2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
27 #include <linux/init.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h> /* for Unix socket types */
72 #include <net/af_unix.h> /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
99 /* SECMARK reference count */
100 static atomic_t selinux_secmark_refcount
= ATOMIC_INIT(0);
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing
;
105 static int __init
enforcing_setup(char *str
)
107 unsigned long enforcing
;
108 if (!kstrtoul(str
, 0, &enforcing
))
109 selinux_enforcing
= enforcing
? 1 : 0;
112 __setup("enforcing=", enforcing_setup
);
115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116 int selinux_enabled
= CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE
;
118 static int __init
selinux_enabled_setup(char *str
)
120 unsigned long enabled
;
121 if (!kstrtoul(str
, 0, &enabled
))
122 selinux_enabled
= enabled
? 1 : 0;
125 __setup("selinux=", selinux_enabled_setup
);
127 int selinux_enabled
= 1;
130 static struct kmem_cache
*sel_inode_cache
;
131 static struct kmem_cache
*file_security_cache
;
134 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
137 * This function checks the SECMARK reference counter to see if any SECMARK
138 * targets are currently configured, if the reference counter is greater than
139 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
140 * enabled, false (0) if SECMARK is disabled. If the always_check_network
141 * policy capability is enabled, SECMARK is always considered enabled.
144 static int selinux_secmark_enabled(void)
146 return (selinux_policycap_alwaysnetwork
|| atomic_read(&selinux_secmark_refcount
));
150 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
153 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
154 * (1) if any are enabled or false (0) if neither are enabled. If the
155 * always_check_network policy capability is enabled, peer labeling
156 * is always considered enabled.
159 static int selinux_peerlbl_enabled(void)
161 return (selinux_policycap_alwaysnetwork
|| netlbl_enabled() || selinux_xfrm_enabled());
164 static int selinux_netcache_avc_callback(u32 event
)
166 if (event
== AVC_CALLBACK_RESET
) {
175 static int selinux_lsm_notifier_avc_callback(u32 event
)
177 if (event
== AVC_CALLBACK_RESET
)
178 call_lsm_notifier(LSM_POLICY_CHANGE
, NULL
);
184 * initialise the security for the init task
186 static void cred_init_security(void)
188 struct cred
*cred
= (struct cred
*) current
->real_cred
;
189 struct task_security_struct
*tsec
;
191 tsec
= kzalloc(sizeof(struct task_security_struct
), GFP_KERNEL
);
193 panic("SELinux: Failed to initialize initial task.\n");
195 tsec
->osid
= tsec
->sid
= SECINITSID_KERNEL
;
196 cred
->security
= tsec
;
200 * get the security ID of a set of credentials
202 static inline u32
cred_sid(const struct cred
*cred
)
204 const struct task_security_struct
*tsec
;
206 tsec
= cred
->security
;
211 * get the objective security ID of a task
213 static inline u32
task_sid(const struct task_struct
*task
)
218 sid
= cred_sid(__task_cred(task
));
223 /* Allocate and free functions for each kind of security blob. */
225 static int inode_alloc_security(struct inode
*inode
)
227 struct inode_security_struct
*isec
;
228 u32 sid
= current_sid();
230 isec
= kmem_cache_zalloc(sel_inode_cache
, GFP_NOFS
);
234 spin_lock_init(&isec
->lock
);
235 INIT_LIST_HEAD(&isec
->list
);
237 isec
->sid
= SECINITSID_UNLABELED
;
238 isec
->sclass
= SECCLASS_FILE
;
239 isec
->task_sid
= sid
;
240 isec
->initialized
= LABEL_INVALID
;
241 inode
->i_security
= isec
;
246 static int inode_doinit_with_dentry(struct inode
*inode
, struct dentry
*opt_dentry
);
249 * Try reloading inode security labels that have been marked as invalid. The
250 * @may_sleep parameter indicates when sleeping and thus reloading labels is
251 * allowed; when set to false, returns -ECHILD when the label is
252 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
253 * when no dentry is available, set it to NULL instead.
255 static int __inode_security_revalidate(struct inode
*inode
,
256 struct dentry
*opt_dentry
,
259 struct inode_security_struct
*isec
= inode
->i_security
;
261 might_sleep_if(may_sleep
);
263 if (ss_initialized
&& isec
->initialized
!= LABEL_INITIALIZED
) {
268 * Try reloading the inode security label. This will fail if
269 * @opt_dentry is NULL and no dentry for this inode can be
270 * found; in that case, continue using the old label.
272 inode_doinit_with_dentry(inode
, opt_dentry
);
277 static struct inode_security_struct
*inode_security_novalidate(struct inode
*inode
)
279 return inode
->i_security
;
282 static struct inode_security_struct
*inode_security_rcu(struct inode
*inode
, bool rcu
)
286 error
= __inode_security_revalidate(inode
, NULL
, !rcu
);
288 return ERR_PTR(error
);
289 return inode
->i_security
;
293 * Get the security label of an inode.
295 static struct inode_security_struct
*inode_security(struct inode
*inode
)
297 __inode_security_revalidate(inode
, NULL
, true);
298 return inode
->i_security
;
301 static struct inode_security_struct
*backing_inode_security_novalidate(struct dentry
*dentry
)
303 struct inode
*inode
= d_backing_inode(dentry
);
305 return inode
->i_security
;
309 * Get the security label of a dentry's backing inode.
311 static struct inode_security_struct
*backing_inode_security(struct dentry
*dentry
)
313 struct inode
*inode
= d_backing_inode(dentry
);
315 __inode_security_revalidate(inode
, dentry
, true);
316 return inode
->i_security
;
319 static void inode_free_rcu(struct rcu_head
*head
)
321 struct inode_security_struct
*isec
;
323 isec
= container_of(head
, struct inode_security_struct
, rcu
);
324 kmem_cache_free(sel_inode_cache
, isec
);
327 static void inode_free_security(struct inode
*inode
)
329 struct inode_security_struct
*isec
= inode
->i_security
;
330 struct superblock_security_struct
*sbsec
= inode
->i_sb
->s_security
;
333 * As not all inode security structures are in a list, we check for
334 * empty list outside of the lock to make sure that we won't waste
335 * time taking a lock doing nothing.
337 * The list_del_init() function can be safely called more than once.
338 * It should not be possible for this function to be called with
339 * concurrent list_add(), but for better safety against future changes
340 * in the code, we use list_empty_careful() here.
342 if (!list_empty_careful(&isec
->list
)) {
343 spin_lock(&sbsec
->isec_lock
);
344 list_del_init(&isec
->list
);
345 spin_unlock(&sbsec
->isec_lock
);
349 * The inode may still be referenced in a path walk and
350 * a call to selinux_inode_permission() can be made
351 * after inode_free_security() is called. Ideally, the VFS
352 * wouldn't do this, but fixing that is a much harder
353 * job. For now, simply free the i_security via RCU, and
354 * leave the current inode->i_security pointer intact.
355 * The inode will be freed after the RCU grace period too.
357 call_rcu(&isec
->rcu
, inode_free_rcu
);
360 static int file_alloc_security(struct file
*file
)
362 struct file_security_struct
*fsec
;
363 u32 sid
= current_sid();
365 fsec
= kmem_cache_zalloc(file_security_cache
, GFP_KERNEL
);
370 fsec
->fown_sid
= sid
;
371 file
->f_security
= fsec
;
376 static void file_free_security(struct file
*file
)
378 struct file_security_struct
*fsec
= file
->f_security
;
379 file
->f_security
= NULL
;
380 kmem_cache_free(file_security_cache
, fsec
);
383 static int superblock_alloc_security(struct super_block
*sb
)
385 struct superblock_security_struct
*sbsec
;
387 sbsec
= kzalloc(sizeof(struct superblock_security_struct
), GFP_KERNEL
);
391 mutex_init(&sbsec
->lock
);
392 INIT_LIST_HEAD(&sbsec
->isec_head
);
393 spin_lock_init(&sbsec
->isec_lock
);
395 sbsec
->sid
= SECINITSID_UNLABELED
;
396 sbsec
->def_sid
= SECINITSID_FILE
;
397 sbsec
->mntpoint_sid
= SECINITSID_UNLABELED
;
398 sb
->s_security
= sbsec
;
403 static void superblock_free_security(struct super_block
*sb
)
405 struct superblock_security_struct
*sbsec
= sb
->s_security
;
406 sb
->s_security
= NULL
;
410 static inline int inode_doinit(struct inode
*inode
)
412 return inode_doinit_with_dentry(inode
, NULL
);
421 Opt_labelsupport
= 5,
425 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
427 static const match_table_t tokens
= {
428 {Opt_context
, CONTEXT_STR
"%s"},
429 {Opt_fscontext
, FSCONTEXT_STR
"%s"},
430 {Opt_defcontext
, DEFCONTEXT_STR
"%s"},
431 {Opt_rootcontext
, ROOTCONTEXT_STR
"%s"},
432 {Opt_labelsupport
, LABELSUPP_STR
},
436 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
438 static int may_context_mount_sb_relabel(u32 sid
,
439 struct superblock_security_struct
*sbsec
,
440 const struct cred
*cred
)
442 const struct task_security_struct
*tsec
= cred
->security
;
445 rc
= avc_has_perm(tsec
->sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
446 FILESYSTEM__RELABELFROM
, NULL
);
450 rc
= avc_has_perm(tsec
->sid
, sid
, SECCLASS_FILESYSTEM
,
451 FILESYSTEM__RELABELTO
, NULL
);
455 static int may_context_mount_inode_relabel(u32 sid
,
456 struct superblock_security_struct
*sbsec
,
457 const struct cred
*cred
)
459 const struct task_security_struct
*tsec
= cred
->security
;
461 rc
= avc_has_perm(tsec
->sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
462 FILESYSTEM__RELABELFROM
, NULL
);
466 rc
= avc_has_perm(sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
467 FILESYSTEM__ASSOCIATE
, NULL
);
471 static int selinux_is_sblabel_mnt(struct super_block
*sb
)
473 struct superblock_security_struct
*sbsec
= sb
->s_security
;
475 return sbsec
->behavior
== SECURITY_FS_USE_XATTR
||
476 sbsec
->behavior
== SECURITY_FS_USE_TRANS
||
477 sbsec
->behavior
== SECURITY_FS_USE_TASK
||
478 sbsec
->behavior
== SECURITY_FS_USE_NATIVE
||
479 /* Special handling. Genfs but also in-core setxattr handler */
480 !strcmp(sb
->s_type
->name
, "sysfs") ||
481 !strcmp(sb
->s_type
->name
, "pstore") ||
482 !strcmp(sb
->s_type
->name
, "debugfs") ||
483 !strcmp(sb
->s_type
->name
, "tracefs") ||
484 !strcmp(sb
->s_type
->name
, "rootfs") ||
485 (selinux_policycap_cgroupseclabel
&&
486 (!strcmp(sb
->s_type
->name
, "cgroup") ||
487 !strcmp(sb
->s_type
->name
, "cgroup2")));
490 static int sb_finish_set_opts(struct super_block
*sb
)
492 struct superblock_security_struct
*sbsec
= sb
->s_security
;
493 struct dentry
*root
= sb
->s_root
;
494 struct inode
*root_inode
= d_backing_inode(root
);
497 if (sbsec
->behavior
== SECURITY_FS_USE_XATTR
) {
498 /* Make sure that the xattr handler exists and that no
499 error other than -ENODATA is returned by getxattr on
500 the root directory. -ENODATA is ok, as this may be
501 the first boot of the SELinux kernel before we have
502 assigned xattr values to the filesystem. */
503 if (!(root_inode
->i_opflags
& IOP_XATTR
)) {
504 printk(KERN_WARNING
"SELinux: (dev %s, type %s) has no "
505 "xattr support\n", sb
->s_id
, sb
->s_type
->name
);
510 rc
= __vfs_getxattr(root
, root_inode
, XATTR_NAME_SELINUX
, NULL
, 0);
511 if (rc
< 0 && rc
!= -ENODATA
) {
512 if (rc
== -EOPNOTSUPP
)
513 printk(KERN_WARNING
"SELinux: (dev %s, type "
514 "%s) has no security xattr handler\n",
515 sb
->s_id
, sb
->s_type
->name
);
517 printk(KERN_WARNING
"SELinux: (dev %s, type "
518 "%s) getxattr errno %d\n", sb
->s_id
,
519 sb
->s_type
->name
, -rc
);
524 sbsec
->flags
|= SE_SBINITIALIZED
;
525 if (selinux_is_sblabel_mnt(sb
))
526 sbsec
->flags
|= SBLABEL_MNT
;
528 /* Initialize the root inode. */
529 rc
= inode_doinit_with_dentry(root_inode
, root
);
531 /* Initialize any other inodes associated with the superblock, e.g.
532 inodes created prior to initial policy load or inodes created
533 during get_sb by a pseudo filesystem that directly
535 spin_lock(&sbsec
->isec_lock
);
537 if (!list_empty(&sbsec
->isec_head
)) {
538 struct inode_security_struct
*isec
=
539 list_entry(sbsec
->isec_head
.next
,
540 struct inode_security_struct
, list
);
541 struct inode
*inode
= isec
->inode
;
542 list_del_init(&isec
->list
);
543 spin_unlock(&sbsec
->isec_lock
);
544 inode
= igrab(inode
);
546 if (!IS_PRIVATE(inode
))
550 spin_lock(&sbsec
->isec_lock
);
553 spin_unlock(&sbsec
->isec_lock
);
559 * This function should allow an FS to ask what it's mount security
560 * options were so it can use those later for submounts, displaying
561 * mount options, or whatever.
563 static int selinux_get_mnt_opts(const struct super_block
*sb
,
564 struct security_mnt_opts
*opts
)
567 struct superblock_security_struct
*sbsec
= sb
->s_security
;
568 char *context
= NULL
;
572 security_init_mnt_opts(opts
);
574 if (!(sbsec
->flags
& SE_SBINITIALIZED
))
580 /* make sure we always check enough bits to cover the mask */
581 BUILD_BUG_ON(SE_MNTMASK
>= (1 << NUM_SEL_MNT_OPTS
));
583 tmp
= sbsec
->flags
& SE_MNTMASK
;
584 /* count the number of mount options for this sb */
585 for (i
= 0; i
< NUM_SEL_MNT_OPTS
; i
++) {
587 opts
->num_mnt_opts
++;
590 /* Check if the Label support flag is set */
591 if (sbsec
->flags
& SBLABEL_MNT
)
592 opts
->num_mnt_opts
++;
594 opts
->mnt_opts
= kcalloc(opts
->num_mnt_opts
, sizeof(char *), GFP_ATOMIC
);
595 if (!opts
->mnt_opts
) {
600 opts
->mnt_opts_flags
= kcalloc(opts
->num_mnt_opts
, sizeof(int), GFP_ATOMIC
);
601 if (!opts
->mnt_opts_flags
) {
607 if (sbsec
->flags
& FSCONTEXT_MNT
) {
608 rc
= security_sid_to_context(sbsec
->sid
, &context
, &len
);
611 opts
->mnt_opts
[i
] = context
;
612 opts
->mnt_opts_flags
[i
++] = FSCONTEXT_MNT
;
614 if (sbsec
->flags
& CONTEXT_MNT
) {
615 rc
= security_sid_to_context(sbsec
->mntpoint_sid
, &context
, &len
);
618 opts
->mnt_opts
[i
] = context
;
619 opts
->mnt_opts_flags
[i
++] = CONTEXT_MNT
;
621 if (sbsec
->flags
& DEFCONTEXT_MNT
) {
622 rc
= security_sid_to_context(sbsec
->def_sid
, &context
, &len
);
625 opts
->mnt_opts
[i
] = context
;
626 opts
->mnt_opts_flags
[i
++] = DEFCONTEXT_MNT
;
628 if (sbsec
->flags
& ROOTCONTEXT_MNT
) {
629 struct dentry
*root
= sbsec
->sb
->s_root
;
630 struct inode_security_struct
*isec
= backing_inode_security(root
);
632 rc
= security_sid_to_context(isec
->sid
, &context
, &len
);
635 opts
->mnt_opts
[i
] = context
;
636 opts
->mnt_opts_flags
[i
++] = ROOTCONTEXT_MNT
;
638 if (sbsec
->flags
& SBLABEL_MNT
) {
639 opts
->mnt_opts
[i
] = NULL
;
640 opts
->mnt_opts_flags
[i
++] = SBLABEL_MNT
;
643 BUG_ON(i
!= opts
->num_mnt_opts
);
648 security_free_mnt_opts(opts
);
652 static int bad_option(struct superblock_security_struct
*sbsec
, char flag
,
653 u32 old_sid
, u32 new_sid
)
655 char mnt_flags
= sbsec
->flags
& SE_MNTMASK
;
657 /* check if the old mount command had the same options */
658 if (sbsec
->flags
& SE_SBINITIALIZED
)
659 if (!(sbsec
->flags
& flag
) ||
660 (old_sid
!= new_sid
))
663 /* check if we were passed the same options twice,
664 * aka someone passed context=a,context=b
666 if (!(sbsec
->flags
& SE_SBINITIALIZED
))
667 if (mnt_flags
& flag
)
673 * Allow filesystems with binary mount data to explicitly set mount point
674 * labeling information.
676 static int selinux_set_mnt_opts(struct super_block
*sb
,
677 struct security_mnt_opts
*opts
,
678 unsigned long kern_flags
,
679 unsigned long *set_kern_flags
)
681 const struct cred
*cred
= current_cred();
683 struct superblock_security_struct
*sbsec
= sb
->s_security
;
684 const char *name
= sb
->s_type
->name
;
685 struct dentry
*root
= sbsec
->sb
->s_root
;
686 struct inode_security_struct
*root_isec
;
687 u32 fscontext_sid
= 0, context_sid
= 0, rootcontext_sid
= 0;
688 u32 defcontext_sid
= 0;
689 char **mount_options
= opts
->mnt_opts
;
690 int *flags
= opts
->mnt_opts_flags
;
691 int num_opts
= opts
->num_mnt_opts
;
693 mutex_lock(&sbsec
->lock
);
695 if (!ss_initialized
) {
697 /* Defer initialization until selinux_complete_init,
698 after the initial policy is loaded and the security
699 server is ready to handle calls. */
703 printk(KERN_WARNING
"SELinux: Unable to set superblock options "
704 "before the security server is initialized\n");
707 if (kern_flags
&& !set_kern_flags
) {
708 /* Specifying internal flags without providing a place to
709 * place the results is not allowed */
715 * Binary mount data FS will come through this function twice. Once
716 * from an explicit call and once from the generic calls from the vfs.
717 * Since the generic VFS calls will not contain any security mount data
718 * we need to skip the double mount verification.
720 * This does open a hole in which we will not notice if the first
721 * mount using this sb set explict options and a second mount using
722 * this sb does not set any security options. (The first options
723 * will be used for both mounts)
725 if ((sbsec
->flags
& SE_SBINITIALIZED
) && (sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
)
729 root_isec
= backing_inode_security_novalidate(root
);
732 * parse the mount options, check if they are valid sids.
733 * also check if someone is trying to mount the same sb more
734 * than once with different security options.
736 for (i
= 0; i
< num_opts
; i
++) {
739 if (flags
[i
] == SBLABEL_MNT
)
741 rc
= security_context_str_to_sid(mount_options
[i
], &sid
, GFP_KERNEL
);
743 printk(KERN_WARNING
"SELinux: security_context_str_to_sid"
744 "(%s) failed for (dev %s, type %s) errno=%d\n",
745 mount_options
[i
], sb
->s_id
, name
, rc
);
752 if (bad_option(sbsec
, FSCONTEXT_MNT
, sbsec
->sid
,
754 goto out_double_mount
;
756 sbsec
->flags
|= FSCONTEXT_MNT
;
761 if (bad_option(sbsec
, CONTEXT_MNT
, sbsec
->mntpoint_sid
,
763 goto out_double_mount
;
765 sbsec
->flags
|= CONTEXT_MNT
;
767 case ROOTCONTEXT_MNT
:
768 rootcontext_sid
= sid
;
770 if (bad_option(sbsec
, ROOTCONTEXT_MNT
, root_isec
->sid
,
772 goto out_double_mount
;
774 sbsec
->flags
|= ROOTCONTEXT_MNT
;
778 defcontext_sid
= sid
;
780 if (bad_option(sbsec
, DEFCONTEXT_MNT
, sbsec
->def_sid
,
782 goto out_double_mount
;
784 sbsec
->flags
|= DEFCONTEXT_MNT
;
793 if (sbsec
->flags
& SE_SBINITIALIZED
) {
794 /* previously mounted with options, but not on this attempt? */
795 if ((sbsec
->flags
& SE_MNTMASK
) && !num_opts
)
796 goto out_double_mount
;
801 if (strcmp(sb
->s_type
->name
, "proc") == 0)
802 sbsec
->flags
|= SE_SBPROC
| SE_SBGENFS
;
804 if (!strcmp(sb
->s_type
->name
, "debugfs") ||
805 !strcmp(sb
->s_type
->name
, "sysfs") ||
806 !strcmp(sb
->s_type
->name
, "pstore"))
807 sbsec
->flags
|= SE_SBGENFS
;
809 if (!sbsec
->behavior
) {
811 * Determine the labeling behavior to use for this
814 rc
= security_fs_use(sb
);
817 "%s: security_fs_use(%s) returned %d\n",
818 __func__
, sb
->s_type
->name
, rc
);
824 * If this is a user namespace mount and the filesystem type is not
825 * explicitly whitelisted, then no contexts are allowed on the command
826 * line and security labels must be ignored.
828 if (sb
->s_user_ns
!= &init_user_ns
&&
829 strcmp(sb
->s_type
->name
, "tmpfs") &&
830 strcmp(sb
->s_type
->name
, "ramfs") &&
831 strcmp(sb
->s_type
->name
, "devpts")) {
832 if (context_sid
|| fscontext_sid
|| rootcontext_sid
||
837 if (sbsec
->behavior
== SECURITY_FS_USE_XATTR
) {
838 sbsec
->behavior
= SECURITY_FS_USE_MNTPOINT
;
839 rc
= security_transition_sid(current_sid(), current_sid(),
841 &sbsec
->mntpoint_sid
);
848 /* sets the context of the superblock for the fs being mounted. */
850 rc
= may_context_mount_sb_relabel(fscontext_sid
, sbsec
, cred
);
854 sbsec
->sid
= fscontext_sid
;
858 * Switch to using mount point labeling behavior.
859 * sets the label used on all file below the mountpoint, and will set
860 * the superblock context if not already set.
