2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/fdtable.h>
43 #include <linux/namei.h>
44 #include <linux/mount.h>
45 #include <linux/ext2_fs.h>
46 #include <linux/proc_fs.h>
48 #include <linux/netfilter_ipv4.h>
49 #include <linux/netfilter_ipv6.h>
50 #include <linux/tty.h>
52 #include <net/ip.h> /* for local_port_range[] */
53 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
54 #include <net/net_namespace.h>
55 #include <net/netlabel.h>
56 #include <linux/uaccess.h>
57 #include <asm/ioctls.h>
58 #include <asm/atomic.h>
59 #include <linux/bitops.h>
60 #include <linux/interrupt.h>
61 #include <linux/netdevice.h> /* for network interface checks */
62 #include <linux/netlink.h>
63 #include <linux/tcp.h>
64 #include <linux/udp.h>
65 #include <linux/dccp.h>
66 #include <linux/quota.h>
67 #include <linux/un.h> /* for Unix socket types */
68 #include <net/af_unix.h> /* for Unix socket types */
69 #include <linux/parser.h>
70 #include <linux/nfs_mount.h>
72 #include <linux/hugetlb.h>
73 #include <linux/personality.h>
74 #include <linux/sysctl.h>
75 #include <linux/audit.h>
76 #include <linux/string.h>
77 #include <linux/selinux.h>
78 #include <linux/mutex.h>
89 #define XATTR_SELINUX_SUFFIX "selinux"
90 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
92 #define NUM_SEL_MNT_OPTS 4
94 extern unsigned int policydb_loaded_version;
95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96 extern int selinux_compat_net;
97 extern struct security_operations *security_ops;
99 /* SECMARK reference count */
100 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing;
105 static int __init enforcing_setup(char *str)
107 unsigned long enforcing;
108 if (!strict_strtoul(str, 0, &enforcing))
109 selinux_enforcing = enforcing ? 1 : 0;
112 __setup("enforcing=", enforcing_setup);
115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118 static int __init selinux_enabled_setup(char *str)
120 unsigned long enabled;
121 if (!strict_strtoul(str, 0, &enabled))
122 selinux_enabled = enabled ? 1 : 0;
125 __setup("selinux=", selinux_enabled_setup);
127 int selinux_enabled = 1;
130 /* Original (dummy) security module. */
131 static struct security_operations *original_ops;
133 /* Minimal support for a secondary security module,
134 just to allow the use of the dummy or capability modules.
135 The owlsm module can alternatively be used as a secondary
136 module as long as CONFIG_OWLSM_FD is not enabled. */
137 static struct security_operations *secondary_ops;
139 /* Lists of inode and superblock security structures initialized
140 before the policy was loaded. */
141 static LIST_HEAD(superblock_security_head);
142 static DEFINE_SPINLOCK(sb_security_lock);
144 static struct kmem_cache *sel_inode_cache;
147 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
150 * This function checks the SECMARK reference counter to see if any SECMARK
151 * targets are currently configured, if the reference counter is greater than
152 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
153 * enabled, false (0) if SECMARK is disabled.
156 static int selinux_secmark_enabled(void)
158 return (atomic_read(&selinux_secmark_refcount) > 0);
161 /* Allocate and free functions for each kind of security blob. */
163 static int task_alloc_security(struct task_struct *task)
165 struct task_security_struct *tsec;
167 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
171 tsec->osid = tsec->sid = SECINITSID_UNLABELED;
172 task->security = tsec;
177 static void task_free_security(struct task_struct *task)
179 struct task_security_struct *tsec = task->security;
180 task->security = NULL;
184 static int inode_alloc_security(struct inode *inode)
186 struct task_security_struct *tsec = current->security;
187 struct inode_security_struct *isec;
189 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
193 mutex_init(&isec->lock);
194 INIT_LIST_HEAD(&isec->list);
196 isec->sid = SECINITSID_UNLABELED;
197 isec->sclass = SECCLASS_FILE;
198 isec->task_sid = tsec->sid;
199 inode->i_security = isec;
204 static void inode_free_security(struct inode *inode)
206 struct inode_security_struct *isec = inode->i_security;
207 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
209 spin_lock(&sbsec->isec_lock);
210 if (!list_empty(&isec->list))
211 list_del_init(&isec->list);
212 spin_unlock(&sbsec->isec_lock);
214 inode->i_security = NULL;
215 kmem_cache_free(sel_inode_cache, isec);
218 static int file_alloc_security(struct file *file)
220 struct task_security_struct *tsec = current->security;
221 struct file_security_struct *fsec;
223 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
227 fsec->sid = tsec->sid;
228 fsec->fown_sid = tsec->sid;
229 file->f_security = fsec;
234 static void file_free_security(struct file *file)
236 struct file_security_struct *fsec = file->f_security;
237 file->f_security = NULL;
241 static int superblock_alloc_security(struct super_block *sb)
243 struct superblock_security_struct *sbsec;
245 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
249 mutex_init(&sbsec->lock);
250 INIT_LIST_HEAD(&sbsec->list);
251 INIT_LIST_HEAD(&sbsec->isec_head);
252 spin_lock_init(&sbsec->isec_lock);
254 sbsec->sid = SECINITSID_UNLABELED;
255 sbsec->def_sid = SECINITSID_FILE;
256 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
257 sb->s_security = sbsec;
262 static void superblock_free_security(struct super_block *sb)
264 struct superblock_security_struct *sbsec = sb->s_security;
266 spin_lock(&sb_security_lock);
267 if (!list_empty(&sbsec->list))
268 list_del_init(&sbsec->list);
269 spin_unlock(&sb_security_lock);
271 sb->s_security = NULL;
275 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
277 struct sk_security_struct *ssec;
279 ssec = kzalloc(sizeof(*ssec), priority);
283 ssec->peer_sid = SECINITSID_UNLABELED;
284 ssec->sid = SECINITSID_UNLABELED;
285 sk->sk_security = ssec;
287 selinux_netlbl_sk_security_reset(ssec, family);
292 static void sk_free_security(struct sock *sk)
294 struct sk_security_struct *ssec = sk->sk_security;
296 sk->sk_security = NULL;
300 /* The security server must be initialized before
301 any labeling or access decisions can be provided. */
302 extern int ss_initialized;
304 /* The file system's label must be initialized prior to use. */
306 static char *labeling_behaviors[6] = {
308 "uses transition SIDs",
310 "uses genfs_contexts",
311 "not configured for labeling",
312 "uses mountpoint labeling",
315 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
317 static inline int inode_doinit(struct inode *inode)
319 return inode_doinit_with_dentry(inode, NULL);
330 static match_table_t tokens = {
331 {Opt_context, CONTEXT_STR "%s"},
332 {Opt_fscontext, FSCONTEXT_STR "%s"},
333 {Opt_defcontext, DEFCONTEXT_STR "%s"},
334 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
338 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
340 static int may_context_mount_sb_relabel(u32 sid,
341 struct superblock_security_struct *sbsec,
342 struct task_security_struct *tsec)
346 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
347 FILESYSTEM__RELABELFROM, NULL);
351 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
352 FILESYSTEM__RELABELTO, NULL);
356 static int may_context_mount_inode_relabel(u32 sid,
357 struct superblock_security_struct *sbsec,
358 struct task_security_struct *tsec)
361 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
362 FILESYSTEM__RELABELFROM, NULL);
366 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
367 FILESYSTEM__ASSOCIATE, NULL);
371 static int sb_finish_set_opts(struct super_block *sb)
373 struct superblock_security_struct *sbsec = sb->s_security;
374 struct dentry *root = sb->s_root;
375 struct inode *root_inode = root->d_inode;
378 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
379 /* Make sure that the xattr handler exists and that no
380 error other than -ENODATA is returned by getxattr on
381 the root directory. -ENODATA is ok, as this may be
382 the first boot of the SELinux kernel before we have
383 assigned xattr values to the filesystem. */
384 if (!root_inode->i_op->getxattr) {
385 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
386 "xattr support\n", sb->s_id, sb->s_type->name);
390 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
391 if (rc < 0 && rc != -ENODATA) {
392 if (rc == -EOPNOTSUPP)
393 printk(KERN_WARNING "SELinux: (dev %s, type "
394 "%s) has no security xattr handler\n",
395 sb->s_id, sb->s_type->name);
397 printk(KERN_WARNING "SELinux: (dev %s, type "
398 "%s) getxattr errno %d\n", sb->s_id,
399 sb->s_type->name, -rc);
404 sbsec->initialized = 1;
406 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
407 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
408 sb->s_id, sb->s_type->name);
410 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
411 sb->s_id, sb->s_type->name,
412 labeling_behaviors[sbsec->behavior-1]);
414 /* Initialize the root inode. */
415 rc = inode_doinit_with_dentry(root_inode, root);
417 /* Initialize any other inodes associated with the superblock, e.g.
418 inodes created prior to initial policy load or inodes created
419 during get_sb by a pseudo filesystem that directly
421 spin_lock(&sbsec->isec_lock);
423 if (!list_empty(&sbsec->isec_head)) {
424 struct inode_security_struct *isec =
425 list_entry(sbsec->isec_head.next,
426 struct inode_security_struct, list);
427 struct inode *inode = isec->inode;
428 spin_unlock(&sbsec->isec_lock);
429 inode = igrab(inode);
431 if (!IS_PRIVATE(inode))
435 spin_lock(&sbsec->isec_lock);
436 list_del_init(&isec->list);
439 spin_unlock(&sbsec->isec_lock);
445 * This function should allow an FS to ask what it's mount security
446 * options were so it can use those later for submounts, displaying
447 * mount options, or whatever.
449 static int selinux_get_mnt_opts(const struct super_block *sb,
450 struct security_mnt_opts *opts)
453 struct superblock_security_struct *sbsec = sb->s_security;
454 char *context = NULL;
458 security_init_mnt_opts(opts);
460 if (!sbsec->initialized)
467 * if we ever use sbsec flags for anything other than tracking mount
468 * settings this is going to need a mask
471 /* count the number of mount options for this sb */
472 for (i = 0; i < 8; i++) {
474 opts->num_mnt_opts++;
478 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
479 if (!opts->mnt_opts) {
484 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
485 if (!opts->mnt_opts_flags) {
491 if (sbsec->flags & FSCONTEXT_MNT) {
492 rc = security_sid_to_context(sbsec->sid, &context, &len);
495 opts->mnt_opts[i] = context;
496 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
498 if (sbsec->flags & CONTEXT_MNT) {
499 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
502 opts->mnt_opts[i] = context;
503 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
505 if (sbsec->flags & DEFCONTEXT_MNT) {
506 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
509 opts->mnt_opts[i] = context;
510 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
512 if (sbsec->flags & ROOTCONTEXT_MNT) {
513 struct inode *root = sbsec->sb->s_root->d_inode;
514 struct inode_security_struct *isec = root->i_security;
516 rc = security_sid_to_context(isec->sid, &context, &len);
519 opts->mnt_opts[i] = context;
520 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
523 BUG_ON(i != opts->num_mnt_opts);
528 security_free_mnt_opts(opts);
532 static int bad_option(struct superblock_security_struct *sbsec, char flag,
533 u32 old_sid, u32 new_sid)
535 /* check if the old mount command had the same options */
536 if (sbsec->initialized)
537 if (!(sbsec->flags & flag) ||
538 (old_sid != new_sid))
541 /* check if we were passed the same options twice,
542 * aka someone passed context=a,context=b
544 if (!sbsec->initialized)
545 if (sbsec->flags & flag)
551 * Allow filesystems with binary mount data to explicitly set mount point
552 * labeling information.
554 static int selinux_set_mnt_opts(struct super_block *sb,
555 struct security_mnt_opts *opts)
558 struct task_security_struct *tsec = current->security;
559 struct superblock_security_struct *sbsec = sb->s_security;
560 const char *name = sb->s_type->name;
561 struct inode *inode = sbsec->sb->s_root->d_inode;
562 struct inode_security_struct *root_isec = inode->i_security;
563 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
564 u32 defcontext_sid = 0;
565 char **mount_options = opts->mnt_opts;
566 int *flags = opts->mnt_opts_flags;
567 int num_opts = opts->num_mnt_opts;
569 mutex_lock(&sbsec->lock);
571 if (!ss_initialized) {
573 /* Defer initialization until selinux_complete_init,
574 after the initial policy is loaded and the security
575 server is ready to handle calls. */
576 spin_lock(&sb_security_lock);
577 if (list_empty(&sbsec->list))
578 list_add(&sbsec->list, &superblock_security_head);
579 spin_unlock(&sb_security_lock);
583 printk(KERN_WARNING "SELinux: Unable to set superblock options "
584 "before the security server is initialized\n");
589 * Binary mount data FS will come through this function twice. Once
590 * from an explicit call and once from the generic calls from the vfs.
591 * Since the generic VFS calls will not contain any security mount data
592 * we need to skip the double mount verification.
594 * This does open a hole in which we will not notice if the first
595 * mount using this sb set explict options and a second mount using
596 * this sb does not set any security options. (The first options
597 * will be used for both mounts)
599 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
604 * parse the mount options, check if they are valid sids.
605 * also check if someone is trying to mount the same sb more
606 * than once with different security options.
608 for (i = 0; i < num_opts; i++) {
610 rc = security_context_to_sid(mount_options[i],
611 strlen(mount_options[i]), &sid);
613 printk(KERN_WARNING "SELinux: security_context_to_sid"
614 "(%s) failed for (dev %s, type %s) errno=%d\n",
615 mount_options[i], sb->s_id, name, rc);
622 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
624 goto out_double_mount;
626 sbsec->flags |= FSCONTEXT_MNT;
631 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
633 goto out_double_mount;
635 sbsec->flags |= CONTEXT_MNT;
637 case ROOTCONTEXT_MNT:
638 rootcontext_sid = sid;
640 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
642 goto out_double_mount;
644 sbsec->flags |= ROOTCONTEXT_MNT;
648 defcontext_sid = sid;
650 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
652 goto out_double_mount;
654 sbsec->flags |= DEFCONTEXT_MNT;
663 if (sbsec->initialized) {
664 /* previously mounted with options, but not on this attempt? */
665 if (sbsec->flags && !num_opts)
666 goto out_double_mount;
671 if (strcmp(sb->s_type->name, "proc") == 0)
674 /* Determine the labeling behavior to use for this filesystem type. */
675 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
677 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
678 __func__, sb->s_type->name, rc);
682 /* sets the context of the superblock for the fs being mounted. */
685 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
689 sbsec->sid = fscontext_sid;
693 * Switch to using mount point labeling behavior.
