2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
53 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h> /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/quota.h>
70 #include <linux/un.h> /* for Unix socket types */
71 #include <net/af_unix.h> /* for Unix socket types */
72 #include <linux/parser.h>
73 #include <linux/nfs_mount.h>
75 #include <linux/hugetlb.h>
76 #include <linux/personality.h>
77 #include <linux/audit.h>
78 #include <linux/string.h>
79 #include <linux/selinux.h>
80 #include <linux/mutex.h>
81 #include <linux/posix-timers.h>
82 #include <linux/syslog.h>
83 #include <linux/user_namespace.h>
84 #include <linux/export.h>
85 #include <linux/msg.h>
86 #include <linux/shm.h>
98 #define NUM_SEL_MNT_OPTS 5
100 extern struct security_operations *security_ops;
102 /* SECMARK reference count */
103 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
105 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
106 int selinux_enforcing;
108 static int __init enforcing_setup(char *str)
110 unsigned long enforcing;
111 if (!strict_strtoul(str, 0, &enforcing))
112 selinux_enforcing = enforcing ? 1 : 0;
115 __setup("enforcing=", enforcing_setup);
118 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
119 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
121 static int __init selinux_enabled_setup(char *str)
123 unsigned long enabled;
124 if (!strict_strtoul(str, 0, &enabled))
125 selinux_enabled = enabled ? 1 : 0;
128 __setup("selinux=", selinux_enabled_setup);
130 int selinux_enabled = 1;
133 static struct kmem_cache *sel_inode_cache;
136 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
139 * This function checks the SECMARK reference counter to see if any SECMARK
140 * targets are currently configured, if the reference counter is greater than
141 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
142 * enabled, false (0) if SECMARK is disabled.
145 static int selinux_secmark_enabled(void)
147 return (atomic_read(&selinux_secmark_refcount) > 0);
151 * initialise the security for the init task
153 static void cred_init_security(void)
155 struct cred *cred = (struct cred *) current->real_cred;
156 struct task_security_struct *tsec;
158 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
160 panic("SELinux: Failed to initialize initial task.\n");
162 tsec->osid = tsec->sid = SECINITSID_KERNEL;
163 cred->security = tsec;
167 * get the security ID of a set of credentials
169 static inline u32 cred_sid(const struct cred *cred)
171 const struct task_security_struct *tsec;
173 tsec = cred->security;
178 * get the objective security ID of a task
180 static inline u32 task_sid(const struct task_struct *task)
185 sid = cred_sid(__task_cred(task));
191 * get the subjective security ID of the current task
193 static inline u32 current_sid(void)
195 const struct task_security_struct *tsec = current_security();
200 /* Allocate and free functions for each kind of security blob. */
202 static int inode_alloc_security(struct inode *inode)
204 struct inode_security_struct *isec;
205 u32 sid = current_sid();
207 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
211 mutex_init(&isec->lock);
212 INIT_LIST_HEAD(&isec->list);
214 isec->sid = SECINITSID_UNLABELED;
215 isec->sclass = SECCLASS_FILE;
216 isec->task_sid = sid;
217 inode->i_security = isec;
222 static void inode_free_rcu(struct rcu_head *head)
224 struct inode_security_struct *isec;
226 isec = container_of(head, struct inode_security_struct, rcu);
227 kmem_cache_free(sel_inode_cache, isec);
230 static void inode_free_security(struct inode *inode)
232 struct inode_security_struct *isec = inode->i_security;
233 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
235 spin_lock(&sbsec->isec_lock);
236 if (!list_empty(&isec->list))
237 list_del_init(&isec->list);
238 spin_unlock(&sbsec->isec_lock);
241 * The inode may still be referenced in a path walk and
242 * a call to selinux_inode_permission() can be made
243 * after inode_free_security() is called. Ideally, the VFS
244 * wouldn't do this, but fixing that is a much harder
245 * job. For now, simply free the i_security via RCU, and
246 * leave the current inode->i_security pointer intact.
247 * The inode will be freed after the RCU grace period too.
249 call_rcu(&isec->rcu, inode_free_rcu);
252 static int file_alloc_security(struct file *file)
254 struct file_security_struct *fsec;
255 u32 sid = current_sid();
257 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
262 fsec->fown_sid = sid;
263 file->f_security = fsec;
268 static void file_free_security(struct file *file)
270 struct file_security_struct *fsec = file->f_security;
271 file->f_security = NULL;
275 static int superblock_alloc_security(struct super_block *sb)
277 struct superblock_security_struct *sbsec;
279 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
283 mutex_init(&sbsec->lock);
284 INIT_LIST_HEAD(&sbsec->isec_head);
285 spin_lock_init(&sbsec->isec_lock);
287 sbsec->sid = SECINITSID_UNLABELED;
288 sbsec->def_sid = SECINITSID_FILE;
289 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
290 sb->s_security = sbsec;
295 static void superblock_free_security(struct super_block *sb)
297 struct superblock_security_struct *sbsec = sb->s_security;
298 sb->s_security = NULL;
302 /* The file system's label must be initialized prior to use. */
304 static const char *labeling_behaviors[6] = {
306 "uses transition SIDs",
308 "uses genfs_contexts",
309 "not configured for labeling",
310 "uses mountpoint labeling",
313 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
315 static inline int inode_doinit(struct inode *inode)
317 return inode_doinit_with_dentry(inode, NULL);
326 Opt_labelsupport = 5,
329 static const match_table_t tokens = {
330 {Opt_context, CONTEXT_STR "%s"},
331 {Opt_fscontext, FSCONTEXT_STR "%s"},
332 {Opt_defcontext, DEFCONTEXT_STR "%s"},
333 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
334 {Opt_labelsupport, LABELSUPP_STR},
338 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
340 static int may_context_mount_sb_relabel(u32 sid,
341 struct superblock_security_struct *sbsec,
342 const struct cred *cred)
344 const struct task_security_struct *tsec = cred->security;
347 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELFROM, NULL);
352 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
353 FILESYSTEM__RELABELTO, NULL);
357 static int may_context_mount_inode_relabel(u32 sid,
358 struct superblock_security_struct *sbsec,
359 const struct cred *cred)
361 const struct task_security_struct *tsec = cred->security;
363 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
364 FILESYSTEM__RELABELFROM, NULL);
368 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
369 FILESYSTEM__ASSOCIATE, NULL);
373 static int sb_finish_set_opts(struct super_block *sb)
375 struct superblock_security_struct *sbsec = sb->s_security;
376 struct dentry *root = sb->s_root;
377 struct inode *root_inode = root->d_inode;
380 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
381 /* Make sure that the xattr handler exists and that no
382 error other than -ENODATA is returned by getxattr on
383 the root directory. -ENODATA is ok, as this may be
384 the first boot of the SELinux kernel before we have
385 assigned xattr values to the filesystem. */
386 if (!root_inode->i_op->getxattr) {
387 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
388 "xattr support\n", sb->s_id, sb->s_type->name);
392 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
393 if (rc < 0 && rc != -ENODATA) {
394 if (rc == -EOPNOTSUPP)
395 printk(KERN_WARNING "SELinux: (dev %s, type "
396 "%s) has no security xattr handler\n",
397 sb->s_id, sb->s_type->name);
399 printk(KERN_WARNING "SELinux: (dev %s, type "
400 "%s) getxattr errno %d\n", sb->s_id,
401 sb->s_type->name, -rc);
406 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
408 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
409 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
410 sb->s_id, sb->s_type->name);
412 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
413 sb->s_id, sb->s_type->name,
414 labeling_behaviors[sbsec->behavior-1]);
416 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
417 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
418 sbsec->behavior == SECURITY_FS_USE_NONE ||
419 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
420 sbsec->flags &= ~SE_SBLABELSUPP;
422 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
423 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
424 sbsec->flags |= SE_SBLABELSUPP;
426 /* Initialize the root inode. */
427 rc = inode_doinit_with_dentry(root_inode, root);
429 /* Initialize any other inodes associated with the superblock, e.g.
430 inodes created prior to initial policy load or inodes created
431 during get_sb by a pseudo filesystem that directly
433 spin_lock(&sbsec->isec_lock);
435 if (!list_empty(&sbsec->isec_head)) {
436 struct inode_security_struct *isec =
437 list_entry(sbsec->isec_head.next,
438 struct inode_security_struct, list);
439 struct inode *inode = isec->inode;
440 spin_unlock(&sbsec->isec_lock);
441 inode = igrab(inode);
443 if (!IS_PRIVATE(inode))
447 spin_lock(&sbsec->isec_lock);
448 list_del_init(&isec->list);
451 spin_unlock(&sbsec->isec_lock);
457 * This function should allow an FS to ask what it's mount security
458 * options were so it can use those later for submounts, displaying
459 * mount options, or whatever.
461 static int selinux_get_mnt_opts(const struct super_block *sb,
462 struct security_mnt_opts *opts)
465 struct superblock_security_struct *sbsec = sb->s_security;
466 char *context = NULL;
470 security_init_mnt_opts(opts);
472 if (!(sbsec->flags & SE_SBINITIALIZED))
478 tmp = sbsec->flags & SE_MNTMASK;
479 /* count the number of mount options for this sb */
480 for (i = 0; i < 8; i++) {
482 opts->num_mnt_opts++;
485 /* Check if the Label support flag is set */
486 if (sbsec->flags & SE_SBLABELSUPP)
487 opts->num_mnt_opts++;
489 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
490 if (!opts->mnt_opts) {
495 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
496 if (!opts->mnt_opts_flags) {
502 if (sbsec->flags & FSCONTEXT_MNT) {
503 rc = security_sid_to_context(sbsec->sid, &context, &len);
506 opts->mnt_opts[i] = context;
507 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
509 if (sbsec->flags & CONTEXT_MNT) {
510 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
513 opts->mnt_opts[i] = context;
514 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
516 if (sbsec->flags & DEFCONTEXT_MNT) {
517 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
520 opts->mnt_opts[i] = context;
521 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
523 if (sbsec->flags & ROOTCONTEXT_MNT) {
524 struct inode *root = sbsec->sb->s_root->d_inode;
525 struct inode_security_struct *isec = root->i_security;
527 rc = security_sid_to_context(isec->sid, &context, &len);
530 opts->mnt_opts[i] = context;
531 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
533 if (sbsec->flags & SE_SBLABELSUPP) {
534 opts->mnt_opts[i] = NULL;
535 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
538 BUG_ON(i != opts->num_mnt_opts);
543 security_free_mnt_opts(opts);
547 static int bad_option(struct superblock_security_struct *sbsec, char flag,
548 u32 old_sid, u32 new_sid)
550 char mnt_flags = sbsec->flags & SE_MNTMASK;
552 /* check if the old mount command had the same options */
553 if (sbsec->flags & SE_SBINITIALIZED)
554 if (!(sbsec->flags & flag) ||
555 (old_sid != new_sid))
558 /* check if we were passed the same options twice,
559 * aka someone passed context=a,context=b
561 if (!(sbsec->flags & SE_SBINITIALIZED))
562 if (mnt_flags & flag)
568 * Allow filesystems with binary mount data to explicitly set mount point
569 * labeling information.
571 static int selinux_set_mnt_opts(struct super_block *sb,
572 struct security_mnt_opts *opts)
574 const struct cred *cred = current_cred();
576 struct superblock_security_struct *sbsec = sb->s_security;
577 const char *name = sb->s_type->name;
578 struct inode *inode = sbsec->sb->s_root->d_inode;
579 struct inode_security_struct *root_isec = inode->i_security;
580 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
581 u32 defcontext_sid = 0;
582 char **mount_options = opts->mnt_opts;
583 int *flags = opts->mnt_opts_flags;
584 int num_opts = opts->num_mnt_opts;
586 mutex_lock(&sbsec->lock);
588 if (!ss_initialized) {
590 /* Defer initialization until selinux_complete_init,
591 after the initial policy is loaded and the security
592 server is ready to handle calls. */
596 printk(KERN_WARNING "SELinux: Unable to set superblock options "
597 "before the security server is initialized\n");
602 * Binary mount data FS will come through this function twice. Once
603 * from an explicit call and once from the generic calls from the vfs.
604 * Since the generic VFS calls will not contain any security mount data
605 * we need to skip the double mount verification.
607 * This does open a hole in which we will not notice if the first
608 * mount using this sb set explict options and a second mount using
609 * this sb does not set any security options. (The first options
610 * will be used for both mounts)
612 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
617 * parse the mount options, check if they are valid sids.
618 * also check if someone is trying to mount the same sb more
619 * than once with different security options.
621 for (i = 0; i < num_opts; i++) {
624 if (flags[i] == SE_SBLABELSUPP)
626 rc = security_context_to_sid(mount_options[i],
627 strlen(mount_options[i]), &sid);
629 printk(KERN_WARNING "SELinux: security_context_to_sid"
630 "(%s) failed for (dev %s, type %s) errno=%d\n",
631 mount_options[i], sb->s_id, name, rc);
638 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
640 goto out_double_mount;
642 sbsec->flags |= FSCONTEXT_MNT;
647 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
649 goto out_double_mount;
651 sbsec->flags |= CONTEXT_MNT;
653 case ROOTCONTEXT_MNT:
654 rootcontext_sid = sid;
656 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
658 goto out_double_mount;
660 sbsec->flags |= ROOTCONTEXT_MNT;
664 defcontext_sid = sid;
666 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
668 goto out_double_mount;
670 sbsec->flags |= DEFCONTEXT_MNT;
679 if (sbsec->flags & SE_SBINITIALIZED) {
680 /* previously mounted with options, but not on this attempt? */
681 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
682 goto out_double_mount;
687 if (strcmp(sb->s_type->name, "proc") == 0)
688 sbsec->flags |= SE_SBPROC;
690 /* Determine the labeling behavior to use for this filesystem type. */
691 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
693 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
694 __func__, sb->s_type->name, rc);
698 /* sets the context of the superblock for the fs being mounted. */
700 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
704 sbsec->sid = fscontext_sid;
708 * Switch to using mount point labeling behavior.
709 * sets the label used on all file below the mountpoint, and will set
710 * the superblock context if not already set.
