1 /* Updated: Karl MacMillan <kmacmillan@tresys.com>
3 * Added conditional policy language extensions
5 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
6 * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, version 2.
12 #include <linux/config.h>
13 #include <linux/kernel.h>
14 #include <linux/pagemap.h>
15 #include <linux/slab.h>
16 #include <linux/vmalloc.h>
18 #include <linux/init.h>
19 #include <linux/string.h>
20 #include <linux/security.h>
21 #include <linux/major.h>
22 #include <linux/seq_file.h>
23 #include <linux/percpu.h>
24 #include <asm/uaccess.h>
25 #include <asm/semaphore.h>
27 /* selinuxfs pseudo filesystem for exporting the security policy API.
28 Based on the proc code and the fs/nfsd/nfsctl.c code. */
35 #include "conditional.h"
37 unsigned int selinux_checkreqprot
= CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE
;
39 static int __init
checkreqprot_setup(char *str
)
41 selinux_checkreqprot
= simple_strtoul(str
,NULL
,0) ? 1 : 0;
44 __setup("checkreqprot=", checkreqprot_setup
);
47 static DECLARE_MUTEX(sel_sem
);
49 /* global data for booleans */
50 static struct dentry
*bool_dir
= NULL
;
51 static int bool_num
= 0;
52 static int *bool_pending_values
= NULL
;
54 extern void selnl_notify_setenforce(int val
);
56 /* Check whether a task is allowed to use a security operation. */
57 static int task_has_security(struct task_struct
*tsk
,
60 struct task_security_struct
*tsec
;
66 return avc_has_perm(tsec
->sid
, SECINITSID_SECURITY
,
67 SECCLASS_SECURITY
, perms
, NULL
);
72 SEL_LOAD
, /* load policy */
73 SEL_ENFORCE
, /* get or set enforcing status */
74 SEL_CONTEXT
, /* validate context */
75 SEL_ACCESS
, /* compute access decision */
76 SEL_CREATE
, /* compute create labeling decision */
77 SEL_RELABEL
, /* compute relabeling decision */
78 SEL_USER
, /* compute reachable user contexts */
79 SEL_POLICYVERS
, /* return policy version for this kernel */
80 SEL_COMMIT_BOOLS
, /* commit new boolean values */
81 SEL_MLS
, /* return if MLS policy is enabled */
82 SEL_DISABLE
, /* disable SELinux until next reboot */
83 SEL_AVC
, /* AVC management directory */
84 SEL_MEMBER
, /* compute polyinstantiation membership decision */
85 SEL_CHECKREQPROT
, /* check requested protection, not kernel-applied one */
89 static ssize_t
sel_read_enforce(struct file
*filp
, char __user
*buf
,
90 size_t count
, loff_t
*ppos
)
92 char tmpbuf
[TMPBUFLEN
];
95 length
= scnprintf(tmpbuf
, TMPBUFLEN
, "%d", selinux_enforcing
);
96 return simple_read_from_buffer(buf
, count
, ppos
, tmpbuf
, length
);
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 static ssize_t
sel_write_enforce(struct file
* file
, const char __user
* buf
,
101 size_t count
, loff_t
*ppos
)
108 if (count
>= PAGE_SIZE
)
111 /* No partial writes. */
114 page
= (char*)get_zeroed_page(GFP_KERNEL
);
118 if (copy_from_user(page
, buf
, count
))
122 if (sscanf(page
, "%d", &new_value
) != 1)
125 if (new_value
!= selinux_enforcing
) {
126 length
= task_has_security(current
, SECURITY__SETENFORCE
);
129 selinux_enforcing
= new_value
;
130 if (selinux_enforcing
)
132 selnl_notify_setenforce(selinux_enforcing
);
136 free_page((unsigned long) page
);
140 #define sel_write_enforce NULL
143 static struct file_operations sel_enforce_ops
= {
144 .read
= sel_read_enforce
,
145 .write
= sel_write_enforce
,
148 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
149 static ssize_t
sel_write_disable(struct file
* file
, const char __user
* buf
,
150 size_t count
, loff_t
*ppos
)
156 extern int selinux_disable(void);
158 if (count
>= PAGE_SIZE
)
161 /* No partial writes. */
164 page
= (char*)get_zeroed_page(GFP_KERNEL
);
168 if (copy_from_user(page
, buf
, count
))
172 if (sscanf(page
, "%d", &new_value
) != 1)
176 length
= selinux_disable();
183 free_page((unsigned long) page
);
187 #define sel_write_disable NULL
190 static struct file_operations sel_disable_ops
= {
191 .write
= sel_write_disable
,
194 static ssize_t
sel_read_policyvers(struct file
*filp
, char __user
*buf
,
195 size_t count
, loff_t
*ppos
)
197 char tmpbuf
[TMPBUFLEN
];
200 length
= scnprintf(tmpbuf
