2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/ext2_fs.h>
32 #include <linux/sched.h>
33 #include <linux/security.h>
34 #include <linux/xattr.h>
35 #include <linux/capability.h>
36 #include <linux/unistd.h>
38 #include <linux/mman.h>
39 #include <linux/slab.h>
40 #include <linux/pagemap.h>
41 #include <linux/proc_fs.h>
42 #include <linux/swap.h>
43 #include <linux/spinlock.h>
44 #include <linux/syscalls.h>
45 #include <linux/dcache.h>
46 #include <linux/file.h>
47 #include <linux/fdtable.h>
48 #include <linux/namei.h>
49 #include <linux/mount.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
54 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <linux/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
94 #define NUM_SEL_MNT_OPTS 5
96 extern struct security_operations *security_ops;
98 /* SECMARK reference count */
99 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
104 static int __init enforcing_setup(char *str)
106 unsigned long enforcing;
107 if (!strict_strtoul(str, 0, &enforcing))
108 selinux_enforcing = enforcing ? 1 : 0;
111 __setup("enforcing=", enforcing_setup);
114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
117 static int __init selinux_enabled_setup(char *str)
119 unsigned long enabled;
120 if (!strict_strtoul(str, 0, &enabled))
121 selinux_enabled = enabled ? 1 : 0;
124 __setup("selinux=", selinux_enabled_setup);
126 int selinux_enabled = 1;
129 static struct kmem_cache *sel_inode_cache;
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled.
141 static int selinux_secmark_enabled(void)
143 return (atomic_read(&selinux_secmark_refcount) > 0);
147 * initialise the security for the init task
149 static void cred_init_security(void)
151 struct cred *cred = (struct cred *) current->real_cred;
152 struct task_security_struct *tsec;
154 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
156 panic("SELinux: Failed to initialize initial task.\n");
158 tsec->osid = tsec->sid = SECINITSID_KERNEL;
159 cred->security = tsec;
163 * get the security ID of a set of credentials
165 static inline u32 cred_sid(const struct cred *cred)
167 const struct task_security_struct *tsec;
169 tsec = cred->security;
174 * get the objective security ID of a task
176 static inline u32 task_sid(const struct task_struct *task)
181 sid = cred_sid(__task_cred(task));
187 * get the subjective security ID of the current task
189 static inline u32 current_sid(void)
191 const struct task_security_struct *tsec = current_security();
196 /* Allocate and free functions for each kind of security blob. */
198 static int inode_alloc_security(struct inode *inode)
200 struct inode_security_struct *isec;
201 u32 sid = current_sid();
203 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
207 mutex_init(&isec->lock);
208 INIT_LIST_HEAD(&isec->list);
210 isec->sid = SECINITSID_UNLABELED;
211 isec->sclass = SECCLASS_FILE;
212 isec->task_sid = sid;
213 inode->i_security = isec;
218 static void inode_free_security(struct inode *inode)
220 struct inode_security_struct *isec = inode->i_security;
221 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
223 spin_lock(&sbsec->isec_lock);
224 if (!list_empty(&isec->list))
225 list_del_init(&isec->list);
226 spin_unlock(&sbsec->isec_lock);
228 inode->i_security = NULL;
229 kmem_cache_free(sel_inode_cache, isec);
232 static int file_alloc_security(struct file *file)
234 struct file_security_struct *fsec;
235 u32 sid = current_sid();
237 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
242 fsec->fown_sid = sid;
243 file->f_security = fsec;
248 static void file_free_security(struct file *file)
250 struct file_security_struct *fsec = file->f_security;
251 file->f_security = NULL;
255 static int superblock_alloc_security(struct super_block *sb)
257 struct superblock_security_struct *sbsec;
259 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
263 mutex_init(&sbsec->lock);
264 INIT_LIST_HEAD(&sbsec->isec_head);
265 spin_lock_init(&sbsec->isec_lock);
267 sbsec->sid = SECINITSID_UNLABELED;
268 sbsec->def_sid = SECINITSID_FILE;
269 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
270 sb->s_security = sbsec;
275 static void superblock_free_security(struct super_block *sb)
277 struct superblock_security_struct *sbsec = sb->s_security;
278 sb->s_security = NULL;
282 /* The file system's label must be initialized prior to use. */
284 static const char *labeling_behaviors[6] = {
286 "uses transition SIDs",
288 "uses genfs_contexts",
289 "not configured for labeling",
290 "uses mountpoint labeling",
293 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
295 static inline int inode_doinit(struct inode *inode)
297 return inode_doinit_with_dentry(inode, NULL);
306 Opt_labelsupport = 5,
309 static const match_table_t tokens = {
310 {Opt_context, CONTEXT_STR "%s"},
311 {Opt_fscontext, FSCONTEXT_STR "%s"},
312 {Opt_defcontext, DEFCONTEXT_STR "%s"},
313 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
314 {Opt_labelsupport, LABELSUPP_STR},
318 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
320 static int may_context_mount_sb_relabel(u32 sid,
321 struct superblock_security_struct *sbsec,
322 const struct cred *cred)
324 const struct task_security_struct *tsec = cred->security;
327 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
328 FILESYSTEM__RELABELFROM, NULL);
332 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
333 FILESYSTEM__RELABELTO, NULL);
337 static int may_context_mount_inode_relabel(u32 sid,
338 struct superblock_security_struct *sbsec,
339 const struct cred *cred)
341 const struct task_security_struct *tsec = cred->security;
343 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
344 FILESYSTEM__RELABELFROM, NULL);
348 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
349 FILESYSTEM__ASSOCIATE, NULL);
353 static int sb_finish_set_opts(struct super_block *sb)
355 struct superblock_security_struct *sbsec = sb->s_security;
356 struct dentry *root = sb->s_root;
357 struct inode *root_inode = root->d_inode;
360 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
361 /* Make sure that the xattr handler exists and that no
362 error other than -ENODATA is returned by getxattr on
363 the root directory. -ENODATA is ok, as this may be
364 the first boot of the SELinux kernel before we have
365 assigned xattr values to the filesystem. */
366 if (!root_inode->i_op->getxattr) {
367 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
368 "xattr support\n", sb->s_id, sb->s_type->name);
372 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
373 if (rc < 0 && rc != -ENODATA) {
374 if (rc == -EOPNOTSUPP)
375 printk(KERN_WARNING "SELinux: (dev %s, type "
376 "%s) has no security xattr handler\n",
377 sb->s_id, sb->s_type->name);
379 printk(KERN_WARNING "SELinux: (dev %s, type "
380 "%s) getxattr errno %d\n", sb->s_id,
381 sb->s_type->name, -rc);
386 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
388 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
389 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
390 sb->s_id, sb->s_type->name);
392 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
393 sb->s_id, sb->s_type->name,
394 labeling_behaviors[sbsec->behavior-1]);
396 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
397 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
398 sbsec->behavior == SECURITY_FS_USE_NONE ||
399 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
400 sbsec->flags &= ~SE_SBLABELSUPP;
402 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
403 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
404 sbsec->flags |= SE_SBLABELSUPP;
406 /* Initialize the root inode. */
407 rc = inode_doinit_with_dentry(root_inode, root);
409 /* Initialize any other inodes associated with the superblock, e.g.
410 inodes created prior to initial policy load or inodes created
411 during get_sb by a pseudo filesystem that directly
413 spin_lock(&sbsec->isec_lock);
415 if (!list_empty(&sbsec->isec_head)) {
416 struct inode_security_struct *isec =
417 list_entry(sbsec->isec_head.next,
418 struct inode_security_struct, list);
419 struct inode *inode = isec->inode;
420 spin_unlock(&sbsec->isec_lock);
421 inode = igrab(inode);
423 if (!IS_PRIVATE(inode))
427 spin_lock(&sbsec->isec_lock);
428 list_del_init(&isec->list);
431 spin_unlock(&sbsec->isec_lock);
437 * This function should allow an FS to ask what it's mount security
438 * options were so it can use those later for submounts, displaying
439 * mount options, or whatever.
441 static int selinux_get_mnt_opts(const struct super_block *sb,
442 struct security_mnt_opts *opts)
445 struct superblock_security_struct *sbsec = sb->s_security;
446 char *context = NULL;
450 security_init_mnt_opts(opts);
452 if (!(sbsec->flags & SE_SBINITIALIZED))
458 tmp = sbsec->flags & SE_MNTMASK;
459 /* count the number of mount options for this sb */
460 for (i = 0; i < 8; i++) {
462 opts->num_mnt_opts++;
465 /* Check if the Label support flag is set */
466 if (sbsec->flags & SE_SBLABELSUPP)
467 opts->num_mnt_opts++;
469 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
470 if (!opts->mnt_opts) {
475 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
476 if (!opts->mnt_opts_flags) {
482 if (sbsec->flags & FSCONTEXT_MNT) {
483 rc = security_sid_to_context(sbsec->sid, &context, &len);
486 opts->mnt_opts[i] = context;
487 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
489 if (sbsec->flags & CONTEXT_MNT) {
490 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
493 opts->mnt_opts[i] = context;
494 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
496 if (sbsec->flags & DEFCONTEXT_MNT) {
497 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
500 opts->mnt_opts[i] = context;
501 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
503 if (sbsec->flags & ROOTCONTEXT_MNT) {
504 struct inode *root = sbsec->sb->s_root->d_inode;
505 struct inode_security_struct *isec = root->i_security;
507 rc = security_sid_to_context(isec->sid, &context, &len);
510 opts->mnt_opts[i] = context;
511 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
513 if (sbsec->flags & SE_SBLABELSUPP) {
514 opts->mnt_opts[i] = NULL;
515 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
518 BUG_ON(i != opts->num_mnt_opts);
523 security_free_mnt_opts(opts);
527 static int bad_option(struct superblock_security_struct *sbsec, char flag,
528 u32 old_sid, u32 new_sid)
530 char mnt_flags = sbsec->flags & SE_MNTMASK;
532 /* check if the old mount command had the same options */
533 if (sbsec->flags & SE_SBINITIALIZED)
534 if (!(sbsec->flags & flag) ||
535 (old_sid != new_sid))
538 /* check if we were passed the same options twice,
539 * aka someone passed context=a,context=b
541 if (!(sbsec->flags & SE_SBINITIALIZED))
542 if (mnt_flags & flag)
548 * Allow filesystems with binary mount data to explicitly set mount point
549 * labeling information.
551 static int selinux_set_mnt_opts(struct super_block *sb,
552 struct security_mnt_opts *opts)
554 const struct cred *cred = current_cred();
556 struct superblock_security_struct *sbsec = sb->s_security;
557 const char *name = sb->s_type->name;
558 struct inode *inode = sbsec->sb->s_root->d_inode;
559 struct inode_security_struct *root_isec = inode->i_security;
560 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
561 u32 defcontext_sid = 0;
562 char **mount_options = opts->mnt_opts;
563 int *flags = opts->mnt_opts_flags;
564 int num_opts = opts->num_mnt_opts;
566 mutex_lock(&sbsec->lock);
568 if (!ss_initialized) {
570 /* Defer initialization until selinux_complete_init,
571 after the initial policy is loaded and the security
572 server is ready to handle calls. */
576 printk(KERN_WARNING "SELinux: Unable to set superblock options "
577 "before the security server is initialized\n");
582 * Binary mount data FS will come through this function twice. Once
583 * from an explicit call and once from the generic calls from the vfs.
584 * Since the generic VFS calls will not contain any security mount data
585 * we need to skip the double mount verification.
587 * This does open a hole in which we will not notice if the first
588 * mount using this sb set explict options and a second mount using
589 * this sb does not set any security options. (The first options
590 * will be used for both mounts)
592 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
597 * parse the mount options, check if they are valid sids.
598 * also check if someone is trying to mount the same sb more
599 * than once with different security options.
601 for (i = 0; i < num_opts; i++) {
604 if (flags[i] == SE_SBLABELSUPP)
606 rc = security_context_to_sid(mount_options[i],
607 strlen(mount_options[i]), &sid);
609 printk(KERN_WARNING "SELinux: security_context_to_sid"
610 "(%s) failed for (dev %s, type %s) errno=%d\n",
611 mount_options[i], sb->s_id, name, rc);
618 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
620 goto out_double_mount;
622 sbsec->flags |= FSCONTEXT_MNT;
627 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
629 goto out_double_mount;
631 sbsec->flags |= CONTEXT_MNT;
633 case ROOTCONTEXT_MNT:
634 rootcontext_sid = sid;
636 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
638 goto out_double_mount;
640 sbsec->flags |= ROOTCONTEXT_MNT;
644 defcontext_sid = sid;
646 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
648 goto out_double_mount;
650 sbsec->flags |= DEFCONTEXT_MNT;
659 if (sbsec->flags & SE_SBINITIALIZED) {
660 /* previously mounted with options, but not on this attempt? */
661 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
662 goto out_double_mount;
667 if (strcmp(sb->s_type->name, "proc") == 0)
668 sbsec->flags |= SE_SBPROC;
670 /* Determine the labeling behavior to use for this filesystem type. */
671 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
673 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
674 __func__, sb->s_type->name, rc);
678 /* sets the context of the superblock for the fs being mounted. */
680 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
684 sbsec->sid = fscontext_sid;
688 * Switch to using mount point labeling behavior.
689 * sets the label used on all file below the mountpoint, and will set
690 * the superblock context if not already set.
