2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
53 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
97 #define NUM_SEL_MNT_OPTS 5
99 extern struct security_operations *security_ops;
101 /* SECMARK reference count */
102 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
104 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105 int selinux_enforcing;
107 static int __init enforcing_setup(char *str)
109 unsigned long enforcing;
110 if (!strict_strtoul(str, 0, &enforcing))
111 selinux_enforcing = enforcing ? 1 : 0;
114 __setup("enforcing=", enforcing_setup);
117 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
120 static int __init selinux_enabled_setup(char *str)
122 unsigned long enabled;
123 if (!strict_strtoul(str, 0, &enabled))
124 selinux_enabled = enabled ? 1 : 0;
127 __setup("selinux=", selinux_enabled_setup);
129 int selinux_enabled = 1;
132 static struct kmem_cache *sel_inode_cache;
135 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
138 * This function checks the SECMARK reference counter to see if any SECMARK
139 * targets are currently configured, if the reference counter is greater than
140 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
141 * enabled, false (0) if SECMARK is disabled.
144 static int selinux_secmark_enabled(void)
146 return (atomic_read(&selinux_secmark_refcount) > 0);
149 static int selinux_netcache_avc_callback(u32 event)
151 if (event == AVC_CALLBACK_RESET) {
161 * initialise the security for the init task
163 static void cred_init_security(void)
165 struct cred *cred = (struct cred *) current->real_cred;
166 struct task_security_struct *tsec;
168 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
170 panic("SELinux: Failed to initialize initial task.\n");
172 tsec->osid = tsec->sid = SECINITSID_KERNEL;
173 cred->security = tsec;
177 * get the security ID of a set of credentials
179 static inline u32 cred_sid(const struct cred *cred)
181 const struct task_security_struct *tsec;
183 tsec = cred->security;
188 * get the objective security ID of a task
190 static inline u32 task_sid(const struct task_struct *task)
195 sid = cred_sid(__task_cred(task));
201 * get the subjective security ID of the current task
203 static inline u32 current_sid(void)
205 const struct task_security_struct *tsec = current_security();
210 /* Allocate and free functions for each kind of security blob. */
212 static int inode_alloc_security(struct inode *inode)
214 struct inode_security_struct *isec;
215 u32 sid = current_sid();
217 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
221 mutex_init(&isec->lock);
222 INIT_LIST_HEAD(&isec->list);
224 isec->sid = SECINITSID_UNLABELED;
225 isec->sclass = SECCLASS_FILE;
226 isec->task_sid = sid;
227 inode->i_security = isec;
232 static void inode_free_rcu(struct rcu_head *head)
234 struct inode_security_struct *isec;
236 isec = container_of(head, struct inode_security_struct, rcu);
237 kmem_cache_free(sel_inode_cache, isec);
240 static void inode_free_security(struct inode *inode)
242 struct inode_security_struct *isec = inode->i_security;
243 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
245 spin_lock(&sbsec->isec_lock);
246 if (!list_empty(&isec->list))
247 list_del_init(&isec->list);
248 spin_unlock(&sbsec->isec_lock);
251 * The inode may still be referenced in a path walk and
252 * a call to selinux_inode_permission() can be made
253 * after inode_free_security() is called. Ideally, the VFS
254 * wouldn't do this, but fixing that is a much harder
255 * job. For now, simply free the i_security via RCU, and
256 * leave the current inode->i_security pointer intact.
257 * The inode will be freed after the RCU grace period too.
259 call_rcu(&isec->rcu, inode_free_rcu);
262 static int file_alloc_security(struct file *file)
264 struct file_security_struct *fsec;
265 u32 sid = current_sid();
267 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
272 fsec->fown_sid = sid;
273 file->f_security = fsec;
278 static void file_free_security(struct file *file)
280 struct file_security_struct *fsec = file->f_security;
281 file->f_security = NULL;
285 static int superblock_alloc_security(struct super_block *sb)
287 struct superblock_security_struct *sbsec;
289 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
293 mutex_init(&sbsec->lock);
294 INIT_LIST_HEAD(&sbsec->isec_head);
295 spin_lock_init(&sbsec->isec_lock);
297 sbsec->sid = SECINITSID_UNLABELED;
298 sbsec->def_sid = SECINITSID_FILE;
299 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
300 sb->s_security = sbsec;
305 static void superblock_free_security(struct super_block *sb)
307 struct superblock_security_struct *sbsec = sb->s_security;
308 sb->s_security = NULL;
312 /* The file system's label must be initialized prior to use. */
314 static const char *labeling_behaviors[6] = {
316 "uses transition SIDs",
318 "uses genfs_contexts",
319 "not configured for labeling",
320 "uses mountpoint labeling",
323 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
325 static inline int inode_doinit(struct inode *inode)
327 return inode_doinit_with_dentry(inode, NULL);
336 Opt_labelsupport = 5,
339 static const match_table_t tokens = {
340 {Opt_context, CONTEXT_STR "%s"},
341 {Opt_fscontext, FSCONTEXT_STR "%s"},
342 {Opt_defcontext, DEFCONTEXT_STR "%s"},
343 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
344 {Opt_labelsupport, LABELSUPP_STR},
348 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
350 static int may_context_mount_sb_relabel(u32 sid,
351 struct superblock_security_struct *sbsec,
352 const struct cred *cred)
354 const struct task_security_struct *tsec = cred->security;
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
362 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__RELABELTO, NULL);
367 static int may_context_mount_inode_relabel(u32 sid,
368 struct superblock_security_struct *sbsec,
369 const struct cred *cred)
371 const struct task_security_struct *tsec = cred->security;
373 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
374 FILESYSTEM__RELABELFROM, NULL);
378 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
379 FILESYSTEM__ASSOCIATE, NULL);
383 static int sb_finish_set_opts(struct super_block *sb)
385 struct superblock_security_struct *sbsec = sb->s_security;
386 struct dentry *root = sb->s_root;
387 struct inode *root_inode = root->d_inode;
390 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
391 /* Make sure that the xattr handler exists and that no
392 error other than -ENODATA is returned by getxattr on
393 the root directory. -ENODATA is ok, as this may be
394 the first boot of the SELinux kernel before we have
395 assigned xattr values to the filesystem. */
396 if (!root_inode->i_op->getxattr) {
397 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
398 "xattr support\n", sb->s_id, sb->s_type->name);
402 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
403 if (rc < 0 && rc != -ENODATA) {
404 if (rc == -EOPNOTSUPP)
405 printk(KERN_WARNING "SELinux: (dev %s, type "
406 "%s) has no security xattr handler\n",
407 sb->s_id, sb->s_type->name);
409 printk(KERN_WARNING "SELinux: (dev %s, type "
410 "%s) getxattr errno %d\n", sb->s_id,
411 sb->s_type->name, -rc);
416 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
418 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
419 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
420 sb->s_id, sb->s_type->name);
422 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
423 sb->s_id, sb->s_type->name,
424 labeling_behaviors[sbsec->behavior-1]);
426 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
427 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
428 sbsec->behavior == SECURITY_FS_USE_NONE ||
429 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
430 sbsec->flags &= ~SE_SBLABELSUPP;
432 /* Special handling. Is genfs but also has in-core setxattr handler*/
433 if (!strcmp(sb->s_type->name, "sysfs") ||
434 !strcmp(sb->s_type->name, "pstore") ||
435 !strcmp(sb->s_type->name, "debugfs") ||
436 !strcmp(sb->s_type->name, "rootfs"))
437 sbsec->flags |= SE_SBLABELSUPP;
439 /* Initialize the root inode. */
440 rc = inode_doinit_with_dentry(root_inode, root);
442 /* Initialize any other inodes associated with the superblock, e.g.
443 inodes created prior to initial policy load or inodes created
444 during get_sb by a pseudo filesystem that directly
446 spin_lock(&sbsec->isec_lock);
448 if (!list_empty(&sbsec->isec_head)) {
449 struct inode_security_struct *isec =
450 list_entry(sbsec->isec_head.next,
451 struct inode_security_struct, list);
452 struct inode *inode = isec->inode;
453 spin_unlock(&sbsec->isec_lock);
454 inode = igrab(inode);
456 if (!IS_PRIVATE(inode))
460 spin_lock(&sbsec->isec_lock);
461 list_del_init(&isec->list);
464 spin_unlock(&sbsec->isec_lock);
470 * This function should allow an FS to ask what it's mount security
471 * options were so it can use those later for submounts, displaying
472 * mount options, or whatever.
474 static int selinux_get_mnt_opts(const struct super_block *sb,
475 struct security_mnt_opts *opts)
478 struct superblock_security_struct *sbsec = sb->s_security;
479 char *context = NULL;
483 security_init_mnt_opts(opts);
485 if (!(sbsec->flags & SE_SBINITIALIZED))
491 tmp = sbsec->flags & SE_MNTMASK;
492 /* count the number of mount options for this sb */
493 for (i = 0; i < 8; i++) {
495 opts->num_mnt_opts++;
498 /* Check if the Label support flag is set */
499 if (sbsec->flags & SE_SBLABELSUPP)
500 opts->num_mnt_opts++;
502 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
503 if (!opts->mnt_opts) {
508 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
509 if (!opts->mnt_opts_flags) {
515 if (sbsec->flags & FSCONTEXT_MNT) {
516 rc = security_sid_to_context(sbsec->sid, &context, &len);
519 opts->mnt_opts[i] = context;
520 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
522 if (sbsec->flags & CONTEXT_MNT) {
523 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
526 opts->mnt_opts[i] = context;
527 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
529 if (sbsec->flags & DEFCONTEXT_MNT) {
530 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
533 opts->mnt_opts[i] = context;
534 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
536 if (sbsec->flags & ROOTCONTEXT_MNT) {
537 struct inode *root = sbsec->sb->s_root->d_inode;
538 struct inode_security_struct *isec = root->i_security;
540 rc = security_sid_to_context(isec->sid, &context, &len);
543 opts->mnt_opts[i] = context;
544 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
546 if (sbsec->flags & SE_SBLABELSUPP) {
547 opts->mnt_opts[i] = NULL;
548 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
551 BUG_ON(i != opts->num_mnt_opts);
556 security_free_mnt_opts(opts);
560 static int bad_option(struct superblock_security_struct *sbsec, char flag,
561 u32 old_sid, u32 new_sid)
563 char mnt_flags = sbsec->flags & SE_MNTMASK;
565 /* check if the old mount command had the same options */
566 if (sbsec->flags & SE_SBINITIALIZED)
567 if (!(sbsec->flags & flag) ||
568 (old_sid != new_sid))
571 /* check if we were passed the same options twice,
572 * aka someone passed context=a,context=b
574 if (!(sbsec->flags & SE_SBINITIALIZED))
575 if (mnt_flags & flag)
581 * Allow filesystems with binary mount data to explicitly set mount point
582 * labeling information.
584 static int selinux_set_mnt_opts(struct super_block *sb,
585 struct security_mnt_opts *opts)
587 const struct cred *cred = current_cred();
589 struct superblock_security_struct *sbsec = sb->s_security;
590 const char *name = sb->s_type->name;
591 struct inode *inode = sbsec->sb->s_root->d_inode;
592 struct inode_security_struct *root_isec = inode->i_security;
593 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
594 u32 defcontext_sid = 0;
595 char **mount_options = opts->mnt_opts;
596 int *flags = opts->mnt_opts_flags;
597 int num_opts = opts->num_mnt_opts;
599 mutex_lock(&sbsec->lock);
601 if (!ss_initialized) {
603 /* Defer initialization until selinux_complete_init,
604 after the initial policy is loaded and the security
605 server is ready to handle calls. */
609 printk(KERN_WARNING "SELinux: Unable to set superblock options "
610 "before the security server is initialized\n");
615 * Binary mount data FS will come through this function twice. Once
616 * from an explicit call and once from the generic calls from the vfs.
617 * Since the generic VFS calls will not contain any security mount data
618 * we need to skip the double mount verification.
620 * This does open a hole in which we will not notice if the first
621 * mount using this sb set explict options and a second mount using
622 * this sb does not set any security options. (The first options
623 * will be used for both mounts)
625 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
630 * parse the mount options, check if they are valid sids.
631 * also check if someone is trying to mount the same sb more
632 * than once with different security options.
634 for (i = 0; i < num_opts; i++) {
637 if (flags[i] == SE_SBLABELSUPP)
639 rc = security_context_to_sid(mount_options[i],
640 strlen(mount_options[i]), &sid);
642 printk(KERN_WARNING "SELinux: security_context_to_sid"
643 "(%s) failed for (dev %s, type %s) errno=%d\n",
644 mount_options[i], sb->s_id, name, rc);
651 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
653 goto out_double_mount;
655 sbsec->flags |= FSCONTEXT_MNT;
660 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
662 goto out_double_mount;
664 sbsec->flags |= CONTEXT_MNT;
666 case ROOTCONTEXT_MNT:
667 rootcontext_sid = sid;
669 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
671 goto out_double_mount;
673 sbsec->flags |= ROOTCONTEXT_MNT;
677 defcontext_sid = sid;
679 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
681 goto out_double_mount;
683 sbsec->flags |= DEFCONTEXT_MNT;
692 if (sbsec->flags & SE_SBINITIALIZED) {
693 /* previously mounted with options, but not on this attempt? */
694 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
695 goto out_double_mount;
700 if (strcmp(sb->s_type->name, "proc") == 0)
701 sbsec->flags |= SE_SBPROC;
703 /* Determine the labeling behavior to use for this filesystem type. */
704 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
706 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
707 __func__, sb->s_type->name, rc);
711 /* sets the context of the superblock for the fs being mounted. */
713 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
717 sbsec->sid = fscontext_sid;
721 * Switch to using mount point labeling behavior.
722 * sets the label used on all file below the mountpoint, and will set
723 * the superblock context if not already set.
