2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
55 #include <net/inet_connection_sock.h>
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
97 /* SECMARK reference count */
98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
103 static int __init enforcing_setup(char *str)
105 unsigned long enforcing;
106 if (!kstrtoul(str, 0, &enforcing))
107 selinux_enforcing = enforcing ? 1 : 0;
110 __setup("enforcing=", enforcing_setup);
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116 static int __init selinux_enabled_setup(char *str)
118 unsigned long enabled;
119 if (!kstrtoul(str, 0, &enabled))
120 selinux_enabled = enabled ? 1 : 0;
123 __setup("selinux=", selinux_enabled_setup);
125 int selinux_enabled = 1;
128 static struct kmem_cache *sel_inode_cache;
129 static struct kmem_cache *file_security_cache;
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
142 static int selinux_secmark_enabled(void)
144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
157 static int selinux_peerlbl_enabled(void)
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
162 static int selinux_netcache_avc_callback(u32 event)
164 if (event == AVC_CALLBACK_RESET) {
174 * initialise the security for the init task
176 static void cred_init_security(void)
178 struct cred *cred = (struct cred *) current->real_cred;
179 struct task_security_struct *tsec;
181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
183 panic("SELinux: Failed to initialize initial task.\n");
185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
186 cred->security = tsec;
190 * get the security ID of a set of credentials
192 static inline u32 cred_sid(const struct cred *cred)
194 const struct task_security_struct *tsec;
196 tsec = cred->security;
201 * get the objective security ID of a task
203 static inline u32 task_sid(const struct task_struct *task)
208 sid = cred_sid(__task_cred(task));
214 * get the subjective security ID of the current task
216 static inline u32 current_sid(void)
218 const struct task_security_struct *tsec = current_security();
223 /* Allocate and free functions for each kind of security blob. */
225 static int inode_alloc_security(struct inode *inode)
227 struct inode_security_struct *isec;
228 u32 sid = current_sid();
230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
234 mutex_init(&isec->lock);
235 INIT_LIST_HEAD(&isec->list);
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
239 isec->task_sid = sid;
240 inode->i_security = isec;
245 static void inode_free_rcu(struct rcu_head *head)
247 struct inode_security_struct *isec;
249 isec = container_of(head, struct inode_security_struct, rcu);
250 kmem_cache_free(sel_inode_cache, isec);
253 static void inode_free_security(struct inode *inode)
255 struct inode_security_struct *isec = inode->i_security;
256 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
259 * As not all inode security structures are in a list, we check for
260 * empty list outside of the lock to make sure that we won't waste
261 * time taking a lock doing nothing.
263 * The list_del_init() function can be safely called more than once.
264 * It should not be possible for this function to be called with
265 * concurrent list_add(), but for better safety against future changes
266 * in the code, we use list_empty_careful() here.
268 if (!list_empty_careful(&isec->list)) {
269 spin_lock(&sbsec->isec_lock);
270 list_del_init(&isec->list);
271 spin_unlock(&sbsec->isec_lock);
275 * The inode may still be referenced in a path walk and
276 * a call to selinux_inode_permission() can be made
277 * after inode_free_security() is called. Ideally, the VFS
278 * wouldn't do this, but fixing that is a much harder
279 * job. For now, simply free the i_security via RCU, and
280 * leave the current inode->i_security pointer intact.
281 * The inode will be freed after the RCU grace period too.
283 call_rcu(&isec->rcu, inode_free_rcu);
286 static int file_alloc_security(struct file *file)
288 struct file_security_struct *fsec;
289 u32 sid = current_sid();
291 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
296 fsec->fown_sid = sid;
297 file->f_security = fsec;
302 static void file_free_security(struct file *file)
304 struct file_security_struct *fsec = file->f_security;
305 file->f_security = NULL;
306 kmem_cache_free(file_security_cache, fsec);
309 static int superblock_alloc_security(struct super_block *sb)
311 struct superblock_security_struct *sbsec;
313 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
317 mutex_init(&sbsec->lock);
318 INIT_LIST_HEAD(&sbsec->isec_head);
319 spin_lock_init(&sbsec->isec_lock);
321 sbsec->sid = SECINITSID_UNLABELED;
322 sbsec->def_sid = SECINITSID_FILE;
323 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
324 sb->s_security = sbsec;
329 static void superblock_free_security(struct super_block *sb)
331 struct superblock_security_struct *sbsec = sb->s_security;
332 sb->s_security = NULL;
336 /* The file system's label must be initialized prior to use. */
338 static const char *labeling_behaviors[7] = {
340 "uses transition SIDs",
342 "uses genfs_contexts",
343 "not configured for labeling",
344 "uses mountpoint labeling",
345 "uses native labeling",
348 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
350 static inline int inode_doinit(struct inode *inode)
352 return inode_doinit_with_dentry(inode, NULL);
361 Opt_labelsupport = 5,
365 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
367 static const match_table_t tokens = {
368 {Opt_context, CONTEXT_STR "%s"},
369 {Opt_fscontext, FSCONTEXT_STR "%s"},
370 {Opt_defcontext, DEFCONTEXT_STR "%s"},
371 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
372 {Opt_labelsupport, LABELSUPP_STR},
376 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
378 static int may_context_mount_sb_relabel(u32 sid,
379 struct superblock_security_struct *sbsec,
380 const struct cred *cred)
382 const struct task_security_struct *tsec = cred->security;
385 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
386 FILESYSTEM__RELABELFROM, NULL);
390 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
391 FILESYSTEM__RELABELTO, NULL);
395 static int may_context_mount_inode_relabel(u32 sid,
396 struct superblock_security_struct *sbsec,
397 const struct cred *cred)
399 const struct task_security_struct *tsec = cred->security;
401 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
402 FILESYSTEM__RELABELFROM, NULL);
406 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
407 FILESYSTEM__ASSOCIATE, NULL);
411 static int selinux_is_sblabel_mnt(struct super_block *sb)
413 struct superblock_security_struct *sbsec = sb->s_security;
415 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
416 sbsec->behavior == SECURITY_FS_USE_TRANS ||
417 sbsec->behavior == SECURITY_FS_USE_TASK ||
418 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
419 /* Special handling. Genfs but also in-core setxattr handler */
420 !strcmp(sb->s_type->name, "sysfs") ||
421 !strcmp(sb->s_type->name, "pstore") ||
422 !strcmp(sb->s_type->name, "debugfs") ||
423 !strcmp(sb->s_type->name, "tracefs") ||
424 !strcmp(sb->s_type->name, "rootfs");
427 static int sb_finish_set_opts(struct super_block *sb)
429 struct superblock_security_struct *sbsec = sb->s_security;
430 struct dentry *root = sb->s_root;
431 struct inode *root_inode = d_backing_inode(root);
434 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
435 /* Make sure that the xattr handler exists and that no
436 error other than -ENODATA is returned by getxattr on
437 the root directory. -ENODATA is ok, as this may be
438 the first boot of the SELinux kernel before we have
439 assigned xattr values to the filesystem. */
440 if (!root_inode->i_op->getxattr) {
441 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
442 "xattr support\n", sb->s_id, sb->s_type->name);
446 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
447 if (rc < 0 && rc != -ENODATA) {
448 if (rc == -EOPNOTSUPP)
449 printk(KERN_WARNING "SELinux: (dev %s, type "
450 "%s) has no security xattr handler\n",
451 sb->s_id, sb->s_type->name);
453 printk(KERN_WARNING "SELinux: (dev %s, type "
454 "%s) getxattr errno %d\n", sb->s_id,
455 sb->s_type->name, -rc);
460 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
461 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
462 sb->s_id, sb->s_type->name);
464 sbsec->flags |= SE_SBINITIALIZED;
465 if (selinux_is_sblabel_mnt(sb))
466 sbsec->flags |= SBLABEL_MNT;
468 /* Initialize the root inode. */
469 rc = inode_doinit_with_dentry(root_inode, root);
471 /* Initialize any other inodes associated with the superblock, e.g.
472 inodes created prior to initial policy load or inodes created
473 during get_sb by a pseudo filesystem that directly
475 spin_lock(&sbsec->isec_lock);
477 if (!list_empty(&sbsec->isec_head)) {
478 struct inode_security_struct *isec =
479 list_entry(sbsec->isec_head.next,
480 struct inode_security_struct, list);
481 struct inode *inode = isec->inode;
482 list_del_init(&isec->list);
483 spin_unlock(&sbsec->isec_lock);
484 inode = igrab(inode);
486 if (!IS_PRIVATE(inode))
490 spin_lock(&sbsec->isec_lock);
493 spin_unlock(&sbsec->isec_lock);
499 * This function should allow an FS to ask what it's mount security
500 * options were so it can use those later for submounts, displaying
501 * mount options, or whatever.
503 static int selinux_get_mnt_opts(const struct super_block *sb,
504 struct security_mnt_opts *opts)
507 struct superblock_security_struct *sbsec = sb->s_security;
508 char *context = NULL;
512 security_init_mnt_opts(opts);
514 if (!(sbsec->flags & SE_SBINITIALIZED))
520 /* make sure we always check enough bits to cover the mask */
521 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
523 tmp = sbsec->flags & SE_MNTMASK;
524 /* count the number of mount options for this sb */
525 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
527 opts->num_mnt_opts++;
530 /* Check if the Label support flag is set */
531 if (sbsec->flags & SBLABEL_MNT)
532 opts->num_mnt_opts++;
534 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
535 if (!opts->mnt_opts) {
540 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
541 if (!opts->mnt_opts_flags) {
547 if (sbsec->flags & FSCONTEXT_MNT) {
548 rc = security_sid_to_context(sbsec->sid, &context, &len);
551 opts->mnt_opts[i] = context;
552 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
554 if (sbsec->flags & CONTEXT_MNT) {
555 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
558 opts->mnt_opts[i] = context;
559 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
561 if (sbsec->flags & DEFCONTEXT_MNT) {
562 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
565 opts->mnt_opts[i] = context;
566 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
568 if (sbsec->flags & ROOTCONTEXT_MNT) {
569 struct inode *root = d_backing_inode(sbsec->sb->s_root);
570 struct inode_security_struct *isec = root->i_security;
572 rc = security_sid_to_context(isec->sid, &context, &len);
575 opts->mnt_opts[i] = context;
576 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
578 if (sbsec->flags & SBLABEL_MNT) {
579 opts->mnt_opts[i] = NULL;
580 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
583 BUG_ON(i != opts->num_mnt_opts);
588 security_free_mnt_opts(opts);
592 static int bad_option(struct superblock_security_struct *sbsec, char flag,
593 u32 old_sid, u32 new_sid)
595 char mnt_flags = sbsec->flags & SE_MNTMASK;
597 /* check if the old mount command had the same options */
598 if (sbsec->flags & SE_SBINITIALIZED)
599 if (!(sbsec->flags & flag) ||
600 (old_sid != new_sid))
603 /* check if we were passed the same options twice,
604 * aka someone passed context=a,context=b
606 if (!(sbsec->flags & SE_SBINITIALIZED))
607 if (mnt_flags & flag)
613 * Allow filesystems with binary mount data to explicitly set mount point
614 * labeling information.
616 static int selinux_set_mnt_opts(struct super_block *sb,
617 struct security_mnt_opts *opts,
618 unsigned long kern_flags,
619 unsigned long *set_kern_flags)
621 const struct cred *cred = current_cred();
623 struct superblock_security_struct *sbsec = sb->s_security;
624 const char *name = sb->s_type->name;
625 struct inode *inode = d_backing_inode(sbsec->sb->s_root);
626 struct inode_security_struct *root_isec = inode->i_security;
627 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
628 u32 defcontext_sid = 0;
629 char **mount_options = opts->mnt_opts;
630 int *flags = opts->mnt_opts_flags;
631 int num_opts = opts->num_mnt_opts;
633 mutex_lock(&sbsec->lock);
635 if (!ss_initialized) {
637 /* Defer initialization until selinux_complete_init,
638 after the initial policy is loaded and the security
639 server is ready to handle calls. */
643 printk(KERN_WARNING "SELinux: Unable to set superblock options "
644 "before the security server is initialized\n");
647 if (kern_flags && !set_kern_flags) {
648 /* Specifying internal flags without providing a place to
649 * place the results is not allowed */
655 * Binary mount data FS will come through this function twice. Once
656 * from an explicit call and once from the generic calls from the vfs.
657 * Since the generic VFS calls will not contain any security mount data
658 * we need to skip the double mount verification.
660 * This does open a hole in which we will not notice if the first
661 * mount using this sb set explict options and a second mount using
662 * this sb does not set any security options. (The first options
663 * will be used for both mounts)
665 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
670 * parse the mount options, check if they are valid sids.
671 * also check if someone is trying to mount the same sb more
672 * than once with different security options.
674 for (i = 0; i < num_opts; i++) {
677 if (flags[i] == SBLABEL_MNT)
679 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
681 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
682 "(%s) failed for (dev %s, type %s) errno=%d\n",
683 mount_options[i], sb->s_id, name, rc);
690 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
692 goto out_double_mount;
694 sbsec->flags |= FSCONTEXT_MNT;
699 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
701 goto out_double_mount;
703 sbsec->flags |= CONTEXT_MNT;
705 case ROOTCONTEXT_MNT:
706 rootcontext_sid = sid;
708 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
710 goto out_double_mount;
712 sbsec->flags |= ROOTCONTEXT_MNT;
716 defcontext_sid = sid;
718 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
720 goto out_double_mount;
722 sbsec->flags |= DEFCONTEXT_MNT;
731 if (sbsec->flags & SE_SBINITIALIZED) {
732 /* previously mounted with options, but not on this attempt? */
733 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
734 goto out_double_mount;
739 if (strcmp(sb->s_type->name, "proc") == 0)
740 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
742 if (!strcmp(sb->s_type->name, "debugfs") ||
743 !strcmp(sb->s_type->name, "sysfs") ||
744 !strcmp(sb->s_type->name, "pstore"))
745 sbsec->flags |= SE_SBGENFS;
747 if (!sbsec->behavior) {
749 * Determine the labeling behavior to use for this
752 rc = security_fs_use(sb);
755 "%s: security_fs_use(%s) returned %d\n",
756 __func__, sb->s_type->name, rc);
760 /* sets the context of the superblock for the fs being mounted. */
762 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
766 sbsec->sid = fscontext_sid;
770 * Switch to using mount point labeling behavior.
771 * sets the label used on all file below the mountpoint, and will set
772 * the superblock context if not already set.
