2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
88 #define XATTR_SELINUX_SUFFIX "selinux"
89 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
91 #define NUM_SEL_MNT_OPTS 4
93 extern unsigned int policydb_loaded_version
;
94 extern int selinux_nlmsg_lookup(u16 sclass
, u16 nlmsg_type
, u32
*perm
);
95 extern int selinux_compat_net
;
96 extern struct security_operations
*security_ops
;
98 /* SECMARK reference count */
99 atomic_t selinux_secmark_refcount
= ATOMIC_INIT(0);
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing
;
104 static int __init
enforcing_setup(char *str
)
106 selinux_enforcing
= simple_strtol(str
, NULL
, 0);
109 __setup("enforcing=", enforcing_setup
);
112 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
113 int selinux_enabled
= CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE
;
115 static int __init
selinux_enabled_setup(char *str
)
117 selinux_enabled
= simple_strtol(str
, NULL
, 0);
120 __setup("selinux=", selinux_enabled_setup
);
122 int selinux_enabled
= 1;
125 /* Original (dummy) security module. */
126 static struct security_operations
*original_ops
;
128 /* Minimal support for a secondary security module,
129 just to allow the use of the dummy or capability modules.
130 The owlsm module can alternatively be used as a secondary
131 module as long as CONFIG_OWLSM_FD is not enabled. */
132 static struct security_operations
*secondary_ops
;
134 /* Lists of inode and superblock security structures initialized
135 before the policy was loaded. */
136 static LIST_HEAD(superblock_security_head
);
137 static DEFINE_SPINLOCK(sb_security_lock
);
139 static struct kmem_cache
*sel_inode_cache
;
142 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
145 * This function checks the SECMARK reference counter to see if any SECMARK
146 * targets are currently configured, if the reference counter is greater than
147 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
148 * enabled, false (0) if SECMARK is disabled.
151 static int selinux_secmark_enabled(void)
153 return (atomic_read(&selinux_secmark_refcount
) > 0);
156 /* Allocate and free functions for each kind of security blob. */
158 static int task_alloc_security(struct task_struct
*task
)
160 struct task_security_struct
*tsec
;
162 tsec
= kzalloc(sizeof(struct task_security_struct
), GFP_KERNEL
);
166 tsec
->osid
= tsec
->sid
= SECINITSID_UNLABELED
;
167 task
->security
= tsec
;
172 static void task_free_security(struct task_struct
*task
)
174 struct task_security_struct
*tsec
= task
->security
;
175 task
->security
= NULL
;
179 static int inode_alloc_security(struct inode
*inode
)
181 struct task_security_struct
*tsec
= current
->security
;
182 struct inode_security_struct
*isec
;
184 isec
= kmem_cache_zalloc(sel_inode_cache
, GFP_NOFS
);
188 mutex_init(&isec
->lock
);
189 INIT_LIST_HEAD(&isec
->list
);
191 isec
->sid
= SECINITSID_UNLABELED
;
192 isec
->sclass
= SECCLASS_FILE
;
193 isec
->task_sid
= tsec
->sid
;
194 inode
->i_security
= isec
;
199 static void inode_free_security(struct inode
*inode
)
201 struct inode_security_struct
*isec
= inode
->i_security
;
202 struct superblock_security_struct
*sbsec
= inode
->i_sb
->s_security
;
204 spin_lock(&sbsec
->isec_lock
);
205 if (!list_empty(&isec
->list
))
206 list_del_init(&isec
->list
);
207 spin_unlock(&sbsec
->isec_lock
);
209 inode
->i_security
= NULL
;
210 kmem_cache_free(sel_inode_cache
, isec
);
213 static int file_alloc_security(struct file
*file
)
215 struct task_security_struct
*tsec
= current
->security
;
216 struct file_security_struct
*fsec
;
218 fsec
= kzalloc(sizeof(struct file_security_struct
), GFP_KERNEL
);
222 fsec
->sid
= tsec
->sid
;
223 fsec
->fown_sid
= tsec
->sid
;
224 file
->f_security
= fsec
;
229 static void file_free_security(struct file
*file
)
231 struct file_security_struct
*fsec
= file
->f_security
;
232 file
->f_security
= NULL
;
236 static int superblock_alloc_security(struct super_block
*sb
)
238 struct superblock_security_struct
*sbsec
;
240 sbsec
= kzalloc(sizeof(struct superblock_security_struct
), GFP_KERNEL
);
244 mutex_init(&sbsec
->lock
);
245 INIT_LIST_HEAD(&sbsec
->list
);
246 INIT_LIST_HEAD(&sbsec
->isec_head
);
247 spin_lock_init(&sbsec
->isec_lock
);
249 sbsec
->sid
= SECINITSID_UNLABELED
;
250 sbsec
->def_sid
= SECINITSID_FILE
;
251 sbsec
->mntpoint_sid
= SECINITSID_UNLABELED
;
252 sb
->s_security
= sbsec
;
257 static void superblock_free_security(struct super_block
*sb
)
259 struct superblock_security_struct
*sbsec
= sb
->s_security
;
261 spin_lock(&sb_security_lock
);
262 if (!list_empty(&sbsec
->list
))
263 list_del_init(&sbsec
->list
);
264 spin_unlock(&sb_security_lock
);
266 sb
->s_security
= NULL
;
270 static int sk_alloc_security(struct sock
*sk
, int family
, gfp_t priority
)
272 struct sk_security_struct
*ssec
;
274 ssec
= kzalloc(sizeof(*ssec
), priority
);
278 ssec
->peer_sid
= SECINITSID_UNLABELED
;
279 ssec
->sid
= SECINITSID_UNLABELED
;
280 sk
->sk_security
= ssec
;
282 selinux_netlbl_sk_security_reset(ssec
, family
);
287 static void sk_free_security(struct sock
*sk
)
289 struct sk_security_struct
*ssec
= sk
->sk_security
;
291 sk
->sk_security
= NULL
;
295 /* The security server must be initialized before
296 any labeling or access decisions can be provided. */
297 extern int ss_initialized
;
299 /* The file system's label must be initialized prior to use. */
301 static char *labeling_behaviors
[6] = {
303 "uses transition SIDs",
305 "uses genfs_contexts",
306 "not configured for labeling",
307 "uses mountpoint labeling",
310 static int inode_doinit_with_dentry(struct inode
*inode
, struct dentry
*opt_dentry
);
312 static inline int inode_doinit(struct inode
*inode
)
314 return inode_doinit_with_dentry(inode
, NULL
);
325 static match_table_t tokens
= {
326 {Opt_context
, CONTEXT_STR
"%s"},
327 {Opt_fscontext
, FSCONTEXT_STR
"%s"},
328 {Opt_defcontext
, DEFCONTEXT_STR
"%s"},
329 {Opt_rootcontext
, ROOTCONTEXT_STR
"%s"},
333 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
335 static int may_context_mount_sb_relabel(u32 sid
,
336 struct superblock_security_struct
*sbsec
,
337 struct task_security_struct
*tsec
)
341 rc
= avc_has_perm(tsec
->sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
342 FILESYSTEM__RELABELFROM
, NULL
);
346 rc
= avc_has_perm(tsec
->sid
, sid
, SECCLASS_FILESYSTEM
,
347 FILESYSTEM__RELABELTO
, NULL
);
351 static int may_context_mount_inode_relabel(u32 sid
,
352 struct superblock_security_struct
*sbsec
,
353 struct task_security_struct
*tsec
)
356 rc
= avc_has_perm(tsec
->sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
357 FILESYSTEM__RELABELFROM
, NULL
);
361 rc
= avc_has_perm(sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
362 FILESYSTEM__ASSOCIATE
, NULL
);
366 static int sb_finish_set_opts(struct super_block
*sb
)
368 struct superblock_security_struct
*sbsec
= sb
->s_security
;
369 struct dentry
*root
= sb
->s_root
;
370 struct inode
*root_inode
= root
->d_inode
;
373 if (sbsec
->behavior
== SECURITY_FS_USE_XATTR
) {
374 /* Make sure that the xattr handler exists and that no
375 error other than -ENODATA is returned by getxattr on
376 the root directory. -ENODATA is ok, as this may be
377 the first boot of the SELinux kernel before we have
378 assigned xattr values to the filesystem. */
379 if (!root_inode
->i_op
->getxattr
) {
380 printk(KERN_WARNING
"SELinux: (dev %s, type %s) has no "
381 "xattr support\n", sb
->s_id
, sb
->s_type
->name
);
385 rc
= root_inode
->i_op
->getxattr(root
, XATTR_NAME_SELINUX
, NULL
, 0);
386 if (rc
< 0 && rc
!= -ENODATA
) {
387 if (rc
== -EOPNOTSUPP
)
388 printk(KERN_WARNING
"SELinux: (dev %s, type "
389 "%s) has no security xattr handler\n",
390 sb
->s_id
, sb
->s_type
->name
);
392 printk(KERN_WARNING
"SELinux: (dev %s, type "
393 "%s) getxattr errno %d\n", sb
->s_id
,
394 sb
->s_type
->name
, -rc
);
399 sbsec
->initialized
= 1;
401 if (sbsec
->behavior
> ARRAY_SIZE(labeling_behaviors
))
402 printk(KERN_ERR
"SELinux: initialized (dev %s, type %s), unknown behavior\n",
403 sb
->s_id
, sb
->s_type
->name
);
405 printk(KERN_DEBUG
"SELinux: initialized (dev %s, type %s), %s\n",
406 sb
->s_id
, sb
->s_type
->name
,
407 labeling_behaviors
[sbsec
->behavior
-1]);
409 /* Initialize the root inode. */
410 rc
= inode_doinit_with_dentry(root_inode
, root
);
412 /* Initialize any other inodes associated with the superblock, e.g.
413 inodes created prior to initial policy load or inodes created
414 during get_sb by a pseudo filesystem that directly
416 spin_lock(&sbsec
->isec_lock
);
418 if (!list_empty(&sbsec
->isec_head
)) {
419 struct inode_security_struct
*isec
=
420 list_entry(sbsec
->isec_head
.next
,
421 struct inode_security_struct
, list
);
422 struct inode
*inode
= isec
->inode
;
423 spin_unlock(&sbsec
->isec_lock
);
424 inode
= igrab(inode
);
426 if (!IS_PRIVATE(inode
))
430 spin_lock(&sbsec
->isec_lock
);
431 list_del_init(&isec
->list
);
434 spin_unlock(&sbsec
->isec_lock
);
440 * This function should allow an FS to ask what it's mount security
441 * options were so it can use those later for submounts, displaying
442 * mount options, or whatever.
444 static int selinux_get_mnt_opts(const struct super_block
*sb
,
445 struct security_mnt_opts
*opts
)
448 struct superblock_security_struct
*sbsec
= sb
->s_security
;
449 char *context
= NULL
;
453 security_init_mnt_opts(opts
);
455 if (!sbsec
->initialized
)
462 * if we ever use sbsec flags for anything other than tracking mount
463 * settings this is going to need a mask
466 /* count the number of mount options for this sb */
467 for (i
= 0; i
< 8; i
++) {
469 opts
->num_mnt_opts
++;
473 opts
->mnt_opts
= kcalloc(opts
->num_mnt_opts
, sizeof(char *), GFP_ATOMIC
);
474 if (!opts
->mnt_opts
) {
479 opts
->mnt_opts_flags
= kcalloc(opts
->num_mnt_opts
, sizeof(int), GFP_ATOMIC
);
480 if (!opts
->mnt_opts_flags
) {
486 if (sbsec
->flags
& FSCONTEXT_MNT
) {
487 rc
= security_sid_to_context(sbsec
->sid
, &context
, &len
);
490 opts
->mnt_opts
[i
] = context
;
491 opts
->mnt_opts_flags
[i
++] = FSCONTEXT_MNT
;
493 if (sbsec
->flags
& CONTEXT_MNT
) {
494 rc
= security_sid_to_context(sbsec
->mntpoint_sid
, &context
, &len
);
497 opts
->mnt_opts
[i
] = context
;
498 opts
->mnt_opts_flags
[i
++] = CONTEXT_MNT
;
500 if (sbsec
->flags
& DEFCONTEXT_MNT
) {
501 rc
= security_sid_to_context(sbsec
->def_sid
, &context
, &len
);
504 opts
->mnt_opts
[i
] = context
;
505 opts
->mnt_opts_flags
[i
++] = DEFCONTEXT_MNT
;
507 if (sbsec
->flags
& ROOTCONTEXT_MNT
) {
508 struct inode
*root
= sbsec
->sb
->s_root
->d_inode
;
509 struct inode_security_struct
*isec
= root
->i_security
;
511 rc
= security_sid_to_context(isec
->sid
, &context
, &len
);
514 opts
->mnt_opts
[i
] = context
;
515 opts
->mnt_opts_flags
[i
++] = ROOTCONTEXT_MNT
;
518 BUG_ON(i
!= opts
->num_mnt_opts
);
523 security_free_mnt_opts(opts
);
527 static int bad_option(struct superblock_security_struct
*sbsec
, char flag
,
528 u32 old_sid
, u32 new_sid
)
530 /* check if the old mount command had the same options */
531 if (sbsec
->initialized
)
532 if (!(sbsec
->flags
& flag
) ||
533 (old_sid
!= new_sid
))
536 /* check if we were passed the same options twice,
537 * aka someone passed context=a,context=b
539 if (!sbsec
->initialized
)
540 if (sbsec
->flags
& flag
)
546 * Allow filesystems with binary mount data to explicitly set mount point
547 * labeling information.
549 static int selinux_set_mnt_opts(struct super_block
*sb
,
550 struct security_mnt_opts
*opts
)
553 struct task_security_struct
*tsec
= current
->security
;
554 struct superblock_security_struct
*sbsec
= sb
->s_security
;
555 const char *name
= sb
->s_type
->name
;
556 struct inode
*inode
= sbsec
->sb
->s_root
->d_inode
;
557 struct inode_security_struct
*root_isec
= inode
->i_security
;
558 u32 fscontext_sid
= 0, context_sid
= 0, rootcontext_sid
= 0;
559 u32 defcontext_sid
= 0;
560 char **mount_options
= opts
->mnt_opts
;
561 int *flags
= opts
->mnt_opts_flags
;
562 int num_opts
= opts
->num_mnt_opts
;
564 mutex_lock(&sbsec
->lock
);
566 if (!ss_initialized
) {
568 /* Defer initialization until selinux_complete_init,
569 after the initial policy is loaded and the security
570 server is ready to handle calls. */
571 spin_lock(&sb_security_lock
);
572 if (list_empty(&sbsec
->list
))
573 list_add(&sbsec
->list
, &superblock_security_head
);
574 spin_unlock(&sb_security_lock
);
578 printk(KERN_WARNING
"SELinux: Unable to set superblock options "
579 "before the security server is initialized\n");
584 * Binary mount data FS will come through this function twice. Once
585 * from an explicit call and once from the generic calls from the vfs.
586 * Since the generic VFS calls will not contain any security mount data
587 * we need to skip the double mount verification.
589 * This does open a hole in which we will not notice if the first
590 * mount using this sb set explict options and a second mount using
591 * this sb does not set any security options. (The first options
592 * will be used for both mounts)
594 if (sbsec
->initialized
&& (sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
)
599 * parse the mount options, check if they are valid sids.
600 * also check if someone is trying to mount the same sb more
601 * than once with different security options.
603 for (i
= 0; i
< num_opts
; i
++) {
605 rc
= security_context_to_sid(mount_options
[i
],
606 strlen(mount_options
[i
]), &sid
);
608 printk(KERN_WARNING
"SELinux: security_context_to_sid"
609 "(%s) failed for (dev %s, type %s) errno=%d\n",
610 mount_options
[i
], sb
->s_id
, name
, rc
);
617 if (bad_option(sbsec
, FSCONTEXT_MNT
, sbsec
->sid
,
619 goto out_double_mount
;
621 sbsec
->flags
|= FSCONTEXT_MNT
;
626 if (bad_option(sbsec
, CONTEXT_MNT
, sbsec
->mntpoint_sid
,
628 goto out_double_mount
;
630 sbsec
->flags
|= CONTEXT_MNT
;
632 case ROOTCONTEXT_MNT
:
633 rootcontext_sid
= sid
;
635 if (bad_option(sbsec
, ROOTCONTEXT_MNT
, root_isec
->sid
,
637 goto out_double_mount
;
639 sbsec
->flags
|= ROOTCONTEXT_MNT
;
643 defcontext_sid
= sid
;
645 if (bad_option(sbsec
, DEFCONTEXT_MNT
, sbsec
->def_sid
,
647 goto out_double_mount
;
649 sbsec
->flags
|= DEFCONTEXT_MNT
;
658 if (sbsec
->initialized
) {
659 /* previously mounted with options, but not on this attempt? */
660 if (sbsec
->flags
&& !num_opts
)
661 goto out_double_mount
;
666 if (strcmp(sb
->s_type
->name
, "proc") == 0)
669 /* Determine the labeling behavior to use for this filesystem type. */
670 rc
= security_fs_use(sb
->s_type
->name
, &sbsec
->behavior
, &sbsec
->sid
);
672 printk(KERN_WARNING
"%s: security_fs_use(%s) returned %d\n",
673 __func__
, sb
->s_type
->name
, rc
);
677 /* sets the context of the superblock for the fs being mounted. */
680 rc
= may_context_mount_sb_relabel(fscontext_sid
, sbsec
, tsec
);
684 sbsec
->sid
= fscontext_sid
;
688 * Switch to using mount point labeling behavior.
689 * sets the label used on all file below the mountpoint, and will set
690 * the superblock context if not already set.
