2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
89 #define NUM_SEL_MNT_OPTS 4
91 extern unsigned int policydb_loaded_version
;
92 extern int selinux_nlmsg_lookup(u16 sclass
, u16 nlmsg_type
, u32
*perm
);
93 extern int selinux_compat_net
;
94 extern struct security_operations
*security_ops
;
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount
= ATOMIC_INIT(0);
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing
= 0;
102 static int __init
enforcing_setup(char *str
)
104 selinux_enforcing
= simple_strtol(str
,NULL
,0);
107 __setup("enforcing=", enforcing_setup
);
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled
= CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE
;
113 static int __init
selinux_enabled_setup(char *str
)
115 selinux_enabled
= simple_strtol(str
, NULL
, 0);
118 __setup("selinux=", selinux_enabled_setup
);
120 int selinux_enabled
= 1;
123 /* Original (dummy) security module. */
124 static struct security_operations
*original_ops
= NULL
;
126 /* Minimal support for a secondary security module,
127 just to allow the use of the dummy or capability modules.
128 The owlsm module can alternatively be used as a secondary
129 module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations
*secondary_ops
= NULL
;
132 /* Lists of inode and superblock security structures initialized
133 before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head
);
135 static DEFINE_SPINLOCK(sb_security_lock
);
137 static struct kmem_cache
*sel_inode_cache
;
140 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
143 * This function checks the SECMARK reference counter to see if any SECMARK
144 * targets are currently configured, if the reference counter is greater than
145 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
146 * enabled, false (0) if SECMARK is disabled.
149 static int selinux_secmark_enabled(void)
151 return (atomic_read(&selinux_secmark_refcount
) > 0);
154 /* Allocate and free functions for each kind of security blob. */
156 static int task_alloc_security(struct task_struct
*task
)
158 struct task_security_struct
*tsec
;
160 tsec
= kzalloc(sizeof(struct task_security_struct
), GFP_KERNEL
);
164 tsec
->osid
= tsec
->sid
= tsec
->ptrace_sid
= SECINITSID_UNLABELED
;
165 task
->security
= tsec
;
170 static void task_free_security(struct task_struct
*task
)
172 struct task_security_struct
*tsec
= task
->security
;
173 task
->security
= NULL
;
177 static int inode_alloc_security(struct inode
*inode
)
179 struct task_security_struct
*tsec
= current
->security
;
180 struct inode_security_struct
*isec
;
182 isec
= kmem_cache_zalloc(sel_inode_cache
, GFP_NOFS
);
186 mutex_init(&isec
->lock
);
187 INIT_LIST_HEAD(&isec
->list
);
189 isec
->sid
= SECINITSID_UNLABELED
;
190 isec
->sclass
= SECCLASS_FILE
;
191 isec
->task_sid
= tsec
->sid
;
192 inode
->i_security
= isec
;
197 static void inode_free_security(struct inode
*inode
)
199 struct inode_security_struct
*isec
= inode
->i_security
;
200 struct superblock_security_struct
*sbsec
= inode
->i_sb
->s_security
;
202 spin_lock(&sbsec
->isec_lock
);
203 if (!list_empty(&isec
->list
))
204 list_del_init(&isec
->list
);
205 spin_unlock(&sbsec
->isec_lock
);
207 inode
->i_security
= NULL
;
208 kmem_cache_free(sel_inode_cache
, isec
);
211 static int file_alloc_security(struct file
*file
)
213 struct task_security_struct
*tsec
= current
->security
;
214 struct file_security_struct
*fsec
;
216 fsec
= kzalloc(sizeof(struct file_security_struct
), GFP_KERNEL
);
220 fsec
->sid
= tsec
->sid
;
221 fsec
->fown_sid
= tsec
->sid
;
222 file
->f_security
= fsec
;
227 static void file_free_security(struct file
*file
)
229 struct file_security_struct
*fsec
= file
->f_security
;
230 file
->f_security
= NULL
;
234 static int superblock_alloc_security(struct super_block
*sb
)
236 struct superblock_security_struct
*sbsec
;
238 sbsec
= kzalloc(sizeof(struct superblock_security_struct
), GFP_KERNEL
);
242 mutex_init(&sbsec
->lock
);
243 INIT_LIST_HEAD(&sbsec
->list
);
244 INIT_LIST_HEAD(&sbsec
->isec_head
);
245 spin_lock_init(&sbsec
->isec_lock
);
247 sbsec
->sid
= SECINITSID_UNLABELED
;
248 sbsec
->def_sid
= SECINITSID_FILE
;
249 sbsec
->mntpoint_sid
= SECINITSID_UNLABELED
;
250 sb
->s_security
= sbsec
;
255 static void superblock_free_security(struct super_block
*sb
)
257 struct superblock_security_struct
*sbsec
= sb
->s_security
;
259 spin_lock(&sb_security_lock
);
260 if (!list_empty(&sbsec
->list
))
261 list_del_init(&sbsec
->list
);
262 spin_unlock(&sb_security_lock
);
264 sb
->s_security
= NULL
;
268 static int sk_alloc_security(struct sock
*sk
, int family
, gfp_t priority
)
270 struct sk_security_struct
*ssec
;
272 ssec
= kzalloc(sizeof(*ssec
), priority
);
276 ssec
->peer_sid
= SECINITSID_UNLABELED
;
277 ssec
->sid
= SECINITSID_UNLABELED
;
278 sk
->sk_security
= ssec
;
280 selinux_netlbl_sk_security_reset(ssec
, family
);
285 static void sk_free_security(struct sock
*sk
)
287 struct sk_security_struct
*ssec
= sk
->sk_security
;
289 sk
->sk_security
= NULL
;
293 /* The security server must be initialized before
294 any labeling or access decisions can be provided. */
295 extern int ss_initialized
;
297 /* The file system's label must be initialized prior to use. */
299 static char *labeling_behaviors
[6] = {
301 "uses transition SIDs",
303 "uses genfs_contexts",
304 "not configured for labeling",
305 "uses mountpoint labeling",
308 static int inode_doinit_with_dentry(struct inode
*inode
, struct dentry
*opt_dentry
);
310 static inline int inode_doinit(struct inode
*inode
)
312 return inode_doinit_with_dentry(inode
, NULL
);
323 static match_table_t tokens
= {
324 {Opt_context
, "context=%s"},
325 {Opt_fscontext
, "fscontext=%s"},
326 {Opt_defcontext
, "defcontext=%s"},
327 {Opt_rootcontext
, "rootcontext=%s"},
331 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
333 static int may_context_mount_sb_relabel(u32 sid
,
334 struct superblock_security_struct
*sbsec
,
335 struct task_security_struct
*tsec
)
339 rc
= avc_has_perm(tsec
->sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
340 FILESYSTEM__RELABELFROM
, NULL
);
344 rc
= avc_has_perm(tsec
->sid
, sid
, SECCLASS_FILESYSTEM
,
345 FILESYSTEM__RELABELTO
, NULL
);
349 static int may_context_mount_inode_relabel(u32 sid
,
350 struct superblock_security_struct
*sbsec
,
351 struct task_security_struct
*tsec
)
354 rc
= avc_has_perm(tsec
->sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
355 FILESYSTEM__RELABELFROM
, NULL
);
359 rc
= avc_has_perm(sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
360 FILESYSTEM__ASSOCIATE
, NULL
);
364 static int sb_finish_set_opts(struct super_block
*sb
)
366 struct superblock_security_struct
*sbsec
= sb
->s_security
;
367 struct dentry
*root
= sb
->s_root
;
368 struct inode
*root_inode
= root
->d_inode
;
371 if (sbsec
->behavior
== SECURITY_FS_USE_XATTR
) {
372 /* Make sure that the xattr handler exists and that no
373 error other than -ENODATA is returned by getxattr on
374 the root directory. -ENODATA is ok, as this may be
375 the first boot of the SELinux kernel before we have
376 assigned xattr values to the filesystem. */
377 if (!root_inode
->i_op
->getxattr
) {
378 printk(KERN_WARNING
"SELinux: (dev %s, type %s) has no "
379 "xattr support\n", sb
->s_id
, sb
->s_type
->name
);
383 rc
= root_inode
->i_op
->getxattr(root
, XATTR_NAME_SELINUX
, NULL
, 0);
384 if (rc
< 0 && rc
!= -ENODATA
) {
385 if (rc
== -EOPNOTSUPP
)
386 printk(KERN_WARNING
"SELinux: (dev %s, type "
387 "%s) has no security xattr handler\n",
388 sb
->s_id
, sb
->s_type
->name
);
390 printk(KERN_WARNING
"SELinux: (dev %s, type "
391 "%s) getxattr errno %d\n", sb
->s_id
,
392 sb
->s_type
->name
, -rc
);
397 sbsec
->initialized
= 1;
399 if (sbsec
->behavior
> ARRAY_SIZE(labeling_behaviors
))
400 printk(KERN_ERR
"SELinux: initialized (dev %s, type %s), unknown behavior\n",
401 sb
->s_id
, sb
->s_type
->name
);
403 printk(KERN_DEBUG
"SELinux: initialized (dev %s, type %s), %s\n",
404 sb
->s_id
, sb
->s_type
->name
,
405 labeling_behaviors
[sbsec
->behavior
-1]);
407 /* Initialize the root inode. */
408 rc
= inode_doinit_with_dentry(root_inode
, root
);
410 /* Initialize any other inodes associated with the superblock, e.g.
411 inodes created prior to initial policy load or inodes created
412 during get_sb by a pseudo filesystem that directly
414 spin_lock(&sbsec
->isec_lock
);
416 if (!list_empty(&sbsec
->isec_head
)) {
417 struct inode_security_struct
*isec
=
418 list_entry(sbsec
->isec_head
.next
,
419 struct inode_security_struct
, list
);
420 struct inode
*inode
= isec
->inode
;
421 spin_unlock(&sbsec
->isec_lock
);
422 inode
= igrab(inode
);
424 if (!IS_PRIVATE(inode
))
428 spin_lock(&sbsec
->isec_lock
);
429 list_del_init(&isec
->list
);
432 spin_unlock(&sbsec
->isec_lock
);
438 * This function should allow an FS to ask what it's mount security
439 * options were so it can use those later for submounts, displaying
440 * mount options, or whatever.
442 static int selinux_get_mnt_opts(const struct super_block
*sb
,
443 struct security_mnt_opts
*opts
)
446 struct superblock_security_struct
*sbsec
= sb
->s_security
;
447 char *context
= NULL
;
451 security_init_mnt_opts(opts
);
453 if (!sbsec
->initialized
)
460 * if we ever use sbsec flags for anything other than tracking mount
461 * settings this is going to need a mask
464 /* count the number of mount options for this sb */
465 for (i
= 0; i
< 8; i
++) {
467 opts
->num_mnt_opts
++;
471 opts
->mnt_opts
= kcalloc(opts
->num_mnt_opts
, sizeof(char *), GFP_ATOMIC
);
472 if (!opts
->mnt_opts
) {
477 opts
->mnt_opts_flags
= kcalloc(opts
->num_mnt_opts
, sizeof(int), GFP_ATOMIC
);
478 if (!opts
->mnt_opts_flags
) {
484 if (sbsec
->flags
& FSCONTEXT_MNT
) {
485 rc
= security_sid_to_context(sbsec
->sid
, &context
, &len
);
488 opts
->mnt_opts
[i
] = context
;
489 opts
->mnt_opts_flags
[i
++] = FSCONTEXT_MNT
;
491 if (sbsec
->flags
& CONTEXT_MNT
) {
492 rc
= security_sid_to_context(sbsec
->mntpoint_sid
, &context
, &len
);
495 opts
->mnt_opts
[i
] = context
;
496 opts
->mnt_opts_flags
[i
++] = CONTEXT_MNT
;
498 if (sbsec
->flags
& DEFCONTEXT_MNT
) {
499 rc
= security_sid_to_context(sbsec
->def_sid
, &context
, &len
);
502 opts
->mnt_opts
[i
] = context
;
503 opts
->mnt_opts_flags
[i
++] = DEFCONTEXT_MNT
;
505 if (sbsec
->flags
& ROOTCONTEXT_MNT
) {
506 struct inode
*root
= sbsec
->sb
->s_root
->d_inode
;
507 struct inode_security_struct
*isec
= root
->i_security
;
509 rc
= security_sid_to_context(isec
->sid
, &context
, &len
);
512 opts
->mnt_opts
[i
] = context
;
513 opts
->mnt_opts_flags
[i
++] = ROOTCONTEXT_MNT
;
516 BUG_ON(i
!= opts
->num_mnt_opts
);
521 security_free_mnt_opts(opts
);
525 static int bad_option(struct superblock_security_struct
*sbsec
, char flag
,
526 u32 old_sid
, u32 new_sid
)
528 /* check if the old mount command had the same options */
529 if (sbsec
->initialized
)
530 if (!(sbsec
->flags
& flag
) ||
531 (old_sid
!= new_sid
))
534 /* check if we were passed the same options twice,
535 * aka someone passed context=a,context=b
537 if (!sbsec
->initialized
)
538 if (sbsec
->flags
& flag
)
544 * Allow filesystems with binary mount data to explicitly set mount point
545 * labeling information.
547 static int selinux_set_mnt_opts(struct super_block
*sb
,
548 struct security_mnt_opts
*opts
)
551 struct task_security_struct
*tsec
= current
->security
;
552 struct superblock_security_struct
*sbsec
= sb
->s_security
;
553 const char *name
= sb
->s_type
->name
;
554 struct inode
*inode
= sbsec
->sb
->s_root
->d_inode
;
555 struct inode_security_struct
*root_isec
= inode
->i_security
;
556 u32 fscontext_sid
= 0, context_sid
= 0, rootcontext_sid
= 0;
557 u32 defcontext_sid
= 0;
558 char **mount_options
= opts
->mnt_opts
;
559 int *flags
= opts
->mnt_opts_flags
;
560 int num_opts
= opts
->num_mnt_opts
;
562 mutex_lock(&sbsec
->lock
);
564 if (!ss_initialized
) {
566 /* Defer initialization until selinux_complete_init,
567 after the initial policy is loaded and the security
568 server is ready to handle calls. */
569 spin_lock(&sb_security_lock
);
570 if (list_empty(&sbsec
->list
))
571 list_add(&sbsec
->list
, &superblock_security_head
);
572 spin_unlock(&sb_security_lock
);
576 printk(KERN_WARNING
"Unable to set superblock options before "
577 "the security server is initialized\n");
582 * Binary mount data FS will come through this function twice. Once
583 * from an explicit call and once from the generic calls from the vfs.
584 * Since the generic VFS calls will not contain any security mount data
585 * we need to skip the double mount verification.
587 * This does open a hole in which we will not notice if the first
588 * mount using this sb set explict options and a second mount using
589 * this sb does not set any security options. (The first options
590 * will be used for both mounts)
592 if (sbsec
->initialized
&& (sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
)
597 * parse the mount options, check if they are valid sids.
598 * also check if someone is trying to mount the same sb more
599 * than once with different security options.
601 for (i
= 0; i
< num_opts
; i
++) {
603 rc
= security_context_to_sid(mount_options
[i
],
604 strlen(mount_options
[i
]), &sid
);
606 printk(KERN_WARNING
"SELinux: security_context_to_sid"
607 "(%s) failed for (dev %s, type %s) errno=%d\n",
608 mount_options
[i
], sb
->s_id
, name
, rc
);
615 if (bad_option(sbsec
, FSCONTEXT_MNT
, sbsec
->sid
,
617 goto out_double_mount
;
619 sbsec
->flags
|= FSCONTEXT_MNT
;
624 if (bad_option(sbsec
, CONTEXT_MNT
, sbsec
->mntpoint_sid
,
626 goto out_double_mount
;
628 sbsec
->flags
|= CONTEXT_MNT
;
630 case ROOTCONTEXT_MNT
:
631 rootcontext_sid
= sid
;
633 if (bad_option(sbsec
, ROOTCONTEXT_MNT
, root_isec
->sid
,
635 goto out_double_mount
;
637 sbsec
->flags
|= ROOTCONTEXT_MNT
;
641 defcontext_sid
= sid
;
643 if (bad_option(sbsec
, DEFCONTEXT_MNT
, sbsec
->def_sid
,
645 goto out_double_mount
;
647 sbsec
->flags
|= DEFCONTEXT_MNT
;
656 if (sbsec
->initialized
) {
657 /* previously mounted with options, but not on this attempt? */
658 if (sbsec
->flags
&& !num_opts
)
659 goto out_double_mount
;
664 if (strcmp(sb
->s_type
->name
, "proc") == 0)
667 /* Determine the labeling behavior to use for this filesystem type. */
668 rc
= security_fs_use(sb
->s_type
->name
, &sbsec
->behavior
, &sbsec
->sid
);
670 printk(KERN_WARNING
"%s: security_fs_use(%s) returned %d\n",
671 __func__
, sb
->s_type
->name
, rc
);
675 /* sets the context of the superblock for the fs being mounted. */
678 rc
= may_context_mount_sb_relabel(fscontext_sid
, sbsec
, tsec
);
682 sbsec
->sid
= fscontext_sid
;
686 * Switch to using mount point labeling behavior.
687 * sets the label used on all file below the mountpoint, and will set
688 * the superblock context if not already set.
