_security;
4123 u32 sk_sid = sksec->sid;
4124 struct common_audit_data ad;
4127 COMMON_AUDIT_DATA_INIT(&ad, NET);
4128 ad.u.net.netif = skb->skb_iif;
4129 ad.u.net.family = family;
4130 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4134 if (selinux_secmark_enabled()) {
4135 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4141 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4144 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4149 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4152 struct sk_security_struct *sksec = sk->sk_security;
4153 u16 family = sk->sk_family;
4154 u32 sk_sid = sksec->sid;
4155 struct common_audit_data ad;
4160 if (family != PF_INET && family != PF_INET6)
4163 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4164 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4167 /* If any sort of compatibility mode is enabled then handoff processing
4168 * to the selinux_sock_rcv_skb_compat() function to deal with the
4169 * special handling. We do this in an attempt to keep this function
4170 * as fast and as clean as possible. */
4171 if (!selinux_policycap_netpeer)
4172 return selinux_sock_rcv_skb_compat(sk, skb, family);
4174 secmark_active = selinux_secmark_enabled();
4175 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4176 if (!secmark_active && !peerlbl_active)
4179 COMMON_AUDIT_DATA_INIT(&ad, NET);
4180 ad.u.net.netif = skb->skb_iif;
4181 ad.u.net.family = family;
4182 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4186 if (peerlbl_active) {
4189 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4192 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4195 selinux_netlbl_err(skb, err, 0);
4198 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4201 selinux_netlbl_err(skb, err, 0);
4206 if (secmark_active) {
4207 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4216 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4217 int __user *optlen, unsigned len)
4222 struct sk_security_struct *sksec = sock->sk->sk_security;
4223 u32 peer_sid = SECSID_NULL;
4225 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4226 sksec->sclass == SECCLASS_TCP_SOCKET)
4227 peer_sid = sksec->peer_sid;
4228 if (peer_sid == SECSID_NULL)
4229 return -ENOPROTOOPT;
4231 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4235 if (scontext_len > len) {
4240 if (copy_to_user(optval, scontext, scontext_len))
4244 if (put_user(scontext_len, optlen))
4250 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4252 u32 peer_secid = SECSID_NULL;
4255 if (skb && skb->protocol == htons(ETH_P_IP))
4257 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4260 family = sock->sk->sk_family;
4264 if (sock && family == PF_UNIX)
4265 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4267 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4270 *secid = peer_secid;
4271 if (peer_secid == SECSID_NULL)
4276 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4278 struct sk_security_struct *sksec;
4280 sksec = kzalloc(sizeof(*sksec), priority);
4284 sksec->peer_sid = SECINITSID_UNLABELED;
4285 sksec->sid = SECINITSID_UNLABELED;
4286 selinux_netlbl_sk_security_reset(sksec);
4287 sk->sk_security = sksec;
4292 static void selinux_sk_free_security(struct sock *sk)
4294 struct sk_security_struct *sksec = sk->sk_security;
4296 sk->sk_security = NULL;
4297 selinux_netlbl_sk_security_free(sksec);
4301 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4303 struct sk_security_struct *sksec = sk->sk_security;
4304 struct sk_security_struct *newsksec = newsk->sk_security;
4306 newsksec->sid = sksec->sid;
4307 newsksec->peer_sid = sksec->peer_sid;
4308 newsksec->sclass = sksec->sclass;
4310 selinux_netlbl_sk_security_reset(newsksec);
4313 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4316 *secid = SECINITSID_ANY_SOCKET;
4318 struct sk_security_struct *sksec = sk->sk_security;
4320 *secid = sksec->sid;
4324 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4326 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4327 struct sk_security_struct *sksec = sk->sk_security;
4329 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4330 sk->sk_family == PF_UNIX)
4331 isec->sid = sksec->sid;
4332 sksec->sclass = isec->sclass;
4335 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4336 struct request_sock *req)
4338 struct sk_security_struct *sksec = sk->sk_security;
4340 u16 family = sk->sk_family;
4344 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4345 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4348 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4351 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4354 req->secid = connsid;
4355 req->peer_secid = peersid;
4357 return selinux_netlbl_inet_conn_request(req, family);
4360 static void selinux_inet_csk_clone(struct sock *newsk,
4361 const struct request_sock *req)
4363 struct sk_security_struct *newsksec = newsk->sk_security;
4365 newsksec->sid = req->secid;
4366 newsksec->peer_sid = req->peer_secid;
4367 /* NOTE: Ideally, we should also get the isec->sid for the
4368 new socket in sync, but we don't have the isec available yet.
