1 /* Updated: Karl MacMillan <kmacmillan@tresys.com>
3 * Added conditional policy language extensions
5 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
6 * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, version 2.
12 #include <linux/config.h>
13 #include <linux/kernel.h>
14 #include <linux/pagemap.h>
15 #include <linux/slab.h>
16 #include <linux/vmalloc.h>
18 #include <linux/mutex.h>
19 #include <linux/init.h>
20 #include <linux/string.h>
21 #include <linux/security.h>
22 #include <linux/major.h>
23 #include <linux/seq_file.h>
24 #include <linux/percpu.h>
25 #include <asm/uaccess.h>
26 #include <asm/semaphore.h>
28 /* selinuxfs pseudo filesystem for exporting the security policy API.
29 Based on the proc code and the fs/nfsd/nfsctl.c code. */
36 #include "conditional.h"
38 unsigned int selinux_checkreqprot
= CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE
;
40 static int __init
checkreqprot_setup(char *str
)
42 selinux_checkreqprot
= simple_strtoul(str
,NULL
,0) ? 1 : 0;
45 __setup("checkreqprot=", checkreqprot_setup
);
48 static DEFINE_MUTEX(sel_mutex
);
50 /* global data for booleans */
51 static struct dentry
*bool_dir
= NULL
;
52 static int bool_num
= 0;
53 static int *bool_pending_values
= NULL
;
55 extern void selnl_notify_setenforce(int val
);
57 /* Check whether a task is allowed to use a security operation. */
58 static int task_has_security(struct task_struct
*tsk
,
61 struct task_security_struct
*tsec
;
67 return avc_has_perm(tsec
->sid
, SECINITSID_SECURITY
,
68 SECCLASS_SECURITY
, perms
, NULL
);
73 SEL_LOAD
, /* load policy */
74 SEL_ENFORCE
, /* get or set enforcing status */
75 SEL_CONTEXT
, /* validate context */
76 SEL_ACCESS
, /* compute access decision */
77 SEL_CREATE
, /* compute create labeling decision */
78 SEL_RELABEL
, /* compute relabeling decision */
79 SEL_USER
, /* compute reachable user contexts */
80 SEL_POLICYVERS
, /* return policy version for this kernel */
81 SEL_COMMIT_BOOLS
, /* commit new boolean values */
82 SEL_MLS
, /* return if MLS policy is enabled */
83 SEL_DISABLE
, /* disable SELinux until next reboot */
84 SEL_AVC
, /* AVC management directory */
85 SEL_MEMBER
, /* compute polyinstantiation membership decision */
86 SEL_CHECKREQPROT
, /* check requested protection, not kernel-applied one */
90 static ssize_t
sel_read_enforce(struct file
*filp
, char __user
*buf
,
91 size_t count
, loff_t
*ppos
)
93 char tmpbuf
[TMPBUFLEN
];
96 length
= scnprintf(tmpbuf
, TMPBUFLEN
, "%d", selinux_enforcing
);
97 return simple_read_from_buffer(buf
, count
, ppos
, tmpbuf
, length
);
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 static ssize_t
sel_write_enforce(struct file
* file
, const char __user
* buf
,
102 size_t count
, loff_t
*ppos
)
109 if (count
>= PAGE_SIZE
)
112 /* No partial writes. */
115 page
= (char*)get_zeroed_page(GFP_KERNEL
);
119 if (copy_from_user(page
, buf
, count
))
