2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
16 * Paul Moore, <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <asm/uaccess.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h> /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/dccp.h>
62 #include <linux/quota.h>
63 #include <linux/un.h> /* for Unix socket types */
64 #include <net/af_unix.h> /* for Unix socket types */
65 #include <linux/parser.h>
66 #include <linux/nfs_mount.h>
68 #include <linux/hugetlb.h>
69 #include <linux/personality.h>
70 #include <linux/sysctl.h>
71 #include <linux/audit.h>
72 #include <linux/string.h>
73 #include <linux/selinux.h>
74 #include <linux/mutex.h>
82 #define XATTR_SELINUX_SUFFIX "selinux"
83 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
85 #define NUM_SEL_MNT_OPTS 4
87 extern unsigned int policydb_loaded_version;
88 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
89 extern int selinux_compat_net;
90 extern struct security_operations *security_ops;
92 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
93 int selinux_enforcing = 0;
95 static int __init enforcing_setup(char *str)
97 selinux_enforcing = simple_strtol(str,NULL,0);
100 __setup("enforcing=", enforcing_setup);
103 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
104 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
106 static int __init selinux_enabled_setup(char *str)
108 selinux_enabled = simple_strtol(str, NULL, 0);
111 __setup("selinux=", selinux_enabled_setup);
113 int selinux_enabled = 1;
116 /* Original (dummy) security module. */
117 static struct security_operations *original_ops = NULL;
119 /* Minimal support for a secondary security module,
120 just to allow the use of the dummy or capability modules.
121 The owlsm module can alternatively be used as a secondary
122 module as long as CONFIG_OWLSM_FD is not enabled. */
123 static struct security_operations *secondary_ops = NULL;
125 /* Lists of inode and superblock security structures initialized
126 before the policy was loaded. */
127 static LIST_HEAD(superblock_security_head);
128 static DEFINE_SPINLOCK(sb_security_lock);
130 static struct kmem_cache *sel_inode_cache;
132 /* Return security context for a given sid or just the context
133 length if the buffer is null or length is 0 */
134 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
140 rc = security_sid_to_context(sid, &context, &len);
144 if (!buffer || !size)
145 goto getsecurity_exit;
149 goto getsecurity_exit;
151 memcpy(buffer, context, len);
158 /* Allocate and free functions for each kind of security blob. */
160 static int task_alloc_security(struct task_struct *task)
162 struct task_security_struct *tsec;
164 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
169 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
170 task->security = tsec;
175 static void task_free_security(struct task_struct *task)
177 struct task_security_struct *tsec = task->security;
178 task->security = NULL;
182 static int inode_alloc_security(struct inode *inode)
184 struct task_security_struct *tsec = current->security;
185 struct inode_security_struct *isec;
187 isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
191 mutex_init(&isec->lock);
192 INIT_LIST_HEAD(&isec->list);
194 isec->sid = SECINITSID_UNLABELED;
195 isec->sclass = SECCLASS_FILE;
196 isec->task_sid = tsec->sid;
197 inode->i_security = isec;
202 static void inode_free_security(struct inode *inode)
204 struct inode_security_struct *isec = inode->i_security;
205 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
207 spin_lock(&sbsec->isec_lock);
208 if (!list_empty(&isec->list))
209 list_del_init(&isec->list);
210 spin_unlock(&sbsec->isec_lock);
212 inode->i_security = NULL;
213 kmem_cache_free(sel_inode_cache, isec);
216 static int file_alloc_security(struct file *file)
218 struct task_security_struct *tsec = current->security;
219 struct file_security_struct *fsec;
221 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
226 fsec->sid = tsec->sid;
227 fsec->fown_sid = tsec->sid;
228 file->f_security = fsec;
233 static void file_free_security(struct file *file)
235 struct file_security_struct *fsec = file->f_security;
236 file->f_security = NULL;
240 static int superblock_alloc_security(struct super_block *sb)
242 struct superblock_security_struct *sbsec;
244 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
248 mutex_init(&sbsec->lock);
249 INIT_LIST_HEAD(&sbsec->list);
250 INIT_LIST_HEAD(&sbsec->isec_head);
251 spin_lock_init(&sbsec->isec_lock);
253 sbsec->sid = SECINITSID_UNLABELED;
254 sbsec->def_sid = SECINITSID_FILE;
255 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
256 sb->s_security = sbsec;
261 static void superblock_free_security(struct super_block *sb)
263 struct superblock_security_struct *sbsec = sb->s_security;
265 spin_lock(&sb_security_lock);
266 if (!list_empty(&sbsec->list))
267 list_del_init(&sbsec->list);
268 spin_unlock(&sb_security_lock);
270 sb->s_security = NULL;
274 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
276 struct sk_security_struct *ssec;
278 ssec = kzalloc(sizeof(*ssec), priority);
283 ssec->peer_sid = SECINITSID_UNLABELED;
284 ssec->sid = SECINITSID_UNLABELED;
285 sk->sk_security = ssec;
287 selinux_netlbl_sk_security_init(ssec, family);
292 static void sk_free_security(struct sock *sk)
294 struct sk_security_struct *ssec = sk->sk_security;
296 sk->sk_security = NULL;
300 /* The security server must be initialized before
301 any labeling or access decisions can be provided. */
302 extern int ss_initialized;
304 /* The file system's label must be initialized prior to use. */
306 static char *labeling_behaviors[6] = {
308 "uses transition SIDs",
310 "uses genfs_contexts",
311 "not configured for labeling",
312 "uses mountpoint labeling",
315 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
317 static inline int inode_doinit(struct inode *inode)
319 return inode_doinit_with_dentry(inode, NULL);
330 static match_table_t tokens = {
331 {Opt_context, "context=%s"},
332 {Opt_fscontext, "fscontext=%s"},
333 {Opt_defcontext, "defcontext=%s"},
334 {Opt_rootcontext, "rootcontext=%s"},
338 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
340 static int may_context_mount_sb_relabel(u32 sid,
341 struct superblock_security_struct *sbsec,
342 struct task_security_struct *tsec)
346 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
347 FILESYSTEM__RELABELFROM, NULL);
351 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
352 FILESYSTEM__RELABELTO, NULL);
356 static int may_context_mount_inode_relabel(u32 sid,
357 struct superblock_security_struct *sbsec,
358 struct task_security_struct *tsec)
361 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
362 FILESYSTEM__RELABELFROM, NULL);
366 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
367 FILESYSTEM__ASSOCIATE, NULL);
371 static int sb_finish_set_opts(struct super_block *sb)
373 struct superblock_security_struct *sbsec = sb->s_security;
374 struct dentry *root = sb->s_root;
375 struct inode *root_inode = root->d_inode;
378 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
379 /* Make sure that the xattr handler exists and that no
380 error other than -ENODATA is returned by getxattr on
381 the root directory. -ENODATA is ok, as this may be
382 the first boot of the SELinux kernel before we have
383 assigned xattr values to the filesystem. */
384 if (!root_inode->i_op->getxattr) {
385 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
386 "xattr support\n", sb->s_id, sb->s_type->name);
390 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
391 if (rc < 0 && rc != -ENODATA) {
392 if (rc == -EOPNOTSUPP)
393 printk(KERN_WARNING "SELinux: (dev %s, type "
394 "%s) has no security xattr handler\n",
395 sb->s_id, sb->s_type->name);
397 printk(KERN_WARNING "SELinux: (dev %s, type "
398 "%s) getxattr errno %d\n", sb->s_id,
399 sb->s_type->name, -rc);
404 sbsec->initialized = 1;
406 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
407 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
408 sb->s_id, sb->s_type->name);
410 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
411 sb->s_id, sb->s_type->name,
412 labeling_behaviors[sbsec->behavior-1]);
414 /* Initialize the root inode. */
415 rc = inode_doinit_with_dentry(root_inode, root);
417 /* Initialize any other inodes associated with the superblock, e.g.
418 inodes created prior to initial policy load or inodes created
419 during get_sb by a pseudo filesystem that directly
421 spin_lock(&sbsec->isec_lock);
423 if (!list_empty(&sbsec->isec_head)) {
424 struct inode_security_struct *isec =
425 list_entry(sbsec->isec_head.next,
426 struct inode_security_struct, list);
427 struct inode *inode = isec->inode;
428 spin_unlock(&sbsec->isec_lock);
429 inode = igrab(inode);
431 if (!IS_PRIVATE(inode))
435 spin_lock(&sbsec->isec_lock);
436 list_del_init(&isec->list);
439 spin_unlock(&sbsec->isec_lock);
445 * This function should allow an FS to ask what it's mount security
446 * options were so it can use those later for submounts, displaying
447 * mount options, or whatever.
449 static int selinux_get_mnt_opts(const struct super_block *sb,
450 char ***mount_options, int **mnt_opts_flags,
454 struct superblock_security_struct *sbsec = sb->s_security;
455 char *context = NULL;
460 *mount_options = NULL;
461 *mnt_opts_flags = NULL;
463 if (!sbsec->initialized)
470 * if we ever use sbsec flags for anything other than tracking mount
471 * settings this is going to need a mask
474 /* count the number of mount options for this sb */
475 for (i = 0; i < 8; i++) {
481 *mount_options = kcalloc(*num_opts, sizeof(char *), GFP_ATOMIC);
482 if (!*mount_options) {
487 *mnt_opts_flags = kcalloc(*num_opts, sizeof(int), GFP_ATOMIC);
488 if (!*mnt_opts_flags) {
494 if (sbsec->flags & FSCONTEXT_MNT) {
495 rc = security_sid_to_context(sbsec->sid, &context, &len);
498 (*mount_options)[i] = context;
499 (*mnt_opts_flags)[i++] = FSCONTEXT_MNT;
501 if (sbsec->flags & CONTEXT_MNT) {
502 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
505 (*mount_options)[i] = context;
506 (*mnt_opts_flags)[i++] = CONTEXT_MNT;
508 if (sbsec->flags & DEFCONTEXT_MNT) {
509 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
512 (*mount_options)[i] = context;
513 (*mnt_opts_flags)[i++] = DEFCONTEXT_MNT;
515 if (sbsec->flags & ROOTCONTEXT_MNT) {
516 struct inode *root = sbsec->sb->s_root->d_inode;
517 struct inode_security_struct *isec = root->i_security;
519 rc = security_sid_to_context(isec->sid, &context, &len);
522 (*mount_options)[i] = context;
523 (*mnt_opts_flags)[i++] = ROOTCONTEXT_MNT;
526 BUG_ON(i != *num_opts);
531 /* don't leak context string if security_sid_to_context had an error */
532 if (*mount_options && i)
534 kfree((*mount_options)[i-1]);
535 kfree(*mount_options);
536 *mount_options = NULL;
537 kfree(*mnt_opts_flags);
538 *mnt_opts_flags = NULL;
543 static int bad_option(struct superblock_security_struct *sbsec, char flag,
544 u32 old_sid, u32 new_sid)
546 /* check if the old mount command had the same options */
547 if (sbsec->initialized)
548 if (!(sbsec->flags & flag) ||
549 (old_sid != new_sid))
552 /* check if we were passed the same options twice,
553 * aka someone passed context=a,context=b
555 if (!sbsec->initialized)
556 if (sbsec->flags & flag)
561 * Allow filesystems with binary mount data to explicitly set mount point
562 * labeling information.
564 int selinux_set_mnt_opts(struct super_block *sb, char **mount_options,
565 int *flags, int num_opts)
568 struct task_security_struct *tsec = current->security;
569 struct superblock_security_struct *sbsec = sb->s_security;
570 const char *name = sb->s_type->name;
571 struct inode *inode = sbsec->sb->s_root->d_inode;
572 struct inode_security_struct *root_isec = inode->i_security;
573 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
574 u32 defcontext_sid = 0;
576 mutex_lock(&sbsec->lock);
578 if (!ss_initialized) {
580 /* Defer initialization until selinux_complete_init,
581 after the initial policy is loaded and the security
582 server is ready to handle calls. */
583 spin_lock(&sb_security_lock);
584 if (list_empty(&sbsec->list))
585 list_add(&sbsec->list, &superblock_security_head);
586 spin_unlock(&sb_security_lock);
590 printk(KERN_WARNING "Unable to set superblock options before "
591 "the security server is initialized\n");
596 * parse the mount options, check if they are valid sids.
597 * also check if someone is trying to mount the same sb more
598 * than once with different security options.
600 for (i = 0; i < num_opts; i++) {
602 rc = security_context_to_sid(mount_options[i],
603 strlen(mount_options[i]), &sid);
605 printk(KERN_WARNING "SELinux: security_context_to_sid"
606 "(%s) failed for (dev %s, type %s) errno=%d\n",
607 mount_options[i], sb->s_id, name, rc);
614 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
616 goto out_double_mount;
618 sbsec->flags |= FSCONTEXT_MNT;
623 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
625 goto out_double_mount;
627 sbsec->flags |= CONTEXT_MNT;
629 case ROOTCONTEXT_MNT:
630 rootcontext_sid = sid;
632 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
634 goto out_double_mount;
636 sbsec->flags |= ROOTCONTEXT_MNT;
640 defcontext_sid = sid;
642 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
644 goto out_double_mount;
646 sbsec->flags |= DEFCONTEXT_MNT;
655 if (sbsec->initialized) {
656 /* previously mounted with options, but not on this attempt? */
657 if (sbsec->flags && !num_opts)
658 goto out_double_mount;
663 if (strcmp(sb->s_type->name, "proc") == 0)
666 /* Determine the labeling behavior to use for this filesystem type. */
667 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
669 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
670 __FUNCTION__, sb->s_type->name, rc);
674 /* sets the context of the superblock for the fs being mounted. */
677 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
681 sbsec->sid = fscontext_sid;
685 * Switch to using mount point labeling behavior.