, TMPBUFLEN
, "%u", POLICYDB_VERSION_MAX
);
201 return simple_read_from_buffer(buf
, count
, ppos
, tmpbuf
, length
);
204 static struct file_operations sel_policyvers_ops
= {
205 .read
= sel_read_policyvers
,
208 /* declaration for sel_write_load */
209 static int sel_make_bools(void);
211 static ssize_t
sel_read_mls(struct file
*filp
, char __user
*buf
,
212 size_t count
, loff_t
*ppos
)
214 char tmpbuf
[TMPBUFLEN
];
217 length
= scnprintf(tmpbuf
, TMPBUFLEN
, "%d", selinux_mls_enabled
);
218 return simple_read_from_buffer(buf
, count
, ppos
, tmpbuf
, length
);
221 static struct file_operations sel_mls_ops
= {
222 .read
= sel_read_mls
,
225 static ssize_t
sel_write_load(struct file
* file
, const char __user
* buf
,
226 size_t count
, loff_t
*ppos
)
235 length
= task_has_security(current
, SECURITY__LOAD_POLICY
);
240 /* No partial writes. */
245 if ((count
> 64 * 1024 * 1024)
246 || (data
= vmalloc(count
)) == NULL
) {
252 if (copy_from_user(data
, buf
, count
) != 0)
255 length
= security_load_policy(data
, count
);
259 ret
= sel_make_bools();
270 static struct file_operations sel_load_ops
= {
271 .write
= sel_write_load
,
275 static ssize_t
sel_write_context(struct file
* file
, const char __user
* buf
,
276 size_t count
, loff_t
*ppos
)
283 length
= task_has_security(current
, SECURITY__CHECK_CONTEXT
);
287 if (count
>= PAGE_SIZE
)
290 /* No partial writes. */
293 page
= (char*)get_zeroed_page(GFP_KERNEL
);
297 if (copy_from_user(page
, buf
, count
))
300 length
= security_context_to_sid(page
, count
, &sid
);
306 free_page((unsigned long) page
);
310 static struct file_operations sel_context_ops
= {
311 .write
= sel_write_context
,
314 static ssize_t
sel_read_checkreqprot(struct file
*filp
, char __user
*buf
,
315 size_t count
, loff_t
*ppos
)
317 char tmpbuf
[TMPBUFLEN
];
320 length
= scnprintf(tmpbuf
, TMPBUFLEN
, "%u", selinux_checkreqprot
);
321 return simple_read_from_buffer(buf
, count
, ppos
, tmpbuf
, length
);
324 static ssize_t
sel_write_checkreqprot(struct file
* file
, const char __user
* buf
,
325 size_t count
, loff_t
*ppos
)
329 unsigned int new_value
;
331 length
= task_has_security(current
, SECURITY__SETCHECKREQPROT
);
335 if (count
>= PAGE_SIZE
)
338 /* No partial writes. */
341 page
= (char*)get_zeroed_page(GFP_KERNEL
);
345 if (copy_from_user(page
, buf
, count
))
349 if (sscanf(page
, "%u", &new_value
) != 1)
352 selinux_checkreqprot
= new_value
? 1 : 0;
355 free_page((unsigned long) page
);
358 static struct file_operations sel_checkreqprot_ops
= {
359 .read
= sel_read_checkreqprot
,
360 .write
= sel_write_checkreqprot
,
364 * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
366 static ssize_t
sel_write_access(struct file
* file
, char *buf
, size_t size
);
367 static ssize_t
sel_write_create(struct file
* file
, char *buf
, size_t size
);
368 static ssize_t
sel_write_relabel(struct file
* file
, char *buf
, size_t size
);
369 static ssize_t
sel_write_user(struct file
* file
, char *buf
, size_t size
);
370 static ssize_t
sel_write_member(struct file
* file
, char *buf
, size_t size
);
372 static ssize_t (*write_op
[])(struct file
*, char *, size_t) = {
373 [SEL_ACCESS
] = sel_write_access
,
374 [SEL_CREATE
] = sel_write_create
,
375 [SEL_RELABEL
] = sel_write_relabel
,
376 [SEL_USER
] = sel_write_user
,
377 [SEL_MEMBER
] = sel_write_member
,
380 static ssize_t
selinux_transaction_write(struct file
*file
, const char __user
*buf
, size_t size
, loff_t
*pos
)
382 ino_t ino
= file
->f_dentry
->d_inode
->i_ino
;
386 if (ino
>= sizeof(write_op
)/sizeof(write_op
[0]) || !write_op
[ino
])
389 data
= simple_transaction_get(file
, buf
, size
);
391 return PTR_ERR(data
);
393 rv
= write_op
[ino
](file
, data
, size
);
395 simple_transaction_set(file
, rv
);
401 static struct file_operations transaction_ops
= {
402 .write
= selinux_transaction_write
,
403 .read
= simple_transaction_read
,
404 .release
= simple_transaction_release
,
408 * payload - write methods
409 * If the method has a response, the response should be put in buf,
410 * and the length returned. Otherwise return 0 or and -error.