123 if (sscanf(page
, "%d", &new_value
) != 1)
126 if (new_value
!= selinux_enforcing
) {
127 length
= task_has_security(current
, SECURITY__SETENFORCE
);
130 selinux_enforcing
= new_value
;
131 if (selinux_enforcing
)
133 selnl_notify_setenforce(selinux_enforcing
);
137 free_page((unsigned long) page
);
141 #define sel_write_enforce NULL
144 static struct file_operations sel_enforce_ops
= {
145 .read
= sel_read_enforce
,
146 .write
= sel_write_enforce
,
149 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
150 static ssize_t
sel_write_disable(struct file
* file
, const char __user
* buf
,
151 size_t count
, loff_t
*ppos
)
157 extern int selinux_disable(void);
159 if (count
>= PAGE_SIZE
)
162 /* No partial writes. */
165 page
= (char*)get_zeroed_page(GFP_KERNEL
);
169 if (copy_from_user(page
, buf
, count
))
173 if (sscanf(page
, "%d", &new_value
) != 1)
177 length
= selinux_disable();
184 free_page((unsigned long) page
);
188 #define sel_write_disable NULL
191 static struct file_operations sel_disable_ops
= {
192 .write
= sel_write_disable
,
195 static ssize_t
sel_read_policyvers(struct file
*filp
, char __user
*buf
,
196 size_t count
, loff_t
*ppos
)
198 char tmpbuf
[TMPBUFLEN
];
201 length
= scnprintf(tmpbuf
, TMPBUFLEN
, "%u", POLICYDB_VERSION_MAX
);
202 return simple_read_from_buffer(buf
, count
, ppos
, tmpbuf
, length
);
205 static struct file_operations sel_policyvers_ops
= {
206 .read
= sel_read_policyvers
,
209 /* declaration for sel_write_load */
210 static int sel_make_bools(void);
212 static ssize_t
sel_read_mls(struct file
*filp
, char __user
*buf
,
213 size_t count
, loff_t
*ppos
)
215 char tmpbuf
[TMPBUFLEN
];
218 length
= scnprintf(tmpbuf
, TMPBUFLEN
, "%d", selinux_mls_enabled
);
219 return simple_read_from_buffer(buf
, count
, ppos
, tmpbuf
, length
);
222 static struct file_operations sel_mls_ops
= {
223 .read
= sel_read_mls
,
226 static ssize_t
sel_write_load(struct file
* file
, const char __user
* buf
,
227 size_t count
, loff_t
*ppos
)
234 mutex_lock(&sel_mutex
);
236 length
= task_has_security(current
, SECURITY__LOAD_POLICY
);
241 /* No partial writes. */
246 if ((count
> 64 * 1024 * 1024)
247 || (data
= vmalloc(count
)) == NULL
) {
253 if (copy_from_user(data
, buf
, count
) != 0)
256 length
= security_load_policy(data
, count
);
260 ret
= sel_make_bools();
266 mutex_unlock(&sel_mutex
);
271 static struct file_operations sel_load_ops
= {
272 .write
= sel_write_load
,
275 static ssize_t
sel_write_context(struct file
* file
, char *buf
, size_t size
)
281 length
= task_has_security(current
, SECURITY__CHECK_CONTEXT
);
285 length
= security_context_to_sid(buf
, size
, &sid
);
289 length
= security_sid_to_context(sid
, &canon
, &len
);
293 if (len
> SIMPLE_TRANSACTION_LIMIT
) {
294 printk(KERN_ERR
"%s: context size (%u) exceeds payload "
295 "max\n", __FUNCTION__
, len
);
300 memcpy(buf
, canon
, len
);
307 static ssize_t
sel_read_checkreqprot(struct file