693 if (!fscontext_sid
) {
694 rc
= may_context_mount_sb_relabel(context_sid
, sbsec
, tsec
);
697 sbsec
->sid
= context_sid
;
699 rc
= may_context_mount_inode_relabel(context_sid
, sbsec
, tsec
);
703 if (!rootcontext_sid
)
704 rootcontext_sid
= context_sid
;
706 sbsec
->mntpoint_sid
= context_sid
;
707 sbsec
->behavior
= SECURITY_FS_USE_MNTPOINT
;
710 if (rootcontext_sid
) {
711 rc
= may_context_mount_inode_relabel(rootcontext_sid
, sbsec
, tsec
);
715 root_isec
->sid
= rootcontext_sid
;
716 root_isec
->initialized
= 1;
719 if (defcontext_sid
) {
720 if (sbsec
->behavior
!= SECURITY_FS_USE_XATTR
) {
722 printk(KERN_WARNING
"SELinux: defcontext option is "
723 "invalid for this filesystem type\n");
727 if (defcontext_sid
!= sbsec
->def_sid
) {
728 rc
= may_context_mount_inode_relabel(defcontext_sid
,
734 sbsec
->def_sid
= defcontext_sid
;
737 rc
= sb_finish_set_opts(sb
);
739 mutex_unlock(&sbsec
->lock
);
743 printk(KERN_WARNING
"SELinux: mount invalid. Same superblock, different "
744 "security settings for (dev %s, type %s)\n", sb
->s_id
, name
);
748 static void selinux_sb_clone_mnt_opts(const struct super_block
*oldsb
,
749 struct super_block
*newsb
)
751 const struct superblock_security_struct
*oldsbsec
= oldsb
->s_security
;
752 struct superblock_security_struct
*newsbsec
= newsb
->s_security
;
754 int set_fscontext
= (oldsbsec
->flags
& FSCONTEXT_MNT
);
755 int set_context
= (oldsbsec
->flags
& CONTEXT_MNT
);
756 int set_rootcontext
= (oldsbsec
->flags
& ROOTCONTEXT_MNT
);
758 /* we can't error, we can't save the info, this shouldn't get called
759 * this early in the boot process. */
760 BUG_ON(!ss_initialized
);
762 /* how can we clone if the old one wasn't set up?? */
763 BUG_ON(!oldsbsec
->initialized
);
765 /* if fs is reusing a sb, just let its options stand... */
766 if (newsbsec
->initialized
)
769 mutex_lock(&newsbsec
->lock
);
771 newsbsec
->flags
= oldsbsec
->flags
;
773 newsbsec
->sid
= oldsbsec
->sid
;
774 newsbsec
->def_sid
= oldsbsec
->def_sid
;
775 newsbsec
->behavior
= oldsbsec
->behavior
;
778 u32 sid
= oldsbsec
->mntpoint_sid
;
782 if (!set_rootcontext
) {
783 struct inode
*newinode
= newsb
->s_root
->d_inode
;
784 struct inode_security_struct
*newisec
= newinode
->i_security
;
787 newsbsec
->mntpoint_sid
= sid
;
789 if (set_rootcontext
) {
790 const struct inode
*oldinode
= oldsb
->s_root
->d_inode
;
791 const struct inode_security_struct
*oldisec
= oldinode
->i_security
;
792 struct inode
*newinode
= newsb
->s_root
->d_inode
;
793 struct inode_security_struct
*newisec
= newinode
->i_security
;
795 newisec
->sid
= oldisec
->sid
;
798 sb_finish_set_opts(newsb
);
799 mutex_unlock(&newsbsec
->lock
);
802 static int selinux_parse_opts_str(char *options
,
803 struct security_mnt_opts
*opts
)
806 char *context
= NULL
, *defcontext
= NULL
;
807 char *fscontext
= NULL
, *rootcontext
= NULL
;
808 int rc
, num_mnt_opts
= 0;
810 opts
->num_mnt_opts
= 0;
812 /* Standard string-based options. */
813 while ((p
= strsep(&options
, "|")) != NULL
) {
815 substring_t args
[MAX_OPT_ARGS
];
820 token
= match_token(p
, tokens
, args
);
824 if (context
|| defcontext
) {
826 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
829 context
= match_strdup(&args
[0]);
839 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
842 fscontext
= match_strdup(&args
[0]);
849 case Opt_rootcontext
:
852 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
855 rootcontext
= match_strdup(&args
[0]);
863 if (context
|| defcontext
) {
865 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
868 defcontext
= match_strdup(&args
[0]);
877 printk(KERN_WARNING
"SELinux: unknown mount option\n");
884 opts
->mnt_opts
= kcalloc(NUM_SEL_MNT_OPTS
, sizeof(char *), GFP_ATOMIC
);
888 opts
->mnt_opts_flags
= kcalloc(NUM_SEL_MNT_OPTS
, sizeof(int), GFP_ATOMIC
);
889 if (!opts
->mnt_opts_flags
) {
890 kfree(opts
->mnt_opts
);
895 opts
->mnt_opts
[num_mnt_opts
] = fscontext
;
896 opts
->mnt_opts_flags
[num_mnt_opts
++] = FSCONTEXT_MNT
;
899 opts
->mnt_opts
[num_mnt_opts
] = context
;
900 opts
->mnt_opts_flags
[num_mnt_opts
++] = CONTEXT_MNT
;
903 opts
->mnt_opts
[num_mnt_opts
] = rootcontext
;
904 opts
->mnt_opts_flags
[num_mnt_opts
++] = ROOTCONTEXT_MNT
;
907 opts
->mnt_opts
[num_mnt_opts
] = defcontext
;
908 opts
->mnt_opts_flags
[num_mnt_opts
++] = DEFCONTEXT_MNT
;
911 opts
->num_mnt_opts
= num_mnt_opts
;
922 * string mount options parsing and call set the sbsec
924 static int superblock_doinit(struct super_block
*sb
, void *data
)
927 char *options
= data
;
928 struct security_mnt_opts opts
;
930 security_init_mnt_opts(&opts
);
935 BUG_ON(sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
);
937 rc
= selinux_parse_opts_str(options
, &opts
);
942 rc
= selinux_set_mnt_opts(sb
, &opts
);
945 security_free_mnt_opts(&opts
);
949 static inline u16
inode_mode_to_security_class(umode_t mode
)
951 switch (mode
& S_IFMT
) {
953 return SECCLASS_SOCK_FILE
;
955 return SECCLASS_LNK_FILE
;
957 return SECCLASS_FILE
;
959 return SECCLASS_BLK_FILE
;
963 return SECCLASS_CHR_FILE
;
965 return SECCLASS_FIFO_FILE
;
969 return SECCLASS_FILE
;
972 static inline int default_protocol_stream(int protocol
)
974 return (protocol
== IPPROTO_IP
|| protocol
== IPPROTO_TCP
);
977 static inline int default_protocol_dgram(int protocol
)
979 return (protocol
== IPPROTO_IP
|| protocol
== IPPROTO_UDP
);
982 static inline u16
socket_type_to_security_class(int family
, int type
, int protocol
)
989 return SECCLASS_UNIX_STREAM_SOCKET
;
991 return SECCLASS_UNIX_DGRAM_SOCKET
;
998 if (default_protocol_stream(protocol
))
999 return SECCLASS_TCP_SOCKET
;
1001 return SECCLASS_RAWIP_SOCKET
;
1003 if (default_protocol_dgram(protocol
))
1004 return SECCLASS_UDP_SOCKET
;
1006 return SECCLASS_RAWIP_SOCKET
;
1008 return SECCLASS_DCCP_SOCKET
;
1010 return SECCLASS_RAWIP_SOCKET
;
1016 return SECCLASS_NETLINK_ROUTE_SOCKET
;
1017 case NETLINK_FIREWALL
:
1018 return SECCLASS_NETLINK_FIREWALL_SOCKET
;
1019 case NETLINK_INET_DIAG
:
1020 return SECCLASS_NETLINK_TCPDIAG_SOCKET
;
1022 return SECCLASS_NETLINK_NFLOG_SOCKET
;
1024 return SECCLASS_NETLINK_XFRM_SOCKET
;
1025 case NETLINK_SELINUX
:
1026 return SECCLASS_NETLINK_SELINUX_SOCKET
;
1028 return SECCLASS_NETLINK_AUDIT_SOCKET
;
1029 case NETLINK_IP6_FW
:
1030 return SECCLASS_NETLINK_IP6FW_SOCKET
;
1031 case NETLINK_DNRTMSG
:
1032 return SECCLASS_NETLINK_DNRT_SOCKET
;
1033 case NETLINK_KOBJECT_UEVENT
:
1034 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET
;
1036 return SECCLASS_NETLINK_SOCKET
;
1039 return SECCLASS_PACKET_SOCKET
;
1041 return SECCLASS_KEY_SOCKET
;
1043 return SECCLASS_APPLETALK_SOCKET
;
1046 return SECCLASS_SOCKET
;
1049 #ifdef CONFIG_PROC_FS
1050 static int selinux_proc_get_sid(struct proc_dir_entry
*de
,
1055 char *buffer
, *path
, *end
;
1057 buffer
= (char *)__get_free_page(GFP_KERNEL
);
1062 end
= buffer
+buflen
;
1067 while (de
&& de
!= de
->parent
) {
1068 buflen
-= de
->namelen
+ 1;
1072 memcpy(end
, de
->name
, de
->namelen
);
1077 rc
= security_genfs_sid("proc", path
, tclass
, sid
);
1078 free_page((unsigned long)buffer
);
1082 static int selinux_proc_get_sid(struct proc_dir_entry
*de
,
1090 /* The inode's security attributes must be initialized before first use. */
1091 static int inode_doinit_with_dentry(struct inode
*inode
, struct dentry
*opt_dentry
)
1093 struct superblock_security_struct
*sbsec
= NULL
;
1094 struct inode_security_struct
*isec
= inode
->i_security
;
1096 struct dentry
*dentry
;
1097 #define INITCONTEXTLEN 255
1098 char *context
= NULL
;
1102 if (isec
->initialized
)
1105 mutex_lock(&isec
->lock
);
1106 if (isec
->initialized
)
1109 sbsec
= inode
->i_sb
->s_security
;
1110 if (!sbsec
->initialized
) {
1111 /* Defer initialization until selinux_complete_init,
1112 after the initial policy is loaded and the security
1113 server is ready to handle calls. */
1114 spin_lock(&sbsec
->isec_lock
);
1115 if (list_empty(&isec
->list
))
1116 list_add(&isec
->list
, &sbsec
->isec_head
);
1117 spin_unlock(&sbsec
->isec_lock
);
1121 switch (sbsec
->behavior
) {
1122 case SECURITY_FS_USE_XATTR
:
1123 if (!inode
->i_op
->getxattr
) {
1124 isec
->sid
= sbsec
->def_sid
;
1128 /* Need a dentry, since the xattr API requires one.
1129 Life would be simpler if we could just pass the inode. */
1131 /* Called from d_instantiate or d_splice_alias. */
1132 dentry
= dget(opt_dentry
);
1134 /* Called from selinux_complete_init, try to find a dentry. */
1135 dentry
= d_find_alias(inode
);
1138 printk(KERN_WARNING
"SELinux: %s: no dentry for dev=%s "
1139 "ino=%ld\n", __func__
, inode
->i_sb
->s_id
,
1144 len
= INITCONTEXTLEN
;
1145 context
= kmalloc(len
, GFP_NOFS
);
1151 rc
= inode
->i_op
->getxattr(dentry
, XATTR_NAME_SELINUX
,
1153 if (rc
== -ERANGE
) {
1154 /* Need a larger buffer. Query for the right size. */
1155 rc
= inode
->i_op
->getxattr(dentry
, XATTR_NAME_SELINUX
,
1163 context
= kmalloc(len
, GFP_NOFS
);
1169 rc
= inode
->i_op
->getxattr(dentry
,
1175 if (rc
!= -ENODATA
) {
1176 printk(KERN_WARNING
"SELinux: %s: getxattr returned "
1177 "%d for dev=%s ino=%ld\n", __func__
,
1178 -rc
, inode
->i_sb
->s_id
, inode
->i_ino
);
1182 /* Map ENODATA to the default file SID */
1183 sid
= sbsec
->def_sid
;
1186 rc
= security_context_to_sid_default(context
, rc
, &sid
,
1190 printk(KERN_WARNING
"SELinux: %s: context_to_sid(%s) "
1191 "returned %d for dev=%s ino=%ld\n",
1192 __func__
, context
, -rc
,
1193 inode
->i_sb
->s_id
, inode
->i_ino
);
1195 /* Leave with the unlabeled SID */
1203 case SECURITY_FS_USE_TASK
:
1204 isec
->sid
= isec
->task_sid
;
1206 case SECURITY_FS_USE_TRANS
:
1207 /* Default to the fs SID. */
1208 isec
->sid
= sbsec
->sid
;
1210 /* Try to obtain a transition SID. */
1211 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
1212 rc
= security_transition_sid(isec
->task_sid
,
1220 case SECURITY_FS_USE_MNTPOINT
:
1221 isec
->sid
= sbsec
->mntpoint_sid
;
1224 /* Default to the fs superblock SID. */
1225 isec
->sid
= sbsec
->sid
;
1228 struct proc_inode
*proci
= PROC_I(inode
);
1230 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
1231 rc
= selinux_proc_get_sid(proci
->pde
,
1242 isec
->initialized
= 1;
1245 mutex_unlock(&isec
->lock
);
1247 if (isec
->sclass
== SECCLASS_FILE
)
1248 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
1252 /* Convert a Linux signal to an access vector. */
1253 static inline u32
signal_to_av(int sig
)
1259 /* Commonly granted from child to parent. */
1260 perm
= PROCESS__SIGCHLD
;
1263 /* Cannot be caught or ignored */
1264 perm
= PROCESS__SIGKILL
;
1267 /* Cannot be caught or ignored */
1268 perm
= PROCESS__SIGSTOP
;
1271 /* All other signals. */
1272 perm
= PROCESS__SIGNAL
;
1279 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1280 fork check, ptrace check, etc. */
1281 static int task_has_perm(struct task_struct
*tsk1
,
1282 struct task_struct
*tsk2
,
1285 struct task_security_struct
*tsec1
, *tsec2
;
1287 tsec1
= tsk1
->security
;
1288 tsec2
= tsk2
->security
;
1289 return avc_has_perm(tsec1
->sid
, tsec2
->sid
,
1290 SECCLASS_PROCESS
, perms
, NULL
);
1293 #if CAP_LAST_CAP > 63
1294 #error Fix SELinux to handle capabilities > 63.
1297 /* Check whether a task is allowed to use a capability. */
1298 static int task_has_capability(struct task_struct
*tsk
,
1301 struct task_security_struct
*tsec
;
1302 struct avc_audit_data ad
;
1304 u32 av
= CAP_TO_MASK(cap
);
1306 tsec
= tsk
->security
;
1308 AVC_AUDIT_DATA_INIT(&ad
, CAP
);
1312 switch (CAP_TO_INDEX(cap
)) {
1314 sclass
= SECCLASS_CAPABILITY
;
1317 sclass
= SECCLASS_CAPABILITY2
;
1321 "SELinux: out of range capability %d\n", cap
);
1324 return avc_has_perm(tsec
->sid
, tsec
->sid
, sclass
, av
, &ad
);
1327 /* Check whether a task is allowed to use a system operation. */
1328 static int task_has_system(struct task_struct
*tsk
,
1331 struct task_security_struct
*tsec
;
1333 tsec
= tsk
->security
;
1335 return avc_has_perm(tsec
->sid
, SECINITSID_KERNEL
,
1336 SECCLASS_SYSTEM
, perms
, NULL
);
1339 /* Check whether a task has a particular permission to an inode.
1340 The 'adp' parameter is optional and allows other audit
1341 data to be passed (e.g. the dentry). */
1342 static int inode_has_perm(struct task_struct
*tsk
,
1343 struct inode
*inode
,
1345 struct avc_audit_data
*adp
)
1347 struct task_security_struct
*tsec
;
1348 struct inode_security_struct
*isec
;
1349 struct avc_audit_data ad
;
1351 if (unlikely(IS_PRIVATE(inode
)))
1354 tsec
= tsk
->security
;
1355 isec
= inode
->i_security
;
1359 AVC_AUDIT_DATA_INIT(&ad
, FS
);
1360 ad
.u
.fs
.inode
= inode
;
1363 return avc_has_perm(tsec
->sid
, isec
->sid
, isec
->sclass
, perms
, adp
);
1366 /* Same as inode_has_perm, but pass explicit audit data containing
1367 the dentry to help the auditing code to more easily generate the
1368 pathname if needed. */
1369 static inline int dentry_has_perm(struct task_struct
*tsk
,
1370 struct vfsmount
*mnt
,
1371 struct dentry
*dentry
,
1374 struct inode
*inode
= dentry
->d_inode
;
1375 struct avc_audit_data ad
;
1376 AVC_AUDIT_DATA_INIT(&ad
, FS
);
1377 ad
.u
.fs
.path
.mnt
= mnt
;
1378 ad
.u
.fs
.path
.dentry
= dentry
;
1379 return inode_has_perm(tsk
, inode
, av
, &ad
);
1382 /* Check whether a task can use an open file descriptor to
1383 access an inode in a given way. Check access to the
1384 descriptor itself, and then use dentry_has_perm to
1385 check a particular permission to the file.
1386 Access to the descriptor is implicitly granted if it
1387 has the same SID as the process. If av is zero, then
1388 access to the file is not checked, e.g. for cases
1389 where only the descriptor is affected like seek. */
1390 static int file_has_perm(struct task_struct
*tsk
,
1394 struct task_security_struct
*tsec
= tsk
->security
;
1395 struct file_security_struct
*fsec
= file
->f_security
;
1396 struct inode
*inode
= file
->f_path
.dentry
->d_inode
;
1397 struct avc_audit_data ad
;
1400 AVC_AUDIT_DATA_INIT(&ad
, FS
);
1401 ad
.u
.fs
.path
= file
->f_path
;
1403 if (tsec
->sid
!= fsec
->sid
) {
1404 rc
= avc_has_perm(tsec
->sid
, fsec
->sid
,
1412 /* av is zero if only checking access to the descriptor. */
1414 return inode_has_perm(tsk
, inode
, av
, &ad
);
1419 /* Check whether a task can create a file. */
1420 static int may_create(struct inode
*dir
,
1421 struct dentry
*dentry
,
1424 struct task_security_struct
*tsec
;
1425 struct inode_security_struct
*dsec
;
1426 struct superblock_security_struct
*sbsec
;
1428 struct avc_audit_data ad
;
1431 tsec
= current
->security
;
1432 dsec
= dir
->i_security
;
1433 sbsec
= dir
->i_sb
->s_security
;
1435 AVC_AUDIT_DATA_INIT(&ad
, FS
);
1436 ad
.u
.fs
.path
.dentry
= dentry
;
1438 rc
= avc_has_perm(tsec
->sid
, dsec
->sid
, SECCLASS_DIR
,
1439 DIR__ADD_NAME
| DIR__SEARCH
,
1444 if (tsec
->create_sid
&& sbsec
->behavior
!= SECURITY_FS_USE_MNTPOINT
) {
1445 newsid
= tsec
->create_sid
;
1447 rc
= security_transition_sid(tsec
->sid
, dsec
->sid
, tclass
,
1453 rc
= avc_has_perm(tsec
->sid
, newsid
, tclass
, FILE__CREATE
, &ad
);
1457 return avc_has_perm(newsid
, sbsec
->sid
,
1458 SECCLASS_FILESYSTEM
,
1459 FILESYSTEM__ASSOCIATE
, &ad
);
1462 /* Check whether a task can create a key. */
1463 static int may_create_key(u32 ksid
,
1464 struct task_struct
*ctx
)
1466 struct task_security_struct
*tsec
;
1468 tsec
= ctx
->security
;
1470 return avc_has_perm(tsec
->sid
, ksid
, SECCLASS_KEY
, KEY__CREATE
, NULL
);
1474 #define MAY_UNLINK 1
1477 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1478 static int may_link(struct inode
*dir
,
1479 struct dentry
*dentry
,
1483 struct task_security_struct
*tsec
;
1484 struct inode_security_struct
*dsec
, *isec
;
1485 struct avc_audit_data ad
;
1489 tsec
= current
->security
;
1490 dsec
= dir
->i_security
;
1491 isec
= dentry
->d_inode
->i_security
;
1493 AVC_AUDIT_DATA_INIT(&ad
, FS
);
1494 ad
.u
.fs
.path
.dentry
= dentry
;
1497 av
|= (kind
? DIR__REMOVE_NAME
: DIR__ADD_NAME
);
1498 rc
= avc_has_perm(tsec
->sid
, dsec
->sid
, SECCLASS_DIR
, av
, &ad
);
1513 printk(KERN_WARNING
"SELinux: %s: unrecognized kind %d\n",
1518 rc
= avc_has_perm(tsec
->sid
, isec
->sid
, isec
->sclass
, av
, &ad
);
1522 static inline int may_rename(struct inode
*old_dir
,
1523 struct dentry
*old_dentry
,
1524 struct inode
*new_dir
,
1525 struct dentry
*new_dentry
)
1527 struct task_security_struct
*tsec
;
1528 struct inode_security_struct
*old_dsec
, *new_dsec
, *old_isec
, *new_isec
;
1529 struct avc_audit_data ad
;
1531 int old_is_dir
, new_is_dir
;
1534 tsec
= current
->security
;
1535 old_dsec
= old_dir
->i_security
;
1536 old_isec
= old_dentry
->d_inode
->i_security
;
1537 old_is_dir
= S_ISDIR(old_dentry
->d_inode
->i_mode
);
1538 new_dsec
= new_dir
->i_security
;
1540 AVC_AUDIT_DATA_INIT(&ad
, FS
);
1542 ad
.u
.fs
.path
.dentry
= old_dentry
;
1543 rc
= avc_has_perm(tsec
->sid
, old_dsec
->sid
, SECCLASS_DIR
,
1544 DIR__REMOVE_NAME
| DIR__SEARCH
, &ad
);
1547 rc
= avc_has_perm(tsec
->sid
, old_isec
->sid
,
1548 old_isec
->sclass
, FILE__RENAME
, &ad
);
1551 if (old_is_dir
&& new_dir
!= old_dir
) {
1552 rc
= avc_has_perm(tsec
->sid
, old_isec
->sid
,
1553 old_isec
->sclass
, DIR__REPARENT
, &ad
);
1558 ad
.u
.fs
.path
.dentry
= new_dentry
;
1559 av
= DIR__ADD_NAME
| DIR__SEARCH
;
1560 if (new_dentry
->d_inode
)
1561 av
|= DIR__REMOVE_NAME
;
1562 rc
= avc_has_perm(tsec
->sid
, new_dsec
->sid
, SECCLASS_DIR
, av
, &ad
);
1565 if (new_dentry
->d_inode
) {
1566 new_isec
= new_dentry
->d_inode
->i_security
;
1567 new_is_dir
= S_ISDIR(new_dentry
->d_inode
->i_mode
);
1568 rc
= avc_has_perm(tsec
->sid
, new_isec
->sid
,
1570 (new_is_dir
? DIR__RMDIR
: FILE__UNLINK
), &ad
);
1578 /* Check whether a task can perform a filesystem operation. */
1579 static int superblock_has_perm(struct task_struct
*tsk
,
1580 struct super_block
*sb
,
1582 struct avc_audit_data
*ad
)
1584 struct task_security_struct
*tsec
;
1585 struct superblock_security_struct
*sbsec
;
1587 tsec
= tsk
->security
;
1588 sbsec
= sb
->s_security
;
1589 return avc_has_perm(tsec
->sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
1593 /* Convert a Linux mode and permission mask to an access vector. */
1594 static inline u32
file_mask_to_av(int mode
, int mask
)
1598 if ((mode
& S_IFMT
) != S_IFDIR
) {
1599 if (mask
& MAY_EXEC
)
1600 av
|= FILE__EXECUTE
;
1601 if (mask
& MAY_READ
)
1604 if (mask
& MAY_APPEND
)
1606 else if (mask
& MAY_WRITE
)
1610 if (mask
& MAY_EXEC
)
1612 if (mask
& MAY_WRITE
)
1614 if (mask
& MAY_READ
)
1622 * Convert a file mask to an access vector and include the correct open
1625 static inline u32
open_file_mask_to_av(int mode
, int mask
)
1627 u32 av
= file_mask_to_av(mode
, mask
);
1629 if (selinux_policycap_openperm
) {
1631 * lnk files and socks do not really have an 'open'
1635 else if (S_ISCHR(mode
))
1636 av
|= CHR_FILE__OPEN
;
1637 else if (S_ISBLK(mode
))
1638 av
|= BLK_FILE__OPEN
;
1639 else if (S_ISFIFO(mode
))
1640 av
|= FIFO_FILE__OPEN
;
1641 else if (S_ISDIR(mode
))
1644 printk(KERN_ERR
"SELinux: WARNING: inside %s with "
1645 "unknown mode:%x\n", __func__
, mode
);
1650 /* Convert a Linux file to an access vector. */
1651 static inline u32
file_to_av(struct file
*file
)
1655 if (file
->f_mode
& FMODE_READ
)
1657 if (file
->f_mode
& FMODE_WRITE
) {
1658 if (file
->f_flags
& O_APPEND
)
1665 * Special file opened with flags 3 for ioctl-only use.
