2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
53 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
97 extern struct security_operations *security_ops;
99 /* SECMARK reference count */
100 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing;
105 static int __init enforcing_setup(char *str)
107 unsigned long enforcing;
108 if (!strict_strtoul(str, 0, &enforcing))
109 selinux_enforcing = enforcing ? 1 : 0;
112 __setup("enforcing=", enforcing_setup);
115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118 static int __init selinux_enabled_setup(char *str)
120 unsigned long enabled;
121 if (!strict_strtoul(str, 0, &enabled))
122 selinux_enabled = enabled ? 1 : 0;
125 __setup("selinux=", selinux_enabled_setup);
127 int selinux_enabled = 1;
130 static struct kmem_cache *sel_inode_cache;
133 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
136 * This function checks the SECMARK reference counter to see if any SECMARK
137 * targets are currently configured, if the reference counter is greater than
138 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
139 * enabled, false (0) if SECMARK is disabled.
142 static int selinux_secmark_enabled(void)
144 return (atomic_read(&selinux_secmark_refcount) > 0);
148 * initialise the security for the init task
150 static void cred_init_security(void)
152 struct cred *cred = (struct cred *) current->real_cred;
153 struct task_security_struct *tsec;
155 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
157 panic("SELinux: Failed to initialize initial task.\n");
159 tsec->osid = tsec->sid = SECINITSID_KERNEL;
160 cred->security = tsec;
164 * get the security ID of a set of credentials
166 static inline u32 cred_sid(const struct cred *cred)
168 const struct task_security_struct *tsec;
170 tsec = cred->security;
175 * get the objective security ID of a task
177 static inline u32 task_sid(const struct task_struct *task)
182 sid = cred_sid(__task_cred(task));
188 * get the subjective security ID of the current task
190 static inline u32 current_sid(void)
192 const struct task_security_struct *tsec = current_security();
197 /* Allocate and free functions for each kind of security blob. */
199 static int inode_alloc_security(struct inode *inode)
201 struct inode_security_struct *isec;
202 u32 sid = current_sid();
204 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
208 mutex_init(&isec->lock);
209 INIT_LIST_HEAD(&isec->list);
211 isec->sid = SECINITSID_UNLABELED;
212 isec->sclass = SECCLASS_FILE;
213 isec->task_sid = sid;
214 inode->i_security = isec;
219 static void inode_free_security(struct inode *inode)
221 struct inode_security_struct *isec = inode->i_security;
222 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
224 spin_lock(&sbsec->isec_lock);
225 if (!list_empty(&isec->list))
226 list_del_init(&isec->list);
227 spin_unlock(&sbsec->isec_lock);
229 inode->i_security = NULL;
230 kmem_cache_free(sel_inode_cache, isec);
233 static int file_alloc_security(struct file *file)
235 struct file_security_struct *fsec;
236 u32 sid = current_sid();
238 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
243 fsec->fown_sid = sid;
244 file->f_security = fsec;
249 static void file_free_security(struct file *file)
251 struct file_security_struct *fsec = file->f_security;
252 file->f_security = NULL;
256 static int superblock_alloc_security(struct super_block *sb)
258 struct superblock_security_struct *sbsec;
260 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
264 mutex_init(&sbsec->lock);
265 INIT_LIST_HEAD(&sbsec->isec_head);
266 spin_lock_init(&sbsec->isec_lock);
268 sbsec->sid = SECINITSID_UNLABELED;
269 sbsec->def_sid = SECINITSID_FILE;
270 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
271 sb->s_security = sbsec;
276 static void superblock_free_security(struct super_block *sb)
278 struct superblock_security_struct *sbsec = sb->s_security;
279 sb->s_security = NULL;
283 /* The file system's label must be initialized prior to use. */
285 static const char *labeling_behaviors[6] = {
287 "uses transition SIDs",
289 "uses genfs_contexts",
290 "not configured for labeling",
291 "uses mountpoint labeling",
294 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
296 static inline int inode_doinit(struct inode *inode)
298 return inode_doinit_with_dentry(inode, NULL);
307 Opt_labelsupport = 5,
311 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
313 static const match_table_t tokens = {
314 {Opt_context, CONTEXT_STR "%s"},
315 {Opt_fscontext, FSCONTEXT_STR "%s"},
316 {Opt_defcontext, DEFCONTEXT_STR "%s"},
317 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
318 {Opt_labelsupport, LABELSUPP_STR},
322 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
324 static int may_context_mount_sb_relabel(u32 sid,
325 struct superblock_security_struct *sbsec,
326 const struct cred *cred)
328 const struct task_security_struct *tsec = cred->security;
331 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
332 FILESYSTEM__RELABELFROM, NULL);
336 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
337 FILESYSTEM__RELABELTO, NULL);
341 static int may_context_mount_inode_relabel(u32 sid,
342 struct superblock_security_struct *sbsec,
343 const struct cred *cred)
345 const struct task_security_struct *tsec = cred->security;
347 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELFROM, NULL);
352 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
353 FILESYSTEM__ASSOCIATE, NULL);
357 static int sb_finish_set_opts(struct super_block *sb)
359 struct superblock_security_struct *sbsec = sb->s_security;
360 struct dentry *root = sb->s_root;
361 struct inode *root_inode = root->d_inode;
364 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
365 /* Make sure that the xattr handler exists and that no
366 error other than -ENODATA is returned by getxattr on
367 the root directory. -ENODATA is ok, as this may be
368 the first boot of the SELinux kernel before we have
369 assigned xattr values to the filesystem. */
370 if (!root_inode->i_op->getxattr) {
371 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
372 "xattr support\n", sb->s_id, sb->s_type->name);
376 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
377 if (rc < 0 && rc != -ENODATA) {
378 if (rc == -EOPNOTSUPP)
379 printk(KERN_WARNING "SELinux: (dev %s, type "
380 "%s) has no security xattr handler\n",
381 sb->s_id, sb->s_type->name);
383 printk(KERN_WARNING "SELinux: (dev %s, type "
384 "%s) getxattr errno %d\n", sb->s_id,
385 sb->s_type->name, -rc);
390 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
391 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
392 sb->s_id, sb->s_type->name);
394 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
395 sb->s_id, sb->s_type->name,
396 labeling_behaviors[sbsec->behavior-1]);
398 sbsec->flags |= SE_SBINITIALIZED;
399 if (sbsec->behavior == SECURITY_FS_USE_XATTR ||
400 sbsec->behavior == SECURITY_FS_USE_TRANS ||
401 sbsec->behavior == SECURITY_FS_USE_TASK)
402 sbsec->flags |= SBLABEL_MNT;
404 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
405 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
406 sbsec->flags |= SBLABEL_MNT;
409 * Special handling for rootfs. Is genfs but supports
410 * setting SELinux context on in-core inodes.
412 if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
413 sbsec->flags |= SBLABEL_MNT;
415 /* Initialize the root inode. */
416 rc = inode_doinit_with_dentry(root_inode, root);
418 /* Initialize any other inodes associated with the superblock, e.g.
419 inodes created prior to initial policy load or inodes created
420 during get_sb by a pseudo filesystem that directly
422 spin_lock(&sbsec->isec_lock);
424 if (!list_empty(&sbsec->isec_head)) {
425 struct inode_security_struct *isec =
426 list_entry(sbsec->isec_head.next,
427 struct inode_security_struct, list);
428 struct inode *inode = isec->inode;
429 spin_unlock(&sbsec->isec_lock);
430 inode = igrab(inode);
432 if (!IS_PRIVATE(inode))
436 spin_lock(&sbsec->isec_lock);
437 list_del_init(&isec->list);
440 spin_unlock(&sbsec->isec_lock);
446 * This function should allow an FS to ask what it's mount security
447 * options were so it can use those later for submounts, displaying
448 * mount options, or whatever.
450 static int selinux_get_mnt_opts(const struct super_block *sb,
451 struct security_mnt_opts *opts)
454 struct superblock_security_struct *sbsec = sb->s_security;
455 char *context = NULL;
459 security_init_mnt_opts(opts);
461 if (!(sbsec->flags & SE_SBINITIALIZED))
467 /* make sure we always check enough bits to cover the mask */
468 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
470 tmp = sbsec->flags & SE_MNTMASK;
471 /* count the number of mount options for this sb */
472 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
474 opts->num_mnt_opts++;
478 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
479 if (!opts->mnt_opts) {
484 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
485 if (!opts->mnt_opts_flags) {
491 if (sbsec->flags & FSCONTEXT_MNT) {
492 rc = security_sid_to_context(sbsec->sid, &context, &len);
495 opts->mnt_opts[i] = context;
496 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
498 if (sbsec->flags & CONTEXT_MNT) {
499 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
502 opts->mnt_opts[i] = context;
503 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
505 if (sbsec->flags & DEFCONTEXT_MNT) {
506 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
509 opts->mnt_opts[i] = context;
510 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
512 if (sbsec->flags & ROOTCONTEXT_MNT) {
513 struct inode *root = sbsec->sb->s_root->d_inode;
514 struct inode_security_struct *isec = root->i_security;
516 rc = security_sid_to_context(isec->sid, &context, &len);
519 opts->mnt_opts[i] = context;
520 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
522 if (sbsec->flags & SBLABEL_MNT) {
523 opts->mnt_opts[i] = NULL;
524 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
527 BUG_ON(i != opts->num_mnt_opts);
532 security_free_mnt_opts(opts);
536 static int bad_option(struct superblock_security_struct *sbsec, char flag,
537 u32 old_sid, u32 new_sid)
539 char mnt_flags = sbsec->flags & SE_MNTMASK;
541 /* check if the old mount command had the same options */
542 if (sbsec->flags & SE_SBINITIALIZED)
543 if (!(sbsec->flags & flag) ||
544 (old_sid != new_sid))
547 /* check if we were passed the same options twice,
548 * aka someone passed context=a,context=b
550 if (!(sbsec->flags & SE_SBINITIALIZED))
551 if (mnt_flags & flag)
557 * Allow filesystems with binary mount data to explicitly set mount point
558 * labeling information.
560 static int selinux_set_mnt_opts(struct super_block *sb,
561 struct security_mnt_opts *opts)
563 const struct cred *cred = current_cred();
565 struct superblock_security_struct *sbsec = sb->s_security;
566 const char *name = sb->s_type->name;
567 struct inode *inode = sbsec->sb->s_root->d_inode;
568 struct inode_security_struct *root_isec = inode->i_security;
569 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
570 u32 defcontext_sid = 0;
571 char **mount_options = opts->mnt_opts;
572 int *flags = opts->mnt_opts_flags;
573 int num_opts = opts->num_mnt_opts;
575 mutex_lock(&sbsec->lock);
577 if (!ss_initialized) {
579 /* Defer initialization until selinux_complete_init,
580 after the initial policy is loaded and the security
581 server is ready to handle calls. */
585 printk(KERN_WARNING "SELinux: Unable to set superblock options "
586 "before the security server is initialized\n");
591 * Binary mount data FS will come through this function twice. Once
592 * from an explicit call and once from the generic calls from the vfs.
593 * Since the generic VFS calls will not contain any security mount data
594 * we need to skip the double mount verification.
596 * This does open a hole in which we will not notice if the first
597 * mount using this sb set explict options and a second mount using
598 * this sb does not set any security options. (The first options
599 * will be used for both mounts)
601 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
606 * parse the mount options, check if they are valid sids.
607 * also check if someone is trying to mount the same sb more
608 * than once with different security options.
610 for (i = 0; i < num_opts; i++) {
613 if (flags[i] == SBLABEL_MNT)
615 rc = security_context_to_sid(mount_options[i],
616 strlen(mount_options[i]), &sid);
618 printk(KERN_WARNING "SELinux: security_context_to_sid"
619 "(%s) failed for (dev %s, type %s) errno=%d\n",
620 mount_options[i], sb->s_id, name, rc);
627 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
629 goto out_double_mount;
631 sbsec->flags |= FSCONTEXT_MNT;
636 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
638 goto out_double_mount;
640 sbsec->flags |= CONTEXT_MNT;
642 case ROOTCONTEXT_MNT:
643 rootcontext_sid = sid;
645 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
647 goto out_double_mount;
649 sbsec->flags |= ROOTCONTEXT_MNT;
653 defcontext_sid = sid;
655 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
657 goto out_double_mount;
659 sbsec->flags |= DEFCONTEXT_MNT;
668 if (sbsec->flags & SE_SBINITIALIZED) {
669 /* previously mounted with options, but not on this attempt? */
670 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
671 goto out_double_mount;
676 if (strcmp(sb->s_type->name, "proc") == 0)
677 sbsec->flags |= SE_SBPROC;
679 /* Determine the labeling behavior to use for this filesystem type. */
680 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
682 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
683 __func__, sb->s_type->name, rc);
687 /* sets the context of the superblock for the fs being mounted. */
689 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
693 sbsec->sid = fscontext_sid;
697 * Switch to using mount point labeling behavior.
698 * sets the label used on all file below the mountpoint, and will set
699 * the superblock context if not already set.
