2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
53 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h> /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/quota.h>
70 #include <linux/un.h> /* for Unix socket types */
71 #include <net/af_unix.h> /* for Unix socket types */
72 #include <linux/parser.h>
73 #include <linux/nfs_mount.h>
75 #include <linux/hugetlb.h>
76 #include <linux/personality.h>
77 #include <linux/audit.h>
78 #include <linux/string.h>
79 #include <linux/selinux.h>
80 #include <linux/mutex.h>
81 #include <linux/posix-timers.h>
82 #include <linux/syslog.h>
83 #include <linux/user_namespace.h>
84 #include <linux/export.h>
85 #include <linux/msg.h>
86 #include <linux/shm.h>
98 #define NUM_SEL_MNT_OPTS 5
100 extern struct security_operations *security_ops;
102 /* SECMARK reference count */
103 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
105 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
106 int selinux_enforcing;
108 static int __init enforcing_setup(char *str)
110 unsigned long enforcing;
111 if (!strict_strtoul(str, 0, &enforcing))
112 selinux_enforcing = enforcing ? 1 : 0;
115 __setup("enforcing=", enforcing_setup);
118 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
119 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
121 static int __init selinux_enabled_setup(char *str)
123 unsigned long enabled;
124 if (!strict_strtoul(str, 0, &enabled))
125 selinux_enabled = enabled ? 1 : 0;
128 __setup("selinux=", selinux_enabled_setup);
130 int selinux_enabled = 1;
133 static struct kmem_cache *sel_inode_cache;
136 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
139 * This function checks the SECMARK reference counter to see if any SECMARK
140 * targets are currently configured, if the reference counter is greater than
141 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
142 * enabled, false (0) if SECMARK is disabled.
145 static int selinux_secmark_enabled(void)
147 return (atomic_read(&selinux_secmark_refcount) > 0);
151 * initialise the security for the init task
153 static void cred_init_security(void)
155 struct cred *cred = (struct cred *) current->real_cred;
156 struct task_security_struct *tsec;
158 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
160 panic("SELinux: Failed to initialize initial task.\n");
162 tsec->osid = tsec->sid = SECINITSID_KERNEL;
163 cred->security = tsec;
167 * get the security ID of a set of credentials
169 static inline u32 cred_sid(const struct cred *cred)
171 const struct task_security_struct *tsec;
173 tsec = cred->security;
178 * get the objective security ID of a task
180 static inline u32 task_sid(const struct task_struct *task)
185 sid = cred_sid(__task_cred(task));
191 * get the subjective security ID of the current task
193 static inline u32 current_sid(void)
195 const struct task_security_struct *tsec = current_security();
200 /* Allocate and free functions for each kind of security blob. */
202 static int inode_alloc_security(struct inode *inode)
204 struct inode_security_struct *isec;
205 u32 sid = current_sid();
207 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
211 mutex_init(&isec->lock);
212 INIT_LIST_HEAD(&isec->list);
214 isec->sid = SECINITSID_UNLABELED;
215 isec->sclass = SECCLASS_FILE;
216 isec->task_sid = sid;
217 inode->i_security = isec;
222 static void inode_free_rcu(struct rcu_head *head)
224 struct inode_security_struct *isec;
226 isec = container_of(head, struct inode_security_struct, rcu);
227 kmem_cache_free(sel_inode_cache, isec);
230 static void inode_free_security(struct inode *inode)
232 struct inode_security_struct *isec = inode->i_security;
233 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
235 spin_lock(&sbsec->isec_lock);
236 if (!list_empty(&isec->list))
237 list_del_init(&isec->list);
238 spin_unlock(&sbsec->isec_lock);
241 * The inode may still be referenced in a path walk and
242 * a call to selinux_inode_permission() can be made
243 * after inode_free_security() is called. Ideally, the VFS
244 * wouldn't do this, but fixing that is a much harder
245 * job. For now, simply free the i_security via RCU, and
246 * leave the current inode->i_security pointer intact.
247 * The inode will be freed after the RCU grace period too.
249 call_rcu(&isec->rcu, inode_free_rcu);
252 static int file_alloc_security(struct file *file)
254 struct file_security_struct *fsec;
255 u32 sid = current_sid();
257 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
262 fsec->fown_sid = sid;
263 file->f_security = fsec;
268 static void file_free_security(struct file *file)
270 struct file_security_struct *fsec = file->f_security;
271 file->f_security = NULL;
275 static int superblock_alloc_security(struct super_block *sb)
277 struct superblock_security_struct *sbsec;
279 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
283 mutex_init(&sbsec->lock);
284 INIT_LIST_HEAD(&sbsec->isec_head);
285 spin_lock_init(&sbsec->isec_lock);
287 sbsec->sid = SECINITSID_UNLABELED;
288 sbsec->def_sid = SECINITSID_FILE;
289 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
290 sb->s_security = sbsec;
295 static void superblock_free_security(struct super_block *sb)
297 struct superblock_security_struct *sbsec = sb->s_security;
298 sb->s_security = NULL;
302 /* The file system's label must be initialized prior to use. */
304 static const char *labeling_behaviors[6] = {
306 "uses transition SIDs",
308 "uses genfs_contexts",
309 "not configured for labeling",
310 "uses mountpoint labeling",
313 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
315 static inline int inode_doinit(struct inode *inode)
317 return inode_doinit_with_dentry(inode, NULL);
326 Opt_labelsupport = 5,
329 static const match_table_t tokens = {
330 {Opt_context, CONTEXT_STR "%s"},
331 {Opt_fscontext, FSCONTEXT_STR "%s"},
332 {Opt_defcontext, DEFCONTEXT_STR "%s"},
333 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
334 {Opt_labelsupport, LABELSUPP_STR},
338 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
340 static int may_context_mount_sb_relabel(u32 sid,
341 struct superblock_security_struct *sbsec,
342 const struct cred *cred)
344 const struct task_security_struct *tsec = cred->security;
347 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELFROM, NULL);
352 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
353 FILESYSTEM__RELABELTO, NULL);
357 static int may_context_mount_inode_relabel(u32 sid,
358 struct superblock_security_struct *sbsec,
359 const struct cred *cred)
361 const struct task_security_struct *tsec = cred->security;
363 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
364 FILESYSTEM__RELABELFROM, NULL);
368 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
369 FILESYSTEM__ASSOCIATE, NULL);
373 static int sb_finish_set_opts(struct super_block *sb)
375 struct superblock_security_struct *sbsec = sb->s_security;
376 struct dentry *root = sb->s_root;
377 struct inode *root_inode = root->d_inode;
380 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
381 /* Make sure that the xattr handler exists and that no
382 error other than -ENODATA is returned by getxattr on
383 the root directory. -ENODATA is ok, as this may be
384 the first boot of the SELinux kernel before we have
385 assigned xattr values to the filesystem. */
386 if (!root_inode->i_op->getxattr) {
387 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
388 "xattr support\n", sb->s_id, sb->s_type->name);
392 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
393 if (rc < 0 && rc != -ENODATA) {
394 if (rc == -EOPNOTSUPP)
395 printk(KERN_WARNING "SELinux: (dev %s, type "
396 "%s) has no security xattr handler\n",
397 sb->s_id, sb->s_type->name);
399 printk(KERN_WARNING "SELinux: (dev %s, type "
400 "%s) getxattr errno %d\n", sb->s_id,
401 sb->s_type->name, -rc);
406 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
408 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
409 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
410 sb->s_id, sb->s_type->name);
412 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
413 sb->s_id, sb->s_type->name,
414 labeling_behaviors[sbsec->behavior-1]);
416 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
417 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
418 sbsec->behavior == SECURITY_FS_USE_NONE ||
419 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
420 sbsec->flags &= ~SE_SBLABELSUPP;
422 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
423 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
424 sbsec->flags |= SE_SBLABELSUPP;
426 /* Initialize the root inode. */
427 rc = inode_doinit_with_dentry(root_inode, root);
429 /* Initialize any other inodes associated with the superblock, e.g.
430 inodes created prior to initial policy load or inodes created
431 during get_sb by a pseudo filesystem that directly
433 spin_lock(&sbsec->isec_lock);
435 if (!list_empty(&sbsec->isec_head)) {
436 struct inode_security_struct *isec =
437 list_entry(sbsec->isec_head.next,
438 struct inode_security_struct, list);
439 struct inode *inode = isec->inode;
440 spin_unlock(&sbsec->isec_lock);
441 inode = igrab(inode);
443 if (!IS_PRIVATE(inode))
447 spin_lock(&sbsec->isec_lock);
448 list_del_init(&isec->list);
451 spin_unlock(&sbsec->isec_lock);
457 * This function should allow an FS to ask what it's mount security
458 * options were so it can use those later for submounts, displaying
459 * mount options, or whatever.
461 static int selinux_get_mnt_opts(const struct super_block *sb,
462 struct security_mnt_opts *opts)
465 struct superblock_security_struct *sbsec = sb->s_security;
466 char *context = NULL;
470 security_init_mnt_opts(opts);
472 if (!(sbsec->flags & SE_SBINITIALIZED))
478 tmp = sbsec->flags & SE_MNTMASK;
479 /* count the number of mount options for this sb */
480 for (i = 0; i < 8; i++) {
482 opts->num_mnt_opts++;
485 /* Check if the Label support flag is set */
486 if (sbsec->flags & SE_SBLABELSUPP)
487 opts->num_mnt_opts++;
489 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
490 if (!opts->mnt_opts) {
495 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
496 if (!opts->mnt_opts_flags) {
502 if (sbsec->flags & FSCONTEXT_MNT) {
503 rc = security_sid_to_context(sbsec->sid, &context, &len);
506 opts->mnt_opts[i] = context;
507 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
509 if (sbsec->flags & CONTEXT_MNT) {
510 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
513 opts->mnt_opts[i] = context;
514 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
516 if (sbsec->flags & DEFCONTEXT_MNT) {
517 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
520 opts->mnt_opts[i] = context;
521 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
523 if (sbsec->flags & ROOTCONTEXT_MNT) {
524 struct inode *root = sbsec->sb->s_root->d_inode;
525 struct inode_security_struct *isec = root->i_security;
527 rc = security_sid_to_context(isec->sid, &context, &len);
530 opts->mnt_opts[i] = context;
531 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
533 if (sbsec->flags & SE_SBLABELSUPP) {
534 opts->mnt_opts[i] = NULL;
535 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
538 BUG_ON(i != opts->num_mnt_opts);
543 security_free_mnt_opts(opts);
547 static int bad_option(struct superblock_security_struct *sbsec, char flag,
548 u32 old_sid, u32 new_sid)
550 char mnt_flags = sbsec->flags & SE_MNTMASK;
552 /* check if the old mount command had the same options */
553 if (sbsec->flags & SE_SBINITIALIZED)
554 if (!(sbsec->flags & flag) ||
555 (old_sid != new_sid))
558 /* check if we were passed the same options twice,
559 * aka someone passed context=a,context=b
561 if (!(sbsec->flags & SE_SBINITIALIZED))
562 if (mnt_flags & flag)
568 * Allow filesystems with binary mount data to explicitly set mount point
569 * labeling information.
571 static int selinux_set_mnt_opts(struct super_block *sb,
572 struct security_mnt_opts *opts)
574 const struct cred *cred = current_cred();
576 struct superblock_security_struct *sbsec = sb->s_security;
577 const char *name = sb->s_type->name;
578 struct inode *inode = sbsec->sb->s_root->d_inode;
579 struct inode_security_struct *root_isec = inode->i_security;
580 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
581 u32 defcontext_sid = 0;
582 char **mount_options = opts->mnt_opts;
583 int *flags = opts->mnt_opts_flags;
584 int num_opts = opts->num_mnt_opts;
586 mutex_lock(&sbsec->lock);
588 if (!ss_initialized) {
590 /* Defer initialization until selinux_complete_init,
591 after the initial policy is loaded and the security
592 server is ready to handle calls. */
596 printk(KERN_WARNING "SELinux: Unable to set superblock options "
597 "before the security server is initialized\n");
602 * Binary mount data FS will come through this function twice. Once
603 * from an explicit call and once from the generic calls from the vfs.
604 * Since the generic VFS calls will not contain any security mount data
605 * we need to skip the double mount verification.
607 * This does open a hole in which we will not notice if the first
608 * mount using this sb set explict options and a second mount using
609 * this sb does not set any security options. (The first options
610 * will be used for both mounts)
612 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
617 * parse the mount options, check if they are valid sids.
618 * also check if someone is trying to mount the same sb more
619 * than once with different security options.
621 for (i = 0; i < num_opts; i++) {
624 if (flags[i] == SE_SBLABELSUPP)
626 rc = security_context_to_sid(mount_options[i],
627 strlen(mount_options[i]), &sid);
629 printk(KERN_WARNING "SELinux: security_context_to_sid"
630 "(%s) failed for (dev %s, type %s) errno=%d\n",
631 mount_options[i], sb->s_id, name, rc);
638 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
640 goto out_double_mount;
642 sbsec->flags |= FSCONTEXT_MNT;
647 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
649 goto out_double_mount;
651 sbsec->flags |= CONTEXT_MNT;
653 case ROOTCONTEXT_MNT:
654 rootcontext_sid = sid;
656 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
658 goto out_double_mount;
660 sbsec->flags |= ROOTCONTEXT_MNT;
664 defcontext_sid = sid;
666 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
668 goto out_double_mount;
670 sbsec->flags |= DEFCONTEXT_MNT;
679 if (sbsec->flags & SE_SBINITIALIZED) {
680 /* previously mounted with options, but not on this attempt? */
681 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
682 goto out_double_mount;
687 if (strcmp(sb->s_type->name, "proc") == 0)
688 sbsec->flags |= SE_SBPROC;
690 /* Determine the labeling behavior to use for this filesystem type. */
691 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
693 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
694 __func__, sb->s_type->name, rc);
698 /* sets the context of the superblock for the fs being mounted. */
700 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
704 sbsec->sid = fscontext_sid;
708 * Switch to using mount point labeling behavior.
709 * sets the label used on all file below the mountpoint, and will set
710 * the superblock context if not already set.