726 if (!fscontext_sid) {
727 rc = may_context_mount_sb_relabel(context_sid, sbsec,
731 sbsec->sid = context_sid;
733 rc = may_context_mount_inode_relabel(context_sid, sbsec,
738 if (!rootcontext_sid)
739 rootcontext_sid = context_sid;
741 sbsec->mntpoint_sid = context_sid;
742 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
745 if (rootcontext_sid) {
746 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
751 root_isec->sid = rootcontext_sid;
752 root_isec->initialized = 1;
755 if (defcontext_sid) {
756 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
758 printk(KERN_WARNING "SELinux: defcontext option is "
759 "invalid for this filesystem type\n");
763 if (defcontext_sid != sbsec->def_sid) {
764 rc = may_context_mount_inode_relabel(defcontext_sid,
770 sbsec->def_sid = defcontext_sid;
773 rc = sb_finish_set_opts(sb);
775 mutex_unlock(&sbsec->lock);
779 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
780 "security settings for (dev %s, type %s)\n", sb->s_id, name);
784 static int selinux_cmp_sb_context(const struct super_block *oldsb,
785 const struct super_block *newsb)
787 struct superblock_security_struct *old = oldsb->s_security;
788 struct superblock_security_struct *new = newsb->s_security;
789 char oldflags = old->flags & SE_MNTMASK;
790 char newflags = new->flags & SE_MNTMASK;
792 if (oldflags != newflags)
794 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
796 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
798 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
800 if (oldflags & ROOTCONTEXT_MNT) {
801 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
802 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
803 if (oldroot->sid != newroot->sid)
808 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
809 "different security settings for (dev %s, "
810 "type %s)\n", newsb->s_id, newsb->s_type->name);
814 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
815 struct super_block *newsb)
817 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
818 struct superblock_security_struct *newsbsec = newsb->s_security;
820 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
821 int set_context = (oldsbsec->flags & CONTEXT_MNT);
822 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
825 * if the parent was able to be mounted it clearly had no special lsm
826 * mount options. thus we can safely deal with this superblock later
831 /* how can we clone if the old one wasn't set up?? */
832 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
834 /* if fs is reusing a sb, make sure that the contexts match */
835 if (newsbsec->flags & SE_SBINITIALIZED)
836 return selinux_cmp_sb_context(oldsb, newsb);
838 mutex_lock(&newsbsec->lock);
840 newsbsec->flags = oldsbsec->flags;
842 newsbsec->sid = oldsbsec->sid;
843 newsbsec->def_sid = oldsbsec->def_sid;
844 newsbsec->behavior = oldsbsec->behavior;
847 u32 sid = oldsbsec->mntpoint_sid;
851 if (!set_rootcontext) {
852 struct inode *newinode = newsb->s_root->d_inode;
853 struct inode_security_struct *newisec = newinode->i_security;
856 newsbsec->mntpoint_sid = sid;
858 if (set_rootcontext) {
859 const struct inode *oldinode = oldsb->s_root->d_inode;
860 const struct inode_security_struct *oldisec = oldinode->i_security;
861 struct inode *newinode = newsb->s_root->d_inode;
862 struct inode_security_struct *newisec = newinode->i_security;
864 newisec->sid = oldisec->sid;
867 sb_finish_set_opts(newsb);
868 mutex_unlock(&newsbsec->lock);
872 static int selinux_parse_opts_str(char *options,
873 struct security_mnt_opts *opts)
876 char *context = NULL, *defcontext = NULL;
877 char *fscontext = NULL, *rootcontext = NULL;
878 int rc, num_mnt_opts = 0;
880 opts->num_mnt_opts = 0;
882 /* Standard string-based options. */
883 while ((p = strsep(&options, "|")) != NULL) {
885 substring_t args[MAX_OPT_ARGS];
890 token = match_token(p, tokens, args);
894 if (context || defcontext) {
896 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
899 context = match_strdup(&args[0]);
909 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
912 fscontext = match_strdup(&args[0]);
919 case Opt_rootcontext:
922 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
925 rootcontext = match_strdup(&args[0]);
933 if (context || defcontext) {
935 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
938 defcontext = match_strdup(&args[0]);
944 case Opt_labelsupport:
948 printk(KERN_WARNING "SELinux: unknown mount option\n");
955 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
959 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
960 if (!opts->mnt_opts_flags) {
961 kfree(opts->mnt_opts);
966 opts->mnt_opts[num_mnt_opts] = fscontext;
967 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
970 opts->mnt_opts[num_mnt_opts] = context;
971 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
974 opts->mnt_opts[num_mnt_opts] = rootcontext;
975 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
978 opts->mnt_opts[num_mnt_opts] = defcontext;
979 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
982 opts->num_mnt_opts = num_mnt_opts;
993 * string mount options parsing and call set the sbsec
995 static int superblock_doinit(struct super_block *sb, void *data)
998 char *options = data;
999 struct security_mnt_opts opts;
1001 security_init_mnt_opts(&opts);
1006 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1008 rc = selinux_parse_opts_str(options, &opts);
1013 rc = selinux_set_mnt_opts(sb, &opts);
1016 security_free_mnt_opts(&opts);
1020 static void selinux_write_opts(struct seq_file *m,
1021 struct security_mnt_opts *opts)
1026 for (i = 0; i < opts->num_mnt_opts; i++) {
1029 if (opts->mnt_opts[i])
1030 has_comma = strchr(opts->mnt_opts[i], ',');
1034 switch (opts->mnt_opts_flags[i]) {
1036 prefix = CONTEXT_STR;
1039 prefix = FSCONTEXT_STR;
1041 case ROOTCONTEXT_MNT:
1042 prefix = ROOTCONTEXT_STR;
1044 case DEFCONTEXT_MNT:
1045 prefix = DEFCONTEXT_STR;
1047 case SE_SBLABELSUPP:
1049 seq_puts(m, LABELSUPP_STR);
1055 /* we need a comma before each option */
1057 seq_puts(m, prefix);
1060 seq_puts(m, opts->mnt_opts[i]);
1066 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1068 struct security_mnt_opts opts;
1071 rc = selinux_get_mnt_opts(sb, &opts);
1073 /* before policy load we may get EINVAL, don't show anything */
1079 selinux_write_opts(m, &opts);
1081 security_free_mnt_opts(&opts);
1086 static inline u16 inode_mode_to_security_class(umode_t mode)
1088 switch (mode & S_IFMT) {
1090 return SECCLASS_SOCK_FILE;
1092 return SECCLASS_LNK_FILE;
1094 return SECCLASS_FILE;
1096 return SECCLASS_BLK_FILE;
1098 return SECCLASS_DIR;
1100 return SECCLASS_CHR_FILE;
1102 return SECCLASS_FIFO_FILE;
1106 return SECCLASS_FILE;
1109 static inline int default_protocol_stream(int protocol)
1111 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1114 static inline int default_protocol_dgram(int protocol)
1116 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1119 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1125 case SOCK_SEQPACKET:
1126 return SECCLASS_UNIX_STREAM_SOCKET;
1128 return SECCLASS_UNIX_DGRAM_SOCKET;
1135 if (default_protocol_stream(protocol))
1136 return SECCLASS_TCP_SOCKET;
1138 return SECCLASS_RAWIP_SOCKET;
1140 if (default_protocol_dgram(protocol))
1141 return SECCLASS_UDP_SOCKET;
1143 return SECCLASS_RAWIP_SOCKET;
1145 return SECCLASS_DCCP_SOCKET;
1147 return SECCLASS_RAWIP_SOCKET;
1153 return SECCLASS_NETLINK_ROUTE_SOCKET;
1154 case NETLINK_FIREWALL:
1155 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1156 case NETLINK_SOCK_DIAG:
1157 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1159 return SECCLASS_NETLINK_NFLOG_SOCKET;
1161 return SECCLASS_NETLINK_XFRM_SOCKET;
1162 case NETLINK_SELINUX:
1163 return SECCLASS_NETLINK_SELINUX_SOCKET;
1165 return SECCLASS_NETLINK_AUDIT_SOCKET;
1166 case NETLINK_IP6_FW:
1167 return SECCLASS_NETLINK_IP6FW_SOCKET;
1168 case NETLINK_DNRTMSG:
1169 return SECCLASS_NETLINK_DNRT_SOCKET;
1170 case NETLINK_KOBJECT_UEVENT:
1171 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1173 return SECCLASS_NETLINK_SOCKET;
1176 return SECCLASS_PACKET_SOCKET;
1178 return SECCLASS_KEY_SOCKET;
1180 return SECCLASS_APPLETALK_SOCKET;
1183 return SECCLASS_SOCKET;
1186 #ifdef CONFIG_PROC_FS
1187 static int selinux_proc_get_sid(struct dentry *dentry,
1192 char *buffer, *path;
1194 buffer = (char *)__get_free_page(GFP_KERNEL);
1198 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1202 /* each process gets a /proc/PID/ entry. Strip off the
1203 * PID part to get a valid selinux labeling.
1204 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1205 while (path[1] >= '0' && path[1] <= '9') {
1209 rc = security_genfs_sid("proc", path, tclass, sid);
1211 free_page((unsigned long)buffer);
1215 static int selinux_proc_get_sid(struct dentry *dentry,
1223 /* The inode's security attributes must be initialized before first use. */
1224 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1226 struct superblock_security_struct *sbsec = NULL;
1227 struct inode_security_struct *isec = inode->i_security;
1229 struct dentry *dentry;
1230 #define INITCONTEXTLEN 255
1231 char *context = NULL;
1235 if (isec->initialized)
1238 mutex_lock(&isec->lock);
1239 if (isec->initialized)
1242 sbsec = inode->i_sb->s_security;
1243 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1244 /* Defer initialization until selinux_complete_init,
1245 after the initial policy is loaded and the security
1246 server is ready to handle calls. */
1247 spin_lock(&sbsec->isec_lock);
1248 if (list_empty(&isec->list))
1249 list_add(&isec->list, &sbsec->isec_head);
1250 spin_unlock(&sbsec->isec_lock);
1254 switch (sbsec->behavior) {
1255 case SECURITY_FS_USE_XATTR:
1256 if (!inode->i_op->getxattr) {
1257 isec->sid = sbsec->def_sid;
1261 /* Need a dentry, since the xattr API requires one.
1262 Life would be simpler if we could just pass the inode. */
1264 /* Called from d_instantiate or d_splice_alias. */
1265 dentry = dget(opt_dentry);
1267 /* Called from selinux_complete_init, try to find a dentry. */
1268 dentry = d_find_alias(inode);
1272 * this is can be hit on boot when a file is accessed
1273 * before the policy is loaded. When we load policy we
1274 * may find inodes that have no dentry on the
1275 * sbsec->isec_head list. No reason to complain as these
1276 * will get fixed up the next time we go through
1277 * inode_doinit with a dentry, before these inodes could
1278 * be used again by userspace.
1283 len = INITCONTEXTLEN;
1284 context = kmalloc(len+1, GFP_NOFS);
1290 context[len] = '\0';
1291 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1293 if (rc == -ERANGE) {
1296 /* Need a larger buffer. Query for the right size. */
1297 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1304 context = kmalloc(len+1, GFP_NOFS);
1310 context[len] = '\0';
1311 rc = inode->i_op->getxattr(dentry,
1317 if (rc != -ENODATA) {
1318 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1319 "%d for dev=%s ino=%ld\n", __func__,
1320 -rc, inode->i_sb->s_id, inode->i_ino);
1324 /* Map ENODATA to the default file SID */
1325 sid = sbsec->def_sid;
1328 rc = security_context_to_sid_default(context, rc, &sid,
1332 char *dev = inode->i_sb->s_id;
1333 unsigned long ino = inode->i_ino;
1335 if (rc == -EINVAL) {
1336 if (printk_ratelimit())
1337 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1338 "context=%s. This indicates you may need to relabel the inode or the "
1339 "filesystem in question.\n", ino, dev, context);
1341 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1342 "returned %d for dev=%s ino=%ld\n",
1343 __func__, context, -rc, dev, ino);
1346 /* Leave with the unlabeled SID */
1354 case SECURITY_FS_USE_TASK:
1355 isec->sid = isec->task_sid;
1357 case SECURITY_FS_USE_TRANS:
1358 /* Default to the fs SID. */
1359 isec->sid = sbsec->sid;
1361 /* Try to obtain a transition SID. */
1362 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1363 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1364 isec->sclass, NULL, &sid);
1369 case SECURITY_FS_USE_MNTPOINT:
1370 isec->sid = sbsec->mntpoint_sid;
1373 /* Default to the fs superblock SID. */
1374 isec->sid = sbsec->sid;
1376 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1378 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1379 rc = selinux_proc_get_sid(opt_dentry,
1390 isec->initialized = 1;
1393 mutex_unlock(&isec->lock);
1395 if (isec->sclass == SECCLASS_FILE)
1396 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1400 /* Convert a Linux signal to an access vector. */
1401 static inline u32 signal_to_av(int sig)
1407 /* Commonly granted from child to parent. */
1408 perm = PROCESS__SIGCHLD;
1411 /* Cannot be caught or ignored */
1412 perm = PROCESS__SIGKILL;
1415 /* Cannot be caught or ignored */
1416 perm = PROCESS__SIGSTOP;
1419 /* All other signals. */
1420 perm = PROCESS__SIGNAL;
1428 * Check permission between a pair of credentials
1429 * fork check, ptrace check, etc.
1431 static int cred_has_perm(const struct cred *actor,
1432 const struct cred *target,
1435 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1437 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1441 * Check permission between a pair of tasks, e.g. signal checks,
1442 * fork check, ptrace check, etc.
1443 * tsk1 is the actor and tsk2 is the target
1444 * - this uses the default subjective creds of tsk1
1446 static int task_has_perm(const struct task_struct *tsk1,
1447 const struct task_struct *tsk2,
1450 const struct task_security_struct *__tsec1, *__tsec2;
1454 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1455 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1457 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1461 * Check permission between current and another task, e.g. signal checks,
1462 * fork check, ptrace check, etc.
1463 * current is the actor and tsk2 is the target
1464 * - this uses current's subjective creds
1466 static int current_has_perm(const struct task_struct *tsk,
1471 sid = current_sid();
1472 tsid = task_sid(tsk);
1473 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1476 #if CAP_LAST_CAP > 63
1477 #error Fix SELinux to handle capabilities > 63.
1480 /* Check whether a task is allowed to use a capability. */
1481 static int cred_has_capability(const struct cred *cred,
1484 struct common_audit_data ad;
1485 struct av_decision avd;
1487 u32 sid = cred_sid(cred);
1488 u32 av = CAP_TO_MASK(cap);
1491 ad.type = LSM_AUDIT_DATA_CAP;
1494 switch (CAP_TO_INDEX(cap)) {
1496 sclass = SECCLASS_CAPABILITY;
1499 sclass = SECCLASS_CAPABILITY2;
1503 "SELinux: out of range capability %d\n", cap);
1508 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1509 if (audit == SECURITY_CAP_AUDIT) {
1510 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1517 /* Check whether a task is allowed to use a system operation. */
1518 static int task_has_system(struct task_struct *tsk,
1521 u32 sid = task_sid(tsk);
1523 return avc_has_perm(sid, SECINITSID_KERNEL,
1524 SECCLASS_SYSTEM, perms, NULL);
1527 /* Check whether a task has a particular permission to an inode.