713 if (!fscontext_sid) {
714 rc = may_context_mount_sb_relabel(context_sid, sbsec,
718 sbsec->sid = context_sid;
720 rc = may_context_mount_inode_relabel(context_sid, sbsec,
725 if (!rootcontext_sid)
726 rootcontext_sid = context_sid;
728 sbsec->mntpoint_sid = context_sid;
729 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
732 if (rootcontext_sid) {
733 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
738 root_isec->sid = rootcontext_sid;
739 root_isec->initialized = 1;
742 if (defcontext_sid) {
743 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
745 printk(KERN_WARNING "SELinux: defcontext option is "
746 "invalid for this filesystem type\n");
750 if (defcontext_sid != sbsec->def_sid) {
751 rc = may_context_mount_inode_relabel(defcontext_sid,
757 sbsec->def_sid = defcontext_sid;
760 rc = sb_finish_set_opts(sb);
762 mutex_unlock(&sbsec->lock);
766 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
767 "security settings for (dev %s, type %s)\n", sb->s_id, name);
771 static int selinux_cmp_sb_context(const struct super_block *oldsb,
772 const struct super_block *newsb)
774 struct superblock_security_struct *old = oldsb->s_security;
775 struct superblock_security_struct *new = newsb->s_security;
776 char oldflags = old->flags & SE_MNTMASK;
777 char newflags = new->flags & SE_MNTMASK;
779 if (oldflags != newflags)
781 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
783 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
785 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
787 if (oldflags & ROOTCONTEXT_MNT) {
788 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
789 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
790 if (oldroot->sid != newroot->sid)
795 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
796 "different security settings for (dev %s, "
797 "type %s)\n", newsb->s_id, newsb->s_type->name);
801 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
802 struct super_block *newsb)
804 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
805 struct superblock_security_struct *newsbsec = newsb->s_security;
807 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
808 int set_context = (oldsbsec->flags & CONTEXT_MNT);
809 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
812 * if the parent was able to be mounted it clearly had no special lsm
813 * mount options. thus we can safely deal with this superblock later
818 /* how can we clone if the old one wasn't set up?? */
819 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
821 /* if fs is reusing a sb, make sure that the contexts match */
822 if (newsbsec->flags & SE_SBINITIALIZED)
823 return selinux_cmp_sb_context(oldsb, newsb);
825 mutex_lock(&newsbsec->lock);
827 newsbsec->flags = oldsbsec->flags;
829 newsbsec->sid = oldsbsec->sid;
830 newsbsec->def_sid = oldsbsec->def_sid;
831 newsbsec->behavior = oldsbsec->behavior;
834 u32 sid = oldsbsec->mntpoint_sid;
838 if (!set_rootcontext) {
839 struct inode *newinode = newsb->s_root->d_inode;
840 struct inode_security_struct *newisec = newinode->i_security;
843 newsbsec->mntpoint_sid = sid;
845 if (set_rootcontext) {
846 const struct inode *oldinode = oldsb->s_root->d_inode;
847 const struct inode_security_struct *oldisec = oldinode->i_security;
848 struct inode *newinode = newsb->s_root->d_inode;
849 struct inode_security_struct *newisec = newinode->i_security;
851 newisec->sid = oldisec->sid;
854 sb_finish_set_opts(newsb);
855 mutex_unlock(&newsbsec->lock);
859 static int selinux_parse_opts_str(char *options,
860 struct security_mnt_opts *opts)
863 char *context = NULL, *defcontext = NULL;
864 char *fscontext = NULL, *rootcontext = NULL;
865 int rc, num_mnt_opts = 0;
867 opts->num_mnt_opts = 0;
869 /* Standard string-based options. */
870 while ((p = strsep(&options, "|")) != NULL) {
872 substring_t args[MAX_OPT_ARGS];
877 token = match_token(p, tokens, args);
881 if (context || defcontext) {
883 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
886 context = match_strdup(&args[0]);
896 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
899 fscontext = match_strdup(&args[0]);
906 case Opt_rootcontext:
909 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
912 rootcontext = match_strdup(&args[0]);
920 if (context || defcontext) {
922 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
925 defcontext = match_strdup(&args[0]);
931 case Opt_labelsupport:
935 printk(KERN_WARNING "SELinux: unknown mount option\n");
942 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
946 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
947 if (!opts->mnt_opts_flags) {
948 kfree(opts->mnt_opts);
953 opts->mnt_opts[num_mnt_opts] = fscontext;
954 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
957 opts->mnt_opts[num_mnt_opts] = context;
958 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
961 opts->mnt_opts[num_mnt_opts] = rootcontext;
962 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
965 opts->mnt_opts[num_mnt_opts] = defcontext;
966 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
969 opts->num_mnt_opts = num_mnt_opts;
980 * string mount options parsing and call set the sbsec
982 static int superblock_doinit(struct super_block *sb, void *data)
985 char *options = data;
986 struct security_mnt_opts opts;
988 security_init_mnt_opts(&opts);
993 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
995 rc = selinux_parse_opts_str(options, &opts);
1000 rc = selinux_set_mnt_opts(sb, &opts);
1003 security_free_mnt_opts(&opts);
1007 static void selinux_write_opts(struct seq_file *m,
1008 struct security_mnt_opts *opts)
1013 for (i = 0; i < opts->num_mnt_opts; i++) {
1016 if (opts->mnt_opts[i])
1017 has_comma = strchr(opts->mnt_opts[i], ',');
1021 switch (opts->mnt_opts_flags[i]) {
1023 prefix = CONTEXT_STR;
1026 prefix = FSCONTEXT_STR;
1028 case ROOTCONTEXT_MNT:
1029 prefix = ROOTCONTEXT_STR;
1031 case DEFCONTEXT_MNT:
1032 prefix = DEFCONTEXT_STR;
1034 case SE_SBLABELSUPP:
1036 seq_puts(m, LABELSUPP_STR);
1042 /* we need a comma before each option */
1044 seq_puts(m, prefix);
1047 seq_puts(m, opts->mnt_opts[i]);
1053 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1055 struct security_mnt_opts opts;
1058 rc = selinux_get_mnt_opts(sb, &opts);
1060 /* before policy load we may get EINVAL, don't show anything */
1066 selinux_write_opts(m, &opts);
1068 security_free_mnt_opts(&opts);
1073 static inline u16 inode_mode_to_security_class(umode_t mode)
1075 switch (mode & S_IFMT) {
1077 return SECCLASS_SOCK_FILE;
1079 return SECCLASS_LNK_FILE;
1081 return SECCLASS_FILE;
1083 return SECCLASS_BLK_FILE;
1085 return SECCLASS_DIR;
1087 return SECCLASS_CHR_FILE;
1089 return SECCLASS_FIFO_FILE;
1093 return SECCLASS_FILE;
1096 static inline int default_protocol_stream(int protocol)
1098 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1101 static inline int default_protocol_dgram(int protocol)
1103 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1106 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1112 case SOCK_SEQPACKET:
1113 return SECCLASS_UNIX_STREAM_SOCKET;
1115 return SECCLASS_UNIX_DGRAM_SOCKET;
1122 if (default_protocol_stream(protocol))
1123 return SECCLASS_TCP_SOCKET;
1125 return SECCLASS_RAWIP_SOCKET;
1127 if (default_protocol_dgram(protocol))
1128 return SECCLASS_UDP_SOCKET;
1130 return SECCLASS_RAWIP_SOCKET;
1132 return SECCLASS_DCCP_SOCKET;
1134 return SECCLASS_RAWIP_SOCKET;
1140 return SECCLASS_NETLINK_ROUTE_SOCKET;
1141 case NETLINK_FIREWALL:
1142 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1143 case NETLINK_SOCK_DIAG:
1144 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1146 return SECCLASS_NETLINK_NFLOG_SOCKET;
1148 return SECCLASS_NETLINK_XFRM_SOCKET;
1149 case NETLINK_SELINUX:
1150 return SECCLASS_NETLINK_SELINUX_SOCKET;
1152 return SECCLASS_NETLINK_AUDIT_SOCKET;
1153 case NETLINK_IP6_FW:
1154 return SECCLASS_NETLINK_IP6FW_SOCKET;
1155 case NETLINK_DNRTMSG:
1156 return SECCLASS_NETLINK_DNRT_SOCKET;
1157 case NETLINK_KOBJECT_UEVENT:
1158 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1160 return SECCLASS_NETLINK_SOCKET;
1163 return SECCLASS_PACKET_SOCKET;
1165 return SECCLASS_KEY_SOCKET;
1167 return SECCLASS_APPLETALK_SOCKET;
1170 return SECCLASS_SOCKET;
1173 #ifdef CONFIG_PROC_FS
1174 static int selinux_proc_get_sid(struct dentry *dentry,
1179 char *buffer, *path;
1181 buffer = (char *)__get_free_page(GFP_KERNEL);
1185 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1189 /* each process gets a /proc/PID/ entry. Strip off the
1190 * PID part to get a valid selinux labeling.
1191 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1192 while (path[1] >= '0' && path[1] <= '9') {
1196 rc = security_genfs_sid("proc", path, tclass, sid);
1198 free_page((unsigned long)buffer);
1202 static int selinux_proc_get_sid(struct dentry *dentry,
1210 /* The inode's security attributes must be initialized before first use. */
1211 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1213 struct superblock_security_struct *sbsec = NULL;
1214 struct inode_security_struct *isec = inode->i_security;
1216 struct dentry *dentry;
1217 #define INITCONTEXTLEN 255
1218 char *context = NULL;
1222 if (isec->initialized)
1225 mutex_lock(&isec->lock);
1226 if (isec->initialized)
1229 sbsec = inode->i_sb->s_security;
1230 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1231 /* Defer initialization until selinux_complete_init,
1232 after the initial policy is loaded and the security
1233 server is ready to handle calls. */
1234 spin_lock(&sbsec->isec_lock);
1235 if (list_empty(&isec->list))
1236 list_add(&isec->list, &sbsec->isec_head);
1237 spin_unlock(&sbsec->isec_lock);
1241 switch (sbsec->behavior) {
1242 case SECURITY_FS_USE_XATTR:
1243 if (!inode->i_op->getxattr) {
1244 isec->sid = sbsec->def_sid;
1248 /* Need a dentry, since the xattr API requires one.
1249 Life would be simpler if we could just pass the inode. */
1251 /* Called from d_instantiate or d_splice_alias. */
1252 dentry = dget(opt_dentry);
1254 /* Called from selinux_complete_init, try to find a dentry. */
1255 dentry = d_find_alias(inode);
1259 * this is can be hit on boot when a file is accessed
1260 * before the policy is loaded. When we load policy we
1261 * may find inodes that have no dentry on the
1262 * sbsec->isec_head list. No reason to complain as these
1263 * will get fixed up the next time we go through
1264 * inode_doinit with a dentry, before these inodes could
1265 * be used again by userspace.
1270 len = INITCONTEXTLEN;
1271 context = kmalloc(len+1, GFP_NOFS);
1277 context[len] = '\0';
1278 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1280 if (rc == -ERANGE) {
1283 /* Need a larger buffer. Query for the right size. */
1284 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1291 context = kmalloc(len+1, GFP_NOFS);
1297 context[len] = '\0';
1298 rc = inode->i_op->getxattr(dentry,
1304 if (rc != -ENODATA) {
1305 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1306 "%d for dev=%s ino=%ld\n", __func__,
1307 -rc, inode->i_sb->s_id, inode->i_ino);
1311 /* Map ENODATA to the default file SID */
1312 sid = sbsec->def_sid;
1315 rc = security_context_to_sid_default(context, rc, &sid,
1319 char *dev = inode->i_sb->s_id;
1320 unsigned long ino = inode->i_ino;
1322 if (rc == -EINVAL) {
1323 if (printk_ratelimit())
1324 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1325 "context=%s. This indicates you may need to relabel the inode or the "
1326 "filesystem in question.\n", ino, dev, context);
1328 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1329 "returned %d for dev=%s ino=%ld\n",
1330 __func__, context, -rc, dev, ino);
1333 /* Leave with the unlabeled SID */
1341 case SECURITY_FS_USE_TASK:
1342 isec->sid = isec->task_sid;
1344 case SECURITY_FS_USE_TRANS:
1345 /* Default to the fs SID. */
1346 isec->sid = sbsec->sid;
1348 /* Try to obtain a transition SID. */
1349 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1350 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1351 isec->sclass, NULL, &sid);
1356 case SECURITY_FS_USE_MNTPOINT:
1357 isec->sid = sbsec->mntpoint_sid;
1360 /* Default to the fs superblock SID. */
1361 isec->sid = sbsec->sid;
1363 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1364 /* We must have a dentry to determine the label on
1367 /* Called from d_instantiate or
1368 * d_splice_alias. */
1369 dentry = dget(opt_dentry);
1371 /* Called from selinux_complete_init, try to
1373 dentry = d_find_alias(inode);
1375 * This can be hit on boot when a file is accessed
1376 * before the policy is loaded. When we load policy we
1377 * may find inodes that have no dentry on the
1378 * sbsec->isec_head list. No reason to complain as
1379 * these will get fixed up the next time we go through
1380 * inode_doinit() with a dentry, before these inodes
1381 * could be used again by userspace.
1385 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1386 rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
1395 isec->initialized = 1;
1398 mutex_unlock(&isec->lock);
1400 if (isec->sclass == SECCLASS_FILE)
1401 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1405 /* Convert a Linux signal to an access vector. */
1406 static inline u32 signal_to_av(int sig)
1412 /* Commonly granted from child to parent. */
1413 perm = PROCESS__SIGCHLD;
1416 /* Cannot be caught or ignored */
1417 perm = PROCESS__SIGKILL;
1420 /* Cannot be caught or ignored */
1421 perm = PROCESS__SIGSTOP;
1424 /* All other signals. */
1425 perm = PROCESS__SIGNAL;
1433 * Check permission between a pair of credentials
1434 * fork check, ptrace check, etc.
1436 static int cred_has_perm(const struct cred *actor,
1437 const struct cred *target,
1440 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1442 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1446 * Check permission between a pair of tasks, e.g. signal checks,
1447 * fork check, ptrace check, etc.
1448 * tsk1 is the actor and tsk2 is the target
1449 * - this uses the default subjective creds of tsk1
1451 static int task_has_perm(const struct task_struct *tsk1,
1452 const struct task_struct *tsk2,
1455 const struct task_security_struct *__tsec1, *__tsec2;
1459 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1460 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1462 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1466 * Check permission between current and another task, e.g. signal checks,
1467 * fork check, ptrace check, etc.
1468 * current is the actor and tsk2 is the target
1469 * - this uses current's subjective creds
1471 static int current_has_perm(const struct task_struct *tsk,
1476 sid = current_sid();
1477 tsid = task_sid(tsk);
1478 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1481 #if CAP_LAST_CAP > 63
1482 #error Fix SELinux to handle capabilities > 63.
1485 /* Check whether a task is allowed to use a capability. */
1486 static int cred_has_capability(const struct cred *cred,
1489 struct common_audit_data ad;
1490 struct av_decision avd;
1492 u32 sid = cred_sid(cred);
1493 u32 av = CAP_TO_MASK(cap);
1496 ad.type = LSM_AUDIT_DATA_CAP;
1499 switch (CAP_TO_INDEX(cap)) {
1501 sclass = SECCLASS_CAPABILITY;
1504 sclass = SECCLASS_CAPABILITY2;
1508 "SELinux: out of range capability %d\n", cap);
1513 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1514 if (audit == SECURITY_CAP_AUDIT) {
1515 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1522 /* Check whether a task is allowed to use a system operation. */
1523 static int task_has_system(struct task_struct *tsk,
1526 u32 sid = task_sid(tsk);
1528 return avc_has_perm(sid, SECINITSID_KERNEL,
1529 SECCLASS_SYSTEM, perms, NULL);
1532 /* Check whether a task has a particular permission to an inode.