862 if (kern_flags
& SECURITY_LSM_NATIVE_LABELS
&& !context_sid
) {
863 sbsec
->behavior
= SECURITY_FS_USE_NATIVE
;
864 *set_kern_flags
|= SECURITY_LSM_NATIVE_LABELS
;
868 if (!fscontext_sid
) {
869 rc
= may_context_mount_sb_relabel(context_sid
, sbsec
,
873 sbsec
->sid
= context_sid
;
875 rc
= may_context_mount_inode_relabel(context_sid
, sbsec
,
880 if (!rootcontext_sid
)
881 rootcontext_sid
= context_sid
;
883 sbsec
->mntpoint_sid
= context_sid
;
884 sbsec
->behavior
= SECURITY_FS_USE_MNTPOINT
;
887 if (rootcontext_sid
) {
888 rc
= may_context_mount_inode_relabel(rootcontext_sid
, sbsec
,
893 root_isec
->sid
= rootcontext_sid
;
894 root_isec
->initialized
= LABEL_INITIALIZED
;
897 if (defcontext_sid
) {
898 if (sbsec
->behavior
!= SECURITY_FS_USE_XATTR
&&
899 sbsec
->behavior
!= SECURITY_FS_USE_NATIVE
) {
901 printk(KERN_WARNING
"SELinux: defcontext option is "
902 "invalid for this filesystem type\n");
906 if (defcontext_sid
!= sbsec
->def_sid
) {
907 rc
= may_context_mount_inode_relabel(defcontext_sid
,
913 sbsec
->def_sid
= defcontext_sid
;
917 rc
= sb_finish_set_opts(sb
);
919 mutex_unlock(&sbsec
->lock
);
923 printk(KERN_WARNING
"SELinux: mount invalid. Same superblock, different "
924 "security settings for (dev %s, type %s)\n", sb
->s_id
, name
);
928 static int selinux_cmp_sb_context(const struct super_block
*oldsb
,
929 const struct super_block
*newsb
)
931 struct superblock_security_struct
*old
= oldsb
->s_security
;
932 struct superblock_security_struct
*new = newsb
->s_security
;
933 char oldflags
= old
->flags
& SE_MNTMASK
;
934 char newflags
= new->flags
& SE_MNTMASK
;
936 if (oldflags
!= newflags
)
938 if ((oldflags
& FSCONTEXT_MNT
) && old
->sid
!= new->sid
)
940 if ((oldflags
& CONTEXT_MNT
) && old
->mntpoint_sid
!= new->mntpoint_sid
)
942 if ((oldflags
& DEFCONTEXT_MNT
) && old
->def_sid
!= new->def_sid
)
944 if (oldflags
& ROOTCONTEXT_MNT
) {
945 struct inode_security_struct
*oldroot
= backing_inode_security(oldsb
->s_root
);
946 struct inode_security_struct
*newroot
= backing_inode_security(newsb
->s_root
);
947 if (oldroot
->sid
!= newroot
->sid
)
952 printk(KERN_WARNING
"SELinux: mount invalid. Same superblock, "
953 "different security settings for (dev %s, "
954 "type %s)\n", newsb
->s_id
, newsb
->s_type
->name
);
958 static int selinux_sb_clone_mnt_opts(const struct super_block
*oldsb
,
959 struct super_block
*newsb
)
961 const struct superblock_security_struct
*oldsbsec
= oldsb
->s_security
;
962 struct superblock_security_struct
*newsbsec
= newsb
->s_security
;
964 int set_fscontext
= (oldsbsec
->flags
& FSCONTEXT_MNT
);
965 int set_context
= (oldsbsec
->flags
& CONTEXT_MNT
);
966 int set_rootcontext
= (oldsbsec
->flags
& ROOTCONTEXT_MNT
);
969 * if the parent was able to be mounted it clearly had no special lsm
970 * mount options. thus we can safely deal with this superblock later
975 /* how can we clone if the old one wasn't set up?? */
976 BUG_ON(!(oldsbsec
->flags
& SE_SBINITIALIZED
));
978 /* if fs is reusing a sb, make sure that the contexts match */
979 if (newsbsec
->flags
& SE_SBINITIALIZED
)
980 return selinux_cmp_sb_context(oldsb
, newsb
);
982 mutex_lock(&newsbsec
->lock
);
984 newsbsec
->flags
= oldsbsec
->flags
;
986 newsbsec
->sid
= oldsbsec
->sid
;
987 newsbsec
->def_sid
= oldsbsec
->def_sid
;
988 newsbsec
->behavior
= oldsbsec
->behavior
;
991 u32 sid
= oldsbsec
->mntpoint_sid
;
995 if (!set_rootcontext
) {
996 struct inode_security_struct
*newisec
= backing_inode_security(newsb
->s_root
);
999 newsbsec
->mntpoint_sid
= sid
;
1001 if (set_rootcontext
) {
1002 const struct inode_security_struct
*oldisec
= backing_inode_security(oldsb
->s_root
);
1003 struct inode_security_struct
*newisec
= backing_inode_security(newsb
->s_root
);
1005 newisec
->sid
= oldisec
->sid
;
1008 sb_finish_set_opts(newsb
);
1009 mutex_unlock(&newsbsec
->lock
);
1013 static int selinux_parse_opts_str(char *options
,
1014 struct security_mnt_opts
*opts
)
1017 char *context
= NULL
, *defcontext
= NULL
;
1018 char *fscontext
= NULL
, *rootcontext
= NULL
;
1019 int rc
, num_mnt_opts
= 0;
1021 opts
->num_mnt_opts
= 0;
1023 /* Standard string-based options. */
1024 while ((p
= strsep(&options
, "|")) != NULL
) {
1026 substring_t args
[MAX_OPT_ARGS
];
1031 token
= match_token(p
, tokens
, args
);
1035 if (context
|| defcontext
) {
1037 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1040 context
= match_strdup(&args
[0]);
1050 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1053 fscontext
= match_strdup(&args
[0]);
1060 case Opt_rootcontext
:
1063 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1066 rootcontext
= match_strdup(&args
[0]);
1073 case Opt_defcontext
:
1074 if (context
|| defcontext
) {
1076 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1079 defcontext
= match_strdup(&args
[0]);
1085 case Opt_labelsupport
:
1089 printk(KERN_WARNING
"SELinux: unknown mount option\n");
1096 opts
->mnt_opts
= kcalloc(NUM_SEL_MNT_OPTS
, sizeof(char *), GFP_KERNEL
);
1097 if (!opts
->mnt_opts
)
1100 opts
->mnt_opts_flags
= kcalloc(NUM_SEL_MNT_OPTS
, sizeof(int),
1102 if (!opts
->mnt_opts_flags
) {
1103 kfree(opts
->mnt_opts
);
1108 opts
->mnt_opts
[num_mnt_opts
] = fscontext
;
1109 opts
->mnt_opts_flags
[num_mnt_opts
++] = FSCONTEXT_MNT
;
1112 opts
->mnt_opts
[num_mnt_opts
] = context
;
1113 opts
->mnt_opts_flags
[num_mnt_opts
++] = CONTEXT_MNT
;
1116 opts
->mnt_opts
[num_mnt_opts
] = rootcontext
;
1117 opts
->mnt_opts_flags
[num_mnt_opts
++] = ROOTCONTEXT_MNT
;
1120 opts
->mnt_opts
[num_mnt_opts
] = defcontext
;
1121 opts
->mnt_opts_flags
[num_mnt_opts
++] = DEFCONTEXT_MNT
;
1124 opts
->num_mnt_opts
= num_mnt_opts
;
1135 * string mount options parsing and call set the sbsec
1137 static int superblock_doinit(struct super_block
*sb
, void *data
)
1140 char *options
= data
;
1141 struct security_mnt_opts opts
;
1143 security_init_mnt_opts(&opts
);
1148 BUG_ON(sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
);
1150 rc
= selinux_parse_opts_str(options
, &opts
);
1155 rc
= selinux_set_mnt_opts(sb
, &opts
, 0, NULL
);
1158 security_free_mnt_opts(&opts
);
1162 static void selinux_write_opts(struct seq_file
*m
,
1163 struct security_mnt_opts
*opts
)
1168 for (i
= 0; i
< opts
->num_mnt_opts
; i
++) {
1171 if (opts
->mnt_opts
[i
])
1172 has_comma
= strchr(opts
->mnt_opts
[i
], ',');
1176 switch (opts
->mnt_opts_flags
[i
]) {
1178 prefix
= CONTEXT_STR
;
1181 prefix
= FSCONTEXT_STR
;
1183 case ROOTCONTEXT_MNT
:
1184 prefix
= ROOTCONTEXT_STR
;
1186 case DEFCONTEXT_MNT
:
1187 prefix
= DEFCONTEXT_STR
;
1191 seq_puts(m
, LABELSUPP_STR
);
1197 /* we need a comma before each option */
1199 seq_puts(m
, prefix
);
1202 seq_escape(m
, opts
->mnt_opts
[i
], "\"\n\\");
1208 static int selinux_sb_show_options(struct seq_file
*m
, struct super_block
*sb
)
1210 struct security_mnt_opts opts
;
1213 rc
= selinux_get_mnt_opts(sb
, &opts
);
1215 /* before policy load we may get EINVAL, don't show anything */
1221 selinux_write_opts(m
, &opts
);
1223 security_free_mnt_opts(&opts
);
1228 static inline u16
inode_mode_to_security_class(umode_t mode
)
1230 switch (mode
& S_IFMT
) {
1232 return SECCLASS_SOCK_FILE
;
1234 return SECCLASS_LNK_FILE
;
1236 return SECCLASS_FILE
;
1238 return SECCLASS_BLK_FILE
;
1240 return SECCLASS_DIR
;
1242 return SECCLASS_CHR_FILE
;
1244 return SECCLASS_FIFO_FILE
;
1248 return SECCLASS_FILE
;
1251 static inline int default_protocol_stream(int protocol
)
1253 return (protocol
== IPPROTO_IP
|| protocol
== IPPROTO_TCP
);
1256 static inline int default_protocol_dgram(int protocol
)
1258 return (protocol
== IPPROTO_IP
|| protocol
== IPPROTO_UDP
);
1261 static inline u16
socket_type_to_security_class(int family
, int type
, int protocol
)
1263 int extsockclass
= selinux_policycap_extsockclass
;
1269 case SOCK_SEQPACKET
:
1270 return SECCLASS_UNIX_STREAM_SOCKET
;
1272 return SECCLASS_UNIX_DGRAM_SOCKET
;
1279 case SOCK_SEQPACKET
:
1280 if (default_protocol_stream(protocol
))
1281 return SECCLASS_TCP_SOCKET
;
1282 else if (extsockclass
&& protocol
== IPPROTO_SCTP
)
1283 return SECCLASS_SCTP_SOCKET
;
1285 return SECCLASS_RAWIP_SOCKET
;
1287 if (default_protocol_dgram(protocol
))
1288 return SECCLASS_UDP_SOCKET
;
1289 else if (extsockclass
&& (protocol
== IPPROTO_ICMP
||
1290 protocol
== IPPROTO_ICMPV6
))
1291 return SECCLASS_ICMP_SOCKET
;
1293 return SECCLASS_RAWIP_SOCKET
;
1295 return SECCLASS_DCCP_SOCKET
;
1297 return SECCLASS_RAWIP_SOCKET
;
1303 return SECCLASS_NETLINK_ROUTE_SOCKET
;
1304 case NETLINK_SOCK_DIAG
:
1305 return SECCLASS_NETLINK_TCPDIAG_SOCKET
;
1307 return SECCLASS_NETLINK_NFLOG_SOCKET
;
1309 return SECCLASS_NETLINK_XFRM_SOCKET
;
1310 case NETLINK_SELINUX
:
1311 return SECCLASS_NETLINK_SELINUX_SOCKET
;
1313 return SECCLASS_NETLINK_ISCSI_SOCKET
;
1315 return SECCLASS_NETLINK_AUDIT_SOCKET
;
1316 case NETLINK_FIB_LOOKUP
:
1317 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET
;
1318 case NETLINK_CONNECTOR
:
1319 return SECCLASS_NETLINK_CONNECTOR_SOCKET
;
1320 case NETLINK_NETFILTER
:
1321 return SECCLASS_NETLINK_NETFILTER_SOCKET
;
1322 case NETLINK_DNRTMSG
:
1323 return SECCLASS_NETLINK_DNRT_SOCKET
;
1324 case NETLINK_KOBJECT_UEVENT
:
1325 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET
;
1326 case NETLINK_GENERIC
:
1327 return SECCLASS_NETLINK_GENERIC_SOCKET
;
1328 case NETLINK_SCSITRANSPORT
:
1329 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET
;
1331 return SECCLASS_NETLINK_RDMA_SOCKET
;
1332 case NETLINK_CRYPTO
:
1333 return SECCLASS_NETLINK_CRYPTO_SOCKET
;
1335 return SECCLASS_NETLINK_SOCKET
;
1338 return SECCLASS_PACKET_SOCKET
;
1340 return SECCLASS_KEY_SOCKET
;
1342 return SECCLASS_APPLETALK_SOCKET
;
1348 return SECCLASS_AX25_SOCKET
;
1350 return SECCLASS_IPX_SOCKET
;
1352 return SECCLASS_NETROM_SOCKET
;
1354 return SECCLASS_ATMPVC_SOCKET
;
1356 return SECCLASS_X25_SOCKET
;
1358 return SECCLASS_ROSE_SOCKET
;
1360 return SECCLASS_DECNET_SOCKET
;
1362 return SECCLASS_ATMSVC_SOCKET
;
1364 return SECCLASS_RDS_SOCKET
;
1366 return SECCLASS_IRDA_SOCKET
;
1368 return SECCLASS_PPPOX_SOCKET
;
1370 return SECCLASS_LLC_SOCKET
;
1372 return SECCLASS_CAN_SOCKET
;
1374 return SECCLASS_TIPC_SOCKET
;
1376 return SECCLASS_BLUETOOTH_SOCKET
;
1378 return SECCLASS_IUCV_SOCKET
;
1380 return SECCLASS_RXRPC_SOCKET
;
1382 return SECCLASS_ISDN_SOCKET
;
1384 return SECCLASS_PHONET_SOCKET
;
1386 return SECCLASS_IEEE802154_SOCKET
;
1388 return SECCLASS_CAIF_SOCKET
;
1390 return SECCLASS_ALG_SOCKET
;
1392 return SECCLASS_NFC_SOCKET
;
1394 return SECCLASS_VSOCK_SOCKET
;
1396 return SECCLASS_KCM_SOCKET
;
1398 return SECCLASS_QIPCRTR_SOCKET
;
1400 return SECCLASS_SMC_SOCKET
;
1402 #error New address family defined, please update this function.
1407 return SECCLASS_SOCKET
;
1410 static int selinux_genfs_get_sid(struct dentry
*dentry
,
1416 struct super_block
*sb
= dentry
->d_sb
;
1417 char *buffer
, *path
;
1419 buffer
= (char *)__get_free_page(GFP_KERNEL
);
1423 path
= dentry_path_raw(dentry
, buffer
, PAGE_SIZE
);
1427 if (flags
& SE_SBPROC
) {
1428 /* each process gets a /proc/PID/ entry. Strip off the
1429 * PID part to get a valid selinux labeling.
1430 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1431 while (path
[1] >= '0' && path
[1] <= '9') {
1436 rc
= security_genfs_sid(sb
->s_type
->name
, path
, tclass
, sid
);
1438 free_page((unsigned long)buffer
);
1442 /* The inode's security attributes must be initialized before first use. */
1443 static int inode_doinit_with_dentry(struct inode
*inode
, struct dentry
*opt_dentry
)
1445 struct superblock_security_struct
*sbsec
= NULL
;
1446 struct inode_security_struct
*isec
= inode
->i_security
;
1447 u32 task_sid
, sid
= 0;
1449 struct dentry
*dentry
;
1450 #define INITCONTEXTLEN 255
1451 char *context
= NULL
;
1455 if (isec
->initialized
== LABEL_INITIALIZED
)
1458 spin_lock(&isec
->lock
);
1459 if (isec
->initialized
== LABEL_INITIALIZED
)
1462 if (isec
->sclass
== SECCLASS_FILE
)
1463 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
1465 sbsec
= inode
->i_sb
->s_security
;
1466 if (!(sbsec
->flags
& SE_SBINITIALIZED
)) {
1467 /* Defer initialization until selinux_complete_init,
1468 after the initial policy is loaded and the security
1469 server is ready to handle calls. */
1470 spin_lock(&sbsec
->isec_lock
);
1471 if (list_empty(&isec
->list
))
1472 list_add(&isec
->list
, &sbsec
->isec_head
);
1473 spin_unlock(&sbsec
->isec_lock
);
1477 sclass
= isec
->sclass
;
1478 task_sid
= isec
->task_sid
;
1480 isec
->initialized
= LABEL_PENDING
;
1481 spin_unlock(&isec
->lock
);
1483 switch (sbsec
->behavior
) {
1484 case SECURITY_FS_USE_NATIVE
:
1486 case SECURITY_FS_USE_XATTR
:
1487 if (!(inode
->i_opflags
& IOP_XATTR
)) {
1488 sid
= sbsec
->def_sid
;
1491 /* Need a dentry, since the xattr API requires one.
1492 Life would be simpler if we could just pass the inode. */
1494 /* Called from d_instantiate or d_splice_alias. */
1495 dentry
= dget(opt_dentry
);
1497 /* Called from selinux_complete_init, try to find a dentry. */
1498 dentry
= d_find_alias(inode
);
1502 * this is can be hit on boot when a file is accessed
1503 * before the policy is loaded. When we load policy we
1504 * may find inodes that have no dentry on the
1505 * sbsec->isec_head list. No reason to complain as these
1506 * will get fixed up the next time we go through
1507 * inode_doinit with a dentry, before these inodes could
1508 * be used again by userspace.
1513 len
= INITCONTEXTLEN
;
1514 context
= kmalloc(len
+1, GFP_NOFS
);
1520 context
[len
] = '\0';
1521 rc
= __vfs_getxattr(dentry
, inode
, XATTR_NAME_SELINUX
, context
, len
);
1522 if (rc
== -ERANGE
) {
1525 /* Need a larger buffer. Query for the right size. */
1526 rc
= __vfs_getxattr(dentry
, inode
, XATTR_NAME_SELINUX
, NULL
, 0);
1532 context
= kmalloc(len
+1, GFP_NOFS
);
1538 context
[len
] = '\0';
1539 rc
= __vfs_getxattr(dentry
, inode
, XATTR_NAME_SELINUX
, context
, len
);
1543 if (rc
!= -ENODATA
) {
1544 printk(KERN_WARNING
"SELinux: %s: getxattr returned "
1545 "%d for dev=%s ino=%ld\n", __func__
,
1546 -rc
, inode
->i_sb
->s_id
, inode
->i_ino
);
1550 /* Map ENODATA to the default file SID */
1551 sid
= sbsec
->def_sid
;
1554 rc
= security_context_to_sid_default(context
, rc
, &sid
,
1558 char *dev
= inode
->i_sb
->s_id
;
1559 unsigned long ino
= inode
->i_ino
;
1561 if (rc
== -EINVAL
) {
1562 if (printk_ratelimit())
1563 printk(KERN_NOTICE
"SELinux: inode=%lu on dev=%s was found to have an invalid "
1564 "context=%s. This indicates you may need to relabel the inode or the "
1565 "filesystem in question.\n", ino
, dev
, context
);
1567 printk(KERN_WARNING
"SELinux: %s: context_to_sid(%s) "
1568 "returned %d for dev=%s ino=%ld\n",
1569 __func__
, context
, -rc
, dev
, ino
);
1572 /* Leave with the unlabeled SID */
1579 case SECURITY_FS_USE_TASK
:
1582 case SECURITY_FS_USE_TRANS
:
1583 /* Default to the fs SID. */
1586 /* Try to obtain a transition SID. */
1587 rc
= security_transition_sid(task_sid
, sid
, sclass
, NULL
, &sid
);
1591 case SECURITY_FS_USE_MNTPOINT
:
1592 sid
= sbsec
->mntpoint_sid
;
1595 /* Default to the fs superblock SID. */
1598 if ((sbsec
->flags
& SE_SBGENFS
) && !S_ISLNK(inode
->i_mode
)) {
1599 /* We must have a dentry to determine the label on
1602 /* Called from d_instantiate or
1603 * d_splice_alias. */
1604 dentry
= dget(opt_dentry
);
1606 /* Called from selinux_complete_init, try to
1608 dentry
= d_find_alias(inode
);
1610 * This can be hit on boot when a file is accessed
1611 * before the policy is loaded. When we load policy we
1612 * may find inodes that have no dentry on the
1613 * sbsec->isec_head list. No reason to complain as
1614 * these will get fixed up the next time we go through
1615 * inode_doinit() with a dentry, before these inodes
1616 * could be used again by userspace.
1620 rc
= selinux_genfs_get_sid(dentry
, sclass
,
1621 sbsec
->flags
, &sid
);
1630 spin_lock(&isec
->lock
);
1631 if (isec
->initialized
== LABEL_PENDING
) {
1633 isec
->initialized
= LABEL_INVALID
;
1637 isec
->initialized
= LABEL_INITIALIZED
;
1642 spin_unlock(&isec
->lock
);
1646 /* Convert a Linux signal to an access vector. */
1647 static inline u32
signal_to_av(int sig
)
1653 /* Commonly granted from child to parent. */
1654 perm
= PROCESS__SIGCHLD
;
1657 /* Cannot be caught or ignored */
1658 perm
= PROCESS__SIGKILL
;
1661 /* Cannot be caught or ignored */
1662 perm
= PROCESS__SIGSTOP
;
1665 /* All other signals. */
1666 perm
= PROCESS__SIGNAL
;
1673 #if CAP_LAST_CAP > 63
1674 #error Fix SELinux to handle capabilities > 63.
1677 /* Check whether a task is allowed to use a capability. */
1678 static int cred_has_capability(const struct cred
*cred
,
1679 int cap
, int audit
, bool initns
)
1681 struct common_audit_data ad
;
1682 struct av_decision avd
;
1684 u32 sid
= cred_sid(cred
);
1685 u32 av
= CAP_TO_MASK(cap
);
1688 ad
.type
= LSM_AUDIT_DATA_CAP
;
1691 switch (CAP_TO_INDEX(cap
)) {
1693 sclass
= initns
? SECCLASS_CAPABILITY
: SECCLASS_CAP_USERNS
;
1696 sclass
= initns
? SECCLASS_CAPABILITY2
: SECCLASS_CAP2_USERNS
;
1700 "SELinux: out of range capability %d\n", cap
);
1705 rc
= avc_has_perm_noaudit(sid
, sid
, sclass
, av
, 0, &avd
);
1706 if (audit
== SECURITY_CAP_AUDIT
) {
1707 int rc2
= avc_audit(sid
, sid
, sclass
, av
, &avd
, rc
, &ad
, 0);
1714 /* Check whether a task has a particular permission to an inode.
1715 The 'adp' parameter is optional and allows other audit
1716 data to be passed (e.g. the dentry). */
1717 static int inode_has_perm(const struct cred
*cred
,
1718 struct inode
*inode
,
1720 struct common_audit_data
*adp
)
1722 struct inode_security_struct
*isec
;
1725 validate_creds(cred
);
1727 if (unlikely(IS_PRIVATE(inode
)))
1730 sid
= cred_sid(cred
);
1731 isec
= inode
->i_security
;
1733 return avc_has_perm(sid
, isec
->sid
, isec
->sclass
, perms
, adp
);
1736 /* Same as inode_has_perm, but pass explicit audit data containing
1737 the dentry to help the auditing code to more easily generate the
1738 pathname if needed. */
1739 static inline int dentry_has_perm(const struct cred
*cred
,
1740 struct dentry
*dentry
,
1743 struct inode
*inode
= d_backing_inode(dentry
);
1744 struct common_audit_data ad
;
1746 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1747 ad
.u
.dentry
= dentry
;
1748 __inode_security_revalidate(inode
, dentry
, true);
1749 return inode_has_perm(cred
, inode
, av
, &ad
);
1752 /* Same as inode_has_perm, but pass explicit audit data containing
1753 the path to help the auditing code to more easily generate the
1754 pathname if needed. */
1755 static inline int path_has_perm(const struct cred
*cred
,
1756 const struct path
*path
,
1759 struct inode
*inode
= d_backing_inode(path
->dentry
);
1760 struct common_audit_data ad
;
1762 ad
.type
= LSM_AUDIT_DATA_PATH
;
1764 __inode_security_revalidate(inode
, path
->dentry
, true);
1765 return inode_has_perm(cred
, inode
, av
, &ad
);
1768 /* Same as path_has_perm, but uses the inode from the file struct. */
1769 static inline int file_path_has_perm(const struct cred
*cred
,
1773 struct common_audit_data ad
;
1775 ad
.type
= LSM_AUDIT_DATA_FILE
;
1777 return inode_has_perm(cred
, file_inode(file
), av
, &ad
);
1780 /* Check whether a task can use an open file descriptor to
1781 access an inode in a given way. Check access to the
1782 descriptor itself, and then use dentry_has_perm to
1783 check a particular permission to the file.
1784 Access to the descriptor is implicitly granted if it
1785 has the same SID as the process. If av is zero, then
1786 access to the file is not checked, e.g. for cases
1787 where only the descriptor is affected like seek. */
1788 static int file_has_perm(const struct cred
*cred
,
1792 struct file_security_struct
*fsec
= file
->f_security
;
1793 struct inode
*inode
= file_inode(file
);
1794 struct common_audit_data ad
;
1795 u32 sid
= cred_sid(cred
);
1798 ad
.type
= LSM_AUDIT_DATA_FILE
;
1801 if (sid
!= fsec
->sid
) {
1802 rc
= avc_has_perm(sid
, fsec
->sid
,
1810 /* av is zero if only checking access to the descriptor. */
1813 rc
= inode_has_perm(cred
, inode
, av
, &ad
);
1820 * Determine the label for an inode that might be unioned.