686 * sets the label used on all file below the mountpoint, and will set
687 * the superblock context if not already set.
690 if (!fscontext_sid) {
691 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
694 sbsec->sid = context_sid;
696 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
700 if (!rootcontext_sid)
701 rootcontext_sid = context_sid;
703 sbsec->mntpoint_sid = context_sid;
704 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
707 if (rootcontext_sid) {
708 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
712 root_isec->sid = rootcontext_sid;
713 root_isec->initialized = 1;
716 if (defcontext_sid) {
717 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
719 printk(KERN_WARNING "SELinux: defcontext option is "
720 "invalid for this filesystem type\n");
724 if (defcontext_sid != sbsec->def_sid) {
725 rc = may_context_mount_inode_relabel(defcontext_sid,
731 sbsec->def_sid = defcontext_sid;
734 rc = sb_finish_set_opts(sb);
736 mutex_unlock(&sbsec->lock);
740 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
741 "security settings for (dev %s, type %s)\n", sb->s_id, name);
745 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
746 struct super_block *newsb)
748 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
749 struct superblock_security_struct *newsbsec = newsb->s_security;
751 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
752 int set_context = (oldsbsec->flags & CONTEXT_MNT);
753 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
755 /* we can't error, we can't save the info, this shouldn't get called
756 * this early in the boot process. */
757 BUG_ON(!ss_initialized);
759 /* this might go away sometime down the line if there is a new user
760 * of clone, but for now, nfs better not get here... */
761 BUG_ON(newsbsec->initialized);
763 /* how can we clone if the old one wasn't set up?? */
764 BUG_ON(!oldsbsec->initialized);
766 mutex_lock(&newsbsec->lock);
768 newsbsec->flags = oldsbsec->flags;
770 newsbsec->sid = oldsbsec->sid;
771 newsbsec->def_sid = oldsbsec->def_sid;
772 newsbsec->behavior = oldsbsec->behavior;
775 u32 sid = oldsbsec->mntpoint_sid;
779 if (!set_rootcontext) {
780 struct inode *newinode = newsb->s_root->d_inode;
781 struct inode_security_struct *newisec = newinode->i_security;
784 newsbsec->mntpoint_sid = sid;
786 if (set_rootcontext) {
787 const struct inode *oldinode = oldsb->s_root->d_inode;
788 const struct inode_security_struct *oldisec = oldinode->i_security;
789 struct inode *newinode = newsb->s_root->d_inode;
790 struct inode_security_struct *newisec = newinode->i_security;
792 newisec->sid = oldisec->sid;
795 sb_finish_set_opts(newsb);
796 mutex_unlock(&newsbsec->lock);
800 * string mount options parsing and call set the sbsec
802 static int superblock_doinit(struct super_block *sb, void *data)
804 char *context = NULL, *defcontext = NULL;
805 char *fscontext = NULL, *rootcontext = NULL;
807 char *p, *options = data;
808 /* selinux only know about a fixed number of mount options */
809 char *mnt_opts[NUM_SEL_MNT_OPTS];
810 int mnt_opts_flags[NUM_SEL_MNT_OPTS], num_mnt_opts = 0;
815 /* with the nfs patch this will become a goto out; */
816 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
817 const char *name = sb->s_type->name;
818 /* NFS we understand. */
819 if (!strcmp(name, "nfs")) {
820 struct nfs_mount_data *d = data;
822 if (d->version != NFS_MOUNT_VERSION)
826 context = kstrdup(d->context, GFP_KERNEL);
837 /* Standard string-based options. */
838 while ((p = strsep(&options, "|")) != NULL) {
840 substring_t args[MAX_OPT_ARGS];
845 token = match_token(p, tokens, args);
849 if (context || defcontext) {
851 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
854 context = match_strdup(&args[0]);
864 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
867 fscontext = match_strdup(&args[0]);
874 case Opt_rootcontext:
877 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
880 rootcontext = match_strdup(&args[0]);
888 if (context || defcontext) {
890 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
893 defcontext = match_strdup(&args[0]);
902 printk(KERN_WARNING "SELinux: unknown mount option\n");
910 mnt_opts[num_mnt_opts] = fscontext;
911 mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
914 mnt_opts[num_mnt_opts] = context;
915 mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
918 mnt_opts[num_mnt_opts] = rootcontext;
919 mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
922 mnt_opts[num_mnt_opts] = defcontext;
923 mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
927 rc = selinux_set_mnt_opts(sb, mnt_opts, mnt_opts_flags, num_mnt_opts);
936 static inline u16 inode_mode_to_security_class(umode_t mode)
938 switch (mode & S_IFMT) {
940 return SECCLASS_SOCK_FILE;
942 return SECCLASS_LNK_FILE;
944 return SECCLASS_FILE;
946 return SECCLASS_BLK_FILE;
950 return SECCLASS_CHR_FILE;
952 return SECCLASS_FIFO_FILE;
956 return SECCLASS_FILE;
959 static inline int default_protocol_stream(int protocol)
961 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
964 static inline int default_protocol_dgram(int protocol)
966 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
969 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
976 return SECCLASS_UNIX_STREAM_SOCKET;
978 return SECCLASS_UNIX_DGRAM_SOCKET;
985 if (default_protocol_stream(protocol))
986 return SECCLASS_TCP_SOCKET;
988 return SECCLASS_RAWIP_SOCKET;
990 if (default_protocol_dgram(protocol))
991 return SECCLASS_UDP_SOCKET;
993 return SECCLASS_RAWIP_SOCKET;
995 return SECCLASS_DCCP_SOCKET;
997 return SECCLASS_RAWIP_SOCKET;
1003 return SECCLASS_NETLINK_ROUTE_SOCKET;
1004 case NETLINK_FIREWALL:
1005 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1006 case NETLINK_INET_DIAG:
1007 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1009 return SECCLASS_NETLINK_NFLOG_SOCKET;
1011 return SECCLASS_NETLINK_XFRM_SOCKET;
1012 case NETLINK_SELINUX:
1013 return SECCLASS_NETLINK_SELINUX_SOCKET;
1015 return SECCLASS_NETLINK_AUDIT_SOCKET;
1016 case NETLINK_IP6_FW:
1017 return SECCLASS_NETLINK_IP6FW_SOCKET;
1018 case NETLINK_DNRTMSG:
1019 return SECCLASS_NETLINK_DNRT_SOCKET;
1020 case NETLINK_KOBJECT_UEVENT:
1021 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1023 return SECCLASS_NETLINK_SOCKET;
1026 return SECCLASS_PACKET_SOCKET;
1028 return SECCLASS_KEY_SOCKET;
1030 return SECCLASS_APPLETALK_SOCKET;
1033 return SECCLASS_SOCKET;
1036 #ifdef CONFIG_PROC_FS
1037 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1042 char *buffer, *path, *end;
1044 buffer = (char*)__get_free_page(GFP_KERNEL);
1049 end = buffer+buflen;
1054 while (de && de != de->parent) {
1055 buflen -= de->namelen + 1;
1059 memcpy(end, de->name, de->namelen);
1064 rc = security_genfs_sid("proc", path, tclass, sid);
1065 free_page((unsigned long)buffer);
1069 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1077 /* The inode's security attributes must be initialized before first use. */
1078 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1080 struct superblock_security_struct *sbsec = NULL;
1081 struct inode_security_struct *isec = inode->i_security;
1083 struct dentry *dentry;
1084 #define INITCONTEXTLEN 255
1085 char *context = NULL;
1089 if (isec->initialized)
1092 mutex_lock(&isec->lock);
1093 if (isec->initialized)
1096 sbsec = inode->i_sb->s_security;
1097 if (!sbsec->initialized) {
1098 /* Defer initialization until selinux_complete_init,
1099 after the initial policy is loaded and the security
1100 server is ready to handle calls. */
1101 spin_lock(&sbsec->isec_lock);
1102 if (list_empty(&isec->list))
1103 list_add(&isec->list, &sbsec->isec_head);
1104 spin_unlock(&sbsec->isec_lock);
1108 switch (sbsec->behavior) {
1109 case SECURITY_FS_USE_XATTR:
1110 if (!inode->i_op->getxattr) {
1111 isec->sid = sbsec->def_sid;
1115 /* Need a dentry, since the xattr API requires one.
1116 Life would be simpler if we could just pass the inode. */
1118 /* Called from d_instantiate or d_splice_alias. */
1119 dentry = dget(opt_dentry);
1121 /* Called from selinux_complete_init, try to find a dentry. */
1122 dentry = d_find_alias(inode);
1125 printk(KERN_WARNING "%s: no dentry for dev=%s "
1126 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1131 len = INITCONTEXTLEN;
1132 context = kmalloc(len, GFP_KERNEL);
1138 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1140 if (rc == -ERANGE) {
1141 /* Need a larger buffer. Query for the right size. */
1142 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1150 context = kmalloc(len, GFP_KERNEL);
1156 rc = inode->i_op->getxattr(dentry,
1162 if (rc != -ENODATA) {
1163 printk(KERN_WARNING "%s: getxattr returned "
1164 "%d for dev=%s ino=%ld\n", __FUNCTION__,
1165 -rc, inode->i_sb->s_id, inode->i_ino);
1169 /* Map ENODATA to the default file SID */
1170 sid = sbsec->def_sid;
1173 rc = security_context_to_sid_default(context, rc, &sid,
1176 printk(KERN_WARNING "%s: context_to_sid(%s) "
1177 "returned %d for dev=%s ino=%ld\n",
1178 __FUNCTION__, context, -rc,
1179 inode->i_sb->s_id, inode->i_ino);
1181 /* Leave with the unlabeled SID */
1189 case SECURITY_FS_USE_TASK:
1190 isec->sid = isec->task_sid;
1192 case SECURITY_FS_USE_TRANS:
1193 /* Default to the fs SID. */
1194 isec->sid = sbsec->sid;
1196 /* Try to obtain a transition SID. */
1197 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1198 rc = security_transition_sid(isec->task_sid,
1206 case SECURITY_FS_USE_MNTPOINT:
1207 isec->sid = sbsec->mntpoint_sid;
1210 /* Default to the fs superblock SID. */
1211 isec->sid = sbsec->sid;
1214 struct proc_inode *proci = PROC_I(inode);
1216 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1217 rc = selinux_proc_get_sid(proci->pde,
1228 isec->initialized = 1;
1231 mutex_unlock(&isec->lock);
1233 if (isec->sclass == SECCLASS_FILE)
1234 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1238 /* Convert a Linux signal to an access vector. */
1239 static inline u32 signal_to_av(int sig)
1245 /* Commonly granted from child to parent. */
1246 perm = PROCESS__SIGCHLD;
1249 /* Cannot be caught or ignored */
1250 perm = PROCESS__SIGKILL;
1253 /* Cannot be caught or ignored */
1254 perm = PROCESS__SIGSTOP;
1257 /* All other signals. */
1258 perm = PROCESS__SIGNAL;
1265 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1266 fork check, ptrace check, etc. */
1267 static int task_has_perm(struct task_struct *tsk1,
1268 struct task_struct *tsk2,
1271 struct task_security_struct *tsec1, *tsec2;
1273 tsec1 = tsk1->security;
1274 tsec2 = tsk2->security;
1275 return avc_has_perm(tsec1->sid, tsec2->sid,
1276 SECCLASS_PROCESS, perms, NULL);
1279 /* Check whether a task is allowed to use a capability. */
1280 static int task_has_capability(struct task_struct *tsk,
1283 struct task_security_struct *tsec;
1284 struct avc_audit_data ad;
1286 tsec = tsk->security;
1288 AVC_AUDIT_DATA_INIT(&ad,CAP);
1292 return avc_has_perm(tsec->sid, tsec->sid,
1293 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1296 /* Check whether a task is allowed to use a system operation. */
1297 static int task_has_system(struct task_struct *tsk,
1300 struct task_security_struct *tsec;
1302 tsec = tsk->security;
1304 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1305 SECCLASS_SYSTEM, perms, NULL);
1308 /* Check whether a task has a particular permission to an inode.
1309 The 'adp' parameter is optional and allows other audit
1310 data to be passed (e.g. the dentry). */
1311 static int inode_has_perm(struct task_struct *tsk,
1312 struct inode *inode,
1314 struct avc_audit_data *adp)
1316 struct task_security_struct *tsec;
1317 struct inode_security_struct *isec;
1318 struct avc_audit_data ad;
1320 if (unlikely (IS_PRIVATE (inode)))
1323 tsec = tsk->security;
1324 isec = inode->i_security;
1328 AVC_AUDIT_DATA_INIT(&ad, FS);
1329 ad.u.fs.inode = inode;
1332 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1335 /* Same as inode_has_perm, but pass explicit audit data containing
1336 the dentry to help the auditing code to more easily generate the
1337 pathname if needed. */
1338 static inline int dentry_has_perm(struct task_struct *tsk,
1339 struct vfsmount *mnt,
1340 struct dentry *dentry,
1343 struct inode *inode = dentry->d_inode;
1344 struct avc_audit_data ad;
1345 AVC_AUDIT_DATA_INIT(&ad,FS);
1347 ad.u.fs.dentry = dentry;
1348 return inode_has_perm(tsk, inode, av, &ad);
1351 /* Check whether a task can use an open file descriptor to
1352 access an inode in a given way. Check access to the
1353 descriptor itself, and then use dentry_has_perm to
1354 check a particular permission to the file.