1533 The 'adp' parameter is optional and allows other audit
1534 data to be passed (e.g. the dentry). */
1535 static int inode_has_perm(const struct cred *cred,
1536 struct inode *inode,
1538 struct common_audit_data *adp,
1541 struct inode_security_struct *isec;
1544 validate_creds(cred);
1546 if (unlikely(IS_PRIVATE(inode)))
1549 sid = cred_sid(cred);
1550 isec = inode->i_security;
1552 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1555 /* Same as inode_has_perm, but pass explicit audit data containing
1556 the dentry to help the auditing code to more easily generate the
1557 pathname if needed. */
1558 static inline int dentry_has_perm(const struct cred *cred,
1559 struct dentry *dentry,
1562 struct inode *inode = dentry->d_inode;
1563 struct common_audit_data ad;
1565 ad.type = LSM_AUDIT_DATA_DENTRY;
1566 ad.u.dentry = dentry;
1567 return inode_has_perm(cred, inode, av, &ad, 0);
1570 /* Same as inode_has_perm, but pass explicit audit data containing
1571 the path to help the auditing code to more easily generate the
1572 pathname if needed. */
1573 static inline int path_has_perm(const struct cred *cred,
1577 struct inode *inode = path->dentry->d_inode;
1578 struct common_audit_data ad;
1580 ad.type = LSM_AUDIT_DATA_PATH;
1582 return inode_has_perm(cred, inode, av, &ad, 0);
1585 /* Check whether a task can use an open file descriptor to
1586 access an inode in a given way. Check access to the
1587 descriptor itself, and then use dentry_has_perm to
1588 check a particular permission to the file.
1589 Access to the descriptor is implicitly granted if it
1590 has the same SID as the process. If av is zero, then
1591 access to the file is not checked, e.g. for cases
1592 where only the descriptor is affected like seek. */
1593 static int file_has_perm(const struct cred *cred,
1597 struct file_security_struct *fsec = file->f_security;
1598 struct inode *inode = file_inode(file);
1599 struct common_audit_data ad;
1600 u32 sid = cred_sid(cred);
1603 ad.type = LSM_AUDIT_DATA_PATH;
1604 ad.u.path = file->f_path;
1606 if (sid != fsec->sid) {
1607 rc = avc_has_perm(sid, fsec->sid,
1615 /* av is zero if only checking access to the descriptor. */
1618 rc = inode_has_perm(cred, inode, av, &ad, 0);
1624 /* Check whether a task can create a file. */
1625 static int may_create(struct inode *dir,
1626 struct dentry *dentry,
1629 const struct task_security_struct *tsec = current_security();
1630 struct inode_security_struct *dsec;
1631 struct superblock_security_struct *sbsec;
1633 struct common_audit_data ad;
1636 dsec = dir->i_security;
1637 sbsec = dir->i_sb->s_security;
1640 newsid = tsec->create_sid;
1642 ad.type = LSM_AUDIT_DATA_DENTRY;
1643 ad.u.dentry = dentry;
1645 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1646 DIR__ADD_NAME | DIR__SEARCH,
1651 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1652 rc = security_transition_sid(sid, dsec->sid, tclass,
1653 &dentry->d_name, &newsid);
1658 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1662 return avc_has_perm(newsid, sbsec->sid,
1663 SECCLASS_FILESYSTEM,
1664 FILESYSTEM__ASSOCIATE, &ad);
1667 /* Check whether a task can create a key. */
1668 static int may_create_key(u32 ksid,
1669 struct task_struct *ctx)
1671 u32 sid = task_sid(ctx);
1673 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1677 #define MAY_UNLINK 1
1680 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1681 static int may_link(struct inode *dir,
1682 struct dentry *dentry,
1686 struct inode_security_struct *dsec, *isec;
1687 struct common_audit_data ad;
1688 u32 sid = current_sid();
1692 dsec = dir->i_security;
1693 isec = dentry->d_inode->i_security;
1695 ad.type = LSM_AUDIT_DATA_DENTRY;
1696 ad.u.dentry = dentry;
1699 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1700 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1715 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1720 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1724 static inline int may_rename(struct inode *old_dir,
1725 struct dentry *old_dentry,
1726 struct inode *new_dir,
1727 struct dentry *new_dentry)
1729 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1730 struct common_audit_data ad;
1731 u32 sid = current_sid();
1733 int old_is_dir, new_is_dir;
1736 old_dsec = old_dir->i_security;
1737 old_isec = old_dentry->d_inode->i_security;
1738 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1739 new_dsec = new_dir->i_security;
1741 ad.type = LSM_AUDIT_DATA_DENTRY;
1743 ad.u.dentry = old_dentry;
1744 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1745 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1748 rc = avc_has_perm(sid, old_isec->sid,
1749 old_isec->sclass, FILE__RENAME, &ad);
1752 if (old_is_dir && new_dir != old_dir) {
1753 rc = avc_has_perm(sid, old_isec->sid,
1754 old_isec->sclass, DIR__REPARENT, &ad);
1759 ad.u.dentry = new_dentry;
1760 av = DIR__ADD_NAME | DIR__SEARCH;
1761 if (new_dentry->d_inode)
1762 av |= DIR__REMOVE_NAME;
1763 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1766 if (new_dentry->d_inode) {
1767 new_isec = new_dentry->d_inode->i_security;
1768 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1769 rc = avc_has_perm(sid, new_isec->sid,
1771 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1779 /* Check whether a task can perform a filesystem operation. */
1780 static int superblock_has_perm(const struct cred *cred,
1781 struct super_block *sb,
1783 struct common_audit_data *ad)
1785 struct superblock_security_struct *sbsec;
1786 u32 sid = cred_sid(cred);
1788 sbsec = sb->s_security;
1789 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1792 /* Convert a Linux mode and permission mask to an access vector. */
1793 static inline u32 file_mask_to_av(int mode, int mask)
1797 if (!S_ISDIR(mode)) {
1798 if (mask & MAY_EXEC)
1799 av |= FILE__EXECUTE;
1800 if (mask & MAY_READ)
1803 if (mask & MAY_APPEND)
1805 else if (mask & MAY_WRITE)
1809 if (mask & MAY_EXEC)
1811 if (mask & MAY_WRITE)
1813 if (mask & MAY_READ)
1820 /* Convert a Linux file to an access vector. */
1821 static inline u32 file_to_av(struct file *file)
1825 if (file->f_mode & FMODE_READ)
1827 if (file->f_mode & FMODE_WRITE) {
1828 if (file->f_flags & O_APPEND)
1835 * Special file opened with flags 3 for ioctl-only use.
1844 * Convert a file to an access vector and include the correct open
1847 static inline u32 open_file_to_av(struct file *file)
1849 u32 av = file_to_av(file);
1851 if (selinux_policycap_openperm)
1857 /* Hook functions begin here. */
1859 static int selinux_ptrace_access_check(struct task_struct *child,
1864 rc = cap_ptrace_access_check(child, mode);
1868 if (mode & PTRACE_MODE_READ) {
1869 u32 sid = current_sid();
1870 u32 csid = task_sid(child);
1871 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1874 return current_has_perm(child, PROCESS__PTRACE);
1877 static int selinux_ptrace_traceme(struct task_struct *parent)
1881 rc = cap_ptrace_traceme(parent);
1885 return task_has_perm(parent, current, PROCESS__PTRACE);
1888 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1889 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1893 error = current_has_perm(target, PROCESS__GETCAP);
1897 return cap_capget(target, effective, inheritable, permitted);
1900 static int selinux_capset(struct cred *new, const struct cred *old,
1901 const kernel_cap_t *effective,
1902 const kernel_cap_t *inheritable,
1903 const kernel_cap_t *permitted)
1907 error = cap_capset(new, old,
1908 effective, inheritable, permitted);
1912 return cred_has_perm(old, new, PROCESS__SETCAP);
1916 * (This comment used to live with the selinux_task_setuid hook,
1917 * which was removed).
1919 * Since setuid only affects the current process, and since the SELinux
1920 * controls are not based on the Linux identity attributes, SELinux does not
1921 * need to control this operation. However, SELinux does control the use of
1922 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1925 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1930 rc = cap_capable(cred, ns, cap, audit);
1934 return cred_has_capability(cred, cap, audit);
1937 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1939 const struct cred *cred = current_cred();
1951 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1956 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1959 rc = 0; /* let the kernel handle invalid cmds */
1965 static int selinux_quota_on(struct dentry *dentry)
1967 const struct cred *cred = current_cred();
1969 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1972 static int selinux_syslog(int type)
1977 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1978 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1979 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1981 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1982 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
1983 /* Set level of messages printed to console */
1984 case SYSLOG_ACTION_CONSOLE_LEVEL:
1985 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1987 case SYSLOG_ACTION_CLOSE: /* Close log */
1988 case SYSLOG_ACTION_OPEN: /* Open log */
1989 case SYSLOG_ACTION_READ: /* Read from log */
1990 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
1991 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
1993 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2000 * Check that a process has enough memory to allocate a new virtual
2001 * mapping. 0 means there is enough memory for the allocation to
2002 * succeed and -ENOMEM implies there is not.
2004 * Do not audit the selinux permission check, as this is applied to all
2005 * processes that allocate mappings.
2007 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2009 int rc, cap_sys_admin = 0;
2011 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
2012 SECURITY_CAP_NOAUDIT);
2016 return __vm_enough_memory(mm, pages, cap_sys_admin);
2019 /* binprm security operations */
2021 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2023 const struct task_security_struct *old_tsec;
2024 struct task_security_struct *new_tsec;
2025 struct inode_security_struct *isec;
2026 struct common_audit_data ad;
2027 struct inode *inode = file_inode(bprm->file);
2030 rc = cap_bprm_set_creds(bprm);
2034 /* SELinux context only depends on initial program or script and not
2035 * the script interpreter */
2036 if (bprm->cred_prepared)
2039 old_tsec = current_security();
2040 new_tsec = bprm->cred->security;
2041 isec = inode->i_security;
2043 /* Default to the current task SID. */
2044 new_tsec->sid = old_tsec->sid;
2045 new_tsec->osid = old_tsec->sid;
2047 /* Reset fs, key, and sock SIDs on execve. */
2048 new_tsec->create_sid = 0;
2049 new_tsec->keycreate_sid = 0;
2050 new_tsec->sockcreate_sid = 0;
2052 if (old_tsec->exec_sid) {
2053 new_tsec->sid = old_tsec->exec_sid;
2054 /* Reset exec SID on execve. */
2055 new_tsec->exec_sid = 0;
2058 * Minimize confusion: if no_new_privs and a transition is
2059 * explicitly requested, then fail the exec.
2061 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2064 /* Check for a default transition on this program. */
2065 rc = security_transition_sid(old_tsec->sid, isec->sid,
2066 SECCLASS_PROCESS, NULL,
2072 ad.type = LSM_AUDIT_DATA_PATH;
2073 ad.u.path = bprm->file->f_path;
2075 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2076 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2077 new_tsec->sid = old_tsec->sid;
2079 if (new_tsec->sid == old_tsec->sid) {
2080 rc = avc_has_perm(old_tsec->sid, isec->sid,
2081 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2085 /* Check permissions for the transition. */
2086 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2087 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2091 rc = avc_has_perm(new_tsec->sid, isec->sid,
2092 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2096 /* Check for shared state */
2097 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2098 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2099 SECCLASS_PROCESS, PROCESS__SHARE,
2105 /* Make sure that anyone attempting to ptrace over a task that
2106 * changes its SID has the appropriate permit */
2108 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2109 struct task_struct *tracer;
2110 struct task_security_struct *sec;
2114 tracer = ptrace_parent(current);
2115 if (likely(tracer != NULL)) {
2116 sec = __task_cred(tracer)->security;
2122 rc = avc_has_perm(ptsid, new_tsec->sid,
2124 PROCESS__PTRACE, NULL);
2130 /* Clear any possibly unsafe personality bits on exec: */
2131 bprm->per_clear |= PER_CLEAR_ON_SETID;
2137 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2139 const struct task_security_struct *tsec = current_security();
2147 /* Enable secure mode for SIDs transitions unless
2148 the noatsecure permission is granted between
2149 the two SIDs, i.e. ahp returns 0. */
2150 atsecure = avc_has_perm(osid, sid,
2152 PROCESS__NOATSECURE, NULL);
2155 return (atsecure || cap_bprm_secureexec(bprm));
2158 static int match_file(const void *p, struct file *file, unsigned fd)
2160 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2163 /* Derived from fs/exec.c:flush_old_files. */
2164 static inline void flush_unauthorized_files(const struct cred *cred,
2165 struct files_struct *files)
2167 struct file *file, *devnull = NULL;
2168 struct tty_struct *tty;
2172 tty = get_current_tty();
2174 spin_lock(&tty_files_lock);
2175 if (!list_empty(&tty->tty_files)) {
2176 struct tty_file_private *file_priv;
2178 /* Revalidate access to controlling tty.
2179 Use path_has_perm on the tty path directly rather
2180 than using file_has_perm, as this particular open
2181 file may belong to another process and we are only
2182 interested in the inode-based check here. */
2183 file_priv = list_first_entry(&tty->tty_files,
2184 struct tty_file_private, list);
2185 file = file_priv->file;
2186 if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
2189 spin_unlock(&tty_files_lock);
2192 /* Reset controlling tty. */
2196 /* Revalidate access to inherited open files. */
2197 n = iterate_fd(files, 0, match_file, cred);
2198 if (!n) /* none found? */
2201 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2202 if (IS_ERR(devnull))
2204 /* replace all the matching ones with this */
2206 replace_fd(n - 1, devnull, 0);
2207 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2213 * Prepare a process for imminent new credential changes due to exec
2215 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2217 struct task_security_struct *new_tsec;
2218 struct rlimit *rlim, *initrlim;
2221 new_tsec = bprm->cred->security;
2222 if (new_tsec->sid == new_tsec->osid)
2225 /* Close files for which the new task SID is not authorized. */
2226 flush_unauthorized_files(bprm->cred, current->files);
2228 /* Always clear parent death signal on SID transitions. */
2229 current->pdeath_signal = 0;
2231 /* Check whether the new SID can inherit resource limits from the old
2232 * SID. If not, reset all soft limits to the lower of the current
2233 * task's hard limit and the init task's soft limit.
2235 * Note that the setting of hard limits (even to lower them) can be
2236 * controlled by the setrlimit check. The inclusion of the init task's
2237 * soft limit into the computation is to avoid resetting soft limits
2238 * higher than the default soft limit for cases where the default is
2239 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2241 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2242 PROCESS__RLIMITINH, NULL);
2244 /* protect against do_prlimit() */
2246 for (i = 0; i < RLIM_NLIMITS; i++) {
2247 rlim = current->signal->rlim + i;
2248 initrlim = init_task.signal->rlim + i;
2249 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2251 task_unlock(current);
2252 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2257 * Clean up the process immediately after the installation of new credentials
2260 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2262 const struct task_security_struct *tsec = current_security();
2263 struct itimerval itimer;
2273 /* Check whether the new SID can inherit signal state from the old SID.
2274 * If not, clear itimers to avoid subsequent signal generation and
2275 * flush and unblock signals.
2277 * This must occur _after_ the task SID has been updated so that any
2278 * kill done after the flush will be checked against the new SID.
