2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
53 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
97 #define SB_TYPE_FMT "%s%s%s"
98 #define SB_SUBTYPE(sb) (sb->s_subtype && sb->s_subtype[0])
99 #define SB_TYPE_ARGS(sb) sb->s_type->name, SB_SUBTYPE(sb) ? "." : "", SB_SUBTYPE(sb) ? sb->s_subtype : ""
101 extern struct security_operations *security_ops;
103 /* SECMARK reference count */
104 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
106 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
107 int selinux_enforcing;
109 static int __init enforcing_setup(char *str)
111 unsigned long enforcing;
112 if (!strict_strtoul(str, 0, &enforcing))
113 selinux_enforcing = enforcing ? 1 : 0;
116 __setup("enforcing=", enforcing_setup);
119 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
120 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
122 static int __init selinux_enabled_setup(char *str)
124 unsigned long enabled;
125 if (!strict_strtoul(str, 0, &enabled))
126 selinux_enabled = enabled ? 1 : 0;
129 __setup("selinux=", selinux_enabled_setup);
131 int selinux_enabled = 1;
134 static struct kmem_cache *sel_inode_cache;
137 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
140 * This function checks the SECMARK reference counter to see if any SECMARK
141 * targets are currently configured, if the reference counter is greater than
142 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
143 * enabled, false (0) if SECMARK is disabled. If the always_check_network
144 * policy capability is enabled, SECMARK is always considered enabled.
147 static int selinux_secmark_enabled(void)
149 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
153 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
156 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
157 * (1) if any are enabled or false (0) if neither are enabled. If the
158 * always_check_network policy capability is enabled, peer labeling
159 * is always considered enabled.
162 static int selinux_peerlbl_enabled(void)
164 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
168 * initialise the security for the init task
170 static void cred_init_security(void)
172 struct cred *cred = (struct cred *) current->real_cred;
173 struct task_security_struct *tsec;
175 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
177 panic("SELinux: Failed to initialize initial task.\n");
179 tsec->osid = tsec->sid = SECINITSID_KERNEL;
180 cred->security = tsec;
184 * get the security ID of a set of credentials
186 static inline u32 cred_sid(const struct cred *cred)
188 const struct task_security_struct *tsec;
190 tsec = cred->security;
195 * get the objective security ID of a task
197 static inline u32 task_sid(const struct task_struct *task)
202 sid = cred_sid(__task_cred(task));
208 * get the subjective security ID of the current task
210 static inline u32 current_sid(void)
212 const struct task_security_struct *tsec = current_security();
217 /* Allocate and free functions for each kind of security blob. */
219 static int inode_alloc_security(struct inode *inode)
221 struct inode_security_struct *isec;
222 u32 sid = current_sid();
224 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
228 mutex_init(&isec->lock);
229 INIT_LIST_HEAD(&isec->list);
231 isec->sid = SECINITSID_UNLABELED;
232 isec->sclass = SECCLASS_FILE;
233 isec->task_sid = sid;
234 inode->i_security = isec;
239 static void inode_free_security(struct inode *inode)
241 struct inode_security_struct *isec = inode->i_security;
242 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
244 spin_lock(&sbsec->isec_lock);
245 if (!list_empty(&isec->list))
246 list_del_init(&isec->list);
247 spin_unlock(&sbsec->isec_lock);
249 inode->i_security = NULL;
250 kmem_cache_free(sel_inode_cache, isec);
253 static int file_alloc_security(struct file *file)
255 struct file_security_struct *fsec;
256 u32 sid = current_sid();
258 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
263 fsec->fown_sid = sid;
264 file->f_security = fsec;
269 static void file_free_security(struct file *file)
271 struct file_security_struct *fsec = file->f_security;
272 file->f_security = NULL;
276 static int superblock_alloc_security(struct super_block *sb)
278 struct superblock_security_struct *sbsec;
280 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
284 mutex_init(&sbsec->lock);
285 INIT_LIST_HEAD(&sbsec->isec_head);
286 spin_lock_init(&sbsec->isec_lock);
288 sbsec->sid = SECINITSID_UNLABELED;
289 sbsec->def_sid = SECINITSID_FILE;
290 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
291 sb->s_security = sbsec;
296 static void superblock_free_security(struct super_block *sb)
298 struct superblock_security_struct *sbsec = sb->s_security;
299 sb->s_security = NULL;
303 /* The file system's label must be initialized prior to use. */
305 static const char *labeling_behaviors[6] = {
307 "uses transition SIDs",
309 "uses genfs_contexts",
310 "not configured for labeling",
311 "uses mountpoint labeling",
314 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
316 static inline int inode_doinit(struct inode *inode)
318 return inode_doinit_with_dentry(inode, NULL);
327 Opt_labelsupport = 5,
331 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
333 static const match_table_t tokens = {
334 {Opt_context, CONTEXT_STR "%s"},
335 {Opt_fscontext, FSCONTEXT_STR "%s"},
336 {Opt_defcontext, DEFCONTEXT_STR "%s"},
337 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
338 {Opt_labelsupport, LABELSUPP_STR},
342 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
344 static int may_context_mount_sb_relabel(u32 sid,
345 struct superblock_security_struct *sbsec,
346 const struct cred *cred)
348 const struct task_security_struct *tsec = cred->security;
351 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
352 FILESYSTEM__RELABELFROM, NULL);
356 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
357 FILESYSTEM__RELABELTO, NULL);
361 static int may_context_mount_inode_relabel(u32 sid,
362 struct superblock_security_struct *sbsec,
363 const struct cred *cred)
365 const struct task_security_struct *tsec = cred->security;
367 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
368 FILESYSTEM__RELABELFROM, NULL);
372 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
373 FILESYSTEM__ASSOCIATE, NULL);
377 static int selinux_is_sblabel_mnt(struct super_block *sb)
379 struct superblock_security_struct *sbsec = sb->s_security;
381 if (sbsec->behavior == SECURITY_FS_USE_XATTR ||
382 sbsec->behavior == SECURITY_FS_USE_TRANS ||
383 sbsec->behavior == SECURITY_FS_USE_TASK)
386 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
387 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
391 * Special handling for rootfs. Is genfs but supports
392 * setting SELinux context on in-core inodes.
394 if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
400 static int sb_finish_set_opts(struct super_block *sb)
402 struct superblock_security_struct *sbsec = sb->s_security;
403 struct dentry *root = sb->s_root;
404 struct inode *root_inode = root->d_inode;
407 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
408 /* Make sure that the xattr handler exists and that no
409 error other than -ENODATA is returned by getxattr on
410 the root directory. -ENODATA is ok, as this may be
411 the first boot of the SELinux kernel before we have
412 assigned xattr values to the filesystem. */
413 if (!root_inode->i_op->getxattr) {
414 printk(KERN_WARNING "SELinux: (dev %s, type "SB_TYPE_FMT") has no "
415 "xattr support\n", sb->s_id, SB_TYPE_ARGS(sb));
419 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
420 if (rc < 0 && rc != -ENODATA) {
421 if (rc == -EOPNOTSUPP)
422 printk(KERN_WARNING "SELinux: (dev %s, type "
423 SB_TYPE_FMT") has no security xattr handler\n",
424 sb->s_id, SB_TYPE_ARGS(sb));
426 printk(KERN_WARNING "SELinux: (dev %s, type "
427 SB_TYPE_FMT") getxattr errno %d\n", sb->s_id,
428 SB_TYPE_ARGS(sb), -rc);
433 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
434 printk(KERN_ERR "SELinux: initialized (dev %s, type "SB_TYPE_FMT"), unknown behavior\n",
435 sb->s_id, SB_TYPE_ARGS(sb));
437 printk(KERN_DEBUG "SELinux: initialized (dev %s, type "SB_TYPE_FMT"), %s\n",
438 sb->s_id, SB_TYPE_ARGS(sb),
439 labeling_behaviors[sbsec->behavior-1]);
441 sbsec->flags |= SE_SBINITIALIZED;
442 if (selinux_is_sblabel_mnt(sb))
443 sbsec->flags |= SBLABEL_MNT;
445 /* Initialize the root inode. */
446 rc = inode_doinit_with_dentry(root_inode, root);
448 /* Initialize any other inodes associated with the superblock, e.g.
449 inodes created prior to initial policy load or inodes created
450 during get_sb by a pseudo filesystem that directly
452 spin_lock(&sbsec->isec_lock);
454 if (!list_empty(&sbsec->isec_head)) {
455 struct inode_security_struct *isec =
456 list_entry(sbsec->isec_head.next,
457 struct inode_security_struct, list);
458 struct inode *inode = isec->inode;
459 spin_unlock(&sbsec->isec_lock);
460 inode = igrab(inode);
462 if (!IS_PRIVATE(inode))
466 spin_lock(&sbsec->isec_lock);
467 list_del_init(&isec->list);
470 spin_unlock(&sbsec->isec_lock);
476 * This function should allow an FS to ask what it's mount security
477 * options were so it can use those later for submounts, displaying
478 * mount options, or whatever.
480 static int selinux_get_mnt_opts(const struct super_block *sb,
481 struct security_mnt_opts *opts)
484 struct superblock_security_struct *sbsec = sb->s_security;
485 char *context = NULL;
489 security_init_mnt_opts(opts);
491 if (!(sbsec->flags & SE_SBINITIALIZED))
497 /* make sure we always check enough bits to cover the mask */
498 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
500 tmp = sbsec->flags & SE_MNTMASK;
501 /* count the number of mount options for this sb */
502 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
504 opts->num_mnt_opts++;
508 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
509 if (!opts->mnt_opts) {
514 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
515 if (!opts->mnt_opts_flags) {
521 if (sbsec->flags & FSCONTEXT_MNT) {
522 rc = security_sid_to_context(sbsec->sid, &context, &len);
525 opts->mnt_opts[i] = context;
526 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
528 if (sbsec->flags & CONTEXT_MNT) {
529 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
532 opts->mnt_opts[i] = context;
533 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
535 if (sbsec->flags & DEFCONTEXT_MNT) {
536 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
539 opts->mnt_opts[i] = context;
540 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
542 if (sbsec->flags & ROOTCONTEXT_MNT) {
543 struct inode *root = sbsec->sb->s_root->d_inode;
544 struct inode_security_struct *isec = root->i_security;
546 rc = security_sid_to_context(isec->sid, &context, &len);
549 opts->mnt_opts[i] = context;
550 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
552 if (sbsec->flags & SBLABEL_MNT) {
553 opts->mnt_opts[i] = NULL;
554 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
557 BUG_ON(i != opts->num_mnt_opts);
562 security_free_mnt_opts(opts);
566 static int bad_option(struct superblock_security_struct *sbsec, char flag,
567 u32 old_sid, u32 new_sid)
569 char mnt_flags = sbsec->flags & SE_MNTMASK;
571 /* check if the old mount command had the same options */
572 if (sbsec->flags & SE_SBINITIALIZED)
573 if (!(sbsec->flags & flag) ||
574 (old_sid != new_sid))
577 /* check if we were passed the same options twice,
578 * aka someone passed context=a,context=b
580 if (!(sbsec->flags & SE_SBINITIALIZED))
581 if (mnt_flags & flag)
587 * Allow filesystems with binary mount data to explicitly set mount point
588 * labeling information.
590 static int selinux_set_mnt_opts(struct super_block *sb,
591 struct security_mnt_opts *opts)
593 const struct cred *cred = current_cred();
595 struct superblock_security_struct *sbsec = sb->s_security;
596 struct inode *inode = sbsec->sb->s_root->d_inode;
597 struct inode_security_struct *root_isec = inode->i_security;
598 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
599 u32 defcontext_sid = 0;
600 char **mount_options = opts->mnt_opts;
601 int *flags = opts->mnt_opts_flags;
602 int num_opts = opts->num_mnt_opts;
604 mutex_lock(&sbsec->lock);
606 if (!ss_initialized) {
608 /* Defer initialization until selinux_complete_init,
609 after the initial policy is loaded and the security
610 server is ready to handle calls. */
614 printk(KERN_WARNING "SELinux: Unable to set superblock options "
615 "before the security server is initialized\n");
620 * Binary mount data FS will come through this function twice. Once
621 * from an explicit call and once from the generic calls from the vfs.
622 * Since the generic VFS calls will not contain any security mount data
623 * we need to skip the double mount verification.
625 * This does open a hole in which we will not notice if the first
626 * mount using this sb set explict options and a second mount using
627 * this sb does not set any security options. (The first options
628 * will be used for both mounts)
630 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
635 * parse the mount options, check if they are valid sids.
636 * also check if someone is trying to mount the same sb more
637 * than once with different security options.
639 for (i = 0; i < num_opts; i++) {
642 if (flags[i] == SBLABEL_MNT)
644 rc = security_context_to_sid(mount_options[i],
645 strlen(mount_options[i]), &sid);
647 printk(KERN_WARNING "SELinux: security_context_to_sid"
648 "(%s) failed for (dev %s, type "SB_TYPE_FMT") errno=%d\n",
649 mount_options[i], sb->s_id, SB_TYPE_ARGS(sb), rc);
656 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
658 goto out_double_mount;
660 sbsec->flags |= FSCONTEXT_MNT;
665 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
667 goto out_double_mount;
669 sbsec->flags |= CONTEXT_MNT;
671 case ROOTCONTEXT_MNT:
672 rootcontext_sid = sid;
674 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
676 goto out_double_mount;
678 sbsec->flags |= ROOTCONTEXT_MNT;
682 defcontext_sid = sid;
684 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
686 goto out_double_mount;
688 sbsec->flags |= DEFCONTEXT_MNT;
697 if (sbsec->flags & SE_SBINITIALIZED) {
698 /* previously mounted with options, but not on this attempt? */
699 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
700 goto out_double_mount;
705 if (strcmp(sb->s_type->name, "proc") == 0)
706 sbsec->flags |= SE_SBPROC;
708 /* Determine the labeling behavior to use for this filesystem type. */
709 rc = security_fs_use(sb);
711 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
712 __func__, sb->s_type->name, rc);
716 /* sets the context of the superblock for the fs being mounted. */
718 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
722 sbsec->sid = fscontext_sid;
726 * Switch to using mount point labeling behavior.
727 * sets the label used on all file below the mountpoint, and will set
728 * the superblock context if not already set.