702 if (!fscontext_sid) {
703 rc = may_context_mount_sb_relabel(context_sid, sbsec,
707 sbsec->sid = context_sid;
709 rc = may_context_mount_inode_relabel(context_sid, sbsec,
714 if (!rootcontext_sid)
715 rootcontext_sid = context_sid;
717 sbsec->mntpoint_sid = context_sid;
718 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
721 if (rootcontext_sid) {
722 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
727 root_isec->sid = rootcontext_sid;
728 root_isec->initialized = 1;
731 if (defcontext_sid) {
732 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
734 printk(KERN_WARNING "SELinux: defcontext option is "
735 "invalid for this filesystem type\n");
739 if (defcontext_sid != sbsec->def_sid) {
740 rc = may_context_mount_inode_relabel(defcontext_sid,
746 sbsec->def_sid = defcontext_sid;
749 rc = sb_finish_set_opts(sb);
751 mutex_unlock(&sbsec->lock);
755 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
756 "security settings for (dev %s, type %s)\n", sb->s_id, name);
760 static int selinux_cmp_sb_context(const struct super_block *oldsb,
761 const struct super_block *newsb)
763 struct superblock_security_struct *old = oldsb->s_security;
764 struct superblock_security_struct *new = newsb->s_security;
765 char oldflags = old->flags & SE_MNTMASK;
766 char newflags = new->flags & SE_MNTMASK;
768 if (oldflags != newflags)
770 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
772 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
774 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
776 if (oldflags & ROOTCONTEXT_MNT) {
777 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
778 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
779 if (oldroot->sid != newroot->sid)
784 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
785 "different security settings for (dev %s, "
786 "type %s)\n", newsb->s_id, newsb->s_type->name);
790 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
791 struct super_block *newsb)
793 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
794 struct superblock_security_struct *newsbsec = newsb->s_security;
796 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
797 int set_context = (oldsbsec->flags & CONTEXT_MNT);
798 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
801 * if the parent was able to be mounted it clearly had no special lsm
802 * mount options. thus we can safely deal with this superblock later
807 /* how can we clone if the old one wasn't set up?? */
808 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
810 /* if fs is reusing a sb, make sure that the contexts match */
811 if (newsbsec->flags & SE_SBINITIALIZED)
812 return selinux_cmp_sb_context(oldsb, newsb);
814 mutex_lock(&newsbsec->lock);
816 newsbsec->flags = oldsbsec->flags;
818 newsbsec->sid = oldsbsec->sid;
819 newsbsec->def_sid = oldsbsec->def_sid;
820 newsbsec->behavior = oldsbsec->behavior;
823 u32 sid = oldsbsec->mntpoint_sid;
827 if (!set_rootcontext) {
828 struct inode *newinode = newsb->s_root->d_inode;
829 struct inode_security_struct *newisec = newinode->i_security;
832 newsbsec->mntpoint_sid = sid;
834 if (set_rootcontext) {
835 const struct inode *oldinode = oldsb->s_root->d_inode;
836 const struct inode_security_struct *oldisec = oldinode->i_security;
837 struct inode *newinode = newsb->s_root->d_inode;
838 struct inode_security_struct *newisec = newinode->i_security;
840 newisec->sid = oldisec->sid;
843 sb_finish_set_opts(newsb);
844 mutex_unlock(&newsbsec->lock);
848 static int selinux_parse_opts_str(char *options,
849 struct security_mnt_opts *opts)
852 char *context = NULL, *defcontext = NULL;
853 char *fscontext = NULL, *rootcontext = NULL;
854 int rc, num_mnt_opts = 0;
856 opts->num_mnt_opts = 0;
858 /* Standard string-based options. */
859 while ((p = strsep(&options, "|")) != NULL) {
861 substring_t args[MAX_OPT_ARGS];
866 token = match_token(p, tokens, args);
870 if (context || defcontext) {
872 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
875 context = match_strdup(&args[0]);
885 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
888 fscontext = match_strdup(&args[0]);
895 case Opt_rootcontext:
898 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
901 rootcontext = match_strdup(&args[0]);
909 if (context || defcontext) {
911 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
914 defcontext = match_strdup(&args[0]);
920 case Opt_labelsupport:
924 printk(KERN_WARNING "SELinux: unknown mount option\n");
931 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
935 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
936 if (!opts->mnt_opts_flags) {
937 kfree(opts->mnt_opts);
942 opts->mnt_opts[num_mnt_opts] = fscontext;
943 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
946 opts->mnt_opts[num_mnt_opts] = context;
947 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
950 opts->mnt_opts[num_mnt_opts] = rootcontext;
951 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
954 opts->mnt_opts[num_mnt_opts] = defcontext;
955 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
958 opts->num_mnt_opts = num_mnt_opts;
969 * string mount options parsing and call set the sbsec
971 static int superblock_doinit(struct super_block *sb, void *data)
974 char *options = data;
975 struct security_mnt_opts opts;
977 security_init_mnt_opts(&opts);
982 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
984 rc = selinux_parse_opts_str(options, &opts);
989 rc = selinux_set_mnt_opts(sb, &opts);
992 security_free_mnt_opts(&opts);
996 static void selinux_write_opts(struct seq_file *m,
997 struct security_mnt_opts *opts)
1002 for (i = 0; i < opts->num_mnt_opts; i++) {
1005 if (opts->mnt_opts[i])
1006 has_comma = strchr(opts->mnt_opts[i], ',');
1010 switch (opts->mnt_opts_flags[i]) {
1012 prefix = CONTEXT_STR;
1015 prefix = FSCONTEXT_STR;
1017 case ROOTCONTEXT_MNT:
1018 prefix = ROOTCONTEXT_STR;
1020 case DEFCONTEXT_MNT:
1021 prefix = DEFCONTEXT_STR;
1025 seq_puts(m, LABELSUPP_STR);
1031 /* we need a comma before each option */
1033 seq_puts(m, prefix);
1036 seq_puts(m, opts->mnt_opts[i]);
1042 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1044 struct security_mnt_opts opts;
1047 rc = selinux_get_mnt_opts(sb, &opts);
1049 /* before policy load we may get EINVAL, don't show anything */
1055 selinux_write_opts(m, &opts);
1057 security_free_mnt_opts(&opts);
1062 static inline u16 inode_mode_to_security_class(umode_t mode)
1064 switch (mode & S_IFMT) {
1066 return SECCLASS_SOCK_FILE;
1068 return SECCLASS_LNK_FILE;
1070 return SECCLASS_FILE;
1072 return SECCLASS_BLK_FILE;
1074 return SECCLASS_DIR;
1076 return SECCLASS_CHR_FILE;
1078 return SECCLASS_FIFO_FILE;
1082 return SECCLASS_FILE;
1085 static inline int default_protocol_stream(int protocol)
1087 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1090 static inline int default_protocol_dgram(int protocol)
1092 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1095 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1101 case SOCK_SEQPACKET:
1102 return SECCLASS_UNIX_STREAM_SOCKET;
1104 return SECCLASS_UNIX_DGRAM_SOCKET;
1111 if (default_protocol_stream(protocol))
1112 return SECCLASS_TCP_SOCKET;
1114 return SECCLASS_RAWIP_SOCKET;
1116 if (default_protocol_dgram(protocol))
1117 return SECCLASS_UDP_SOCKET;
1119 return SECCLASS_RAWIP_SOCKET;
1121 return SECCLASS_DCCP_SOCKET;
1123 return SECCLASS_RAWIP_SOCKET;
1129 return SECCLASS_NETLINK_ROUTE_SOCKET;
1130 case NETLINK_FIREWALL:
1131 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1132 case NETLINK_SOCK_DIAG:
1133 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1135 return SECCLASS_NETLINK_NFLOG_SOCKET;
1137 return SECCLASS_NETLINK_XFRM_SOCKET;
1138 case NETLINK_SELINUX:
1139 return SECCLASS_NETLINK_SELINUX_SOCKET;
1141 return SECCLASS_NETLINK_AUDIT_SOCKET;
1142 case NETLINK_IP6_FW:
1143 return SECCLASS_NETLINK_IP6FW_SOCKET;
1144 case NETLINK_DNRTMSG:
1145 return SECCLASS_NETLINK_DNRT_SOCKET;
1146 case NETLINK_KOBJECT_UEVENT:
1147 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1149 return SECCLASS_NETLINK_SOCKET;
1152 return SECCLASS_PACKET_SOCKET;
1154 return SECCLASS_KEY_SOCKET;
1156 return SECCLASS_APPLETALK_SOCKET;
1159 return SECCLASS_SOCKET;
1162 #ifdef CONFIG_PROC_FS
1163 static int selinux_proc_get_sid(struct dentry *dentry,
1168 char *buffer, *path;
1170 buffer = (char *)__get_free_page(GFP_KERNEL);
1174 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1178 /* each process gets a /proc/PID/ entry. Strip off the
1179 * PID part to get a valid selinux labeling.
1180 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1181 while (path[1] >= '0' && path[1] <= '9') {
1185 rc = security_genfs_sid("proc", path, tclass, sid);
1187 free_page((unsigned long)buffer);
1191 static int selinux_proc_get_sid(struct dentry *dentry,
1199 /* The inode's security attributes must be initialized before first use. */
1200 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1202 struct superblock_security_struct *sbsec = NULL;
1203 struct inode_security_struct *isec = inode->i_security;
1205 struct dentry *dentry;
1206 #define INITCONTEXTLEN 255
1207 char *context = NULL;
1211 if (isec->initialized)
1214 mutex_lock(&isec->lock);
1215 if (isec->initialized)
1218 sbsec = inode->i_sb->s_security;
1219 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1220 /* Defer initialization until selinux_complete_init,
1221 after the initial policy is loaded and the security
1222 server is ready to handle calls. */
1223 spin_lock(&sbsec->isec_lock);
1224 if (list_empty(&isec->list))
1225 list_add(&isec->list, &sbsec->isec_head);
1226 spin_unlock(&sbsec->isec_lock);
1230 switch (sbsec->behavior) {
1231 case SECURITY_FS_USE_XATTR:
1232 if (!inode->i_op->getxattr) {
1233 isec->sid = sbsec->def_sid;
1237 /* Need a dentry, since the xattr API requires one.
1238 Life would be simpler if we could just pass the inode. */
1240 /* Called from d_instantiate or d_splice_alias. */
1241 dentry = dget(opt_dentry);
1243 /* Called from selinux_complete_init, try to find a dentry. */
1244 dentry = d_find_alias(inode);
1248 * this is can be hit on boot when a file is accessed
1249 * before the policy is loaded. When we load policy we
1250 * may find inodes that have no dentry on the
1251 * sbsec->isec_head list. No reason to complain as these
1252 * will get fixed up the next time we go through
1253 * inode_doinit with a dentry, before these inodes could
1254 * be used again by userspace.
1259 len = INITCONTEXTLEN;
1260 context = kmalloc(len+1, GFP_NOFS);
1266 context[len] = '\0';
1267 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1269 if (rc == -ERANGE) {
1272 /* Need a larger buffer. Query for the right size. */
1273 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1280 context = kmalloc(len+1, GFP_NOFS);
1286 context[len] = '\0';
1287 rc = inode->i_op->getxattr(dentry,
1293 if (rc != -ENODATA) {
1294 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1295 "%d for dev=%s ino=%ld\n", __func__,
1296 -rc, inode->i_sb->s_id, inode->i_ino);
1300 /* Map ENODATA to the default file SID */
1301 sid = sbsec->def_sid;
1304 rc = security_context_to_sid_default(context, rc, &sid,
1308 char *dev = inode->i_sb->s_id;
1309 unsigned long ino = inode->i_ino;
1311 if (rc == -EINVAL) {
1312 if (printk_ratelimit())
1313 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1314 "context=%s. This indicates you may need to relabel the inode or the "
1315 "filesystem in question.\n", ino, dev, context);
1317 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1318 "returned %d for dev=%s ino=%ld\n",
1319 __func__, context, -rc, dev, ino);
1322 /* Leave with the unlabeled SID */
1330 case SECURITY_FS_USE_TASK:
1331 isec->sid = isec->task_sid;
1333 case SECURITY_FS_USE_TRANS:
1334 /* Default to the fs SID. */
1335 isec->sid = sbsec->sid;
1337 /* Try to obtain a transition SID. */
1338 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1339 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1340 isec->sclass, NULL, &sid);
1345 case SECURITY_FS_USE_MNTPOINT:
1346 isec->sid = sbsec->mntpoint_sid;
1349 /* Default to the fs superblock SID. */
1350 isec->sid = sbsec->sid;
1352 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1354 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1355 rc = selinux_proc_get_sid(opt_dentry,
1366 isec->initialized = 1;
1369 mutex_unlock(&isec->lock);
1371 if (isec->sclass == SECCLASS_FILE)
1372 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1376 /* Convert a Linux signal to an access vector. */
1377 static inline u32 signal_to_av(int sig)
1383 /* Commonly granted from child to parent. */
1384 perm = PROCESS__SIGCHLD;
1387 /* Cannot be caught or ignored */
1388 perm = PROCESS__SIGKILL;
1391 /* Cannot be caught or ignored */
1392 perm = PROCESS__SIGSTOP;
1395 /* All other signals. */
1396 perm = PROCESS__SIGNAL;
1404 * Check permission between a pair of credentials
1405 * fork check, ptrace check, etc.
1407 static int cred_has_perm(const struct cred *actor,
1408 const struct cred *target,
1411 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1413 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1417 * Check permission between a pair of tasks, e.g. signal checks,
1418 * fork check, ptrace check, etc.
1419 * tsk1 is the actor and tsk2 is the target
1420 * - this uses the default subjective creds of tsk1
1422 static int task_has_perm(const struct task_struct *tsk1,
1423 const struct task_struct *tsk2,
1426 const struct task_security_struct *__tsec1, *__tsec2;
1430 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1431 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1433 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1437 * Check permission between current and another task, e.g. signal checks,
1438 * fork check, ptrace check, etc.
1439 * current is the actor and tsk2 is the target
1440 * - this uses current's subjective creds
1442 static int current_has_perm(const struct task_struct *tsk,
1447 sid = current_sid();
1448 tsid = task_sid(tsk);
1449 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1452 #if CAP_LAST_CAP > 63
1453 #error Fix SELinux to handle capabilities > 63.
1456 /* Check whether a task is allowed to use a capability. */
1457 static int cred_has_capability(const struct cred *cred,
1460 struct common_audit_data ad;
1461 struct av_decision avd;
1463 u32 sid = cred_sid(cred);
1464 u32 av = CAP_TO_MASK(cap);
1467 ad.type = LSM_AUDIT_DATA_CAP;
1470 switch (CAP_TO_INDEX(cap)) {
1472 sclass = SECCLASS_CAPABILITY;
1475 sclass = SECCLASS_CAPABILITY2;
1479 "SELinux: out of range capability %d\n", cap);
1484 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1485 if (audit == SECURITY_CAP_AUDIT) {
1486 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1493 /* Check whether a task is allowed to use a system operation. */
1494 static int task_has_system(struct task_struct *tsk,
1497 u32 sid = task_sid(tsk);
1499 return avc_has_perm(sid, SECINITSID_KERNEL,
1500 SECCLASS_SYSTEM, perms, NULL);
1503 /* Check whether a task has a particular permission to an inode.
1504 The 'adp' parameter is optional and allows other audit
1505 data to be passed (e.g. the dentry). */
1506 static int inode_has_perm(const struct cred *cred,
1507 struct inode *inode,
1509 struct common_audit_data *adp,
1512 struct inode_security_struct *isec;
1515 validate_creds(cred);
1517 if (unlikely(IS_PRIVATE(inode)))
1520 sid = cred_sid(cred);
1521 isec = inode->i_security;
1523 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1526 /* Same as inode_has_perm, but pass explicit audit data containing
1527 the dentry to help the auditing code to more easily generate the
1528 pathname if needed. */
1529 static inline int dentry_has_perm(const struct cred *cred,
1530 struct dentry *dentry,
1533 struct inode *inode = dentry->d_inode;
1534 struct common_audit_data ad;
1536 ad.type = LSM_AUDIT_DATA_DENTRY;
1537 ad.u.dentry = dentry;
1538 return inode_has_perm(cred, inode, av, &ad, 0);
1541 /* Same as inode_has_perm, but pass explicit audit data containing
1542 the path to help the auditing code to more easily generate the
1543 pathname if needed. */
1544 static inline int path_has_perm(const struct cred *cred,
1548 struct inode *inode = path->dentry->d_inode;
1549 struct common_audit_data ad;
1551 ad.type = LSM_AUDIT_DATA_PATH;
1553 return inode_has_perm(cred, inode, av, &ad, 0);
1556 /* Check whether a task can use an open file descriptor to
1557 access an inode in a given way. Check access to the
1558 descriptor itself, and then use dentry_has_perm to
1559 check a particular permission to the file.
