2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
55 #include <net/inet_connection_sock.h>
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
97 /* SECMARK reference count */
98 static atomic_t selinux_secmark_refcount
= ATOMIC_INIT(0);
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing
;
103 static int __init
enforcing_setup(char *str
)
105 unsigned long enforcing
;
106 if (!kstrtoul(str
, 0, &enforcing
))
107 selinux_enforcing
= enforcing
? 1 : 0;
110 __setup("enforcing=", enforcing_setup
);
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled
= CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE
;
116 static int __init
selinux_enabled_setup(char *str
)
118 unsigned long enabled
;
119 if (!kstrtoul(str
, 0, &enabled
))
120 selinux_enabled
= enabled
? 1 : 0;
123 __setup("selinux=", selinux_enabled_setup
);
125 int selinux_enabled
= 1;
128 static struct kmem_cache
*sel_inode_cache
;
129 static struct kmem_cache
*file_security_cache
;
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
142 static int selinux_secmark_enabled(void)
144 return (selinux_policycap_alwaysnetwork
|| atomic_read(&selinux_secmark_refcount
));
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
157 static int selinux_peerlbl_enabled(void)
159 return (selinux_policycap_alwaysnetwork
|| netlbl_enabled() || selinux_xfrm_enabled());
162 static int selinux_netcache_avc_callback(u32 event
)
164 if (event
== AVC_CALLBACK_RESET
) {
174 * initialise the security for the init task
176 static void cred_init_security(void)
178 struct cred
*cred
= (struct cred
*) current
->real_cred
;
179 struct task_security_struct
*tsec
;
181 tsec
= kzalloc(sizeof(struct task_security_struct
), GFP_KERNEL
);
183 panic("SELinux: Failed to initialize initial task.\n");
185 tsec
->osid
= tsec
->sid
= SECINITSID_KERNEL
;
186 cred
->security
= tsec
;
190 * get the security ID of a set of credentials
192 static inline u32
cred_sid(const struct cred
*cred
)
194 const struct task_security_struct
*tsec
;
196 tsec
= cred
->security
;
201 * get the objective security ID of a task
203 static inline u32
task_sid(const struct task_struct
*task
)
208 sid
= cred_sid(__task_cred(task
));
213 /* Allocate and free functions for each kind of security blob. */
215 static int inode_alloc_security(struct inode
*inode
)
217 struct inode_security_struct
*isec
;
218 u32 sid
= current_sid();
220 isec
= kmem_cache_zalloc(sel_inode_cache
, GFP_NOFS
);
224 spin_lock_init(&isec
->lock
);
225 INIT_LIST_HEAD(&isec
->list
);
227 isec
->sid
= SECINITSID_UNLABELED
;
228 isec
->sclass
= SECCLASS_FILE
;
229 isec
->task_sid
= sid
;
230 isec
->initialized
= LABEL_INVALID
;
231 inode
->i_security
= isec
;
236 static int inode_doinit_with_dentry(struct inode
*inode
, struct dentry
*opt_dentry
);
239 * Try reloading inode security labels that have been marked as invalid. The
240 * @may_sleep parameter indicates when sleeping and thus reloading labels is
241 * allowed; when set to false, returns -ECHILD when the label is
242 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
243 * when no dentry is available, set it to NULL instead.
245 static int __inode_security_revalidate(struct inode
*inode
,
246 struct dentry
*opt_dentry
,
249 struct inode_security_struct
*isec
= inode
->i_security
;
251 might_sleep_if(may_sleep
);
253 if (ss_initialized
&& isec
->initialized
!= LABEL_INITIALIZED
) {
258 * Try reloading the inode security label. This will fail if
259 * @opt_dentry is NULL and no dentry for this inode can be
260 * found; in that case, continue using the old label.
262 inode_doinit_with_dentry(inode
, opt_dentry
);
267 static struct inode_security_struct
*inode_security_novalidate(struct inode
*inode
)
269 return inode
->i_security
;
272 static struct inode_security_struct
*inode_security_rcu(struct inode
*inode
, bool rcu
)
276 error
= __inode_security_revalidate(inode
, NULL
, !rcu
);
278 return ERR_PTR(error
);
279 return inode
->i_security
;
283 * Get the security label of an inode.
285 static struct inode_security_struct
*inode_security(struct inode
*inode
)
287 __inode_security_revalidate(inode
, NULL
, true);
288 return inode
->i_security
;
291 static struct inode_security_struct
*backing_inode_security_novalidate(struct dentry
*dentry
)
293 struct inode
*inode
= d_backing_inode(dentry
);
295 return inode
->i_security
;
299 * Get the security label of a dentry's backing inode.
301 static struct inode_security_struct
*backing_inode_security(struct dentry
*dentry
)
303 struct inode
*inode
= d_backing_inode(dentry
);
305 __inode_security_revalidate(inode
, dentry
, true);
306 return inode
->i_security
;
309 static void inode_free_rcu(struct rcu_head
*head
)
311 struct inode_security_struct
*isec
;
313 isec
= container_of(head
, struct inode_security_struct
, rcu
);
314 kmem_cache_free(sel_inode_cache
, isec
);
317 static void inode_free_security(struct inode
*inode
)
319 struct inode_security_struct
*isec
= inode
->i_security
;
320 struct superblock_security_struct
*sbsec
= inode
->i_sb
->s_security
;
323 * As not all inode security structures are in a list, we check for
324 * empty list outside of the lock to make sure that we won't waste
325 * time taking a lock doing nothing.
327 * The list_del_init() function can be safely called more than once.
328 * It should not be possible for this function to be called with
329 * concurrent list_add(), but for better safety against future changes
330 * in the code, we use list_empty_careful() here.
332 if (!list_empty_careful(&isec
->list
)) {
333 spin_lock(&sbsec
->isec_lock
);
334 list_del_init(&isec
->list
);
335 spin_unlock(&sbsec
->isec_lock
);
339 * The inode may still be referenced in a path walk and
340 * a call to selinux_inode_permission() can be made
341 * after inode_free_security() is called. Ideally, the VFS
342 * wouldn't do this, but fixing that is a much harder
343 * job. For now, simply free the i_security via RCU, and
344 * leave the current inode->i_security pointer intact.
345 * The inode will be freed after the RCU grace period too.
347 call_rcu(&isec
->rcu
, inode_free_rcu
);
350 static int file_alloc_security(struct file
*file
)
352 struct file_security_struct
*fsec
;
353 u32 sid
= current_sid();
355 fsec
= kmem_cache_zalloc(file_security_cache
, GFP_KERNEL
);
360 fsec
->fown_sid
= sid
;
361 file
->f_security
= fsec
;
366 static void file_free_security(struct file
*file
)
368 struct file_security_struct
*fsec
= file
->f_security
;
369 file
->f_security
= NULL
;
370 kmem_cache_free(file_security_cache
, fsec
);
373 static int superblock_alloc_security(struct super_block
*sb
)
375 struct superblock_security_struct
*sbsec
;
377 sbsec
= kzalloc(sizeof(struct superblock_security_struct
), GFP_KERNEL
);
381 mutex_init(&sbsec
->lock
);
382 INIT_LIST_HEAD(&sbsec
->isec_head
);
383 spin_lock_init(&sbsec
->isec_lock
);
385 sbsec
->sid
= SECINITSID_UNLABELED
;
386 sbsec
->def_sid
= SECINITSID_FILE
;
387 sbsec
->mntpoint_sid
= SECINITSID_UNLABELED
;
388 sb
->s_security
= sbsec
;
393 static void superblock_free_security(struct super_block
*sb
)
395 struct superblock_security_struct
*sbsec
= sb
->s_security
;
396 sb
->s_security
= NULL
;
400 /* The file system's label must be initialized prior to use. */
402 static const char *labeling_behaviors
[7] = {
404 "uses transition SIDs",
406 "uses genfs_contexts",
407 "not configured for labeling",
408 "uses mountpoint labeling",
409 "uses native labeling",
412 static inline int inode_doinit(struct inode
*inode
)
414 return inode_doinit_with_dentry(inode
, NULL
);
423 Opt_labelsupport
= 5,
427 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
429 static const match_table_t tokens
= {
430 {Opt_context
, CONTEXT_STR
"%s"},
431 {Opt_fscontext
, FSCONTEXT_STR
"%s"},
432 {Opt_defcontext
, DEFCONTEXT_STR
"%s"},
433 {Opt_rootcontext
, ROOTCONTEXT_STR
"%s"},
434 {Opt_labelsupport
, LABELSUPP_STR
},
438 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
440 static int may_context_mount_sb_relabel(u32 sid
,
441 struct superblock_security_struct
*sbsec
,
442 const struct cred
*cred
)
444 const struct task_security_struct
*tsec
= cred
->security
;
447 rc
= avc_has_perm(tsec
->sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
448 FILESYSTEM__RELABELFROM
, NULL
);
452 rc
= avc_has_perm(tsec
->sid
, sid
, SECCLASS_FILESYSTEM
,
453 FILESYSTEM__RELABELTO
, NULL
);
457 static int may_context_mount_inode_relabel(u32 sid
,
458 struct superblock_security_struct
*sbsec
,
459 const struct cred
*cred
)
461 const struct task_security_struct
*tsec
= cred
->security
;
463 rc
= avc_has_perm(tsec
->sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
464 FILESYSTEM__RELABELFROM
, NULL
);
468 rc
= avc_has_perm(sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
469 FILESYSTEM__ASSOCIATE
, NULL
);
473 static int selinux_is_sblabel_mnt(struct super_block
*sb
)
475 struct superblock_security_struct
*sbsec
= sb
->s_security
;
477 return sbsec
->behavior
== SECURITY_FS_USE_XATTR
||
478 sbsec
->behavior
== SECURITY_FS_USE_TRANS
||
479 sbsec
->behavior
== SECURITY_FS_USE_TASK
||
480 sbsec
->behavior
== SECURITY_FS_USE_NATIVE
||
481 /* Special handling. Genfs but also in-core setxattr handler */
482 !strcmp(sb
->s_type
->name
, "sysfs") ||
483 !strcmp(sb
->s_type
->name
, "cgroup") ||
484 !strcmp(sb
->s_type
->name
, "cgroup2") ||
485 !strcmp(sb
->s_type
->name
, "pstore") ||
486 !strcmp(sb
->s_type
->name
, "debugfs") ||
487 !strcmp(sb
->s_type
->name
, "tracefs") ||
488 !strcmp(sb
->s_type
->name
, "rootfs");
491 static int sb_finish_set_opts(struct super_block
*sb
)
493 struct superblock_security_struct
*sbsec
= sb
->s_security
;
494 struct dentry
*root
= sb
->s_root
;
495 struct inode
*root_inode
= d_backing_inode(root
);
498 if (sbsec
->behavior
== SECURITY_FS_USE_XATTR
) {
499 /* Make sure that the xattr handler exists and that no
500 error other than -ENODATA is returned by getxattr on
501 the root directory. -ENODATA is ok, as this may be
502 the first boot of the SELinux kernel before we have
503 assigned xattr values to the filesystem. */
504 if (!(root_inode
->i_opflags
& IOP_XATTR
)) {
505 printk(KERN_WARNING
"SELinux: (dev %s, type %s) has no "
506 "xattr support\n", sb
->s_id
, sb
->s_type
->name
);
511 rc
= __vfs_getxattr(root
, root_inode
, XATTR_NAME_SELINUX
, NULL
, 0);
512 if (rc
< 0 && rc
!= -ENODATA
) {
513 if (rc
== -EOPNOTSUPP
)
514 printk(KERN_WARNING
"SELinux: (dev %s, type "
515 "%s) has no security xattr handler\n",
516 sb
->s_id
, sb
->s_type
->name
);
518 printk(KERN_WARNING
"SELinux: (dev %s, type "
519 "%s) getxattr errno %d\n", sb
->s_id
,
520 sb
->s_type
->name
, -rc
);
525 if (sbsec
->behavior
> ARRAY_SIZE(labeling_behaviors
))
526 printk(KERN_ERR
"SELinux: initialized (dev %s, type %s), unknown behavior\n",
527 sb
->s_id
, sb
->s_type
->name
);
529 sbsec
->flags
|= SE_SBINITIALIZED
;
530 if (selinux_is_sblabel_mnt(sb
))
531 sbsec
->flags
|= SBLABEL_MNT
;
533 /* Initialize the root inode. */
534 rc
= inode_doinit_with_dentry(root_inode
, root
);
536 /* Initialize any other inodes associated with the superblock, e.g.
537 inodes created prior to initial policy load or inodes created
538 during get_sb by a pseudo filesystem that directly
540 spin_lock(&sbsec
->isec_lock
);
542 if (!list_empty(&sbsec
->isec_head
)) {
543 struct inode_security_struct
*isec
=
544 list_entry(sbsec
->isec_head
.next
,
545 struct inode_security_struct
, list
);
546 struct inode
*inode
= isec
->inode
;
547 list_del_init(&isec
->list
);
548 spin_unlock(&sbsec
->isec_lock
);
549 inode
= igrab(inode
);
551 if (!IS_PRIVATE(inode
))
555 spin_lock(&sbsec
->isec_lock
);
558 spin_unlock(&sbsec
->isec_lock
);
564 * This function should allow an FS to ask what it's mount security
565 * options were so it can use those later for submounts, displaying
566 * mount options, or whatever.
568 static int selinux_get_mnt_opts(const struct super_block
*sb
,
569 struct security_mnt_opts
*opts
)
572 struct superblock_security_struct
*sbsec
= sb
->s_security
;
573 char *context
= NULL
;
577 security_init_mnt_opts(opts
);
579 if (!(sbsec
->flags
& SE_SBINITIALIZED
))
585 /* make sure we always check enough bits to cover the mask */
586 BUILD_BUG_ON(SE_MNTMASK
>= (1 << NUM_SEL_MNT_OPTS
));
588 tmp
= sbsec
->flags
& SE_MNTMASK
;
589 /* count the number of mount options for this sb */
590 for (i
= 0; i
< NUM_SEL_MNT_OPTS
; i
++) {
592 opts
->num_mnt_opts
++;
595 /* Check if the Label support flag is set */
596 if (sbsec
->flags
& SBLABEL_MNT
)
597 opts
->num_mnt_opts
++;
599 opts
->mnt_opts
= kcalloc(opts
->num_mnt_opts
, sizeof(char *), GFP_ATOMIC
);
600 if (!opts
->mnt_opts
) {
605 opts
->mnt_opts_flags
= kcalloc(opts
->num_mnt_opts
, sizeof(int), GFP_ATOMIC
);
606 if (!opts
->mnt_opts_flags
) {
612 if (sbsec
->flags
& FSCONTEXT_MNT
) {
613 rc
= security_sid_to_context(sbsec
->sid
, &context
, &len
);
616 opts
->mnt_opts
[i
] = context
;
617 opts
->mnt_opts_flags
[i
++] = FSCONTEXT_MNT
;
619 if (sbsec
->flags
& CONTEXT_MNT
) {
620 rc
= security_sid_to_context(sbsec
->mntpoint_sid
, &context
, &len
);
623 opts
->mnt_opts
[i
] = context
;
624 opts
->mnt_opts_flags
[i
++] = CONTEXT_MNT
;
626 if (sbsec
->flags
& DEFCONTEXT_MNT
) {
627 rc
= security_sid_to_context(sbsec
->def_sid
, &context
, &len
);
630 opts
->mnt_opts
[i
] = context
;
631 opts
->mnt_opts_flags
[i
++] = DEFCONTEXT_MNT
;
633 if (sbsec
->flags
& ROOTCONTEXT_MNT
) {
634 struct dentry
*root
= sbsec
->sb
->s_root
;
635 struct inode_security_struct
*isec
= backing_inode_security(root
);
637 rc
= security_sid_to_context(isec
->sid
, &context
, &len
);
640 opts
->mnt_opts
[i
] = context
;
641 opts
->mnt_opts_flags
[i
++] = ROOTCONTEXT_MNT
;
643 if (sbsec
->flags
& SBLABEL_MNT
) {
644 opts
->mnt_opts
[i
] = NULL
;
645 opts
->mnt_opts_flags
[i
++] = SBLABEL_MNT
;
648 BUG_ON(i
!= opts
->num_mnt_opts
);
653 security_free_mnt_opts(opts
);
657 static int bad_option(struct superblock_security_struct
*sbsec
, char flag
,
658 u32 old_sid
, u32 new_sid
)
660 char mnt_flags
= sbsec
->flags
& SE_MNTMASK
;
662 /* check if the old mount command had the same options */
663 if (sbsec
->flags
& SE_SBINITIALIZED
)
664 if (!(sbsec
->flags
& flag
) ||
665 (old_sid
!= new_sid
))
668 /* check if we were passed the same options twice,
669 * aka someone passed context=a,context=b
671 if (!(sbsec
->flags
& SE_SBINITIALIZED
))
672 if (mnt_flags
& flag
)
678 * Allow filesystems with binary mount data to explicitly set mount point
679 * labeling information.
681 static int selinux_set_mnt_opts(struct super_block
*sb
,
682 struct security_mnt_opts
*opts
,
683 unsigned long kern_flags
,
684 unsigned long *set_kern_flags
)
686 const struct cred
*cred
= current_cred();
688 struct superblock_security_struct
*sbsec
= sb
->s_security
;
689 const char *name
= sb
->s_type
->name
;
690 struct dentry
*root
= sbsec
->sb
->s_root
;
691 struct inode_security_struct
*root_isec
;
692 u32 fscontext_sid
= 0, context_sid
= 0, rootcontext_sid
= 0;
693 u32 defcontext_sid
= 0;
694 char **mount_options
= opts
->mnt_opts
;
695 int *flags
= opts
->mnt_opts_flags
;
696 int num_opts
= opts
->num_mnt_opts
;
698 mutex_lock(&sbsec
->lock
);
700 if (!ss_initialized
) {
702 /* Defer initialization until selinux_complete_init,
703 after the initial policy is loaded and the security
704 server is ready to handle calls. */
708 printk(KERN_WARNING
"SELinux: Unable to set superblock options "
709 "before the security server is initialized\n");
712 if (kern_flags
&& !set_kern_flags
) {
713 /* Specifying internal flags without providing a place to
714 * place the results is not allowed */
720 * Binary mount data FS will come through this function twice. Once
721 * from an explicit call and once from the generic calls from the vfs.
722 * Since the generic VFS calls will not contain any security mount data
723 * we need to skip the double mount verification.
725 * This does open a hole in which we will not notice if the first
726 * mount using this sb set explict options and a second mount using
727 * this sb does not set any security options. (The first options
728 * will be used for both mounts)
730 if ((sbsec
->flags
& SE_SBINITIALIZED
) && (sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
)
734 root_isec
= backing_inode_security_novalidate(root
);
737 * parse the mount options, check if they are valid sids.
738 * also check if someone is trying to mount the same sb more
739 * than once with different security options.
741 for (i
= 0; i
< num_opts
; i
++) {
744 if (flags
[i
] == SBLABEL_MNT
)
746 rc
= security_context_str_to_sid(mount_options
[i
], &sid
, GFP_KERNEL
);
748 printk(KERN_WARNING
"SELinux: security_context_str_to_sid"
749 "(%s) failed for (dev %s, type %s) errno=%d\n",
750 mount_options
[i
], sb
->s_id
, name
, rc
);
757 if (bad_option(sbsec
, FSCONTEXT_MNT
, sbsec
->sid
,
759 goto out_double_mount
;
761 sbsec
->flags
|= FSCONTEXT_MNT
;
766 if (bad_option(sbsec
, CONTEXT_MNT
, sbsec
->mntpoint_sid
,
768 goto out_double_mount
;
770 sbsec
->flags
|= CONTEXT_MNT
;
772 case ROOTCONTEXT_MNT
:
773 rootcontext_sid
= sid
;
775 if (bad_option(sbsec
, ROOTCONTEXT_MNT
, root_isec
->sid
,
777 goto out_double_mount
;
779 sbsec
->flags
|= ROOTCONTEXT_MNT
;
783 defcontext_sid
= sid
;
785 if (bad_option(sbsec
, DEFCONTEXT_MNT
, sbsec
->def_sid
,
787 goto out_double_mount
;
789 sbsec
->flags
|= DEFCONTEXT_MNT
;
798 if (sbsec
->flags
& SE_SBINITIALIZED
) {
799 /* previously mounted with options, but not on this attempt? */
800 if ((sbsec
->flags
& SE_MNTMASK
) && !num_opts
)
801 goto out_double_mount
;
806 if (strcmp(sb
->s_type
->name
, "proc") == 0)
807 sbsec
->flags
|= SE_SBPROC
| SE_SBGENFS
;
809 if (!strcmp(sb
->s_type
->name
, "debugfs") ||
810 !strcmp(sb
->s_type
->name
, "sysfs") ||
811 !strcmp(sb
->s_type
->name
, "pstore"))
812 sbsec
->flags
|= SE_SBGENFS
;
814 if (!sbsec
->behavior
) {
816 * Determine the labeling behavior to use for this
819 rc
= security_fs_use(sb
);
822 "%s: security_fs_use(%s) returned %d\n",
823 __func__
, sb
->s_type
->name
, rc
);
829 * If this is a user namespace mount and the filesystem type is not
830 * explicitly whitelisted, then no contexts are allowed on the command
831 * line and security labels must be ignored.
833 if (sb
->s_user_ns
!= &init_user_ns
&&
834 strcmp(sb
->s_type
->name
, "tmpfs") &&
835 strcmp(sb
->s_type
->name
, "ramfs") &&
836 strcmp(sb
->s_type
->name
, "devpts")) {
837 if (context_sid
|| fscontext_sid
|| rootcontext_sid
||
842 if (sbsec
->behavior
== SECURITY_FS_USE_XATTR
) {
843 sbsec
->behavior
= SECURITY_FS_USE_MNTPOINT
;
844 rc
= security_transition_sid(current_sid(), current_sid(),
846 &sbsec
->mntpoint_sid
);
853 /* sets the context of the superblock for the fs being mounted. */
855 rc
= may_context_mount_sb_relabel(fscontext_sid
, sbsec
, cred
);
859 sbsec
->sid
= fscontext_sid
;
863 * Switch to using mount point labeling behavior.
864 * sets the label used on all file below the mountpoint, and will set
865 * the superblock context if not already set.
