2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
89 #define NUM_SEL_MNT_OPTS 4
91 extern unsigned int policydb_loaded_version;
92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
93 extern int selinux_compat_net;
94 extern struct security_operations *security_ops;
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing = 0;
102 static int __init enforcing_setup(char *str)
104 selinux_enforcing = simple_strtol(str,NULL,0);
107 __setup("enforcing=", enforcing_setup);
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
113 static int __init selinux_enabled_setup(char *str)
115 selinux_enabled = simple_strtol(str, NULL, 0);
118 __setup("selinux=", selinux_enabled_setup);
120 int selinux_enabled = 1;
123 /* Original (dummy) security module. */
124 static struct security_operations *original_ops = NULL;
126 /* Minimal support for a secondary security module,
127 just to allow the use of the dummy or capability modules.
128 The owlsm module can alternatively be used as a secondary
129 module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations *secondary_ops = NULL;
132 /* Lists of inode and superblock security structures initialized
133 before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head);
135 static DEFINE_SPINLOCK(sb_security_lock);
137 static struct kmem_cache *sel_inode_cache;
139 /* Return security context for a given sid or just the context
140 length if the buffer is null or length is 0 */
141 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
147 rc = security_sid_to_context(sid, &context, &len);
151 if (!buffer || !size)
152 goto getsecurity_exit;
156 goto getsecurity_exit;
158 memcpy(buffer, context, len);
166 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
169 * This function checks the SECMARK reference counter to see if any SECMARK
170 * targets are currently configured, if the reference counter is greater than
171 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
172 * enabled, false (0) if SECMARK is disabled.
175 static int selinux_secmark_enabled(void)
177 return (atomic_read(&selinux_secmark_refcount) > 0);
180 /* Allocate and free functions for each kind of security blob. */
182 static int task_alloc_security(struct task_struct *task)
184 struct task_security_struct *tsec;
186 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
191 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
192 task->security = tsec;
197 static void task_free_security(struct task_struct *task)
199 struct task_security_struct *tsec = task->security;
200 task->security = NULL;
204 static int inode_alloc_security(struct inode *inode)
206 struct task_security_struct *tsec = current->security;
207 struct inode_security_struct *isec;
209 isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
213 mutex_init(&isec->lock);
214 INIT_LIST_HEAD(&isec->list);
216 isec->sid = SECINITSID_UNLABELED;
217 isec->sclass = SECCLASS_FILE;
218 isec->task_sid = tsec->sid;
219 inode->i_security = isec;
224 static void inode_free_security(struct inode *inode)
226 struct inode_security_struct *isec = inode->i_security;
227 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
229 spin_lock(&sbsec->isec_lock);
230 if (!list_empty(&isec->list))
231 list_del_init(&isec->list);
232 spin_unlock(&sbsec->isec_lock);
234 inode->i_security = NULL;
235 kmem_cache_free(sel_inode_cache, isec);
238 static int file_alloc_security(struct file *file)
240 struct task_security_struct *tsec = current->security;
241 struct file_security_struct *fsec;
243 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
248 fsec->sid = tsec->sid;
249 fsec->fown_sid = tsec->sid;
250 file->f_security = fsec;
255 static void file_free_security(struct file *file)
257 struct file_security_struct *fsec = file->f_security;
258 file->f_security = NULL;
262 static int superblock_alloc_security(struct super_block *sb)
264 struct superblock_security_struct *sbsec;
266 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
270 mutex_init(&sbsec->lock);
271 INIT_LIST_HEAD(&sbsec->list);
272 INIT_LIST_HEAD(&sbsec->isec_head);
273 spin_lock_init(&sbsec->isec_lock);
275 sbsec->sid = SECINITSID_UNLABELED;
276 sbsec->def_sid = SECINITSID_FILE;
277 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
278 sb->s_security = sbsec;
283 static void superblock_free_security(struct super_block *sb)
285 struct superblock_security_struct *sbsec = sb->s_security;
287 spin_lock(&sb_security_lock);
288 if (!list_empty(&sbsec->list))
289 list_del_init(&sbsec->list);
290 spin_unlock(&sb_security_lock);
292 sb->s_security = NULL;
296 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
298 struct sk_security_struct *ssec;
300 ssec = kzalloc(sizeof(*ssec), priority);
305 ssec->peer_sid = SECINITSID_UNLABELED;
306 ssec->sid = SECINITSID_UNLABELED;
307 sk->sk_security = ssec;
309 selinux_netlbl_sk_security_init(ssec, family);
314 static void sk_free_security(struct sock *sk)
316 struct sk_security_struct *ssec = sk->sk_security;
318 sk->sk_security = NULL;
322 /* The security server must be initialized before
323 any labeling or access decisions can be provided. */
324 extern int ss_initialized;
326 /* The file system's label must be initialized prior to use. */
328 static char *labeling_behaviors[6] = {
330 "uses transition SIDs",
332 "uses genfs_contexts",
333 "not configured for labeling",
334 "uses mountpoint labeling",
337 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
339 static inline int inode_doinit(struct inode *inode)
341 return inode_doinit_with_dentry(inode, NULL);
352 static match_table_t tokens = {
353 {Opt_context, "context=%s"},
354 {Opt_fscontext, "fscontext=%s"},
355 {Opt_defcontext, "defcontext=%s"},
356 {Opt_rootcontext, "rootcontext=%s"},
360 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
362 static int may_context_mount_sb_relabel(u32 sid,
363 struct superblock_security_struct *sbsec,
364 struct task_security_struct *tsec)
368 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
369 FILESYSTEM__RELABELFROM, NULL);
373 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
374 FILESYSTEM__RELABELTO, NULL);
378 static int may_context_mount_inode_relabel(u32 sid,
379 struct superblock_security_struct *sbsec,
380 struct task_security_struct *tsec)
383 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
384 FILESYSTEM__RELABELFROM, NULL);
388 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
389 FILESYSTEM__ASSOCIATE, NULL);
393 static int sb_finish_set_opts(struct super_block *sb)
395 struct superblock_security_struct *sbsec = sb->s_security;
396 struct dentry *root = sb->s_root;
397 struct inode *root_inode = root->d_inode;
400 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
401 /* Make sure that the xattr handler exists and that no
402 error other than -ENODATA is returned by getxattr on
403 the root directory. -ENODATA is ok, as this may be
404 the first boot of the SELinux kernel before we have
405 assigned xattr values to the filesystem. */
406 if (!root_inode->i_op->getxattr) {
407 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
408 "xattr support\n", sb->s_id, sb->s_type->name);
412 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
413 if (rc < 0 && rc != -ENODATA) {
414 if (rc == -EOPNOTSUPP)
415 printk(KERN_WARNING "SELinux: (dev %s, type "
416 "%s) has no security xattr handler\n",
417 sb->s_id, sb->s_type->name);
419 printk(KERN_WARNING "SELinux: (dev %s, type "
420 "%s) getxattr errno %d\n", sb->s_id,
421 sb->s_type->name, -rc);
426 sbsec->initialized = 1;
428 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
429 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
430 sb->s_id, sb->s_type->name);
432 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
433 sb->s_id, sb->s_type->name,
434 labeling_behaviors[sbsec->behavior-1]);
436 /* Initialize the root inode. */
437 rc = inode_doinit_with_dentry(root_inode, root);
439 /* Initialize any other inodes associated with the superblock, e.g.
440 inodes created prior to initial policy load or inodes created
441 during get_sb by a pseudo filesystem that directly
443 spin_lock(&sbsec->isec_lock);
445 if (!list_empty(&sbsec->isec_head)) {
446 struct inode_security_struct *isec =
447 list_entry(sbsec->isec_head.next,
448 struct inode_security_struct, list);
449 struct inode *inode = isec->inode;
450 spin_unlock(&sbsec->isec_lock);
451 inode = igrab(inode);
453 if (!IS_PRIVATE(inode))
457 spin_lock(&sbsec->isec_lock);
458 list_del_init(&isec->list);
461 spin_unlock(&sbsec->isec_lock);
467 * This function should allow an FS to ask what it's mount security
468 * options were so it can use those later for submounts, displaying
469 * mount options, or whatever.
471 static int selinux_get_mnt_opts(const struct super_block *sb,
472 char ***mount_options, int **mnt_opts_flags,
476 struct superblock_security_struct *sbsec = sb->s_security;
477 char *context = NULL;
482 *mount_options = NULL;
483 *mnt_opts_flags = NULL;
485 if (!sbsec->initialized)
492 * if we ever use sbsec flags for anything other than tracking mount
493 * settings this is going to need a mask
496 /* count the number of mount options for this sb */
497 for (i = 0; i < 8; i++) {
503 *mount_options = kcalloc(*num_opts, sizeof(char *), GFP_ATOMIC);
504 if (!*mount_options) {
509 *mnt_opts_flags = kcalloc(*num_opts, sizeof(int), GFP_ATOMIC);
510 if (!*mnt_opts_flags) {
516 if (sbsec->flags & FSCONTEXT_MNT) {
517 rc = security_sid_to_context(sbsec->sid, &context, &len);
520 (*mount_options)[i] = context;
521 (*mnt_opts_flags)[i++] = FSCONTEXT_MNT;
523 if (sbsec->flags & CONTEXT_MNT) {
524 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
527 (*mount_options)[i] = context;
528 (*mnt_opts_flags)[i++] = CONTEXT_MNT;
530 if (sbsec->flags & DEFCONTEXT_MNT) {
531 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
534 (*mount_options)[i] = context;
535 (*mnt_opts_flags)[i++] = DEFCONTEXT_MNT;
537 if (sbsec->flags & ROOTCONTEXT_MNT) {
538 struct inode *root = sbsec->sb->s_root->d_inode;
539 struct inode_security_struct *isec = root->i_security;
541 rc = security_sid_to_context(isec->sid, &context, &len);
544 (*mount_options)[i] = context;
545 (*mnt_opts_flags)[i++] = ROOTCONTEXT_MNT;
548 BUG_ON(i != *num_opts);
553 /* don't leak context string if security_sid_to_context had an error */
554 if (*mount_options && i)
556 kfree((*mount_options)[i-1]);
557 kfree(*mount_options);
558 *mount_options = NULL;
559 kfree(*mnt_opts_flags);
560 *mnt_opts_flags = NULL;
565 static int bad_option(struct superblock_security_struct *sbsec, char flag,
566 u32 old_sid, u32 new_sid)
568 /* check if the old mount command had the same options */
569 if (sbsec->initialized)
570 if (!(sbsec->flags & flag) ||
571 (old_sid != new_sid))
574 /* check if we were passed the same options twice,
575 * aka someone passed context=a,context=b
577 if (!sbsec->initialized)
578 if (sbsec->flags & flag)
583 * Allow filesystems with binary mount data to explicitly set mount point
584 * labeling information.
586 int selinux_set_mnt_opts(struct super_block *sb, char **mount_options,
587 int *flags, int num_opts)
590 struct task_security_struct *tsec = current->security;
591 struct superblock_security_struct *sbsec = sb->s_security;
592 const char *name = sb->s_type->name;
593 struct inode *inode = sbsec->sb->s_root->d_inode;
594 struct inode_security_struct *root_isec = inode->i_security;
595 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
596 u32 defcontext_sid = 0;
598 mutex_lock(&sbsec->lock);
600 if (!ss_initialized) {
602 /* Defer initialization until selinux_complete_init,
603 after the initial policy is loaded and the security
604 server is ready to handle calls. */
605 spin_lock(&sb_security_lock);
606 if (list_empty(&sbsec->list))
607 list_add(&sbsec->list, &superblock_security_head);
608 spin_unlock(&sb_security_lock);
612 printk(KERN_WARNING "Unable to set superblock options before "
613 "the security server is initialized\n");
618 * parse the mount options, check if they are valid sids.
619 * also check if someone is trying to mount the same sb more
620 * than once with different security options.
622 for (i = 0; i < num_opts; i++) {
624 rc = security_context_to_sid(mount_options[i],
625 strlen(mount_options[i]), &sid);
627 printk(KERN_WARNING "SELinux: security_context_to_sid"
628 "(%s) failed for (dev %s, type %s) errno=%d\n",
629 mount_options[i], sb->s_id, name, rc);
636 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
638 goto out_double_mount;
640 sbsec->flags |= FSCONTEXT_MNT;
645 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
647 goto out_double_mount;
649 sbsec->flags |= CONTEXT_MNT;
651 case ROOTCONTEXT_MNT:
652 rootcontext_sid = sid;
654 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
656 goto out_double_mount;
658 sbsec->flags |= ROOTCONTEXT_MNT;
662 defcontext_sid = sid;
664 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
666 goto out_double_mount;
668 sbsec->flags |= DEFCONTEXT_MNT;
677 if (sbsec->initialized) {
678 /* previously mounted with options, but not on this attempt? */
679 if (sbsec->flags && !num_opts)
680 goto out_double_mount;
685 if (strcmp(sb->s_type->name, "proc") == 0)
688 /* Determine the labeling behavior to use for this filesystem type. */
689 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
691 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
692 __FUNCTION__, sb->s_type->name, rc);
696 /* sets the context of the superblock for the fs being mounted. */
699 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
703 sbsec->sid = fscontext_sid;
707 * Switch to using mount point labeling behavior.
708 * sets the label used on all file below the mountpoint, and will set
709 * the superblock context if not already set.
