2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul.moore@hp.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/ext2_fs.h>
32 #include <linux/sched.h>
33 #include <linux/security.h>
34 #include <linux/xattr.h>
35 #include <linux/capability.h>
36 #include <linux/unistd.h>
38 #include <linux/mman.h>
39 #include <linux/slab.h>
40 #include <linux/pagemap.h>
41 #include <linux/proc_fs.h>
42 #include <linux/swap.h>
43 #include <linux/spinlock.h>
44 #include <linux/syscalls.h>
45 #include <linux/dcache.h>
46 #include <linux/file.h>
47 #include <linux/fdtable.h>
48 #include <linux/namei.h>
49 #include <linux/mount.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
54 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <asm/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <linux/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
92 #define NUM_SEL_MNT_OPTS 5
94 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
95 extern struct security_operations *security_ops;
97 /* SECMARK reference count */
98 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
103 static int __init enforcing_setup(char *str)
105 unsigned long enforcing;
106 if (!strict_strtoul(str, 0, &enforcing))
107 selinux_enforcing = enforcing ? 1 : 0;
110 __setup("enforcing=", enforcing_setup);
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116 static int __init selinux_enabled_setup(char *str)
118 unsigned long enabled;
119 if (!strict_strtoul(str, 0, &enabled))
120 selinux_enabled = enabled ? 1 : 0;
123 __setup("selinux=", selinux_enabled_setup);
125 int selinux_enabled = 1;
128 static struct kmem_cache *sel_inode_cache;
131 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
134 * This function checks the SECMARK reference counter to see if any SECMARK
135 * targets are currently configured, if the reference counter is greater than
136 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
137 * enabled, false (0) if SECMARK is disabled.
140 static int selinux_secmark_enabled(void)
142 return (atomic_read(&selinux_secmark_refcount) > 0);
146 * initialise the security for the init task
148 static void cred_init_security(void)
150 struct cred *cred = (struct cred *) current->real_cred;
151 struct task_security_struct *tsec;
153 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
155 panic("SELinux: Failed to initialize initial task.\n");
157 tsec->osid = tsec->sid = SECINITSID_KERNEL;
158 cred->security = tsec;
162 * get the security ID of a set of credentials
164 static inline u32 cred_sid(const struct cred *cred)
166 const struct task_security_struct *tsec;
168 tsec = cred->security;
173 * get the objective security ID of a task
175 static inline u32 task_sid(const struct task_struct *task)
180 sid = cred_sid(__task_cred(task));
186 * get the subjective security ID of the current task
188 static inline u32 current_sid(void)
190 const struct task_security_struct *tsec = current_security();
195 /* Allocate and free functions for each kind of security blob. */
197 static int inode_alloc_security(struct inode *inode)
199 struct inode_security_struct *isec;
200 u32 sid = current_sid();
202 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
206 mutex_init(&isec->lock);
207 INIT_LIST_HEAD(&isec->list);
209 isec->sid = SECINITSID_UNLABELED;
210 isec->sclass = SECCLASS_FILE;
211 isec->task_sid = sid;
212 inode->i_security = isec;
217 static void inode_free_security(struct inode *inode)
219 struct inode_security_struct *isec = inode->i_security;
220 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
222 spin_lock(&sbsec->isec_lock);
223 if (!list_empty(&isec->list))
224 list_del_init(&isec->list);
225 spin_unlock(&sbsec->isec_lock);
227 inode->i_security = NULL;
228 kmem_cache_free(sel_inode_cache, isec);
231 static int file_alloc_security(struct file *file)
233 struct file_security_struct *fsec;
234 u32 sid = current_sid();
236 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
241 fsec->fown_sid = sid;
242 file->f_security = fsec;
247 static void file_free_security(struct file *file)
249 struct file_security_struct *fsec = file->f_security;
250 file->f_security = NULL;
254 static int superblock_alloc_security(struct super_block *sb)
256 struct superblock_security_struct *sbsec;
258 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
262 mutex_init(&sbsec->lock);
263 INIT_LIST_HEAD(&sbsec->isec_head);
264 spin_lock_init(&sbsec->isec_lock);
266 sbsec->sid = SECINITSID_UNLABELED;
267 sbsec->def_sid = SECINITSID_FILE;
268 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
269 sb->s_security = sbsec;
274 static void superblock_free_security(struct super_block *sb)
276 struct superblock_security_struct *sbsec = sb->s_security;
277 sb->s_security = NULL;
281 /* The security server must be initialized before
282 any labeling or access decisions can be provided. */
283 extern int ss_initialized;
285 /* The file system's label must be initialized prior to use. */
287 static const char *labeling_behaviors[6] = {
289 "uses transition SIDs",
291 "uses genfs_contexts",
292 "not configured for labeling",
293 "uses mountpoint labeling",
296 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
298 static inline int inode_doinit(struct inode *inode)
300 return inode_doinit_with_dentry(inode, NULL);
309 Opt_labelsupport = 5,
312 static const match_table_t tokens = {
313 {Opt_context, CONTEXT_STR "%s"},
314 {Opt_fscontext, FSCONTEXT_STR "%s"},
315 {Opt_defcontext, DEFCONTEXT_STR "%s"},
316 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
317 {Opt_labelsupport, LABELSUPP_STR},
321 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
323 static int may_context_mount_sb_relabel(u32 sid,
324 struct superblock_security_struct *sbsec,
325 const struct cred *cred)
327 const struct task_security_struct *tsec = cred->security;
330 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
331 FILESYSTEM__RELABELFROM, NULL);
335 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
336 FILESYSTEM__RELABELTO, NULL);
340 static int may_context_mount_inode_relabel(u32 sid,
341 struct superblock_security_struct *sbsec,
342 const struct cred *cred)
344 const struct task_security_struct *tsec = cred->security;
346 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
347 FILESYSTEM__RELABELFROM, NULL);
351 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
352 FILESYSTEM__ASSOCIATE, NULL);
356 static int sb_finish_set_opts(struct super_block *sb)
358 struct superblock_security_struct *sbsec = sb->s_security;
359 struct dentry *root = sb->s_root;
360 struct inode *root_inode = root->d_inode;
363 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
364 /* Make sure that the xattr handler exists and that no
365 error other than -ENODATA is returned by getxattr on
366 the root directory. -ENODATA is ok, as this may be
367 the first boot of the SELinux kernel before we have
368 assigned xattr values to the filesystem. */
369 if (!root_inode->i_op->getxattr) {
370 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
371 "xattr support\n", sb->s_id, sb->s_type->name);
375 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
376 if (rc < 0 && rc != -ENODATA) {
377 if (rc == -EOPNOTSUPP)
378 printk(KERN_WARNING "SELinux: (dev %s, type "
379 "%s) has no security xattr handler\n",
380 sb->s_id, sb->s_type->name);
382 printk(KERN_WARNING "SELinux: (dev %s, type "
383 "%s) getxattr errno %d\n", sb->s_id,
384 sb->s_type->name, -rc);
389 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
391 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
392 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
393 sb->s_id, sb->s_type->name);
395 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
396 sb->s_id, sb->s_type->name,
397 labeling_behaviors[sbsec->behavior-1]);
399 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
400 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
401 sbsec->behavior == SECURITY_FS_USE_NONE ||
402 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403 sbsec->flags &= ~SE_SBLABELSUPP;
405 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
406 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
407 sbsec->flags |= SE_SBLABELSUPP;
409 /* Initialize the root inode. */
410 rc = inode_doinit_with_dentry(root_inode, root);
412 /* Initialize any other inodes associated with the superblock, e.g.
413 inodes created prior to initial policy load or inodes created
414 during get_sb by a pseudo filesystem that directly
416 spin_lock(&sbsec->isec_lock);
418 if (!list_empty(&sbsec->isec_head)) {
419 struct inode_security_struct *isec =
420 list_entry(sbsec->isec_head.next,
421 struct inode_security_struct, list);
422 struct inode *inode = isec->inode;
423 spin_unlock(&sbsec->isec_lock);
424 inode = igrab(inode);
426 if (!IS_PRIVATE(inode))
430 spin_lock(&sbsec->isec_lock);
431 list_del_init(&isec->list);
434 spin_unlock(&sbsec->isec_lock);
440 * This function should allow an FS to ask what it's mount security
441 * options were so it can use those later for submounts, displaying
442 * mount options, or whatever.
444 static int selinux_get_mnt_opts(const struct super_block *sb,
445 struct security_mnt_opts *opts)
448 struct superblock_security_struct *sbsec = sb->s_security;
449 char *context = NULL;
453 security_init_mnt_opts(opts);
455 if (!(sbsec->flags & SE_SBINITIALIZED))
461 tmp = sbsec->flags & SE_MNTMASK;
462 /* count the number of mount options for this sb */
463 for (i = 0; i < 8; i++) {
465 opts->num_mnt_opts++;
468 /* Check if the Label support flag is set */
469 if (sbsec->flags & SE_SBLABELSUPP)
470 opts->num_mnt_opts++;
472 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
473 if (!opts->mnt_opts) {
478 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
479 if (!opts->mnt_opts_flags) {
485 if (sbsec->flags & FSCONTEXT_MNT) {
486 rc = security_sid_to_context(sbsec->sid, &context, &len);
489 opts->mnt_opts[i] = context;
490 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
492 if (sbsec->flags & CONTEXT_MNT) {
493 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
496 opts->mnt_opts[i] = context;
497 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
499 if (sbsec->flags & DEFCONTEXT_MNT) {
500 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
503 opts->mnt_opts[i] = context;
504 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
506 if (sbsec->flags & ROOTCONTEXT_MNT) {
507 struct inode *root = sbsec->sb->s_root->d_inode;
508 struct inode_security_struct *isec = root->i_security;
510 rc = security_sid_to_context(isec->sid, &context, &len);
513 opts->mnt_opts[i] = context;
514 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
516 if (sbsec->flags & SE_SBLABELSUPP) {
517 opts->mnt_opts[i] = NULL;
518 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
521 BUG_ON(i != opts->num_mnt_opts);
526 security_free_mnt_opts(opts);
530 static int bad_option(struct superblock_security_struct *sbsec, char flag,
531 u32 old_sid, u32 new_sid)
533 char mnt_flags = sbsec->flags & SE_MNTMASK;
535 /* check if the old mount command had the same options */
536 if (sbsec->flags & SE_SBINITIALIZED)
537 if (!(sbsec->flags & flag) ||
538 (old_sid != new_sid))
541 /* check if we were passed the same options twice,
542 * aka someone passed context=a,context=b
544 if (!(sbsec->flags & SE_SBINITIALIZED))
545 if (mnt_flags & flag)
551 * Allow filesystems with binary mount data to explicitly set mount point
552 * labeling information.
554 static int selinux_set_mnt_opts(struct super_block *sb,
555 struct security_mnt_opts *opts)
557 const struct cred *cred = current_cred();
559 struct superblock_security_struct *sbsec = sb->s_security;
560 const char *name = sb->s_type->name;
561 struct inode *inode = sbsec->sb->s_root->d_inode;
562 struct inode_security_struct *root_isec = inode->i_security;
563 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
564 u32 defcontext_sid = 0;
565 char **mount_options = opts->mnt_opts;
566 int *flags = opts->mnt_opts_flags;
567 int num_opts = opts->num_mnt_opts;
569 mutex_lock(&sbsec->lock);
571 if (!ss_initialized) {
573 /* Defer initialization until selinux_complete_init,
574 after the initial policy is loaded and the security
575 server is ready to handle calls. */
579 printk(KERN_WARNING "SELinux: Unable to set superblock options "
580 "before the security server is initialized\n");
585 * Binary mount data FS will come through this function twice. Once
586 * from an explicit call and once from the generic calls from the vfs.
587 * Since the generic VFS calls will not contain any security mount data
588 * we need to skip the double mount verification.
590 * This does open a hole in which we will not notice if the first
591 * mount using this sb set explict options and a second mount using
592 * this sb does not set any security options. (The first options
593 * will be used for both mounts)
595 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
600 * parse the mount options, check if they are valid sids.
601 * also check if someone is trying to mount the same sb more
602 * than once with different security options.
604 for (i = 0; i < num_opts; i++) {
607 if (flags[i] == SE_SBLABELSUPP)
609 rc = security_context_to_sid(mount_options[i],
610 strlen(mount_options[i]), &sid);
612 printk(KERN_WARNING "SELinux: security_context_to_sid"
613 "(%s) failed for (dev %s, type %s) errno=%d\n",
614 mount_options[i], sb->s_id, name, rc);
621 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
623 goto out_double_mount;
625 sbsec->flags |= FSCONTEXT_MNT;
630 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
632 goto out_double_mount;
634 sbsec->flags |= CONTEXT_MNT;
636 case ROOTCONTEXT_MNT:
637 rootcontext_sid = sid;
639 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
641 goto out_double_mount;
643 sbsec->flags |= ROOTCONTEXT_MNT;
647 defcontext_sid = sid;
649 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
651 goto out_double_mount;
653 sbsec->flags |= DEFCONTEXT_MNT;
662 if (sbsec->flags & SE_SBINITIALIZED) {
663 /* previously mounted with options, but not on this attempt? */
664 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
665 goto out_double_mount;
670 if (strcmp(sb->s_type->name, "proc") == 0)
671 sbsec->flags |= SE_SBPROC;
673 /* Determine the labeling behavior to use for this filesystem type. */
674 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
676 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
677 __func__, sb->s_type->name, rc);
681 /* sets the context of the superblock for the fs being mounted. */
683 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
687 sbsec->sid = fscontext_sid;
691 * Switch to using mount point labeling behavior.
692 * sets the label used on all file below the mountpoint, and will set
693 * the superblock context if not already set.