*filp
, char __user
*buf
,
308 size_t count
, loff_t
*ppos
)
310 char tmpbuf
[TMPBUFLEN
];
313 length
= scnprintf(tmpbuf
, TMPBUFLEN
, "%u", selinux_checkreqprot
);
314 return simple_read_from_buffer(buf
, count
, ppos
, tmpbuf
, length
);
317 static ssize_t
sel_write_checkreqprot(struct file
* file
, const char __user
* buf
,
318 size_t count
, loff_t
*ppos
)
322 unsigned int new_value
;
324 length
= task_has_security(current
, SECURITY__SETCHECKREQPROT
);
328 if (count
>= PAGE_SIZE
)
331 /* No partial writes. */
334 page
= (char*)get_zeroed_page(GFP_KERNEL
);
338 if (copy_from_user(page
, buf
, count
))
342 if (sscanf(page
, "%u", &new_value
) != 1)
345 selinux_checkreqprot
= new_value
? 1 : 0;
348 free_page((unsigned long) page
);
351 static struct file_operations sel_checkreqprot_ops
= {
352 .read
= sel_read_checkreqprot
,
353 .write
= sel_write_checkreqprot
,
357 * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
359 static ssize_t
sel_write_access(struct file
* file
, char *buf
, size_t size
);
360 static ssize_t
sel_write_create(struct file
* file
, char *buf
, size_t size
);
361 static ssize_t
sel_write_relabel(struct file
* file
, char *buf
, size_t size
);
362 static ssize_t
sel_write_user(struct file
* file
, char *buf
, size_t size
);
363 static ssize_t
sel_write_member(struct file
* file
, char *buf
, size_t size
);
365 static ssize_t (*write_op
[])(struct file
*, char *, size_t) = {
366 [SEL_ACCESS
] = sel_write_access
,
367 [SEL_CREATE
] = sel_write_create
,
368 [SEL_RELABEL
] = sel_write_relabel
,
369 [SEL_USER
] = sel_write_user
,
370 [SEL_MEMBER
] = sel_write_member
,
371 [SEL_CONTEXT
] = sel_write_context
,
374 static ssize_t
selinux_transaction_write(struct file
*file
, const char __user
*buf
, size_t size
, loff_t
*pos
)
376 ino_t ino
= file
->f_dentry
->d_inode
->i_ino
;
380 if (ino
>= ARRAY_SIZE(write_op
) || !write_op
[ino
])
383 data
= simple_transaction_get(file
, buf
, size
);
385 return PTR_ERR(data
);
387 rv
= write_op
[ino
](file
, data
, size
);
389 simple_transaction_set(file
, rv
);
395 static struct file_operations transaction_ops
= {
396 .write
= selinux_transaction_write
,
397 .read
= simple_transaction_read
,
398 .release
= simple_transaction_release
,
402 * payload - write methods
403 * If the method has a response, the response should be put in buf,
404 * and the length returned. Otherwise return 0 or and -error.
407 static ssize_t
sel_write_access(struct file
* file
, char *buf
, size_t size
)
413 struct av_decision avd
;
416 length
= task_has_security(current
, SECURITY__COMPUTE_AV
);
421 scon
= kzalloc(size
+1, GFP_KERNEL
);
425 tcon
= kzalloc(size
+1, GFP_KERNEL
);
430 if (sscanf(buf
, "%s %s %hu %x", scon
, tcon
, &tclass
, &req
) != 4)
433 length
= security_context_to_sid(scon
, strlen(scon
)+1, &ssid
);
436 length
= security_context_to_sid(tcon
, strlen(tcon
)+1, &tsid
);
440 length