4369 So we will wait until sock_graft to do it, by which
4370 time it will have been created and available. */
4372 /* We don't need to take any sort of lock here as we are the only
4373 * thread with access to newsksec */
4374 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4377 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4379 u16 family = sk->sk_family;
4380 struct sk_security_struct *sksec = sk->sk_security;
4382 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4383 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4386 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4389 static int selinux_secmark_relabel_packet(u32 sid)
4391 const struct task_security_struct *__tsec;
4394 __tsec = current_security();
4397 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4400 static void selinux_secmark_refcount_inc(void)
4402 atomic_inc(&selinux_secmark_refcount);
4405 static void selinux_secmark_refcount_dec(void)
4407 atomic_dec(&selinux_secmark_refcount);
4410 static void selinux_req_classify_flow(const struct request_sock *req,
4413 fl->flowi_secid = req->secid;
4416 static int selinux_tun_dev_create(void)
4418 u32 sid = current_sid();
4420 /* we aren't taking into account the "sockcreate" SID since the socket
4421 * that is being created here is not a socket in the traditional sense,
4422 * instead it is a private sock, accessible only to the kernel, and
4423 * representing a wide range of network traffic spanning multiple
4424 * connections unlike traditional sockets - check the TUN driver to
4425 * get a better understanding of why this socket is special */
4427 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4431 static void selinux_tun_dev_post_create(struct sock *sk)
4433 struct sk_security_struct *sksec = sk->sk_security;
4435 /* we don't currently perform any NetLabel based labeling here and it
4436 * isn't clear that we would want to do so anyway; while we could apply
4437 * labeling without the support of the TUN user the resulting labeled
4438 * traffic from the other end of the connection would almost certainly
4439 * cause confusion to the TUN user that had no idea network labeling
4440 * protocols were being used */
4442 /* see the comments in selinux_tun_dev_create() about why we don't use
4443 * the sockcreate SID here */
4445 sksec->sid = current_sid();
4446 sksec->sclass = SECCLASS_TUN_SOCKET;
4449 static int selinux_tun_dev_attach(struct sock *sk)
4451 struct sk_security_struct *sksec = sk->sk_security;
4452 u32 sid = current_sid();
4455 err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4456 TUN_SOCKET__RELABELFROM, NULL);
4459 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4460 TUN_SOCKET__RELABELTO, NULL);
4469 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4473 struct nlmsghdr *nlh;
4474 struct sk_security_struct *sksec = sk->sk_security;
4476 if (skb->len < NLMSG_SPACE(0)) {
4480 nlh = nlmsg_hdr(skb);
4482 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4484 if (err == -EINVAL) {
4485 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4486 "SELinux: unrecognized netlink message"
4487 " type=%hu for sclass=%hu\n",
4488 nlh->nlmsg_type, sksec->sclass);
4489 if (!selinux_enforcing || security_get_allow_unknown())
4499 err = sock_has_perm(current, sk, perm);
4504 #ifdef CONFIG_NETFILTER
4506 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4512 struct common_audit_data ad;
4517 if (!selinux_policycap_netpeer)
4520 secmark_active = selinux_secmark_enabled();
4521 netlbl_active = netlbl_enabled();
4522 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4523 if (!secmark_active && !peerlbl_active)
4526 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4529 COMMON_AUDIT_DATA_INIT(&ad, NET);
4530 ad.u.net.netif = ifindex;
4531 ad.u.net.family = family;
4532 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4535 if (peerlbl_active) {
4536 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4539 selinux_netlbl_err(skb, err, 1);
4545 if (avc_has_perm(peer_sid, skb->secmark,
4546 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4550 /* we do this in the FORWARD path and not the POST_ROUTING
4551 * path because we want to make sure we apply the necessary
4552 * labeling before IPsec is applied so we can leverage AH
4554 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4560 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4561 struct sk_buff *skb,
4562 const struct net_device *in,
4563 const struct net_device *out,
4564 int (*okfn)(struct sk_buff *))
4566 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4569 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4570 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4571 struct sk_buff *skb,
4572 const struct net_device *in,
4573 const struct net_device *out,
4574 int (*okfn)(struct sk_buff *))
4576 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4580 static unsigned int selinux_ip_output(struct sk_buff *skb,
4586 if (!netlbl_enabled())
4589 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4590 * because we want to make sure we apply the necessary labeling
4591 * before IPsec is applied so we can leverage AH protection */
4594 struct sk_security_struct *sksec;
4596 if (sk->sk_state == TCP_LISTEN)
4597 /* if the socket is the listening state then this
4598 * packet is a SYN-ACK packet which means it needs to
4599 * be labeled based on the connection/request_sock and
4600 * not the parent socket. unfortunately, we can't
4601 * lookup the request_sock yet as it isn't queued on
4602 * the parent socket until after the SYN-ACK is sent.