696 if (!fscontext_sid) {
697 rc = may_context_mount_sb_relabel(context_sid, sbsec,
701 sbsec->sid = context_sid;
703 rc = may_context_mount_inode_relabel(context_sid, sbsec,
708 if (!rootcontext_sid)
709 rootcontext_sid = context_sid;
711 sbsec->mntpoint_sid = context_sid;
712 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
715 if (rootcontext_sid) {
716 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
721 root_isec->sid = rootcontext_sid;
722 root_isec->initialized = 1;
725 if (defcontext_sid) {
726 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
728 printk(KERN_WARNING "SELinux: defcontext option is "
729 "invalid for this filesystem type\n");
733 if (defcontext_sid != sbsec->def_sid) {
734 rc = may_context_mount_inode_relabel(defcontext_sid,
740 sbsec->def_sid = defcontext_sid;
743 rc = sb_finish_set_opts(sb);
745 mutex_unlock(&sbsec->lock);
749 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
750 "security settings for (dev %s, type %s)\n", sb->s_id, name);
754 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
755 struct super_block *newsb)
757 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
758 struct superblock_security_struct *newsbsec = newsb->s_security;
760 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
761 int set_context = (oldsbsec->flags & CONTEXT_MNT);
762 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
765 * if the parent was able to be mounted it clearly had no special lsm
766 * mount options. thus we can safely deal with this superblock later
771 /* how can we clone if the old one wasn't set up?? */
772 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
774 /* if fs is reusing a sb, just let its options stand... */
775 if (newsbsec->flags & SE_SBINITIALIZED)
778 mutex_lock(&newsbsec->lock);
780 newsbsec->flags = oldsbsec->flags;
782 newsbsec->sid = oldsbsec->sid;
783 newsbsec->def_sid = oldsbsec->def_sid;
784 newsbsec->behavior = oldsbsec->behavior;
787 u32 sid = oldsbsec->mntpoint_sid;
791 if (!set_rootcontext) {
792 struct inode *newinode = newsb->s_root->d_inode;
793 struct inode_security_struct *newisec = newinode->i_security;
796 newsbsec->mntpoint_sid = sid;
798 if (set_rootcontext) {
799 const struct inode *oldinode = oldsb->s_root->d_inode;
800 const struct inode_security_struct *oldisec = oldinode->i_security;
801 struct inode *newinode = newsb->s_root->d_inode;
802 struct inode_security_struct *newisec = newinode->i_security;
804 newisec->sid = oldisec->sid;
807 sb_finish_set_opts(newsb);
808 mutex_unlock(&newsbsec->lock);
811 static int selinux_parse_opts_str(char *options,
812 struct security_mnt_opts *opts)
815 char *context = NULL, *defcontext = NULL;
816 char *fscontext = NULL, *rootcontext = NULL;
817 int rc, num_mnt_opts = 0;
819 opts->num_mnt_opts = 0;
821 /* Standard string-based options. */
822 while ((p = strsep(&options, "|")) != NULL) {
824 substring_t args[MAX_OPT_ARGS];
829 token = match_token(p, tokens, args);
833 if (context || defcontext) {
835 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
838 context = match_strdup(&args[0]);
848 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
851 fscontext = match_strdup(&args[0]);
858 case Opt_rootcontext:
861 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
864 rootcontext = match_strdup(&args[0]);
872 if (context || defcontext) {
874 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
877 defcontext = match_strdup(&args[0]);
883 case Opt_labelsupport:
887 printk(KERN_WARNING "SELinux: unknown mount option\n");
894 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
898 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
899 if (!opts->mnt_opts_flags) {
900 kfree(opts->mnt_opts);
905 opts->mnt_opts[num_mnt_opts] = fscontext;
906 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
909 opts->mnt_opts[num_mnt_opts] = context;
910 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
913 opts->mnt_opts[num_mnt_opts] = rootcontext;
914 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
917 opts->mnt_opts[num_mnt_opts] = defcontext;
918 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
921 opts->num_mnt_opts = num_mnt_opts;
932 * string mount options parsing and call set the sbsec
934 static int superblock_doinit(struct super_block *sb, void *data)
937 char *options = data;
938 struct security_mnt_opts opts;
940 security_init_mnt_opts(&opts);
945 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
947 rc = selinux_parse_opts_str(options, &opts);
952 rc = selinux_set_mnt_opts(sb, &opts);
955 security_free_mnt_opts(&opts);
959 static void selinux_write_opts(struct seq_file *m,
960 struct security_mnt_opts *opts)
965 for (i = 0; i < opts->num_mnt_opts; i++) {
968 if (opts->mnt_opts[i])
969 has_comma = strchr(opts->mnt_opts[i], ',');
973 switch (opts->mnt_opts_flags[i]) {
975 prefix = CONTEXT_STR;
978 prefix = FSCONTEXT_STR;
980 case ROOTCONTEXT_MNT:
981 prefix = ROOTCONTEXT_STR;
984 prefix = DEFCONTEXT_STR;
988 seq_puts(m, LABELSUPP_STR);
993 /* we need a comma before each option */
998 seq_puts(m, opts->mnt_opts[i]);
1004 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1006 struct security_mnt_opts opts;
1009 rc = selinux_get_mnt_opts(sb, &opts);
1011 /* before policy load we may get EINVAL, don't show anything */
1017 selinux_write_opts(m, &opts);
1019 security_free_mnt_opts(&opts);
1024 static inline u16 inode_mode_to_security_class(umode_t mode)
1026 switch (mode & S_IFMT) {
1028 return SECCLASS_SOCK_FILE;
1030 return SECCLASS_LNK_FILE;
1032 return SECCLASS_FILE;
1034 return SECCLASS_BLK_FILE;
1036 return SECCLASS_DIR;
1038 return SECCLASS_CHR_FILE;
1040 return SECCLASS_FIFO_FILE;
1044 return SECCLASS_FILE;
1047 static inline int default_protocol_stream(int protocol)
1049 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1052 static inline int default_protocol_dgram(int protocol)
1054 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1057 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1063 case SOCK_SEQPACKET:
1064 return SECCLASS_UNIX_STREAM_SOCKET;
1066 return SECCLASS_UNIX_DGRAM_SOCKET;
1073 if (default_protocol_stream(protocol))
1074 return SECCLASS_TCP_SOCKET;
1076 return SECCLASS_RAWIP_SOCKET;
1078 if (default_protocol_dgram(protocol))
1079 return SECCLASS_UDP_SOCKET;
1081 return SECCLASS_RAWIP_SOCKET;
1083 return SECCLASS_DCCP_SOCKET;
1085 return SECCLASS_RAWIP_SOCKET;
1091 return SECCLASS_NETLINK_ROUTE_SOCKET;
1092 case NETLINK_FIREWALL:
1093 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1094 case NETLINK_INET_DIAG:
1095 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1097 return SECCLASS_NETLINK_NFLOG_SOCKET;
1099 return SECCLASS_NETLINK_XFRM_SOCKET;
1100 case NETLINK_SELINUX:
1101 return SECCLASS_NETLINK_SELINUX_SOCKET;
1103 return SECCLASS_NETLINK_AUDIT_SOCKET;
1104 case NETLINK_IP6_FW:
1105 return SECCLASS_NETLINK_IP6FW_SOCKET;
1106 case NETLINK_DNRTMSG:
1107 return SECCLASS_NETLINK_DNRT_SOCKET;
1108 case NETLINK_KOBJECT_UEVENT:
1109 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1111 return SECCLASS_NETLINK_SOCKET;
1114 return SECCLASS_PACKET_SOCKET;
1116 return SECCLASS_KEY_SOCKET;
1118 return SECCLASS_APPLETALK_SOCKET;
1121 return SECCLASS_SOCKET;
1124 #ifdef CONFIG_PROC_FS
1125 static int selinux_proc_get_sid(struct dentry *dentry,
1130 char *buffer, *path;
1132 buffer = (char *)__get_free_page(GFP_KERNEL);
1136 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1140 /* each process gets a /proc/PID/ entry. Strip off the
1141 * PID part to get a valid selinux labeling.
1142 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1143 while (path[1] >= '0' && path[1] <= '9') {
1147 rc = security_genfs_sid("proc", path, tclass, sid);
1149 free_page((unsigned long)buffer);
1153 static int selinux_proc_get_sid(struct dentry *dentry,
1161 /* The inode's security attributes must be initialized before first use. */
1162 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1164 struct superblock_security_struct *sbsec = NULL;
1165 struct inode_security_struct *isec = inode->i_security;
1167 struct dentry *dentry;
1168 #define INITCONTEXTLEN 255
1169 char *context = NULL;
1173 if (isec->initialized)
1176 mutex_lock(&isec->lock);
1177 if (isec->initialized)
1180 sbsec = inode->i_sb->s_security;
1181 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1182 /* Defer initialization until selinux_complete_init,
1183 after the initial policy is loaded and the security
1184 server is ready to handle calls. */
1185 spin_lock(&sbsec->isec_lock);
1186 if (list_empty(&isec->list))
1187 list_add(&isec->list, &sbsec->isec_head);
1188 spin_unlock(&sbsec->isec_lock);
1192 switch (sbsec->behavior) {
1193 case SECURITY_FS_USE_XATTR:
1194 if (!inode->i_op->getxattr) {
1195 isec->sid = sbsec->def_sid;
1199 /* Need a dentry, since the xattr API requires one.
1200 Life would be simpler if we could just pass the inode. */
1202 /* Called from d_instantiate or d_splice_alias. */
1203 dentry = dget(opt_dentry);
1205 /* Called from selinux_complete_init, try to find a dentry. */
1206 dentry = d_find_alias(inode);
1210 * this is can be hit on boot when a file is accessed
1211 * before the policy is loaded. When we load policy we
1212 * may find inodes that have no dentry on the
1213 * sbsec->isec_head list. No reason to complain as these
1214 * will get fixed up the next time we go through
1215 * inode_doinit with a dentry, before these inodes could
1216 * be used again by userspace.
1221 len = INITCONTEXTLEN;
1222 context = kmalloc(len+1, GFP_NOFS);
1228 context[len] = '\0';
1229 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1231 if (rc == -ERANGE) {
1234 /* Need a larger buffer. Query for the right size. */
1235 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1242 context = kmalloc(len+1, GFP_NOFS);
1248 context[len] = '\0';
1249 rc = inode->i_op->getxattr(dentry,
1255 if (rc != -ENODATA) {
1256 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1257 "%d for dev=%s ino=%ld\n", __func__,
1258 -rc, inode->i_sb->s_id, inode->i_ino);
1262 /* Map ENODATA to the default file SID */
1263 sid = sbsec->def_sid;
1266 rc = security_context_to_sid_default(context, rc, &sid,
1270 char *dev = inode->i_sb->s_id;
1271 unsigned long ino = inode->i_ino;
1273 if (rc == -EINVAL) {
1274 if (printk_ratelimit())
1275 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1276 "context=%s. This indicates you may need to relabel the inode or the "
1277 "filesystem in question.\n", ino, dev, context);
1279 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1280 "returned %d for dev=%s ino=%ld\n",
1281 __func__, context, -rc, dev, ino);
1284 /* Leave with the unlabeled SID */
1292 case SECURITY_FS_USE_TASK:
1293 isec->sid = isec->task_sid;
1295 case SECURITY_FS_USE_TRANS:
1296 /* Default to the fs SID. */
1297 isec->sid = sbsec->sid;
1299 /* Try to obtain a transition SID. */
1300 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1301 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1302 isec->sclass, NULL, &sid);
1307 case SECURITY_FS_USE_MNTPOINT:
1308 isec->sid = sbsec->mntpoint_sid;
1311 /* Default to the fs superblock SID. */
1312 isec->sid = sbsec->sid;
1314 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1316 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1317 rc = selinux_proc_get_sid(opt_dentry,
1328 isec->initialized = 1;
1331 mutex_unlock(&isec->lock);
1333 if (isec->sclass == SECCLASS_FILE)
1334 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1338 /* Convert a Linux signal to an access vector. */
1339 static inline u32 signal_to_av(int sig)
1345 /* Commonly granted from child to parent. */
1346 perm = PROCESS__SIGCHLD;
1349 /* Cannot be caught or ignored */
1350 perm = PROCESS__SIGKILL;
1353 /* Cannot be caught or ignored */
1354 perm = PROCESS__SIGSTOP;
1357 /* All other signals. */
1358 perm = PROCESS__SIGNAL;
1366 * Check permission between a pair of credentials
1367 * fork check, ptrace check, etc.
1369 static int cred_has_perm(const struct cred *actor,
1370 const struct cred *target,
1373 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1375 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1379 * Check permission between a pair of tasks, e.g. signal checks,
1380 * fork check, ptrace check, etc.
1381 * tsk1 is the actor and tsk2 is the target
1382 * - this uses the default subjective creds of tsk1
1384 static int task_has_perm(const struct task_struct *tsk1,
1385 const struct task_struct *tsk2,
1388 const struct task_security_struct *__tsec1, *__tsec2;
1392 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1393 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1395 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1399 * Check permission between current and another task, e.g. signal checks,
1400 * fork check, ptrace check, etc.
1401 * current is the actor and tsk2 is the target
1402 * - this uses current's subjective creds
1404 static int current_has_perm(const struct task_struct *tsk,
1409 sid = current_sid();
1410 tsid = task_sid(tsk);
1411 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1414 #if CAP_LAST_CAP > 63
1415 #error Fix SELinux to handle capabilities > 63.
1418 /* Check whether a task is allowed to use a capability. */
1419 static int task_has_capability(struct task_struct *tsk,
1420 const struct cred *cred,
1423 struct common_audit_data ad;
1424 struct av_decision avd;
1426 u32 sid = cred_sid(cred);
1427 u32 av = CAP_TO_MASK(cap);
1430 COMMON_AUDIT_DATA_INIT(&ad, CAP);
1434 switch (CAP_TO_INDEX(cap)) {
1436 sclass = SECCLASS_CAPABILITY;
1439 sclass = SECCLASS_CAPABILITY2;
1443 "SELinux: out of range capability %d\n", cap);
1447 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1448 if (audit == SECURITY_CAP_AUDIT)
1449 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1453 /* Check whether a task is allowed to use a system operation. */
1454 static int task_has_system(struct task_struct *tsk,
1457 u32 sid = task_sid(tsk);
1459 return avc_has_perm(sid, SECINITSID_KERNEL,
1460 SECCLASS_SYSTEM, perms, NULL);
1463 /* Check whether a task has a particular permission to an inode.