1823 selinux_determine_inode_label(const struct task_security_struct
*tsec
,
1825 const struct qstr
*name
, u16 tclass
,
1828 const struct superblock_security_struct
*sbsec
= dir
->i_sb
->s_security
;
1830 if ((sbsec
->flags
& SE_SBINITIALIZED
) &&
1831 (sbsec
->behavior
== SECURITY_FS_USE_MNTPOINT
)) {
1832 *_new_isid
= sbsec
->mntpoint_sid
;
1833 } else if ((sbsec
->flags
& SBLABEL_MNT
) &&
1835 *_new_isid
= tsec
->create_sid
;
1837 const struct inode_security_struct
*dsec
= inode_security(dir
);
1838 return security_transition_sid(tsec
->sid
, dsec
->sid
, tclass
,
1845 /* Check whether a task can create a file. */
1846 static int may_create(struct inode
*dir
,
1847 struct dentry
*dentry
,
1850 const struct task_security_struct
*tsec
= current_security();
1851 struct inode_security_struct
*dsec
;
1852 struct superblock_security_struct
*sbsec
;
1854 struct common_audit_data ad
;
1857 dsec
= inode_security(dir
);
1858 sbsec
= dir
->i_sb
->s_security
;
1862 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1863 ad
.u
.dentry
= dentry
;
1865 rc
= avc_has_perm(sid
, dsec
->sid
, SECCLASS_DIR
,
1866 DIR__ADD_NAME
| DIR__SEARCH
,
1871 rc
= selinux_determine_inode_label(current_security(), dir
,
1872 &dentry
->d_name
, tclass
, &newsid
);
1876 rc
= avc_has_perm(sid
, newsid
, tclass
, FILE__CREATE
, &ad
);
1880 return avc_has_perm(newsid
, sbsec
->sid
,
1881 SECCLASS_FILESYSTEM
,
1882 FILESYSTEM__ASSOCIATE
, &ad
);
1886 #define MAY_UNLINK 1
1889 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1890 static int may_link(struct inode
*dir
,
1891 struct dentry
*dentry
,
1895 struct inode_security_struct
*dsec
, *isec
;
1896 struct common_audit_data ad
;
1897 u32 sid
= current_sid();
1901 dsec
= inode_security(dir
);
1902 isec
= backing_inode_security(dentry
);
1904 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1905 ad
.u
.dentry
= dentry
;
1908 av
|= (kind
? DIR__REMOVE_NAME
: DIR__ADD_NAME
);
1909 rc
= avc_has_perm(sid
, dsec
->sid
, SECCLASS_DIR
, av
, &ad
);
1924 printk(KERN_WARNING
"SELinux: %s: unrecognized kind %d\n",
1929 rc
= avc_has_perm(sid
, isec
->sid
, isec
->sclass
, av
, &ad
);
1933 static inline int may_rename(struct inode
*old_dir
,
1934 struct dentry
*old_dentry
,
1935 struct inode
*new_dir
,
1936 struct dentry
*new_dentry
)
1938 struct inode_security_struct
*old_dsec
, *new_dsec
, *old_isec
, *new_isec
;
1939 struct common_audit_data ad
;
1940 u32 sid
= current_sid();
1942 int old_is_dir
, new_is_dir
;
1945 old_dsec
= inode_security(old_dir
);
1946 old_isec
= backing_inode_security(old_dentry
);
1947 old_is_dir
= d_is_dir(old_dentry
);
1948 new_dsec
= inode_security(new_dir
);
1950 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1952 ad
.u
.dentry
= old_dentry
;
1953 rc
= avc_has_perm(sid
, old_dsec
->sid
, SECCLASS_DIR
,
1954 DIR__REMOVE_NAME
| DIR__SEARCH
, &ad
);
1957 rc
= avc_has_perm(sid
, old_isec
->sid
,
1958 old_isec
->sclass
, FILE__RENAME
, &ad
);
1961 if (old_is_dir
&& new_dir
!= old_dir
) {
1962 rc
= avc_has_perm(sid
, old_isec
->sid
,
1963 old_isec
->sclass
, DIR__REPARENT
, &ad
);
1968 ad
.u
.dentry
= new_dentry
;
1969 av
= DIR__ADD_NAME
| DIR__SEARCH
;
1970 if (d_is_positive(new_dentry
))
1971 av
|= DIR__REMOVE_NAME
;
1972 rc
= avc_has_perm(sid
, new_dsec
->sid
, SECCLASS_DIR
, av
, &ad
);
1975 if (d_is_positive(new_dentry
)) {
1976 new_isec
= backing_inode_security(new_dentry
);
1977 new_is_dir
= d_is_dir(new_dentry
);
1978 rc
= avc_has_perm(sid
, new_isec
->sid
,
1980 (new_is_dir
? DIR__RMDIR
: FILE__UNLINK
), &ad
);
1988 /* Check whether a task can perform a filesystem operation. */
1989 static int superblock_has_perm(const struct cred
*cred
,
1990 struct super_block
*sb
,
1992 struct common_audit_data
*ad
)
1994 struct superblock_security_struct
*sbsec
;
1995 u32 sid
= cred_sid(cred
);
1997 sbsec
= sb
->s_security
;
1998 return avc_has_perm(sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
, perms
, ad
);
2001 /* Convert a Linux mode and permission mask to an access vector. */
2002 static inline u32
file_mask_to_av(int mode
, int mask
)
2006 if (!S_ISDIR(mode
)) {
2007 if (mask
& MAY_EXEC
)
2008 av
|= FILE__EXECUTE
;
2009 if (mask
& MAY_READ
)
2012 if (mask
& MAY_APPEND
)
2014 else if (mask
& MAY_WRITE
)
2018 if (mask
& MAY_EXEC
)
2020 if (mask
& MAY_WRITE
)
2022 if (mask
& MAY_READ
)
2029 /* Convert a Linux file to an access vector. */
2030 static inline u32
file_to_av(struct file
*file
)
2034 if (file
->f_mode
& FMODE_READ
)
2036 if (file
->f_mode
& FMODE_WRITE
) {
2037 if (file
->f_flags
& O_APPEND
)
2044 * Special file opened with flags 3 for ioctl-only use.
2053 * Convert a file to an access vector and include the correct open
2056 static inline u32
open_file_to_av(struct file
*file
)
2058 u32 av
= file_to_av(file
);
2059 struct inode
*inode
= file_inode(file
);
2061 if (selinux_policycap_openperm
&& inode
->i_sb
->s_magic
!= SOCKFS_MAGIC
)
2067 /* Hook functions begin here. */
2069 static int selinux_binder_set_context_mgr(struct task_struct
*mgr
)
2071 u32 mysid
= current_sid();
2072 u32 mgrsid
= task_sid(mgr
);
2074 return avc_has_perm(mysid
, mgrsid
, SECCLASS_BINDER
,
2075 BINDER__SET_CONTEXT_MGR
, NULL
);
2078 static int selinux_binder_transaction(struct task_struct
*from
,
2079 struct task_struct
*to
)
2081 u32 mysid
= current_sid();
2082 u32 fromsid
= task_sid(from
);
2083 u32 tosid
= task_sid(to
);
2086 if (mysid
!= fromsid
) {
2087 rc
= avc_has_perm(mysid
, fromsid
, SECCLASS_BINDER
,
2088 BINDER__IMPERSONATE
, NULL
);
2093 return avc_has_perm(fromsid
, tosid
, SECCLASS_BINDER
, BINDER__CALL
,
2097 static int selinux_binder_transfer_binder(struct task_struct
*from
,
2098 struct task_struct
*to
)
2100 u32 fromsid
= task_sid(from
);
2101 u32 tosid
= task_sid(to
);
2103 return avc_has_perm(fromsid
, tosid
, SECCLASS_BINDER
, BINDER__TRANSFER
,
2107 static int selinux_binder_transfer_file(struct task_struct
*from
,
2108 struct task_struct
*to
,
2111 u32 sid
= task_sid(to
);
2112 struct file_security_struct
*fsec
= file
->f_security
;
2113 struct dentry
*dentry
= file
->f_path
.dentry
;
2114 struct inode_security_struct
*isec
;
2115 struct common_audit_data ad
;
2118 ad
.type
= LSM_AUDIT_DATA_PATH
;
2119 ad
.u
.path
= file
->f_path
;
2121 if (sid
!= fsec
->sid
) {
2122 rc
= avc_has_perm(sid
, fsec
->sid
,
2130 if (unlikely(IS_PRIVATE(d_backing_inode(dentry
))))
2133 isec
= backing_inode_security(dentry
);
2134 return avc_has_perm(sid
, isec
->sid
, isec
->sclass
, file_to_av(file
),
2138 static int selinux_ptrace_access_check(struct task_struct
*child
,
2141 u32 sid
= current_sid();
2142 u32 csid
= task_sid(child
);
2144 if (mode
& PTRACE_MODE_READ
)
2145 return avc_has_perm(sid
, csid
, SECCLASS_FILE
, FILE__READ
, NULL
);
2147 return avc_has_perm(sid
, csid
, SECCLASS_PROCESS
, PROCESS__PTRACE
, NULL
);
2150 static int selinux_ptrace_traceme(struct task_struct
*parent
)
2152 return avc_has_perm(task_sid(parent
), current_sid(), SECCLASS_PROCESS
,
2153 PROCESS__PTRACE
, NULL
);
2156 static int selinux_capget(struct task_struct
*target
, kernel_cap_t
*effective
,
2157 kernel_cap_t
*inheritable
, kernel_cap_t
*permitted
)
2159 return avc_has_perm(current_sid(), task_sid(target
), SECCLASS_PROCESS
,
2160 PROCESS__GETCAP
, NULL
);
2163 static int selinux_capset(struct cred
*new, const struct cred
*old
,
2164 const kernel_cap_t
*effective
,
2165 const kernel_cap_t
*inheritable
,
2166 const kernel_cap_t
*permitted
)
2168 return avc_has_perm(cred_sid(old
), cred_sid(new), SECCLASS_PROCESS
,
2169 PROCESS__SETCAP
, NULL
);
2173 * (This comment used to live with the selinux_task_setuid hook,
2174 * which was removed).
2176 * Since setuid only affects the current process, and since the SELinux
2177 * controls are not based on the Linux identity attributes, SELinux does not
2178 * need to control this operation. However, SELinux does control the use of
2179 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2182 static int selinux_capable(const struct cred
*cred
, struct user_namespace
*ns
,
2185 return cred_has_capability(cred
, cap
, audit
, ns
== &init_user_ns
);
2188 static int selinux_quotactl(int cmds
, int type
, int id
, struct super_block
*sb
)
2190 const struct cred
*cred
= current_cred();
2202 rc
= superblock_has_perm(cred
, sb
, FILESYSTEM__QUOTAMOD
, NULL
);
2207 rc
= superblock_has_perm(cred
, sb
, FILESYSTEM__QUOTAGET
, NULL
);
2210 rc
= 0; /* let the kernel handle invalid cmds */
2216 static int selinux_quota_on(struct dentry
*dentry
)
2218 const struct cred
*cred
= current_cred();
2220 return dentry_has_perm(cred
, dentry
, FILE__QUOTAON
);
2223 static int selinux_syslog(int type
)
2226 case SYSLOG_ACTION_READ_ALL
: /* Read last kernel messages */
2227 case SYSLOG_ACTION_SIZE_BUFFER
: /* Return size of the log buffer */
2228 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
2229 SECCLASS_SYSTEM
, SYSTEM__SYSLOG_READ
, NULL
);
2230 case SYSLOG_ACTION_CONSOLE_OFF
: /* Disable logging to console */
2231 case SYSLOG_ACTION_CONSOLE_ON
: /* Enable logging to console */
2232 /* Set level of messages printed to console */
2233 case SYSLOG_ACTION_CONSOLE_LEVEL
:
2234 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
2235 SECCLASS_SYSTEM
, SYSTEM__SYSLOG_CONSOLE
,
2238 /* All other syslog types */
2239 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
2240 SECCLASS_SYSTEM
, SYSTEM__SYSLOG_MOD
, NULL
);
2244 * Check that a process has enough memory to allocate a new virtual
2245 * mapping. 0 means there is enough memory for the allocation to
2246 * succeed and -ENOMEM implies there is not.
2248 * Do not audit the selinux permission check, as this is applied to all
2249 * processes that allocate mappings.
2251 static int selinux_vm_enough_memory(struct mm_struct
*mm
, long pages
)
2253 int rc
, cap_sys_admin
= 0;
2255 rc
= cred_has_capability(current_cred(), CAP_SYS_ADMIN
,
2256 SECURITY_CAP_NOAUDIT
, true);
2260 return cap_sys_admin
;
2263 /* binprm security operations */
2265 static u32
ptrace_parent_sid(void)
2268 struct task_struct
*tracer
;
2271 tracer
= ptrace_parent(current
);
2273 sid
= task_sid(tracer
);
2279 static int check_nnp_nosuid(const struct linux_binprm
*bprm
,
2280 const struct task_security_struct
*old_tsec
,
2281 const struct task_security_struct
*new_tsec
)
2283 int nnp
= (bprm
->unsafe
& LSM_UNSAFE_NO_NEW_PRIVS
);
2284 int nosuid
= !mnt_may_suid(bprm
->file
->f_path
.mnt
);
2287 if (!nnp
&& !nosuid
)
2288 return 0; /* neither NNP nor nosuid */
2290 if (new_tsec
->sid
== old_tsec
->sid
)
2291 return 0; /* No change in credentials */
2294 * The only transitions we permit under NNP or nosuid
2295 * are transitions to bounded SIDs, i.e. SIDs that are
2296 * guaranteed to only be allowed a subset of the permissions
2297 * of the current SID.
2299 rc
= security_bounded_transition(old_tsec
->sid
, new_tsec
->sid
);
2302 * On failure, preserve the errno values for NNP vs nosuid.
2303 * NNP: Operation not permitted for caller.
2304 * nosuid: Permission denied to file.
2314 static int selinux_bprm_set_creds(struct linux_binprm
*bprm
)
2316 const struct task_security_struct
*old_tsec
;
2317 struct task_security_struct
*new_tsec
;
2318 struct inode_security_struct
*isec
;
2319 struct common_audit_data ad
;
2320 struct inode
*inode
= file_inode(bprm
->file
);
2323 /* SELinux context only depends on initial program or script and not
2324 * the script interpreter */
2325 if (bprm
->cred_prepared
)
2328 old_tsec
= current_security();
2329 new_tsec
= bprm
->cred
->security
;
2330 isec
= inode_security(inode
);
2332 /* Default to the current task SID. */
2333 new_tsec
->sid
= old_tsec
->sid
;
2334 new_tsec
->osid
= old_tsec
->sid
;
2336 /* Reset fs, key, and sock SIDs on execve. */
2337 new_tsec
->create_sid
= 0;
2338 new_tsec
->keycreate_sid
= 0;
2339 new_tsec
->sockcreate_sid
= 0;
2341 if (old_tsec
->exec_sid
) {
2342 new_tsec
->sid
= old_tsec
->exec_sid
;
2343 /* Reset exec SID on execve. */
2344 new_tsec
->exec_sid
= 0;
2346 /* Fail on NNP or nosuid if not an allowed transition. */
2347 rc
= check_nnp_nosuid(bprm
, old_tsec
, new_tsec
);
2351 /* Check for a default transition on this program. */
2352 rc
= security_transition_sid(old_tsec
->sid
, isec
->sid
,
2353 SECCLASS_PROCESS
, NULL
,
2359 * Fallback to old SID on NNP or nosuid if not an allowed
2362 rc
= check_nnp_nosuid(bprm
, old_tsec
, new_tsec
);
2364 new_tsec
->sid
= old_tsec
->sid
;
2367 ad
.type
= LSM_AUDIT_DATA_FILE
;
2368 ad
.u
.file
= bprm
->file
;
2370 if (new_tsec
->sid
== old_tsec
->sid
) {
2371 rc
= avc_has_perm(old_tsec
->sid
, isec
->sid
,
2372 SECCLASS_FILE
, FILE__EXECUTE_NO_TRANS
, &ad
);
2376 /* Check permissions for the transition. */
2377 rc
= avc_has_perm(old_tsec
->sid
, new_tsec
->sid
,
2378 SECCLASS_PROCESS
, PROCESS__TRANSITION
, &ad
);
2382 rc
= avc_has_perm(new_tsec
->sid
, isec
->sid
,
2383 SECCLASS_FILE
, FILE__ENTRYPOINT
, &ad
);
2387 /* Check for shared state */
2388 if (bprm
->unsafe
& LSM_UNSAFE_SHARE
) {
2389 rc
= avc_has_perm(old_tsec
->sid
, new_tsec
->sid
,
2390 SECCLASS_PROCESS
, PROCESS__SHARE
,
2396 /* Make sure that anyone attempting to ptrace over a task that
2397 * changes its SID has the appropriate permit */
2398 if (bprm
->unsafe
& LSM_UNSAFE_PTRACE
) {
2399 u32 ptsid
= ptrace_parent_sid();
2401 rc
= avc_has_perm(ptsid
, new_tsec
->sid
,
2403 PROCESS__PTRACE
, NULL
);
2409 /* Clear any possibly unsafe personality bits on exec: */
2410 bprm
->per_clear
|= PER_CLEAR_ON_SETID
;
2416 static int selinux_bprm_secureexec(struct linux_binprm
*bprm
)
2418 const struct task_security_struct
*tsec
= current_security();
2426 /* Enable secure mode for SIDs transitions unless
2427 the noatsecure permission is granted between
2428 the two SIDs, i.e. ahp returns 0. */
2429 atsecure
= avc_has_perm(osid
, sid
,
2431 PROCESS__NOATSECURE
, NULL
);
2437 static int match_file(const void *p
, struct file
*file
, unsigned fd
)
2439 return file_has_perm(p
, file
, file_to_av(file
)) ? fd
+ 1 : 0;
2442 /* Derived from fs/exec.c:flush_old_files. */
2443 static inline void flush_unauthorized_files(const struct cred
*cred
,
2444 struct files_struct
*files
)
2446 struct file
*file
, *devnull
= NULL
;
2447 struct tty_struct
*tty
;
2451 tty
= get_current_tty();
2453 spin_lock(&tty
->files_lock
);
2454 if (!list_empty(&tty
->tty_files
)) {
2455 struct tty_file_private
*file_priv
;
2457 /* Revalidate access to controlling tty.
2458 Use file_path_has_perm on the tty path directly
2459 rather than using file_has_perm, as this particular
2460 open file may belong to another process and we are
2461 only interested in the inode-based check here. */
2462 file_priv
= list_first_entry(&tty
->tty_files
,
2463 struct tty_file_private
, list
);
2464 file
= file_priv
->file
;
2465 if (file_path_has_perm(cred
, file
, FILE__READ
| FILE__WRITE
))
2468 spin_unlock(&tty
->files_lock
);
2471 /* Reset controlling tty. */
2475 /* Revalidate access to inherited open files. */
2476 n
= iterate_fd(files
, 0, match_file
, cred
);
2477 if (!n
) /* none found? */
2480 devnull
= dentry_open(&selinux_null
, O_RDWR
, cred
);
2481 if (IS_ERR(devnull
))
2483 /* replace all the matching ones with this */
2485 replace_fd(n
- 1, devnull
, 0);
2486 } while ((n
= iterate_fd(files
, n
, match_file
, cred
)) != 0);
2492 * Prepare a process for imminent new credential changes due to exec
2494 static void selinux_bprm_committing_creds(struct linux_binprm
*bprm
)
2496 struct task_security_struct
*new_tsec
;
2497 struct rlimit
*rlim
, *initrlim
;
2500 new_tsec
= bprm
->cred
->security
;
2501 if (new_tsec
->sid
== new_tsec
->osid
)
2504 /* Close files for which the new task SID is not authorized. */
2505 flush_unauthorized_files(bprm
->cred
, current
->files
);
2507 /* Always clear parent death signal on SID transitions. */
2508 current
->pdeath_signal
= 0;
2510 /* Check whether the new SID can inherit resource limits from the old
2511 * SID. If not, reset all soft limits to the lower of the current
2512 * task's hard limit and the init task's soft limit.
2514 * Note that the setting of hard limits (even to lower them) can be
2515 * controlled by the setrlimit check. The inclusion of the init task's
2516 * soft limit into the computation is to avoid resetting soft limits
2517 * higher than the default soft limit for cases where the default is
2518 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2520 rc
= avc_has_perm(new_tsec
->osid
, new_tsec
->sid
, SECCLASS_PROCESS
,
2521 PROCESS__RLIMITINH
, NULL
);
2523 /* protect against do_prlimit() */
2525 for (i
= 0; i
< RLIM_NLIMITS
; i
++) {
2526 rlim
= current
->signal
->rlim
+ i
;
2527 initrlim
= init_task
.signal
->rlim
+ i
;
2528 rlim
->rlim_cur
= min(rlim
->rlim_max
, initrlim
->rlim_cur
);
2530 task_unlock(current
);
2531 if (IS_ENABLED(CONFIG_POSIX_TIMERS
))
2532 update_rlimit_cpu(current
, rlimit(RLIMIT_CPU
));
2537 * Clean up the process immediately after the installation of new credentials
2540 static void selinux_bprm_committed_creds(struct linux_binprm
*bprm
)
2542 const struct task_security_struct
*tsec
= current_security();
2543 struct itimerval itimer
;
2553 /* Check whether the new SID can inherit signal state from the old SID.
2554 * If not, clear itimers to avoid subsequent signal generation and
2555 * flush and unblock signals.
2557 * This must occur _after_ the task SID has been updated so that any
2558 * kill done after the flush will be checked against the new SID.
