2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2,
18 * as published by the Free Software Foundation.
21 #include <linux/module.h>
22 #include <linux/init.h>
23 #include <linux/kernel.h>
24 #include <linux/ptrace.h>
25 #include <linux/errno.h>
26 #include <linux/sched.h>
27 #include <linux/security.h>
28 #include <linux/xattr.h>
29 #include <linux/capability.h>
30 #include <linux/unistd.h>
32 #include <linux/mman.h>
33 #include <linux/slab.h>
34 #include <linux/pagemap.h>
35 #include <linux/swap.h>
36 #include <linux/smp_lock.h>
37 #include <linux/spinlock.h>
38 #include <linux/syscalls.h>
39 #include <linux/file.h>
40 #include <linux/namei.h>
41 #include <linux/mount.h>
42 #include <linux/ext2_fs.h>
43 #include <linux/proc_fs.h>
45 #include <linux/netfilter_ipv4.h>
46 #include <linux/netfilter_ipv6.h>
47 #include <linux/tty.h>
49 #include <net/ip.h> /* for sysctl_local_port_range[] */
50 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
51 #include <asm/uaccess.h>
52 #include <asm/semaphore.h>
53 #include <asm/ioctls.h>
54 #include <linux/bitops.h>
55 #include <linux/interrupt.h>
56 #include <linux/netdevice.h> /* for network interface checks */
57 #include <linux/netlink.h>
58 #include <linux/tcp.h>
59 #include <linux/udp.h>
60 #include <linux/quota.h>
61 #include <linux/un.h> /* for Unix socket types */
62 #include <net/af_unix.h> /* for Unix socket types */
63 #include <linux/parser.h>
64 #include <linux/nfs_mount.h>
66 #include <linux/hugetlb.h>
67 #include <linux/personality.h>
68 #include <linux/sysctl.h>
69 #include <linux/audit.h>
70 #include <linux/string.h>
71 #include <linux/selinux.h>
78 #define XATTR_SELINUX_SUFFIX "selinux"
79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
81 extern unsigned int policydb_loaded_version;
82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83 extern int selinux_compat_net;
85 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
86 int selinux_enforcing = 0;
88 static int __init enforcing_setup(char *str)
90 selinux_enforcing = simple_strtol(str,NULL,0);
93 __setup("enforcing=", enforcing_setup);
96 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
97 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
99 static int __init selinux_enabled_setup(char *str)
101 selinux_enabled = simple_strtol(str, NULL, 0);
104 __setup("selinux=", selinux_enabled_setup);
106 int selinux_enabled = 1;
109 /* Original (dummy) security module. */
110 static struct security_operations *original_ops = NULL;
112 /* Minimal support for a secondary security module,
113 just to allow the use of the dummy or capability modules.
114 The owlsm module can alternatively be used as a secondary
115 module as long as CONFIG_OWLSM_FD is not enabled. */
116 static struct security_operations *secondary_ops = NULL;
118 /* Lists of inode and superblock security structures initialized
119 before the policy was loaded. */
120 static LIST_HEAD(superblock_security_head);
121 static DEFINE_SPINLOCK(sb_security_lock);
123 static kmem_cache_t *sel_inode_cache;
125 /* Return security context for a given sid or just the context
126 length if the buffer is null or length is 0 */
127 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
133 rc = security_sid_to_context(sid, &context, &len);
137 if (!buffer || !size)
138 goto getsecurity_exit;
142 goto getsecurity_exit;
144 memcpy(buffer, context, len);
151 /* Allocate and free functions for each kind of security blob. */
153 static int task_alloc_security(struct task_struct *task)
155 struct task_security_struct *tsec;
157 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
162 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
163 task->security = tsec;
168 static void task_free_security(struct task_struct *task)
170 struct task_security_struct *tsec = task->security;
171 task->security = NULL;
175 static int inode_alloc_security(struct inode *inode)
177 struct task_security_struct *tsec = current->security;
178 struct inode_security_struct *isec;
180 isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
184 memset(isec, 0, sizeof(*isec));
185 init_MUTEX(&isec->sem);
186 INIT_LIST_HEAD(&isec->list);
188 isec->sid = SECINITSID_UNLABELED;
189 isec->sclass = SECCLASS_FILE;
190 isec->task_sid = tsec->sid;
191 inode->i_security = isec;
196 static void inode_free_security(struct inode *inode)
198 struct inode_security_struct *isec = inode->i_security;
199 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
201 spin_lock(&sbsec->isec_lock);
202 if (!list_empty(&isec->list))
203 list_del_init(&isec->list);
204 spin_unlock(&sbsec->isec_lock);
206 inode->i_security = NULL;
207 kmem_cache_free(sel_inode_cache, isec);
210 static int file_alloc_security(struct file *file)
212 struct task_security_struct *tsec = current->security;
213 struct file_security_struct *fsec;
215 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
220 fsec->sid = tsec->sid;
221 fsec->fown_sid = tsec->sid;
222 file->f_security = fsec;
227 static void file_free_security(struct file *file)
229 struct file_security_struct *fsec = file->f_security;
230 file->f_security = NULL;
234 static int superblock_alloc_security(struct super_block *sb)
236 struct superblock_security_struct *sbsec;
238 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
242 init_MUTEX(&sbsec->sem);
243 INIT_LIST_HEAD(&sbsec->list);
244 INIT_LIST_HEAD(&sbsec->isec_head);
245 spin_lock_init(&sbsec->isec_lock);
247 sbsec->sid = SECINITSID_UNLABELED;
248 sbsec->def_sid = SECINITSID_FILE;
249 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
250 sb->s_security = sbsec;
255 static void superblock_free_security(struct super_block *sb)
257 struct superblock_security_struct *sbsec = sb->s_security;
259 spin_lock(&sb_security_lock);
260 if (!list_empty(&sbsec->list))
261 list_del_init(&sbsec->list);
262 spin_unlock(&sb_security_lock);
264 sb->s_security = NULL;
268 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
270 struct sk_security_struct *ssec;
272 if (family != PF_UNIX)
275 ssec = kzalloc(sizeof(*ssec), priority);
280 ssec->peer_sid = SECINITSID_UNLABELED;
281 sk->sk_security = ssec;
286 static void sk_free_security(struct sock *sk)
288 struct sk_security_struct *ssec = sk->sk_security;
290 if (sk->sk_family != PF_UNIX)
293 sk->sk_security = NULL;
297 /* The security server must be initialized before
298 any labeling or access decisions can be provided. */
299 extern int ss_initialized;
301 /* The file system's label must be initialized prior to use. */
303 static char *labeling_behaviors[6] = {
305 "uses transition SIDs",
307 "uses genfs_contexts",
308 "not configured for labeling",
309 "uses mountpoint labeling",
312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
314 static inline int inode_doinit(struct inode *inode)
316 return inode_doinit_with_dentry(inode, NULL);
325 static match_table_t tokens = {
326 {Opt_context, "context=%s"},
327 {Opt_fscontext, "fscontext=%s"},
328 {Opt_defcontext, "defcontext=%s"},
331 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
333 static int may_context_mount_sb_relabel(u32 sid,
334 struct superblock_security_struct *sbsec,
335 struct task_security_struct *tsec)
339 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
340 FILESYSTEM__RELABELFROM, NULL);
344 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
345 FILESYSTEM__RELABELTO, NULL);
349 static int try_context_mount(struct super_block *sb, void *data)
351 char *context = NULL, *defcontext = NULL;
352 char *fscontext = NULL;
355 int alloc = 0, rc = 0, seen = 0;
356 struct task_security_struct *tsec = current->security;
357 struct superblock_security_struct *sbsec = sb->s_security;
362 name = sb->s_type->name;
364 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
366 /* NFS we understand. */
367 if (!strcmp(name, "nfs")) {
368 struct nfs_mount_data *d = data;
370 if (d->version < NFS_MOUNT_VERSION)
374 context = d->context;
381 /* Standard string-based options. */
382 char *p, *options = data;
384 while ((p = strsep(&options, ",")) != NULL) {
386 substring_t args[MAX_OPT_ARGS];
391 token = match_token(p, tokens, args);
395 if (seen & (Opt_context|Opt_defcontext)) {
397 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
400 context = match_strdup(&args[0]);
411 if (seen & Opt_fscontext) {
413 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
416 fscontext = match_strdup(&args[0]);
423 seen |= Opt_fscontext;
427 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
429 printk(KERN_WARNING "SELinux: "
430 "defcontext option is invalid "
431 "for this filesystem type\n");
434 if (seen & (Opt_context|Opt_defcontext)) {
436 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
439 defcontext = match_strdup(&args[0]);
446 seen |= Opt_defcontext;
451 printk(KERN_WARNING "SELinux: unknown mount "
462 /* sets the context of the superblock for the fs being mounted. */
464 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
466 printk(KERN_WARNING "SELinux: security_context_to_sid"
467 "(%s) failed for (dev %s, type %s) errno=%d\n",
468 fscontext, sb->s_id, name, rc);
472 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
480 * Switch to using mount point labeling behavior.
481 * sets the label used on all file below the mountpoint, and will set
482 * the superblock context if not already set.
485 rc = security_context_to_sid(context, strlen(context), &sid);
487 printk(KERN_WARNING "SELinux: security_context_to_sid"
488 "(%s) failed for (dev %s, type %s) errno=%d\n",
489 context, sb->s_id, name, rc);
493 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
499 sbsec->mntpoint_sid = sid;
501 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
505 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
507 printk(KERN_WARNING "SELinux: security_context_to_sid"
508 "(%s) failed for (dev %s, type %s) errno=%d\n",
509 defcontext, sb->s_id, name, rc);
513 if (sid == sbsec->def_sid)
516 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
517 FILESYSTEM__RELABELFROM, NULL);
521 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
522 FILESYSTEM__ASSOCIATE, NULL);
526 sbsec->def_sid = sid;
539 static int superblock_doinit(struct super_block *sb, void *data)
541 struct superblock_security_struct *sbsec = sb->s_security;
542 struct dentry *root = sb->s_root;
543 struct inode *inode = root->d_inode;
547 if (sbsec->initialized)
550 if (!ss_initialized) {
551 /* Defer initialization until selinux_complete_init,
552 after the initial policy is loaded and the security
553 server is ready to handle calls. */
554 spin_lock(&sb_security_lock);
555 if (list_empty(&sbsec->list))
556 list_add(&sbsec->list, &superblock_security_head);
557 spin_unlock(&sb_security_lock);
561 /* Determine the labeling behavior to use for this filesystem type. */
562 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
564 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
565 __FUNCTION__, sb->s_type->name, rc);
569 rc = try_context_mount(sb, data);
573 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
574 /* Make sure that the xattr handler exists and that no
575 error other than -ENODATA is returned by getxattr on
576 the root directory. -ENODATA is ok, as this may be
577 the first boot of the SELinux kernel before we have
578 assigned xattr values to the filesystem. */
579 if (!inode->i_op->getxattr) {
580 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
581 "xattr support\n", sb->s_id, sb->s_type->name);
585 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
586 if (rc < 0 && rc != -ENODATA) {
587 if (rc == -EOPNOTSUPP)
588 printk(KERN_WARNING "SELinux: (dev %s, type "
589 "%s) has no security xattr handler\n",
590 sb->s_id, sb->s_type->name);
592 printk(KERN_WARNING "SELinux: (dev %s, type "
593 "%s) getxattr errno %d\n", sb->s_id,
594 sb->s_type->name, -rc);
599 if (strcmp(sb->s_type->name, "proc") == 0)
602 sbsec->initialized = 1;
604 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
605 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
606 sb->s_id, sb->s_type->name);
609 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
610 sb->s_id, sb->s_type->name,
611 labeling_behaviors[sbsec->behavior-1]);
614 /* Initialize the root inode. */
615 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
617 /* Initialize any other inodes associated with the superblock, e.g.