413 static ssize_t
sel_write_access(struct file
* file
, char *buf
, size_t size
)
419 struct av_decision avd
;
422 length
= task_has_security(current
, SECURITY__COMPUTE_AV
);
427 scon
= kzalloc(size
+1, GFP_KERNEL
);
431 tcon
= kzalloc(size
+1, GFP_KERNEL
);
436 if (sscanf(buf
, "%s %s %hu %x", scon
, tcon
, &tclass
, &req
) != 4)
439 length
= security_context_to_sid(scon
, strlen(scon
)+1, &ssid
);
442 length
= security_context_to_sid(tcon
, strlen(tcon
)+1, &tsid
);
446 length
= security_compute_av(ssid
, tsid
, tclass
, req
, &avd
);
450 length
= scnprintf(buf
, SIMPLE_TRANSACTION_LIMIT
,
452 avd
.allowed
, avd
.decided
,
453 avd
.auditallow
, avd
.auditdeny
,
462 static ssize_t
sel_write_create(struct file
* file
, char *buf
, size_t size
)
465 u32 ssid
, tsid
, newsid
;
471 length
= task_has_security(current
, SECURITY__COMPUTE_CREATE
);
476 scon
= kzalloc(size
+1, GFP_KERNEL
);
480 tcon
= kzalloc(size
+1, GFP_KERNEL
);
485 if (sscanf(buf
, "%s %s %hu", scon
, tcon
, &tclass
) != 3)
488 length
= security_context_to_sid(scon
, strlen(scon
)+1, &ssid
);
491 length
= security_context_to_sid(tcon
, strlen(tcon
)+1, &tsid
);
495 length
= security_transition_sid(ssid
, tsid
, tclass
, &newsid
);
499 length
= security_sid_to_context(newsid
, &newcon
, &len
);
503 if (len
> SIMPLE_TRANSACTION_LIMIT
) {
504 printk(KERN_ERR
"%s: context size (%u) exceeds payload "
505 "max\n", __FUNCTION__
, len
);
510 memcpy(buf
, newcon
, len
);
521 static ssize_t
sel_write_relabel(struct file
* file
, char *buf
, size_t size
)
524 u32 ssid
, tsid
, newsid
;
530 length
= task_has_security(current
, SECURITY__COMPUTE_RELABEL
);
535 scon
= kzalloc(size
+1, GFP_KERNEL
);
539 tcon
= kzalloc(size
+1, GFP_KERNEL
);
544 if (sscanf(buf
, "%s %s %hu", scon
, tcon
, &tclass
) != 3)
547 length
= security_context_to_sid(scon
, strlen(scon
)+1, &ssid
);
550 length
= security_context_to_sid(tcon
, strlen(tcon
)+1, &tsid
);
554 length
= security_change_sid(ssid
, tsid
, tclass
, &newsid
);
558 length
= security_sid_to_context(newsid
, &newcon
, &len
);
562 if (len
> SIMPLE_TRANSACTION_LIMIT
) {
567 memcpy(buf
, newcon
, len
);
578 static ssize_t
sel_write_user(struct file
* file
, char *buf
, size_t size
)
580 char *con
, *user
, *ptr
;
587 length
= task_has_security(current
, SECURITY__COMPUTE_USER
);
592 con
= kzalloc(size
+1, GFP_KERNEL
);
596 user
= kzalloc(size
+1, GFP_KERNEL
);
601 if (sscanf(buf
, "%s %s", con
, user
) != 2)
604 length
= security_context_to_sid(con
, strlen(con
)+1, &sid
);
608 length
= security_get_user_sids(sid
, user
, &sids
, &nsids
);
612 length
= sprintf(buf
, "%u", nsids
) + 1;
614 for (i
= 0; i
< nsids
; i
++) {
615 rc
= security_sid_to_context(sids
[i
], &newcon
, &len
);
620 if ((length
+ len
) >= SIMPLE_TRANSACTION_LIMIT
) {
625 memcpy(ptr
, newcon
, len
);
639 static ssize_t
sel_write_member(struct file
* file
, char *buf
, size_t size
)
642 u32 ssid
, tsid
, newsid
;
648 length
= task_has_security(current