774 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
775 sbsec->behavior = SECURITY_FS_USE_NATIVE;
776 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
780 if (!fscontext_sid) {
781 rc = may_context_mount_sb_relabel(context_sid, sbsec,
785 sbsec->sid = context_sid;
787 rc = may_context_mount_inode_relabel(context_sid, sbsec,
792 if (!rootcontext_sid)
793 rootcontext_sid = context_sid;
795 sbsec->mntpoint_sid = context_sid;
796 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
799 if (rootcontext_sid) {
800 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
805 root_isec->sid = rootcontext_sid;
806 root_isec->initialized = 1;
809 if (defcontext_sid) {
810 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
811 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
813 printk(KERN_WARNING "SELinux: defcontext option is "
814 "invalid for this filesystem type\n");
818 if (defcontext_sid != sbsec->def_sid) {
819 rc = may_context_mount_inode_relabel(defcontext_sid,
825 sbsec->def_sid = defcontext_sid;
828 rc = sb_finish_set_opts(sb);
830 mutex_unlock(&sbsec->lock);
834 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
835 "security settings for (dev %s, type %s)\n", sb->s_id, name);
839 static int selinux_cmp_sb_context(const struct super_block *oldsb,
840 const struct super_block *newsb)
842 struct superblock_security_struct *old = oldsb->s_security;
843 struct superblock_security_struct *new = newsb->s_security;
844 char oldflags = old->flags & SE_MNTMASK;
845 char newflags = new->flags & SE_MNTMASK;
847 if (oldflags != newflags)
849 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
851 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
853 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
855 if (oldflags & ROOTCONTEXT_MNT) {
856 struct inode_security_struct *oldroot = d_backing_inode(oldsb->s_root)->i_security;
857 struct inode_security_struct *newroot = d_backing_inode(newsb->s_root)->i_security;
858 if (oldroot->sid != newroot->sid)
863 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
864 "different security settings for (dev %s, "
865 "type %s)\n", newsb->s_id, newsb->s_type->name);
869 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
870 struct super_block *newsb)
872 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
873 struct superblock_security_struct *newsbsec = newsb->s_security;
875 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
876 int set_context = (oldsbsec->flags & CONTEXT_MNT);
877 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
880 * if the parent was able to be mounted it clearly had no special lsm
881 * mount options. thus we can safely deal with this superblock later
886 /* how can we clone if the old one wasn't set up?? */
887 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
889 /* if fs is reusing a sb, make sure that the contexts match */
890 if (newsbsec->flags & SE_SBINITIALIZED)
891 return selinux_cmp_sb_context(oldsb, newsb);
893 mutex_lock(&newsbsec->lock);
895 newsbsec->flags = oldsbsec->flags;
897 newsbsec->sid = oldsbsec->sid;
898 newsbsec->def_sid = oldsbsec->def_sid;
899 newsbsec->behavior = oldsbsec->behavior;
902 u32 sid = oldsbsec->mntpoint_sid;
906 if (!set_rootcontext) {
907 struct inode *newinode = d_backing_inode(newsb->s_root);
908 struct inode_security_struct *newisec = newinode->i_security;
911 newsbsec->mntpoint_sid = sid;
913 if (set_rootcontext) {
914 const struct inode *oldinode = d_backing_inode(oldsb->s_root);
915 const struct inode_security_struct *oldisec = oldinode->i_security;
916 struct inode *newinode = d_backing_inode(newsb->s_root);
917 struct inode_security_struct *newisec = newinode->i_security;
919 newisec->sid = oldisec->sid;
922 sb_finish_set_opts(newsb);
923 mutex_unlock(&newsbsec->lock);
927 static int selinux_parse_opts_str(char *options,
928 struct security_mnt_opts *opts)
931 char *context = NULL, *defcontext = NULL;
932 char *fscontext = NULL, *rootcontext = NULL;
933 int rc, num_mnt_opts = 0;
935 opts->num_mnt_opts = 0;
937 /* Standard string-based options. */
938 while ((p = strsep(&options, "|")) != NULL) {
940 substring_t args[MAX_OPT_ARGS];
945 token = match_token(p, tokens, args);
949 if (context || defcontext) {
951 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
954 context = match_strdup(&args[0]);
964 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
967 fscontext = match_strdup(&args[0]);
974 case Opt_rootcontext:
977 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
980 rootcontext = match_strdup(&args[0]);
988 if (context || defcontext) {
990 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
993 defcontext = match_strdup(&args[0]);
999 case Opt_labelsupport:
1003 printk(KERN_WARNING "SELinux: unknown mount option\n");
1010 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1011 if (!opts->mnt_opts)
1014 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1015 if (!opts->mnt_opts_flags) {
1016 kfree(opts->mnt_opts);
1021 opts->mnt_opts[num_mnt_opts] = fscontext;
1022 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1025 opts->mnt_opts[num_mnt_opts] = context;
1026 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1029 opts->mnt_opts[num_mnt_opts] = rootcontext;
1030 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1033 opts->mnt_opts[num_mnt_opts] = defcontext;
1034 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1037 opts->num_mnt_opts = num_mnt_opts;
1048 * string mount options parsing and call set the sbsec
1050 static int superblock_doinit(struct super_block *sb, void *data)
1053 char *options = data;
1054 struct security_mnt_opts opts;
1056 security_init_mnt_opts(&opts);
1061 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1063 rc = selinux_parse_opts_str(options, &opts);
1068 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1071 security_free_mnt_opts(&opts);
1075 static void selinux_write_opts(struct seq_file *m,
1076 struct security_mnt_opts *opts)
1081 for (i = 0; i < opts->num_mnt_opts; i++) {
1084 if (opts->mnt_opts[i])
1085 has_comma = strchr(opts->mnt_opts[i], ',');
1089 switch (opts->mnt_opts_flags[i]) {
1091 prefix = CONTEXT_STR;
1094 prefix = FSCONTEXT_STR;
1096 case ROOTCONTEXT_MNT:
1097 prefix = ROOTCONTEXT_STR;
1099 case DEFCONTEXT_MNT:
1100 prefix = DEFCONTEXT_STR;
1104 seq_puts(m, LABELSUPP_STR);
1110 /* we need a comma before each option */
1112 seq_puts(m, prefix);
1115 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1121 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1123 struct security_mnt_opts opts;
1126 rc = selinux_get_mnt_opts(sb, &opts);
1128 /* before policy load we may get EINVAL, don't show anything */
1134 selinux_write_opts(m, &opts);
1136 security_free_mnt_opts(&opts);
1141 static inline u16 inode_mode_to_security_class(umode_t mode)
1143 switch (mode & S_IFMT) {
1145 return SECCLASS_SOCK_FILE;
1147 return SECCLASS_LNK_FILE;
1149 return SECCLASS_FILE;
1151 return SECCLASS_BLK_FILE;
1153 return SECCLASS_DIR;
1155 return SECCLASS_CHR_FILE;
1157 return SECCLASS_FIFO_FILE;
1161 return SECCLASS_FILE;
1164 static inline int default_protocol_stream(int protocol)
1166 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1169 static inline int default_protocol_dgram(int protocol)
1171 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1174 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1180 case SOCK_SEQPACKET:
1181 return SECCLASS_UNIX_STREAM_SOCKET;
1183 return SECCLASS_UNIX_DGRAM_SOCKET;
1190 if (default_protocol_stream(protocol))
1191 return SECCLASS_TCP_SOCKET;
1193 return SECCLASS_RAWIP_SOCKET;
1195 if (default_protocol_dgram(protocol))
1196 return SECCLASS_UDP_SOCKET;
1198 return SECCLASS_RAWIP_SOCKET;
1200 return SECCLASS_DCCP_SOCKET;
1202 return SECCLASS_RAWIP_SOCKET;
1208 return SECCLASS_NETLINK_ROUTE_SOCKET;
1209 case NETLINK_SOCK_DIAG:
1210 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1212 return SECCLASS_NETLINK_NFLOG_SOCKET;
1214 return SECCLASS_NETLINK_XFRM_SOCKET;
1215 case NETLINK_SELINUX:
1216 return SECCLASS_NETLINK_SELINUX_SOCKET;
1218 return SECCLASS_NETLINK_ISCSI_SOCKET;
1220 return SECCLASS_NETLINK_AUDIT_SOCKET;
1221 case NETLINK_FIB_LOOKUP:
1222 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1223 case NETLINK_CONNECTOR:
1224 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1225 case NETLINK_NETFILTER:
1226 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1227 case NETLINK_DNRTMSG:
1228 return SECCLASS_NETLINK_DNRT_SOCKET;
1229 case NETLINK_KOBJECT_UEVENT:
1230 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1231 case NETLINK_GENERIC:
1232 return SECCLASS_NETLINK_GENERIC_SOCKET;
1233 case NETLINK_SCSITRANSPORT:
1234 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1236 return SECCLASS_NETLINK_RDMA_SOCKET;
1237 case NETLINK_CRYPTO:
1238 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1240 return SECCLASS_NETLINK_SOCKET;
1243 return SECCLASS_PACKET_SOCKET;
1245 return SECCLASS_KEY_SOCKET;
1247 return SECCLASS_APPLETALK_SOCKET;
1250 return SECCLASS_SOCKET;
1253 static int selinux_genfs_get_sid(struct dentry *dentry,
1259 struct super_block *sb = dentry->d_inode->i_sb;
1260 char *buffer, *path;
1262 buffer = (char *)__get_free_page(GFP_KERNEL);
1266 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1270 if (flags & SE_SBPROC) {
1271 /* each process gets a /proc/PID/ entry. Strip off the
1272 * PID part to get a valid selinux labeling.
1273 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1274 while (path[1] >= '0' && path[1] <= '9') {
1279 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1281 free_page((unsigned long)buffer);
1285 /* The inode's security attributes must be initialized before first use. */
1286 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1288 struct superblock_security_struct *sbsec = NULL;
1289 struct inode_security_struct *isec = inode->i_security;
1291 struct dentry *dentry;
1292 #define INITCONTEXTLEN 255
1293 char *context = NULL;
1297 if (isec->initialized)
1300 mutex_lock(&isec->lock);
1301 if (isec->initialized)
1304 sbsec = inode->i_sb->s_security;
1305 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1306 /* Defer initialization until selinux_complete_init,
1307 after the initial policy is loaded and the security
1308 server is ready to handle calls. */
1309 spin_lock(&sbsec->isec_lock);
1310 if (list_empty(&isec->list))
1311 list_add(&isec->list, &sbsec->isec_head);
1312 spin_unlock(&sbsec->isec_lock);
1316 switch (sbsec->behavior) {
1317 case SECURITY_FS_USE_NATIVE:
1319 case SECURITY_FS_USE_XATTR:
1320 if (!inode->i_op->getxattr) {
1321 isec->sid = sbsec->def_sid;
1325 /* Need a dentry, since the xattr API requires one.
1326 Life would be simpler if we could just pass the inode. */
1328 /* Called from d_instantiate or d_splice_alias. */
1329 dentry = dget(opt_dentry);
1331 /* Called from selinux_complete_init, try to find a dentry. */
1332 dentry = d_find_alias(inode);
1336 * this is can be hit on boot when a file is accessed
1337 * before the policy is loaded. When we load policy we
1338 * may find inodes that have no dentry on the
1339 * sbsec->isec_head list. No reason to complain as these
1340 * will get fixed up the next time we go through
1341 * inode_doinit with a dentry, before these inodes could
1342 * be used again by userspace.
1347 len = INITCONTEXTLEN;
1348 context = kmalloc(len+1, GFP_NOFS);
1354 context[len] = '\0';
1355 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1357 if (rc == -ERANGE) {
1360 /* Need a larger buffer. Query for the right size. */
1361 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1368 context = kmalloc(len+1, GFP_NOFS);
1374 context[len] = '\0';
1375 rc = inode->i_op->getxattr(dentry,
1381 if (rc != -ENODATA) {
1382 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1383 "%d for dev=%s ino=%ld\n", __func__,
1384 -rc, inode->i_sb->s_id, inode->i_ino);
1388 /* Map ENODATA to the default file SID */
1389 sid = sbsec->def_sid;
1392 rc = security_context_to_sid_default(context, rc, &sid,
1396 char *dev = inode->i_sb->s_id;
1397 unsigned long ino = inode->i_ino;
1399 if (rc == -EINVAL) {
1400 if (printk_ratelimit())
1401 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1402 "context=%s. This indicates you may need to relabel the inode or the "
1403 "filesystem in question.\n", ino, dev, context);
1405 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1406 "returned %d for dev=%s ino=%ld\n",
1407 __func__, context, -rc, dev, ino);
1410 /* Leave with the unlabeled SID */
1418 case SECURITY_FS_USE_TASK:
1419 isec->sid = isec->task_sid;
1421 case SECURITY_FS_USE_TRANS:
1422 /* Default to the fs SID. */
1423 isec->sid = sbsec->sid;
1425 /* Try to obtain a transition SID. */
1426 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1427 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1428 isec->sclass, NULL, &sid);
1433 case SECURITY_FS_USE_MNTPOINT:
1434 isec->sid = sbsec->mntpoint_sid;
1437 /* Default to the fs superblock SID. */
1438 isec->sid = sbsec->sid;
1440 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1441 /* We must have a dentry to determine the label on
1444 /* Called from d_instantiate or
1445 * d_splice_alias. */
1446 dentry = dget(opt_dentry);
1448 /* Called from selinux_complete_init, try to
1450 dentry = d_find_alias(inode);
1452 * This can be hit on boot when a file is accessed
1453 * before the policy is loaded. When we load policy we
1454 * may find inodes that have no dentry on the
1455 * sbsec->isec_head list. No reason to complain as
1456 * these will get fixed up the next time we go through
1457 * inode_doinit() with a dentry, before these inodes
1458 * could be used again by userspace.
1462 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1463 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1464 sbsec->flags, &sid);
1473 isec->initialized = 1;
1476 mutex_unlock(&isec->lock);
1478 if (isec->sclass == SECCLASS_FILE)
1479 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1483 /* Convert a Linux signal to an access vector. */
1484 static inline u32 signal_to_av(int sig)
1490 /* Commonly granted from child to parent. */
1491 perm = PROCESS__SIGCHLD;
1494 /* Cannot be caught or ignored */
1495 perm = PROCESS__SIGKILL;
1498 /* Cannot be caught or ignored */
1499 perm = PROCESS__SIGSTOP;
1502 /* All other signals. */
1503 perm = PROCESS__SIGNAL;
1511 * Check permission between a pair of credentials
1512 * fork check, ptrace check, etc.
1514 static int cred_has_perm(const struct cred *actor,
1515 const struct cred *target,
1518 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1520 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1524 * Check permission between a pair of tasks, e.g. signal checks,
1525 * fork check, ptrace check, etc.
1526 * tsk1 is the actor and tsk2 is the target
1527 * - this uses the default subjective creds of tsk1
1529 static int task_has_perm(const struct task_struct *tsk1,
1530 const struct task_struct *tsk2,
1533 const struct task_security_struct *__tsec1, *__tsec2;
1537 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1538 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1540 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1544 * Check permission between current and another task, e.g. signal checks,
1545 * fork check, ptrace check, etc.
1546 * current is the actor and tsk2 is the target
1547 * - this uses current's subjective creds
1549 static int current_has_perm(const struct task_struct *tsk,
1554 sid = current_sid();
1555 tsid = task_sid(tsk);
1556 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1559 #if CAP_LAST_CAP > 63
1560 #error Fix SELinux to handle capabilities > 63.