712 if (!fscontext_sid) {
713 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
716 sbsec->sid = context_sid;
718 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
722 if (!rootcontext_sid)
723 rootcontext_sid = context_sid;
725 sbsec->mntpoint_sid = context_sid;
726 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
729 if (rootcontext_sid) {
730 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
734 root_isec->sid = rootcontext_sid;
735 root_isec->initialized = 1;
738 if (defcontext_sid) {
739 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
741 printk(KERN_WARNING "SELinux: defcontext option is "
742 "invalid for this filesystem type\n");
746 if (defcontext_sid != sbsec->def_sid) {
747 rc = may_context_mount_inode_relabel(defcontext_sid,
753 sbsec->def_sid = defcontext_sid;
756 rc = sb_finish_set_opts(sb);
758 mutex_unlock(&sbsec->lock);
762 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
763 "security settings for (dev %s, type %s)\n", sb->s_id, name);
767 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
768 struct super_block *newsb)
770 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
771 struct superblock_security_struct *newsbsec = newsb->s_security;
773 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
774 int set_context = (oldsbsec->flags & CONTEXT_MNT);
775 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
777 /* we can't error, we can't save the info, this shouldn't get called
778 * this early in the boot process. */
779 BUG_ON(!ss_initialized);
781 /* this might go away sometime down the line if there is a new user
782 * of clone, but for now, nfs better not get here... */
783 BUG_ON(newsbsec->initialized);
785 /* how can we clone if the old one wasn't set up?? */
786 BUG_ON(!oldsbsec->initialized);
788 mutex_lock(&newsbsec->lock);
790 newsbsec->flags = oldsbsec->flags;
792 newsbsec->sid = oldsbsec->sid;
793 newsbsec->def_sid = oldsbsec->def_sid;
794 newsbsec->behavior = oldsbsec->behavior;
797 u32 sid = oldsbsec->mntpoint_sid;
801 if (!set_rootcontext) {
802 struct inode *newinode = newsb->s_root->d_inode;
803 struct inode_security_struct *newisec = newinode->i_security;
806 newsbsec->mntpoint_sid = sid;
808 if (set_rootcontext) {
809 const struct inode *oldinode = oldsb->s_root->d_inode;
810 const struct inode_security_struct *oldisec = oldinode->i_security;
811 struct inode *newinode = newsb->s_root->d_inode;
812 struct inode_security_struct *newisec = newinode->i_security;
814 newisec->sid = oldisec->sid;
817 sb_finish_set_opts(newsb);
818 mutex_unlock(&newsbsec->lock);
822 * string mount options parsing and call set the sbsec
824 static int superblock_doinit(struct super_block *sb, void *data)
826 char *context = NULL, *defcontext = NULL;
827 char *fscontext = NULL, *rootcontext = NULL;
829 char *p, *options = data;
830 /* selinux only know about a fixed number of mount options */
831 char *mnt_opts[NUM_SEL_MNT_OPTS];
832 int mnt_opts_flags[NUM_SEL_MNT_OPTS], num_mnt_opts = 0;
837 /* with the nfs patch this will become a goto out; */
838 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
839 const char *name = sb->s_type->name;
840 /* NFS we understand. */
841 if (!strcmp(name, "nfs")) {
842 struct nfs_mount_data *d = data;
844 if (d->version != NFS_MOUNT_VERSION)
848 context = kstrdup(d->context, GFP_KERNEL);
859 /* Standard string-based options. */
860 while ((p = strsep(&options, "|")) != NULL) {
862 substring_t args[MAX_OPT_ARGS];
867 token = match_token(p, tokens, args);
871 if (context || defcontext) {
873 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
876 context = match_strdup(&args[0]);
886 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
889 fscontext = match_strdup(&args[0]);
896 case Opt_rootcontext:
899 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
902 rootcontext = match_strdup(&args[0]);
910 if (context || defcontext) {
912 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
915 defcontext = match_strdup(&args[0]);
924 printk(KERN_WARNING "SELinux: unknown mount option\n");
932 mnt_opts[num_mnt_opts] = fscontext;
933 mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
936 mnt_opts[num_mnt_opts] = context;
937 mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
940 mnt_opts[num_mnt_opts] = rootcontext;
941 mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
944 mnt_opts[num_mnt_opts] = defcontext;
945 mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
949 rc = selinux_set_mnt_opts(sb, mnt_opts, mnt_opts_flags, num_mnt_opts);
958 static inline u16 inode_mode_to_security_class(umode_t mode)
960 switch (mode & S_IFMT) {
962 return SECCLASS_SOCK_FILE;
964 return SECCLASS_LNK_FILE;
966 return SECCLASS_FILE;
968 return SECCLASS_BLK_FILE;
972 return SECCLASS_CHR_FILE;
974 return SECCLASS_FIFO_FILE;
978 return SECCLASS_FILE;
981 static inline int default_protocol_stream(int protocol)
983 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
986 static inline int default_protocol_dgram(int protocol)
988 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
991 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
998 return SECCLASS_UNIX_STREAM_SOCKET;
1000 return SECCLASS_UNIX_DGRAM_SOCKET;
1007 if (default_protocol_stream(protocol))
1008 return SECCLASS_TCP_SOCKET;
1010 return SECCLASS_RAWIP_SOCKET;
1012 if (default_protocol_dgram(protocol))
1013 return SECCLASS_UDP_SOCKET;
1015 return SECCLASS_RAWIP_SOCKET;
1017 return SECCLASS_DCCP_SOCKET;
1019 return SECCLASS_RAWIP_SOCKET;
1025 return SECCLASS_NETLINK_ROUTE_SOCKET;
1026 case NETLINK_FIREWALL:
1027 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1028 case NETLINK_INET_DIAG:
1029 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1031 return SECCLASS_NETLINK_NFLOG_SOCKET;
1033 return SECCLASS_NETLINK_XFRM_SOCKET;
1034 case NETLINK_SELINUX:
1035 return SECCLASS_NETLINK_SELINUX_SOCKET;
1037 return SECCLASS_NETLINK_AUDIT_SOCKET;
1038 case NETLINK_IP6_FW:
1039 return SECCLASS_NETLINK_IP6FW_SOCKET;
1040 case NETLINK_DNRTMSG:
1041 return SECCLASS_NETLINK_DNRT_SOCKET;
1042 case NETLINK_KOBJECT_UEVENT:
1043 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1045 return SECCLASS_NETLINK_SOCKET;
1048 return SECCLASS_PACKET_SOCKET;
1050 return SECCLASS_KEY_SOCKET;
1052 return SECCLASS_APPLETALK_SOCKET;
1055 return SECCLASS_SOCKET;
1058 #ifdef CONFIG_PROC_FS
1059 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1064 char *buffer, *path, *end;
1066 buffer = (char*)__get_free_page(GFP_KERNEL);
1071 end = buffer+buflen;
1076 while (de && de != de->parent) {
1077 buflen -= de->namelen + 1;
1081 memcpy(end, de->name, de->namelen);
1086 rc = security_genfs_sid("proc", path, tclass, sid);
1087 free_page((unsigned long)buffer);
1091 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1099 /* The inode's security attributes must be initialized before first use. */
1100 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1102 struct superblock_security_struct *sbsec = NULL;
1103 struct inode_security_struct *isec = inode->i_security;
1105 struct dentry *dentry;
1106 #define INITCONTEXTLEN 255
1107 char *context = NULL;
1111 if (isec->initialized)
1114 mutex_lock(&isec->lock);
1115 if (isec->initialized)
1118 sbsec = inode->i_sb->s_security;
1119 if (!sbsec->initialized) {
1120 /* Defer initialization until selinux_complete_init,
1121 after the initial policy is loaded and the security
1122 server is ready to handle calls. */
1123 spin_lock(&sbsec->isec_lock);
1124 if (list_empty(&isec->list))
1125 list_add(&isec->list, &sbsec->isec_head);
1126 spin_unlock(&sbsec->isec_lock);
1130 switch (sbsec->behavior) {
1131 case SECURITY_FS_USE_XATTR:
1132 if (!inode->i_op->getxattr) {
1133 isec->sid = sbsec->def_sid;
1137 /* Need a dentry, since the xattr API requires one.
1138 Life would be simpler if we could just pass the inode. */
1140 /* Called from d_instantiate or d_splice_alias. */
1141 dentry = dget(opt_dentry);
1143 /* Called from selinux_complete_init, try to find a dentry. */
1144 dentry = d_find_alias(inode);
1147 printk(KERN_WARNING "%s: no dentry for dev=%s "
1148 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1153 len = INITCONTEXTLEN;
1154 context = kmalloc(len, GFP_KERNEL);
1160 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1162 if (rc == -ERANGE) {
1163 /* Need a larger buffer. Query for the right size. */
1164 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1172 context = kmalloc(len, GFP_KERNEL);
1178 rc = inode->i_op->getxattr(dentry,
1184 if (rc != -ENODATA) {
1185 printk(KERN_WARNING "%s: getxattr returned "
1186 "%d for dev=%s ino=%ld\n", __FUNCTION__,
1187 -rc, inode->i_sb->s_id, inode->i_ino);
1191 /* Map ENODATA to the default file SID */
1192 sid = sbsec->def_sid;
1195 rc = security_context_to_sid_default(context, rc, &sid,
1198 printk(KERN_WARNING "%s: context_to_sid(%s) "
1199 "returned %d for dev=%s ino=%ld\n",
1200 __FUNCTION__, context, -rc,
1201 inode->i_sb->s_id, inode->i_ino);
1203 /* Leave with the unlabeled SID */
1211 case SECURITY_FS_USE_TASK:
1212 isec->sid = isec->task_sid;
1214 case SECURITY_FS_USE_TRANS:
1215 /* Default to the fs SID. */
1216 isec->sid = sbsec->sid;
1218 /* Try to obtain a transition SID. */
1219 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1220 rc = security_transition_sid(isec->task_sid,
1228 case SECURITY_FS_USE_MNTPOINT:
1229 isec->sid = sbsec->mntpoint_sid;
1232 /* Default to the fs superblock SID. */
1233 isec->sid = sbsec->sid;
1236 struct proc_inode *proci = PROC_I(inode);
1238 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1239 rc = selinux_proc_get_sid(proci->pde,
1250 isec->initialized = 1;
1253 mutex_unlock(&isec->lock);
1255 if (isec->sclass == SECCLASS_FILE)
1256 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1260 /* Convert a Linux signal to an access vector. */
1261 static inline u32 signal_to_av(int sig)
1267 /* Commonly granted from child to parent. */
1268 perm = PROCESS__SIGCHLD;
1271 /* Cannot be caught or ignored */
1272 perm = PROCESS__SIGKILL;
1275 /* Cannot be caught or ignored */
1276 perm = PROCESS__SIGSTOP;
1279 /* All other signals. */
1280 perm = PROCESS__SIGNAL;
1287 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1288 fork check, ptrace check, etc. */
1289 static int task_has_perm(struct task_struct *tsk1,
1290 struct task_struct *tsk2,
1293 struct task_security_struct *tsec1, *tsec2;
1295 tsec1 = tsk1->security;
1296 tsec2 = tsk2->security;
1297 return avc_has_perm(tsec1->sid, tsec2->sid,
1298 SECCLASS_PROCESS, perms, NULL);
1301 /* Check whether a task is allowed to use a capability. */
1302 static int task_has_capability(struct task_struct *tsk,
1305 struct task_security_struct *tsec;
1306 struct avc_audit_data ad;
1308 tsec = tsk->security;
1310 AVC_AUDIT_DATA_INIT(&ad,CAP);
1314 return avc_has_perm(tsec->sid, tsec->sid,
1315 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1318 /* Check whether a task is allowed to use a system operation. */
1319 static int task_has_system(struct task_struct *tsk,
1322 struct task_security_struct *tsec;
1324 tsec = tsk->security;
1326 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1327 SECCLASS_SYSTEM, perms, NULL);
1330 /* Check whether a task has a particular permission to an inode.
1331 The 'adp' parameter is optional and allows other audit
1332 data to be passed (e.g. the dentry). */
1333 static int inode_has_perm(struct task_struct *tsk,
1334 struct inode *inode,
1336 struct avc_audit_data *adp)
1338 struct task_security_struct *tsec;
1339 struct inode_security_struct *isec;
1340 struct avc_audit_data ad;
1342 if (unlikely (IS_PRIVATE (inode)))
1345 tsec = tsk->security;
1346 isec = inode->i_security;
1350 AVC_AUDIT_DATA_INIT(&ad, FS);
1351 ad.u.fs.inode = inode;
1354 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1357 /* Same as inode_has_perm, but pass explicit audit data containing
1358 the dentry to help the auditing code to more easily generate the
1359 pathname if needed. */
1360 static inline int dentry_has_perm(struct task_struct *tsk,
1361 struct vfsmount *mnt,
1362 struct dentry *dentry,
1365 struct inode *inode = dentry->d_inode;
1366 struct avc_audit_data ad;
1367 AVC_AUDIT_DATA_INIT(&ad,FS);
1369 ad.u.fs.dentry = dentry;
1370 return inode_has_perm(tsk, inode, av, &ad);
1373 /* Check whether a task can use an open file descriptor to
1374 access an inode in a given way. Check access to the
1375 descriptor itself, and then use dentry_has_perm to
1376 check a particular permission to the file.
