1 /* Updated: Karl MacMillan <kmacmillan@tresys.com>
3 * Added conditional policy language extensions
5 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
6 * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, version 2.
12 #include <linux/config.h>
13 #include <linux/kernel.h>
14 #include <linux/pagemap.h>
15 #include <linux/slab.h>
16 #include <linux/vmalloc.h>
18 #include <linux/mutex.h>
19 #include <linux/init.h>
20 #include <linux/string.h>
21 #include <linux/security.h>
22 #include <linux/major.h>
23 #include <linux/seq_file.h>
24 #include <linux/percpu.h>
25 #include <asm/uaccess.h>
26 #include <asm/semaphore.h>
28 /* selinuxfs pseudo filesystem for exporting the security policy API.
29 Based on the proc code and the fs/nfsd/nfsctl.c code. */
36 #include "conditional.h"
38 unsigned int selinux_checkreqprot
= CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE
;
40 static int __init
checkreqprot_setup(char *str
)
42 selinux_checkreqprot
= simple_strtoul(str
,NULL
,0) ? 1 : 0;
45 __setup("checkreqprot=", checkreqprot_setup
);
48 static DEFINE_MUTEX(sel_mutex
);
50 /* global data for booleans */
51 static struct dentry
*bool_dir
= NULL
;
52 static int bool_num
= 0;
53 static int *bool_pending_values
= NULL
;
55 extern void selnl_notify_setenforce(int val
);
57 /* Check whether a task is allowed to use a security operation. */
58 static int task_has_security(struct task_struct
*tsk
,
61 struct task_security_struct
*tsec
;
67 return avc_has_perm(tsec
->sid
, SECINITSID_SECURITY
,
68 SECCLASS_SECURITY
, perms
, NULL
);
73 SEL_LOAD
, /* load policy */
74 SEL_ENFORCE
, /* get or set enforcing status */
75 SEL_CONTEXT
, /* validate context */
76 SEL_ACCESS
, /* compute access decision */
77 SEL_CREATE
, /* compute create labeling decision */
78 SEL_RELABEL
, /* compute relabeling decision */
79 SEL_USER
, /* compute reachable user contexts */
80 SEL_POLICYVERS
, /* return policy version for this kernel */
81 SEL_COMMIT_BOOLS
, /* commit new boolean values */
82 SEL_MLS
, /* return if MLS policy is enabled */
83 SEL_DISABLE
, /* disable SELinux until next reboot */
84 SEL_AVC
, /* AVC management directory */
85 SEL_MEMBER
, /* compute polyinstantiation membership decision */
86 SEL_CHECKREQPROT
, /* check requested protection, not kernel-applied one */
90 static ssize_t
sel_read_enforce(struct file
*filp
, char __user
*buf
,
91 size_t count
, loff_t
*ppos
)
93 char tmpbuf
[TMPBUFLEN
];
96 length
= scnprintf(tmpbuf
, TMPBUFLEN
, "%d", selinux_enforcing
);
97 return simple_read_from_buffer(buf
, count
, ppos
, tmpbuf
, length
);
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 static ssize_t
sel_write_enforce(struct file
* file
, const char __user
* buf
,
102 size_t count
, loff_t
*ppos
)
109 if (count
>= PAGE_SIZE
)
112 /* No partial writes. */
115 page
= (char*)get_zeroed_page(GFP_KERNEL
);
119 if (copy_from_user(page
, buf
, count
))
123 if (sscanf(page