694 * sets the label used on all file below the mountpoint, and will set
695 * the superblock context if not already set.
698 if (!fscontext_sid) {
699 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
702 sbsec->sid = context_sid;
704 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
708 if (!rootcontext_sid)
709 rootcontext_sid = context_sid;
711 sbsec->mntpoint_sid = context_sid;
712 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
715 if (rootcontext_sid) {
716 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
720 root_isec->sid = rootcontext_sid;
721 root_isec->initialized = 1;
724 if (defcontext_sid) {
725 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
727 printk(KERN_WARNING "SELinux: defcontext option is "
728 "invalid for this filesystem type\n");
732 if (defcontext_sid != sbsec->def_sid) {
733 rc = may_context_mount_inode_relabel(defcontext_sid,
739 sbsec->def_sid = defcontext_sid;
742 rc = sb_finish_set_opts(sb);
744 mutex_unlock(&sbsec->lock);
748 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
749 "security settings for (dev %s, type %s)\n", sb->s_id, name);
753 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
754 struct super_block *newsb)
756 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
757 struct superblock_security_struct *newsbsec = newsb->s_security;
759 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
760 int set_context = (oldsbsec->flags & CONTEXT_MNT);
761 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
764 * if the parent was able to be mounted it clearly had no special lsm
765 * mount options. thus we can safely put this sb on the list and deal
768 if (!ss_initialized) {
769 spin_lock(&sb_security_lock);
770 if (list_empty(&newsbsec->list))
771 list_add(&newsbsec->list, &superblock_security_head);
772 spin_unlock(&sb_security_lock);
776 /* how can we clone if the old one wasn't set up?? */
777 BUG_ON(!oldsbsec->initialized);
779 /* if fs is reusing a sb, just let its options stand... */
780 if (newsbsec->initialized)
783 mutex_lock(&newsbsec->lock);
785 newsbsec->flags = oldsbsec->flags;
787 newsbsec->sid = oldsbsec->sid;
788 newsbsec->def_sid = oldsbsec->def_sid;
789 newsbsec->behavior = oldsbsec->behavior;
792 u32 sid = oldsbsec->mntpoint_sid;
796 if (!set_rootcontext) {
797 struct inode *newinode = newsb->s_root->d_inode;
798 struct inode_security_struct *newisec = newinode->i_security;
801 newsbsec->mntpoint_sid = sid;
803 if (set_rootcontext) {
804 const struct inode *oldinode = oldsb->s_root->d_inode;
805 const struct inode_security_struct *oldisec = oldinode->i_security;
806 struct inode *newinode = newsb->s_root->d_inode;
807 struct inode_security_struct *newisec = newinode->i_security;
809 newisec->sid = oldisec->sid;
812 sb_finish_set_opts(newsb);
813 mutex_unlock(&newsbsec->lock);
816 static int selinux_parse_opts_str(char *options,
817 struct security_mnt_opts *opts)
820 char *context = NULL, *defcontext = NULL;
821 char *fscontext = NULL, *rootcontext = NULL;
822 int rc, num_mnt_opts = 0;
824 opts->num_mnt_opts = 0;
826 /* Standard string-based options. */
827 while ((p = strsep(&options, "|")) != NULL) {
829 substring_t args[MAX_OPT_ARGS];
834 token = match_token(p, tokens, args);
838 if (context || defcontext) {
840 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
843 context = match_strdup(&args[0]);
853 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
856 fscontext = match_strdup(&args[0]);
863 case Opt_rootcontext:
866 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
869 rootcontext = match_strdup(&args[0]);
877 if (context || defcontext) {
879 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
882 defcontext = match_strdup(&args[0]);
891 printk(KERN_WARNING "SELinux: unknown mount option\n");
898 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
902 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
903 if (!opts->mnt_opts_flags) {
904 kfree(opts->mnt_opts);
909 opts->mnt_opts[num_mnt_opts] = fscontext;
910 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
913 opts->mnt_opts[num_mnt_opts] = context;
914 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
917 opts->mnt_opts[num_mnt_opts] = rootcontext;
918 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
921 opts->mnt_opts[num_mnt_opts] = defcontext;
922 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
925 opts->num_mnt_opts = num_mnt_opts;
936 * string mount options parsing and call set the sbsec
938 static int superblock_doinit(struct super_block *sb, void *data)
941 char *options = data;
942 struct security_mnt_opts opts;
944 security_init_mnt_opts(&opts);
949 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
951 rc = selinux_parse_opts_str(options, &opts);
956 rc = selinux_set_mnt_opts(sb, &opts);
959 security_free_mnt_opts(&opts);
963 static inline u16 inode_mode_to_security_class(umode_t mode)
965 switch (mode & S_IFMT) {
967 return SECCLASS_SOCK_FILE;
969 return SECCLASS_LNK_FILE;
971 return SECCLASS_FILE;
973 return SECCLASS_BLK_FILE;
977 return SECCLASS_CHR_FILE;
979 return SECCLASS_FIFO_FILE;
983 return SECCLASS_FILE;
986 static inline int default_protocol_stream(int protocol)
988 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
991 static inline int default_protocol_dgram(int protocol)
993 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
996 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1002 case SOCK_SEQPACKET:
1003 return SECCLASS_UNIX_STREAM_SOCKET;
1005 return SECCLASS_UNIX_DGRAM_SOCKET;
1012 if (default_protocol_stream(protocol))
1013 return SECCLASS_TCP_SOCKET;
1015 return SECCLASS_RAWIP_SOCKET;
1017 if (default_protocol_dgram(protocol))
1018 return SECCLASS_UDP_SOCKET;
1020 return SECCLASS_RAWIP_SOCKET;
1022 return SECCLASS_DCCP_SOCKET;
1024 return SECCLASS_RAWIP_SOCKET;
1030 return SECCLASS_NETLINK_ROUTE_SOCKET;
1031 case NETLINK_FIREWALL:
1032 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1033 case NETLINK_INET_DIAG:
1034 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1036 return SECCLASS_NETLINK_NFLOG_SOCKET;
1038 return SECCLASS_NETLINK_XFRM_SOCKET;
1039 case NETLINK_SELINUX:
1040 return SECCLASS_NETLINK_SELINUX_SOCKET;
1042 return SECCLASS_NETLINK_AUDIT_SOCKET;
1043 case NETLINK_IP6_FW:
1044 return SECCLASS_NETLINK_IP6FW_SOCKET;
1045 case NETLINK_DNRTMSG:
1046 return SECCLASS_NETLINK_DNRT_SOCKET;
1047 case NETLINK_KOBJECT_UEVENT:
1048 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1050 return SECCLASS_NETLINK_SOCKET;
1053 return SECCLASS_PACKET_SOCKET;
1055 return SECCLASS_KEY_SOCKET;
1057 return SECCLASS_APPLETALK_SOCKET;
1060 return SECCLASS_SOCKET;
1063 #ifdef CONFIG_PROC_FS
1064 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1069 char *buffer, *path, *end;
1071 buffer = (char *)__get_free_page(GFP_KERNEL);
1076 end = buffer+buflen;
1081 while (de && de != de->parent) {
1082 buflen -= de->namelen + 1;
1086 memcpy(end, de->name, de->namelen);
1091 rc = security_genfs_sid("proc", path, tclass, sid);
1092 free_page((unsigned long)buffer);
1096 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1104 /* The inode's security attributes must be initialized before first use. */
1105 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1107 struct superblock_security_struct *sbsec = NULL;
1108 struct inode_security_struct *isec = inode->i_security;
1110 struct dentry *dentry;
1111 #define INITCONTEXTLEN 255
1112 char *context = NULL;
1116 if (isec->initialized)
1119 mutex_lock(&isec->lock);
1120 if (isec->initialized)
1123 sbsec = inode->i_sb->s_security;
1124 if (!sbsec->initialized) {
1125 /* Defer initialization until selinux_complete_init,
1126 after the initial policy is loaded and the security
1127 server is ready to handle calls. */
1128 spin_lock(&sbsec->isec_lock);
1129 if (list_empty(&isec->list))
1130 list_add(&isec->list, &sbsec->isec_head);
1131 spin_unlock(&sbsec->isec_lock);
1135 switch (sbsec->behavior) {
1136 case SECURITY_FS_USE_XATTR:
1137 if (!inode->i_op->getxattr) {
1138 isec->sid = sbsec->def_sid;
1142 /* Need a dentry, since the xattr API requires one.
1143 Life would be simpler if we could just pass the inode. */
1145 /* Called from d_instantiate or d_splice_alias. */
1146 dentry = dget(opt_dentry);
1148 /* Called from selinux_complete_init, try to find a dentry. */
1149 dentry = d_find_alias(inode);
1152 printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
1153 "ino=%ld\n", __func__, inode->i_sb->s_id,
1158 len = INITCONTEXTLEN;
1159 context = kmalloc(len, GFP_NOFS);
1165 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1167 if (rc == -ERANGE) {
1168 /* Need a larger buffer. Query for the right size. */
1169 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1177 context = kmalloc(len, GFP_NOFS);
1183 rc = inode->i_op->getxattr(dentry,
1189 if (rc != -ENODATA) {
1190 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1191 "%d for dev=%s ino=%ld\n", __func__,
1192 -rc, inode->i_sb->s_id, inode->i_ino);
1196 /* Map ENODATA to the default file SID */
1197 sid = sbsec->def_sid;
1200 rc = security_context_to_sid_default(context, rc, &sid,
1204 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1205 "returned %d for dev=%s ino=%ld\n",
1206 __func__, context, -rc,
1207 inode->i_sb->s_id, inode->i_ino);
1209 /* Leave with the unlabeled SID */
1217 case SECURITY_FS_USE_TASK:
1218 isec->sid = isec->task_sid;
1220 case SECURITY_FS_USE_TRANS:
1221 /* Default to the fs SID. */
1222 isec->sid = sbsec->sid;
1224 /* Try to obtain a transition SID. */
1225 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1226 rc = security_transition_sid(isec->task_sid,
1234 case SECURITY_FS_USE_MNTPOINT:
1235 isec->sid = sbsec->mntpoint_sid;
1238 /* Default to the fs superblock SID. */
1239 isec->sid = sbsec->sid;
1242 struct proc_inode *proci = PROC_I(inode);
1244 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1245 rc = selinux_proc_get_sid(proci->pde,
1256 isec->initialized = 1;
1259 mutex_unlock(&isec->lock);
1261 if (isec->sclass == SECCLASS_FILE)
1262 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1266 /* Convert a Linux signal to an access vector. */
1267 static inline u32 signal_to_av(int sig)
1273 /* Commonly granted from child to parent. */
1274 perm = PROCESS__SIGCHLD;
1277 /* Cannot be caught or ignored */
1278 perm = PROCESS__SIGKILL;
1281 /* Cannot be caught or ignored */
1282 perm = PROCESS__SIGSTOP;
1285 /* All other signals. */
1286 perm = PROCESS__SIGNAL;
1293 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1294 fork check, ptrace check, etc. */
1295 static int task_has_perm(struct task_struct *tsk1,
1296 struct task_struct *tsk2,
1299 struct task_security_struct *tsec1, *tsec2;
1301 tsec1 = tsk1->security;
1302 tsec2 = tsk2->security;
1303 return avc_has_perm(tsec1->sid, tsec2->sid,
1304 SECCLASS_PROCESS, perms, NULL);
1307 #if CAP_LAST_CAP > 63
1308 #error Fix SELinux to handle capabilities > 63.
1311 /* Check whether a task is allowed to use a capability. */
1312 static int task_has_capability(struct task_struct *tsk,
1315 struct task_security_struct *tsec;
1316 struct avc_audit_data ad;
1318 u32 av = CAP_TO_MASK(cap);
1320 tsec = tsk->security;
1322 AVC_AUDIT_DATA_INIT(&ad, CAP);
1326 switch (CAP_TO_INDEX(cap)) {
1328 sclass = SECCLASS_CAPABILITY;
1331 sclass = SECCLASS_CAPABILITY2;
1335 "SELinux: out of range capability %d\n", cap);
1338 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1341 /* Check whether a task is allowed to use a system operation. */
1342 static int task_has_system(struct task_struct *tsk,
1345 struct task_security_struct *tsec;
1347 tsec = tsk->security;
1349 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1350 SECCLASS_SYSTEM, perms, NULL);
1353 /* Check whether a task has a particular permission to an inode.
1354 The 'adp' parameter is optional and allows other audit
1355 data to be passed (e.g. the dentry). */
1356 static int inode_has_perm(struct task_struct *tsk,
1357 struct inode *inode,
1359 struct avc_audit_data *adp)
1361 struct task_security_struct *tsec;
1362 struct inode_security_struct *isec;
1363 struct avc_audit_data ad;
1365 if (unlikely(IS_PRIVATE(inode)))
1368 tsec = tsk->security;
1369 isec = inode->i_security;
1373 AVC_AUDIT_DATA_INIT(&ad, FS);
1374 ad.u.fs.inode = inode;
1377 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1380 /* Same as inode_has_perm, but pass explicit audit data containing
1381 the dentry to help the auditing code to more easily generate the
1382 pathname if needed. */
1383 static inline int dentry_has_perm(struct task_struct *tsk,
1384 struct vfsmount *mnt,
1385 struct dentry *dentry,
1388 struct inode *inode = dentry->d_inode;
1389 struct avc_audit_data ad;
1390 AVC_AUDIT_DATA_INIT(&ad, FS);
1391 ad.u.fs.path.mnt = mnt;
1392 ad.u.fs.path.dentry = dentry;
1393 return inode_has_perm(tsk, inode, av, &ad);
1396 /* Check whether a task can use an open file descriptor to
1397 access an inode in a given way. Check access to the
1398 descriptor itself, and then use dentry_has_perm to
1399 check a particular permission to the file.