, SECURITY__COMPUTE_MEMBER
);
653 scon
= kzalloc(size
+1, GFP_KERNEL
);
657 tcon
= kzalloc(size
+1, GFP_KERNEL
);
662 if (sscanf(buf
, "%s %s %hu", scon
, tcon
, &tclass
) != 3)
665 length
= security_context_to_sid(scon
, strlen(scon
)+1, &ssid
);
668 length
= security_context_to_sid(tcon
, strlen(tcon
)+1, &tsid
);
672 length
= security_member_sid(ssid
, tsid
, tclass
, &newsid
);
676 length
= security_sid_to_context(newsid
, &newcon
, &len
);
680 if (len
> SIMPLE_TRANSACTION_LIMIT
) {
681 printk(KERN_ERR
"%s: context size (%u) exceeds payload "
682 "max\n", __FUNCTION__
, len
);
687 memcpy(buf
, newcon
, len
);
698 static struct inode
*sel_make_inode(struct super_block
*sb
, int mode
)
700 struct inode
*ret
= new_inode(sb
);
704 ret
->i_uid
= ret
->i_gid
= 0;
705 ret
->i_blksize
= PAGE_CACHE_SIZE
;
707 ret
->i_atime
= ret
->i_mtime
= ret
->i_ctime
= CURRENT_TIME
;
712 #define BOOL_INO_OFFSET 30
714 static ssize_t
sel_read_bool(struct file
*filep
, char __user
*buf
,
715 size_t count
, loff_t
*ppos
)
728 /* check to see if this file has been deleted */
732 if (count
> PAGE_SIZE
) {
736 if (!(page
= (char*)get_zeroed_page(GFP_KERNEL
))) {
741 inode
= filep
->f_dentry
->d_inode
;
742 cur_enforcing
= security_get_bool_value(inode
->i_ino
- BOOL_INO_OFFSET
);
743 if (cur_enforcing
< 0) {
748 length
= scnprintf(page
, PAGE_SIZE
, "%d %d", cur_enforcing
,
749 bool_pending_values
[inode
->i_ino
- BOOL_INO_OFFSET
]);
755 if (*ppos
>= length
) {
759 if (count
+ *ppos
> length
)
760 count
= length
- *ppos
;
762 if (copy_to_user(buf
, (char *) page
+ *ppos
, count
)) {
771 free_page((unsigned long)page
);
775 static ssize_t
sel_write_bool(struct file
*filep
, const char __user
*buf
,
776 size_t count
, loff_t
*ppos
)
779 ssize_t length
= -EFAULT
;
785 length
= task_has_security(current
, SECURITY__SETBOOL
);
789 /* check to see if this file has been deleted */
793 if (count
>= PAGE_SIZE
) {
798 /* No partial writes. */
801 page
= (char*)get_zeroed_page(GFP_KERNEL
);
807 if (copy_from_user(page
, buf
, count
))
811 if (sscanf(page
, "%d", &new_value
) != 1)
817 inode
= filep
->f_dentry
->d_inode
;
818 bool_pending_values
[inode
->i_ino
- BOOL_INO_OFFSET
] = new_value
;
824 free_page((unsigned long) page
);
828 static struct file_operations sel_bool_ops
= {
829 .read
= sel_read_bool
,
830 .write
= sel_write_bool
,
833 static ssize_t
sel_commit_bools_write(struct file
*filep
,
834 const char __user
*buf
,
835 size_t count
, loff_t
*ppos
)
838 ssize_t length
= -EFAULT
;
843 length
= task_has_security(current
, SECURITY__SETBOOL
);
847 /* check to see if this file has been deleted */
851 if (count
>= PAGE_SIZE
) {
856 /* No partial writes. */
859 page
= (char*)get_zeroed_page(GFP_KERNEL
);
865 if (copy_from_user(page
, buf
, count
))
869 if (sscanf(page
, "%d", &new_value
) != 1)
872 if (new_value
&& bool_pending_values
) {
873 security_set_bools(bool_num
, bool_pending_values
);
881 free_page((unsigned long) page
);
885 static struct file_operations sel_commit_bools_ops