731 if (!fscontext_sid) {
732 rc = may_context_mount_sb_relabel(context_sid, sbsec,
736 sbsec->sid = context_sid;
738 rc = may_context_mount_inode_relabel(context_sid, sbsec,
743 if (!rootcontext_sid)
744 rootcontext_sid = context_sid;
746 sbsec->mntpoint_sid = context_sid;
747 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
750 if (rootcontext_sid) {
751 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
756 root_isec->sid = rootcontext_sid;
757 root_isec->initialized = 1;
760 if (defcontext_sid) {
761 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
763 printk(KERN_WARNING "SELinux: defcontext option is "
764 "invalid for this filesystem type\n");
768 if (defcontext_sid != sbsec->def_sid) {
769 rc = may_context_mount_inode_relabel(defcontext_sid,
775 sbsec->def_sid = defcontext_sid;
778 rc = sb_finish_set_opts(sb);
780 mutex_unlock(&sbsec->lock);
784 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
785 "security settings for (dev %s, type "SB_TYPE_FMT")\n", sb->s_id,
790 static int selinux_cmp_sb_context(const struct super_block *oldsb,
791 const struct super_block *newsb)
793 struct superblock_security_struct *old = oldsb->s_security;
794 struct superblock_security_struct *new = newsb->s_security;
795 char oldflags = old->flags & SE_MNTMASK;
796 char newflags = new->flags & SE_MNTMASK;
798 if (oldflags != newflags)
800 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
802 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
804 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
806 if (oldflags & ROOTCONTEXT_MNT) {
807 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
808 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
809 if (oldroot->sid != newroot->sid)
814 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
815 "different security settings for (dev %s, "
816 "type %s)\n", newsb->s_id, newsb->s_type->name);
820 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
821 struct super_block *newsb)
823 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
824 struct superblock_security_struct *newsbsec = newsb->s_security;
826 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
827 int set_context = (oldsbsec->flags & CONTEXT_MNT);
828 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
831 * if the parent was able to be mounted it clearly had no special lsm
832 * mount options. thus we can safely deal with this superblock later
837 /* how can we clone if the old one wasn't set up?? */
838 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
840 /* if fs is reusing a sb, make sure that the contexts match */
841 if (newsbsec->flags & SE_SBINITIALIZED)
842 return selinux_cmp_sb_context(oldsb, newsb);
844 mutex_lock(&newsbsec->lock);
846 newsbsec->flags = oldsbsec->flags;
848 newsbsec->sid = oldsbsec->sid;
849 newsbsec->def_sid = oldsbsec->def_sid;
850 newsbsec->behavior = oldsbsec->behavior;
853 u32 sid = oldsbsec->mntpoint_sid;
857 if (!set_rootcontext) {
858 struct inode *newinode = newsb->s_root->d_inode;
859 struct inode_security_struct *newisec = newinode->i_security;
862 newsbsec->mntpoint_sid = sid;
864 if (set_rootcontext) {
865 const struct inode *oldinode = oldsb->s_root->d_inode;
866 const struct inode_security_struct *oldisec = oldinode->i_security;
867 struct inode *newinode = newsb->s_root->d_inode;
868 struct inode_security_struct *newisec = newinode->i_security;
870 newisec->sid = oldisec->sid;
873 sb_finish_set_opts(newsb);
874 mutex_unlock(&newsbsec->lock);
878 static int selinux_parse_opts_str(char *options,
879 struct security_mnt_opts *opts)
882 char *context = NULL, *defcontext = NULL;
883 char *fscontext = NULL, *rootcontext = NULL;
884 int rc, num_mnt_opts = 0;
886 opts->num_mnt_opts = 0;
888 /* Standard string-based options. */
889 while ((p = strsep(&options, "|")) != NULL) {
891 substring_t args[MAX_OPT_ARGS];
896 token = match_token(p, tokens, args);
900 if (context || defcontext) {
902 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
905 context = match_strdup(&args[0]);
915 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
918 fscontext = match_strdup(&args[0]);
925 case Opt_rootcontext:
928 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
931 rootcontext = match_strdup(&args[0]);
939 if (context || defcontext) {
941 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
944 defcontext = match_strdup(&args[0]);
950 case Opt_labelsupport:
954 printk(KERN_WARNING "SELinux: unknown mount option\n");
961 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
965 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
966 if (!opts->mnt_opts_flags) {
967 kfree(opts->mnt_opts);
972 opts->mnt_opts[num_mnt_opts] = fscontext;
973 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
976 opts->mnt_opts[num_mnt_opts] = context;
977 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
980 opts->mnt_opts[num_mnt_opts] = rootcontext;
981 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
984 opts->mnt_opts[num_mnt_opts] = defcontext;
985 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
988 opts->num_mnt_opts = num_mnt_opts;
999 * string mount options parsing and call set the sbsec
1001 static int superblock_doinit(struct super_block *sb, void *data)
1004 char *options = data;
1005 struct security_mnt_opts opts;
1007 security_init_mnt_opts(&opts);
1012 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1014 rc = selinux_parse_opts_str(options, &opts);
1019 rc = selinux_set_mnt_opts(sb, &opts);
1022 security_free_mnt_opts(&opts);
1026 static void selinux_write_opts(struct seq_file *m,
1027 struct security_mnt_opts *opts)
1032 for (i = 0; i < opts->num_mnt_opts; i++) {
1035 if (opts->mnt_opts[i])
1036 has_comma = strchr(opts->mnt_opts[i], ',');
1040 switch (opts->mnt_opts_flags[i]) {
1042 prefix = CONTEXT_STR;
1045 prefix = FSCONTEXT_STR;
1047 case ROOTCONTEXT_MNT:
1048 prefix = ROOTCONTEXT_STR;
1050 case DEFCONTEXT_MNT:
1051 prefix = DEFCONTEXT_STR;
1055 seq_puts(m, LABELSUPP_STR);
1061 /* we need a comma before each option */
1063 seq_puts(m, prefix);
1066 seq_puts(m, opts->mnt_opts[i]);
1072 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1074 struct security_mnt_opts opts;
1077 rc = selinux_get_mnt_opts(sb, &opts);
1079 /* before policy load we may get EINVAL, don't show anything */
1085 selinux_write_opts(m, &opts);
1087 security_free_mnt_opts(&opts);
1092 static inline u16 inode_mode_to_security_class(umode_t mode)
1094 switch (mode & S_IFMT) {
1096 return SECCLASS_SOCK_FILE;
1098 return SECCLASS_LNK_FILE;
1100 return SECCLASS_FILE;
1102 return SECCLASS_BLK_FILE;
1104 return SECCLASS_DIR;
1106 return SECCLASS_CHR_FILE;
1108 return SECCLASS_FIFO_FILE;
1112 return SECCLASS_FILE;
1115 static inline int default_protocol_stream(int protocol)
1117 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1120 static inline int default_protocol_dgram(int protocol)
1122 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1125 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1131 case SOCK_SEQPACKET:
1132 return SECCLASS_UNIX_STREAM_SOCKET;
1134 return SECCLASS_UNIX_DGRAM_SOCKET;
1141 if (default_protocol_stream(protocol))
1142 return SECCLASS_TCP_SOCKET;
1144 return SECCLASS_RAWIP_SOCKET;
1146 if (default_protocol_dgram(protocol))
1147 return SECCLASS_UDP_SOCKET;
1149 return SECCLASS_RAWIP_SOCKET;
1151 return SECCLASS_DCCP_SOCKET;
1153 return SECCLASS_RAWIP_SOCKET;
1159 return SECCLASS_NETLINK_ROUTE_SOCKET;
1160 case NETLINK_FIREWALL:
1161 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1162 case NETLINK_SOCK_DIAG:
1163 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1165 return SECCLASS_NETLINK_NFLOG_SOCKET;
1167 return SECCLASS_NETLINK_XFRM_SOCKET;
1168 case NETLINK_SELINUX:
1169 return SECCLASS_NETLINK_SELINUX_SOCKET;
1171 return SECCLASS_NETLINK_AUDIT_SOCKET;
1172 case NETLINK_IP6_FW:
1173 return SECCLASS_NETLINK_IP6FW_SOCKET;
1174 case NETLINK_DNRTMSG:
1175 return SECCLASS_NETLINK_DNRT_SOCKET;
1176 case NETLINK_KOBJECT_UEVENT:
1177 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1179 return SECCLASS_NETLINK_SOCKET;
1182 return SECCLASS_PACKET_SOCKET;
1184 return SECCLASS_KEY_SOCKET;
1186 return SECCLASS_APPLETALK_SOCKET;
1189 return SECCLASS_SOCKET;
1192 #ifdef CONFIG_PROC_FS
1193 static int selinux_proc_get_sid(struct dentry *dentry,
1198 char *buffer, *path;
1200 buffer = (char *)__get_free_page(GFP_KERNEL);
1204 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1208 /* each process gets a /proc/PID/ entry. Strip off the
1209 * PID part to get a valid selinux labeling.
1210 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1211 while (path[1] >= '0' && path[1] <= '9') {
1215 rc = security_genfs_sid("proc", path, tclass, sid);
1217 free_page((unsigned long)buffer);
1221 static int selinux_proc_get_sid(struct dentry *dentry,
1229 /* The inode's security attributes must be initialized before first use. */
1230 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1232 struct superblock_security_struct *sbsec = NULL;
1233 struct inode_security_struct *isec = inode->i_security;
1235 struct dentry *dentry;
1236 #define INITCONTEXTLEN 255
1237 char *context = NULL;
1241 if (isec->initialized)
1244 mutex_lock(&isec->lock);
1245 if (isec->initialized)
1248 sbsec = inode->i_sb->s_security;
1249 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1250 /* Defer initialization until selinux_complete_init,
1251 after the initial policy is loaded and the security
1252 server is ready to handle calls. */
1253 spin_lock(&sbsec->isec_lock);
1254 if (list_empty(&isec->list))
1255 list_add(&isec->list, &sbsec->isec_head);
1256 spin_unlock(&sbsec->isec_lock);
1260 switch (sbsec->behavior) {
1261 case SECURITY_FS_USE_XATTR:
1262 if (!inode->i_op->getxattr) {
1263 isec->sid = sbsec->def_sid;
1267 /* Need a dentry, since the xattr API requires one.
1268 Life would be simpler if we could just pass the inode. */
1270 /* Called from d_instantiate or d_splice_alias. */
1271 dentry = dget(opt_dentry);
1273 /* Called from selinux_complete_init, try to find a dentry. */
1274 dentry = d_find_alias(inode);
1278 * this is can be hit on boot when a file is accessed
1279 * before the policy is loaded. When we load policy we
1280 * may find inodes that have no dentry on the
1281 * sbsec->isec_head list. No reason to complain as these
1282 * will get fixed up the next time we go through
1283 * inode_doinit with a dentry, before these inodes could
1284 * be used again by userspace.
1289 len = INITCONTEXTLEN;
1290 context = kmalloc(len+1, GFP_NOFS);
1296 context[len] = '\0';
1297 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1299 if (rc == -ERANGE) {
1302 /* Need a larger buffer. Query for the right size. */
1303 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1310 context = kmalloc(len+1, GFP_NOFS);
1316 context[len] = '\0';
1317 rc = inode->i_op->getxattr(dentry,
1323 if (rc != -ENODATA) {
1324 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1325 "%d for dev=%s ino=%ld\n", __func__,
1326 -rc, inode->i_sb->s_id, inode->i_ino);
1330 /* Map ENODATA to the default file SID */
1331 sid = sbsec->def_sid;
1334 rc = security_context_to_sid_default(context, rc, &sid,
1338 char *dev = inode->i_sb->s_id;
1339 unsigned long ino = inode->i_ino;
1341 if (rc == -EINVAL) {
1342 if (printk_ratelimit())
1343 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1344 "context=%s. This indicates you may need to relabel the inode or the "
1345 "filesystem in question.\n", ino, dev, context);
1347 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1348 "returned %d for dev=%s ino=%ld\n",
1349 __func__, context, -rc, dev, ino);
1352 /* Leave with the unlabeled SID */
1360 case SECURITY_FS_USE_TASK:
1361 isec->sid = isec->task_sid;
1363 case SECURITY_FS_USE_TRANS:
1364 /* Default to the fs SID. */
1365 isec->sid = sbsec->sid;
1367 /* Try to obtain a transition SID. */
1368 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1369 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1370 isec->sclass, NULL, &sid);
1375 case SECURITY_FS_USE_MNTPOINT:
1376 isec->sid = sbsec->mntpoint_sid;
1379 /* Default to the fs superblock SID. */
1380 isec->sid = sbsec->sid;
1382 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1384 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1385 rc = selinux_proc_get_sid(opt_dentry,
1396 isec->initialized = 1;
1399 mutex_unlock(&isec->lock);
1401 if (isec->sclass == SECCLASS_FILE)
1402 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1406 /* Convert a Linux signal to an access vector. */
1407 static inline u32 signal_to_av(int sig)
1413 /* Commonly granted from child to parent. */
1414 perm = PROCESS__SIGCHLD;
1417 /* Cannot be caught or ignored */
1418 perm = PROCESS__SIGKILL;
1421 /* Cannot be caught or ignored */
1422 perm = PROCESS__SIGSTOP;
1425 /* All other signals. */
1426 perm = PROCESS__SIGNAL;
1434 * Check permission between a pair of credentials
1435 * fork check, ptrace check, etc.
1437 static int cred_has_perm(const struct cred *actor,
1438 const struct cred *target,
1441 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1443 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1447 * Check permission between a pair of tasks, e.g. signal checks,
1448 * fork check, ptrace check, etc.
1449 * tsk1 is the actor and tsk2 is the target
1450 * - this uses the default subjective creds of tsk1
1452 static int task_has_perm(const struct task_struct *tsk1,
1453 const struct task_struct *tsk2,
1456 const struct task_security_struct *__tsec1, *__tsec2;
1460 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1461 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1463 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1467 * Check permission between current and another task, e.g. signal checks,
1468 * fork check, ptrace check, etc.
1469 * current is the actor and tsk2 is the target
1470 * - this uses current's subjective creds
1472 static int current_has_perm(const struct task_struct *tsk,
1477 sid = current_sid();
1478 tsid = task_sid(tsk);
1479 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1482 #if CAP_LAST_CAP > 63
1483 #error Fix SELinux to handle capabilities > 63.
1486 /* Check whether a task is allowed to use a capability. */
1487 static int cred_has_capability(const struct cred *cred,
1490 struct common_audit_data ad;
1491 struct av_decision avd;
1493 u32 sid = cred_sid(cred);
1494 u32 av = CAP_TO_MASK(cap);
1497 ad.type = LSM_AUDIT_DATA_CAP;
1500 switch (CAP_TO_INDEX(cap)) {
1502 sclass = SECCLASS_CAPABILITY;
1505 sclass = SECCLASS_CAPABILITY2;
1509 "SELinux: out of range capability %d\n", cap);
1514 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1515 if (audit == SECURITY_CAP_AUDIT) {
1516 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1523 /* Check whether a task is allowed to use a system operation. */
1524 static int task_has_system(struct task_struct *tsk,
1527 u32 sid = task_sid(tsk);
1529 return avc_has_perm(sid, SECINITSID_KERNEL,
1530 SECCLASS_SYSTEM, perms, NULL);
1533 /* Check whether a task has a particular permission to an inode.