1400 Access to the descriptor is implicitly granted if it
1401 has the same SID as the process. If av is zero, then
1402 access to the file is not checked, e.g. for cases
1403 where only the descriptor is affected like seek. */
1404 static int file_has_perm(struct task_struct *tsk,
1408 struct task_security_struct *tsec = tsk->security;
1409 struct file_security_struct *fsec = file->f_security;
1410 struct inode *inode = file->f_path.dentry->d_inode;
1411 struct avc_audit_data ad;
1414 AVC_AUDIT_DATA_INIT(&ad, FS);
1415 ad.u.fs.path = file->f_path;
1417 if (tsec->sid != fsec->sid) {
1418 rc = avc_has_perm(tsec->sid, fsec->sid,
1426 /* av is zero if only checking access to the descriptor. */
1428 return inode_has_perm(tsk, inode, av, &ad);
1433 /* Check whether a task can create a file. */
1434 static int may_create(struct inode *dir,
1435 struct dentry *dentry,
1438 struct task_security_struct *tsec;
1439 struct inode_security_struct *dsec;
1440 struct superblock_security_struct *sbsec;
1442 struct avc_audit_data ad;
1445 tsec = current->security;
1446 dsec = dir->i_security;
1447 sbsec = dir->i_sb->s_security;
1449 AVC_AUDIT_DATA_INIT(&ad, FS);
1450 ad.u.fs.path.dentry = dentry;
1452 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1453 DIR__ADD_NAME | DIR__SEARCH,
1458 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1459 newsid = tsec->create_sid;
1461 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1467 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1471 return avc_has_perm(newsid, sbsec->sid,
1472 SECCLASS_FILESYSTEM,
1473 FILESYSTEM__ASSOCIATE, &ad);
1476 /* Check whether a task can create a key. */
1477 static int may_create_key(u32 ksid,
1478 struct task_struct *ctx)
1480 struct task_security_struct *tsec;
1482 tsec = ctx->security;
1484 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1488 #define MAY_UNLINK 1
1491 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1492 static int may_link(struct inode *dir,
1493 struct dentry *dentry,
1497 struct task_security_struct *tsec;
1498 struct inode_security_struct *dsec, *isec;
1499 struct avc_audit_data ad;
1503 tsec = current->security;
1504 dsec = dir->i_security;
1505 isec = dentry->d_inode->i_security;
1507 AVC_AUDIT_DATA_INIT(&ad, FS);
1508 ad.u.fs.path.dentry = dentry;
1511 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1512 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1527 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1532 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1536 static inline int may_rename(struct inode *old_dir,
1537 struct dentry *old_dentry,
1538 struct inode *new_dir,
1539 struct dentry *new_dentry)
1541 struct task_security_struct *tsec;
1542 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1543 struct avc_audit_data ad;
1545 int old_is_dir, new_is_dir;
1548 tsec = current->security;
1549 old_dsec = old_dir->i_security;
1550 old_isec = old_dentry->d_inode->i_security;
1551 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1552 new_dsec = new_dir->i_security;
1554 AVC_AUDIT_DATA_INIT(&ad, FS);
1556 ad.u.fs.path.dentry = old_dentry;
1557 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1558 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1561 rc = avc_has_perm(tsec->sid, old_isec->sid,
1562 old_isec->sclass, FILE__RENAME, &ad);
1565 if (old_is_dir && new_dir != old_dir) {
1566 rc = avc_has_perm(tsec->sid, old_isec->sid,
1567 old_isec->sclass, DIR__REPARENT, &ad);
1572 ad.u.fs.path.dentry = new_dentry;
1573 av = DIR__ADD_NAME | DIR__SEARCH;
1574 if (new_dentry->d_inode)
1575 av |= DIR__REMOVE_NAME;
1576 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1579 if (new_dentry->d_inode) {
1580 new_isec = new_dentry->d_inode->i_security;
1581 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1582 rc = avc_has_perm(tsec->sid, new_isec->sid,
1584 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1592 /* Check whether a task can perform a filesystem operation. */
1593 static int superblock_has_perm(struct task_struct *tsk,
1594 struct super_block *sb,
1596 struct avc_audit_data *ad)
1598 struct task_security_struct *tsec;
1599 struct superblock_security_struct *sbsec;
1601 tsec = tsk->security;
1602 sbsec = sb->s_security;
1603 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1607 /* Convert a Linux mode and permission mask to an access vector. */
1608 static inline u32 file_mask_to_av(int mode, int mask)
1612 if ((mode & S_IFMT) != S_IFDIR) {
1613 if (mask & MAY_EXEC)
1614 av |= FILE__EXECUTE;
1615 if (mask & MAY_READ)
1618 if (mask & MAY_APPEND)
1620 else if (mask & MAY_WRITE)
1624 if (mask & MAY_EXEC)
1626 if (mask & MAY_WRITE)
1628 if (mask & MAY_READ)
1636 * Convert a file mask to an access vector and include the correct open
1639 static inline u32 open_file_mask_to_av(int mode, int mask)
1641 u32 av = file_mask_to_av(mode, mask);
1643 if (selinux_policycap_openperm) {
1645 * lnk files and socks do not really have an 'open'
1649 else if (S_ISCHR(mode))
1650 av |= CHR_FILE__OPEN;
1651 else if (S_ISBLK(mode))
1652 av |= BLK_FILE__OPEN;
1653 else if (S_ISFIFO(mode))
1654 av |= FIFO_FILE__OPEN;
1655 else if (S_ISDIR(mode))
1658 printk(KERN_ERR "SELinux: WARNING: inside %s with "
1659 "unknown mode:%x\n", __func__, mode);
1664 /* Convert a Linux file to an access vector. */
1665 static inline u32 file_to_av(struct file *file)
1669 if (file->f_mode & FMODE_READ)
1671 if (file->f_mode & FMODE_WRITE) {
1672 if (file->f_flags & O_APPEND)
1679 * Special file opened with flags 3 for ioctl-only use.
1687 /* Hook functions begin here. */
1689 static int selinux_ptrace(struct task_struct *parent,
1690 struct task_struct *child,
1695 rc = secondary_ops->ptrace(parent, child, mode);
1699 if (mode == PTRACE_MODE_READ) {
1700 struct task_security_struct *tsec = parent->security;
1701 struct task_security_struct *csec = child->security;
1702 return avc_has_perm(tsec->sid, csec->sid,
1703 SECCLASS_FILE, FILE__READ, NULL);
1706 return task_has_perm(parent, child, PROCESS__PTRACE);
1709 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1710 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1714 error = task_has_perm(current, target, PROCESS__GETCAP);
1718 return secondary_ops->capget(target, effective, inheritable, permitted);
1721 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1722 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1726 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1730 return task_has_perm(current, target, PROCESS__SETCAP);
1733 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1734 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1736 secondary_ops->capset_set(target, effective, inheritable, permitted);
1739 static int selinux_capable(struct task_struct *tsk, int cap)
1743 rc = secondary_ops->capable(tsk, cap);
1747 return task_has_capability(tsk, cap);
1750 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1753 char *buffer, *path, *end;
1756 buffer = (char *)__get_free_page(GFP_KERNEL);
1761 end = buffer+buflen;
1767 const char *name = table->procname;
1768 size_t namelen = strlen(name);
1769 buflen -= namelen + 1;
1773 memcpy(end, name, namelen);
1776 table = table->parent;
1782 memcpy(end, "/sys", 4);
1784 rc = security_genfs_sid("proc", path, tclass, sid);
1786 free_page((unsigned long)buffer);
1791 static int selinux_sysctl(ctl_table *table, int op)
1795 struct task_security_struct *tsec;
1799 rc = secondary_ops->sysctl(table, op);
1803 tsec = current->security;
1805 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1806 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1808 /* Default to the well-defined sysctl SID. */
1809 tsid = SECINITSID_SYSCTL;
1812 /* The op values are "defined" in sysctl.c, thereby creating
1813 * a bad coupling between this module and sysctl.c */
1815 error = avc_has_perm(tsec->sid, tsid,
1816 SECCLASS_DIR, DIR__SEARCH, NULL);
1824 error = avc_has_perm(tsec->sid, tsid,
1825 SECCLASS_FILE, av, NULL);
1831 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1844 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1850 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1854 rc = 0; /* let the kernel handle invalid cmds */
1860 static int selinux_quota_on(struct dentry *dentry)
1862 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1865 static int selinux_syslog(int type)
1869 rc = secondary_ops->syslog(type);
1874 case 3: /* Read last kernel messages */
1875 case 10: /* Return size of the log buffer */
1876 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1878 case 6: /* Disable logging to console */
1879 case 7: /* Enable logging to console */
1880 case 8: /* Set level of messages printed to console */
1881 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1883 case 0: /* Close log */
1884 case 1: /* Open log */
1885 case 2: /* Read from log */
1886 case 4: /* Read/clear last kernel messages */
1887 case 5: /* Clear ring buffer */
1889 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1896 * Check that a process has enough memory to allocate a new virtual
1897 * mapping. 0 means there is enough memory for the allocation to
1898 * succeed and -ENOMEM implies there is not.
1900 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1901 * if the capability is granted, but __vm_enough_memory requires 1 if
1902 * the capability is granted.
1904 * Do not audit the selinux permission check, as this is applied to all
1905 * processes that allocate mappings.
1907 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1909 int rc, cap_sys_admin = 0;
1910 struct task_security_struct *tsec = current->security;
1912 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1914 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1915 SECCLASS_CAPABILITY,
1916 CAP_TO_MASK(CAP_SYS_ADMIN),
1923 return __vm_enough_memory(mm, pages, cap_sys_admin);
1927 * task_tracer_task - return the task that is tracing the given task
1928 * @task: task to consider
1930 * Returns NULL if noone is tracing @task, or the &struct task_struct
1931 * pointer to its tracer.
1933 * Must be called under rcu_read_lock().
1935 static struct task_struct *task_tracer_task(struct task_struct *task)
1937 if (task->ptrace & PT_PTRACED)
1938 return rcu_dereference(task->parent);
1942 /* binprm security operations */
1944 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1946 struct bprm_security_struct *bsec;
1948 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1952 bsec->sid = SECINITSID_UNLABELED;
1955 bprm->security = bsec;
1959 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1961 struct task_security_struct *tsec;
1962 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1963 struct inode_security_struct *isec;
1964 struct bprm_security_struct *bsec;
1966 struct avc_audit_data ad;
1969 rc = secondary_ops->bprm_set_security(bprm);
1973 bsec = bprm->security;
1978 tsec = current->security;
1979 isec = inode->i_security;
1981 /* Default to the current task SID. */
1982 bsec->sid = tsec->sid;
1984 /* Reset fs, key, and sock SIDs on execve. */
1985 tsec->create_sid = 0;
1986 tsec->keycreate_sid = 0;
1987 tsec->sockcreate_sid = 0;
1989 if (tsec->exec_sid) {
1990 newsid = tsec->exec_sid;
1991 /* Reset exec SID on execve. */
1994 /* Check for a default transition on this program. */
1995 rc = security_transition_sid(tsec->sid, isec->sid,
1996 SECCLASS_PROCESS, &newsid);
2001 AVC_AUDIT_DATA_INIT(&ad, FS);
2002 ad.u.fs.path = bprm->file->f_path;
2004 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2007 if (tsec->sid == newsid) {
2008 rc = avc_has_perm(tsec->sid, isec->sid,
2009 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2013 /* Check permissions for the transition. */
2014 rc = avc_has_perm(tsec->sid, newsid,
2015 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2019 rc = avc_has_perm(newsid, isec->sid,
2020 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2024 /* Clear any possibly unsafe personality bits on exec: */
2025 current->personality &= ~PER_CLEAR_ON_SETID;
2027 /* Set the security field to the new SID. */
2035 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2037 return secondary_ops->bprm_check_security(bprm);
2041 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2043 struct task_security_struct *tsec = current->security;
2046 if (tsec->osid != tsec->sid) {
2047 /* Enable secure mode for SIDs transitions unless
2048 the noatsecure permission is granted between
2049 the two SIDs, i.e. ahp returns 0. */
2050 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2052 PROCESS__NOATSECURE, NULL);
2055 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2058 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2060 kfree(bprm->security);
2061 bprm->security = NULL;
2064 extern struct vfsmount *selinuxfs_mount;
2065 extern struct dentry *selinux_null;
2067 /* Derived from fs/exec.c:flush_old_files. */
2068 static inline void flush_unauthorized_files(struct files_struct *files)
2070 struct avc_audit_data ad;
2071 struct file *file, *devnull = NULL;
2072 struct tty_struct *tty;
2073 struct fdtable *fdt;
2077 mutex_lock(&tty_mutex);
2078 tty = get_current_tty();
2081 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2083 /* Revalidate access to controlling tty.
2084 Use inode_has_perm on the tty inode directly rather
2085 than using file_has_perm, as this particular open
2086 file may belong to another process and we are only
2087 interested in the inode-based check here. */
2088 struct inode *inode = file->f_path.dentry->d_inode;
2089 if (inode_has_perm(current, inode,
2090 FILE__READ | FILE__WRITE, NULL)) {
2096 mutex_unlock(&tty_mutex);
2097 /* Reset controlling tty. */
2101 /* Revalidate access to inherited open files. */
2103 AVC_AUDIT_DATA_INIT(&ad, FS);
2105 spin_lock(&files->file_lock);
2107 unsigned long set, i;
2112 fdt = files_fdtable(files);
2113 if (i >= fdt->max_fds)
2115 set = fdt->open_fds->fds_bits[j];
2118 spin_unlock(&files->file_lock);
2119 for ( ; set ; i++, set >>= 1) {
2124 if (file_has_perm(current,
2126 file_to_av(file))) {
2128 fd = get_unused_fd();
2138 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2139 if (IS_ERR(devnull)) {
2146 fd_install(fd, devnull);
2151 spin_lock(&files->file_lock);
2154 spin_unlock(&files->file_lock);
2157 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2159 struct task_security_struct *tsec;
2160 struct bprm_security_struct *bsec;
2164 secondary_ops->bprm_apply_creds(bprm, unsafe);
2166 tsec = current->security;
2168 bsec = bprm->security;
2171 tsec->osid = tsec->sid;
2173 if (tsec->sid != sid) {
2174 /* Check for shared state. If not ok, leave SID
2175 unchanged and kill. */
2176 if (unsafe & LSM_UNSAFE_SHARE) {
2177 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2178 PROCESS__SHARE, NULL);
2185 /* Check for ptracing, and update the task SID if ok.