1560 Access to the descriptor is implicitly granted if it
1561 has the same SID as the process. If av is zero, then
1562 access to the file is not checked, e.g. for cases
1563 where only the descriptor is affected like seek. */
1564 static int file_has_perm(const struct cred *cred,
1568 struct file_security_struct *fsec = file->f_security;
1569 struct inode *inode = file_inode(file);
1570 struct common_audit_data ad;
1571 u32 sid = cred_sid(cred);
1574 ad.type = LSM_AUDIT_DATA_PATH;
1575 ad.u.path = file->f_path;
1577 if (sid != fsec->sid) {
1578 rc = avc_has_perm(sid, fsec->sid,
1586 /* av is zero if only checking access to the descriptor. */
1589 rc = inode_has_perm(cred, inode, av, &ad, 0);
1595 /* Check whether a task can create a file. */
1596 static int may_create(struct inode *dir,
1597 struct dentry *dentry,
1600 const struct task_security_struct *tsec = current_security();
1601 struct inode_security_struct *dsec;
1602 struct superblock_security_struct *sbsec;
1604 struct common_audit_data ad;
1607 dsec = dir->i_security;
1608 sbsec = dir->i_sb->s_security;
1611 newsid = tsec->create_sid;
1613 ad.type = LSM_AUDIT_DATA_DENTRY;
1614 ad.u.dentry = dentry;
1616 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1617 DIR__ADD_NAME | DIR__SEARCH,
1622 if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
1623 rc = security_transition_sid(sid, dsec->sid, tclass,
1624 &dentry->d_name, &newsid);
1629 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1633 return avc_has_perm(newsid, sbsec->sid,
1634 SECCLASS_FILESYSTEM,
1635 FILESYSTEM__ASSOCIATE, &ad);
1638 /* Check whether a task can create a key. */
1639 static int may_create_key(u32 ksid,
1640 struct task_struct *ctx)
1642 u32 sid = task_sid(ctx);
1644 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1648 #define MAY_UNLINK 1
1651 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1652 static int may_link(struct inode *dir,
1653 struct dentry *dentry,
1657 struct inode_security_struct *dsec, *isec;
1658 struct common_audit_data ad;
1659 u32 sid = current_sid();
1663 dsec = dir->i_security;
1664 isec = dentry->d_inode->i_security;
1666 ad.type = LSM_AUDIT_DATA_DENTRY;
1667 ad.u.dentry = dentry;
1670 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1671 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1686 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1691 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1695 static inline int may_rename(struct inode *old_dir,
1696 struct dentry *old_dentry,
1697 struct inode *new_dir,
1698 struct dentry *new_dentry)
1700 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1701 struct common_audit_data ad;
1702 u32 sid = current_sid();
1704 int old_is_dir, new_is_dir;
1707 old_dsec = old_dir->i_security;
1708 old_isec = old_dentry->d_inode->i_security;
1709 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1710 new_dsec = new_dir->i_security;
1712 ad.type = LSM_AUDIT_DATA_DENTRY;
1714 ad.u.dentry = old_dentry;
1715 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1716 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1719 rc = avc_has_perm(sid, old_isec->sid,
1720 old_isec->sclass, FILE__RENAME, &ad);
1723 if (old_is_dir && new_dir != old_dir) {
1724 rc = avc_has_perm(sid, old_isec->sid,
1725 old_isec->sclass, DIR__REPARENT, &ad);
1730 ad.u.dentry = new_dentry;
1731 av = DIR__ADD_NAME | DIR__SEARCH;
1732 if (new_dentry->d_inode)
1733 av |= DIR__REMOVE_NAME;
1734 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1737 if (new_dentry->d_inode) {
1738 new_isec = new_dentry->d_inode->i_security;
1739 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1740 rc = avc_has_perm(sid, new_isec->sid,
1742 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1750 /* Check whether a task can perform a filesystem operation. */
1751 static int superblock_has_perm(const struct cred *cred,
1752 struct super_block *sb,
1754 struct common_audit_data *ad)
1756 struct superblock_security_struct *sbsec;
1757 u32 sid = cred_sid(cred);
1759 sbsec = sb->s_security;
1760 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1763 /* Convert a Linux mode and permission mask to an access vector. */
1764 static inline u32 file_mask_to_av(int mode, int mask)
1768 if (!S_ISDIR(mode)) {
1769 if (mask & MAY_EXEC)
1770 av |= FILE__EXECUTE;
1771 if (mask & MAY_READ)
1774 if (mask & MAY_APPEND)
1776 else if (mask & MAY_WRITE)
1780 if (mask & MAY_EXEC)
1782 if (mask & MAY_WRITE)
1784 if (mask & MAY_READ)
1791 /* Convert a Linux file to an access vector. */
1792 static inline u32 file_to_av(struct file *file)
1796 if (file->f_mode & FMODE_READ)
1798 if (file->f_mode & FMODE_WRITE) {
1799 if (file->f_flags & O_APPEND)
1806 * Special file opened with flags 3 for ioctl-only use.
1815 * Convert a file to an access vector and include the correct open
1818 static inline u32 open_file_to_av(struct file *file)
1820 u32 av = file_to_av(file);
1822 if (selinux_policycap_openperm)
1828 /* Hook functions begin here. */
1830 static int selinux_ptrace_access_check(struct task_struct *child,
1835 rc = cap_ptrace_access_check(child, mode);
1839 if (mode & PTRACE_MODE_READ) {
1840 u32 sid = current_sid();
1841 u32 csid = task_sid(child);
1842 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1845 return current_has_perm(child, PROCESS__PTRACE);
1848 static int selinux_ptrace_traceme(struct task_struct *parent)
1852 rc = cap_ptrace_traceme(parent);
1856 return task_has_perm(parent, current, PROCESS__PTRACE);
1859 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1860 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1864 error = current_has_perm(target, PROCESS__GETCAP);
1868 return cap_capget(target, effective, inheritable, permitted);
1871 static int selinux_capset(struct cred *new, const struct cred *old,
1872 const kernel_cap_t *effective,
1873 const kernel_cap_t *inheritable,
1874 const kernel_cap_t *permitted)
1878 error = cap_capset(new, old,
1879 effective, inheritable, permitted);
1883 return cred_has_perm(old, new, PROCESS__SETCAP);
1887 * (This comment used to live with the selinux_task_setuid hook,
1888 * which was removed).
1890 * Since setuid only affects the current process, and since the SELinux
1891 * controls are not based on the Linux identity attributes, SELinux does not
1892 * need to control this operation. However, SELinux does control the use of
1893 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1896 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1901 rc = cap_capable(cred, ns, cap, audit);
1905 return cred_has_capability(cred, cap, audit);
1908 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1910 const struct cred *cred = current_cred();
1922 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1927 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1930 rc = 0; /* let the kernel handle invalid cmds */
1936 static int selinux_quota_on(struct dentry *dentry)
1938 const struct cred *cred = current_cred();
1940 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1943 static int selinux_syslog(int type)
1948 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1949 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1950 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1952 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1953 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
1954 /* Set level of messages printed to console */
1955 case SYSLOG_ACTION_CONSOLE_LEVEL:
1956 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1958 case SYSLOG_ACTION_CLOSE: /* Close log */
1959 case SYSLOG_ACTION_OPEN: /* Open log */
1960 case SYSLOG_ACTION_READ: /* Read from log */
1961 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
1962 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
1964 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1971 * Check that a process has enough memory to allocate a new virtual
1972 * mapping. 0 means there is enough memory for the allocation to
1973 * succeed and -ENOMEM implies there is not.
1975 * Do not audit the selinux permission check, as this is applied to all
1976 * processes that allocate mappings.
1978 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1980 int rc, cap_sys_admin = 0;
1982 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
1983 SECURITY_CAP_NOAUDIT);
1987 return __vm_enough_memory(mm, pages, cap_sys_admin);
1990 /* binprm security operations */
1992 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1994 const struct task_security_struct *old_tsec;
1995 struct task_security_struct *new_tsec;
1996 struct inode_security_struct *isec;
1997 struct common_audit_data ad;
1998 struct inode *inode = file_inode(bprm->file);
2001 rc = cap_bprm_set_creds(bprm);
2005 /* SELinux context only depends on initial program or script and not
2006 * the script interpreter */
2007 if (bprm->cred_prepared)
2010 old_tsec = current_security();
2011 new_tsec = bprm->cred->security;
2012 isec = inode->i_security;
2014 /* Default to the current task SID. */
2015 new_tsec->sid = old_tsec->sid;
2016 new_tsec->osid = old_tsec->sid;
2018 /* Reset fs, key, and sock SIDs on execve. */
2019 new_tsec->create_sid = 0;
2020 new_tsec->keycreate_sid = 0;
2021 new_tsec->sockcreate_sid = 0;
2023 if (old_tsec->exec_sid) {
2024 new_tsec->sid = old_tsec->exec_sid;
2025 /* Reset exec SID on execve. */
2026 new_tsec->exec_sid = 0;
2029 * Minimize confusion: if no_new_privs and a transition is
2030 * explicitly requested, then fail the exec.
2032 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2035 /* Check for a default transition on this program. */
2036 rc = security_transition_sid(old_tsec->sid, isec->sid,
2037 SECCLASS_PROCESS, NULL,
2043 ad.type = LSM_AUDIT_DATA_PATH;
2044 ad.u.path = bprm->file->f_path;
2046 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2047 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2048 new_tsec->sid = old_tsec->sid;
2050 if (new_tsec->sid == old_tsec->sid) {
2051 rc = avc_has_perm(old_tsec->sid, isec->sid,
2052 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2056 /* Check permissions for the transition. */
2057 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2058 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2062 rc = avc_has_perm(new_tsec->sid, isec->sid,
2063 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2067 /* Check for shared state */
2068 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2069 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2070 SECCLASS_PROCESS, PROCESS__SHARE,
2076 /* Make sure that anyone attempting to ptrace over a task that
2077 * changes its SID has the appropriate permit */
2079 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2080 struct task_struct *tracer;
2081 struct task_security_struct *sec;
2085 tracer = ptrace_parent(current);
2086 if (likely(tracer != NULL)) {
2087 sec = __task_cred(tracer)->security;
2093 rc = avc_has_perm(ptsid, new_tsec->sid,
2095 PROCESS__PTRACE, NULL);
2101 /* Clear any possibly unsafe personality bits on exec: */
2102 bprm->per_clear |= PER_CLEAR_ON_SETID;
2108 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2110 const struct task_security_struct *tsec = current_security();
2118 /* Enable secure mode for SIDs transitions unless
2119 the noatsecure permission is granted between
2120 the two SIDs, i.e. ahp returns 0. */
2121 atsecure = avc_has_perm(osid, sid,
2123 PROCESS__NOATSECURE, NULL);
2126 return (atsecure || cap_bprm_secureexec(bprm));
2129 static int match_file(const void *p, struct file *file, unsigned fd)
2131 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2134 /* Derived from fs/exec.c:flush_old_files. */
2135 static inline void flush_unauthorized_files(const struct cred *cred,
2136 struct files_struct *files)
2138 struct file *file, *devnull = NULL;
2139 struct tty_struct *tty;
2143 tty = get_current_tty();
2145 spin_lock(&tty_files_lock);
2146 if (!list_empty(&tty->tty_files)) {
2147 struct tty_file_private *file_priv;
2149 /* Revalidate access to controlling tty.
2150 Use path_has_perm on the tty path directly rather
2151 than using file_has_perm, as this particular open
2152 file may belong to another process and we are only
2153 interested in the inode-based check here. */
2154 file_priv = list_first_entry(&tty->tty_files,
2155 struct tty_file_private, list);
2156 file = file_priv->file;
2157 if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
2160 spin_unlock(&tty_files_lock);
2163 /* Reset controlling tty. */
2167 /* Revalidate access to inherited open files. */
2168 n = iterate_fd(files, 0, match_file, cred);
2169 if (!n) /* none found? */
2172 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2173 if (IS_ERR(devnull))
2175 /* replace all the matching ones with this */
2177 replace_fd(n - 1, devnull, 0);
2178 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2184 * Prepare a process for imminent new credential changes due to exec
2186 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2188 struct task_security_struct *new_tsec;
2189 struct rlimit *rlim, *initrlim;
2192 new_tsec = bprm->cred->security;
2193 if (new_tsec->sid == new_tsec->osid)
2196 /* Close files for which the new task SID is not authorized. */
2197 flush_unauthorized_files(bprm->cred, current->files);
2199 /* Always clear parent death signal on SID transitions. */
2200 current->pdeath_signal = 0;
2202 /* Check whether the new SID can inherit resource limits from the old
2203 * SID. If not, reset all soft limits to the lower of the current
2204 * task's hard limit and the init task's soft limit.
2206 * Note that the setting of hard limits (even to lower them) can be
2207 * controlled by the setrlimit check. The inclusion of the init task's
2208 * soft limit into the computation is to avoid resetting soft limits
2209 * higher than the default soft limit for cases where the default is
2210 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2212 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2213 PROCESS__RLIMITINH, NULL);
2215 /* protect against do_prlimit() */
2217 for (i = 0; i < RLIM_NLIMITS; i++) {
2218 rlim = current->signal->rlim + i;
2219 initrlim = init_task.signal->rlim + i;
2220 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2222 task_unlock(current);
2223 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2228 * Clean up the process immediately after the installation of new credentials
2231 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2233 const struct task_security_struct *tsec = current_security();
2234 struct itimerval itimer;
2244 /* Check whether the new SID can inherit signal state from the old SID.
2245 * If not, clear itimers to avoid subsequent signal generation and
2246 * flush and unblock signals.
2248 * This must occur _after_ the task SID has been updated so that any
2249 * kill done after the flush will be checked against the new SID.
