2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
53 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
97 #define NUM_SEL_MNT_OPTS 5
99 extern struct security_operations *security_ops;
101 /* SECMARK reference count */
102 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
104 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105 int selinux_enforcing;
107 static int __init enforcing_setup(char *str)
109 unsigned long enforcing;
110 if (!strict_strtoul(str, 0, &enforcing))
111 selinux_enforcing = enforcing ? 1 : 0;
114 __setup("enforcing=", enforcing_setup);
117 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
120 static int __init selinux_enabled_setup(char *str)
122 unsigned long enabled;
123 if (!strict_strtoul(str, 0, &enabled))
124 selinux_enabled = enabled ? 1 : 0;
127 __setup("selinux=", selinux_enabled_setup);
129 int selinux_enabled = 1;
132 static struct kmem_cache *sel_inode_cache;
135 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
138 * This function checks the SECMARK reference counter to see if any SECMARK
139 * targets are currently configured, if the reference counter is greater than
140 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
141 * enabled, false (0) if SECMARK is disabled.
144 static int selinux_secmark_enabled(void)
146 return (atomic_read(&selinux_secmark_refcount) > 0);
150 * initialise the security for the init task
152 static void cred_init_security(void)
154 struct cred *cred = (struct cred *) current->real_cred;
155 struct task_security_struct *tsec;
157 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
159 panic("SELinux: Failed to initialize initial task.\n");
161 tsec->osid = tsec->sid = SECINITSID_KERNEL;
162 cred->security = tsec;
166 * get the security ID of a set of credentials
168 static inline u32 cred_sid(const struct cred *cred)
170 const struct task_security_struct *tsec;
172 tsec = cred->security;
177 * get the objective security ID of a task
179 static inline u32 task_sid(const struct task_struct *task)
184 sid = cred_sid(__task_cred(task));
190 * get the subjective security ID of the current task
192 static inline u32 current_sid(void)
194 const struct task_security_struct *tsec = current_security();
199 /* Allocate and free functions for each kind of security blob. */
201 static int inode_alloc_security(struct inode *inode)
203 struct inode_security_struct *isec;
204 u32 sid = current_sid();
206 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
210 mutex_init(&isec->lock);
211 INIT_LIST_HEAD(&isec->list);
213 isec->sid = SECINITSID_UNLABELED;
214 isec->sclass = SECCLASS_FILE;
215 isec->task_sid = sid;
216 inode->i_security = isec;
221 static void inode_free_security(struct inode *inode)
223 struct inode_security_struct *isec = inode->i_security;
224 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
226 spin_lock(&sbsec->isec_lock);
227 if (!list_empty(&isec->list))
228 list_del_init(&isec->list);
229 spin_unlock(&sbsec->isec_lock);
231 inode->i_security = NULL;
232 kmem_cache_free(sel_inode_cache, isec);
235 static int file_alloc_security(struct file *file)
237 struct file_security_struct *fsec;
238 u32 sid = current_sid();
240 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
245 fsec->fown_sid = sid;
246 file->f_security = fsec;
251 static void file_free_security(struct file *file)
253 struct file_security_struct *fsec = file->f_security;
254 file->f_security = NULL;
258 static int superblock_alloc_security(struct super_block *sb)
260 struct superblock_security_struct *sbsec;
262 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
266 mutex_init(&sbsec->lock);
267 INIT_LIST_HEAD(&sbsec->isec_head);
268 spin_lock_init(&sbsec->isec_lock);
270 sbsec->sid = SECINITSID_UNLABELED;
271 sbsec->def_sid = SECINITSID_FILE;
272 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
273 sb->s_security = sbsec;
278 static void superblock_free_security(struct super_block *sb)
280 struct superblock_security_struct *sbsec = sb->s_security;
281 sb->s_security = NULL;
285 /* The file system's label must be initialized prior to use. */
287 static const char *labeling_behaviors[6] = {
289 "uses transition SIDs",
291 "uses genfs_contexts",
292 "not configured for labeling",
293 "uses mountpoint labeling",
296 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
298 static inline int inode_doinit(struct inode *inode)
300 return inode_doinit_with_dentry(inode, NULL);
309 Opt_labelsupport = 5,
312 static const match_table_t tokens = {
313 {Opt_context, CONTEXT_STR "%s"},
314 {Opt_fscontext, FSCONTEXT_STR "%s"},
315 {Opt_defcontext, DEFCONTEXT_STR "%s"},
316 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
317 {Opt_labelsupport, LABELSUPP_STR},
321 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
323 static int may_context_mount_sb_relabel(u32 sid,
324 struct superblock_security_struct *sbsec,
325 const struct cred *cred)
327 const struct task_security_struct *tsec = cred->security;
330 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
331 FILESYSTEM__RELABELFROM, NULL);
335 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
336 FILESYSTEM__RELABELTO, NULL);
340 static int may_context_mount_inode_relabel(u32 sid,
341 struct superblock_security_struct *sbsec,
342 const struct cred *cred)
344 const struct task_security_struct *tsec = cred->security;
346 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
347 FILESYSTEM__RELABELFROM, NULL);
351 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
352 FILESYSTEM__ASSOCIATE, NULL);
356 static int sb_finish_set_opts(struct super_block *sb)
358 struct superblock_security_struct *sbsec = sb->s_security;
359 struct dentry *root = sb->s_root;
360 struct inode *root_inode = root->d_inode;
363 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
364 /* Make sure that the xattr handler exists and that no
365 error other than -ENODATA is returned by getxattr on
366 the root directory. -ENODATA is ok, as this may be
367 the first boot of the SELinux kernel before we have
368 assigned xattr values to the filesystem. */
369 if (!root_inode->i_op->getxattr) {
370 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
371 "xattr support\n", sb->s_id, sb->s_type->name);
375 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
376 if (rc < 0 && rc != -ENODATA) {
377 if (rc == -EOPNOTSUPP)
378 printk(KERN_WARNING "SELinux: (dev %s, type "
379 "%s) has no security xattr handler\n",
380 sb->s_id, sb->s_type->name);
382 printk(KERN_WARNING "SELinux: (dev %s, type "
383 "%s) getxattr errno %d\n", sb->s_id,
384 sb->s_type->name, -rc);
389 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
391 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
392 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
393 sb->s_id, sb->s_type->name);
395 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
396 sb->s_id, sb->s_type->name,
397 labeling_behaviors[sbsec->behavior-1]);
399 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
400 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
401 sbsec->behavior == SECURITY_FS_USE_NONE ||
402 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403 sbsec->flags &= ~SE_SBLABELSUPP;
405 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
406 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
407 sbsec->flags |= SE_SBLABELSUPP;
410 * Special handling for rootfs. Is genfs but supports
411 * setting SELinux context on in-core inodes.
413 if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
414 sbsec->flags |= SE_SBLABELSUPP;
416 /* Initialize the root inode. */
417 rc = inode_doinit_with_dentry(root_inode, root);
419 /* Initialize any other inodes associated with the superblock, e.g.
420 inodes created prior to initial policy load or inodes created
421 during get_sb by a pseudo filesystem that directly
423 spin_lock(&sbsec->isec_lock);
425 if (!list_empty(&sbsec->isec_head)) {
426 struct inode_security_struct *isec =
427 list_entry(sbsec->isec_head.next,
428 struct inode_security_struct, list);
429 struct inode *inode = isec->inode;
430 spin_unlock(&sbsec->isec_lock);
431 inode = igrab(inode);
433 if (!IS_PRIVATE(inode))
437 spin_lock(&sbsec->isec_lock);
438 list_del_init(&isec->list);
441 spin_unlock(&sbsec->isec_lock);
447 * This function should allow an FS to ask what it's mount security
448 * options were so it can use those later for submounts, displaying
449 * mount options, or whatever.
451 static int selinux_get_mnt_opts(const struct super_block *sb,
452 struct security_mnt_opts *opts)
455 struct superblock_security_struct *sbsec = sb->s_security;
456 char *context = NULL;
460 security_init_mnt_opts(opts);
462 if (!(sbsec->flags & SE_SBINITIALIZED))
468 tmp = sbsec->flags & SE_MNTMASK;
469 /* count the number of mount options for this sb */
470 for (i = 0; i < 8; i++) {
472 opts->num_mnt_opts++;
475 /* Check if the Label support flag is set */
476 if (sbsec->flags & SE_SBLABELSUPP)
477 opts->num_mnt_opts++;
479 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
480 if (!opts->mnt_opts) {
485 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
486 if (!opts->mnt_opts_flags) {
492 if (sbsec->flags & FSCONTEXT_MNT) {
493 rc = security_sid_to_context(sbsec->sid, &context, &len);
496 opts->mnt_opts[i] = context;
497 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
499 if (sbsec->flags & CONTEXT_MNT) {
500 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
503 opts->mnt_opts[i] = context;
504 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
506 if (sbsec->flags & DEFCONTEXT_MNT) {
507 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
510 opts->mnt_opts[i] = context;
511 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
513 if (sbsec->flags & ROOTCONTEXT_MNT) {
514 struct inode *root = sbsec->sb->s_root->d_inode;
515 struct inode_security_struct *isec = root->i_security;
517 rc = security_sid_to_context(isec->sid, &context, &len);
520 opts->mnt_opts[i] = context;
521 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
523 if (sbsec->flags & SE_SBLABELSUPP) {
524 opts->mnt_opts[i] = NULL;
525 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
528 BUG_ON(i != opts->num_mnt_opts);
533 security_free_mnt_opts(opts);
537 static int bad_option(struct superblock_security_struct *sbsec, char flag,
538 u32 old_sid, u32 new_sid)
540 char mnt_flags = sbsec->flags & SE_MNTMASK;
542 /* check if the old mount command had the same options */
543 if (sbsec->flags & SE_SBINITIALIZED)
544 if (!(sbsec->flags & flag) ||
545 (old_sid != new_sid))
548 /* check if we were passed the same options twice,
549 * aka someone passed context=a,context=b
551 if (!(sbsec->flags & SE_SBINITIALIZED))
552 if (mnt_flags & flag)
558 * Allow filesystems with binary mount data to explicitly set mount point
559 * labeling information.
561 static int selinux_set_mnt_opts(struct super_block *sb,
562 struct security_mnt_opts *opts)
564 const struct cred *cred = current_cred();
566 struct superblock_security_struct *sbsec = sb->s_security;
567 const char *name = sb->s_type->name;
568 struct inode *inode = sbsec->sb->s_root->d_inode;
569 struct inode_security_struct *root_isec = inode->i_security;
570 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
571 u32 defcontext_sid = 0;
572 char **mount_options = opts->mnt_opts;
573 int *flags = opts->mnt_opts_flags;
574 int num_opts = opts->num_mnt_opts;
576 mutex_lock(&sbsec->lock);
578 if (!ss_initialized) {
580 /* Defer initialization until selinux_complete_init,
581 after the initial policy is loaded and the security
582 server is ready to handle calls. */
586 printk(KERN_WARNING "SELinux: Unable to set superblock options "
587 "before the security server is initialized\n");
592 * Binary mount data FS will come through this function twice. Once
593 * from an explicit call and once from the generic calls from the vfs.
594 * Since the generic VFS calls will not contain any security mount data
595 * we need to skip the double mount verification.
597 * This does open a hole in which we will not notice if the first
598 * mount using this sb set explict options and a second mount using
599 * this sb does not set any security options. (The first options
600 * will be used for both mounts)
602 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
607 * parse the mount options, check if they are valid sids.
608 * also check if someone is trying to mount the same sb more
609 * than once with different security options.
611 for (i = 0; i < num_opts; i++) {
614 if (flags[i] == SE_SBLABELSUPP)
616 rc = security_context_to_sid(mount_options[i],
617 strlen(mount_options[i]), &sid);
619 printk(KERN_WARNING "SELinux: security_context_to_sid"
620 "(%s) failed for (dev %s, type %s) errno=%d\n",
621 mount_options[i], sb->s_id, name, rc);
628 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
630 goto out_double_mount;
632 sbsec->flags |= FSCONTEXT_MNT;
637 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
639 goto out_double_mount;
641 sbsec->flags |= CONTEXT_MNT;
643 case ROOTCONTEXT_MNT:
644 rootcontext_sid = sid;
646 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
648 goto out_double_mount;
650 sbsec->flags |= ROOTCONTEXT_MNT;
654 defcontext_sid = sid;
656 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
658 goto out_double_mount;
660 sbsec->flags |= DEFCONTEXT_MNT;
669 if (sbsec->flags & SE_SBINITIALIZED) {
670 /* previously mounted with options, but not on this attempt? */
671 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
672 goto out_double_mount;
677 if (strcmp(sb->s_type->name, "proc") == 0)
678 sbsec->flags |= SE_SBPROC;
680 /* Determine the labeling behavior to use for this filesystem type. */
681 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
683 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
684 __func__, sb->s_type->name, rc);
688 /* sets the context of the superblock for the fs being mounted. */
690 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
694 sbsec->sid = fscontext_sid;
698 * Switch to using mount point labeling behavior.
699 * sets the label used on all file below the mountpoint, and will set
700 * the superblock context if not already set.