, "%d", &new_value
) != 1)
126 if (new_value
!= selinux_enforcing
) {
127 length
= task_has_security(current
, SECURITY__SETENFORCE
);
130 selinux_enforcing
= new_value
;
131 if (selinux_enforcing
)
133 selnl_notify_setenforce(selinux_enforcing
);
137 free_page((unsigned long) page
);
141 #define sel_write_enforce NULL
144 static struct file_operations sel_enforce_ops
= {
145 .read
= sel_read_enforce
,
146 .write
= sel_write_enforce
,
149 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
150 static ssize_t
sel_write_disable(struct file
* file
, const char __user
* buf
,
151 size_t count
, loff_t
*ppos
)
157 extern int selinux_disable(void);
159 if (count
>= PAGE_SIZE
)
162 /* No partial writes. */
165 page
= (char*)get_zeroed_page(GFP_KERNEL
);
169 if (copy_from_user(page
, buf
, count
))
173 if (sscanf(page
, "%d", &new_value
) != 1)
177 length
= selinux_disable();
184 free_page((unsigned long) page
);
188 #define sel_write_disable NULL
191 static struct file_operations sel_disable_ops
= {
192 .write
= sel_write_disable
,
195 static ssize_t
sel_read_policyvers(struct file
*filp
, char __user
*buf
,
196 size_t count
, loff_t
*ppos
)
198 char tmpbuf
[TMPBUFLEN
];
201 length
= scnprintf(tmpbuf
, TMPBUFLEN
, "%u", POLICYDB_VERSION_MAX
);
202 return simple_read_from_buffer(buf
, count
, ppos
, tmpbuf
, length
);
205 static struct file_operations sel_policyvers_ops
= {
206 .read
= sel_read_policyvers
,
209 /* declaration for sel_write_load */
210 static int sel_make_bools(void);
212 static ssize_t
sel_read_mls(struct file
*filp
, char __user
*buf
,
213 size_t count
, loff_t
*ppos
)
215 char tmpbuf
[TMPBUFLEN
];
218 length
= scnprintf(tmpbuf
, TMPBUFLEN
, "%d", selinux_mls_enabled
);
219 return simple_read_from_buffer(buf
, count
, ppos
, tmpbuf
, length
);
222 static struct file_operations sel_mls_ops
= {
223 .read
= sel_read_mls
,
226 static ssize_t
sel_write_load(struct file
* file
, const char __user
* buf
,
227 size_t count
, loff_t
*ppos
)
234 mutex_lock(&sel_mutex
);
236 length
= task_has_security(current
, SECURITY__LOAD_POLICY
);
241 /* No partial writes. */
246 if ((count
> 64 * 1024 * 1024)
247 || (data
= vmalloc(count
)) == NULL
) {
253 if (copy_from_user(data
, buf
, count
) != 0)
256 length
= security_load_policy(data
, count
);
260 ret
= sel_make_bools();
266 mutex_unlock(&sel_mutex
);
271 static struct file_operations sel_load_ops
= {
272 .write
= sel_write_load
,
275 static ssize_t
sel_write_context(struct file
* file
, char *buf
, size_t size
)
281 length
= task_has_security(current
, SECURITY__CHECK_CONTEXT
);
285 length
= security_context_to_sid(buf
, size
, &sid
);
289 length
= security_sid_to_context(sid
, &canon
, &len
);
293 if (len
> SIMPLE_TRANSACTION_LIMIT
) {
294 printk(KERN_ERR
"%s: context size (%u) exceeds payload "
295 "max\n", __FUNCTION__
, len
);
300 memcpy(buf
, canon
, len
);
307 static ssize_t
sel_read_checkreqprot(struct file
