2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
53 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
97 #define NUM_SEL_MNT_OPTS 5
99 extern struct security_operations *security_ops;
101 /* SECMARK reference count */
102 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
104 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105 int selinux_enforcing;
107 static int __init enforcing_setup(char *str)
109 unsigned long enforcing;
110 if (!strict_strtoul(str, 0, &enforcing))
111 selinux_enforcing = enforcing ? 1 : 0;
114 __setup("enforcing=", enforcing_setup);
117 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
120 static int __init selinux_enabled_setup(char *str)
122 unsigned long enabled;
123 if (!strict_strtoul(str, 0, &enabled))
124 selinux_enabled = enabled ? 1 : 0;
127 __setup("selinux=", selinux_enabled_setup);
129 int selinux_enabled = 1;
132 static struct kmem_cache *sel_inode_cache;
135 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
138 * This function checks the SECMARK reference counter to see if any SECMARK
139 * targets are currently configured, if the reference counter is greater than
140 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
141 * enabled, false (0) if SECMARK is disabled.
144 static int selinux_secmark_enabled(void)
146 return (atomic_read(&selinux_secmark_refcount) > 0);
149 static int selinux_netcache_avc_callback(u32 event)
151 if (event == AVC_CALLBACK_RESET) {
161 * initialise the security for the init task
163 static void cred_init_security(void)
165 struct cred *cred = (struct cred *) current->real_cred;
166 struct task_security_struct *tsec;
168 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
170 panic("SELinux: Failed to initialize initial task.\n");
172 tsec->osid = tsec->sid = SECINITSID_KERNEL;
173 cred->security = tsec;
177 * get the security ID of a set of credentials
179 static inline u32 cred_sid(const struct cred *cred)
181 const struct task_security_struct *tsec;
183 tsec = cred->security;
188 * get the objective security ID of a task
190 static inline u32 task_sid(const struct task_struct *task)
195 sid = cred_sid(__task_cred(task));
201 * get the subjective security ID of the current task
203 static inline u32 current_sid(void)
205 const struct task_security_struct *tsec = current_security();
210 /* Allocate and free functions for each kind of security blob. */
212 static int inode_alloc_security(struct inode *inode)
214 struct inode_security_struct *isec;
215 u32 sid = current_sid();
217 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
221 mutex_init(&isec->lock);
222 INIT_LIST_HEAD(&isec->list);
224 isec->sid = SECINITSID_UNLABELED;
225 isec->sclass = SECCLASS_FILE;
226 isec->task_sid = sid;
227 inode->i_security = isec;
232 static void inode_free_rcu(struct rcu_head *head)
234 struct inode_security_struct *isec;
236 isec = container_of(head, struct inode_security_struct, rcu);
237 kmem_cache_free(sel_inode_cache, isec);
240 static void inode_free_security(struct inode *inode)
242 struct inode_security_struct *isec = inode->i_security;
243 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
245 spin_lock(&sbsec->isec_lock);
246 if (!list_empty(&isec->list))
247 list_del_init(&isec->list);
248 spin_unlock(&sbsec->isec_lock);
251 * The inode may still be referenced in a path walk and
252 * a call to selinux_inode_permission() can be made
253 * after inode_free_security() is called. Ideally, the VFS
254 * wouldn't do this, but fixing that is a much harder
255 * job. For now, simply free the i_security via RCU, and
256 * leave the current inode->i_security pointer intact.
257 * The inode will be freed after the RCU grace period too.
259 call_rcu(&isec->rcu, inode_free_rcu);
262 static int file_alloc_security(struct file *file)
264 struct file_security_struct *fsec;
265 u32 sid = current_sid();
267 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
272 fsec->fown_sid = sid;
273 file->f_security = fsec;
278 static void file_free_security(struct file *file)
280 struct file_security_struct *fsec = file->f_security;
281 file->f_security = NULL;
285 static int superblock_alloc_security(struct super_block *sb)
287 struct superblock_security_struct *sbsec;
289 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
293 mutex_init(&sbsec->lock);
294 INIT_LIST_HEAD(&sbsec->isec_head);
295 spin_lock_init(&sbsec->isec_lock);
297 sbsec->sid = SECINITSID_UNLABELED;
298 sbsec->def_sid = SECINITSID_FILE;
299 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
300 sb->s_security = sbsec;
305 static void superblock_free_security(struct super_block *sb)
307 struct superblock_security_struct *sbsec = sb->s_security;
308 sb->s_security = NULL;
312 /* The file system's label must be initialized prior to use. */
314 static const char *labeling_behaviors[6] = {
316 "uses transition SIDs",
318 "uses genfs_contexts",
319 "not configured for labeling",
320 "uses mountpoint labeling",
323 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
325 static inline int inode_doinit(struct inode *inode)
327 return inode_doinit_with_dentry(inode, NULL);
336 Opt_labelsupport = 5,
339 static const match_table_t tokens = {
340 {Opt_context, CONTEXT_STR "%s"},
341 {Opt_fscontext, FSCONTEXT_STR "%s"},
342 {Opt_defcontext, DEFCONTEXT_STR "%s"},
343 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
344 {Opt_labelsupport, LABELSUPP_STR},
348 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
350 static int may_context_mount_sb_relabel(u32 sid,
351 struct superblock_security_struct *sbsec,
352 const struct cred *cred)
354 const struct task_security_struct *tsec = cred->security;
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
362 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__RELABELTO, NULL);
367 static int may_context_mount_inode_relabel(u32 sid,
368 struct superblock_security_struct *sbsec,
369 const struct cred *cred)
371 const struct task_security_struct *tsec = cred->security;
373 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
374 FILESYSTEM__RELABELFROM, NULL);
378 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
379 FILESYSTEM__ASSOCIATE, NULL);
383 static int sb_finish_set_opts(struct super_block *sb)
385 struct superblock_security_struct *sbsec = sb->s_security;
386 struct dentry *root = sb->s_root;
387 struct inode *root_inode = root->d_inode;
390 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
391 /* Make sure that the xattr handler exists and that no
392 error other than -ENODATA is returned by getxattr on
393 the root directory. -ENODATA is ok, as this may be
394 the first boot of the SELinux kernel before we have
395 assigned xattr values to the filesystem. */
396 if (!root_inode->i_op->getxattr) {
397 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
398 "xattr support\n", sb->s_id, sb->s_type->name);
402 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
403 if (rc < 0 && rc != -ENODATA) {
404 if (rc == -EOPNOTSUPP)
405 printk(KERN_WARNING "SELinux: (dev %s, type "
406 "%s) has no security xattr handler\n",
407 sb->s_id, sb->s_type->name);
409 printk(KERN_WARNING "SELinux: (dev %s, type "
410 "%s) getxattr errno %d\n", sb->s_id,
411 sb->s_type->name, -rc);
416 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
418 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
419 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
420 sb->s_id, sb->s_type->name);
422 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
423 sb->s_id, sb->s_type->name,
424 labeling_behaviors[sbsec->behavior-1]);
426 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
427 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
428 sbsec->behavior == SECURITY_FS_USE_NONE ||
429 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
430 sbsec->flags &= ~SE_SBLABELSUPP;
432 /* Special handling. Is genfs but also has in-core setxattr handler*/
433 if (!strcmp(sb->s_type->name, "sysfs") ||
434 !strcmp(sb->s_type->name, "pstore") ||
435 !strcmp(sb->s_type->name, "debugfs") ||
436 !strcmp(sb->s_type->name, "rootfs"))
437 sbsec->flags |= SE_SBLABELSUPP;
439 /* Initialize the root inode. */
440 rc = inode_doinit_with_dentry(root_inode, root);
442 /* Initialize any other inodes associated with the superblock, e.g.
443 inodes created prior to initial policy load or inodes created
444 during get_sb by a pseudo filesystem that directly
446 spin_lock(&sbsec->isec_lock);
448 if (!list_empty(&sbsec->isec_head)) {
449 struct inode_security_struct *isec =
450 list_entry(sbsec->isec_head.next,
451 struct inode_security_struct, list);
452 struct inode *inode = isec->inode;
453 spin_unlock(&sbsec->isec_lock);
454 inode = igrab(inode);
456 if (!IS_PRIVATE(inode))
460 spin_lock(&sbsec->isec_lock);
461 list_del_init(&isec->list);
464 spin_unlock(&sbsec->isec_lock);
470 * This function should allow an FS to ask what it's mount security
471 * options were so it can use those later for submounts, displaying
472 * mount options, or whatever.
474 static int selinux_get_mnt_opts(const struct super_block *sb,
475 struct security_mnt_opts *opts)
478 struct superblock_security_struct *sbsec = sb->s_security;
479 char *context = NULL;
483 security_init_mnt_opts(opts);
485 if (!(sbsec->flags & SE_SBINITIALIZED))
491 tmp = sbsec->flags & SE_MNTMASK;
492 /* count the number of mount options for this sb */
493 for (i = 0; i < 8; i++) {
495 opts->num_mnt_opts++;
498 /* Check if the Label support flag is set */
499 if (sbsec->flags & SE_SBLABELSUPP)
500 opts->num_mnt_opts++;
502 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
503 if (!opts->mnt_opts) {
508 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
509 if (!opts->mnt_opts_flags) {
515 if (sbsec->flags & FSCONTEXT_MNT) {
516 rc = security_sid_to_context(sbsec->sid, &context, &len);
519 opts->mnt_opts[i] = context;
520 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
522 if (sbsec->flags & CONTEXT_MNT) {
523 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
526 opts->mnt_opts[i] = context;
527 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
529 if (sbsec->flags & DEFCONTEXT_MNT) {
530 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
533 opts->mnt_opts[i] = context;
534 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
536 if (sbsec->flags & ROOTCONTEXT_MNT) {
537 struct inode *root = sbsec->sb->s_root->d_inode;
538 struct inode_security_struct *isec = root->i_security;
540 rc = security_sid_to_context(isec->sid, &context, &len);
543 opts->mnt_opts[i] = context;
544 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
546 if (sbsec->flags & SE_SBLABELSUPP) {
547 opts->mnt_opts[i] = NULL;
548 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
551 BUG_ON(i != opts->num_mnt_opts);
556 security_free_mnt_opts(opts);
560 static int bad_option(struct superblock_security_struct *sbsec, char flag,
561 u32 old_sid, u32 new_sid)
563 char mnt_flags = sbsec->flags & SE_MNTMASK;
565 /* check if the old mount command had the same options */
566 if (sbsec->flags & SE_SBINITIALIZED)
567 if (!(sbsec->flags & flag) ||
568 (old_sid != new_sid))
571 /* check if we were passed the same options twice,
572 * aka someone passed context=a,context=b
574 if (!(sbsec->flags & SE_SBINITIALIZED))
575 if (mnt_flags & flag)
581 * Allow filesystems with binary mount data to explicitly set mount point
582 * labeling information.
584 static int selinux_set_mnt_opts(struct super_block *sb,
585 struct security_mnt_opts *opts)
587 const struct cred *cred = current_cred();
589 struct superblock_security_struct *sbsec = sb->s_security;
590 const char *name = sb->s_type->name;
591 struct inode *inode = sbsec->sb->s_root->d_inode;
592 struct inode_security_struct *root_isec = inode->i_security;
593 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
594 u32 defcontext_sid = 0;
595 char **mount_options = opts->mnt_opts;
596 int *flags = opts->mnt_opts_flags;
597 int num_opts = opts->num_mnt_opts;
599 mutex_lock(&sbsec->lock);
601 if (!ss_initialized) {
603 /* Defer initialization until selinux_complete_init,
604 after the initial policy is loaded and the security
605 server is ready to handle calls. */
609 printk(KERN_WARNING "SELinux: Unable to set superblock options "
610 "before the security server is initialized\n");
615 * Binary mount data FS will come through this function twice. Once
616 * from an explicit call and once from the generic calls from the vfs.
617 * Since the generic VFS calls will not contain any security mount data
618 * we need to skip the double mount verification.
620 * This does open a hole in which we will not notice if the first
621 * mount using this sb set explict options and a second mount using
622 * this sb does not set any security options. (The first options
623 * will be used for both mounts)
625 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
630 * parse the mount options, check if they are valid sids.
631 * also check if someone is trying to mount the same sb more
632 * than once with different security options.
634 for (i = 0; i < num_opts; i++) {
637 if (flags[i] == SE_SBLABELSUPP)
639 rc = security_context_to_sid(mount_options[i],
640 strlen(mount_options[i]), &sid);
642 printk(KERN_WARNING "SELinux: security_context_to_sid"
643 "(%s) failed for (dev %s, type %s) errno=%d\n",
644 mount_options[i], sb->s_id, name, rc);
651 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
653 goto out_double_mount;
655 sbsec->flags |= FSCONTEXT_MNT;
660 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
662 goto out_double_mount;
664 sbsec->flags |= CONTEXT_MNT;
666 case ROOTCONTEXT_MNT:
667 rootcontext_sid = sid;
669 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
671 goto out_double_mount;
673 sbsec->flags |= ROOTCONTEXT_MNT;
677 defcontext_sid = sid;
679 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
681 goto out_double_mount;
683 sbsec->flags |= DEFCONTEXT_MNT;
692 if (sbsec->flags & SE_SBINITIALIZED) {
693 /* previously mounted with options, but not on this attempt? */
694 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
695 goto out_double_mount;
700 if (strcmp(sb->s_type->name, "proc") == 0)
701 sbsec->flags |= SE_SBPROC;
703 /* Determine the labeling behavior to use for this filesystem type. */
704 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
706 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
707 __func__, sb->s_type->name, rc);
711 /* sets the context of the superblock for the fs being mounted. */
713 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
717 sbsec->sid = fscontext_sid;
721 * Switch to using mount point labeling behavior.
722 * sets the label used on all file below the mountpoint, and will set
723 * the superblock context if not already set.