1464 The 'adp' parameter is optional and allows other audit
1465 data to be passed (e.g. the dentry). */
1466 static int inode_has_perm(const struct cred *cred,
1467 struct inode *inode,
1469 struct common_audit_data *adp)
1471 struct inode_security_struct *isec;
1472 struct common_audit_data ad;
1475 validate_creds(cred);
1477 if (unlikely(IS_PRIVATE(inode)))
1480 sid = cred_sid(cred);
1481 isec = inode->i_security;
1485 COMMON_AUDIT_DATA_INIT(&ad, FS);
1486 ad.u.fs.inode = inode;
1489 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1492 /* Same as inode_has_perm, but pass explicit audit data containing
1493 the dentry to help the auditing code to more easily generate the
1494 pathname if needed. */
1495 static inline int dentry_has_perm(const struct cred *cred,
1496 struct vfsmount *mnt,
1497 struct dentry *dentry,
1500 struct inode *inode = dentry->d_inode;
1501 struct common_audit_data ad;
1503 COMMON_AUDIT_DATA_INIT(&ad, FS);
1504 ad.u.fs.path.mnt = mnt;
1505 ad.u.fs.path.dentry = dentry;
1506 return inode_has_perm(cred, inode, av, &ad);
1509 /* Check whether a task can use an open file descriptor to
1510 access an inode in a given way. Check access to the
1511 descriptor itself, and then use dentry_has_perm to
1512 check a particular permission to the file.
1513 Access to the descriptor is implicitly granted if it
1514 has the same SID as the process. If av is zero, then
1515 access to the file is not checked, e.g. for cases
1516 where only the descriptor is affected like seek. */
1517 static int file_has_perm(const struct cred *cred,
1521 struct file_security_struct *fsec = file->f_security;
1522 struct inode *inode = file->f_path.dentry->d_inode;
1523 struct common_audit_data ad;
1524 u32 sid = cred_sid(cred);
1527 COMMON_AUDIT_DATA_INIT(&ad, FS);
1528 ad.u.fs.path = file->f_path;
1530 if (sid != fsec->sid) {
1531 rc = avc_has_perm(sid, fsec->sid,
1539 /* av is zero if only checking access to the descriptor. */
1542 rc = inode_has_perm(cred, inode, av, &ad);
1548 /* Check whether a task can create a file. */
1549 static int may_create(struct inode *dir,
1550 struct dentry *dentry,
1553 const struct task_security_struct *tsec = current_security();
1554 struct inode_security_struct *dsec;
1555 struct superblock_security_struct *sbsec;
1557 struct common_audit_data ad;
1560 dsec = dir->i_security;
1561 sbsec = dir->i_sb->s_security;
1564 newsid = tsec->create_sid;
1566 COMMON_AUDIT_DATA_INIT(&ad, FS);
1567 ad.u.fs.path.dentry = dentry;
1569 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1570 DIR__ADD_NAME | DIR__SEARCH,
1575 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1576 rc = security_transition_sid(sid, dsec->sid, tclass,
1577 &dentry->d_name, &newsid);
1582 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1586 return avc_has_perm(newsid, sbsec->sid,
1587 SECCLASS_FILESYSTEM,
1588 FILESYSTEM__ASSOCIATE, &ad);
1591 /* Check whether a task can create a key. */
1592 static int may_create_key(u32 ksid,
1593 struct task_struct *ctx)
1595 u32 sid = task_sid(ctx);
1597 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1601 #define MAY_UNLINK 1
1604 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1605 static int may_link(struct inode *dir,
1606 struct dentry *dentry,
1610 struct inode_security_struct *dsec, *isec;
1611 struct common_audit_data ad;
1612 u32 sid = current_sid();
1616 dsec = dir->i_security;
1617 isec = dentry->d_inode->i_security;
1619 COMMON_AUDIT_DATA_INIT(&ad, FS);
1620 ad.u.fs.path.dentry = dentry;
1623 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1624 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1639 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1644 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1648 static inline int may_rename(struct inode *old_dir,
1649 struct dentry *old_dentry,
1650 struct inode *new_dir,
1651 struct dentry *new_dentry)
1653 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1654 struct common_audit_data ad;
1655 u32 sid = current_sid();
1657 int old_is_dir, new_is_dir;
1660 old_dsec = old_dir->i_security;
1661 old_isec = old_dentry->d_inode->i_security;
1662 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1663 new_dsec = new_dir->i_security;
1665 COMMON_AUDIT_DATA_INIT(&ad, FS);
1667 ad.u.fs.path.dentry = old_dentry;
1668 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1669 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1672 rc = avc_has_perm(sid, old_isec->sid,
1673 old_isec->sclass, FILE__RENAME, &ad);
1676 if (old_is_dir && new_dir != old_dir) {
1677 rc = avc_has_perm(sid, old_isec->sid,
1678 old_isec->sclass, DIR__REPARENT, &ad);
1683 ad.u.fs.path.dentry = new_dentry;
1684 av = DIR__ADD_NAME | DIR__SEARCH;
1685 if (new_dentry->d_inode)
1686 av |= DIR__REMOVE_NAME;
1687 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1690 if (new_dentry->d_inode) {
1691 new_isec = new_dentry->d_inode->i_security;
1692 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1693 rc = avc_has_perm(sid, new_isec->sid,
1695 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1703 /* Check whether a task can perform a filesystem operation. */
1704 static int superblock_has_perm(const struct cred *cred,
1705 struct super_block *sb,
1707 struct common_audit_data *ad)
1709 struct superblock_security_struct *sbsec;
1710 u32 sid = cred_sid(cred);
1712 sbsec = sb->s_security;
1713 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1716 /* Convert a Linux mode and permission mask to an access vector. */
1717 static inline u32 file_mask_to_av(int mode, int mask)
1721 if ((mode & S_IFMT) != S_IFDIR) {
1722 if (mask & MAY_EXEC)
1723 av |= FILE__EXECUTE;
1724 if (mask & MAY_READ)
1727 if (mask & MAY_APPEND)
1729 else if (mask & MAY_WRITE)
1733 if (mask & MAY_EXEC)
1735 if (mask & MAY_WRITE)
1737 if (mask & MAY_READ)
1744 /* Convert a Linux file to an access vector. */
1745 static inline u32 file_to_av(struct file *file)
1749 if (file->f_mode & FMODE_READ)
1751 if (file->f_mode & FMODE_WRITE) {
1752 if (file->f_flags & O_APPEND)
1759 * Special file opened with flags 3 for ioctl-only use.
1768 * Convert a file to an access vector and include the correct open
1771 static inline u32 open_file_to_av(struct file *file)
1773 u32 av = file_to_av(file);
1775 if (selinux_policycap_openperm)
1781 /* Hook functions begin here. */
1783 static int selinux_ptrace_access_check(struct task_struct *child,
1788 rc = cap_ptrace_access_check(child, mode);
1792 if (mode == PTRACE_MODE_READ) {
1793 u32 sid = current_sid();
1794 u32 csid = task_sid(child);
1795 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1798 return current_has_perm(child, PROCESS__PTRACE);
1801 static int selinux_ptrace_traceme(struct task_struct *parent)
1805 rc = cap_ptrace_traceme(parent);
1809 return task_has_perm(parent, current, PROCESS__PTRACE);
1812 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1813 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1817 error = current_has_perm(target, PROCESS__GETCAP);
1821 return cap_capget(target, effective, inheritable, permitted);
1824 static int selinux_capset(struct cred *new, const struct cred *old,
1825 const kernel_cap_t *effective,
1826 const kernel_cap_t *inheritable,
1827 const kernel_cap_t *permitted)
1831 error = cap_capset(new, old,
1832 effective, inheritable, permitted);
1836 return cred_has_perm(old, new, PROCESS__SETCAP);
1840 * (This comment used to live with the selinux_task_setuid hook,
1841 * which was removed).
1843 * Since setuid only affects the current process, and since the SELinux
1844 * controls are not based on the Linux identity attributes, SELinux does not
1845 * need to control this operation. However, SELinux does control the use of
1846 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1849 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1854 rc = cap_capable(tsk, cred, cap, audit);
1858 return task_has_capability(tsk, cred, cap, audit);
1861 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1863 const struct cred *cred = current_cred();
1875 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1880 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1883 rc = 0; /* let the kernel handle invalid cmds */
1889 static int selinux_quota_on(struct dentry *dentry)
1891 const struct cred *cred = current_cred();
1893 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1896 static int selinux_syslog(int type)
1901 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1902 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1903 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1905 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1906 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
1907 /* Set level of messages printed to console */
1908 case SYSLOG_ACTION_CONSOLE_LEVEL:
1909 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1911 case SYSLOG_ACTION_CLOSE: /* Close log */
1912 case SYSLOG_ACTION_OPEN: /* Open log */
1913 case SYSLOG_ACTION_READ: /* Read from log */
1914 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
1915 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
1917 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1924 * Check that a process has enough memory to allocate a new virtual
1925 * mapping. 0 means there is enough memory for the allocation to
1926 * succeed and -ENOMEM implies there is not.
1928 * Do not audit the selinux permission check, as this is applied to all
1929 * processes that allocate mappings.
1931 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1933 int rc, cap_sys_admin = 0;
1935 rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
1936 SECURITY_CAP_NOAUDIT);
1940 return __vm_enough_memory(mm, pages, cap_sys_admin);
1943 /* binprm security operations */
1945 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1947 const struct task_security_struct *old_tsec;
1948 struct task_security_struct *new_tsec;
1949 struct inode_security_struct *isec;
1950 struct common_audit_data ad;
1951 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1954 rc = cap_bprm_set_creds(bprm);
1958 /* SELinux context only depends on initial program or script and not
1959 * the script interpreter */
1960 if (bprm->cred_prepared)
1963 old_tsec = current_security();
1964 new_tsec = bprm->cred->security;
1965 isec = inode->i_security;
1967 /* Default to the current task SID. */
1968 new_tsec->sid = old_tsec->sid;
1969 new_tsec->osid = old_tsec->sid;
1971 /* Reset fs, key, and sock SIDs on execve. */
1972 new_tsec->create_sid = 0;
1973 new_tsec->keycreate_sid = 0;
1974 new_tsec->sockcreate_sid = 0;
1976 if (old_tsec->exec_sid) {
1977 new_tsec->sid = old_tsec->exec_sid;
1978 /* Reset exec SID on execve. */
1979 new_tsec->exec_sid = 0;
1981 /* Check for a default transition on this program. */
1982 rc = security_transition_sid(old_tsec->sid, isec->sid,
1983 SECCLASS_PROCESS, NULL,
1989 COMMON_AUDIT_DATA_INIT(&ad, FS);
1990 ad.u.fs.path = bprm->file->f_path;
1992 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1993 new_tsec->sid = old_tsec->sid;
1995 if (new_tsec->sid == old_tsec->sid) {
1996 rc = avc_has_perm(old_tsec->sid, isec->sid,
1997 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2001 /* Check permissions for the transition. */
2002 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2003 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2007 rc = avc_has_perm(new_tsec->sid, isec->sid,
2008 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2012 /* Check for shared state */
2013 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2014 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2015 SECCLASS_PROCESS, PROCESS__SHARE,
2021 /* Make sure that anyone attempting to ptrace over a task that
2022 * changes its SID has the appropriate permit */
2024 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2025 struct task_struct *tracer;
2026 struct task_security_struct *sec;
2030 tracer = tracehook_tracer_task(current);
2031 if (likely(tracer != NULL)) {
2032 sec = __task_cred(tracer)->security;
2038 rc = avc_has_perm(ptsid, new_tsec->sid,
2040 PROCESS__PTRACE, NULL);
2046 /* Clear any possibly unsafe personality bits on exec: */
2047 bprm->per_clear |= PER_CLEAR_ON_SETID;
2053 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2055 const struct task_security_struct *tsec = current_security();
2063 /* Enable secure mode for SIDs transitions unless
2064 the noatsecure permission is granted between
2065 the two SIDs, i.e. ahp returns 0. */
2066 atsecure = avc_has_perm(osid, sid,
2068 PROCESS__NOATSECURE, NULL);
2071 return (atsecure || cap_bprm_secureexec(bprm));
2074 extern struct vfsmount *selinuxfs_mount;
2075 extern struct dentry *selinux_null;
2077 /* Derived from fs/exec.c:flush_old_files. */
2078 static inline void flush_unauthorized_files(const struct cred *cred,
2079 struct files_struct *files)
2081 struct common_audit_data ad;
2082 struct file *file, *devnull = NULL;
2083 struct tty_struct *tty;
2084 struct fdtable *fdt;
2088 tty = get_current_tty();
2090 spin_lock(&tty_files_lock);
2091 if (!list_empty(&tty->tty_files)) {
2092 struct tty_file_private *file_priv;
2093 struct inode *inode;
2095 /* Revalidate access to controlling tty.
2096 Use inode_has_perm on the tty inode directly rather
2097 than using file_has_perm, as this particular open
2098 file may belong to another process and we are only
2099 interested in the inode-based check here. */
2100 file_priv = list_first_entry(&tty->tty_files,
2101 struct tty_file_private, list);
2102 file = file_priv->file;
2103 inode = file->f_path.dentry->d_inode;
2104 if (inode_has_perm(cred, inode,
2105 FILE__READ | FILE__WRITE, NULL)) {
2109 spin_unlock(&tty_files_lock);
2112 /* Reset controlling tty. */
2116 /* Revalidate access to inherited open files. */
2118 COMMON_AUDIT_DATA_INIT(&ad, FS);
2120 spin_lock(&files->file_lock);
2122 unsigned long set, i;
2127 fdt = files_fdtable(files);
2128 if (i >= fdt->max_fds)
2130 set = fdt->open_fds->fds_bits[j];
2133 spin_unlock(&files->file_lock);
2134 for ( ; set ; i++, set >>= 1) {
2139 if (file_has_perm(cred,
2141 file_to_av(file))) {
2143 fd = get_unused_fd();
2153 devnull = dentry_open(
2155 mntget(selinuxfs_mount),
2157 if (IS_ERR(devnull)) {
2164 fd_install(fd, devnull);
2169 spin_lock(&files->file_lock);
2172 spin_unlock(&files->file_lock);
2176 * Prepare a process for imminent new credential changes due to exec
2178 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2180 struct task_security_struct *new_tsec;
2181 struct rlimit *rlim, *initrlim;
2184 new_tsec = bprm->cred->security;
2185 if (new_tsec->sid == new_tsec->osid)
2188 /* Close files for which the new task SID is not authorized. */
2189 flush_unauthorized_files(bprm->cred, current->files);
2191 /* Always clear parent death signal on SID transitions. */
2192 current->pdeath_signal = 0;
2194 /* Check whether the new SID can inherit resource limits from the old
2195 * SID. If not, reset all soft limits to the lower of the current
2196 * task's hard limit and the init task's soft limit.