713 if (!fscontext_sid) {
714 rc = may_context_mount_sb_relabel(context_sid, sbsec,
718 sbsec->sid = context_sid;
720 rc = may_context_mount_inode_relabel(context_sid, sbsec,
725 if (!rootcontext_sid)
726 rootcontext_sid = context_sid;
728 sbsec->mntpoint_sid = context_sid;
729 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
732 if (rootcontext_sid) {
733 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
738 root_isec->sid = rootcontext_sid;
739 root_isec->initialized = 1;
742 if (defcontext_sid) {
743 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
745 printk(KERN_WARNING "SELinux: defcontext option is "
746 "invalid for this filesystem type\n");
750 if (defcontext_sid != sbsec->def_sid) {
751 rc = may_context_mount_inode_relabel(defcontext_sid,
757 sbsec->def_sid = defcontext_sid;
760 rc = sb_finish_set_opts(sb);
762 mutex_unlock(&sbsec->lock);
766 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
767 "security settings for (dev %s, type %s)\n", sb->s_id, name);
771 static int selinux_cmp_sb_context(const struct super_block *oldsb,
772 const struct super_block *newsb)
774 struct superblock_security_struct *old = oldsb->s_security;
775 struct superblock_security_struct *new = newsb->s_security;
776 char oldflags = old->flags & SE_MNTMASK;
777 char newflags = new->flags & SE_MNTMASK;
779 if (oldflags != newflags)
781 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
783 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
785 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
787 if (oldflags & ROOTCONTEXT_MNT) {
788 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
789 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
790 if (oldroot->sid != newroot->sid)
795 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
796 "different security settings for (dev %s, "
797 "type %s)\n", newsb->s_id, newsb->s_type->name);
801 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
802 struct super_block *newsb)
804 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
805 struct superblock_security_struct *newsbsec = newsb->s_security;
807 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
808 int set_context = (oldsbsec->flags & CONTEXT_MNT);
809 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
812 * if the parent was able to be mounted it clearly had no special lsm
813 * mount options. thus we can safely deal with this superblock later
818 /* how can we clone if the old one wasn't set up?? */
819 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
821 /* if fs is reusing a sb, make sure that the contexts match */
822 if (newsbsec->flags & SE_SBINITIALIZED)
823 return selinux_cmp_sb_context(oldsb, newsb);
825 mutex_lock(&newsbsec->lock);
827 newsbsec->flags = oldsbsec->flags;
829 newsbsec->sid = oldsbsec->sid;
830 newsbsec->def_sid = oldsbsec->def_sid;
831 newsbsec->behavior = oldsbsec->behavior;
834 u32 sid = oldsbsec->mntpoint_sid;
838 if (!set_rootcontext) {
839 struct inode *newinode = newsb->s_root->d_inode;
840 struct inode_security_struct *newisec = newinode->i_security;
843 newsbsec->mntpoint_sid = sid;
845 if (set_rootcontext) {
846 const struct inode *oldinode = oldsb->s_root->d_inode;
847 const struct inode_security_struct *oldisec = oldinode->i_security;
848 struct inode *newinode = newsb->s_root->d_inode;
849 struct inode_security_struct *newisec = newinode->i_security;
851 newisec->sid = oldisec->sid;
854 sb_finish_set_opts(newsb);
855 mutex_unlock(&newsbsec->lock);
859 static int selinux_parse_opts_str(char *options,
860 struct security_mnt_opts *opts)
863 char *context = NULL, *defcontext = NULL;
864 char *fscontext = NULL, *rootcontext = NULL;
865 int rc, num_mnt_opts = 0;
867 opts->num_mnt_opts = 0;
869 /* Standard string-based options. */
870 while ((p = strsep(&options, "|")) != NULL) {
872 substring_t args[MAX_OPT_ARGS];
877 token = match_token(p, tokens, args);
881 if (context || defcontext) {
883 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
886 context = match_strdup(&args[0]);
896 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
899 fscontext = match_strdup(&args[0]);
906 case Opt_rootcontext:
909 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
912 rootcontext = match_strdup(&args[0]);
920 if (context || defcontext) {
922 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
925 defcontext = match_strdup(&args[0]);
931 case Opt_labelsupport:
935 printk(KERN_WARNING "SELinux: unknown mount option\n");
942 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
946 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
947 if (!opts->mnt_opts_flags) {
948 kfree(opts->mnt_opts);
953 opts->mnt_opts[num_mnt_opts] = fscontext;
954 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
957 opts->mnt_opts[num_mnt_opts] = context;
958 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
961 opts->mnt_opts[num_mnt_opts] = rootcontext;
962 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
965 opts->mnt_opts[num_mnt_opts] = defcontext;
966 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
969 opts->num_mnt_opts = num_mnt_opts;
980 * string mount options parsing and call set the sbsec
982 static int superblock_doinit(struct super_block *sb, void *data)
985 char *options = data;
986 struct security_mnt_opts opts;
988 security_init_mnt_opts(&opts);
993 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
995 rc = selinux_parse_opts_str(options, &opts);
1000 rc = selinux_set_mnt_opts(sb, &opts);
1003 security_free_mnt_opts(&opts);
1007 static void selinux_write_opts(struct seq_file *m,
1008 struct security_mnt_opts *opts)
1013 for (i = 0; i < opts->num_mnt_opts; i++) {
1016 if (opts->mnt_opts[i])
1017 has_comma = strchr(opts->mnt_opts[i], ',');
1021 switch (opts->mnt_opts_flags[i]) {
1023 prefix = CONTEXT_STR;
1026 prefix = FSCONTEXT_STR;
1028 case ROOTCONTEXT_MNT:
1029 prefix = ROOTCONTEXT_STR;
1031 case DEFCONTEXT_MNT:
1032 prefix = DEFCONTEXT_STR;
1034 case SE_SBLABELSUPP:
1036 seq_puts(m, LABELSUPP_STR);
1042 /* we need a comma before each option */
1044 seq_puts(m, prefix);
1047 seq_puts(m, opts->mnt_opts[i]);
1053 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1055 struct security_mnt_opts opts;
1058 rc = selinux_get_mnt_opts(sb, &opts);
1060 /* before policy load we may get EINVAL, don't show anything */
1066 selinux_write_opts(m, &opts);
1068 security_free_mnt_opts(&opts);
1073 static inline u16 inode_mode_to_security_class(umode_t mode)
1075 switch (mode & S_IFMT) {
1077 return SECCLASS_SOCK_FILE;
1079 return SECCLASS_LNK_FILE;
1081 return SECCLASS_FILE;
1083 return SECCLASS_BLK_FILE;
1085 return SECCLASS_DIR;
1087 return SECCLASS_CHR_FILE;
1089 return SECCLASS_FIFO_FILE;
1093 return SECCLASS_FILE;
1096 static inline int default_protocol_stream(int protocol)
1098 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1101 static inline int default_protocol_dgram(int protocol)
1103 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1106 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1112 case SOCK_SEQPACKET:
1113 return SECCLASS_UNIX_STREAM_SOCKET;
1115 return SECCLASS_UNIX_DGRAM_SOCKET;
1122 if (default_protocol_stream(protocol))
1123 return SECCLASS_TCP_SOCKET;
1125 return SECCLASS_RAWIP_SOCKET;
1127 if (default_protocol_dgram(protocol))
1128 return SECCLASS_UDP_SOCKET;
1130 return SECCLASS_RAWIP_SOCKET;
1132 return SECCLASS_DCCP_SOCKET;
1134 return SECCLASS_RAWIP_SOCKET;
1140 return SECCLASS_NETLINK_ROUTE_SOCKET;
1141 case NETLINK_FIREWALL:
1142 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1143 case NETLINK_SOCK_DIAG:
1144 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1146 return SECCLASS_NETLINK_NFLOG_SOCKET;
1148 return SECCLASS_NETLINK_XFRM_SOCKET;
1149 case NETLINK_SELINUX:
1150 return SECCLASS_NETLINK_SELINUX_SOCKET;
1152 return SECCLASS_NETLINK_AUDIT_SOCKET;
1153 case NETLINK_IP6_FW:
1154 return SECCLASS_NETLINK_IP6FW_SOCKET;
1155 case NETLINK_DNRTMSG:
1156 return SECCLASS_NETLINK_DNRT_SOCKET;
1157 case NETLINK_KOBJECT_UEVENT:
1158 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1160 return SECCLASS_NETLINK_SOCKET;
1163 return SECCLASS_PACKET_SOCKET;
1165 return SECCLASS_KEY_SOCKET;
1167 return SECCLASS_APPLETALK_SOCKET;
1170 return SECCLASS_SOCKET;
1173 #ifdef CONFIG_PROC_FS
1174 static int selinux_proc_get_sid(struct dentry *dentry,
1179 char *buffer, *path;
1181 buffer = (char *)__get_free_page(GFP_KERNEL);
1185 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1189 /* each process gets a /proc/PID/ entry. Strip off the
1190 * PID part to get a valid selinux labeling.
1191 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1192 while (path[1] >= '0' && path[1] <= '9') {
1196 rc = security_genfs_sid("proc", path, tclass, sid);
1198 free_page((unsigned long)buffer);
1202 static int selinux_proc_get_sid(struct dentry *dentry,
1210 /* The inode's security attributes must be initialized before first use. */
1211 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1213 struct superblock_security_struct *sbsec = NULL;
1214 struct inode_security_struct *isec = inode->i_security;
1216 struct dentry *dentry;
1217 #define INITCONTEXTLEN 255
1218 char *context = NULL;
1222 if (isec->initialized)
1225 mutex_lock(&isec->lock);
1226 if (isec->initialized)
1229 sbsec = inode->i_sb->s_security;
1230 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1231 /* Defer initialization until selinux_complete_init,
1232 after the initial policy is loaded and the security
1233 server is ready to handle calls. */
1234 spin_lock(&sbsec->isec_lock);
1235 if (list_empty(&isec->list))
1236 list_add(&isec->list, &sbsec->isec_head);
1237 spin_unlock(&sbsec->isec_lock);
1241 switch (sbsec->behavior) {
1242 case SECURITY_FS_USE_XATTR:
1243 if (!inode->i_op->getxattr) {
1244 isec->sid = sbsec->def_sid;
1248 /* Need a dentry, since the xattr API requires one.
1249 Life would be simpler if we could just pass the inode. */
1251 /* Called from d_instantiate or d_splice_alias. */
1252 dentry = dget(opt_dentry);
1254 /* Called from selinux_complete_init, try to find a dentry. */
1255 dentry = d_find_alias(inode);
1259 * this is can be hit on boot when a file is accessed
1260 * before the policy is loaded. When we load policy we
1261 * may find inodes that have no dentry on the
1262 * sbsec->isec_head list. No reason to complain as these
1263 * will get fixed up the next time we go through
1264 * inode_doinit with a dentry, before these inodes could
1265 * be used again by userspace.
1270 len = INITCONTEXTLEN;
1271 context = kmalloc(len+1, GFP_NOFS);
1277 context[len] = '\0';
1278 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1280 if (rc == -ERANGE) {
1283 /* Need a larger buffer. Query for the right size. */
1284 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1291 context = kmalloc(len+1, GFP_NOFS);
1297 context[len] = '\0';
1298 rc = inode->i_op->getxattr(dentry,
1304 if (rc != -ENODATA) {
1305 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1306 "%d for dev=%s ino=%ld\n", __func__,
1307 -rc, inode->i_sb->s_id, inode->i_ino);
1311 /* Map ENODATA to the default file SID */
1312 sid = sbsec->def_sid;
1315 rc = security_context_to_sid_default(context, rc, &sid,
1319 char *dev = inode->i_sb->s_id;
1320 unsigned long ino = inode->i_ino;
1322 if (rc == -EINVAL) {
1323 if (printk_ratelimit())
1324 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1325 "context=%s. This indicates you may need to relabel the inode or the "
1326 "filesystem in question.\n", ino, dev, context);
1328 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1329 "returned %d for dev=%s ino=%ld\n",
1330 __func__, context, -rc, dev, ino);
1333 /* Leave with the unlabeled SID */
1341 case SECURITY_FS_USE_TASK:
1342 isec->sid = isec->task_sid;
1344 case SECURITY_FS_USE_TRANS:
1345 /* Default to the fs SID. */
1346 isec->sid = sbsec->sid;
1348 /* Try to obtain a transition SID. */
1349 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1350 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1351 isec->sclass, NULL, &sid);
1356 case SECURITY_FS_USE_MNTPOINT:
1357 isec->sid = sbsec->mntpoint_sid;
1360 /* Default to the fs superblock SID. */
1361 isec->sid = sbsec->sid;
1363 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1364 /* We must have a dentry to determine the label on
1367 /* Called from d_instantiate or
1368 * d_splice_alias. */
1369 dentry = dget(opt_dentry);
1371 /* Called from selinux_complete_init, try to
1373 dentry = d_find_alias(inode);
1375 * This can be hit on boot when a file is accessed
1376 * before the policy is loaded. When we load policy we
1377 * may find inodes that have no dentry on the
1378 * sbsec->isec_head list. No reason to complain as
1379 * these will get fixed up the next time we go through
1380 * inode_doinit() with a dentry, before these inodes
1381 * could be used again by userspace.
1385 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1386 rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
1395 isec->initialized = 1;
1398 mutex_unlock(&isec->lock);
1400 if (isec->sclass == SECCLASS_FILE)
1401 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1405 /* Convert a Linux signal to an access vector. */
1406 static inline u32 signal_to_av(int sig)
1412 /* Commonly granted from child to parent. */
1413 perm = PROCESS__SIGCHLD;
1416 /* Cannot be caught or ignored */
1417 perm = PROCESS__SIGKILL;
1420 /* Cannot be caught or ignored */
1421 perm = PROCESS__SIGSTOP;
1424 /* All other signals. */
1425 perm = PROCESS__SIGNAL;
1433 * Check permission between a pair of credentials
1434 * fork check, ptrace check, etc.
1436 static int cred_has_perm(const struct cred *actor,
1437 const struct cred *target,
1440 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1442 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1446 * Check permission between a pair of tasks, e.g. signal checks,
1447 * fork check, ptrace check, etc.
1448 * tsk1 is the actor and tsk2 is the target
1449 * - this uses the default subjective creds of tsk1
1451 static int task_has_perm(const struct task_struct *tsk1,
1452 const struct task_struct *tsk2,
1455 const struct task_security_struct *__tsec1, *__tsec2;
1459 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1460 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1462 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1466 * Check permission between current and another task, e.g. signal checks,
1467 * fork check, ptrace check, etc.
1468 * current is the actor and tsk2 is the target
1469 * - this uses current's subjective creds
1471 static int current_has_perm(const struct task_struct *tsk,
1476 sid = current_sid();
1477 tsid = task_sid(tsk);
1478 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1481 #if CAP_LAST_CAP > 63
1482 #error Fix SELinux to handle capabilities > 63.
1485 /* Check whether a task is allowed to use a capability. */
1486 static int cred_has_capability(const struct cred *cred,
1489 struct common_audit_data ad;
1490 struct av_decision avd;
1492 u32 sid = cred_sid(cred);
1493 u32 av = CAP_TO_MASK(cap);
1496 ad.type = LSM_AUDIT_DATA_CAP;
1499 switch (CAP_TO_INDEX(cap)) {
1501 sclass = SECCLASS_CAPABILITY;
1504 sclass = SECCLASS_CAPABILITY2;
1508 "SELinux: out of range capability %d\n", cap);
1513 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1514 if (audit == SECURITY_CAP_AUDIT) {
1515 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1522 /* Check whether a task is allowed to use a system operation. */
1523 static int task_has_system(struct task_struct *tsk,
1526 u32 sid = task_sid(tsk);
1528 return avc_has_perm(sid, SECINITSID_KERNEL,
1529 SECCLASS_SYSTEM, perms, NULL);
1532 /* Check whether a task has a particular permission to an inode.
