2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
53 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
97 extern struct security_operations *security_ops;
99 /* SECMARK reference count */
100 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing;
105 static int __init enforcing_setup(char *str)
107 unsigned long enforcing;
108 if (!strict_strtoul(str, 0, &enforcing))
109 selinux_enforcing = enforcing ? 1 : 0;
112 __setup("enforcing=", enforcing_setup);
115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118 static int __init selinux_enabled_setup(char *str)
120 unsigned long enabled;
121 if (!strict_strtoul(str, 0, &enabled))
122 selinux_enabled = enabled ? 1 : 0;
125 __setup("selinux=", selinux_enabled_setup);
127 int selinux_enabled = 1;
130 static struct kmem_cache *sel_inode_cache;
133 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
136 * This function checks the SECMARK reference counter to see if any SECMARK
137 * targets are currently configured, if the reference counter is greater than
138 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
139 * enabled, false (0) if SECMARK is disabled.
142 static int selinux_secmark_enabled(void)
144 return (atomic_read(&selinux_secmark_refcount) > 0);
148 * initialise the security for the init task
150 static void cred_init_security(void)
152 struct cred *cred = (struct cred *) current->real_cred;
153 struct task_security_struct *tsec;
155 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
157 panic("SELinux: Failed to initialize initial task.\n");
159 tsec->osid = tsec->sid = SECINITSID_KERNEL;
160 cred->security = tsec;
164 * get the security ID of a set of credentials
166 static inline u32 cred_sid(const struct cred *cred)
168 const struct task_security_struct *tsec;
170 tsec = cred->security;
175 * get the objective security ID of a task
177 static inline u32 task_sid(const struct task_struct *task)
182 sid = cred_sid(__task_cred(task));
188 * get the subjective security ID of the current task
190 static inline u32 current_sid(void)
192 const struct task_security_struct *tsec = current_security();
197 /* Allocate and free functions for each kind of security blob. */
199 static int inode_alloc_security(struct inode *inode)
201 struct inode_security_struct *isec;
202 u32 sid = current_sid();
204 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
208 mutex_init(&isec->lock);
209 INIT_LIST_HEAD(&isec->list);
211 isec->sid = SECINITSID_UNLABELED;
212 isec->sclass = SECCLASS_FILE;
213 isec->task_sid = sid;
214 inode->i_security = isec;
219 static void inode_free_security(struct inode *inode)
221 struct inode_security_struct *isec = inode->i_security;
222 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
224 spin_lock(&sbsec->isec_lock);
225 if (!list_empty(&isec->list))
226 list_del_init(&isec->list);
227 spin_unlock(&sbsec->isec_lock);
229 inode->i_security = NULL;
230 kmem_cache_free(sel_inode_cache, isec);
233 static int file_alloc_security(struct file *file)
235 struct file_security_struct *fsec;
236 u32 sid = current_sid();
238 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
243 fsec->fown_sid = sid;
244 file->f_security = fsec;
249 static void file_free_security(struct file *file)
251 struct file_security_struct *fsec = file->f_security;
252 file->f_security = NULL;
256 static int superblock_alloc_security(struct super_block *sb)
258 struct superblock_security_struct *sbsec;
260 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
264 mutex_init(&sbsec->lock);
265 INIT_LIST_HEAD(&sbsec->isec_head);
266 spin_lock_init(&sbsec->isec_lock);
268 sbsec->sid = SECINITSID_UNLABELED;
269 sbsec->def_sid = SECINITSID_FILE;
270 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
271 sb->s_security = sbsec;
276 static void superblock_free_security(struct super_block *sb)
278 struct superblock_security_struct *sbsec = sb->s_security;
279 sb->s_security = NULL;
283 /* The file system's label must be initialized prior to use. */
285 static const char *labeling_behaviors[6] = {
287 "uses transition SIDs",
289 "uses genfs_contexts",
290 "not configured for labeling",
291 "uses mountpoint labeling",
294 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
296 static inline int inode_doinit(struct inode *inode)
298 return inode_doinit_with_dentry(inode, NULL);
307 Opt_labelsupport = 5,
311 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
313 static const match_table_t tokens = {
314 {Opt_context, CONTEXT_STR "%s"},
315 {Opt_fscontext, FSCONTEXT_STR "%s"},
316 {Opt_defcontext, DEFCONTEXT_STR "%s"},
317 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
318 {Opt_labelsupport, LABELSUPP_STR},
322 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
324 static int may_context_mount_sb_relabel(u32 sid,
325 struct superblock_security_struct *sbsec,
326 const struct cred *cred)
328 const struct task_security_struct *tsec = cred->security;
331 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
332 FILESYSTEM__RELABELFROM, NULL);
336 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
337 FILESYSTEM__RELABELTO, NULL);
341 static int may_context_mount_inode_relabel(u32 sid,
342 struct superblock_security_struct *sbsec,
343 const struct cred *cred)
345 const struct task_security_struct *tsec = cred->security;
347 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELFROM, NULL);
352 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
353 FILESYSTEM__ASSOCIATE, NULL);
357 static int sb_finish_set_opts(struct super_block *sb)
359 struct superblock_security_struct *sbsec = sb->s_security;
360 struct dentry *root = sb->s_root;
361 struct inode *root_inode = root->d_inode;
364 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
365 /* Make sure that the xattr handler exists and that no
366 error other than -ENODATA is returned by getxattr on
367 the root directory. -ENODATA is ok, as this may be
368 the first boot of the SELinux kernel before we have
369 assigned xattr values to the filesystem. */
370 if (!root_inode->i_op->getxattr) {
371 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
372 "xattr support\n", sb->s_id, sb->s_type->name);
376 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
377 if (rc < 0 && rc != -ENODATA) {
378 if (rc == -EOPNOTSUPP)
379 printk(KERN_WARNING "SELinux: (dev %s, type "
380 "%s) has no security xattr handler\n",
381 sb->s_id, sb->s_type->name);
383 printk(KERN_WARNING "SELinux: (dev %s, type "
384 "%s) getxattr errno %d\n", sb->s_id,
385 sb->s_type->name, -rc);
390 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
391 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
392 sb->s_id, sb->s_type->name);
394 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
395 sb->s_id, sb->s_type->name,
396 labeling_behaviors[sbsec->behavior-1]);
398 sbsec->flags |= SE_SBINITIALIZED;
399 if (sbsec->behavior == SECURITY_FS_USE_XATTR ||
400 sbsec->behavior == SECURITY_FS_USE_TRANS ||
401 sbsec->behavior == SECURITY_FS_USE_TASK)
402 sbsec->flags |= SBLABEL_MNT;
404 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
405 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
406 sbsec->flags |= SBLABEL_MNT;
409 * Special handling for rootfs. Is genfs but supports
410 * setting SELinux context on in-core inodes.
412 if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
413 sbsec->flags |= SBLABEL_MNT;
415 /* Initialize the root inode. */
416 rc = inode_doinit_with_dentry(root_inode, root);
418 /* Initialize any other inodes associated with the superblock, e.g.
419 inodes created prior to initial policy load or inodes created
420 during get_sb by a pseudo filesystem that directly
422 spin_lock(&sbsec->isec_lock);
424 if (!list_empty(&sbsec->isec_head)) {
425 struct inode_security_struct *isec =
426 list_entry(sbsec->isec_head.next,
427 struct inode_security_struct, list);
428 struct inode *inode = isec->inode;
429 spin_unlock(&sbsec->isec_lock);
430 inode = igrab(inode);
432 if (!IS_PRIVATE(inode))
436 spin_lock(&sbsec->isec_lock);
437 list_del_init(&isec->list);
440 spin_unlock(&sbsec->isec_lock);
446 * This function should allow an FS to ask what it's mount security
447 * options were so it can use those later for submounts, displaying
448 * mount options, or whatever.
450 static int selinux_get_mnt_opts(const struct super_block *sb,
451 struct security_mnt_opts *opts)
454 struct superblock_security_struct *sbsec = sb->s_security;
455 char *context = NULL;
459 security_init_mnt_opts(opts);
461 if (!(sbsec->flags & SE_SBINITIALIZED))
467 /* make sure we always check enough bits to cover the mask */
468 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
470 tmp = sbsec->flags & SE_MNTMASK;
471 /* count the number of mount options for this sb */
472 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
474 opts->num_mnt_opts++;
477 /* Check if the Label support flag is set */
478 if (sbsec->flags & SBLABEL_MNT)
479 opts->num_mnt_opts++;
481 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
482 if (!opts->mnt_opts) {
487 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
488 if (!opts->mnt_opts_flags) {
494 if (sbsec->flags & FSCONTEXT_MNT) {
495 rc = security_sid_to_context(sbsec->sid, &context, &len);
498 opts->mnt_opts[i] = context;
499 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
501 if (sbsec->flags & CONTEXT_MNT) {
502 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
505 opts->mnt_opts[i] = context;
506 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
508 if (sbsec->flags & DEFCONTEXT_MNT) {
509 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
512 opts->mnt_opts[i] = context;
513 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
515 if (sbsec->flags & ROOTCONTEXT_MNT) {
516 struct inode *root = sbsec->sb->s_root->d_inode;
517 struct inode_security_struct *isec = root->i_security;
519 rc = security_sid_to_context(isec->sid, &context, &len);
522 opts->mnt_opts[i] = context;
523 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
525 if (sbsec->flags & SBLABEL_MNT) {
526 opts->mnt_opts[i] = NULL;
527 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
530 BUG_ON(i != opts->num_mnt_opts);
535 security_free_mnt_opts(opts);
539 static int bad_option(struct superblock_security_struct *sbsec, char flag,
540 u32 old_sid, u32 new_sid)
542 char mnt_flags = sbsec->flags & SE_MNTMASK;
544 /* check if the old mount command had the same options */
545 if (sbsec->flags & SE_SBINITIALIZED)
546 if (!(sbsec->flags & flag) ||
547 (old_sid != new_sid))
550 /* check if we were passed the same options twice,
551 * aka someone passed context=a,context=b
553 if (!(sbsec->flags & SE_SBINITIALIZED))
554 if (mnt_flags & flag)
560 * Allow filesystems with binary mount data to explicitly set mount point
561 * labeling information.
563 static int selinux_set_mnt_opts(struct super_block *sb,
564 struct security_mnt_opts *opts)
566 const struct cred *cred = current_cred();
568 struct superblock_security_struct *sbsec = sb->s_security;
569 const char *name = sb->s_type->name;
570 struct inode *inode = sbsec->sb->s_root->d_inode;
571 struct inode_security_struct *root_isec = inode->i_security;
572 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
573 u32 defcontext_sid = 0;
574 char **mount_options = opts->mnt_opts;
575 int *flags = opts->mnt_opts_flags;
576 int num_opts = opts->num_mnt_opts;
578 mutex_lock(&sbsec->lock);
580 if (!ss_initialized) {
582 /* Defer initialization until selinux_complete_init,
583 after the initial policy is loaded and the security
584 server is ready to handle calls. */
588 printk(KERN_WARNING "SELinux: Unable to set superblock options "
589 "before the security server is initialized\n");
594 * Binary mount data FS will come through this function twice. Once
595 * from an explicit call and once from the generic calls from the vfs.
596 * Since the generic VFS calls will not contain any security mount data
597 * we need to skip the double mount verification.
599 * This does open a hole in which we will not notice if the first
600 * mount using this sb set explict options and a second mount using
601 * this sb does not set any security options. (The first options
602 * will be used for both mounts)
604 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
609 * parse the mount options, check if they are valid sids.
610 * also check if someone is trying to mount the same sb more
611 * than once with different security options.
613 for (i = 0; i < num_opts; i++) {
616 if (flags[i] == SBLABEL_MNT)
618 rc = security_context_to_sid(mount_options[i],
619 strlen(mount_options[i]), &sid);
621 printk(KERN_WARNING "SELinux: security_context_to_sid"
622 "(%s) failed for (dev %s, type %s) errno=%d\n",
623 mount_options[i], sb->s_id, name, rc);
630 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
632 goto out_double_mount;
634 sbsec->flags |= FSCONTEXT_MNT;
639 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
641 goto out_double_mount;
643 sbsec->flags |= CONTEXT_MNT;
645 case ROOTCONTEXT_MNT:
646 rootcontext_sid = sid;
648 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
650 goto out_double_mount;
652 sbsec->flags |= ROOTCONTEXT_MNT;
656 defcontext_sid = sid;
658 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
660 goto out_double_mount;
662 sbsec->flags |= DEFCONTEXT_MNT;
671 if (sbsec->flags & SE_SBINITIALIZED) {
672 /* previously mounted with options, but not on this attempt? */
673 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
674 goto out_double_mount;
679 if (strcmp(sb->s_type->name, "proc") == 0)
680 sbsec->flags |= SE_SBPROC;
682 /* Determine the labeling behavior to use for this filesystem type. */
683 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
685 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
686 __func__, sb->s_type->name, rc);
690 /* sets the context of the superblock for the fs being mounted. */
692 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
696 sbsec->sid = fscontext_sid;
700 * Switch to using mount point labeling behavior.
701 * sets the label used on all file below the mountpoint, and will set
702 * the superblock context if not already set.