1673 /* Hook functions begin here. */
1675 static int selinux_ptrace(struct task_struct
*parent
, struct task_struct
*child
)
1679 rc
= secondary_ops
->ptrace(parent
, child
);
1683 return task_has_perm(parent
, child
, PROCESS__PTRACE
);
1686 static int selinux_capget(struct task_struct
*target
, kernel_cap_t
*effective
,
1687 kernel_cap_t
*inheritable
, kernel_cap_t
*permitted
)
1691 error
= task_has_perm(current
, target
, PROCESS__GETCAP
);
1695 return secondary_ops
->capget(target
, effective
, inheritable
, permitted
);
1698 static int selinux_capset_check(struct task_struct
*target
, kernel_cap_t
*effective
,
1699 kernel_cap_t
*inheritable
, kernel_cap_t
*permitted
)
1703 error
= secondary_ops
->capset_check(target
, effective
, inheritable
, permitted
);
1707 return task_has_perm(current
, target
, PROCESS__SETCAP
);
1710 static void selinux_capset_set(struct task_struct
*target
, kernel_cap_t
*effective
,
1711 kernel_cap_t
*inheritable
, kernel_cap_t
*permitted
)
1713 secondary_ops
->capset_set(target
, effective
, inheritable
, permitted
);
1716 static int selinux_capable(struct task_struct
*tsk
, int cap
)
1720 rc
= secondary_ops
->capable(tsk
, cap
);
1724 return task_has_capability(tsk
, cap
);
1727 static int selinux_sysctl_get_sid(ctl_table
*table
, u16 tclass
, u32
*sid
)
1730 char *buffer
, *path
, *end
;
1733 buffer
= (char *)__get_free_page(GFP_KERNEL
);
1738 end
= buffer
+buflen
;
1744 const char *name
= table
->procname
;
1745 size_t namelen
= strlen(name
);
1746 buflen
-= namelen
+ 1;
1750 memcpy(end
, name
, namelen
);
1753 table
= table
->parent
;
1759 memcpy(end
, "/sys", 4);
1761 rc
= security_genfs_sid("proc", path
, tclass
, sid
);
1763 free_page((unsigned long)buffer
);
1768 static int selinux_sysctl(ctl_table
*table
, int op
)
1772 struct task_security_struct
*tsec
;
1776 rc
= secondary_ops
->sysctl(table
, op
);
1780 tsec
= current
->security
;
1782 rc
= selinux_sysctl_get_sid(table
, (op
== 0001) ?
1783 SECCLASS_DIR
: SECCLASS_FILE
, &tsid
);
1785 /* Default to the well-defined sysctl SID. */
1786 tsid
= SECINITSID_SYSCTL
;
1789 /* The op values are "defined" in sysctl.c, thereby creating
1790 * a bad coupling between this module and sysctl.c */
1792 error
= avc_has_perm(tsec
->sid
, tsid
,
1793 SECCLASS_DIR
, DIR__SEARCH
, NULL
);
1801 error
= avc_has_perm(tsec
->sid
, tsid
,
1802 SECCLASS_FILE
, av
, NULL
);
1808 static int selinux_quotactl(int cmds
, int type
, int id
, struct super_block
*sb
)
1821 rc
= superblock_has_perm(current
, sb
, FILESYSTEM__QUOTAMOD
,
1827 rc
= superblock_has_perm(current
, sb
, FILESYSTEM__QUOTAGET
,
1831 rc
= 0; /* let the kernel handle invalid cmds */
1837 static int selinux_quota_on(struct dentry
*dentry
)
1839 return dentry_has_perm(current
, NULL
, dentry
, FILE__QUOTAON
);
1842 static int selinux_syslog(int type
)
1846 rc
= secondary_ops
->syslog(type
);
1851 case 3: /* Read last kernel messages */
1852 case 10: /* Return size of the log buffer */
1853 rc
= task_has_system(current
, SYSTEM__SYSLOG_READ
);
1855 case 6: /* Disable logging to console */
1856 case 7: /* Enable logging to console */
1857 case 8: /* Set level of messages printed to console */
1858 rc
= task_has_system(current
, SYSTEM__SYSLOG_CONSOLE
);
1860 case 0: /* Close log */
1861 case 1: /* Open log */
1862 case 2: /* Read from log */
1863 case 4: /* Read/clear last kernel messages */
1864 case 5: /* Clear ring buffer */
1866 rc
= task_has_system(current
, SYSTEM__SYSLOG_MOD
);
1873 * Check that a process has enough memory to allocate a new virtual
1874 * mapping. 0 means there is enough memory for the allocation to
1875 * succeed and -ENOMEM implies there is not.
1877 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1878 * if the capability is granted, but __vm_enough_memory requires 1 if
1879 * the capability is granted.
1881 * Do not audit the selinux permission check, as this is applied to all
1882 * processes that allocate mappings.
1884 static int selinux_vm_enough_memory(struct mm_struct
*mm
, long pages
)
1886 int rc
, cap_sys_admin
= 0;
1887 struct task_security_struct
*tsec
= current
->security
;
1889 rc
= secondary_ops
->capable(current
, CAP_SYS_ADMIN
);
1891 rc
= avc_has_perm_noaudit(tsec
->sid
, tsec
->sid
,
1892 SECCLASS_CAPABILITY
,
1893 CAP_TO_MASK(CAP_SYS_ADMIN
),
1900 return __vm_enough_memory(mm
, pages
, cap_sys_admin
);
1904 * task_tracer_task - return the task that is tracing the given task
1905 * @task: task to consider
1907 * Returns NULL if noone is tracing @task, or the &struct task_struct
1908 * pointer to its tracer.
1910 * Must be called under rcu_read_lock().
1912 static struct task_struct
*task_tracer_task(struct task_struct
*task
)
1914 if (task
->ptrace
& PT_PTRACED
)
1915 return rcu_dereference(task
->parent
);
1919 /* binprm security operations */
1921 static int selinux_bprm_alloc_security(struct linux_binprm
*bprm
)
1923 struct bprm_security_struct
*bsec
;
1925 bsec
= kzalloc(sizeof(struct bprm_security_struct
), GFP_KERNEL
);
1929 bsec
->sid
= SECINITSID_UNLABELED
;
1932 bprm
->security
= bsec
;
1936 static int selinux_bprm_set_security(struct linux_binprm
*bprm
)
1938 struct task_security_struct
*tsec
;
1939 struct inode
*inode
= bprm
->file
->f_path
.dentry
->d_inode
;
1940 struct inode_security_struct
*isec
;
1941 struct bprm_security_struct
*bsec
;
1943 struct avc_audit_data ad
;
1946 rc
= secondary_ops
->bprm_set_security(bprm
);
1950 bsec
= bprm
->security
;
1955 tsec
= current
->security
;
1956 isec
= inode
->i_security
;
1958 /* Default to the current task SID. */
1959 bsec
->sid
= tsec
->sid
;
1961 /* Reset fs, key, and sock SIDs on execve. */
1962 tsec
->create_sid
= 0;
1963 tsec
->keycreate_sid
= 0;
1964 tsec
->sockcreate_sid
= 0;
1966 if (tsec
->exec_sid
) {
1967 newsid
= tsec
->exec_sid
;
1968 /* Reset exec SID on execve. */
1971 /* Check for a default transition on this program. */
1972 rc
= security_transition_sid(tsec
->sid
, isec
->sid
,
1973 SECCLASS_PROCESS
, &newsid
);
1978 AVC_AUDIT_DATA_INIT(&ad
, FS
);
1979 ad
.u
.fs
.path
= bprm
->file
->f_path
;
1981 if (bprm
->file
->f_path
.mnt
->mnt_flags
& MNT_NOSUID
)
1984 if (tsec
->sid
== newsid
) {
1985 rc
= avc_has_perm(tsec
->sid
, isec
->sid
,
1986 SECCLASS_FILE
, FILE__EXECUTE_NO_TRANS
, &ad
);
1990 /* Check permissions for the transition. */
1991 rc
= avc_has_perm(tsec
->sid
, newsid
,
1992 SECCLASS_PROCESS
, PROCESS__TRANSITION
, &ad
);
1996 rc
= avc_has_perm(newsid
, isec
->sid
,
1997 SECCLASS_FILE
, FILE__ENTRYPOINT
, &ad
);
2001 /* Clear any possibly unsafe personality bits on exec: */
2002 current
->personality
&= ~PER_CLEAR_ON_SETID
;
2004 /* Set the security field to the new SID. */
2012 static int selinux_bprm_check_security(struct linux_binprm
*bprm
)
2014 return secondary_ops
->bprm_check_security(bprm
);
2018 static int selinux_bprm_secureexec(struct linux_binprm
*bprm
)
2020 struct task_security_struct
*tsec
= current
->security
;
2023 if (tsec
->osid
!= tsec
->sid
) {
2024 /* Enable secure mode for SIDs transitions unless
2025 the noatsecure permission is granted between
2026 the two SIDs, i.e. ahp returns 0. */
2027 atsecure
= avc_has_perm(tsec
->osid
, tsec
->sid
,
2029 PROCESS__NOATSECURE
, NULL
);
2032 return (atsecure
|| secondary_ops
->bprm_secureexec(bprm
));
2035 static void selinux_bprm_free_security(struct linux_binprm
*bprm
)
2037 kfree(bprm
->security
);
2038 bprm
->security
= NULL
;
2041 extern struct vfsmount
*selinuxfs_mount
;
2042 extern struct dentry
*selinux_null
;
2044 /* Derived from fs/exec.c:flush_old_files. */
2045 static inline void flush_unauthorized_files(struct files_struct
*files
)
2047 struct avc_audit_data ad
;
2048 struct file
*file
, *devnull
= NULL
;
2049 struct tty_struct
*tty
;
2050 struct fdtable
*fdt
;
2054 mutex_lock(&tty_mutex
);
2055 tty
= get_current_tty();
2058 file
= list_entry(tty
->tty_files
.next
, typeof(*file
), f_u
.fu_list
);
2060 /* Revalidate access to controlling tty.
2061 Use inode_has_perm on the tty inode directly rather
2062 than using file_has_perm, as this particular open
2063 file may belong to another process and we are only
2064 interested in the inode-based check here. */
2065 struct inode
*inode
= file
->f_path
.dentry
->d_inode
;
2066 if (inode_has_perm(current
, inode
,
2067 FILE__READ
| FILE__WRITE
, NULL
)) {
2073 mutex_unlock(&tty_mutex
);
2074 /* Reset controlling tty. */
2078 /* Revalidate access to inherited open files. */
2080 AVC_AUDIT_DATA_INIT(&ad
, FS
);
2082 spin_lock(&files
->file_lock
);
2084 unsigned long set
, i
;
2089 fdt
= files_fdtable(files
);
2090 if (i
>= fdt
->max_fds
)
2092 set
= fdt
->open_fds
->fds_bits
[j
];
2095 spin_unlock(&files
->file_lock
);
2096 for ( ; set
; i
++, set
>>= 1) {
2101 if (file_has_perm(current
,
2103 file_to_av(file
))) {
2105 fd
= get_unused_fd();
2115 devnull
= dentry_open(dget(selinux_null
), mntget(selinuxfs_mount
), O_RDWR
);
2116 if (IS_ERR(devnull
)) {
2123 fd_install(fd
, devnull
);
2128 spin_lock(&files
->file_lock
);
2131 spin_unlock(&files
->file_lock
);
2134 static void selinux_bprm_apply_creds(struct linux_binprm
*bprm
, int unsafe
)
2136 struct task_security_struct
*tsec
;
2137 struct bprm_security_struct
*bsec
;
2141 secondary_ops
->bprm_apply_creds(bprm
, unsafe
);
2143 tsec
= current
->security
;
2145 bsec
= bprm
->security
;
2148 tsec
->osid
= tsec
->sid
;
2150 if (tsec
->sid
!= sid
) {
2151 /* Check for shared state. If not ok, leave SID
2152 unchanged and kill. */
2153 if (unsafe
& LSM_UNSAFE_SHARE
) {
2154 rc
= avc_has_perm(tsec
->sid
, sid
, SECCLASS_PROCESS
,
2155 PROCESS__SHARE
, NULL
);
2162 /* Check for ptracing, and update the task SID if ok.