1528 The 'adp' parameter is optional and allows other audit
1529 data to be passed (e.g. the dentry). */
1530 static int inode_has_perm(const struct cred *cred,
1531 struct inode *inode,
1533 struct common_audit_data *adp,
1536 struct inode_security_struct *isec;
1539 validate_creds(cred);
1541 if (unlikely(IS_PRIVATE(inode)))
1544 sid = cred_sid(cred);
1545 isec = inode->i_security;
1547 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1550 /* Same as inode_has_perm, but pass explicit audit data containing
1551 the dentry to help the auditing code to more easily generate the
1552 pathname if needed. */
1553 static inline int dentry_has_perm(const struct cred *cred,
1554 struct dentry *dentry,
1557 struct inode *inode = dentry->d_inode;
1558 struct common_audit_data ad;
1560 ad.type = LSM_AUDIT_DATA_DENTRY;
1561 ad.u.dentry = dentry;
1562 return inode_has_perm(cred, inode, av, &ad, 0);
1565 /* Same as inode_has_perm, but pass explicit audit data containing
1566 the path to help the auditing code to more easily generate the
1567 pathname if needed. */
1568 static inline int path_has_perm(const struct cred *cred,
1572 struct inode *inode = path->dentry->d_inode;
1573 struct common_audit_data ad;
1575 ad.type = LSM_AUDIT_DATA_PATH;
1577 return inode_has_perm(cred, inode, av, &ad, 0);
1580 /* Check whether a task can use an open file descriptor to
1581 access an inode in a given way. Check access to the
1582 descriptor itself, and then use dentry_has_perm to
1583 check a particular permission to the file.
1584 Access to the descriptor is implicitly granted if it
1585 has the same SID as the process. If av is zero, then
1586 access to the file is not checked, e.g. for cases
1587 where only the descriptor is affected like seek. */
1588 static int file_has_perm(const struct cred *cred,
1592 struct file_security_struct *fsec = file->f_security;
1593 struct inode *inode = file_inode(file);
1594 struct common_audit_data ad;
1595 u32 sid = cred_sid(cred);
1598 ad.type = LSM_AUDIT_DATA_PATH;
1599 ad.u.path = file->f_path;
1601 if (sid != fsec->sid) {
1602 rc = avc_has_perm(sid, fsec->sid,
1610 /* av is zero if only checking access to the descriptor. */
1613 rc = inode_has_perm(cred, inode, av, &ad, 0);
1619 /* Check whether a task can create a file. */
1620 static int may_create(struct inode *dir,
1621 struct dentry *dentry,
1624 const struct task_security_struct *tsec = current_security();
1625 struct inode_security_struct *dsec;
1626 struct superblock_security_struct *sbsec;
1628 struct common_audit_data ad;
1631 dsec = dir->i_security;
1632 sbsec = dir->i_sb->s_security;
1635 newsid = tsec->create_sid;
1637 ad.type = LSM_AUDIT_DATA_DENTRY;
1638 ad.u.dentry = dentry;
1640 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1641 DIR__ADD_NAME | DIR__SEARCH,
1646 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1647 rc = security_transition_sid(sid, dsec->sid, tclass,
1648 &dentry->d_name, &newsid);
1653 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1657 return avc_has_perm(newsid, sbsec->sid,
1658 SECCLASS_FILESYSTEM,
1659 FILESYSTEM__ASSOCIATE, &ad);
1662 /* Check whether a task can create a key. */
1663 static int may_create_key(u32 ksid,
1664 struct task_struct *ctx)
1666 u32 sid = task_sid(ctx);
1668 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1672 #define MAY_UNLINK 1
1675 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1676 static int may_link(struct inode *dir,
1677 struct dentry *dentry,
1681 struct inode_security_struct *dsec, *isec;
1682 struct common_audit_data ad;
1683 u32 sid = current_sid();
1687 dsec = dir->i_security;
1688 isec = dentry->d_inode->i_security;
1690 ad.type = LSM_AUDIT_DATA_DENTRY;
1691 ad.u.dentry = dentry;
1694 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1695 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1710 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1715 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1719 static inline int may_rename(struct inode *old_dir,
1720 struct dentry *old_dentry,
1721 struct inode *new_dir,
1722 struct dentry *new_dentry)
1724 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1725 struct common_audit_data ad;
1726 u32 sid = current_sid();
1728 int old_is_dir, new_is_dir;
1731 old_dsec = old_dir->i_security;
1732 old_isec = old_dentry->d_inode->i_security;
1733 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1734 new_dsec = new_dir->i_security;
1736 ad.type = LSM_AUDIT_DATA_DENTRY;
1738 ad.u.dentry = old_dentry;
1739 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1740 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1743 rc = avc_has_perm(sid, old_isec->sid,
1744 old_isec->sclass, FILE__RENAME, &ad);
1747 if (old_is_dir && new_dir != old_dir) {
1748 rc = avc_has_perm(sid, old_isec->sid,
1749 old_isec->sclass, DIR__REPARENT, &ad);
1754 ad.u.dentry = new_dentry;
1755 av = DIR__ADD_NAME | DIR__SEARCH;
1756 if (new_dentry->d_inode)
1757 av |= DIR__REMOVE_NAME;
1758 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1761 if (new_dentry->d_inode) {
1762 new_isec = new_dentry->d_inode->i_security;
1763 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1764 rc = avc_has_perm(sid, new_isec->sid,
1766 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1774 /* Check whether a task can perform a filesystem operation. */
1775 static int superblock_has_perm(const struct cred *cred,
1776 struct super_block *sb,
1778 struct common_audit_data *ad)
1780 struct superblock_security_struct *sbsec;
1781 u32 sid = cred_sid(cred);
1783 sbsec = sb->s_security;
1784 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1787 /* Convert a Linux mode and permission mask to an access vector. */
1788 static inline u32 file_mask_to_av(int mode, int mask)
1792 if (!S_ISDIR(mode)) {
1793 if (mask & MAY_EXEC)
1794 av |= FILE__EXECUTE;
1795 if (mask & MAY_READ)
1798 if (mask & MAY_APPEND)
1800 else if (mask & MAY_WRITE)
1804 if (mask & MAY_EXEC)
1806 if (mask & MAY_WRITE)
1808 if (mask & MAY_READ)
1815 /* Convert a Linux file to an access vector. */
1816 static inline u32 file_to_av(struct file *file)
1820 if (file->f_mode & FMODE_READ)
1822 if (file->f_mode & FMODE_WRITE) {
1823 if (file->f_flags & O_APPEND)
1830 * Special file opened with flags 3 for ioctl-only use.
1839 * Convert a file to an access vector and include the correct open
1842 static inline u32 open_file_to_av(struct file *file)
1844 u32 av = file_to_av(file);
1846 if (selinux_policycap_openperm)
1852 /* Hook functions begin here. */
1854 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1856 u32 mysid = current_sid();
1857 u32 mgrsid = task_sid(mgr);
1859 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, BINDER__SET_CONTEXT_MGR, NULL);
1862 static int selinux_binder_transaction(struct task_struct *from, struct task_struct *to)
1864 u32 mysid = current_sid();
1865 u32 fromsid = task_sid(from);
1866 u32 tosid = task_sid(to);
1869 if (mysid != fromsid) {
1870 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, BINDER__IMPERSONATE, NULL);
1875 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, NULL);
1878 static int selinux_binder_transfer_binder(struct task_struct *from, struct task_struct *to)
1880 u32 fromsid = task_sid(from);
1881 u32 tosid = task_sid(to);
1882 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, NULL);
1885 static int selinux_binder_transfer_file(struct task_struct *from, struct task_struct *to, struct file *file)
1887 u32 sid = task_sid(to);
1888 struct file_security_struct *fsec = file->f_security;
1889 struct inode *inode = file->f_path.dentry->d_inode;
1890 struct inode_security_struct *isec = inode->i_security;
1891 struct common_audit_data ad;
1892 struct selinux_audit_data sad = {0,};
1895 ad.type = LSM_AUDIT_DATA_PATH;
1896 ad.u.path = file->f_path;
1897 ad.selinux_audit_data = &sad;
1899 if (sid != fsec->sid) {
1900 rc = avc_has_perm(sid, fsec->sid,
1908 if (unlikely(IS_PRIVATE(inode)))
1911 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
1915 static int selinux_ptrace_access_check(struct task_struct *child,
1920 rc = cap_ptrace_access_check(child, mode);
1924 if (mode & PTRACE_MODE_READ) {
1925 u32 sid = current_sid();
1926 u32 csid = task_sid(child);
1927 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1930 return current_has_perm(child, PROCESS__PTRACE);
1933 static int selinux_ptrace_traceme(struct task_struct *parent)
1937 rc = cap_ptrace_traceme(parent);
1941 return task_has_perm(parent, current, PROCESS__PTRACE);
1944 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1945 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1949 error = current_has_perm(target, PROCESS__GETCAP);
1953 return cap_capget(target, effective, inheritable, permitted);
1956 static int selinux_capset(struct cred *new, const struct cred *old,
1957 const kernel_cap_t *effective,
1958 const kernel_cap_t *inheritable,
1959 const kernel_cap_t *permitted)
1963 error = cap_capset(new, old,
1964 effective, inheritable, permitted);
1968 return cred_has_perm(old, new, PROCESS__SETCAP);
1972 * (This comment used to live with the selinux_task_setuid hook,
1973 * which was removed).
1975 * Since setuid only affects the current process, and since the SELinux
1976 * controls are not based on the Linux identity attributes, SELinux does not
1977 * need to control this operation. However, SELinux does control the use of
1978 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1981 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1986 rc = cap_capable(cred, ns, cap, audit);
1990 return cred_has_capability(cred, cap, audit);
1993 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1995 const struct cred *cred = current_cred();
2007 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2012 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2015 rc = 0; /* let the kernel handle invalid cmds */
2021 static int selinux_quota_on(struct dentry *dentry)
2023 const struct cred *cred = current_cred();
2025 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2028 static int selinux_syslog(int type)
2033 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2034 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2035 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2037 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2038 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2039 /* Set level of messages printed to console */
2040 case SYSLOG_ACTION_CONSOLE_LEVEL:
2041 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2043 case SYSLOG_ACTION_CLOSE: /* Close log */
2044 case SYSLOG_ACTION_OPEN: /* Open log */
2045 case SYSLOG_ACTION_READ: /* Read from log */
2046 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2047 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
2049 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2056 * Check that a process has enough memory to allocate a new virtual
2057 * mapping. 0 means there is enough memory for the allocation to
2058 * succeed and -ENOMEM implies there is not.
2060 * Do not audit the selinux permission check, as this is applied to all
2061 * processes that allocate mappings.
2063 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2065 int rc, cap_sys_admin = 0;
2067 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
2068 SECURITY_CAP_NOAUDIT);
2072 return __vm_enough_memory(mm, pages, cap_sys_admin);
2075 /* binprm security operations */
2077 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2079 const struct task_security_struct *old_tsec;
2080 struct task_security_struct *new_tsec;
2081 struct inode_security_struct *isec;
2082 struct common_audit_data ad;
2083 struct inode *inode = file_inode(bprm->file);
2086 rc = cap_bprm_set_creds(bprm);
2090 /* SELinux context only depends on initial program or script and not
2091 * the script interpreter */
2092 if (bprm->cred_prepared)
2095 old_tsec = current_security();
2096 new_tsec = bprm->cred->security;
2097 isec = inode->i_security;
2099 /* Default to the current task SID. */
2100 new_tsec->sid = old_tsec->sid;
2101 new_tsec->osid = old_tsec->sid;
2103 /* Reset fs, key, and sock SIDs on execve. */
2104 new_tsec->create_sid = 0;
2105 new_tsec->keycreate_sid = 0;
2106 new_tsec->sockcreate_sid = 0;
2108 if (old_tsec->exec_sid) {
2109 new_tsec->sid = old_tsec->exec_sid;
2110 /* Reset exec SID on execve. */
2111 new_tsec->exec_sid = 0;
2114 * Minimize confusion: if no_new_privs and a transition is
2115 * explicitly requested, then fail the exec.
2117 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2120 /* Check for a default transition on this program. */
2121 rc = security_transition_sid(old_tsec->sid, isec->sid,
2122 SECCLASS_PROCESS, NULL,
2128 ad.type = LSM_AUDIT_DATA_PATH;
2129 ad.u.path = bprm->file->f_path;
2131 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2132 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2133 new_tsec->sid = old_tsec->sid;
2135 if (new_tsec->sid == old_tsec->sid) {
2136 rc = avc_has_perm(old_tsec->sid, isec->sid,
2137 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2141 /* Check permissions for the transition. */
2142 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2143 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2147 rc = avc_has_perm(new_tsec->sid, isec->sid,
2148 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2152 /* Check for shared state */
2153 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2154 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2155 SECCLASS_PROCESS, PROCESS__SHARE,
2161 /* Make sure that anyone attempting to ptrace over a task that
2162 * changes its SID has the appropriate permit */
2164 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2165 struct task_struct *tracer;
2166 struct task_security_struct *sec;
2170 tracer = ptrace_parent(current);
2171 if (likely(tracer != NULL)) {
2172 sec = __task_cred(tracer)->security;
2178 rc = avc_has_perm(ptsid, new_tsec->sid,
2180 PROCESS__PTRACE, NULL);
2186 /* Clear any possibly unsafe personality bits on exec: */
2187 bprm->per_clear |= PER_CLEAR_ON_SETID;
2193 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2195 const struct task_security_struct *tsec = current_security();
2203 /* Enable secure mode for SIDs transitions unless
2204 the noatsecure permission is granted between
2205 the two SIDs, i.e. ahp returns 0. */
2206 atsecure = avc_has_perm(osid, sid,
2208 PROCESS__NOATSECURE, NULL);
2211 return (atsecure || cap_bprm_secureexec(bprm));
2214 static int match_file(const void *p, struct file *file, unsigned fd)
2216 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2219 /* Derived from fs/exec.c:flush_old_files. */
2220 static inline void flush_unauthorized_files(const struct cred *cred,
2221 struct files_struct *files)
2223 struct file *file, *devnull = NULL;
2224 struct tty_struct *tty;
2228 tty = get_current_tty();
2230 spin_lock(&tty_files_lock);
2231 if (!list_empty(&tty->tty_files)) {
2232 struct tty_file_private *file_priv;
2234 /* Revalidate access to controlling tty.
2235 Use path_has_perm on the tty path directly rather
2236 than using file_has_perm, as this particular open
2237 file may belong to another process and we are only
2238 interested in the inode-based check here. */
2239 file_priv = list_first_entry(&tty->tty_files,
2240 struct tty_file_private, list);
2241 file = file_priv->file;
2242 if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
2245 spin_unlock(&tty_files_lock);
2248 /* Reset controlling tty. */
2252 /* Revalidate access to inherited open files. */
2253 n = iterate_fd(files, 0, match_file, cred);
2254 if (!n) /* none found? */
2257 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2258 if (IS_ERR(devnull))
2260 /* replace all the matching ones with this */
2262 replace_fd(n - 1, devnull, 0);
2263 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2269 * Prepare a process for imminent new credential changes due to exec
2271 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2273 struct task_security_struct *new_tsec;
2274 struct rlimit *rlim, *initrlim;
2277 new_tsec = bprm->cred->security;
2278 if (new_tsec->sid == new_tsec->osid)
2281 /* Close files for which the new task SID is not authorized. */
2282 flush_unauthorized_files(bprm->cred, current->files);
2284 /* Always clear parent death signal on SID transitions. */
2285 current->pdeath_signal = 0;
2287 /* Check whether the new SID can inherit resource limits from the old
2288 * SID. If not, reset all soft limits to the lower of the current
2289 * task's hard limit and the init task's soft limit.