867 if (kern_flags
& SECURITY_LSM_NATIVE_LABELS
&& !context_sid
) {
868 sbsec
->behavior
= SECURITY_FS_USE_NATIVE
;
869 *set_kern_flags
|= SECURITY_LSM_NATIVE_LABELS
;
873 if (!fscontext_sid
) {
874 rc
= may_context_mount_sb_relabel(context_sid
, sbsec
,
878 sbsec
->sid
= context_sid
;
880 rc
= may_context_mount_inode_relabel(context_sid
, sbsec
,
885 if (!rootcontext_sid
)
886 rootcontext_sid
= context_sid
;
888 sbsec
->mntpoint_sid
= context_sid
;
889 sbsec
->behavior
= SECURITY_FS_USE_MNTPOINT
;
892 if (rootcontext_sid
) {
893 rc
= may_context_mount_inode_relabel(rootcontext_sid
, sbsec
,
898 root_isec
->sid
= rootcontext_sid
;
899 root_isec
->initialized
= LABEL_INITIALIZED
;
902 if (defcontext_sid
) {
903 if (sbsec
->behavior
!= SECURITY_FS_USE_XATTR
&&
904 sbsec
->behavior
!= SECURITY_FS_USE_NATIVE
) {
906 printk(KERN_WARNING
"SELinux: defcontext option is "
907 "invalid for this filesystem type\n");
911 if (defcontext_sid
!= sbsec
->def_sid
) {
912 rc
= may_context_mount_inode_relabel(defcontext_sid
,
918 sbsec
->def_sid
= defcontext_sid
;
922 rc
= sb_finish_set_opts(sb
);
924 mutex_unlock(&sbsec
->lock
);
928 printk(KERN_WARNING
"SELinux: mount invalid. Same superblock, different "
929 "security settings for (dev %s, type %s)\n", sb
->s_id
, name
);
933 static int selinux_cmp_sb_context(const struct super_block
*oldsb
,
934 const struct super_block
*newsb
)
936 struct superblock_security_struct
*old
= oldsb
->s_security
;
937 struct superblock_security_struct
*new = newsb
->s_security
;
938 char oldflags
= old
->flags
& SE_MNTMASK
;
939 char newflags
= new->flags
& SE_MNTMASK
;
941 if (oldflags
!= newflags
)
943 if ((oldflags
& FSCONTEXT_MNT
) && old
->sid
!= new->sid
)
945 if ((oldflags
& CONTEXT_MNT
) && old
->mntpoint_sid
!= new->mntpoint_sid
)
947 if ((oldflags
& DEFCONTEXT_MNT
) && old
->def_sid
!= new->def_sid
)
949 if (oldflags
& ROOTCONTEXT_MNT
) {
950 struct inode_security_struct
*oldroot
= backing_inode_security(oldsb
->s_root
);
951 struct inode_security_struct
*newroot
= backing_inode_security(newsb
->s_root
);
952 if (oldroot
->sid
!= newroot
->sid
)
957 printk(KERN_WARNING
"SELinux: mount invalid. Same superblock, "
958 "different security settings for (dev %s, "
959 "type %s)\n", newsb
->s_id
, newsb
->s_type
->name
);
963 static int selinux_sb_clone_mnt_opts(const struct super_block
*oldsb
,
964 struct super_block
*newsb
)
966 const struct superblock_security_struct
*oldsbsec
= oldsb
->s_security
;
967 struct superblock_security_struct
*newsbsec
= newsb
->s_security
;
969 int set_fscontext
= (oldsbsec
->flags
& FSCONTEXT_MNT
);
970 int set_context
= (oldsbsec
->flags
& CONTEXT_MNT
);
971 int set_rootcontext
= (oldsbsec
->flags
& ROOTCONTEXT_MNT
);
974 * if the parent was able to be mounted it clearly had no special lsm
975 * mount options. thus we can safely deal with this superblock later
980 /* how can we clone if the old one wasn't set up?? */
981 BUG_ON(!(oldsbsec
->flags
& SE_SBINITIALIZED
));
983 /* if fs is reusing a sb, make sure that the contexts match */
984 if (newsbsec
->flags
& SE_SBINITIALIZED
)
985 return selinux_cmp_sb_context(oldsb
, newsb
);
987 mutex_lock(&newsbsec
->lock
);
989 newsbsec
->flags
= oldsbsec
->flags
;
991 newsbsec
->sid
= oldsbsec
->sid
;
992 newsbsec
->def_sid
= oldsbsec
->def_sid
;
993 newsbsec
->behavior
= oldsbsec
->behavior
;
996 u32 sid
= oldsbsec
->mntpoint_sid
;
1000 if (!set_rootcontext
) {
1001 struct inode_security_struct
*newisec
= backing_inode_security(newsb
->s_root
);
1004 newsbsec
->mntpoint_sid
= sid
;
1006 if (set_rootcontext
) {
1007 const struct inode_security_struct
*oldisec
= backing_inode_security(oldsb
->s_root
);
1008 struct inode_security_struct
*newisec
= backing_inode_security(newsb
->s_root
);
1010 newisec
->sid
= oldisec
->sid
;
1013 sb_finish_set_opts(newsb
);
1014 mutex_unlock(&newsbsec
->lock
);
1018 static int selinux_parse_opts_str(char *options
,
1019 struct security_mnt_opts
*opts
)
1022 char *context
= NULL
, *defcontext
= NULL
;
1023 char *fscontext
= NULL
, *rootcontext
= NULL
;
1024 int rc
, num_mnt_opts
= 0;
1026 opts
->num_mnt_opts
= 0;
1028 /* Standard string-based options. */
1029 while ((p
= strsep(&options
, "|")) != NULL
) {
1031 substring_t args
[MAX_OPT_ARGS
];
1036 token
= match_token(p
, tokens
, args
);
1040 if (context
|| defcontext
) {
1042 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1045 context
= match_strdup(&args
[0]);
1055 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1058 fscontext
= match_strdup(&args
[0]);
1065 case Opt_rootcontext
:
1068 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1071 rootcontext
= match_strdup(&args
[0]);
1078 case Opt_defcontext
:
1079 if (context
|| defcontext
) {
1081 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1084 defcontext
= match_strdup(&args
[0]);
1090 case Opt_labelsupport
:
1094 printk(KERN_WARNING
"SELinux: unknown mount option\n");
1101 opts
->mnt_opts
= kcalloc(NUM_SEL_MNT_OPTS
, sizeof(char *), GFP_KERNEL
);
1102 if (!opts
->mnt_opts
)
1105 opts
->mnt_opts_flags
= kcalloc(NUM_SEL_MNT_OPTS
, sizeof(int),
1107 if (!opts
->mnt_opts_flags
) {
1108 kfree(opts
->mnt_opts
);
1113 opts
->mnt_opts
[num_mnt_opts
] = fscontext
;
1114 opts
->mnt_opts_flags
[num_mnt_opts
++] = FSCONTEXT_MNT
;
1117 opts
->mnt_opts
[num_mnt_opts
] = context
;
1118 opts
->mnt_opts_flags
[num_mnt_opts
++] = CONTEXT_MNT
;
1121 opts
->mnt_opts
[num_mnt_opts
] = rootcontext
;
1122 opts
->mnt_opts_flags
[num_mnt_opts
++] = ROOTCONTEXT_MNT
;
1125 opts
->mnt_opts
[num_mnt_opts
] = defcontext
;
1126 opts
->mnt_opts_flags
[num_mnt_opts
++] = DEFCONTEXT_MNT
;
1129 opts
->num_mnt_opts
= num_mnt_opts
;
1140 * string mount options parsing and call set the sbsec
1142 static int superblock_doinit(struct super_block
*sb
, void *data
)
1145 char *options
= data
;
1146 struct security_mnt_opts opts
;
1148 security_init_mnt_opts(&opts
);
1153 BUG_ON(sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
);
1155 rc
= selinux_parse_opts_str(options
, &opts
);
1160 rc
= selinux_set_mnt_opts(sb
, &opts
, 0, NULL
);
1163 security_free_mnt_opts(&opts
);
1167 static void selinux_write_opts(struct seq_file
*m
,
1168 struct security_mnt_opts
*opts
)
1173 for (i
= 0; i
< opts
->num_mnt_opts
; i
++) {
1176 if (opts
->mnt_opts
[i
])
1177 has_comma
= strchr(opts
->mnt_opts
[i
], ',');
1181 switch (opts
->mnt_opts_flags
[i
]) {
1183 prefix
= CONTEXT_STR
;
1186 prefix
= FSCONTEXT_STR
;
1188 case ROOTCONTEXT_MNT
:
1189 prefix
= ROOTCONTEXT_STR
;
1191 case DEFCONTEXT_MNT
:
1192 prefix
= DEFCONTEXT_STR
;
1196 seq_puts(m
, LABELSUPP_STR
);
1202 /* we need a comma before each option */
1204 seq_puts(m
, prefix
);
1207 seq_escape(m
, opts
->mnt_opts
[i
], "\"\n\\");
1213 static int selinux_sb_show_options(struct seq_file
*m
, struct super_block
*sb
)
1215 struct security_mnt_opts opts
;
1218 rc
= selinux_get_mnt_opts(sb
, &opts
);
1220 /* before policy load we may get EINVAL, don't show anything */
1226 selinux_write_opts(m
, &opts
);
1228 security_free_mnt_opts(&opts
);
1233 static inline u16
inode_mode_to_security_class(umode_t mode
)
1235 switch (mode
& S_IFMT
) {
1237 return SECCLASS_SOCK_FILE
;
1239 return SECCLASS_LNK_FILE
;
1241 return SECCLASS_FILE
;
1243 return SECCLASS_BLK_FILE
;
1245 return SECCLASS_DIR
;
1247 return SECCLASS_CHR_FILE
;
1249 return SECCLASS_FIFO_FILE
;
1253 return SECCLASS_FILE
;
1256 static inline int default_protocol_stream(int protocol
)
1258 return (protocol
== IPPROTO_IP
|| protocol
== IPPROTO_TCP
);
1261 static inline int default_protocol_dgram(int protocol
)
1263 return (protocol
== IPPROTO_IP
|| protocol
== IPPROTO_UDP
);
1266 static inline u16
socket_type_to_security_class(int family
, int type
, int protocol
)
1268 int extsockclass
= selinux_policycap_extsockclass
;
1274 case SOCK_SEQPACKET
:
1275 return SECCLASS_UNIX_STREAM_SOCKET
;
1277 return SECCLASS_UNIX_DGRAM_SOCKET
;
1284 case SOCK_SEQPACKET
:
1285 if (default_protocol_stream(protocol
))
1286 return SECCLASS_TCP_SOCKET
;
1287 else if (extsockclass
&& protocol
== IPPROTO_SCTP
)
1288 return SECCLASS_SCTP_SOCKET
;
1290 return SECCLASS_RAWIP_SOCKET
;
1292 if (default_protocol_dgram(protocol
))
1293 return SECCLASS_UDP_SOCKET
;
1294 else if (extsockclass
&& (protocol
== IPPROTO_ICMP
||
1295 protocol
== IPPROTO_ICMPV6
))
1296 return SECCLASS_ICMP_SOCKET
;
1298 return SECCLASS_RAWIP_SOCKET
;
1300 return SECCLASS_DCCP_SOCKET
;
1302 return SECCLASS_RAWIP_SOCKET
;
1308 return SECCLASS_NETLINK_ROUTE_SOCKET
;
1309 case NETLINK_SOCK_DIAG
:
1310 return SECCLASS_NETLINK_TCPDIAG_SOCKET
;
1312 return SECCLASS_NETLINK_NFLOG_SOCKET
;
1314 return SECCLASS_NETLINK_XFRM_SOCKET
;
1315 case NETLINK_SELINUX
:
1316 return SECCLASS_NETLINK_SELINUX_SOCKET
;
1318 return SECCLASS_NETLINK_ISCSI_SOCKET
;
1320 return SECCLASS_NETLINK_AUDIT_SOCKET
;
1321 case NETLINK_FIB_LOOKUP
:
1322 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET
;
1323 case NETLINK_CONNECTOR
:
1324 return SECCLASS_NETLINK_CONNECTOR_SOCKET
;
1325 case NETLINK_NETFILTER
:
1326 return SECCLASS_NETLINK_NETFILTER_SOCKET
;
1327 case NETLINK_DNRTMSG
:
1328 return SECCLASS_NETLINK_DNRT_SOCKET
;
1329 case NETLINK_KOBJECT_UEVENT
:
1330 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET
;
1331 case NETLINK_GENERIC
:
1332 return SECCLASS_NETLINK_GENERIC_SOCKET
;
1333 case NETLINK_SCSITRANSPORT
:
1334 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET
;
1336 return SECCLASS_NETLINK_RDMA_SOCKET
;
1337 case NETLINK_CRYPTO
:
1338 return SECCLASS_NETLINK_CRYPTO_SOCKET
;
1340 return SECCLASS_NETLINK_SOCKET
;
1343 return SECCLASS_PACKET_SOCKET
;
1345 return SECCLASS_KEY_SOCKET
;
1347 return SECCLASS_APPLETALK_SOCKET
;
1353 return SECCLASS_AX25_SOCKET
;
1355 return SECCLASS_IPX_SOCKET
;
1357 return SECCLASS_NETROM_SOCKET
;
1359 return SECCLASS_ATMPVC_SOCKET
;
1361 return SECCLASS_X25_SOCKET
;
1363 return SECCLASS_ROSE_SOCKET
;
1365 return SECCLASS_DECNET_SOCKET
;
1367 return SECCLASS_ATMSVC_SOCKET
;
1369 return SECCLASS_RDS_SOCKET
;
1371 return SECCLASS_IRDA_SOCKET
;
1373 return SECCLASS_PPPOX_SOCKET
;
1375 return SECCLASS_LLC_SOCKET
;
1377 return SECCLASS_CAN_SOCKET
;
1379 return SECCLASS_TIPC_SOCKET
;
1381 return SECCLASS_BLUETOOTH_SOCKET
;
1383 return SECCLASS_IUCV_SOCKET
;
1385 return SECCLASS_RXRPC_SOCKET
;
1387 return SECCLASS_ISDN_SOCKET
;
1389 return SECCLASS_PHONET_SOCKET
;
1391 return SECCLASS_IEEE802154_SOCKET
;
1393 return SECCLASS_CAIF_SOCKET
;
1395 return SECCLASS_ALG_SOCKET
;
1397 return SECCLASS_NFC_SOCKET
;
1399 return SECCLASS_VSOCK_SOCKET
;
1401 return SECCLASS_KCM_SOCKET
;
1403 return SECCLASS_QIPCRTR_SOCKET
;
1405 #error New address family defined, please update this function.
1410 return SECCLASS_SOCKET
;
1413 static int selinux_genfs_get_sid(struct dentry
*dentry
,
1419 struct super_block
*sb
= dentry
->d_sb
;
1420 char *buffer
, *path
;
1422 buffer
= (char *)__get_free_page(GFP_KERNEL
);
1426 path
= dentry_path_raw(dentry
, buffer
, PAGE_SIZE
);
1430 if (flags
& SE_SBPROC
) {
1431 /* each process gets a /proc/PID/ entry. Strip off the
1432 * PID part to get a valid selinux labeling.
1433 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1434 while (path
[1] >= '0' && path
[1] <= '9') {
1439 rc
= security_genfs_sid(sb
->s_type
->name
, path
, tclass
, sid
);
1441 free_page((unsigned long)buffer
);
1445 /* The inode's security attributes must be initialized before first use. */
1446 static int inode_doinit_with_dentry(struct inode
*inode
, struct dentry
*opt_dentry
)
1448 struct superblock_security_struct
*sbsec
= NULL
;
1449 struct inode_security_struct
*isec
= inode
->i_security
;
1450 u32 task_sid
, sid
= 0;
1452 struct dentry
*dentry
;
1453 #define INITCONTEXTLEN 255
1454 char *context
= NULL
;
1458 if (isec
->initialized
== LABEL_INITIALIZED
)
1461 spin_lock(&isec
->lock
);
1462 if (isec
->initialized
== LABEL_INITIALIZED
)
1465 if (isec
->sclass
== SECCLASS_FILE
)
1466 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
1468 sbsec
= inode
->i_sb
->s_security
;
1469 if (!(sbsec
->flags
& SE_SBINITIALIZED
)) {
1470 /* Defer initialization until selinux_complete_init,
1471 after the initial policy is loaded and the security
1472 server is ready to handle calls. */
1473 spin_lock(&sbsec
->isec_lock
);
1474 if (list_empty(&isec
->list
))
1475 list_add(&isec
->list
, &sbsec
->isec_head
);
1476 spin_unlock(&sbsec
->isec_lock
);
1480 sclass
= isec
->sclass
;
1481 task_sid
= isec
->task_sid
;
1483 isec
->initialized
= LABEL_PENDING
;
1484 spin_unlock(&isec
->lock
);
1486 switch (sbsec
->behavior
) {
1487 case SECURITY_FS_USE_NATIVE
:
1489 case SECURITY_FS_USE_XATTR
:
1490 if (!(inode
->i_opflags
& IOP_XATTR
)) {
1491 sid
= sbsec
->def_sid
;
1494 /* Need a dentry, since the xattr API requires one.
1495 Life would be simpler if we could just pass the inode. */
1497 /* Called from d_instantiate or d_splice_alias. */
1498 dentry
= dget(opt_dentry
);
1500 /* Called from selinux_complete_init, try to find a dentry. */
1501 dentry
= d_find_alias(inode
);
1505 * this is can be hit on boot when a file is accessed
1506 * before the policy is loaded. When we load policy we
1507 * may find inodes that have no dentry on the
1508 * sbsec->isec_head list. No reason to complain as these
1509 * will get fixed up the next time we go through
1510 * inode_doinit with a dentry, before these inodes could
1511 * be used again by userspace.
1516 len
= INITCONTEXTLEN
;
1517 context
= kmalloc(len
+1, GFP_NOFS
);
1523 context
[len
] = '\0';
1524 rc
= __vfs_getxattr(dentry
, inode
, XATTR_NAME_SELINUX
, context
, len
);
1525 if (rc
== -ERANGE
) {
1528 /* Need a larger buffer. Query for the right size. */
1529 rc
= __vfs_getxattr(dentry
, inode
, XATTR_NAME_SELINUX
, NULL
, 0);
1535 context
= kmalloc(len
+1, GFP_NOFS
);
1541 context
[len
] = '\0';
1542 rc
= __vfs_getxattr(dentry
, inode
, XATTR_NAME_SELINUX
, context
, len
);
1546 if (rc
!= -ENODATA
) {
1547 printk(KERN_WARNING
"SELinux: %s: getxattr returned "
1548 "%d for dev=%s ino=%ld\n", __func__
,
1549 -rc
, inode
->i_sb
->s_id
, inode
->i_ino
);
1553 /* Map ENODATA to the default file SID */
1554 sid
= sbsec
->def_sid
;
1557 rc
= security_context_to_sid_default(context
, rc
, &sid
,
1561 char *dev
= inode
->i_sb
->s_id
;
1562 unsigned long ino
= inode
->i_ino
;
1564 if (rc
== -EINVAL
) {
1565 if (printk_ratelimit())
1566 printk(KERN_NOTICE
"SELinux: inode=%lu on dev=%s was found to have an invalid "
1567 "context=%s. This indicates you may need to relabel the inode or the "
1568 "filesystem in question.\n", ino
, dev
, context
);
1570 printk(KERN_WARNING
"SELinux: %s: context_to_sid(%s) "
1571 "returned %d for dev=%s ino=%ld\n",
1572 __func__
, context
, -rc
, dev
, ino
);
1575 /* Leave with the unlabeled SID */
1582 case SECURITY_FS_USE_TASK
:
1585 case SECURITY_FS_USE_TRANS
:
1586 /* Default to the fs SID. */
1589 /* Try to obtain a transition SID. */
1590 rc
= security_transition_sid(task_sid
, sid
, sclass
, NULL
, &sid
);
1594 case SECURITY_FS_USE_MNTPOINT
:
1595 sid
= sbsec
->mntpoint_sid
;
1598 /* Default to the fs superblock SID. */
1601 if ((sbsec
->flags
& SE_SBGENFS
) && !S_ISLNK(inode
->i_mode
)) {
1602 /* We must have a dentry to determine the label on
1605 /* Called from d_instantiate or
1606 * d_splice_alias. */
1607 dentry
= dget(opt_dentry
);
1609 /* Called from selinux_complete_init, try to
1611 dentry
= d_find_alias(inode
);
1613 * This can be hit on boot when a file is accessed
1614 * before the policy is loaded. When we load policy we
1615 * may find inodes that have no dentry on the
1616 * sbsec->isec_head list. No reason to complain as
1617 * these will get fixed up the next time we go through
1618 * inode_doinit() with a dentry, before these inodes
1619 * could be used again by userspace.
1623 rc
= selinux_genfs_get_sid(dentry
, sclass
,
1624 sbsec
->flags
, &sid
);
1633 spin_lock(&isec
->lock
);
1634 if (isec
->initialized
== LABEL_PENDING
) {
1636 isec
->initialized
= LABEL_INVALID
;
1640 isec
->initialized
= LABEL_INITIALIZED
;
1645 spin_unlock(&isec
->lock
);
1649 /* Convert a Linux signal to an access vector. */
1650 static inline u32
signal_to_av(int sig
)
1656 /* Commonly granted from child to parent. */
1657 perm
= PROCESS__SIGCHLD
;
1660 /* Cannot be caught or ignored */
1661 perm
= PROCESS__SIGKILL
;
1664 /* Cannot be caught or ignored */
1665 perm
= PROCESS__SIGSTOP
;
1668 /* All other signals. */
1669 perm
= PROCESS__SIGNAL
;
1676 #if CAP_LAST_CAP > 63
1677 #error Fix SELinux to handle capabilities > 63.
1680 /* Check whether a task is allowed to use a capability. */
1681 static int cred_has_capability(const struct cred
*cred
,
1682 int cap
, int audit
, bool initns
)
1684 struct common_audit_data ad
;
1685 struct av_decision avd
;
1687 u32 sid
= cred_sid(cred
);
1688 u32 av
= CAP_TO_MASK(cap
);
1691 ad
.type
= LSM_AUDIT_DATA_CAP
;
1694 switch (CAP_TO_INDEX(cap
)) {
1696 sclass
= initns
? SECCLASS_CAPABILITY
: SECCLASS_CAP_USERNS
;
1699 sclass
= initns
? SECCLASS_CAPABILITY2
: SECCLASS_CAP2_USERNS
;
1703 "SELinux: out of range capability %d\n", cap
);
1708 rc
= avc_has_perm_noaudit(sid
, sid
, sclass
, av
, 0, &avd
);
1709 if (audit
== SECURITY_CAP_AUDIT
) {
1710 int rc2
= avc_audit(sid
, sid
, sclass
, av
, &avd
, rc
, &ad
, 0);
1717 /* Check whether a task has a particular permission to an inode.
1718 The 'adp' parameter is optional and allows other audit
1719 data to be passed (e.g. the dentry). */
1720 static int inode_has_perm(const struct cred
*cred
,
1721 struct inode
*inode
,
1723 struct common_audit_data
*adp
)
1725 struct inode_security_struct
*isec
;
1728 validate_creds(cred
);
1730 if (unlikely(IS_PRIVATE(inode
)))
1733 sid
= cred_sid(cred
);
1734 isec
= inode
->i_security
;
1736 return avc_has_perm(sid
, isec
->sid
, isec
->sclass
, perms
, adp
);
1739 /* Same as inode_has_perm, but pass explicit audit data containing
1740 the dentry to help the auditing code to more easily generate the
1741 pathname if needed. */
1742 static inline int dentry_has_perm(const struct cred
*cred
,
1743 struct dentry
*dentry
,
1746 struct inode
*inode
= d_backing_inode(dentry
);
1747 struct common_audit_data ad
;
1749 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1750 ad
.u
.dentry
= dentry
;
1751 __inode_security_revalidate(inode
, dentry
, true);
1752 return inode_has_perm(cred
, inode
, av
, &ad
);
1755 /* Same as inode_has_perm, but pass explicit audit data containing
1756 the path to help the auditing code to more easily generate the
1757 pathname if needed. */
1758 static inline int path_has_perm(const struct cred
*cred
,
1759 const struct path
*path
,
1762 struct inode
*inode
= d_backing_inode(path
->dentry
);
1763 struct common_audit_data ad
;
1765 ad
.type
= LSM_AUDIT_DATA_PATH
;
1767 __inode_security_revalidate(inode
, path
->dentry
, true);
1768 return inode_has_perm(cred
, inode
, av
, &ad
);
1771 /* Same as path_has_perm, but uses the inode from the file struct. */
1772 static inline int file_path_has_perm(const struct cred
*cred
,
1776 struct common_audit_data ad
;
1778 ad
.type
= LSM_AUDIT_DATA_FILE
;
1780 return inode_has_perm(cred
, file_inode(file
), av
, &ad
);
1783 /* Check whether a task can use an open file descriptor to
1784 access an inode in a given way. Check access to the
1785 descriptor itself, and then use dentry_has_perm to
1786 check a particular permission to the file.