703 if (!fscontext_sid) {
704 rc = may_context_mount_sb_relabel(context_sid, sbsec,
708 sbsec->sid = context_sid;
710 rc = may_context_mount_inode_relabel(context_sid, sbsec,
715 if (!rootcontext_sid)
716 rootcontext_sid = context_sid;
718 sbsec->mntpoint_sid = context_sid;
719 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
722 if (rootcontext_sid) {
723 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
728 root_isec->sid = rootcontext_sid;
729 root_isec->initialized = 1;
732 if (defcontext_sid) {
733 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
735 printk(KERN_WARNING "SELinux: defcontext option is "
736 "invalid for this filesystem type\n");
740 if (defcontext_sid != sbsec->def_sid) {
741 rc = may_context_mount_inode_relabel(defcontext_sid,
747 sbsec->def_sid = defcontext_sid;
750 rc = sb_finish_set_opts(sb);
752 mutex_unlock(&sbsec->lock);
756 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
757 "security settings for (dev %s, type %s)\n", sb->s_id, name);
761 static int selinux_cmp_sb_context(const struct super_block *oldsb,
762 const struct super_block *newsb)
764 struct superblock_security_struct *old = oldsb->s_security;
765 struct superblock_security_struct *new = newsb->s_security;
766 char oldflags = old->flags & SE_MNTMASK;
767 char newflags = new->flags & SE_MNTMASK;
769 if (oldflags != newflags)
771 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
773 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
775 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
777 if (oldflags & ROOTCONTEXT_MNT) {
778 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
779 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
780 if (oldroot->sid != newroot->sid)
785 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
786 "different security settings for (dev %s, "
787 "type %s)\n", newsb->s_id, newsb->s_type->name);
791 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
792 struct super_block *newsb)
794 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
795 struct superblock_security_struct *newsbsec = newsb->s_security;
797 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
798 int set_context = (oldsbsec->flags & CONTEXT_MNT);
799 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
802 * if the parent was able to be mounted it clearly had no special lsm
803 * mount options. thus we can safely deal with this superblock later
808 /* how can we clone if the old one wasn't set up?? */
809 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
811 /* if fs is reusing a sb, make sure that the contexts match */
812 if (newsbsec->flags & SE_SBINITIALIZED)
813 return selinux_cmp_sb_context(oldsb, newsb);
815 mutex_lock(&newsbsec->lock);
817 newsbsec->flags = oldsbsec->flags;
819 newsbsec->sid = oldsbsec->sid;
820 newsbsec->def_sid = oldsbsec->def_sid;
821 newsbsec->behavior = oldsbsec->behavior;
824 u32 sid = oldsbsec->mntpoint_sid;
828 if (!set_rootcontext) {
829 struct inode *newinode = newsb->s_root->d_inode;
830 struct inode_security_struct *newisec = newinode->i_security;
833 newsbsec->mntpoint_sid = sid;
835 if (set_rootcontext) {
836 const struct inode *oldinode = oldsb->s_root->d_inode;
837 const struct inode_security_struct *oldisec = oldinode->i_security;
838 struct inode *newinode = newsb->s_root->d_inode;
839 struct inode_security_struct *newisec = newinode->i_security;
841 newisec->sid = oldisec->sid;
844 sb_finish_set_opts(newsb);
845 mutex_unlock(&newsbsec->lock);
849 static int selinux_parse_opts_str(char *options,
850 struct security_mnt_opts *opts)
853 char *context = NULL, *defcontext = NULL;
854 char *fscontext = NULL, *rootcontext = NULL;
855 int rc, num_mnt_opts = 0;
857 opts->num_mnt_opts = 0;
859 /* Standard string-based options. */
860 while ((p = strsep(&options, "|")) != NULL) {
862 substring_t args[MAX_OPT_ARGS];
867 token = match_token(p, tokens, args);
871 if (context || defcontext) {
873 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
876 context = match_strdup(&args[0]);
886 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
889 fscontext = match_strdup(&args[0]);
896 case Opt_rootcontext:
899 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
902 rootcontext = match_strdup(&args[0]);
910 if (context || defcontext) {
912 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
915 defcontext = match_strdup(&args[0]);
921 case Opt_labelsupport:
925 printk(KERN_WARNING "SELinux: unknown mount option\n");
932 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
936 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
937 if (!opts->mnt_opts_flags) {
938 kfree(opts->mnt_opts);
943 opts->mnt_opts[num_mnt_opts] = fscontext;
944 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
947 opts->mnt_opts[num_mnt_opts] = context;
948 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
951 opts->mnt_opts[num_mnt_opts] = rootcontext;
952 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
955 opts->mnt_opts[num_mnt_opts] = defcontext;
956 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
959 opts->num_mnt_opts = num_mnt_opts;
970 * string mount options parsing and call set the sbsec
972 static int superblock_doinit(struct super_block *sb, void *data)
975 char *options = data;
976 struct security_mnt_opts opts;
978 security_init_mnt_opts(&opts);
983 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
985 rc = selinux_parse_opts_str(options, &opts);
990 rc = selinux_set_mnt_opts(sb, &opts);
993 security_free_mnt_opts(&opts);
997 static void selinux_write_opts(struct seq_file *m,
998 struct security_mnt_opts *opts)
1003 for (i = 0; i < opts->num_mnt_opts; i++) {
1006 if (opts->mnt_opts[i])
1007 has_comma = strchr(opts->mnt_opts[i], ',');
1011 switch (opts->mnt_opts_flags[i]) {
1013 prefix = CONTEXT_STR;
1016 prefix = FSCONTEXT_STR;
1018 case ROOTCONTEXT_MNT:
1019 prefix = ROOTCONTEXT_STR;
1021 case DEFCONTEXT_MNT:
1022 prefix = DEFCONTEXT_STR;
1024 case SE_SBLABELSUPP:
1026 seq_puts(m, LABELSUPP_STR);
1032 /* we need a comma before each option */
1034 seq_puts(m, prefix);
1037 seq_puts(m, opts->mnt_opts[i]);
1043 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1045 struct security_mnt_opts opts;
1048 rc = selinux_get_mnt_opts(sb, &opts);
1050 /* before policy load we may get EINVAL, don't show anything */
1056 selinux_write_opts(m, &opts);
1058 security_free_mnt_opts(&opts);
1063 static inline u16 inode_mode_to_security_class(umode_t mode)
1065 switch (mode & S_IFMT) {
1067 return SECCLASS_SOCK_FILE;
1069 return SECCLASS_LNK_FILE;
1071 return SECCLASS_FILE;
1073 return SECCLASS_BLK_FILE;
1075 return SECCLASS_DIR;
1077 return SECCLASS_CHR_FILE;
1079 return SECCLASS_FIFO_FILE;
1083 return SECCLASS_FILE;
1086 static inline int default_protocol_stream(int protocol)
1088 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1091 static inline int default_protocol_dgram(int protocol)
1093 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1096 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1102 case SOCK_SEQPACKET:
1103 return SECCLASS_UNIX_STREAM_SOCKET;
1105 return SECCLASS_UNIX_DGRAM_SOCKET;
1112 if (default_protocol_stream(protocol))
1113 return SECCLASS_TCP_SOCKET;
1115 return SECCLASS_RAWIP_SOCKET;
1117 if (default_protocol_dgram(protocol))
1118 return SECCLASS_UDP_SOCKET;
1120 return SECCLASS_RAWIP_SOCKET;
1122 return SECCLASS_DCCP_SOCKET;
1124 return SECCLASS_RAWIP_SOCKET;
1130 return SECCLASS_NETLINK_ROUTE_SOCKET;
1131 case NETLINK_FIREWALL:
1132 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1133 case NETLINK_SOCK_DIAG:
1134 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1136 return SECCLASS_NETLINK_NFLOG_SOCKET;
1138 return SECCLASS_NETLINK_XFRM_SOCKET;
1139 case NETLINK_SELINUX:
1140 return SECCLASS_NETLINK_SELINUX_SOCKET;
1142 return SECCLASS_NETLINK_AUDIT_SOCKET;
1143 case NETLINK_IP6_FW:
1144 return SECCLASS_NETLINK_IP6FW_SOCKET;
1145 case NETLINK_DNRTMSG:
1146 return SECCLASS_NETLINK_DNRT_SOCKET;
1147 case NETLINK_KOBJECT_UEVENT:
1148 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1150 return SECCLASS_NETLINK_SOCKET;
1153 return SECCLASS_PACKET_SOCKET;
1155 return SECCLASS_KEY_SOCKET;
1157 return SECCLASS_APPLETALK_SOCKET;
1160 return SECCLASS_SOCKET;
1163 #ifdef CONFIG_PROC_FS
1164 static int selinux_proc_get_sid(struct dentry *dentry,
1169 char *buffer, *path;
1171 buffer = (char *)__get_free_page(GFP_KERNEL);
1175 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1179 /* each process gets a /proc/PID/ entry. Strip off the
1180 * PID part to get a valid selinux labeling.
1181 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1182 while (path[1] >= '0' && path[1] <= '9') {
1186 rc = security_genfs_sid("proc", path, tclass, sid);
1188 free_page((unsigned long)buffer);
1192 static int selinux_proc_get_sid(struct dentry *dentry,
1200 /* The inode's security attributes must be initialized before first use. */
1201 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1203 struct superblock_security_struct *sbsec = NULL;
1204 struct inode_security_struct *isec = inode->i_security;
1206 struct dentry *dentry;
1207 #define INITCONTEXTLEN 255
1208 char *context = NULL;
1212 if (isec->initialized)
1215 mutex_lock(&isec->lock);
1216 if (isec->initialized)
1219 sbsec = inode->i_sb->s_security;
1220 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1221 /* Defer initialization until selinux_complete_init,
1222 after the initial policy is loaded and the security
1223 server is ready to handle calls. */
1224 spin_lock(&sbsec->isec_lock);
1225 if (list_empty(&isec->list))
1226 list_add(&isec->list, &sbsec->isec_head);
1227 spin_unlock(&sbsec->isec_lock);
1231 switch (sbsec->behavior) {
1232 case SECURITY_FS_USE_XATTR:
1233 if (!inode->i_op->getxattr) {
1234 isec->sid = sbsec->def_sid;
1238 /* Need a dentry, since the xattr API requires one.
1239 Life would be simpler if we could just pass the inode. */
1241 /* Called from d_instantiate or d_splice_alias. */
1242 dentry = dget(opt_dentry);
1244 /* Called from selinux_complete_init, try to find a dentry. */
1245 dentry = d_find_alias(inode);
1249 * this is can be hit on boot when a file is accessed
1250 * before the policy is loaded. When we load policy we
1251 * may find inodes that have no dentry on the
1252 * sbsec->isec_head list. No reason to complain as these
1253 * will get fixed up the next time we go through
1254 * inode_doinit with a dentry, before these inodes could
1255 * be used again by userspace.
1260 len = INITCONTEXTLEN;
1261 context = kmalloc(len+1, GFP_NOFS);
1267 context[len] = '\0';
1268 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1270 if (rc == -ERANGE) {
1273 /* Need a larger buffer. Query for the right size. */
1274 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1281 context = kmalloc(len+1, GFP_NOFS);
1287 context[len] = '\0';
1288 rc = inode->i_op->getxattr(dentry,
1294 if (rc != -ENODATA) {
1295 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1296 "%d for dev=%s ino=%ld\n", __func__,
1297 -rc, inode->i_sb->s_id, inode->i_ino);
1301 /* Map ENODATA to the default file SID */
1302 sid = sbsec->def_sid;
1305 rc = security_context_to_sid_default(context, rc, &sid,
1309 char *dev = inode->i_sb->s_id;
1310 unsigned long ino = inode->i_ino;
1312 if (rc == -EINVAL) {
1313 if (printk_ratelimit())
1314 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1315 "context=%s. This indicates you may need to relabel the inode or the "
1316 "filesystem in question.\n", ino, dev, context);
1318 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1319 "returned %d for dev=%s ino=%ld\n",
1320 __func__, context, -rc, dev, ino);
1323 /* Leave with the unlabeled SID */
1331 case SECURITY_FS_USE_TASK:
1332 isec->sid = isec->task_sid;
1334 case SECURITY_FS_USE_TRANS:
1335 /* Default to the fs SID. */
1336 isec->sid = sbsec->sid;
1338 /* Try to obtain a transition SID. */
1339 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1340 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1341 isec->sclass, NULL, &sid);
1346 case SECURITY_FS_USE_MNTPOINT:
1347 isec->sid = sbsec->mntpoint_sid;
1350 /* Default to the fs superblock SID. */
1351 isec->sid = sbsec->sid;
1353 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1355 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1356 rc = selinux_proc_get_sid(opt_dentry,
1367 isec->initialized = 1;
1370 mutex_unlock(&isec->lock);
1372 if (isec->sclass == SECCLASS_FILE)
1373 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1377 /* Convert a Linux signal to an access vector. */
1378 static inline u32 signal_to_av(int sig)
1384 /* Commonly granted from child to parent. */
1385 perm = PROCESS__SIGCHLD;
1388 /* Cannot be caught or ignored */
1389 perm = PROCESS__SIGKILL;
1392 /* Cannot be caught or ignored */
1393 perm = PROCESS__SIGSTOP;
1396 /* All other signals. */
1397 perm = PROCESS__SIGNAL;
1405 * Check permission between a pair of credentials
1406 * fork check, ptrace check, etc.
1408 static int cred_has_perm(const struct cred *actor,
1409 const struct cred *target,
1412 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1414 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1418 * Check permission between a pair of tasks, e.g. signal checks,
1419 * fork check, ptrace check, etc.
1420 * tsk1 is the actor and tsk2 is the target
1421 * - this uses the default subjective creds of tsk1
1423 static int task_has_perm(const struct task_struct *tsk1,
1424 const struct task_struct *tsk2,
1427 const struct task_security_struct *__tsec1, *__tsec2;
1431 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1432 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1434 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1438 * Check permission between current and another task, e.g. signal checks,
1439 * fork check, ptrace check, etc.
1440 * current is the actor and tsk2 is the target
1441 * - this uses current's subjective creds
1443 static int current_has_perm(const struct task_struct *tsk,
1448 sid = current_sid();
1449 tsid = task_sid(tsk);
1450 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1453 #if CAP_LAST_CAP > 63
1454 #error Fix SELinux to handle capabilities > 63.
1457 /* Check whether a task is allowed to use a capability. */
1458 static int cred_has_capability(const struct cred *cred,
1461 struct common_audit_data ad;
1462 struct av_decision avd;
1464 u32 sid = cred_sid(cred);
1465 u32 av = CAP_TO_MASK(cap);
1468 ad.type = LSM_AUDIT_DATA_CAP;
1471 switch (CAP_TO_INDEX(cap)) {
1473 sclass = SECCLASS_CAPABILITY;
1476 sclass = SECCLASS_CAPABILITY2;
1480 "SELinux: out of range capability %d\n", cap);
1485 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1486 if (audit == SECURITY_CAP_AUDIT) {
1487 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1494 /* Check whether a task is allowed to use a system operation. */
1495 static int task_has_system(struct task_struct *tsk,
1498 u32 sid = task_sid(tsk);
1500 return avc_has_perm(sid, SECINITSID_KERNEL,
1501 SECCLASS_SYSTEM, perms, NULL);
1504 /* Check whether a task has a particular permission to an inode.
1505 The 'adp' parameter is optional and allows other audit
1506 data to be passed (e.g. the dentry). */
1507 static int inode_has_perm(const struct cred *cred,
1508 struct inode *inode,
1510 struct common_audit_data *adp,
1513 struct inode_security_struct *isec;
1516 validate_creds(cred);
1518 if (unlikely(IS_PRIVATE(inode)))
1521 sid = cred_sid(cred);
1522 isec = inode->i_security;
1524 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1527 /* Same as inode_has_perm, but pass explicit audit data containing
1528 the dentry to help the auditing code to more easily generate the
1529 pathname if needed. */
1530 static inline int dentry_has_perm(const struct cred *cred,
1531 struct dentry *dentry,
1534 struct inode *inode = dentry->d_inode;
1535 struct common_audit_data ad;
1537 ad.type = LSM_AUDIT_DATA_DENTRY;
1538 ad.u.dentry = dentry;
1539 return inode_has_perm(cred, inode, av, &ad, 0);
1542 /* Same as inode_has_perm, but pass explicit audit data containing
1543 the path to help the auditing code to more easily generate the
1544 pathname if needed. */
1545 static inline int path_has_perm(const struct cred *cred,
1549 struct inode *inode = path->dentry->d_inode;
1550 struct common_audit_data ad;
1552 ad.type = LSM_AUDIT_DATA_PATH;
1554 return inode_has_perm(cred, inode, av, &ad, 0);
1557 /* Check whether a task can use an open file descriptor to
1558 access an inode in a given way. Check access to the
1559 descriptor itself, and then use dentry_has_perm to
1560 check a particular permission to the file.