2198 * Note that the setting of hard limits (even to lower them) can be
2199 * controlled by the setrlimit check. The inclusion of the init task's
2200 * soft limit into the computation is to avoid resetting soft limits
2201 * higher than the default soft limit for cases where the default is
2202 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2204 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2205 PROCESS__RLIMITINH, NULL);
2207 /* protect against do_prlimit() */
2209 for (i = 0; i < RLIM_NLIMITS; i++) {
2210 rlim = current->signal->rlim + i;
2211 initrlim = init_task.signal->rlim + i;
2212 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2214 task_unlock(current);
2215 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2220 * Clean up the process immediately after the installation of new credentials
2223 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2225 const struct task_security_struct *tsec = current_security();
2226 struct itimerval itimer;
2236 /* Check whether the new SID can inherit signal state from the old SID.
2237 * If not, clear itimers to avoid subsequent signal generation and
2238 * flush and unblock signals.
2240 * This must occur _after_ the task SID has been updated so that any
2241 * kill done after the flush will be checked against the new SID.
2243 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2245 memset(&itimer, 0, sizeof itimer);
2246 for (i = 0; i < 3; i++)
2247 do_setitimer(i, &itimer, NULL);
2248 spin_lock_irq(¤t->sighand->siglock);
2249 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2250 __flush_signals(current);
2251 flush_signal_handlers(current, 1);
2252 sigemptyset(¤t->blocked);
2254 spin_unlock_irq(¤t->sighand->siglock);
2257 /* Wake up the parent if it is waiting so that it can recheck
2258 * wait permission to the new task SID. */
2259 read_lock(&tasklist_lock);
2260 __wake_up_parent(current, current->real_parent);
2261 read_unlock(&tasklist_lock);
2264 /* superblock security operations */
2266 static int selinux_sb_alloc_security(struct super_block *sb)
2268 return superblock_alloc_security(sb);
2271 static void selinux_sb_free_security(struct super_block *sb)
2273 superblock_free_security(sb);
2276 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2281 return !memcmp(prefix, option, plen);
2284 static inline int selinux_option(char *option, int len)
2286 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2287 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2288 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2289 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2290 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2293 static inline void take_option(char **to, char *from, int *first, int len)
2300 memcpy(*to, from, len);
2304 static inline void take_selinux_option(char **to, char *from, int *first,
2307 int current_size = 0;
2315 while (current_size < len) {
2325 static int selinux_sb_copy_data(char *orig, char *copy)
2327 int fnosec, fsec, rc = 0;
2328 char *in_save, *in_curr, *in_end;
2329 char *sec_curr, *nosec_save, *nosec;
2335 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2343 in_save = in_end = orig;
2347 open_quote = !open_quote;
2348 if ((*in_end == ',' && open_quote == 0) ||
2350 int len = in_end - in_curr;
2352 if (selinux_option(in_curr, len))
2353 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2355 take_option(&nosec, in_curr, &fnosec, len);
2357 in_curr = in_end + 1;
2359 } while (*in_end++);
2361 strcpy(in_save, nosec_save);
2362 free_page((unsigned long)nosec_save);
2367 static int selinux_sb_remount(struct super_block *sb, void *data)
2370 struct security_mnt_opts opts;
2371 char *secdata, **mount_options;
2372 struct superblock_security_struct *sbsec = sb->s_security;
2374 if (!(sbsec->flags & SE_SBINITIALIZED))
2380 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2383 security_init_mnt_opts(&opts);
2384 secdata = alloc_secdata();
2387 rc = selinux_sb_copy_data(data, secdata);
2389 goto out_free_secdata;
2391 rc = selinux_parse_opts_str(secdata, &opts);
2393 goto out_free_secdata;
2395 mount_options = opts.mnt_opts;
2396 flags = opts.mnt_opts_flags;
2398 for (i = 0; i < opts.num_mnt_opts; i++) {
2402 if (flags[i] == SE_SBLABELSUPP)
2404 len = strlen(mount_options[i]);
2405 rc = security_context_to_sid(mount_options[i], len, &sid);
2407 printk(KERN_WARNING "SELinux: security_context_to_sid"
2408 "(%s) failed for (dev %s, type %s) errno=%d\n",
2409 mount_options[i], sb->s_id, sb->s_type->name, rc);
2415 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2416 goto out_bad_option;
2419 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2420 goto out_bad_option;
2422 case ROOTCONTEXT_MNT: {
2423 struct inode_security_struct *root_isec;
2424 root_isec = sb->s_root->d_inode->i_security;
2426 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2427 goto out_bad_option;
2430 case DEFCONTEXT_MNT:
2431 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2432 goto out_bad_option;
2441 security_free_mnt_opts(&opts);
2443 free_secdata(secdata);
2446 printk(KERN_WARNING "SELinux: unable to change security options "
2447 "during remount (dev %s, type=%s)\n", sb->s_id,
2452 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2454 const struct cred *cred = current_cred();
2455 struct common_audit_data ad;
2458 rc = superblock_doinit(sb, data);
2462 /* Allow all mounts performed by the kernel */
2463 if (flags & MS_KERNMOUNT)
2466 COMMON_AUDIT_DATA_INIT(&ad, FS);
2467 ad.u.fs.path.dentry = sb->s_root;
2468 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2471 static int selinux_sb_statfs(struct dentry *dentry)
2473 const struct cred *cred = current_cred();
2474 struct common_audit_data ad;
2476 COMMON_AUDIT_DATA_INIT(&ad, FS);
2477 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2478 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2481 static int selinux_mount(char *dev_name,
2484 unsigned long flags,
2487 const struct cred *cred = current_cred();
2489 if (flags & MS_REMOUNT)
2490 return superblock_has_perm(cred, path->mnt->mnt_sb,
2491 FILESYSTEM__REMOUNT, NULL);
2493 return dentry_has_perm(cred, path->mnt, path->dentry,
2497 static int selinux_umount(struct vfsmount *mnt, int flags)
2499 const struct cred *cred = current_cred();
2501 return superblock_has_perm(cred, mnt->mnt_sb,
2502 FILESYSTEM__UNMOUNT, NULL);
2505 /* inode security operations */
2507 static int selinux_inode_alloc_security(struct inode *inode)
2509 return inode_alloc_security(inode);
2512 static void selinux_inode_free_security(struct inode *inode)
2514 inode_free_security(inode);
2517 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2518 const struct qstr *qstr, char **name,
2519 void **value, size_t *len)
2521 const struct task_security_struct *tsec = current_security();
2522 struct inode_security_struct *dsec;
2523 struct superblock_security_struct *sbsec;
2524 u32 sid, newsid, clen;
2526 char *namep = NULL, *context;
2528 dsec = dir->i_security;
2529 sbsec = dir->i_sb->s_security;
2532 newsid = tsec->create_sid;
2534 if ((sbsec->flags & SE_SBINITIALIZED) &&
2535 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2536 newsid = sbsec->mntpoint_sid;
2537 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2538 rc = security_transition_sid(sid, dsec->sid,
2539 inode_mode_to_security_class(inode->i_mode),
2542 printk(KERN_WARNING "%s: "
2543 "security_transition_sid failed, rc=%d (dev=%s "
2546 -rc, inode->i_sb->s_id, inode->i_ino);
2551 /* Possibly defer initialization to selinux_complete_init. */
2552 if (sbsec->flags & SE_SBINITIALIZED) {
2553 struct inode_security_struct *isec = inode->i_security;
2554 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2556 isec->initialized = 1;
2559 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2563 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2570 rc = security_sid_to_context_force(newsid, &context, &clen);
2582 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2584 return may_create(dir, dentry, SECCLASS_FILE);
2587 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2589 return may_link(dir, old_dentry, MAY_LINK);
2592 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2594 return may_link(dir, dentry, MAY_UNLINK);
2597 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2599 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2602 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2604 return may_create(dir, dentry, SECCLASS_DIR);
2607 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2609 return may_link(dir, dentry, MAY_RMDIR);
2612 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2614 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2617 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2618 struct inode *new_inode, struct dentry *new_dentry)
2620 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2623 static int selinux_inode_readlink(struct dentry *dentry)
2625 const struct cred *cred = current_cred();
2627 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2630 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2632 const struct cred *cred = current_cred();
2634 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2637 static int selinux_inode_permission(struct inode *inode, int mask)
2639 const struct cred *cred = current_cred();
2640 struct common_audit_data ad;
2644 from_access = mask & MAY_ACCESS;
2645 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2647 /* No permission to check. Existence test. */
2651 COMMON_AUDIT_DATA_INIT(&ad, FS);
2652 ad.u.fs.inode = inode;
2655 ad.selinux_audit_data.auditdeny |= FILE__AUDIT_ACCESS;
2657 perms = file_mask_to_av(inode->i_mode, mask);
2659 return inode_has_perm(cred, inode, perms, &ad);
2662 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2664 const struct cred *cred = current_cred();
2665 unsigned int ia_valid = iattr->ia_valid;
2667 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2668 if (ia_valid & ATTR_FORCE) {
2669 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2675 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2676 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2677 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2679 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2682 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2684 const struct cred *cred = current_cred();
2686 return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2689 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2691 const struct cred *cred = current_cred();
2693 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2694 sizeof XATTR_SECURITY_PREFIX - 1)) {
2695 if (!strcmp(name, XATTR_NAME_CAPS)) {
2696 if (!capable(CAP_SETFCAP))
2698 } else if (!capable(CAP_SYS_ADMIN)) {
2699 /* A different attribute in the security namespace.
2700 Restrict to administrator. */
2705 /* Not an attribute we recognize, so just check the
2706 ordinary setattr permission. */
2707 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2710 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2711 const void *value, size_t size, int flags)
2713 struct inode *inode = dentry->d_inode;
2714 struct inode_security_struct *isec = inode->i_security;
2715 struct superblock_security_struct *sbsec;
2716 struct common_audit_data ad;
2717 u32 newsid, sid = current_sid();
2720 if (strcmp(name, XATTR_NAME_SELINUX))
2721 return selinux_inode_setotherxattr(dentry, name);
2723 sbsec = inode->i_sb->s_security;
2724 if (!(sbsec->flags & SE_SBLABELSUPP))
2727 if (!is_owner_or_cap(inode))
2730 COMMON_AUDIT_DATA_INIT(&ad, FS);
2731 ad.u.fs.path.dentry = dentry;
2733 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2734 FILE__RELABELFROM, &ad);
2738 rc = security_context_to_sid(value, size, &newsid);
2739 if (rc == -EINVAL) {
2740 if (!capable(CAP_MAC_ADMIN))
2742 rc = security_context_to_sid_force(value, size, &newsid);
2747 rc = avc_has_perm(sid, newsid, isec->sclass,
2748 FILE__RELABELTO, &ad);
2752 rc = security_validate_transition(isec->sid, newsid, sid,
2757 return avc_has_perm(newsid,
2759 SECCLASS_FILESYSTEM,
2760 FILESYSTEM__ASSOCIATE,
2764 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2765 const void *value, size_t size,
2768 struct inode *inode = dentry->d_inode;
2769 struct inode_security_struct *isec = inode->i_security;
2773 if (strcmp(name, XATTR_NAME_SELINUX)) {
2774 /* Not an attribute we recognize, so nothing to do. */
2778 rc = security_context_to_sid_force(value, size, &newsid);
2780 printk(KERN_ERR "SELinux: unable to map context to SID"
2781 "for (%s, %lu), rc=%d\n",
2782 inode->i_sb->s_id, inode->i_ino, -rc);
2790 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2792 const struct cred *cred = current_cred();
2794 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2797 static int selinux_inode_listxattr(struct dentry *dentry)
2799 const struct cred *cred = current_cred();
2801 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2804 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2806 if (strcmp(name, XATTR_NAME_SELINUX))
2807 return selinux_inode_setotherxattr(dentry, name);
2809 /* No one is allowed to remove a SELinux security label.
2810 You can change the label, but all data must be labeled. */
2815 * Copy the inode security context value to the user.
2817 * Permission check is handled by selinux_inode_getxattr hook.
2819 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2823 char *context = NULL;
2824 struct inode_security_struct *isec = inode->i_security;
2826 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2830 * If the caller has CAP_MAC_ADMIN, then get the raw context
2831 * value even if it is not defined by current policy; otherwise,
2832 * use the in-core value under current policy.
2833 * Use the non-auditing forms of the permission checks since
2834 * getxattr may be called by unprivileged processes commonly
2835 * and lack of permission just means that we fall back to the
2836 * in-core context value, not a denial.
2838 error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2839 SECURITY_CAP_NOAUDIT);
2841 error = security_sid_to_context_force(isec->sid, &context,
2844 error = security_sid_to_context(isec->sid, &context, &size);
2857 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2858 const void *value, size_t size, int flags)
2860 struct inode_security_struct *isec = inode->i_security;
2864 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2867 if (!value || !size)
2870 rc = security_context_to_sid((void *)value, size, &newsid);
2875 isec->initialized = 1;
2879 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2881 const int len = sizeof(XATTR_NAME_SELINUX);
2882 if (buffer && len <= buffer_size)
2883 memcpy(buffer, XATTR_NAME_SELINUX, len);
2887 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2889 struct inode_security_struct *isec = inode->i_security;
2893 /* file security operations */
2895 static int selinux_revalidate_file_permission(struct file *file, int mask)
2897 const struct cred *cred = current_cred();
2898 struct inode *inode = file->f_path.dentry->d_inode;
2900 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2901 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2904 return file_has_perm(cred, file,
2905 file_mask_to_av(inode->i_mode, mask));
2908 static int selinux_file_permission(struct file *file, int mask)
2910 struct inode *inode = file->f_path.dentry->d_inode;
2911 struct file_security_struct *fsec = file->f_security;
2912 struct inode_security_struct *isec = inode->i_security;
2913 u32 sid = current_sid();
2916 /* No permission to check. Existence test. */
2919 if (sid == fsec->sid && fsec->isid == isec->sid &&
2920 fsec->pseqno == avc_policy_seqno())
2921 /* No change since dentry_open check. */
2924 return selinux_revalidate_file_permission(file, mask);
2927 static int selinux_file_alloc_security(struct file *file)
2929 return file_alloc_security(file);
2932 static void selinux_file_free_security(struct file *file)
2934 file_free_security(file);
2937 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2940 const struct cred *cred = current_cred();
2950 case EXT2_IOC_GETFLAGS:
2952 case EXT2_IOC_GETVERSION:
2953 error = file_has_perm(cred, file, FILE__GETATTR);
2956 case EXT2_IOC_SETFLAGS:
2958 case EXT2_IOC_SETVERSION:
2959 error = file_has_perm(cred, file, FILE__SETATTR);
2962 /* sys_ioctl() checks */
2966 error = file_has_perm(cred, file, 0);
2971 error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
2972 SECURITY_CAP_AUDIT);
2975 /* default case assumes that the command will go
2976 * to the file's ioctl() function.