4603 * the "solution" is to simply pass the packet as-is
4604 * as any IP option based labeling should be copied
4605 * from the initial connection request (in the IP
4606 * layer). it is far from ideal, but until we get a
4607 * security label in the packet itself this is the
4608 * best we can do. */
4611 /* standard practice, label using the parent socket */
4612 sksec = sk->sk_security;
4615 sid = SECINITSID_KERNEL;
4616 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4622 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4623 struct sk_buff *skb,
4624 const struct net_device *in,
4625 const struct net_device *out,
4626 int (*okfn)(struct sk_buff *))
4628 return selinux_ip_output(skb, PF_INET);
4631 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4635 struct sock *sk = skb->sk;
4636 struct sk_security_struct *sksec;
4637 struct common_audit_data ad;
4643 sksec = sk->sk_security;
4645 COMMON_AUDIT_DATA_INIT(&ad, NET);
4646 ad.u.net.netif = ifindex;
4647 ad.u.net.family = family;
4648 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4651 if (selinux_secmark_enabled())
4652 if (avc_has_perm(sksec->sid, skb->secmark,
4653 SECCLASS_PACKET, PACKET__SEND, &ad))
4654 return NF_DROP_ERR(-ECONNREFUSED);
4656 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4657 return NF_DROP_ERR(-ECONNREFUSED);
4662 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4668 struct common_audit_data ad;
4673 /* If any sort of compatibility mode is enabled then handoff processing
4674 * to the selinux_ip_postroute_compat() function to deal with the
4675 * special handling. We do this in an attempt to keep this function
4676 * as fast and as clean as possible. */
4677 if (!selinux_policycap_netpeer)
4678 return selinux_ip_postroute_compat(skb, ifindex, family);
4680 secmark_active = selinux_secmark_enabled();
4681 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4682 if (!secmark_active && !peerlbl_active)
4688 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4689 * packet transformation so allow the packet to pass without any checks
4690 * since we'll have another chance to perform access control checks
4691 * when the packet is on it's final way out.
4692 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4693 * is NULL, in this case go ahead and apply access control.
4694 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
4695 * TCP listening state we cannot wait until the XFRM processing
4696 * is done as we will miss out on the SA label if we do;
4697 * unfortunately, this means more work, but it is only once per
4699 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
4700 !(sk != NULL && sk->sk_state == TCP_LISTEN))
4705 /* Without an associated socket the packet is either coming
4706 * from the kernel or it is being forwarded; check the packet
4707 * to determine which and if the packet is being forwarded
4708 * query the packet directly to determine the security label. */
4710 secmark_perm = PACKET__FORWARD_OUT;
4711 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4714 secmark_perm = PACKET__SEND;
4715 peer_sid = SECINITSID_KERNEL;
4717 } else if (sk->sk_state == TCP_LISTEN) {
4718 /* Locally generated packet but the associated socket is in the
4719 * listening state which means this is a SYN-ACK packet. In
4720 * this particular case the correct security label is assigned
4721 * to the connection/request_sock but unfortunately we can't
4722 * query the request_sock as it isn't queued on the parent
4723 * socket until after the SYN-ACK packet is sent; the only
4724 * viable choice is to regenerate the label like we do in
4725 * selinux_inet_conn_request(). See also selinux_ip_output()
4726 * for similar problems. */
4728 struct sk_security_struct *sksec = sk->sk_security;
4729 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
4731 /* At this point, if the returned skb peerlbl is SECSID_NULL
4732 * and the packet has been through at least one XFRM
4733 * transformation then we must be dealing with the "final"
4734 * form of labeled IPsec packet; since we've already applied
4735 * all of our access controls on this packet we can safely
4736 * pass the packet. */
4737 if (skb_sid == SECSID_NULL) {
4740 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
4744 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
4747 return NF_DROP_ERR(-ECONNREFUSED);
4750 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
4752 secmark_perm = PACKET__SEND;
4754 /* Locally generated packet, fetch the security label from the
4755 * associated socket. */
4756 struct sk_security_struct *sksec = sk->sk_security;
4757 peer_sid = sksec->sid;
4758 secmark_perm = PACKET__SEND;
4761 COMMON_AUDIT_DATA_INIT(&ad, NET);
4762 ad.u.net.netif = ifindex;
4763 ad.u.net.family = family;
4764 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4768 if (avc_has_perm(peer_sid, skb->secmark,
4769 SECCLASS_PACKET, secmark_perm, &ad))
4770 return NF_DROP_ERR(-ECONNREFUSED);
4772 if (peerlbl_active) {
4776 if (sel_netif_sid(ifindex, &if_sid))
4778 if (avc_has_perm(peer_sid, if_sid,
4779 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4780 return NF_DROP_ERR(-ECONNREFUSED);
4782 if (sel_netnode_sid(addrp, family, &node_sid))
4784 if (avc_has_perm(peer_sid, node_sid,
4785 SECCLASS_NODE, NODE__SENDTO, &ad))
4786 return NF_DROP_ERR(-ECONNREFUSED);
4792 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4793 struct sk_buff *skb,
4794 const struct net_device *in,
4795 const struct net_device *out,
4796 int (*okfn)(struct sk_buff *))
4798 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4801 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4802 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4803 struct sk_buff *skb,