1377 Access to the descriptor is implicitly granted if it
1378 has the same SID as the process. If av is zero, then
1379 access to the file is not checked, e.g. for cases
1380 where only the descriptor is affected like seek. */
1381 static int file_has_perm(struct task_struct *tsk,
1385 struct task_security_struct *tsec = tsk->security;
1386 struct file_security_struct *fsec = file->f_security;
1387 struct vfsmount *mnt = file->f_path.mnt;
1388 struct dentry *dentry = file->f_path.dentry;
1389 struct inode *inode = dentry->d_inode;
1390 struct avc_audit_data ad;
1393 AVC_AUDIT_DATA_INIT(&ad, FS);
1395 ad.u.fs.dentry = dentry;
1397 if (tsec->sid != fsec->sid) {
1398 rc = avc_has_perm(tsec->sid, fsec->sid,
1406 /* av is zero if only checking access to the descriptor. */
1408 return inode_has_perm(tsk, inode, av, &ad);
1413 /* Check whether a task can create a file. */
1414 static int may_create(struct inode *dir,
1415 struct dentry *dentry,
1418 struct task_security_struct *tsec;
1419 struct inode_security_struct *dsec;
1420 struct superblock_security_struct *sbsec;
1422 struct avc_audit_data ad;
1425 tsec = current->security;
1426 dsec = dir->i_security;
1427 sbsec = dir->i_sb->s_security;
1429 AVC_AUDIT_DATA_INIT(&ad, FS);
1430 ad.u.fs.dentry = dentry;
1432 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1433 DIR__ADD_NAME | DIR__SEARCH,
1438 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1439 newsid = tsec->create_sid;
1441 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1447 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1451 return avc_has_perm(newsid, sbsec->sid,
1452 SECCLASS_FILESYSTEM,
1453 FILESYSTEM__ASSOCIATE, &ad);
1456 /* Check whether a task can create a key. */
1457 static int may_create_key(u32 ksid,
1458 struct task_struct *ctx)
1460 struct task_security_struct *tsec;
1462 tsec = ctx->security;
1464 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1468 #define MAY_UNLINK 1
1471 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1472 static int may_link(struct inode *dir,
1473 struct dentry *dentry,
1477 struct task_security_struct *tsec;
1478 struct inode_security_struct *dsec, *isec;
1479 struct avc_audit_data ad;
1483 tsec = current->security;
1484 dsec = dir->i_security;
1485 isec = dentry->d_inode->i_security;
1487 AVC_AUDIT_DATA_INIT(&ad, FS);
1488 ad.u.fs.dentry = dentry;
1491 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1492 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1507 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1511 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1515 static inline int may_rename(struct inode *old_dir,
1516 struct dentry *old_dentry,
1517 struct inode *new_dir,
1518 struct dentry *new_dentry)
1520 struct task_security_struct *tsec;
1521 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1522 struct avc_audit_data ad;
1524 int old_is_dir, new_is_dir;
1527 tsec = current->security;
1528 old_dsec = old_dir->i_security;
1529 old_isec = old_dentry->d_inode->i_security;
1530 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1531 new_dsec = new_dir->i_security;
1533 AVC_AUDIT_DATA_INIT(&ad, FS);
1535 ad.u.fs.dentry = old_dentry;
1536 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1537 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1540 rc = avc_has_perm(tsec->sid, old_isec->sid,
1541 old_isec->sclass, FILE__RENAME, &ad);
1544 if (old_is_dir && new_dir != old_dir) {
1545 rc = avc_has_perm(tsec->sid, old_isec->sid,
1546 old_isec->sclass, DIR__REPARENT, &ad);
1551 ad.u.fs.dentry = new_dentry;
1552 av = DIR__ADD_NAME | DIR__SEARCH;
1553 if (new_dentry->d_inode)
1554 av |= DIR__REMOVE_NAME;
1555 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1558 if (new_dentry->d_inode) {
1559 new_isec = new_dentry->d_inode->i_security;
1560 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1561 rc = avc_has_perm(tsec->sid, new_isec->sid,
1563 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1571 /* Check whether a task can perform a filesystem operation. */
1572 static int superblock_has_perm(struct task_struct *tsk,
1573 struct super_block *sb,
1575 struct avc_audit_data *ad)
1577 struct task_security_struct *tsec;
1578 struct superblock_security_struct *sbsec;
1580 tsec = tsk->security;
1581 sbsec = sb->s_security;
1582 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1586 /* Convert a Linux mode and permission mask to an access vector. */
1587 static inline u32 file_mask_to_av(int mode, int mask)
1591 if ((mode & S_IFMT) != S_IFDIR) {
1592 if (mask & MAY_EXEC)
1593 av |= FILE__EXECUTE;
1594 if (mask & MAY_READ)
1597 if (mask & MAY_APPEND)
1599 else if (mask & MAY_WRITE)
1603 if (mask & MAY_EXEC)
1605 if (mask & MAY_WRITE)
1607 if (mask & MAY_READ)
1614 /* Convert a Linux file to an access vector. */
1615 static inline u32 file_to_av(struct file *file)
1619 if (file->f_mode & FMODE_READ)
1621 if (file->f_mode & FMODE_WRITE) {
1622 if (file->f_flags & O_APPEND)
1631 /* Hook functions begin here. */
1633 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1635 struct task_security_struct *psec = parent->security;
1636 struct task_security_struct *csec = child->security;
1639 rc = secondary_ops->ptrace(parent,child);
1643 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1644 /* Save the SID of the tracing process for later use in apply_creds. */
1645 if (!(child->ptrace & PT_PTRACED) && !rc)
1646 csec->ptrace_sid = psec->sid;
1650 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1651 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1655 error = task_has_perm(current, target, PROCESS__GETCAP);
1659 return secondary_ops->capget(target, effective, inheritable, permitted);
1662 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1663 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1667 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1671 return task_has_perm(current, target, PROCESS__SETCAP);
1674 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1675 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1677 secondary_ops->capset_set(target, effective, inheritable, permitted);
1680 static int selinux_capable(struct task_struct *tsk, int cap)
1684 rc = secondary_ops->capable(tsk, cap);
1688 return task_has_capability(tsk,cap);
1691 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1694 char *buffer, *path, *end;
1697 buffer = (char*)__get_free_page(GFP_KERNEL);
1702 end = buffer+buflen;
1708 const char *name = table->procname;
1709 size_t namelen = strlen(name);
1710 buflen -= namelen + 1;
1714 memcpy(end, name, namelen);
1717 table = table->parent;
1723 memcpy(end, "/sys", 4);
1725 rc = security_genfs_sid("proc", path, tclass, sid);
1727 free_page((unsigned long)buffer);
1732 static int selinux_sysctl(ctl_table *table, int op)
1736 struct task_security_struct *tsec;
1740 rc = secondary_ops->sysctl(table, op);
1744 tsec = current->security;
1746 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1747 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1749 /* Default to the well-defined sysctl SID. */
1750 tsid = SECINITSID_SYSCTL;
1753 /* The op values are "defined" in sysctl.c, thereby creating
1754 * a bad coupling between this module and sysctl.c */
1756 error = avc_has_perm(tsec->sid, tsid,
1757 SECCLASS_DIR, DIR__SEARCH, NULL);
1765 error = avc_has_perm(tsec->sid, tsid,
1766 SECCLASS_FILE, av, NULL);
1772 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1785 rc = superblock_has_perm(current,
1787 FILESYSTEM__QUOTAMOD, NULL);
1792 rc = superblock_has_perm(current,
1794 FILESYSTEM__QUOTAGET, NULL);
1797 rc = 0; /* let the kernel handle invalid cmds */
1803 static int selinux_quota_on(struct dentry *dentry)
1805 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1808 static int selinux_syslog(int type)
1812 rc = secondary_ops->syslog(type);
1817 case 3: /* Read last kernel messages */
1818 case 10: /* Return size of the log buffer */
1819 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1821 case 6: /* Disable logging to console */
1822 case 7: /* Enable logging to console */
1823 case 8: /* Set level of messages printed to console */
1824 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1826 case 0: /* Close log */
1827 case 1: /* Open log */
1828 case 2: /* Read from log */
1829 case 4: /* Read/clear last kernel messages */
1830 case 5: /* Clear ring buffer */
1832 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1839 * Check that a process has enough memory to allocate a new virtual
1840 * mapping. 0 means there is enough memory for the allocation to
1841 * succeed and -ENOMEM implies there is not.
1843 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1844 * if the capability is granted, but __vm_enough_memory requires 1 if
1845 * the capability is granted.
1847 * Do not audit the selinux permission check, as this is applied to all
1848 * processes that allocate mappings.
1850 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1852 int rc, cap_sys_admin = 0;
1853 struct task_security_struct *tsec = current->security;
1855 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1857 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1858 SECCLASS_CAPABILITY,
1859 CAP_TO_MASK(CAP_SYS_ADMIN),
1866 return __vm_enough_memory(mm, pages, cap_sys_admin);
1869 /* binprm security operations */
1871 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1873 struct bprm_security_struct *bsec;
1875 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1880 bsec->sid = SECINITSID_UNLABELED;
1883 bprm->security = bsec;
1887 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1889 struct task_security_struct *tsec;
1890 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1891 struct inode_security_struct *isec;
1892 struct bprm_security_struct *bsec;
1894 struct avc_audit_data ad;
1897 rc = secondary_ops->bprm_set_security(bprm);
1901 bsec = bprm->security;
1906 tsec = current->security;
1907 isec = inode->i_security;
1909 /* Default to the current task SID. */
1910 bsec->sid = tsec->sid;
1912 /* Reset fs, key, and sock SIDs on execve. */
1913 tsec->create_sid = 0;
1914 tsec->keycreate_sid = 0;
1915 tsec->sockcreate_sid = 0;
1917 if (tsec->exec_sid) {
1918 newsid = tsec->exec_sid;
1919 /* Reset exec SID on execve. */
1922 /* Check for a default transition on this program. */
1923 rc = security_transition_sid(tsec->sid, isec->sid,
1924 SECCLASS_PROCESS, &newsid);
1929 AVC_AUDIT_DATA_INIT(&ad, FS);
1930 ad.u.fs.mnt = bprm->file->f_path.mnt;
1931 ad.u.fs.dentry = bprm->file->f_path.dentry;
1933 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1936 if (tsec->sid == newsid) {
1937 rc = avc_has_perm(tsec->sid, isec->sid,
1938 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1942 /* Check permissions for the transition. */
1943 rc = avc_has_perm(tsec->sid, newsid,
1944 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1948 rc = avc_has_perm(newsid, isec->sid,
1949 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1953 /* Clear any possibly unsafe personality bits on exec: */
1954 current->personality &= ~PER_CLEAR_ON_SETID;
1956 /* Set the security field to the new SID. */
1964 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1966 return secondary_ops->bprm_check_security(bprm);
1970 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1972 struct task_security_struct *tsec = current->security;
1975 if (tsec->osid != tsec->sid) {
1976 /* Enable secure mode for SIDs transitions unless
1977 the noatsecure permission is granted between
1978 the two SIDs, i.e. ahp returns 0. */
1979 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1981 PROCESS__NOATSECURE, NULL);
1984 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1987 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1989 kfree(bprm->security);
1990 bprm->security = NULL;
1993 extern struct vfsmount *selinuxfs_mount;
1994 extern struct dentry *selinux_null;
1996 /* Derived from fs/exec.c:flush_old_files. */
1997 static inline void flush_unauthorized_files(struct files_struct * files)
1999 struct avc_audit_data ad;
2000 struct file *file, *devnull = NULL;
2001 struct tty_struct *tty;
2002 struct fdtable *fdt;
2006 mutex_lock(&tty_mutex);
2007 tty = get_current_tty();
2010 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2012 /* Revalidate access to controlling tty.
2013 Use inode_has_perm on the tty inode directly rather
2014 than using file_has_perm, as this particular open
2015 file may belong to another process and we are only
2016 interested in the inode-based check here. */
2017 struct inode *inode = file->f_path.dentry->d_inode;
2018 if (inode_has_perm(current, inode,
2019 FILE__READ | FILE__WRITE, NULL)) {
2025 mutex_unlock(&tty_mutex);
2026 /* Reset controlling tty. */
2030 /* Revalidate access to inherited open files. */
2032 AVC_AUDIT_DATA_INIT(&ad,FS);
2034 spin_lock(&files->file_lock);
2036 unsigned long set, i;
2041 fdt = files_fdtable(files);
2042 if (i >= fdt->max_fds)
2044 set = fdt->open_fds->fds_bits[j];
2047 spin_unlock(&files->file_lock);
2048 for ( ; set ; i++,set >>= 1) {
2053 if (file_has_perm(current,
2055 file_to_av(file))) {
2057 fd = get_unused_fd();
2067 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2068 if (IS_ERR(devnull)) {
2075 fd_install(fd, devnull);
2080 spin_lock(&files->file_lock);
2083 spin_unlock(&files->file_lock);
2086 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2088 struct task_security_struct *tsec;
2089 struct bprm_security_struct *bsec;
2093 secondary_ops->bprm_apply_creds(bprm, unsafe);
2095 tsec = current->security;
2097 bsec = bprm->security;
2100 tsec->osid = tsec->sid;
2102 if (tsec->sid != sid) {
2103 /* Check for shared state. If not ok, leave SID
2104 unchanged and kill. */
2105 if (unsafe & LSM_UNSAFE_SHARE) {
2106 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2107 PROCESS__SHARE, NULL);
2114 /* Check for ptracing, and update the task SID if ok.