*filp
, char __user
*buf
,
308 size_t count
, loff_t
*ppos
)
310 char tmpbuf
[TMPBUFLEN
];
313 length
= scnprintf(tmpbuf
, TMPBUFLEN
, "%u", selinux_checkreqprot
);
314 return simple_read_from_buffer(buf
, count
, ppos
, tmpbuf
, length
);
317 static ssize_t
sel_write_checkreqprot(struct file
* file
, const char __user
* buf
,
318 size_t count
, loff_t
*ppos
)
322 unsigned int new_value
;
324 length
= task_has_security(current
, SECURITY__SETCHECKREQPROT
);
328 if (count
>= PAGE_SIZE
)
331 /* No partial writes. */
334 page
= (char*)get_zeroed_page(GFP_KERNEL
);
338 if (copy_from_user(page
, buf
, count
))
342 if (sscanf(page
, "%u", &new_value
) != 1)
345 selinux_checkreqprot
= new_value
? 1 : 0;
348 free_page((unsigned long) page
);
351 static struct file_operations sel_checkreqprot_ops
= {
352 .read
= sel_read_checkreqprot
,
353 .write
= sel_write_checkreqprot
,
357 * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
359 static ssize_t
sel_write_access(struct file
* file
, char *buf
, size_t size
);
360 static ssize_t
sel_write_create(struct file
* file
, char *buf
, size_t size
);
361 static ssize_t
sel_write_relabel(struct file
* file
, char *buf
, size_t size
);
362 static ssize_t
sel_write_user(struct file
* file
, char *buf
, size_t size
);
363 static ssize_t
sel_write_member(struct file
* file
, char *buf
, size_t size
);
365 static ssize_t (*write_op
[])(struct file
*, char *, size_t) = {
366 [SEL_ACCESS
] = sel_write_access
,
367 [SEL_CREATE
] = sel_write_create
,
368 [SEL_RELABEL
] = sel_write_relabel
,
369 [SEL_USER
] = sel_write_user
,
370 [SEL_MEMBER
] = sel_write_member
,
371 [SEL_CONTEXT
] = sel_write_context
,
374 static ssize_t
selinux_transaction_write(struct file
*file
, const char __user
*buf
, size_t size
, loff_t
*pos
)
376 ino_t ino
= file
->f_dentry
->d_inode
->i_ino
;
380 if (ino
>= ARRAY_SIZE(write_op
) || !write_op
[ino
])
383 data
= simple_transaction_get(file
, buf
, size
);
385 return PTR_ERR(data
);
387 rv
= write_op
[ino
](file
, data
, size
);
389 simple_transaction_set(file
, rv
);
395 static struct file_operations transaction_ops
= {
396 .write
= selinux_transaction_write
,
397 .read
= simple_transaction_read
,
398 .release
= simple_transaction_release
,
402 * payload - write methods
403 * If the method has a response, the response should be put in buf,
404 * and the length returned. Otherwise return 0 or and -error.
407 static ssize_t
sel_write_access(struct file
* file
, char *buf
, size_t size
)
413 struct av_decision avd
;
416 length
= task_has_security(current
, SECURITY__COMPUTE_AV
);
421 scon
= kzalloc(size
+1, GFP_KERNEL
);
425 tcon
= kzalloc(size
+1, GFP_KERNEL
);
430 if (sscanf(buf
, "%s %s %hu %x", scon
, tcon
, &tclass
, &req
) != 4)
433 length
= security_context_to_sid(scon
, strlen(scon
)+1, &ssid
);
436 length
= security_context_to_sid(tcon
, strlen(tcon
)+1, &tsid
);
440 length
= security_compute_av(ssid