1355 Access to the descriptor is implicitly granted if it
1356 has the same SID as the process. If av is zero, then
1357 access to the file is not checked, e.g. for cases
1358 where only the descriptor is affected like seek. */
1359 static int file_has_perm(struct task_struct *tsk,
1363 struct task_security_struct *tsec = tsk->security;
1364 struct file_security_struct *fsec = file->f_security;
1365 struct vfsmount *mnt = file->f_path.mnt;
1366 struct dentry *dentry = file->f_path.dentry;
1367 struct inode *inode = dentry->d_inode;
1368 struct avc_audit_data ad;
1371 AVC_AUDIT_DATA_INIT(&ad, FS);
1373 ad.u.fs.dentry = dentry;
1375 if (tsec->sid != fsec->sid) {
1376 rc = avc_has_perm(tsec->sid, fsec->sid,
1384 /* av is zero if only checking access to the descriptor. */
1386 return inode_has_perm(tsk, inode, av, &ad);
1391 /* Check whether a task can create a file. */
1392 static int may_create(struct inode *dir,
1393 struct dentry *dentry,
1396 struct task_security_struct *tsec;
1397 struct inode_security_struct *dsec;
1398 struct superblock_security_struct *sbsec;
1400 struct avc_audit_data ad;
1403 tsec = current->security;
1404 dsec = dir->i_security;
1405 sbsec = dir->i_sb->s_security;
1407 AVC_AUDIT_DATA_INIT(&ad, FS);
1408 ad.u.fs.dentry = dentry;
1410 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1411 DIR__ADD_NAME | DIR__SEARCH,
1416 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1417 newsid = tsec->create_sid;
1419 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1425 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1429 return avc_has_perm(newsid, sbsec->sid,
1430 SECCLASS_FILESYSTEM,
1431 FILESYSTEM__ASSOCIATE, &ad);
1434 /* Check whether a task can create a key. */
1435 static int may_create_key(u32 ksid,
1436 struct task_struct *ctx)
1438 struct task_security_struct *tsec;
1440 tsec = ctx->security;
1442 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1446 #define MAY_UNLINK 1
1449 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1450 static int may_link(struct inode *dir,
1451 struct dentry *dentry,
1455 struct task_security_struct *tsec;
1456 struct inode_security_struct *dsec, *isec;
1457 struct avc_audit_data ad;
1461 tsec = current->security;
1462 dsec = dir->i_security;
1463 isec = dentry->d_inode->i_security;
1465 AVC_AUDIT_DATA_INIT(&ad, FS);
1466 ad.u.fs.dentry = dentry;
1469 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1470 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1485 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1489 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1493 static inline int may_rename(struct inode *old_dir,
1494 struct dentry *old_dentry,
1495 struct inode *new_dir,
1496 struct dentry *new_dentry)
1498 struct task_security_struct *tsec;
1499 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1500 struct avc_audit_data ad;
1502 int old_is_dir, new_is_dir;
1505 tsec = current->security;
1506 old_dsec = old_dir->i_security;
1507 old_isec = old_dentry->d_inode->i_security;
1508 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1509 new_dsec = new_dir->i_security;
1511 AVC_AUDIT_DATA_INIT(&ad, FS);
1513 ad.u.fs.dentry = old_dentry;
1514 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1515 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1518 rc = avc_has_perm(tsec->sid, old_isec->sid,
1519 old_isec->sclass, FILE__RENAME, &ad);
1522 if (old_is_dir && new_dir != old_dir) {
1523 rc = avc_has_perm(tsec->sid, old_isec->sid,
1524 old_isec->sclass, DIR__REPARENT, &ad);
1529 ad.u.fs.dentry = new_dentry;
1530 av = DIR__ADD_NAME | DIR__SEARCH;
1531 if (new_dentry->d_inode)
1532 av |= DIR__REMOVE_NAME;
1533 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1536 if (new_dentry->d_inode) {
1537 new_isec = new_dentry->d_inode->i_security;
1538 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1539 rc = avc_has_perm(tsec->sid, new_isec->sid,
1541 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1549 /* Check whether a task can perform a filesystem operation. */
1550 static int superblock_has_perm(struct task_struct *tsk,
1551 struct super_block *sb,
1553 struct avc_audit_data *ad)
1555 struct task_security_struct *tsec;
1556 struct superblock_security_struct *sbsec;
1558 tsec = tsk->security;
1559 sbsec = sb->s_security;
1560 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1564 /* Convert a Linux mode and permission mask to an access vector. */
1565 static inline u32 file_mask_to_av(int mode, int mask)
1569 if ((mode & S_IFMT) != S_IFDIR) {
1570 if (mask & MAY_EXEC)
1571 av |= FILE__EXECUTE;
1572 if (mask & MAY_READ)
1575 if (mask & MAY_APPEND)
1577 else if (mask & MAY_WRITE)
1581 if (mask & MAY_EXEC)
1583 if (mask & MAY_WRITE)
1585 if (mask & MAY_READ)
1592 /* Convert a Linux file to an access vector. */
1593 static inline u32 file_to_av(struct file *file)
1597 if (file->f_mode & FMODE_READ)
1599 if (file->f_mode & FMODE_WRITE) {
1600 if (file->f_flags & O_APPEND)
1609 /* Hook functions begin here. */
1611 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1613 struct task_security_struct *psec = parent->security;
1614 struct task_security_struct *csec = child->security;
1617 rc = secondary_ops->ptrace(parent,child);
1621 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1622 /* Save the SID of the tracing process for later use in apply_creds. */
1623 if (!(child->ptrace & PT_PTRACED) && !rc)
1624 csec->ptrace_sid = psec->sid;
1628 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1629 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1633 error = task_has_perm(current, target, PROCESS__GETCAP);
1637 return secondary_ops->capget(target, effective, inheritable, permitted);
1640 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1641 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1645 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1649 return task_has_perm(current, target, PROCESS__SETCAP);
1652 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1653 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1655 secondary_ops->capset_set(target, effective, inheritable, permitted);
1658 static int selinux_capable(struct task_struct *tsk, int cap)
1662 rc = secondary_ops->capable(tsk, cap);
1666 return task_has_capability(tsk,cap);
1669 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1672 char *buffer, *path, *end;
1675 buffer = (char*)__get_free_page(GFP_KERNEL);
1680 end = buffer+buflen;
1686 const char *name = table->procname;
1687 size_t namelen = strlen(name);
1688 buflen -= namelen + 1;
1692 memcpy(end, name, namelen);
1695 table = table->parent;
1701 memcpy(end, "/sys", 4);
1703 rc = security_genfs_sid("proc", path, tclass, sid);
1705 free_page((unsigned long)buffer);
1710 static int selinux_sysctl(ctl_table *table, int op)
1714 struct task_security_struct *tsec;
1718 rc = secondary_ops->sysctl(table, op);
1722 tsec = current->security;
1724 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1725 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1727 /* Default to the well-defined sysctl SID. */
1728 tsid = SECINITSID_SYSCTL;
1731 /* The op values are "defined" in sysctl.c, thereby creating
1732 * a bad coupling between this module and sysctl.c */
1734 error = avc_has_perm(tsec->sid, tsid,
1735 SECCLASS_DIR, DIR__SEARCH, NULL);
1743 error = avc_has_perm(tsec->sid, tsid,
1744 SECCLASS_FILE, av, NULL);
1750 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1763 rc = superblock_has_perm(current,
1765 FILESYSTEM__QUOTAMOD, NULL);
1770 rc = superblock_has_perm(current,
1772 FILESYSTEM__QUOTAGET, NULL);
1775 rc = 0; /* let the kernel handle invalid cmds */
1781 static int selinux_quota_on(struct dentry *dentry)
1783 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1786 static int selinux_syslog(int type)
1790 rc = secondary_ops->syslog(type);
1795 case 3: /* Read last kernel messages */
1796 case 10: /* Return size of the log buffer */
1797 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1799 case 6: /* Disable logging to console */
1800 case 7: /* Enable logging to console */
1801 case 8: /* Set level of messages printed to console */
1802 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1804 case 0: /* Close log */
1805 case 1: /* Open log */
1806 case 2: /* Read from log */
1807 case 4: /* Read/clear last kernel messages */
1808 case 5: /* Clear ring buffer */
1810 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1817 * Check that a process has enough memory to allocate a new virtual
1818 * mapping. 0 means there is enough memory for the allocation to
1819 * succeed and -ENOMEM implies there is not.
1821 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1822 * if the capability is granted, but __vm_enough_memory requires 1 if
1823 * the capability is granted.
1825 * Do not audit the selinux permission check, as this is applied to all
1826 * processes that allocate mappings.
1828 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1830 int rc, cap_sys_admin = 0;
1831 struct task_security_struct *tsec = current->security;
1833 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1835 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1836 SECCLASS_CAPABILITY,
1837 CAP_TO_MASK(CAP_SYS_ADMIN),
1844 return __vm_enough_memory(mm, pages, cap_sys_admin);
1847 /* binprm security operations */
1849 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1851 struct bprm_security_struct *bsec;
1853 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1858 bsec->sid = SECINITSID_UNLABELED;
1861 bprm->security = bsec;
1865 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1867 struct task_security_struct *tsec;
1868 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1869 struct inode_security_struct *isec;
1870 struct bprm_security_struct *bsec;
1872 struct avc_audit_data ad;
1875 rc = secondary_ops->bprm_set_security(bprm);
1879 bsec = bprm->security;
1884 tsec = current->security;
1885 isec = inode->i_security;
1887 /* Default to the current task SID. */
1888 bsec->sid = tsec->sid;
1890 /* Reset fs, key, and sock SIDs on execve. */
1891 tsec->create_sid = 0;
1892 tsec->keycreate_sid = 0;
1893 tsec->sockcreate_sid = 0;
1895 if (tsec->exec_sid) {
1896 newsid = tsec->exec_sid;
1897 /* Reset exec SID on execve. */
1900 /* Check for a default transition on this program. */
1901 rc = security_transition_sid(tsec->sid, isec->sid,
1902 SECCLASS_PROCESS, &newsid);
1907 AVC_AUDIT_DATA_INIT(&ad, FS);
1908 ad.u.fs.mnt = bprm->file->f_path.mnt;
1909 ad.u.fs.dentry = bprm->file->f_path.dentry;
1911 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1914 if (tsec->sid == newsid) {
1915 rc = avc_has_perm(tsec->sid, isec->sid,
1916 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1920 /* Check permissions for the transition. */
1921 rc = avc_has_perm(tsec->sid, newsid,
1922 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1926 rc = avc_has_perm(newsid, isec->sid,
1927 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1931 /* Clear any possibly unsafe personality bits on exec: */
1932 current->personality &= ~PER_CLEAR_ON_SETID;
1934 /* Set the security field to the new SID. */
1942 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1944 return secondary_ops->bprm_check_security(bprm);
1948 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1950 struct task_security_struct *tsec = current->security;
1953 if (tsec->osid != tsec->sid) {
1954 /* Enable secure mode for SIDs transitions unless
1955 the noatsecure permission is granted between
1956 the two SIDs, i.e. ahp returns 0. */
1957 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1959 PROCESS__NOATSECURE, NULL);
1962 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1965 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1967 kfree(bprm->security);
1968 bprm->security = NULL;
1971 extern struct vfsmount *selinuxfs_mount;
1972 extern struct dentry *selinux_null;
1974 /* Derived from fs/exec.c:flush_old_files. */
1975 static inline void flush_unauthorized_files(struct files_struct * files)
1977 struct avc_audit_data ad;
1978 struct file *file, *devnull = NULL;
1979 struct tty_struct *tty;
1980 struct fdtable *fdt;
1984 mutex_lock(&tty_mutex);
1985 tty = get_current_tty();
1988 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1990 /* Revalidate access to controlling tty.
1991 Use inode_has_perm on the tty inode directly rather
1992 than using file_has_perm, as this particular open
1993 file may belong to another process and we are only
1994 interested in the inode-based check here. */
1995 struct inode *inode = file->f_path.dentry->d_inode;
1996 if (inode_has_perm(current, inode,
1997 FILE__READ | FILE__WRITE, NULL)) {
2003 mutex_unlock(&tty_mutex);
2004 /* Reset controlling tty. */
2008 /* Revalidate access to inherited open files. */
2010 AVC_AUDIT_DATA_INIT(&ad,FS);
2012 spin_lock(&files->file_lock);
2014 unsigned long set, i;
2019 fdt = files_fdtable(files);
2020 if (i >= fdt->max_fds)
2022 set = fdt->open_fds->fds_bits[j];
2025 spin_unlock(&files->file_lock);
2026 for ( ; set ; i++,set >>= 1) {
2031 if (file_has_perm(current,
2033 file_to_av(file))) {
2035 fd = get_unused_fd();
2045 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2046 if (IS_ERR(devnull)) {
2053 fd_install(fd, devnull);
2058 spin_lock(&files->file_lock);
2061 spin_unlock(&files->file_lock);
2064 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2066 struct task_security_struct *tsec;
2067 struct bprm_security_struct *bsec;
2071 secondary_ops->bprm_apply_creds(bprm, unsafe);
2073 tsec = current->security;
2075 bsec = bprm->security;
2078 tsec->osid = tsec->sid;
2080 if (tsec->sid != sid) {
2081 /* Check for shared state. If not ok, leave SID
2082 unchanged and kill. */
2083 if (unsafe & LSM_UNSAFE_SHARE) {
2084 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2085 PROCESS__SHARE, NULL);
2092 /* Check for ptracing, and update the task SID if ok.