1561 Access to the descriptor is implicitly granted if it
1562 has the same SID as the process. If av is zero, then
1563 access to the file is not checked, e.g. for cases
1564 where only the descriptor is affected like seek. */
1565 static int file_has_perm(const struct cred *cred,
1569 struct file_security_struct *fsec = file->f_security;
1570 struct inode *inode = file_inode(file);
1571 struct common_audit_data ad;
1572 u32 sid = cred_sid(cred);
1575 ad.type = LSM_AUDIT_DATA_PATH;
1576 ad.u.path = file->f_path;
1578 if (sid != fsec->sid) {
1579 rc = avc_has_perm(sid, fsec->sid,
1587 /* av is zero if only checking access to the descriptor. */
1590 rc = inode_has_perm(cred, inode, av, &ad, 0);
1596 /* Check whether a task can create a file. */
1597 static int may_create(struct inode *dir,
1598 struct dentry *dentry,
1601 const struct task_security_struct *tsec = current_security();
1602 struct inode_security_struct *dsec;
1603 struct superblock_security_struct *sbsec;
1605 struct common_audit_data ad;
1608 dsec = dir->i_security;
1609 sbsec = dir->i_sb->s_security;
1612 newsid = tsec->create_sid;
1614 ad.type = LSM_AUDIT_DATA_DENTRY;
1615 ad.u.dentry = dentry;
1617 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1618 DIR__ADD_NAME | DIR__SEARCH,
1623 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1624 rc = security_transition_sid(sid, dsec->sid, tclass,
1625 &dentry->d_name, &newsid);
1630 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1634 return avc_has_perm(newsid, sbsec->sid,
1635 SECCLASS_FILESYSTEM,
1636 FILESYSTEM__ASSOCIATE, &ad);
1639 /* Check whether a task can create a key. */
1640 static int may_create_key(u32 ksid,
1641 struct task_struct *ctx)
1643 u32 sid = task_sid(ctx);
1645 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1649 #define MAY_UNLINK 1
1652 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1653 static int may_link(struct inode *dir,
1654 struct dentry *dentry,
1658 struct inode_security_struct *dsec, *isec;
1659 struct common_audit_data ad;
1660 u32 sid = current_sid();
1664 dsec = dir->i_security;
1665 isec = dentry->d_inode->i_security;
1667 ad.type = LSM_AUDIT_DATA_DENTRY;
1668 ad.u.dentry = dentry;
1671 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1672 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1687 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1692 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1696 static inline int may_rename(struct inode *old_dir,
1697 struct dentry *old_dentry,
1698 struct inode *new_dir,
1699 struct dentry *new_dentry)
1701 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1702 struct common_audit_data ad;
1703 u32 sid = current_sid();
1705 int old_is_dir, new_is_dir;
1708 old_dsec = old_dir->i_security;
1709 old_isec = old_dentry->d_inode->i_security;
1710 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1711 new_dsec = new_dir->i_security;
1713 ad.type = LSM_AUDIT_DATA_DENTRY;
1715 ad.u.dentry = old_dentry;
1716 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1717 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1720 rc = avc_has_perm(sid, old_isec->sid,
1721 old_isec->sclass, FILE__RENAME, &ad);
1724 if (old_is_dir && new_dir != old_dir) {
1725 rc = avc_has_perm(sid, old_isec->sid,
1726 old_isec->sclass, DIR__REPARENT, &ad);
1731 ad.u.dentry = new_dentry;
1732 av = DIR__ADD_NAME | DIR__SEARCH;
1733 if (new_dentry->d_inode)
1734 av |= DIR__REMOVE_NAME;
1735 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1738 if (new_dentry->d_inode) {
1739 new_isec = new_dentry->d_inode->i_security;
1740 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1741 rc = avc_has_perm(sid, new_isec->sid,
1743 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1751 /* Check whether a task can perform a filesystem operation. */
1752 static int superblock_has_perm(const struct cred *cred,
1753 struct super_block *sb,
1755 struct common_audit_data *ad)
1757 struct superblock_security_struct *sbsec;
1758 u32 sid = cred_sid(cred);
1760 sbsec = sb->s_security;
1761 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1764 /* Convert a Linux mode and permission mask to an access vector. */
1765 static inline u32 file_mask_to_av(int mode, int mask)
1769 if (!S_ISDIR(mode)) {
1770 if (mask & MAY_EXEC)
1771 av |= FILE__EXECUTE;
1772 if (mask & MAY_READ)
1775 if (mask & MAY_APPEND)
1777 else if (mask & MAY_WRITE)
1781 if (mask & MAY_EXEC)
1783 if (mask & MAY_WRITE)
1785 if (mask & MAY_READ)
1792 /* Convert a Linux file to an access vector. */
1793 static inline u32 file_to_av(struct file *file)
1797 if (file->f_mode & FMODE_READ)
1799 if (file->f_mode & FMODE_WRITE) {
1800 if (file->f_flags & O_APPEND)
1807 * Special file opened with flags 3 for ioctl-only use.
1816 * Convert a file to an access vector and include the correct open
1819 static inline u32 open_file_to_av(struct file *file)
1821 u32 av = file_to_av(file);
1823 if (selinux_policycap_openperm)
1829 /* Hook functions begin here. */
1831 static int selinux_ptrace_access_check(struct task_struct *child,
1836 rc = cap_ptrace_access_check(child, mode);
1840 if (mode & PTRACE_MODE_READ) {
1841 u32 sid = current_sid();
1842 u32 csid = task_sid(child);
1843 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1846 return current_has_perm(child, PROCESS__PTRACE);
1849 static int selinux_ptrace_traceme(struct task_struct *parent)
1853 rc = cap_ptrace_traceme(parent);
1857 return task_has_perm(parent, current, PROCESS__PTRACE);
1860 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1861 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1865 error = current_has_perm(target, PROCESS__GETCAP);
1869 return cap_capget(target, effective, inheritable, permitted);
1872 static int selinux_capset(struct cred *new, const struct cred *old,
1873 const kernel_cap_t *effective,
1874 const kernel_cap_t *inheritable,
1875 const kernel_cap_t *permitted)
1879 error = cap_capset(new, old,
1880 effective, inheritable, permitted);
1884 return cred_has_perm(old, new, PROCESS__SETCAP);
1888 * (This comment used to live with the selinux_task_setuid hook,
1889 * which was removed).
1891 * Since setuid only affects the current process, and since the SELinux
1892 * controls are not based on the Linux identity attributes, SELinux does not
1893 * need to control this operation. However, SELinux does control the use of
1894 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1897 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1902 rc = cap_capable(cred, ns, cap, audit);
1906 return cred_has_capability(cred, cap, audit);
1909 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1911 const struct cred *cred = current_cred();
1923 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1928 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1931 rc = 0; /* let the kernel handle invalid cmds */
1937 static int selinux_quota_on(struct dentry *dentry)
1939 const struct cred *cred = current_cred();
1941 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1944 static int selinux_syslog(int type)
1949 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1950 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1951 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1953 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1954 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
1955 /* Set level of messages printed to console */
1956 case SYSLOG_ACTION_CONSOLE_LEVEL:
1957 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1959 case SYSLOG_ACTION_CLOSE: /* Close log */
1960 case SYSLOG_ACTION_OPEN: /* Open log */
1961 case SYSLOG_ACTION_READ: /* Read from log */
1962 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
1963 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
1965 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1972 * Check that a process has enough memory to allocate a new virtual
1973 * mapping. 0 means there is enough memory for the allocation to
1974 * succeed and -ENOMEM implies there is not.
1976 * Do not audit the selinux permission check, as this is applied to all
1977 * processes that allocate mappings.
1979 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1981 int rc, cap_sys_admin = 0;
1983 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
1984 SECURITY_CAP_NOAUDIT);
1988 return __vm_enough_memory(mm, pages, cap_sys_admin);
1991 /* binprm security operations */
1993 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1995 const struct task_security_struct *old_tsec;
1996 struct task_security_struct *new_tsec;
1997 struct inode_security_struct *isec;
1998 struct common_audit_data ad;
1999 struct inode *inode = file_inode(bprm->file);
2002 rc = cap_bprm_set_creds(bprm);
2006 /* SELinux context only depends on initial program or script and not
2007 * the script interpreter */
2008 if (bprm->cred_prepared)
2011 old_tsec = current_security();
2012 new_tsec = bprm->cred->security;
2013 isec = inode->i_security;
2015 /* Default to the current task SID. */
2016 new_tsec->sid = old_tsec->sid;
2017 new_tsec->osid = old_tsec->sid;
2019 /* Reset fs, key, and sock SIDs on execve. */
2020 new_tsec->create_sid = 0;
2021 new_tsec->keycreate_sid = 0;
2022 new_tsec->sockcreate_sid = 0;
2024 if (old_tsec->exec_sid) {
2025 new_tsec->sid = old_tsec->exec_sid;
2026 /* Reset exec SID on execve. */
2027 new_tsec->exec_sid = 0;
2030 * Minimize confusion: if no_new_privs and a transition is
2031 * explicitly requested, then fail the exec.
2033 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2036 /* Check for a default transition on this program. */
2037 rc = security_transition_sid(old_tsec->sid, isec->sid,
2038 SECCLASS_PROCESS, NULL,
2044 ad.type = LSM_AUDIT_DATA_PATH;
2045 ad.u.path = bprm->file->f_path;
2047 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2048 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2049 new_tsec->sid = old_tsec->sid;
2051 if (new_tsec->sid == old_tsec->sid) {
2052 rc = avc_has_perm(old_tsec->sid, isec->sid,
2053 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2057 /* Check permissions for the transition. */
2058 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2059 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2063 rc = avc_has_perm(new_tsec->sid, isec->sid,
2064 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2068 /* Check for shared state */
2069 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2070 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2071 SECCLASS_PROCESS, PROCESS__SHARE,
2077 /* Make sure that anyone attempting to ptrace over a task that
2078 * changes its SID has the appropriate permit */
2080 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2081 struct task_struct *tracer;
2082 struct task_security_struct *sec;
2086 tracer = ptrace_parent(current);
2087 if (likely(tracer != NULL)) {
2088 sec = __task_cred(tracer)->security;
2094 rc = avc_has_perm(ptsid, new_tsec->sid,
2096 PROCESS__PTRACE, NULL);
2102 /* Clear any possibly unsafe personality bits on exec: */
2103 bprm->per_clear |= PER_CLEAR_ON_SETID;
2109 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2111 const struct task_security_struct *tsec = current_security();
2119 /* Enable secure mode for SIDs transitions unless
2120 the noatsecure permission is granted between
2121 the two SIDs, i.e. ahp returns 0. */
2122 atsecure = avc_has_perm(osid, sid,
2124 PROCESS__NOATSECURE, NULL);
2127 return (atsecure || cap_bprm_secureexec(bprm));
2130 static int match_file(const void *p, struct file *file, unsigned fd)
2132 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2135 /* Derived from fs/exec.c:flush_old_files. */
2136 static inline void flush_unauthorized_files(const struct cred *cred,
2137 struct files_struct *files)
2139 struct file *file, *devnull = NULL;
2140 struct tty_struct *tty;
2144 tty = get_current_tty();
2146 spin_lock(&tty_files_lock);
2147 if (!list_empty(&tty->tty_files)) {
2148 struct tty_file_private *file_priv;
2150 /* Revalidate access to controlling tty.
2151 Use path_has_perm on the tty path directly rather
2152 than using file_has_perm, as this particular open
2153 file may belong to another process and we are only
2154 interested in the inode-based check here. */
2155 file_priv = list_first_entry(&tty->tty_files,
2156 struct tty_file_private, list);
2157 file = file_priv->file;
2158 if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
2161 spin_unlock(&tty_files_lock);
2164 /* Reset controlling tty. */
2168 /* Revalidate access to inherited open files. */
2169 n = iterate_fd(files, 0, match_file, cred);
2170 if (!n) /* none found? */
2173 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2174 if (IS_ERR(devnull))
2176 /* replace all the matching ones with this */
2178 replace_fd(n - 1, devnull, 0);
2179 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2185 * Prepare a process for imminent new credential changes due to exec
2187 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2189 struct task_security_struct *new_tsec;
2190 struct rlimit *rlim, *initrlim;
2193 new_tsec = bprm->cred->security;
2194 if (new_tsec->sid == new_tsec->osid)
2197 /* Close files for which the new task SID is not authorized. */
2198 flush_unauthorized_files(bprm->cred, current->files);
2200 /* Always clear parent death signal on SID transitions. */
2201 current->pdeath_signal = 0;
2203 /* Check whether the new SID can inherit resource limits from the old
2204 * SID. If not, reset all soft limits to the lower of the current
2205 * task's hard limit and the init task's soft limit.
2207 * Note that the setting of hard limits (even to lower them) can be
2208 * controlled by the setrlimit check. The inclusion of the init task's
2209 * soft limit into the computation is to avoid resetting soft limits
2210 * higher than the default soft limit for cases where the default is
2211 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2213 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2214 PROCESS__RLIMITINH, NULL);
2216 /* protect against do_prlimit() */
2218 for (i = 0; i < RLIM_NLIMITS; i++) {
2219 rlim = current->signal->rlim + i;
2220 initrlim = init_task.signal->rlim + i;
2221 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2223 task_unlock(current);
2224 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2229 * Clean up the process immediately after the installation of new credentials
2232 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2234 const struct task_security_struct *tsec = current_security();
2235 struct itimerval itimer;
2245 /* Check whether the new SID can inherit signal state from the old SID.
2246 * If not, clear itimers to avoid subsequent signal generation and
2247 * flush and unblock signals.
2249 * This must occur _after_ the task SID has been updated so that any
2250 * kill done after the flush will be checked against the new SID.