2560 rc
= avc_has_perm(osid
, sid
, SECCLASS_PROCESS
, PROCESS__SIGINH
, NULL
);
2562 if (IS_ENABLED(CONFIG_POSIX_TIMERS
)) {
2563 memset(&itimer
, 0, sizeof itimer
);
2564 for (i
= 0; i
< 3; i
++)
2565 do_setitimer(i
, &itimer
, NULL
);
2567 spin_lock_irq(¤t
->sighand
->siglock
);
2568 if (!fatal_signal_pending(current
)) {
2569 flush_sigqueue(¤t
->pending
);
2570 flush_sigqueue(¤t
->signal
->shared_pending
);
2571 flush_signal_handlers(current
, 1);
2572 sigemptyset(¤t
->blocked
);
2573 recalc_sigpending();
2575 spin_unlock_irq(¤t
->sighand
->siglock
);
2578 /* Wake up the parent if it is waiting so that it can recheck
2579 * wait permission to the new task SID. */
2580 read_lock(&tasklist_lock
);
2581 __wake_up_parent(current
, current
->real_parent
);
2582 read_unlock(&tasklist_lock
);
2585 /* superblock security operations */
2587 static int selinux_sb_alloc_security(struct super_block
*sb
)
2589 return superblock_alloc_security(sb
);
2592 static void selinux_sb_free_security(struct super_block
*sb
)
2594 superblock_free_security(sb
);
2597 static inline int match_prefix(char *prefix
, int plen
, char *option
, int olen
)
2602 return !memcmp(prefix
, option
, plen
);
2605 static inline int selinux_option(char *option
, int len
)
2607 return (match_prefix(CONTEXT_STR
, sizeof(CONTEXT_STR
)-1, option
, len
) ||
2608 match_prefix(FSCONTEXT_STR
, sizeof(FSCONTEXT_STR
)-1, option
, len
) ||
2609 match_prefix(DEFCONTEXT_STR
, sizeof(DEFCONTEXT_STR
)-1, option
, len
) ||
2610 match_prefix(ROOTCONTEXT_STR
, sizeof(ROOTCONTEXT_STR
)-1, option
, len
) ||
2611 match_prefix(LABELSUPP_STR
, sizeof(LABELSUPP_STR
)-1, option
, len
));
2614 static inline void take_option(char **to
, char *from
, int *first
, int len
)
2621 memcpy(*to
, from
, len
);
2625 static inline void take_selinux_option(char **to
, char *from
, int *first
,
2628 int current_size
= 0;
2636 while (current_size
< len
) {
2646 static int selinux_sb_copy_data(char *orig
, char *copy
)
2648 int fnosec
, fsec
, rc
= 0;
2649 char *in_save
, *in_curr
, *in_end
;
2650 char *sec_curr
, *nosec_save
, *nosec
;
2656 nosec
= (char *)get_zeroed_page(GFP_KERNEL
);
2664 in_save
= in_end
= orig
;
2668 open_quote
= !open_quote
;
2669 if ((*in_end
== ',' && open_quote
== 0) ||
2671 int len
= in_end
- in_curr
;
2673 if (selinux_option(in_curr
, len
))
2674 take_selinux_option(&sec_curr
, in_curr
, &fsec
, len
);
2676 take_option(&nosec
, in_curr
, &fnosec
, len
);
2678 in_curr
= in_end
+ 1;
2680 } while (*in_end
++);
2682 strcpy(in_save
, nosec_save
);
2683 free_page((unsigned long)nosec_save
);
2688 static int selinux_sb_remount(struct super_block
*sb
, void *data
)
2691 struct security_mnt_opts opts
;
2692 char *secdata
, **mount_options
;
2693 struct superblock_security_struct
*sbsec
= sb
->s_security
;
2695 if (!(sbsec
->flags
& SE_SBINITIALIZED
))
2701 if (sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
)
2704 security_init_mnt_opts(&opts
);
2705 secdata
= alloc_secdata();
2708 rc
= selinux_sb_copy_data(data
, secdata
);
2710 goto out_free_secdata
;
2712 rc
= selinux_parse_opts_str(secdata
, &opts
);
2714 goto out_free_secdata
;
2716 mount_options
= opts
.mnt_opts
;
2717 flags
= opts
.mnt_opts_flags
;
2719 for (i
= 0; i
< opts
.num_mnt_opts
; i
++) {
2722 if (flags
[i
] == SBLABEL_MNT
)
2724 rc
= security_context_str_to_sid(mount_options
[i
], &sid
, GFP_KERNEL
);
2726 printk(KERN_WARNING
"SELinux: security_context_str_to_sid"
2727 "(%s) failed for (dev %s, type %s) errno=%d\n",
2728 mount_options
[i
], sb
->s_id
, sb
->s_type
->name
, rc
);
2734 if (bad_option(sbsec
, FSCONTEXT_MNT
, sbsec
->sid
, sid
))
2735 goto out_bad_option
;
2738 if (bad_option(sbsec
, CONTEXT_MNT
, sbsec
->mntpoint_sid
, sid
))
2739 goto out_bad_option
;
2741 case ROOTCONTEXT_MNT
: {
2742 struct inode_security_struct
*root_isec
;
2743 root_isec
= backing_inode_security(sb
->s_root
);
2745 if (bad_option(sbsec
, ROOTCONTEXT_MNT
, root_isec
->sid
, sid
))
2746 goto out_bad_option
;
2749 case DEFCONTEXT_MNT
:
2750 if (bad_option(sbsec
, DEFCONTEXT_MNT
, sbsec
->def_sid
, sid
))
2751 goto out_bad_option
;
2760 security_free_mnt_opts(&opts
);
2762 free_secdata(secdata
);
2765 printk(KERN_WARNING
"SELinux: unable to change security options "
2766 "during remount (dev %s, type=%s)\n", sb
->s_id
,
2771 static int selinux_sb_kern_mount(struct super_block
*sb
, int flags
, void *data
)
2773 const struct cred
*cred
= current_cred();
2774 struct common_audit_data ad
;
2777 rc
= superblock_doinit(sb
, data
);
2781 /* Allow all mounts performed by the kernel */
2782 if (flags
& MS_KERNMOUNT
)
2785 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
2786 ad
.u
.dentry
= sb
->s_root
;
2787 return superblock_has_perm(cred
, sb
, FILESYSTEM__MOUNT
, &ad
);
2790 static int selinux_sb_statfs(struct dentry
*dentry
)
2792 const struct cred
*cred
= current_cred();
2793 struct common_audit_data ad
;
2795 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
2796 ad
.u
.dentry
= dentry
->d_sb
->s_root
;
2797 return superblock_has_perm(cred
, dentry
->d_sb
, FILESYSTEM__GETATTR
, &ad
);
2800 static int selinux_mount(const char *dev_name
,
2801 const struct path
*path
,
2803 unsigned long flags
,
2806 const struct cred
*cred
= current_cred();
2808 if (flags
& MS_REMOUNT
)
2809 return superblock_has_perm(cred
, path
->dentry
->d_sb
,
2810 FILESYSTEM__REMOUNT
, NULL
);
2812 return path_has_perm(cred
, path
, FILE__MOUNTON
);
2815 static int selinux_umount(struct vfsmount
*mnt
, int flags
)
2817 const struct cred
*cred
= current_cred();
2819 return superblock_has_perm(cred
, mnt
->mnt_sb
,
2820 FILESYSTEM__UNMOUNT
, NULL
);
2823 /* inode security operations */
2825 static int selinux_inode_alloc_security(struct inode
*inode
)
2827 return inode_alloc_security(inode
);
2830 static void selinux_inode_free_security(struct inode
*inode
)
2832 inode_free_security(inode
);
2835 static int selinux_dentry_init_security(struct dentry
*dentry
, int mode
,
2836 const struct qstr
*name
, void **ctx
,
2842 rc
= selinux_determine_inode_label(current_security(),
2843 d_inode(dentry
->d_parent
), name
,
2844 inode_mode_to_security_class(mode
),
2849 return security_sid_to_context(newsid
, (char **)ctx
, ctxlen
);
2852 static int selinux_dentry_create_files_as(struct dentry
*dentry
, int mode
,
2854 const struct cred
*old
,
2859 struct task_security_struct
*tsec
;
2861 rc
= selinux_determine_inode_label(old
->security
,
2862 d_inode(dentry
->d_parent
), name
,
2863 inode_mode_to_security_class(mode
),
2868 tsec
= new->security
;
2869 tsec
->create_sid
= newsid
;
2873 static int selinux_inode_init_security(struct inode
*inode
, struct inode
*dir
,
2874 const struct qstr
*qstr
,
2876 void **value
, size_t *len
)
2878 const struct task_security_struct
*tsec
= current_security();
2879 struct superblock_security_struct
*sbsec
;
2880 u32 sid
, newsid
, clen
;
2884 sbsec
= dir
->i_sb
->s_security
;
2887 newsid
= tsec
->create_sid
;
2889 rc
= selinux_determine_inode_label(current_security(),
2891 inode_mode_to_security_class(inode
->i_mode
),
2896 /* Possibly defer initialization to selinux_complete_init. */
2897 if (sbsec
->flags
& SE_SBINITIALIZED
) {
2898 struct inode_security_struct
*isec
= inode
->i_security
;
2899 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
2901 isec
->initialized
= LABEL_INITIALIZED
;
2904 if (!ss_initialized
|| !(sbsec
->flags
& SBLABEL_MNT
))
2908 *name
= XATTR_SELINUX_SUFFIX
;
2911 rc
= security_sid_to_context_force(newsid
, &context
, &clen
);
2921 static int selinux_inode_create(struct inode
*dir
, struct dentry
*dentry
, umode_t mode
)
2923 return may_create(dir
, dentry
, SECCLASS_FILE
);
2926 static int selinux_inode_link(struct dentry
*old_dentry
, struct inode
*dir
, struct dentry
*new_dentry
)
2928 return may_link(dir
, old_dentry
, MAY_LINK
);
2931 static int selinux_inode_unlink(struct inode
*dir
, struct dentry
*dentry
)
2933 return may_link(dir
, dentry
, MAY_UNLINK
);
2936 static int selinux_inode_symlink(struct inode
*dir
, struct dentry
*dentry
, const char *name
)
2938 return may_create(dir
, dentry
, SECCLASS_LNK_FILE
);
2941 static int selinux_inode_mkdir(struct inode
*dir
, struct dentry
*dentry
, umode_t mask
)
2943 return may_create(dir
, dentry
, SECCLASS_DIR
);
2946 static int selinux_inode_rmdir(struct inode
*dir
, struct dentry
*dentry
)
2948 return may_link(dir
, dentry
, MAY_RMDIR
);
2951 static int selinux_inode_mknod(struct inode
*dir
, struct dentry
*dentry
, umode_t mode
, dev_t dev
)
2953 return may_create(dir
, dentry
, inode_mode_to_security_class(mode
));
2956 static int selinux_inode_rename(struct inode
*old_inode
, struct dentry
*old_dentry
,
2957 struct inode
*new_inode
, struct dentry
*new_dentry
)
2959 return may_rename(old_inode
, old_dentry
, new_inode
, new_dentry
);
2962 static int selinux_inode_readlink(struct dentry
*dentry
)
2964 const struct cred
*cred
= current_cred();
2966 return dentry_has_perm(cred
, dentry
, FILE__READ
);
2969 static int selinux_inode_follow_link(struct dentry
*dentry
, struct inode
*inode
,
2972 const struct cred
*cred
= current_cred();
2973 struct common_audit_data ad
;
2974 struct inode_security_struct
*isec
;
2977 validate_creds(cred
);
2979 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
2980 ad
.u
.dentry
= dentry
;
2981 sid
= cred_sid(cred
);
2982 isec
= inode_security_rcu(inode
, rcu
);
2984 return PTR_ERR(isec
);
2986 return avc_has_perm_flags(sid
, isec
->sid
, isec
->sclass
, FILE__READ
, &ad
,
2987 rcu
? MAY_NOT_BLOCK
: 0);
2990 static noinline
int audit_inode_permission(struct inode
*inode
,
2991 u32 perms
, u32 audited
, u32 denied
,
2995 struct common_audit_data ad
;
2996 struct inode_security_struct
*isec
= inode
->i_security
;
2999 ad
.type
= LSM_AUDIT_DATA_INODE
;
3002 rc
= slow_avc_audit(current_sid(), isec
->sid
, isec
->sclass
, perms
,
3003 audited
, denied
, result
, &ad
, flags
);
3009 static int selinux_inode_permission(struct inode
*inode
, int mask
)
3011 const struct cred
*cred
= current_cred();
3014 unsigned flags
= mask
& MAY_NOT_BLOCK
;
3015 struct inode_security_struct
*isec
;
3017 struct av_decision avd
;
3019 u32 audited
, denied
;
3021 from_access
= mask
& MAY_ACCESS
;
3022 mask
&= (MAY_READ
|MAY_WRITE
|MAY_EXEC
|MAY_APPEND
);
3024 /* No permission to check. Existence test. */
3028 validate_creds(cred
);
3030 if (unlikely(IS_PRIVATE(inode
)))
3033 perms
= file_mask_to_av(inode
->i_mode
, mask
);
3035 sid
= cred_sid(cred
);
3036 isec
= inode_security_rcu(inode
, flags
& MAY_NOT_BLOCK
);
3038 return PTR_ERR(isec
);
3040 rc
= avc_has_perm_noaudit(sid
, isec
->sid
, isec
->sclass
, perms
, 0, &avd
);
3041 audited
= avc_audit_required(perms
, &avd
, rc
,
3042 from_access
? FILE__AUDIT_ACCESS
: 0,
3044 if (likely(!audited
))
3047 rc2
= audit_inode_permission(inode
, perms
, audited
, denied
, rc
, flags
);
3053 static int selinux_inode_setattr(struct dentry
*dentry
, struct iattr
*iattr
)
3055 const struct cred
*cred
= current_cred();
3056 struct inode
*inode
= d_backing_inode(dentry
);
3057 unsigned int ia_valid
= iattr
->ia_valid
;
3058 __u32 av
= FILE__WRITE
;
3060 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3061 if (ia_valid
& ATTR_FORCE
) {
3062 ia_valid
&= ~(ATTR_KILL_SUID
| ATTR_KILL_SGID
| ATTR_MODE
|
3068 if (ia_valid
& (ATTR_MODE
| ATTR_UID
| ATTR_GID
|
3069 ATTR_ATIME_SET
| ATTR_MTIME_SET
| ATTR_TIMES_SET
))
3070 return dentry_has_perm(cred
, dentry
, FILE__SETATTR
);
3072 if (selinux_policycap_openperm
&&
3073 inode
->i_sb
->s_magic
!= SOCKFS_MAGIC
&&
3074 (ia_valid
& ATTR_SIZE
) &&
3075 !(ia_valid
& ATTR_FILE
))
3078 return dentry_has_perm(cred
, dentry
, av
);
3081 static int selinux_inode_getattr(const struct path
*path
)
3083 return path_has_perm(current_cred(), path
, FILE__GETATTR
);
3086 static int selinux_inode_setotherxattr(struct dentry
*dentry
, const char *name
)
3088 const struct cred
*cred
= current_cred();
3090 if (!strncmp(name
, XATTR_SECURITY_PREFIX
,
3091 sizeof XATTR_SECURITY_PREFIX
- 1)) {
3092 if (!strcmp(name
, XATTR_NAME_CAPS
)) {
3093 if (!capable(CAP_SETFCAP
))
3095 } else if (!capable(CAP_SYS_ADMIN
)) {
3096 /* A different attribute in the security namespace.
3097 Restrict to administrator. */
3102 /* Not an attribute we recognize, so just check the
3103 ordinary setattr permission. */
3104 return dentry_has_perm(cred
, dentry
, FILE__SETATTR
);
3107 static bool has_cap_mac_admin(bool audit
)
3109 const struct cred
*cred
= current_cred();
3110 int cap_audit
= audit
? SECURITY_CAP_AUDIT
: SECURITY_CAP_NOAUDIT
;
3112 if (cap_capable(cred
, &init_user_ns
, CAP_MAC_ADMIN
, cap_audit
))
3114 if (cred_has_capability(cred
, CAP_MAC_ADMIN
, cap_audit
, true))
3119 static int selinux_inode_setxattr(struct dentry
*dentry
, const char *name
,
3120 const void *value
, size_t size
, int flags
)
3122 struct inode
*inode
= d_backing_inode(dentry
);
3123 struct inode_security_struct
*isec
;
3124 struct superblock_security_struct
*sbsec
;
3125 struct common_audit_data ad
;
3126 u32 newsid
, sid
= current_sid();
3129 if (strcmp(name
, XATTR_NAME_SELINUX
))
3130 return selinux_inode_setotherxattr(dentry
, name
);
3132 sbsec
= inode
->i_sb
->s_security
;
3133 if (!(sbsec
->flags
& SBLABEL_MNT
))
3136 if (!inode_owner_or_capable(inode
))
3139 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
3140 ad
.u
.dentry
= dentry
;
3142 isec
= backing_inode_security(dentry
);
3143 rc
= avc_has_perm(sid
, isec
->sid
, isec
->sclass
,
3144 FILE__RELABELFROM
, &ad
);
3148 rc
= security_context_to_sid(value
, size
, &newsid
, GFP_KERNEL
);
3149 if (rc
== -EINVAL
) {
3150 if (!has_cap_mac_admin(true)) {
3151 struct audit_buffer
*ab
;
3155 /* We strip a nul only if it is at the end, otherwise the
3156 * context contains a nul and we should audit that */
3159 if (str
[size
- 1] == '\0')
3160 audit_size
= size
- 1;
3167 ab
= audit_log_start(current
->audit_context
, GFP_ATOMIC
, AUDIT_SELINUX_ERR
);
3168 audit_log_format(ab
, "op=setxattr invalid_context=");
3169 audit_log_n_untrustedstring(ab
, value
, audit_size
);
3174 rc
= security_context_to_sid_force(value
, size
, &newsid
);
3179 rc
= avc_has_perm(sid
, newsid
, isec
->sclass
,
3180 FILE__RELABELTO
, &ad
);
3184 rc
= security_validate_transition(isec
->sid
, newsid
, sid
,
3189 return avc_has_perm(newsid
,
3191 SECCLASS_FILESYSTEM
,
3192 FILESYSTEM__ASSOCIATE
,
3196 static void selinux_inode_post_setxattr(struct dentry
*dentry
, const char *name
,
3197 const void *value
, size_t size
,
3200 struct inode
*inode
= d_backing_inode(dentry
);
3201 struct inode_security_struct
*isec
;
3205 if (strcmp(name
, XATTR_NAME_SELINUX
)) {
3206 /* Not an attribute we recognize, so nothing to do. */
3210 rc
= security_context_to_sid_force(value
, size
, &newsid
);
3212 printk(KERN_ERR
"SELinux: unable to map context to SID"
3213 "for (%s, %lu), rc=%d\n",
3214 inode
->i_sb
->s_id
, inode
->i_ino
, -rc
);
3218 isec
= backing_inode_security(dentry
);
3219 spin_lock(&isec
->lock
);
3220 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
3222 isec
->initialized
= LABEL_INITIALIZED
;
3223 spin_unlock(&isec
->lock
);
3228 static int selinux_inode_getxattr(struct dentry
*dentry
, const char *name
)
3230 const struct cred
*cred
= current_cred();
3232 return dentry_has_perm(cred
, dentry
, FILE__GETATTR
);
3235 static int selinux_inode_listxattr(struct dentry
*dentry
)
3237 const struct cred
*cred
= current_cred();
3239 return dentry_has_perm(cred
, dentry
, FILE__GETATTR
);
3242 static int selinux_inode_removexattr(struct dentry
*dentry
, const char *name
)
3244 if (strcmp(name
, XATTR_NAME_SELINUX
))
3245 return selinux_inode_setotherxattr(dentry
, name
);
3247 /* No one is allowed to remove a SELinux security label.
3248 You can change the label, but all data must be labeled. */
3253 * Copy the inode security context value to the user.
3255 * Permission check is handled by selinux_inode_getxattr hook.
3257 static int selinux_inode_getsecurity(struct inode
*inode
, const char *name
, void **buffer
, bool alloc
)
3261 char *context
= NULL
;
3262 struct inode_security_struct
*isec
;
3264 if (strcmp(name
, XATTR_SELINUX_SUFFIX
))
3268 * If the caller has CAP_MAC_ADMIN, then get the raw context
3269 * value even if it is not defined by current policy; otherwise,
3270 * use the in-core value under current policy.
3271 * Use the non-auditing forms of the permission checks since
3272 * getxattr may be called by unprivileged processes commonly
3273 * and lack of permission just means that we fall back to the
3274 * in-core context value, not a denial.
3276 isec
= inode_security(inode
);
3277 if (has_cap_mac_admin(false))
3278 error
= security_sid_to_context_force(isec
->sid
, &context
,
3281 error
= security_sid_to_context(isec
->sid
, &context
, &size
);
3294 static int selinux_inode_setsecurity(struct inode
*inode
, const char *name
,
3295 const void *value
, size_t size
, int flags
)
3297 struct inode_security_struct
*isec
= inode_security_novalidate(inode
);
3301 if (strcmp(name
, XATTR_SELINUX_SUFFIX
))
3304 if (!value
|| !size
)
3307 rc
= security_context_to_sid(value
, size
, &newsid
, GFP_KERNEL
);
3311 spin_lock(&isec
->lock
);
3312 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
3314 isec
->initialized
= LABEL_INITIALIZED
;
3315 spin_unlock(&isec
->lock
);
3319 static int selinux_inode_listsecurity(struct inode
*inode
, char *buffer
, size_t buffer_size
)
3321 const int len
= sizeof(XATTR_NAME_SELINUX
);
3322 if (buffer
&& len
<= buffer_size
)
3323 memcpy(buffer
, XATTR_NAME_SELINUX
, len
);
3327 static void selinux_inode_getsecid(struct inode
*inode
, u32
*secid
)
3329 struct inode_security_struct
*isec
= inode_security_novalidate(inode
);
3333 static int selinux_inode_copy_up(struct dentry
*src
, struct cred
**new)
3336 struct task_security_struct
*tsec
;
3337 struct cred
*new_creds
= *new;
3339 if (new_creds
== NULL
) {
3340 new_creds
= prepare_creds();
3345 tsec
= new_creds
->security
;
3346 /* Get label from overlay inode and set it in create_sid */
3347 selinux_inode_getsecid(d_inode(src
), &sid
);
3348 tsec
->create_sid
= sid
;
3353 static int selinux_inode_copy_up_xattr(const char *name
)
3355 /* The copy_up hook above sets the initial context on an inode, but we
3356 * don't then want to overwrite it by blindly copying all the lower
3357 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3359 if (strcmp(name
, XATTR_NAME_SELINUX
) == 0)
3360 return 1; /* Discard */
3362 * Any other attribute apart from SELINUX is not claimed, supported
3368 /* file security operations */
3370 static int selinux_revalidate_file_permission(struct file
*file
, int mask
)
3372 const struct cred
*cred
= current_cred();
3373 struct inode
*inode
= file_inode(file
);
3375 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3376 if ((file
->f_flags
& O_APPEND
) && (mask
& MAY_WRITE
))
3379 return file_has_perm(cred
, file
,
3380 file_mask_to_av(inode
->i_mode
, mask
));
3383 static int selinux_file_permission(struct file
*file
, int mask
)
3385 struct inode
*inode
= file_inode(file
);
3386 struct file_security_struct
*fsec
= file
->f_security
;
3387 struct inode_security_struct
*isec
;
3388 u32 sid
= current_sid();
3391 /* No permission to check. Existence test. */
3394 isec
= inode_security(inode
);
3395 if (sid
== fsec
->sid
&& fsec
->isid
== isec
->sid
&&
3396 fsec
->pseqno
== avc_policy_seqno())
3397 /* No change since file_open check. */
3400 return selinux_revalidate_file_permission(file
, mask
);
3403 static int selinux_file_alloc_security(struct file
*file
)
3405 return file_alloc_security(file
);
3408 static void selinux_file_free_security(struct file
*file
)
3410 file_free_security(file
);
3414 * Check whether a task has the ioctl permission and cmd
3415 * operation to an inode.
3417 static int ioctl_has_perm(const struct cred
*cred
, struct file
*file
,
3418 u32 requested
, u16 cmd
)
3420 struct common_audit_data ad
;
3421 struct file_security_struct
*fsec
= file
->f_security
;
3422 struct inode
*inode
= file_inode(file
);
3423 struct inode_security_struct
*isec
;
3424 struct lsm_ioctlop_audit ioctl
;
3425 u32 ssid
= cred_sid(cred
);
3427 u8 driver
= cmd
>> 8;
3428 u8 xperm
= cmd
& 0xff;
3430 ad
.type
= LSM_AUDIT_DATA_IOCTL_OP
;
3433 ad
.u
.op
->path
= file
->f_path
;
3435 if (ssid
!= fsec
->sid
) {
3436 rc
= avc_has_perm(ssid
, fsec
->sid
,
3444 if (unlikely(IS_PRIVATE(inode
)))
3447 isec
= inode_security(inode
);
3448 rc
= avc_has_extended_perms(ssid
, isec
->sid
, isec
->sclass
,
3449 requested
, driver
, xperm
, &ad
);
3454 static int selinux_file_ioctl(struct file
*file
, unsigned int cmd
,
3457 const struct cred
*cred
= current_cred();
3467 case FS_IOC_GETFLAGS
:
3469 case FS_IOC_GETVERSION
:
3470 error
= file_has_perm(cred
, file
, FILE__GETATTR
);
3473 case FS_IOC_SETFLAGS
:
3475 case FS_IOC_SETVERSION
:
3476 error
= file_has_perm(cred
, file
, FILE__SETATTR
);
3479 /* sys_ioctl() checks */
3483 error
= file_has_perm(cred
, file
, 0);
3488 error
= cred_has_capability(cred
, CAP_SYS_TTY_CONFIG
,
3489 SECURITY_CAP_AUDIT
, true);
3492 /* default case assumes that the command will go
3493 * to the file's ioctl() function.
3496 error
= ioctl_has_perm(cred
, file
, FILE__IOCTL
, (u16
) cmd
);
3501 static int default_noexec
;
3503 static int file_map_prot_check(struct file
*file
, unsigned long prot
, int shared
)
3505 const struct cred
*cred
= current_cred();
3506 u32 sid
= cred_sid(cred
);
3509 if (default_noexec
&&
3510 (prot
& PROT_EXEC
) && (!file
|| IS_PRIVATE(file_inode(file
)) ||
3511 (!shared
&& (prot
& PROT_WRITE
)))) {
3513 * We are making executable an anonymous mapping or a
3514 * private file mapping that will also be writable.
3515 * This has an additional check.