1533 The 'adp' parameter is optional and allows other audit
1534 data to be passed (e.g. the dentry). */
1535 static int inode_has_perm(const struct cred *cred,
1536 struct inode *inode,
1538 struct common_audit_data *adp,
1541 struct inode_security_struct *isec;
1544 validate_creds(cred);
1546 if (unlikely(IS_PRIVATE(inode)))
1549 sid = cred_sid(cred);
1550 isec = inode->i_security;
1552 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1555 /* Same as inode_has_perm, but pass explicit audit data containing
1556 the dentry to help the auditing code to more easily generate the
1557 pathname if needed. */
1558 static inline int dentry_has_perm(const struct cred *cred,
1559 struct dentry *dentry,
1562 struct inode *inode = dentry->d_inode;
1563 struct common_audit_data ad;
1565 ad.type = LSM_AUDIT_DATA_DENTRY;
1566 ad.u.dentry = dentry;
1567 return inode_has_perm(cred, inode, av, &ad, 0);
1570 /* Same as inode_has_perm, but pass explicit audit data containing
1571 the path to help the auditing code to more easily generate the
1572 pathname if needed. */
1573 static inline int path_has_perm(const struct cred *cred,
1577 struct inode *inode = path->dentry->d_inode;
1578 struct common_audit_data ad;
1580 ad.type = LSM_AUDIT_DATA_PATH;
1582 return inode_has_perm(cred, inode, av, &ad, 0);
1585 /* Check whether a task can use an open file descriptor to
1586 access an inode in a given way. Check access to the
1587 descriptor itself, and then use dentry_has_perm to
1588 check a particular permission to the file.
1589 Access to the descriptor is implicitly granted if it
1590 has the same SID as the process. If av is zero, then
1591 access to the file is not checked, e.g. for cases
1592 where only the descriptor is affected like seek. */
1593 static int file_has_perm(const struct cred *cred,
1597 struct file_security_struct *fsec = file->f_security;
1598 struct inode *inode = file_inode(file);
1599 struct common_audit_data ad;
1600 u32 sid = cred_sid(cred);
1603 ad.type = LSM_AUDIT_DATA_PATH;
1604 ad.u.path = file->f_path;
1606 if (sid != fsec->sid) {
1607 rc = avc_has_perm(sid, fsec->sid,
1615 /* av is zero if only checking access to the descriptor. */
1618 rc = inode_has_perm(cred, inode, av, &ad, 0);
1624 /* Check whether a task can create a file. */
1625 static int may_create(struct inode *dir,
1626 struct dentry *dentry,
1629 const struct task_security_struct *tsec = current_security();
1630 struct inode_security_struct *dsec;
1631 struct superblock_security_struct *sbsec;
1633 struct common_audit_data ad;
1636 dsec = dir->i_security;
1637 sbsec = dir->i_sb->s_security;
1640 newsid = tsec->create_sid;
1642 ad.type = LSM_AUDIT_DATA_DENTRY;
1643 ad.u.dentry = dentry;
1645 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1646 DIR__ADD_NAME | DIR__SEARCH,
1651 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1652 rc = security_transition_sid(sid, dsec->sid, tclass,
1653 &dentry->d_name, &newsid);
1658 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1662 return avc_has_perm(newsid, sbsec->sid,
1663 SECCLASS_FILESYSTEM,
1664 FILESYSTEM__ASSOCIATE, &ad);
1667 /* Check whether a task can create a key. */
1668 static int may_create_key(u32 ksid,
1669 struct task_struct *ctx)
1671 u32 sid = task_sid(ctx);
1673 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1677 #define MAY_UNLINK 1
1680 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1681 static int may_link(struct inode *dir,
1682 struct dentry *dentry,
1686 struct inode_security_struct *dsec, *isec;
1687 struct common_audit_data ad;
1688 u32 sid = current_sid();
1692 dsec = dir->i_security;
1693 isec = dentry->d_inode->i_security;
1695 ad.type = LSM_AUDIT_DATA_DENTRY;
1696 ad.u.dentry = dentry;
1699 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1700 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1715 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1720 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1724 static inline int may_rename(struct inode *old_dir,
1725 struct dentry *old_dentry,
1726 struct inode *new_dir,
1727 struct dentry *new_dentry)
1729 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1730 struct common_audit_data ad;
1731 u32 sid = current_sid();
1733 int old_is_dir, new_is_dir;
1736 old_dsec = old_dir->i_security;
1737 old_isec = old_dentry->d_inode->i_security;
1738 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1739 new_dsec = new_dir->i_security;
1741 ad.type = LSM_AUDIT_DATA_DENTRY;
1743 ad.u.dentry = old_dentry;
1744 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1745 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1748 rc = avc_has_perm(sid, old_isec->sid,
1749 old_isec->sclass, FILE__RENAME, &ad);
1752 if (old_is_dir && new_dir != old_dir) {
1753 rc = avc_has_perm(sid, old_isec->sid,
1754 old_isec->sclass, DIR__REPARENT, &ad);
1759 ad.u.dentry = new_dentry;
1760 av = DIR__ADD_NAME | DIR__SEARCH;
1761 if (new_dentry->d_inode)
1762 av |= DIR__REMOVE_NAME;
1763 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1766 if (new_dentry->d_inode) {
1767 new_isec = new_dentry->d_inode->i_security;
1768 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1769 rc = avc_has_perm(sid, new_isec->sid,
1771 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1779 /* Check whether a task can perform a filesystem operation. */
1780 static int superblock_has_perm(const struct cred *cred,
1781 struct super_block *sb,
1783 struct common_audit_data *ad)
1785 struct superblock_security_struct *sbsec;
1786 u32 sid = cred_sid(cred);
1788 sbsec = sb->s_security;
1789 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1792 /* Convert a Linux mode and permission mask to an access vector. */
1793 static inline u32 file_mask_to_av(int mode, int mask)
1797 if (!S_ISDIR(mode)) {
1798 if (mask & MAY_EXEC)
1799 av |= FILE__EXECUTE;
1800 if (mask & MAY_READ)
1803 if (mask & MAY_APPEND)
1805 else if (mask & MAY_WRITE)
1809 if (mask & MAY_EXEC)
1811 if (mask & MAY_WRITE)
1813 if (mask & MAY_READ)
1820 /* Convert a Linux file to an access vector. */
1821 static inline u32 file_to_av(struct file *file)
1825 if (file->f_mode & FMODE_READ)
1827 if (file->f_mode & FMODE_WRITE) {
1828 if (file->f_flags & O_APPEND)
1835 * Special file opened with flags 3 for ioctl-only use.
1844 * Convert a file to an access vector and include the correct open
1847 static inline u32 open_file_to_av(struct file *file)
1849 u32 av = file_to_av(file);
1851 if (selinux_policycap_openperm)
1857 /* Hook functions begin here. */
1859 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1861 u32 mysid = current_sid();
1862 u32 mgrsid = task_sid(mgr);
1864 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, BINDER__SET_CONTEXT_MGR, NULL);
1867 static int selinux_binder_transaction(struct task_struct *from, struct task_struct *to)
1869 u32 mysid = current_sid();
1870 u32 fromsid = task_sid(from);
1871 u32 tosid = task_sid(to);
1874 if (mysid != fromsid) {
1875 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, BINDER__IMPERSONATE, NULL);
1880 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, NULL);
1883 static int selinux_binder_transfer_binder(struct task_struct *from, struct task_struct *to)
1885 u32 fromsid = task_sid(from);
1886 u32 tosid = task_sid(to);
1887 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, NULL);
1890 static int selinux_binder_transfer_file(struct task_struct *from, struct task_struct *to, struct file *file)
1892 u32 sid = task_sid(to);
1893 struct file_security_struct *fsec = file->f_security;
1894 struct inode *inode = file->f_path.dentry->d_inode;
1895 struct inode_security_struct *isec = inode->i_security;
1896 struct common_audit_data ad;
1897 struct selinux_audit_data sad = {0,};
1900 ad.type = LSM_AUDIT_DATA_PATH;
1901 ad.u.path = file->f_path;
1902 ad.selinux_audit_data = &sad;
1904 if (sid != fsec->sid) {
1905 rc = avc_has_perm(sid, fsec->sid,
1913 if (unlikely(IS_PRIVATE(inode)))
1916 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
1920 static int selinux_ptrace_access_check(struct task_struct *child,
1925 rc = cap_ptrace_access_check(child, mode);
1929 if (mode & PTRACE_MODE_READ) {
1930 u32 sid = current_sid();
1931 u32 csid = task_sid(child);
1932 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1935 return current_has_perm(child, PROCESS__PTRACE);
1938 static int selinux_ptrace_traceme(struct task_struct *parent)
1942 rc = cap_ptrace_traceme(parent);
1946 return task_has_perm(parent, current, PROCESS__PTRACE);
1949 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1950 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1954 error = current_has_perm(target, PROCESS__GETCAP);
1958 return cap_capget(target, effective, inheritable, permitted);
1961 static int selinux_capset(struct cred *new, const struct cred *old,
1962 const kernel_cap_t *effective,
1963 const kernel_cap_t *inheritable,
1964 const kernel_cap_t *permitted)
1968 error = cap_capset(new, old,
1969 effective, inheritable, permitted);
1973 return cred_has_perm(old, new, PROCESS__SETCAP);
1977 * (This comment used to live with the selinux_task_setuid hook,
1978 * which was removed).
1980 * Since setuid only affects the current process, and since the SELinux
1981 * controls are not based on the Linux identity attributes, SELinux does not
1982 * need to control this operation. However, SELinux does control the use of
1983 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1986 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1991 rc = cap_capable(cred, ns, cap, audit);
1995 return cred_has_capability(cred, cap, audit);
1998 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2000 const struct cred *cred = current_cred();
2012 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2017 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2020 rc = 0; /* let the kernel handle invalid cmds */
2026 static int selinux_quota_on(struct dentry *dentry)
2028 const struct cred *cred = current_cred();
2030 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2033 static int selinux_syslog(int type)
2038 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2039 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2040 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2042 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2043 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2044 /* Set level of messages printed to console */
2045 case SYSLOG_ACTION_CONSOLE_LEVEL:
2046 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2048 case SYSLOG_ACTION_CLOSE: /* Close log */
2049 case SYSLOG_ACTION_OPEN: /* Open log */
2050 case SYSLOG_ACTION_READ: /* Read from log */
2051 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2052 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
2054 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2061 * Check that a process has enough memory to allocate a new virtual
2062 * mapping. 0 means there is enough memory for the allocation to
2063 * succeed and -ENOMEM implies there is not.
2065 * Do not audit the selinux permission check, as this is applied to all
2066 * processes that allocate mappings.
2068 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2070 int rc, cap_sys_admin = 0;
2072 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
2073 SECURITY_CAP_NOAUDIT);
2077 return __vm_enough_memory(mm, pages, cap_sys_admin);
2080 /* binprm security operations */
2082 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2084 const struct task_security_struct *old_tsec;
2085 struct task_security_struct *new_tsec;
2086 struct inode_security_struct *isec;
2087 struct common_audit_data ad;
2088 struct inode *inode = file_inode(bprm->file);
2091 rc = cap_bprm_set_creds(bprm);
2095 /* SELinux context only depends on initial program or script and not
2096 * the script interpreter */
2097 if (bprm->cred_prepared)
2100 old_tsec = current_security();
2101 new_tsec = bprm->cred->security;
2102 isec = inode->i_security;
2104 /* Default to the current task SID. */
2105 new_tsec->sid = old_tsec->sid;
2106 new_tsec->osid = old_tsec->sid;
2108 /* Reset fs, key, and sock SIDs on execve. */
2109 new_tsec->create_sid = 0;
2110 new_tsec->keycreate_sid = 0;
2111 new_tsec->sockcreate_sid = 0;
2113 if (old_tsec->exec_sid) {
2114 new_tsec->sid = old_tsec->exec_sid;
2115 /* Reset exec SID on execve. */
2116 new_tsec->exec_sid = 0;
2119 * Minimize confusion: if no_new_privs and a transition is
2120 * explicitly requested, then fail the exec.
2122 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2125 /* Check for a default transition on this program. */
2126 rc = security_transition_sid(old_tsec->sid, isec->sid,
2127 SECCLASS_PROCESS, NULL,
2133 ad.type = LSM_AUDIT_DATA_PATH;
2134 ad.u.path = bprm->file->f_path;
2136 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2137 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2138 new_tsec->sid = old_tsec->sid;
2140 if (new_tsec->sid == old_tsec->sid) {
2141 rc = avc_has_perm(old_tsec->sid, isec->sid,
2142 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2146 /* Check permissions for the transition. */
2147 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2148 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2152 rc = avc_has_perm(new_tsec->sid, isec->sid,
2153 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2157 /* Check for shared state */
2158 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2159 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2160 SECCLASS_PROCESS, PROCESS__SHARE,
2166 /* Make sure that anyone attempting to ptrace over a task that
2167 * changes its SID has the appropriate permit */
2169 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2170 struct task_struct *tracer;
2171 struct task_security_struct *sec;
2175 tracer = ptrace_parent(current);
2176 if (likely(tracer != NULL)) {
2177 sec = __task_cred(tracer)->security;
2183 rc = avc_has_perm(ptsid, new_tsec->sid,
2185 PROCESS__PTRACE, NULL);
2191 /* Clear any possibly unsafe personality bits on exec: */
2192 bprm->per_clear |= PER_CLEAR_ON_SETID;
2198 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2200 const struct task_security_struct *tsec = current_security();
2208 /* Enable secure mode for SIDs transitions unless
2209 the noatsecure permission is granted between
2210 the two SIDs, i.e. ahp returns 0. */
2211 atsecure = avc_has_perm(osid, sid,
2213 PROCESS__NOATSECURE, NULL);
2216 return (atsecure || cap_bprm_secureexec(bprm));
2219 static int match_file(const void *p, struct file *file, unsigned fd)
2221 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2224 /* Derived from fs/exec.c:flush_old_files. */
2225 static inline void flush_unauthorized_files(const struct cred *cred,
2226 struct files_struct *files)
2228 struct file *file, *devnull = NULL;
2229 struct tty_struct *tty;
2233 tty = get_current_tty();
2235 spin_lock(&tty_files_lock);
2236 if (!list_empty(&tty->tty_files)) {
2237 struct tty_file_private *file_priv;
2239 /* Revalidate access to controlling tty.
2240 Use path_has_perm on the tty path directly rather
2241 than using file_has_perm, as this particular open
2242 file may belong to another process and we are only
2243 interested in the inode-based check here. */
2244 file_priv = list_first_entry(&tty->tty_files,
2245 struct tty_file_private, list);
2246 file = file_priv->file;
2247 if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
2250 spin_unlock(&tty_files_lock);
2253 /* Reset controlling tty. */
2257 /* Revalidate access to inherited open files. */
2258 n = iterate_fd(files, 0, match_file, cred);
2259 if (!n) /* none found? */
2262 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2263 if (IS_ERR(devnull))
2265 /* replace all the matching ones with this */
2267 replace_fd(n - 1, devnull, 0);
2268 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2274 * Prepare a process for imminent new credential changes due to exec
2276 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2278 struct task_security_struct *new_tsec;
2279 struct rlimit *rlim, *initrlim;
2282 new_tsec = bprm->cred->security;
2283 if (new_tsec->sid == new_tsec->osid)
2286 /* Close files for which the new task SID is not authorized. */
2287 flush_unauthorized_files(bprm->cred, current->files);
2289 /* Always clear parent death signal on SID transitions. */
2290 current->pdeath_signal = 0;
2292 /* Check whether the new SID can inherit resource limits from the old
2293 * SID. If not, reset all soft limits to the lower of the current
2294 * task's hard limit and the init task's soft limit.