2251 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2253 memset(&itimer, 0, sizeof itimer);
2254 for (i = 0; i < 3; i++)
2255 do_setitimer(i, &itimer, NULL);
2256 spin_lock_irq(¤t->sighand->siglock);
2257 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2258 __flush_signals(current);
2259 flush_signal_handlers(current, 1);
2260 sigemptyset(¤t->blocked);
2262 spin_unlock_irq(¤t->sighand->siglock);
2265 /* Wake up the parent if it is waiting so that it can recheck
2266 * wait permission to the new task SID. */
2267 read_lock(&tasklist_lock);
2268 __wake_up_parent(current, current->real_parent);
2269 read_unlock(&tasklist_lock);
2272 /* superblock security operations */
2274 static int selinux_sb_alloc_security(struct super_block *sb)
2276 return superblock_alloc_security(sb);
2279 static void selinux_sb_free_security(struct super_block *sb)
2281 superblock_free_security(sb);
2284 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2289 return !memcmp(prefix, option, plen);
2292 static inline int selinux_option(char *option, int len)
2294 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2295 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2296 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2297 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2298 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2301 static inline void take_option(char **to, char *from, int *first, int len)
2308 memcpy(*to, from, len);
2312 static inline void take_selinux_option(char **to, char *from, int *first,
2315 int current_size = 0;
2323 while (current_size < len) {
2333 static int selinux_sb_copy_data(char *orig, char *copy)
2335 int fnosec, fsec, rc = 0;
2336 char *in_save, *in_curr, *in_end;
2337 char *sec_curr, *nosec_save, *nosec;
2343 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2351 in_save = in_end = orig;
2355 open_quote = !open_quote;
2356 if ((*in_end == ',' && open_quote == 0) ||
2358 int len = in_end - in_curr;
2360 if (selinux_option(in_curr, len))
2361 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2363 take_option(&nosec, in_curr, &fnosec, len);
2365 in_curr = in_end + 1;
2367 } while (*in_end++);
2369 strcpy(in_save, nosec_save);
2370 free_page((unsigned long)nosec_save);
2375 static int selinux_sb_remount(struct super_block *sb, void *data)
2378 struct security_mnt_opts opts;
2379 char *secdata, **mount_options;
2380 struct superblock_security_struct *sbsec = sb->s_security;
2382 if (!(sbsec->flags & SE_SBINITIALIZED))
2388 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2391 security_init_mnt_opts(&opts);
2392 secdata = alloc_secdata();
2395 rc = selinux_sb_copy_data(data, secdata);
2397 goto out_free_secdata;
2399 rc = selinux_parse_opts_str(secdata, &opts);
2401 goto out_free_secdata;
2403 mount_options = opts.mnt_opts;
2404 flags = opts.mnt_opts_flags;
2406 for (i = 0; i < opts.num_mnt_opts; i++) {
2410 if (flags[i] == SBLABEL_MNT)
2412 len = strlen(mount_options[i]);
2413 rc = security_context_to_sid(mount_options[i], len, &sid);
2415 printk(KERN_WARNING "SELinux: security_context_to_sid"
2416 "(%s) failed for (dev %s, type %s) errno=%d\n",
2417 mount_options[i], sb->s_id, sb->s_type->name, rc);
2423 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2424 goto out_bad_option;
2427 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2428 goto out_bad_option;
2430 case ROOTCONTEXT_MNT: {
2431 struct inode_security_struct *root_isec;
2432 root_isec = sb->s_root->d_inode->i_security;
2434 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2435 goto out_bad_option;
2438 case DEFCONTEXT_MNT:
2439 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2440 goto out_bad_option;
2449 security_free_mnt_opts(&opts);
2451 free_secdata(secdata);
2454 printk(KERN_WARNING "SELinux: unable to change security options "
2455 "during remount (dev %s, type=%s)\n", sb->s_id,
2460 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2462 const struct cred *cred = current_cred();
2463 struct common_audit_data ad;
2466 rc = superblock_doinit(sb, data);
2470 /* Allow all mounts performed by the kernel */
2471 if (flags & MS_KERNMOUNT)
2474 ad.type = LSM_AUDIT_DATA_DENTRY;
2475 ad.u.dentry = sb->s_root;
2476 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2479 static int selinux_sb_statfs(struct dentry *dentry)
2481 const struct cred *cred = current_cred();
2482 struct common_audit_data ad;
2484 ad.type = LSM_AUDIT_DATA_DENTRY;
2485 ad.u.dentry = dentry->d_sb->s_root;
2486 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2489 static int selinux_mount(const char *dev_name,
2492 unsigned long flags,
2495 const struct cred *cred = current_cred();
2497 if (flags & MS_REMOUNT)
2498 return superblock_has_perm(cred, path->dentry->d_sb,
2499 FILESYSTEM__REMOUNT, NULL);
2501 return path_has_perm(cred, path, FILE__MOUNTON);
2504 static int selinux_umount(struct vfsmount *mnt, int flags)
2506 const struct cred *cred = current_cred();
2508 return superblock_has_perm(cred, mnt->mnt_sb,
2509 FILESYSTEM__UNMOUNT, NULL);
2512 /* inode security operations */
2514 static int selinux_inode_alloc_security(struct inode *inode)
2516 return inode_alloc_security(inode);
2519 static void selinux_inode_free_security(struct inode *inode)
2521 inode_free_security(inode);
2524 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2525 const struct qstr *qstr, char **name,
2526 void **value, size_t *len)
2528 const struct task_security_struct *tsec = current_security();
2529 struct inode_security_struct *dsec;
2530 struct superblock_security_struct *sbsec;
2531 u32 sid, newsid, clen;
2533 char *namep = NULL, *context;
2535 dsec = dir->i_security;
2536 sbsec = dir->i_sb->s_security;
2539 newsid = tsec->create_sid;
2541 if ((sbsec->flags & SE_SBINITIALIZED) &&
2542 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2543 newsid = sbsec->mntpoint_sid;
2544 else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
2545 rc = security_transition_sid(sid, dsec->sid,
2546 inode_mode_to_security_class(inode->i_mode),
2549 printk(KERN_WARNING "%s: "
2550 "security_transition_sid failed, rc=%d (dev=%s "
2553 -rc, inode->i_sb->s_id, inode->i_ino);
2558 /* Possibly defer initialization to selinux_complete_init. */
2559 if (sbsec->flags & SE_SBINITIALIZED) {
2560 struct inode_security_struct *isec = inode->i_security;
2561 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2563 isec->initialized = 1;
2566 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2570 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2577 rc = security_sid_to_context_force(newsid, &context, &clen);
2589 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2591 return may_create(dir, dentry, SECCLASS_FILE);
2594 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2596 return may_link(dir, old_dentry, MAY_LINK);
2599 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2601 return may_link(dir, dentry, MAY_UNLINK);
2604 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2606 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2609 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2611 return may_create(dir, dentry, SECCLASS_DIR);
2614 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2616 return may_link(dir, dentry, MAY_RMDIR);
2619 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2621 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2624 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2625 struct inode *new_inode, struct dentry *new_dentry)
2627 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2630 static int selinux_inode_readlink(struct dentry *dentry)
2632 const struct cred *cred = current_cred();
2634 return dentry_has_perm(cred, dentry, FILE__READ);
2637 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2639 const struct cred *cred = current_cred();
2641 return dentry_has_perm(cred, dentry, FILE__READ);
2644 static noinline int audit_inode_permission(struct inode *inode,
2645 u32 perms, u32 audited, u32 denied,
2648 struct common_audit_data ad;
2649 struct inode_security_struct *isec = inode->i_security;
2652 ad.type = LSM_AUDIT_DATA_INODE;
2655 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2656 audited, denied, &ad, flags);
2662 static int selinux_inode_permission(struct inode *inode, int mask)
2664 const struct cred *cred = current_cred();
2667 unsigned flags = mask & MAY_NOT_BLOCK;
2668 struct inode_security_struct *isec;
2670 struct av_decision avd;
2672 u32 audited, denied;
2674 from_access = mask & MAY_ACCESS;
2675 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2677 /* No permission to check. Existence test. */
2681 validate_creds(cred);
2683 if (unlikely(IS_PRIVATE(inode)))
2686 perms = file_mask_to_av(inode->i_mode, mask);
2688 sid = cred_sid(cred);
2689 isec = inode->i_security;
2691 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2692 audited = avc_audit_required(perms, &avd, rc,
2693 from_access ? FILE__AUDIT_ACCESS : 0,
2695 if (likely(!audited))
2698 rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
2704 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2706 const struct cred *cred = current_cred();
2707 unsigned int ia_valid = iattr->ia_valid;
2708 __u32 av = FILE__WRITE;
2710 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2711 if (ia_valid & ATTR_FORCE) {
2712 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2718 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2719 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2720 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2722 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2725 return dentry_has_perm(cred, dentry, av);
2728 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2730 const struct cred *cred = current_cred();
2733 path.dentry = dentry;
2736 return path_has_perm(cred, &path, FILE__GETATTR);
2739 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2741 const struct cred *cred = current_cred();
2743 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2744 sizeof XATTR_SECURITY_PREFIX - 1)) {
2745 if (!strcmp(name, XATTR_NAME_CAPS)) {
2746 if (!capable(CAP_SETFCAP))
2748 } else if (!capable(CAP_SYS_ADMIN)) {
2749 /* A different attribute in the security namespace.
2750 Restrict to administrator. */
2755 /* Not an attribute we recognize, so just check the
2756 ordinary setattr permission. */
2757 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2760 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2761 const void *value, size_t size, int flags)
2763 struct inode *inode = dentry->d_inode;
2764 struct inode_security_struct *isec = inode->i_security;
2765 struct superblock_security_struct *sbsec;
2766 struct common_audit_data ad;
2767 u32 newsid, sid = current_sid();
2770 if (strcmp(name, XATTR_NAME_SELINUX))
2771 return selinux_inode_setotherxattr(dentry, name);
2773 sbsec = inode->i_sb->s_security;
2774 if (!(sbsec->flags & SBLABEL_MNT))
2777 if (!inode_owner_or_capable(inode))
2780 ad.type = LSM_AUDIT_DATA_DENTRY;
2781 ad.u.dentry = dentry;
2783 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2784 FILE__RELABELFROM, &ad);
2788 rc = security_context_to_sid(value, size, &newsid);
2789 if (rc == -EINVAL) {
2790 if (!capable(CAP_MAC_ADMIN)) {
2791 struct audit_buffer *ab;
2795 /* We strip a nul only if it is at the end, otherwise the
2796 * context contains a nul and we should audit that */
2799 if (str[size - 1] == '\0')
2800 audit_size = size - 1;
2807 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2808 audit_log_format(ab, "op=setxattr invalid_context=");
2809 audit_log_n_untrustedstring(ab, value, audit_size);
2814 rc = security_context_to_sid_force(value, size, &newsid);
2819 rc = avc_has_perm(sid, newsid, isec->sclass,
2820 FILE__RELABELTO, &ad);
2824 rc = security_validate_transition(isec->sid, newsid, sid,
2829 return avc_has_perm(newsid,
2831 SECCLASS_FILESYSTEM,
2832 FILESYSTEM__ASSOCIATE,
2836 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2837 const void *value, size_t size,
2840 struct inode *inode = dentry->d_inode;
2841 struct inode_security_struct *isec = inode->i_security;
2845 if (strcmp(name, XATTR_NAME_SELINUX)) {
2846 /* Not an attribute we recognize, so nothing to do. */
2850 rc = security_context_to_sid_force(value, size, &newsid);
2852 printk(KERN_ERR "SELinux: unable to map context to SID"
2853 "for (%s, %lu), rc=%d\n",
2854 inode->i_sb->s_id, inode->i_ino, -rc);
2862 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2864 const struct cred *cred = current_cred();
2866 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2869 static int selinux_inode_listxattr(struct dentry *dentry)
2871 const struct cred *cred = current_cred();
2873 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2876 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2878 if (strcmp(name, XATTR_NAME_SELINUX))
2879 return selinux_inode_setotherxattr(dentry, name);
2881 /* No one is allowed to remove a SELinux security label.
2882 You can change the label, but all data must be labeled. */
2887 * Copy the inode security context value to the user.
2889 * Permission check is handled by selinux_inode_getxattr hook.
2891 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2895 char *context = NULL;
2896 struct inode_security_struct *isec = inode->i_security;
2898 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2902 * If the caller has CAP_MAC_ADMIN, then get the raw context
2903 * value even if it is not defined by current policy; otherwise,
2904 * use the in-core value under current policy.
2905 * Use the non-auditing forms of the permission checks since
2906 * getxattr may be called by unprivileged processes commonly
2907 * and lack of permission just means that we fall back to the
2908 * in-core context value, not a denial.
2910 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
2911 SECURITY_CAP_NOAUDIT);
2913 error = security_sid_to_context_force(isec->sid, &context,
2916 error = security_sid_to_context(isec->sid, &context, &size);
2929 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2930 const void *value, size_t size, int flags)
2932 struct inode_security_struct *isec = inode->i_security;
2936 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2939 if (!value || !size)
2942 rc = security_context_to_sid((void *)value, size, &newsid);
2947 isec->initialized = 1;
2951 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2953 const int len = sizeof(XATTR_NAME_SELINUX);
2954 if (buffer && len <= buffer_size)
2955 memcpy(buffer, XATTR_NAME_SELINUX, len);
2959 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2961 struct inode_security_struct *isec = inode->i_security;
2965 /* file security operations */
2967 static int selinux_revalidate_file_permission(struct file *file, int mask)
2969 const struct cred *cred = current_cred();
2970 struct inode *inode = file_inode(file);
2972 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2973 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2976 return file_has_perm(cred, file,
2977 file_mask_to_av(inode->i_mode, mask));
2980 static int selinux_file_permission(struct file *file, int mask)
2982 struct inode *inode = file_inode(file);
2983 struct file_security_struct *fsec = file->f_security;
2984 struct inode_security_struct *isec = inode->i_security;
2985 u32 sid = current_sid();
2988 /* No permission to check. Existence test. */
2991 if (sid == fsec->sid && fsec->isid == isec->sid &&
2992 fsec->pseqno == avc_policy_seqno())
2993 /* No change since file_open check. */
2996 return selinux_revalidate_file_permission(file, mask);
2999 static int selinux_file_alloc_security(struct file *file)
3001 return file_alloc_security(file);
3004 static void selinux_file_free_security(struct file *file)
3006 file_free_security(file);
3009 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3012 const struct cred *cred = current_cred();
3022 case FS_IOC_GETFLAGS:
3024 case FS_IOC_GETVERSION:
3025 error = file_has_perm(cred, file, FILE__GETATTR);
3028 case FS_IOC_SETFLAGS:
3030 case FS_IOC_SETVERSION:
3031 error = file_has_perm(cred, file, FILE__SETATTR);
3034 /* sys_ioctl() checks */
3038 error = file_has_perm(cred, file, 0);
3043 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3044 SECURITY_CAP_AUDIT);
3047 /* default case assumes that the command will go
3048 * to the file's ioctl() function.