3517 rc
= avc_has_perm(sid
, sid
, SECCLASS_PROCESS
,
3518 PROCESS__EXECMEM
, NULL
);
3524 /* read access is always possible with a mapping */
3525 u32 av
= FILE__READ
;
3527 /* write access only matters if the mapping is shared */
3528 if (shared
&& (prot
& PROT_WRITE
))
3531 if (prot
& PROT_EXEC
)
3532 av
|= FILE__EXECUTE
;
3534 return file_has_perm(cred
, file
, av
);
3541 static int selinux_mmap_addr(unsigned long addr
)
3545 if (addr
< CONFIG_LSM_MMAP_MIN_ADDR
) {
3546 u32 sid
= current_sid();
3547 rc
= avc_has_perm(sid
, sid
, SECCLASS_MEMPROTECT
,
3548 MEMPROTECT__MMAP_ZERO
, NULL
);
3554 static int selinux_mmap_file(struct file
*file
, unsigned long reqprot
,
3555 unsigned long prot
, unsigned long flags
)
3557 struct common_audit_data ad
;
3561 ad
.type
= LSM_AUDIT_DATA_FILE
;
3563 rc
= inode_has_perm(current_cred(), file_inode(file
),
3569 if (selinux_checkreqprot
)
3572 return file_map_prot_check(file
, prot
,
3573 (flags
& MAP_TYPE
) == MAP_SHARED
);
3576 static int selinux_file_mprotect(struct vm_area_struct
*vma
,
3577 unsigned long reqprot
,
3580 const struct cred
*cred
= current_cred();
3581 u32 sid
= cred_sid(cred
);
3583 if (selinux_checkreqprot
)
3586 if (default_noexec
&&
3587 (prot
& PROT_EXEC
) && !(vma
->vm_flags
& VM_EXEC
)) {
3589 if (vma
->vm_start
>= vma
->vm_mm
->start_brk
&&
3590 vma
->vm_end
<= vma
->vm_mm
->brk
) {
3591 rc
= avc_has_perm(sid
, sid
, SECCLASS_PROCESS
,
3592 PROCESS__EXECHEAP
, NULL
);
3593 } else if (!vma
->vm_file
&&
3594 ((vma
->vm_start
<= vma
->vm_mm
->start_stack
&&
3595 vma
->vm_end
>= vma
->vm_mm
->start_stack
) ||
3596 vma_is_stack_for_current(vma
))) {
3597 rc
= avc_has_perm(sid
, sid
, SECCLASS_PROCESS
,
3598 PROCESS__EXECSTACK
, NULL
);
3599 } else if (vma
->vm_file
&& vma
->anon_vma
) {
3601 * We are making executable a file mapping that has
3602 * had some COW done. Since pages might have been
3603 * written, check ability to execute the possibly
3604 * modified content. This typically should only
3605 * occur for text relocations.
3607 rc
= file_has_perm(cred
, vma
->vm_file
, FILE__EXECMOD
);
3613 return file_map_prot_check(vma
->vm_file
, prot
, vma
->vm_flags
&VM_SHARED
);
3616 static int selinux_file_lock(struct file
*file
, unsigned int cmd
)
3618 const struct cred
*cred
= current_cred();
3620 return file_has_perm(cred
, file
, FILE__LOCK
);
3623 static int selinux_file_fcntl(struct file
*file
, unsigned int cmd
,
3626 const struct cred
*cred
= current_cred();
3631 if ((file
->f_flags
& O_APPEND
) && !(arg
& O_APPEND
)) {
3632 err
= file_has_perm(cred
, file
, FILE__WRITE
);
3641 case F_GETOWNER_UIDS
:
3642 /* Just check FD__USE permission */
3643 err
= file_has_perm(cred
, file
, 0);
3651 #if BITS_PER_LONG == 32
3656 err
= file_has_perm(cred
, file
, FILE__LOCK
);
3663 static void selinux_file_set_fowner(struct file
*file
)
3665 struct file_security_struct
*fsec
;
3667 fsec
= file
->f_security
;
3668 fsec
->fown_sid
= current_sid();
3671 static int selinux_file_send_sigiotask(struct task_struct
*tsk
,
3672 struct fown_struct
*fown
, int signum
)
3675 u32 sid
= task_sid(tsk
);
3677 struct file_security_struct
*fsec
;
3679 /* struct fown_struct is never outside the context of a struct file */
3680 file
= container_of(fown
, struct file
, f_owner
);
3682 fsec
= file
->f_security
;
3685 perm
= signal_to_av(SIGIO
); /* as per send_sigio_to_task */
3687 perm
= signal_to_av(signum
);
3689 return avc_has_perm(fsec
->fown_sid
, sid
,
3690 SECCLASS_PROCESS
, perm
, NULL
);
3693 static int selinux_file_receive(struct file
*file
)
3695 const struct cred
*cred
= current_cred();
3697 return file_has_perm(cred
, file
, file_to_av(file
));
3700 static int selinux_file_open(struct file
*file
, const struct cred
*cred
)
3702 struct file_security_struct
*fsec
;
3703 struct inode_security_struct
*isec
;
3705 fsec
= file
->f_security
;
3706 isec
= inode_security(file_inode(file
));
3708 * Save inode label and policy sequence number
3709 * at open-time so that selinux_file_permission
3710 * can determine whether revalidation is necessary.
3711 * Task label is already saved in the file security
3712 * struct as its SID.
3714 fsec
->isid
= isec
->sid
;
3715 fsec
->pseqno
= avc_policy_seqno();
3717 * Since the inode label or policy seqno may have changed
3718 * between the selinux_inode_permission check and the saving
3719 * of state above, recheck that access is still permitted.
3720 * Otherwise, access might never be revalidated against the
3721 * new inode label or new policy.
3722 * This check is not redundant - do not remove.
3724 return file_path_has_perm(cred
, file
, open_file_to_av(file
));
3727 /* task security operations */
3729 static int selinux_task_alloc(struct task_struct
*task
,
3730 unsigned long clone_flags
)
3732 u32 sid
= current_sid();
3734 return avc_has_perm(sid
, sid
, SECCLASS_PROCESS
, PROCESS__FORK
, NULL
);
3738 * allocate the SELinux part of blank credentials
3740 static int selinux_cred_alloc_blank(struct cred
*cred
, gfp_t gfp
)
3742 struct task_security_struct
*tsec
;
3744 tsec
= kzalloc(sizeof(struct task_security_struct
), gfp
);
3748 cred
->security
= tsec
;
3753 * detach and free the LSM part of a set of credentials
3755 static void selinux_cred_free(struct cred
*cred
)
3757 struct task_security_struct
*tsec
= cred
->security
;
3760 * cred->security == NULL if security_cred_alloc_blank() or
3761 * security_prepare_creds() returned an error.
3763 BUG_ON(cred
->security
&& (unsigned long) cred
->security
< PAGE_SIZE
);
3764 cred
->security
= (void *) 0x7UL
;
3769 * prepare a new set of credentials for modification
3771 static int selinux_cred_prepare(struct cred
*new, const struct cred
*old
,
3774 const struct task_security_struct
*old_tsec
;
3775 struct task_security_struct
*tsec
;
3777 old_tsec
= old
->security
;
3779 tsec
= kmemdup(old_tsec
, sizeof(struct task_security_struct
), gfp
);
3783 new->security
= tsec
;
3788 * transfer the SELinux data to a blank set of creds
3790 static void selinux_cred_transfer(struct cred
*new, const struct cred
*old
)
3792 const struct task_security_struct
*old_tsec
= old
->security
;
3793 struct task_security_struct
*tsec
= new->security
;
3799 * set the security data for a kernel service
3800 * - all the creation contexts are set to unlabelled
3802 static int selinux_kernel_act_as(struct cred
*new, u32 secid
)
3804 struct task_security_struct
*tsec
= new->security
;
3805 u32 sid
= current_sid();
3808 ret
= avc_has_perm(sid
, secid
,
3809 SECCLASS_KERNEL_SERVICE
,
3810 KERNEL_SERVICE__USE_AS_OVERRIDE
,
3814 tsec
->create_sid
= 0;
3815 tsec
->keycreate_sid
= 0;
3816 tsec
->sockcreate_sid
= 0;
3822 * set the file creation context in a security record to the same as the
3823 * objective context of the specified inode
3825 static int selinux_kernel_create_files_as(struct cred
*new, struct inode
*inode
)
3827 struct inode_security_struct
*isec
= inode_security(inode
);
3828 struct task_security_struct
*tsec
= new->security
;
3829 u32 sid
= current_sid();
3832 ret
= avc_has_perm(sid
, isec
->sid
,
3833 SECCLASS_KERNEL_SERVICE
,
3834 KERNEL_SERVICE__CREATE_FILES_AS
,
3838 tsec
->create_sid
= isec
->sid
;
3842 static int selinux_kernel_module_request(char *kmod_name
)
3844 struct common_audit_data ad
;
3846 ad
.type
= LSM_AUDIT_DATA_KMOD
;
3847 ad
.u
.kmod_name
= kmod_name
;
3849 return avc_has_perm(current_sid(), SECINITSID_KERNEL
, SECCLASS_SYSTEM
,
3850 SYSTEM__MODULE_REQUEST
, &ad
);
3853 static int selinux_kernel_module_from_file(struct file
*file
)
3855 struct common_audit_data ad
;
3856 struct inode_security_struct
*isec
;
3857 struct file_security_struct
*fsec
;
3858 u32 sid
= current_sid();
3863 return avc_has_perm(sid
, sid
, SECCLASS_SYSTEM
,
3864 SYSTEM__MODULE_LOAD
, NULL
);
3868 ad
.type
= LSM_AUDIT_DATA_FILE
;
3871 fsec
= file
->f_security
;
3872 if (sid
!= fsec
->sid
) {
3873 rc
= avc_has_perm(sid
, fsec
->sid
, SECCLASS_FD
, FD__USE
, &ad
);
3878 isec
= inode_security(file_inode(file
));
3879 return avc_has_perm(sid
, isec
->sid
, SECCLASS_SYSTEM
,
3880 SYSTEM__MODULE_LOAD
, &ad
);
3883 static int selinux_kernel_read_file(struct file
*file
,
3884 enum kernel_read_file_id id
)
3889 case READING_MODULE
:
3890 rc
= selinux_kernel_module_from_file(file
);
3899 static int selinux_task_setpgid(struct task_struct
*p
, pid_t pgid
)
3901 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3902 PROCESS__SETPGID
, NULL
);
3905 static int selinux_task_getpgid(struct task_struct
*p
)
3907 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3908 PROCESS__GETPGID
, NULL
);
3911 static int selinux_task_getsid(struct task_struct
*p
)
3913 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3914 PROCESS__GETSESSION
, NULL
);
3917 static void selinux_task_getsecid(struct task_struct
*p
, u32
*secid
)
3919 *secid
= task_sid(p
);
3922 static int selinux_task_setnice(struct task_struct
*p
, int nice
)
3924 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3925 PROCESS__SETSCHED
, NULL
);
3928 static int selinux_task_setioprio(struct task_struct
*p
, int ioprio
)
3930 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3931 PROCESS__SETSCHED
, NULL
);
3934 static int selinux_task_getioprio(struct task_struct
*p
)
3936 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3937 PROCESS__GETSCHED
, NULL
);
3940 int selinux_task_prlimit(const struct cred
*cred
, const struct cred
*tcred
,
3947 if (flags
& LSM_PRLIMIT_WRITE
)
3948 av
|= PROCESS__SETRLIMIT
;
3949 if (flags
& LSM_PRLIMIT_READ
)
3950 av
|= PROCESS__GETRLIMIT
;
3951 return avc_has_perm(cred_sid(cred
), cred_sid(tcred
),
3952 SECCLASS_PROCESS
, av
, NULL
);
3955 static int selinux_task_setrlimit(struct task_struct
*p
, unsigned int resource
,
3956 struct rlimit
*new_rlim
)
3958 struct rlimit
*old_rlim
= p
->signal
->rlim
+ resource
;
3960 /* Control the ability to change the hard limit (whether
3961 lowering or raising it), so that the hard limit can
3962 later be used as a safe reset point for the soft limit
3963 upon context transitions. See selinux_bprm_committing_creds. */
3964 if (old_rlim
->rlim_max
!= new_rlim
->rlim_max
)
3965 return avc_has_perm(current_sid(), task_sid(p
),
3966 SECCLASS_PROCESS
, PROCESS__SETRLIMIT
, NULL
);
3971 static int selinux_task_setscheduler(struct task_struct
*p
)
3973 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3974 PROCESS__SETSCHED
, NULL
);
3977 static int selinux_task_getscheduler(struct task_struct
*p
)
3979 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3980 PROCESS__GETSCHED
, NULL
);
3983 static int selinux_task_movememory(struct task_struct
*p
)
3985 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3986 PROCESS__SETSCHED
, NULL
);
3989 static int selinux_task_kill(struct task_struct
*p
, struct siginfo
*info
,
3995 perm
= PROCESS__SIGNULL
; /* null signal; existence test */
3997 perm
= signal_to_av(sig
);
3999 secid
= current_sid();
4000 return avc_has_perm(secid
, task_sid(p
), SECCLASS_PROCESS
, perm
, NULL
);
4003 static void selinux_task_to_inode(struct task_struct
*p
,
4004 struct inode
*inode
)
4006 struct inode_security_struct
*isec
= inode
->i_security
;
4007 u32 sid
= task_sid(p
);
4009 spin_lock(&isec
->lock
);
4010 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
4012 isec
->initialized
= LABEL_INITIALIZED
;
4013 spin_unlock(&isec
->lock
);
4016 /* Returns error only if unable to parse addresses */
4017 static int selinux_parse_skb_ipv4(struct sk_buff
*skb
,
4018 struct common_audit_data
*ad
, u8
*proto
)
4020 int offset
, ihlen
, ret
= -EINVAL
;
4021 struct iphdr _iph
, *ih
;
4023 offset
= skb_network_offset(skb
);
4024 ih
= skb_header_pointer(skb
, offset
, sizeof(_iph
), &_iph
);
4028 ihlen
= ih
->ihl
* 4;
4029 if (ihlen
< sizeof(_iph
))
4032 ad
->u
.net
->v4info
.saddr
= ih
->saddr
;
4033 ad
->u
.net
->v4info
.daddr
= ih
->daddr
;
4037 *proto
= ih
->protocol
;
4039 switch (ih
->protocol
) {
4041 struct tcphdr _tcph
, *th
;
4043 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
4047 th
= skb_header_pointer(skb
, offset
, sizeof(_tcph
), &_tcph
);
4051 ad
->u
.net
->sport
= th
->source
;
4052 ad
->u
.net
->dport
= th
->dest
;
4057 struct udphdr _udph
, *uh
;
4059 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
4063 uh
= skb_header_pointer(skb
, offset
, sizeof(_udph
), &_udph
);
4067 ad
->u
.net
->sport
= uh
->source
;
4068 ad
->u
.net
->dport
= uh
->dest
;
4072 case IPPROTO_DCCP
: {
4073 struct dccp_hdr _dccph
, *dh
;
4075 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
4079 dh
= skb_header_pointer(skb
, offset
, sizeof(_dccph
), &_dccph
);
4083 ad
->u
.net
->sport
= dh
->dccph_sport
;
4084 ad
->u
.net
->dport
= dh
->dccph_dport
;
4095 #if IS_ENABLED(CONFIG_IPV6)
4097 /* Returns error only if unable to parse addresses */
4098 static int selinux_parse_skb_ipv6(struct sk_buff
*skb
,
4099 struct common_audit_data
*ad
, u8
*proto
)
4102 int ret
= -EINVAL
, offset
;
4103 struct ipv6hdr _ipv6h
, *ip6
;
4106 offset
= skb_network_offset(skb
);
4107 ip6
= skb_header_pointer(skb
, offset
, sizeof(_ipv6h
), &_ipv6h
);
4111 ad
->u
.net
->v6info
.saddr
= ip6
->saddr
;
4112 ad
->u
.net
->v6info
.daddr
= ip6
->daddr
;
4115 nexthdr
= ip6
->nexthdr
;
4116 offset
+= sizeof(_ipv6h
);
4117 offset
= ipv6_skip_exthdr(skb
, offset
, &nexthdr
, &frag_off
);
4126 struct tcphdr _tcph
, *th
;
4128 th
= skb_header_pointer(skb
, offset
, sizeof(_tcph
), &_tcph
);
4132 ad
->u
.net
->sport
= th
->source
;
4133 ad
->u
.net
->dport
= th
->dest
;
4138 struct udphdr _udph
, *uh
;
4140 uh
= skb_header_pointer(skb
, offset
, sizeof(_udph
), &_udph
);
4144 ad
->u
.net
->sport
= uh
->source
;
4145 ad
->u
.net
->dport
= uh
->dest
;
4149 case IPPROTO_DCCP
: {
4150 struct dccp_hdr _dccph
, *dh
;
4152 dh
= skb_header_pointer(skb
, offset
, sizeof(_dccph
), &_dccph
);
4156 ad
->u
.net
->sport
= dh
->dccph_sport
;
4157 ad
->u
.net
->dport
= dh
->dccph_dport
;
4161 /* includes fragments */
4171 static int selinux_parse_skb(struct sk_buff
*skb
, struct common_audit_data
*ad
,
4172 char **_addrp
, int src
, u8
*proto
)
4177 switch (ad
->u
.net
->family
) {
4179 ret
= selinux_parse_skb_ipv4(skb
, ad
, proto
);
4182 addrp
= (char *)(src
? &ad
->u
.net
->v4info
.saddr
:
4183 &ad
->u
.net
->v4info
.daddr
);
4186 #if IS_ENABLED(CONFIG_IPV6)
4188 ret
= selinux_parse_skb_ipv6(skb
, ad
, proto
);
4191 addrp
= (char *)(src
? &ad
->u
.net
->v6info
.saddr
:
4192 &ad
->u
.net
->v6info
.daddr
);
4202 "SELinux: failure in selinux_parse_skb(),"
4203 " unable to parse packet\n");
4213 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4215 * @family: protocol family
4216 * @sid: the packet's peer label SID
4219 * Check the various different forms of network peer labeling and determine
4220 * the peer label/SID for the packet; most of the magic actually occurs in
4221 * the security server function security_net_peersid_cmp(). The function
4222 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4223 * or -EACCES if @sid is invalid due to inconsistencies with the different
4227 static int selinux_skb_peerlbl_sid(struct sk_buff
*skb
, u16 family
, u32
*sid
)
4234 err
= selinux_xfrm_skb_sid(skb
, &xfrm_sid
);
4237 err
= selinux_netlbl_skbuff_getsid(skb
, family
, &nlbl_type
, &nlbl_sid
);
4241 err
= security_net_peersid_resolve(nlbl_sid
, nlbl_type
, xfrm_sid
, sid
);
4242 if (unlikely(err
)) {
4244 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4245 " unable to determine packet's peer label\n");
4253 * selinux_conn_sid - Determine the child socket label for a connection
4254 * @sk_sid: the parent socket's SID
4255 * @skb_sid: the packet's SID
4256 * @conn_sid: the resulting connection SID
4258 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4259 * combined with the MLS information from @skb_sid in order to create
4260 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4261 * of @sk_sid. Returns zero on success, negative values on failure.
4264 static int selinux_conn_sid(u32 sk_sid
, u32 skb_sid
, u32
*conn_sid
)
4268 if (skb_sid
!= SECSID_NULL
)
4269 err
= security_sid_mls_copy(sk_sid
, skb_sid
, conn_sid
);
4276 /* socket security operations */
4278 static int socket_sockcreate_sid(const struct task_security_struct
*tsec
,
4279 u16 secclass
, u32
*socksid
)
4281 if (tsec
->sockcreate_sid
> SECSID_NULL
) {
4282 *socksid
= tsec
->sockcreate_sid
;
4286 return security_transition_sid(tsec
->sid
, tsec
->sid
, secclass
, NULL
,
4290 static int sock_has_perm(struct sock
*sk
, u32 perms
)
4292 struct sk_security_struct
*sksec
= sk
->sk_security
;
4293 struct common_audit_data ad
;
4294 struct lsm_network_audit net
= {0,};
4296 if (sksec
->sid
== SECINITSID_KERNEL
)
4299 ad
.type
= LSM_AUDIT_DATA_NET
;
4303 return avc_has_perm(current_sid(), sksec
->sid
, sksec
->sclass
, perms
,
4307 static int selinux_socket_create(int family
, int type
,
4308 int protocol
, int kern
)
4310 const struct task_security_struct
*tsec
= current_security();
4318 secclass
= socket_type_to_security_class(family
, type
, protocol
);
4319 rc
= socket_sockcreate_sid(tsec
, secclass
, &newsid
);
4323 return avc_has_perm(tsec
->sid
, newsid
, secclass
, SOCKET__CREATE
, NULL
);
4326 static int selinux_socket_post_create(struct socket
*sock
, int family
,
4327 int type
, int protocol
, int kern
)
4329 const struct task_security_struct
*tsec
= current_security();
4330 struct inode_security_struct
*isec
= inode_security_novalidate(SOCK_INODE(sock
));
4331 struct sk_security_struct
*sksec
;
4332 u16 sclass
= socket_type_to_security_class(family
, type
, protocol
);
4333 u32 sid
= SECINITSID_KERNEL
;
4337 err
= socket_sockcreate_sid(tsec
, sclass
, &sid
);
4342 isec
->sclass
= sclass
;
4344 isec
->initialized
= LABEL_INITIALIZED
;
4347 sksec
= sock
->sk
->sk_security
;
4348 sksec
->sclass
= sclass
;
4350 err
= selinux_netlbl_socket_post_create(sock
->sk
, family
);
4356 /* Range of port numbers used to automatically bind.
4357 Need to determine whether we should perform a name_bind
4358 permission check between the socket and the port number. */
4360 static int selinux_socket_bind(struct socket
*sock
, struct sockaddr
*address
, int addrlen
)
4362 struct sock
*sk
= sock
->sk
;
4366 err
= sock_has_perm(sk
, SOCKET__BIND
);
4371 * If PF_INET or PF_INET6, check name_bind permission for the port.
4372 * Multiple address binding for SCTP is not supported yet: we just
4373 * check the first address now.
4375 family
= sk
->sk_family
;
4376 if (family
== PF_INET
|| family
== PF_INET6
) {
4378 struct sk_security_struct
*sksec
= sk
->sk_security
;
4379 struct common_audit_data ad
;
4380 struct lsm_network_audit net
= {0,};
4381 struct sockaddr_in
*addr4
= NULL
;
4382 struct sockaddr_in6
*addr6
= NULL
;
4383 unsigned short snum
;
4386 if (family
== PF_INET
) {
4387 if (addrlen
< sizeof(struct sockaddr_in
)) {
4391 addr4
= (struct sockaddr_in
*)address
;
4392 snum
= ntohs(addr4
->sin_port
);
4393 addrp
= (char *)&addr4
->sin_addr
.s_addr
;
4395 if (addrlen
< SIN6_LEN_RFC2133
) {
4399 addr6
= (struct sockaddr_in6
*)address
;
4400 snum
= ntohs(addr6
->sin6_port
);
4401 addrp
= (char *)&addr6
->sin6_addr
.s6_addr
;
4407 inet_get_local_port_range(sock_net(sk
), &low
, &high
);
4409 if (snum
< max(inet_prot_sock(sock_net(sk
)), low
) ||
4411 err
= sel_netport_sid(sk
->sk_protocol
,
4415 ad
.type
= LSM_AUDIT_DATA_NET
;
4417 ad
.u
.net
->sport
= htons(snum
);
4418 ad
.u
.net
->family
= family
;
4419 err
= avc_has_perm(sksec
->sid
, sid
,
4421 SOCKET__NAME_BIND
, &ad
);
4427 switch (sksec
->sclass
) {
4428 case SECCLASS_TCP_SOCKET
:
4429 node_perm
= TCP_SOCKET__NODE_BIND
;
4432 case SECCLASS_UDP_SOCKET
:
4433 node_perm
= UDP_SOCKET__NODE_BIND
;
4436 case SECCLASS_DCCP_SOCKET
:
4437 node_perm
= DCCP_SOCKET__NODE_BIND
;
4441 node_perm
= RAWIP_SOCKET__NODE_BIND
;
4445 err
= sel_netnode_sid(addrp
, family
, &sid
);
4449 ad
.type
= LSM_AUDIT_DATA_NET
;
4451 ad
.u
.net
->sport
= htons(snum
);
4452 ad
.u
.net
->family
= family
;
4454 if (family
== PF_INET
)
4455 ad
.u
.net
->v4info
.saddr
= addr4
->sin_addr
.s_addr
;
4457 ad
.u
.net
->v6info
.saddr
= addr6
->sin6_addr
;
4459 err
= avc_has_perm(sksec
->sid
, sid
,
4460 sksec
->sclass
, node_perm
, &ad
);
4468 static int selinux_socket_connect(struct socket
*sock
, struct sockaddr
*address
, int addrlen
)
4470 struct sock
*sk
= sock
->sk
;
4471 struct sk_security_struct
*sksec
= sk
->sk_security
;
4474 err
= sock_has_perm(sk
, SOCKET__CONNECT
);
4479 * If a TCP or DCCP socket, check name_connect permission for the port.