= security_compute_av(ssid
, tsid
, tclass
, req
, &avd
);
444 length
= scnprintf(buf
, SIMPLE_TRANSACTION_LIMIT
,
446 avd
.allowed
, avd
.decided
,
447 avd
.auditallow
, avd
.auditdeny
,
456 static ssize_t
sel_write_create(struct file
* file
, char *buf
, size_t size
)
459 u32 ssid
, tsid
, newsid
;
465 length
= task_has_security(current
, SECURITY__COMPUTE_CREATE
);
470 scon
= kzalloc(size
+1, GFP_KERNEL
);
474 tcon
= kzalloc(size
+1, GFP_KERNEL
);
479 if (sscanf(buf
, "%s %s %hu", scon
, tcon
, &tclass
) != 3)
482 length
= security_context_to_sid(scon
, strlen(scon
)+1, &ssid
);
485 length
= security_context_to_sid(tcon
, strlen(tcon
)+1, &tsid
);
489 length
= security_transition_sid(ssid
, tsid
, tclass
, &newsid
);
493 length
= security_sid_to_context(newsid
, &newcon
, &len
);
497 if (len
> SIMPLE_TRANSACTION_LIMIT
) {
498 printk(KERN_ERR
"%s: context size (%u) exceeds payload "
499 "max\n", __FUNCTION__
, len
);
504 memcpy(buf
, newcon
, len
);
515 static ssize_t
sel_write_relabel(struct file
* file
, char *buf
, size_t size
)
518 u32 ssid
, tsid
, newsid
;
524 length
= task_has_security(current
, SECURITY__COMPUTE_RELABEL
);
529 scon
= kzalloc(size
+1, GFP_KERNEL
);
533 tcon
= kzalloc(size
+1, GFP_KERNEL
);
538 if (sscanf(buf
, "%s %s %hu", scon
, tcon
, &tclass
) != 3)
541 length
= security_context_to_sid(scon
, strlen(scon
)+1, &ssid
);
544 length
= security_context_to_sid(tcon
, strlen(tcon
)+1, &tsid
);
548 length
= security_change_sid(ssid
, tsid
, tclass
, &newsid
);
552 length
= security_sid_to_context(newsid
, &newcon
, &len
);
556 if (len
> SIMPLE_TRANSACTION_LIMIT
) {
561 memcpy(buf
, newcon
, len
);
572 static ssize_t
sel_write_user(struct file
* file
, char *buf
, size_t size
)
574 char *con
, *user
, *ptr
;
581 length
= task_has_security(current
, SECURITY__COMPUTE_USER
);
586 con
= kzalloc(size
+1, GFP_KERNEL
);
590 user
= kzalloc(size
+1, GFP_KERNEL
);
595 if (sscanf(buf
, "%s %s", con
, user
) != 2)
598 length
= security_context_to_sid(con
, strlen(con
)+1, &sid
);
602 length
= security_get_user_sids(sid
, user
, &sids
, &nsids
);
606 length
= sprintf(buf
, "%u", nsids
) + 1;
608 for (i
= 0; i
< nsids
; i
++) {
609 rc
= security_sid_to_context(sids
[i
], &newcon
, &len
);
614 if ((length
+ len
) >= SIMPLE_TRANSACTION_LIMIT
) {
619 memcpy(ptr
, newcon
, len
);
633 static ssize_t
sel_write_member(struct file
* file
, char *buf
, size_t size
)
636 u32 ssid
, tsid
, newsid
;
642 length
= task_has_security(current
, SECURITY__COMPUTE_MEMBER
);
647 scon
= kzalloc(size
+1, GFP_KERNEL
);
651 tcon
= kzalloc(size
+1, GFP_KERNEL
);
656 if (sscanf(buf
, "%s %s %hu", scon
, tcon
, &tclass
) != 3)
659 length
= security_context_to_sid(scon
, strlen(scon
)+1, &ssid
);
662 length
= security_context_to_sid(tcon
, strlen(tcon
)+1, &tsid
);
666 length
= security_member_sid(ssid
, tsid
, tclass
, &newsid
);
670 length
= security_sid_to_context(newsid
, &newcon