693 if (!fscontext_sid) {
694 rc = may_context_mount_sb_relabel(context_sid, sbsec,
698 sbsec->sid = context_sid;
700 rc = may_context_mount_inode_relabel(context_sid, sbsec,
705 if (!rootcontext_sid)
706 rootcontext_sid = context_sid;
708 sbsec->mntpoint_sid = context_sid;
709 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
712 if (rootcontext_sid) {
713 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
718 root_isec->sid = rootcontext_sid;
719 root_isec->initialized = 1;
722 if (defcontext_sid) {
723 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
725 printk(KERN_WARNING "SELinux: defcontext option is "
726 "invalid for this filesystem type\n");
730 if (defcontext_sid != sbsec->def_sid) {
731 rc = may_context_mount_inode_relabel(defcontext_sid,
737 sbsec->def_sid = defcontext_sid;
740 rc = sb_finish_set_opts(sb);
742 mutex_unlock(&sbsec->lock);
746 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
747 "security settings for (dev %s, type %s)\n", sb->s_id, name);
751 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
752 struct super_block *newsb)
754 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
755 struct superblock_security_struct *newsbsec = newsb->s_security;
757 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
758 int set_context = (oldsbsec->flags & CONTEXT_MNT);
759 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
762 * if the parent was able to be mounted it clearly had no special lsm
763 * mount options. thus we can safely deal with this superblock later
768 /* how can we clone if the old one wasn't set up?? */
769 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
771 /* if fs is reusing a sb, just let its options stand... */
772 if (newsbsec->flags & SE_SBINITIALIZED)
775 mutex_lock(&newsbsec->lock);
777 newsbsec->flags = oldsbsec->flags;
779 newsbsec->sid = oldsbsec->sid;
780 newsbsec->def_sid = oldsbsec->def_sid;
781 newsbsec->behavior = oldsbsec->behavior;
784 u32 sid = oldsbsec->mntpoint_sid;
788 if (!set_rootcontext) {
789 struct inode *newinode = newsb->s_root->d_inode;
790 struct inode_security_struct *newisec = newinode->i_security;
793 newsbsec->mntpoint_sid = sid;
795 if (set_rootcontext) {
796 const struct inode *oldinode = oldsb->s_root->d_inode;
797 const struct inode_security_struct *oldisec = oldinode->i_security;
798 struct inode *newinode = newsb->s_root->d_inode;
799 struct inode_security_struct *newisec = newinode->i_security;
801 newisec->sid = oldisec->sid;
804 sb_finish_set_opts(newsb);
805 mutex_unlock(&newsbsec->lock);
808 static int selinux_parse_opts_str(char *options,
809 struct security_mnt_opts *opts)
812 char *context = NULL, *defcontext = NULL;
813 char *fscontext = NULL, *rootcontext = NULL;
814 int rc, num_mnt_opts = 0;
816 opts->num_mnt_opts = 0;
818 /* Standard string-based options. */
819 while ((p = strsep(&options, "|")) != NULL) {
821 substring_t args[MAX_OPT_ARGS];
826 token = match_token(p, tokens, args);
830 if (context || defcontext) {
832 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
835 context = match_strdup(&args[0]);
845 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
848 fscontext = match_strdup(&args[0]);
855 case Opt_rootcontext:
858 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
861 rootcontext = match_strdup(&args[0]);
869 if (context || defcontext) {
871 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
874 defcontext = match_strdup(&args[0]);
880 case Opt_labelsupport:
884 printk(KERN_WARNING "SELinux: unknown mount option\n");
891 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
895 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
896 if (!opts->mnt_opts_flags) {
897 kfree(opts->mnt_opts);
902 opts->mnt_opts[num_mnt_opts] = fscontext;
903 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
906 opts->mnt_opts[num_mnt_opts] = context;
907 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
910 opts->mnt_opts[num_mnt_opts] = rootcontext;
911 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
914 opts->mnt_opts[num_mnt_opts] = defcontext;
915 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
918 opts->num_mnt_opts = num_mnt_opts;
929 * string mount options parsing and call set the sbsec
931 static int superblock_doinit(struct super_block *sb, void *data)
934 char *options = data;
935 struct security_mnt_opts opts;
937 security_init_mnt_opts(&opts);
942 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
944 rc = selinux_parse_opts_str(options, &opts);
949 rc = selinux_set_mnt_opts(sb, &opts);
952 security_free_mnt_opts(&opts);
956 static void selinux_write_opts(struct seq_file *m,
957 struct security_mnt_opts *opts)
962 for (i = 0; i < opts->num_mnt_opts; i++) {
965 if (opts->mnt_opts[i])
966 has_comma = strchr(opts->mnt_opts[i], ',');
970 switch (opts->mnt_opts_flags[i]) {
972 prefix = CONTEXT_STR;
975 prefix = FSCONTEXT_STR;
977 case ROOTCONTEXT_MNT:
978 prefix = ROOTCONTEXT_STR;
981 prefix = DEFCONTEXT_STR;
985 seq_puts(m, LABELSUPP_STR);
991 /* we need a comma before each option */
996 seq_puts(m, opts->mnt_opts[i]);
1002 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1004 struct security_mnt_opts opts;
1007 rc = selinux_get_mnt_opts(sb, &opts);
1009 /* before policy load we may get EINVAL, don't show anything */
1015 selinux_write_opts(m, &opts);
1017 security_free_mnt_opts(&opts);
1022 static inline u16 inode_mode_to_security_class(umode_t mode)
1024 switch (mode & S_IFMT) {
1026 return SECCLASS_SOCK_FILE;
1028 return SECCLASS_LNK_FILE;
1030 return SECCLASS_FILE;
1032 return SECCLASS_BLK_FILE;
1034 return SECCLASS_DIR;
1036 return SECCLASS_CHR_FILE;
1038 return SECCLASS_FIFO_FILE;
1042 return SECCLASS_FILE;
1045 static inline int default_protocol_stream(int protocol)
1047 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1050 static inline int default_protocol_dgram(int protocol)
1052 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1055 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1061 case SOCK_SEQPACKET:
1062 return SECCLASS_UNIX_STREAM_SOCKET;
1064 return SECCLASS_UNIX_DGRAM_SOCKET;
1071 if (default_protocol_stream(protocol))
1072 return SECCLASS_TCP_SOCKET;
1074 return SECCLASS_RAWIP_SOCKET;
1076 if (default_protocol_dgram(protocol))
1077 return SECCLASS_UDP_SOCKET;
1079 return SECCLASS_RAWIP_SOCKET;
1081 return SECCLASS_DCCP_SOCKET;
1083 return SECCLASS_RAWIP_SOCKET;
1089 return SECCLASS_NETLINK_ROUTE_SOCKET;
1090 case NETLINK_FIREWALL:
1091 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1092 case NETLINK_INET_DIAG:
1093 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1095 return SECCLASS_NETLINK_NFLOG_SOCKET;
1097 return SECCLASS_NETLINK_XFRM_SOCKET;
1098 case NETLINK_SELINUX:
1099 return SECCLASS_NETLINK_SELINUX_SOCKET;
1101 return SECCLASS_NETLINK_AUDIT_SOCKET;
1102 case NETLINK_IP6_FW:
1103 return SECCLASS_NETLINK_IP6FW_SOCKET;
1104 case NETLINK_DNRTMSG:
1105 return SECCLASS_NETLINK_DNRT_SOCKET;
1106 case NETLINK_KOBJECT_UEVENT:
1107 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1109 return SECCLASS_NETLINK_SOCKET;
1112 return SECCLASS_PACKET_SOCKET;
1114 return SECCLASS_KEY_SOCKET;
1116 return SECCLASS_APPLETALK_SOCKET;
1119 return SECCLASS_SOCKET;
1122 #ifdef CONFIG_PROC_FS
1123 static int selinux_proc_get_sid(struct dentry *dentry,
1128 char *buffer, *path;
1130 buffer = (char *)__get_free_page(GFP_KERNEL);
1134 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1138 /* each process gets a /proc/PID/ entry. Strip off the
1139 * PID part to get a valid selinux labeling.
1140 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1141 while (path[1] >= '0' && path[1] <= '9') {
1145 rc = security_genfs_sid("proc", path, tclass, sid);
1147 free_page((unsigned long)buffer);
1151 static int selinux_proc_get_sid(struct dentry *dentry,
1159 /* The inode's security attributes must be initialized before first use. */
1160 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1162 struct superblock_security_struct *sbsec = NULL;
1163 struct inode_security_struct *isec = inode->i_security;
1165 struct dentry *dentry;
1166 #define INITCONTEXTLEN 255
1167 char *context = NULL;
1171 if (isec->initialized)
1174 mutex_lock(&isec->lock);
1175 if (isec->initialized)
1178 sbsec = inode->i_sb->s_security;
1179 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1180 /* Defer initialization until selinux_complete_init,
1181 after the initial policy is loaded and the security
1182 server is ready to handle calls. */
1183 spin_lock(&sbsec->isec_lock);
1184 if (list_empty(&isec->list))
1185 list_add(&isec->list, &sbsec->isec_head);
1186 spin_unlock(&sbsec->isec_lock);
1190 switch (sbsec->behavior) {
1191 case SECURITY_FS_USE_XATTR:
1192 if (!inode->i_op->getxattr) {
1193 isec->sid = sbsec->def_sid;
1197 /* Need a dentry, since the xattr API requires one.
1198 Life would be simpler if we could just pass the inode. */
1200 /* Called from d_instantiate or d_splice_alias. */
1201 dentry = dget(opt_dentry);
1203 /* Called from selinux_complete_init, try to find a dentry. */
1204 dentry = d_find_alias(inode);
1208 * this is can be hit on boot when a file is accessed
1209 * before the policy is loaded. When we load policy we
1210 * may find inodes that have no dentry on the
1211 * sbsec->isec_head list. No reason to complain as these
1212 * will get fixed up the next time we go through
1213 * inode_doinit with a dentry, before these inodes could
1214 * be used again by userspace.
1219 len = INITCONTEXTLEN;
1220 context = kmalloc(len+1, GFP_NOFS);
1226 context[len] = '\0';
1227 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1229 if (rc == -ERANGE) {
1232 /* Need a larger buffer. Query for the right size. */
1233 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1240 context = kmalloc(len+1, GFP_NOFS);
1246 context[len] = '\0';
1247 rc = inode->i_op->getxattr(dentry,
1253 if (rc != -ENODATA) {
1254 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1255 "%d for dev=%s ino=%ld\n", __func__,
1256 -rc, inode->i_sb->s_id, inode->i_ino);
1260 /* Map ENODATA to the default file SID */
1261 sid = sbsec->def_sid;
1264 rc = security_context_to_sid_default(context, rc, &sid,
1268 char *dev = inode->i_sb->s_id;
1269 unsigned long ino = inode->i_ino;
1271 if (rc == -EINVAL) {
1272 if (printk_ratelimit())
1273 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1274 "context=%s. This indicates you may need to relabel the inode or the "
1275 "filesystem in question.\n", ino, dev, context);
1277 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1278 "returned %d for dev=%s ino=%ld\n",
1279 __func__, context, -rc, dev, ino);
1282 /* Leave with the unlabeled SID */
1290 case SECURITY_FS_USE_TASK:
1291 isec->sid = isec->task_sid;
1293 case SECURITY_FS_USE_TRANS:
1294 /* Default to the fs SID. */
1295 isec->sid = sbsec->sid;
1297 /* Try to obtain a transition SID. */
1298 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1299 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1300 isec->sclass, NULL, &sid);
1305 case SECURITY_FS_USE_MNTPOINT:
1306 isec->sid = sbsec->mntpoint_sid;
1309 /* Default to the fs superblock SID. */
1310 isec->sid = sbsec->sid;
1312 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1314 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1315 rc = selinux_proc_get_sid(opt_dentry,
1326 isec->initialized = 1;
1329 mutex_unlock(&isec->lock);
1331 if (isec->sclass == SECCLASS_FILE)
1332 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1336 /* Convert a Linux signal to an access vector. */
1337 static inline u32 signal_to_av(int sig)
1343 /* Commonly granted from child to parent. */
1344 perm = PROCESS__SIGCHLD;
1347 /* Cannot be caught or ignored */
1348 perm = PROCESS__SIGKILL;
1351 /* Cannot be caught or ignored */
1352 perm = PROCESS__SIGSTOP;
1355 /* All other signals. */
1356 perm = PROCESS__SIGNAL;
1364 * Check permission between a pair of credentials
1365 * fork check, ptrace check, etc.
1367 static int cred_has_perm(const struct cred *actor,
1368 const struct cred *target,
1371 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1373 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1377 * Check permission between a pair of tasks, e.g. signal checks,
1378 * fork check, ptrace check, etc.
1379 * tsk1 is the actor and tsk2 is the target
1380 * - this uses the default subjective creds of tsk1
1382 static int task_has_perm(const struct task_struct *tsk1,
1383 const struct task_struct *tsk2,
1386 const struct task_security_struct *__tsec1, *__tsec2;
1390 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1391 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1393 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1397 * Check permission between current and another task, e.g. signal checks,
1398 * fork check, ptrace check, etc.
1399 * current is the actor and tsk2 is the target
1400 * - this uses current's subjective creds
1402 static int current_has_perm(const struct task_struct *tsk,
1407 sid = current_sid();
1408 tsid = task_sid(tsk);
1409 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1412 #if CAP_LAST_CAP > 63
1413 #error Fix SELinux to handle capabilities > 63.
1416 /* Check whether a task is allowed to use a capability. */
1417 static int cred_has_capability(const struct cred *cred,
1420 struct common_audit_data ad;
1421 struct av_decision avd;
1423 u32 sid = cred_sid(cred);
1424 u32 av = CAP_TO_MASK(cap);
1427 COMMON_AUDIT_DATA_INIT(&ad, CAP);
1431 switch (CAP_TO_INDEX(cap)) {
1433 sclass = SECCLASS_CAPABILITY;
1436 sclass = SECCLASS_CAPABILITY2;
1440 "SELinux: out of range capability %d\n", cap);
1445 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1446 if (audit == SECURITY_CAP_AUDIT) {
1447 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1454 /* Check whether a task is allowed to use a system operation. */
1455 static int task_has_system(struct task_struct *tsk,
1458 u32 sid = task_sid(tsk);
1460 return avc_has_perm(sid, SECINITSID_KERNEL,
1461 SECCLASS_SYSTEM, perms, NULL);
1464 /* Check whether a task has a particular permission to an inode.