1787 Access to the descriptor is implicitly granted if it
1788 has the same SID as the process. If av is zero, then
1789 access to the file is not checked, e.g. for cases
1790 where only the descriptor is affected like seek. */
1791 static int file_has_perm(const struct cred
*cred
,
1795 struct file_security_struct
*fsec
= file
->f_security
;
1796 struct inode
*inode
= file_inode(file
);
1797 struct common_audit_data ad
;
1798 u32 sid
= cred_sid(cred
);
1801 ad
.type
= LSM_AUDIT_DATA_FILE
;
1804 if (sid
!= fsec
->sid
) {
1805 rc
= avc_has_perm(sid
, fsec
->sid
,
1813 /* av is zero if only checking access to the descriptor. */
1816 rc
= inode_has_perm(cred
, inode
, av
, &ad
);
1823 * Determine the label for an inode that might be unioned.
1826 selinux_determine_inode_label(const struct task_security_struct
*tsec
,
1828 const struct qstr
*name
, u16 tclass
,
1831 const struct superblock_security_struct
*sbsec
= dir
->i_sb
->s_security
;
1833 if ((sbsec
->flags
& SE_SBINITIALIZED
) &&
1834 (sbsec
->behavior
== SECURITY_FS_USE_MNTPOINT
)) {
1835 *_new_isid
= sbsec
->mntpoint_sid
;
1836 } else if ((sbsec
->flags
& SBLABEL_MNT
) &&
1838 *_new_isid
= tsec
->create_sid
;
1840 const struct inode_security_struct
*dsec
= inode_security(dir
);
1841 return security_transition_sid(tsec
->sid
, dsec
->sid
, tclass
,
1848 /* Check whether a task can create a file. */
1849 static int may_create(struct inode
*dir
,
1850 struct dentry
*dentry
,
1853 const struct task_security_struct
*tsec
= current_security();
1854 struct inode_security_struct
*dsec
;
1855 struct superblock_security_struct
*sbsec
;
1857 struct common_audit_data ad
;
1860 dsec
= inode_security(dir
);
1861 sbsec
= dir
->i_sb
->s_security
;
1865 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1866 ad
.u
.dentry
= dentry
;
1868 rc
= avc_has_perm(sid
, dsec
->sid
, SECCLASS_DIR
,
1869 DIR__ADD_NAME
| DIR__SEARCH
,
1874 rc
= selinux_determine_inode_label(current_security(), dir
,
1875 &dentry
->d_name
, tclass
, &newsid
);
1879 rc
= avc_has_perm(sid
, newsid
, tclass
, FILE__CREATE
, &ad
);
1883 return avc_has_perm(newsid
, sbsec
->sid
,
1884 SECCLASS_FILESYSTEM
,
1885 FILESYSTEM__ASSOCIATE
, &ad
);
1889 #define MAY_UNLINK 1
1892 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1893 static int may_link(struct inode
*dir
,
1894 struct dentry
*dentry
,
1898 struct inode_security_struct
*dsec
, *isec
;
1899 struct common_audit_data ad
;
1900 u32 sid
= current_sid();
1904 dsec
= inode_security(dir
);
1905 isec
= backing_inode_security(dentry
);
1907 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1908 ad
.u
.dentry
= dentry
;
1911 av
|= (kind
? DIR__REMOVE_NAME
: DIR__ADD_NAME
);
1912 rc
= avc_has_perm(sid
, dsec
->sid
, SECCLASS_DIR
, av
, &ad
);
1927 printk(KERN_WARNING
"SELinux: %s: unrecognized kind %d\n",
1932 rc
= avc_has_perm(sid
, isec
->sid
, isec
->sclass
, av
, &ad
);
1936 static inline int may_rename(struct inode
*old_dir
,
1937 struct dentry
*old_dentry
,
1938 struct inode
*new_dir
,
1939 struct dentry
*new_dentry
)
1941 struct inode_security_struct
*old_dsec
, *new_dsec
, *old_isec
, *new_isec
;
1942 struct common_audit_data ad
;
1943 u32 sid
= current_sid();
1945 int old_is_dir
, new_is_dir
;
1948 old_dsec
= inode_security(old_dir
);
1949 old_isec
= backing_inode_security(old_dentry
);
1950 old_is_dir
= d_is_dir(old_dentry
);
1951 new_dsec
= inode_security(new_dir
);
1953 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1955 ad
.u
.dentry
= old_dentry
;
1956 rc
= avc_has_perm(sid
, old_dsec
->sid
, SECCLASS_DIR
,
1957 DIR__REMOVE_NAME
| DIR__SEARCH
, &ad
);
1960 rc
= avc_has_perm(sid
, old_isec
->sid
,
1961 old_isec
->sclass
, FILE__RENAME
, &ad
);
1964 if (old_is_dir
&& new_dir
!= old_dir
) {
1965 rc
= avc_has_perm(sid
, old_isec
->sid
,
1966 old_isec
->sclass
, DIR__REPARENT
, &ad
);
1971 ad
.u
.dentry
= new_dentry
;
1972 av
= DIR__ADD_NAME
| DIR__SEARCH
;
1973 if (d_is_positive(new_dentry
))
1974 av
|= DIR__REMOVE_NAME
;
1975 rc
= avc_has_perm(sid
, new_dsec
->sid
, SECCLASS_DIR
, av
, &ad
);
1978 if (d_is_positive(new_dentry
)) {
1979 new_isec
= backing_inode_security(new_dentry
);
1980 new_is_dir
= d_is_dir(new_dentry
);
1981 rc
= avc_has_perm(sid
, new_isec
->sid
,
1983 (new_is_dir
? DIR__RMDIR
: FILE__UNLINK
), &ad
);
1991 /* Check whether a task can perform a filesystem operation. */
1992 static int superblock_has_perm(const struct cred
*cred
,
1993 struct super_block
*sb
,
1995 struct common_audit_data
*ad
)
1997 struct superblock_security_struct
*sbsec
;
1998 u32 sid
= cred_sid(cred
);
2000 sbsec
= sb
->s_security
;
2001 return avc_has_perm(sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
, perms
, ad
);
2004 /* Convert a Linux mode and permission mask to an access vector. */
2005 static inline u32
file_mask_to_av(int mode
, int mask
)
2009 if (!S_ISDIR(mode
)) {
2010 if (mask
& MAY_EXEC
)
2011 av
|= FILE__EXECUTE
;
2012 if (mask
& MAY_READ
)
2015 if (mask
& MAY_APPEND
)
2017 else if (mask
& MAY_WRITE
)
2021 if (mask
& MAY_EXEC
)
2023 if (mask
& MAY_WRITE
)
2025 if (mask
& MAY_READ
)
2032 /* Convert a Linux file to an access vector. */
2033 static inline u32
file_to_av(struct file
*file
)
2037 if (file
->f_mode
& FMODE_READ
)
2039 if (file
->f_mode
& FMODE_WRITE
) {
2040 if (file
->f_flags
& O_APPEND
)
2047 * Special file opened with flags 3 for ioctl-only use.
2056 * Convert a file to an access vector and include the correct open
2059 static inline u32
open_file_to_av(struct file
*file
)
2061 u32 av
= file_to_av(file
);
2063 if (selinux_policycap_openperm
)
2069 /* Hook functions begin here. */
2071 static int selinux_binder_set_context_mgr(struct task_struct
*mgr
)
2073 u32 mysid
= current_sid();
2074 u32 mgrsid
= task_sid(mgr
);
2076 return avc_has_perm(mysid
, mgrsid
, SECCLASS_BINDER
,
2077 BINDER__SET_CONTEXT_MGR
, NULL
);
2080 static int selinux_binder_transaction(struct task_struct
*from
,
2081 struct task_struct
*to
)
2083 u32 mysid
= current_sid();
2084 u32 fromsid
= task_sid(from
);
2085 u32 tosid
= task_sid(to
);
2088 if (mysid
!= fromsid
) {
2089 rc
= avc_has_perm(mysid
, fromsid
, SECCLASS_BINDER
,
2090 BINDER__IMPERSONATE
, NULL
);
2095 return avc_has_perm(fromsid
, tosid
, SECCLASS_BINDER
, BINDER__CALL
,
2099 static int selinux_binder_transfer_binder(struct task_struct
*from
,
2100 struct task_struct
*to
)
2102 u32 fromsid
= task_sid(from
);
2103 u32 tosid
= task_sid(to
);
2105 return avc_has_perm(fromsid
, tosid
, SECCLASS_BINDER
, BINDER__TRANSFER
,
2109 static int selinux_binder_transfer_file(struct task_struct
*from
,
2110 struct task_struct
*to
,
2113 u32 sid
= task_sid(to
);
2114 struct file_security_struct
*fsec
= file
->f_security
;
2115 struct dentry
*dentry
= file
->f_path
.dentry
;
2116 struct inode_security_struct
*isec
;
2117 struct common_audit_data ad
;
2120 ad
.type
= LSM_AUDIT_DATA_PATH
;
2121 ad
.u
.path
= file
->f_path
;
2123 if (sid
!= fsec
->sid
) {
2124 rc
= avc_has_perm(sid
, fsec
->sid
,
2132 if (unlikely(IS_PRIVATE(d_backing_inode(dentry
))))
2135 isec
= backing_inode_security(dentry
);
2136 return avc_has_perm(sid
, isec
->sid
, isec
->sclass
, file_to_av(file
),
2140 static int selinux_ptrace_access_check(struct task_struct
*child
,
2143 u32 sid
= current_sid();
2144 u32 csid
= task_sid(child
);
2146 if (mode
& PTRACE_MODE_READ
)
2147 return avc_has_perm(sid
, csid
, SECCLASS_FILE
, FILE__READ
, NULL
);
2149 return avc_has_perm(sid
, csid
, SECCLASS_PROCESS
, PROCESS__PTRACE
, NULL
);
2152 static int selinux_ptrace_traceme(struct task_struct
*parent
)
2154 return avc_has_perm(task_sid(parent
), current_sid(), SECCLASS_PROCESS
,
2155 PROCESS__PTRACE
, NULL
);
2158 static int selinux_capget(struct task_struct
*target
, kernel_cap_t
*effective
,
2159 kernel_cap_t
*inheritable
, kernel_cap_t
*permitted
)
2161 return avc_has_perm(current_sid(), task_sid(target
), SECCLASS_PROCESS
,
2162 PROCESS__GETCAP
, NULL
);
2165 static int selinux_capset(struct cred
*new, const struct cred
*old
,
2166 const kernel_cap_t
*effective
,
2167 const kernel_cap_t
*inheritable
,
2168 const kernel_cap_t
*permitted
)
2170 return avc_has_perm(cred_sid(old
), cred_sid(new), SECCLASS_PROCESS
,
2171 PROCESS__SETCAP
, NULL
);
2175 * (This comment used to live with the selinux_task_setuid hook,
2176 * which was removed).
2178 * Since setuid only affects the current process, and since the SELinux
2179 * controls are not based on the Linux identity attributes, SELinux does not
2180 * need to control this operation. However, SELinux does control the use of
2181 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2184 static int selinux_capable(const struct cred
*cred
, struct user_namespace
*ns
,
2187 return cred_has_capability(cred
, cap
, audit
, ns
== &init_user_ns
);
2190 static int selinux_quotactl(int cmds
, int type
, int id
, struct super_block
*sb
)
2192 const struct cred
*cred
= current_cred();
2204 rc
= superblock_has_perm(cred
, sb
, FILESYSTEM__QUOTAMOD
, NULL
);
2209 rc
= superblock_has_perm(cred
, sb
, FILESYSTEM__QUOTAGET
, NULL
);
2212 rc
= 0; /* let the kernel handle invalid cmds */
2218 static int selinux_quota_on(struct dentry
*dentry
)
2220 const struct cred
*cred
= current_cred();
2222 return dentry_has_perm(cred
, dentry
, FILE__QUOTAON
);
2225 static int selinux_syslog(int type
)
2228 case SYSLOG_ACTION_READ_ALL
: /* Read last kernel messages */
2229 case SYSLOG_ACTION_SIZE_BUFFER
: /* Return size of the log buffer */
2230 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
2231 SECCLASS_SYSTEM
, SYSTEM__SYSLOG_READ
, NULL
);
2232 case SYSLOG_ACTION_CONSOLE_OFF
: /* Disable logging to console */
2233 case SYSLOG_ACTION_CONSOLE_ON
: /* Enable logging to console */
2234 /* Set level of messages printed to console */
2235 case SYSLOG_ACTION_CONSOLE_LEVEL
:
2236 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
2237 SECCLASS_SYSTEM
, SYSTEM__SYSLOG_CONSOLE
,
2240 /* All other syslog types */
2241 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
2242 SECCLASS_SYSTEM
, SYSTEM__SYSLOG_MOD
, NULL
);
2246 * Check that a process has enough memory to allocate a new virtual
2247 * mapping. 0 means there is enough memory for the allocation to
2248 * succeed and -ENOMEM implies there is not.
2250 * Do not audit the selinux permission check, as this is applied to all
2251 * processes that allocate mappings.
2253 static int selinux_vm_enough_memory(struct mm_struct
*mm
, long pages
)
2255 int rc
, cap_sys_admin
= 0;
2257 rc
= cred_has_capability(current_cred(), CAP_SYS_ADMIN
,
2258 SECURITY_CAP_NOAUDIT
, true);
2262 return cap_sys_admin
;
2265 /* binprm security operations */
2267 static u32
ptrace_parent_sid(void)
2270 struct task_struct
*tracer
;
2273 tracer
= ptrace_parent(current
);
2275 sid
= task_sid(tracer
);
2281 static int check_nnp_nosuid(const struct linux_binprm
*bprm
,
2282 const struct task_security_struct
*old_tsec
,
2283 const struct task_security_struct
*new_tsec
)
2285 int nnp
= (bprm
->unsafe
& LSM_UNSAFE_NO_NEW_PRIVS
);
2286 int nosuid
= !mnt_may_suid(bprm
->file
->f_path
.mnt
);
2289 if (!nnp
&& !nosuid
)
2290 return 0; /* neither NNP nor nosuid */
2292 if (new_tsec
->sid
== old_tsec
->sid
)
2293 return 0; /* No change in credentials */
2296 * The only transitions we permit under NNP or nosuid
2297 * are transitions to bounded SIDs, i.e. SIDs that are
2298 * guaranteed to only be allowed a subset of the permissions
2299 * of the current SID.
2301 rc
= security_bounded_transition(old_tsec
->sid
, new_tsec
->sid
);
2304 * On failure, preserve the errno values for NNP vs nosuid.
2305 * NNP: Operation not permitted for caller.
2306 * nosuid: Permission denied to file.
2316 static int selinux_bprm_set_creds(struct linux_binprm
*bprm
)
2318 const struct task_security_struct
*old_tsec
;
2319 struct task_security_struct
*new_tsec
;
2320 struct inode_security_struct
*isec
;
2321 struct common_audit_data ad
;
2322 struct inode
*inode
= file_inode(bprm
->file
);
2325 /* SELinux context only depends on initial program or script and not
2326 * the script interpreter */
2327 if (bprm
->cred_prepared
)
2330 old_tsec
= current_security();
2331 new_tsec
= bprm
->cred
->security
;
2332 isec
= inode_security(inode
);
2334 /* Default to the current task SID. */
2335 new_tsec
->sid
= old_tsec
->sid
;
2336 new_tsec
->osid
= old_tsec
->sid
;
2338 /* Reset fs, key, and sock SIDs on execve. */
2339 new_tsec
->create_sid
= 0;
2340 new_tsec
->keycreate_sid
= 0;
2341 new_tsec
->sockcreate_sid
= 0;
2343 if (old_tsec
->exec_sid
) {
2344 new_tsec
->sid
= old_tsec
->exec_sid
;
2345 /* Reset exec SID on execve. */
2346 new_tsec
->exec_sid
= 0;
2348 /* Fail on NNP or nosuid if not an allowed transition. */
2349 rc
= check_nnp_nosuid(bprm
, old_tsec
, new_tsec
);
2353 /* Check for a default transition on this program. */
2354 rc
= security_transition_sid(old_tsec
->sid
, isec
->sid
,
2355 SECCLASS_PROCESS
, NULL
,
2361 * Fallback to old SID on NNP or nosuid if not an allowed
2364 rc
= check_nnp_nosuid(bprm
, old_tsec
, new_tsec
);
2366 new_tsec
->sid
= old_tsec
->sid
;
2369 ad
.type
= LSM_AUDIT_DATA_FILE
;
2370 ad
.u
.file
= bprm
->file
;
2372 if (new_tsec
->sid
== old_tsec
->sid
) {
2373 rc
= avc_has_perm(old_tsec
->sid
, isec
->sid
,
2374 SECCLASS_FILE
, FILE__EXECUTE_NO_TRANS
, &ad
);
2378 /* Check permissions for the transition. */
2379 rc
= avc_has_perm(old_tsec
->sid
, new_tsec
->sid
,
2380 SECCLASS_PROCESS
, PROCESS__TRANSITION
, &ad
);
2384 rc
= avc_has_perm(new_tsec
->sid
, isec
->sid
,
2385 SECCLASS_FILE
, FILE__ENTRYPOINT
, &ad
);
2389 /* Check for shared state */
2390 if (bprm
->unsafe
& LSM_UNSAFE_SHARE
) {
2391 rc
= avc_has_perm(old_tsec
->sid
, new_tsec
->sid
,
2392 SECCLASS_PROCESS
, PROCESS__SHARE
,
2398 /* Make sure that anyone attempting to ptrace over a task that
2399 * changes its SID has the appropriate permit */
2401 (LSM_UNSAFE_PTRACE
| LSM_UNSAFE_PTRACE_CAP
)) {
2402 u32 ptsid
= ptrace_parent_sid();
2404 rc
= avc_has_perm(ptsid
, new_tsec
->sid
,
2406 PROCESS__PTRACE
, NULL
);
2412 /* Clear any possibly unsafe personality bits on exec: */
2413 bprm
->per_clear
|= PER_CLEAR_ON_SETID
;
2419 static int selinux_bprm_secureexec(struct linux_binprm
*bprm
)
2421 const struct task_security_struct
*tsec
= current_security();
2429 /* Enable secure mode for SIDs transitions unless
2430 the noatsecure permission is granted between
2431 the two SIDs, i.e. ahp returns 0. */
2432 atsecure
= avc_has_perm(osid
, sid
,
2434 PROCESS__NOATSECURE
, NULL
);
2440 static int match_file(const void *p
, struct file
*file
, unsigned fd
)
2442 return file_has_perm(p
, file
, file_to_av(file
)) ? fd
+ 1 : 0;
2445 /* Derived from fs/exec.c:flush_old_files. */
2446 static inline void flush_unauthorized_files(const struct cred
*cred
,
2447 struct files_struct
*files
)
2449 struct file
*file
, *devnull
= NULL
;
2450 struct tty_struct
*tty
;
2454 tty
= get_current_tty();
2456 spin_lock(&tty
->files_lock
);
2457 if (!list_empty(&tty
->tty_files
)) {
2458 struct tty_file_private
*file_priv
;
2460 /* Revalidate access to controlling tty.
2461 Use file_path_has_perm on the tty path directly
2462 rather than using file_has_perm, as this particular
2463 open file may belong to another process and we are
2464 only interested in the inode-based check here. */
2465 file_priv
= list_first_entry(&tty
->tty_files
,
2466 struct tty_file_private
, list
);
2467 file
= file_priv
->file
;
2468 if (file_path_has_perm(cred
, file
, FILE__READ
| FILE__WRITE
))
2471 spin_unlock(&tty
->files_lock
);
2474 /* Reset controlling tty. */
2478 /* Revalidate access to inherited open files. */
2479 n
= iterate_fd(files
, 0, match_file
, cred
);
2480 if (!n
) /* none found? */
2483 devnull
= dentry_open(&selinux_null
, O_RDWR
, cred
);
2484 if (IS_ERR(devnull
))
2486 /* replace all the matching ones with this */
2488 replace_fd(n
- 1, devnull
, 0);
2489 } while ((n
= iterate_fd(files
, n
, match_file
, cred
)) != 0);
2495 * Prepare a process for imminent new credential changes due to exec
2497 static void selinux_bprm_committing_creds(struct linux_binprm
*bprm
)
2499 struct task_security_struct
*new_tsec
;
2500 struct rlimit
*rlim
, *initrlim
;
2503 new_tsec
= bprm
->cred
->security
;
2504 if (new_tsec
->sid
== new_tsec
->osid
)
2507 /* Close files for which the new task SID is not authorized. */
2508 flush_unauthorized_files(bprm
->cred
, current
->files
);
2510 /* Always clear parent death signal on SID transitions. */
2511 current
->pdeath_signal
= 0;
2513 /* Check whether the new SID can inherit resource limits from the old
2514 * SID. If not, reset all soft limits to the lower of the current
2515 * task's hard limit and the init task's soft limit.
2517 * Note that the setting of hard limits (even to lower them) can be
2518 * controlled by the setrlimit check. The inclusion of the init task's
2519 * soft limit into the computation is to avoid resetting soft limits
2520 * higher than the default soft limit for cases where the default is
2521 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2523 rc
= avc_has_perm(new_tsec
->osid
, new_tsec
->sid
, SECCLASS_PROCESS
,
2524 PROCESS__RLIMITINH
, NULL
);
2526 /* protect against do_prlimit() */
2528 for (i
= 0; i
< RLIM_NLIMITS
; i
++) {
2529 rlim
= current
->signal
->rlim
+ i
;
2530 initrlim
= init_task
.signal
->rlim
+ i
;
2531 rlim
->rlim_cur
= min(rlim
->rlim_max
, initrlim
->rlim_cur
);
2533 task_unlock(current
);
2534 if (IS_ENABLED(CONFIG_POSIX_TIMERS
))
2535 update_rlimit_cpu(current
, rlimit(RLIMIT_CPU
));
2540 * Clean up the process immediately after the installation of new credentials
2543 static void selinux_bprm_committed_creds(struct linux_binprm
*bprm
)
2545 const struct task_security_struct
*tsec
= current_security();
2546 struct itimerval itimer
;
2556 /* Check whether the new SID can inherit signal state from the old SID.
2557 * If not, clear itimers to avoid subsequent signal generation and
2558 * flush and unblock signals.
2560 * This must occur _after_ the task SID has been updated so that any
2561 * kill done after the flush will be checked against the new SID.