, tsid
, tclass
, req
, &avd
);
444 length
= scnprintf(buf
, SIMPLE_TRANSACTION_LIMIT
,
446 avd
.allowed
, avd
.decided
,
447 avd
.auditallow
, avd
.auditdeny
,
456 static ssize_t
sel_write_create(struct file
* file
, char *buf
, size_t size
)
459 u32 ssid
, tsid
, newsid
;
465 length
= task_has_security(current
, SECURITY__COMPUTE_CREATE
);
470 scon
= kzalloc(size
+1, GFP_KERNEL
);
474 tcon
= kzalloc(size
+1, GFP_KERNEL
);
479 if (sscanf(buf
, "%s %s %hu", scon
, tcon
, &tclass
) != 3)
482 length
= security_context_to_sid(scon
, strlen(scon
)+1, &ssid
);
485 length
= security_context_to_sid(tcon
, strlen(tcon
)+1, &tsid
);
489 length
= security_transition_sid(ssid
, tsid
, tclass
, &newsid
);
493 length
= security_sid_to_context(newsid
, &newcon
, &len
);
497 if (len
> SIMPLE_TRANSACTION_LIMIT
) {
498 printk(KERN_ERR
"%s: context size (%u) exceeds payload "
499 "max\n", __FUNCTION__
, len
);
504 memcpy(buf
, newcon
, len
);
515 static ssize_t
sel_write_relabel(struct file
* file
, char *buf
, size_t size
)
518 u32 ssid
, tsid
, newsid
;
524 length
= task_has_security(current
, SECURITY__COMPUTE_RELABEL
);
529 scon
= kzalloc(size
+1, GFP_KERNEL
);
533 tcon
= kzalloc(size
+1, GFP_KERNEL
);
538 if (sscanf(buf
, "%s %s %hu", scon
, tcon
, &tclass
) != 3)
541 length
= security_context_to_sid(scon
, strlen(scon
)+1, &ssid
);
544 length
= security_context_to_sid(tcon
, strlen(tcon
)+1, &tsid
);
548 length
= security_change_sid(ssid
, tsid
, tclass
, &newsid
);
552 length
= security_sid_to_context(newsid
, &newcon
, &len
);
556 if (len
> SIMPLE_TRANSACTION_LIMIT
) {
561 memcpy(buf
, newcon
, len
);
572 static ssize_t
sel_write_user(struct file
* file
, char *buf
, size_t size
)
574 char *con
, *user
, *ptr
;
581 length
= task_has_security(current
, SECURITY__COMPUTE_USER
);
586 con
= kzalloc(size
+1, GFP_KERNEL
);
590 user
= kzalloc(size
+1, GFP_KERNEL
);
595 if (sscanf(buf
, "%s %s", con
, user
) != 2)
598 length
= security_context_to_sid(con
, strlen(con
)+1, &sid
);
602 length
= security_get_user_sids(sid
, user
, &sids
, &nsids
);
606 length
= sprintf(buf
, "%u", nsids
) + 1;
608 for (i
= 0; i
< nsids
; i
++) {
609 rc
= security_sid_to_context(sids
[i
], &newcon
, &len
);
614 if ((length
+ len
) >= SIMPLE_TRANSACTION_LIMIT
) {
619 memcpy(ptr
, newcon
, len
);
633 static ssize_t
sel_write_member(struct file
* file
, char *buf
, size_t size
)
636 u32 ssid
, tsid
, newsid
;
642 length
= task_has_security(current
, SECURITY__COMPUTE_MEMBER
);
647 scon
= kzalloc(size
+1, GFP_KERNEL
);
651 tcon
= kzalloc(size
+1, GFP_KERNEL
);
656 if (sscanf(buf
, "%s %s %hu", scon
, tcon
, &tclass
) != 3)
659 length
= security_context_to_sid(scon
, strlen(scon
)+1, &ssid
);
662 length
= security_context_to_sid(tcon
, strlen(tcon
)+1, &tsid
);
666 length
= security_member_sid(ssid
, tsid
, tclass
, &newsid
);
670 length
= security_sid_to_context(newsid
, &newcon
, &len
);
674 if (len