691 if (!fscontext_sid
) {
692 rc
= may_context_mount_sb_relabel(context_sid
, sbsec
, tsec
);
695 sbsec
->sid
= context_sid
;
697 rc
= may_context_mount_inode_relabel(context_sid
, sbsec
, tsec
);
701 if (!rootcontext_sid
)
702 rootcontext_sid
= context_sid
;
704 sbsec
->mntpoint_sid
= context_sid
;
705 sbsec
->behavior
= SECURITY_FS_USE_MNTPOINT
;
708 if (rootcontext_sid
) {
709 rc
= may_context_mount_inode_relabel(rootcontext_sid
, sbsec
, tsec
);
713 root_isec
->sid
= rootcontext_sid
;
714 root_isec
->initialized
= 1;
717 if (defcontext_sid
) {
718 if (sbsec
->behavior
!= SECURITY_FS_USE_XATTR
) {
720 printk(KERN_WARNING
"SELinux: defcontext option is "
721 "invalid for this filesystem type\n");
725 if (defcontext_sid
!= sbsec
->def_sid
) {
726 rc
= may_context_mount_inode_relabel(defcontext_sid
,
732 sbsec
->def_sid
= defcontext_sid
;
735 rc
= sb_finish_set_opts(sb
);
737 mutex_unlock(&sbsec
->lock
);
741 printk(KERN_WARNING
"SELinux: mount invalid. Same superblock, different "
742 "security settings for (dev %s, type %s)\n", sb
->s_id
, name
);
746 static void selinux_sb_clone_mnt_opts(const struct super_block
*oldsb
,
747 struct super_block
*newsb
)
749 const struct superblock_security_struct
*oldsbsec
= oldsb
->s_security
;
750 struct superblock_security_struct
*newsbsec
= newsb
->s_security
;
752 int set_fscontext
= (oldsbsec
->flags
& FSCONTEXT_MNT
);
753 int set_context
= (oldsbsec
->flags
& CONTEXT_MNT
);
754 int set_rootcontext
= (oldsbsec
->flags
& ROOTCONTEXT_MNT
);
756 /* we can't error, we can't save the info, this shouldn't get called
757 * this early in the boot process. */
758 BUG_ON(!ss_initialized
);
760 /* how can we clone if the old one wasn't set up?? */
761 BUG_ON(!oldsbsec
->initialized
);
763 /* if fs is reusing a sb, just let its options stand... */
764 if (newsbsec
->initialized
)
767 mutex_lock(&newsbsec
->lock
);
769 newsbsec
->flags
= oldsbsec
->flags
;
771 newsbsec
->sid
= oldsbsec
->sid
;
772 newsbsec
->def_sid
= oldsbsec
->def_sid
;
773 newsbsec
->behavior
= oldsbsec
->behavior
;
776 u32 sid
= oldsbsec
->mntpoint_sid
;
780 if (!set_rootcontext
) {
781 struct inode
*newinode
= newsb
->s_root
->d_inode
;
782 struct inode_security_struct
*newisec
= newinode
->i_security
;
785 newsbsec
->mntpoint_sid
= sid
;
787 if (set_rootcontext
) {
788 const struct inode
*oldinode
= oldsb
->s_root
->d_inode
;
789 const struct inode_security_struct
*oldisec
= oldinode
->i_security
;
790 struct inode
*newinode
= newsb
->s_root
->d_inode
;
791 struct inode_security_struct
*newisec
= newinode
->i_security
;
793 newisec
->sid
= oldisec
->sid
;
796 sb_finish_set_opts(newsb
);
797 mutex_unlock(&newsbsec
->lock
);
800 static int selinux_parse_opts_str(char *options
,
801 struct security_mnt_opts
*opts
)
804 char *context
= NULL
, *defcontext
= NULL
;
805 char *fscontext
= NULL
, *rootcontext
= NULL
;
806 int rc
, num_mnt_opts
= 0;
808 opts
->num_mnt_opts
= 0;
810 /* Standard string-based options. */
811 while ((p
= strsep(&options
, "|")) != NULL
) {
813 substring_t args
[MAX_OPT_ARGS
];
818 token
= match_token(p
, tokens
, args
);
822 if (context
|| defcontext
) {
824 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
827 context
= match_strdup(&args
[0]);
837 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
840 fscontext
= match_strdup(&args
[0]);
847 case Opt_rootcontext
:
850 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
853 rootcontext
= match_strdup(&args
[0]);
861 if (context
|| defcontext
) {
863 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
866 defcontext
= match_strdup(&args
[0]);
875 printk(KERN_WARNING
"SELinux: unknown mount option\n");
882 opts
->mnt_opts
= kcalloc(NUM_SEL_MNT_OPTS
, sizeof(char *), GFP_ATOMIC
);
886 opts
->mnt_opts_flags
= kcalloc(NUM_SEL_MNT_OPTS
, sizeof(int), GFP_ATOMIC
);
887 if (!opts
->mnt_opts_flags
) {
888 kfree(opts
->mnt_opts
);
893 opts
->mnt_opts
[num_mnt_opts
] = fscontext
;
894 opts
->mnt_opts_flags
[num_mnt_opts
++] = FSCONTEXT_MNT
;
897 opts
->mnt_opts
[num_mnt_opts
] = context
;
898 opts
->mnt_opts_flags
[num_mnt_opts
++] = CONTEXT_MNT
;
901 opts
->mnt_opts
[num_mnt_opts
] = rootcontext
;
902 opts
->mnt_opts_flags
[num_mnt_opts
++] = ROOTCONTEXT_MNT
;
905 opts
->mnt_opts
[num_mnt_opts
] = defcontext
;
906 opts
->mnt_opts_flags
[num_mnt_opts
++] = DEFCONTEXT_MNT
;
909 opts
->num_mnt_opts
= num_mnt_opts
;
920 * string mount options parsing and call set the sbsec
922 static int superblock_doinit(struct super_block
*sb
, void *data
)
925 char *options
= data
;
926 struct security_mnt_opts opts
;
928 security_init_mnt_opts(&opts
);
933 BUG_ON(sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
);
935 rc
= selinux_parse_opts_str(options
, &opts
);
940 rc
= selinux_set_mnt_opts(sb
, &opts
);
943 security_free_mnt_opts(&opts
);
947 static inline u16
inode_mode_to_security_class(umode_t mode
)
949 switch (mode
& S_IFMT
) {
951 return SECCLASS_SOCK_FILE
;
953 return SECCLASS_LNK_FILE
;
955 return SECCLASS_FILE
;
957 return SECCLASS_BLK_FILE
;
961 return SECCLASS_CHR_FILE
;
963 return SECCLASS_FIFO_FILE
;
967 return SECCLASS_FILE
;
970 static inline int default_protocol_stream(int protocol
)
972 return (protocol
== IPPROTO_IP
|| protocol
== IPPROTO_TCP
);
975 static inline int default_protocol_dgram(int protocol
)
977 return (protocol
== IPPROTO_IP
|| protocol
== IPPROTO_UDP
);
980 static inline u16
socket_type_to_security_class(int family
, int type
, int protocol
)
987 return SECCLASS_UNIX_STREAM_SOCKET
;
989 return SECCLASS_UNIX_DGRAM_SOCKET
;
996 if (default_protocol_stream(protocol
))
997 return SECCLASS_TCP_SOCKET
;
999 return SECCLASS_RAWIP_SOCKET
;
1001 if (default_protocol_dgram(protocol
))
1002 return SECCLASS_UDP_SOCKET
;
1004 return SECCLASS_RAWIP_SOCKET
;
1006 return SECCLASS_DCCP_SOCKET
;
1008 return SECCLASS_RAWIP_SOCKET
;
1014 return SECCLASS_NETLINK_ROUTE_SOCKET
;
1015 case NETLINK_FIREWALL
:
1016 return SECCLASS_NETLINK_FIREWALL_SOCKET
;
1017 case NETLINK_INET_DIAG
:
1018 return SECCLASS_NETLINK_TCPDIAG_SOCKET
;
1020 return SECCLASS_NETLINK_NFLOG_SOCKET
;
1022 return SECCLASS_NETLINK_XFRM_SOCKET
;
1023 case NETLINK_SELINUX
:
1024 return SECCLASS_NETLINK_SELINUX_SOCKET
;
1026 return SECCLASS_NETLINK_AUDIT_SOCKET
;
1027 case NETLINK_IP6_FW
:
1028 return SECCLASS_NETLINK_IP6FW_SOCKET
;
1029 case NETLINK_DNRTMSG
:
1030 return SECCLASS_NETLINK_DNRT_SOCKET
;
1031 case NETLINK_KOBJECT_UEVENT
:
1032 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET
;
1034 return SECCLASS_NETLINK_SOCKET
;
1037 return SECCLASS_PACKET_SOCKET
;
1039 return SECCLASS_KEY_SOCKET
;
1041 return SECCLASS_APPLETALK_SOCKET
;
1044 return SECCLASS_SOCKET
;
1047 #ifdef CONFIG_PROC_FS
1048 static int selinux_proc_get_sid(struct proc_dir_entry
*de
,
1053 char *buffer
, *path
, *end
;
1055 buffer
= (char*)__get_free_page(GFP_KERNEL
);
1060 end
= buffer
+buflen
;
1065 while (de
&& de
!= de
->parent
) {
1066 buflen
-= de
->namelen
+ 1;
1070 memcpy(end
, de
->name
, de
->namelen
);
1075 rc
= security_genfs_sid("proc", path
, tclass
, sid
);
1076 free_page((unsigned long)buffer
);
1080 static int selinux_proc_get_sid(struct proc_dir_entry
*de
,
1088 /* The inode's security attributes must be initialized before first use. */
1089 static int inode_doinit_with_dentry(struct inode
*inode
, struct dentry
*opt_dentry
)
1091 struct superblock_security_struct
*sbsec
= NULL
;
1092 struct inode_security_struct
*isec
= inode
->i_security
;
1094 struct dentry
*dentry
;
1095 #define INITCONTEXTLEN 255
1096 char *context
= NULL
;
1100 if (isec
->initialized
)
1103 mutex_lock(&isec
->lock
);
1104 if (isec
->initialized
)
1107 sbsec
= inode
->i_sb
->s_security
;
1108 if (!sbsec
->initialized
) {
1109 /* Defer initialization until selinux_complete_init,
1110 after the initial policy is loaded and the security
1111 server is ready to handle calls. */
1112 spin_lock(&sbsec
->isec_lock
);
1113 if (list_empty(&isec
->list
))
1114 list_add(&isec
->list
, &sbsec
->isec_head
);
1115 spin_unlock(&sbsec
->isec_lock
);
1119 switch (sbsec
->behavior
) {
1120 case SECURITY_FS_USE_XATTR
:
1121 if (!inode
->i_op
->getxattr
) {
1122 isec
->sid
= sbsec
->def_sid
;
1126 /* Need a dentry, since the xattr API requires one.
1127 Life would be simpler if we could just pass the inode. */
1129 /* Called from d_instantiate or d_splice_alias. */
1130 dentry
= dget(opt_dentry
);
1132 /* Called from selinux_complete_init, try to find a dentry. */
1133 dentry
= d_find_alias(inode
);
1136 printk(KERN_WARNING
"%s: no dentry for dev=%s "
1137 "ino=%ld\n", __func__
, inode
->i_sb
->s_id
,
1142 len
= INITCONTEXTLEN
;
1143 context
= kmalloc(len
, GFP_NOFS
);
1149 rc
= inode
->i_op
->getxattr(dentry
, XATTR_NAME_SELINUX
,
1151 if (rc
== -ERANGE
) {
1152 /* Need a larger buffer. Query for the right size. */
1153 rc
= inode
->i_op
->getxattr(dentry
, XATTR_NAME_SELINUX
,
1161 context
= kmalloc(len
, GFP_NOFS
);
1167 rc
= inode
->i_op
->getxattr(dentry
,
1173 if (rc
!= -ENODATA
) {
1174 printk(KERN_WARNING
"%s: getxattr returned "
1175 "%d for dev=%s ino=%ld\n", __func__
,
1176 -rc
, inode
->i_sb
->s_id
, inode
->i_ino
);
1180 /* Map ENODATA to the default file SID */
1181 sid
= sbsec
->def_sid
;
1184 rc
= security_context_to_sid_default(context
, rc
, &sid
,
1188 printk(KERN_WARNING
"%s: context_to_sid(%s) "
1189 "returned %d for dev=%s ino=%ld\n",
1190 __func__
, context
, -rc
,
1191 inode
->i_sb
->s_id
, inode
->i_ino
);
1193 /* Leave with the unlabeled SID */
1201 case SECURITY_FS_USE_TASK
:
1202 isec
->sid
= isec
->task_sid
;
1204 case SECURITY_FS_USE_TRANS
:
1205 /* Default to the fs SID. */
1206 isec
->sid
= sbsec
->sid
;
1208 /* Try to obtain a transition SID. */
1209 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
1210 rc
= security_transition_sid(isec
->task_sid
,
1218 case SECURITY_FS_USE_MNTPOINT
:
1219 isec
->sid
= sbsec
->mntpoint_sid
;
1222 /* Default to the fs superblock SID. */
1223 isec
->sid
= sbsec
->sid
;
1226 struct proc_inode
*proci
= PROC_I(inode
);
1228 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
1229 rc
= selinux_proc_get_sid(proci
->pde
,
1240 isec
->initialized
= 1;
1243 mutex_unlock(&isec
->lock
);
1245 if (isec
->sclass
== SECCLASS_FILE
)
1246 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
1250 /* Convert a Linux signal to an access vector. */
1251 static inline u32
signal_to_av(int sig
)
1257 /* Commonly granted from child to parent. */
1258 perm
= PROCESS__SIGCHLD
;
1261 /* Cannot be caught or ignored */
1262 perm
= PROCESS__SIGKILL
;
1265 /* Cannot be caught or ignored */
1266 perm
= PROCESS__SIGSTOP
;
1269 /* All other signals. */
1270 perm
= PROCESS__SIGNAL
;
1277 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1278 fork check, ptrace check, etc. */
1279 static int task_has_perm(struct task_struct
*tsk1
,
1280 struct task_struct
*tsk2
,
1283 struct task_security_struct
*tsec1
, *tsec2
;
1285 tsec1
= tsk1
->security
;
1286 tsec2
= tsk2
->security
;
1287 return avc_has_perm(tsec1
->sid
, tsec2
->sid
,
1288 SECCLASS_PROCESS
, perms
, NULL
);
1291 #if CAP_LAST_CAP > 63
1292 #error Fix SELinux to handle capabilities > 63.
1295 /* Check whether a task is allowed to use a capability. */
1296 static int task_has_capability(struct task_struct
*tsk
,
1299 struct task_security_struct
*tsec
;
1300 struct avc_audit_data ad
;
1302 u32 av
= CAP_TO_MASK(cap
);
1304 tsec
= tsk
->security
;
1306 AVC_AUDIT_DATA_INIT(&ad
,CAP
);
1310 switch (CAP_TO_INDEX(cap
)) {
1312 sclass
= SECCLASS_CAPABILITY
;
1315 sclass
= SECCLASS_CAPABILITY2
;
1319 "SELinux: out of range capability %d\n", cap
);
1322 return avc_has_perm(tsec
->sid
, tsec
->sid
, sclass
, av
, &ad
);
1325 /* Check whether a task is allowed to use a system operation. */
1326 static int task_has_system(struct task_struct
*tsk
,
1329 struct task_security_struct
*tsec
;
1331 tsec
= tsk
->security
;
1333 return avc_has_perm(tsec
->sid
, SECINITSID_KERNEL
,
1334 SECCLASS_SYSTEM
, perms
, NULL
);
1337 /* Check whether a task has a particular permission to an inode.
1338 The 'adp' parameter is optional and allows other audit
1339 data to be passed (e.g. the dentry). */
1340 static int inode_has_perm(struct task_struct
*tsk
,
1341 struct inode
*inode
,
1343 struct avc_audit_data
*adp
)
1345 struct task_security_struct
*tsec
;
1346 struct inode_security_struct
*isec
;
1347 struct avc_audit_data ad
;
1349 if (unlikely (IS_PRIVATE (inode
)))
1352 tsec
= tsk
->security
;
1353 isec
= inode
->i_security
;
1357 AVC_AUDIT_DATA_INIT(&ad
, FS
);
1358 ad
.u
.fs
.inode
= inode
;
1361 return avc_has_perm(tsec
->sid
, isec
->sid
, isec
->sclass
, perms
, adp
);
1364 /* Same as inode_has_perm, but pass explicit audit data containing
1365 the dentry to help the auditing code to more easily generate the
1366 pathname if needed. */
1367 static inline int dentry_has_perm(struct task_struct
*tsk
,
1368 struct vfsmount
*mnt
,
1369 struct dentry
*dentry
,
1372 struct inode
*inode
= dentry
->d_inode
;
1373 struct avc_audit_data ad
;
1374 AVC_AUDIT_DATA_INIT(&ad
,FS
);
1375 ad
.u
.fs
.path
.mnt
= mnt
;
1376 ad
.u
.fs
.path
.dentry
= dentry
;
1377 return inode_has_perm(tsk
, inode
, av
, &ad
);
1380 /* Check whether a task can use an open file descriptor to
1381 access an inode in a given way. Check access to the
1382 descriptor itself, and then use dentry_has_perm to
1383 check a particular permission to the file.
1384 Access to the descriptor is implicitly granted if it
1385 has the same SID as the process. If av is zero, then
1386 access to the file is not checked, e.g. for cases
1387 where only the descriptor is affected like seek. */
1388 static int file_has_perm(struct task_struct
*tsk
,
1392 struct task_security_struct
*tsec
= tsk
->security
;
1393 struct file_security_struct
*fsec
= file
->f_security
;
1394 struct inode
*inode
= file
->f_path
.dentry
->d_inode
;
1395 struct avc_audit_data ad
;
1398 AVC_AUDIT_DATA_INIT(&ad
, FS
);
1399 ad
.u
.fs
.path
= file
->f_path
;
1401 if (tsec
->sid
!= fsec
->sid
) {
1402 rc
= avc_has_perm(tsec
->sid
, fsec
->sid
,
1410 /* av is zero if only checking access to the descriptor. */
1412 return inode_has_perm(tsk
, inode
, av
, &ad
);
1417 /* Check whether a task can create a file. */
1418 static int may_create(struct inode
*dir
,
1419 struct dentry
*dentry
,
1422 struct task_security_struct
*tsec
;
1423 struct inode_security_struct
*dsec
;
1424 struct superblock_security_struct
*sbsec
;
1426 struct avc_audit_data ad
;
1429 tsec
= current
->security
;
1430 dsec
= dir
->i_security
;
1431 sbsec
= dir
->i_sb
->s_security
;
1433 AVC_AUDIT_DATA_INIT(&ad
, FS
);
1434 ad
.u
.fs
.path
.dentry
= dentry
;
1436 rc
= avc_has_perm(tsec
->sid
, dsec
->sid
, SECCLASS_DIR
,
1437 DIR__ADD_NAME
| DIR__SEARCH
,
1442 if (tsec
->create_sid
&& sbsec
->behavior
!= SECURITY_FS_USE_MNTPOINT
) {
1443 newsid
= tsec
->create_sid
;
1445 rc
= security_transition_sid(tsec
->sid
, dsec
->sid
, tclass
,
1451 rc
= avc_has_perm(tsec
->sid
, newsid
, tclass
, FILE__CREATE
, &ad
);
1455 return avc_has_perm(newsid
, sbsec
->sid
,
1456 SECCLASS_FILESYSTEM
,
1457 FILESYSTEM__ASSOCIATE
, &ad
);
1460 /* Check whether a task can create a key. */
1461 static int may_create_key(u32 ksid
,
1462 struct task_struct
*ctx
)
1464 struct task_security_struct
*tsec
;
1466 tsec
= ctx
->security
;
1468 return avc_has_perm(tsec
->sid
, ksid
, SECCLASS_KEY
, KEY__CREATE
, NULL
);
1472 #define MAY_UNLINK 1
1475 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1476 static int may_link(struct inode
*dir
,
1477 struct dentry
*dentry
,
1481 struct task_security_struct
*tsec
;
1482 struct inode_security_struct
*dsec
, *isec
;
1483 struct avc_audit_data ad
;
1487 tsec
= current
->security
;
1488 dsec
= dir
->i_security
;
1489 isec
= dentry
->d_inode
->i_security
;
1491 AVC_AUDIT_DATA_INIT(&ad
, FS
);
1492 ad
.u
.fs
.path
.dentry
= dentry
;
1495 av
|= (kind
? DIR__REMOVE_NAME
: DIR__ADD_NAME
);
1496 rc
= avc_has_perm(tsec
->sid
, dsec
->sid
, SECCLASS_DIR
, av
, &ad
);
1511 printk(KERN_WARNING
"may_link: unrecognized kind %d\n", kind
);
1515 rc
= avc_has_perm(tsec
->sid
, isec
->sid
, isec
->sclass
, av
, &ad
);
1519 static inline int may_rename(struct inode
*old_dir
,
1520 struct dentry
*old_dentry
,
1521 struct inode
*new_dir
,
1522 struct dentry
*new_dentry
)
1524 struct task_security_struct
*tsec
;
1525 struct inode_security_struct
*old_dsec
, *new_dsec
, *old_isec
, *new_isec
;
1526 struct avc_audit_data ad
;
1528 int old_is_dir
, new_is_dir
;
1531 tsec
= current
->security
;
1532 old_dsec
= old_dir
->i_security
;
1533 old_isec
= old_dentry
->d_inode
->i_security
;
1534 old_is_dir
= S_ISDIR(old_dentry
->d_inode
->i_mode
);
1535 new_dsec
= new_dir
->i_security
;
1537 AVC_AUDIT_DATA_INIT(&ad
, FS
);
1539 ad
.u
.fs
.path
.dentry
= old_dentry
;
1540 rc
= avc_has_perm(tsec
->sid
, old_dsec
->sid
, SECCLASS_DIR
,
1541 DIR__REMOVE_NAME
| DIR__SEARCH
, &ad
);
1544 rc
= avc_has_perm(tsec
->sid
, old_isec
->sid
,
1545 old_isec
->sclass
, FILE__RENAME
, &ad
);
1548 if (old_is_dir
&& new_dir
!= old_dir
) {
1549 rc
= avc_has_perm(tsec
->sid
, old_isec
->sid
,
1550 old_isec
->sclass
, DIR__REPARENT
, &ad
);
1555 ad
.u
.fs
.path
.dentry
= new_dentry
;
1556 av
= DIR__ADD_NAME
| DIR__SEARCH
;
1557 if (new_dentry
->d_inode
)
1558 av
|= DIR__REMOVE_NAME
;
1559 rc
= avc_has_perm(tsec
->sid
, new_dsec
->sid
, SECCLASS_DIR
, av
, &ad
);
1562 if (new_dentry
->d_inode
) {
1563 new_isec
= new_dentry
->d_inode
->i_security
;
1564 new_is_dir
= S_ISDIR(new_dentry
->d_inode
->i_mode
);
1565 rc
= avc_has_perm(tsec
->sid
, new_isec
->sid
,
1567 (new_is_dir
? DIR__RMDIR
: FILE__UNLINK
), &ad
);
1575 /* Check whether a task can perform a filesystem operation. */
1576 static int superblock_has_perm(struct task_struct
*tsk
,
1577 struct super_block
*sb
,
1579 struct avc_audit_data
*ad
)
1581 struct task_security_struct
*tsec
;
1582 struct superblock_security_struct
*sbsec
;
1584 tsec
= tsk
->security
;
1585 sbsec
= sb
->s_security
;
1586 return avc_has_perm(tsec
->sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
1590 /* Convert a Linux mode and permission mask to an access vector. */
1591 static inline u32
file_mask_to_av(int mode
, int mask
)
1595 if ((mode
& S_IFMT
) != S_IFDIR
) {
1596 if (mask
& MAY_EXEC
)
1597 av
|= FILE__EXECUTE
;
1598 if (mask
& MAY_READ
)
1601 if (mask
& MAY_APPEND
)
1603 else if (mask
& MAY_WRITE
)
1607 if (mask
& MAY_EXEC
)
1609 if (mask
& MAY_WRITE
)
1611 if (mask
& MAY_READ
)
1619 * Convert a file mask to an access vector and include the correct open
1622 static inline u32
open_file_mask_to_av(int mode
, int mask
)
1624 u32 av
= file_mask_to_av(mode
, mask
);
1626 if (selinux_policycap_openperm
) {
1628 * lnk files and socks do not really have an 'open'
1632 else if (S_ISCHR(mode
))
1633 av
|= CHR_FILE__OPEN
;
1634 else if (S_ISBLK(mode
))
1635 av
|= BLK_FILE__OPEN
;
1636 else if (S_ISFIFO(mode
))
1637 av
|= FIFO_FILE__OPEN
;
1638 else if (S_ISDIR(mode
))
1641 printk(KERN_ERR
"SELinux: WARNING: inside open_file_to_av "
1642 "with unknown mode:%x\n", mode
);
1647 /* Convert a Linux file to an access vector. */
1648 static inline u32
file_to_av(struct file
*file
)
1652 if (file
->f_mode
& FMODE_READ
)
1654 if (file
->f_mode
& FMODE_WRITE
) {
1655 if (file
->f_flags
& O_APPEND
)
1662 * Special file opened with flags 3 for ioctl-only use.