3051 error = file_has_perm(cred, file, FILE__IOCTL);
3056 static int default_noexec;
3058 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3060 const struct cred *cred = current_cred();
3063 if (default_noexec &&
3064 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3066 * We are making executable an anonymous mapping or a
3067 * private file mapping that will also be writable.
3068 * This has an additional check.
3070 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3076 /* read access is always possible with a mapping */
3077 u32 av = FILE__READ;
3079 /* write access only matters if the mapping is shared */
3080 if (shared && (prot & PROT_WRITE))
3083 if (prot & PROT_EXEC)
3084 av |= FILE__EXECUTE;
3086 return file_has_perm(cred, file, av);
3093 static int selinux_mmap_addr(unsigned long addr)
3096 u32 sid = current_sid();
3099 * notice that we are intentionally putting the SELinux check before
3100 * the secondary cap_file_mmap check. This is such a likely attempt
3101 * at bad behaviour/exploit that we always want to get the AVC, even
3102 * if DAC would have also denied the operation.
3104 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3105 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3106 MEMPROTECT__MMAP_ZERO, NULL);
3111 /* do DAC check on address space usage */
3112 return cap_mmap_addr(addr);
3115 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3116 unsigned long prot, unsigned long flags)
3118 if (selinux_checkreqprot)
3121 return file_map_prot_check(file, prot,
3122 (flags & MAP_TYPE) == MAP_SHARED);
3125 static int selinux_file_mprotect(struct vm_area_struct *vma,
3126 unsigned long reqprot,
3129 const struct cred *cred = current_cred();
3131 if (selinux_checkreqprot)
3134 if (default_noexec &&
3135 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3137 if (vma->vm_start >= vma->vm_mm->start_brk &&
3138 vma->vm_end <= vma->vm_mm->brk) {
3139 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3140 } else if (!vma->vm_file &&
3141 vma->vm_start <= vma->vm_mm->start_stack &&
3142 vma->vm_end >= vma->vm_mm->start_stack) {
3143 rc = current_has_perm(current, PROCESS__EXECSTACK);
3144 } else if (vma->vm_file && vma->anon_vma) {
3146 * We are making executable a file mapping that has
3147 * had some COW done. Since pages might have been
3148 * written, check ability to execute the possibly
3149 * modified content. This typically should only
3150 * occur for text relocations.
3152 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3158 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3161 static int selinux_file_lock(struct file *file, unsigned int cmd)
3163 const struct cred *cred = current_cred();
3165 return file_has_perm(cred, file, FILE__LOCK);
3168 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3171 const struct cred *cred = current_cred();
3176 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3177 err = file_has_perm(cred, file, FILE__WRITE);
3186 case F_GETOWNER_UIDS:
3187 /* Just check FD__USE permission */
3188 err = file_has_perm(cred, file, 0);
3193 #if BITS_PER_LONG == 32
3198 err = file_has_perm(cred, file, FILE__LOCK);
3205 static int selinux_file_set_fowner(struct file *file)
3207 struct file_security_struct *fsec;
3209 fsec = file->f_security;
3210 fsec->fown_sid = current_sid();
3215 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3216 struct fown_struct *fown, int signum)
3219 u32 sid = task_sid(tsk);
3221 struct file_security_struct *fsec;
3223 /* struct fown_struct is never outside the context of a struct file */
3224 file = container_of(fown, struct file, f_owner);
3226 fsec = file->f_security;
3229 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3231 perm = signal_to_av(signum);
3233 return avc_has_perm(fsec->fown_sid, sid,
3234 SECCLASS_PROCESS, perm, NULL);
3237 static int selinux_file_receive(struct file *file)
3239 const struct cred *cred = current_cred();
3241 return file_has_perm(cred, file, file_to_av(file));
3244 static int selinux_file_open(struct file *file, const struct cred *cred)
3246 struct file_security_struct *fsec;
3247 struct inode_security_struct *isec;
3249 fsec = file->f_security;
3250 isec = file_inode(file)->i_security;
3252 * Save inode label and policy sequence number
3253 * at open-time so that selinux_file_permission
3254 * can determine whether revalidation is necessary.
3255 * Task label is already saved in the file security
3256 * struct as its SID.
3258 fsec->isid = isec->sid;
3259 fsec->pseqno = avc_policy_seqno();
3261 * Since the inode label or policy seqno may have changed
3262 * between the selinux_inode_permission check and the saving
3263 * of state above, recheck that access is still permitted.
3264 * Otherwise, access might never be revalidated against the
3265 * new inode label or new policy.
3266 * This check is not redundant - do not remove.
3268 return path_has_perm(cred, &file->f_path, open_file_to_av(file));
3271 /* task security operations */
3273 static int selinux_task_create(unsigned long clone_flags)
3275 return current_has_perm(current, PROCESS__FORK);
3279 * allocate the SELinux part of blank credentials
3281 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3283 struct task_security_struct *tsec;
3285 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3289 cred->security = tsec;
3294 * detach and free the LSM part of a set of credentials
3296 static void selinux_cred_free(struct cred *cred)
3298 struct task_security_struct *tsec = cred->security;
3301 * cred->security == NULL if security_cred_alloc_blank() or
3302 * security_prepare_creds() returned an error.
3304 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3305 cred->security = (void *) 0x7UL;
3310 * prepare a new set of credentials for modification
3312 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3315 const struct task_security_struct *old_tsec;
3316 struct task_security_struct *tsec;
3318 old_tsec = old->security;
3320 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3324 new->security = tsec;
3329 * transfer the SELinux data to a blank set of creds
3331 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3333 const struct task_security_struct *old_tsec = old->security;
3334 struct task_security_struct *tsec = new->security;
3340 * set the security data for a kernel service
3341 * - all the creation contexts are set to unlabelled
3343 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3345 struct task_security_struct *tsec = new->security;
3346 u32 sid = current_sid();
3349 ret = avc_has_perm(sid, secid,
3350 SECCLASS_KERNEL_SERVICE,
3351 KERNEL_SERVICE__USE_AS_OVERRIDE,
3355 tsec->create_sid = 0;
3356 tsec->keycreate_sid = 0;
3357 tsec->sockcreate_sid = 0;
3363 * set the file creation context in a security record to the same as the
3364 * objective context of the specified inode
3366 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3368 struct inode_security_struct *isec = inode->i_security;
3369 struct task_security_struct *tsec = new->security;
3370 u32 sid = current_sid();
3373 ret = avc_has_perm(sid, isec->sid,
3374 SECCLASS_KERNEL_SERVICE,
3375 KERNEL_SERVICE__CREATE_FILES_AS,
3379 tsec->create_sid = isec->sid;
3383 static int selinux_kernel_module_request(char *kmod_name)
3386 struct common_audit_data ad;
3388 sid = task_sid(current);
3390 ad.type = LSM_AUDIT_DATA_KMOD;
3391 ad.u.kmod_name = kmod_name;
3393 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3394 SYSTEM__MODULE_REQUEST, &ad);
3397 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3399 return current_has_perm(p, PROCESS__SETPGID);
3402 static int selinux_task_getpgid(struct task_struct *p)
3404 return current_has_perm(p, PROCESS__GETPGID);
3407 static int selinux_task_getsid(struct task_struct *p)
3409 return current_has_perm(p, PROCESS__GETSESSION);
3412 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3414 *secid = task_sid(p);
3417 static int selinux_task_setnice(struct task_struct *p, int nice)
3421 rc = cap_task_setnice(p, nice);
3425 return current_has_perm(p, PROCESS__SETSCHED);
3428 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3432 rc = cap_task_setioprio(p, ioprio);
3436 return current_has_perm(p, PROCESS__SETSCHED);
3439 static int selinux_task_getioprio(struct task_struct *p)
3441 return current_has_perm(p, PROCESS__GETSCHED);
3444 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3445 struct rlimit *new_rlim)
3447 struct rlimit *old_rlim = p->signal->rlim + resource;
3449 /* Control the ability to change the hard limit (whether
3450 lowering or raising it), so that the hard limit can
3451 later be used as a safe reset point for the soft limit
3452 upon context transitions. See selinux_bprm_committing_creds. */
3453 if (old_rlim->rlim_max != new_rlim->rlim_max)
3454 return current_has_perm(p, PROCESS__SETRLIMIT);
3459 static int selinux_task_setscheduler(struct task_struct *p)
3463 rc = cap_task_setscheduler(p);
3467 return current_has_perm(p, PROCESS__SETSCHED);
3470 static int selinux_task_getscheduler(struct task_struct *p)
3472 return current_has_perm(p, PROCESS__GETSCHED);
3475 static int selinux_task_movememory(struct task_struct *p)
3477 return current_has_perm(p, PROCESS__SETSCHED);
3480 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3487 perm = PROCESS__SIGNULL; /* null signal; existence test */
3489 perm = signal_to_av(sig);
3491 rc = avc_has_perm(secid, task_sid(p),
3492 SECCLASS_PROCESS, perm, NULL);
3494 rc = current_has_perm(p, perm);
3498 static int selinux_task_wait(struct task_struct *p)
3500 return task_has_perm(p, current, PROCESS__SIGCHLD);
3503 static void selinux_task_to_inode(struct task_struct *p,
3504 struct inode *inode)
3506 struct inode_security_struct *isec = inode->i_security;
3507 u32 sid = task_sid(p);
3510 isec->initialized = 1;
3513 /* Returns error only if unable to parse addresses */
3514 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3515 struct common_audit_data *ad, u8 *proto)
3517 int offset, ihlen, ret = -EINVAL;
3518 struct iphdr _iph, *ih;
3520 offset = skb_network_offset(skb);
3521 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3525 ihlen = ih->ihl * 4;
3526 if (ihlen < sizeof(_iph))
3529 ad->u.net->v4info.saddr = ih->saddr;
3530 ad->u.net->v4info.daddr = ih->daddr;
3534 *proto = ih->protocol;
3536 switch (ih->protocol) {
3538 struct tcphdr _tcph, *th;
3540 if (ntohs(ih->frag_off) & IP_OFFSET)
3544 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3548 ad->u.net->sport = th->source;
3549 ad->u.net->dport = th->dest;
3554 struct udphdr _udph, *uh;
3556 if (ntohs(ih->frag_off) & IP_OFFSET)
3560 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3564 ad->u.net->sport = uh->source;
3565 ad->u.net->dport = uh->dest;
3569 case IPPROTO_DCCP: {
3570 struct dccp_hdr _dccph, *dh;
3572 if (ntohs(ih->frag_off) & IP_OFFSET)
3576 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3580 ad->u.net->sport = dh->dccph_sport;
3581 ad->u.net->dport = dh->dccph_dport;
3592 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3594 /* Returns error only if unable to parse addresses */
3595 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3596 struct common_audit_data *ad, u8 *proto)
3599 int ret = -EINVAL, offset;
3600 struct ipv6hdr _ipv6h, *ip6;
3603 offset = skb_network_offset(skb);
3604 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3608 ad->u.net->v6info.saddr = ip6->saddr;
3609 ad->u.net->v6info.daddr = ip6->daddr;
3612 nexthdr = ip6->nexthdr;
3613 offset += sizeof(_ipv6h);
3614 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3623 struct tcphdr _tcph, *th;
3625 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3629 ad->u.net->sport = th->source;
3630 ad->u.net->dport = th->dest;
3635 struct udphdr _udph, *uh;
3637 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3641 ad->u.net->sport = uh->source;
3642 ad->u.net->dport = uh->dest;
3646 case IPPROTO_DCCP: {
3647 struct dccp_hdr _dccph, *dh;
3649 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3653 ad->u.net->sport = dh->dccph_sport;
3654 ad->u.net->dport = dh->dccph_dport;
3658 /* includes fragments */
3668 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3669 char **_addrp, int src, u8 *proto)
3674 switch (ad->u.net->family) {
3676 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3679 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3680 &ad->u.net->v4info.daddr);
3683 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3685 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3688 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3689 &ad->u.net->v6info.daddr);
3699 "SELinux: failure in selinux_parse_skb(),"
3700 " unable to parse packet\n");
3710 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3712 * @family: protocol family
3713 * @sid: the packet's peer label SID
3716 * Check the various different forms of network peer labeling and determine
3717 * the peer label/SID for the packet; most of the magic actually occurs in
3718 * the security server function security_net_peersid_cmp(). The function
3719 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3720 * or -EACCES if @sid is invalid due to inconsistencies with the different
3724 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3731 err = selinux_skb_xfrm_sid(skb, &xfrm_sid);
3734 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3738 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3739 if (unlikely(err)) {
3741 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3742 " unable to determine packet's peer label\n");
3749 /* socket security operations */
3751 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3752 u16 secclass, u32 *socksid)
3754 if (tsec->sockcreate_sid > SECSID_NULL) {
3755 *socksid = tsec->sockcreate_sid;
3759 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3763 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3765 struct sk_security_struct *sksec = sk->sk_security;
3766 struct common_audit_data ad;
3767 struct lsm_network_audit net = {0,};
3768 u32 tsid = task_sid(task);
3770 if (sksec->sid == SECINITSID_KERNEL)
3773 ad.type = LSM_AUDIT_DATA_NET;
3777 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3780 static int selinux_socket_create(int family, int type,
3781 int protocol, int kern)
3783 const struct task_security_struct *tsec = current_security();
3791 secclass = socket_type_to_security_class(family, type, protocol);
3792 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3796 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3799 static int selinux_socket_post_create(struct socket *sock, int family,
3800 int type, int protocol, int kern)
3802 const struct task_security_struct *tsec = current_security();
3803 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3804 struct sk_security_struct *sksec;
3807 isec->sclass = socket_type_to_security_class(family, type, protocol);
3810 isec->sid = SECINITSID_KERNEL;
3812 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3817 isec->initialized = 1;
3820 sksec = sock->sk->sk_security;
3821 sksec->sid = isec->sid;
3822 sksec->sclass = isec->sclass;
3823 err = selinux_netlbl_socket_post_create(sock->sk, family);
3829 /* Range of port numbers used to automatically bind.
3830 Need to determine whether we should perform a name_bind
3831 permission check between the socket and the port number. */
3833 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3835 struct sock *sk = sock->sk;
3839 err = sock_has_perm(current, sk, SOCKET__BIND);
3844 * If PF_INET or PF_INET6, check name_bind permission for the port.
3845 * Multiple address binding for SCTP is not supported yet: we just
3846 * check the first address now.