2563 rc
= avc_has_perm(osid
, sid
, SECCLASS_PROCESS
, PROCESS__SIGINH
, NULL
);
2565 if (IS_ENABLED(CONFIG_POSIX_TIMERS
)) {
2566 memset(&itimer
, 0, sizeof itimer
);
2567 for (i
= 0; i
< 3; i
++)
2568 do_setitimer(i
, &itimer
, NULL
);
2570 spin_lock_irq(¤t
->sighand
->siglock
);
2571 if (!fatal_signal_pending(current
)) {
2572 flush_sigqueue(¤t
->pending
);
2573 flush_sigqueue(¤t
->signal
->shared_pending
);
2574 flush_signal_handlers(current
, 1);
2575 sigemptyset(¤t
->blocked
);
2576 recalc_sigpending();
2578 spin_unlock_irq(¤t
->sighand
->siglock
);
2581 /* Wake up the parent if it is waiting so that it can recheck
2582 * wait permission to the new task SID. */
2583 read_lock(&tasklist_lock
);
2584 __wake_up_parent(current
, current
->real_parent
);
2585 read_unlock(&tasklist_lock
);
2588 /* superblock security operations */
2590 static int selinux_sb_alloc_security(struct super_block
*sb
)
2592 return superblock_alloc_security(sb
);
2595 static void selinux_sb_free_security(struct super_block
*sb
)
2597 superblock_free_security(sb
);
2600 static inline int match_prefix(char *prefix
, int plen
, char *option
, int olen
)
2605 return !memcmp(prefix
, option
, plen
);
2608 static inline int selinux_option(char *option
, int len
)
2610 return (match_prefix(CONTEXT_STR
, sizeof(CONTEXT_STR
)-1, option
, len
) ||
2611 match_prefix(FSCONTEXT_STR
, sizeof(FSCONTEXT_STR
)-1, option
, len
) ||
2612 match_prefix(DEFCONTEXT_STR
, sizeof(DEFCONTEXT_STR
)-1, option
, len
) ||
2613 match_prefix(ROOTCONTEXT_STR
, sizeof(ROOTCONTEXT_STR
)-1, option
, len
) ||
2614 match_prefix(LABELSUPP_STR
, sizeof(LABELSUPP_STR
)-1, option
, len
));
2617 static inline void take_option(char **to
, char *from
, int *first
, int len
)
2624 memcpy(*to
, from
, len
);
2628 static inline void take_selinux_option(char **to
, char *from
, int *first
,
2631 int current_size
= 0;
2639 while (current_size
< len
) {
2649 static int selinux_sb_copy_data(char *orig
, char *copy
)
2651 int fnosec
, fsec
, rc
= 0;
2652 char *in_save
, *in_curr
, *in_end
;
2653 char *sec_curr
, *nosec_save
, *nosec
;
2659 nosec
= (char *)get_zeroed_page(GFP_KERNEL
);
2667 in_save
= in_end
= orig
;
2671 open_quote
= !open_quote
;
2672 if ((*in_end
== ',' && open_quote
== 0) ||
2674 int len
= in_end
- in_curr
;
2676 if (selinux_option(in_curr
, len
))
2677 take_selinux_option(&sec_curr
, in_curr
, &fsec
, len
);
2679 take_option(&nosec
, in_curr
, &fnosec
, len
);
2681 in_curr
= in_end
+ 1;
2683 } while (*in_end
++);
2685 strcpy(in_save
, nosec_save
);
2686 free_page((unsigned long)nosec_save
);
2691 static int selinux_sb_remount(struct super_block
*sb
, void *data
)
2694 struct security_mnt_opts opts
;
2695 char *secdata
, **mount_options
;
2696 struct superblock_security_struct
*sbsec
= sb
->s_security
;
2698 if (!(sbsec
->flags
& SE_SBINITIALIZED
))
2704 if (sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
)
2707 security_init_mnt_opts(&opts
);
2708 secdata
= alloc_secdata();
2711 rc
= selinux_sb_copy_data(data
, secdata
);
2713 goto out_free_secdata
;
2715 rc
= selinux_parse_opts_str(secdata
, &opts
);
2717 goto out_free_secdata
;
2719 mount_options
= opts
.mnt_opts
;
2720 flags
= opts
.mnt_opts_flags
;
2722 for (i
= 0; i
< opts
.num_mnt_opts
; i
++) {
2725 if (flags
[i
] == SBLABEL_MNT
)
2727 rc
= security_context_str_to_sid(mount_options
[i
], &sid
, GFP_KERNEL
);
2729 printk(KERN_WARNING
"SELinux: security_context_str_to_sid"
2730 "(%s) failed for (dev %s, type %s) errno=%d\n",
2731 mount_options
[i
], sb
->s_id
, sb
->s_type
->name
, rc
);
2737 if (bad_option(sbsec
, FSCONTEXT_MNT
, sbsec
->sid
, sid
))
2738 goto out_bad_option
;
2741 if (bad_option(sbsec
, CONTEXT_MNT
, sbsec
->mntpoint_sid
, sid
))
2742 goto out_bad_option
;
2744 case ROOTCONTEXT_MNT
: {
2745 struct inode_security_struct
*root_isec
;
2746 root_isec
= backing_inode_security(sb
->s_root
);
2748 if (bad_option(sbsec
, ROOTCONTEXT_MNT
, root_isec
->sid
, sid
))
2749 goto out_bad_option
;
2752 case DEFCONTEXT_MNT
:
2753 if (bad_option(sbsec
, DEFCONTEXT_MNT
, sbsec
->def_sid
, sid
))
2754 goto out_bad_option
;
2763 security_free_mnt_opts(&opts
);
2765 free_secdata(secdata
);
2768 printk(KERN_WARNING
"SELinux: unable to change security options "
2769 "during remount (dev %s, type=%s)\n", sb
->s_id
,
2774 static int selinux_sb_kern_mount(struct super_block
*sb
, int flags
, void *data
)
2776 const struct cred
*cred
= current_cred();
2777 struct common_audit_data ad
;
2780 rc
= superblock_doinit(sb
, data
);
2784 /* Allow all mounts performed by the kernel */
2785 if (flags
& MS_KERNMOUNT
)
2788 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
2789 ad
.u
.dentry
= sb
->s_root
;
2790 return superblock_has_perm(cred
, sb
, FILESYSTEM__MOUNT
, &ad
);
2793 static int selinux_sb_statfs(struct dentry
*dentry
)
2795 const struct cred
*cred
= current_cred();
2796 struct common_audit_data ad
;
2798 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
2799 ad
.u
.dentry
= dentry
->d_sb
->s_root
;
2800 return superblock_has_perm(cred
, dentry
->d_sb
, FILESYSTEM__GETATTR
, &ad
);
2803 static int selinux_mount(const char *dev_name
,
2804 const struct path
*path
,
2806 unsigned long flags
,
2809 const struct cred
*cred
= current_cred();
2811 if (flags
& MS_REMOUNT
)
2812 return superblock_has_perm(cred
, path
->dentry
->d_sb
,
2813 FILESYSTEM__REMOUNT
, NULL
);
2815 return path_has_perm(cred
, path
, FILE__MOUNTON
);
2818 static int selinux_umount(struct vfsmount
*mnt
, int flags
)
2820 const struct cred
*cred
= current_cred();
2822 return superblock_has_perm(cred
, mnt
->mnt_sb
,
2823 FILESYSTEM__UNMOUNT
, NULL
);
2826 /* inode security operations */
2828 static int selinux_inode_alloc_security(struct inode
*inode
)
2830 return inode_alloc_security(inode
);
2833 static void selinux_inode_free_security(struct inode
*inode
)
2835 inode_free_security(inode
);
2838 static int selinux_dentry_init_security(struct dentry
*dentry
, int mode
,
2839 const struct qstr
*name
, void **ctx
,
2845 rc
= selinux_determine_inode_label(current_security(),
2846 d_inode(dentry
->d_parent
), name
,
2847 inode_mode_to_security_class(mode
),
2852 return security_sid_to_context(newsid
, (char **)ctx
, ctxlen
);
2855 static int selinux_dentry_create_files_as(struct dentry
*dentry
, int mode
,
2857 const struct cred
*old
,
2862 struct task_security_struct
*tsec
;
2864 rc
= selinux_determine_inode_label(old
->security
,
2865 d_inode(dentry
->d_parent
), name
,
2866 inode_mode_to_security_class(mode
),
2871 tsec
= new->security
;
2872 tsec
->create_sid
= newsid
;
2876 static int selinux_inode_init_security(struct inode
*inode
, struct inode
*dir
,
2877 const struct qstr
*qstr
,
2879 void **value
, size_t *len
)
2881 const struct task_security_struct
*tsec
= current_security();
2882 struct superblock_security_struct
*sbsec
;
2883 u32 sid
, newsid
, clen
;
2887 sbsec
= dir
->i_sb
->s_security
;
2890 newsid
= tsec
->create_sid
;
2892 rc
= selinux_determine_inode_label(current_security(),
2894 inode_mode_to_security_class(inode
->i_mode
),
2899 /* Possibly defer initialization to selinux_complete_init. */
2900 if (sbsec
->flags
& SE_SBINITIALIZED
) {
2901 struct inode_security_struct
*isec
= inode
->i_security
;
2902 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
2904 isec
->initialized
= LABEL_INITIALIZED
;
2907 if (!ss_initialized
|| !(sbsec
->flags
& SBLABEL_MNT
))
2911 *name
= XATTR_SELINUX_SUFFIX
;
2914 rc
= security_sid_to_context_force(newsid
, &context
, &clen
);
2924 static int selinux_inode_create(struct inode
*dir
, struct dentry
*dentry
, umode_t mode
)
2926 return may_create(dir
, dentry
, SECCLASS_FILE
);
2929 static int selinux_inode_link(struct dentry
*old_dentry
, struct inode
*dir
, struct dentry
*new_dentry
)
2931 return may_link(dir
, old_dentry
, MAY_LINK
);
2934 static int selinux_inode_unlink(struct inode
*dir
, struct dentry
*dentry
)
2936 return may_link(dir
, dentry
, MAY_UNLINK
);
2939 static int selinux_inode_symlink(struct inode
*dir
, struct dentry
*dentry
, const char *name
)
2941 return may_create(dir
, dentry
, SECCLASS_LNK_FILE
);
2944 static int selinux_inode_mkdir(struct inode
*dir
, struct dentry
*dentry
, umode_t mask
)
2946 return may_create(dir
, dentry
, SECCLASS_DIR
);
2949 static int selinux_inode_rmdir(struct inode
*dir
, struct dentry
*dentry
)
2951 return may_link(dir
, dentry
, MAY_RMDIR
);
2954 static int selinux_inode_mknod(struct inode
*dir
, struct dentry
*dentry
, umode_t mode
, dev_t dev
)
2956 return may_create(dir
, dentry
, inode_mode_to_security_class(mode
));
2959 static int selinux_inode_rename(struct inode
*old_inode
, struct dentry
*old_dentry
,
2960 struct inode
*new_inode
, struct dentry
*new_dentry
)
2962 return may_rename(old_inode
, old_dentry
, new_inode
, new_dentry
);
2965 static int selinux_inode_readlink(struct dentry
*dentry
)
2967 const struct cred
*cred
= current_cred();
2969 return dentry_has_perm(cred
, dentry
, FILE__READ
);
2972 static int selinux_inode_follow_link(struct dentry
*dentry
, struct inode
*inode
,
2975 const struct cred
*cred
= current_cred();
2976 struct common_audit_data ad
;
2977 struct inode_security_struct
*isec
;
2980 validate_creds(cred
);
2982 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
2983 ad
.u
.dentry
= dentry
;
2984 sid
= cred_sid(cred
);
2985 isec
= inode_security_rcu(inode
, rcu
);
2987 return PTR_ERR(isec
);
2989 return avc_has_perm_flags(sid
, isec
->sid
, isec
->sclass
, FILE__READ
, &ad
,
2990 rcu
? MAY_NOT_BLOCK
: 0);
2993 static noinline
int audit_inode_permission(struct inode
*inode
,
2994 u32 perms
, u32 audited
, u32 denied
,
2998 struct common_audit_data ad
;
2999 struct inode_security_struct
*isec
= inode
->i_security
;
3002 ad
.type
= LSM_AUDIT_DATA_INODE
;
3005 rc
= slow_avc_audit(current_sid(), isec
->sid
, isec
->sclass
, perms
,
3006 audited
, denied
, result
, &ad
, flags
);
3012 static int selinux_inode_permission(struct inode
*inode
, int mask
)
3014 const struct cred
*cred
= current_cred();
3017 unsigned flags
= mask
& MAY_NOT_BLOCK
;
3018 struct inode_security_struct
*isec
;
3020 struct av_decision avd
;
3022 u32 audited
, denied
;
3024 from_access
= mask
& MAY_ACCESS
;
3025 mask
&= (MAY_READ
|MAY_WRITE
|MAY_EXEC
|MAY_APPEND
);
3027 /* No permission to check. Existence test. */
3031 validate_creds(cred
);
3033 if (unlikely(IS_PRIVATE(inode
)))
3036 perms
= file_mask_to_av(inode
->i_mode
, mask
);
3038 sid
= cred_sid(cred
);
3039 isec
= inode_security_rcu(inode
, flags
& MAY_NOT_BLOCK
);
3041 return PTR_ERR(isec
);
3043 rc
= avc_has_perm_noaudit(sid
, isec
->sid
, isec
->sclass
, perms
, 0, &avd
);
3044 audited
= avc_audit_required(perms
, &avd
, rc
,
3045 from_access
? FILE__AUDIT_ACCESS
: 0,
3047 if (likely(!audited
))
3050 rc2
= audit_inode_permission(inode
, perms
, audited
, denied
, rc
, flags
);
3056 static int selinux_inode_setattr(struct dentry
*dentry
, struct iattr
*iattr
)
3058 const struct cred
*cred
= current_cred();
3059 unsigned int ia_valid
= iattr
->ia_valid
;
3060 __u32 av
= FILE__WRITE
;
3062 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3063 if (ia_valid
& ATTR_FORCE
) {
3064 ia_valid
&= ~(ATTR_KILL_SUID
| ATTR_KILL_SGID
| ATTR_MODE
|
3070 if (ia_valid
& (ATTR_MODE
| ATTR_UID
| ATTR_GID
|
3071 ATTR_ATIME_SET
| ATTR_MTIME_SET
| ATTR_TIMES_SET
))
3072 return dentry_has_perm(cred
, dentry
, FILE__SETATTR
);
3074 if (selinux_policycap_openperm
&& (ia_valid
& ATTR_SIZE
)
3075 && !(ia_valid
& ATTR_FILE
))
3078 return dentry_has_perm(cred
, dentry
, av
);
3081 static int selinux_inode_getattr(const struct path
*path
)
3083 return path_has_perm(current_cred(), path
, FILE__GETATTR
);
3086 static int selinux_inode_setotherxattr(struct dentry
*dentry
, const char *name
)
3088 const struct cred
*cred
= current_cred();
3090 if (!strncmp(name
, XATTR_SECURITY_PREFIX
,
3091 sizeof XATTR_SECURITY_PREFIX
- 1)) {
3092 if (!strcmp(name
, XATTR_NAME_CAPS
)) {
3093 if (!capable(CAP_SETFCAP
))
3095 } else if (!capable(CAP_SYS_ADMIN
)) {
3096 /* A different attribute in the security namespace.
3097 Restrict to administrator. */
3102 /* Not an attribute we recognize, so just check the
3103 ordinary setattr permission. */
3104 return dentry_has_perm(cred
, dentry
, FILE__SETATTR
);
3107 static int selinux_inode_setxattr(struct dentry
*dentry
, const char *name
,
3108 const void *value
, size_t size
, int flags
)
3110 struct inode
*inode
= d_backing_inode(dentry
);
3111 struct inode_security_struct
*isec
;
3112 struct superblock_security_struct
*sbsec
;
3113 struct common_audit_data ad
;
3114 u32 newsid
, sid
= current_sid();
3117 if (strcmp(name
, XATTR_NAME_SELINUX
))
3118 return selinux_inode_setotherxattr(dentry
, name
);
3120 sbsec
= inode
->i_sb
->s_security
;
3121 if (!(sbsec
->flags
& SBLABEL_MNT
))
3124 if (!inode_owner_or_capable(inode
))
3127 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
3128 ad
.u
.dentry
= dentry
;
3130 isec
= backing_inode_security(dentry
);
3131 rc
= avc_has_perm(sid
, isec
->sid
, isec
->sclass
,
3132 FILE__RELABELFROM
, &ad
);
3136 rc
= security_context_to_sid(value
, size
, &newsid
, GFP_KERNEL
);
3137 if (rc
== -EINVAL
) {
3138 if (!capable(CAP_MAC_ADMIN
)) {
3139 struct audit_buffer
*ab
;
3143 /* We strip a nul only if it is at the end, otherwise the
3144 * context contains a nul and we should audit that */
3147 if (str
[size
- 1] == '\0')
3148 audit_size
= size
- 1;
3155 ab
= audit_log_start(current
->audit_context
, GFP_ATOMIC
, AUDIT_SELINUX_ERR
);
3156 audit_log_format(ab
, "op=setxattr invalid_context=");
3157 audit_log_n_untrustedstring(ab
, value
, audit_size
);
3162 rc
= security_context_to_sid_force(value
, size
, &newsid
);
3167 rc
= avc_has_perm(sid
, newsid
, isec
->sclass
,
3168 FILE__RELABELTO
, &ad
);
3172 rc
= security_validate_transition(isec
->sid
, newsid
, sid
,
3177 return avc_has_perm(newsid
,
3179 SECCLASS_FILESYSTEM
,
3180 FILESYSTEM__ASSOCIATE
,
3184 static void selinux_inode_post_setxattr(struct dentry
*dentry
, const char *name
,
3185 const void *value
, size_t size
,
3188 struct inode
*inode
= d_backing_inode(dentry
);
3189 struct inode_security_struct
*isec
;
3193 if (strcmp(name
, XATTR_NAME_SELINUX
)) {
3194 /* Not an attribute we recognize, so nothing to do. */
3198 rc
= security_context_to_sid_force(value
, size
, &newsid
);
3200 printk(KERN_ERR
"SELinux: unable to map context to SID"
3201 "for (%s, %lu), rc=%d\n",
3202 inode
->i_sb
->s_id
, inode
->i_ino
, -rc
);
3206 isec
= backing_inode_security(dentry
);
3207 spin_lock(&isec
->lock
);
3208 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
3210 isec
->initialized
= LABEL_INITIALIZED
;
3211 spin_unlock(&isec
->lock
);
3216 static int selinux_inode_getxattr(struct dentry
*dentry
, const char *name
)
3218 const struct cred
*cred
= current_cred();
3220 return dentry_has_perm(cred
, dentry
, FILE__GETATTR
);
3223 static int selinux_inode_listxattr(struct dentry
*dentry
)
3225 const struct cred
*cred
= current_cred();
3227 return dentry_has_perm(cred
, dentry
, FILE__GETATTR
);
3230 static int selinux_inode_removexattr(struct dentry
*dentry
, const char *name
)
3232 if (strcmp(name
, XATTR_NAME_SELINUX
))
3233 return selinux_inode_setotherxattr(dentry
, name
);
3235 /* No one is allowed to remove a SELinux security label.
3236 You can change the label, but all data must be labeled. */
3241 * Copy the inode security context value to the user.
3243 * Permission check is handled by selinux_inode_getxattr hook.
3245 static int selinux_inode_getsecurity(struct inode
*inode
, const char *name
, void **buffer
, bool alloc
)
3249 char *context
= NULL
;
3250 struct inode_security_struct
*isec
;
3252 if (strcmp(name
, XATTR_SELINUX_SUFFIX
))
3256 * If the caller has CAP_MAC_ADMIN, then get the raw context
3257 * value even if it is not defined by current policy; otherwise,
3258 * use the in-core value under current policy.
3259 * Use the non-auditing forms of the permission checks since
3260 * getxattr may be called by unprivileged processes commonly
3261 * and lack of permission just means that we fall back to the
3262 * in-core context value, not a denial.
3264 error
= cap_capable(current_cred(), &init_user_ns
, CAP_MAC_ADMIN
,
3265 SECURITY_CAP_NOAUDIT
);
3267 error
= cred_has_capability(current_cred(), CAP_MAC_ADMIN
,
3268 SECURITY_CAP_NOAUDIT
, true);
3269 isec
= inode_security(inode
);
3271 error
= security_sid_to_context_force(isec
->sid
, &context
,
3274 error
= security_sid_to_context(isec
->sid
, &context
, &size
);
3287 static int selinux_inode_setsecurity(struct inode
*inode
, const char *name
,
3288 const void *value
, size_t size
, int flags
)
3290 struct inode_security_struct
*isec
= inode_security_novalidate(inode
);
3294 if (strcmp(name
, XATTR_SELINUX_SUFFIX
))
3297 if (!value
|| !size
)
3300 rc
= security_context_to_sid(value
, size
, &newsid
, GFP_KERNEL
);
3304 spin_lock(&isec
->lock
);
3305 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
3307 isec
->initialized
= LABEL_INITIALIZED
;
3308 spin_unlock(&isec
->lock
);
3312 static int selinux_inode_listsecurity(struct inode
*inode
, char *buffer
, size_t buffer_size
)
3314 const int len
= sizeof(XATTR_NAME_SELINUX
);
3315 if (buffer
&& len
<= buffer_size
)
3316 memcpy(buffer
, XATTR_NAME_SELINUX
, len
);
3320 static void selinux_inode_getsecid(struct inode
*inode
, u32
*secid
)
3322 struct inode_security_struct
*isec
= inode_security_novalidate(inode
);
3326 static int selinux_inode_copy_up(struct dentry
*src
, struct cred
**new)
3329 struct task_security_struct
*tsec
;
3330 struct cred
*new_creds
= *new;
3332 if (new_creds
== NULL
) {
3333 new_creds
= prepare_creds();
3338 tsec
= new_creds
->security
;
3339 /* Get label from overlay inode and set it in create_sid */
3340 selinux_inode_getsecid(d_inode(src
), &sid
);
3341 tsec
->create_sid
= sid
;
3346 static int selinux_inode_copy_up_xattr(const char *name
)
3348 /* The copy_up hook above sets the initial context on an inode, but we
3349 * don't then want to overwrite it by blindly copying all the lower
3350 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3352 if (strcmp(name
, XATTR_NAME_SELINUX
) == 0)
3353 return 1; /* Discard */
3355 * Any other attribute apart from SELINUX is not claimed, supported
3361 /* file security operations */
3363 static int selinux_revalidate_file_permission(struct file
*file
, int mask
)
3365 const struct cred
*cred
= current_cred();
3366 struct inode
*inode
= file_inode(file
);
3368 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3369 if ((file
->f_flags
& O_APPEND
) && (mask
& MAY_WRITE
))
3372 return file_has_perm(cred
, file
,
3373 file_mask_to_av(inode
->i_mode
, mask
));
3376 static int selinux_file_permission(struct file
*file
, int mask
)
3378 struct inode
*inode
= file_inode(file
);
3379 struct file_security_struct
*fsec
= file
->f_security
;
3380 struct inode_security_struct
*isec
;
3381 u32 sid
= current_sid();
3384 /* No permission to check. Existence test. */
3387 isec
= inode_security(inode
);
3388 if (sid
== fsec
->sid
&& fsec
->isid
== isec
->sid
&&
3389 fsec
->pseqno
== avc_policy_seqno())
3390 /* No change since file_open check. */
3393 return selinux_revalidate_file_permission(file
, mask
);
3396 static int selinux_file_alloc_security(struct file
*file
)
3398 return file_alloc_security(file
);
3401 static void selinux_file_free_security(struct file
*file
)
3403 file_free_security(file
);
3407 * Check whether a task has the ioctl permission and cmd
3408 * operation to an inode.
3410 static int ioctl_has_perm(const struct cred
*cred
, struct file
*file
,
3411 u32 requested
, u16 cmd
)
3413 struct common_audit_data ad
;
3414 struct file_security_struct
*fsec
= file
->f_security
;
3415 struct inode
*inode
= file_inode(file
);
3416 struct inode_security_struct
*isec
;
3417 struct lsm_ioctlop_audit ioctl
;
3418 u32 ssid
= cred_sid(cred
);
3420 u8 driver
= cmd
>> 8;
3421 u8 xperm
= cmd
& 0xff;
3423 ad
.type
= LSM_AUDIT_DATA_IOCTL_OP
;
3426 ad
.u
.op
->path
= file
->f_path
;
3428 if (ssid
!= fsec
->sid
) {
3429 rc
= avc_has_perm(ssid
, fsec
->sid
,
3437 if (unlikely(IS_PRIVATE(inode
)))
3440 isec
= inode_security(inode
);
3441 rc
= avc_has_extended_perms(ssid
, isec
->sid
, isec
->sclass
,
3442 requested
, driver
, xperm
, &ad
);
3447 static int selinux_file_ioctl(struct file
*file
, unsigned int cmd
,
3450 const struct cred
*cred
= current_cred();
3460 case FS_IOC_GETFLAGS
:
3462 case FS_IOC_GETVERSION
:
3463 error
= file_has_perm(cred
, file
, FILE__GETATTR
);
3466 case FS_IOC_SETFLAGS
:
3468 case FS_IOC_SETVERSION
:
3469 error
= file_has_perm(cred
, file
, FILE__SETATTR
);
3472 /* sys_ioctl() checks */
3476 error
= file_has_perm(cred
, file
, 0);
3481 error
= cred_has_capability(cred
, CAP_SYS_TTY_CONFIG
,
3482 SECURITY_CAP_AUDIT
, true);
3485 /* default case assumes that the command will go
3486 * to the file's ioctl() function.