2252 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2254 memset(&itimer, 0, sizeof itimer);
2255 for (i = 0; i < 3; i++)
2256 do_setitimer(i, &itimer, NULL);
2257 spin_lock_irq(¤t->sighand->siglock);
2258 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2259 __flush_signals(current);
2260 flush_signal_handlers(current, 1);
2261 sigemptyset(¤t->blocked);
2263 spin_unlock_irq(¤t->sighand->siglock);
2266 /* Wake up the parent if it is waiting so that it can recheck
2267 * wait permission to the new task SID. */
2268 read_lock(&tasklist_lock);
2269 __wake_up_parent(current, current->real_parent);
2270 read_unlock(&tasklist_lock);
2273 /* superblock security operations */
2275 static int selinux_sb_alloc_security(struct super_block *sb)
2277 return superblock_alloc_security(sb);
2280 static void selinux_sb_free_security(struct super_block *sb)
2282 superblock_free_security(sb);
2285 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2290 return !memcmp(prefix, option, plen);
2293 static inline int selinux_option(char *option, int len)
2295 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2296 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2297 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2298 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2299 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2302 static inline void take_option(char **to, char *from, int *first, int len)
2309 memcpy(*to, from, len);
2313 static inline void take_selinux_option(char **to, char *from, int *first,
2316 int current_size = 0;
2324 while (current_size < len) {
2334 static int selinux_sb_copy_data(char *orig, char *copy)
2336 int fnosec, fsec, rc = 0;
2337 char *in_save, *in_curr, *in_end;
2338 char *sec_curr, *nosec_save, *nosec;
2344 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2352 in_save = in_end = orig;
2356 open_quote = !open_quote;
2357 if ((*in_end == ',' && open_quote == 0) ||
2359 int len = in_end - in_curr;
2361 if (selinux_option(in_curr, len))
2362 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2364 take_option(&nosec, in_curr, &fnosec, len);
2366 in_curr = in_end + 1;
2368 } while (*in_end++);
2370 strcpy(in_save, nosec_save);
2371 free_page((unsigned long)nosec_save);
2376 static int selinux_sb_remount(struct super_block *sb, void *data)
2379 struct security_mnt_opts opts;
2380 char *secdata, **mount_options;
2381 struct superblock_security_struct *sbsec = sb->s_security;
2383 if (!(sbsec->flags & SE_SBINITIALIZED))
2389 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2392 security_init_mnt_opts(&opts);
2393 secdata = alloc_secdata();
2396 rc = selinux_sb_copy_data(data, secdata);
2398 goto out_free_secdata;
2400 rc = selinux_parse_opts_str(secdata, &opts);
2402 goto out_free_secdata;
2404 mount_options = opts.mnt_opts;
2405 flags = opts.mnt_opts_flags;
2407 for (i = 0; i < opts.num_mnt_opts; i++) {
2411 if (flags[i] == SE_SBLABELSUPP)
2413 len = strlen(mount_options[i]);
2414 rc = security_context_to_sid(mount_options[i], len, &sid);
2416 printk(KERN_WARNING "SELinux: security_context_to_sid"
2417 "(%s) failed for (dev %s, type %s) errno=%d\n",
2418 mount_options[i], sb->s_id, sb->s_type->name, rc);
2424 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2425 goto out_bad_option;
2428 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2429 goto out_bad_option;
2431 case ROOTCONTEXT_MNT: {
2432 struct inode_security_struct *root_isec;
2433 root_isec = sb->s_root->d_inode->i_security;
2435 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2436 goto out_bad_option;
2439 case DEFCONTEXT_MNT:
2440 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2441 goto out_bad_option;
2450 security_free_mnt_opts(&opts);
2452 free_secdata(secdata);
2455 printk(KERN_WARNING "SELinux: unable to change security options "
2456 "during remount (dev %s, type=%s)\n", sb->s_id,
2461 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2463 const struct cred *cred = current_cred();
2464 struct common_audit_data ad;
2467 rc = superblock_doinit(sb, data);
2471 /* Allow all mounts performed by the kernel */
2472 if (flags & MS_KERNMOUNT)
2475 ad.type = LSM_AUDIT_DATA_DENTRY;
2476 ad.u.dentry = sb->s_root;
2477 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2480 static int selinux_sb_statfs(struct dentry *dentry)
2482 const struct cred *cred = current_cred();
2483 struct common_audit_data ad;
2485 ad.type = LSM_AUDIT_DATA_DENTRY;
2486 ad.u.dentry = dentry->d_sb->s_root;
2487 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2490 static int selinux_mount(const char *dev_name,
2493 unsigned long flags,
2496 const struct cred *cred = current_cred();
2498 if (flags & MS_REMOUNT)
2499 return superblock_has_perm(cred, path->dentry->d_sb,
2500 FILESYSTEM__REMOUNT, NULL);
2502 return path_has_perm(cred, path, FILE__MOUNTON);
2505 static int selinux_umount(struct vfsmount *mnt, int flags)
2507 const struct cred *cred = current_cred();
2509 return superblock_has_perm(cred, mnt->mnt_sb,
2510 FILESYSTEM__UNMOUNT, NULL);
2513 /* inode security operations */
2515 static int selinux_inode_alloc_security(struct inode *inode)
2517 return inode_alloc_security(inode);
2520 static void selinux_inode_free_security(struct inode *inode)
2522 inode_free_security(inode);
2525 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2526 const struct qstr *qstr, char **name,
2527 void **value, size_t *len)
2529 const struct task_security_struct *tsec = current_security();
2530 struct inode_security_struct *dsec;
2531 struct superblock_security_struct *sbsec;
2532 u32 sid, newsid, clen;
2534 char *namep = NULL, *context;
2536 dsec = dir->i_security;
2537 sbsec = dir->i_sb->s_security;
2540 newsid = tsec->create_sid;
2542 if ((sbsec->flags & SE_SBINITIALIZED) &&
2543 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2544 newsid = sbsec->mntpoint_sid;
2545 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2546 rc = security_transition_sid(sid, dsec->sid,
2547 inode_mode_to_security_class(inode->i_mode),
2550 printk(KERN_WARNING "%s: "
2551 "security_transition_sid failed, rc=%d (dev=%s "
2554 -rc, inode->i_sb->s_id, inode->i_ino);
2559 /* Possibly defer initialization to selinux_complete_init. */
2560 if (sbsec->flags & SE_SBINITIALIZED) {
2561 struct inode_security_struct *isec = inode->i_security;
2562 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2564 isec->initialized = 1;
2567 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2571 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2578 rc = security_sid_to_context_force(newsid, &context, &clen);
2590 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2592 return may_create(dir, dentry, SECCLASS_FILE);
2595 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2597 return may_link(dir, old_dentry, MAY_LINK);
2600 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2602 return may_link(dir, dentry, MAY_UNLINK);
2605 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2607 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2610 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2612 return may_create(dir, dentry, SECCLASS_DIR);
2615 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2617 return may_link(dir, dentry, MAY_RMDIR);
2620 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2622 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2625 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2626 struct inode *new_inode, struct dentry *new_dentry)
2628 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2631 static int selinux_inode_readlink(struct dentry *dentry)
2633 const struct cred *cred = current_cred();
2635 return dentry_has_perm(cred, dentry, FILE__READ);
2638 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2640 const struct cred *cred = current_cred();
2642 return dentry_has_perm(cred, dentry, FILE__READ);
2645 static noinline int audit_inode_permission(struct inode *inode,
2646 u32 perms, u32 audited, u32 denied,
2649 struct common_audit_data ad;
2650 struct inode_security_struct *isec = inode->i_security;
2653 ad.type = LSM_AUDIT_DATA_INODE;
2656 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2657 audited, denied, &ad, flags);
2663 static int selinux_inode_permission(struct inode *inode, int mask)
2665 const struct cred *cred = current_cred();
2668 unsigned flags = mask & MAY_NOT_BLOCK;
2669 struct inode_security_struct *isec;
2671 struct av_decision avd;
2673 u32 audited, denied;
2675 from_access = mask & MAY_ACCESS;
2676 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2678 /* No permission to check. Existence test. */
2682 validate_creds(cred);
2684 if (unlikely(IS_PRIVATE(inode)))
2687 perms = file_mask_to_av(inode->i_mode, mask);
2689 sid = cred_sid(cred);
2690 isec = inode->i_security;
2692 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2693 audited = avc_audit_required(perms, &avd, rc,
2694 from_access ? FILE__AUDIT_ACCESS : 0,
2696 if (likely(!audited))
2699 rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
2705 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2707 const struct cred *cred = current_cred();
2708 unsigned int ia_valid = iattr->ia_valid;
2709 __u32 av = FILE__WRITE;
2711 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2712 if (ia_valid & ATTR_FORCE) {
2713 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2719 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2720 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2721 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2723 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2726 return dentry_has_perm(cred, dentry, av);
2729 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2731 const struct cred *cred = current_cred();
2734 path.dentry = dentry;
2737 return path_has_perm(cred, &path, FILE__GETATTR);
2740 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2742 const struct cred *cred = current_cred();
2744 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2745 sizeof XATTR_SECURITY_PREFIX - 1)) {
2746 if (!strcmp(name, XATTR_NAME_CAPS)) {
2747 if (!capable(CAP_SETFCAP))
2749 } else if (!capable(CAP_SYS_ADMIN)) {
2750 /* A different attribute in the security namespace.
2751 Restrict to administrator. */
2756 /* Not an attribute we recognize, so just check the
2757 ordinary setattr permission. */
2758 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2761 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2762 const void *value, size_t size, int flags)
2764 struct inode *inode = dentry->d_inode;
2765 struct inode_security_struct *isec = inode->i_security;
2766 struct superblock_security_struct *sbsec;
2767 struct common_audit_data ad;
2768 u32 newsid, sid = current_sid();
2771 if (strcmp(name, XATTR_NAME_SELINUX))
2772 return selinux_inode_setotherxattr(dentry, name);
2774 sbsec = inode->i_sb->s_security;
2775 if (!(sbsec->flags & SE_SBLABELSUPP))
2778 if (!inode_owner_or_capable(inode))
2781 ad.type = LSM_AUDIT_DATA_DENTRY;
2782 ad.u.dentry = dentry;
2784 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2785 FILE__RELABELFROM, &ad);
2789 rc = security_context_to_sid(value, size, &newsid);
2790 if (rc == -EINVAL) {
2791 if (!capable(CAP_MAC_ADMIN)) {
2792 struct audit_buffer *ab;
2796 /* We strip a nul only if it is at the end, otherwise the
2797 * context contains a nul and we should audit that */
2800 if (str[size - 1] == '\0')
2801 audit_size = size - 1;
2808 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2809 audit_log_format(ab, "op=setxattr invalid_context=");
2810 audit_log_n_untrustedstring(ab, value, audit_size);
2815 rc = security_context_to_sid_force(value, size, &newsid);
2820 rc = avc_has_perm(sid, newsid, isec->sclass,
2821 FILE__RELABELTO, &ad);
2825 rc = security_validate_transition(isec->sid, newsid, sid,
2830 return avc_has_perm(newsid,
2832 SECCLASS_FILESYSTEM,
2833 FILESYSTEM__ASSOCIATE,
2837 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2838 const void *value, size_t size,
2841 struct inode *inode = dentry->d_inode;
2842 struct inode_security_struct *isec = inode->i_security;
2846 if (strcmp(name, XATTR_NAME_SELINUX)) {
2847 /* Not an attribute we recognize, so nothing to do. */
2851 rc = security_context_to_sid_force(value, size, &newsid);
2853 printk(KERN_ERR "SELinux: unable to map context to SID"
2854 "for (%s, %lu), rc=%d\n",
2855 inode->i_sb->s_id, inode->i_ino, -rc);
2863 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2865 const struct cred *cred = current_cred();
2867 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2870 static int selinux_inode_listxattr(struct dentry *dentry)
2872 const struct cred *cred = current_cred();
2874 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2877 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2879 if (strcmp(name, XATTR_NAME_SELINUX))
2880 return selinux_inode_setotherxattr(dentry, name);
2882 /* No one is allowed to remove a SELinux security label.
2883 You can change the label, but all data must be labeled. */
2888 * Copy the inode security context value to the user.
2890 * Permission check is handled by selinux_inode_getxattr hook.
2892 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2896 char *context = NULL;
2897 struct inode_security_struct *isec = inode->i_security;
2899 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2903 * If the caller has CAP_MAC_ADMIN, then get the raw context
2904 * value even if it is not defined by current policy; otherwise,
2905 * use the in-core value under current policy.
2906 * Use the non-auditing forms of the permission checks since
2907 * getxattr may be called by unprivileged processes commonly
2908 * and lack of permission just means that we fall back to the
2909 * in-core context value, not a denial.
2911 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
2912 SECURITY_CAP_NOAUDIT);
2914 error = security_sid_to_context_force(isec->sid, &context,
2917 error = security_sid_to_context(isec->sid, &context, &size);
2930 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2931 const void *value, size_t size, int flags)
2933 struct inode_security_struct *isec = inode->i_security;
2937 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2940 if (!value || !size)
2943 rc = security_context_to_sid((void *)value, size, &newsid);
2948 isec->initialized = 1;
2952 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2954 const int len = sizeof(XATTR_NAME_SELINUX);
2955 if (buffer && len <= buffer_size)
2956 memcpy(buffer, XATTR_NAME_SELINUX, len);
2960 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2962 struct inode_security_struct *isec = inode->i_security;
2966 /* file security operations */
2968 static int selinux_revalidate_file_permission(struct file *file, int mask)
2970 const struct cred *cred = current_cred();
2971 struct inode *inode = file_inode(file);
2973 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2974 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2977 return file_has_perm(cred, file,
2978 file_mask_to_av(inode->i_mode, mask));
2981 static int selinux_file_permission(struct file *file, int mask)
2983 struct inode *inode = file_inode(file);
2984 struct file_security_struct *fsec = file->f_security;
2985 struct inode_security_struct *isec = inode->i_security;
2986 u32 sid = current_sid();
2989 /* No permission to check. Existence test. */
2992 if (sid == fsec->sid && fsec->isid == isec->sid &&
2993 fsec->pseqno == avc_policy_seqno())
2994 /* No change since file_open check. */
2997 return selinux_revalidate_file_permission(file, mask);
3000 static int selinux_file_alloc_security(struct file *file)
3002 return file_alloc_security(file);
3005 static void selinux_file_free_security(struct file *file)
3007 file_free_security(file);
3010 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3013 const struct cred *cred = current_cred();
3023 case FS_IOC_GETFLAGS:
3025 case FS_IOC_GETVERSION:
3026 error = file_has_perm(cred, file, FILE__GETATTR);
3029 case FS_IOC_SETFLAGS:
3031 case FS_IOC_SETVERSION:
3032 error = file_has_perm(cred, file, FILE__SETATTR);
3035 /* sys_ioctl() checks */
3039 error = file_has_perm(cred, file, 0);
3044 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3045 SECURITY_CAP_AUDIT);
3048 /* default case assumes that the command will go
3049 * to the file's ioctl() function.