4481 if (sksec
->sclass
== SECCLASS_TCP_SOCKET
||
4482 sksec
->sclass
== SECCLASS_DCCP_SOCKET
) {
4483 struct common_audit_data ad
;
4484 struct lsm_network_audit net
= {0,};
4485 struct sockaddr_in
*addr4
= NULL
;
4486 struct sockaddr_in6
*addr6
= NULL
;
4487 unsigned short snum
;
4490 if (sk
->sk_family
== PF_INET
) {
4491 addr4
= (struct sockaddr_in
*)address
;
4492 if (addrlen
< sizeof(struct sockaddr_in
))
4494 snum
= ntohs(addr4
->sin_port
);
4496 addr6
= (struct sockaddr_in6
*)address
;
4497 if (addrlen
< SIN6_LEN_RFC2133
)
4499 snum
= ntohs(addr6
->sin6_port
);
4502 err
= sel_netport_sid(sk
->sk_protocol
, snum
, &sid
);
4506 perm
= (sksec
->sclass
== SECCLASS_TCP_SOCKET
) ?
4507 TCP_SOCKET__NAME_CONNECT
: DCCP_SOCKET__NAME_CONNECT
;
4509 ad
.type
= LSM_AUDIT_DATA_NET
;
4511 ad
.u
.net
->dport
= htons(snum
);
4512 ad
.u
.net
->family
= sk
->sk_family
;
4513 err
= avc_has_perm(sksec
->sid
, sid
, sksec
->sclass
, perm
, &ad
);
4518 err
= selinux_netlbl_socket_connect(sk
, address
);
4524 static int selinux_socket_listen(struct socket
*sock
, int backlog
)
4526 return sock_has_perm(sock
->sk
, SOCKET__LISTEN
);
4529 static int selinux_socket_accept(struct socket
*sock
, struct socket
*newsock
)
4532 struct inode_security_struct
*isec
;
4533 struct inode_security_struct
*newisec
;
4537 err
= sock_has_perm(sock
->sk
, SOCKET__ACCEPT
);
4541 isec
= inode_security_novalidate(SOCK_INODE(sock
));
4542 spin_lock(&isec
->lock
);
4543 sclass
= isec
->sclass
;
4545 spin_unlock(&isec
->lock
);
4547 newisec
= inode_security_novalidate(SOCK_INODE(newsock
));
4548 newisec
->sclass
= sclass
;
4550 newisec
->initialized
= LABEL_INITIALIZED
;
4555 static int selinux_socket_sendmsg(struct socket
*sock
, struct msghdr
*msg
,
4558 return sock_has_perm(sock
->sk
, SOCKET__WRITE
);
4561 static int selinux_socket_recvmsg(struct socket
*sock
, struct msghdr
*msg
,
4562 int size
, int flags
)
4564 return sock_has_perm(sock
->sk
, SOCKET__READ
);
4567 static int selinux_socket_getsockname(struct socket
*sock
)
4569 return sock_has_perm(sock
->sk
, SOCKET__GETATTR
);
4572 static int selinux_socket_getpeername(struct socket
*sock
)
4574 return sock_has_perm(sock
->sk
, SOCKET__GETATTR
);
4577 static int selinux_socket_setsockopt(struct socket
*sock
, int level
, int optname
)
4581 err
= sock_has_perm(sock
->sk
, SOCKET__SETOPT
);
4585 return selinux_netlbl_socket_setsockopt(sock
, level
, optname
);
4588 static int selinux_socket_getsockopt(struct socket
*sock
, int level
,
4591 return sock_has_perm(sock
->sk
, SOCKET__GETOPT
);
4594 static int selinux_socket_shutdown(struct socket
*sock
, int how
)
4596 return sock_has_perm(sock
->sk
, SOCKET__SHUTDOWN
);
4599 static int selinux_socket_unix_stream_connect(struct sock
*sock
,
4603 struct sk_security_struct
*sksec_sock
= sock
->sk_security
;
4604 struct sk_security_struct
*sksec_other
= other
->sk_security
;
4605 struct sk_security_struct
*sksec_new
= newsk
->sk_security
;
4606 struct common_audit_data ad
;
4607 struct lsm_network_audit net
= {0,};
4610 ad
.type
= LSM_AUDIT_DATA_NET
;
4612 ad
.u
.net
->sk
= other
;
4614 err
= avc_has_perm(sksec_sock
->sid
, sksec_other
->sid
,
4615 sksec_other
->sclass
,
4616 UNIX_STREAM_SOCKET__CONNECTTO
, &ad
);
4620 /* server child socket */
4621 sksec_new
->peer_sid
= sksec_sock
->sid
;
4622 err
= security_sid_mls_copy(sksec_other
->sid
, sksec_sock
->sid
,
4627 /* connecting socket */
4628 sksec_sock
->peer_sid
= sksec_new
->sid
;
4633 static int selinux_socket_unix_may_send(struct socket
*sock
,
4634 struct socket
*other
)
4636 struct sk_security_struct
*ssec
= sock
->sk
->sk_security
;
4637 struct sk_security_struct
*osec
= other
->sk
->sk_security
;
4638 struct common_audit_data ad
;
4639 struct lsm_network_audit net
= {0,};
4641 ad
.type
= LSM_AUDIT_DATA_NET
;
4643 ad
.u
.net
->sk
= other
->sk
;
4645 return avc_has_perm(ssec
->sid
, osec
->sid
, osec
->sclass
, SOCKET__SENDTO
,
4649 static int selinux_inet_sys_rcv_skb(struct net
*ns
, int ifindex
,
4650 char *addrp
, u16 family
, u32 peer_sid
,
4651 struct common_audit_data
*ad
)
4657 err
= sel_netif_sid(ns
, ifindex
, &if_sid
);
4660 err
= avc_has_perm(peer_sid
, if_sid
,
4661 SECCLASS_NETIF
, NETIF__INGRESS
, ad
);
4665 err
= sel_netnode_sid(addrp
, family
, &node_sid
);
4668 return avc_has_perm(peer_sid
, node_sid
,
4669 SECCLASS_NODE
, NODE__RECVFROM
, ad
);
4672 static int selinux_sock_rcv_skb_compat(struct sock
*sk
, struct sk_buff
*skb
,
4676 struct sk_security_struct
*sksec
= sk
->sk_security
;
4677 u32 sk_sid
= sksec
->sid
;
4678 struct common_audit_data ad
;
4679 struct lsm_network_audit net
= {0,};
4682 ad
.type
= LSM_AUDIT_DATA_NET
;
4684 ad
.u
.net
->netif
= skb
->skb_iif
;
4685 ad
.u
.net
->family
= family
;
4686 err
= selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
);
4690 if (selinux_secmark_enabled()) {
4691 err
= avc_has_perm(sk_sid
, skb
->secmark
, SECCLASS_PACKET
,
4697 err
= selinux_netlbl_sock_rcv_skb(sksec
, skb
, family
, &ad
);
4700 err
= selinux_xfrm_sock_rcv_skb(sksec
->sid
, skb
, &ad
);
4705 static int selinux_socket_sock_rcv_skb(struct sock
*sk
, struct sk_buff
*skb
)
4708 struct sk_security_struct
*sksec
= sk
->sk_security
;
4709 u16 family
= sk
->sk_family
;
4710 u32 sk_sid
= sksec
->sid
;
4711 struct common_audit_data ad
;
4712 struct lsm_network_audit net
= {0,};
4717 if (family
!= PF_INET
&& family
!= PF_INET6
)
4720 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4721 if (family
== PF_INET6
&& skb
->protocol
== htons(ETH_P_IP
))
4724 /* If any sort of compatibility mode is enabled then handoff processing
4725 * to the selinux_sock_rcv_skb_compat() function to deal with the
4726 * special handling. We do this in an attempt to keep this function
4727 * as fast and as clean as possible. */
4728 if (!selinux_policycap_netpeer
)
4729 return selinux_sock_rcv_skb_compat(sk
, skb
, family
);
4731 secmark_active
= selinux_secmark_enabled();
4732 peerlbl_active
= selinux_peerlbl_enabled();
4733 if (!secmark_active
&& !peerlbl_active
)
4736 ad
.type
= LSM_AUDIT_DATA_NET
;
4738 ad
.u
.net
->netif
= skb
->skb_iif
;
4739 ad
.u
.net
->family
= family
;
4740 err
= selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
);
4744 if (peerlbl_active
) {
4747 err
= selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
);
4750 err
= selinux_inet_sys_rcv_skb(sock_net(sk
), skb
->skb_iif
,
4751 addrp
, family
, peer_sid
, &ad
);
4753 selinux_netlbl_err(skb
, family
, err
, 0);
4756 err
= avc_has_perm(sk_sid
, peer_sid
, SECCLASS_PEER
,
4759 selinux_netlbl_err(skb
, family
, err
, 0);
4764 if (secmark_active
) {
4765 err
= avc_has_perm(sk_sid
, skb
->secmark
, SECCLASS_PACKET
,
4774 static int selinux_socket_getpeersec_stream(struct socket
*sock
, char __user
*optval
,
4775 int __user
*optlen
, unsigned len
)
4780 struct sk_security_struct
*sksec
= sock
->sk
->sk_security
;
4781 u32 peer_sid
= SECSID_NULL
;
4783 if (sksec
->sclass
== SECCLASS_UNIX_STREAM_SOCKET
||
4784 sksec
->sclass
== SECCLASS_TCP_SOCKET
)
4785 peer_sid
= sksec
->peer_sid
;
4786 if (peer_sid
== SECSID_NULL
)
4787 return -ENOPROTOOPT
;
4789 err
= security_sid_to_context(peer_sid
, &scontext
, &scontext_len
);
4793 if (scontext_len
> len
) {
4798 if (copy_to_user(optval
, scontext
, scontext_len
))
4802 if (put_user(scontext_len
, optlen
))
4808 static int selinux_socket_getpeersec_dgram(struct socket
*sock
, struct sk_buff
*skb
, u32
*secid
)
4810 u32 peer_secid
= SECSID_NULL
;
4812 struct inode_security_struct
*isec
;
4814 if (skb
&& skb
->protocol
== htons(ETH_P_IP
))
4816 else if (skb
&& skb
->protocol
== htons(ETH_P_IPV6
))
4819 family
= sock
->sk
->sk_family
;
4823 if (sock
&& family
== PF_UNIX
) {
4824 isec
= inode_security_novalidate(SOCK_INODE(sock
));
4825 peer_secid
= isec
->sid
;
4827 selinux_skb_peerlbl_sid(skb
, family
, &peer_secid
);
4830 *secid
= peer_secid
;
4831 if (peer_secid
== SECSID_NULL
)
4836 static int selinux_sk_alloc_security(struct sock
*sk
, int family
, gfp_t priority
)
4838 struct sk_security_struct
*sksec
;
4840 sksec
= kzalloc(sizeof(*sksec
), priority
);
4844 sksec
->peer_sid
= SECINITSID_UNLABELED
;
4845 sksec
->sid
= SECINITSID_UNLABELED
;
4846 sksec
->sclass
= SECCLASS_SOCKET
;
4847 selinux_netlbl_sk_security_reset(sksec
);
4848 sk
->sk_security
= sksec
;
4853 static void selinux_sk_free_security(struct sock
*sk
)
4855 struct sk_security_struct
*sksec
= sk
->sk_security
;
4857 sk
->sk_security
= NULL
;
4858 selinux_netlbl_sk_security_free(sksec
);
4862 static void selinux_sk_clone_security(const struct sock
*sk
, struct sock
*newsk
)
4864 struct sk_security_struct
*sksec
= sk
->sk_security
;
4865 struct sk_security_struct
*newsksec
= newsk
->sk_security
;
4867 newsksec
->sid
= sksec
->sid
;
4868 newsksec
->peer_sid
= sksec
->peer_sid
;
4869 newsksec
->sclass
= sksec
->sclass
;
4871 selinux_netlbl_sk_security_reset(newsksec
);
4874 static void selinux_sk_getsecid(struct sock
*sk
, u32
*secid
)
4877 *secid
= SECINITSID_ANY_SOCKET
;
4879 struct sk_security_struct
*sksec
= sk
->sk_security
;
4881 *secid
= sksec
->sid
;
4885 static void selinux_sock_graft(struct sock
*sk
, struct socket
*parent
)
4887 struct inode_security_struct
*isec
=
4888 inode_security_novalidate(SOCK_INODE(parent
));
4889 struct sk_security_struct
*sksec
= sk
->sk_security
;
4891 if (sk
->sk_family
== PF_INET
|| sk
->sk_family
== PF_INET6
||
4892 sk
->sk_family
== PF_UNIX
)
4893 isec
->sid
= sksec
->sid
;
4894 sksec
->sclass
= isec
->sclass
;
4897 static int selinux_inet_conn_request(struct sock
*sk
, struct sk_buff
*skb
,
4898 struct request_sock
*req
)
4900 struct sk_security_struct
*sksec
= sk
->sk_security
;
4902 u16 family
= req
->rsk_ops
->family
;
4906 err
= selinux_skb_peerlbl_sid(skb
, family
, &peersid
);
4909 err
= selinux_conn_sid(sksec
->sid
, peersid
, &connsid
);
4912 req
->secid
= connsid
;
4913 req
->peer_secid
= peersid
;
4915 return selinux_netlbl_inet_conn_request(req
, family
);
4918 static void selinux_inet_csk_clone(struct sock
*newsk
,
4919 const struct request_sock
*req
)
4921 struct sk_security_struct
*newsksec
= newsk
->sk_security
;
4923 newsksec
->sid
= req
->secid
;
4924 newsksec
->peer_sid
= req
->peer_secid
;
4925 /* NOTE: Ideally, we should also get the isec->sid for the
4926 new socket in sync, but we don't have the isec available yet.
4927 So we will wait until sock_graft to do it, by which
4928 time it will have been created and available. */
4930 /* We don't need to take any sort of lock here as we are the only
4931 * thread with access to newsksec */
4932 selinux_netlbl_inet_csk_clone(newsk
, req
->rsk_ops
->family
);
4935 static void selinux_inet_conn_established(struct sock
*sk
, struct sk_buff
*skb
)
4937 u16 family
= sk
->sk_family
;
4938 struct sk_security_struct
*sksec
= sk
->sk_security
;
4940 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4941 if (family
== PF_INET6
&& skb
->protocol
== htons(ETH_P_IP
))
4944 selinux_skb_peerlbl_sid(skb
, family
, &sksec
->peer_sid
);
4947 static int selinux_secmark_relabel_packet(u32 sid
)
4949 const struct task_security_struct
*__tsec
;
4952 __tsec
= current_security();
4955 return avc_has_perm(tsid
, sid
, SECCLASS_PACKET
, PACKET__RELABELTO
, NULL
);
4958 static void selinux_secmark_refcount_inc(void)
4960 atomic_inc(&selinux_secmark_refcount
);
4963 static void selinux_secmark_refcount_dec(void)
4965 atomic_dec(&selinux_secmark_refcount
);
4968 static void selinux_req_classify_flow(const struct request_sock
*req
,
4971 fl
->flowi_secid
= req
->secid
;
4974 static int selinux_tun_dev_alloc_security(void **security
)
4976 struct tun_security_struct
*tunsec
;
4978 tunsec
= kzalloc(sizeof(*tunsec
), GFP_KERNEL
);
4981 tunsec
->sid
= current_sid();
4987 static void selinux_tun_dev_free_security(void *security
)
4992 static int selinux_tun_dev_create(void)
4994 u32 sid
= current_sid();
4996 /* we aren't taking into account the "sockcreate" SID since the socket
4997 * that is being created here is not a socket in the traditional sense,
4998 * instead it is a private sock, accessible only to the kernel, and
4999 * representing a wide range of network traffic spanning multiple
5000 * connections unlike traditional sockets - check the TUN driver to
5001 * get a better understanding of why this socket is special */
5003 return avc_has_perm(sid
, sid
, SECCLASS_TUN_SOCKET
, TUN_SOCKET__CREATE
,
5007 static int selinux_tun_dev_attach_queue(void *security
)
5009 struct tun_security_struct
*tunsec
= security
;
5011 return avc_has_perm(current_sid(), tunsec
->sid
, SECCLASS_TUN_SOCKET
,
5012 TUN_SOCKET__ATTACH_QUEUE
, NULL
);
5015 static int selinux_tun_dev_attach(struct sock
*sk
, void *security
)
5017 struct tun_security_struct
*tunsec
= security
;
5018 struct sk_security_struct
*sksec
= sk
->sk_security
;
5020 /* we don't currently perform any NetLabel based labeling here and it
5021 * isn't clear that we would want to do so anyway; while we could apply
5022 * labeling without the support of the TUN user the resulting labeled
5023 * traffic from the other end of the connection would almost certainly
5024 * cause confusion to the TUN user that had no idea network labeling
5025 * protocols were being used */
5027 sksec
->sid
= tunsec
->sid
;
5028 sksec
->sclass
= SECCLASS_TUN_SOCKET
;
5033 static int selinux_tun_dev_open(void *security
)
5035 struct tun_security_struct
*tunsec
= security
;
5036 u32 sid
= current_sid();
5039 err
= avc_has_perm(sid
, tunsec
->sid
, SECCLASS_TUN_SOCKET
,
5040 TUN_SOCKET__RELABELFROM
, NULL
);
5043 err
= avc_has_perm(sid
, sid
, SECCLASS_TUN_SOCKET
,
5044 TUN_SOCKET__RELABELTO
, NULL
);
5052 static int selinux_nlmsg_perm(struct sock
*sk
, struct sk_buff
*skb
)
5056 struct nlmsghdr
*nlh
;
5057 struct sk_security_struct
*sksec
= sk
->sk_security
;
5059 if (skb
->len
< NLMSG_HDRLEN
) {
5063 nlh
= nlmsg_hdr(skb
);
5065 err
= selinux_nlmsg_lookup(sksec
->sclass
, nlh
->nlmsg_type
, &perm
);
5067 if (err
== -EINVAL
) {
5068 pr_warn_ratelimited("SELinux: unrecognized netlink"
5069 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5070 " pig=%d comm=%s\n",
5071 sk
->sk_protocol
, nlh
->nlmsg_type
,
5072 secclass_map
[sksec
->sclass
- 1].name
,
5073 task_pid_nr(current
), current
->comm
);
5074 if (!selinux_enforcing
|| security_get_allow_unknown())
5084 err
= sock_has_perm(sk
, perm
);
5089 #ifdef CONFIG_NETFILTER
5091 static unsigned int selinux_ip_forward(struct sk_buff
*skb
,
5092 const struct net_device
*indev
,
5098 struct common_audit_data ad
;
5099 struct lsm_network_audit net
= {0,};
5104 if (!selinux_policycap_netpeer
)
5107 secmark_active
= selinux_secmark_enabled();
5108 netlbl_active
= netlbl_enabled();
5109 peerlbl_active
= selinux_peerlbl_enabled();
5110 if (!secmark_active
&& !peerlbl_active
)
5113 if (selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
) != 0)
5116 ad
.type
= LSM_AUDIT_DATA_NET
;
5118 ad
.u
.net
->netif
= indev
->ifindex
;
5119 ad
.u
.net
->family
= family
;
5120 if (selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
) != 0)
5123 if (peerlbl_active
) {
5124 err
= selinux_inet_sys_rcv_skb(dev_net(indev
), indev
->ifindex
,
5125 addrp
, family
, peer_sid
, &ad
);
5127 selinux_netlbl_err(skb
, family
, err
, 1);
5133 if (avc_has_perm(peer_sid
, skb
->secmark
,
5134 SECCLASS_PACKET
, PACKET__FORWARD_IN
, &ad
))
5138 /* we do this in the FORWARD path and not the POST_ROUTING
5139 * path because we want to make sure we apply the necessary
5140 * labeling before IPsec is applied so we can leverage AH
5142 if (selinux_netlbl_skbuff_setsid(skb
, family
, peer_sid
) != 0)
5148 static unsigned int selinux_ipv4_forward(void *priv
,
5149 struct sk_buff
*skb
,
5150 const struct nf_hook_state
*state
)
5152 return selinux_ip_forward(skb
, state
->in
, PF_INET
);
5155 #if IS_ENABLED(CONFIG_IPV6)
5156 static unsigned int selinux_ipv6_forward(void *priv
,
5157 struct sk_buff
*skb
,
5158 const struct nf_hook_state
*state
)
5160 return selinux_ip_forward(skb
, state
->in
, PF_INET6
);
5164 static unsigned int selinux_ip_output(struct sk_buff
*skb
,
5170 if (!netlbl_enabled())
5173 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5174 * because we want to make sure we apply the necessary labeling
5175 * before IPsec is applied so we can leverage AH protection */
5178 struct sk_security_struct
*sksec
;
5180 if (sk_listener(sk
))
5181 /* if the socket is the listening state then this
5182 * packet is a SYN-ACK packet which means it needs to
5183 * be labeled based on the connection/request_sock and
5184 * not the parent socket. unfortunately, we can't
5185 * lookup the request_sock yet as it isn't queued on
5186 * the parent socket until after the SYN-ACK is sent.
5187 * the "solution" is to simply pass the packet as-is
5188 * as any IP option based labeling should be copied
5189 * from the initial connection request (in the IP
5190 * layer). it is far from ideal, but until we get a
5191 * security label in the packet itself this is the
5192 * best we can do. */
5195 /* standard practice, label using the parent socket */
5196 sksec
= sk
->sk_security
;
5199 sid
= SECINITSID_KERNEL
;
5200 if (selinux_netlbl_skbuff_setsid(skb
, family
, sid
) != 0)
5206 static unsigned int selinux_ipv4_output(void *priv
,
5207 struct sk_buff
*skb
,
5208 const struct nf_hook_state
*state
)
5210 return selinux_ip_output(skb
, PF_INET
);
5213 #if IS_ENABLED(CONFIG_IPV6)
5214 static unsigned int selinux_ipv6_output(void *priv
,
5215 struct sk_buff
*skb
,
5216 const struct nf_hook_state
*state
)
5218 return selinux_ip_output(skb
, PF_INET6
);
5222 static unsigned int selinux_ip_postroute_compat(struct sk_buff
*skb
,
5226 struct sock
*sk
= skb_to_full_sk(skb
);
5227 struct sk_security_struct
*sksec
;
5228 struct common_audit_data ad
;
5229 struct lsm_network_audit net
= {0,};
5235 sksec
= sk
->sk_security
;
5237 ad
.type
= LSM_AUDIT_DATA_NET
;
5239 ad
.u
.net
->netif
= ifindex
;
5240 ad
.u
.net
->family
= family
;
5241 if (selinux_parse_skb(skb
, &ad
, &addrp
, 0, &proto
))
5244 if (selinux_secmark_enabled())
5245 if (avc_has_perm(sksec
->sid
, skb
->secmark
,
5246 SECCLASS_PACKET
, PACKET__SEND
, &ad
))
5247 return NF_DROP_ERR(-ECONNREFUSED
);
5249 if (selinux_xfrm_postroute_last(sksec
->sid
, skb
, &ad
, proto
))
5250 return NF_DROP_ERR(-ECONNREFUSED
);
5255 static unsigned int selinux_ip_postroute(struct sk_buff
*skb
,
5256 const struct net_device
*outdev
,
5261 int ifindex
= outdev
->ifindex
;
5263 struct common_audit_data ad
;
5264 struct lsm_network_audit net
= {0,};
5269 /* If any sort of compatibility mode is enabled then handoff processing
5270 * to the selinux_ip_postroute_compat() function to deal with the
5271 * special handling. We do this in an attempt to keep this function
5272 * as fast and as clean as possible. */
5273 if (!selinux_policycap_netpeer
)
5274 return selinux_ip_postroute_compat(skb
, ifindex
, family
);
5276 secmark_active
= selinux_secmark_enabled();
5277 peerlbl_active
= selinux_peerlbl_enabled();
5278 if (!secmark_active
&& !peerlbl_active
)
5281 sk
= skb_to_full_sk(skb
);
5284 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5285 * packet transformation so allow the packet to pass without any checks
5286 * since we'll have another chance to perform access control checks
5287 * when the packet is on it's final way out.