2186 Otherwise, leave SID unchanged and kill. */
2187 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2188 struct task_struct *tracer;
2189 struct task_security_struct *sec;
2193 tracer = task_tracer_task(current);
2194 if (likely(tracer != NULL)) {
2195 sec = tracer->security;
2201 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2202 PROCESS__PTRACE, NULL);
2214 * called after apply_creds without the task lock held
2216 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2218 struct task_security_struct *tsec;
2219 struct rlimit *rlim, *initrlim;
2220 struct itimerval itimer;
2221 struct bprm_security_struct *bsec;
2224 tsec = current->security;
2225 bsec = bprm->security;
2228 force_sig_specific(SIGKILL, current);
2231 if (tsec->osid == tsec->sid)
2234 /* Close files for which the new task SID is not authorized. */
2235 flush_unauthorized_files(current->files);
2237 /* Check whether the new SID can inherit signal state
2238 from the old SID. If not, clear itimers to avoid
2239 subsequent signal generation and flush and unblock
2240 signals. This must occur _after_ the task SID has
2241 been updated so that any kill done after the flush
2242 will be checked against the new SID. */
2243 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2244 PROCESS__SIGINH, NULL);
2246 memset(&itimer, 0, sizeof itimer);
2247 for (i = 0; i < 3; i++)
2248 do_setitimer(i, &itimer, NULL);
2249 flush_signals(current);
2250 spin_lock_irq(¤t->sighand->siglock);
2251 flush_signal_handlers(current, 1);
2252 sigemptyset(¤t->blocked);
2253 recalc_sigpending();
2254 spin_unlock_irq(¤t->sighand->siglock);
2257 /* Always clear parent death signal on SID transitions. */
2258 current->pdeath_signal = 0;
2260 /* Check whether the new SID can inherit resource limits
2261 from the old SID. If not, reset all soft limits to
2262 the lower of the current task's hard limit and the init
2263 task's soft limit. Note that the setting of hard limits
2264 (even to lower them) can be controlled by the setrlimit
2265 check. The inclusion of the init task's soft limit into
2266 the computation is to avoid resetting soft limits higher
2267 than the default soft limit for cases where the default
2268 is lower than the hard limit, e.g. RLIMIT_CORE or
2270 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2271 PROCESS__RLIMITINH, NULL);
2273 for (i = 0; i < RLIM_NLIMITS; i++) {
2274 rlim = current->signal->rlim + i;
2275 initrlim = init_task.signal->rlim+i;
2276 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2278 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2280 * This will cause RLIMIT_CPU calculations
2283 current->it_prof_expires = jiffies_to_cputime(1);
2287 /* Wake up the parent if it is waiting so that it can
2288 recheck wait permission to the new task SID. */
2289 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
2292 /* superblock security operations */
2294 static int selinux_sb_alloc_security(struct super_block *sb)
2296 return superblock_alloc_security(sb);
2299 static void selinux_sb_free_security(struct super_block *sb)
2301 superblock_free_security(sb);
2304 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2309 return !memcmp(prefix, option, plen);
2312 static inline int selinux_option(char *option, int len)
2314 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2315 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2316 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2317 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2320 static inline void take_option(char **to, char *from, int *first, int len)
2327 memcpy(*to, from, len);
2331 static inline void take_selinux_option(char **to, char *from, int *first,
2334 int current_size = 0;
2342 while (current_size < len) {
2352 static int selinux_sb_copy_data(char *orig, char *copy)
2354 int fnosec, fsec, rc = 0;
2355 char *in_save, *in_curr, *in_end;
2356 char *sec_curr, *nosec_save, *nosec;
2362 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2370 in_save = in_end = orig;
2374 open_quote = !open_quote;
2375 if ((*in_end == ',' && open_quote == 0) ||
2377 int len = in_end - in_curr;
2379 if (selinux_option(in_curr, len))
2380 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2382 take_option(&nosec, in_curr, &fnosec, len);
2384 in_curr = in_end + 1;
2386 } while (*in_end++);
2388 strcpy(in_save, nosec_save);
2389 free_page((unsigned long)nosec_save);
2394 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2396 struct avc_audit_data ad;
2399 rc = superblock_doinit(sb, data);
2403 AVC_AUDIT_DATA_INIT(&ad, FS);
2404 ad.u.fs.path.dentry = sb->s_root;
2405 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2408 static int selinux_sb_statfs(struct dentry *dentry)
2410 struct avc_audit_data ad;
2412 AVC_AUDIT_DATA_INIT(&ad, FS);
2413 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2414 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2417 static int selinux_mount(char *dev_name,
2420 unsigned long flags,
2425 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2429 if (flags & MS_REMOUNT)
2430 return superblock_has_perm(current, path->mnt->mnt_sb,
2431 FILESYSTEM__REMOUNT, NULL);
2433 return dentry_has_perm(current, path->mnt, path->dentry,
2437 static int selinux_umount(struct vfsmount *mnt, int flags)
2441 rc = secondary_ops->sb_umount(mnt, flags);
2445 return superblock_has_perm(current, mnt->mnt_sb,
2446 FILESYSTEM__UNMOUNT, NULL);
2449 /* inode security operations */
2451 static int selinux_inode_alloc_security(struct inode *inode)
2453 return inode_alloc_security(inode);
2456 static void selinux_inode_free_security(struct inode *inode)
2458 inode_free_security(inode);
2461 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2462 char **name, void **value,
2465 struct task_security_struct *tsec;
2466 struct inode_security_struct *dsec;
2467 struct superblock_security_struct *sbsec;
2470 char *namep = NULL, *context;
2472 tsec = current->security;
2473 dsec = dir->i_security;
2474 sbsec = dir->i_sb->s_security;
2476 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2477 newsid = tsec->create_sid;
2479 rc = security_transition_sid(tsec->sid, dsec->sid,
2480 inode_mode_to_security_class(inode->i_mode),
2483 printk(KERN_WARNING "%s: "
2484 "security_transition_sid failed, rc=%d (dev=%s "
2487 -rc, inode->i_sb->s_id, inode->i_ino);
2492 /* Possibly defer initialization to selinux_complete_init. */
2493 if (sbsec->initialized) {
2494 struct inode_security_struct *isec = inode->i_security;
2495 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2497 isec->initialized = 1;
2500 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2504 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2511 rc = security_sid_to_context_force(newsid, &context, &clen);
2523 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2525 return may_create(dir, dentry, SECCLASS_FILE);
2528 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2532 rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2535 return may_link(dir, old_dentry, MAY_LINK);
2538 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2542 rc = secondary_ops->inode_unlink(dir, dentry);
2545 return may_link(dir, dentry, MAY_UNLINK);
2548 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2550 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2553 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2555 return may_create(dir, dentry, SECCLASS_DIR);
2558 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2560 return may_link(dir, dentry, MAY_RMDIR);
2563 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2567 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2571 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2574 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2575 struct inode *new_inode, struct dentry *new_dentry)
2577 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2580 static int selinux_inode_readlink(struct dentry *dentry)
2582 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2585 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2589 rc = secondary_ops->inode_follow_link(dentry, nameidata);
2592 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2595 static int selinux_inode_permission(struct inode *inode, int mask,
2596 struct nameidata *nd)
2600 rc = secondary_ops->inode_permission(inode, mask, nd);
2605 /* No permission to check. Existence test. */
2609 return inode_has_perm(current, inode,
2610 open_file_mask_to_av(inode->i_mode, mask), NULL);
2613 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2617 rc = secondary_ops->inode_setattr(dentry, iattr);
2621 if (iattr->ia_valid & ATTR_FORCE)
2624 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2625 ATTR_ATIME_SET | ATTR_MTIME_SET))
2626 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2628 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2631 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2633 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2636 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2638 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2639 sizeof XATTR_SECURITY_PREFIX - 1)) {
2640 if (!strcmp(name, XATTR_NAME_CAPS)) {
2641 if (!capable(CAP_SETFCAP))
2643 } else if (!capable(CAP_SYS_ADMIN)) {
2644 /* A different attribute in the security namespace.
2645 Restrict to administrator. */
2650 /* Not an attribute we recognize, so just check the
2651 ordinary setattr permission. */
2652 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2655 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2656 const void *value, size_t size, int flags)
2658 struct task_security_struct *tsec = current->security;
2659 struct inode *inode = dentry->d_inode;
2660 struct inode_security_struct *isec = inode->i_security;
2661 struct superblock_security_struct *sbsec;
2662 struct avc_audit_data ad;
2666 if (strcmp(name, XATTR_NAME_SELINUX))
2667 return selinux_inode_setotherxattr(dentry, name);
2669 sbsec = inode->i_sb->s_security;
2670 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2673 if (!is_owner_or_cap(inode))
2676 AVC_AUDIT_DATA_INIT(&ad, FS);
2677 ad.u.fs.path.dentry = dentry;
2679 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2680 FILE__RELABELFROM, &ad);
2684 rc = security_context_to_sid(value, size, &newsid);
2685 if (rc == -EINVAL) {
2686 if (!capable(CAP_MAC_ADMIN))
2688 rc = security_context_to_sid_force(value, size, &newsid);
2693 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2694 FILE__RELABELTO, &ad);
2698 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2703 return avc_has_perm(newsid,
2705 SECCLASS_FILESYSTEM,
2706 FILESYSTEM__ASSOCIATE,
2710 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2711 const void *value, size_t size,
2714 struct inode *inode = dentry->d_inode;
2715 struct inode_security_struct *isec = inode->i_security;
2719 if (strcmp(name, XATTR_NAME_SELINUX)) {
2720 /* Not an attribute we recognize, so nothing to do. */
2724 rc = security_context_to_sid_force(value, size, &newsid);
2726 printk(KERN_ERR "SELinux: unable to map context to SID"
2727 "for (%s, %lu), rc=%d\n",
2728 inode->i_sb->s_id, inode->i_ino, -rc);
2736 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2738 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2741 static int selinux_inode_listxattr(struct dentry *dentry)
2743 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2746 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2748 if (strcmp(name, XATTR_NAME_SELINUX))
2749 return selinux_inode_setotherxattr(dentry, name);
2751 /* No one is allowed to remove a SELinux security label.
2752 You can change the label, but all data must be labeled. */
2757 * Copy the inode security context value to the user.
2759 * Permission check is handled by selinux_inode_getxattr hook.
2761 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2765 char *context = NULL;
2766 struct task_security_struct *tsec = current->security;
2767 struct inode_security_struct *isec = inode->i_security;
2769 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2773 * If the caller has CAP_MAC_ADMIN, then get the raw context
2774 * value even if it is not defined by current policy; otherwise,
2775 * use the in-core value under current policy.
2776 * Use the non-auditing forms of the permission checks since
2777 * getxattr may be called by unprivileged processes commonly
2778 * and lack of permission just means that we fall back to the
2779 * in-core context value, not a denial.
2781 error = secondary_ops->capable(current, CAP_MAC_ADMIN);
2783 error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2784 SECCLASS_CAPABILITY2,
2785 CAPABILITY2__MAC_ADMIN,
2789 error = security_sid_to_context_force(isec->sid, &context,
2792 error = security_sid_to_context(isec->sid, &context, &size);
2805 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2806 const void *value, size_t size, int flags)
2808 struct inode_security_struct *isec = inode->i_security;
2812 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2815 if (!value || !size)
2818 rc = security_context_to_sid((void *)value, size, &newsid);
2826 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2828 const int len = sizeof(XATTR_NAME_SELINUX);
2829 if (buffer && len <= buffer_size)
2830 memcpy(buffer, XATTR_NAME_SELINUX, len);
2834 static int selinux_inode_need_killpriv(struct dentry *dentry)
2836 return secondary_ops->inode_need_killpriv(dentry);
2839 static int selinux_inode_killpriv(struct dentry *dentry)
2841 return secondary_ops->inode_killpriv(dentry);
2844 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2846 struct inode_security_struct *isec = inode->i_security;
2850 /* file security operations */
2852 static int selinux_revalidate_file_permission(struct file *file, int mask)
2855 struct inode *inode = file->f_path.dentry->d_inode;
2858 /* No permission to check. Existence test. */
2862 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2863 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2866 rc = file_has_perm(current, file,
2867 file_mask_to_av(inode->i_mode, mask));
2871 return selinux_netlbl_inode_permission(inode, mask);
2874 static int selinux_file_permission(struct file *file, int mask)
2876 struct inode *inode = file->f_path.dentry->d_inode;
2877 struct task_security_struct *tsec = current->security;
2878 struct file_security_struct *fsec = file->f_security;
2879 struct inode_security_struct *isec = inode->i_security;
2882 /* No permission to check. Existence test. */
2886 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2887 && fsec->pseqno == avc_policy_seqno())
2888 return selinux_netlbl_inode_permission(inode, mask);
2890 return selinux_revalidate_file_permission(file, mask);
2893 static int selinux_file_alloc_security(struct file *file)
2895 return file_alloc_security(file);
2898 static void selinux_file_free_security(struct file *file)
2900 file_free_security(file);
2903 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2915 case EXT2_IOC_GETFLAGS:
2917 case EXT2_IOC_GETVERSION:
2918 error = file_has_perm(current, file, FILE__GETATTR);
2921 case EXT2_IOC_SETFLAGS:
2923 case EXT2_IOC_SETVERSION:
2924 error = file_has_perm(current, file, FILE__SETATTR);
2927 /* sys_ioctl() checks */
2931 error = file_has_perm(current, file, 0);
2936 error = task_has_capability(current, CAP_SYS_TTY_CONFIG);
2939 /* default case assumes that the command will go
2940 * to the file's ioctl() function.
2943 error = file_has_perm(current, file, FILE__IOCTL);
2948 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2950 #ifndef CONFIG_PPC32
2951 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2953 * We are making executable an anonymous mapping or a
2954 * private file mapping that will also be writable.
2955 * This has an additional check.