1465 The 'adp' parameter is optional and allows other audit
1466 data to be passed (e.g. the dentry). */
1467 static int inode_has_perm(const struct cred *cred,
1468 struct inode *inode,
1470 struct common_audit_data *adp,
1473 struct inode_security_struct *isec;
1476 validate_creds(cred);
1478 if (unlikely(IS_PRIVATE(inode)))
1481 sid = cred_sid(cred);
1482 isec = inode->i_security;
1484 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1487 static int inode_has_perm_noadp(const struct cred *cred,
1488 struct inode *inode,
1492 struct common_audit_data ad;
1494 COMMON_AUDIT_DATA_INIT(&ad, INODE);
1496 return inode_has_perm(cred, inode, perms, &ad, flags);
1499 /* Same as inode_has_perm, but pass explicit audit data containing
1500 the dentry to help the auditing code to more easily generate the
1501 pathname if needed. */
1502 static inline int dentry_has_perm(const struct cred *cred,
1503 struct dentry *dentry,
1506 struct inode *inode = dentry->d_inode;
1507 struct common_audit_data ad;
1509 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1510 ad.u.dentry = dentry;
1511 return inode_has_perm(cred, inode, av, &ad, 0);
1514 /* Same as inode_has_perm, but pass explicit audit data containing
1515 the path to help the auditing code to more easily generate the
1516 pathname if needed. */
1517 static inline int path_has_perm(const struct cred *cred,
1521 struct inode *inode = path->dentry->d_inode;
1522 struct common_audit_data ad;
1524 COMMON_AUDIT_DATA_INIT(&ad, PATH);
1526 return inode_has_perm(cred, inode, av, &ad, 0);
1529 /* Check whether a task can use an open file descriptor to
1530 access an inode in a given way. Check access to the
1531 descriptor itself, and then use dentry_has_perm to
1532 check a particular permission to the file.
1533 Access to the descriptor is implicitly granted if it
1534 has the same SID as the process. If av is zero, then
1535 access to the file is not checked, e.g. for cases
1536 where only the descriptor is affected like seek. */
1537 static int file_has_perm(const struct cred *cred,
1541 struct file_security_struct *fsec = file->f_security;
1542 struct inode *inode = file->f_path.dentry->d_inode;
1543 struct common_audit_data ad;
1544 u32 sid = cred_sid(cred);
1547 COMMON_AUDIT_DATA_INIT(&ad, PATH);
1548 ad.u.path = file->f_path;
1550 if (sid != fsec->sid) {
1551 rc = avc_has_perm(sid, fsec->sid,
1559 /* av is zero if only checking access to the descriptor. */
1562 rc = inode_has_perm(cred, inode, av, &ad, 0);
1568 /* Check whether a task can create a file. */
1569 static int may_create(struct inode *dir,
1570 struct dentry *dentry,
1573 const struct task_security_struct *tsec = current_security();
1574 struct inode_security_struct *dsec;
1575 struct superblock_security_struct *sbsec;
1577 struct common_audit_data ad;
1580 dsec = dir->i_security;
1581 sbsec = dir->i_sb->s_security;
1584 newsid = tsec->create_sid;
1586 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1587 ad.u.dentry = dentry;
1589 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1590 DIR__ADD_NAME | DIR__SEARCH,
1595 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1596 rc = security_transition_sid(sid, dsec->sid, tclass,
1597 &dentry->d_name, &newsid);
1602 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1606 return avc_has_perm(newsid, sbsec->sid,
1607 SECCLASS_FILESYSTEM,
1608 FILESYSTEM__ASSOCIATE, &ad);
1611 /* Check whether a task can create a key. */
1612 static int may_create_key(u32 ksid,
1613 struct task_struct *ctx)
1615 u32 sid = task_sid(ctx);
1617 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1621 #define MAY_UNLINK 1
1624 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1625 static int may_link(struct inode *dir,
1626 struct dentry *dentry,
1630 struct inode_security_struct *dsec, *isec;
1631 struct common_audit_data ad;
1632 u32 sid = current_sid();
1636 dsec = dir->i_security;
1637 isec = dentry->d_inode->i_security;
1639 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1640 ad.u.dentry = dentry;
1643 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1644 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1659 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1664 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1668 static inline int may_rename(struct inode *old_dir,
1669 struct dentry *old_dentry,
1670 struct inode *new_dir,
1671 struct dentry *new_dentry)
1673 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1674 struct common_audit_data ad;
1675 u32 sid = current_sid();
1677 int old_is_dir, new_is_dir;
1680 old_dsec = old_dir->i_security;
1681 old_isec = old_dentry->d_inode->i_security;
1682 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1683 new_dsec = new_dir->i_security;
1685 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
1687 ad.u.dentry = old_dentry;
1688 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1689 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1692 rc = avc_has_perm(sid, old_isec->sid,
1693 old_isec->sclass, FILE__RENAME, &ad);
1696 if (old_is_dir && new_dir != old_dir) {
1697 rc = avc_has_perm(sid, old_isec->sid,
1698 old_isec->sclass, DIR__REPARENT, &ad);
1703 ad.u.dentry = new_dentry;
1704 av = DIR__ADD_NAME | DIR__SEARCH;
1705 if (new_dentry->d_inode)
1706 av |= DIR__REMOVE_NAME;
1707 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1710 if (new_dentry->d_inode) {
1711 new_isec = new_dentry->d_inode->i_security;
1712 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1713 rc = avc_has_perm(sid, new_isec->sid,
1715 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1723 /* Check whether a task can perform a filesystem operation. */
1724 static int superblock_has_perm(const struct cred *cred,
1725 struct super_block *sb,
1727 struct common_audit_data *ad)
1729 struct superblock_security_struct *sbsec;
1730 u32 sid = cred_sid(cred);
1732 sbsec = sb->s_security;
1733 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1736 /* Convert a Linux mode and permission mask to an access vector. */
1737 static inline u32 file_mask_to_av(int mode, int mask)
1741 if ((mode & S_IFMT) != S_IFDIR) {
1742 if (mask & MAY_EXEC)
1743 av |= FILE__EXECUTE;
1744 if (mask & MAY_READ)
1747 if (mask & MAY_APPEND)
1749 else if (mask & MAY_WRITE)
1753 if (mask & MAY_EXEC)
1755 if (mask & MAY_WRITE)
1757 if (mask & MAY_READ)
1764 /* Convert a Linux file to an access vector. */
1765 static inline u32 file_to_av(struct file *file)
1769 if (file->f_mode & FMODE_READ)
1771 if (file->f_mode & FMODE_WRITE) {
1772 if (file->f_flags & O_APPEND)
1779 * Special file opened with flags 3 for ioctl-only use.
1788 * Convert a file to an access vector and include the correct open
1791 static inline u32 open_file_to_av(struct file *file)
1793 u32 av = file_to_av(file);
1795 if (selinux_policycap_openperm)
1801 /* Hook functions begin here. */
1803 static int selinux_ptrace_access_check(struct task_struct *child,
1808 rc = cap_ptrace_access_check(child, mode);
1812 if (mode & PTRACE_MODE_READ) {
1813 u32 sid = current_sid();
1814 u32 csid = task_sid(child);
1815 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1818 return current_has_perm(child, PROCESS__PTRACE);
1821 static int selinux_ptrace_traceme(struct task_struct *parent)
1825 rc = cap_ptrace_traceme(parent);
1829 return task_has_perm(parent, current, PROCESS__PTRACE);
1832 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1833 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1837 error = current_has_perm(target, PROCESS__GETCAP);
1841 return cap_capget(target, effective, inheritable, permitted);
1844 static int selinux_capset(struct cred *new, const struct cred *old,
1845 const kernel_cap_t *effective,
1846 const kernel_cap_t *inheritable,
1847 const kernel_cap_t *permitted)
1851 error = cap_capset(new, old,
1852 effective, inheritable, permitted);
1856 return cred_has_perm(old, new, PROCESS__SETCAP);
1860 * (This comment used to live with the selinux_task_setuid hook,
1861 * which was removed).
1863 * Since setuid only affects the current process, and since the SELinux
1864 * controls are not based on the Linux identity attributes, SELinux does not
1865 * need to control this operation. However, SELinux does control the use of
1866 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1869 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1874 rc = cap_capable(cred, ns, cap, audit);
1878 return cred_has_capability(cred, cap, audit);
1881 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1883 const struct cred *cred = current_cred();
1895 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1900 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1903 rc = 0; /* let the kernel handle invalid cmds */
1909 static int selinux_quota_on(struct dentry *dentry)
1911 const struct cred *cred = current_cred();
1913 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1916 static int selinux_syslog(int type)
1921 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1922 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1923 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1925 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1926 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
1927 /* Set level of messages printed to console */
1928 case SYSLOG_ACTION_CONSOLE_LEVEL:
1929 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1931 case SYSLOG_ACTION_CLOSE: /* Close log */
1932 case SYSLOG_ACTION_OPEN: /* Open log */
1933 case SYSLOG_ACTION_READ: /* Read from log */
1934 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
1935 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
1937 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1944 * Check that a process has enough memory to allocate a new virtual
1945 * mapping. 0 means there is enough memory for the allocation to
1946 * succeed and -ENOMEM implies there is not.
1948 * Do not audit the selinux permission check, as this is applied to all
1949 * processes that allocate mappings.
1951 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1953 int rc, cap_sys_admin = 0;
1955 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
1956 SECURITY_CAP_NOAUDIT);
1960 return __vm_enough_memory(mm, pages, cap_sys_admin);
1963 /* binprm security operations */
1965 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1967 const struct task_security_struct *old_tsec;
1968 struct task_security_struct *new_tsec;
1969 struct inode_security_struct *isec;
1970 struct common_audit_data ad;
1971 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1974 rc = cap_bprm_set_creds(bprm);
1978 /* SELinux context only depends on initial program or script and not
1979 * the script interpreter */
1980 if (bprm->cred_prepared)
1983 old_tsec = current_security();
1984 new_tsec = bprm->cred->security;
1985 isec = inode->i_security;
1987 /* Default to the current task SID. */
1988 new_tsec->sid = old_tsec->sid;
1989 new_tsec->osid = old_tsec->sid;
1991 /* Reset fs, key, and sock SIDs on execve. */
1992 new_tsec->create_sid = 0;
1993 new_tsec->keycreate_sid = 0;
1994 new_tsec->sockcreate_sid = 0;
1996 if (old_tsec->exec_sid) {
1997 new_tsec->sid = old_tsec->exec_sid;
1998 /* Reset exec SID on execve. */
1999 new_tsec->exec_sid = 0;
2001 /* Check for a default transition on this program. */
2002 rc = security_transition_sid(old_tsec->sid, isec->sid,
2003 SECCLASS_PROCESS, NULL,
2009 COMMON_AUDIT_DATA_INIT(&ad, PATH);
2010 ad.u.path = bprm->file->f_path;
2012 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2013 new_tsec->sid = old_tsec->sid;
2015 if (new_tsec->sid == old_tsec->sid) {
2016 rc = avc_has_perm(old_tsec->sid, isec->sid,
2017 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2021 /* Check permissions for the transition. */
2022 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2023 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2027 rc = avc_has_perm(new_tsec->sid, isec->sid,
2028 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2032 /* Check for shared state */
2033 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2034 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2035 SECCLASS_PROCESS, PROCESS__SHARE,
2041 /* Make sure that anyone attempting to ptrace over a task that
2042 * changes its SID has the appropriate permit */
2044 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2045 struct task_struct *tracer;
2046 struct task_security_struct *sec;
2050 tracer = ptrace_parent(current);
2051 if (likely(tracer != NULL)) {
2052 sec = __task_cred(tracer)->security;
2058 rc = avc_has_perm(ptsid, new_tsec->sid,
2060 PROCESS__PTRACE, NULL);
2066 /* Clear any possibly unsafe personality bits on exec: */
2067 bprm->per_clear |= PER_CLEAR_ON_SETID;
2073 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2075 const struct task_security_struct *tsec = current_security();
2083 /* Enable secure mode for SIDs transitions unless
2084 the noatsecure permission is granted between
2085 the two SIDs, i.e. ahp returns 0. */
2086 atsecure = avc_has_perm(osid, sid,
2088 PROCESS__NOATSECURE, NULL);
2091 return (atsecure || cap_bprm_secureexec(bprm));
2094 /* Derived from fs/exec.c:flush_old_files. */
2095 static inline void flush_unauthorized_files(const struct cred *cred,
2096 struct files_struct *files)
2098 struct common_audit_data ad;
2099 struct file *file, *devnull = NULL;
2100 struct tty_struct *tty;
2101 struct fdtable *fdt;
2105 tty = get_current_tty();
2107 spin_lock(&tty_files_lock);
2108 if (!list_empty(&tty->tty_files)) {
2109 struct tty_file_private *file_priv;
2110 struct inode *inode;
2112 /* Revalidate access to controlling tty.
2113 Use inode_has_perm on the tty inode directly rather
2114 than using file_has_perm, as this particular open
2115 file may belong to another process and we are only
2116 interested in the inode-based check here. */
2117 file_priv = list_first_entry(&tty->tty_files,
2118 struct tty_file_private, list);
2119 file = file_priv->file;
2120 inode = file->f_path.dentry->d_inode;
2121 if (inode_has_perm_noadp(cred, inode,
2122 FILE__READ | FILE__WRITE, 0)) {
2126 spin_unlock(&tty_files_lock);
2129 /* Reset controlling tty. */
2133 /* Revalidate access to inherited open files. */
2135 COMMON_AUDIT_DATA_INIT(&ad, INODE);
2137 spin_lock(&files->file_lock);
2139 unsigned long set, i;
2144 fdt = files_fdtable(files);
2145 if (i >= fdt->max_fds)
2147 set = fdt->open_fds->fds_bits[j];
2150 spin_unlock(&files->file_lock);
2151 for ( ; set ; i++, set >>= 1) {
2156 if (file_has_perm(cred,
2158 file_to_av(file))) {
2160 fd = get_unused_fd();
2170 devnull = dentry_open(
2172 mntget(selinuxfs_mount),
2174 if (IS_ERR(devnull)) {
2181 fd_install(fd, devnull);
2186 spin_lock(&files->file_lock);
2189 spin_unlock(&files->file_lock);
2193 * Prepare a process for imminent new credential changes due to exec
2195 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2197 struct task_security_struct *new_tsec;
2198 struct rlimit *rlim, *initrlim;
2201 new_tsec = bprm->cred->security;
2202 if (new_tsec->sid == new_tsec->osid)
2205 /* Close files for which the new task SID is not authorized. */
2206 flush_unauthorized_files(bprm->cred, current->files);
2208 /* Always clear parent death signal on SID transitions. */
2209 current->pdeath_signal = 0;
2211 /* Check whether the new SID can inherit resource limits from the old
2212 * SID. If not, reset all soft limits to the lower of the current
2213 * task's hard limit and the init task's soft limit.