705 if (!fscontext_sid) {
706 rc = may_context_mount_sb_relabel(context_sid, sbsec,
710 sbsec->sid = context_sid;
712 rc = may_context_mount_inode_relabel(context_sid, sbsec,
717 if (!rootcontext_sid)
718 rootcontext_sid = context_sid;
720 sbsec->mntpoint_sid = context_sid;
721 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
724 if (rootcontext_sid) {
725 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
730 root_isec->sid = rootcontext_sid;
731 root_isec->initialized = 1;
734 if (defcontext_sid) {
735 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
737 printk(KERN_WARNING "SELinux: defcontext option is "
738 "invalid for this filesystem type\n");
742 if (defcontext_sid != sbsec->def_sid) {
743 rc = may_context_mount_inode_relabel(defcontext_sid,
749 sbsec->def_sid = defcontext_sid;
752 rc = sb_finish_set_opts(sb);
754 mutex_unlock(&sbsec->lock);
758 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
759 "security settings for (dev %s, type %s)\n", sb->s_id, name);
763 static int selinux_cmp_sb_context(const struct super_block *oldsb,
764 const struct super_block *newsb)
766 struct superblock_security_struct *old = oldsb->s_security;
767 struct superblock_security_struct *new = newsb->s_security;
768 char oldflags = old->flags & SE_MNTMASK;
769 char newflags = new->flags & SE_MNTMASK;
771 if (oldflags != newflags)
773 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
775 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
777 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
779 if (oldflags & ROOTCONTEXT_MNT) {
780 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
781 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
782 if (oldroot->sid != newroot->sid)
787 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
788 "different security settings for (dev %s, "
789 "type %s)\n", newsb->s_id, newsb->s_type->name);
793 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
794 struct super_block *newsb)
796 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
797 struct superblock_security_struct *newsbsec = newsb->s_security;
799 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
800 int set_context = (oldsbsec->flags & CONTEXT_MNT);
801 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
804 * if the parent was able to be mounted it clearly had no special lsm
805 * mount options. thus we can safely deal with this superblock later
810 /* how can we clone if the old one wasn't set up?? */
811 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
813 /* if fs is reusing a sb, make sure that the contexts match */
814 if (newsbsec->flags & SE_SBINITIALIZED)
815 return selinux_cmp_sb_context(oldsb, newsb);
817 mutex_lock(&newsbsec->lock);
819 newsbsec->flags = oldsbsec->flags;
821 newsbsec->sid = oldsbsec->sid;
822 newsbsec->def_sid = oldsbsec->def_sid;
823 newsbsec->behavior = oldsbsec->behavior;
826 u32 sid = oldsbsec->mntpoint_sid;
830 if (!set_rootcontext) {
831 struct inode *newinode = newsb->s_root->d_inode;
832 struct inode_security_struct *newisec = newinode->i_security;
835 newsbsec->mntpoint_sid = sid;
837 if (set_rootcontext) {
838 const struct inode *oldinode = oldsb->s_root->d_inode;
839 const struct inode_security_struct *oldisec = oldinode->i_security;
840 struct inode *newinode = newsb->s_root->d_inode;
841 struct inode_security_struct *newisec = newinode->i_security;
843 newisec->sid = oldisec->sid;
846 sb_finish_set_opts(newsb);
847 mutex_unlock(&newsbsec->lock);
851 static int selinux_parse_opts_str(char *options,
852 struct security_mnt_opts *opts)
855 char *context = NULL, *defcontext = NULL;
856 char *fscontext = NULL, *rootcontext = NULL;
857 int rc, num_mnt_opts = 0;
859 opts->num_mnt_opts = 0;
861 /* Standard string-based options. */
862 while ((p = strsep(&options, "|")) != NULL) {
864 substring_t args[MAX_OPT_ARGS];
869 token = match_token(p, tokens, args);
873 if (context || defcontext) {
875 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
878 context = match_strdup(&args[0]);
888 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
891 fscontext = match_strdup(&args[0]);
898 case Opt_rootcontext:
901 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
904 rootcontext = match_strdup(&args[0]);
912 if (context || defcontext) {
914 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
917 defcontext = match_strdup(&args[0]);
923 case Opt_labelsupport:
927 printk(KERN_WARNING "SELinux: unknown mount option\n");
934 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
938 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
939 if (!opts->mnt_opts_flags) {
940 kfree(opts->mnt_opts);
945 opts->mnt_opts[num_mnt_opts] = fscontext;
946 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
949 opts->mnt_opts[num_mnt_opts] = context;
950 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
953 opts->mnt_opts[num_mnt_opts] = rootcontext;
954 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
957 opts->mnt_opts[num_mnt_opts] = defcontext;
958 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
961 opts->num_mnt_opts = num_mnt_opts;
972 * string mount options parsing and call set the sbsec
974 static int superblock_doinit(struct super_block *sb, void *data)
977 char *options = data;
978 struct security_mnt_opts opts;
980 security_init_mnt_opts(&opts);
985 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
987 rc = selinux_parse_opts_str(options, &opts);
992 rc = selinux_set_mnt_opts(sb, &opts);
995 security_free_mnt_opts(&opts);
999 static void selinux_write_opts(struct seq_file *m,
1000 struct security_mnt_opts *opts)
1005 for (i = 0; i < opts->num_mnt_opts; i++) {
1008 if (opts->mnt_opts[i])
1009 has_comma = strchr(opts->mnt_opts[i], ',');
1013 switch (opts->mnt_opts_flags[i]) {
1015 prefix = CONTEXT_STR;
1018 prefix = FSCONTEXT_STR;
1020 case ROOTCONTEXT_MNT:
1021 prefix = ROOTCONTEXT_STR;
1023 case DEFCONTEXT_MNT:
1024 prefix = DEFCONTEXT_STR;
1028 seq_puts(m, LABELSUPP_STR);
1034 /* we need a comma before each option */
1036 seq_puts(m, prefix);
1039 seq_puts(m, opts->mnt_opts[i]);
1045 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1047 struct security_mnt_opts opts;
1050 rc = selinux_get_mnt_opts(sb, &opts);
1052 /* before policy load we may get EINVAL, don't show anything */
1058 selinux_write_opts(m, &opts);
1060 security_free_mnt_opts(&opts);
1065 static inline u16 inode_mode_to_security_class(umode_t mode)
1067 switch (mode & S_IFMT) {
1069 return SECCLASS_SOCK_FILE;
1071 return SECCLASS_LNK_FILE;
1073 return SECCLASS_FILE;
1075 return SECCLASS_BLK_FILE;
1077 return SECCLASS_DIR;
1079 return SECCLASS_CHR_FILE;
1081 return SECCLASS_FIFO_FILE;
1085 return SECCLASS_FILE;
1088 static inline int default_protocol_stream(int protocol)
1090 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1093 static inline int default_protocol_dgram(int protocol)
1095 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1098 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1104 case SOCK_SEQPACKET:
1105 return SECCLASS_UNIX_STREAM_SOCKET;
1107 return SECCLASS_UNIX_DGRAM_SOCKET;
1114 if (default_protocol_stream(protocol))
1115 return SECCLASS_TCP_SOCKET;
1117 return SECCLASS_RAWIP_SOCKET;
1119 if (default_protocol_dgram(protocol))
1120 return SECCLASS_UDP_SOCKET;
1122 return SECCLASS_RAWIP_SOCKET;
1124 return SECCLASS_DCCP_SOCKET;
1126 return SECCLASS_RAWIP_SOCKET;
1132 return SECCLASS_NETLINK_ROUTE_SOCKET;
1133 case NETLINK_FIREWALL:
1134 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1135 case NETLINK_SOCK_DIAG:
1136 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1138 return SECCLASS_NETLINK_NFLOG_SOCKET;
1140 return SECCLASS_NETLINK_XFRM_SOCKET;
1141 case NETLINK_SELINUX:
1142 return SECCLASS_NETLINK_SELINUX_SOCKET;
1144 return SECCLASS_NETLINK_AUDIT_SOCKET;
1145 case NETLINK_IP6_FW:
1146 return SECCLASS_NETLINK_IP6FW_SOCKET;
1147 case NETLINK_DNRTMSG:
1148 return SECCLASS_NETLINK_DNRT_SOCKET;
1149 case NETLINK_KOBJECT_UEVENT:
1150 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1152 return SECCLASS_NETLINK_SOCKET;
1155 return SECCLASS_PACKET_SOCKET;
1157 return SECCLASS_KEY_SOCKET;
1159 return SECCLASS_APPLETALK_SOCKET;
1162 return SECCLASS_SOCKET;
1165 #ifdef CONFIG_PROC_FS
1166 static int selinux_proc_get_sid(struct dentry *dentry,
1171 char *buffer, *path;
1173 buffer = (char *)__get_free_page(GFP_KERNEL);
1177 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1181 /* each process gets a /proc/PID/ entry. Strip off the
1182 * PID part to get a valid selinux labeling.
1183 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1184 while (path[1] >= '0' && path[1] <= '9') {
1188 rc = security_genfs_sid("proc", path, tclass, sid);
1190 free_page((unsigned long)buffer);
1194 static int selinux_proc_get_sid(struct dentry *dentry,
1202 /* The inode's security attributes must be initialized before first use. */
1203 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1205 struct superblock_security_struct *sbsec = NULL;
1206 struct inode_security_struct *isec = inode->i_security;
1208 struct dentry *dentry;
1209 #define INITCONTEXTLEN 255
1210 char *context = NULL;
1214 if (isec->initialized)
1217 mutex_lock(&isec->lock);
1218 if (isec->initialized)
1221 sbsec = inode->i_sb->s_security;
1222 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1223 /* Defer initialization until selinux_complete_init,
1224 after the initial policy is loaded and the security
1225 server is ready to handle calls. */
1226 spin_lock(&sbsec->isec_lock);
1227 if (list_empty(&isec->list))
1228 list_add(&isec->list, &sbsec->isec_head);
1229 spin_unlock(&sbsec->isec_lock);
1233 switch (sbsec->behavior) {
1234 case SECURITY_FS_USE_XATTR:
1235 if (!inode->i_op->getxattr) {
1236 isec->sid = sbsec->def_sid;
1240 /* Need a dentry, since the xattr API requires one.
1241 Life would be simpler if we could just pass the inode. */
1243 /* Called from d_instantiate or d_splice_alias. */
1244 dentry = dget(opt_dentry);
1246 /* Called from selinux_complete_init, try to find a dentry. */
1247 dentry = d_find_alias(inode);
1251 * this is can be hit on boot when a file is accessed
1252 * before the policy is loaded. When we load policy we
1253 * may find inodes that have no dentry on the
1254 * sbsec->isec_head list. No reason to complain as these
1255 * will get fixed up the next time we go through
1256 * inode_doinit with a dentry, before these inodes could
1257 * be used again by userspace.
1262 len = INITCONTEXTLEN;
1263 context = kmalloc(len+1, GFP_NOFS);
1269 context[len] = '\0';
1270 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1272 if (rc == -ERANGE) {
1275 /* Need a larger buffer. Query for the right size. */
1276 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1283 context = kmalloc(len+1, GFP_NOFS);
1289 context[len] = '\0';
1290 rc = inode->i_op->getxattr(dentry,
1296 if (rc != -ENODATA) {
1297 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1298 "%d for dev=%s ino=%ld\n", __func__,
1299 -rc, inode->i_sb->s_id, inode->i_ino);
1303 /* Map ENODATA to the default file SID */
1304 sid = sbsec->def_sid;
1307 rc = security_context_to_sid_default(context, rc, &sid,
1311 char *dev = inode->i_sb->s_id;
1312 unsigned long ino = inode->i_ino;
1314 if (rc == -EINVAL) {
1315 if (printk_ratelimit())
1316 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1317 "context=%s. This indicates you may need to relabel the inode or the "
1318 "filesystem in question.\n", ino, dev, context);
1320 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1321 "returned %d for dev=%s ino=%ld\n",
1322 __func__, context, -rc, dev, ino);
1325 /* Leave with the unlabeled SID */
1333 case SECURITY_FS_USE_TASK:
1334 isec->sid = isec->task_sid;
1336 case SECURITY_FS_USE_TRANS:
1337 /* Default to the fs SID. */
1338 isec->sid = sbsec->sid;
1340 /* Try to obtain a transition SID. */
1341 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1342 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1343 isec->sclass, NULL, &sid);
1348 case SECURITY_FS_USE_MNTPOINT:
1349 isec->sid = sbsec->mntpoint_sid;
1352 /* Default to the fs superblock SID. */
1353 isec->sid = sbsec->sid;
1355 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1357 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1358 rc = selinux_proc_get_sid(opt_dentry,
1369 isec->initialized = 1;
1372 mutex_unlock(&isec->lock);
1374 if (isec->sclass == SECCLASS_FILE)
1375 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1379 /* Convert a Linux signal to an access vector. */
1380 static inline u32 signal_to_av(int sig)
1386 /* Commonly granted from child to parent. */
1387 perm = PROCESS__SIGCHLD;
1390 /* Cannot be caught or ignored */
1391 perm = PROCESS__SIGKILL;
1394 /* Cannot be caught or ignored */
1395 perm = PROCESS__SIGSTOP;
1398 /* All other signals. */
1399 perm = PROCESS__SIGNAL;
1407 * Check permission between a pair of credentials
1408 * fork check, ptrace check, etc.
1410 static int cred_has_perm(const struct cred *actor,
1411 const struct cred *target,
1414 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1416 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1420 * Check permission between a pair of tasks, e.g. signal checks,
1421 * fork check, ptrace check, etc.
1422 * tsk1 is the actor and tsk2 is the target
1423 * - this uses the default subjective creds of tsk1
1425 static int task_has_perm(const struct task_struct *tsk1,
1426 const struct task_struct *tsk2,
1429 const struct task_security_struct *__tsec1, *__tsec2;
1433 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1434 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1436 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1440 * Check permission between current and another task, e.g. signal checks,
1441 * fork check, ptrace check, etc.
1442 * current is the actor and tsk2 is the target
1443 * - this uses current's subjective creds
1445 static int current_has_perm(const struct task_struct *tsk,
1450 sid = current_sid();
1451 tsid = task_sid(tsk);
1452 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1455 #if CAP_LAST_CAP > 63
1456 #error Fix SELinux to handle capabilities > 63.
1459 /* Check whether a task is allowed to use a capability. */
1460 static int cred_has_capability(const struct cred *cred,
1463 struct common_audit_data ad;
1464 struct av_decision avd;
1466 u32 sid = cred_sid(cred);
1467 u32 av = CAP_TO_MASK(cap);
1470 ad.type = LSM_AUDIT_DATA_CAP;
1473 switch (CAP_TO_INDEX(cap)) {
1475 sclass = SECCLASS_CAPABILITY;
1478 sclass = SECCLASS_CAPABILITY2;
1482 "SELinux: out of range capability %d\n", cap);
1487 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1488 if (audit == SECURITY_CAP_AUDIT) {
1489 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1496 /* Check whether a task is allowed to use a system operation. */
1497 static int task_has_system(struct task_struct *tsk,
1500 u32 sid = task_sid(tsk);
1502 return avc_has_perm(sid, SECINITSID_KERNEL,
1503 SECCLASS_SYSTEM, perms, NULL);
1506 /* Check whether a task has a particular permission to an inode.
1507 The 'adp' parameter is optional and allows other audit
1508 data to be passed (e.g. the dentry). */
1509 static int inode_has_perm(const struct cred *cred,
1510 struct inode *inode,
1512 struct common_audit_data *adp,
1515 struct inode_security_struct *isec;
1518 validate_creds(cred);
1520 if (unlikely(IS_PRIVATE(inode)))
1523 sid = cred_sid(cred);
1524 isec = inode->i_security;
1526 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1529 /* Same as inode_has_perm, but pass explicit audit data containing
1530 the dentry to help the auditing code to more easily generate the
1531 pathname if needed. */
1532 static inline int dentry_has_perm(const struct cred *cred,
1533 struct dentry *dentry,
1536 struct inode *inode = dentry->d_inode;
1537 struct common_audit_data ad;
1539 ad.type = LSM_AUDIT_DATA_DENTRY;
1540 ad.u.dentry = dentry;
1541 return inode_has_perm(cred, inode, av, &ad, 0);
1544 /* Same as inode_has_perm, but pass explicit audit data containing
1545 the path to help the auditing code to more easily generate the
1546 pathname if needed. */
1547 static inline int path_has_perm(const struct cred *cred,
1551 struct inode *inode = path->dentry->d_inode;
1552 struct common_audit_data ad;
1554 ad.type = LSM_AUDIT_DATA_PATH;
1556 return inode_has_perm(cred, inode, av, &ad, 0);
1559 /* Check whether a task can use an open file descriptor to
1560 access an inode in a given way. Check access to the
1561 descriptor itself, and then use dentry_has_perm to
1562 check a particular permission to the file.