1670 /* Hook functions begin here. */
1672 static int selinux_ptrace(struct task_struct
*parent
, struct task_struct
*child
)
1674 struct task_security_struct
*psec
= parent
->security
;
1675 struct task_security_struct
*csec
= child
->security
;
1678 rc
= secondary_ops
->ptrace(parent
,child
);
1682 rc
= task_has_perm(parent
, child
, PROCESS__PTRACE
);
1683 /* Save the SID of the tracing process for later use in apply_creds. */
1684 if (!(child
->ptrace
& PT_PTRACED
) && !rc
)
1685 csec
->ptrace_sid
= psec
->sid
;
1689 static int selinux_capget(struct task_struct
*target
, kernel_cap_t
*effective
,
1690 kernel_cap_t
*inheritable
, kernel_cap_t
*permitted
)
1694 error
= task_has_perm(current
, target
, PROCESS__GETCAP
);
1698 return secondary_ops
->capget(target
, effective
, inheritable
, permitted
);
1701 static int selinux_capset_check(struct task_struct
*target
, kernel_cap_t
*effective
,
1702 kernel_cap_t
*inheritable
, kernel_cap_t
*permitted
)
1706 error
= secondary_ops
->capset_check(target
, effective
, inheritable
, permitted
);
1710 return task_has_perm(current
, target
, PROCESS__SETCAP
);
1713 static void selinux_capset_set(struct task_struct
*target
, kernel_cap_t
*effective
,
1714 kernel_cap_t
*inheritable
, kernel_cap_t
*permitted
)
1716 secondary_ops
->capset_set(target
, effective
, inheritable
, permitted
);
1719 static int selinux_capable(struct task_struct
*tsk
, int cap
)
1723 rc
= secondary_ops
->capable(tsk
, cap
);
1727 return task_has_capability(tsk
,cap
);
1730 static int selinux_sysctl_get_sid(ctl_table
*table
, u16 tclass
, u32
*sid
)
1733 char *buffer
, *path
, *end
;
1736 buffer
= (char*)__get_free_page(GFP_KERNEL
);
1741 end
= buffer
+buflen
;
1747 const char *name
= table
->procname
;
1748 size_t namelen
= strlen(name
);
1749 buflen
-= namelen
+ 1;
1753 memcpy(end
, name
, namelen
);
1756 table
= table
->parent
;
1762 memcpy(end
, "/sys", 4);
1764 rc
= security_genfs_sid("proc", path
, tclass
, sid
);
1766 free_page((unsigned long)buffer
);
1771 static int selinux_sysctl(ctl_table
*table
, int op
)
1775 struct task_security_struct
*tsec
;
1779 rc
= secondary_ops
->sysctl(table
, op
);
1783 tsec
= current
->security
;
1785 rc
= selinux_sysctl_get_sid(table
, (op
== 0001) ?
1786 SECCLASS_DIR
: SECCLASS_FILE
, &tsid
);
1788 /* Default to the well-defined sysctl SID. */
1789 tsid
= SECINITSID_SYSCTL
;
1792 /* The op values are "defined" in sysctl.c, thereby creating
1793 * a bad coupling between this module and sysctl.c */
1795 error
= avc_has_perm(tsec
->sid
, tsid
,
1796 SECCLASS_DIR
, DIR__SEARCH
, NULL
);
1804 error
= avc_has_perm(tsec
->sid
, tsid
,
1805 SECCLASS_FILE
, av
, NULL
);
1811 static int selinux_quotactl(int cmds
, int type
, int id
, struct super_block
*sb
)
1824 rc
= superblock_has_perm(current
,
1826 FILESYSTEM__QUOTAMOD
, NULL
);
1831 rc
= superblock_has_perm(current
,
1833 FILESYSTEM__QUOTAGET
, NULL
);
1836 rc
= 0; /* let the kernel handle invalid cmds */
1842 static int selinux_quota_on(struct dentry
*dentry
)
1844 return dentry_has_perm(current
, NULL
, dentry
, FILE__QUOTAON
);
1847 static int selinux_syslog(int type
)
1851 rc
= secondary_ops
->syslog(type
);
1856 case 3: /* Read last kernel messages */
1857 case 10: /* Return size of the log buffer */
1858 rc
= task_has_system(current
, SYSTEM__SYSLOG_READ
);
1860 case 6: /* Disable logging to console */
1861 case 7: /* Enable logging to console */
1862 case 8: /* Set level of messages printed to console */
1863 rc
= task_has_system(current
, SYSTEM__SYSLOG_CONSOLE
);
1865 case 0: /* Close log */
1866 case 1: /* Open log */
1867 case 2: /* Read from log */
1868 case 4: /* Read/clear last kernel messages */
1869 case 5: /* Clear ring buffer */
1871 rc
= task_has_system(current
, SYSTEM__SYSLOG_MOD
);
1878 * Check that a process has enough memory to allocate a new virtual
1879 * mapping. 0 means there is enough memory for the allocation to
1880 * succeed and -ENOMEM implies there is not.
1882 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1883 * if the capability is granted, but __vm_enough_memory requires 1 if
1884 * the capability is granted.
1886 * Do not audit the selinux permission check, as this is applied to all
1887 * processes that allocate mappings.
1889 static int selinux_vm_enough_memory(struct mm_struct
*mm
, long pages
)
1891 int rc
, cap_sys_admin
= 0;
1892 struct task_security_struct
*tsec
= current
->security
;
1894 rc
= secondary_ops
->capable(current
, CAP_SYS_ADMIN
);
1896 rc
= avc_has_perm_noaudit(tsec
->sid
, tsec
->sid
,
1897 SECCLASS_CAPABILITY
,
1898 CAP_TO_MASK(CAP_SYS_ADMIN
),
1905 return __vm_enough_memory(mm
, pages
, cap_sys_admin
);
1908 /* binprm security operations */
1910 static int selinux_bprm_alloc_security(struct linux_binprm
*bprm
)
1912 struct bprm_security_struct
*bsec
;
1914 bsec
= kzalloc(sizeof(struct bprm_security_struct
), GFP_KERNEL
);
1918 bsec
->sid
= SECINITSID_UNLABELED
;
1921 bprm
->security
= bsec
;
1925 static int selinux_bprm_set_security(struct linux_binprm
*bprm
)
1927 struct task_security_struct
*tsec
;
1928 struct inode
*inode
= bprm
->file
->f_path
.dentry
->d_inode
;
1929 struct inode_security_struct
*isec
;
1930 struct bprm_security_struct
*bsec
;
1932 struct avc_audit_data ad
;
1935 rc
= secondary_ops
->bprm_set_security(bprm
);
1939 bsec
= bprm
->security
;
1944 tsec
= current
->security
;
1945 isec
= inode
->i_security
;
1947 /* Default to the current task SID. */
1948 bsec
->sid
= tsec
->sid
;
1950 /* Reset fs, key, and sock SIDs on execve. */
1951 tsec
->create_sid
= 0;
1952 tsec
->keycreate_sid
= 0;
1953 tsec
->sockcreate_sid
= 0;
1955 if (tsec
->exec_sid
) {
1956 newsid
= tsec
->exec_sid
;
1957 /* Reset exec SID on execve. */
1960 /* Check for a default transition on this program. */
1961 rc
= security_transition_sid(tsec
->sid
, isec
->sid
,
1962 SECCLASS_PROCESS
, &newsid
);
1967 AVC_AUDIT_DATA_INIT(&ad
, FS
);
1968 ad
.u
.fs
.path
= bprm
->file
->f_path
;
1970 if (bprm
->file
->f_path
.mnt
->mnt_flags
& MNT_NOSUID
)
1973 if (tsec
->sid
== newsid
) {
1974 rc
= avc_has_perm(tsec
->sid
, isec
->sid
,
1975 SECCLASS_FILE
, FILE__EXECUTE_NO_TRANS
, &ad
);
1979 /* Check permissions for the transition. */
1980 rc
= avc_has_perm(tsec
->sid
, newsid
,
1981 SECCLASS_PROCESS
, PROCESS__TRANSITION
, &ad
);
1985 rc
= avc_has_perm(newsid
, isec
->sid
,
1986 SECCLASS_FILE
, FILE__ENTRYPOINT
, &ad
);
1990 /* Clear any possibly unsafe personality bits on exec: */
1991 current
->personality
&= ~PER_CLEAR_ON_SETID
;
1993 /* Set the security field to the new SID. */
2001 static int selinux_bprm_check_security (struct linux_binprm
*bprm
)
2003 return secondary_ops
->bprm_check_security(bprm
);
2007 static int selinux_bprm_secureexec (struct linux_binprm
*bprm
)
2009 struct task_security_struct
*tsec
= current
->security
;
2012 if (tsec
->osid
!= tsec
->sid
) {
2013 /* Enable secure mode for SIDs transitions unless
2014 the noatsecure permission is granted between
2015 the two SIDs, i.e. ahp returns 0. */
2016 atsecure
= avc_has_perm(tsec
->osid
, tsec
->sid
,
2018 PROCESS__NOATSECURE
, NULL
);
2021 return (atsecure
|| secondary_ops
->bprm_secureexec(bprm
));
2024 static void selinux_bprm_free_security(struct linux_binprm
*bprm
)
2026 kfree(bprm
->security
);
2027 bprm
->security
= NULL
;
2030 extern struct vfsmount
*selinuxfs_mount
;
2031 extern struct dentry
*selinux_null
;
2033 /* Derived from fs/exec.c:flush_old_files. */
2034 static inline void flush_unauthorized_files(struct files_struct
* files
)
2036 struct avc_audit_data ad
;
2037 struct file
*file
, *devnull
= NULL
;
2038 struct tty_struct
*tty
;
2039 struct fdtable
*fdt
;
2043 mutex_lock(&tty_mutex
);
2044 tty
= get_current_tty();
2047 file
= list_entry(tty
->tty_files
.next
, typeof(*file
), f_u
.fu_list
);
2049 /* Revalidate access to controlling tty.
2050 Use inode_has_perm on the tty inode directly rather
2051 than using file_has_perm, as this particular open
2052 file may belong to another process and we are only
2053 interested in the inode-based check here. */
2054 struct inode
*inode
= file
->f_path
.dentry
->d_inode
;
2055 if (inode_has_perm(current
, inode
,
2056 FILE__READ
| FILE__WRITE
, NULL
)) {
2062 mutex_unlock(&tty_mutex
);
2063 /* Reset controlling tty. */
2067 /* Revalidate access to inherited open files. */
2069 AVC_AUDIT_DATA_INIT(&ad
,FS
);
2071 spin_lock(&files
->file_lock
);
2073 unsigned long set
, i
;
2078 fdt
= files_fdtable(files
);
2079 if (i
>= fdt
->max_fds
)
2081 set
= fdt
->open_fds
->fds_bits
[j
];
2084 spin_unlock(&files
->file_lock
);
2085 for ( ; set
; i
++,set
>>= 1) {
2090 if (file_has_perm(current
,
2092 file_to_av(file
))) {
2094 fd
= get_unused_fd();
2104 devnull
= dentry_open(dget(selinux_null
), mntget(selinuxfs_mount
), O_RDWR
);
2105 if (IS_ERR(devnull
)) {
2112 fd_install(fd
, devnull
);
2117 spin_lock(&files
->file_lock
);
2120 spin_unlock(&files
->file_lock
);
2123 static void selinux_bprm_apply_creds(struct linux_binprm
*bprm
, int unsafe
)
2125 struct task_security_struct
*tsec
;
2126 struct bprm_security_struct
*bsec
;
2130 secondary_ops
->bprm_apply_creds(bprm
, unsafe
);
2132 tsec
= current
->security
;
2134 bsec
= bprm
->security
;
2137 tsec
->osid
= tsec
->sid
;
2139 if (tsec
->sid
!= sid
) {
2140 /* Check for shared state. If not ok, leave SID
2141 unchanged and kill. */
2142 if (unsafe
& LSM_UNSAFE_SHARE
) {
2143 rc
= avc_has_perm(tsec
->sid
, sid
, SECCLASS_PROCESS
,
2144 PROCESS__SHARE
, NULL
);
2151 /* Check for ptracing, and update the task SID if ok.