1534 The 'adp' parameter is optional and allows other audit
1535 data to be passed (e.g. the dentry). */
1536 static int inode_has_perm(const struct cred *cred,
1537 struct inode *inode,
1539 struct common_audit_data *adp,
1542 struct inode_security_struct *isec;
1545 validate_creds(cred);
1547 if (unlikely(IS_PRIVATE(inode)))
1550 sid = cred_sid(cred);
1551 isec = inode->i_security;
1553 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1556 /* Same as inode_has_perm, but pass explicit audit data containing
1557 the dentry to help the auditing code to more easily generate the
1558 pathname if needed. */
1559 static inline int dentry_has_perm(const struct cred *cred,
1560 struct dentry *dentry,
1563 struct inode *inode = dentry->d_inode;
1564 struct common_audit_data ad;
1566 ad.type = LSM_AUDIT_DATA_DENTRY;
1567 ad.u.dentry = dentry;
1568 return inode_has_perm(cred, inode, av, &ad, 0);
1571 /* Same as inode_has_perm, but pass explicit audit data containing
1572 the path to help the auditing code to more easily generate the
1573 pathname if needed. */
1574 static inline int path_has_perm(const struct cred *cred,
1578 struct inode *inode = path->dentry->d_inode;
1579 struct common_audit_data ad;
1581 ad.type = LSM_AUDIT_DATA_PATH;
1583 return inode_has_perm(cred, inode, av, &ad, 0);
1586 /* Check whether a task can use an open file descriptor to
1587 access an inode in a given way. Check access to the
1588 descriptor itself, and then use dentry_has_perm to
1589 check a particular permission to the file.
1590 Access to the descriptor is implicitly granted if it
1591 has the same SID as the process. If av is zero, then
1592 access to the file is not checked, e.g. for cases
1593 where only the descriptor is affected like seek. */
1594 static int file_has_perm(const struct cred *cred,
1598 struct file_security_struct *fsec = file->f_security;
1599 struct inode *inode = file_inode(file);
1600 struct common_audit_data ad;
1601 u32 sid = cred_sid(cred);
1604 ad.type = LSM_AUDIT_DATA_PATH;
1605 ad.u.path = file->f_path;
1607 if (sid != fsec->sid) {
1608 rc = avc_has_perm(sid, fsec->sid,
1616 /* av is zero if only checking access to the descriptor. */
1619 rc = inode_has_perm(cred, inode, av, &ad, 0);
1625 /* Check whether a task can create a file. */
1626 static int may_create(struct inode *dir,
1627 struct dentry *dentry,
1630 const struct task_security_struct *tsec = current_security();
1631 struct inode_security_struct *dsec;
1632 struct superblock_security_struct *sbsec;
1634 struct common_audit_data ad;
1637 dsec = dir->i_security;
1638 sbsec = dir->i_sb->s_security;
1641 newsid = tsec->create_sid;
1643 ad.type = LSM_AUDIT_DATA_DENTRY;
1644 ad.u.dentry = dentry;
1646 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1647 DIR__ADD_NAME | DIR__SEARCH,
1652 if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
1653 rc = security_transition_sid(sid, dsec->sid, tclass,
1654 &dentry->d_name, &newsid);
1659 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1663 return avc_has_perm(newsid, sbsec->sid,
1664 SECCLASS_FILESYSTEM,
1665 FILESYSTEM__ASSOCIATE, &ad);
1668 /* Check whether a task can create a key. */
1669 static int may_create_key(u32 ksid,
1670 struct task_struct *ctx)
1672 u32 sid = task_sid(ctx);
1674 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1678 #define MAY_UNLINK 1
1681 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1682 static int may_link(struct inode *dir,
1683 struct dentry *dentry,
1687 struct inode_security_struct *dsec, *isec;
1688 struct common_audit_data ad;
1689 u32 sid = current_sid();
1693 dsec = dir->i_security;
1694 isec = dentry->d_inode->i_security;
1696 ad.type = LSM_AUDIT_DATA_DENTRY;
1697 ad.u.dentry = dentry;
1700 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1701 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1716 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1721 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1725 static inline int may_rename(struct inode *old_dir,
1726 struct dentry *old_dentry,
1727 struct inode *new_dir,
1728 struct dentry *new_dentry)
1730 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1731 struct common_audit_data ad;
1732 u32 sid = current_sid();
1734 int old_is_dir, new_is_dir;
1737 old_dsec = old_dir->i_security;
1738 old_isec = old_dentry->d_inode->i_security;
1739 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1740 new_dsec = new_dir->i_security;
1742 ad.type = LSM_AUDIT_DATA_DENTRY;
1744 ad.u.dentry = old_dentry;
1745 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1746 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1749 rc = avc_has_perm(sid, old_isec->sid,
1750 old_isec->sclass, FILE__RENAME, &ad);
1753 if (old_is_dir && new_dir != old_dir) {
1754 rc = avc_has_perm(sid, old_isec->sid,
1755 old_isec->sclass, DIR__REPARENT, &ad);
1760 ad.u.dentry = new_dentry;
1761 av = DIR__ADD_NAME | DIR__SEARCH;
1762 if (new_dentry->d_inode)
1763 av |= DIR__REMOVE_NAME;
1764 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1767 if (new_dentry->d_inode) {
1768 new_isec = new_dentry->d_inode->i_security;
1769 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1770 rc = avc_has_perm(sid, new_isec->sid,
1772 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1780 /* Check whether a task can perform a filesystem operation. */
1781 static int superblock_has_perm(const struct cred *cred,
1782 struct super_block *sb,
1784 struct common_audit_data *ad)
1786 struct superblock_security_struct *sbsec;
1787 u32 sid = cred_sid(cred);
1789 sbsec = sb->s_security;
1790 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1793 /* Convert a Linux mode and permission mask to an access vector. */
1794 static inline u32 file_mask_to_av(int mode, int mask)
1798 if (!S_ISDIR(mode)) {
1799 if (mask & MAY_EXEC)
1800 av |= FILE__EXECUTE;
1801 if (mask & MAY_READ)
1804 if (mask & MAY_APPEND)
1806 else if (mask & MAY_WRITE)
1810 if (mask & MAY_EXEC)
1812 if (mask & MAY_WRITE)
1814 if (mask & MAY_READ)
1821 /* Convert a Linux file to an access vector. */
1822 static inline u32 file_to_av(struct file *file)
1826 if (file->f_mode & FMODE_READ)
1828 if (file->f_mode & FMODE_WRITE) {
1829 if (file->f_flags & O_APPEND)
1836 * Special file opened with flags 3 for ioctl-only use.
1845 * Convert a file to an access vector and include the correct open
1848 static inline u32 open_file_to_av(struct file *file)
1850 u32 av = file_to_av(file);
1852 if (selinux_policycap_openperm)
1858 /* Hook functions begin here. */
1860 static int selinux_ptrace_access_check(struct task_struct *child,
1865 rc = cap_ptrace_access_check(child, mode);
1869 if (mode & PTRACE_MODE_READ) {
1870 u32 sid = current_sid();
1871 u32 csid = task_sid(child);
1872 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1875 return current_has_perm(child, PROCESS__PTRACE);
1878 static int selinux_ptrace_traceme(struct task_struct *parent)
1882 rc = cap_ptrace_traceme(parent);
1886 return task_has_perm(parent, current, PROCESS__PTRACE);
1889 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1890 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1894 error = current_has_perm(target, PROCESS__GETCAP);
1898 return cap_capget(target, effective, inheritable, permitted);
1901 static int selinux_capset(struct cred *new, const struct cred *old,
1902 const kernel_cap_t *effective,
1903 const kernel_cap_t *inheritable,
1904 const kernel_cap_t *permitted)
1908 error = cap_capset(new, old,
1909 effective, inheritable, permitted);
1913 return cred_has_perm(old, new, PROCESS__SETCAP);
1917 * (This comment used to live with the selinux_task_setuid hook,
1918 * which was removed).
1920 * Since setuid only affects the current process, and since the SELinux
1921 * controls are not based on the Linux identity attributes, SELinux does not
1922 * need to control this operation. However, SELinux does control the use of
1923 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1926 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1931 rc = cap_capable(cred, ns, cap, audit);
1935 return cred_has_capability(cred, cap, audit);
1938 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1940 const struct cred *cred = current_cred();
1952 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1957 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1960 rc = 0; /* let the kernel handle invalid cmds */
1966 static int selinux_quota_on(struct dentry *dentry)
1968 const struct cred *cred = current_cred();
1970 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1973 static int selinux_syslog(int type)
1978 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1979 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1980 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1982 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1983 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
1984 /* Set level of messages printed to console */
1985 case SYSLOG_ACTION_CONSOLE_LEVEL:
1986 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1988 case SYSLOG_ACTION_CLOSE: /* Close log */
1989 case SYSLOG_ACTION_OPEN: /* Open log */
1990 case SYSLOG_ACTION_READ: /* Read from log */
1991 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
1992 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
1994 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2001 * Check that a process has enough memory to allocate a new virtual
2002 * mapping. 0 means there is enough memory for the allocation to
2003 * succeed and -ENOMEM implies there is not.
2005 * Do not audit the selinux permission check, as this is applied to all
2006 * processes that allocate mappings.
2008 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2010 int rc, cap_sys_admin = 0;
2012 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
2013 SECURITY_CAP_NOAUDIT);
2017 return __vm_enough_memory(mm, pages, cap_sys_admin);
2020 /* binprm security operations */
2022 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2024 const struct task_security_struct *old_tsec;
2025 struct task_security_struct *new_tsec;
2026 struct inode_security_struct *isec;
2027 struct common_audit_data ad;
2028 struct inode *inode = file_inode(bprm->file);
2031 rc = cap_bprm_set_creds(bprm);
2035 /* SELinux context only depends on initial program or script and not
2036 * the script interpreter */
2037 if (bprm->cred_prepared)
2040 old_tsec = current_security();
2041 new_tsec = bprm->cred->security;
2042 isec = inode->i_security;
2044 /* Default to the current task SID. */
2045 new_tsec->sid = old_tsec->sid;
2046 new_tsec->osid = old_tsec->sid;
2048 /* Reset fs, key, and sock SIDs on execve. */
2049 new_tsec->create_sid = 0;
2050 new_tsec->keycreate_sid = 0;
2051 new_tsec->sockcreate_sid = 0;
2053 if (old_tsec->exec_sid) {
2054 new_tsec->sid = old_tsec->exec_sid;
2055 /* Reset exec SID on execve. */
2056 new_tsec->exec_sid = 0;
2059 * Minimize confusion: if no_new_privs and a transition is
2060 * explicitly requested, then fail the exec.
2062 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2065 /* Check for a default transition on this program. */
2066 rc = security_transition_sid(old_tsec->sid, isec->sid,
2067 SECCLASS_PROCESS, NULL,
2073 ad.type = LSM_AUDIT_DATA_PATH;
2074 ad.u.path = bprm->file->f_path;
2076 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2077 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2078 new_tsec->sid = old_tsec->sid;
2080 if (new_tsec->sid == old_tsec->sid) {
2081 rc = avc_has_perm(old_tsec->sid, isec->sid,
2082 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2086 /* Check permissions for the transition. */
2087 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2088 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2092 rc = avc_has_perm(new_tsec->sid, isec->sid,
2093 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2097 /* Check for shared state */
2098 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2099 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2100 SECCLASS_PROCESS, PROCESS__SHARE,
2106 /* Make sure that anyone attempting to ptrace over a task that
2107 * changes its SID has the appropriate permit */
2109 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2110 struct task_struct *tracer;
2111 struct task_security_struct *sec;
2115 tracer = ptrace_parent(current);
2116 if (likely(tracer != NULL)) {
2117 sec = __task_cred(tracer)->security;
2123 rc = avc_has_perm(ptsid, new_tsec->sid,
2125 PROCESS__PTRACE, NULL);
2131 /* Clear any possibly unsafe personality bits on exec: */
2132 bprm->per_clear |= PER_CLEAR_ON_SETID;
2138 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2140 const struct task_security_struct *tsec = current_security();
2148 /* Enable secure mode for SIDs transitions unless
2149 the noatsecure permission is granted between
2150 the two SIDs, i.e. ahp returns 0. */
2151 atsecure = avc_has_perm(osid, sid,
2153 PROCESS__NOATSECURE, NULL);
2156 return (atsecure || cap_bprm_secureexec(bprm));
2159 static int match_file(const void *p, struct file *file, unsigned fd)
2161 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2164 /* Derived from fs/exec.c:flush_old_files. */
2165 static inline void flush_unauthorized_files(const struct cred *cred,
2166 struct files_struct *files)
2168 struct file *file, *devnull = NULL;
2169 struct tty_struct *tty;
2173 tty = get_current_tty();
2175 spin_lock(&tty_files_lock);
2176 if (!list_empty(&tty->tty_files)) {
2177 struct tty_file_private *file_priv;
2179 /* Revalidate access to controlling tty.
2180 Use path_has_perm on the tty path directly rather
2181 than using file_has_perm, as this particular open
2182 file may belong to another process and we are only
2183 interested in the inode-based check here. */
2184 file_priv = list_first_entry(&tty->tty_files,
2185 struct tty_file_private, list);
2186 file = file_priv->file;
2187 if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
2190 spin_unlock(&tty_files_lock);
2193 /* Reset controlling tty. */
2197 /* Revalidate access to inherited open files. */
2198 n = iterate_fd(files, 0, match_file, cred);
2199 if (!n) /* none found? */
2202 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2203 if (IS_ERR(devnull))
2205 /* replace all the matching ones with this */
2207 replace_fd(n - 1, devnull, 0);
2208 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2214 * Prepare a process for imminent new credential changes due to exec
2216 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2218 struct task_security_struct *new_tsec;
2219 struct rlimit *rlim, *initrlim;
2222 new_tsec = bprm->cred->security;
2223 if (new_tsec->sid == new_tsec->osid)
2226 /* Close files for which the new task SID is not authorized. */
2227 flush_unauthorized_files(bprm->cred, current->files);
2229 /* Always clear parent death signal on SID transitions. */
2230 current->pdeath_signal = 0;
2232 /* Check whether the new SID can inherit resource limits from the old
2233 * SID. If not, reset all soft limits to the lower of the current
2234 * task's hard limit and the init task's soft limit.
2236 * Note that the setting of hard limits (even to lower them) can be
2237 * controlled by the setrlimit check. The inclusion of the init task's
2238 * soft limit into the computation is to avoid resetting soft limits
2239 * higher than the default soft limit for cases where the default is
2240 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2242 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2243 PROCESS__RLIMITINH, NULL);
2245 /* protect against do_prlimit() */
2247 for (i = 0; i < RLIM_NLIMITS; i++) {
2248 rlim = current->signal->rlim + i;
2249 initrlim = init_task.signal->rlim + i;
2250 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2252 task_unlock(current);
2253 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2258 * Clean up the process immediately after the installation of new credentials
2261 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2263 const struct task_security_struct *tsec = current_security();
2264 struct itimerval itimer;
2274 /* Check whether the new SID can inherit signal state from the old SID.