2280 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2282 memset(&itimer, 0, sizeof itimer);
2283 for (i = 0; i < 3; i++)
2284 do_setitimer(i, &itimer, NULL);
2285 spin_lock_irq(¤t->sighand->siglock);
2286 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2287 __flush_signals(current);
2288 flush_signal_handlers(current, 1);
2289 sigemptyset(¤t->blocked);
2291 spin_unlock_irq(¤t->sighand->siglock);
2294 /* Wake up the parent if it is waiting so that it can recheck
2295 * wait permission to the new task SID. */
2296 read_lock(&tasklist_lock);
2297 __wake_up_parent(current, current->real_parent);
2298 read_unlock(&tasklist_lock);
2301 /* superblock security operations */
2303 static int selinux_sb_alloc_security(struct super_block *sb)
2305 return superblock_alloc_security(sb);
2308 static void selinux_sb_free_security(struct super_block *sb)
2310 superblock_free_security(sb);
2313 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2318 return !memcmp(prefix, option, plen);
2321 static inline int selinux_option(char *option, int len)
2323 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2324 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2325 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2326 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2327 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2330 static inline void take_option(char **to, char *from, int *first, int len)
2337 memcpy(*to, from, len);
2341 static inline void take_selinux_option(char **to, char *from, int *first,
2344 int current_size = 0;
2352 while (current_size < len) {
2362 static int selinux_sb_copy_data(char *orig, char *copy)
2364 int fnosec, fsec, rc = 0;
2365 char *in_save, *in_curr, *in_end;
2366 char *sec_curr, *nosec_save, *nosec;
2372 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2380 in_save = in_end = orig;
2384 open_quote = !open_quote;
2385 if ((*in_end == ',' && open_quote == 0) ||
2387 int len = in_end - in_curr;
2389 if (selinux_option(in_curr, len))
2390 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2392 take_option(&nosec, in_curr, &fnosec, len);
2394 in_curr = in_end + 1;
2396 } while (*in_end++);
2398 strcpy(in_save, nosec_save);
2399 free_page((unsigned long)nosec_save);
2404 static int selinux_sb_remount(struct super_block *sb, void *data)
2407 struct security_mnt_opts opts;
2408 char *secdata, **mount_options;
2409 struct superblock_security_struct *sbsec = sb->s_security;
2411 if (!(sbsec->flags & SE_SBINITIALIZED))
2417 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2420 security_init_mnt_opts(&opts);
2421 secdata = alloc_secdata();
2424 rc = selinux_sb_copy_data(data, secdata);
2426 goto out_free_secdata;
2428 rc = selinux_parse_opts_str(secdata, &opts);
2430 goto out_free_secdata;
2432 mount_options = opts.mnt_opts;
2433 flags = opts.mnt_opts_flags;
2435 for (i = 0; i < opts.num_mnt_opts; i++) {
2439 if (flags[i] == SE_SBLABELSUPP)
2441 len = strlen(mount_options[i]);
2442 rc = security_context_to_sid(mount_options[i], len, &sid);
2444 printk(KERN_WARNING "SELinux: security_context_to_sid"
2445 "(%s) failed for (dev %s, type %s) errno=%d\n",
2446 mount_options[i], sb->s_id, sb->s_type->name, rc);
2452 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2453 goto out_bad_option;
2456 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2457 goto out_bad_option;
2459 case ROOTCONTEXT_MNT: {
2460 struct inode_security_struct *root_isec;
2461 root_isec = sb->s_root->d_inode->i_security;
2463 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2464 goto out_bad_option;
2467 case DEFCONTEXT_MNT:
2468 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2469 goto out_bad_option;
2478 security_free_mnt_opts(&opts);
2480 free_secdata(secdata);
2483 printk(KERN_WARNING "SELinux: unable to change security options "
2484 "during remount (dev %s, type=%s)\n", sb->s_id,
2489 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2491 const struct cred *cred = current_cred();
2492 struct common_audit_data ad;
2495 rc = superblock_doinit(sb, data);
2499 /* Allow all mounts performed by the kernel */
2500 if (flags & MS_KERNMOUNT)
2503 ad.type = LSM_AUDIT_DATA_DENTRY;
2504 ad.u.dentry = sb->s_root;
2505 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2508 static int selinux_sb_statfs(struct dentry *dentry)
2510 const struct cred *cred = current_cred();
2511 struct common_audit_data ad;
2513 ad.type = LSM_AUDIT_DATA_DENTRY;
2514 ad.u.dentry = dentry->d_sb->s_root;
2515 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2518 static int selinux_mount(const char *dev_name,
2521 unsigned long flags,
2524 const struct cred *cred = current_cred();
2526 if (flags & MS_REMOUNT)
2527 return superblock_has_perm(cred, path->dentry->d_sb,
2528 FILESYSTEM__REMOUNT, NULL);
2530 return path_has_perm(cred, path, FILE__MOUNTON);
2533 static int selinux_umount(struct vfsmount *mnt, int flags)
2535 const struct cred *cred = current_cred();
2537 return superblock_has_perm(cred, mnt->mnt_sb,
2538 FILESYSTEM__UNMOUNT, NULL);
2541 /* inode security operations */
2543 static int selinux_inode_alloc_security(struct inode *inode)
2545 return inode_alloc_security(inode);
2548 static void selinux_inode_free_security(struct inode *inode)
2550 inode_free_security(inode);
2553 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2554 const struct qstr *qstr, char **name,
2555 void **value, size_t *len)
2557 const struct task_security_struct *tsec = current_security();
2558 struct inode_security_struct *dsec;
2559 struct superblock_security_struct *sbsec;
2560 u32 sid, newsid, clen;
2562 char *namep = NULL, *context;
2564 dsec = dir->i_security;
2565 sbsec = dir->i_sb->s_security;
2568 newsid = tsec->create_sid;
2570 if ((sbsec->flags & SE_SBINITIALIZED) &&
2571 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2572 newsid = sbsec->mntpoint_sid;
2573 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2574 rc = security_transition_sid(sid, dsec->sid,
2575 inode_mode_to_security_class(inode->i_mode),
2578 printk(KERN_WARNING "%s: "
2579 "security_transition_sid failed, rc=%d (dev=%s "
2582 -rc, inode->i_sb->s_id, inode->i_ino);
2587 /* Possibly defer initialization to selinux_complete_init. */
2588 if (sbsec->flags & SE_SBINITIALIZED) {
2589 struct inode_security_struct *isec = inode->i_security;
2590 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2592 isec->initialized = 1;
2595 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2599 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2606 rc = security_sid_to_context_force(newsid, &context, &clen);
2618 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2620 return may_create(dir, dentry, SECCLASS_FILE);
2623 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2625 return may_link(dir, old_dentry, MAY_LINK);
2628 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2630 return may_link(dir, dentry, MAY_UNLINK);
2633 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2635 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2638 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2640 return may_create(dir, dentry, SECCLASS_DIR);
2643 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2645 return may_link(dir, dentry, MAY_RMDIR);
2648 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2650 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2653 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2654 struct inode *new_inode, struct dentry *new_dentry)
2656 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2659 static int selinux_inode_readlink(struct dentry *dentry)
2661 const struct cred *cred = current_cred();
2663 return dentry_has_perm(cred, dentry, FILE__READ);
2666 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2668 const struct cred *cred = current_cred();
2670 return dentry_has_perm(cred, dentry, FILE__READ);
2673 static noinline int audit_inode_permission(struct inode *inode,
2674 u32 perms, u32 audited, u32 denied,
2677 struct common_audit_data ad;
2678 struct inode_security_struct *isec = inode->i_security;
2681 ad.type = LSM_AUDIT_DATA_INODE;
2684 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2685 audited, denied, &ad, flags);
2691 static int selinux_inode_permission(struct inode *inode, int mask)
2693 const struct cred *cred = current_cred();
2696 unsigned flags = mask & MAY_NOT_BLOCK;
2697 struct inode_security_struct *isec;
2699 struct av_decision avd;
2701 u32 audited, denied;
2703 from_access = mask & MAY_ACCESS;
2704 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2706 /* No permission to check. Existence test. */
2710 validate_creds(cred);
2712 if (unlikely(IS_PRIVATE(inode)))
2715 perms = file_mask_to_av(inode->i_mode, mask);
2717 sid = cred_sid(cred);
2718 isec = inode->i_security;
2720 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2721 audited = avc_audit_required(perms, &avd, rc,
2722 from_access ? FILE__AUDIT_ACCESS : 0,
2724 if (likely(!audited))
2727 rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
2733 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2735 const struct cred *cred = current_cred();
2736 unsigned int ia_valid = iattr->ia_valid;
2737 __u32 av = FILE__WRITE;
2739 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2740 if (ia_valid & ATTR_FORCE) {
2741 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2747 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2748 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2749 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2751 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2754 return dentry_has_perm(cred, dentry, av);
2757 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2759 const struct cred *cred = current_cred();
2762 path.dentry = dentry;
2765 return path_has_perm(cred, &path, FILE__GETATTR);
2768 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2770 const struct cred *cred = current_cred();
2772 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2773 sizeof XATTR_SECURITY_PREFIX - 1)) {
2774 if (!strcmp(name, XATTR_NAME_CAPS)) {
2775 if (!capable(CAP_SETFCAP))
2777 } else if (!capable(CAP_SYS_ADMIN)) {
2778 /* A different attribute in the security namespace.
2779 Restrict to administrator. */
2784 /* Not an attribute we recognize, so just check the
2785 ordinary setattr permission. */
2786 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2789 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2790 const void *value, size_t size, int flags)
2792 struct inode *inode = dentry->d_inode;
2793 struct inode_security_struct *isec = inode->i_security;
2794 struct superblock_security_struct *sbsec;
2795 struct common_audit_data ad;
2796 u32 newsid, sid = current_sid();
2799 if (strcmp(name, XATTR_NAME_SELINUX))
2800 return selinux_inode_setotherxattr(dentry, name);
2802 sbsec = inode->i_sb->s_security;
2803 if (!(sbsec->flags & SE_SBLABELSUPP))
2806 if (!inode_owner_or_capable(inode))
2809 ad.type = LSM_AUDIT_DATA_DENTRY;
2810 ad.u.dentry = dentry;
2812 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2813 FILE__RELABELFROM, &ad);
2817 rc = security_context_to_sid(value, size, &newsid);
2818 if (rc == -EINVAL) {
2819 if (!capable(CAP_MAC_ADMIN)) {
2820 struct audit_buffer *ab;
2824 /* We strip a nul only if it is at the end, otherwise the
2825 * context contains a nul and we should audit that */
2828 if (str[size - 1] == '\0')
2829 audit_size = size - 1;
2836 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2837 audit_log_format(ab, "op=setxattr invalid_context=");
2838 audit_log_n_untrustedstring(ab, value, audit_size);
2843 rc = security_context_to_sid_force(value, size, &newsid);
2848 rc = avc_has_perm(sid, newsid, isec->sclass,
2849 FILE__RELABELTO, &ad);
2853 rc = security_validate_transition(isec->sid, newsid, sid,
2858 return avc_has_perm(newsid,
2860 SECCLASS_FILESYSTEM,
2861 FILESYSTEM__ASSOCIATE,
2865 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2866 const void *value, size_t size,
2869 struct inode *inode = dentry->d_inode;
2870 struct inode_security_struct *isec = inode->i_security;
2874 if (strcmp(name, XATTR_NAME_SELINUX)) {
2875 /* Not an attribute we recognize, so nothing to do. */
2879 rc = security_context_to_sid_force(value, size, &newsid);
2881 printk(KERN_ERR "SELinux: unable to map context to SID"
2882 "for (%s, %lu), rc=%d\n",
2883 inode->i_sb->s_id, inode->i_ino, -rc);
2891 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2893 const struct cred *cred = current_cred();
2895 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2898 static int selinux_inode_listxattr(struct dentry *dentry)
2900 const struct cred *cred = current_cred();
2902 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2905 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2907 if (strcmp(name, XATTR_NAME_SELINUX))
2908 return selinux_inode_setotherxattr(dentry, name);
2910 /* No one is allowed to remove a SELinux security label.
2911 You can change the label, but all data must be labeled. */
2916 * Copy the inode security context value to the user.
2918 * Permission check is handled by selinux_inode_getxattr hook.
2920 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2924 char *context = NULL;
2925 struct inode_security_struct *isec = inode->i_security;
2927 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2931 * If the caller has CAP_MAC_ADMIN, then get the raw context
2932 * value even if it is not defined by current policy; otherwise,
2933 * use the in-core value under current policy.
2934 * Use the non-auditing forms of the permission checks since
2935 * getxattr may be called by unprivileged processes commonly
2936 * and lack of permission just means that we fall back to the
2937 * in-core context value, not a denial.
2939 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
2940 SECURITY_CAP_NOAUDIT);
2942 error = security_sid_to_context_force(isec->sid, &context,
2945 error = security_sid_to_context(isec->sid, &context, &size);
2958 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2959 const void *value, size_t size, int flags)
2961 struct inode_security_struct *isec = inode->i_security;
2965 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2968 if (!value || !size)
2971 rc = security_context_to_sid((void *)value, size, &newsid);
2976 isec->initialized = 1;
2980 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2982 const int len = sizeof(XATTR_NAME_SELINUX);
2983 if (buffer && len <= buffer_size)
2984 memcpy(buffer, XATTR_NAME_SELINUX, len);
2988 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2990 struct inode_security_struct *isec = inode->i_security;
2994 /* file security operations */
2996 static int selinux_revalidate_file_permission(struct file *file, int mask)
2998 const struct cred *cred = current_cred();
2999 struct inode *inode = file_inode(file);
3001 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3002 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3005 return file_has_perm(cred, file,
3006 file_mask_to_av(inode->i_mode, mask));
3009 static int selinux_file_permission(struct file *file, int mask)
3011 struct inode *inode = file_inode(file);
3012 struct file_security_struct *fsec = file->f_security;
3013 struct inode_security_struct *isec = inode->i_security;
3014 u32 sid = current_sid();
3017 /* No permission to check. Existence test. */
3020 if (sid == fsec->sid && fsec->isid == isec->sid &&
3021 fsec->pseqno == avc_policy_seqno())
3022 /* No change since file_open check. */
3025 return selinux_revalidate_file_permission(file, mask);
3028 static int selinux_file_alloc_security(struct file *file)
3030 return file_alloc_security(file);
3033 static void selinux_file_free_security(struct file *file)
3035 file_free_security(file);
3038 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3041 const struct cred *cred = current_cred();
3051 case FS_IOC_GETFLAGS:
3053 case FS_IOC_GETVERSION:
3054 error = file_has_perm(cred, file, FILE__GETATTR);
3057 case FS_IOC_SETFLAGS:
3059 case FS_IOC_SETVERSION:
3060 error = file_has_perm(cred, file, FILE__SETATTR);
3063 /* sys_ioctl() checks */
3067 error = file_has_perm(cred, file, 0);
3072 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3073 SECURITY_CAP_AUDIT);
3076 /* default case assumes that the command will go
3077 * to the file's ioctl() function.
3080 error = file_has_perm(cred, file, FILE__IOCTL);
3085 static int default_noexec;
3087 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3089 const struct cred *cred = current_cred();
3092 if (default_noexec &&
3093 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3095 * We are making executable an anonymous mapping or a
3096 * private file mapping that will also be writable.