618 inodes created prior to initial policy load or inodes created
619 during get_sb by a pseudo filesystem that directly
621 spin_lock(&sbsec->isec_lock);
623 if (!list_empty(&sbsec->isec_head)) {
624 struct inode_security_struct *isec =
625 list_entry(sbsec->isec_head.next,
626 struct inode_security_struct, list);
627 struct inode *inode = isec->inode;
628 spin_unlock(&sbsec->isec_lock);
629 inode = igrab(inode);
631 if (!IS_PRIVATE (inode))
635 spin_lock(&sbsec->isec_lock);
636 list_del_init(&isec->list);
639 spin_unlock(&sbsec->isec_lock);
645 static inline u16 inode_mode_to_security_class(umode_t mode)
647 switch (mode & S_IFMT) {
649 return SECCLASS_SOCK_FILE;
651 return SECCLASS_LNK_FILE;
653 return SECCLASS_FILE;
655 return SECCLASS_BLK_FILE;
659 return SECCLASS_CHR_FILE;
661 return SECCLASS_FIFO_FILE;
665 return SECCLASS_FILE;
668 static inline int default_protocol_stream(int protocol)
670 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
673 static inline int default_protocol_dgram(int protocol)
675 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
678 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
685 return SECCLASS_UNIX_STREAM_SOCKET;
687 return SECCLASS_UNIX_DGRAM_SOCKET;
694 if (default_protocol_stream(protocol))
695 return SECCLASS_TCP_SOCKET;
697 return SECCLASS_RAWIP_SOCKET;
699 if (default_protocol_dgram(protocol))
700 return SECCLASS_UDP_SOCKET;
702 return SECCLASS_RAWIP_SOCKET;
704 return SECCLASS_RAWIP_SOCKET;
710 return SECCLASS_NETLINK_ROUTE_SOCKET;
711 case NETLINK_FIREWALL:
712 return SECCLASS_NETLINK_FIREWALL_SOCKET;
713 case NETLINK_INET_DIAG:
714 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
716 return SECCLASS_NETLINK_NFLOG_SOCKET;
718 return SECCLASS_NETLINK_XFRM_SOCKET;
719 case NETLINK_SELINUX:
720 return SECCLASS_NETLINK_SELINUX_SOCKET;
722 return SECCLASS_NETLINK_AUDIT_SOCKET;
724 return SECCLASS_NETLINK_IP6FW_SOCKET;
725 case NETLINK_DNRTMSG:
726 return SECCLASS_NETLINK_DNRT_SOCKET;
727 case NETLINK_KOBJECT_UEVENT:
728 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
730 return SECCLASS_NETLINK_SOCKET;
733 return SECCLASS_PACKET_SOCKET;
735 return SECCLASS_KEY_SOCKET;
737 return SECCLASS_APPLETALK_SOCKET;
740 return SECCLASS_SOCKET;
743 #ifdef CONFIG_PROC_FS
744 static int selinux_proc_get_sid(struct proc_dir_entry *de,
749 char *buffer, *path, *end;
751 buffer = (char*)__get_free_page(GFP_KERNEL);
761 while (de && de != de->parent) {
762 buflen -= de->namelen + 1;
766 memcpy(end, de->name, de->namelen);
771 rc = security_genfs_sid("proc", path, tclass, sid);
772 free_page((unsigned long)buffer);
776 static int selinux_proc_get_sid(struct proc_dir_entry *de,
784 /* The inode's security attributes must be initialized before first use. */
785 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
787 struct superblock_security_struct *sbsec = NULL;
788 struct inode_security_struct *isec = inode->i_security;
790 struct dentry *dentry;
791 #define INITCONTEXTLEN 255
792 char *context = NULL;
797 if (isec->initialized)
802 if (isec->initialized)
805 sbsec = inode->i_sb->s_security;
806 if (!sbsec->initialized) {
807 /* Defer initialization until selinux_complete_init,
808 after the initial policy is loaded and the security
809 server is ready to handle calls. */
810 spin_lock(&sbsec->isec_lock);
811 if (list_empty(&isec->list))
812 list_add(&isec->list, &sbsec->isec_head);
813 spin_unlock(&sbsec->isec_lock);
817 switch (sbsec->behavior) {
818 case SECURITY_FS_USE_XATTR:
819 if (!inode->i_op->getxattr) {
820 isec->sid = sbsec->def_sid;
824 /* Need a dentry, since the xattr API requires one.
825 Life would be simpler if we could just pass the inode. */
827 /* Called from d_instantiate or d_splice_alias. */
828 dentry = dget(opt_dentry);
830 /* Called from selinux_complete_init, try to find a dentry. */
831 dentry = d_find_alias(inode);
834 printk(KERN_WARNING "%s: no dentry for dev=%s "
835 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
840 len = INITCONTEXTLEN;
841 context = kmalloc(len, GFP_KERNEL);
847 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
850 /* Need a larger buffer. Query for the right size. */
851 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
859 context = kmalloc(len, GFP_KERNEL);
865 rc = inode->i_op->getxattr(dentry,
871 if (rc != -ENODATA) {
872 printk(KERN_WARNING "%s: getxattr returned "
873 "%d for dev=%s ino=%ld\n", __FUNCTION__,
874 -rc, inode->i_sb->s_id, inode->i_ino);
878 /* Map ENODATA to the default file SID */
879 sid = sbsec->def_sid;
882 rc = security_context_to_sid_default(context, rc, &sid,
885 printk(KERN_WARNING "%s: context_to_sid(%s) "
886 "returned %d for dev=%s ino=%ld\n",
887 __FUNCTION__, context, -rc,
888 inode->i_sb->s_id, inode->i_ino);
890 /* Leave with the unlabeled SID */
898 case SECURITY_FS_USE_TASK:
899 isec->sid = isec->task_sid;
901 case SECURITY_FS_USE_TRANS:
902 /* Default to the fs SID. */
903 isec->sid = sbsec->sid;
905 /* Try to obtain a transition SID. */
906 isec->sclass = inode_mode_to_security_class(inode->i_mode);
907 rc = security_transition_sid(isec->task_sid,
915 case SECURITY_FS_USE_MNTPOINT:
916 isec->sid = sbsec->mntpoint_sid;
919 /* Default to the fs superblock SID. */
920 isec->sid = sbsec->sid;
923 struct proc_inode *proci = PROC_I(inode);
925 isec->sclass = inode_mode_to_security_class(inode->i_mode);
926 rc = selinux_proc_get_sid(proci->pde,
937 isec->initialized = 1;
940 if (isec->sclass == SECCLASS_FILE)
941 isec->sclass = inode_mode_to_security_class(inode->i_mode);
948 /* Convert a Linux signal to an access vector. */
949 static inline u32 signal_to_av(int sig)
955 /* Commonly granted from child to parent. */
956 perm = PROCESS__SIGCHLD;
959 /* Cannot be caught or ignored */
960 perm = PROCESS__SIGKILL;
963 /* Cannot be caught or ignored */
964 perm = PROCESS__SIGSTOP;
967 /* All other signals. */
968 perm = PROCESS__SIGNAL;
975 /* Check permission betweeen a pair of tasks, e.g. signal checks,
976 fork check, ptrace check, etc. */
977 static int task_has_perm(struct task_struct *tsk1,
978 struct task_struct *tsk2,
981 struct task_security_struct *tsec1, *tsec2;
983 tsec1 = tsk1->security;
984 tsec2 = tsk2->security;
985 return avc_has_perm(tsec1->sid, tsec2->sid,
986 SECCLASS_PROCESS, perms, NULL);
989 /* Check whether a task is allowed to use a capability. */
990 static int task_has_capability(struct task_struct *tsk,
993 struct task_security_struct *tsec;
994 struct avc_audit_data ad;
996 tsec = tsk->security;
998 AVC_AUDIT_DATA_INIT(&ad,CAP);
1002 return avc_has_perm(tsec->sid, tsec->sid,
1003 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1006 /* Check whether a task is allowed to use a system operation. */
1007 static int task_has_system(struct task_struct *tsk,
1010 struct task_security_struct *tsec;
1012 tsec = tsk->security;
1014 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1015 SECCLASS_SYSTEM, perms, NULL);
1018 /* Check whether a task has a particular permission to an inode.
1019 The 'adp' parameter is optional and allows other audit
1020 data to be passed (e.g. the dentry). */
1021 static int inode_has_perm(struct task_struct *tsk,
1022 struct inode *inode,
1024 struct avc_audit_data *adp)
1026 struct task_security_struct *tsec;
1027 struct inode_security_struct *isec;
1028 struct avc_audit_data ad;
1030 tsec = tsk->security;
1031 isec = inode->i_security;
1035 AVC_AUDIT_DATA_INIT(&ad, FS);
1036 ad.u.fs.inode = inode;
1039 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1042 /* Same as inode_has_perm, but pass explicit audit data containing
1043 the dentry to help the auditing code to more easily generate the
1044 pathname if needed. */
1045 static inline int dentry_has_perm(struct task_struct *tsk,
1046 struct vfsmount *mnt,
1047 struct dentry *dentry,
1050 struct inode *inode = dentry->d_inode;
1051 struct avc_audit_data ad;
1052 AVC_AUDIT_DATA_INIT(&ad,FS);
1054 ad.u.fs.dentry = dentry;
1055 return inode_has_perm(tsk, inode, av, &ad);
1058 /* Check whether a task can use an open file descriptor to
1059 access an inode in a given way. Check access to the
1060 descriptor itself, and then use dentry_has_perm to
1061 check a particular permission to the file.