2275 * If not, clear itimers to avoid subsequent signal generation and
2276 * flush and unblock signals.
2278 * This must occur _after_ the task SID has been updated so that any
2279 * kill done after the flush will be checked against the new SID.
2281 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2283 memset(&itimer, 0, sizeof itimer);
2284 for (i = 0; i < 3; i++)
2285 do_setitimer(i, &itimer, NULL);
2286 spin_lock_irq(¤t->sighand->siglock);
2287 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2288 __flush_signals(current);
2289 flush_signal_handlers(current, 1);
2290 sigemptyset(¤t->blocked);
2292 spin_unlock_irq(¤t->sighand->siglock);
2295 /* Wake up the parent if it is waiting so that it can recheck
2296 * wait permission to the new task SID. */
2297 read_lock(&tasklist_lock);
2298 __wake_up_parent(current, current->real_parent);
2299 read_unlock(&tasklist_lock);
2302 /* superblock security operations */
2304 static int selinux_sb_alloc_security(struct super_block *sb)
2306 return superblock_alloc_security(sb);
2309 static void selinux_sb_free_security(struct super_block *sb)
2311 superblock_free_security(sb);
2314 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2319 return !memcmp(prefix, option, plen);
2322 static inline int selinux_option(char *option, int len)
2324 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2325 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2326 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2327 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2328 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2331 static inline void take_option(char **to, char *from, int *first, int len)
2338 memcpy(*to, from, len);
2342 static inline void take_selinux_option(char **to, char *from, int *first,
2345 int current_size = 0;
2353 while (current_size < len) {
2363 static int selinux_sb_copy_data(char *orig, char *copy)
2365 int fnosec, fsec, rc = 0;
2366 char *in_save, *in_curr, *in_end;
2367 char *sec_curr, *nosec_save, *nosec;
2373 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2381 in_save = in_end = orig;
2385 open_quote = !open_quote;
2386 if ((*in_end == ',' && open_quote == 0) ||
2388 int len = in_end - in_curr;
2390 if (selinux_option(in_curr, len))
2391 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2393 take_option(&nosec, in_curr, &fnosec, len);
2395 in_curr = in_end + 1;
2397 } while (*in_end++);
2399 strcpy(in_save, nosec_save);
2400 free_page((unsigned long)nosec_save);
2405 static int selinux_sb_remount(struct super_block *sb, void *data)
2408 struct security_mnt_opts opts;
2409 char *secdata, **mount_options;
2410 struct superblock_security_struct *sbsec = sb->s_security;
2412 if (!(sbsec->flags & SE_SBINITIALIZED))
2418 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2421 security_init_mnt_opts(&opts);
2422 secdata = alloc_secdata();
2425 rc = selinux_sb_copy_data(data, secdata);
2427 goto out_free_secdata;
2429 rc = selinux_parse_opts_str(secdata, &opts);
2431 goto out_free_secdata;
2433 mount_options = opts.mnt_opts;
2434 flags = opts.mnt_opts_flags;
2436 for (i = 0; i < opts.num_mnt_opts; i++) {
2440 if (flags[i] == SBLABEL_MNT)
2442 len = strlen(mount_options[i]);
2443 rc = security_context_to_sid(mount_options[i], len, &sid);
2445 printk(KERN_WARNING "SELinux: security_context_to_sid"
2446 "(%s) failed for (dev %s, type "SB_TYPE_FMT") errno=%d\n",
2447 mount_options[i], sb->s_id, SB_TYPE_ARGS(sb), rc);
2453 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2454 goto out_bad_option;
2457 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2458 goto out_bad_option;
2460 case ROOTCONTEXT_MNT: {
2461 struct inode_security_struct *root_isec;
2462 root_isec = sb->s_root->d_inode->i_security;
2464 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2465 goto out_bad_option;
2468 case DEFCONTEXT_MNT:
2469 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2470 goto out_bad_option;
2479 security_free_mnt_opts(&opts);
2481 free_secdata(secdata);
2484 printk(KERN_WARNING "SELinux: unable to change security options "
2485 "during remount (dev %s, type "SB_TYPE_FMT")\n", sb->s_id,
2490 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2492 const struct cred *cred = current_cred();
2493 struct common_audit_data ad;
2496 rc = superblock_doinit(sb, data);
2500 /* Allow all mounts performed by the kernel */
2501 if (flags & MS_KERNMOUNT)
2504 ad.type = LSM_AUDIT_DATA_DENTRY;
2505 ad.u.dentry = sb->s_root;
2506 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2509 static int selinux_sb_statfs(struct dentry *dentry)
2511 const struct cred *cred = current_cred();
2512 struct common_audit_data ad;
2514 ad.type = LSM_AUDIT_DATA_DENTRY;
2515 ad.u.dentry = dentry->d_sb->s_root;
2516 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2519 static int selinux_mount(const char *dev_name,
2522 unsigned long flags,
2525 const struct cred *cred = current_cred();
2527 if (flags & MS_REMOUNT)
2528 return superblock_has_perm(cred, path->dentry->d_sb,
2529 FILESYSTEM__REMOUNT, NULL);
2531 return path_has_perm(cred, path, FILE__MOUNTON);
2534 static int selinux_umount(struct vfsmount *mnt, int flags)
2536 const struct cred *cred = current_cred();
2538 return superblock_has_perm(cred, mnt->mnt_sb,
2539 FILESYSTEM__UNMOUNT, NULL);
2542 /* inode security operations */
2544 static int selinux_inode_alloc_security(struct inode *inode)
2546 return inode_alloc_security(inode);
2549 static void selinux_inode_free_security(struct inode *inode)
2551 inode_free_security(inode);
2554 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2555 const struct qstr *qstr, char **name,
2556 void **value, size_t *len)
2558 const struct task_security_struct *tsec = current_security();
2559 struct inode_security_struct *dsec;
2560 struct superblock_security_struct *sbsec;
2561 u32 sid, newsid, clen;
2563 char *namep = NULL, *context;
2565 dsec = dir->i_security;
2566 sbsec = dir->i_sb->s_security;
2569 newsid = tsec->create_sid;
2571 if ((sbsec->flags & SE_SBINITIALIZED) &&
2572 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2573 newsid = sbsec->mntpoint_sid;
2574 else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
2575 rc = security_transition_sid(sid, dsec->sid,
2576 inode_mode_to_security_class(inode->i_mode),
2579 printk(KERN_WARNING "%s: "
2580 "security_transition_sid failed, rc=%d (dev=%s "
2583 -rc, inode->i_sb->s_id, inode->i_ino);
2588 /* Possibly defer initialization to selinux_complete_init. */
2589 if (sbsec->flags & SE_SBINITIALIZED) {
2590 struct inode_security_struct *isec = inode->i_security;
2591 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2593 isec->initialized = 1;
2596 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2600 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2607 rc = security_sid_to_context_force(newsid, &context, &clen);
2619 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2621 return may_create(dir, dentry, SECCLASS_FILE);
2624 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2626 return may_link(dir, old_dentry, MAY_LINK);
2629 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2631 return may_link(dir, dentry, MAY_UNLINK);
2634 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2636 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2639 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2641 return may_create(dir, dentry, SECCLASS_DIR);
2644 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2646 return may_link(dir, dentry, MAY_RMDIR);
2649 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2651 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2654 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2655 struct inode *new_inode, struct dentry *new_dentry)
2657 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2660 static int selinux_inode_readlink(struct dentry *dentry)
2662 const struct cred *cred = current_cred();
2664 return dentry_has_perm(cred, dentry, FILE__READ);
2667 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2669 const struct cred *cred = current_cred();
2671 return dentry_has_perm(cred, dentry, FILE__READ);
2674 static noinline int audit_inode_permission(struct inode *inode,
2675 u32 perms, u32 audited, u32 denied,
2678 struct common_audit_data ad;
2679 struct inode_security_struct *isec = inode->i_security;
2682 ad.type = LSM_AUDIT_DATA_INODE;
2685 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2686 audited, denied, &ad, flags);
2692 static int selinux_inode_permission(struct inode *inode, int mask)
2694 const struct cred *cred = current_cred();
2697 unsigned flags = mask & MAY_NOT_BLOCK;
2698 struct inode_security_struct *isec;
2700 struct av_decision avd;
2702 u32 audited, denied;
2704 from_access = mask & MAY_ACCESS;
2705 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2707 /* No permission to check. Existence test. */
2711 validate_creds(cred);
2713 if (unlikely(IS_PRIVATE(inode)))
2716 perms = file_mask_to_av(inode->i_mode, mask);
2718 sid = cred_sid(cred);
2719 isec = inode->i_security;
2721 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2722 audited = avc_audit_required(perms, &avd, rc,
2723 from_access ? FILE__AUDIT_ACCESS : 0,
2725 if (likely(!audited))
2728 rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
2734 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2736 const struct cred *cred = current_cred();
2737 unsigned int ia_valid = iattr->ia_valid;
2738 __u32 av = FILE__WRITE;
2740 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2741 if (ia_valid & ATTR_FORCE) {
2742 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2748 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2749 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2750 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2752 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2755 return dentry_has_perm(cred, dentry, av);
2758 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2760 const struct cred *cred = current_cred();
2763 path.dentry = dentry;
2766 return path_has_perm(cred, &path, FILE__GETATTR);
2769 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2771 const struct cred *cred = current_cred();
2773 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2774 sizeof XATTR_SECURITY_PREFIX - 1)) {
2775 if (!strcmp(name, XATTR_NAME_CAPS)) {
2776 if (!capable(CAP_SETFCAP))
2778 } else if (!capable(CAP_SYS_ADMIN)) {
2779 /* A different attribute in the security namespace.
2780 Restrict to administrator. */
2785 /* Not an attribute we recognize, so just check the
2786 ordinary setattr permission. */
2787 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2790 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2791 const void *value, size_t size, int flags)
2793 struct inode *inode = dentry->d_inode;
2794 struct inode_security_struct *isec = inode->i_security;
2795 struct superblock_security_struct *sbsec;
2796 struct common_audit_data ad;
2797 u32 newsid, sid = current_sid();
2800 if (strcmp(name, XATTR_NAME_SELINUX))
2801 return selinux_inode_setotherxattr(dentry, name);
2803 sbsec = inode->i_sb->s_security;
2804 if (!(sbsec->flags & SBLABEL_MNT))
2807 if (!inode_owner_or_capable(inode))
2810 ad.type = LSM_AUDIT_DATA_DENTRY;
2811 ad.u.dentry = dentry;
2813 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2814 FILE__RELABELFROM, &ad);
2818 rc = security_context_to_sid(value, size, &newsid);
2819 if (rc == -EINVAL) {
2820 if (!capable(CAP_MAC_ADMIN)) {
2821 struct audit_buffer *ab;
2825 /* We strip a nul only if it is at the end, otherwise the
2826 * context contains a nul and we should audit that */
2829 if (str[size - 1] == '\0')
2830 audit_size = size - 1;
2837 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2838 audit_log_format(ab, "op=setxattr invalid_context=");
2839 audit_log_n_untrustedstring(ab, value, audit_size);
2844 rc = security_context_to_sid_force(value, size, &newsid);
2849 rc = avc_has_perm(sid, newsid, isec->sclass,
2850 FILE__RELABELTO, &ad);
2854 rc = security_validate_transition(isec->sid, newsid, sid,
2859 return avc_has_perm(newsid,
2861 SECCLASS_FILESYSTEM,
2862 FILESYSTEM__ASSOCIATE,
2866 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2867 const void *value, size_t size,
2870 struct inode *inode = dentry->d_inode;
2871 struct inode_security_struct *isec = inode->i_security;
2875 if (strcmp(name, XATTR_NAME_SELINUX)) {
2876 /* Not an attribute we recognize, so nothing to do. */
2880 rc = security_context_to_sid_force(value, size, &newsid);
2882 printk(KERN_ERR "SELinux: unable to map context to SID"
2883 "for (%s, %lu), rc=%d\n",
2884 inode->i_sb->s_id, inode->i_ino, -rc);
2892 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2894 const struct cred *cred = current_cred();
2896 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2899 static int selinux_inode_listxattr(struct dentry *dentry)
2901 const struct cred *cred = current_cred();
2903 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2906 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2908 if (strcmp(name, XATTR_NAME_SELINUX))
2909 return selinux_inode_setotherxattr(dentry, name);
2911 /* No one is allowed to remove a SELinux security label.
2912 You can change the label, but all data must be labeled. */
2917 * Copy the inode security context value to the user.
2919 * Permission check is handled by selinux_inode_getxattr hook.
2921 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2925 char *context = NULL;
2926 struct inode_security_struct *isec = inode->i_security;
2928 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2932 * If the caller has CAP_MAC_ADMIN, then get the raw context
2933 * value even if it is not defined by current policy; otherwise,
2934 * use the in-core value under current policy.
2935 * Use the non-auditing forms of the permission checks since
2936 * getxattr may be called by unprivileged processes commonly
2937 * and lack of permission just means that we fall back to the
2938 * in-core context value, not a denial.
2940 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
2941 SECURITY_CAP_NOAUDIT);
2943 error = security_sid_to_context_force(isec->sid, &context,
2946 error = security_sid_to_context(isec->sid, &context, &size);
2959 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2960 const void *value, size_t size, int flags)
2962 struct inode_security_struct *isec = inode->i_security;
2966 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2969 if (!value || !size)
2972 rc = security_context_to_sid((void *)value, size, &newsid);
2977 isec->initialized = 1;
2981 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2983 const int len = sizeof(XATTR_NAME_SELINUX);
2984 if (buffer && len <= buffer_size)
2985 memcpy(buffer, XATTR_NAME_SELINUX, len);
2989 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2991 struct inode_security_struct *isec = inode->i_security;
2995 /* file security operations */
2997 static int selinux_revalidate_file_permission(struct file *file, int mask)
2999 const struct cred *cred = current_cred();
3000 struct inode *inode = file_inode(file);
3002 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3003 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3006 return file_has_perm(cred, file,
3007 file_mask_to_av(inode->i_mode, mask));
3010 static int selinux_file_permission(struct file *file, int mask)
3012 struct inode *inode = file_inode(file);
3013 struct file_security_struct *fsec = file->f_security;
3014 struct inode_security_struct *isec = inode->i_security;
3015 u32 sid = current_sid();
3018 /* No permission to check. Existence test. */
3021 if (sid == fsec->sid && fsec->isid == isec->sid &&
3022 fsec->pseqno == avc_policy_seqno())
3023 /* No change since file_open check. */
3026 return selinux_revalidate_file_permission(file, mask);
3029 static int selinux_file_alloc_security(struct file *file)
3031 return file_alloc_security(file);
3034 static void selinux_file_free_security(struct file *file)
3036 file_free_security(file);
3039 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3042 const struct cred *cred = current_cred();
3052 case FS_IOC_GETFLAGS:
3054 case FS_IOC_GETVERSION:
3055 error = file_has_perm(cred, file, FILE__GETATTR);
3058 case FS_IOC_SETFLAGS:
3060 case FS_IOC_SETVERSION:
3061 error = file_has_perm(cred, file, FILE__SETATTR);
3064 /* sys_ioctl() checks */
3068 error = file_has_perm(cred, file, 0);
3073 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3074 SECURITY_CAP_AUDIT);
3077 /* default case assumes that the command will go
3078 * to the file's ioctl() function.