2093 Otherwise, leave SID unchanged and kill. */
2094 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2095 rc = avc_has_perm(tsec->ptrace_sid, sid,
2096 SECCLASS_PROCESS, PROCESS__PTRACE,
2108 * called after apply_creds without the task lock held
2110 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2112 struct task_security_struct *tsec;
2113 struct rlimit *rlim, *initrlim;
2114 struct itimerval itimer;
2115 struct bprm_security_struct *bsec;
2118 tsec = current->security;
2119 bsec = bprm->security;
2122 force_sig_specific(SIGKILL, current);
2125 if (tsec->osid == tsec->sid)
2128 /* Close files for which the new task SID is not authorized. */
2129 flush_unauthorized_files(current->files);
2131 /* Check whether the new SID can inherit signal state
2132 from the old SID. If not, clear itimers to avoid
2133 subsequent signal generation and flush and unblock
2134 signals. This must occur _after_ the task SID has
2135 been updated so that any kill done after the flush
2136 will be checked against the new SID. */
2137 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2138 PROCESS__SIGINH, NULL);
2140 memset(&itimer, 0, sizeof itimer);
2141 for (i = 0; i < 3; i++)
2142 do_setitimer(i, &itimer, NULL);
2143 flush_signals(current);
2144 spin_lock_irq(¤t->sighand->siglock);
2145 flush_signal_handlers(current, 1);
2146 sigemptyset(¤t->blocked);
2147 recalc_sigpending();
2148 spin_unlock_irq(¤t->sighand->siglock);
2151 /* Always clear parent death signal on SID transitions. */
2152 current->pdeath_signal = 0;
2154 /* Check whether the new SID can inherit resource limits
2155 from the old SID. If not, reset all soft limits to
2156 the lower of the current task's hard limit and the init
2157 task's soft limit. Note that the setting of hard limits
2158 (even to lower them) can be controlled by the setrlimit
2159 check. The inclusion of the init task's soft limit into
2160 the computation is to avoid resetting soft limits higher
2161 than the default soft limit for cases where the default
2162 is lower than the hard limit, e.g. RLIMIT_CORE or
2164 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2165 PROCESS__RLIMITINH, NULL);
2167 for (i = 0; i < RLIM_NLIMITS; i++) {
2168 rlim = current->signal->rlim + i;
2169 initrlim = init_task.signal->rlim+i;
2170 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2172 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2174 * This will cause RLIMIT_CPU calculations
2177 current->it_prof_expires = jiffies_to_cputime(1);
2181 /* Wake up the parent if it is waiting so that it can
2182 recheck wait permission to the new task SID. */
2183 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
2186 /* superblock security operations */
2188 static int selinux_sb_alloc_security(struct super_block *sb)
2190 return superblock_alloc_security(sb);
2193 static void selinux_sb_free_security(struct super_block *sb)
2195 superblock_free_security(sb);
2198 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2203 return !memcmp(prefix, option, plen);
2206 static inline int selinux_option(char *option, int len)
2208 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2209 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
2210 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2211 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
2214 static inline void take_option(char **to, char *from, int *first, int len)
2221 memcpy(*to, from, len);
2225 static inline void take_selinux_option(char **to, char *from, int *first,
2228 int current_size = 0;
2237 while (current_size < len) {
2247 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
2249 int fnosec, fsec, rc = 0;
2250 char *in_save, *in_curr, *in_end;
2251 char *sec_curr, *nosec_save, *nosec;
2257 /* Binary mount data: just copy */
2258 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2259 copy_page(sec_curr, in_curr);
2263 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2271 in_save = in_end = orig;
2275 open_quote = !open_quote;
2276 if ((*in_end == ',' && open_quote == 0) ||
2278 int len = in_end - in_curr;
2280 if (selinux_option(in_curr, len))
2281 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2283 take_option(&nosec, in_curr, &fnosec, len);
2285 in_curr = in_end + 1;
2287 } while (*in_end++);
2289 strcpy(in_save, nosec_save);
2290 free_page((unsigned long)nosec_save);
2295 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2297 struct avc_audit_data ad;
2300 rc = superblock_doinit(sb, data);
2304 AVC_AUDIT_DATA_INIT(&ad,FS);
2305 ad.u.fs.dentry = sb->s_root;
2306 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2309 static int selinux_sb_statfs(struct dentry *dentry)
2311 struct avc_audit_data ad;
2313 AVC_AUDIT_DATA_INIT(&ad,FS);
2314 ad.u.fs.dentry = dentry->d_sb->s_root;
2315 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2318 static int selinux_mount(char * dev_name,
2319 struct nameidata *nd,
2321 unsigned long flags,
2326 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2330 if (flags & MS_REMOUNT)
2331 return superblock_has_perm(current, nd->mnt->mnt_sb,
2332 FILESYSTEM__REMOUNT, NULL);
2334 return dentry_has_perm(current, nd->mnt, nd->dentry,
2338 static int selinux_umount(struct vfsmount *mnt, int flags)
2342 rc = secondary_ops->sb_umount(mnt, flags);
2346 return superblock_has_perm(current,mnt->mnt_sb,
2347 FILESYSTEM__UNMOUNT,NULL);
2350 /* inode security operations */
2352 static int selinux_inode_alloc_security(struct inode *inode)
2354 return inode_alloc_security(inode);
2357 static void selinux_inode_free_security(struct inode *inode)
2359 inode_free_security(inode);
2362 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2363 char **name, void **value,
2366 struct task_security_struct *tsec;
2367 struct inode_security_struct *dsec;
2368 struct superblock_security_struct *sbsec;
2371 char *namep = NULL, *context;
2373 tsec = current->security;
2374 dsec = dir->i_security;
2375 sbsec = dir->i_sb->s_security;
2377 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2378 newsid = tsec->create_sid;
2380 rc = security_transition_sid(tsec->sid, dsec->sid,
2381 inode_mode_to_security_class(inode->i_mode),
2384 printk(KERN_WARNING "%s: "
2385 "security_transition_sid failed, rc=%d (dev=%s "
2388 -rc, inode->i_sb->s_id, inode->i_ino);
2393 /* Possibly defer initialization to selinux_complete_init. */
2394 if (sbsec->initialized) {
2395 struct inode_security_struct *isec = inode->i_security;
2396 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2398 isec->initialized = 1;
2401 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2405 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2412 rc = security_sid_to_context(newsid, &context, &clen);
2424 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2426 return may_create(dir, dentry, SECCLASS_FILE);
2429 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2433 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2436 return may_link(dir, old_dentry, MAY_LINK);
2439 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2443 rc = secondary_ops->inode_unlink(dir, dentry);
2446 return may_link(dir, dentry, MAY_UNLINK);
2449 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2451 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2454 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2456 return may_create(dir, dentry, SECCLASS_DIR);
2459 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2461 return may_link(dir, dentry, MAY_RMDIR);
2464 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2468 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2472 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2475 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2476 struct inode *new_inode, struct dentry *new_dentry)
2478 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2481 static int selinux_inode_readlink(struct dentry *dentry)
2483 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2486 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2490 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2493 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2496 static int selinux_inode_permission(struct inode *inode, int mask,
2497 struct nameidata *nd)
2501 rc = secondary_ops->inode_permission(inode, mask, nd);
2506 /* No permission to check. Existence test. */
2510 return inode_has_perm(current, inode,
2511 file_mask_to_av(inode->i_mode, mask), NULL);
2514 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2518 rc = secondary_ops->inode_setattr(dentry, iattr);
2522 if (iattr->ia_valid & ATTR_FORCE)
2525 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2526 ATTR_ATIME_SET | ATTR_MTIME_SET))
2527 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2529 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2532 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2534 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2537 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2539 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2540 sizeof XATTR_SECURITY_PREFIX - 1)) {
2541 if (!strcmp(name, XATTR_NAME_CAPS)) {
2542 if (!capable(CAP_SETFCAP))
2544 } else if (!capable(CAP_SYS_ADMIN)) {
2545 /* A different attribute in the security namespace.
2546 Restrict to administrator. */
2551 /* Not an attribute we recognize, so just check the
2552 ordinary setattr permission. */
2553 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2556 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2558 struct task_security_struct *tsec = current->security;
2559 struct inode *inode = dentry->d_inode;
2560 struct inode_security_struct *isec = inode->i_security;
2561 struct superblock_security_struct *sbsec;
2562 struct avc_audit_data ad;
2566 if (strcmp(name, XATTR_NAME_SELINUX))
2567 return selinux_inode_setotherxattr(dentry, name);
2569 sbsec = inode->i_sb->s_security;
2570 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2573 if (!is_owner_or_cap(inode))
2576 AVC_AUDIT_DATA_INIT(&ad,FS);
2577 ad.u.fs.dentry = dentry;
2579 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2580 FILE__RELABELFROM, &ad);
2584 rc = security_context_to_sid(value, size, &newsid);
2588 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2589 FILE__RELABELTO, &ad);
2593 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2598 return avc_has_perm(newsid,
2600 SECCLASS_FILESYSTEM,
2601 FILESYSTEM__ASSOCIATE,
2605 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2606 void *value, size_t size, int flags)
2608 struct inode *inode = dentry->d_inode;
2609 struct inode_security_struct *isec = inode->i_security;
2613 if (strcmp(name, XATTR_NAME_SELINUX)) {
2614 /* Not an attribute we recognize, so nothing to do. */
2618 rc = security_context_to_sid(value, size, &newsid);
2620 printk(KERN_WARNING "%s: unable to obtain SID for context "
2621 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2629 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2631 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2634 static int selinux_inode_listxattr (struct dentry *dentry)
2636 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2639 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2641 if (strcmp(name, XATTR_NAME_SELINUX))
2642 return selinux_inode_setotherxattr(dentry, name);
2644 /* No one is allowed to remove a SELinux security label.
2645 You can change the label, but all data must be labeled. */
2650 * Copy the in-core inode security context value to the user. If the
2651 * getxattr() prior to this succeeded, check to see if we need to
2652 * canonicalize the value to be finally returned to the user.
2654 * Permission check is handled by selinux_inode_getxattr hook.
2656 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2658 struct inode_security_struct *isec = inode->i_security;
2660 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2663 return selinux_getsecurity(isec->sid, buffer, size);
2666 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2667 const void *value, size_t size, int flags)
2669 struct inode_security_struct *isec = inode->i_security;
2673 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2676 if (!value || !size)
2679 rc = security_context_to_sid((void*)value, size, &newsid);
2687 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2689 const int len = sizeof(XATTR_NAME_SELINUX);
2690 if (buffer && len <= buffer_size)
2691 memcpy(buffer, XATTR_NAME_SELINUX, len);
2695 static int selinux_inode_need_killpriv(struct dentry *dentry)
2697 return secondary_ops->inode_need_killpriv(dentry);
2700 static int selinux_inode_killpriv(struct dentry *dentry)
2702 return secondary_ops->inode_killpriv(dentry);
2705 /* file security operations */
2707 static int selinux_revalidate_file_permission(struct file *file, int mask)
2710 struct inode *inode = file->f_path.dentry->d_inode;
2713 /* No permission to check. Existence test. */
2717 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2718 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2721 rc = file_has_perm(current, file,
2722 file_mask_to_av(inode->i_mode, mask));
2726 return selinux_netlbl_inode_permission(inode, mask);
2729 static int selinux_file_permission(struct file *file, int mask)
2731 struct inode *inode = file->f_path.dentry->d_inode;
2732 struct task_security_struct *tsec = current->security;
2733 struct file_security_struct *fsec = file->f_security;
2734 struct inode_security_struct *isec = inode->i_security;
2737 /* No permission to check. Existence test. */
2741 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2742 && fsec->pseqno == avc_policy_seqno())
2743 return selinux_netlbl_inode_permission(inode, mask);
2745 return selinux_revalidate_file_permission(file, mask);
2748 static int selinux_file_alloc_security(struct file *file)
2750 return file_alloc_security(file);
2753 static void selinux_file_free_security(struct file *file)
2755 file_free_security(file);
2758 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2770 case EXT2_IOC_GETFLAGS:
2772 case EXT2_IOC_GETVERSION:
2773 error = file_has_perm(current, file, FILE__GETATTR);
2776 case EXT2_IOC_SETFLAGS:
2778 case EXT2_IOC_SETVERSION:
2779 error = file_has_perm(current, file, FILE__SETATTR);
2782 /* sys_ioctl() checks */
2786 error = file_has_perm(current, file, 0);
2791 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2794 /* default case assumes that the command will go
2795 * to the file's ioctl() function.
2798 error = file_has_perm(current, file, FILE__IOCTL);
2804 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2806 #ifndef CONFIG_PPC32
2807 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2809 * We are making executable an anonymous mapping or a
2810 * private file mapping that will also be writable.
2811 * This has an additional check.