3848 family = sk->sk_family;
3849 if (family == PF_INET || family == PF_INET6) {
3851 struct sk_security_struct *sksec = sk->sk_security;
3852 struct common_audit_data ad;
3853 struct lsm_network_audit net = {0,};
3854 struct sockaddr_in *addr4 = NULL;
3855 struct sockaddr_in6 *addr6 = NULL;
3856 unsigned short snum;
3859 if (family == PF_INET) {
3860 addr4 = (struct sockaddr_in *)address;
3861 snum = ntohs(addr4->sin_port);
3862 addrp = (char *)&addr4->sin_addr.s_addr;
3864 addr6 = (struct sockaddr_in6 *)address;
3865 snum = ntohs(addr6->sin6_port);
3866 addrp = (char *)&addr6->sin6_addr.s6_addr;
3872 inet_get_local_port_range(&low, &high);
3874 if (snum < max(PROT_SOCK, low) || snum > high) {
3875 err = sel_netport_sid(sk->sk_protocol,
3879 ad.type = LSM_AUDIT_DATA_NET;
3881 ad.u.net->sport = htons(snum);
3882 ad.u.net->family = family;
3883 err = avc_has_perm(sksec->sid, sid,
3885 SOCKET__NAME_BIND, &ad);
3891 switch (sksec->sclass) {
3892 case SECCLASS_TCP_SOCKET:
3893 node_perm = TCP_SOCKET__NODE_BIND;
3896 case SECCLASS_UDP_SOCKET:
3897 node_perm = UDP_SOCKET__NODE_BIND;
3900 case SECCLASS_DCCP_SOCKET:
3901 node_perm = DCCP_SOCKET__NODE_BIND;
3905 node_perm = RAWIP_SOCKET__NODE_BIND;
3909 err = sel_netnode_sid(addrp, family, &sid);
3913 ad.type = LSM_AUDIT_DATA_NET;
3915 ad.u.net->sport = htons(snum);
3916 ad.u.net->family = family;
3918 if (family == PF_INET)
3919 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
3921 ad.u.net->v6info.saddr = addr6->sin6_addr;
3923 err = avc_has_perm(sksec->sid, sid,
3924 sksec->sclass, node_perm, &ad);
3932 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3934 struct sock *sk = sock->sk;
3935 struct sk_security_struct *sksec = sk->sk_security;
3938 err = sock_has_perm(current, sk, SOCKET__CONNECT);
3943 * If a TCP or DCCP socket, check name_connect permission for the port.
3945 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3946 sksec->sclass == SECCLASS_DCCP_SOCKET) {
3947 struct common_audit_data ad;
3948 struct lsm_network_audit net = {0,};
3949 struct sockaddr_in *addr4 = NULL;
3950 struct sockaddr_in6 *addr6 = NULL;
3951 unsigned short snum;
3954 if (sk->sk_family == PF_INET) {
3955 addr4 = (struct sockaddr_in *)address;
3956 if (addrlen < sizeof(struct sockaddr_in))
3958 snum = ntohs(addr4->sin_port);
3960 addr6 = (struct sockaddr_in6 *)address;
3961 if (addrlen < SIN6_LEN_RFC2133)
3963 snum = ntohs(addr6->sin6_port);
3966 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3970 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3971 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3973 ad.type = LSM_AUDIT_DATA_NET;
3975 ad.u.net->dport = htons(snum);
3976 ad.u.net->family = sk->sk_family;
3977 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3982 err = selinux_netlbl_socket_connect(sk, address);
3988 static int selinux_socket_listen(struct socket *sock, int backlog)
3990 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3993 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3996 struct inode_security_struct *isec;
3997 struct inode_security_struct *newisec;
3999 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4003 newisec = SOCK_INODE(newsock)->i_security;
4005 isec = SOCK_INODE(sock)->i_security;
4006 newisec->sclass = isec->sclass;
4007 newisec->sid = isec->sid;
4008 newisec->initialized = 1;
4013 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4016 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4019 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4020 int size, int flags)
4022 return sock_has_perm(current, sock->sk, SOCKET__READ);
4025 static int selinux_socket_getsockname(struct socket *sock)
4027 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4030 static int selinux_socket_getpeername(struct socket *sock)
4032 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4035 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4039 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4043 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4046 static int selinux_socket_getsockopt(struct socket *sock, int level,
4049 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4052 static int selinux_socket_shutdown(struct socket *sock, int how)
4054 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4057 static int selinux_socket_unix_stream_connect(struct sock *sock,
4061 struct sk_security_struct *sksec_sock = sock->sk_security;
4062 struct sk_security_struct *sksec_other = other->sk_security;
4063 struct sk_security_struct *sksec_new = newsk->sk_security;
4064 struct common_audit_data ad;
4065 struct lsm_network_audit net = {0,};
4068 ad.type = LSM_AUDIT_DATA_NET;
4070 ad.u.net->sk = other;
4072 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4073 sksec_other->sclass,
4074 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4078 /* server child socket */
4079 sksec_new->peer_sid = sksec_sock->sid;
4080 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4085 /* connecting socket */
4086 sksec_sock->peer_sid = sksec_new->sid;
4091 static int selinux_socket_unix_may_send(struct socket *sock,
4092 struct socket *other)
4094 struct sk_security_struct *ssec = sock->sk->sk_security;
4095 struct sk_security_struct *osec = other->sk->sk_security;
4096 struct common_audit_data ad;
4097 struct lsm_network_audit net = {0,};
4099 ad.type = LSM_AUDIT_DATA_NET;
4101 ad.u.net->sk = other->sk;
4103 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4107 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4109 struct common_audit_data *ad)
4115 err = sel_netif_sid(ifindex, &if_sid);
4118 err = avc_has_perm(peer_sid, if_sid,
4119 SECCLASS_NETIF, NETIF__INGRESS, ad);
4123 err = sel_netnode_sid(addrp, family, &node_sid);
4126 return avc_has_perm(peer_sid, node_sid,
4127 SECCLASS_NODE, NODE__RECVFROM, ad);
4130 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4134 struct sk_security_struct *sksec = sk->sk_security;
4135 u32 sk_sid = sksec->sid;
4136 struct common_audit_data ad;
4137 struct lsm_network_audit net = {0,};
4140 ad.type = LSM_AUDIT_DATA_NET;
4142 ad.u.net->netif = skb->skb_iif;
4143 ad.u.net->family = family;
4144 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4148 if (selinux_secmark_enabled()) {
4149 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4155 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4158 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4163 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4166 struct sk_security_struct *sksec = sk->sk_security;
4167 u16 family = sk->sk_family;
4168 u32 sk_sid = sksec->sid;
4169 struct common_audit_data ad;
4170 struct lsm_network_audit net = {0,};
4175 if (family != PF_INET && family != PF_INET6)
4178 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4179 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4182 /* If any sort of compatibility mode is enabled then handoff processing
4183 * to the selinux_sock_rcv_skb_compat() function to deal with the
4184 * special handling. We do this in an attempt to keep this function
4185 * as fast and as clean as possible. */
4186 if (!selinux_policycap_netpeer)
4187 return selinux_sock_rcv_skb_compat(sk, skb, family);
4189 secmark_active = selinux_secmark_enabled();
4190 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4191 if (!secmark_active && !peerlbl_active)
4194 ad.type = LSM_AUDIT_DATA_NET;
4196 ad.u.net->netif = skb->skb_iif;
4197 ad.u.net->family = family;
4198 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4202 if (peerlbl_active) {
4205 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4208 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4211 selinux_netlbl_err(skb, err, 0);
4214 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4217 selinux_netlbl_err(skb, err, 0);
4220 if (secmark_active) {
4221 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4230 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4231 int __user *optlen, unsigned len)
4236 struct sk_security_struct *sksec = sock->sk->sk_security;
4237 u32 peer_sid = SECSID_NULL;
4239 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4240 sksec->sclass == SECCLASS_TCP_SOCKET)
4241 peer_sid = sksec->peer_sid;
4242 if (peer_sid == SECSID_NULL)
4243 return -ENOPROTOOPT;
4245 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4249 if (scontext_len > len) {
4254 if (copy_to_user(optval, scontext, scontext_len))
4258 if (put_user(scontext_len, optlen))
4264 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4266 u32 peer_secid = SECSID_NULL;
4269 if (skb && skb->protocol == htons(ETH_P_IP))
4271 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4274 family = sock->sk->sk_family;
4278 if (sock && family == PF_UNIX)
4279 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4281 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4284 *secid = peer_secid;
4285 if (peer_secid == SECSID_NULL)
4290 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4292 struct sk_security_struct *sksec;
4294 sksec = kzalloc(sizeof(*sksec), priority);
4298 sksec->peer_sid = SECINITSID_UNLABELED;
4299 sksec->sid = SECINITSID_UNLABELED;
4300 selinux_netlbl_sk_security_reset(sksec);
4301 sk->sk_security = sksec;
4306 static void selinux_sk_free_security(struct sock *sk)
4308 struct sk_security_struct *sksec = sk->sk_security;
4310 sk->sk_security = NULL;
4311 selinux_netlbl_sk_security_free(sksec);
4315 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4317 struct sk_security_struct *sksec = sk->sk_security;
4318 struct sk_security_struct *newsksec = newsk->sk_security;
4320 newsksec->sid = sksec->sid;
4321 newsksec->peer_sid = sksec->peer_sid;
4322 newsksec->sclass = sksec->sclass;
4324 selinux_netlbl_sk_security_reset(newsksec);
4327 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4330 *secid = SECINITSID_ANY_SOCKET;
4332 struct sk_security_struct *sksec = sk->sk_security;
4334 *secid = sksec->sid;
4338 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4340 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4341 struct sk_security_struct *sksec = sk->sk_security;
4343 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4344 sk->sk_family == PF_UNIX)
4345 isec->sid = sksec->sid;
4346 sksec->sclass = isec->sclass;
4349 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4350 struct request_sock *req)
4352 struct sk_security_struct *sksec = sk->sk_security;
4354 u16 family = sk->sk_family;
4358 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4359 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4362 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4365 if (peersid == SECSID_NULL) {
4366 req->secid = sksec->sid;
4367 req->peer_secid = SECSID_NULL;
4369 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4372 req->secid = newsid;
4373 req->peer_secid = peersid;
4376 return selinux_netlbl_inet_conn_request(req, family);
4379 static void selinux_inet_csk_clone(struct sock *newsk,
4380 const struct request_sock *req)
4382 struct sk_security_struct *newsksec = newsk->sk_security;
4384 newsksec->sid = req->secid;
4385 newsksec->peer_sid = req->peer_secid;
4386 /* NOTE: Ideally, we should also get the isec->sid for the
4387 new socket in sync, but we don't have the isec available yet.
4388 So we will wait until sock_graft to do it, by which
4389 time it will have been created and available. */
4391 /* We don't need to take any sort of lock here as we are the only
4392 * thread with access to newsksec */
4393 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4396 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4398 u16 family = sk->sk_family;
4399 struct sk_security_struct *sksec = sk->sk_security;
4401 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4402 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4405 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4408 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4410 skb_set_owner_w(skb, sk);
4413 static int selinux_secmark_relabel_packet(u32 sid)
4415 const struct task_security_struct *__tsec;
4418 __tsec = current_security();
4421 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4424 static void selinux_secmark_refcount_inc(void)
4426 atomic_inc(&selinux_secmark_refcount);
4429 static void selinux_secmark_refcount_dec(void)
4431 atomic_dec(&selinux_secmark_refcount);
4434 static void selinux_req_classify_flow(const struct request_sock *req,
4437 fl->flowi_secid = req->secid;
4440 static int selinux_tun_dev_alloc_security(void **security)
4442 struct tun_security_struct *tunsec;
4444 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4447 tunsec->sid = current_sid();
4453 static void selinux_tun_dev_free_security(void *security)
4458 static int selinux_tun_dev_create(void)
4460 u32 sid = current_sid();
4462 /* we aren't taking into account the "sockcreate" SID since the socket
4463 * that is being created here is not a socket in the traditional sense,
4464 * instead it is a private sock, accessible only to the kernel, and
4465 * representing a wide range of network traffic spanning multiple
4466 * connections unlike traditional sockets - check the TUN driver to
4467 * get a better understanding of why this socket is special */
4469 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4473 static int selinux_tun_dev_attach_queue(void *security)
4475 struct tun_security_struct *tunsec = security;
4477 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4478 TUN_SOCKET__ATTACH_QUEUE, NULL);
4481 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4483 struct tun_security_struct *tunsec = security;
4484 struct sk_security_struct *sksec = sk->sk_security;
4486 /* we don't currently perform any NetLabel based labeling here and it
4487 * isn't clear that we would want to do so anyway; while we could apply
4488 * labeling without the support of the TUN user the resulting labeled
4489 * traffic from the other end of the connection would almost certainly
4490 * cause confusion to the TUN user that had no idea network labeling
4491 * protocols were being used */
4493 sksec->sid = tunsec->sid;
4494 sksec->sclass = SECCLASS_TUN_SOCKET;
4499 static int selinux_tun_dev_open(void *security)
4501 struct tun_security_struct *tunsec = security;
4502 u32 sid = current_sid();
4505 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4506 TUN_SOCKET__RELABELFROM, NULL);
4509 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4510 TUN_SOCKET__RELABELTO, NULL);
4518 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4522 struct nlmsghdr *nlh;
4523 struct sk_security_struct *sksec = sk->sk_security;
4525 if (skb->len < NLMSG_HDRLEN) {
4529 nlh = nlmsg_hdr(skb);
4531 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4533 if (err == -EINVAL) {
4534 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4535 "SELinux: unrecognized netlink message"
4536 " type=%hu for sclass=%hu\n",
4537 nlh->nlmsg_type, sksec->sclass);
4538 if (!selinux_enforcing || security_get_allow_unknown())
4548 err = sock_has_perm(current, sk, perm);
4553 #ifdef CONFIG_NETFILTER
4555 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4561 struct common_audit_data ad;
4562 struct lsm_network_audit net = {0,};
4567 if (!selinux_policycap_netpeer)
4570 secmark_active = selinux_secmark_enabled();
4571 netlbl_active = netlbl_enabled();
4572 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4573 if (!secmark_active && !peerlbl_active)
4576 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4579 ad.type = LSM_AUDIT_DATA_NET;
4581 ad.u.net->netif = ifindex;
4582 ad.u.net->family = family;
4583 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4586 if (peerlbl_active) {
4587 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4590 selinux_netlbl_err(skb, err, 1);
4596 if (avc_has_perm(peer_sid, skb->secmark,
4597 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4601 /* we do this in the FORWARD path and not the POST_ROUTING
4602 * path because we want to make sure we apply the necessary
4603 * labeling before IPsec is applied so we can leverage AH
4605 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4611 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4612 struct sk_buff *skb,
4613 const struct net_device *in,
4614 const struct net_device *out,
4615 int (*okfn)(struct sk_buff *))
4617 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4620 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4621 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4622 struct sk_buff *skb,
4623 const struct net_device *in,
4624 const struct net_device *out,
4625 int (*okfn)(struct sk_buff *))
4627 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4631 static unsigned int selinux_ip_output(struct sk_buff *skb,
4636 if (!netlbl_enabled())
4639 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4640 * because we want to make sure we apply the necessary labeling
4641 * before IPsec is applied so we can leverage AH protection */
4643 struct sk_security_struct *sksec = skb->sk->sk_security;
4646 sid = SECINITSID_KERNEL;
4647 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4653 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4654 struct sk_buff *skb,
4655 const struct net_device *in,
4656 const struct net_device *out,
4657 int (*okfn)(struct sk_buff *))
4659 return selinux_ip_output(skb, PF_INET);
4662 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4666 struct sock *sk = skb->sk;
4667 struct sk_security_struct *sksec;
4668 struct common_audit_data ad;
4669 struct lsm_network_audit net = {0,};
4675 sksec = sk->sk_security;
4677 ad.type = LSM_AUDIT_DATA_NET;
4679 ad.u.net->netif = ifindex;
4680 ad.u.net->family = family;
4681 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4684 if (selinux_secmark_enabled())
4685 if (avc_has_perm(sksec->sid, skb->secmark,
4686 SECCLASS_PACKET, PACKET__SEND, &ad))
4687 return NF_DROP_ERR(-ECONNREFUSED);
4689 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4690 return NF_DROP_ERR(-ECONNREFUSED);
4695 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4701 struct common_audit_data ad;
4702 struct lsm_network_audit net = {0,};
4707 /* If any sort of compatibility mode is enabled then handoff processing
4708 * to the selinux_ip_postroute_compat() function to deal with the
4709 * special handling. We do this in an attempt to keep this function
4710 * as fast and as clean as possible. */
4711 if (!selinux_policycap_netpeer)
4712 return selinux_ip_postroute_compat(skb, ifindex, family);
4714 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4715 * packet transformation so allow the packet to pass without any checks
4716 * since we'll have another chance to perform access control checks
4717 * when the packet is on it's final way out.