1563 Access to the descriptor is implicitly granted if it
1564 has the same SID as the process. If av is zero, then
1565 access to the file is not checked, e.g. for cases
1566 where only the descriptor is affected like seek. */
1567 static int file_has_perm(const struct cred *cred,
1571 struct file_security_struct *fsec = file->f_security;
1572 struct inode *inode = file_inode(file);
1573 struct common_audit_data ad;
1574 u32 sid = cred_sid(cred);
1577 ad.type = LSM_AUDIT_DATA_PATH;
1578 ad.u.path = file->f_path;
1580 if (sid != fsec->sid) {
1581 rc = avc_has_perm(sid, fsec->sid,
1589 /* av is zero if only checking access to the descriptor. */
1592 rc = inode_has_perm(cred, inode, av, &ad, 0);
1598 /* Check whether a task can create a file. */
1599 static int may_create(struct inode *dir,
1600 struct dentry *dentry,
1603 const struct task_security_struct *tsec = current_security();
1604 struct inode_security_struct *dsec;
1605 struct superblock_security_struct *sbsec;
1607 struct common_audit_data ad;
1610 dsec = dir->i_security;
1611 sbsec = dir->i_sb->s_security;
1614 newsid = tsec->create_sid;
1616 ad.type = LSM_AUDIT_DATA_DENTRY;
1617 ad.u.dentry = dentry;
1619 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1620 DIR__ADD_NAME | DIR__SEARCH,
1625 if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
1626 rc = security_transition_sid(sid, dsec->sid, tclass,
1627 &dentry->d_name, &newsid);
1632 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1636 return avc_has_perm(newsid, sbsec->sid,
1637 SECCLASS_FILESYSTEM,
1638 FILESYSTEM__ASSOCIATE, &ad);
1641 /* Check whether a task can create a key. */
1642 static int may_create_key(u32 ksid,
1643 struct task_struct *ctx)
1645 u32 sid = task_sid(ctx);
1647 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1651 #define MAY_UNLINK 1
1654 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1655 static int may_link(struct inode *dir,
1656 struct dentry *dentry,
1660 struct inode_security_struct *dsec, *isec;
1661 struct common_audit_data ad;
1662 u32 sid = current_sid();
1666 dsec = dir->i_security;
1667 isec = dentry->d_inode->i_security;
1669 ad.type = LSM_AUDIT_DATA_DENTRY;
1670 ad.u.dentry = dentry;
1673 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1674 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1689 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1694 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1698 static inline int may_rename(struct inode *old_dir,
1699 struct dentry *old_dentry,
1700 struct inode *new_dir,
1701 struct dentry *new_dentry)
1703 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1704 struct common_audit_data ad;
1705 u32 sid = current_sid();
1707 int old_is_dir, new_is_dir;
1710 old_dsec = old_dir->i_security;
1711 old_isec = old_dentry->d_inode->i_security;
1712 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1713 new_dsec = new_dir->i_security;
1715 ad.type = LSM_AUDIT_DATA_DENTRY;
1717 ad.u.dentry = old_dentry;
1718 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1719 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1722 rc = avc_has_perm(sid, old_isec->sid,
1723 old_isec->sclass, FILE__RENAME, &ad);
1726 if (old_is_dir && new_dir != old_dir) {
1727 rc = avc_has_perm(sid, old_isec->sid,
1728 old_isec->sclass, DIR__REPARENT, &ad);
1733 ad.u.dentry = new_dentry;
1734 av = DIR__ADD_NAME | DIR__SEARCH;
1735 if (new_dentry->d_inode)
1736 av |= DIR__REMOVE_NAME;
1737 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1740 if (new_dentry->d_inode) {
1741 new_isec = new_dentry->d_inode->i_security;
1742 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1743 rc = avc_has_perm(sid, new_isec->sid,
1745 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1753 /* Check whether a task can perform a filesystem operation. */
1754 static int superblock_has_perm(const struct cred *cred,
1755 struct super_block *sb,
1757 struct common_audit_data *ad)
1759 struct superblock_security_struct *sbsec;
1760 u32 sid = cred_sid(cred);
1762 sbsec = sb->s_security;
1763 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1766 /* Convert a Linux mode and permission mask to an access vector. */
1767 static inline u32 file_mask_to_av(int mode, int mask)
1771 if (!S_ISDIR(mode)) {
1772 if (mask & MAY_EXEC)
1773 av |= FILE__EXECUTE;
1774 if (mask & MAY_READ)
1777 if (mask & MAY_APPEND)
1779 else if (mask & MAY_WRITE)
1783 if (mask & MAY_EXEC)
1785 if (mask & MAY_WRITE)
1787 if (mask & MAY_READ)
1794 /* Convert a Linux file to an access vector. */
1795 static inline u32 file_to_av(struct file *file)
1799 if (file->f_mode & FMODE_READ)
1801 if (file->f_mode & FMODE_WRITE) {
1802 if (file->f_flags & O_APPEND)
1809 * Special file opened with flags 3 for ioctl-only use.
1818 * Convert a file to an access vector and include the correct open
1821 static inline u32 open_file_to_av(struct file *file)
1823 u32 av = file_to_av(file);
1825 if (selinux_policycap_openperm)
1831 /* Hook functions begin here. */
1833 static int selinux_ptrace_access_check(struct task_struct *child,
1838 rc = cap_ptrace_access_check(child, mode);
1842 if (mode & PTRACE_MODE_READ) {
1843 u32 sid = current_sid();
1844 u32 csid = task_sid(child);
1845 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1848 return current_has_perm(child, PROCESS__PTRACE);
1851 static int selinux_ptrace_traceme(struct task_struct *parent)
1855 rc = cap_ptrace_traceme(parent);
1859 return task_has_perm(parent, current, PROCESS__PTRACE);
1862 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1863 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1867 error = current_has_perm(target, PROCESS__GETCAP);
1871 return cap_capget(target, effective, inheritable, permitted);
1874 static int selinux_capset(struct cred *new, const struct cred *old,
1875 const kernel_cap_t *effective,
1876 const kernel_cap_t *inheritable,
1877 const kernel_cap_t *permitted)
1881 error = cap_capset(new, old,
1882 effective, inheritable, permitted);
1886 return cred_has_perm(old, new, PROCESS__SETCAP);
1890 * (This comment used to live with the selinux_task_setuid hook,
1891 * which was removed).
1893 * Since setuid only affects the current process, and since the SELinux
1894 * controls are not based on the Linux identity attributes, SELinux does not
1895 * need to control this operation. However, SELinux does control the use of
1896 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1899 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1904 rc = cap_capable(cred, ns, cap, audit);
1908 return cred_has_capability(cred, cap, audit);
1911 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1913 const struct cred *cred = current_cred();
1925 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1930 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1933 rc = 0; /* let the kernel handle invalid cmds */
1939 static int selinux_quota_on(struct dentry *dentry)
1941 const struct cred *cred = current_cred();
1943 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1946 static int selinux_syslog(int type)
1951 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1952 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
1953 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1955 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1956 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
1957 /* Set level of messages printed to console */
1958 case SYSLOG_ACTION_CONSOLE_LEVEL:
1959 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1961 case SYSLOG_ACTION_CLOSE: /* Close log */
1962 case SYSLOG_ACTION_OPEN: /* Open log */
1963 case SYSLOG_ACTION_READ: /* Read from log */
1964 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
1965 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
1967 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1974 * Check that a process has enough memory to allocate a new virtual
1975 * mapping. 0 means there is enough memory for the allocation to
1976 * succeed and -ENOMEM implies there is not.
1978 * Do not audit the selinux permission check, as this is applied to all
1979 * processes that allocate mappings.
1981 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1983 int rc, cap_sys_admin = 0;
1985 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
1986 SECURITY_CAP_NOAUDIT);
1990 return __vm_enough_memory(mm, pages, cap_sys_admin);
1993 /* binprm security operations */
1995 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1997 const struct task_security_struct *old_tsec;
1998 struct task_security_struct *new_tsec;
1999 struct inode_security_struct *isec;
2000 struct common_audit_data ad;
2001 struct inode *inode = file_inode(bprm->file);
2004 rc = cap_bprm_set_creds(bprm);
2008 /* SELinux context only depends on initial program or script and not
2009 * the script interpreter */
2010 if (bprm->cred_prepared)
2013 old_tsec = current_security();
2014 new_tsec = bprm->cred->security;
2015 isec = inode->i_security;
2017 /* Default to the current task SID. */
2018 new_tsec->sid = old_tsec->sid;
2019 new_tsec->osid = old_tsec->sid;
2021 /* Reset fs, key, and sock SIDs on execve. */
2022 new_tsec->create_sid = 0;
2023 new_tsec->keycreate_sid = 0;
2024 new_tsec->sockcreate_sid = 0;
2026 if (old_tsec->exec_sid) {
2027 new_tsec->sid = old_tsec->exec_sid;
2028 /* Reset exec SID on execve. */
2029 new_tsec->exec_sid = 0;
2032 * Minimize confusion: if no_new_privs and a transition is
2033 * explicitly requested, then fail the exec.
2035 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2038 /* Check for a default transition on this program. */
2039 rc = security_transition_sid(old_tsec->sid, isec->sid,
2040 SECCLASS_PROCESS, NULL,
2046 ad.type = LSM_AUDIT_DATA_PATH;
2047 ad.u.path = bprm->file->f_path;
2049 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2050 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2051 new_tsec->sid = old_tsec->sid;
2053 if (new_tsec->sid == old_tsec->sid) {
2054 rc = avc_has_perm(old_tsec->sid, isec->sid,
2055 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2059 /* Check permissions for the transition. */
2060 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2061 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2065 rc = avc_has_perm(new_tsec->sid, isec->sid,
2066 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2070 /* Check for shared state */
2071 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2072 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2073 SECCLASS_PROCESS, PROCESS__SHARE,
2079 /* Make sure that anyone attempting to ptrace over a task that
2080 * changes its SID has the appropriate permit */
2082 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2083 struct task_struct *tracer;
2084 struct task_security_struct *sec;
2088 tracer = ptrace_parent(current);
2089 if (likely(tracer != NULL)) {
2090 sec = __task_cred(tracer)->security;
2096 rc = avc_has_perm(ptsid, new_tsec->sid,
2098 PROCESS__PTRACE, NULL);
2104 /* Clear any possibly unsafe personality bits on exec: */
2105 bprm->per_clear |= PER_CLEAR_ON_SETID;
2111 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2113 const struct task_security_struct *tsec = current_security();
2121 /* Enable secure mode for SIDs transitions unless
2122 the noatsecure permission is granted between
2123 the two SIDs, i.e. ahp returns 0. */
2124 atsecure = avc_has_perm(osid, sid,
2126 PROCESS__NOATSECURE, NULL);
2129 return (atsecure || cap_bprm_secureexec(bprm));
2132 static int match_file(const void *p, struct file *file, unsigned fd)
2134 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2137 /* Derived from fs/exec.c:flush_old_files. */
2138 static inline void flush_unauthorized_files(const struct cred *cred,
2139 struct files_struct *files)
2141 struct file *file, *devnull = NULL;
2142 struct tty_struct *tty;
2146 tty = get_current_tty();
2148 spin_lock(&tty_files_lock);
2149 if (!list_empty(&tty->tty_files)) {
2150 struct tty_file_private *file_priv;
2152 /* Revalidate access to controlling tty.
2153 Use path_has_perm on the tty path directly rather
2154 than using file_has_perm, as this particular open
2155 file may belong to another process and we are only
2156 interested in the inode-based check here. */
2157 file_priv = list_first_entry(&tty->tty_files,
2158 struct tty_file_private, list);
2159 file = file_priv->file;
2160 if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
2163 spin_unlock(&tty_files_lock);
2166 /* Reset controlling tty. */
2170 /* Revalidate access to inherited open files. */
2171 n = iterate_fd(files, 0, match_file, cred);
2172 if (!n) /* none found? */
2175 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2176 if (IS_ERR(devnull))
2178 /* replace all the matching ones with this */
2180 replace_fd(n - 1, devnull, 0);
2181 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2187 * Prepare a process for imminent new credential changes due to exec
2189 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2191 struct task_security_struct *new_tsec;
2192 struct rlimit *rlim, *initrlim;
2195 new_tsec = bprm->cred->security;
2196 if (new_tsec->sid == new_tsec->osid)
2199 /* Close files for which the new task SID is not authorized. */
2200 flush_unauthorized_files(bprm->cred, current->files);
2202 /* Always clear parent death signal on SID transitions. */
2203 current->pdeath_signal = 0;
2205 /* Check whether the new SID can inherit resource limits from the old
2206 * SID. If not, reset all soft limits to the lower of the current
2207 * task's hard limit and the init task's soft limit.
2209 * Note that the setting of hard limits (even to lower them) can be
2210 * controlled by the setrlimit check. The inclusion of the init task's
2211 * soft limit into the computation is to avoid resetting soft limits
2212 * higher than the default soft limit for cases where the default is
2213 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2215 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2216 PROCESS__RLIMITINH, NULL);
2218 /* protect against do_prlimit() */
2220 for (i = 0; i < RLIM_NLIMITS; i++) {
2221 rlim = current->signal->rlim + i;
2222 initrlim = init_task.signal->rlim + i;
2223 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2225 task_unlock(current);
2226 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2231 * Clean up the process immediately after the installation of new credentials
2234 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2236 const struct task_security_struct *tsec = current_security();
2237 struct itimerval itimer;
2247 /* Check whether the new SID can inherit signal state from the old SID.
2248 * If not, clear itimers to avoid subsequent signal generation and
2249 * flush and unblock signals.
2251 * This must occur _after_ the task SID has been updated so that any
2252 * kill done after the flush will be checked against the new SID.