1563 /* Check whether a task is allowed to use a capability. */
1564 static int cred_has_capability(const struct cred *cred,
1567 struct common_audit_data ad;
1568 struct av_decision avd;
1570 u32 sid = cred_sid(cred);
1571 u32 av = CAP_TO_MASK(cap);
1574 ad.type = LSM_AUDIT_DATA_CAP;
1577 switch (CAP_TO_INDEX(cap)) {
1579 sclass = SECCLASS_CAPABILITY;
1582 sclass = SECCLASS_CAPABILITY2;
1586 "SELinux: out of range capability %d\n", cap);
1591 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1592 if (audit == SECURITY_CAP_AUDIT) {
1593 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1600 /* Check whether a task is allowed to use a system operation. */
1601 static int task_has_system(struct task_struct *tsk,
1604 u32 sid = task_sid(tsk);
1606 return avc_has_perm(sid, SECINITSID_KERNEL,
1607 SECCLASS_SYSTEM, perms, NULL);
1610 /* Check whether a task has a particular permission to an inode.
1611 The 'adp' parameter is optional and allows other audit
1612 data to be passed (e.g. the dentry). */
1613 static int inode_has_perm(const struct cred *cred,
1614 struct inode *inode,
1616 struct common_audit_data *adp)
1618 struct inode_security_struct *isec;
1621 validate_creds(cred);
1623 if (unlikely(IS_PRIVATE(inode)))
1626 sid = cred_sid(cred);
1627 isec = inode->i_security;
1629 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1632 /* Same as inode_has_perm, but pass explicit audit data containing
1633 the dentry to help the auditing code to more easily generate the
1634 pathname if needed. */
1635 static inline int dentry_has_perm(const struct cred *cred,
1636 struct dentry *dentry,
1639 struct inode *inode = d_backing_inode(dentry);
1640 struct common_audit_data ad;
1642 ad.type = LSM_AUDIT_DATA_DENTRY;
1643 ad.u.dentry = dentry;
1644 return inode_has_perm(cred, inode, av, &ad);
1647 /* Same as inode_has_perm, but pass explicit audit data containing
1648 the path to help the auditing code to more easily generate the
1649 pathname if needed. */
1650 static inline int path_has_perm(const struct cred *cred,
1651 const struct path *path,
1654 struct inode *inode = d_backing_inode(path->dentry);
1655 struct common_audit_data ad;
1657 ad.type = LSM_AUDIT_DATA_PATH;
1659 return inode_has_perm(cred, inode, av, &ad);
1662 /* Same as path_has_perm, but uses the inode from the file struct. */
1663 static inline int file_path_has_perm(const struct cred *cred,
1667 struct common_audit_data ad;
1669 ad.type = LSM_AUDIT_DATA_PATH;
1670 ad.u.path = file->f_path;
1671 return inode_has_perm(cred, file_inode(file), av, &ad);
1674 /* Check whether a task can use an open file descriptor to
1675 access an inode in a given way. Check access to the
1676 descriptor itself, and then use dentry_has_perm to
1677 check a particular permission to the file.
1678 Access to the descriptor is implicitly granted if it
1679 has the same SID as the process. If av is zero, then
1680 access to the file is not checked, e.g. for cases
1681 where only the descriptor is affected like seek. */
1682 static int file_has_perm(const struct cred *cred,
1686 struct file_security_struct *fsec = file->f_security;
1687 struct inode *inode = file_inode(file);
1688 struct common_audit_data ad;
1689 u32 sid = cred_sid(cred);
1692 ad.type = LSM_AUDIT_DATA_PATH;
1693 ad.u.path = file->f_path;
1695 if (sid != fsec->sid) {
1696 rc = avc_has_perm(sid, fsec->sid,
1704 /* av is zero if only checking access to the descriptor. */
1707 rc = inode_has_perm(cred, inode, av, &ad);
1714 * Determine the label for an inode that might be unioned.
1716 static int selinux_determine_inode_label(const struct inode *dir,
1717 const struct qstr *name,
1721 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1722 const struct inode_security_struct *dsec = dir->i_security;
1723 const struct task_security_struct *tsec = current_security();
1725 if ((sbsec->flags & SE_SBINITIALIZED) &&
1726 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1727 *_new_isid = sbsec->mntpoint_sid;
1728 } else if ((sbsec->flags & SBLABEL_MNT) &&
1730 *_new_isid = tsec->create_sid;
1732 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1739 /* Check whether a task can create a file. */
1740 static int may_create(struct inode *dir,
1741 struct dentry *dentry,
1744 const struct task_security_struct *tsec = current_security();
1745 struct inode_security_struct *dsec;
1746 struct superblock_security_struct *sbsec;
1748 struct common_audit_data ad;
1751 dsec = dir->i_security;
1752 sbsec = dir->i_sb->s_security;
1756 ad.type = LSM_AUDIT_DATA_DENTRY;
1757 ad.u.dentry = dentry;
1759 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1760 DIR__ADD_NAME | DIR__SEARCH,
1765 rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
1770 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1774 return avc_has_perm(newsid, sbsec->sid,
1775 SECCLASS_FILESYSTEM,
1776 FILESYSTEM__ASSOCIATE, &ad);
1779 /* Check whether a task can create a key. */
1780 static int may_create_key(u32 ksid,
1781 struct task_struct *ctx)
1783 u32 sid = task_sid(ctx);
1785 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1789 #define MAY_UNLINK 1
1792 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1793 static int may_link(struct inode *dir,
1794 struct dentry *dentry,
1798 struct inode_security_struct *dsec, *isec;
1799 struct common_audit_data ad;
1800 u32 sid = current_sid();
1804 dsec = dir->i_security;
1805 isec = d_backing_inode(dentry)->i_security;
1807 ad.type = LSM_AUDIT_DATA_DENTRY;
1808 ad.u.dentry = dentry;
1811 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1812 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1827 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1832 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1836 static inline int may_rename(struct inode *old_dir,
1837 struct dentry *old_dentry,
1838 struct inode *new_dir,
1839 struct dentry *new_dentry)
1841 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1842 struct common_audit_data ad;
1843 u32 sid = current_sid();
1845 int old_is_dir, new_is_dir;
1848 old_dsec = old_dir->i_security;
1849 old_isec = d_backing_inode(old_dentry)->i_security;
1850 old_is_dir = d_is_dir(old_dentry);
1851 new_dsec = new_dir->i_security;
1853 ad.type = LSM_AUDIT_DATA_DENTRY;
1855 ad.u.dentry = old_dentry;
1856 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1857 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1860 rc = avc_has_perm(sid, old_isec->sid,
1861 old_isec->sclass, FILE__RENAME, &ad);
1864 if (old_is_dir && new_dir != old_dir) {
1865 rc = avc_has_perm(sid, old_isec->sid,
1866 old_isec->sclass, DIR__REPARENT, &ad);
1871 ad.u.dentry = new_dentry;
1872 av = DIR__ADD_NAME | DIR__SEARCH;
1873 if (d_is_positive(new_dentry))
1874 av |= DIR__REMOVE_NAME;
1875 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1878 if (d_is_positive(new_dentry)) {
1879 new_isec = d_backing_inode(new_dentry)->i_security;
1880 new_is_dir = d_is_dir(new_dentry);
1881 rc = avc_has_perm(sid, new_isec->sid,
1883 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1891 /* Check whether a task can perform a filesystem operation. */
1892 static int superblock_has_perm(const struct cred *cred,
1893 struct super_block *sb,
1895 struct common_audit_data *ad)
1897 struct superblock_security_struct *sbsec;
1898 u32 sid = cred_sid(cred);
1900 sbsec = sb->s_security;
1901 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1904 /* Convert a Linux mode and permission mask to an access vector. */
1905 static inline u32 file_mask_to_av(int mode, int mask)
1909 if (!S_ISDIR(mode)) {
1910 if (mask & MAY_EXEC)
1911 av |= FILE__EXECUTE;
1912 if (mask & MAY_READ)
1915 if (mask & MAY_APPEND)
1917 else if (mask & MAY_WRITE)
1921 if (mask & MAY_EXEC)
1923 if (mask & MAY_WRITE)
1925 if (mask & MAY_READ)
1932 /* Convert a Linux file to an access vector. */
1933 static inline u32 file_to_av(struct file *file)
1937 if (file->f_mode & FMODE_READ)
1939 if (file->f_mode & FMODE_WRITE) {
1940 if (file->f_flags & O_APPEND)
1947 * Special file opened with flags 3 for ioctl-only use.
1956 * Convert a file to an access vector and include the correct open
1959 static inline u32 open_file_to_av(struct file *file)
1961 u32 av = file_to_av(file);
1963 if (selinux_policycap_openperm)
1969 /* Hook functions begin here. */
1971 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1973 u32 mysid = current_sid();
1974 u32 mgrsid = task_sid(mgr);
1976 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
1977 BINDER__SET_CONTEXT_MGR, NULL);
1980 static int selinux_binder_transaction(struct task_struct *from,
1981 struct task_struct *to)
1983 u32 mysid = current_sid();
1984 u32 fromsid = task_sid(from);
1985 u32 tosid = task_sid(to);
1988 if (mysid != fromsid) {
1989 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
1990 BINDER__IMPERSONATE, NULL);
1995 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
1999 static int selinux_binder_transfer_binder(struct task_struct *from,
2000 struct task_struct *to)
2002 u32 fromsid = task_sid(from);
2003 u32 tosid = task_sid(to);
2005 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2009 static int selinux_binder_transfer_file(struct task_struct *from,
2010 struct task_struct *to,
2013 u32 sid = task_sid(to);
2014 struct file_security_struct *fsec = file->f_security;
2015 struct inode *inode = d_backing_inode(file->f_path.dentry);
2016 struct inode_security_struct *isec = inode->i_security;
2017 struct common_audit_data ad;
2020 ad.type = LSM_AUDIT_DATA_PATH;
2021 ad.u.path = file->f_path;
2023 if (sid != fsec->sid) {
2024 rc = avc_has_perm(sid, fsec->sid,
2032 if (unlikely(IS_PRIVATE(inode)))
2035 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2039 static int selinux_ptrace_access_check(struct task_struct *child,
2042 if (mode & PTRACE_MODE_READ) {
2043 u32 sid = current_sid();
2044 u32 csid = task_sid(child);
2045 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2048 return current_has_perm(child, PROCESS__PTRACE);
2051 static int selinux_ptrace_traceme(struct task_struct *parent)
2053 return task_has_perm(parent, current, PROCESS__PTRACE);
2056 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2057 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2059 return current_has_perm(target, PROCESS__GETCAP);
2062 static int selinux_capset(struct cred *new, const struct cred *old,
2063 const kernel_cap_t *effective,
2064 const kernel_cap_t *inheritable,
2065 const kernel_cap_t *permitted)
2067 return cred_has_perm(old, new, PROCESS__SETCAP);
2071 * (This comment used to live with the selinux_task_setuid hook,
2072 * which was removed).
2074 * Since setuid only affects the current process, and since the SELinux
2075 * controls are not based on the Linux identity attributes, SELinux does not
2076 * need to control this operation. However, SELinux does control the use of
2077 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2080 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2083 return cred_has_capability(cred, cap, audit);
2086 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2088 const struct cred *cred = current_cred();
2100 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2105 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2108 rc = 0; /* let the kernel handle invalid cmds */
2114 static int selinux_quota_on(struct dentry *dentry)
2116 const struct cred *cred = current_cred();
2118 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2121 static int selinux_syslog(int type)
2126 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2127 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2128 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2130 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2131 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2132 /* Set level of messages printed to console */
2133 case SYSLOG_ACTION_CONSOLE_LEVEL:
2134 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2136 case SYSLOG_ACTION_CLOSE: /* Close log */
2137 case SYSLOG_ACTION_OPEN: /* Open log */
2138 case SYSLOG_ACTION_READ: /* Read from log */
2139 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2140 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
2142 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2149 * Check that a process has enough memory to allocate a new virtual
2150 * mapping. 0 means there is enough memory for the allocation to
2151 * succeed and -ENOMEM implies there is not.
2153 * Do not audit the selinux permission check, as this is applied to all
2154 * processes that allocate mappings.
2156 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2158 int rc, cap_sys_admin = 0;
2160 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2161 SECURITY_CAP_NOAUDIT);
2165 return cap_sys_admin;
2168 /* binprm security operations */
2170 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2171 const struct task_security_struct *old_tsec,
2172 const struct task_security_struct *new_tsec)
2174 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2175 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2178 if (!nnp && !nosuid)
2179 return 0; /* neither NNP nor nosuid */
2181 if (new_tsec->sid == old_tsec->sid)
2182 return 0; /* No change in credentials */
2185 * The only transitions we permit under NNP or nosuid
2186 * are transitions to bounded SIDs, i.e. SIDs that are
2187 * guaranteed to only be allowed a subset of the permissions
2188 * of the current SID.
2190 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2193 * On failure, preserve the errno values for NNP vs nosuid.
2194 * NNP: Operation not permitted for caller.
2195 * nosuid: Permission denied to file.
2205 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2207 const struct task_security_struct *old_tsec;
2208 struct task_security_struct *new_tsec;
2209 struct inode_security_struct *isec;
2210 struct common_audit_data ad;
2211 struct inode *inode = file_inode(bprm->file);
2214 /* SELinux context only depends on initial program or script and not
2215 * the script interpreter */
2216 if (bprm->cred_prepared)
2219 old_tsec = current_security();
2220 new_tsec = bprm->cred->security;
2221 isec = inode->i_security;
2223 /* Default to the current task SID. */
2224 new_tsec->sid = old_tsec->sid;
2225 new_tsec->osid = old_tsec->sid;
2227 /* Reset fs, key, and sock SIDs on execve. */
2228 new_tsec->create_sid = 0;
2229 new_tsec->keycreate_sid = 0;
2230 new_tsec->sockcreate_sid = 0;
2232 if (old_tsec->exec_sid) {
2233 new_tsec->sid = old_tsec->exec_sid;
2234 /* Reset exec SID on execve. */
2235 new_tsec->exec_sid = 0;
2237 /* Fail on NNP or nosuid if not an allowed transition. */
2238 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2242 /* Check for a default transition on this program. */
2243 rc = security_transition_sid(old_tsec->sid, isec->sid,
2244 SECCLASS_PROCESS, NULL,
2250 * Fallback to old SID on NNP or nosuid if not an allowed
2253 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2255 new_tsec->sid = old_tsec->sid;
2258 ad.type = LSM_AUDIT_DATA_PATH;
2259 ad.u.path = bprm->file->f_path;
2261 if (new_tsec->sid == old_tsec->sid) {
2262 rc = avc_has_perm(old_tsec->sid, isec->sid,
2263 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2267 /* Check permissions for the transition. */
2268 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2269 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2273 rc = avc_has_perm(new_tsec->sid, isec->sid,
2274 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2278 /* Check for shared state */
2279 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2280 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2281 SECCLASS_PROCESS, PROCESS__SHARE,
2287 /* Make sure that anyone attempting to ptrace over a task that
2288 * changes its SID has the appropriate permit */
2290 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2291 struct task_struct *tracer;
2292 struct task_security_struct *sec;
2296 tracer = ptrace_parent(current);
2297 if (likely(tracer != NULL)) {
2298 sec = __task_cred(tracer)->security;
2304 rc = avc_has_perm(ptsid, new_tsec->sid,
2306 PROCESS__PTRACE, NULL);
2312 /* Clear any possibly unsafe personality bits on exec: */
2313 bprm->per_clear |= PER_CLEAR_ON_SETID;
2319 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2321 const struct task_security_struct *tsec = current_security();
2329 /* Enable secure mode for SIDs transitions unless
2330 the noatsecure permission is granted between
2331 the two SIDs, i.e. ahp returns 0. */
2332 atsecure = avc_has_perm(osid, sid,
2334 PROCESS__NOATSECURE, NULL);
2340 static int match_file(const void *p, struct file *file, unsigned fd)
2342 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2345 /* Derived from fs/exec.c:flush_old_files. */
2346 static inline void flush_unauthorized_files(const struct cred *cred,
2347 struct files_struct *files)
2349 struct file *file, *devnull = NULL;
2350 struct tty_struct *tty;
2354 tty = get_current_tty();
2356 spin_lock(&tty_files_lock);
2357 if (!list_empty(&tty->tty_files)) {
2358 struct tty_file_private *file_priv;
2360 /* Revalidate access to controlling tty.