2163 Otherwise, leave SID unchanged and kill. */
2164 if (unsafe
& (LSM_UNSAFE_PTRACE
| LSM_UNSAFE_PTRACE_CAP
)) {
2165 struct task_struct
*tracer
;
2166 struct task_security_struct
*sec
;
2170 tracer
= task_tracer_task(current
);
2171 if (likely(tracer
!= NULL
)) {
2172 sec
= tracer
->security
;
2178 rc
= avc_has_perm(ptsid
, sid
, SECCLASS_PROCESS
,
2179 PROCESS__PTRACE
, NULL
);
2191 * called after apply_creds without the task lock held
2193 static void selinux_bprm_post_apply_creds(struct linux_binprm
*bprm
)
2195 struct task_security_struct
*tsec
;
2196 struct rlimit
*rlim
, *initrlim
;
2197 struct itimerval itimer
;
2198 struct bprm_security_struct
*bsec
;
2201 tsec
= current
->security
;
2202 bsec
= bprm
->security
;
2205 force_sig_specific(SIGKILL
, current
);
2208 if (tsec
->osid
== tsec
->sid
)
2211 /* Close files for which the new task SID is not authorized. */
2212 flush_unauthorized_files(current
->files
);
2214 /* Check whether the new SID can inherit signal state
2215 from the old SID. If not, clear itimers to avoid
2216 subsequent signal generation and flush and unblock
2217 signals. This must occur _after_ the task SID has
2218 been updated so that any kill done after the flush
2219 will be checked against the new SID. */
2220 rc
= avc_has_perm(tsec
->osid
, tsec
->sid
, SECCLASS_PROCESS
,
2221 PROCESS__SIGINH
, NULL
);
2223 memset(&itimer
, 0, sizeof itimer
);
2224 for (i
= 0; i
< 3; i
++)
2225 do_setitimer(i
, &itimer
, NULL
);
2226 flush_signals(current
);
2227 spin_lock_irq(¤t
->sighand
->siglock
);
2228 flush_signal_handlers(current
, 1);
2229 sigemptyset(¤t
->blocked
);
2230 recalc_sigpending();
2231 spin_unlock_irq(¤t
->sighand
->siglock
);
2234 /* Always clear parent death signal on SID transitions. */
2235 current
->pdeath_signal
= 0;
2237 /* Check whether the new SID can inherit resource limits
2238 from the old SID. If not, reset all soft limits to
2239 the lower of the current task's hard limit and the init
2240 task's soft limit. Note that the setting of hard limits
2241 (even to lower them) can be controlled by the setrlimit
2242 check. The inclusion of the init task's soft limit into
2243 the computation is to avoid resetting soft limits higher
2244 than the default soft limit for cases where the default
2245 is lower than the hard limit, e.g. RLIMIT_CORE or
2247 rc
= avc_has_perm(tsec
->osid
, tsec
->sid
, SECCLASS_PROCESS
,
2248 PROCESS__RLIMITINH
, NULL
);
2250 for (i
= 0; i
< RLIM_NLIMITS
; i
++) {
2251 rlim
= current
->signal
->rlim
+ i
;
2252 initrlim
= init_task
.signal
->rlim
+i
;
2253 rlim
->rlim_cur
= min(rlim
->rlim_max
, initrlim
->rlim_cur
);
2255 if (current
->signal
->rlim
[RLIMIT_CPU
].rlim_cur
!= RLIM_INFINITY
) {
2257 * This will cause RLIMIT_CPU calculations
2260 current
->it_prof_expires
= jiffies_to_cputime(1);
2264 /* Wake up the parent if it is waiting so that it can
2265 recheck wait permission to the new task SID. */
2266 wake_up_interruptible(¤t
->parent
->signal
->wait_chldexit
);
2269 /* superblock security operations */
2271 static int selinux_sb_alloc_security(struct super_block
*sb
)
2273 return superblock_alloc_security(sb
);
2276 static void selinux_sb_free_security(struct super_block
*sb
)
2278 superblock_free_security(sb
);
2281 static inline int match_prefix(char *prefix
, int plen
, char *option
, int olen
)
2286 return !memcmp(prefix
, option
, plen
);
2289 static inline int selinux_option(char *option
, int len
)
2291 return (match_prefix(CONTEXT_STR
, sizeof(CONTEXT_STR
)-1, option
, len
) ||
2292 match_prefix(FSCONTEXT_STR
, sizeof(FSCONTEXT_STR
)-1, option
, len
) ||
2293 match_prefix(DEFCONTEXT_STR
, sizeof(DEFCONTEXT_STR
)-1, option
, len
) ||
2294 match_prefix(ROOTCONTEXT_STR
, sizeof(ROOTCONTEXT_STR
)-1, option
, len
));
2297 static inline void take_option(char **to
, char *from
, int *first
, int len
)
2304 memcpy(*to
, from
, len
);
2308 static inline void take_selinux_option(char **to
, char *from
, int *first
,
2311 int current_size
= 0;
2319 while (current_size
< len
) {
2329 static int selinux_sb_copy_data(char *orig
, char *copy
)
2331 int fnosec
, fsec
, rc
= 0;
2332 char *in_save
, *in_curr
, *in_end
;
2333 char *sec_curr
, *nosec_save
, *nosec
;
2339 nosec
= (char *)get_zeroed_page(GFP_KERNEL
);
2347 in_save
= in_end
= orig
;
2351 open_quote
= !open_quote
;
2352 if ((*in_end
== ',' && open_quote
== 0) ||
2354 int len
= in_end
- in_curr
;
2356 if (selinux_option(in_curr
, len
))
2357 take_selinux_option(&sec_curr
, in_curr
, &fsec
, len
);
2359 take_option(&nosec
, in_curr
, &fnosec
, len
);
2361 in_curr
= in_end
+ 1;
2363 } while (*in_end
++);
2365 strcpy(in_save
, nosec_save
);
2366 free_page((unsigned long)nosec_save
);
2371 static int selinux_sb_kern_mount(struct super_block
*sb
, void *data
)
2373 struct avc_audit_data ad
;
2376 rc
= superblock_doinit(sb
, data
);
2380 AVC_AUDIT_DATA_INIT(&ad
, FS
);
2381 ad
.u
.fs
.path
.dentry
= sb
->s_root
;
2382 return superblock_has_perm(current
, sb
, FILESYSTEM__MOUNT
, &ad
);
2385 static int selinux_sb_statfs(struct dentry
*dentry
)
2387 struct avc_audit_data ad
;
2389 AVC_AUDIT_DATA_INIT(&ad
, FS
);
2390 ad
.u
.fs
.path
.dentry
= dentry
->d_sb
->s_root
;
2391 return superblock_has_perm(current
, dentry
->d_sb
, FILESYSTEM__GETATTR
, &ad
);
2394 static int selinux_mount(char *dev_name
,
2395 struct nameidata
*nd
,
2397 unsigned long flags
,
2402 rc
= secondary_ops
->sb_mount(dev_name
, nd
, type
, flags
, data
);
2406 if (flags
& MS_REMOUNT
)
2407 return superblock_has_perm(current
, nd
->path
.mnt
->mnt_sb
,
2408 FILESYSTEM__REMOUNT
, NULL
);
2410 return dentry_has_perm(current
, nd
->path
.mnt
, nd
->path
.dentry
,
2414 static int selinux_umount(struct vfsmount
*mnt
, int flags
)
2418 rc
= secondary_ops
->sb_umount(mnt
, flags
);
2422 return superblock_has_perm(current
, mnt
->mnt_sb
,
2423 FILESYSTEM__UNMOUNT
, NULL
);
2426 /* inode security operations */
2428 static int selinux_inode_alloc_security(struct inode
*inode
)
2430 return inode_alloc_security(inode
);
2433 static void selinux_inode_free_security(struct inode
*inode
)
2435 inode_free_security(inode
);
2438 static int selinux_inode_init_security(struct inode
*inode
, struct inode
*dir
,
2439 char **name
, void **value
,
2442 struct task_security_struct
*tsec
;
2443 struct inode_security_struct
*dsec
;
2444 struct superblock_security_struct
*sbsec
;
2447 char *namep
= NULL
, *context
;
2449 tsec
= current
->security
;
2450 dsec
= dir
->i_security
;
2451 sbsec
= dir
->i_sb
->s_security
;
2453 if (tsec
->create_sid
&& sbsec
->behavior
!= SECURITY_FS_USE_MNTPOINT
) {
2454 newsid
= tsec
->create_sid
;
2456 rc
= security_transition_sid(tsec
->sid
, dsec
->sid
,
2457 inode_mode_to_security_class(inode
->i_mode
),
2460 printk(KERN_WARNING
"%s: "
2461 "security_transition_sid failed, rc=%d (dev=%s "
2464 -rc
, inode
->i_sb
->s_id
, inode
->i_ino
);
2469 /* Possibly defer initialization to selinux_complete_init. */
2470 if (sbsec
->initialized
) {
2471 struct inode_security_struct
*isec
= inode
->i_security
;
2472 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
2474 isec
->initialized
= 1;
2477 if (!ss_initialized
|| sbsec
->behavior
== SECURITY_FS_USE_MNTPOINT
)
2481 namep
= kstrdup(XATTR_SELINUX_SUFFIX
, GFP_NOFS
);
2488 rc
= security_sid_to_context(newsid
, &context
, &clen
);
2500 static int selinux_inode_create(struct inode
*dir
, struct dentry
*dentry
, int mask
)
2502 return may_create(dir
, dentry
, SECCLASS_FILE
);
2505 static int selinux_inode_link(struct dentry
*old_dentry
, struct inode
*dir
, struct dentry
*new_dentry
)
2509 rc
= secondary_ops
->inode_link(old_dentry
, dir
, new_dentry
);
2512 return may_link(dir
, old_dentry
, MAY_LINK
);
2515 static int selinux_inode_unlink(struct inode
*dir
, struct dentry
*dentry
)
2519 rc
= secondary_ops
->inode_unlink(dir
, dentry
);
2522 return may_link(dir
, dentry
, MAY_UNLINK
);
2525 static int selinux_inode_symlink(struct inode
*dir
, struct dentry
*dentry
, const char *name
)
2527 return may_create(dir
, dentry
, SECCLASS_LNK_FILE
);
2530 static int selinux_inode_mkdir(struct inode
*dir
, struct dentry
*dentry
, int mask
)
2532 return may_create(dir
, dentry
, SECCLASS_DIR
);
2535 static int selinux_inode_rmdir(struct inode
*dir
, struct dentry
*dentry
)
2537 return may_link(dir
, dentry
, MAY_RMDIR
);
2540 static int selinux_inode_mknod(struct inode
*dir
, struct dentry
*dentry
, int mode
, dev_t dev
)
2544 rc
= secondary_ops
->inode_mknod(dir
, dentry
, mode
, dev
);
2548 return may_create(dir
, dentry
, inode_mode_to_security_class(mode
));
2551 static int selinux_inode_rename(struct inode
*old_inode
, struct dentry
*old_dentry
,
2552 struct inode
*new_inode
, struct dentry
*new_dentry
)
2554 return may_rename(old_inode
, old_dentry
, new_inode
, new_dentry
);
2557 static int selinux_inode_readlink(struct dentry
*dentry
)
2559 return dentry_has_perm(current
, NULL
, dentry
, FILE__READ
);
2562 static int selinux_inode_follow_link(struct dentry
*dentry
, struct nameidata
*nameidata
)
2566 rc
= secondary_ops
->inode_follow_link(dentry
, nameidata
);
2569 return dentry_has_perm(current
, NULL
, dentry
, FILE__READ
);
2572 static int selinux_inode_permission(struct inode
*inode
, int mask
,
2573 struct nameidata
*nd
)
2577 rc
= secondary_ops
->inode_permission(inode
, mask
, nd
);
2582 /* No permission to check. Existence test. */
2586 return inode_has_perm(current
, inode
,
2587 open_file_mask_to_av(inode
->i_mode
, mask
), NULL
);
2590 static int selinux_inode_setattr(struct dentry
*dentry
, struct iattr
*iattr
)
2594 rc
= secondary_ops
->inode_setattr(dentry
, iattr
);
2598 if (iattr
->ia_valid
& ATTR_FORCE
)
2601 if (iattr
->ia_valid
& (ATTR_MODE
| ATTR_UID
| ATTR_GID
|
2602 ATTR_ATIME_SET
| ATTR_MTIME_SET
))
2603 return dentry_has_perm(current
, NULL
, dentry
, FILE__SETATTR
);
2605 return dentry_has_perm(current
, NULL
, dentry
, FILE__WRITE
);
2608 static int selinux_inode_getattr(struct vfsmount
*mnt
, struct dentry
*dentry
)
2610 return dentry_has_perm(current
, mnt
, dentry
, FILE__GETATTR
);
2613 static int selinux_inode_setotherxattr(struct dentry
*dentry
, char *name
)
2615 if (!strncmp(name
, XATTR_SECURITY_PREFIX
,
2616 sizeof XATTR_SECURITY_PREFIX
- 1)) {
2617 if (!strcmp(name
, XATTR_NAME_CAPS
)) {
2618 if (!capable(CAP_SETFCAP
))
2620 } else if (!capable(CAP_SYS_ADMIN
)) {
2621 /* A different attribute in the security namespace.
2622 Restrict to administrator. */
2627 /* Not an attribute we recognize, so just check the
2628 ordinary setattr permission. */
2629 return dentry_has_perm(current
, NULL
, dentry
, FILE__SETATTR
);
2632 static int selinux_inode_setxattr(struct dentry
*dentry
, char *name
, void *value
, size_t size
, int flags
)
2634 struct task_security_struct
*tsec
= current
->security
;
2635 struct inode
*inode
= dentry
->d_inode
;
2636 struct inode_security_struct
*isec
= inode
->i_security
;
2637 struct superblock_security_struct
*sbsec
;
2638 struct avc_audit_data ad
;
2642 if (strcmp(name
, XATTR_NAME_SELINUX
))
2643 return selinux_inode_setotherxattr(dentry
, name
);
2645 sbsec
= inode
->i_sb
->s_security
;
2646 if (sbsec
->behavior
== SECURITY_FS_USE_MNTPOINT
)
2649 if (!is_owner_or_cap(inode
))
2652 AVC_AUDIT_DATA_INIT(&ad
, FS
);
2653 ad
.u
.fs
.path
.dentry
= dentry
;
2655 rc
= avc_has_perm(tsec
->sid
, isec
->sid
, isec
->sclass
,
2656 FILE__RELABELFROM
, &ad
);
2660 rc
= security_context_to_sid(value
, size
, &newsid
);
2664 rc
= avc_has_perm(tsec
->sid
, newsid
, isec
->sclass
,
2665 FILE__RELABELTO
, &ad
);
2669 rc
= security_validate_transition(isec
->sid
, newsid
, tsec
->sid
,
2674 return avc_has_perm(newsid
,
2676 SECCLASS_FILESYSTEM
,
2677 FILESYSTEM__ASSOCIATE
,
2681 static void selinux_inode_post_setxattr(struct dentry
*dentry
, char *name
,
2682 void *value
, size_t size
, int flags
)
2684 struct inode
*inode
= dentry
->d_inode
;
2685 struct inode_security_struct
*isec
= inode
->i_security
;
2689 if (strcmp(name
, XATTR_NAME_SELINUX
)) {
2690 /* Not an attribute we recognize, so nothing to do. */
2694 rc
= security_context_to_sid(value
, size
, &newsid
);
2696 printk(KERN_WARNING
"%s: unable to obtain SID for context "
2697 "%s, rc=%d\n", __func__
, (char *)value
, -rc
);
2705 static int selinux_inode_getxattr(struct dentry
*dentry
, char *name
)
2707 return dentry_has_perm(current
, NULL
, dentry
, FILE__GETATTR
);
2710 static int selinux_inode_listxattr(struct dentry
*dentry
)
2712 return dentry_has_perm(current
, NULL
, dentry
, FILE__GETATTR
);
2715 static int selinux_inode_removexattr(struct dentry
*dentry
, char *name
)
2717 if (strcmp(name
, XATTR_NAME_SELINUX
))
2718 return selinux_inode_setotherxattr(dentry
, name
);
2720 /* No one is allowed to remove a SELinux security label.
2721 You can change the label, but all data must be labeled. */
2726 * Copy the in-core inode security context value to the user. If the
2727 * getxattr() prior to this succeeded, check to see if we need to
2728 * canonicalize the value to be finally returned to the user.
2730 * Permission check is handled by selinux_inode_getxattr hook.
2732 static int selinux_inode_getsecurity(const struct inode
*inode
, const char *name
, void **buffer
, bool alloc
)
2736 char *context
= NULL
;
2737 struct inode_security_struct
*isec
= inode
->i_security
;
2739 if (strcmp(name
, XATTR_SELINUX_SUFFIX
))
2742 error
= security_sid_to_context(isec
->sid
, &context
, &size
);
2755 static int selinux_inode_setsecurity(struct inode
*inode
, const char *name
,
2756 const void *value
, size_t size
, int flags
)
2758 struct inode_security_struct
*isec
= inode
->i_security
;
2762 if (strcmp(name
, XATTR_SELINUX_SUFFIX
))
2765 if (!value
|| !size
)
2768 rc
= security_context_to_sid((void *)value
, size
, &newsid
);
2776 static int selinux_inode_listsecurity(struct inode
*inode
, char *buffer
, size_t buffer_size
)
2778 const int len
= sizeof(XATTR_NAME_SELINUX
);
2779 if (buffer
&& len
<= buffer_size
)
2780 memcpy(buffer
, XATTR_NAME_SELINUX
, len
);
2784 static int selinux_inode_need_killpriv(struct dentry
*dentry
)
2786 return secondary_ops
->inode_need_killpriv(dentry
);
2789 static int selinux_inode_killpriv(struct dentry
*dentry
)
2791 return secondary_ops
->inode_killpriv(dentry
);
2794 static void selinux_inode_getsecid(const struct inode
*inode
, u32
*secid
)
2796 struct inode_security_struct
*isec
= inode
->i_security
;
2800 /* file security operations */
2802 static int selinux_revalidate_file_permission(struct file
*file
, int mask
)
2805 struct inode
*inode
= file
->f_path
.dentry
->d_inode
;
2808 /* No permission to check. Existence test. */
2812 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2813 if ((file
->f_flags
& O_APPEND
) && (mask
& MAY_WRITE
))
2816 rc
= file_has_perm(current
, file
,
2817 file_mask_to_av(inode
->i_mode
, mask
));
2821 return selinux_netlbl_inode_permission(inode
, mask
);
2824 static int selinux_file_permission(struct file
*file
, int mask
)
2826 struct inode
*inode
= file
->f_path
.dentry
->d_inode
;
2827 struct task_security_struct
*tsec
= current
->security
;
2828 struct file_security_struct
*fsec
= file
->f_security
;
2829 struct inode_security_struct
*isec
= inode
->i_security
;
2832 /* No permission to check. Existence test. */
2836 if (tsec
->sid
== fsec
->sid
&& fsec
->isid
== isec
->sid
2837 && fsec
->pseqno
== avc_policy_seqno())
2838 return selinux_netlbl_inode_permission(inode
, mask
);
2840 return selinux_revalidate_file_permission(file
, mask
);
2843 static int selinux_file_alloc_security(struct file
*file
)
2845 return file_alloc_security(file
);
2848 static void selinux_file_free_security(struct file
*file
)
2850 file_free_security(file
);
2853 static int selinux_file_ioctl(struct file
*file
, unsigned int cmd
,
2865 case EXT2_IOC_GETFLAGS
:
2867 case EXT2_IOC_GETVERSION
:
2868 error
= file_has_perm(current
, file
, FILE__GETATTR
);
2871 case EXT2_IOC_SETFLAGS
:
2873 case EXT2_IOC_SETVERSION
:
2874 error
= file_has_perm(current
, file
, FILE__SETATTR
);
2877 /* sys_ioctl() checks */
2881 error
= file_has_perm(current
, file
, 0);
2886 error
= task_has_capability(current
, CAP_SYS_TTY_CONFIG
);
2889 /* default case assumes that the command will go
2890 * to the file's ioctl() function.
2893 error
= file_has_perm(current
, file
, FILE__IOCTL
);
2898 static int file_map_prot_check(struct file
*file
, unsigned long prot
, int shared
)
2900 #ifndef CONFIG_PPC32
2901 if ((prot
& PROT_EXEC
) && (!file
|| (!shared
&& (prot
& PROT_WRITE
)))) {
2903 * We are making executable an anonymous mapping or a
2904 * private file mapping that will also be writable.
2905 * This has an additional check.
2907 int rc
= task_has_perm(current
, current
, PROCESS__EXECMEM
);
2914 /* read access is always possible with a mapping */
2915 u32 av
= FILE__READ
;
2917 /* write access only matters if the mapping is shared */
2918 if (shared
&& (prot
& PROT_WRITE
))
2921 if (prot
& PROT_EXEC
)
2922 av
|= FILE__EXECUTE
;
2924 return file_has_perm(current
, file
, av
);
2929 static int selinux_file_mmap(struct file
*file
, unsigned long reqprot
,
2930 unsigned long prot
, unsigned long flags
,
2931 unsigned long addr
, unsigned long addr_only
)
2934 u32 sid
= ((struct task_security_struct
*)(current
->security
))->sid
;
2936 if (addr
< mmap_min_addr
)
2937 rc
= avc_has_perm(sid
, sid
, SECCLASS_MEMPROTECT
,
2938 MEMPROTECT__MMAP_ZERO
, NULL
);
2939 if (rc
|| addr_only
)
2942 if (selinux_checkreqprot
)
2945 return file_map_prot_check(file
, prot
,
2946 (flags
& MAP_TYPE
) == MAP_SHARED
);
2949 static int selinux_file_mprotect(struct vm_area_struct
*vma
,
2950 unsigned long reqprot
,
2955 rc
= secondary_ops
->file_mprotect(vma
, reqprot
, prot
);
2959 if (selinux_checkreqprot
)
2962 #ifndef CONFIG_PPC32
2963 if ((prot
& PROT_EXEC
) && !(vma
->vm_flags
& VM_EXEC
)) {
2965 if (vma
->vm_start
>= vma
->vm_mm
->start_brk
&&
2966 vma
->vm_end
<= vma
->vm_mm
->brk
) {
2967 rc
= task_has_perm(current
, current
,
2969 } else if (!vma
->vm_file
&&
2970 vma
->vm_start
<= vma
->vm_mm
->start_stack
&&
2971 vma
->vm_end
>= vma
->vm_mm
->start_stack
) {
2972 rc
= task_has_perm(current
, current
, PROCESS__EXECSTACK
);
2973 } else if (vma
->vm_file
&& vma
->anon_vma
) {
2975 * We are making executable a file mapping that has
2976 * had some COW done. Since pages might have been
2977 * written, check ability to execute the possibly
2978 * modified content. This typically should only
2979 * occur for text relocations.