5288 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5289 * is NULL, in this case go ahead and apply access control.
5290 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5291 * TCP listening state we cannot wait until the XFRM processing
5292 * is done as we will miss out on the SA label if we do;
5293 * unfortunately, this means more work, but it is only once per
5295 if (skb_dst(skb
) != NULL
&& skb_dst(skb
)->xfrm
!= NULL
&&
5296 !(sk
&& sk_listener(sk
)))
5301 /* Without an associated socket the packet is either coming
5302 * from the kernel or it is being forwarded; check the packet
5303 * to determine which and if the packet is being forwarded
5304 * query the packet directly to determine the security label. */
5306 secmark_perm
= PACKET__FORWARD_OUT
;
5307 if (selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
))
5310 secmark_perm
= PACKET__SEND
;
5311 peer_sid
= SECINITSID_KERNEL
;
5313 } else if (sk_listener(sk
)) {
5314 /* Locally generated packet but the associated socket is in the
5315 * listening state which means this is a SYN-ACK packet. In
5316 * this particular case the correct security label is assigned
5317 * to the connection/request_sock but unfortunately we can't
5318 * query the request_sock as it isn't queued on the parent
5319 * socket until after the SYN-ACK packet is sent; the only
5320 * viable choice is to regenerate the label like we do in
5321 * selinux_inet_conn_request(). See also selinux_ip_output()
5322 * for similar problems. */
5324 struct sk_security_struct
*sksec
;
5326 sksec
= sk
->sk_security
;
5327 if (selinux_skb_peerlbl_sid(skb
, family
, &skb_sid
))
5329 /* At this point, if the returned skb peerlbl is SECSID_NULL
5330 * and the packet has been through at least one XFRM
5331 * transformation then we must be dealing with the "final"
5332 * form of labeled IPsec packet; since we've already applied
5333 * all of our access controls on this packet we can safely
5334 * pass the packet. */
5335 if (skb_sid
== SECSID_NULL
) {
5338 if (IPCB(skb
)->flags
& IPSKB_XFRM_TRANSFORMED
)
5342 if (IP6CB(skb
)->flags
& IP6SKB_XFRM_TRANSFORMED
)
5346 return NF_DROP_ERR(-ECONNREFUSED
);
5349 if (selinux_conn_sid(sksec
->sid
, skb_sid
, &peer_sid
))
5351 secmark_perm
= PACKET__SEND
;
5353 /* Locally generated packet, fetch the security label from the
5354 * associated socket. */
5355 struct sk_security_struct
*sksec
= sk
->sk_security
;
5356 peer_sid
= sksec
->sid
;
5357 secmark_perm
= PACKET__SEND
;
5360 ad
.type
= LSM_AUDIT_DATA_NET
;
5362 ad
.u
.net
->netif
= ifindex
;
5363 ad
.u
.net
->family
= family
;
5364 if (selinux_parse_skb(skb
, &ad
, &addrp
, 0, NULL
))
5368 if (avc_has_perm(peer_sid
, skb
->secmark
,
5369 SECCLASS_PACKET
, secmark_perm
, &ad
))
5370 return NF_DROP_ERR(-ECONNREFUSED
);
5372 if (peerlbl_active
) {
5376 if (sel_netif_sid(dev_net(outdev
), ifindex
, &if_sid
))
5378 if (avc_has_perm(peer_sid
, if_sid
,
5379 SECCLASS_NETIF
, NETIF__EGRESS
, &ad
))
5380 return NF_DROP_ERR(-ECONNREFUSED
);
5382 if (sel_netnode_sid(addrp
, family
, &node_sid
))
5384 if (avc_has_perm(peer_sid
, node_sid
,
5385 SECCLASS_NODE
, NODE__SENDTO
, &ad
))
5386 return NF_DROP_ERR(-ECONNREFUSED
);
5392 static unsigned int selinux_ipv4_postroute(void *priv
,
5393 struct sk_buff
*skb
,
5394 const struct nf_hook_state
*state
)
5396 return selinux_ip_postroute(skb
, state
->out
, PF_INET
);
5399 #if IS_ENABLED(CONFIG_IPV6)
5400 static unsigned int selinux_ipv6_postroute(void *priv
,
5401 struct sk_buff
*skb
,
5402 const struct nf_hook_state
*state
)
5404 return selinux_ip_postroute(skb
, state
->out
, PF_INET6
);
5408 #endif /* CONFIG_NETFILTER */
5410 static int selinux_netlink_send(struct sock
*sk
, struct sk_buff
*skb
)
5412 return selinux_nlmsg_perm(sk
, skb
);
5415 static int ipc_alloc_security(struct kern_ipc_perm
*perm
,
5418 struct ipc_security_struct
*isec
;
5420 isec
= kzalloc(sizeof(struct ipc_security_struct
), GFP_KERNEL
);
5424 isec
->sclass
= sclass
;
5425 isec
->sid
= current_sid();
5426 perm
->security
= isec
;
5431 static void ipc_free_security(struct kern_ipc_perm
*perm
)
5433 struct ipc_security_struct
*isec
= perm
->security
;
5434 perm
->security
= NULL
;
5438 static int msg_msg_alloc_security(struct msg_msg
*msg
)
5440 struct msg_security_struct
*msec
;
5442 msec
= kzalloc(sizeof(struct msg_security_struct
), GFP_KERNEL
);
5446 msec
->sid
= SECINITSID_UNLABELED
;
5447 msg
->security
= msec
;
5452 static void msg_msg_free_security(struct msg_msg
*msg
)
5454 struct msg_security_struct
*msec
= msg
->security
;
5456 msg
->security
= NULL
;
5460 static int ipc_has_perm(struct kern_ipc_perm
*ipc_perms
,
5463 struct ipc_security_struct
*isec
;
5464 struct common_audit_data ad
;
5465 u32 sid
= current_sid();
5467 isec
= ipc_perms
->security
;
5469 ad
.type
= LSM_AUDIT_DATA_IPC
;
5470 ad
.u
.ipc_id
= ipc_perms
->key
;
5472 return avc_has_perm(sid
, isec
->sid
, isec
->sclass
, perms
, &ad
);
5475 static int selinux_msg_msg_alloc_security(struct msg_msg
*msg
)
5477 return msg_msg_alloc_security(msg
);
5480 static void selinux_msg_msg_free_security(struct msg_msg
*msg
)
5482 msg_msg_free_security(msg
);
5485 /* message queue security operations */
5486 static int selinux_msg_queue_alloc_security(struct msg_queue
*msq
)
5488 struct ipc_security_struct
*isec
;
5489 struct common_audit_data ad
;
5490 u32 sid
= current_sid();
5493 rc
= ipc_alloc_security(&msq
->q_perm
, SECCLASS_MSGQ
);
5497 isec
= msq
->q_perm
.security
;
5499 ad
.type
= LSM_AUDIT_DATA_IPC
;
5500 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5502 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_MSGQ
,
5505 ipc_free_security(&msq
->q_perm
);
5511 static void selinux_msg_queue_free_security(struct msg_queue
*msq
)
5513 ipc_free_security(&msq
->q_perm
);
5516 static int selinux_msg_queue_associate(struct msg_queue
*msq
, int msqflg
)
5518 struct ipc_security_struct
*isec
;
5519 struct common_audit_data ad
;
5520 u32 sid
= current_sid();
5522 isec
= msq
->q_perm
.security
;
5524 ad
.type
= LSM_AUDIT_DATA_IPC
;
5525 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5527 return avc_has_perm(sid
, isec
->sid
, SECCLASS_MSGQ
,
5528 MSGQ__ASSOCIATE
, &ad
);
5531 static int selinux_msg_queue_msgctl(struct msg_queue
*msq
, int cmd
)
5539 /* No specific object, just general system-wide information. */
5540 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
5541 SECCLASS_SYSTEM
, SYSTEM__IPC_INFO
, NULL
);
5544 perms
= MSGQ__GETATTR
| MSGQ__ASSOCIATE
;
5547 perms
= MSGQ__SETATTR
;
5550 perms
= MSGQ__DESTROY
;
5556 err
= ipc_has_perm(&msq
->q_perm
, perms
);
5560 static int selinux_msg_queue_msgsnd(struct msg_queue
*msq
, struct msg_msg
*msg
, int msqflg
)
5562 struct ipc_security_struct
*isec
;
5563 struct msg_security_struct
*msec
;
5564 struct common_audit_data ad
;
5565 u32 sid
= current_sid();
5568 isec
= msq
->q_perm
.security
;
5569 msec
= msg
->security
;
5572 * First time through, need to assign label to the message
5574 if (msec
->sid
== SECINITSID_UNLABELED
) {
5576 * Compute new sid based on current process and
5577 * message queue this message will be stored in
5579 rc
= security_transition_sid(sid
, isec
->sid
, SECCLASS_MSG
,
5585 ad
.type
= LSM_AUDIT_DATA_IPC
;
5586 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5588 /* Can this process write to the queue? */
5589 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_MSGQ
,
5592 /* Can this process send the message */
5593 rc
= avc_has_perm(sid
, msec
->sid
, SECCLASS_MSG
,
5596 /* Can the message be put in the queue? */
5597 rc
= avc_has_perm(msec
->sid
, isec
->sid
, SECCLASS_MSGQ
,
5598 MSGQ__ENQUEUE
, &ad
);
5603 static int selinux_msg_queue_msgrcv(struct msg_queue
*msq
, struct msg_msg
*msg
,
5604 struct task_struct
*target
,
5605 long type
, int mode
)
5607 struct ipc_security_struct
*isec
;
5608 struct msg_security_struct
*msec
;
5609 struct common_audit_data ad
;
5610 u32 sid
= task_sid(target
);
5613 isec
= msq
->q_perm
.security
;
5614 msec
= msg
->security
;
5616 ad
.type
= LSM_AUDIT_DATA_IPC
;
5617 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5619 rc
= avc_has_perm(sid
, isec
->sid
,
5620 SECCLASS_MSGQ
, MSGQ__READ
, &ad
);
5622 rc
= avc_has_perm(sid
, msec
->sid
,
5623 SECCLASS_MSG
, MSG__RECEIVE
, &ad
);
5627 /* Shared Memory security operations */
5628 static int selinux_shm_alloc_security(struct shmid_kernel
*shp
)
5630 struct ipc_security_struct
*isec
;
5631 struct common_audit_data ad
;
5632 u32 sid
= current_sid();
5635 rc
= ipc_alloc_security(&shp
->shm_perm
, SECCLASS_SHM
);
5639 isec
= shp
->shm_perm
.security
;
5641 ad
.type
= LSM_AUDIT_DATA_IPC
;
5642 ad
.u
.ipc_id
= shp
->shm_perm
.key
;
5644 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_SHM
,
5647 ipc_free_security(&shp
->shm_perm
);
5653 static void selinux_shm_free_security(struct shmid_kernel
*shp
)
5655 ipc_free_security(&shp
->shm_perm
);
5658 static int selinux_shm_associate(struct shmid_kernel
*shp
, int shmflg
)
5660 struct ipc_security_struct
*isec
;
5661 struct common_audit_data ad
;
5662 u32 sid
= current_sid();
5664 isec
= shp
->shm_perm
.security
;
5666 ad
.type
= LSM_AUDIT_DATA_IPC
;
5667 ad
.u
.ipc_id
= shp
->shm_perm
.key
;
5669 return avc_has_perm(sid
, isec
->sid
, SECCLASS_SHM
,
5670 SHM__ASSOCIATE
, &ad
);
5673 /* Note, at this point, shp is locked down */
5674 static int selinux_shm_shmctl(struct shmid_kernel
*shp
, int cmd
)
5682 /* No specific object, just general system-wide information. */
5683 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
5684 SECCLASS_SYSTEM
, SYSTEM__IPC_INFO
, NULL
);
5687 perms
= SHM__GETATTR
| SHM__ASSOCIATE
;
5690 perms
= SHM__SETATTR
;
5697 perms
= SHM__DESTROY
;
5703 err
= ipc_has_perm(&shp
->shm_perm
, perms
);
5707 static int selinux_shm_shmat(struct shmid_kernel
*shp
,
5708 char __user
*shmaddr
, int shmflg
)
5712 if (shmflg
& SHM_RDONLY
)
5715 perms
= SHM__READ
| SHM__WRITE
;
5717 return ipc_has_perm(&shp
->shm_perm
, perms
);
5720 /* Semaphore security operations */
5721 static int selinux_sem_alloc_security(struct sem_array
*sma
)
5723 struct ipc_security_struct
*isec
;
5724 struct common_audit_data ad
;
5725 u32 sid
= current_sid();
5728 rc
= ipc_alloc_security(&sma
->sem_perm
, SECCLASS_SEM
);
5732 isec
= sma
->sem_perm
.security
;
5734 ad
.type
= LSM_AUDIT_DATA_IPC
;
5735 ad
.u
.ipc_id
= sma
->sem_perm
.key
;
5737 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_SEM
,
5740 ipc_free_security(&sma
->sem_perm
);
5746 static void selinux_sem_free_security(struct sem_array
*sma
)
5748 ipc_free_security(&sma
->sem_perm
);
5751 static int selinux_sem_associate(struct sem_array
*sma
, int semflg
)
5753 struct ipc_security_struct
*isec
;
5754 struct common_audit_data ad
;
5755 u32 sid
= current_sid();
5757 isec
= sma
->sem_perm
.security
;
5759 ad
.type
= LSM_AUDIT_DATA_IPC
;
5760 ad
.u
.ipc_id
= sma
->sem_perm
.key
;
5762 return avc_has_perm(sid
, isec
->sid
, SECCLASS_SEM
,
5763 SEM__ASSOCIATE
, &ad
);
5766 /* Note, at this point, sma is locked down */
5767 static int selinux_sem_semctl(struct sem_array
*sma
, int cmd
)
5775 /* No specific object, just general system-wide information. */
5776 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
5777 SECCLASS_SYSTEM
, SYSTEM__IPC_INFO
, NULL
);
5781 perms
= SEM__GETATTR
;
5792 perms
= SEM__DESTROY
;
5795 perms
= SEM__SETATTR
;
5799 perms
= SEM__GETATTR
| SEM__ASSOCIATE
;
5805 err
= ipc_has_perm(&sma
->sem_perm
, perms
);
5809 static int selinux_sem_semop(struct sem_array
*sma
,
5810 struct sembuf
*sops
, unsigned nsops
, int alter
)
5815 perms
= SEM__READ
| SEM__WRITE
;
5819 return ipc_has_perm(&sma
->sem_perm
, perms
);
5822 static int selinux_ipc_permission(struct kern_ipc_perm
*ipcp
, short flag
)
5828 av
|= IPC__UNIX_READ
;
5830 av
|= IPC__UNIX_WRITE
;
5835 return ipc_has_perm(ipcp
, av
);
5838 static void selinux_ipc_getsecid(struct kern_ipc_perm
*ipcp
, u32
*secid
)
5840 struct ipc_security_struct
*isec
= ipcp
->security
;
5844 static void selinux_d_instantiate(struct dentry
*dentry
, struct inode
*inode
)
5847 inode_doinit_with_dentry(inode
, dentry
);
5850 static int selinux_getprocattr(struct task_struct
*p
,
5851 char *name
, char **value
)
5853 const struct task_security_struct
*__tsec
;
5859 __tsec
= __task_cred(p
)->security
;
5862 error
= avc_has_perm(current_sid(), __tsec
->sid
,
5863 SECCLASS_PROCESS
, PROCESS__GETATTR
, NULL
);
5868 if (!strcmp(name
, "current"))
5870 else if (!strcmp(name
, "prev"))
5872 else if (!strcmp(name
, "exec"))
5873 sid
= __tsec
->exec_sid
;
5874 else if (!strcmp(name
, "fscreate"))
5875 sid
= __tsec
->create_sid
;
5876 else if (!strcmp(name
, "keycreate"))
5877 sid
= __tsec
->keycreate_sid
;
5878 else if (!strcmp(name
, "sockcreate"))
5879 sid
= __tsec
->sockcreate_sid
;
5889 error
= security_sid_to_context(sid
, value
, &len
);
5899 static int selinux_setprocattr(const char *name
, void *value
, size_t size
)
5901 struct task_security_struct
*tsec
;
5903 u32 mysid
= current_sid(), sid
= 0, ptsid
;
5908 * Basic control over ability to set these attributes at all.
5910 if (!strcmp(name
, "exec"))
5911 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5912 PROCESS__SETEXEC
, NULL
);
5913 else if (!strcmp(name
, "fscreate"))
5914 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5915 PROCESS__SETFSCREATE
, NULL
);
5916 else if (!strcmp(name
, "keycreate"))
5917 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5918 PROCESS__SETKEYCREATE
, NULL
);
5919 else if (!strcmp(name
, "sockcreate"))
5920 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5921 PROCESS__SETSOCKCREATE
, NULL
);
5922 else if (!strcmp(name
, "current"))
5923 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5924 PROCESS__SETCURRENT
, NULL
);
5930 /* Obtain a SID for the context, if one was specified. */
5931 if (size
&& str
[0] && str
[0] != '\n') {
5932 if (str
[size
-1] == '\n') {
5936 error
= security_context_to_sid(value
, size
, &sid
, GFP_KERNEL
);
5937 if (error
== -EINVAL
&& !strcmp(name
, "fscreate")) {
5938 if (!has_cap_mac_admin(true)) {
5939 struct audit_buffer
*ab
;
5942 /* We strip a nul only if it is at the end, otherwise the
5943 * context contains a nul and we should audit that */
5944 if (str
[size
- 1] == '\0')
5945 audit_size
= size
- 1;
5948 ab
= audit_log_start(current
->audit_context
, GFP_ATOMIC
, AUDIT_SELINUX_ERR
);
5949 audit_log_format(ab
, "op=fscreate invalid_context=");
5950 audit_log_n_untrustedstring(ab
, value
, audit_size
);
5955 error
= security_context_to_sid_force(value
, size
,
5962 new = prepare_creds();
5966 /* Permission checking based on the specified context is
5967 performed during the actual operation (execve,
5968 open/mkdir/...), when we know the full context of the
5969 operation. See selinux_bprm_set_creds for the execve
5970 checks and may_create for the file creation checks. The
5971 operation will then fail if the context is not permitted. */
5972 tsec
= new->security
;
5973 if (!strcmp(name
, "exec")) {
5974 tsec
->exec_sid
= sid
;
5975 } else if (!strcmp(name
, "fscreate")) {
5976 tsec
->create_sid
= sid
;
5977 } else if (!strcmp(name
, "keycreate")) {
5978 error
= avc_has_perm(mysid
, sid
, SECCLASS_KEY
, KEY__CREATE
,
5982 tsec
->keycreate_sid
= sid
;
5983 } else if (!strcmp(name
, "sockcreate")) {
5984 tsec
->sockcreate_sid
= sid
;
5985 } else if (!strcmp(name
, "current")) {
5990 /* Only allow single threaded processes to change context */
5992 if (!current_is_single_threaded()) {
5993 error
= security_bounded_transition(tsec
->sid
, sid
);
5998 /* Check permissions for the transition. */
5999 error
= avc_has_perm(tsec
->sid
, sid
, SECCLASS_PROCESS
,
6000 PROCESS__DYNTRANSITION
, NULL
);
6004 /* Check for ptracing, and update the task SID if ok.