3097 * This has an additional check.
3099 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3105 /* read access is always possible with a mapping */
3106 u32 av = FILE__READ;
3108 /* write access only matters if the mapping is shared */
3109 if (shared && (prot & PROT_WRITE))
3112 if (prot & PROT_EXEC)
3113 av |= FILE__EXECUTE;
3115 return file_has_perm(cred, file, av);
3122 static int selinux_mmap_addr(unsigned long addr)
3125 u32 sid = current_sid();
3128 * notice that we are intentionally putting the SELinux check before
3129 * the secondary cap_file_mmap check. This is such a likely attempt
3130 * at bad behaviour/exploit that we always want to get the AVC, even
3131 * if DAC would have also denied the operation.
3133 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3134 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3135 MEMPROTECT__MMAP_ZERO, NULL);
3140 /* do DAC check on address space usage */
3141 return cap_mmap_addr(addr);
3144 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3145 unsigned long prot, unsigned long flags)
3147 if (selinux_checkreqprot)
3150 return file_map_prot_check(file, prot,
3151 (flags & MAP_TYPE) == MAP_SHARED);
3154 static int selinux_file_mprotect(struct vm_area_struct *vma,
3155 unsigned long reqprot,
3158 const struct cred *cred = current_cred();
3160 if (selinux_checkreqprot)
3163 if (default_noexec &&
3164 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3166 if (vma->vm_start >= vma->vm_mm->start_brk &&
3167 vma->vm_end <= vma->vm_mm->brk) {
3168 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3169 } else if (!vma->vm_file &&
3170 vma->vm_start <= vma->vm_mm->start_stack &&
3171 vma->vm_end >= vma->vm_mm->start_stack) {
3172 rc = current_has_perm(current, PROCESS__EXECSTACK);
3173 } else if (vma->vm_file && vma->anon_vma) {
3175 * We are making executable a file mapping that has
3176 * had some COW done. Since pages might have been
3177 * written, check ability to execute the possibly
3178 * modified content. This typically should only
3179 * occur for text relocations.
3181 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3187 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3190 static int selinux_file_lock(struct file *file, unsigned int cmd)
3192 const struct cred *cred = current_cred();
3194 return file_has_perm(cred, file, FILE__LOCK);
3197 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3200 const struct cred *cred = current_cred();
3205 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3206 err = file_has_perm(cred, file, FILE__WRITE);
3215 case F_GETOWNER_UIDS:
3216 /* Just check FD__USE permission */
3217 err = file_has_perm(cred, file, 0);
3222 #if BITS_PER_LONG == 32
3227 err = file_has_perm(cred, file, FILE__LOCK);
3234 static int selinux_file_set_fowner(struct file *file)
3236 struct file_security_struct *fsec;
3238 fsec = file->f_security;
3239 fsec->fown_sid = current_sid();
3244 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3245 struct fown_struct *fown, int signum)
3248 u32 sid = task_sid(tsk);
3250 struct file_security_struct *fsec;
3252 /* struct fown_struct is never outside the context of a struct file */
3253 file = container_of(fown, struct file, f_owner);
3255 fsec = file->f_security;
3258 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3260 perm = signal_to_av(signum);
3262 return avc_has_perm(fsec->fown_sid, sid,
3263 SECCLASS_PROCESS, perm, NULL);
3266 static int selinux_file_receive(struct file *file)
3268 const struct cred *cred = current_cred();
3270 return file_has_perm(cred, file, file_to_av(file));
3273 static int selinux_file_open(struct file *file, const struct cred *cred)
3275 struct file_security_struct *fsec;
3276 struct inode_security_struct *isec;
3278 fsec = file->f_security;
3279 isec = file_inode(file)->i_security;
3281 * Save inode label and policy sequence number
3282 * at open-time so that selinux_file_permission
3283 * can determine whether revalidation is necessary.
3284 * Task label is already saved in the file security
3285 * struct as its SID.
3287 fsec->isid = isec->sid;
3288 fsec->pseqno = avc_policy_seqno();
3290 * Since the inode label or policy seqno may have changed
3291 * between the selinux_inode_permission check and the saving
3292 * of state above, recheck that access is still permitted.
3293 * Otherwise, access might never be revalidated against the
3294 * new inode label or new policy.
3295 * This check is not redundant - do not remove.
3297 return path_has_perm(cred, &file->f_path, open_file_to_av(file));
3300 /* task security operations */
3302 static int selinux_task_create(unsigned long clone_flags)
3304 return current_has_perm(current, PROCESS__FORK);
3308 * allocate the SELinux part of blank credentials
3310 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3312 struct task_security_struct *tsec;
3314 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3318 cred->security = tsec;
3323 * detach and free the LSM part of a set of credentials
3325 static void selinux_cred_free(struct cred *cred)
3327 struct task_security_struct *tsec = cred->security;
3330 * cred->security == NULL if security_cred_alloc_blank() or
3331 * security_prepare_creds() returned an error.
3333 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3334 cred->security = (void *) 0x7UL;
3339 * prepare a new set of credentials for modification
3341 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3344 const struct task_security_struct *old_tsec;
3345 struct task_security_struct *tsec;
3347 old_tsec = old->security;
3349 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3353 new->security = tsec;
3358 * transfer the SELinux data to a blank set of creds
3360 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3362 const struct task_security_struct *old_tsec = old->security;
3363 struct task_security_struct *tsec = new->security;
3369 * set the security data for a kernel service
3370 * - all the creation contexts are set to unlabelled
3372 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3374 struct task_security_struct *tsec = new->security;
3375 u32 sid = current_sid();
3378 ret = avc_has_perm(sid, secid,
3379 SECCLASS_KERNEL_SERVICE,
3380 KERNEL_SERVICE__USE_AS_OVERRIDE,
3384 tsec->create_sid = 0;
3385 tsec->keycreate_sid = 0;
3386 tsec->sockcreate_sid = 0;
3392 * set the file creation context in a security record to the same as the
3393 * objective context of the specified inode
3395 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3397 struct inode_security_struct *isec = inode->i_security;
3398 struct task_security_struct *tsec = new->security;
3399 u32 sid = current_sid();
3402 ret = avc_has_perm(sid, isec->sid,
3403 SECCLASS_KERNEL_SERVICE,
3404 KERNEL_SERVICE__CREATE_FILES_AS,
3408 tsec->create_sid = isec->sid;
3412 static int selinux_kernel_module_request(char *kmod_name)
3415 struct common_audit_data ad;
3417 sid = task_sid(current);
3419 ad.type = LSM_AUDIT_DATA_KMOD;
3420 ad.u.kmod_name = kmod_name;
3422 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3423 SYSTEM__MODULE_REQUEST, &ad);
3426 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3428 return current_has_perm(p, PROCESS__SETPGID);
3431 static int selinux_task_getpgid(struct task_struct *p)
3433 return current_has_perm(p, PROCESS__GETPGID);
3436 static int selinux_task_getsid(struct task_struct *p)
3438 return current_has_perm(p, PROCESS__GETSESSION);
3441 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3443 *secid = task_sid(p);
3446 static int selinux_task_setnice(struct task_struct *p, int nice)
3450 rc = cap_task_setnice(p, nice);
3454 return current_has_perm(p, PROCESS__SETSCHED);
3457 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3461 rc = cap_task_setioprio(p, ioprio);
3465 return current_has_perm(p, PROCESS__SETSCHED);
3468 static int selinux_task_getioprio(struct task_struct *p)
3470 return current_has_perm(p, PROCESS__GETSCHED);
3473 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3474 struct rlimit *new_rlim)
3476 struct rlimit *old_rlim = p->signal->rlim + resource;
3478 /* Control the ability to change the hard limit (whether
3479 lowering or raising it), so that the hard limit can
3480 later be used as a safe reset point for the soft limit
3481 upon context transitions. See selinux_bprm_committing_creds. */
3482 if (old_rlim->rlim_max != new_rlim->rlim_max)
3483 return current_has_perm(p, PROCESS__SETRLIMIT);
3488 static int selinux_task_setscheduler(struct task_struct *p)
3492 rc = cap_task_setscheduler(p);
3496 return current_has_perm(p, PROCESS__SETSCHED);
3499 static int selinux_task_getscheduler(struct task_struct *p)
3501 return current_has_perm(p, PROCESS__GETSCHED);
3504 static int selinux_task_movememory(struct task_struct *p)
3506 return current_has_perm(p, PROCESS__SETSCHED);
3509 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3516 perm = PROCESS__SIGNULL; /* null signal; existence test */
3518 perm = signal_to_av(sig);
3520 rc = avc_has_perm(secid, task_sid(p),
3521 SECCLASS_PROCESS, perm, NULL);
3523 rc = current_has_perm(p, perm);
3527 static int selinux_task_wait(struct task_struct *p)
3529 return task_has_perm(p, current, PROCESS__SIGCHLD);
3532 static void selinux_task_to_inode(struct task_struct *p,
3533 struct inode *inode)
3535 struct inode_security_struct *isec = inode->i_security;
3536 u32 sid = task_sid(p);
3539 isec->initialized = 1;
3542 /* Returns error only if unable to parse addresses */
3543 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3544 struct common_audit_data *ad, u8 *proto)
3546 int offset, ihlen, ret = -EINVAL;
3547 struct iphdr _iph, *ih;
3549 offset = skb_network_offset(skb);
3550 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3554 ihlen = ih->ihl * 4;
3555 if (ihlen < sizeof(_iph))
3558 ad->u.net->v4info.saddr = ih->saddr;
3559 ad->u.net->v4info.daddr = ih->daddr;
3563 *proto = ih->protocol;
3565 switch (ih->protocol) {
3567 struct tcphdr _tcph, *th;
3569 if (ntohs(ih->frag_off) & IP_OFFSET)
3573 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3577 ad->u.net->sport = th->source;
3578 ad->u.net->dport = th->dest;
3583 struct udphdr _udph, *uh;
3585 if (ntohs(ih->frag_off) & IP_OFFSET)
3589 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3593 ad->u.net->sport = uh->source;
3594 ad->u.net->dport = uh->dest;
3598 case IPPROTO_DCCP: {
3599 struct dccp_hdr _dccph, *dh;
3601 if (ntohs(ih->frag_off) & IP_OFFSET)
3605 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3609 ad->u.net->sport = dh->dccph_sport;
3610 ad->u.net->dport = dh->dccph_dport;
3621 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3623 /* Returns error only if unable to parse addresses */
3624 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3625 struct common_audit_data *ad, u8 *proto)
3628 int ret = -EINVAL, offset;
3629 struct ipv6hdr _ipv6h, *ip6;
3632 offset = skb_network_offset(skb);
3633 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3637 ad->u.net->v6info.saddr = ip6->saddr;
3638 ad->u.net->v6info.daddr = ip6->daddr;
3641 nexthdr = ip6->nexthdr;
3642 offset += sizeof(_ipv6h);
3643 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3652 struct tcphdr _tcph, *th;
3654 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3658 ad->u.net->sport = th->source;
3659 ad->u.net->dport = th->dest;
3664 struct udphdr _udph, *uh;
3666 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3670 ad->u.net->sport = uh->source;
3671 ad->u.net->dport = uh->dest;
3675 case IPPROTO_DCCP: {
3676 struct dccp_hdr _dccph, *dh;
3678 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3682 ad->u.net->sport = dh->dccph_sport;
3683 ad->u.net->dport = dh->dccph_dport;
3687 /* includes fragments */
3697 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3698 char **_addrp, int src, u8 *proto)
3703 switch (ad->u.net->family) {
3705 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3708 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3709 &ad->u.net->v4info.daddr);
3712 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3714 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3717 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3718 &ad->u.net->v6info.daddr);
3728 "SELinux: failure in selinux_parse_skb(),"
3729 " unable to parse packet\n");
3739 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3741 * @family: protocol family
3742 * @sid: the packet's peer label SID
3745 * Check the various different forms of network peer labeling and determine
3746 * the peer label/SID for the packet; most of the magic actually occurs in
3747 * the security server function security_net_peersid_cmp(). The function
3748 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3749 * or -EACCES if @sid is invalid due to inconsistencies with the different
3753 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3760 selinux_xfrm_skb_sid(skb, &xfrm_sid);
3761 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3763 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3764 if (unlikely(err)) {
3766 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3767 " unable to determine packet's peer label\n");
3775 * selinux_conn_sid - Determine the child socket label for a connection
3776 * @sk_sid: the parent socket's SID
3777 * @skb_sid: the packet's SID
3778 * @conn_sid: the resulting connection SID
3780 * If @skb_sid is valid then the user:role:type information from @sk_sid is
3781 * combined with the MLS information from @skb_sid in order to create
3782 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
3783 * of @sk_sid. Returns zero on success, negative values on failure.
3786 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
3790 if (skb_sid != SECSID_NULL)
3791 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
3798 /* socket security operations */
3800 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3801 u16 secclass, u32 *socksid)
3803 if (tsec->sockcreate_sid > SECSID_NULL) {
3804 *socksid = tsec->sockcreate_sid;
3808 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3812 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3814 struct sk_security_struct *sksec = sk->sk_security;
3815 struct common_audit_data ad;
3816 struct lsm_network_audit net = {0,};
3817 u32 tsid = task_sid(task);
3819 if (sksec->sid == SECINITSID_KERNEL)
3822 ad.type = LSM_AUDIT_DATA_NET;
3826 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3829 static int selinux_socket_create(int family, int type,
3830 int protocol, int kern)
3832 const struct task_security_struct *tsec = current_security();
3840 secclass = socket_type_to_security_class(family, type, protocol);
3841 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3845 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3848 static int selinux_socket_post_create(struct socket *sock, int family,
3849 int type, int protocol, int kern)
3851 const struct task_security_struct *tsec = current_security();
3852 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3853 struct sk_security_struct *sksec;
3856 isec->sclass = socket_type_to_security_class(family, type, protocol);
3859 isec->sid = SECINITSID_KERNEL;
3861 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3866 isec->initialized = 1;
3869 sksec = sock->sk->sk_security;
3870 sksec->sid = isec->sid;
3871 sksec->sclass = isec->sclass;
3872 err = selinux_netlbl_socket_post_create(sock->sk, family);
3878 /* Range of port numbers used to automatically bind.
3879 Need to determine whether we should perform a name_bind
3880 permission check between the socket and the port number. */
3882 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3884 struct sock *sk = sock->sk;
3888 err = sock_has_perm(current, sk, SOCKET__BIND);
3893 * If PF_INET or PF_INET6, check name_bind permission for the port.
3894 * Multiple address binding for SCTP is not supported yet: we just
3895 * check the first address now.