2115 Otherwise, leave SID unchanged and kill. */
2116 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2117 rc = avc_has_perm(tsec->ptrace_sid, sid,
2118 SECCLASS_PROCESS, PROCESS__PTRACE,
2130 * called after apply_creds without the task lock held
2132 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2134 struct task_security_struct *tsec;
2135 struct rlimit *rlim, *initrlim;
2136 struct itimerval itimer;
2137 struct bprm_security_struct *bsec;
2140 tsec = current->security;
2141 bsec = bprm->security;
2144 force_sig_specific(SIGKILL, current);
2147 if (tsec->osid == tsec->sid)
2150 /* Close files for which the new task SID is not authorized. */
2151 flush_unauthorized_files(current->files);
2153 /* Check whether the new SID can inherit signal state
2154 from the old SID. If not, clear itimers to avoid
2155 subsequent signal generation and flush and unblock
2156 signals. This must occur _after_ the task SID has
2157 been updated so that any kill done after the flush
2158 will be checked against the new SID. */
2159 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2160 PROCESS__SIGINH, NULL);
2162 memset(&itimer, 0, sizeof itimer);
2163 for (i = 0; i < 3; i++)
2164 do_setitimer(i, &itimer, NULL);
2165 flush_signals(current);
2166 spin_lock_irq(¤t->sighand->siglock);
2167 flush_signal_handlers(current, 1);
2168 sigemptyset(¤t->blocked);
2169 recalc_sigpending();
2170 spin_unlock_irq(¤t->sighand->siglock);
2173 /* Always clear parent death signal on SID transitions. */
2174 current->pdeath_signal = 0;
2176 /* Check whether the new SID can inherit resource limits
2177 from the old SID. If not, reset all soft limits to
2178 the lower of the current task's hard limit and the init
2179 task's soft limit. Note that the setting of hard limits
2180 (even to lower them) can be controlled by the setrlimit
2181 check. The inclusion of the init task's soft limit into
2182 the computation is to avoid resetting soft limits higher
2183 than the default soft limit for cases where the default
2184 is lower than the hard limit, e.g. RLIMIT_CORE or
2186 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2187 PROCESS__RLIMITINH, NULL);
2189 for (i = 0; i < RLIM_NLIMITS; i++) {
2190 rlim = current->signal->rlim + i;
2191 initrlim = init_task.signal->rlim+i;
2192 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2194 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2196 * This will cause RLIMIT_CPU calculations
2199 current->it_prof_expires = jiffies_to_cputime(1);
2203 /* Wake up the parent if it is waiting so that it can
2204 recheck wait permission to the new task SID. */
2205 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
2208 /* superblock security operations */
2210 static int selinux_sb_alloc_security(struct super_block *sb)
2212 return superblock_alloc_security(sb);
2215 static void selinux_sb_free_security(struct super_block *sb)
2217 superblock_free_security(sb);
2220 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2225 return !memcmp(prefix, option, plen);
2228 static inline int selinux_option(char *option, int len)
2230 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2231 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
2232 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2233 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
2236 static inline void take_option(char **to, char *from, int *first, int len)
2243 memcpy(*to, from, len);
2247 static inline void take_selinux_option(char **to, char *from, int *first,
2250 int current_size = 0;
2259 while (current_size < len) {
2269 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
2271 int fnosec, fsec, rc = 0;
2272 char *in_save, *in_curr, *in_end;
2273 char *sec_curr, *nosec_save, *nosec;
2279 /* Binary mount data: just copy */
2280 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2281 copy_page(sec_curr, in_curr);
2285 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2293 in_save = in_end = orig;
2297 open_quote = !open_quote;
2298 if ((*in_end == ',' && open_quote == 0) ||
2300 int len = in_end - in_curr;
2302 if (selinux_option(in_curr, len))
2303 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2305 take_option(&nosec, in_curr, &fnosec, len);
2307 in_curr = in_end + 1;
2309 } while (*in_end++);
2311 strcpy(in_save, nosec_save);
2312 free_page((unsigned long)nosec_save);
2317 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2319 struct avc_audit_data ad;
2322 rc = superblock_doinit(sb, data);
2326 AVC_AUDIT_DATA_INIT(&ad,FS);
2327 ad.u.fs.dentry = sb->s_root;
2328 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2331 static int selinux_sb_statfs(struct dentry *dentry)
2333 struct avc_audit_data ad;
2335 AVC_AUDIT_DATA_INIT(&ad,FS);
2336 ad.u.fs.dentry = dentry->d_sb->s_root;
2337 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2340 static int selinux_mount(char * dev_name,
2341 struct nameidata *nd,
2343 unsigned long flags,
2348 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2352 if (flags & MS_REMOUNT)
2353 return superblock_has_perm(current, nd->mnt->mnt_sb,
2354 FILESYSTEM__REMOUNT, NULL);
2356 return dentry_has_perm(current, nd->mnt, nd->dentry,
2360 static int selinux_umount(struct vfsmount *mnt, int flags)
2364 rc = secondary_ops->sb_umount(mnt, flags);
2368 return superblock_has_perm(current,mnt->mnt_sb,
2369 FILESYSTEM__UNMOUNT,NULL);
2372 /* inode security operations */
2374 static int selinux_inode_alloc_security(struct inode *inode)
2376 return inode_alloc_security(inode);
2379 static void selinux_inode_free_security(struct inode *inode)
2381 inode_free_security(inode);
2384 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2385 char **name, void **value,
2388 struct task_security_struct *tsec;
2389 struct inode_security_struct *dsec;
2390 struct superblock_security_struct *sbsec;
2393 char *namep = NULL, *context;
2395 tsec = current->security;
2396 dsec = dir->i_security;
2397 sbsec = dir->i_sb->s_security;
2399 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2400 newsid = tsec->create_sid;
2402 rc = security_transition_sid(tsec->sid, dsec->sid,
2403 inode_mode_to_security_class(inode->i_mode),
2406 printk(KERN_WARNING "%s: "
2407 "security_transition_sid failed, rc=%d (dev=%s "
2410 -rc, inode->i_sb->s_id, inode->i_ino);
2415 /* Possibly defer initialization to selinux_complete_init. */
2416 if (sbsec->initialized) {
2417 struct inode_security_struct *isec = inode->i_security;
2418 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2420 isec->initialized = 1;
2423 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2427 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2434 rc = security_sid_to_context(newsid, &context, &clen);
2446 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2448 return may_create(dir, dentry, SECCLASS_FILE);
2451 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2455 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2458 return may_link(dir, old_dentry, MAY_LINK);
2461 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2465 rc = secondary_ops->inode_unlink(dir, dentry);
2468 return may_link(dir, dentry, MAY_UNLINK);
2471 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2473 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2476 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2478 return may_create(dir, dentry, SECCLASS_DIR);
2481 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2483 return may_link(dir, dentry, MAY_RMDIR);
2486 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2490 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2494 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2497 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2498 struct inode *new_inode, struct dentry *new_dentry)
2500 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2503 static int selinux_inode_readlink(struct dentry *dentry)
2505 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2508 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2512 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2515 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2518 static int selinux_inode_permission(struct inode *inode, int mask,
2519 struct nameidata *nd)
2523 rc = secondary_ops->inode_permission(inode, mask, nd);
2528 /* No permission to check. Existence test. */
2532 return inode_has_perm(current, inode,
2533 file_mask_to_av(inode->i_mode, mask), NULL);
2536 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2540 rc = secondary_ops->inode_setattr(dentry, iattr);
2544 if (iattr->ia_valid & ATTR_FORCE)
2547 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2548 ATTR_ATIME_SET | ATTR_MTIME_SET))
2549 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2551 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2554 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2556 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2559 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2561 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2562 sizeof XATTR_SECURITY_PREFIX - 1)) {
2563 if (!strcmp(name, XATTR_NAME_CAPS)) {
2564 if (!capable(CAP_SETFCAP))
2566 } else if (!capable(CAP_SYS_ADMIN)) {
2567 /* A different attribute in the security namespace.
2568 Restrict to administrator. */
2573 /* Not an attribute we recognize, so just check the
2574 ordinary setattr permission. */
2575 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2578 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2580 struct task_security_struct *tsec = current->security;
2581 struct inode *inode = dentry->d_inode;
2582 struct inode_security_struct *isec = inode->i_security;
2583 struct superblock_security_struct *sbsec;
2584 struct avc_audit_data ad;
2588 if (strcmp(name, XATTR_NAME_SELINUX))
2589 return selinux_inode_setotherxattr(dentry, name);
2591 sbsec = inode->i_sb->s_security;
2592 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2595 if (!is_owner_or_cap(inode))
2598 AVC_AUDIT_DATA_INIT(&ad,FS);
2599 ad.u.fs.dentry = dentry;
2601 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2602 FILE__RELABELFROM, &ad);
2606 rc = security_context_to_sid(value, size, &newsid);
2610 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2611 FILE__RELABELTO, &ad);
2615 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2620 return avc_has_perm(newsid,
2622 SECCLASS_FILESYSTEM,
2623 FILESYSTEM__ASSOCIATE,
2627 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2628 void *value, size_t size, int flags)
2630 struct inode *inode = dentry->d_inode;
2631 struct inode_security_struct *isec = inode->i_security;
2635 if (strcmp(name, XATTR_NAME_SELINUX)) {
2636 /* Not an attribute we recognize, so nothing to do. */
2640 rc = security_context_to_sid(value, size, &newsid);
2642 printk(KERN_WARNING "%s: unable to obtain SID for context "
2643 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2651 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2653 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2656 static int selinux_inode_listxattr (struct dentry *dentry)
2658 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2661 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2663 if (strcmp(name, XATTR_NAME_SELINUX))
2664 return selinux_inode_setotherxattr(dentry, name);
2666 /* No one is allowed to remove a SELinux security label.
2667 You can change the label, but all data must be labeled. */
2672 * Copy the in-core inode security context value to the user. If the
2673 * getxattr() prior to this succeeded, check to see if we need to
2674 * canonicalize the value to be finally returned to the user.
2676 * Permission check is handled by selinux_inode_getxattr hook.
2678 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2680 struct inode_security_struct *isec = inode->i_security;
2682 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2685 return selinux_getsecurity(isec->sid, buffer, size);
2688 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2689 const void *value, size_t size, int flags)
2691 struct inode_security_struct *isec = inode->i_security;
2695 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2698 if (!value || !size)
2701 rc = security_context_to_sid((void*)value, size, &newsid);
2709 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2711 const int len = sizeof(XATTR_NAME_SELINUX);
2712 if (buffer && len <= buffer_size)
2713 memcpy(buffer, XATTR_NAME_SELINUX, len);
2717 static int selinux_inode_need_killpriv(struct dentry *dentry)
2719 return secondary_ops->inode_need_killpriv(dentry);
2722 static int selinux_inode_killpriv(struct dentry *dentry)
2724 return secondary_ops->inode_killpriv(dentry);
2727 /* file security operations */
2729 static int selinux_revalidate_file_permission(struct file *file, int mask)
2732 struct inode *inode = file->f_path.dentry->d_inode;
2735 /* No permission to check. Existence test. */
2739 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2740 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2743 rc = file_has_perm(current, file,
2744 file_mask_to_av(inode->i_mode, mask));
2748 return selinux_netlbl_inode_permission(inode, mask);
2751 static int selinux_file_permission(struct file *file, int mask)
2753 struct inode *inode = file->f_path.dentry->d_inode;
2754 struct task_security_struct *tsec = current->security;
2755 struct file_security_struct *fsec = file->f_security;
2756 struct inode_security_struct *isec = inode->i_security;
2759 /* No permission to check. Existence test. */
2763 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2764 && fsec->pseqno == avc_policy_seqno())
2765 return selinux_netlbl_inode_permission(inode, mask);
2767 return selinux_revalidate_file_permission(file, mask);
2770 static int selinux_file_alloc_security(struct file *file)
2772 return file_alloc_security(file);
2775 static void selinux_file_free_security(struct file *file)
2777 file_free_security(file);
2780 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2792 case EXT2_IOC_GETFLAGS:
2794 case EXT2_IOC_GETVERSION:
2795 error = file_has_perm(current, file, FILE__GETATTR);
2798 case EXT2_IOC_SETFLAGS:
2800 case EXT2_IOC_SETVERSION:
2801 error = file_has_perm(current, file, FILE__SETATTR);
2804 /* sys_ioctl() checks */
2808 error = file_has_perm(current, file, 0);
2813 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2816 /* default case assumes that the command will go
2817 * to the file's ioctl() function.
2820 error = file_has_perm(current, file, FILE__IOCTL);
2826 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2828 #ifndef CONFIG_PPC32
2829 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2831 * We are making executable an anonymous mapping or a
2832 * private file mapping that will also be writable.
2833 * This has an additional check.
2835 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2842 /* read access is always possible with a mapping */
2843 u32 av = FILE__READ;
2845 /* write access only matters if the mapping is shared */
2846 if (shared && (prot & PROT_WRITE))
2849 if (prot & PROT_EXEC)
2850 av |= FILE__EXECUTE;
2852 return file_has_perm(current, file, av);
2857 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2858 unsigned long prot, unsigned long flags,
2859 unsigned long addr, unsigned long addr_only)
2862 u32 sid = ((struct task_security_struct*)(current->security))->sid;
2864 if (addr < mmap_min_addr)
2865 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2866 MEMPROTECT__MMAP_ZERO, NULL);
2867 if (rc || addr_only)
2870 if (selinux_checkreqprot)
2873 return file_map_prot_check(file, prot,
2874 (flags & MAP_TYPE) == MAP_SHARED);
2877 static int selinux_file_mprotect(struct vm_area_struct *vma,
2878 unsigned long reqprot,
2883 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2887 if (selinux_checkreqprot)
2890 #ifndef CONFIG_PPC32
2891 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2893 if (vma->vm_start >= vma->vm_mm->start_brk &&
2894 vma->vm_end <= vma->vm_mm->brk) {
2895 rc = task_has_perm(current, current,
2897 } else if (!vma->vm_file &&
2898 vma->vm_start <= vma->vm_mm->start_stack &&
2899 vma->vm_end >= vma->vm_mm->start_stack) {
2900 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2901 } else if (vma->vm_file && vma->anon_vma) {
2903 * We are making executable a file mapping that has
2904 * had some COW done. Since pages might have been
2905 * written, check ability to execute the possibly
2906 * modified content. This typically should only
2907 * occur for text relocations.