1062 Access to the descriptor is implicitly granted if it
1063 has the same SID as the process. If av is zero, then
1064 access to the file is not checked, e.g. for cases
1065 where only the descriptor is affected like seek. */
1066 static int file_has_perm(struct task_struct *tsk,
1070 struct task_security_struct *tsec = tsk->security;
1071 struct file_security_struct *fsec = file->f_security;
1072 struct vfsmount *mnt = file->f_vfsmnt;
1073 struct dentry *dentry = file->f_dentry;
1074 struct inode *inode = dentry->d_inode;
1075 struct avc_audit_data ad;
1078 AVC_AUDIT_DATA_INIT(&ad, FS);
1080 ad.u.fs.dentry = dentry;
1082 if (tsec->sid != fsec->sid) {
1083 rc = avc_has_perm(tsec->sid, fsec->sid,
1091 /* av is zero if only checking access to the descriptor. */
1093 return inode_has_perm(tsk, inode, av, &ad);
1098 /* Check whether a task can create a file. */
1099 static int may_create(struct inode *dir,
1100 struct dentry *dentry,
1103 struct task_security_struct *tsec;
1104 struct inode_security_struct *dsec;
1105 struct superblock_security_struct *sbsec;
1107 struct avc_audit_data ad;
1110 tsec = current->security;
1111 dsec = dir->i_security;
1112 sbsec = dir->i_sb->s_security;
1114 AVC_AUDIT_DATA_INIT(&ad, FS);
1115 ad.u.fs.dentry = dentry;
1117 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1118 DIR__ADD_NAME | DIR__SEARCH,
1123 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1124 newsid = tsec->create_sid;
1126 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1132 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1136 return avc_has_perm(newsid, sbsec->sid,
1137 SECCLASS_FILESYSTEM,
1138 FILESYSTEM__ASSOCIATE, &ad);
1141 /* Check whether a task can create a key. */
1142 static int may_create_key(u32 ksid,
1143 struct task_struct *ctx)
1145 struct task_security_struct *tsec;
1147 tsec = ctx->security;
1149 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1153 #define MAY_UNLINK 1
1156 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1157 static int may_link(struct inode *dir,
1158 struct dentry *dentry,
1162 struct task_security_struct *tsec;
1163 struct inode_security_struct *dsec, *isec;
1164 struct avc_audit_data ad;
1168 tsec = current->security;
1169 dsec = dir->i_security;
1170 isec = dentry->d_inode->i_security;
1172 AVC_AUDIT_DATA_INIT(&ad, FS);
1173 ad.u.fs.dentry = dentry;
1176 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1177 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1192 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1196 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1200 static inline int may_rename(struct inode *old_dir,
1201 struct dentry *old_dentry,
1202 struct inode *new_dir,
1203 struct dentry *new_dentry)
1205 struct task_security_struct *tsec;
1206 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1207 struct avc_audit_data ad;
1209 int old_is_dir, new_is_dir;
1212 tsec = current->security;
1213 old_dsec = old_dir->i_security;
1214 old_isec = old_dentry->d_inode->i_security;
1215 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1216 new_dsec = new_dir->i_security;
1218 AVC_AUDIT_DATA_INIT(&ad, FS);
1220 ad.u.fs.dentry = old_dentry;
1221 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1222 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1225 rc = avc_has_perm(tsec->sid, old_isec->sid,
1226 old_isec->sclass, FILE__RENAME, &ad);
1229 if (old_is_dir && new_dir != old_dir) {
1230 rc = avc_has_perm(tsec->sid, old_isec->sid,
1231 old_isec->sclass, DIR__REPARENT, &ad);
1236 ad.u.fs.dentry = new_dentry;
1237 av = DIR__ADD_NAME | DIR__SEARCH;
1238 if (new_dentry->d_inode)
1239 av |= DIR__REMOVE_NAME;
1240 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1243 if (new_dentry->d_inode) {
1244 new_isec = new_dentry->d_inode->i_security;
1245 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1246 rc = avc_has_perm(tsec->sid, new_isec->sid,
1248 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1256 /* Check whether a task can perform a filesystem operation. */
1257 static int superblock_has_perm(struct task_struct *tsk,
1258 struct super_block *sb,
1260 struct avc_audit_data *ad)
1262 struct task_security_struct *tsec;
1263 struct superblock_security_struct *sbsec;
1265 tsec = tsk->security;
1266 sbsec = sb->s_security;
1267 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1271 /* Convert a Linux mode and permission mask to an access vector. */
1272 static inline u32 file_mask_to_av(int mode, int mask)
1276 if ((mode & S_IFMT) != S_IFDIR) {
1277 if (mask & MAY_EXEC)
1278 av |= FILE__EXECUTE;
1279 if (mask & MAY_READ)
1282 if (mask & MAY_APPEND)
1284 else if (mask & MAY_WRITE)
1288 if (mask & MAY_EXEC)
1290 if (mask & MAY_WRITE)
1292 if (mask & MAY_READ)
1299 /* Convert a Linux file to an access vector. */
1300 static inline u32 file_to_av(struct file *file)
1304 if (file->f_mode & FMODE_READ)
1306 if (file->f_mode & FMODE_WRITE) {
1307 if (file->f_flags & O_APPEND)
1316 /* Set an inode's SID to a specified value. */
1317 static int inode_security_set_sid(struct inode *inode, u32 sid)
1319 struct inode_security_struct *isec = inode->i_security;
1320 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1322 if (!sbsec->initialized) {
1323 /* Defer initialization to selinux_complete_init. */
1328 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1330 isec->initialized = 1;
1335 /* Hook functions begin here. */
1337 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1339 struct task_security_struct *psec = parent->security;
1340 struct task_security_struct *csec = child->security;
1343 rc = secondary_ops->ptrace(parent,child);
1347 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1348 /* Save the SID of the tracing process for later use in apply_creds. */
1349 if (!(child->ptrace & PT_PTRACED) && !rc)
1350 csec->ptrace_sid = psec->sid;
1354 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1355 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1359 error = task_has_perm(current, target, PROCESS__GETCAP);
1363 return secondary_ops->capget(target, effective, inheritable, permitted);
1366 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1367 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1371 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1375 return task_has_perm(current, target, PROCESS__SETCAP);
1378 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1379 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1381 secondary_ops->capset_set(target, effective, inheritable, permitted);
1384 static int selinux_capable(struct task_struct *tsk, int cap)
1388 rc = secondary_ops->capable(tsk, cap);
1392 return task_has_capability(tsk,cap);
1395 static int selinux_sysctl(ctl_table *table, int op)
1399 struct task_security_struct *tsec;
1403 rc = secondary_ops->sysctl(table, op);
1407 tsec = current->security;
1409 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1410 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1412 /* Default to the well-defined sysctl SID. */
1413 tsid = SECINITSID_SYSCTL;
1416 /* The op values are "defined" in sysctl.c, thereby creating
1417 * a bad coupling between this module and sysctl.c */
1419 error = avc_has_perm(tsec->sid, tsid,
1420 SECCLASS_DIR, DIR__SEARCH, NULL);
1428 error = avc_has_perm(tsec->sid, tsid,
1429 SECCLASS_FILE, av, NULL);
1435 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1448 rc = superblock_has_perm(current,
1450 FILESYSTEM__QUOTAMOD, NULL);
1455 rc = superblock_has_perm(current,
1457 FILESYSTEM__QUOTAGET, NULL);
1460 rc = 0; /* let the kernel handle invalid cmds */
1466 static int selinux_quota_on(struct dentry *dentry)
1468 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1471 static int selinux_syslog(int type)
1475 rc = secondary_ops->syslog(type);
1480 case 3: /* Read last kernel messages */
1481 case 10: /* Return size of the log buffer */
1482 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1484 case 6: /* Disable logging to console */
1485 case 7: /* Enable logging to console */
1486 case 8: /* Set level of messages printed to console */
1487 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1489 case 0: /* Close log */
1490 case 1: /* Open log */
1491 case 2: /* Read from log */
1492 case 4: /* Read/clear last kernel messages */
1493 case 5: /* Clear ring buffer */
1495 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1502 * Check that a process has enough memory to allocate a new virtual
1503 * mapping. 0 means there is enough memory for the allocation to
1504 * succeed and -ENOMEM implies there is not.
1506 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1507 * if the capability is granted, but __vm_enough_memory requires 1 if
1508 * the capability is granted.
1510 * Do not audit the selinux permission check, as this is applied to all
1511 * processes that allocate mappings.
1513 static int selinux_vm_enough_memory(long pages)
1515 int rc, cap_sys_admin = 0;
1516 struct task_security_struct *tsec = current->security;
1518 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1520 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1521 SECCLASS_CAPABILITY,
1522 CAP_TO_MASK(CAP_SYS_ADMIN),
1528 return __vm_enough_memory(pages, cap_sys_admin);
1531 /* binprm security operations */
1533 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1535 struct bprm_security_struct *bsec;
1537 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1542 bsec->sid = SECINITSID_UNLABELED;
1545 bprm->security = bsec;
1549 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1551 struct task_security_struct *tsec;
1552 struct inode *inode = bprm->file->f_dentry->d_inode;
1553 struct inode_security_struct *isec;
1554 struct bprm_security_struct *bsec;
1556 struct avc_audit_data ad;
1559 rc = secondary_ops->bprm_set_security(bprm);
1563 bsec = bprm->security;
1568 tsec = current->security;
1569 isec = inode->i_security;
1571 /* Default to the current task SID. */
1572 bsec->sid = tsec->sid;
1574 /* Reset fs, key, and sock SIDs on execve. */
1575 tsec->create_sid = 0;
1576 tsec->keycreate_sid = 0;
1577 tsec->sockcreate_sid = 0;
1579 if (tsec->exec_sid) {
1580 newsid = tsec->exec_sid;
1581 /* Reset exec SID on execve. */
1584 /* Check for a default transition on this program. */
1585 rc = security_transition_sid(tsec->sid, isec->sid,
1586 SECCLASS_PROCESS, &newsid);
1591 AVC_AUDIT_DATA_INIT(&ad, FS);
1592 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1593 ad.u.fs.dentry = bprm->file->f_dentry;
1595 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1598 if (tsec->sid == newsid) {
1599 rc = avc_has_perm(tsec->sid, isec->sid,
1600 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1604 /* Check permissions for the transition. */
1605 rc = avc_has_perm(tsec->sid, newsid,
1606 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1610 rc = avc_has_perm(newsid, isec->sid,
1611 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1615 /* Clear any possibly unsafe personality bits on exec: */
1616 current->personality &= ~PER_CLEAR_ON_SETID;
1618 /* Set the security field to the new SID. */
1626 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1628 return secondary_ops->bprm_check_security(bprm);
1632 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1634 struct task_security_struct *tsec = current->security;
1637 if (tsec->osid != tsec->sid) {
1638 /* Enable secure mode for SIDs transitions unless
1639 the noatsecure permission is granted between
1640 the two SIDs, i.e. ahp returns 0. */
1641 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1643 PROCESS__NOATSECURE, NULL);
1646 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1649 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1651 kfree(bprm->security);
1652 bprm->security = NULL;
1655 extern struct vfsmount *selinuxfs_mount;
1656 extern struct dentry *selinux_null;
1658 /* Derived from fs/exec.c:flush_old_files. */
1659 static inline void flush_unauthorized_files(struct files_struct * files)
1661 struct avc_audit_data ad;
1662 struct file *file, *devnull = NULL;
1663 struct tty_struct *tty = current->signal->tty;
1664 struct fdtable *fdt;
1669 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1671 /* Revalidate access to controlling tty.
1672 Use inode_has_perm on the tty inode directly rather
1673 than using file_has_perm, as this particular open
1674 file may belong to another process and we are only
1675 interested in the inode-based check here. */
1676 struct inode *inode = file->f_dentry->d_inode;
1677 if (inode_has_perm(current, inode,
1678 FILE__READ | FILE__WRITE, NULL)) {
1679 /* Reset controlling tty. */
1680 current->signal->tty = NULL;
1681 current->signal->tty_old_pgrp = 0;
1687 /* Revalidate access to inherited open files. */
1689 AVC_AUDIT_DATA_INIT(&ad,FS);
1691 spin_lock(&files->file_lock);
1693 unsigned long set, i;
1698 fdt = files_fdtable(files);
1699 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1701 set = fdt->open_fds->fds_bits[j];
1704 spin_unlock(&files->file_lock);
1705 for ( ; set ; i++,set >>= 1) {
1710 if (file_has_perm(current,
1712 file_to_av(file))) {
1714 fd = get_unused_fd();
1724 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1731 fd_install(fd, devnull);
1736 spin_lock(&files->file_lock);
1739 spin_unlock(&files->file_lock);
1742 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1744 struct task_security_struct *tsec;
1745 struct bprm_security_struct *bsec;
1749 secondary_ops->bprm_apply_creds(bprm, unsafe);
1751 tsec = current->security;
1753 bsec = bprm->security;
1756 tsec->osid = tsec->sid;
1758 if (tsec->sid != sid) {
1759 /* Check for shared state. If not ok, leave SID
1760 unchanged and kill. */
1761 if (unsafe & LSM_UNSAFE_SHARE) {
1762 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1763 PROCESS__SHARE, NULL);
1770 /* Check for ptracing, and update the task SID if ok.