3489 error
= ioctl_has_perm(cred
, file
, FILE__IOCTL
, (u16
) cmd
);
3494 static int default_noexec
;
3496 static int file_map_prot_check(struct file
*file
, unsigned long prot
, int shared
)
3498 const struct cred
*cred
= current_cred();
3499 u32 sid
= cred_sid(cred
);
3502 if (default_noexec
&&
3503 (prot
& PROT_EXEC
) && (!file
|| IS_PRIVATE(file_inode(file
)) ||
3504 (!shared
&& (prot
& PROT_WRITE
)))) {
3506 * We are making executable an anonymous mapping or a
3507 * private file mapping that will also be writable.
3508 * This has an additional check.
3510 rc
= avc_has_perm(sid
, sid
, SECCLASS_PROCESS
,
3511 PROCESS__EXECMEM
, NULL
);
3517 /* read access is always possible with a mapping */
3518 u32 av
= FILE__READ
;
3520 /* write access only matters if the mapping is shared */
3521 if (shared
&& (prot
& PROT_WRITE
))
3524 if (prot
& PROT_EXEC
)
3525 av
|= FILE__EXECUTE
;
3527 return file_has_perm(cred
, file
, av
);
3534 static int selinux_mmap_addr(unsigned long addr
)
3538 if (addr
< CONFIG_LSM_MMAP_MIN_ADDR
) {
3539 u32 sid
= current_sid();
3540 rc
= avc_has_perm(sid
, sid
, SECCLASS_MEMPROTECT
,
3541 MEMPROTECT__MMAP_ZERO
, NULL
);
3547 static int selinux_mmap_file(struct file
*file
, unsigned long reqprot
,
3548 unsigned long prot
, unsigned long flags
)
3550 if (selinux_checkreqprot
)
3553 return file_map_prot_check(file
, prot
,
3554 (flags
& MAP_TYPE
) == MAP_SHARED
);
3557 static int selinux_file_mprotect(struct vm_area_struct
*vma
,
3558 unsigned long reqprot
,
3561 const struct cred
*cred
= current_cred();
3562 u32 sid
= cred_sid(cred
);
3564 if (selinux_checkreqprot
)
3567 if (default_noexec
&&
3568 (prot
& PROT_EXEC
) && !(vma
->vm_flags
& VM_EXEC
)) {
3570 if (vma
->vm_start
>= vma
->vm_mm
->start_brk
&&
3571 vma
->vm_end
<= vma
->vm_mm
->brk
) {
3572 rc
= avc_has_perm(sid
, sid
, SECCLASS_PROCESS
,
3573 PROCESS__EXECHEAP
, NULL
);
3574 } else if (!vma
->vm_file
&&
3575 ((vma
->vm_start
<= vma
->vm_mm
->start_stack
&&
3576 vma
->vm_end
>= vma
->vm_mm
->start_stack
) ||
3577 vma_is_stack_for_current(vma
))) {
3578 rc
= avc_has_perm(sid
, sid
, SECCLASS_PROCESS
,
3579 PROCESS__EXECSTACK
, NULL
);
3580 } else if (vma
->vm_file
&& vma
->anon_vma
) {
3582 * We are making executable a file mapping that has
3583 * had some COW done. Since pages might have been
3584 * written, check ability to execute the possibly
3585 * modified content. This typically should only
3586 * occur for text relocations.
3588 rc
= file_has_perm(cred
, vma
->vm_file
, FILE__EXECMOD
);
3594 return file_map_prot_check(vma
->vm_file
, prot
, vma
->vm_flags
&VM_SHARED
);
3597 static int selinux_file_lock(struct file
*file
, unsigned int cmd
)
3599 const struct cred
*cred
= current_cred();
3601 return file_has_perm(cred
, file
, FILE__LOCK
);
3604 static int selinux_file_fcntl(struct file
*file
, unsigned int cmd
,
3607 const struct cred
*cred
= current_cred();
3612 if ((file
->f_flags
& O_APPEND
) && !(arg
& O_APPEND
)) {
3613 err
= file_has_perm(cred
, file
, FILE__WRITE
);
3622 case F_GETOWNER_UIDS
:
3623 /* Just check FD__USE permission */
3624 err
= file_has_perm(cred
, file
, 0);
3632 #if BITS_PER_LONG == 32
3637 err
= file_has_perm(cred
, file
, FILE__LOCK
);
3644 static void selinux_file_set_fowner(struct file
*file
)
3646 struct file_security_struct
*fsec
;
3648 fsec
= file
->f_security
;
3649 fsec
->fown_sid
= current_sid();
3652 static int selinux_file_send_sigiotask(struct task_struct
*tsk
,
3653 struct fown_struct
*fown
, int signum
)
3656 u32 sid
= task_sid(tsk
);
3658 struct file_security_struct
*fsec
;
3660 /* struct fown_struct is never outside the context of a struct file */
3661 file
= container_of(fown
, struct file
, f_owner
);
3663 fsec
= file
->f_security
;
3666 perm
= signal_to_av(SIGIO
); /* as per send_sigio_to_task */
3668 perm
= signal_to_av(signum
);
3670 return avc_has_perm(fsec
->fown_sid
, sid
,
3671 SECCLASS_PROCESS
, perm
, NULL
);
3674 static int selinux_file_receive(struct file
*file
)
3676 const struct cred
*cred
= current_cred();
3678 return file_has_perm(cred
, file
, file_to_av(file
));
3681 static int selinux_file_open(struct file
*file
, const struct cred
*cred
)
3683 struct file_security_struct
*fsec
;
3684 struct inode_security_struct
*isec
;
3686 fsec
= file
->f_security
;
3687 isec
= inode_security(file_inode(file
));
3689 * Save inode label and policy sequence number
3690 * at open-time so that selinux_file_permission
3691 * can determine whether revalidation is necessary.
3692 * Task label is already saved in the file security
3693 * struct as its SID.
3695 fsec
->isid
= isec
->sid
;
3696 fsec
->pseqno
= avc_policy_seqno();
3698 * Since the inode label or policy seqno may have changed
3699 * between the selinux_inode_permission check and the saving
3700 * of state above, recheck that access is still permitted.
3701 * Otherwise, access might never be revalidated against the
3702 * new inode label or new policy.
3703 * This check is not redundant - do not remove.
3705 return file_path_has_perm(cred
, file
, open_file_to_av(file
));
3708 /* task security operations */
3710 static int selinux_task_create(unsigned long clone_flags
)
3712 u32 sid
= current_sid();
3714 return avc_has_perm(sid
, sid
, SECCLASS_PROCESS
, PROCESS__FORK
, NULL
);
3718 * allocate the SELinux part of blank credentials
3720 static int selinux_cred_alloc_blank(struct cred
*cred
, gfp_t gfp
)
3722 struct task_security_struct
*tsec
;
3724 tsec
= kzalloc(sizeof(struct task_security_struct
), gfp
);
3728 cred
->security
= tsec
;
3733 * detach and free the LSM part of a set of credentials
3735 static void selinux_cred_free(struct cred
*cred
)
3737 struct task_security_struct
*tsec
= cred
->security
;
3740 * cred->security == NULL if security_cred_alloc_blank() or
3741 * security_prepare_creds() returned an error.
3743 BUG_ON(cred
->security
&& (unsigned long) cred
->security
< PAGE_SIZE
);
3744 cred
->security
= (void *) 0x7UL
;
3749 * prepare a new set of credentials for modification
3751 static int selinux_cred_prepare(struct cred
*new, const struct cred
*old
,
3754 const struct task_security_struct
*old_tsec
;
3755 struct task_security_struct
*tsec
;
3757 old_tsec
= old
->security
;
3759 tsec
= kmemdup(old_tsec
, sizeof(struct task_security_struct
), gfp
);
3763 new->security
= tsec
;
3768 * transfer the SELinux data to a blank set of creds
3770 static void selinux_cred_transfer(struct cred
*new, const struct cred
*old
)
3772 const struct task_security_struct
*old_tsec
= old
->security
;
3773 struct task_security_struct
*tsec
= new->security
;
3779 * set the security data for a kernel service
3780 * - all the creation contexts are set to unlabelled
3782 static int selinux_kernel_act_as(struct cred
*new, u32 secid
)
3784 struct task_security_struct
*tsec
= new->security
;
3785 u32 sid
= current_sid();
3788 ret
= avc_has_perm(sid
, secid
,
3789 SECCLASS_KERNEL_SERVICE
,
3790 KERNEL_SERVICE__USE_AS_OVERRIDE
,
3794 tsec
->create_sid
= 0;
3795 tsec
->keycreate_sid
= 0;
3796 tsec
->sockcreate_sid
= 0;
3802 * set the file creation context in a security record to the same as the
3803 * objective context of the specified inode
3805 static int selinux_kernel_create_files_as(struct cred
*new, struct inode
*inode
)
3807 struct inode_security_struct
*isec
= inode_security(inode
);
3808 struct task_security_struct
*tsec
= new->security
;
3809 u32 sid
= current_sid();
3812 ret
= avc_has_perm(sid
, isec
->sid
,
3813 SECCLASS_KERNEL_SERVICE
,
3814 KERNEL_SERVICE__CREATE_FILES_AS
,
3818 tsec
->create_sid
= isec
->sid
;
3822 static int selinux_kernel_module_request(char *kmod_name
)
3824 struct common_audit_data ad
;
3826 ad
.type
= LSM_AUDIT_DATA_KMOD
;
3827 ad
.u
.kmod_name
= kmod_name
;
3829 return avc_has_perm(current_sid(), SECINITSID_KERNEL
, SECCLASS_SYSTEM
,
3830 SYSTEM__MODULE_REQUEST
, &ad
);
3833 static int selinux_kernel_module_from_file(struct file
*file
)
3835 struct common_audit_data ad
;
3836 struct inode_security_struct
*isec
;
3837 struct file_security_struct
*fsec
;
3838 u32 sid
= current_sid();
3843 return avc_has_perm(sid
, sid
, SECCLASS_SYSTEM
,
3844 SYSTEM__MODULE_LOAD
, NULL
);
3848 ad
.type
= LSM_AUDIT_DATA_FILE
;
3851 fsec
= file
->f_security
;
3852 if (sid
!= fsec
->sid
) {
3853 rc
= avc_has_perm(sid
, fsec
->sid
, SECCLASS_FD
, FD__USE
, &ad
);
3858 isec
= inode_security(file_inode(file
));
3859 return avc_has_perm(sid
, isec
->sid
, SECCLASS_SYSTEM
,
3860 SYSTEM__MODULE_LOAD
, &ad
);
3863 static int selinux_kernel_read_file(struct file
*file
,
3864 enum kernel_read_file_id id
)
3869 case READING_MODULE
:
3870 rc
= selinux_kernel_module_from_file(file
);
3879 static int selinux_task_setpgid(struct task_struct
*p
, pid_t pgid
)
3881 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3882 PROCESS__SETPGID
, NULL
);
3885 static int selinux_task_getpgid(struct task_struct
*p
)
3887 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3888 PROCESS__GETPGID
, NULL
);
3891 static int selinux_task_getsid(struct task_struct
*p
)
3893 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3894 PROCESS__GETSESSION
, NULL
);
3897 static void selinux_task_getsecid(struct task_struct
*p
, u32
*secid
)
3899 *secid
= task_sid(p
);
3902 static int selinux_task_setnice(struct task_struct
*p
, int nice
)
3904 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3905 PROCESS__SETSCHED
, NULL
);
3908 static int selinux_task_setioprio(struct task_struct
*p
, int ioprio
)
3910 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3911 PROCESS__SETSCHED
, NULL
);
3914 static int selinux_task_getioprio(struct task_struct
*p
)
3916 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3917 PROCESS__GETSCHED
, NULL
);
3920 static int selinux_task_setrlimit(struct task_struct
*p
, unsigned int resource
,
3921 struct rlimit
*new_rlim
)
3923 struct rlimit
*old_rlim
= p
->signal
->rlim
+ resource
;
3925 /* Control the ability to change the hard limit (whether
3926 lowering or raising it), so that the hard limit can
3927 later be used as a safe reset point for the soft limit
3928 upon context transitions. See selinux_bprm_committing_creds. */
3929 if (old_rlim
->rlim_max
!= new_rlim
->rlim_max
)
3930 return avc_has_perm(current_sid(), task_sid(p
),
3931 SECCLASS_PROCESS
, PROCESS__SETRLIMIT
, NULL
);
3936 static int selinux_task_setscheduler(struct task_struct
*p
)
3938 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3939 PROCESS__SETSCHED
, NULL
);
3942 static int selinux_task_getscheduler(struct task_struct
*p
)
3944 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3945 PROCESS__GETSCHED
, NULL
);
3948 static int selinux_task_movememory(struct task_struct
*p
)
3950 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3951 PROCESS__SETSCHED
, NULL
);
3954 static int selinux_task_kill(struct task_struct
*p
, struct siginfo
*info
,
3960 perm
= PROCESS__SIGNULL
; /* null signal; existence test */
3962 perm
= signal_to_av(sig
);
3964 secid
= current_sid();
3965 return avc_has_perm(secid
, task_sid(p
), SECCLASS_PROCESS
, perm
, NULL
);
3968 static void selinux_task_to_inode(struct task_struct
*p
,
3969 struct inode
*inode
)
3971 struct inode_security_struct
*isec
= inode
->i_security
;
3972 u32 sid
= task_sid(p
);
3974 spin_lock(&isec
->lock
);
3975 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
3977 isec
->initialized
= LABEL_INITIALIZED
;
3978 spin_unlock(&isec
->lock
);
3981 /* Returns error only if unable to parse addresses */
3982 static int selinux_parse_skb_ipv4(struct sk_buff
*skb
,
3983 struct common_audit_data
*ad
, u8
*proto
)
3985 int offset
, ihlen
, ret
= -EINVAL
;
3986 struct iphdr _iph
, *ih
;
3988 offset
= skb_network_offset(skb
);
3989 ih
= skb_header_pointer(skb
, offset
, sizeof(_iph
), &_iph
);
3993 ihlen
= ih
->ihl
* 4;
3994 if (ihlen
< sizeof(_iph
))
3997 ad
->u
.net
->v4info
.saddr
= ih
->saddr
;
3998 ad
->u
.net
->v4info
.daddr
= ih
->daddr
;
4002 *proto
= ih
->protocol
;
4004 switch (ih
->protocol
) {
4006 struct tcphdr _tcph
, *th
;
4008 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
4012 th
= skb_header_pointer(skb
, offset
, sizeof(_tcph
), &_tcph
);
4016 ad
->u
.net
->sport
= th
->source
;
4017 ad
->u
.net
->dport
= th
->dest
;
4022 struct udphdr _udph
, *uh
;
4024 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
4028 uh
= skb_header_pointer(skb
, offset
, sizeof(_udph
), &_udph
);
4032 ad
->u
.net
->sport
= uh
->source
;
4033 ad
->u
.net
->dport
= uh
->dest
;
4037 case IPPROTO_DCCP
: {
4038 struct dccp_hdr _dccph
, *dh
;
4040 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
4044 dh
= skb_header_pointer(skb
, offset
, sizeof(_dccph
), &_dccph
);
4048 ad
->u
.net
->sport
= dh
->dccph_sport
;
4049 ad
->u
.net
->dport
= dh
->dccph_dport
;
4060 #if IS_ENABLED(CONFIG_IPV6)
4062 /* Returns error only if unable to parse addresses */
4063 static int selinux_parse_skb_ipv6(struct sk_buff
*skb
,
4064 struct common_audit_data
*ad
, u8
*proto
)
4067 int ret
= -EINVAL
, offset
;
4068 struct ipv6hdr _ipv6h
, *ip6
;
4071 offset
= skb_network_offset(skb
);
4072 ip6
= skb_header_pointer(skb
, offset
, sizeof(_ipv6h
), &_ipv6h
);
4076 ad
->u
.net
->v6info
.saddr
= ip6
->saddr
;
4077 ad
->u
.net
->v6info
.daddr
= ip6
->daddr
;
4080 nexthdr
= ip6
->nexthdr
;
4081 offset
+= sizeof(_ipv6h
);
4082 offset
= ipv6_skip_exthdr(skb
, offset
, &nexthdr
, &frag_off
);
4091 struct tcphdr _tcph
, *th
;
4093 th
= skb_header_pointer(skb
, offset
, sizeof(_tcph
), &_tcph
);
4097 ad
->u
.net
->sport
= th
->source
;
4098 ad
->u
.net
->dport
= th
->dest
;
4103 struct udphdr _udph
, *uh
;
4105 uh
= skb_header_pointer(skb
, offset
, sizeof(_udph
), &_udph
);
4109 ad
->u
.net
->sport
= uh
->source
;
4110 ad
->u
.net
->dport
= uh
->dest
;
4114 case IPPROTO_DCCP
: {
4115 struct dccp_hdr _dccph
, *dh
;
4117 dh
= skb_header_pointer(skb
, offset
, sizeof(_dccph
), &_dccph
);
4121 ad
->u
.net
->sport
= dh
->dccph_sport
;
4122 ad
->u
.net
->dport
= dh
->dccph_dport
;
4126 /* includes fragments */
4136 static int selinux_parse_skb(struct sk_buff
*skb
, struct common_audit_data
*ad
,
4137 char **_addrp
, int src
, u8
*proto
)
4142 switch (ad
->u
.net
->family
) {
4144 ret
= selinux_parse_skb_ipv4(skb
, ad
, proto
);
4147 addrp
= (char *)(src
? &ad
->u
.net
->v4info
.saddr
:
4148 &ad
->u
.net
->v4info
.daddr
);
4151 #if IS_ENABLED(CONFIG_IPV6)
4153 ret
= selinux_parse_skb_ipv6(skb
, ad
, proto
);
4156 addrp
= (char *)(src
? &ad
->u
.net
->v6info
.saddr
:
4157 &ad
->u
.net
->v6info
.daddr
);
4167 "SELinux: failure in selinux_parse_skb(),"
4168 " unable to parse packet\n");
4178 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4180 * @family: protocol family
4181 * @sid: the packet's peer label SID
4184 * Check the various different forms of network peer labeling and determine
4185 * the peer label/SID for the packet; most of the magic actually occurs in
4186 * the security server function security_net_peersid_cmp(). The function
4187 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4188 * or -EACCES if @sid is invalid due to inconsistencies with the different
4192 static int selinux_skb_peerlbl_sid(struct sk_buff
*skb
, u16 family
, u32
*sid
)
4199 err
= selinux_xfrm_skb_sid(skb
, &xfrm_sid
);
4202 err
= selinux_netlbl_skbuff_getsid(skb
, family
, &nlbl_type
, &nlbl_sid
);
4206 err
= security_net_peersid_resolve(nlbl_sid
, nlbl_type
, xfrm_sid
, sid
);
4207 if (unlikely(err
)) {
4209 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4210 " unable to determine packet's peer label\n");
4218 * selinux_conn_sid - Determine the child socket label for a connection
4219 * @sk_sid: the parent socket's SID
4220 * @skb_sid: the packet's SID
4221 * @conn_sid: the resulting connection SID
4223 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4224 * combined with the MLS information from @skb_sid in order to create
4225 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4226 * of @sk_sid. Returns zero on success, negative values on failure.
4229 static int selinux_conn_sid(u32 sk_sid
, u32 skb_sid
, u32
*conn_sid
)
4233 if (skb_sid
!= SECSID_NULL
)
4234 err
= security_sid_mls_copy(sk_sid
, skb_sid
, conn_sid
);
4241 /* socket security operations */
4243 static int socket_sockcreate_sid(const struct task_security_struct
*tsec
,
4244 u16 secclass
, u32
*socksid
)
4246 if (tsec
->sockcreate_sid
> SECSID_NULL
) {
4247 *socksid
= tsec
->sockcreate_sid
;
4251 return security_transition_sid(tsec
->sid
, tsec
->sid
, secclass
, NULL
,
4255 static int sock_has_perm(struct sock
*sk
, u32 perms
)
4257 struct sk_security_struct
*sksec
= sk
->sk_security
;
4258 struct common_audit_data ad
;
4259 struct lsm_network_audit net
= {0,};
4261 if (sksec
->sid
== SECINITSID_KERNEL
)
4264 ad
.type
= LSM_AUDIT_DATA_NET
;
4268 return avc_has_perm(current_sid(), sksec
->sid
, sksec
->sclass
, perms
,
4272 static int selinux_socket_create(int family
, int type
,
4273 int protocol
, int kern
)
4275 const struct task_security_struct
*tsec
= current_security();
4283 secclass
= socket_type_to_security_class(family
, type
, protocol
);
4284 rc
= socket_sockcreate_sid(tsec
, secclass
, &newsid
);
4288 return avc_has_perm(tsec
->sid
, newsid
, secclass
, SOCKET__CREATE
, NULL
);
4291 static int selinux_socket_post_create(struct socket
*sock
, int family
,
4292 int type
, int protocol
, int kern
)
4294 const struct task_security_struct
*tsec
= current_security();
4295 struct inode_security_struct
*isec
= inode_security_novalidate(SOCK_INODE(sock
));
4296 struct sk_security_struct
*sksec
;
4297 u16 sclass
= socket_type_to_security_class(family
, type
, protocol
);
4298 u32 sid
= SECINITSID_KERNEL
;
4302 err
= socket_sockcreate_sid(tsec
, sclass
, &sid
);
4307 isec
->sclass
= sclass
;
4309 isec
->initialized
= LABEL_INITIALIZED
;
4312 sksec
= sock
->sk
->sk_security
;
4313 sksec
->sclass
= sclass
;
4315 err
= selinux_netlbl_socket_post_create(sock
->sk
, family
);
4321 /* Range of port numbers used to automatically bind.
4322 Need to determine whether we should perform a name_bind
4323 permission check between the socket and the port number. */
4325 static int selinux_socket_bind(struct socket
*sock
, struct sockaddr
*address
, int addrlen
)
4327 struct sock
*sk
= sock
->sk
;
4331 err
= sock_has_perm(sk
, SOCKET__BIND
);
4336 * If PF_INET or PF_INET6, check name_bind permission for the port.
4337 * Multiple address binding for SCTP is not supported yet: we just
4338 * check the first address now.