, &len
);
674 if (len
> SIMPLE_TRANSACTION_LIMIT
) {
675 printk(KERN_ERR
"%s: context size (%u) exceeds payload "
676 "max\n", __FUNCTION__
, len
);
681 memcpy(buf
, newcon
, len
);
692 static struct inode
*sel_make_inode(struct super_block
*sb
, int mode
)
694 struct inode
*ret
= new_inode(sb
);
698 ret
->i_uid
= ret
->i_gid
= 0;
699 ret
->i_blksize
= PAGE_CACHE_SIZE
;
701 ret
->i_atime
= ret
->i_mtime
= ret
->i_ctime
= CURRENT_TIME
;
706 #define BOOL_INO_OFFSET 30
708 static ssize_t
sel_read_bool(struct file
*filep
, char __user
*buf
,
709 size_t count
, loff_t
*ppos
)
718 mutex_lock(&sel_mutex
);
722 /* check to see if this file has been deleted */
726 if (count
> PAGE_SIZE
) {
730 if (!(page
= (char*)get_zeroed_page(GFP_KERNEL
))) {
735 inode
= filep
->f_dentry
->d_inode
;
736 cur_enforcing
= security_get_bool_value(inode
->i_ino
- BOOL_INO_OFFSET
);
737 if (cur_enforcing
< 0) {
742 length
= scnprintf(page
, PAGE_SIZE
, "%d %d", cur_enforcing
,
743 bool_pending_values
[inode
->i_ino
- BOOL_INO_OFFSET
]);
749 if (*ppos
>= length
) {
753 if (count
+ *ppos
> length
)
754 count
= length
- *ppos
;
756 if (copy_to_user(buf
, (char *) page
+ *ppos
, count
)) {
763 mutex_unlock(&sel_mutex
);
765 free_page((unsigned long)page
);
769 static ssize_t
sel_write_bool(struct file
*filep
, const char __user
*buf
,
770 size_t count
, loff_t
*ppos
)
773 ssize_t length
= -EFAULT
;
777 mutex_lock(&sel_mutex
);
779 length
= task_has_security(current
, SECURITY__SETBOOL
);
783 /* check to see if this file has been deleted */
787 if (count
>= PAGE_SIZE
) {
792 /* No partial writes. */
795 page
= (char*)get_zeroed_page(GFP_KERNEL
);
801 if (copy_from_user(page
, buf
, count
))
805 if (sscanf(page
, "%d", &new_value
) != 1)
811 inode
= filep
->f_dentry
->d_inode
;
812 bool_pending_values
[inode
->i_ino
- BOOL_INO_OFFSET
] = new_value
;
816 mutex_unlock(&sel_mutex
);
818 free_page((unsigned long) page
);
822 static struct file_operations sel_bool_ops
= {
823 .read
= sel_read_bool
,
824 .write
= sel_write_bool
,
827 static ssize_t
sel_commit_bools_write(struct file
*filep
,
828 const char __user
*buf
,
829 size_t count
, loff_t
*ppos
)
832 ssize_t length
= -EFAULT
;
835 mutex_lock(&sel_mutex
);
837 length
= task_has_security(current
, SECURITY__SETBOOL
);
841 /* check to see if this file has been deleted */
845 if (count
>= PAGE_SIZE
) {
850 /* No partial writes. */
853 page
= (char*)get_zeroed_page(GFP_KERNEL
);
859 if (copy_from_user(page
, buf
, count
))
863 if (sscanf(page
, "%d", &new_value
) != 1)
866 if (new_value
&& bool_pending_values
) {
867 security_set_bools(bool_num
, bool_pending_values
);
873 mutex_unlock(&sel_mutex
);
875 free_page((unsigned long) page
);
879 static struct file_operations sel_commit_bools_ops
= {
880 .write
= sel_commit_bools_write
,
883 /* delete booleans - partial revoke() from
884 * fs/proc/generic.c proc_kill_inodes */
885 static void sel_remove_bools(struct dentry