1771 Otherwise, leave SID unchanged and kill. */
1772 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1773 rc = avc_has_perm(tsec->ptrace_sid, sid,
1774 SECCLASS_PROCESS, PROCESS__PTRACE,
1786 * called after apply_creds without the task lock held
1788 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1790 struct task_security_struct *tsec;
1791 struct rlimit *rlim, *initrlim;
1792 struct itimerval itimer;
1793 struct bprm_security_struct *bsec;
1796 tsec = current->security;
1797 bsec = bprm->security;
1800 force_sig_specific(SIGKILL, current);
1803 if (tsec->osid == tsec->sid)
1806 /* Close files for which the new task SID is not authorized. */
1807 flush_unauthorized_files(current->files);
1809 /* Check whether the new SID can inherit signal state
1810 from the old SID. If not, clear itimers to avoid
1811 subsequent signal generation and flush and unblock
1812 signals. This must occur _after_ the task SID has
1813 been updated so that any kill done after the flush
1814 will be checked against the new SID. */
1815 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1816 PROCESS__SIGINH, NULL);
1818 memset(&itimer, 0, sizeof itimer);
1819 for (i = 0; i < 3; i++)
1820 do_setitimer(i, &itimer, NULL);
1821 flush_signals(current);
1822 spin_lock_irq(¤t->sighand->siglock);
1823 flush_signal_handlers(current, 1);
1824 sigemptyset(¤t->blocked);
1825 recalc_sigpending();
1826 spin_unlock_irq(¤t->sighand->siglock);
1829 /* Check whether the new SID can inherit resource limits
1830 from the old SID. If not, reset all soft limits to
1831 the lower of the current task's hard limit and the init
1832 task's soft limit. Note that the setting of hard limits
1833 (even to lower them) can be controlled by the setrlimit
1834 check. The inclusion of the init task's soft limit into
1835 the computation is to avoid resetting soft limits higher
1836 than the default soft limit for cases where the default
1837 is lower than the hard limit, e.g. RLIMIT_CORE or
1839 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1840 PROCESS__RLIMITINH, NULL);
1842 for (i = 0; i < RLIM_NLIMITS; i++) {
1843 rlim = current->signal->rlim + i;
1844 initrlim = init_task.signal->rlim+i;
1845 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1847 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1849 * This will cause RLIMIT_CPU calculations
1852 current->it_prof_expires = jiffies_to_cputime(1);
1856 /* Wake up the parent if it is waiting so that it can
1857 recheck wait permission to the new task SID. */
1858 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
1861 /* superblock security operations */
1863 static int selinux_sb_alloc_security(struct super_block *sb)
1865 return superblock_alloc_security(sb);
1868 static void selinux_sb_free_security(struct super_block *sb)
1870 superblock_free_security(sb);
1873 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1878 return !memcmp(prefix, option, plen);
1881 static inline int selinux_option(char *option, int len)
1883 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1884 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1885 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1888 static inline void take_option(char **to, char *from, int *first, int len)
1896 memcpy(*to, from, len);
1900 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1902 int fnosec, fsec, rc = 0;
1903 char *in_save, *in_curr, *in_end;
1904 char *sec_curr, *nosec_save, *nosec;
1909 /* Binary mount data: just copy */
1910 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1911 copy_page(sec_curr, in_curr);
1915 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1923 in_save = in_end = orig;
1926 if (*in_end == ',' || *in_end == '\0') {
1927 int len = in_end - in_curr;
1929 if (selinux_option(in_curr, len))
1930 take_option(&sec_curr, in_curr, &fsec, len);
1932 take_option(&nosec, in_curr, &fnosec, len);
1934 in_curr = in_end + 1;
1936 } while (*in_end++);
1938 strcpy(in_save, nosec_save);
1939 free_page((unsigned long)nosec_save);
1944 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1946 struct avc_audit_data ad;
1949 rc = superblock_doinit(sb, data);
1953 AVC_AUDIT_DATA_INIT(&ad,FS);
1954 ad.u.fs.dentry = sb->s_root;
1955 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1958 static int selinux_sb_statfs(struct dentry *dentry)
1960 struct avc_audit_data ad;
1962 AVC_AUDIT_DATA_INIT(&ad,FS);
1963 ad.u.fs.dentry = dentry->d_sb->s_root;
1964 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1967 static int selinux_mount(char * dev_name,
1968 struct nameidata *nd,
1970 unsigned long flags,
1975 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1979 if (flags & MS_REMOUNT)
1980 return superblock_has_perm(current, nd->mnt->mnt_sb,
1981 FILESYSTEM__REMOUNT, NULL);
1983 return dentry_has_perm(current, nd->mnt, nd->dentry,
1987 static int selinux_umount(struct vfsmount *mnt, int flags)
1991 rc = secondary_ops->sb_umount(mnt, flags);
1995 return superblock_has_perm(current,mnt->mnt_sb,
1996 FILESYSTEM__UNMOUNT,NULL);
1999 /* inode security operations */
2001 static int selinux_inode_alloc_security(struct inode *inode)
2003 return inode_alloc_security(inode);
2006 static void selinux_inode_free_security(struct inode *inode)
2008 inode_free_security(inode);
2011 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2012 char **name, void **value,
2015 struct task_security_struct *tsec;
2016 struct inode_security_struct *dsec;
2017 struct superblock_security_struct *sbsec;
2020 char *namep = NULL, *context;
2022 tsec = current->security;
2023 dsec = dir->i_security;
2024 sbsec = dir->i_sb->s_security;
2026 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2027 newsid = tsec->create_sid;
2029 rc = security_transition_sid(tsec->sid, dsec->sid,
2030 inode_mode_to_security_class(inode->i_mode),
2033 printk(KERN_WARNING "%s: "
2034 "security_transition_sid failed, rc=%d (dev=%s "
2037 -rc, inode->i_sb->s_id, inode->i_ino);
2042 inode_security_set_sid(inode, newsid);
2044 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2048 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2055 rc = security_sid_to_context(newsid, &context, &clen);
2067 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2069 return may_create(dir, dentry, SECCLASS_FILE);
2072 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2076 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2079 return may_link(dir, old_dentry, MAY_LINK);
2082 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2086 rc = secondary_ops->inode_unlink(dir, dentry);
2089 return may_link(dir, dentry, MAY_UNLINK);
2092 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2094 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2097 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2099 return may_create(dir, dentry, SECCLASS_DIR);
2102 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2104 return may_link(dir, dentry, MAY_RMDIR);
2107 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2111 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2115 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2118 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2119 struct inode *new_inode, struct dentry *new_dentry)
2121 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2124 static int selinux_inode_readlink(struct dentry *dentry)
2126 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2129 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2133 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2136 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2139 static int selinux_inode_permission(struct inode *inode, int mask,
2140 struct nameidata *nd)
2144 rc = secondary_ops->inode_permission(inode, mask, nd);
2149 /* No permission to check. Existence test. */
2153 return inode_has_perm(current, inode,
2154 file_mask_to_av(inode->i_mode, mask), NULL);
2157 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2161 rc = secondary_ops->inode_setattr(dentry, iattr);
2165 if (iattr->ia_valid & ATTR_FORCE)
2168 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2169 ATTR_ATIME_SET | ATTR_MTIME_SET))
2170 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2172 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2175 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2177 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2180 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2182 struct task_security_struct *tsec = current->security;
2183 struct inode *inode = dentry->d_inode;
2184 struct inode_security_struct *isec = inode->i_security;
2185 struct superblock_security_struct *sbsec;
2186 struct avc_audit_data ad;
2190 if (strcmp(name, XATTR_NAME_SELINUX)) {
2191 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2192 sizeof XATTR_SECURITY_PREFIX - 1) &&
2193 !capable(CAP_SYS_ADMIN)) {
2194 /* A different attribute in the security namespace.
2195 Restrict to administrator. */
2199 /* Not an attribute we recognize, so just check the
2200 ordinary setattr permission. */
2201 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2204 sbsec = inode->i_sb->s_security;
2205 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2208 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2211 AVC_AUDIT_DATA_INIT(&ad,FS);
2212 ad.u.fs.dentry = dentry;
2214 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2215 FILE__RELABELFROM, &ad);
2219 rc = security_context_to_sid(value, size, &newsid);
2223 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2224 FILE__RELABELTO, &ad);
2228 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2233 return avc_has_perm(newsid,
2235 SECCLASS_FILESYSTEM,
2236 FILESYSTEM__ASSOCIATE,
2240 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2241 void *value, size_t size, int flags)
2243 struct inode *inode = dentry->d_inode;
2244 struct inode_security_struct *isec = inode->i_security;
2248 if (strcmp(name, XATTR_NAME_SELINUX)) {
2249 /* Not an attribute we recognize, so nothing to do. */
2253 rc = security_context_to_sid(value, size, &newsid);
2255 printk(KERN_WARNING "%s: unable to obtain SID for context "
2256 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2264 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2266 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2269 static int selinux_inode_listxattr (struct dentry *dentry)
2271 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2274 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2276 if (strcmp(name, XATTR_NAME_SELINUX)) {
2277 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2278 sizeof XATTR_SECURITY_PREFIX - 1) &&
2279 !capable(CAP_SYS_ADMIN)) {
2280 /* A different attribute in the security namespace.
2281 Restrict to administrator. */
2285 /* Not an attribute we recognize, so just check the
2286 ordinary setattr permission. Might want a separate
2287 permission for removexattr. */
2288 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2291 /* No one is allowed to remove a SELinux security label.
2292 You can change the label, but all data must be labeled. */
2296 static const char *selinux_inode_xattr_getsuffix(void)
2298 return XATTR_SELINUX_SUFFIX;
2302 * Copy the in-core inode security context value to the user. If the
2303 * getxattr() prior to this succeeded, check to see if we need to
2304 * canonicalize the value to be finally returned to the user.
2306 * Permission check is handled by selinux_inode_getxattr hook.
2308 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2310 struct inode_security_struct *isec = inode->i_security;
2312 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2315 return selinux_getsecurity(isec->sid, buffer, size);
2318 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2319 const void *value, size_t size, int flags)
2321 struct inode_security_struct *isec = inode->i_security;
2325 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2328 if (!value || !size)
2331 rc = security_context_to_sid((void*)value, size, &newsid);
2339 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2341 const int len = sizeof(XATTR_NAME_SELINUX);
2342 if (buffer && len <= buffer_size)
2343 memcpy(buffer, XATTR_NAME_SELINUX, len);
2347 /* file security operations */
2349 static int selinux_file_permission(struct file *file, int mask)
2351 struct inode *inode = file->f_dentry->d_inode;
2354 /* No permission to check. Existence test. */
2358 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2359 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2362 return file_has_perm(current, file,
2363 file_mask_to_av(inode->i_mode, mask));
2366 static int selinux_file_alloc_security(struct file *file)
2368 return file_alloc_security(file);
2371 static void selinux_file_free_security(struct file *file)
2373 file_free_security(file);
2376 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2388 case EXT2_IOC_GETFLAGS:
2390 case EXT2_IOC_GETVERSION:
2391 error = file_has_perm(current, file, FILE__GETATTR);
2394 case EXT2_IOC_SETFLAGS:
2396 case EXT2_IOC_SETVERSION:
2397 error = file_has_perm(current, file, FILE__SETATTR);
2400 /* sys_ioctl() checks */
2404 error = file_has_perm(current, file, 0);
2409 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2412 /* default case assumes that the command will go
2413 * to the file's ioctl() function.
2416 error = file_has_perm(current, file, FILE__IOCTL);
2422 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2424 #ifndef CONFIG_PPC32
2425 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2427 * We are making executable an anonymous mapping or a
2428 * private file mapping that will also be writable.
2429 * This has an additional check.
2431 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2438 /* read access is always possible with a mapping */
2439 u32 av = FILE__READ;
2441 /* write access only matters if the mapping is shared */
2442 if (shared && (prot & PROT_WRITE))
2445 if (prot & PROT_EXEC)
2446 av |= FILE__EXECUTE;
2448 return file_has_perm(current, file, av);
2453 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2454 unsigned long prot, unsigned long flags)
2458 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2462 if (selinux_checkreqprot)
2465 return file_map_prot_check(file, prot,
2466 (flags & MAP_TYPE) == MAP_SHARED);
2469 static int selinux_file_mprotect(struct vm_area_struct *vma,
2470 unsigned long reqprot,
2475 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2479 if (selinux_checkreqprot)
2482 #ifndef CONFIG_PPC32
2483 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2485 if (vma->vm_start >= vma->vm_mm->start_brk &&
2486 vma->vm_end <= vma->vm_mm->brk) {
2487 rc = task_has_perm(current, current,
2489 } else if (!vma->vm_file &&
2490 vma->vm_start <= vma->vm_mm->start_stack &&
2491 vma->vm_end >= vma->vm_mm->start_stack) {
2492 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2493 } else if (vma->vm_file && vma->anon_vma) {
2495 * We are making executable a file mapping that has
2496 * had some COW done. Since pages might have been
2497 * written, check ability to execute the possibly
2498 * modified content. This typically should only
2499 * occur for text relocations.