2254 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2256 memset(&itimer, 0, sizeof itimer);
2257 for (i = 0; i < 3; i++)
2258 do_setitimer(i, &itimer, NULL);
2259 spin_lock_irq(¤t->sighand->siglock);
2260 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2261 __flush_signals(current);
2262 flush_signal_handlers(current, 1);
2263 sigemptyset(¤t->blocked);
2265 spin_unlock_irq(¤t->sighand->siglock);
2268 /* Wake up the parent if it is waiting so that it can recheck
2269 * wait permission to the new task SID. */
2270 read_lock(&tasklist_lock);
2271 __wake_up_parent(current, current->real_parent);
2272 read_unlock(&tasklist_lock);
2275 /* superblock security operations */
2277 static int selinux_sb_alloc_security(struct super_block *sb)
2279 return superblock_alloc_security(sb);
2282 static void selinux_sb_free_security(struct super_block *sb)
2284 superblock_free_security(sb);
2287 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2292 return !memcmp(prefix, option, plen);
2295 static inline int selinux_option(char *option, int len)
2297 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2298 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2299 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2300 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2301 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2304 static inline void take_option(char **to, char *from, int *first, int len)
2311 memcpy(*to, from, len);
2315 static inline void take_selinux_option(char **to, char *from, int *first,
2318 int current_size = 0;
2326 while (current_size < len) {
2336 static int selinux_sb_copy_data(char *orig, char *copy)
2338 int fnosec, fsec, rc = 0;
2339 char *in_save, *in_curr, *in_end;
2340 char *sec_curr, *nosec_save, *nosec;
2346 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2354 in_save = in_end = orig;
2358 open_quote = !open_quote;
2359 if ((*in_end == ',' && open_quote == 0) ||
2361 int len = in_end - in_curr;
2363 if (selinux_option(in_curr, len))
2364 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2366 take_option(&nosec, in_curr, &fnosec, len);
2368 in_curr = in_end + 1;
2370 } while (*in_end++);
2372 strcpy(in_save, nosec_save);
2373 free_page((unsigned long)nosec_save);
2378 static int selinux_sb_remount(struct super_block *sb, void *data)
2381 struct security_mnt_opts opts;
2382 char *secdata, **mount_options;
2383 struct superblock_security_struct *sbsec = sb->s_security;
2385 if (!(sbsec->flags & SE_SBINITIALIZED))
2391 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2394 security_init_mnt_opts(&opts);
2395 secdata = alloc_secdata();
2398 rc = selinux_sb_copy_data(data, secdata);
2400 goto out_free_secdata;
2402 rc = selinux_parse_opts_str(secdata, &opts);
2404 goto out_free_secdata;
2406 mount_options = opts.mnt_opts;
2407 flags = opts.mnt_opts_flags;
2409 for (i = 0; i < opts.num_mnt_opts; i++) {
2413 if (flags[i] == SBLABEL_MNT)
2415 len = strlen(mount_options[i]);
2416 rc = security_context_to_sid(mount_options[i], len, &sid);
2418 printk(KERN_WARNING "SELinux: security_context_to_sid"
2419 "(%s) failed for (dev %s, type %s) errno=%d\n",
2420 mount_options[i], sb->s_id, sb->s_type->name, rc);
2426 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2427 goto out_bad_option;
2430 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2431 goto out_bad_option;
2433 case ROOTCONTEXT_MNT: {
2434 struct inode_security_struct *root_isec;
2435 root_isec = sb->s_root->d_inode->i_security;
2437 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2438 goto out_bad_option;
2441 case DEFCONTEXT_MNT:
2442 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2443 goto out_bad_option;
2452 security_free_mnt_opts(&opts);
2454 free_secdata(secdata);
2457 printk(KERN_WARNING "SELinux: unable to change security options "
2458 "during remount (dev %s, type=%s)\n", sb->s_id,
2463 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2465 const struct cred *cred = current_cred();
2466 struct common_audit_data ad;
2469 rc = superblock_doinit(sb, data);
2473 /* Allow all mounts performed by the kernel */
2474 if (flags & MS_KERNMOUNT)
2477 ad.type = LSM_AUDIT_DATA_DENTRY;
2478 ad.u.dentry = sb->s_root;
2479 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2482 static int selinux_sb_statfs(struct dentry *dentry)
2484 const struct cred *cred = current_cred();
2485 struct common_audit_data ad;
2487 ad.type = LSM_AUDIT_DATA_DENTRY;
2488 ad.u.dentry = dentry->d_sb->s_root;
2489 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2492 static int selinux_mount(const char *dev_name,
2495 unsigned long flags,
2498 const struct cred *cred = current_cred();
2500 if (flags & MS_REMOUNT)
2501 return superblock_has_perm(cred, path->dentry->d_sb,
2502 FILESYSTEM__REMOUNT, NULL);
2504 return path_has_perm(cred, path, FILE__MOUNTON);
2507 static int selinux_umount(struct vfsmount *mnt, int flags)
2509 const struct cred *cred = current_cred();
2511 return superblock_has_perm(cred, mnt->mnt_sb,
2512 FILESYSTEM__UNMOUNT, NULL);
2515 /* inode security operations */
2517 static int selinux_inode_alloc_security(struct inode *inode)
2519 return inode_alloc_security(inode);
2522 static void selinux_inode_free_security(struct inode *inode)
2524 inode_free_security(inode);
2527 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2528 const struct qstr *qstr, char **name,
2529 void **value, size_t *len)
2531 const struct task_security_struct *tsec = current_security();
2532 struct inode_security_struct *dsec;
2533 struct superblock_security_struct *sbsec;
2534 u32 sid, newsid, clen;
2536 char *namep = NULL, *context;
2538 dsec = dir->i_security;
2539 sbsec = dir->i_sb->s_security;
2542 newsid = tsec->create_sid;
2544 if ((sbsec->flags & SE_SBINITIALIZED) &&
2545 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2546 newsid = sbsec->mntpoint_sid;
2547 else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
2548 rc = security_transition_sid(sid, dsec->sid,
2549 inode_mode_to_security_class(inode->i_mode),
2552 printk(KERN_WARNING "%s: "
2553 "security_transition_sid failed, rc=%d (dev=%s "
2556 -rc, inode->i_sb->s_id, inode->i_ino);
2561 /* Possibly defer initialization to selinux_complete_init. */
2562 if (sbsec->flags & SE_SBINITIALIZED) {
2563 struct inode_security_struct *isec = inode->i_security;
2564 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2566 isec->initialized = 1;
2569 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2573 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2580 rc = security_sid_to_context_force(newsid, &context, &clen);
2592 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2594 return may_create(dir, dentry, SECCLASS_FILE);
2597 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2599 return may_link(dir, old_dentry, MAY_LINK);
2602 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2604 return may_link(dir, dentry, MAY_UNLINK);
2607 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2609 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2612 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2614 return may_create(dir, dentry, SECCLASS_DIR);
2617 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2619 return may_link(dir, dentry, MAY_RMDIR);
2622 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2624 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2627 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2628 struct inode *new_inode, struct dentry *new_dentry)
2630 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2633 static int selinux_inode_readlink(struct dentry *dentry)
2635 const struct cred *cred = current_cred();
2637 return dentry_has_perm(cred, dentry, FILE__READ);
2640 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2642 const struct cred *cred = current_cred();
2644 return dentry_has_perm(cred, dentry, FILE__READ);
2647 static noinline int audit_inode_permission(struct inode *inode,
2648 u32 perms, u32 audited, u32 denied,
2651 struct common_audit_data ad;
2652 struct inode_security_struct *isec = inode->i_security;
2655 ad.type = LSM_AUDIT_DATA_INODE;
2658 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2659 audited, denied, &ad, flags);
2665 static int selinux_inode_permission(struct inode *inode, int mask)
2667 const struct cred *cred = current_cred();
2670 unsigned flags = mask & MAY_NOT_BLOCK;
2671 struct inode_security_struct *isec;
2673 struct av_decision avd;
2675 u32 audited, denied;
2677 from_access = mask & MAY_ACCESS;
2678 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2680 /* No permission to check. Existence test. */
2684 validate_creds(cred);
2686 if (unlikely(IS_PRIVATE(inode)))
2689 perms = file_mask_to_av(inode->i_mode, mask);
2691 sid = cred_sid(cred);
2692 isec = inode->i_security;
2694 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2695 audited = avc_audit_required(perms, &avd, rc,
2696 from_access ? FILE__AUDIT_ACCESS : 0,
2698 if (likely(!audited))
2701 rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
2707 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2709 const struct cred *cred = current_cred();
2710 unsigned int ia_valid = iattr->ia_valid;
2711 __u32 av = FILE__WRITE;
2713 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2714 if (ia_valid & ATTR_FORCE) {
2715 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2721 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2722 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2723 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2725 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2728 return dentry_has_perm(cred, dentry, av);
2731 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2733 const struct cred *cred = current_cred();
2736 path.dentry = dentry;
2739 return path_has_perm(cred, &path, FILE__GETATTR);
2742 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2744 const struct cred *cred = current_cred();
2746 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2747 sizeof XATTR_SECURITY_PREFIX - 1)) {
2748 if (!strcmp(name, XATTR_NAME_CAPS)) {
2749 if (!capable(CAP_SETFCAP))
2751 } else if (!capable(CAP_SYS_ADMIN)) {
2752 /* A different attribute in the security namespace.
2753 Restrict to administrator. */
2758 /* Not an attribute we recognize, so just check the
2759 ordinary setattr permission. */
2760 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2763 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2764 const void *value, size_t size, int flags)
2766 struct inode *inode = dentry->d_inode;
2767 struct inode_security_struct *isec = inode->i_security;
2768 struct superblock_security_struct *sbsec;
2769 struct common_audit_data ad;
2770 u32 newsid, sid = current_sid();
2773 if (strcmp(name, XATTR_NAME_SELINUX))
2774 return selinux_inode_setotherxattr(dentry, name);
2776 sbsec = inode->i_sb->s_security;
2777 if (!(sbsec->flags & SBLABEL_MNT))
2780 if (!inode_owner_or_capable(inode))
2783 ad.type = LSM_AUDIT_DATA_DENTRY;
2784 ad.u.dentry = dentry;
2786 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2787 FILE__RELABELFROM, &ad);
2791 rc = security_context_to_sid(value, size, &newsid);
2792 if (rc == -EINVAL) {
2793 if (!capable(CAP_MAC_ADMIN)) {
2794 struct audit_buffer *ab;
2798 /* We strip a nul only if it is at the end, otherwise the
2799 * context contains a nul and we should audit that */
2802 if (str[size - 1] == '\0')
2803 audit_size = size - 1;
2810 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2811 audit_log_format(ab, "op=setxattr invalid_context=");
2812 audit_log_n_untrustedstring(ab, value, audit_size);
2817 rc = security_context_to_sid_force(value, size, &newsid);
2822 rc = avc_has_perm(sid, newsid, isec->sclass,
2823 FILE__RELABELTO, &ad);
2827 rc = security_validate_transition(isec->sid, newsid, sid,
2832 return avc_has_perm(newsid,
2834 SECCLASS_FILESYSTEM,
2835 FILESYSTEM__ASSOCIATE,
2839 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2840 const void *value, size_t size,
2843 struct inode *inode = dentry->d_inode;
2844 struct inode_security_struct *isec = inode->i_security;
2848 if (strcmp(name, XATTR_NAME_SELINUX)) {
2849 /* Not an attribute we recognize, so nothing to do. */
2853 rc = security_context_to_sid_force(value, size, &newsid);
2855 printk(KERN_ERR "SELinux: unable to map context to SID"
2856 "for (%s, %lu), rc=%d\n",
2857 inode->i_sb->s_id, inode->i_ino, -rc);
2865 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2867 const struct cred *cred = current_cred();
2869 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2872 static int selinux_inode_listxattr(struct dentry *dentry)
2874 const struct cred *cred = current_cred();
2876 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2879 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2881 if (strcmp(name, XATTR_NAME_SELINUX))
2882 return selinux_inode_setotherxattr(dentry, name);
2884 /* No one is allowed to remove a SELinux security label.
2885 You can change the label, but all data must be labeled. */
2890 * Copy the inode security context value to the user.
2892 * Permission check is handled by selinux_inode_getxattr hook.
2894 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2898 char *context = NULL;
2899 struct inode_security_struct *isec = inode->i_security;
2901 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2905 * If the caller has CAP_MAC_ADMIN, then get the raw context
2906 * value even if it is not defined by current policy; otherwise,
2907 * use the in-core value under current policy.
2908 * Use the non-auditing forms of the permission checks since
2909 * getxattr may be called by unprivileged processes commonly
2910 * and lack of permission just means that we fall back to the
2911 * in-core context value, not a denial.
2913 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
2914 SECURITY_CAP_NOAUDIT);
2916 error = security_sid_to_context_force(isec->sid, &context,
2919 error = security_sid_to_context(isec->sid, &context, &size);
2932 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2933 const void *value, size_t size, int flags)
2935 struct inode_security_struct *isec = inode->i_security;
2939 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2942 if (!value || !size)
2945 rc = security_context_to_sid((void *)value, size, &newsid);
2950 isec->initialized = 1;
2954 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2956 const int len = sizeof(XATTR_NAME_SELINUX);
2957 if (buffer && len <= buffer_size)
2958 memcpy(buffer, XATTR_NAME_SELINUX, len);
2962 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2964 struct inode_security_struct *isec = inode->i_security;
2968 /* file security operations */
2970 static int selinux_revalidate_file_permission(struct file *file, int mask)
2972 const struct cred *cred = current_cred();
2973 struct inode *inode = file_inode(file);
2975 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2976 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2979 return file_has_perm(cred, file,
2980 file_mask_to_av(inode->i_mode, mask));
2983 static int selinux_file_permission(struct file *file, int mask)
2985 struct inode *inode = file_inode(file);
2986 struct file_security_struct *fsec = file->f_security;
2987 struct inode_security_struct *isec = inode->i_security;
2988 u32 sid = current_sid();
2991 /* No permission to check. Existence test. */
2994 if (sid == fsec->sid && fsec->isid == isec->sid &&
2995 fsec->pseqno == avc_policy_seqno())
2996 /* No change since file_open check. */
2999 return selinux_revalidate_file_permission(file, mask);
3002 static int selinux_file_alloc_security(struct file *file)
3004 return file_alloc_security(file);
3007 static void selinux_file_free_security(struct file *file)
3009 file_free_security(file);
3012 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3015 const struct cred *cred = current_cred();
3025 case FS_IOC_GETFLAGS:
3027 case FS_IOC_GETVERSION:
3028 error = file_has_perm(cred, file, FILE__GETATTR);
3031 case FS_IOC_SETFLAGS:
3033 case FS_IOC_SETVERSION:
3034 error = file_has_perm(cred, file, FILE__SETATTR);
3037 /* sys_ioctl() checks */
3041 error = file_has_perm(cred, file, 0);
3046 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3047 SECURITY_CAP_AUDIT);
3050 /* default case assumes that the command will go
3051 * to the file's ioctl() function.