2152 Otherwise, leave SID unchanged and kill. */
2153 if (unsafe
& (LSM_UNSAFE_PTRACE
| LSM_UNSAFE_PTRACE_CAP
)) {
2154 rc
= avc_has_perm(tsec
->ptrace_sid
, sid
,
2155 SECCLASS_PROCESS
, PROCESS__PTRACE
,
2167 * called after apply_creds without the task lock held
2169 static void selinux_bprm_post_apply_creds(struct linux_binprm
*bprm
)
2171 struct task_security_struct
*tsec
;
2172 struct rlimit
*rlim
, *initrlim
;
2173 struct itimerval itimer
;
2174 struct bprm_security_struct
*bsec
;
2177 tsec
= current
->security
;
2178 bsec
= bprm
->security
;
2181 force_sig_specific(SIGKILL
, current
);
2184 if (tsec
->osid
== tsec
->sid
)
2187 /* Close files for which the new task SID is not authorized. */
2188 flush_unauthorized_files(current
->files
);
2190 /* Check whether the new SID can inherit signal state
2191 from the old SID. If not, clear itimers to avoid
2192 subsequent signal generation and flush and unblock
2193 signals. This must occur _after_ the task SID has
2194 been updated so that any kill done after the flush
2195 will be checked against the new SID. */
2196 rc
= avc_has_perm(tsec
->osid
, tsec
->sid
, SECCLASS_PROCESS
,
2197 PROCESS__SIGINH
, NULL
);
2199 memset(&itimer
, 0, sizeof itimer
);
2200 for (i
= 0; i
< 3; i
++)
2201 do_setitimer(i
, &itimer
, NULL
);
2202 flush_signals(current
);
2203 spin_lock_irq(¤t
->sighand
->siglock
);
2204 flush_signal_handlers(current
, 1);
2205 sigemptyset(¤t
->blocked
);
2206 recalc_sigpending();
2207 spin_unlock_irq(¤t
->sighand
->siglock
);
2210 /* Always clear parent death signal on SID transitions. */
2211 current
->pdeath_signal
= 0;
2213 /* Check whether the new SID can inherit resource limits
2214 from the old SID. If not, reset all soft limits to
2215 the lower of the current task's hard limit and the init
2216 task's soft limit. Note that the setting of hard limits
2217 (even to lower them) can be controlled by the setrlimit
2218 check. The inclusion of the init task's soft limit into
2219 the computation is to avoid resetting soft limits higher
2220 than the default soft limit for cases where the default
2221 is lower than the hard limit, e.g. RLIMIT_CORE or
2223 rc
= avc_has_perm(tsec
->osid
, tsec
->sid
, SECCLASS_PROCESS
,
2224 PROCESS__RLIMITINH
, NULL
);
2226 for (i
= 0; i
< RLIM_NLIMITS
; i
++) {
2227 rlim
= current
->signal
->rlim
+ i
;
2228 initrlim
= init_task
.signal
->rlim
+i
;
2229 rlim
->rlim_cur
= min(rlim
->rlim_max
,initrlim
->rlim_cur
);
2231 if (current
->signal
->rlim
[RLIMIT_CPU
].rlim_cur
!= RLIM_INFINITY
) {
2233 * This will cause RLIMIT_CPU calculations
2236 current
->it_prof_expires
= jiffies_to_cputime(1);
2240 /* Wake up the parent if it is waiting so that it can
2241 recheck wait permission to the new task SID. */
2242 wake_up_interruptible(¤t
->parent
->signal
->wait_chldexit
);
2245 /* superblock security operations */
2247 static int selinux_sb_alloc_security(struct super_block
*sb
)
2249 return superblock_alloc_security(sb
);
2252 static void selinux_sb_free_security(struct super_block
*sb
)
2254 superblock_free_security(sb
);
2257 static inline int match_prefix(char *prefix
, int plen
, char *option
, int olen
)
2262 return !memcmp(prefix
, option
, plen
);
2265 static inline int selinux_option(char *option
, int len
)
2267 return (match_prefix("context=", sizeof("context=")-1, option
, len
) ||
2268 match_prefix("fscontext=", sizeof("fscontext=")-1, option
, len
) ||
2269 match_prefix("defcontext=", sizeof("defcontext=")-1, option
, len
) ||
2270 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option
, len
));
2273 static inline void take_option(char **to
, char *from
, int *first
, int len
)
2280 memcpy(*to
, from
, len
);
2284 static inline void take_selinux_option(char **to
, char *from
, int *first
,
2287 int current_size
= 0;
2296 while (current_size
< len
) {
2306 static int selinux_sb_copy_data(char *orig
, char *copy
)
2308 int fnosec
, fsec
, rc
= 0;
2309 char *in_save
, *in_curr
, *in_end
;
2310 char *sec_curr
, *nosec_save
, *nosec
;
2316 nosec
= (char *)get_zeroed_page(GFP_KERNEL
);
2324 in_save
= in_end
= orig
;
2328 open_quote
= !open_quote
;
2329 if ((*in_end
== ',' && open_quote
== 0) ||
2331 int len
= in_end
- in_curr
;
2333 if (selinux_option(in_curr
, len
))
2334 take_selinux_option(&sec_curr
, in_curr
, &fsec
, len
);
2336 take_option(&nosec
, in_curr
, &fnosec
, len
);
2338 in_curr
= in_end
+ 1;
2340 } while (*in_end
++);
2342 strcpy(in_save
, nosec_save
);
2343 free_page((unsigned long)nosec_save
);
2348 static int selinux_sb_kern_mount(struct super_block
*sb
, void *data
)
2350 struct avc_audit_data ad
;
2353 rc
= superblock_doinit(sb
, data
);
2357 AVC_AUDIT_DATA_INIT(&ad
,FS
);
2358 ad
.u
.fs
.path
.dentry
= sb
->s_root
;
2359 return superblock_has_perm(current
, sb
, FILESYSTEM__MOUNT
, &ad
);
2362 static int selinux_sb_statfs(struct dentry
*dentry
)
2364 struct avc_audit_data ad
;
2366 AVC_AUDIT_DATA_INIT(&ad
,FS
);
2367 ad
.u
.fs
.path
.dentry
= dentry
->d_sb
->s_root
;
2368 return superblock_has_perm(current
, dentry
->d_sb
, FILESYSTEM__GETATTR
, &ad
);
2371 static int selinux_mount(char * dev_name
,
2372 struct nameidata
*nd
,
2374 unsigned long flags
,
2379 rc
= secondary_ops
->sb_mount(dev_name
, nd
, type
, flags
, data
);
2383 if (flags
& MS_REMOUNT
)
2384 return superblock_has_perm(current
, nd
->path
.mnt
->mnt_sb
,
2385 FILESYSTEM__REMOUNT
, NULL
);
2387 return dentry_has_perm(current
, nd
->path
.mnt
, nd
->path
.dentry
,
2391 static int selinux_umount(struct vfsmount
*mnt
, int flags
)
2395 rc
= secondary_ops
->sb_umount(mnt
, flags
);
2399 return superblock_has_perm(current
,mnt
->mnt_sb
,
2400 FILESYSTEM__UNMOUNT
,NULL
);
2403 /* inode security operations */
2405 static int selinux_inode_alloc_security(struct inode
*inode
)
2407 return inode_alloc_security(inode
);
2410 static void selinux_inode_free_security(struct inode
*inode
)
2412 inode_free_security(inode
);
2415 static int selinux_inode_init_security(struct inode
*inode
, struct inode
*dir
,
2416 char **name
, void **value
,
2419 struct task_security_struct
*tsec
;
2420 struct inode_security_struct
*dsec
;
2421 struct superblock_security_struct
*sbsec
;
2424 char *namep
= NULL
, *context
;
2426 tsec
= current
->security
;
2427 dsec
= dir
->i_security
;
2428 sbsec
= dir
->i_sb
->s_security
;
2430 if (tsec
->create_sid
&& sbsec
->behavior
!= SECURITY_FS_USE_MNTPOINT
) {
2431 newsid
= tsec
->create_sid
;
2433 rc
= security_transition_sid(tsec
->sid
, dsec
->sid
,
2434 inode_mode_to_security_class(inode
->i_mode
),
2437 printk(KERN_WARNING
"%s: "
2438 "security_transition_sid failed, rc=%d (dev=%s "
2441 -rc
, inode
->i_sb
->s_id
, inode
->i_ino
);
2446 /* Possibly defer initialization to selinux_complete_init. */
2447 if (sbsec
->initialized
) {
2448 struct inode_security_struct
*isec
= inode
->i_security
;
2449 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
2451 isec
->initialized
= 1;
2454 if (!ss_initialized
|| sbsec
->behavior
== SECURITY_FS_USE_MNTPOINT
)
2458 namep
= kstrdup(XATTR_SELINUX_SUFFIX
, GFP_NOFS
);
2465 rc
= security_sid_to_context(newsid
, &context
, &clen
);
2477 static int selinux_inode_create(struct inode
*dir
, struct dentry
*dentry
, int mask
)
2479 return may_create(dir
, dentry
, SECCLASS_FILE
);
2482 static int selinux_inode_link(struct dentry
*old_dentry
, struct inode
*dir
, struct dentry
*new_dentry
)
2486 rc
= secondary_ops
->inode_link(old_dentry
,dir
,new_dentry
);
2489 return may_link(dir
, old_dentry
, MAY_LINK
);
2492 static int selinux_inode_unlink(struct inode
*dir
, struct dentry
*dentry
)
2496 rc
= secondary_ops
->inode_unlink(dir
, dentry
);
2499 return may_link(dir
, dentry
, MAY_UNLINK
);
2502 static int selinux_inode_symlink(struct inode
*dir
, struct dentry
*dentry
, const char *name
)
2504 return may_create(dir
, dentry
, SECCLASS_LNK_FILE
);
2507 static int selinux_inode_mkdir(struct inode
*dir
, struct dentry
*dentry
, int mask
)
2509 return may_create(dir
, dentry
, SECCLASS_DIR
);
2512 static int selinux_inode_rmdir(struct inode
*dir
, struct dentry
*dentry
)
2514 return may_link(dir
, dentry
, MAY_RMDIR
);
2517 static int selinux_inode_mknod(struct inode
*dir
, struct dentry
*dentry
, int mode
, dev_t dev
)
2521 rc
= secondary_ops
->inode_mknod(dir
, dentry
, mode
, dev
);
2525 return may_create(dir
, dentry
, inode_mode_to_security_class(mode
));
2528 static int selinux_inode_rename(struct inode
*old_inode
, struct dentry
*old_dentry
,
2529 struct inode
*new_inode
, struct dentry
*new_dentry
)
2531 return may_rename(old_inode
, old_dentry
, new_inode
, new_dentry
);
2534 static int selinux_inode_readlink(struct dentry
*dentry
)
2536 return dentry_has_perm(current
, NULL
, dentry
, FILE__READ
);
2539 static int selinux_inode_follow_link(struct dentry
*dentry
, struct nameidata
*nameidata
)
2543 rc
= secondary_ops
->inode_follow_link(dentry
,nameidata
);
2546 return dentry_has_perm(current
, NULL
, dentry
, FILE__READ
);
2549 static int selinux_inode_permission(struct inode
*inode
, int mask
,
2550 struct nameidata
*nd
)
2554 rc
= secondary_ops
->inode_permission(inode
, mask
, nd
);
2559 /* No permission to check. Existence test. */
2563 return inode_has_perm(current
, inode
,
2564 open_file_mask_to_av(inode
->i_mode
, mask
), NULL
);
2567 static int selinux_inode_setattr(struct dentry
*dentry
, struct iattr
*iattr
)
2571 rc
= secondary_ops
->inode_setattr(dentry
, iattr
);
2575 if (iattr
->ia_valid
& ATTR_FORCE
)
2578 if (iattr
->ia_valid
& (ATTR_MODE
| ATTR_UID
| ATTR_GID
|
2579 ATTR_ATIME_SET
| ATTR_MTIME_SET
))
2580 return dentry_has_perm(current
, NULL
, dentry
, FILE__SETATTR
);
2582 return dentry_has_perm(current
, NULL
, dentry
, FILE__WRITE
);
2585 static int selinux_inode_getattr(struct vfsmount
*mnt
, struct dentry
*dentry
)
2587 return dentry_has_perm(current
, mnt
, dentry
, FILE__GETATTR
);
2590 static int selinux_inode_setotherxattr(struct dentry
*dentry
, char *name
)
2592 if (!strncmp(name
, XATTR_SECURITY_PREFIX
,
2593 sizeof XATTR_SECURITY_PREFIX
- 1)) {
2594 if (!strcmp(name
, XATTR_NAME_CAPS
)) {
2595 if (!capable(CAP_SETFCAP
))
2597 } else if (!capable(CAP_SYS_ADMIN
)) {
2598 /* A different attribute in the security namespace.
2599 Restrict to administrator. */
2604 /* Not an attribute we recognize, so just check the
2605 ordinary setattr permission. */
2606 return dentry_has_perm(current
, NULL
, dentry
, FILE__SETATTR
);
2609 static int selinux_inode_setxattr(struct dentry
*dentry
, char *name
, void *value
, size_t size
, int flags
)
2611 struct task_security_struct
*tsec
= current
->security
;
2612 struct inode
*inode
= dentry
->d_inode
;
2613 struct inode_security_struct
*isec
= inode
->i_security
;
2614 struct superblock_security_struct
*sbsec
;
2615 struct avc_audit_data ad
;
2619 if (strcmp(name
, XATTR_NAME_SELINUX
))
2620 return selinux_inode_setotherxattr(dentry
, name
);
2622 sbsec
= inode
->i_sb
->s_security
;
2623 if (sbsec
->behavior
== SECURITY_FS_USE_MNTPOINT
)
2626 if (!is_owner_or_cap(inode
))
2629 AVC_AUDIT_DATA_INIT(&ad
,FS
);
2630 ad
.u
.fs
.path
.dentry
= dentry
;
2632 rc
= avc_has_perm(tsec
->sid
, isec
->sid
, isec
->sclass
,
2633 FILE__RELABELFROM
, &ad
);
2637 rc
= security_context_to_sid(value
, size
, &newsid
);
2641 rc
= avc_has_perm(tsec
->sid
, newsid
, isec
->sclass
,
2642 FILE__RELABELTO
, &ad
);
2646 rc
= security_validate_transition(isec
->sid
, newsid
, tsec
->sid
,
2651 return avc_has_perm(newsid
,
2653 SECCLASS_FILESYSTEM
,
2654 FILESYSTEM__ASSOCIATE
,
2658 static void selinux_inode_post_setxattr(struct dentry
*dentry
, char *name
,
2659 void *value
, size_t size
, int flags
)
2661 struct inode
*inode
= dentry
->d_inode
;
2662 struct inode_security_struct
*isec
= inode
->i_security
;
2666 if (strcmp(name
, XATTR_NAME_SELINUX
)) {
2667 /* Not an attribute we recognize, so nothing to do. */
2671 rc
= security_context_to_sid(value
, size
, &newsid
);
2673 printk(KERN_WARNING
"%s: unable to obtain SID for context "
2674 "%s, rc=%d\n", __func__
, (char *)value
, -rc
);
2682 static int selinux_inode_getxattr (struct dentry
*dentry
, char *name
)
2684 return dentry_has_perm(current
, NULL
, dentry
, FILE__GETATTR
);
2687 static int selinux_inode_listxattr (struct dentry
*dentry
)
2689 return dentry_has_perm(current
, NULL
, dentry
, FILE__GETATTR
);
2692 static int selinux_inode_removexattr (struct dentry
*dentry
, char *name
)
2694 if (strcmp(name
, XATTR_NAME_SELINUX
))
2695 return selinux_inode_setotherxattr(dentry
, name
);
2697 /* No one is allowed to remove a SELinux security label.
2698 You can change the label, but all data must be labeled. */
2703 * Copy the in-core inode security context value to the user. If the
2704 * getxattr() prior to this succeeded, check to see if we need to
2705 * canonicalize the value to be finally returned to the user.
2707 * Permission check is handled by selinux_inode_getxattr hook.
2709 static int selinux_inode_getsecurity(const struct inode
*inode
, const char *name
, void **buffer
, bool alloc
)
2713 char *context
= NULL
;
2714 struct inode_security_struct
*isec
= inode
->i_security
;
2716 if (strcmp(name
, XATTR_SELINUX_SUFFIX
))
2719 error
= security_sid_to_context(isec
->sid
, &context
, &size
);
2732 static int selinux_inode_setsecurity(struct inode
*inode
, const char *name
,
2733 const void *value
, size_t size
, int flags
)
2735 struct inode_security_struct
*isec
= inode
->i_security
;
2739 if (strcmp(name
, XATTR_SELINUX_SUFFIX
))
2742 if (!value
|| !size
)
2745 rc
= security_context_to_sid((void*)value
, size
, &newsid
);
2753 static int selinux_inode_listsecurity(struct inode
*inode
, char *buffer
, size_t buffer_size
)
2755 const int len
= sizeof(XATTR_NAME_SELINUX
);
2756 if (buffer
&& len
<= buffer_size
)
2757 memcpy(buffer
, XATTR_NAME_SELINUX
, len
);
2761 static int selinux_inode_need_killpriv(struct dentry
*dentry
)
2763 return secondary_ops
->inode_need_killpriv(dentry
);
2766 static int selinux_inode_killpriv(struct dentry
*dentry
)
2768 return secondary_ops
->inode_killpriv(dentry
);
2771 /* file security operations */
2773 static int selinux_revalidate_file_permission(struct file
*file
, int mask
)
2776 struct inode
*inode
= file
->f_path
.dentry
->d_inode
;
2779 /* No permission to check. Existence test. */
2783 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2784 if ((file
->f_flags
& O_APPEND
) && (mask
& MAY_WRITE
))
2787 rc
= file_has_perm(current
, file
,
2788 file_mask_to_av(inode
->i_mode
, mask
));
2792 return selinux_netlbl_inode_permission(inode
, mask
);
2795 static int selinux_file_permission(struct file
*file
, int mask
)
2797 struct inode
*inode
= file
->f_path
.dentry
->d_inode
;
2798 struct task_security_struct
*tsec
= current
->security
;
2799 struct file_security_struct
*fsec
= file
->f_security
;
2800 struct inode_security_struct
*isec
= inode
->i_security
;
2803 /* No permission to check. Existence test. */
2807 if (tsec
->sid
== fsec
->sid
&& fsec
->isid
== isec
->sid
2808 && fsec
->pseqno
== avc_policy_seqno())
2809 return selinux_netlbl_inode_permission(inode
, mask
);
2811 return selinux_revalidate_file_permission(file
, mask
);
2814 static int selinux_file_alloc_security(struct file
*file
)
2816 return file_alloc_security(file
);
2819 static void selinux_file_free_security(struct file
*file
)
2821 file_free_security(file
);
2824 static int selinux_file_ioctl(struct file
*file
, unsigned int cmd
,
2836 case EXT2_IOC_GETFLAGS
:
2838 case EXT2_IOC_GETVERSION
:
2839 error
= file_has_perm(current
, file
, FILE__GETATTR
);
2842 case EXT2_IOC_SETFLAGS
:
2844 case EXT2_IOC_SETVERSION
:
2845 error
= file_has_perm(current
, file
, FILE__SETATTR
);
2848 /* sys_ioctl() checks */
2852 error
= file_has_perm(current
, file
, 0);
2857 error
= task_has_capability(current
,CAP_SYS_TTY_CONFIG
);
2860 /* default case assumes that the command will go
2861 * to the file's ioctl() function.
2864 error
= file_has_perm(current
, file
, FILE__IOCTL
);
2870 static int file_map_prot_check(struct file
*file
, unsigned long prot
, int shared
)
2872 #ifndef CONFIG_PPC32
2873 if ((prot
& PROT_EXEC
) && (!file
|| (!shared
&& (prot
& PROT_WRITE
)))) {
2875 * We are making executable an anonymous mapping or a
2876 * private file mapping that will also be writable.
2877 * This has an additional check.
2879 int rc
= task_has_perm(current
, current
, PROCESS__EXECMEM
);
2886 /* read access is always possible with a mapping */
2887 u32 av
= FILE__READ
;
2889 /* write access only matters if the mapping is shared */
2890 if (shared
&& (prot
& PROT_WRITE
))
2893 if (prot
& PROT_EXEC
)
2894 av
|= FILE__EXECUTE
;
2896 return file_has_perm(current
, file
, av
);
2901 static int selinux_file_mmap(struct file
*file
, unsigned long reqprot
,
2902 unsigned long prot
, unsigned long flags
,
2903 unsigned long addr
, unsigned long addr_only
)
2906 u32 sid
= ((struct task_security_struct
*)(current
->security
))->sid
;
2908 if (addr
< mmap_min_addr
)
2909 rc
= avc_has_perm(sid
, sid
, SECCLASS_MEMPROTECT
,
2910 MEMPROTECT__MMAP_ZERO
, NULL
);
2911 if (rc
|| addr_only
)
2914 if (selinux_checkreqprot
)
2917 return file_map_prot_check(file
, prot
,
2918 (flags
& MAP_TYPE
) == MAP_SHARED
);
2921 static int selinux_file_mprotect(struct vm_area_struct
*vma
,
2922 unsigned long reqprot
,
2927 rc
= secondary_ops
->file_mprotect(vma
, reqprot
, prot
);
2931 if (selinux_checkreqprot
)
2934 #ifndef CONFIG_PPC32
2935 if ((prot
& PROT_EXEC
) && !(vma
->vm_flags
& VM_EXEC
)) {
2937 if (vma
->vm_start
>= vma
->vm_mm
->start_brk
&&
2938 vma
->vm_end
<= vma
->vm_mm
->brk
) {
2939 rc
= task_has_perm(current
, current
,
2941 } else if (!vma
->vm_file
&&
2942 vma
->vm_start
<= vma
->vm_mm
->start_stack
&&
2943 vma
->vm_end
>= vma
->vm_mm
->start_stack
) {
2944 rc
= task_has_perm(current
, current
, PROCESS__EXECSTACK
);
2945 } else if (vma
->vm_file
&& vma
->anon_vma
) {
2947 * We are making executable a file mapping that has
2948 * had some COW done. Since pages might have been
2949 * written, check ability to execute the possibly
2950 * modified content. This typically should only
2951 * occur for text relocations.
2953 rc
= file_has_perm(current
, vma
->vm_file
,
2961 return file_map_prot_check(vma
->vm_file
, prot
, vma
->vm_flags
&VM_SHARED
);
2964 static int selinux_file_lock(struct file
*file
, unsigned int cmd
)
2966 return file_has_perm(current
, file
, FILE__LOCK
);
2969 static int selinux_file_fcntl(struct file
*file
, unsigned int cmd
,
2976 if (!file
->f_path
.dentry
|| !file
->f_path
.dentry
->d_inode
) {
2981 if ((file
->f_flags
& O_APPEND
) && !(arg
& O_APPEND
)) {
2982 err
= file_has_perm(current
, file
,FILE__WRITE
);
2991 /* Just check FD__USE permission */
2992 err
= file_has_perm(current
, file
, 0);
2997 #if BITS_PER_LONG == 32
3002 if (!file
->f_path
.dentry
|| !file
->f_path
.dentry
->d_inode
) {
3006 err
= file_has_perm(current
, file
, FILE__LOCK
);
3013 static int selinux_file_set_fowner(struct file
*file
)
3015 struct task_security_struct
*tsec
;
3016 struct file_security_struct
*fsec
;
3018 tsec
= current
->security
;
3019 fsec
= file
->f_security
;
3020 fsec
->fown_sid
= tsec
->sid
;
3025 static int selinux_file_send_sigiotask(struct task_struct
*tsk
,
3026 struct fown_struct
*fown
, int signum
)
3030 struct task_security_struct
*tsec
;
3031 struct file_security_struct
*fsec
;
3033 /* struct fown_struct is never outside the context of a struct file */
3034 file
= container_of(fown
, struct file
, f_owner
);
3036 tsec
= tsk
->security
;
3037 fsec
= file
->f_security
;
3040 perm
= signal_to_av(SIGIO
); /* as per send_sigio_to_task */
3042 perm
= signal_to_av(signum
);
3044 return avc_has_perm(fsec
->fown_sid
, tsec
->sid
,
3045 SECCLASS_PROCESS
, perm
, NULL
);
3048 static int selinux_file_receive(struct file
*file
)
3050 return file_has_perm(current
, file
, file_to_av(file
));
3053 static int selinux_dentry_open(struct file
*file
)
3055 struct file_security_struct
*fsec
;
3056 struct inode
*inode
;
3057 struct inode_security_struct
*isec
;
3058 inode
= file
->f_path
.dentry
->d_inode
;
3059 fsec
= file
->f_security
;
3060 isec
= inode
->i_security
;
3062 * Save inode label and policy sequence number
3063 * at open-time so that selinux_file_permission
3064 * can determine whether revalidation is necessary.