4340 family
= sk
->sk_family
;
4341 if (family
== PF_INET
|| family
== PF_INET6
) {
4343 struct sk_security_struct
*sksec
= sk
->sk_security
;
4344 struct common_audit_data ad
;
4345 struct lsm_network_audit net
= {0,};
4346 struct sockaddr_in
*addr4
= NULL
;
4347 struct sockaddr_in6
*addr6
= NULL
;
4348 unsigned short snum
;
4351 if (family
== PF_INET
) {
4352 addr4
= (struct sockaddr_in
*)address
;
4353 snum
= ntohs(addr4
->sin_port
);
4354 addrp
= (char *)&addr4
->sin_addr
.s_addr
;
4356 addr6
= (struct sockaddr_in6
*)address
;
4357 snum
= ntohs(addr6
->sin6_port
);
4358 addrp
= (char *)&addr6
->sin6_addr
.s6_addr
;
4364 inet_get_local_port_range(sock_net(sk
), &low
, &high
);
4366 if (snum
< max(PROT_SOCK
, low
) || snum
> high
) {
4367 err
= sel_netport_sid(sk
->sk_protocol
,
4371 ad
.type
= LSM_AUDIT_DATA_NET
;
4373 ad
.u
.net
->sport
= htons(snum
);
4374 ad
.u
.net
->family
= family
;
4375 err
= avc_has_perm(sksec
->sid
, sid
,
4377 SOCKET__NAME_BIND
, &ad
);
4383 switch (sksec
->sclass
) {
4384 case SECCLASS_TCP_SOCKET
:
4385 node_perm
= TCP_SOCKET__NODE_BIND
;
4388 case SECCLASS_UDP_SOCKET
:
4389 node_perm
= UDP_SOCKET__NODE_BIND
;
4392 case SECCLASS_DCCP_SOCKET
:
4393 node_perm
= DCCP_SOCKET__NODE_BIND
;
4397 node_perm
= RAWIP_SOCKET__NODE_BIND
;
4401 err
= sel_netnode_sid(addrp
, family
, &sid
);
4405 ad
.type
= LSM_AUDIT_DATA_NET
;
4407 ad
.u
.net
->sport
= htons(snum
);
4408 ad
.u
.net
->family
= family
;
4410 if (family
== PF_INET
)
4411 ad
.u
.net
->v4info
.saddr
= addr4
->sin_addr
.s_addr
;
4413 ad
.u
.net
->v6info
.saddr
= addr6
->sin6_addr
;
4415 err
= avc_has_perm(sksec
->sid
, sid
,
4416 sksec
->sclass
, node_perm
, &ad
);
4424 static int selinux_socket_connect(struct socket
*sock
, struct sockaddr
*address
, int addrlen
)
4426 struct sock
*sk
= sock
->sk
;
4427 struct sk_security_struct
*sksec
= sk
->sk_security
;
4430 err
= sock_has_perm(sk
, SOCKET__CONNECT
);
4435 * If a TCP or DCCP socket, check name_connect permission for the port.
4437 if (sksec
->sclass
== SECCLASS_TCP_SOCKET
||
4438 sksec
->sclass
== SECCLASS_DCCP_SOCKET
) {
4439 struct common_audit_data ad
;
4440 struct lsm_network_audit net
= {0,};
4441 struct sockaddr_in
*addr4
= NULL
;
4442 struct sockaddr_in6
*addr6
= NULL
;
4443 unsigned short snum
;
4446 if (sk
->sk_family
== PF_INET
) {
4447 addr4
= (struct sockaddr_in
*)address
;
4448 if (addrlen
< sizeof(struct sockaddr_in
))
4450 snum
= ntohs(addr4
->sin_port
);
4452 addr6
= (struct sockaddr_in6
*)address
;
4453 if (addrlen
< SIN6_LEN_RFC2133
)
4455 snum
= ntohs(addr6
->sin6_port
);
4458 err
= sel_netport_sid(sk
->sk_protocol
, snum
, &sid
);
4462 perm
= (sksec
->sclass
== SECCLASS_TCP_SOCKET
) ?
4463 TCP_SOCKET__NAME_CONNECT
: DCCP_SOCKET__NAME_CONNECT
;
4465 ad
.type
= LSM_AUDIT_DATA_NET
;
4467 ad
.u
.net
->dport
= htons(snum
);
4468 ad
.u
.net
->family
= sk
->sk_family
;
4469 err
= avc_has_perm(sksec
->sid
, sid
, sksec
->sclass
, perm
, &ad
);
4474 err
= selinux_netlbl_socket_connect(sk
, address
);
4480 static int selinux_socket_listen(struct socket
*sock
, int backlog
)
4482 return sock_has_perm(sock
->sk
, SOCKET__LISTEN
);
4485 static int selinux_socket_accept(struct socket
*sock
, struct socket
*newsock
)
4488 struct inode_security_struct
*isec
;
4489 struct inode_security_struct
*newisec
;
4493 err
= sock_has_perm(sock
->sk
, SOCKET__ACCEPT
);
4497 isec
= inode_security_novalidate(SOCK_INODE(sock
));
4498 spin_lock(&isec
->lock
);
4499 sclass
= isec
->sclass
;
4501 spin_unlock(&isec
->lock
);
4503 newisec
= inode_security_novalidate(SOCK_INODE(newsock
));
4504 newisec
->sclass
= sclass
;
4506 newisec
->initialized
= LABEL_INITIALIZED
;
4511 static int selinux_socket_sendmsg(struct socket
*sock
, struct msghdr
*msg
,
4514 return sock_has_perm(sock
->sk
, SOCKET__WRITE
);
4517 static int selinux_socket_recvmsg(struct socket
*sock
, struct msghdr
*msg
,
4518 int size
, int flags
)
4520 return sock_has_perm(sock
->sk
, SOCKET__READ
);
4523 static int selinux_socket_getsockname(struct socket
*sock
)
4525 return sock_has_perm(sock
->sk
, SOCKET__GETATTR
);
4528 static int selinux_socket_getpeername(struct socket
*sock
)
4530 return sock_has_perm(sock
->sk
, SOCKET__GETATTR
);
4533 static int selinux_socket_setsockopt(struct socket
*sock
, int level
, int optname
)
4537 err
= sock_has_perm(sock
->sk
, SOCKET__SETOPT
);
4541 return selinux_netlbl_socket_setsockopt(sock
, level
, optname
);
4544 static int selinux_socket_getsockopt(struct socket
*sock
, int level
,
4547 return sock_has_perm(sock
->sk
, SOCKET__GETOPT
);
4550 static int selinux_socket_shutdown(struct socket
*sock
, int how
)
4552 return sock_has_perm(sock
->sk
, SOCKET__SHUTDOWN
);
4555 static int selinux_socket_unix_stream_connect(struct sock
*sock
,
4559 struct sk_security_struct
*sksec_sock
= sock
->sk_security
;
4560 struct sk_security_struct
*sksec_other
= other
->sk_security
;
4561 struct sk_security_struct
*sksec_new
= newsk
->sk_security
;
4562 struct common_audit_data ad
;
4563 struct lsm_network_audit net
= {0,};
4566 ad
.type
= LSM_AUDIT_DATA_NET
;
4568 ad
.u
.net
->sk
= other
;
4570 err
= avc_has_perm(sksec_sock
->sid
, sksec_other
->sid
,
4571 sksec_other
->sclass
,
4572 UNIX_STREAM_SOCKET__CONNECTTO
, &ad
);
4576 /* server child socket */
4577 sksec_new
->peer_sid
= sksec_sock
->sid
;
4578 err
= security_sid_mls_copy(sksec_other
->sid
, sksec_sock
->sid
,
4583 /* connecting socket */
4584 sksec_sock
->peer_sid
= sksec_new
->sid
;
4589 static int selinux_socket_unix_may_send(struct socket
*sock
,
4590 struct socket
*other
)
4592 struct sk_security_struct
*ssec
= sock
->sk
->sk_security
;
4593 struct sk_security_struct
*osec
= other
->sk
->sk_security
;
4594 struct common_audit_data ad
;
4595 struct lsm_network_audit net
= {0,};
4597 ad
.type
= LSM_AUDIT_DATA_NET
;
4599 ad
.u
.net
->sk
= other
->sk
;
4601 return avc_has_perm(ssec
->sid
, osec
->sid
, osec
->sclass
, SOCKET__SENDTO
,
4605 static int selinux_inet_sys_rcv_skb(struct net
*ns
, int ifindex
,
4606 char *addrp
, u16 family
, u32 peer_sid
,
4607 struct common_audit_data
*ad
)
4613 err
= sel_netif_sid(ns
, ifindex
, &if_sid
);
4616 err
= avc_has_perm(peer_sid
, if_sid
,
4617 SECCLASS_NETIF
, NETIF__INGRESS
, ad
);
4621 err
= sel_netnode_sid(addrp
, family
, &node_sid
);
4624 return avc_has_perm(peer_sid
, node_sid
,
4625 SECCLASS_NODE
, NODE__RECVFROM
, ad
);
4628 static int selinux_sock_rcv_skb_compat(struct sock
*sk
, struct sk_buff
*skb
,
4632 struct sk_security_struct
*sksec
= sk
->sk_security
;
4633 u32 sk_sid
= sksec
->sid
;
4634 struct common_audit_data ad
;
4635 struct lsm_network_audit net
= {0,};
4638 ad
.type
= LSM_AUDIT_DATA_NET
;
4640 ad
.u
.net
->netif
= skb
->skb_iif
;
4641 ad
.u
.net
->family
= family
;
4642 err
= selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
);
4646 if (selinux_secmark_enabled()) {
4647 err
= avc_has_perm(sk_sid
, skb
->secmark
, SECCLASS_PACKET
,
4653 err
= selinux_netlbl_sock_rcv_skb(sksec
, skb
, family
, &ad
);
4656 err
= selinux_xfrm_sock_rcv_skb(sksec
->sid
, skb
, &ad
);
4661 static int selinux_socket_sock_rcv_skb(struct sock
*sk
, struct sk_buff
*skb
)
4664 struct sk_security_struct
*sksec
= sk
->sk_security
;
4665 u16 family
= sk
->sk_family
;
4666 u32 sk_sid
= sksec
->sid
;
4667 struct common_audit_data ad
;
4668 struct lsm_network_audit net
= {0,};
4673 if (family
!= PF_INET
&& family
!= PF_INET6
)
4676 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4677 if (family
== PF_INET6
&& skb
->protocol
== htons(ETH_P_IP
))
4680 /* If any sort of compatibility mode is enabled then handoff processing
4681 * to the selinux_sock_rcv_skb_compat() function to deal with the
4682 * special handling. We do this in an attempt to keep this function
4683 * as fast and as clean as possible. */
4684 if (!selinux_policycap_netpeer
)
4685 return selinux_sock_rcv_skb_compat(sk
, skb
, family
);
4687 secmark_active
= selinux_secmark_enabled();
4688 peerlbl_active
= selinux_peerlbl_enabled();
4689 if (!secmark_active
&& !peerlbl_active
)
4692 ad
.type
= LSM_AUDIT_DATA_NET
;
4694 ad
.u
.net
->netif
= skb
->skb_iif
;
4695 ad
.u
.net
->family
= family
;
4696 err
= selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
);
4700 if (peerlbl_active
) {
4703 err
= selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
);
4706 err
= selinux_inet_sys_rcv_skb(sock_net(sk
), skb
->skb_iif
,
4707 addrp
, family
, peer_sid
, &ad
);
4709 selinux_netlbl_err(skb
, family
, err
, 0);
4712 err
= avc_has_perm(sk_sid
, peer_sid
, SECCLASS_PEER
,
4715 selinux_netlbl_err(skb
, family
, err
, 0);
4720 if (secmark_active
) {
4721 err
= avc_has_perm(sk_sid
, skb
->secmark
, SECCLASS_PACKET
,
4730 static int selinux_socket_getpeersec_stream(struct socket
*sock
, char __user
*optval
,
4731 int __user
*optlen
, unsigned len
)
4736 struct sk_security_struct
*sksec
= sock
->sk
->sk_security
;
4737 u32 peer_sid
= SECSID_NULL
;
4739 if (sksec
->sclass
== SECCLASS_UNIX_STREAM_SOCKET
||
4740 sksec
->sclass
== SECCLASS_TCP_SOCKET
)
4741 peer_sid
= sksec
->peer_sid
;
4742 if (peer_sid
== SECSID_NULL
)
4743 return -ENOPROTOOPT
;
4745 err
= security_sid_to_context(peer_sid
, &scontext
, &scontext_len
);
4749 if (scontext_len
> len
) {
4754 if (copy_to_user(optval
, scontext
, scontext_len
))
4758 if (put_user(scontext_len
, optlen
))
4764 static int selinux_socket_getpeersec_dgram(struct socket
*sock
, struct sk_buff
*skb
, u32
*secid
)
4766 u32 peer_secid
= SECSID_NULL
;
4768 struct inode_security_struct
*isec
;
4770 if (skb
&& skb
->protocol
== htons(ETH_P_IP
))
4772 else if (skb
&& skb
->protocol
== htons(ETH_P_IPV6
))
4775 family
= sock
->sk
->sk_family
;
4779 if (sock
&& family
== PF_UNIX
) {
4780 isec
= inode_security_novalidate(SOCK_INODE(sock
));
4781 peer_secid
= isec
->sid
;
4783 selinux_skb_peerlbl_sid(skb
, family
, &peer_secid
);
4786 *secid
= peer_secid
;
4787 if (peer_secid
== SECSID_NULL
)
4792 static int selinux_sk_alloc_security(struct sock
*sk
, int family
, gfp_t priority
)
4794 struct sk_security_struct
*sksec
;
4796 sksec
= kzalloc(sizeof(*sksec
), priority
);
4800 sksec
->peer_sid
= SECINITSID_UNLABELED
;
4801 sksec
->sid
= SECINITSID_UNLABELED
;
4802 sksec
->sclass
= SECCLASS_SOCKET
;
4803 selinux_netlbl_sk_security_reset(sksec
);
4804 sk
->sk_security
= sksec
;
4809 static void selinux_sk_free_security(struct sock
*sk
)
4811 struct sk_security_struct
*sksec
= sk
->sk_security
;
4813 sk
->sk_security
= NULL
;
4814 selinux_netlbl_sk_security_free(sksec
);
4818 static void selinux_sk_clone_security(const struct sock
*sk
, struct sock
*newsk
)
4820 struct sk_security_struct
*sksec
= sk
->sk_security
;
4821 struct sk_security_struct
*newsksec
= newsk
->sk_security
;
4823 newsksec
->sid
= sksec
->sid
;
4824 newsksec
->peer_sid
= sksec
->peer_sid
;
4825 newsksec
->sclass
= sksec
->sclass
;
4827 selinux_netlbl_sk_security_reset(newsksec
);
4830 static void selinux_sk_getsecid(struct sock
*sk
, u32
*secid
)
4833 *secid
= SECINITSID_ANY_SOCKET
;
4835 struct sk_security_struct
*sksec
= sk
->sk_security
;
4837 *secid
= sksec
->sid
;
4841 static void selinux_sock_graft(struct sock
*sk
, struct socket
*parent
)
4843 struct inode_security_struct
*isec
=
4844 inode_security_novalidate(SOCK_INODE(parent
));
4845 struct sk_security_struct
*sksec
= sk
->sk_security
;
4847 if (sk
->sk_family
== PF_INET
|| sk
->sk_family
== PF_INET6
||
4848 sk
->sk_family
== PF_UNIX
)
4849 isec
->sid
= sksec
->sid
;
4850 sksec
->sclass
= isec
->sclass
;
4853 static int selinux_inet_conn_request(struct sock
*sk
, struct sk_buff
*skb
,
4854 struct request_sock
*req
)
4856 struct sk_security_struct
*sksec
= sk
->sk_security
;
4858 u16 family
= req
->rsk_ops
->family
;
4862 err
= selinux_skb_peerlbl_sid(skb
, family
, &peersid
);
4865 err
= selinux_conn_sid(sksec
->sid
, peersid
, &connsid
);
4868 req
->secid
= connsid
;
4869 req
->peer_secid
= peersid
;
4871 return selinux_netlbl_inet_conn_request(req
, family
);
4874 static void selinux_inet_csk_clone(struct sock
*newsk
,
4875 const struct request_sock
*req
)
4877 struct sk_security_struct
*newsksec
= newsk
->sk_security
;
4879 newsksec
->sid
= req
->secid
;
4880 newsksec
->peer_sid
= req
->peer_secid
;
4881 /* NOTE: Ideally, we should also get the isec->sid for the
4882 new socket in sync, but we don't have the isec available yet.
4883 So we will wait until sock_graft to do it, by which
4884 time it will have been created and available. */
4886 /* We don't need to take any sort of lock here as we are the only
4887 * thread with access to newsksec */
4888 selinux_netlbl_inet_csk_clone(newsk
, req
->rsk_ops
->family
);
4891 static void selinux_inet_conn_established(struct sock
*sk
, struct sk_buff
*skb
)
4893 u16 family
= sk
->sk_family
;
4894 struct sk_security_struct
*sksec
= sk
->sk_security
;
4896 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4897 if (family
== PF_INET6
&& skb
->protocol
== htons(ETH_P_IP
))
4900 selinux_skb_peerlbl_sid(skb
, family
, &sksec
->peer_sid
);
4903 static int selinux_secmark_relabel_packet(u32 sid
)
4905 const struct task_security_struct
*__tsec
;
4908 __tsec
= current_security();
4911 return avc_has_perm(tsid
, sid
, SECCLASS_PACKET
, PACKET__RELABELTO
, NULL
);
4914 static void selinux_secmark_refcount_inc(void)
4916 atomic_inc(&selinux_secmark_refcount
);
4919 static void selinux_secmark_refcount_dec(void)
4921 atomic_dec(&selinux_secmark_refcount
);
4924 static void selinux_req_classify_flow(const struct request_sock
*req
,
4927 fl
->flowi_secid
= req
->secid
;
4930 static int selinux_tun_dev_alloc_security(void **security
)
4932 struct tun_security_struct
*tunsec
;
4934 tunsec
= kzalloc(sizeof(*tunsec
), GFP_KERNEL
);
4937 tunsec
->sid
= current_sid();
4943 static void selinux_tun_dev_free_security(void *security
)
4948 static int selinux_tun_dev_create(void)
4950 u32 sid
= current_sid();
4952 /* we aren't taking into account the "sockcreate" SID since the socket
4953 * that is being created here is not a socket in the traditional sense,
4954 * instead it is a private sock, accessible only to the kernel, and
4955 * representing a wide range of network traffic spanning multiple
4956 * connections unlike traditional sockets - check the TUN driver to
4957 * get a better understanding of why this socket is special */
4959 return avc_has_perm(sid
, sid
, SECCLASS_TUN_SOCKET
, TUN_SOCKET__CREATE
,
4963 static int selinux_tun_dev_attach_queue(void *security
)
4965 struct tun_security_struct
*tunsec
= security
;
4967 return avc_has_perm(current_sid(), tunsec
->sid
, SECCLASS_TUN_SOCKET
,
4968 TUN_SOCKET__ATTACH_QUEUE
, NULL
);
4971 static int selinux_tun_dev_attach(struct sock
*sk
, void *security
)
4973 struct tun_security_struct
*tunsec
= security
;
4974 struct sk_security_struct
*sksec
= sk
->sk_security
;
4976 /* we don't currently perform any NetLabel based labeling here and it
4977 * isn't clear that we would want to do so anyway; while we could apply
4978 * labeling without the support of the TUN user the resulting labeled
4979 * traffic from the other end of the connection would almost certainly
4980 * cause confusion to the TUN user that had no idea network labeling
4981 * protocols were being used */
4983 sksec
->sid
= tunsec
->sid
;
4984 sksec
->sclass
= SECCLASS_TUN_SOCKET
;
4989 static int selinux_tun_dev_open(void *security
)
4991 struct tun_security_struct
*tunsec
= security
;
4992 u32 sid
= current_sid();
4995 err
= avc_has_perm(sid
, tunsec
->sid
, SECCLASS_TUN_SOCKET
,
4996 TUN_SOCKET__RELABELFROM
, NULL
);
4999 err
= avc_has_perm(sid
, sid
, SECCLASS_TUN_SOCKET
,
5000 TUN_SOCKET__RELABELTO
, NULL
);
5008 static int selinux_nlmsg_perm(struct sock
*sk
, struct sk_buff
*skb
)
5012 struct nlmsghdr
*nlh
;
5013 struct sk_security_struct
*sksec
= sk
->sk_security
;
5015 if (skb
->len
< NLMSG_HDRLEN
) {
5019 nlh
= nlmsg_hdr(skb
);
5021 err
= selinux_nlmsg_lookup(sksec
->sclass
, nlh
->nlmsg_type
, &perm
);
5023 if (err
== -EINVAL
) {
5024 pr_warn_ratelimited("SELinux: unrecognized netlink"
5025 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5026 " pig=%d comm=%s\n",
5027 sk
->sk_protocol
, nlh
->nlmsg_type
,
5028 secclass_map
[sksec
->sclass
- 1].name
,
5029 task_pid_nr(current
), current
->comm
);
5030 if (!selinux_enforcing
|| security_get_allow_unknown())
5040 err
= sock_has_perm(sk
, perm
);
5045 #ifdef CONFIG_NETFILTER
5047 static unsigned int selinux_ip_forward(struct sk_buff
*skb
,
5048 const struct net_device
*indev
,
5054 struct common_audit_data ad
;
5055 struct lsm_network_audit net
= {0,};
5060 if (!selinux_policycap_netpeer
)
5063 secmark_active
= selinux_secmark_enabled();
5064 netlbl_active
= netlbl_enabled();
5065 peerlbl_active
= selinux_peerlbl_enabled();
5066 if (!secmark_active
&& !peerlbl_active
)
5069 if (selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
) != 0)
5072 ad
.type
= LSM_AUDIT_DATA_NET
;
5074 ad
.u
.net
->netif
= indev
->ifindex
;
5075 ad
.u
.net
->family
= family
;
5076 if (selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
) != 0)
5079 if (peerlbl_active
) {
5080 err
= selinux_inet_sys_rcv_skb(dev_net(indev
), indev
->ifindex
,
5081 addrp
, family
, peer_sid
, &ad
);
5083 selinux_netlbl_err(skb
, family
, err
, 1);
5089 if (avc_has_perm(peer_sid
, skb
->secmark
,
5090 SECCLASS_PACKET
, PACKET__FORWARD_IN
, &ad
))
5094 /* we do this in the FORWARD path and not the POST_ROUTING
5095 * path because we want to make sure we apply the necessary
5096 * labeling before IPsec is applied so we can leverage AH
5098 if (selinux_netlbl_skbuff_setsid(skb
, family
, peer_sid
) != 0)
5104 static unsigned int selinux_ipv4_forward(void *priv
,
5105 struct sk_buff
*skb
,
5106 const struct nf_hook_state
*state
)
5108 return selinux_ip_forward(skb
, state
->in
, PF_INET
);
5111 #if IS_ENABLED(CONFIG_IPV6)
5112 static unsigned int selinux_ipv6_forward(void *priv
,
5113 struct sk_buff
*skb
,
5114 const struct nf_hook_state
*state
)
5116 return selinux_ip_forward(skb
, state
->in
, PF_INET6
);
5120 static unsigned int selinux_ip_output(struct sk_buff
*skb
,
5126 if (!netlbl_enabled())
5129 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5130 * because we want to make sure we apply the necessary labeling
5131 * before IPsec is applied so we can leverage AH protection */
5134 struct sk_security_struct
*sksec
;
5136 if (sk_listener(sk
))
5137 /* if the socket is the listening state then this
5138 * packet is a SYN-ACK packet which means it needs to
5139 * be labeled based on the connection/request_sock and
5140 * not the parent socket. unfortunately, we can't
5141 * lookup the request_sock yet as it isn't queued on
5142 * the parent socket until after the SYN-ACK is sent.