2215 * Note that the setting of hard limits (even to lower them) can be
2216 * controlled by the setrlimit check. The inclusion of the init task's
2217 * soft limit into the computation is to avoid resetting soft limits
2218 * higher than the default soft limit for cases where the default is
2219 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2221 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2222 PROCESS__RLIMITINH, NULL);
2224 /* protect against do_prlimit() */
2226 for (i = 0; i < RLIM_NLIMITS; i++) {
2227 rlim = current->signal->rlim + i;
2228 initrlim = init_task.signal->rlim + i;
2229 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2231 task_unlock(current);
2232 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2237 * Clean up the process immediately after the installation of new credentials
2240 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2242 const struct task_security_struct *tsec = current_security();
2243 struct itimerval itimer;
2253 /* Check whether the new SID can inherit signal state from the old SID.
2254 * If not, clear itimers to avoid subsequent signal generation and
2255 * flush and unblock signals.
2257 * This must occur _after_ the task SID has been updated so that any
2258 * kill done after the flush will be checked against the new SID.
2260 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2262 memset(&itimer, 0, sizeof itimer);
2263 for (i = 0; i < 3; i++)
2264 do_setitimer(i, &itimer, NULL);
2265 spin_lock_irq(¤t->sighand->siglock);
2266 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2267 __flush_signals(current);
2268 flush_signal_handlers(current, 1);
2269 sigemptyset(¤t->blocked);
2271 spin_unlock_irq(¤t->sighand->siglock);
2274 /* Wake up the parent if it is waiting so that it can recheck
2275 * wait permission to the new task SID. */
2276 read_lock(&tasklist_lock);
2277 __wake_up_parent(current, current->real_parent);
2278 read_unlock(&tasklist_lock);
2281 /* superblock security operations */
2283 static int selinux_sb_alloc_security(struct super_block *sb)
2285 return superblock_alloc_security(sb);
2288 static void selinux_sb_free_security(struct super_block *sb)
2290 superblock_free_security(sb);
2293 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2298 return !memcmp(prefix, option, plen);
2301 static inline int selinux_option(char *option, int len)
2303 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2304 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2305 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2306 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2307 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2310 static inline void take_option(char **to, char *from, int *first, int len)
2317 memcpy(*to, from, len);
2321 static inline void take_selinux_option(char **to, char *from, int *first,
2324 int current_size = 0;
2332 while (current_size < len) {
2342 static int selinux_sb_copy_data(char *orig, char *copy)
2344 int fnosec, fsec, rc = 0;
2345 char *in_save, *in_curr, *in_end;
2346 char *sec_curr, *nosec_save, *nosec;
2352 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2360 in_save = in_end = orig;
2364 open_quote = !open_quote;
2365 if ((*in_end == ',' && open_quote == 0) ||
2367 int len = in_end - in_curr;
2369 if (selinux_option(in_curr, len))
2370 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2372 take_option(&nosec, in_curr, &fnosec, len);
2374 in_curr = in_end + 1;
2376 } while (*in_end++);
2378 strcpy(in_save, nosec_save);
2379 free_page((unsigned long)nosec_save);
2384 static int selinux_sb_remount(struct super_block *sb, void *data)
2387 struct security_mnt_opts opts;
2388 char *secdata, **mount_options;
2389 struct superblock_security_struct *sbsec = sb->s_security;
2391 if (!(sbsec->flags & SE_SBINITIALIZED))
2397 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2400 security_init_mnt_opts(&opts);
2401 secdata = alloc_secdata();
2404 rc = selinux_sb_copy_data(data, secdata);
2406 goto out_free_secdata;
2408 rc = selinux_parse_opts_str(secdata, &opts);
2410 goto out_free_secdata;
2412 mount_options = opts.mnt_opts;
2413 flags = opts.mnt_opts_flags;
2415 for (i = 0; i < opts.num_mnt_opts; i++) {
2419 if (flags[i] == SE_SBLABELSUPP)
2421 len = strlen(mount_options[i]);
2422 rc = security_context_to_sid(mount_options[i], len, &sid);
2424 printk(KERN_WARNING "SELinux: security_context_to_sid"
2425 "(%s) failed for (dev %s, type %s) errno=%d\n",
2426 mount_options[i], sb->s_id, sb->s_type->name, rc);
2432 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2433 goto out_bad_option;
2436 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2437 goto out_bad_option;
2439 case ROOTCONTEXT_MNT: {
2440 struct inode_security_struct *root_isec;
2441 root_isec = sb->s_root->d_inode->i_security;
2443 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2444 goto out_bad_option;
2447 case DEFCONTEXT_MNT:
2448 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2449 goto out_bad_option;
2458 security_free_mnt_opts(&opts);
2460 free_secdata(secdata);
2463 printk(KERN_WARNING "SELinux: unable to change security options "
2464 "during remount (dev %s, type=%s)\n", sb->s_id,
2469 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2471 const struct cred *cred = current_cred();
2472 struct common_audit_data ad;
2475 rc = superblock_doinit(sb, data);
2479 /* Allow all mounts performed by the kernel */
2480 if (flags & MS_KERNMOUNT)
2483 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2484 ad.u.dentry = sb->s_root;
2485 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2488 static int selinux_sb_statfs(struct dentry *dentry)
2490 const struct cred *cred = current_cred();
2491 struct common_audit_data ad;
2493 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2494 ad.u.dentry = dentry->d_sb->s_root;
2495 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2498 static int selinux_mount(char *dev_name,
2501 unsigned long flags,
2504 const struct cred *cred = current_cred();
2506 if (flags & MS_REMOUNT)
2507 return superblock_has_perm(cred, path->mnt->mnt_sb,
2508 FILESYSTEM__REMOUNT, NULL);
2510 return path_has_perm(cred, path, FILE__MOUNTON);
2513 static int selinux_umount(struct vfsmount *mnt, int flags)
2515 const struct cred *cred = current_cred();
2517 return superblock_has_perm(cred, mnt->mnt_sb,
2518 FILESYSTEM__UNMOUNT, NULL);
2521 /* inode security operations */
2523 static int selinux_inode_alloc_security(struct inode *inode)
2525 return inode_alloc_security(inode);
2528 static void selinux_inode_free_security(struct inode *inode)
2530 inode_free_security(inode);
2533 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2534 const struct qstr *qstr, char **name,
2535 void **value, size_t *len)
2537 const struct task_security_struct *tsec = current_security();
2538 struct inode_security_struct *dsec;
2539 struct superblock_security_struct *sbsec;
2540 u32 sid, newsid, clen;
2542 char *namep = NULL, *context;
2544 dsec = dir->i_security;
2545 sbsec = dir->i_sb->s_security;
2548 newsid = tsec->create_sid;
2550 if ((sbsec->flags & SE_SBINITIALIZED) &&
2551 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2552 newsid = sbsec->mntpoint_sid;
2553 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2554 rc = security_transition_sid(sid, dsec->sid,
2555 inode_mode_to_security_class(inode->i_mode),
2558 printk(KERN_WARNING "%s: "
2559 "security_transition_sid failed, rc=%d (dev=%s "
2562 -rc, inode->i_sb->s_id, inode->i_ino);
2567 /* Possibly defer initialization to selinux_complete_init. */
2568 if (sbsec->flags & SE_SBINITIALIZED) {
2569 struct inode_security_struct *isec = inode->i_security;
2570 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2572 isec->initialized = 1;
2575 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2579 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2586 rc = security_sid_to_context_force(newsid, &context, &clen);
2598 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2600 return may_create(dir, dentry, SECCLASS_FILE);
2603 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2605 return may_link(dir, old_dentry, MAY_LINK);
2608 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2610 return may_link(dir, dentry, MAY_UNLINK);
2613 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2615 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2618 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2620 return may_create(dir, dentry, SECCLASS_DIR);
2623 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2625 return may_link(dir, dentry, MAY_RMDIR);
2628 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2630 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2633 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2634 struct inode *new_inode, struct dentry *new_dentry)
2636 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2639 static int selinux_inode_readlink(struct dentry *dentry)
2641 const struct cred *cred = current_cred();
2643 return dentry_has_perm(cred, dentry, FILE__READ);
2646 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2648 const struct cred *cred = current_cred();
2650 return dentry_has_perm(cred, dentry, FILE__READ);
2653 static int selinux_inode_permission(struct inode *inode, int mask)
2655 const struct cred *cred = current_cred();
2656 struct common_audit_data ad;
2659 unsigned flags = mask & MAY_NOT_BLOCK;
2661 from_access = mask & MAY_ACCESS;
2662 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2664 /* No permission to check. Existence test. */
2668 COMMON_AUDIT_DATA_INIT(&ad, INODE);
2672 ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2674 perms = file_mask_to_av(inode->i_mode, mask);
2676 return inode_has_perm(cred, inode, perms, &ad, flags);
2679 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2681 const struct cred *cred = current_cred();
2682 unsigned int ia_valid = iattr->ia_valid;
2684 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2685 if (ia_valid & ATTR_FORCE) {
2686 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2692 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2693 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2694 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2696 return dentry_has_perm(cred, dentry, FILE__WRITE);
2699 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2701 const struct cred *cred = current_cred();
2704 path.dentry = dentry;
2707 return path_has_perm(cred, &path, FILE__GETATTR);
2710 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2712 const struct cred *cred = current_cred();
2714 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2715 sizeof XATTR_SECURITY_PREFIX - 1)) {
2716 if (!strcmp(name, XATTR_NAME_CAPS)) {
2717 if (!capable(CAP_SETFCAP))
2719 } else if (!capable(CAP_SYS_ADMIN)) {
2720 /* A different attribute in the security namespace.
2721 Restrict to administrator. */
2726 /* Not an attribute we recognize, so just check the
2727 ordinary setattr permission. */
2728 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2731 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2732 const void *value, size_t size, int flags)
2734 struct inode *inode = dentry->d_inode;
2735 struct inode_security_struct *isec = inode->i_security;
2736 struct superblock_security_struct *sbsec;
2737 struct common_audit_data ad;
2738 u32 newsid, sid = current_sid();
2741 if (strcmp(name, XATTR_NAME_SELINUX))
2742 return selinux_inode_setotherxattr(dentry, name);
2744 sbsec = inode->i_sb->s_security;
2745 if (!(sbsec->flags & SE_SBLABELSUPP))
2748 if (!inode_owner_or_capable(inode))
2751 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
2752 ad.u.dentry = dentry;
2754 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2755 FILE__RELABELFROM, &ad);
2759 rc = security_context_to_sid(value, size, &newsid);
2760 if (rc == -EINVAL) {
2761 if (!capable(CAP_MAC_ADMIN))
2763 rc = security_context_to_sid_force(value, size, &newsid);
2768 rc = avc_has_perm(sid, newsid, isec->sclass,
2769 FILE__RELABELTO, &ad);
2773 rc = security_validate_transition(isec->sid, newsid, sid,
2778 return avc_has_perm(newsid,
2780 SECCLASS_FILESYSTEM,
2781 FILESYSTEM__ASSOCIATE,
2785 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2786 const void *value, size_t size,
2789 struct inode *inode = dentry->d_inode;
2790 struct inode_security_struct *isec = inode->i_security;
2794 if (strcmp(name, XATTR_NAME_SELINUX)) {
2795 /* Not an attribute we recognize, so nothing to do. */
2799 rc = security_context_to_sid_force(value, size, &newsid);
2801 printk(KERN_ERR "SELinux: unable to map context to SID"
2802 "for (%s, %lu), rc=%d\n",
2803 inode->i_sb->s_id, inode->i_ino, -rc);
2811 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2813 const struct cred *cred = current_cred();
2815 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2818 static int selinux_inode_listxattr(struct dentry *dentry)
2820 const struct cred *cred = current_cred();
2822 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2825 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2827 if (strcmp(name, XATTR_NAME_SELINUX))
2828 return selinux_inode_setotherxattr(dentry, name);
2830 /* No one is allowed to remove a SELinux security label.
2831 You can change the label, but all data must be labeled. */
2836 * Copy the inode security context value to the user.
2838 * Permission check is handled by selinux_inode_getxattr hook.
2840 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2844 char *context = NULL;
2845 struct inode_security_struct *isec = inode->i_security;
2847 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2851 * If the caller has CAP_MAC_ADMIN, then get the raw context
2852 * value even if it is not defined by current policy; otherwise,
2853 * use the in-core value under current policy.
2854 * Use the non-auditing forms of the permission checks since
2855 * getxattr may be called by unprivileged processes commonly
2856 * and lack of permission just means that we fall back to the
2857 * in-core context value, not a denial.
2859 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
2860 SECURITY_CAP_NOAUDIT);
2862 error = security_sid_to_context_force(isec->sid, &context,
2865 error = security_sid_to_context(isec->sid, &context, &size);
2878 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2879 const void *value, size_t size, int flags)
2881 struct inode_security_struct *isec = inode->i_security;
2885 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2888 if (!value || !size)
2891 rc = security_context_to_sid((void *)value, size, &newsid);
2896 isec->initialized = 1;
2900 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2902 const int len = sizeof(XATTR_NAME_SELINUX);
2903 if (buffer && len <= buffer_size)
2904 memcpy(buffer, XATTR_NAME_SELINUX, len);
2908 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2910 struct inode_security_struct *isec = inode->i_security;
2914 /* file security operations */
2916 static int selinux_revalidate_file_permission(struct file *file, int mask)
2918 const struct cred *cred = current_cred();
2919 struct inode *inode = file->f_path.dentry->d_inode;
2921 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2922 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2925 return file_has_perm(cred, file,
2926 file_mask_to_av(inode->i_mode, mask));
2929 static int selinux_file_permission(struct file *file, int mask)
2931 struct inode *inode = file->f_path.dentry->d_inode;
2932 struct file_security_struct *fsec = file->f_security;
2933 struct inode_security_struct *isec = inode->i_security;
2934 u32 sid = current_sid();
2937 /* No permission to check. Existence test. */
2940 if (sid == fsec->sid && fsec->isid == isec->sid &&
2941 fsec->pseqno == avc_policy_seqno())
2942 /* No change since dentry_open check. */
2945 return selinux_revalidate_file_permission(file, mask);
2948 static int selinux_file_alloc_security(struct file *file)
2950 return file_alloc_security(file);
2953 static void selinux_file_free_security(struct file *file)
2955 file_free_security(file);
2958 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2961 const struct cred *cred = current_cred();
2971 case EXT2_IOC_GETFLAGS:
2973 case EXT2_IOC_GETVERSION:
2974 error = file_has_perm(cred, file, FILE__GETATTR);
2977 case EXT2_IOC_SETFLAGS:
2979 case EXT2_IOC_SETVERSION:
2980 error = file_has_perm(cred, file, FILE__SETATTR);
2983 /* sys_ioctl() checks */
2987 error = file_has_perm(cred, file, 0);
2992 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
2993 SECURITY_CAP_AUDIT);
2996 /* default case assumes that the command will go
2997 * to the file's ioctl() function.