3065 * Task label is already saved in the file security
3066 * struct as its SID.
3068 fsec
->isid
= isec
->sid
;
3069 fsec
->pseqno
= avc_policy_seqno();
3071 * Since the inode label or policy seqno may have changed
3072 * between the selinux_inode_permission check and the saving
3073 * of state above, recheck that access is still permitted.
3074 * Otherwise, access might never be revalidated against the
3075 * new inode label or new policy.
3076 * This check is not redundant - do not remove.
3078 return inode_has_perm(current
, inode
, file_to_av(file
), NULL
);
3081 /* task security operations */
3083 static int selinux_task_create(unsigned long clone_flags
)
3087 rc
= secondary_ops
->task_create(clone_flags
);
3091 return task_has_perm(current
, current
, PROCESS__FORK
);
3094 static int selinux_task_alloc_security(struct task_struct
*tsk
)
3096 struct task_security_struct
*tsec1
, *tsec2
;
3099 tsec1
= current
->security
;
3101 rc
= task_alloc_security(tsk
);
3104 tsec2
= tsk
->security
;
3106 tsec2
->osid
= tsec1
->osid
;
3107 tsec2
->sid
= tsec1
->sid
;
3109 /* Retain the exec, fs, key, and sock SIDs across fork */
3110 tsec2
->exec_sid
= tsec1
->exec_sid
;
3111 tsec2
->create_sid
= tsec1
->create_sid
;
3112 tsec2
->keycreate_sid
= tsec1
->keycreate_sid
;
3113 tsec2
->sockcreate_sid
= tsec1
->sockcreate_sid
;
3115 /* Retain ptracer SID across fork, if any.
3116 This will be reset by the ptrace hook upon any
3117 subsequent ptrace_attach operations. */
3118 tsec2
->ptrace_sid
= tsec1
->ptrace_sid
;
3123 static void selinux_task_free_security(struct task_struct
*tsk
)
3125 task_free_security(tsk
);
3128 static int selinux_task_setuid(uid_t id0
, uid_t id1
, uid_t id2
, int flags
)
3130 /* Since setuid only affects the current process, and
3131 since the SELinux controls are not based on the Linux
3132 identity attributes, SELinux does not need to control
3133 this operation. However, SELinux does control the use
3134 of the CAP_SETUID and CAP_SETGID capabilities using the
3139 static int selinux_task_post_setuid(uid_t id0
, uid_t id1
, uid_t id2
, int flags
)
3141 return secondary_ops
->task_post_setuid(id0
,id1
,id2
,flags
);
3144 static int selinux_task_setgid(gid_t id0
, gid_t id1
, gid_t id2
, int flags
)
3146 /* See the comment for setuid above. */
3150 static int selinux_task_setpgid(struct task_struct
*p
, pid_t pgid
)
3152 return task_has_perm(current
, p
, PROCESS__SETPGID
);
3155 static int selinux_task_getpgid(struct task_struct
*p
)
3157 return task_has_perm(current
, p
, PROCESS__GETPGID
);
3160 static int selinux_task_getsid(struct task_struct
*p
)
3162 return task_has_perm(current
, p
, PROCESS__GETSESSION
);
3165 static void selinux_task_getsecid(struct task_struct
*p
, u32
*secid
)
3167 selinux_get_task_sid(p
, secid
);
3170 static int selinux_task_setgroups(struct group_info
*group_info
)
3172 /* See the comment for setuid above. */
3176 static int selinux_task_setnice(struct task_struct
*p
, int nice
)
3180 rc
= secondary_ops
->task_setnice(p
, nice
);
3184 return task_has_perm(current
,p
, PROCESS__SETSCHED
);
3187 static int selinux_task_setioprio(struct task_struct
*p
, int ioprio
)
3191 rc
= secondary_ops
->task_setioprio(p
, ioprio
);
3195 return task_has_perm(current
, p
, PROCESS__SETSCHED
);
3198 static int selinux_task_getioprio(struct task_struct
*p
)
3200 return task_has_perm(current
, p
, PROCESS__GETSCHED
);
3203 static int selinux_task_setrlimit(unsigned int resource
, struct rlimit
*new_rlim
)
3205 struct rlimit
*old_rlim
= current
->signal
->rlim
+ resource
;
3208 rc
= secondary_ops
->task_setrlimit(resource
, new_rlim
);
3212 /* Control the ability to change the hard limit (whether
3213 lowering or raising it), so that the hard limit can
3214 later be used as a safe reset point for the soft limit
3215 upon context transitions. See selinux_bprm_apply_creds. */
3216 if (old_rlim
->rlim_max
!= new_rlim
->rlim_max
)
3217 return task_has_perm(current
, current
, PROCESS__SETRLIMIT
);
3222 static int selinux_task_setscheduler(struct task_struct
*p
, int policy
, struct sched_param
*lp
)
3226 rc
= secondary_ops
->task_setscheduler(p
, policy
, lp
);
3230 return task_has_perm(current
, p
, PROCESS__SETSCHED
);
3233 static int selinux_task_getscheduler(struct task_struct
*p
)
3235 return task_has_perm(current
, p
, PROCESS__GETSCHED
);
3238 static int selinux_task_movememory(struct task_struct
*p
)
3240 return task_has_perm(current
, p
, PROCESS__SETSCHED
);
3243 static int selinux_task_kill(struct task_struct
*p
, struct siginfo
*info
,
3248 struct task_security_struct
*tsec
;
3250 rc
= secondary_ops
->task_kill(p
, info
, sig
, secid
);
3254 if (info
!= SEND_SIG_NOINFO
&& (is_si_special(info
) || SI_FROMKERNEL(info
)))
3258 perm
= PROCESS__SIGNULL
; /* null signal; existence test */
3260 perm
= signal_to_av(sig
);
3263 rc
= avc_has_perm(secid
, tsec
->sid
, SECCLASS_PROCESS
, perm
, NULL
);
3265 rc
= task_has_perm(current
, p
, perm
);
3269 static int selinux_task_prctl(int option
,
3275 /* The current prctl operations do not appear to require
3276 any SELinux controls since they merely observe or modify
3277 the state of the current process. */
3281 static int selinux_task_wait(struct task_struct
*p
)
3283 return task_has_perm(p
, current
, PROCESS__SIGCHLD
);
3286 static void selinux_task_reparent_to_init(struct task_struct
*p
)
3288 struct task_security_struct
*tsec
;
3290 secondary_ops
->task_reparent_to_init(p
);
3293 tsec
->osid
= tsec
->sid
;
3294 tsec
->sid
= SECINITSID_KERNEL
;
3298 static void selinux_task_to_inode(struct task_struct
*p
,
3299 struct inode
*inode
)
3301 struct task_security_struct
*tsec
= p
->security
;
3302 struct inode_security_struct
*isec
= inode
->i_security
;
3304 isec
->sid
= tsec
->sid
;
3305 isec
->initialized
= 1;
3309 /* Returns error only if unable to parse addresses */
3310 static int selinux_parse_skb_ipv4(struct sk_buff
*skb
,
3311 struct avc_audit_data
*ad
, u8
*proto
)
3313 int offset
, ihlen
, ret
= -EINVAL
;
3314 struct iphdr _iph
, *ih
;
3316 offset
= skb_network_offset(skb
);
3317 ih
= skb_header_pointer(skb
, offset
, sizeof(_iph
), &_iph
);
3321 ihlen
= ih
->ihl
* 4;
3322 if (ihlen
< sizeof(_iph
))
3325 ad
->u
.net
.v4info
.saddr
= ih
->saddr
;
3326 ad
->u
.net
.v4info
.daddr
= ih
->daddr
;
3330 *proto
= ih
->protocol
;
3332 switch (ih
->protocol
) {
3334 struct tcphdr _tcph
, *th
;
3336 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
3340 th
= skb_header_pointer(skb
, offset
, sizeof(_tcph
), &_tcph
);
3344 ad
->u
.net
.sport
= th
->source
;
3345 ad
->u
.net
.dport
= th
->dest
;
3350 struct udphdr _udph
, *uh
;
3352 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
3356 uh
= skb_header_pointer(skb
, offset
, sizeof(_udph
), &_udph
);
3360 ad
->u
.net
.sport
= uh
->source
;
3361 ad
->u
.net
.dport
= uh
->dest
;
3365 case IPPROTO_DCCP
: {
3366 struct dccp_hdr _dccph
, *dh
;
3368 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
3372 dh
= skb_header_pointer(skb
, offset
, sizeof(_dccph
), &_dccph
);
3376 ad
->u
.net
.sport
= dh
->dccph_sport
;
3377 ad
->u
.net
.dport
= dh
->dccph_dport
;
3388 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3390 /* Returns error only if unable to parse addresses */
3391 static int selinux_parse_skb_ipv6(struct sk_buff
*skb
,
3392 struct avc_audit_data
*ad
, u8
*proto
)
3395 int ret
= -EINVAL
, offset
;
3396 struct ipv6hdr _ipv6h
, *ip6
;
3398 offset
= skb_network_offset(skb
);
3399 ip6
= skb_header_pointer(skb
, offset
, sizeof(_ipv6h
), &_ipv6h
);
3403 ipv6_addr_copy(&ad
->u
.net
.v6info
.saddr
, &ip6
->saddr
);
3404 ipv6_addr_copy(&ad
->u
.net
.v6info
.daddr
, &ip6
->daddr
);
3407 nexthdr
= ip6
->nexthdr
;
3408 offset
+= sizeof(_ipv6h
);
3409 offset
= ipv6_skip_exthdr(skb
, offset
, &nexthdr
);
3418 struct tcphdr _tcph
, *th
;
3420 th
= skb_header_pointer(skb
, offset
, sizeof(_tcph
), &_tcph
);
3424 ad
->u
.net
.sport
= th
->source
;
3425 ad
->u
.net
.dport
= th
->dest
;
3430 struct udphdr _udph
, *uh
;
3432 uh
= skb_header_pointer(skb
, offset
, sizeof(_udph
), &_udph
);
3436 ad
->u
.net
.sport
= uh
->source
;
3437 ad
->u
.net
.dport
= uh
->dest
;
3441 case IPPROTO_DCCP
: {
3442 struct dccp_hdr _dccph
, *dh
;
3444 dh
= skb_header_pointer(skb
, offset
, sizeof(_dccph
), &_dccph
);
3448 ad
->u
.net
.sport
= dh
->dccph_sport
;
3449 ad
->u
.net
.dport
= dh
->dccph_dport
;
3453 /* includes fragments */
3463 static int selinux_parse_skb(struct sk_buff
*skb
, struct avc_audit_data
*ad
,
3464 char **addrp
, int src
, u8
*proto
)
3468 switch (ad
->u
.net
.family
) {
3470 ret
= selinux_parse_skb_ipv4(skb
, ad
, proto
);
3473 *addrp
= (char *)(src
? &ad
->u
.net
.v4info
.saddr
:
3474 &ad
->u
.net
.v4info
.daddr
);
3477 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3479 ret
= selinux_parse_skb_ipv6(skb
, ad
, proto
);
3482 *addrp
= (char *)(src
? &ad
->u
.net
.v6info
.saddr
:
3483 &ad
->u
.net
.v6info
.daddr
);
3492 "SELinux: failure in selinux_parse_skb(),"
3493 " unable to parse packet\n");
3499 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3501 * @family: protocol family
3502 * @sid: the packet's peer label SID
3505 * Check the various different forms of network peer labeling and determine
3506 * the peer label/SID for the packet; most of the magic actually occurs in
3507 * the security server function security_net_peersid_cmp(). The function
3508 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3509 * or -EACCES if @sid is invalid due to inconsistencies with the different
3513 static int selinux_skb_peerlbl_sid(struct sk_buff
*skb
, u16 family
, u32
*sid
)
3520 selinux_skb_xfrm_sid(skb
, &xfrm_sid
);
3521 selinux_netlbl_skbuff_getsid(skb
, family
, &nlbl_type
, &nlbl_sid
);
3523 err
= security_net_peersid_resolve(nlbl_sid
, nlbl_type
, xfrm_sid
, sid
);
3524 if (unlikely(err
)) {
3526 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3527 " unable to determine packet's peer label\n");
3534 /* socket security operations */
3535 static int socket_has_perm(struct task_struct
*task
, struct socket
*sock
,
3538 struct inode_security_struct
*isec
;
3539 struct task_security_struct
*tsec
;
3540 struct avc_audit_data ad
;
3543 tsec
= task
->security
;
3544 isec
= SOCK_INODE(sock
)->i_security
;
3546 if (isec
->sid
== SECINITSID_KERNEL
)
3549 AVC_AUDIT_DATA_INIT(&ad
,NET
);
3550 ad
.u
.net
.sk
= sock
->sk
;
3551 err
= avc_has_perm(tsec
->sid
, isec
->sid
, isec
->sclass
, perms
, &ad
);
3557 static int selinux_socket_create(int family
, int type
,
3558 int protocol
, int kern
)
3561 struct task_security_struct
*tsec
;
3567 tsec
= current
->security
;
3568 newsid
= tsec
->sockcreate_sid
? : tsec
->sid
;
3569 err
= avc_has_perm(tsec
->sid
, newsid
,
3570 socket_type_to_security_class(family
, type
,
3571 protocol
), SOCKET__CREATE
, NULL
);
3577 static int selinux_socket_post_create(struct socket
*sock
, int family
,
3578 int type
, int protocol
, int kern
)
3581 struct inode_security_struct
*isec
;
3582 struct task_security_struct
*tsec
;
3583 struct sk_security_struct
*sksec
;
3586 isec
= SOCK_INODE(sock
)->i_security
;
3588 tsec
= current
->security
;
3589 newsid
= tsec
->sockcreate_sid
? : tsec
->sid
;
3590 isec
->sclass
= socket_type_to_security_class(family
, type
, protocol
);
3591 isec
->sid
= kern
? SECINITSID_KERNEL
: newsid
;
3592 isec
->initialized
= 1;
3595 sksec
= sock
->sk
->sk_security
;
3596 sksec
->sid
= isec
->sid
;
3597 sksec
->sclass
= isec
->sclass
;
3598 err
= selinux_netlbl_socket_post_create(sock
);
3604 /* Range of port numbers used to automatically bind.
3605 Need to determine whether we should perform a name_bind
3606 permission check between the socket and the port number. */
3608 static int selinux_socket_bind(struct socket
*sock
, struct sockaddr
*address
, int addrlen
)
3613 err
= socket_has_perm(current
, sock
, SOCKET__BIND
);
3618 * If PF_INET or PF_INET6, check name_bind permission for the port.
3619 * Multiple address binding for SCTP is not supported yet: we just
3620 * check the first address now.
3622 family
= sock
->sk
->sk_family
;
3623 if (family
== PF_INET
|| family
== PF_INET6
) {
3625 struct inode_security_struct
*isec
;
3626 struct task_security_struct
*tsec
;
3627 struct avc_audit_data ad
;
3628 struct sockaddr_in
*addr4
= NULL
;
3629 struct sockaddr_in6
*addr6
= NULL
;
3630 unsigned short snum
;
3631 struct sock
*sk
= sock
->sk
;
3632 u32 sid
, node_perm
, addrlen
;
3634 tsec
= current
->security
;
3635 isec
= SOCK_INODE(sock
)->i_security
;
3637 if (family
== PF_INET
) {
3638 addr4
= (struct sockaddr_in
*)address
;
3639 snum
= ntohs(addr4
->sin_port
);
3640 addrlen
= sizeof(addr4
->sin_addr
.s_addr
);
3641 addrp
= (char *)&addr4
->sin_addr
.s_addr
;
3643 addr6
= (struct sockaddr_in6
*)address
;
3644 snum
= ntohs(addr6
->sin6_port
);
3645 addrlen
= sizeof(addr6
->sin6_addr
.s6_addr
);
3646 addrp
= (char *)&addr6
->sin6_addr
.s6_addr
;
3652 inet_get_local_port_range(&low
, &high
);
3654 if (snum
< max(PROT_SOCK
, low
) || snum
> high
) {
3655 err
= security_port_sid(sk
->sk_family
,
3657 sk
->sk_protocol
, snum
,
3661 AVC_AUDIT_DATA_INIT(&ad
,NET
);
3662 ad
.u
.net
.sport
= htons(snum
);
3663 ad
.u
.net
.family
= family
;
3664 err
= avc_has_perm(isec
->sid
, sid
,
3666 SOCKET__NAME_BIND
, &ad
);
3672 switch(isec
->sclass
) {
3673 case SECCLASS_TCP_SOCKET
:
3674 node_perm
= TCP_SOCKET__NODE_BIND
;
3677 case SECCLASS_UDP_SOCKET
:
3678 node_perm
= UDP_SOCKET__NODE_BIND
;
3681 case SECCLASS_DCCP_SOCKET
:
3682 node_perm
= DCCP_SOCKET__NODE_BIND
;
3686 node_perm
= RAWIP_SOCKET__NODE_BIND
;
3690 err
= sel_netnode_sid(addrp
, family
, &sid
);
3694 AVC_AUDIT_DATA_INIT(&ad
,NET
);
3695 ad
.u
.net
.sport
= htons(snum
);
3696 ad
.u
.net
.family
= family
;
3698 if (family
== PF_INET
)
3699 ad
.u
.net
.v4info
.saddr
= addr4
->sin_addr
.s_addr
;
3701 ipv6_addr_copy(&ad
.u
.net
.v6info
.saddr
, &addr6
->sin6_addr
);
3703 err
= avc_has_perm(isec
->sid
, sid
,
3704 isec
->sclass
, node_perm
, &ad
);
3712 static int selinux_socket_connect(struct socket
*sock
, struct sockaddr
*address
, int addrlen
)
3714 struct inode_security_struct
*isec
;
3717 err
= socket_has_perm(current
, sock
, SOCKET__CONNECT
);
3722 * If a TCP or DCCP socket, check name_connect permission for the port.
3724 isec
= SOCK_INODE(sock
)->i_security
;
3725 if (isec
->sclass
== SECCLASS_TCP_SOCKET
||
3726 isec
->sclass
== SECCLASS_DCCP_SOCKET
) {
3727 struct sock
*sk
= sock
->sk
;
3728 struct avc_audit_data ad
;
3729 struct sockaddr_in
*addr4
= NULL
;
3730 struct sockaddr_in6
*addr6
= NULL
;
3731 unsigned short snum
;
3734 if (sk
->sk_family
== PF_INET
) {
3735 addr4
= (struct sockaddr_in
*)address
;
3736 if (addrlen
< sizeof(struct sockaddr_in
))
3738 snum
= ntohs(addr4
->sin_port
);
3740 addr6
= (struct sockaddr_in6
*)address
;
3741 if (addrlen
< SIN6_LEN_RFC2133
)
3743 snum
= ntohs(addr6
->sin6_port
);
3746 err
= security_port_sid(sk
->sk_family
, sk
->sk_type
,
3747 sk
->sk_protocol
, snum
, &sid
);
3751 perm
= (isec
->sclass
== SECCLASS_TCP_SOCKET
) ?