> SIMPLE_TRANSACTION_LIMIT
) {
675 printk(KERN_ERR
"%s: context size (%u) exceeds payload "
676 "max\n", __FUNCTION__
, len
);
681 memcpy(buf
, newcon
, len
);
692 static struct inode
*sel_make_inode(struct super_block
*sb
, int mode
)
694 struct inode
*ret
= new_inode(sb
);
698 ret
->i_uid
= ret
->i_gid
= 0;
699 ret
->i_blksize
= PAGE_CACHE_SIZE
;
701 ret
->i_atime
= ret
->i_mtime
= ret
->i_ctime
= CURRENT_TIME
;
706 #define BOOL_INO_OFFSET 30
708 static ssize_t
sel_read_bool(struct file
*filep
, char __user
*buf
,
709 size_t count
, loff_t
*ppos
)
717 mutex_lock(&sel_mutex
);
721 /* check to see if this file has been deleted */
725 if (count
> PAGE_SIZE
) {
729 if (!(page
= (char*)get_zeroed_page(GFP_KERNEL
))) {
734 inode
= filep
->f_dentry
->d_inode
;
735 cur_enforcing
= security_get_bool_value(inode
->i_ino
- BOOL_INO_OFFSET
);
736 if (cur_enforcing
< 0) {
741 length
= scnprintf(page
, PAGE_SIZE
, "%d %d", cur_enforcing
,
742 bool_pending_values
[inode
->i_ino
- BOOL_INO_OFFSET
]);
743 ret
= simple_read_from_buffer(buf
, count
, ppos
, page
, length
);
745 mutex_unlock(&sel_mutex
);
747 free_page((unsigned long)page
);
751 static ssize_t
sel_write_bool(struct file
*filep
, const char __user
*buf
,
752 size_t count
, loff_t
*ppos
)
755 ssize_t length
= -EFAULT
;
759 mutex_lock(&sel_mutex
);
761 length
= task_has_security(current
, SECURITY__SETBOOL
);
765 /* check to see if this file has been deleted */
769 if (count
>= PAGE_SIZE
) {
774 /* No partial writes. */
777 page
= (char*)get_zeroed_page(GFP_KERNEL
);
783 if (copy_from_user(page
, buf
, count
))
787 if (sscanf(page
, "%d", &new_value
) != 1)
793 inode
= filep
->f_dentry
->d_inode
;
794 bool_pending_values
[inode
->i_ino
- BOOL_INO_OFFSET
] = new_value
;
798 mutex_unlock(&sel_mutex
);
800 free_page((unsigned long) page
);
804 static struct file_operations sel_bool_ops
= {
805 .read
= sel_read_bool
,
806 .write
= sel_write_bool
,
809 static ssize_t
sel_commit_bools_write(struct file
*filep
,
810 const char __user
*buf
,
811 size_t count
, loff_t
*ppos
)
814 ssize_t length
= -EFAULT
;
817 mutex_lock(&sel_mutex
);
819 length
= task_has_security(current
, SECURITY__SETBOOL
);
823 /* check to see if this file has been deleted */
827 if (count
>= PAGE_SIZE
) {
832 /* No partial writes. */
835 page
= (char*)get_zeroed_page(GFP_KERNEL
);
841 if (copy_from_user(page
, buf
, count
))
845 if (sscanf(page
, "%d", &new_value
) != 1)
848 if (new_value
&& bool_pending_values
) {
849 security_set_bools(bool_num
, bool_pending_values
);
855 mutex_unlock(&sel_mutex
);
857 free_page((unsigned long) page
);
861 static struct file_operations sel_commit_bools_ops
= {
862 .write
= sel_commit_bools_write
,
865 /* delete booleans - partial revoke() from
866 * fs/proc/generic.c proc_kill_inodes */
867 static void sel_remove_bools(struct dentry
*de
)
869 struct list_head
*p
, *node
;
870 struct super_block
*sb
= de
->d_sb
;