2361 Use file_path_has_perm on the tty path directly
2362 rather than using file_has_perm, as this particular
2363 open file may belong to another process and we are
2364 only interested in the inode-based check here. */
2365 file_priv = list_first_entry(&tty->tty_files,
2366 struct tty_file_private, list);
2367 file = file_priv->file;
2368 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2371 spin_unlock(&tty_files_lock);
2374 /* Reset controlling tty. */
2378 /* Revalidate access to inherited open files. */
2379 n = iterate_fd(files, 0, match_file, cred);
2380 if (!n) /* none found? */
2383 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2384 if (IS_ERR(devnull))
2386 /* replace all the matching ones with this */
2388 replace_fd(n - 1, devnull, 0);
2389 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2395 * Prepare a process for imminent new credential changes due to exec
2397 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2399 struct task_security_struct *new_tsec;
2400 struct rlimit *rlim, *initrlim;
2403 new_tsec = bprm->cred->security;
2404 if (new_tsec->sid == new_tsec->osid)
2407 /* Close files for which the new task SID is not authorized. */
2408 flush_unauthorized_files(bprm->cred, current->files);
2410 /* Always clear parent death signal on SID transitions. */
2411 current->pdeath_signal = 0;
2413 /* Check whether the new SID can inherit resource limits from the old
2414 * SID. If not, reset all soft limits to the lower of the current
2415 * task's hard limit and the init task's soft limit.
2417 * Note that the setting of hard limits (even to lower them) can be
2418 * controlled by the setrlimit check. The inclusion of the init task's
2419 * soft limit into the computation is to avoid resetting soft limits
2420 * higher than the default soft limit for cases where the default is
2421 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2423 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2424 PROCESS__RLIMITINH, NULL);
2426 /* protect against do_prlimit() */
2428 for (i = 0; i < RLIM_NLIMITS; i++) {
2429 rlim = current->signal->rlim + i;
2430 initrlim = init_task.signal->rlim + i;
2431 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2433 task_unlock(current);
2434 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2439 * Clean up the process immediately after the installation of new credentials
2442 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2444 const struct task_security_struct *tsec = current_security();
2445 struct itimerval itimer;
2455 /* Check whether the new SID can inherit signal state from the old SID.
2456 * If not, clear itimers to avoid subsequent signal generation and
2457 * flush and unblock signals.
2459 * This must occur _after_ the task SID has been updated so that any
2460 * kill done after the flush will be checked against the new SID.
2462 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2464 memset(&itimer, 0, sizeof itimer);
2465 for (i = 0; i < 3; i++)
2466 do_setitimer(i, &itimer, NULL);
2467 spin_lock_irq(¤t->sighand->siglock);
2468 if (!fatal_signal_pending(current)) {
2469 flush_sigqueue(¤t->pending);
2470 flush_sigqueue(¤t->signal->shared_pending);
2471 flush_signal_handlers(current, 1);
2472 sigemptyset(¤t->blocked);
2473 recalc_sigpending();
2475 spin_unlock_irq(¤t->sighand->siglock);
2478 /* Wake up the parent if it is waiting so that it can recheck
2479 * wait permission to the new task SID. */
2480 read_lock(&tasklist_lock);
2481 __wake_up_parent(current, current->real_parent);
2482 read_unlock(&tasklist_lock);
2485 /* superblock security operations */
2487 static int selinux_sb_alloc_security(struct super_block *sb)
2489 return superblock_alloc_security(sb);
2492 static void selinux_sb_free_security(struct super_block *sb)
2494 superblock_free_security(sb);
2497 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2502 return !memcmp(prefix, option, plen);
2505 static inline int selinux_option(char *option, int len)
2507 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2508 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2509 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2510 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2511 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2514 static inline void take_option(char **to, char *from, int *first, int len)
2521 memcpy(*to, from, len);
2525 static inline void take_selinux_option(char **to, char *from, int *first,
2528 int current_size = 0;
2536 while (current_size < len) {
2546 static int selinux_sb_copy_data(char *orig, char *copy)
2548 int fnosec, fsec, rc = 0;
2549 char *in_save, *in_curr, *in_end;
2550 char *sec_curr, *nosec_save, *nosec;
2556 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2564 in_save = in_end = orig;
2568 open_quote = !open_quote;
2569 if ((*in_end == ',' && open_quote == 0) ||
2571 int len = in_end - in_curr;
2573 if (selinux_option(in_curr, len))
2574 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2576 take_option(&nosec, in_curr, &fnosec, len);
2578 in_curr = in_end + 1;
2580 } while (*in_end++);
2582 strcpy(in_save, nosec_save);
2583 free_page((unsigned long)nosec_save);
2588 static int selinux_sb_remount(struct super_block *sb, void *data)
2591 struct security_mnt_opts opts;
2592 char *secdata, **mount_options;
2593 struct superblock_security_struct *sbsec = sb->s_security;
2595 if (!(sbsec->flags & SE_SBINITIALIZED))
2601 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2604 security_init_mnt_opts(&opts);
2605 secdata = alloc_secdata();
2608 rc = selinux_sb_copy_data(data, secdata);
2610 goto out_free_secdata;
2612 rc = selinux_parse_opts_str(secdata, &opts);
2614 goto out_free_secdata;
2616 mount_options = opts.mnt_opts;
2617 flags = opts.mnt_opts_flags;
2619 for (i = 0; i < opts.num_mnt_opts; i++) {
2622 if (flags[i] == SBLABEL_MNT)
2624 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2626 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2627 "(%s) failed for (dev %s, type %s) errno=%d\n",
2628 mount_options[i], sb->s_id, sb->s_type->name, rc);
2634 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2635 goto out_bad_option;
2638 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2639 goto out_bad_option;
2641 case ROOTCONTEXT_MNT: {
2642 struct inode_security_struct *root_isec;
2643 root_isec = d_backing_inode(sb->s_root)->i_security;
2645 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2646 goto out_bad_option;
2649 case DEFCONTEXT_MNT:
2650 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2651 goto out_bad_option;
2660 security_free_mnt_opts(&opts);
2662 free_secdata(secdata);
2665 printk(KERN_WARNING "SELinux: unable to change security options "
2666 "during remount (dev %s, type=%s)\n", sb->s_id,
2671 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2673 const struct cred *cred = current_cred();
2674 struct common_audit_data ad;
2677 rc = superblock_doinit(sb, data);
2681 /* Allow all mounts performed by the kernel */
2682 if (flags & MS_KERNMOUNT)
2685 ad.type = LSM_AUDIT_DATA_DENTRY;
2686 ad.u.dentry = sb->s_root;
2687 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2690 static int selinux_sb_statfs(struct dentry *dentry)
2692 const struct cred *cred = current_cred();
2693 struct common_audit_data ad;
2695 ad.type = LSM_AUDIT_DATA_DENTRY;
2696 ad.u.dentry = dentry->d_sb->s_root;
2697 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2700 static int selinux_mount(const char *dev_name,
2703 unsigned long flags,
2706 const struct cred *cred = current_cred();
2708 if (flags & MS_REMOUNT)
2709 return superblock_has_perm(cred, path->dentry->d_sb,
2710 FILESYSTEM__REMOUNT, NULL);
2712 return path_has_perm(cred, path, FILE__MOUNTON);
2715 static int selinux_umount(struct vfsmount *mnt, int flags)
2717 const struct cred *cred = current_cred();
2719 return superblock_has_perm(cred, mnt->mnt_sb,
2720 FILESYSTEM__UNMOUNT, NULL);
2723 /* inode security operations */
2725 static int selinux_inode_alloc_security(struct inode *inode)
2727 return inode_alloc_security(inode);
2730 static void selinux_inode_free_security(struct inode *inode)
2732 inode_free_security(inode);
2735 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2736 struct qstr *name, void **ctx,
2742 rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
2743 inode_mode_to_security_class(mode),
2748 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2751 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2752 const struct qstr *qstr,
2754 void **value, size_t *len)
2756 const struct task_security_struct *tsec = current_security();
2757 struct inode_security_struct *dsec;
2758 struct superblock_security_struct *sbsec;
2759 u32 sid, newsid, clen;
2763 dsec = dir->i_security;
2764 sbsec = dir->i_sb->s_security;
2767 newsid = tsec->create_sid;
2769 rc = selinux_determine_inode_label(
2771 inode_mode_to_security_class(inode->i_mode),
2776 /* Possibly defer initialization to selinux_complete_init. */
2777 if (sbsec->flags & SE_SBINITIALIZED) {
2778 struct inode_security_struct *isec = inode->i_security;
2779 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2781 isec->initialized = 1;
2784 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2788 *name = XATTR_SELINUX_SUFFIX;
2791 rc = security_sid_to_context_force(newsid, &context, &clen);
2801 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2803 return may_create(dir, dentry, SECCLASS_FILE);
2806 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2808 return may_link(dir, old_dentry, MAY_LINK);
2811 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2813 return may_link(dir, dentry, MAY_UNLINK);
2816 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2818 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2821 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2823 return may_create(dir, dentry, SECCLASS_DIR);
2826 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2828 return may_link(dir, dentry, MAY_RMDIR);
2831 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2833 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2836 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2837 struct inode *new_inode, struct dentry *new_dentry)
2839 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2842 static int selinux_inode_readlink(struct dentry *dentry)
2844 const struct cred *cred = current_cred();
2846 return dentry_has_perm(cred, dentry, FILE__READ);
2849 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2852 const struct cred *cred = current_cred();
2853 struct common_audit_data ad;
2854 struct inode_security_struct *isec;
2857 validate_creds(cred);
2859 ad.type = LSM_AUDIT_DATA_DENTRY;
2860 ad.u.dentry = dentry;
2861 sid = cred_sid(cred);
2862 isec = inode->i_security;
2864 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2865 rcu ? MAY_NOT_BLOCK : 0);
2868 static noinline int audit_inode_permission(struct inode *inode,
2869 u32 perms, u32 audited, u32 denied,
2873 struct common_audit_data ad;
2874 struct inode_security_struct *isec = inode->i_security;
2877 ad.type = LSM_AUDIT_DATA_INODE;
2880 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2881 audited, denied, result, &ad, flags);
2887 static int selinux_inode_permission(struct inode *inode, int mask)
2889 const struct cred *cred = current_cred();
2892 unsigned flags = mask & MAY_NOT_BLOCK;
2893 struct inode_security_struct *isec;
2895 struct av_decision avd;
2897 u32 audited, denied;
2899 from_access = mask & MAY_ACCESS;
2900 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2902 /* No permission to check. Existence test. */
2906 validate_creds(cred);
2908 if (unlikely(IS_PRIVATE(inode)))
2911 perms = file_mask_to_av(inode->i_mode, mask);
2913 sid = cred_sid(cred);
2914 isec = inode->i_security;
2916 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2917 audited = avc_audit_required(perms, &avd, rc,
2918 from_access ? FILE__AUDIT_ACCESS : 0,
2920 if (likely(!audited))
2923 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2929 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2931 const struct cred *cred = current_cred();
2932 unsigned int ia_valid = iattr->ia_valid;
2933 __u32 av = FILE__WRITE;
2935 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2936 if (ia_valid & ATTR_FORCE) {
2937 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2943 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2944 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2945 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2947 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
2948 && !(ia_valid & ATTR_FILE))
2951 return dentry_has_perm(cred, dentry, av);
2954 static int selinux_inode_getattr(const struct path *path)
2956 return path_has_perm(current_cred(), path, FILE__GETATTR);
2959 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2961 const struct cred *cred = current_cred();
2963 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2964 sizeof XATTR_SECURITY_PREFIX - 1)) {
2965 if (!strcmp(name, XATTR_NAME_CAPS)) {
2966 if (!capable(CAP_SETFCAP))
2968 } else if (!capable(CAP_SYS_ADMIN)) {
2969 /* A different attribute in the security namespace.
2970 Restrict to administrator. */
2975 /* Not an attribute we recognize, so just check the
2976 ordinary setattr permission. */
2977 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2980 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2981 const void *value, size_t size, int flags)
2983 struct inode *inode = d_backing_inode(dentry);
2984 struct inode_security_struct *isec = inode->i_security;
2985 struct superblock_security_struct *sbsec;
2986 struct common_audit_data ad;
2987 u32 newsid, sid = current_sid();
2990 if (strcmp(name, XATTR_NAME_SELINUX))
2991 return selinux_inode_setotherxattr(dentry, name);
2993 sbsec = inode->i_sb->s_security;
2994 if (!(sbsec->flags & SBLABEL_MNT))
2997 if (!inode_owner_or_capable(inode))
3000 ad.type = LSM_AUDIT_DATA_DENTRY;
3001 ad.u.dentry = dentry;
3003 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3004 FILE__RELABELFROM, &ad);
3008 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3009 if (rc == -EINVAL) {
3010 if (!capable(CAP_MAC_ADMIN)) {
3011 struct audit_buffer *ab;
3015 /* We strip a nul only if it is at the end, otherwise the
3016 * context contains a nul and we should audit that */
3019 if (str[size - 1] == '\0')
3020 audit_size = size - 1;
3027 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3028 audit_log_format(ab, "op=setxattr invalid_context=");
3029 audit_log_n_untrustedstring(ab, value, audit_size);
3034 rc = security_context_to_sid_force(value, size, &newsid);
3039 rc = avc_has_perm(sid, newsid, isec->sclass,
3040 FILE__RELABELTO, &ad);
3044 rc = security_validate_transition(isec->sid, newsid, sid,
3049 return avc_has_perm(newsid,
3051 SECCLASS_FILESYSTEM,
3052 FILESYSTEM__ASSOCIATE,
3056 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3057 const void *value, size_t size,
3060 struct inode *inode = d_backing_inode(dentry);
3061 struct inode_security_struct *isec = inode->i_security;
3065 if (strcmp(name, XATTR_NAME_SELINUX)) {
3066 /* Not an attribute we recognize, so nothing to do. */
3070 rc = security_context_to_sid_force(value, size, &newsid);
3072 printk(KERN_ERR "SELinux: unable to map context to SID"
3073 "for (%s, %lu), rc=%d\n",
3074 inode->i_sb->s_id, inode->i_ino, -rc);
3078 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3080 isec->initialized = 1;
3085 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3087 const struct cred *cred = current_cred();
3089 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3092 static int selinux_inode_listxattr(struct dentry *dentry)
3094 const struct cred *cred = current_cred();
3096 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3099 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3101 if (strcmp(name, XATTR_NAME_SELINUX))
3102 return selinux_inode_setotherxattr(dentry, name);
3104 /* No one is allowed to remove a SELinux security label.