2979 error = file_has_perm(cred, file, FILE__IOCTL);
2984 static int default_noexec;
2986 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2988 const struct cred *cred = current_cred();
2991 if (default_noexec &&
2992 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2994 * We are making executable an anonymous mapping or a
2995 * private file mapping that will also be writable.
2996 * This has an additional check.
2998 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3004 /* read access is always possible with a mapping */
3005 u32 av = FILE__READ;
3007 /* write access only matters if the mapping is shared */
3008 if (shared && (prot & PROT_WRITE))
3011 if (prot & PROT_EXEC)
3012 av |= FILE__EXECUTE;
3014 return file_has_perm(cred, file, av);
3021 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3022 unsigned long prot, unsigned long flags,
3023 unsigned long addr, unsigned long addr_only)
3026 u32 sid = current_sid();
3029 * notice that we are intentionally putting the SELinux check before
3030 * the secondary cap_file_mmap check. This is such a likely attempt
3031 * at bad behaviour/exploit that we always want to get the AVC, even
3032 * if DAC would have also denied the operation.
3034 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3035 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3036 MEMPROTECT__MMAP_ZERO, NULL);
3041 /* do DAC check on address space usage */
3042 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
3043 if (rc || addr_only)
3046 if (selinux_checkreqprot)
3049 return file_map_prot_check(file, prot,
3050 (flags & MAP_TYPE) == MAP_SHARED);
3053 static int selinux_file_mprotect(struct vm_area_struct *vma,
3054 unsigned long reqprot,
3057 const struct cred *cred = current_cred();
3059 if (selinux_checkreqprot)
3062 if (default_noexec &&
3063 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3065 if (vma->vm_start >= vma->vm_mm->start_brk &&
3066 vma->vm_end <= vma->vm_mm->brk) {
3067 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3068 } else if (!vma->vm_file &&
3069 vma->vm_start <= vma->vm_mm->start_stack &&
3070 vma->vm_end >= vma->vm_mm->start_stack) {
3071 rc = current_has_perm(current, PROCESS__EXECSTACK);
3072 } else if (vma->vm_file && vma->anon_vma) {
3074 * We are making executable a file mapping that has
3075 * had some COW done. Since pages might have been
3076 * written, check ability to execute the possibly
3077 * modified content. This typically should only
3078 * occur for text relocations.
3080 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3086 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3089 static int selinux_file_lock(struct file *file, unsigned int cmd)
3091 const struct cred *cred = current_cred();
3093 return file_has_perm(cred, file, FILE__LOCK);
3096 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3099 const struct cred *cred = current_cred();
3104 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3109 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3110 err = file_has_perm(cred, file, FILE__WRITE);
3119 /* Just check FD__USE permission */
3120 err = file_has_perm(cred, file, 0);
3125 #if BITS_PER_LONG == 32
3130 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3134 err = file_has_perm(cred, file, FILE__LOCK);
3141 static int selinux_file_set_fowner(struct file *file)
3143 struct file_security_struct *fsec;
3145 fsec = file->f_security;
3146 fsec->fown_sid = current_sid();
3151 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3152 struct fown_struct *fown, int signum)
3155 u32 sid = task_sid(tsk);
3157 struct file_security_struct *fsec;
3159 /* struct fown_struct is never outside the context of a struct file */
3160 file = container_of(fown, struct file, f_owner);
3162 fsec = file->f_security;
3165 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3167 perm = signal_to_av(signum);
3169 return avc_has_perm(fsec->fown_sid, sid,
3170 SECCLASS_PROCESS, perm, NULL);
3173 static int selinux_file_receive(struct file *file)
3175 const struct cred *cred = current_cred();
3177 return file_has_perm(cred, file, file_to_av(file));
3180 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3182 struct file_security_struct *fsec;
3183 struct inode *inode;
3184 struct inode_security_struct *isec;
3186 inode = file->f_path.dentry->d_inode;
3187 fsec = file->f_security;
3188 isec = inode->i_security;
3190 * Save inode label and policy sequence number
3191 * at open-time so that selinux_file_permission
3192 * can determine whether revalidation is necessary.
3193 * Task label is already saved in the file security
3194 * struct as its SID.
3196 fsec->isid = isec->sid;
3197 fsec->pseqno = avc_policy_seqno();
3199 * Since the inode label or policy seqno may have changed
3200 * between the selinux_inode_permission check and the saving
3201 * of state above, recheck that access is still permitted.
3202 * Otherwise, access might never be revalidated against the
3203 * new inode label or new policy.
3204 * This check is not redundant - do not remove.
3206 return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3209 /* task security operations */
3211 static int selinux_task_create(unsigned long clone_flags)
3213 return current_has_perm(current, PROCESS__FORK);
3217 * allocate the SELinux part of blank credentials
3219 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3221 struct task_security_struct *tsec;
3223 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3227 cred->security = tsec;
3232 * detach and free the LSM part of a set of credentials
3234 static void selinux_cred_free(struct cred *cred)
3236 struct task_security_struct *tsec = cred->security;
3239 * cred->security == NULL if security_cred_alloc_blank() or
3240 * security_prepare_creds() returned an error.
3242 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3243 cred->security = (void *) 0x7UL;
3248 * prepare a new set of credentials for modification
3250 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3253 const struct task_security_struct *old_tsec;
3254 struct task_security_struct *tsec;
3256 old_tsec = old->security;
3258 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3262 new->security = tsec;
3267 * transfer the SELinux data to a blank set of creds
3269 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3271 const struct task_security_struct *old_tsec = old->security;
3272 struct task_security_struct *tsec = new->security;
3278 * set the security data for a kernel service
3279 * - all the creation contexts are set to unlabelled
3281 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3283 struct task_security_struct *tsec = new->security;
3284 u32 sid = current_sid();
3287 ret = avc_has_perm(sid, secid,
3288 SECCLASS_KERNEL_SERVICE,
3289 KERNEL_SERVICE__USE_AS_OVERRIDE,
3293 tsec->create_sid = 0;
3294 tsec->keycreate_sid = 0;
3295 tsec->sockcreate_sid = 0;
3301 * set the file creation context in a security record to the same as the
3302 * objective context of the specified inode
3304 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3306 struct inode_security_struct *isec = inode->i_security;
3307 struct task_security_struct *tsec = new->security;
3308 u32 sid = current_sid();
3311 ret = avc_has_perm(sid, isec->sid,
3312 SECCLASS_KERNEL_SERVICE,
3313 KERNEL_SERVICE__CREATE_FILES_AS,
3317 tsec->create_sid = isec->sid;
3321 static int selinux_kernel_module_request(char *kmod_name)
3324 struct common_audit_data ad;
3326 sid = task_sid(current);
3328 COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3329 ad.u.kmod_name = kmod_name;
3331 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3332 SYSTEM__MODULE_REQUEST, &ad);
3335 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3337 return current_has_perm(p, PROCESS__SETPGID);
3340 static int selinux_task_getpgid(struct task_struct *p)
3342 return current_has_perm(p, PROCESS__GETPGID);
3345 static int selinux_task_getsid(struct task_struct *p)
3347 return current_has_perm(p, PROCESS__GETSESSION);
3350 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3352 *secid = task_sid(p);
3355 static int selinux_task_setnice(struct task_struct *p, int nice)
3359 rc = cap_task_setnice(p, nice);
3363 return current_has_perm(p, PROCESS__SETSCHED);
3366 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3370 rc = cap_task_setioprio(p, ioprio);
3374 return current_has_perm(p, PROCESS__SETSCHED);
3377 static int selinux_task_getioprio(struct task_struct *p)
3379 return current_has_perm(p, PROCESS__GETSCHED);
3382 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3383 struct rlimit *new_rlim)
3385 struct rlimit *old_rlim = p->signal->rlim + resource;
3387 /* Control the ability to change the hard limit (whether
3388 lowering or raising it), so that the hard limit can
3389 later be used as a safe reset point for the soft limit
3390 upon context transitions. See selinux_bprm_committing_creds. */
3391 if (old_rlim->rlim_max != new_rlim->rlim_max)
3392 return current_has_perm(p, PROCESS__SETRLIMIT);
3397 static int selinux_task_setscheduler(struct task_struct *p)
3401 rc = cap_task_setscheduler(p);
3405 return current_has_perm(p, PROCESS__SETSCHED);
3408 static int selinux_task_getscheduler(struct task_struct *p)
3410 return current_has_perm(p, PROCESS__GETSCHED);
3413 static int selinux_task_movememory(struct task_struct *p)
3415 return current_has_perm(p, PROCESS__SETSCHED);
3418 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3425 perm = PROCESS__SIGNULL; /* null signal; existence test */
3427 perm = signal_to_av(sig);
3429 rc = avc_has_perm(secid, task_sid(p),
3430 SECCLASS_PROCESS, perm, NULL);
3432 rc = current_has_perm(p, perm);
3436 static int selinux_task_wait(struct task_struct *p)
3438 return task_has_perm(p, current, PROCESS__SIGCHLD);
3441 static void selinux_task_to_inode(struct task_struct *p,
3442 struct inode *inode)
3444 struct inode_security_struct *isec = inode->i_security;
3445 u32 sid = task_sid(p);
3448 isec->initialized = 1;
3451 /* Returns error only if unable to parse addresses */
3452 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3453 struct common_audit_data *ad, u8 *proto)
3455 int offset, ihlen, ret = -EINVAL;
3456 struct iphdr _iph, *ih;
3458 offset = skb_network_offset(skb);
3459 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3463 ihlen = ih->ihl * 4;
3464 if (ihlen < sizeof(_iph))
3467 ad->u.net.v4info.saddr = ih->saddr;
3468 ad->u.net.v4info.daddr = ih->daddr;
3472 *proto = ih->protocol;
3474 switch (ih->protocol) {
3476 struct tcphdr _tcph, *th;
3478 if (ntohs(ih->frag_off) & IP_OFFSET)
3482 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3486 ad->u.net.sport = th->source;
3487 ad->u.net.dport = th->dest;
3492 struct udphdr _udph, *uh;
3494 if (ntohs(ih->frag_off) & IP_OFFSET)
3498 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3502 ad->u.net.sport = uh->source;
3503 ad->u.net.dport = uh->dest;
3507 case IPPROTO_DCCP: {
3508 struct dccp_hdr _dccph, *dh;
3510 if (ntohs(ih->frag_off) & IP_OFFSET)
3514 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3518 ad->u.net.sport = dh->dccph_sport;
3519 ad->u.net.dport = dh->dccph_dport;
3530 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3532 /* Returns error only if unable to parse addresses */
3533 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3534 struct common_audit_data *ad, u8 *proto)
3537 int ret = -EINVAL, offset;
3538 struct ipv6hdr _ipv6h, *ip6;
3540 offset = skb_network_offset(skb);
3541 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3545 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3546 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3549 nexthdr = ip6->nexthdr;
3550 offset += sizeof(_ipv6h);
3551 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3560 struct tcphdr _tcph, *th;
3562 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3566 ad->u.net.sport = th->source;
3567 ad->u.net.dport = th->dest;
3572 struct udphdr _udph, *uh;
3574 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3578 ad->u.net.sport = uh->source;
3579 ad->u.net.dport = uh->dest;
3583 case IPPROTO_DCCP: {
3584 struct dccp_hdr _dccph, *dh;
3586 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3590 ad->u.net.sport = dh->dccph_sport;
3591 ad->u.net.dport = dh->dccph_dport;
3595 /* includes fragments */
3605 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3606 char **_addrp, int src, u8 *proto)
3611 switch (ad->u.net.family) {
3613 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3616 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3617 &ad->u.net.v4info.daddr);
3620 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3622 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3625 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3626 &ad->u.net.v6info.daddr);
3636 "SELinux: failure in selinux_parse_skb(),"
3637 " unable to parse packet\n");
3647 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3649 * @family: protocol family
3650 * @sid: the packet's peer label SID
3653 * Check the various different forms of network peer labeling and determine
3654 * the peer label/SID for the packet; most of the magic actually occurs in
3655 * the security server function security_net_peersid_cmp(). The function
3656 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3657 * or -EACCES if @sid is invalid due to inconsistencies with the different
3661 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3668 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3669 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3671 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3672 if (unlikely(err)) {
3674 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3675 " unable to determine packet's peer label\n");
3682 /* socket security operations */
3684 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3685 u16 secclass, u32 *socksid)
3687 if (tsec->sockcreate_sid > SECSID_NULL) {
3688 *socksid = tsec->sockcreate_sid;
3692 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3696 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3698 struct sk_security_struct *sksec = sk->sk_security;
3699 struct common_audit_data ad;
3700 u32 tsid = task_sid(task);
3702 if (sksec->sid == SECINITSID_KERNEL)
3705 COMMON_AUDIT_DATA_INIT(&ad, NET);
3708 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3711 static int selinux_socket_create(int family, int type,
3712 int protocol, int kern)
3714 const struct task_security_struct *tsec = current_security();
3722 secclass = socket_type_to_security_class(family, type, protocol);
3723 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3727 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3730 static int selinux_socket_post_create(struct socket *sock, int family,
3731 int type, int protocol, int kern)
3733 const struct task_security_struct *tsec = current_security();
3734 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3735 struct sk_security_struct *sksec;
3738 isec->sclass = socket_type_to_security_class(family, type, protocol);
3741 isec->sid = SECINITSID_KERNEL;
3743 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3748 isec->initialized = 1;
3751 sksec = sock->sk->sk_security;
3752 sksec->sid = isec->sid;
3753 sksec->sclass = isec->sclass;
3754 err = selinux_netlbl_socket_post_create(sock->sk, family);
3760 /* Range of port numbers used to automatically bind.