2813 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2820 /* read access is always possible with a mapping */
2821 u32 av = FILE__READ;
2823 /* write access only matters if the mapping is shared */
2824 if (shared && (prot & PROT_WRITE))
2827 if (prot & PROT_EXEC)
2828 av |= FILE__EXECUTE;
2830 return file_has_perm(current, file, av);
2835 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2836 unsigned long prot, unsigned long flags,
2837 unsigned long addr, unsigned long addr_only)
2840 u32 sid = ((struct task_security_struct*)(current->security))->sid;
2842 if (addr < mmap_min_addr)
2843 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2844 MEMPROTECT__MMAP_ZERO, NULL);
2845 if (rc || addr_only)
2848 if (selinux_checkreqprot)
2851 return file_map_prot_check(file, prot,
2852 (flags & MAP_TYPE) == MAP_SHARED);
2855 static int selinux_file_mprotect(struct vm_area_struct *vma,
2856 unsigned long reqprot,
2861 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2865 if (selinux_checkreqprot)
2868 #ifndef CONFIG_PPC32
2869 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2871 if (vma->vm_start >= vma->vm_mm->start_brk &&
2872 vma->vm_end <= vma->vm_mm->brk) {
2873 rc = task_has_perm(current, current,
2875 } else if (!vma->vm_file &&
2876 vma->vm_start <= vma->vm_mm->start_stack &&
2877 vma->vm_end >= vma->vm_mm->start_stack) {
2878 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2879 } else if (vma->vm_file && vma->anon_vma) {
2881 * We are making executable a file mapping that has
2882 * had some COW done. Since pages might have been
2883 * written, check ability to execute the possibly
2884 * modified content. This typically should only
2885 * occur for text relocations.
2887 rc = file_has_perm(current, vma->vm_file,
2895 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2898 static int selinux_file_lock(struct file *file, unsigned int cmd)
2900 return file_has_perm(current, file, FILE__LOCK);
2903 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2910 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2915 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2916 err = file_has_perm(current, file,FILE__WRITE);
2925 /* Just check FD__USE permission */
2926 err = file_has_perm(current, file, 0);
2931 #if BITS_PER_LONG == 32
2936 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2940 err = file_has_perm(current, file, FILE__LOCK);
2947 static int selinux_file_set_fowner(struct file *file)
2949 struct task_security_struct *tsec;
2950 struct file_security_struct *fsec;
2952 tsec = current->security;
2953 fsec = file->f_security;
2954 fsec->fown_sid = tsec->sid;
2959 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2960 struct fown_struct *fown, int signum)
2964 struct task_security_struct *tsec;
2965 struct file_security_struct *fsec;
2967 /* struct fown_struct is never outside the context of a struct file */
2968 file = container_of(fown, struct file, f_owner);
2970 tsec = tsk->security;
2971 fsec = file->f_security;
2974 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2976 perm = signal_to_av(signum);
2978 return avc_has_perm(fsec->fown_sid, tsec->sid,
2979 SECCLASS_PROCESS, perm, NULL);
2982 static int selinux_file_receive(struct file *file)
2984 return file_has_perm(current, file, file_to_av(file));
2987 static int selinux_dentry_open(struct file *file)
2989 struct file_security_struct *fsec;
2990 struct inode *inode;
2991 struct inode_security_struct *isec;
2992 inode = file->f_path.dentry->d_inode;
2993 fsec = file->f_security;
2994 isec = inode->i_security;
2996 * Save inode label and policy sequence number
2997 * at open-time so that selinux_file_permission
2998 * can determine whether revalidation is necessary.
2999 * Task label is already saved in the file security
3000 * struct as its SID.
3002 fsec->isid = isec->sid;
3003 fsec->pseqno = avc_policy_seqno();
3005 * Since the inode label or policy seqno may have changed
3006 * between the selinux_inode_permission check and the saving
3007 * of state above, recheck that access is still permitted.
3008 * Otherwise, access might never be revalidated against the
3009 * new inode label or new policy.
3010 * This check is not redundant - do not remove.
3012 return inode_has_perm(current, inode, file_to_av(file), NULL);
3015 /* task security operations */
3017 static int selinux_task_create(unsigned long clone_flags)
3021 rc = secondary_ops->task_create(clone_flags);
3025 return task_has_perm(current, current, PROCESS__FORK);
3028 static int selinux_task_alloc_security(struct task_struct *tsk)
3030 struct task_security_struct *tsec1, *tsec2;
3033 tsec1 = current->security;
3035 rc = task_alloc_security(tsk);
3038 tsec2 = tsk->security;
3040 tsec2->osid = tsec1->osid;
3041 tsec2->sid = tsec1->sid;
3043 /* Retain the exec, fs, key, and sock SIDs across fork */
3044 tsec2->exec_sid = tsec1->exec_sid;
3045 tsec2->create_sid = tsec1->create_sid;
3046 tsec2->keycreate_sid = tsec1->keycreate_sid;
3047 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3049 /* Retain ptracer SID across fork, if any.
3050 This will be reset by the ptrace hook upon any
3051 subsequent ptrace_attach operations. */
3052 tsec2->ptrace_sid = tsec1->ptrace_sid;
3057 static void selinux_task_free_security(struct task_struct *tsk)
3059 task_free_security(tsk);
3062 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3064 /* Since setuid only affects the current process, and
3065 since the SELinux controls are not based on the Linux
3066 identity attributes, SELinux does not need to control
3067 this operation. However, SELinux does control the use
3068 of the CAP_SETUID and CAP_SETGID capabilities using the
3073 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3075 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3078 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3080 /* See the comment for setuid above. */
3084 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3086 return task_has_perm(current, p, PROCESS__SETPGID);
3089 static int selinux_task_getpgid(struct task_struct *p)
3091 return task_has_perm(current, p, PROCESS__GETPGID);
3094 static int selinux_task_getsid(struct task_struct *p)
3096 return task_has_perm(current, p, PROCESS__GETSESSION);
3099 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3101 selinux_get_task_sid(p, secid);
3104 static int selinux_task_setgroups(struct group_info *group_info)
3106 /* See the comment for setuid above. */
3110 static int selinux_task_setnice(struct task_struct *p, int nice)
3114 rc = secondary_ops->task_setnice(p, nice);
3118 return task_has_perm(current,p, PROCESS__SETSCHED);
3121 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3125 rc = secondary_ops->task_setioprio(p, ioprio);
3129 return task_has_perm(current, p, PROCESS__SETSCHED);
3132 static int selinux_task_getioprio(struct task_struct *p)
3134 return task_has_perm(current, p, PROCESS__GETSCHED);
3137 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3139 struct rlimit *old_rlim = current->signal->rlim + resource;
3142 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3146 /* Control the ability to change the hard limit (whether
3147 lowering or raising it), so that the hard limit can
3148 later be used as a safe reset point for the soft limit
3149 upon context transitions. See selinux_bprm_apply_creds. */
3150 if (old_rlim->rlim_max != new_rlim->rlim_max)
3151 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3156 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3160 rc = secondary_ops->task_setscheduler(p, policy, lp);
3164 return task_has_perm(current, p, PROCESS__SETSCHED);
3167 static int selinux_task_getscheduler(struct task_struct *p)
3169 return task_has_perm(current, p, PROCESS__GETSCHED);
3172 static int selinux_task_movememory(struct task_struct *p)
3174 return task_has_perm(current, p, PROCESS__SETSCHED);
3177 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3182 struct task_security_struct *tsec;
3184 rc = secondary_ops->task_kill(p, info, sig, secid);
3188 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3192 perm = PROCESS__SIGNULL; /* null signal; existence test */
3194 perm = signal_to_av(sig);
3197 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3199 rc = task_has_perm(current, p, perm);
3203 static int selinux_task_prctl(int option,
3209 /* The current prctl operations do not appear to require
3210 any SELinux controls since they merely observe or modify
3211 the state of the current process. */
3215 static int selinux_task_wait(struct task_struct *p)
3217 return task_has_perm(p, current, PROCESS__SIGCHLD);
3220 static void selinux_task_reparent_to_init(struct task_struct *p)
3222 struct task_security_struct *tsec;
3224 secondary_ops->task_reparent_to_init(p);
3227 tsec->osid = tsec->sid;
3228 tsec->sid = SECINITSID_KERNEL;
3232 static void selinux_task_to_inode(struct task_struct *p,
3233 struct inode *inode)
3235 struct task_security_struct *tsec = p->security;
3236 struct inode_security_struct *isec = inode->i_security;
3238 isec->sid = tsec->sid;
3239 isec->initialized = 1;
3243 /* Returns error only if unable to parse addresses */
3244 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3245 struct avc_audit_data *ad, u8 *proto)
3247 int offset, ihlen, ret = -EINVAL;
3248 struct iphdr _iph, *ih;
3250 offset = skb_network_offset(skb);
3251 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3255 ihlen = ih->ihl * 4;
3256 if (ihlen < sizeof(_iph))
3259 ad->u.net.v4info.saddr = ih->saddr;
3260 ad->u.net.v4info.daddr = ih->daddr;
3264 *proto = ih->protocol;
3266 switch (ih->protocol) {
3268 struct tcphdr _tcph, *th;
3270 if (ntohs(ih->frag_off) & IP_OFFSET)
3274 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3278 ad->u.net.sport = th->source;
3279 ad->u.net.dport = th->dest;
3284 struct udphdr _udph, *uh;
3286 if (ntohs(ih->frag_off) & IP_OFFSET)
3290 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3294 ad->u.net.sport = uh->source;
3295 ad->u.net.dport = uh->dest;
3299 case IPPROTO_DCCP: {
3300 struct dccp_hdr _dccph, *dh;
3302 if (ntohs(ih->frag_off) & IP_OFFSET)
3306 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3310 ad->u.net.sport = dh->dccph_sport;
3311 ad->u.net.dport = dh->dccph_dport;
3322 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3324 /* Returns error only if unable to parse addresses */
3325 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3326 struct avc_audit_data *ad, u8 *proto)
3329 int ret = -EINVAL, offset;
3330 struct ipv6hdr _ipv6h, *ip6;
3332 offset = skb_network_offset(skb);
3333 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3337 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3338 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3341 nexthdr = ip6->nexthdr;
3342 offset += sizeof(_ipv6h);
3343 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3352 struct tcphdr _tcph, *th;
3354 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3358 ad->u.net.sport = th->source;
3359 ad->u.net.dport = th->dest;
3364 struct udphdr _udph, *uh;
3366 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3370 ad->u.net.sport = uh->source;
3371 ad->u.net.dport = uh->dest;
3375 case IPPROTO_DCCP: {
3376 struct dccp_hdr _dccph, *dh;
3378 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3382 ad->u.net.sport = dh->dccph_sport;
3383 ad->u.net.dport = dh->dccph_dport;
3387 /* includes fragments */
3397 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3398 char **addrp, int *len, int src, u8 *proto)
3402 switch (ad->u.net.family) {
3404 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3408 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3409 &ad->u.net.v4info.daddr);
3412 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3414 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3418 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3419 &ad->u.net.v6info.daddr);
3430 * selinux_skb_extlbl_sid - Determine the external label of a packet
3432 * @family: protocol family
3433 * @sid: the packet's SID
3436 * Check the various different forms of external packet labeling and determine
3437 * the external SID for the packet. If only one form of external labeling is
3438 * present then it is used, if both labeled IPsec and NetLabel labels are
3439 * present then the SELinux type information is taken from the labeled IPsec
3440 * SA and the MLS sensitivity label information is taken from the NetLabel
3441 * security attributes. This bit of "magic" is done in the call to
3442 * selinux_netlbl_skbuff_getsid().
3445 static void selinux_skb_extlbl_sid(struct sk_buff *skb,
3452 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3453 if (selinux_netlbl_skbuff_getsid(skb,
3455 (xfrm_sid == SECSID_NULL ?
3456 SECINITSID_NETMSG : xfrm_sid),
3458 nlbl_sid = SECSID_NULL;
3459 *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
3462 /* socket security operations */
3463 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3466 struct inode_security_struct *isec;
3467 struct task_security_struct *tsec;
3468 struct avc_audit_data ad;
3471 tsec = task->security;
3472 isec = SOCK_INODE(sock)->i_security;
3474 if (isec->sid == SECINITSID_KERNEL)
3477 AVC_AUDIT_DATA_INIT(&ad,NET);
3478 ad.u.net.sk = sock->sk;
3479 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3485 static int selinux_socket_create(int family, int type,
3486 int protocol, int kern)
3489 struct task_security_struct *tsec;
3495 tsec = current->security;
3496 newsid = tsec->sockcreate_sid ? : tsec->sid;
3497 err = avc_has_perm(tsec->sid, newsid,
3498 socket_type_to_security_class(family, type,
3499 protocol), SOCKET__CREATE, NULL);
3505 static int selinux_socket_post_create(struct socket *sock, int family,
3506 int type, int protocol, int kern)
3509 struct inode_security_struct *isec;
3510 struct task_security_struct *tsec;
3511 struct sk_security_struct *sksec;
3514 isec = SOCK_INODE(sock)->i_security;
3516 tsec = current->security;
3517 newsid = tsec->sockcreate_sid ? : tsec->sid;
3518 isec->sclass = socket_type_to_security_class(family, type, protocol);
3519 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3520 isec->initialized = 1;
3523 sksec = sock->sk->sk_security;
3524 sksec->sid = isec->sid;
3525 err = selinux_netlbl_socket_post_create(sock);
3531 /* Range of port numbers used to automatically bind.
3532 Need to determine whether we should perform a name_bind
3533 permission check between the socket and the port number. */
3535 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3540 err = socket_has_perm(current, sock, SOCKET__BIND);
3545 * If PF_INET or PF_INET6, check name_bind permission for the port.
3546 * Multiple address binding for SCTP is not supported yet: we just
3547 * check the first address now.