2501 rc = file_has_perm(current, vma->vm_file,
2509 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2512 static int selinux_file_lock(struct file *file, unsigned int cmd)
2514 return file_has_perm(current, file, FILE__LOCK);
2517 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2524 if (!file->f_dentry || !file->f_dentry->d_inode) {
2529 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2530 err = file_has_perm(current, file,FILE__WRITE);
2539 /* Just check FD__USE permission */
2540 err = file_has_perm(current, file, 0);
2545 #if BITS_PER_LONG == 32
2550 if (!file->f_dentry || !file->f_dentry->d_inode) {
2554 err = file_has_perm(current, file, FILE__LOCK);
2561 static int selinux_file_set_fowner(struct file *file)
2563 struct task_security_struct *tsec;
2564 struct file_security_struct *fsec;
2566 tsec = current->security;
2567 fsec = file->f_security;
2568 fsec->fown_sid = tsec->sid;
2573 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2574 struct fown_struct *fown, int signum)
2578 struct task_security_struct *tsec;
2579 struct file_security_struct *fsec;
2581 /* struct fown_struct is never outside the context of a struct file */
2582 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2584 tsec = tsk->security;
2585 fsec = file->f_security;
2588 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2590 perm = signal_to_av(signum);
2592 return avc_has_perm(fsec->fown_sid, tsec->sid,
2593 SECCLASS_PROCESS, perm, NULL);
2596 static int selinux_file_receive(struct file *file)
2598 return file_has_perm(current, file, file_to_av(file));
2601 /* task security operations */
2603 static int selinux_task_create(unsigned long clone_flags)
2607 rc = secondary_ops->task_create(clone_flags);
2611 return task_has_perm(current, current, PROCESS__FORK);
2614 static int selinux_task_alloc_security(struct task_struct *tsk)
2616 struct task_security_struct *tsec1, *tsec2;
2619 tsec1 = current->security;
2621 rc = task_alloc_security(tsk);
2624 tsec2 = tsk->security;
2626 tsec2->osid = tsec1->osid;
2627 tsec2->sid = tsec1->sid;
2629 /* Retain the exec, fs, key, and sock SIDs across fork */
2630 tsec2->exec_sid = tsec1->exec_sid;
2631 tsec2->create_sid = tsec1->create_sid;
2632 tsec2->keycreate_sid = tsec1->keycreate_sid;
2633 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
2635 /* Retain ptracer SID across fork, if any.
2636 This will be reset by the ptrace hook upon any
2637 subsequent ptrace_attach operations. */
2638 tsec2->ptrace_sid = tsec1->ptrace_sid;
2643 static void selinux_task_free_security(struct task_struct *tsk)
2645 task_free_security(tsk);
2648 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2650 /* Since setuid only affects the current process, and
2651 since the SELinux controls are not based on the Linux
2652 identity attributes, SELinux does not need to control
2653 this operation. However, SELinux does control the use
2654 of the CAP_SETUID and CAP_SETGID capabilities using the
2659 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2661 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2664 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2666 /* See the comment for setuid above. */
2670 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2672 return task_has_perm(current, p, PROCESS__SETPGID);
2675 static int selinux_task_getpgid(struct task_struct *p)
2677 return task_has_perm(current, p, PROCESS__GETPGID);
2680 static int selinux_task_getsid(struct task_struct *p)
2682 return task_has_perm(current, p, PROCESS__GETSESSION);
2685 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
2687 selinux_get_task_sid(p, secid);
2690 static int selinux_task_setgroups(struct group_info *group_info)
2692 /* See the comment for setuid above. */
2696 static int selinux_task_setnice(struct task_struct *p, int nice)
2700 rc = secondary_ops->task_setnice(p, nice);
2704 return task_has_perm(current,p, PROCESS__SETSCHED);
2707 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
2709 return task_has_perm(current, p, PROCESS__SETSCHED);
2712 static int selinux_task_getioprio(struct task_struct *p)
2714 return task_has_perm(current, p, PROCESS__GETSCHED);
2717 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2719 struct rlimit *old_rlim = current->signal->rlim + resource;
2722 rc = secondary_ops->task_setrlimit(resource, new_rlim);
2726 /* Control the ability to change the hard limit (whether
2727 lowering or raising it), so that the hard limit can
2728 later be used as a safe reset point for the soft limit
2729 upon context transitions. See selinux_bprm_apply_creds. */
2730 if (old_rlim->rlim_max != new_rlim->rlim_max)
2731 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2736 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2738 return task_has_perm(current, p, PROCESS__SETSCHED);
2741 static int selinux_task_getscheduler(struct task_struct *p)
2743 return task_has_perm(current, p, PROCESS__GETSCHED);
2746 static int selinux_task_movememory(struct task_struct *p)
2748 return task_has_perm(current, p, PROCESS__SETSCHED);
2751 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
2756 struct task_security_struct *tsec;
2758 rc = secondary_ops->task_kill(p, info, sig, secid);
2762 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2766 perm = PROCESS__SIGNULL; /* null signal; existence test */
2768 perm = signal_to_av(sig);
2771 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
2773 rc = task_has_perm(current, p, perm);
2777 static int selinux_task_prctl(int option,
2783 /* The current prctl operations do not appear to require
2784 any SELinux controls since they merely observe or modify
2785 the state of the current process. */
2789 static int selinux_task_wait(struct task_struct *p)
2793 perm = signal_to_av(p->exit_signal);
2795 return task_has_perm(p, current, perm);
2798 static void selinux_task_reparent_to_init(struct task_struct *p)
2800 struct task_security_struct *tsec;
2802 secondary_ops->task_reparent_to_init(p);
2805 tsec->osid = tsec->sid;
2806 tsec->sid = SECINITSID_KERNEL;
2810 static void selinux_task_to_inode(struct task_struct *p,
2811 struct inode *inode)
2813 struct task_security_struct *tsec = p->security;
2814 struct inode_security_struct *isec = inode->i_security;
2816 isec->sid = tsec->sid;
2817 isec->initialized = 1;
2821 /* Returns error only if unable to parse addresses */
2822 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2824 int offset, ihlen, ret = -EINVAL;
2825 struct iphdr _iph, *ih;
2827 offset = skb->nh.raw - skb->data;
2828 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2832 ihlen = ih->ihl * 4;
2833 if (ihlen < sizeof(_iph))
2836 ad->u.net.v4info.saddr = ih->saddr;
2837 ad->u.net.v4info.daddr = ih->daddr;
2840 switch (ih->protocol) {
2842 struct tcphdr _tcph, *th;
2844 if (ntohs(ih->frag_off) & IP_OFFSET)
2848 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2852 ad->u.net.sport = th->source;
2853 ad->u.net.dport = th->dest;
2858 struct udphdr _udph, *uh;
2860 if (ntohs(ih->frag_off) & IP_OFFSET)
2864 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2868 ad->u.net.sport = uh->source;
2869 ad->u.net.dport = uh->dest;
2880 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2882 /* Returns error only if unable to parse addresses */
2883 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2886 int ret = -EINVAL, offset;
2887 struct ipv6hdr _ipv6h, *ip6;
2889 offset = skb->nh.raw - skb->data;
2890 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2894 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2895 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2898 nexthdr = ip6->nexthdr;
2899 offset += sizeof(_ipv6h);
2900 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2906 struct tcphdr _tcph, *th;
2908 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2912 ad->u.net.sport = th->source;
2913 ad->u.net.dport = th->dest;
2918 struct udphdr _udph, *uh;
2920 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2924 ad->u.net.sport = uh->source;
2925 ad->u.net.dport = uh->dest;
2929 /* includes fragments */
2939 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2940 char **addrp, int *len, int src)
2944 switch (ad->u.net.family) {
2946 ret = selinux_parse_skb_ipv4(skb, ad);
2950 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2951 &ad->u.net.v4info.daddr);
2954 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2956 ret = selinux_parse_skb_ipv6(skb, ad);
2960 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2961 &ad->u.net.v6info.daddr);
2971 /* socket security operations */
2972 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2975 struct inode_security_struct *isec;
2976 struct task_security_struct *tsec;
2977 struct avc_audit_data ad;
2980 tsec = task->security;
2981 isec = SOCK_INODE(sock)->i_security;
2983 if (isec->sid == SECINITSID_KERNEL)
2986 AVC_AUDIT_DATA_INIT(&ad,NET);
2987 ad.u.net.sk = sock->sk;
2988 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2994 static int selinux_socket_create(int family, int type,
2995 int protocol, int kern)
2998 struct task_security_struct *tsec;
3004 tsec = current->security;
3005 newsid = tsec->sockcreate_sid ? : tsec->sid;
3006 err = avc_has_perm(tsec->sid, newsid,
3007 socket_type_to_security_class(family, type,
3008 protocol), SOCKET__CREATE, NULL);
3014 static void selinux_socket_post_create(struct socket *sock, int family,
3015 int type, int protocol, int kern)
3017 struct inode_security_struct *isec;
3018 struct task_security_struct *tsec;
3021 isec = SOCK_INODE(sock)->i_security;
3023 tsec = current->security;
3024 newsid = tsec->sockcreate_sid ? : tsec->sid;
3025 isec->sclass = socket_type_to_security_class(family, type, protocol);
3026 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3027 isec->initialized = 1;
3032 /* Range of port numbers used to automatically bind.
3033 Need to determine whether we should perform a name_bind
3034 permission check between the socket and the port number. */
3035 #define ip_local_port_range_0 sysctl_local_port_range[0]
3036 #define ip_local_port_range_1 sysctl_local_port_range[1]
3038 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3043 err = socket_has_perm(current, sock, SOCKET__BIND);
3048 * If PF_INET or PF_INET6, check name_bind permission for the port.
3049 * Multiple address binding for SCTP is not supported yet: we just
3050 * check the first address now.
3052 family = sock->sk->sk_family;
3053 if (family == PF_INET || family == PF_INET6) {
3055 struct inode_security_struct *isec;
3056 struct task_security_struct *tsec;
3057 struct avc_audit_data ad;
3058 struct sockaddr_in *addr4 = NULL;
3059 struct sockaddr_in6 *addr6 = NULL;
3060 unsigned short snum;
3061 struct sock *sk = sock->sk;
3062 u32 sid, node_perm, addrlen;
3064 tsec = current->security;
3065 isec = SOCK_INODE(sock)->i_security;
3067 if (family == PF_INET) {
3068 addr4 = (struct sockaddr_in *)address;
3069 snum = ntohs(addr4->sin_port);
3070 addrlen = sizeof(addr4->sin_addr.s_addr);
3071 addrp = (char *)&addr4->sin_addr.s_addr;
3073 addr6 = (struct sockaddr_in6 *)address;
3074 snum = ntohs(addr6->sin6_port);
3075 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3076 addrp = (char *)&addr6->sin6_addr.s6_addr;
3079 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3080 snum > ip_local_port_range_1)) {
3081 err = security_port_sid(sk->sk_family, sk->sk_type,
3082 sk->sk_protocol, snum, &sid);
3085 AVC_AUDIT_DATA_INIT(&ad,NET);
3086 ad.u.net.sport = htons(snum);
3087 ad.u.net.family = family;
3088 err = avc_has_perm(isec->sid, sid,
3090 SOCKET__NAME_BIND, &ad);
3095 switch(isec->sclass) {
3096 case SECCLASS_TCP_SOCKET:
3097 node_perm = TCP_SOCKET__NODE_BIND;
3100 case SECCLASS_UDP_SOCKET:
3101 node_perm = UDP_SOCKET__NODE_BIND;
3105 node_perm = RAWIP_SOCKET__NODE_BIND;
3109 err = security_node_sid(family, addrp, addrlen, &sid);
3113 AVC_AUDIT_DATA_INIT(&ad,NET);
3114 ad.u.net.sport = htons(snum);
3115 ad.u.net.family = family;
3117 if (family == PF_INET)
3118 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3120 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3122 err = avc_has_perm(isec->sid, sid,
3123 isec->sclass, node_perm, &ad);
3131 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3133 struct inode_security_struct *isec;
3136 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3141 * If a TCP socket, check name_connect permission for the port.