2296 * Note that the setting of hard limits (even to lower them) can be
2297 * controlled by the setrlimit check. The inclusion of the init task's
2298 * soft limit into the computation is to avoid resetting soft limits
2299 * higher than the default soft limit for cases where the default is
2300 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2302 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2303 PROCESS__RLIMITINH, NULL);
2305 /* protect against do_prlimit() */
2307 for (i = 0; i < RLIM_NLIMITS; i++) {
2308 rlim = current->signal->rlim + i;
2309 initrlim = init_task.signal->rlim + i;
2310 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2312 task_unlock(current);
2313 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2318 * Clean up the process immediately after the installation of new credentials
2321 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2323 const struct task_security_struct *tsec = current_security();
2324 struct itimerval itimer;
2334 /* Check whether the new SID can inherit signal state from the old SID.
2335 * If not, clear itimers to avoid subsequent signal generation and
2336 * flush and unblock signals.
2338 * This must occur _after_ the task SID has been updated so that any
2339 * kill done after the flush will be checked against the new SID.
2341 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2343 memset(&itimer, 0, sizeof itimer);
2344 for (i = 0; i < 3; i++)
2345 do_setitimer(i, &itimer, NULL);
2346 spin_lock_irq(¤t->sighand->siglock);
2347 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2348 __flush_signals(current);
2349 flush_signal_handlers(current, 1);
2350 sigemptyset(¤t->blocked);
2352 spin_unlock_irq(¤t->sighand->siglock);
2355 /* Wake up the parent if it is waiting so that it can recheck
2356 * wait permission to the new task SID. */
2357 read_lock(&tasklist_lock);
2358 __wake_up_parent(current, current->real_parent);
2359 read_unlock(&tasklist_lock);
2362 /* superblock security operations */
2364 static int selinux_sb_alloc_security(struct super_block *sb)
2366 return superblock_alloc_security(sb);
2369 static void selinux_sb_free_security(struct super_block *sb)
2371 superblock_free_security(sb);
2374 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2379 return !memcmp(prefix, option, plen);
2382 static inline int selinux_option(char *option, int len)
2384 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2385 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2386 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2387 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2388 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2391 static inline void take_option(char **to, char *from, int *first, int len)
2398 memcpy(*to, from, len);
2402 static inline void take_selinux_option(char **to, char *from, int *first,
2405 int current_size = 0;
2413 while (current_size < len) {
2423 static int selinux_sb_copy_data(char *orig, char *copy)
2425 int fnosec, fsec, rc = 0;
2426 char *in_save, *in_curr, *in_end;
2427 char *sec_curr, *nosec_save, *nosec;
2433 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2441 in_save = in_end = orig;
2445 open_quote = !open_quote;
2446 if ((*in_end == ',' && open_quote == 0) ||
2448 int len = in_end - in_curr;
2450 if (selinux_option(in_curr, len))
2451 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2453 take_option(&nosec, in_curr, &fnosec, len);
2455 in_curr = in_end + 1;
2457 } while (*in_end++);
2459 strcpy(in_save, nosec_save);
2460 free_page((unsigned long)nosec_save);
2465 static int selinux_sb_remount(struct super_block *sb, void *data)
2468 struct security_mnt_opts opts;
2469 char *secdata, **mount_options;
2470 struct superblock_security_struct *sbsec = sb->s_security;
2472 if (!(sbsec->flags & SE_SBINITIALIZED))
2478 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2481 security_init_mnt_opts(&opts);
2482 secdata = alloc_secdata();
2485 rc = selinux_sb_copy_data(data, secdata);
2487 goto out_free_secdata;
2489 rc = selinux_parse_opts_str(secdata, &opts);
2491 goto out_free_secdata;
2493 mount_options = opts.mnt_opts;
2494 flags = opts.mnt_opts_flags;
2496 for (i = 0; i < opts.num_mnt_opts; i++) {
2500 if (flags[i] == SE_SBLABELSUPP)
2502 len = strlen(mount_options[i]);
2503 rc = security_context_to_sid(mount_options[i], len, &sid);
2505 printk(KERN_WARNING "SELinux: security_context_to_sid"
2506 "(%s) failed for (dev %s, type %s) errno=%d\n",
2507 mount_options[i], sb->s_id, sb->s_type->name, rc);
2513 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2514 goto out_bad_option;
2517 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2518 goto out_bad_option;
2520 case ROOTCONTEXT_MNT: {
2521 struct inode_security_struct *root_isec;
2522 root_isec = sb->s_root->d_inode->i_security;
2524 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2525 goto out_bad_option;
2528 case DEFCONTEXT_MNT:
2529 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2530 goto out_bad_option;
2539 security_free_mnt_opts(&opts);
2541 free_secdata(secdata);
2544 printk(KERN_WARNING "SELinux: unable to change security options "
2545 "during remount (dev %s, type=%s)\n", sb->s_id,
2550 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2552 const struct cred *cred = current_cred();
2553 struct common_audit_data ad;
2556 rc = superblock_doinit(sb, data);
2560 /* Allow all mounts performed by the kernel */
2561 if (flags & MS_KERNMOUNT)
2564 ad.type = LSM_AUDIT_DATA_DENTRY;
2565 ad.u.dentry = sb->s_root;
2566 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2569 static int selinux_sb_statfs(struct dentry *dentry)
2571 const struct cred *cred = current_cred();
2572 struct common_audit_data ad;
2574 ad.type = LSM_AUDIT_DATA_DENTRY;
2575 ad.u.dentry = dentry->d_sb->s_root;
2576 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2579 static int selinux_mount(const char *dev_name,
2582 unsigned long flags,
2585 const struct cred *cred = current_cred();
2587 if (flags & MS_REMOUNT)
2588 return superblock_has_perm(cred, path->dentry->d_sb,
2589 FILESYSTEM__REMOUNT, NULL);
2591 return path_has_perm(cred, path, FILE__MOUNTON);
2594 static int selinux_umount(struct vfsmount *mnt, int flags)
2596 const struct cred *cred = current_cred();
2598 return superblock_has_perm(cred, mnt->mnt_sb,
2599 FILESYSTEM__UNMOUNT, NULL);
2602 /* inode security operations */
2604 static int selinux_inode_alloc_security(struct inode *inode)
2606 return inode_alloc_security(inode);
2609 static void selinux_inode_free_security(struct inode *inode)
2611 inode_free_security(inode);
2614 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2615 const struct qstr *qstr, char **name,
2616 void **value, size_t *len)
2618 const struct task_security_struct *tsec = current_security();
2619 struct inode_security_struct *dsec;
2620 struct superblock_security_struct *sbsec;
2621 u32 sid, newsid, clen;
2623 char *namep = NULL, *context;
2625 dsec = dir->i_security;
2626 sbsec = dir->i_sb->s_security;
2629 newsid = tsec->create_sid;
2631 if ((sbsec->flags & SE_SBINITIALIZED) &&
2632 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2633 newsid = sbsec->mntpoint_sid;
2634 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2635 rc = security_transition_sid(sid, dsec->sid,
2636 inode_mode_to_security_class(inode->i_mode),
2639 printk(KERN_WARNING "%s: "
2640 "security_transition_sid failed, rc=%d (dev=%s "
2643 -rc, inode->i_sb->s_id, inode->i_ino);
2648 /* Possibly defer initialization to selinux_complete_init. */
2649 if (sbsec->flags & SE_SBINITIALIZED) {
2650 struct inode_security_struct *isec = inode->i_security;
2651 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2653 isec->initialized = 1;
2656 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2660 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2667 rc = security_sid_to_context_force(newsid, &context, &clen);
2679 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2681 return may_create(dir, dentry, SECCLASS_FILE);
2684 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2686 return may_link(dir, old_dentry, MAY_LINK);
2689 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2691 return may_link(dir, dentry, MAY_UNLINK);
2694 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2696 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2699 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2701 return may_create(dir, dentry, SECCLASS_DIR);
2704 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2706 return may_link(dir, dentry, MAY_RMDIR);
2709 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2711 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2714 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2715 struct inode *new_inode, struct dentry *new_dentry)
2717 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2720 static int selinux_inode_readlink(struct dentry *dentry)
2722 const struct cred *cred = current_cred();
2724 return dentry_has_perm(cred, dentry, FILE__READ);
2727 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2729 const struct cred *cred = current_cred();
2731 return dentry_has_perm(cred, dentry, FILE__READ);
2734 static noinline int audit_inode_permission(struct inode *inode,
2735 u32 perms, u32 audited, u32 denied,
2739 struct common_audit_data ad;
2740 struct inode_security_struct *isec = inode->i_security;
2743 ad.type = LSM_AUDIT_DATA_INODE;
2746 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2747 audited, denied, result, &ad, flags);
2753 static int selinux_inode_permission(struct inode *inode, int mask)
2755 const struct cred *cred = current_cred();
2758 unsigned flags = mask & MAY_NOT_BLOCK;
2759 struct inode_security_struct *isec;
2761 struct av_decision avd;
2763 u32 audited, denied;
2765 from_access = mask & MAY_ACCESS;
2766 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2768 /* No permission to check. Existence test. */
2772 validate_creds(cred);
2774 if (unlikely(IS_PRIVATE(inode)))
2777 perms = file_mask_to_av(inode->i_mode, mask);
2779 sid = cred_sid(cred);
2780 isec = inode->i_security;
2782 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2783 audited = avc_audit_required(perms, &avd, rc,
2784 from_access ? FILE__AUDIT_ACCESS : 0,
2786 if (likely(!audited))
2789 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2795 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2797 const struct cred *cred = current_cred();
2798 unsigned int ia_valid = iattr->ia_valid;
2799 __u32 av = FILE__WRITE;
2801 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2802 if (ia_valid & ATTR_FORCE) {
2803 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2809 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2810 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2811 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2813 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2816 return dentry_has_perm(cred, dentry, av);
2819 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2821 const struct cred *cred = current_cred();
2824 path.dentry = dentry;
2827 return path_has_perm(cred, &path, FILE__GETATTR);
2830 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2832 const struct cred *cred = current_cred();
2834 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2835 sizeof XATTR_SECURITY_PREFIX - 1)) {
2836 if (!strcmp(name, XATTR_NAME_CAPS)) {
2837 if (!capable(CAP_SETFCAP))
2839 } else if (!capable(CAP_SYS_ADMIN)) {
2840 /* A different attribute in the security namespace.
2841 Restrict to administrator. */
2846 /* Not an attribute we recognize, so just check the
2847 ordinary setattr permission. */
2848 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2851 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2852 const void *value, size_t size, int flags)
2854 struct inode *inode = dentry->d_inode;
2855 struct inode_security_struct *isec = inode->i_security;
2856 struct superblock_security_struct *sbsec;
2857 struct common_audit_data ad;
2858 u32 newsid, sid = current_sid();
2861 if (strcmp(name, XATTR_NAME_SELINUX))
2862 return selinux_inode_setotherxattr(dentry, name);
2864 sbsec = inode->i_sb->s_security;
2865 if (!(sbsec->flags & SE_SBLABELSUPP))
2868 if (!inode_owner_or_capable(inode))
2871 ad.type = LSM_AUDIT_DATA_DENTRY;
2872 ad.u.dentry = dentry;
2874 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2875 FILE__RELABELFROM, &ad);
2879 rc = security_context_to_sid(value, size, &newsid);
2880 if (rc == -EINVAL) {
2881 if (!capable(CAP_MAC_ADMIN)) {
2882 struct audit_buffer *ab;
2886 /* We strip a nul only if it is at the end, otherwise the
2887 * context contains a nul and we should audit that */
2890 if (str[size - 1] == '\0')
2891 audit_size = size - 1;
2898 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2899 audit_log_format(ab, "op=setxattr invalid_context=");
2900 audit_log_n_untrustedstring(ab, value, audit_size);
2905 rc = security_context_to_sid_force(value, size, &newsid);
2910 rc = avc_has_perm(sid, newsid, isec->sclass,
2911 FILE__RELABELTO, &ad);
2915 rc = security_validate_transition(isec->sid, newsid, sid,
2920 return avc_has_perm(newsid,
2922 SECCLASS_FILESYSTEM,
2923 FILESYSTEM__ASSOCIATE,
2927 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2928 const void *value, size_t size,
2931 struct inode *inode = dentry->d_inode;
2932 struct inode_security_struct *isec = inode->i_security;
2936 if (strcmp(name, XATTR_NAME_SELINUX)) {
2937 /* Not an attribute we recognize, so nothing to do. */
2941 rc = security_context_to_sid_force(value, size, &newsid);
2943 printk(KERN_ERR "SELinux: unable to map context to SID"
2944 "for (%s, %lu), rc=%d\n",
2945 inode->i_sb->s_id, inode->i_ino, -rc);
2953 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2955 const struct cred *cred = current_cred();
2957 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2960 static int selinux_inode_listxattr(struct dentry *dentry)
2962 const struct cred *cred = current_cred();
2964 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2967 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2969 if (strcmp(name, XATTR_NAME_SELINUX))
2970 return selinux_inode_setotherxattr(dentry, name);
2972 /* No one is allowed to remove a SELinux security label.
2973 You can change the label, but all data must be labeled. */
2978 * Copy the inode security context value to the user.
2980 * Permission check is handled by selinux_inode_getxattr hook.
2982 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2986 char *context = NULL;
2987 struct inode_security_struct *isec = inode->i_security;
2989 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2993 * If the caller has CAP_MAC_ADMIN, then get the raw context
2994 * value even if it is not defined by current policy; otherwise,
2995 * use the in-core value under current policy.
2996 * Use the non-auditing forms of the permission checks since
2997 * getxattr may be called by unprivileged processes commonly
2998 * and lack of permission just means that we fall back to the
2999 * in-core context value, not a denial.
3001 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3002 SECURITY_CAP_NOAUDIT);
3004 error = security_sid_to_context_force(isec->sid, &context,
3007 error = security_sid_to_context(isec->sid, &context, &size);
3020 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3021 const void *value, size_t size, int flags)
3023 struct inode_security_struct *isec = inode->i_security;
3027 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3030 if (!value || !size)
3033 rc = security_context_to_sid((void *)value, size, &newsid);
3038 isec->initialized = 1;
3042 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3044 const int len = sizeof(XATTR_NAME_SELINUX);
3045 if (buffer && len <= buffer_size)
3046 memcpy(buffer, XATTR_NAME_SELINUX, len);
3050 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3052 struct inode_security_struct *isec = inode->i_security;
3056 /* file security operations */
3058 static int selinux_revalidate_file_permission(struct file *file, int mask)
3060 const struct cred *cred = current_cred();
3061 struct inode *inode = file_inode(file);
3063 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3064 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3067 return file_has_perm(cred, file,
3068 file_mask_to_av(inode->i_mode, mask));
3071 static int selinux_file_permission(struct file *file, int mask)
3073 struct inode *inode = file_inode(file);
3074 struct file_security_struct *fsec = file->f_security;
3075 struct inode_security_struct *isec = inode->i_security;
3076 u32 sid = current_sid();
3079 /* No permission to check. Existence test. */
3082 if (sid == fsec->sid && fsec->isid == isec->sid &&
3083 fsec->pseqno == avc_policy_seqno())
3084 /* No change since file_open check. */
3087 return selinux_revalidate_file_permission(file, mask);
3090 static int selinux_file_alloc_security(struct file *file)
3092 return file_alloc_security(file);
3095 static void selinux_file_free_security(struct file *file)
3097 file_free_security(file);
3100 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3103 const struct cred *cred = current_cred();
3113 case FS_IOC_GETFLAGS:
3115 case FS_IOC_GETVERSION:
3116 error = file_has_perm(cred, file, FILE__GETATTR);
3119 case FS_IOC_SETFLAGS:
3121 case FS_IOC_SETVERSION:
3122 error = file_has_perm(cred, file, FILE__SETATTR);
3125 /* sys_ioctl() checks */
3129 error = file_has_perm(cred, file, 0);
3134 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3135 SECURITY_CAP_AUDIT);
3138 /* default case assumes that the command will go
3139 * to the file's ioctl() function.