5143 * the "solution" is to simply pass the packet as-is
5144 * as any IP option based labeling should be copied
5145 * from the initial connection request (in the IP
5146 * layer). it is far from ideal, but until we get a
5147 * security label in the packet itself this is the
5148 * best we can do. */
5151 /* standard practice, label using the parent socket */
5152 sksec
= sk
->sk_security
;
5155 sid
= SECINITSID_KERNEL
;
5156 if (selinux_netlbl_skbuff_setsid(skb
, family
, sid
) != 0)
5162 static unsigned int selinux_ipv4_output(void *priv
,
5163 struct sk_buff
*skb
,
5164 const struct nf_hook_state
*state
)
5166 return selinux_ip_output(skb
, PF_INET
);
5169 #if IS_ENABLED(CONFIG_IPV6)
5170 static unsigned int selinux_ipv6_output(void *priv
,
5171 struct sk_buff
*skb
,
5172 const struct nf_hook_state
*state
)
5174 return selinux_ip_output(skb
, PF_INET6
);
5178 static unsigned int selinux_ip_postroute_compat(struct sk_buff
*skb
,
5182 struct sock
*sk
= skb_to_full_sk(skb
);
5183 struct sk_security_struct
*sksec
;
5184 struct common_audit_data ad
;
5185 struct lsm_network_audit net
= {0,};
5191 sksec
= sk
->sk_security
;
5193 ad
.type
= LSM_AUDIT_DATA_NET
;
5195 ad
.u
.net
->netif
= ifindex
;
5196 ad
.u
.net
->family
= family
;
5197 if (selinux_parse_skb(skb
, &ad
, &addrp
, 0, &proto
))
5200 if (selinux_secmark_enabled())
5201 if (avc_has_perm(sksec
->sid
, skb
->secmark
,
5202 SECCLASS_PACKET
, PACKET__SEND
, &ad
))
5203 return NF_DROP_ERR(-ECONNREFUSED
);
5205 if (selinux_xfrm_postroute_last(sksec
->sid
, skb
, &ad
, proto
))
5206 return NF_DROP_ERR(-ECONNREFUSED
);
5211 static unsigned int selinux_ip_postroute(struct sk_buff
*skb
,
5212 const struct net_device
*outdev
,
5217 int ifindex
= outdev
->ifindex
;
5219 struct common_audit_data ad
;
5220 struct lsm_network_audit net
= {0,};
5225 /* If any sort of compatibility mode is enabled then handoff processing
5226 * to the selinux_ip_postroute_compat() function to deal with the
5227 * special handling. We do this in an attempt to keep this function
5228 * as fast and as clean as possible. */
5229 if (!selinux_policycap_netpeer
)
5230 return selinux_ip_postroute_compat(skb
, ifindex
, family
);
5232 secmark_active
= selinux_secmark_enabled();
5233 peerlbl_active
= selinux_peerlbl_enabled();
5234 if (!secmark_active
&& !peerlbl_active
)
5237 sk
= skb_to_full_sk(skb
);
5240 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5241 * packet transformation so allow the packet to pass without any checks
5242 * since we'll have another chance to perform access control checks
5243 * when the packet is on it's final way out.
5244 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5245 * is NULL, in this case go ahead and apply access control.
5246 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5247 * TCP listening state we cannot wait until the XFRM processing
5248 * is done as we will miss out on the SA label if we do;
5249 * unfortunately, this means more work, but it is only once per
5251 if (skb_dst(skb
) != NULL
&& skb_dst(skb
)->xfrm
!= NULL
&&
5252 !(sk
&& sk_listener(sk
)))
5257 /* Without an associated socket the packet is either coming
5258 * from the kernel or it is being forwarded; check the packet
5259 * to determine which and if the packet is being forwarded
5260 * query the packet directly to determine the security label. */
5262 secmark_perm
= PACKET__FORWARD_OUT
;
5263 if (selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
))
5266 secmark_perm
= PACKET__SEND
;
5267 peer_sid
= SECINITSID_KERNEL
;
5269 } else if (sk_listener(sk
)) {
5270 /* Locally generated packet but the associated socket is in the
5271 * listening state which means this is a SYN-ACK packet. In
5272 * this particular case the correct security label is assigned
5273 * to the connection/request_sock but unfortunately we can't
5274 * query the request_sock as it isn't queued on the parent
5275 * socket until after the SYN-ACK packet is sent; the only
5276 * viable choice is to regenerate the label like we do in
5277 * selinux_inet_conn_request(). See also selinux_ip_output()
5278 * for similar problems. */
5280 struct sk_security_struct
*sksec
;
5282 sksec
= sk
->sk_security
;
5283 if (selinux_skb_peerlbl_sid(skb
, family
, &skb_sid
))
5285 /* At this point, if the returned skb peerlbl is SECSID_NULL
5286 * and the packet has been through at least one XFRM
5287 * transformation then we must be dealing with the "final"
5288 * form of labeled IPsec packet; since we've already applied
5289 * all of our access controls on this packet we can safely
5290 * pass the packet. */
5291 if (skb_sid
== SECSID_NULL
) {
5294 if (IPCB(skb
)->flags
& IPSKB_XFRM_TRANSFORMED
)
5298 if (IP6CB(skb
)->flags
& IP6SKB_XFRM_TRANSFORMED
)
5302 return NF_DROP_ERR(-ECONNREFUSED
);
5305 if (selinux_conn_sid(sksec
->sid
, skb_sid
, &peer_sid
))
5307 secmark_perm
= PACKET__SEND
;
5309 /* Locally generated packet, fetch the security label from the
5310 * associated socket. */
5311 struct sk_security_struct
*sksec
= sk
->sk_security
;
5312 peer_sid
= sksec
->sid
;
5313 secmark_perm
= PACKET__SEND
;
5316 ad
.type
= LSM_AUDIT_DATA_NET
;
5318 ad
.u
.net
->netif
= ifindex
;
5319 ad
.u
.net
->family
= family
;
5320 if (selinux_parse_skb(skb
, &ad
, &addrp
, 0, NULL
))
5324 if (avc_has_perm(peer_sid
, skb
->secmark
,
5325 SECCLASS_PACKET
, secmark_perm
, &ad
))
5326 return NF_DROP_ERR(-ECONNREFUSED
);
5328 if (peerlbl_active
) {
5332 if (sel_netif_sid(dev_net(outdev
), ifindex
, &if_sid
))
5334 if (avc_has_perm(peer_sid
, if_sid
,
5335 SECCLASS_NETIF
, NETIF__EGRESS
, &ad
))
5336 return NF_DROP_ERR(-ECONNREFUSED
);
5338 if (sel_netnode_sid(addrp
, family
, &node_sid
))
5340 if (avc_has_perm(peer_sid
, node_sid
,
5341 SECCLASS_NODE
, NODE__SENDTO
, &ad
))
5342 return NF_DROP_ERR(-ECONNREFUSED
);
5348 static unsigned int selinux_ipv4_postroute(void *priv
,
5349 struct sk_buff
*skb
,
5350 const struct nf_hook_state
*state
)
5352 return selinux_ip_postroute(skb
, state
->out
, PF_INET
);
5355 #if IS_ENABLED(CONFIG_IPV6)
5356 static unsigned int selinux_ipv6_postroute(void *priv
,
5357 struct sk_buff
*skb
,
5358 const struct nf_hook_state
*state
)
5360 return selinux_ip_postroute(skb
, state
->out
, PF_INET6
);
5364 #endif /* CONFIG_NETFILTER */
5366 static int selinux_netlink_send(struct sock
*sk
, struct sk_buff
*skb
)
5368 return selinux_nlmsg_perm(sk
, skb
);
5371 static int ipc_alloc_security(struct kern_ipc_perm
*perm
,
5374 struct ipc_security_struct
*isec
;
5376 isec
= kzalloc(sizeof(struct ipc_security_struct
), GFP_KERNEL
);
5380 isec
->sclass
= sclass
;
5381 isec
->sid
= current_sid();
5382 perm
->security
= isec
;
5387 static void ipc_free_security(struct kern_ipc_perm
*perm
)
5389 struct ipc_security_struct
*isec
= perm
->security
;
5390 perm
->security
= NULL
;
5394 static int msg_msg_alloc_security(struct msg_msg
*msg
)
5396 struct msg_security_struct
*msec
;
5398 msec
= kzalloc(sizeof(struct msg_security_struct
), GFP_KERNEL
);
5402 msec
->sid
= SECINITSID_UNLABELED
;
5403 msg
->security
= msec
;
5408 static void msg_msg_free_security(struct msg_msg
*msg
)
5410 struct msg_security_struct
*msec
= msg
->security
;
5412 msg
->security
= NULL
;
5416 static int ipc_has_perm(struct kern_ipc_perm
*ipc_perms
,
5419 struct ipc_security_struct
*isec
;
5420 struct common_audit_data ad
;
5421 u32 sid
= current_sid();
5423 isec
= ipc_perms
->security
;
5425 ad
.type
= LSM_AUDIT_DATA_IPC
;
5426 ad
.u
.ipc_id
= ipc_perms
->key
;
5428 return avc_has_perm(sid
, isec
->sid
, isec
->sclass
, perms
, &ad
);
5431 static int selinux_msg_msg_alloc_security(struct msg_msg
*msg
)
5433 return msg_msg_alloc_security(msg
);
5436 static void selinux_msg_msg_free_security(struct msg_msg
*msg
)
5438 msg_msg_free_security(msg
);
5441 /* message queue security operations */
5442 static int selinux_msg_queue_alloc_security(struct msg_queue
*msq
)
5444 struct ipc_security_struct
*isec
;
5445 struct common_audit_data ad
;
5446 u32 sid
= current_sid();
5449 rc
= ipc_alloc_security(&msq
->q_perm
, SECCLASS_MSGQ
);
5453 isec
= msq
->q_perm
.security
;
5455 ad
.type
= LSM_AUDIT_DATA_IPC
;
5456 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5458 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_MSGQ
,
5461 ipc_free_security(&msq
->q_perm
);
5467 static void selinux_msg_queue_free_security(struct msg_queue
*msq
)
5469 ipc_free_security(&msq
->q_perm
);
5472 static int selinux_msg_queue_associate(struct msg_queue
*msq
, int msqflg
)
5474 struct ipc_security_struct
*isec
;
5475 struct common_audit_data ad
;
5476 u32 sid
= current_sid();
5478 isec
= msq
->q_perm
.security
;
5480 ad
.type
= LSM_AUDIT_DATA_IPC
;
5481 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5483 return avc_has_perm(sid
, isec
->sid
, SECCLASS_MSGQ
,
5484 MSGQ__ASSOCIATE
, &ad
);
5487 static int selinux_msg_queue_msgctl(struct msg_queue
*msq
, int cmd
)
5495 /* No specific object, just general system-wide information. */
5496 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
5497 SECCLASS_SYSTEM
, SYSTEM__IPC_INFO
, NULL
);
5500 perms
= MSGQ__GETATTR
| MSGQ__ASSOCIATE
;
5503 perms
= MSGQ__SETATTR
;
5506 perms
= MSGQ__DESTROY
;
5512 err
= ipc_has_perm(&msq
->q_perm
, perms
);
5516 static int selinux_msg_queue_msgsnd(struct msg_queue
*msq
, struct msg_msg
*msg
, int msqflg
)
5518 struct ipc_security_struct
*isec
;
5519 struct msg_security_struct
*msec
;
5520 struct common_audit_data ad
;
5521 u32 sid
= current_sid();
5524 isec
= msq
->q_perm
.security
;
5525 msec
= msg
->security
;
5528 * First time through, need to assign label to the message
5530 if (msec
->sid
== SECINITSID_UNLABELED
) {
5532 * Compute new sid based on current process and
5533 * message queue this message will be stored in
5535 rc
= security_transition_sid(sid
, isec
->sid
, SECCLASS_MSG
,
5541 ad
.type
= LSM_AUDIT_DATA_IPC
;
5542 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5544 /* Can this process write to the queue? */
5545 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_MSGQ
,
5548 /* Can this process send the message */
5549 rc
= avc_has_perm(sid
, msec
->sid
, SECCLASS_MSG
,
5552 /* Can the message be put in the queue? */
5553 rc
= avc_has_perm(msec
->sid
, isec
->sid
, SECCLASS_MSGQ
,
5554 MSGQ__ENQUEUE
, &ad
);
5559 static int selinux_msg_queue_msgrcv(struct msg_queue
*msq
, struct msg_msg
*msg
,
5560 struct task_struct
*target
,
5561 long type
, int mode
)
5563 struct ipc_security_struct
*isec
;
5564 struct msg_security_struct
*msec
;
5565 struct common_audit_data ad
;
5566 u32 sid
= task_sid(target
);
5569 isec
= msq
->q_perm
.security
;
5570 msec
= msg
->security
;
5572 ad
.type
= LSM_AUDIT_DATA_IPC
;
5573 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5575 rc
= avc_has_perm(sid
, isec
->sid
,
5576 SECCLASS_MSGQ
, MSGQ__READ
, &ad
);
5578 rc
= avc_has_perm(sid
, msec
->sid
,
5579 SECCLASS_MSG
, MSG__RECEIVE
, &ad
);
5583 /* Shared Memory security operations */
5584 static int selinux_shm_alloc_security(struct shmid_kernel
*shp
)
5586 struct ipc_security_struct
*isec
;
5587 struct common_audit_data ad
;
5588 u32 sid
= current_sid();
5591 rc
= ipc_alloc_security(&shp
->shm_perm
, SECCLASS_SHM
);
5595 isec
= shp
->shm_perm
.security
;
5597 ad
.type
= LSM_AUDIT_DATA_IPC
;
5598 ad
.u
.ipc_id
= shp
->shm_perm
.key
;
5600 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_SHM
,
5603 ipc_free_security(&shp
->shm_perm
);
5609 static void selinux_shm_free_security(struct shmid_kernel
*shp
)
5611 ipc_free_security(&shp
->shm_perm
);
5614 static int selinux_shm_associate(struct shmid_kernel
*shp
, int shmflg
)
5616 struct ipc_security_struct
*isec
;
5617 struct common_audit_data ad
;
5618 u32 sid
= current_sid();
5620 isec
= shp
->shm_perm
.security
;
5622 ad
.type
= LSM_AUDIT_DATA_IPC
;
5623 ad
.u
.ipc_id
= shp
->shm_perm
.key
;
5625 return avc_has_perm(sid
, isec
->sid
, SECCLASS_SHM
,
5626 SHM__ASSOCIATE
, &ad
);
5629 /* Note, at this point, shp is locked down */
5630 static int selinux_shm_shmctl(struct shmid_kernel
*shp
, int cmd
)
5638 /* No specific object, just general system-wide information. */
5639 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
5640 SECCLASS_SYSTEM
, SYSTEM__IPC_INFO
, NULL
);
5643 perms
= SHM__GETATTR
| SHM__ASSOCIATE
;
5646 perms
= SHM__SETATTR
;
5653 perms
= SHM__DESTROY
;
5659 err
= ipc_has_perm(&shp
->shm_perm
, perms
);
5663 static int selinux_shm_shmat(struct shmid_kernel
*shp
,
5664 char __user
*shmaddr
, int shmflg
)
5668 if (shmflg
& SHM_RDONLY
)
5671 perms
= SHM__READ
| SHM__WRITE
;
5673 return ipc_has_perm(&shp
->shm_perm
, perms
);
5676 /* Semaphore security operations */
5677 static int selinux_sem_alloc_security(struct sem_array
*sma
)
5679 struct ipc_security_struct
*isec
;
5680 struct common_audit_data ad
;
5681 u32 sid
= current_sid();
5684 rc
= ipc_alloc_security(&sma
->sem_perm
, SECCLASS_SEM
);
5688 isec
= sma
->sem_perm
.security
;
5690 ad
.type
= LSM_AUDIT_DATA_IPC
;
5691 ad
.u
.ipc_id
= sma
->sem_perm
.key
;
5693 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_SEM
,
5696 ipc_free_security(&sma
->sem_perm
);
5702 static void selinux_sem_free_security(struct sem_array
*sma
)
5704 ipc_free_security(&sma
->sem_perm
);
5707 static int selinux_sem_associate(struct sem_array
*sma
, int semflg
)
5709 struct ipc_security_struct
*isec
;
5710 struct common_audit_data ad
;
5711 u32 sid
= current_sid();
5713 isec
= sma
->sem_perm
.security
;
5715 ad
.type
= LSM_AUDIT_DATA_IPC
;
5716 ad
.u
.ipc_id
= sma
->sem_perm
.key
;
5718 return avc_has_perm(sid
, isec
->sid
, SECCLASS_SEM
,
5719 SEM__ASSOCIATE
, &ad
);
5722 /* Note, at this point, sma is locked down */
5723 static int selinux_sem_semctl(struct sem_array
*sma
, int cmd
)
5731 /* No specific object, just general system-wide information. */
5732 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
5733 SECCLASS_SYSTEM
, SYSTEM__IPC_INFO
, NULL
);
5737 perms
= SEM__GETATTR
;
5748 perms
= SEM__DESTROY
;
5751 perms
= SEM__SETATTR
;
5755 perms
= SEM__GETATTR
| SEM__ASSOCIATE
;
5761 err
= ipc_has_perm(&sma
->sem_perm
, perms
);
5765 static int selinux_sem_semop(struct sem_array
*sma
,
5766 struct sembuf
*sops
, unsigned nsops
, int alter
)
5771 perms
= SEM__READ
| SEM__WRITE
;
5775 return ipc_has_perm(&sma
->sem_perm
, perms
);
5778 static int selinux_ipc_permission(struct kern_ipc_perm
*ipcp
, short flag
)
5784 av
|= IPC__UNIX_READ
;
5786 av
|= IPC__UNIX_WRITE
;
5791 return ipc_has_perm(ipcp
, av
);
5794 static void selinux_ipc_getsecid(struct kern_ipc_perm
*ipcp
, u32
*secid
)
5796 struct ipc_security_struct
*isec
= ipcp
->security
;
5800 static void selinux_d_instantiate(struct dentry
*dentry
, struct inode
*inode
)
5803 inode_doinit_with_dentry(inode
, dentry
);
5806 static int selinux_getprocattr(struct task_struct
*p
,
5807 char *name
, char **value
)
5809 const struct task_security_struct
*__tsec
;
5815 __tsec
= __task_cred(p
)->security
;
5818 error
= avc_has_perm(current_sid(), __tsec
->sid
,
5819 SECCLASS_PROCESS
, PROCESS__GETATTR
, NULL
);
5824 if (!strcmp(name
, "current"))
5826 else if (!strcmp(name
, "prev"))
5828 else if (!strcmp(name
, "exec"))
5829 sid
= __tsec
->exec_sid
;
5830 else if (!strcmp(name
, "fscreate"))
5831 sid
= __tsec
->create_sid
;
5832 else if (!strcmp(name
, "keycreate"))
5833 sid
= __tsec
->keycreate_sid
;
5834 else if (!strcmp(name
, "sockcreate"))
5835 sid
= __tsec
->sockcreate_sid
;
5845 error
= security_sid_to_context(sid
, value
, &len
);
5855 static int selinux_setprocattr(const char *name
, void *value
, size_t size
)
5857 struct task_security_struct
*tsec
;
5859 u32 mysid
= current_sid(), sid
= 0, ptsid
;
5864 * Basic control over ability to set these attributes at all.
5866 if (!strcmp(name
, "exec"))
5867 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5868 PROCESS__SETEXEC
, NULL
);
5869 else if (!strcmp(name
, "fscreate"))
5870 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5871 PROCESS__SETFSCREATE
, NULL
);
5872 else if (!strcmp(name
, "keycreate"))
5873 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5874 PROCESS__SETKEYCREATE
, NULL
);
5875 else if (!strcmp(name
, "sockcreate"))
5876 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5877 PROCESS__SETSOCKCREATE
, NULL
);
5878 else if (!strcmp(name
, "current"))
5879 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5880 PROCESS__SETCURRENT
, NULL
);
5886 /* Obtain a SID for the context, if one was specified. */
5887 if (size
&& str
[0] && str
[0] != '\n') {
5888 if (str
[size
-1] == '\n') {
5892 error
= security_context_to_sid(value
, size
, &sid
, GFP_KERNEL
);
5893 if (error
== -EINVAL
&& !strcmp(name
, "fscreate")) {
5894 if (!capable(CAP_MAC_ADMIN
)) {
5895 struct audit_buffer
*ab
;
5898 /* We strip a nul only if it is at the end, otherwise the
5899 * context contains a nul and we should audit that */
5900 if (str
[size
- 1] == '\0')
5901 audit_size
= size
- 1;
5904 ab
= audit_log_start(current
->audit_context
, GFP_ATOMIC
, AUDIT_SELINUX_ERR
);
5905 audit_log_format(ab
, "op=fscreate invalid_context=");
5906 audit_log_n_untrustedstring(ab
, value
, audit_size
);
5911 error
= security_context_to_sid_force(value
, size
,
5918 new = prepare_creds();
5922 /* Permission checking based on the specified context is
5923 performed during the actual operation (execve,
5924 open/mkdir/...), when we know the full context of the
5925 operation. See selinux_bprm_set_creds for the execve
5926 checks and may_create for the file creation checks. The
5927 operation will then fail if the context is not permitted. */
5928 tsec
= new->security
;
5929 if (!strcmp(name
, "exec")) {
5930 tsec
->exec_sid
= sid
;
5931 } else if (!strcmp(name
, "fscreate")) {
5932 tsec
->create_sid
= sid
;
5933 } else if (!strcmp(name
, "keycreate")) {
5934 error
= avc_has_perm(mysid
, sid
, SECCLASS_KEY
, KEY__CREATE
,
5938 tsec
->keycreate_sid
= sid
;
5939 } else if (!strcmp(name
, "sockcreate")) {
5940 tsec
->sockcreate_sid
= sid
;
5941 } else if (!strcmp(name
, "current")) {
5946 /* Only allow single threaded processes to change context */
5948 if (!current_is_single_threaded()) {
5949 error
= security_bounded_transition(tsec
->sid
, sid
);
5954 /* Check permissions for the transition. */
5955 error
= avc_has_perm(tsec
->sid
, sid
, SECCLASS_PROCESS
,
5956 PROCESS__DYNTRANSITION
, NULL
);
5960 /* Check for ptracing, and update the task SID if ok.