2909 rc = file_has_perm(current, vma->vm_file,
2917 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2920 static int selinux_file_lock(struct file *file, unsigned int cmd)
2922 return file_has_perm(current, file, FILE__LOCK);
2925 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2932 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2937 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2938 err = file_has_perm(current, file,FILE__WRITE);
2947 /* Just check FD__USE permission */
2948 err = file_has_perm(current, file, 0);
2953 #if BITS_PER_LONG == 32
2958 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2962 err = file_has_perm(current, file, FILE__LOCK);
2969 static int selinux_file_set_fowner(struct file *file)
2971 struct task_security_struct *tsec;
2972 struct file_security_struct *fsec;
2974 tsec = current->security;
2975 fsec = file->f_security;
2976 fsec->fown_sid = tsec->sid;
2981 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2982 struct fown_struct *fown, int signum)
2986 struct task_security_struct *tsec;
2987 struct file_security_struct *fsec;
2989 /* struct fown_struct is never outside the context of a struct file */
2990 file = container_of(fown, struct file, f_owner);
2992 tsec = tsk->security;
2993 fsec = file->f_security;
2996 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2998 perm = signal_to_av(signum);
3000 return avc_has_perm(fsec->fown_sid, tsec->sid,
3001 SECCLASS_PROCESS, perm, NULL);
3004 static int selinux_file_receive(struct file *file)
3006 return file_has_perm(current, file, file_to_av(file));
3009 static int selinux_dentry_open(struct file *file)
3011 struct file_security_struct *fsec;
3012 struct inode *inode;
3013 struct inode_security_struct *isec;
3014 inode = file->f_path.dentry->d_inode;
3015 fsec = file->f_security;
3016 isec = inode->i_security;
3018 * Save inode label and policy sequence number
3019 * at open-time so that selinux_file_permission
3020 * can determine whether revalidation is necessary.
3021 * Task label is already saved in the file security
3022 * struct as its SID.
3024 fsec->isid = isec->sid;
3025 fsec->pseqno = avc_policy_seqno();
3027 * Since the inode label or policy seqno may have changed
3028 * between the selinux_inode_permission check and the saving
3029 * of state above, recheck that access is still permitted.
3030 * Otherwise, access might never be revalidated against the
3031 * new inode label or new policy.
3032 * This check is not redundant - do not remove.
3034 return inode_has_perm(current, inode, file_to_av(file), NULL);
3037 /* task security operations */
3039 static int selinux_task_create(unsigned long clone_flags)
3043 rc = secondary_ops->task_create(clone_flags);
3047 return task_has_perm(current, current, PROCESS__FORK);
3050 static int selinux_task_alloc_security(struct task_struct *tsk)
3052 struct task_security_struct *tsec1, *tsec2;
3055 tsec1 = current->security;
3057 rc = task_alloc_security(tsk);
3060 tsec2 = tsk->security;
3062 tsec2->osid = tsec1->osid;
3063 tsec2->sid = tsec1->sid;
3065 /* Retain the exec, fs, key, and sock SIDs across fork */
3066 tsec2->exec_sid = tsec1->exec_sid;
3067 tsec2->create_sid = tsec1->create_sid;
3068 tsec2->keycreate_sid = tsec1->keycreate_sid;
3069 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3071 /* Retain ptracer SID across fork, if any.
3072 This will be reset by the ptrace hook upon any
3073 subsequent ptrace_attach operations. */
3074 tsec2->ptrace_sid = tsec1->ptrace_sid;
3079 static void selinux_task_free_security(struct task_struct *tsk)
3081 task_free_security(tsk);
3084 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3086 /* Since setuid only affects the current process, and
3087 since the SELinux controls are not based on the Linux
3088 identity attributes, SELinux does not need to control
3089 this operation. However, SELinux does control the use
3090 of the CAP_SETUID and CAP_SETGID capabilities using the
3095 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3097 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3100 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3102 /* See the comment for setuid above. */
3106 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3108 return task_has_perm(current, p, PROCESS__SETPGID);
3111 static int selinux_task_getpgid(struct task_struct *p)
3113 return task_has_perm(current, p, PROCESS__GETPGID);
3116 static int selinux_task_getsid(struct task_struct *p)
3118 return task_has_perm(current, p, PROCESS__GETSESSION);
3121 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3123 selinux_get_task_sid(p, secid);
3126 static int selinux_task_setgroups(struct group_info *group_info)
3128 /* See the comment for setuid above. */
3132 static int selinux_task_setnice(struct task_struct *p, int nice)
3136 rc = secondary_ops->task_setnice(p, nice);
3140 return task_has_perm(current,p, PROCESS__SETSCHED);
3143 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3147 rc = secondary_ops->task_setioprio(p, ioprio);
3151 return task_has_perm(current, p, PROCESS__SETSCHED);
3154 static int selinux_task_getioprio(struct task_struct *p)
3156 return task_has_perm(current, p, PROCESS__GETSCHED);
3159 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3161 struct rlimit *old_rlim = current->signal->rlim + resource;
3164 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3168 /* Control the ability to change the hard limit (whether
3169 lowering or raising it), so that the hard limit can
3170 later be used as a safe reset point for the soft limit
3171 upon context transitions. See selinux_bprm_apply_creds. */
3172 if (old_rlim->rlim_max != new_rlim->rlim_max)
3173 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3178 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3182 rc = secondary_ops->task_setscheduler(p, policy, lp);
3186 return task_has_perm(current, p, PROCESS__SETSCHED);
3189 static int selinux_task_getscheduler(struct task_struct *p)
3191 return task_has_perm(current, p, PROCESS__GETSCHED);
3194 static int selinux_task_movememory(struct task_struct *p)
3196 return task_has_perm(current, p, PROCESS__SETSCHED);
3199 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3204 struct task_security_struct *tsec;
3206 rc = secondary_ops->task_kill(p, info, sig, secid);
3210 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3214 perm = PROCESS__SIGNULL; /* null signal; existence test */
3216 perm = signal_to_av(sig);
3219 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3221 rc = task_has_perm(current, p, perm);
3225 static int selinux_task_prctl(int option,
3231 /* The current prctl operations do not appear to require
3232 any SELinux controls since they merely observe or modify
3233 the state of the current process. */
3237 static int selinux_task_wait(struct task_struct *p)
3239 return task_has_perm(p, current, PROCESS__SIGCHLD);
3242 static void selinux_task_reparent_to_init(struct task_struct *p)
3244 struct task_security_struct *tsec;
3246 secondary_ops->task_reparent_to_init(p);
3249 tsec->osid = tsec->sid;
3250 tsec->sid = SECINITSID_KERNEL;
3254 static void selinux_task_to_inode(struct task_struct *p,
3255 struct inode *inode)
3257 struct task_security_struct *tsec = p->security;
3258 struct inode_security_struct *isec = inode->i_security;
3260 isec->sid = tsec->sid;
3261 isec->initialized = 1;
3265 /* Returns error only if unable to parse addresses */
3266 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3267 struct avc_audit_data *ad, u8 *proto)
3269 int offset, ihlen, ret = -EINVAL;
3270 struct iphdr _iph, *ih;
3272 offset = skb_network_offset(skb);
3273 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3277 ihlen = ih->ihl * 4;
3278 if (ihlen < sizeof(_iph))
3281 ad->u.net.v4info.saddr = ih->saddr;
3282 ad->u.net.v4info.daddr = ih->daddr;
3286 *proto = ih->protocol;
3288 switch (ih->protocol) {
3290 struct tcphdr _tcph, *th;
3292 if (ntohs(ih->frag_off) & IP_OFFSET)
3296 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3300 ad->u.net.sport = th->source;
3301 ad->u.net.dport = th->dest;
3306 struct udphdr _udph, *uh;
3308 if (ntohs(ih->frag_off) & IP_OFFSET)
3312 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3316 ad->u.net.sport = uh->source;
3317 ad->u.net.dport = uh->dest;
3321 case IPPROTO_DCCP: {
3322 struct dccp_hdr _dccph, *dh;
3324 if (ntohs(ih->frag_off) & IP_OFFSET)
3328 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3332 ad->u.net.sport = dh->dccph_sport;
3333 ad->u.net.dport = dh->dccph_dport;
3344 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3346 /* Returns error only if unable to parse addresses */
3347 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3348 struct avc_audit_data *ad, u8 *proto)
3351 int ret = -EINVAL, offset;
3352 struct ipv6hdr _ipv6h, *ip6;
3354 offset = skb_network_offset(skb);
3355 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3359 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3360 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3363 nexthdr = ip6->nexthdr;
3364 offset += sizeof(_ipv6h);
3365 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3374 struct tcphdr _tcph, *th;
3376 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3380 ad->u.net.sport = th->source;
3381 ad->u.net.dport = th->dest;
3386 struct udphdr _udph, *uh;
3388 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3392 ad->u.net.sport = uh->source;
3393 ad->u.net.dport = uh->dest;
3397 case IPPROTO_DCCP: {
3398 struct dccp_hdr _dccph, *dh;
3400 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3404 ad->u.net.sport = dh->dccph_sport;
3405 ad->u.net.dport = dh->dccph_dport;
3409 /* includes fragments */
3419 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3420 char **addrp, int src, u8 *proto)
3424 switch (ad->u.net.family) {
3426 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3429 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3430 &ad->u.net.v4info.daddr);
3433 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3435 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3438 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3439 &ad->u.net.v6info.daddr);
3450 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3452 * @family: protocol family
3453 * @sid: the packet's peer label SID
3456 * Check the various different forms of network peer labeling and determine
3457 * the peer label/SID for the packet; most of the magic actually occurs in
3458 * the security server function security_net_peersid_cmp(). The function
3459 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3460 * or -EACCES if @sid is invalid due to inconsistencies with the different
3464 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3470 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3471 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3473 if (security_net_peersid_resolve(nlbl_sid, nlbl_type,
3481 /* socket security operations */
3482 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3485 struct inode_security_struct *isec;
3486 struct task_security_struct *tsec;
3487 struct avc_audit_data ad;
3490 tsec = task->security;
3491 isec = SOCK_INODE(sock)->i_security;
3493 if (isec->sid == SECINITSID_KERNEL)
3496 AVC_AUDIT_DATA_INIT(&ad,NET);
3497 ad.u.net.sk = sock->sk;
3498 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3504 static int selinux_socket_create(int family, int type,
3505 int protocol, int kern)
3508 struct task_security_struct *tsec;
3514 tsec = current->security;
3515 newsid = tsec->sockcreate_sid ? : tsec->sid;
3516 err = avc_has_perm(tsec->sid, newsid,
3517 socket_type_to_security_class(family, type,
3518 protocol), SOCKET__CREATE, NULL);
3524 static int selinux_socket_post_create(struct socket *sock, int family,
3525 int type, int protocol, int kern)
3528 struct inode_security_struct *isec;
3529 struct task_security_struct *tsec;
3530 struct sk_security_struct *sksec;
3533 isec = SOCK_INODE(sock)->i_security;
3535 tsec = current->security;
3536 newsid = tsec->sockcreate_sid ? : tsec->sid;
3537 isec->sclass = socket_type_to_security_class(family, type, protocol);
3538 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3539 isec->initialized = 1;
3542 sksec = sock->sk->sk_security;
3543 sksec->sid = isec->sid;
3544 sksec->sclass = isec->sclass;
3545 err = selinux_netlbl_socket_post_create(sock);
3551 /* Range of port numbers used to automatically bind.
3552 Need to determine whether we should perform a name_bind
3553 permission check between the socket and the port number. */
3555 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3560 err = socket_has_perm(current, sock, SOCKET__BIND);
3565 * If PF_INET or PF_INET6, check name_bind permission for the port.
3566 * Multiple address binding for SCTP is not supported yet: we just
3567 * check the first address now.
3569 family = sock->sk->sk_family;
3570 if (family == PF_INET || family == PF_INET6) {
3572 struct inode_security_struct *isec;
3573 struct task_security_struct *tsec;
3574 struct avc_audit_data ad;
3575 struct sockaddr_in *addr4 = NULL;
3576 struct sockaddr_in6 *addr6 = NULL;
3577 unsigned short snum;
3578 struct sock *sk = sock->sk;
3579 u32 sid, node_perm, addrlen;
3581 tsec = current->security;
3582 isec = SOCK_INODE(sock)->i_security;
3584 if (family == PF_INET) {
3585 addr4 = (struct sockaddr_in *)address;
3586 snum = ntohs(addr4->sin_port);
3587 addrlen = sizeof(addr4->sin_addr.s_addr);
3588 addrp = (char *)&addr4->sin_addr.s_addr;
3590 addr6 = (struct sockaddr_in6 *)address;
3591 snum = ntohs(addr6->sin6_port);
3592 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3593 addrp = (char *)&addr6->sin6_addr.s6_addr;
3599 inet_get_local_port_range(&low, &high);
3601 if (snum < max(PROT_SOCK, low) || snum > high) {
3602 err = security_port_sid(sk->sk_family,
3604 sk->sk_protocol, snum,
3608 AVC_AUDIT_DATA_INIT(&ad,NET);
3609 ad.u.net.sport = htons(snum);
3610 ad.u.net.family = family;
3611 err = avc_has_perm(isec->sid, sid,
3613 SOCKET__NAME_BIND, &ad);
3619 switch(isec->sclass) {
3620 case SECCLASS_TCP_SOCKET:
3621 node_perm = TCP_SOCKET__NODE_BIND;
3624 case SECCLASS_UDP_SOCKET:
3625 node_perm = UDP_SOCKET__NODE_BIND;
3628 case SECCLASS_DCCP_SOCKET:
3629 node_perm = DCCP_SOCKET__NODE_BIND;
3633 node_perm = RAWIP_SOCKET__NODE_BIND;
3637 err = sel_netnode_sid(addrp, family, &sid);
3641 AVC_AUDIT_DATA_INIT(&ad,NET);
3642 ad.u.net.sport = htons(snum);
3643 ad.u.net.family = family;
3645 if (family == PF_INET)
3646 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3648 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3650 err = avc_has_perm(isec->sid, sid,
3651 isec->sclass, node_perm, &ad);
3659 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3661 struct inode_security_struct *isec;
3664 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3669 * If a TCP or DCCP socket, check name_connect permission for the port.