2981 rc
= file_has_perm(current
, vma
->vm_file
,
2989 return file_map_prot_check(vma
->vm_file
, prot
, vma
->vm_flags
&VM_SHARED
);
2992 static int selinux_file_lock(struct file
*file
, unsigned int cmd
)
2994 return file_has_perm(current
, file
, FILE__LOCK
);
2997 static int selinux_file_fcntl(struct file
*file
, unsigned int cmd
,
3004 if (!file
->f_path
.dentry
|| !file
->f_path
.dentry
->d_inode
) {
3009 if ((file
->f_flags
& O_APPEND
) && !(arg
& O_APPEND
)) {
3010 err
= file_has_perm(current
, file
, FILE__WRITE
);
3019 /* Just check FD__USE permission */
3020 err
= file_has_perm(current
, file
, 0);
3025 #if BITS_PER_LONG == 32
3030 if (!file
->f_path
.dentry
|| !file
->f_path
.dentry
->d_inode
) {
3034 err
= file_has_perm(current
, file
, FILE__LOCK
);
3041 static int selinux_file_set_fowner(struct file
*file
)
3043 struct task_security_struct
*tsec
;
3044 struct file_security_struct
*fsec
;
3046 tsec
= current
->security
;
3047 fsec
= file
->f_security
;
3048 fsec
->fown_sid
= tsec
->sid
;
3053 static int selinux_file_send_sigiotask(struct task_struct
*tsk
,
3054 struct fown_struct
*fown
, int signum
)
3058 struct task_security_struct
*tsec
;
3059 struct file_security_struct
*fsec
;
3061 /* struct fown_struct is never outside the context of a struct file */
3062 file
= container_of(fown
, struct file
, f_owner
);
3064 tsec
= tsk
->security
;
3065 fsec
= file
->f_security
;
3068 perm
= signal_to_av(SIGIO
); /* as per send_sigio_to_task */
3070 perm
= signal_to_av(signum
);
3072 return avc_has_perm(fsec
->fown_sid
, tsec
->sid
,
3073 SECCLASS_PROCESS
, perm
, NULL
);
3076 static int selinux_file_receive(struct file
*file
)
3078 return file_has_perm(current
, file
, file_to_av(file
));
3081 static int selinux_dentry_open(struct file
*file
)
3083 struct file_security_struct
*fsec
;
3084 struct inode
*inode
;
3085 struct inode_security_struct
*isec
;
3086 inode
= file
->f_path
.dentry
->d_inode
;
3087 fsec
= file
->f_security
;
3088 isec
= inode
->i_security
;
3090 * Save inode label and policy sequence number
3091 * at open-time so that selinux_file_permission
3092 * can determine whether revalidation is necessary.
3093 * Task label is already saved in the file security
3094 * struct as its SID.
3096 fsec
->isid
= isec
->sid
;
3097 fsec
->pseqno
= avc_policy_seqno();
3099 * Since the inode label or policy seqno may have changed
3100 * between the selinux_inode_permission check and the saving
3101 * of state above, recheck that access is still permitted.
3102 * Otherwise, access might never be revalidated against the
3103 * new inode label or new policy.
3104 * This check is not redundant - do not remove.
3106 return inode_has_perm(current
, inode
, file_to_av(file
), NULL
);
3109 /* task security operations */
3111 static int selinux_task_create(unsigned long clone_flags
)
3115 rc
= secondary_ops
->task_create(clone_flags
);
3119 return task_has_perm(current
, current
, PROCESS__FORK
);
3122 static int selinux_task_alloc_security(struct task_struct
*tsk
)
3124 struct task_security_struct
*tsec1
, *tsec2
;
3127 tsec1
= current
->security
;
3129 rc
= task_alloc_security(tsk
);
3132 tsec2
= tsk
->security
;
3134 tsec2
->osid
= tsec1
->osid
;
3135 tsec2
->sid
= tsec1
->sid
;
3137 /* Retain the exec, fs, key, and sock SIDs across fork */
3138 tsec2
->exec_sid
= tsec1
->exec_sid
;
3139 tsec2
->create_sid
= tsec1
->create_sid
;
3140 tsec2
->keycreate_sid
= tsec1
->keycreate_sid
;
3141 tsec2
->sockcreate_sid
= tsec1
->sockcreate_sid
;
3146 static void selinux_task_free_security(struct task_struct
*tsk
)
3148 task_free_security(tsk
);
3151 static int selinux_task_setuid(uid_t id0
, uid_t id1
, uid_t id2
, int flags
)
3153 /* Since setuid only affects the current process, and
3154 since the SELinux controls are not based on the Linux
3155 identity attributes, SELinux does not need to control
3156 this operation. However, SELinux does control the use
3157 of the CAP_SETUID and CAP_SETGID capabilities using the
3162 static int selinux_task_post_setuid(uid_t id0
, uid_t id1
, uid_t id2
, int flags
)
3164 return secondary_ops
->task_post_setuid(id0
, id1
, id2
, flags
);
3167 static int selinux_task_setgid(gid_t id0
, gid_t id1
, gid_t id2
, int flags
)
3169 /* See the comment for setuid above. */
3173 static int selinux_task_setpgid(struct task_struct
*p
, pid_t pgid
)
3175 return task_has_perm(current
, p
, PROCESS__SETPGID
);
3178 static int selinux_task_getpgid(struct task_struct
*p
)
3180 return task_has_perm(current
, p
, PROCESS__GETPGID
);
3183 static int selinux_task_getsid(struct task_struct
*p
)
3185 return task_has_perm(current
, p
, PROCESS__GETSESSION
);
3188 static void selinux_task_getsecid(struct task_struct
*p
, u32
*secid
)
3190 struct task_security_struct
*tsec
= p
->security
;
3194 static int selinux_task_setgroups(struct group_info
*group_info
)
3196 /* See the comment for setuid above. */
3200 static int selinux_task_setnice(struct task_struct
*p
, int nice
)
3204 rc
= secondary_ops
->task_setnice(p
, nice
);
3208 return task_has_perm(current
, p
, PROCESS__SETSCHED
);
3211 static int selinux_task_setioprio(struct task_struct
*p
, int ioprio
)
3215 rc
= secondary_ops
->task_setioprio(p
, ioprio
);
3219 return task_has_perm(current
, p
, PROCESS__SETSCHED
);
3222 static int selinux_task_getioprio(struct task_struct
*p
)
3224 return task_has_perm(current
, p
, PROCESS__GETSCHED
);
3227 static int selinux_task_setrlimit(unsigned int resource
, struct rlimit
*new_rlim
)
3229 struct rlimit
*old_rlim
= current
->signal
->rlim
+ resource
;
3232 rc
= secondary_ops
->task_setrlimit(resource
, new_rlim
);
3236 /* Control the ability to change the hard limit (whether
3237 lowering or raising it), so that the hard limit can
3238 later be used as a safe reset point for the soft limit
3239 upon context transitions. See selinux_bprm_apply_creds. */
3240 if (old_rlim
->rlim_max
!= new_rlim
->rlim_max
)
3241 return task_has_perm(current
, current
, PROCESS__SETRLIMIT
);
3246 static int selinux_task_setscheduler(struct task_struct
*p
, int policy
, struct sched_param
*lp
)
3250 rc
= secondary_ops
->task_setscheduler(p
, policy
, lp
);
3254 return task_has_perm(current
, p
, PROCESS__SETSCHED
);
3257 static int selinux_task_getscheduler(struct task_struct
*p
)
3259 return task_has_perm(current
, p
, PROCESS__GETSCHED
);
3262 static int selinux_task_movememory(struct task_struct
*p
)
3264 return task_has_perm(current
, p
, PROCESS__SETSCHED
);
3267 static int selinux_task_kill(struct task_struct
*p
, struct siginfo
*info
,
3272 struct task_security_struct
*tsec
;
3274 rc
= secondary_ops
->task_kill(p
, info
, sig
, secid
);
3278 if (info
!= SEND_SIG_NOINFO
&& (is_si_special(info
) || SI_FROMKERNEL(info
)))
3282 perm
= PROCESS__SIGNULL
; /* null signal; existence test */
3284 perm
= signal_to_av(sig
);
3287 rc
= avc_has_perm(secid
, tsec
->sid
, SECCLASS_PROCESS
, perm
, NULL
);
3289 rc
= task_has_perm(current
, p
, perm
);
3293 static int selinux_task_prctl(int option
,
3299 /* The current prctl operations do not appear to require
3300 any SELinux controls since they merely observe or modify
3301 the state of the current process. */
3305 static int selinux_task_wait(struct task_struct
*p
)
3307 return task_has_perm(p
, current
, PROCESS__SIGCHLD
);
3310 static void selinux_task_reparent_to_init(struct task_struct
*p
)
3312 struct task_security_struct
*tsec
;
3314 secondary_ops
->task_reparent_to_init(p
);
3317 tsec
->osid
= tsec
->sid
;
3318 tsec
->sid
= SECINITSID_KERNEL
;
3322 static void selinux_task_to_inode(struct task_struct
*p
,
3323 struct inode
*inode
)
3325 struct task_security_struct
*tsec
= p
->security
;
3326 struct inode_security_struct
*isec
= inode
->i_security
;
3328 isec
->sid
= tsec
->sid
;
3329 isec
->initialized
= 1;
3333 /* Returns error only if unable to parse addresses */
3334 static int selinux_parse_skb_ipv4(struct sk_buff
*skb
,
3335 struct avc_audit_data
*ad
, u8
*proto
)
3337 int offset
, ihlen
, ret
= -EINVAL
;
3338 struct iphdr _iph
, *ih
;
3340 offset
= skb_network_offset(skb
);
3341 ih
= skb_header_pointer(skb
, offset
, sizeof(_iph
), &_iph
);
3345 ihlen
= ih
->ihl
* 4;
3346 if (ihlen
< sizeof(_iph
))
3349 ad
->u
.net
.v4info
.saddr
= ih
->saddr
;
3350 ad
->u
.net
.v4info
.daddr
= ih
->daddr
;
3354 *proto
= ih
->protocol
;
3356 switch (ih
->protocol
) {
3358 struct tcphdr _tcph
, *th
;
3360 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
3364 th
= skb_header_pointer(skb
, offset
, sizeof(_tcph
), &_tcph
);
3368 ad
->u
.net
.sport
= th
->source
;
3369 ad
->u
.net
.dport
= th
->dest
;
3374 struct udphdr _udph
, *uh
;
3376 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
3380 uh
= skb_header_pointer(skb
, offset
, sizeof(_udph
), &_udph
);
3384 ad
->u
.net
.sport
= uh
->source
;
3385 ad
->u
.net
.dport
= uh
->dest
;
3389 case IPPROTO_DCCP
: {
3390 struct dccp_hdr _dccph
, *dh
;
3392 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
3396 dh
= skb_header_pointer(skb
, offset
, sizeof(_dccph
), &_dccph
);
3400 ad
->u
.net
.sport
= dh
->dccph_sport
;
3401 ad
->u
.net
.dport
= dh
->dccph_dport
;
3412 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3414 /* Returns error only if unable to parse addresses */
3415 static int selinux_parse_skb_ipv6(struct sk_buff
*skb
,
3416 struct avc_audit_data
*ad
, u8
*proto
)
3419 int ret
= -EINVAL
, offset
;
3420 struct ipv6hdr _ipv6h
, *ip6
;
3422 offset
= skb_network_offset(skb
);
3423 ip6
= skb_header_pointer(skb
, offset
, sizeof(_ipv6h
), &_ipv6h
);
3427 ipv6_addr_copy(&ad
->u
.net
.v6info
.saddr
, &ip6
->saddr
);
3428 ipv6_addr_copy(&ad
->u
.net
.v6info
.daddr
, &ip6
->daddr
);
3431 nexthdr
= ip6
->nexthdr
;
3432 offset
+= sizeof(_ipv6h
);
3433 offset
= ipv6_skip_exthdr(skb
, offset
, &nexthdr
);
3442 struct tcphdr _tcph
, *th
;
3444 th
= skb_header_pointer(skb
, offset
, sizeof(_tcph
), &_tcph
);
3448 ad
->u
.net
.sport
= th
->source
;
3449 ad
->u
.net
.dport
= th
->dest
;
3454 struct udphdr _udph
, *uh
;
3456 uh
= skb_header_pointer(skb
, offset
, sizeof(_udph
), &_udph
);
3460 ad
->u
.net
.sport
= uh
->source
;
3461 ad
->u
.net
.dport
= uh
->dest
;
3465 case IPPROTO_DCCP
: {
3466 struct dccp_hdr _dccph
, *dh
;
3468 dh
= skb_header_pointer(skb
, offset
, sizeof(_dccph
), &_dccph
);
3472 ad
->u
.net
.sport
= dh
->dccph_sport
;
3473 ad
->u
.net
.dport
= dh
->dccph_dport
;
3477 /* includes fragments */
3487 static int selinux_parse_skb(struct sk_buff
*skb
, struct avc_audit_data
*ad
,
3488 char **addrp
, int src
, u8
*proto
)
3492 switch (ad
->u
.net
.family
) {
3494 ret
= selinux_parse_skb_ipv4(skb
, ad
, proto
);
3497 *addrp
= (char *)(src
? &ad
->u
.net
.v4info
.saddr
:
3498 &ad
->u
.net
.v4info
.daddr
);
3501 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3503 ret
= selinux_parse_skb_ipv6(skb
, ad
, proto
);
3506 *addrp
= (char *)(src
? &ad
->u
.net
.v6info
.saddr
:
3507 &ad
->u
.net
.v6info
.daddr
);
3516 "SELinux: failure in selinux_parse_skb(),"
3517 " unable to parse packet\n");
3523 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3525 * @family: protocol family
3526 * @sid: the packet's peer label SID
3529 * Check the various different forms of network peer labeling and determine
3530 * the peer label/SID for the packet; most of the magic actually occurs in
3531 * the security server function security_net_peersid_cmp(). The function
3532 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3533 * or -EACCES if @sid is invalid due to inconsistencies with the different
3537 static int selinux_skb_peerlbl_sid(struct sk_buff
*skb
, u16 family
, u32
*sid
)
3544 selinux_skb_xfrm_sid(skb
, &xfrm_sid
);
3545 selinux_netlbl_skbuff_getsid(skb
, family
, &nlbl_type
, &nlbl_sid
);
3547 err
= security_net_peersid_resolve(nlbl_sid
, nlbl_type
, xfrm_sid
, sid
);
3548 if (unlikely(err
)) {
3550 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3551 " unable to determine packet's peer label\n");
3558 /* socket security operations */
3559 static int socket_has_perm(struct task_struct
*task
, struct socket
*sock
,
3562 struct inode_security_struct
*isec
;
3563 struct task_security_struct
*tsec
;
3564 struct avc_audit_data ad
;
3567 tsec
= task
->security
;
3568 isec
= SOCK_INODE(sock
)->i_security
;
3570 if (isec
->sid
== SECINITSID_KERNEL
)
3573 AVC_AUDIT_DATA_INIT(&ad
, NET
);
3574 ad
.u
.net
.sk
= sock
->sk
;
3575 err
= avc_has_perm(tsec
->sid
, isec
->sid
, isec
->sclass
, perms
, &ad
);
3581 static int selinux_socket_create(int family
, int type
,
3582 int protocol
, int kern
)
3585 struct task_security_struct
*tsec
;
3591 tsec
= current
->security
;
3592 newsid
= tsec
->sockcreate_sid
? : tsec
->sid
;
3593 err
= avc_has_perm(tsec
->sid
, newsid
,
3594 socket_type_to_security_class(family
, type
,
3595 protocol
), SOCKET__CREATE
, NULL
);
3601 static int selinux_socket_post_create(struct socket
*sock
, int family
,
3602 int type
, int protocol
, int kern
)
3605 struct inode_security_struct
*isec
;
3606 struct task_security_struct
*tsec
;
3607 struct sk_security_struct
*sksec
;
3610 isec
= SOCK_INODE(sock
)->i_security
;
3612 tsec
= current
->security
;
3613 newsid
= tsec
->sockcreate_sid
? : tsec
->sid
;
3614 isec
->sclass
= socket_type_to_security_class(family
, type
, protocol
);
3615 isec
->sid
= kern
? SECINITSID_KERNEL
: newsid
;
3616 isec
->initialized
= 1;
3619 sksec
= sock
->sk
->sk_security
;
3620 sksec
->sid
= isec
->sid
;
3621 sksec
->sclass
= isec
->sclass
;
3622 err
= selinux_netlbl_socket_post_create(sock
);
3628 /* Range of port numbers used to automatically bind.
3629 Need to determine whether we should perform a name_bind
3630 permission check between the socket and the port number. */
3632 static int selinux_socket_bind(struct socket
*sock
, struct sockaddr
*address
, int addrlen
)
3637 err
= socket_has_perm(current
, sock
, SOCKET__BIND
);
3642 * If PF_INET or PF_INET6, check name_bind permission for the port.
3643 * Multiple address binding for SCTP is not supported yet: we just
3644 * check the first address now.
3646 family
= sock
->sk
->sk_family
;
3647 if (family
== PF_INET
|| family
== PF_INET6
) {
3649 struct inode_security_struct
*isec
;
3650 struct task_security_struct
*tsec
;
3651 struct avc_audit_data ad
;
3652 struct sockaddr_in
*addr4
= NULL
;
3653 struct sockaddr_in6
*addr6
= NULL
;
3654 unsigned short snum
;
3655 struct sock
*sk
= sock
->sk
;
3656 u32 sid
, node_perm
, addrlen
;
3658 tsec
= current
->security
;
3659 isec
= SOCK_INODE(sock
)->i_security
;
3661 if (family
== PF_INET
) {
3662 addr4
= (struct sockaddr_in
*)address
;
3663 snum
= ntohs(addr4
->sin_port
);
3664 addrlen
= sizeof(addr4
->sin_addr
.s_addr
);
3665 addrp
= (char *)&addr4
->sin_addr
.s_addr
;
3667 addr6
= (struct sockaddr_in6
*)address
;
3668 snum
= ntohs(addr6
->sin6_port
);
3669 addrlen
= sizeof(addr6
->sin6_addr
.s6_addr
);
3670 addrp
= (char *)&addr6
->sin6_addr
.s6_addr
;
3676 inet_get_local_port_range(&low
, &high
);
3678 if (snum
< max(PROT_SOCK
, low
) || snum
> high
) {
3679 err
= sel_netport_sid(sk
->sk_protocol
,
3683 AVC_AUDIT_DATA_INIT(&ad
, NET
);
3684 ad
.u
.net
.sport
= htons(snum
);
3685 ad
.u
.net
.family
= family
;
3686 err
= avc_has_perm(isec
->sid
, sid
,
3688 SOCKET__NAME_BIND
, &ad
);
3694 switch (isec
->sclass
) {
3695 case SECCLASS_TCP_SOCKET
:
3696 node_perm
= TCP_SOCKET__NODE_BIND
;
3699 case SECCLASS_UDP_SOCKET
:
3700 node_perm
= UDP_SOCKET__NODE_BIND
;
3703 case SECCLASS_DCCP_SOCKET
:
3704 node_perm
= DCCP_SOCKET__NODE_BIND
;
3708 node_perm
= RAWIP_SOCKET__NODE_BIND
;
3712 err
= sel_netnode_sid(addrp
, family
, &sid
);
3716 AVC_AUDIT_DATA_INIT(&ad
, NET
);
3717 ad
.u
.net
.sport
= htons(snum
);
3718 ad
.u
.net
.family
= family
;
3720 if (family
== PF_INET
)
3721 ad
.u
.net
.v4info
.saddr
= addr4
->sin_addr
.s_addr
;
3723 ipv6_addr_copy(&ad
.u
.net
.v6info
.saddr
, &addr6
->sin6_addr
);
3725 err
= avc_has_perm(isec
->sid
, sid
,
3726 isec
->sclass
, node_perm
, &ad
);
3734 static int selinux_socket_connect(struct socket
*sock
, struct sockaddr
*address
, int addrlen
)
3736 struct inode_security_struct
*isec
;
3739 err
= socket_has_perm(current
, sock
, SOCKET__CONNECT
);
3744 * If a TCP or DCCP socket, check name_connect permission for the port.
3746 isec
= SOCK_INODE(sock
)->i_security
;
3747 if (isec
->sclass
== SECCLASS_TCP_SOCKET
||
3748 isec
->sclass
== SECCLASS_DCCP_SOCKET
) {
3749 struct sock
*sk
= sock
->sk
;
3750 struct avc_audit_data ad
;
3751 struct sockaddr_in
*addr4
= NULL
;
3752 struct sockaddr_in6
*addr6
= NULL
;
3753 unsigned short snum
;
3756 if (sk
->sk_family
== PF_INET
) {
3757 addr4
= (struct sockaddr_in
*)address
;
3758 if (addrlen
< sizeof(struct sockaddr_in
))
3760 snum
= ntohs(addr4
->sin_port
);
3762 addr6
= (struct sockaddr_in6
*)address
;
3763 if (addrlen
< SIN6_LEN_RFC2133
)
3765 snum
= ntohs(addr6
->sin6_port
);
3768 err
= sel_netport_sid(sk
->sk_protocol
, snum
, &sid
);
3772 perm
= (isec
->sclass
== SECCLASS_TCP_SOCKET
) ?