3549 family = sock->sk->sk_family;
3550 if (family == PF_INET || family == PF_INET6) {
3552 struct inode_security_struct *isec;
3553 struct task_security_struct *tsec;
3554 struct avc_audit_data ad;
3555 struct sockaddr_in *addr4 = NULL;
3556 struct sockaddr_in6 *addr6 = NULL;
3557 unsigned short snum;
3558 struct sock *sk = sock->sk;
3559 u32 sid, node_perm, addrlen;
3561 tsec = current->security;
3562 isec = SOCK_INODE(sock)->i_security;
3564 if (family == PF_INET) {
3565 addr4 = (struct sockaddr_in *)address;
3566 snum = ntohs(addr4->sin_port);
3567 addrlen = sizeof(addr4->sin_addr.s_addr);
3568 addrp = (char *)&addr4->sin_addr.s_addr;
3570 addr6 = (struct sockaddr_in6 *)address;
3571 snum = ntohs(addr6->sin6_port);
3572 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3573 addrp = (char *)&addr6->sin6_addr.s6_addr;
3579 inet_get_local_port_range(&low, &high);
3581 if (snum < max(PROT_SOCK, low) || snum > high) {
3582 err = security_port_sid(sk->sk_family,
3584 sk->sk_protocol, snum,
3588 AVC_AUDIT_DATA_INIT(&ad,NET);
3589 ad.u.net.sport = htons(snum);
3590 ad.u.net.family = family;
3591 err = avc_has_perm(isec->sid, sid,
3593 SOCKET__NAME_BIND, &ad);
3599 switch(isec->sclass) {
3600 case SECCLASS_TCP_SOCKET:
3601 node_perm = TCP_SOCKET__NODE_BIND;
3604 case SECCLASS_UDP_SOCKET:
3605 node_perm = UDP_SOCKET__NODE_BIND;
3608 case SECCLASS_DCCP_SOCKET:
3609 node_perm = DCCP_SOCKET__NODE_BIND;
3613 node_perm = RAWIP_SOCKET__NODE_BIND;
3617 err = security_node_sid(family, addrp, addrlen, &sid);
3621 AVC_AUDIT_DATA_INIT(&ad,NET);
3622 ad.u.net.sport = htons(snum);
3623 ad.u.net.family = family;
3625 if (family == PF_INET)
3626 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3628 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3630 err = avc_has_perm(isec->sid, sid,
3631 isec->sclass, node_perm, &ad);
3639 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3641 struct inode_security_struct *isec;
3644 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3649 * If a TCP or DCCP socket, check name_connect permission for the port.
3651 isec = SOCK_INODE(sock)->i_security;
3652 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3653 isec->sclass == SECCLASS_DCCP_SOCKET) {
3654 struct sock *sk = sock->sk;
3655 struct avc_audit_data ad;
3656 struct sockaddr_in *addr4 = NULL;
3657 struct sockaddr_in6 *addr6 = NULL;
3658 unsigned short snum;
3661 if (sk->sk_family == PF_INET) {
3662 addr4 = (struct sockaddr_in *)address;
3663 if (addrlen < sizeof(struct sockaddr_in))
3665 snum = ntohs(addr4->sin_port);
3667 addr6 = (struct sockaddr_in6 *)address;
3668 if (addrlen < SIN6_LEN_RFC2133)
3670 snum = ntohs(addr6->sin6_port);
3673 err = security_port_sid(sk->sk_family, sk->sk_type,
3674 sk->sk_protocol, snum, &sid);
3678 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3679 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3681 AVC_AUDIT_DATA_INIT(&ad,NET);
3682 ad.u.net.dport = htons(snum);
3683 ad.u.net.family = sk->sk_family;
3684 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3693 static int selinux_socket_listen(struct socket *sock, int backlog)
3695 return socket_has_perm(current, sock, SOCKET__LISTEN);
3698 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3701 struct inode_security_struct *isec;
3702 struct inode_security_struct *newisec;
3704 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3708 newisec = SOCK_INODE(newsock)->i_security;
3710 isec = SOCK_INODE(sock)->i_security;
3711 newisec->sclass = isec->sclass;
3712 newisec->sid = isec->sid;
3713 newisec->initialized = 1;
3718 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3723 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3727 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3730 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3731 int size, int flags)
3733 return socket_has_perm(current, sock, SOCKET__READ);
3736 static int selinux_socket_getsockname(struct socket *sock)
3738 return socket_has_perm(current, sock, SOCKET__GETATTR);
3741 static int selinux_socket_getpeername(struct socket *sock)
3743 return socket_has_perm(current, sock, SOCKET__GETATTR);
3746 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3750 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3754 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3757 static int selinux_socket_getsockopt(struct socket *sock, int level,
3760 return socket_has_perm(current, sock, SOCKET__GETOPT);
3763 static int selinux_socket_shutdown(struct socket *sock, int how)
3765 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3768 static int selinux_socket_unix_stream_connect(struct socket *sock,
3769 struct socket *other,
3772 struct sk_security_struct *ssec;
3773 struct inode_security_struct *isec;
3774 struct inode_security_struct *other_isec;
3775 struct avc_audit_data ad;
3778 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3782 isec = SOCK_INODE(sock)->i_security;
3783 other_isec = SOCK_INODE(other)->i_security;
3785 AVC_AUDIT_DATA_INIT(&ad,NET);
3786 ad.u.net.sk = other->sk;
3788 err = avc_has_perm(isec->sid, other_isec->sid,
3790 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3794 /* connecting socket */
3795 ssec = sock->sk->sk_security;
3796 ssec->peer_sid = other_isec->sid;
3798 /* server child socket */
3799 ssec = newsk->sk_security;
3800 ssec->peer_sid = isec->sid;
3801 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3806 static int selinux_socket_unix_may_send(struct socket *sock,
3807 struct socket *other)
3809 struct inode_security_struct *isec;
3810 struct inode_security_struct *other_isec;
3811 struct avc_audit_data ad;
3814 isec = SOCK_INODE(sock)->i_security;
3815 other_isec = SOCK_INODE(other)->i_security;
3817 AVC_AUDIT_DATA_INIT(&ad,NET);
3818 ad.u.net.sk = other->sk;
3820 err = avc_has_perm(isec->sid, other_isec->sid,
3821 isec->sclass, SOCKET__SENDTO, &ad);
3828 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3829 struct avc_audit_data *ad, u16 family, char *addrp, int len)
3832 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3833 struct socket *sock;
3837 read_lock_bh(&sk->sk_callback_lock);
3838 sock = sk->sk_socket;
3840 struct inode *inode;
3841 inode = SOCK_INODE(sock);
3843 struct inode_security_struct *isec;
3844 isec = inode->i_security;
3845 sock_sid = isec->sid;
3846 sock_class = isec->sclass;
3849 read_unlock_bh(&sk->sk_callback_lock);
3856 err = sel_netif_sids(skb->dev, &if_sid, NULL);
3860 switch (sock_class) {
3861 case SECCLASS_UDP_SOCKET:
3862 netif_perm = NETIF__UDP_RECV;
3863 node_perm = NODE__UDP_RECV;
3864 recv_perm = UDP_SOCKET__RECV_MSG;
3867 case SECCLASS_TCP_SOCKET:
3868 netif_perm = NETIF__TCP_RECV;
3869 node_perm = NODE__TCP_RECV;
3870 recv_perm = TCP_SOCKET__RECV_MSG;
3873 case SECCLASS_DCCP_SOCKET:
3874 netif_perm = NETIF__DCCP_RECV;
3875 node_perm = NODE__DCCP_RECV;
3876 recv_perm = DCCP_SOCKET__RECV_MSG;
3880 netif_perm = NETIF__RAWIP_RECV;
3881 node_perm = NODE__RAWIP_RECV;
3885 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3889 err = security_node_sid(family, addrp, len, &node_sid);
3893 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3900 err = security_port_sid(sk->sk_family, sk->sk_type,
3901 sk->sk_protocol, ntohs(ad->u.net.sport),
3906 err = avc_has_perm(sock_sid, port_sid,
3907 sock_class, recv_perm, ad);
3914 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3919 struct avc_audit_data ad;
3920 struct sk_security_struct *sksec = sk->sk_security;
3922 family = sk->sk_family;
3923 if (family != PF_INET && family != PF_INET6)
3926 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3927 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
3930 AVC_AUDIT_DATA_INIT(&ad, NET);
3931 ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
3932 ad.u.net.family = family;
3934 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL);
3938 if (selinux_compat_net)
3939 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family,
3942 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
3947 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
3951 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
3956 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3957 int __user *optlen, unsigned len)
3962 struct sk_security_struct *ssec;
3963 struct inode_security_struct *isec;
3964 u32 peer_sid = SECSID_NULL;
3966 isec = SOCK_INODE(sock)->i_security;
3968 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
3969 isec->sclass == SECCLASS_TCP_SOCKET) {
3970 ssec = sock->sk->sk_security;
3971 peer_sid = ssec->peer_sid;
3973 if (peer_sid == SECSID_NULL) {
3978 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3983 if (scontext_len > len) {
3988 if (copy_to_user(optval, scontext, scontext_len))
3992 if (put_user(scontext_len, optlen))
4000 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4002 u32 peer_secid = SECSID_NULL;
4006 family = sock->sk->sk_family;
4007 else if (skb && skb->sk)
4008 family = skb->sk->sk_family;
4012 if (sock && family == PF_UNIX)
4013 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4015 selinux_skb_extlbl_sid(skb, family, &peer_secid);
4018 *secid = peer_secid;
4019 if (peer_secid == SECSID_NULL)
4024 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4026 return sk_alloc_security(sk, family, priority);
4029 static void selinux_sk_free_security(struct sock *sk)
4031 sk_free_security(sk);
4034 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4036 struct sk_security_struct *ssec = sk->sk_security;
4037 struct sk_security_struct *newssec = newsk->sk_security;
4039 newssec->sid = ssec->sid;
4040 newssec->peer_sid = ssec->peer_sid;
4042 selinux_netlbl_sk_security_clone(ssec, newssec);
4045 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4048 *secid = SECINITSID_ANY_SOCKET;
4050 struct sk_security_struct *sksec = sk->sk_security;
4052 *secid = sksec->sid;
4056 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4058 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4059 struct sk_security_struct *sksec = sk->sk_security;
4061 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4062 sk->sk_family == PF_UNIX)
4063 isec->sid = sksec->sid;
4065 selinux_netlbl_sock_graft(sk, parent);
4068 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4069 struct request_sock *req)
4071 struct sk_security_struct *sksec = sk->sk_security;
4076 selinux_skb_extlbl_sid(skb, sk->sk_family, &peersid);
4077 if (peersid == SECSID_NULL) {
4078 req->secid = sksec->sid;
4079 req->peer_secid = SECSID_NULL;
4083 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4087 req->secid = newsid;
4088 req->peer_secid = peersid;
4092 static void selinux_inet_csk_clone(struct sock *newsk,
4093 const struct request_sock *req)
4095 struct sk_security_struct *newsksec = newsk->sk_security;
4097 newsksec->sid = req->secid;
4098 newsksec->peer_sid = req->peer_secid;
4099 /* NOTE: Ideally, we should also get the isec->sid for the
4100 new socket in sync, but we don't have the isec available yet.