3897 family = sk->sk_family;
3898 if (family == PF_INET || family == PF_INET6) {
3900 struct sk_security_struct *sksec = sk->sk_security;
3901 struct common_audit_data ad;
3902 struct lsm_network_audit net = {0,};
3903 struct sockaddr_in *addr4 = NULL;
3904 struct sockaddr_in6 *addr6 = NULL;
3905 unsigned short snum;
3908 if (family == PF_INET) {
3909 addr4 = (struct sockaddr_in *)address;
3910 snum = ntohs(addr4->sin_port);
3911 addrp = (char *)&addr4->sin_addr.s_addr;
3913 addr6 = (struct sockaddr_in6 *)address;
3914 snum = ntohs(addr6->sin6_port);
3915 addrp = (char *)&addr6->sin6_addr.s6_addr;
3921 inet_get_local_port_range(&low, &high);
3923 if (snum < max(PROT_SOCK, low) || snum > high) {
3924 err = sel_netport_sid(sk->sk_protocol,
3928 ad.type = LSM_AUDIT_DATA_NET;
3930 ad.u.net->sport = htons(snum);
3931 ad.u.net->family = family;
3932 err = avc_has_perm(sksec->sid, sid,
3934 SOCKET__NAME_BIND, &ad);
3940 switch (sksec->sclass) {
3941 case SECCLASS_TCP_SOCKET:
3942 node_perm = TCP_SOCKET__NODE_BIND;
3945 case SECCLASS_UDP_SOCKET:
3946 node_perm = UDP_SOCKET__NODE_BIND;
3949 case SECCLASS_DCCP_SOCKET:
3950 node_perm = DCCP_SOCKET__NODE_BIND;
3954 node_perm = RAWIP_SOCKET__NODE_BIND;
3958 err = sel_netnode_sid(addrp, family, &sid);
3962 ad.type = LSM_AUDIT_DATA_NET;
3964 ad.u.net->sport = htons(snum);
3965 ad.u.net->family = family;
3967 if (family == PF_INET)
3968 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
3970 ad.u.net->v6info.saddr = addr6->sin6_addr;
3972 err = avc_has_perm(sksec->sid, sid,
3973 sksec->sclass, node_perm, &ad);
3981 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3983 struct sock *sk = sock->sk;
3984 struct sk_security_struct *sksec = sk->sk_security;
3987 err = sock_has_perm(current, sk, SOCKET__CONNECT);
3992 * If a TCP or DCCP socket, check name_connect permission for the port.
3994 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3995 sksec->sclass == SECCLASS_DCCP_SOCKET) {
3996 struct common_audit_data ad;
3997 struct lsm_network_audit net = {0,};
3998 struct sockaddr_in *addr4 = NULL;
3999 struct sockaddr_in6 *addr6 = NULL;
4000 unsigned short snum;
4003 if (sk->sk_family == PF_INET) {
4004 addr4 = (struct sockaddr_in *)address;
4005 if (addrlen < sizeof(struct sockaddr_in))
4007 snum = ntohs(addr4->sin_port);
4009 addr6 = (struct sockaddr_in6 *)address;
4010 if (addrlen < SIN6_LEN_RFC2133)
4012 snum = ntohs(addr6->sin6_port);
4015 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4019 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4020 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4022 ad.type = LSM_AUDIT_DATA_NET;
4024 ad.u.net->dport = htons(snum);
4025 ad.u.net->family = sk->sk_family;
4026 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4031 err = selinux_netlbl_socket_connect(sk, address);
4037 static int selinux_socket_listen(struct socket *sock, int backlog)
4039 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4042 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4045 struct inode_security_struct *isec;
4046 struct inode_security_struct *newisec;
4048 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4052 newisec = SOCK_INODE(newsock)->i_security;
4054 isec = SOCK_INODE(sock)->i_security;
4055 newisec->sclass = isec->sclass;
4056 newisec->sid = isec->sid;
4057 newisec->initialized = 1;
4062 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4065 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4068 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4069 int size, int flags)
4071 return sock_has_perm(current, sock->sk, SOCKET__READ);
4074 static int selinux_socket_getsockname(struct socket *sock)
4076 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4079 static int selinux_socket_getpeername(struct socket *sock)
4081 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4084 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4088 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4092 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4095 static int selinux_socket_getsockopt(struct socket *sock, int level,
4098 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4101 static int selinux_socket_shutdown(struct socket *sock, int how)
4103 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4106 static int selinux_socket_unix_stream_connect(struct sock *sock,
4110 struct sk_security_struct *sksec_sock = sock->sk_security;
4111 struct sk_security_struct *sksec_other = other->sk_security;
4112 struct sk_security_struct *sksec_new = newsk->sk_security;
4113 struct common_audit_data ad;
4114 struct lsm_network_audit net = {0,};
4117 ad.type = LSM_AUDIT_DATA_NET;
4119 ad.u.net->sk = other;
4121 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4122 sksec_other->sclass,
4123 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4127 /* server child socket */
4128 sksec_new->peer_sid = sksec_sock->sid;
4129 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4134 /* connecting socket */
4135 sksec_sock->peer_sid = sksec_new->sid;
4140 static int selinux_socket_unix_may_send(struct socket *sock,
4141 struct socket *other)
4143 struct sk_security_struct *ssec = sock->sk->sk_security;
4144 struct sk_security_struct *osec = other->sk->sk_security;
4145 struct common_audit_data ad;
4146 struct lsm_network_audit net = {0,};
4148 ad.type = LSM_AUDIT_DATA_NET;
4150 ad.u.net->sk = other->sk;
4152 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4156 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4158 struct common_audit_data *ad)
4164 err = sel_netif_sid(ifindex, &if_sid);
4167 err = avc_has_perm(peer_sid, if_sid,
4168 SECCLASS_NETIF, NETIF__INGRESS, ad);
4172 err = sel_netnode_sid(addrp, family, &node_sid);
4175 return avc_has_perm(peer_sid, node_sid,
4176 SECCLASS_NODE, NODE__RECVFROM, ad);
4179 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4183 struct sk_security_struct *sksec = sk->sk_security;
4184 u32 sk_sid = sksec->sid;
4185 struct common_audit_data ad;
4186 struct lsm_network_audit net = {0,};
4189 ad.type = LSM_AUDIT_DATA_NET;
4191 ad.u.net->netif = skb->skb_iif;
4192 ad.u.net->family = family;
4193 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4197 if (selinux_secmark_enabled()) {
4198 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4204 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4207 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4212 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4215 struct sk_security_struct *sksec = sk->sk_security;
4216 u16 family = sk->sk_family;
4217 u32 sk_sid = sksec->sid;
4218 struct common_audit_data ad;
4219 struct lsm_network_audit net = {0,};
4224 if (family != PF_INET && family != PF_INET6)
4227 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4228 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4231 /* If any sort of compatibility mode is enabled then handoff processing
4232 * to the selinux_sock_rcv_skb_compat() function to deal with the
4233 * special handling. We do this in an attempt to keep this function
4234 * as fast and as clean as possible. */
4235 if (!selinux_policycap_netpeer)
4236 return selinux_sock_rcv_skb_compat(sk, skb, family);
4238 secmark_active = selinux_secmark_enabled();
4239 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4240 if (!secmark_active && !peerlbl_active)
4243 ad.type = LSM_AUDIT_DATA_NET;
4245 ad.u.net->netif = skb->skb_iif;
4246 ad.u.net->family = family;
4247 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4251 if (peerlbl_active) {
4254 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4257 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4260 selinux_netlbl_err(skb, err, 0);
4263 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4266 selinux_netlbl_err(skb, err, 0);
4271 if (secmark_active) {
4272 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4281 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4282 int __user *optlen, unsigned len)
4287 struct sk_security_struct *sksec = sock->sk->sk_security;
4288 u32 peer_sid = SECSID_NULL;
4290 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4291 sksec->sclass == SECCLASS_TCP_SOCKET)
4292 peer_sid = sksec->peer_sid;
4293 if (peer_sid == SECSID_NULL)
4294 return -ENOPROTOOPT;
4296 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4300 if (scontext_len > len) {
4305 if (copy_to_user(optval, scontext, scontext_len))
4309 if (put_user(scontext_len, optlen))
4315 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4317 u32 peer_secid = SECSID_NULL;
4320 if (skb && skb->protocol == htons(ETH_P_IP))
4322 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4325 family = sock->sk->sk_family;
4329 if (sock && family == PF_UNIX)
4330 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4332 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4335 *secid = peer_secid;
4336 if (peer_secid == SECSID_NULL)
4341 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4343 struct sk_security_struct *sksec;
4345 sksec = kzalloc(sizeof(*sksec), priority);
4349 sksec->peer_sid = SECINITSID_UNLABELED;
4350 sksec->sid = SECINITSID_UNLABELED;
4351 selinux_netlbl_sk_security_reset(sksec);
4352 sk->sk_security = sksec;
4357 static void selinux_sk_free_security(struct sock *sk)
4359 struct sk_security_struct *sksec = sk->sk_security;
4361 sk->sk_security = NULL;
4362 selinux_netlbl_sk_security_free(sksec);
4366 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4368 struct sk_security_struct *sksec = sk->sk_security;
4369 struct sk_security_struct *newsksec = newsk->sk_security;
4371 newsksec->sid = sksec->sid;
4372 newsksec->peer_sid = sksec->peer_sid;
4373 newsksec->sclass = sksec->sclass;
4375 selinux_netlbl_sk_security_reset(newsksec);
4378 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4381 *secid = SECINITSID_ANY_SOCKET;
4383 struct sk_security_struct *sksec = sk->sk_security;
4385 *secid = sksec->sid;
4389 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4391 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4392 struct sk_security_struct *sksec = sk->sk_security;
4394 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4395 sk->sk_family == PF_UNIX)
4396 isec->sid = sksec->sid;
4397 sksec->sclass = isec->sclass;
4400 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4401 struct request_sock *req)
4403 struct sk_security_struct *sksec = sk->sk_security;
4405 u16 family = sk->sk_family;
4409 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4410 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4413 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4416 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4419 req->secid = connsid;
4420 req->peer_secid = peersid;
4422 return selinux_netlbl_inet_conn_request(req, family);
4425 static void selinux_inet_csk_clone(struct sock *newsk,
4426 const struct request_sock *req)
4428 struct sk_security_struct *newsksec = newsk->sk_security;
4430 newsksec->sid = req->secid;
4431 newsksec->peer_sid = req->peer_secid;
4432 /* NOTE: Ideally, we should also get the isec->sid for the
4433 new socket in sync, but we don't have the isec available yet.
4434 So we will wait until sock_graft to do it, by which
4435 time it will have been created and available. */
4437 /* We don't need to take any sort of lock here as we are the only
4438 * thread with access to newsksec */
4439 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4442 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4444 u16 family = sk->sk_family;
4445 struct sk_security_struct *sksec = sk->sk_security;
4447 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4448 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4451 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4454 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4456 skb_set_owner_w(skb, sk);
4459 static int selinux_secmark_relabel_packet(u32 sid)
4461 const struct task_security_struct *__tsec;
4464 __tsec = current_security();
4467 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4470 static void selinux_secmark_refcount_inc(void)
4472 atomic_inc(&selinux_secmark_refcount);
4475 static void selinux_secmark_refcount_dec(void)
4477 atomic_dec(&selinux_secmark_refcount);
4480 static void selinux_req_classify_flow(const struct request_sock *req,
4483 fl->flowi_secid = req->secid;
4486 static int selinux_tun_dev_alloc_security(void **security)
4488 struct tun_security_struct *tunsec;
4490 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4493 tunsec->sid = current_sid();
4499 static void selinux_tun_dev_free_security(void *security)
4504 static int selinux_tun_dev_create(void)
4506 u32 sid = current_sid();
4508 /* we aren't taking into account the "sockcreate" SID since the socket
4509 * that is being created here is not a socket in the traditional sense,
4510 * instead it is a private sock, accessible only to the kernel, and
4511 * representing a wide range of network traffic spanning multiple
4512 * connections unlike traditional sockets - check the TUN driver to
4513 * get a better understanding of why this socket is special */
4515 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4519 static int selinux_tun_dev_attach_queue(void *security)
4521 struct tun_security_struct *tunsec = security;
4523 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4524 TUN_SOCKET__ATTACH_QUEUE, NULL);
4527 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4529 struct tun_security_struct *tunsec = security;
4530 struct sk_security_struct *sksec = sk->sk_security;
4532 /* we don't currently perform any NetLabel based labeling here and it
4533 * isn't clear that we would want to do so anyway; while we could apply
4534 * labeling without the support of the TUN user the resulting labeled
4535 * traffic from the other end of the connection would almost certainly
4536 * cause confusion to the TUN user that had no idea network labeling
4537 * protocols were being used */
4539 sksec->sid = tunsec->sid;
4540 sksec->sclass = SECCLASS_TUN_SOCKET;
4545 static int selinux_tun_dev_open(void *security)
4547 struct tun_security_struct *tunsec = security;
4548 u32 sid = current_sid();
4551 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4552 TUN_SOCKET__RELABELFROM, NULL);
4555 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4556 TUN_SOCKET__RELABELTO, NULL);
4564 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4568 struct nlmsghdr *nlh;
4569 struct sk_security_struct *sksec = sk->sk_security;
4571 if (skb->len < NLMSG_HDRLEN) {
4575 nlh = nlmsg_hdr(skb);
4577 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4579 if (err == -EINVAL) {
4580 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4581 "SELinux: unrecognized netlink message"
4582 " type=%hu for sclass=%hu\n",
4583 nlh->nlmsg_type, sksec->sclass);
4584 if (!selinux_enforcing || security_get_allow_unknown())
4594 err = sock_has_perm(current, sk, perm);
4599 #ifdef CONFIG_NETFILTER
4601 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4607 struct common_audit_data ad;
4608 struct lsm_network_audit net = {0,};
4613 if (!selinux_policycap_netpeer)
4616 secmark_active = selinux_secmark_enabled();
4617 netlbl_active = netlbl_enabled();
4618 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4619 if (!secmark_active && !peerlbl_active)
4622 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4625 ad.type = LSM_AUDIT_DATA_NET;
4627 ad.u.net->netif = ifindex;
4628 ad.u.net->family = family;
4629 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4632 if (peerlbl_active) {
4633 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4636 selinux_netlbl_err(skb, err, 1);
4642 if (avc_has_perm(peer_sid, skb->secmark,
4643 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4647 /* we do this in the FORWARD path and not the POST_ROUTING
4648 * path because we want to make sure we apply the necessary
4649 * labeling before IPsec is applied so we can leverage AH
4651 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4657 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4658 struct sk_buff *skb,
4659 const struct net_device *in,
4660 const struct net_device *out,
4661 int (*okfn)(struct sk_buff *))
4663 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4666 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4667 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4668 struct sk_buff *skb,
4669 const struct net_device *in,
4670 const struct net_device *out,
4671 int (*okfn)(struct sk_buff *))
4673 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4677 static unsigned int selinux_ip_output(struct sk_buff *skb,
4683 if (!netlbl_enabled())
4686 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4687 * because we want to make sure we apply the necessary labeling
4688 * before IPsec is applied so we can leverage AH protection */
4691 struct sk_security_struct *sksec;
4693 if (sk->sk_state == TCP_LISTEN)
4694 /* if the socket is the listening state then this
4695 * packet is a SYN-ACK packet which means it needs to
4696 * be labeled based on the connection/request_sock and
4697 * not the parent socket. unfortunately, we can't
4698 * lookup the request_sock yet as it isn't queued on
4699 * the parent socket until after the SYN-ACK is sent.