2957 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2964 /* read access is always possible with a mapping */
2965 u32 av = FILE__READ;
2967 /* write access only matters if the mapping is shared */
2968 if (shared && (prot & PROT_WRITE))
2971 if (prot & PROT_EXEC)
2972 av |= FILE__EXECUTE;
2974 return file_has_perm(current, file, av);
2979 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2980 unsigned long prot, unsigned long flags,
2981 unsigned long addr, unsigned long addr_only)
2984 u32 sid = ((struct task_security_struct *)(current->security))->sid;
2986 if (addr < mmap_min_addr)
2987 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2988 MEMPROTECT__MMAP_ZERO, NULL);
2989 if (rc || addr_only)
2992 if (selinux_checkreqprot)
2995 return file_map_prot_check(file, prot,
2996 (flags & MAP_TYPE) == MAP_SHARED);
2999 static int selinux_file_mprotect(struct vm_area_struct *vma,
3000 unsigned long reqprot,
3005 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3009 if (selinux_checkreqprot)
3012 #ifndef CONFIG_PPC32
3013 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3015 if (vma->vm_start >= vma->vm_mm->start_brk &&
3016 vma->vm_end <= vma->vm_mm->brk) {
3017 rc = task_has_perm(current, current,
3019 } else if (!vma->vm_file &&
3020 vma->vm_start <= vma->vm_mm->start_stack &&
3021 vma->vm_end >= vma->vm_mm->start_stack) {
3022 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3023 } else if (vma->vm_file && vma->anon_vma) {
3025 * We are making executable a file mapping that has
3026 * had some COW done. Since pages might have been
3027 * written, check ability to execute the possibly
3028 * modified content. This typically should only
3029 * occur for text relocations.
3031 rc = file_has_perm(current, vma->vm_file,
3039 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3042 static int selinux_file_lock(struct file *file, unsigned int cmd)
3044 return file_has_perm(current, file, FILE__LOCK);
3047 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3054 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3059 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3060 err = file_has_perm(current, file, FILE__WRITE);
3069 /* Just check FD__USE permission */
3070 err = file_has_perm(current, file, 0);
3075 #if BITS_PER_LONG == 32
3080 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3084 err = file_has_perm(current, file, FILE__LOCK);
3091 static int selinux_file_set_fowner(struct file *file)
3093 struct task_security_struct *tsec;
3094 struct file_security_struct *fsec;
3096 tsec = current->security;
3097 fsec = file->f_security;
3098 fsec->fown_sid = tsec->sid;
3103 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3104 struct fown_struct *fown, int signum)
3108 struct task_security_struct *tsec;
3109 struct file_security_struct *fsec;
3111 /* struct fown_struct is never outside the context of a struct file */
3112 file = container_of(fown, struct file, f_owner);
3114 tsec = tsk->security;
3115 fsec = file->f_security;
3118 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3120 perm = signal_to_av(signum);
3122 return avc_has_perm(fsec->fown_sid, tsec->sid,
3123 SECCLASS_PROCESS, perm, NULL);
3126 static int selinux_file_receive(struct file *file)
3128 return file_has_perm(current, file, file_to_av(file));
3131 static int selinux_dentry_open(struct file *file)
3133 struct file_security_struct *fsec;
3134 struct inode *inode;
3135 struct inode_security_struct *isec;
3136 inode = file->f_path.dentry->d_inode;
3137 fsec = file->f_security;
3138 isec = inode->i_security;
3140 * Save inode label and policy sequence number
3141 * at open-time so that selinux_file_permission
3142 * can determine whether revalidation is necessary.
3143 * Task label is already saved in the file security
3144 * struct as its SID.
3146 fsec->isid = isec->sid;
3147 fsec->pseqno = avc_policy_seqno();
3149 * Since the inode label or policy seqno may have changed
3150 * between the selinux_inode_permission check and the saving
3151 * of state above, recheck that access is still permitted.
3152 * Otherwise, access might never be revalidated against the
3153 * new inode label or new policy.
3154 * This check is not redundant - do not remove.
3156 return inode_has_perm(current, inode, file_to_av(file), NULL);
3159 /* task security operations */
3161 static int selinux_task_create(unsigned long clone_flags)
3165 rc = secondary_ops->task_create(clone_flags);
3169 return task_has_perm(current, current, PROCESS__FORK);
3172 static int selinux_task_alloc_security(struct task_struct *tsk)
3174 struct task_security_struct *tsec1, *tsec2;
3177 tsec1 = current->security;
3179 rc = task_alloc_security(tsk);
3182 tsec2 = tsk->security;
3184 tsec2->osid = tsec1->osid;
3185 tsec2->sid = tsec1->sid;
3187 /* Retain the exec, fs, key, and sock SIDs across fork */
3188 tsec2->exec_sid = tsec1->exec_sid;
3189 tsec2->create_sid = tsec1->create_sid;
3190 tsec2->keycreate_sid = tsec1->keycreate_sid;
3191 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3196 static void selinux_task_free_security(struct task_struct *tsk)
3198 task_free_security(tsk);
3201 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3203 /* Since setuid only affects the current process, and
3204 since the SELinux controls are not based on the Linux
3205 identity attributes, SELinux does not need to control
3206 this operation. However, SELinux does control the use
3207 of the CAP_SETUID and CAP_SETGID capabilities using the
3212 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3214 return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3217 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3219 /* See the comment for setuid above. */
3223 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3225 return task_has_perm(current, p, PROCESS__SETPGID);
3228 static int selinux_task_getpgid(struct task_struct *p)
3230 return task_has_perm(current, p, PROCESS__GETPGID);
3233 static int selinux_task_getsid(struct task_struct *p)
3235 return task_has_perm(current, p, PROCESS__GETSESSION);
3238 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3240 struct task_security_struct *tsec = p->security;
3244 static int selinux_task_setgroups(struct group_info *group_info)
3246 /* See the comment for setuid above. */
3250 static int selinux_task_setnice(struct task_struct *p, int nice)
3254 rc = secondary_ops->task_setnice(p, nice);
3258 return task_has_perm(current, p, PROCESS__SETSCHED);
3261 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3265 rc = secondary_ops->task_setioprio(p, ioprio);
3269 return task_has_perm(current, p, PROCESS__SETSCHED);
3272 static int selinux_task_getioprio(struct task_struct *p)
3274 return task_has_perm(current, p, PROCESS__GETSCHED);
3277 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3279 struct rlimit *old_rlim = current->signal->rlim + resource;
3282 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3286 /* Control the ability to change the hard limit (whether
3287 lowering or raising it), so that the hard limit can
3288 later be used as a safe reset point for the soft limit
3289 upon context transitions. See selinux_bprm_apply_creds. */
3290 if (old_rlim->rlim_max != new_rlim->rlim_max)
3291 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3296 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3300 rc = secondary_ops->task_setscheduler(p, policy, lp);
3304 return task_has_perm(current, p, PROCESS__SETSCHED);
3307 static int selinux_task_getscheduler(struct task_struct *p)
3309 return task_has_perm(current, p, PROCESS__GETSCHED);
3312 static int selinux_task_movememory(struct task_struct *p)
3314 return task_has_perm(current, p, PROCESS__SETSCHED);
3317 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3322 struct task_security_struct *tsec;
3324 rc = secondary_ops->task_kill(p, info, sig, secid);
3329 perm = PROCESS__SIGNULL; /* null signal; existence test */
3331 perm = signal_to_av(sig);
3334 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3336 rc = task_has_perm(current, p, perm);
3340 static int selinux_task_prctl(int option,
3347 /* The current prctl operations do not appear to require
3348 any SELinux controls since they merely observe or modify
3349 the state of the current process. */
3350 return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
3353 static int selinux_task_wait(struct task_struct *p)
3355 return task_has_perm(p, current, PROCESS__SIGCHLD);
3358 static void selinux_task_reparent_to_init(struct task_struct *p)
3360 struct task_security_struct *tsec;
3362 secondary_ops->task_reparent_to_init(p);
3365 tsec->osid = tsec->sid;
3366 tsec->sid = SECINITSID_KERNEL;
3370 static void selinux_task_to_inode(struct task_struct *p,
3371 struct inode *inode)
3373 struct task_security_struct *tsec = p->security;
3374 struct inode_security_struct *isec = inode->i_security;
3376 isec->sid = tsec->sid;
3377 isec->initialized = 1;
3381 /* Returns error only if unable to parse addresses */
3382 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3383 struct avc_audit_data *ad, u8 *proto)
3385 int offset, ihlen, ret = -EINVAL;
3386 struct iphdr _iph, *ih;
3388 offset = skb_network_offset(skb);
3389 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3393 ihlen = ih->ihl * 4;
3394 if (ihlen < sizeof(_iph))
3397 ad->u.net.v4info.saddr = ih->saddr;
3398 ad->u.net.v4info.daddr = ih->daddr;
3402 *proto = ih->protocol;
3404 switch (ih->protocol) {
3406 struct tcphdr _tcph, *th;
3408 if (ntohs(ih->frag_off) & IP_OFFSET)
3412 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3416 ad->u.net.sport = th->source;
3417 ad->u.net.dport = th->dest;
3422 struct udphdr _udph, *uh;
3424 if (ntohs(ih->frag_off) & IP_OFFSET)
3428 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3432 ad->u.net.sport = uh->source;
3433 ad->u.net.dport = uh->dest;
3437 case IPPROTO_DCCP: {
3438 struct dccp_hdr _dccph, *dh;
3440 if (ntohs(ih->frag_off) & IP_OFFSET)
3444 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3448 ad->u.net.sport = dh->dccph_sport;
3449 ad->u.net.dport = dh->dccph_dport;
3460 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3462 /* Returns error only if unable to parse addresses */
3463 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3464 struct avc_audit_data *ad, u8 *proto)
3467 int ret = -EINVAL, offset;
3468 struct ipv6hdr _ipv6h, *ip6;
3470 offset = skb_network_offset(skb);
3471 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3475 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3476 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3479 nexthdr = ip6->nexthdr;
3480 offset += sizeof(_ipv6h);
3481 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3490 struct tcphdr _tcph, *th;
3492 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3496 ad->u.net.sport = th->source;
3497 ad->u.net.dport = th->dest;
3502 struct udphdr _udph, *uh;
3504 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3508 ad->u.net.sport = uh->source;
3509 ad->u.net.dport = uh->dest;
3513 case IPPROTO_DCCP: {
3514 struct dccp_hdr _dccph, *dh;
3516 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3520 ad->u.net.sport = dh->dccph_sport;
3521 ad->u.net.dport = dh->dccph_dport;
3525 /* includes fragments */
3535 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3536 char **addrp, int src, u8 *proto)
3540 switch (ad->u.net.family) {
3542 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3545 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3546 &ad->u.net.v4info.daddr);
3549 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3551 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3554 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3555 &ad->u.net.v6info.daddr);
3564 "SELinux: failure in selinux_parse_skb(),"
3565 " unable to parse packet\n");
3571 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3573 * @family: protocol family
3574 * @sid: the packet's peer label SID
3577 * Check the various different forms of network peer labeling and determine
3578 * the peer label/SID for the packet; most of the magic actually occurs in
3579 * the security server function security_net_peersid_cmp(). The function
3580 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3581 * or -EACCES if @sid is invalid due to inconsistencies with the different
3585 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3592 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3593 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3595 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3596 if (unlikely(err)) {
3598 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3599 " unable to determine packet's peer label\n");
3606 /* socket security operations */
3607 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3610 struct inode_security_struct *isec;
3611 struct task_security_struct *tsec;
3612 struct avc_audit_data ad;
3615 tsec = task->security;
3616 isec = SOCK_INODE(sock)->i_security;
3618 if (isec->sid == SECINITSID_KERNEL)
3621 AVC_AUDIT_DATA_INIT(&ad, NET);
3622 ad.u.net.sk = sock->sk;
3623 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3629 static int selinux_socket_create(int family, int type,
3630 int protocol, int kern)
3633 struct task_security_struct *tsec;
3639 tsec = current->security;
3640 newsid = tsec->sockcreate_sid ? : tsec->sid;
3641 err = avc_has_perm(tsec->sid, newsid,
3642 socket_type_to_security_class(family, type,
3643 protocol), SOCKET__CREATE, NULL);
3649 static int selinux_socket_post_create(struct socket *sock, int family,
3650 int type, int protocol, int kern)
3653 struct inode_security_struct *isec;
3654 struct task_security_struct *tsec;
3655 struct sk_security_struct *sksec;
3658 isec = SOCK_INODE(sock)->i_security;
3660 tsec = current->security;
3661 newsid = tsec->sockcreate_sid ? : tsec->sid;
3662 isec->sclass = socket_type_to_security_class(family, type, protocol);
3663 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3664 isec->initialized = 1;
3667 sksec = sock->sk->sk_security;
3668 sksec->sid = isec->sid;
3669 sksec->sclass = isec->sclass;
3670 err = selinux_netlbl_socket_post_create(sock);
3676 /* Range of port numbers used to automatically bind.
3677 Need to determine whether we should perform a name_bind
3678 permission check between the socket and the port number. */
3680 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3685 err = socket_has_perm(current, sock, SOCKET__BIND);
3690 * If PF_INET or PF_INET6, check name_bind permission for the port.
3691 * Multiple address binding for SCTP is not supported yet: we just
3692 * check the first address now.
3694 family = sock->sk->sk_family;
3695 if (family == PF_INET || family == PF_INET6) {
3697 struct inode_security_struct *isec;
3698 struct task_security_struct *tsec;
3699 struct avc_audit_data ad;
3700 struct sockaddr_in *addr4 = NULL;
3701 struct sockaddr_in6 *addr6 = NULL;
3702 unsigned short snum;
3703 struct sock *sk = sock->sk;
3704 u32 sid, node_perm, addrlen;
3706 tsec = current->security;
3707 isec = SOCK_INODE(sock)->i_security;
3709 if (family == PF_INET) {
3710 addr4 = (struct sockaddr_in *)address;
3711 snum = ntohs(addr4->sin_port);
3712 addrlen = sizeof(addr4->sin_addr.s_addr);
3713 addrp = (char *)&addr4->sin_addr.s_addr;
3715 addr6 = (struct sockaddr_in6 *)address;
3716 snum = ntohs(addr6->sin6_port);
3717 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3718 addrp = (char *)&addr6->sin6_addr.s6_addr;
3724 inet_get_local_port_range(&low, &high);
3726 if (snum < max(PROT_SOCK, low) || snum > high) {
3727 err = sel_netport_sid(sk->sk_protocol,
3731 AVC_AUDIT_DATA_INIT(&ad, NET);
3732 ad.u.net.sport = htons(snum);
3733 ad.u.net.family = family;
3734 err = avc_has_perm(isec->sid, sid,
3736 SOCKET__NAME_BIND, &ad);
3742 switch (isec->sclass) {
3743 case SECCLASS_TCP_SOCKET:
3744 node_perm = TCP_SOCKET__NODE_BIND;
3747 case SECCLASS_UDP_SOCKET:
3748 node_perm = UDP_SOCKET__NODE_BIND;
3751 case SECCLASS_DCCP_SOCKET:
3752 node_perm = DCCP_SOCKET__NODE_BIND;
3756 node_perm = RAWIP_SOCKET__NODE_BIND;
3760 err = sel_netnode_sid(addrp, family, &sid);
3764 AVC_AUDIT_DATA_INIT(&ad, NET);
3765 ad.u.net.sport = htons(snum);
3766 ad.u.net.family = family;
3768 if (family == PF_INET)
3769 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3771 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3773 err = avc_has_perm(isec->sid, sid,
3774 isec->sclass, node_perm, &ad);
3782 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3784 struct inode_security_struct *isec;
3787 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3792 * If a TCP or DCCP socket, check name_connect permission for the port.