4718 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4719 * is NULL, in this case go ahead and apply access control. */
4720 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4723 secmark_active = selinux_secmark_enabled();
4724 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4725 if (!secmark_active && !peerlbl_active)
4728 /* if the packet is being forwarded then get the peer label from the
4729 * packet itself; otherwise check to see if it is from a local
4730 * application or the kernel, if from an application get the peer label
4731 * from the sending socket, otherwise use the kernel's sid */
4735 secmark_perm = PACKET__FORWARD_OUT;
4736 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4739 secmark_perm = PACKET__SEND;
4740 peer_sid = SECINITSID_KERNEL;
4743 struct sk_security_struct *sksec = sk->sk_security;
4744 peer_sid = sksec->sid;
4745 secmark_perm = PACKET__SEND;
4748 ad.type = LSM_AUDIT_DATA_NET;
4750 ad.u.net->netif = ifindex;
4751 ad.u.net->family = family;
4752 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4756 if (avc_has_perm(peer_sid, skb->secmark,
4757 SECCLASS_PACKET, secmark_perm, &ad))
4758 return NF_DROP_ERR(-ECONNREFUSED);
4760 if (peerlbl_active) {
4764 if (sel_netif_sid(ifindex, &if_sid))
4766 if (avc_has_perm(peer_sid, if_sid,
4767 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4768 return NF_DROP_ERR(-ECONNREFUSED);
4770 if (sel_netnode_sid(addrp, family, &node_sid))
4772 if (avc_has_perm(peer_sid, node_sid,
4773 SECCLASS_NODE, NODE__SENDTO, &ad))
4774 return NF_DROP_ERR(-ECONNREFUSED);
4780 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4781 struct sk_buff *skb,
4782 const struct net_device *in,
4783 const struct net_device *out,
4784 int (*okfn)(struct sk_buff *))
4786 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4789 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4790 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4791 struct sk_buff *skb,
4792 const struct net_device *in,
4793 const struct net_device *out,
4794 int (*okfn)(struct sk_buff *))
4796 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4800 #endif /* CONFIG_NETFILTER */
4802 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4806 err = cap_netlink_send(sk, skb);
4810 return selinux_nlmsg_perm(sk, skb);
4813 static int ipc_alloc_security(struct task_struct *task,
4814 struct kern_ipc_perm *perm,
4817 struct ipc_security_struct *isec;
4820 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4824 sid = task_sid(task);
4825 isec->sclass = sclass;
4827 perm->security = isec;
4832 static void ipc_free_security(struct kern_ipc_perm *perm)
4834 struct ipc_security_struct *isec = perm->security;
4835 perm->security = NULL;
4839 static int msg_msg_alloc_security(struct msg_msg *msg)
4841 struct msg_security_struct *msec;
4843 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4847 msec->sid = SECINITSID_UNLABELED;
4848 msg->security = msec;
4853 static void msg_msg_free_security(struct msg_msg *msg)
4855 struct msg_security_struct *msec = msg->security;
4857 msg->security = NULL;
4861 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4864 struct ipc_security_struct *isec;
4865 struct common_audit_data ad;
4866 u32 sid = current_sid();
4868 isec = ipc_perms->security;
4870 ad.type = LSM_AUDIT_DATA_IPC;
4871 ad.u.ipc_id = ipc_perms->key;
4873 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4876 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4878 return msg_msg_alloc_security(msg);
4881 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4883 msg_msg_free_security(msg);
4886 /* message queue security operations */
4887 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4889 struct ipc_security_struct *isec;
4890 struct common_audit_data ad;
4891 u32 sid = current_sid();
4894 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4898 isec = msq->q_perm.security;
4900 ad.type = LSM_AUDIT_DATA_IPC;
4901 ad.u.ipc_id = msq->q_perm.key;
4903 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4906 ipc_free_security(&msq->q_perm);
4912 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4914 ipc_free_security(&msq->q_perm);
4917 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4919 struct ipc_security_struct *isec;
4920 struct common_audit_data ad;
4921 u32 sid = current_sid();
4923 isec = msq->q_perm.security;
4925 ad.type = LSM_AUDIT_DATA_IPC;
4926 ad.u.ipc_id = msq->q_perm.key;
4928 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4929 MSGQ__ASSOCIATE, &ad);
4932 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4940 /* No specific object, just general system-wide information. */
4941 return task_has_system(current, SYSTEM__IPC_INFO);
4944 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4947 perms = MSGQ__SETATTR;
4950 perms = MSGQ__DESTROY;
4956 err = ipc_has_perm(&msq->q_perm, perms);
4960 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4962 struct ipc_security_struct *isec;
4963 struct msg_security_struct *msec;
4964 struct common_audit_data ad;
4965 u32 sid = current_sid();
4968 isec = msq->q_perm.security;
4969 msec = msg->security;
4972 * First time through, need to assign label to the message
4974 if (msec->sid == SECINITSID_UNLABELED) {
4976 * Compute new sid based on current process and
4977 * message queue this message will be stored in
4979 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4985 ad.type = LSM_AUDIT_DATA_IPC;
4986 ad.u.ipc_id = msq->q_perm.key;
4988 /* Can this process write to the queue? */
4989 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4992 /* Can this process send the message */
4993 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4996 /* Can the message be put in the queue? */
4997 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4998 MSGQ__ENQUEUE, &ad);
5003 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5004 struct task_struct *target,
5005 long type, int mode)
5007 struct ipc_security_struct *isec;
5008 struct msg_security_struct *msec;
5009 struct common_audit_data ad;
5010 u32 sid = task_sid(target);
5013 isec = msq->q_perm.security;
5014 msec = msg->security;
5016 ad.type = LSM_AUDIT_DATA_IPC;
5017 ad.u.ipc_id = msq->q_perm.key;
5019 rc = avc_has_perm(sid, isec->sid,
5020 SECCLASS_MSGQ, MSGQ__READ, &ad);
5022 rc = avc_has_perm(sid, msec->sid,
5023 SECCLASS_MSG, MSG__RECEIVE, &ad);
5027 /* Shared Memory security operations */
5028 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5030 struct ipc_security_struct *isec;
5031 struct common_audit_data ad;
5032 u32 sid = current_sid();
5035 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5039 isec = shp->shm_perm.security;
5041 ad.type = LSM_AUDIT_DATA_IPC;
5042 ad.u.ipc_id = shp->shm_perm.key;
5044 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5047 ipc_free_security(&shp->shm_perm);
5053 static void selinux_shm_free_security(struct shmid_kernel *shp)
5055 ipc_free_security(&shp->shm_perm);
5058 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5060 struct ipc_security_struct *isec;
5061 struct common_audit_data ad;
5062 u32 sid = current_sid();
5064 isec = shp->shm_perm.security;
5066 ad.type = LSM_AUDIT_DATA_IPC;
5067 ad.u.ipc_id = shp->shm_perm.key;
5069 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5070 SHM__ASSOCIATE, &ad);
5073 /* Note, at this point, shp is locked down */
5074 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5082 /* No specific object, just general system-wide information. */
5083 return task_has_system(current, SYSTEM__IPC_INFO);
5086 perms = SHM__GETATTR | SHM__ASSOCIATE;
5089 perms = SHM__SETATTR;
5096 perms = SHM__DESTROY;
5102 err = ipc_has_perm(&shp->shm_perm, perms);
5106 static int selinux_shm_shmat(struct shmid_kernel *shp,
5107 char __user *shmaddr, int shmflg)
5111 if (shmflg & SHM_RDONLY)
5114 perms = SHM__READ | SHM__WRITE;
5116 return ipc_has_perm(&shp->shm_perm, perms);
5119 /* Semaphore security operations */
5120 static int selinux_sem_alloc_security(struct sem_array *sma)
5122 struct ipc_security_struct *isec;
5123 struct common_audit_data ad;
5124 u32 sid = current_sid();
5127 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5131 isec = sma->sem_perm.security;
5133 ad.type = LSM_AUDIT_DATA_IPC;
5134 ad.u.ipc_id = sma->sem_perm.key;
5136 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5139 ipc_free_security(&sma->sem_perm);
5145 static void selinux_sem_free_security(struct sem_array *sma)
5147 ipc_free_security(&sma->sem_perm);
5150 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5152 struct ipc_security_struct *isec;
5153 struct common_audit_data ad;
5154 u32 sid = current_sid();
5156 isec = sma->sem_perm.security;
5158 ad.type = LSM_AUDIT_DATA_IPC;
5159 ad.u.ipc_id = sma->sem_perm.key;
5161 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5162 SEM__ASSOCIATE, &ad);
5165 /* Note, at this point, sma is locked down */
5166 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5174 /* No specific object, just general system-wide information. */
5175 return task_has_system(current, SYSTEM__IPC_INFO);
5179 perms = SEM__GETATTR;
5190 perms = SEM__DESTROY;
5193 perms = SEM__SETATTR;
5197 perms = SEM__GETATTR | SEM__ASSOCIATE;
5203 err = ipc_has_perm(&sma->sem_perm, perms);
5207 static int selinux_sem_semop(struct sem_array *sma,
5208 struct sembuf *sops, unsigned nsops, int alter)
5213 perms = SEM__READ | SEM__WRITE;
5217 return ipc_has_perm(&sma->sem_perm, perms);
5220 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5226 av |= IPC__UNIX_READ;
5228 av |= IPC__UNIX_WRITE;
5233 return ipc_has_perm(ipcp, av);
5236 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5238 struct ipc_security_struct *isec = ipcp->security;
5242 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5245 inode_doinit_with_dentry(inode, dentry);
5248 static int selinux_getprocattr(struct task_struct *p,
5249 char *name, char **value)
5251 const struct task_security_struct *__tsec;
5257 error = current_has_perm(p, PROCESS__GETATTR);
5263 __tsec = __task_cred(p)->security;
5265 if (!strcmp(name, "current"))
5267 else if (!strcmp(name, "prev"))
5269 else if (!strcmp(name, "exec"))
5270 sid = __tsec->exec_sid;
5271 else if (!strcmp(name, "fscreate"))
5272 sid = __tsec->create_sid;
5273 else if (!strcmp(name, "keycreate"))
5274 sid = __tsec->keycreate_sid;
5275 else if (!strcmp(name, "sockcreate"))
5276 sid = __tsec->sockcreate_sid;
5284 error = security_sid_to_context(sid, value, &len);
5294 static int selinux_setprocattr(struct task_struct *p,
5295 char *name, void *value, size_t size)
5297 struct task_security_struct *tsec;
5298 struct task_struct *tracer;
5305 /* SELinux only allows a process to change its own
5306 security attributes. */
5311 * Basic control over ability to set these attributes at all.
5312 * current == p, but we'll pass them separately in case the
5313 * above restriction is ever removed.
5315 if (!strcmp(name, "exec"))
5316 error = current_has_perm(p, PROCESS__SETEXEC);
5317 else if (!strcmp(name, "fscreate"))
5318 error = current_has_perm(p, PROCESS__SETFSCREATE);
5319 else if (!strcmp(name, "keycreate"))
5320 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5321 else if (!strcmp(name, "sockcreate"))
5322 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5323 else if (!strcmp(name, "current"))
5324 error = current_has_perm(p, PROCESS__SETCURRENT);
5330 /* Obtain a SID for the context, if one was specified. */
5331 if (size && str[1] && str[1] != '\n') {
5332 if (str[size-1] == '\n') {
5336 error = security_context_to_sid(value, size, &sid);
5337 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5338 if (!capable(CAP_MAC_ADMIN)) {
5339 struct audit_buffer *ab;
5342 /* We strip a nul only if it is at the end, otherwise the
5343 * context contains a nul and we should audit that */
5344 if (str[size - 1] == '\0')
5345 audit_size = size - 1;
5348 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5349 audit_log_format(ab, "op=fscreate invalid_context=");
5350 audit_log_n_untrustedstring(ab, value, audit_size);
5355 error = security_context_to_sid_force(value, size,
5362 new = prepare_creds();
5366 /* Permission checking based on the specified context is
5367 performed during the actual operation (execve,
5368 open/mkdir/...), when we know the full context of the
5369 operation. See selinux_bprm_set_creds for the execve
5370 checks and may_create for the file creation checks. The
5371 operation will then fail if the context is not permitted. */
5372 tsec = new->security;
5373 if (!strcmp(name, "exec")) {
5374 tsec->exec_sid = sid;
5375 } else if (!strcmp(name, "fscreate")) {
5376 tsec->create_sid = sid;
5377 } else if (!strcmp(name, "keycreate")) {
5378 error = may_create_key(sid, p);
5381 tsec->keycreate_sid = sid;
5382 } else if (!strcmp(name, "sockcreate")) {
5383 tsec->sockcreate_sid = sid;
5384 } else if (!strcmp(name, "current")) {
5389 /* Only allow single threaded processes to change context */
5391 if (!current_is_single_threaded()) {
5392 error = security_bounded_transition(tsec->sid, sid);
5397 /* Check permissions for the transition. */
5398 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5399 PROCESS__DYNTRANSITION, NULL);
5403 /* Check for ptracing, and update the task SID if ok.