3142 error = file_has_perm(cred, file, FILE__IOCTL);
3147 static int default_noexec;
3149 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3151 const struct cred *cred = current_cred();
3154 if (default_noexec &&
3155 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3157 * We are making executable an anonymous mapping or a
3158 * private file mapping that will also be writable.
3159 * This has an additional check.
3161 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3167 /* read access is always possible with a mapping */
3168 u32 av = FILE__READ;
3170 /* write access only matters if the mapping is shared */
3171 if (shared && (prot & PROT_WRITE))
3174 if (prot & PROT_EXEC)
3175 av |= FILE__EXECUTE;
3177 return file_has_perm(cred, file, av);
3184 static int selinux_mmap_addr(unsigned long addr)
3187 u32 sid = current_sid();
3190 * notice that we are intentionally putting the SELinux check before
3191 * the secondary cap_file_mmap check. This is such a likely attempt
3192 * at bad behaviour/exploit that we always want to get the AVC, even
3193 * if DAC would have also denied the operation.
3195 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3196 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3197 MEMPROTECT__MMAP_ZERO, NULL);
3202 /* do DAC check on address space usage */
3203 return cap_mmap_addr(addr);
3206 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3207 unsigned long prot, unsigned long flags)
3209 if (selinux_checkreqprot)
3212 return file_map_prot_check(file, prot,
3213 (flags & MAP_TYPE) == MAP_SHARED);
3216 static int selinux_file_mprotect(struct vm_area_struct *vma,
3217 unsigned long reqprot,
3220 const struct cred *cred = current_cred();
3222 if (selinux_checkreqprot)
3225 if (default_noexec &&
3226 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3228 if (vma->vm_start >= vma->vm_mm->start_brk &&
3229 vma->vm_end <= vma->vm_mm->brk) {
3230 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3231 } else if (!vma->vm_file &&
3232 vma->vm_start <= vma->vm_mm->start_stack &&
3233 vma->vm_end >= vma->vm_mm->start_stack) {
3234 rc = current_has_perm(current, PROCESS__EXECSTACK);
3235 } else if (vma->vm_file && vma->anon_vma) {
3237 * We are making executable a file mapping that has
3238 * had some COW done. Since pages might have been
3239 * written, check ability to execute the possibly
3240 * modified content. This typically should only
3241 * occur for text relocations.
3243 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3249 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3252 static int selinux_file_lock(struct file *file, unsigned int cmd)
3254 const struct cred *cred = current_cred();
3256 return file_has_perm(cred, file, FILE__LOCK);
3259 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3262 const struct cred *cred = current_cred();
3267 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3268 err = file_has_perm(cred, file, FILE__WRITE);
3277 case F_GETOWNER_UIDS:
3278 /* Just check FD__USE permission */
3279 err = file_has_perm(cred, file, 0);
3284 #if BITS_PER_LONG == 32
3289 err = file_has_perm(cred, file, FILE__LOCK);
3296 static int selinux_file_set_fowner(struct file *file)
3298 struct file_security_struct *fsec;
3300 fsec = file->f_security;
3301 fsec->fown_sid = current_sid();
3306 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3307 struct fown_struct *fown, int signum)
3310 u32 sid = task_sid(tsk);
3312 struct file_security_struct *fsec;
3314 /* struct fown_struct is never outside the context of a struct file */
3315 file = container_of(fown, struct file, f_owner);
3317 fsec = file->f_security;
3320 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3322 perm = signal_to_av(signum);
3324 return avc_has_perm(fsec->fown_sid, sid,
3325 SECCLASS_PROCESS, perm, NULL);
3328 static int selinux_file_receive(struct file *file)
3330 const struct cred *cred = current_cred();
3332 return file_has_perm(cred, file, file_to_av(file));
3335 static int selinux_file_open(struct file *file, const struct cred *cred)
3337 struct file_security_struct *fsec;
3338 struct inode_security_struct *isec;
3340 fsec = file->f_security;
3341 isec = file_inode(file)->i_security;
3343 * Save inode label and policy sequence number
3344 * at open-time so that selinux_file_permission
3345 * can determine whether revalidation is necessary.
3346 * Task label is already saved in the file security
3347 * struct as its SID.
3349 fsec->isid = isec->sid;
3350 fsec->pseqno = avc_policy_seqno();
3352 * Since the inode label or policy seqno may have changed
3353 * between the selinux_inode_permission check and the saving
3354 * of state above, recheck that access is still permitted.
3355 * Otherwise, access might never be revalidated against the
3356 * new inode label or new policy.
3357 * This check is not redundant - do not remove.
3359 return path_has_perm(cred, &file->f_path, open_file_to_av(file));
3362 /* task security operations */
3364 static int selinux_task_create(unsigned long clone_flags)
3366 return current_has_perm(current, PROCESS__FORK);
3370 * allocate the SELinux part of blank credentials
3372 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3374 struct task_security_struct *tsec;
3376 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3380 cred->security = tsec;
3385 * detach and free the LSM part of a set of credentials
3387 static void selinux_cred_free(struct cred *cred)
3389 struct task_security_struct *tsec = cred->security;
3392 * cred->security == NULL if security_cred_alloc_blank() or
3393 * security_prepare_creds() returned an error.
3395 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3396 cred->security = (void *) 0x7UL;
3401 * prepare a new set of credentials for modification
3403 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3406 const struct task_security_struct *old_tsec;
3407 struct task_security_struct *tsec;
3409 old_tsec = old->security;
3411 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3415 new->security = tsec;
3420 * transfer the SELinux data to a blank set of creds
3422 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3424 const struct task_security_struct *old_tsec = old->security;
3425 struct task_security_struct *tsec = new->security;
3431 * set the security data for a kernel service
3432 * - all the creation contexts are set to unlabelled
3434 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3436 struct task_security_struct *tsec = new->security;
3437 u32 sid = current_sid();
3440 ret = avc_has_perm(sid, secid,
3441 SECCLASS_KERNEL_SERVICE,
3442 KERNEL_SERVICE__USE_AS_OVERRIDE,
3446 tsec->create_sid = 0;
3447 tsec->keycreate_sid = 0;
3448 tsec->sockcreate_sid = 0;
3454 * set the file creation context in a security record to the same as the
3455 * objective context of the specified inode
3457 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3459 struct inode_security_struct *isec = inode->i_security;
3460 struct task_security_struct *tsec = new->security;
3461 u32 sid = current_sid();
3464 ret = avc_has_perm(sid, isec->sid,
3465 SECCLASS_KERNEL_SERVICE,
3466 KERNEL_SERVICE__CREATE_FILES_AS,
3470 tsec->create_sid = isec->sid;
3474 static int selinux_kernel_module_request(char *kmod_name)
3477 struct common_audit_data ad;
3479 sid = task_sid(current);
3481 ad.type = LSM_AUDIT_DATA_KMOD;
3482 ad.u.kmod_name = kmod_name;
3484 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3485 SYSTEM__MODULE_REQUEST, &ad);
3488 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3490 return current_has_perm(p, PROCESS__SETPGID);
3493 static int selinux_task_getpgid(struct task_struct *p)
3495 return current_has_perm(p, PROCESS__GETPGID);
3498 static int selinux_task_getsid(struct task_struct *p)
3500 return current_has_perm(p, PROCESS__GETSESSION);
3503 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3505 *secid = task_sid(p);
3508 static int selinux_task_setnice(struct task_struct *p, int nice)
3512 rc = cap_task_setnice(p, nice);
3516 return current_has_perm(p, PROCESS__SETSCHED);
3519 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3523 rc = cap_task_setioprio(p, ioprio);
3527 return current_has_perm(p, PROCESS__SETSCHED);
3530 static int selinux_task_getioprio(struct task_struct *p)
3532 return current_has_perm(p, PROCESS__GETSCHED);
3535 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3536 struct rlimit *new_rlim)
3538 struct rlimit *old_rlim = p->signal->rlim + resource;
3540 /* Control the ability to change the hard limit (whether
3541 lowering or raising it), so that the hard limit can
3542 later be used as a safe reset point for the soft limit
3543 upon context transitions. See selinux_bprm_committing_creds. */
3544 if (old_rlim->rlim_max != new_rlim->rlim_max)
3545 return current_has_perm(p, PROCESS__SETRLIMIT);
3550 static int selinux_task_setscheduler(struct task_struct *p)
3554 rc = cap_task_setscheduler(p);
3558 return current_has_perm(p, PROCESS__SETSCHED);
3561 static int selinux_task_getscheduler(struct task_struct *p)
3563 return current_has_perm(p, PROCESS__GETSCHED);
3566 static int selinux_task_movememory(struct task_struct *p)
3568 return current_has_perm(p, PROCESS__SETSCHED);
3571 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3578 perm = PROCESS__SIGNULL; /* null signal; existence test */
3580 perm = signal_to_av(sig);
3582 rc = avc_has_perm(secid, task_sid(p),
3583 SECCLASS_PROCESS, perm, NULL);
3585 rc = current_has_perm(p, perm);
3589 static int selinux_task_wait(struct task_struct *p)
3591 return task_has_perm(p, current, PROCESS__SIGCHLD);
3594 static void selinux_task_to_inode(struct task_struct *p,
3595 struct inode *inode)
3597 struct inode_security_struct *isec = inode->i_security;
3598 u32 sid = task_sid(p);
3601 isec->initialized = 1;
3604 /* Returns error only if unable to parse addresses */
3605 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3606 struct common_audit_data *ad, u8 *proto)
3608 int offset, ihlen, ret = -EINVAL;
3609 struct iphdr _iph, *ih;
3611 offset = skb_network_offset(skb);
3612 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3616 ihlen = ih->ihl * 4;
3617 if (ihlen < sizeof(_iph))
3620 ad->u.net->v4info.saddr = ih->saddr;
3621 ad->u.net->v4info.daddr = ih->daddr;
3625 *proto = ih->protocol;
3627 switch (ih->protocol) {
3629 struct tcphdr _tcph, *th;
3631 if (ntohs(ih->frag_off) & IP_OFFSET)
3635 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3639 ad->u.net->sport = th->source;
3640 ad->u.net->dport = th->dest;
3645 struct udphdr _udph, *uh;
3647 if (ntohs(ih->frag_off) & IP_OFFSET)
3651 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3655 ad->u.net->sport = uh->source;
3656 ad->u.net->dport = uh->dest;
3660 case IPPROTO_DCCP: {
3661 struct dccp_hdr _dccph, *dh;
3663 if (ntohs(ih->frag_off) & IP_OFFSET)
3667 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3671 ad->u.net->sport = dh->dccph_sport;
3672 ad->u.net->dport = dh->dccph_dport;
3683 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3685 /* Returns error only if unable to parse addresses */
3686 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3687 struct common_audit_data *ad, u8 *proto)
3690 int ret = -EINVAL, offset;
3691 struct ipv6hdr _ipv6h, *ip6;
3694 offset = skb_network_offset(skb);
3695 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3699 ad->u.net->v6info.saddr = ip6->saddr;
3700 ad->u.net->v6info.daddr = ip6->daddr;
3703 nexthdr = ip6->nexthdr;
3704 offset += sizeof(_ipv6h);
3705 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3714 struct tcphdr _tcph, *th;
3716 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3720 ad->u.net->sport = th->source;
3721 ad->u.net->dport = th->dest;
3726 struct udphdr _udph, *uh;
3728 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3732 ad->u.net->sport = uh->source;
3733 ad->u.net->dport = uh->dest;
3737 case IPPROTO_DCCP: {
3738 struct dccp_hdr _dccph, *dh;
3740 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3744 ad->u.net->sport = dh->dccph_sport;
3745 ad->u.net->dport = dh->dccph_dport;
3749 /* includes fragments */
3759 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3760 char **_addrp, int src, u8 *proto)
3765 switch (ad->u.net->family) {
3767 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3770 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3771 &ad->u.net->v4info.daddr);
3774 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3776 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3779 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3780 &ad->u.net->v6info.daddr);
3790 "SELinux: failure in selinux_parse_skb(),"
3791 " unable to parse packet\n");
3801 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3803 * @family: protocol family
3804 * @sid: the packet's peer label SID
3807 * Check the various different forms of network peer labeling and determine
3808 * the peer label/SID for the packet; most of the magic actually occurs in
3809 * the security server function security_net_peersid_cmp(). The function
3810 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3811 * or -EACCES if @sid is invalid due to inconsistencies with the different
3815 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3822 selinux_xfrm_skb_sid(skb, &xfrm_sid);
3823 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3825 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3826 if (unlikely(err)) {
3828 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3829 " unable to determine packet's peer label\n");
3837 * selinux_conn_sid - Determine the child socket label for a connection
3838 * @sk_sid: the parent socket's SID
3839 * @skb_sid: the packet's SID
3840 * @conn_sid: the resulting connection SID
3842 * If @skb_sid is valid then the user:role:type information from @sk_sid is
3843 * combined with the MLS information from @skb_sid in order to create
3844 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
3845 * of @sk_sid. Returns zero on success, negative values on failure.
3848 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
3852 if (skb_sid != SECSID_NULL)
3853 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
3860 /* socket security operations */
3862 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3863 u16 secclass, u32 *socksid)
3865 if (tsec->sockcreate_sid > SECSID_NULL) {
3866 *socksid = tsec->sockcreate_sid;
3870 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3874 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3876 struct sk_security_struct *sksec = sk->sk_security;
3877 struct common_audit_data ad;
3878 struct lsm_network_audit net = {0,};
3879 u32 tsid = task_sid(task);
3881 if (sksec->sid == SECINITSID_KERNEL)
3884 ad.type = LSM_AUDIT_DATA_NET;
3888 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3891 static int selinux_socket_create(int family, int type,
3892 int protocol, int kern)
3894 const struct task_security_struct *tsec = current_security();
3902 secclass = socket_type_to_security_class(family, type, protocol);
3903 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3907 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3910 static int selinux_socket_post_create(struct socket *sock, int family,
3911 int type, int protocol, int kern)
3913 const struct task_security_struct *tsec = current_security();
3914 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3915 struct sk_security_struct *sksec;
3918 isec->sclass = socket_type_to_security_class(family, type, protocol);
3921 isec->sid = SECINITSID_KERNEL;
3923 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3928 isec->initialized = 1;
3931 sksec = sock->sk->sk_security;
3932 sksec->sid = isec->sid;
3933 sksec->sclass = isec->sclass;
3934 err = selinux_netlbl_socket_post_create(sock->sk, family);
3940 /* Range of port numbers used to automatically bind.
3941 Need to determine whether we should perform a name_bind
3942 permission check between the socket and the port number. */
3944 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3946 struct sock *sk = sock->sk;
3950 err = sock_has_perm(current, sk, SOCKET__BIND);
3955 * If PF_INET or PF_INET6, check name_bind permission for the port.
3956 * Multiple address binding for SCTP is not supported yet: we just
3957 * check the first address now.