726 if (!fscontext_sid) {
727 rc = may_context_mount_sb_relabel(context_sid, sbsec,
731 sbsec->sid = context_sid;
733 rc = may_context_mount_inode_relabel(context_sid, sbsec,
738 if (!rootcontext_sid)
739 rootcontext_sid = context_sid;
741 sbsec->mntpoint_sid = context_sid;
742 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
745 if (rootcontext_sid) {
746 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
751 root_isec->sid = rootcontext_sid;
752 root_isec->initialized = 1;
755 if (defcontext_sid) {
756 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
758 printk(KERN_WARNING "SELinux: defcontext option is "
759 "invalid for this filesystem type\n");
763 if (defcontext_sid != sbsec->def_sid) {
764 rc = may_context_mount_inode_relabel(defcontext_sid,
770 sbsec->def_sid = defcontext_sid;
773 rc = sb_finish_set_opts(sb);
775 mutex_unlock(&sbsec->lock);
779 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
780 "security settings for (dev %s, type %s)\n", sb->s_id, name);
784 static int selinux_cmp_sb_context(const struct super_block *oldsb,
785 const struct super_block *newsb)
787 struct superblock_security_struct *old = oldsb->s_security;
788 struct superblock_security_struct *new = newsb->s_security;
789 char oldflags = old->flags & SE_MNTMASK;
790 char newflags = new->flags & SE_MNTMASK;
792 if (oldflags != newflags)
794 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
796 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
798 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
800 if (oldflags & ROOTCONTEXT_MNT) {
801 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
802 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
803 if (oldroot->sid != newroot->sid)
808 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
809 "different security settings for (dev %s, "
810 "type %s)\n", newsb->s_id, newsb->s_type->name);
814 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
815 struct super_block *newsb)
817 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
818 struct superblock_security_struct *newsbsec = newsb->s_security;
820 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
821 int set_context = (oldsbsec->flags & CONTEXT_MNT);
822 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
825 * if the parent was able to be mounted it clearly had no special lsm
826 * mount options. thus we can safely deal with this superblock later
831 /* how can we clone if the old one wasn't set up?? */
832 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
834 /* if fs is reusing a sb, make sure that the contexts match */
835 if (newsbsec->flags & SE_SBINITIALIZED)
836 return selinux_cmp_sb_context(oldsb, newsb);
838 mutex_lock(&newsbsec->lock);
840 newsbsec->flags = oldsbsec->flags;
842 newsbsec->sid = oldsbsec->sid;
843 newsbsec->def_sid = oldsbsec->def_sid;
844 newsbsec->behavior = oldsbsec->behavior;
847 u32 sid = oldsbsec->mntpoint_sid;
851 if (!set_rootcontext) {
852 struct inode *newinode = newsb->s_root->d_inode;
853 struct inode_security_struct *newisec = newinode->i_security;
856 newsbsec->mntpoint_sid = sid;
858 if (set_rootcontext) {
859 const struct inode *oldinode = oldsb->s_root->d_inode;
860 const struct inode_security_struct *oldisec = oldinode->i_security;
861 struct inode *newinode = newsb->s_root->d_inode;
862 struct inode_security_struct *newisec = newinode->i_security;
864 newisec->sid = oldisec->sid;
867 sb_finish_set_opts(newsb);
868 mutex_unlock(&newsbsec->lock);
872 static int selinux_parse_opts_str(char *options,
873 struct security_mnt_opts *opts)
876 char *context = NULL, *defcontext = NULL;
877 char *fscontext = NULL, *rootcontext = NULL;
878 int rc, num_mnt_opts = 0;
880 opts->num_mnt_opts = 0;
882 /* Standard string-based options. */
883 while ((p = strsep(&options, "|")) != NULL) {
885 substring_t args[MAX_OPT_ARGS];
890 token = match_token(p, tokens, args);
894 if (context || defcontext) {
896 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
899 context = match_strdup(&args[0]);
909 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
912 fscontext = match_strdup(&args[0]);
919 case Opt_rootcontext:
922 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
925 rootcontext = match_strdup(&args[0]);
933 if (context || defcontext) {
935 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
938 defcontext = match_strdup(&args[0]);
944 case Opt_labelsupport:
948 printk(KERN_WARNING "SELinux: unknown mount option\n");
955 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
959 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
960 if (!opts->mnt_opts_flags) {
961 kfree(opts->mnt_opts);
966 opts->mnt_opts[num_mnt_opts] = fscontext;
967 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
970 opts->mnt_opts[num_mnt_opts] = context;
971 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
974 opts->mnt_opts[num_mnt_opts] = rootcontext;
975 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
978 opts->mnt_opts[num_mnt_opts] = defcontext;
979 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
982 opts->num_mnt_opts = num_mnt_opts;
993 * string mount options parsing and call set the sbsec
995 static int superblock_doinit(struct super_block *sb, void *data)
998 char *options = data;
999 struct security_mnt_opts opts;
1001 security_init_mnt_opts(&opts);
1006 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1008 rc = selinux_parse_opts_str(options, &opts);
1013 rc = selinux_set_mnt_opts(sb, &opts);
1016 security_free_mnt_opts(&opts);
1020 static void selinux_write_opts(struct seq_file *m,
1021 struct security_mnt_opts *opts)
1026 for (i = 0; i < opts->num_mnt_opts; i++) {
1029 if (opts->mnt_opts[i])
1030 has_comma = strchr(opts->mnt_opts[i], ',');
1034 switch (opts->mnt_opts_flags[i]) {
1036 prefix = CONTEXT_STR;
1039 prefix = FSCONTEXT_STR;
1041 case ROOTCONTEXT_MNT:
1042 prefix = ROOTCONTEXT_STR;
1044 case DEFCONTEXT_MNT:
1045 prefix = DEFCONTEXT_STR;
1047 case SE_SBLABELSUPP:
1049 seq_puts(m, LABELSUPP_STR);
1055 /* we need a comma before each option */
1057 seq_puts(m, prefix);
1060 seq_puts(m, opts->mnt_opts[i]);
1066 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1068 struct security_mnt_opts opts;
1071 rc = selinux_get_mnt_opts(sb, &opts);
1073 /* before policy load we may get EINVAL, don't show anything */
1079 selinux_write_opts(m, &opts);
1081 security_free_mnt_opts(&opts);
1086 static inline u16 inode_mode_to_security_class(umode_t mode)
1088 switch (mode & S_IFMT) {
1090 return SECCLASS_SOCK_FILE;
1092 return SECCLASS_LNK_FILE;
1094 return SECCLASS_FILE;
1096 return SECCLASS_BLK_FILE;
1098 return SECCLASS_DIR;
1100 return SECCLASS_CHR_FILE;
1102 return SECCLASS_FIFO_FILE;
1106 return SECCLASS_FILE;
1109 static inline int default_protocol_stream(int protocol)
1111 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1114 static inline int default_protocol_dgram(int protocol)
1116 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1119 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1125 case SOCK_SEQPACKET:
1126 return SECCLASS_UNIX_STREAM_SOCKET;
1128 return SECCLASS_UNIX_DGRAM_SOCKET;
1135 if (default_protocol_stream(protocol))
1136 return SECCLASS_TCP_SOCKET;
1138 return SECCLASS_RAWIP_SOCKET;
1140 if (default_protocol_dgram(protocol))
1141 return SECCLASS_UDP_SOCKET;
1143 return SECCLASS_RAWIP_SOCKET;
1145 return SECCLASS_DCCP_SOCKET;
1147 return SECCLASS_RAWIP_SOCKET;
1153 return SECCLASS_NETLINK_ROUTE_SOCKET;
1154 case NETLINK_FIREWALL:
1155 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1156 case NETLINK_SOCK_DIAG:
1157 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1159 return SECCLASS_NETLINK_NFLOG_SOCKET;
1161 return SECCLASS_NETLINK_XFRM_SOCKET;
1162 case NETLINK_SELINUX:
1163 return SECCLASS_NETLINK_SELINUX_SOCKET;
1165 return SECCLASS_NETLINK_AUDIT_SOCKET;
1166 case NETLINK_IP6_FW:
1167 return SECCLASS_NETLINK_IP6FW_SOCKET;
1168 case NETLINK_DNRTMSG:
1169 return SECCLASS_NETLINK_DNRT_SOCKET;
1170 case NETLINK_KOBJECT_UEVENT:
1171 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1173 return SECCLASS_NETLINK_SOCKET;
1176 return SECCLASS_PACKET_SOCKET;
1178 return SECCLASS_KEY_SOCKET;
1180 return SECCLASS_APPLETALK_SOCKET;
1183 return SECCLASS_SOCKET;
1186 #ifdef CONFIG_PROC_FS
1187 static int selinux_proc_get_sid(struct dentry *dentry,
1192 char *buffer, *path;
1194 buffer = (char *)__get_free_page(GFP_KERNEL);
1198 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1202 /* each process gets a /proc/PID/ entry. Strip off the
1203 * PID part to get a valid selinux labeling.
1204 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1205 while (path[1] >= '0' && path[1] <= '9') {
1209 rc = security_genfs_sid("proc", path, tclass, sid);
1211 free_page((unsigned long)buffer);
1215 static int selinux_proc_get_sid(struct dentry *dentry,
1223 /* The inode's security attributes must be initialized before first use. */
1224 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1226 struct superblock_security_struct *sbsec = NULL;
1227 struct inode_security_struct *isec = inode->i_security;
1229 struct dentry *dentry;
1230 #define INITCONTEXTLEN 255
1231 char *context = NULL;
1235 if (isec->initialized)
1238 mutex_lock(&isec->lock);
1239 if (isec->initialized)
1242 sbsec = inode->i_sb->s_security;
1243 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1244 /* Defer initialization until selinux_complete_init,
1245 after the initial policy is loaded and the security
1246 server is ready to handle calls. */
1247 spin_lock(&sbsec->isec_lock);
1248 if (list_empty(&isec->list))
1249 list_add(&isec->list, &sbsec->isec_head);
1250 spin_unlock(&sbsec->isec_lock);
1254 switch (sbsec->behavior) {
1255 case SECURITY_FS_USE_XATTR:
1256 if (!inode->i_op->getxattr) {
1257 isec->sid = sbsec->def_sid;
1261 /* Need a dentry, since the xattr API requires one.
1262 Life would be simpler if we could just pass the inode. */
1264 /* Called from d_instantiate or d_splice_alias. */
1265 dentry = dget(opt_dentry);
1267 /* Called from selinux_complete_init, try to find a dentry. */
1268 dentry = d_find_alias(inode);
1272 * this is can be hit on boot when a file is accessed
1273 * before the policy is loaded. When we load policy we
1274 * may find inodes that have no dentry on the
1275 * sbsec->isec_head list. No reason to complain as these
1276 * will get fixed up the next time we go through
1277 * inode_doinit with a dentry, before these inodes could
1278 * be used again by userspace.
1283 len = INITCONTEXTLEN;
1284 context = kmalloc(len+1, GFP_NOFS);
1290 context[len] = '\0';
1291 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1293 if (rc == -ERANGE) {
1296 /* Need a larger buffer. Query for the right size. */
1297 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1304 context = kmalloc(len+1, GFP_NOFS);
1310 context[len] = '\0';
1311 rc = inode->i_op->getxattr(dentry,
1317 if (rc != -ENODATA) {
1318 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1319 "%d for dev=%s ino=%ld\n", __func__,
1320 -rc, inode->i_sb->s_id, inode->i_ino);
1324 /* Map ENODATA to the default file SID */
1325 sid = sbsec->def_sid;
1328 rc = security_context_to_sid_default(context, rc, &sid,
1332 char *dev = inode->i_sb->s_id;
1333 unsigned long ino = inode->i_ino;
1335 if (rc == -EINVAL) {
1336 if (printk_ratelimit())
1337 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1338 "context=%s. This indicates you may need to relabel the inode or the "
1339 "filesystem in question.\n", ino, dev, context);
1341 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1342 "returned %d for dev=%s ino=%ld\n",
1343 __func__, context, -rc, dev, ino);
1346 /* Leave with the unlabeled SID */
1354 case SECURITY_FS_USE_TASK:
1355 isec->sid = isec->task_sid;
1357 case SECURITY_FS_USE_TRANS:
1358 /* Default to the fs SID. */
1359 isec->sid = sbsec->sid;
1361 /* Try to obtain a transition SID. */
1362 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1363 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1364 isec->sclass, NULL, &sid);
1369 case SECURITY_FS_USE_MNTPOINT:
1370 isec->sid = sbsec->mntpoint_sid;
1373 /* Default to the fs superblock SID. */
1374 isec->sid = sbsec->sid;
1376 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1378 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1379 rc = selinux_proc_get_sid(opt_dentry,
1390 isec->initialized = 1;
1393 mutex_unlock(&isec->lock);
1395 if (isec->sclass == SECCLASS_FILE)
1396 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1400 /* Convert a Linux signal to an access vector. */
1401 static inline u32 signal_to_av(int sig)
1407 /* Commonly granted from child to parent. */
1408 perm = PROCESS__SIGCHLD;
1411 /* Cannot be caught or ignored */
1412 perm = PROCESS__SIGKILL;
1415 /* Cannot be caught or ignored */
1416 perm = PROCESS__SIGSTOP;
1419 /* All other signals. */
1420 perm = PROCESS__SIGNAL;
1428 * Check permission between a pair of credentials
1429 * fork check, ptrace check, etc.
1431 static int cred_has_perm(const struct cred *actor,
1432 const struct cred *target,
1435 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1437 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1441 * Check permission between a pair of tasks, e.g. signal checks,
1442 * fork check, ptrace check, etc.
1443 * tsk1 is the actor and tsk2 is the target
1444 * - this uses the default subjective creds of tsk1
1446 static int task_has_perm(const struct task_struct *tsk1,
1447 const struct task_struct *tsk2,
1450 const struct task_security_struct *__tsec1, *__tsec2;
1454 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1455 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1457 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1461 * Check permission between current and another task, e.g. signal checks,
1462 * fork check, ptrace check, etc.
1463 * current is the actor and tsk2 is the target
1464 * - this uses current's subjective creds
1466 static int current_has_perm(const struct task_struct *tsk,
1471 sid = current_sid();
1472 tsid = task_sid(tsk);
1473 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1476 #if CAP_LAST_CAP > 63
1477 #error Fix SELinux to handle capabilities > 63.
1480 /* Check whether a task is allowed to use a capability. */
1481 static int cred_has_capability(const struct cred *cred,
1484 struct common_audit_data ad;
1485 struct av_decision avd;
1487 u32 sid = cred_sid(cred);
1488 u32 av = CAP_TO_MASK(cap);
1491 ad.type = LSM_AUDIT_DATA_CAP;
1494 switch (CAP_TO_INDEX(cap)) {
1496 sclass = SECCLASS_CAPABILITY;
1499 sclass = SECCLASS_CAPABILITY2;
1503 "SELinux: out of range capability %d\n", cap);
1508 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1509 if (audit == SECURITY_CAP_AUDIT) {
1510 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1517 /* Check whether a task is allowed to use a system operation. */
1518 static int task_has_system(struct task_struct *tsk,
1521 u32 sid = task_sid(tsk);
1523 return avc_has_perm(sid, SECINITSID_KERNEL,
1524 SECCLASS_SYSTEM, perms, NULL);
1527 /* Check whether a task has a particular permission to an inode.