4101 So we will wait until sock_graft to do it, by which
4102 time it will have been created and available. */
4104 /* We don't need to take any sort of lock here as we are the only
4105 * thread with access to newsksec */
4106 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4109 static void selinux_inet_conn_established(struct sock *sk,
4110 struct sk_buff *skb)
4112 struct sk_security_struct *sksec = sk->sk_security;
4114 selinux_skb_extlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4117 static void selinux_req_classify_flow(const struct request_sock *req,
4120 fl->secid = req->secid;
4123 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4127 struct nlmsghdr *nlh;
4128 struct socket *sock = sk->sk_socket;
4129 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4131 if (skb->len < NLMSG_SPACE(0)) {
4135 nlh = nlmsg_hdr(skb);
4137 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4139 if (err == -EINVAL) {
4140 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4141 "SELinux: unrecognized netlink message"
4142 " type=%hu for sclass=%hu\n",
4143 nlh->nlmsg_type, isec->sclass);
4144 if (!selinux_enforcing)
4154 err = socket_has_perm(current, sock, perm);
4159 #ifdef CONFIG_NETFILTER
4161 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
4162 struct avc_audit_data *ad,
4163 u16 family, char *addrp, int len)
4166 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
4167 struct socket *sock;
4168 struct inode *inode;
4169 struct inode_security_struct *isec;
4171 sock = sk->sk_socket;
4175 inode = SOCK_INODE(sock);
4179 isec = inode->i_security;
4181 err = sel_netif_sids(dev, &if_sid, NULL);
4185 switch (isec->sclass) {
4186 case SECCLASS_UDP_SOCKET:
4187 netif_perm = NETIF__UDP_SEND;
4188 node_perm = NODE__UDP_SEND;
4189 send_perm = UDP_SOCKET__SEND_MSG;
4192 case SECCLASS_TCP_SOCKET:
4193 netif_perm = NETIF__TCP_SEND;
4194 node_perm = NODE__TCP_SEND;
4195 send_perm = TCP_SOCKET__SEND_MSG;
4198 case SECCLASS_DCCP_SOCKET:
4199 netif_perm = NETIF__DCCP_SEND;
4200 node_perm = NODE__DCCP_SEND;
4201 send_perm = DCCP_SOCKET__SEND_MSG;
4205 netif_perm = NETIF__RAWIP_SEND;
4206 node_perm = NODE__RAWIP_SEND;
4210 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4214 err = security_node_sid(family, addrp, len, &node_sid);
4218 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
4225 err = security_port_sid(sk->sk_family,
4228 ntohs(ad->u.net.dport),
4233 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
4240 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
4241 struct sk_buff *skb,
4242 const struct net_device *in,
4243 const struct net_device *out,
4244 int (*okfn)(struct sk_buff *),
4250 struct avc_audit_data ad;
4251 struct net_device *dev = (struct net_device *)out;
4252 struct sk_security_struct *sksec;
4259 sksec = sk->sk_security;
4261 AVC_AUDIT_DATA_INIT(&ad, NET);
4262 ad.u.net.netif = dev->name;
4263 ad.u.net.family = family;
4265 err = selinux_parse_skb(skb, &ad, &addrp, &len, 0, &proto);
4269 if (selinux_compat_net)
4270 err = selinux_ip_postroute_last_compat(sk, dev, &ad,
4271 family, addrp, len);
4273 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
4279 err = selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto);
4281 return err ? NF_DROP : NF_ACCEPT;
4284 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
4285 struct sk_buff *skb,
4286 const struct net_device *in,
4287 const struct net_device *out,
4288 int (*okfn)(struct sk_buff *))
4290 return selinux_ip_postroute_last(hooknum, skb, in, out, okfn, PF_INET);
4293 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4295 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
4296 struct sk_buff *skb,
4297 const struct net_device *in,
4298 const struct net_device *out,
4299 int (*okfn)(struct sk_buff *))
4301 return selinux_ip_postroute_last(hooknum, skb, in, out, okfn, PF_INET6);
4306 #endif /* CONFIG_NETFILTER */
4308 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4312 err = secondary_ops->netlink_send(sk, skb);
4316 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4317 err = selinux_nlmsg_perm(sk, skb);
4322 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4325 struct avc_audit_data ad;
4327 err = secondary_ops->netlink_recv(skb, capability);
4331 AVC_AUDIT_DATA_INIT(&ad, CAP);
4332 ad.u.cap = capability;
4334 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4335 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4338 static int ipc_alloc_security(struct task_struct *task,
4339 struct kern_ipc_perm *perm,
4342 struct task_security_struct *tsec = task->security;
4343 struct ipc_security_struct *isec;
4345 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4349 isec->sclass = sclass;
4350 isec->ipc_perm = perm;
4351 isec->sid = tsec->sid;
4352 perm->security = isec;
4357 static void ipc_free_security(struct kern_ipc_perm *perm)
4359 struct ipc_security_struct *isec = perm->security;
4360 perm->security = NULL;
4364 static int msg_msg_alloc_security(struct msg_msg *msg)
4366 struct msg_security_struct *msec;
4368 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4373 msec->sid = SECINITSID_UNLABELED;
4374 msg->security = msec;
4379 static void msg_msg_free_security(struct msg_msg *msg)
4381 struct msg_security_struct *msec = msg->security;
4383 msg->security = NULL;
4387 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4390 struct task_security_struct *tsec;
4391 struct ipc_security_struct *isec;
4392 struct avc_audit_data ad;
4394 tsec = current->security;
4395 isec = ipc_perms->security;
4397 AVC_AUDIT_DATA_INIT(&ad, IPC);
4398 ad.u.ipc_id = ipc_perms->key;
4400 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4403 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4405 return msg_msg_alloc_security(msg);
4408 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4410 msg_msg_free_security(msg);
4413 /* message queue security operations */
4414 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4416 struct task_security_struct *tsec;
4417 struct ipc_security_struct *isec;
4418 struct avc_audit_data ad;
4421 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4425 tsec = current->security;
4426 isec = msq->q_perm.security;
4428 AVC_AUDIT_DATA_INIT(&ad, IPC);
4429 ad.u.ipc_id = msq->q_perm.key;
4431 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4434 ipc_free_security(&msq->q_perm);
4440 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4442 ipc_free_security(&msq->q_perm);
4445 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4447 struct task_security_struct *tsec;
4448 struct ipc_security_struct *isec;
4449 struct avc_audit_data ad;
4451 tsec = current->security;
4452 isec = msq->q_perm.security;
4454 AVC_AUDIT_DATA_INIT(&ad, IPC);
4455 ad.u.ipc_id = msq->q_perm.key;
4457 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4458 MSGQ__ASSOCIATE, &ad);
4461 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4469 /* No specific object, just general system-wide information. */
4470 return task_has_system(current, SYSTEM__IPC_INFO);
4473 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4476 perms = MSGQ__SETATTR;
4479 perms = MSGQ__DESTROY;
4485 err = ipc_has_perm(&msq->q_perm, perms);
4489 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4491 struct task_security_struct *tsec;
4492 struct ipc_security_struct *isec;
4493 struct msg_security_struct *msec;
4494 struct avc_audit_data ad;
4497 tsec = current->security;
4498 isec = msq->q_perm.security;
4499 msec = msg->security;
4502 * First time through, need to assign label to the message
4504 if (msec->sid == SECINITSID_UNLABELED) {
4506 * Compute new sid based on current process and
4507 * message queue this message will be stored in
4509 rc = security_transition_sid(tsec->sid,
4517 AVC_AUDIT_DATA_INIT(&ad, IPC);
4518 ad.u.ipc_id = msq->q_perm.key;
4520 /* Can this process write to the queue? */
4521 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4524 /* Can this process send the message */
4525 rc = avc_has_perm(tsec->sid, msec->sid,
4526 SECCLASS_MSG, MSG__SEND, &ad);
4528 /* Can the message be put in the queue? */
4529 rc = avc_has_perm(msec->sid, isec->sid,
4530 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4535 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4536 struct task_struct *target,
4537 long type, int mode)
4539 struct task_security_struct *tsec;
4540 struct ipc_security_struct *isec;
4541 struct msg_security_struct *msec;
4542 struct avc_audit_data ad;
4545 tsec = target->security;
4546 isec = msq->q_perm.security;
4547 msec = msg->security;
4549 AVC_AUDIT_DATA_INIT(&ad, IPC);
4550 ad.u.ipc_id = msq->q_perm.key;
4552 rc = avc_has_perm(tsec->sid, isec->sid,
4553 SECCLASS_MSGQ, MSGQ__READ, &ad);
4555 rc = avc_has_perm(tsec->sid, msec->sid,
4556 SECCLASS_MSG, MSG__RECEIVE, &ad);
4560 /* Shared Memory security operations */
4561 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4563 struct task_security_struct *tsec;
4564 struct ipc_security_struct *isec;
4565 struct avc_audit_data ad;
4568 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4572 tsec = current->security;
4573 isec = shp->shm_perm.security;
4575 AVC_AUDIT_DATA_INIT(&ad, IPC);
4576 ad.u.ipc_id = shp->shm_perm.key;
4578 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4581 ipc_free_security(&shp->shm_perm);
4587 static void selinux_shm_free_security(struct shmid_kernel *shp)
4589 ipc_free_security(&shp->shm_perm);
4592 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4594 struct task_security_struct *tsec;
4595 struct ipc_security_struct *isec;
4596 struct avc_audit_data ad;
4598 tsec = current->security;
4599 isec = shp->shm_perm.security;
4601 AVC_AUDIT_DATA_INIT(&ad, IPC);
4602 ad.u.ipc_id = shp->shm_perm.key;
4604 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4605 SHM__ASSOCIATE, &ad);
4608 /* Note, at this point, shp is locked down */
4609 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4617 /* No specific object, just general system-wide information. */
4618 return task_has_system(current, SYSTEM__IPC_INFO);
4621 perms = SHM__GETATTR | SHM__ASSOCIATE;
4624 perms = SHM__SETATTR;
4631 perms = SHM__DESTROY;
4637 err = ipc_has_perm(&shp->shm_perm, perms);
4641 static int selinux_shm_shmat(struct shmid_kernel *shp,
4642 char __user *shmaddr, int shmflg)
4647 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4651 if (shmflg & SHM_RDONLY)
4654 perms = SHM__READ | SHM__WRITE;
4656 return ipc_has_perm(&shp->shm_perm, perms);
4659 /* Semaphore security operations */
4660 static int selinux_sem_alloc_security(struct sem_array *sma)
4662 struct task_security_struct *tsec;
4663 struct ipc_security_struct *isec;
4664 struct avc_audit_data ad;
4667 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4671 tsec = current->security;
4672 isec = sma->sem_perm.security;
4674 AVC_AUDIT_DATA_INIT(&ad, IPC);
4675 ad.u.ipc_id = sma->sem_perm.key;
4677 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4680 ipc_free_security(&sma->sem_perm);
4686 static void selinux_sem_free_security(struct sem_array *sma)
4688 ipc_free_security(&sma->sem_perm);
4691 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4693 struct task_security_struct *tsec;
4694 struct ipc_security_struct *isec;
4695 struct avc_audit_data ad;
4697 tsec = current->security;
4698 isec = sma->sem_perm.security;
4700 AVC_AUDIT_DATA_INIT(&ad, IPC);
4701 ad.u.ipc_id = sma->sem_perm.key;
4703 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4704 SEM__ASSOCIATE, &ad);
4707 /* Note, at this point, sma is locked down */
4708 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4716 /* No specific object, just general system-wide information. */
4717 return task_has_system(current, SYSTEM__IPC_INFO);
4721 perms = SEM__GETATTR;
4732 perms = SEM__DESTROY;
4735 perms = SEM__SETATTR;
4739 perms = SEM__GETATTR | SEM__ASSOCIATE;
4745 err = ipc_has_perm(&sma->sem_perm, perms);
4749 static int selinux_sem_semop(struct sem_array *sma,
4750 struct sembuf *sops, unsigned nsops, int alter)
4755 perms = SEM__READ | SEM__WRITE;
4759 return ipc_has_perm(&sma->sem_perm, perms);
4762 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4768 av |= IPC__UNIX_READ;
4770 av |= IPC__UNIX_WRITE;
4775 return ipc_has_perm(ipcp, av);
4778 /* module stacking operations */
4779 static int selinux_register_security (const char *name, struct security_operations *ops)
4781 if (secondary_ops != original_ops) {
4782 printk(KERN_ERR "%s: There is already a secondary security "
4783 "module registered.\n", __FUNCTION__);
4787 secondary_ops = ops;
4789 printk(KERN_INFO "%s: Registering secondary module %s\n",
4796 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4799 inode_doinit_with_dentry(inode, dentry);
4802 static int selinux_getprocattr(struct task_struct *p,
4803 char *name, char **value)
4805 struct task_security_struct *tsec;
4811 error = task_has_perm(current, p, PROCESS__GETATTR);
4818 if (!strcmp(name, "current"))
4820 else if (!strcmp(name, "prev"))
4822 else if (!strcmp(name, "exec"))
4823 sid = tsec->exec_sid;
4824 else if (!strcmp(name, "fscreate"))
4825 sid = tsec->create_sid;
4826 else if (!strcmp(name, "keycreate"))
4827 sid = tsec->keycreate_sid;
4828 else if (!strcmp(name, "sockcreate"))
4829 sid = tsec->sockcreate_sid;
4836 error = security_sid_to_context(sid, value, &len);
4842 static int selinux_setprocattr(struct task_struct *p,
4843 char *name, void *value, size_t size)
4845 struct task_security_struct *tsec;
4851 /* SELinux only allows a process to change its own
4852 security attributes. */
4857 * Basic control over ability to set these attributes at all.
4858 * current == p, but we'll pass them separately in case the
4859 * above restriction is ever removed.
4861 if (!strcmp(name, "exec"))
4862 error = task_has_perm(current, p, PROCESS__SETEXEC);
4863 else if (!strcmp(name, "fscreate"))
4864 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4865 else if (!strcmp(name, "keycreate"))
4866 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
4867 else if (!strcmp(name, "sockcreate"))
4868 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
4869 else if (!strcmp(name, "current"))
4870 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4876 /* Obtain a SID for the context, if one was specified. */
4877 if (size && str[1] && str[1] != '\n') {
4878 if (str[size-1] == '\n') {
4882 error = security_context_to_sid(value, size, &sid);
4887 /* Permission checking based on the specified context is
4888 performed during the actual operation (execve,
4889 open/mkdir/...), when we know the full context of the
4890 operation. See selinux_bprm_set_security for the execve
4891 checks and may_create for the file creation checks. The
4892 operation will then fail if the context is not permitted. */
4894 if (!strcmp(name, "exec"))
4895 tsec->exec_sid = sid;
4896 else if (!strcmp(name, "fscreate"))
4897 tsec->create_sid = sid;
4898 else if (!strcmp(name, "keycreate")) {
4899 error = may_create_key(sid, p);
4902 tsec->keycreate_sid = sid;
4903 } else if (!strcmp(name, "sockcreate"))
4904 tsec->sockcreate_sid = sid;
4905 else if (!strcmp(name, "current")) {
4906 struct av_decision avd;
4911 /* Only allow single threaded processes to change context */
4912 if (atomic_read(&p->mm->mm_users) != 1) {
4913 struct task_struct *g, *t;
4914 struct mm_struct *mm = p->mm;
4915 read_lock(&tasklist_lock);
4916 do_each_thread(g, t)
4917 if (t->mm == mm && t != p) {
4918 read_unlock(&tasklist_lock);
4921 while_each_thread(g, t);
4922 read_unlock(&tasklist_lock);
4925 /* Check permissions for the transition. */
4926 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4927 PROCESS__DYNTRANSITION, NULL);
4931 /* Check for ptracing, and update the task SID if ok.