3794 isec = SOCK_INODE(sock)->i_security;
3795 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3796 isec->sclass == SECCLASS_DCCP_SOCKET) {
3797 struct sock *sk = sock->sk;
3798 struct avc_audit_data ad;
3799 struct sockaddr_in *addr4 = NULL;
3800 struct sockaddr_in6 *addr6 = NULL;
3801 unsigned short snum;
3804 if (sk->sk_family == PF_INET) {
3805 addr4 = (struct sockaddr_in *)address;
3806 if (addrlen < sizeof(struct sockaddr_in))
3808 snum = ntohs(addr4->sin_port);
3810 addr6 = (struct sockaddr_in6 *)address;
3811 if (addrlen < SIN6_LEN_RFC2133)
3813 snum = ntohs(addr6->sin6_port);
3816 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3820 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3821 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3823 AVC_AUDIT_DATA_INIT(&ad, NET);
3824 ad.u.net.dport = htons(snum);
3825 ad.u.net.family = sk->sk_family;
3826 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3835 static int selinux_socket_listen(struct socket *sock, int backlog)
3837 return socket_has_perm(current, sock, SOCKET__LISTEN);
3840 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3843 struct inode_security_struct *isec;
3844 struct inode_security_struct *newisec;
3846 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3850 newisec = SOCK_INODE(newsock)->i_security;
3852 isec = SOCK_INODE(sock)->i_security;
3853 newisec->sclass = isec->sclass;
3854 newisec->sid = isec->sid;
3855 newisec->initialized = 1;
3860 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3865 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3869 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3872 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3873 int size, int flags)
3875 return socket_has_perm(current, sock, SOCKET__READ);
3878 static int selinux_socket_getsockname(struct socket *sock)
3880 return socket_has_perm(current, sock, SOCKET__GETATTR);
3883 static int selinux_socket_getpeername(struct socket *sock)
3885 return socket_has_perm(current, sock, SOCKET__GETATTR);
3888 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3892 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3896 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3899 static int selinux_socket_getsockopt(struct socket *sock, int level,
3902 return socket_has_perm(current, sock, SOCKET__GETOPT);
3905 static int selinux_socket_shutdown(struct socket *sock, int how)
3907 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3910 static int selinux_socket_unix_stream_connect(struct socket *sock,
3911 struct socket *other,
3914 struct sk_security_struct *ssec;
3915 struct inode_security_struct *isec;
3916 struct inode_security_struct *other_isec;
3917 struct avc_audit_data ad;
3920 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3924 isec = SOCK_INODE(sock)->i_security;
3925 other_isec = SOCK_INODE(other)->i_security;
3927 AVC_AUDIT_DATA_INIT(&ad, NET);
3928 ad.u.net.sk = other->sk;
3930 err = avc_has_perm(isec->sid, other_isec->sid,
3932 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3936 /* connecting socket */
3937 ssec = sock->sk->sk_security;
3938 ssec->peer_sid = other_isec->sid;
3940 /* server child socket */
3941 ssec = newsk->sk_security;
3942 ssec->peer_sid = isec->sid;
3943 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3948 static int selinux_socket_unix_may_send(struct socket *sock,
3949 struct socket *other)
3951 struct inode_security_struct *isec;
3952 struct inode_security_struct *other_isec;
3953 struct avc_audit_data ad;
3956 isec = SOCK_INODE(sock)->i_security;
3957 other_isec = SOCK_INODE(other)->i_security;
3959 AVC_AUDIT_DATA_INIT(&ad, NET);
3960 ad.u.net.sk = other->sk;
3962 err = avc_has_perm(isec->sid, other_isec->sid,
3963 isec->sclass, SOCKET__SENDTO, &ad);
3970 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3972 struct avc_audit_data *ad)
3978 err = sel_netif_sid(ifindex, &if_sid);
3981 err = avc_has_perm(peer_sid, if_sid,
3982 SECCLASS_NETIF, NETIF__INGRESS, ad);
3986 err = sel_netnode_sid(addrp, family, &node_sid);
3989 return avc_has_perm(peer_sid, node_sid,
3990 SECCLASS_NODE, NODE__RECVFROM, ad);
3993 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3994 struct sk_buff *skb,
3995 struct avc_audit_data *ad,
4000 struct sk_security_struct *sksec = sk->sk_security;
4002 u32 netif_perm, node_perm, recv_perm;
4003 u32 port_sid, node_sid, if_sid, sk_sid;
4005 sk_sid = sksec->sid;
4006 sk_class = sksec->sclass;
4009 case SECCLASS_UDP_SOCKET:
4010 netif_perm = NETIF__UDP_RECV;
4011 node_perm = NODE__UDP_RECV;
4012 recv_perm = UDP_SOCKET__RECV_MSG;
4014 case SECCLASS_TCP_SOCKET:
4015 netif_perm = NETIF__TCP_RECV;
4016 node_perm = NODE__TCP_RECV;
4017 recv_perm = TCP_SOCKET__RECV_MSG;
4019 case SECCLASS_DCCP_SOCKET:
4020 netif_perm = NETIF__DCCP_RECV;
4021 node_perm = NODE__DCCP_RECV;
4022 recv_perm = DCCP_SOCKET__RECV_MSG;
4025 netif_perm = NETIF__RAWIP_RECV;
4026 node_perm = NODE__RAWIP_RECV;
4031 err = sel_netif_sid(skb->iif, &if_sid);
4034 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4038 err = sel_netnode_sid(addrp, family, &node_sid);
4041 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4047 err = sel_netport_sid(sk->sk_protocol,
4048 ntohs(ad->u.net.sport), &port_sid);
4049 if (unlikely(err)) {
4051 "SELinux: failure in"
4052 " selinux_sock_rcv_skb_iptables_compat(),"
4053 " network port label not found\n");
4056 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4059 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4060 struct avc_audit_data *ad,
4061 u16 family, char *addrp)
4064 struct sk_security_struct *sksec = sk->sk_security;
4066 u32 sk_sid = sksec->sid;
4068 if (selinux_compat_net)
4069 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4072 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4077 if (selinux_policycap_netpeer) {
4078 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4081 err = avc_has_perm(sk_sid, peer_sid,
4082 SECCLASS_PEER, PEER__RECV, ad);
4084 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4087 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4093 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4096 struct sk_security_struct *sksec = sk->sk_security;
4097 u16 family = sk->sk_family;
4098 u32 sk_sid = sksec->sid;
4099 struct avc_audit_data ad;
4102 if (family != PF_INET && family != PF_INET6)
4105 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4106 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4109 AVC_AUDIT_DATA_INIT(&ad, NET);
4110 ad.u.net.netif = skb->iif;
4111 ad.u.net.family = family;
4112 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4116 /* If any sort of compatibility mode is enabled then handoff processing
4117 * to the selinux_sock_rcv_skb_compat() function to deal with the
4118 * special handling. We do this in an attempt to keep this function
4119 * as fast and as clean as possible. */
4120 if (selinux_compat_net || !selinux_policycap_netpeer)
4121 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4124 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4127 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4130 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4134 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4138 if (selinux_secmark_enabled()) {
4139 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4148 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4149 int __user *optlen, unsigned len)
4154 struct sk_security_struct *ssec;
4155 struct inode_security_struct *isec;
4156 u32 peer_sid = SECSID_NULL;
4158 isec = SOCK_INODE(sock)->i_security;
4160 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4161 isec->sclass == SECCLASS_TCP_SOCKET) {
4162 ssec = sock->sk->sk_security;
4163 peer_sid = ssec->peer_sid;
4165 if (peer_sid == SECSID_NULL) {
4170 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4175 if (scontext_len > len) {
4180 if (copy_to_user(optval, scontext, scontext_len))
4184 if (put_user(scontext_len, optlen))
4192 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4194 u32 peer_secid = SECSID_NULL;
4198 family = sock->sk->sk_family;
4199 else if (skb && skb->sk)
4200 family = skb->sk->sk_family;
4204 if (sock && family == PF_UNIX)
4205 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4207 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4210 *secid = peer_secid;
4211 if (peer_secid == SECSID_NULL)
4216 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4218 return sk_alloc_security(sk, family, priority);
4221 static void selinux_sk_free_security(struct sock *sk)
4223 sk_free_security(sk);
4226 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4228 struct sk_security_struct *ssec = sk->sk_security;
4229 struct sk_security_struct *newssec = newsk->sk_security;
4231 newssec->sid = ssec->sid;
4232 newssec->peer_sid = ssec->peer_sid;
4233 newssec->sclass = ssec->sclass;
4235 selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4238 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4241 *secid = SECINITSID_ANY_SOCKET;
4243 struct sk_security_struct *sksec = sk->sk_security;
4245 *secid = sksec->sid;
4249 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4251 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4252 struct sk_security_struct *sksec = sk->sk_security;
4254 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4255 sk->sk_family == PF_UNIX)
4256 isec->sid = sksec->sid;
4257 sksec->sclass = isec->sclass;
4259 selinux_netlbl_sock_graft(sk, parent);
4262 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4263 struct request_sock *req)
4265 struct sk_security_struct *sksec = sk->sk_security;
4270 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4273 if (peersid == SECSID_NULL) {
4274 req->secid = sksec->sid;
4275 req->peer_secid = SECSID_NULL;
4279 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4283 req->secid = newsid;
4284 req->peer_secid = peersid;
4288 static void selinux_inet_csk_clone(struct sock *newsk,
4289 const struct request_sock *req)
4291 struct sk_security_struct *newsksec = newsk->sk_security;
4293 newsksec->sid = req->secid;
4294 newsksec->peer_sid = req->peer_secid;
4295 /* NOTE: Ideally, we should also get the isec->sid for the
4296 new socket in sync, but we don't have the isec available yet.
4297 So we will wait until sock_graft to do it, by which
4298 time it will have been created and available. */
4300 /* We don't need to take any sort of lock here as we are the only
4301 * thread with access to newsksec */
4302 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4305 static void selinux_inet_conn_established(struct sock *sk,
4306 struct sk_buff *skb)
4308 struct sk_security_struct *sksec = sk->sk_security;
4310 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4313 static void selinux_req_classify_flow(const struct request_sock *req,
4316 fl->secid = req->secid;
4319 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4323 struct nlmsghdr *nlh;
4324 struct socket *sock = sk->sk_socket;
4325 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4327 if (skb->len < NLMSG_SPACE(0)) {
4331 nlh = nlmsg_hdr(skb);
4333 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4335 if (err == -EINVAL) {
4336 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4337 "SELinux: unrecognized netlink message"
4338 " type=%hu for sclass=%hu\n",
4339 nlh->nlmsg_type, isec->sclass);
4340 if (!selinux_enforcing)
4350 err = socket_has_perm(current, sock, perm);
4355 #ifdef CONFIG_NETFILTER
4357 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4362 struct avc_audit_data ad;
4366 if (!selinux_policycap_netpeer)
4369 secmark_active = selinux_secmark_enabled();
4370 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4371 if (!secmark_active && !peerlbl_active)
4374 AVC_AUDIT_DATA_INIT(&ad, NET);
4375 ad.u.net.netif = ifindex;
4376 ad.u.net.family = family;
4377 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4380 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4384 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4385 peer_sid, &ad) != 0)
4389 if (avc_has_perm(peer_sid, skb->secmark,
4390 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4396 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4397 struct sk_buff *skb,
4398 const struct net_device *in,
4399 const struct net_device *out,
4400 int (*okfn)(struct sk_buff *))
4402 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4405 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4406 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4407 struct sk_buff *skb,
4408 const struct net_device *in,
4409 const struct net_device *out,
4410 int (*okfn)(struct sk_buff *))
4412 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4416 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4418 struct avc_audit_data *ad,
4419 u16 family, char *addrp)
4422 struct sk_security_struct *sksec = sk->sk_security;
4424 u32 netif_perm, node_perm, send_perm;
4425 u32 port_sid, node_sid, if_sid, sk_sid;
4427 sk_sid = sksec->sid;
4428 sk_class = sksec->sclass;
4431 case SECCLASS_UDP_SOCKET:
4432 netif_perm = NETIF__UDP_SEND;
4433 node_perm = NODE__UDP_SEND;
4434 send_perm = UDP_SOCKET__SEND_MSG;
4436 case SECCLASS_TCP_SOCKET:
4437 netif_perm = NETIF__TCP_SEND;
4438 node_perm = NODE__TCP_SEND;
4439 send_perm = TCP_SOCKET__SEND_MSG;
4441 case SECCLASS_DCCP_SOCKET:
4442 netif_perm = NETIF__DCCP_SEND;
4443 node_perm = NODE__DCCP_SEND;
4444 send_perm = DCCP_SOCKET__SEND_MSG;
4447 netif_perm = NETIF__RAWIP_SEND;
4448 node_perm = NODE__RAWIP_SEND;
4453 err = sel_netif_sid(ifindex, &if_sid);
4456 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4459 err = sel_netnode_sid(addrp, family, &node_sid);
4462 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4469 err = sel_netport_sid(sk->sk_protocol,
4470 ntohs(ad->u.net.dport), &port_sid);
4471 if (unlikely(err)) {
4473 "SELinux: failure in"
4474 " selinux_ip_postroute_iptables_compat(),"
4475 " network port label not found\n");
4478 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4481 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4483 struct avc_audit_data *ad,
4488 struct sock *sk = skb->sk;
4489 struct sk_security_struct *sksec;
4493 sksec = sk->sk_security;
4495 if (selinux_compat_net) {
4496 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4500 if (avc_has_perm(sksec->sid, skb->secmark,
4501 SECCLASS_PACKET, PACKET__SEND, ad))
4505 if (selinux_policycap_netpeer)
4506 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4512 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4518 struct avc_audit_data ad;
4524 AVC_AUDIT_DATA_INIT(&ad, NET);
4525 ad.u.net.netif = ifindex;
4526 ad.u.net.family = family;
4527 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4530 /* If any sort of compatibility mode is enabled then handoff processing
4531 * to the selinux_ip_postroute_compat() function to deal with the
4532 * special handling. We do this in an attempt to keep this function
4533 * as fast and as clean as possible. */
4534 if (selinux_compat_net || !selinux_policycap_netpeer)
4535 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4536 family, addrp, proto);
4538 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4539 * packet transformation so allow the packet to pass without any checks
4540 * since we'll have another chance to perform access control checks
4541 * when the packet is on it's final way out.