872 spin_lock(&dcache_lock
);
873 node
= de
->d_subdirs
.next
;
874 while (node
!= &de
->d_subdirs
) {
875 struct dentry
*d
= list_entry(node
, struct dentry
, d_u
.d_child
);
880 spin_unlock(&dcache_lock
);
882 simple_unlink(de
->d_inode
, d
);
884 spin_lock(&dcache_lock
);
886 node
= de
->d_subdirs
.next
;
889 spin_unlock(&dcache_lock
);
892 list_for_each(p
, &sb
->s_files
) {
893 struct file
* filp
= list_entry(p
, struct file
, f_u
.fu_list
);
894 struct dentry
* dentry
= filp
->f_dentry
;
896 if (dentry
->d_parent
!= de
) {
904 #define BOOL_DIR_NAME "booleans"
906 static int sel_make_bools(void)
910 struct dentry
*dentry
= NULL
;
911 struct dentry
*dir
= bool_dir
;
912 struct inode
*inode
= NULL
;
913 struct inode_security_struct
*isec
;
914 char **names
= NULL
, *page
;
919 /* remove any existing files */
920 kfree(bool_pending_values
);
921 bool_pending_values
= NULL
;
923 sel_remove_bools(dir
);
925 if (!(page
= (char*)get_zeroed_page(GFP_KERNEL
)))
928 ret
= security_get_bools(&num
, &names
, &values
);
932 for (i
= 0; i
< num
; i
++) {
933 dentry
= d_alloc_name(dir
, names
[i
]);
938 inode
= sel_make_inode(dir
->d_sb
, S_IFREG
| S_IRUGO
| S_IWUSR
);
944 len
= snprintf(page
, PAGE_SIZE
, "/%s/%s", BOOL_DIR_NAME
, names
[i
]);
948 } else if (len
>= PAGE_SIZE
) {
952 isec
= (struct inode_security_struct
*)inode
->i_security
;
953 if ((ret
= security_genfs_sid("selinuxfs", page
, SECCLASS_FILE
, &sid
)))
956 isec
->initialized
= 1;
957 inode
->i_fop
= &sel_bool_ops
;
958 inode
->i_ino
= i
+ BOOL_INO_OFFSET
;
959 d_add(dentry
, inode
);
962 bool_pending_values
= values
;
964 free_page((unsigned long)page
);
966 for (i
= 0; i
< num
; i
++)
978 #define NULL_FILE_NAME "null"
980 struct dentry
*selinux_null
= NULL
;
982 static ssize_t
sel_read_avc_cache_threshold(struct file
*filp
, char __user
*buf
,
983 size_t count
, loff_t
*ppos
)
985 char tmpbuf
[TMPBUFLEN
];
988 length
= scnprintf(tmpbuf
, TMPBUFLEN
, "%u", avc_cache_threshold
);
989 return simple_read_from_buffer(buf
, count
, ppos
, tmpbuf
, length
);
992 static ssize_t
sel_write_avc_cache_threshold(struct file
* file
,
993 const char __user
* buf
,
994 size_t count
, loff_t
*ppos
)
1001 if (count
>= PAGE_SIZE
) {
1007 /* No partial writes. */
1012 page
= (char*)get_zeroed_page(GFP_KERNEL
);
1018 if (copy_from_user(page
, buf
, count
)) {
1023 if (sscanf(page
, "%u", &new_value
) != 1) {
1028 if (new_value
!= avc_cache_threshold
) {
1029 ret
= task_has_security(current
, SECURITY__SETSECPARAM
);
1032 avc_cache_threshold
= new_value
;
1036 free_page((unsigned long)page
);
1041 static ssize_t
sel_read_avc_hash_stats(struct file
*filp
, char __user
*buf
,
1042 size_t count
, loff_t
*ppos
)
1047 page
= (char *)__get_free_page(GFP_KERNEL
);
1052 ret
= avc_get_hash_stats(page
);
1054 ret
= simple_read_from_buffer(buf
, count
, ppos
, page
, ret
);
1055 free_page((unsigned long)page
);
1060 static struct file_operations sel_avc_cache_threshold_ops