3959 family = sk->sk_family;
3960 if (family == PF_INET || family == PF_INET6) {
3962 struct sk_security_struct *sksec = sk->sk_security;
3963 struct common_audit_data ad;
3964 struct lsm_network_audit net = {0,};
3965 struct sockaddr_in *addr4 = NULL;
3966 struct sockaddr_in6 *addr6 = NULL;
3967 unsigned short snum;
3970 if (family == PF_INET) {
3971 addr4 = (struct sockaddr_in *)address;
3972 snum = ntohs(addr4->sin_port);
3973 addrp = (char *)&addr4->sin_addr.s_addr;
3975 addr6 = (struct sockaddr_in6 *)address;
3976 snum = ntohs(addr6->sin6_port);
3977 addrp = (char *)&addr6->sin6_addr.s6_addr;
3983 inet_get_local_port_range(&low, &high);
3985 if (snum < max(PROT_SOCK, low) || snum > high) {
3986 err = sel_netport_sid(sk->sk_protocol,
3990 ad.type = LSM_AUDIT_DATA_NET;
3992 ad.u.net->sport = htons(snum);
3993 ad.u.net->family = family;
3994 err = avc_has_perm(sksec->sid, sid,
3996 SOCKET__NAME_BIND, &ad);
4002 switch (sksec->sclass) {
4003 case SECCLASS_TCP_SOCKET:
4004 node_perm = TCP_SOCKET__NODE_BIND;
4007 case SECCLASS_UDP_SOCKET:
4008 node_perm = UDP_SOCKET__NODE_BIND;
4011 case SECCLASS_DCCP_SOCKET:
4012 node_perm = DCCP_SOCKET__NODE_BIND;
4016 node_perm = RAWIP_SOCKET__NODE_BIND;
4020 err = sel_netnode_sid(addrp, family, &sid);
4024 ad.type = LSM_AUDIT_DATA_NET;
4026 ad.u.net->sport = htons(snum);
4027 ad.u.net->family = family;
4029 if (family == PF_INET)
4030 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4032 ad.u.net->v6info.saddr = addr6->sin6_addr;
4034 err = avc_has_perm(sksec->sid, sid,
4035 sksec->sclass, node_perm, &ad);
4043 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4045 struct sock *sk = sock->sk;
4046 struct sk_security_struct *sksec = sk->sk_security;
4049 err = sock_has_perm(current, sk, SOCKET__CONNECT);
4054 * If a TCP or DCCP socket, check name_connect permission for the port.
4056 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4057 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4058 struct common_audit_data ad;
4059 struct lsm_network_audit net = {0,};
4060 struct sockaddr_in *addr4 = NULL;
4061 struct sockaddr_in6 *addr6 = NULL;
4062 unsigned short snum;
4065 if (sk->sk_family == PF_INET) {
4066 addr4 = (struct sockaddr_in *)address;
4067 if (addrlen < sizeof(struct sockaddr_in))
4069 snum = ntohs(addr4->sin_port);
4071 addr6 = (struct sockaddr_in6 *)address;
4072 if (addrlen < SIN6_LEN_RFC2133)
4074 snum = ntohs(addr6->sin6_port);
4077 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4081 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4082 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4084 ad.type = LSM_AUDIT_DATA_NET;
4086 ad.u.net->dport = htons(snum);
4087 ad.u.net->family = sk->sk_family;
4088 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4093 err = selinux_netlbl_socket_connect(sk, address);
4099 static int selinux_socket_listen(struct socket *sock, int backlog)
4101 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4104 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4107 struct inode_security_struct *isec;
4108 struct inode_security_struct *newisec;
4110 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4114 newisec = SOCK_INODE(newsock)->i_security;
4116 isec = SOCK_INODE(sock)->i_security;
4117 newisec->sclass = isec->sclass;
4118 newisec->sid = isec->sid;
4119 newisec->initialized = 1;
4124 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4127 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4130 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4131 int size, int flags)
4133 return sock_has_perm(current, sock->sk, SOCKET__READ);
4136 static int selinux_socket_getsockname(struct socket *sock)
4138 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4141 static int selinux_socket_getpeername(struct socket *sock)
4143 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4146 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4150 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4154 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4157 static int selinux_socket_getsockopt(struct socket *sock, int level,
4160 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4163 static int selinux_socket_shutdown(struct socket *sock, int how)
4165 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4168 static int selinux_socket_unix_stream_connect(struct sock *sock,
4172 struct sk_security_struct *sksec_sock = sock->sk_security;
4173 struct sk_security_struct *sksec_other = other->sk_security;
4174 struct sk_security_struct *sksec_new = newsk->sk_security;
4175 struct common_audit_data ad;
4176 struct lsm_network_audit net = {0,};
4179 ad.type = LSM_AUDIT_DATA_NET;
4181 ad.u.net->sk = other;
4183 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4184 sksec_other->sclass,
4185 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4189 /* server child socket */
4190 sksec_new->peer_sid = sksec_sock->sid;
4191 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4196 /* connecting socket */
4197 sksec_sock->peer_sid = sksec_new->sid;
4202 static int selinux_socket_unix_may_send(struct socket *sock,
4203 struct socket *other)
4205 struct sk_security_struct *ssec = sock->sk->sk_security;
4206 struct sk_security_struct *osec = other->sk->sk_security;
4207 struct common_audit_data ad;
4208 struct lsm_network_audit net = {0,};
4210 ad.type = LSM_AUDIT_DATA_NET;
4212 ad.u.net->sk = other->sk;
4214 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4218 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4220 struct common_audit_data *ad)
4226 err = sel_netif_sid(ifindex, &if_sid);
4229 err = avc_has_perm(peer_sid, if_sid,
4230 SECCLASS_NETIF, NETIF__INGRESS, ad);
4234 err = sel_netnode_sid(addrp, family, &node_sid);
4237 return avc_has_perm(peer_sid, node_sid,
4238 SECCLASS_NODE, NODE__RECVFROM, ad);
4241 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4245 struct sk_security_struct *sksec = sk->sk_security;
4246 u32 sk_sid = sksec->sid;
4247 struct common_audit_data ad;
4248 struct lsm_network_audit net = {0,};
4251 ad.type = LSM_AUDIT_DATA_NET;
4253 ad.u.net->netif = skb->skb_iif;
4254 ad.u.net->family = family;
4255 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4259 if (selinux_secmark_enabled()) {
4260 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4266 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4269 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4274 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4277 struct sk_security_struct *sksec = sk->sk_security;
4278 u16 family = sk->sk_family;
4279 u32 sk_sid = sksec->sid;
4280 struct common_audit_data ad;
4281 struct lsm_network_audit net = {0,};
4286 if (family != PF_INET && family != PF_INET6)
4289 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4290 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4293 /* If any sort of compatibility mode is enabled then handoff processing
4294 * to the selinux_sock_rcv_skb_compat() function to deal with the
4295 * special handling. We do this in an attempt to keep this function
4296 * as fast and as clean as possible. */
4297 if (!selinux_policycap_netpeer)
4298 return selinux_sock_rcv_skb_compat(sk, skb, family);
4300 secmark_active = selinux_secmark_enabled();
4301 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4302 if (!secmark_active && !peerlbl_active)
4305 ad.type = LSM_AUDIT_DATA_NET;
4307 ad.u.net->netif = skb->skb_iif;
4308 ad.u.net->family = family;
4309 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4313 if (peerlbl_active) {
4316 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4319 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4322 selinux_netlbl_err(skb, err, 0);
4325 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4328 selinux_netlbl_err(skb, err, 0);
4333 if (secmark_active) {
4334 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4343 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4344 int __user *optlen, unsigned len)
4349 struct sk_security_struct *sksec = sock->sk->sk_security;
4350 u32 peer_sid = SECSID_NULL;
4352 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4353 sksec->sclass == SECCLASS_TCP_SOCKET)
4354 peer_sid = sksec->peer_sid;
4355 if (peer_sid == SECSID_NULL)
4356 return -ENOPROTOOPT;
4358 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4362 if (scontext_len > len) {
4367 if (copy_to_user(optval, scontext, scontext_len))
4371 if (put_user(scontext_len, optlen))
4377 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4379 u32 peer_secid = SECSID_NULL;
4382 if (skb && skb->protocol == htons(ETH_P_IP))
4384 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4387 family = sock->sk->sk_family;
4391 if (sock && family == PF_UNIX)
4392 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4394 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4397 *secid = peer_secid;
4398 if (peer_secid == SECSID_NULL)
4403 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4405 struct sk_security_struct *sksec;
4407 sksec = kzalloc(sizeof(*sksec), priority);
4411 sksec->peer_sid = SECINITSID_UNLABELED;
4412 sksec->sid = SECINITSID_UNLABELED;
4413 selinux_netlbl_sk_security_reset(sksec);
4414 sk->sk_security = sksec;
4419 static void selinux_sk_free_security(struct sock *sk)
4421 struct sk_security_struct *sksec = sk->sk_security;
4423 sk->sk_security = NULL;
4424 selinux_netlbl_sk_security_free(sksec);
4428 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4430 struct sk_security_struct *sksec = sk->sk_security;
4431 struct sk_security_struct *newsksec = newsk->sk_security;
4433 newsksec->sid = sksec->sid;
4434 newsksec->peer_sid = sksec->peer_sid;
4435 newsksec->sclass = sksec->sclass;
4437 selinux_netlbl_sk_security_reset(newsksec);
4440 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4443 *secid = SECINITSID_ANY_SOCKET;
4445 struct sk_security_struct *sksec = sk->sk_security;
4447 *secid = sksec->sid;
4451 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4453 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4454 struct sk_security_struct *sksec = sk->sk_security;
4456 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4457 sk->sk_family == PF_UNIX)
4458 isec->sid = sksec->sid;
4459 sksec->sclass = isec->sclass;
4462 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4463 struct request_sock *req)
4465 struct sk_security_struct *sksec = sk->sk_security;
4467 u16 family = sk->sk_family;
4471 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4472 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4475 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4478 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4481 req->secid = connsid;
4482 req->peer_secid = peersid;
4484 return selinux_netlbl_inet_conn_request(req, family);
4487 static void selinux_inet_csk_clone(struct sock *newsk,
4488 const struct request_sock *req)
4490 struct sk_security_struct *newsksec = newsk->sk_security;
4492 newsksec->sid = req->secid;
4493 newsksec->peer_sid = req->peer_secid;
4494 /* NOTE: Ideally, we should also get the isec->sid for the
4495 new socket in sync, but we don't have the isec available yet.
4496 So we will wait until sock_graft to do it, by which
4497 time it will have been created and available. */
4499 /* We don't need to take any sort of lock here as we are the only
4500 * thread with access to newsksec */
4501 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4504 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4506 u16 family = sk->sk_family;
4507 struct sk_security_struct *sksec = sk->sk_security;
4509 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4510 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4513 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4516 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4518 skb_set_owner_w(skb, sk);
4521 static int selinux_secmark_relabel_packet(u32 sid)
4523 const struct task_security_struct *__tsec;
4526 __tsec = current_security();
4529 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4532 static void selinux_secmark_refcount_inc(void)
4534 atomic_inc(&selinux_secmark_refcount);
4537 static void selinux_secmark_refcount_dec(void)
4539 atomic_dec(&selinux_secmark_refcount);
4542 static void selinux_req_classify_flow(const struct request_sock *req,
4545 fl->flowi_secid = req->secid;
4548 static int selinux_tun_dev_alloc_security(void **security)
4550 struct tun_security_struct *tunsec;
4552 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4555 tunsec->sid = current_sid();
4561 static void selinux_tun_dev_free_security(void *security)
4566 static int selinux_tun_dev_create(void)
4568 u32 sid = current_sid();
4570 /* we aren't taking into account the "sockcreate" SID since the socket
4571 * that is being created here is not a socket in the traditional sense,
4572 * instead it is a private sock, accessible only to the kernel, and
4573 * representing a wide range of network traffic spanning multiple
4574 * connections unlike traditional sockets - check the TUN driver to
4575 * get a better understanding of why this socket is special */
4577 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4581 static int selinux_tun_dev_attach_queue(void *security)
4583 struct tun_security_struct *tunsec = security;
4585 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4586 TUN_SOCKET__ATTACH_QUEUE, NULL);
4589 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4591 struct tun_security_struct *tunsec = security;
4592 struct sk_security_struct *sksec = sk->sk_security;
4594 /* we don't currently perform any NetLabel based labeling here and it
4595 * isn't clear that we would want to do so anyway; while we could apply
4596 * labeling without the support of the TUN user the resulting labeled
4597 * traffic from the other end of the connection would almost certainly
4598 * cause confusion to the TUN user that had no idea network labeling
4599 * protocols were being used */
4601 sksec->sid = tunsec->sid;
4602 sksec->sclass = SECCLASS_TUN_SOCKET;
4607 static int selinux_tun_dev_open(void *security)
4609 struct tun_security_struct *tunsec = security;
4610 u32 sid = current_sid();
4613 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4614 TUN_SOCKET__RELABELFROM, NULL);
4617 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4618 TUN_SOCKET__RELABELTO, NULL);
4626 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4630 struct nlmsghdr *nlh;
4631 struct sk_security_struct *sksec = sk->sk_security;
4633 if (skb->len < NLMSG_HDRLEN) {
4637 nlh = nlmsg_hdr(skb);
4639 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4641 if (err == -EINVAL) {
4642 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4643 "SELinux: unrecognized netlink message"
4644 " type=%hu for sclass=%hu\n",
4645 nlh->nlmsg_type, sksec->sclass);
4646 if (!selinux_enforcing || security_get_allow_unknown())
4656 err = sock_has_perm(current, sk, perm);
4661 #ifdef CONFIG_NETFILTER
4663 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4669 struct common_audit_data ad;
4670 struct lsm_network_audit net = {0,};
4675 if (!selinux_policycap_netpeer)
4678 secmark_active = selinux_secmark_enabled();
4679 netlbl_active = netlbl_enabled();
4680 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4681 if (!secmark_active && !peerlbl_active)
4684 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4687 ad.type = LSM_AUDIT_DATA_NET;
4689 ad.u.net->netif = ifindex;
4690 ad.u.net->family = family;
4691 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4694 if (peerlbl_active) {
4695 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4698 selinux_netlbl_err(skb, err, 1);
4704 if (avc_has_perm(peer_sid, skb->secmark,
4705 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4709 /* we do this in the FORWARD path and not the POST_ROUTING
4710 * path because we want to make sure we apply the necessary
4711 * labeling before IPsec is applied so we can leverage AH
4713 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4719 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4720 struct sk_buff *skb,
4721 const struct net_device *in,
4722 const struct net_device *out,
4723 int (*okfn)(struct sk_buff *))
4725 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4728 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4729 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4730 struct sk_buff *skb,
4731 const struct net_device *in,
4732 const struct net_device *out,
4733 int (*okfn)(struct sk_buff *))
4735 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4739 static unsigned int selinux_ip_output(struct sk_buff *skb,
4745 if (!netlbl_enabled())
4748 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4749 * because we want to make sure we apply the necessary labeling
4750 * before IPsec is applied so we can leverage AH protection */
4753 struct sk_security_struct *sksec;
4755 if (sk->sk_state == TCP_LISTEN)
4756 /* if the socket is the listening state then this
4757 * packet is a SYN-ACK packet which means it needs to
4758 * be labeled based on the connection/request_sock and
4759 * not the parent socket. unfortunately, we can't
4760 * lookup the request_sock yet as it isn't queued on
4761 * the parent socket until after the SYN-ACK is sent.