3752 TCP_SOCKET__NAME_CONNECT
: DCCP_SOCKET__NAME_CONNECT
;
3754 AVC_AUDIT_DATA_INIT(&ad
,NET
);
3755 ad
.u
.net
.dport
= htons(snum
);
3756 ad
.u
.net
.family
= sk
->sk_family
;
3757 err
= avc_has_perm(isec
->sid
, sid
, isec
->sclass
, perm
, &ad
);
3766 static int selinux_socket_listen(struct socket
*sock
, int backlog
)
3768 return socket_has_perm(current
, sock
, SOCKET__LISTEN
);
3771 static int selinux_socket_accept(struct socket
*sock
, struct socket
*newsock
)
3774 struct inode_security_struct
*isec
;
3775 struct inode_security_struct
*newisec
;
3777 err
= socket_has_perm(current
, sock
, SOCKET__ACCEPT
);
3781 newisec
= SOCK_INODE(newsock
)->i_security
;
3783 isec
= SOCK_INODE(sock
)->i_security
;
3784 newisec
->sclass
= isec
->sclass
;
3785 newisec
->sid
= isec
->sid
;
3786 newisec
->initialized
= 1;
3791 static int selinux_socket_sendmsg(struct socket
*sock
, struct msghdr
*msg
,
3796 rc
= socket_has_perm(current
, sock
, SOCKET__WRITE
);
3800 return selinux_netlbl_inode_permission(SOCK_INODE(sock
), MAY_WRITE
);
3803 static int selinux_socket_recvmsg(struct socket
*sock
, struct msghdr
*msg
,
3804 int size
, int flags
)
3806 return socket_has_perm(current
, sock
, SOCKET__READ
);
3809 static int selinux_socket_getsockname(struct socket
*sock
)
3811 return socket_has_perm(current
, sock
, SOCKET__GETATTR
);
3814 static int selinux_socket_getpeername(struct socket
*sock
)
3816 return socket_has_perm(current
, sock
, SOCKET__GETATTR
);
3819 static int selinux_socket_setsockopt(struct socket
*sock
,int level
,int optname
)
3823 err
= socket_has_perm(current
, sock
, SOCKET__SETOPT
);
3827 return selinux_netlbl_socket_setsockopt(sock
, level
, optname
);
3830 static int selinux_socket_getsockopt(struct socket
*sock
, int level
,
3833 return socket_has_perm(current
, sock
, SOCKET__GETOPT
);
3836 static int selinux_socket_shutdown(struct socket
*sock
, int how
)
3838 return socket_has_perm(current
, sock
, SOCKET__SHUTDOWN
);
3841 static int selinux_socket_unix_stream_connect(struct socket
*sock
,
3842 struct socket
*other
,
3845 struct sk_security_struct
*ssec
;
3846 struct inode_security_struct
*isec
;
3847 struct inode_security_struct
*other_isec
;
3848 struct avc_audit_data ad
;
3851 err
= secondary_ops
->unix_stream_connect(sock
, other
, newsk
);
3855 isec
= SOCK_INODE(sock
)->i_security
;
3856 other_isec
= SOCK_INODE(other
)->i_security
;
3858 AVC_AUDIT_DATA_INIT(&ad
,NET
);
3859 ad
.u
.net
.sk
= other
->sk
;
3861 err
= avc_has_perm(isec
->sid
, other_isec
->sid
,
3863 UNIX_STREAM_SOCKET__CONNECTTO
, &ad
);
3867 /* connecting socket */
3868 ssec
= sock
->sk
->sk_security
;
3869 ssec
->peer_sid
= other_isec
->sid
;
3871 /* server child socket */
3872 ssec
= newsk
->sk_security
;
3873 ssec
->peer_sid
= isec
->sid
;
3874 err
= security_sid_mls_copy(other_isec
->sid
, ssec
->peer_sid
, &ssec
->sid
);
3879 static int selinux_socket_unix_may_send(struct socket
*sock
,
3880 struct socket
*other
)
3882 struct inode_security_struct
*isec
;
3883 struct inode_security_struct
*other_isec
;
3884 struct avc_audit_data ad
;
3887 isec
= SOCK_INODE(sock
)->i_security
;
3888 other_isec
= SOCK_INODE(other
)->i_security
;
3890 AVC_AUDIT_DATA_INIT(&ad
,NET
);
3891 ad
.u
.net
.sk
= other
->sk
;
3893 err
= avc_has_perm(isec
->sid
, other_isec
->sid
,
3894 isec
->sclass
, SOCKET__SENDTO
, &ad
);
3901 static int selinux_inet_sys_rcv_skb(int ifindex
, char *addrp
, u16 family
,
3903 struct avc_audit_data
*ad
)
3909 err
= sel_netif_sid(ifindex
, &if_sid
);
3912 err
= avc_has_perm(peer_sid
, if_sid
,
3913 SECCLASS_NETIF
, NETIF__INGRESS
, ad
);
3917 err
= sel_netnode_sid(addrp
, family
, &node_sid
);
3920 return avc_has_perm(peer_sid
, node_sid
,
3921 SECCLASS_NODE
, NODE__RECVFROM
, ad
);
3924 static int selinux_sock_rcv_skb_iptables_compat(struct sock
*sk
,
3925 struct sk_buff
*skb
,
3926 struct avc_audit_data
*ad
,
3931 struct sk_security_struct
*sksec
= sk
->sk_security
;
3933 u32 netif_perm
, node_perm
, recv_perm
;
3934 u32 port_sid
, node_sid
, if_sid
, sk_sid
;
3936 sk_sid
= sksec
->sid
;
3937 sk_class
= sksec
->sclass
;
3940 case SECCLASS_UDP_SOCKET
:
3941 netif_perm
= NETIF__UDP_RECV
;
3942 node_perm
= NODE__UDP_RECV
;
3943 recv_perm
= UDP_SOCKET__RECV_MSG
;
3945 case SECCLASS_TCP_SOCKET
:
3946 netif_perm
= NETIF__TCP_RECV
;
3947 node_perm
= NODE__TCP_RECV
;
3948 recv_perm
= TCP_SOCKET__RECV_MSG
;
3950 case SECCLASS_DCCP_SOCKET
:
3951 netif_perm
= NETIF__DCCP_RECV
;
3952 node_perm
= NODE__DCCP_RECV
;
3953 recv_perm
= DCCP_SOCKET__RECV_MSG
;
3956 netif_perm
= NETIF__RAWIP_RECV
;
3957 node_perm
= NODE__RAWIP_RECV
;
3962 err
= sel_netif_sid(skb
->iif
, &if_sid
);
3965 err
= avc_has_perm(sk_sid
, if_sid
, SECCLASS_NETIF
, netif_perm
, ad
);
3969 err
= sel_netnode_sid(addrp
, family
, &node_sid
);
3972 err
= avc_has_perm(sk_sid
, node_sid
, SECCLASS_NODE
, node_perm
, ad
);
3978 err
= security_port_sid(sk
->sk_family
, sk
->sk_type
,
3979 sk
->sk_protocol
, ntohs(ad
->u
.net
.sport
),
3981 if (unlikely(err
)) {
3983 "SELinux: failure in"
3984 " selinux_sock_rcv_skb_iptables_compat(),"
3985 " network port label not found\n");
3988 return avc_has_perm(sk_sid
, port_sid
, sk_class
, recv_perm
, ad
);
3991 static int selinux_sock_rcv_skb_compat(struct sock
*sk
, struct sk_buff
*skb
,
3992 struct avc_audit_data
*ad
,
3993 u16 family
, char *addrp
)
3996 struct sk_security_struct
*sksec
= sk
->sk_security
;
3998 u32 sk_sid
= sksec
->sid
;
4000 if (selinux_compat_net
)
4001 err
= selinux_sock_rcv_skb_iptables_compat(sk
, skb
, ad
,
4004 err
= avc_has_perm(sk_sid
, skb
->secmark
, SECCLASS_PACKET
,
4009 if (selinux_policycap_netpeer
) {
4010 err
= selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
);
4013 err
= avc_has_perm(sk_sid
, peer_sid
,
4014 SECCLASS_PEER
, PEER__RECV
, ad
);
4016 err
= selinux_netlbl_sock_rcv_skb(sksec
, skb
, family
, ad
);
4019 err
= selinux_xfrm_sock_rcv_skb(sksec
->sid
, skb
, ad
);
4025 static int selinux_socket_sock_rcv_skb(struct sock
*sk
, struct sk_buff
*skb
)
4028 struct sk_security_struct
*sksec
= sk
->sk_security
;
4029 u16 family
= sk
->sk_family
;
4030 u32 sk_sid
= sksec
->sid
;
4031 struct avc_audit_data ad
;
4034 if (family
!= PF_INET
&& family
!= PF_INET6
)
4037 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4038 if (family
== PF_INET6
&& skb
->protocol
== htons(ETH_P_IP
))
4041 AVC_AUDIT_DATA_INIT(&ad
, NET
);
4042 ad
.u
.net
.netif
= skb
->iif
;
4043 ad
.u
.net
.family
= family
;
4044 err
= selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
);
4048 /* If any sort of compatibility mode is enabled then handoff processing
4049 * to the selinux_sock_rcv_skb_compat() function to deal with the
4050 * special handling. We do this in an attempt to keep this function
4051 * as fast and as clean as possible. */
4052 if (selinux_compat_net
|| !selinux_policycap_netpeer
)
4053 return selinux_sock_rcv_skb_compat(sk
, skb
, &ad
,
4056 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4059 err
= selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
);
4062 err
= selinux_inet_sys_rcv_skb(skb
->iif
, addrp
, family
,
4066 err
= avc_has_perm(sk_sid
, peer_sid
, SECCLASS_PEER
,
4070 if (selinux_secmark_enabled()) {
4071 err
= avc_has_perm(sk_sid
, skb
->secmark
, SECCLASS_PACKET
,
4080 static int selinux_socket_getpeersec_stream(struct socket
*sock
, char __user
*optval
,
4081 int __user
*optlen
, unsigned len
)
4086 struct sk_security_struct
*ssec
;
4087 struct inode_security_struct
*isec
;
4088 u32 peer_sid
= SECSID_NULL
;
4090 isec
= SOCK_INODE(sock
)->i_security
;
4092 if (isec
->sclass
== SECCLASS_UNIX_STREAM_SOCKET
||
4093 isec
->sclass
== SECCLASS_TCP_SOCKET
) {
4094 ssec
= sock
->sk
->sk_security
;
4095 peer_sid
= ssec
->peer_sid
;
4097 if (peer_sid
== SECSID_NULL
) {
4102 err
= security_sid_to_context(peer_sid
, &scontext
, &scontext_len
);
4107 if (scontext_len
> len
) {
4112 if (copy_to_user(optval
, scontext
, scontext_len
))
4116 if (put_user(scontext_len
, optlen
))
4124 static int selinux_socket_getpeersec_dgram(struct socket
*sock
, struct sk_buff
*skb
, u32
*secid
)
4126 u32 peer_secid
= SECSID_NULL
;
4130 family
= sock
->sk
->sk_family
;
4131 else if (skb
&& skb
->sk
)
4132 family
= skb
->sk
->sk_family
;
4136 if (sock
&& family
== PF_UNIX
)
4137 selinux_get_inode_sid(SOCK_INODE(sock
), &peer_secid
);
4139 selinux_skb_peerlbl_sid(skb
, family
, &peer_secid
);
4142 *secid
= peer_secid
;
4143 if (peer_secid
== SECSID_NULL
)
4148 static int selinux_sk_alloc_security(struct sock
*sk
, int family
, gfp_t priority
)
4150 return sk_alloc_security(sk
, family
, priority
);
4153 static void selinux_sk_free_security(struct sock
*sk
)
4155 sk_free_security(sk
);
4158 static void selinux_sk_clone_security(const struct sock
*sk
, struct sock
*newsk
)
4160 struct sk_security_struct
*ssec
= sk
->sk_security
;
4161 struct sk_security_struct
*newssec
= newsk
->sk_security
;
4163 newssec
->sid
= ssec
->sid
;
4164 newssec
->peer_sid
= ssec
->peer_sid
;
4165 newssec
->sclass
= ssec
->sclass
;
4167 selinux_netlbl_sk_security_reset(newssec
, newsk
->sk_family
);
4170 static void selinux_sk_getsecid(struct sock
*sk
, u32
*secid
)
4173 *secid
= SECINITSID_ANY_SOCKET
;
4175 struct sk_security_struct
*sksec
= sk
->sk_security
;
4177 *secid
= sksec
->sid
;
4181 static void selinux_sock_graft(struct sock
* sk
, struct socket
*parent
)
4183 struct inode_security_struct
*isec
= SOCK_INODE(parent
)->i_security
;
4184 struct sk_security_struct
*sksec
= sk
->sk_security
;
4186 if (sk
->sk_family
== PF_INET
|| sk
->sk_family
== PF_INET6
||
4187 sk
->sk_family
== PF_UNIX
)
4188 isec
->sid
= sksec
->sid
;
4189 sksec
->sclass
= isec
->sclass
;
4191 selinux_netlbl_sock_graft(sk
, parent
);
4194 static int selinux_inet_conn_request(struct sock
*sk
, struct sk_buff
*skb
,
4195 struct request_sock
*req
)
4197 struct sk_security_struct
*sksec
= sk
->sk_security
;
4202 err
= selinux_skb_peerlbl_sid(skb
, sk
->sk_family
, &peersid
);
4205 if (peersid
== SECSID_NULL
) {
4206 req
->secid
= sksec
->sid
;
4207 req
->peer_secid
= SECSID_NULL
;
4211 err
= security_sid_mls_copy(sksec
->sid
, peersid
, &newsid
);
4215 req
->secid
= newsid
;
4216 req
->peer_secid
= peersid
;
4220 static void selinux_inet_csk_clone(struct sock
*newsk
,
4221 const struct request_sock
*req
)
4223 struct sk_security_struct
*newsksec
= newsk
->sk_security
;
4225 newsksec
->sid
= req
->secid
;
4226 newsksec
->peer_sid
= req
->peer_secid
;
4227 /* NOTE: Ideally, we should also get the isec->sid for the
4228 new socket in sync, but we don't have the isec available yet.
4229 So we will wait until sock_graft to do it, by which
4230 time it will have been created and available. */
4232 /* We don't need to take any sort of lock here as we are the only
4233 * thread with access to newsksec */
4234 selinux_netlbl_sk_security_reset(newsksec
, req
->rsk_ops
->family
);
4237 static void selinux_inet_conn_established(struct sock
*sk
,
4238 struct sk_buff
*skb
)
4240 struct sk_security_struct
*sksec
= sk
->sk_security
;
4242 selinux_skb_peerlbl_sid(skb
, sk
->sk_family
, &sksec
->peer_sid
);
4245 static void selinux_req_classify_flow(const struct request_sock
*req
,
4248 fl
->secid
= req
->secid
;
4251 static int selinux_nlmsg_perm(struct sock
*sk
, struct sk_buff
*skb
)
4255 struct nlmsghdr
*nlh
;
4256 struct socket
*sock
= sk
->sk_socket
;
4257 struct inode_security_struct
*isec
= SOCK_INODE(sock
)->i_security
;
4259 if (skb
->len
< NLMSG_SPACE(0)) {
4263 nlh
= nlmsg_hdr(skb
);
4265 err
= selinux_nlmsg_lookup(isec
->sclass
, nlh
->nlmsg_type
, &perm
);
4267 if (err
== -EINVAL
) {
4268 audit_log(current
->audit_context
, GFP_KERNEL
, AUDIT_SELINUX_ERR
,
4269 "SELinux: unrecognized netlink message"
4270 " type=%hu for sclass=%hu\n",
4271 nlh
->nlmsg_type
, isec
->sclass
);
4272 if (!selinux_enforcing
)
4282 err
= socket_has_perm(current
, sock
, perm
);
4287 #ifdef CONFIG_NETFILTER
4289 static unsigned int selinux_ip_forward(struct sk_buff
*skb
, int ifindex
,
4294 struct avc_audit_data ad
;
4298 if (!selinux_policycap_netpeer
)
4301 secmark_active
= selinux_secmark_enabled();
4302 peerlbl_active
= netlbl_enabled() || selinux_xfrm_enabled();
4303 if (!secmark_active
&& !peerlbl_active
)
4306 AVC_AUDIT_DATA_INIT(&ad
, NET
);
4307 ad
.u
.net
.netif
= ifindex
;
4308 ad
.u
.net
.family
= family
;
4309 if (selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
) != 0)
4312 if (selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
) != 0)
4316 if (selinux_inet_sys_rcv_skb(ifindex
, addrp
, family
,
4317 peer_sid
, &ad
) != 0)
4321 if (avc_has_perm(peer_sid
, skb
->secmark
,
4322 SECCLASS_PACKET
, PACKET__FORWARD_IN
, &ad
))
4328 static unsigned int selinux_ipv4_forward(unsigned int hooknum
,
4329 struct sk_buff
*skb
,
4330 const struct net_device
*in
,
4331 const struct net_device
*out
,
4332 int (*okfn
)(struct sk_buff
*))
4334 return selinux_ip_forward(skb
, in
->ifindex
, PF_INET
);
4337 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4338 static unsigned int selinux_ipv6_forward(unsigned int hooknum
,
4339 struct sk_buff
*skb
,
4340 const struct net_device
*in
,
4341 const struct net_device
*out
,
4342 int (*okfn
)(struct sk_buff
*))
4344 return selinux_ip_forward(skb
, in
->ifindex
, PF_INET6
);
4348 static int selinux_ip_postroute_iptables_compat(struct sock
*sk
,
4350 struct avc_audit_data
*ad
,
4351 u16 family
, char *addrp
)
4354 struct sk_security_struct
*sksec
= sk
->sk_security
;
4356 u32 netif_perm
, node_perm
, send_perm
;
4357 u32 port_sid
, node_sid
, if_sid
, sk_sid
;
4359 sk_sid
= sksec
->sid
;
4360 sk_class
= sksec
->sclass
;
4363 case SECCLASS_UDP_SOCKET
:
4364 netif_perm
= NETIF__UDP_SEND
;
4365 node_perm
= NODE__UDP_SEND
;
4366 send_perm
= UDP_SOCKET__SEND_MSG
;
4368 case SECCLASS_TCP_SOCKET
:
4369 netif_perm
= NETIF__TCP_SEND
;
4370 node_perm
= NODE__TCP_SEND
;
4371 send_perm
= TCP_SOCKET__SEND_MSG
;
4373 case SECCLASS_DCCP_SOCKET
:
4374 netif_perm
= NETIF__DCCP_SEND
;
4375 node_perm
= NODE__DCCP_SEND
;
4376 send_perm
= DCCP_SOCKET__SEND_MSG
;
4379 netif_perm
= NETIF__RAWIP_SEND
;
4380 node_perm
= NODE__RAWIP_SEND
;
4385 err
= sel_netif_sid(ifindex
, &if_sid
);
4388 err
= avc_has_perm(sk_sid
, if_sid
, SECCLASS_NETIF
, netif_perm
, ad
);
4391 err
= sel_netnode_sid(addrp
, family
, &node_sid
);
4394 err
= avc_has_perm(sk_sid
, node_sid
, SECCLASS_NODE
, node_perm
, ad
);
4401 err
= security_port_sid(sk
->sk_family
, sk
->sk_type
,
4402 sk
->sk_protocol
, ntohs(ad
->u
.net
.dport
),
4404 if (unlikely(err
)) {
4406 "SELinux: failure in"
4407 " selinux_ip_postroute_iptables_compat(),"
4408 " network port label not found\n");
4411 return avc_has_perm(sk_sid
, port_sid
, sk_class
, send_perm
, ad
);
4414 static unsigned int selinux_ip_postroute_compat(struct sk_buff
*skb
,
4416 struct avc_audit_data
*ad
,
4421 struct sock
*sk
= skb
->sk
;
4422 struct sk_security_struct
*sksec
;
4426 sksec
= sk
->sk_security
;
4428 if (selinux_compat_net
) {
4429 if (selinux_ip_postroute_iptables_compat(skb
->sk
, ifindex
,
4433 if (avc_has_perm(sksec
->sid
, skb
->secmark
,
4434 SECCLASS_PACKET
, PACKET__SEND
, ad
))
4438 if (selinux_policycap_netpeer
)
4439 if (selinux_xfrm_postroute_last(sksec
->sid
, skb
, ad
, proto
))
4445 static unsigned int selinux_ip_postroute(struct sk_buff
*skb
, int ifindex
,
4451 struct avc_audit_data ad
;
4457 AVC_AUDIT_DATA_INIT(&ad
, NET
);
4458 ad
.u
.net
.netif
= ifindex
;
4459 ad
.u
.net
.family
= family
;
4460 if (selinux_parse_skb(skb
, &ad
, &addrp
, 0, &proto
))
4463 /* If any sort of compatibility mode is enabled then handoff processing
4464 * to the selinux_ip_postroute_compat() function to deal with the
4465 * special handling. We do this in an attempt to keep this function
4466 * as fast and as clean as possible. */
4467 if (selinux_compat_net
|| !selinux_policycap_netpeer
)
4468 return selinux_ip_postroute_compat(skb
, ifindex
, &ad
,
4469 family
, addrp
, proto
);
4471 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4472 * packet transformation so allow the packet to pass without any checks
4473 * since we'll have another chance to perform access control checks
4474 * when the packet is on it's final way out.