6005 Otherwise, leave SID unchanged and fail. */
6006 ptsid
= ptrace_parent_sid();
6008 error
= avc_has_perm(ptsid
, sid
, SECCLASS_PROCESS
,
6009 PROCESS__PTRACE
, NULL
);
6028 static int selinux_ismaclabel(const char *name
)
6030 return (strcmp(name
, XATTR_SELINUX_SUFFIX
) == 0);
6033 static int selinux_secid_to_secctx(u32 secid
, char **secdata
, u32
*seclen
)
6035 return security_sid_to_context(secid
, secdata
, seclen
);
6038 static int selinux_secctx_to_secid(const char *secdata
, u32 seclen
, u32
*secid
)
6040 return security_context_to_sid(secdata
, seclen
, secid
, GFP_KERNEL
);
6043 static void selinux_release_secctx(char *secdata
, u32 seclen
)
6048 static void selinux_inode_invalidate_secctx(struct inode
*inode
)
6050 struct inode_security_struct
*isec
= inode
->i_security
;
6052 spin_lock(&isec
->lock
);
6053 isec
->initialized
= LABEL_INVALID
;
6054 spin_unlock(&isec
->lock
);
6058 * called with inode->i_mutex locked
6060 static int selinux_inode_notifysecctx(struct inode
*inode
, void *ctx
, u32 ctxlen
)
6062 return selinux_inode_setsecurity(inode
, XATTR_SELINUX_SUFFIX
, ctx
, ctxlen
, 0);
6066 * called with inode->i_mutex locked
6068 static int selinux_inode_setsecctx(struct dentry
*dentry
, void *ctx
, u32 ctxlen
)
6070 return __vfs_setxattr_noperm(dentry
, XATTR_NAME_SELINUX
, ctx
, ctxlen
, 0);
6073 static int selinux_inode_getsecctx(struct inode
*inode
, void **ctx
, u32
*ctxlen
)
6076 len
= selinux_inode_getsecurity(inode
, XATTR_SELINUX_SUFFIX
,
6085 static int selinux_key_alloc(struct key
*k
, const struct cred
*cred
,
6086 unsigned long flags
)
6088 const struct task_security_struct
*tsec
;
6089 struct key_security_struct
*ksec
;
6091 ksec
= kzalloc(sizeof(struct key_security_struct
), GFP_KERNEL
);
6095 tsec
= cred
->security
;
6096 if (tsec
->keycreate_sid
)
6097 ksec
->sid
= tsec
->keycreate_sid
;
6099 ksec
->sid
= tsec
->sid
;
6105 static void selinux_key_free(struct key
*k
)
6107 struct key_security_struct
*ksec
= k
->security
;
6113 static int selinux_key_permission(key_ref_t key_ref
,
6114 const struct cred
*cred
,
6118 struct key_security_struct
*ksec
;
6121 /* if no specific permissions are requested, we skip the
6122 permission check. No serious, additional covert channels
6123 appear to be created. */
6127 sid
= cred_sid(cred
);
6129 key
= key_ref_to_ptr(key_ref
);
6130 ksec
= key
->security
;
6132 return avc_has_perm(sid
, ksec
->sid
, SECCLASS_KEY
, perm
, NULL
);
6135 static int selinux_key_getsecurity(struct key
*key
, char **_buffer
)
6137 struct key_security_struct
*ksec
= key
->security
;
6138 char *context
= NULL
;
6142 rc
= security_sid_to_context(ksec
->sid
, &context
, &len
);
6150 #ifdef CONFIG_SECURITY_INFINIBAND
6151 static int selinux_ib_pkey_access(void *ib_sec
, u64 subnet_prefix
, u16 pkey_val
)
6153 struct common_audit_data ad
;
6156 struct ib_security_struct
*sec
= ib_sec
;
6157 struct lsm_ibpkey_audit ibpkey
;
6159 err
= security_ib_pkey_sid(subnet_prefix
, pkey_val
, &sid
);
6163 ad
.type
= LSM_AUDIT_DATA_IBPKEY
;
6164 ibpkey
.subnet_prefix
= subnet_prefix
;
6165 ibpkey
.pkey
= pkey_val
;
6166 ad
.u
.ibpkey
= &ibpkey
;
6167 return avc_has_perm(sec
->sid
, sid
,
6168 SECCLASS_INFINIBAND_PKEY
,
6169 INFINIBAND_PKEY__ACCESS
, &ad
);
6172 static int selinux_ib_endport_manage_subnet(void *ib_sec
, const char *dev_name
,
6175 struct common_audit_data ad
;
6178 struct ib_security_struct
*sec
= ib_sec
;
6179 struct lsm_ibendport_audit ibendport
;
6181 err
= security_ib_endport_sid(dev_name
, port_num
, &sid
);
6186 ad
.type
= LSM_AUDIT_DATA_IBENDPORT
;
6187 strncpy(ibendport
.dev_name
, dev_name
, sizeof(ibendport
.dev_name
));
6188 ibendport
.port
= port_num
;
6189 ad
.u
.ibendport
= &ibendport
;
6190 return avc_has_perm(sec
->sid
, sid
,
6191 SECCLASS_INFINIBAND_ENDPORT
,
6192 INFINIBAND_ENDPORT__MANAGE_SUBNET
, &ad
);
6195 static int selinux_ib_alloc_security(void **ib_sec
)
6197 struct ib_security_struct
*sec
;
6199 sec
= kzalloc(sizeof(*sec
), GFP_KERNEL
);
6202 sec
->sid
= current_sid();
6208 static void selinux_ib_free_security(void *ib_sec
)
6214 static struct security_hook_list selinux_hooks
[] __lsm_ro_after_init
= {
6215 LSM_HOOK_INIT(binder_set_context_mgr
, selinux_binder_set_context_mgr
),
6216 LSM_HOOK_INIT(binder_transaction
, selinux_binder_transaction
),
6217 LSM_HOOK_INIT(binder_transfer_binder
, selinux_binder_transfer_binder
),
6218 LSM_HOOK_INIT(binder_transfer_file
, selinux_binder_transfer_file
),
6220 LSM_HOOK_INIT(ptrace_access_check
, selinux_ptrace_access_check
),
6221 LSM_HOOK_INIT(ptrace_traceme
, selinux_ptrace_traceme
),
6222 LSM_HOOK_INIT(capget
, selinux_capget
),
6223 LSM_HOOK_INIT(capset
, selinux_capset
),
6224 LSM_HOOK_INIT(capable
, selinux_capable
),
6225 LSM_HOOK_INIT(quotactl
, selinux_quotactl
),
6226 LSM_HOOK_INIT(quota_on
, selinux_quota_on
),
6227 LSM_HOOK_INIT(syslog
, selinux_syslog
),
6228 LSM_HOOK_INIT(vm_enough_memory
, selinux_vm_enough_memory
),
6230 LSM_HOOK_INIT(netlink_send
, selinux_netlink_send
),
6232 LSM_HOOK_INIT(bprm_set_creds
, selinux_bprm_set_creds
),
6233 LSM_HOOK_INIT(bprm_committing_creds
, selinux_bprm_committing_creds
),
6234 LSM_HOOK_INIT(bprm_committed_creds
, selinux_bprm_committed_creds
),
6235 LSM_HOOK_INIT(bprm_secureexec
, selinux_bprm_secureexec
),
6237 LSM_HOOK_INIT(sb_alloc_security
, selinux_sb_alloc_security
),
6238 LSM_HOOK_INIT(sb_free_security
, selinux_sb_free_security
),
6239 LSM_HOOK_INIT(sb_copy_data
, selinux_sb_copy_data
),
6240 LSM_HOOK_INIT(sb_remount
, selinux_sb_remount
),
6241 LSM_HOOK_INIT(sb_kern_mount
, selinux_sb_kern_mount
),
6242 LSM_HOOK_INIT(sb_show_options
, selinux_sb_show_options
),
6243 LSM_HOOK_INIT(sb_statfs
, selinux_sb_statfs
),
6244 LSM_HOOK_INIT(sb_mount
, selinux_mount
),
6245 LSM_HOOK_INIT(sb_umount
, selinux_umount
),
6246 LSM_HOOK_INIT(sb_set_mnt_opts
, selinux_set_mnt_opts
),
6247 LSM_HOOK_INIT(sb_clone_mnt_opts
, selinux_sb_clone_mnt_opts
),
6248 LSM_HOOK_INIT(sb_parse_opts_str
, selinux_parse_opts_str
),
6250 LSM_HOOK_INIT(dentry_init_security
, selinux_dentry_init_security
),
6251 LSM_HOOK_INIT(dentry_create_files_as
, selinux_dentry_create_files_as
),
6253 LSM_HOOK_INIT(inode_alloc_security
, selinux_inode_alloc_security
),
6254 LSM_HOOK_INIT(inode_free_security
, selinux_inode_free_security
),
6255 LSM_HOOK_INIT(inode_init_security
, selinux_inode_init_security
),
6256 LSM_HOOK_INIT(inode_create
, selinux_inode_create
),
6257 LSM_HOOK_INIT(inode_link
, selinux_inode_link
),
6258 LSM_HOOK_INIT(inode_unlink
, selinux_inode_unlink
),
6259 LSM_HOOK_INIT(inode_symlink
, selinux_inode_symlink
),
6260 LSM_HOOK_INIT(inode_mkdir
, selinux_inode_mkdir
),
6261 LSM_HOOK_INIT(inode_rmdir
, selinux_inode_rmdir
),
6262 LSM_HOOK_INIT(inode_mknod
, selinux_inode_mknod
),
6263 LSM_HOOK_INIT(inode_rename
, selinux_inode_rename
),
6264 LSM_HOOK_INIT(inode_readlink
, selinux_inode_readlink
),
6265 LSM_HOOK_INIT(inode_follow_link
, selinux_inode_follow_link
),
6266 LSM_HOOK_INIT(inode_permission
, selinux_inode_permission
),
6267 LSM_HOOK_INIT(inode_setattr
, selinux_inode_setattr
),
6268 LSM_HOOK_INIT(inode_getattr
, selinux_inode_getattr
),
6269 LSM_HOOK_INIT(inode_setxattr
, selinux_inode_setxattr
),
6270 LSM_HOOK_INIT(inode_post_setxattr
, selinux_inode_post_setxattr
),
6271 LSM_HOOK_INIT(inode_getxattr
, selinux_inode_getxattr
),
6272 LSM_HOOK_INIT(inode_listxattr
, selinux_inode_listxattr
),
6273 LSM_HOOK_INIT(inode_removexattr
, selinux_inode_removexattr
),
6274 LSM_HOOK_INIT(inode_getsecurity
, selinux_inode_getsecurity
),
6275 LSM_HOOK_INIT(inode_setsecurity
, selinux_inode_setsecurity
),
6276 LSM_HOOK_INIT(inode_listsecurity
, selinux_inode_listsecurity
),
6277 LSM_HOOK_INIT(inode_getsecid
, selinux_inode_getsecid
),
6278 LSM_HOOK_INIT(inode_copy_up
, selinux_inode_copy_up
),
6279 LSM_HOOK_INIT(inode_copy_up_xattr
, selinux_inode_copy_up_xattr
),
6281 LSM_HOOK_INIT(file_permission
, selinux_file_permission
),
6282 LSM_HOOK_INIT(file_alloc_security
, selinux_file_alloc_security
),
6283 LSM_HOOK_INIT(file_free_security
, selinux_file_free_security
),
6284 LSM_HOOK_INIT(file_ioctl
, selinux_file_ioctl
),
6285 LSM_HOOK_INIT(mmap_file
, selinux_mmap_file
),
6286 LSM_HOOK_INIT(mmap_addr
, selinux_mmap_addr
),
6287 LSM_HOOK_INIT(file_mprotect
, selinux_file_mprotect
),
6288 LSM_HOOK_INIT(file_lock
, selinux_file_lock
),
6289 LSM_HOOK_INIT(file_fcntl
, selinux_file_fcntl
),
6290 LSM_HOOK_INIT(file_set_fowner
, selinux_file_set_fowner
),
6291 LSM_HOOK_INIT(file_send_sigiotask
, selinux_file_send_sigiotask
),
6292 LSM_HOOK_INIT(file_receive
, selinux_file_receive
),
6294 LSM_HOOK_INIT(file_open
, selinux_file_open
),
6296 LSM_HOOK_INIT(task_alloc
, selinux_task_alloc
),
6297 LSM_HOOK_INIT(cred_alloc_blank
, selinux_cred_alloc_blank
),
6298 LSM_HOOK_INIT(cred_free
, selinux_cred_free
),
6299 LSM_HOOK_INIT(cred_prepare
, selinux_cred_prepare
),
6300 LSM_HOOK_INIT(cred_transfer
, selinux_cred_transfer
),
6301 LSM_HOOK_INIT(kernel_act_as
, selinux_kernel_act_as
),
6302 LSM_HOOK_INIT(kernel_create_files_as
, selinux_kernel_create_files_as
),
6303 LSM_HOOK_INIT(kernel_module_request
, selinux_kernel_module_request
),
6304 LSM_HOOK_INIT(kernel_read_file
, selinux_kernel_read_file
),
6305 LSM_HOOK_INIT(task_setpgid
, selinux_task_setpgid
),
6306 LSM_HOOK_INIT(task_getpgid
, selinux_task_getpgid
),
6307 LSM_HOOK_INIT(task_getsid
, selinux_task_getsid
),
6308 LSM_HOOK_INIT(task_getsecid
, selinux_task_getsecid
),
6309 LSM_HOOK_INIT(task_setnice
, selinux_task_setnice
),
6310 LSM_HOOK_INIT(task_setioprio
, selinux_task_setioprio
),
6311 LSM_HOOK_INIT(task_getioprio
, selinux_task_getioprio
),
6312 LSM_HOOK_INIT(task_prlimit
, selinux_task_prlimit
),
6313 LSM_HOOK_INIT(task_setrlimit
, selinux_task_setrlimit
),
6314 LSM_HOOK_INIT(task_setscheduler
, selinux_task_setscheduler
),
6315 LSM_HOOK_INIT(task_getscheduler
, selinux_task_getscheduler
),
6316 LSM_HOOK_INIT(task_movememory
, selinux_task_movememory
),
6317 LSM_HOOK_INIT(task_kill
, selinux_task_kill
),
6318 LSM_HOOK_INIT(task_to_inode
, selinux_task_to_inode
),
6320 LSM_HOOK_INIT(ipc_permission
, selinux_ipc_permission
),
6321 LSM_HOOK_INIT(ipc_getsecid
, selinux_ipc_getsecid
),
6323 LSM_HOOK_INIT(msg_msg_alloc_security
, selinux_msg_msg_alloc_security
),
6324 LSM_HOOK_INIT(msg_msg_free_security
, selinux_msg_msg_free_security
),
6326 LSM_HOOK_INIT(msg_queue_alloc_security
,
6327 selinux_msg_queue_alloc_security
),
6328 LSM_HOOK_INIT(msg_queue_free_security
, selinux_msg_queue_free_security
),
6329 LSM_HOOK_INIT(msg_queue_associate
, selinux_msg_queue_associate
),
6330 LSM_HOOK_INIT(msg_queue_msgctl
, selinux_msg_queue_msgctl
),
6331 LSM_HOOK_INIT(msg_queue_msgsnd
, selinux_msg_queue_msgsnd
),
6332 LSM_HOOK_INIT(msg_queue_msgrcv
, selinux_msg_queue_msgrcv
),
6334 LSM_HOOK_INIT(shm_alloc_security
, selinux_shm_alloc_security
),
6335 LSM_HOOK_INIT(shm_free_security
, selinux_shm_free_security
),
6336 LSM_HOOK_INIT(shm_associate
, selinux_shm_associate
),
6337 LSM_HOOK_INIT(shm_shmctl
, selinux_shm_shmctl
),
6338 LSM_HOOK_INIT(shm_shmat
, selinux_shm_shmat
),
6340 LSM_HOOK_INIT(sem_alloc_security
, selinux_sem_alloc_security
),
6341 LSM_HOOK_INIT(sem_free_security
, selinux_sem_free_security
),
6342 LSM_HOOK_INIT(sem_associate
, selinux_sem_associate
),
6343 LSM_HOOK_INIT(sem_semctl
, selinux_sem_semctl
),
6344 LSM_HOOK_INIT(sem_semop
, selinux_sem_semop
),
6346 LSM_HOOK_INIT(d_instantiate
, selinux_d_instantiate
),
6348 LSM_HOOK_INIT(getprocattr
, selinux_getprocattr
),
6349 LSM_HOOK_INIT(setprocattr
, selinux_setprocattr
),
6351 LSM_HOOK_INIT(ismaclabel
, selinux_ismaclabel
),
6352 LSM_HOOK_INIT(secid_to_secctx
, selinux_secid_to_secctx
),
6353 LSM_HOOK_INIT(secctx_to_secid
, selinux_secctx_to_secid
),
6354 LSM_HOOK_INIT(release_secctx
, selinux_release_secctx
),
6355 LSM_HOOK_INIT(inode_invalidate_secctx
, selinux_inode_invalidate_secctx
),
6356 LSM_HOOK_INIT(inode_notifysecctx
, selinux_inode_notifysecctx
),
6357 LSM_HOOK_INIT(inode_setsecctx
, selinux_inode_setsecctx
),
6358 LSM_HOOK_INIT(inode_getsecctx
, selinux_inode_getsecctx
),
6360 LSM_HOOK_INIT(unix_stream_connect
, selinux_socket_unix_stream_connect
),
6361 LSM_HOOK_INIT(unix_may_send
, selinux_socket_unix_may_send
),
6363 LSM_HOOK_INIT(socket_create
, selinux_socket_create
),
6364 LSM_HOOK_INIT(socket_post_create
, selinux_socket_post_create
),
6365 LSM_HOOK_INIT(socket_bind
, selinux_socket_bind
),
6366 LSM_HOOK_INIT(socket_connect
, selinux_socket_connect
),
6367 LSM_HOOK_INIT(socket_listen
, selinux_socket_listen
),
6368 LSM_HOOK_INIT(socket_accept
, selinux_socket_accept
),
6369 LSM_HOOK_INIT(socket_sendmsg
, selinux_socket_sendmsg
),
6370 LSM_HOOK_INIT(socket_recvmsg
, selinux_socket_recvmsg
),
6371 LSM_HOOK_INIT(socket_getsockname
, selinux_socket_getsockname
),
6372 LSM_HOOK_INIT(socket_getpeername
, selinux_socket_getpeername
),
6373 LSM_HOOK_INIT(socket_getsockopt
, selinux_socket_getsockopt
),
6374 LSM_HOOK_INIT(socket_setsockopt
, selinux_socket_setsockopt
),
6375 LSM_HOOK_INIT(socket_shutdown
, selinux_socket_shutdown
),
6376 LSM_HOOK_INIT(socket_sock_rcv_skb
, selinux_socket_sock_rcv_skb
),
6377 LSM_HOOK_INIT(socket_getpeersec_stream
,
6378 selinux_socket_getpeersec_stream
),
6379 LSM_HOOK_INIT(socket_getpeersec_dgram
, selinux_socket_getpeersec_dgram
),
6380 LSM_HOOK_INIT(sk_alloc_security
, selinux_sk_alloc_security
),
6381 LSM_HOOK_INIT(sk_free_security
, selinux_sk_free_security
),
6382 LSM_HOOK_INIT(sk_clone_security
, selinux_sk_clone_security
),
6383 LSM_HOOK_INIT(sk_getsecid
, selinux_sk_getsecid
),
6384 LSM_HOOK_INIT(sock_graft
, selinux_sock_graft
),
6385 LSM_HOOK_INIT(inet_conn_request
, selinux_inet_conn_request
),
6386 LSM_HOOK_INIT(inet_csk_clone
, selinux_inet_csk_clone
),
6387 LSM_HOOK_INIT(inet_conn_established
, selinux_inet_conn_established
),
6388 LSM_HOOK_INIT(secmark_relabel_packet
, selinux_secmark_relabel_packet
),
6389 LSM_HOOK_INIT(secmark_refcount_inc
, selinux_secmark_refcount_inc
),
6390 LSM_HOOK_INIT(secmark_refcount_dec
, selinux_secmark_refcount_dec
),
6391 LSM_HOOK_INIT(req_classify_flow
, selinux_req_classify_flow
),
6392 LSM_HOOK_INIT(tun_dev_alloc_security
, selinux_tun_dev_alloc_security
),
6393 LSM_HOOK_INIT(tun_dev_free_security
, selinux_tun_dev_free_security
),
6394 LSM_HOOK_INIT(tun_dev_create
, selinux_tun_dev_create
),
6395 LSM_HOOK_INIT(tun_dev_attach_queue
, selinux_tun_dev_attach_queue
),
6396 LSM_HOOK_INIT(tun_dev_attach
, selinux_tun_dev_attach
),
6397 LSM_HOOK_INIT(tun_dev_open
, selinux_tun_dev_open
),
6398 #ifdef CONFIG_SECURITY_INFINIBAND
6399 LSM_HOOK_INIT(ib_pkey_access
, selinux_ib_pkey_access
),
6400 LSM_HOOK_INIT(ib_endport_manage_subnet
,
6401 selinux_ib_endport_manage_subnet
),
6402 LSM_HOOK_INIT(ib_alloc_security
, selinux_ib_alloc_security
),
6403 LSM_HOOK_INIT(ib_free_security
, selinux_ib_free_security
),
6405 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6406 LSM_HOOK_INIT(xfrm_policy_alloc_security
, selinux_xfrm_policy_alloc
),
6407 LSM_HOOK_INIT(xfrm_policy_clone_security
, selinux_xfrm_policy_clone
),
6408 LSM_HOOK_INIT(xfrm_policy_free_security
, selinux_xfrm_policy_free
),
6409 LSM_HOOK_INIT(xfrm_policy_delete_security
, selinux_xfrm_policy_delete
),
6410 LSM_HOOK_INIT(xfrm_state_alloc
, selinux_xfrm_state_alloc
),
6411 LSM_HOOK_INIT(xfrm_state_alloc_acquire
,
6412 selinux_xfrm_state_alloc_acquire
),
6413 LSM_HOOK_INIT(xfrm_state_free_security
, selinux_xfrm_state_free
),
6414 LSM_HOOK_INIT(xfrm_state_delete_security
, selinux_xfrm_state_delete
),
6415 LSM_HOOK_INIT(xfrm_policy_lookup
, selinux_xfrm_policy_lookup
),
6416 LSM_HOOK_INIT(xfrm_state_pol_flow_match
,
6417 selinux_xfrm_state_pol_flow_match
),
6418 LSM_HOOK_INIT(xfrm_decode_session
, selinux_xfrm_decode_session
),
6422 LSM_HOOK_INIT(key_alloc
, selinux_key_alloc
),
6423 LSM_HOOK_INIT(key_free
, selinux_key_free
),
6424 LSM_HOOK_INIT(key_permission
, selinux_key_permission
),
6425 LSM_HOOK_INIT(key_getsecurity
, selinux_key_getsecurity
),
6429 LSM_HOOK_INIT(audit_rule_init
, selinux_audit_rule_init
),
6430 LSM_HOOK_INIT(audit_rule_known
, selinux_audit_rule_known
),
6431 LSM_HOOK_INIT(audit_rule_match
, selinux_audit_rule_match
),
6432 LSM_HOOK_INIT(audit_rule_free
, selinux_audit_rule_free
),
6436 static __init
int selinux_init(void)
6438 if (!security_module_enable("selinux")) {
6439 selinux_enabled
= 0;
6443 if (!selinux_enabled
) {
6444 printk(KERN_INFO
"SELinux: Disabled at boot.\n");
6448 printk(KERN_INFO
"SELinux: Initializing.\n");
6450 /* Set the security state for the initial task. */
6451 cred_init_security();
6453 default_noexec
= !(VM_DATA_DEFAULT_FLAGS
& VM_EXEC
);
6455 sel_inode_cache
= kmem_cache_create("selinux_inode_security",
6456 sizeof(struct inode_security_struct
),
6457 0, SLAB_PANIC
, NULL
);
6458 file_security_cache
= kmem_cache_create("selinux_file_security",
6459 sizeof(struct file_security_struct
),
6460 0, SLAB_PANIC
, NULL
);
6463 security_add_hooks(selinux_hooks
, ARRAY_SIZE(selinux_hooks
), "selinux");
6465 if (avc_add_callback(selinux_netcache_avc_callback
, AVC_CALLBACK_RESET
))
6466 panic("SELinux: Unable to register AVC netcache callback\n");
6468 if (avc_add_callback(selinux_lsm_notifier_avc_callback
, AVC_CALLBACK_RESET
))
6469 panic("SELinux: Unable to register AVC LSM notifier callback\n");
6471 if (selinux_enforcing
)
6472 printk(KERN_DEBUG
"SELinux: Starting in enforcing mode\n");
6474 printk(KERN_DEBUG
"SELinux: Starting in permissive mode\n");
6479 static void delayed_superblock_init(struct super_block
*sb
, void *unused
)
6481 superblock_doinit(sb
, NULL
);
6484 void selinux_complete_init(void)
6486 printk(KERN_DEBUG
"SELinux: Completing initialization.\n");
6488 /* Set up any superblocks initialized prior to the policy load. */
6489 printk(KERN_DEBUG
"SELinux: Setting up existing superblocks.\n");
6490 iterate_supers(delayed_superblock_init
, NULL
);
6493 /* SELinux requires early initialization in order to label
6494 all processes and objects when they are created. */
6495 security_initcall(selinux_init
);
6497 #if defined(CONFIG_NETFILTER)
6499 static struct nf_hook_ops selinux_nf_ops
[] = {
6501 .hook
= selinux_ipv4_postroute
,
6503 .hooknum
= NF_INET_POST_ROUTING
,
6504 .priority
= NF_IP_PRI_SELINUX_LAST
,
6507 .hook
= selinux_ipv4_forward
,
6509 .hooknum
= NF_INET_FORWARD
,
6510 .priority
= NF_IP_PRI_SELINUX_FIRST
,
6513 .hook
= selinux_ipv4_output
,
6515 .hooknum
= NF_INET_LOCAL_OUT
,
6516 .priority
= NF_IP_PRI_SELINUX_FIRST
,
6518 #if IS_ENABLED(CONFIG_IPV6)
6520 .hook
= selinux_ipv6_postroute
,
6522 .hooknum
= NF_INET_POST_ROUTING
,
6523 .priority
= NF_IP6_PRI_SELINUX_LAST
,
6526 .hook
= selinux_ipv6_forward
,
6528 .hooknum
= NF_INET_FORWARD
,
6529 .priority
= NF_IP6_PRI_SELINUX_FIRST
,
6532 .hook
= selinux_ipv6_output
,
6534 .hooknum
= NF_INET_LOCAL_OUT
,
6535 .priority
= NF_IP6_PRI_SELINUX_FIRST
,
6540 static int __init
selinux_nf_ip_init(void)
6544 if (!selinux_enabled
)
6547 printk(KERN_DEBUG
"SELinux: Registering netfilter hooks\n");
6549 err
= nf_register_hooks(selinux_nf_ops
, ARRAY_SIZE(selinux_nf_ops
));
6551 panic("SELinux: nf_register_hooks: error %d\n", err
);
6556 __initcall(selinux_nf_ip_init
);
6558 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6559 static void selinux_nf_ip_exit(void)
6561 printk(KERN_DEBUG
"SELinux: Unregistering netfilter hooks\n");
6563 nf_unregister_hooks(selinux_nf_ops
, ARRAY_SIZE(selinux_nf_ops
));
6567 #else /* CONFIG_NETFILTER */
6569 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6570 #define selinux_nf_ip_exit()
6573 #endif /* CONFIG_NETFILTER */
6575 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6576 static int selinux_disabled
;
6578 int selinux_disable(void)
6580 if (ss_initialized
) {
6581 /* Not permitted after initial policy load. */
6585 if (selinux_disabled
) {
6586 /* Only do this once. */
6590 printk(KERN_INFO
"SELinux: Disabled at runtime.\n");
6592 selinux_disabled
= 1;
6593 selinux_enabled
= 0;
6595 security_delete_hooks(selinux_hooks
, ARRAY_SIZE(selinux_hooks
));
6597 /* Try to destroy the avc node cache */
6600 /* Unregister netfilter hooks. */
6601 selinux_nf_ip_exit();
6603 /* Unregister selinuxfs. */