3000 error = file_has_perm(cred, file, FILE__IOCTL);
3005 static int default_noexec;
3007 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3009 const struct cred *cred = current_cred();
3012 if (default_noexec &&
3013 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3015 * We are making executable an anonymous mapping or a
3016 * private file mapping that will also be writable.
3017 * This has an additional check.
3019 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3025 /* read access is always possible with a mapping */
3026 u32 av = FILE__READ;
3028 /* write access only matters if the mapping is shared */
3029 if (shared && (prot & PROT_WRITE))
3032 if (prot & PROT_EXEC)
3033 av |= FILE__EXECUTE;
3035 return file_has_perm(cred, file, av);
3042 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3043 unsigned long prot, unsigned long flags,
3044 unsigned long addr, unsigned long addr_only)
3047 u32 sid = current_sid();
3050 * notice that we are intentionally putting the SELinux check before
3051 * the secondary cap_file_mmap check. This is such a likely attempt
3052 * at bad behaviour/exploit that we always want to get the AVC, even
3053 * if DAC would have also denied the operation.
3055 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3056 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3057 MEMPROTECT__MMAP_ZERO, NULL);
3062 /* do DAC check on address space usage */
3063 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3064 if (rc || addr_only)
3067 if (selinux_checkreqprot)
3070 return file_map_prot_check(file, prot,
3071 (flags & MAP_TYPE) == MAP_SHARED);
3074 static int selinux_file_mprotect(struct vm_area_struct *vma,
3075 unsigned long reqprot,
3078 const struct cred *cred = current_cred();
3080 if (selinux_checkreqprot)
3083 if (default_noexec &&
3084 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3086 if (vma->vm_start >= vma->vm_mm->start_brk &&
3087 vma->vm_end <= vma->vm_mm->brk) {
3088 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3089 } else if (!vma->vm_file &&
3090 vma->vm_start <= vma->vm_mm->start_stack &&
3091 vma->vm_end >= vma->vm_mm->start_stack) {
3092 rc = current_has_perm(current, PROCESS__EXECSTACK);
3093 } else if (vma->vm_file && vma->anon_vma) {
3095 * We are making executable a file mapping that has
3096 * had some COW done. Since pages might have been
3097 * written, check ability to execute the possibly
3098 * modified content. This typically should only
3099 * occur for text relocations.
3101 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3107 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3110 static int selinux_file_lock(struct file *file, unsigned int cmd)
3112 const struct cred *cred = current_cred();
3114 return file_has_perm(cred, file, FILE__LOCK);
3117 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3120 const struct cred *cred = current_cred();
3125 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3130 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3131 err = file_has_perm(cred, file, FILE__WRITE);
3140 /* Just check FD__USE permission */
3141 err = file_has_perm(cred, file, 0);
3146 #if BITS_PER_LONG == 32
3151 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3155 err = file_has_perm(cred, file, FILE__LOCK);
3162 static int selinux_file_set_fowner(struct file *file)
3164 struct file_security_struct *fsec;
3166 fsec = file->f_security;
3167 fsec->fown_sid = current_sid();
3172 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3173 struct fown_struct *fown, int signum)
3176 u32 sid = task_sid(tsk);
3178 struct file_security_struct *fsec;
3180 /* struct fown_struct is never outside the context of a struct file */
3181 file = container_of(fown, struct file, f_owner);
3183 fsec = file->f_security;
3186 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3188 perm = signal_to_av(signum);
3190 return avc_has_perm(fsec->fown_sid, sid,
3191 SECCLASS_PROCESS, perm, NULL);
3194 static int selinux_file_receive(struct file *file)
3196 const struct cred *cred = current_cred();
3198 return file_has_perm(cred, file, file_to_av(file));
3201 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3203 struct file_security_struct *fsec;
3204 struct inode *inode;
3205 struct inode_security_struct *isec;
3207 inode = file->f_path.dentry->d_inode;
3208 fsec = file->f_security;
3209 isec = inode->i_security;
3211 * Save inode label and policy sequence number
3212 * at open-time so that selinux_file_permission
3213 * can determine whether revalidation is necessary.
3214 * Task label is already saved in the file security
3215 * struct as its SID.
3217 fsec->isid = isec->sid;
3218 fsec->pseqno = avc_policy_seqno();
3220 * Since the inode label or policy seqno may have changed
3221 * between the selinux_inode_permission check and the saving
3222 * of state above, recheck that access is still permitted.
3223 * Otherwise, access might never be revalidated against the
3224 * new inode label or new policy.
3225 * This check is not redundant - do not remove.
3227 return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0);
3230 /* task security operations */
3232 static int selinux_task_create(unsigned long clone_flags)
3234 return current_has_perm(current, PROCESS__FORK);
3238 * allocate the SELinux part of blank credentials
3240 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3242 struct task_security_struct *tsec;
3244 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3248 cred->security = tsec;
3253 * detach and free the LSM part of a set of credentials
3255 static void selinux_cred_free(struct cred *cred)
3257 struct task_security_struct *tsec = cred->security;
3260 * cred->security == NULL if security_cred_alloc_blank() or
3261 * security_prepare_creds() returned an error.
3263 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3264 cred->security = (void *) 0x7UL;
3269 * prepare a new set of credentials for modification
3271 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3274 const struct task_security_struct *old_tsec;
3275 struct task_security_struct *tsec;
3277 old_tsec = old->security;
3279 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3283 new->security = tsec;
3288 * transfer the SELinux data to a blank set of creds
3290 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3292 const struct task_security_struct *old_tsec = old->security;
3293 struct task_security_struct *tsec = new->security;
3299 * set the security data for a kernel service
3300 * - all the creation contexts are set to unlabelled
3302 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3304 struct task_security_struct *tsec = new->security;
3305 u32 sid = current_sid();
3308 ret = avc_has_perm(sid, secid,
3309 SECCLASS_KERNEL_SERVICE,
3310 KERNEL_SERVICE__USE_AS_OVERRIDE,
3314 tsec->create_sid = 0;
3315 tsec->keycreate_sid = 0;
3316 tsec->sockcreate_sid = 0;
3322 * set the file creation context in a security record to the same as the
3323 * objective context of the specified inode
3325 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3327 struct inode_security_struct *isec = inode->i_security;
3328 struct task_security_struct *tsec = new->security;
3329 u32 sid = current_sid();
3332 ret = avc_has_perm(sid, isec->sid,
3333 SECCLASS_KERNEL_SERVICE,
3334 KERNEL_SERVICE__CREATE_FILES_AS,
3338 tsec->create_sid = isec->sid;
3342 static int selinux_kernel_module_request(char *kmod_name)
3345 struct common_audit_data ad;
3347 sid = task_sid(current);
3349 COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3350 ad.u.kmod_name = kmod_name;
3352 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3353 SYSTEM__MODULE_REQUEST, &ad);
3356 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3358 return current_has_perm(p, PROCESS__SETPGID);
3361 static int selinux_task_getpgid(struct task_struct *p)
3363 return current_has_perm(p, PROCESS__GETPGID);
3366 static int selinux_task_getsid(struct task_struct *p)
3368 return current_has_perm(p, PROCESS__GETSESSION);
3371 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3373 *secid = task_sid(p);
3376 static int selinux_task_setnice(struct task_struct *p, int nice)
3380 rc = cap_task_setnice(p, nice);
3384 return current_has_perm(p, PROCESS__SETSCHED);
3387 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3391 rc = cap_task_setioprio(p, ioprio);
3395 return current_has_perm(p, PROCESS__SETSCHED);
3398 static int selinux_task_getioprio(struct task_struct *p)
3400 return current_has_perm(p, PROCESS__GETSCHED);
3403 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3404 struct rlimit *new_rlim)
3406 struct rlimit *old_rlim = p->signal->rlim + resource;
3408 /* Control the ability to change the hard limit (whether
3409 lowering or raising it), so that the hard limit can
3410 later be used as a safe reset point for the soft limit
3411 upon context transitions. See selinux_bprm_committing_creds. */
3412 if (old_rlim->rlim_max != new_rlim->rlim_max)
3413 return current_has_perm(p, PROCESS__SETRLIMIT);
3418 static int selinux_task_setscheduler(struct task_struct *p)
3422 rc = cap_task_setscheduler(p);
3426 return current_has_perm(p, PROCESS__SETSCHED);
3429 static int selinux_task_getscheduler(struct task_struct *p)
3431 return current_has_perm(p, PROCESS__GETSCHED);
3434 static int selinux_task_movememory(struct task_struct *p)
3436 return current_has_perm(p, PROCESS__SETSCHED);
3439 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3446 perm = PROCESS__SIGNULL; /* null signal; existence test */
3448 perm = signal_to_av(sig);
3450 rc = avc_has_perm(secid, task_sid(p),
3451 SECCLASS_PROCESS, perm, NULL);
3453 rc = current_has_perm(p, perm);
3457 static int selinux_task_wait(struct task_struct *p)
3459 return task_has_perm(p, current, PROCESS__SIGCHLD);
3462 static void selinux_task_to_inode(struct task_struct *p,
3463 struct inode *inode)
3465 struct inode_security_struct *isec = inode->i_security;
3466 u32 sid = task_sid(p);
3469 isec->initialized = 1;
3472 /* Returns error only if unable to parse addresses */
3473 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3474 struct common_audit_data *ad, u8 *proto)
3476 int offset, ihlen, ret = -EINVAL;
3477 struct iphdr _iph, *ih;
3479 offset = skb_network_offset(skb);
3480 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3484 ihlen = ih->ihl * 4;
3485 if (ihlen < sizeof(_iph))
3488 ad->u.net.v4info.saddr = ih->saddr;
3489 ad->u.net.v4info.daddr = ih->daddr;
3493 *proto = ih->protocol;
3495 switch (ih->protocol) {
3497 struct tcphdr _tcph, *th;
3499 if (ntohs(ih->frag_off) & IP_OFFSET)
3503 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3507 ad->u.net.sport = th->source;
3508 ad->u.net.dport = th->dest;
3513 struct udphdr _udph, *uh;
3515 if (ntohs(ih->frag_off) & IP_OFFSET)
3519 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3523 ad->u.net.sport = uh->source;
3524 ad->u.net.dport = uh->dest;
3528 case IPPROTO_DCCP: {
3529 struct dccp_hdr _dccph, *dh;
3531 if (ntohs(ih->frag_off) & IP_OFFSET)
3535 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3539 ad->u.net.sport = dh->dccph_sport;
3540 ad->u.net.dport = dh->dccph_dport;
3551 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3553 /* Returns error only if unable to parse addresses */
3554 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3555 struct common_audit_data *ad, u8 *proto)
3558 int ret = -EINVAL, offset;
3559 struct ipv6hdr _ipv6h, *ip6;
3561 offset = skb_network_offset(skb);
3562 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3566 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3567 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3570 nexthdr = ip6->nexthdr;
3571 offset += sizeof(_ipv6h);
3572 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3581 struct tcphdr _tcph, *th;
3583 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3587 ad->u.net.sport = th->source;
3588 ad->u.net.dport = th->dest;
3593 struct udphdr _udph, *uh;
3595 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3599 ad->u.net.sport = uh->source;
3600 ad->u.net.dport = uh->dest;
3604 case IPPROTO_DCCP: {
3605 struct dccp_hdr _dccph, *dh;
3607 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3611 ad->u.net.sport = dh->dccph_sport;
3612 ad->u.net.dport = dh->dccph_dport;
3616 /* includes fragments */
3626 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3627 char **_addrp, int src, u8 *proto)
3632 switch (ad->u.net.family) {
3634 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3637 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3638 &ad->u.net.v4info.daddr);
3641 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3643 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3646 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3647 &ad->u.net.v6info.daddr);
3657 "SELinux: failure in selinux_parse_skb(),"
3658 " unable to parse packet\n");
3668 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3670 * @family: protocol family
3671 * @sid: the packet's peer label SID
3674 * Check the various different forms of network peer labeling and determine
3675 * the peer label/SID for the packet; most of the magic actually occurs in
3676 * the security server function security_net_peersid_cmp(). The function
3677 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3678 * or -EACCES if @sid is invalid due to inconsistencies with the different
3682 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3689 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3690 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3692 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3693 if (unlikely(err)) {
3695 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3696 " unable to determine packet's peer label\n");
3703 /* socket security operations */
3705 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3706 u16 secclass, u32 *socksid)
3708 if (tsec->sockcreate_sid > SECSID_NULL) {
3709 *socksid = tsec->sockcreate_sid;
3713 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3717 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3719 struct sk_security_struct *sksec = sk->sk_security;
3720 struct common_audit_data ad;
3721 u32 tsid = task_sid(task);
3723 if (sksec->sid == SECINITSID_KERNEL)
3726 COMMON_AUDIT_DATA_INIT(&ad, NET);
3729 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3732 static int selinux_socket_create(int family, int type,
3733 int protocol, int kern)
3735 const struct task_security_struct *tsec = current_security();
3743 secclass = socket_type_to_security_class(family, type, protocol);
3744 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3748 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3751 static int selinux_socket_post_create(struct socket *sock, int family,
3752 int type, int protocol, int kern)
3754 const struct task_security_struct *tsec = current_security();
3755 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3756 struct sk_security_struct *sksec;
3759 isec->sclass = socket_type_to_security_class(family, type, protocol);
3762 isec->sid = SECINITSID_KERNEL;
3764 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3769 isec->initialized = 1;
3772 sksec = sock->sk->sk_security;
3773 sksec->sid = isec->sid;
3774 sksec->sclass = isec->sclass;
3775 err = selinux_netlbl_socket_post_create(sock->sk, family);
3781 /* Range of port numbers used to automatically bind.