3773 TCP_SOCKET__NAME_CONNECT
: DCCP_SOCKET__NAME_CONNECT
;
3775 AVC_AUDIT_DATA_INIT(&ad
, NET
);
3776 ad
.u
.net
.dport
= htons(snum
);
3777 ad
.u
.net
.family
= sk
->sk_family
;
3778 err
= avc_has_perm(isec
->sid
, sid
, isec
->sclass
, perm
, &ad
);
3787 static int selinux_socket_listen(struct socket
*sock
, int backlog
)
3789 return socket_has_perm(current
, sock
, SOCKET__LISTEN
);
3792 static int selinux_socket_accept(struct socket
*sock
, struct socket
*newsock
)
3795 struct inode_security_struct
*isec
;
3796 struct inode_security_struct
*newisec
;
3798 err
= socket_has_perm(current
, sock
, SOCKET__ACCEPT
);
3802 newisec
= SOCK_INODE(newsock
)->i_security
;
3804 isec
= SOCK_INODE(sock
)->i_security
;
3805 newisec
->sclass
= isec
->sclass
;
3806 newisec
->sid
= isec
->sid
;
3807 newisec
->initialized
= 1;
3812 static int selinux_socket_sendmsg(struct socket
*sock
, struct msghdr
*msg
,
3817 rc
= socket_has_perm(current
, sock
, SOCKET__WRITE
);
3821 return selinux_netlbl_inode_permission(SOCK_INODE(sock
), MAY_WRITE
);
3824 static int selinux_socket_recvmsg(struct socket
*sock
, struct msghdr
*msg
,
3825 int size
, int flags
)
3827 return socket_has_perm(current
, sock
, SOCKET__READ
);
3830 static int selinux_socket_getsockname(struct socket
*sock
)
3832 return socket_has_perm(current
, sock
, SOCKET__GETATTR
);
3835 static int selinux_socket_getpeername(struct socket
*sock
)
3837 return socket_has_perm(current
, sock
, SOCKET__GETATTR
);
3840 static int selinux_socket_setsockopt(struct socket
*sock
, int level
, int optname
)
3844 err
= socket_has_perm(current
, sock
, SOCKET__SETOPT
);
3848 return selinux_netlbl_socket_setsockopt(sock
, level
, optname
);
3851 static int selinux_socket_getsockopt(struct socket
*sock
, int level
,
3854 return socket_has_perm(current
, sock
, SOCKET__GETOPT
);
3857 static int selinux_socket_shutdown(struct socket
*sock
, int how
)
3859 return socket_has_perm(current
, sock
, SOCKET__SHUTDOWN
);
3862 static int selinux_socket_unix_stream_connect(struct socket
*sock
,
3863 struct socket
*other
,
3866 struct sk_security_struct
*ssec
;
3867 struct inode_security_struct
*isec
;
3868 struct inode_security_struct
*other_isec
;
3869 struct avc_audit_data ad
;
3872 err
= secondary_ops
->unix_stream_connect(sock
, other
, newsk
);
3876 isec
= SOCK_INODE(sock
)->i_security
;
3877 other_isec
= SOCK_INODE(other
)->i_security
;
3879 AVC_AUDIT_DATA_INIT(&ad
, NET
);
3880 ad
.u
.net
.sk
= other
->sk
;
3882 err
= avc_has_perm(isec
->sid
, other_isec
->sid
,
3884 UNIX_STREAM_SOCKET__CONNECTTO
, &ad
);
3888 /* connecting socket */
3889 ssec
= sock
->sk
->sk_security
;
3890 ssec
->peer_sid
= other_isec
->sid
;
3892 /* server child socket */
3893 ssec
= newsk
->sk_security
;
3894 ssec
->peer_sid
= isec
->sid
;
3895 err
= security_sid_mls_copy(other_isec
->sid
, ssec
->peer_sid
, &ssec
->sid
);
3900 static int selinux_socket_unix_may_send(struct socket
*sock
,
3901 struct socket
*other
)
3903 struct inode_security_struct
*isec
;
3904 struct inode_security_struct
*other_isec
;
3905 struct avc_audit_data ad
;
3908 isec
= SOCK_INODE(sock
)->i_security
;
3909 other_isec
= SOCK_INODE(other
)->i_security
;
3911 AVC_AUDIT_DATA_INIT(&ad
, NET
);
3912 ad
.u
.net
.sk
= other
->sk
;
3914 err
= avc_has_perm(isec
->sid
, other_isec
->sid
,
3915 isec
->sclass
, SOCKET__SENDTO
, &ad
);
3922 static int selinux_inet_sys_rcv_skb(int ifindex
, char *addrp
, u16 family
,
3924 struct avc_audit_data
*ad
)
3930 err
= sel_netif_sid(ifindex
, &if_sid
);
3933 err
= avc_has_perm(peer_sid
, if_sid
,
3934 SECCLASS_NETIF
, NETIF__INGRESS
, ad
);
3938 err
= sel_netnode_sid(addrp
, family
, &node_sid
);
3941 return avc_has_perm(peer_sid
, node_sid
,
3942 SECCLASS_NODE
, NODE__RECVFROM
, ad
);
3945 static int selinux_sock_rcv_skb_iptables_compat(struct sock
*sk
,
3946 struct sk_buff
*skb
,
3947 struct avc_audit_data
*ad
,
3952 struct sk_security_struct
*sksec
= sk
->sk_security
;
3954 u32 netif_perm
, node_perm
, recv_perm
;
3955 u32 port_sid
, node_sid
, if_sid
, sk_sid
;
3957 sk_sid
= sksec
->sid
;
3958 sk_class
= sksec
->sclass
;
3961 case SECCLASS_UDP_SOCKET
:
3962 netif_perm
= NETIF__UDP_RECV
;
3963 node_perm
= NODE__UDP_RECV
;
3964 recv_perm
= UDP_SOCKET__RECV_MSG
;
3966 case SECCLASS_TCP_SOCKET
:
3967 netif_perm
= NETIF__TCP_RECV
;
3968 node_perm
= NODE__TCP_RECV
;
3969 recv_perm
= TCP_SOCKET__RECV_MSG
;
3971 case SECCLASS_DCCP_SOCKET
:
3972 netif_perm
= NETIF__DCCP_RECV
;
3973 node_perm
= NODE__DCCP_RECV
;
3974 recv_perm
= DCCP_SOCKET__RECV_MSG
;
3977 netif_perm
= NETIF__RAWIP_RECV
;
3978 node_perm
= NODE__RAWIP_RECV
;
3983 err
= sel_netif_sid(skb
->iif
, &if_sid
);
3986 err
= avc_has_perm(sk_sid
, if_sid
, SECCLASS_NETIF
, netif_perm
, ad
);
3990 err
= sel_netnode_sid(addrp
, family
, &node_sid
);
3993 err
= avc_has_perm(sk_sid
, node_sid
, SECCLASS_NODE
, node_perm
, ad
);
3999 err
= sel_netport_sid(sk
->sk_protocol
,
4000 ntohs(ad
->u
.net
.sport
), &port_sid
);
4001 if (unlikely(err
)) {
4003 "SELinux: failure in"
4004 " selinux_sock_rcv_skb_iptables_compat(),"
4005 " network port label not found\n");
4008 return avc_has_perm(sk_sid
, port_sid
, sk_class
, recv_perm
, ad
);
4011 static int selinux_sock_rcv_skb_compat(struct sock
*sk
, struct sk_buff
*skb
,
4012 struct avc_audit_data
*ad
,
4013 u16 family
, char *addrp
)
4016 struct sk_security_struct
*sksec
= sk
->sk_security
;
4018 u32 sk_sid
= sksec
->sid
;
4020 if (selinux_compat_net
)
4021 err
= selinux_sock_rcv_skb_iptables_compat(sk
, skb
, ad
,
4024 err
= avc_has_perm(sk_sid
, skb
->secmark
, SECCLASS_PACKET
,
4029 if (selinux_policycap_netpeer
) {
4030 err
= selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
);
4033 err
= avc_has_perm(sk_sid
, peer_sid
,
4034 SECCLASS_PEER
, PEER__RECV
, ad
);
4036 err
= selinux_netlbl_sock_rcv_skb(sksec
, skb
, family
, ad
);
4039 err
= selinux_xfrm_sock_rcv_skb(sksec
->sid
, skb
, ad
);
4045 static int selinux_socket_sock_rcv_skb(struct sock
*sk
, struct sk_buff
*skb
)
4048 struct sk_security_struct
*sksec
= sk
->sk_security
;
4049 u16 family
= sk
->sk_family
;
4050 u32 sk_sid
= sksec
->sid
;
4051 struct avc_audit_data ad
;
4054 if (family
!= PF_INET
&& family
!= PF_INET6
)
4057 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4058 if (family
== PF_INET6
&& skb
->protocol
== htons(ETH_P_IP
))
4061 AVC_AUDIT_DATA_INIT(&ad
, NET
);
4062 ad
.u
.net
.netif
= skb
->iif
;
4063 ad
.u
.net
.family
= family
;
4064 err
= selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
);
4068 /* If any sort of compatibility mode is enabled then handoff processing
4069 * to the selinux_sock_rcv_skb_compat() function to deal with the
4070 * special handling. We do this in an attempt to keep this function
4071 * as fast and as clean as possible. */
4072 if (selinux_compat_net
|| !selinux_policycap_netpeer
)
4073 return selinux_sock_rcv_skb_compat(sk
, skb
, &ad
,
4076 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4079 err
= selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
);
4082 err
= selinux_inet_sys_rcv_skb(skb
->iif
, addrp
, family
,
4086 err
= avc_has_perm(sk_sid
, peer_sid
, SECCLASS_PEER
,
4090 if (selinux_secmark_enabled()) {
4091 err
= avc_has_perm(sk_sid
, skb
->secmark
, SECCLASS_PACKET
,
4100 static int selinux_socket_getpeersec_stream(struct socket
*sock
, char __user
*optval
,
4101 int __user
*optlen
, unsigned len
)
4106 struct sk_security_struct
*ssec
;
4107 struct inode_security_struct
*isec
;
4108 u32 peer_sid
= SECSID_NULL
;
4110 isec
= SOCK_INODE(sock
)->i_security
;
4112 if (isec
->sclass
== SECCLASS_UNIX_STREAM_SOCKET
||
4113 isec
->sclass
== SECCLASS_TCP_SOCKET
) {
4114 ssec
= sock
->sk
->sk_security
;
4115 peer_sid
= ssec
->peer_sid
;
4117 if (peer_sid
== SECSID_NULL
) {
4122 err
= security_sid_to_context(peer_sid
, &scontext
, &scontext_len
);
4127 if (scontext_len
> len
) {
4132 if (copy_to_user(optval
, scontext
, scontext_len
))
4136 if (put_user(scontext_len
, optlen
))
4144 static int selinux_socket_getpeersec_dgram(struct socket
*sock
, struct sk_buff
*skb
, u32
*secid
)
4146 u32 peer_secid
= SECSID_NULL
;
4150 family
= sock
->sk
->sk_family
;
4151 else if (skb
&& skb
->sk
)
4152 family
= skb
->sk
->sk_family
;
4156 if (sock
&& family
== PF_UNIX
)
4157 selinux_inode_getsecid(SOCK_INODE(sock
), &peer_secid
);
4159 selinux_skb_peerlbl_sid(skb
, family
, &peer_secid
);
4162 *secid
= peer_secid
;
4163 if (peer_secid
== SECSID_NULL
)
4168 static int selinux_sk_alloc_security(struct sock
*sk
, int family
, gfp_t priority
)
4170 return sk_alloc_security(sk
, family
, priority
);
4173 static void selinux_sk_free_security(struct sock
*sk
)
4175 sk_free_security(sk
);
4178 static void selinux_sk_clone_security(const struct sock
*sk
, struct sock
*newsk
)
4180 struct sk_security_struct
*ssec
= sk
->sk_security
;
4181 struct sk_security_struct
*newssec
= newsk
->sk_security
;
4183 newssec
->sid
= ssec
->sid
;
4184 newssec
->peer_sid
= ssec
->peer_sid
;
4185 newssec
->sclass
= ssec
->sclass
;
4187 selinux_netlbl_sk_security_reset(newssec
, newsk
->sk_family
);
4190 static void selinux_sk_getsecid(struct sock
*sk
, u32
*secid
)
4193 *secid
= SECINITSID_ANY_SOCKET
;
4195 struct sk_security_struct
*sksec
= sk
->sk_security
;
4197 *secid
= sksec
->sid
;
4201 static void selinux_sock_graft(struct sock
*sk
, struct socket
*parent
)
4203 struct inode_security_struct
*isec
= SOCK_INODE(parent
)->i_security
;
4204 struct sk_security_struct
*sksec
= sk
->sk_security
;
4206 if (sk
->sk_family
== PF_INET
|| sk
->sk_family
== PF_INET6
||
4207 sk
->sk_family
== PF_UNIX
)
4208 isec
->sid
= sksec
->sid
;
4209 sksec
->sclass
= isec
->sclass
;
4211 selinux_netlbl_sock_graft(sk
, parent
);
4214 static int selinux_inet_conn_request(struct sock
*sk
, struct sk_buff
*skb
,
4215 struct request_sock
*req
)
4217 struct sk_security_struct
*sksec
= sk
->sk_security
;
4222 err
= selinux_skb_peerlbl_sid(skb
, sk
->sk_family
, &peersid
);
4225 if (peersid
== SECSID_NULL
) {
4226 req
->secid
= sksec
->sid
;
4227 req
->peer_secid
= SECSID_NULL
;
4231 err
= security_sid_mls_copy(sksec
->sid
, peersid
, &newsid
);
4235 req
->secid
= newsid
;
4236 req
->peer_secid
= peersid
;
4240 static void selinux_inet_csk_clone(struct sock
*newsk
,
4241 const struct request_sock
*req
)
4243 struct sk_security_struct
*newsksec
= newsk
->sk_security
;
4245 newsksec
->sid
= req
->secid
;
4246 newsksec
->peer_sid
= req
->peer_secid
;
4247 /* NOTE: Ideally, we should also get the isec->sid for the
4248 new socket in sync, but we don't have the isec available yet.
4249 So we will wait until sock_graft to do it, by which
4250 time it will have been created and available. */
4252 /* We don't need to take any sort of lock here as we are the only
4253 * thread with access to newsksec */
4254 selinux_netlbl_sk_security_reset(newsksec
, req
->rsk_ops
->family
);
4257 static void selinux_inet_conn_established(struct sock
*sk
,
4258 struct sk_buff
*skb
)
4260 struct sk_security_struct
*sksec
= sk
->sk_security
;
4262 selinux_skb_peerlbl_sid(skb
, sk
->sk_family
, &sksec
->peer_sid
);
4265 static void selinux_req_classify_flow(const struct request_sock
*req
,
4268 fl
->secid
= req
->secid
;
4271 static int selinux_nlmsg_perm(struct sock
*sk
, struct sk_buff
*skb
)
4275 struct nlmsghdr
*nlh
;
4276 struct socket
*sock
= sk
->sk_socket
;
4277 struct inode_security_struct
*isec
= SOCK_INODE(sock
)->i_security
;
4279 if (skb
->len
< NLMSG_SPACE(0)) {
4283 nlh
= nlmsg_hdr(skb
);
4285 err
= selinux_nlmsg_lookup(isec
->sclass
, nlh
->nlmsg_type
, &perm
);
4287 if (err
== -EINVAL
) {
4288 audit_log(current
->audit_context
, GFP_KERNEL
, AUDIT_SELINUX_ERR
,
4289 "SELinux: unrecognized netlink message"
4290 " type=%hu for sclass=%hu\n",
4291 nlh
->nlmsg_type
, isec
->sclass
);
4292 if (!selinux_enforcing
)
4302 err
= socket_has_perm(current
, sock
, perm
);
4307 #ifdef CONFIG_NETFILTER
4309 static unsigned int selinux_ip_forward(struct sk_buff
*skb
, int ifindex
,
4314 struct avc_audit_data ad
;
4318 if (!selinux_policycap_netpeer
)
4321 secmark_active
= selinux_secmark_enabled();
4322 peerlbl_active
= netlbl_enabled() || selinux_xfrm_enabled();
4323 if (!secmark_active
&& !peerlbl_active
)
4326 AVC_AUDIT_DATA_INIT(&ad
, NET
);
4327 ad
.u
.net
.netif
= ifindex
;
4328 ad
.u
.net
.family
= family
;
4329 if (selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
) != 0)
4332 if (selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
) != 0)
4336 if (selinux_inet_sys_rcv_skb(ifindex
, addrp
, family
,
4337 peer_sid
, &ad
) != 0)
4341 if (avc_has_perm(peer_sid
, skb
->secmark
,
4342 SECCLASS_PACKET
, PACKET__FORWARD_IN
, &ad
))
4348 static unsigned int selinux_ipv4_forward(unsigned int hooknum
,
4349 struct sk_buff
*skb
,
4350 const struct net_device
*in
,
4351 const struct net_device
*out
,
4352 int (*okfn
)(struct sk_buff
*))
4354 return selinux_ip_forward(skb
, in
->ifindex
, PF_INET
);
4357 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4358 static unsigned int selinux_ipv6_forward(unsigned int hooknum
,
4359 struct sk_buff
*skb
,
4360 const struct net_device
*in
,
4361 const struct net_device
*out
,
4362 int (*okfn
)(struct sk_buff
*))
4364 return selinux_ip_forward(skb
, in
->ifindex
, PF_INET6
);
4368 static int selinux_ip_postroute_iptables_compat(struct sock
*sk
,
4370 struct avc_audit_data
*ad
,
4371 u16 family
, char *addrp
)
4374 struct sk_security_struct
*sksec
= sk
->sk_security
;
4376 u32 netif_perm
, node_perm
, send_perm
;
4377 u32 port_sid
, node_sid
, if_sid
, sk_sid
;
4379 sk_sid
= sksec
->sid
;
4380 sk_class
= sksec
->sclass
;
4383 case SECCLASS_UDP_SOCKET
:
4384 netif_perm
= NETIF__UDP_SEND
;
4385 node_perm
= NODE__UDP_SEND
;
4386 send_perm
= UDP_SOCKET__SEND_MSG
;
4388 case SECCLASS_TCP_SOCKET
:
4389 netif_perm
= NETIF__TCP_SEND
;
4390 node_perm
= NODE__TCP_SEND
;
4391 send_perm
= TCP_SOCKET__SEND_MSG
;
4393 case SECCLASS_DCCP_SOCKET
:
4394 netif_perm
= NETIF__DCCP_SEND
;
4395 node_perm
= NODE__DCCP_SEND
;
4396 send_perm
= DCCP_SOCKET__SEND_MSG
;
4399 netif_perm
= NETIF__RAWIP_SEND
;
4400 node_perm
= NODE__RAWIP_SEND
;
4405 err
= sel_netif_sid(ifindex
, &if_sid
);
4408 err
= avc_has_perm(sk_sid
, if_sid
, SECCLASS_NETIF
, netif_perm
, ad
);
4411 err
= sel_netnode_sid(addrp
, family
, &node_sid
);
4414 err
= avc_has_perm(sk_sid
, node_sid
, SECCLASS_NODE
, node_perm
, ad
);
4421 err
= sel_netport_sid(sk
->sk_protocol
,
4422 ntohs(ad
->u
.net
.dport
), &port_sid
);
4423 if (unlikely(err
)) {
4425 "SELinux: failure in"
4426 " selinux_ip_postroute_iptables_compat(),"
4427 " network port label not found\n");
4430 return avc_has_perm(sk_sid
, port_sid
, sk_class
, send_perm
, ad
);
4433 static unsigned int selinux_ip_postroute_compat(struct sk_buff
*skb
,
4435 struct avc_audit_data
*ad
,
4440 struct sock
*sk
= skb
->sk
;
4441 struct sk_security_struct
*sksec
;
4445 sksec
= sk
->sk_security
;
4447 if (selinux_compat_net
) {
4448 if (selinux_ip_postroute_iptables_compat(skb
->sk
, ifindex
,
4452 if (avc_has_perm(sksec
->sid
, skb
->secmark
,
4453 SECCLASS_PACKET
, PACKET__SEND
, ad
))
4457 if (selinux_policycap_netpeer
)
4458 if (selinux_xfrm_postroute_last(sksec
->sid
, skb
, ad
, proto
))
4464 static unsigned int selinux_ip_postroute(struct sk_buff
*skb
, int ifindex
,
4470 struct avc_audit_data ad
;
4476 AVC_AUDIT_DATA_INIT(&ad
, NET
);
4477 ad
.u
.net
.netif
= ifindex
;
4478 ad
.u
.net
.family
= family
;
4479 if (selinux_parse_skb(skb
, &ad
, &addrp
, 0, &proto
))
4482 /* If any sort of compatibility mode is enabled then handoff processing
4483 * to the selinux_ip_postroute_compat() function to deal with the
4484 * special handling. We do this in an attempt to keep this function
4485 * as fast and as clean as possible. */
4486 if (selinux_compat_net
|| !selinux_policycap_netpeer
)
4487 return selinux_ip_postroute_compat(skb
, ifindex
, &ad
,
4488 family
, addrp
, proto
);
4490 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4491 * packet transformation so allow the packet to pass without any checks
4492 * since we'll have another chance to perform access control checks
4493 * when the packet is on it's final way out.