3143 isec = SOCK_INODE(sock)->i_security;
3144 if (isec->sclass == SECCLASS_TCP_SOCKET) {
3145 struct sock *sk = sock->sk;
3146 struct avc_audit_data ad;
3147 struct sockaddr_in *addr4 = NULL;
3148 struct sockaddr_in6 *addr6 = NULL;
3149 unsigned short snum;
3152 if (sk->sk_family == PF_INET) {
3153 addr4 = (struct sockaddr_in *)address;
3154 if (addrlen < sizeof(struct sockaddr_in))
3156 snum = ntohs(addr4->sin_port);
3158 addr6 = (struct sockaddr_in6 *)address;
3159 if (addrlen < SIN6_LEN_RFC2133)
3161 snum = ntohs(addr6->sin6_port);
3164 err = security_port_sid(sk->sk_family, sk->sk_type,
3165 sk->sk_protocol, snum, &sid);
3169 AVC_AUDIT_DATA_INIT(&ad,NET);
3170 ad.u.net.dport = htons(snum);
3171 ad.u.net.family = sk->sk_family;
3172 err = avc_has_perm(isec->sid, sid, isec->sclass,
3173 TCP_SOCKET__NAME_CONNECT, &ad);
3182 static int selinux_socket_listen(struct socket *sock, int backlog)
3184 return socket_has_perm(current, sock, SOCKET__LISTEN);
3187 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3190 struct inode_security_struct *isec;
3191 struct inode_security_struct *newisec;
3193 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3197 newisec = SOCK_INODE(newsock)->i_security;
3199 isec = SOCK_INODE(sock)->i_security;
3200 newisec->sclass = isec->sclass;
3201 newisec->sid = isec->sid;
3202 newisec->initialized = 1;
3207 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3210 return socket_has_perm(current, sock, SOCKET__WRITE);
3213 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3214 int size, int flags)
3216 return socket_has_perm(current, sock, SOCKET__READ);
3219 static int selinux_socket_getsockname(struct socket *sock)
3221 return socket_has_perm(current, sock, SOCKET__GETATTR);
3224 static int selinux_socket_getpeername(struct socket *sock)
3226 return socket_has_perm(current, sock, SOCKET__GETATTR);
3229 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3231 return socket_has_perm(current, sock, SOCKET__SETOPT);
3234 static int selinux_socket_getsockopt(struct socket *sock, int level,
3237 return socket_has_perm(current, sock, SOCKET__GETOPT);
3240 static int selinux_socket_shutdown(struct socket *sock, int how)
3242 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3245 static int selinux_socket_unix_stream_connect(struct socket *sock,
3246 struct socket *other,
3249 struct sk_security_struct *ssec;
3250 struct inode_security_struct *isec;
3251 struct inode_security_struct *other_isec;
3252 struct avc_audit_data ad;
3255 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3259 isec = SOCK_INODE(sock)->i_security;
3260 other_isec = SOCK_INODE(other)->i_security;
3262 AVC_AUDIT_DATA_INIT(&ad,NET);
3263 ad.u.net.sk = other->sk;
3265 err = avc_has_perm(isec->sid, other_isec->sid,
3267 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3271 /* connecting socket */
3272 ssec = sock->sk->sk_security;
3273 ssec->peer_sid = other_isec->sid;
3275 /* server child socket */
3276 ssec = newsk->sk_security;
3277 ssec->peer_sid = isec->sid;
3282 static int selinux_socket_unix_may_send(struct socket *sock,
3283 struct socket *other)
3285 struct inode_security_struct *isec;
3286 struct inode_security_struct *other_isec;
3287 struct avc_audit_data ad;
3290 isec = SOCK_INODE(sock)->i_security;
3291 other_isec = SOCK_INODE(other)->i_security;
3293 AVC_AUDIT_DATA_INIT(&ad,NET);
3294 ad.u.net.sk = other->sk;
3296 err = avc_has_perm(isec->sid, other_isec->sid,
3297 isec->sclass, SOCKET__SENDTO, &ad);
3304 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3305 struct avc_audit_data *ad, u32 sock_sid, u16 sock_class,
3306 u16 family, char *addrp, int len)
3309 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3314 err = sel_netif_sids(skb->dev, &if_sid, NULL);
3318 switch (sock_class) {
3319 case SECCLASS_UDP_SOCKET:
3320 netif_perm = NETIF__UDP_RECV;
3321 node_perm = NODE__UDP_RECV;
3322 recv_perm = UDP_SOCKET__RECV_MSG;
3325 case SECCLASS_TCP_SOCKET:
3326 netif_perm = NETIF__TCP_RECV;
3327 node_perm = NODE__TCP_RECV;
3328 recv_perm = TCP_SOCKET__RECV_MSG;
3332 netif_perm = NETIF__RAWIP_RECV;
3333 node_perm = NODE__RAWIP_RECV;
3337 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3341 err = security_node_sid(family, addrp, len, &node_sid);
3345 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3352 err = security_port_sid(sk->sk_family, sk->sk_type,
3353 sk->sk_protocol, ntohs(ad->u.net.sport),
3358 err = avc_has_perm(sock_sid, port_sid,
3359 sock_class, recv_perm, ad);
3366 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3373 struct socket *sock;
3374 struct avc_audit_data ad;
3376 family = sk->sk_family;
3377 if (family != PF_INET && family != PF_INET6)
3380 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3381 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3384 read_lock_bh(&sk->sk_callback_lock);
3385 sock = sk->sk_socket;
3387 struct inode *inode;
3388 inode = SOCK_INODE(sock);
3390 struct inode_security_struct *isec;
3391 isec = inode->i_security;
3392 sock_sid = isec->sid;
3393 sock_class = isec->sclass;
3396 read_unlock_bh(&sk->sk_callback_lock);
3400 AVC_AUDIT_DATA_INIT(&ad, NET);
3401 ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
3402 ad.u.net.family = family;
3404 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3408 if (selinux_compat_net)
3409 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, sock_sid,
3413 err = avc_has_perm(sock_sid, skb->secmark, SECCLASS_PACKET,
3418 err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3423 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3424 int __user *optlen, unsigned len)
3429 struct sk_security_struct *ssec;
3430 struct inode_security_struct *isec;
3433 isec = SOCK_INODE(sock)->i_security;
3435 /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3436 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3437 ssec = sock->sk->sk_security;
3438 peer_sid = ssec->peer_sid;
3440 else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3441 peer_sid = selinux_socket_getpeer_stream(sock->sk);
3443 if (peer_sid == SECSID_NULL) {
3453 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3458 if (scontext_len > len) {
3463 if (copy_to_user(optval, scontext, scontext_len))
3467 if (put_user(scontext_len, optlen))
3475 static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen)
3480 if (skb->sk->sk_family == PF_UNIX)
3481 selinux_get_inode_sid(SOCK_INODE(skb->sk->sk_socket),
3484 peer_sid = selinux_socket_getpeer_dgram(skb);
3486 if (peer_sid == SECSID_NULL)
3489 err = security_sid_to_context(peer_sid, secdata, seclen);
3496 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3498 return sk_alloc_security(sk, family, priority);
3501 static void selinux_sk_free_security(struct sock *sk)
3503 sk_free_security(sk);
3506 static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3508 struct inode_security_struct *isec;
3509 u32 sock_sid = SECINITSID_ANY_SOCKET;
3512 return selinux_no_sk_sid(fl);
3514 read_lock_bh(&sk->sk_callback_lock);
3515 isec = get_sock_isec(sk);
3518 sock_sid = isec->sid;
3520 read_unlock_bh(&sk->sk_callback_lock);
3524 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3528 struct nlmsghdr *nlh;
3529 struct socket *sock = sk->sk_socket;
3530 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3532 if (skb->len < NLMSG_SPACE(0)) {
3536 nlh = (struct nlmsghdr *)skb->data;
3538 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3540 if (err == -EINVAL) {
3541 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3542 "SELinux: unrecognized netlink message"
3543 " type=%hu for sclass=%hu\n",
3544 nlh->nlmsg_type, isec->sclass);
3545 if (!selinux_enforcing)
3555 err = socket_has_perm(current, sock, perm);
3560 #ifdef CONFIG_NETFILTER
3562 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
3563 struct inode_security_struct *isec,
3564 struct avc_audit_data *ad,
3565 u16 family, char *addrp, int len)
3568 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3570 err = sel_netif_sids(dev, &if_sid, NULL);
3574 switch (isec->sclass) {
3575 case SECCLASS_UDP_SOCKET:
3576 netif_perm = NETIF__UDP_SEND;
3577 node_perm = NODE__UDP_SEND;
3578 send_perm = UDP_SOCKET__SEND_MSG;
3581 case SECCLASS_TCP_SOCKET:
3582 netif_perm = NETIF__TCP_SEND;
3583 node_perm = NODE__TCP_SEND;
3584 send_perm = TCP_SOCKET__SEND_MSG;
3588 netif_perm = NETIF__RAWIP_SEND;
3589 node_perm = NODE__RAWIP_SEND;
3593 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3597 err = security_node_sid(family, addrp, len, &node_sid);
3601 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
3608 err = security_port_sid(sk->sk_family,
3611 ntohs(ad->u.net.dport),
3616 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3623 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3624 struct sk_buff **pskb,
3625 const struct net_device *in,
3626 const struct net_device *out,
3627 int (*okfn)(struct sk_buff *),
3633 struct socket *sock;
3634 struct inode *inode;
3635 struct sk_buff *skb = *pskb;
3636 struct inode_security_struct *isec;
3637 struct avc_audit_data ad;
3638 struct net_device *dev = (struct net_device *)out;
3644 sock = sk->sk_socket;
3648 inode = SOCK_INODE(sock);
3652 isec = inode->i_security;
3654 AVC_AUDIT_DATA_INIT(&ad, NET);
3655 ad.u.net.netif = dev->name;
3656 ad.u.net.family = family;
3658 err = selinux_parse_skb(skb, &ad, &addrp, &len, 0);
3662 if (selinux_compat_net)
3663 err = selinux_ip_postroute_last_compat(sk, dev, isec, &ad,
3664 family, addrp, len);
3666 err = avc_has_perm(isec->sid, skb->secmark, SECCLASS_PACKET,
3672 err = selinux_xfrm_postroute_last(isec->sid, skb);
3674 return err ? NF_DROP : NF_ACCEPT;
3677 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3678 struct sk_buff **pskb,
3679 const struct net_device *in,
3680 const struct net_device *out,
3681 int (*okfn)(struct sk_buff *))
3683 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3686 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3688 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3689 struct sk_buff **pskb,
3690 const struct net_device *in,
3691 const struct net_device *out,
3692 int (*okfn)(struct sk_buff *))
3694 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3699 #endif /* CONFIG_NETFILTER */
3701 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3705 err = secondary_ops->netlink_send(sk, skb);
3709 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3710 err = selinux_nlmsg_perm(sk, skb);
3715 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
3718 struct avc_audit_data ad;
3720 err = secondary_ops->netlink_recv(skb, capability);
3724 AVC_AUDIT_DATA_INIT(&ad, CAP);
3725 ad.u.cap = capability;
3727 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
3728 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
3731 static int ipc_alloc_security(struct task_struct *task,
3732 struct kern_ipc_perm *perm,
3735 struct task_security_struct *tsec = task->security;
3736 struct ipc_security_struct *isec;
3738 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3742 isec->sclass = sclass;
3743 isec->ipc_perm = perm;
3744 isec->sid = tsec->sid;
3745 perm->security = isec;
3750 static void ipc_free_security(struct kern_ipc_perm *perm)