3052 error = file_has_perm(cred, file, FILE__IOCTL);
3057 static int default_noexec;
3059 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3061 const struct cred *cred = current_cred();
3064 if (default_noexec &&
3065 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3067 * We are making executable an anonymous mapping or a
3068 * private file mapping that will also be writable.
3069 * This has an additional check.
3071 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3077 /* read access is always possible with a mapping */
3078 u32 av = FILE__READ;
3080 /* write access only matters if the mapping is shared */
3081 if (shared && (prot & PROT_WRITE))
3084 if (prot & PROT_EXEC)
3085 av |= FILE__EXECUTE;
3087 return file_has_perm(cred, file, av);
3094 static int selinux_mmap_addr(unsigned long addr)
3097 u32 sid = current_sid();
3100 * notice that we are intentionally putting the SELinux check before
3101 * the secondary cap_file_mmap check. This is such a likely attempt
3102 * at bad behaviour/exploit that we always want to get the AVC, even
3103 * if DAC would have also denied the operation.
3105 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3106 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3107 MEMPROTECT__MMAP_ZERO, NULL);
3112 /* do DAC check on address space usage */
3113 return cap_mmap_addr(addr);
3116 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3117 unsigned long prot, unsigned long flags)
3119 if (selinux_checkreqprot)
3122 return file_map_prot_check(file, prot,
3123 (flags & MAP_TYPE) == MAP_SHARED);
3126 static int selinux_file_mprotect(struct vm_area_struct *vma,
3127 unsigned long reqprot,
3130 const struct cred *cred = current_cred();
3132 if (selinux_checkreqprot)
3135 if (default_noexec &&
3136 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3138 if (vma->vm_start >= vma->vm_mm->start_brk &&
3139 vma->vm_end <= vma->vm_mm->brk) {
3140 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3141 } else if (!vma->vm_file &&
3142 vma->vm_start <= vma->vm_mm->start_stack &&
3143 vma->vm_end >= vma->vm_mm->start_stack) {
3144 rc = current_has_perm(current, PROCESS__EXECSTACK);
3145 } else if (vma->vm_file && vma->anon_vma) {
3147 * We are making executable a file mapping that has
3148 * had some COW done. Since pages might have been
3149 * written, check ability to execute the possibly
3150 * modified content. This typically should only
3151 * occur for text relocations.
3153 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3159 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3162 static int selinux_file_lock(struct file *file, unsigned int cmd)
3164 const struct cred *cred = current_cred();
3166 return file_has_perm(cred, file, FILE__LOCK);
3169 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3172 const struct cred *cred = current_cred();
3177 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3178 err = file_has_perm(cred, file, FILE__WRITE);
3187 case F_GETOWNER_UIDS:
3188 /* Just check FD__USE permission */
3189 err = file_has_perm(cred, file, 0);
3194 #if BITS_PER_LONG == 32
3199 err = file_has_perm(cred, file, FILE__LOCK);
3206 static int selinux_file_set_fowner(struct file *file)
3208 struct file_security_struct *fsec;
3210 fsec = file->f_security;
3211 fsec->fown_sid = current_sid();
3216 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3217 struct fown_struct *fown, int signum)
3220 u32 sid = task_sid(tsk);
3222 struct file_security_struct *fsec;
3224 /* struct fown_struct is never outside the context of a struct file */
3225 file = container_of(fown, struct file, f_owner);
3227 fsec = file->f_security;
3230 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3232 perm = signal_to_av(signum);
3234 return avc_has_perm(fsec->fown_sid, sid,
3235 SECCLASS_PROCESS, perm, NULL);
3238 static int selinux_file_receive(struct file *file)
3240 const struct cred *cred = current_cred();
3242 return file_has_perm(cred, file, file_to_av(file));
3245 static int selinux_file_open(struct file *file, const struct cred *cred)
3247 struct file_security_struct *fsec;
3248 struct inode_security_struct *isec;
3250 fsec = file->f_security;
3251 isec = file_inode(file)->i_security;
3253 * Save inode label and policy sequence number
3254 * at open-time so that selinux_file_permission
3255 * can determine whether revalidation is necessary.
3256 * Task label is already saved in the file security
3257 * struct as its SID.
3259 fsec->isid = isec->sid;
3260 fsec->pseqno = avc_policy_seqno();
3262 * Since the inode label or policy seqno may have changed
3263 * between the selinux_inode_permission check and the saving
3264 * of state above, recheck that access is still permitted.
3265 * Otherwise, access might never be revalidated against the
3266 * new inode label or new policy.
3267 * This check is not redundant - do not remove.
3269 return path_has_perm(cred, &file->f_path, open_file_to_av(file));
3272 /* task security operations */
3274 static int selinux_task_create(unsigned long clone_flags)
3276 return current_has_perm(current, PROCESS__FORK);
3280 * allocate the SELinux part of blank credentials
3282 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3284 struct task_security_struct *tsec;
3286 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3290 cred->security = tsec;
3295 * detach and free the LSM part of a set of credentials
3297 static void selinux_cred_free(struct cred *cred)
3299 struct task_security_struct *tsec = cred->security;
3302 * cred->security == NULL if security_cred_alloc_blank() or
3303 * security_prepare_creds() returned an error.
3305 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3306 cred->security = (void *) 0x7UL;
3311 * prepare a new set of credentials for modification
3313 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3316 const struct task_security_struct *old_tsec;
3317 struct task_security_struct *tsec;
3319 old_tsec = old->security;
3321 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3325 new->security = tsec;
3330 * transfer the SELinux data to a blank set of creds
3332 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3334 const struct task_security_struct *old_tsec = old->security;
3335 struct task_security_struct *tsec = new->security;
3341 * set the security data for a kernel service
3342 * - all the creation contexts are set to unlabelled
3344 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3346 struct task_security_struct *tsec = new->security;
3347 u32 sid = current_sid();
3350 ret = avc_has_perm(sid, secid,
3351 SECCLASS_KERNEL_SERVICE,
3352 KERNEL_SERVICE__USE_AS_OVERRIDE,
3356 tsec->create_sid = 0;
3357 tsec->keycreate_sid = 0;
3358 tsec->sockcreate_sid = 0;
3364 * set the file creation context in a security record to the same as the
3365 * objective context of the specified inode
3367 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3369 struct inode_security_struct *isec = inode->i_security;
3370 struct task_security_struct *tsec = new->security;
3371 u32 sid = current_sid();
3374 ret = avc_has_perm(sid, isec->sid,
3375 SECCLASS_KERNEL_SERVICE,
3376 KERNEL_SERVICE__CREATE_FILES_AS,
3380 tsec->create_sid = isec->sid;
3384 static int selinux_kernel_module_request(char *kmod_name)
3387 struct common_audit_data ad;
3389 sid = task_sid(current);
3391 ad.type = LSM_AUDIT_DATA_KMOD;
3392 ad.u.kmod_name = kmod_name;
3394 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3395 SYSTEM__MODULE_REQUEST, &ad);
3398 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3400 return current_has_perm(p, PROCESS__SETPGID);
3403 static int selinux_task_getpgid(struct task_struct *p)
3405 return current_has_perm(p, PROCESS__GETPGID);
3408 static int selinux_task_getsid(struct task_struct *p)
3410 return current_has_perm(p, PROCESS__GETSESSION);
3413 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3415 *secid = task_sid(p);
3418 static int selinux_task_setnice(struct task_struct *p, int nice)
3422 rc = cap_task_setnice(p, nice);
3426 return current_has_perm(p, PROCESS__SETSCHED);
3429 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3433 rc = cap_task_setioprio(p, ioprio);
3437 return current_has_perm(p, PROCESS__SETSCHED);
3440 static int selinux_task_getioprio(struct task_struct *p)
3442 return current_has_perm(p, PROCESS__GETSCHED);
3445 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3446 struct rlimit *new_rlim)
3448 struct rlimit *old_rlim = p->signal->rlim + resource;
3450 /* Control the ability to change the hard limit (whether
3451 lowering or raising it), so that the hard limit can
3452 later be used as a safe reset point for the soft limit
3453 upon context transitions. See selinux_bprm_committing_creds. */
3454 if (old_rlim->rlim_max != new_rlim->rlim_max)
3455 return current_has_perm(p, PROCESS__SETRLIMIT);
3460 static int selinux_task_setscheduler(struct task_struct *p)
3464 rc = cap_task_setscheduler(p);
3468 return current_has_perm(p, PROCESS__SETSCHED);
3471 static int selinux_task_getscheduler(struct task_struct *p)
3473 return current_has_perm(p, PROCESS__GETSCHED);
3476 static int selinux_task_movememory(struct task_struct *p)
3478 return current_has_perm(p, PROCESS__SETSCHED);
3481 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3488 perm = PROCESS__SIGNULL; /* null signal; existence test */
3490 perm = signal_to_av(sig);
3492 rc = avc_has_perm(secid, task_sid(p),
3493 SECCLASS_PROCESS, perm, NULL);
3495 rc = current_has_perm(p, perm);
3499 static int selinux_task_wait(struct task_struct *p)
3501 return task_has_perm(p, current, PROCESS__SIGCHLD);
3504 static void selinux_task_to_inode(struct task_struct *p,
3505 struct inode *inode)
3507 struct inode_security_struct *isec = inode->i_security;
3508 u32 sid = task_sid(p);
3511 isec->initialized = 1;
3514 /* Returns error only if unable to parse addresses */
3515 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3516 struct common_audit_data *ad, u8 *proto)
3518 int offset, ihlen, ret = -EINVAL;
3519 struct iphdr _iph, *ih;
3521 offset = skb_network_offset(skb);
3522 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3526 ihlen = ih->ihl * 4;
3527 if (ihlen < sizeof(_iph))
3530 ad->u.net->v4info.saddr = ih->saddr;
3531 ad->u.net->v4info.daddr = ih->daddr;
3535 *proto = ih->protocol;
3537 switch (ih->protocol) {
3539 struct tcphdr _tcph, *th;
3541 if (ntohs(ih->frag_off) & IP_OFFSET)
3545 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3549 ad->u.net->sport = th->source;
3550 ad->u.net->dport = th->dest;
3555 struct udphdr _udph, *uh;
3557 if (ntohs(ih->frag_off) & IP_OFFSET)
3561 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3565 ad->u.net->sport = uh->source;
3566 ad->u.net->dport = uh->dest;
3570 case IPPROTO_DCCP: {
3571 struct dccp_hdr _dccph, *dh;
3573 if (ntohs(ih->frag_off) & IP_OFFSET)
3577 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3581 ad->u.net->sport = dh->dccph_sport;
3582 ad->u.net->dport = dh->dccph_dport;
3593 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3595 /* Returns error only if unable to parse addresses */
3596 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3597 struct common_audit_data *ad, u8 *proto)
3600 int ret = -EINVAL, offset;
3601 struct ipv6hdr _ipv6h, *ip6;
3604 offset = skb_network_offset(skb);
3605 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3609 ad->u.net->v6info.saddr = ip6->saddr;
3610 ad->u.net->v6info.daddr = ip6->daddr;
3613 nexthdr = ip6->nexthdr;
3614 offset += sizeof(_ipv6h);
3615 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3624 struct tcphdr _tcph, *th;
3626 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3630 ad->u.net->sport = th->source;
3631 ad->u.net->dport = th->dest;
3636 struct udphdr _udph, *uh;
3638 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3642 ad->u.net->sport = uh->source;
3643 ad->u.net->dport = uh->dest;
3647 case IPPROTO_DCCP: {
3648 struct dccp_hdr _dccph, *dh;
3650 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3654 ad->u.net->sport = dh->dccph_sport;
3655 ad->u.net->dport = dh->dccph_dport;
3659 /* includes fragments */
3669 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3670 char **_addrp, int src, u8 *proto)
3675 switch (ad->u.net->family) {
3677 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3680 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3681 &ad->u.net->v4info.daddr);
3684 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3686 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3689 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3690 &ad->u.net->v6info.daddr);
3700 "SELinux: failure in selinux_parse_skb(),"
3701 " unable to parse packet\n");
3711 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3713 * @family: protocol family
3714 * @sid: the packet's peer label SID
3717 * Check the various different forms of network peer labeling and determine
3718 * the peer label/SID for the packet; most of the magic actually occurs in
3719 * the security server function security_net_peersid_cmp(). The function
3720 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3721 * or -EACCES if @sid is invalid due to inconsistencies with the different
3725 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3732 err = selinux_skb_xfrm_sid(skb, &xfrm_sid);
3735 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3739 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3740 if (unlikely(err)) {
3742 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3743 " unable to determine packet's peer label\n");
3750 /* socket security operations */
3752 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3753 u16 secclass, u32 *socksid)
3755 if (tsec->sockcreate_sid > SECSID_NULL) {
3756 *socksid = tsec->sockcreate_sid;
3760 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3764 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3766 struct sk_security_struct *sksec = sk->sk_security;
3767 struct common_audit_data ad;
3768 struct lsm_network_audit net = {0,};
3769 u32 tsid = task_sid(task);
3771 if (sksec->sid == SECINITSID_KERNEL)
3774 ad.type = LSM_AUDIT_DATA_NET;
3778 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3781 static int selinux_socket_create(int family, int type,
3782 int protocol, int kern)
3784 const struct task_security_struct *tsec = current_security();
3792 secclass = socket_type_to_security_class(family, type, protocol);
3793 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3797 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3800 static int selinux_socket_post_create(struct socket *sock, int family,
3801 int type, int protocol, int kern)
3803 const struct task_security_struct *tsec = current_security();
3804 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3805 struct sk_security_struct *sksec;
3808 isec->sclass = socket_type_to_security_class(family, type, protocol);
3811 isec->sid = SECINITSID_KERNEL;
3813 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3818 isec->initialized = 1;
3821 sksec = sock->sk->sk_security;
3822 sksec->sid = isec->sid;
3823 sksec->sclass = isec->sclass;
3824 err = selinux_netlbl_socket_post_create(sock->sk, family);
3830 /* Range of port numbers used to automatically bind.
3831 Need to determine whether we should perform a name_bind
3832 permission check between the socket and the port number. */
3834 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3836 struct sock *sk = sock->sk;
3840 err = sock_has_perm(current, sk, SOCKET__BIND);
3845 * If PF_INET or PF_INET6, check name_bind permission for the port.
3846 * Multiple address binding for SCTP is not supported yet: we just
3847 * check the first address now.