*de
)
887 struct list_head
*p
, *node
;
888 struct super_block
*sb
= de
->d_sb
;
890 spin_lock(&dcache_lock
);
891 node
= de
->d_subdirs
.next
;
892 while (node
!= &de
->d_subdirs
) {
893 struct dentry
*d
= list_entry(node
, struct dentry
, d_u
.d_child
);
898 spin_unlock(&dcache_lock
);
900 simple_unlink(de
->d_inode
, d
);
902 spin_lock(&dcache_lock
);
904 node
= de
->d_subdirs
.next
;
907 spin_unlock(&dcache_lock
);
910 list_for_each(p
, &sb
->s_files
) {
911 struct file
* filp
= list_entry(p
, struct file
, f_u
.fu_list
);
912 struct dentry
* dentry
= filp
->f_dentry
;
914 if (dentry
->d_parent
!= de
) {
922 #define BOOL_DIR_NAME "booleans"
924 static int sel_make_bools(void)
928 struct dentry
*dentry
= NULL
;
929 struct dentry
*dir
= bool_dir
;
930 struct inode
*inode
= NULL
;
931 struct inode_security_struct
*isec
;
932 char **names
= NULL
, *page
;
937 /* remove any existing files */
938 kfree(bool_pending_values
);
939 bool_pending_values
= NULL
;
941 sel_remove_bools(dir
);
943 if (!(page
= (char*)get_zeroed_page(GFP_KERNEL
)))
946 ret
= security_get_bools(&num
, &names
, &values
);
950 for (i
= 0; i
< num
; i
++) {
951 dentry
= d_alloc_name(dir
, names
[i
]);
956 inode
= sel_make_inode(dir
->d_sb
, S_IFREG
| S_IRUGO
| S_IWUSR
);
962 len
= snprintf(page
, PAGE_SIZE
, "/%s/%s", BOOL_DIR_NAME
, names
[i
]);
966 } else if (len
>= PAGE_SIZE
) {
970 isec
= (struct inode_security_struct
*)inode
->i_security
;
971 if ((ret
= security_genfs_sid("selinuxfs", page
, SECCLASS_FILE
, &sid
)))
974 isec
->initialized
= 1;
975 inode
->i_fop
= &sel_bool_ops
;
976 inode
->i_ino
= i
+ BOOL_INO_OFFSET
;
977 d_add(dentry
, inode
);
980 bool_pending_values
= values
;
982 free_page((unsigned long)page
);
984 for (i
= 0; i
< num
; i
++)
996 #define NULL_FILE_NAME "null"
998 struct dentry
*selinux_null
= NULL
;
1000 static ssize_t
sel_read_avc_cache_threshold(struct file
*filp
, char __user
*buf
,
1001 size_t count
, loff_t
*ppos
)
1003 char tmpbuf
[TMPBUFLEN
];
1006 length
= scnprintf(tmpbuf
, TMPBUFLEN
, "%u", avc_cache_threshold
);
1007 return simple_read_from_buffer(buf
, count
, ppos
, tmpbuf
, length
);
1010 static ssize_t
sel_write_avc_cache_threshold(struct file
* file
,
1011 const char __user
* buf
,
1012 size_t count
, loff_t
*ppos
)
1019 if (count
>= PAGE_SIZE
) {
1025 /* No partial writes. */
1030 page
= (char*)get_zeroed_page(GFP_KERNEL
);
1036 if (copy_from_user(page
, buf
, count
)) {
1041 if (sscanf(page
, "%u", &new_value
) != 1) {
1046 if (new_value
!= avc_cache_threshold
) {
1047 ret
= task_has_security(current
, SECURITY__SETSECPARAM
);
1050 avc_cache_threshold
= new_value
;
1054 free_page((unsigned long)page
);
1059 static ssize_t
sel_read_avc_hash_stats(struct file
*filp
, char __user
*buf
,
1060 size_t count
, loff_t
*ppos
)
1065 page
= (char *)__get_free_page(GFP_KERNEL
);
1070 ret
= avc_get_hash_stats(page
);
1072 ret