4932 Otherwise, leave SID unchanged and fail. */
4934 if (p->ptrace & PT_PTRACED) {
4935 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4937 PROCESS__PTRACE, 0, &avd);
4941 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4942 PROCESS__PTRACE, &avd, error, NULL);
4956 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
4958 return security_sid_to_context(secid, secdata, seclen);
4961 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
4963 return security_context_to_sid(secdata, seclen, secid);
4966 static void selinux_release_secctx(char *secdata, u32 seclen)
4973 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
4974 unsigned long flags)
4976 struct task_security_struct *tsec = tsk->security;
4977 struct key_security_struct *ksec;
4979 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
4984 if (tsec->keycreate_sid)
4985 ksec->sid = tsec->keycreate_sid;
4987 ksec->sid = tsec->sid;
4993 static void selinux_key_free(struct key *k)
4995 struct key_security_struct *ksec = k->security;
5001 static int selinux_key_permission(key_ref_t key_ref,
5002 struct task_struct *ctx,
5006 struct task_security_struct *tsec;
5007 struct key_security_struct *ksec;
5009 key = key_ref_to_ptr(key_ref);
5011 tsec = ctx->security;
5012 ksec = key->security;
5014 /* if no specific permissions are requested, we skip the
5015 permission check. No serious, additional covert channels
5016 appear to be created. */
5020 return avc_has_perm(tsec->sid, ksec->sid,
5021 SECCLASS_KEY, perm, NULL);
5026 static struct security_operations selinux_ops = {
5027 .ptrace = selinux_ptrace,
5028 .capget = selinux_capget,
5029 .capset_check = selinux_capset_check,
5030 .capset_set = selinux_capset_set,
5031 .sysctl = selinux_sysctl,
5032 .capable = selinux_capable,
5033 .quotactl = selinux_quotactl,
5034 .quota_on = selinux_quota_on,
5035 .syslog = selinux_syslog,
5036 .vm_enough_memory = selinux_vm_enough_memory,
5038 .netlink_send = selinux_netlink_send,
5039 .netlink_recv = selinux_netlink_recv,
5041 .bprm_alloc_security = selinux_bprm_alloc_security,
5042 .bprm_free_security = selinux_bprm_free_security,
5043 .bprm_apply_creds = selinux_bprm_apply_creds,
5044 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5045 .bprm_set_security = selinux_bprm_set_security,
5046 .bprm_check_security = selinux_bprm_check_security,
5047 .bprm_secureexec = selinux_bprm_secureexec,
5049 .sb_alloc_security = selinux_sb_alloc_security,
5050 .sb_free_security = selinux_sb_free_security,
5051 .sb_copy_data = selinux_sb_copy_data,
5052 .sb_kern_mount = selinux_sb_kern_mount,
5053 .sb_statfs = selinux_sb_statfs,
5054 .sb_mount = selinux_mount,
5055 .sb_umount = selinux_umount,
5056 .sb_get_mnt_opts = selinux_get_mnt_opts,
5057 .sb_set_mnt_opts = selinux_set_mnt_opts,
5058 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5060 .inode_alloc_security = selinux_inode_alloc_security,
5061 .inode_free_security = selinux_inode_free_security,
5062 .inode_init_security = selinux_inode_init_security,
5063 .inode_create = selinux_inode_create,
5064 .inode_link = selinux_inode_link,
5065 .inode_unlink = selinux_inode_unlink,
5066 .inode_symlink = selinux_inode_symlink,
5067 .inode_mkdir = selinux_inode_mkdir,
5068 .inode_rmdir = selinux_inode_rmdir,
5069 .inode_mknod = selinux_inode_mknod,
5070 .inode_rename = selinux_inode_rename,
5071 .inode_readlink = selinux_inode_readlink,
5072 .inode_follow_link = selinux_inode_follow_link,
5073 .inode_permission = selinux_inode_permission,
5074 .inode_setattr = selinux_inode_setattr,
5075 .inode_getattr = selinux_inode_getattr,
5076 .inode_setxattr = selinux_inode_setxattr,
5077 .inode_post_setxattr = selinux_inode_post_setxattr,
5078 .inode_getxattr = selinux_inode_getxattr,
5079 .inode_listxattr = selinux_inode_listxattr,
5080 .inode_removexattr = selinux_inode_removexattr,
5081 .inode_getsecurity = selinux_inode_getsecurity,
5082 .inode_setsecurity = selinux_inode_setsecurity,
5083 .inode_listsecurity = selinux_inode_listsecurity,
5084 .inode_need_killpriv = selinux_inode_need_killpriv,
5085 .inode_killpriv = selinux_inode_killpriv,
5087 .file_permission = selinux_file_permission,
5088 .file_alloc_security = selinux_file_alloc_security,
5089 .file_free_security = selinux_file_free_security,
5090 .file_ioctl = selinux_file_ioctl,
5091 .file_mmap = selinux_file_mmap,
5092 .file_mprotect = selinux_file_mprotect,
5093 .file_lock = selinux_file_lock,
5094 .file_fcntl = selinux_file_fcntl,
5095 .file_set_fowner = selinux_file_set_fowner,
5096 .file_send_sigiotask = selinux_file_send_sigiotask,
5097 .file_receive = selinux_file_receive,
5099 .dentry_open = selinux_dentry_open,
5101 .task_create = selinux_task_create,
5102 .task_alloc_security = selinux_task_alloc_security,
5103 .task_free_security = selinux_task_free_security,
5104 .task_setuid = selinux_task_setuid,
5105 .task_post_setuid = selinux_task_post_setuid,
5106 .task_setgid = selinux_task_setgid,
5107 .task_setpgid = selinux_task_setpgid,
5108 .task_getpgid = selinux_task_getpgid,
5109 .task_getsid = selinux_task_getsid,
5110 .task_getsecid = selinux_task_getsecid,
5111 .task_setgroups = selinux_task_setgroups,
5112 .task_setnice = selinux_task_setnice,
5113 .task_setioprio = selinux_task_setioprio,
5114 .task_getioprio = selinux_task_getioprio,
5115 .task_setrlimit = selinux_task_setrlimit,
5116 .task_setscheduler = selinux_task_setscheduler,
5117 .task_getscheduler = selinux_task_getscheduler,
5118 .task_movememory = selinux_task_movememory,
5119 .task_kill = selinux_task_kill,
5120 .task_wait = selinux_task_wait,
5121 .task_prctl = selinux_task_prctl,
5122 .task_reparent_to_init = selinux_task_reparent_to_init,
5123 .task_to_inode = selinux_task_to_inode,
5125 .ipc_permission = selinux_ipc_permission,
5127 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5128 .msg_msg_free_security = selinux_msg_msg_free_security,
5130 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5131 .msg_queue_free_security = selinux_msg_queue_free_security,
5132 .msg_queue_associate = selinux_msg_queue_associate,
5133 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5134 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5135 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5137 .shm_alloc_security = selinux_shm_alloc_security,
5138 .shm_free_security = selinux_shm_free_security,
5139 .shm_associate = selinux_shm_associate,
5140 .shm_shmctl = selinux_shm_shmctl,
5141 .shm_shmat = selinux_shm_shmat,
5143 .sem_alloc_security = selinux_sem_alloc_security,
5144 .sem_free_security = selinux_sem_free_security,
5145 .sem_associate = selinux_sem_associate,
5146 .sem_semctl = selinux_sem_semctl,
5147 .sem_semop = selinux_sem_semop,
5149 .register_security = selinux_register_security,
5151 .d_instantiate = selinux_d_instantiate,
5153 .getprocattr = selinux_getprocattr,
5154 .setprocattr = selinux_setprocattr,
5156 .secid_to_secctx = selinux_secid_to_secctx,
5157 .secctx_to_secid = selinux_secctx_to_secid,
5158 .release_secctx = selinux_release_secctx,
5160 .unix_stream_connect = selinux_socket_unix_stream_connect,
5161 .unix_may_send = selinux_socket_unix_may_send,
5163 .socket_create = selinux_socket_create,
5164 .socket_post_create = selinux_socket_post_create,
5165 .socket_bind = selinux_socket_bind,
5166 .socket_connect = selinux_socket_connect,
5167 .socket_listen = selinux_socket_listen,
5168 .socket_accept = selinux_socket_accept,
5169 .socket_sendmsg = selinux_socket_sendmsg,
5170 .socket_recvmsg = selinux_socket_recvmsg,
5171 .socket_getsockname = selinux_socket_getsockname,
5172 .socket_getpeername = selinux_socket_getpeername,
5173 .socket_getsockopt = selinux_socket_getsockopt,
5174 .socket_setsockopt = selinux_socket_setsockopt,
5175 .socket_shutdown = selinux_socket_shutdown,
5176 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5177 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5178 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5179 .sk_alloc_security = selinux_sk_alloc_security,
5180 .sk_free_security = selinux_sk_free_security,
5181 .sk_clone_security = selinux_sk_clone_security,
5182 .sk_getsecid = selinux_sk_getsecid,
5183 .sock_graft = selinux_sock_graft,
5184 .inet_conn_request = selinux_inet_conn_request,
5185 .inet_csk_clone = selinux_inet_csk_clone,
5186 .inet_conn_established = selinux_inet_conn_established,
5187 .req_classify_flow = selinux_req_classify_flow,
5189 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5190 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5191 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5192 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5193 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5194 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5195 .xfrm_state_free_security = selinux_xfrm_state_free,
5196 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5197 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5198 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5199 .xfrm_decode_session = selinux_xfrm_decode_session,
5203 .key_alloc = selinux_key_alloc,
5204 .key_free = selinux_key_free,
5205 .key_permission = selinux_key_permission,
5209 static __init int selinux_init(void)
5211 struct task_security_struct *tsec;
5213 if (!selinux_enabled) {
5214 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5218 printk(KERN_INFO "SELinux: Initializing.\n");
5220 /* Set the security state for the initial task. */
5221 if (task_alloc_security(current))
5222 panic("SELinux: Failed to initialize initial task.\n");
5223 tsec = current->security;
5224 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5226 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5227 sizeof(struct inode_security_struct),
5228 0, SLAB_PANIC, NULL);
5231 original_ops = secondary_ops = security_ops;
5233 panic ("SELinux: No initial security operations\n");
5234 if (register_security (&selinux_ops))
5235 panic("SELinux: Unable to register with kernel.\n");
5237 if (selinux_enforcing) {
5238 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5240 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5244 /* Add security information to initial keyrings */
5245 selinux_key_alloc(&root_user_keyring, current,
5246 KEY_ALLOC_NOT_IN_QUOTA);
5247 selinux_key_alloc(&root_session_keyring, current,
5248 KEY_ALLOC_NOT_IN_QUOTA);
5254 void selinux_complete_init(void)
5256 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5258 /* Set up any superblocks initialized prior to the policy load. */
5259 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5260 spin_lock(&sb_lock);
5261 spin_lock(&sb_security_lock);
5263 if (!list_empty(&superblock_security_head)) {
5264 struct superblock_security_struct *sbsec =
5265 list_entry(superblock_security_head.next,
5266 struct superblock_security_struct,
5268 struct super_block *sb = sbsec->sb;
5270 spin_unlock(&sb_security_lock);
5271 spin_unlock(&sb_lock);
5272 down_read(&sb->s_umount);
5274 superblock_doinit(sb, NULL);
5276 spin_lock(&sb_lock);
5277 spin_lock(&sb_security_lock);
5278 list_del_init(&sbsec->list);
5281 spin_unlock(&sb_security_lock);
5282 spin_unlock(&sb_lock);
5285 /* SELinux requires early initialization in order to label
5286 all processes and objects when they are created. */
5287 security_initcall(selinux_init);
5289 #if defined(CONFIG_NETFILTER)
5291 static struct nf_hook_ops selinux_ipv4_op = {
5292 .hook = selinux_ipv4_postroute_last,
5293 .owner = THIS_MODULE,
5295 .hooknum = NF_INET_POST_ROUTING,
5296 .priority = NF_IP_PRI_SELINUX_LAST,
5299 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5301 static struct nf_hook_ops selinux_ipv6_op = {
5302 .hook = selinux_ipv6_postroute_last,
5303 .owner = THIS_MODULE,
5305 .hooknum = NF_INET_POST_ROUTING,
5306 .priority = NF_IP6_PRI_SELINUX_LAST,
5311 static int __init selinux_nf_ip_init(void)
5315 if (!selinux_enabled)
5318 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5320 err = nf_register_hook(&selinux_ipv4_op);
5322 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
5324 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5326 err = nf_register_hook(&selinux_ipv6_op);
5328 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
5336 __initcall(selinux_nf_ip_init);
5338 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5339 static void selinux_nf_ip_exit(void)
5341 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5343 nf_unregister_hook(&selinux_ipv4_op);
5344 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5345 nf_unregister_hook(&selinux_ipv6_op);
5350 #else /* CONFIG_NETFILTER */
5352 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5353 #define selinux_nf_ip_exit()
5356 #endif /* CONFIG_NETFILTER */
5358 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5359 int selinux_disable(void)
5361 extern void exit_sel_fs(void);
5362 static int selinux_disabled = 0;
5364 if (ss_initialized) {
5365 /* Not permitted after initial policy load. */
5369 if (selinux_disabled) {
5370 /* Only do this once. */
5374 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5376 selinux_disabled = 1;
5377 selinux_enabled = 0;
5379 /* Reset security_ops to the secondary module, dummy or capability. */
5380 security_ops = secondary_ops;
5382 /* Unregister netfilter hooks. */
5383 selinux_nf_ip_exit();
5385 /* Unregister selinuxfs. */
git.openpandora.org / pandora-kernel.git / blob