1528 The 'adp' parameter is optional and allows other audit
1529 data to be passed (e.g. the dentry). */
1530 static int inode_has_perm(const struct cred *cred,
1531 struct inode *inode,
1533 struct common_audit_data *adp,
1536 struct inode_security_struct *isec;
1539 validate_creds(cred);
1541 if (unlikely(IS_PRIVATE(inode)))
1544 sid = cred_sid(cred);
1545 isec = inode->i_security;
1547 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1550 /* Same as inode_has_perm, but pass explicit audit data containing
1551 the dentry to help the auditing code to more easily generate the
1552 pathname if needed. */
1553 static inline int dentry_has_perm(const struct cred *cred,
1554 struct dentry *dentry,
1557 struct inode *inode = dentry->d_inode;
1558 struct common_audit_data ad;
1560 ad.type = LSM_AUDIT_DATA_DENTRY;
1561 ad.u.dentry = dentry;
1562 return inode_has_perm(cred, inode, av, &ad, 0);
1565 /* Same as inode_has_perm, but pass explicit audit data containing
1566 the path to help the auditing code to more easily generate the
1567 pathname if needed. */
1568 static inline int path_has_perm(const struct cred *cred,
1572 struct inode *inode = path->dentry->d_inode;
1573 struct common_audit_data ad;
1575 ad.type = LSM_AUDIT_DATA_PATH;
1577 return inode_has_perm(cred, inode, av, &ad, 0);
1580 /* Check whether a task can use an open file descriptor to
1581 access an inode in a given way. Check access to the
1582 descriptor itself, and then use dentry_has_perm to
1583 check a particular permission to the file.
1584 Access to the descriptor is implicitly granted if it
1585 has the same SID as the process. If av is zero, then
1586 access to the file is not checked, e.g. for cases
1587 where only the descriptor is affected like seek. */
1588 static int file_has_perm(const struct cred *cred,
1592 struct file_security_struct *fsec = file->f_security;
1593 struct inode *inode = file_inode(file);
1594 struct common_audit_data ad;
1595 u32 sid = cred_sid(cred);
1598 ad.type = LSM_AUDIT_DATA_PATH;
1599 ad.u.path = file->f_path;
1601 if (sid != fsec->sid) {
1602 rc = avc_has_perm(sid, fsec->sid,
1610 /* av is zero if only checking access to the descriptor. */
1613 rc = inode_has_perm(cred, inode, av, &ad, 0);
1619 /* Check whether a task can create a file. */
1620 static int may_create(struct inode *dir,
1621 struct dentry *dentry,
1624 const struct task_security_struct *tsec = current_security();
1625 struct inode_security_struct *dsec;
1626 struct superblock_security_struct *sbsec;
1628 struct common_audit_data ad;
1631 dsec = dir->i_security;
1632 sbsec = dir->i_sb->s_security;
1635 newsid = tsec->create_sid;
1637 ad.type = LSM_AUDIT_DATA_DENTRY;
1638 ad.u.dentry = dentry;
1640 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1641 DIR__ADD_NAME | DIR__SEARCH,
1646 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1647 rc = security_transition_sid(sid, dsec->sid, tclass,
1648 &dentry->d_name, &newsid);
1653 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1657 return avc_has_perm(newsid, sbsec->sid,
1658 SECCLASS_FILESYSTEM,
1659 FILESYSTEM__ASSOCIATE, &ad);
1662 /* Check whether a task can create a key. */
1663 static int may_create_key(u32 ksid,
1664 struct task_struct *ctx)
1666 u32 sid = task_sid(ctx);
1668 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1672 #define MAY_UNLINK 1
1675 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1676 static int may_link(struct inode *dir,
1677 struct dentry *dentry,
1681 struct inode_security_struct *dsec, *isec;
1682 struct common_audit_data ad;
1683 u32 sid = current_sid();
1687 dsec = dir->i_security;
1688 isec = dentry->d_inode->i_security;
1690 ad.type = LSM_AUDIT_DATA_DENTRY;
1691 ad.u.dentry = dentry;
1694 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1695 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1710 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1715 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1719 static inline int may_rename(struct inode *old_dir,
1720 struct dentry *old_dentry,
1721 struct inode *new_dir,
1722 struct dentry *new_dentry)
1724 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1725 struct common_audit_data ad;
1726 u32 sid = current_sid();
1728 int old_is_dir, new_is_dir;
1731 old_dsec = old_dir->i_security;
1732 old_isec = old_dentry->d_inode->i_security;
1733 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1734 new_dsec = new_dir->i_security;
1736 ad.type = LSM_AUDIT_DATA_DENTRY;
1738 ad.u.dentry = old_dentry;
1739 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1740 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1743 rc = avc_has_perm(sid, old_isec->sid,
1744 old_isec->sclass, FILE__RENAME, &ad);
1747 if (old_is_dir && new_dir != old_dir) {
1748 rc = avc_has_perm(sid, old_isec->sid,
1749 old_isec->sclass, DIR__REPARENT, &ad);
1754 ad.u.dentry = new_dentry;
1755 av = DIR__ADD_NAME | DIR__SEARCH;
1756 if (new_dentry->d_inode)
1757 av |= DIR__REMOVE_NAME;
1758 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1761 if (new_dentry->d_inode) {
1762 new_isec = new_dentry->d_inode->i_security;
1763 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1764 rc = avc_has_perm(sid, new_isec->sid,
1766 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1774 /* Check whether a task can perform a filesystem operation. */
1775 static int superblock_has_perm(const struct cred *cred,
1776 struct super_block *sb,
1778 struct common_audit_data *ad)
1780 struct superblock_security_struct *sbsec;
1781 u32 sid = cred_sid(cred);
1783 sbsec = sb->s_security;
1784 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1787 /* Convert a Linux mode and permission mask to an access vector. */
1788 static inline u32 file_mask_to_av(int mode, int mask)
1792 if (!S_ISDIR(mode)) {
1793 if (mask & MAY_EXEC)
1794 av |= FILE__EXECUTE;
1795 if (mask & MAY_READ)
1798 if (mask & MAY_APPEND)
1800 else if (mask & MAY_WRITE)
1804 if (mask & MAY_EXEC)
1806 if (mask & MAY_WRITE)
1808 if (mask & MAY_READ)
1815 /* Convert a Linux file to an access vector. */
1816 static inline u32 file_to_av(struct file *file)
1820 if (file->f_mode & FMODE_READ)
1822 if (file->f_mode & FMODE_WRITE) {
1823 if (file->f_flags & O_APPEND)
1830 * Special file opened with flags 3 for ioctl-only use.
1839 * Convert a file to an access vector and include the correct open
1842 static inline u32 open_file_to_av(struct file *file)
1844 u32 av = file_to_av(file);
1846 if (selinux_policycap_openperm)
1852 /* Hook functions begin here. */
1854 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1856 u32 mysid = current_sid();
1857 u32 mgrsid = task_sid(mgr);
1859 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, BINDER__SET_CONTEXT_MGR, NULL);
1862 static int selinux_binder_transaction(struct task_struct *from, struct task_struct *to)
1864 u32 mysid = current_sid();
1865 u32 fromsid = task_sid(from);
1866 u32 tosid = task_sid(to);
1869 if (mysid != fromsid) {
1870 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, BINDER__IMPERSONATE, NULL);
1875 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, NULL);
1878 static int selinux_binder_transfer_binder(struct task_struct *from, struct task_struct *to)
1880 u32 fromsid = task_sid(from);
1881 u32 tosid = task_sid(to);
1882 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, NULL);
1885 static int selinux_binder_transfer_file(struct task_struct *from, struct task_struct *to, struct file *file)
1887 u32 sid = task_sid(to);
1888 struct file_security_struct *fsec = file->f_security;
1889 struct inode *inode = file->f_path.dentry->d_inode;
1890 struct inode_security_struct *isec = inode->i_security;
1891 struct common_audit_data ad;
1892 struct selinux_audit_data sad = {0,};
1895 ad.type = LSM_AUDIT_DATA_PATH;
1896 ad.u.path = file->f_path;
1897 ad.selinux_audit_data = &sad;
1899 if (sid != fsec->sid) {
1900 rc = avc_has_perm(sid, fsec->sid,
1908 if (unlikely(IS_PRIVATE(inode)))
1911 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
1915 static int selinux_ptrace_access_check(struct task_struct *child,
1920 rc = cap_ptrace_access_check(child, mode);
1924 if (mode & PTRACE_MODE_READ) {
1925 u32 sid = current_sid();
1926 u32 csid = task_sid(child);
1927 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1930 return current_has_perm(child, PROCESS__PTRACE);
1933 static int selinux_ptrace_traceme(struct task_struct *parent)
1937 rc = cap_ptrace_traceme(parent);
1941 return task_has_perm(parent, current, PROCESS__PTRACE);
1944 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1945 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1949 error = current_has_perm(target, PROCESS__GETCAP);
1953 return cap_capget(target, effective, inheritable, permitted);
1956 static int selinux_capset(struct cred *new, const struct cred *old,
1957 const kernel_cap_t *effective,
1958 const kernel_cap_t *inheritable,
1959 const kernel_cap_t *permitted)
1963 error = cap_capset(new, old,
1964 effective, inheritable, permitted);
1968 return cred_has_perm(old, new, PROCESS__SETCAP);
1972 * (This comment used to live with the selinux_task_setuid hook,
1973 * which was removed).
1975 * Since setuid only affects the current process, and since the SELinux
1976 * controls are not based on the Linux identity attributes, SELinux does not
1977 * need to control this operation. However, SELinux does control the use of
1978 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1981 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1986 rc = cap_capable(cred, ns, cap, audit);
1990 return cred_has_capability(cred, cap, audit);
1993 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1995 const struct cred *cred = current_cred();
2007 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2012 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2015 rc = 0; /* let the kernel handle invalid cmds */
2021 static int selinux_quota_on(struct dentry *dentry)
2023 const struct cred *cred = current_cred();
2025 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2028 static int selinux_syslog(int type)
2033 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2034 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2035 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2037 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2038 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2039 /* Set level of messages printed to console */
2040 case SYSLOG_ACTION_CONSOLE_LEVEL:
2041 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2043 case SYSLOG_ACTION_CLOSE: /* Close log */
2044 case SYSLOG_ACTION_OPEN: /* Open log */
2045 case SYSLOG_ACTION_READ: /* Read from log */
2046 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2047 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
2049 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2056 * Check that a process has enough memory to allocate a new virtual
2057 * mapping. 0 means there is enough memory for the allocation to
2058 * succeed and -ENOMEM implies there is not.
2060 * Do not audit the selinux permission check, as this is applied to all
2061 * processes that allocate mappings.
2063 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2065 int rc, cap_sys_admin = 0;
2067 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
2068 SECURITY_CAP_NOAUDIT);
2072 return __vm_enough_memory(mm, pages, cap_sys_admin);
2075 /* binprm security operations */
2077 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2079 const struct task_security_struct *old_tsec;
2080 struct task_security_struct *new_tsec;
2081 struct inode_security_struct *isec;
2082 struct common_audit_data ad;
2083 struct inode *inode = file_inode(bprm->file);
2086 rc = cap_bprm_set_creds(bprm);
2090 /* SELinux context only depends on initial program or script and not
2091 * the script interpreter */
2092 if (bprm->cred_prepared)
2095 old_tsec = current_security();
2096 new_tsec = bprm->cred->security;
2097 isec = inode->i_security;
2099 /* Default to the current task SID. */
2100 new_tsec->sid = old_tsec->sid;
2101 new_tsec->osid = old_tsec->sid;
2103 /* Reset fs, key, and sock SIDs on execve. */
2104 new_tsec->create_sid = 0;
2105 new_tsec->keycreate_sid = 0;
2106 new_tsec->sockcreate_sid = 0;
2108 if (old_tsec->exec_sid) {
2109 new_tsec->sid = old_tsec->exec_sid;
2110 /* Reset exec SID on execve. */
2111 new_tsec->exec_sid = 0;
2114 * Minimize confusion: if no_new_privs and a transition is
2115 * explicitly requested, then fail the exec.
2117 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2120 /* Check for a default transition on this program. */
2121 rc = security_transition_sid(old_tsec->sid, isec->sid,
2122 SECCLASS_PROCESS, NULL,
2128 ad.type = LSM_AUDIT_DATA_PATH;
2129 ad.u.path = bprm->file->f_path;
2131 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2132 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2133 new_tsec->sid = old_tsec->sid;
2135 if (new_tsec->sid == old_tsec->sid) {
2136 rc = avc_has_perm(old_tsec->sid, isec->sid,
2137 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2141 /* Check permissions for the transition. */
2142 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2143 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2147 rc = avc_has_perm(new_tsec->sid, isec->sid,
2148 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2152 /* Check for shared state */
2153 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2154 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2155 SECCLASS_PROCESS, PROCESS__SHARE,
2161 /* Make sure that anyone attempting to ptrace over a task that
2162 * changes its SID has the appropriate permit */
2164 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2165 struct task_struct *tracer;
2166 struct task_security_struct *sec;
2170 tracer = ptrace_parent(current);
2171 if (likely(tracer != NULL)) {
2172 sec = __task_cred(tracer)->security;
2178 rc = avc_has_perm(ptsid, new_tsec->sid,
2180 PROCESS__PTRACE, NULL);
2186 /* Clear any possibly unsafe personality bits on exec: */
2187 bprm->per_clear |= PER_CLEAR_ON_SETID;
2193 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2195 const struct task_security_struct *tsec = current_security();
2203 /* Enable secure mode for SIDs transitions unless
2204 the noatsecure permission is granted between
2205 the two SIDs, i.e. ahp returns 0. */
2206 atsecure = avc_has_perm(osid, sid,
2208 PROCESS__NOATSECURE, NULL);
2211 return (atsecure || cap_bprm_secureexec(bprm));
2214 static int match_file(const void *p, struct file *file, unsigned fd)
2216 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2219 /* Derived from fs/exec.c:flush_old_files. */
2220 static inline void flush_unauthorized_files(const struct cred *cred,
2221 struct files_struct *files)
2223 struct file *file, *devnull = NULL;
2224 struct tty_struct *tty;
2228 tty = get_current_tty();
2230 spin_lock(&tty_files_lock);
2231 if (!list_empty(&tty->tty_files)) {
2232 struct tty_file_private *file_priv;
2234 /* Revalidate access to controlling tty.
2235 Use path_has_perm on the tty path directly rather
2236 than using file_has_perm, as this particular open
2237 file may belong to another process and we are only
2238 interested in the inode-based check here. */
2239 file_priv = list_first_entry(&tty->tty_files,
2240 struct tty_file_private, list);
2241 file = file_priv->file;
2242 if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
2245 spin_unlock(&tty_files_lock);
2248 /* Reset controlling tty. */
2252 /* Revalidate access to inherited open files. */
2253 n = iterate_fd(files, 0, match_file, cred);
2254 if (!n) /* none found? */
2257 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2258 if (IS_ERR(devnull))
2260 /* replace all the matching ones with this */
2262 replace_fd(n - 1, devnull, 0);
2263 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2269 * Prepare a process for imminent new credential changes due to exec
2271 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2273 struct task_security_struct *new_tsec;
2274 struct rlimit *rlim, *initrlim;
2277 new_tsec = bprm->cred->security;
2278 if (new_tsec->sid == new_tsec->osid)
2281 /* Close files for which the new task SID is not authorized. */
2282 flush_unauthorized_files(bprm->cred, current->files);
2284 /* Always clear parent death signal on SID transitions. */
2285 current->pdeath_signal = 0;
2287 /* Check whether the new SID can inherit resource limits from the old
2288 * SID. If not, reset all soft limits to the lower of the current
2289 * task's hard limit and the init task's soft limit.