= simple_read_from_buffer(buf
, count
, ppos
, page
, ret
);
1073 free_page((unsigned long)page
);
1078 static struct file_operations sel_avc_cache_threshold_ops
= {
1079 .read
= sel_read_avc_cache_threshold
,
1080 .write
= sel_write_avc_cache_threshold
,
1083 static struct file_operations sel_avc_hash_stats_ops
= {
1084 .read
= sel_read_avc_hash_stats
,
1087 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
1088 static struct avc_cache_stats
*sel_avc_get_stat_idx(loff_t
*idx
)
1092 for (cpu
= *idx
; cpu
< NR_CPUS
; ++cpu
) {
1093 if (!cpu_possible(cpu
))
1096 return &per_cpu(avc_cache_stats
, cpu
);
1101 static void *sel_avc_stats_seq_start(struct seq_file
*seq
, loff_t
*pos
)
1103 loff_t n
= *pos
- 1;
1106 return SEQ_START_TOKEN
;
1108 return sel_avc_get_stat_idx(&n
);
1111 static void *sel_avc_stats_seq_next(struct seq_file
*seq
, void *v
, loff_t
*pos
)
1113 return sel_avc_get_stat_idx(pos
);
1116 static int sel_avc_stats_seq_show(struct seq_file
*seq
, void *v
)
1118 struct avc_cache_stats
*st
= v
;
1120 if (v
== SEQ_START_TOKEN
)
1121 seq_printf(seq
, "lookups hits misses allocations reclaims "
1124 seq_printf(seq
, "%u %u %u %u %u %u\n", st
->lookups
,
1125 st
->hits
, st
->misses
, st
->allocations
,
1126 st
->reclaims
, st
->frees
);
1130 static void sel_avc_stats_seq_stop(struct seq_file
*seq
, void *v
)
1133 static struct seq_operations sel_avc_cache_stats_seq_ops
= {
1134 .start
= sel_avc_stats_seq_start
,
1135 .next
= sel_avc_stats_seq_next
,
1136 .show
= sel_avc_stats_seq_show
,
1137 .stop
= sel_avc_stats_seq_stop
,
1140 static int sel_open_avc_cache_stats(struct inode
*inode
, struct file
*file
)
1142 return seq_open(file
, &sel_avc_cache_stats_seq_ops
);
1145 static struct file_operations sel_avc_cache_stats_ops
= {
1146 .open
= sel_open_avc_cache_stats
,
1148 .llseek
= seq_lseek
,
1149 .release
= seq_release
,
1153 static int sel_make_avc_files(struct dentry
*dir
)
1156 static struct tree_descr files
[] = {
1157 { "cache_threshold",
1158 &sel_avc_cache_threshold_ops
, S_IRUGO
|S_IWUSR
},
1159 { "hash_stats", &sel_avc_hash_stats_ops
, S_IRUGO
},
1160 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
1161 { "cache_stats", &sel_avc_cache_stats_ops
, S_IRUGO
},
1165 for (i
= 0; i
< ARRAY_SIZE(files
); i
++) {
1166 struct inode
*inode
;
1167 struct dentry
*dentry
;
1169 dentry
= d_alloc_name(dir
, files
[i
].name
);
1175 inode
= sel_make_inode(dir
->d_sb
, S_IFREG
|files
[i
].mode
);
1180 inode
->i_fop
= files
[i
].ops
;
1181 d_add(dentry
, inode
);
1190 static int sel_make_dir(struct super_block
*sb
, struct dentry
*dentry
)
1193 struct inode
*inode
;
1195 inode
= sel_make_inode(sb
, S_IFDIR
| S_IRUGO
| S_IXUGO
);
1200 inode
->i_op
= &simple_dir_inode_operations
;
1201 inode
->i_fop
= &simple_dir_operations
;
1202 d_add(dentry
, inode
);
1207 static int sel_fill_super(struct super_block
* sb
, void * data
, int silent
)
1210 struct dentry