2291 * Note that the setting of hard limits (even to lower them) can be
2292 * controlled by the setrlimit check. The inclusion of the init task's
2293 * soft limit into the computation is to avoid resetting soft limits
2294 * higher than the default soft limit for cases where the default is
2295 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2297 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2298 PROCESS__RLIMITINH, NULL);
2300 /* protect against do_prlimit() */
2302 for (i = 0; i < RLIM_NLIMITS; i++) {
2303 rlim = current->signal->rlim + i;
2304 initrlim = init_task.signal->rlim + i;
2305 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2307 task_unlock(current);
2308 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2313 * Clean up the process immediately after the installation of new credentials
2316 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2318 const struct task_security_struct *tsec = current_security();
2319 struct itimerval itimer;
2329 /* Check whether the new SID can inherit signal state from the old SID.
2330 * If not, clear itimers to avoid subsequent signal generation and
2331 * flush and unblock signals.
2333 * This must occur _after_ the task SID has been updated so that any
2334 * kill done after the flush will be checked against the new SID.
2336 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2338 memset(&itimer, 0, sizeof itimer);
2339 for (i = 0; i < 3; i++)
2340 do_setitimer(i, &itimer, NULL);
2341 spin_lock_irq(¤t->sighand->siglock);
2342 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2343 __flush_signals(current);
2344 flush_signal_handlers(current, 1);
2345 sigemptyset(¤t->blocked);
2347 spin_unlock_irq(¤t->sighand->siglock);
2350 /* Wake up the parent if it is waiting so that it can recheck
2351 * wait permission to the new task SID. */
2352 read_lock(&tasklist_lock);
2353 __wake_up_parent(current, current->real_parent);
2354 read_unlock(&tasklist_lock);
2357 /* superblock security operations */
2359 static int selinux_sb_alloc_security(struct super_block *sb)
2361 return superblock_alloc_security(sb);
2364 static void selinux_sb_free_security(struct super_block *sb)
2366 superblock_free_security(sb);
2369 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2374 return !memcmp(prefix, option, plen);
2377 static inline int selinux_option(char *option, int len)
2379 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2380 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2381 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2382 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2383 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2386 static inline void take_option(char **to, char *from, int *first, int len)
2393 memcpy(*to, from, len);
2397 static inline void take_selinux_option(char **to, char *from, int *first,
2400 int current_size = 0;
2408 while (current_size < len) {
2418 static int selinux_sb_copy_data(char *orig, char *copy)
2420 int fnosec, fsec, rc = 0;
2421 char *in_save, *in_curr, *in_end;
2422 char *sec_curr, *nosec_save, *nosec;
2428 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2436 in_save = in_end = orig;
2440 open_quote = !open_quote;
2441 if ((*in_end == ',' && open_quote == 0) ||
2443 int len = in_end - in_curr;
2445 if (selinux_option(in_curr, len))
2446 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2448 take_option(&nosec, in_curr, &fnosec, len);
2450 in_curr = in_end + 1;
2452 } while (*in_end++);
2454 strcpy(in_save, nosec_save);
2455 free_page((unsigned long)nosec_save);
2460 static int selinux_sb_remount(struct super_block *sb, void *data)
2463 struct security_mnt_opts opts;
2464 char *secdata, **mount_options;
2465 struct superblock_security_struct *sbsec = sb->s_security;
2467 if (!(sbsec->flags & SE_SBINITIALIZED))
2473 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2476 security_init_mnt_opts(&opts);
2477 secdata = alloc_secdata();
2480 rc = selinux_sb_copy_data(data, secdata);
2482 goto out_free_secdata;
2484 rc = selinux_parse_opts_str(secdata, &opts);
2486 goto out_free_secdata;
2488 mount_options = opts.mnt_opts;
2489 flags = opts.mnt_opts_flags;
2491 for (i = 0; i < opts.num_mnt_opts; i++) {
2495 if (flags[i] == SE_SBLABELSUPP)
2497 len = strlen(mount_options[i]);
2498 rc = security_context_to_sid(mount_options[i], len, &sid);
2500 printk(KERN_WARNING "SELinux: security_context_to_sid"
2501 "(%s) failed for (dev %s, type %s) errno=%d\n",
2502 mount_options[i], sb->s_id, sb->s_type->name, rc);
2508 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2509 goto out_bad_option;
2512 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2513 goto out_bad_option;
2515 case ROOTCONTEXT_MNT: {
2516 struct inode_security_struct *root_isec;
2517 root_isec = sb->s_root->d_inode->i_security;
2519 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2520 goto out_bad_option;
2523 case DEFCONTEXT_MNT:
2524 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2525 goto out_bad_option;
2534 security_free_mnt_opts(&opts);
2536 free_secdata(secdata);
2539 printk(KERN_WARNING "SELinux: unable to change security options "
2540 "during remount (dev %s, type=%s)\n", sb->s_id,
2545 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2547 const struct cred *cred = current_cred();
2548 struct common_audit_data ad;
2551 rc = superblock_doinit(sb, data);
2555 /* Allow all mounts performed by the kernel */
2556 if (flags & MS_KERNMOUNT)
2559 ad.type = LSM_AUDIT_DATA_DENTRY;
2560 ad.u.dentry = sb->s_root;
2561 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2564 static int selinux_sb_statfs(struct dentry *dentry)
2566 const struct cred *cred = current_cred();
2567 struct common_audit_data ad;
2569 ad.type = LSM_AUDIT_DATA_DENTRY;
2570 ad.u.dentry = dentry->d_sb->s_root;
2571 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2574 static int selinux_mount(const char *dev_name,
2577 unsigned long flags,
2580 const struct cred *cred = current_cred();
2582 if (flags & MS_REMOUNT)
2583 return superblock_has_perm(cred, path->dentry->d_sb,
2584 FILESYSTEM__REMOUNT, NULL);
2586 return path_has_perm(cred, path, FILE__MOUNTON);
2589 static int selinux_umount(struct vfsmount *mnt, int flags)
2591 const struct cred *cred = current_cred();
2593 return superblock_has_perm(cred, mnt->mnt_sb,
2594 FILESYSTEM__UNMOUNT, NULL);
2597 /* inode security operations */
2599 static int selinux_inode_alloc_security(struct inode *inode)
2601 return inode_alloc_security(inode);
2604 static void selinux_inode_free_security(struct inode *inode)
2606 inode_free_security(inode);
2609 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2610 const struct qstr *qstr, char **name,
2611 void **value, size_t *len)
2613 const struct task_security_struct *tsec = current_security();
2614 struct inode_security_struct *dsec;
2615 struct superblock_security_struct *sbsec;
2616 u32 sid, newsid, clen;
2618 char *namep = NULL, *context;
2620 dsec = dir->i_security;
2621 sbsec = dir->i_sb->s_security;
2624 newsid = tsec->create_sid;
2626 if ((sbsec->flags & SE_SBINITIALIZED) &&
2627 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2628 newsid = sbsec->mntpoint_sid;
2629 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2630 rc = security_transition_sid(sid, dsec->sid,
2631 inode_mode_to_security_class(inode->i_mode),
2634 printk(KERN_WARNING "%s: "
2635 "security_transition_sid failed, rc=%d (dev=%s "
2638 -rc, inode->i_sb->s_id, inode->i_ino);
2643 /* Possibly defer initialization to selinux_complete_init. */
2644 if (sbsec->flags & SE_SBINITIALIZED) {
2645 struct inode_security_struct *isec = inode->i_security;
2646 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2648 isec->initialized = 1;
2651 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2655 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2662 rc = security_sid_to_context_force(newsid, &context, &clen);
2674 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2676 return may_create(dir, dentry, SECCLASS_FILE);
2679 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2681 return may_link(dir, old_dentry, MAY_LINK);
2684 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2686 return may_link(dir, dentry, MAY_UNLINK);
2689 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2691 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2694 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2696 return may_create(dir, dentry, SECCLASS_DIR);
2699 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2701 return may_link(dir, dentry, MAY_RMDIR);
2704 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2706 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2709 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2710 struct inode *new_inode, struct dentry *new_dentry)
2712 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2715 static int selinux_inode_readlink(struct dentry *dentry)
2717 const struct cred *cred = current_cred();
2719 return dentry_has_perm(cred, dentry, FILE__READ);
2722 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2724 const struct cred *cred = current_cred();
2726 return dentry_has_perm(cred, dentry, FILE__READ);
2729 static noinline int audit_inode_permission(struct inode *inode,
2730 u32 perms, u32 audited, u32 denied,
2734 struct common_audit_data ad;
2735 struct inode_security_struct *isec = inode->i_security;
2738 ad.type = LSM_AUDIT_DATA_INODE;
2741 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2742 audited, denied, result, &ad, flags);
2748 static int selinux_inode_permission(struct inode *inode, int mask)
2750 const struct cred *cred = current_cred();
2753 unsigned flags = mask & MAY_NOT_BLOCK;
2754 struct inode_security_struct *isec;
2756 struct av_decision avd;
2758 u32 audited, denied;
2760 from_access = mask & MAY_ACCESS;
2761 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2763 /* No permission to check. Existence test. */
2767 validate_creds(cred);
2769 if (unlikely(IS_PRIVATE(inode)))
2772 perms = file_mask_to_av(inode->i_mode, mask);
2774 sid = cred_sid(cred);
2775 isec = inode->i_security;
2777 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2778 audited = avc_audit_required(perms, &avd, rc,
2779 from_access ? FILE__AUDIT_ACCESS : 0,
2781 if (likely(!audited))
2784 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2790 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2792 const struct cred *cred = current_cred();
2793 unsigned int ia_valid = iattr->ia_valid;
2794 __u32 av = FILE__WRITE;
2796 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2797 if (ia_valid & ATTR_FORCE) {
2798 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2804 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2805 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2806 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2808 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2811 return dentry_has_perm(cred, dentry, av);
2814 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2816 const struct cred *cred = current_cred();
2819 path.dentry = dentry;
2822 return path_has_perm(cred, &path, FILE__GETATTR);
2825 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2827 const struct cred *cred = current_cred();
2829 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2830 sizeof XATTR_SECURITY_PREFIX - 1)) {
2831 if (!strcmp(name, XATTR_NAME_CAPS)) {
2832 if (!capable(CAP_SETFCAP))
2834 } else if (!capable(CAP_SYS_ADMIN)) {
2835 /* A different attribute in the security namespace.
2836 Restrict to administrator. */
2841 /* Not an attribute we recognize, so just check the
2842 ordinary setattr permission. */
2843 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2846 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2847 const void *value, size_t size, int flags)
2849 struct inode *inode = dentry->d_inode;
2850 struct inode_security_struct *isec = inode->i_security;
2851 struct superblock_security_struct *sbsec;
2852 struct common_audit_data ad;
2853 u32 newsid, sid = current_sid();
2856 if (strcmp(name, XATTR_NAME_SELINUX))
2857 return selinux_inode_setotherxattr(dentry, name);
2859 sbsec = inode->i_sb->s_security;
2860 if (!(sbsec->flags & SE_SBLABELSUPP))
2863 if (!inode_owner_or_capable(inode))
2866 ad.type = LSM_AUDIT_DATA_DENTRY;
2867 ad.u.dentry = dentry;
2869 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2870 FILE__RELABELFROM, &ad);
2874 rc = security_context_to_sid(value, size, &newsid);
2875 if (rc == -EINVAL) {
2876 if (!capable(CAP_MAC_ADMIN)) {
2877 struct audit_buffer *ab;
2881 /* We strip a nul only if it is at the end, otherwise the
2882 * context contains a nul and we should audit that */
2885 if (str[size - 1] == '\0')
2886 audit_size = size - 1;
2893 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2894 audit_log_format(ab, "op=setxattr invalid_context=");
2895 audit_log_n_untrustedstring(ab, value, audit_size);
2900 rc = security_context_to_sid_force(value, size, &newsid);
2905 rc = avc_has_perm(sid, newsid, isec->sclass,
2906 FILE__RELABELTO, &ad);
2910 rc = security_validate_transition(isec->sid, newsid, sid,
2915 return avc_has_perm(newsid,
2917 SECCLASS_FILESYSTEM,
2918 FILESYSTEM__ASSOCIATE,
2922 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2923 const void *value, size_t size,
2926 struct inode *inode = dentry->d_inode;
2927 struct inode_security_struct *isec = inode->i_security;
2931 if (strcmp(name, XATTR_NAME_SELINUX)) {
2932 /* Not an attribute we recognize, so nothing to do. */
2936 rc = security_context_to_sid_force(value, size, &newsid);
2938 printk(KERN_ERR "SELinux: unable to map context to SID"
2939 "for (%s, %lu), rc=%d\n",
2940 inode->i_sb->s_id, inode->i_ino, -rc);
2948 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2950 const struct cred *cred = current_cred();
2952 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2955 static int selinux_inode_listxattr(struct dentry *dentry)
2957 const struct cred *cred = current_cred();
2959 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2962 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2964 if (strcmp(name, XATTR_NAME_SELINUX))
2965 return selinux_inode_setotherxattr(dentry, name);
2967 /* No one is allowed to remove a SELinux security label.
2968 You can change the label, but all data must be labeled. */
2973 * Copy the inode security context value to the user.
2975 * Permission check is handled by selinux_inode_getxattr hook.
2977 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2981 char *context = NULL;
2982 struct inode_security_struct *isec = inode->i_security;
2984 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2988 * If the caller has CAP_MAC_ADMIN, then get the raw context
2989 * value even if it is not defined by current policy; otherwise,
2990 * use the in-core value under current policy.
2991 * Use the non-auditing forms of the permission checks since
2992 * getxattr may be called by unprivileged processes commonly
2993 * and lack of permission just means that we fall back to the
2994 * in-core context value, not a denial.