3054 error = file_has_perm(cred, file, FILE__IOCTL);
3059 static int default_noexec;
3061 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3063 const struct cred *cred = current_cred();
3066 if (default_noexec &&
3067 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3069 * We are making executable an anonymous mapping or a
3070 * private file mapping that will also be writable.
3071 * This has an additional check.
3073 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3079 /* read access is always possible with a mapping */
3080 u32 av = FILE__READ;
3082 /* write access only matters if the mapping is shared */
3083 if (shared && (prot & PROT_WRITE))
3086 if (prot & PROT_EXEC)
3087 av |= FILE__EXECUTE;
3089 return file_has_perm(cred, file, av);
3096 static int selinux_mmap_addr(unsigned long addr)
3099 u32 sid = current_sid();
3102 * notice that we are intentionally putting the SELinux check before
3103 * the secondary cap_file_mmap check. This is such a likely attempt
3104 * at bad behaviour/exploit that we always want to get the AVC, even
3105 * if DAC would have also denied the operation.
3107 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3108 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3109 MEMPROTECT__MMAP_ZERO, NULL);
3114 /* do DAC check on address space usage */
3115 return cap_mmap_addr(addr);
3118 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3119 unsigned long prot, unsigned long flags)
3121 if (selinux_checkreqprot)
3124 return file_map_prot_check(file, prot,
3125 (flags & MAP_TYPE) == MAP_SHARED);
3128 static int selinux_file_mprotect(struct vm_area_struct *vma,
3129 unsigned long reqprot,
3132 const struct cred *cred = current_cred();
3134 if (selinux_checkreqprot)
3137 if (default_noexec &&
3138 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3140 if (vma->vm_start >= vma->vm_mm->start_brk &&
3141 vma->vm_end <= vma->vm_mm->brk) {
3142 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3143 } else if (!vma->vm_file &&
3144 vma->vm_start <= vma->vm_mm->start_stack &&
3145 vma->vm_end >= vma->vm_mm->start_stack) {
3146 rc = current_has_perm(current, PROCESS__EXECSTACK);
3147 } else if (vma->vm_file && vma->anon_vma) {
3149 * We are making executable a file mapping that has
3150 * had some COW done. Since pages might have been
3151 * written, check ability to execute the possibly
3152 * modified content. This typically should only
3153 * occur for text relocations.
3155 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3161 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3164 static int selinux_file_lock(struct file *file, unsigned int cmd)
3166 const struct cred *cred = current_cred();
3168 return file_has_perm(cred, file, FILE__LOCK);
3171 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3174 const struct cred *cred = current_cred();
3179 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3180 err = file_has_perm(cred, file, FILE__WRITE);
3189 case F_GETOWNER_UIDS:
3190 /* Just check FD__USE permission */
3191 err = file_has_perm(cred, file, 0);
3196 #if BITS_PER_LONG == 32
3201 err = file_has_perm(cred, file, FILE__LOCK);
3208 static int selinux_file_set_fowner(struct file *file)
3210 struct file_security_struct *fsec;
3212 fsec = file->f_security;
3213 fsec->fown_sid = current_sid();
3218 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3219 struct fown_struct *fown, int signum)
3222 u32 sid = task_sid(tsk);
3224 struct file_security_struct *fsec;
3226 /* struct fown_struct is never outside the context of a struct file */
3227 file = container_of(fown, struct file, f_owner);
3229 fsec = file->f_security;
3232 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3234 perm = signal_to_av(signum);
3236 return avc_has_perm(fsec->fown_sid, sid,
3237 SECCLASS_PROCESS, perm, NULL);
3240 static int selinux_file_receive(struct file *file)
3242 const struct cred *cred = current_cred();
3244 return file_has_perm(cred, file, file_to_av(file));
3247 static int selinux_file_open(struct file *file, const struct cred *cred)
3249 struct file_security_struct *fsec;
3250 struct inode_security_struct *isec;
3252 fsec = file->f_security;
3253 isec = file_inode(file)->i_security;
3255 * Save inode label and policy sequence number
3256 * at open-time so that selinux_file_permission
3257 * can determine whether revalidation is necessary.
3258 * Task label is already saved in the file security
3259 * struct as its SID.
3261 fsec->isid = isec->sid;
3262 fsec->pseqno = avc_policy_seqno();
3264 * Since the inode label or policy seqno may have changed
3265 * between the selinux_inode_permission check and the saving
3266 * of state above, recheck that access is still permitted.
3267 * Otherwise, access might never be revalidated against the
3268 * new inode label or new policy.
3269 * This check is not redundant - do not remove.
3271 return path_has_perm(cred, &file->f_path, open_file_to_av(file));
3274 /* task security operations */
3276 static int selinux_task_create(unsigned long clone_flags)
3278 return current_has_perm(current, PROCESS__FORK);
3282 * allocate the SELinux part of blank credentials
3284 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3286 struct task_security_struct *tsec;
3288 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3292 cred->security = tsec;
3297 * detach and free the LSM part of a set of credentials
3299 static void selinux_cred_free(struct cred *cred)
3301 struct task_security_struct *tsec = cred->security;
3304 * cred->security == NULL if security_cred_alloc_blank() or
3305 * security_prepare_creds() returned an error.
3307 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3308 cred->security = (void *) 0x7UL;
3313 * prepare a new set of credentials for modification
3315 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3318 const struct task_security_struct *old_tsec;
3319 struct task_security_struct *tsec;
3321 old_tsec = old->security;
3323 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3327 new->security = tsec;
3332 * transfer the SELinux data to a blank set of creds
3334 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3336 const struct task_security_struct *old_tsec = old->security;
3337 struct task_security_struct *tsec = new->security;
3343 * set the security data for a kernel service
3344 * - all the creation contexts are set to unlabelled
3346 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3348 struct task_security_struct *tsec = new->security;
3349 u32 sid = current_sid();
3352 ret = avc_has_perm(sid, secid,
3353 SECCLASS_KERNEL_SERVICE,
3354 KERNEL_SERVICE__USE_AS_OVERRIDE,
3358 tsec->create_sid = 0;
3359 tsec->keycreate_sid = 0;
3360 tsec->sockcreate_sid = 0;
3366 * set the file creation context in a security record to the same as the
3367 * objective context of the specified inode
3369 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3371 struct inode_security_struct *isec = inode->i_security;
3372 struct task_security_struct *tsec = new->security;
3373 u32 sid = current_sid();
3376 ret = avc_has_perm(sid, isec->sid,
3377 SECCLASS_KERNEL_SERVICE,
3378 KERNEL_SERVICE__CREATE_FILES_AS,
3382 tsec->create_sid = isec->sid;
3386 static int selinux_kernel_module_request(char *kmod_name)
3389 struct common_audit_data ad;
3391 sid = task_sid(current);
3393 ad.type = LSM_AUDIT_DATA_KMOD;
3394 ad.u.kmod_name = kmod_name;
3396 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3397 SYSTEM__MODULE_REQUEST, &ad);
3400 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3402 return current_has_perm(p, PROCESS__SETPGID);
3405 static int selinux_task_getpgid(struct task_struct *p)
3407 return current_has_perm(p, PROCESS__GETPGID);
3410 static int selinux_task_getsid(struct task_struct *p)
3412 return current_has_perm(p, PROCESS__GETSESSION);
3415 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3417 *secid = task_sid(p);
3420 static int selinux_task_setnice(struct task_struct *p, int nice)
3424 rc = cap_task_setnice(p, nice);
3428 return current_has_perm(p, PROCESS__SETSCHED);
3431 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3435 rc = cap_task_setioprio(p, ioprio);
3439 return current_has_perm(p, PROCESS__SETSCHED);
3442 static int selinux_task_getioprio(struct task_struct *p)
3444 return current_has_perm(p, PROCESS__GETSCHED);
3447 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3448 struct rlimit *new_rlim)
3450 struct rlimit *old_rlim = p->signal->rlim + resource;
3452 /* Control the ability to change the hard limit (whether
3453 lowering or raising it), so that the hard limit can
3454 later be used as a safe reset point for the soft limit
3455 upon context transitions. See selinux_bprm_committing_creds. */
3456 if (old_rlim->rlim_max != new_rlim->rlim_max)
3457 return current_has_perm(p, PROCESS__SETRLIMIT);
3462 static int selinux_task_setscheduler(struct task_struct *p)
3466 rc = cap_task_setscheduler(p);
3470 return current_has_perm(p, PROCESS__SETSCHED);
3473 static int selinux_task_getscheduler(struct task_struct *p)
3475 return current_has_perm(p, PROCESS__GETSCHED);
3478 static int selinux_task_movememory(struct task_struct *p)
3480 return current_has_perm(p, PROCESS__SETSCHED);
3483 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3490 perm = PROCESS__SIGNULL; /* null signal; existence test */
3492 perm = signal_to_av(sig);
3494 rc = avc_has_perm(secid, task_sid(p),
3495 SECCLASS_PROCESS, perm, NULL);
3497 rc = current_has_perm(p, perm);
3501 static int selinux_task_wait(struct task_struct *p)
3503 return task_has_perm(p, current, PROCESS__SIGCHLD);
3506 static void selinux_task_to_inode(struct task_struct *p,
3507 struct inode *inode)
3509 struct inode_security_struct *isec = inode->i_security;
3510 u32 sid = task_sid(p);
3513 isec->initialized = 1;
3516 /* Returns error only if unable to parse addresses */
3517 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3518 struct common_audit_data *ad, u8 *proto)
3520 int offset, ihlen, ret = -EINVAL;
3521 struct iphdr _iph, *ih;
3523 offset = skb_network_offset(skb);
3524 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3528 ihlen = ih->ihl * 4;
3529 if (ihlen < sizeof(_iph))
3532 ad->u.net->v4info.saddr = ih->saddr;
3533 ad->u.net->v4info.daddr = ih->daddr;
3537 *proto = ih->protocol;
3539 switch (ih->protocol) {
3541 struct tcphdr _tcph, *th;
3543 if (ntohs(ih->frag_off) & IP_OFFSET)
3547 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3551 ad->u.net->sport = th->source;
3552 ad->u.net->dport = th->dest;
3557 struct udphdr _udph, *uh;
3559 if (ntohs(ih->frag_off) & IP_OFFSET)
3563 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3567 ad->u.net->sport = uh->source;
3568 ad->u.net->dport = uh->dest;
3572 case IPPROTO_DCCP: {
3573 struct dccp_hdr _dccph, *dh;
3575 if (ntohs(ih->frag_off) & IP_OFFSET)
3579 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3583 ad->u.net->sport = dh->dccph_sport;
3584 ad->u.net->dport = dh->dccph_dport;
3595 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3597 /* Returns error only if unable to parse addresses */
3598 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3599 struct common_audit_data *ad, u8 *proto)
3602 int ret = -EINVAL, offset;
3603 struct ipv6hdr _ipv6h, *ip6;
3606 offset = skb_network_offset(skb);
3607 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3611 ad->u.net->v6info.saddr = ip6->saddr;
3612 ad->u.net->v6info.daddr = ip6->daddr;
3615 nexthdr = ip6->nexthdr;
3616 offset += sizeof(_ipv6h);
3617 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3626 struct tcphdr _tcph, *th;
3628 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3632 ad->u.net->sport = th->source;
3633 ad->u.net->dport = th->dest;
3638 struct udphdr _udph, *uh;
3640 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3644 ad->u.net->sport = uh->source;
3645 ad->u.net->dport = uh->dest;
3649 case IPPROTO_DCCP: {
3650 struct dccp_hdr _dccph, *dh;
3652 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3656 ad->u.net->sport = dh->dccph_sport;
3657 ad->u.net->dport = dh->dccph_dport;
3661 /* includes fragments */
3671 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3672 char **_addrp, int src, u8 *proto)
3677 switch (ad->u.net->family) {
3679 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3682 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3683 &ad->u.net->v4info.daddr);
3686 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3688 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3691 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3692 &ad->u.net->v6info.daddr);
3702 "SELinux: failure in selinux_parse_skb(),"
3703 " unable to parse packet\n");
3713 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3715 * @family: protocol family
3716 * @sid: the packet's peer label SID
3719 * Check the various different forms of network peer labeling and determine
3720 * the peer label/SID for the packet; most of the magic actually occurs in
3721 * the security server function security_net_peersid_cmp(). The function
3722 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3723 * or -EACCES if @sid is invalid due to inconsistencies with the different
3727 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3734 err = selinux_skb_xfrm_sid(skb, &xfrm_sid);
3737 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3741 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3742 if (unlikely(err)) {
3744 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3745 " unable to determine packet's peer label\n");
3752 /* socket security operations */
3754 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3755 u16 secclass, u32 *socksid)
3757 if (tsec->sockcreate_sid > SECSID_NULL) {
3758 *socksid = tsec->sockcreate_sid;
3762 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3766 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3768 struct sk_security_struct *sksec = sk->sk_security;
3769 struct common_audit_data ad;
3770 struct lsm_network_audit net = {0,};
3771 u32 tsid = task_sid(task);
3773 if (sksec->sid == SECINITSID_KERNEL)
3776 ad.type = LSM_AUDIT_DATA_NET;
3780 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3783 static int selinux_socket_create(int family, int type,
3784 int protocol, int kern)
3786 const struct task_security_struct *tsec = current_security();
3794 secclass = socket_type_to_security_class(family, type, protocol);
3795 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3799 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3802 static int selinux_socket_post_create(struct socket *sock, int family,
3803 int type, int protocol, int kern)
3805 const struct task_security_struct *tsec = current_security();
3806 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3807 struct sk_security_struct *sksec;
3810 isec->sclass = socket_type_to_security_class(family, type, protocol);
3813 isec->sid = SECINITSID_KERNEL;
3815 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3820 isec->initialized = 1;
3823 sksec = sock->sk->sk_security;
3824 sksec->sid = isec->sid;
3825 sksec->sclass = isec->sclass;
3826 err = selinux_netlbl_socket_post_create(sock->sk, family);
3832 /* Range of port numbers used to automatically bind.
3833 Need to determine whether we should perform a name_bind
3834 permission check between the socket and the port number. */
3836 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3838 struct sock *sk = sock->sk;
3842 err = sock_has_perm(current, sk, SOCKET__BIND);
3847 * If PF_INET or PF_INET6, check name_bind permission for the port.
3848 * Multiple address binding for SCTP is not supported yet: we just
3849 * check the first address now.