3105 You can change the label, but all data must be labeled. */
3110 * Copy the inode security context value to the user.
3112 * Permission check is handled by selinux_inode_getxattr hook.
3114 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
3118 char *context = NULL;
3119 struct inode_security_struct *isec = inode->i_security;
3121 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3125 * If the caller has CAP_MAC_ADMIN, then get the raw context
3126 * value even if it is not defined by current policy; otherwise,
3127 * use the in-core value under current policy.
3128 * Use the non-auditing forms of the permission checks since
3129 * getxattr may be called by unprivileged processes commonly
3130 * and lack of permission just means that we fall back to the
3131 * in-core context value, not a denial.
3133 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3134 SECURITY_CAP_NOAUDIT);
3136 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3137 SECURITY_CAP_NOAUDIT);
3139 error = security_sid_to_context_force(isec->sid, &context,
3142 error = security_sid_to_context(isec->sid, &context, &size);
3155 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3156 const void *value, size_t size, int flags)
3158 struct inode_security_struct *isec = inode->i_security;
3162 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3165 if (!value || !size)
3168 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3172 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3174 isec->initialized = 1;
3178 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3180 const int len = sizeof(XATTR_NAME_SELINUX);
3181 if (buffer && len <= buffer_size)
3182 memcpy(buffer, XATTR_NAME_SELINUX, len);
3186 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3188 struct inode_security_struct *isec = inode->i_security;
3192 /* file security operations */
3194 static int selinux_revalidate_file_permission(struct file *file, int mask)
3196 const struct cred *cred = current_cred();
3197 struct inode *inode = file_inode(file);
3199 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3200 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3203 return file_has_perm(cred, file,
3204 file_mask_to_av(inode->i_mode, mask));
3207 static int selinux_file_permission(struct file *file, int mask)
3209 struct inode *inode = file_inode(file);
3210 struct file_security_struct *fsec = file->f_security;
3211 struct inode_security_struct *isec = inode->i_security;
3212 u32 sid = current_sid();
3215 /* No permission to check. Existence test. */
3218 if (sid == fsec->sid && fsec->isid == isec->sid &&
3219 fsec->pseqno == avc_policy_seqno())
3220 /* No change since file_open check. */
3223 return selinux_revalidate_file_permission(file, mask);
3226 static int selinux_file_alloc_security(struct file *file)
3228 return file_alloc_security(file);
3231 static void selinux_file_free_security(struct file *file)
3233 file_free_security(file);
3237 * Check whether a task has the ioctl permission and cmd
3238 * operation to an inode.
3240 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3241 u32 requested, u16 cmd)
3243 struct common_audit_data ad;
3244 struct file_security_struct *fsec = file->f_security;
3245 struct inode *inode = file_inode(file);
3246 struct inode_security_struct *isec = inode->i_security;
3247 struct lsm_ioctlop_audit ioctl;
3248 u32 ssid = cred_sid(cred);
3250 u8 driver = cmd >> 8;
3251 u8 xperm = cmd & 0xff;
3253 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3256 ad.u.op->path = file->f_path;
3258 if (ssid != fsec->sid) {
3259 rc = avc_has_perm(ssid, fsec->sid,
3267 if (unlikely(IS_PRIVATE(inode)))
3270 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3271 requested, driver, xperm, &ad);
3276 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3279 const struct cred *cred = current_cred();
3289 case FS_IOC_GETFLAGS:
3291 case FS_IOC_GETVERSION:
3292 error = file_has_perm(cred, file, FILE__GETATTR);
3295 case FS_IOC_SETFLAGS:
3297 case FS_IOC_SETVERSION:
3298 error = file_has_perm(cred, file, FILE__SETATTR);
3301 /* sys_ioctl() checks */
3305 error = file_has_perm(cred, file, 0);
3310 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3311 SECURITY_CAP_AUDIT);
3314 /* default case assumes that the command will go
3315 * to the file's ioctl() function.
3318 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3323 static int default_noexec;
3325 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3327 const struct cred *cred = current_cred();
3330 if (default_noexec &&
3331 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3332 (!shared && (prot & PROT_WRITE)))) {
3334 * We are making executable an anonymous mapping or a
3335 * private file mapping that will also be writable.
3336 * This has an additional check.
3338 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3344 /* read access is always possible with a mapping */
3345 u32 av = FILE__READ;
3347 /* write access only matters if the mapping is shared */
3348 if (shared && (prot & PROT_WRITE))
3351 if (prot & PROT_EXEC)
3352 av |= FILE__EXECUTE;
3354 return file_has_perm(cred, file, av);
3361 static int selinux_mmap_addr(unsigned long addr)
3365 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3366 u32 sid = current_sid();
3367 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3368 MEMPROTECT__MMAP_ZERO, NULL);
3374 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3375 unsigned long prot, unsigned long flags)
3377 if (selinux_checkreqprot)
3380 return file_map_prot_check(file, prot,
3381 (flags & MAP_TYPE) == MAP_SHARED);
3384 static int selinux_file_mprotect(struct vm_area_struct *vma,
3385 unsigned long reqprot,
3388 const struct cred *cred = current_cred();
3390 if (selinux_checkreqprot)
3393 if (default_noexec &&
3394 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3396 if (vma->vm_start >= vma->vm_mm->start_brk &&
3397 vma->vm_end <= vma->vm_mm->brk) {
3398 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3399 } else if (!vma->vm_file &&
3400 vma->vm_start <= vma->vm_mm->start_stack &&
3401 vma->vm_end >= vma->vm_mm->start_stack) {
3402 rc = current_has_perm(current, PROCESS__EXECSTACK);
3403 } else if (vma->vm_file && vma->anon_vma) {
3405 * We are making executable a file mapping that has
3406 * had some COW done. Since pages might have been
3407 * written, check ability to execute the possibly
3408 * modified content. This typically should only
3409 * occur for text relocations.
3411 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3417 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3420 static int selinux_file_lock(struct file *file, unsigned int cmd)
3422 const struct cred *cred = current_cred();
3424 return file_has_perm(cred, file, FILE__LOCK);
3427 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3430 const struct cred *cred = current_cred();
3435 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3436 err = file_has_perm(cred, file, FILE__WRITE);
3445 case F_GETOWNER_UIDS:
3446 /* Just check FD__USE permission */
3447 err = file_has_perm(cred, file, 0);
3455 #if BITS_PER_LONG == 32
3460 err = file_has_perm(cred, file, FILE__LOCK);
3467 static void selinux_file_set_fowner(struct file *file)
3469 struct file_security_struct *fsec;
3471 fsec = file->f_security;
3472 fsec->fown_sid = current_sid();
3475 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3476 struct fown_struct *fown, int signum)
3479 u32 sid = task_sid(tsk);
3481 struct file_security_struct *fsec;
3483 /* struct fown_struct is never outside the context of a struct file */
3484 file = container_of(fown, struct file, f_owner);
3486 fsec = file->f_security;
3489 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3491 perm = signal_to_av(signum);
3493 return avc_has_perm(fsec->fown_sid, sid,
3494 SECCLASS_PROCESS, perm, NULL);
3497 static int selinux_file_receive(struct file *file)
3499 const struct cred *cred = current_cred();
3501 return file_has_perm(cred, file, file_to_av(file));
3504 static int selinux_file_open(struct file *file, const struct cred *cred)
3506 struct file_security_struct *fsec;
3507 struct inode_security_struct *isec;
3509 fsec = file->f_security;
3510 isec = file_inode(file)->i_security;
3512 * Save inode label and policy sequence number
3513 * at open-time so that selinux_file_permission
3514 * can determine whether revalidation is necessary.
3515 * Task label is already saved in the file security
3516 * struct as its SID.
3518 fsec->isid = isec->sid;
3519 fsec->pseqno = avc_policy_seqno();
3521 * Since the inode label or policy seqno may have changed
3522 * between the selinux_inode_permission check and the saving
3523 * of state above, recheck that access is still permitted.
3524 * Otherwise, access might never be revalidated against the
3525 * new inode label or new policy.
3526 * This check is not redundant - do not remove.
3528 return file_path_has_perm(cred, file, open_file_to_av(file));
3531 /* task security operations */
3533 static int selinux_task_create(unsigned long clone_flags)
3535 return current_has_perm(current, PROCESS__FORK);
3539 * allocate the SELinux part of blank credentials
3541 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3543 struct task_security_struct *tsec;
3545 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3549 cred->security = tsec;
3554 * detach and free the LSM part of a set of credentials
3556 static void selinux_cred_free(struct cred *cred)
3558 struct task_security_struct *tsec = cred->security;
3561 * cred->security == NULL if security_cred_alloc_blank() or
3562 * security_prepare_creds() returned an error.
3564 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3565 cred->security = (void *) 0x7UL;
3570 * prepare a new set of credentials for modification
3572 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3575 const struct task_security_struct *old_tsec;
3576 struct task_security_struct *tsec;
3578 old_tsec = old->security;
3580 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3584 new->security = tsec;
3589 * transfer the SELinux data to a blank set of creds
3591 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3593 const struct task_security_struct *old_tsec = old->security;
3594 struct task_security_struct *tsec = new->security;
3600 * set the security data for a kernel service
3601 * - all the creation contexts are set to unlabelled
3603 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3605 struct task_security_struct *tsec = new->security;
3606 u32 sid = current_sid();
3609 ret = avc_has_perm(sid, secid,
3610 SECCLASS_KERNEL_SERVICE,
3611 KERNEL_SERVICE__USE_AS_OVERRIDE,
3615 tsec->create_sid = 0;
3616 tsec->keycreate_sid = 0;
3617 tsec->sockcreate_sid = 0;
3623 * set the file creation context in a security record to the same as the
3624 * objective context of the specified inode
3626 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3628 struct inode_security_struct *isec = inode->i_security;
3629 struct task_security_struct *tsec = new->security;
3630 u32 sid = current_sid();
3633 ret = avc_has_perm(sid, isec->sid,
3634 SECCLASS_KERNEL_SERVICE,
3635 KERNEL_SERVICE__CREATE_FILES_AS,
3639 tsec->create_sid = isec->sid;
3643 static int selinux_kernel_module_request(char *kmod_name)
3646 struct common_audit_data ad;
3648 sid = task_sid(current);
3650 ad.type = LSM_AUDIT_DATA_KMOD;
3651 ad.u.kmod_name = kmod_name;
3653 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3654 SYSTEM__MODULE_REQUEST, &ad);
3657 static int selinux_kernel_module_from_file(struct file *file)
3659 struct common_audit_data ad;
3660 struct inode_security_struct *isec;
3661 struct file_security_struct *fsec;
3662 struct inode *inode;
3663 u32 sid = current_sid();
3668 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3669 SYSTEM__MODULE_LOAD, NULL);
3672 ad.type = LSM_AUDIT_DATA_PATH;
3673 ad.u.path = file->f_path;
3675 inode = file_inode(file);
3676 isec = inode->i_security;
3677 fsec = file->f_security;
3679 if (sid != fsec->sid) {
3680 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3685 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3686 SYSTEM__MODULE_LOAD, &ad);
3689 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3691 return current_has_perm(p, PROCESS__SETPGID);
3694 static int selinux_task_getpgid(struct task_struct *p)
3696 return current_has_perm(p, PROCESS__GETPGID);
3699 static int selinux_task_getsid(struct task_struct *p)
3701 return current_has_perm(p, PROCESS__GETSESSION);
3704 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3706 *secid = task_sid(p);
3709 static int selinux_task_setnice(struct task_struct *p, int nice)
3711 return current_has_perm(p, PROCESS__SETSCHED);
3714 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3716 return current_has_perm(p, PROCESS__SETSCHED);
3719 static int selinux_task_getioprio(struct task_struct *p)
3721 return current_has_perm(p, PROCESS__GETSCHED);
3724 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3725 struct rlimit *new_rlim)
3727 struct rlimit *old_rlim = p->signal->rlim + resource;
3729 /* Control the ability to change the hard limit (whether
3730 lowering or raising it), so that the hard limit can
3731 later be used as a safe reset point for the soft limit
3732 upon context transitions. See selinux_bprm_committing_creds. */
3733 if (old_rlim->rlim_max != new_rlim->rlim_max)
3734 return current_has_perm(p, PROCESS__SETRLIMIT);
3739 static int selinux_task_setscheduler(struct task_struct *p)
3741 return current_has_perm(p, PROCESS__SETSCHED);
3744 static int selinux_task_getscheduler(struct task_struct *p)
3746 return current_has_perm(p, PROCESS__GETSCHED);
3749 static int selinux_task_movememory(struct task_struct *p)
3751 return current_has_perm(p, PROCESS__SETSCHED);
3754 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3761 perm = PROCESS__SIGNULL; /* null signal; existence test */
3763 perm = signal_to_av(sig);
3765 rc = avc_has_perm(secid, task_sid(p),
3766 SECCLASS_PROCESS, perm, NULL);
3768 rc = current_has_perm(p, perm);
3772 static int selinux_task_wait(struct task_struct *p)
3774 return task_has_perm(p, current, PROCESS__SIGCHLD);
3777 static void selinux_task_to_inode(struct task_struct *p,
3778 struct inode *inode)
3780 struct inode_security_struct *isec = inode->i_security;
3781 u32 sid = task_sid(p);
3784 isec->initialized = 1;
3787 /* Returns error only if unable to parse addresses */
3788 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3789 struct common_audit_data *ad, u8 *proto)
3791 int offset, ihlen, ret = -EINVAL;
3792 struct iphdr _iph, *ih;
3794 offset = skb_network_offset(skb);
3795 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3799 ihlen = ih->ihl * 4;
3800 if (ihlen < sizeof(_iph))
3803 ad->u.net->v4info.saddr = ih->saddr;
3804 ad->u.net->v4info.daddr = ih->daddr;
3808 *proto = ih->protocol;
3810 switch (ih->protocol) {
3812 struct tcphdr _tcph, *th;
3814 if (ntohs(ih->frag_off) & IP_OFFSET)
3818 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3822 ad->u.net->sport = th->source;
3823 ad->u.net->dport = th->dest;
3828 struct udphdr _udph, *uh;
3830 if (ntohs(ih->frag_off) & IP_OFFSET)
3834 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3838 ad->u.net->sport = uh->source;
3839 ad->u.net->dport = uh->dest;
3843 case IPPROTO_DCCP: {
3844 struct dccp_hdr _dccph, *dh;
3846 if (ntohs(ih->frag_off) & IP_OFFSET)
3850 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3854 ad->u.net->sport = dh->dccph_sport;
3855 ad->u.net->dport = dh->dccph_dport;
3866 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3868 /* Returns error only if unable to parse addresses */
3869 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3870 struct common_audit_data *ad, u8 *proto)
3873 int ret = -EINVAL, offset;
3874 struct ipv6hdr _ipv6h, *ip6;
3877 offset = skb_network_offset(skb);
3878 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3882 ad->u.net->v6info.saddr = ip6->saddr;
3883 ad->u.net->v6info.daddr = ip6->daddr;
3886 nexthdr = ip6->nexthdr;
3887 offset += sizeof(_ipv6h);
3888 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3897 struct tcphdr _tcph, *th;
3899 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3903 ad->u.net->sport = th->source;
3904 ad->u.net->dport = th->dest;
3909 struct udphdr _udph, *uh;
3911 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3915 ad->u.net->sport = uh->source;
3916 ad->u.net->dport = uh->dest;
3920 case IPPROTO_DCCP: {
3921 struct dccp_hdr _dccph, *dh;
3923 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3927 ad->u.net->sport = dh->dccph_sport;
3928 ad->u.net->dport = dh->dccph_dport;
3932 /* includes fragments */
3942 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3943 char **_addrp, int src, u8 *proto)
3948 switch (ad->u.net->family) {
3950 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3953 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3954 &ad->u.net->v4info.daddr);
3957 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3959 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3962 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3963 &ad->u.net->v6info.daddr);
3973 "SELinux: failure in selinux_parse_skb(),"
3974 " unable to parse packet\n");
3984 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3986 * @family: protocol family
3987 * @sid: the packet's peer label SID
3990 * Check the various different forms of network peer labeling and determine
3991 * the peer label/SID for the packet; most of the magic actually occurs in
3992 * the security server function security_net_peersid_cmp(). The function
3993 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3994 * or -EACCES if @sid is invalid due to inconsistencies with the different
3998 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4005 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4008 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4012 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4013 if (unlikely(err)) {
4015 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4016 " unable to determine packet's peer label\n");
4024 * selinux_conn_sid - Determine the child socket label for a connection
4025 * @sk_sid: the parent socket's SID
4026 * @skb_sid: the packet's SID
4027 * @conn_sid: the resulting connection SID
4029 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4030 * combined with the MLS information from @skb_sid in order to create
4031 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4032 * of @sk_sid. Returns zero on success, negative values on failure.