2996 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
2997 SECURITY_CAP_NOAUDIT);
2999 error = security_sid_to_context_force(isec->sid, &context,
3002 error = security_sid_to_context(isec->sid, &context, &size);
3015 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3016 const void *value, size_t size, int flags)
3018 struct inode_security_struct *isec = inode->i_security;
3022 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3025 if (!value || !size)
3028 rc = security_context_to_sid((void *)value, size, &newsid);
3033 isec->initialized = 1;
3037 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3039 const int len = sizeof(XATTR_NAME_SELINUX);
3040 if (buffer && len <= buffer_size)
3041 memcpy(buffer, XATTR_NAME_SELINUX, len);
3045 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3047 struct inode_security_struct *isec = inode->i_security;
3051 /* file security operations */
3053 static int selinux_revalidate_file_permission(struct file *file, int mask)
3055 const struct cred *cred = current_cred();
3056 struct inode *inode = file_inode(file);
3058 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3059 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3062 return file_has_perm(cred, file,
3063 file_mask_to_av(inode->i_mode, mask));
3066 static int selinux_file_permission(struct file *file, int mask)
3068 struct inode *inode = file_inode(file);
3069 struct file_security_struct *fsec = file->f_security;
3070 struct inode_security_struct *isec = inode->i_security;
3071 u32 sid = current_sid();
3074 /* No permission to check. Existence test. */
3077 if (sid == fsec->sid && fsec->isid == isec->sid &&
3078 fsec->pseqno == avc_policy_seqno())
3079 /* No change since file_open check. */
3082 return selinux_revalidate_file_permission(file, mask);
3085 static int selinux_file_alloc_security(struct file *file)
3087 return file_alloc_security(file);
3090 static void selinux_file_free_security(struct file *file)
3092 file_free_security(file);
3095 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3098 const struct cred *cred = current_cred();
3108 case FS_IOC_GETFLAGS:
3110 case FS_IOC_GETVERSION:
3111 error = file_has_perm(cred, file, FILE__GETATTR);
3114 case FS_IOC_SETFLAGS:
3116 case FS_IOC_SETVERSION:
3117 error = file_has_perm(cred, file, FILE__SETATTR);
3120 /* sys_ioctl() checks */
3124 error = file_has_perm(cred, file, 0);
3129 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3130 SECURITY_CAP_AUDIT);
3133 /* default case assumes that the command will go
3134 * to the file's ioctl() function.
3137 error = file_has_perm(cred, file, FILE__IOCTL);
3142 static int default_noexec;
3144 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3146 const struct cred *cred = current_cred();
3149 if (default_noexec &&
3150 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3152 * We are making executable an anonymous mapping or a
3153 * private file mapping that will also be writable.
3154 * This has an additional check.
3156 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3162 /* read access is always possible with a mapping */
3163 u32 av = FILE__READ;
3165 /* write access only matters if the mapping is shared */
3166 if (shared && (prot & PROT_WRITE))
3169 if (prot & PROT_EXEC)
3170 av |= FILE__EXECUTE;
3172 return file_has_perm(cred, file, av);
3179 static int selinux_mmap_addr(unsigned long addr)
3183 /* do DAC check on address space usage */
3184 rc = cap_mmap_addr(addr);
3188 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3189 u32 sid = current_sid();
3190 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3191 MEMPROTECT__MMAP_ZERO, NULL);
3197 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3198 unsigned long prot, unsigned long flags)
3200 if (selinux_checkreqprot)
3203 return file_map_prot_check(file, prot,
3204 (flags & MAP_TYPE) == MAP_SHARED);
3207 static int selinux_file_mprotect(struct vm_area_struct *vma,
3208 unsigned long reqprot,
3211 const struct cred *cred = current_cred();
3213 if (selinux_checkreqprot)
3216 if (default_noexec &&
3217 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3219 if (vma->vm_start >= vma->vm_mm->start_brk &&
3220 vma->vm_end <= vma->vm_mm->brk) {
3221 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3222 } else if (!vma->vm_file &&
3223 vma->vm_start <= vma->vm_mm->start_stack &&
3224 vma->vm_end >= vma->vm_mm->start_stack) {
3225 rc = current_has_perm(current, PROCESS__EXECSTACK);
3226 } else if (vma->vm_file && vma->anon_vma) {
3228 * We are making executable a file mapping that has
3229 * had some COW done. Since pages might have been
3230 * written, check ability to execute the possibly
3231 * modified content. This typically should only
3232 * occur for text relocations.
3234 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3240 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3243 static int selinux_file_lock(struct file *file, unsigned int cmd)
3245 const struct cred *cred = current_cred();
3247 return file_has_perm(cred, file, FILE__LOCK);
3250 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3253 const struct cred *cred = current_cred();
3258 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3259 err = file_has_perm(cred, file, FILE__WRITE);
3268 case F_GETOWNER_UIDS:
3269 /* Just check FD__USE permission */
3270 err = file_has_perm(cred, file, 0);
3275 #if BITS_PER_LONG == 32
3280 err = file_has_perm(cred, file, FILE__LOCK);
3287 static int selinux_file_set_fowner(struct file *file)
3289 struct file_security_struct *fsec;
3291 fsec = file->f_security;
3292 fsec->fown_sid = current_sid();
3297 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3298 struct fown_struct *fown, int signum)
3301 u32 sid = task_sid(tsk);
3303 struct file_security_struct *fsec;
3305 /* struct fown_struct is never outside the context of a struct file */
3306 file = container_of(fown, struct file, f_owner);
3308 fsec = file->f_security;
3311 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3313 perm = signal_to_av(signum);
3315 return avc_has_perm(fsec->fown_sid, sid,
3316 SECCLASS_PROCESS, perm, NULL);
3319 static int selinux_file_receive(struct file *file)
3321 const struct cred *cred = current_cred();
3323 return file_has_perm(cred, file, file_to_av(file));
3326 static int selinux_file_open(struct file *file, const struct cred *cred)
3328 struct file_security_struct *fsec;
3329 struct inode_security_struct *isec;
3331 fsec = file->f_security;
3332 isec = file_inode(file)->i_security;
3334 * Save inode label and policy sequence number
3335 * at open-time so that selinux_file_permission
3336 * can determine whether revalidation is necessary.
3337 * Task label is already saved in the file security
3338 * struct as its SID.
3340 fsec->isid = isec->sid;
3341 fsec->pseqno = avc_policy_seqno();
3343 * Since the inode label or policy seqno may have changed
3344 * between the selinux_inode_permission check and the saving
3345 * of state above, recheck that access is still permitted.
3346 * Otherwise, access might never be revalidated against the
3347 * new inode label or new policy.
3348 * This check is not redundant - do not remove.
3350 return path_has_perm(cred, &file->f_path, open_file_to_av(file));
3353 /* task security operations */
3355 static int selinux_task_create(unsigned long clone_flags)
3357 return current_has_perm(current, PROCESS__FORK);
3361 * allocate the SELinux part of blank credentials
3363 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3365 struct task_security_struct *tsec;
3367 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3371 cred->security = tsec;
3376 * detach and free the LSM part of a set of credentials
3378 static void selinux_cred_free(struct cred *cred)
3380 struct task_security_struct *tsec = cred->security;
3383 * cred->security == NULL if security_cred_alloc_blank() or
3384 * security_prepare_creds() returned an error.
3386 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3387 cred->security = (void *) 0x7UL;
3392 * prepare a new set of credentials for modification
3394 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3397 const struct task_security_struct *old_tsec;
3398 struct task_security_struct *tsec;
3400 old_tsec = old->security;
3402 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3406 new->security = tsec;
3411 * transfer the SELinux data to a blank set of creds
3413 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3415 const struct task_security_struct *old_tsec = old->security;
3416 struct task_security_struct *tsec = new->security;
3422 * set the security data for a kernel service
3423 * - all the creation contexts are set to unlabelled
3425 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3427 struct task_security_struct *tsec = new->security;
3428 u32 sid = current_sid();
3431 ret = avc_has_perm(sid, secid,
3432 SECCLASS_KERNEL_SERVICE,
3433 KERNEL_SERVICE__USE_AS_OVERRIDE,
3437 tsec->create_sid = 0;
3438 tsec->keycreate_sid = 0;
3439 tsec->sockcreate_sid = 0;
3445 * set the file creation context in a security record to the same as the
3446 * objective context of the specified inode
3448 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3450 struct inode_security_struct *isec = inode->i_security;
3451 struct task_security_struct *tsec = new->security;
3452 u32 sid = current_sid();
3455 ret = avc_has_perm(sid, isec->sid,
3456 SECCLASS_KERNEL_SERVICE,
3457 KERNEL_SERVICE__CREATE_FILES_AS,
3461 tsec->create_sid = isec->sid;
3465 static int selinux_kernel_module_request(char *kmod_name)
3468 struct common_audit_data ad;
3470 sid = task_sid(current);
3472 ad.type = LSM_AUDIT_DATA_KMOD;
3473 ad.u.kmod_name = kmod_name;
3475 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3476 SYSTEM__MODULE_REQUEST, &ad);
3479 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3481 return current_has_perm(p, PROCESS__SETPGID);
3484 static int selinux_task_getpgid(struct task_struct *p)
3486 return current_has_perm(p, PROCESS__GETPGID);
3489 static int selinux_task_getsid(struct task_struct *p)
3491 return current_has_perm(p, PROCESS__GETSESSION);
3494 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3496 *secid = task_sid(p);
3499 static int selinux_task_setnice(struct task_struct *p, int nice)
3503 rc = cap_task_setnice(p, nice);
3507 return current_has_perm(p, PROCESS__SETSCHED);
3510 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3514 rc = cap_task_setioprio(p, ioprio);
3518 return current_has_perm(p, PROCESS__SETSCHED);
3521 static int selinux_task_getioprio(struct task_struct *p)
3523 return current_has_perm(p, PROCESS__GETSCHED);
3526 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3527 struct rlimit *new_rlim)
3529 struct rlimit *old_rlim = p->signal->rlim + resource;
3531 /* Control the ability to change the hard limit (whether
3532 lowering or raising it), so that the hard limit can
3533 later be used as a safe reset point for the soft limit
3534 upon context transitions. See selinux_bprm_committing_creds. */
3535 if (old_rlim->rlim_max != new_rlim->rlim_max)
3536 return current_has_perm(p, PROCESS__SETRLIMIT);
3541 static int selinux_task_setscheduler(struct task_struct *p)
3545 rc = cap_task_setscheduler(p);
3549 return current_has_perm(p, PROCESS__SETSCHED);
3552 static int selinux_task_getscheduler(struct task_struct *p)
3554 return current_has_perm(p, PROCESS__GETSCHED);
3557 static int selinux_task_movememory(struct task_struct *p)
3559 return current_has_perm(p, PROCESS__SETSCHED);
3562 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3569 perm = PROCESS__SIGNULL; /* null signal; existence test */
3571 perm = signal_to_av(sig);
3573 rc = avc_has_perm(secid, task_sid(p),
3574 SECCLASS_PROCESS, perm, NULL);
3576 rc = current_has_perm(p, perm);
3580 static int selinux_task_wait(struct task_struct *p)
3582 return task_has_perm(p, current, PROCESS__SIGCHLD);
3585 static void selinux_task_to_inode(struct task_struct *p,
3586 struct inode *inode)
3588 struct inode_security_struct *isec = inode->i_security;
3589 u32 sid = task_sid(p);
3592 isec->initialized = 1;
3595 /* Returns error only if unable to parse addresses */
3596 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3597 struct common_audit_data *ad, u8 *proto)
3599 int offset, ihlen, ret = -EINVAL;
3600 struct iphdr _iph, *ih;
3602 offset = skb_network_offset(skb);
3603 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3607 ihlen = ih->ihl * 4;
3608 if (ihlen < sizeof(_iph))
3611 ad->u.net->v4info.saddr = ih->saddr;
3612 ad->u.net->v4info.daddr = ih->daddr;
3616 *proto = ih->protocol;
3618 switch (ih->protocol) {
3620 struct tcphdr _tcph, *th;
3622 if (ntohs(ih->frag_off) & IP_OFFSET)
3626 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3630 ad->u.net->sport = th->source;
3631 ad->u.net->dport = th->dest;
3636 struct udphdr _udph, *uh;
3638 if (ntohs(ih->frag_off) & IP_OFFSET)
3642 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3646 ad->u.net->sport = uh->source;
3647 ad->u.net->dport = uh->dest;
3651 case IPPROTO_DCCP: {
3652 struct dccp_hdr _dccph, *dh;
3654 if (ntohs(ih->frag_off) & IP_OFFSET)
3658 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3662 ad->u.net->sport = dh->dccph_sport;
3663 ad->u.net->dport = dh->dccph_dport;
3674 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3676 /* Returns error only if unable to parse addresses */
3677 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3678 struct common_audit_data *ad, u8 *proto)
3681 int ret = -EINVAL, offset;
3682 struct ipv6hdr _ipv6h, *ip6;
3685 offset = skb_network_offset(skb);
3686 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3690 ad->u.net->v6info.saddr = ip6->saddr;
3691 ad->u.net->v6info.daddr = ip6->daddr;
3694 nexthdr = ip6->nexthdr;
3695 offset += sizeof(_ipv6h);
3696 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3705 struct tcphdr _tcph, *th;
3707 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3711 ad->u.net->sport = th->source;
3712 ad->u.net->dport = th->dest;
3717 struct udphdr _udph, *uh;
3719 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3723 ad->u.net->sport = uh->source;
3724 ad->u.net->dport = uh->dest;
3728 case IPPROTO_DCCP: {
3729 struct dccp_hdr _dccph, *dh;
3731 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3735 ad->u.net->sport = dh->dccph_sport;
3736 ad->u.net->dport = dh->dccph_dport;
3740 /* includes fragments */
3750 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3751 char **_addrp, int src, u8 *proto)
3756 switch (ad->u.net->family) {
3758 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3761 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3762 &ad->u.net->v4info.daddr);
3765 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3767 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3770 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3771 &ad->u.net->v6info.daddr);
3781 "SELinux: failure in selinux_parse_skb(),"
3782 " unable to parse packet\n");
3792 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3794 * @family: protocol family
3795 * @sid: the packet's peer label SID
3798 * Check the various different forms of network peer labeling and determine
3799 * the peer label/SID for the packet; most of the magic actually occurs in
3800 * the security server function security_net_peersid_cmp(). The function
3801 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3802 * or -EACCES if @sid is invalid due to inconsistencies with the different
3806 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3813 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3814 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3816 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3817 if (unlikely(err)) {
3819 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3820 " unable to determine packet's peer label\n");
3827 /* socket security operations */
3829 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3830 u16 secclass, u32 *socksid)
3832 if (tsec->sockcreate_sid > SECSID_NULL) {
3833 *socksid = tsec->sockcreate_sid;
3837 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3841 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3843 struct sk_security_struct *sksec = sk->sk_security;
3844 struct common_audit_data ad;
3845 struct lsm_network_audit net = {0,};
3846 u32 tsid = task_sid(task);
3848 if (sksec->sid == SECINITSID_KERNEL)
3851 ad.type = LSM_AUDIT_DATA_NET;
3855 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3858 static int selinux_socket_create(int family, int type,
3859 int protocol, int kern)
3861 const struct task_security_struct *tsec = current_security();
3869 secclass = socket_type_to_security_class(family, type, protocol);
3870 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3874 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3877 static int selinux_socket_post_create(struct socket *sock, int family,
3878 int type, int protocol, int kern)
3880 const struct task_security_struct *tsec = current_security();
3881 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3882 struct sk_security_struct *sksec;
3885 isec->sclass = socket_type_to_security_class(family, type, protocol);
3888 isec->sid = SECINITSID_KERNEL;
3890 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3895 isec->initialized = 1;
3898 sksec = sock->sk->sk_security;
3899 sksec->sid = isec->sid;
3900 sksec->sclass = isec->sclass;
3901 err = selinux_netlbl_socket_post_create(sock->sk, family);
3907 /* Range of port numbers used to automatically bind.