3782 Need to determine whether we should perform a name_bind
3783 permission check between the socket and the port number. */
3785 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3787 struct sock *sk = sock->sk;
3791 err = sock_has_perm(current, sk, SOCKET__BIND);
3796 * If PF_INET or PF_INET6, check name_bind permission for the port.
3797 * Multiple address binding for SCTP is not supported yet: we just
3798 * check the first address now.
3800 family = sk->sk_family;
3801 if (family == PF_INET || family == PF_INET6) {
3803 struct sk_security_struct *sksec = sk->sk_security;
3804 struct common_audit_data ad;
3805 struct sockaddr_in *addr4 = NULL;
3806 struct sockaddr_in6 *addr6 = NULL;
3807 unsigned short snum;
3810 if (family == PF_INET) {
3811 addr4 = (struct sockaddr_in *)address;
3812 snum = ntohs(addr4->sin_port);
3813 addrp = (char *)&addr4->sin_addr.s_addr;
3815 addr6 = (struct sockaddr_in6 *)address;
3816 snum = ntohs(addr6->sin6_port);
3817 addrp = (char *)&addr6->sin6_addr.s6_addr;
3823 inet_get_local_port_range(&low, &high);
3825 if (snum < max(PROT_SOCK, low) || snum > high) {
3826 err = sel_netport_sid(sk->sk_protocol,
3830 COMMON_AUDIT_DATA_INIT(&ad, NET);
3831 ad.u.net.sport = htons(snum);
3832 ad.u.net.family = family;
3833 err = avc_has_perm(sksec->sid, sid,
3835 SOCKET__NAME_BIND, &ad);
3841 switch (sksec->sclass) {
3842 case SECCLASS_TCP_SOCKET:
3843 node_perm = TCP_SOCKET__NODE_BIND;
3846 case SECCLASS_UDP_SOCKET:
3847 node_perm = UDP_SOCKET__NODE_BIND;
3850 case SECCLASS_DCCP_SOCKET:
3851 node_perm = DCCP_SOCKET__NODE_BIND;
3855 node_perm = RAWIP_SOCKET__NODE_BIND;
3859 err = sel_netnode_sid(addrp, family, &sid);
3863 COMMON_AUDIT_DATA_INIT(&ad, NET);
3864 ad.u.net.sport = htons(snum);
3865 ad.u.net.family = family;
3867 if (family == PF_INET)
3868 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3870 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3872 err = avc_has_perm(sksec->sid, sid,
3873 sksec->sclass, node_perm, &ad);
3881 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3883 struct sock *sk = sock->sk;
3884 struct sk_security_struct *sksec = sk->sk_security;
3887 err = sock_has_perm(current, sk, SOCKET__CONNECT);
3892 * If a TCP or DCCP socket, check name_connect permission for the port.
3894 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3895 sksec->sclass == SECCLASS_DCCP_SOCKET) {
3896 struct common_audit_data ad;
3897 struct sockaddr_in *addr4 = NULL;
3898 struct sockaddr_in6 *addr6 = NULL;
3899 unsigned short snum;
3902 if (sk->sk_family == PF_INET) {
3903 addr4 = (struct sockaddr_in *)address;
3904 if (addrlen < sizeof(struct sockaddr_in))
3906 snum = ntohs(addr4->sin_port);
3908 addr6 = (struct sockaddr_in6 *)address;
3909 if (addrlen < SIN6_LEN_RFC2133)
3911 snum = ntohs(addr6->sin6_port);
3914 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3918 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3919 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3921 COMMON_AUDIT_DATA_INIT(&ad, NET);
3922 ad.u.net.dport = htons(snum);
3923 ad.u.net.family = sk->sk_family;
3924 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3929 err = selinux_netlbl_socket_connect(sk, address);
3935 static int selinux_socket_listen(struct socket *sock, int backlog)
3937 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3940 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3943 struct inode_security_struct *isec;
3944 struct inode_security_struct *newisec;
3946 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3950 newisec = SOCK_INODE(newsock)->i_security;
3952 isec = SOCK_INODE(sock)->i_security;
3953 newisec->sclass = isec->sclass;
3954 newisec->sid = isec->sid;
3955 newisec->initialized = 1;
3960 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3963 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
3966 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3967 int size, int flags)
3969 return sock_has_perm(current, sock->sk, SOCKET__READ);
3972 static int selinux_socket_getsockname(struct socket *sock)
3974 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3977 static int selinux_socket_getpeername(struct socket *sock)
3979 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3982 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3986 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
3990 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3993 static int selinux_socket_getsockopt(struct socket *sock, int level,
3996 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
3999 static int selinux_socket_shutdown(struct socket *sock, int how)
4001 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4004 static int selinux_socket_unix_stream_connect(struct sock *sock,
4008 struct sk_security_struct *sksec_sock = sock->sk_security;
4009 struct sk_security_struct *sksec_other = other->sk_security;
4010 struct sk_security_struct *sksec_new = newsk->sk_security;
4011 struct common_audit_data ad;
4014 COMMON_AUDIT_DATA_INIT(&ad, NET);
4015 ad.u.net.sk = other;
4017 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4018 sksec_other->sclass,
4019 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4023 /* server child socket */
4024 sksec_new->peer_sid = sksec_sock->sid;
4025 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4030 /* connecting socket */
4031 sksec_sock->peer_sid = sksec_new->sid;
4036 static int selinux_socket_unix_may_send(struct socket *sock,
4037 struct socket *other)
4039 struct sk_security_struct *ssec = sock->sk->sk_security;
4040 struct sk_security_struct *osec = other->sk->sk_security;
4041 struct common_audit_data ad;
4043 COMMON_AUDIT_DATA_INIT(&ad, NET);
4044 ad.u.net.sk = other->sk;
4046 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4050 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4052 struct common_audit_data *ad)
4058 err = sel_netif_sid(ifindex, &if_sid);
4061 err = avc_has_perm(peer_sid, if_sid,
4062 SECCLASS_NETIF, NETIF__INGRESS, ad);
4066 err = sel_netnode_sid(addrp, family, &node_sid);
4069 return avc_has_perm(peer_sid, node_sid,
4070 SECCLASS_NODE, NODE__RECVFROM, ad);
4073 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4077 struct sk_security_struct *sksec = sk->sk_security;
4078 u32 sk_sid = sksec->sid;
4079 struct common_audit_data ad;
4082 COMMON_AUDIT_DATA_INIT(&ad, NET);
4083 ad.u.net.netif = skb->skb_iif;
4084 ad.u.net.family = family;
4085 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4089 if (selinux_secmark_enabled()) {
4090 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4096 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4099 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4104 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4107 struct sk_security_struct *sksec = sk->sk_security;
4108 u16 family = sk->sk_family;
4109 u32 sk_sid = sksec->sid;
4110 struct common_audit_data ad;
4115 if (family != PF_INET && family != PF_INET6)
4118 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4119 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4122 /* If any sort of compatibility mode is enabled then handoff processing
4123 * to the selinux_sock_rcv_skb_compat() function to deal with the
4124 * special handling. We do this in an attempt to keep this function
4125 * as fast and as clean as possible. */
4126 if (!selinux_policycap_netpeer)
4127 return selinux_sock_rcv_skb_compat(sk, skb, family);
4129 secmark_active = selinux_secmark_enabled();
4130 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4131 if (!secmark_active && !peerlbl_active)
4134 COMMON_AUDIT_DATA_INIT(&ad, NET);
4135 ad.u.net.netif = skb->skb_iif;
4136 ad.u.net.family = family;
4137 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4141 if (peerlbl_active) {
4144 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4147 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4150 selinux_netlbl_err(skb, err, 0);
4153 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4156 selinux_netlbl_err(skb, err, 0);
4159 if (secmark_active) {
4160 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4169 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4170 int __user *optlen, unsigned len)
4175 struct sk_security_struct *sksec = sock->sk->sk_security;
4176 u32 peer_sid = SECSID_NULL;
4178 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4179 sksec->sclass == SECCLASS_TCP_SOCKET)
4180 peer_sid = sksec->peer_sid;
4181 if (peer_sid == SECSID_NULL)
4182 return -ENOPROTOOPT;
4184 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4188 if (scontext_len > len) {
4193 if (copy_to_user(optval, scontext, scontext_len))
4197 if (put_user(scontext_len, optlen))
4203 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4205 u32 peer_secid = SECSID_NULL;
4208 if (skb && skb->protocol == htons(ETH_P_IP))
4210 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4213 family = sock->sk->sk_family;
4217 if (sock && family == PF_UNIX)
4218 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4220 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4223 *secid = peer_secid;
4224 if (peer_secid == SECSID_NULL)
4229 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4231 struct sk_security_struct *sksec;
4233 sksec = kzalloc(sizeof(*sksec), priority);
4237 sksec->peer_sid = SECINITSID_UNLABELED;
4238 sksec->sid = SECINITSID_UNLABELED;
4239 selinux_netlbl_sk_security_reset(sksec);
4240 sk->sk_security = sksec;
4245 static void selinux_sk_free_security(struct sock *sk)
4247 struct sk_security_struct *sksec = sk->sk_security;
4249 sk->sk_security = NULL;
4250 selinux_netlbl_sk_security_free(sksec);
4254 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4256 struct sk_security_struct *sksec = sk->sk_security;
4257 struct sk_security_struct *newsksec = newsk->sk_security;
4259 newsksec->sid = sksec->sid;
4260 newsksec->peer_sid = sksec->peer_sid;
4261 newsksec->sclass = sksec->sclass;
4263 selinux_netlbl_sk_security_reset(newsksec);
4266 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4269 *secid = SECINITSID_ANY_SOCKET;
4271 struct sk_security_struct *sksec = sk->sk_security;
4273 *secid = sksec->sid;
4277 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4279 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4280 struct sk_security_struct *sksec = sk->sk_security;
4282 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4283 sk->sk_family == PF_UNIX)
4284 isec->sid = sksec->sid;
4285 sksec->sclass = isec->sclass;
4288 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4289 struct request_sock *req)
4291 struct sk_security_struct *sksec = sk->sk_security;
4293 u16 family = sk->sk_family;
4297 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4298 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4301 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4304 if (peersid == SECSID_NULL) {
4305 req->secid = sksec->sid;
4306 req->peer_secid = SECSID_NULL;
4308 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4311 req->secid = newsid;
4312 req->peer_secid = peersid;
4315 return selinux_netlbl_inet_conn_request(req, family);
4318 static void selinux_inet_csk_clone(struct sock *newsk,
4319 const struct request_sock *req)
4321 struct sk_security_struct *newsksec = newsk->sk_security;
4323 newsksec->sid = req->secid;
4324 newsksec->peer_sid = req->peer_secid;
4325 /* NOTE: Ideally, we should also get the isec->sid for the
4326 new socket in sync, but we don't have the isec available yet.
4327 So we will wait until sock_graft to do it, by which
4328 time it will have been created and available. */
4330 /* We don't need to take any sort of lock here as we are the only
4331 * thread with access to newsksec */
4332 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4335 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4337 u16 family = sk->sk_family;
4338 struct sk_security_struct *sksec = sk->sk_security;
4340 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4341 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4344 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4347 static int selinux_secmark_relabel_packet(u32 sid)
4349 const struct task_security_struct *__tsec;
4352 __tsec = current_security();
4355 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4358 static void selinux_secmark_refcount_inc(void)
4360 atomic_inc(&selinux_secmark_refcount);
4363 static void selinux_secmark_refcount_dec(void)
4365 atomic_dec(&selinux_secmark_refcount);
4368 static void selinux_req_classify_flow(const struct request_sock *req,
4371 fl->flowi_secid = req->secid;
4374 static int selinux_tun_dev_create(void)
4376 u32 sid = current_sid();
4378 /* we aren't taking into account the "sockcreate" SID since the socket
4379 * that is being created here is not a socket in the traditional sense,
4380 * instead it is a private sock, accessible only to the kernel, and
4381 * representing a wide range of network traffic spanning multiple
4382 * connections unlike traditional sockets - check the TUN driver to
4383 * get a better understanding of why this socket is special */
4385 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4389 static void selinux_tun_dev_post_create(struct sock *sk)
4391 struct sk_security_struct *sksec = sk->sk_security;
4393 /* we don't currently perform any NetLabel based labeling here and it
4394 * isn't clear that we would want to do so anyway; while we could apply
4395 * labeling without the support of the TUN user the resulting labeled
4396 * traffic from the other end of the connection would almost certainly
4397 * cause confusion to the TUN user that had no idea network labeling
4398 * protocols were being used */
4400 /* see the comments in selinux_tun_dev_create() about why we don't use
4401 * the sockcreate SID here */
4403 sksec->sid = current_sid();
4404 sksec->sclass = SECCLASS_TUN_SOCKET;
4407 static int selinux_tun_dev_attach(struct sock *sk)
4409 struct sk_security_struct *sksec = sk->sk_security;
4410 u32 sid = current_sid();
4413 err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4414 TUN_SOCKET__RELABELFROM, NULL);
4417 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4418 TUN_SOCKET__RELABELTO, NULL);
4427 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4431 struct nlmsghdr *nlh;
4432 struct sk_security_struct *sksec = sk->sk_security;
4434 if (skb->len < NLMSG_SPACE(0)) {
4438 nlh = nlmsg_hdr(skb);
4440 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4442 if (err == -EINVAL) {
4443 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4444 "SELinux: unrecognized netlink message"
4445 " type=%hu for sclass=%hu\n",
4446 nlh->nlmsg_type, sksec->sclass);
4447 if (!selinux_enforcing || security_get_allow_unknown())
4457 err = sock_has_perm(current, sk, perm);
4462 #ifdef CONFIG_NETFILTER
4464 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4470 struct common_audit_data ad;
4475 if (!selinux_policycap_netpeer)
4478 secmark_active = selinux_secmark_enabled();
4479 netlbl_active = netlbl_enabled();
4480 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4481 if (!secmark_active && !peerlbl_active)
4484 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4487 COMMON_AUDIT_DATA_INIT(&ad, NET);
4488 ad.u.net.netif = ifindex;
4489 ad.u.net.family = family;
4490 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4493 if (peerlbl_active) {
4494 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4497 selinux_netlbl_err(skb, err, 1);
4503 if (avc_has_perm(peer_sid, skb->secmark,
4504 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4508 /* we do this in the FORWARD path and not the POST_ROUTING
4509 * path because we want to make sure we apply the necessary
4510 * labeling before IPsec is applied so we can leverage AH
4512 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4518 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4519 struct sk_buff *skb,
4520 const struct net_device *in,
4521 const struct net_device *out,
4522 int (*okfn)(struct sk_buff *))
4524 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4527 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4528 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4529 struct sk_buff *skb,
4530 const struct net_device *in,
4531 const struct net_device *out,
4532 int (*okfn)(struct sk_buff *))
4534 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4538 static unsigned int selinux_ip_output(struct sk_buff *skb,
4543 if (!netlbl_enabled())
4546 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4547 * because we want to make sure we apply the necessary labeling
4548 * before IPsec is applied so we can leverage AH protection */
4550 struct sk_security_struct *sksec = skb->sk->sk_security;
4553 sid = SECINITSID_KERNEL;
4554 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4560 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4561 struct sk_buff *skb,
4562 const struct net_device *in,
4563 const struct net_device *out,
4564 int (*okfn)(struct sk_buff *))
4566 return selinux_ip_output(skb, PF_INET);
4569 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4573 struct sock *sk = skb->sk;
4574 struct sk_security_struct *sksec;
4575 struct common_audit_data ad;
4581 sksec = sk->sk_security;
4583 COMMON_AUDIT_DATA_INIT(&ad, NET);
4584 ad.u.net.netif = ifindex;
4585 ad.u.net.family = family;
4586 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4589 if (selinux_secmark_enabled())
4590 if (avc_has_perm(sksec->sid, skb->secmark,
4591 SECCLASS_PACKET, PACKET__SEND, &ad))
4592 return NF_DROP_ERR(-ECONNREFUSED);
4594 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4595 return NF_DROP_ERR(-ECONNREFUSED);
4600 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4606 struct common_audit_data ad;
4611 /* If any sort of compatibility mode is enabled then handoff processing
4612 * to the selinux_ip_postroute_compat() function to deal with the
4613 * special handling. We do this in an attempt to keep this function
4614 * as fast and as clean as possible. */
4615 if (!selinux_policycap_netpeer)
4616 return selinux_ip_postroute_compat(skb, ifindex, family);
4618 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4619 * packet transformation so allow the packet to pass without any checks
4620 * since we'll have another chance to perform access control checks
4621 * when the packet is on it's final way out.