4762 * the "solution" is to simply pass the packet as-is
4763 * as any IP option based labeling should be copied
4764 * from the initial connection request (in the IP
4765 * layer). it is far from ideal, but until we get a
4766 * security label in the packet itself this is the
4767 * best we can do. */
4770 /* standard practice, label using the parent socket */
4771 sksec = sk->sk_security;
4774 sid = SECINITSID_KERNEL;
4775 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4781 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4782 struct sk_buff *skb,
4783 const struct net_device *in,
4784 const struct net_device *out,
4785 int (*okfn)(struct sk_buff *))
4787 return selinux_ip_output(skb, PF_INET);
4790 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4794 struct sock *sk = skb->sk;
4795 struct sk_security_struct *sksec;
4796 struct common_audit_data ad;
4797 struct lsm_network_audit net = {0,};
4803 sksec = sk->sk_security;
4805 ad.type = LSM_AUDIT_DATA_NET;
4807 ad.u.net->netif = ifindex;
4808 ad.u.net->family = family;
4809 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4812 if (selinux_secmark_enabled())
4813 if (avc_has_perm(sksec->sid, skb->secmark,
4814 SECCLASS_PACKET, PACKET__SEND, &ad))
4815 return NF_DROP_ERR(-ECONNREFUSED);
4817 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4818 return NF_DROP_ERR(-ECONNREFUSED);
4823 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4829 struct common_audit_data ad;
4830 struct lsm_network_audit net = {0,};
4835 /* If any sort of compatibility mode is enabled then handoff processing
4836 * to the selinux_ip_postroute_compat() function to deal with the
4837 * special handling. We do this in an attempt to keep this function
4838 * as fast and as clean as possible. */
4839 if (!selinux_policycap_netpeer)
4840 return selinux_ip_postroute_compat(skb, ifindex, family);
4842 secmark_active = selinux_secmark_enabled();
4843 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4844 if (!secmark_active && !peerlbl_active)
4850 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4851 * packet transformation so allow the packet to pass without any checks
4852 * since we'll have another chance to perform access control checks
4853 * when the packet is on it's final way out.
4854 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4855 * is NULL, in this case go ahead and apply access control.
4856 * is NULL, in this case go ahead and apply access control.
4857 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
4858 * TCP listening state we cannot wait until the XFRM processing
4859 * is done as we will miss out on the SA label if we do;
4860 * unfortunately, this means more work, but it is only once per
4862 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
4863 !(sk != NULL && sk->sk_state == TCP_LISTEN))
4868 /* Without an associated socket the packet is either coming
4869 * from the kernel or it is being forwarded; check the packet
4870 * to determine which and if the packet is being forwarded
4871 * query the packet directly to determine the security label. */
4873 secmark_perm = PACKET__FORWARD_OUT;
4874 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4877 secmark_perm = PACKET__SEND;
4878 peer_sid = SECINITSID_KERNEL;
4880 } else if (sk->sk_state == TCP_LISTEN) {
4881 /* Locally generated packet but the associated socket is in the
4882 * listening state which means this is a SYN-ACK packet. In
4883 * this particular case the correct security label is assigned
4884 * to the connection/request_sock but unfortunately we can't
4885 * query the request_sock as it isn't queued on the parent
4886 * socket until after the SYN-ACK packet is sent; the only
4887 * viable choice is to regenerate the label like we do in
4888 * selinux_inet_conn_request(). See also selinux_ip_output()
4889 * for similar problems. */
4891 struct sk_security_struct *sksec = sk->sk_security;
4892 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
4894 /* At this point, if the returned skb peerlbl is SECSID_NULL
4895 * and the packet has been through at least one XFRM
4896 * transformation then we must be dealing with the "final"
4897 * form of labeled IPsec packet; since we've already applied
4898 * all of our access controls on this packet we can safely
4899 * pass the packet. */
4900 if (skb_sid == SECSID_NULL) {
4903 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
4907 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
4910 return NF_DROP_ERR(-ECONNREFUSED);
4913 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
4915 secmark_perm = PACKET__SEND;
4917 /* Locally generated packet, fetch the security label from the
4918 * associated socket. */
4919 struct sk_security_struct *sksec = sk->sk_security;
4920 peer_sid = sksec->sid;
4921 secmark_perm = PACKET__SEND;
4924 ad.type = LSM_AUDIT_DATA_NET;
4926 ad.u.net->netif = ifindex;
4927 ad.u.net->family = family;
4928 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4932 if (avc_has_perm(peer_sid, skb->secmark,
4933 SECCLASS_PACKET, secmark_perm, &ad))
4934 return NF_DROP_ERR(-ECONNREFUSED);
4936 if (peerlbl_active) {
4940 if (sel_netif_sid(ifindex, &if_sid))
4942 if (avc_has_perm(peer_sid, if_sid,
4943 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4944 return NF_DROP_ERR(-ECONNREFUSED);
4946 if (sel_netnode_sid(addrp, family, &node_sid))
4948 if (avc_has_perm(peer_sid, node_sid,
4949 SECCLASS_NODE, NODE__SENDTO, &ad))
4950 return NF_DROP_ERR(-ECONNREFUSED);
4956 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4957 struct sk_buff *skb,
4958 const struct net_device *in,
4959 const struct net_device *out,
4960 int (*okfn)(struct sk_buff *))
4962 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4965 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4966 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4967 struct sk_buff *skb,
4968 const struct net_device *in,
4969 const struct net_device *out,
4970 int (*okfn)(struct sk_buff *))
4972 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4976 #endif /* CONFIG_NETFILTER */
4978 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4982 err = cap_netlink_send(sk, skb);
4986 return selinux_nlmsg_perm(sk, skb);
4989 static int ipc_alloc_security(struct task_struct *task,
4990 struct kern_ipc_perm *perm,
4993 struct ipc_security_struct *isec;
4996 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5000 sid = task_sid(task);
5001 isec->sclass = sclass;
5003 perm->security = isec;
5008 static void ipc_free_security(struct kern_ipc_perm *perm)
5010 struct ipc_security_struct *isec = perm->security;
5011 perm->security = NULL;
5015 static int msg_msg_alloc_security(struct msg_msg *msg)
5017 struct msg_security_struct *msec;
5019 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5023 msec->sid = SECINITSID_UNLABELED;
5024 msg->security = msec;
5029 static void msg_msg_free_security(struct msg_msg *msg)
5031 struct msg_security_struct *msec = msg->security;
5033 msg->security = NULL;
5037 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5040 struct ipc_security_struct *isec;
5041 struct common_audit_data ad;
5042 u32 sid = current_sid();
5044 isec = ipc_perms->security;
5046 ad.type = LSM_AUDIT_DATA_IPC;
5047 ad.u.ipc_id = ipc_perms->key;
5049 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5052 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5054 return msg_msg_alloc_security(msg);
5057 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5059 msg_msg_free_security(msg);
5062 /* message queue security operations */
5063 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5065 struct ipc_security_struct *isec;
5066 struct common_audit_data ad;
5067 u32 sid = current_sid();
5070 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5074 isec = msq->q_perm.security;
5076 ad.type = LSM_AUDIT_DATA_IPC;
5077 ad.u.ipc_id = msq->q_perm.key;
5079 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5082 ipc_free_security(&msq->q_perm);
5088 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5090 ipc_free_security(&msq->q_perm);
5093 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5095 struct ipc_security_struct *isec;
5096 struct common_audit_data ad;
5097 u32 sid = current_sid();
5099 isec = msq->q_perm.security;
5101 ad.type = LSM_AUDIT_DATA_IPC;
5102 ad.u.ipc_id = msq->q_perm.key;
5104 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5105 MSGQ__ASSOCIATE, &ad);
5108 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5116 /* No specific object, just general system-wide information. */
5117 return task_has_system(current, SYSTEM__IPC_INFO);
5120 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5123 perms = MSGQ__SETATTR;
5126 perms = MSGQ__DESTROY;
5132 err = ipc_has_perm(&msq->q_perm, perms);
5136 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5138 struct ipc_security_struct *isec;
5139 struct msg_security_struct *msec;
5140 struct common_audit_data ad;
5141 u32 sid = current_sid();
5144 isec = msq->q_perm.security;
5145 msec = msg->security;
5148 * First time through, need to assign label to the message
5150 if (msec->sid == SECINITSID_UNLABELED) {
5152 * Compute new sid based on current process and
5153 * message queue this message will be stored in
5155 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5161 ad.type = LSM_AUDIT_DATA_IPC;
5162 ad.u.ipc_id = msq->q_perm.key;
5164 /* Can this process write to the queue? */
5165 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5168 /* Can this process send the message */
5169 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5172 /* Can the message be put in the queue? */
5173 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5174 MSGQ__ENQUEUE, &ad);
5179 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5180 struct task_struct *target,
5181 long type, int mode)
5183 struct ipc_security_struct *isec;
5184 struct msg_security_struct *msec;
5185 struct common_audit_data ad;
5186 u32 sid = task_sid(target);
5189 isec = msq->q_perm.security;
5190 msec = msg->security;
5192 ad.type = LSM_AUDIT_DATA_IPC;
5193 ad.u.ipc_id = msq->q_perm.key;
5195 rc = avc_has_perm(sid, isec->sid,
5196 SECCLASS_MSGQ, MSGQ__READ, &ad);
5198 rc = avc_has_perm(sid, msec->sid,
5199 SECCLASS_MSG, MSG__RECEIVE, &ad);
5203 /* Shared Memory security operations */
5204 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5206 struct ipc_security_struct *isec;
5207 struct common_audit_data ad;
5208 u32 sid = current_sid();
5211 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5215 isec = shp->shm_perm.security;
5217 ad.type = LSM_AUDIT_DATA_IPC;
5218 ad.u.ipc_id = shp->shm_perm.key;
5220 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5223 ipc_free_security(&shp->shm_perm);
5229 static void selinux_shm_free_security(struct shmid_kernel *shp)
5231 ipc_free_security(&shp->shm_perm);
5234 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5236 struct ipc_security_struct *isec;
5237 struct common_audit_data ad;
5238 u32 sid = current_sid();
5240 isec = shp->shm_perm.security;
5242 ad.type = LSM_AUDIT_DATA_IPC;
5243 ad.u.ipc_id = shp->shm_perm.key;
5245 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5246 SHM__ASSOCIATE, &ad);
5249 /* Note, at this point, shp is locked down */
5250 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5258 /* No specific object, just general system-wide information. */
5259 return task_has_system(current, SYSTEM__IPC_INFO);
5262 perms = SHM__GETATTR | SHM__ASSOCIATE;
5265 perms = SHM__SETATTR;
5272 perms = SHM__DESTROY;
5278 err = ipc_has_perm(&shp->shm_perm, perms);
5282 static int selinux_shm_shmat(struct shmid_kernel *shp,
5283 char __user *shmaddr, int shmflg)
5287 if (shmflg & SHM_RDONLY)
5290 perms = SHM__READ | SHM__WRITE;
5292 return ipc_has_perm(&shp->shm_perm, perms);
5295 /* Semaphore security operations */
5296 static int selinux_sem_alloc_security(struct sem_array *sma)
5298 struct ipc_security_struct *isec;
5299 struct common_audit_data ad;
5300 u32 sid = current_sid();
5303 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5307 isec = sma->sem_perm.security;
5309 ad.type = LSM_AUDIT_DATA_IPC;
5310 ad.u.ipc_id = sma->sem_perm.key;
5312 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5315 ipc_free_security(&sma->sem_perm);
5321 static void selinux_sem_free_security(struct sem_array *sma)
5323 ipc_free_security(&sma->sem_perm);
5326 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5328 struct ipc_security_struct *isec;
5329 struct common_audit_data ad;
5330 u32 sid = current_sid();
5332 isec = sma->sem_perm.security;
5334 ad.type = LSM_AUDIT_DATA_IPC;
5335 ad.u.ipc_id = sma->sem_perm.key;
5337 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5338 SEM__ASSOCIATE, &ad);
5341 /* Note, at this point, sma is locked down */
5342 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5350 /* No specific object, just general system-wide information. */
5351 return task_has_system(current, SYSTEM__IPC_INFO);
5355 perms = SEM__GETATTR;
5366 perms = SEM__DESTROY;
5369 perms = SEM__SETATTR;
5373 perms = SEM__GETATTR | SEM__ASSOCIATE;
5379 err = ipc_has_perm(&sma->sem_perm, perms);
5383 static int selinux_sem_semop(struct sem_array *sma,
5384 struct sembuf *sops, unsigned nsops, int alter)
5389 perms = SEM__READ | SEM__WRITE;
5393 return ipc_has_perm(&sma->sem_perm, perms);
5396 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5402 av |= IPC__UNIX_READ;
5404 av |= IPC__UNIX_WRITE;
5409 return ipc_has_perm(ipcp, av);
5412 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5414 struct ipc_security_struct *isec = ipcp->security;
5418 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5421 inode_doinit_with_dentry(inode, dentry);
5424 static int selinux_getprocattr(struct task_struct *p,
5425 char *name, char **value)
5427 const struct task_security_struct *__tsec;
5433 error = current_has_perm(p, PROCESS__GETATTR);
5439 __tsec = __task_cred(p)->security;
5441 if (!strcmp(name, "current"))
5443 else if (!strcmp(name, "prev"))
5445 else if (!strcmp(name, "exec"))
5446 sid = __tsec->exec_sid;
5447 else if (!strcmp(name, "fscreate"))
5448 sid = __tsec->create_sid;
5449 else if (!strcmp(name, "keycreate"))
5450 sid = __tsec->keycreate_sid;
5451 else if (!strcmp(name, "sockcreate"))
5452 sid = __tsec->sockcreate_sid;
5460 error = security_sid_to_context(sid, value, &len);
5470 static int selinux_setprocattr(struct task_struct *p,
5471 char *name, void *value, size_t size)
5473 struct task_security_struct *tsec;
5474 struct task_struct *tracer;
5481 /* SELinux only allows a process to change its own
5482 security attributes. */
5487 * Basic control over ability to set these attributes at all.
5488 * current == p, but we'll pass them separately in case the
5489 * above restriction is ever removed.
5491 if (!strcmp(name, "exec"))
5492 error = current_has_perm(p, PROCESS__SETEXEC);
5493 else if (!strcmp(name, "fscreate"))
5494 error = current_has_perm(p, PROCESS__SETFSCREATE);
5495 else if (!strcmp(name, "keycreate"))
5496 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5497 else if (!strcmp(name, "sockcreate"))
5498 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5499 else if (!strcmp(name, "current"))
5500 error = current_has_perm(p, PROCESS__SETCURRENT);
5506 /* Obtain a SID for the context, if one was specified. */
5507 if (size && str[1] && str[1] != '\n') {
5508 if (str[size-1] == '\n') {
5512 error = security_context_to_sid(value, size, &sid);
5513 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5514 if (!capable(CAP_MAC_ADMIN)) {
5515 struct audit_buffer *ab;
5518 /* We strip a nul only if it is at the end, otherwise the
5519 * context contains a nul and we should audit that */
5520 if (str[size - 1] == '\0')
5521 audit_size = size - 1;
5524 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5525 audit_log_format(ab, "op=fscreate invalid_context=");
5526 audit_log_n_untrustedstring(ab, value, audit_size);
5531 error = security_context_to_sid_force(value, size,
5538 new = prepare_creds();
5542 /* Permission checking based on the specified context is
5543 performed during the actual operation (execve,
5544 open/mkdir/...), when we know the full context of the
5545 operation. See selinux_bprm_set_creds for the execve
5546 checks and may_create for the file creation checks. The
5547 operation will then fail if the context is not permitted. */
5548 tsec = new->security;
5549 if (!strcmp(name, "exec")) {
5550 tsec->exec_sid = sid;
5551 } else if (!strcmp(name, "fscreate")) {
5552 tsec->create_sid = sid;
5553 } else if (!strcmp(name, "keycreate")) {
5554 error = may_create_key(sid, p);
5557 tsec->keycreate_sid = sid;
5558 } else if (!strcmp(name, "sockcreate")) {
5559 tsec->sockcreate_sid = sid;
5560 } else if (!strcmp(name, "current")) {
5565 /* Only allow single threaded processes to change context */
5567 if (!current_is_single_threaded()) {
5568 error = security_bounded_transition(tsec->sid, sid);
5573 /* Check permissions for the transition. */
5574 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5575 PROCESS__DYNTRANSITION, NULL);
5579 /* Check for ptracing, and update the task SID if ok.