3761 Need to determine whether we should perform a name_bind
3762 permission check between the socket and the port number. */
3764 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3766 struct sock *sk = sock->sk;
3770 err = sock_has_perm(current, sk, SOCKET__BIND);
3775 * If PF_INET or PF_INET6, check name_bind permission for the port.
3776 * Multiple address binding for SCTP is not supported yet: we just
3777 * check the first address now.
3779 family = sk->sk_family;
3780 if (family == PF_INET || family == PF_INET6) {
3782 struct sk_security_struct *sksec = sk->sk_security;
3783 struct common_audit_data ad;
3784 struct sockaddr_in *addr4 = NULL;
3785 struct sockaddr_in6 *addr6 = NULL;
3786 unsigned short snum;
3789 if (family == PF_INET) {
3790 addr4 = (struct sockaddr_in *)address;
3791 snum = ntohs(addr4->sin_port);
3792 addrp = (char *)&addr4->sin_addr.s_addr;
3794 addr6 = (struct sockaddr_in6 *)address;
3795 snum = ntohs(addr6->sin6_port);
3796 addrp = (char *)&addr6->sin6_addr.s6_addr;
3802 inet_get_local_port_range(&low, &high);
3804 if (snum < max(PROT_SOCK, low) || snum > high) {
3805 err = sel_netport_sid(sk->sk_protocol,
3809 COMMON_AUDIT_DATA_INIT(&ad, NET);
3810 ad.u.net.sport = htons(snum);
3811 ad.u.net.family = family;
3812 err = avc_has_perm(sksec->sid, sid,
3814 SOCKET__NAME_BIND, &ad);
3820 switch (sksec->sclass) {
3821 case SECCLASS_TCP_SOCKET:
3822 node_perm = TCP_SOCKET__NODE_BIND;
3825 case SECCLASS_UDP_SOCKET:
3826 node_perm = UDP_SOCKET__NODE_BIND;
3829 case SECCLASS_DCCP_SOCKET:
3830 node_perm = DCCP_SOCKET__NODE_BIND;
3834 node_perm = RAWIP_SOCKET__NODE_BIND;
3838 err = sel_netnode_sid(addrp, family, &sid);
3842 COMMON_AUDIT_DATA_INIT(&ad, NET);
3843 ad.u.net.sport = htons(snum);
3844 ad.u.net.family = family;
3846 if (family == PF_INET)
3847 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3849 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3851 err = avc_has_perm(sksec->sid, sid,
3852 sksec->sclass, node_perm, &ad);
3860 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3862 struct sock *sk = sock->sk;
3863 struct sk_security_struct *sksec = sk->sk_security;
3866 err = sock_has_perm(current, sk, SOCKET__CONNECT);
3871 * If a TCP or DCCP socket, check name_connect permission for the port.
3873 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3874 sksec->sclass == SECCLASS_DCCP_SOCKET) {
3875 struct common_audit_data ad;
3876 struct sockaddr_in *addr4 = NULL;
3877 struct sockaddr_in6 *addr6 = NULL;
3878 unsigned short snum;
3881 if (sk->sk_family == PF_INET) {
3882 addr4 = (struct sockaddr_in *)address;
3883 if (addrlen < sizeof(struct sockaddr_in))
3885 snum = ntohs(addr4->sin_port);
3887 addr6 = (struct sockaddr_in6 *)address;
3888 if (addrlen < SIN6_LEN_RFC2133)
3890 snum = ntohs(addr6->sin6_port);
3893 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3897 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3898 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3900 COMMON_AUDIT_DATA_INIT(&ad, NET);
3901 ad.u.net.dport = htons(snum);
3902 ad.u.net.family = sk->sk_family;
3903 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3908 err = selinux_netlbl_socket_connect(sk, address);
3914 static int selinux_socket_listen(struct socket *sock, int backlog)
3916 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3919 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3922 struct inode_security_struct *isec;
3923 struct inode_security_struct *newisec;
3925 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
3929 newisec = SOCK_INODE(newsock)->i_security;
3931 isec = SOCK_INODE(sock)->i_security;
3932 newisec->sclass = isec->sclass;
3933 newisec->sid = isec->sid;
3934 newisec->initialized = 1;
3939 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3942 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
3945 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3946 int size, int flags)
3948 return sock_has_perm(current, sock->sk, SOCKET__READ);
3951 static int selinux_socket_getsockname(struct socket *sock)
3953 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3956 static int selinux_socket_getpeername(struct socket *sock)
3958 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
3961 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3965 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
3969 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3972 static int selinux_socket_getsockopt(struct socket *sock, int level,
3975 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
3978 static int selinux_socket_shutdown(struct socket *sock, int how)
3980 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
3983 static int selinux_socket_unix_stream_connect(struct sock *sock,
3987 struct sk_security_struct *sksec_sock = sock->sk_security;
3988 struct sk_security_struct *sksec_other = other->sk_security;
3989 struct sk_security_struct *sksec_new = newsk->sk_security;
3990 struct common_audit_data ad;
3993 COMMON_AUDIT_DATA_INIT(&ad, NET);
3994 ad.u.net.sk = other;
3996 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
3997 sksec_other->sclass,
3998 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4002 /* server child socket */
4003 sksec_new->peer_sid = sksec_sock->sid;
4004 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4009 /* connecting socket */
4010 sksec_sock->peer_sid = sksec_new->sid;
4015 static int selinux_socket_unix_may_send(struct socket *sock,
4016 struct socket *other)
4018 struct sk_security_struct *ssec = sock->sk->sk_security;
4019 struct sk_security_struct *osec = other->sk->sk_security;
4020 struct common_audit_data ad;
4022 COMMON_AUDIT_DATA_INIT(&ad, NET);
4023 ad.u.net.sk = other->sk;
4025 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4029 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4031 struct common_audit_data *ad)
4037 err = sel_netif_sid(ifindex, &if_sid);
4040 err = avc_has_perm(peer_sid, if_sid,
4041 SECCLASS_NETIF, NETIF__INGRESS, ad);
4045 err = sel_netnode_sid(addrp, family, &node_sid);
4048 return avc_has_perm(peer_sid, node_sid,
4049 SECCLASS_NODE, NODE__RECVFROM, ad);
4052 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4056 struct sk_security_struct *sksec = sk->sk_security;
4057 u32 sk_sid = sksec->sid;
4058 struct common_audit_data ad;
4061 COMMON_AUDIT_DATA_INIT(&ad, NET);
4062 ad.u.net.netif = skb->skb_iif;
4063 ad.u.net.family = family;
4064 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4068 if (selinux_secmark_enabled()) {
4069 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4075 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4078 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4083 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4086 struct sk_security_struct *sksec = sk->sk_security;
4087 u16 family = sk->sk_family;
4088 u32 sk_sid = sksec->sid;
4089 struct common_audit_data ad;
4094 if (family != PF_INET && family != PF_INET6)
4097 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4098 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4101 /* If any sort of compatibility mode is enabled then handoff processing
4102 * to the selinux_sock_rcv_skb_compat() function to deal with the
4103 * special handling. We do this in an attempt to keep this function
4104 * as fast and as clean as possible. */
4105 if (!selinux_policycap_netpeer)
4106 return selinux_sock_rcv_skb_compat(sk, skb, family);
4108 secmark_active = selinux_secmark_enabled();
4109 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4110 if (!secmark_active && !peerlbl_active)
4113 COMMON_AUDIT_DATA_INIT(&ad, NET);
4114 ad.u.net.netif = skb->skb_iif;
4115 ad.u.net.family = family;
4116 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4120 if (peerlbl_active) {
4123 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4126 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4129 selinux_netlbl_err(skb, err, 0);
4132 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4135 selinux_netlbl_err(skb, err, 0);
4138 if (secmark_active) {
4139 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4148 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4149 int __user *optlen, unsigned len)
4154 struct sk_security_struct *sksec = sock->sk->sk_security;
4155 u32 peer_sid = SECSID_NULL;
4157 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4158 sksec->sclass == SECCLASS_TCP_SOCKET)
4159 peer_sid = sksec->peer_sid;
4160 if (peer_sid == SECSID_NULL)
4161 return -ENOPROTOOPT;
4163 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4167 if (scontext_len > len) {
4172 if (copy_to_user(optval, scontext, scontext_len))
4176 if (put_user(scontext_len, optlen))
4182 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4184 u32 peer_secid = SECSID_NULL;
4187 if (skb && skb->protocol == htons(ETH_P_IP))
4189 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4192 family = sock->sk->sk_family;
4196 if (sock && family == PF_UNIX)
4197 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4199 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4202 *secid = peer_secid;
4203 if (peer_secid == SECSID_NULL)
4208 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4210 struct sk_security_struct *sksec;
4212 sksec = kzalloc(sizeof(*sksec), priority);
4216 sksec->peer_sid = SECINITSID_UNLABELED;
4217 sksec->sid = SECINITSID_UNLABELED;
4218 selinux_netlbl_sk_security_reset(sksec);
4219 sk->sk_security = sksec;
4224 static void selinux_sk_free_security(struct sock *sk)
4226 struct sk_security_struct *sksec = sk->sk_security;
4228 sk->sk_security = NULL;
4229 selinux_netlbl_sk_security_free(sksec);
4233 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4235 struct sk_security_struct *sksec = sk->sk_security;
4236 struct sk_security_struct *newsksec = newsk->sk_security;
4238 newsksec->sid = sksec->sid;
4239 newsksec->peer_sid = sksec->peer_sid;
4240 newsksec->sclass = sksec->sclass;
4242 selinux_netlbl_sk_security_reset(newsksec);
4245 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4248 *secid = SECINITSID_ANY_SOCKET;
4250 struct sk_security_struct *sksec = sk->sk_security;
4252 *secid = sksec->sid;
4256 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4258 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4259 struct sk_security_struct *sksec = sk->sk_security;
4261 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4262 sk->sk_family == PF_UNIX)
4263 isec->sid = sksec->sid;
4264 sksec->sclass = isec->sclass;
4267 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4268 struct request_sock *req)
4270 struct sk_security_struct *sksec = sk->sk_security;
4272 u16 family = sk->sk_family;
4276 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4277 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4280 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4283 if (peersid == SECSID_NULL) {
4284 req->secid = sksec->sid;
4285 req->peer_secid = SECSID_NULL;
4287 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4290 req->secid = newsid;
4291 req->peer_secid = peersid;
4294 return selinux_netlbl_inet_conn_request(req, family);
4297 static void selinux_inet_csk_clone(struct sock *newsk,
4298 const struct request_sock *req)
4300 struct sk_security_struct *newsksec = newsk->sk_security;
4302 newsksec->sid = req->secid;
4303 newsksec->peer_sid = req->peer_secid;
4304 /* NOTE: Ideally, we should also get the isec->sid for the
4305 new socket in sync, but we don't have the isec available yet.
4306 So we will wait until sock_graft to do it, by which
4307 time it will have been created and available. */
4309 /* We don't need to take any sort of lock here as we are the only
4310 * thread with access to newsksec */
4311 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4314 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4316 u16 family = sk->sk_family;
4317 struct sk_security_struct *sksec = sk->sk_security;
4319 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4320 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4323 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4326 static int selinux_secmark_relabel_packet(u32 sid)
4328 const struct task_security_struct *__tsec;
4331 __tsec = current_security();
4334 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4337 static void selinux_secmark_refcount_inc(void)
4339 atomic_inc(&selinux_secmark_refcount);
4342 static void selinux_secmark_refcount_dec(void)
4344 atomic_dec(&selinux_secmark_refcount);
4347 static void selinux_req_classify_flow(const struct request_sock *req,
4350 fl->secid = req->secid;
4353 static int selinux_tun_dev_create(void)
4355 u32 sid = current_sid();
4357 /* we aren't taking into account the "sockcreate" SID since the socket
4358 * that is being created here is not a socket in the traditional sense,
4359 * instead it is a private sock, accessible only to the kernel, and
4360 * representing a wide range of network traffic spanning multiple
4361 * connections unlike traditional sockets - check the TUN driver to
4362 * get a better understanding of why this socket is special */
4364 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4368 static void selinux_tun_dev_post_create(struct sock *sk)
4370 struct sk_security_struct *sksec = sk->sk_security;
4372 /* we don't currently perform any NetLabel based labeling here and it
4373 * isn't clear that we would want to do so anyway; while we could apply
4374 * labeling without the support of the TUN user the resulting labeled
4375 * traffic from the other end of the connection would almost certainly
4376 * cause confusion to the TUN user that had no idea network labeling
4377 * protocols were being used */
4379 /* see the comments in selinux_tun_dev_create() about why we don't use
4380 * the sockcreate SID here */
4382 sksec->sid = current_sid();
4383 sksec->sclass = SECCLASS_TUN_SOCKET;
4386 static int selinux_tun_dev_attach(struct sock *sk)
4388 struct sk_security_struct *sksec = sk->sk_security;
4389 u32 sid = current_sid();
4392 err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4393 TUN_SOCKET__RELABELFROM, NULL);
4396 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4397 TUN_SOCKET__RELABELTO, NULL);
4406 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4410 struct nlmsghdr *nlh;
4411 struct sk_security_struct *sksec = sk->sk_security;
4413 if (skb->len < NLMSG_SPACE(0)) {
4417 nlh = nlmsg_hdr(skb);
4419 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4421 if (err == -EINVAL) {
4422 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4423 "SELinux: unrecognized netlink message"
4424 " type=%hu for sclass=%hu\n",
4425 nlh->nlmsg_type, sksec->sclass);
4426 if (!selinux_enforcing || security_get_allow_unknown())
4436 err = sock_has_perm(current, sk, perm);
4441 #ifdef CONFIG_NETFILTER
4443 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4449 struct common_audit_data ad;
4454 if (!selinux_policycap_netpeer)
4457 secmark_active = selinux_secmark_enabled();
4458 netlbl_active = netlbl_enabled();
4459 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4460 if (!secmark_active && !peerlbl_active)
4463 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4466 COMMON_AUDIT_DATA_INIT(&ad, NET);
4467 ad.u.net.netif = ifindex;
4468 ad.u.net.family = family;
4469 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4472 if (peerlbl_active) {
4473 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4476 selinux_netlbl_err(skb, err, 1);
4482 if (avc_has_perm(peer_sid, skb->secmark,
4483 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4487 /* we do this in the FORWARD path and not the POST_ROUTING
4488 * path because we want to make sure we apply the necessary
4489 * labeling before IPsec is applied so we can leverage AH
4491 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4497 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4498 struct sk_buff *skb,
4499 const struct net_device *in,
4500 const struct net_device *out,
4501 int (*okfn)(struct sk_buff *))
4503 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4506 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4507 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4508 struct sk_buff *skb,
4509 const struct net_device *in,
4510 const struct net_device *out,
4511 int (*okfn)(struct sk_buff *))
4513 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4517 static unsigned int selinux_ip_output(struct sk_buff *skb,
4522 if (!netlbl_enabled())
4525 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4526 * because we want to make sure we apply the necessary labeling
4527 * before IPsec is applied so we can leverage AH protection */
4529 struct sk_security_struct *sksec = skb->sk->sk_security;
4532 sid = SECINITSID_KERNEL;
4533 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4539 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4540 struct sk_buff *skb,
4541 const struct net_device *in,
4542 const struct net_device *out,
4543 int (*okfn)(struct sk_buff *))
4545 return selinux_ip_output(skb, PF_INET);
4548 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4552 struct sock *sk = skb->sk;
4553 struct sk_security_struct *sksec;
4554 struct common_audit_data ad;
4560 sksec = sk->sk_security;
4562 COMMON_AUDIT_DATA_INIT(&ad, NET);
4563 ad.u.net.netif = ifindex;
4564 ad.u.net.family = family;
4565 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4568 if (selinux_secmark_enabled())
4569 if (avc_has_perm(sksec->sid, skb->secmark,
4570 SECCLASS_PACKET, PACKET__SEND, &ad))
4571 return NF_DROP_ERR(-ECONNREFUSED);
4573 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4574 return NF_DROP_ERR(-ECONNREFUSED);
4579 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4585 struct common_audit_data ad;
4590 /* If any sort of compatibility mode is enabled then handoff processing
4591 * to the selinux_ip_postroute_compat() function to deal with the
4592 * special handling. We do this in an attempt to keep this function
4593 * as fast and as clean as possible. */
4594 if (!selinux_policycap_netpeer)
4595 return selinux_ip_postroute_compat(skb, ifindex, family);
4597 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4598 * packet transformation so allow the packet to pass without any checks
4599 * since we'll have another chance to perform access control checks
4600 * when the packet is on it's final way out.