3081 error = file_has_perm(cred, file, FILE__IOCTL);
3086 static int default_noexec;
3088 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3090 const struct cred *cred = current_cred();
3093 if (default_noexec &&
3094 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3096 * We are making executable an anonymous mapping or a
3097 * private file mapping that will also be writable.
3098 * This has an additional check.
3100 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3106 /* read access is always possible with a mapping */
3107 u32 av = FILE__READ;
3109 /* write access only matters if the mapping is shared */
3110 if (shared && (prot & PROT_WRITE))
3113 if (prot & PROT_EXEC)
3114 av |= FILE__EXECUTE;
3116 return file_has_perm(cred, file, av);
3123 static int selinux_mmap_addr(unsigned long addr)
3126 u32 sid = current_sid();
3129 * notice that we are intentionally putting the SELinux check before
3130 * the secondary cap_file_mmap check. This is such a likely attempt
3131 * at bad behaviour/exploit that we always want to get the AVC, even
3132 * if DAC would have also denied the operation.
3134 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3135 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3136 MEMPROTECT__MMAP_ZERO, NULL);
3141 /* do DAC check on address space usage */
3142 return cap_mmap_addr(addr);
3145 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3146 unsigned long prot, unsigned long flags)
3148 if (selinux_checkreqprot)
3151 return file_map_prot_check(file, prot,
3152 (flags & MAP_TYPE) == MAP_SHARED);
3155 static int selinux_file_mprotect(struct vm_area_struct *vma,
3156 unsigned long reqprot,
3159 const struct cred *cred = current_cred();
3161 if (selinux_checkreqprot)
3164 if (default_noexec &&
3165 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3167 if (vma->vm_start >= vma->vm_mm->start_brk &&
3168 vma->vm_end <= vma->vm_mm->brk) {
3169 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3170 } else if (!vma->vm_file &&
3171 vma->vm_start <= vma->vm_mm->start_stack &&
3172 vma->vm_end >= vma->vm_mm->start_stack) {
3173 rc = current_has_perm(current, PROCESS__EXECSTACK);
3174 } else if (vma->vm_file && vma->anon_vma) {
3176 * We are making executable a file mapping that has
3177 * had some COW done. Since pages might have been
3178 * written, check ability to execute the possibly
3179 * modified content. This typically should only
3180 * occur for text relocations.
3182 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3188 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3191 static int selinux_file_lock(struct file *file, unsigned int cmd)
3193 const struct cred *cred = current_cred();
3195 return file_has_perm(cred, file, FILE__LOCK);
3198 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3201 const struct cred *cred = current_cred();
3206 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3207 err = file_has_perm(cred, file, FILE__WRITE);
3216 case F_GETOWNER_UIDS:
3217 /* Just check FD__USE permission */
3218 err = file_has_perm(cred, file, 0);
3223 #if BITS_PER_LONG == 32
3228 err = file_has_perm(cred, file, FILE__LOCK);
3235 static int selinux_file_set_fowner(struct file *file)
3237 struct file_security_struct *fsec;
3239 fsec = file->f_security;
3240 fsec->fown_sid = current_sid();
3245 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3246 struct fown_struct *fown, int signum)
3249 u32 sid = task_sid(tsk);
3251 struct file_security_struct *fsec;
3253 /* struct fown_struct is never outside the context of a struct file */
3254 file = container_of(fown, struct file, f_owner);
3256 fsec = file->f_security;
3259 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3261 perm = signal_to_av(signum);
3263 return avc_has_perm(fsec->fown_sid, sid,
3264 SECCLASS_PROCESS, perm, NULL);
3267 static int selinux_file_receive(struct file *file)
3269 const struct cred *cred = current_cred();
3271 return file_has_perm(cred, file, file_to_av(file));
3274 static int selinux_file_open(struct file *file, const struct cred *cred)
3276 struct file_security_struct *fsec;
3277 struct inode_security_struct *isec;
3279 fsec = file->f_security;
3280 isec = file_inode(file)->i_security;
3282 * Save inode label and policy sequence number
3283 * at open-time so that selinux_file_permission
3284 * can determine whether revalidation is necessary.
3285 * Task label is already saved in the file security
3286 * struct as its SID.
3288 fsec->isid = isec->sid;
3289 fsec->pseqno = avc_policy_seqno();
3291 * Since the inode label or policy seqno may have changed
3292 * between the selinux_inode_permission check and the saving
3293 * of state above, recheck that access is still permitted.
3294 * Otherwise, access might never be revalidated against the
3295 * new inode label or new policy.
3296 * This check is not redundant - do not remove.
3298 return path_has_perm(cred, &file->f_path, open_file_to_av(file));
3301 /* task security operations */
3303 static int selinux_task_create(unsigned long clone_flags)
3305 return current_has_perm(current, PROCESS__FORK);
3309 * allocate the SELinux part of blank credentials
3311 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3313 struct task_security_struct *tsec;
3315 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3319 cred->security = tsec;
3324 * detach and free the LSM part of a set of credentials
3326 static void selinux_cred_free(struct cred *cred)
3328 struct task_security_struct *tsec = cred->security;
3331 * cred->security == NULL if security_cred_alloc_blank() or
3332 * security_prepare_creds() returned an error.
3334 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3335 cred->security = (void *) 0x7UL;
3340 * prepare a new set of credentials for modification
3342 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3345 const struct task_security_struct *old_tsec;
3346 struct task_security_struct *tsec;
3348 old_tsec = old->security;
3350 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3354 new->security = tsec;
3359 * transfer the SELinux data to a blank set of creds
3361 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3363 const struct task_security_struct *old_tsec = old->security;
3364 struct task_security_struct *tsec = new->security;
3370 * set the security data for a kernel service
3371 * - all the creation contexts are set to unlabelled
3373 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3375 struct task_security_struct *tsec = new->security;
3376 u32 sid = current_sid();
3379 ret = avc_has_perm(sid, secid,
3380 SECCLASS_KERNEL_SERVICE,
3381 KERNEL_SERVICE__USE_AS_OVERRIDE,
3385 tsec->create_sid = 0;
3386 tsec->keycreate_sid = 0;
3387 tsec->sockcreate_sid = 0;
3393 * set the file creation context in a security record to the same as the
3394 * objective context of the specified inode
3396 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3398 struct inode_security_struct *isec = inode->i_security;
3399 struct task_security_struct *tsec = new->security;
3400 u32 sid = current_sid();
3403 ret = avc_has_perm(sid, isec->sid,
3404 SECCLASS_KERNEL_SERVICE,
3405 KERNEL_SERVICE__CREATE_FILES_AS,
3409 tsec->create_sid = isec->sid;
3413 static int selinux_kernel_module_request(char *kmod_name)
3416 struct common_audit_data ad;
3418 sid = task_sid(current);
3420 ad.type = LSM_AUDIT_DATA_KMOD;
3421 ad.u.kmod_name = kmod_name;
3423 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3424 SYSTEM__MODULE_REQUEST, &ad);
3427 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3429 return current_has_perm(p, PROCESS__SETPGID);
3432 static int selinux_task_getpgid(struct task_struct *p)
3434 return current_has_perm(p, PROCESS__GETPGID);
3437 static int selinux_task_getsid(struct task_struct *p)
3439 return current_has_perm(p, PROCESS__GETSESSION);
3442 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3444 *secid = task_sid(p);
3447 static int selinux_task_setnice(struct task_struct *p, int nice)
3451 rc = cap_task_setnice(p, nice);
3455 return current_has_perm(p, PROCESS__SETSCHED);
3458 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3462 rc = cap_task_setioprio(p, ioprio);
3466 return current_has_perm(p, PROCESS__SETSCHED);
3469 static int selinux_task_getioprio(struct task_struct *p)
3471 return current_has_perm(p, PROCESS__GETSCHED);
3474 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3475 struct rlimit *new_rlim)
3477 struct rlimit *old_rlim = p->signal->rlim + resource;
3479 /* Control the ability to change the hard limit (whether
3480 lowering or raising it), so that the hard limit can
3481 later be used as a safe reset point for the soft limit
3482 upon context transitions. See selinux_bprm_committing_creds. */
3483 if (old_rlim->rlim_max != new_rlim->rlim_max)
3484 return current_has_perm(p, PROCESS__SETRLIMIT);
3489 static int selinux_task_setscheduler(struct task_struct *p)
3493 rc = cap_task_setscheduler(p);
3497 return current_has_perm(p, PROCESS__SETSCHED);
3500 static int selinux_task_getscheduler(struct task_struct *p)
3502 return current_has_perm(p, PROCESS__GETSCHED);
3505 static int selinux_task_movememory(struct task_struct *p)
3507 return current_has_perm(p, PROCESS__SETSCHED);
3510 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3517 perm = PROCESS__SIGNULL; /* null signal; existence test */
3519 perm = signal_to_av(sig);
3521 rc = avc_has_perm(secid, task_sid(p),
3522 SECCLASS_PROCESS, perm, NULL);
3524 rc = current_has_perm(p, perm);
3528 static int selinux_task_wait(struct task_struct *p)
3530 return task_has_perm(p, current, PROCESS__SIGCHLD);
3533 static void selinux_task_to_inode(struct task_struct *p,
3534 struct inode *inode)
3536 struct inode_security_struct *isec = inode->i_security;
3537 u32 sid = task_sid(p);
3540 isec->initialized = 1;
3543 /* Returns error only if unable to parse addresses */
3544 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3545 struct common_audit_data *ad, u8 *proto)
3547 int offset, ihlen, ret = -EINVAL;
3548 struct iphdr _iph, *ih;
3550 offset = skb_network_offset(skb);
3551 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3555 ihlen = ih->ihl * 4;
3556 if (ihlen < sizeof(_iph))
3559 ad->u.net->v4info.saddr = ih->saddr;
3560 ad->u.net->v4info.daddr = ih->daddr;
3564 *proto = ih->protocol;
3566 switch (ih->protocol) {
3568 struct tcphdr _tcph, *th;
3570 if (ntohs(ih->frag_off) & IP_OFFSET)
3574 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3578 ad->u.net->sport = th->source;
3579 ad->u.net->dport = th->dest;
3584 struct udphdr _udph, *uh;
3586 if (ntohs(ih->frag_off) & IP_OFFSET)
3590 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3594 ad->u.net->sport = uh->source;
3595 ad->u.net->dport = uh->dest;
3599 case IPPROTO_DCCP: {
3600 struct dccp_hdr _dccph, *dh;
3602 if (ntohs(ih->frag_off) & IP_OFFSET)
3606 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3610 ad->u.net->sport = dh->dccph_sport;
3611 ad->u.net->dport = dh->dccph_dport;
3622 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3624 /* Returns error only if unable to parse addresses */
3625 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3626 struct common_audit_data *ad, u8 *proto)
3629 int ret = -EINVAL, offset;
3630 struct ipv6hdr _ipv6h, *ip6;
3633 offset = skb_network_offset(skb);
3634 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3638 ad->u.net->v6info.saddr = ip6->saddr;
3639 ad->u.net->v6info.daddr = ip6->daddr;
3642 nexthdr = ip6->nexthdr;
3643 offset += sizeof(_ipv6h);
3644 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3653 struct tcphdr _tcph, *th;
3655 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3659 ad->u.net->sport = th->source;
3660 ad->u.net->dport = th->dest;
3665 struct udphdr _udph, *uh;
3667 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3671 ad->u.net->sport = uh->source;
3672 ad->u.net->dport = uh->dest;
3676 case IPPROTO_DCCP: {
3677 struct dccp_hdr _dccph, *dh;
3679 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3683 ad->u.net->sport = dh->dccph_sport;
3684 ad->u.net->dport = dh->dccph_dport;
3688 /* includes fragments */
3698 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3699 char **_addrp, int src, u8 *proto)
3704 switch (ad->u.net->family) {
3706 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3709 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3710 &ad->u.net->v4info.daddr);
3713 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3715 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3718 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3719 &ad->u.net->v6info.daddr);
3729 "SELinux: failure in selinux_parse_skb(),"
3730 " unable to parse packet\n");
3740 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3742 * @family: protocol family
3743 * @sid: the packet's peer label SID
3746 * Check the various different forms of network peer labeling and determine
3747 * the peer label/SID for the packet; most of the magic actually occurs in
3748 * the security server function security_net_peersid_cmp(). The function
3749 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3750 * or -EACCES if @sid is invalid due to inconsistencies with the different
3754 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3761 err = selinux_skb_xfrm_sid(skb, &xfrm_sid);
3764 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3768 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3769 if (unlikely(err)) {
3771 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3772 " unable to determine packet's peer label\n");
3779 /* socket security operations */
3781 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3782 u16 secclass, u32 *socksid)
3784 if (tsec->sockcreate_sid > SECSID_NULL) {
3785 *socksid = tsec->sockcreate_sid;
3789 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3793 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3795 struct sk_security_struct *sksec = sk->sk_security;
3796 struct common_audit_data ad;
3797 struct lsm_network_audit net = {0,};
3798 u32 tsid = task_sid(task);
3800 if (sksec->sid == SECINITSID_KERNEL)
3803 ad.type = LSM_AUDIT_DATA_NET;
3807 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3810 static int selinux_socket_create(int family, int type,
3811 int protocol, int kern)
3813 const struct task_security_struct *tsec = current_security();
3821 secclass = socket_type_to_security_class(family, type, protocol);
3822 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3826 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3829 static int selinux_socket_post_create(struct socket *sock, int family,
3830 int type, int protocol, int kern)
3832 const struct task_security_struct *tsec = current_security();
3833 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3834 struct sk_security_struct *sksec;
3837 isec->sclass = socket_type_to_security_class(family, type, protocol);
3840 isec->sid = SECINITSID_KERNEL;
3842 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3847 isec->initialized = 1;
3850 sksec = sock->sk->sk_security;
3851 sksec->sid = isec->sid;
3852 sksec->sclass = isec->sclass;
3853 err = selinux_netlbl_socket_post_create(sock->sk, family);
3859 /* Range of port numbers used to automatically bind.
3860 Need to determine whether we should perform a name_bind
3861 permission check between the socket and the port number. */
3863 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3865 struct sock *sk = sock->sk;
3869 err = sock_has_perm(current, sk, SOCKET__BIND);
3874 * If PF_INET or PF_INET6, check name_bind permission for the port.