2291 * Note that the setting of hard limits (even to lower them) can be
2292 * controlled by the setrlimit check. The inclusion of the init task's
2293 * soft limit into the computation is to avoid resetting soft limits
2294 * higher than the default soft limit for cases where the default is
2295 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2297 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2298 PROCESS__RLIMITINH, NULL);
2300 /* protect against do_prlimit() */
2302 for (i = 0; i < RLIM_NLIMITS; i++) {
2303 rlim = current->signal->rlim + i;
2304 initrlim = init_task.signal->rlim + i;
2305 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2307 task_unlock(current);
2308 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2313 * Clean up the process immediately after the installation of new credentials
2316 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2318 const struct task_security_struct *tsec = current_security();
2319 struct itimerval itimer;
2329 /* Check whether the new SID can inherit signal state from the old SID.
2330 * If not, clear itimers to avoid subsequent signal generation and
2331 * flush and unblock signals.
2333 * This must occur _after_ the task SID has been updated so that any
2334 * kill done after the flush will be checked against the new SID.
2336 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2338 memset(&itimer, 0, sizeof itimer);
2339 for (i = 0; i < 3; i++)
2340 do_setitimer(i, &itimer, NULL);
2341 spin_lock_irq(¤t->sighand->siglock);
2342 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2343 __flush_signals(current);
2344 flush_signal_handlers(current, 1);
2345 sigemptyset(¤t->blocked);
2347 spin_unlock_irq(¤t->sighand->siglock);
2350 /* Wake up the parent if it is waiting so that it can recheck
2351 * wait permission to the new task SID. */
2352 read_lock(&tasklist_lock);
2353 __wake_up_parent(current, current->real_parent);
2354 read_unlock(&tasklist_lock);
2357 /* superblock security operations */
2359 static int selinux_sb_alloc_security(struct super_block *sb)
2361 return superblock_alloc_security(sb);
2364 static void selinux_sb_free_security(struct super_block *sb)
2366 superblock_free_security(sb);
2369 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2374 return !memcmp(prefix, option, plen);
2377 static inline int selinux_option(char *option, int len)
2379 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2380 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2381 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2382 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2383 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2386 static inline void take_option(char **to, char *from, int *first, int len)
2393 memcpy(*to, from, len);
2397 static inline void take_selinux_option(char **to, char *from, int *first,
2400 int current_size = 0;
2408 while (current_size < len) {
2418 static int selinux_sb_copy_data(char *orig, char *copy)
2420 int fnosec, fsec, rc = 0;
2421 char *in_save, *in_curr, *in_end;
2422 char *sec_curr, *nosec_save, *nosec;
2428 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2436 in_save = in_end = orig;
2440 open_quote = !open_quote;
2441 if ((*in_end == ',' && open_quote == 0) ||
2443 int len = in_end - in_curr;
2445 if (selinux_option(in_curr, len))
2446 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2448 take_option(&nosec, in_curr, &fnosec, len);
2450 in_curr = in_end + 1;
2452 } while (*in_end++);
2454 strcpy(in_save, nosec_save);
2455 free_page((unsigned long)nosec_save);
2460 static int selinux_sb_remount(struct super_block *sb, void *data)
2463 struct security_mnt_opts opts;
2464 char *secdata, **mount_options;
2465 struct superblock_security_struct *sbsec = sb->s_security;
2467 if (!(sbsec->flags & SE_SBINITIALIZED))
2473 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2476 security_init_mnt_opts(&opts);
2477 secdata = alloc_secdata();
2480 rc = selinux_sb_copy_data(data, secdata);
2482 goto out_free_secdata;
2484 rc = selinux_parse_opts_str(secdata, &opts);
2486 goto out_free_secdata;
2488 mount_options = opts.mnt_opts;
2489 flags = opts.mnt_opts_flags;
2491 for (i = 0; i < opts.num_mnt_opts; i++) {
2495 if (flags[i] == SE_SBLABELSUPP)
2497 len = strlen(mount_options[i]);
2498 rc = security_context_to_sid(mount_options[i], len, &sid);
2500 printk(KERN_WARNING "SELinux: security_context_to_sid"
2501 "(%s) failed for (dev %s, type %s) errno=%d\n",
2502 mount_options[i], sb->s_id, sb->s_type->name, rc);
2508 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2509 goto out_bad_option;
2512 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2513 goto out_bad_option;
2515 case ROOTCONTEXT_MNT: {
2516 struct inode_security_struct *root_isec;
2517 root_isec = sb->s_root->d_inode->i_security;
2519 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2520 goto out_bad_option;
2523 case DEFCONTEXT_MNT:
2524 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2525 goto out_bad_option;
2534 security_free_mnt_opts(&opts);
2536 free_secdata(secdata);
2539 printk(KERN_WARNING "SELinux: unable to change security options "
2540 "during remount (dev %s, type=%s)\n", sb->s_id,
2545 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2547 const struct cred *cred = current_cred();
2548 struct common_audit_data ad;
2551 rc = superblock_doinit(sb, data);
2555 /* Allow all mounts performed by the kernel */
2556 if (flags & MS_KERNMOUNT)
2559 ad.type = LSM_AUDIT_DATA_DENTRY;
2560 ad.u.dentry = sb->s_root;
2561 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2564 static int selinux_sb_statfs(struct dentry *dentry)
2566 const struct cred *cred = current_cred();
2567 struct common_audit_data ad;
2569 ad.type = LSM_AUDIT_DATA_DENTRY;
2570 ad.u.dentry = dentry->d_sb->s_root;
2571 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2574 static int selinux_mount(const char *dev_name,
2577 unsigned long flags,
2580 const struct cred *cred = current_cred();
2582 if (flags & MS_REMOUNT)
2583 return superblock_has_perm(cred, path->dentry->d_sb,
2584 FILESYSTEM__REMOUNT, NULL);
2586 return path_has_perm(cred, path, FILE__MOUNTON);
2589 static int selinux_umount(struct vfsmount *mnt, int flags)
2591 const struct cred *cred = current_cred();
2593 return superblock_has_perm(cred, mnt->mnt_sb,
2594 FILESYSTEM__UNMOUNT, NULL);
2597 /* inode security operations */
2599 static int selinux_inode_alloc_security(struct inode *inode)
2601 return inode_alloc_security(inode);
2604 static void selinux_inode_free_security(struct inode *inode)
2606 inode_free_security(inode);
2609 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2610 const struct qstr *qstr, char **name,
2611 void **value, size_t *len)
2613 const struct task_security_struct *tsec = current_security();
2614 struct inode_security_struct *dsec;
2615 struct superblock_security_struct *sbsec;
2616 u32 sid, newsid, clen;
2618 char *namep = NULL, *context;
2620 dsec = dir->i_security;
2621 sbsec = dir->i_sb->s_security;
2624 newsid = tsec->create_sid;
2626 if ((sbsec->flags & SE_SBINITIALIZED) &&
2627 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2628 newsid = sbsec->mntpoint_sid;
2629 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2630 rc = security_transition_sid(sid, dsec->sid,
2631 inode_mode_to_security_class(inode->i_mode),
2634 printk(KERN_WARNING "%s: "
2635 "security_transition_sid failed, rc=%d (dev=%s "
2638 -rc, inode->i_sb->s_id, inode->i_ino);
2643 /* Possibly defer initialization to selinux_complete_init. */
2644 if (sbsec->flags & SE_SBINITIALIZED) {
2645 struct inode_security_struct *isec = inode->i_security;
2646 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2648 isec->initialized = 1;
2651 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2655 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2662 rc = security_sid_to_context_force(newsid, &context, &clen);
2674 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2676 return may_create(dir, dentry, SECCLASS_FILE);
2679 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2681 return may_link(dir, old_dentry, MAY_LINK);
2684 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2686 return may_link(dir, dentry, MAY_UNLINK);
2689 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2691 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2694 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2696 return may_create(dir, dentry, SECCLASS_DIR);
2699 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2701 return may_link(dir, dentry, MAY_RMDIR);
2704 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2706 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2709 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2710 struct inode *new_inode, struct dentry *new_dentry)
2712 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2715 static int selinux_inode_readlink(struct dentry *dentry)
2717 const struct cred *cred = current_cred();
2719 return dentry_has_perm(cred, dentry, FILE__READ);
2722 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2724 const struct cred *cred = current_cred();
2726 return dentry_has_perm(cred, dentry, FILE__READ);
2729 static noinline int audit_inode_permission(struct inode *inode,
2730 u32 perms, u32 audited, u32 denied,
2734 struct common_audit_data ad;
2735 struct inode_security_struct *isec = inode->i_security;
2738 ad.type = LSM_AUDIT_DATA_INODE;
2741 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2742 audited, denied, result, &ad, flags);
2748 static int selinux_inode_permission(struct inode *inode, int mask)
2750 const struct cred *cred = current_cred();
2753 unsigned flags = mask & MAY_NOT_BLOCK;
2754 struct inode_security_struct *isec;
2756 struct av_decision avd;
2758 u32 audited, denied;
2760 from_access = mask & MAY_ACCESS;
2761 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2763 /* No permission to check. Existence test. */
2767 validate_creds(cred);
2769 if (unlikely(IS_PRIVATE(inode)))
2772 perms = file_mask_to_av(inode->i_mode, mask);
2774 sid = cred_sid(cred);
2775 isec = inode->i_security;
2777 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2778 audited = avc_audit_required(perms, &avd, rc,
2779 from_access ? FILE__AUDIT_ACCESS : 0,
2781 if (likely(!audited))
2784 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2790 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2792 const struct cred *cred = current_cred();
2793 unsigned int ia_valid = iattr->ia_valid;
2794 __u32 av = FILE__WRITE;
2796 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2797 if (ia_valid & ATTR_FORCE) {
2798 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2804 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2805 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2806 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2808 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2811 return dentry_has_perm(cred, dentry, av);
2814 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2816 const struct cred *cred = current_cred();
2819 path.dentry = dentry;
2822 return path_has_perm(cred, &path, FILE__GETATTR);
2825 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2827 const struct cred *cred = current_cred();
2829 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2830 sizeof XATTR_SECURITY_PREFIX - 1)) {
2831 if (!strcmp(name, XATTR_NAME_CAPS)) {
2832 if (!capable(CAP_SETFCAP))
2834 } else if (!capable(CAP_SYS_ADMIN)) {
2835 /* A different attribute in the security namespace.
2836 Restrict to administrator. */
2841 /* Not an attribute we recognize, so just check the
2842 ordinary setattr permission. */
2843 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2846 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2847 const void *value, size_t size, int flags)
2849 struct inode *inode = dentry->d_inode;
2850 struct inode_security_struct *isec = inode->i_security;
2851 struct superblock_security_struct *sbsec;
2852 struct common_audit_data ad;
2853 u32 newsid, sid = current_sid();
2856 if (strcmp(name, XATTR_NAME_SELINUX))
2857 return selinux_inode_setotherxattr(dentry, name);
2859 sbsec = inode->i_sb->s_security;
2860 if (!(sbsec->flags & SE_SBLABELSUPP))
2863 if (!inode_owner_or_capable(inode))
2866 ad.type = LSM_AUDIT_DATA_DENTRY;
2867 ad.u.dentry = dentry;
2869 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2870 FILE__RELABELFROM, &ad);
2874 rc = security_context_to_sid(value, size, &newsid);
2875 if (rc == -EINVAL) {
2876 if (!capable(CAP_MAC_ADMIN)) {
2877 struct audit_buffer *ab;
2881 /* We strip a nul only if it is at the end, otherwise the
2882 * context contains a nul and we should audit that */
2885 if (str[size - 1] == '\0')
2886 audit_size = size - 1;
2893 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2894 audit_log_format(ab, "op=setxattr invalid_context=");
2895 audit_log_n_untrustedstring(ab, value, audit_size);
2900 rc = security_context_to_sid_force(value, size, &newsid);
2905 rc = avc_has_perm(sid, newsid, isec->sclass,
2906 FILE__RELABELTO, &ad);
2910 rc = security_validate_transition(isec->sid, newsid, sid,
2915 return avc_has_perm(newsid,
2917 SECCLASS_FILESYSTEM,
2918 FILESYSTEM__ASSOCIATE,
2922 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2923 const void *value, size_t size,
2926 struct inode *inode = dentry->d_inode;
2927 struct inode_security_struct *isec = inode->i_security;
2931 if (strcmp(name, XATTR_NAME_SELINUX)) {
2932 /* Not an attribute we recognize, so nothing to do. */
2936 rc = security_context_to_sid_force(value, size, &newsid);
2938 printk(KERN_ERR "SELinux: unable to map context to SID"
2939 "for (%s, %lu), rc=%d\n",
2940 inode->i_sb->s_id, inode->i_ino, -rc);
2948 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2950 const struct cred *cred = current_cred();
2952 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2955 static int selinux_inode_listxattr(struct dentry *dentry)
2957 const struct cred *cred = current_cred();
2959 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2962 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2964 if (strcmp(name, XATTR_NAME_SELINUX))
2965 return selinux_inode_setotherxattr(dentry, name);
2967 /* No one is allowed to remove a SELinux security label.
2968 You can change the label, but all data must be labeled. */
2973 * Copy the inode security context value to the user.
2975 * Permission check is handled by selinux_inode_getxattr hook.
2977 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2981 char *context = NULL;
2982 struct inode_security_struct *isec = inode->i_security;
2984 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2988 * If the caller has CAP_MAC_ADMIN, then get the raw context
2989 * value even if it is not defined by current policy; otherwise,
2990 * use the in-core value under current policy.
2991 * Use the non-auditing forms of the permission checks since
2992 * getxattr may be called by unprivileged processes commonly
2993 * and lack of permission just means that we fall back to the
2994 * in-core context value, not a denial.