3752 struct ipc_security_struct *isec = perm->security;
3753 perm->security = NULL;
3757 static int msg_msg_alloc_security(struct msg_msg *msg)
3759 struct msg_security_struct *msec;
3761 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3766 msec->sid = SECINITSID_UNLABELED;
3767 msg->security = msec;
3772 static void msg_msg_free_security(struct msg_msg *msg)
3774 struct msg_security_struct *msec = msg->security;
3776 msg->security = NULL;
3780 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3783 struct task_security_struct *tsec;
3784 struct ipc_security_struct *isec;
3785 struct avc_audit_data ad;
3787 tsec = current->security;
3788 isec = ipc_perms->security;
3790 AVC_AUDIT_DATA_INIT(&ad, IPC);
3791 ad.u.ipc_id = ipc_perms->key;
3793 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3796 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3798 return msg_msg_alloc_security(msg);
3801 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3803 msg_msg_free_security(msg);
3806 /* message queue security operations */
3807 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3809 struct task_security_struct *tsec;
3810 struct ipc_security_struct *isec;
3811 struct avc_audit_data ad;
3814 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3818 tsec = current->security;
3819 isec = msq->q_perm.security;
3821 AVC_AUDIT_DATA_INIT(&ad, IPC);
3822 ad.u.ipc_id = msq->q_perm.key;
3824 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3827 ipc_free_security(&msq->q_perm);
3833 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3835 ipc_free_security(&msq->q_perm);
3838 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3840 struct task_security_struct *tsec;
3841 struct ipc_security_struct *isec;
3842 struct avc_audit_data ad;
3844 tsec = current->security;
3845 isec = msq->q_perm.security;
3847 AVC_AUDIT_DATA_INIT(&ad, IPC);
3848 ad.u.ipc_id = msq->q_perm.key;
3850 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3851 MSGQ__ASSOCIATE, &ad);
3854 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3862 /* No specific object, just general system-wide information. */
3863 return task_has_system(current, SYSTEM__IPC_INFO);
3866 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3869 perms = MSGQ__SETATTR;
3872 perms = MSGQ__DESTROY;
3878 err = ipc_has_perm(&msq->q_perm, perms);
3882 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3884 struct task_security_struct *tsec;
3885 struct ipc_security_struct *isec;
3886 struct msg_security_struct *msec;
3887 struct avc_audit_data ad;
3890 tsec = current->security;
3891 isec = msq->q_perm.security;
3892 msec = msg->security;
3895 * First time through, need to assign label to the message
3897 if (msec->sid == SECINITSID_UNLABELED) {
3899 * Compute new sid based on current process and
3900 * message queue this message will be stored in
3902 rc = security_transition_sid(tsec->sid,
3910 AVC_AUDIT_DATA_INIT(&ad, IPC);
3911 ad.u.ipc_id = msq->q_perm.key;
3913 /* Can this process write to the queue? */
3914 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3917 /* Can this process send the message */
3918 rc = avc_has_perm(tsec->sid, msec->sid,
3919 SECCLASS_MSG, MSG__SEND, &ad);
3921 /* Can the message be put in the queue? */
3922 rc = avc_has_perm(msec->sid, isec->sid,
3923 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3928 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3929 struct task_struct *target,
3930 long type, int mode)
3932 struct task_security_struct *tsec;
3933 struct ipc_security_struct *isec;
3934 struct msg_security_struct *msec;
3935 struct avc_audit_data ad;
3938 tsec = target->security;
3939 isec = msq->q_perm.security;
3940 msec = msg->security;
3942 AVC_AUDIT_DATA_INIT(&ad, IPC);
3943 ad.u.ipc_id = msq->q_perm.key;
3945 rc = avc_has_perm(tsec->sid, isec->sid,
3946 SECCLASS_MSGQ, MSGQ__READ, &ad);
3948 rc = avc_has_perm(tsec->sid, msec->sid,
3949 SECCLASS_MSG, MSG__RECEIVE, &ad);
3953 /* Shared Memory security operations */
3954 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3956 struct task_security_struct *tsec;
3957 struct ipc_security_struct *isec;
3958 struct avc_audit_data ad;
3961 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3965 tsec = current->security;
3966 isec = shp->shm_perm.security;
3968 AVC_AUDIT_DATA_INIT(&ad, IPC);
3969 ad.u.ipc_id = shp->shm_perm.key;
3971 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3974 ipc_free_security(&shp->shm_perm);
3980 static void selinux_shm_free_security(struct shmid_kernel *shp)
3982 ipc_free_security(&shp->shm_perm);
3985 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3987 struct task_security_struct *tsec;
3988 struct ipc_security_struct *isec;
3989 struct avc_audit_data ad;
3991 tsec = current->security;
3992 isec = shp->shm_perm.security;
3994 AVC_AUDIT_DATA_INIT(&ad, IPC);
3995 ad.u.ipc_id = shp->shm_perm.key;
3997 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3998 SHM__ASSOCIATE, &ad);
4001 /* Note, at this point, shp is locked down */
4002 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4010 /* No specific object, just general system-wide information. */
4011 return task_has_system(current, SYSTEM__IPC_INFO);
4014 perms = SHM__GETATTR | SHM__ASSOCIATE;
4017 perms = SHM__SETATTR;
4024 perms = SHM__DESTROY;
4030 err = ipc_has_perm(&shp->shm_perm, perms);
4034 static int selinux_shm_shmat(struct shmid_kernel *shp,
4035 char __user *shmaddr, int shmflg)
4040 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4044 if (shmflg & SHM_RDONLY)
4047 perms = SHM__READ | SHM__WRITE;
4049 return ipc_has_perm(&shp->shm_perm, perms);
4052 /* Semaphore security operations */
4053 static int selinux_sem_alloc_security(struct sem_array *sma)
4055 struct task_security_struct *tsec;
4056 struct ipc_security_struct *isec;
4057 struct avc_audit_data ad;
4060 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4064 tsec = current->security;
4065 isec = sma->sem_perm.security;
4067 AVC_AUDIT_DATA_INIT(&ad, IPC);
4068 ad.u.ipc_id = sma->sem_perm.key;
4070 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4073 ipc_free_security(&sma->sem_perm);
4079 static void selinux_sem_free_security(struct sem_array *sma)
4081 ipc_free_security(&sma->sem_perm);
4084 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4086 struct task_security_struct *tsec;
4087 struct ipc_security_struct *isec;
4088 struct avc_audit_data ad;
4090 tsec = current->security;
4091 isec = sma->sem_perm.security;
4093 AVC_AUDIT_DATA_INIT(&ad, IPC);
4094 ad.u.ipc_id = sma->sem_perm.key;
4096 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4097 SEM__ASSOCIATE, &ad);
4100 /* Note, at this point, sma is locked down */
4101 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4109 /* No specific object, just general system-wide information. */
4110 return task_has_system(current, SYSTEM__IPC_INFO);
4114 perms = SEM__GETATTR;
4125 perms = SEM__DESTROY;
4128 perms = SEM__SETATTR;
4132 perms = SEM__GETATTR | SEM__ASSOCIATE;
4138 err = ipc_has_perm(&sma->sem_perm, perms);
4142 static int selinux_sem_semop(struct sem_array *sma,
4143 struct sembuf *sops, unsigned nsops, int alter)
4148 perms = SEM__READ | SEM__WRITE;
4152 return ipc_has_perm(&sma->sem_perm, perms);
4155 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4161 av |= IPC__UNIX_READ;
4163 av |= IPC__UNIX_WRITE;
4168 return ipc_has_perm(ipcp, av);
4171 /* module stacking operations */
4172 static int selinux_register_security (const char *name, struct security_operations *ops)
4174 if (secondary_ops != original_ops) {
4175 printk(KERN_INFO "%s: There is already a secondary security "
4176 "module registered.\n", __FUNCTION__);
4180 secondary_ops = ops;
4182 printk(KERN_INFO "%s: Registering secondary module %s\n",
4189 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4191 if (ops != secondary_ops) {
4192 printk (KERN_INFO "%s: trying to unregister a security module "
4193 "that is not registered.\n", __FUNCTION__);
4197 secondary_ops = original_ops;
4202 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4205 inode_doinit_with_dentry(inode, dentry);
4208 static int selinux_getprocattr(struct task_struct *p,
4209 char *name, void *value, size_t size)
4211 struct task_security_struct *tsec;
4216 error = task_has_perm(current, p, PROCESS__GETATTR);
4223 if (!strcmp(name, "current"))
4225 else if (!strcmp(name, "prev"))
4227 else if (!strcmp(name, "exec"))
4228 sid = tsec->exec_sid;
4229 else if (!strcmp(name, "fscreate"))
4230 sid = tsec->create_sid;
4231 else if (!strcmp(name, "keycreate"))
4232 sid = tsec->keycreate_sid;
4233 else if (!strcmp(name, "sockcreate"))
4234 sid = tsec->sockcreate_sid;
4241 return selinux_getsecurity(sid, value, size);
4244 static int selinux_setprocattr(struct task_struct *p,
4245 char *name, void *value, size_t size)
4247 struct task_security_struct *tsec;
4253 /* SELinux only allows a process to change its own
4254 security attributes. */
4259 * Basic control over ability to set these attributes at all.
4260 * current == p, but we'll pass them separately in case the
4261 * above restriction is ever removed.
4263 if (!strcmp(name, "exec"))
4264 error = task_has_perm(current, p, PROCESS__SETEXEC);
4265 else if (!strcmp(name, "fscreate"))
4266 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4267 else if (!strcmp(name, "keycreate"))
4268 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
4269 else if (!strcmp(name, "sockcreate"))
4270 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
4271 else if (!strcmp(name, "current"))
4272 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4278 /* Obtain a SID for the context, if one was specified. */
4279 if (size && str[1] && str[1] != '\n') {
4280 if (str[size-1] == '\n') {
4284 error = security_context_to_sid(value, size, &sid);
4289 /* Permission checking based on the specified context is
4290 performed during the actual operation (execve,
4291 open/mkdir/...), when we know the full context of the
4292 operation. See selinux_bprm_set_security for the execve
4293 checks and may_create for the file creation checks. The
4294 operation will then fail if the context is not permitted. */
4296 if (!strcmp(name, "exec"))
4297 tsec->exec_sid = sid;
4298 else if (!strcmp(name, "fscreate"))
4299 tsec->create_sid = sid;
4300 else if (!strcmp(name, "keycreate")) {
4301 error = may_create_key(sid, p);
4304 tsec->keycreate_sid = sid;
4305 } else if (!strcmp(name, "sockcreate"))
4306 tsec->sockcreate_sid = sid;
4307 else if (!strcmp(name, "current")) {
4308 struct av_decision avd;
4313 /* Only allow single threaded processes to change context */
4314 if (atomic_read(&p->mm->mm_users) != 1) {
4315 struct task_struct *g, *t;
4316 struct mm_struct *mm = p->mm;
4317 read_lock(&tasklist_lock);
4318 do_each_thread(g, t)
4319 if (t->mm == mm && t != p) {
4320 read_unlock(&tasklist_lock);
4323 while_each_thread(g, t);
4324 read_unlock(&tasklist_lock);
4327 /* Check permissions for the transition. */
4328 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4329 PROCESS__DYNTRANSITION, NULL);
4333 /* Check for ptracing, and update the task SID if ok.