3851 family = sk->sk_family;
3852 if (family == PF_INET || family == PF_INET6) {
3854 struct sk_security_struct *sksec = sk->sk_security;
3855 struct common_audit_data ad;
3856 struct lsm_network_audit net = {0,};
3857 struct sockaddr_in *addr4 = NULL;
3858 struct sockaddr_in6 *addr6 = NULL;
3859 unsigned short snum;
3862 if (family == PF_INET) {
3863 addr4 = (struct sockaddr_in *)address;
3864 snum = ntohs(addr4->sin_port);
3865 addrp = (char *)&addr4->sin_addr.s_addr;
3867 addr6 = (struct sockaddr_in6 *)address;
3868 snum = ntohs(addr6->sin6_port);
3869 addrp = (char *)&addr6->sin6_addr.s6_addr;
3875 inet_get_local_port_range(&low, &high);
3877 if (snum < max(PROT_SOCK, low) || snum > high) {
3878 err = sel_netport_sid(sk->sk_protocol,
3882 ad.type = LSM_AUDIT_DATA_NET;
3884 ad.u.net->sport = htons(snum);
3885 ad.u.net->family = family;
3886 err = avc_has_perm(sksec->sid, sid,
3888 SOCKET__NAME_BIND, &ad);
3894 switch (sksec->sclass) {
3895 case SECCLASS_TCP_SOCKET:
3896 node_perm = TCP_SOCKET__NODE_BIND;
3899 case SECCLASS_UDP_SOCKET:
3900 node_perm = UDP_SOCKET__NODE_BIND;
3903 case SECCLASS_DCCP_SOCKET:
3904 node_perm = DCCP_SOCKET__NODE_BIND;
3908 node_perm = RAWIP_SOCKET__NODE_BIND;
3912 err = sel_netnode_sid(addrp, family, &sid);
3916 ad.type = LSM_AUDIT_DATA_NET;
3918 ad.u.net->sport = htons(snum);
3919 ad.u.net->family = family;
3921 if (family == PF_INET)
3922 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
3924 ad.u.net->v6info.saddr = addr6->sin6_addr;
3926 err = avc_has_perm(sksec->sid, sid,
3927 sksec->sclass, node_perm, &ad);
3935 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3937 struct sock *sk = sock->sk;
3938 struct sk_security_struct *sksec = sk->sk_security;
3941 err = sock_has_perm(current, sk, SOCKET__CONNECT);
3946 * If a TCP or DCCP socket, check name_connect permission for the port.
3948 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3949 sksec->sclass == SECCLASS_DCCP_SOCKET) {
3950 struct common_audit_data ad;
3951 struct lsm_network_audit net = {0,};
3952 struct sockaddr_in *addr4 = NULL;
3953 struct sockaddr_in6 *addr6 = NULL;
3954 unsigned short snum;
3957 if (sk->sk_family == PF_INET) {
3958 addr4 = (struct sockaddr_in *)address;
3959 if (addrlen < sizeof(struct sockaddr_in))
3961 snum = ntohs(addr4->sin_port);
3963 addr6 = (struct sockaddr_in6 *)address;
3964 if (addrlen < SIN6_LEN_RFC2133)
3966 snum = ntohs(addr6->sin6_port);
3969 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3973 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3974 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3976 ad.type = LSM_AUDIT_DATA_NET;
3978 ad.u.net->dport = htons(snum);
3979 ad.u.net->family = sk->sk_family;
3980 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
3985 err = selinux_netlbl_socket_connect(sk, address);
3991 static int selinux_socket_listen(struct socket *sock, int backlog)
3993 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
3996 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3999 struct inode_security_struct *isec;
4000 struct inode_security_struct *newisec;
4002 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4006 newisec = SOCK_INODE(newsock)->i_security;
4008 isec = SOCK_INODE(sock)->i_security;
4009 newisec->sclass = isec->sclass;
4010 newisec->sid = isec->sid;
4011 newisec->initialized = 1;
4016 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4019 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4022 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4023 int size, int flags)
4025 return sock_has_perm(current, sock->sk, SOCKET__READ);
4028 static int selinux_socket_getsockname(struct socket *sock)
4030 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4033 static int selinux_socket_getpeername(struct socket *sock)
4035 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4038 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4042 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4046 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4049 static int selinux_socket_getsockopt(struct socket *sock, int level,
4052 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4055 static int selinux_socket_shutdown(struct socket *sock, int how)
4057 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4060 static int selinux_socket_unix_stream_connect(struct sock *sock,
4064 struct sk_security_struct *sksec_sock = sock->sk_security;
4065 struct sk_security_struct *sksec_other = other->sk_security;
4066 struct sk_security_struct *sksec_new = newsk->sk_security;
4067 struct common_audit_data ad;
4068 struct lsm_network_audit net = {0,};
4071 ad.type = LSM_AUDIT_DATA_NET;
4073 ad.u.net->sk = other;
4075 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4076 sksec_other->sclass,
4077 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4081 /* server child socket */
4082 sksec_new->peer_sid = sksec_sock->sid;
4083 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4088 /* connecting socket */
4089 sksec_sock->peer_sid = sksec_new->sid;
4094 static int selinux_socket_unix_may_send(struct socket *sock,
4095 struct socket *other)
4097 struct sk_security_struct *ssec = sock->sk->sk_security;
4098 struct sk_security_struct *osec = other->sk->sk_security;
4099 struct common_audit_data ad;
4100 struct lsm_network_audit net = {0,};
4102 ad.type = LSM_AUDIT_DATA_NET;
4104 ad.u.net->sk = other->sk;
4106 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4110 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4112 struct common_audit_data *ad)
4118 err = sel_netif_sid(ifindex, &if_sid);
4121 err = avc_has_perm(peer_sid, if_sid,
4122 SECCLASS_NETIF, NETIF__INGRESS, ad);
4126 err = sel_netnode_sid(addrp, family, &node_sid);
4129 return avc_has_perm(peer_sid, node_sid,
4130 SECCLASS_NODE, NODE__RECVFROM, ad);
4133 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4137 struct sk_security_struct *sksec = sk->sk_security;
4138 u32 sk_sid = sksec->sid;
4139 struct common_audit_data ad;
4140 struct lsm_network_audit net = {0,};
4143 ad.type = LSM_AUDIT_DATA_NET;
4145 ad.u.net->netif = skb->skb_iif;
4146 ad.u.net->family = family;
4147 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4151 if (selinux_secmark_enabled()) {
4152 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4158 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4161 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4166 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4169 struct sk_security_struct *sksec = sk->sk_security;
4170 u16 family = sk->sk_family;
4171 u32 sk_sid = sksec->sid;
4172 struct common_audit_data ad;
4173 struct lsm_network_audit net = {0,};
4178 if (family != PF_INET && family != PF_INET6)
4181 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4182 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4185 /* If any sort of compatibility mode is enabled then handoff processing
4186 * to the selinux_sock_rcv_skb_compat() function to deal with the
4187 * special handling. We do this in an attempt to keep this function
4188 * as fast and as clean as possible. */
4189 if (!selinux_policycap_netpeer)
4190 return selinux_sock_rcv_skb_compat(sk, skb, family);
4192 secmark_active = selinux_secmark_enabled();
4193 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4194 if (!secmark_active && !peerlbl_active)
4197 ad.type = LSM_AUDIT_DATA_NET;
4199 ad.u.net->netif = skb->skb_iif;
4200 ad.u.net->family = family;
4201 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4205 if (peerlbl_active) {
4208 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4211 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4214 selinux_netlbl_err(skb, err, 0);
4217 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4220 selinux_netlbl_err(skb, err, 0);
4223 if (secmark_active) {
4224 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4233 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4234 int __user *optlen, unsigned len)
4239 struct sk_security_struct *sksec = sock->sk->sk_security;
4240 u32 peer_sid = SECSID_NULL;
4242 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4243 sksec->sclass == SECCLASS_TCP_SOCKET)
4244 peer_sid = sksec->peer_sid;
4245 if (peer_sid == SECSID_NULL)
4246 return -ENOPROTOOPT;
4248 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4252 if (scontext_len > len) {
4257 if (copy_to_user(optval, scontext, scontext_len))
4261 if (put_user(scontext_len, optlen))
4267 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4269 u32 peer_secid = SECSID_NULL;
4272 if (skb && skb->protocol == htons(ETH_P_IP))
4274 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4277 family = sock->sk->sk_family;
4281 if (sock && family == PF_UNIX)
4282 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4284 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4287 *secid = peer_secid;
4288 if (peer_secid == SECSID_NULL)
4293 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4295 struct sk_security_struct *sksec;
4297 sksec = kzalloc(sizeof(*sksec), priority);
4301 sksec->peer_sid = SECINITSID_UNLABELED;
4302 sksec->sid = SECINITSID_UNLABELED;
4303 selinux_netlbl_sk_security_reset(sksec);
4304 sk->sk_security = sksec;
4309 static void selinux_sk_free_security(struct sock *sk)
4311 struct sk_security_struct *sksec = sk->sk_security;
4313 sk->sk_security = NULL;
4314 selinux_netlbl_sk_security_free(sksec);
4318 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4320 struct sk_security_struct *sksec = sk->sk_security;
4321 struct sk_security_struct *newsksec = newsk->sk_security;
4323 newsksec->sid = sksec->sid;
4324 newsksec->peer_sid = sksec->peer_sid;
4325 newsksec->sclass = sksec->sclass;
4327 selinux_netlbl_sk_security_reset(newsksec);
4330 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4333 *secid = SECINITSID_ANY_SOCKET;
4335 struct sk_security_struct *sksec = sk->sk_security;
4337 *secid = sksec->sid;
4341 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4343 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4344 struct sk_security_struct *sksec = sk->sk_security;
4346 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4347 sk->sk_family == PF_UNIX)
4348 isec->sid = sksec->sid;
4349 sksec->sclass = isec->sclass;
4352 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4353 struct request_sock *req)
4355 struct sk_security_struct *sksec = sk->sk_security;
4357 u16 family = sk->sk_family;
4361 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4362 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4365 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4368 if (peersid == SECSID_NULL) {
4369 req->secid = sksec->sid;
4370 req->peer_secid = SECSID_NULL;
4372 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4375 req->secid = newsid;
4376 req->peer_secid = peersid;
4379 return selinux_netlbl_inet_conn_request(req, family);
4382 static void selinux_inet_csk_clone(struct sock *newsk,
4383 const struct request_sock *req)
4385 struct sk_security_struct *newsksec = newsk->sk_security;
4387 newsksec->sid = req->secid;
4388 newsksec->peer_sid = req->peer_secid;
4389 /* NOTE: Ideally, we should also get the isec->sid for the
4390 new socket in sync, but we don't have the isec available yet.
4391 So we will wait until sock_graft to do it, by which
4392 time it will have been created and available. */
4394 /* We don't need to take any sort of lock here as we are the only
4395 * thread with access to newsksec */
4396 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4399 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4401 u16 family = sk->sk_family;
4402 struct sk_security_struct *sksec = sk->sk_security;
4404 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4405 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4408 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4411 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4413 skb_set_owner_w(skb, sk);
4416 static int selinux_secmark_relabel_packet(u32 sid)
4418 const struct task_security_struct *__tsec;
4421 __tsec = current_security();
4424 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4427 static void selinux_secmark_refcount_inc(void)
4429 atomic_inc(&selinux_secmark_refcount);
4432 static void selinux_secmark_refcount_dec(void)
4434 atomic_dec(&selinux_secmark_refcount);
4437 static void selinux_req_classify_flow(const struct request_sock *req,
4440 fl->flowi_secid = req->secid;
4443 static int selinux_tun_dev_alloc_security(void **security)
4445 struct tun_security_struct *tunsec;
4447 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4450 tunsec->sid = current_sid();
4456 static void selinux_tun_dev_free_security(void *security)
4461 static int selinux_tun_dev_create(void)
4463 u32 sid = current_sid();
4465 /* we aren't taking into account the "sockcreate" SID since the socket
4466 * that is being created here is not a socket in the traditional sense,
4467 * instead it is a private sock, accessible only to the kernel, and
4468 * representing a wide range of network traffic spanning multiple
4469 * connections unlike traditional sockets - check the TUN driver to
4470 * get a better understanding of why this socket is special */
4472 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4476 static int selinux_tun_dev_attach_queue(void *security)
4478 struct tun_security_struct *tunsec = security;
4480 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4481 TUN_SOCKET__ATTACH_QUEUE, NULL);
4484 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4486 struct tun_security_struct *tunsec = security;
4487 struct sk_security_struct *sksec = sk->sk_security;
4489 /* we don't currently perform any NetLabel based labeling here and it
4490 * isn't clear that we would want to do so anyway; while we could apply
4491 * labeling without the support of the TUN user the resulting labeled
4492 * traffic from the other end of the connection would almost certainly
4493 * cause confusion to the TUN user that had no idea network labeling
4494 * protocols were being used */
4496 sksec->sid = tunsec->sid;
4497 sksec->sclass = SECCLASS_TUN_SOCKET;
4502 static int selinux_tun_dev_open(void *security)
4504 struct tun_security_struct *tunsec = security;
4505 u32 sid = current_sid();
4508 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4509 TUN_SOCKET__RELABELFROM, NULL);
4512 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4513 TUN_SOCKET__RELABELTO, NULL);
4521 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4525 struct nlmsghdr *nlh;
4526 struct sk_security_struct *sksec = sk->sk_security;
4528 if (skb->len < NLMSG_HDRLEN) {
4532 nlh = nlmsg_hdr(skb);
4534 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4536 if (err == -EINVAL) {
4537 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4538 "SELinux: unrecognized netlink message"
4539 " type=%hu for sclass=%hu\n",
4540 nlh->nlmsg_type, sksec->sclass);
4541 if (!selinux_enforcing || security_get_allow_unknown())
4551 err = sock_has_perm(current, sk, perm);
4556 #ifdef CONFIG_NETFILTER
4558 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4564 struct common_audit_data ad;
4565 struct lsm_network_audit net = {0,};
4570 if (!selinux_policycap_netpeer)
4573 secmark_active = selinux_secmark_enabled();
4574 netlbl_active = netlbl_enabled();
4575 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4576 if (!secmark_active && !peerlbl_active)
4579 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4582 ad.type = LSM_AUDIT_DATA_NET;
4584 ad.u.net->netif = ifindex;
4585 ad.u.net->family = family;
4586 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4589 if (peerlbl_active) {
4590 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4593 selinux_netlbl_err(skb, err, 1);
4599 if (avc_has_perm(peer_sid, skb->secmark,
4600 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4604 /* we do this in the FORWARD path and not the POST_ROUTING
4605 * path because we want to make sure we apply the necessary
4606 * labeling before IPsec is applied so we can leverage AH
4608 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4614 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4615 struct sk_buff *skb,
4616 const struct net_device *in,
4617 const struct net_device *out,
4618 int (*okfn)(struct sk_buff *))
4620 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4623 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4624 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4625 struct sk_buff *skb,
4626 const struct net_device *in,
4627 const struct net_device *out,
4628 int (*okfn)(struct sk_buff *))
4630 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4634 static unsigned int selinux_ip_output(struct sk_buff *skb,
4639 if (!netlbl_enabled())
4642 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4643 * because we want to make sure we apply the necessary labeling
4644 * before IPsec is applied so we can leverage AH protection */
4646 struct sk_security_struct *sksec = skb->sk->sk_security;
4649 sid = SECINITSID_KERNEL;
4650 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4656 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4657 struct sk_buff *skb,
4658 const struct net_device *in,
4659 const struct net_device *out,
4660 int (*okfn)(struct sk_buff *))
4662 return selinux_ip_output(skb, PF_INET);
4665 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4669 struct sock *sk = skb->sk;
4670 struct sk_security_struct *sksec;
4671 struct common_audit_data ad;
4672 struct lsm_network_audit net = {0,};
4678 sksec = sk->sk_security;
4680 ad.type = LSM_AUDIT_DATA_NET;
4682 ad.u.net->netif = ifindex;
4683 ad.u.net->family = family;
4684 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4687 if (selinux_secmark_enabled())
4688 if (avc_has_perm(sksec->sid, skb->secmark,
4689 SECCLASS_PACKET, PACKET__SEND, &ad))
4690 return NF_DROP_ERR(-ECONNREFUSED);
4692 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4693 return NF_DROP_ERR(-ECONNREFUSED);
4698 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4704 struct common_audit_data ad;
4705 struct lsm_network_audit net = {0,};
4710 /* If any sort of compatibility mode is enabled then handoff processing
4711 * to the selinux_ip_postroute_compat() function to deal with the
4712 * special handling. We do this in an attempt to keep this function
4713 * as fast and as clean as possible. */
4714 if (!selinux_policycap_netpeer)
4715 return selinux_ip_postroute_compat(skb, ifindex, family);
4717 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4718 * packet transformation so allow the packet to pass without any checks
4719 * since we'll have another chance to perform access control checks
4720 * when the packet is on it's final way out.