4494 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4495 * is NULL, in this case go ahead and apply access control. */
4496 if (skb
->dst
!= NULL
&& skb
->dst
->xfrm
!= NULL
)
4499 secmark_active
= selinux_secmark_enabled();
4500 peerlbl_active
= netlbl_enabled() || selinux_xfrm_enabled();
4501 if (!secmark_active
&& !peerlbl_active
)
4504 /* if the packet is locally generated (skb->sk != NULL) then use the
4505 * socket's label as the peer label, otherwise the packet is being
4506 * forwarded through this system and we need to fetch the peer label
4507 * directly from the packet */
4510 struct sk_security_struct
*sksec
= sk
->sk_security
;
4511 peer_sid
= sksec
->sid
;
4512 secmark_perm
= PACKET__SEND
;
4514 if (selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
))
4516 secmark_perm
= PACKET__FORWARD_OUT
;
4520 if (avc_has_perm(peer_sid
, skb
->secmark
,
4521 SECCLASS_PACKET
, secmark_perm
, &ad
))
4524 if (peerlbl_active
) {
4528 if (sel_netif_sid(ifindex
, &if_sid
))
4530 if (avc_has_perm(peer_sid
, if_sid
,
4531 SECCLASS_NETIF
, NETIF__EGRESS
, &ad
))
4534 if (sel_netnode_sid(addrp
, family
, &node_sid
))
4536 if (avc_has_perm(peer_sid
, node_sid
,
4537 SECCLASS_NODE
, NODE__SENDTO
, &ad
))
4544 static unsigned int selinux_ipv4_postroute(unsigned int hooknum
,
4545 struct sk_buff
*skb
,
4546 const struct net_device
*in
,
4547 const struct net_device
*out
,
4548 int (*okfn
)(struct sk_buff
*))
4550 return selinux_ip_postroute(skb
, out
->ifindex
, PF_INET
);
4553 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4554 static unsigned int selinux_ipv6_postroute(unsigned int hooknum
,
4555 struct sk_buff
*skb
,
4556 const struct net_device
*in
,
4557 const struct net_device
*out
,
4558 int (*okfn
)(struct sk_buff
*))
4560 return selinux_ip_postroute(skb
, out
->ifindex
, PF_INET6
);
4564 #endif /* CONFIG_NETFILTER */
4566 static int selinux_netlink_send(struct sock
*sk
, struct sk_buff
*skb
)
4570 err
= secondary_ops
->netlink_send(sk
, skb
);
4574 if (policydb_loaded_version
>= POLICYDB_VERSION_NLCLASS
)
4575 err
= selinux_nlmsg_perm(sk
, skb
);
4580 static int selinux_netlink_recv(struct sk_buff
*skb
, int capability
)
4583 struct avc_audit_data ad
;
4585 err
= secondary_ops
->netlink_recv(skb
, capability
);
4589 AVC_AUDIT_DATA_INIT(&ad
, CAP
);
4590 ad
.u
.cap
= capability
;
4592 return avc_has_perm(NETLINK_CB(skb
).sid
, NETLINK_CB(skb
).sid
,
4593 SECCLASS_CAPABILITY
, CAP_TO_MASK(capability
), &ad
);
4596 static int ipc_alloc_security(struct task_struct
*task
,
4597 struct kern_ipc_perm
*perm
,
4600 struct task_security_struct
*tsec
= task
->security
;
4601 struct ipc_security_struct
*isec
;
4603 isec
= kzalloc(sizeof(struct ipc_security_struct
), GFP_KERNEL
);
4607 isec
->sclass
= sclass
;
4608 isec
->sid
= tsec
->sid
;
4609 perm
->security
= isec
;
4614 static void ipc_free_security(struct kern_ipc_perm
*perm
)
4616 struct ipc_security_struct
*isec
= perm
->security
;
4617 perm
->security
= NULL
;
4621 static int msg_msg_alloc_security(struct msg_msg
*msg
)
4623 struct msg_security_struct
*msec
;
4625 msec
= kzalloc(sizeof(struct msg_security_struct
), GFP_KERNEL
);
4629 msec
->sid
= SECINITSID_UNLABELED
;
4630 msg
->security
= msec
;
4635 static void msg_msg_free_security(struct msg_msg
*msg
)
4637 struct msg_security_struct
*msec
= msg
->security
;
4639 msg
->security
= NULL
;
4643 static int ipc_has_perm(struct kern_ipc_perm
*ipc_perms
,
4646 struct task_security_struct
*tsec
;
4647 struct ipc_security_struct
*isec
;
4648 struct avc_audit_data ad
;
4650 tsec
= current
->security
;
4651 isec
= ipc_perms
->security
;
4653 AVC_AUDIT_DATA_INIT(&ad
, IPC
);
4654 ad
.u
.ipc_id
= ipc_perms
->key
;
4656 return avc_has_perm(tsec
->sid
, isec
->sid
, isec
->sclass
, perms
, &ad
);
4659 static int selinux_msg_msg_alloc_security(struct msg_msg
*msg
)
4661 return msg_msg_alloc_security(msg
);
4664 static void selinux_msg_msg_free_security(struct msg_msg
*msg
)
4666 msg_msg_free_security(msg
);
4669 /* message queue security operations */
4670 static int selinux_msg_queue_alloc_security(struct msg_queue
*msq
)
4672 struct task_security_struct
*tsec
;
4673 struct ipc_security_struct
*isec
;
4674 struct avc_audit_data ad
;
4677 rc
= ipc_alloc_security(current
, &msq
->q_perm
, SECCLASS_MSGQ
);
4681 tsec
= current
->security
;
4682 isec
= msq
->q_perm
.security
;
4684 AVC_AUDIT_DATA_INIT(&ad
, IPC
);
4685 ad
.u
.ipc_id
= msq
->q_perm
.key
;
4687 rc
= avc_has_perm(tsec
->sid
, isec
->sid
, SECCLASS_MSGQ
,
4690 ipc_free_security(&msq
->q_perm
);
4696 static void selinux_msg_queue_free_security(struct msg_queue
*msq
)
4698 ipc_free_security(&msq
->q_perm
);
4701 static int selinux_msg_queue_associate(struct msg_queue
*msq
, int msqflg
)
4703 struct task_security_struct
*tsec
;
4704 struct ipc_security_struct
*isec
;
4705 struct avc_audit_data ad
;
4707 tsec
= current
->security
;
4708 isec
= msq
->q_perm
.security
;
4710 AVC_AUDIT_DATA_INIT(&ad
, IPC
);
4711 ad
.u
.ipc_id
= msq
->q_perm
.key
;
4713 return avc_has_perm(tsec
->sid
, isec
->sid
, SECCLASS_MSGQ
,
4714 MSGQ__ASSOCIATE
, &ad
);
4717 static int selinux_msg_queue_msgctl(struct msg_queue
*msq
, int cmd
)
4725 /* No specific object, just general system-wide information. */
4726 return task_has_system(current
, SYSTEM__IPC_INFO
);
4729 perms
= MSGQ__GETATTR
| MSGQ__ASSOCIATE
;
4732 perms
= MSGQ__SETATTR
;
4735 perms
= MSGQ__DESTROY
;
4741 err
= ipc_has_perm(&msq
->q_perm
, perms
);
4745 static int selinux_msg_queue_msgsnd(struct msg_queue
*msq
, struct msg_msg
*msg
, int msqflg
)
4747 struct task_security_struct
*tsec
;
4748 struct ipc_security_struct
*isec
;
4749 struct msg_security_struct
*msec
;
4750 struct avc_audit_data ad
;
4753 tsec
= current
->security
;
4754 isec
= msq
->q_perm
.security
;
4755 msec
= msg
->security
;
4758 * First time through, need to assign label to the message
4760 if (msec
->sid
== SECINITSID_UNLABELED
) {
4762 * Compute new sid based on current process and
4763 * message queue this message will be stored in
4765 rc
= security_transition_sid(tsec
->sid
,
4773 AVC_AUDIT_DATA_INIT(&ad
, IPC
);
4774 ad
.u
.ipc_id
= msq
->q_perm
.key
;
4776 /* Can this process write to the queue? */
4777 rc
= avc_has_perm(tsec
->sid
, isec
->sid
, SECCLASS_MSGQ
,
4780 /* Can this process send the message */
4781 rc
= avc_has_perm(tsec
->sid
, msec
->sid
,
4782 SECCLASS_MSG
, MSG__SEND
, &ad
);
4784 /* Can the message be put in the queue? */
4785 rc
= avc_has_perm(msec
->sid
, isec
->sid
,
4786 SECCLASS_MSGQ
, MSGQ__ENQUEUE
, &ad
);
4791 static int selinux_msg_queue_msgrcv(struct msg_queue
*msq
, struct msg_msg
*msg
,
4792 struct task_struct
*target
,
4793 long type
, int mode
)
4795 struct task_security_struct
*tsec
;
4796 struct ipc_security_struct
*isec
;
4797 struct msg_security_struct
*msec
;
4798 struct avc_audit_data ad
;
4801 tsec
= target
->security
;
4802 isec
= msq
->q_perm
.security
;
4803 msec
= msg
->security
;
4805 AVC_AUDIT_DATA_INIT(&ad
, IPC
);
4806 ad
.u
.ipc_id
= msq
->q_perm
.key
;
4808 rc
= avc_has_perm(tsec
->sid
, isec
->sid
,
4809 SECCLASS_MSGQ
, MSGQ__READ
, &ad
);
4811 rc
= avc_has_perm(tsec
->sid
, msec
->sid
,
4812 SECCLASS_MSG
, MSG__RECEIVE
, &ad
);
4816 /* Shared Memory security operations */
4817 static int selinux_shm_alloc_security(struct shmid_kernel
*shp
)
4819 struct task_security_struct
*tsec
;
4820 struct ipc_security_struct
*isec
;
4821 struct avc_audit_data ad
;
4824 rc
= ipc_alloc_security(current
, &shp
->shm_perm
, SECCLASS_SHM
);
4828 tsec
= current
->security
;
4829 isec
= shp
->shm_perm
.security
;
4831 AVC_AUDIT_DATA_INIT(&ad
, IPC
);
4832 ad
.u
.ipc_id
= shp
->shm_perm
.key
;
4834 rc
= avc_has_perm(tsec
->sid
, isec
->sid
, SECCLASS_SHM
,
4837 ipc_free_security(&shp
->shm_perm
);
4843 static void selinux_shm_free_security(struct shmid_kernel
*shp
)
4845 ipc_free_security(&shp
->shm_perm
);
4848 static int selinux_shm_associate(struct shmid_kernel
*shp
, int shmflg
)
4850 struct task_security_struct
*tsec
;
4851 struct ipc_security_struct
*isec
;
4852 struct avc_audit_data ad
;
4854 tsec
= current
->security
;
4855 isec
= shp
->shm_perm
.security
;
4857 AVC_AUDIT_DATA_INIT(&ad
, IPC
);
4858 ad
.u
.ipc_id
= shp
->shm_perm
.key
;
4860 return avc_has_perm(tsec
->sid
, isec
->sid
, SECCLASS_SHM
,
4861 SHM__ASSOCIATE
, &ad
);
4864 /* Note, at this point, shp is locked down */
4865 static int selinux_shm_shmctl(struct shmid_kernel
*shp
, int cmd
)
4873 /* No specific object, just general system-wide information. */
4874 return task_has_system(current
, SYSTEM__IPC_INFO
);
4877 perms
= SHM__GETATTR
| SHM__ASSOCIATE
;
4880 perms
= SHM__SETATTR
;
4887 perms
= SHM__DESTROY
;
4893 err
= ipc_has_perm(&shp
->shm_perm
, perms
);
4897 static int selinux_shm_shmat(struct shmid_kernel
*shp
,
4898 char __user
*shmaddr
, int shmflg
)
4903 rc
= secondary_ops
->shm_shmat(shp
, shmaddr
, shmflg
);
4907 if (shmflg
& SHM_RDONLY
)
4910 perms
= SHM__READ
| SHM__WRITE
;
4912 return ipc_has_perm(&shp
->shm_perm
, perms
);
4915 /* Semaphore security operations */
4916 static int selinux_sem_alloc_security(struct sem_array
*sma
)
4918 struct task_security_struct
*tsec
;
4919 struct ipc_security_struct
*isec
;
4920 struct avc_audit_data ad
;
4923 rc
= ipc_alloc_security(current
, &sma
->sem_perm
, SECCLASS_SEM
);
4927 tsec
= current
->security
;
4928 isec
= sma
->sem_perm
.security
;
4930 AVC_AUDIT_DATA_INIT(&ad
, IPC
);
4931 ad
.u
.ipc_id
= sma
->sem_perm
.key
;
4933 rc
= avc_has_perm(tsec
->sid
, isec
->sid
, SECCLASS_SEM
,
4936 ipc_free_security(&sma
->sem_perm
);
4942 static void selinux_sem_free_security(struct sem_array
*sma
)
4944 ipc_free_security(&sma
->sem_perm
);
4947 static int selinux_sem_associate(struct sem_array
*sma
, int semflg
)
4949 struct task_security_struct
*tsec
;
4950 struct ipc_security_struct
*isec
;
4951 struct avc_audit_data ad
;
4953 tsec
= current
->security
;
4954 isec
= sma
->sem_perm
.security
;
4956 AVC_AUDIT_DATA_INIT(&ad
, IPC
);
4957 ad
.u
.ipc_id
= sma
->sem_perm
.key
;
4959 return avc_has_perm(tsec
->sid
, isec
->sid
, SECCLASS_SEM
,
4960 SEM__ASSOCIATE
, &ad
);
4963 /* Note, at this point, sma is locked down */
4964 static int selinux_sem_semctl(struct sem_array
*sma
, int cmd
)
4972 /* No specific object, just general system-wide information. */
4973 return task_has_system(current
, SYSTEM__IPC_INFO
);
4977 perms
= SEM__GETATTR
;
4988 perms
= SEM__DESTROY
;
4991 perms
= SEM__SETATTR
;
4995 perms
= SEM__GETATTR
| SEM__ASSOCIATE
;
5001 err
= ipc_has_perm(&sma
->sem_perm
, perms
);
5005 static int selinux_sem_semop(struct sem_array
*sma
,
5006 struct sembuf
*sops
, unsigned nsops
, int alter
)
5011 perms
= SEM__READ
| SEM__WRITE
;
5015 return ipc_has_perm(&sma
->sem_perm
, perms
);
5018 static int selinux_ipc_permission(struct kern_ipc_perm
*ipcp
, short flag
)
5024 av
|= IPC__UNIX_READ
;
5026 av
|= IPC__UNIX_WRITE
;
5031 return ipc_has_perm(ipcp
, av
);
5034 static void selinux_ipc_getsecid(struct kern_ipc_perm
*ipcp
, u32
*secid
)
5036 struct ipc_security_struct
*isec
= ipcp
->security
;
5040 /* module stacking operations */
5041 static int selinux_register_security(const char *name
, struct security_operations
*ops
)
5043 if (secondary_ops
!= original_ops
) {
5044 printk(KERN_ERR
"%s: There is already a secondary security "
5045 "module registered.\n", __func__
);
5049 secondary_ops
= ops
;
5051 printk(KERN_INFO
"%s: Registering secondary module %s\n",
5058 static void selinux_d_instantiate(struct dentry
*dentry
, struct inode
*inode
)
5061 inode_doinit_with_dentry(inode
, dentry
);
5064 static int selinux_getprocattr(struct task_struct
*p
,
5065 char *name
, char **value
)
5067 struct task_security_struct
*tsec
;
5073 error
= task_has_perm(current
, p
, PROCESS__GETATTR
);
5080 if (!strcmp(name
, "current"))
5082 else if (!strcmp(name
, "prev"))
5084 else if (!strcmp(name
, "exec"))
5085 sid
= tsec
->exec_sid
;
5086 else if (!strcmp(name
, "fscreate"))
5087 sid
= tsec
->create_sid
;
5088 else if (!strcmp(name
, "keycreate"))
5089 sid
= tsec
->keycreate_sid
;
5090 else if (!strcmp(name
, "sockcreate"))
5091 sid
= tsec
->sockcreate_sid
;
5098 error
= security_sid_to_context(sid
, value
, &len
);
5104 static int selinux_setprocattr(struct task_struct
*p
,
5105 char *name
, void *value
, size_t size
)
5107 struct task_security_struct
*tsec
;
5108 struct task_struct
*tracer
;
5114 /* SELinux only allows a process to change its own
5115 security attributes. */
5120 * Basic control over ability to set these attributes at all.
5121 * current == p, but we'll pass them separately in case the
5122 * above restriction is ever removed.
5124 if (!strcmp(name
, "exec"))
5125 error
= task_has_perm(current
, p
, PROCESS__SETEXEC
);
5126 else if (!strcmp(name
, "fscreate"))
5127 error
= task_has_perm(current
, p
, PROCESS__SETFSCREATE
);
5128 else if (!strcmp(name
, "keycreate"))
5129 error
= task_has_perm(current
, p
, PROCESS__SETKEYCREATE
);
5130 else if (!strcmp(name
, "sockcreate"))
5131 error
= task_has_perm(current
, p
, PROCESS__SETSOCKCREATE
);
5132 else if (!strcmp(name
, "current"))
5133 error
= task_has_perm(current
, p
, PROCESS__SETCURRENT
);
5139 /* Obtain a SID for the context, if one was specified. */
5140 if (size
&& str
[1] && str
[1] != '\n') {
5141 if (str
[size
-1] == '\n') {
5145 error
= security_context_to_sid(value
, size
, &sid
);
5150 /* Permission checking based on the specified context is
5151 performed during the actual operation (execve,
5152 open/mkdir/...), when we know the full context of the
5153 operation. See selinux_bprm_set_security for the execve
5154 checks and may_create for the file creation checks. The
5155 operation will then fail if the context is not permitted. */
5157 if (!strcmp(name
, "exec"))
5158 tsec
->exec_sid
= sid
;
5159 else if (!strcmp(name
, "fscreate"))
5160 tsec
->create_sid
= sid
;
5161 else if (!strcmp(name
, "keycreate")) {
5162 error
= may_create_key(sid
, p
);
5165 tsec
->keycreate_sid
= sid
;
5166 } else if (!strcmp(name
, "sockcreate"))
5167 tsec
->sockcreate_sid
= sid
;
5168 else if (!strcmp(name
, "current")) {
5169 struct av_decision avd
;
5174 /* Only allow single threaded processes to change context */
5175 if (atomic_read(&p
->mm
->mm_users
) != 1) {
5176 struct task_struct
*g
, *t
;
5177 struct mm_struct
*mm
= p
->mm
;
5178 read_lock(&tasklist_lock
);
5179 do_each_thread(g
, t
)
5180 if (t
->mm
== mm
&& t
!= p
) {
5181 read_unlock(&tasklist_lock
);
5184 while_each_thread(g
, t
);
5185 read_unlock(&tasklist_lock
);
5188 /* Check permissions for the transition. */
5189 error
= avc_has_perm(tsec
->sid
, sid
, SECCLASS_PROCESS
,
5190 PROCESS__DYNTRANSITION
, NULL
);
5194 /* Check for ptracing, and update the task SID if ok.