4804 const struct net_device *in,
4805 const struct net_device *out,
4806 int (*okfn)(struct sk_buff *))
4808 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4812 #endif /* CONFIG_NETFILTER */
4814 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4818 err = cap_netlink_send(sk, skb);
4822 return selinux_nlmsg_perm(sk, skb);
4825 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4828 struct common_audit_data ad;
4831 err = cap_netlink_recv(skb, capability);
4835 COMMON_AUDIT_DATA_INIT(&ad, CAP);
4836 ad.u.cap = capability;
4838 security_task_getsecid(current, &sid);
4839 return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
4840 CAP_TO_MASK(capability), &ad);
4843 static int ipc_alloc_security(struct task_struct *task,
4844 struct kern_ipc_perm *perm,
4847 struct ipc_security_struct *isec;
4850 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4854 sid = task_sid(task);
4855 isec->sclass = sclass;
4857 perm->security = isec;
4862 static void ipc_free_security(struct kern_ipc_perm *perm)
4864 struct ipc_security_struct *isec = perm->security;
4865 perm->security = NULL;
4869 static int msg_msg_alloc_security(struct msg_msg *msg)
4871 struct msg_security_struct *msec;
4873 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4877 msec->sid = SECINITSID_UNLABELED;
4878 msg->security = msec;
4883 static void msg_msg_free_security(struct msg_msg *msg)
4885 struct msg_security_struct *msec = msg->security;
4887 msg->security = NULL;
4891 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4894 struct ipc_security_struct *isec;
4895 struct common_audit_data ad;
4896 u32 sid = current_sid();
4898 isec = ipc_perms->security;
4900 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4901 ad.u.ipc_id = ipc_perms->key;
4903 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4906 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4908 return msg_msg_alloc_security(msg);
4911 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4913 msg_msg_free_security(msg);
4916 /* message queue security operations */
4917 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4919 struct ipc_security_struct *isec;
4920 struct common_audit_data ad;
4921 u32 sid = current_sid();
4924 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4928 isec = msq->q_perm.security;
4930 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4931 ad.u.ipc_id = msq->q_perm.key;
4933 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4936 ipc_free_security(&msq->q_perm);
4942 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4944 ipc_free_security(&msq->q_perm);
4947 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4949 struct ipc_security_struct *isec;
4950 struct common_audit_data ad;
4951 u32 sid = current_sid();
4953 isec = msq->q_perm.security;
4955 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4956 ad.u.ipc_id = msq->q_perm.key;
4958 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4959 MSGQ__ASSOCIATE, &ad);
4962 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4970 /* No specific object, just general system-wide information. */
4971 return task_has_system(current, SYSTEM__IPC_INFO);
4974 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4977 perms = MSGQ__SETATTR;
4980 perms = MSGQ__DESTROY;
4986 err = ipc_has_perm(&msq->q_perm, perms);
4990 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4992 struct ipc_security_struct *isec;
4993 struct msg_security_struct *msec;
4994 struct common_audit_data ad;
4995 u32 sid = current_sid();
4998 isec = msq->q_perm.security;
4999 msec = msg->security;
5002 * First time through, need to assign label to the message
5004 if (msec->sid == SECINITSID_UNLABELED) {
5006 * Compute new sid based on current process and
5007 * message queue this message will be stored in
5009 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5015 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5016 ad.u.ipc_id = msq->q_perm.key;
5018 /* Can this process write to the queue? */
5019 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5022 /* Can this process send the message */
5023 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5026 /* Can the message be put in the queue? */
5027 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5028 MSGQ__ENQUEUE, &ad);
5033 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5034 struct task_struct *target,
5035 long type, int mode)
5037 struct ipc_security_struct *isec;
5038 struct msg_security_struct *msec;
5039 struct common_audit_data ad;
5040 u32 sid = task_sid(target);
5043 isec = msq->q_perm.security;
5044 msec = msg->security;
5046 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5047 ad.u.ipc_id = msq->q_perm.key;
5049 rc = avc_has_perm(sid, isec->sid,
5050 SECCLASS_MSGQ, MSGQ__READ, &ad);
5052 rc = avc_has_perm(sid, msec->sid,
5053 SECCLASS_MSG, MSG__RECEIVE, &ad);
5057 /* Shared Memory security operations */
5058 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5060 struct ipc_security_struct *isec;
5061 struct common_audit_data ad;
5062 u32 sid = current_sid();
5065 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5069 isec = shp->shm_perm.security;
5071 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5072 ad.u.ipc_id = shp->shm_perm.key;
5074 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5077 ipc_free_security(&shp->shm_perm);
5083 static void selinux_shm_free_security(struct shmid_kernel *shp)
5085 ipc_free_security(&shp->shm_perm);
5088 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5090 struct ipc_security_struct *isec;
5091 struct common_audit_data ad;
5092 u32 sid = current_sid();
5094 isec = shp->shm_perm.security;
5096 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5097 ad.u.ipc_id = shp->shm_perm.key;