= {
886 .write
= sel_commit_bools_write
,
889 /* delete booleans - partial revoke() from
890 * fs/proc/generic.c proc_kill_inodes */
891 static void sel_remove_bools(struct dentry
*de
)
893 struct list_head
*p
, *node
;
894 struct super_block
*sb
= de
->d_sb
;
896 spin_lock(&dcache_lock
);
897 node
= de
->d_subdirs
.next
;
898 while (node
!= &de
->d_subdirs
) {
899 struct dentry
*d
= list_entry(node
, struct dentry
, d_child
);
904 spin_unlock(&dcache_lock
);
906 simple_unlink(de
->d_inode
, d
);
908 spin_lock(&dcache_lock
);
910 node
= de
->d_subdirs
.next
;
913 spin_unlock(&dcache_lock
);
916 list_for_each(p
, &sb
->s_files
) {
917 struct file
* filp
= list_entry(p
, struct file
, f_u
.fu_list
);
918 struct dentry
* dentry
= filp
->f_dentry
;
920 if (dentry
->d_parent
!= de
) {
928 #define BOOL_DIR_NAME "booleans"
930 static int sel_make_bools(void)
934 struct dentry
*dentry
= NULL
;
935 struct dentry
*dir
= bool_dir
;
936 struct inode
*inode
= NULL
;
937 struct inode_security_struct
*isec
;
938 char **names
= NULL
, *page
;
943 /* remove any existing files */
944 kfree(bool_pending_values
);
945 bool_pending_values
= NULL
;
947 sel_remove_bools(dir
);
949 if (!(page
= (char*)get_zeroed_page(GFP_KERNEL
)))
952 ret
= security_get_bools(&num
, &names
, &values
);
956 for (i
= 0; i
< num
; i
++) {
957 dentry
= d_alloc_name(dir
, names
[i
]);
962 inode
= sel_make_inode(dir
->d_sb
, S_IFREG
| S_IRUGO
| S_IWUSR
);
968 len
= snprintf(page
, PAGE_SIZE
, "/%s/%s", BOOL_DIR_NAME
, names
[i
]);
972 } else if (len
>= PAGE_SIZE
) {
976 isec
= (struct inode_security_struct
*)inode
->i_security
;
977 if ((ret
= security_genfs_sid("selinuxfs", page
, SECCLASS_FILE
, &sid
)))
980 isec
->initialized
= 1;
981 inode
->i_fop
= &sel_bool_ops
;
982 inode
->i_ino
= i
+ BOOL_INO_OFFSET
;
983 d_add(dentry
, inode
);
986 bool_pending_values
= values
;
988 free_page((unsigned long)page
);
990 for (i
= 0; i
< num
; i
++)
1002 #define NULL_FILE_NAME "null"
1004 struct dentry
*selinux_null
= NULL
;
1006 static ssize_t
sel_read_avc_cache_threshold(struct file
*filp
, char __user
*buf
,
1007 size_t count
, loff_t
*ppos
)
1009 char tmpbuf
[TMPBUFLEN
];
1012 length
= scnprintf(tmpbuf
, TMPBUFLEN
, "%u", avc_cache_threshold
);
1013 return simple_read_from_buffer(buf
, count
, ppos
, tmpbuf
, length
);
1016 static ssize_t
sel_write_avc_cache_threshold(struct file
* file
,
1017 const char __user
* buf
,
1018 size_t count
, loff_t
*ppos
)
1025 if (count
>= PAGE_SIZE
) {
1031 /* No partial writes. */
1036 page
= (char*)get_zeroed_page(GFP_KERNEL
);
1042 if (copy_from_user(page
, buf
, count
)) {
1047 if (sscanf(page
, "%u", &new_value
) != 1) {
1052 if (new_value
!= avc_cache_threshold
) {
1053 ret
= task_has_security(current
, SECURITY__SETSECPARAM
);
1056 avc_cache_threshold
= new_value
;
1060 free_page((unsigned long)page
);
1065 static ssize_t
sel_read_avc_hash_stats(struct file
*filp
, char __user
*buf
,
1066 size_t count
, loff_t