3908 Need to determine whether we should perform a name_bind
3909 permission check between the socket and the port number. */
3911 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3913 struct sock *sk = sock->sk;
3917 err = sock_has_perm(current, sk, SOCKET__BIND);
3922 * If PF_INET or PF_INET6, check name_bind permission for the port.
3923 * Multiple address binding for SCTP is not supported yet: we just
3924 * check the first address now.
3926 family = sk->sk_family;
3927 if (family == PF_INET || family == PF_INET6) {
3929 struct sk_security_struct *sksec = sk->sk_security;
3930 struct common_audit_data ad;
3931 struct lsm_network_audit net = {0,};
3932 struct sockaddr_in *addr4 = NULL;
3933 struct sockaddr_in6 *addr6 = NULL;
3934 unsigned short snum;
3937 if (family == PF_INET) {
3938 addr4 = (struct sockaddr_in *)address;
3939 snum = ntohs(addr4->sin_port);
3940 addrp = (char *)&addr4->sin_addr.s_addr;
3942 addr6 = (struct sockaddr_in6 *)address;
3943 snum = ntohs(addr6->sin6_port);
3944 addrp = (char *)&addr6->sin6_addr.s6_addr;
3950 inet_get_local_port_range(&low, &high);
3952 if (snum < max(PROT_SOCK, low) || snum > high) {
3953 err = sel_netport_sid(sk->sk_protocol,
3957 ad.type = LSM_AUDIT_DATA_NET;
3959 ad.u.net->sport = htons(snum);
3960 ad.u.net->family = family;
3961 err = avc_has_perm(sksec->sid, sid,
3963 SOCKET__NAME_BIND, &ad);
3969 switch (sksec->sclass) {
3970 case SECCLASS_TCP_SOCKET:
3971 node_perm = TCP_SOCKET__NODE_BIND;
3974 case SECCLASS_UDP_SOCKET:
3975 node_perm = UDP_SOCKET__NODE_BIND;
3978 case SECCLASS_DCCP_SOCKET:
3979 node_perm = DCCP_SOCKET__NODE_BIND;
3983 node_perm = RAWIP_SOCKET__NODE_BIND;
3987 err = sel_netnode_sid(addrp, family, &sid);
3991 ad.type = LSM_AUDIT_DATA_NET;
3993 ad.u.net->sport = htons(snum);
3994 ad.u.net->family = family;
3996 if (family == PF_INET)
3997 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
3999 ad.u.net->v6info.saddr = addr6->sin6_addr;
4001 err = avc_has_perm(sksec->sid, sid,
4002 sksec->sclass, node_perm, &ad);
4010 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4012 struct sock *sk = sock->sk;
4013 struct sk_security_struct *sksec = sk->sk_security;
4016 err = sock_has_perm(current, sk, SOCKET__CONNECT);
4021 * If a TCP or DCCP socket, check name_connect permission for the port.
4023 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4024 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4025 struct common_audit_data ad;
4026 struct lsm_network_audit net = {0,};
4027 struct sockaddr_in *addr4 = NULL;
4028 struct sockaddr_in6 *addr6 = NULL;
4029 unsigned short snum;
4032 if (sk->sk_family == PF_INET) {
4033 addr4 = (struct sockaddr_in *)address;
4034 if (addrlen < sizeof(struct sockaddr_in))
4036 snum = ntohs(addr4->sin_port);
4038 addr6 = (struct sockaddr_in6 *)address;
4039 if (addrlen < SIN6_LEN_RFC2133)
4041 snum = ntohs(addr6->sin6_port);
4044 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4048 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4049 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4051 ad.type = LSM_AUDIT_DATA_NET;
4053 ad.u.net->dport = htons(snum);
4054 ad.u.net->family = sk->sk_family;
4055 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4060 err = selinux_netlbl_socket_connect(sk, address);
4066 static int selinux_socket_listen(struct socket *sock, int backlog)
4068 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4071 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4074 struct inode_security_struct *isec;
4075 struct inode_security_struct *newisec;
4077 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4081 newisec = SOCK_INODE(newsock)->i_security;
4083 isec = SOCK_INODE(sock)->i_security;
4084 newisec->sclass = isec->sclass;
4085 newisec->sid = isec->sid;
4086 newisec->initialized = 1;
4091 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4094 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4097 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4098 int size, int flags)
4100 return sock_has_perm(current, sock->sk, SOCKET__READ);
4103 static int selinux_socket_getsockname(struct socket *sock)
4105 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4108 static int selinux_socket_getpeername(struct socket *sock)
4110 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4113 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4117 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4121 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4124 static int selinux_socket_getsockopt(struct socket *sock, int level,
4127 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4130 static int selinux_socket_shutdown(struct socket *sock, int how)
4132 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4135 static int selinux_socket_unix_stream_connect(struct sock *sock,
4139 struct sk_security_struct *sksec_sock = sock->sk_security;
4140 struct sk_security_struct *sksec_other = other->sk_security;
4141 struct sk_security_struct *sksec_new = newsk->sk_security;
4142 struct common_audit_data ad;
4143 struct lsm_network_audit net = {0,};
4146 ad.type = LSM_AUDIT_DATA_NET;
4148 ad.u.net->sk = other;
4150 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4151 sksec_other->sclass,
4152 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4156 /* server child socket */
4157 sksec_new->peer_sid = sksec_sock->sid;
4158 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4163 /* connecting socket */
4164 sksec_sock->peer_sid = sksec_new->sid;
4169 static int selinux_socket_unix_may_send(struct socket *sock,
4170 struct socket *other)
4172 struct sk_security_struct *ssec = sock->sk->sk_security;
4173 struct sk_security_struct *osec = other->sk->sk_security;
4174 struct common_audit_data ad;
4175 struct lsm_network_audit net = {0,};
4177 ad.type = LSM_AUDIT_DATA_NET;
4179 ad.u.net->sk = other->sk;
4181 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4185 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4187 struct common_audit_data *ad)
4193 err = sel_netif_sid(ifindex, &if_sid);
4196 err = avc_has_perm(peer_sid, if_sid,
4197 SECCLASS_NETIF, NETIF__INGRESS, ad);
4201 err = sel_netnode_sid(addrp, family, &node_sid);
4204 return avc_has_perm(peer_sid, node_sid,
4205 SECCLASS_NODE, NODE__RECVFROM, ad);
4208 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4212 struct sk_security_struct *sksec = sk->sk_security;
4213 u32 sk_sid = sksec->sid;
4214 struct common_audit_data ad;
4215 struct lsm_network_audit net = {0,};
4218 ad.type = LSM_AUDIT_DATA_NET;
4220 ad.u.net->netif = skb->skb_iif;
4221 ad.u.net->family = family;
4222 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4226 if (selinux_secmark_enabled()) {
4227 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4233 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4236 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4241 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4244 struct sk_security_struct *sksec = sk->sk_security;
4245 u16 family = sk->sk_family;
4246 u32 sk_sid = sksec->sid;
4247 struct common_audit_data ad;
4248 struct lsm_network_audit net = {0,};
4253 if (family != PF_INET && family != PF_INET6)
4256 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4257 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4260 /* If any sort of compatibility mode is enabled then handoff processing
4261 * to the selinux_sock_rcv_skb_compat() function to deal with the
4262 * special handling. We do this in an attempt to keep this function
4263 * as fast and as clean as possible. */
4264 if (!selinux_policycap_netpeer)
4265 return selinux_sock_rcv_skb_compat(sk, skb, family);
4267 secmark_active = selinux_secmark_enabled();
4268 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4269 if (!secmark_active && !peerlbl_active)
4272 ad.type = LSM_AUDIT_DATA_NET;
4274 ad.u.net->netif = skb->skb_iif;
4275 ad.u.net->family = family;
4276 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4280 if (peerlbl_active) {
4283 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4286 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4289 selinux_netlbl_err(skb, err, 0);
4292 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4295 selinux_netlbl_err(skb, err, 0);
4298 if (secmark_active) {
4299 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4308 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4309 int __user *optlen, unsigned len)
4314 struct sk_security_struct *sksec = sock->sk->sk_security;
4315 u32 peer_sid = SECSID_NULL;
4317 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4318 sksec->sclass == SECCLASS_TCP_SOCKET)
4319 peer_sid = sksec->peer_sid;
4320 if (peer_sid == SECSID_NULL)
4321 return -ENOPROTOOPT;
4323 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4327 if (scontext_len > len) {
4332 if (copy_to_user(optval, scontext, scontext_len))
4336 if (put_user(scontext_len, optlen))
4342 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4344 u32 peer_secid = SECSID_NULL;
4347 if (skb && skb->protocol == htons(ETH_P_IP))
4349 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4352 family = sock->sk->sk_family;
4356 if (sock && family == PF_UNIX)
4357 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4359 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4362 *secid = peer_secid;
4363 if (peer_secid == SECSID_NULL)
4368 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4370 struct sk_security_struct *sksec;
4372 sksec = kzalloc(sizeof(*sksec), priority);
4376 sksec->peer_sid = SECINITSID_UNLABELED;
4377 sksec->sid = SECINITSID_UNLABELED;
4378 selinux_netlbl_sk_security_reset(sksec);
4379 sk->sk_security = sksec;
4384 static void selinux_sk_free_security(struct sock *sk)
4386 struct sk_security_struct *sksec = sk->sk_security;
4388 sk->sk_security = NULL;
4389 selinux_netlbl_sk_security_free(sksec);
4393 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4395 struct sk_security_struct *sksec = sk->sk_security;
4396 struct sk_security_struct *newsksec = newsk->sk_security;
4398 newsksec->sid = sksec->sid;
4399 newsksec->peer_sid = sksec->peer_sid;
4400 newsksec->sclass = sksec->sclass;
4402 selinux_netlbl_sk_security_reset(newsksec);
4405 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4408 *secid = SECINITSID_ANY_SOCKET;
4410 struct sk_security_struct *sksec = sk->sk_security;
4412 *secid = sksec->sid;
4416 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4418 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4419 struct sk_security_struct *sksec = sk->sk_security;
4421 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4422 sk->sk_family == PF_UNIX)
4423 isec->sid = sksec->sid;
4424 sksec->sclass = isec->sclass;
4427 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4428 struct request_sock *req)
4430 struct sk_security_struct *sksec = sk->sk_security;
4432 u16 family = sk->sk_family;
4436 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4437 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4440 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4443 if (peersid == SECSID_NULL) {
4444 req->secid = sksec->sid;
4445 req->peer_secid = SECSID_NULL;
4447 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4450 req->secid = newsid;
4451 req->peer_secid = peersid;
4454 return selinux_netlbl_inet_conn_request(req, family);
4457 static void selinux_inet_csk_clone(struct sock *newsk,
4458 const struct request_sock *req)
4460 struct sk_security_struct *newsksec = newsk->sk_security;
4462 newsksec->sid = req->secid;
4463 newsksec->peer_sid = req->peer_secid;
4464 /* NOTE: Ideally, we should also get the isec->sid for the
4465 new socket in sync, but we don't have the isec available yet.
4466 So we will wait until sock_graft to do it, by which
4467 time it will have been created and available. */
4469 /* We don't need to take any sort of lock here as we are the only
4470 * thread with access to newsksec */
4471 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4474 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4476 u16 family = sk->sk_family;
4477 struct sk_security_struct *sksec = sk->sk_security;
4479 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4480 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4483 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4486 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4488 skb_set_owner_w(skb, sk);
4491 static int selinux_secmark_relabel_packet(u32 sid)
4493 const struct task_security_struct *__tsec;
4496 __tsec = current_security();
4499 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4502 static void selinux_secmark_refcount_inc(void)
4504 atomic_inc(&selinux_secmark_refcount);
4507 static void selinux_secmark_refcount_dec(void)
4509 atomic_dec(&selinux_secmark_refcount);
4512 static void selinux_req_classify_flow(const struct request_sock *req,
4515 fl->flowi_secid = req->secid;
4518 static int selinux_tun_dev_alloc_security(void **security)
4520 struct tun_security_struct *tunsec;
4522 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4525 tunsec->sid = current_sid();
4531 static void selinux_tun_dev_free_security(void *security)
4536 static int selinux_tun_dev_create(void)
4538 u32 sid = current_sid();
4540 /* we aren't taking into account the "sockcreate" SID since the socket
4541 * that is being created here is not a socket in the traditional sense,
4542 * instead it is a private sock, accessible only to the kernel, and
4543 * representing a wide range of network traffic spanning multiple
4544 * connections unlike traditional sockets - check the TUN driver to
4545 * get a better understanding of why this socket is special */
4547 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4551 static int selinux_tun_dev_attach_queue(void *security)
4553 struct tun_security_struct *tunsec = security;
4555 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4556 TUN_SOCKET__ATTACH_QUEUE, NULL);
4559 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4561 struct tun_security_struct *tunsec = security;
4562 struct sk_security_struct *sksec = sk->sk_security;
4564 /* we don't currently perform any NetLabel based labeling here and it
4565 * isn't clear that we would want to do so anyway; while we could apply
4566 * labeling without the support of the TUN user the resulting labeled
4567 * traffic from the other end of the connection would almost certainly
4568 * cause confusion to the TUN user that had no idea network labeling
4569 * protocols were being used */
4571 sksec->sid = tunsec->sid;
4572 sksec->sclass = SECCLASS_TUN_SOCKET;
4577 static int selinux_tun_dev_open(void *security)
4579 struct tun_security_struct *tunsec = security;
4580 u32 sid = current_sid();
4583 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4584 TUN_SOCKET__RELABELFROM, NULL);
4587 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4588 TUN_SOCKET__RELABELTO, NULL);
4596 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4600 struct nlmsghdr *nlh;
4601 struct sk_security_struct *sksec = sk->sk_security;
4603 if (skb->len < NLMSG_HDRLEN) {
4607 nlh = nlmsg_hdr(skb);
4609 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4611 if (err == -EINVAL) {
4612 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4613 "SELinux: unrecognized netlink message"
4614 " type=%hu for sclass=%hu\n",
4615 nlh->nlmsg_type, sksec->sclass);
4616 if (!selinux_enforcing || security_get_allow_unknown())
4626 err = sock_has_perm(current, sk, perm);
4631 #ifdef CONFIG_NETFILTER
4633 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4639 struct common_audit_data ad;
4640 struct lsm_network_audit net = {0,};
4645 if (!selinux_policycap_netpeer)
4648 secmark_active = selinux_secmark_enabled();
4649 netlbl_active = netlbl_enabled();
4650 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4651 if (!secmark_active && !peerlbl_active)
4654 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4657 ad.type = LSM_AUDIT_DATA_NET;
4659 ad.u.net->netif = ifindex;
4660 ad.u.net->family = family;
4661 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4664 if (peerlbl_active) {
4665 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4668 selinux_netlbl_err(skb, err, 1);
4674 if (avc_has_perm(peer_sid, skb->secmark,
4675 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4679 /* we do this in the FORWARD path and not the POST_ROUTING
4680 * path because we want to make sure we apply the necessary
4681 * labeling before IPsec is applied so we can leverage AH
4683 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4689 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4690 struct sk_buff *skb,
4691 const struct net_device *in,
4692 const struct net_device *out,
4693 int (*okfn)(struct sk_buff *))
4695 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4698 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4699 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4700 struct sk_buff *skb,
4701 const struct net_device *in,
4702 const struct net_device *out,
4703 int (*okfn)(struct sk_buff *))
4705 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4709 static unsigned int selinux_ip_output(struct sk_buff *skb,
4714 if (!netlbl_enabled())
4717 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4718 * because we want to make sure we apply the necessary labeling
4719 * before IPsec is applied so we can leverage AH protection */
4721 struct sk_security_struct *sksec = skb->sk->sk_security;
4724 sid = SECINITSID_KERNEL;
4725 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4731 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4732 struct sk_buff *skb,
4733 const struct net_device *in,
4734 const struct net_device *out,
4735 int (*okfn)(struct sk_buff *))
4737 return selinux_ip_output(skb, PF_INET);
4740 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4744 struct sock *sk = skb->sk;
4745 struct sk_security_struct *sksec;
4746 struct common_audit_data ad;
4747 struct lsm_network_audit net = {0,};
4753 sksec = sk->sk_security;
4755 ad.type = LSM_AUDIT_DATA_NET;
4757 ad.u.net->netif = ifindex;
4758 ad.u.net->family = family;
4759 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4762 if (selinux_secmark_enabled())
4763 if (avc_has_perm(sksec->sid, skb->secmark,
4764 SECCLASS_PACKET, PACKET__SEND, &ad))
4765 return NF_DROP_ERR(-ECONNREFUSED);
4767 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4768 return NF_DROP_ERR(-ECONNREFUSED);
4773 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4779 struct common_audit_data ad;
4780 struct lsm_network_audit net = {0,};
4785 /* If any sort of compatibility mode is enabled then handoff processing
4786 * to the selinux_ip_postroute_compat() function to deal with the
4787 * special handling. We do this in an attempt to keep this function
4788 * as fast and as clean as possible. */
4789 if (!selinux_policycap_netpeer)
4790 return selinux_ip_postroute_compat(skb, ifindex, family);
4792 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4793 * packet transformation so allow the packet to pass without any checks
4794 * since we'll have another chance to perform access control checks
4795 * when the packet is on it's final way out.