5099 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5100 SHM__ASSOCIATE, &ad);
5103 /* Note, at this point, shp is locked down */
5104 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5112 /* No specific object, just general system-wide information. */
5113 return task_has_system(current, SYSTEM__IPC_INFO);
5116 perms = SHM__GETATTR | SHM__ASSOCIATE;
5119 perms = SHM__SETATTR;
5126 perms = SHM__DESTROY;
5132 err = ipc_has_perm(&shp->shm_perm, perms);
5136 static int selinux_shm_shmat(struct shmid_kernel *shp,
5137 char __user *shmaddr, int shmflg)
5141 if (shmflg & SHM_RDONLY)
5144 perms = SHM__READ | SHM__WRITE;
5146 return ipc_has_perm(&shp->shm_perm, perms);
5149 /* Semaphore security operations */
5150 static int selinux_sem_alloc_security(struct sem_array *sma)
5152 struct ipc_security_struct *isec;
5153 struct common_audit_data ad;
5154 u32 sid = current_sid();
5157 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5161 isec = sma->sem_perm.security;
5163 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5164 ad.u.ipc_id = sma->sem_perm.key;
5166 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5169 ipc_free_security(&sma->sem_perm);
5175 static void selinux_sem_free_security(struct sem_array *sma)
5177 ipc_free_security(&sma->sem_perm);
5180 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5182 struct ipc_security_struct *isec;
5183 struct common_audit_data ad;
5184 u32 sid = current_sid();
5186 isec = sma->sem_perm.security;
5188 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5189 ad.u.ipc_id = sma->sem_perm.key;
5191 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5192 SEM__ASSOCIATE, &ad);
5195 /* Note, at this point, sma is locked down */
5196 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5204 /* No specific object, just general system-wide information. */
5205 return task_has_system(current, SYSTEM__IPC_INFO);
5209 perms = SEM__GETATTR;
5220 perms = SEM__DESTROY;
5223 perms = SEM__SETATTR;
5227 perms = SEM__GETATTR | SEM__ASSOCIATE;
5233 err = ipc_has_perm(&sma->sem_perm, perms);
5237 static int selinux_sem_semop(struct sem_array *sma,
5238 struct sembuf *sops, unsigned nsops, int alter)
5243 perms = SEM__READ | SEM__WRITE;
5247 return ipc_has_perm(&sma->sem_perm, perms);
5250 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5256 av |= IPC__UNIX_READ;
5258 av |= IPC__UNIX_WRITE;
5263 return ipc_has_perm(ipcp, av);
5266 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5268 struct ipc_security_struct *isec = ipcp->security;
5272 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5275 inode_doinit_with_dentry(inode, dentry);
5278 static int selinux_getprocattr(struct task_struct *p,
5279 char *name, char **value)
5281 const struct task_security_struct *__tsec;
5287 error = current_has_perm(p, PROCESS__GETATTR);
5293 __tsec = __task_cred(p)->security;
5295 if (!strcmp(name, "current"))
5297 else if (!strcmp(name, "prev"))
5299 else if (!strcmp(name, "exec"))
5300 sid = __tsec->exec_sid;
5301 else if (!strcmp(name, "fscreate"))
5302 sid = __tsec->create_sid;
5303 else if (!strcmp(name, "keycreate"))
5304 sid = __tsec->keycreate_sid;
5305 else if (!strcmp(name, "sockcreate"))
5306 sid = __tsec->sockcreate_sid;
5314 error = security_sid_to_context(sid, value, &len);
5324 static int selinux_setprocattr(struct task_struct *p,
5325 char *name, void *value, size_t size)
5327 struct task_security_struct *tsec;
5328 struct task_struct *tracer;
5335 /* SELinux only allows a process to change its own
5336 security attributes. */
5341 * Basic control over ability to set these attributes at all.
5342 * current == p, but we'll pass them separately in case the
5343 * above restriction is ever removed.
5345 if (!strcmp(name, "exec"))
5346 error = current_has_perm(p, PROCESS__SETEXEC);
5347 else if (!strcmp(name, "fscreate"))
5348 error = current_has_perm(p, PROCESS__SETFSCREATE);
5349 else if (!strcmp(name, "keycreate"))
5350 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5351 else if (!strcmp(name, "sockcreate"))
5352 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5353 else if (!strcmp(name, "current"))
5354 error = current_has_perm(p, PROCESS__SETCURRENT);
5360 /* Obtain a SID for the context, if one was specified. */
5361 if (size && str[1] && str[1] != '\n') {
5362 if (str[size-1] == '\n') {
5366 error = security_context_to_sid(value, size, &sid);
5367 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5368 if (!capable(CAP_MAC_ADMIN))
5370 error = security_context_to_sid_force(value, size,
5377 new = prepare_creds();
5381 /* Permission checking based on the specified context is
5382 performed during the actual operation (execve,
5383 open/mkdir/...), when we know the full context of the
5384 operation. See selinux_bprm_set_creds for the execve
5385 checks and may_create for the file creation checks. The
5386 operation will then fail if the context is not permitted. */
5387 tsec = new->security;
5388 if (!strcmp(name, "exec")) {
5389 tsec->exec_sid = sid;
5390 } else if (!strcmp(name, "fscreate")) {
5391 tsec->create_sid = sid;
5392 } else if (!strcmp(name, "keycreate")) {
5393 error = may_create_key(sid, p);
5396 tsec->keycreate_sid = sid;
5397 } else if (!strcmp(name, "sockcreate")) {
5398 tsec->sockcreate_sid = sid;
5399 } else if (!strcmp(name, "current")) {
5404 /* Only allow single threaded processes to change context */
5406 if (!current_is_single_threaded()) {
5407 error = security_bounded_transition(tsec->sid, sid);
5412 /* Check permissions for the transition. */
5413 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5414 PROCESS__DYNTRANSITION, NULL);
5418 /* Check for ptracing, and update the task SID if ok.