2996 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
2997 SECURITY_CAP_NOAUDIT);
2999 error = security_sid_to_context_force(isec->sid, &context,
3002 error = security_sid_to_context(isec->sid, &context, &size);
3015 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3016 const void *value, size_t size, int flags)
3018 struct inode_security_struct *isec = inode->i_security;
3022 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3025 if (!value || !size)
3028 rc = security_context_to_sid((void *)value, size, &newsid);
3033 isec->initialized = 1;
3037 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3039 const int len = sizeof(XATTR_NAME_SELINUX);
3040 if (buffer && len <= buffer_size)
3041 memcpy(buffer, XATTR_NAME_SELINUX, len);
3045 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3047 struct inode_security_struct *isec = inode->i_security;
3051 /* file security operations */
3053 static int selinux_revalidate_file_permission(struct file *file, int mask)
3055 const struct cred *cred = current_cred();
3056 struct inode *inode = file_inode(file);
3058 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3059 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3062 return file_has_perm(cred, file,
3063 file_mask_to_av(inode->i_mode, mask));
3066 static int selinux_file_permission(struct file *file, int mask)
3068 struct inode *inode = file_inode(file);
3069 struct file_security_struct *fsec = file->f_security;
3070 struct inode_security_struct *isec = inode->i_security;
3071 u32 sid = current_sid();
3074 /* No permission to check. Existence test. */
3077 if (sid == fsec->sid && fsec->isid == isec->sid &&
3078 fsec->pseqno == avc_policy_seqno())
3079 /* No change since file_open check. */
3082 return selinux_revalidate_file_permission(file, mask);
3085 static int selinux_file_alloc_security(struct file *file)
3087 return file_alloc_security(file);
3090 static void selinux_file_free_security(struct file *file)
3092 file_free_security(file);
3095 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3098 const struct cred *cred = current_cred();
3108 case FS_IOC_GETFLAGS:
3110 case FS_IOC_GETVERSION:
3111 error = file_has_perm(cred, file, FILE__GETATTR);
3114 case FS_IOC_SETFLAGS:
3116 case FS_IOC_SETVERSION:
3117 error = file_has_perm(cred, file, FILE__SETATTR);
3120 /* sys_ioctl() checks */
3124 error = file_has_perm(cred, file, 0);
3129 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3130 SECURITY_CAP_AUDIT);
3133 /* default case assumes that the command will go
3134 * to the file's ioctl() function.
3137 error = file_has_perm(cred, file, FILE__IOCTL);
3142 static int default_noexec;
3144 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3146 const struct cred *cred = current_cred();
3149 if (default_noexec &&
3150 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3152 * We are making executable an anonymous mapping or a
3153 * private file mapping that will also be writable.
3154 * This has an additional check.
3156 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3162 /* read access is always possible with a mapping */
3163 u32 av = FILE__READ;
3165 /* write access only matters if the mapping is shared */
3166 if (shared && (prot & PROT_WRITE))
3169 if (prot & PROT_EXEC)
3170 av |= FILE__EXECUTE;
3172 return file_has_perm(cred, file, av);
3179 static int selinux_mmap_addr(unsigned long addr)
3182 u32 sid = current_sid();
3185 * notice that we are intentionally putting the SELinux check before
3186 * the secondary cap_file_mmap check. This is such a likely attempt
3187 * at bad behaviour/exploit that we always want to get the AVC, even
3188 * if DAC would have also denied the operation.
3190 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3191 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3192 MEMPROTECT__MMAP_ZERO, NULL);
3197 /* do DAC check on address space usage */
3198 return cap_mmap_addr(addr);
3201 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3202 unsigned long prot, unsigned long flags)
3204 if (selinux_checkreqprot)
3207 return file_map_prot_check(file, prot,
3208 (flags & MAP_TYPE) == MAP_SHARED);
3211 static int selinux_file_mprotect(struct vm_area_struct *vma,
3212 unsigned long reqprot,
3215 const struct cred *cred = current_cred();
3217 if (selinux_checkreqprot)
3220 if (default_noexec &&
3221 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3223 if (vma->vm_start >= vma->vm_mm->start_brk &&
3224 vma->vm_end <= vma->vm_mm->brk) {
3225 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3226 } else if (!vma->vm_file &&
3227 vma->vm_start <= vma->vm_mm->start_stack &&
3228 vma->vm_end >= vma->vm_mm->start_stack) {
3229 rc = current_has_perm(current, PROCESS__EXECSTACK);
3230 } else if (vma->vm_file && vma->anon_vma) {
3232 * We are making executable a file mapping that has
3233 * had some COW done. Since pages might have been
3234 * written, check ability to execute the possibly
3235 * modified content. This typically should only
3236 * occur for text relocations.
3238 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3244 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3247 static int selinux_file_lock(struct file *file, unsigned int cmd)
3249 const struct cred *cred = current_cred();
3251 return file_has_perm(cred, file, FILE__LOCK);
3254 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3257 const struct cred *cred = current_cred();
3262 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3263 err = file_has_perm(cred, file, FILE__WRITE);
3272 case F_GETOWNER_UIDS:
3273 /* Just check FD__USE permission */
3274 err = file_has_perm(cred, file, 0);
3279 #if BITS_PER_LONG == 32
3284 err = file_has_perm(cred, file, FILE__LOCK);
3291 static int selinux_file_set_fowner(struct file *file)
3293 struct file_security_struct *fsec;
3295 fsec = file->f_security;
3296 fsec->fown_sid = current_sid();
3301 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3302 struct fown_struct *fown, int signum)
3305 u32 sid = task_sid(tsk);
3307 struct file_security_struct *fsec;
3309 /* struct fown_struct is never outside the context of a struct file */
3310 file = container_of(fown, struct file, f_owner);
3312 fsec = file->f_security;
3315 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3317 perm = signal_to_av(signum);
3319 return avc_has_perm(fsec->fown_sid, sid,
3320 SECCLASS_PROCESS, perm, NULL);
3323 static int selinux_file_receive(struct file *file)
3325 const struct cred *cred = current_cred();
3327 return file_has_perm(cred, file, file_to_av(file));
3330 static int selinux_file_open(struct file *file, const struct cred *cred)
3332 struct file_security_struct *fsec;
3333 struct inode_security_struct *isec;
3335 fsec = file->f_security;
3336 isec = file_inode(file)->i_security;
3338 * Save inode label and policy sequence number
3339 * at open-time so that selinux_file_permission
3340 * can determine whether revalidation is necessary.
3341 * Task label is already saved in the file security
3342 * struct as its SID.
3344 fsec->isid = isec->sid;
3345 fsec->pseqno = avc_policy_seqno();
3347 * Since the inode label or policy seqno may have changed
3348 * between the selinux_inode_permission check and the saving
3349 * of state above, recheck that access is still permitted.
3350 * Otherwise, access might never be revalidated against the
3351 * new inode label or new policy.
3352 * This check is not redundant - do not remove.
3354 return path_has_perm(cred, &file->f_path, open_file_to_av(file));
3357 /* task security operations */
3359 static int selinux_task_create(unsigned long clone_flags)
3361 return current_has_perm(current, PROCESS__FORK);
3365 * allocate the SELinux part of blank credentials
3367 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3369 struct task_security_struct *tsec;
3371 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3375 cred->security = tsec;
3380 * detach and free the LSM part of a set of credentials
3382 static void selinux_cred_free(struct cred *cred)
3384 struct task_security_struct *tsec = cred->security;
3387 * cred->security == NULL if security_cred_alloc_blank() or
3388 * security_prepare_creds() returned an error.
3390 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3391 cred->security = (void *) 0x7UL;
3396 * prepare a new set of credentials for modification
3398 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3401 const struct task_security_struct *old_tsec;
3402 struct task_security_struct *tsec;
3404 old_tsec = old->security;
3406 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3410 new->security = tsec;
3415 * transfer the SELinux data to a blank set of creds
3417 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3419 const struct task_security_struct *old_tsec = old->security;
3420 struct task_security_struct *tsec = new->security;
3426 * set the security data for a kernel service
3427 * - all the creation contexts are set to unlabelled
3429 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3431 struct task_security_struct *tsec = new->security;
3432 u32 sid = current_sid();
3435 ret = avc_has_perm(sid, secid,
3436 SECCLASS_KERNEL_SERVICE,
3437 KERNEL_SERVICE__USE_AS_OVERRIDE,
3441 tsec->create_sid = 0;
3442 tsec->keycreate_sid = 0;
3443 tsec->sockcreate_sid = 0;
3449 * set the file creation context in a security record to the same as the
3450 * objective context of the specified inode
3452 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3454 struct inode_security_struct *isec = inode->i_security;
3455 struct task_security_struct *tsec = new->security;
3456 u32 sid = current_sid();
3459 ret = avc_has_perm(sid, isec->sid,
3460 SECCLASS_KERNEL_SERVICE,
3461 KERNEL_SERVICE__CREATE_FILES_AS,
3465 tsec->create_sid = isec->sid;
3469 static int selinux_kernel_module_request(char *kmod_name)
3472 struct common_audit_data ad;
3474 sid = task_sid(current);
3476 ad.type = LSM_AUDIT_DATA_KMOD;
3477 ad.u.kmod_name = kmod_name;
3479 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3480 SYSTEM__MODULE_REQUEST, &ad);
3483 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3485 return current_has_perm(p, PROCESS__SETPGID);
3488 static int selinux_task_getpgid(struct task_struct *p)
3490 return current_has_perm(p, PROCESS__GETPGID);
3493 static int selinux_task_getsid(struct task_struct *p)
3495 return current_has_perm(p, PROCESS__GETSESSION);
3498 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3500 *secid = task_sid(p);
3503 static int selinux_task_setnice(struct task_struct *p, int nice)
3507 rc = cap_task_setnice(p, nice);
3511 return current_has_perm(p, PROCESS__SETSCHED);
3514 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3518 rc = cap_task_setioprio(p, ioprio);
3522 return current_has_perm(p, PROCESS__SETSCHED);
3525 static int selinux_task_getioprio(struct task_struct *p)
3527 return current_has_perm(p, PROCESS__GETSCHED);
3530 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3531 struct rlimit *new_rlim)
3533 struct rlimit *old_rlim = p->signal->rlim + resource;
3535 /* Control the ability to change the hard limit (whether
3536 lowering or raising it), so that the hard limit can
3537 later be used as a safe reset point for the soft limit
3538 upon context transitions. See selinux_bprm_committing_creds. */
3539 if (old_rlim->rlim_max != new_rlim->rlim_max)
3540 return current_has_perm(p, PROCESS__SETRLIMIT);
3545 static int selinux_task_setscheduler(struct task_struct *p)
3549 rc = cap_task_setscheduler(p);
3553 return current_has_perm(p, PROCESS__SETSCHED);
3556 static int selinux_task_getscheduler(struct task_struct *p)
3558 return current_has_perm(p, PROCESS__GETSCHED);
3561 static int selinux_task_movememory(struct task_struct *p)
3563 return current_has_perm(p, PROCESS__SETSCHED);
3566 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3573 perm = PROCESS__SIGNULL; /* null signal; existence test */
3575 perm = signal_to_av(sig);
3577 rc = avc_has_perm(secid, task_sid(p),
3578 SECCLASS_PROCESS, perm, NULL);
3580 rc = current_has_perm(p, perm);
3584 static int selinux_task_wait(struct task_struct *p)
3586 return task_has_perm(p, current, PROCESS__SIGCHLD);
3589 static void selinux_task_to_inode(struct task_struct *p,
3590 struct inode *inode)
3592 struct inode_security_struct *isec = inode->i_security;
3593 u32 sid = task_sid(p);
3596 isec->initialized = 1;
3599 /* Returns error only if unable to parse addresses */
3600 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3601 struct common_audit_data *ad, u8 *proto)
3603 int offset, ihlen, ret = -EINVAL;
3604 struct iphdr _iph, *ih;
3606 offset = skb_network_offset(skb);
3607 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3611 ihlen = ih->ihl * 4;
3612 if (ihlen < sizeof(_iph))
3615 ad->u.net->v4info.saddr = ih->saddr;
3616 ad->u.net->v4info.daddr = ih->daddr;
3620 *proto = ih->protocol;
3622 switch (ih->protocol) {
3624 struct tcphdr _tcph, *th;
3626 if (ntohs(ih->frag_off) & IP_OFFSET)
3630 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3634 ad->u.net->sport = th->source;
3635 ad->u.net->dport = th->dest;
3640 struct udphdr _udph, *uh;
3642 if (ntohs(ih->frag_off) & IP_OFFSET)
3646 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3650 ad->u.net->sport = uh->source;
3651 ad->u.net->dport = uh->dest;
3655 case IPPROTO_DCCP: {
3656 struct dccp_hdr _dccph, *dh;
3658 if (ntohs(ih->frag_off) & IP_OFFSET)
3662 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3666 ad->u.net->sport = dh->dccph_sport;
3667 ad->u.net->dport = dh->dccph_dport;
3678 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3680 /* Returns error only if unable to parse addresses */
3681 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3682 struct common_audit_data *ad, u8 *proto)
3685 int ret = -EINVAL, offset;
3686 struct ipv6hdr _ipv6h, *ip6;
3689 offset = skb_network_offset(skb);
3690 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3694 ad->u.net->v6info.saddr = ip6->saddr;
3695 ad->u.net->v6info.daddr = ip6->daddr;
3698 nexthdr = ip6->nexthdr;
3699 offset += sizeof(_ipv6h);
3700 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3709 struct tcphdr _tcph, *th;
3711 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3715 ad->u.net->sport = th->source;
3716 ad->u.net->dport = th->dest;
3721 struct udphdr _udph, *uh;
3723 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3727 ad->u.net->sport = uh->source;
3728 ad->u.net->dport = uh->dest;
3732 case IPPROTO_DCCP: {
3733 struct dccp_hdr _dccph, *dh;
3735 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3739 ad->u.net->sport = dh->dccph_sport;
3740 ad->u.net->dport = dh->dccph_dport;
3744 /* includes fragments */
3754 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3755 char **_addrp, int src, u8 *proto)
3760 switch (ad->u.net->family) {
3762 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3765 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3766 &ad->u.net->v4info.daddr);
3769 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3771 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3774 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3775 &ad->u.net->v6info.daddr);
3785 "SELinux: failure in selinux_parse_skb(),"
3786 " unable to parse packet\n");
3796 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3798 * @family: protocol family
3799 * @sid: the packet's peer label SID
3802 * Check the various different forms of network peer labeling and determine
3803 * the peer label/SID for the packet; most of the magic actually occurs in
3804 * the security server function security_net_peersid_cmp(). The function
3805 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3806 * or -EACCES if @sid is invalid due to inconsistencies with the different
3810 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3817 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3818 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3820 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3821 if (unlikely(err)) {
3823 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3824 " unable to determine packet's peer label\n");
3831 /* socket security operations */
3833 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3834 u16 secclass, u32 *socksid)
3836 if (tsec->sockcreate_sid > SECSID_NULL) {
3837 *socksid = tsec->sockcreate_sid;
3841 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3845 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3847 struct sk_security_struct *sksec = sk->sk_security;
3848 struct common_audit_data ad;
3849 struct lsm_network_audit net = {0,};
3850 u32 tsid = task_sid(task);
3852 if (sksec->sid == SECINITSID_KERNEL)
3855 ad.type = LSM_AUDIT_DATA_NET;
3859 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3862 static int selinux_socket_create(int family, int type,
3863 int protocol, int kern)
3865 const struct task_security_struct *tsec = current_security();
3873 secclass = socket_type_to_security_class(family, type, protocol);
3874 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3878 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3881 static int selinux_socket_post_create(struct socket *sock, int family,
3882 int type, int protocol, int kern)
3884 const struct task_security_struct *tsec = current_security();
3885 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3886 struct sk_security_struct *sksec;
3889 isec->sclass = socket_type_to_security_class(family, type, protocol);
3892 isec->sid = SECINITSID_KERNEL;
3894 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3899 isec->initialized = 1;
3902 sksec = sock->sk->sk_security;
3903 sksec->sid = isec->sid;
3904 sksec->sclass = isec->sclass;
3905 err = selinux_netlbl_socket_post_create(sock->sk, family);
3911 /* Range of port numbers used to automatically bind.