4796 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4797 * is NULL, in this case go ahead and apply access control. */
4798 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4801 secmark_active = selinux_secmark_enabled();
4802 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4803 if (!secmark_active && !peerlbl_active)
4806 /* if the packet is being forwarded then get the peer label from the
4807 * packet itself; otherwise check to see if it is from a local
4808 * application or the kernel, if from an application get the peer label
4809 * from the sending socket, otherwise use the kernel's sid */
4813 secmark_perm = PACKET__FORWARD_OUT;
4814 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4817 secmark_perm = PACKET__SEND;
4818 peer_sid = SECINITSID_KERNEL;
4821 struct sk_security_struct *sksec = sk->sk_security;
4822 peer_sid = sksec->sid;
4823 secmark_perm = PACKET__SEND;
4826 ad.type = LSM_AUDIT_DATA_NET;
4828 ad.u.net->netif = ifindex;
4829 ad.u.net->family = family;
4830 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4834 if (avc_has_perm(peer_sid, skb->secmark,
4835 SECCLASS_PACKET, secmark_perm, &ad))
4836 return NF_DROP_ERR(-ECONNREFUSED);
4838 if (peerlbl_active) {
4842 if (sel_netif_sid(ifindex, &if_sid))
4844 if (avc_has_perm(peer_sid, if_sid,
4845 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4846 return NF_DROP_ERR(-ECONNREFUSED);
4848 if (sel_netnode_sid(addrp, family, &node_sid))
4850 if (avc_has_perm(peer_sid, node_sid,
4851 SECCLASS_NODE, NODE__SENDTO, &ad))
4852 return NF_DROP_ERR(-ECONNREFUSED);
4858 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4859 struct sk_buff *skb,
4860 const struct net_device *in,
4861 const struct net_device *out,
4862 int (*okfn)(struct sk_buff *))
4864 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4867 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4868 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4869 struct sk_buff *skb,
4870 const struct net_device *in,
4871 const struct net_device *out,
4872 int (*okfn)(struct sk_buff *))
4874 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4878 #endif /* CONFIG_NETFILTER */
4880 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4884 err = cap_netlink_send(sk, skb);
4888 return selinux_nlmsg_perm(sk, skb);
4891 static int ipc_alloc_security(struct task_struct *task,
4892 struct kern_ipc_perm *perm,
4895 struct ipc_security_struct *isec;
4898 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4902 sid = task_sid(task);
4903 isec->sclass = sclass;
4905 perm->security = isec;
4910 static void ipc_free_security(struct kern_ipc_perm *perm)
4912 struct ipc_security_struct *isec = perm->security;
4913 perm->security = NULL;
4917 static int msg_msg_alloc_security(struct msg_msg *msg)
4919 struct msg_security_struct *msec;
4921 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4925 msec->sid = SECINITSID_UNLABELED;
4926 msg->security = msec;
4931 static void msg_msg_free_security(struct msg_msg *msg)
4933 struct msg_security_struct *msec = msg->security;
4935 msg->security = NULL;
4939 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4942 struct ipc_security_struct *isec;
4943 struct common_audit_data ad;
4944 u32 sid = current_sid();
4946 isec = ipc_perms->security;
4948 ad.type = LSM_AUDIT_DATA_IPC;
4949 ad.u.ipc_id = ipc_perms->key;
4951 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4954 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4956 return msg_msg_alloc_security(msg);
4959 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4961 msg_msg_free_security(msg);
4964 /* message queue security operations */
4965 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4967 struct ipc_security_struct *isec;
4968 struct common_audit_data ad;
4969 u32 sid = current_sid();
4972 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4976 isec = msq->q_perm.security;
4978 ad.type = LSM_AUDIT_DATA_IPC;
4979 ad.u.ipc_id = msq->q_perm.key;
4981 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4984 ipc_free_security(&msq->q_perm);
4990 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4992 ipc_free_security(&msq->q_perm);
4995 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4997 struct ipc_security_struct *isec;
4998 struct common_audit_data ad;
4999 u32 sid = current_sid();
5001 isec = msq->q_perm.security;
5003 ad.type = LSM_AUDIT_DATA_IPC;
5004 ad.u.ipc_id = msq->q_perm.key;
5006 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5007 MSGQ__ASSOCIATE, &ad);
5010 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5018 /* No specific object, just general system-wide information. */
5019 return task_has_system(current, SYSTEM__IPC_INFO);
5022 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5025 perms = MSGQ__SETATTR;
5028 perms = MSGQ__DESTROY;
5034 err = ipc_has_perm(&msq->q_perm, perms);
5038 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5040 struct ipc_security_struct *isec;
5041 struct msg_security_struct *msec;
5042 struct common_audit_data ad;
5043 u32 sid = current_sid();
5046 isec = msq->q_perm.security;
5047 msec = msg->security;
5050 * First time through, need to assign label to the message
5052 if (msec->sid == SECINITSID_UNLABELED) {
5054 * Compute new sid based on current process and
5055 * message queue this message will be stored in
5057 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5063 ad.type = LSM_AUDIT_DATA_IPC;
5064 ad.u.ipc_id = msq->q_perm.key;
5066 /* Can this process write to the queue? */
5067 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5070 /* Can this process send the message */
5071 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5074 /* Can the message be put in the queue? */
5075 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5076 MSGQ__ENQUEUE, &ad);
5081 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5082 struct task_struct *target,
5083 long type, int mode)
5085 struct ipc_security_struct *isec;
5086 struct msg_security_struct *msec;
5087 struct common_audit_data ad;
5088 u32 sid = task_sid(target);
5091 isec = msq->q_perm.security;
5092 msec = msg->security;
5094 ad.type = LSM_AUDIT_DATA_IPC;
5095 ad.u.ipc_id = msq->q_perm.key;
5097 rc = avc_has_perm(sid, isec->sid,
5098 SECCLASS_MSGQ, MSGQ__READ, &ad);
5100 rc = avc_has_perm(sid, msec->sid,
5101 SECCLASS_MSG, MSG__RECEIVE, &ad);
5105 /* Shared Memory security operations */
5106 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5108 struct ipc_security_struct *isec;
5109 struct common_audit_data ad;
5110 u32 sid = current_sid();
5113 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5117 isec = shp->shm_perm.security;
5119 ad.type = LSM_AUDIT_DATA_IPC;
5120 ad.u.ipc_id = shp->shm_perm.key;
5122 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5125 ipc_free_security(&shp->shm_perm);
5131 static void selinux_shm_free_security(struct shmid_kernel *shp)
5133 ipc_free_security(&shp->shm_perm);
5136 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5138 struct ipc_security_struct *isec;
5139 struct common_audit_data ad;
5140 u32 sid = current_sid();
5142 isec = shp->shm_perm.security;
5144 ad.type = LSM_AUDIT_DATA_IPC;
5145 ad.u.ipc_id = shp->shm_perm.key;
5147 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5148 SHM__ASSOCIATE, &ad);
5151 /* Note, at this point, shp is locked down */
5152 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5160 /* No specific object, just general system-wide information. */
5161 return task_has_system(current, SYSTEM__IPC_INFO);
5164 perms = SHM__GETATTR | SHM__ASSOCIATE;
5167 perms = SHM__SETATTR;
5174 perms = SHM__DESTROY;
5180 err = ipc_has_perm(&shp->shm_perm, perms);
5184 static int selinux_shm_shmat(struct shmid_kernel *shp,
5185 char __user *shmaddr, int shmflg)
5189 if (shmflg & SHM_RDONLY)
5192 perms = SHM__READ | SHM__WRITE;
5194 return ipc_has_perm(&shp->shm_perm, perms);
5197 /* Semaphore security operations */
5198 static int selinux_sem_alloc_security(struct sem_array *sma)
5200 struct ipc_security_struct *isec;
5201 struct common_audit_data ad;
5202 u32 sid = current_sid();
5205 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5209 isec = sma->sem_perm.security;
5211 ad.type = LSM_AUDIT_DATA_IPC;
5212 ad.u.ipc_id = sma->sem_perm.key;
5214 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5217 ipc_free_security(&sma->sem_perm);
5223 static void selinux_sem_free_security(struct sem_array *sma)
5225 ipc_free_security(&sma->sem_perm);
5228 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5230 struct ipc_security_struct *isec;
5231 struct common_audit_data ad;
5232 u32 sid = current_sid();
5234 isec = sma->sem_perm.security;
5236 ad.type = LSM_AUDIT_DATA_IPC;
5237 ad.u.ipc_id = sma->sem_perm.key;
5239 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5240 SEM__ASSOCIATE, &ad);
5243 /* Note, at this point, sma is locked down */
5244 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5252 /* No specific object, just general system-wide information. */
5253 return task_has_system(current, SYSTEM__IPC_INFO);
5257 perms = SEM__GETATTR;
5268 perms = SEM__DESTROY;
5271 perms = SEM__SETATTR;
5275 perms = SEM__GETATTR | SEM__ASSOCIATE;
5281 err = ipc_has_perm(&sma->sem_perm, perms);
5285 static int selinux_sem_semop(struct sem_array *sma,
5286 struct sembuf *sops, unsigned nsops, int alter)
5291 perms = SEM__READ | SEM__WRITE;
5295 return ipc_has_perm(&sma->sem_perm, perms);
5298 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5304 av |= IPC__UNIX_READ;
5306 av |= IPC__UNIX_WRITE;
5311 return ipc_has_perm(ipcp, av);
5314 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5316 struct ipc_security_struct *isec = ipcp->security;
5320 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5323 inode_doinit_with_dentry(inode, dentry);
5326 static int selinux_getprocattr(struct task_struct *p,
5327 char *name, char **value)
5329 const struct task_security_struct *__tsec;
5335 error = current_has_perm(p, PROCESS__GETATTR);
5341 __tsec = __task_cred(p)->security;
5343 if (!strcmp(name, "current"))
5345 else if (!strcmp(name, "prev"))
5347 else if (!strcmp(name, "exec"))
5348 sid = __tsec->exec_sid;
5349 else if (!strcmp(name, "fscreate"))
5350 sid = __tsec->create_sid;
5351 else if (!strcmp(name, "keycreate"))
5352 sid = __tsec->keycreate_sid;
5353 else if (!strcmp(name, "sockcreate"))
5354 sid = __tsec->sockcreate_sid;
5362 error = security_sid_to_context(sid, value, &len);
5372 static int selinux_setprocattr(struct task_struct *p,
5373 char *name, void *value, size_t size)
5375 struct task_security_struct *tsec;
5376 struct task_struct *tracer;
5383 /* SELinux only allows a process to change its own
5384 security attributes. */
5389 * Basic control over ability to set these attributes at all.
5390 * current == p, but we'll pass them separately in case the
5391 * above restriction is ever removed.
5393 if (!strcmp(name, "exec"))
5394 error = current_has_perm(p, PROCESS__SETEXEC);
5395 else if (!strcmp(name, "fscreate"))
5396 error = current_has_perm(p, PROCESS__SETFSCREATE);
5397 else if (!strcmp(name, "keycreate"))
5398 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5399 else if (!strcmp(name, "sockcreate"))
5400 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5401 else if (!strcmp(name, "current"))
5402 error = current_has_perm(p, PROCESS__SETCURRENT);
5408 /* Obtain a SID for the context, if one was specified. */
5409 if (size && str[1] && str[1] != '\n') {
5410 if (str[size-1] == '\n') {
5414 error = security_context_to_sid(value, size, &sid);
5415 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5416 if (!capable(CAP_MAC_ADMIN)) {
5417 struct audit_buffer *ab;
5420 /* We strip a nul only if it is at the end, otherwise the
5421 * context contains a nul and we should audit that */
5422 if (str[size - 1] == '\0')
5423 audit_size = size - 1;
5426 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5427 audit_log_format(ab, "op=fscreate invalid_context=");
5428 audit_log_n_untrustedstring(ab, value, audit_size);
5433 error = security_context_to_sid_force(value, size,
5440 new = prepare_creds();
5444 /* Permission checking based on the specified context is
5445 performed during the actual operation (execve,
5446 open/mkdir/...), when we know the full context of the
5447 operation. See selinux_bprm_set_creds for the execve
5448 checks and may_create for the file creation checks. The
5449 operation will then fail if the context is not permitted. */
5450 tsec = new->security;
5451 if (!strcmp(name, "exec")) {
5452 tsec->exec_sid = sid;
5453 } else if (!strcmp(name, "fscreate")) {
5454 tsec->create_sid = sid;
5455 } else if (!strcmp(name, "keycreate")) {
5456 error = may_create_key(sid, p);
5459 tsec->keycreate_sid = sid;
5460 } else if (!strcmp(name, "sockcreate")) {
5461 tsec->sockcreate_sid = sid;
5462 } else if (!strcmp(name, "current")) {
5467 /* Only allow single threaded processes to change context */
5469 if (!current_is_single_threaded()) {
5470 error = security_bounded_transition(tsec->sid, sid);
5475 /* Check permissions for the transition. */
5476 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5477 PROCESS__DYNTRANSITION, NULL);
5481 /* Check for ptracing, and update the task SID if ok.