5419 Otherwise, leave SID unchanged and fail. */
5422 tracer = ptrace_parent(p);
5424 ptsid = task_sid(tracer);
5428 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5429 PROCESS__PTRACE, NULL);
5448 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5450 return security_sid_to_context(secid, secdata, seclen);
5453 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5455 return security_context_to_sid(secdata, seclen, secid);
5458 static void selinux_release_secctx(char *secdata, u32 seclen)
5464 * called with inode->i_mutex locked
5466 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5468 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5472 * called with inode->i_mutex locked
5474 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5476 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5479 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5482 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5491 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5492 unsigned long flags)
5494 const struct task_security_struct *tsec;
5495 struct key_security_struct *ksec;
5497 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5501 tsec = cred->security;
5502 if (tsec->keycreate_sid)
5503 ksec->sid = tsec->keycreate_sid;
5505 ksec->sid = tsec->sid;
5511 static void selinux_key_free(struct key *k)
5513 struct key_security_struct *ksec = k->security;
5519 static int selinux_key_permission(key_ref_t key_ref,
5520 const struct cred *cred,
5524 struct key_security_struct *ksec;
5527 /* if no specific permissions are requested, we skip the
5528 permission check. No serious, additional covert channels
5529 appear to be created. */
5533 sid = cred_sid(cred);
5535 key = key_ref_to_ptr(key_ref);
5536 ksec = key->security;
5538 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5541 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5543 struct key_security_struct *ksec = key->security;
5544 char *context = NULL;
5548 rc = security_sid_to_context(ksec->sid, &context, &len);
5557 static struct security_operations selinux_ops = {
5560 .ptrace_access_check = selinux_ptrace_access_check,
5561 .ptrace_traceme = selinux_ptrace_traceme,
5562 .capget = selinux_capget,
5563 .capset = selinux_capset,
5564 .capable = selinux_capable,
5565 .quotactl = selinux_quotactl,
5566 .quota_on = selinux_quota_on,
5567 .syslog = selinux_syslog,
5568 .vm_enough_memory = selinux_vm_enough_memory,
5570 .netlink_send = selinux_netlink_send,
5571 .netlink_recv = selinux_netlink_recv,
5573 .bprm_set_creds = selinux_bprm_set_creds,
5574 .bprm_committing_creds = selinux_bprm_committing_creds,
5575 .bprm_committed_creds = selinux_bprm_committed_creds,
5576 .bprm_secureexec = selinux_bprm_secureexec,
5578 .sb_alloc_security = selinux_sb_alloc_security,
5579 .sb_free_security = selinux_sb_free_security,
5580 .sb_copy_data = selinux_sb_copy_data,
5581 .sb_remount = selinux_sb_remount,
5582 .sb_kern_mount = selinux_sb_kern_mount,
5583 .sb_show_options = selinux_sb_show_options,
5584 .sb_statfs = selinux_sb_statfs,
5585 .sb_mount = selinux_mount,
5586 .sb_umount = selinux_umount,
5587 .sb_set_mnt_opts = selinux_set_mnt_opts,
5588 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5589 .sb_parse_opts_str = selinux_parse_opts_str,
5592 .inode_alloc_security = selinux_inode_alloc_security,
5593 .inode_free_security = selinux_inode_free_security,
5594 .inode_init_security = selinux_inode_init_security,
5595 .inode_create = selinux_inode_create,
5596 .inode_link = selinux_inode_link,
5597 .inode_unlink = selinux_inode_unlink,
5598 .inode_symlink = selinux_inode_symlink,
5599 .inode_mkdir = selinux_inode_mkdir,
5600 .inode_rmdir = selinux_inode_rmdir,
5601 .inode_mknod = selinux_inode_mknod,
5602 .inode_rename = selinux_inode_rename,
5603 .inode_readlink = selinux_inode_readlink,
5604 .inode_follow_link = selinux_inode_follow_link,
5605 .inode_permission = selinux_inode_permission,
5606 .inode_setattr = selinux_inode_setattr,
5607 .inode_getattr = selinux_inode_getattr,
5608 .inode_setxattr = selinux_inode_setxattr,
5609 .inode_post_setxattr = selinux_inode_post_setxattr,
5610 .inode_getxattr = selinux_inode_getxattr,
5611 .inode_listxattr = selinux_inode_listxattr,
5612 .inode_removexattr = selinux_inode_removexattr,
5613 .inode_getsecurity = selinux_inode_getsecurity,
5614 .inode_setsecurity = selinux_inode_setsecurity,
5615 .inode_listsecurity = selinux_inode_listsecurity,
5616 .inode_getsecid = selinux_inode_getsecid,
5618 .file_permission = selinux_file_permission,
5619 .file_alloc_security = selinux_file_alloc_security,
5620 .file_free_security = selinux_file_free_security,