3912 Need to determine whether we should perform a name_bind
3913 permission check between the socket and the port number. */
3915 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3917 struct sock *sk = sock->sk;
3921 err = sock_has_perm(current, sk, SOCKET__BIND);
3926 * If PF_INET or PF_INET6, check name_bind permission for the port.
3927 * Multiple address binding for SCTP is not supported yet: we just
3928 * check the first address now.
3930 family = sk->sk_family;
3931 if (family == PF_INET || family == PF_INET6) {
3933 struct sk_security_struct *sksec = sk->sk_security;
3934 struct common_audit_data ad;
3935 struct lsm_network_audit net = {0,};
3936 struct sockaddr_in *addr4 = NULL;
3937 struct sockaddr_in6 *addr6 = NULL;
3938 unsigned short snum;
3941 if (family == PF_INET) {
3942 addr4 = (struct sockaddr_in *)address;
3943 snum = ntohs(addr4->sin_port);
3944 addrp = (char *)&addr4->sin_addr.s_addr;
3946 addr6 = (struct sockaddr_in6 *)address;
3947 snum = ntohs(addr6->sin6_port);
3948 addrp = (char *)&addr6->sin6_addr.s6_addr;
3954 inet_get_local_port_range(&low, &high);
3956 if (snum < max(PROT_SOCK, low) || snum > high) {
3957 err = sel_netport_sid(sk->sk_protocol,
3961 ad.type = LSM_AUDIT_DATA_NET;
3963 ad.u.net->sport = htons(snum);
3964 ad.u.net->family = family;
3965 err = avc_has_perm(sksec->sid, sid,
3967 SOCKET__NAME_BIND, &ad);
3973 switch (sksec->sclass) {
3974 case SECCLASS_TCP_SOCKET:
3975 node_perm = TCP_SOCKET__NODE_BIND;
3978 case SECCLASS_UDP_SOCKET:
3979 node_perm = UDP_SOCKET__NODE_BIND;
3982 case SECCLASS_DCCP_SOCKET:
3983 node_perm = DCCP_SOCKET__NODE_BIND;
3987 node_perm = RAWIP_SOCKET__NODE_BIND;
3991 err = sel_netnode_sid(addrp, family, &sid);
3995 ad.type = LSM_AUDIT_DATA_NET;
3997 ad.u.net->sport = htons(snum);
3998 ad.u.net->family = family;
4000 if (family == PF_INET)
4001 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4003 ad.u.net->v6info.saddr = addr6->sin6_addr;
4005 err = avc_has_perm(sksec->sid, sid,
4006 sksec->sclass, node_perm, &ad);
4014 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4016 struct sock *sk = sock->sk;
4017 struct sk_security_struct *sksec = sk->sk_security;
4020 err = sock_has_perm(current, sk, SOCKET__CONNECT);
4025 * If a TCP or DCCP socket, check name_connect permission for the port.
4027 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4028 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4029 struct common_audit_data ad;
4030 struct lsm_network_audit net = {0,};
4031 struct sockaddr_in *addr4 = NULL;
4032 struct sockaddr_in6 *addr6 = NULL;
4033 unsigned short snum;
4036 if (sk->sk_family == PF_INET) {
4037 addr4 = (struct sockaddr_in *)address;
4038 if (addrlen < sizeof(struct sockaddr_in))
4040 snum = ntohs(addr4->sin_port);
4042 addr6 = (struct sockaddr_in6 *)address;
4043 if (addrlen < SIN6_LEN_RFC2133)
4045 snum = ntohs(addr6->sin6_port);
4048 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4052 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4053 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4055 ad.type = LSM_AUDIT_DATA_NET;
4057 ad.u.net->dport = htons(snum);
4058 ad.u.net->family = sk->sk_family;
4059 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4064 err = selinux_netlbl_socket_connect(sk, address);
4070 static int selinux_socket_listen(struct socket *sock, int backlog)
4072 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4075 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4078 struct inode_security_struct *isec;
4079 struct inode_security_struct *newisec;
4081 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4085 newisec = SOCK_INODE(newsock)->i_security;
4087 isec = SOCK_INODE(sock)->i_security;
4088 newisec->sclass = isec->sclass;
4089 newisec->sid = isec->sid;
4090 newisec->initialized = 1;
4095 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4098 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4101 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4102 int size, int flags)
4104 return sock_has_perm(current, sock->sk, SOCKET__READ);
4107 static int selinux_socket_getsockname(struct socket *sock)
4109 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4112 static int selinux_socket_getpeername(struct socket *sock)
4114 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4117 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4121 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4125 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4128 static int selinux_socket_getsockopt(struct socket *sock, int level,
4131 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4134 static int selinux_socket_shutdown(struct socket *sock, int how)
4136 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4139 static int selinux_socket_unix_stream_connect(struct sock *sock,
4143 struct sk_security_struct *sksec_sock = sock->sk_security;
4144 struct sk_security_struct *sksec_other = other->sk_security;
4145 struct sk_security_struct *sksec_new = newsk->sk_security;
4146 struct common_audit_data ad;
4147 struct lsm_network_audit net = {0,};
4150 ad.type = LSM_AUDIT_DATA_NET;
4152 ad.u.net->sk = other;
4154 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4155 sksec_other->sclass,
4156 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4160 /* server child socket */
4161 sksec_new->peer_sid = sksec_sock->sid;
4162 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4167 /* connecting socket */
4168 sksec_sock->peer_sid = sksec_new->sid;
4173 static int selinux_socket_unix_may_send(struct socket *sock,
4174 struct socket *other)
4176 struct sk_security_struct *ssec = sock->sk->sk_security;
4177 struct sk_security_struct *osec = other->sk->sk_security;
4178 struct common_audit_data ad;
4179 struct lsm_network_audit net = {0,};
4181 ad.type = LSM_AUDIT_DATA_NET;
4183 ad.u.net->sk = other->sk;
4185 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4189 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4191 struct common_audit_data *ad)
4197 err = sel_netif_sid(ifindex, &if_sid);
4200 err = avc_has_perm(peer_sid, if_sid,
4201 SECCLASS_NETIF, NETIF__INGRESS, ad);
4205 err = sel_netnode_sid(addrp, family, &node_sid);
4208 return avc_has_perm(peer_sid, node_sid,
4209 SECCLASS_NODE, NODE__RECVFROM, ad);
4212 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4216 struct sk_security_struct *sksec = sk->sk_security;
4217 u32 sk_sid = sksec->sid;
4218 struct common_audit_data ad;
4219 struct lsm_network_audit net = {0,};
4222 ad.type = LSM_AUDIT_DATA_NET;
4224 ad.u.net->netif = skb->skb_iif;
4225 ad.u.net->family = family;
4226 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4230 if (selinux_secmark_enabled()) {
4231 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4237 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4240 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4245 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4248 struct sk_security_struct *sksec = sk->sk_security;
4249 u16 family = sk->sk_family;
4250 u32 sk_sid = sksec->sid;
4251 struct common_audit_data ad;
4252 struct lsm_network_audit net = {0,};
4257 if (family != PF_INET && family != PF_INET6)
4260 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4261 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4264 /* If any sort of compatibility mode is enabled then handoff processing
4265 * to the selinux_sock_rcv_skb_compat() function to deal with the
4266 * special handling. We do this in an attempt to keep this function
4267 * as fast and as clean as possible. */
4268 if (!selinux_policycap_netpeer)
4269 return selinux_sock_rcv_skb_compat(sk, skb, family);
4271 secmark_active = selinux_secmark_enabled();
4272 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4273 if (!secmark_active && !peerlbl_active)
4276 ad.type = LSM_AUDIT_DATA_NET;
4278 ad.u.net->netif = skb->skb_iif;
4279 ad.u.net->family = family;
4280 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4284 if (peerlbl_active) {
4287 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4290 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4293 selinux_netlbl_err(skb, err, 0);
4296 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4299 selinux_netlbl_err(skb, err, 0);
4302 if (secmark_active) {
4303 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4312 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4313 int __user *optlen, unsigned len)
4318 struct sk_security_struct *sksec = sock->sk->sk_security;
4319 u32 peer_sid = SECSID_NULL;
4321 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4322 sksec->sclass == SECCLASS_TCP_SOCKET)
4323 peer_sid = sksec->peer_sid;
4324 if (peer_sid == SECSID_NULL)
4325 return -ENOPROTOOPT;
4327 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4331 if (scontext_len > len) {
4336 if (copy_to_user(optval, scontext, scontext_len))
4340 if (put_user(scontext_len, optlen))
4346 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4348 u32 peer_secid = SECSID_NULL;
4351 if (skb && skb->protocol == htons(ETH_P_IP))
4353 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4356 family = sock->sk->sk_family;
4360 if (sock && family == PF_UNIX)
4361 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4363 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4366 *secid = peer_secid;
4367 if (peer_secid == SECSID_NULL)
4372 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4374 struct sk_security_struct *sksec;
4376 sksec = kzalloc(sizeof(*sksec), priority);
4380 sksec->peer_sid = SECINITSID_UNLABELED;
4381 sksec->sid = SECINITSID_UNLABELED;
4382 selinux_netlbl_sk_security_reset(sksec);
4383 sk->sk_security = sksec;
4388 static void selinux_sk_free_security(struct sock *sk)
4390 struct sk_security_struct *sksec = sk->sk_security;
4392 sk->sk_security = NULL;
4393 selinux_netlbl_sk_security_free(sksec);
4397 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4399 struct sk_security_struct *sksec = sk->sk_security;
4400 struct sk_security_struct *newsksec = newsk->sk_security;
4402 newsksec->sid = sksec->sid;
4403 newsksec->peer_sid = sksec->peer_sid;
4404 newsksec->sclass = sksec->sclass;
4406 selinux_netlbl_sk_security_reset(newsksec);
4409 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4412 *secid = SECINITSID_ANY_SOCKET;
4414 struct sk_security_struct *sksec = sk->sk_security;
4416 *secid = sksec->sid;
4420 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4422 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4423 struct sk_security_struct *sksec = sk->sk_security;
4425 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4426 sk->sk_family == PF_UNIX)
4427 isec->sid = sksec->sid;
4428 sksec->sclass = isec->sclass;
4431 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4432 struct request_sock *req)
4434 struct sk_security_struct *sksec = sk->sk_security;
4436 u16 family = sk->sk_family;
4440 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4441 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4444 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4447 if (peersid == SECSID_NULL) {
4448 req->secid = sksec->sid;
4449 req->peer_secid = SECSID_NULL;
4451 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4454 req->secid = newsid;
4455 req->peer_secid = peersid;
4458 return selinux_netlbl_inet_conn_request(req, family);
4461 static void selinux_inet_csk_clone(struct sock *newsk,
4462 const struct request_sock *req)
4464 struct sk_security_struct *newsksec = newsk->sk_security;
4466 newsksec->sid = req->secid;
4467 newsksec->peer_sid = req->peer_secid;
4468 /* NOTE: Ideally, we should also get the isec->sid for the
4469 new socket in sync, but we don't have the isec available yet.
4470 So we will wait until sock_graft to do it, by which
4471 time it will have been created and available. */
4473 /* We don't need to take any sort of lock here as we are the only
4474 * thread with access to newsksec */
4475 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4478 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4480 u16 family = sk->sk_family;
4481 struct sk_security_struct *sksec = sk->sk_security;
4483 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4484 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4487 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4490 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4492 skb_set_owner_w(skb, sk);
4495 static int selinux_secmark_relabel_packet(u32 sid)
4497 const struct task_security_struct *__tsec;
4500 __tsec = current_security();
4503 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4506 static void selinux_secmark_refcount_inc(void)
4508 atomic_inc(&selinux_secmark_refcount);
4511 static void selinux_secmark_refcount_dec(void)
4513 atomic_dec(&selinux_secmark_refcount);
4516 static void selinux_req_classify_flow(const struct request_sock *req,
4519 fl->flowi_secid = req->secid;
4522 static int selinux_tun_dev_alloc_security(void **security)
4524 struct tun_security_struct *tunsec;
4526 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4529 tunsec->sid = current_sid();
4535 static void selinux_tun_dev_free_security(void *security)
4540 static int selinux_tun_dev_create(void)
4542 u32 sid = current_sid();
4544 /* we aren't taking into account the "sockcreate" SID since the socket
4545 * that is being created here is not a socket in the traditional sense,
4546 * instead it is a private sock, accessible only to the kernel, and
4547 * representing a wide range of network traffic spanning multiple
4548 * connections unlike traditional sockets - check the TUN driver to
4549 * get a better understanding of why this socket is special */
4551 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4555 static int selinux_tun_dev_attach_queue(void *security)
4557 struct tun_security_struct *tunsec = security;
4559 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4560 TUN_SOCKET__ATTACH_QUEUE, NULL);
4563 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4565 struct tun_security_struct *tunsec = security;
4566 struct sk_security_struct *sksec = sk->sk_security;
4568 /* we don't currently perform any NetLabel based labeling here and it
4569 * isn't clear that we would want to do so anyway; while we could apply
4570 * labeling without the support of the TUN user the resulting labeled
4571 * traffic from the other end of the connection would almost certainly
4572 * cause confusion to the TUN user that had no idea network labeling
4573 * protocols were being used */
4575 sksec->sid = tunsec->sid;
4576 sksec->sclass = SECCLASS_TUN_SOCKET;
4581 static int selinux_tun_dev_open(void *security)
4583 struct tun_security_struct *tunsec = security;
4584 u32 sid = current_sid();
4587 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4588 TUN_SOCKET__RELABELFROM, NULL);
4591 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4592 TUN_SOCKET__RELABELTO, NULL);
4600 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4604 struct nlmsghdr *nlh;
4605 struct sk_security_struct *sksec = sk->sk_security;
4607 if (skb->len < NLMSG_HDRLEN) {
4611 nlh = nlmsg_hdr(skb);
4613 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4615 if (err == -EINVAL) {
4616 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4617 "SELinux: unrecognized netlink message"
4618 " type=%hu for sclass=%hu\n",
4619 nlh->nlmsg_type, sksec->sclass);
4620 if (!selinux_enforcing || security_get_allow_unknown())
4630 err = sock_has_perm(current, sk, perm);
4635 #ifdef CONFIG_NETFILTER
4637 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4643 struct common_audit_data ad;
4644 struct lsm_network_audit net = {0,};
4649 if (!selinux_policycap_netpeer)
4652 secmark_active = selinux_secmark_enabled();
4653 netlbl_active = netlbl_enabled();
4654 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4655 if (!secmark_active && !peerlbl_active)
4658 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4661 ad.type = LSM_AUDIT_DATA_NET;
4663 ad.u.net->netif = ifindex;
4664 ad.u.net->family = family;
4665 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4668 if (peerlbl_active) {
4669 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4672 selinux_netlbl_err(skb, err, 1);
4678 if (avc_has_perm(peer_sid, skb->secmark,
4679 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4683 /* we do this in the FORWARD path and not the POST_ROUTING
4684 * path because we want to make sure we apply the necessary
4685 * labeling before IPsec is applied so we can leverage AH
4687 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4693 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4694 struct sk_buff *skb,
4695 const struct net_device *in,
4696 const struct net_device *out,
4697 int (*okfn)(struct sk_buff *))
4699 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4702 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4703 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4704 struct sk_buff *skb,
4705 const struct net_device *in,
4706 const struct net_device *out,
4707 int (*okfn)(struct sk_buff *))
4709 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4713 static unsigned int selinux_ip_output(struct sk_buff *skb,
4718 if (!netlbl_enabled())
4721 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4722 * because we want to make sure we apply the necessary labeling
4723 * before IPsec is applied so we can leverage AH protection */
4725 struct sk_security_struct *sksec = skb->sk->sk_security;
4728 sid = SECINITSID_KERNEL;
4729 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4735 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4736 struct sk_buff *skb,
4737 const struct net_device *in,
4738 const struct net_device *out,
4739 int (*okfn)(struct sk_buff *))
4741 return selinux_ip_output(skb, PF_INET);
4744 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4748 struct sock *sk = skb->sk;
4749 struct sk_security_struct *sksec;
4750 struct common_audit_data ad;
4751 struct lsm_network_audit net = {0,};
4757 sksec = sk->sk_security;
4759 ad.type = LSM_AUDIT_DATA_NET;
4761 ad.u.net->netif = ifindex;
4762 ad.u.net->family = family;
4763 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4766 if (selinux_secmark_enabled())
4767 if (avc_has_perm(sksec->sid, skb->secmark,
4768 SECCLASS_PACKET, PACKET__SEND, &ad))
4769 return NF_DROP_ERR(-ECONNREFUSED);
4771 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4772 return NF_DROP_ERR(-ECONNREFUSED);
4777 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4783 struct common_audit_data ad;
4784 struct lsm_network_audit net = {0,};
4789 /* If any sort of compatibility mode is enabled then handoff processing
4790 * to the selinux_ip_postroute_compat() function to deal with the
4791 * special handling. We do this in an attempt to keep this function
4792 * as fast and as clean as possible. */
4793 if (!selinux_policycap_netpeer)
4794 return selinux_ip_postroute_compat(skb, ifindex, family);
4796 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4797 * packet transformation so allow the packet to pass without any checks
4798 * since we'll have another chance to perform access control checks
4799 * when the packet is on it's final way out.