3875 * Multiple address binding for SCTP is not supported yet: we just
3876 * check the first address now.
3878 family = sk->sk_family;
3879 if (family == PF_INET || family == PF_INET6) {
3881 struct sk_security_struct *sksec = sk->sk_security;
3882 struct common_audit_data ad;
3883 struct lsm_network_audit net = {0,};
3884 struct sockaddr_in *addr4 = NULL;
3885 struct sockaddr_in6 *addr6 = NULL;
3886 unsigned short snum;
3889 if (family == PF_INET) {
3890 addr4 = (struct sockaddr_in *)address;
3891 snum = ntohs(addr4->sin_port);
3892 addrp = (char *)&addr4->sin_addr.s_addr;
3894 addr6 = (struct sockaddr_in6 *)address;
3895 snum = ntohs(addr6->sin6_port);
3896 addrp = (char *)&addr6->sin6_addr.s6_addr;
3902 inet_get_local_port_range(&low, &high);
3904 if (snum < max(PROT_SOCK, low) || snum > high) {
3905 err = sel_netport_sid(sk->sk_protocol,
3909 ad.type = LSM_AUDIT_DATA_NET;
3911 ad.u.net->sport = htons(snum);
3912 ad.u.net->family = family;
3913 err = avc_has_perm(sksec->sid, sid,
3915 SOCKET__NAME_BIND, &ad);
3921 switch (sksec->sclass) {
3922 case SECCLASS_TCP_SOCKET:
3923 node_perm = TCP_SOCKET__NODE_BIND;
3926 case SECCLASS_UDP_SOCKET:
3927 node_perm = UDP_SOCKET__NODE_BIND;
3930 case SECCLASS_DCCP_SOCKET:
3931 node_perm = DCCP_SOCKET__NODE_BIND;
3935 node_perm = RAWIP_SOCKET__NODE_BIND;
3939 err = sel_netnode_sid(addrp, family, &sid);
3943 ad.type = LSM_AUDIT_DATA_NET;
3945 ad.u.net->sport = htons(snum);
3946 ad.u.net->family = family;
3948 if (family == PF_INET)
3949 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
3951 ad.u.net->v6info.saddr = addr6->sin6_addr;
3953 err = avc_has_perm(sksec->sid, sid,
3954 sksec->sclass, node_perm, &ad);
3962 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3964 struct sock *sk = sock->sk;
3965 struct sk_security_struct *sksec = sk->sk_security;
3968 err = sock_has_perm(current, sk, SOCKET__CONNECT);
3973 * If a TCP or DCCP socket, check name_connect permission for the port.
3975 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3976 sksec->sclass == SECCLASS_DCCP_SOCKET) {
3977 struct common_audit_data ad;
3978 struct lsm_network_audit net = {0,};
3979 struct sockaddr_in *addr4 = NULL;
3980 struct sockaddr_in6 *addr6 = NULL;
3981 unsigned short snum;
3984 if (sk->sk_family == PF_INET) {
3985 addr4 = (struct sockaddr_in *)address;
3986 if (addrlen < sizeof(struct sockaddr_in))
3988 snum = ntohs(addr4->sin_port);
3990 addr6 = (struct sockaddr_in6 *)address;
3991 if (addrlen < SIN6_LEN_RFC2133)
3993 snum = ntohs(addr6->sin6_port);
3996 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4000 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4001 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4003 ad.type = LSM_AUDIT_DATA_NET;
4005 ad.u.net->dport = htons(snum);
4006 ad.u.net->family = sk->sk_family;
4007 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4012 err = selinux_netlbl_socket_connect(sk, address);
4018 static int selinux_socket_listen(struct socket *sock, int backlog)
4020 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4023 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4026 struct inode_security_struct *isec;
4027 struct inode_security_struct *newisec;
4029 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4033 newisec = SOCK_INODE(newsock)->i_security;
4035 isec = SOCK_INODE(sock)->i_security;
4036 newisec->sclass = isec->sclass;
4037 newisec->sid = isec->sid;
4038 newisec->initialized = 1;
4043 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4046 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4049 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4050 int size, int flags)
4052 return sock_has_perm(current, sock->sk, SOCKET__READ);
4055 static int selinux_socket_getsockname(struct socket *sock)
4057 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4060 static int selinux_socket_getpeername(struct socket *sock)
4062 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4065 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4069 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4073 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4076 static int selinux_socket_getsockopt(struct socket *sock, int level,
4079 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4082 static int selinux_socket_shutdown(struct socket *sock, int how)
4084 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4087 static int selinux_socket_unix_stream_connect(struct sock *sock,
4091 struct sk_security_struct *sksec_sock = sock->sk_security;
4092 struct sk_security_struct *sksec_other = other->sk_security;
4093 struct sk_security_struct *sksec_new = newsk->sk_security;
4094 struct common_audit_data ad;
4095 struct lsm_network_audit net = {0,};
4098 ad.type = LSM_AUDIT_DATA_NET;
4100 ad.u.net->sk = other;
4102 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4103 sksec_other->sclass,
4104 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4108 /* server child socket */
4109 sksec_new->peer_sid = sksec_sock->sid;
4110 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4115 /* connecting socket */
4116 sksec_sock->peer_sid = sksec_new->sid;
4121 static int selinux_socket_unix_may_send(struct socket *sock,
4122 struct socket *other)
4124 struct sk_security_struct *ssec = sock->sk->sk_security;
4125 struct sk_security_struct *osec = other->sk->sk_security;
4126 struct common_audit_data ad;
4127 struct lsm_network_audit net = {0,};
4129 ad.type = LSM_AUDIT_DATA_NET;
4131 ad.u.net->sk = other->sk;
4133 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4137 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4139 struct common_audit_data *ad)
4145 err = sel_netif_sid(ifindex, &if_sid);
4148 err = avc_has_perm(peer_sid, if_sid,
4149 SECCLASS_NETIF, NETIF__INGRESS, ad);
4153 err = sel_netnode_sid(addrp, family, &node_sid);
4156 return avc_has_perm(peer_sid, node_sid,
4157 SECCLASS_NODE, NODE__RECVFROM, ad);
4160 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4164 struct sk_security_struct *sksec = sk->sk_security;
4165 u32 sk_sid = sksec->sid;
4166 struct common_audit_data ad;
4167 struct lsm_network_audit net = {0,};
4170 ad.type = LSM_AUDIT_DATA_NET;
4172 ad.u.net->netif = skb->skb_iif;
4173 ad.u.net->family = family;
4174 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4178 if (selinux_secmark_enabled()) {
4179 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4185 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4188 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4193 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4196 struct sk_security_struct *sksec = sk->sk_security;
4197 u16 family = sk->sk_family;
4198 u32 sk_sid = sksec->sid;
4199 struct common_audit_data ad;
4200 struct lsm_network_audit net = {0,};
4205 if (family != PF_INET && family != PF_INET6)
4208 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4209 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4212 /* If any sort of compatibility mode is enabled then handoff processing
4213 * to the selinux_sock_rcv_skb_compat() function to deal with the
4214 * special handling. We do this in an attempt to keep this function
4215 * as fast and as clean as possible. */
4216 if (!selinux_policycap_netpeer)
4217 return selinux_sock_rcv_skb_compat(sk, skb, family);
4219 secmark_active = selinux_secmark_enabled();
4220 peerlbl_active = selinux_peerlbl_enabled();
4221 if (!secmark_active && !peerlbl_active)
4224 ad.type = LSM_AUDIT_DATA_NET;
4226 ad.u.net->netif = skb->skb_iif;
4227 ad.u.net->family = family;
4228 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4232 if (peerlbl_active) {
4235 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4238 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4241 selinux_netlbl_err(skb, err, 0);
4244 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4247 selinux_netlbl_err(skb, err, 0);
4250 if (secmark_active) {
4251 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4260 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4261 int __user *optlen, unsigned len)
4266 struct sk_security_struct *sksec = sock->sk->sk_security;
4267 u32 peer_sid = SECSID_NULL;
4269 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4270 sksec->sclass == SECCLASS_TCP_SOCKET)
4271 peer_sid = sksec->peer_sid;
4272 if (peer_sid == SECSID_NULL)
4273 return -ENOPROTOOPT;
4275 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4279 if (scontext_len > len) {
4284 if (copy_to_user(optval, scontext, scontext_len))
4288 if (put_user(scontext_len, optlen))
4294 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4296 u32 peer_secid = SECSID_NULL;
4299 if (skb && skb->protocol == htons(ETH_P_IP))
4301 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4304 family = sock->sk->sk_family;
4308 if (sock && family == PF_UNIX)
4309 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4311 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4314 *secid = peer_secid;
4315 if (peer_secid == SECSID_NULL)
4320 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4322 struct sk_security_struct *sksec;
4324 sksec = kzalloc(sizeof(*sksec), priority);
4328 sksec->peer_sid = SECINITSID_UNLABELED;
4329 sksec->sid = SECINITSID_UNLABELED;
4330 selinux_netlbl_sk_security_reset(sksec);
4331 sk->sk_security = sksec;
4336 static void selinux_sk_free_security(struct sock *sk)
4338 struct sk_security_struct *sksec = sk->sk_security;
4340 sk->sk_security = NULL;
4341 selinux_netlbl_sk_security_free(sksec);
4345 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4347 struct sk_security_struct *sksec = sk->sk_security;
4348 struct sk_security_struct *newsksec = newsk->sk_security;
4350 newsksec->sid = sksec->sid;
4351 newsksec->peer_sid = sksec->peer_sid;
4352 newsksec->sclass = sksec->sclass;
4354 selinux_netlbl_sk_security_reset(newsksec);
4357 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4360 *secid = SECINITSID_ANY_SOCKET;
4362 struct sk_security_struct *sksec = sk->sk_security;
4364 *secid = sksec->sid;
4368 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4370 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4371 struct sk_security_struct *sksec = sk->sk_security;
4373 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4374 sk->sk_family == PF_UNIX)
4375 isec->sid = sksec->sid;
4376 sksec->sclass = isec->sclass;
4379 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4380 struct request_sock *req)
4382 struct sk_security_struct *sksec = sk->sk_security;
4384 u16 family = sk->sk_family;
4388 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4389 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4392 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4395 if (peersid == SECSID_NULL) {
4396 req->secid = sksec->sid;
4397 req->peer_secid = SECSID_NULL;
4399 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4402 req->secid = newsid;
4403 req->peer_secid = peersid;
4406 return selinux_netlbl_inet_conn_request(req, family);
4409 static void selinux_inet_csk_clone(struct sock *newsk,
4410 const struct request_sock *req)
4412 struct sk_security_struct *newsksec = newsk->sk_security;
4414 newsksec->sid = req->secid;
4415 newsksec->peer_sid = req->peer_secid;
4416 /* NOTE: Ideally, we should also get the isec->sid for the
4417 new socket in sync, but we don't have the isec available yet.
4418 So we will wait until sock_graft to do it, by which
4419 time it will have been created and available. */
4421 /* We don't need to take any sort of lock here as we are the only
4422 * thread with access to newsksec */
4423 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4426 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4428 u16 family = sk->sk_family;
4429 struct sk_security_struct *sksec = sk->sk_security;
4431 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4432 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4435 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4438 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4440 skb_set_owner_w(skb, sk);
4443 static int selinux_secmark_relabel_packet(u32 sid)
4445 const struct task_security_struct *__tsec;
4448 __tsec = current_security();
4451 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4454 static void selinux_secmark_refcount_inc(void)
4456 atomic_inc(&selinux_secmark_refcount);
4459 static void selinux_secmark_refcount_dec(void)
4461 atomic_dec(&selinux_secmark_refcount);
4464 static void selinux_req_classify_flow(const struct request_sock *req,
4467 fl->flowi_secid = req->secid;
4470 static int selinux_tun_dev_alloc_security(void **security)
4472 struct tun_security_struct *tunsec;
4474 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4477 tunsec->sid = current_sid();
4483 static void selinux_tun_dev_free_security(void *security)
4488 static int selinux_tun_dev_create(void)
4490 u32 sid = current_sid();
4492 /* we aren't taking into account the "sockcreate" SID since the socket
4493 * that is being created here is not a socket in the traditional sense,
4494 * instead it is a private sock, accessible only to the kernel, and
4495 * representing a wide range of network traffic spanning multiple
4496 * connections unlike traditional sockets - check the TUN driver to
4497 * get a better understanding of why this socket is special */
4499 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4503 static int selinux_tun_dev_attach_queue(void *security)
4505 struct tun_security_struct *tunsec = security;
4507 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4508 TUN_SOCKET__ATTACH_QUEUE, NULL);
4511 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4513 struct tun_security_struct *tunsec = security;
4514 struct sk_security_struct *sksec = sk->sk_security;
4516 /* we don't currently perform any NetLabel based labeling here and it
4517 * isn't clear that we would want to do so anyway; while we could apply
4518 * labeling without the support of the TUN user the resulting labeled
4519 * traffic from the other end of the connection would almost certainly
4520 * cause confusion to the TUN user that had no idea network labeling
4521 * protocols were being used */
4523 sksec->sid = tunsec->sid;
4524 sksec->sclass = SECCLASS_TUN_SOCKET;
4529 static int selinux_tun_dev_open(void *security)
4531 struct tun_security_struct *tunsec = security;
4532 u32 sid = current_sid();
4535 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4536 TUN_SOCKET__RELABELFROM, NULL);
4539 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4540 TUN_SOCKET__RELABELTO, NULL);
4548 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4552 struct nlmsghdr *nlh;
4553 struct sk_security_struct *sksec = sk->sk_security;
4555 if (skb->len < NLMSG_HDRLEN) {
4559 nlh = nlmsg_hdr(skb);
4561 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4563 if (err == -EINVAL) {
4564 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4565 "SELinux: unrecognized netlink message"
4566 " type=%hu for sclass=%hu\n",
4567 nlh->nlmsg_type, sksec->sclass);
4568 if (!selinux_enforcing || security_get_allow_unknown())
4578 err = sock_has_perm(current, sk, perm);
4583 #ifdef CONFIG_NETFILTER
4585 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4591 struct common_audit_data ad;
4592 struct lsm_network_audit net = {0,};
4597 if (!selinux_policycap_netpeer)
4600 secmark_active = selinux_secmark_enabled();
4601 netlbl_active = netlbl_enabled();
4602 peerlbl_active = selinux_peerlbl_enabled();
4603 if (!secmark_active && !peerlbl_active)
4606 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4609 ad.type = LSM_AUDIT_DATA_NET;
4611 ad.u.net->netif = ifindex;
4612 ad.u.net->family = family;
4613 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4616 if (peerlbl_active) {
4617 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4620 selinux_netlbl_err(skb, err, 1);
4626 if (avc_has_perm(peer_sid, skb->secmark,
4627 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4631 /* we do this in the FORWARD path and not the POST_ROUTING
4632 * path because we want to make sure we apply the necessary
4633 * labeling before IPsec is applied so we can leverage AH
4635 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4641 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4642 struct sk_buff *skb,
4643 const struct net_device *in,
4644 const struct net_device *out,
4645 int (*okfn)(struct sk_buff *))
4647 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4650 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4651 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4652 struct sk_buff *skb,
4653 const struct net_device *in,
4654 const struct net_device *out,
4655 int (*okfn)(struct sk_buff *))
4657 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4661 static unsigned int selinux_ip_output(struct sk_buff *skb,
4666 if (!netlbl_enabled())
4669 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4670 * because we want to make sure we apply the necessary labeling
4671 * before IPsec is applied so we can leverage AH protection */
4673 struct sk_security_struct *sksec = skb->sk->sk_security;
4676 sid = SECINITSID_KERNEL;
4677 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4683 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4684 struct sk_buff *skb,
4685 const struct net_device *in,
4686 const struct net_device *out,
4687 int (*okfn)(struct sk_buff *))
4689 return selinux_ip_output(skb, PF_INET);
4692 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4696 struct sock *sk = skb->sk;
4697 struct sk_security_struct *sksec;
4698 struct common_audit_data ad;
4699 struct lsm_network_audit net = {0,};
4705 sksec = sk->sk_security;
4707 ad.type = LSM_AUDIT_DATA_NET;
4709 ad.u.net->netif = ifindex;
4710 ad.u.net->family = family;
4711 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4714 if (selinux_secmark_enabled())
4715 if (avc_has_perm(sksec->sid, skb->secmark,
4716 SECCLASS_PACKET, PACKET__SEND, &ad))
4717 return NF_DROP_ERR(-ECONNREFUSED);
4719 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4720 return NF_DROP_ERR(-ECONNREFUSED);
4725 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4731 struct common_audit_data ad;
4732 struct lsm_network_audit net = {0,};
4737 /* If any sort of compatibility mode is enabled then handoff processing
4738 * to the selinux_ip_postroute_compat() function to deal with the
4739 * special handling. We do this in an attempt to keep this function
4740 * as fast and as clean as possible. */
4741 if (!selinux_policycap_netpeer)
4742 return selinux_ip_postroute_compat(skb, ifindex, family);
4744 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4745 * packet transformation so allow the packet to pass without any checks
4746 * since we'll have another chance to perform access control checks
4747 * when the packet is on it's final way out.