3671 isec = SOCK_INODE(sock)->i_security;
3672 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3673 isec->sclass == SECCLASS_DCCP_SOCKET) {
3674 struct sock *sk = sock->sk;
3675 struct avc_audit_data ad;
3676 struct sockaddr_in *addr4 = NULL;
3677 struct sockaddr_in6 *addr6 = NULL;
3678 unsigned short snum;
3681 if (sk->sk_family == PF_INET) {
3682 addr4 = (struct sockaddr_in *)address;
3683 if (addrlen < sizeof(struct sockaddr_in))
3685 snum = ntohs(addr4->sin_port);
3687 addr6 = (struct sockaddr_in6 *)address;
3688 if (addrlen < SIN6_LEN_RFC2133)
3690 snum = ntohs(addr6->sin6_port);
3693 err = security_port_sid(sk->sk_family, sk->sk_type,
3694 sk->sk_protocol, snum, &sid);
3698 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3699 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3701 AVC_AUDIT_DATA_INIT(&ad,NET);
3702 ad.u.net.dport = htons(snum);
3703 ad.u.net.family = sk->sk_family;
3704 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3713 static int selinux_socket_listen(struct socket *sock, int backlog)
3715 return socket_has_perm(current, sock, SOCKET__LISTEN);
3718 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3721 struct inode_security_struct *isec;
3722 struct inode_security_struct *newisec;
3724 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3728 newisec = SOCK_INODE(newsock)->i_security;
3730 isec = SOCK_INODE(sock)->i_security;
3731 newisec->sclass = isec->sclass;
3732 newisec->sid = isec->sid;
3733 newisec->initialized = 1;
3738 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3743 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3747 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3750 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3751 int size, int flags)
3753 return socket_has_perm(current, sock, SOCKET__READ);
3756 static int selinux_socket_getsockname(struct socket *sock)
3758 return socket_has_perm(current, sock, SOCKET__GETATTR);
3761 static int selinux_socket_getpeername(struct socket *sock)
3763 return socket_has_perm(current, sock, SOCKET__GETATTR);
3766 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3770 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3774 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3777 static int selinux_socket_getsockopt(struct socket *sock, int level,
3780 return socket_has_perm(current, sock, SOCKET__GETOPT);
3783 static int selinux_socket_shutdown(struct socket *sock, int how)
3785 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3788 static int selinux_socket_unix_stream_connect(struct socket *sock,
3789 struct socket *other,
3792 struct sk_security_struct *ssec;
3793 struct inode_security_struct *isec;
3794 struct inode_security_struct *other_isec;
3795 struct avc_audit_data ad;
3798 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3802 isec = SOCK_INODE(sock)->i_security;
3803 other_isec = SOCK_INODE(other)->i_security;
3805 AVC_AUDIT_DATA_INIT(&ad,NET);
3806 ad.u.net.sk = other->sk;
3808 err = avc_has_perm(isec->sid, other_isec->sid,
3810 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3814 /* connecting socket */
3815 ssec = sock->sk->sk_security;
3816 ssec->peer_sid = other_isec->sid;
3818 /* server child socket */
3819 ssec = newsk->sk_security;
3820 ssec->peer_sid = isec->sid;
3821 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3826 static int selinux_socket_unix_may_send(struct socket *sock,
3827 struct socket *other)
3829 struct inode_security_struct *isec;
3830 struct inode_security_struct *other_isec;
3831 struct avc_audit_data ad;
3834 isec = SOCK_INODE(sock)->i_security;
3835 other_isec = SOCK_INODE(other)->i_security;
3837 AVC_AUDIT_DATA_INIT(&ad,NET);
3838 ad.u.net.sk = other->sk;
3840 err = avc_has_perm(isec->sid, other_isec->sid,
3841 isec->sclass, SOCKET__SENDTO, &ad);
3848 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3850 struct avc_audit_data *ad)
3856 err = sel_netif_sid(ifindex, &if_sid);
3859 err = avc_has_perm(peer_sid, if_sid,
3860 SECCLASS_NETIF, NETIF__INGRESS, ad);
3864 err = sel_netnode_sid(addrp, family, &node_sid);
3867 return avc_has_perm(peer_sid, node_sid,
3868 SECCLASS_NODE, NODE__RECVFROM, ad);
3871 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3872 struct sk_buff *skb,
3873 struct avc_audit_data *ad,
3878 struct sk_security_struct *sksec = sk->sk_security;
3880 u32 netif_perm, node_perm, recv_perm;
3881 u32 port_sid, node_sid, if_sid, sk_sid;
3883 sk_sid = sksec->sid;
3884 sk_class = sksec->sclass;
3887 case SECCLASS_UDP_SOCKET:
3888 netif_perm = NETIF__UDP_RECV;
3889 node_perm = NODE__UDP_RECV;
3890 recv_perm = UDP_SOCKET__RECV_MSG;
3892 case SECCLASS_TCP_SOCKET:
3893 netif_perm = NETIF__TCP_RECV;
3894 node_perm = NODE__TCP_RECV;
3895 recv_perm = TCP_SOCKET__RECV_MSG;
3897 case SECCLASS_DCCP_SOCKET:
3898 netif_perm = NETIF__DCCP_RECV;
3899 node_perm = NODE__DCCP_RECV;
3900 recv_perm = DCCP_SOCKET__RECV_MSG;
3903 netif_perm = NETIF__RAWIP_RECV;
3904 node_perm = NODE__RAWIP_RECV;
3909 err = sel_netif_sid(skb->iif, &if_sid);
3912 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3916 err = sel_netnode_sid(addrp, family, &node_sid);
3919 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3925 err = security_port_sid(sk->sk_family, sk->sk_type,
3926 sk->sk_protocol, ntohs(ad->u.net.sport),
3930 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
3933 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3934 struct avc_audit_data *ad,
3935 u16 family, char *addrp)
3938 struct sk_security_struct *sksec = sk->sk_security;
3940 u32 sk_sid = sksec->sid;
3942 if (selinux_compat_net)
3943 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
3946 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
3951 if (selinux_policycap_netpeer) {
3952 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
3955 err = avc_has_perm(sk_sid, peer_sid,
3956 SECCLASS_PEER, PEER__RECV, ad);
3958 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
3961 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
3967 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3970 struct sk_security_struct *sksec = sk->sk_security;
3971 u16 family = sk->sk_family;
3972 u32 sk_sid = sksec->sid;
3973 struct avc_audit_data ad;
3976 if (family != PF_INET && family != PF_INET6)
3979 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3980 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
3983 AVC_AUDIT_DATA_INIT(&ad, NET);
3984 ad.u.net.netif = skb->iif;
3985 ad.u.net.family = family;
3986 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
3990 /* If any sort of compatibility mode is enabled then handoff processing
3991 * to the selinux_sock_rcv_skb_compat() function to deal with the
3992 * special handling. We do this in an attempt to keep this function
3993 * as fast and as clean as possible. */
3994 if (selinux_compat_net || !selinux_policycap_netpeer)
3995 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
3998 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4001 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4004 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4008 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4012 if (selinux_secmark_enabled()) {
4013 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4022 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4023 int __user *optlen, unsigned len)
4028 struct sk_security_struct *ssec;
4029 struct inode_security_struct *isec;
4030 u32 peer_sid = SECSID_NULL;
4032 isec = SOCK_INODE(sock)->i_security;
4034 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4035 isec->sclass == SECCLASS_TCP_SOCKET) {
4036 ssec = sock->sk->sk_security;
4037 peer_sid = ssec->peer_sid;
4039 if (peer_sid == SECSID_NULL) {
4044 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4049 if (scontext_len > len) {
4054 if (copy_to_user(optval, scontext, scontext_len))
4058 if (put_user(scontext_len, optlen))
4066 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4068 u32 peer_secid = SECSID_NULL;
4072 family = sock->sk->sk_family;
4073 else if (skb && skb->sk)
4074 family = skb->sk->sk_family;
4078 if (sock && family == PF_UNIX)
4079 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4081 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4084 *secid = peer_secid;
4085 if (peer_secid == SECSID_NULL)
4090 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4092 return sk_alloc_security(sk, family, priority);
4095 static void selinux_sk_free_security(struct sock *sk)
4097 sk_free_security(sk);
4100 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4102 struct sk_security_struct *ssec = sk->sk_security;
4103 struct sk_security_struct *newssec = newsk->sk_security;
4105 newssec->sid = ssec->sid;
4106 newssec->peer_sid = ssec->peer_sid;
4107 newssec->sclass = ssec->sclass;
4109 selinux_netlbl_sk_security_clone(ssec, newssec);
4112 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4115 *secid = SECINITSID_ANY_SOCKET;
4117 struct sk_security_struct *sksec = sk->sk_security;
4119 *secid = sksec->sid;
4123 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4125 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4126 struct sk_security_struct *sksec = sk->sk_security;
4128 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4129 sk->sk_family == PF_UNIX)
4130 isec->sid = sksec->sid;
4131 sksec->sclass = isec->sclass;
4133 selinux_netlbl_sock_graft(sk, parent);
4136 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4137 struct request_sock *req)
4139 struct sk_security_struct *sksec = sk->sk_security;
4144 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4147 if (peersid == SECSID_NULL) {
4148 req->secid = sksec->sid;
4149 req->peer_secid = SECSID_NULL;
4153 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4157 req->secid = newsid;
4158 req->peer_secid = peersid;
4162 static void selinux_inet_csk_clone(struct sock *newsk,
4163 const struct request_sock *req)
4165 struct sk_security_struct *newsksec = newsk->sk_security;
4167 newsksec->sid = req->secid;
4168 newsksec->peer_sid = req->peer_secid;
4169 /* NOTE: Ideally, we should also get the isec->sid for the
4170 new socket in sync, but we don't have the isec available yet.
4171 So we will wait until sock_graft to do it, by which
4172 time it will have been created and available. */
4174 /* We don't need to take any sort of lock here as we are the only
4175 * thread with access to newsksec */
4176 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4179 static void selinux_inet_conn_established(struct sock *sk,
4180 struct sk_buff *skb)
4182 struct sk_security_struct *sksec = sk->sk_security;
4184 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4187 static void selinux_req_classify_flow(const struct request_sock *req,
4190 fl->secid = req->secid;
4193 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4197 struct nlmsghdr *nlh;
4198 struct socket *sock = sk->sk_socket;
4199 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4201 if (skb->len < NLMSG_SPACE(0)) {
4205 nlh = nlmsg_hdr(skb);
4207 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4209 if (err == -EINVAL) {
4210 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4211 "SELinux: unrecognized netlink message"
4212 " type=%hu for sclass=%hu\n",
4213 nlh->nlmsg_type, isec->sclass);
4214 if (!selinux_enforcing)
4224 err = socket_has_perm(current, sock, perm);
4229 #ifdef CONFIG_NETFILTER
4231 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4236 struct avc_audit_data ad;
4240 if (!selinux_policycap_netpeer)
4243 secmark_active = selinux_secmark_enabled();
4244 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4245 if (!secmark_active && !peerlbl_active)
4248 AVC_AUDIT_DATA_INIT(&ad, NET);
4249 ad.u.net.netif = ifindex;
4250 ad.u.net.family = family;
4251 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4254 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4258 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4259 peer_sid, &ad) != 0)
4263 if (avc_has_perm(peer_sid, skb->secmark,
4264 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4270 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4271 struct sk_buff *skb,
4272 const struct net_device *in,
4273 const struct net_device *out,
4274 int (*okfn)(struct sk_buff *))
4276 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4279 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4280 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4281 struct sk_buff *skb,
4282 const struct net_device *in,
4283 const struct net_device *out,
4284 int (*okfn)(struct sk_buff *))
4286 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4290 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4292 struct avc_audit_data *ad,
4293 u16 family, char *addrp)
4296 struct sk_security_struct *sksec = sk->sk_security;
4298 u32 netif_perm, node_perm, send_perm;
4299 u32 port_sid, node_sid, if_sid, sk_sid;
4301 sk_sid = sksec->sid;
4302 sk_class = sksec->sclass;
4305 case SECCLASS_UDP_SOCKET:
4306 netif_perm = NETIF__UDP_SEND;
4307 node_perm = NODE__UDP_SEND;
4308 send_perm = UDP_SOCKET__SEND_MSG;
4310 case SECCLASS_TCP_SOCKET:
4311 netif_perm = NETIF__TCP_SEND;
4312 node_perm = NODE__TCP_SEND;
4313 send_perm = TCP_SOCKET__SEND_MSG;
4315 case SECCLASS_DCCP_SOCKET:
4316 netif_perm = NETIF__DCCP_SEND;
4317 node_perm = NODE__DCCP_SEND;
4318 send_perm = DCCP_SOCKET__SEND_MSG;
4321 netif_perm = NETIF__RAWIP_SEND;
4322 node_perm = NODE__RAWIP_SEND;
4327 err = sel_netif_sid(ifindex, &if_sid);
4330 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4333 err = sel_netnode_sid(addrp, family, &node_sid);
4336 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4343 err = security_port_sid(sk->sk_family, sk->sk_type,
4344 sk->sk_protocol, ntohs(ad->u.net.dport),
4348 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4351 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4353 struct avc_audit_data *ad,
4358 struct sock *sk = skb->sk;
4359 struct sk_security_struct *sksec;
4363 sksec = sk->sk_security;
4365 if (selinux_compat_net) {
4366 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4370 if (avc_has_perm(sksec->sid, skb->secmark,
4371 SECCLASS_PACKET, PACKET__SEND, ad))
4375 if (selinux_policycap_netpeer)
4376 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4382 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4388 struct avc_audit_data ad;
4394 AVC_AUDIT_DATA_INIT(&ad, NET);
4395 ad.u.net.netif = ifindex;
4396 ad.u.net.family = family;
4397 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4400 /* If any sort of compatibility mode is enabled then handoff processing
4401 * to the selinux_ip_postroute_compat() function to deal with the
4402 * special handling. We do this in an attempt to keep this function
4403 * as fast and as clean as possible. */
4404 if (selinux_compat_net || !selinux_policycap_netpeer)
4405 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4406 family, addrp, proto);
4408 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4409 * packet transformation so allow the packet to pass without any checks
4410 * since we'll have another chance to perform access control checks
4411 * when the packet is on it's final way out.