3849 family = sk->sk_family;
3850 if (family == PF_INET || family == PF_INET6) {
3852 struct sk_security_struct *sksec = sk->sk_security;
3853 struct common_audit_data ad;
3854 struct lsm_network_audit net = {0,};
3855 struct sockaddr_in *addr4 = NULL;
3856 struct sockaddr_in6 *addr6 = NULL;
3857 unsigned short snum;
3860 if (family == PF_INET) {
3861 addr4 = (struct sockaddr_in *)address;
3862 snum = ntohs(addr4->sin_port);
3863 addrp = (char *)&addr4->sin_addr.s_addr;
3865 addr6 = (struct sockaddr_in6 *)address;
3866 snum = ntohs(addr6->sin6_port);
3867 addrp = (char *)&addr6->sin6_addr.s6_addr;
3873 inet_get_local_port_range(&low, &high);
3875 if (snum < max(PROT_SOCK, low) || snum > high) {
3876 err = sel_netport_sid(sk->sk_protocol,
3880 ad.type = LSM_AUDIT_DATA_NET;
3882 ad.u.net->sport = htons(snum);
3883 ad.u.net->family = family;
3884 err = avc_has_perm(sksec->sid, sid,
3886 SOCKET__NAME_BIND, &ad);
3892 switch (sksec->sclass) {
3893 case SECCLASS_TCP_SOCKET:
3894 node_perm = TCP_SOCKET__NODE_BIND;
3897 case SECCLASS_UDP_SOCKET:
3898 node_perm = UDP_SOCKET__NODE_BIND;
3901 case SECCLASS_DCCP_SOCKET:
3902 node_perm = DCCP_SOCKET__NODE_BIND;
3906 node_perm = RAWIP_SOCKET__NODE_BIND;
3910 err = sel_netnode_sid(addrp, family, &sid);
3914 ad.type = LSM_AUDIT_DATA_NET;
3916 ad.u.net->sport = htons(snum);
3917 ad.u.net->family = family;
3919 if (family == PF_INET)
3920 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
3922 ad.u.net->v6info.saddr = addr6->sin6_addr;
3924 err = avc_has_perm(sksec->sid, sid,
3925 sksec->sclass, node_perm, &ad);
3933 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3935 struct sock *sk = sock->sk;
3936 struct sk_security_struct *sksec = sk->sk_security;
3939 err = sock_has_perm(current, sk, SOCKET__CONNECT);
3944 * If a TCP or DCCP socket, check name_connect permission for the port.
3946 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3947 sksec->sclass == SECCLASS_DCCP_SOCKET) {
3948 struct common_audit_data ad;
3949 struct lsm_network_audit net = {0,};
3950 struct sockaddr_in *addr4 = NULL;
3951 struct sockaddr_in6 *addr6 = NULL;
3952 unsigned short snum;
3955 if (sk->sk_family == PF_INET) {
3956 addr4 = (struct sockaddr_in *)address;
3957 if (addrlen < sizeof(struct sockaddr_in))
3959 snum = ntohs(addr4->sin_port);
3961 addr6 = (struct sockaddr_in6 *)address;
3962 if (addrlen < SIN6_LEN_RFC2133)
3964 snum = ntohs(addr6->sin6_port);
3967 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3971 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3972 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3974 ad.type = LSM_AUDIT_DATA_NET;
3976 ad.u.net->dport = htons(snum);
3977 ad.u.net->family = sk->sk_family;
3978 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3983 err = selinux_netlbl_socket_connect(sk, address);
3989 static int selinux_socket_listen(struct socket *sock, int backlog)
3991 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3994 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3997 struct inode_security_struct *isec;
3998 struct inode_security_struct *newisec;
4000 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4004 newisec = SOCK_INODE(newsock)->i_security;
4006 isec = SOCK_INODE(sock)->i_security;
4007 newisec->sclass = isec->sclass;
4008 newisec->sid = isec->sid;
4009 newisec->initialized = 1;
4014 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4017 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4020 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4021 int size, int flags)
4023 return sock_has_perm(current, sock->sk, SOCKET__READ);
4026 static int selinux_socket_getsockname(struct socket *sock)
4028 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4031 static int selinux_socket_getpeername(struct socket *sock)
4033 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4036 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4040 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4044 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4047 static int selinux_socket_getsockopt(struct socket *sock, int level,
4050 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4053 static int selinux_socket_shutdown(struct socket *sock, int how)
4055 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4058 static int selinux_socket_unix_stream_connect(struct sock *sock,
4062 struct sk_security_struct *sksec_sock = sock->sk_security;
4063 struct sk_security_struct *sksec_other = other->sk_security;
4064 struct sk_security_struct *sksec_new = newsk->sk_security;
4065 struct common_audit_data ad;
4066 struct lsm_network_audit net = {0,};
4069 ad.type = LSM_AUDIT_DATA_NET;
4071 ad.u.net->sk = other;
4073 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4074 sksec_other->sclass,
4075 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4079 /* server child socket */
4080 sksec_new->peer_sid = sksec_sock->sid;
4081 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4086 /* connecting socket */
4087 sksec_sock->peer_sid = sksec_new->sid;
4092 static int selinux_socket_unix_may_send(struct socket *sock,
4093 struct socket *other)
4095 struct sk_security_struct *ssec = sock->sk->sk_security;
4096 struct sk_security_struct *osec = other->sk->sk_security;
4097 struct common_audit_data ad;
4098 struct lsm_network_audit net = {0,};
4100 ad.type = LSM_AUDIT_DATA_NET;
4102 ad.u.net->sk = other->sk;
4104 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4108 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4110 struct common_audit_data *ad)
4116 err = sel_netif_sid(ifindex, &if_sid);
4119 err = avc_has_perm(peer_sid, if_sid,
4120 SECCLASS_NETIF, NETIF__INGRESS, ad);
4124 err = sel_netnode_sid(addrp, family, &node_sid);
4127 return avc_has_perm(peer_sid, node_sid,
4128 SECCLASS_NODE, NODE__RECVFROM, ad);
4131 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4135 struct sk_security_struct *sksec = sk->sk_security;
4136 u32 sk_sid = sksec->sid;
4137 struct common_audit_data ad;
4138 struct lsm_network_audit net = {0,};
4141 ad.type = LSM_AUDIT_DATA_NET;
4143 ad.u.net->netif = skb->skb_iif;
4144 ad.u.net->family = family;
4145 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4149 if (selinux_secmark_enabled()) {
4150 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4156 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4159 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4164 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4167 struct sk_security_struct *sksec = sk->sk_security;
4168 u16 family = sk->sk_family;
4169 u32 sk_sid = sksec->sid;
4170 struct common_audit_data ad;
4171 struct lsm_network_audit net = {0,};
4176 if (family != PF_INET && family != PF_INET6)
4179 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4180 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4183 /* If any sort of compatibility mode is enabled then handoff processing
4184 * to the selinux_sock_rcv_skb_compat() function to deal with the
4185 * special handling. We do this in an attempt to keep this function
4186 * as fast and as clean as possible. */
4187 if (!selinux_policycap_netpeer)
4188 return selinux_sock_rcv_skb_compat(sk, skb, family);
4190 secmark_active = selinux_secmark_enabled();
4191 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4192 if (!secmark_active && !peerlbl_active)
4195 ad.type = LSM_AUDIT_DATA_NET;
4197 ad.u.net->netif = skb->skb_iif;
4198 ad.u.net->family = family;
4199 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4203 if (peerlbl_active) {
4206 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4209 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4212 selinux_netlbl_err(skb, err, 0);
4215 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4218 selinux_netlbl_err(skb, err, 0);
4221 if (secmark_active) {
4222 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4231 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4232 int __user *optlen, unsigned len)
4237 struct sk_security_struct *sksec = sock->sk->sk_security;
4238 u32 peer_sid = SECSID_NULL;
4240 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4241 sksec->sclass == SECCLASS_TCP_SOCKET)
4242 peer_sid = sksec->peer_sid;
4243 if (peer_sid == SECSID_NULL)
4244 return -ENOPROTOOPT;
4246 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4250 if (scontext_len > len) {
4255 if (copy_to_user(optval, scontext, scontext_len))
4259 if (put_user(scontext_len, optlen))
4265 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4267 u32 peer_secid = SECSID_NULL;
4270 if (skb && skb->protocol == htons(ETH_P_IP))
4272 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4275 family = sock->sk->sk_family;
4279 if (sock && family == PF_UNIX)
4280 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4282 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4285 *secid = peer_secid;
4286 if (peer_secid == SECSID_NULL)
4291 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4293 struct sk_security_struct *sksec;
4295 sksec = kzalloc(sizeof(*sksec), priority);
4299 sksec->peer_sid = SECINITSID_UNLABELED;
4300 sksec->sid = SECINITSID_UNLABELED;
4301 selinux_netlbl_sk_security_reset(sksec);
4302 sk->sk_security = sksec;
4307 static void selinux_sk_free_security(struct sock *sk)
4309 struct sk_security_struct *sksec = sk->sk_security;
4311 sk->sk_security = NULL;
4312 selinux_netlbl_sk_security_free(sksec);
4316 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4318 struct sk_security_struct *sksec = sk->sk_security;
4319 struct sk_security_struct *newsksec = newsk->sk_security;
4321 newsksec->sid = sksec->sid;
4322 newsksec->peer_sid = sksec->peer_sid;
4323 newsksec->sclass = sksec->sclass;
4325 selinux_netlbl_sk_security_reset(newsksec);
4328 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4331 *secid = SECINITSID_ANY_SOCKET;
4333 struct sk_security_struct *sksec = sk->sk_security;
4335 *secid = sksec->sid;
4339 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4341 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4342 struct sk_security_struct *sksec = sk->sk_security;
4344 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4345 sk->sk_family == PF_UNIX)
4346 isec->sid = sksec->sid;
4347 sksec->sclass = isec->sclass;
4350 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4351 struct request_sock *req)
4353 struct sk_security_struct *sksec = sk->sk_security;
4355 u16 family = sk->sk_family;
4359 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4360 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4363 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4366 if (peersid == SECSID_NULL) {
4367 req->secid = sksec->sid;
4368 req->peer_secid = SECSID_NULL;
4370 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4373 req->secid = newsid;
4374 req->peer_secid = peersid;
4377 return selinux_netlbl_inet_conn_request(req, family);
4380 static void selinux_inet_csk_clone(struct sock *newsk,
4381 const struct request_sock *req)
4383 struct sk_security_struct *newsksec = newsk->sk_security;
4385 newsksec->sid = req->secid;
4386 newsksec->peer_sid = req->peer_secid;
4387 /* NOTE: Ideally, we should also get the isec->sid for the
4388 new socket in sync, but we don't have the isec available yet.
4389 So we will wait until sock_graft to do it, by which
4390 time it will have been created and available. */
4392 /* We don't need to take any sort of lock here as we are the only
4393 * thread with access to newsksec */
4394 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4397 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4399 u16 family = sk->sk_family;
4400 struct sk_security_struct *sksec = sk->sk_security;
4402 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4403 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4406 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4409 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4411 skb_set_owner_w(skb, sk);
4414 static int selinux_secmark_relabel_packet(u32 sid)
4416 const struct task_security_struct *__tsec;
4419 __tsec = current_security();
4422 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4425 static void selinux_secmark_refcount_inc(void)
4427 atomic_inc(&selinux_secmark_refcount);
4430 static void selinux_secmark_refcount_dec(void)
4432 atomic_dec(&selinux_secmark_refcount);
4435 static void selinux_req_classify_flow(const struct request_sock *req,
4438 fl->flowi_secid = req->secid;
4441 static int selinux_tun_dev_alloc_security(void **security)
4443 struct tun_security_struct *tunsec;
4445 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4448 tunsec->sid = current_sid();
4454 static void selinux_tun_dev_free_security(void *security)
4459 static int selinux_tun_dev_create(void)
4461 u32 sid = current_sid();
4463 /* we aren't taking into account the "sockcreate" SID since the socket
4464 * that is being created here is not a socket in the traditional sense,
4465 * instead it is a private sock, accessible only to the kernel, and
4466 * representing a wide range of network traffic spanning multiple
4467 * connections unlike traditional sockets - check the TUN driver to
4468 * get a better understanding of why this socket is special */
4470 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4474 static int selinux_tun_dev_attach_queue(void *security)
4476 struct tun_security_struct *tunsec = security;
4478 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4479 TUN_SOCKET__ATTACH_QUEUE, NULL);
4482 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4484 struct tun_security_struct *tunsec = security;
4485 struct sk_security_struct *sksec = sk->sk_security;
4487 /* we don't currently perform any NetLabel based labeling here and it
4488 * isn't clear that we would want to do so anyway; while we could apply
4489 * labeling without the support of the TUN user the resulting labeled
4490 * traffic from the other end of the connection would almost certainly
4491 * cause confusion to the TUN user that had no idea network labeling
4492 * protocols were being used */
4494 sksec->sid = tunsec->sid;
4495 sksec->sclass = SECCLASS_TUN_SOCKET;
4500 static int selinux_tun_dev_open(void *security)
4502 struct tun_security_struct *tunsec = security;
4503 u32 sid = current_sid();
4506 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4507 TUN_SOCKET__RELABELFROM, NULL);
4510 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4511 TUN_SOCKET__RELABELTO, NULL);
4519 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4523 struct nlmsghdr *nlh;
4524 struct sk_security_struct *sksec = sk->sk_security;
4526 if (skb->len < NLMSG_HDRLEN) {
4530 nlh = nlmsg_hdr(skb);
4532 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4534 if (err == -EINVAL) {
4535 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4536 "SELinux: unrecognized netlink message"
4537 " type=%hu for sclass=%hu\n",
4538 nlh->nlmsg_type, sksec->sclass);
4539 if (!selinux_enforcing || security_get_allow_unknown())
4549 err = sock_has_perm(current, sk, perm);
4554 #ifdef CONFIG_NETFILTER
4556 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4562 struct common_audit_data ad;
4563 struct lsm_network_audit net = {0,};
4568 if (!selinux_policycap_netpeer)
4571 secmark_active = selinux_secmark_enabled();
4572 netlbl_active = netlbl_enabled();
4573 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4574 if (!secmark_active && !peerlbl_active)
4577 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4580 ad.type = LSM_AUDIT_DATA_NET;
4582 ad.u.net->netif = ifindex;
4583 ad.u.net->family = family;
4584 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4587 if (peerlbl_active) {
4588 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4591 selinux_netlbl_err(skb, err, 1);
4597 if (avc_has_perm(peer_sid, skb->secmark,
4598 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4602 /* we do this in the FORWARD path and not the POST_ROUTING
4603 * path because we want to make sure we apply the necessary
4604 * labeling before IPsec is applied so we can leverage AH
4606 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4612 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4613 struct sk_buff *skb,
4614 const struct net_device *in,
4615 const struct net_device *out,
4616 int (*okfn)(struct sk_buff *))
4618 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4621 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4622 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4623 struct sk_buff *skb,
4624 const struct net_device *in,
4625 const struct net_device *out,
4626 int (*okfn)(struct sk_buff *))
4628 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4632 static unsigned int selinux_ip_output(struct sk_buff *skb,
4637 if (!netlbl_enabled())
4640 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4641 * because we want to make sure we apply the necessary labeling
4642 * before IPsec is applied so we can leverage AH protection */
4644 struct sk_security_struct *sksec = skb->sk->sk_security;
4647 sid = SECINITSID_KERNEL;
4648 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4654 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4655 struct sk_buff *skb,
4656 const struct net_device *in,
4657 const struct net_device *out,
4658 int (*okfn)(struct sk_buff *))
4660 return selinux_ip_output(skb, PF_INET);
4663 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4667 struct sock *sk = skb->sk;
4668 struct sk_security_struct *sksec;
4669 struct common_audit_data ad;
4670 struct lsm_network_audit net = {0,};
4676 sksec = sk->sk_security;
4678 ad.type = LSM_AUDIT_DATA_NET;
4680 ad.u.net->netif = ifindex;
4681 ad.u.net->family = family;
4682 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4685 if (selinux_secmark_enabled())
4686 if (avc_has_perm(sksec->sid, skb->secmark,
4687 SECCLASS_PACKET, PACKET__SEND, &ad))
4688 return NF_DROP_ERR(-ECONNREFUSED);
4690 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4691 return NF_DROP_ERR(-ECONNREFUSED);
4696 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4702 struct common_audit_data ad;
4703 struct lsm_network_audit net = {0,};
4708 /* If any sort of compatibility mode is enabled then handoff processing
4709 * to the selinux_ip_postroute_compat() function to deal with the
4710 * special handling. We do this in an attempt to keep this function
4711 * as fast and as clean as possible. */
4712 if (!selinux_policycap_netpeer)
4713 return selinux_ip_postroute_compat(skb, ifindex, family);
4715 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4716 * packet transformation so allow the packet to pass without any checks
4717 * since we'll have another chance to perform access control checks
4718 * when the packet is on it's final way out.