4035 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4039 if (skb_sid != SECSID_NULL)
4040 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4047 /* socket security operations */
4049 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4050 u16 secclass, u32 *socksid)
4052 if (tsec->sockcreate_sid > SECSID_NULL) {
4053 *socksid = tsec->sockcreate_sid;
4057 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4061 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
4063 struct sk_security_struct *sksec = sk->sk_security;
4064 struct common_audit_data ad;
4065 struct lsm_network_audit net = {0,};
4066 u32 tsid = task_sid(task);
4068 if (sksec->sid == SECINITSID_KERNEL)
4071 ad.type = LSM_AUDIT_DATA_NET;
4075 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
4078 static int selinux_socket_create(int family, int type,
4079 int protocol, int kern)
4081 const struct task_security_struct *tsec = current_security();
4089 secclass = socket_type_to_security_class(family, type, protocol);
4090 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4094 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4097 static int selinux_socket_post_create(struct socket *sock, int family,
4098 int type, int protocol, int kern)
4100 const struct task_security_struct *tsec = current_security();
4101 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4102 struct sk_security_struct *sksec;
4105 isec->sclass = socket_type_to_security_class(family, type, protocol);
4108 isec->sid = SECINITSID_KERNEL;
4110 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4115 isec->initialized = 1;
4118 sksec = sock->sk->sk_security;
4119 sksec->sid = isec->sid;
4120 sksec->sclass = isec->sclass;
4121 err = selinux_netlbl_socket_post_create(sock->sk, family);
4127 /* Range of port numbers used to automatically bind.
4128 Need to determine whether we should perform a name_bind
4129 permission check between the socket and the port number. */
4131 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4133 struct sock *sk = sock->sk;
4137 err = sock_has_perm(current, sk, SOCKET__BIND);
4142 * If PF_INET or PF_INET6, check name_bind permission for the port.
4143 * Multiple address binding for SCTP is not supported yet: we just
4144 * check the first address now.
4146 family = sk->sk_family;
4147 if (family == PF_INET || family == PF_INET6) {
4149 struct sk_security_struct *sksec = sk->sk_security;
4150 struct common_audit_data ad;
4151 struct lsm_network_audit net = {0,};
4152 struct sockaddr_in *addr4 = NULL;
4153 struct sockaddr_in6 *addr6 = NULL;
4154 unsigned short snum;
4157 if (family == PF_INET) {
4158 addr4 = (struct sockaddr_in *)address;
4159 snum = ntohs(addr4->sin_port);
4160 addrp = (char *)&addr4->sin_addr.s_addr;
4162 addr6 = (struct sockaddr_in6 *)address;
4163 snum = ntohs(addr6->sin6_port);
4164 addrp = (char *)&addr6->sin6_addr.s6_addr;
4170 inet_get_local_port_range(sock_net(sk), &low, &high);
4172 if (snum < max(PROT_SOCK, low) || snum > high) {
4173 err = sel_netport_sid(sk->sk_protocol,
4177 ad.type = LSM_AUDIT_DATA_NET;
4179 ad.u.net->sport = htons(snum);
4180 ad.u.net->family = family;
4181 err = avc_has_perm(sksec->sid, sid,
4183 SOCKET__NAME_BIND, &ad);
4189 switch (sksec->sclass) {
4190 case SECCLASS_TCP_SOCKET:
4191 node_perm = TCP_SOCKET__NODE_BIND;
4194 case SECCLASS_UDP_SOCKET:
4195 node_perm = UDP_SOCKET__NODE_BIND;
4198 case SECCLASS_DCCP_SOCKET:
4199 node_perm = DCCP_SOCKET__NODE_BIND;
4203 node_perm = RAWIP_SOCKET__NODE_BIND;
4207 err = sel_netnode_sid(addrp, family, &sid);
4211 ad.type = LSM_AUDIT_DATA_NET;
4213 ad.u.net->sport = htons(snum);
4214 ad.u.net->family = family;
4216 if (family == PF_INET)
4217 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4219 ad.u.net->v6info.saddr = addr6->sin6_addr;
4221 err = avc_has_perm(sksec->sid, sid,
4222 sksec->sclass, node_perm, &ad);
4230 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4232 struct sock *sk = sock->sk;
4233 struct sk_security_struct *sksec = sk->sk_security;
4236 err = sock_has_perm(current, sk, SOCKET__CONNECT);
4241 * If a TCP or DCCP socket, check name_connect permission for the port.
4243 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4244 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4245 struct common_audit_data ad;
4246 struct lsm_network_audit net = {0,};
4247 struct sockaddr_in *addr4 = NULL;
4248 struct sockaddr_in6 *addr6 = NULL;
4249 unsigned short snum;
4252 if (sk->sk_family == PF_INET) {
4253 addr4 = (struct sockaddr_in *)address;
4254 if (addrlen < sizeof(struct sockaddr_in))
4256 snum = ntohs(addr4->sin_port);
4258 addr6 = (struct sockaddr_in6 *)address;
4259 if (addrlen < SIN6_LEN_RFC2133)
4261 snum = ntohs(addr6->sin6_port);
4264 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4268 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4269 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4271 ad.type = LSM_AUDIT_DATA_NET;
4273 ad.u.net->dport = htons(snum);
4274 ad.u.net->family = sk->sk_family;
4275 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4280 err = selinux_netlbl_socket_connect(sk, address);
4286 static int selinux_socket_listen(struct socket *sock, int backlog)
4288 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4291 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4294 struct inode_security_struct *isec;
4295 struct inode_security_struct *newisec;
4297 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4301 newisec = SOCK_INODE(newsock)->i_security;
4303 isec = SOCK_INODE(sock)->i_security;
4304 newisec->sclass = isec->sclass;
4305 newisec->sid = isec->sid;
4306 newisec->initialized = 1;
4311 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4314 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4317 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4318 int size, int flags)
4320 return sock_has_perm(current, sock->sk, SOCKET__READ);
4323 static int selinux_socket_getsockname(struct socket *sock)
4325 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4328 static int selinux_socket_getpeername(struct socket *sock)
4330 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4333 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4337 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4341 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4344 static int selinux_socket_getsockopt(struct socket *sock, int level,
4347 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4350 static int selinux_socket_shutdown(struct socket *sock, int how)
4352 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4355 static int selinux_socket_unix_stream_connect(struct sock *sock,
4359 struct sk_security_struct *sksec_sock = sock->sk_security;
4360 struct sk_security_struct *sksec_other = other->sk_security;
4361 struct sk_security_struct *sksec_new = newsk->sk_security;
4362 struct common_audit_data ad;
4363 struct lsm_network_audit net = {0,};
4366 ad.type = LSM_AUDIT_DATA_NET;
4368 ad.u.net->sk = other;
4370 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4371 sksec_other->sclass,
4372 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4376 /* server child socket */
4377 sksec_new->peer_sid = sksec_sock->sid;
4378 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4383 /* connecting socket */
4384 sksec_sock->peer_sid = sksec_new->sid;
4389 static int selinux_socket_unix_may_send(struct socket *sock,
4390 struct socket *other)
4392 struct sk_security_struct *ssec = sock->sk->sk_security;
4393 struct sk_security_struct *osec = other->sk->sk_security;
4394 struct common_audit_data ad;
4395 struct lsm_network_audit net = {0,};
4397 ad.type = LSM_AUDIT_DATA_NET;
4399 ad.u.net->sk = other->sk;
4401 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4405 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4406 char *addrp, u16 family, u32 peer_sid,
4407 struct common_audit_data *ad)
4413 err = sel_netif_sid(ns, ifindex, &if_sid);
4416 err = avc_has_perm(peer_sid, if_sid,
4417 SECCLASS_NETIF, NETIF__INGRESS, ad);
4421 err = sel_netnode_sid(addrp, family, &node_sid);
4424 return avc_has_perm(peer_sid, node_sid,
4425 SECCLASS_NODE, NODE__RECVFROM, ad);
4428 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4432 struct sk_security_struct *sksec = sk->sk_security;
4433 u32 sk_sid = sksec->sid;
4434 struct common_audit_data ad;
4435 struct lsm_network_audit net = {0,};
4438 ad.type = LSM_AUDIT_DATA_NET;
4440 ad.u.net->netif = skb->skb_iif;
4441 ad.u.net->family = family;
4442 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4446 if (selinux_secmark_enabled()) {
4447 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4453 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4456 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4461 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4464 struct sk_security_struct *sksec = sk->sk_security;
4465 u16 family = sk->sk_family;
4466 u32 sk_sid = sksec->sid;
4467 struct common_audit_data ad;
4468 struct lsm_network_audit net = {0,};
4473 if (family != PF_INET && family != PF_INET6)
4476 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4477 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4480 /* If any sort of compatibility mode is enabled then handoff processing
4481 * to the selinux_sock_rcv_skb_compat() function to deal with the
4482 * special handling. We do this in an attempt to keep this function
4483 * as fast and as clean as possible. */
4484 if (!selinux_policycap_netpeer)
4485 return selinux_sock_rcv_skb_compat(sk, skb, family);
4487 secmark_active = selinux_secmark_enabled();
4488 peerlbl_active = selinux_peerlbl_enabled();
4489 if (!secmark_active && !peerlbl_active)
4492 ad.type = LSM_AUDIT_DATA_NET;
4494 ad.u.net->netif = skb->skb_iif;
4495 ad.u.net->family = family;
4496 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4500 if (peerlbl_active) {
4503 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4506 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4507 addrp, family, peer_sid, &ad);
4509 selinux_netlbl_err(skb, err, 0);
4512 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4515 selinux_netlbl_err(skb, err, 0);
4520 if (secmark_active) {
4521 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4530 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4531 int __user *optlen, unsigned len)
4536 struct sk_security_struct *sksec = sock->sk->sk_security;
4537 u32 peer_sid = SECSID_NULL;
4539 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4540 sksec->sclass == SECCLASS_TCP_SOCKET)
4541 peer_sid = sksec->peer_sid;
4542 if (peer_sid == SECSID_NULL)
4543 return -ENOPROTOOPT;
4545 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4549 if (scontext_len > len) {
4554 if (copy_to_user(optval, scontext, scontext_len))
4558 if (put_user(scontext_len, optlen))
4564 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4566 u32 peer_secid = SECSID_NULL;
4569 if (skb && skb->protocol == htons(ETH_P_IP))
4571 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4574 family = sock->sk->sk_family;
4578 if (sock && family == PF_UNIX)
4579 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4581 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4584 *secid = peer_secid;
4585 if (peer_secid == SECSID_NULL)
4590 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4592 struct sk_security_struct *sksec;
4594 sksec = kzalloc(sizeof(*sksec), priority);
4598 sksec->peer_sid = SECINITSID_UNLABELED;
4599 sksec->sid = SECINITSID_UNLABELED;
4600 sksec->sclass = SECCLASS_SOCKET;
4601 selinux_netlbl_sk_security_reset(sksec);
4602 sk->sk_security = sksec;
4607 static void selinux_sk_free_security(struct sock *sk)
4609 struct sk_security_struct *sksec = sk->sk_security;
4611 sk->sk_security = NULL;
4612 selinux_netlbl_sk_security_free(sksec);
4616 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4618 struct sk_security_struct *sksec = sk->sk_security;
4619 struct sk_security_struct *newsksec = newsk->sk_security;
4621 newsksec->sid = sksec->sid;
4622 newsksec->peer_sid = sksec->peer_sid;
4623 newsksec->sclass = sksec->sclass;
4625 selinux_netlbl_sk_security_reset(newsksec);
4628 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4631 *secid = SECINITSID_ANY_SOCKET;
4633 struct sk_security_struct *sksec = sk->sk_security;
4635 *secid = sksec->sid;
4639 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4641 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4642 struct sk_security_struct *sksec = sk->sk_security;
4644 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4645 sk->sk_family == PF_UNIX)
4646 isec->sid = sksec->sid;
4647 sksec->sclass = isec->sclass;
4650 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4651 struct request_sock *req)
4653 struct sk_security_struct *sksec = sk->sk_security;
4655 u16 family = req->rsk_ops->family;
4659 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4662 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4665 req->secid = connsid;
4666 req->peer_secid = peersid;
4668 return selinux_netlbl_inet_conn_request(req, family);
4671 static void selinux_inet_csk_clone(struct sock *newsk,
4672 const struct request_sock *req)
4674 struct sk_security_struct *newsksec = newsk->sk_security;
4676 newsksec->sid = req->secid;
4677 newsksec->peer_sid = req->peer_secid;
4678 /* NOTE: Ideally, we should also get the isec->sid for the
4679 new socket in sync, but we don't have the isec available yet.