4412 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4413 * is NULL, in this case go ahead and apply access control. */
4414 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4417 secmark_active = selinux_secmark_enabled();
4418 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4419 if (!secmark_active && !peerlbl_active)
4422 /* if the packet is locally generated (skb->sk != NULL) then use the
4423 * socket's label as the peer label, otherwise the packet is being
4424 * forwarded through this system and we need to fetch the peer label
4425 * directly from the packet */
4428 struct sk_security_struct *sksec = sk->sk_security;
4429 peer_sid = sksec->sid;
4430 secmark_perm = PACKET__SEND;
4432 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4434 secmark_perm = PACKET__FORWARD_OUT;
4438 if (avc_has_perm(peer_sid, skb->secmark,
4439 SECCLASS_PACKET, secmark_perm, &ad))
4442 if (peerlbl_active) {
4446 if (sel_netif_sid(ifindex, &if_sid))
4448 if (avc_has_perm(peer_sid, if_sid,
4449 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4452 if (sel_netnode_sid(addrp, family, &node_sid))
4454 if (avc_has_perm(peer_sid, node_sid,
4455 SECCLASS_NODE, NODE__SENDTO, &ad))
4462 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4463 struct sk_buff *skb,
4464 const struct net_device *in,
4465 const struct net_device *out,
4466 int (*okfn)(struct sk_buff *))
4468 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4471 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4472 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4473 struct sk_buff *skb,
4474 const struct net_device *in,
4475 const struct net_device *out,
4476 int (*okfn)(struct sk_buff *))
4478 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4482 #endif /* CONFIG_NETFILTER */
4484 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4488 err = secondary_ops->netlink_send(sk, skb);
4492 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4493 err = selinux_nlmsg_perm(sk, skb);
4498 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4501 struct avc_audit_data ad;
4503 err = secondary_ops->netlink_recv(skb, capability);
4507 AVC_AUDIT_DATA_INIT(&ad, CAP);
4508 ad.u.cap = capability;
4510 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4511 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4514 static int ipc_alloc_security(struct task_struct *task,
4515 struct kern_ipc_perm *perm,
4518 struct task_security_struct *tsec = task->security;
4519 struct ipc_security_struct *isec;
4521 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4525 isec->sclass = sclass;
4526 isec->ipc_perm = perm;
4527 isec->sid = tsec->sid;
4528 perm->security = isec;
4533 static void ipc_free_security(struct kern_ipc_perm *perm)
4535 struct ipc_security_struct *isec = perm->security;
4536 perm->security = NULL;
4540 static int msg_msg_alloc_security(struct msg_msg *msg)
4542 struct msg_security_struct *msec;
4544 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4549 msec->sid = SECINITSID_UNLABELED;
4550 msg->security = msec;
4555 static void msg_msg_free_security(struct msg_msg *msg)
4557 struct msg_security_struct *msec = msg->security;
4559 msg->security = NULL;
4563 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4566 struct task_security_struct *tsec;
4567 struct ipc_security_struct *isec;
4568 struct avc_audit_data ad;
4570 tsec = current->security;
4571 isec = ipc_perms->security;
4573 AVC_AUDIT_DATA_INIT(&ad, IPC);
4574 ad.u.ipc_id = ipc_perms->key;
4576 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4579 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4581 return msg_msg_alloc_security(msg);
4584 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4586 msg_msg_free_security(msg);
4589 /* message queue security operations */
4590 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4592 struct task_security_struct *tsec;
4593 struct ipc_security_struct *isec;
4594 struct avc_audit_data ad;
4597 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4601 tsec = current->security;
4602 isec = msq->q_perm.security;
4604 AVC_AUDIT_DATA_INIT(&ad, IPC);
4605 ad.u.ipc_id = msq->q_perm.key;
4607 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4610 ipc_free_security(&msq->q_perm);
4616 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4618 ipc_free_security(&msq->q_perm);
4621 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4623 struct task_security_struct *tsec;
4624 struct ipc_security_struct *isec;
4625 struct avc_audit_data ad;
4627 tsec = current->security;
4628 isec = msq->q_perm.security;
4630 AVC_AUDIT_DATA_INIT(&ad, IPC);
4631 ad.u.ipc_id = msq->q_perm.key;
4633 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4634 MSGQ__ASSOCIATE, &ad);
4637 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4645 /* No specific object, just general system-wide information. */
4646 return task_has_system(current, SYSTEM__IPC_INFO);
4649 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4652 perms = MSGQ__SETATTR;
4655 perms = MSGQ__DESTROY;
4661 err = ipc_has_perm(&msq->q_perm, perms);
4665 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4667 struct task_security_struct *tsec;
4668 struct ipc_security_struct *isec;
4669 struct msg_security_struct *msec;
4670 struct avc_audit_data ad;
4673 tsec = current->security;
4674 isec = msq->q_perm.security;
4675 msec = msg->security;
4678 * First time through, need to assign label to the message
4680 if (msec->sid == SECINITSID_UNLABELED) {
4682 * Compute new sid based on current process and
4683 * message queue this message will be stored in
4685 rc = security_transition_sid(tsec->sid,
4693 AVC_AUDIT_DATA_INIT(&ad, IPC);
4694 ad.u.ipc_id = msq->q_perm.key;
4696 /* Can this process write to the queue? */
4697 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4700 /* Can this process send the message */
4701 rc = avc_has_perm(tsec->sid, msec->sid,
4702 SECCLASS_MSG, MSG__SEND, &ad);
4704 /* Can the message be put in the queue? */
4705 rc = avc_has_perm(msec->sid, isec->sid,
4706 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4711 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4712 struct task_struct *target,
4713 long type, int mode)
4715 struct task_security_struct *tsec;
4716 struct ipc_security_struct *isec;
4717 struct msg_security_struct *msec;
4718 struct avc_audit_data ad;
4721 tsec = target->security;
4722 isec = msq->q_perm.security;
4723 msec = msg->security;
4725 AVC_AUDIT_DATA_INIT(&ad, IPC);
4726 ad.u.ipc_id = msq->q_perm.key;
4728 rc = avc_has_perm(tsec->sid, isec->sid,
4729 SECCLASS_MSGQ, MSGQ__READ, &ad);
4731 rc = avc_has_perm(tsec->sid, msec->sid,
4732 SECCLASS_MSG, MSG__RECEIVE, &ad);
4736 /* Shared Memory security operations */
4737 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4739 struct task_security_struct *tsec;
4740 struct ipc_security_struct *isec;
4741 struct avc_audit_data ad;
4744 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4748 tsec = current->security;
4749 isec = shp->shm_perm.security;
4751 AVC_AUDIT_DATA_INIT(&ad, IPC);
4752 ad.u.ipc_id = shp->shm_perm.key;
4754 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4757 ipc_free_security(&shp->shm_perm);
4763 static void selinux_shm_free_security(struct shmid_kernel *shp)
4765 ipc_free_security(&shp->shm_perm);
4768 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4770 struct task_security_struct *tsec;
4771 struct ipc_security_struct *isec;
4772 struct avc_audit_data ad;
4774 tsec = current->security;
4775 isec = shp->shm_perm.security;
4777 AVC_AUDIT_DATA_INIT(&ad, IPC);
4778 ad.u.ipc_id = shp->shm_perm.key;
4780 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4781 SHM__ASSOCIATE, &ad);
4784 /* Note, at this point, shp is locked down */
4785 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4793 /* No specific object, just general system-wide information. */
4794 return task_has_system(current, SYSTEM__IPC_INFO);
4797 perms = SHM__GETATTR | SHM__ASSOCIATE;
4800 perms = SHM__SETATTR;
4807 perms = SHM__DESTROY;
4813 err = ipc_has_perm(&shp->shm_perm, perms);
4817 static int selinux_shm_shmat(struct shmid_kernel *shp,
4818 char __user *shmaddr, int shmflg)
4823 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4827 if (shmflg & SHM_RDONLY)
4830 perms = SHM__READ | SHM__WRITE;
4832 return ipc_has_perm(&shp->shm_perm, perms);
4835 /* Semaphore security operations */
4836 static int selinux_sem_alloc_security(struct sem_array *sma)
4838 struct task_security_struct *tsec;
4839 struct ipc_security_struct *isec;
4840 struct avc_audit_data ad;
4843 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4847 tsec = current->security;
4848 isec = sma->sem_perm.security;
4850 AVC_AUDIT_DATA_INIT(&ad, IPC);
4851 ad.u.ipc_id = sma->sem_perm.key;
4853 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4856 ipc_free_security(&sma->sem_perm);
4862 static void selinux_sem_free_security(struct sem_array *sma)
4864 ipc_free_security(&sma->sem_perm);
4867 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4869 struct task_security_struct *tsec;
4870 struct ipc_security_struct *isec;
4871 struct avc_audit_data ad;
4873 tsec = current->security;
4874 isec = sma->sem_perm.security;
4876 AVC_AUDIT_DATA_INIT(&ad, IPC);
4877 ad.u.ipc_id = sma->sem_perm.key;
4879 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4880 SEM__ASSOCIATE, &ad);
4883 /* Note, at this point, sma is locked down */
4884 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4892 /* No specific object, just general system-wide information. */
4893 return task_has_system(current, SYSTEM__IPC_INFO);
4897 perms = SEM__GETATTR;
4908 perms = SEM__DESTROY;
4911 perms = SEM__SETATTR;
4915 perms = SEM__GETATTR | SEM__ASSOCIATE;
4921 err = ipc_has_perm(&sma->sem_perm, perms);
4925 static int selinux_sem_semop(struct sem_array *sma,
4926 struct sembuf *sops, unsigned nsops, int alter)
4931 perms = SEM__READ | SEM__WRITE;
4935 return ipc_has_perm(&sma->sem_perm, perms);
4938 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4944 av |= IPC__UNIX_READ;
4946 av |= IPC__UNIX_WRITE;
4951 return ipc_has_perm(ipcp, av);
4954 /* module stacking operations */
4955 static int selinux_register_security (const char *name, struct security_operations *ops)
4957 if (secondary_ops != original_ops) {
4958 printk(KERN_ERR "%s: There is already a secondary security "
4959 "module registered.\n", __FUNCTION__);
4963 secondary_ops = ops;
4965 printk(KERN_INFO "%s: Registering secondary module %s\n",
4972 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4975 inode_doinit_with_dentry(inode, dentry);
4978 static int selinux_getprocattr(struct task_struct *p,
4979 char *name, char **value)
4981 struct task_security_struct *tsec;
4987 error = task_has_perm(current, p, PROCESS__GETATTR);
4994 if (!strcmp(name, "current"))
4996 else if (!strcmp(name, "prev"))
4998 else if (!strcmp(name, "exec"))
4999 sid = tsec->exec_sid;
5000 else if (!strcmp(name, "fscreate"))
5001 sid = tsec->create_sid;
5002 else if (!strcmp(name, "keycreate"))
5003 sid = tsec->keycreate_sid;
5004 else if (!strcmp(name, "sockcreate"))
5005 sid = tsec->sockcreate_sid;
5012 error = security_sid_to_context(sid, value, &len);
5018 static int selinux_setprocattr(struct task_struct *p,
5019 char *name, void *value, size_t size)
5021 struct task_security_struct *tsec;
5027 /* SELinux only allows a process to change its own
5028 security attributes. */
5033 * Basic control over ability to set these attributes at all.
5034 * current == p, but we'll pass them separately in case the
5035 * above restriction is ever removed.
5037 if (!strcmp(name, "exec"))
5038 error = task_has_perm(current, p, PROCESS__SETEXEC);
5039 else if (!strcmp(name, "fscreate"))
5040 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5041 else if (!strcmp(name, "keycreate"))
5042 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5043 else if (!strcmp(name, "sockcreate"))
5044 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5045 else if (!strcmp(name, "current"))
5046 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5052 /* Obtain a SID for the context, if one was specified. */
5053 if (size && str[1] && str[1] != '\n') {
5054 if (str[size-1] == '\n') {
5058 error = security_context_to_sid(value, size, &sid);
5063 /* Permission checking based on the specified context is
5064 performed during the actual operation (execve,
5065 open/mkdir/...), when we know the full context of the
5066 operation. See selinux_bprm_set_security for the execve
5067 checks and may_create for the file creation checks. The
5068 operation will then fail if the context is not permitted. */
5070 if (!strcmp(name, "exec"))
5071 tsec->exec_sid = sid;
5072 else if (!strcmp(name, "fscreate"))
5073 tsec->create_sid = sid;
5074 else if (!strcmp(name, "keycreate")) {
5075 error = may_create_key(sid, p);
5078 tsec->keycreate_sid = sid;
5079 } else if (!strcmp(name, "sockcreate"))
5080 tsec->sockcreate_sid = sid;
5081 else if (!strcmp(name, "current")) {
5082 struct av_decision avd;
5087 /* Only allow single threaded processes to change context */
5088 if (atomic_read(&p->mm->mm_users) != 1) {
5089 struct task_struct *g, *t;
5090 struct mm_struct *mm = p->mm;
5091 read_lock(&tasklist_lock);
5092 do_each_thread(g, t)
5093 if (t->mm == mm && t != p) {
5094 read_unlock(&tasklist_lock);
5097 while_each_thread(g, t);
5098 read_unlock(&tasklist_lock);
5101 /* Check permissions for the transition. */
5102 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5103 PROCESS__DYNTRANSITION, NULL);
5107 /* Check for ptracing, and update the task SID if ok.