4601 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4602 * is NULL, in this case go ahead and apply access control. */
4603 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4606 secmark_active = selinux_secmark_enabled();
4607 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4608 if (!secmark_active && !peerlbl_active)
4611 /* if the packet is being forwarded then get the peer label from the
4612 * packet itself; otherwise check to see if it is from a local
4613 * application or the kernel, if from an application get the peer label
4614 * from the sending socket, otherwise use the kernel's sid */
4618 secmark_perm = PACKET__FORWARD_OUT;
4619 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4622 secmark_perm = PACKET__SEND;
4623 peer_sid = SECINITSID_KERNEL;
4626 struct sk_security_struct *sksec = sk->sk_security;
4627 peer_sid = sksec->sid;
4628 secmark_perm = PACKET__SEND;
4631 COMMON_AUDIT_DATA_INIT(&ad, NET);
4632 ad.u.net.netif = ifindex;
4633 ad.u.net.family = family;
4634 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4638 if (avc_has_perm(peer_sid, skb->secmark,
4639 SECCLASS_PACKET, secmark_perm, &ad))
4640 return NF_DROP_ERR(-ECONNREFUSED);
4642 if (peerlbl_active) {
4646 if (sel_netif_sid(ifindex, &if_sid))
4648 if (avc_has_perm(peer_sid, if_sid,
4649 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4650 return NF_DROP_ERR(-ECONNREFUSED);
4652 if (sel_netnode_sid(addrp, family, &node_sid))
4654 if (avc_has_perm(peer_sid, node_sid,
4655 SECCLASS_NODE, NODE__SENDTO, &ad))
4656 return NF_DROP_ERR(-ECONNREFUSED);
4662 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4663 struct sk_buff *skb,
4664 const struct net_device *in,
4665 const struct net_device *out,
4666 int (*okfn)(struct sk_buff *))
4668 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4671 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4672 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4673 struct sk_buff *skb,
4674 const struct net_device *in,
4675 const struct net_device *out,
4676 int (*okfn)(struct sk_buff *))
4678 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4682 #endif /* CONFIG_NETFILTER */
4684 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4688 err = cap_netlink_send(sk, skb);
4692 return selinux_nlmsg_perm(sk, skb);
4695 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4698 struct common_audit_data ad;
4700 err = cap_netlink_recv(skb, capability);
4704 COMMON_AUDIT_DATA_INIT(&ad, CAP);
4705 ad.u.cap = capability;
4707 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4708 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4711 static int ipc_alloc_security(struct task_struct *task,
4712 struct kern_ipc_perm *perm,
4715 struct ipc_security_struct *isec;
4718 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4722 sid = task_sid(task);
4723 isec->sclass = sclass;
4725 perm->security = isec;
4730 static void ipc_free_security(struct kern_ipc_perm *perm)
4732 struct ipc_security_struct *isec = perm->security;
4733 perm->security = NULL;
4737 static int msg_msg_alloc_security(struct msg_msg *msg)
4739 struct msg_security_struct *msec;
4741 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4745 msec->sid = SECINITSID_UNLABELED;
4746 msg->security = msec;
4751 static void msg_msg_free_security(struct msg_msg *msg)
4753 struct msg_security_struct *msec = msg->security;
4755 msg->security = NULL;
4759 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4762 struct ipc_security_struct *isec;
4763 struct common_audit_data ad;
4764 u32 sid = current_sid();
4766 isec = ipc_perms->security;
4768 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4769 ad.u.ipc_id = ipc_perms->key;
4771 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4774 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4776 return msg_msg_alloc_security(msg);
4779 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4781 msg_msg_free_security(msg);
4784 /* message queue security operations */
4785 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4787 struct ipc_security_struct *isec;
4788 struct common_audit_data ad;
4789 u32 sid = current_sid();
4792 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4796 isec = msq->q_perm.security;
4798 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4799 ad.u.ipc_id = msq->q_perm.key;
4801 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4804 ipc_free_security(&msq->q_perm);
4810 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4812 ipc_free_security(&msq->q_perm);
4815 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4817 struct ipc_security_struct *isec;
4818 struct common_audit_data ad;
4819 u32 sid = current_sid();
4821 isec = msq->q_perm.security;
4823 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4824 ad.u.ipc_id = msq->q_perm.key;
4826 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4827 MSGQ__ASSOCIATE, &ad);
4830 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4838 /* No specific object, just general system-wide information. */
4839 return task_has_system(current, SYSTEM__IPC_INFO);
4842 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4845 perms = MSGQ__SETATTR;
4848 perms = MSGQ__DESTROY;
4854 err = ipc_has_perm(&msq->q_perm, perms);
4858 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4860 struct ipc_security_struct *isec;
4861 struct msg_security_struct *msec;
4862 struct common_audit_data ad;
4863 u32 sid = current_sid();
4866 isec = msq->q_perm.security;
4867 msec = msg->security;
4870 * First time through, need to assign label to the message
4872 if (msec->sid == SECINITSID_UNLABELED) {
4874 * Compute new sid based on current process and
4875 * message queue this message will be stored in
4877 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4883 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4884 ad.u.ipc_id = msq->q_perm.key;
4886 /* Can this process write to the queue? */
4887 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4890 /* Can this process send the message */
4891 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4894 /* Can the message be put in the queue? */
4895 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4896 MSGQ__ENQUEUE, &ad);
4901 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4902 struct task_struct *target,
4903 long type, int mode)
4905 struct ipc_security_struct *isec;
4906 struct msg_security_struct *msec;
4907 struct common_audit_data ad;
4908 u32 sid = task_sid(target);
4911 isec = msq->q_perm.security;
4912 msec = msg->security;
4914 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4915 ad.u.ipc_id = msq->q_perm.key;
4917 rc = avc_has_perm(sid, isec->sid,
4918 SECCLASS_MSGQ, MSGQ__READ, &ad);
4920 rc = avc_has_perm(sid, msec->sid,
4921 SECCLASS_MSG, MSG__RECEIVE, &ad);
4925 /* Shared Memory security operations */
4926 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4928 struct ipc_security_struct *isec;
4929 struct common_audit_data ad;
4930 u32 sid = current_sid();
4933 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4937 isec = shp->shm_perm.security;
4939 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4940 ad.u.ipc_id = shp->shm_perm.key;
4942 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4945 ipc_free_security(&shp->shm_perm);
4951 static void selinux_shm_free_security(struct shmid_kernel *shp)
4953 ipc_free_security(&shp->shm_perm);
4956 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4958 struct ipc_security_struct *isec;
4959 struct common_audit_data ad;
4960 u32 sid = current_sid();
4962 isec = shp->shm_perm.security;
4964 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4965 ad.u.ipc_id = shp->shm_perm.key;
4967 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
4968 SHM__ASSOCIATE, &ad);
4971 /* Note, at this point, shp is locked down */
4972 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4980 /* No specific object, just general system-wide information. */
4981 return task_has_system(current, SYSTEM__IPC_INFO);
4984 perms = SHM__GETATTR | SHM__ASSOCIATE;
4987 perms = SHM__SETATTR;
4994 perms = SHM__DESTROY;
5000 err = ipc_has_perm(&shp->shm_perm, perms);
5004 static int selinux_shm_shmat(struct shmid_kernel *shp,
5005 char __user *shmaddr, int shmflg)
5009 if (shmflg & SHM_RDONLY)
5012 perms = SHM__READ | SHM__WRITE;
5014 return ipc_has_perm(&shp->shm_perm, perms);
5017 /* Semaphore security operations */
5018 static int selinux_sem_alloc_security(struct sem_array *sma)
5020 struct ipc_security_struct *isec;
5021 struct common_audit_data ad;
5022 u32 sid = current_sid();
5025 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5029 isec = sma->sem_perm.security;
5031 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5032 ad.u.ipc_id = sma->sem_perm.key;
5034 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5037 ipc_free_security(&sma->sem_perm);
5043 static void selinux_sem_free_security(struct sem_array *sma)
5045 ipc_free_security(&sma->sem_perm);
5048 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5050 struct ipc_security_struct *isec;
5051 struct common_audit_data ad;
5052 u32 sid = current_sid();
5054 isec = sma->sem_perm.security;
5056 COMMON_AUDIT_DATA_INIT(&ad, IPC);
5057 ad.u.ipc_id = sma->sem_perm.key;
5059 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5060 SEM__ASSOCIATE, &ad);
5063 /* Note, at this point, sma is locked down */
5064 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5072 /* No specific object, just general system-wide information. */
5073 return task_has_system(current, SYSTEM__IPC_INFO);
5077 perms = SEM__GETATTR;
5088 perms = SEM__DESTROY;
5091 perms = SEM__SETATTR;
5095 perms = SEM__GETATTR | SEM__ASSOCIATE;
5101 err = ipc_has_perm(&sma->sem_perm, perms);
5105 static int selinux_sem_semop(struct sem_array *sma,
5106 struct sembuf *sops, unsigned nsops, int alter)
5111 perms = SEM__READ | SEM__WRITE;
5115 return ipc_has_perm(&sma->sem_perm, perms);
5118 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5124 av |= IPC__UNIX_READ;
5126 av |= IPC__UNIX_WRITE;
5131 return ipc_has_perm(ipcp, av);
5134 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5136 struct ipc_security_struct *isec = ipcp->security;
5140 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5143 inode_doinit_with_dentry(inode, dentry);
5146 static int selinux_getprocattr(struct task_struct *p,
5147 char *name, char **value)
5149 const struct task_security_struct *__tsec;
5155 error = current_has_perm(p, PROCESS__GETATTR);
5161 __tsec = __task_cred(p)->security;
5163 if (!strcmp(name, "current"))
5165 else if (!strcmp(name, "prev"))
5167 else if (!strcmp(name, "exec"))
5168 sid = __tsec->exec_sid;
5169 else if (!strcmp(name, "fscreate"))
5170 sid = __tsec->create_sid;
5171 else if (!strcmp(name, "keycreate"))
5172 sid = __tsec->keycreate_sid;
5173 else if (!strcmp(name, "sockcreate"))
5174 sid = __tsec->sockcreate_sid;
5182 error = security_sid_to_context(sid, value, &len);
5192 static int selinux_setprocattr(struct task_struct *p,
5193 char *name, void *value, size_t size)
5195 struct task_security_struct *tsec;
5196 struct task_struct *tracer;
5203 /* SELinux only allows a process to change its own
5204 security attributes. */
5209 * Basic control over ability to set these attributes at all.
5210 * current == p, but we'll pass them separately in case the
5211 * above restriction is ever removed.
5213 if (!strcmp(name, "exec"))
5214 error = current_has_perm(p, PROCESS__SETEXEC);
5215 else if (!strcmp(name, "fscreate"))
5216 error = current_has_perm(p, PROCESS__SETFSCREATE);
5217 else if (!strcmp(name, "keycreate"))
5218 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5219 else if (!strcmp(name, "sockcreate"))
5220 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5221 else if (!strcmp(name, "current"))
5222 error = current_has_perm(p, PROCESS__SETCURRENT);
5228 /* Obtain a SID for the context, if one was specified. */
5229 if (size && str[1] && str[1] != '\n') {
5230 if (str[size-1] == '\n') {
5234 error = security_context_to_sid(value, size, &sid);
5235 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5236 if (!capable(CAP_MAC_ADMIN))
5238 error = security_context_to_sid_force(value, size,
5245 new = prepare_creds();
5249 /* Permission checking based on the specified context is
5250 performed during the actual operation (execve,
5251 open/mkdir/...), when we know the full context of the
5252 operation. See selinux_bprm_set_creds for the execve
5253 checks and may_create for the file creation checks. The
5254 operation will then fail if the context is not permitted. */
5255 tsec = new->security;
5256 if (!strcmp(name, "exec")) {
5257 tsec->exec_sid = sid;
5258 } else if (!strcmp(name, "fscreate")) {
5259 tsec->create_sid = sid;
5260 } else if (!strcmp(name, "keycreate")) {
5261 error = may_create_key(sid, p);
5264 tsec->keycreate_sid = sid;
5265 } else if (!strcmp(name, "sockcreate")) {
5266 tsec->sockcreate_sid = sid;
5267 } else if (!strcmp(name, "current")) {
5272 /* Only allow single threaded processes to change context */
5274 if (!current_is_single_threaded()) {
5275 error = security_bounded_transition(tsec->sid, sid);
5280 /* Check permissions for the transition. */
5281 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5282 PROCESS__DYNTRANSITION, NULL);
5286 /* Check for ptracing, and update the task SID if ok.