4748 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4749 * is NULL, in this case go ahead and apply access control. */
4750 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4753 secmark_active = selinux_secmark_enabled();
4754 peerlbl_active = selinux_peerlbl_enabled();
4755 if (!secmark_active && !peerlbl_active)
4758 /* if the packet is being forwarded then get the peer label from the
4759 * packet itself; otherwise check to see if it is from a local
4760 * application or the kernel, if from an application get the peer label
4761 * from the sending socket, otherwise use the kernel's sid */
4765 secmark_perm = PACKET__FORWARD_OUT;
4766 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4769 secmark_perm = PACKET__SEND;
4770 peer_sid = SECINITSID_KERNEL;
4773 struct sk_security_struct *sksec = sk->sk_security;
4774 peer_sid = sksec->sid;
4775 secmark_perm = PACKET__SEND;
4778 ad.type = LSM_AUDIT_DATA_NET;
4780 ad.u.net->netif = ifindex;
4781 ad.u.net->family = family;
4782 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4786 if (avc_has_perm(peer_sid, skb->secmark,
4787 SECCLASS_PACKET, secmark_perm, &ad))
4788 return NF_DROP_ERR(-ECONNREFUSED);
4790 if (peerlbl_active) {
4794 if (sel_netif_sid(ifindex, &if_sid))
4796 if (avc_has_perm(peer_sid, if_sid,
4797 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4798 return NF_DROP_ERR(-ECONNREFUSED);
4800 if (sel_netnode_sid(addrp, family, &node_sid))
4802 if (avc_has_perm(peer_sid, node_sid,
4803 SECCLASS_NODE, NODE__SENDTO, &ad))
4804 return NF_DROP_ERR(-ECONNREFUSED);
4810 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4811 struct sk_buff *skb,
4812 const struct net_device *in,
4813 const struct net_device *out,
4814 int (*okfn)(struct sk_buff *))
4816 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4819 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4820 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4821 struct sk_buff *skb,
4822 const struct net_device *in,
4823 const struct net_device *out,
4824 int (*okfn)(struct sk_buff *))
4826 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4830 #endif /* CONFIG_NETFILTER */
4832 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4836 err = cap_netlink_send(sk, skb);
4840 return selinux_nlmsg_perm(sk, skb);
4843 static int ipc_alloc_security(struct task_struct *task,
4844 struct kern_ipc_perm *perm,
4847 struct ipc_security_struct *isec;
4850 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4854 sid = task_sid(task);
4855 isec->sclass = sclass;
4857 perm->security = isec;
4862 static void ipc_free_security(struct kern_ipc_perm *perm)
4864 struct ipc_security_struct *isec = perm->security;
4865 perm->security = NULL;
4869 static int msg_msg_alloc_security(struct msg_msg *msg)
4871 struct msg_security_struct *msec;
4873 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4877 msec->sid = SECINITSID_UNLABELED;
4878 msg->security = msec;
4883 static void msg_msg_free_security(struct msg_msg *msg)
4885 struct msg_security_struct *msec = msg->security;
4887 msg->security = NULL;
4891 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4894 struct ipc_security_struct *isec;
4895 struct common_audit_data ad;
4896 u32 sid = current_sid();
4898 isec = ipc_perms->security;
4900 ad.type = LSM_AUDIT_DATA_IPC;
4901 ad.u.ipc_id = ipc_perms->key;
4903 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4906 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4908 return msg_msg_alloc_security(msg);
4911 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4913 msg_msg_free_security(msg);
4916 /* message queue security operations */
4917 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4919 struct ipc_security_struct *isec;
4920 struct common_audit_data ad;
4921 u32 sid = current_sid();
4924 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4928 isec = msq->q_perm.security;
4930 ad.type = LSM_AUDIT_DATA_IPC;
4931 ad.u.ipc_id = msq->q_perm.key;
4933 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4936 ipc_free_security(&msq->q_perm);
4942 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4944 ipc_free_security(&msq->q_perm);
4947 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4949 struct ipc_security_struct *isec;
4950 struct common_audit_data ad;
4951 u32 sid = current_sid();
4953 isec = msq->q_perm.security;
4955 ad.type = LSM_AUDIT_DATA_IPC;
4956 ad.u.ipc_id = msq->q_perm.key;
4958 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4959 MSGQ__ASSOCIATE, &ad);
4962 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4970 /* No specific object, just general system-wide information. */
4971 return task_has_system(current, SYSTEM__IPC_INFO);
4974 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4977 perms = MSGQ__SETATTR;
4980 perms = MSGQ__DESTROY;
4986 err = ipc_has_perm(&msq->q_perm, perms);
4990 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4992 struct ipc_security_struct *isec;
4993 struct msg_security_struct *msec;
4994 struct common_audit_data ad;
4995 u32 sid = current_sid();
4998 isec = msq->q_perm.security;
4999 msec = msg->security;
5002 * First time through, need to assign label to the message
5004 if (msec->sid == SECINITSID_UNLABELED) {
5006 * Compute new sid based on current process and
5007 * message queue this message will be stored in
5009 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5015 ad.type = LSM_AUDIT_DATA_IPC;
5016 ad.u.ipc_id = msq->q_perm.key;
5018 /* Can this process write to the queue? */
5019 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5022 /* Can this process send the message */
5023 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5026 /* Can the message be put in the queue? */
5027 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5028 MSGQ__ENQUEUE, &ad);
5033 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5034 struct task_struct *target,
5035 long type, int mode)
5037 struct ipc_security_struct *isec;
5038 struct msg_security_struct *msec;
5039 struct common_audit_data ad;
5040 u32 sid = task_sid(target);
5043 isec = msq->q_perm.security;
5044 msec = msg->security;
5046 ad.type = LSM_AUDIT_DATA_IPC;
5047 ad.u.ipc_id = msq->q_perm.key;
5049 rc = avc_has_perm(sid, isec->sid,
5050 SECCLASS_MSGQ, MSGQ__READ, &ad);
5052 rc = avc_has_perm(sid, msec->sid,
5053 SECCLASS_MSG, MSG__RECEIVE, &ad);
5057 /* Shared Memory security operations */
5058 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5060 struct ipc_security_struct *isec;
5061 struct common_audit_data ad;
5062 u32 sid = current_sid();
5065 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5069 isec = shp->shm_perm.security;
5071 ad.type = LSM_AUDIT_DATA_IPC;
5072 ad.u.ipc_id = shp->shm_perm.key;
5074 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5077 ipc_free_security(&shp->shm_perm);
5083 static void selinux_shm_free_security(struct shmid_kernel *shp)
5085 ipc_free_security(&shp->shm_perm);
5088 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5090 struct ipc_security_struct *isec;
5091 struct common_audit_data ad;
5092 u32 sid = current_sid();
5094 isec = shp->shm_perm.security;
5096 ad.type = LSM_AUDIT_DATA_IPC;
5097 ad.u.ipc_id = shp->shm_perm.key;
5099 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5100 SHM__ASSOCIATE, &ad);
5103 /* Note, at this point, shp is locked down */
5104 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5112 /* No specific object, just general system-wide information. */
5113 return task_has_system(current, SYSTEM__IPC_INFO);
5116 perms = SHM__GETATTR | SHM__ASSOCIATE;
5119 perms = SHM__SETATTR;
5126 perms = SHM__DESTROY;
5132 err = ipc_has_perm(&shp->shm_perm, perms);
5136 static int selinux_shm_shmat(struct shmid_kernel *shp,
5137 char __user *shmaddr, int shmflg)
5141 if (shmflg & SHM_RDONLY)
5144 perms = SHM__READ | SHM__WRITE;
5146 return ipc_has_perm(&shp->shm_perm, perms);
5149 /* Semaphore security operations */
5150 static int selinux_sem_alloc_security(struct sem_array *sma)
5152 struct ipc_security_struct *isec;
5153 struct common_audit_data ad;
5154 u32 sid = current_sid();
5157 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5161 isec = sma->sem_perm.security;
5163 ad.type = LSM_AUDIT_DATA_IPC;
5164 ad.u.ipc_id = sma->sem_perm.key;
5166 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5169 ipc_free_security(&sma->sem_perm);
5175 static void selinux_sem_free_security(struct sem_array *sma)
5177 ipc_free_security(&sma->sem_perm);
5180 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5182 struct ipc_security_struct *isec;
5183 struct common_audit_data ad;
5184 u32 sid = current_sid();
5186 isec = sma->sem_perm.security;
5188 ad.type = LSM_AUDIT_DATA_IPC;
5189 ad.u.ipc_id = sma->sem_perm.key;
5191 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5192 SEM__ASSOCIATE, &ad);
5195 /* Note, at this point, sma is locked down */
5196 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5204 /* No specific object, just general system-wide information. */
5205 return task_has_system(current, SYSTEM__IPC_INFO);
5209 perms = SEM__GETATTR;
5220 perms = SEM__DESTROY;
5223 perms = SEM__SETATTR;
5227 perms = SEM__GETATTR | SEM__ASSOCIATE;
5233 err = ipc_has_perm(&sma->sem_perm, perms);
5237 static int selinux_sem_semop(struct sem_array *sma,
5238 struct sembuf *sops, unsigned nsops, int alter)
5243 perms = SEM__READ | SEM__WRITE;
5247 return ipc_has_perm(&sma->sem_perm, perms);
5250 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5256 av |= IPC__UNIX_READ;
5258 av |= IPC__UNIX_WRITE;
5263 return ipc_has_perm(ipcp, av);
5266 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5268 struct ipc_security_struct *isec = ipcp->security;
5272 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5275 inode_doinit_with_dentry(inode, dentry);
5278 static int selinux_getprocattr(struct task_struct *p,
5279 char *name, char **value)
5281 const struct task_security_struct *__tsec;
5287 error = current_has_perm(p, PROCESS__GETATTR);
5293 __tsec = __task_cred(p)->security;
5295 if (!strcmp(name, "current"))
5297 else if (!strcmp(name, "prev"))
5299 else if (!strcmp(name, "exec"))
5300 sid = __tsec->exec_sid;
5301 else if (!strcmp(name, "fscreate"))
5302 sid = __tsec->create_sid;
5303 else if (!strcmp(name, "keycreate"))
5304 sid = __tsec->keycreate_sid;
5305 else if (!strcmp(name, "sockcreate"))
5306 sid = __tsec->sockcreate_sid;
5314 error = security_sid_to_context(sid, value, &len);
5324 static int selinux_setprocattr(struct task_struct *p,
5325 char *name, void *value, size_t size)
5327 struct task_security_struct *tsec;
5328 struct task_struct *tracer;
5335 /* SELinux only allows a process to change its own
5336 security attributes. */
5341 * Basic control over ability to set these attributes at all.
5342 * current == p, but we'll pass them separately in case the
5343 * above restriction is ever removed.
5345 if (!strcmp(name, "exec"))
5346 error = current_has_perm(p, PROCESS__SETEXEC);
5347 else if (!strcmp(name, "fscreate"))
5348 error = current_has_perm(p, PROCESS__SETFSCREATE);
5349 else if (!strcmp(name, "keycreate"))
5350 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5351 else if (!strcmp(name, "sockcreate"))
5352 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5353 else if (!strcmp(name, "current"))
5354 error = current_has_perm(p, PROCESS__SETCURRENT);
5360 /* Obtain a SID for the context, if one was specified. */
5361 if (size && str[1] && str[1] != '\n') {
5362 if (str[size-1] == '\n') {
5366 error = security_context_to_sid(value, size, &sid);
5367 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5368 if (!capable(CAP_MAC_ADMIN)) {
5369 struct audit_buffer *ab;
5372 /* We strip a nul only if it is at the end, otherwise the
5373 * context contains a nul and we should audit that */
5374 if (str[size - 1] == '\0')
5375 audit_size = size - 1;
5378 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5379 audit_log_format(ab, "op=fscreate invalid_context=");
5380 audit_log_n_untrustedstring(ab, value, audit_size);
5385 error = security_context_to_sid_force(value, size,
5392 new = prepare_creds();
5396 /* Permission checking based on the specified context is
5397 performed during the actual operation (execve,
5398 open/mkdir/...), when we know the full context of the
5399 operation. See selinux_bprm_set_creds for the execve
5400 checks and may_create for the file creation checks. The
5401 operation will then fail if the context is not permitted. */
5402 tsec = new->security;
5403 if (!strcmp(name, "exec")) {
5404 tsec->exec_sid = sid;
5405 } else if (!strcmp(name, "fscreate")) {
5406 tsec->create_sid = sid;
5407 } else if (!strcmp(name, "keycreate")) {
5408 error = may_create_key(sid, p);
5411 tsec->keycreate_sid = sid;
5412 } else if (!strcmp(name, "sockcreate")) {
5413 tsec->sockcreate_sid = sid;
5414 } else if (!strcmp(name, "current")) {
5419 /* Only allow single threaded processes to change context */
5421 if (!current_is_single_threaded()) {
5422 error = security_bounded_transition(tsec->sid, sid);
5427 /* Check permissions for the transition. */
5428 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5429 PROCESS__DYNTRANSITION, NULL);
5433 /* Check for ptracing, and update the task SID if ok.