5108 Otherwise, leave SID unchanged and fail. */
5110 if (p->ptrace & PT_PTRACED) {
5111 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
5113 PROCESS__PTRACE, 0, &avd);
5117 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
5118 PROCESS__PTRACE, &avd, error, NULL);
5132 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5134 return security_sid_to_context(secid, secdata, seclen);
5137 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5139 return security_context_to_sid(secdata, seclen, secid);
5142 static void selinux_release_secctx(char *secdata, u32 seclen)
5149 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5150 unsigned long flags)
5152 struct task_security_struct *tsec = tsk->security;
5153 struct key_security_struct *ksec;
5155 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5160 if (tsec->keycreate_sid)
5161 ksec->sid = tsec->keycreate_sid;
5163 ksec->sid = tsec->sid;
5169 static void selinux_key_free(struct key *k)
5171 struct key_security_struct *ksec = k->security;
5177 static int selinux_key_permission(key_ref_t key_ref,
5178 struct task_struct *ctx,
5182 struct task_security_struct *tsec;
5183 struct key_security_struct *ksec;
5185 key = key_ref_to_ptr(key_ref);
5187 tsec = ctx->security;
5188 ksec = key->security;
5190 /* if no specific permissions are requested, we skip the
5191 permission check. No serious, additional covert channels
5192 appear to be created. */
5196 return avc_has_perm(tsec->sid, ksec->sid,
5197 SECCLASS_KEY, perm, NULL);
5202 static struct security_operations selinux_ops = {
5203 .ptrace = selinux_ptrace,
5204 .capget = selinux_capget,
5205 .capset_check = selinux_capset_check,
5206 .capset_set = selinux_capset_set,
5207 .sysctl = selinux_sysctl,
5208 .capable = selinux_capable,
5209 .quotactl = selinux_quotactl,
5210 .quota_on = selinux_quota_on,
5211 .syslog = selinux_syslog,
5212 .vm_enough_memory = selinux_vm_enough_memory,
5214 .netlink_send = selinux_netlink_send,
5215 .netlink_recv = selinux_netlink_recv,
5217 .bprm_alloc_security = selinux_bprm_alloc_security,
5218 .bprm_free_security = selinux_bprm_free_security,
5219 .bprm_apply_creds = selinux_bprm_apply_creds,
5220 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5221 .bprm_set_security = selinux_bprm_set_security,
5222 .bprm_check_security = selinux_bprm_check_security,
5223 .bprm_secureexec = selinux_bprm_secureexec,
5225 .sb_alloc_security = selinux_sb_alloc_security,
5226 .sb_free_security = selinux_sb_free_security,
5227 .sb_copy_data = selinux_sb_copy_data,
5228 .sb_kern_mount = selinux_sb_kern_mount,
5229 .sb_statfs = selinux_sb_statfs,
5230 .sb_mount = selinux_mount,
5231 .sb_umount = selinux_umount,
5232 .sb_get_mnt_opts = selinux_get_mnt_opts,
5233 .sb_set_mnt_opts = selinux_set_mnt_opts,
5234 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5236 .inode_alloc_security = selinux_inode_alloc_security,
5237 .inode_free_security = selinux_inode_free_security,
5238 .inode_init_security = selinux_inode_init_security,
5239 .inode_create = selinux_inode_create,
5240 .inode_link = selinux_inode_link,
5241 .inode_unlink = selinux_inode_unlink,
5242 .inode_symlink = selinux_inode_symlink,
5243 .inode_mkdir = selinux_inode_mkdir,
5244 .inode_rmdir = selinux_inode_rmdir,
5245 .inode_mknod = selinux_inode_mknod,
5246 .inode_rename = selinux_inode_rename,
5247 .inode_readlink = selinux_inode_readlink,
5248 .inode_follow_link = selinux_inode_follow_link,
5249 .inode_permission = selinux_inode_permission,
5250 .inode_setattr = selinux_inode_setattr,
5251 .inode_getattr = selinux_inode_getattr,
5252 .inode_setxattr = selinux_inode_setxattr,
5253 .inode_post_setxattr = selinux_inode_post_setxattr,
5254 .inode_getxattr = selinux_inode_getxattr,
5255 .inode_listxattr = selinux_inode_listxattr,
5256 .inode_removexattr = selinux_inode_removexattr,
5257 .inode_getsecurity = selinux_inode_getsecurity,
5258 .inode_setsecurity = selinux_inode_setsecurity,
5259 .inode_listsecurity = selinux_inode_listsecurity,
5260 .inode_need_killpriv = selinux_inode_need_killpriv,
5261 .inode_killpriv = selinux_inode_killpriv,
5263 .file_permission = selinux_file_permission,
5264 .file_alloc_security = selinux_file_alloc_security,
5265 .file_free_security = selinux_file_free_security,
5266 .file_ioctl = selinux_file_ioctl,
5267 .file_mmap = selinux_file_mmap,
5268 .file_mprotect = selinux_file_mprotect,
5269 .file_lock = selinux_file_lock,
5270 .file_fcntl = selinux_file_fcntl,
5271 .file_set_fowner = selinux_file_set_fowner,
5272 .file_send_sigiotask = selinux_file_send_sigiotask,
5273 .file_receive = selinux_file_receive,
5275 .dentry_open = selinux_dentry_open,
5277 .task_create = selinux_task_create,
5278 .task_alloc_security = selinux_task_alloc_security,
5279 .task_free_security = selinux_task_free_security,
5280 .task_setuid = selinux_task_setuid,
5281 .task_post_setuid = selinux_task_post_setuid,
5282 .task_setgid = selinux_task_setgid,
5283 .task_setpgid = selinux_task_setpgid,
5284 .task_getpgid = selinux_task_getpgid,
5285 .task_getsid = selinux_task_getsid,
5286 .task_getsecid = selinux_task_getsecid,
5287 .task_setgroups = selinux_task_setgroups,
5288 .task_setnice = selinux_task_setnice,
5289 .task_setioprio = selinux_task_setioprio,
5290 .task_getioprio = selinux_task_getioprio,
5291 .task_setrlimit = selinux_task_setrlimit,
5292 .task_setscheduler = selinux_task_setscheduler,
5293 .task_getscheduler = selinux_task_getscheduler,
5294 .task_movememory = selinux_task_movememory,
5295 .task_kill = selinux_task_kill,
5296 .task_wait = selinux_task_wait,
5297 .task_prctl = selinux_task_prctl,
5298 .task_reparent_to_init = selinux_task_reparent_to_init,
5299 .task_to_inode = selinux_task_to_inode,
5301 .ipc_permission = selinux_ipc_permission,
5303 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5304 .msg_msg_free_security = selinux_msg_msg_free_security,
5306 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5307 .msg_queue_free_security = selinux_msg_queue_free_security,
5308 .msg_queue_associate = selinux_msg_queue_associate,
5309 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5310 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5311 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5313 .shm_alloc_security = selinux_shm_alloc_security,
5314 .shm_free_security = selinux_shm_free_security,
5315 .shm_associate = selinux_shm_associate,
5316 .shm_shmctl = selinux_shm_shmctl,
5317 .shm_shmat = selinux_shm_shmat,
5319 .sem_alloc_security = selinux_sem_alloc_security,
5320 .sem_free_security = selinux_sem_free_security,
5321 .sem_associate = selinux_sem_associate,
5322 .sem_semctl = selinux_sem_semctl,
5323 .sem_semop = selinux_sem_semop,
5325 .register_security = selinux_register_security,
5327 .d_instantiate = selinux_d_instantiate,
5329 .getprocattr = selinux_getprocattr,
5330 .setprocattr = selinux_setprocattr,
5332 .secid_to_secctx = selinux_secid_to_secctx,
5333 .secctx_to_secid = selinux_secctx_to_secid,
5334 .release_secctx = selinux_release_secctx,
5336 .unix_stream_connect = selinux_socket_unix_stream_connect,
5337 .unix_may_send = selinux_socket_unix_may_send,
5339 .socket_create = selinux_socket_create,
5340 .socket_post_create = selinux_socket_post_create,
5341 .socket_bind = selinux_socket_bind,
5342 .socket_connect = selinux_socket_connect,
5343 .socket_listen = selinux_socket_listen,
5344 .socket_accept = selinux_socket_accept,
5345 .socket_sendmsg = selinux_socket_sendmsg,
5346 .socket_recvmsg = selinux_socket_recvmsg,
5347 .socket_getsockname = selinux_socket_getsockname,
5348 .socket_getpeername = selinux_socket_getpeername,
5349 .socket_getsockopt = selinux_socket_getsockopt,
5350 .socket_setsockopt = selinux_socket_setsockopt,
5351 .socket_shutdown = selinux_socket_shutdown,
5352 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5353 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5354 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5355 .sk_alloc_security = selinux_sk_alloc_security,
5356 .sk_free_security = selinux_sk_free_security,
5357 .sk_clone_security = selinux_sk_clone_security,
5358 .sk_getsecid = selinux_sk_getsecid,
5359 .sock_graft = selinux_sock_graft,
5360 .inet_conn_request = selinux_inet_conn_request,
5361 .inet_csk_clone = selinux_inet_csk_clone,
5362 .inet_conn_established = selinux_inet_conn_established,
5363 .req_classify_flow = selinux_req_classify_flow,
5365 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5366 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5367 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5368 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5369 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5370 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5371 .xfrm_state_free_security = selinux_xfrm_state_free,
5372 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5373 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5374 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5375 .xfrm_decode_session = selinux_xfrm_decode_session,
5379 .key_alloc = selinux_key_alloc,
5380 .key_free = selinux_key_free,
5381 .key_permission = selinux_key_permission,
5385 static __init int selinux_init(void)
5387 struct task_security_struct *tsec;
5389 if (!selinux_enabled) {
5390 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5394 printk(KERN_INFO "SELinux: Initializing.\n");
5396 /* Set the security state for the initial task. */
5397 if (task_alloc_security(current))
5398 panic("SELinux: Failed to initialize initial task.\n");
5399 tsec = current->security;
5400 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5402 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5403 sizeof(struct inode_security_struct),
5404 0, SLAB_PANIC, NULL);
5407 original_ops = secondary_ops = security_ops;
5409 panic ("SELinux: No initial security operations\n");
5410 if (register_security (&selinux_ops))
5411 panic("SELinux: Unable to register with kernel.\n");
5413 if (selinux_enforcing) {
5414 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5416 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5420 /* Add security information to initial keyrings */
5421 selinux_key_alloc(&root_user_keyring, current,
5422 KEY_ALLOC_NOT_IN_QUOTA);
5423 selinux_key_alloc(&root_session_keyring, current,
5424 KEY_ALLOC_NOT_IN_QUOTA);
5430 void selinux_complete_init(void)
5432 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5434 /* Set up any superblocks initialized prior to the policy load. */
5435 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5436 spin_lock(&sb_lock);
5437 spin_lock(&sb_security_lock);
5439 if (!list_empty(&superblock_security_head)) {
5440 struct superblock_security_struct *sbsec =
5441 list_entry(superblock_security_head.next,
5442 struct superblock_security_struct,
5444 struct super_block *sb = sbsec->sb;
5446 spin_unlock(&sb_security_lock);
5447 spin_unlock(&sb_lock);
5448 down_read(&sb->s_umount);
5450 superblock_doinit(sb, NULL);
5452 spin_lock(&sb_lock);
5453 spin_lock(&sb_security_lock);
5454 list_del_init(&sbsec->list);
5457 spin_unlock(&sb_security_lock);
5458 spin_unlock(&sb_lock);
5461 /* SELinux requires early initialization in order to label
5462 all processes and objects when they are created. */
5463 security_initcall(selinux_init);
5465 #if defined(CONFIG_NETFILTER)
5467 static struct nf_hook_ops selinux_ipv4_ops[] = {
5469 .hook = selinux_ipv4_postroute,
5470 .owner = THIS_MODULE,
5472 .hooknum = NF_INET_POST_ROUTING,
5473 .priority = NF_IP_PRI_SELINUX_LAST,
5476 .hook = selinux_ipv4_forward,
5477 .owner = THIS_MODULE,
5479 .hooknum = NF_INET_FORWARD,
5480 .priority = NF_IP_PRI_SELINUX_FIRST,
5484 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5486 static struct nf_hook_ops selinux_ipv6_ops[] = {
5488 .hook = selinux_ipv6_postroute,
5489 .owner = THIS_MODULE,
5491 .hooknum = NF_INET_POST_ROUTING,
5492 .priority = NF_IP6_PRI_SELINUX_LAST,
5495 .hook = selinux_ipv6_forward,
5496 .owner = THIS_MODULE,
5498 .hooknum = NF_INET_FORWARD,
5499 .priority = NF_IP6_PRI_SELINUX_FIRST,
5505 static int __init selinux_nf_ip_init(void)
5510 if (!selinux_enabled)
5513 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5515 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5516 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5518 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5522 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5523 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5524 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5526 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5535 __initcall(selinux_nf_ip_init);
5537 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5538 static void selinux_nf_ip_exit(void)
5542 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5544 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5545 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5546 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5547 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5548 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5553 #else /* CONFIG_NETFILTER */
5555 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5556 #define selinux_nf_ip_exit()
5559 #endif /* CONFIG_NETFILTER */
5561 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5562 int selinux_disable(void)
5564 extern void exit_sel_fs(void);
5565 static int selinux_disabled = 0;
5567 if (ss_initialized) {
5568 /* Not permitted after initial policy load. */
5572 if (selinux_disabled) {
5573 /* Only do this once. */
5577 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5579 selinux_disabled = 1;
5580 selinux_enabled = 0;
5582 /* Reset security_ops to the secondary module, dummy or capability. */
5583 security_ops = secondary_ops;
5585 /* Unregister netfilter hooks. */
5586 selinux_nf_ip_exit();
5588 /* Unregister selinuxfs. */