5404 Otherwise, leave SID unchanged and fail. */
5407 tracer = ptrace_parent(p);
5409 ptsid = task_sid(tracer);
5413 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5414 PROCESS__PTRACE, NULL);
5433 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5435 return security_sid_to_context(secid, secdata, seclen);
5438 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5440 return security_context_to_sid(secdata, seclen, secid);
5443 static void selinux_release_secctx(char *secdata, u32 seclen)
5449 * called with inode->i_mutex locked
5451 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5453 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5457 * called with inode->i_mutex locked
5459 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5461 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5464 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5467 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5476 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5477 unsigned long flags)
5479 const struct task_security_struct *tsec;
5480 struct key_security_struct *ksec;
5482 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5486 tsec = cred->security;
5487 if (tsec->keycreate_sid)
5488 ksec->sid = tsec->keycreate_sid;
5490 ksec->sid = tsec->sid;
5496 static void selinux_key_free(struct key *k)
5498 struct key_security_struct *ksec = k->security;
5504 static int selinux_key_permission(key_ref_t key_ref,
5505 const struct cred *cred,
5509 struct key_security_struct *ksec;
5512 /* if no specific permissions are requested, we skip the
5513 permission check. No serious, additional covert channels
5514 appear to be created. */
5518 sid = cred_sid(cred);
5520 key = key_ref_to_ptr(key_ref);
5521 ksec = key->security;
5523 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5526 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5528 struct key_security_struct *ksec = key->security;
5529 char *context = NULL;
5533 rc = security_sid_to_context(ksec->sid, &context, &len);
5542 static struct security_operations selinux_ops = {
5545 .ptrace_access_check = selinux_ptrace_access_check,
5546 .ptrace_traceme = selinux_ptrace_traceme,
5547 .capget = selinux_capget,
5548 .capset = selinux_capset,
5549 .capable = selinux_capable,
5550 .quotactl = selinux_quotactl,
5551 .quota_on = selinux_quota_on,
5552 .syslog = selinux_syslog,
5553 .vm_enough_memory = selinux_vm_enough_memory,
5555 .netlink_send = selinux_netlink_send,
5557 .bprm_set_creds = selinux_bprm_set_creds,
5558 .bprm_committing_creds = selinux_bprm_committing_creds,
5559 .bprm_committed_creds = selinux_bprm_committed_creds,
5560 .bprm_secureexec = selinux_bprm_secureexec,
5562 .sb_alloc_security = selinux_sb_alloc_security,
5563 .sb_free_security = selinux_sb_free_security,
5564 .sb_copy_data = selinux_sb_copy_data,
5565 .sb_remount = selinux_sb_remount,
5566 .sb_kern_mount = selinux_sb_kern_mount,
5567 .sb_show_options = selinux_sb_show_options,
5568 .sb_statfs = selinux_sb_statfs,
5569 .sb_mount = selinux_mount,
5570 .sb_umount = selinux_umount,
5571 .sb_set_mnt_opts = selinux_set_mnt_opts,
5572 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5573 .sb_parse_opts_str = selinux_parse_opts_str,
5576 .inode_alloc_security = selinux_inode_alloc_security,
5577 .inode_free_security = selinux_inode_free_security,
5578 .inode_init_security = selinux_inode_init_security,
5579 .inode_create = selinux_inode_create,
5580 .inode_link = selinux_inode_link,
5581 .inode_unlink = selinux_inode_unlink,
5582 .inode_symlink = selinux_inode_symlink,
5583 .inode_mkdir = selinux_inode_mkdir,
5584 .inode_rmdir = selinux_inode_rmdir,
5585 .inode_mknod = selinux_inode_mknod,
5586 .inode_rename = selinux_inode_rename,
5587 .inode_readlink = selinux_inode_readlink,
5588 .inode_follow_link = selinux_inode_follow_link,
5589 .inode_permission = selinux_inode_permission,
5590 .inode_setattr = selinux_inode_setattr,
5591 .inode_getattr = selinux_inode_getattr,
5592 .inode_setxattr = selinux_inode_setxattr,
5593 .inode_post_setxattr = selinux_inode_post_setxattr,
5594 .inode_getxattr = selinux_inode_getxattr,
5595 .inode_listxattr = selinux_inode_listxattr,
5596 .inode_removexattr = selinux_inode_removexattr,
5597 .inode_getsecurity = selinux_inode_getsecurity,
5598 .inode_setsecurity = selinux_inode_setsecurity,
5599 .inode_listsecurity = selinux_inode_listsecurity,
5600 .inode_getsecid = selinux_inode_getsecid,
5602 .file_permission = selinux_file_permission,
5603 .file_alloc_security = selinux_file_alloc_security,
5604 .file_free_security = selinux_file_free_security,
5605 .file_ioctl = selinux_file_ioctl,
5606 .mmap_file = selinux_mmap_file,
5607 .mmap_addr = selinux_mmap_addr,
5608 .file_mprotect = selinux_file_mprotect,
5609 .file_lock = selinux_file_lock,
5610 .file_fcntl = selinux_file_fcntl,
5611 .file_set_fowner = selinux_file_set_fowner,
5612 .file_send_sigiotask = selinux_file_send_sigiotask,
5613 .file_receive = selinux_file_receive,
5615 .file_open = selinux_file_open,
5617 .task_create = selinux_task_create,
5618 .cred_alloc_blank = selinux_cred_alloc_blank,
5619 .cred_free = selinux_cred_free,
5620 .cred_prepare = selinux_cred_prepare,
5621 .cred_transfer = selinux_cred_transfer,
5622 .kernel_act_as = selinux_kernel_act_as,
5623 .kernel_create_files_as = selinux_kernel_create_files_as,
5624 .kernel_module_request = selinux_kernel_module_request,
5625 .task_setpgid = selinux_task_setpgid,
5626 .task_getpgid = selinux_task_getpgid,
5627 .task_getsid = selinux_task_getsid,
5628 .task_getsecid = selinux_task_getsecid,
5629 .task_setnice = selinux_task_setnice,
5630 .task_setioprio = selinux_task_setioprio,
5631 .task_getioprio = selinux_task_getioprio,
5632 .task_setrlimit = selinux_task_setrlimit,
5633 .task_setscheduler = selinux_task_setscheduler,
5634 .task_getscheduler = selinux_task_getscheduler,
5635 .task_movememory = selinux_task_movememory,
5636 .task_kill = selinux_task_kill,
5637 .task_wait = selinux_task_wait,
5638 .task_to_inode = selinux_task_to_inode,
5640 .ipc_permission = selinux_ipc_permission,
5641 .ipc_getsecid = selinux_ipc_getsecid,
5643 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5644 .msg_msg_free_security = selinux_msg_msg_free_security,
5646 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5647 .msg_queue_free_security = selinux_msg_queue_free_security,
5648 .msg_queue_associate = selinux_msg_queue_associate,
5649 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5650 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5651 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5653 .shm_alloc_security = selinux_shm_alloc_security,
5654 .shm_free_security = selinux_shm_free_security,
5655 .shm_associate = selinux_shm_associate,
5656 .shm_shmctl = selinux_shm_shmctl,
5657 .shm_shmat = selinux_shm_shmat,
5659 .sem_alloc_security = selinux_sem_alloc_security,
5660 .sem_free_security = selinux_sem_free_security,
5661 .sem_associate = selinux_sem_associate,
5662 .sem_semctl = selinux_sem_semctl,
5663 .sem_semop = selinux_sem_semop,
5665 .d_instantiate = selinux_d_instantiate,
5667 .getprocattr = selinux_getprocattr,
5668 .setprocattr = selinux_setprocattr,
5670 .secid_to_secctx = selinux_secid_to_secctx,
5671 .secctx_to_secid = selinux_secctx_to_secid,
5672 .release_secctx = selinux_release_secctx,
5673 .inode_notifysecctx = selinux_inode_notifysecctx,
5674 .inode_setsecctx = selinux_inode_setsecctx,
5675 .inode_getsecctx = selinux_inode_getsecctx,
5677 .unix_stream_connect = selinux_socket_unix_stream_connect,
5678 .unix_may_send = selinux_socket_unix_may_send,
5680 .socket_create = selinux_socket_create,
5681 .socket_post_create = selinux_socket_post_create,
5682 .socket_bind = selinux_socket_bind,
5683 .socket_connect = selinux_socket_connect,
5684 .socket_listen = selinux_socket_listen,
5685 .socket_accept = selinux_socket_accept,
5686 .socket_sendmsg = selinux_socket_sendmsg,
5687 .socket_recvmsg = selinux_socket_recvmsg,
5688 .socket_getsockname = selinux_socket_getsockname,
5689 .socket_getpeername = selinux_socket_getpeername,
5690 .socket_getsockopt = selinux_socket_getsockopt,
5691 .socket_setsockopt = selinux_socket_setsockopt,
5692 .socket_shutdown = selinux_socket_shutdown,
5693 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5694 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5695 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5696 .sk_alloc_security = selinux_sk_alloc_security,
5697 .sk_free_security = selinux_sk_free_security,
5698 .sk_clone_security = selinux_sk_clone_security,
5699 .sk_getsecid = selinux_sk_getsecid,
5700 .sock_graft = selinux_sock_graft,
5701 .inet_conn_request = selinux_inet_conn_request,
5702 .inet_csk_clone = selinux_inet_csk_clone,
5703 .inet_conn_established = selinux_inet_conn_established,
5704 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5705 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5706 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5707 .req_classify_flow = selinux_req_classify_flow,
5708 .tun_dev_alloc_security = selinux_tun_dev_alloc_security,
5709 .tun_dev_free_security = selinux_tun_dev_free_security,
5710 .tun_dev_create = selinux_tun_dev_create,
5711 .tun_dev_attach_queue = selinux_tun_dev_attach_queue,
5712 .tun_dev_attach = selinux_tun_dev_attach,
5713 .tun_dev_open = selinux_tun_dev_open,
5714 .skb_owned_by = selinux_skb_owned_by,
5716 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5717 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5718 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5719 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5720 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5721 .xfrm_state_alloc = selinux_xfrm_state_alloc,
5722 .xfrm_state_alloc_acquire = selinux_xfrm_state_alloc_acquire,
5723 .xfrm_state_free_security = selinux_xfrm_state_free,
5724 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5725 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5726 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5727 .xfrm_decode_session = selinux_xfrm_decode_session,
5731 .key_alloc = selinux_key_alloc,
5732 .key_free = selinux_key_free,
5733 .key_permission = selinux_key_permission,
5734 .key_getsecurity = selinux_key_getsecurity,
5738 .audit_rule_init = selinux_audit_rule_init,
5739 .audit_rule_known = selinux_audit_rule_known,
5740 .audit_rule_match = selinux_audit_rule_match,
5741 .audit_rule_free = selinux_audit_rule_free,
5745 static __init int selinux_init(void)
5747 if (!security_module_enable(&selinux_ops)) {
5748 selinux_enabled = 0;
5752 if (!selinux_enabled) {
5753 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5757 printk(KERN_INFO "SELinux: Initializing.\n");
5759 /* Set the security state for the initial task. */
5760 cred_init_security();
5762 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5764 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5765 sizeof(struct inode_security_struct),
5766 0, SLAB_PANIC, NULL);
5769 if (register_security(&selinux_ops))
5770 panic("SELinux: Unable to register with kernel.\n");
5772 if (selinux_enforcing)
5773 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5775 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5780 static void delayed_superblock_init(struct super_block *sb, void *unused)
5782 superblock_doinit(sb, NULL);
5785 void selinux_complete_init(void)
5787 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5789 /* Set up any superblocks initialized prior to the policy load. */
5790 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5791 iterate_supers(delayed_superblock_init, NULL);
5794 /* SELinux requires early initialization in order to label
5795 all processes and objects when they are created. */
5796 security_initcall(selinux_init);
5798 #if defined(CONFIG_NETFILTER)
5800 static struct nf_hook_ops selinux_ipv4_ops[] = {
5802 .hook = selinux_ipv4_postroute,
5803 .owner = THIS_MODULE,
5805 .hooknum = NF_INET_POST_ROUTING,
5806 .priority = NF_IP_PRI_SELINUX_LAST,
5809 .hook = selinux_ipv4_forward,
5810 .owner = THIS_MODULE,
5812 .hooknum = NF_INET_FORWARD,
5813 .priority = NF_IP_PRI_SELINUX_FIRST,
5816 .hook = selinux_ipv4_output,
5817 .owner = THIS_MODULE,
5819 .hooknum = NF_INET_LOCAL_OUT,
5820 .priority = NF_IP_PRI_SELINUX_FIRST,
5824 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5826 static struct nf_hook_ops selinux_ipv6_ops[] = {
5828 .hook = selinux_ipv6_postroute,
5829 .owner = THIS_MODULE,
5831 .hooknum = NF_INET_POST_ROUTING,
5832 .priority = NF_IP6_PRI_SELINUX_LAST,
5835 .hook = selinux_ipv6_forward,
5836 .owner = THIS_MODULE,
5838 .hooknum = NF_INET_FORWARD,
5839 .priority = NF_IP6_PRI_SELINUX_FIRST,
5845 static int __init selinux_nf_ip_init(void)
5849 if (!selinux_enabled)
5852 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5854 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5856 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5858 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5859 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5861 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5868 __initcall(selinux_nf_ip_init);
5870 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5871 static void selinux_nf_ip_exit(void)
5873 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5875 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5876 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5877 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5882 #else /* CONFIG_NETFILTER */
5884 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5885 #define selinux_nf_ip_exit()
5888 #endif /* CONFIG_NETFILTER */
5890 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5891 static int selinux_disabled;
5893 int selinux_disable(void)
5895 if (ss_initialized) {
5896 /* Not permitted after initial policy load. */
5900 if (selinux_disabled) {
5901 /* Only do this once. */
5905 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5907 selinux_disabled = 1;
5908 selinux_enabled = 0;
5910 reset_security_ops();
5912 /* Try to destroy the avc node cache */
5915 /* Unregister netfilter hooks. */
5916 selinux_nf_ip_exit();
5918 /* Unregister selinuxfs. */