5195 Otherwise, leave SID unchanged and fail. */
5198 tracer
= task_tracer_task(p
);
5199 if (tracer
!= NULL
) {
5200 struct task_security_struct
*ptsec
= tracer
->security
;
5201 u32 ptsid
= ptsec
->sid
;
5203 error
= avc_has_perm_noaudit(ptsid
, sid
,
5205 PROCESS__PTRACE
, 0, &avd
);
5209 avc_audit(ptsid
, sid
, SECCLASS_PROCESS
,
5210 PROCESS__PTRACE
, &avd
, error
, NULL
);
5224 static int selinux_secid_to_secctx(u32 secid
, char **secdata
, u32
*seclen
)
5226 return security_sid_to_context(secid
, secdata
, seclen
);
5229 static int selinux_secctx_to_secid(char *secdata
, u32 seclen
, u32
*secid
)
5231 return security_context_to_sid(secdata
, seclen
, secid
);
5234 static void selinux_release_secctx(char *secdata
, u32 seclen
)
5241 static int selinux_key_alloc(struct key
*k
, struct task_struct
*tsk
,
5242 unsigned long flags
)
5244 struct task_security_struct
*tsec
= tsk
->security
;
5245 struct key_security_struct
*ksec
;
5247 ksec
= kzalloc(sizeof(struct key_security_struct
), GFP_KERNEL
);
5251 if (tsec
->keycreate_sid
)
5252 ksec
->sid
= tsec
->keycreate_sid
;
5254 ksec
->sid
= tsec
->sid
;
5260 static void selinux_key_free(struct key
*k
)
5262 struct key_security_struct
*ksec
= k
->security
;
5268 static int selinux_key_permission(key_ref_t key_ref
,
5269 struct task_struct
*ctx
,
5273 struct task_security_struct
*tsec
;
5274 struct key_security_struct
*ksec
;
5276 key
= key_ref_to_ptr(key_ref
);
5278 tsec
= ctx
->security
;
5279 ksec
= key
->security
;
5281 /* if no specific permissions are requested, we skip the
5282 permission check. No serious, additional covert channels
5283 appear to be created. */
5287 return avc_has_perm(tsec
->sid
, ksec
->sid
,
5288 SECCLASS_KEY
, perm
, NULL
);
5293 static struct security_operations selinux_ops
= {
5296 .ptrace
= selinux_ptrace
,
5297 .capget
= selinux_capget
,
5298 .capset_check
= selinux_capset_check
,
5299 .capset_set
= selinux_capset_set
,
5300 .sysctl
= selinux_sysctl
,
5301 .capable
= selinux_capable
,
5302 .quotactl
= selinux_quotactl
,
5303 .quota_on
= selinux_quota_on
,
5304 .syslog
= selinux_syslog
,
5305 .vm_enough_memory
= selinux_vm_enough_memory
,
5307 .netlink_send
= selinux_netlink_send
,
5308 .netlink_recv
= selinux_netlink_recv
,
5310 .bprm_alloc_security
= selinux_bprm_alloc_security
,
5311 .bprm_free_security
= selinux_bprm_free_security
,
5312 .bprm_apply_creds
= selinux_bprm_apply_creds
,
5313 .bprm_post_apply_creds
= selinux_bprm_post_apply_creds
,
5314 .bprm_set_security
= selinux_bprm_set_security
,
5315 .bprm_check_security
= selinux_bprm_check_security
,
5316 .bprm_secureexec
= selinux_bprm_secureexec
,
5318 .sb_alloc_security
= selinux_sb_alloc_security
,
5319 .sb_free_security
= selinux_sb_free_security
,
5320 .sb_copy_data
= selinux_sb_copy_data
,
5321 .sb_kern_mount
= selinux_sb_kern_mount
,
5322 .sb_statfs
= selinux_sb_statfs
,
5323 .sb_mount
= selinux_mount
,
5324 .sb_umount
= selinux_umount
,
5325 .sb_get_mnt_opts
= selinux_get_mnt_opts
,
5326 .sb_set_mnt_opts
= selinux_set_mnt_opts
,
5327 .sb_clone_mnt_opts
= selinux_sb_clone_mnt_opts
,
5328 .sb_parse_opts_str
= selinux_parse_opts_str
,
5331 .inode_alloc_security
= selinux_inode_alloc_security
,
5332 .inode_free_security
= selinux_inode_free_security
,
5333 .inode_init_security
= selinux_inode_init_security
,
5334 .inode_create
= selinux_inode_create
,
5335 .inode_link
= selinux_inode_link
,
5336 .inode_unlink
= selinux_inode_unlink
,
5337 .inode_symlink
= selinux_inode_symlink
,
5338 .inode_mkdir
= selinux_inode_mkdir
,
5339 .inode_rmdir
= selinux_inode_rmdir
,
5340 .inode_mknod
= selinux_inode_mknod
,
5341 .inode_rename
= selinux_inode_rename
,
5342 .inode_readlink
= selinux_inode_readlink
,
5343 .inode_follow_link
= selinux_inode_follow_link
,
5344 .inode_permission
= selinux_inode_permission
,
5345 .inode_setattr
= selinux_inode_setattr
,
5346 .inode_getattr
= selinux_inode_getattr
,
5347 .inode_setxattr
= selinux_inode_setxattr
,
5348 .inode_post_setxattr
= selinux_inode_post_setxattr
,
5349 .inode_getxattr
= selinux_inode_getxattr
,
5350 .inode_listxattr
= selinux_inode_listxattr
,
5351 .inode_removexattr
= selinux_inode_removexattr
,
5352 .inode_getsecurity
= selinux_inode_getsecurity
,
5353 .inode_setsecurity
= selinux_inode_setsecurity
,
5354 .inode_listsecurity
= selinux_inode_listsecurity
,
5355 .inode_need_killpriv
= selinux_inode_need_killpriv
,
5356 .inode_killpriv
= selinux_inode_killpriv
,
5357 .inode_getsecid
= selinux_inode_getsecid
,
5359 .file_permission
= selinux_file_permission
,
5360 .file_alloc_security
= selinux_file_alloc_security
,
5361 .file_free_security
= selinux_file_free_security
,
5362 .file_ioctl
= selinux_file_ioctl
,
5363 .file_mmap
= selinux_file_mmap
,
5364 .file_mprotect
= selinux_file_mprotect
,
5365 .file_lock
= selinux_file_lock
,
5366 .file_fcntl
= selinux_file_fcntl
,
5367 .file_set_fowner
= selinux_file_set_fowner
,
5368 .file_send_sigiotask
= selinux_file_send_sigiotask
,
5369 .file_receive
= selinux_file_receive
,
5371 .dentry_open
= selinux_dentry_open
,
5373 .task_create
= selinux_task_create
,
5374 .task_alloc_security
= selinux_task_alloc_security
,
5375 .task_free_security
= selinux_task_free_security
,
5376 .task_setuid
= selinux_task_setuid
,
5377 .task_post_setuid
= selinux_task_post_setuid
,
5378 .task_setgid
= selinux_task_setgid
,
5379 .task_setpgid
= selinux_task_setpgid
,
5380 .task_getpgid
= selinux_task_getpgid
,
5381 .task_getsid
= selinux_task_getsid
,
5382 .task_getsecid
= selinux_task_getsecid
,
5383 .task_setgroups
= selinux_task_setgroups
,
5384 .task_setnice
= selinux_task_setnice
,
5385 .task_setioprio
= selinux_task_setioprio
,
5386 .task_getioprio
= selinux_task_getioprio
,
5387 .task_setrlimit
= selinux_task_setrlimit
,
5388 .task_setscheduler
= selinux_task_setscheduler
,
5389 .task_getscheduler
= selinux_task_getscheduler
,
5390 .task_movememory
= selinux_task_movememory
,
5391 .task_kill
= selinux_task_kill
,
5392 .task_wait
= selinux_task_wait
,
5393 .task_prctl
= selinux_task_prctl
,
5394 .task_reparent_to_init
= selinux_task_reparent_to_init
,
5395 .task_to_inode
= selinux_task_to_inode
,
5397 .ipc_permission
= selinux_ipc_permission
,
5398 .ipc_getsecid
= selinux_ipc_getsecid
,
5400 .msg_msg_alloc_security
= selinux_msg_msg_alloc_security
,
5401 .msg_msg_free_security
= selinux_msg_msg_free_security
,
5403 .msg_queue_alloc_security
= selinux_msg_queue_alloc_security
,
5404 .msg_queue_free_security
= selinux_msg_queue_free_security
,
5405 .msg_queue_associate
= selinux_msg_queue_associate
,
5406 .msg_queue_msgctl
= selinux_msg_queue_msgctl
,
5407 .msg_queue_msgsnd
= selinux_msg_queue_msgsnd
,
5408 .msg_queue_msgrcv
= selinux_msg_queue_msgrcv
,
5410 .shm_alloc_security
= selinux_shm_alloc_security
,
5411 .shm_free_security
= selinux_shm_free_security
,
5412 .shm_associate
= selinux_shm_associate
,
5413 .shm_shmctl
= selinux_shm_shmctl
,
5414 .shm_shmat
= selinux_shm_shmat
,
5416 .sem_alloc_security
= selinux_sem_alloc_security
,
5417 .sem_free_security
= selinux_sem_free_security
,
5418 .sem_associate
= selinux_sem_associate
,
5419 .sem_semctl
= selinux_sem_semctl
,
5420 .sem_semop
= selinux_sem_semop
,
5422 .register_security
= selinux_register_security
,
5424 .d_instantiate
= selinux_d_instantiate
,
5426 .getprocattr
= selinux_getprocattr
,
5427 .setprocattr
= selinux_setprocattr
,
5429 .secid_to_secctx
= selinux_secid_to_secctx
,
5430 .secctx_to_secid
= selinux_secctx_to_secid
,
5431 .release_secctx
= selinux_release_secctx
,
5433 .unix_stream_connect
= selinux_socket_unix_stream_connect
,
5434 .unix_may_send
= selinux_socket_unix_may_send
,
5436 .socket_create
= selinux_socket_create
,
5437 .socket_post_create
= selinux_socket_post_create
,
5438 .socket_bind
= selinux_socket_bind
,
5439 .socket_connect
= selinux_socket_connect
,
5440 .socket_listen
= selinux_socket_listen
,
5441 .socket_accept
= selinux_socket_accept
,
5442 .socket_sendmsg
= selinux_socket_sendmsg
,
5443 .socket_recvmsg
= selinux_socket_recvmsg
,
5444 .socket_getsockname
= selinux_socket_getsockname
,
5445 .socket_getpeername
= selinux_socket_getpeername
,
5446 .socket_getsockopt
= selinux_socket_getsockopt
,
5447 .socket_setsockopt
= selinux_socket_setsockopt
,
5448 .socket_shutdown
= selinux_socket_shutdown
,
5449 .socket_sock_rcv_skb
= selinux_socket_sock_rcv_skb
,
5450 .socket_getpeersec_stream
= selinux_socket_getpeersec_stream
,
5451 .socket_getpeersec_dgram
= selinux_socket_getpeersec_dgram
,
5452 .sk_alloc_security
= selinux_sk_alloc_security
,
5453 .sk_free_security
= selinux_sk_free_security
,
5454 .sk_clone_security
= selinux_sk_clone_security
,
5455 .sk_getsecid
= selinux_sk_getsecid
,
5456 .sock_graft
= selinux_sock_graft
,
5457 .inet_conn_request
= selinux_inet_conn_request
,
5458 .inet_csk_clone
= selinux_inet_csk_clone
,
5459 .inet_conn_established
= selinux_inet_conn_established
,
5460 .req_classify_flow
= selinux_req_classify_flow
,
5462 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5463 .xfrm_policy_alloc_security
= selinux_xfrm_policy_alloc
,
5464 .xfrm_policy_clone_security
= selinux_xfrm_policy_clone
,
5465 .xfrm_policy_free_security
= selinux_xfrm_policy_free
,
5466 .xfrm_policy_delete_security
= selinux_xfrm_policy_delete
,
5467 .xfrm_state_alloc_security
= selinux_xfrm_state_alloc
,
5468 .xfrm_state_free_security
= selinux_xfrm_state_free
,
5469 .xfrm_state_delete_security
= selinux_xfrm_state_delete
,
5470 .xfrm_policy_lookup
= selinux_xfrm_policy_lookup
,
5471 .xfrm_state_pol_flow_match
= selinux_xfrm_state_pol_flow_match
,
5472 .xfrm_decode_session
= selinux_xfrm_decode_session
,
5476 .key_alloc
= selinux_key_alloc
,
5477 .key_free
= selinux_key_free
,
5478 .key_permission
= selinux_key_permission
,
5482 .audit_rule_init
= selinux_audit_rule_init
,
5483 .audit_rule_known
= selinux_audit_rule_known
,
5484 .audit_rule_match
= selinux_audit_rule_match
,
5485 .audit_rule_free
= selinux_audit_rule_free
,
5489 static __init
int selinux_init(void)
5491 struct task_security_struct
*tsec
;
5493 if (!security_module_enable(&selinux_ops
)) {
5494 selinux_enabled
= 0;
5498 if (!selinux_enabled
) {
5499 printk(KERN_INFO
"SELinux: Disabled at boot.\n");
5503 printk(KERN_INFO
"SELinux: Initializing.\n");
5505 /* Set the security state for the initial task. */
5506 if (task_alloc_security(current
))
5507 panic("SELinux: Failed to initialize initial task.\n");
5508 tsec
= current
->security
;
5509 tsec
->osid
= tsec
->sid
= SECINITSID_KERNEL
;
5511 sel_inode_cache
= kmem_cache_create("selinux_inode_security",
5512 sizeof(struct inode_security_struct
),
5513 0, SLAB_PANIC
, NULL
);
5516 original_ops
= secondary_ops
= security_ops
;
5518 panic("SELinux: No initial security operations\n");
5519 if (register_security(&selinux_ops
))
5520 panic("SELinux: Unable to register with kernel.\n");
5522 if (selinux_enforcing
)
5523 printk(KERN_DEBUG
"SELinux: Starting in enforcing mode\n");
5525 printk(KERN_DEBUG
"SELinux: Starting in permissive mode\n");
5528 /* Add security information to initial keyrings */
5529 selinux_key_alloc(&root_user_keyring
, current
,
5530 KEY_ALLOC_NOT_IN_QUOTA
);
5531 selinux_key_alloc(&root_session_keyring
, current
,
5532 KEY_ALLOC_NOT_IN_QUOTA
);
5538 void selinux_complete_init(void)
5540 printk(KERN_DEBUG
"SELinux: Completing initialization.\n");
5542 /* Set up any superblocks initialized prior to the policy load. */
5543 printk(KERN_DEBUG
"SELinux: Setting up existing superblocks.\n");
5544 spin_lock(&sb_lock
);
5545 spin_lock(&sb_security_lock
);
5547 if (!list_empty(&superblock_security_head
)) {
5548 struct superblock_security_struct
*sbsec
=
5549 list_entry(superblock_security_head
.next
,
5550 struct superblock_security_struct
,
5552 struct super_block
*sb
= sbsec
->sb
;
5554 spin_unlock(&sb_security_lock
);
5555 spin_unlock(&sb_lock
);
5556 down_read(&sb
->s_umount
);
5558 superblock_doinit(sb
, NULL
);
5560 spin_lock(&sb_lock
);
5561 spin_lock(&sb_security_lock
);
5562 list_del_init(&sbsec
->list
);
5565 spin_unlock(&sb_security_lock
);
5566 spin_unlock(&sb_lock
);
5569 /* SELinux requires early initialization in order to label
5570 all processes and objects when they are created. */
5571 security_initcall(selinux_init
);
5573 #if defined(CONFIG_NETFILTER)
5575 static struct nf_hook_ops selinux_ipv4_ops
[] = {
5577 .hook
= selinux_ipv4_postroute
,
5578 .owner
= THIS_MODULE
,
5580 .hooknum
= NF_INET_POST_ROUTING
,
5581 .priority
= NF_IP_PRI_SELINUX_LAST
,
5584 .hook
= selinux_ipv4_forward
,
5585 .owner
= THIS_MODULE
,
5587 .hooknum
= NF_INET_FORWARD
,
5588 .priority
= NF_IP_PRI_SELINUX_FIRST
,
5592 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5594 static struct nf_hook_ops selinux_ipv6_ops
[] = {
5596 .hook
= selinux_ipv6_postroute
,
5597 .owner
= THIS_MODULE
,
5599 .hooknum
= NF_INET_POST_ROUTING
,
5600 .priority
= NF_IP6_PRI_SELINUX_LAST
,
5603 .hook
= selinux_ipv6_forward
,
5604 .owner
= THIS_MODULE
,
5606 .hooknum
= NF_INET_FORWARD
,
5607 .priority
= NF_IP6_PRI_SELINUX_FIRST
,
5613 static int __init
selinux_nf_ip_init(void)
5618 if (!selinux_enabled
)
5621 printk(KERN_DEBUG
"SELinux: Registering netfilter hooks\n");
5623 for (iter
= 0; iter
< ARRAY_SIZE(selinux_ipv4_ops
); iter
++) {
5624 err
= nf_register_hook(&selinux_ipv4_ops
[iter
]);
5626 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5630 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5631 for (iter
= 0; iter
< ARRAY_SIZE(selinux_ipv6_ops
); iter
++) {
5632 err
= nf_register_hook(&selinux_ipv6_ops
[iter
]);
5634 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5643 __initcall(selinux_nf_ip_init
);
5645 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5646 static void selinux_nf_ip_exit(void)
5650 printk(KERN_DEBUG
"SELinux: Unregistering netfilter hooks\n");
5652 for (iter
= 0; iter
< ARRAY_SIZE(selinux_ipv4_ops
); iter
++)
5653 nf_unregister_hook(&selinux_ipv4_ops
[iter
]);
5654 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5655 for (iter
= 0; iter
< ARRAY_SIZE(selinux_ipv6_ops
); iter
++)
5656 nf_unregister_hook(&selinux_ipv6_ops
[iter
]);
5661 #else /* CONFIG_NETFILTER */
5663 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5664 #define selinux_nf_ip_exit()
5667 #endif /* CONFIG_NETFILTER */
5669 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5670 static int selinux_disabled
;
5672 int selinux_disable(void)
5674 extern void exit_sel_fs(void);
5676 if (ss_initialized
) {
5677 /* Not permitted after initial policy load. */
5681 if (selinux_disabled
) {
5682 /* Only do this once. */
5686 printk(KERN_INFO
"SELinux: Disabled at runtime.\n");
5688 selinux_disabled
= 1;
5689 selinux_enabled
= 0;
5691 /* Reset security_ops to the secondary module, dummy or capability. */
5692 security_ops
= secondary_ops
;
5694 /* Unregister netfilter hooks. */
5695 selinux_nf_ip_exit();
5697 /* Unregister selinuxfs. */