4622 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4623 * is NULL, in this case go ahead and apply access control. */
4624 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4627 secmark_active = selinux_secmark_enabled();
4628 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4629 if (!secmark_active && !peerlbl_active)
4632 /* if the packet is being forwarded then get the peer label from the
4633 * packet itself; otherwise check to see if it is from a local
4634 * application or the kernel, if from an application get the peer label
4635 * from the sending socket, otherwise use the kernel's sid */
4639 secmark_perm = PACKET__FORWARD_OUT;
4640 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4643 secmark_perm = PACKET__SEND;
4644 peer_sid = SECINITSID_KERNEL;
4647 struct sk_security_struct *sksec = sk->sk_security;
4648 peer_sid = sksec->sid;
4649 secmark_perm = PACKET__SEND;
4652 COMMON_AUDIT_DATA_INIT(&ad, NET);
4653 ad.u.net.netif = ifindex;
4654 ad.u.net.family = family;
4655 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4659 if (avc_has_perm(peer_sid, skb->secmark,
4660 SECCLASS_PACKET, secmark_perm, &ad))
4661 return NF_DROP_ERR(-ECONNREFUSED);
4663 if (peerlbl_active) {
4667 if (sel_netif_sid(ifindex, &if_sid))
4669 if (avc_has_perm(peer_sid, if_sid,
4670 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4671 return NF_DROP_ERR(-ECONNREFUSED);
4673 if (sel_netnode_sid(addrp, family, &node_sid))
4675 if (avc_has_perm(peer_sid, node_sid,
4676 SECCLASS_NODE, NODE__SENDTO, &ad))
4677 return NF_DROP_ERR(-ECONNREFUSED);
4683 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4684 struct sk_buff *skb,
4685 const struct net_device *in,
4686 const struct net_device *out,
4687 int (*okfn)(struct sk_buff *))
4689 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4692 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4693 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4694 struct sk_buff *skb,
4695 const struct net_device *in,
4696 const struct net_device *out,
4697 int (*okfn)(struct sk_buff *))
4699 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4703 #endif /* CONFIG_NETFILTER */
4705 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4709 err = cap_netlink_send(sk, skb);
4713 return selinux_nlmsg_perm(sk, skb);
4716 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4719 struct common_audit_data ad;
4722 err = cap_netlink_recv(skb, capability);
4726 COMMON_AUDIT_DATA_INIT(&ad, CAP);
4727 ad.u.cap = capability;
4729 security_task_getsecid(current, &sid);
4730 return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
4731 CAP_TO_MASK(capability), &ad);
4734 static int ipc_alloc_security(struct task_struct *task,
4735 struct kern_ipc_perm *perm,
4738 struct ipc_security_struct *isec;
4741 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4745 sid = task_sid(task);
4746 isec->sclass = sclass;
4748 perm->security = isec;
4753 static void ipc_free_security(struct kern_ipc_perm *perm)
4755 struct ipc_security_struct *isec = perm->security;
4756 perm->security = NULL;
4760 static int msg_msg_alloc_security(struct msg_msg *msg)
4762 struct msg_security_struct *msec;
4764 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4768 msec->sid = SECINITSID_UNLABELED;
4769 msg->security = msec;
4774 static void msg_msg_free_security(struct msg_msg *msg)
4776 struct msg_security_struct *msec = msg->security;
4778 msg->security = NULL;
4782 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4785 struct ipc_security_struct *isec;
4786 struct common_audit_data ad;
4787 u32 sid = current_sid();
4789 isec = ipc_perms->security;
4791 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4792 ad.u.ipc_id = ipc_perms->key;
4794 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4797 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4799 return msg_msg_alloc_security(msg);
4802 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4804 msg_msg_free_security(msg);
4807 /* message queue security operations */
4808 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4810 struct ipc_security_struct *isec;
4811 struct common_audit_data ad;
4812 u32 sid = current_sid();
4815 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4819 isec = msq->q_perm.security;
4821 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4822 ad.u.ipc_id = msq->q_perm.key;
4824 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4827 ipc_free_security(&msq->q_perm);
4833 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4835 ipc_free_security(&msq->q_perm);
4838 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4840 struct ipc_security_struct *isec;
4841 struct common_audit_data ad;
4842 u32 sid = current_sid();
4844 isec = msq->q_perm.security;
4846 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4847 ad.u.ipc_id = msq->q_perm.key;
4849 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4850 MSGQ__ASSOCIATE, &ad);
4853 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4861 /* No specific object, just general system-wide information. */
4862 return task_has_system(current, SYSTEM__IPC_INFO);
4865 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4868 perms = MSGQ__SETATTR;
4871 perms = MSGQ__DESTROY;
4877 err = ipc_has_perm(&msq->q_perm, perms);
4881 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4883 struct ipc_security_struct *isec;
4884 struct msg_security_struct *msec;
4885 struct common_audit_data ad;
4886 u32 sid = current_sid();
4889 isec = msq->q_perm.security;
4890 msec = msg->security;
4893 * First time through, need to assign label to the message
4895 if (msec->sid == SECINITSID_UNLABELED) {
4897 * Compute new sid based on current process and
4898 * message queue this message will be stored in
4900 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4906 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4907 ad.u.ipc_id = msq->q_perm.key;
4909 /* Can this process write to the queue? */
4910 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4913 /* Can this process send the message */
4914 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4917 /* Can the message be put in the queue? */
4918 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4919 MSGQ__ENQUEUE, &ad);
4924 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4925 struct task_struct *target,
4926 long type, int mode)
4928 struct ipc_security_struct *isec;
4929 struct msg_security_struct *msec;
4930 struct common_audit_data ad;
4931 u32 sid = task_sid(target);
4934 isec = msq->q_perm.security;
4935 msec = msg->security;
4937 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4938 ad.u.ipc_id = msq->q_perm.key;
4940 rc = avc_has_perm(sid, isec->sid,
4941 SECCLASS_MSGQ, MSGQ__READ, &ad);
4943 rc = avc_has_perm(sid, msec->sid,
4944 SECCLASS_MSG, MSG__RECEIVE, &ad);
4948 /* Shared Memory security operations */
4949 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4951 struct ipc_security_struct *isec;
4952 struct common_audit_data ad;
4953 u32 sid = current_sid();
4956 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4960 isec = shp->shm_perm.security;
4962 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4963 ad.u.ipc_id = shp->shm_perm.key;
4965 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4968 ipc_free_security(&shp->shm_perm);
4974 static void selinux_shm_free_security(struct shmid_kernel *shp)
4976 ipc_free_security(&shp->shm_perm);
4979 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4981 struct ipc_security_struct *isec;
4982 struct common_audit_data ad;
4983 u32 sid = current_sid();
4985 isec = shp->shm_perm.security;
4987 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4988 ad.u.ipc_id = shp->shm_perm.key;
4990 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4991 SHM__ASSOCIATE, &ad);
4994 /* Note, at this point, shp is locked down */
4995 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5003 /* No specific object, just general system-wide information. */
5004 return task_has_system(current, SYSTEM__IPC_INFO);
5007 perms = SHM__GETATTR | SHM__ASSOCIATE;
5010 perms = SHM__SETATTR;
5017 perms = SHM__DESTROY;
5023 err = ipc_has_perm(&shp->shm_perm, perms);
5027 static int selinux_shm_shmat(struct shmid_kernel *shp,
5028 char __user *shmaddr, int shmflg)
5032 if (shmflg & SHM_RDONLY)
5035 perms = SHM__READ | SHM__WRITE;
5037 return ipc_has_perm(&shp->shm_perm, perms);
5040 /* Semaphore security operations */
5041 static int selinux_sem_alloc_security(struct sem_array *sma)
5043 struct ipc_security_struct *isec;
5044 struct common_audit_data ad;
5045 u32 sid = current_sid();
5048 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5052 isec = sma->sem_perm.security;
5054 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5055 ad.u.ipc_id = sma->sem_perm.key;
5057 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5060 ipc_free_security(&sma->sem_perm);
5066 static void selinux_sem_free_security(struct sem_array *sma)
5068 ipc_free_security(&sma->sem_perm);
5071 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5073 struct ipc_security_struct *isec;
5074 struct common_audit_data ad;
5075 u32 sid = current_sid();
5077 isec = sma->sem_perm.security;
5079 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5080 ad.u.ipc_id = sma->sem_perm.key;
5082 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5083 SEM__ASSOCIATE, &ad);
5086 /* Note, at this point, sma is locked down */
5087 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5095 /* No specific object, just general system-wide information. */
5096 return task_has_system(current, SYSTEM__IPC_INFO);
5100 perms = SEM__GETATTR;
5111 perms = SEM__DESTROY;
5114 perms = SEM__SETATTR;
5118 perms = SEM__GETATTR | SEM__ASSOCIATE;
5124 err = ipc_has_perm(&sma->sem_perm, perms);
5128 static int selinux_sem_semop(struct sem_array *sma,
5129 struct sembuf *sops, unsigned nsops, int alter)
5134 perms = SEM__READ | SEM__WRITE;
5138 return ipc_has_perm(&sma->sem_perm, perms);
5141 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5147 av |= IPC__UNIX_READ;
5149 av |= IPC__UNIX_WRITE;
5154 return ipc_has_perm(ipcp, av);
5157 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5159 struct ipc_security_struct *isec = ipcp->security;
5163 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5166 inode_doinit_with_dentry(inode, dentry);
5169 static int selinux_getprocattr(struct task_struct *p,
5170 char *name, char **value)
5172 const struct task_security_struct *__tsec;
5178 error = current_has_perm(p, PROCESS__GETATTR);
5184 __tsec = __task_cred(p)->security;
5186 if (!strcmp(name, "current"))
5188 else if (!strcmp(name, "prev"))
5190 else if (!strcmp(name, "exec"))
5191 sid = __tsec->exec_sid;
5192 else if (!strcmp(name, "fscreate"))
5193 sid = __tsec->create_sid;
5194 else if (!strcmp(name, "keycreate"))
5195 sid = __tsec->keycreate_sid;
5196 else if (!strcmp(name, "sockcreate"))
5197 sid = __tsec->sockcreate_sid;
5205 error = security_sid_to_context(sid, value, &len);
5215 static int selinux_setprocattr(struct task_struct *p,
5216 char *name, void *value, size_t size)
5218 struct task_security_struct *tsec;
5219 struct task_struct *tracer;
5226 /* SELinux only allows a process to change its own
5227 security attributes. */
5232 * Basic control over ability to set these attributes at all.
5233 * current == p, but we'll pass them separately in case the
5234 * above restriction is ever removed.
5236 if (!strcmp(name, "exec"))
5237 error = current_has_perm(p, PROCESS__SETEXEC);
5238 else if (!strcmp(name, "fscreate"))
5239 error = current_has_perm(p, PROCESS__SETFSCREATE);
5240 else if (!strcmp(name, "keycreate"))
5241 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5242 else if (!strcmp(name, "sockcreate"))
5243 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5244 else if (!strcmp(name, "current"))
5245 error = current_has_perm(p, PROCESS__SETCURRENT);
5251 /* Obtain a SID for the context, if one was specified. */
5252 if (size && str[1] && str[1] != '\n') {
5253 if (str[size-1] == '\n') {
5257 error = security_context_to_sid(value, size, &sid);
5258 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5259 if (!capable(CAP_MAC_ADMIN))
5261 error = security_context_to_sid_force(value, size,
5268 new = prepare_creds();
5272 /* Permission checking based on the specified context is
5273 performed during the actual operation (execve,
5274 open/mkdir/...), when we know the full context of the
5275 operation. See selinux_bprm_set_creds for the execve
5276 checks and may_create for the file creation checks. The
5277 operation will then fail if the context is not permitted. */
5278 tsec = new->security;
5279 if (!strcmp(name, "exec")) {
5280 tsec->exec_sid = sid;
5281 } else if (!strcmp(name, "fscreate")) {
5282 tsec->create_sid = sid;
5283 } else if (!strcmp(name, "keycreate")) {
5284 error = may_create_key(sid, p);
5287 tsec->keycreate_sid = sid;
5288 } else if (!strcmp(name, "sockcreate")) {
5289 tsec->sockcreate_sid = sid;
5290 } else if (!strcmp(name, "current")) {
5295 /* Only allow single threaded processes to change context */
5297 if (!current_is_single_threaded()) {
5298 error = security_bounded_transition(tsec->sid, sid);
5303 /* Check permissions for the transition. */
5304 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5305 PROCESS__DYNTRANSITION, NULL);
5309 /* Check for ptracing, and update the task SID if ok.