4800 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4801 * is NULL, in this case go ahead and apply access control. */
4802 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4805 secmark_active = selinux_secmark_enabled();
4806 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4807 if (!secmark_active && !peerlbl_active)
4810 /* if the packet is being forwarded then get the peer label from the
4811 * packet itself; otherwise check to see if it is from a local
4812 * application or the kernel, if from an application get the peer label
4813 * from the sending socket, otherwise use the kernel's sid */
4817 secmark_perm = PACKET__FORWARD_OUT;
4818 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4821 secmark_perm = PACKET__SEND;
4822 peer_sid = SECINITSID_KERNEL;
4825 struct sk_security_struct *sksec = sk->sk_security;
4826 peer_sid = sksec->sid;
4827 secmark_perm = PACKET__SEND;
4830 ad.type = LSM_AUDIT_DATA_NET;
4832 ad.u.net->netif = ifindex;
4833 ad.u.net->family = family;
4834 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4838 if (avc_has_perm(peer_sid, skb->secmark,
4839 SECCLASS_PACKET, secmark_perm, &ad))
4840 return NF_DROP_ERR(-ECONNREFUSED);
4842 if (peerlbl_active) {
4846 if (sel_netif_sid(ifindex, &if_sid))
4848 if (avc_has_perm(peer_sid, if_sid,
4849 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4850 return NF_DROP_ERR(-ECONNREFUSED);
4852 if (sel_netnode_sid(addrp, family, &node_sid))
4854 if (avc_has_perm(peer_sid, node_sid,
4855 SECCLASS_NODE, NODE__SENDTO, &ad))
4856 return NF_DROP_ERR(-ECONNREFUSED);
4862 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4863 struct sk_buff *skb,
4864 const struct net_device *in,
4865 const struct net_device *out,
4866 int (*okfn)(struct sk_buff *))
4868 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4871 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4872 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4873 struct sk_buff *skb,
4874 const struct net_device *in,
4875 const struct net_device *out,
4876 int (*okfn)(struct sk_buff *))
4878 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4882 #endif /* CONFIG_NETFILTER */
4884 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4888 err = cap_netlink_send(sk, skb);
4892 return selinux_nlmsg_perm(sk, skb);
4895 static int ipc_alloc_security(struct task_struct *task,
4896 struct kern_ipc_perm *perm,
4899 struct ipc_security_struct *isec;
4902 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4906 sid = task_sid(task);
4907 isec->sclass = sclass;
4909 perm->security = isec;
4914 static void ipc_free_security(struct kern_ipc_perm *perm)
4916 struct ipc_security_struct *isec = perm->security;
4917 perm->security = NULL;
4921 static int msg_msg_alloc_security(struct msg_msg *msg)
4923 struct msg_security_struct *msec;
4925 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4929 msec->sid = SECINITSID_UNLABELED;
4930 msg->security = msec;
4935 static void msg_msg_free_security(struct msg_msg *msg)
4937 struct msg_security_struct *msec = msg->security;
4939 msg->security = NULL;
4943 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4946 struct ipc_security_struct *isec;
4947 struct common_audit_data ad;
4948 u32 sid = current_sid();
4950 isec = ipc_perms->security;
4952 ad.type = LSM_AUDIT_DATA_IPC;
4953 ad.u.ipc_id = ipc_perms->key;
4955 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4958 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4960 return msg_msg_alloc_security(msg);
4963 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4965 msg_msg_free_security(msg);
4968 /* message queue security operations */
4969 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4971 struct ipc_security_struct *isec;
4972 struct common_audit_data ad;
4973 u32 sid = current_sid();
4976 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4980 isec = msq->q_perm.security;
4982 ad.type = LSM_AUDIT_DATA_IPC;
4983 ad.u.ipc_id = msq->q_perm.key;
4985 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4988 ipc_free_security(&msq->q_perm);
4994 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4996 ipc_free_security(&msq->q_perm);
4999 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5001 struct ipc_security_struct *isec;
5002 struct common_audit_data ad;
5003 u32 sid = current_sid();
5005 isec = msq->q_perm.security;
5007 ad.type = LSM_AUDIT_DATA_IPC;
5008 ad.u.ipc_id = msq->q_perm.key;
5010 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5011 MSGQ__ASSOCIATE, &ad);
5014 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5022 /* No specific object, just general system-wide information. */
5023 return task_has_system(current, SYSTEM__IPC_INFO);
5026 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5029 perms = MSGQ__SETATTR;
5032 perms = MSGQ__DESTROY;
5038 err = ipc_has_perm(&msq->q_perm, perms);
5042 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5044 struct ipc_security_struct *isec;
5045 struct msg_security_struct *msec;
5046 struct common_audit_data ad;
5047 u32 sid = current_sid();
5050 isec = msq->q_perm.security;
5051 msec = msg->security;
5054 * First time through, need to assign label to the message
5056 if (msec->sid == SECINITSID_UNLABELED) {
5058 * Compute new sid based on current process and
5059 * message queue this message will be stored in
5061 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5067 ad.type = LSM_AUDIT_DATA_IPC;
5068 ad.u.ipc_id = msq->q_perm.key;
5070 /* Can this process write to the queue? */
5071 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5074 /* Can this process send the message */
5075 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5078 /* Can the message be put in the queue? */
5079 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5080 MSGQ__ENQUEUE, &ad);
5085 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5086 struct task_struct *target,
5087 long type, int mode)
5089 struct ipc_security_struct *isec;
5090 struct msg_security_struct *msec;
5091 struct common_audit_data ad;
5092 u32 sid = task_sid(target);
5095 isec = msq->q_perm.security;
5096 msec = msg->security;
5098 ad.type = LSM_AUDIT_DATA_IPC;
5099 ad.u.ipc_id = msq->q_perm.key;
5101 rc = avc_has_perm(sid, isec->sid,
5102 SECCLASS_MSGQ, MSGQ__READ, &ad);
5104 rc = avc_has_perm(sid, msec->sid,
5105 SECCLASS_MSG, MSG__RECEIVE, &ad);
5109 /* Shared Memory security operations */
5110 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5112 struct ipc_security_struct *isec;
5113 struct common_audit_data ad;
5114 u32 sid = current_sid();
5117 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5121 isec = shp->shm_perm.security;
5123 ad.type = LSM_AUDIT_DATA_IPC;
5124 ad.u.ipc_id = shp->shm_perm.key;
5126 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5129 ipc_free_security(&shp->shm_perm);
5135 static void selinux_shm_free_security(struct shmid_kernel *shp)
5137 ipc_free_security(&shp->shm_perm);
5140 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5142 struct ipc_security_struct *isec;
5143 struct common_audit_data ad;
5144 u32 sid = current_sid();
5146 isec = shp->shm_perm.security;
5148 ad.type = LSM_AUDIT_DATA_IPC;
5149 ad.u.ipc_id = shp->shm_perm.key;
5151 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5152 SHM__ASSOCIATE, &ad);
5155 /* Note, at this point, shp is locked down */
5156 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5164 /* No specific object, just general system-wide information. */
5165 return task_has_system(current, SYSTEM__IPC_INFO);
5168 perms = SHM__GETATTR | SHM__ASSOCIATE;
5171 perms = SHM__SETATTR;
5178 perms = SHM__DESTROY;
5184 err = ipc_has_perm(&shp->shm_perm, perms);
5188 static int selinux_shm_shmat(struct shmid_kernel *shp,
5189 char __user *shmaddr, int shmflg)
5193 if (shmflg & SHM_RDONLY)
5196 perms = SHM__READ | SHM__WRITE;
5198 return ipc_has_perm(&shp->shm_perm, perms);
5201 /* Semaphore security operations */
5202 static int selinux_sem_alloc_security(struct sem_array *sma)
5204 struct ipc_security_struct *isec;
5205 struct common_audit_data ad;
5206 u32 sid = current_sid();
5209 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5213 isec = sma->sem_perm.security;
5215 ad.type = LSM_AUDIT_DATA_IPC;
5216 ad.u.ipc_id = sma->sem_perm.key;
5218 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5221 ipc_free_security(&sma->sem_perm);
5227 static void selinux_sem_free_security(struct sem_array *sma)
5229 ipc_free_security(&sma->sem_perm);
5232 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5234 struct ipc_security_struct *isec;
5235 struct common_audit_data ad;
5236 u32 sid = current_sid();
5238 isec = sma->sem_perm.security;
5240 ad.type = LSM_AUDIT_DATA_IPC;
5241 ad.u.ipc_id = sma->sem_perm.key;
5243 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5244 SEM__ASSOCIATE, &ad);
5247 /* Note, at this point, sma is locked down */
5248 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5256 /* No specific object, just general system-wide information. */
5257 return task_has_system(current, SYSTEM__IPC_INFO);
5261 perms = SEM__GETATTR;
5272 perms = SEM__DESTROY;
5275 perms = SEM__SETATTR;
5279 perms = SEM__GETATTR | SEM__ASSOCIATE;
5285 err = ipc_has_perm(&sma->sem_perm, perms);
5289 static int selinux_sem_semop(struct sem_array *sma,
5290 struct sembuf *sops, unsigned nsops, int alter)
5295 perms = SEM__READ | SEM__WRITE;
5299 return ipc_has_perm(&sma->sem_perm, perms);
5302 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5308 av |= IPC__UNIX_READ;
5310 av |= IPC__UNIX_WRITE;
5315 return ipc_has_perm(ipcp, av);
5318 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5320 struct ipc_security_struct *isec = ipcp->security;
5324 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5327 inode_doinit_with_dentry(inode, dentry);
5330 static int selinux_getprocattr(struct task_struct *p,
5331 char *name, char **value)
5333 const struct task_security_struct *__tsec;
5339 error = current_has_perm(p, PROCESS__GETATTR);
5345 __tsec = __task_cred(p)->security;
5347 if (!strcmp(name, "current"))
5349 else if (!strcmp(name, "prev"))
5351 else if (!strcmp(name, "exec"))
5352 sid = __tsec->exec_sid;
5353 else if (!strcmp(name, "fscreate"))
5354 sid = __tsec->create_sid;
5355 else if (!strcmp(name, "keycreate"))
5356 sid = __tsec->keycreate_sid;
5357 else if (!strcmp(name, "sockcreate"))
5358 sid = __tsec->sockcreate_sid;
5366 error = security_sid_to_context(sid, value, &len);
5376 static int selinux_setprocattr(struct task_struct *p,
5377 char *name, void *value, size_t size)
5379 struct task_security_struct *tsec;
5380 struct task_struct *tracer;
5387 /* SELinux only allows a process to change its own
5388 security attributes. */
5393 * Basic control over ability to set these attributes at all.
5394 * current == p, but we'll pass them separately in case the
5395 * above restriction is ever removed.
5397 if (!strcmp(name, "exec"))
5398 error = current_has_perm(p, PROCESS__SETEXEC);
5399 else if (!strcmp(name, "fscreate"))
5400 error = current_has_perm(p, PROCESS__SETFSCREATE);
5401 else if (!strcmp(name, "keycreate"))
5402 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5403 else if (!strcmp(name, "sockcreate"))
5404 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5405 else if (!strcmp(name, "current"))
5406 error = current_has_perm(p, PROCESS__SETCURRENT);
5412 /* Obtain a SID for the context, if one was specified. */
5413 if (size && str[1] && str[1] != '\n') {
5414 if (str[size-1] == '\n') {
5418 error = security_context_to_sid(value, size, &sid);
5419 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5420 if (!capable(CAP_MAC_ADMIN)) {
5421 struct audit_buffer *ab;
5424 /* We strip a nul only if it is at the end, otherwise the
5425 * context contains a nul and we should audit that */
5426 if (str[size - 1] == '\0')
5427 audit_size = size - 1;
5430 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5431 audit_log_format(ab, "op=fscreate invalid_context=");
5432 audit_log_n_untrustedstring(ab, value, audit_size);
5437 error = security_context_to_sid_force(value, size,
5444 new = prepare_creds();
5448 /* Permission checking based on the specified context is
5449 performed during the actual operation (execve,
5450 open/mkdir/...), when we know the full context of the
5451 operation. See selinux_bprm_set_creds for the execve
5452 checks and may_create for the file creation checks. The
5453 operation will then fail if the context is not permitted. */
5454 tsec = new->security;
5455 if (!strcmp(name, "exec")) {
5456 tsec->exec_sid = sid;
5457 } else if (!strcmp(name, "fscreate")) {
5458 tsec->create_sid = sid;
5459 } else if (!strcmp(name, "keycreate")) {
5460 error = may_create_key(sid, p);
5463 tsec->keycreate_sid = sid;
5464 } else if (!strcmp(name, "sockcreate")) {
5465 tsec->sockcreate_sid = sid;
5466 } else if (!strcmp(name, "current")) {
5471 /* Only allow single threaded processes to change context */
5473 if (!current_is_single_threaded()) {
5474 error = security_bounded_transition(tsec->sid, sid);
5479 /* Check permissions for the transition. */
5480 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5481 PROCESS__DYNTRANSITION, NULL);
5485 /* Check for ptracing, and update the task SID if ok.