*ppos
)
1071 page
= (char *)__get_free_page(GFP_KERNEL
);
1076 ret
= avc_get_hash_stats(page
);
1078 ret
= simple_read_from_buffer(buf
, count
, ppos
, page
, ret
);
1079 free_page((unsigned long)page
);
1084 static struct file_operations sel_avc_cache_threshold_ops
= {
1085 .read
= sel_read_avc_cache_threshold
,
1086 .write
= sel_write_avc_cache_threshold
,
1089 static struct file_operations sel_avc_hash_stats_ops
= {
1090 .read
= sel_read_avc_hash_stats
,
1093 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
1094 static struct avc_cache_stats
*sel_avc_get_stat_idx(loff_t
*idx
)
1098 for (cpu
= *idx
; cpu
< NR_CPUS
; ++cpu
) {
1099 if (!cpu_possible(cpu
))
1102 return &per_cpu(avc_cache_stats
, cpu
);
1107 static void *sel_avc_stats_seq_start(struct seq_file
*seq
, loff_t
*pos
)
1109 loff_t n
= *pos
- 1;
1112 return SEQ_START_TOKEN
;
1114 return sel_avc_get_stat_idx(&n
);
1117 static void *sel_avc_stats_seq_next(struct seq_file
*seq
, void *v
, loff_t
*pos
)
1119 return sel_avc_get_stat_idx(pos
);
1122 static int sel_avc_stats_seq_show(struct seq_file
*seq
, void *v
)
1124 struct avc_cache_stats
*st
= v
;
1126 if (v
== SEQ_START_TOKEN
)
1127 seq_printf(seq
, "lookups hits misses allocations reclaims "
1130 seq_printf(seq
, "%u %u %u %u %u %u\n", st
->lookups
,
1131 st
->hits
, st
->misses
, st
->allocations
,
1132 st
->reclaims
, st
->frees
);
1136 static void sel_avc_stats_seq_stop(struct seq_file
*seq
, void *v
)
1139 static struct seq_operations sel_avc_cache_stats_seq_ops
= {
1140 .start
= sel_avc_stats_seq_start
,
1141 .next
= sel_avc_stats_seq_next
,
1142 .show
= sel_avc_stats_seq_show
,
1143 .stop
= sel_avc_stats_seq_stop
,
1146 static int sel_open_avc_cache_stats(struct inode
*inode
, struct file
*file
)
1148 return seq_open(file
, &sel_avc_cache_stats_seq_ops
);
1151 static struct file_operations sel_avc_cache_stats_ops
= {
1152 .open
= sel_open_avc_cache_stats
,
1154 .llseek
= seq_lseek
,
1155 .release
= seq_release
,
1159 static int sel_make_avc_files(struct dentry
*dir
)
1162 static struct tree_descr files
[] = {
1163 { "cache_threshold",
1164 &sel_avc_cache_threshold_ops
, S_IRUGO
|S_IWUSR
},
1165 { "hash_stats", &sel_avc_hash_stats_ops
, S_IRUGO
},
1166 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
1167 { "cache_stats", &sel_avc_cache_stats_ops
, S_IRUGO
},
1171 for (i
= 0; i
< sizeof (files
) / sizeof (files
[0]); i
++) {
1172 struct inode
*inode
;
1173 struct dentry
*dentry
;
1175 dentry
= d_alloc_name(dir
, files
[i
].name
);
1181 inode
= sel_make_inode(dir
->d_sb
, S_IFREG
|files
[i
].mode
);
1186 inode
->i_fop
= files
[i
].ops
;
1187 d_add(dentry
, inode
);
1196 static int sel_make_dir(struct super_block
*sb
, struct dentry
*dentry
)
1199 struct inode
*inode
;
1201 inode
= sel_make_inode(sb
, S_IFDIR
| S_IRUGO
| S_IXUGO
);
1206 inode
->i_op
= &simple_dir_inode_operations
;
1207 inode
->i_fop
= &simple_dir_operations
;
1208 d_add(dentry
, inode
);
1213 static int sel_fill_super(struct super_block