4680 So we will wait until sock_graft to do it, by which
4681 time it will have been created and available. */
4683 /* We don't need to take any sort of lock here as we are the only
4684 * thread with access to newsksec */
4685 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4688 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4690 u16 family = sk->sk_family;
4691 struct sk_security_struct *sksec = sk->sk_security;
4693 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4694 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4697 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4700 static int selinux_secmark_relabel_packet(u32 sid)
4702 const struct task_security_struct *__tsec;
4705 __tsec = current_security();
4708 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4711 static void selinux_secmark_refcount_inc(void)
4713 atomic_inc(&selinux_secmark_refcount);
4716 static void selinux_secmark_refcount_dec(void)
4718 atomic_dec(&selinux_secmark_refcount);
4721 static void selinux_req_classify_flow(const struct request_sock *req,
4724 fl->flowi_secid = req->secid;
4727 static int selinux_tun_dev_alloc_security(void **security)
4729 struct tun_security_struct *tunsec;
4731 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4734 tunsec->sid = current_sid();
4740 static void selinux_tun_dev_free_security(void *security)
4745 static int selinux_tun_dev_create(void)
4747 u32 sid = current_sid();
4749 /* we aren't taking into account the "sockcreate" SID since the socket
4750 * that is being created here is not a socket in the traditional sense,
4751 * instead it is a private sock, accessible only to the kernel, and
4752 * representing a wide range of network traffic spanning multiple
4753 * connections unlike traditional sockets - check the TUN driver to
4754 * get a better understanding of why this socket is special */
4756 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4760 static int selinux_tun_dev_attach_queue(void *security)
4762 struct tun_security_struct *tunsec = security;
4764 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4765 TUN_SOCKET__ATTACH_QUEUE, NULL);
4768 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4770 struct tun_security_struct *tunsec = security;
4771 struct sk_security_struct *sksec = sk->sk_security;
4773 /* we don't currently perform any NetLabel based labeling here and it
4774 * isn't clear that we would want to do so anyway; while we could apply
4775 * labeling without the support of the TUN user the resulting labeled
4776 * traffic from the other end of the connection would almost certainly
4777 * cause confusion to the TUN user that had no idea network labeling
4778 * protocols were being used */
4780 sksec->sid = tunsec->sid;
4781 sksec->sclass = SECCLASS_TUN_SOCKET;
4786 static int selinux_tun_dev_open(void *security)
4788 struct tun_security_struct *tunsec = security;
4789 u32 sid = current_sid();
4792 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4793 TUN_SOCKET__RELABELFROM, NULL);
4796 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4797 TUN_SOCKET__RELABELTO, NULL);
4805 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4809 struct nlmsghdr *nlh;
4810 struct sk_security_struct *sksec = sk->sk_security;
4812 if (skb->len < NLMSG_HDRLEN) {
4816 nlh = nlmsg_hdr(skb);
4818 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4820 if (err == -EINVAL) {
4822 "SELinux: unrecognized netlink message:"
4823 " protocol=%hu nlmsg_type=%hu sclass=%s\n",
4824 sk->sk_protocol, nlh->nlmsg_type,
4825 secclass_map[sksec->sclass - 1].name);
4826 if (!selinux_enforcing || security_get_allow_unknown())
4836 err = sock_has_perm(current, sk, perm);
4841 #ifdef CONFIG_NETFILTER
4843 static unsigned int selinux_ip_forward(struct sk_buff *skb,
4844 const struct net_device *indev,
4850 struct common_audit_data ad;
4851 struct lsm_network_audit net = {0,};
4856 if (!selinux_policycap_netpeer)
4859 secmark_active = selinux_secmark_enabled();
4860 netlbl_active = netlbl_enabled();
4861 peerlbl_active = selinux_peerlbl_enabled();
4862 if (!secmark_active && !peerlbl_active)
4865 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4868 ad.type = LSM_AUDIT_DATA_NET;
4870 ad.u.net->netif = indev->ifindex;
4871 ad.u.net->family = family;
4872 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4875 if (peerlbl_active) {
4876 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
4877 addrp, family, peer_sid, &ad);
4879 selinux_netlbl_err(skb, err, 1);
4885 if (avc_has_perm(peer_sid, skb->secmark,
4886 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4890 /* we do this in the FORWARD path and not the POST_ROUTING
4891 * path because we want to make sure we apply the necessary
4892 * labeling before IPsec is applied so we can leverage AH
4894 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4900 static unsigned int selinux_ipv4_forward(void *priv,
4901 struct sk_buff *skb,
4902 const struct nf_hook_state *state)
4904 return selinux_ip_forward(skb, state->in, PF_INET);
4907 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4908 static unsigned int selinux_ipv6_forward(void *priv,
4909 struct sk_buff *skb,
4910 const struct nf_hook_state *state)
4912 return selinux_ip_forward(skb, state->in, PF_INET6);
4916 static unsigned int selinux_ip_output(struct sk_buff *skb,
4922 if (!netlbl_enabled())
4925 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4926 * because we want to make sure we apply the necessary labeling
4927 * before IPsec is applied so we can leverage AH protection */
4930 struct sk_security_struct *sksec;
4932 if (sk_listener(sk))
4933 /* if the socket is the listening state then this
4934 * packet is a SYN-ACK packet which means it needs to
4935 * be labeled based on the connection/request_sock and
4936 * not the parent socket. unfortunately, we can't
4937 * lookup the request_sock yet as it isn't queued on
4938 * the parent socket until after the SYN-ACK is sent.
4939 * the "solution" is to simply pass the packet as-is
4940 * as any IP option based labeling should be copied
4941 * from the initial connection request (in the IP
4942 * layer). it is far from ideal, but until we get a
4943 * security label in the packet itself this is the
4944 * best we can do. */
4947 /* standard practice, label using the parent socket */
4948 sksec = sk->sk_security;
4951 sid = SECINITSID_KERNEL;
4952 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4958 static unsigned int selinux_ipv4_output(void *priv,
4959 struct sk_buff *skb,
4960 const struct nf_hook_state *state)
4962 return selinux_ip_output(skb, PF_INET);
4965 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4969 struct sock *sk = skb_to_full_sk(skb);
4970 struct sk_security_struct *sksec;
4971 struct common_audit_data ad;
4972 struct lsm_network_audit net = {0,};
4978 sksec = sk->sk_security;
4980 ad.type = LSM_AUDIT_DATA_NET;
4982 ad.u.net->netif = ifindex;
4983 ad.u.net->family = family;
4984 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4987 if (selinux_secmark_enabled())
4988 if (avc_has_perm(sksec->sid, skb->secmark,
4989 SECCLASS_PACKET, PACKET__SEND, &ad))
4990 return NF_DROP_ERR(-ECONNREFUSED);
4992 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4993 return NF_DROP_ERR(-ECONNREFUSED);
4998 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
4999 const struct net_device *outdev,
5004 int ifindex = outdev->ifindex;
5006 struct common_audit_data ad;
5007 struct lsm_network_audit net = {0,};
5012 /* If any sort of compatibility mode is enabled then handoff processing
5013 * to the selinux_ip_postroute_compat() function to deal with the
5014 * special handling. We do this in an attempt to keep this function
5015 * as fast and as clean as possible. */
5016 if (!selinux_policycap_netpeer)
5017 return selinux_ip_postroute_compat(skb, ifindex, family);
5019 secmark_active = selinux_secmark_enabled();
5020 peerlbl_active = selinux_peerlbl_enabled();
5021 if (!secmark_active && !peerlbl_active)
5024 sk = skb_to_full_sk(skb);
5027 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5028 * packet transformation so allow the packet to pass without any checks
5029 * since we'll have another chance to perform access control checks
5030 * when the packet is on it's final way out.
5031 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5032 * is NULL, in this case go ahead and apply access control.
5033 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5034 * TCP listening state we cannot wait until the XFRM processing
5035 * is done as we will miss out on the SA label if we do;
5036 * unfortunately, this means more work, but it is only once per
5038 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5039 !(sk && sk_listener(sk)))
5044 /* Without an associated socket the packet is either coming
5045 * from the kernel or it is being forwarded; check the packet
5046 * to determine which and if the packet is being forwarded
5047 * query the packet directly to determine the security label. */
5049 secmark_perm = PACKET__FORWARD_OUT;
5050 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5053 secmark_perm = PACKET__SEND;
5054 peer_sid = SECINITSID_KERNEL;
5056 } else if (sk_listener(sk)) {
5057 /* Locally generated packet but the associated socket is in the
5058 * listening state which means this is a SYN-ACK packet. In
5059 * this particular case the correct security label is assigned
5060 * to the connection/request_sock but unfortunately we can't
5061 * query the request_sock as it isn't queued on the parent
5062 * socket until after the SYN-ACK packet is sent; the only
5063 * viable choice is to regenerate the label like we do in
5064 * selinux_inet_conn_request(). See also selinux_ip_output()
5065 * for similar problems. */
5067 struct sk_security_struct *sksec;
5069 sksec = sk->sk_security;
5070 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5072 /* At this point, if the returned skb peerlbl is SECSID_NULL
5073 * and the packet has been through at least one XFRM
5074 * transformation then we must be dealing with the "final"
5075 * form of labeled IPsec packet; since we've already applied
5076 * all of our access controls on this packet we can safely
5077 * pass the packet. */
5078 if (skb_sid == SECSID_NULL) {
5081 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5085 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5089 return NF_DROP_ERR(-ECONNREFUSED);
5092 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5094 secmark_perm = PACKET__SEND;
5096 /* Locally generated packet, fetch the security label from the
5097 * associated socket. */
5098 struct sk_security_struct *sksec = sk->sk_security;
5099 peer_sid = sksec->sid;
5100 secmark_perm = PACKET__SEND;
5103 ad.type = LSM_AUDIT_DATA_NET;
5105 ad.u.net->netif = ifindex;
5106 ad.u.net->family = family;
5107 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5111 if (avc_has_perm(peer_sid, skb->secmark,
5112 SECCLASS_PACKET, secmark_perm, &ad))
5113 return NF_DROP_ERR(-ECONNREFUSED);
5115 if (peerlbl_active) {
5119 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5121 if (avc_has_perm(peer_sid, if_sid,
5122 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5123 return NF_DROP_ERR(-ECONNREFUSED);
5125 if (sel_netnode_sid(addrp, family, &node_sid))
5127 if (avc_has_perm(peer_sid, node_sid,
5128 SECCLASS_NODE, NODE__SENDTO, &ad))
5129 return NF_DROP_ERR(-ECONNREFUSED);
5135 static unsigned int selinux_ipv4_postroute(void *priv,
5136 struct sk_buff *skb,
5137 const struct nf_hook_state *state)
5139 return selinux_ip_postroute(skb, state->out, PF_INET);
5142 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5143 static unsigned int selinux_ipv6_postroute(void *priv,
5144 struct sk_buff *skb,
5145 const struct nf_hook_state *state)
5147 return selinux_ip_postroute(skb, state->out, PF_INET6);
5151 #endif /* CONFIG_NETFILTER */
5153 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5155 return selinux_nlmsg_perm(sk, skb);
5158 static int ipc_alloc_security(struct task_struct *task,
5159 struct kern_ipc_perm *perm,
5162 struct ipc_security_struct *isec;
5165 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5169 sid = task_sid(task);
5170 isec->sclass = sclass;
5172 perm->security = isec;
5177 static void ipc_free_security(struct kern_ipc_perm *perm)
5179 struct ipc_security_struct *isec = perm->security;
5180 perm->security = NULL;
5184 static int msg_msg_alloc_security(struct msg_msg *msg)
5186 struct msg_security_struct *msec;
5188 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5192 msec->sid = SECINITSID_UNLABELED;
5193 msg->security = msec;
5198 static void msg_msg_free_security(struct msg_msg *msg)
5200 struct msg_security_struct *msec = msg->security;
5202 msg->security = NULL;
5206 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5209 struct ipc_security_struct *isec;
5210 struct common_audit_data ad;
5211 u32 sid = current_sid();
5213 isec = ipc_perms->security;
5215 ad.type = LSM_AUDIT_DATA_IPC;
5216 ad.u.ipc_id = ipc_perms->key;
5218 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5221 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5223 return msg_msg_alloc_security(msg);
5226 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5228 msg_msg_free_security(msg);
5231 /* message queue security operations */
5232 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5234 struct ipc_security_struct *isec;
5235 struct common_audit_data ad;
5236 u32 sid = current_sid();
5239 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5243 isec = msq->q_perm.security;
5245 ad.type = LSM_AUDIT_DATA_IPC;
5246 ad.u.ipc_id = msq->q_perm.key;
5248 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5251 ipc_free_security(&msq->q_perm);
5257 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5259 ipc_free_security(&msq->q_perm);
5262 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5264 struct ipc_security_struct *isec;
5265 struct common_audit_data ad;
5266 u32 sid = current_sid();
5268 isec = msq->q_perm.security;
5270 ad.type = LSM_AUDIT_DATA_IPC;
5271 ad.u.ipc_id = msq->q_perm.key;
5273 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5274 MSGQ__ASSOCIATE, &ad);
5277 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5285 /* No specific object, just general system-wide information. */
5286 return task_has_system(current, SYSTEM__IPC_INFO);
5289 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5292 perms = MSGQ__SETATTR;
5295 perms = MSGQ__DESTROY;
5301 err = ipc_has_perm(&msq->q_perm, perms);
5305 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5307 struct ipc_security_struct *isec;
5308 struct msg_security_struct *msec;
5309 struct common_audit_data ad;
5310 u32 sid = current_sid();
5313 isec = msq->q_perm.security;
5314 msec = msg->security;
5317 * First time through, need to assign label to the message
5319 if (msec->sid == SECINITSID_UNLABELED) {
5321 * Compute new sid based on current process and
5322 * message queue this message will be stored in
5324 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5330 ad.type = LSM_AUDIT_DATA_IPC;
5331 ad.u.ipc_id = msq->q_perm.key;
5333 /* Can this process write to the queue? */
5334 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5337 /* Can this process send the message */
5338 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5341 /* Can the message be put in the queue? */
5342 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5343 MSGQ__ENQUEUE, &ad);
5348 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5349 struct task_struct *target,
5350 long type, int mode)
5352 struct ipc_security_struct *isec;
5353 struct msg_security_struct *msec;
5354 struct common_audit_data ad;
5355 u32 sid = task_sid(target);
5358 isec = msq->q_perm.security;
5359 msec = msg->security;
5361 ad.type = LSM_AUDIT_DATA_IPC;
5362 ad.u.ipc_id = msq->q_perm.key;
5364 rc = avc_has_perm(sid, isec->sid,
5365 SECCLASS_MSGQ, MSGQ__READ, &ad);
5367 rc = avc_has_perm(sid, msec->sid,
5368 SECCLASS_MSG, MSG__RECEIVE, &ad);
5372 /* Shared Memory security operations */
5373 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5375 struct ipc_security_struct *isec;
5376 struct common_audit_data ad;
5377 u32 sid = current_sid();
5380 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5384 isec = shp->shm_perm.security;
5386 ad.type = LSM_AUDIT_DATA_IPC;
5387 ad.u.ipc_id = shp->shm_perm.key;
5389 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5392 ipc_free_security(&shp->shm_perm);
5398 static void selinux_shm_free_security(struct shmid_kernel *shp)
5400 ipc_free_security(&shp->shm_perm);
5403 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5405 struct ipc_security_struct *isec;
5406 struct common_audit_data ad;
5407 u32 sid = current_sid();
5409 isec = shp->shm_perm.security;
5411 ad.type = LSM_AUDIT_DATA_IPC;
5412 ad.u.ipc_id = shp->shm_perm.key;
5414 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5415 SHM__ASSOCIATE, &ad);
5418 /* Note, at this point, shp is locked down */
5419 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5427 /* No specific object, just general system-wide information. */
5428 return task_has_system(current, SYSTEM__IPC_INFO);
5431 perms = SHM__GETATTR | SHM__ASSOCIATE;
5434 perms = SHM__SETATTR;
5441 perms = SHM__DESTROY;
5447 err = ipc_has_perm(&shp->shm_perm, perms);
5451 static int selinux_shm_shmat(struct shmid_kernel *shp,
5452 char __user *shmaddr, int shmflg)
5456 if (shmflg & SHM_RDONLY)
5459 perms = SHM__READ | SHM__WRITE;
5461 return ipc_has_perm(&shp->shm_perm, perms);
5464 /* Semaphore security operations */
5465 static int selinux_sem_alloc_security(struct sem_array *sma)
5467 struct ipc_security_struct *isec;
5468 struct common_audit_data ad;
5469 u32 sid = current_sid();
5472 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5476 isec = sma->sem_perm.security;
5478 ad.type = LSM_AUDIT_DATA_IPC;
5479 ad.u.ipc_id = sma->sem_perm.key;
5481 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5484 ipc_free_security(&sma->sem_perm);
5490 static void selinux_sem_free_security(struct sem_array *sma)
5492 ipc_free_security(&sma->sem_perm);
5495 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5497 struct ipc_security_struct *isec;
5498 struct common_audit_data ad;
5499 u32 sid = current_sid();
5501 isec = sma->sem_perm.security;
5503 ad.type = LSM_AUDIT_DATA_IPC;
5504 ad.u.ipc_id = sma->sem_perm.key;
5506 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5507 SEM__ASSOCIATE, &ad);
5510 /* Note, at this point, sma is locked down */
5511 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5519 /* No specific object, just general system-wide information. */
5520 return task_has_system(current, SYSTEM__IPC_INFO);
5524 perms = SEM__GETATTR;
5535 perms = SEM__DESTROY;
5538 perms = SEM__SETATTR;
5542 perms = SEM__GETATTR | SEM__ASSOCIATE;
5548 err = ipc_has_perm(&sma->sem_perm, perms);
5552 static int selinux_sem_semop(struct sem_array *sma,
5553 struct sembuf *sops, unsigned nsops, int alter)
5558 perms = SEM__READ | SEM__WRITE;
5562 return ipc_has_perm(&sma->sem_perm, perms);
5565 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5571 av |= IPC__UNIX_READ;
5573 av |= IPC__UNIX_WRITE;
5578 return ipc_has_perm(ipcp, av);
5581 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5583 struct ipc_security_struct *isec = ipcp->security;
5587 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5590 inode_doinit_with_dentry(inode, dentry);
5593 static int selinux_getprocattr(struct task_struct *p,
5594 char *name, char **value)
5596 const struct task_security_struct *__tsec;
5602 error = current_has_perm(p, PROCESS__GETATTR);
5608 __tsec = __task_cred(p)->security;
5610 if (!strcmp(name, "current"))
5612 else if (!strcmp(name, "prev"))
5614 else if (!strcmp(name, "exec"))
5615 sid = __tsec->exec_sid;
5616 else if (!strcmp(name, "fscreate"))
5617 sid = __tsec->create_sid;
5618 else if (!strcmp(name, "keycreate"))
5619 sid = __tsec->keycreate_sid;
5620 else if (!strcmp(name, "sockcreate"))
5621 sid = __tsec->sockcreate_sid;
5629 error = security_sid_to_context(sid, value, &len);
5639 static int selinux_setprocattr(struct task_struct *p,
5640 char *name, void *value, size_t size)
5642 struct task_security_struct *tsec;
5643 struct task_struct *tracer;
5650 /* SELinux only allows a process to change its own
5651 security attributes. */
5656 * Basic control over ability to set these attributes at all.