4475 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4476 * is NULL, in this case go ahead and apply access control. */
4477 if (skb
->dst
!= NULL
&& skb
->dst
->xfrm
!= NULL
)
4480 secmark_active
= selinux_secmark_enabled();
4481 peerlbl_active
= netlbl_enabled() || selinux_xfrm_enabled();
4482 if (!secmark_active
&& !peerlbl_active
)
4485 /* if the packet is locally generated (skb->sk != NULL) then use the
4486 * socket's label as the peer label, otherwise the packet is being
4487 * forwarded through this system and we need to fetch the peer label
4488 * directly from the packet */
4491 struct sk_security_struct
*sksec
= sk
->sk_security
;
4492 peer_sid
= sksec
->sid
;
4493 secmark_perm
= PACKET__SEND
;
4495 if (selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
))
4497 secmark_perm
= PACKET__FORWARD_OUT
;
4501 if (avc_has_perm(peer_sid
, skb
->secmark
,
4502 SECCLASS_PACKET
, secmark_perm
, &ad
))
4505 if (peerlbl_active
) {
4509 if (sel_netif_sid(ifindex
, &if_sid
))
4511 if (avc_has_perm(peer_sid
, if_sid
,
4512 SECCLASS_NETIF
, NETIF__EGRESS
, &ad
))
4515 if (sel_netnode_sid(addrp
, family
, &node_sid
))
4517 if (avc_has_perm(peer_sid
, node_sid
,
4518 SECCLASS_NODE
, NODE__SENDTO
, &ad
))
4525 static unsigned int selinux_ipv4_postroute(unsigned int hooknum
,
4526 struct sk_buff
*skb
,
4527 const struct net_device
*in
,
4528 const struct net_device
*out
,
4529 int (*okfn
)(struct sk_buff
*))
4531 return selinux_ip_postroute(skb
, out
->ifindex
, PF_INET
);
4534 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4535 static unsigned int selinux_ipv6_postroute(unsigned int hooknum
,
4536 struct sk_buff
*skb
,
4537 const struct net_device
*in
,
4538 const struct net_device
*out
,
4539 int (*okfn
)(struct sk_buff
*))
4541 return selinux_ip_postroute(skb
, out
->ifindex
, PF_INET6
);
4545 #endif /* CONFIG_NETFILTER */
4547 static int selinux_netlink_send(struct sock
*sk
, struct sk_buff
*skb
)
4551 err
= secondary_ops
->netlink_send(sk
, skb
);
4555 if (policydb_loaded_version
>= POLICYDB_VERSION_NLCLASS
)
4556 err
= selinux_nlmsg_perm(sk
, skb
);
4561 static int selinux_netlink_recv(struct sk_buff
*skb
, int capability
)
4564 struct avc_audit_data ad
;
4566 err
= secondary_ops
->netlink_recv(skb
, capability
);
4570 AVC_AUDIT_DATA_INIT(&ad
, CAP
);
4571 ad
.u
.cap
= capability
;
4573 return avc_has_perm(NETLINK_CB(skb
).sid
, NETLINK_CB(skb
).sid
,
4574 SECCLASS_CAPABILITY
, CAP_TO_MASK(capability
), &ad
);
4577 static int ipc_alloc_security(struct task_struct
*task
,
4578 struct kern_ipc_perm
*perm
,
4581 struct task_security_struct
*tsec
= task
->security
;
4582 struct ipc_security_struct
*isec
;
4584 isec
= kzalloc(sizeof(struct ipc_security_struct
), GFP_KERNEL
);
4588 isec
->sclass
= sclass
;
4589 isec
->sid
= tsec
->sid
;
4590 perm
->security
= isec
;
4595 static void ipc_free_security(struct kern_ipc_perm
*perm
)
4597 struct ipc_security_struct
*isec
= perm
->security
;
4598 perm
->security
= NULL
;
4602 static int msg_msg_alloc_security(struct msg_msg
*msg
)
4604 struct msg_security_struct
*msec
;
4606 msec
= kzalloc(sizeof(struct msg_security_struct
), GFP_KERNEL
);
4610 msec
->sid
= SECINITSID_UNLABELED
;
4611 msg
->security
= msec
;
4616 static void msg_msg_free_security(struct msg_msg
*msg
)
4618 struct msg_security_struct
*msec
= msg
->security
;
4620 msg
->security
= NULL
;
4624 static int ipc_has_perm(struct kern_ipc_perm
*ipc_perms
,
4627 struct task_security_struct
*tsec
;
4628 struct ipc_security_struct
*isec
;
4629 struct avc_audit_data ad
;
4631 tsec
= current
->security
;
4632 isec
= ipc_perms
->security
;
4634 AVC_AUDIT_DATA_INIT(&ad
, IPC
);
4635 ad
.u
.ipc_id
= ipc_perms
->key
;
4637 return avc_has_perm(tsec
->sid
, isec
->sid
, isec
->sclass
, perms
, &ad
);
4640 static int selinux_msg_msg_alloc_security(struct msg_msg
*msg
)
4642 return msg_msg_alloc_security(msg
);
4645 static void selinux_msg_msg_free_security(struct msg_msg
*msg
)
4647 msg_msg_free_security(msg
);
4650 /* message queue security operations */
4651 static int selinux_msg_queue_alloc_security(struct msg_queue
*msq
)
4653 struct task_security_struct
*tsec
;
4654 struct ipc_security_struct
*isec
;
4655 struct avc_audit_data ad
;
4658 rc
= ipc_alloc_security(current
, &msq
->q_perm
, SECCLASS_MSGQ
);
4662 tsec
= current
->security
;
4663 isec
= msq
->q_perm
.security
;
4665 AVC_AUDIT_DATA_INIT(&ad
, IPC
);
4666 ad
.u
.ipc_id
= msq
->q_perm
.key
;
4668 rc
= avc_has_perm(tsec
->sid
, isec
->sid
, SECCLASS_MSGQ
,
4671 ipc_free_security(&msq
->q_perm
);
4677 static void selinux_msg_queue_free_security(struct msg_queue
*msq
)
4679 ipc_free_security(&msq
->q_perm
);
4682 static int selinux_msg_queue_associate(struct msg_queue
*msq
, int msqflg
)
4684 struct task_security_struct
*tsec
;
4685 struct ipc_security_struct
*isec
;
4686 struct avc_audit_data ad
;
4688 tsec
= current
->security
;
4689 isec
= msq
->q_perm
.security
;
4691 AVC_AUDIT_DATA_INIT(&ad
, IPC
);
4692 ad
.u
.ipc_id
= msq
->q_perm
.key
;
4694 return avc_has_perm(tsec
->sid
, isec
->sid
, SECCLASS_MSGQ
,
4695 MSGQ__ASSOCIATE
, &ad
);
4698 static int selinux_msg_queue_msgctl(struct msg_queue
*msq
, int cmd
)
4706 /* No specific object, just general system-wide information. */
4707 return task_has_system(current
, SYSTEM__IPC_INFO
);
4710 perms
= MSGQ__GETATTR
| MSGQ__ASSOCIATE
;
4713 perms
= MSGQ__SETATTR
;
4716 perms
= MSGQ__DESTROY
;
4722 err
= ipc_has_perm(&msq
->q_perm
, perms
);
4726 static int selinux_msg_queue_msgsnd(struct msg_queue
*msq
, struct msg_msg
*msg
, int msqflg
)
4728 struct task_security_struct
*tsec
;
4729 struct ipc_security_struct
*isec
;
4730 struct msg_security_struct
*msec
;
4731 struct avc_audit_data ad
;
4734 tsec
= current
->security
;
4735 isec
= msq
->q_perm
.security
;
4736 msec
= msg
->security
;
4739 * First time through, need to assign label to the message
4741 if (msec
->sid
== SECINITSID_UNLABELED
) {
4743 * Compute new sid based on current process and
4744 * message queue this message will be stored in
4746 rc
= security_transition_sid(tsec
->sid
,
4754 AVC_AUDIT_DATA_INIT(&ad
, IPC
);
4755 ad
.u
.ipc_id
= msq
->q_perm
.key
;
4757 /* Can this process write to the queue? */
4758 rc
= avc_has_perm(tsec
->sid
, isec
->sid
, SECCLASS_MSGQ
,
4761 /* Can this process send the message */
4762 rc
= avc_has_perm(tsec
->sid
, msec
->sid
,
4763 SECCLASS_MSG
, MSG__SEND
, &ad
);
4765 /* Can the message be put in the queue? */
4766 rc
= avc_has_perm(msec
->sid
, isec
->sid
,
4767 SECCLASS_MSGQ
, MSGQ__ENQUEUE
, &ad
);
4772 static int selinux_msg_queue_msgrcv(struct msg_queue
*msq
, struct msg_msg
*msg
,
4773 struct task_struct
*target
,
4774 long type
, int mode
)
4776 struct task_security_struct
*tsec
;
4777 struct ipc_security_struct
*isec
;
4778 struct msg_security_struct
*msec
;
4779 struct avc_audit_data ad
;
4782 tsec
= target
->security
;
4783 isec
= msq
->q_perm
.security
;
4784 msec
= msg
->security
;
4786 AVC_AUDIT_DATA_INIT(&ad
, IPC
);
4787 ad
.u
.ipc_id
= msq
->q_perm
.key
;
4789 rc
= avc_has_perm(tsec
->sid
, isec
->sid
,
4790 SECCLASS_MSGQ
, MSGQ__READ
, &ad
);
4792 rc
= avc_has_perm(tsec
->sid
, msec
->sid
,
4793 SECCLASS_MSG
, MSG__RECEIVE
, &ad
);
4797 /* Shared Memory security operations */
4798 static int selinux_shm_alloc_security(struct shmid_kernel
*shp
)
4800 struct task_security_struct
*tsec
;
4801 struct ipc_security_struct
*isec
;
4802 struct avc_audit_data ad
;
4805 rc
= ipc_alloc_security(current
, &shp
->shm_perm
, SECCLASS_SHM
);
4809 tsec
= current
->security
;
4810 isec
= shp
->shm_perm
.security
;
4812 AVC_AUDIT_DATA_INIT(&ad
, IPC
);
4813 ad
.u
.ipc_id
= shp
->shm_perm
.key
;
4815 rc
= avc_has_perm(tsec
->sid
, isec
->sid
, SECCLASS_SHM
,
4818 ipc_free_security(&shp
->shm_perm
);
4824 static void selinux_shm_free_security(struct shmid_kernel
*shp
)
4826 ipc_free_security(&shp
->shm_perm
);
4829 static int selinux_shm_associate(struct shmid_kernel
*shp
, int shmflg
)
4831 struct task_security_struct
*tsec
;
4832 struct ipc_security_struct
*isec
;
4833 struct avc_audit_data ad
;
4835 tsec
= current
->security
;
4836 isec
= shp
->shm_perm
.security
;
4838 AVC_AUDIT_DATA_INIT(&ad
, IPC
);
4839 ad
.u
.ipc_id
= shp
->shm_perm
.key
;
4841 return avc_has_perm(tsec
->sid
, isec
->sid
, SECCLASS_SHM
,
4842 SHM__ASSOCIATE
, &ad
);
4845 /* Note, at this point, shp is locked down */
4846 static int selinux_shm_shmctl(struct shmid_kernel
*shp
, int cmd
)
4854 /* No specific object, just general system-wide information. */
4855 return task_has_system(current
, SYSTEM__IPC_INFO
);
4858 perms
= SHM__GETATTR
| SHM__ASSOCIATE
;
4861 perms
= SHM__SETATTR
;
4868 perms
= SHM__DESTROY
;
4874 err
= ipc_has_perm(&shp
->shm_perm
, perms
);
4878 static int selinux_shm_shmat(struct shmid_kernel
*shp
,
4879 char __user
*shmaddr
, int shmflg
)
4884 rc
= secondary_ops
->shm_shmat(shp
, shmaddr
, shmflg
);
4888 if (shmflg
& SHM_RDONLY
)
4891 perms
= SHM__READ
| SHM__WRITE
;
4893 return ipc_has_perm(&shp
->shm_perm
, perms
);
4896 /* Semaphore security operations */
4897 static int selinux_sem_alloc_security(struct sem_array
*sma
)
4899 struct task_security_struct
*tsec
;
4900 struct ipc_security_struct
*isec
;
4901 struct avc_audit_data ad
;
4904 rc
= ipc_alloc_security(current
, &sma
->sem_perm
, SECCLASS_SEM
);
4908 tsec
= current
->security
;
4909 isec
= sma
->sem_perm
.security
;
4911 AVC_AUDIT_DATA_INIT(&ad
, IPC
);
4912 ad
.u
.ipc_id
= sma
->sem_perm
.key
;
4914 rc
= avc_has_perm(tsec
->sid
, isec
->sid
, SECCLASS_SEM
,
4917 ipc_free_security(&sma
->sem_perm
);
4923 static void selinux_sem_free_security(struct sem_array
*sma
)
4925 ipc_free_security(&sma
->sem_perm
);
4928 static int selinux_sem_associate(struct sem_array
*sma
, int semflg
)
4930 struct task_security_struct
*tsec
;
4931 struct ipc_security_struct
*isec
;
4932 struct avc_audit_data ad
;
4934 tsec
= current
->security
;
4935 isec
= sma
->sem_perm
.security
;
4937 AVC_AUDIT_DATA_INIT(&ad
, IPC
);
4938 ad
.u
.ipc_id
= sma
->sem_perm
.key
;
4940 return avc_has_perm(tsec
->sid
, isec
->sid
, SECCLASS_SEM
,
4941 SEM__ASSOCIATE
, &ad
);
4944 /* Note, at this point, sma is locked down */
4945 static int selinux_sem_semctl(struct sem_array
*sma
, int cmd
)
4953 /* No specific object, just general system-wide information. */
4954 return task_has_system(current
, SYSTEM__IPC_INFO
);
4958 perms
= SEM__GETATTR
;
4969 perms
= SEM__DESTROY
;
4972 perms
= SEM__SETATTR
;
4976 perms
= SEM__GETATTR
| SEM__ASSOCIATE
;
4982 err
= ipc_has_perm(&sma
->sem_perm
, perms
);
4986 static int selinux_sem_semop(struct sem_array
*sma
,
4987 struct sembuf
*sops
, unsigned nsops
, int alter
)
4992 perms
= SEM__READ
| SEM__WRITE
;
4996 return ipc_has_perm(&sma
->sem_perm
, perms
);
4999 static int selinux_ipc_permission(struct kern_ipc_perm
*ipcp
, short flag
)
5005 av
|= IPC__UNIX_READ
;
5007 av
|= IPC__UNIX_WRITE
;
5012 return ipc_has_perm(ipcp
, av
);
5015 /* module stacking operations */
5016 static int selinux_register_security (const char *name
, struct security_operations
*ops
)
5018 if (secondary_ops
!= original_ops
) {
5019 printk(KERN_ERR
"%s: There is already a secondary security "
5020 "module registered.\n", __func__
);
5024 secondary_ops
= ops
;
5026 printk(KERN_INFO
"%s: Registering secondary module %s\n",
5033 static void selinux_d_instantiate (struct dentry
*dentry
, struct inode
*inode
)
5036 inode_doinit_with_dentry(inode
, dentry
);
5039 static int selinux_getprocattr(struct task_struct
*p
,
5040 char *name
, char **value
)
5042 struct task_security_struct
*tsec
;
5048 error
= task_has_perm(current
, p
, PROCESS__GETATTR
);
5055 if (!strcmp(name
, "current"))
5057 else if (!strcmp(name
, "prev"))
5059 else if (!strcmp(name
, "exec"))
5060 sid
= tsec
->exec_sid
;
5061 else if (!strcmp(name
, "fscreate"))
5062 sid
= tsec
->create_sid
;
5063 else if (!strcmp(name
, "keycreate"))
5064 sid
= tsec
->keycreate_sid
;
5065 else if (!strcmp(name
, "sockcreate"))
5066 sid
= tsec
->sockcreate_sid
;
5073 error
= security_sid_to_context(sid
, value
, &len
);
5079 static int selinux_setprocattr(struct task_struct
*p
,
5080 char *name
, void *value
, size_t size
)
5082 struct task_security_struct
*tsec
;
5088 /* SELinux only allows a process to change its own
5089 security attributes. */
5094 * Basic control over ability to set these attributes at all.
5095 * current == p, but we'll pass them separately in case the
5096 * above restriction is ever removed.