4700 * the "solution" is to simply pass the packet as-is
4701 * as any IP option based labeling should be copied
4702 * from the initial connection request (in the IP
4703 * layer). it is far from ideal, but until we get a
4704 * security label in the packet itself this is the
4705 * best we can do. */
4708 /* standard practice, label using the parent socket */
4709 sksec = sk->sk_security;
4712 sid = SECINITSID_KERNEL;
4713 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4719 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4720 struct sk_buff *skb,
4721 const struct net_device *in,
4722 const struct net_device *out,
4723 int (*okfn)(struct sk_buff *))
4725 return selinux_ip_output(skb, PF_INET);
4728 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4732 struct sock *sk = skb->sk;
4733 struct sk_security_struct *sksec;
4734 struct common_audit_data ad;
4735 struct lsm_network_audit net = {0,};
4741 sksec = sk->sk_security;
4743 ad.type = LSM_AUDIT_DATA_NET;
4745 ad.u.net->netif = ifindex;
4746 ad.u.net->family = family;
4747 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4750 if (selinux_secmark_enabled())
4751 if (avc_has_perm(sksec->sid, skb->secmark,
4752 SECCLASS_PACKET, PACKET__SEND, &ad))
4753 return NF_DROP_ERR(-ECONNREFUSED);
4755 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4756 return NF_DROP_ERR(-ECONNREFUSED);
4761 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4767 struct common_audit_data ad;
4768 struct lsm_network_audit net = {0,};
4773 /* If any sort of compatibility mode is enabled then handoff processing
4774 * to the selinux_ip_postroute_compat() function to deal with the
4775 * special handling. We do this in an attempt to keep this function
4776 * as fast and as clean as possible. */
4777 if (!selinux_policycap_netpeer)
4778 return selinux_ip_postroute_compat(skb, ifindex, family);
4780 secmark_active = selinux_secmark_enabled();
4781 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4782 if (!secmark_active && !peerlbl_active)
4788 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4789 * packet transformation so allow the packet to pass without any checks
4790 * since we'll have another chance to perform access control checks
4791 * when the packet is on it's final way out.
4792 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4793 * is NULL, in this case go ahead and apply access control.
4794 * is NULL, in this case go ahead and apply access control.
4795 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
4796 * TCP listening state we cannot wait until the XFRM processing
4797 * is done as we will miss out on the SA label if we do;
4798 * unfortunately, this means more work, but it is only once per
4800 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
4801 !(sk != NULL && sk->sk_state == TCP_LISTEN))
4806 /* Without an associated socket the packet is either coming
4807 * from the kernel or it is being forwarded; check the packet
4808 * to determine which and if the packet is being forwarded
4809 * query the packet directly to determine the security label. */
4811 secmark_perm = PACKET__FORWARD_OUT;
4812 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4815 secmark_perm = PACKET__SEND;
4816 peer_sid = SECINITSID_KERNEL;
4818 } else if (sk->sk_state == TCP_LISTEN) {
4819 /* Locally generated packet but the associated socket is in the
4820 * listening state which means this is a SYN-ACK packet. In
4821 * this particular case the correct security label is assigned
4822 * to the connection/request_sock but unfortunately we can't
4823 * query the request_sock as it isn't queued on the parent
4824 * socket until after the SYN-ACK packet is sent; the only
4825 * viable choice is to regenerate the label like we do in
4826 * selinux_inet_conn_request(). See also selinux_ip_output()
4827 * for similar problems. */
4829 struct sk_security_struct *sksec = sk->sk_security;
4830 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
4832 /* At this point, if the returned skb peerlbl is SECSID_NULL
4833 * and the packet has been through at least one XFRM
4834 * transformation then we must be dealing with the "final"
4835 * form of labeled IPsec packet; since we've already applied
4836 * all of our access controls on this packet we can safely
4837 * pass the packet. */
4838 if (skb_sid == SECSID_NULL) {
4841 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
4845 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
4848 return NF_DROP_ERR(-ECONNREFUSED);
4851 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
4853 secmark_perm = PACKET__SEND;
4855 /* Locally generated packet, fetch the security label from the
4856 * associated socket. */
4857 struct sk_security_struct *sksec = sk->sk_security;
4858 peer_sid = sksec->sid;
4859 secmark_perm = PACKET__SEND;
4862 ad.type = LSM_AUDIT_DATA_NET;
4864 ad.u.net->netif = ifindex;
4865 ad.u.net->family = family;
4866 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4870 if (avc_has_perm(peer_sid, skb->secmark,
4871 SECCLASS_PACKET, secmark_perm, &ad))
4872 return NF_DROP_ERR(-ECONNREFUSED);
4874 if (peerlbl_active) {
4878 if (sel_netif_sid(ifindex, &if_sid))
4880 if (avc_has_perm(peer_sid, if_sid,
4881 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4882 return NF_DROP_ERR(-ECONNREFUSED);
4884 if (sel_netnode_sid(addrp, family, &node_sid))
4886 if (avc_has_perm(peer_sid, node_sid,
4887 SECCLASS_NODE, NODE__SENDTO, &ad))
4888 return NF_DROP_ERR(-ECONNREFUSED);
4894 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4895 struct sk_buff *skb,
4896 const struct net_device *in,
4897 const struct net_device *out,
4898 int (*okfn)(struct sk_buff *))
4900 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4903 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4904 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4905 struct sk_buff *skb,
4906 const struct net_device *in,
4907 const struct net_device *out,
4908 int (*okfn)(struct sk_buff *))
4910 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4914 #endif /* CONFIG_NETFILTER */
4916 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4920 err = cap_netlink_send(sk, skb);
4924 return selinux_nlmsg_perm(sk, skb);
4927 static int ipc_alloc_security(struct task_struct *task,
4928 struct kern_ipc_perm *perm,
4931 struct ipc_security_struct *isec;
4934 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4938 sid = task_sid(task);
4939 isec->sclass = sclass;
4941 perm->security = isec;
4946 static void ipc_free_security(struct kern_ipc_perm *perm)
4948 struct ipc_security_struct *isec = perm->security;
4949 perm->security = NULL;
4953 static int msg_msg_alloc_security(struct msg_msg *msg)
4955 struct msg_security_struct *msec;
4957 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4961 msec->sid = SECINITSID_UNLABELED;
4962 msg->security = msec;
4967 static void msg_msg_free_security(struct msg_msg *msg)
4969 struct msg_security_struct *msec = msg->security;
4971 msg->security = NULL;
4975 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4978 struct ipc_security_struct *isec;
4979 struct common_audit_data ad;
4980 u32 sid = current_sid();
4982 isec = ipc_perms->security;
4984 ad.type = LSM_AUDIT_DATA_IPC;
4985 ad.u.ipc_id = ipc_perms->key;
4987 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4990 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4992 return msg_msg_alloc_security(msg);
4995 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4997 msg_msg_free_security(msg);
5000 /* message queue security operations */
5001 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5003 struct ipc_security_struct *isec;
5004 struct common_audit_data ad;
5005 u32 sid = current_sid();
5008 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5012 isec = msq->q_perm.security;
5014 ad.type = LSM_AUDIT_DATA_IPC;
5015 ad.u.ipc_id = msq->q_perm.key;
5017 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5020 ipc_free_security(&msq->q_perm);
5026 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5028 ipc_free_security(&msq->q_perm);
5031 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5033 struct ipc_security_struct *isec;
5034 struct common_audit_data ad;
5035 u32 sid = current_sid();
5037 isec = msq->q_perm.security;
5039 ad.type = LSM_AUDIT_DATA_IPC;
5040 ad.u.ipc_id = msq->q_perm.key;
5042 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5043 MSGQ__ASSOCIATE, &ad);
5046 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5054 /* No specific object, just general system-wide information. */
5055 return task_has_system(current, SYSTEM__IPC_INFO);
5058 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5061 perms = MSGQ__SETATTR;
5064 perms = MSGQ__DESTROY;
5070 err = ipc_has_perm(&msq->q_perm, perms);
5074 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5076 struct ipc_security_struct *isec;
5077 struct msg_security_struct *msec;
5078 struct common_audit_data ad;
5079 u32 sid = current_sid();
5082 isec = msq->q_perm.security;
5083 msec = msg->security;
5086 * First time through, need to assign label to the message
5088 if (msec->sid == SECINITSID_UNLABELED) {
5090 * Compute new sid based on current process and
5091 * message queue this message will be stored in
5093 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5099 ad.type = LSM_AUDIT_DATA_IPC;
5100 ad.u.ipc_id = msq->q_perm.key;
5102 /* Can this process write to the queue? */
5103 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5106 /* Can this process send the message */
5107 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5110 /* Can the message be put in the queue? */
5111 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5112 MSGQ__ENQUEUE, &ad);
5117 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5118 struct task_struct *target,
5119 long type, int mode)
5121 struct ipc_security_struct *isec;
5122 struct msg_security_struct *msec;
5123 struct common_audit_data ad;
5124 u32 sid = task_sid(target);
5127 isec = msq->q_perm.security;
5128 msec = msg->security;
5130 ad.type = LSM_AUDIT_DATA_IPC;
5131 ad.u.ipc_id = msq->q_perm.key;
5133 rc = avc_has_perm(sid, isec->sid,
5134 SECCLASS_MSGQ, MSGQ__READ, &ad);
5136 rc = avc_has_perm(sid, msec->sid,
5137 SECCLASS_MSG, MSG__RECEIVE, &ad);
5141 /* Shared Memory security operations */
5142 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5144 struct ipc_security_struct *isec;
5145 struct common_audit_data ad;
5146 u32 sid = current_sid();
5149 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5153 isec = shp->shm_perm.security;
5155 ad.type = LSM_AUDIT_DATA_IPC;
5156 ad.u.ipc_id = shp->shm_perm.key;
5158 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5161 ipc_free_security(&shp->shm_perm);
5167 static void selinux_shm_free_security(struct shmid_kernel *shp)
5169 ipc_free_security(&shp->shm_perm);
5172 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5174 struct ipc_security_struct *isec;
5175 struct common_audit_data ad;
5176 u32 sid = current_sid();
5178 isec = shp->shm_perm.security;
5180 ad.type = LSM_AUDIT_DATA_IPC;
5181 ad.u.ipc_id = shp->shm_perm.key;
5183 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5184 SHM__ASSOCIATE, &ad);
5187 /* Note, at this point, shp is locked down */
5188 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5196 /* No specific object, just general system-wide information. */
5197 return task_has_system(current, SYSTEM__IPC_INFO);
5200 perms = SHM__GETATTR | SHM__ASSOCIATE;
5203 perms = SHM__SETATTR;
5210 perms = SHM__DESTROY;
5216 err = ipc_has_perm(&shp->shm_perm, perms);
5220 static int selinux_shm_shmat(struct shmid_kernel *shp,
5221 char __user *shmaddr, int shmflg)
5225 if (shmflg & SHM_RDONLY)
5228 perms = SHM__READ | SHM__WRITE;
5230 return ipc_has_perm(&shp->shm_perm, perms);
5233 /* Semaphore security operations */
5234 static int selinux_sem_alloc_security(struct sem_array *sma)
5236 struct ipc_security_struct *isec;
5237 struct common_audit_data ad;
5238 u32 sid = current_sid();
5241 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5245 isec = sma->sem_perm.security;
5247 ad.type = LSM_AUDIT_DATA_IPC;
5248 ad.u.ipc_id = sma->sem_perm.key;
5250 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5253 ipc_free_security(&sma->sem_perm);
5259 static void selinux_sem_free_security(struct sem_array *sma)
5261 ipc_free_security(&sma->sem_perm);
5264 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5266 struct ipc_security_struct *isec;
5267 struct common_audit_data ad;
5268 u32 sid = current_sid();
5270 isec = sma->sem_perm.security;
5272 ad.type = LSM_AUDIT_DATA_IPC;
5273 ad.u.ipc_id = sma->sem_perm.key;
5275 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5276 SEM__ASSOCIATE, &ad);
5279 /* Note, at this point, sma is locked down */
5280 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5288 /* No specific object, just general system-wide information. */
5289 return task_has_system(current, SYSTEM__IPC_INFO);
5293 perms = SEM__GETATTR;
5304 perms = SEM__DESTROY;
5307 perms = SEM__SETATTR;
5311 perms = SEM__GETATTR | SEM__ASSOCIATE;
5317 err = ipc_has_perm(&sma->sem_perm, perms);
5321 static int selinux_sem_semop(struct sem_array *sma,
5322 struct sembuf *sops, unsigned nsops, int alter)
5327 perms = SEM__READ | SEM__WRITE;
5331 return ipc_has_perm(&sma->sem_perm, perms);
5334 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5340 av |= IPC__UNIX_READ;
5342 av |= IPC__UNIX_WRITE;
5347 return ipc_has_perm(ipcp, av);
5350 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5352 struct ipc_security_struct *isec = ipcp->security;
5356 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5359 inode_doinit_with_dentry(inode, dentry);
5362 static int selinux_getprocattr(struct task_struct *p,
5363 char *name, char **value)
5365 const struct task_security_struct *__tsec;
5371 error = current_has_perm(p, PROCESS__GETATTR);
5377 __tsec = __task_cred(p)->security;
5379 if (!strcmp(name, "current"))
5381 else if (!strcmp(name, "prev"))
5383 else if (!strcmp(name, "exec"))
5384 sid = __tsec->exec_sid;
5385 else if (!strcmp(name, "fscreate"))
5386 sid = __tsec->create_sid;
5387 else if (!strcmp(name, "keycreate"))
5388 sid = __tsec->keycreate_sid;
5389 else if (!strcmp(name, "sockcreate"))
5390 sid = __tsec->sockcreate_sid;
5398 error = security_sid_to_context(sid, value, &len);
5408 static int selinux_setprocattr(struct task_struct *p,
5409 char *name, void *value, size_t size)
5411 struct task_security_struct *tsec;
5412 struct task_struct *tracer;
5419 /* SELinux only allows a process to change its own
5420 security attributes. */
5425 * Basic control over ability to set these attributes at all.
5426 * current == p, but we'll pass them separately in case the
5427 * above restriction is ever removed.