4542 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4543 * is NULL, in this case go ahead and apply access control. */
4544 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4547 secmark_active = selinux_secmark_enabled();
4548 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4549 if (!secmark_active && !peerlbl_active)
4552 /* if the packet is locally generated (skb->sk != NULL) then use the
4553 * socket's label as the peer label, otherwise the packet is being
4554 * forwarded through this system and we need to fetch the peer label
4555 * directly from the packet */
4558 struct sk_security_struct *sksec = sk->sk_security;
4559 peer_sid = sksec->sid;
4560 secmark_perm = PACKET__SEND;
4562 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4564 secmark_perm = PACKET__FORWARD_OUT;
4568 if (avc_has_perm(peer_sid, skb->secmark,
4569 SECCLASS_PACKET, secmark_perm, &ad))
4572 if (peerlbl_active) {
4576 if (sel_netif_sid(ifindex, &if_sid))
4578 if (avc_has_perm(peer_sid, if_sid,
4579 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4582 if (sel_netnode_sid(addrp, family, &node_sid))
4584 if (avc_has_perm(peer_sid, node_sid,
4585 SECCLASS_NODE, NODE__SENDTO, &ad))
4592 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4593 struct sk_buff *skb,
4594 const struct net_device *in,
4595 const struct net_device *out,
4596 int (*okfn)(struct sk_buff *))
4598 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4601 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4602 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4603 struct sk_buff *skb,
4604 const struct net_device *in,
4605 const struct net_device *out,
4606 int (*okfn)(struct sk_buff *))
4608 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4612 #endif /* CONFIG_NETFILTER */
4614 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4618 err = secondary_ops->netlink_send(sk, skb);
4622 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4623 err = selinux_nlmsg_perm(sk, skb);
4628 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4631 struct avc_audit_data ad;
4633 err = secondary_ops->netlink_recv(skb, capability);
4637 AVC_AUDIT_DATA_INIT(&ad, CAP);
4638 ad.u.cap = capability;
4640 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4641 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4644 static int ipc_alloc_security(struct task_struct *task,
4645 struct kern_ipc_perm *perm,
4648 struct task_security_struct *tsec = task->security;
4649 struct ipc_security_struct *isec;
4651 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4655 isec->sclass = sclass;
4656 isec->sid = tsec->sid;
4657 perm->security = isec;
4662 static void ipc_free_security(struct kern_ipc_perm *perm)
4664 struct ipc_security_struct *isec = perm->security;
4665 perm->security = NULL;
4669 static int msg_msg_alloc_security(struct msg_msg *msg)
4671 struct msg_security_struct *msec;
4673 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4677 msec->sid = SECINITSID_UNLABELED;
4678 msg->security = msec;
4683 static void msg_msg_free_security(struct msg_msg *msg)
4685 struct msg_security_struct *msec = msg->security;
4687 msg->security = NULL;
4691 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4694 struct task_security_struct *tsec;
4695 struct ipc_security_struct *isec;
4696 struct avc_audit_data ad;
4698 tsec = current->security;
4699 isec = ipc_perms->security;
4701 AVC_AUDIT_DATA_INIT(&ad, IPC);
4702 ad.u.ipc_id = ipc_perms->key;
4704 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4707 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4709 return msg_msg_alloc_security(msg);
4712 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4714 msg_msg_free_security(msg);
4717 /* message queue security operations */
4718 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4720 struct task_security_struct *tsec;
4721 struct ipc_security_struct *isec;
4722 struct avc_audit_data ad;
4725 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4729 tsec = current->security;
4730 isec = msq->q_perm.security;
4732 AVC_AUDIT_DATA_INIT(&ad, IPC);
4733 ad.u.ipc_id = msq->q_perm.key;
4735 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4738 ipc_free_security(&msq->q_perm);
4744 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4746 ipc_free_security(&msq->q_perm);
4749 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4751 struct task_security_struct *tsec;
4752 struct ipc_security_struct *isec;
4753 struct avc_audit_data ad;
4755 tsec = current->security;
4756 isec = msq->q_perm.security;
4758 AVC_AUDIT_DATA_INIT(&ad, IPC);
4759 ad.u.ipc_id = msq->q_perm.key;
4761 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4762 MSGQ__ASSOCIATE, &ad);
4765 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4773 /* No specific object, just general system-wide information. */
4774 return task_has_system(current, SYSTEM__IPC_INFO);
4777 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4780 perms = MSGQ__SETATTR;
4783 perms = MSGQ__DESTROY;
4789 err = ipc_has_perm(&msq->q_perm, perms);
4793 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4795 struct task_security_struct *tsec;
4796 struct ipc_security_struct *isec;
4797 struct msg_security_struct *msec;
4798 struct avc_audit_data ad;
4801 tsec = current->security;
4802 isec = msq->q_perm.security;
4803 msec = msg->security;
4806 * First time through, need to assign label to the message
4808 if (msec->sid == SECINITSID_UNLABELED) {
4810 * Compute new sid based on current process and
4811 * message queue this message will be stored in
4813 rc = security_transition_sid(tsec->sid,
4821 AVC_AUDIT_DATA_INIT(&ad, IPC);
4822 ad.u.ipc_id = msq->q_perm.key;
4824 /* Can this process write to the queue? */
4825 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4828 /* Can this process send the message */
4829 rc = avc_has_perm(tsec->sid, msec->sid,
4830 SECCLASS_MSG, MSG__SEND, &ad);
4832 /* Can the message be put in the queue? */
4833 rc = avc_has_perm(msec->sid, isec->sid,
4834 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4839 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4840 struct task_struct *target,
4841 long type, int mode)
4843 struct task_security_struct *tsec;
4844 struct ipc_security_struct *isec;
4845 struct msg_security_struct *msec;
4846 struct avc_audit_data ad;
4849 tsec = target->security;
4850 isec = msq->q_perm.security;
4851 msec = msg->security;
4853 AVC_AUDIT_DATA_INIT(&ad, IPC);
4854 ad.u.ipc_id = msq->q_perm.key;
4856 rc = avc_has_perm(tsec->sid, isec->sid,
4857 SECCLASS_MSGQ, MSGQ__READ, &ad);
4859 rc = avc_has_perm(tsec->sid, msec->sid,
4860 SECCLASS_MSG, MSG__RECEIVE, &ad);
4864 /* Shared Memory security operations */
4865 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4867 struct task_security_struct *tsec;
4868 struct ipc_security_struct *isec;
4869 struct avc_audit_data ad;
4872 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4876 tsec = current->security;
4877 isec = shp->shm_perm.security;
4879 AVC_AUDIT_DATA_INIT(&ad, IPC);
4880 ad.u.ipc_id = shp->shm_perm.key;
4882 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4885 ipc_free_security(&shp->shm_perm);
4891 static void selinux_shm_free_security(struct shmid_kernel *shp)
4893 ipc_free_security(&shp->shm_perm);
4896 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4898 struct task_security_struct *tsec;
4899 struct ipc_security_struct *isec;
4900 struct avc_audit_data ad;
4902 tsec = current->security;
4903 isec = shp->shm_perm.security;
4905 AVC_AUDIT_DATA_INIT(&ad, IPC);
4906 ad.u.ipc_id = shp->shm_perm.key;
4908 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4909 SHM__ASSOCIATE, &ad);
4912 /* Note, at this point, shp is locked down */
4913 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4921 /* No specific object, just general system-wide information. */
4922 return task_has_system(current, SYSTEM__IPC_INFO);
4925 perms = SHM__GETATTR | SHM__ASSOCIATE;
4928 perms = SHM__SETATTR;
4935 perms = SHM__DESTROY;
4941 err = ipc_has_perm(&shp->shm_perm, perms);
4945 static int selinux_shm_shmat(struct shmid_kernel *shp,
4946 char __user *shmaddr, int shmflg)
4951 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4955 if (shmflg & SHM_RDONLY)
4958 perms = SHM__READ | SHM__WRITE;
4960 return ipc_has_perm(&shp->shm_perm, perms);
4963 /* Semaphore security operations */
4964 static int selinux_sem_alloc_security(struct sem_array *sma)
4966 struct task_security_struct *tsec;
4967 struct ipc_security_struct *isec;
4968 struct avc_audit_data ad;
4971 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4975 tsec = current->security;
4976 isec = sma->sem_perm.security;
4978 AVC_AUDIT_DATA_INIT(&ad, IPC);
4979 ad.u.ipc_id = sma->sem_perm.key;
4981 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4984 ipc_free_security(&sma->sem_perm);
4990 static void selinux_sem_free_security(struct sem_array *sma)
4992 ipc_free_security(&sma->sem_perm);
4995 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4997 struct task_security_struct *tsec;
4998 struct ipc_security_struct *isec;
4999 struct avc_audit_data ad;
5001 tsec = current->security;
5002 isec = sma->sem_perm.security;
5004 AVC_AUDIT_DATA_INIT(&ad, IPC);
5005 ad.u.ipc_id = sma->sem_perm.key;
5007 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
5008 SEM__ASSOCIATE, &ad);
5011 /* Note, at this point, sma is locked down */
5012 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5020 /* No specific object, just general system-wide information. */
5021 return task_has_system(current, SYSTEM__IPC_INFO);
5025 perms = SEM__GETATTR;
5036 perms = SEM__DESTROY;
5039 perms = SEM__SETATTR;
5043 perms = SEM__GETATTR | SEM__ASSOCIATE;
5049 err = ipc_has_perm(&sma->sem_perm, perms);
5053 static int selinux_sem_semop(struct sem_array *sma,
5054 struct sembuf *sops, unsigned nsops, int alter)
5059 perms = SEM__READ | SEM__WRITE;
5063 return ipc_has_perm(&sma->sem_perm, perms);
5066 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5072 av |= IPC__UNIX_READ;
5074 av |= IPC__UNIX_WRITE;
5079 return ipc_has_perm(ipcp, av);
5082 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5084 struct ipc_security_struct *isec = ipcp->security;
5088 /* module stacking operations */
5089 static int selinux_register_security(const char *name, struct security_operations *ops)
5091 if (secondary_ops != original_ops) {
5092 printk(KERN_ERR "%s: There is already a secondary security "
5093 "module registered.\n", __func__);
5097 secondary_ops = ops;
5099 printk(KERN_INFO "%s: Registering secondary module %s\n",
5106 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5109 inode_doinit_with_dentry(inode, dentry);
5112 static int selinux_getprocattr(struct task_struct *p,
5113 char *name, char **value)
5115 struct task_security_struct *tsec;
5121 error = task_has_perm(current, p, PROCESS__GETATTR);
5128 if (!strcmp(name, "current"))
5130 else if (!strcmp(name, "prev"))
5132 else if (!strcmp(name, "exec"))
5133 sid = tsec->exec_sid;
5134 else if (!strcmp(name, "fscreate"))
5135 sid = tsec->create_sid;
5136 else if (!strcmp(name, "keycreate"))
5137 sid = tsec->keycreate_sid;
5138 else if (!strcmp(name, "sockcreate"))
5139 sid = tsec->sockcreate_sid;
5146 error = security_sid_to_context(sid, value, &len);
5152 static int selinux_setprocattr(struct task_struct *p,
5153 char *name, void *value, size_t size)
5155 struct task_security_struct *tsec;
5156 struct task_struct *tracer;
5162 /* SELinux only allows a process to change its own
5163 security attributes. */
5168 * Basic control over ability to set these attributes at all.
5169 * current == p, but we'll pass them separately in case the
5170 * above restriction is ever removed.
5172 if (!strcmp(name, "exec"))
5173 error = task_has_perm(current, p, PROCESS__SETEXEC);
5174 else if (!strcmp(name, "fscreate"))
5175 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5176 else if (!strcmp(name, "keycreate"))
5177 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5178 else if (!strcmp(name, "sockcreate"))
5179 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5180 else if (!strcmp(name, "current"))
5181 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5187 /* Obtain a SID for the context, if one was specified. */
5188 if (size && str[1] && str[1] != '\n') {
5189 if (str[size-1] == '\n') {
5193 error = security_context_to_sid(value, size, &sid);
5194 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5195 if (!capable(CAP_MAC_ADMIN))
5197 error = security_context_to_sid_force(value, size,
5204 /* Permission checking based on the specified context is
5205 performed during the actual operation (execve,
5206 open/mkdir/...), when we know the full context of the
5207 operation. See selinux_bprm_set_security for the execve
5208 checks and may_create for the file creation checks. The
5209 operation will then fail if the context is not permitted. */
5211 if (!strcmp(name, "exec"))
5212 tsec->exec_sid = sid;
5213 else if (!strcmp(name, "fscreate"))
5214 tsec->create_sid = sid;
5215 else if (!strcmp(name, "keycreate")) {
5216 error = may_create_key(sid, p);
5219 tsec->keycreate_sid = sid;
5220 } else if (!strcmp(name, "sockcreate"))
5221 tsec->sockcreate_sid = sid;
5222 else if (!strcmp(name, "current")) {
5223 struct av_decision avd;
5228 /* Only allow single threaded processes to change context */
5229 if (atomic_read(&p->mm->mm_users) != 1) {
5230 struct task_struct *g, *t;
5231 struct mm_struct *mm = p->mm;
5232 read_lock(&tasklist_lock);
5233 do_each_thread(g, t)
5234 if (t->mm == mm && t != p) {
5235 read_unlock(&tasklist_lock);
5238 while_each_thread(g, t);
5239 read_unlock(&tasklist_lock);
5242 /* Check permissions for the transition. */
5243 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5244 PROCESS__DYNTRANSITION, NULL);
5248 /* Check for ptracing, and update the task SID if ok.