5621 .file_ioctl = selinux_file_ioctl,
5622 .file_mmap = selinux_file_mmap,
5623 .file_mprotect = selinux_file_mprotect,
5624 .file_lock = selinux_file_lock,
5625 .file_fcntl = selinux_file_fcntl,
5626 .file_set_fowner = selinux_file_set_fowner,
5627 .file_send_sigiotask = selinux_file_send_sigiotask,
5628 .file_receive = selinux_file_receive,
5630 .dentry_open = selinux_dentry_open,
5632 .task_create = selinux_task_create,
5633 .cred_alloc_blank = selinux_cred_alloc_blank,
5634 .cred_free = selinux_cred_free,
5635 .cred_prepare = selinux_cred_prepare,
5636 .cred_transfer = selinux_cred_transfer,
5637 .kernel_act_as = selinux_kernel_act_as,
5638 .kernel_create_files_as = selinux_kernel_create_files_as,
5639 .kernel_module_request = selinux_kernel_module_request,
5640 .task_setpgid = selinux_task_setpgid,
5641 .task_getpgid = selinux_task_getpgid,
5642 .task_getsid = selinux_task_getsid,
5643 .task_getsecid = selinux_task_getsecid,
5644 .task_setnice = selinux_task_setnice,
5645 .task_setioprio = selinux_task_setioprio,
5646 .task_getioprio = selinux_task_getioprio,
5647 .task_setrlimit = selinux_task_setrlimit,
5648 .task_setscheduler = selinux_task_setscheduler,
5649 .task_getscheduler = selinux_task_getscheduler,
5650 .task_movememory = selinux_task_movememory,
5651 .task_kill = selinux_task_kill,
5652 .task_wait = selinux_task_wait,
5653 .task_to_inode = selinux_task_to_inode,
5655 .ipc_permission = selinux_ipc_permission,
5656 .ipc_getsecid = selinux_ipc_getsecid,
5658 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5659 .msg_msg_free_security = selinux_msg_msg_free_security,
5661 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5662 .msg_queue_free_security = selinux_msg_queue_free_security,
5663 .msg_queue_associate = selinux_msg_queue_associate,
5664 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5665 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5666 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5668 .shm_alloc_security = selinux_shm_alloc_security,
5669 .shm_free_security = selinux_shm_free_security,
5670 .shm_associate = selinux_shm_associate,
5671 .shm_shmctl = selinux_shm_shmctl,
5672 .shm_shmat = selinux_shm_shmat,
5674 .sem_alloc_security = selinux_sem_alloc_security,
5675 .sem_free_security = selinux_sem_free_security,
5676 .sem_associate = selinux_sem_associate,
5677 .sem_semctl = selinux_sem_semctl,
5678 .sem_semop = selinux_sem_semop,
5680 .d_instantiate = selinux_d_instantiate,
5682 .getprocattr = selinux_getprocattr,
5683 .setprocattr = selinux_setprocattr,
5685 .secid_to_secctx = selinux_secid_to_secctx,
5686 .secctx_to_secid = selinux_secctx_to_secid,
5687 .release_secctx = selinux_release_secctx,
5688 .inode_notifysecctx = selinux_inode_notifysecctx,
5689 .inode_setsecctx = selinux_inode_setsecctx,
5690 .inode_getsecctx = selinux_inode_getsecctx,
5692 .unix_stream_connect = selinux_socket_unix_stream_connect,
5693 .unix_may_send = selinux_socket_unix_may_send,
5695 .socket_create = selinux_socket_create,
5696 .socket_post_create = selinux_socket_post_create,
5697 .socket_bind = selinux_socket_bind,
5698 .socket_connect = selinux_socket_connect,
5699 .socket_listen = selinux_socket_listen,
5700 .socket_accept = selinux_socket_accept,
5701 .socket_sendmsg = selinux_socket_sendmsg,
5702 .socket_recvmsg = selinux_socket_recvmsg,
5703 .socket_getsockname = selinux_socket_getsockname,
5704 .socket_getpeername = selinux_socket_getpeername,
5705 .socket_getsockopt = selinux_socket_getsockopt,
5706 .socket_setsockopt = selinux_socket_setsockopt,
5707 .socket_shutdown = selinux_socket_shutdown,
5708 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5709 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5710 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5711 .sk_alloc_security = selinux_sk_alloc_security,
5712 .sk_free_security = selinux_sk_free_security,
5713 .sk_clone_security = selinux_sk_clone_security,
5714 .sk_getsecid = selinux_sk_getsecid,
5715 .sock_graft = selinux_sock_graft,
5716 .inet_conn_request = selinux_inet_conn_request,
5717 .inet_csk_clone = selinux_inet_csk_clone,
5718 .inet_conn_established = selinux_inet_conn_established,
5719 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5720 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5721 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5722 .req_classify_flow = selinux_req_classify_flow,
5723 .tun_dev_create = selinux_tun_dev_create,
5724 .tun_dev_post_create = selinux_tun_dev_post_create,
5725 .tun_dev_attach = selinux_tun_dev_attach,