5482 Otherwise, leave SID unchanged and fail. */
5485 tracer = ptrace_parent(p);
5487 ptsid = task_sid(tracer);
5491 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5492 PROCESS__PTRACE, NULL);
5511 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5513 return security_sid_to_context(secid, secdata, seclen);
5516 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5518 return security_context_to_sid(secdata, seclen, secid);
5521 static void selinux_release_secctx(char *secdata, u32 seclen)
5527 * called with inode->i_mutex locked
5529 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5531 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5535 * called with inode->i_mutex locked
5537 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5539 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5542 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5545 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5554 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5555 unsigned long flags)
5557 const struct task_security_struct *tsec;
5558 struct key_security_struct *ksec;
5560 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5564 tsec = cred->security;
5565 if (tsec->keycreate_sid)
5566 ksec->sid = tsec->keycreate_sid;
5568 ksec->sid = tsec->sid;
5574 static void selinux_key_free(struct key *k)
5576 struct key_security_struct *ksec = k->security;
5582 static int selinux_key_permission(key_ref_t key_ref,
5583 const struct cred *cred,
5587 struct key_security_struct *ksec;
5590 /* if no specific permissions are requested, we skip the
5591 permission check. No serious, additional covert channels
5592 appear to be created. */
5596 sid = cred_sid(cred);
5598 key = key_ref_to_ptr(key_ref);
5599 ksec = key->security;
5601 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5604 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5606 struct key_security_struct *ksec = key->security;
5607 char *context = NULL;
5611 rc = security_sid_to_context(ksec->sid, &context, &len);
5620 static struct security_operations selinux_ops = {
5623 .binder_set_context_mgr = selinux_binder_set_context_mgr,
5624 .binder_transaction = selinux_binder_transaction,
5625 .binder_transfer_binder = selinux_binder_transfer_binder,
5626 .binder_transfer_file = selinux_binder_transfer_file,
5628 .ptrace_access_check = selinux_ptrace_access_check,
5629 .ptrace_traceme = selinux_ptrace_traceme,
5630 .capget = selinux_capget,
5631 .capset = selinux_capset,
5632 .capable = selinux_capable,
5633 .quotactl = selinux_quotactl,
5634 .quota_on = selinux_quota_on,
5635 .syslog = selinux_syslog,
5636 .vm_enough_memory = selinux_vm_enough_memory,
5638 .netlink_send = selinux_netlink_send,
5640 .bprm_set_creds = selinux_bprm_set_creds,
5641 .bprm_committing_creds = selinux_bprm_committing_creds,
5642 .bprm_committed_creds = selinux_bprm_committed_creds,
5643 .bprm_secureexec = selinux_bprm_secureexec,
5645 .sb_alloc_security = selinux_sb_alloc_security,
5646 .sb_free_security = selinux_sb_free_security,
5647 .sb_copy_data = selinux_sb_copy_data,
5648 .sb_remount = selinux_sb_remount,
5649 .sb_kern_mount = selinux_sb_kern_mount,
5650 .sb_show_options = selinux_sb_show_options,
5651 .sb_statfs = selinux_sb_statfs,
5652 .sb_mount = selinux_mount,
5653 .sb_umount = selinux_umount,
5654 .sb_set_mnt_opts = selinux_set_mnt_opts,
5655 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5656 .sb_parse_opts_str = selinux_parse_opts_str,
5659 .inode_alloc_security = selinux_inode_alloc_security,
5660 .inode_free_security = selinux_inode_free_security,
5661 .inode_init_security = selinux_inode_init_security,
5662 .inode_create = selinux_inode_create,
5663 .inode_link = selinux_inode_link,
5664 .inode_unlink = selinux_inode_unlink,
5665 .inode_symlink = selinux_inode_symlink,
5666 .inode_mkdir = selinux_inode_mkdir,
5667 .inode_rmdir = selinux_inode_rmdir,
5668 .inode_mknod = selinux_inode_mknod,
5669 .inode_rename = selinux_inode_rename,
5670 .inode_readlink = selinux_inode_readlink,
5671 .inode_follow_link = selinux_inode_follow_link,
5672 .inode_permission = selinux_inode_permission,
5673 .inode_setattr = selinux_inode_setattr,
5674 .inode_getattr = selinux_inode_getattr,
5675 .inode_setxattr = selinux_inode_setxattr,
5676 .inode_post_setxattr = selinux_inode_post_setxattr,
5677 .inode_getxattr = selinux_inode_getxattr,
5678 .inode_listxattr = selinux_inode_listxattr,
5679 .inode_removexattr = selinux_inode_removexattr,
5680 .inode_getsecurity = selinux_inode_getsecurity,
5681 .inode_setsecurity = selinux_inode_setsecurity,
5682 .inode_listsecurity = selinux_inode_listsecurity,
5683 .inode_getsecid = selinux_inode_getsecid,
5685 .file_permission = selinux_file_permission,
5686 .file_alloc_security = selinux_file_alloc_security,
5687 .file_free_security = selinux_file_free_security,
5688 .file_ioctl = selinux_file_ioctl,
5689 .mmap_file = selinux_mmap_file,
5690 .mmap_addr = selinux_mmap_addr,
5691 .file_mprotect = selinux_file_mprotect,
5692 .file_lock = selinux_file_lock,
5693 .file_fcntl = selinux_file_fcntl,
5694 .file_set_fowner = selinux_file_set_fowner,
5695 .file_send_sigiotask = selinux_file_send_sigiotask,
5696 .file_receive = selinux_file_receive,
5698 .file_open = selinux_file_open,
5700 .task_create = selinux_task_create,
5701 .cred_alloc_blank = selinux_cred_alloc_blank,
5702 .cred_free = selinux_cred_free,
5703 .cred_prepare = selinux_cred_prepare,
5704 .cred_transfer = selinux_cred_transfer,
5705 .kernel_act_as = selinux_kernel_act_as,
5706 .kernel_create_files_as = selinux_kernel_create_files_as,
5707 .kernel_module_request = selinux_kernel_module_request,
5708 .task_setpgid = selinux_task_setpgid,
5709 .task_getpgid = selinux_task_getpgid,
5710 .task_getsid = selinux_task_getsid,
5711 .task_getsecid = selinux_task_getsecid,
5712 .task_setnice = selinux_task_setnice,
5713 .task_setioprio = selinux_task_setioprio,
5714 .task_getioprio = selinux_task_getioprio,
5715 .task_setrlimit = selinux_task_setrlimit,
5716 .task_setscheduler = selinux_task_setscheduler,
5717 .task_getscheduler = selinux_task_getscheduler,
5718 .task_movememory = selinux_task_movememory,
5719 .task_kill = selinux_task_kill,
5720 .task_wait = selinux_task_wait,
5721 .task_to_inode = selinux_task_to_inode,
5723 .ipc_permission = selinux_ipc_permission,
5724 .ipc_getsecid = selinux_ipc_getsecid,
5726 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5727 .msg_msg_free_security = selinux_msg_msg_free_security,
5729 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5730 .msg_queue_free_security = selinux_msg_queue_free_security,
5731 .msg_queue_associate = selinux_msg_queue_associate,
5732 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5733 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5734 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5736 .shm_alloc_security = selinux_shm_alloc_security,
5737 .shm_free_security = selinux_shm_free_security,
5738 .shm_associate = selinux_shm_associate,
5739 .shm_shmctl = selinux_shm_shmctl,
5740 .shm_shmat = selinux_shm_shmat,
5742 .sem_alloc_security = selinux_sem_alloc_security,
5743 .sem_free_security = selinux_sem_free_security,
5744 .sem_associate = selinux_sem_associate,
5745 .sem_semctl = selinux_sem_semctl,
5746 .sem_semop = selinux_sem_semop,
5748 .d_instantiate = selinux_d_instantiate,
5750 .getprocattr = selinux_getprocattr,
5751 .setprocattr = selinux_setprocattr,
5753 .secid_to_secctx = selinux_secid_to_secctx,
5754 .secctx_to_secid = selinux_secctx_to_secid,
5755 .release_secctx = selinux_release_secctx,
5756 .inode_notifysecctx = selinux_inode_notifysecctx,
5757 .inode_setsecctx = selinux_inode_setsecctx,
5758 .inode_getsecctx = selinux_inode_getsecctx,
5760 .unix_stream_connect = selinux_socket_unix_stream_connect,
5761 .unix_may_send = selinux_socket_unix_may_send,
5763 .socket_create = selinux_socket_create,
5764 .socket_post_create = selinux_socket_post_create,
5765 .socket_bind = selinux_socket_bind,
5766 .socket_connect = selinux_socket_connect,
5767 .socket_listen = selinux_socket_listen,
5768 .socket_accept = selinux_socket_accept,
5769 .socket_sendmsg = selinux_socket_sendmsg,
5770 .socket_recvmsg = selinux_socket_recvmsg,
5771 .socket_getsockname = selinux_socket_getsockname,
5772 .socket_getpeername = selinux_socket_getpeername,
5773 .socket_getsockopt = selinux_socket_getsockopt,
5774 .socket_setsockopt = selinux_socket_setsockopt,
5775 .socket_shutdown = selinux_socket_shutdown,
5776 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5777 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5778 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5779 .sk_alloc_security = selinux_sk_alloc_security,
5780 .sk_free_security = selinux_sk_free_security,
5781 .sk_clone_security = selinux_sk_clone_security,
5782 .sk_getsecid = selinux_sk_getsecid,
5783 .sock_graft = selinux_sock_graft,
5784 .inet_conn_request = selinux_inet_conn_request,
5785 .inet_csk_clone = selinux_inet_csk_clone,
5786 .inet_conn_established = selinux_inet_conn_established,
5787 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5788 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5789 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5790 .req_classify_flow = selinux_req_classify_flow,
5791 .tun_dev_alloc_security = selinux_tun_dev_alloc_security,
5792 .tun_dev_free_security = selinux_tun_dev_free_security,
5793 .tun_dev_create = selinux_tun_dev_create,
5794 .tun_dev_attach_queue = selinux_tun_dev_attach_queue,
5795 .tun_dev_attach = selinux_tun_dev_attach,
5796 .tun_dev_open = selinux_tun_dev_open,
5797 .skb_owned_by = selinux_skb_owned_by,
5799 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5800 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5801 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5802 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5803 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5804 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5805 .xfrm_state_free_security = selinux_xfrm_state_free,
5806 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5807 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5808 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5809 .xfrm_decode_session = selinux_xfrm_decode_session,
5813 .key_alloc = selinux_key_alloc,
5814 .key_free = selinux_key_free,
5815 .key_permission = selinux_key_permission,
5816 .key_getsecurity = selinux_key_getsecurity,
5820 .audit_rule_init = selinux_audit_rule_init,
5821 .audit_rule_known = selinux_audit_rule_known,
5822 .audit_rule_match = selinux_audit_rule_match,
5823 .audit_rule_free = selinux_audit_rule_free,
5827 static __init int selinux_init(void)
5829 if (!security_module_enable(&selinux_ops)) {
5830 selinux_enabled = 0;
5834 if (!selinux_enabled) {
5835 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5839 printk(KERN_INFO "SELinux: Initializing.\n");
5841 /* Set the security state for the initial task. */
5842 cred_init_security();
5844 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5846 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5847 sizeof(struct inode_security_struct),
5848 0, SLAB_PANIC, NULL);
5851 if (register_security(&selinux_ops))
5852 panic("SELinux: Unable to register with kernel.\n");
5854 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
5855 panic("SELinux: Unable to register AVC netcache callback\n");
5857 if (selinux_enforcing)
5858 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5860 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5865 static void delayed_superblock_init(struct super_block *sb, void *unused)
5867 superblock_doinit(sb, NULL);
5870 void selinux_complete_init(void)
5872 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5874 /* Set up any superblocks initialized prior to the policy load. */
5875 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5876 iterate_supers(delayed_superblock_init, NULL);
5879 /* SELinux requires early initialization in order to label
5880 all processes and objects when they are created. */
5881 security_initcall(selinux_init);
5883 #if defined(CONFIG_NETFILTER)
5885 static struct nf_hook_ops selinux_ipv4_ops[] = {
5887 .hook = selinux_ipv4_postroute,
5888 .owner = THIS_MODULE,
5890 .hooknum = NF_INET_POST_ROUTING,
5891 .priority = NF_IP_PRI_SELINUX_LAST,
5894 .hook = selinux_ipv4_forward,
5895 .owner = THIS_MODULE,
5897 .hooknum = NF_INET_FORWARD,
5898 .priority = NF_IP_PRI_SELINUX_FIRST,
5901 .hook = selinux_ipv4_output,
5902 .owner = THIS_MODULE,
5904 .hooknum = NF_INET_LOCAL_OUT,
5905 .priority = NF_IP_PRI_SELINUX_FIRST,
5909 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5911 static struct nf_hook_ops selinux_ipv6_ops[] = {
5913 .hook = selinux_ipv6_postroute,
5914 .owner = THIS_MODULE,
5916 .hooknum = NF_INET_POST_ROUTING,
5917 .priority = NF_IP6_PRI_SELINUX_LAST,
5920 .hook = selinux_ipv6_forward,
5921 .owner = THIS_MODULE,
5923 .hooknum = NF_INET_FORWARD,
5924 .priority = NF_IP6_PRI_SELINUX_FIRST,
5930 static int __init selinux_nf_ip_init(void)
5934 if (!selinux_enabled)
5937 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5939 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5941 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5943 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5944 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5946 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5953 __initcall(selinux_nf_ip_init);
5955 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5956 static void selinux_nf_ip_exit(void)
5958 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5960 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5961 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5962 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5967 #else /* CONFIG_NETFILTER */
5969 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5970 #define selinux_nf_ip_exit()
5973 #endif /* CONFIG_NETFILTER */
5975 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5976 static int selinux_disabled;
5978 int selinux_disable(void)
5980 if (ss_initialized) {
5981 /* Not permitted after initial policy load. */
5985 if (selinux_disabled) {
5986 /* Only do this once. */
5990 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5992 selinux_disabled = 1;
5993 selinux_enabled = 0;
5995 reset_security_ops();
5997 /* Try to destroy the avc node cache */
6000 /* Unregister netfilter hooks. */
6001 selinux_nf_ip_exit();
6003 /* Unregister selinuxfs. */