5486 Otherwise, leave SID unchanged and fail. */
5489 tracer = ptrace_parent(p);
5491 ptsid = task_sid(tracer);
5495 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5496 PROCESS__PTRACE, NULL);
5515 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5517 return security_sid_to_context(secid, secdata, seclen);
5520 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5522 return security_context_to_sid(secdata, seclen, secid);
5525 static void selinux_release_secctx(char *secdata, u32 seclen)
5531 * called with inode->i_mutex locked
5533 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5535 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5539 * called with inode->i_mutex locked
5541 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5543 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5546 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5549 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5558 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5559 unsigned long flags)
5561 const struct task_security_struct *tsec;
5562 struct key_security_struct *ksec;
5564 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5568 tsec = cred->security;
5569 if (tsec->keycreate_sid)
5570 ksec->sid = tsec->keycreate_sid;
5572 ksec->sid = tsec->sid;
5578 static void selinux_key_free(struct key *k)
5580 struct key_security_struct *ksec = k->security;
5586 static int selinux_key_permission(key_ref_t key_ref,
5587 const struct cred *cred,
5591 struct key_security_struct *ksec;
5594 /* if no specific permissions are requested, we skip the
5595 permission check. No serious, additional covert channels
5596 appear to be created. */
5600 sid = cred_sid(cred);
5602 key = key_ref_to_ptr(key_ref);
5603 ksec = key->security;
5605 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5608 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5610 struct key_security_struct *ksec = key->security;
5611 char *context = NULL;
5615 rc = security_sid_to_context(ksec->sid, &context, &len);
5624 static struct security_operations selinux_ops = {
5627 .binder_set_context_mgr = selinux_binder_set_context_mgr,
5628 .binder_transaction = selinux_binder_transaction,
5629 .binder_transfer_binder = selinux_binder_transfer_binder,
5630 .binder_transfer_file = selinux_binder_transfer_file,
5632 .ptrace_access_check = selinux_ptrace_access_check,
5633 .ptrace_traceme = selinux_ptrace_traceme,
5634 .capget = selinux_capget,
5635 .capset = selinux_capset,
5636 .capable = selinux_capable,
5637 .quotactl = selinux_quotactl,
5638 .quota_on = selinux_quota_on,
5639 .syslog = selinux_syslog,
5640 .vm_enough_memory = selinux_vm_enough_memory,
5642 .netlink_send = selinux_netlink_send,
5644 .bprm_set_creds = selinux_bprm_set_creds,
5645 .bprm_committing_creds = selinux_bprm_committing_creds,
5646 .bprm_committed_creds = selinux_bprm_committed_creds,
5647 .bprm_secureexec = selinux_bprm_secureexec,
5649 .sb_alloc_security = selinux_sb_alloc_security,
5650 .sb_free_security = selinux_sb_free_security,
5651 .sb_copy_data = selinux_sb_copy_data,
5652 .sb_remount = selinux_sb_remount,
5653 .sb_kern_mount = selinux_sb_kern_mount,
5654 .sb_show_options = selinux_sb_show_options,
5655 .sb_statfs = selinux_sb_statfs,
5656 .sb_mount = selinux_mount,
5657 .sb_umount = selinux_umount,
5658 .sb_set_mnt_opts = selinux_set_mnt_opts,
5659 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5660 .sb_parse_opts_str = selinux_parse_opts_str,
5663 .inode_alloc_security = selinux_inode_alloc_security,
5664 .inode_free_security = selinux_inode_free_security,
5665 .inode_init_security = selinux_inode_init_security,
5666 .inode_create = selinux_inode_create,
5667 .inode_link = selinux_inode_link,
5668 .inode_unlink = selinux_inode_unlink,
5669 .inode_symlink = selinux_inode_symlink,
5670 .inode_mkdir = selinux_inode_mkdir,
5671 .inode_rmdir = selinux_inode_rmdir,
5672 .inode_mknod = selinux_inode_mknod,
5673 .inode_rename = selinux_inode_rename,
5674 .inode_readlink = selinux_inode_readlink,
5675 .inode_follow_link = selinux_inode_follow_link,
5676 .inode_permission = selinux_inode_permission,
5677 .inode_setattr = selinux_inode_setattr,
5678 .inode_getattr = selinux_inode_getattr,
5679 .inode_setxattr = selinux_inode_setxattr,
5680 .inode_post_setxattr = selinux_inode_post_setxattr,
5681 .inode_getxattr = selinux_inode_getxattr,
5682 .inode_listxattr = selinux_inode_listxattr,
5683 .inode_removexattr = selinux_inode_removexattr,
5684 .inode_getsecurity = selinux_inode_getsecurity,
5685 .inode_setsecurity = selinux_inode_setsecurity,
5686 .inode_listsecurity = selinux_inode_listsecurity,
5687 .inode_getsecid = selinux_inode_getsecid,
5689 .file_permission = selinux_file_permission,
5690 .file_alloc_security = selinux_file_alloc_security,
5691 .file_free_security = selinux_file_free_security,
5692 .file_ioctl = selinux_file_ioctl,
5693 .mmap_file = selinux_mmap_file,
5694 .mmap_addr = selinux_mmap_addr,
5695 .file_mprotect = selinux_file_mprotect,
5696 .file_lock = selinux_file_lock,
5697 .file_fcntl = selinux_file_fcntl,
5698 .file_set_fowner = selinux_file_set_fowner,
5699 .file_send_sigiotask = selinux_file_send_sigiotask,
5700 .file_receive = selinux_file_receive,
5702 .file_open = selinux_file_open,
5704 .task_create = selinux_task_create,
5705 .cred_alloc_blank = selinux_cred_alloc_blank,
5706 .cred_free = selinux_cred_free,
5707 .cred_prepare = selinux_cred_prepare,
5708 .cred_transfer = selinux_cred_transfer,
5709 .kernel_act_as = selinux_kernel_act_as,
5710 .kernel_create_files_as = selinux_kernel_create_files_as,
5711 .kernel_module_request = selinux_kernel_module_request,
5712 .task_setpgid = selinux_task_setpgid,
5713 .task_getpgid = selinux_task_getpgid,
5714 .task_getsid = selinux_task_getsid,
5715 .task_getsecid = selinux_task_getsecid,
5716 .task_setnice = selinux_task_setnice,
5717 .task_setioprio = selinux_task_setioprio,
5718 .task_getioprio = selinux_task_getioprio,
5719 .task_setrlimit = selinux_task_setrlimit,
5720 .task_setscheduler = selinux_task_setscheduler,
5721 .task_getscheduler = selinux_task_getscheduler,
5722 .task_movememory = selinux_task_movememory,
5723 .task_kill = selinux_task_kill,
5724 .task_wait = selinux_task_wait,
5725 .task_to_inode = selinux_task_to_inode,
5727 .ipc_permission = selinux_ipc_permission,
5728 .ipc_getsecid = selinux_ipc_getsecid,
5730 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5731 .msg_msg_free_security = selinux_msg_msg_free_security,
5733 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5734 .msg_queue_free_security = selinux_msg_queue_free_security,
5735 .msg_queue_associate = selinux_msg_queue_associate,
5736 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5737 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5738 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5740 .shm_alloc_security = selinux_shm_alloc_security,
5741 .shm_free_security = selinux_shm_free_security,
5742 .shm_associate = selinux_shm_associate,
5743 .shm_shmctl = selinux_shm_shmctl,
5744 .shm_shmat = selinux_shm_shmat,
5746 .sem_alloc_security = selinux_sem_alloc_security,
5747 .sem_free_security = selinux_sem_free_security,
5748 .sem_associate = selinux_sem_associate,
5749 .sem_semctl = selinux_sem_semctl,
5750 .sem_semop = selinux_sem_semop,
5752 .d_instantiate = selinux_d_instantiate,
5754 .getprocattr = selinux_getprocattr,
5755 .setprocattr = selinux_setprocattr,
5757 .secid_to_secctx = selinux_secid_to_secctx,
5758 .secctx_to_secid = selinux_secctx_to_secid,
5759 .release_secctx = selinux_release_secctx,
5760 .inode_notifysecctx = selinux_inode_notifysecctx,
5761 .inode_setsecctx = selinux_inode_setsecctx,
5762 .inode_getsecctx = selinux_inode_getsecctx,
5764 .unix_stream_connect = selinux_socket_unix_stream_connect,
5765 .unix_may_send = selinux_socket_unix_may_send,
5767 .socket_create = selinux_socket_create,
5768 .socket_post_create = selinux_socket_post_create,
5769 .socket_bind = selinux_socket_bind,
5770 .socket_connect = selinux_socket_connect,
5771 .socket_listen = selinux_socket_listen,
5772 .socket_accept = selinux_socket_accept,
5773 .socket_sendmsg = selinux_socket_sendmsg,
5774 .socket_recvmsg = selinux_socket_recvmsg,
5775 .socket_getsockname = selinux_socket_getsockname,
5776 .socket_getpeername = selinux_socket_getpeername,
5777 .socket_getsockopt = selinux_socket_getsockopt,
5778 .socket_setsockopt = selinux_socket_setsockopt,
5779 .socket_shutdown = selinux_socket_shutdown,
5780 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5781 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5782 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5783 .sk_alloc_security = selinux_sk_alloc_security,
5784 .sk_free_security = selinux_sk_free_security,
5785 .sk_clone_security = selinux_sk_clone_security,
5786 .sk_getsecid = selinux_sk_getsecid,
5787 .sock_graft = selinux_sock_graft,
5788 .inet_conn_request = selinux_inet_conn_request,
5789 .inet_csk_clone = selinux_inet_csk_clone,
5790 .inet_conn_established = selinux_inet_conn_established,
5791 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5792 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5793 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5794 .req_classify_flow = selinux_req_classify_flow,
5795 .tun_dev_alloc_security = selinux_tun_dev_alloc_security,
5796 .tun_dev_free_security = selinux_tun_dev_free_security,
5797 .tun_dev_create = selinux_tun_dev_create,
5798 .tun_dev_attach_queue = selinux_tun_dev_attach_queue,
5799 .tun_dev_attach = selinux_tun_dev_attach,
5800 .tun_dev_open = selinux_tun_dev_open,
5801 .skb_owned_by = selinux_skb_owned_by,
5803 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5804 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5805 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5806 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5807 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5808 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5809 .xfrm_state_free_security = selinux_xfrm_state_free,
5810 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5811 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5812 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5813 .xfrm_decode_session = selinux_xfrm_decode_session,
5817 .key_alloc = selinux_key_alloc,
5818 .key_free = selinux_key_free,
5819 .key_permission = selinux_key_permission,
5820 .key_getsecurity = selinux_key_getsecurity,
5824 .audit_rule_init = selinux_audit_rule_init,
5825 .audit_rule_known = selinux_audit_rule_known,
5826 .audit_rule_match = selinux_audit_rule_match,
5827 .audit_rule_free = selinux_audit_rule_free,
5831 static __init int selinux_init(void)
5833 if (!security_module_enable(&selinux_ops)) {
5834 selinux_enabled = 0;
5838 if (!selinux_enabled) {
5839 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5843 printk(KERN_INFO "SELinux: Initializing.\n");
5845 /* Set the security state for the initial task. */
5846 cred_init_security();
5848 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5850 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5851 sizeof(struct inode_security_struct),
5852 0, SLAB_PANIC, NULL);
5855 if (register_security(&selinux_ops))
5856 panic("SELinux: Unable to register with kernel.\n");
5858 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
5859 panic("SELinux: Unable to register AVC netcache callback\n");
5861 if (selinux_enforcing)
5862 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5864 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5869 static void delayed_superblock_init(struct super_block *sb, void *unused)
5871 superblock_doinit(sb, NULL);
5874 void selinux_complete_init(void)
5876 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5878 /* Set up any superblocks initialized prior to the policy load. */
5879 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5880 iterate_supers(delayed_superblock_init, NULL);
5883 /* SELinux requires early initialization in order to label
5884 all processes and objects when they are created. */
5885 security_initcall(selinux_init);
5887 #if defined(CONFIG_NETFILTER)
5889 static struct nf_hook_ops selinux_ipv4_ops[] = {
5891 .hook = selinux_ipv4_postroute,
5892 .owner = THIS_MODULE,
5894 .hooknum = NF_INET_POST_ROUTING,
5895 .priority = NF_IP_PRI_SELINUX_LAST,
5898 .hook = selinux_ipv4_forward,
5899 .owner = THIS_MODULE,
5901 .hooknum = NF_INET_FORWARD,
5902 .priority = NF_IP_PRI_SELINUX_FIRST,
5905 .hook = selinux_ipv4_output,
5906 .owner = THIS_MODULE,
5908 .hooknum = NF_INET_LOCAL_OUT,
5909 .priority = NF_IP_PRI_SELINUX_FIRST,
5913 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5915 static struct nf_hook_ops selinux_ipv6_ops[] = {
5917 .hook = selinux_ipv6_postroute,
5918 .owner = THIS_MODULE,
5920 .hooknum = NF_INET_POST_ROUTING,
5921 .priority = NF_IP6_PRI_SELINUX_LAST,
5924 .hook = selinux_ipv6_forward,
5925 .owner = THIS_MODULE,
5927 .hooknum = NF_INET_FORWARD,
5928 .priority = NF_IP6_PRI_SELINUX_FIRST,
5934 static int __init selinux_nf_ip_init(void)
5938 if (!selinux_enabled)
5941 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5943 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5945 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5947 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5948 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5950 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5957 __initcall(selinux_nf_ip_init);
5959 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5960 static void selinux_nf_ip_exit(void)
5962 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5964 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5965 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5966 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5971 #else /* CONFIG_NETFILTER */
5973 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5974 #define selinux_nf_ip_exit()
5977 #endif /* CONFIG_NETFILTER */
5979 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5980 static int selinux_disabled;
5982 int selinux_disable(void)
5984 if (ss_initialized) {
5985 /* Not permitted after initial policy load. */
5989 if (selinux_disabled) {
5990 /* Only do this once. */
5994 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5996 selinux_disabled = 1;
5997 selinux_enabled = 0;
5999 reset_security_ops();
6001 /* Try to destroy the avc node cache */
6004 /* Unregister netfilter hooks. */
6005 selinux_nf_ip_exit();
6007 /* Unregister selinuxfs. */