4721 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4722 * is NULL, in this case go ahead and apply access control. */
4723 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL)
4726 secmark_active = selinux_secmark_enabled();
4727 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4728 if (!secmark_active && !peerlbl_active)
4731 /* if the packet is being forwarded then get the peer label from the
4732 * packet itself; otherwise check to see if it is from a local
4733 * application or the kernel, if from an application get the peer label
4734 * from the sending socket, otherwise use the kernel's sid */
4738 secmark_perm = PACKET__FORWARD_OUT;
4739 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4742 secmark_perm = PACKET__SEND;
4743 peer_sid = SECINITSID_KERNEL;
4746 struct sk_security_struct *sksec = sk->sk_security;
4747 peer_sid = sksec->sid;
4748 secmark_perm = PACKET__SEND;
4751 ad.type = LSM_AUDIT_DATA_NET;
4753 ad.u.net->netif = ifindex;
4754 ad.u.net->family = family;
4755 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4759 if (avc_has_perm(peer_sid, skb->secmark,
4760 SECCLASS_PACKET, secmark_perm, &ad))
4761 return NF_DROP_ERR(-ECONNREFUSED);
4763 if (peerlbl_active) {
4767 if (sel_netif_sid(ifindex, &if_sid))
4769 if (avc_has_perm(peer_sid, if_sid,
4770 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4771 return NF_DROP_ERR(-ECONNREFUSED);
4773 if (sel_netnode_sid(addrp, family, &node_sid))
4775 if (avc_has_perm(peer_sid, node_sid,
4776 SECCLASS_NODE, NODE__SENDTO, &ad))
4777 return NF_DROP_ERR(-ECONNREFUSED);
4783 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4784 struct sk_buff *skb,
4785 const struct net_device *in,
4786 const struct net_device *out,
4787 int (*okfn)(struct sk_buff *))
4789 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4792 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4793 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4794 struct sk_buff *skb,
4795 const struct net_device *in,
4796 const struct net_device *out,
4797 int (*okfn)(struct sk_buff *))
4799 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4803 #endif /* CONFIG_NETFILTER */
4805 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4809 err = cap_netlink_send(sk, skb);
4813 return selinux_nlmsg_perm(sk, skb);
4816 static int ipc_alloc_security(struct task_struct *task,
4817 struct kern_ipc_perm *perm,
4820 struct ipc_security_struct *isec;
4823 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4827 sid = task_sid(task);
4828 isec->sclass = sclass;
4830 perm->security = isec;
4835 static void ipc_free_security(struct kern_ipc_perm *perm)
4837 struct ipc_security_struct *isec = perm->security;
4838 perm->security = NULL;
4842 static int msg_msg_alloc_security(struct msg_msg *msg)
4844 struct msg_security_struct *msec;
4846 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4850 msec->sid = SECINITSID_UNLABELED;
4851 msg->security = msec;
4856 static void msg_msg_free_security(struct msg_msg *msg)
4858 struct msg_security_struct *msec = msg->security;
4860 msg->security = NULL;
4864 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4867 struct ipc_security_struct *isec;
4868 struct common_audit_data ad;
4869 u32 sid = current_sid();
4871 isec = ipc_perms->security;
4873 ad.type = LSM_AUDIT_DATA_IPC;
4874 ad.u.ipc_id = ipc_perms->key;
4876 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4879 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4881 return msg_msg_alloc_security(msg);
4884 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4886 msg_msg_free_security(msg);
4889 /* message queue security operations */
4890 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4892 struct ipc_security_struct *isec;
4893 struct common_audit_data ad;
4894 u32 sid = current_sid();
4897 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4901 isec = msq->q_perm.security;
4903 ad.type = LSM_AUDIT_DATA_IPC;
4904 ad.u.ipc_id = msq->q_perm.key;
4906 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4909 ipc_free_security(&msq->q_perm);
4915 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4917 ipc_free_security(&msq->q_perm);
4920 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4922 struct ipc_security_struct *isec;
4923 struct common_audit_data ad;
4924 u32 sid = current_sid();
4926 isec = msq->q_perm.security;
4928 ad.type = LSM_AUDIT_DATA_IPC;
4929 ad.u.ipc_id = msq->q_perm.key;
4931 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4932 MSGQ__ASSOCIATE, &ad);
4935 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4943 /* No specific object, just general system-wide information. */
4944 return task_has_system(current, SYSTEM__IPC_INFO);
4947 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4950 perms = MSGQ__SETATTR;
4953 perms = MSGQ__DESTROY;
4959 err = ipc_has_perm(&msq->q_perm, perms);
4963 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4965 struct ipc_security_struct *isec;
4966 struct msg_security_struct *msec;
4967 struct common_audit_data ad;
4968 u32 sid = current_sid();
4971 isec = msq->q_perm.security;
4972 msec = msg->security;
4975 * First time through, need to assign label to the message
4977 if (msec->sid == SECINITSID_UNLABELED) {
4979 * Compute new sid based on current process and
4980 * message queue this message will be stored in
4982 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4988 ad.type = LSM_AUDIT_DATA_IPC;
4989 ad.u.ipc_id = msq->q_perm.key;
4991 /* Can this process write to the queue? */
4992 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4995 /* Can this process send the message */
4996 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4999 /* Can the message be put in the queue? */
5000 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5001 MSGQ__ENQUEUE, &ad);
5006 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5007 struct task_struct *target,
5008 long type, int mode)
5010 struct ipc_security_struct *isec;
5011 struct msg_security_struct *msec;
5012 struct common_audit_data ad;
5013 u32 sid = task_sid(target);
5016 isec = msq->q_perm.security;
5017 msec = msg->security;
5019 ad.type = LSM_AUDIT_DATA_IPC;
5020 ad.u.ipc_id = msq->q_perm.key;
5022 rc = avc_has_perm(sid, isec->sid,
5023 SECCLASS_MSGQ, MSGQ__READ, &ad);
5025 rc = avc_has_perm(sid, msec->sid,
5026 SECCLASS_MSG, MSG__RECEIVE, &ad);
5030 /* Shared Memory security operations */
5031 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5033 struct ipc_security_struct *isec;
5034 struct common_audit_data ad;
5035 u32 sid = current_sid();
5038 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5042 isec = shp->shm_perm.security;
5044 ad.type = LSM_AUDIT_DATA_IPC;
5045 ad.u.ipc_id = shp->shm_perm.key;
5047 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5050 ipc_free_security(&shp->shm_perm);
5056 static void selinux_shm_free_security(struct shmid_kernel *shp)
5058 ipc_free_security(&shp->shm_perm);
5061 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5063 struct ipc_security_struct *isec;
5064 struct common_audit_data ad;
5065 u32 sid = current_sid();
5067 isec = shp->shm_perm.security;
5069 ad.type = LSM_AUDIT_DATA_IPC;
5070 ad.u.ipc_id = shp->shm_perm.key;
5072 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5073 SHM__ASSOCIATE, &ad);
5076 /* Note, at this point, shp is locked down */
5077 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5085 /* No specific object, just general system-wide information. */
5086 return task_has_system(current, SYSTEM__IPC_INFO);
5089 perms = SHM__GETATTR | SHM__ASSOCIATE;
5092 perms = SHM__SETATTR;
5099 perms = SHM__DESTROY;
5105 err = ipc_has_perm(&shp->shm_perm, perms);
5109 static int selinux_shm_shmat(struct shmid_kernel *shp,
5110 char __user *shmaddr, int shmflg)
5114 if (shmflg & SHM_RDONLY)
5117 perms = SHM__READ | SHM__WRITE;
5119 return ipc_has_perm(&shp->shm_perm, perms);
5122 /* Semaphore security operations */
5123 static int selinux_sem_alloc_security(struct sem_array *sma)
5125 struct ipc_security_struct *isec;
5126 struct common_audit_data ad;
5127 u32 sid = current_sid();
5130 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5134 isec = sma->sem_perm.security;
5136 ad.type = LSM_AUDIT_DATA_IPC;
5137 ad.u.ipc_id = sma->sem_perm.key;
5139 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5142 ipc_free_security(&sma->sem_perm);
5148 static void selinux_sem_free_security(struct sem_array *sma)
5150 ipc_free_security(&sma->sem_perm);
5153 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5155 struct ipc_security_struct *isec;
5156 struct common_audit_data ad;
5157 u32 sid = current_sid();
5159 isec = sma->sem_perm.security;
5161 ad.type = LSM_AUDIT_DATA_IPC;
5162 ad.u.ipc_id = sma->sem_perm.key;
5164 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5165 SEM__ASSOCIATE, &ad);
5168 /* Note, at this point, sma is locked down */
5169 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5177 /* No specific object, just general system-wide information. */
5178 return task_has_system(current, SYSTEM__IPC_INFO);
5182 perms = SEM__GETATTR;
5193 perms = SEM__DESTROY;
5196 perms = SEM__SETATTR;
5200 perms = SEM__GETATTR | SEM__ASSOCIATE;
5206 err = ipc_has_perm(&sma->sem_perm, perms);
5210 static int selinux_sem_semop(struct sem_array *sma,
5211 struct sembuf *sops, unsigned nsops, int alter)
5216 perms = SEM__READ | SEM__WRITE;
5220 return ipc_has_perm(&sma->sem_perm, perms);
5223 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5229 av |= IPC__UNIX_READ;
5231 av |= IPC__UNIX_WRITE;
5236 return ipc_has_perm(ipcp, av);
5239 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5241 struct ipc_security_struct *isec = ipcp->security;
5245 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5248 inode_doinit_with_dentry(inode, dentry);
5251 static int selinux_getprocattr(struct task_struct *p,
5252 char *name, char **value)
5254 const struct task_security_struct *__tsec;
5260 error = current_has_perm(p, PROCESS__GETATTR);
5266 __tsec = __task_cred(p)->security;
5268 if (!strcmp(name, "current"))
5270 else if (!strcmp(name, "prev"))
5272 else if (!strcmp(name, "exec"))
5273 sid = __tsec->exec_sid;
5274 else if (!strcmp(name, "fscreate"))
5275 sid = __tsec->create_sid;
5276 else if (!strcmp(name, "keycreate"))
5277 sid = __tsec->keycreate_sid;
5278 else if (!strcmp(name, "sockcreate"))
5279 sid = __tsec->sockcreate_sid;
5287 error = security_sid_to_context(sid, value, &len);
5297 static int selinux_setprocattr(struct task_struct *p,
5298 char *name, void *value, size_t size)
5300 struct task_security_struct *tsec;
5301 struct task_struct *tracer;
5308 /* SELinux only allows a process to change its own
5309 security attributes. */
5314 * Basic control over ability to set these attributes at all.
5315 * current == p, but we'll pass them separately in case the
5316 * above restriction is ever removed.
5318 if (!strcmp(name, "exec"))
5319 error = current_has_perm(p, PROCESS__SETEXEC);
5320 else if (!strcmp(name, "fscreate"))
5321 error = current_has_perm(p, PROCESS__SETFSCREATE);
5322 else if (!strcmp(name, "keycreate"))
5323 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5324 else if (!strcmp(name, "sockcreate"))
5325 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5326 else if (!strcmp(name, "current"))
5327 error = current_has_perm(p, PROCESS__SETCURRENT);
5333 /* Obtain a SID for the context, if one was specified. */
5334 if (size && str[1] && str[1] != '\n') {
5335 if (str[size-1] == '\n') {
5339 error = security_context_to_sid(value, size, &sid);
5340 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5341 if (!capable(CAP_MAC_ADMIN)) {
5342 struct audit_buffer *ab;
5345 /* We strip a nul only if it is at the end, otherwise the
5346 * context contains a nul and we should audit that */
5347 if (str[size - 1] == '\0')
5348 audit_size = size - 1;
5351 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5352 audit_log_format(ab, "op=fscreate invalid_context=");
5353 audit_log_n_untrustedstring(ab, value, audit_size);
5358 error = security_context_to_sid_force(value, size,
5365 new = prepare_creds();
5369 /* Permission checking based on the specified context is
5370 performed during the actual operation (execve,
5371 open/mkdir/...), when we know the full context of the
5372 operation. See selinux_bprm_set_creds for the execve
5373 checks and may_create for the file creation checks. The
5374 operation will then fail if the context is not permitted. */
5375 tsec = new->security;
5376 if (!strcmp(name, "exec")) {
5377 tsec->exec_sid = sid;
5378 } else if (!strcmp(name, "fscreate")) {
5379 tsec->create_sid = sid;
5380 } else if (!strcmp(name, "keycreate")) {
5381 error = may_create_key(sid, p);
5384 tsec->keycreate_sid = sid;
5385 } else if (!strcmp(name, "sockcreate")) {
5386 tsec->sockcreate_sid = sid;
5387 } else if (!strcmp(name, "current")) {
5392 /* Only allow single threaded processes to change context */
5394 if (!current_is_single_threaded()) {
5395 error = security_bounded_transition(tsec->sid, sid);
5400 /* Check permissions for the transition. */
5401 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5402 PROCESS__DYNTRANSITION, NULL);
5406 /* Check for ptracing, and update the task SID if ok.