5287 Otherwise, leave SID unchanged and fail. */
5290 tracer = tracehook_tracer_task(p);
5292 ptsid = task_sid(tracer);
5296 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5297 PROCESS__PTRACE, NULL);
5316 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5318 return security_sid_to_context(secid, secdata, seclen);
5321 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5323 return security_context_to_sid(secdata, seclen, secid);
5326 static void selinux_release_secctx(char *secdata, u32 seclen)
5332 * called with inode->i_mutex locked
5334 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5336 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5340 * called with inode->i_mutex locked
5342 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5344 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5347 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5350 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5359 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5360 unsigned long flags)
5362 const struct task_security_struct *tsec;
5363 struct key_security_struct *ksec;
5365 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5369 tsec = cred->security;
5370 if (tsec->keycreate_sid)
5371 ksec->sid = tsec->keycreate_sid;
5373 ksec->sid = tsec->sid;
5379 static void selinux_key_free(struct key *k)
5381 struct key_security_struct *ksec = k->security;
5387 static int selinux_key_permission(key_ref_t key_ref,
5388 const struct cred *cred,
5392 struct key_security_struct *ksec;
5395 /* if no specific permissions are requested, we skip the
5396 permission check. No serious, additional covert channels
5397 appear to be created. */
5401 sid = cred_sid(cred);
5403 key = key_ref_to_ptr(key_ref);
5404 ksec = key->security;
5406 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5409 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5411 struct key_security_struct *ksec = key->security;
5412 char *context = NULL;
5416 rc = security_sid_to_context(ksec->sid, &context, &len);
5425 static struct security_operations selinux_ops = {
5428 .ptrace_access_check = selinux_ptrace_access_check,
5429 .ptrace_traceme = selinux_ptrace_traceme,
5430 .capget = selinux_capget,
5431 .capset = selinux_capset,
5432 .capable = selinux_capable,
5433 .quotactl = selinux_quotactl,
5434 .quota_on = selinux_quota_on,
5435 .syslog = selinux_syslog,
5436 .vm_enough_memory = selinux_vm_enough_memory,
5438 .netlink_send = selinux_netlink_send,
5439 .netlink_recv = selinux_netlink_recv,
5441 .bprm_set_creds = selinux_bprm_set_creds,
5442 .bprm_committing_creds = selinux_bprm_committing_creds,
5443 .bprm_committed_creds = selinux_bprm_committed_creds,
5444 .bprm_secureexec = selinux_bprm_secureexec,
5446 .sb_alloc_security = selinux_sb_alloc_security,
5447 .sb_free_security = selinux_sb_free_security,
5448 .sb_copy_data = selinux_sb_copy_data,
5449 .sb_remount = selinux_sb_remount,
5450 .sb_kern_mount = selinux_sb_kern_mount,
5451 .sb_show_options = selinux_sb_show_options,
5452 .sb_statfs = selinux_sb_statfs,
5453 .sb_mount = selinux_mount,
5454 .sb_umount = selinux_umount,
5455 .sb_set_mnt_opts = selinux_set_mnt_opts,
5456 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5457 .sb_parse_opts_str = selinux_parse_opts_str,
5460 .inode_alloc_security = selinux_inode_alloc_security,
5461 .inode_free_security = selinux_inode_free_security,
5462 .inode_init_security = selinux_inode_init_security,
5463 .inode_create = selinux_inode_create,
5464 .inode_link = selinux_inode_link,
5465 .inode_unlink = selinux_inode_unlink,
5466 .inode_symlink = selinux_inode_symlink,
5467 .inode_mkdir = selinux_inode_mkdir,
5468 .inode_rmdir = selinux_inode_rmdir,
5469 .inode_mknod = selinux_inode_mknod,
5470 .inode_rename = selinux_inode_rename,
5471 .inode_readlink = selinux_inode_readlink,
5472 .inode_follow_link = selinux_inode_follow_link,
5473 .inode_permission = selinux_inode_permission,
5474 .inode_setattr = selinux_inode_setattr,
5475 .inode_getattr = selinux_inode_getattr,
5476 .inode_setxattr = selinux_inode_setxattr,
5477 .inode_post_setxattr = selinux_inode_post_setxattr,
5478 .inode_getxattr = selinux_inode_getxattr,
5479 .inode_listxattr = selinux_inode_listxattr,
5480 .inode_removexattr = selinux_inode_removexattr,
5481 .inode_getsecurity = selinux_inode_getsecurity,
5482 .inode_setsecurity = selinux_inode_setsecurity,
5483 .inode_listsecurity = selinux_inode_listsecurity,
5484 .inode_getsecid = selinux_inode_getsecid,
5486 .file_permission = selinux_file_permission,
5487 .file_alloc_security = selinux_file_alloc_security,
5488 .file_free_security = selinux_file_free_security,
5489 .file_ioctl = selinux_file_ioctl,
5490 .file_mmap = selinux_file_mmap,
5491 .file_mprotect = selinux_file_mprotect,
5492 .file_lock = selinux_file_lock,
5493 .file_fcntl = selinux_file_fcntl,
5494 .file_set_fowner = selinux_file_set_fowner,
5495 .file_send_sigiotask = selinux_file_send_sigiotask,
5496 .file_receive = selinux_file_receive,
5498 .dentry_open = selinux_dentry_open,
5500 .task_create = selinux_task_create,
5501 .cred_alloc_blank = selinux_cred_alloc_blank,
5502 .cred_free = selinux_cred_free,
5503 .cred_prepare = selinux_cred_prepare,
5504 .cred_transfer = selinux_cred_transfer,
5505 .kernel_act_as = selinux_kernel_act_as,
5506 .kernel_create_files_as = selinux_kernel_create_files_as,
5507 .kernel_module_request = selinux_kernel_module_request,
5508 .task_setpgid = selinux_task_setpgid,
5509 .task_getpgid = selinux_task_getpgid,
5510 .task_getsid = selinux_task_getsid,
5511 .task_getsecid = selinux_task_getsecid,
5512 .task_setnice = selinux_task_setnice,
5513 .task_setioprio = selinux_task_setioprio,
5514 .task_getioprio = selinux_task_getioprio,
5515 .task_setrlimit = selinux_task_setrlimit,
5516 .task_setscheduler = selinux_task_setscheduler,
5517 .task_getscheduler = selinux_task_getscheduler,
5518 .task_movememory = selinux_task_movememory,
5519 .task_kill = selinux_task_kill,
5520 .task_wait = selinux_task_wait,
5521 .task_to_inode = selinux_task_to_inode,
5523 .ipc_permission = selinux_ipc_permission,
5524 .ipc_getsecid = selinux_ipc_getsecid,
5526 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5527 .msg_msg_free_security = selinux_msg_msg_free_security,
5529 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5530 .msg_queue_free_security = selinux_msg_queue_free_security,
5531 .msg_queue_associate = selinux_msg_queue_associate,
5532 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5533 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5534 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5536 .shm_alloc_security = selinux_shm_alloc_security,
5537 .shm_free_security = selinux_shm_free_security,
5538 .shm_associate = selinux_shm_associate,
5539 .shm_shmctl = selinux_shm_shmctl,
5540 .shm_shmat = selinux_shm_shmat,
5542 .sem_alloc_security = selinux_sem_alloc_security,
5543 .sem_free_security = selinux_sem_free_security,
5544 .sem_associate = selinux_sem_associate,
5545 .sem_semctl = selinux_sem_semctl,
5546 .sem_semop = selinux_sem_semop,
5548 .d_instantiate = selinux_d_instantiate,
5550 .getprocattr = selinux_getprocattr,
5551 .setprocattr = selinux_setprocattr,
5553 .secid_to_secctx = selinux_secid_to_secctx,
5554 .secctx_to_secid = selinux_secctx_to_secid,
5555 .release_secctx = selinux_release_secctx,
5556 .inode_notifysecctx = selinux_inode_notifysecctx,
5557 .inode_setsecctx = selinux_inode_setsecctx,
5558 .inode_getsecctx = selinux_inode_getsecctx,
5560 .unix_stream_connect = selinux_socket_unix_stream_connect,
5561 .unix_may_send = selinux_socket_unix_may_send,
5563 .socket_create = selinux_socket_create,
5564 .socket_post_create = selinux_socket_post_create,
5565 .socket_bind = selinux_socket_bind,
5566 .socket_connect = selinux_socket_connect,
5567 .socket_listen = selinux_socket_listen,
5568 .socket_accept = selinux_socket_accept,
5569 .socket_sendmsg = selinux_socket_sendmsg,
5570 .socket_recvmsg = selinux_socket_recvmsg,
5571 .socket_getsockname = selinux_socket_getsockname,
5572 .socket_getpeername = selinux_socket_getpeername,
5573 .socket_getsockopt = selinux_socket_getsockopt,
5574 .socket_setsockopt = selinux_socket_setsockopt,
5575 .socket_shutdown = selinux_socket_shutdown,
5576 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5577 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5578 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5579 .sk_alloc_security = selinux_sk_alloc_security,
5580 .sk_free_security = selinux_sk_free_security,
5581 .sk_clone_security = selinux_sk_clone_security,
5582 .sk_getsecid = selinux_sk_getsecid,
5583 .sock_graft = selinux_sock_graft,
5584 .inet_conn_request = selinux_inet_conn_request,
5585 .inet_csk_clone = selinux_inet_csk_clone,
5586 .inet_conn_established = selinux_inet_conn_established,
5587 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5588 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5589 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5590 .req_classify_flow = selinux_req_classify_flow,
5591 .tun_dev_create = selinux_tun_dev_create,
5592 .tun_dev_post_create = selinux_tun_dev_post_create,
5593 .tun_dev_attach = selinux_tun_dev_attach,
5595 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5596 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5597 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5598 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5599 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5600 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5601 .xfrm_state_free_security = selinux_xfrm_state_free,
5602 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5603 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5604 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5605 .xfrm_decode_session = selinux_xfrm_decode_session,
5609 .key_alloc = selinux_key_alloc,
5610 .key_free = selinux_key_free,
5611 .key_permission = selinux_key_permission,
5612 .key_getsecurity = selinux_key_getsecurity,
5616 .audit_rule_init = selinux_audit_rule_init,
5617 .audit_rule_known = selinux_audit_rule_known,
5618 .audit_rule_match = selinux_audit_rule_match,
5619 .audit_rule_free = selinux_audit_rule_free,
5623 static __init int selinux_init(void)
5625 if (!security_module_enable(&selinux_ops)) {
5626 selinux_enabled = 0;
5630 if (!selinux_enabled) {
5631 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5635 printk(KERN_INFO "SELinux: Initializing.\n");
5637 /* Set the security state for the initial task. */
5638 cred_init_security();
5640 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5642 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5643 sizeof(struct inode_security_struct),
5644 0, SLAB_PANIC, NULL);
5647 if (register_security(&selinux_ops))
5648 panic("SELinux: Unable to register with kernel.\n");
5650 if (selinux_enforcing)
5651 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5653 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5658 static void delayed_superblock_init(struct super_block *sb, void *unused)
5660 superblock_doinit(sb, NULL);
5663 void selinux_complete_init(void)
5665 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5667 /* Set up any superblocks initialized prior to the policy load. */
5668 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5669 iterate_supers(delayed_superblock_init, NULL);
5672 /* SELinux requires early initialization in order to label
5673 all processes and objects when they are created. */
5674 security_initcall(selinux_init);
5676 #if defined(CONFIG_NETFILTER)
5678 static struct nf_hook_ops selinux_ipv4_ops[] = {
5680 .hook = selinux_ipv4_postroute,
5681 .owner = THIS_MODULE,
5683 .hooknum = NF_INET_POST_ROUTING,
5684 .priority = NF_IP_PRI_SELINUX_LAST,
5687 .hook = selinux_ipv4_forward,
5688 .owner = THIS_MODULE,
5690 .hooknum = NF_INET_FORWARD,
5691 .priority = NF_IP_PRI_SELINUX_FIRST,
5694 .hook = selinux_ipv4_output,
5695 .owner = THIS_MODULE,
5697 .hooknum = NF_INET_LOCAL_OUT,
5698 .priority = NF_IP_PRI_SELINUX_FIRST,
5702 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5704 static struct nf_hook_ops selinux_ipv6_ops[] = {
5706 .hook = selinux_ipv6_postroute,
5707 .owner = THIS_MODULE,
5709 .hooknum = NF_INET_POST_ROUTING,
5710 .priority = NF_IP6_PRI_SELINUX_LAST,
5713 .hook = selinux_ipv6_forward,
5714 .owner = THIS_MODULE,
5716 .hooknum = NF_INET_FORWARD,
5717 .priority = NF_IP6_PRI_SELINUX_FIRST,
5723 static int __init selinux_nf_ip_init(void)
5727 if (!selinux_enabled)
5730 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5732 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5734 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5736 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5737 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5739 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5746 __initcall(selinux_nf_ip_init);
5748 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5749 static void selinux_nf_ip_exit(void)
5751 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5753 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5754 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5755 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5760 #else /* CONFIG_NETFILTER */
5762 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5763 #define selinux_nf_ip_exit()
5766 #endif /* CONFIG_NETFILTER */
5768 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5769 static int selinux_disabled;
5771 int selinux_disable(void)
5773 extern void exit_sel_fs(void);
5775 if (ss_initialized) {
5776 /* Not permitted after initial policy load. */
5780 if (selinux_disabled) {
5781 /* Only do this once. */
5785 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5787 selinux_disabled = 1;
5788 selinux_enabled = 0;
5790 reset_security_ops();
5792 /* Try to destroy the avc node cache */
5795 /* Unregister netfilter hooks. */
5796 selinux_nf_ip_exit();
5798 /* Unregister selinuxfs. */