4334 Otherwise, leave SID unchanged and fail. */
4336 if (p->ptrace & PT_PTRACED) {
4337 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4339 PROCESS__PTRACE, &avd);
4343 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4344 PROCESS__PTRACE, &avd, error, NULL);
4360 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
4361 unsigned long flags)
4363 struct task_security_struct *tsec = tsk->security;
4364 struct key_security_struct *ksec;
4366 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
4371 if (tsec->keycreate_sid)
4372 ksec->sid = tsec->keycreate_sid;
4374 ksec->sid = tsec->sid;
4380 static void selinux_key_free(struct key *k)
4382 struct key_security_struct *ksec = k->security;
4388 static int selinux_key_permission(key_ref_t key_ref,
4389 struct task_struct *ctx,
4393 struct task_security_struct *tsec;
4394 struct key_security_struct *ksec;
4396 key = key_ref_to_ptr(key_ref);
4398 tsec = ctx->security;
4399 ksec = key->security;
4401 /* if no specific permissions are requested, we skip the
4402 permission check. No serious, additional covert channels
4403 appear to be created. */
4407 return avc_has_perm(tsec->sid, ksec->sid,
4408 SECCLASS_KEY, perm, NULL);
4413 static struct security_operations selinux_ops = {
4414 .ptrace = selinux_ptrace,
4415 .capget = selinux_capget,
4416 .capset_check = selinux_capset_check,
4417 .capset_set = selinux_capset_set,
4418 .sysctl = selinux_sysctl,
4419 .capable = selinux_capable,
4420 .quotactl = selinux_quotactl,
4421 .quota_on = selinux_quota_on,
4422 .syslog = selinux_syslog,
4423 .vm_enough_memory = selinux_vm_enough_memory,
4425 .netlink_send = selinux_netlink_send,
4426 .netlink_recv = selinux_netlink_recv,
4428 .bprm_alloc_security = selinux_bprm_alloc_security,
4429 .bprm_free_security = selinux_bprm_free_security,
4430 .bprm_apply_creds = selinux_bprm_apply_creds,
4431 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
4432 .bprm_set_security = selinux_bprm_set_security,
4433 .bprm_check_security = selinux_bprm_check_security,
4434 .bprm_secureexec = selinux_bprm_secureexec,
4436 .sb_alloc_security = selinux_sb_alloc_security,
4437 .sb_free_security = selinux_sb_free_security,
4438 .sb_copy_data = selinux_sb_copy_data,
4439 .sb_kern_mount = selinux_sb_kern_mount,
4440 .sb_statfs = selinux_sb_statfs,
4441 .sb_mount = selinux_mount,
4442 .sb_umount = selinux_umount,
4444 .inode_alloc_security = selinux_inode_alloc_security,
4445 .inode_free_security = selinux_inode_free_security,
4446 .inode_init_security = selinux_inode_init_security,
4447 .inode_create = selinux_inode_create,
4448 .inode_link = selinux_inode_link,
4449 .inode_unlink = selinux_inode_unlink,
4450 .inode_symlink = selinux_inode_symlink,
4451 .inode_mkdir = selinux_inode_mkdir,
4452 .inode_rmdir = selinux_inode_rmdir,
4453 .inode_mknod = selinux_inode_mknod,
4454 .inode_rename = selinux_inode_rename,
4455 .inode_readlink = selinux_inode_readlink,
4456 .inode_follow_link = selinux_inode_follow_link,
4457 .inode_permission = selinux_inode_permission,
4458 .inode_setattr = selinux_inode_setattr,
4459 .inode_getattr = selinux_inode_getattr,
4460 .inode_setxattr = selinux_inode_setxattr,
4461 .inode_post_setxattr = selinux_inode_post_setxattr,
4462 .inode_getxattr = selinux_inode_getxattr,
4463 .inode_listxattr = selinux_inode_listxattr,
4464 .inode_removexattr = selinux_inode_removexattr,
4465 .inode_xattr_getsuffix = selinux_inode_xattr_getsuffix,
4466 .inode_getsecurity = selinux_inode_getsecurity,
4467 .inode_setsecurity = selinux_inode_setsecurity,
4468 .inode_listsecurity = selinux_inode_listsecurity,
4470 .file_permission = selinux_file_permission,
4471 .file_alloc_security = selinux_file_alloc_security,
4472 .file_free_security = selinux_file_free_security,
4473 .file_ioctl = selinux_file_ioctl,
4474 .file_mmap = selinux_file_mmap,
4475 .file_mprotect = selinux_file_mprotect,
4476 .file_lock = selinux_file_lock,
4477 .file_fcntl = selinux_file_fcntl,
4478 .file_set_fowner = selinux_file_set_fowner,
4479 .file_send_sigiotask = selinux_file_send_sigiotask,
4480 .file_receive = selinux_file_receive,
4482 .task_create = selinux_task_create,
4483 .task_alloc_security = selinux_task_alloc_security,
4484 .task_free_security = selinux_task_free_security,
4485 .task_setuid = selinux_task_setuid,
4486 .task_post_setuid = selinux_task_post_setuid,
4487 .task_setgid = selinux_task_setgid,
4488 .task_setpgid = selinux_task_setpgid,
4489 .task_getpgid = selinux_task_getpgid,
4490 .task_getsid = selinux_task_getsid,
4491 .task_getsecid = selinux_task_getsecid,
4492 .task_setgroups = selinux_task_setgroups,
4493 .task_setnice = selinux_task_setnice,
4494 .task_setioprio = selinux_task_setioprio,
4495 .task_getioprio = selinux_task_getioprio,
4496 .task_setrlimit = selinux_task_setrlimit,
4497 .task_setscheduler = selinux_task_setscheduler,
4498 .task_getscheduler = selinux_task_getscheduler,
4499 .task_movememory = selinux_task_movememory,
4500 .task_kill = selinux_task_kill,
4501 .task_wait = selinux_task_wait,
4502 .task_prctl = selinux_task_prctl,
4503 .task_reparent_to_init = selinux_task_reparent_to_init,
4504 .task_to_inode = selinux_task_to_inode,
4506 .ipc_permission = selinux_ipc_permission,
4508 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4509 .msg_msg_free_security = selinux_msg_msg_free_security,
4511 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4512 .msg_queue_free_security = selinux_msg_queue_free_security,
4513 .msg_queue_associate = selinux_msg_queue_associate,
4514 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4515 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4516 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4518 .shm_alloc_security = selinux_shm_alloc_security,
4519 .shm_free_security = selinux_shm_free_security,
4520 .shm_associate = selinux_shm_associate,
4521 .shm_shmctl = selinux_shm_shmctl,
4522 .shm_shmat = selinux_shm_shmat,
4524 .sem_alloc_security = selinux_sem_alloc_security,
4525 .sem_free_security = selinux_sem_free_security,
4526 .sem_associate = selinux_sem_associate,
4527 .sem_semctl = selinux_sem_semctl,
4528 .sem_semop = selinux_sem_semop,
4530 .register_security = selinux_register_security,
4531 .unregister_security = selinux_unregister_security,
4533 .d_instantiate = selinux_d_instantiate,
4535 .getprocattr = selinux_getprocattr,
4536 .setprocattr = selinux_setprocattr,
4538 .unix_stream_connect = selinux_socket_unix_stream_connect,
4539 .unix_may_send = selinux_socket_unix_may_send,
4541 .socket_create = selinux_socket_create,
4542 .socket_post_create = selinux_socket_post_create,
4543 .socket_bind = selinux_socket_bind,
4544 .socket_connect = selinux_socket_connect,
4545 .socket_listen = selinux_socket_listen,
4546 .socket_accept = selinux_socket_accept,
4547 .socket_sendmsg = selinux_socket_sendmsg,
4548 .socket_recvmsg = selinux_socket_recvmsg,
4549 .socket_getsockname = selinux_socket_getsockname,
4550 .socket_getpeername = selinux_socket_getpeername,
4551 .socket_getsockopt = selinux_socket_getsockopt,
4552 .socket_setsockopt = selinux_socket_setsockopt,
4553 .socket_shutdown = selinux_socket_shutdown,
4554 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
4555 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
4556 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
4557 .sk_alloc_security = selinux_sk_alloc_security,
4558 .sk_free_security = selinux_sk_free_security,
4559 .sk_getsid = selinux_sk_getsid_security,
4561 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4562 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
4563 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
4564 .xfrm_policy_free_security = selinux_xfrm_policy_free,
4565 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
4566 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
4567 .xfrm_state_free_security = selinux_xfrm_state_free,
4568 .xfrm_state_delete_security = selinux_xfrm_state_delete,
4569 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
4573 .key_alloc = selinux_key_alloc,
4574 .key_free = selinux_key_free,
4575 .key_permission = selinux_key_permission,
4579 static __init int selinux_init(void)
4581 struct task_security_struct *tsec;
4583 if (!selinux_enabled) {
4584 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4588 printk(KERN_INFO "SELinux: Initializing.\n");
4590 /* Set the security state for the initial task. */
4591 if (task_alloc_security(current))
4592 panic("SELinux: Failed to initialize initial task.\n");
4593 tsec = current->security;
4594 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4596 sel_inode_cache = kmem_cache_create("selinux_inode_security",
4597 sizeof(struct inode_security_struct),
4598 0, SLAB_PANIC, NULL, NULL);
4601 original_ops = secondary_ops = security_ops;
4603 panic ("SELinux: No initial security operations\n");
4604 if (register_security (&selinux_ops))
4605 panic("SELinux: Unable to register with kernel.\n");
4607 if (selinux_enforcing) {
4608 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
4610 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
4614 /* Add security information to initial keyrings */
4615 selinux_key_alloc(&root_user_keyring, current,
4616 KEY_ALLOC_NOT_IN_QUOTA);
4617 selinux_key_alloc(&root_session_keyring, current,
4618 KEY_ALLOC_NOT_IN_QUOTA);
4624 void selinux_complete_init(void)
4626 printk(KERN_INFO "SELinux: Completing initialization.\n");
4628 /* Set up any superblocks initialized prior to the policy load. */
4629 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
4630 spin_lock(&sb_lock);
4631 spin_lock(&sb_security_lock);
4633 if (!list_empty(&superblock_security_head)) {
4634 struct superblock_security_struct *sbsec =
4635 list_entry(superblock_security_head.next,
4636 struct superblock_security_struct,
4638 struct super_block *sb = sbsec->sb;
4640 spin_unlock(&sb_security_lock);
4641 spin_unlock(&sb_lock);
4642 down_read(&sb->s_umount);
4644 superblock_doinit(sb, NULL);
4646 spin_lock(&sb_lock);
4647 spin_lock(&sb_security_lock);
4648 list_del_init(&sbsec->list);
4651 spin_unlock(&sb_security_lock);
4652 spin_unlock(&sb_lock);
4655 /* SELinux requires early initialization in order to label
4656 all processes and objects when they are created. */
4657 security_initcall(selinux_init);
4659 #if defined(CONFIG_NETFILTER)
4661 static struct nf_hook_ops selinux_ipv4_op = {
4662 .hook = selinux_ipv4_postroute_last,
4663 .owner = THIS_MODULE,
4665 .hooknum = NF_IP_POST_ROUTING,
4666 .priority = NF_IP_PRI_SELINUX_LAST,
4669 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4671 static struct nf_hook_ops selinux_ipv6_op = {
4672 .hook = selinux_ipv6_postroute_last,
4673 .owner = THIS_MODULE,
4675 .hooknum = NF_IP6_POST_ROUTING,
4676 .priority = NF_IP6_PRI_SELINUX_LAST,
4681 static int __init selinux_nf_ip_init(void)
4685 if (!selinux_enabled)
4688 printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
4690 err = nf_register_hook(&selinux_ipv4_op);
4692 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4694 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4696 err = nf_register_hook(&selinux_ipv6_op);
4698 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4706 __initcall(selinux_nf_ip_init);
4708 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4709 static void selinux_nf_ip_exit(void)
4711 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
4713 nf_unregister_hook(&selinux_ipv4_op);
4714 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4715 nf_unregister_hook(&selinux_ipv6_op);
4720 #else /* CONFIG_NETFILTER */
4722 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4723 #define selinux_nf_ip_exit()
4726 #endif /* CONFIG_NETFILTER */
4728 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4729 int selinux_disable(void)
4731 extern void exit_sel_fs(void);
4732 static int selinux_disabled = 0;
4734 if (ss_initialized) {
4735 /* Not permitted after initial policy load. */
4739 if (selinux_disabled) {
4740 /* Only do this once. */
4744 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
4746 selinux_disabled = 1;
4747 selinux_enabled = 0;
4749 /* Reset security_ops to the secondary module, dummy or capability. */
4750 security_ops = secondary_ops;
4752 /* Unregister netfilter hooks. */
4753 selinux_nf_ip_exit();
4755 /* Unregister selinuxfs. */
git.openpandora.org / pandora-kernel.git / blob