5580 Otherwise, leave SID unchanged and fail. */
5583 tracer = ptrace_parent(p);
5585 ptsid = task_sid(tracer);
5589 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5590 PROCESS__PTRACE, NULL);
5609 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5611 return security_sid_to_context(secid, secdata, seclen);
5614 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5616 return security_context_to_sid(secdata, seclen, secid);
5619 static void selinux_release_secctx(char *secdata, u32 seclen)
5625 * called with inode->i_mutex locked
5627 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5629 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5633 * called with inode->i_mutex locked
5635 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5637 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5640 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5643 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5652 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5653 unsigned long flags)
5655 const struct task_security_struct *tsec;
5656 struct key_security_struct *ksec;
5658 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5662 tsec = cred->security;
5663 if (tsec->keycreate_sid)
5664 ksec->sid = tsec->keycreate_sid;
5666 ksec->sid = tsec->sid;
5672 static void selinux_key_free(struct key *k)
5674 struct key_security_struct *ksec = k->security;
5680 static int selinux_key_permission(key_ref_t key_ref,
5681 const struct cred *cred,
5685 struct key_security_struct *ksec;
5688 /* if no specific permissions are requested, we skip the
5689 permission check. No serious, additional covert channels
5690 appear to be created. */
5694 sid = cred_sid(cred);
5696 key = key_ref_to_ptr(key_ref);
5697 ksec = key->security;
5699 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5702 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5704 struct key_security_struct *ksec = key->security;
5705 char *context = NULL;
5709 rc = security_sid_to_context(ksec->sid, &context, &len);
5718 static struct security_operations selinux_ops = {
5721 .binder_set_context_mgr = selinux_binder_set_context_mgr,
5722 .binder_transaction = selinux_binder_transaction,
5723 .binder_transfer_binder = selinux_binder_transfer_binder,
5724 .binder_transfer_file = selinux_binder_transfer_file,
5726 .ptrace_access_check = selinux_ptrace_access_check,
5727 .ptrace_traceme = selinux_ptrace_traceme,
5728 .capget = selinux_capget,
5729 .capset = selinux_capset,
5730 .capable = selinux_capable,
5731 .quotactl = selinux_quotactl,
5732 .quota_on = selinux_quota_on,
5733 .syslog = selinux_syslog,
5734 .vm_enough_memory = selinux_vm_enough_memory,
5736 .netlink_send = selinux_netlink_send,
5738 .bprm_set_creds = selinux_bprm_set_creds,
5739 .bprm_committing_creds = selinux_bprm_committing_creds,
5740 .bprm_committed_creds = selinux_bprm_committed_creds,
5741 .bprm_secureexec = selinux_bprm_secureexec,
5743 .sb_alloc_security = selinux_sb_alloc_security,
5744 .sb_free_security = selinux_sb_free_security,
5745 .sb_copy_data = selinux_sb_copy_data,
5746 .sb_remount = selinux_sb_remount,
5747 .sb_kern_mount = selinux_sb_kern_mount,
5748 .sb_show_options = selinux_sb_show_options,
5749 .sb_statfs = selinux_sb_statfs,
5750 .sb_mount = selinux_mount,
5751 .sb_umount = selinux_umount,
5752 .sb_set_mnt_opts = selinux_set_mnt_opts,
5753 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5754 .sb_parse_opts_str = selinux_parse_opts_str,
5757 .inode_alloc_security = selinux_inode_alloc_security,
5758 .inode_free_security = selinux_inode_free_security,
5759 .inode_init_security = selinux_inode_init_security,
5760 .inode_create = selinux_inode_create,
5761 .inode_link = selinux_inode_link,
5762 .inode_unlink = selinux_inode_unlink,
5763 .inode_symlink = selinux_inode_symlink,
5764 .inode_mkdir = selinux_inode_mkdir,
5765 .inode_rmdir = selinux_inode_rmdir,
5766 .inode_mknod = selinux_inode_mknod,
5767 .inode_rename = selinux_inode_rename,
5768 .inode_readlink = selinux_inode_readlink,
5769 .inode_follow_link = selinux_inode_follow_link,
5770 .inode_permission = selinux_inode_permission,
5771 .inode_setattr = selinux_inode_setattr,
5772 .inode_getattr = selinux_inode_getattr,
5773 .inode_setxattr = selinux_inode_setxattr,
5774 .inode_post_setxattr = selinux_inode_post_setxattr,
5775 .inode_getxattr = selinux_inode_getxattr,
5776 .inode_listxattr = selinux_inode_listxattr,
5777 .inode_removexattr = selinux_inode_removexattr,
5778 .inode_getsecurity = selinux_inode_getsecurity,
5779 .inode_setsecurity = selinux_inode_setsecurity,
5780 .inode_listsecurity = selinux_inode_listsecurity,
5781 .inode_getsecid = selinux_inode_getsecid,
5783 .file_permission = selinux_file_permission,
5784 .file_alloc_security = selinux_file_alloc_security,
5785 .file_free_security = selinux_file_free_security,
5786 .file_ioctl = selinux_file_ioctl,
5787 .mmap_file = selinux_mmap_file,
5788 .mmap_addr = selinux_mmap_addr,
5789 .file_mprotect = selinux_file_mprotect,
5790 .file_lock = selinux_file_lock,
5791 .file_fcntl = selinux_file_fcntl,
5792 .file_set_fowner = selinux_file_set_fowner,
5793 .file_send_sigiotask = selinux_file_send_sigiotask,
5794 .file_receive = selinux_file_receive,
5796 .file_open = selinux_file_open,
5798 .task_create = selinux_task_create,
5799 .cred_alloc_blank = selinux_cred_alloc_blank,
5800 .cred_free = selinux_cred_free,
5801 .cred_prepare = selinux_cred_prepare,
5802 .cred_transfer = selinux_cred_transfer,
5803 .kernel_act_as = selinux_kernel_act_as,
5804 .kernel_create_files_as = selinux_kernel_create_files_as,
5805 .kernel_module_request = selinux_kernel_module_request,
5806 .task_setpgid = selinux_task_setpgid,
5807 .task_getpgid = selinux_task_getpgid,
5808 .task_getsid = selinux_task_getsid,
5809 .task_getsecid = selinux_task_getsecid,
5810 .task_setnice = selinux_task_setnice,
5811 .task_setioprio = selinux_task_setioprio,
5812 .task_getioprio = selinux_task_getioprio,
5813 .task_setrlimit = selinux_task_setrlimit,
5814 .task_setscheduler = selinux_task_setscheduler,
5815 .task_getscheduler = selinux_task_getscheduler,
5816 .task_movememory = selinux_task_movememory,
5817 .task_kill = selinux_task_kill,
5818 .task_wait = selinux_task_wait,
5819 .task_to_inode = selinux_task_to_inode,
5821 .ipc_permission = selinux_ipc_permission,
5822 .ipc_getsecid = selinux_ipc_getsecid,
5824 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5825 .msg_msg_free_security = selinux_msg_msg_free_security,
5827 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5828 .msg_queue_free_security = selinux_msg_queue_free_security,
5829 .msg_queue_associate = selinux_msg_queue_associate,
5830 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5831 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5832 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5834 .shm_alloc_security = selinux_shm_alloc_security,
5835 .shm_free_security = selinux_shm_free_security,
5836 .shm_associate = selinux_shm_associate,
5837 .shm_shmctl = selinux_shm_shmctl,
5838 .shm_shmat = selinux_shm_shmat,
5840 .sem_alloc_security = selinux_sem_alloc_security,
5841 .sem_free_security = selinux_sem_free_security,
5842 .sem_associate = selinux_sem_associate,
5843 .sem_semctl = selinux_sem_semctl,
5844 .sem_semop = selinux_sem_semop,
5846 .d_instantiate = selinux_d_instantiate,
5848 .getprocattr = selinux_getprocattr,
5849 .setprocattr = selinux_setprocattr,
5851 .secid_to_secctx = selinux_secid_to_secctx,
5852 .secctx_to_secid = selinux_secctx_to_secid,
5853 .release_secctx = selinux_release_secctx,
5854 .inode_notifysecctx = selinux_inode_notifysecctx,
5855 .inode_setsecctx = selinux_inode_setsecctx,
5856 .inode_getsecctx = selinux_inode_getsecctx,
5858 .unix_stream_connect = selinux_socket_unix_stream_connect,
5859 .unix_may_send = selinux_socket_unix_may_send,
5861 .socket_create = selinux_socket_create,
5862 .socket_post_create = selinux_socket_post_create,
5863 .socket_bind = selinux_socket_bind,
5864 .socket_connect = selinux_socket_connect,
5865 .socket_listen = selinux_socket_listen,
5866 .socket_accept = selinux_socket_accept,
5867 .socket_sendmsg = selinux_socket_sendmsg,
5868 .socket_recvmsg = selinux_socket_recvmsg,
5869 .socket_getsockname = selinux_socket_getsockname,
5870 .socket_getpeername = selinux_socket_getpeername,
5871 .socket_getsockopt = selinux_socket_getsockopt,
5872 .socket_setsockopt = selinux_socket_setsockopt,
5873 .socket_shutdown = selinux_socket_shutdown,
5874 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5875 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5876 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5877 .sk_alloc_security = selinux_sk_alloc_security,
5878 .sk_free_security = selinux_sk_free_security,
5879 .sk_clone_security = selinux_sk_clone_security,
5880 .sk_getsecid = selinux_sk_getsecid,
5881 .sock_graft = selinux_sock_graft,
5882 .inet_conn_request = selinux_inet_conn_request,
5883 .inet_csk_clone = selinux_inet_csk_clone,
5884 .inet_conn_established = selinux_inet_conn_established,
5885 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5886 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5887 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5888 .req_classify_flow = selinux_req_classify_flow,
5889 .tun_dev_alloc_security = selinux_tun_dev_alloc_security,
5890 .tun_dev_free_security = selinux_tun_dev_free_security,
5891 .tun_dev_create = selinux_tun_dev_create,
5892 .tun_dev_attach_queue = selinux_tun_dev_attach_queue,
5893 .tun_dev_attach = selinux_tun_dev_attach,
5894 .tun_dev_open = selinux_tun_dev_open,
5895 .skb_owned_by = selinux_skb_owned_by,
5897 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5898 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5899 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5900 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5901 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5902 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5903 .xfrm_state_free_security = selinux_xfrm_state_free,
5904 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5905 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5906 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5907 .xfrm_decode_session = selinux_xfrm_decode_session,
5911 .key_alloc = selinux_key_alloc,
5912 .key_free = selinux_key_free,
5913 .key_permission = selinux_key_permission,
5914 .key_getsecurity = selinux_key_getsecurity,
5918 .audit_rule_init = selinux_audit_rule_init,
5919 .audit_rule_known = selinux_audit_rule_known,
5920 .audit_rule_match = selinux_audit_rule_match,
5921 .audit_rule_free = selinux_audit_rule_free,
5925 static __init int selinux_init(void)
5927 if (!security_module_enable(&selinux_ops)) {
5928 selinux_enabled = 0;
5932 if (!selinux_enabled) {
5933 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5937 printk(KERN_INFO "SELinux: Initializing.\n");
5939 /* Set the security state for the initial task. */
5940 cred_init_security();
5942 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5944 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5945 sizeof(struct inode_security_struct),
5946 0, SLAB_PANIC, NULL);
5949 if (register_security(&selinux_ops))
5950 panic("SELinux: Unable to register with kernel.\n");
5952 if (selinux_enforcing)
5953 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5955 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5960 static void delayed_superblock_init(struct super_block *sb, void *unused)
5962 superblock_doinit(sb, NULL);
5965 void selinux_complete_init(void)
5967 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5969 /* Set up any superblocks initialized prior to the policy load. */
5970 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5971 iterate_supers(delayed_superblock_init, NULL);
5974 /* SELinux requires early initialization in order to label
5975 all processes and objects when they are created. */
5976 security_initcall(selinux_init);
5978 #if defined(CONFIG_NETFILTER)
5980 static struct nf_hook_ops selinux_ipv4_ops[] = {
5982 .hook = selinux_ipv4_postroute,
5983 .owner = THIS_MODULE,
5985 .hooknum = NF_INET_POST_ROUTING,
5986 .priority = NF_IP_PRI_SELINUX_LAST,
5989 .hook = selinux_ipv4_forward,
5990 .owner = THIS_MODULE,
5992 .hooknum = NF_INET_FORWARD,
5993 .priority = NF_IP_PRI_SELINUX_FIRST,
5996 .hook = selinux_ipv4_output,
5997 .owner = THIS_MODULE,
5999 .hooknum = NF_INET_LOCAL_OUT,
6000 .priority = NF_IP_PRI_SELINUX_FIRST,
6004 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6006 static struct nf_hook_ops selinux_ipv6_ops[] = {
6008 .hook = selinux_ipv6_postroute,
6009 .owner = THIS_MODULE,
6011 .hooknum = NF_INET_POST_ROUTING,
6012 .priority = NF_IP6_PRI_SELINUX_LAST,
6015 .hook = selinux_ipv6_forward,
6016 .owner = THIS_MODULE,
6018 .hooknum = NF_INET_FORWARD,
6019 .priority = NF_IP6_PRI_SELINUX_FIRST,
6025 static int __init selinux_nf_ip_init(void)
6029 if (!selinux_enabled)
6032 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6034 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
6036 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
6038 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6039 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
6041 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
6048 __initcall(selinux_nf_ip_init);
6050 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6051 static void selinux_nf_ip_exit(void)
6053 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6055 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
6056 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6057 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
6062 #else /* CONFIG_NETFILTER */
6064 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6065 #define selinux_nf_ip_exit()
6068 #endif /* CONFIG_NETFILTER */
6070 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6071 static int selinux_disabled;
6073 int selinux_disable(void)
6075 if (ss_initialized) {
6076 /* Not permitted after initial policy load. */
6080 if (selinux_disabled) {
6081 /* Only do this once. */
6085 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6087 selinux_disabled = 1;
6088 selinux_enabled = 0;
6090 reset_security_ops();
6092 /* Try to destroy the avc node cache */
6095 /* Unregister netfilter hooks. */
6096 selinux_nf_ip_exit();
6098 /* Unregister selinuxfs. */