* sb
, void * data
, int silent
)
1216 struct dentry
*dentry
;
1217 struct inode
*inode
;
1218 struct inode_security_struct
*isec
;
1220 static struct tree_descr selinux_files
[] = {
1221 [SEL_LOAD
] = {"load", &sel_load_ops
, S_IRUSR
|S_IWUSR
},
1222 [SEL_ENFORCE
] = {"enforce", &sel_enforce_ops
, S_IRUGO
|S_IWUSR
},
1223 [SEL_CONTEXT
] = {"context", &sel_context_ops
, S_IRUGO
|S_IWUGO
},
1224 [SEL_ACCESS
] = {"access", &transaction_ops
, S_IRUGO
|S_IWUGO
},
1225 [SEL_CREATE
] = {"create", &transaction_ops
, S_IRUGO
|S_IWUGO
},
1226 [SEL_RELABEL
] = {"relabel", &transaction_ops
, S_IRUGO
|S_IWUGO
},
1227 [SEL_USER
] = {"user", &transaction_ops
, S_IRUGO
|S_IWUGO
},
1228 [SEL_POLICYVERS
] = {"policyvers", &sel_policyvers_ops
, S_IRUGO
},
1229 [SEL_COMMIT_BOOLS
] = {"commit_pending_bools", &sel_commit_bools_ops
, S_IWUSR
},
1230 [SEL_MLS
] = {"mls", &sel_mls_ops
, S_IRUGO
},
1231 [SEL_DISABLE
] = {"disable", &sel_disable_ops
, S_IWUSR
},
1232 [SEL_MEMBER
] = {"member", &transaction_ops
, S_IRUGO
|S_IWUGO
},
1233 [SEL_CHECKREQPROT
] = {"checkreqprot", &sel_checkreqprot_ops
, S_IRUGO
|S_IWUSR
},
1236 ret
= simple_fill_super(sb
, SELINUX_MAGIC
, selinux_files
);
1240 dentry
= d_alloc_name(sb
->s_root
, BOOL_DIR_NAME
);
1244 inode
= sel_make_inode(sb
, S_IFDIR
| S_IRUGO
| S_IXUGO
);
1247 inode
->i_op
= &simple_dir_inode_operations
;
1248 inode
->i_fop
= &simple_dir_operations
;
1249 d_add(dentry
, inode
);
1251 ret
= sel_make_bools();
1255 dentry
= d_alloc_name(sb
->s_root
, NULL_FILE_NAME
);
1259 inode
= sel_make_inode(sb
, S_IFCHR
| S_IRUGO
| S_IWUGO
);
1262 isec
= (struct inode_security_struct
*)inode
->i_security
;
1263 isec
->sid
= SECINITSID_DEVNULL
;
1264 isec
->sclass
= SECCLASS_CHR_FILE
;
1265 isec
->initialized
= 1;
1267 init_special_inode(inode
, S_IFCHR
| S_IRUGO
| S_IWUGO
, MKDEV(MEM_MAJOR
, 3));
1268 d_add(dentry
, inode
);
1269 selinux_null
= dentry
;
1271 dentry
= d_alloc_name(sb
->s_root
, "avc");
1275 ret
= sel_make_dir(sb
, dentry
);
1279 ret
= sel_make_avc_files(dentry
);
1286 printk(KERN_ERR
"%s: failed while creating inodes\n", __FUNCTION__
);
1290 static struct super_block
*sel_get_sb(struct file_system_type
*fs_type
,
1291 int flags
, const char *dev_name
, void *data
)
1293 return get_sb_single(fs_type
, flags
, data
, sel_fill_super
);
1296 static struct file_system_type sel_fs_type
= {
1297 .name
= "selinuxfs",
1298 .get_sb
= sel_get_sb
,
1299 .kill_sb
= kill_litter_super
,
1302 struct vfsmount
*selinuxfs_mount
;
1304 static int __init
init_sel_fs(void)
1308 if (!selinux_enabled
)
1310 err
= register_filesystem(&sel_fs_type
);
1312 selinuxfs_mount
= kern_mount(&sel_fs_type
);
1313 if (IS_ERR(selinuxfs_mount
)) {
1314 printk(KERN_ERR
"selinuxfs: could not mount!\n");
1315 err
= PTR_ERR(selinuxfs_mount
);
1316 selinuxfs_mount
= NULL
;
1322 __initcall(init_sel_fs
);
1324 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
1325 void exit_sel_fs(void)
1327 unregister_filesystem(&sel_fs_type
);