*dentry
;
1211 struct inode
*inode
;
1212 struct inode_security_struct
*isec
;
1214 static struct tree_descr selinux_files
[] = {
1215 [SEL_LOAD
] = {"load", &sel_load_ops
, S_IRUSR
|S_IWUSR
},
1216 [SEL_ENFORCE
] = {"enforce", &sel_enforce_ops
, S_IRUGO
|S_IWUSR
},
1217 [SEL_CONTEXT
] = {"context", &transaction_ops
, S_IRUGO
|S_IWUGO
},
1218 [SEL_ACCESS
] = {"access", &transaction_ops
, S_IRUGO
|S_IWUGO
},
1219 [SEL_CREATE
] = {"create", &transaction_ops
, S_IRUGO
|S_IWUGO
},
1220 [SEL_RELABEL
] = {"relabel", &transaction_ops
, S_IRUGO
|S_IWUGO
},
1221 [SEL_USER
] = {"user", &transaction_ops
, S_IRUGO
|S_IWUGO
},
1222 [SEL_POLICYVERS
] = {"policyvers", &sel_policyvers_ops
, S_IRUGO
},
1223 [SEL_COMMIT_BOOLS
] = {"commit_pending_bools", &sel_commit_bools_ops
, S_IWUSR
},
1224 [SEL_MLS
] = {"mls", &sel_mls_ops
, S_IRUGO
},
1225 [SEL_DISABLE
] = {"disable", &sel_disable_ops
, S_IWUSR
},
1226 [SEL_MEMBER
] = {"member", &transaction_ops
, S_IRUGO
|S_IWUGO
},
1227 [SEL_CHECKREQPROT
] = {"checkreqprot", &sel_checkreqprot_ops
, S_IRUGO
|S_IWUSR
},
1230 ret
= simple_fill_super(sb
, SELINUX_MAGIC
, selinux_files
);
1234 dentry
= d_alloc_name(sb
->s_root
, BOOL_DIR_NAME
);
1238 inode
= sel_make_inode(sb
, S_IFDIR
| S_IRUGO
| S_IXUGO
);
1241 inode
->i_op
= &simple_dir_inode_operations
;
1242 inode
->i_fop
= &simple_dir_operations
;
1243 d_add(dentry
, inode
);
1245 ret
= sel_make_bools();
1249 dentry
= d_alloc_name(sb
->s_root
, NULL_FILE_NAME
);
1253 inode
= sel_make_inode(sb
, S_IFCHR
| S_IRUGO
| S_IWUGO
);
1256 isec
= (struct inode_security_struct
*)inode
->i_security
;
1257 isec
->sid
= SECINITSID_DEVNULL
;
1258 isec
->sclass
= SECCLASS_CHR_FILE
;
1259 isec
->initialized
= 1;
1261 init_special_inode(inode
, S_IFCHR
| S_IRUGO
| S_IWUGO
, MKDEV(MEM_MAJOR
, 3));
1262 d_add(dentry
, inode
);
1263 selinux_null
= dentry
;
1265 dentry
= d_alloc_name(sb
->s_root
, "avc");
1269 ret
= sel_make_dir(sb
, dentry
);
1273 ret
= sel_make_avc_files(dentry
);
1280 printk(KERN_ERR
"%s: failed while creating inodes\n", __FUNCTION__
);
1284 static struct super_block
*sel_get_sb(struct file_system_type
*fs_type
,
1285 int flags
, const char *dev_name
, void *data
)
1287 return get_sb_single(fs_type
, flags
, data
, sel_fill_super
);
1290 static struct file_system_type sel_fs_type
= {
1291 .name
= "selinuxfs",
1292 .get_sb
= sel_get_sb
,
1293 .kill_sb
= kill_litter_super
,
1296 struct vfsmount
*selinuxfs_mount
;
1298 static int __init
init_sel_fs(void)
1302 if (!selinux_enabled
)
1304 err
= register_filesystem(&sel_fs_type
);
1306 selinuxfs_mount
= kern_mount(&sel_fs_type
);
1307 if (IS_ERR(selinuxfs_mount
)) {
1308 printk(KERN_ERR
"selinuxfs: could not mount!\n");
1309 err
= PTR_ERR(selinuxfs_mount
);
1310 selinuxfs_mount
= NULL
;
1316 __initcall(init_sel_fs
);
1318 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
1319 void exit_sel_fs(void)
1321 unregister_filesystem(&sel_fs_type
);