5098 if (!strcmp(name
, "exec"))
5099 error
= task_has_perm(current
, p
, PROCESS__SETEXEC
);
5100 else if (!strcmp(name
, "fscreate"))
5101 error
= task_has_perm(current
, p
, PROCESS__SETFSCREATE
);
5102 else if (!strcmp(name
, "keycreate"))
5103 error
= task_has_perm(current
, p
, PROCESS__SETKEYCREATE
);
5104 else if (!strcmp(name
, "sockcreate"))
5105 error
= task_has_perm(current
, p
, PROCESS__SETSOCKCREATE
);
5106 else if (!strcmp(name
, "current"))
5107 error
= task_has_perm(current
, p
, PROCESS__SETCURRENT
);
5113 /* Obtain a SID for the context, if one was specified. */
5114 if (size
&& str
[1] && str
[1] != '\n') {
5115 if (str
[size
-1] == '\n') {
5119 error
= security_context_to_sid(value
, size
, &sid
);
5124 /* Permission checking based on the specified context is
5125 performed during the actual operation (execve,
5126 open/mkdir/...), when we know the full context of the
5127 operation. See selinux_bprm_set_security for the execve
5128 checks and may_create for the file creation checks. The
5129 operation will then fail if the context is not permitted. */
5131 if (!strcmp(name
, "exec"))
5132 tsec
->exec_sid
= sid
;
5133 else if (!strcmp(name
, "fscreate"))
5134 tsec
->create_sid
= sid
;
5135 else if (!strcmp(name
, "keycreate")) {
5136 error
= may_create_key(sid
, p
);
5139 tsec
->keycreate_sid
= sid
;
5140 } else if (!strcmp(name
, "sockcreate"))
5141 tsec
->sockcreate_sid
= sid
;
5142 else if (!strcmp(name
, "current")) {
5143 struct av_decision avd
;
5148 /* Only allow single threaded processes to change context */
5149 if (atomic_read(&p
->mm
->mm_users
) != 1) {
5150 struct task_struct
*g
, *t
;
5151 struct mm_struct
*mm
= p
->mm
;
5152 read_lock(&tasklist_lock
);
5153 do_each_thread(g
, t
)
5154 if (t
->mm
== mm
&& t
!= p
) {
5155 read_unlock(&tasklist_lock
);
5158 while_each_thread(g
, t
);
5159 read_unlock(&tasklist_lock
);
5162 /* Check permissions for the transition. */
5163 error
= avc_has_perm(tsec
->sid
, sid
, SECCLASS_PROCESS
,
5164 PROCESS__DYNTRANSITION
, NULL
);
5168 /* Check for ptracing, and update the task SID if ok.
5169 Otherwise, leave SID unchanged and fail. */
5171 if (p
->ptrace
& PT_PTRACED
) {
5172 error
= avc_has_perm_noaudit(tsec
->ptrace_sid
, sid
,
5174 PROCESS__PTRACE
, 0, &avd
);
5178 avc_audit(tsec
->ptrace_sid
, sid
, SECCLASS_PROCESS
,
5179 PROCESS__PTRACE
, &avd
, error
, NULL
);
5193 static int selinux_secid_to_secctx(u32 secid
, char **secdata
, u32
*seclen
)
5195 return security_sid_to_context(secid
, secdata
, seclen
);
5198 static int selinux_secctx_to_secid(char *secdata
, u32 seclen
, u32
*secid
)
5200 return security_context_to_sid(secdata
, seclen
, secid
);
5203 static void selinux_release_secctx(char *secdata
, u32 seclen
)
5210 static int selinux_key_alloc(struct key
*k
, struct task_struct
*tsk
,
5211 unsigned long flags
)
5213 struct task_security_struct
*tsec
= tsk
->security
;
5214 struct key_security_struct
*ksec
;
5216 ksec
= kzalloc(sizeof(struct key_security_struct
), GFP_KERNEL
);
5220 if (tsec
->keycreate_sid
)
5221 ksec
->sid
= tsec
->keycreate_sid
;
5223 ksec
->sid
= tsec
->sid
;
5229 static void selinux_key_free(struct key
*k
)
5231 struct key_security_struct
*ksec
= k
->security
;
5237 static int selinux_key_permission(key_ref_t key_ref
,
5238 struct task_struct
*ctx
,
5242 struct task_security_struct
*tsec
;
5243 struct key_security_struct
*ksec
;
5245 key
= key_ref_to_ptr(key_ref
);
5247 tsec
= ctx
->security
;
5248 ksec
= key
->security
;
5250 /* if no specific permissions are requested, we skip the
5251 permission check. No serious, additional covert channels
5252 appear to be created. */
5256 return avc_has_perm(tsec
->sid
, ksec
->sid
,
5257 SECCLASS_KEY
, perm
, NULL
);
5262 static struct security_operations selinux_ops
= {
5263 .ptrace
= selinux_ptrace
,
5264 .capget
= selinux_capget
,
5265 .capset_check
= selinux_capset_check
,
5266 .capset_set
= selinux_capset_set
,
5267 .sysctl
= selinux_sysctl
,
5268 .capable
= selinux_capable
,
5269 .quotactl
= selinux_quotactl
,
5270 .quota_on
= selinux_quota_on
,
5271 .syslog
= selinux_syslog
,
5272 .vm_enough_memory
= selinux_vm_enough_memory
,
5274 .netlink_send
= selinux_netlink_send
,
5275 .netlink_recv
= selinux_netlink_recv
,
5277 .bprm_alloc_security
= selinux_bprm_alloc_security
,
5278 .bprm_free_security
= selinux_bprm_free_security
,
5279 .bprm_apply_creds
= selinux_bprm_apply_creds
,
5280 .bprm_post_apply_creds
= selinux_bprm_post_apply_creds
,
5281 .bprm_set_security
= selinux_bprm_set_security
,
5282 .bprm_check_security
= selinux_bprm_check_security
,
5283 .bprm_secureexec
= selinux_bprm_secureexec
,
5285 .sb_alloc_security
= selinux_sb_alloc_security
,
5286 .sb_free_security
= selinux_sb_free_security
,
5287 .sb_copy_data
= selinux_sb_copy_data
,
5288 .sb_kern_mount
= selinux_sb_kern_mount
,
5289 .sb_statfs
= selinux_sb_statfs
,
5290 .sb_mount
= selinux_mount
,
5291 .sb_umount
= selinux_umount
,
5292 .sb_get_mnt_opts
= selinux_get_mnt_opts
,
5293 .sb_set_mnt_opts
= selinux_set_mnt_opts
,
5294 .sb_clone_mnt_opts
= selinux_sb_clone_mnt_opts
,
5295 .sb_parse_opts_str
= selinux_parse_opts_str
,
5298 .inode_alloc_security
= selinux_inode_alloc_security
,
5299 .inode_free_security
= selinux_inode_free_security
,
5300 .inode_init_security
= selinux_inode_init_security
,
5301 .inode_create
= selinux_inode_create
,
5302 .inode_link
= selinux_inode_link
,
5303 .inode_unlink
= selinux_inode_unlink
,
5304 .inode_symlink
= selinux_inode_symlink
,
5305 .inode_mkdir
= selinux_inode_mkdir
,
5306 .inode_rmdir
= selinux_inode_rmdir
,
5307 .inode_mknod
= selinux_inode_mknod
,
5308 .inode_rename
= selinux_inode_rename
,
5309 .inode_readlink
= selinux_inode_readlink
,
5310 .inode_follow_link
= selinux_inode_follow_link
,
5311 .inode_permission
= selinux_inode_permission
,
5312 .inode_setattr
= selinux_inode_setattr
,
5313 .inode_getattr
= selinux_inode_getattr
,
5314 .inode_setxattr
= selinux_inode_setxattr
,
5315 .inode_post_setxattr
= selinux_inode_post_setxattr
,
5316 .inode_getxattr
= selinux_inode_getxattr
,
5317 .inode_listxattr
= selinux_inode_listxattr
,
5318 .inode_removexattr
= selinux_inode_removexattr
,
5319 .inode_getsecurity
= selinux_inode_getsecurity
,
5320 .inode_setsecurity
= selinux_inode_setsecurity
,
5321 .inode_listsecurity
= selinux_inode_listsecurity
,
5322 .inode_need_killpriv
= selinux_inode_need_killpriv
,
5323 .inode_killpriv
= selinux_inode_killpriv
,
5325 .file_permission
= selinux_file_permission
,
5326 .file_alloc_security
= selinux_file_alloc_security
,
5327 .file_free_security
= selinux_file_free_security
,
5328 .file_ioctl
= selinux_file_ioctl
,
5329 .file_mmap
= selinux_file_mmap
,
5330 .file_mprotect
= selinux_file_mprotect
,
5331 .file_lock
= selinux_file_lock
,
5332 .file_fcntl
= selinux_file_fcntl
,
5333 .file_set_fowner
= selinux_file_set_fowner
,
5334 .file_send_sigiotask
= selinux_file_send_sigiotask
,
5335 .file_receive
= selinux_file_receive
,
5337 .dentry_open
= selinux_dentry_open
,
5339 .task_create
= selinux_task_create
,
5340 .task_alloc_security
= selinux_task_alloc_security
,
5341 .task_free_security
= selinux_task_free_security
,
5342 .task_setuid
= selinux_task_setuid
,
5343 .task_post_setuid
= selinux_task_post_setuid
,
5344 .task_setgid
= selinux_task_setgid
,
5345 .task_setpgid
= selinux_task_setpgid
,
5346 .task_getpgid
= selinux_task_getpgid
,
5347 .task_getsid
= selinux_task_getsid
,
5348 .task_getsecid
= selinux_task_getsecid
,
5349 .task_setgroups
= selinux_task_setgroups
,
5350 .task_setnice
= selinux_task_setnice
,
5351 .task_setioprio
= selinux_task_setioprio
,
5352 .task_getioprio
= selinux_task_getioprio
,
5353 .task_setrlimit
= selinux_task_setrlimit
,
5354 .task_setscheduler
= selinux_task_setscheduler
,
5355 .task_getscheduler
= selinux_task_getscheduler
,
5356 .task_movememory
= selinux_task_movememory
,
5357 .task_kill
= selinux_task_kill
,
5358 .task_wait
= selinux_task_wait
,
5359 .task_prctl
= selinux_task_prctl
,
5360 .task_reparent_to_init
= selinux_task_reparent_to_init
,
5361 .task_to_inode
= selinux_task_to_inode
,
5363 .ipc_permission
= selinux_ipc_permission
,
5365 .msg_msg_alloc_security
= selinux_msg_msg_alloc_security
,
5366 .msg_msg_free_security
= selinux_msg_msg_free_security
,
5368 .msg_queue_alloc_security
= selinux_msg_queue_alloc_security
,
5369 .msg_queue_free_security
= selinux_msg_queue_free_security
,
5370 .msg_queue_associate
= selinux_msg_queue_associate
,
5371 .msg_queue_msgctl
= selinux_msg_queue_msgctl
,
5372 .msg_queue_msgsnd
= selinux_msg_queue_msgsnd
,
5373 .msg_queue_msgrcv
= selinux_msg_queue_msgrcv
,
5375 .shm_alloc_security
= selinux_shm_alloc_security
,
5376 .shm_free_security
= selinux_shm_free_security
,
5377 .shm_associate
= selinux_shm_associate
,
5378 .shm_shmctl
= selinux_shm_shmctl
,
5379 .shm_shmat
= selinux_shm_shmat
,
5381 .sem_alloc_security
= selinux_sem_alloc_security
,
5382 .sem_free_security
= selinux_sem_free_security
,
5383 .sem_associate
= selinux_sem_associate
,
5384 .sem_semctl
= selinux_sem_semctl
,
5385 .sem_semop
= selinux_sem_semop
,
5387 .register_security
= selinux_register_security
,
5389 .d_instantiate
= selinux_d_instantiate
,
5391 .getprocattr
= selinux_getprocattr
,
5392 .setprocattr
= selinux_setprocattr
,
5394 .secid_to_secctx
= selinux_secid_to_secctx
,
5395 .secctx_to_secid
= selinux_secctx_to_secid
,
5396 .release_secctx
= selinux_release_secctx
,
5398 .unix_stream_connect
= selinux_socket_unix_stream_connect
,
5399 .unix_may_send
= selinux_socket_unix_may_send
,
5401 .socket_create
= selinux_socket_create
,
5402 .socket_post_create
= selinux_socket_post_create
,
5403 .socket_bind
= selinux_socket_bind
,
5404 .socket_connect
= selinux_socket_connect
,
5405 .socket_listen
= selinux_socket_listen
,
5406 .socket_accept
= selinux_socket_accept
,
5407 .socket_sendmsg
= selinux_socket_sendmsg
,
5408 .socket_recvmsg
= selinux_socket_recvmsg
,
5409 .socket_getsockname
= selinux_socket_getsockname
,
5410 .socket_getpeername
= selinux_socket_getpeername
,
5411 .socket_getsockopt
= selinux_socket_getsockopt
,
5412 .socket_setsockopt
= selinux_socket_setsockopt
,
5413 .socket_shutdown
= selinux_socket_shutdown
,
5414 .socket_sock_rcv_skb
= selinux_socket_sock_rcv_skb
,
5415 .socket_getpeersec_stream
= selinux_socket_getpeersec_stream
,
5416 .socket_getpeersec_dgram
= selinux_socket_getpeersec_dgram
,
5417 .sk_alloc_security
= selinux_sk_alloc_security
,
5418 .sk_free_security
= selinux_sk_free_security
,
5419 .sk_clone_security
= selinux_sk_clone_security
,
5420 .sk_getsecid
= selinux_sk_getsecid
,
5421 .sock_graft
= selinux_sock_graft
,
5422 .inet_conn_request
= selinux_inet_conn_request
,
5423 .inet_csk_clone
= selinux_inet_csk_clone
,
5424 .inet_conn_established
= selinux_inet_conn_established
,
5425 .req_classify_flow
= selinux_req_classify_flow
,
5427 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5428 .xfrm_policy_alloc_security
= selinux_xfrm_policy_alloc
,
5429 .xfrm_policy_clone_security
= selinux_xfrm_policy_clone
,
5430 .xfrm_policy_free_security
= selinux_xfrm_policy_free
,
5431 .xfrm_policy_delete_security
= selinux_xfrm_policy_delete
,
5432 .xfrm_state_alloc_security
= selinux_xfrm_state_alloc
,
5433 .xfrm_state_free_security
= selinux_xfrm_state_free
,
5434 .xfrm_state_delete_security
= selinux_xfrm_state_delete
,
5435 .xfrm_policy_lookup
= selinux_xfrm_policy_lookup
,
5436 .xfrm_state_pol_flow_match
= selinux_xfrm_state_pol_flow_match
,
5437 .xfrm_decode_session
= selinux_xfrm_decode_session
,
5441 .key_alloc
= selinux_key_alloc
,
5442 .key_free
= selinux_key_free
,
5443 .key_permission
= selinux_key_permission
,
5447 static __init
int selinux_init(void)
5449 struct task_security_struct
*tsec
;
5451 if (!selinux_enabled
) {
5452 printk(KERN_INFO
"SELinux: Disabled at boot.\n");
5456 printk(KERN_INFO
"SELinux: Initializing.\n");
5458 /* Set the security state for the initial task. */
5459 if (task_alloc_security(current
))
5460 panic("SELinux: Failed to initialize initial task.\n");
5461 tsec
= current
->security
;
5462 tsec
->osid
= tsec
->sid
= SECINITSID_KERNEL
;
5464 sel_inode_cache
= kmem_cache_create("selinux_inode_security",
5465 sizeof(struct inode_security_struct
),
5466 0, SLAB_PANIC
, NULL
);
5469 original_ops
= secondary_ops
= security_ops
;
5471 panic ("SELinux: No initial security operations\n");
5472 if (register_security (&selinux_ops
))
5473 panic("SELinux: Unable to register with kernel.\n");
5475 if (selinux_enforcing
) {
5476 printk(KERN_DEBUG
"SELinux: Starting in enforcing mode\n");
5478 printk(KERN_DEBUG
"SELinux: Starting in permissive mode\n");
5482 /* Add security information to initial keyrings */
5483 selinux_key_alloc(&root_user_keyring
, current
,
5484 KEY_ALLOC_NOT_IN_QUOTA
);
5485 selinux_key_alloc(&root_session_keyring
, current
,
5486 KEY_ALLOC_NOT_IN_QUOTA
);
5492 void selinux_complete_init(void)
5494 printk(KERN_DEBUG
"SELinux: Completing initialization.\n");
5496 /* Set up any superblocks initialized prior to the policy load. */
5497 printk(KERN_DEBUG
"SELinux: Setting up existing superblocks.\n");
5498 spin_lock(&sb_lock
);
5499 spin_lock(&sb_security_lock
);
5501 if (!list_empty(&superblock_security_head
)) {
5502 struct superblock_security_struct
*sbsec
=
5503 list_entry(superblock_security_head
.next
,
5504 struct superblock_security_struct
,
5506 struct super_block
*sb
= sbsec
->sb
;
5508 spin_unlock(&sb_security_lock
);
5509 spin_unlock(&sb_lock
);
5510 down_read(&sb
->s_umount
);
5512 superblock_doinit(sb
, NULL
);
5514 spin_lock(&sb_lock
);
5515 spin_lock(&sb_security_lock
);
5516 list_del_init(&sbsec
->list
);
5519 spin_unlock(&sb_security_lock
);
5520 spin_unlock(&sb_lock
);
5523 /* SELinux requires early initialization in order to label
5524 all processes and objects when they are created. */
5525 security_initcall(selinux_init
);
5527 #if defined(CONFIG_NETFILTER)
5529 static struct nf_hook_ops selinux_ipv4_ops
[] = {
5531 .hook
= selinux_ipv4_postroute
,
5532 .owner
= THIS_MODULE
,
5534 .hooknum
= NF_INET_POST_ROUTING
,
5535 .priority
= NF_IP_PRI_SELINUX_LAST
,
5538 .hook
= selinux_ipv4_forward
,
5539 .owner
= THIS_MODULE
,
5541 .hooknum
= NF_INET_FORWARD
,
5542 .priority
= NF_IP_PRI_SELINUX_FIRST
,
5546 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5548 static struct nf_hook_ops selinux_ipv6_ops
[] = {
5550 .hook
= selinux_ipv6_postroute
,
5551 .owner
= THIS_MODULE
,
5553 .hooknum
= NF_INET_POST_ROUTING
,
5554 .priority
= NF_IP6_PRI_SELINUX_LAST
,
5557 .hook
= selinux_ipv6_forward
,
5558 .owner
= THIS_MODULE
,
5560 .hooknum
= NF_INET_FORWARD
,
5561 .priority
= NF_IP6_PRI_SELINUX_FIRST
,
5567 static int __init
selinux_nf_ip_init(void)
5572 if (!selinux_enabled
)
5575 printk(KERN_DEBUG
"SELinux: Registering netfilter hooks\n");
5577 for (iter
= 0; iter
< ARRAY_SIZE(selinux_ipv4_ops
); iter
++) {
5578 err
= nf_register_hook(&selinux_ipv4_ops
[iter
]);
5580 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5584 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5585 for (iter
= 0; iter
< ARRAY_SIZE(selinux_ipv6_ops
); iter
++) {
5586 err
= nf_register_hook(&selinux_ipv6_ops
[iter
]);
5588 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5597 __initcall(selinux_nf_ip_init
);
5599 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5600 static void selinux_nf_ip_exit(void)
5604 printk(KERN_DEBUG
"SELinux: Unregistering netfilter hooks\n");
5606 for (iter
= 0; iter
< ARRAY_SIZE(selinux_ipv4_ops
); iter
++)
5607 nf_unregister_hook(&selinux_ipv4_ops
[iter
]);
5608 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5609 for (iter
= 0; iter
< ARRAY_SIZE(selinux_ipv6_ops
); iter
++)
5610 nf_unregister_hook(&selinux_ipv6_ops
[iter
]);
5615 #else /* CONFIG_NETFILTER */
5617 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5618 #define selinux_nf_ip_exit()
5621 #endif /* CONFIG_NETFILTER */
5623 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5624 int selinux_disable(void)
5626 extern void exit_sel_fs(void);
5627 static int selinux_disabled
= 0;
5629 if (ss_initialized
) {
5630 /* Not permitted after initial policy load. */
5634 if (selinux_disabled
) {
5635 /* Only do this once. */
5639 printk(KERN_INFO
"SELinux: Disabled at runtime.\n");
5641 selinux_disabled
= 1;
5642 selinux_enabled
= 0;
5644 /* Reset security_ops to the secondary module, dummy or capability. */
5645 security_ops
= secondary_ops
;
5647 /* Unregister netfilter hooks. */
5648 selinux_nf_ip_exit();
5650 /* Unregister selinuxfs. */