5249 Otherwise, leave SID unchanged and fail. */
5252 tracer = task_tracer_task(p);
5253 if (tracer != NULL) {
5254 struct task_security_struct *ptsec = tracer->security;
5255 u32 ptsid = ptsec->sid;
5257 error = avc_has_perm_noaudit(ptsid, sid,
5259 PROCESS__PTRACE, 0, &avd);
5263 avc_audit(ptsid, sid, SECCLASS_PROCESS,
5264 PROCESS__PTRACE, &avd, error, NULL);
5278 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5280 return security_sid_to_context(secid, secdata, seclen);
5283 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5285 return security_context_to_sid(secdata, seclen, secid);
5288 static void selinux_release_secctx(char *secdata, u32 seclen)
5295 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5296 unsigned long flags)
5298 struct task_security_struct *tsec = tsk->security;
5299 struct key_security_struct *ksec;
5301 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5305 if (tsec->keycreate_sid)
5306 ksec->sid = tsec->keycreate_sid;
5308 ksec->sid = tsec->sid;
5314 static void selinux_key_free(struct key *k)
5316 struct key_security_struct *ksec = k->security;
5322 static int selinux_key_permission(key_ref_t key_ref,
5323 struct task_struct *ctx,
5327 struct task_security_struct *tsec;
5328 struct key_security_struct *ksec;
5330 key = key_ref_to_ptr(key_ref);
5332 tsec = ctx->security;
5333 ksec = key->security;
5335 /* if no specific permissions are requested, we skip the
5336 permission check. No serious, additional covert channels
5337 appear to be created. */
5341 return avc_has_perm(tsec->sid, ksec->sid,
5342 SECCLASS_KEY, perm, NULL);
5345 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5347 struct key_security_struct *ksec = key->security;
5348 char *context = NULL;
5352 rc = security_sid_to_context(ksec->sid, &context, &len);
5361 static struct security_operations selinux_ops = {
5364 .ptrace = selinux_ptrace,
5365 .capget = selinux_capget,
5366 .capset_check = selinux_capset_check,
5367 .capset_set = selinux_capset_set,
5368 .sysctl = selinux_sysctl,
5369 .capable = selinux_capable,
5370 .quotactl = selinux_quotactl,
5371 .quota_on = selinux_quota_on,
5372 .syslog = selinux_syslog,
5373 .vm_enough_memory = selinux_vm_enough_memory,
5375 .netlink_send = selinux_netlink_send,
5376 .netlink_recv = selinux_netlink_recv,
5378 .bprm_alloc_security = selinux_bprm_alloc_security,
5379 .bprm_free_security = selinux_bprm_free_security,
5380 .bprm_apply_creds = selinux_bprm_apply_creds,
5381 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5382 .bprm_set_security = selinux_bprm_set_security,
5383 .bprm_check_security = selinux_bprm_check_security,
5384 .bprm_secureexec = selinux_bprm_secureexec,
5386 .sb_alloc_security = selinux_sb_alloc_security,
5387 .sb_free_security = selinux_sb_free_security,
5388 .sb_copy_data = selinux_sb_copy_data,
5389 .sb_kern_mount = selinux_sb_kern_mount,
5390 .sb_statfs = selinux_sb_statfs,
5391 .sb_mount = selinux_mount,
5392 .sb_umount = selinux_umount,
5393 .sb_get_mnt_opts = selinux_get_mnt_opts,
5394 .sb_set_mnt_opts = selinux_set_mnt_opts,
5395 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5396 .sb_parse_opts_str = selinux_parse_opts_str,
5399 .inode_alloc_security = selinux_inode_alloc_security,
5400 .inode_free_security = selinux_inode_free_security,
5401 .inode_init_security = selinux_inode_init_security,
5402 .inode_create = selinux_inode_create,
5403 .inode_link = selinux_inode_link,
5404 .inode_unlink = selinux_inode_unlink,
5405 .inode_symlink = selinux_inode_symlink,
5406 .inode_mkdir = selinux_inode_mkdir,
5407 .inode_rmdir = selinux_inode_rmdir,
5408 .inode_mknod = selinux_inode_mknod,
5409 .inode_rename = selinux_inode_rename,
5410 .inode_readlink = selinux_inode_readlink,
5411 .inode_follow_link = selinux_inode_follow_link,
5412 .inode_permission = selinux_inode_permission,
5413 .inode_setattr = selinux_inode_setattr,
5414 .inode_getattr = selinux_inode_getattr,
5415 .inode_setxattr = selinux_inode_setxattr,
5416 .inode_post_setxattr = selinux_inode_post_setxattr,
5417 .inode_getxattr = selinux_inode_getxattr,
5418 .inode_listxattr = selinux_inode_listxattr,
5419 .inode_removexattr = selinux_inode_removexattr,
5420 .inode_getsecurity = selinux_inode_getsecurity,
5421 .inode_setsecurity = selinux_inode_setsecurity,
5422 .inode_listsecurity = selinux_inode_listsecurity,
5423 .inode_need_killpriv = selinux_inode_need_killpriv,
5424 .inode_killpriv = selinux_inode_killpriv,
5425 .inode_getsecid = selinux_inode_getsecid,
5427 .file_permission = selinux_file_permission,
5428 .file_alloc_security = selinux_file_alloc_security,
5429 .file_free_security = selinux_file_free_security,
5430 .file_ioctl = selinux_file_ioctl,
5431 .file_mmap = selinux_file_mmap,
5432 .file_mprotect = selinux_file_mprotect,
5433 .file_lock = selinux_file_lock,
5434 .file_fcntl = selinux_file_fcntl,
5435 .file_set_fowner = selinux_file_set_fowner,
5436 .file_send_sigiotask = selinux_file_send_sigiotask,
5437 .file_receive = selinux_file_receive,
5439 .dentry_open = selinux_dentry_open,
5441 .task_create = selinux_task_create,
5442 .task_alloc_security = selinux_task_alloc_security,
5443 .task_free_security = selinux_task_free_security,
5444 .task_setuid = selinux_task_setuid,
5445 .task_post_setuid = selinux_task_post_setuid,
5446 .task_setgid = selinux_task_setgid,
5447 .task_setpgid = selinux_task_setpgid,
5448 .task_getpgid = selinux_task_getpgid,
5449 .task_getsid = selinux_task_getsid,
5450 .task_getsecid = selinux_task_getsecid,
5451 .task_setgroups = selinux_task_setgroups,
5452 .task_setnice = selinux_task_setnice,
5453 .task_setioprio = selinux_task_setioprio,
5454 .task_getioprio = selinux_task_getioprio,
5455 .task_setrlimit = selinux_task_setrlimit,
5456 .task_setscheduler = selinux_task_setscheduler,
5457 .task_getscheduler = selinux_task_getscheduler,
5458 .task_movememory = selinux_task_movememory,
5459 .task_kill = selinux_task_kill,
5460 .task_wait = selinux_task_wait,
5461 .task_prctl = selinux_task_prctl,
5462 .task_reparent_to_init = selinux_task_reparent_to_init,
5463 .task_to_inode = selinux_task_to_inode,
5465 .ipc_permission = selinux_ipc_permission,
5466 .ipc_getsecid = selinux_ipc_getsecid,
5468 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5469 .msg_msg_free_security = selinux_msg_msg_free_security,
5471 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5472 .msg_queue_free_security = selinux_msg_queue_free_security,
5473 .msg_queue_associate = selinux_msg_queue_associate,
5474 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5475 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5476 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5478 .shm_alloc_security = selinux_shm_alloc_security,
5479 .shm_free_security = selinux_shm_free_security,
5480 .shm_associate = selinux_shm_associate,
5481 .shm_shmctl = selinux_shm_shmctl,
5482 .shm_shmat = selinux_shm_shmat,
5484 .sem_alloc_security = selinux_sem_alloc_security,
5485 .sem_free_security = selinux_sem_free_security,
5486 .sem_associate = selinux_sem_associate,
5487 .sem_semctl = selinux_sem_semctl,
5488 .sem_semop = selinux_sem_semop,
5490 .register_security = selinux_register_security,
5492 .d_instantiate = selinux_d_instantiate,
5494 .getprocattr = selinux_getprocattr,
5495 .setprocattr = selinux_setprocattr,
5497 .secid_to_secctx = selinux_secid_to_secctx,
5498 .secctx_to_secid = selinux_secctx_to_secid,
5499 .release_secctx = selinux_release_secctx,
5501 .unix_stream_connect = selinux_socket_unix_stream_connect,
5502 .unix_may_send = selinux_socket_unix_may_send,
5504 .socket_create = selinux_socket_create,
5505 .socket_post_create = selinux_socket_post_create,
5506 .socket_bind = selinux_socket_bind,
5507 .socket_connect = selinux_socket_connect,
5508 .socket_listen = selinux_socket_listen,
5509 .socket_accept = selinux_socket_accept,
5510 .socket_sendmsg = selinux_socket_sendmsg,
5511 .socket_recvmsg = selinux_socket_recvmsg,
5512 .socket_getsockname = selinux_socket_getsockname,
5513 .socket_getpeername = selinux_socket_getpeername,
5514 .socket_getsockopt = selinux_socket_getsockopt,
5515 .socket_setsockopt = selinux_socket_setsockopt,
5516 .socket_shutdown = selinux_socket_shutdown,
5517 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5518 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5519 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5520 .sk_alloc_security = selinux_sk_alloc_security,
5521 .sk_free_security = selinux_sk_free_security,
5522 .sk_clone_security = selinux_sk_clone_security,
5523 .sk_getsecid = selinux_sk_getsecid,
5524 .sock_graft = selinux_sock_graft,
5525 .inet_conn_request = selinux_inet_conn_request,
5526 .inet_csk_clone = selinux_inet_csk_clone,
5527 .inet_conn_established = selinux_inet_conn_established,
5528 .req_classify_flow = selinux_req_classify_flow,
5530 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5531 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5532 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5533 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5534 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5535 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5536 .xfrm_state_free_security = selinux_xfrm_state_free,
5537 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5538 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5539 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5540 .xfrm_decode_session = selinux_xfrm_decode_session,
5544 .key_alloc = selinux_key_alloc,
5545 .key_free = selinux_key_free,
5546 .key_permission = selinux_key_permission,
5547 .key_getsecurity = selinux_key_getsecurity,
5551 .audit_rule_init = selinux_audit_rule_init,
5552 .audit_rule_known = selinux_audit_rule_known,
5553 .audit_rule_match = selinux_audit_rule_match,
5554 .audit_rule_free = selinux_audit_rule_free,
5558 static __init int selinux_init(void)
5560 struct task_security_struct *tsec;
5562 if (!security_module_enable(&selinux_ops)) {
5563 selinux_enabled = 0;
5567 if (!selinux_enabled) {
5568 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5572 printk(KERN_INFO "SELinux: Initializing.\n");
5574 /* Set the security state for the initial task. */
5575 if (task_alloc_security(current))
5576 panic("SELinux: Failed to initialize initial task.\n");
5577 tsec = current->security;
5578 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5580 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5581 sizeof(struct inode_security_struct),
5582 0, SLAB_PANIC, NULL);
5585 original_ops = secondary_ops = security_ops;
5587 panic("SELinux: No initial security operations\n");
5588 if (register_security(&selinux_ops))
5589 panic("SELinux: Unable to register with kernel.\n");
5591 if (selinux_enforcing)
5592 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5594 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5599 void selinux_complete_init(void)
5601 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5603 /* Set up any superblocks initialized prior to the policy load. */
5604 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5605 spin_lock(&sb_lock);
5606 spin_lock(&sb_security_lock);
5608 if (!list_empty(&superblock_security_head)) {
5609 struct superblock_security_struct *sbsec =
5610 list_entry(superblock_security_head.next,
5611 struct superblock_security_struct,
5613 struct super_block *sb = sbsec->sb;
5615 spin_unlock(&sb_security_lock);
5616 spin_unlock(&sb_lock);
5617 down_read(&sb->s_umount);
5619 superblock_doinit(sb, NULL);
5621 spin_lock(&sb_lock);
5622 spin_lock(&sb_security_lock);
5623 list_del_init(&sbsec->list);
5626 spin_unlock(&sb_security_lock);
5627 spin_unlock(&sb_lock);
5630 /* SELinux requires early initialization in order to label
5631 all processes and objects when they are created. */
5632 security_initcall(selinux_init);
5634 #if defined(CONFIG_NETFILTER)
5636 static struct nf_hook_ops selinux_ipv4_ops[] = {
5638 .hook = selinux_ipv4_postroute,
5639 .owner = THIS_MODULE,
5641 .hooknum = NF_INET_POST_ROUTING,
5642 .priority = NF_IP_PRI_SELINUX_LAST,
5645 .hook = selinux_ipv4_forward,
5646 .owner = THIS_MODULE,
5648 .hooknum = NF_INET_FORWARD,
5649 .priority = NF_IP_PRI_SELINUX_FIRST,
5653 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5655 static struct nf_hook_ops selinux_ipv6_ops[] = {
5657 .hook = selinux_ipv6_postroute,
5658 .owner = THIS_MODULE,
5660 .hooknum = NF_INET_POST_ROUTING,
5661 .priority = NF_IP6_PRI_SELINUX_LAST,
5664 .hook = selinux_ipv6_forward,
5665 .owner = THIS_MODULE,
5667 .hooknum = NF_INET_FORWARD,
5668 .priority = NF_IP6_PRI_SELINUX_FIRST,
5674 static int __init selinux_nf_ip_init(void)
5679 if (!selinux_enabled)
5682 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5684 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5685 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5687 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5691 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5692 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5693 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5695 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5704 __initcall(selinux_nf_ip_init);
5706 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5707 static void selinux_nf_ip_exit(void)
5711 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5713 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5714 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5715 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5716 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5717 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5722 #else /* CONFIG_NETFILTER */
5724 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5725 #define selinux_nf_ip_exit()
5728 #endif /* CONFIG_NETFILTER */
5730 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5731 static int selinux_disabled;
5733 int selinux_disable(void)
5735 extern void exit_sel_fs(void);
5737 if (ss_initialized) {
5738 /* Not permitted after initial policy load. */
5742 if (selinux_disabled) {
5743 /* Only do this once. */
5747 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5749 selinux_disabled = 1;
5750 selinux_enabled = 0;
5752 /* Reset security_ops to the secondary module, dummy or capability. */
5753 security_ops = secondary_ops;
5755 /* Unregister netfilter hooks. */
5756 selinux_nf_ip_exit();
5758 /* Unregister selinuxfs. */