5657 * current == p, but we'll pass them separately in case the
5658 * above restriction is ever removed.
5660 if (!strcmp(name, "exec"))
5661 error = current_has_perm(p, PROCESS__SETEXEC);
5662 else if (!strcmp(name, "fscreate"))
5663 error = current_has_perm(p, PROCESS__SETFSCREATE);
5664 else if (!strcmp(name, "keycreate"))
5665 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5666 else if (!strcmp(name, "sockcreate"))
5667 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5668 else if (!strcmp(name, "current"))
5669 error = current_has_perm(p, PROCESS__SETCURRENT);
5675 /* Obtain a SID for the context, if one was specified. */
5676 if (size && str[1] && str[1] != '\n') {
5677 if (str[size-1] == '\n') {
5681 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5682 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5683 if (!capable(CAP_MAC_ADMIN)) {
5684 struct audit_buffer *ab;
5687 /* We strip a nul only if it is at the end, otherwise the
5688 * context contains a nul and we should audit that */
5689 if (str[size - 1] == '\0')
5690 audit_size = size - 1;
5693 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5694 audit_log_format(ab, "op=fscreate invalid_context=");
5695 audit_log_n_untrustedstring(ab, value, audit_size);
5700 error = security_context_to_sid_force(value, size,
5707 new = prepare_creds();
5711 /* Permission checking based on the specified context is
5712 performed during the actual operation (execve,
5713 open/mkdir/...), when we know the full context of the
5714 operation. See selinux_bprm_set_creds for the execve
5715 checks and may_create for the file creation checks. The
5716 operation will then fail if the context is not permitted. */
5717 tsec = new->security;
5718 if (!strcmp(name, "exec")) {
5719 tsec->exec_sid = sid;
5720 } else if (!strcmp(name, "fscreate")) {
5721 tsec->create_sid = sid;
5722 } else if (!strcmp(name, "keycreate")) {
5723 error = may_create_key(sid, p);
5726 tsec->keycreate_sid = sid;
5727 } else if (!strcmp(name, "sockcreate")) {
5728 tsec->sockcreate_sid = sid;
5729 } else if (!strcmp(name, "current")) {
5734 /* Only allow single threaded processes to change context */
5736 if (!current_is_single_threaded()) {
5737 error = security_bounded_transition(tsec->sid, sid);
5742 /* Check permissions for the transition. */
5743 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5744 PROCESS__DYNTRANSITION, NULL);
5748 /* Check for ptracing, and update the task SID if ok.
5749 Otherwise, leave SID unchanged and fail. */
5752 tracer = ptrace_parent(p);
5754 ptsid = task_sid(tracer);
5758 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5759 PROCESS__PTRACE, NULL);
5778 static int selinux_ismaclabel(const char *name)
5780 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5783 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5785 return security_sid_to_context(secid, secdata, seclen);
5788 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5790 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5793 static void selinux_release_secctx(char *secdata, u32 seclen)
5799 * called with inode->i_mutex locked
5801 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5803 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5807 * called with inode->i_mutex locked
5809 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5811 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5814 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5817 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5826 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5827 unsigned long flags)
5829 const struct task_security_struct *tsec;
5830 struct key_security_struct *ksec;
5832 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5836 tsec = cred->security;
5837 if (tsec->keycreate_sid)
5838 ksec->sid = tsec->keycreate_sid;
5840 ksec->sid = tsec->sid;
5846 static void selinux_key_free(struct key *k)
5848 struct key_security_struct *ksec = k->security;
5854 static int selinux_key_permission(key_ref_t key_ref,
5855 const struct cred *cred,
5859 struct key_security_struct *ksec;
5862 /* if no specific permissions are requested, we skip the
5863 permission check. No serious, additional covert channels
5864 appear to be created. */
5868 sid = cred_sid(cred);
5870 key = key_ref_to_ptr(key_ref);
5871 ksec = key->security;
5873 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5876 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5878 struct key_security_struct *ksec = key->security;
5879 char *context = NULL;
5883 rc = security_sid_to_context(ksec->sid, &context, &len);
5892 static struct security_hook_list selinux_hooks[] = {
5893 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
5894 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
5895 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
5896 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
5898 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
5899 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
5900 LSM_HOOK_INIT(capget, selinux_capget),
5901 LSM_HOOK_INIT(capset, selinux_capset),
5902 LSM_HOOK_INIT(capable, selinux_capable),
5903 LSM_HOOK_INIT(quotactl, selinux_quotactl),
5904 LSM_HOOK_INIT(quota_on, selinux_quota_on),
5905 LSM_HOOK_INIT(syslog, selinux_syslog),
5906 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
5908 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
5910 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
5911 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
5912 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
5913 LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
5915 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
5916 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
5917 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
5918 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
5919 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
5920 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
5921 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
5922 LSM_HOOK_INIT(sb_mount, selinux_mount),
5923 LSM_HOOK_INIT(sb_umount, selinux_umount),
5924 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
5925 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
5926 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
5928 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
5930 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
5931 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
5932 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
5933 LSM_HOOK_INIT(inode_create, selinux_inode_create),
5934 LSM_HOOK_INIT(inode_link, selinux_inode_link),
5935 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
5936 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
5937 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
5938 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
5939 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
5940 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
5941 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
5942 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
5943 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
5944 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
5945 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
5946 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
5947 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
5948 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
5949 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
5950 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
5951 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
5952 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
5953 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
5954 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
5956 LSM_HOOK_INIT(file_permission, selinux_file_permission),
5957 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
5958 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
5959 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
5960 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
5961 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
5962 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
5963 LSM_HOOK_INIT(file_lock, selinux_file_lock),
5964 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
5965 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
5966 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
5967 LSM_HOOK_INIT(file_receive, selinux_file_receive),
5969 LSM_HOOK_INIT(file_open, selinux_file_open),
5971 LSM_HOOK_INIT(task_create, selinux_task_create),
5972 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
5973 LSM_HOOK_INIT(cred_free, selinux_cred_free),
5974 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
5975 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
5976 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
5977 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
5978 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
5979 LSM_HOOK_INIT(kernel_module_from_file, selinux_kernel_module_from_file),
5980 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
5981 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
5982 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
5983 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
5984 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
5985 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
5986 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
5987 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
5988 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
5989 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
5990 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
5991 LSM_HOOK_INIT(task_kill, selinux_task_kill),
5992 LSM_HOOK_INIT(task_wait, selinux_task_wait),
5993 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
5995 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
5996 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
5998 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
5999 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6001 LSM_HOOK_INIT(msg_queue_alloc_security,
6002 selinux_msg_queue_alloc_security),
6003 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6004 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6005 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6006 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6007 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6009 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6010 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6011 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6012 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6013 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6015 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6016 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6017 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6018 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6019 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6021 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6023 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6024 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6026 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6027 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6028 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6029 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6030 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6031 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6032 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6034 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6035 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6037 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6038 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6039 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6040 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6041 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6042 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6043 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6044 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6045 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6046 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6047 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6048 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6049 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6050 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6051 LSM_HOOK_INIT(socket_getpeersec_stream,
6052 selinux_socket_getpeersec_stream),
6053 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6054 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6055 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6056 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6057 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6058 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6059 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6060 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6061 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6062 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6063 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6064 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6065 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6066 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6067 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6068 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6069 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6070 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6071 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6073 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6074 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6075 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6076 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6077 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6078 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6079 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6080 selinux_xfrm_state_alloc_acquire),
6081 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6082 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6083 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6084 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6085 selinux_xfrm_state_pol_flow_match),
6086 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6090 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6091 LSM_HOOK_INIT(key_free, selinux_key_free),
6092 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6093 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6097 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6098 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6099 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6100 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6104 static __init int selinux_init(void)
6106 if (!security_module_enable("selinux")) {
6107 selinux_enabled = 0;
6111 if (!selinux_enabled) {
6112 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6116 printk(KERN_INFO "SELinux: Initializing.\n");
6118 /* Set the security state for the initial task. */
6119 cred_init_security();
6121 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6123 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6124 sizeof(struct inode_security_struct),
6125 0, SLAB_PANIC, NULL);
6126 file_security_cache = kmem_cache_create("selinux_file_security",
6127 sizeof(struct file_security_struct),
6128 0, SLAB_PANIC, NULL);
6131 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6133 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6134 panic("SELinux: Unable to register AVC netcache callback\n");
6136 if (selinux_enforcing)
6137 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6139 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6144 static void delayed_superblock_init(struct super_block *sb, void *unused)
6146 superblock_doinit(sb, NULL);
6149 void selinux_complete_init(void)
6151 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6153 /* Set up any superblocks initialized prior to the policy load. */
6154 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6155 iterate_supers(delayed_superblock_init, NULL);
6158 /* SELinux requires early initialization in order to label
6159 all processes and objects when they are created. */
6160 security_initcall(selinux_init);
6162 #if defined(CONFIG_NETFILTER)
6164 static struct nf_hook_ops selinux_nf_ops[] = {
6166 .hook = selinux_ipv4_postroute,
6168 .hooknum = NF_INET_POST_ROUTING,
6169 .priority = NF_IP_PRI_SELINUX_LAST,
6172 .hook = selinux_ipv4_forward,
6174 .hooknum = NF_INET_FORWARD,
6175 .priority = NF_IP_PRI_SELINUX_FIRST,
6178 .hook = selinux_ipv4_output,
6180 .hooknum = NF_INET_LOCAL_OUT,
6181 .priority = NF_IP_PRI_SELINUX_FIRST,
6183 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6185 .hook = selinux_ipv6_postroute,
6187 .hooknum = NF_INET_POST_ROUTING,
6188 .priority = NF_IP6_PRI_SELINUX_LAST,
6191 .hook = selinux_ipv6_forward,
6193 .hooknum = NF_INET_FORWARD,
6194 .priority = NF_IP6_PRI_SELINUX_FIRST,
6199 static int __init selinux_nf_ip_init(void)
6203 if (!selinux_enabled)
6206 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6208 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6210 panic("SELinux: nf_register_hooks: error %d\n", err);
6215 __initcall(selinux_nf_ip_init);
6217 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6218 static void selinux_nf_ip_exit(void)
6220 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6222 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6226 #else /* CONFIG_NETFILTER */
6228 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6229 #define selinux_nf_ip_exit()
6232 #endif /* CONFIG_NETFILTER */
6234 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6235 static int selinux_disabled;
6237 int selinux_disable(void)
6239 if (ss_initialized) {
6240 /* Not permitted after initial policy load. */
6244 if (selinux_disabled) {
6245 /* Only do this once. */
6249 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6251 selinux_disabled = 1;
6252 selinux_enabled = 0;
6254 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6256 /* Try to destroy the avc node cache */
6259 /* Unregister netfilter hooks. */
6260 selinux_nf_ip_exit();
6262 /* Unregister selinuxfs. */