5407 Otherwise, leave SID unchanged and fail. */
5410 tracer = ptrace_parent(p);
5412 ptsid = task_sid(tracer);
5416 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5417 PROCESS__PTRACE, NULL);
5436 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5438 return security_sid_to_context(secid, secdata, seclen);
5441 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5443 return security_context_to_sid(secdata, seclen, secid);
5446 static void selinux_release_secctx(char *secdata, u32 seclen)
5452 * called with inode->i_mutex locked
5454 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5456 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5460 * called with inode->i_mutex locked
5462 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5464 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5467 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5470 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5479 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5480 unsigned long flags)
5482 const struct task_security_struct *tsec;
5483 struct key_security_struct *ksec;
5485 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5489 tsec = cred->security;
5490 if (tsec->keycreate_sid)
5491 ksec->sid = tsec->keycreate_sid;
5493 ksec->sid = tsec->sid;
5499 static void selinux_key_free(struct key *k)
5501 struct key_security_struct *ksec = k->security;
5507 static int selinux_key_permission(key_ref_t key_ref,
5508 const struct cred *cred,
5512 struct key_security_struct *ksec;
5515 /* if no specific permissions are requested, we skip the
5516 permission check. No serious, additional covert channels
5517 appear to be created. */
5521 sid = cred_sid(cred);
5523 key = key_ref_to_ptr(key_ref);
5524 ksec = key->security;
5526 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5529 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5531 struct key_security_struct *ksec = key->security;
5532 char *context = NULL;
5536 rc = security_sid_to_context(ksec->sid, &context, &len);
5545 static struct security_operations selinux_ops = {
5548 .ptrace_access_check = selinux_ptrace_access_check,
5549 .ptrace_traceme = selinux_ptrace_traceme,
5550 .capget = selinux_capget,
5551 .capset = selinux_capset,
5552 .capable = selinux_capable,
5553 .quotactl = selinux_quotactl,
5554 .quota_on = selinux_quota_on,
5555 .syslog = selinux_syslog,
5556 .vm_enough_memory = selinux_vm_enough_memory,
5558 .netlink_send = selinux_netlink_send,
5560 .bprm_set_creds = selinux_bprm_set_creds,
5561 .bprm_committing_creds = selinux_bprm_committing_creds,
5562 .bprm_committed_creds = selinux_bprm_committed_creds,
5563 .bprm_secureexec = selinux_bprm_secureexec,
5565 .sb_alloc_security = selinux_sb_alloc_security,
5566 .sb_free_security = selinux_sb_free_security,
5567 .sb_copy_data = selinux_sb_copy_data,
5568 .sb_remount = selinux_sb_remount,
5569 .sb_kern_mount = selinux_sb_kern_mount,
5570 .sb_show_options = selinux_sb_show_options,
5571 .sb_statfs = selinux_sb_statfs,
5572 .sb_mount = selinux_mount,
5573 .sb_umount = selinux_umount,
5574 .sb_set_mnt_opts = selinux_set_mnt_opts,
5575 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5576 .sb_parse_opts_str = selinux_parse_opts_str,
5579 .inode_alloc_security = selinux_inode_alloc_security,
5580 .inode_free_security = selinux_inode_free_security,
5581 .inode_init_security = selinux_inode_init_security,
5582 .inode_create = selinux_inode_create,
5583 .inode_link = selinux_inode_link,
5584 .inode_unlink = selinux_inode_unlink,
5585 .inode_symlink = selinux_inode_symlink,
5586 .inode_mkdir = selinux_inode_mkdir,
5587 .inode_rmdir = selinux_inode_rmdir,
5588 .inode_mknod = selinux_inode_mknod,
5589 .inode_rename = selinux_inode_rename,
5590 .inode_readlink = selinux_inode_readlink,
5591 .inode_follow_link = selinux_inode_follow_link,
5592 .inode_permission = selinux_inode_permission,
5593 .inode_setattr = selinux_inode_setattr,
5594 .inode_getattr = selinux_inode_getattr,
5595 .inode_setxattr = selinux_inode_setxattr,
5596 .inode_post_setxattr = selinux_inode_post_setxattr,
5597 .inode_getxattr = selinux_inode_getxattr,
5598 .inode_listxattr = selinux_inode_listxattr,
5599 .inode_removexattr = selinux_inode_removexattr,
5600 .inode_getsecurity = selinux_inode_getsecurity,
5601 .inode_setsecurity = selinux_inode_setsecurity,
5602 .inode_listsecurity = selinux_inode_listsecurity,
5603 .inode_getsecid = selinux_inode_getsecid,
5605 .file_permission = selinux_file_permission,
5606 .file_alloc_security = selinux_file_alloc_security,
5607 .file_free_security = selinux_file_free_security,
5608 .file_ioctl = selinux_file_ioctl,
5609 .mmap_file = selinux_mmap_file,
5610 .mmap_addr = selinux_mmap_addr,
5611 .file_mprotect = selinux_file_mprotect,
5612 .file_lock = selinux_file_lock,
5613 .file_fcntl = selinux_file_fcntl,
5614 .file_set_fowner = selinux_file_set_fowner,
5615 .file_send_sigiotask = selinux_file_send_sigiotask,
5616 .file_receive = selinux_file_receive,
5618 .file_open = selinux_file_open,
5620 .task_create = selinux_task_create,
5621 .cred_alloc_blank = selinux_cred_alloc_blank,
5622 .cred_free = selinux_cred_free,
5623 .cred_prepare = selinux_cred_prepare,
5624 .cred_transfer = selinux_cred_transfer,
5625 .kernel_act_as = selinux_kernel_act_as,
5626 .kernel_create_files_as = selinux_kernel_create_files_as,
5627 .kernel_module_request = selinux_kernel_module_request,
5628 .task_setpgid = selinux_task_setpgid,
5629 .task_getpgid = selinux_task_getpgid,
5630 .task_getsid = selinux_task_getsid,
5631 .task_getsecid = selinux_task_getsecid,
5632 .task_setnice = selinux_task_setnice,
5633 .task_setioprio = selinux_task_setioprio,
5634 .task_getioprio = selinux_task_getioprio,
5635 .task_setrlimit = selinux_task_setrlimit,
5636 .task_setscheduler = selinux_task_setscheduler,
5637 .task_getscheduler = selinux_task_getscheduler,
5638 .task_movememory = selinux_task_movememory,
5639 .task_kill = selinux_task_kill,
5640 .task_wait = selinux_task_wait,
5641 .task_to_inode = selinux_task_to_inode,
5643 .ipc_permission = selinux_ipc_permission,
5644 .ipc_getsecid = selinux_ipc_getsecid,
5646 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5647 .msg_msg_free_security = selinux_msg_msg_free_security,
5649 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5650 .msg_queue_free_security = selinux_msg_queue_free_security,
5651 .msg_queue_associate = selinux_msg_queue_associate,
5652 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5653 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5654 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5656 .shm_alloc_security = selinux_shm_alloc_security,
5657 .shm_free_security = selinux_shm_free_security,
5658 .shm_associate = selinux_shm_associate,
5659 .shm_shmctl = selinux_shm_shmctl,
5660 .shm_shmat = selinux_shm_shmat,
5662 .sem_alloc_security = selinux_sem_alloc_security,
5663 .sem_free_security = selinux_sem_free_security,
5664 .sem_associate = selinux_sem_associate,
5665 .sem_semctl = selinux_sem_semctl,
5666 .sem_semop = selinux_sem_semop,
5668 .d_instantiate = selinux_d_instantiate,
5670 .getprocattr = selinux_getprocattr,
5671 .setprocattr = selinux_setprocattr,
5673 .secid_to_secctx = selinux_secid_to_secctx,
5674 .secctx_to_secid = selinux_secctx_to_secid,
5675 .release_secctx = selinux_release_secctx,
5676 .inode_notifysecctx = selinux_inode_notifysecctx,
5677 .inode_setsecctx = selinux_inode_setsecctx,
5678 .inode_getsecctx = selinux_inode_getsecctx,
5680 .unix_stream_connect = selinux_socket_unix_stream_connect,
5681 .unix_may_send = selinux_socket_unix_may_send,
5683 .socket_create = selinux_socket_create,
5684 .socket_post_create = selinux_socket_post_create,
5685 .socket_bind = selinux_socket_bind,
5686 .socket_connect = selinux_socket_connect,
5687 .socket_listen = selinux_socket_listen,
5688 .socket_accept = selinux_socket_accept,
5689 .socket_sendmsg = selinux_socket_sendmsg,
5690 .socket_recvmsg = selinux_socket_recvmsg,
5691 .socket_getsockname = selinux_socket_getsockname,
5692 .socket_getpeername = selinux_socket_getpeername,
5693 .socket_getsockopt = selinux_socket_getsockopt,
5694 .socket_setsockopt = selinux_socket_setsockopt,
5695 .socket_shutdown = selinux_socket_shutdown,
5696 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5697 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5698 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5699 .sk_alloc_security = selinux_sk_alloc_security,
5700 .sk_free_security = selinux_sk_free_security,
5701 .sk_clone_security = selinux_sk_clone_security,
5702 .sk_getsecid = selinux_sk_getsecid,
5703 .sock_graft = selinux_sock_graft,
5704 .inet_conn_request = selinux_inet_conn_request,
5705 .inet_csk_clone = selinux_inet_csk_clone,
5706 .inet_conn_established = selinux_inet_conn_established,
5707 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5708 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5709 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5710 .req_classify_flow = selinux_req_classify_flow,
5711 .tun_dev_alloc_security = selinux_tun_dev_alloc_security,
5712 .tun_dev_free_security = selinux_tun_dev_free_security,
5713 .tun_dev_create = selinux_tun_dev_create,
5714 .tun_dev_attach_queue = selinux_tun_dev_attach_queue,
5715 .tun_dev_attach = selinux_tun_dev_attach,
5716 .tun_dev_open = selinux_tun_dev_open,
5717 .skb_owned_by = selinux_skb_owned_by,
5719 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5720 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5721 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5722 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5723 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5724 .xfrm_state_alloc = selinux_xfrm_state_alloc,
5725 .xfrm_state_alloc_acquire = selinux_xfrm_state_alloc_acquire,
5726 .xfrm_state_free_security = selinux_xfrm_state_free,
5727 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5728 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5729 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5730 .xfrm_decode_session = selinux_xfrm_decode_session,
5734 .key_alloc = selinux_key_alloc,
5735 .key_free = selinux_key_free,
5736 .key_permission = selinux_key_permission,
5737 .key_getsecurity = selinux_key_getsecurity,
5741 .audit_rule_init = selinux_audit_rule_init,
5742 .audit_rule_known = selinux_audit_rule_known,
5743 .audit_rule_match = selinux_audit_rule_match,
5744 .audit_rule_free = selinux_audit_rule_free,
5748 static __init int selinux_init(void)
5750 if (!security_module_enable(&selinux_ops)) {
5751 selinux_enabled = 0;
5755 if (!selinux_enabled) {
5756 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5760 printk(KERN_INFO "SELinux: Initializing.\n");
5762 /* Set the security state for the initial task. */
5763 cred_init_security();
5765 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
5767 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5768 sizeof(struct inode_security_struct),
5769 0, SLAB_PANIC, NULL);
5772 if (register_security(&selinux_ops))
5773 panic("SELinux: Unable to register with kernel.\n");
5775 if (selinux_enforcing)
5776 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5778 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5783 static void delayed_superblock_init(struct super_block *sb, void *unused)
5785 superblock_doinit(sb, NULL);
5788 void selinux_complete_init(void)
5790 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5792 /* Set up any superblocks initialized prior to the policy load. */
5793 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5794 iterate_supers(delayed_superblock_init, NULL);
5797 /* SELinux requires early initialization in order to label
5798 all processes and objects when they are created. */
5799 security_initcall(selinux_init);
5801 #if defined(CONFIG_NETFILTER)
5803 static struct nf_hook_ops selinux_ipv4_ops[] = {
5805 .hook = selinux_ipv4_postroute,
5806 .owner = THIS_MODULE,
5808 .hooknum = NF_INET_POST_ROUTING,
5809 .priority = NF_IP_PRI_SELINUX_LAST,
5812 .hook = selinux_ipv4_forward,
5813 .owner = THIS_MODULE,
5815 .hooknum = NF_INET_FORWARD,
5816 .priority = NF_IP_PRI_SELINUX_FIRST,
5819 .hook = selinux_ipv4_output,
5820 .owner = THIS_MODULE,
5822 .hooknum = NF_INET_LOCAL_OUT,
5823 .priority = NF_IP_PRI_SELINUX_FIRST,
5827 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5829 static struct nf_hook_ops selinux_ipv6_ops[] = {
5831 .hook = selinux_ipv6_postroute,
5832 .owner = THIS_MODULE,
5834 .hooknum = NF_INET_POST_ROUTING,
5835 .priority = NF_IP6_PRI_SELINUX_LAST,
5838 .hook = selinux_ipv6_forward,
5839 .owner = THIS_MODULE,
5841 .hooknum = NF_INET_FORWARD,
5842 .priority = NF_IP6_PRI_SELINUX_FIRST,
5848 static int __init selinux_nf_ip_init(void)
5852 if (!selinux_enabled)
5855 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5857 err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5859 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5861 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5862 err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5864 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5871 __initcall(selinux_nf_ip_init);
5873 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5874 static void selinux_nf_ip_exit(void)
5876 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5878 nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5879 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5880 nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5885 #else /* CONFIG_NETFILTER */
5887 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5888 #define selinux_nf_ip_exit()
5891 #endif /* CONFIG_NETFILTER */
5893 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5894 static int selinux_disabled;
5896 int selinux_disable(void)
5898 if (ss_initialized) {
5899 /* Not permitted after initial policy load. */
5903 if (selinux_disabled) {
5904 /* Only do this once. */
5908 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5910 selinux_disabled = 1;
5911 selinux_enabled = 0;
5913 reset_security_ops();
5915 /* Try to destroy the avc node cache */
5918 /* Unregister netfilter hooks. */
5919 selinux_nf_ip_exit();
5921 /* Unregister selinuxfs. */