5727 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5728 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5729 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5730 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5731 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5732 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5733 .xfrm_state_free_security = selinux_xfrm_state_free,
5734 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5735 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5736 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5737 .xfrm_decode_session = selinux_xfrm_decode_session,
5741 .key_alloc = selinux_key_alloc,
5742 .key_free = selinux_key_free,
5743 .key_permission = selinux_key_permission,
5744 .key_getsecurity = selinux_key_getsecurity,
5748 .audit_rule_init = selinux_audit_rule_init,
5749 .audit_rule_known = selinux_audit_rule_known,
5750 .audit_rule_match = selinux_audit_rule_match,
5751 .audit_rule_free = selinux_audit_rule_free,
5755 static __init int selinux_init(void)
5757 if (!security_module_enable(&selinux_ops)) {
5758 selinux_enabled = 0;
5762 if (!selinux_enabled) {
5763 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5767 printk(KERN_INFO "SELinux: Initializing.\n");
5769 /* Set the security state for the initial task. */
5770 cred_init_security();
5772 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5774 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5775 sizeof(struct inode_security_struct),
5776 0, SLAB_PANIC, NULL);
5779 if (register_security(&selinux_ops))
5780 panic("SELinux: Unable to register with kernel.\n");
5782 if (selinux_enforcing)
5783 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5785 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5790 static void delayed_superblock_init(struct super_block *sb, void *unused)
5792 superblock_doinit(sb, NULL);
5795 void selinux_complete_init(void)
5797 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5799 /* Set up any superblocks initialized prior to the policy load. */
5800 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5801 iterate_supers(delayed_superblock_init, NULL);
5804 /* SELinux requires early initialization in order to label
5805 all processes and objects when they are created. */
5806 security_initcall(selinux_init);
5808 #if defined(CONFIG_NETFILTER)
5810 static struct nf_hook_ops selinux_ipv4_ops[] = {
5812 .hook = selinux_ipv4_postroute,
5813 .owner = THIS_MODULE,
5815 .hooknum = NF_INET_POST_ROUTING,
5816 .priority = NF_IP_PRI_SELINUX_LAST,
5819 .hook = selinux_ipv4_forward,
5820 .owner = THIS_MODULE,
5822 .hooknum = NF_INET_FORWARD,
5823 .priority = NF_IP_PRI_SELINUX_FIRST,
5826 .hook = selinux_ipv4_output,
5827 .owner = THIS_MODULE,
5829 .hooknum = NF_INET_LOCAL_OUT,
5830 .priority = NF_IP_PRI_SELINUX_FIRST,
5834 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5836 static struct nf_hook_ops selinux_ipv6_ops[] = {
5838 .hook = selinux_ipv6_postroute,
5839 .owner = THIS_MODULE,
5841 .hooknum = NF_INET_POST_ROUTING,
5842 .priority = NF_IP6_PRI_SELINUX_LAST,
5845 .hook = selinux_ipv6_forward,
5846 .owner = THIS_MODULE,
5848 .hooknum = NF_INET_FORWARD,
5849 .priority = NF_IP6_PRI_SELINUX_FIRST,
5855 static int __init selinux_nf_ip_init(void)
5859 if (!selinux_enabled)
5862 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5864 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5866 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5868 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5869 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5871 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5878 __initcall(selinux_nf_ip_init);
5880 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5881 static void selinux_nf_ip_exit(void)
5883 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5885 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5886 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5887 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5892 #else /* CONFIG_NETFILTER */
5894 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5895 #define selinux_nf_ip_exit()
5898 #endif /* CONFIG_NETFILTER */
5900 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5901 static int selinux_disabled;
5903 int selinux_disable(void)
5905 if (ss_initialized) {
5906 /* Not permitted after initial policy load. */
5910 if (selinux_disabled) {
5911 /* Only do this once. */
5915 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5917 selinux_disabled = 1;
5918 selinux_enabled = 0;
5920 reset_security_ops();
5922 /* Try to destroy the avc node cache */
5925 /* Unregister netfilter hooks. */
5926 selinux_nf_ip_exit();
5928 /* Unregister selinuxfs. */