5429 if (!strcmp(name, "exec"))
5430 error = current_has_perm(p, PROCESS__SETEXEC);
5431 else if (!strcmp(name, "fscreate"))
5432 error = current_has_perm(p, PROCESS__SETFSCREATE);
5433 else if (!strcmp(name, "keycreate"))
5434 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5435 else if (!strcmp(name, "sockcreate"))
5436 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5437 else if (!strcmp(name, "current"))
5438 error = current_has_perm(p, PROCESS__SETCURRENT);
5444 /* Obtain a SID for the context, if one was specified. */
5445 if (size && str[1] && str[1] != '\n') {
5446 if (str[size-1] == '\n') {
5450 error = security_context_to_sid(value, size, &sid);
5451 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5452 if (!capable(CAP_MAC_ADMIN)) {
5453 struct audit_buffer *ab;
5456 /* We strip a nul only if it is at the end, otherwise the
5457 * context contains a nul and we should audit that */
5458 if (str[size - 1] == '\0')
5459 audit_size = size - 1;
5462 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5463 audit_log_format(ab, "op=fscreate invalid_context=");
5464 audit_log_n_untrustedstring(ab, value, audit_size);
5469 error = security_context_to_sid_force(value, size,
5476 new = prepare_creds();
5480 /* Permission checking based on the specified context is
5481 performed during the actual operation (execve,
5482 open/mkdir/...), when we know the full context of the
5483 operation. See selinux_bprm_set_creds for the execve
5484 checks and may_create for the file creation checks. The
5485 operation will then fail if the context is not permitted. */
5486 tsec = new->security;
5487 if (!strcmp(name, "exec")) {
5488 tsec->exec_sid = sid;
5489 } else if (!strcmp(name, "fscreate")) {
5490 tsec->create_sid = sid;
5491 } else if (!strcmp(name, "keycreate")) {
5492 error = may_create_key(sid, p);
5495 tsec->keycreate_sid = sid;
5496 } else if (!strcmp(name, "sockcreate")) {
5497 tsec->sockcreate_sid = sid;
5498 } else if (!strcmp(name, "current")) {
5503 /* Only allow single threaded processes to change context */
5505 if (!current_is_single_threaded()) {
5506 error = security_bounded_transition(tsec->sid, sid);
5511 /* Check permissions for the transition. */
5512 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5513 PROCESS__DYNTRANSITION, NULL);
5517 /* Check for ptracing, and update the task SID if ok.
5518 Otherwise, leave SID unchanged and fail. */
5521 tracer = ptrace_parent(p);
5523 ptsid = task_sid(tracer);
5527 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5528 PROCESS__PTRACE, NULL);
5547 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5549 return security_sid_to_context(secid, secdata, seclen);
5552 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5554 return security_context_to_sid(secdata, seclen, secid);
5557 static void selinux_release_secctx(char *secdata, u32 seclen)
5563 * called with inode->i_mutex locked
5565 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5567 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5571 * called with inode->i_mutex locked
5573 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5575 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5578 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5581 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5590 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5591 unsigned long flags)
5593 const struct task_security_struct *tsec;
5594 struct key_security_struct *ksec;
5596 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5600 tsec = cred->security;
5601 if (tsec->keycreate_sid)
5602 ksec->sid = tsec->keycreate_sid;
5604 ksec->sid = tsec->sid;
5610 static void selinux_key_free(struct key *k)
5612 struct key_security_struct *ksec = k->security;
5618 static int selinux_key_permission(key_ref_t key_ref,
5619 const struct cred *cred,
5623 struct key_security_struct *ksec;
5626 /* if no specific permissions are requested, we skip the
5627 permission check. No serious, additional covert channels
5628 appear to be created. */
5632 sid = cred_sid(cred);
5634 key = key_ref_to_ptr(key_ref);
5635 ksec = key->security;
5637 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5640 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5642 struct key_security_struct *ksec = key->security;
5643 char *context = NULL;
5647 rc = security_sid_to_context(ksec->sid, &context, &len);
5656 static struct security_operations selinux_ops = {
5659 .ptrace_access_check = selinux_ptrace_access_check,
5660 .ptrace_traceme = selinux_ptrace_traceme,
5661 .capget = selinux_capget,
5662 .capset = selinux_capset,
5663 .capable = selinux_capable,
5664 .quotactl = selinux_quotactl,
5665 .quota_on = selinux_quota_on,
5666 .syslog = selinux_syslog,
5667 .vm_enough_memory = selinux_vm_enough_memory,
5669 .netlink_send = selinux_netlink_send,
5671 .bprm_set_creds = selinux_bprm_set_creds,
5672 .bprm_committing_creds = selinux_bprm_committing_creds,
5673 .bprm_committed_creds = selinux_bprm_committed_creds,
5674 .bprm_secureexec = selinux_bprm_secureexec,
5676 .sb_alloc_security = selinux_sb_alloc_security,
5677 .sb_free_security = selinux_sb_free_security,
5678 .sb_copy_data = selinux_sb_copy_data,
5679 .sb_remount = selinux_sb_remount,
5680 .sb_kern_mount = selinux_sb_kern_mount,
5681 .sb_show_options = selinux_sb_show_options,
5682 .sb_statfs = selinux_sb_statfs,
5683 .sb_mount = selinux_mount,
5684 .sb_umount = selinux_umount,
5685 .sb_set_mnt_opts = selinux_set_mnt_opts,
5686 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5687 .sb_parse_opts_str = selinux_parse_opts_str,
5690 .inode_alloc_security = selinux_inode_alloc_security,
5691 .inode_free_security = selinux_inode_free_security,
5692 .inode_init_security = selinux_inode_init_security,
5693 .inode_create = selinux_inode_create,
5694 .inode_link = selinux_inode_link,
5695 .inode_unlink = selinux_inode_unlink,
5696 .inode_symlink = selinux_inode_symlink,
5697 .inode_mkdir = selinux_inode_mkdir,
5698 .inode_rmdir = selinux_inode_rmdir,
5699 .inode_mknod = selinux_inode_mknod,
5700 .inode_rename = selinux_inode_rename,
5701 .inode_readlink = selinux_inode_readlink,
5702 .inode_follow_link = selinux_inode_follow_link,
5703 .inode_permission = selinux_inode_permission,
5704 .inode_setattr = selinux_inode_setattr,
5705 .inode_getattr = selinux_inode_getattr,
5706 .inode_setxattr = selinux_inode_setxattr,
5707 .inode_post_setxattr = selinux_inode_post_setxattr,
5708 .inode_getxattr = selinux_inode_getxattr,
5709 .inode_listxattr = selinux_inode_listxattr,
5710 .inode_removexattr = selinux_inode_removexattr,
5711 .inode_getsecurity = selinux_inode_getsecurity,
5712 .inode_setsecurity = selinux_inode_setsecurity,
5713 .inode_listsecurity = selinux_inode_listsecurity,
5714 .inode_getsecid = selinux_inode_getsecid,
5716 .file_permission = selinux_file_permission,
5717 .file_alloc_security = selinux_file_alloc_security,
5718 .file_free_security = selinux_file_free_security,
5719 .file_ioctl = selinux_file_ioctl,
5720 .mmap_file = selinux_mmap_file,
5721 .mmap_addr = selinux_mmap_addr,
5722 .file_mprotect = selinux_file_mprotect,
5723 .file_lock = selinux_file_lock,
5724 .file_fcntl = selinux_file_fcntl,
5725 .file_set_fowner = selinux_file_set_fowner,
5726 .file_send_sigiotask = selinux_file_send_sigiotask,
5727 .file_receive = selinux_file_receive,
5729 .file_open = selinux_file_open,
5731 .task_create = selinux_task_create,
5732 .cred_alloc_blank = selinux_cred_alloc_blank,
5733 .cred_free = selinux_cred_free,
5734 .cred_prepare = selinux_cred_prepare,
5735 .cred_transfer = selinux_cred_transfer,
5736 .kernel_act_as = selinux_kernel_act_as,
5737 .kernel_create_files_as = selinux_kernel_create_files_as,
5738 .kernel_module_request = selinux_kernel_module_request,
5739 .task_setpgid = selinux_task_setpgid,
5740 .task_getpgid = selinux_task_getpgid,
5741 .task_getsid = selinux_task_getsid,
5742 .task_getsecid = selinux_task_getsecid,
5743 .task_setnice = selinux_task_setnice,
5744 .task_setioprio = selinux_task_setioprio,
5745 .task_getioprio = selinux_task_getioprio,
5746 .task_setrlimit = selinux_task_setrlimit,
5747 .task_setscheduler = selinux_task_setscheduler,
5748 .task_getscheduler = selinux_task_getscheduler,
5749 .task_movememory = selinux_task_movememory,
5750 .task_kill = selinux_task_kill,
5751 .task_wait = selinux_task_wait,
5752 .task_to_inode = selinux_task_to_inode,
5754 .ipc_permission = selinux_ipc_permission,
5755 .ipc_getsecid = selinux_ipc_getsecid,
5757 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5758 .msg_msg_free_security = selinux_msg_msg_free_security,
5760 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5761 .msg_queue_free_security = selinux_msg_queue_free_security,
5762 .msg_queue_associate = selinux_msg_queue_associate,
5763 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5764 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5765 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5767 .shm_alloc_security = selinux_shm_alloc_security,
5768 .shm_free_security = selinux_shm_free_security,
5769 .shm_associate = selinux_shm_associate,
5770 .shm_shmctl = selinux_shm_shmctl,
5771 .shm_shmat = selinux_shm_shmat,
5773 .sem_alloc_security = selinux_sem_alloc_security,
5774 .sem_free_security = selinux_sem_free_security,
5775 .sem_associate = selinux_sem_associate,
5776 .sem_semctl = selinux_sem_semctl,
5777 .sem_semop = selinux_sem_semop,
5779 .d_instantiate = selinux_d_instantiate,
5781 .getprocattr = selinux_getprocattr,
5782 .setprocattr = selinux_setprocattr,
5784 .secid_to_secctx = selinux_secid_to_secctx,
5785 .secctx_to_secid = selinux_secctx_to_secid,
5786 .release_secctx = selinux_release_secctx,
5787 .inode_notifysecctx = selinux_inode_notifysecctx,
5788 .inode_setsecctx = selinux_inode_setsecctx,
5789 .inode_getsecctx = selinux_inode_getsecctx,
5791 .unix_stream_connect = selinux_socket_unix_stream_connect,
5792 .unix_may_send = selinux_socket_unix_may_send,
5794 .socket_create = selinux_socket_create,
5795 .socket_post_create = selinux_socket_post_create,
5796 .socket_bind = selinux_socket_bind,
5797 .socket_connect = selinux_socket_connect,
5798 .socket_listen = selinux_socket_listen,
5799 .socket_accept = selinux_socket_accept,
5800 .socket_sendmsg = selinux_socket_sendmsg,
5801 .socket_recvmsg = selinux_socket_recvmsg,
5802 .socket_getsockname = selinux_socket_getsockname,
5803 .socket_getpeername = selinux_socket_getpeername,
5804 .socket_getsockopt = selinux_socket_getsockopt,
5805 .socket_setsockopt = selinux_socket_setsockopt,
5806 .socket_shutdown = selinux_socket_shutdown,
5807 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5808 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5809 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5810 .sk_alloc_security = selinux_sk_alloc_security,
5811 .sk_free_security = selinux_sk_free_security,
5812 .sk_clone_security = selinux_sk_clone_security,
5813 .sk_getsecid = selinux_sk_getsecid,
5814 .sock_graft = selinux_sock_graft,
5815 .inet_conn_request = selinux_inet_conn_request,
5816 .inet_csk_clone = selinux_inet_csk_clone,
5817 .inet_conn_established = selinux_inet_conn_established,
5818 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5819 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5820 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5821 .req_classify_flow = selinux_req_classify_flow,
5822 .tun_dev_alloc_security = selinux_tun_dev_alloc_security,
5823 .tun_dev_free_security = selinux_tun_dev_free_security,
5824 .tun_dev_create = selinux_tun_dev_create,
5825 .tun_dev_attach_queue = selinux_tun_dev_attach_queue,
5826 .tun_dev_attach = selinux_tun_dev_attach,
5827 .tun_dev_open = selinux_tun_dev_open,
5828 .skb_owned_by = selinux_skb_owned_by,
5830 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5831 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5832 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5833 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5834 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5835 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5836 .xfrm_state_free_security = selinux_xfrm_state_free,
5837 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5838 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5839 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5840 .xfrm_decode_session = selinux_xfrm_decode_session,
5844 .key_alloc = selinux_key_alloc,
5845 .key_free = selinux_key_free,
5846 .key_permission = selinux_key_permission,
5847 .key_getsecurity = selinux_key_getsecurity,
5851 .audit_rule_init = selinux_audit_rule_init,
5852 .audit_rule_known = selinux_audit_rule_known,
5853 .audit_rule_match = selinux_audit_rule_match,
5854 .audit_rule_free = selinux_audit_rule_free,
5858 static __init int selinux_init(void)
5860 if (!security_module_enable(&selinux_ops)) {
5861 selinux_enabled = 0;
5865 if (!selinux_enabled) {
5866 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5870 printk(KERN_INFO "SELinux: Initializing.\n");
5872 /* Set the security state for the initial task. */
5873 cred_init_security();
5875 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5877 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5878 sizeof(struct inode_security_struct),
5879 0, SLAB_PANIC, NULL);
5882 if (register_security(&selinux_ops))
5883 panic("SELinux: Unable to register with kernel.\n");
5885 if (selinux_enforcing)
5886 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5888 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5893 static void delayed_superblock_init(struct super_block *sb, void *unused)
5895 superblock_doinit(sb, NULL);
5898 void selinux_complete_init(void)
5900 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5902 /* Set up any superblocks initialized prior to the policy load. */
5903 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5904 iterate_supers(delayed_superblock_init, NULL);
5907 /* SELinux requires early initialization in order to label
5908 all processes and objects when they are created. */
5909 security_initcall(selinux_init);
5911 #if defined(CONFIG_NETFILTER)
5913 static struct nf_hook_ops selinux_ipv4_ops[] = {
5915 .hook = selinux_ipv4_postroute,
5916 .owner = THIS_MODULE,
5918 .hooknum = NF_INET_POST_ROUTING,
5919 .priority = NF_IP_PRI_SELINUX_LAST,
5922 .hook = selinux_ipv4_forward,
5923 .owner = THIS_MODULE,
5925 .hooknum = NF_INET_FORWARD,
5926 .priority = NF_IP_PRI_SELINUX_FIRST,
5929 .hook = selinux_ipv4_output,
5930 .owner = THIS_MODULE,
5932 .hooknum = NF_INET_LOCAL_OUT,
5933 .priority = NF_IP_PRI_SELINUX_FIRST,
5937 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5939 static struct nf_hook_ops selinux_ipv6_ops[] = {
5941 .hook = selinux_ipv6_postroute,
5942 .owner = THIS_MODULE,
5944 .hooknum = NF_INET_POST_ROUTING,
5945 .priority = NF_IP6_PRI_SELINUX_LAST,
5948 .hook = selinux_ipv6_forward,
5949 .owner = THIS_MODULE,
5951 .hooknum = NF_INET_FORWARD,
5952 .priority = NF_IP6_PRI_SELINUX_FIRST,
5958 static int __init selinux_nf_ip_init(void)
5962 if (!selinux_enabled)
5965 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5967 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5969 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5971 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5972 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5974 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5981 __initcall(selinux_nf_ip_init);
5983 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5984 static void selinux_nf_ip_exit(void)
5986 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5988 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5989 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5990 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5995 #else /* CONFIG_NETFILTER */
5997 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5998 #define selinux_nf_ip_exit()
6001 #endif /* CONFIG_NETFILTER */
6003 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6004 static int selinux_disabled;
6006 int selinux_disable(void)
6008 if (ss_initialized) {
6009 /* Not permitted after initial policy load. */
6013 if (selinux_disabled) {
6014 /* Only do this once. */
6018 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6020 selinux_disabled = 1;
6021 selinux_enabled = 0;
6023 reset_security_ops();
6025 /* Try to destroy the avc node cache */
6028 /* Unregister netfilter hooks. */
6029 selinux_nf_ip_exit();
6031 /* Unregister selinuxfs. */