5310 Otherwise, leave SID unchanged and fail. */
5313 tracer = ptrace_parent(p);
5315 ptsid = task_sid(tracer);
5319 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5320 PROCESS__PTRACE, NULL);
5339 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5341 return security_sid_to_context(secid, secdata, seclen);
5344 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5346 return security_context_to_sid(secdata, seclen, secid);
5349 static void selinux_release_secctx(char *secdata, u32 seclen)
5355 * called with inode->i_mutex locked
5357 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5359 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5363 * called with inode->i_mutex locked
5365 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5367 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5370 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5373 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5382 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5383 unsigned long flags)
5385 const struct task_security_struct *tsec;
5386 struct key_security_struct *ksec;
5388 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5392 tsec = cred->security;
5393 if (tsec->keycreate_sid)
5394 ksec->sid = tsec->keycreate_sid;
5396 ksec->sid = tsec->sid;
5402 static void selinux_key_free(struct key *k)
5404 struct key_security_struct *ksec = k->security;
5410 static int selinux_key_permission(key_ref_t key_ref,
5411 const struct cred *cred,
5415 struct key_security_struct *ksec;
5418 /* if no specific permissions are requested, we skip the
5419 permission check. No serious, additional covert channels
5420 appear to be created. */
5424 sid = cred_sid(cred);
5426 key = key_ref_to_ptr(key_ref);
5427 ksec = key->security;
5429 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5432 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5434 struct key_security_struct *ksec = key->security;
5435 char *context = NULL;
5439 rc = security_sid_to_context(ksec->sid, &context, &len);
5448 static struct security_operations selinux_ops = {
5451 .ptrace_access_check = selinux_ptrace_access_check,
5452 .ptrace_traceme = selinux_ptrace_traceme,
5453 .capget = selinux_capget,
5454 .capset = selinux_capset,
5455 .capable = selinux_capable,
5456 .quotactl = selinux_quotactl,
5457 .quota_on = selinux_quota_on,
5458 .syslog = selinux_syslog,
5459 .vm_enough_memory = selinux_vm_enough_memory,
5461 .netlink_send = selinux_netlink_send,
5462 .netlink_recv = selinux_netlink_recv,
5464 .bprm_set_creds = selinux_bprm_set_creds,
5465 .bprm_committing_creds = selinux_bprm_committing_creds,
5466 .bprm_committed_creds = selinux_bprm_committed_creds,
5467 .bprm_secureexec = selinux_bprm_secureexec,
5469 .sb_alloc_security = selinux_sb_alloc_security,
5470 .sb_free_security = selinux_sb_free_security,
5471 .sb_copy_data = selinux_sb_copy_data,
5472 .sb_remount = selinux_sb_remount,
5473 .sb_kern_mount = selinux_sb_kern_mount,
5474 .sb_show_options = selinux_sb_show_options,
5475 .sb_statfs = selinux_sb_statfs,
5476 .sb_mount = selinux_mount,
5477 .sb_umount = selinux_umount,
5478 .sb_set_mnt_opts = selinux_set_mnt_opts,
5479 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5480 .sb_parse_opts_str = selinux_parse_opts_str,
5483 .inode_alloc_security = selinux_inode_alloc_security,
5484 .inode_free_security = selinux_inode_free_security,
5485 .inode_init_security = selinux_inode_init_security,
5486 .inode_create = selinux_inode_create,
5487 .inode_link = selinux_inode_link,
5488 .inode_unlink = selinux_inode_unlink,
5489 .inode_symlink = selinux_inode_symlink,
5490 .inode_mkdir = selinux_inode_mkdir,
5491 .inode_rmdir = selinux_inode_rmdir,
5492 .inode_mknod = selinux_inode_mknod,
5493 .inode_rename = selinux_inode_rename,
5494 .inode_readlink = selinux_inode_readlink,
5495 .inode_follow_link = selinux_inode_follow_link,
5496 .inode_permission = selinux_inode_permission,
5497 .inode_setattr = selinux_inode_setattr,
5498 .inode_getattr = selinux_inode_getattr,
5499 .inode_setxattr = selinux_inode_setxattr,
5500 .inode_post_setxattr = selinux_inode_post_setxattr,
5501 .inode_getxattr = selinux_inode_getxattr,
5502 .inode_listxattr = selinux_inode_listxattr,
5503 .inode_removexattr = selinux_inode_removexattr,
5504 .inode_getsecurity = selinux_inode_getsecurity,
5505 .inode_setsecurity = selinux_inode_setsecurity,
5506 .inode_listsecurity = selinux_inode_listsecurity,
5507 .inode_getsecid = selinux_inode_getsecid,
5509 .file_permission = selinux_file_permission,
5510 .file_alloc_security = selinux_file_alloc_security,
5511 .file_free_security = selinux_file_free_security,
5512 .file_ioctl = selinux_file_ioctl,
5513 .file_mmap = selinux_file_mmap,
5514 .file_mprotect = selinux_file_mprotect,
5515 .file_lock = selinux_file_lock,
5516 .file_fcntl = selinux_file_fcntl,
5517 .file_set_fowner = selinux_file_set_fowner,
5518 .file_send_sigiotask = selinux_file_send_sigiotask,
5519 .file_receive = selinux_file_receive,
5521 .dentry_open = selinux_dentry_open,
5523 .task_create = selinux_task_create,
5524 .cred_alloc_blank = selinux_cred_alloc_blank,
5525 .cred_free = selinux_cred_free,
5526 .cred_prepare = selinux_cred_prepare,
5527 .cred_transfer = selinux_cred_transfer,
5528 .kernel_act_as = selinux_kernel_act_as,
5529 .kernel_create_files_as = selinux_kernel_create_files_as,
5530 .kernel_module_request = selinux_kernel_module_request,
5531 .task_setpgid = selinux_task_setpgid,
5532 .task_getpgid = selinux_task_getpgid,
5533 .task_getsid = selinux_task_getsid,
5534 .task_getsecid = selinux_task_getsecid,
5535 .task_setnice = selinux_task_setnice,
5536 .task_setioprio = selinux_task_setioprio,
5537 .task_getioprio = selinux_task_getioprio,
5538 .task_setrlimit = selinux_task_setrlimit,
5539 .task_setscheduler = selinux_task_setscheduler,
5540 .task_getscheduler = selinux_task_getscheduler,
5541 .task_movememory = selinux_task_movememory,
5542 .task_kill = selinux_task_kill,
5543 .task_wait = selinux_task_wait,
5544 .task_to_inode = selinux_task_to_inode,
5546 .ipc_permission = selinux_ipc_permission,
5547 .ipc_getsecid = selinux_ipc_getsecid,
5549 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5550 .msg_msg_free_security = selinux_msg_msg_free_security,
5552 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5553 .msg_queue_free_security = selinux_msg_queue_free_security,
5554 .msg_queue_associate = selinux_msg_queue_associate,
5555 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5556 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5557 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5559 .shm_alloc_security = selinux_shm_alloc_security,
5560 .shm_free_security = selinux_shm_free_security,
5561 .shm_associate = selinux_shm_associate,
5562 .shm_shmctl = selinux_shm_shmctl,
5563 .shm_shmat = selinux_shm_shmat,
5565 .sem_alloc_security = selinux_sem_alloc_security,
5566 .sem_free_security = selinux_sem_free_security,
5567 .sem_associate = selinux_sem_associate,
5568 .sem_semctl = selinux_sem_semctl,
5569 .sem_semop = selinux_sem_semop,
5571 .d_instantiate = selinux_d_instantiate,
5573 .getprocattr = selinux_getprocattr,
5574 .setprocattr = selinux_setprocattr,
5576 .secid_to_secctx = selinux_secid_to_secctx,
5577 .secctx_to_secid = selinux_secctx_to_secid,
5578 .release_secctx = selinux_release_secctx,
5579 .inode_notifysecctx = selinux_inode_notifysecctx,
5580 .inode_setsecctx = selinux_inode_setsecctx,
5581 .inode_getsecctx = selinux_inode_getsecctx,
5583 .unix_stream_connect = selinux_socket_unix_stream_connect,
5584 .unix_may_send = selinux_socket_unix_may_send,
5586 .socket_create = selinux_socket_create,
5587 .socket_post_create = selinux_socket_post_create,
5588 .socket_bind = selinux_socket_bind,
5589 .socket_connect = selinux_socket_connect,
5590 .socket_listen = selinux_socket_listen,
5591 .socket_accept = selinux_socket_accept,
5592 .socket_sendmsg = selinux_socket_sendmsg,
5593 .socket_recvmsg = selinux_socket_recvmsg,
5594 .socket_getsockname = selinux_socket_getsockname,
5595 .socket_getpeername = selinux_socket_getpeername,
5596 .socket_getsockopt = selinux_socket_getsockopt,
5597 .socket_setsockopt = selinux_socket_setsockopt,
5598 .socket_shutdown = selinux_socket_shutdown,
5599 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5600 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5601 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5602 .sk_alloc_security = selinux_sk_alloc_security,
5603 .sk_free_security = selinux_sk_free_security,
5604 .sk_clone_security = selinux_sk_clone_security,
5605 .sk_getsecid = selinux_sk_getsecid,
5606 .sock_graft = selinux_sock_graft,
5607 .inet_conn_request = selinux_inet_conn_request,
5608 .inet_csk_clone = selinux_inet_csk_clone,
5609 .inet_conn_established = selinux_inet_conn_established,
5610 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5611 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5612 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5613 .req_classify_flow = selinux_req_classify_flow,
5614 .tun_dev_create = selinux_tun_dev_create,
5615 .tun_dev_post_create = selinux_tun_dev_post_create,
5616 .tun_dev_attach = selinux_tun_dev_attach,
5618 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5619 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5620 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5621 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5622 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5623 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5624 .xfrm_state_free_security = selinux_xfrm_state_free,
5625 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5626 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5627 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5628 .xfrm_decode_session = selinux_xfrm_decode_session,
5632 .key_alloc = selinux_key_alloc,
5633 .key_free = selinux_key_free,
5634 .key_permission = selinux_key_permission,
5635 .key_getsecurity = selinux_key_getsecurity,
5639 .audit_rule_init = selinux_audit_rule_init,
5640 .audit_rule_known = selinux_audit_rule_known,
5641 .audit_rule_match = selinux_audit_rule_match,
5642 .audit_rule_free = selinux_audit_rule_free,
5646 static __init int selinux_init(void)
5648 if (!security_module_enable(&selinux_ops)) {
5649 selinux_enabled = 0;
5653 if (!selinux_enabled) {
5654 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5658 printk(KERN_INFO "SELinux: Initializing.\n");
5660 /* Set the security state for the initial task. */
5661 cred_init_security();
5663 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5665 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5666 sizeof(struct inode_security_struct),
5667 0, SLAB_PANIC, NULL);
5670 if (register_security(&selinux_ops))
5671 panic("SELinux: Unable to register with kernel.\n");
5673 if (selinux_enforcing)
5674 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5676 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5681 static void delayed_superblock_init(struct super_block *sb, void *unused)
5683 superblock_doinit(sb, NULL);
5686 void selinux_complete_init(void)
5688 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5690 /* Set up any superblocks initialized prior to the policy load. */
5691 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5692 iterate_supers(delayed_superblock_init, NULL);
5695 /* SELinux requires early initialization in order to label
5696 all processes and objects when they are created. */
5697 security_initcall(selinux_init);
5699 #if defined(CONFIG_NETFILTER)
5701 static struct nf_hook_ops selinux_ipv4_ops[] = {
5703 .hook = selinux_ipv4_postroute,
5704 .owner = THIS_MODULE,
5706 .hooknum = NF_INET_POST_ROUTING,
5707 .priority = NF_IP_PRI_SELINUX_LAST,
5710 .hook = selinux_ipv4_forward,
5711 .owner = THIS_MODULE,
5713 .hooknum = NF_INET_FORWARD,
5714 .priority = NF_IP_PRI_SELINUX_FIRST,
5717 .hook = selinux_ipv4_output,
5718 .owner = THIS_MODULE,
5720 .hooknum = NF_INET_LOCAL_OUT,
5721 .priority = NF_IP_PRI_SELINUX_FIRST,
5725 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5727 static struct nf_hook_ops selinux_ipv6_ops[] = {
5729 .hook = selinux_ipv6_postroute,
5730 .owner = THIS_MODULE,
5732 .hooknum = NF_INET_POST_ROUTING,
5733 .priority = NF_IP6_PRI_SELINUX_LAST,
5736 .hook = selinux_ipv6_forward,
5737 .owner = THIS_MODULE,
5739 .hooknum = NF_INET_FORWARD,
5740 .priority = NF_IP6_PRI_SELINUX_FIRST,
5746 static int __init selinux_nf_ip_init(void)
5750 if (!selinux_enabled)
5753 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5755 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5757 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5759 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5760 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5762 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5769 __initcall(selinux_nf_ip_init);
5771 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5772 static void selinux_nf_ip_exit(void)
5774 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5776 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5777 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5778 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5783 #else /* CONFIG_NETFILTER */
5785 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5786 #define selinux_nf_ip_exit()
5789 #endif /* CONFIG_NETFILTER */
5791 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5792 static int selinux_disabled;
5794 int selinux_disable(void)
5796 if (ss_initialized) {
5797 /* Not permitted after initial policy load. */
5801 if (selinux_disabled) {
5802 /* Only do this once. */
5806 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5808 selinux_disabled = 1;
5809 selinux_enabled = 0;
5811 reset_security_ops();
5813 /* Try to destroy the avc node cache */
5816 /* Unregister netfilter hooks. */
5817 selinux_nf_ip_exit();
5819 /* Unregister selinuxfs. */