5961 Otherwise, leave SID unchanged and fail. */
5962 ptsid
= ptrace_parent_sid();
5964 error
= avc_has_perm(ptsid
, sid
, SECCLASS_PROCESS
,
5965 PROCESS__PTRACE
, NULL
);
5984 static int selinux_ismaclabel(const char *name
)
5986 return (strcmp(name
, XATTR_SELINUX_SUFFIX
) == 0);
5989 static int selinux_secid_to_secctx(u32 secid
, char **secdata
, u32
*seclen
)
5991 return security_sid_to_context(secid
, secdata
, seclen
);
5994 static int selinux_secctx_to_secid(const char *secdata
, u32 seclen
, u32
*secid
)
5996 return security_context_to_sid(secdata
, seclen
, secid
, GFP_KERNEL
);
5999 static void selinux_release_secctx(char *secdata
, u32 seclen
)
6004 static void selinux_inode_invalidate_secctx(struct inode
*inode
)
6006 struct inode_security_struct
*isec
= inode
->i_security
;
6008 spin_lock(&isec
->lock
);
6009 isec
->initialized
= LABEL_INVALID
;
6010 spin_unlock(&isec
->lock
);
6014 * called with inode->i_mutex locked
6016 static int selinux_inode_notifysecctx(struct inode
*inode
, void *ctx
, u32 ctxlen
)
6018 return selinux_inode_setsecurity(inode
, XATTR_SELINUX_SUFFIX
, ctx
, ctxlen
, 0);
6022 * called with inode->i_mutex locked
6024 static int selinux_inode_setsecctx(struct dentry
*dentry
, void *ctx
, u32 ctxlen
)
6026 return __vfs_setxattr_noperm(dentry
, XATTR_NAME_SELINUX
, ctx
, ctxlen
, 0);
6029 static int selinux_inode_getsecctx(struct inode
*inode
, void **ctx
, u32
*ctxlen
)
6032 len
= selinux_inode_getsecurity(inode
, XATTR_SELINUX_SUFFIX
,
6041 static int selinux_key_alloc(struct key
*k
, const struct cred
*cred
,
6042 unsigned long flags
)
6044 const struct task_security_struct
*tsec
;
6045 struct key_security_struct
*ksec
;
6047 ksec
= kzalloc(sizeof(struct key_security_struct
), GFP_KERNEL
);
6051 tsec
= cred
->security
;
6052 if (tsec
->keycreate_sid
)
6053 ksec
->sid
= tsec
->keycreate_sid
;
6055 ksec
->sid
= tsec
->sid
;
6061 static void selinux_key_free(struct key
*k
)
6063 struct key_security_struct
*ksec
= k
->security
;
6069 static int selinux_key_permission(key_ref_t key_ref
,
6070 const struct cred
*cred
,
6074 struct key_security_struct
*ksec
;
6077 /* if no specific permissions are requested, we skip the
6078 permission check. No serious, additional covert channels
6079 appear to be created. */
6083 sid
= cred_sid(cred
);
6085 key
= key_ref_to_ptr(key_ref
);
6086 ksec
= key
->security
;
6088 return avc_has_perm(sid
, ksec
->sid
, SECCLASS_KEY
, perm
, NULL
);
6091 static int selinux_key_getsecurity(struct key
*key
, char **_buffer
)
6093 struct key_security_struct
*ksec
= key
->security
;
6094 char *context
= NULL
;
6098 rc
= security_sid_to_context(ksec
->sid
, &context
, &len
);
6107 static struct security_hook_list selinux_hooks
[] = {
6108 LSM_HOOK_INIT(binder_set_context_mgr
, selinux_binder_set_context_mgr
),
6109 LSM_HOOK_INIT(binder_transaction
, selinux_binder_transaction
),
6110 LSM_HOOK_INIT(binder_transfer_binder
, selinux_binder_transfer_binder
),
6111 LSM_HOOK_INIT(binder_transfer_file
, selinux_binder_transfer_file
),
6113 LSM_HOOK_INIT(ptrace_access_check
, selinux_ptrace_access_check
),
6114 LSM_HOOK_INIT(ptrace_traceme
, selinux_ptrace_traceme
),
6115 LSM_HOOK_INIT(capget
, selinux_capget
),
6116 LSM_HOOK_INIT(capset
, selinux_capset
),
6117 LSM_HOOK_INIT(capable
, selinux_capable
),
6118 LSM_HOOK_INIT(quotactl
, selinux_quotactl
),
6119 LSM_HOOK_INIT(quota_on
, selinux_quota_on
),
6120 LSM_HOOK_INIT(syslog
, selinux_syslog
),
6121 LSM_HOOK_INIT(vm_enough_memory
, selinux_vm_enough_memory
),
6123 LSM_HOOK_INIT(netlink_send
, selinux_netlink_send
),
6125 LSM_HOOK_INIT(bprm_set_creds
, selinux_bprm_set_creds
),
6126 LSM_HOOK_INIT(bprm_committing_creds
, selinux_bprm_committing_creds
),
6127 LSM_HOOK_INIT(bprm_committed_creds
, selinux_bprm_committed_creds
),
6128 LSM_HOOK_INIT(bprm_secureexec
, selinux_bprm_secureexec
),
6130 LSM_HOOK_INIT(sb_alloc_security
, selinux_sb_alloc_security
),
6131 LSM_HOOK_INIT(sb_free_security
, selinux_sb_free_security
),
6132 LSM_HOOK_INIT(sb_copy_data
, selinux_sb_copy_data
),
6133 LSM_HOOK_INIT(sb_remount
, selinux_sb_remount
),
6134 LSM_HOOK_INIT(sb_kern_mount
, selinux_sb_kern_mount
),
6135 LSM_HOOK_INIT(sb_show_options
, selinux_sb_show_options
),
6136 LSM_HOOK_INIT(sb_statfs
, selinux_sb_statfs
),
6137 LSM_HOOK_INIT(sb_mount
, selinux_mount
),
6138 LSM_HOOK_INIT(sb_umount
, selinux_umount
),
6139 LSM_HOOK_INIT(sb_set_mnt_opts
, selinux_set_mnt_opts
),
6140 LSM_HOOK_INIT(sb_clone_mnt_opts
, selinux_sb_clone_mnt_opts
),
6141 LSM_HOOK_INIT(sb_parse_opts_str
, selinux_parse_opts_str
),
6143 LSM_HOOK_INIT(dentry_init_security
, selinux_dentry_init_security
),
6144 LSM_HOOK_INIT(dentry_create_files_as
, selinux_dentry_create_files_as
),
6146 LSM_HOOK_INIT(inode_alloc_security
, selinux_inode_alloc_security
),
6147 LSM_HOOK_INIT(inode_free_security
, selinux_inode_free_security
),
6148 LSM_HOOK_INIT(inode_init_security
, selinux_inode_init_security
),
6149 LSM_HOOK_INIT(inode_create
, selinux_inode_create
),
6150 LSM_HOOK_INIT(inode_link
, selinux_inode_link
),
6151 LSM_HOOK_INIT(inode_unlink
, selinux_inode_unlink
),
6152 LSM_HOOK_INIT(inode_symlink
, selinux_inode_symlink
),
6153 LSM_HOOK_INIT(inode_mkdir
, selinux_inode_mkdir
),
6154 LSM_HOOK_INIT(inode_rmdir
, selinux_inode_rmdir
),
6155 LSM_HOOK_INIT(inode_mknod
, selinux_inode_mknod
),
6156 LSM_HOOK_INIT(inode_rename
, selinux_inode_rename
),
6157 LSM_HOOK_INIT(inode_readlink
, selinux_inode_readlink
),
6158 LSM_HOOK_INIT(inode_follow_link
, selinux_inode_follow_link
),
6159 LSM_HOOK_INIT(inode_permission
, selinux_inode_permission
),
6160 LSM_HOOK_INIT(inode_setattr
, selinux_inode_setattr
),
6161 LSM_HOOK_INIT(inode_getattr
, selinux_inode_getattr
),
6162 LSM_HOOK_INIT(inode_setxattr
, selinux_inode_setxattr
),
6163 LSM_HOOK_INIT(inode_post_setxattr
, selinux_inode_post_setxattr
),
6164 LSM_HOOK_INIT(inode_getxattr
, selinux_inode_getxattr
),
6165 LSM_HOOK_INIT(inode_listxattr
, selinux_inode_listxattr
),
6166 LSM_HOOK_INIT(inode_removexattr
, selinux_inode_removexattr
),
6167 LSM_HOOK_INIT(inode_getsecurity
, selinux_inode_getsecurity
),
6168 LSM_HOOK_INIT(inode_setsecurity
, selinux_inode_setsecurity
),
6169 LSM_HOOK_INIT(inode_listsecurity
, selinux_inode_listsecurity
),
6170 LSM_HOOK_INIT(inode_getsecid
, selinux_inode_getsecid
),
6171 LSM_HOOK_INIT(inode_copy_up
, selinux_inode_copy_up
),
6172 LSM_HOOK_INIT(inode_copy_up_xattr
, selinux_inode_copy_up_xattr
),
6174 LSM_HOOK_INIT(file_permission
, selinux_file_permission
),
6175 LSM_HOOK_INIT(file_alloc_security
, selinux_file_alloc_security
),
6176 LSM_HOOK_INIT(file_free_security
, selinux_file_free_security
),
6177 LSM_HOOK_INIT(file_ioctl
, selinux_file_ioctl
),
6178 LSM_HOOK_INIT(mmap_file
, selinux_mmap_file
),
6179 LSM_HOOK_INIT(mmap_addr
, selinux_mmap_addr
),
6180 LSM_HOOK_INIT(file_mprotect
, selinux_file_mprotect
),
6181 LSM_HOOK_INIT(file_lock
, selinux_file_lock
),
6182 LSM_HOOK_INIT(file_fcntl
, selinux_file_fcntl
),
6183 LSM_HOOK_INIT(file_set_fowner
, selinux_file_set_fowner
),
6184 LSM_HOOK_INIT(file_send_sigiotask
, selinux_file_send_sigiotask
),
6185 LSM_HOOK_INIT(file_receive
, selinux_file_receive
),
6187 LSM_HOOK_INIT(file_open
, selinux_file_open
),
6189 LSM_HOOK_INIT(task_create
, selinux_task_create
),
6190 LSM_HOOK_INIT(cred_alloc_blank
, selinux_cred_alloc_blank
),
6191 LSM_HOOK_INIT(cred_free
, selinux_cred_free
),
6192 LSM_HOOK_INIT(cred_prepare
, selinux_cred_prepare
),
6193 LSM_HOOK_INIT(cred_transfer
, selinux_cred_transfer
),
6194 LSM_HOOK_INIT(kernel_act_as
, selinux_kernel_act_as
),
6195 LSM_HOOK_INIT(kernel_create_files_as
, selinux_kernel_create_files_as
),
6196 LSM_HOOK_INIT(kernel_module_request
, selinux_kernel_module_request
),
6197 LSM_HOOK_INIT(kernel_read_file
, selinux_kernel_read_file
),
6198 LSM_HOOK_INIT(task_setpgid
, selinux_task_setpgid
),
6199 LSM_HOOK_INIT(task_getpgid
, selinux_task_getpgid
),
6200 LSM_HOOK_INIT(task_getsid
, selinux_task_getsid
),
6201 LSM_HOOK_INIT(task_getsecid
, selinux_task_getsecid
),
6202 LSM_HOOK_INIT(task_setnice
, selinux_task_setnice
),
6203 LSM_HOOK_INIT(task_setioprio
, selinux_task_setioprio
),
6204 LSM_HOOK_INIT(task_getioprio
, selinux_task_getioprio
),
6205 LSM_HOOK_INIT(task_setrlimit
, selinux_task_setrlimit
),
6206 LSM_HOOK_INIT(task_setscheduler
, selinux_task_setscheduler
),
6207 LSM_HOOK_INIT(task_getscheduler
, selinux_task_getscheduler
),
6208 LSM_HOOK_INIT(task_movememory
, selinux_task_movememory
),
6209 LSM_HOOK_INIT(task_kill
, selinux_task_kill
),
6210 LSM_HOOK_INIT(task_to_inode
, selinux_task_to_inode
),
6212 LSM_HOOK_INIT(ipc_permission
, selinux_ipc_permission
),
6213 LSM_HOOK_INIT(ipc_getsecid
, selinux_ipc_getsecid
),
6215 LSM_HOOK_INIT(msg_msg_alloc_security
, selinux_msg_msg_alloc_security
),
6216 LSM_HOOK_INIT(msg_msg_free_security
, selinux_msg_msg_free_security
),
6218 LSM_HOOK_INIT(msg_queue_alloc_security
,
6219 selinux_msg_queue_alloc_security
),
6220 LSM_HOOK_INIT(msg_queue_free_security
, selinux_msg_queue_free_security
),
6221 LSM_HOOK_INIT(msg_queue_associate
, selinux_msg_queue_associate
),
6222 LSM_HOOK_INIT(msg_queue_msgctl
, selinux_msg_queue_msgctl
),
6223 LSM_HOOK_INIT(msg_queue_msgsnd
, selinux_msg_queue_msgsnd
),
6224 LSM_HOOK_INIT(msg_queue_msgrcv
, selinux_msg_queue_msgrcv
),
6226 LSM_HOOK_INIT(shm_alloc_security
, selinux_shm_alloc_security
),
6227 LSM_HOOK_INIT(shm_free_security
, selinux_shm_free_security
),
6228 LSM_HOOK_INIT(shm_associate
, selinux_shm_associate
),
6229 LSM_HOOK_INIT(shm_shmctl
, selinux_shm_shmctl
),
6230 LSM_HOOK_INIT(shm_shmat
, selinux_shm_shmat
),
6232 LSM_HOOK_INIT(sem_alloc_security
, selinux_sem_alloc_security
),
6233 LSM_HOOK_INIT(sem_free_security
, selinux_sem_free_security
),
6234 LSM_HOOK_INIT(sem_associate
, selinux_sem_associate
),
6235 LSM_HOOK_INIT(sem_semctl
, selinux_sem_semctl
),
6236 LSM_HOOK_INIT(sem_semop
, selinux_sem_semop
),
6238 LSM_HOOK_INIT(d_instantiate
, selinux_d_instantiate
),
6240 LSM_HOOK_INIT(getprocattr
, selinux_getprocattr
),
6241 LSM_HOOK_INIT(setprocattr
, selinux_setprocattr
),
6243 LSM_HOOK_INIT(ismaclabel
, selinux_ismaclabel
),
6244 LSM_HOOK_INIT(secid_to_secctx
, selinux_secid_to_secctx
),
6245 LSM_HOOK_INIT(secctx_to_secid
, selinux_secctx_to_secid
),
6246 LSM_HOOK_INIT(release_secctx
, selinux_release_secctx
),
6247 LSM_HOOK_INIT(inode_invalidate_secctx
, selinux_inode_invalidate_secctx
),
6248 LSM_HOOK_INIT(inode_notifysecctx
, selinux_inode_notifysecctx
),
6249 LSM_HOOK_INIT(inode_setsecctx
, selinux_inode_setsecctx
),
6250 LSM_HOOK_INIT(inode_getsecctx
, selinux_inode_getsecctx
),
6252 LSM_HOOK_INIT(unix_stream_connect
, selinux_socket_unix_stream_connect
),
6253 LSM_HOOK_INIT(unix_may_send
, selinux_socket_unix_may_send
),
6255 LSM_HOOK_INIT(socket_create
, selinux_socket_create
),
6256 LSM_HOOK_INIT(socket_post_create
, selinux_socket_post_create
),
6257 LSM_HOOK_INIT(socket_bind
, selinux_socket_bind
),
6258 LSM_HOOK_INIT(socket_connect
, selinux_socket_connect
),
6259 LSM_HOOK_INIT(socket_listen
, selinux_socket_listen
),
6260 LSM_HOOK_INIT(socket_accept
, selinux_socket_accept
),
6261 LSM_HOOK_INIT(socket_sendmsg
, selinux_socket_sendmsg
),
6262 LSM_HOOK_INIT(socket_recvmsg
, selinux_socket_recvmsg
),
6263 LSM_HOOK_INIT(socket_getsockname
, selinux_socket_getsockname
),
6264 LSM_HOOK_INIT(socket_getpeername
, selinux_socket_getpeername
),
6265 LSM_HOOK_INIT(socket_getsockopt
, selinux_socket_getsockopt
),
6266 LSM_HOOK_INIT(socket_setsockopt
, selinux_socket_setsockopt
),
6267 LSM_HOOK_INIT(socket_shutdown
, selinux_socket_shutdown
),
6268 LSM_HOOK_INIT(socket_sock_rcv_skb
, selinux_socket_sock_rcv_skb
),
6269 LSM_HOOK_INIT(socket_getpeersec_stream
,
6270 selinux_socket_getpeersec_stream
),
6271 LSM_HOOK_INIT(socket_getpeersec_dgram
, selinux_socket_getpeersec_dgram
),
6272 LSM_HOOK_INIT(sk_alloc_security
, selinux_sk_alloc_security
),
6273 LSM_HOOK_INIT(sk_free_security
, selinux_sk_free_security
),
6274 LSM_HOOK_INIT(sk_clone_security
, selinux_sk_clone_security
),
6275 LSM_HOOK_INIT(sk_getsecid
, selinux_sk_getsecid
),
6276 LSM_HOOK_INIT(sock_graft
, selinux_sock_graft
),
6277 LSM_HOOK_INIT(inet_conn_request
, selinux_inet_conn_request
),
6278 LSM_HOOK_INIT(inet_csk_clone
, selinux_inet_csk_clone
),
6279 LSM_HOOK_INIT(inet_conn_established
, selinux_inet_conn_established
),
6280 LSM_HOOK_INIT(secmark_relabel_packet
, selinux_secmark_relabel_packet
),
6281 LSM_HOOK_INIT(secmark_refcount_inc
, selinux_secmark_refcount_inc
),
6282 LSM_HOOK_INIT(secmark_refcount_dec
, selinux_secmark_refcount_dec
),
6283 LSM_HOOK_INIT(req_classify_flow
, selinux_req_classify_flow
),
6284 LSM_HOOK_INIT(tun_dev_alloc_security
, selinux_tun_dev_alloc_security
),
6285 LSM_HOOK_INIT(tun_dev_free_security
, selinux_tun_dev_free_security
),
6286 LSM_HOOK_INIT(tun_dev_create
, selinux_tun_dev_create
),
6287 LSM_HOOK_INIT(tun_dev_attach_queue
, selinux_tun_dev_attach_queue
),
6288 LSM_HOOK_INIT(tun_dev_attach
, selinux_tun_dev_attach
),
6289 LSM_HOOK_INIT(tun_dev_open
, selinux_tun_dev_open
),
6291 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6292 LSM_HOOK_INIT(xfrm_policy_alloc_security
, selinux_xfrm_policy_alloc
),
6293 LSM_HOOK_INIT(xfrm_policy_clone_security
, selinux_xfrm_policy_clone
),
6294 LSM_HOOK_INIT(xfrm_policy_free_security
, selinux_xfrm_policy_free
),
6295 LSM_HOOK_INIT(xfrm_policy_delete_security
, selinux_xfrm_policy_delete
),
6296 LSM_HOOK_INIT(xfrm_state_alloc
, selinux_xfrm_state_alloc
),
6297 LSM_HOOK_INIT(xfrm_state_alloc_acquire
,
6298 selinux_xfrm_state_alloc_acquire
),
6299 LSM_HOOK_INIT(xfrm_state_free_security
, selinux_xfrm_state_free
),
6300 LSM_HOOK_INIT(xfrm_state_delete_security
, selinux_xfrm_state_delete
),
6301 LSM_HOOK_INIT(xfrm_policy_lookup
, selinux_xfrm_policy_lookup
),
6302 LSM_HOOK_INIT(xfrm_state_pol_flow_match
,
6303 selinux_xfrm_state_pol_flow_match
),
6304 LSM_HOOK_INIT(xfrm_decode_session
, selinux_xfrm_decode_session
),
6308 LSM_HOOK_INIT(key_alloc
, selinux_key_alloc
),
6309 LSM_HOOK_INIT(key_free
, selinux_key_free
),
6310 LSM_HOOK_INIT(key_permission
, selinux_key_permission
),
6311 LSM_HOOK_INIT(key_getsecurity
, selinux_key_getsecurity
),
6315 LSM_HOOK_INIT(audit_rule_init
, selinux_audit_rule_init
),
6316 LSM_HOOK_INIT(audit_rule_known
, selinux_audit_rule_known
),
6317 LSM_HOOK_INIT(audit_rule_match
, selinux_audit_rule_match
),
6318 LSM_HOOK_INIT(audit_rule_free
, selinux_audit_rule_free
),
6322 static __init
int selinux_init(void)
6324 if (!security_module_enable("selinux")) {
6325 selinux_enabled
= 0;
6329 if (!selinux_enabled
) {
6330 printk(KERN_INFO
"SELinux: Disabled at boot.\n");
6334 printk(KERN_INFO
"SELinux: Initializing.\n");
6336 /* Set the security state for the initial task. */
6337 cred_init_security();
6339 default_noexec
= !(VM_DATA_DEFAULT_FLAGS
& VM_EXEC
);
6341 sel_inode_cache
= kmem_cache_create("selinux_inode_security",
6342 sizeof(struct inode_security_struct
),
6343 0, SLAB_PANIC
, NULL
);
6344 file_security_cache
= kmem_cache_create("selinux_file_security",
6345 sizeof(struct file_security_struct
),
6346 0, SLAB_PANIC
, NULL
);
6349 security_add_hooks(selinux_hooks
, ARRAY_SIZE(selinux_hooks
), "selinux");
6351 if (avc_add_callback(selinux_netcache_avc_callback
, AVC_CALLBACK_RESET
))
6352 panic("SELinux: Unable to register AVC netcache callback\n");
6354 if (selinux_enforcing
)
6355 printk(KERN_DEBUG
"SELinux: Starting in enforcing mode\n");
6357 printk(KERN_DEBUG
"SELinux: Starting in permissive mode\n");
6362 static void delayed_superblock_init(struct super_block
*sb
, void *unused
)
6364 superblock_doinit(sb
, NULL
);
6367 void selinux_complete_init(void)
6369 printk(KERN_DEBUG
"SELinux: Completing initialization.\n");
6371 /* Set up any superblocks initialized prior to the policy load. */
6372 printk(KERN_DEBUG
"SELinux: Setting up existing superblocks.\n");
6373 iterate_supers(delayed_superblock_init
, NULL
);
6376 /* SELinux requires early initialization in order to label
6377 all processes and objects when they are created. */
6378 security_initcall(selinux_init
);
6380 #if defined(CONFIG_NETFILTER)
6382 static struct nf_hook_ops selinux_nf_ops
[] = {
6384 .hook
= selinux_ipv4_postroute
,
6386 .hooknum
= NF_INET_POST_ROUTING
,
6387 .priority
= NF_IP_PRI_SELINUX_LAST
,
6390 .hook
= selinux_ipv4_forward
,
6392 .hooknum
= NF_INET_FORWARD
,
6393 .priority
= NF_IP_PRI_SELINUX_FIRST
,
6396 .hook
= selinux_ipv4_output
,
6398 .hooknum
= NF_INET_LOCAL_OUT
,
6399 .priority
= NF_IP_PRI_SELINUX_FIRST
,
6401 #if IS_ENABLED(CONFIG_IPV6)
6403 .hook
= selinux_ipv6_postroute
,
6405 .hooknum
= NF_INET_POST_ROUTING
,
6406 .priority
= NF_IP6_PRI_SELINUX_LAST
,
6409 .hook
= selinux_ipv6_forward
,
6411 .hooknum
= NF_INET_FORWARD
,
6412 .priority
= NF_IP6_PRI_SELINUX_FIRST
,
6415 .hook
= selinux_ipv6_output
,
6417 .hooknum
= NF_INET_LOCAL_OUT
,
6418 .priority
= NF_IP6_PRI_SELINUX_FIRST
,
6423 static int __init
selinux_nf_ip_init(void)
6427 if (!selinux_enabled
)
6430 printk(KERN_DEBUG
"SELinux: Registering netfilter hooks\n");
6432 err
= nf_register_hooks(selinux_nf_ops
, ARRAY_SIZE(selinux_nf_ops
));
6434 panic("SELinux: nf_register_hooks: error %d\n", err
);
6439 __initcall(selinux_nf_ip_init
);
6441 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6442 static void selinux_nf_ip_exit(void)
6444 printk(KERN_DEBUG
"SELinux: Unregistering netfilter hooks\n");
6446 nf_unregister_hooks(selinux_nf_ops
, ARRAY_SIZE(selinux_nf_ops
));
6450 #else /* CONFIG_NETFILTER */
6452 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6453 #define selinux_nf_ip_exit()
6456 #endif /* CONFIG_NETFILTER */
6458 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6459 static int selinux_disabled
;
6461 int selinux_disable(void)
6463 if (ss_initialized
) {
6464 /* Not permitted after initial policy load. */
6468 if (selinux_disabled
) {
6469 /* Only do this once. */
6473 printk(KERN_INFO
"SELinux: Disabled at runtime.\n");
6475 selinux_disabled
= 1;
6476 selinux_enabled
= 0;
6478 security_delete_hooks(selinux_hooks
, ARRAY_SIZE(selinux_hooks
));
6480 /* Try to destroy the avc node cache */
6483 /* Unregister netfilter hooks. */
6484 selinux_nf_ip_exit();
6486 /* Unregister selinuxfs. */