4719 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4720 * is NULL, in this case go ahead and apply access control. */
4721 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4724 secmark_active = selinux_secmark_enabled();
4725 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4726 if (!secmark_active && !peerlbl_active)
4729 /* if the packet is being forwarded then get the peer label from the
4730 * packet itself; otherwise check to see if it is from a local
4731 * application or the kernel, if from an application get the peer label
4732 * from the sending socket, otherwise use the kernel's sid */
4736 secmark_perm = PACKET__FORWARD_OUT;
4737 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4740 secmark_perm = PACKET__SEND;
4741 peer_sid = SECINITSID_KERNEL;
4744 struct sk_security_struct *sksec = sk->sk_security;
4745 peer_sid = sksec->sid;
4746 secmark_perm = PACKET__SEND;
4749 ad.type = LSM_AUDIT_DATA_NET;
4751 ad.u.net->netif = ifindex;
4752 ad.u.net->family = family;
4753 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4757 if (avc_has_perm(peer_sid, skb->secmark,
4758 SECCLASS_PACKET, secmark_perm, &ad))
4759 return NF_DROP_ERR(-ECONNREFUSED);
4761 if (peerlbl_active) {
4765 if (sel_netif_sid(ifindex, &if_sid))
4767 if (avc_has_perm(peer_sid, if_sid,
4768 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4769 return NF_DROP_ERR(-ECONNREFUSED);
4771 if (sel_netnode_sid(addrp, family, &node_sid))
4773 if (avc_has_perm(peer_sid, node_sid,
4774 SECCLASS_NODE, NODE__SENDTO, &ad))
4775 return NF_DROP_ERR(-ECONNREFUSED);
4781 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4782 struct sk_buff *skb,
4783 const struct net_device *in,
4784 const struct net_device *out,
4785 int (*okfn)(struct sk_buff *))
4787 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4790 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4791 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4792 struct sk_buff *skb,
4793 const struct net_device *in,
4794 const struct net_device *out,
4795 int (*okfn)(struct sk_buff *))
4797 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4801 #endif /* CONFIG_NETFILTER */
4803 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4807 err = cap_netlink_send(sk, skb);
4811 return selinux_nlmsg_perm(sk, skb);
4814 static int ipc_alloc_security(struct task_struct *task,
4815 struct kern_ipc_perm *perm,
4818 struct ipc_security_struct *isec;
4821 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4825 sid = task_sid(task);
4826 isec->sclass = sclass;
4828 perm->security = isec;
4833 static void ipc_free_security(struct kern_ipc_perm *perm)
4835 struct ipc_security_struct *isec = perm->security;
4836 perm->security = NULL;
4840 static int msg_msg_alloc_security(struct msg_msg *msg)
4842 struct msg_security_struct *msec;
4844 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4848 msec->sid = SECINITSID_UNLABELED;
4849 msg->security = msec;
4854 static void msg_msg_free_security(struct msg_msg *msg)
4856 struct msg_security_struct *msec = msg->security;
4858 msg->security = NULL;
4862 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4865 struct ipc_security_struct *isec;
4866 struct common_audit_data ad;
4867 u32 sid = current_sid();
4869 isec = ipc_perms->security;
4871 ad.type = LSM_AUDIT_DATA_IPC;
4872 ad.u.ipc_id = ipc_perms->key;
4874 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4877 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4879 return msg_msg_alloc_security(msg);
4882 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4884 msg_msg_free_security(msg);
4887 /* message queue security operations */
4888 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4890 struct ipc_security_struct *isec;
4891 struct common_audit_data ad;
4892 u32 sid = current_sid();
4895 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4899 isec = msq->q_perm.security;
4901 ad.type = LSM_AUDIT_DATA_IPC;
4902 ad.u.ipc_id = msq->q_perm.key;
4904 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4907 ipc_free_security(&msq->q_perm);
4913 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4915 ipc_free_security(&msq->q_perm);
4918 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4920 struct ipc_security_struct *isec;
4921 struct common_audit_data ad;
4922 u32 sid = current_sid();
4924 isec = msq->q_perm.security;
4926 ad.type = LSM_AUDIT_DATA_IPC;
4927 ad.u.ipc_id = msq->q_perm.key;
4929 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4930 MSGQ__ASSOCIATE, &ad);
4933 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4941 /* No specific object, just general system-wide information. */
4942 return task_has_system(current, SYSTEM__IPC_INFO);
4945 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4948 perms = MSGQ__SETATTR;
4951 perms = MSGQ__DESTROY;
4957 err = ipc_has_perm(&msq->q_perm, perms);
4961 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4963 struct ipc_security_struct *isec;
4964 struct msg_security_struct *msec;
4965 struct common_audit_data ad;
4966 u32 sid = current_sid();
4969 isec = msq->q_perm.security;
4970 msec = msg->security;
4973 * First time through, need to assign label to the message
4975 if (msec->sid == SECINITSID_UNLABELED) {
4977 * Compute new sid based on current process and
4978 * message queue this message will be stored in
4980 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4986 ad.type = LSM_AUDIT_DATA_IPC;
4987 ad.u.ipc_id = msq->q_perm.key;
4989 /* Can this process write to the queue? */
4990 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4993 /* Can this process send the message */
4994 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4997 /* Can the message be put in the queue? */
4998 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4999 MSGQ__ENQUEUE, &ad);
5004 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5005 struct task_struct *target,
5006 long type, int mode)
5008 struct ipc_security_struct *isec;
5009 struct msg_security_struct *msec;
5010 struct common_audit_data ad;
5011 u32 sid = task_sid(target);
5014 isec = msq->q_perm.security;
5015 msec = msg->security;
5017 ad.type = LSM_AUDIT_DATA_IPC;
5018 ad.u.ipc_id = msq->q_perm.key;
5020 rc = avc_has_perm(sid, isec->sid,
5021 SECCLASS_MSGQ, MSGQ__READ, &ad);
5023 rc = avc_has_perm(sid, msec->sid,
5024 SECCLASS_MSG, MSG__RECEIVE, &ad);
5028 /* Shared Memory security operations */
5029 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5031 struct ipc_security_struct *isec;
5032 struct common_audit_data ad;
5033 u32 sid = current_sid();
5036 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5040 isec = shp->shm_perm.security;
5042 ad.type = LSM_AUDIT_DATA_IPC;
5043 ad.u.ipc_id = shp->shm_perm.key;
5045 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5048 ipc_free_security(&shp->shm_perm);
5054 static void selinux_shm_free_security(struct shmid_kernel *shp)
5056 ipc_free_security(&shp->shm_perm);
5059 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5061 struct ipc_security_struct *isec;
5062 struct common_audit_data ad;
5063 u32 sid = current_sid();
5065 isec = shp->shm_perm.security;
5067 ad.type = LSM_AUDIT_DATA_IPC;
5068 ad.u.ipc_id = shp->shm_perm.key;
5070 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5071 SHM__ASSOCIATE, &ad);
5074 /* Note, at this point, shp is locked down */
5075 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5083 /* No specific object, just general system-wide information. */
5084 return task_has_system(current, SYSTEM__IPC_INFO);
5087 perms = SHM__GETATTR | SHM__ASSOCIATE;
5090 perms = SHM__SETATTR;
5097 perms = SHM__DESTROY;
5103 err = ipc_has_perm(&shp->shm_perm, perms);
5107 static int selinux_shm_shmat(struct shmid_kernel *shp,
5108 char __user *shmaddr, int shmflg)
5112 if (shmflg & SHM_RDONLY)
5115 perms = SHM__READ | SHM__WRITE;
5117 return ipc_has_perm(&shp->shm_perm, perms);
5120 /* Semaphore security operations */
5121 static int selinux_sem_alloc_security(struct sem_array *sma)
5123 struct ipc_security_struct *isec;
5124 struct common_audit_data ad;
5125 u32 sid = current_sid();
5128 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5132 isec = sma->sem_perm.security;
5134 ad.type = LSM_AUDIT_DATA_IPC;
5135 ad.u.ipc_id = sma->sem_perm.key;
5137 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5140 ipc_free_security(&sma->sem_perm);
5146 static void selinux_sem_free_security(struct sem_array *sma)
5148 ipc_free_security(&sma->sem_perm);
5151 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5153 struct ipc_security_struct *isec;
5154 struct common_audit_data ad;
5155 u32 sid = current_sid();
5157 isec = sma->sem_perm.security;
5159 ad.type = LSM_AUDIT_DATA_IPC;
5160 ad.u.ipc_id = sma->sem_perm.key;
5162 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5163 SEM__ASSOCIATE, &ad);
5166 /* Note, at this point, sma is locked down */
5167 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5175 /* No specific object, just general system-wide information. */
5176 return task_has_system(current, SYSTEM__IPC_INFO);
5180 perms = SEM__GETATTR;
5191 perms = SEM__DESTROY;
5194 perms = SEM__SETATTR;
5198 perms = SEM__GETATTR | SEM__ASSOCIATE;
5204 err = ipc_has_perm(&sma->sem_perm, perms);
5208 static int selinux_sem_semop(struct sem_array *sma,
5209 struct sembuf *sops, unsigned nsops, int alter)
5214 perms = SEM__READ | SEM__WRITE;
5218 return ipc_has_perm(&sma->sem_perm, perms);
5221 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5227 av |= IPC__UNIX_READ;
5229 av |= IPC__UNIX_WRITE;
5234 return ipc_has_perm(ipcp, av);
5237 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5239 struct ipc_security_struct *isec = ipcp->security;
5243 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5246 inode_doinit_with_dentry(inode, dentry);
5249 static int selinux_getprocattr(struct task_struct *p,
5250 char *name, char **value)
5252 const struct task_security_struct *__tsec;
5258 error = current_has_perm(p, PROCESS__GETATTR);
5264 __tsec = __task_cred(p)->security;
5266 if (!strcmp(name, "current"))
5268 else if (!strcmp(name, "prev"))
5270 else if (!strcmp(name, "exec"))
5271 sid = __tsec->exec_sid;
5272 else if (!strcmp(name, "fscreate"))
5273 sid = __tsec->create_sid;
5274 else if (!strcmp(name, "keycreate"))
5275 sid = __tsec->keycreate_sid;
5276 else if (!strcmp(name, "sockcreate"))
5277 sid = __tsec->sockcreate_sid;
5285 error = security_sid_to_context(sid, value, &len);
5295 static int selinux_setprocattr(struct task_struct *p,
5296 char *name, void *value, size_t size)
5298 struct task_security_struct *tsec;
5299 struct task_struct *tracer;
5306 /* SELinux only allows a process to change its own
5307 security attributes. */
5312 * Basic control over ability to set these attributes at all.
5313 * current == p, but we'll pass them separately in case the
5314 * above restriction is ever removed.
5316 if (!strcmp(name, "exec"))
5317 error = current_has_perm(p, PROCESS__SETEXEC);
5318 else if (!strcmp(name, "fscreate"))
5319 error = current_has_perm(p, PROCESS__SETFSCREATE);
5320 else if (!strcmp(name, "keycreate"))
5321 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5322 else if (!strcmp(name, "sockcreate"))
5323 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5324 else if (!strcmp(name, "current"))
5325 error = current_has_perm(p, PROCESS__SETCURRENT);
5331 /* Obtain a SID for the context, if one was specified. */
5332 if (size && str[1] && str[1] != '\n') {
5333 if (str[size-1] == '\n') {
5337 error = security_context_to_sid(value, size, &sid);
5338 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5339 if (!capable(CAP_MAC_ADMIN)) {
5340 struct audit_buffer *ab;
5343 /* We strip a nul only if it is at the end, otherwise the
5344 * context contains a nul and we should audit that */
5345 if (str[size - 1] == '\0')
5346 audit_size = size - 1;
5349 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5350 audit_log_format(ab, "op=fscreate invalid_context=");
5351 audit_log_n_untrustedstring(ab, value, audit_size);
5356 error = security_context_to_sid_force(value, size,
5363 new = prepare_creds();
5367 /* Permission checking based on the specified context is
5368 performed during the actual operation (execve,
5369 open/mkdir/...), when we know the full context of the
5370 operation. See selinux_bprm_set_creds for the execve
5371 checks and may_create for the file creation checks. The
5372 operation will then fail if the context is not permitted. */
5373 tsec = new->security;
5374 if (!strcmp(name, "exec")) {
5375 tsec->exec_sid = sid;
5376 } else if (!strcmp(name, "fscreate")) {
5377 tsec->create_sid = sid;
5378 } else if (!strcmp(name, "keycreate")) {
5379 error = may_create_key(sid, p);
5382 tsec->keycreate_sid = sid;
5383 } else if (!strcmp(name, "sockcreate")) {
5384 tsec->sockcreate_sid = sid;
5385 } else if (!strcmp(name, "current")) {
5390 /* Only allow single threaded processes to change context */
5392 if (!current_is_single_threaded()) {
5393 error = security_bounded_transition(tsec->sid, sid);
5398 /* Check permissions for the transition. */
5399 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5400 PROCESS__DYNTRANSITION, NULL);
5404 /* Check for ptracing, and update the task SID if ok.