= {
1061 .read
= sel_read_avc_cache_threshold
,
1062 .write
= sel_write_avc_cache_threshold
,
1065 static struct file_operations sel_avc_hash_stats_ops
= {
1066 .read
= sel_read_avc_hash_stats
,
1069 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
1070 static struct avc_cache_stats
*sel_avc_get_stat_idx(loff_t
*idx
)
1074 for (cpu
= *idx
; cpu
< NR_CPUS
; ++cpu
) {
1075 if (!cpu_possible(cpu
))
1078 return &per_cpu(avc_cache_stats
, cpu
);
1083 static void *sel_avc_stats_seq_start(struct seq_file
*seq
, loff_t
*pos
)
1085 loff_t n
= *pos
- 1;
1088 return SEQ_START_TOKEN
;
1090 return sel_avc_get_stat_idx(&n
);
1093 static void *sel_avc_stats_seq_next(struct seq_file
*seq
, void *v
, loff_t
*pos
)
1095 return sel_avc_get_stat_idx(pos
);
1098 static int sel_avc_stats_seq_show(struct seq_file
*seq
, void *v
)
1100 struct avc_cache_stats
*st
= v
;
1102 if (v
== SEQ_START_TOKEN
)
1103 seq_printf(seq
, "lookups hits misses allocations reclaims "
1106 seq_printf(seq
, "%u %u %u %u %u %u\n", st
->lookups
,
1107 st
->hits
, st
->misses
, st
->allocations
,
1108 st
->reclaims
, st
->frees
);
1112 static void sel_avc_stats_seq_stop(struct seq_file
*seq
, void *v
)
1115 static struct seq_operations sel_avc_cache_stats_seq_ops
= {
1116 .start
= sel_avc_stats_seq_start
,
1117 .next
= sel_avc_stats_seq_next
,
1118 .show
= sel_avc_stats_seq_show
,
1119 .stop
= sel_avc_stats_seq_stop
,
1122 static int sel_open_avc_cache_stats(struct inode
*inode
, struct file
*file
)
1124 return seq_open(file
, &sel_avc_cache_stats_seq_ops
);
1127 static struct file_operations sel_avc_cache_stats_ops
= {
1128 .open
= sel_open_avc_cache_stats
,
1130 .llseek
= seq_lseek
,
1131 .release
= seq_release
,
1135 static int sel_make_avc_files(struct dentry
*dir
)
1138 static struct tree_descr files
[] = {
1139 { "cache_threshold",
1140 &sel_avc_cache_threshold_ops
, S_IRUGO
|S_IWUSR
},
1141 { "hash_stats", &sel_avc_hash_stats_ops
, S_IRUGO
},
1142 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
1143 { "cache_stats", &sel_avc_cache_stats_ops
, S_IRUGO
},
1147 for (i
= 0; i
< ARRAY_SIZE(files
); i
++) {
1148 struct inode
*inode
;
1149 struct dentry
*dentry
;
1151 dentry
= d_alloc_name(dir
, files
[i
].name
);
1157 inode
= sel_make_inode(dir
->d_sb
, S_IFREG
|files
[i
].mode
);
1162 inode
->i_fop
= files
[i
].ops
;
1163 d_add(dentry
, inode
);
1172 static int sel_make_dir(struct super_block
*sb
, struct dentry
*dentry
)
1175 struct inode
*inode
;
1177 inode
= sel_make_inode(sb
, S_IFDIR
| S_IRUGO
| S_IXUGO
);
1182 inode
->i_op
= &simple_dir_inode_operations
;
1183 inode
->i_fop
= &simple_dir_operations
;
1184 /* directory inodes start off with i_nlink == 2 (for "." entry) */
1186 d_add(dentry
, inode
);
1191 static int sel_fill_super(struct super_block
* sb
, void * data
, int silent
)
1194 struct dentry
*dentry
;
1195 struct inode
*inode
;
1196 struct inode_security_struct