5434 Otherwise, leave SID unchanged and fail. */
5437 tracer = ptrace_parent(p);
5439 ptsid = task_sid(tracer);
5443 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5444 PROCESS__PTRACE, NULL);
5463 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5465 return security_sid_to_context(secid, secdata, seclen);
5468 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5470 return security_context_to_sid(secdata, seclen, secid);
5473 static void selinux_release_secctx(char *secdata, u32 seclen)
5479 * called with inode->i_mutex locked
5481 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5483 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5487 * called with inode->i_mutex locked
5489 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5491 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5494 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5497 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5506 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5507 unsigned long flags)
5509 const struct task_security_struct *tsec;
5510 struct key_security_struct *ksec;
5512 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5516 tsec = cred->security;
5517 if (tsec->keycreate_sid)
5518 ksec->sid = tsec->keycreate_sid;
5520 ksec->sid = tsec->sid;
5526 static void selinux_key_free(struct key *k)
5528 struct key_security_struct *ksec = k->security;
5534 static int selinux_key_permission(key_ref_t key_ref,
5535 const struct cred *cred,
5539 struct key_security_struct *ksec;
5542 /* if no specific permissions are requested, we skip the
5543 permission check. No serious, additional covert channels
5544 appear to be created. */
5548 sid = cred_sid(cred);
5550 key = key_ref_to_ptr(key_ref);
5551 ksec = key->security;
5553 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5556 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5558 struct key_security_struct *ksec = key->security;
5559 char *context = NULL;
5563 rc = security_sid_to_context(ksec->sid, &context, &len);
5572 static struct security_operations selinux_ops = {
5575 .ptrace_access_check = selinux_ptrace_access_check,
5576 .ptrace_traceme = selinux_ptrace_traceme,
5577 .capget = selinux_capget,
5578 .capset = selinux_capset,
5579 .capable = selinux_capable,
5580 .quotactl = selinux_quotactl,
5581 .quota_on = selinux_quota_on,
5582 .syslog = selinux_syslog,
5583 .vm_enough_memory = selinux_vm_enough_memory,
5585 .netlink_send = selinux_netlink_send,
5587 .bprm_set_creds = selinux_bprm_set_creds,
5588 .bprm_committing_creds = selinux_bprm_committing_creds,
5589 .bprm_committed_creds = selinux_bprm_committed_creds,
5590 .bprm_secureexec = selinux_bprm_secureexec,
5592 .sb_alloc_security = selinux_sb_alloc_security,
5593 .sb_free_security = selinux_sb_free_security,
5594 .sb_copy_data = selinux_sb_copy_data,
5595 .sb_remount = selinux_sb_remount,
5596 .sb_kern_mount = selinux_sb_kern_mount,
5597 .sb_show_options = selinux_sb_show_options,
5598 .sb_statfs = selinux_sb_statfs,
5599 .sb_mount = selinux_mount,
5600 .sb_umount = selinux_umount,
5601 .sb_set_mnt_opts = selinux_set_mnt_opts,
5602 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5603 .sb_parse_opts_str = selinux_parse_opts_str,
5606 .inode_alloc_security = selinux_inode_alloc_security,
5607 .inode_free_security = selinux_inode_free_security,
5608 .inode_init_security = selinux_inode_init_security,
5609 .inode_create = selinux_inode_create,
5610 .inode_link = selinux_inode_link,
5611 .inode_unlink = selinux_inode_unlink,
5612 .inode_symlink = selinux_inode_symlink,
5613 .inode_mkdir = selinux_inode_mkdir,
5614 .inode_rmdir = selinux_inode_rmdir,
5615 .inode_mknod = selinux_inode_mknod,
5616 .inode_rename = selinux_inode_rename,
5617 .inode_readlink = selinux_inode_readlink,
5618 .inode_follow_link = selinux_inode_follow_link,
5619 .inode_permission = selinux_inode_permission,
5620 .inode_setattr = selinux_inode_setattr,
5621 .inode_getattr = selinux_inode_getattr,
5622 .inode_setxattr = selinux_inode_setxattr,
5623 .inode_post_setxattr = selinux_inode_post_setxattr,
5624 .inode_getxattr = selinux_inode_getxattr,
5625 .inode_listxattr = selinux_inode_listxattr,
5626 .inode_removexattr = selinux_inode_removexattr,
5627 .inode_getsecurity = selinux_inode_getsecurity,
5628 .inode_setsecurity = selinux_inode_setsecurity,
5629 .inode_listsecurity = selinux_inode_listsecurity,
5630 .inode_getsecid = selinux_inode_getsecid,
5632 .file_permission = selinux_file_permission,
5633 .file_alloc_security = selinux_file_alloc_security,
5634 .file_free_security = selinux_file_free_security,
5635 .file_ioctl = selinux_file_ioctl,
5636 .mmap_file = selinux_mmap_file,
5637 .mmap_addr = selinux_mmap_addr,
5638 .file_mprotect = selinux_file_mprotect,
5639 .file_lock = selinux_file_lock,
5640 .file_fcntl = selinux_file_fcntl,
5641 .file_set_fowner = selinux_file_set_fowner,
5642 .file_send_sigiotask = selinux_file_send_sigiotask,
5643 .file_receive = selinux_file_receive,
5645 .file_open = selinux_file_open,
5647 .task_create = selinux_task_create,
5648 .cred_alloc_blank = selinux_cred_alloc_blank,
5649 .cred_free = selinux_cred_free,
5650 .cred_prepare = selinux_cred_prepare,
5651 .cred_transfer = selinux_cred_transfer,
5652 .kernel_act_as = selinux_kernel_act_as,
5653 .kernel_create_files_as = selinux_kernel_create_files_as,
5654 .kernel_module_request = selinux_kernel_module_request,
5655 .task_setpgid = selinux_task_setpgid,
5656 .task_getpgid = selinux_task_getpgid,
5657 .task_getsid = selinux_task_getsid,
5658 .task_getsecid = selinux_task_getsecid,
5659 .task_setnice = selinux_task_setnice,
5660 .task_setioprio = selinux_task_setioprio,
5661 .task_getioprio = selinux_task_getioprio,
5662 .task_setrlimit = selinux_task_setrlimit,
5663 .task_setscheduler = selinux_task_setscheduler,
5664 .task_getscheduler = selinux_task_getscheduler,
5665 .task_movememory = selinux_task_movememory,
5666 .task_kill = selinux_task_kill,
5667 .task_wait = selinux_task_wait,
5668 .task_to_inode = selinux_task_to_inode,
5670 .ipc_permission = selinux_ipc_permission,
5671 .ipc_getsecid = selinux_ipc_getsecid,
5673 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5674 .msg_msg_free_security = selinux_msg_msg_free_security,
5676 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5677 .msg_queue_free_security = selinux_msg_queue_free_security,
5678 .msg_queue_associate = selinux_msg_queue_associate,
5679 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5680 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5681 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5683 .shm_alloc_security = selinux_shm_alloc_security,
5684 .shm_free_security = selinux_shm_free_security,
5685 .shm_associate = selinux_shm_associate,
5686 .shm_shmctl = selinux_shm_shmctl,
5687 .shm_shmat = selinux_shm_shmat,
5689 .sem_alloc_security = selinux_sem_alloc_security,
5690 .sem_free_security = selinux_sem_free_security,
5691 .sem_associate = selinux_sem_associate,
5692 .sem_semctl = selinux_sem_semctl,
5693 .sem_semop = selinux_sem_semop,
5695 .d_instantiate = selinux_d_instantiate,
5697 .getprocattr = selinux_getprocattr,
5698 .setprocattr = selinux_setprocattr,
5700 .secid_to_secctx = selinux_secid_to_secctx,
5701 .secctx_to_secid = selinux_secctx_to_secid,
5702 .release_secctx = selinux_release_secctx,
5703 .inode_notifysecctx = selinux_inode_notifysecctx,
5704 .inode_setsecctx = selinux_inode_setsecctx,
5705 .inode_getsecctx = selinux_inode_getsecctx,
5707 .unix_stream_connect = selinux_socket_unix_stream_connect,
5708 .unix_may_send = selinux_socket_unix_may_send,
5710 .socket_create = selinux_socket_create,
5711 .socket_post_create = selinux_socket_post_create,
5712 .socket_bind = selinux_socket_bind,
5713 .socket_connect = selinux_socket_connect,
5714 .socket_listen = selinux_socket_listen,
5715 .socket_accept = selinux_socket_accept,
5716 .socket_sendmsg = selinux_socket_sendmsg,
5717 .socket_recvmsg = selinux_socket_recvmsg,
5718 .socket_getsockname = selinux_socket_getsockname,
5719 .socket_getpeername = selinux_socket_getpeername,
5720 .socket_getsockopt = selinux_socket_getsockopt,
5721 .socket_setsockopt = selinux_socket_setsockopt,
5722 .socket_shutdown = selinux_socket_shutdown,
5723 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5724 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5725 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5726 .sk_alloc_security = selinux_sk_alloc_security,
5727 .sk_free_security = selinux_sk_free_security,
5728 .sk_clone_security = selinux_sk_clone_security,
5729 .sk_getsecid = selinux_sk_getsecid,
5730 .sock_graft = selinux_sock_graft,
5731 .inet_conn_request = selinux_inet_conn_request,
5732 .inet_csk_clone = selinux_inet_csk_clone,
5733 .inet_conn_established = selinux_inet_conn_established,
5734 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5735 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5736 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5737 .req_classify_flow = selinux_req_classify_flow,
5738 .tun_dev_alloc_security = selinux_tun_dev_alloc_security,
5739 .tun_dev_free_security = selinux_tun_dev_free_security,
5740 .tun_dev_create = selinux_tun_dev_create,
5741 .tun_dev_attach_queue = selinux_tun_dev_attach_queue,
5742 .tun_dev_attach = selinux_tun_dev_attach,
5743 .tun_dev_open = selinux_tun_dev_open,
5744 .skb_owned_by = selinux_skb_owned_by,
5746 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5747 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5748 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5749 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5750 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5751 .xfrm_state_alloc = selinux_xfrm_state_alloc,
5752 .xfrm_state_alloc_acquire = selinux_xfrm_state_alloc_acquire,
5753 .xfrm_state_free_security = selinux_xfrm_state_free,
5754 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5755 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5756 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5757 .xfrm_decode_session = selinux_xfrm_decode_session,
5761 .key_alloc = selinux_key_alloc,
5762 .key_free = selinux_key_free,
5763 .key_permission = selinux_key_permission,
5764 .key_getsecurity = selinux_key_getsecurity,
5768 .audit_rule_init = selinux_audit_rule_init,
5769 .audit_rule_known = selinux_audit_rule_known,
5770 .audit_rule_match = selinux_audit_rule_match,
5771 .audit_rule_free = selinux_audit_rule_free,
5775 static __init int selinux_init(void)
5777 if (!security_module_enable(&selinux_ops)) {
5778 selinux_enabled = 0;
5782 if (!selinux_enabled) {
5783 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5787 printk(KERN_INFO "SELinux: Initializing.\n");
5789 /* Set the security state for the initial task. */
5790 cred_init_security();
5792 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5794 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5795 sizeof(struct inode_security_struct),
5796 0, SLAB_PANIC, NULL);
5799 if (register_security(&selinux_ops))
5800 panic("SELinux: Unable to register with kernel.\n");
5802 if (selinux_enforcing)
5803 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5805 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5810 static void delayed_superblock_init(struct super_block *sb, void *unused)
5812 superblock_doinit(sb, NULL);
5815 void selinux_complete_init(void)
5817 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5819 /* Set up any superblocks initialized prior to the policy load. */
5820 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5821 iterate_supers(delayed_superblock_init, NULL);
5824 /* SELinux requires early initialization in order to label
5825 all processes and objects when they are created. */
5826 security_initcall(selinux_init);
5828 #if defined(CONFIG_NETFILTER)
5830 static struct nf_hook_ops selinux_ipv4_ops[] = {
5832 .hook = selinux_ipv4_postroute,
5833 .owner = THIS_MODULE,
5835 .hooknum = NF_INET_POST_ROUTING,
5836 .priority = NF_IP_PRI_SELINUX_LAST,
5839 .hook = selinux_ipv4_forward,
5840 .owner = THIS_MODULE,
5842 .hooknum = NF_INET_FORWARD,
5843 .priority = NF_IP_PRI_SELINUX_FIRST,
5846 .hook = selinux_ipv4_output,
5847 .owner = THIS_MODULE,
5849 .hooknum = NF_INET_LOCAL_OUT,
5850 .priority = NF_IP_PRI_SELINUX_FIRST,
5854 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5856 static struct nf_hook_ops selinux_ipv6_ops[] = {
5858 .hook = selinux_ipv6_postroute,
5859 .owner = THIS_MODULE,
5861 .hooknum = NF_INET_POST_ROUTING,
5862 .priority = NF_IP6_PRI_SELINUX_LAST,
5865 .hook = selinux_ipv6_forward,
5866 .owner = THIS_MODULE,
5868 .hooknum = NF_INET_FORWARD,
5869 .priority = NF_IP6_PRI_SELINUX_FIRST,
5875 static int __init selinux_nf_ip_init(void)
5879 if (!selinux_enabled)
5882 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5884 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5886 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5888 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5889 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5891 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5898 __initcall(selinux_nf_ip_init);
5900 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5901 static void selinux_nf_ip_exit(void)
5903 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5905 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5906 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5907 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5912 #else /* CONFIG_NETFILTER */
5914 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5915 #define selinux_nf_ip_exit()
5918 #endif /* CONFIG_NETFILTER */
5920 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5921 static int selinux_disabled;
5923 int selinux_disable(void)
5925 if (ss_initialized) {
5926 /* Not permitted after initial policy load. */
5930 if (selinux_disabled) {
5931 /* Only do this once. */
5935 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5937 selinux_disabled = 1;
5938 selinux_enabled = 0;
5940 reset_security_ops();
5942 /* Try to destroy the avc node cache */
5945 /* Unregister netfilter hooks. */
5946 selinux_nf_ip_exit();
5948 /* Unregister selinuxfs. */