5405 Otherwise, leave SID unchanged and fail. */
5408 tracer = ptrace_parent(p);
5410 ptsid = task_sid(tracer);
5414 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5415 PROCESS__PTRACE, NULL);
5434 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5436 return security_sid_to_context(secid, secdata, seclen);
5439 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5441 return security_context_to_sid(secdata, seclen, secid);
5444 static void selinux_release_secctx(char *secdata, u32 seclen)
5450 * called with inode->i_mutex locked
5452 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5454 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5458 * called with inode->i_mutex locked
5460 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5462 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5465 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5468 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5477 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5478 unsigned long flags)
5480 const struct task_security_struct *tsec;
5481 struct key_security_struct *ksec;
5483 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5487 tsec = cred->security;
5488 if (tsec->keycreate_sid)
5489 ksec->sid = tsec->keycreate_sid;
5491 ksec->sid = tsec->sid;
5497 static void selinux_key_free(struct key *k)
5499 struct key_security_struct *ksec = k->security;
5505 static int selinux_key_permission(key_ref_t key_ref,
5506 const struct cred *cred,
5510 struct key_security_struct *ksec;
5513 /* if no specific permissions are requested, we skip the
5514 permission check. No serious, additional covert channels
5515 appear to be created. */
5519 sid = cred_sid(cred);
5521 key = key_ref_to_ptr(key_ref);
5522 ksec = key->security;
5524 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5527 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5529 struct key_security_struct *ksec = key->security;
5530 char *context = NULL;
5534 rc = security_sid_to_context(ksec->sid, &context, &len);
5543 static struct security_operations selinux_ops = {
5546 .ptrace_access_check = selinux_ptrace_access_check,
5547 .ptrace_traceme = selinux_ptrace_traceme,
5548 .capget = selinux_capget,
5549 .capset = selinux_capset,
5550 .capable = selinux_capable,
5551 .quotactl = selinux_quotactl,
5552 .quota_on = selinux_quota_on,
5553 .syslog = selinux_syslog,
5554 .vm_enough_memory = selinux_vm_enough_memory,
5556 .netlink_send = selinux_netlink_send,
5558 .bprm_set_creds = selinux_bprm_set_creds,
5559 .bprm_committing_creds = selinux_bprm_committing_creds,
5560 .bprm_committed_creds = selinux_bprm_committed_creds,
5561 .bprm_secureexec = selinux_bprm_secureexec,
5563 .sb_alloc_security = selinux_sb_alloc_security,
5564 .sb_free_security = selinux_sb_free_security,
5565 .sb_copy_data = selinux_sb_copy_data,
5566 .sb_remount = selinux_sb_remount,
5567 .sb_kern_mount = selinux_sb_kern_mount,
5568 .sb_show_options = selinux_sb_show_options,
5569 .sb_statfs = selinux_sb_statfs,
5570 .sb_mount = selinux_mount,
5571 .sb_umount = selinux_umount,
5572 .sb_set_mnt_opts = selinux_set_mnt_opts,
5573 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5574 .sb_parse_opts_str = selinux_parse_opts_str,
5577 .inode_alloc_security = selinux_inode_alloc_security,
5578 .inode_free_security = selinux_inode_free_security,
5579 .inode_init_security = selinux_inode_init_security,
5580 .inode_create = selinux_inode_create,
5581 .inode_link = selinux_inode_link,
5582 .inode_unlink = selinux_inode_unlink,
5583 .inode_symlink = selinux_inode_symlink,
5584 .inode_mkdir = selinux_inode_mkdir,
5585 .inode_rmdir = selinux_inode_rmdir,
5586 .inode_mknod = selinux_inode_mknod,
5587 .inode_rename = selinux_inode_rename,
5588 .inode_readlink = selinux_inode_readlink,
5589 .inode_follow_link = selinux_inode_follow_link,
5590 .inode_permission = selinux_inode_permission,
5591 .inode_setattr = selinux_inode_setattr,
5592 .inode_getattr = selinux_inode_getattr,
5593 .inode_setxattr = selinux_inode_setxattr,
5594 .inode_post_setxattr = selinux_inode_post_setxattr,
5595 .inode_getxattr = selinux_inode_getxattr,
5596 .inode_listxattr = selinux_inode_listxattr,
5597 .inode_removexattr = selinux_inode_removexattr,
5598 .inode_getsecurity = selinux_inode_getsecurity,
5599 .inode_setsecurity = selinux_inode_setsecurity,
5600 .inode_listsecurity = selinux_inode_listsecurity,
5601 .inode_getsecid = selinux_inode_getsecid,
5603 .file_permission = selinux_file_permission,
5604 .file_alloc_security = selinux_file_alloc_security,
5605 .file_free_security = selinux_file_free_security,
5606 .file_ioctl = selinux_file_ioctl,
5607 .mmap_file = selinux_mmap_file,
5608 .mmap_addr = selinux_mmap_addr,
5609 .file_mprotect = selinux_file_mprotect,
5610 .file_lock = selinux_file_lock,
5611 .file_fcntl = selinux_file_fcntl,
5612 .file_set_fowner = selinux_file_set_fowner,
5613 .file_send_sigiotask = selinux_file_send_sigiotask,
5614 .file_receive = selinux_file_receive,
5616 .file_open = selinux_file_open,
5618 .task_create = selinux_task_create,
5619 .cred_alloc_blank = selinux_cred_alloc_blank,
5620 .cred_free = selinux_cred_free,
5621 .cred_prepare = selinux_cred_prepare,
5622 .cred_transfer = selinux_cred_transfer,
5623 .kernel_act_as = selinux_kernel_act_as,
5624 .kernel_create_files_as = selinux_kernel_create_files_as,
5625 .kernel_module_request = selinux_kernel_module_request,
5626 .task_setpgid = selinux_task_setpgid,
5627 .task_getpgid = selinux_task_getpgid,
5628 .task_getsid = selinux_task_getsid,
5629 .task_getsecid = selinux_task_getsecid,
5630 .task_setnice = selinux_task_setnice,
5631 .task_setioprio = selinux_task_setioprio,
5632 .task_getioprio = selinux_task_getioprio,
5633 .task_setrlimit = selinux_task_setrlimit,
5634 .task_setscheduler = selinux_task_setscheduler,
5635 .task_getscheduler = selinux_task_getscheduler,
5636 .task_movememory = selinux_task_movememory,
5637 .task_kill = selinux_task_kill,
5638 .task_wait = selinux_task_wait,
5639 .task_to_inode = selinux_task_to_inode,
5641 .ipc_permission = selinux_ipc_permission,
5642 .ipc_getsecid = selinux_ipc_getsecid,
5644 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5645 .msg_msg_free_security = selinux_msg_msg_free_security,
5647 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5648 .msg_queue_free_security = selinux_msg_queue_free_security,
5649 .msg_queue_associate = selinux_msg_queue_associate,
5650 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5651 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5652 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5654 .shm_alloc_security = selinux_shm_alloc_security,
5655 .shm_free_security = selinux_shm_free_security,
5656 .shm_associate = selinux_shm_associate,
5657 .shm_shmctl = selinux_shm_shmctl,
5658 .shm_shmat = selinux_shm_shmat,
5660 .sem_alloc_security = selinux_sem_alloc_security,
5661 .sem_free_security = selinux_sem_free_security,
5662 .sem_associate = selinux_sem_associate,
5663 .sem_semctl = selinux_sem_semctl,
5664 .sem_semop = selinux_sem_semop,
5666 .d_instantiate = selinux_d_instantiate,
5668 .getprocattr = selinux_getprocattr,
5669 .setprocattr = selinux_setprocattr,
5671 .secid_to_secctx = selinux_secid_to_secctx,
5672 .secctx_to_secid = selinux_secctx_to_secid,
5673 .release_secctx = selinux_release_secctx,
5674 .inode_notifysecctx = selinux_inode_notifysecctx,
5675 .inode_setsecctx = selinux_inode_setsecctx,
5676 .inode_getsecctx = selinux_inode_getsecctx,
5678 .unix_stream_connect = selinux_socket_unix_stream_connect,
5679 .unix_may_send = selinux_socket_unix_may_send,
5681 .socket_create = selinux_socket_create,
5682 .socket_post_create = selinux_socket_post_create,
5683 .socket_bind = selinux_socket_bind,
5684 .socket_connect = selinux_socket_connect,
5685 .socket_listen = selinux_socket_listen,
5686 .socket_accept = selinux_socket_accept,
5687 .socket_sendmsg = selinux_socket_sendmsg,
5688 .socket_recvmsg = selinux_socket_recvmsg,
5689 .socket_getsockname = selinux_socket_getsockname,
5690 .socket_getpeername = selinux_socket_getpeername,
5691 .socket_getsockopt = selinux_socket_getsockopt,
5692 .socket_setsockopt = selinux_socket_setsockopt,
5693 .socket_shutdown = selinux_socket_shutdown,
5694 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5695 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5696 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5697 .sk_alloc_security = selinux_sk_alloc_security,
5698 .sk_free_security = selinux_sk_free_security,
5699 .sk_clone_security = selinux_sk_clone_security,
5700 .sk_getsecid = selinux_sk_getsecid,
5701 .sock_graft = selinux_sock_graft,
5702 .inet_conn_request = selinux_inet_conn_request,
5703 .inet_csk_clone = selinux_inet_csk_clone,
5704 .inet_conn_established = selinux_inet_conn_established,
5705 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5706 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5707 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5708 .req_classify_flow = selinux_req_classify_flow,
5709 .tun_dev_alloc_security = selinux_tun_dev_alloc_security,
5710 .tun_dev_free_security = selinux_tun_dev_free_security,
5711 .tun_dev_create = selinux_tun_dev_create,
5712 .tun_dev_attach_queue = selinux_tun_dev_attach_queue,
5713 .tun_dev_attach = selinux_tun_dev_attach,
5714 .tun_dev_open = selinux_tun_dev_open,
5715 .skb_owned_by = selinux_skb_owned_by,
5717 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5718 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5719 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5720 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5721 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5722 .xfrm_state_alloc = selinux_xfrm_state_alloc,
5723 .xfrm_state_alloc_acquire = selinux_xfrm_state_alloc_acquire,
5724 .xfrm_state_free_security = selinux_xfrm_state_free,
5725 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5726 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5727 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5728 .xfrm_decode_session = selinux_xfrm_decode_session,
5732 .key_alloc = selinux_key_alloc,
5733 .key_free = selinux_key_free,
5734 .key_permission = selinux_key_permission,
5735 .key_getsecurity = selinux_key_getsecurity,
5739 .audit_rule_init = selinux_audit_rule_init,
5740 .audit_rule_known = selinux_audit_rule_known,
5741 .audit_rule_match = selinux_audit_rule_match,
5742 .audit_rule_free = selinux_audit_rule_free,
5746 static __init int selinux_init(void)
5748 if (!security_module_enable(&selinux_ops)) {
5749 selinux_enabled = 0;
5753 if (!selinux_enabled) {
5754 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5758 printk(KERN_INFO "SELinux: Initializing.\n");
5760 /* Set the security state for the initial task. */
5761 cred_init_security();
5763 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5765 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5766 sizeof(struct inode_security_struct),
5767 0, SLAB_PANIC, NULL);
5770 if (register_security(&selinux_ops))
5771 panic("SELinux: Unable to register with kernel.\n");
5773 if (selinux_enforcing)
5774 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5776 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5781 static void delayed_superblock_init(struct super_block *sb, void *unused)
5783 superblock_doinit(sb, NULL);
5786 void selinux_complete_init(void)
5788 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5790 /* Set up any superblocks initialized prior to the policy load. */
5791 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5792 iterate_supers(delayed_superblock_init, NULL);
5795 /* SELinux requires early initialization in order to label
5796 all processes and objects when they are created. */
5797 security_initcall(selinux_init);
5799 #if defined(CONFIG_NETFILTER)
5801 static struct nf_hook_ops selinux_ipv4_ops[] = {
5803 .hook = selinux_ipv4_postroute,
5804 .owner = THIS_MODULE,
5806 .hooknum = NF_INET_POST_ROUTING,
5807 .priority = NF_IP_PRI_SELINUX_LAST,
5810 .hook = selinux_ipv4_forward,
5811 .owner = THIS_MODULE,
5813 .hooknum = NF_INET_FORWARD,
5814 .priority = NF_IP_PRI_SELINUX_FIRST,
5817 .hook = selinux_ipv4_output,
5818 .owner = THIS_MODULE,
5820 .hooknum = NF_INET_LOCAL_OUT,
5821 .priority = NF_IP_PRI_SELINUX_FIRST,
5825 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5827 static struct nf_hook_ops selinux_ipv6_ops[] = {
5829 .hook = selinux_ipv6_postroute,
5830 .owner = THIS_MODULE,
5832 .hooknum = NF_INET_POST_ROUTING,
5833 .priority = NF_IP6_PRI_SELINUX_LAST,
5836 .hook = selinux_ipv6_forward,
5837 .owner = THIS_MODULE,
5839 .hooknum = NF_INET_FORWARD,
5840 .priority = NF_IP6_PRI_SELINUX_FIRST,
5846 static int __init selinux_nf_ip_init(void)
5850 if (!selinux_enabled)
5853 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5855 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5857 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5859 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5860 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5862 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5869 __initcall(selinux_nf_ip_init);
5871 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5872 static void selinux_nf_ip_exit(void)
5874 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5876 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5877 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5878 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5883 #else /* CONFIG_NETFILTER */
5885 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5886 #define selinux_nf_ip_exit()
5889 #endif /* CONFIG_NETFILTER */
5891 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5892 static int selinux_disabled;
5894 int selinux_disable(void)
5896 if (ss_initialized) {
5897 /* Not permitted after initial policy load. */
5901 if (selinux_disabled) {
5902 /* Only do this once. */
5906 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5908 selinux_disabled = 1;
5909 selinux_enabled = 0;
5911 reset_security_ops();
5913 /* Try to destroy the avc node cache */
5916 /* Unregister netfilter hooks. */
5917 selinux_nf_ip_exit();
5919 /* Unregister selinuxfs. */