*isec
;
1198 static struct tree_descr selinux_files
[] = {
1199 [SEL_LOAD
] = {"load", &sel_load_ops
, S_IRUSR
|S_IWUSR
},
1200 [SEL_ENFORCE
] = {"enforce", &sel_enforce_ops
, S_IRUGO
|S_IWUSR
},
1201 [SEL_CONTEXT
] = {"context", &transaction_ops
, S_IRUGO
|S_IWUGO
},
1202 [SEL_ACCESS
] = {"access", &transaction_ops
, S_IRUGO
|S_IWUGO
},
1203 [SEL_CREATE
] = {"create", &transaction_ops
, S_IRUGO
|S_IWUGO
},
1204 [SEL_RELABEL
] = {"relabel", &transaction_ops
, S_IRUGO
|S_IWUGO
},
1205 [SEL_USER
] = {"user", &transaction_ops
, S_IRUGO
|S_IWUGO
},
1206 [SEL_POLICYVERS
] = {"policyvers", &sel_policyvers_ops
, S_IRUGO
},
1207 [SEL_COMMIT_BOOLS
] = {"commit_pending_bools", &sel_commit_bools_ops
, S_IWUSR
},
1208 [SEL_MLS
] = {"mls", &sel_mls_ops
, S_IRUGO
},
1209 [SEL_DISABLE
] = {"disable", &sel_disable_ops
, S_IWUSR
},
1210 [SEL_MEMBER
] = {"member", &transaction_ops
, S_IRUGO
|S_IWUGO
},
1211 [SEL_CHECKREQPROT
] = {"checkreqprot", &sel_checkreqprot_ops
, S_IRUGO
|S_IWUSR
},
1214 ret
= simple_fill_super(sb
, SELINUX_MAGIC
, selinux_files
);
1218 dentry
= d_alloc_name(sb
->s_root
, BOOL_DIR_NAME
);
1222 inode
= sel_make_inode(sb
, S_IFDIR
| S_IRUGO
| S_IXUGO
);
1225 inode
->i_op
= &simple_dir_inode_operations
;
1226 inode
->i_fop
= &simple_dir_operations
;
1227 /* directory inodes start off with i_nlink == 2 (for "." entry) */
1229 d_add(dentry
, inode
);
1231 ret
= sel_make_bools();
1235 dentry
= d_alloc_name(sb
->s_root
, NULL_FILE_NAME
);
1239 inode
= sel_make_inode(sb
, S_IFCHR
| S_IRUGO
| S_IWUGO
);
1242 isec
= (struct inode_security_struct
*)inode
->i_security
;
1243 isec
->sid
= SECINITSID_DEVNULL
;
1244 isec
->sclass
= SECCLASS_CHR_FILE
;
1245 isec
->initialized
= 1;
1247 init_special_inode(inode
, S_IFCHR
| S_IRUGO
| S_IWUGO
, MKDEV(MEM_MAJOR
, 3));
1248 d_add(dentry
, inode
);
1249 selinux_null
= dentry
;
1251 dentry
= d_alloc_name(sb
->s_root
, "avc");
1255 ret
= sel_make_dir(sb
, dentry
);
1259 ret
= sel_make_avc_files(dentry
);
1266 printk(KERN_ERR
"%s: failed while creating inodes\n", __FUNCTION__
);
1270 static struct super_block
*sel_get_sb(struct file_system_type
*fs_type
,
1271 int flags
, const char *dev_name
, void *data
)
1273 return get_sb_single(fs_type
, flags
, data
, sel_fill_super
);
1276 static struct file_system_type sel_fs_type
= {
1277 .name
= "selinuxfs",
1278 .get_sb
= sel_get_sb
,
1279 .kill_sb
= kill_litter_super
,
1282 struct vfsmount
*selinuxfs_mount
;
1284 static int __init
init_sel_fs(void)
1288 if (!selinux_enabled
)
1290 err
= register_filesystem(&sel_fs_type
);
1292 selinuxfs_mount
= kern_mount(&sel_fs_type
);
1293 if (IS_ERR(selinuxfs_mount
)) {
1294 printk(KERN_ERR
"selinuxfs: could not mount!\n");
1295 err
= PTR_ERR(selinuxfs_mount
);
1296 selinuxfs_mount
= NULL
;
1302 __initcall(init_sel_fs
);
1304 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
1305 void exit_sel_fs(void)
1307 unregister_filesystem(&sel_fs_type
);